From fc7eff94b643fd2bf57133bd0335330432d75371 Mon Sep 17 00:00:00 2001
From: Jason Parks <jpraprks@gmail.com>
Date: Sat, 22 Mar 2025 14:26:40 -0600
Subject: [PATCH] fix: Security Audit SSH Errors #1377

- Fixed SSH key authentication detection in server-audit.ts
- Added proper handling for prohibit-password and other secure root login options
- Fixed typos in security audit UI labels
- Improved error handling with optional chaining
---
 .../settings/servers/security-audit.tsx       | 65 ++++++++++++-------
 packages/server/src/setup/server-audit.ts     | 51 +++++++++++++--
 2 files changed, 86 insertions(+), 30 deletions(-)

diff --git a/apps/dokploy/components/dashboard/settings/servers/security-audit.tsx b/apps/dokploy/components/dashboard/settings/servers/security-audit.tsx
index 8cce306a5..bf1f74c36 100644
--- a/apps/dokploy/components/dashboard/settings/servers/security-audit.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/security-audit.tsx
@@ -26,6 +26,16 @@ export const SecurityAudit = ({ serverId }: Props) => {
 			},
 		);
 	const _utils = api.useUtils();
+	
+	// Helper function to check if root login is securely configured
+	const isRootLoginSecure = () => {
+		if (!data?.ssh?.permitRootLogin) return false;
+		
+		// These are secure options for PermitRootLogin
+		const secureOptions = ['no', 'prohibit-password', 'without-password', 'forced-commands-only'];
+		return secureOptions.includes(data.ssh.permitRootLogin);
+	};
+	
 	return (
 		<CardContent className="p-0">
 			<div className="flex flex-col gap-4">
@@ -36,10 +46,10 @@ export const SecurityAudit = ({ serverId }: Props) => {
 								<div className="flex items-center gap-2">
 									<LockKeyhole className="size-5" />
 									<CardTitle className="text-xl">
-										Setup Security Sugestions
+										Setup Security Suggestions
 									</CardTitle>
 								</div>
-								<CardDescription>Check the security sugestions</CardDescription>
+								<CardDescription>Check the security suggestions</CardDescription>
 							</div>
 							<Button
 								isLoading={isRefreshing}
@@ -120,36 +130,45 @@ export const SecurityAudit = ({ serverId }: Props) => {
 									<div className="grid gap-2.5">
 										<StatusRow
 											label="Enabled"
-											isEnabled={data?.ssh.enabled}
+											isEnabled={data?.ssh?.enabled}
 											description={
-												data?.ssh.enabled
+												data?.ssh?.enabled
 													? "Enabled"
 													: "Not Enabled (SSH should be enabled)"
 											}
 										/>
 										<StatusRow
 											label="Key Auth"
-											isEnabled={data?.ssh.keyAuth}
+											isEnabled={data?.ssh?.keyAuth}
 											description={
-												data?.ssh.keyAuth
+												data?.ssh?.keyAuth
 													? "Enabled (Recommended)"
 													: "Not Enabled (Key Authentication should be enabled)"
 											}
 										/>
 										<StatusRow
 											label="Password Auth"
-											isEnabled={data?.ssh.passwordAuth === "no"}
+											isEnabled={data?.ssh?.passwordAuth === "no"}
 											description={
-												data?.ssh.passwordAuth === "no"
+												data?.ssh?.passwordAuth === "no"
 													? "Disabled (Recommended)"
 													: "Enabled (Password Authentication should be disabled)"
 											}
 										/>
 										<StatusRow
-											label="Use PAM"
-											isEnabled={data?.ssh.usePam === "no"}
+											label="Root Login"
+											isEnabled={isRootLoginSecure()}
 											description={
-												data?.ssh.usePam === "no"
+												isRootLoginSecure()
+													? `${data?.ssh?.permitRootLogin} (Secure)`
+													: `${data?.ssh?.permitRootLogin || "yes"} (Should be set to 'prohibit-password' or 'no')`
+											}
+										/>
+										<StatusRow
+											label="Use PAM"
+											isEnabled={data?.ssh?.usePam === "no"}
+											description={
+												data?.ssh?.usePam === "no"
 													? "Disabled (Recommended for key-based auth)"
 													: "Enabled (Should be disabled when using key-based auth)"
 											}
@@ -166,9 +185,9 @@ export const SecurityAudit = ({ serverId }: Props) => {
 									<div className="grid gap-2.5">
 										<StatusRow
 											label="Installed"
-											isEnabled={data?.fail2ban.installed}
+											isEnabled={data?.fail2ban?.installed}
 											description={
-												data?.fail2ban.installed
+												data?.fail2ban?.installed
 													? "Installed (Recommended)"
 													: "Not Installed (Fail2Ban should be installed for protection against brute force attacks)"
 											}
@@ -176,18 +195,18 @@ export const SecurityAudit = ({ serverId }: Props) => {
 
 										<StatusRow
 											label="Enabled"
-											isEnabled={data?.fail2ban.enabled}
+											isEnabled={data?.fail2ban?.enabled}
 											description={
-												data?.fail2ban.enabled
+												data?.fail2ban?.enabled
 													? "Enabled (Recommended)"
 													: "Not Enabled (Fail2Ban service should be enabled)"
 											}
 										/>
 										<StatusRow
 											label="Active"
-											isEnabled={data?.fail2ban.active}
+											isEnabled={data?.fail2ban?.active}
 											description={
-												data?.fail2ban.active
+												data?.fail2ban?.active
 													? "Active (Recommended)"
 													: "Not Active (Fail2Ban service should be running)"
 											}
@@ -195,9 +214,9 @@ export const SecurityAudit = ({ serverId }: Props) => {
 
 										<StatusRow
 											label="SSH Protection"
-											isEnabled={data?.fail2ban.sshEnabled === "true"}
+											isEnabled={data?.fail2ban?.sshEnabled === "true"}
 											description={
-												data?.fail2ban.sshEnabled === "true"
+												data?.fail2ban?.sshEnabled === "true"
 													? "Enabled (Recommended)"
 													: "Not Enabled (SSH protection should be enabled to prevent brute force attacks)"
 											}
@@ -205,11 +224,11 @@ export const SecurityAudit = ({ serverId }: Props) => {
 
 										<StatusRow
 											label="SSH Mode"
-											isEnabled={data?.fail2ban.sshMode === "aggressive"}
+											isEnabled={data?.fail2ban?.sshMode === "aggressive"}
 											description={
-												data?.fail2ban.sshMode === "aggressive"
+												data?.fail2ban?.sshMode === "aggressive"
 													? "Aggressive Mode (Recommended)"
-													: `Mode: ${data?.fail2ban.sshMode || "Not Set"} (Aggressive mode recommended for better protection)`
+													: `Mode: ${data?.fail2ban?.sshMode || "Not Set"} (Aggressive mode recommended for better protection)`
 											}
 										/>
 									</div>
@@ -221,4 +240,4 @@ export const SecurityAudit = ({ serverId }: Props) => {
 			</div>
 		</CardContent>
 	);
-};
+};
\ No newline at end of file
diff --git a/packages/server/src/setup/server-audit.ts b/packages/server/src/setup/server-audit.ts
index b9283c313..fed65c129 100644
--- a/packages/server/src/setup/server-audit.ts
+++ b/packages/server/src/setup/server-audit.ts
@@ -14,13 +14,50 @@ const validateUfw = () => `
 `;
 
 const validateSsh = () => `
-  if systemctl is-active --quiet sshd; then
+  if systemctl is-active --quiet sshd || systemctl is-active --quiet ssh; then
     isEnabled=true
-    hasKeyAuth=$(find "$HOME/.ssh" -type f -name "authorized_keys" 2>/dev/null | grep -q . && echo true || echo false)
-    permitRootLogin=$(sudo sshd -T | grep -i "^PermitRootLogin" | awk '{print $2}')
-    passwordAuth=$(sudo sshd -T | grep -i "^PasswordAuthentication" | awk '{print $2}')
-    usePam=$(sudo sshd -T | grep -i "^UsePAM" | awk '{print $2}')
-    echo "{\\"enabled\\": $isEnabled, \\"keyAuth\\": $hasKeyAuth, \\"permitRootLogin\\": \\"$permitRootLogin\\", \\"passwordAuth\\": \\"$passwordAuth\\", \\"usePam\\": \\"$usePam\\"}"
+    
+    # Get the sshd config file path
+    sshd_config=$(sudo sshd -T 2>/dev/null | grep -i "^configfile" | awk '{print $2}')
+    
+    # If we couldn't get the path, use the default
+    if [ -z "$sshd_config" ]; then
+      sshd_config="/etc/ssh/sshd_config"
+    fi
+    
+    # Check for key authentication
+    # SSH key auth is enabled by default unless explicitly disabled
+    pubkey_line=$(sudo grep -i "^PubkeyAuthentication" "$sshd_config" 2>/dev/null | grep -v "#")
+    if [ -z "$pubkey_line" ] || echo "$pubkey_line" | grep -q -i "yes"; then
+      keyAuth=true
+    else
+      keyAuth=false
+    fi
+    
+    # Get the exact PermitRootLogin value from config
+    # This preserves values like "prohibit-password" without normalization
+    permitRootLogin=$(sudo grep -i "^PermitRootLogin" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
+    if [ -z "$permitRootLogin" ]; then
+      # Default is prohibit-password in newer versions
+      permitRootLogin="prohibit-password"
+    fi
+    
+    # Get the exact PasswordAuthentication value from config
+    passwordAuth=$(sudo grep -i "^PasswordAuthentication" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
+    if [ -z "$passwordAuth" ]; then
+      # Default is yes
+      passwordAuth="yes"
+    fi
+    
+    # Get the exact UsePAM value from config
+    usePam=$(sudo grep -i "^UsePAM" "$sshd_config" 2>/dev/null | grep -v "#" | awk '{print $2}')
+    if [ -z "$usePam" ]; then
+      # Default is yes in most distros
+      usePam="yes"
+    fi
+    
+    # Return the results with exact values from config file
+    echo "{\\"enabled\\": $isEnabled, \\"keyAuth\\": $keyAuth, \\"permitRootLogin\\": \\"$permitRootLogin\\", \\"passwordAuth\\": \\"$passwordAuth\\", \\"usePam\\": \\"$usePam\\"}"
   else
     echo "{\\"enabled\\": false, \\"keyAuth\\": false, \\"permitRootLogin\\": \\"unknown\\", \\"passwordAuth\\": \\"unknown\\", \\"usePam\\": \\"unknown\\"}"
   fi
@@ -111,4 +148,4 @@ export const serverAudit = async (serverId: string) => {
 				privateKey: server.sshKey?.privateKey,
 			});
 	});
-};
+};
\ No newline at end of file