mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-28 08:03:36 +00:00
21c8a8945f
Tests: - Remove restricted console logins. Try to login via SSH with non-admin and note that it fails. sudo into the user succeeds. - Add a user to freedombox-ssh group from Users & Groups app. Login with SSH succeeds. - Login with admin user succeeds with and without adding to freedombox-ssh group. - On a fresh install, non-admin users are not restricted. - On an upgrade from a version with the patch, non-admin users are restricted. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
98 lines
3.1 KiB
Python
98 lines
3.1 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""FreedomBox app for OpenSSH server."""
|
|
|
|
import pathlib
|
|
import re
|
|
import subprocess
|
|
|
|
from django.utils.translation import gettext_lazy as _
|
|
|
|
from plinth import app as app_module
|
|
from plinth import menu
|
|
from plinth.daemon import Daemon
|
|
from plinth.modules.backups.components import BackupRestore
|
|
from plinth.modules.firewall.components import Firewall
|
|
from plinth.modules.users.components import UsersAndGroups
|
|
from plinth.package import Packages
|
|
|
|
from . import manifest, privileged
|
|
|
|
_description = [
|
|
_('A Secure Shell server uses the secure shell protocol to accept '
|
|
'connections from remote computers. An authorized remote computer '
|
|
'can perform administration tasks, copy files or run other services '
|
|
'using such connections.')
|
|
]
|
|
|
|
|
|
class SSHApp(app_module.App):
|
|
"""FreedomBox app for SSH."""
|
|
|
|
app_id = 'ssh'
|
|
|
|
_version = 2
|
|
|
|
def __init__(self):
|
|
"""Create components for the app."""
|
|
super().__init__()
|
|
|
|
info = app_module.Info(app_id=self.app_id, version=self._version,
|
|
is_essential=True,
|
|
name=_('Secure Shell (SSH) Server'),
|
|
icon='fa-terminal', description=_description,
|
|
manual_page='SecureShell')
|
|
self.add(info)
|
|
|
|
menu_item = menu.Menu('menu-ssh', info.name, None, info.icon,
|
|
'ssh:index', parent_url_name='system')
|
|
self.add(menu_item)
|
|
|
|
packages = Packages('packages-ssh', ['openssh-server'])
|
|
self.add(packages)
|
|
|
|
firewall = Firewall('firewall-ssh', info.name, ports=['ssh'],
|
|
is_external=True)
|
|
self.add(firewall)
|
|
|
|
daemon = Daemon('daemon-ssh', 'ssh')
|
|
self.add(daemon)
|
|
|
|
groups = {
|
|
'freedombox-ssh': _('Remotely login using Secure Shell (SSH)')
|
|
}
|
|
users_and_groups = UsersAndGroups('users-and-groups-ssh',
|
|
groups=groups)
|
|
self.add(users_and_groups)
|
|
|
|
backup_restore = BackupRestore('backup-restore-ssh', **manifest.backup)
|
|
self.add(backup_restore)
|
|
|
|
def setup(self, old_version):
|
|
"""Install and configure the app."""
|
|
super().setup(old_version)
|
|
privileged.setup()
|
|
if not old_version:
|
|
self.enable()
|
|
elif old_version == 1:
|
|
privileged.restrict_users(True)
|
|
|
|
|
|
def get_host_keys():
|
|
"""Return Host keys of the system."""
|
|
etc_ssh = pathlib.Path('/etc/ssh/')
|
|
host_keys = []
|
|
pattern = re.compile(r'^(?P<bit_size>\d+) (?P<fingerprint>[\S]+) '
|
|
r'.+ \((?P<algorithm>\w+)\)$')
|
|
|
|
for public_key in etc_ssh.glob('*.pub'):
|
|
process = subprocess.run(['ssh-keygen', '-l', '-f',
|
|
str(public_key)], stdout=subprocess.PIPE,
|
|
check=True)
|
|
output = process.stdout.decode().strip()
|
|
if output:
|
|
match = re.match(pattern, output)
|
|
if match:
|
|
host_keys.append(match.groupdict())
|
|
|
|
return host_keys
|