Handle the absence of openssh-server
It is not strictly required for us to have sshd installed, for example on bare-metal machines where shell access is physical-only. Instead, we'll skip certain tasks that depend on sshd if it is not installed.
This commit is contained in:
parent
aa0994b1d7
commit
f605e55997
2 changed files with 31 additions and 22 deletions
@ -663,15 +663,21 @@ def build_sshfp_records():
# specify that port to sshkeyscan.
port = 22
with open('/etc/ssh/sshd_config', 'r') as f:
for line in f:
s = line.rstrip().split()
if len(s) == 2 and s[0] == 'Port':
try:
port = int(s[1])
except ValueError:
pass
break
try:
with open('/etc/ssh/sshd_config', 'r') as f:
for line in f:
s = line.rstrip().split()
if len(s) == 2 and s[0] == 'Port':
try:
port = int(s[1])
except ValueError:
pass
break
except FileNotFoundError:
# No configuration file most likely means that sshd is not installed.
# As such, we have no SSHFP records to return
return []
keys = shell("check_output", [
"ssh-keyscan", "-t", "rsa,dsa,ecdsa,ed25519", "-p",
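Review bot: The new `except FileNotFoundError` around `open('/etc/ssh/sshd_config', 'r')` treats a missing config file as proof that sshd is absent, while the shell hunk in the other file decides the same question with `command -v sshd`; the two can disagree (config left behind after the package is removed, or binary present with a relocated config), and in the first case the function goes on to run ssh-keyscan against nothing, in the second it silently publishes no SSHFP records. Consider keying both files off the same signal, e.g. `if shutil.which('sshd') is None: return []` ahead of the parse (needs `import shutil`), and letting the FileNotFoundError path log the unexpected state instead of returning quietly. Separately, the retained parsing loop honours only the first `Port` line and compares `s[0] == 'Port'` case-sensitively, whereas sshd_config keywords are case-insensitive and sshd may listen on several ports; the shell side reads the effective value from `sshd -T` instead. build_sshfp_records starts before and continues after this hunk.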
@ -248,20 +248,23 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
# Install `ufw` which provides a simple firewall configuration.
apt_install ufw
# Allow incoming connections to SSH.
ufw_limit ssh;
# Check if we have got an SSH server installed.
# It's not critical for us to have one, so if it isn't installed,
# no need to open the port
if [ -x "$(command -v sshd)" ]; then
# Allow incoming connections to SSH.
ufw_limit ssh;
# ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
# settings, find the port it is supposedly running on, and open that port #NODOC
# too. #NODOC
SSH_PORT=$(sshd -T 2>/dev/null | grep "^port " | sed "s/port //") #NODOC
if [ ! -z "$SSH_PORT" ]; then
if [ "$SSH_PORT" != "22" ]; then
echo Opening alternate SSH port $SSH_PORT. #NODOC
ufw_limit $SSH_PORT #NODOC
fi
# ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
# settings, find the port it is supposedly running on, and open that port #NODOC
# too. #NODOC
SSH_PORT=$(sshd -T 2>/dev/null | grep "^port " | sed "s/port //") #NODOC
if [ ! -z "$SSH_PORT" ]; then
if [ "$SSH_PORT" != "22" ]; then
echo Opening alternate SSH port $SSH_PORT. #NODOC
ufw_limit $SSH_PORT #NODOC
fi
fi
fi
ufw --force enable;
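Review bot: `SSH_PORT=$(sshd -T 2>/dev/null | grep "^port " | sed "s/port //")` inside the new `if [ -x "$(command -v sshd)" ]` block can hold several lines when sshd has more than one Port directive, since `sshd -T` prints one `port` line per listener; the `"$SSH_PORT" != "22"` test is then always true and the unquoted `ufw_limit $SSH_PORT` receives every port as a separate argument (whether ufw_limit copes with that depends on its definition, which is outside this hunk). Iterating is a one-liner: `for p in $SSH_PORT; do if [ "$p" != "22" ]; then ufw_limit "$p"; fi; done`. It would also help to comment that when `sshd -T` fails (for example run without the privileges to read the config or host keys) SSH_PORT is empty and only port 22 is opened, because the `2>/dev/null` hides the reason. The enclosing `if [ -z "${DISABLE_FIREWALL:-}" ]` block ends outside the hunk.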