diff --git a/locales/en.json b/locales/en.json
index 803d5c937..54792a827 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -296,12 +296,12 @@
 "migration_0006_done": "Your root password have been replaced by your admin password.",
 "migration_0006_cancelled": "YunoHost has failed to improve the way your SSH conf is managed.",
 "migration_0006_cannot_restart": "SSH can't be restarted after trying to cancel migration number 6.",
- "migration_0007_general_warning": "To improve the security of your server, it is recommended to let YunoHost manage the SSH configuration. Your current SSH configuration differs from the recommended configuration. If you let YunoHost reconfigure it, the way you connect to your server through SSH will change in the following way:",
+ "migration_0007_general_disclaimer": "To improve the security of your server, it is recommended to let YunoHost manage the SSH configuration. Your current SSH configuration differs from the recommended configuration. If you let YunoHost reconfigure it, the way you connect to your server through SSH will change in the following way:",
 "migration_0007_port": " - you will have to connect using port 22 instead of your current custom SSH port. Feel free to reconfigure it ;",
- "migration_0007_root": " - you will not be able to connect with root user, instead you will have to use the admin user ;",
- "migration_0007_dsa": " - you might need to invalidate a warning and to recheck the fingerprint of your server, because DSA key will be disabled ;",
- "migration_0007_risk": "If you understand those warnings and agree to let YunoHost override your current configuration, run the migration. Otherwise, you can also skip the migration though it is not recommended.",
- "migration_0007_no_risk": "No major risk has been indentified about overriding your SSH configuration - but it's difficult to be sure. If you agree to let YunoHost override your current configuration, run the migration. Otherwise, you can also skip the migration though it is not recommended.",
+ "migration_0007_root": " - you will not be able to connect as root through SSH. 
Instead you should use the admin user ;",
+ "migration_0007_dsa": " - the DSA key will be disabled. Hence, you might need to invalidate a warning from your SSH client, and recheck the fingerprint of your server ;",
+ "migration_0007_warning": "If you understand those warnings and agree to let YunoHost override your current configuration, run the migration. Otherwise, you can also skip the migration - though it is not recommended.",
+ "migration_0007_no_warning": "No major risk has been indentified about overriding your SSH configuration - but we can't be absolutely sure ;) ! If you agree to let YunoHost override your current configuration, run the migration. Otherwise, you can also skip the migration - though it is not recommended.",
 "migrations_backward": "Migrating backward.",
 "migrations_bad_value_for_target": "Invalid number for target argument, available migrations numbers are 0 or {}",
 "migrations_cant_reach_migration_file": "Can't access migrations files at path %s",
diff --git a/src/yunohost/data_migrations/0007_ssh_conf_managed_by_yunohost_step2.py b/src/yunohost/data_migrations/0007_ssh_conf_managed_by_yunohost_step2.py
index 10e319b2d..c6355ac61 100644
--- a/src/yunohost/data_migrations/0007_ssh_conf_managed_by_yunohost_step2.py
+++ b/src/yunohost/data_migrations/0007_ssh_conf_managed_by_yunohost_step2.py
@@ -11,6 +11,7 @@ from yunohost.settings import settings_set, settings_get logger = getActionLogger('yunohost.migration') +SSHD_CONF = '/etc/ssh/sshd_config' class MyMigration(Migration): """ 
@@ -41,10 +42,8 @@ class MyMigration(Migration):
 # and no DSA key is used, then we're good to go
 # and the migration can be done automatically
 # (basically nothing shall change)
- ynh_hash = _get_conf_hashes('ssh')
- if '/etc/ssh/sshd_config' in ynh_hash:
- ynh_hash = ynh_hash['/etc/ssh/sshd_config']
- current_hash = _calculate_hash('/etc/ssh/sshd_config')
+ ynh_hash = _get_conf_hashes('ssh').get(SSHD_CONF, None)
+ current_hash = _calculate_hash(SSHD_CONF)
 dsa = settings_get("service.ssh._deprecated_dsa_hostkey")
 if ynh_hash == current_hash and not dsa:
 return "auto"
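Review bot: `.get(SSHD_CONF, None)` spells out the default that `dict.get` already uses, so `ynh_hash = _get_conf_hashes('ssh').get(SSHD_CONF)` says the same thing more simply. The missing-key case is also worth a comment, because a `None` hash silently fails the `ynh_hash == current_hash` test below and so takes the non-automatic path: `# no recorded hash for sshd_config: the comparison below fails and the migration is never run automatically`. The enclosing method starts outside the hunk and appears to continue past it.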
@@ -59,43 +58,39 @@ class MyMigration(Migration):
 # Detect key things to be aware of before enabling the
 # recommended configuration
- dsa = False
+ dsa_key_enabled = False
 ports = []
 root_login = []
 port_rgx = r'^[ \t]*Port[ \t]+(\d+)[ \t]*(?:#.*)?$'
 root_rgx = r'^[ \t]*PermitRootLogin[ \t]([^# \t]*)[ \t]*(?:#.*)?$'
 dsa_rgx = r'^[ \t]*HostKey[ \t]+/etc/ssh/ssh_host_dsa_key[ \t]*(?:#.*)?$'
- for line in open('/etc/ssh/sshd_config'):
+ for line in open(SSHD_CONF):
 ports = ports + re.findall(port_rgx, line)
 root_login = root_login + re.findall(root_rgx, line)
- if not dsa and re.match(dsa_rgx, line) is not None:
- dsa = True
+ if not dsa_key_enabled and re.match(dsa_rgx, line) is not None:
+ dsa_key_enabled = True
- if len(ports) == 0:
- ports = ['22']
-
- port = ports != ['22']
-
- root_user = root_login and root_login[-1] != 'no'
+ custom_port = ports != ['22'] and ports != []
+ root_login_enabled = root_login and root_login[-1] != 'no'
 # Build message
- message = m18n.n("migration_0007_general_warning")
+ message = m18n.n("migration_0007_general_disclaimer")
- if port:
+ if custom_port:
 message += "\n\n" + m18n.n("migration_0007_port")
- if root_user:
+ if root_login_enabled:
 message += "\n\n" + m18n.n("migration_0007_root")
- if dsa:
+ if dsa_key_enabled:
 message += "\n\n" + m18n.n("migration_0007_dsa")
- if port or root_user or dsa:
- message += "\n\n" + m18n.n("migration_0007_risk")
+ if custom_port or root_login_enabled or dsa_key_enabled:
+ message += "\n\n" + m18n.n("migration_0007_warning")
 else:
- message += "\n\n" + m18n.n("migration_0007_no_risk")
+ message += "\n\n" + m18n.n("migration_0007_no_warning")
 return message
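Review bot: `root_login_enabled = root_login and root_login[-1] != 'no'` keeps the last `PermitRootLogin` value collected, whereas sshd uses the first obtained value of a keyword, so a file with `PermitRootLogin yes` followed later by `PermitRootLogin no` is reported here as having root login disabled while sshd still allows it; `root_login[0]` follows sshd's rule. A `PermitRootLogin` inside a `Match` block is matched by `root_rgx` as well and would then stand in for the global value in this check, which deserves at least a comment such as `# NOTE: Match-block overrides are not distinguished from the global setting`. Separately, the rewritten `for line in open(SSHD_CONF):` never closes the file handle; `with open(SSHD_CONF) as sshd_conf:` followed by `for line in sshd_conf:` is the idiomatic form. The enclosing method starts outside the hunk.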