This repository has been archived by the owner on Sep 16, 2022. It is now read-only.

Patch command (OpenSSH issues only) #263

Merged
merged 6 commits into from
Feb 28, 2020

Conversation

a-martynovich
Contributor

Note: all "actions" are now argparse commands which can have subcommands:

$ agent --help
usage: wott-agent [-h] [--dev] [--debug]
                  {whoami,portscan,test-cert,claim-token,claim-url,daemon,node-metadata,credentials,patch}
                  ...

Let's Encrypt for IoT (with more bells and whistles).
When called without arguments, generates node certificate
or renews it if necessary.

positional arguments:
  {whoami,portscan,test-cert,claim-token,claim-url,daemon,node-metadata,credentials,patch}
                        Choose one of the following:
    whoami              Print node ID.
    portscan            Print open ports.
    test-cert           Validate node certificate.
    claim-token         Print claim token.
    claim-url           Print claim URL.
    daemon              Run as daemon
    node-metadata       Fetch node specific, secret metadata.
    credentials         Fetch credentials.
    patch               patch the system

optional arguments:
  -h, --help            show this help message and exit
  --dev                 Developer mode: work with locally running server.
  --debug               Debug mode: set log level to DEBUG.

Only "patch" command has a subcommand:

$ agent patch --help
usage: wott-agent patch [-h] patch_name

positional arguments:
  patch_name  One of the following:
              openssh-empty-password    OpenSSH: Disable logins with empty password
              openssh-root-login        OpenSSH: Disable root login
              openssh-password-auth     OpenSSH: Disable password authentication
              openssh-agent-forwarding  OpenSSH: Disable agent forwarding
              openssh-protocol          OpenSSH: Force protocol version 2

optional arguments:
  -h, --help  show this help message and exit

In order to pass a dev or debug flag, the --dev or --debug argument should come before the command, for example:

$ agent --dev whoami
...
$ agent --debug --dev patch openssh-root-login

#257

@vpetersson
Contributor

I guess we also need a separate PR for the updated RAs.

@@ -57,6 +72,9 @@ def main():
elif args.action == 'daemon':
logger.info("start in daemon mode...")
run_daemon(dev=args.dev)
elif args.action == 'patch':
patch(args.patch_name, dev=args.dev)
run(ping=True, dev=args.dev)
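Review bot: after `patch(args.patch_name, dev=args.dev)` the hunk continues straight to `run(ping=True, dev=args.dev)` without validating the rewritten sshd_config or signalling sshd, so a bad edit would only surface at the next restart and a good one would not take effect until then. Run `sshd -t` on the result first, reload only when it passes, and exit non-zero when it fails.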
Contributor

It should in theory be safe to run service ssh restart after, as it has a check-config first:

  restart)
	check_for_upstart 1
	check_privsep_dir
	check_config
	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
	start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid
	check_for_no_start log_end_msg
	check_dev_null log_end_msg
	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
	    log_end_msg 0 || true
	else
	    log_end_msg 1 || true
	fi
	;;

Contributor Author

Sorry, forgot about that.

Contributor

Alternatively, we could check it manually (which is what check_config does above):

/usr/sbin/sshd $SSHD_OPTS -t

And then send a SIGHUP to it.

That way it becomes distro agnostic.

Contributor Author

SIGHUP won’t restart it; it will reload it. This is what “service sshd reload” does. Also, I think (need to double-check) reload will fail if the config is invalid.

Contributor

Yes, service ssh reload will do the same; however, the reason for sending SIGHUP vs using service is that we don't need to worry about distro-specific things (like whether it's called "ssh" or "sshd").

Contributor Author

Are we sure that it is in /usr/sbin in all distros?

Contributor

Nope. That said, it doesn't seem like the -t argument requires an absolute path:

$ sudo sshd -t
$ echo $?
0

(Launching sshd will however require an absolute path.)

@WoTTsecurity WoTTsecurity deleted a comment from a-martynovich Feb 27, 2020
patched_lines[-1] = param + ' ' + safe_value + '\n'
replaced = True
if replaced:
shutil.copy(SSHD_CONFIG_PATH, SSHD_CONFIG_PATH + '.bup')
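Review bot: `shutil.copy(SSHD_CONFIG_PATH, SSHD_CONFIG_PATH + '.bup')` uses a fixed backup name, so every run overwrites the previous backup and only the state immediately before the latest patch can be restored. Write to a timestamped name in a dedicated directory instead, and prefer `shutil.copy2` so the original's timestamps survive in the backup.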
Contributor

Can we copy this file to /opt/wott/backups/sshd_config.$TIMESTAMP or similar instead?

value = value.strip('"')
if param == patch_param and value != safe_value:
logger.info('{}: replacing "{}" with "{}"'.format(param, value, safe_value))
patched_lines[-1] = param + ' ' + safe_value + '\n'
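Review bot: `param == patch_param` and `value != safe_value` are case-sensitive exact comparisons, but sshd matches keywords and yes/no arguments case-insensitively, so a line such as `permitrootlogin Yes` is skipped by this check yet remains in force. Compare both sides lowercased (after the existing `strip('"')`) before deciding whether to rewrite the line.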
Contributor

Can we annotate the end of this line with something like # Added by wott-agent on $TIMESTAMP?

Contributor Author

We can only add a comment above or below the line, not to the line itself.

Contributor

This is not true:

$ grep Proto /etc/ssh/sshd_config
Protocol 2 #This is a comment
$ sudo service ssh restart
$ sudo /usr/sbin/sshd -t
$ echo $?
0

Contributor

That said, I agree that praxis is to add it above, so maybe we should stick to that.

@vpetersson
Contributor

Doesn't seem like the PasswordAuthentication patch works when the line is commented out:

$ sudo wott-agent patch openssh-password-auth
[...]
patch "PasswordAuthentication"
<Command '/usr/sbin/sshd --hel...(1 more)' call_args {'err_bufsize': 1, '...(495 more)>: starting process
<Command '/usr/bin/lscpu' call_args {'err_bufsize': 1, '...(495 more)>: starting process
Certificate expires in 3 days and 6 hours. No need for renewal.Renewal threshold is set to 3 days.

$ grep PasswordAuth /etc/ssh/sshd_config
#PasswordAuthentication yes
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication

$ sudo sshd -T  | grep passwordauth
passwordauthentication yes

The same is true if a value isn't set:

$ grep AllowAgentForwarding /etc/ssh/sshd_config

$ sudo wott-agent patch openssh-agent-forwarding
[...]
patch "AllowAgentForwarding"
<Command '/usr/sbin/sshd --hel...(1 more)' call_args {'decode_errors': 's...(495 more)>: starting process
<Command '/usr/bin/lscpu' call_args {'decode_errors': 's...(495 more)>: starting process
Certificate expires in 3 days and 6 hours. No need for renewal.Renewal threshold is set to 3 days.

$ sudo sshd -T  | grep allowagentforwarding
allowagentforwarding yes
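
One way to cover the three cases in this report (an active line, a commented-out template line such as `#PasswordAuthentication yes`, and a keyword that is absent) together with the validate-then-reload flow discussed earlier in the thread, as an added example that is not wott-agent's own code: it goes a little beyond the thread by matching keywords and yes/no values case-insensitively as sshd does and by inserting a new directive before any `Match` block, where a line would otherwise only apply to matched connections. The backup directory, the pidfile path and the helper names are assumptions.

```python
import os
import re
import shutil
import signal
import subprocess
import time

def patch_sshd_config_text(text, param, safe_value):
    """Force the global value of `param` to `safe_value`; returns (new_text, changed).
    Active global lines are rewritten, a "#Keyword value" template line is made live,
    otherwise the directive is inserted before the first Match block (or appended)."""
    line_re = re.compile(r'^\s*(#\s*)?' + re.escape(param) + r'\s+(\S+)\s*(#.*)?\s*$', re.I)
    new_line = '{} {}\n'.format(param, safe_value)
    out, active, template, first_match = [], False, None, None
    for line in text.splitlines(keepends=True):
        if first_match is None and re.match(r'^\s*Match\b', line, re.I):
            first_match = len(out)                 # lines below only apply to matches
        m = line_re.match(line) if first_match is None else None
        if m and not m.group(1):                   # active global directive
            active = True
            if m.group(2).strip('"').lower() != safe_value.lower():   # sshd is case-insensitive
                line = new_line
        elif m and template is None:               # first commented-out template line
            template = len(out)
        out.append(line)
    if not active and template is not None:
        out[template] = new_line
    elif not active and first_match is not None:
        out.insert(first_match, new_line)
    elif not active:
        out.append(('\n' if out and not out[-1].endswith('\n') else '') + new_line)
    new_text = ''.join(out)
    return new_text, new_text != text

def apply_sshd_patch(path, param, safe_value, backup_dir, pidfile='/var/run/sshd.pid'):
    """Timestamped backup, rewrite, `sshd -t`, then SIGHUP the listener (assumed paths)."""
    with open(path) as f:
        new_text, changed = patch_sshd_config_text(f.read(), param, safe_value)
    if not changed:
        return False
    os.makedirs(backup_dir, exist_ok=True)
    backup = os.path.join(backup_dir, 'sshd_config.{}'.format(int(time.time())))
    shutil.copy2(path, backup)
    with open(path, 'w') as f:
        f.write(new_text)
    if subprocess.call(['sshd', '-t']) != 0:       # invalid config: restore and fail loudly
        shutil.copy2(backup, path)
        raise RuntimeError('sshd rejected the patched config; backup restored')
    os.kill(int(open(pidfile).read()), signal.SIGHUP)   # HUP the listener only, not sessions
    return True
```

Sending SIGHUP only to the pid from the pidfile matters because per-connection sshd children reset SIGHUP to its default and would be terminated by a broad `pkill -HUP sshd`.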

@vpetersson vpetersson merged commit 2c8cdbf into WoTTsecurity:master Feb 28, 2020