3 files changed, 116 insertions, 9 deletions
diff --git a/src/conf_mode/load-balancing-haproxy.py b/src/conf_mode/load-balancing-haproxy.py
index 8fe429653..ec4311bb5 100755
--- a/src/conf_mode/load-balancing-haproxy.py
+++ b/src/conf_mode/load-balancing-haproxy.py
@@ -94,8 +94,8 @@ def generate(lb):
             if os.path.isfile(file):
                 os.unlink(file)
         # Delete old directories
-        #if os.path.isdir(load_balancing_dir):
-        #    rmtree(load_balancing_dir, ignore_errors=True)
+        if os.path.isdir(load_balancing_dir):
+            rmtree(load_balancing_dir, ignore_errors=True)
 
         return None
 
@@ -106,15 +106,12 @@ def generate(lb):
     # SSL Certificates for frontend
     for front, front_config in lb['service'].items():
         if 'ssl' in front_config:
-            cert_file_path = os.path.join(load_balancing_dir, 'cert.pem')
-            cert_key_path = os.path.join(load_balancing_dir, 'cert.pem.key')
-            ca_cert_file_path = os.path.join(load_balancing_dir, 'ca.pem')
 
             if 'certificate' in front_config['ssl']:
-                #cert_file_path = os.path.join(load_balancing_dir, 'cert.pem')
-                #cert_key_path = os.path.join(load_balancing_dir, 'cert.key')
                 cert_name = front_config['ssl']['certificate']
                 pki_cert = lb['pki']['certificate'][cert_name]
+                cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem')
+                cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key')
 
                 with open(cert_file_path, 'w') as f:
                     f.write(wrap_certificate(pki_cert['certificate']))
@@ -126,6 +123,7 @@ def generate(lb):
             if 'ca_certificate' in front_config['ssl']:
                 ca_name = front_config['ssl']['ca_certificate']
                 pki_ca_cert = lb['pki']['ca'][ca_name]
+                ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
 
                 with open(ca_cert_file_path, 'w') as f:
                     f.write(wrap_certificate(pki_ca_cert['certificate']))
@@ -133,11 +131,11 @@ def generate(lb):
     # SSL Certificates for backend
     for back, back_config in lb['backend'].items():
         if 'ssl' in back_config:
-            ca_cert_file_path = os.path.join(load_balancing_dir, 'ca.pem')
 
             if 'ca_certificate' in back_config['ssl']:
                 ca_name = back_config['ssl']['ca_certificate']
                 pki_ca_cert = lb['pki']['ca'][ca_name]
+                ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem')
 
                 with open(ca_cert_file_path, 'w') as f:
                     f.write(wrap_certificate(pki_ca_cert['certificate']))
diff --git a/src/op_mode/generate_firewall_rule-resequence.py b/src/op_mode/generate_firewall_rule-resequence.py
index b5b625a80..eb82a1a0a 100755
--- a/src/op_mode/generate_firewall_rule-resequence.py
+++ b/src/op_mode/generate_firewall_rule-resequence.py
@@ -116,9 +116,18 @@ if __name__ == "__main__":
         print('Firewall is not configured')
         exit(1)
 
-    #config_dict =  config.get_config_dict('firewall')
     config_dict = config.get_config_dict('firewall')
 
+    # Remove global-options, group and flowtable as they don't need sequencing
+    if 'global-options' in config_dict['firewall']:
+        del config_dict['firewall']['global-options']
+
+    if 'group' in config_dict['firewall']:
+        del config_dict['firewall']['group']
+
+    if 'flowtable' in config_dict['firewall']:
+        del config_dict['firewall']['flowtable']
+    
     # Convert rule keys to integers, rule "10" -> rule 10
     # This is necessary for sorting the rules
     config_dict = convert_rule_keys_to_int(config_dict)
diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py
new file mode 100755
index 000000000..acb066144
--- /dev/null
+++ b/src/op_mode/ssh.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import sys
+import glob
+import vyos.opmode
+from vyos.utils.process import cmd
+from vyos.configquery import ConfigTreeQuery
+from tabulate import tabulate
+
+def show_fingerprints(raw: bool, ascii: bool):
+    config = ConfigTreeQuery()
+    if not config.exists("service ssh"):
+        raise vyos.opmode.UnconfiguredSubsystem("SSH server is not enabled.")
+
+    publickeys = glob.glob("/etc/ssh/*.pub")
+
+    if publickeys:
+        keys = []
+        for keyfile in publickeys:
+            try:
+                if ascii:
+                    keydata = cmd("ssh-keygen -l -v -E sha256 -f " + keyfile).splitlines()
+                else:
+                    keydata = cmd("ssh-keygen -l -E sha256 -f " + keyfile).splitlines()
+                type = keydata[0].split(None)[-1].strip("()")
+                key_size = keydata[0].split(None)[0]
+                fingerprint = keydata[0].split(None)[1]
+                comment = keydata[0].split(None)[2:-1][0]
+                if ascii:
+                    ascii_art = "\n".join(keydata[1:])
+                    keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment, "ascii_art": ascii_art})
+                else:
+                    keys.append({"type": type, "key_size": key_size, "fingerprint": fingerprint, "comment": comment})
+            except:
+                # Ignore invalid public keys
+                pass
+        if raw:
+            return keys
+        else:
+            headers = {"type": "Type", "key_size": "Key Size", "fingerprint": "Fingerprint", "comment": "Comment", "ascii_art": "ASCII Art"}
+            output = "SSH server public key fingerprints:\n\n" + tabulate(keys, headers=headers, tablefmt="simple")
+            return output
+    else:
+        if raw:
+            return []
+        else:
+            return "No SSH server public keys are found."
+
+def show_dynamic_protection(raw: bool):
+    config = ConfigTreeQuery()
+    if not config.exists(['service', 'ssh', 'dynamic-protection']):
+        raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.")
+
+    attackers = []
+    try:
+        # IPv4
+        attackers = attackers + json.loads(cmd("nft -j list set ip sshguard attackers"))["nftables"][1]["set"]["elem"]
+    except:
+        pass
+    try:
+        # IPv6
+        attackers = attackers + json.loads(cmd("nft -j list set ip6 sshguard attackers"))["nftables"][1]["set"]["elem"]
+    except:
+        pass
+    if attackers:
+        if raw:
+            return attackers
+        else:
+            output = "Blocked attackers:\n" + "\n".join(attackers)
+            return output
+    else:
+        if raw:
+            return []
+        else:
+            return "No blocked attackers."
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except (ValueError, vyos.opmode.Error) as e:
+        print(e)
+        sys.exit(1)