authorSimon Rettberg2020-11-16 14:12:14 +0100
committerSimon Rettberg2020-11-16 14:12:14 +0100
commitc89a5a97944d83d021708d20424e7de3dd261ff7 (patch)
tree7366d725636e2b67cc58cd68c00df08112af4ba4
parent[RecompressArchive] Properly implement duplicate filename detection (diff)
downloadtmlite-bwlp-c89a5a97944d83d021708d20424e7de3dd261ff7.tar.gz
tmlite-bwlp-c89a5a97944d83d021708d20424e7de3dd261ff7.tar.xz
tmlite-bwlp-c89a5a97944d83d021708d20424e7de3dd261ff7.zip
[SshConfigGenerator] Adapt to changed config from slx-admin
See #3628 and #3345
-rw-r--r--data/sshd_config.template9
-rw-r--r--src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java73
2 files changed, 64 insertions, 18 deletions
diff --git a/data/sshd_config.template b/data/sshd_config.template
index a6536e2..5517c1a 100644
--- a/data/sshd_config.template
+++ b/data/sshd_config.template
@@ -1,4 +1,8 @@
Port %PORT%
+PasswordAuthentication %ALLOW_PASSWORD%
+PermitRootLogin %ALLOW_ROOT%
+AllowUsers %ALLOW_USERS%
+DenyUsers %DENY_USERS%
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
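Review bot: The new `PasswordAuthentication`, `PermitRootLogin`, `AllowUsers` and `DenyUsers` lines at the top of the template must remain the only occurrence of those keywords: sshd_config(5) uses the first value obtained for each keyword, which is why the hard-coded `PermitRootLogin yes` and `AllowUsers root` further down are removed in the second hunk. A template comment would keep a later edit from re-adding a duplicate that sshd would then silently ignore, e.g. `# Filled in by SshdConfigGenerator; these must stay the first occurrence of each keyword`. Note also that `AllowUsers %ALLOW_USERS%` combined with `DenyUsers %DENY_USERS%` relies on sshd processing DenyUsers before AllowUsers, so a name appearing in both lists is denied.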
@@ -6,24 +10,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30
-PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
-PasswordAuthentication %PASSWORDLOGIN%
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
-X11DisplayOffset 10
PrintMotd no
-PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
-AllowUsers root
UseDNS no
diff --git a/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java b/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java
index fff70ca..cb66038 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java
@@ -14,12 +14,23 @@ import com.google.gson.annotations.Expose;
public class SshdConfigGenerator extends AbstractTask
{
+
+ private static enum PasswordLogin
+ {
+ NO, USER_ONLY, YES
+ };
+
+ private static enum AllowUsers
+ {
+ ROOT_ONLY, USER_ONLY, ALL
+ }
+
@Expose
private int listenPort = 0;
@Expose
- private String allowPasswordLogin = "no";
+ private PasswordLogin allowPasswordLogin;
@Expose
- private String publicKey = "";
+ private AllowUsers allowedUsersLogin;
@Expose
private String filename = null;
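Review bot: `static` on the nested enums at L64 and L69 is redundant — member enums are implicitly static — and the trailing `;` after the `PasswordLogin` body (L67) is inconsistent with `AllowUsers` (L72). The constants carry security meaning that is only visible in the switch statements later in the file, so a short Javadoc on each enum would help, e.g. for `PasswordLogin`: `/** Maps to PasswordAuthentication/PermitRootLogin: NO = key-only login, USER_ONLY = passwords for non-root accounts, YES = passwords including root. */`, and for `AllowUsers` a matching one describing ROOT_ONLY/USER_ONLY/ALL. Both new fields deliberately have no initializer, so a missing JSON value leaves them null and `initTask()` rejects the task; a one-line comment stating that this is the intended fail-closed default would preserve that intent.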
@@ -29,14 +40,18 @@ public class SshdConfigGenerator extends AbstractTask
protected boolean initTask()
{
this.setStatusObject( status );
- if ( !Util.isAllowedDir( this.filename ) )
+ if ( !Util.isAllowedDir( this.filename ) ) {
status.error = "Invalid directory for " + this.filename;
- if ( allowPasswordLogin == null || ( !allowPasswordLogin.equals( "yes" ) && !allowPasswordLogin.equals( "no" ) ) )
- status.error = "Invalid value for allowPasswordLogin: " + allowPasswordLogin;
- if ( listenPort > 65535 || listenPort < 1 )
+ }
+ if ( allowPasswordLogin == null ) {
+ status.error = "Invalid value for allowPasswordLogin";
+ }
+ if ( allowedUsersLogin == null ) {
+ status.error = "Invalid value for allowedUsersLogin";
+ }
+ if ( listenPort > 65535 || listenPort < 1 ) {
status.error = "Invalid value for listenPort: " + listenPort;
- if ( publicKey != null && !publicKey.isEmpty() && !publicKey.matches( "^[a-z0-9\\-]+ [A-Za-z0-9=/\\+]+ .*" ) )
- status.error = "Invalid public key: '" + publicKey + "'";
+ }
return status.error == null;
}
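Review bot: Each validation block still only assigns `status.error`, so when several fields are invalid only the last message (`listenPort`) reaches the caller and the earlier causes are lost; since the method returns `status.error == null` anyway, returning on the first failure, e.g. `status.error = "Invalid directory for " + this.filename; return false;` in each block, reports the actual cause. The null checks on `allowPasswordLogin` and `allowedUsersLogin` are what make the enum change fail closed — presumably the JSON deserializer yields null for an unrecognised enum name, so an unexpected value from slx-admin is rejected here rather than reaching the switch `default` branches; a comment such as `// null also covers unknown enum names from the JSON input` would make that dependency explicit.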
@@ -53,8 +68,44 @@ public class SshdConfigGenerator extends AbstractTask
status.error = e.toString();
return false;
}
+ String allowPassword;
+ String allowRoot;
+ switch ( allowPasswordLogin ) {
+ default:
+ case NO:
+ allowPassword = "no";
+ allowRoot = "prohibit-password";
+ break;
+ case USER_ONLY:
+ allowPassword = "yes";
+ allowRoot = "prohibit-password";
+ break;
+ case YES:
+ allowPassword = "yes";
+ allowRoot = "yes";
+ break;
+ }
+ String allowUsers;
+ String denyUsers = "demo";
+ switch ( allowedUsersLogin ) {
+ case ALL:
+ allowUsers = "*";
+ break;
+ default:
+ case ROOT_ONLY:
+ allowUsers = "root";
+ break;
+ case USER_ONLY:
+ allowUsers = "*";
+ denyUsers += " root";
+ allowRoot = "no";
+ break;
+ }
template = template.replace( "%PORT%", Integer.toString( this.listenPort ) );
- template = template.replace( "%PASSWORDLOGIN%", allowPasswordLogin );
+ template = template.replace( "%ALLOW_PASSWORD%", allowPassword );
+ template = template.replace( "%ALLOW_ROOT%", allowRoot );
+ template = template.replace( "%ALLOW_USERS%", allowUsers );
+ template = template.replace( "%DENY_USERS%", denyUsers );
try {
outArchive = Archive.createTarArchive( this.filename );
} catch ( IOException e ) {
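Review bot: The `USER_ONLY` branch of the second switch (L139-L143) overwrites the `allowRoot` value chosen by the first switch, so the outcome depends on the two switches running in this order and a reader of the first switch alone will misjudge when root login is permitted; a comment on L142 such as `// USER_ONLY forbids root entirely, overriding the PermitRootLogin value chosen above` would make that explicit. `denyUsers = "demo"` is an unexplained literal — presumably a local account that must never log in over ssh — and deserves a named constant with a comment stating why it is always denied. Placing `default:` before a `case` label and relying on fall-through (L115, L135) is legal but unusual; putting `default` last with a comment that the conservative choice (`NO` / `ROOT_ONLY`) is the fallback reads more clearly. The enclosing method starts and ends outside this hunk.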
@@ -62,10 +113,6 @@ public class SshdConfigGenerator extends AbstractTask
return false;
}
boolean ok = Archive.tarCreateFileFromString( outArchive, "/etc/ssh/sshd_config", template, 0644 );
- if ( publicKey != null && !publicKey.isEmpty() ) {
- String name = "sshd_conf_mod-" + publicKey.hashCode() + "-" + System.currentTimeMillis() + ".pub";
- ok |= Archive.tarCreateFileFromString( outArchive, "/root/.ssh/authorized_keys.d/" + name, publicKey, 0600 );
- }
ok |= Archive.tarCreateSymlink( outArchive, "../sshd.service", "/etc/systemd/system/network.target.wants/sshd.service" );
if ( !ok ) {
status.error = "Could not create module archive contents";