bkctld-ip: fail when trying to add an IP when there is no AllowUsers
parent
86111acfea
commit
5a90ae8a16
|
@ -17,9 +17,13 @@ jail_path=$(jail_path "${jail_name}")
|
|||
|
||||
test -d "${jail_path}" || error "${jail_name}: jail is missing."
|
||||
|
||||
jail_sshd_config="${jail_path}/${SSHD_CONFIG}"
|
||||
|
||||
if [ -z "${ip}" ]; then
|
||||
# parse IP addresses from AllowUsers directives in sshd config
|
||||
grep -E "^AllowUsers" "${jail_path}/${SSHD_CONFIG}" | grep -Eo "root@[^ ]+" | while read allow; do
|
||||
grep -E "^AllowUsers" "${jail_sshd_config}" \
|
||||
| grep -E -o "root@[^ ]+" \
|
||||
| while read allow; do
|
||||
echo "${allow}" | cut -d'@' -f2
|
||||
done
|
||||
else
|
||||
|
@ -33,7 +37,11 @@ else
|
|||
for ip in ${new_ips}; do
|
||||
allow_users="${allow_users} root@${ip}"
|
||||
done
|
||||
sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_path}/${SSHD_CONFIG}"
|
||||
if grep -q -E "^AllowUsers" "${jail_sshd_config}"; then
|
||||
sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_sshd_config}"
|
||||
else
|
||||
error "${jail_name}: No 'AllowUsers' directive found in '${jail_sshd_config}'"
|
||||
fi
|
||||
notice "${jail_name}: IP whitelist updated to ${ip}"
|
||||
"${LIBDIR}/bkctld-reload" "${jail_name}"
|
||||
"${LIBDIR}/bkctld-firewall" "${jail_name}"
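Review bot: The new guard tests `^AllowUsers`, but the sed inside it only rewrites lines matching `^AllowUsers .*`, so a directive written with a tab after the keyword passes the grep, is left untouched by sed, and the script still logs "IP whitelist updated", which is the silent no-op this commit sets out to stop. Using one pattern for both keeps the check and the edit in agreement, e.g. `grep -q -E "^AllowUsers[[:space:]]"` and `sed -i "s~^AllowUsers[[:space:]].*~${allow_users}~"`. Separately, `${allow_users}` is built from `${ip}` and pasted into the sed replacement, where `&`, `\` and `~` are special. No validation of `${ip}` is visible in these hunks, so it is worth confirming that the value is restricted to address characters before this line, since it decides which hosts may log in as root in the jail. The surrounding if/else starts and ends outside the hunks.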
|
||||
|
|
|
@ -58,6 +58,14 @@ load test_helper
|
|||
assert_success
|
||||
}
|
||||
|
||||
@test "Missing AllowUsers" {
|
||||
# Remove AllowUsers directive in SSH config
|
||||
sed -i '/^AllowUsers/d' "${JAILPATH}/etc/ssh/sshd_config"
|
||||
# An error should be raised when trying to add an IP restriction
|
||||
run /usr/lib/bkctld/bkctld-ip "${JAILNAME}" "10.0.0.1"
|
||||
assert_failure
|
||||
}
|
||||
|
||||
@test "SSH connectivity" {
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}"
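Review bot: `assert_failure` alone in the "Missing AllowUsers" test passes for any non-zero exit, including failures unrelated to the directive (a missing jail, for instance), so it does not pin the new branch. Adding `assert_output --partial "No 'AllowUsers' directive found"` after it would tie the test to the new error, assuming test_helper loads bats-assert and `error` prints that message to the captured output. A follow-up `run grep -q "10.0.0.1" "${JAILPATH}/etc/ssh/sshd_config"` with `assert_failure` would also confirm that the failed call wrote nothing to the config.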
|
||||
|
|