From f716ddebc132f2e83f0b22146b31bc9c6c9453ca Mon Sep 17 00:00:00 2001
From: ljf
Date: Sun, 26 Aug 2018 14:46:17 +0200
Subject: [PATCH 1/7] [wip] Ask user for keeping or not sshd config

---
 install_yunohost | 60 +++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 3 deletions(-)

diff --git a/install_yunohost b/install_yunohost
index 26079fd..2f5d183 100755
--- a/install_yunohost
+++ b/install_yunohost
@@ -90,6 +90,7 @@ function main()
 step install_script_dependencies || die "Unable to install dependencies to install script"
 step create_custom_config || die "Creating custom configuration file /etc/yunohost/yunohost.conf failed"
 step confirm_installation || die "Installation cancelled at your request"
+ step manage_ssh_config || die "Error caught during sshd management"
 step fix_locales # do not die for a failure here, it's minor
 step setup_package_source || die "Setting up deb package sources failed"
 step apt_update || die "Error caught during 'apt-get update'"
@@ -276,9 +277,6 @@ function install_script_dependencies() {
 function create_custom_config() {
 # Create YunoHost configuration folder
 mkdir -p /etc/yunohost/
-
- # Store info about installation method
- touch /etc/yunohost/from_script
 }
 
 function confirm_installation() {
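Review bot: The added `step manage_ssh_config` line in the main() hunk calls a function this same patch defines as `manage_sshd_config` (the hunk starting at new line 298), so `step` cannot find it and every run dies with "Error caught during sshd management"; the line should read `step manage_sshd_config || die "Error caught during sshd management"`. Patch 2/7 of this series makes exactly that correction, so the two commits would be better squashed than left with a known-broken intermediate state.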
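Review bot: The `create_custom_config` hunk drops `touch /etc/yunohost/from_script`, the marker the removed comment describes as recording the installation method, which has nothing to do with the sshd prompt named in the commit title. If the postinstall or any other consumer tests for that file (not visible here), its behaviour changes with no mention in the message; either restore the line or move the removal to its own commit that states why the marker is no longer needed.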
@@ -300,6 +298,62 @@ Are you sure you want to proceed with the installation of Yunohost?
 whiptail --title "Yunohost Installation" --yesno "$text" 20 78
 }
 
+function manage_sshd_config() {
+ # In auto mode we erase the current sshd config
+ [[ "$AUTOMODE" == "1" ]] && return 0
+
+ [[ ! -f /etc/ssh/sshd_config ]] && return 0
+
+ local sshd_config_differs = "0"
+ local text="
+Caution !
+
+To ensure a global security of your server, YunoHost recommends to let it manage the SSH configuration of your server.
+
+Your current SSH configuration differs from common default configuration. If you
+let YunoHost reconfigure it, the way to access with SSH to your server could
+change after postinstall:
+"
+
+ # If root login is not deactivate
+ if ! grep -E "^[ \t]*PermitRootLogin[ \t]+no" /etc/ssh/sshd_config ; then
+ sshd_config_differs = "1"
+ text="$text- you will not be able to connect with root user, instead you will have to use admin user.
+"
+ fi
+
+ # If we are using an other Port
+ if ! grep -E "^[ \t]*Port[ \t]+22[ \t]*(#.*)?$" /etc/ssh/sshd_config && \
+ grep -E "^[ \t]*Port[ \t]$" /etc/ssh/sshd_config ; then
+ sshd_config_differs = "1"
+ text="$text- you will have to connect using port 22 instead of your custom SSH port. Feel free to reconfigure it after the postinstallation.
+"
+ fi
+
+ # If we are using DSA key for ssh server fingerprint
+ if grep "^[ \t]*HostKey[ \t]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then
+ sshd_config_differs = "1"
+ text="$text- you might need to invalidate a warning and to recheck fingerprint of your server, because DSA key will be disabled.
+"
+
+ fi
+
+ text="${text} Are you agree to let YunoHost replace your configuration and change you way to access your server ?
+"
+
+ # In all this case we ask user
+ if [[ "$sshd_config_differs" == "1" ]] ; then
+ if ! whiptail --title "SSH Configuration" --yesno "$text" 20 78 --defaultno ; then
+
+ # Keep a copy to restore it after regen-conf
+ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore
+ fi
+ fi
+
+ return 0
+
+}
+
 
 function setup_package_source() {
 local CUSTOMAPT=/etc/apt/sources.list.d/yunohost.list
From 81ffc1c2f8602fbc9a9be0a214addee0ca34f90d Mon Sep 17 00:00:00 2001
From: ljf
Date: Sun, 26 Aug 2018 17:22:04 +0200
Subject: [PATCH 2/7] [fix] Bash error

---
 install_yunohost | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/install_yunohost b/install_yunohost
index 2f5d183..aa69f1b 100755
--- a/install_yunohost
+++ b/install_yunohost
@@ -90,7 +90,7 @@ function main()
 step install_script_dependencies || die "Unable to install dependencies to install script"
 step create_custom_config || die "Creating custom configuration file /etc/yunohost/yunohost.conf failed"
 step confirm_installation || die "Installation cancelled at your request"
- step manage_ssh_config || die "Error caught during sshd management"
+ step manage_sshd_config || die "Error caught during sshd management"
 step fix_locales # do not die for a failure here, it's minor
 step setup_package_source || die "Setting up deb package sources failed"
 step apt_update || die "Error caught during 'apt-get update'"
@@ -304,7 +304,7 @@ function manage_sshd_config() {
 
 [[ ! -f /etc/ssh/sshd_config ]] && return 0
 
- local sshd_config_differs = "0"
+ local sshd_config_differs="0"
 local text="
 Caution !
 
@@ -317,7 +317,7 @@ change after postinstall:
 
 # If root login is not deactivate
 if ! grep -E "^[ \t]*PermitRootLogin[ \t]+no" /etc/ssh/sshd_config ; then
- sshd_config_differs = "1"
+ sshd_config_differs="1"
 text="$text- you will not be able to connect with root user, instead you will have to use admin user.
 "
 fi
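Review bot: The `cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore` line is the only thing that preserves the user's "No" answer, yet its result is ignored and the function returns 0 regardless, so a failed copy lets the later regen-conf replace a custom port or root-login setting the user explicitly asked to keep, with nothing reported; `cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore || return 1` would surface it through the `step ... || die` caller. The same unchecked `cp` survives the rewrite of this block in patch 6/7. Separately, none of the three `grep` calls pass `-q`, so every matching sshd_config line is echoed to the installer's terminal; `grep -qE` keeps the exit status and drops the noise, and patch 4/7 fixes the patterns but not this. Also `[ \t]` inside a bracket expression matches a backslash or a `t` rather than a tab, and `sshd_config_differs = "0"` runs a command named `sshd_config_differs` instead of assigning — both corrected later in the series.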
@@ -325,14 +325,14 @@ change after postinstall:
 # If we are using an other Port
 if ! grep -E "^[ \t]*Port[ \t]+22[ \t]*(#.*)?$" /etc/ssh/sshd_config && \
 grep -E "^[ \t]*Port[ \t]$" /etc/ssh/sshd_config ; then
- sshd_config_differs = "1"
+ sshd_config_differs="1"
 text="$text- you will have to connect using port 22 instead of your custom SSH port. Feel free to reconfigure it after the postinstallation.
 "
 fi
 
 # If we are using DSA key for ssh server fingerprint
 if grep "^[ \t]*HostKey[ \t]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then
- sshd_config_differs = "1"
+ sshd_config_differs="1"
 text="$text- you might need to invalidate a warning and to recheck fingerprint of your server, because DSA key will be disabled.
 "
 
From a2021fe1b9f6735840e2a4c8b0d0a1a5e352add9 Mon Sep 17 00:00:00 2001
From: ljf
Date: Sun, 26 Aug 2018 17:51:51 +0200
Subject: [PATCH 3/7] [fix] Allow to scroll if sshd text too big

---
 install_yunohost | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/install_yunohost b/install_yunohost
index aa69f1b..29da9b9 100755
--- a/install_yunohost
+++ b/install_yunohost
@@ -305,14 +305,9 @@ function manage_sshd_config() {
 [[ ! -f /etc/ssh/sshd_config ]] && return 0
 
 local sshd_config_differs="0"
- local text="
-Caution !
+ local text="To ensure a global security of your server, YunoHost recommends to let it manage the SSH configuration of your server.
 
-To ensure a global security of your server, YunoHost recommends to let it manage the SSH configuration of your server.
-
-Your current SSH configuration differs from common default configuration. If you
-let YunoHost reconfigure it, the way to access with SSH to your server could
-change after postinstall:
+Your current SSH configuration differs from common default configuration. If you let YunoHost reconfigure it, the way to access with SSH to your server could change after postinstall:
 "
 
 # If root login is not deactivate
@@ -338,12 +333,13 @@ change after postinstall:
 
 fi
 
- text="${text} Are you agree to let YunoHost replace your configuration and change you way to access your server ?
+ text="${text}
+Are you agree to let YunoHost replace your configuration and change you way to access your server ?
 "
 
 # In all this case we ask user
 if [[ "$sshd_config_differs" == "1" ]] ; then
- if ! whiptail --title "SSH Configuration" --yesno "$text" 20 78 --defaultno ; then
+ if ! whiptail --title "SSH Configuration" --yesno "$text" 20 78 --defaultno --scrolltext ; then
 
 # Keep a copy to restore it after regen-conf
 cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore
From 9db1689c213326059fa3eb9273dc07ac1b21ef64 Mon Sep 17 00:00:00 2001
From: ljf
Date: Sun, 26 Aug 2018 18:34:31 +0200
Subject: [PATCH 4/7] [fix] Grep regex

---
 install_yunohost | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/install_yunohost b/install_yunohost
index 29da9b9..da367c8 100755
--- a/install_yunohost
+++ b/install_yunohost
@@ -311,22 +311,21 @@ Your current SSH configuration differs from common default configuration. If you
 "
 
 # If root login is not deactivate
- if ! grep -E "^[ \t]*PermitRootLogin[ \t]+no" /etc/ssh/sshd_config ; then
+ if ! grep -E "^[[:blank:]]*PermitRootLogin[[:blank:]]+no" /etc/ssh/sshd_config ; then
 sshd_config_differs="1"
 text="$text- you will not be able to connect with root user, instead you will have to use admin user.
 "
 fi
 
 # If we are using an other Port
- if ! grep -E "^[ \t]*Port[ \t]+22[ \t]*(#.*)?$" /etc/ssh/sshd_config && \
- grep -E "^[ \t]*Port[ \t]$" /etc/ssh/sshd_config ; then
+ if grep -Ev "^[[:blank:]]*Port[[:blank:]]+22[[:blank:]]*(#.*)?$" /etc/ssh/sshd_config | grep -E "^[[:blank:]]*Port[[:blank:]]+[[:digit:]]+$" ; then
 sshd_config_differs="1"
 text="$text- you will have to connect using port 22 instead of your custom SSH port. Feel free to reconfigure it after the postinstallation.
 "
 fi
 
 # If we are using DSA key for ssh server fingerprint
- if grep "^[ \t]*HostKey[ \t]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then
+ if grep -E "^[[:blank:]]*HostKey[[:blank:]]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then
 sshd_config_differs="1"
 text="$text- you might need to invalidate a warning and to recheck fingerprint of your server, because DSA key will be disabled.
 "
From 16ef5193e4c84c7660d4bba87e54f17b1b5c6d23 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 25 Oct 2018 23:29:47 +0200
Subject: [PATCH 5/7] Improve wording

---
 install_yunohost | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/install_yunohost b/install_yunohost
index da367c8..8a294aa 100755
--- a/install_yunohost
+++ b/install_yunohost
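Review bot: The new Port pipeline only flags a custom port when the line ends right after the digits (`[[:digit:]]+$`), so `Port 2222 ` with trailing whitespace or `Port 2222 # custom` — forms the preceding `-v` pattern already tolerates for 22 — is not detected, and a user on such a port gets no warning before postinstall moves sshd back to 22 and may lose remote access. Give both patterns the same tail: `grep -qE "^[[:blank:]]*Port[[:blank:]]+[[:digit:]]+[[:blank:]]*(#.*)?$"`. sshd_config keywords are case-insensitive (sshd_config(5)), so `-i` on all three greps avoids missing `port 2222` or `permitrootlogin no`, and `-q` also stops the matched lines from being echoed to the installer's terminal.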
@@ -305,35 +305,34 @@ function manage_sshd_config() {
 [[ ! -f /etc/ssh/sshd_config ]] && return 0
 
 local sshd_config_differs="0"
- local text="To ensure a global security of your server, YunoHost recommends to let it manage the SSH configuration of your server.
-
-Your current SSH configuration differs from common default configuration. If you let YunoHost reconfigure it, the way to access with SSH to your server could change after postinstall:
-"
+ local text="To improve the security of your server, it is recommended to let YunoHost manage the SSH configuration.
+Your current SSH configuration differs from the recommended configuration.
+If you let YunoHost reconfigure it, the way you connect to your server through SSH will change in the following way:"
 
 # If root login is not deactivate
 if ! grep -E "^[[:blank:]]*PermitRootLogin[[:blank:]]+no" /etc/ssh/sshd_config ; then
 sshd_config_differs="1"
- text="$text- you will not be able to connect with root user, instead you will have to use admin user.
+ text="$text- you will not be able to connect as root through SSH. Instead you should use the admin user ;
 "
 fi
 
 # If we are using an other Port
 if grep -Ev "^[[:blank:]]*Port[[:blank:]]+22[[:blank:]]*(#.*)?$" /etc/ssh/sshd_config | grep -E "^[[:blank:]]*Port[[:blank:]]+[[:digit:]]+$" ; then
 sshd_config_differs="1"
- text="$text- you will have to connect using port 22 instead of your custom SSH port. Feel free to reconfigure it after the postinstallation.
+ text="$text- you will have to connect using port 22 instead of your current custom SSH port. Feel free to reconfigure it after the postinstallation.
 "
 fi
 
 # If we are using DSA key for ssh server fingerprint
 if grep -E "^[[:blank:]]*HostKey[[:blank:]]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then
 sshd_config_differs="1"
- text="$text- you might need to invalidate a warning and to recheck fingerprint of your server, because DSA key will be disabled.
+ text="$text- the DSA key will be disabled. Hence, you might need to invalidate a spooky warning from your SSH client, and recheck the fingerprint of your server ;
 "
 
 fi
 
 text="${text}
-Are you agree to let YunoHost replace your configuration and change you way to access your server ?
+Do you agree to let YunoHost apply those changes to your configuration and therefore affect the way you connect through SSH ?
 "
 
 # In all this case we ask user
From 337b73fa76251922a69915c394a4eb546b28fe8e Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 29 Nov 2018 17:21:54 +0100
Subject: [PATCH 6/7] Misc cosmetic improvements

---
 install_yunohost | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/install_yunohost b/install_yunohost
index 8a294aa..a2b4c6f 100755
--- a/install_yunohost
+++ b/install_yunohost
@@ -303,30 +303,30 @@ function manage_sshd_config() {
 [[ "$AUTOMODE" == "1" ]] && return 0
 
 [[ ! -f /etc/ssh/sshd_config ]] && return 0
-
- local sshd_config_differs="0"
+
+ local sshd_config_possible_issues="0"
 local text="To improve the security of your server, it is recommended to let YunoHost manage the SSH configuration.
-Your current SSH configuration differs from the recommended configuration.
+Your current SSH configuration differs from the recommended configuration.
 If you let YunoHost reconfigure it, the way you connect to your server through SSH will change in the following way:"
 
- # If root login is not deactivate
+ # If root login is currently enabled
 if ! grep -E "^[[:blank:]]*PermitRootLogin[[:blank:]]+no" /etc/ssh/sshd_config ; then
- sshd_config_differs="1"
- text="$text- you will not be able to connect as root through SSH. Instead you should use the admin user ;
+ sshd_config_possible_issues="1"
+ text="$text\n- you will not be able to connect as root through SSH. Instead you should use the admin user ;
 "
 fi
-
- # If we are using an other Port
+
+ # If current conf uses a custom ssh port
 if grep -Ev "^[[:blank:]]*Port[[:blank:]]+22[[:blank:]]*(#.*)?$" /etc/ssh/sshd_config | grep -E "^[[:blank:]]*Port[[:blank:]]+[[:digit:]]+$" ; then
- sshd_config_differs="1"
- text="$text- you will have to connect using port 22 instead of your current custom SSH port. Feel free to reconfigure it after the postinstallation.
+ sshd_config_possible_issues="1"
+ text="$text\n- you will have to connect using port 22 instead of your current custom SSH port. Feel free to reconfigure it after the postinstallation.
 "
 fi
 
 # If we are using DSA key for ssh server fingerprint
 if grep -E "^[[:blank:]]*HostKey[[:blank:]]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then
- sshd_config_differs="1"
- text="$text- the DSA key will be disabled. Hence, you might need to invalidate a spooky warning from your SSH client, and recheck the fingerprint of your server ;
+ sshd_config_possible_issues="1"
+ text="$text\n- the DSA key will be disabled. Hence, you might later need to invalidate a spooky warning from your SSH client, and recheck the fingerprint of your server ;
 "
 
 fi
@@ -334,18 +334,19 @@ If you let YunoHost reconfigure it, the way you connect to your server through S
 text="${text}
 Do you agree to let YunoHost apply those changes to your configuration and therefore affect the way you connect through SSH ?
 "
-
- # In all this case we ask user
- if [[ "$sshd_config_differs" == "1" ]] ; then
- if ! whiptail --title "SSH Configuration" --yesno "$text" 20 78 --defaultno --scrolltext ; then
-
- # Keep a copy to restore it after regen-conf
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore
- fi
+
+ # If no possible issue found, we just assume it's okay and will take over the SSH conf during postinstall
+ [[ "$sshd_config_possible_issues" == "0" ]] && return 0
+
+ # Otherwise, we ask the user to confirm
+ if ! whiptail --title "SSH Configuration" --yesno "$text" 20 78 --defaultno --scrolltext ; then
+
+ # Keep a copy to be restored during the postinstall
+ # so that the ssh confs behaves as manually modified.
+ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore
 fi
 
 return 0
-
 }
 
 function setup_package_source() {
From 536b5fe94b3a81331873203b6f2e086a1414a341 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 3 Dec 2018 17:06:47 +0000
Subject: [PATCH 7/7] Semantics

---
 install_yunohost | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_yunohost b/install_yunohost
index a2b4c6f..968313d 100755
--- a/install_yunohost
+++ b/install_yunohost
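Review bot: The three `text="$text\n- ..."` lines in the first hunk rely on `\n` becoming a line break, but inside bash double quotes it stays the two characters backslash and `n`; whether whiptail expands that sequence itself is not shown by the diff, and if it does not, the dialog prints `\n-` literally in front of each bullet. A literal newline inside the string, as the `text="${text}` / `Do you agree ...` lines already do, or `text="$text"$'\n'"- you will not be able ..."`, does not depend on it. In the second hunk the `cp` that keeps the user's copy is still unchecked (see the note on patch 1/7), and the new early `return 0` means a configuration whose only deviation is something these three checks do not inspect, such as a `Match` block or a `ListenAddress` carrying a port, is taken over without any prompt — the comment above it should say so explicitly.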
@@ -343,7 +343,7 @@ Do you agree to let YunoHost apply those changes to your configuration and there
 
 # Keep a copy to be restored during the postinstall
 # so that the ssh confs behaves as manually modified.
- cp /etc/ssh/sshd_config /etc/ssh/sshd_config.to_restore
+ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before_yunohost
 fi
 
 return 0