Skip to content

Commit

Permalink
Merge pull request #1091 from yast/huha-open-ssh-02-sp5
Browse files Browse the repository at this point in the history
Don't always Enable SSHD and Open SSH Port [SLE-15-SP5]
  • Loading branch information
shundhammer authored Jun 19, 2023
2 parents 48826ac + 07ec3d3 commit 5ed2d9b
Show file tree
Hide file tree
Showing 8 changed files with 125 additions and 231 deletions.
76 changes: 0 additions & 76 deletions doc/startup/pictures/basic.fig.bak

This file was deleted.

133 changes: 0 additions & 133 deletions doc/startup/pictures/run.fig.bak

This file was deleted.

7 changes: 7 additions & 0 deletions package/yast2-installation.changes
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
-------------------------------------------------------------------
-------------------------------------------------------------------
Thu Jun 15 15:01:13 UTC 2023 - Stefan Hundhammer <[email protected]>

- Don't always enable sshd and open the ssh port (bsc#1211764)
- 4.5.17

-------------------------------------------------------------------
Mon Mar 13 08:35:59 UTC 2023 - Ladislav Slezák <[email protected]>

Expand Down
2 changes: 1 addition & 1 deletion package/yast2-installation.spec
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
#

Name: yast2-installation
Version: 4.5.16
Version: 4.5.17
Release: 0
Summary: YaST2 - Installation Parts
License: GPL-2.0-only
Expand Down
4 changes: 4 additions & 0 deletions src/lib/installation/clients/security_proposal.rb
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,10 @@ def firewall_proposal
# Returns the SSH service part of the firewall proposal description
# @return [String] proposal html text
def sshd_proposal
# Check if only public key auth is configured, and if yes,
# enable SSHD and open the SSH port; but only now, after we are sure
# that the user was prompted for the root password (bsc#1211764).
@settings.propose
if @settings.enable_sshd
_(
"SSH service will be enabled (<a href=\"%s\">disable</a>)"
Expand Down
56 changes: 44 additions & 12 deletions src/lib/installation/security_settings.rb
Original file line number Diff line number Diff line change
Expand Up @@ -78,22 +78,49 @@ def propose_lsm_config
Yast::PackagesProposal.SetResolvables("LSM", :pattern, lsm_config.needed_patterns)
end

# Make a one-time proposal for the security settings:
#
# If only public key authentication is configured, and no root password is set,
# open the SSH port and enable SSHD so at least SSH access can be used.
#
# This should be called AFTER the user was prompted for the root password, e.g.
# when the security proposal is made during installation.
#
# This is done only once. Use 'reset_proposal' to do do it again.
def propose
return if @proposal_done

@proposal_done = true
log.info("Making security settings proposal")
return unless only_public_key_auth?

log.info("Only public key auth")
open_ssh! unless @open_ssh
enable_sshd! unless @enable_sshd
end

# Reset the proposal; i.e. the next call to 'propose' will do a fresh
# proposal.
def reset_proposal
@proposal_done = false
end

# Services

# Add the firewall package to be installed and sets the firewalld service
# to be enabled
def enable_firewall!
Yast::PackagesProposal.AddResolvables("firewall", :package, ["firewalld"])

log.info "Enabling Firewall"
log.info "Enabling firewall"
self.enable_firewall = true
end

# Remove the firewalld package from being installed and sets the firewalld
# service to be disabled
def disable_firewall!
Yast::PackagesProposal.RemoveResolvables("firewall", :package, ["firewalld"])
log.info "Disabling Firewall"
log.info "Disabling firewall"
self.enable_firewall = false
end

Expand Down Expand Up @@ -121,19 +148,19 @@ def open_ssh!

# Set the ssh port to be closed
def close_ssh!
log.info "Opening SSH port"
log.info "Closing SSH port"
self.open_ssh = false
end

# Set the vnc port to be opened
def open_vnc!
log.info "Close VNC port"
log.info "Opening VNC port"
self.open_vnc = true
end

# Set the vnc port to be closed
def close_vnc!
log.info "Close VNC port"
log.info "Closing VNC port"
self.open_vnc = false
end

Expand All @@ -144,7 +171,7 @@ def close_vnc!
# authentication and the system is not accesible through ssh
def access_problem?
# public key is not the only way
return false unless only_public_key_auth
return false unless only_public_key_auth?

# without running sshd it is useless
return true unless @enable_sshd
Expand Down Expand Up @@ -181,27 +208,32 @@ def global_section
end

def wanted_enable_sshd?
Yast::Linuxrc.usessh || only_public_key_auth || @enable_sshd
Yast::Linuxrc.usessh || @enable_sshd
end

def wanted_open_ssh?
Yast::Linuxrc.usessh || only_public_key_auth || @open_ssh
Yast::Linuxrc.usessh || @open_ssh
end

def wanted_open_vnc?
Yast::Linuxrc.vnc
end

# Determines whether only public key authentication is supported
# Determines whether only public key authentication is supported.
#
# Do not call this prematurely before the user was even prompted for a root password;
# in particular, do not call this from the constructor of this class.
#
# @note If the root user does not have a password, we assume that we will use a public
# key in order to log into the system. In such a case, we need to enable the SSH
# service (including opening the port).
def only_public_key_auth
return true unless root_user
def only_public_key_auth?
if root_user.nil?
log.warn("No root user created yet; can't check root password!")
return false
end

password = root_user.password_content || ""

password.empty?
end

Expand Down
Loading

0 comments on commit 5ed2d9b

Please sign in to comment.