fix(recovery): surface 110 ssh account metadata receipt

This commit is contained in:
Your Name
2026-07-01 12:42:34 +08:00
parent 56522aa003
commit f963894995
5 changed files with 99 additions and 2 deletions


@@ -70,14 +70,26 @@ stat_path() {
check_user() {
local user="$1"
local home_dir
local home_dir shell passwd_status account_locked shell_exists shell_executable
home_dir="$(getent passwd "$user" | awk -F: '{print $6}')"
if [ -z "$home_dir" ]; then
echo "USER_STATUS user=$user exists=0"
return 1
fi
shell="$(getent passwd "$user" | awk -F: '{print $7}')"
passwd_status="$(passwd -S "$user" 2>/dev/null | awk '{print $2}' || true)"
account_locked=false
case "$passwd_status" in
L|LK) account_locked=true ;;
esac
shell_exists=false
shell_executable=false
[ -n "$shell" ] && [ -e "$shell" ] && shell_exists=true
[ -n "$shell" ] && [ -x "$shell" ] && shell_executable=true
echo "USER_STATUS user=$user exists=1 home=$home_dir"
echo "ACCOUNT_METADATA user=$user passwd_status=${passwd_status:-unknown} account_locked=${account_locked} shell=${shell:-unknown} shell_exists=${shell_exists} shell_executable=${shell_executable}"
stat_path "$home_dir"
stat_path "$home_dir/.ssh"
stat_path "$home_dir/.ssh/authorized_keys"
@@ -88,6 +100,28 @@ check_user() {
fi
}
check_sshd_effective_config() {
local user="$1"
local effective pubkey password kbdinteractive usepam maxstartups authorized_keys_file_default
effective="$(sshd -T -C "user=$user,host=localhost,addr=127.0.0.1" 2>/dev/null || true)"
if [ -z "$effective" ]; then
echo "SSHD_EFFECTIVE_CONFIG available=false"
return 0
fi
pubkey="$(printf '%s\n' "$effective" | awk '$1 == "pubkeyauthentication" {print $2; exit}')"
password="$(printf '%s\n' "$effective" | awk '$1 == "passwordauthentication" {print $2; exit}')"
kbdinteractive="$(printf '%s\n' "$effective" | awk '$1 == "kbdinteractiveauthentication" {print $2; exit}')"
usepam="$(printf '%s\n' "$effective" | awk '$1 == "usepam" {print $2; exit}')"
maxstartups="$(printf '%s\n' "$effective" | awk '$1 == "maxstartups" {print $2; exit}')"
if printf '%s\n' "$effective" | awk '$1 == "authorizedkeysfile" {$1=""; print}' | grep -q '\.ssh/authorized_keys'; then
authorized_keys_file_default=true
else
authorized_keys_file_default=false
fi
echo "SSHD_EFFECTIVE_CONFIG available=true pubkeyauthentication=${pubkey:-unknown} passwordauthentication=${password:-unknown} kbdinteractiveauthentication=${kbdinteractive:-unknown} usepam=${usepam:-unknown} maxstartups=${maxstartups:-unknown} authorized_keys_file_default=${authorized_keys_file_default}"
}
apply_user_permissions() {
local user="$1"
local home_dir
@@ -118,6 +152,7 @@ systemctl is-active ssh 2>/dev/null | sed 's/^/SSH_SERVICE_ACTIVE=/' || true
sshd -t
echo "SSHD_CONFIG_SYNTAX=ok"
check_user "$TARGET_USER"
check_sshd_effective_config "$TARGET_USER"
if [ "$APPLY" -eq 1 ]; then
apply_user_permissions "$TARGET_USER"
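Review bot: The probe in check_sshd_effective_config asks sshd about a loopback client (`-C "user=$user,host=localhost,addr=127.0.0.1"`), so any `Match Address`/`Match Host` block that applies to the real remote client is not reflected in the pubkeyauthentication/passwordauthentication values printed, and the SSHD_EFFECTIVE_CONFIG line gives no hint of which connection spec was evaluated. Making the spec overridable and echoing it keeps the receipt honest: `local probe_host="${SSHD_PROBE_HOST:-localhost}" probe_addr="${SSHD_PROBE_ADDR:-127.0.0.1}"`, `effective="$(sshd -T -C "user=$user,host=$probe_host,addr=$probe_addr" 2>/dev/null || true)"`, and `probe_host=${probe_host} probe_addr=${probe_addr}` appended to the output line. For a public-key repair receipt it would also be worth pulling `allowusers`, `allowgroups`, `denyusers`, `denygroups` and `authorizedkeyscommand` out of the same `sshd -T` output, since those deny or bypass the authorized_keys file regardless of its permissions. In check_user, `account_locked` is derived from `passwd -S` alone, which reports a `!`-locked password as L/LK; that state is normal for key-only accounts and, when usepam is yes (a value the function already prints), does not by itself block public-key login, so `password_locked` would describe what is measured more accurately. apply_user_permissions continues past the end of the hunk.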


@@ -138,6 +138,15 @@ def test_110_ssh_publickey_auth_repair_is_local_and_does_not_print_keys() -> Non
assert "chmod 600" in text
assert "chown \"$user:$user\"" in text
assert "sshd -t" in text
assert "ACCOUNT_METADATA user=" in text
assert "passwd -S" in text
assert "account_locked=" in text
assert "shell_executable=" in text
assert "SSHD_EFFECTIVE_CONFIG available=true" in text
assert "sshd -T -C" in text
assert "pubkeyauthentication=" in text
assert "authorized_keys_file_default=" in text
assert 'RELOAD_SSH="${RELOAD_SSH:-0}"' in text
assert "cat \"$home_dir/.ssh/authorized_keys\"" not in text
assert "getent shadow" not in text
assert "echo \"$(cat" not in text
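Review bot: The new assertions for the ACCOUNT_METADATA and SSHD_EFFECTIVE_CONFIG receipts are appended to test_110_ssh_publickey_auth_repair_is_local_and_does_not_print_keys, whose name promises a locality and no-key-leak check, so a failure would name the wrong contract; a sibling such as `test_110_ssh_publickey_auth_repair_emits_account_and_sshd_metadata` holding the eight new `in text` checks keeps each test's name truthful. The substring checks pin wording rather than behaviour, so `assert "L|LK)" in text` would at least pin the distro-portable `passwd -S` status codes the script's locked-account logic relies on. The test function's def line is above the hunk.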