LibrePortal/scripts/cli/commands/ssh/cli_ssh_commands.sh
librelad 3a679d7343 feat(ssh): admin host SSH-access engine (backend + CLI + snapshot)
Fresh, on-demand inbound SSH-access management for the host (replaces the old
maze). scripts/ssh/host_access.sh manages the install user's authorized_keys —
add a pasted public key (validated), list, remove — and toggles sshd password
login behind a lockout guard (won't disable passwords with no key; won't drop
the last key while passwords are off; sshd -t before reload, with backup).

New 'ssh' CLI category (status/key-add/key-remove/password-auth/generate) and
a webuiGenerateSshAccess snapshot (data/ssh/access.json: user, password_auth,
authorized keys as type+fingerprint+comment — public only) wired into the
regen chain. Nothing runs automatically; only explicit admin actions change
anything. WebUI page next.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 16:40:59 +01:00

37 lines
1.1 KiB
Bash

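#!/bin/bash

# Dispatch "ssh <action> [arg]" to the host SSH-access functions.
# $initial_command2 (action) and $initial_command3 (argument) are globals
# that are not set in this file.
cliHandleSshCommands()
{
    local action="$initial_command2"
    local arg="$initial_command3"

    case "$action" in
        ""|help)
            cliShowSshHelp
            ;;
        status)
            # Read-only summary: user, password-login state, authorized key count.
            local pw="off"; hostSshPasswordAuthEnabled && pw="on"
            echo "user=$(hostSshUser) password_login=$pw authorized_keys=$(hostSshKeyCount)"
            ;;
        key-add)
            # The argument is quoted so it reaches hostSshKeyAdd as a single word.
            [[ -z "$arg" ]] && { isNotice "Usage: ssh key-add <base64-public-key>"; cliShowSshHelp; return; }
            hostSshKeyAdd "$arg"
            ;;
        key-remove)
            # Keys are selected by fingerprint.
            [[ -z "$arg" ]] && { isNotice "Usage: ssh key-remove <fingerprint>"; cliShowSshHelp; return; }
            hostSshKeyRemove "$arg"
            ;;
        password-auth)
            # Only emptiness is checked here; the value is handed to hostSshSetPasswordAuth as-is.
            [[ -z "$arg" ]] && { isNotice "Usage: ssh password-auth <on|off>"; cliShowSshHelp; return; }
            hostSshSetPasswordAuth "$arg"
            ;;
        generate)
            # Regenerate the WebUI snapshot.
            webuiGenerateSshAccess
            ;;
        *)
            isNotice "Unknown ssh action: $action"
            cliShowSshHelp
            ;;
    esac
}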
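
The lockout guard described in the commit message (no password disable without a key, no removal of the last key while passwords are off, validate before reload with a backup) can be sketched as follows. This is an added example, not LibrePortal's scripts/ssh/host_access.sh; every function name is hypothetical, and the validator is passed in as a command so that a real host could supply `sshd -t -f`.

```bash
# Added illustration; not LibrePortal's scripts/ssh/host_access.sh.
# All function names here are hypothetical.

# Count real entries (not blank lines, not comments) in an authorized_keys file.
guard_key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true   # grep -c exits 1 on a zero count
}

# Rule 1: never turn password login off when no key is authorized.
guard_password_auth() {
    local want="$1" keys_file="$2"
    case "$want" in
        on) return 0 ;;
        off)
            if [ "$(guard_key_count "$keys_file")" -eq 0 ]; then
                echo "refused: no authorized key; password login is the only way in" >&2
                return 1
            fi ;;
        *) echo "refused: expected on|off, got '$want'" >&2; return 2 ;;
    esac
}

# Rule 2: never remove the last key while password login is off.
guard_key_remove() {
    local password_auth="$1" keys_file="$2"
    if [ "$password_auth" = off ] && [ "$(guard_key_count "$keys_file")" -le 1 ]; then
        echo "refused: last key, and password login is off" >&2
        return 1
    fi
}

# Rule 3: back up, write, validate, and roll back if validation fails.
# Arguments after the first two are the validator command, which receives the
# config path as its last argument. The caller reloads sshd only on success.
guard_apply_config() {
    local conf="$1" new_content="$2"; shift 2
    local backup="$conf.bak"
    cp -p "$conf" "$backup" || return 1
    printf '%s\n' "$new_content" > "$conf"
    "$@" "$conf" && return 0
    cp -p "$backup" "$conf"    # validation failed: restore the previous file
    return 1
}

# Constructed demo: an empty key file, so disabling passwords must be refused.
demo_keys=$(mktemp)
guard_password_auth off "$demo_keys" 2>/dev/null || echo "password-auth off: refused"
rm -f "$demo_keys"
```

Both refusals are evaluated before anything is written, so a rejected request leaves authorized_keys and the sshd configuration untouched.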