diff --git a/data/hooks/diagnosis/70-regenconf.py b/data/hooks/diagnosis/70-regenconf.py
index 5ab1e3808..b8551f5fe 100644
--- a/data/hooks/diagnosis/70-regenconf.py
+++ b/data/hooks/diagnosis/70-regenconf.py
@@ -35,6 +35,16 @@ class RegenconfDiagnoser(Diagnoser):
 details=["diagnosis_regenconf_manually_modified_details"],
 )
+ if any(f["path"] == '/etc/ssh/sshd_config' for f in regenconf_modified_files) \
+ and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
+ yield dict(
+ meta={
+ "test": "sshd_config_insecure"
+ },
+ status="ERROR",
+ summary="diagnosis_sshd_config_insecure",
+ )
+
 def manually_modified_files(self):
 for category, infos in _get_regenconf_infos().items():
diff --git a/locales/en.json b/locales/en.json
index 027fe981e..840d359ed 100644
--- a/locales/en.json
+++ b/locales/en.json
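Review bot: The new condition calls `os.system(...)` but this hunk adds no `import os` to 70-regenconf.py (the migration file in the same commit does get `+import os`), so unless `os` is already imported above line 35 the diagnoser raises NameError the first time a modified sshd_config is encountered. The grep also looks only at /etc/ssh/sshd_config, whereas an `Include` directive (OpenSSH 8.2+) can carry AllowUsers/AllowGroups in another file, so a correctly hardened server could be reported as ERROR; querying the effective configuration avoids both the shell string and that false positive, e.g. `effective = subprocess.check_output(["sshd", "-T"]).lower()` and then `... and b"allowusers" not in effective and b"allowgroups" not in effective:` in place of the `os.system(...) != 0` clause (sshd -T prints keywords lower-cased as far as I recall, and needs root, which the diagnoser presumably has — worth confirming). The same grep string is duplicated in the 0020_ssh_sftp_permissions.py hunk below; a single helper in yunohost.regenconf would keep the two checks in step. The enclosing generator method starts before this hunk.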
@@ -269,6 +269,7 @@
 "diagnosis_unknown_categories": "The following categories are unknown: {categories}",
 "diagnosis_never_ran_yet": "It looks like this server was setup recently and there's no diagnosis report to show yet. You should start by running a full diagnosis, either from the webadmin or using 'yunohost diagnosis run' from the command line.",
 "diagnosis_processes_killed_by_oom_reaper": "Some processes were recently killed by the system because it ran out of memory. This is typically symptomatic of a lack of memory on the system or of a process that ate up to much memory. Summary of the processes killed:\n{kills_summary}",
+ "diagnosis_sshd_config_insecure": "The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.",
 "domain_cannot_remove_main": "You cannot remove '{domain:s}' since it's the main domain, you first need to set another domain as the main domain using 'yunohost domain main-domain -n <another-domain>'; here is the list of candidate domains: {other_domains:s}",
 "domain_cannot_add_xmpp_upload": "You cannot add domains starting with 'xmpp-upload.'. This kind of name is reserved for the XMPP upload feature integrated in YunoHost.",
 "domain_cannot_remove_main_add_new_one": "You cannot remove '{domain:s}' since it's the main domain and your only domain, you need to first add another domain using 'yunohost domain add <another-domain.com>', then set is as the main domain using 'yunohost domain main-domain -n <another-domain.com>' and then you can remove the domain '{domain:s}' using 'yunohost domain remove {domain:s}'.'",
diff --git a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
index 97d4ee2fd..52d813d32 100644
--- a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
+++ b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
@@ -1,4 +1,5 @@
 import subprocess
+import os
 from moulinette import m18n
 from moulinette.utils.log import getActionLogger
@@ -6,6 +7,7 @@ from moulinette.utils.filesystem import read_yaml
 from yunohost.tools import Migration
 from yunohost.permission import user_permission_update, permission_sync_to_user
+from yunohost.regenconf import manually_modified_files
 logger = getActionLogger('yunohost.migration')
@@ -49,6 +51,10 @@ class MyMigration(Migration):
 # old loginShell value ?
 subprocess.call(['nscd', '-i', 'passwd'])
+ if '/etc/ssh/sshd_config' in manually_modified_files() \
+ and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
+ logger.error(m18n.n('diagnosis_sshd_config_insecure'))
+
 def run_after_system_restore(self):
 self.run()
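Review bot: The new check in the third hunk runs `os.system` with a shell string in a file that, two lines above, already invokes its external command as `subprocess.call([...])`, and it costs a new `import os` for that single call. Using the existing import keeps the file consistent and drops the shell round-trip: `subprocess.call(["grep", "-q", "-E", "^ *Allow(Groups|Users)", "/etc/ssh/sshd_config"]) != 0`. The branch only logs and the migration still completes, which looks deliberate but deserves a comment, e.g. `# Only warn: a missing AllowUsers/AllowGroups must not block the migration`. The enclosing `run()` method starts before this hunk.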