From c53f5ac16ae98e63105b2bb7790b1572124d23f5 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 16 Apr 2021 22:05:36 +0200
Subject: [PATCH] Report an error in the diagnosis and migration if sshd config is insecure
---
 data/hooks/diagnosis/70-regenconf.py | 10 ++++++++++
 locales/en.json | 1 +
 .../data_migrations/0020_ssh_sftp_permissions.py | 6 ++++++
 3 files changed, 17 insertions(+)
diff --git a/data/hooks/diagnosis/70-regenconf.py b/data/hooks/diagnosis/70-regenconf.py
index 5ab1e3808..b8551f5fe 100644
--- a/data/hooks/diagnosis/70-regenconf.py
+++ b/data/hooks/diagnosis/70-regenconf.py
@@ -35,6 +35,16 @@ class RegenconfDiagnoser(Diagnoser):
 details=["diagnosis_regenconf_manually_modified_details"],
 )
+ if any(f["path"] == '/etc/ssh/sshd_config' for f in regenconf_modified_files) \
+ and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
+ yield dict(
+ meta={
+ "test": "sshd_config_insecure"
+ },
+ status="ERROR",
+ summary="diagnosis_sshd_config_insecure",
+ )
+
 def manually_modified_files(self):
 for category, infos in _get_regenconf_infos().items():
diff --git a/locales/en.json b/locales/en.json
index 027fe981e..840d359ed 100644
--- a/locales/en.json
+++ b/locales/en.json
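Review bot: The `grep` in the added condition of `RegenconfDiagnoser` judges the SSH setup from the raw text of one file, so its verdict can differ from what sshd actually enforces. sshd_config keywords are case-insensitive and may be indented with tabs or followed by `=`, so a valid `allowusers` line is reported as insecure, while an `AllowUsers` line indented under a `Match` block is accepted as if it were a global restriction. A non-zero status also covers grep failing to read the file, not only "no match". A tighter pattern would be `grep -qiE '^[[:space:]]*Allow(Groups|Users)[[:space:]=]' /etc/ssh/sshd_config`, with a comment stating that `Match`-scoped directives are not distinguished; the last hunk of `0020_ssh_sftp_permissions.py` repeats the same check. The enclosing method begins above this hunk.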
@@ -269,6 +269,7 @@
 "diagnosis_unknown_categories": "The following categories are unknown: {categories}",
 "diagnosis_never_ran_yet": "It looks like this server was setup recently and there's no diagnosis report to show yet. You should start by running a full diagnosis, either from the webadmin or using 'yunohost diagnosis run' from the command line.",
 "diagnosis_processes_killed_by_oom_reaper": "Some processes were recently killed by the system because it ran out of memory. This is typically symptomatic of a lack of memory on the system or of a process that ate up to much memory. Summary of the processes killed:\n{kills_summary}",
+ "diagnosis_sshd_config_insecure": "The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.",
 "domain_cannot_remove_main": "You cannot remove '{domain:s}' since it's the main domain, you first need to set another domain as the main domain using 'yunohost domain main-domain -n '; here is the list of candidate domains: {other_domains:s}",
 "domain_cannot_add_xmpp_upload": "You cannot add domains starting with 'xmpp-upload.'. This kind of name is reserved for the XMPP upload feature integrated in YunoHost.",
 "domain_cannot_remove_main_add_new_one": "You cannot remove '{domain:s}' since it's the main domain and your only domain, you need to first add another domain using 'yunohost domain add ', then set is as the main domain using 'yunohost domain main-domain -n ' and then you can remove the domain '{domain:s}' using 'yunohost domain remove {domain:s}'.'",
diff --git a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
index 97d4ee2fd..52d813d32 100644
--- a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
+++ b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
@@ -1,4 +1,5 @@
 import subprocess
+import os
 from moulinette import m18n
 from moulinette.utils.log import getActionLogger
@@ -6,6 +7,7 @@ from moulinette.utils.filesystem import read_yaml
 from yunohost.tools import Migration
 from yunohost.permission import user_permission_update, permission_sync_to_user
+from yunohost.regenconf import manually_modified_files
 logger = getActionLogger('yunohost.migration')
@@ -49,6 +51,10 @@ class MyMigration(Migration):
 # old loginShell value ?
 subprocess.call(['nscd', '-i', 'passwd'])
+ if '/etc/ssh/sshd_config' in manually_modified_files() \
+ and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
+ logger.error(m18n.n('diagnosis_sshd_config_insecure'))
+
 def run_after_system_restore(self):
 self.run()
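Review bot: The added check in the last hunk shells out through `os.system`, which is the only reason this file gains `import os`, although `subprocess` is already imported and used on the line just above. Calling `subprocess.call(["grep", "-q", "-E", "^ *(AllowGroups|AllowUsers)", "/etc/ssh/sshd_config"]) != 0` avoids the shell and the doubly escaped `\\|`. Because the diagnoser in `70-regenconf.py` carries the same condition, one shared helper would keep the two checks from drifting apart. The method this code is added to starts above the hunk.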