authorChristian Breunig <christian@breunig.cc>2023-10-29 08:08:02 +0100
committerChristian Breunig <christian@breunig.cc>2023-10-29 08:08:02 +0100
commit428dee29d36cc3629990ec41afef887821886834 (patch)
treec9658858f9ca2ad7098559b616214633bca0bfd4
parente1b4e972b40941acec76c97e714767214cefe426 (diff)
op-mode: T5661: remove call to sudo in ssh.py and move it to XML definition
Try to have as few calls to sudo in the op-mode scripts as possible. The XML definitions can deal with it.
-rw-r--r--op-mode-definitions/show-ssh.xml.in2
-rwxr-xr-xsrc/op_mode/ssh.py6
2 files changed, 4 insertions, 4 deletions
diff --git a/op-mode-definitions/show-ssh.xml.in b/op-mode-definitions/show-ssh.xml.in
index 88faecada..ca8e669b3 100644
--- a/op-mode-definitions/show-ssh.xml.in
+++ b/op-mode-definitions/show-ssh.xml.in
@@ -11,7 +11,7 @@
<properties>
<help>Show SSH server dynamic-protection blocked attackers</help>
</properties>
- <command>${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
+ <command>sudo ${vyos_op_scripts_dir}/ssh.py show_dynamic_protection</command>
</node>
<node name="fingerprints">
<properties>
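Review bot: Putting `sudo` on this `<command>` runs the whole of ssh.py as root for the node, including the config query and the JSON parsing, where before only the two fixed `nft` invocations were elevated. The argument is the literal `show_dynamic_protection`, so no operator input reaches the root process from this line, but any code later added to that function inherits root. A comment on the node recording why it is elevated would keep that visible, e.g. `<!-- sudo: ssh.py lists the sshguard nft sets, which previously needed sudo inside the script -->`.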
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
index c09b2166f..102becc55 100755
--- a/src/op_mode/ssh.py
+++ b/src/op_mode/ssh.py
@@ -64,18 +64,18 @@ def show_fingerprints(raw: bool, ascii: bool):
def show_dynamic_protection(raw: bool):
config = ConfigTreeQuery()
- if not config.exists("service ssh dynamic-protection"):
+ if not config.exists(['service', 'ssh', 'dynamic-protection']):
raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
attackers = []
try:
# IPv4
- attackers = attackers + json.loads(cmd("sudo nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+ attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
except:
pass
try:
# IPv6
- attackers = attackers + json.loads(cmd("sudo nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+ attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
except:
pass
if attackers:
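Review bot: With `sudo` removed from the two `nft -j list set ...` calls, running ssh.py without root makes both commands fail, and the bare `except: pass` around each one turns that failure into an empty `attackers` list that looks the same as "nobody is blocked". Narrow both handlers to the expected case of a set without elements, e.g. `except (KeyError, IndexError):`, so that a permission or nft error surfaces instead of being swallowed. This assumes `cmd` raises on a non-zero exit, which is not visible here and should be confirmed. The body of `show_dynamic_protection` continues past the end of the hunk.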