Index: scripts/lockdown.sh =================================================================== diff -u -r26d16005a23c70c0995584f7ae4364fa2d75add0 -rff95c34e6cc28ec8de8f81854ea9f4369afa9c7f --- scripts/lockdown.sh (.../lockdown.sh) (revision 26d16005a23c70c0995584f7ae4364fa2d75add0) +++ scripts/lockdown.sh (.../lockdown.sh) (revision ff95c34e6cc28ec8de8f81854ea9f4369afa9c7f) @@ -53,6 +53,10 @@ denali ALL=(root) NOPASSWD: /bin/mkdir * denali ALL=(root) NOPASSWD: /usr/sbin/cryptsetup * denali ALL=(root) NOPASSWD: /sbin/mkfs.ext4 * +denali ALL=(root) NOPASSWD: /bin/systemctl start sshd.socket +denali ALL=(root) NOPASSWD: /bin/systemctl stop sshd.socket +denali ALL=(root) NOPASSWD: /bin/systemctl disable sshd.socket +denali ALL=(root) NOPASSWD: /bin/systemctl status sshd.socket " CONTENT_IPTABLES=" @@ -139,8 +143,8 @@ chown -R root.denali ${fileTarget} chmod -R g+rw ${fileTarget} - # Restart service on remote. - systemctl restart system-sshd.slice + # Disable the ssh service by defalut and will be enalbed when needed. + systemctl disable sshd.socket } Index: scripts/rootsshaccess.sh =================================================================== diff -u --- scripts/rootsshaccess.sh (revision 0) +++ scripts/rootsshaccess.sh (revision ff95c34e6cc28ec8de8f81854ea9f4369afa9c7f) 
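Review bot: The new `denali ALL=(root) NOPASSWD: /bin/systemctl status sshd.socket` rule grants more than the caller needs: `status` pipes its output through a pager when stdout is a terminal, and a pager spawned as root under sudo is the classic escape that sudoers hardening guides warn about, so this one line makes the account root-equivalent for anyone who can run it interactively. The script in rootsshaccess.sh only greps that output for `Active: active (listening)`, which `systemctl is-active sshd.socket` already reports through its exit status and a single output word, so replace the rule with `denali ALL=(root) NOPASSWD: /bin/systemctl is-active sshd.socket` and use that sub-command in sshd_get. The start/stop/disable rules are fixed-argument and fine as written.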
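Review bot: `systemctl disable sshd.socket` only removes the unit from its boot target; if sshd.socket is already active it keeps listening until the next reboot, so the lockdown does not close ssh at the time it runs. If that is deliberate (for instance because lockdown.sh itself is executed over ssh) the comment should say so; otherwise use `systemctl disable --now sshd.socket`, which matches the disable-then-stop sequence rootsshaccess.sh performs. The comment also has two typos; `# Disable the ssh service by default; it is enabled on demand.` reads correctly. The enclosing function starts outside the hunk.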
@@ -0,0 +1,123 @@
+#!/bin/sh
+###########################################################################
+#
+# Copyright (c) 2021-2023 Diality Inc. - All Rights Reserved.
+#
+# THIS CODE MAY NOT BE COPIED OR REPRODUCED IN ANY FORM, IN PART OR IN
+# WHOLE, WITHOUT THE EXPLICIT PERMISSION OF THE COPYRIGHT OWNER.
+#
+# @file ssh_access.sh
+#
+# @author (last) Behrouz NematiPour
+# @date (last) 23-aug-2023
+# @author (original) Behrouz NematiPour
+# @date (original) 23-aug-2023
+#
+############################################################################
+
+TERM=dumb
+
+ECHO_STRING="ssh connection"
+SSHD_CONFIG="/etc/ssh/sshd_config"
+ERR_EXECUTION=201
+
+_enable=1
+_disable=0
+
+#TODO Move to globals.sh
+function check_num() {
+ if [ $1 != 0 ]; then
+ echo "execution failed"
+ exit $ERR_EXECUTION
+ fi
+}
+
+
+function sshd_set() {
+ if [ $_enable == $1 ]; then
+ sudo systemctl start sshd.socket
+ check_num $? ", started"
+ else
+ # is is always disabled but to make sure and be backward compatible will do it again.
+ sudo systemctl disable sshd.socket
+ check_num $? ", disabled"
+ # stop the ssh service
+ sudo systemctl stop sshd.socket
+ check_num $? ", stopped"
+ fi
+}
+
+function sshd_get() {
+ out=$(sudo systemctl status sshd.socket | grep "Active: active (listening)")
+ if [ -n "$out" ]; then
+ echo $_enable
+ else
+ echo $_disable
+ fi
+}
+
+function root_set() {
+ if [ $_enable == $1 ]; then
+ sudo sed -i '/PermitRootLogin/c\PermitRootLogin yes' $SSHD_CONFIG
+ check_num $? " enalbed"
+ else
+ sudo sed -i '/PermitRootLogin/c\PermitRootLogin no' $SSHD_CONFIG
+ check_num $? " disalbed"
+ fi
+}
+
+function root_get() {
+ if [ "$(grep -ir "^PermitRootLogin" $SSHD_CONFIG | tr -s ' ' | cut -f2 -d' ')" == "yes" ]; then
+ echo $_enable
+ else
+ echo $_disable
+ fi
+}
+
+function handleCommand() {
+ local state=$1
+ # sshd and root
+ local sshd_disable=0 # 0 0
+ local sshd_enable=1 # 1 0
+ local root_enable=2 # 1 1
+
+ case $1 in
+ $sshd_disable)
+ sshd_set $_disable
+ root_set $_disable
+ ;;
+ $sshd_enable)
+ sshd_set $_enable
+ root_set $_disable
+ ;;
+ $root_enable)
+ sshd_set $_enable
+ root_set $_enable
+ ;;
+ esac
+}
+
+function toCheckState() {
+ local sshd=$(sshd_get)
+ local root=$(root_get)
+ case $sshd in
+ $_disable)
+ echo 0
+ ;;
+ $_enable)
+ echo $(( $sshd + $root ))
+ ;;
+ esac
+}
+
+case "$#" in
+ 0)
+ echo $(toCheckState)
+ ;;
+ 1)
+ handleCommand $1
+ ;;
+esac
+
+echo ""
+exit 0
Fisheye: Tag ff95c34e6cc28ec8de8f81854ea9f4369afa9c7f refers to a dead (removed) revision in file `scripts/rootsshaccess_get.sh'.
Fisheye: No comparison available. Pass `N' to diff?
Fisheye: Tag ff95c34e6cc28ec8de8f81854ea9f4369afa9c7f refers to a dead (removed) revision in file `scripts/rootsshaccess_set.sh'.
Fisheye: No comparison available. Pass `N' to diff?