1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-22 07:17:05 +00:00

More robust reading of sshd configuration (#2330)

Use sshd -T instead of directly reading the configuration files
This commit is contained in:
KiekerJan 2024-03-23 16:16:40 +01:00 committed by GitHub
parent 9b450469eb
commit 1a239c55bb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 44 additions and 43 deletions

View File

@ -9,7 +9,7 @@ import ipaddress
import rtyaml import rtyaml
import dns.resolver import dns.resolver
from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains from utils import shell, load_env_vars_from_file, safe_domain_name, sort_domains, get_ssh_port
from ssl_certificates import get_ssl_certificates, check_certificate from ssl_certificates import get_ssl_certificates, check_certificate
import contextlib import contextlib
@ -448,14 +448,11 @@ def build_sshfp_records():
# if SSH has been configured to listen on a nonstandard port, we must # if SSH has been configured to listen on a nonstandard port, we must
# specify that port to sshkeyscan. # specify that port to sshkeyscan.
port = 22 port = get_ssh_port()
with open('/etc/ssh/sshd_config', encoding="utf-8") as f:
for line in f: # If nothing returned, SSH is probably not installed.
s = line.rstrip().split() if not port:
if len(s) == 2 and s[0] == 'Port': return
with contextlib.suppress(ValueError):
port = int(s[1])
break
keys = shell("check_output", ["ssh-keyscan", "-4", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"]) keys = shell("check_output", ["ssh-keyscan", "-4", "-t", "rsa,dsa,ecdsa,ed25519", "-p", str(port), "localhost"])
keys = sorted(keys.split("\n")) keys = sorted(keys.split("\n"))

View File

@ -17,7 +17,7 @@ from web_update import get_web_domains, get_domains_with_a_records
from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
from mailconfig import get_mail_domains, get_mail_aliases from mailconfig import get_mail_domains, get_mail_aliases
from utils import shell, sort_domains, load_env_vars_from_file, load_settings from utils import shell, sort_domains, load_env_vars_from_file, load_settings, get_ssh_port, get_ssh_config_value
def get_services(): def get_services():
return [ return [
@ -65,24 +65,6 @@ def run_checks(rounded_values, env, output, pool, domains_to_check=None):
run_network_checks(env, output) run_network_checks(env, output)
run_domain_checks(rounded_values, env, output, pool, domains_to_check=domains_to_check) run_domain_checks(rounded_values, env, output, pool, domains_to_check=domains_to_check)
def get_ssh_port():
# Returns ssh port
try:
output = shell('check_output', ['sshd', '-T'])
except FileNotFoundError:
# sshd is not installed. That's ok.
return None
returnNext = False
for e in output.split():
if returnNext:
return int(e)
if e == "port":
returnNext = True
# Did not find port!
return None
def run_services_checks(env, output, pool): def run_services_checks(env, output, pool):
# Check that system services are running. # Check that system services are running.
all_running = True all_running = True
@ -206,21 +188,15 @@ def is_port_allowed(ufw, port):
return any(re.match(str(port) +"[/ \t].*", item) for item in ufw) return any(re.match(str(port) +"[/ \t].*", item) for item in ufw)
def check_ssh_password(env, output): def check_ssh_password(env, output):
# Check that SSH login with password is disabled. The openssh-server config_value = get_ssh_config_value("passwordauthentication")
# package may not be installed so check that before trying to access if config_value:
# the configuration file. if config_value == "no":
if not os.path.exists("/etc/ssh/sshd_config"): output.print_ok("SSH disallows password-based login.")
return else:
with open("/etc/ssh/sshd_config", encoding="utf-8") as f: output.print_error("""The SSH server on this machine permits password-based login. A more secure
sshd = f.read() way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
if re.search("\nPasswordAuthentication\\s+yes", sshd) \ that you can log in without a password, set the option 'PasswordAuthentication no' in
or not re.search("\nPasswordAuthentication\\s+no", sshd): /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
output.print_error("""The SSH server on this machine permits password-based login. A more secure
way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
that you can log in without a password, set the option 'PasswordAuthentication no' in
/etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
else:
output.print_ok("SSH disallows password-based login.")
def is_reboot_needed_due_to_package_installation(): def is_reboot_needed_due_to_package_installation():
return os.path.exists("/var/run/reboot-required") return os.path.exists("/var/run/reboot-required")

View File

@ -179,6 +179,34 @@ def wait_for_service(port, public, env, timeout):
return False return False
time.sleep(min(timeout/4, 1)) time.sleep(min(timeout/4, 1))
def get_ssh_port():
port_value = get_ssh_config_value("port")
if port_value:
return int(port_value)
return None
def get_ssh_config_value(parameter_name):
# Returns ssh configuration value for the provided parameter
try:
output = shell('check_output', ['sshd', '-T'])
except FileNotFoundError:
# sshd is not installed. That's ok.
return None
except subprocess.CalledProcessError:
# error while calling shell command
return None
for line in output.split("\n"):
if " " not in line: continue # there's a blank line at the end
key, values = line.split(" ", 1)
if key == parameter_name:
return values # space-delimited if there are multiple values
# Did not find the parameter!
return None
if __name__ == "__main__": if __name__ == "__main__":
from web_update import get_web_domains from web_update import get_web_domains
env = load_environment() env = load_environment()