Merge pull request andreapollastri#28 from andreapollastri/develop

SSH root key access (thank you to Lewis Smallwood)

.env.example

@@ -17,7 +17,8 @@ USER_NAME="Cipi Admin"
 USER_EMAIL=[email protected]
 USER_PASSWORD=12345678
 
-SSH_DEFAULT_PORT=1759
+SSH_DEFAULT_PORT=22
+ENABLE_SSH_ROOT_ACCESS=0
 
 BROADCAST_DRIVER=log
 CACHE_DRIVER=file

.gitignore

@@ -8,3 +8,5 @@ Homestead.json
 Homestead.yaml
 npm-debug.log
 yarn-error.log
+.idea/
+.idea/*

app/Http/Controllers/AliasesController.php

@@ -67,10 +67,18 @@ public function create(Request $request)
 
         $aliascode = md5(uniqid().microtime().$request->name);
 
-        $ssh = New \phpseclib\Net\SSH2($server->ip, $server->port);
-        if(!$ssh->login($server->username, $server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($server->ip, $server->port);
+        $key = new \phpseclib\Crypt\RSA();
+
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($server->username, $server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
         }
 
         Storage::disk('local')->put('public/'.$application->username.'.conf', '');
@@ -146,10 +154,18 @@ public function delete(Request $request)
 
         $alias->delete();
 
-        $ssh = New \phpseclib\Net\SSH2($alias->server->ip, $alias->server->port);
-        if(!$ssh->login($alias->server->username, $alias->server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($alias->server->ip, $alias->server->port);
+        $key = new \phpseclib\Crypt\RSA();
+
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($alias->server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($alias->server->username, $alias->server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
         }
 
         Storage::disk('local')->put('public/'.$alias->application->username.'.conf', '');

app/Http/Controllers/ApisController.php

@@ -115,13 +115,20 @@ public function sslapplication($applicationcode)
         }
 
 
-        $ssh = New \phpseclib\Net\SSH2($application->server->ip, $application->server->port);
-        if(!$ssh->login($application->server->username, $application->server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($application->server->ip, $application->server->port);
+        $key = new \phpseclib\Crypt\RSA();
+
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($application->server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($application->server->username, $application->server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
         }
 
-
         $ssh->setTimeout(60);
         $response = $ssh->exec('echo '.$application->server->password.' | sudo -S sudo sh /cipi/ssl.sh -d '.$application->domain);
 
@@ -152,12 +159,19 @@ public function sslalias($aliascode)
             return abort(403);
         }
 
-        $ssh = New \phpseclib\Net\SSH2($alias->server->ip, $alias->server->port);
-        if(!$ssh->login($alias->server->username, $alias->server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
-        }
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($alias->server->ip, $alias->server->port);
+        $key = new \phpseclib\Crypt\RSA();
 
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($alias->server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($alias->server->username, $alias->server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
+        }
         $ssh->setTimeout(60);
         $response = $ssh->exec('echo '.$alias->server->password.' | sudo -S sudo sh /cipi/ssl.sh -d '.$alias->domain);
 

app/Http/Controllers/ApplicationsController.php

@@ -71,10 +71,18 @@ public function create(Request $request)
         $appcode= md5(uniqid().microtime().$request->name);
 
 
-        $ssh = New \phpseclib\Net\SSH2($server->ip, $server->port);
-        if(!$ssh->login($server->username, $server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($server->ip, $server->port);
+        $key = new \phpseclib\Crypt\RSA();
+
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($server->username, $server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
         }
 
 
@@ -145,10 +153,18 @@ public function delete(Request $request)
 
         $application->delete();
 
-        $ssh = New \phpseclib\Net\SSH2($application->server->ip, $application->server->port);
-        if(!$ssh->login($application->server->username, $application->server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($application->server->ip, $application->server->port);
+        $key = new \phpseclib\Crypt\RSA();
+
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($application->server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($application->server->username, $application->server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
         }
 
         $ssh->setTimeout(60);

app/Http/Controllers/ScriptsController.php

@@ -38,7 +38,8 @@ public function install($servercode)
             $server->password,
             $server->dbroot,
             $server->servercode,
-            $this->url->to('/')
+            $this->url->to('/'),
+            env("ENABLE_SSH_ROOT_ACCESS", 0)
         ], $script);
 
         return response($script)->withHeaders(['Content-Type' =>'application/x-sh']);
@@ -167,6 +168,22 @@ public function status($servercode)
         return response($script)->withHeaders(['Content-Type' =>'application/x-sh']);
 
     }
+
+
+	public function authorizedkeys($servercode)
+    {
+
+        $server = Server::where([['servercode', $servercode]])->where([['complete', 1]])->get()->first();
+
+        if(!$server) {
+            return response("")->withHeaders(['Content-Type' =>'text/plain']);
+        }
+
+        $script = Storage::get('configuration/authorized_keys');
+
+        return response($script)->withHeaders(['Content-Type' =>'text/plain']);
+
+    }
 
 
 

app/Http/Controllers/UsersController.php

@@ -44,11 +44,18 @@ public function reset(Request $request)
             return redirect()->route('users');
         }
 
-
-        $ssh = New \phpseclib\Net\SSH2($application->server->ip, $application->server->port);
-        if(!$ssh->login($application->server->username, $application->server->password)) {
-            $messagge = 'There was a problem with server connection. Try later!';
-            return view('generic', compact('profile','messagge'));
+        // Attempt to login with SSH key.
+        $ssh = new \phpseclib\Net\SSH2($application->server->ip, $application->server->port);
+        $key = new \phpseclib\Crypt\RSA();
+
+        $key->loadKey(file_get_contents('/cipi/id_rsa'));
+
+        if (!$ssh->login($application->server->username, $key)) {
+            // If login failed, default back to password.
+            if (!$ssh->login($application->server->username, $application->server->password)) {
+                $messagge = 'There was a problem with server connection. Try later!';
+                return view('generic', compact('profile','messagge'));
+            }
         }
 
         $pass   = str_random(16);

go.sh

@@ -174,6 +174,11 @@ echo "Application installation: OK!"
 sleep 3s
 echo -e "\n"
 
+# SETUP SSH KEYLESS ACCESS INTO CHILD SERVERS
+cat /dev/zero | ssh-keygen -q -N "" > /dev/null
+AUTHORIZEDKEY=$(cat ~/.ssh/id_rsa.pub)
+sudo rpl -i -w "# CIPI-CONTROL-PANEL-PUBLIC-KEY" "$AUTHORIZEDKEY" /cipi/storage/app/configuration/authorized_keys
+sudo cp ~/.ssh/id_rsa /cipi/id_rsa
 
 #FINAL MESSAGGE
 clear

routes/web.php

@@ -40,6 +40,7 @@
 Route::post('/servers/delete/','ServersController@delete')->name('serverdelete');
 
 Route::get('/scripts/install/{servercode}','ScriptsController@install')->name('serverinstall');
+Route::get('/scripts/authorizedkeys/{servercode}','ScriptsController@authorizedkeys');
 Route::get('/scripts/hostadd/{servercode}','ScriptsController@hostadd');
 Route::get('/scripts/hostdel/{servercode}','ScriptsController@hostdel');
 Route::get('/scripts/hostssl/{servercode}','ScriptsController@hostssl');
@@ -53,8 +54,6 @@
 Route::get('/users','UsersController@index')->name('users');
 Route::post('/users/reset/','UsersController@reset')->name('usersreset');
 
-Route::get('/backups','BackupsController@index')->name('backups');
-
 Route::get('/applications','ApplicationsController@index')->name('applications');
 Route::post('/applications','ApplicationsController@create')->name('applicationcreate');
 Route::post('/applicationdelete','ApplicationsController@delete')->name('applicationdelete');

storage/app/configuration/authorized_keys

@@ -0,0 +1,12 @@
+# This is the authorized_keys file. It provides passwordless access to the system from other hosts via SSH.
+# The host running the Cipi control panel has a private key on it. By putting the public key for the server below,
+# this allows the Cipi control panel to have passwordless control over the root account via SSH on the system using the
+# public and private keypair.
+# 
+# DO NOT MODIFY THIS FILE OR THE /etc/ssh/sshd_config FILE UNLESS YOU KNOW WHAT YOU ARE DOING
+# OR YOU MAY LOSE ACCESS TO THIS SERVER FROM THE CIPI CONTROL PANEL.
+#
+# The control panel access key
+# CIPI-CONTROL-PANEL-PUBLIC-KEY
+#
+# ADD YOUR HOSTS BELOW