author | nachoparker <nacho@ownyourbits.com> | 2017-12-05 13:44:53 +0300 |
---|---|---|
committer | nachoparker <nacho@ownyourbits.com> | 2017-12-05 13:45:34 +0300 |
commit | 30c34d8162f48c976b896141586174e916378369 (patch) | |
tree | 04a0b4b2c2c6ad9081b1b6963838c70068c680ee | |
parent | 36bb1dee32c79b5734a34683df51cb774ababba1 (diff) |
SSH: enhance security v0.41.3
-rw-r--r-- | changelog.md | 4 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/SSH.sh | 18 |
2 files changed, 20 insertions, 2 deletions
diff --git a/changelog.md b/changelog.md
index 977f60b3..d95f312c 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v0.41.2](https://github.com/nextcloud/nextcloudpi/commit/f4dd242) (2017-12-04) nc-automount: check for USBdrive labeled drive case
+[v0.41.3](https://github.com/nextcloud/nextcloudpi/commit/bf1ff0e) (2017-12-05) SSH: enhance security
+
+[v0.41.2 ](https://github.com/nextcloud/nextcloudpi/commit/a2c5de7) (2017-12-04) nc-automount: check for USBdrive labeled drive case
 [v0.41.1 ](https://github.com/nextcloud/nextcloudpi/commit/9ef8bc1) (2017-12-04) nc-info: warn of long operation
diff --git a/etc/nextcloudpi-config.d/SSH.sh b/etc/nextcloudpi-config.d/SSH.sh
index 8033404c..a20cafc8 100644
--- a/etc/nextcloudpi-config.d/SSH.sh
+++ b/etc/nextcloudpi-config.d/SSH.sh
@@ -39,7 +39,7 @@ configure()
 id "$USER_" &>/dev/null || useradd "$USER_"
 echo -e "$PASS_\n$CONFIRM_" | passwd "$USER_" || return 1
- # Check for insecure default password ( taken from old jessie method )
+ # Check for insecure default pi password ( taken from old jessie method )
 local SHADOW="$( grep -E '^pi:' /etc/shadow )"
 test -n "${SHADOW}" && {
 local SALT=$(echo "${SHADOW}" | sed -n 's/pi:\$6\$//;s/\$.*//p')
@@ -54,7 +54,23 @@ configure()
 }
 }
+ # Check for insecure default ncp password ( taken from old jessie method )
+ local SHADOW="$( grep -E '^ncp:' /etc/shadow )"
+ test -n "${SHADOW}" && {
+ local SALT=$(echo "${SHADOW}" | sed -n 's/ncp:\$6\$//;s/\$.*//p')
+ local HASH=$(mkpasswd -msha-512 ownyourbits "$SALT")
+
+ grep -q "${HASH}" <<< "${SHADOW}" && {
+ systemctl stop ssh
+ systemctl disable ssh
+ echo "The user ncp is using the default password. Refusing to activate SSH"
+ echo "SSH disabled"
+ return 1
+ }
+ }
+
 # Enable
+ chage -d 0 "$USER_"
 systemctl enable ssh
 systemctl start ssh
 echo "SSH enabled" |
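Review bot: The new ncp check in the second SSH.sh hunk cannot tell a failed `mkpasswd` from a real match: `local HASH=$(...)` hides the exit status, and an empty `HASH` makes `grep -q "${HASH}"` match any line, so SSH would be refused with a "default password" message that is not true. Adding `test -n "${HASH}" || { echo "Cannot verify the ncp password"; return 1; }` before the grep, and matching with `grep -qF -- "${HASH}"`, keeps the check fail-closed while treating the hash as a fixed string rather than a regular expression. The sed expression strips only a `$6$` prefix, so an entry stored under another scheme would presumably yield a wrong salt; a comment stating that assumption above the check would help. The block repeats the pi check almost verbatim and could share one helper that takes the user name; configure() begins and ends outside the hunk.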