summaryrefslogtreecommitdiff
path: root/Propellor/Property/Ssh.hs
diff options
context:
space:
mode:
Diffstat (limited to 'Propellor/Property/Ssh.hs')
-rw-r--r--Propellor/Property/Ssh.hs53
1 files changed, 53 insertions, 0 deletions
diff --git a/Propellor/Property/Ssh.hs b/Propellor/Property/Ssh.hs
new file mode 100644
index 00000000..39e02689
--- /dev/null
+++ b/Propellor/Property/Ssh.hs
@@ -0,0 +1,53 @@
+module Propellor.Property.Ssh where
+
+import Propellor.Common
+import qualified Propellor.Property.File as File
+import Propellor.Property.User
+
+sshBool :: Bool -> String
+sshBool True = "yes"
+sshBool False = "no"
+
+sshdConfig :: FilePath
+sshdConfig = "/etc/ssh/sshd_config"
+
+setSshdConfig :: String -> Bool -> Property
+setSshdConfig setting allowed = combineProperties
+ [ sshdConfig `File.lacksLine` (sshline $ not allowed)
+ , sshdConfig `File.containsLine` (sshline allowed)
+ ]
+ `onChange` restartSshd
+ `describe` unwords [ "ssh config:", setting, sshBool allowed ]
+ where
+ sshline v = setting ++ " " ++ sshBool v
+
+permitRootLogin :: Bool -> Property
+permitRootLogin = setSshdConfig "PermitRootLogin"
+
+passwordAuthentication :: Bool -> Property
+passwordAuthentication = setSshdConfig "PasswordAuthentication"
+
+hasAuthorizedKeys :: UserName -> IO Bool
+hasAuthorizedKeys = go <=< homedir
+ where
+ go Nothing = return False
+ go (Just home) = not . null <$> catchDefaultIO ""
+ (readFile $ home </> ".ssh" </> "authorized_keys")
+
+restartSshd :: Property
+restartSshd = cmdProperty "service" [Param "ssh", Param "restart"]
+
+{- | Blow away existing host keys and make new ones. Use a flag
+ - file to prevent doing this more than once. -}
+uniqueHostKeys :: Property
+uniqueHostKeys = flagFile prop "/etc/ssh/.unique_host_keys"
+ `onChange` restartSshd
+ where
+ prop = Property "ssh unique host keys" $ do
+ void $ boolSystem "sh"
+ [ Param "-c"
+ , Param "rm -f /etc/ssh/ssh_host_*"
+ ]
+ ensureProperty $
+ cmdProperty "/var/lib/dpkg/info/openssh-server.postinst"
+ [Param "configure"]