openssh: prevent SFTP login for non-admins...

unless explicitly configured. We set "admins" in the default
config, which also adds "wheel" underneath, but some systems may
not use "admins", so that does not work there.

PR: https://forum.opnsense.org/index.php?topic=6994.15
This commit is contained in:
Franco Fichtner 2018-01-31 21:14:31 +00:00
parent 57f51d2943
commit 4cdfe13bc4
3 changed files with 45 additions and 12 deletions


@ -231,6 +231,9 @@
<crypto_hardware>aesni</crypto_hardware>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<ssh>
<group>admins</group>
</ssh>
</system>
<interfaces>
<wan>


@ -3,7 +3,7 @@
/*
* Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
* Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
* Copyright (C) 2015-2017 Franco Fichtner <franco@opnsense.org>
* Copyright (C) 2015-2018 Franco Fichtner <franco@opnsense.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -158,7 +158,11 @@ function openssh_configure_do($verbose = false, $interface = '')
$sshconf .= "X11Forwarding no\n";
$sshconf .= "PubkeyAuthentication yes\n";
$sshconf .= "Subsystem sftp internal-sftp\n";
$sshconf .= "AllowGroups wheel\n";
$sshconf .= "AllowGroups wheel";
if (!empty($sshcfg['group'][0])) {
$sshconf .= " {$sshcfg['group'][0]}";
}
$sshconf .= "\n";
if (isset($sshcfg['permitrootlogin'])) {
$sshconf .= "PermitRootLogin yes\n";
} else {
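Review bot: The group name appended at `$sshconf .= " {$sshcfg['group'][0]}";` is written into sshd_config without any check, and the POST handler in system_advanced_admin.php (`$config['system']['ssh']['group'] = $pconfig['sshlogingroup'];`) stores whatever the form submits without comparing it to the groups read into `$a_group`. A value containing whitespace or a line break would turn into extra AllowGroups tokens or separate directives in the generated file, and a misspelled name silently grants nothing. Validate at the boundary before saving, e.g. `if (!empty($pconfig['sshlogingroup']) && !in_array($pconfig['sshlogingroup'], array_column($a_group, 'name'), true)) { /* add to the page's input error list, presumably $input_errors (outside this hunk) */ }`, and defensively skip the append here when the stored name is not a single token, e.g. `if (!empty($sshcfg['group'][0]) && !preg_match('/\s/', $sshcfg['group'][0])) {`. openssh_configure_do starts and ends outside the hunk.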


@ -35,6 +35,8 @@ require_once("filter.inc");
require_once("system.inc");
require_once("services.inc");
$a_group = &config_read_array('system', 'group');
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
$pconfig['webguiinterfaces'] = !empty($config['system']['webgui']['interfaces']) ? explode(',', $config['system']['webgui']['interfaces']) : array();
@ -57,7 +59,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['enablesshd'] = $config['system']['ssh']['enabled'];
$pconfig['sshport'] = $config['system']['ssh']['port'];
$pconfig['sshinterfaces'] = !empty($config['system']['ssh']['interfaces']) ? explode(',', $config['system']['ssh']['interfaces']) : array();
$pconfig['passwordauth'] = isset($config['system']['ssh']['passwordauth']);
/* XXX listtag "fun" */
$pconfig['sshlogingroup'] = !empty($config['system']['ssh']['group'][0]) ? $config['system']['ssh']['group'][0] : null;
$pconfig['sshpasswordauth'] = isset($config['system']['ssh']['passwordauth']);
$pconfig['sshdpermitrootlogin'] = isset($config['system']['ssh']['permitrootlogin']);
$pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']);
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
@ -187,7 +191,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['ssh']['enabled']);
}
if (!empty($pconfig['passwordauth'])) {
if (!empty($pconfig['sshlogingroup'])) {
$config['system']['ssh']['group'] = $pconfig['sshlogingroup'];
} elseif (isset($config['system']['ssh']['group'])) {
unset($config['system']['ssh']['group']);
}
if (!empty($pconfig['sshpasswordauth'])) {
$config['system']['ssh']['passwordauth'] = true;
} elseif (isset($config['system']['ssh']['passwordauth'])) {
unset($config['system']['ssh']['passwordauth']);
@ -246,7 +256,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
}
$a_cert = isset($config['cert']) ? $config['cert'] : array();
$interfaces = get_configured_interface_with_descr();
@ -258,12 +267,13 @@ if (count($a_cert)) {
if (empty($pconfig['webguiproto']) || !$certs_available) {
$pconfig['webguiproto'] = "http";
}
legacy_html_escape_form_data($pconfig);
legacy_html_escape_form_data($a_group);
include("head.inc");
?>
<body>
<?php include("fbegin.inc"); ?>
<script>
@ -413,7 +423,7 @@ $(document).ready(function() {
<tr class="ssl_opts">
<td><a id="help_for_sslciphers" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("SSL Ciphers"); ?></td>
<td>
<select name="ssl-ciphers[]" class="selectpicker" multiple="multiple" data-live-search="true" title="<?=gettext("System defaults");?>">
<select name="ssl-ciphers[]" class="formselect selectpicker" multiple="multiple" data-live-search="true" title="<?=gettext("System defaults");?>">
<?php
$ciphers = json_decode(configd_run("system ssl ciphers"), true);
if ($ciphers == null) {
@ -515,7 +525,7 @@ $(document).ready(function() {
<tr>
<td><a id="help_for_webguiinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
<td>
<select id="webguiinterface" name="webguiinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
<select id="webguiinterface" name="webguiinterfaces[]" multiple="multiple" class="formselect selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
<?php
foreach ($interfaces as $iface => $ifacename): ?>
<option value="<?= html_safe($iface) ?>" <?= !empty($pconfig['webguiinterfaces']) && in_array($iface, $pconfig['webguiinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
@ -551,6 +561,22 @@ $(document).ready(function() {
<strong><?=gettext("Enable Secure Shell"); ?></strong>
</td>
</tr>
<tr>
<td><a id="help_for_sshlogingroup" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Login Group') ?></td>
<td>
<select name="sshlogingroup" class="formselect selectpicker">
<option value=""><!-- do not translate: -->wheel</option>
<?php
foreach ($a_group as $group) :?>
<option value="<?= html_safe($group['name']) ?>" <?= $pconfig['sshlogingroup'] == $group['name'] ? 'selected="selected"' : '' ?>><!-- do not translate: -->wheel, <?= html_safe($group['name']) ?></option>
<?php
endforeach;?>
</select>
<output class="hidden" for="help_for_sshlogingroup">
<?= gettext('Select the allowed groups for remote login. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will. Do not yield remote access to non-adminstrators as every user can access system files using SSH or SFTP.') ?>
</output>
</td>
</tr>
<tr>
<td><a id="help_for_sshdpermitrootlogin" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Root Login") ?></td>
<td>
@ -565,11 +591,11 @@ $(document).ready(function() {
</td>
</tr>
<tr>
<td><a id="help_for_passwordauth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Authentication Method") ?></td>
<td><a id="help_for_sshpasswordauth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Authentication Method") ?></td>
<td>
<input name="passwordauth" type="checkbox" value="yes" <?= empty($pconfig['passwordauth']) ? '' : 'checked="checked"' ?> />
<input name="sshpasswordauth" type="checkbox" value="yes" <?= empty($pconfig['sshpasswordauth']) ? '' : 'checked="checked"' ?> />
<strong><?=gettext("Permit password login"); ?></strong>
<output class="hidden" for="help_for_passwordauth">
<output class="hidden" for="help_for_sshpasswordauth">
<?=sprintf(gettext("When disabled, authorized keys need to be configured for each %sUser%s that has been granted secure shell access."),
'<a href="system_usermanager.php">', '</a>') ?>
</output>
@ -587,7 +613,7 @@ $(document).ready(function() {
<tr>
<td><a id="help_for_sshinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
<td>
<select name="sshinterfaces[]" multiple="multiple" class="selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
<select name="sshinterfaces[]" multiple="multiple" class="formselect selectpicker" title="<?= html_safe(gettext('All (recommended)')) ?>">
<?php
foreach ($interfaces as $iface => $ifacename): ?>
<option value="<?= html_safe($iface) ?>" <?= !empty($pconfig['sshinterfaces']) && in_array($iface, $pconfig['sshinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
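Review bot: The selected-option test in the new Login Group row, `$pconfig['sshlogingroup'] == $group['name']`, uses loose comparison while the rest of the file compares with `===` (see `$_SERVER['REQUEST_METHOD'] === 'GET'`); since `$pconfig['sshlogingroup']` is either `null` or a string and `$group['name']` is a string, `$pconfig['sshlogingroup'] === $group['name']` gives the same result for real names and avoids PHP's numeric-string coercion for names that look like numbers. If `legacy_html_escape_form_data($a_group)` escapes the values in place, as its name suggests, then `html_safe($group['name'])` in the same option re-escapes them, so a group name containing `&` or quotes would render double-encoded; worth confirming against that helper. The help text in the same row has a typo, "non-adminstrators" should read "non-administrators".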