ssh config: Add ssh_allow_root_on_localnet

A global setting named ssh_allow_root_on_localnet is added.
The old sshd_config template unconditionally enabled PermitRootLogin
for clients on the local network. Depending on where YunoHost is
deployed this does not make sense and can be a security issue when
the server is hosted by a third party.

Signed-off-by: Nicolas Palix <nicolas.palix@imag.fr>
Nicolas Palix 2022-12-19 21:08:32 +01:00
parent 4a3a9f8064
commit df5b986801
4 changed files with 11 additions and 2 deletions


@ -100,11 +100,11 @@ Match Group sftp.app,!ssh.app
PermitTunnel no
PermitUserRC no
PasswordAuthentication {{ password_authentication }}
{% if allow_root_on_localnet == "true" %}
# root login is allowed on local networks
# It's meant to be a backup solution in case LDAP is down and
# user admin can't be used...
# If the server is a VPS, it's expected that the owner of the
# server has access to a web console through which to log in.
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
PermitRootLogin yes
PermitRootLogin yes{% endif %}
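Review bot: When `allow_root_on_localnet` is anything other than the string `"true"`, this hunk emits no `PermitRootLogin` directive at all, so root access from the listed ranges falls back to whatever the global section earlier in the template sets, and OpenSSH's built-in default is `prohibit-password`, not `no`; confirm the global section carries an explicit `PermitRootLogin no`, otherwise the new setting only removes the localnet password exception rather than disabling root login. The `Match Address` list mixes RFC 1918, link-local and ULA ranges, and on a VPS the 10.0.0.0/8 side is often the provider's shared tenant network, which is exactly the case the commit description worries about; a comment above `Match Address` such as `# These ranges are only trustworthy on a physically private LAN, not on a provider's shared internal network` would make the trade-off visible to whoever flips the setting. As a point of style, `{% endif %}` is glued to the directive on the last line; writing `    PermitRootLogin yes` and then `{% endif %}` on its own line mirrors the opening `{% if %}` and does not depend on what follows the tag. The `Match Group sftp.app,!ssh.app` block this hunk sits in starts before the hunk, and anything after the last line is outside my view.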


@ -18,6 +18,7 @@ do_pre_regen() {
export compatibility="$(yunohost settings get 'security.ssh.ssh_compatibility')"
export port="$(yunohost settings get 'security.ssh.ssh_port')"
export password_authentication="$(yunohost settings get 'security.ssh.ssh_password_authentication')"
export allow_root_on_localnet="$(yunohost settings get 'security.ssh.ssh_allow_root_on_localnet')"
export ssh_keys
export ipv6_enabled
ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
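Review bot: The added `export allow_root_on_localnet="$(yunohost settings get ...)"` masks the exit status of the command substitution, because `export` itself succeeds: if the lookup fails (for example if the setting is not yet present when this regen runs during an upgrade), the variable is exported empty, the template's `== "true"` test is false, and the localnet root exception disappears without any message. That is the fail-closed direction, so the outcome is tolerable, but the silence is not; splitting assignment from export lets the status surface, `allow_root_on_localnet="$(yunohost settings get 'security.ssh.ssh_allow_root_on_localnet')" || return 1` followed by `export allow_root_on_localnet`, using whatever error helper this script normally relies on instead of a bare `return` if one exists. The three neighbouring `export` lines have the same weakness and it is not introduced by this commit. `do_pre_regen` begins and ends outside the hunk.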


@ -423,6 +423,8 @@
"global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects). See https://infosec.mozilla.org/guidelines/openssh for more info.",
"global_settings_setting_ssh_password_authentication": "Password authentication",
"global_settings_setting_ssh_password_authentication_help": "Allow password authentication for SSH",
"global_settings_setting_ssh_allow_root_on_localnet": "Permit root from localnet",
"global_settings_setting_ssh_allow_root_on_localnet_help": "Allow root login from the local network",
"global_settings_setting_ssh_port": "SSH port",
"global_settings_setting_ssowat_panel_overlay_enabled": "Enable the small 'YunoHost' portal shortcut square on apps",
"global_settings_setting_portal_theme": "Portal theme",


@ -45,6 +45,12 @@ name = "Security"
yes = "yes"
no = "no"
[security.ssh.ssh_allow_root_on_localnet]
type = "boolean"
default = true
yes = "true"
no = "false"
[security.nginx]
name = "NGINX (web server)"
[security.nginx.nginx_redirect_to_https]
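Review bot: `default = true` keeps exactly the behaviour the commit description calls a security issue on third-party hosting, so every existing and freshly installed server retains the localnet root exception until an admin finds the setting and turns it off; the hardening is opt-in. If the default is deliberately kept for backward compatibility with the LDAP-outage fallback, a comment next to it should say so, e.g. `# kept true for backward compatibility; set to false on VPS / third-party hosting`, and a `false` default for new installs would be the safer choice if the settings system can distinguish fresh installs from upgrades. The `yes = "true"` / `no = "false"` strings differ from the `"yes"` / `"no"` of the preceding setting; that looks deliberate, since the template compares this value against the literal `"true"` while the previous one is rendered straight into sshd_config, and a one-line comment saying so would stop the next reader from "fixing" it.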