fix: Security Audit SSH Errors #1377

- Fixed SSH key authentication detection in server-audit.ts - Added proper handling for prohibit-password and other secure root login options - Fixed typos in security audit UI labels - Improved error handling with optional chaining
2025-06-26 18:27:59 +00:00 · 2025-03-22 14:26:40 -06:00
parent ff3d444b89
commit fc7eff94b6
2 changed files with 86 additions and 30 deletions
--- a/packages/server/src/setup/server-audit.ts
+++ b/packages/server/src/setup/server-audit.ts
@@ -14,13 +14,50 @@ const validateUfw = () => `
 `;

 const validateSsh = () => `
-  if systemctl is-active --quiet sshd; then
+  if systemctl is-active --quiet sshd || systemctl is-active --quiet ssh; then
    isEnabled=true
-    hasKeyAuth=$(find "$HOME/.ssh" -type f -name "authorized_keys" 2>/dev/null | grep -q . && echo true || echo false)
-    permitRootLogin=$(sudo sshd -T | grep -i "^PermitRootLogin" | awk '{print $2}')
-    passwordAuth=$(sudo sshd -T | grep -i "^PasswordAuthentication" | awk '{print $2}')
-    usePam=$(sudo sshd -T | grep -i "^UsePAM" | awk '{print $2}')
-    echo "{\\"enabled\\": $isEnabled, \\"keyAuth\\": $hasKeyAuth, \\"permitRootLogin\\": \\"$permitRootLogin\\", \\"passwordAuth\\": \\"$passwordAuth\\", \\"usePam\\": \\"$usePam\\"}"
+    
+    # Get the sshd config file path
+    sshd_config=$(sudo sshd -T 2>/dev/null | grep -i "^configfile" | awk '{print $2}')
+    
+    # If we couldn't get the path, use the default
+    if [ -z "$sshd_config" ]; then
+      sshd_config="/etc/ssh/sshd_config"
+    fi
+    
+    # Check for key authentication
+    # SSH key auth is enabled by default unless explicitly disabled
+    pubkey_line=$(sudo grep -i "^PubkeyAuthentication" "$sshd_config" 2>/dev/null | grep -v "#")
+    if [ -z "$pubkey_line" ] || echo "$pubkey_line" | grep -q -i "yes"; then
+      keyAuth=true
+    else
+      keyAuth=false
+    fi
+    
+    # Get the exact PermitRootLogin value from config
+    # This preserves values like "prohibit-password" without normalization
+    permitRootLogin=$(sudo grep -i "^PermitRootLogin" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
+    if [ -z "$permitRootLogin" ]; then
+      # Default is prohibit-password in newer versions
+      permitRootLogin="prohibit-password"
+    fi
+    
+    # Get the exact PasswordAuthentication value from config
+    passwordAuth=$(sudo grep -i "^PasswordAuthentication" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
+    if [ -z "$passwordAuth" ]; then
+      # Default is yes
+      passwordAuth="yes"
+    fi
+    
+    # Get the exact UsePAM value from config
+    usePam=$(sudo grep -i "^UsePAM" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
+    if [ -z "$usePam" ]; then
+      # Default is yes in most distros
+      usePam="yes"
+    fi
+    
+    # Return the results with exact values from config file
+    echo "{\\"enabled\\": $isEnabled, \\"keyAuth\\": $keyAuth, \\"permitRootLogin\\": \\"$permitRootLogin\\", \\"passwordAuth\\": \\"$passwordAuth\\", \\"usePam\\": \\"$usePam\\"}"
  else
    echo "{\\"enabled\\": false, \\"keyAuth\\": false, \\"permitRootLogin\\": \\"unknown\\", \\"passwordAuth\\": \\"unknown\\", \\"usePam\\": \\"unknown\\"}"
  fi
@@ -111,4 +148,4 @@ export const serverAudit = async (serverId: string) => {
 				privateKey: server.sshKey?.privateKey,
 			});
 	});
-};
+};