diff --git a/management/whats_next.py b/management/whats_next.py
index dca23eac..6f927ca8 100755
--- a/management/whats_next.py
+++ b/management/whats_next.py
@@ -17,6 +17,27 @@ from mailconfig import get_mail_domains, get_mail_aliases
 from utils import shell, sort_domains
 def run_checks(env):
+ run_system_checks(env)
+ run_domain_checks(env)
+
+def run_system_checks(env):
+ print("System")
+ print("======")
+
+ # Check that SSH login with password is disabled.
+ sshd = open("/etc/ssh/sshd_config").read()
+ if re.search("\nPasswordAuthentication\s+yes", sshd) \
+ or not re.search("\nPasswordAuthentication\s+no", sshd):
+ print_error("""The SSH server on this machine permits password-based login. A more secure
+ way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
+ that you can log in without a password, set the option 'PasswordAuthentication no' in
+ /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
+ else:
+ print_ok("SSH disallows password-based login.")
+
+ print()
+
+def run_domain_checks(env):
 # Get the list of domains we handle mail for.
 mail_domains = get_mail_domains(env)
diff --git a/setup/check_ssh.sh b/setup/check_ssh.sh
deleted file mode 100755
index 155bf704..00000000
--- a/setup/check_ssh.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-# Check that SSH login with password is disabled. Stop if it's enabled.
-if grep -q "^PasswordAuthentication yes" /etc/ssh/sshd_config \
- || ! grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config ; then
- echo "The SSH server on this machine permits password-based login."
- echo "A more secure way to log in is using a public key."
- echo ""
- echo "Add your SSH public key to $HOME/.ssh/authorized_keys, check"
- echo "check that you can log in without a password, set the option"
- echo "'PasswordAuthentication no' in /etc/ssh/sshd_config, and then"
- echo "restart the openssh via 'sudo service ssh restart'"
- exit
-fi
-
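Review bot: The sshd_config test in run_system_checks can print "SSH disallows password-based login." while password logins are still accepted, because `"\nPasswordAuthentication\s+yes"` only matches a directive written in exactly that capitalisation at column 0 and not on the file's first line; sshd keywords are case-insensitive, and an indented `PasswordAuthentication yes` under a `Match` block is missed. A tighter form for the `yes` test is `re.search(r"^\s*PasswordAuthentication\s+yes\b", sshd, re.M | re.I)`, which also replaces the non-raw `\s` escape, while the `no` test should stay anchored at column 0 (`r"^PasswordAuthentication\s+no\b"`) so a Match-scoped `no` is not taken for the global setting. Keyboard-interactive authentication through PAM can still prompt for a password and is not covered by either pattern, so reading the effective settings from `sshd -T` output would be more reliable than matching the file text. The bare `open("/etc/ssh/sshd_config").read()` never closes the file and raises if the file is missing or unreadable, which would abort run_checks before run_domain_checks runs; a `with open(...)` inside `try`/`except OSError` that reports through print_error would keep the remaining checks running.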