Feat(eos_cli_config_gen): Set ssh authentication protocols and empty …

…password (#4436)
aristanetworks · Sep 6, 2024 · 4e310f9 · 4e310f9
1 parent 533a57e
commit 4e310f9
Show file tree

Hide file tree

Showing 8 changed files with 80 additions and 0 deletions.
diff --git a/.../arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md b/.../arista/avd/molecule/eos_cli_config_gen/documentation/devices/management-ssh.md
@@ -36,6 +36,12 @@ interface Management1
 
 ### Management SSH
 
+#### Authentication Settings
+
+| Authentication protocols | Empty passwords |
+| ------------------------ | --------------- |
+| keyboard-interactive, password, public-key | permit |
+
 #### IPv4 ACL
 
 | IPv4 ACL | VRF |
@@ -75,8 +81,10 @@ management ssh
    ip access-group ACL-SSH in
    ip access-group ACL-SSH-VRF vrf mgt in
    idle-timeout 15
+   authentication protocol keyboard-interactive password public-key
    connection limit 50
    connection per-host 10
+   authentication empty-passwords permit
    client-alive interval 666
    client-alive count-max 42
    fips restrictions

diff --git a/...le_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg b/...le_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/management-ssh.cfg
@@ -8,8 +8,10 @@ management ssh
    ip access-group ACL-SSH in
    ip access-group ACL-SSH-VRF vrf mgt in
    idle-timeout 15
+   authentication protocol keyboard-interactive password public-key
    connection limit 50
    connection per-host 10
+   authentication empty-passwords permit
    client-alive interval 666
    client-alive count-max 42
    fips restrictions

diff --git a/...collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml b/...collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/management-ssh.yml
@@ -1,4 +1,10 @@
 management_ssh:
+  authentication:
+    empty_passwords: permit
+    protocols:
+      - keyboard-interactive
+      - password
+      - public-key
   access_groups:
     - name: ACL-SSH
     - name: ACL-SSH-VRF

diff --git a/...e_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md b/...e_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-ssh.md
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-ssh.j2
@@ -7,6 +7,20 @@
 {% if management_ssh is arista.avd.defined %}
 
 ### Management SSH
+{%     if management_ssh.authentication is arista.avd.defined %}
+
+#### Authentication Settings
+
+| Authentication protocols | Empty passwords |
+| ------------------------ | --------------- |
+{%         if management_ssh.authentication.protocols is arista.avd.defined  %}
+{%             set protocols = management_ssh.authentication.protocols | join(", ") %}
+{%         else %}
+{%             set protocols = 'keyboard-interactive, public-key' %}
+{%         endif %}
+{%         set empty_passwords = management_ssh.authentication.empty_passwords | arista.avd.default('auto') %}
+| {{ protocols }} | {{ empty_passwords }} |
+{%     endif %}
 {%     if management_ssh.access_groups is arista.avd.defined %}
 
 #### IPv4 ACL

diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-ssh.j2
@@ -30,12 +30,18 @@ management ssh
 {%     if management_ssh.idle_timeout is arista.avd.defined %}
    idle-timeout {{ management_ssh.idle_timeout }}
 {%     endif %}
+{%     if management_ssh.authentication.protocols is arista.avd.defined  %}
+   authentication protocol {{ management_ssh.authentication.protocols | join(" ") }}
+{%     endif %}
 {%     if management_ssh.connection.limit is arista.avd.defined %}
    connection limit {{ management_ssh.connection.limit }}
 {%     endif %}
 {%     if management_ssh.connection.per_host is arista.avd.defined %}
    connection per-host {{ management_ssh.connection.per_host }}
 {%     endif %}
+{%     if management_ssh.authentication.empty_passwords is arista.avd.defined  %}
+   authentication empty-passwords {{ management_ssh.authentication.empty_passwords }}
+{%     endif %}
 {%     if management_ssh.client_alive.interval is arista.avd.defined %}
    client-alive interval {{ management_ssh.client_alive.interval }}
 {%     endif %}

diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_ssh.schema.yml
@@ -10,6 +10,19 @@ keys:
   management_ssh:
     type: dict
     keys:
+      authentication:
+        type: dict
+        keys:
+          empty_passwords:
+            type: str
+            valid_values: ["auto", "deny", "permit"]
+            description: Permit or deny empty passwords for SSH authentication.
+          protocols:
+            type: list
+            items:
+              type: str
+              valid_values: ["keyboard-interactive", "password", "public-key"]
+            description: Allowed SSH authentication methods.
       access_groups:
         type: list
         items: