hassio-addons / addon-ssh

Advanced SSH & Web Terminal - Home Assistant Community Add-ons
https://addons.community
MIT License
348 stars 95 forks

Configurable ListenAddress configuration #769

Closed xeor closed 1 month ago

xeor commented 3 months ago

Problem/Motivation

This addon is an "advanced" addon for ssh access and I think many advanced users have separated their home-assistant instance into two vlans. One for IOT and one where they can administer the web-interface. This is fairly simple to do using the ha command ha network vlan enp...., and configuring the http.server_host config to make it listen on only one of the interfaces.

It would be very useful to be able to do this with this addon as well since it is a very powerful entrance to the home-assistant server.

Others have been requesting this before as well, example in https://github.com/hassio-addons/addon-ssh/issues/664

Expected behavior

Being able to limit the interface ssh listens on using sshd ListenAddress directive from the addons configuration page.

Actual behavior

Not being able to configure this.

Proposed changes

Adding it as a configuration parameter, leaving it default to 0.0.0.0.

Alternatives

Since ListenAddress can be added multiple times in sshd_config, it might add too much complexity to add it as a "simple" parameter. An alternative would be to add a text box (multiline) configuration for "additional sshd configuration". Maybe one for pre and one for post..? Anything that makes ListenAddress possible would be a very nice addition.
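As an added example (not code from the add-on or from anyone in this thread), here is how an option holding one or more listen addresses could be turned into the `ListenAddress` lines of an sshd_config. It assumes a hypothetical list-valued option (called `listen_addresses` here) whose entries are `address` or `address:port` strings, defaults to `0.0.0.0` when the list is empty as the issue proposes, rejects anything that is not a literal IP address so a typo cannot silently widen the bind, and offers a check that tells you whether the resulting config still binds every interface:

```python
"""Render sshd_config ListenAddress lines from an add-on option.

Added example, not the add-on's own code. Assumes a hypothetical option
`listen_addresses` containing entries such as "10.0.1.5", "10.0.1.5:2222",
"fd00::1" or "[fd00::1]:2222". sshd accepts several ListenAddress lines, so
each entry becomes one line.
"""
import ipaddress
from typing import List, Optional, Tuple

# Addresses that make sshd bind every interface, which is exactly what a
# management-VLAN-only setup wants to avoid.
_WILDCARDS = {"0.0.0.0", "::"}


def parse_listen_address(entry: str) -> Tuple[str, Optional[int]]:
    """Split an entry into (address, port); port is None when absent.

    Raises ValueError for a non-literal host or an out-of-range port so the
    caller fails loudly instead of falling back to a wider bind.
    """
    entry = entry.strip()
    host, port = entry, None
    if entry.startswith("["):
        # Bracketed IPv6, optionally followed by ":port".
        close = entry.index("]")
        host = entry[1:close]
        rest = entry[close + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"malformed entry: {entry!r}")
            port = int(rest[1:])
    elif entry.count(":") == 1:
        # IPv4 with port (a bare IPv6 literal always has at least two colons).
        host, port_str = entry.split(":")
        port = int(port_str)
    ipaddress.ip_address(host)  # ValueError unless host is a literal IP
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {entry!r}")
    return host, port


def render_listen_addresses(entries: List[str]) -> str:
    """Return the ListenAddress block; empty input means the 0.0.0.0 default."""
    if not entries:
        return "ListenAddress 0.0.0.0\n"
    lines = []
    for entry in entries:
        host, port = parse_listen_address(entry)
        if port is None:
            lines.append(f"ListenAddress {host}")
        elif ":" in host:
            # sshd_config syntax for IPv6 with an explicit port.
            lines.append(f"ListenAddress [{host}]:{port}")
        else:
            lines.append(f"ListenAddress {host}:{port}")
    return "\n".join(lines) + "\n"


def binds_all_interfaces(entries: List[str]) -> bool:
    """True if the config (or the default) would still listen on every interface."""
    if not entries:
        return True
    return any(parse_listen_address(e)[0] in _WILDCARDS for e in entries)


if __name__ == "__main__":
    # Constructed sample: management-VLAN address only, custom port.
    sample = ["10.0.1.5:2222"]
    print(render_listen_addresses(sample), end="")
    print("binds all interfaces:", binds_all_interfaces(sample))
```

The rendered block would be appended to the sshd_config the add-on generates; running `sshd -t` against the result before starting the daemon is the usual way to catch an address that sshd itself refuses to bind.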

zeus86 commented 2 months ago

I totally second this.
I really don't know how one can state that this would be a niche requirement (comment in #664). Segmenting your network, locking down inherently insecure IoT devices and in consequence moving the other services over to your management-/main-/lan-network should be a number one priority before even thinking about playing around with IoT-stuff. Any network-/linux-admin will tell you that this is a necessity, not a corner case. There is absolutely no reason whatsoever to expose ssh to the network in which there are only insecure IoT devices around, especially when the homeassistant instance is the one single point where you might be able to escape a purposefully locked down IoT network...via ssh. The same is valid for other services, too, like the Webinterface itself up to a certain point...

tl;dr: please make this configurable, this is not a corner case, but security best-practice, especially when dealing with IoT-stuff, and furthermore because it is comparatively easy to implement (you can configure this in the sshd-service, via iptables or - depending how it is set up - in docker)...

github-actions[bot] commented 1 month ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

xeor commented 1 month ago

Still an issue that should be looked at. I might do a PR on this. Might need to support a single ListenAddress though.

frenck commented 1 month ago

Still an issue that should be looked at.

It isn't an issue, but a feature request. I have no intention to add support for this edge case.

../Frenck

xeor commented 1 month ago

@frenck even though we made a PR for it? It's not really an edge case since there are many people who have multiple IPs reaching hass. Especially now that it is fully supported in haos.

Please reconsider adding this. Would be a really helpful option.

If not, would you consider an opensshd_extra config for arbitrary sshd configs?