summaryrefslogtreecommitdiff
path: root/src/op_mode/ssh.py
blob: 89db7b3d3254c96e39632d131d7019172547a46b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/env python3
#
# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library.  If not, see <http://www.gnu.org/licenses/>.

import json
import sys
import glob
import vyos.opmode
from vyos.utils.process import cmd
from vyos.configquery import ConfigTreeQuery
from tabulate import tabulate

def show_fingerprints(raw: bool, ascii: bool):
    config = ConfigTreeQuery()
    if not config.exists("service ssh"):
        raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.")

    publickeys = glob.glob("/etc/ssh/*.pub")

    if publickeys:
        keys = []
        for keyfile in publickeys:
            try:
                if ascii:
                    keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines()
                else:
                    keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines()
                type = keydata[0].split(None)[-1].strip("()")
                key_size = keydata[0].split(None)[0]
                fingerprint = keydata[0].split(None)[1]
                comment = keydata[0].split(None)[2:-1][0]
                if ascii:
                    ascii_art = "\n".join(keydata[1:])
                    keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art})
                else:
                    keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment})
            except:
                # Ignore invalid public keys
                pass
        if raw:
            return keys
        else:
            headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"}
            output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple")
            return output
    else:
        if raw:
            return []
        else:
            return "No SSH server public keys are found."

def show_dynamic_protection(raw: bool):
    config = ConfigTreeQuery()
    if not config.exists("service ssh dynamic-protection"):
        raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")

    attackers = []
    try:
        # IPv4
        attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
    except:
        pass
    try:
        # IPv6
        attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
    except:
        pass
    if attackers:
        if raw:
            return attackers
        else:
            output = "Blocked attackers:\n" + "\n".join(attackers)
            return output
    else:
        if raw:
            return []
        else:
            return "No blocked attackers."

if __name__ == '__main__':
    try:
        res = vyos.opmode.run(sys.modules[__name__])
        if res:
            print(res)
    except (ValueError, vyos.opmode.Error) as e:
        print(e)
        sys.exit(1)