diff --git a/check-sftp-user.sh b/check-sftp-user.sh
index c2bb62d..7a3f9b9 100644
--- a/check-sftp-user.sh
+++ b/check-sftp-user.sh
@@ -202,20 +202,29 @@ echo
 echo "=== 5. PASSWORD CHECK ==="
 if [ "${USER_EXISTS:-true}" != "false" ] && id "$USERNAME" &>/dev/null 2>&1; then
- # Check if password is set (this is tricky - we can only check if shadow entry exists)
- if grep -q "^$USERNAME:" /etc/shadow; then
- print_status "OK" "User has shadow entry (password record exists)"
- # Check if password field is empty or has '!' (locked)
- PWD_FIELD=$(grep "^$USERNAME:" /etc/shadow | cut -d: -f2)
- if [ -z "$PWD_FIELD" ] || [ "$PWD_FIELD" = "*" ] || [ "$PWD_FIELD" = "!" ]; then
- print_status "ERROR" "User password appears to be LOCKED or NOT SET!"
- echo " Password field: $PWD_FIELD"
- echo " Fix: echo '$USERNAME:NEW_PASSWORD' | chpasswd"
+ # Check if password is set (requires root to read /etc/shadow)
+ if [ "$EUID" -eq 0 ]; then
+ # Running as root - can check shadow file
+ if grep -q "^$USERNAME:" /etc/shadow 2>/dev/null; then
+ print_status "OK" "User has shadow entry (password record exists)"
+ # Check if password field is empty or has '!' (locked)
+ PWD_FIELD=$(grep "^$USERNAME:" /etc/shadow 2>/dev/null | cut -d: -f2)
+ if [ -z "$PWD_FIELD" ] || [ "$PWD_FIELD" = "*" ] || [ "$PWD_FIELD" = "!" ]; then
+ print_status "ERROR" "User password appears to be LOCKED or NOT SET!"
+ echo " Password field: $PWD_FIELD"
+ echo " Fix: echo '$USERNAME:NEW_PASSWORD' | chpasswd"
+ else
+ print_status "OK" "User password appears to be set (hashed)"
+ fi
 else
- print_status "OK" "User password appears to be set (hashed)"
+ print_status "ERROR" "User does NOT have shadow entry!"
 fi
 else
- print_status "ERROR" "User does NOT have shadow entry!"
+ # Not running as root - cannot read /etc/shadow
+ print_status "WARNING" "Cannot check password status (requires root privileges)"
+ echo " Note: Password check requires root access to read /etc/shadow"
+ echo " Run as root or use sudo to check password status"
+ echo " To verify password: sudo grep '^$USERNAME:' /etc/shadow"
 fi
 fi
 echo
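Review bot: The locked-account test on the new `if [ -z "$PWD_FIELD" ] || [ "$PWD_FIELD" = "*" ] || [ "$PWD_FIELD" = "!" ]` line only matches a bare `!`, but `passwd -l` and `usermod -L` lock an account by prefixing the existing hash with `!` (and some distributions default to `!!` for accounts created without a password), so those accounts are reported as "password appears to be set (hashed)"; replacing the last clause with `[ "${PWD_FIELD:0:1}" = "!" ]` covers every `!`-prefixed value. The `2>/dev/null` added to both shadow greps turns any unexpected read error into the "User does NOT have shadow entry!" verdict, so a failed read is indistinguishable from a missing record; testing `[ -r /etc/shadow ]` first and reporting that case separately keeps the two apart. The printed remediation `echo '$USERNAME:NEW_PASSWORD' | chpasswd` puts the new password into shell history and process arguments; `passwd "$USERNAME"` is the safer hint to print. The `if ... id "$USERNAME"` block is opened and closed inside this hunk.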
@@ -238,15 +247,32 @@ fi
 # Check addon config file
 ADDON_CONFIG="/etc/ssh/sshd_config.d/99-sftp-addon.conf"
 if [ -d "/etc/ssh/sshd_config.d" ]; then
- if [ -f "$ADDON_CONFIG" ]; then
- print_status "OK" "Addon config file exists: $ADDON_CONFIG"
- echo " Contents:"
- cat "$ADDON_CONFIG" | sed 's/^/ /'
+ # Check if file exists (may require root to read)
+ if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]; then
+ if [ -f "$ADDON_CONFIG" ]; then
+ print_status "OK" "Addon config file exists: $ADDON_CONFIG"
+ if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]; then
+ echo " Contents:"
+ cat "$ADDON_CONFIG" 2>/dev/null | sed 's/^/ /' || echo " (Cannot read file - requires root)"
+ else
+ echo " File exists but cannot be read (requires root privileges)"
+ fi
+ else
+ print_status "WARNING" "Addon config file does NOT exist: $ADDON_CONFIG"
+ echo " This file should be created during addon installation."
+ echo " The addon may not have been properly installed or updated."
+ echo " Fix: Reinstall or update the addon to create this file."
+ fi
 else
- print_status "WARNING" "Addon config file does NOT exist: $ADDON_CONFIG"
- echo " This file should be created during addon installation."
- echo " The addon may not have been properly installed or updated."
- echo " Fix: Reinstall or update the addon to create this file."
+ # Check if file exists using test (works even without read permission)
+ if sudo test -f "$ADDON_CONFIG" 2>/dev/null || [ -f "$ADDON_CONFIG" ]; then
+ print_status "OK" "Addon config file exists: $ADDON_CONFIG"
+ echo " Note: Cannot read contents (requires root privileges)"
+ echo " To view: sudo cat $ADDON_CONFIG"
+ else
+ print_status "WARNING" "Cannot verify addon config file (requires root privileges)"
+ echo " Check: sudo ls -la $ADDON_CONFIG"
+ fi
 fi
 else
 print_status "WARNING" "SSH config.d directory does not exist: /etc/ssh/sshd_config.d"
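Review bot: The inner `if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]` repeats the guard of the enclosing `if`, so its else branch ("File exists but cannot be read") can never run, and the `|| echo " (Cannot read file - requires root)"` after `cat ... | sed` tests sed's exit status rather than cat's, so a cat failure (already silenced by `2>/dev/null`) prints "Contents:" followed by nothing. Dropping the inner test and writing `if sed 's/^/ /' "$ADDON_CONFIG" 2>/dev/null; then : ; else echo " (Cannot read file - requires root)"; fi` handles both and removes the cat pipe. The `sudo test -f` in the non-root branch, like the `sudo test`/`sudo grep` calls in the Match Group hunk, can block on a password prompt when the script runs unattended; `sudo -n` fails immediately instead, which is the behaviour a diagnostic script wants, and the surrounding message already tells the user to rerun with sudo. The outer `if [ -d "/etc/ssh/sshd_config.d" ]` block is closed after the end of this hunk.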
@@ -264,28 +290,70 @@ else
 fi
 # Check Match Group configuration
-if grep -q "Match Group sftpusers" /etc/ssh/sshd_config; then
+MATCH_SFTPUSERS_FOUND=false
+MATCH_SSHUSERS_FOUND=false
+
+# Check main config
+if grep -q "Match Group sftpusers" /etc/ssh/sshd_config 2>/dev/null; then
+ MATCH_SFTPUSERS_FOUND=true
 print_status "OK" "Match Group sftpusers found in main config"
-elif [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sftpusers" "$ADDON_CONFIG"; then
- print_status "OK" "Match Group sftpusers found in addon config"
-else
+fi
+
+# Check addon config (may require root to read)
+if [ "$MATCH_SFTPUSERS_FOUND" = false ]; then
+ if [ -r "$ADDON_CONFIG" ]; then
+ if [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sftpusers" "$ADDON_CONFIG" 2>/dev/null; then
+ MATCH_SFTPUSERS_FOUND=true
+ print_status "OK" "Match Group sftpusers found in addon config"
+ fi
+ elif sudo test -f "$ADDON_CONFIG" 2>/dev/null && sudo grep -q "Match Group sftpusers" "$ADDON_CONFIG" 2>/dev/null; then
+ MATCH_SFTPUSERS_FOUND=true
+ print_status "OK" "Match Group sftpusers found in addon config"
+ fi
+fi
+
+if [ "$MATCH_SFTPUSERS_FOUND" = false ]; then
 print_status "ERROR" "Match Group sftpusers NOT found in SSH config!"
 fi
-if grep -q "Match Group sshusers" /etc/ssh/sshd_config; then
+# Check for sshusers group
+if grep -q "Match Group sshusers" /etc/ssh/sshd_config 2>/dev/null; then
+ MATCH_SSHUSERS_FOUND=true
 print_status "OK" "Match Group sshusers found in main config"
-elif [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sshusers" "$ADDON_CONFIG"; then
- print_status "OK" "Match Group sshusers found in addon config"
-else
- print_status "WARNING" "Match Group sshusers NOT found (needed for SSH access)"
 fi
-# Test SSH config syntax
-if sshd -t 2>/dev/null; then
- print_status "OK" "SSH configuration syntax is valid"
+if [ "$MATCH_SSHUSERS_FOUND" = false ]; then
+ if [ -r "$ADDON_CONFIG" ]; then
+ if [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sshusers" "$ADDON_CONFIG" 2>/dev/null; then
+ MATCH_SSHUSERS_FOUND=true
+ print_status "OK" "Match Group sshusers found in addon config"
+ fi
+ elif sudo test -f "$ADDON_CONFIG" 2>/dev/null && sudo grep -q "Match Group sshusers" "$ADDON_CONFIG" 2>/dev/null; then
+ MATCH_SSHUSERS_FOUND=true
+ print_status "OK" "Match Group sshusers found in addon config"
+ fi
+fi
+
+if [ "$MATCH_SSHUSERS_FOUND" = false ]; then
+ print_status "WARNING" "Match Group sshusers NOT found (needed for SSH access)"
+ echo " Note: This may be in the addon config file that requires root to read"
+ echo " Check: sudo grep 'Match Group sshusers' $ADDON_CONFIG"
+fi
+
+# Test SSH config syntax (requires root)
+if [ "$EUID" -eq 0 ]; then
+ if sshd -t 2>&1; then
+ print_status "OK" "SSH configuration syntax is valid"
+ else
+ SSH_TEST_OUTPUT=$(sshd -t 2>&1)
+ print_status "ERROR" "SSH configuration syntax is INVALID!"
+ echo " Errors:"
+ echo "$SSH_TEST_OUTPUT" | sed 's/^/ /'
+ fi
 else
- print_status "ERROR" "SSH configuration syntax is INVALID!"
- echo " Run: sshd -t (as root) to see errors"
+ print_status "WARNING" "Cannot test SSH config syntax (requires root privileges)"
+ echo " To test: sudo sshd -t"
+ echo " Note: SSH service is running, so config is likely valid"
 fi
 echo
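Review bot: `if sshd -t 2>&1; then` redirects the diagnostics to stdout without capturing them, so on an invalid config the raw errors are printed once unindented and `sshd -t` is then run a second time to fill `SSH_TEST_OUTPUT`; capturing on the first run, `if SSH_TEST_OUTPUT=$(sshd -t 2>&1); then`, and deleting the second invocation fixes both. The `grep -q "Match Group sftpusers"` and `"Match Group sshusers"` checks (main and addon config alike) also match a commented-out `#Match Group ...` line and do not confirm that the main config actually has an `Include` for the drop-in directory, so an OK here does not establish that the block is in effect; anchoring the pattern, e.g. `grep -Eq '^[[:space:]]*Match[[:space:]]+Group[[:space:]]+sftpusers'`, removes the first false positive. The fallback line "SSH service is running, so config is likely valid" asserts a state that nothing in this hunk verifies; unless an earlier section checks the service, the sentence should be dropped or made conditional on that result.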