mailinabox
Update status_checks.py
Switching to a more robust way of checking for PasswordAuthentication
This function uses the subprocess.run method to execute the sshd -T command, which prints the effective configuration of the SSH server, and then checks if 'passwordauthentication yes' is present in the output. If there's an error executing the command (like if sshd isn't found), it will print an error message. If the command runs but the configuration allows password authentication, it will print an error with instructions on how to secure the SSH server. Otherwise, it will confirm that password-based login is disabled.
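The check the description outlines, written out as an added example (this is not the pull request's code nor Mail-in-a-Box's; the status-check framework is replaced by plain return values, and the `sshd -T` output below is a constructed sample, not captured from a host). It parses `sshd -T` line by line instead of scanning a token stream, reports a missing keyword as a failed check rather than silently passing, and handles the two ways the command itself can fail: `sshd` absent, and `sshd -T` exiting non-zero (it must run as root to load the host keys, and it rejects a configuration it cannot parse). Note that `sshd -T` without `-C` reports the global values only; `Match` blocks are not applied.

```python
import subprocess

# Constructed sample of `sshd -T` output (not captured from any real host).
# Real output lists every keyword; only a few are shown here.
SAMPLE_SSHD_T = """\
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
kbdinteractiveauthentication no
"""

# Same wording the status check on the page prints when password login is on.
PASSWORD_LOGIN_ERROR = (
    "The SSH server on this machine permits password-based login. A more secure "
    "way to log in is using a public key. Add your SSH public key to "
    "$HOME/.ssh/authorized_keys, check that you can log in without a password, "
    "set the option 'PasswordAuthentication no' in /etc/ssh/sshd_config, and "
    "then restart the openssh via 'sudo service ssh restart'."
)


def parse_sshd_effective_config(text):
    """Turn the 'keyword value' lines of `sshd -T` into a dict.

    sshd prints keywords lower-cased, one setting per line, so a line-based
    parse is enough; keywords that legitimately repeat (listenaddress, ...)
    are collected into a list instead of being overwritten.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in config:
            previous = config[key]
            config[key] = (previous if isinstance(previous, list) else [previous]) + [value]
        else:
            config[key] = value
    return config


def classify_password_auth(text):
    """Return (status, message) for sshd -T output.

    status is 'enabled', 'disabled' or 'unknown'. 'unknown' means the keyword
    was missing, which sshd -T never does for a parsable config, so a caller
    should treat it as a failed check rather than as a pass.
    """
    value = parse_sshd_effective_config(text).get("passwordauthentication")
    if value is None:
        return ("unknown", "sshd -T output did not contain PasswordAuthentication.")
    if str(value).lower() == "yes":
        return ("enabled", PASSWORD_LOGIN_ERROR)
    return ("disabled", "SSH disallows password-based login.")


def check_ssh_password_auth(runner=subprocess.run):
    """Run `sshd -T` and classify the result; never raises.

    `runner` is injectable only so the function can be exercised without sshd
    (hypothetical parameter, not part of the project's API). sshd -T must run
    as root and exits non-zero on a config it cannot parse, so
    CalledProcessError is handled here instead of aborting the caller.
    """
    try:
        completed = runner(["sshd", "-T"], capture_output=True, text=True, check=True)
    except FileNotFoundError:
        return ("not-installed", "sshd is not installed; nothing to check.")
    except subprocess.CalledProcessError as exc:
        detail = (exc.stderr or "").strip() or f"exit status {exc.returncode}"
        return ("error", f"Could not read the effective sshd configuration: {detail}")
    return classify_password_auth(completed.stdout)


if __name__ == "__main__":
    # Run as root on the host being checked.
    status, message = check_ssh_password_auth()
    print(f"[{status}] {message}")
```

Because `sshd -T` resolves `Include` files and the last-match-wins rules itself, this reads the value the daemon actually enforces, which is the point of moving away from grepping `/etc/ssh/sshd_config`.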
I saw this bug too (in an AWS EC2 instance where sshd is configured using more sshd_conf.d/* files), and even worked up a solution on my own (slightly differently).
But I notice in your code you've changed the behavior slightly: if sshd is NOT installed, the original code does a simple "return"; in contrast, yours prints an error message to the user.
My version is similar (not necessarily better than yours), but uses the shell() function that is the convention in this file.
@@ -213,16 +213,28 @@ def check_ssh_password(env, output):
# the configuration file.
if not os.path.exists("/etc/ssh/sshd_config"):
return
- with open("/etc/ssh/sshd_config", "r") as f:
- sshd = f.read()
- if re.search("\nPasswordAuthentication\s+yes", sshd) \
- or not re.search("\nPasswordAuthentication\s+no", sshd):
- output.print_error("""The SSH server on this machine permits password-based login. A more secure
- way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
- that you can log in without a password, set the option 'PasswordAuthentication no' in
- /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
- else:
- output.print_ok("SSH disallows password-based login.")
+ try:
+ sshdOutput = shell('check_output', ['sshd', '-T'])
+ except FileNotFoundError:
+ # sshd is not installed. That's ok.
+ return
+
+ inspectNext = False
+ for e in sshdOutput.split():
+ if inspectNext:
+ if e.lower() == "yes":
+ output.print_error("""The SSH server on this machine permits password-based login. A more secure
+ way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check
+ that you can log in without a password, set the option 'PasswordAuthentication no' in
+ /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.""")
+ else:
+ output.print_ok("SSH disallows password-based login.")
+ return
+ if e.lower() == "passwordauthentication":
+ inspectNext = True
+
+ # Did not find passwordauthentication setting
+ return
def is_reboot_needed_due_to_package_installation():
return os.path.exists("/var/run/reboot-required")
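Review bot: the try/except around shell('check_output', ['sshd', '-T']) only catches FileNotFoundError, so any non-zero exit from sshd -T (it needs root to load the host keys, and it fails on a configuration it cannot parse) propagates out of check_ssh_password and aborts the remaining status checks, a failure mode the old file-reading code did not have; catching the check_output failure too and reporting it with print_error (or falling back to reading /etc/ssh/sshd_config) keeps this check non-fatal. Also, the final "# Did not find passwordauthentication setting" path returns with no output at all; since sshd -T always lists that keyword, reaching it means the output was not what was expected, so a print_warning there would be more useful than silence.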
There was a similar issue getting the SSH port. Both are addressed in #2330, so I'm closing this PR. Thanks.
Thanks both