ssh: Restrict logins to groups root, admin and freedombox-ssh

Tests: - Remove restricted console logins. Try to login via SSH with non-admin and note that it fails. sudo into the user succeeds. - Add a user to freedombox-ssh group from Users & Groups app. Login with SSH succeeds. - Login with admin user succeeds with and without adding to freedombox-ssh group. - On a fresh install, non-admin users are not restricted. - On an upgrade from a version with the patch, non-admin users are restricted. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 07:55:00 +00:00 · 2022-11-11 14:26:14 -08:00 · 2022-11-11 14:26:14 -08:00 · 21c8a8945f
commit 21c8a8945f
parent 7d4283d7b8
3 changed files with 36 additions and 2 deletions
--- a/plinth/modules/ssh/init.py
+++ b/plinth/modules/ssh/init.py
@ -12,6 +12,7 @@ from plinth import menu
 from plinth.daemon import Daemon
 from plinth.modules.backups.components import BackupRestore
 from plinth.modules.firewall.components import Firewall
+from plinth.modules.users.components import UsersAndGroups
 from plinth.package import Packages

 from . import manifest, privileged
@ -29,7 +30,7 @@ class SSHApp(app_module.App):

    app_id = 'ssh'

-    _version = 1
+    _version = 2

    def __init__(self):
        """Create components for the app."""
@ -56,6 +57,13 @@ class SSHApp(app_module.App):
        daemon = Daemon('daemon-ssh', 'ssh')
        self.add(daemon)

+        groups = {
+            'freedombox-ssh': _('Remotely login using Secure Shell (SSH)')
+        }
+        users_and_groups = UsersAndGroups('users-and-groups-ssh',
+                                          groups=groups)
+        self.add(users_and_groups)
+
        backup_restore = BackupRestore('backup-restore-ssh', **manifest.backup)
        self.add(backup_restore)

@ -63,7 +71,10 @@ class SSHApp(app_module.App):
        """Install and configure the app."""
        super().setup(old_version)
        privileged.setup()
-        self.enable()
+        if not old_version:
+            self.enable()
+        elif old_version == 1:
+            privileged.restrict_users(True)


 def get_host_keys():
--- a/plinth/modules/ssh/manifest.py
+++ b/plinth/modules/ssh/manifest.py
@ -4,6 +4,9 @@ Application manifest for ssh.
 """

 backup = {
+    'config': {
+        'files': ['/etc/ssh/sshd_config.d/freedombox.conf']
+    },
    'secrets': {
        'files': [
            '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ecdsa_key.pub',
--- a/plinth/modules/ssh/privileged.py
+++ b/plinth/modules/ssh/privileged.py
@ -3,6 +3,7 @@

 import grp
 import os
+import pathlib
 import pwd
 import shutil
 import stat
@ -13,6 +14,8 @@ import augeas
 from plinth import action_utils, utils
 from plinth.actions import privileged

+config_file = pathlib.Path('/etc/ssh/sshd_config.d/freedombox.conf')
+

 def _validate_user(username, password, must_be_admin=True):
    """Validate a user."""
@ -53,6 +56,23 @@ def setup():
    action_utils.dpkg_reconfigure('openssh-server', {})


+@privileged
+def restrict_users(should_restrict: bool):
+    """Restrict SSH logins to groups root, admin and freedombox-ssh."""
+    if not should_restrict:
+        config_file.unlink(missing_ok=True)
+    else:
+        config_file.write_text('AllowGroups root admin freedombox-ssh\n',
+                               encoding='utf-8')
+
+    action_utils.service_reload('sshd')
+
+
+def are_users_restricted() -> bool:
+    """Return whether only restricted groups of users are allowed."""
+    return config_file.exists()
+
+
 def get_user_homedir(username):
    """Return the home dir of a user by looking up in password database."""
    try: