
github.com/nextcloud/nextcloudpi.git - Unnamed repository; edit this file 'description' to name the repository.
authornachoparker <nacho@ownyourbits.com>2017-12-05 13:44:53 +0300
committernachoparker <nacho@ownyourbits.com>2017-12-05 13:45:34 +0300
commit30c34d8162f48c976b896141586174e916378369 (patch)
tree04a0b4b2c2c6ad9081b1b6963838c70068c680ee
parent36bb1dee32c79b5734a34683df51cb774ababba1 (diff)
SSH: enhance securityv0.41.3
-rw-r--r--changelog.md4
-rw-r--r--etc/nextcloudpi-config.d/SSH.sh18
2 files changed, 20 insertions, 2 deletions
diff --git a/changelog.md b/changelog.md
index 977f60b3..d95f312c 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v0.41.2](https://github.com/nextcloud/nextcloudpi/commit/f4dd242) (2017-12-04) nc-automount: check for USBdrive labeled drive case
+[v0.41.3](https://github.com/nextcloud/nextcloudpi/commit/bf1ff0e) (2017-12-05) SSH: enhance security
+
+[v0.41.2 ](https://github.com/nextcloud/nextcloudpi/commit/a2c5de7) (2017-12-04) nc-automount: check for USBdrive labeled drive case
[v0.41.1 ](https://github.com/nextcloud/nextcloudpi/commit/9ef8bc1) (2017-12-04) nc-info: warn of long operation
diff --git a/etc/nextcloudpi-config.d/SSH.sh b/etc/nextcloudpi-config.d/SSH.sh
index 8033404c..a20cafc8 100644
--- a/etc/nextcloudpi-config.d/SSH.sh
+++ b/etc/nextcloudpi-config.d/SSH.sh
@@ -39,7 +39,7 @@ configure()
id "$USER_" &>/dev/null || useradd "$USER_"
echo -e "$PASS_\n$CONFIRM_" | passwd "$USER_" || return 1
- # Check for insecure default password ( taken from old jessie method )
+ # Check for insecure default pi password ( taken from old jessie method )
local SHADOW="$( grep -E '^pi:' /etc/shadow )"
test -n "${SHADOW}" && {
local SALT=$(echo "${SHADOW}" | sed -n 's/pi:\$6\$//;s/\$.*//p')
@@ -54,7 +54,23 @@ configure()
}
}
+ # Check for insecure default ncp password ( taken from old jessie method )
+ local SHADOW="$( grep -E '^ncp:' /etc/shadow )"
+ test -n "${SHADOW}" && {
+ local SALT=$(echo "${SHADOW}" | sed -n 's/ncp:\$6\$//;s/\$.*//p')
+ local HASH=$(mkpasswd -msha-512 ownyourbits "$SALT")
+
+ grep -q "${HASH}" <<< "${SHADOW}" && {
+ systemctl stop ssh
+ systemctl disable ssh
+ echo "The user ncp is using the default password. Refusing to activate SSH"
+ echo "SSH disabled"
+ return 1
+ }
+ }
+
# Enable
+ chage -d 0 "$USER_"
systemctl enable ssh
systemctl start ssh
echo "SSH enabled"
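Review bot: The new ncp check treats a failed hash computation as a match, because `grep -q "${HASH}"` with an empty `HASH` matches any non-empty `SHADOW` line and `local HASH=$(…)` hides mkpasswd's exit status. If mkpasswd is unavailable or rejects the extracted salt (the sed expression only handles `$6$` entries), SSH would be stopped and disabled with a message that wrongly blames the default password. Declaring first and checking, `local HASH; HASH=$(mkpasswd -msha-512 ownyourbits "$SALT") || { echo "Cannot verify ncp password"; return 1; }`, and matching literally with `grep -qF -- "${HASH}" <<< "${SHADOW}"`, keeps the fail-closed result but reports the real cause. The pi check in the previous hunk appears to follow the same pattern, though its hash lines fall outside the visible hunks, as does the start of `configure()`. Separately, `chage -d 0 "$USER_"` is unchecked, so SSH is still enabled if forcing the password change failed; `chage -d 0 "$USER_" || return 1` would make it a precondition.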