18 OpenSSH Policy

The OpenSSH Policy allows you to deploy OpenSSH settings to client machines. The policies are applied to a file in the /etc/ssh/sshd_config.d directory.
This policy is physically stored on the SYSVOL in MACHINE/VGP/VTLA/SshCfg/SshD/manifest.xml. The manifest.xml file is in XML format and can be modified manually with a text editor.
18.1 Server Side Extension
The Server Side Extension (SSE) for OpenSSH Policy is administered using the samba-tool gpo manage openssh command. This SSE cannot be modified using the GPME.
18.1.1 Managing OpenSSH Policy via samba-tool
The samba-tool gpo manage openssh command has two subcommands: set and list.
> samba-tool gpo manage openssh
Usage: samba-tool gpo manage openssh <subcommand>
Manage OpenSSH Group Policy Objects
Options:
  -h, --help  show this help message and exit
Available subcommands:
  list  - List VGP OpenSSH Group Policy from the sysvol
  set   - Sets a VGP OpenSSH Group Policy to the sysvol
To set a new OpenSSH rule, call the samba-tool gpo manage openssh set command, providing the following arguments:
- gpo: the Group Policy Object (GPO) that you want to modify. This MUST be the GUID of the GPO.
- setting: the OpenSSH setting that you want to modify. See the man page for sshd_config (man sshd_config) for a list of possible settings.
- value: the value that you want to set for the specified setting. If you do not provide a value, the policy will be unset.
Here is an example of how you might use this command to set KerberosAuthentication to Yes:
> samba-tool gpo manage openssh set \
 {31B2F340-016D-11D2-945F-00C04FB984F9} \
 KerberosAuthentication Yes -UAdministrator
Then let’s list the policy to see what has been set on the SYSVOL.
> samba-tool gpo manage openssh list \
 {31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
KerberosAuthentication Yes
18.2 Client Side Extension
The OpenSSH Client Side Extension (CSE) will create a new file in the /etc/ssh/sshd_config.d directory.
Let’s list the Resultant Set of Policy to view the policies we’ve created.
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
  CSE: vgp_openssh_ext
  -----------------------------------------------------------
    Policy Type: VGP/Unix Settings/OpenSSH
    -----------------------------------------------------------
    [ KerberosAuthentication ] =         Yes
    -----------------------------------------------------------
  -----------------------------------------------------------
=================================================================
The KerberosAuthentication setting we set is listed as expected.
Let’s now force an apply.
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
 | sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
 | xmllint --xpath "//gp_ext[@name='VGP/Unix Settings/OpenSSH']" - \
 | xmllint --format -
<gp_ext name="VGP/Unix Settings/OpenSSH">
  <attribute name="ezMx...Zy5k">
    /etc/ssh/sshd_config.d/gp_c7hytho4
  </attribute>
</gp_ext>
Notice that our new policy has been stored in /etc/ssh/sshd_config.d/gp_c7hytho4. Let’s check the contents of this file to see what was generated.
> sudo cat /etc/ssh/sshd_config.d/gp_c7hytho4
### autogenerated by samba
#
# This file is generated by the vgp_openssh_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
KerberosAuthentication Yes
Our policy was successfully applied.
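
sshd uses the first value it obtains for each keyword and reads a file under /etc/ssh/sshd_config.d only if an Include pattern in sshd_config matches it, so a generated file can exist without being effective. The following added example (not part of the original page or of Samba; `resolve` and `check_policy` are hypothetical names, the sshd_config texts are constructed, and Match blocks are not modelled) classifies a policy setting as effective, overridden or not loaded.

```python
import fnmatch
import os

def resolve(main_cfg, files, base="/etc/ssh"):
    """Return {keyword: (value, source)} for global sshd settings.

    Simplified model of sshd_config(5): the first value obtained for a
    keyword wins, and Include patterns are expanded in lexical order where
    they appear. `files` (path -> text) stands in for the filesystem.
    Match blocks are not modelled: a file is read up to its first Match.
    """
    seen = {}

    def walk(text, source):
        for raw in text.splitlines():
            parts = raw.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            val = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                return
            if key == "include":
                for pat in val.split():
                    pat = pat if pat.startswith("/") else os.path.join(base, pat)
                    for path in sorted(p for p in files if fnmatch.fnmatch(p, pat)):
                        walk(files[path], path)
            else:
                seen.setdefault(key, (val, source))  # first value wins

    walk(main_cfg, os.path.join(base, "sshd_config"))
    return seen

def check_policy(policy, main_cfg, files):
    """Classify each policy setting: effective, overridden, or not loaded."""
    seen = resolve(main_cfg, files)
    report = {}
    for name, want in policy.items():
        value, source = seen.get(name.lower(), (None, None))
        if value is None:
            report[name] = "not loaded"
        else:
            report[name] = "effective" if value == want else "overridden by " + source
    return report

# Constructed inputs; only the file path and its setting come from the page.
POLICY = {"KerberosAuthentication": "Yes"}
GP_FILE = {"/etc/ssh/sshd_config.d/gp_c7hytho4":
           "### autogenerated by samba\nKerberosAuthentication Yes\n"}
```

On a live host, `sudo sshd -T` prints the effective configuration that this model approximates.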