From c89a5a97944d83d021708d20424e7de3dd261ff7 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Mon, 16 Nov 2020 14:12:14 +0100 Subject: [SshConfigGenerator] Adapt to changed config from slx-admin See #3628 and #3345 --- data/sshd_config.template | 9 ++- .../taskmanager/tasks/SshdConfigGenerator.java | 73 ++++++++++++++++++---- 2 files changed, 64 insertions(+), 18 deletions(-) diff --git a/data/sshd_config.template b/data/sshd_config.template index a6536e2..5517c1a 100644 --- a/data/sshd_config.template +++ b/data/sshd_config.template @@ -1,4 +1,8 @@ Port %PORT% +PasswordAuthentication %ALLOW_PASSWORD% +PermitRootLogin %ALLOW_ROOT% +AllowUsers %ALLOW_USERS% +DenyUsers %DENY_USERS% Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key @@ -6,24 +10,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key SyslogFacility AUTH LogLevel INFO LoginGraceTime 30 -PermitRootLogin yes StrictModes yes PubkeyAuthentication yes -PasswordAuthentication %PASSWORDLOGIN% AuthorizedKeysFile %h/.ssh/authorized_keys IgnoreRhosts yes HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no X11Forwarding yes -X11DisplayOffset 10 PrintMotd no -PrintLastLog yes TCPKeepAlive yes Banner /etc/issue.net AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes -AllowUsers root UseDNS no diff --git a/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java b/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java index fff70ca..cb66038 100644 --- a/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java +++ b/src/main/java/org/openslx/taskmanager/tasks/SshdConfigGenerator.java 
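Review bot: The four new placeholder lines in the first hunk give no hint of what SshdConfigGenerator substitutes, so someone editing the template cannot tell that `%ALLOW_USERS%`/`%DENY_USERS%` receive user lists and `%ALLOW_ROOT%` a PermitRootLogin keyword rather than a plain yes/no. Because sshd takes the first occurrence of each keyword, these lines must also stay above any later duplicate, which is why the old `PermitRootLogin yes` and `AllowUsers root` had to be removed further down. A one-line comment would make both constraints explicit: `# Placeholders are filled in by SshdConfigGenerator; keep them first, sshd honours the first value of each keyword`. It may also be worth stating there that `%ALLOW_ROOT%` can expand to `prohibit-password`, a keyword that sshd releases older than 7.0 reject at startup; whether such an sshd is still shipped in the target images is not visible from this diff.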
@@ -14,12 +14,23 @@ import com.google.gson.annotations.Expose; public class SshdConfigGenerator extends AbstractTask { + + private static enum PasswordLogin + { + NO, USER_ONLY, YES + }; + + private static enum AllowUsers + { + ROOT_ONLY, USER_ONLY, ALL + } + @Expose private int listenPort = 0; @Expose - private String allowPasswordLogin = "no"; + private PasswordLogin allowPasswordLogin; @Expose - private String publicKey = ""; + private AllowUsers allowedUsersLogin; @Expose private String filename = null; @@ -29,14 +40,18 @@ public class SshdConfigGenerator extends AbstractTask protected boolean initTask() { this.setStatusObject( status ); - if ( !Util.isAllowedDir( this.filename ) ) + if ( !Util.isAllowedDir( this.filename ) ) { status.error = "Invalid directory for " + this.filename; - if ( allowPasswordLogin == null || ( !allowPasswordLogin.equals( "yes" ) && !allowPasswordLogin.equals( "no" ) ) ) - status.error = "Invalid value for allowPasswordLogin: " + allowPasswordLogin; - if ( listenPort > 65535 || listenPort < 1 ) + } + if ( allowPasswordLogin == null ) { + status.error = "Invalid value for allowPasswordLogin"; + } + if ( allowedUsersLogin == null ) { + status.error = "Invalid value for allowedUsersLogin"; + } + if ( listenPort > 65535 || listenPort < 1 ) { status.error = "Invalid value for listenPort: " + listenPort; - if ( publicKey != null && !publicKey.isEmpty() && !publicKey.matches( "^[a-z0-9\\-]+ [A-Za-z0-9=/\\+]+ .*" ) ) - status.error = "Invalid public key: '" + publicKey + "'"; + } return status.error == null; } 
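Review bot: Neither new enum documents what its constants mean, yet their values are only interpreted in combination later in the task body, so a reader of the field declarations cannot tell that `USER_ONLY` means two different things in the two enums. Suggested Javadoc: `/** Who may authenticate with a password: NO nobody, USER_ONLY non-root users, YES everyone including root. */` on PasswordLogin and `/** Which accounts may log in at all: ROOT_ONLY, USER_ONLY (root denied), ALL. */` on AllowUsers. Two style nits on the same lines: `static` is redundant on a nested enum, and the `};` closing PasswordLogin leaves a stray semicolon the second enum does not have. The class body continues beyond this hunk.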
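Review bot: The two new null checks in initTask, like the existing ones, assign `status.error` without returning, so when several inputs are bad only the last message survives and the earlier failures are never reported to the caller. They also cannot distinguish a missing JSON key from an unrecognised enum name, since both presumably leave the field null after deserialisation (the enums have no default value), so the message "Invalid value" is misleading for the missing-key case. Returning as soon as a check fails fixes both: `if ( allowPasswordLogin == null ) { status.error = "Missing or invalid value for allowPasswordLogin"; return false; }` and the same shape for `allowedUsersLogin`.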
@@ -53,8 +68,44 @@ public class SshdConfigGenerator extends AbstractTask status.error = e.toString(); return false; } + String allowPassword; + String allowRoot; + switch ( allowPasswordLogin ) { + default: + case NO: + allowPassword = "no"; + allowRoot = "prohibit-password"; + break; + case USER_ONLY: + allowPassword = "yes"; + allowRoot = "prohibit-password"; + break; + case YES: + allowPassword = "yes"; + allowRoot = "yes"; + break; + } + String allowUsers; + String denyUsers = "demo"; + switch ( allowedUsersLogin ) { + case ALL: + allowUsers = "*"; + break; + default: + case ROOT_ONLY: + allowUsers = "root"; + break; + case USER_ONLY: + allowUsers = "*"; + denyUsers += " root"; + allowRoot = "no"; + break; + } template = template.replace( "%PORT%", Integer.toString( this.listenPort ) ); - template = template.replace( "%PASSWORDLOGIN%", allowPasswordLogin ); + template = template.replace( "%ALLOW_PASSWORD%", allowPassword ); + template = template.replace( "%ALLOW_ROOT%", allowRoot ); + template = template.replace( "%ALLOW_USERS%", allowUsers ); + template = template.replace( "%DENY_USERS%", denyUsers ); try { outArchive = Archive.createTarArchive( this.filename ); } catch ( IOException e ) { @@ -62,10 +113,6 @@ public class SshdConfigGenerator extends AbstractTask return false; } boolean ok = Archive.tarCreateFileFromString( outArchive, "/etc/ssh/sshd_config", template, 0644 ); - if ( publicKey != null && !publicKey.isEmpty() ) { - String name = "sshd_conf_mod-" + publicKey.hashCode() + "-" + System.currentTimeMillis() + ".pub"; - ok |= Archive.tarCreateFileFromString( outArchive, "/root/.ssh/authorized_keys.d/" + name, publicKey, 0600 ); - } ok |= Archive.tarCreateSymlink( outArchive, "../sshd.service", "/etc/systemd/system/network.target.wants/sshd.service" ); if ( !ok ) { status.error = "Could not create module archive contents"; -- cgit v1.2.3-55-g7522
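Review bot: The two switches hard-code the `demo` account and the `prohibit-password` keyword without a comment, and the cross-dependency that `AllowUsers.USER_ONLY` forces `allowRoot = "no"` regardless of the PasswordLogin choice is only discoverable by reading both switches in order. Suggested comments: `// "demo" is always denied; USER_ONLY additionally denies root and overrides PermitRootLogin below` above the second switch, and `// prohibit-password: root may log in with a key only (OpenSSH >= 7.0; older sshd only knows "without-password" and refuses to start on this keyword)` at the first use — the sshd version on the target images is not visible here, so that compatibility remark is hedged. On the positive side, every substituted value now comes from a fixed string, so the removed public-key regex check has nothing left to protect. Outside this hunk, in the one that follows, `ok |= Archive.tarCreateSymlink( ... )` lets the task report success when writing `/etc/ssh/sshd_config` failed but the symlink succeeded, shipping an archive without the generated config; `&=` looks like the intended operator.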