nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-21 07:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
FreedomBox/debian/control
Sunil Mohan Adapa c2007d0f6d
backups: Fix issue with verifying SSH hosts with RSA key 
- In current stable and testing, verifying SSH remote hosts using RSA is not
working. After selecting the verified RSA fingerprint, paramiko fails to connect

- A change introduced in paramiko 2.9 lead to failures when connecting to hosts
that have a verified RSA host key[1][2][3]. To fix the issue,
disabled_algorithms must be used to drop some of the other algorithms supported
by the server to force paramiko behavior. A better solution to the problem was
introduced in paramiko 3.2. Both these solutions require careful update to the
code. Considering the utility paramiko provides, the regression annoyance,
effort required for this fix, and the security implications (it is an completely
independent SSH implementation), the library does not seem to be worth the
effort in our case.

- Switch to using sshpass command line utility instead of paramiko library. The
only reason to use paramiko seems that 'ssh' command by default does not allow
us to input password easily while paramiko does.

- Another place where paramiko is being used is to check if a host is already
verified in the known_hosts file. This has been trivially replaced with
'ssh-keygen -F'.

- Exit codes provided by sshpass can replace the specific exception raised by
paramiko.

Links:

1) https://www.paramiko.org/changelog.html
2) https://github.com/paramiko/paramiko/issues/2017
3) https://github.com/paramiko/paramiko/issues/1984

Tests:

- Add a remote backup repository with and without encryption.

- Add remote backup repository with all three types of algorithms.

- Add a remote repository again with wrong password. Authentication error is
properly shown.

- Add a remote backup repository and remove it. Host remains verified. Add a
repository again.

- Add a remote backup repository and remove it. Host remains verified. Change
the fingerprint the /var/lib/plinth/.ssh/known_hosts file. Add a repository
again. A proper error is shown that remote host could not be verified.

- Add a remote backup repository and remove it. Host remains verified. Stop SSH
server on the remote host. A generic error is shown that ssh command on remote
host failed.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2024-12-29 14:01:04 -05:00

187 lines
5.2 KiB
Plaintext
Raw Blame History

Source: freedombox
Section: web
Priority: optional
Maintainer: FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
Uploaders:
Tzafrir Cohen <tzafrir@debian.org>,
Piotr Ożarowski <piotr@debian.org>,
Petter Reinholdtsen <pere@debian.org>,
Sunil Mohan Adapa <sunil@medhas.org>,
Nick Daly <Nick.M.Daly@gmail.com>,
Federico Ceratto <federico@debian.org>,
James Valleroy <jvalleroy@mailbox.org>,
Build-Depends:
debhelper-compat (= 13),
dblatex,
dh-python,
docbook-xsl,
e2fsprogs,
gir1.2-nm-1.0,
libjs-bootstrap5,
pybuild-plugin-pyproject,
python3-all:any,
python3-apt,
python3-augeas,
python3-bootstrapform,
python3-build,
python3-cherrypy3,
python3-configobj,
python3-cryptography,
python3-dbus,
python3-django,
python3-django-axes,
python3-django-captcha,
# Explictly depend on ipware as it is optional dependecy of django-axes
python3-django-ipware,
python3-django-stronghold,
python3-gi,
python3-markupsafe,
python3-mypy,
python3-pampy,
python3-pexpect,
python3-pip,
python3-psutil,
python3-pytest,
python3-pytest-cov,
python3-pytest-django,
python3-pytest-runner,
python3-requests,
python3-ruamel.yaml,
python3-setuptools,
python3-setuptools-git,
# python3-tomli is needed by python3-coverage when pyproject.toml is used
python3-tomli,
python3-typeshed,
python3-yaml,
sshpass,
xmlto,
xsltproc
Standards-Version: 4.6.2
Homepage: https://salsa.debian.org/freedombox-team/freedombox
Vcs-Git: https://salsa.debian.org/freedombox-team/freedombox.git
Vcs-Browser: https://salsa.debian.org/freedombox-team/freedombox
Rules-Requires-Root: no
Package: freedombox
Breaks:
# Ensure fuse gets replaced by fuse3 on upgrades from buster s.t. sshfs can be installed.
fuse (<< 3),
# If ufw is installed, remove it. See issue 2247.
ufw,
Architecture: all
Depends:
${python3:Depends},
${misc:Depends},
${freedombox:Depends},
adduser,
augeas-tools,
curl,
debconf,
dnsutils,
e2fsprogs,
fonts-fork-awesome,
fonts-lato,
# sgdisk is used in storage app to expand GPT disks
gdisk,
gettext,
gir1.2-glib-2.0,
gir1.2-nm-1.0,
javascript-common,
ldapscripts,
# For gdbus used to call hooks into service
libglib2.0-bin,
libjs-bootstrap5,
libjs-jquery,
lsof,
netcat-openbsd,
network-manager,
ppp,
pppoe,
python3-apt,
python3-argon2,
python3-augeas,
python3-bootstrapform,
python3-cherrypy3,
python3-configobj,
python3-dbus,
python3-django,
python3-django-axes,
python3-django-captcha,
# Explictly depend on ipware as it is optional dependecy of django-axes
python3-django-ipware,
python3-django-stronghold,
python3-gi,
python3-markupsafe,
python3-pampy,
python3-pexpect,
python3-psutil,
python3-requests,
python3-ruamel.yaml,
python3-systemd,
python3-yaml,
sudo,
wget,
# Ensure fuse gets replaced by fuse3 on upgrades from buster s.t. sshfs can be installed.
fuse3,
Recommends:
# Wifi firmware
firmware-ath9k-htc,
# FreedomBox documentation
freedombox-doc-en,
freedombox-doc-es,
# Resolve .local address using mDNS
libnss-mdns,
# Resolve current hostname without /etc/hosts
libnss-myhostname,
# Block repeated failed PAM login attempts
libpam-abl,
# Priority: standard
locales,
# Precompiled data for all locales
locales-all,
# Priority: standard
openssh-client,
# Used by unattended-upgrades to check if running on AC power
powermgmt-base,
# fuser, killall, pstree and other utilities
psmisc,
Description: easy to manage, privacy oriented home server
FreedomBox is designed to be your own inexpensive server at home. It runs free
software and offers an increasing number of services ranging from a calendar or
jabber server to a wiki or VPN. A web interface allows you to easily install
and configure your apps.
.
This package provides the FreedomBox Service (Plinth) which installs,
configures and manages all functions of FreedomBox. The service is managed
using a web interface available at https://localhost/.
Package: freedombox-doc-en
Architecture: all
Multi-Arch: foreign
Section: doc
Depends: ${misc:Depends}
Description: easy to manage, privacy oriented home server - user manual (English)
FreedomBox is designed to be your own inexpensive server at home. It runs free
software and offers an increasing number of services ranging from a calendar or
jabber server to a wiki or VPN. A web interface allows you to easily install
and configure your apps.
.
This package contains the English user manual in HTML and PDF formats. It
describes how to setup and use each application in FreedomBox and FreedomBox
itself. It is accessible from Help menu in the FreedomBox web interface.
Package: freedombox-doc-es
Architecture: all
Multi-Arch: foreign
Section: doc
Depends: ${misc:Depends}
Description: easy to manage, privacy oriented home server - user manual (Spanish)
FreedomBox is designed to be your own inexpensive server at home. It runs free
software and offers an increasing number of services ranging from a calendar or
jabber server to a wiki or VPN. A web interface allows you to easily install
and configure your apps.
.
This package contains the Spanish user manual in HTML and PDF formats. It
describes how to setup and use each application in FreedomBox and FreedomBox
itself. It is accessible from Help menu in the FreedomBox web interface.
Reference in New Issue View Git Blame Copy Permalink