author | Maciej Strzelczyk <strzelczyk@google.com> | 2021-08-26 14:23:58 +0200 |
committer | Jake Hunsaker <jhunsake@redhat.com> | 2021-08-30 10:27:12 -0400 |
commit | e3001f8dc9ef204c4176050178733396f3ee15ec (patch) | |
tree | 05e6409b12c8e5c1588551ce73ae3b9b128489f2 | |
parent | b4f2bf87aef40411c9fed964ae25796642a53061 (diff) | |
[ssh] Include info about ~/.ssh folders of users.
The SSH daemon will not accept connections for users whose `.ssh`
folders don't have proper permissions set. This change makes
the ssh plugin list (ls -laZ) the `~/.ssh` folders of
all users found on the system.
Closes #2658
Signed-off-by: Maciej Strzelczyk <strzelczyk@google.com>
-rw-r--r-- | sos/report/plugins/ssh.py | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/sos/report/plugins/ssh.py b/sos/report/plugins/ssh.py index f36bdca2..971cda8b 100644 --- a/sos/report/plugins/ssh.py +++ b/sos/report/plugins/ssh.py @@ -9,6 +9,7 @@ # See the LICENSE file in the source distribution for further information. from sos.report.plugins import Plugin, IndependentPlugin +import os.path class Ssh(Plugin, IndependentPlugin): @@ -33,6 +34,10 @@ class Ssh(Plugin, IndependentPlugin): # Include main config files self.add_copy_spec(sshcfgs) + self.included_configs(sshcfgs) + self.user_ssh_files_permissions() + + def included_configs(self, sshcfgs): # Read configs for any includes and copy those try: for sshcfg in sshcfgs: @@ -49,5 +54,33 @@ class Ssh(Plugin, IndependentPlugin): except Exception: pass + def user_ssh_files_permissions(self): + """ + Iterate over .ssh folders in user homes to see their permissions. + + Bad permissions can prevent SSH from allowing access to given user. + """ + users_data = self.exec_cmd('getent passwd') + + if users_data['status']: + # If getent fails, fallback to just reading /etc/passwd + try: + with open('/etc/passwd') as passwd_file: + users_data_lines = passwd_file.readlines() + except Exception: + # If we can't read /etc/passwd, then there's something wrong. + self._log_error("Couldn't read /etc/passwd") + return + else: + users_data_lines = users_data['output'].splitlines() + + # Read the home paths of users in the system and check the ~/.ssh dirs + for usr_line in users_data_lines: + try: + home_dir = os.path.join(usr_line.split(':')[5], '.ssh') + if self.path_isdir(home_dir): + self.add_cmd_output('ls -laZ {}'.format(home_dir)) + except IndexError: + pass # vim: set et ts=4 sw=4 : |
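Review bot: In user_ssh_files_permissions the home directory taken from the passwd line is interpolated unquoted into the command string, `self.add_cmd_output('ls -laZ {}'.format(home_dir))`, so a home path containing whitespace or quote characters will be split into several arguments by whatever tokenizes the command (how add_cmd_output tokenizes is not visible in this hunk), giving a wrong or failed listing instead of the intended one. Because the field comes from `getent passwd`, which NSS may serve from a directory service rather than the local file, quoting it is the safer default: `self.add_cmd_output('ls -laZ {}'.format(shlex.quote(home_dir)))` with `import shlex` next to the new `import os.path`. An empty home field also makes os.path.join yield the relative path `.ssh`, which path_isdir will presumably test relative to the working directory rather than a user home; splitting the join as `home = usr_line.split(':')[5]` and guarding with `if not home: continue` avoids that. The `except IndexError: pass` silently skips malformed lines, which is acceptable for best-effort collection but deserves a comment such as `# malformed passwd line (fewer than 7 fields): skip it`.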