Report an error in the diagnosis and migration if sshd config is insecure

2024-09-03 20:06:10 +02:00 · 2021-04-16 22:05:36 +02:00 · 2021-04-16 22:05:36 +02:00 · c53f5ac16a
commit c53f5ac16a
parent 4a0b343e5e
3 changed files with 17 additions and 0 deletions
--- a/data/hooks/diagnosis/70-regenconf.py
+++ b/data/hooks/diagnosis/70-regenconf.py
@ -35,6 +35,16 @@ class RegenconfDiagnoser(Diagnoser):
                    details=["diagnosis_regenconf_manually_modified_details"],
                )
        if any(f["path"] == '/etc/ssh/sshd_config' for f in regenconf_modified_files) \
            and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
                yield dict(
                   meta={
                       "test": "sshd_config_insecure"
                   },
                   status="ERROR",
                   summary="diagnosis_sshd_config_insecure",
                )
    def manually_modified_files(self):
        for category, infos in _get_regenconf_infos().items():
--- a/locales/en.json
+++ b/locales/en.json
@ -269,6 +269,7 @@
    "diagnosis_unknown_categories": "The following categories are unknown: {categories}",
    "diagnosis_never_ran_yet": "It looks like this server was setup recently and there's no diagnosis report to show yet. You should start by running a full diagnosis, either from the webadmin or using 'yunohost diagnosis run' from the command line.",
    "diagnosis_processes_killed_by_oom_reaper": "Some processes were recently killed by the system because it ran out of memory. This is typically symptomatic of a lack of memory on the system or of a process that ate up to much memory. Summary of the processes killed:\n{kills_summary}",
    "diagnosis_sshd_config_insecure": "The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.",
    "domain_cannot_remove_main": "You cannot remove '{domain:s}' since it's the main domain, you first need to set another domain as the main domain using 'yunohost domain main-domain -n <another-domain>'; here is the list of candidate domains: {other_domains:s}",
    "domain_cannot_add_xmpp_upload": "You cannot add domains starting with 'xmpp-upload.'. This kind of name is reserved for the XMPP upload feature integrated in YunoHost.",
    "domain_cannot_remove_main_add_new_one": "You cannot remove '{domain:s}' since it's the main domain and your only domain, you need to first add another domain using 'yunohost domain add <another-domain.com>', then set is as the main domain using 'yunohost domain main-domain -n <another-domain.com>' and then you can remove the domain '{domain:s}' using 'yunohost domain remove {domain:s}'.'",
--- a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
+++ b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
@ -1,4 +1,5 @@
 import subprocess
 import os
 from moulinette import m18n
 from moulinette.utils.log import getActionLogger
@ -6,6 +7,7 @@ from moulinette.utils.filesystem import read_yaml
 from yunohost.tools import Migration
 from yunohost.permission import user_permission_update, permission_sync_to_user
 from yunohost.regenconf import manually_modified_files
 logger = getActionLogger('yunohost.migration')
@ -49,6 +51,10 @@ class MyMigration(Migration):
        # old loginShell value ?
        subprocess.call(['nscd', '-i', 'passwd'])
        if '/etc/ssh/sshd_config' in manually_modified_files() \
            and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
                logger.error(m18n.n('diagnosis_sshd_config_insecure'))
    def run_after_system_restore(self):
        self.run()