Fresh, on-demand inbound SSH-access management for the host (replaces the old maze). scripts/ssh/host_access.sh manages the install user's authorized_keys — add a pasted public key (validated), list, remove — and toggles sshd password login behind a lockout guard (won't disable passwords with no key; won't drop the last key while passwords are off; sshd -t before reload, with backup). New 'ssh' CLI category (status/key-add/key-remove/password-auth/generate) and a webuiGenerateSshAccess snapshot (data/ssh/access.json: user, password_auth, authorized keys as type+fingerprint+comment — public only) wired into the regen chain. Nothing runs automatically; only explicit admin actions change anything. WebUI page next. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
24 lines
796 B
Bash
24 lines
796 B
Bash
#!/bin/bash
|
|
|
|
cliShowSshHelp()
|
|
{
|
|
isHeader "LibrePortal SSH Access Commands"
|
|
echo "ssh status"
|
|
echo " Show the login user, password-login state, and authorized key count."
|
|
echo ""
|
|
echo "ssh key-add <base64-public-key>"
|
|
echo " Authorize a public key for SSH login (base64-encoded; the WebUI"
|
|
echo " encodes pasted keys for you)."
|
|
echo ""
|
|
echo "ssh key-remove <fingerprint>"
|
|
echo " Remove an authorized key by its SHA256 fingerprint."
|
|
echo ""
|
|
echo "ssh password-auth <on|off>"
|
|
echo " Enable/disable sshd password login. Disabling is refused unless at"
|
|
echo " least one key is authorized (lockout guard)."
|
|
echo ""
|
|
echo "ssh generate"
|
|
echo " Regenerate the WebUI SSH-access snapshot (access.json)."
|
|
echo ""
|
|
}
|