✨ The terminal tool supports password login #1052

Author: WMC001

backend/database/tool_db.py

@@ -164,7 +164,9 @@ def add_tool_field(tool_info):
         # add tool params
         tool_params = tool.params
         for ele in tool_params:
-            ele["default"] = tool_info["params"][ele["name"]]
+            param_name = ele["name"]
+            param_value = tool_info["params"].get(param_name)
+            ele["default"] = param_value
 
         tool_dict = as_dict(tool)
         tool_dict["params"] = tool_params

docker/deploy.sh

@@ -127,127 +127,6 @@ generate_supabase_keys() {
   fi
 }
 
-generate_ssh_keys() {
-  # Function to generate SSH key pair for Terminal tool
-  
-  if [ "$ENABLE_TERMINAL_TOOL" = "true" ]; then
-      # Create ssh-keys directory
-      create_dir_with_permission "$ROOT_DIR/openssh-server/ssh-keys" 700
-      create_dir_with_permission "$ROOT_DIR/openssh-server/config" 755
-
-      # Check if SSH keys already exist
-      if [ -f "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key" ] && [ -f "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub" ]; then
-          echo "🚧 SSH key pair already exists, skipping generation..."
-          echo "🔑 Private key: $ROOT_DIR/openssh-server/ssh-keys/openssh_server_key"
-          echo "🗝️  Public key: $ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub"
-
-          # Ensure authorized_keys is set up correctly with ONLY our public key
-          cp "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub" "$ROOT_DIR/openssh-server/config/authorized_keys"
-          chmod 644 "$ROOT_DIR/openssh-server/config/authorized_keys"
-
-          # Set SSH key path in environment
-          SSH_PRIVATE_KEY_PATH="$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key"
-          export SSH_PRIVATE_KEY_PATH
-
-          # Add to .env file
-          update_env_var "SSH_PRIVATE_KEY_PATH" "$SSH_PRIVATE_KEY_PATH"
-
-          echo ""
-          echo "--------------------------------"
-          echo ""
-          return 0
-      fi
-
-      echo "🔑 Generating SSH key pair for Terminal tool..."
-
-      # Generate SSH key pair using Docker (cross-platform compatible)
-      echo "   🔐 Using Docker to generate SSH key pair..."
-
-      # Create temporary file to capture output
-      TEMP_OUTPUT="/tmp/ssh_keygen_output_$$.txt"
-
-      # Generate ed25519 key pair using the openssh-server container
-      if docker run --rm -i "$OPENSSH_SERVER_IMAGE" bash -c "ssh-keygen -t ed25519 -f /tmp/id_ed25519 -N '' && cat /tmp/id_ed25519 && echo '---' && cat /tmp/id_ed25519.pub" > "$TEMP_OUTPUT" 2>&1; then
-          echo "   🔍 SSH key generation completed, extracting keys..."
-
-          # Extract private key (everything between -----BEGIN and -----END)
-          PRIVATE_KEY=$(sed -n '/-----BEGIN OPENSSH PRIVATE KEY-----/,/-----END OPENSSH PRIVATE KEY-----/p' "$TEMP_OUTPUT")
-
-          # Extract public key (line that starts with ssh-)
-          PUBLIC_KEY=$(grep "^ssh-" "$TEMP_OUTPUT" | head -1)
-
-          # Remove leading/trailing whitespace
-          PRIVATE_KEY=$(echo "$PRIVATE_KEY" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
-          PUBLIC_KEY=$(echo "$PUBLIC_KEY" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
-
-          # Validate extracted keys
-          if [ -z "$PRIVATE_KEY" ]; then
-              echo "   ❌ Failed to extract private key"
-              ERROR_OCCURRED=1
-              return 1
-          fi
-
-          if [ -z "$PUBLIC_KEY" ]; then
-              echo "   ❌ Failed to extract public key"
-              ERROR_OCCURRED=1
-              return 1
-          fi
-
-          echo "   ✅ SSH keys extracted successfully"
-
-          if [ -n "$PRIVATE_KEY" ] && [ -n "$PUBLIC_KEY" ]; then
-              # Save private key
-              echo "$PRIVATE_KEY" > "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key"
-              chmod 600 "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key"
-
-              # Save public key
-              echo "$PUBLIC_KEY" > "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub"
-              chmod 644 "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub"
-
-              # Copy public key to authorized_keys with correct permissions (ensure ONLY our key)
-              cp "$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub" "$ROOT_DIR/openssh-server/config/authorized_keys"
-              chmod 644 "$ROOT_DIR/openssh-server/config/authorized_keys"
-
-              # Set SSH key path in environment
-              SSH_PRIVATE_KEY_PATH="$ROOT_DIR/openssh-server/ssh-keys/openssh_server_key"
-              export SSH_PRIVATE_KEY_PATH
-
-              # Add to .env file
-              update_env_var "SSH_PRIVATE_KEY_PATH" "$SSH_PRIVATE_KEY_PATH"
-
-              # Fix SSH host key permissions (must be 600)
-              find "$ROOT_DIR/openssh-server/config" -name "*_key" -type f -exec chmod 600 {} \; 2>/dev/null || true
-
-              echo "   ✅ SSH key pair generated successfully!"
-              echo "      🔑 Private key: $ROOT_DIR/openssh-server/ssh-keys/openssh_server_key"
-              echo "      🗝️  Public key: $ROOT_DIR/openssh-server/ssh-keys/openssh_server_key.pub"
-              echo "      ⚙️  SSH config: $ROOT_DIR/openssh-server/config/sshd_config (60min session timeout)"
-          else
-              echo "   ❌ ERROR Failed to extract SSH keys from Docker output"
-              echo "   📋 Full output saved to: $TEMP_OUTPUT for debugging"
-              ERROR_OCCURRED=1
-              return 1
-          fi
-      else
-          echo "   ❌ ERROR Docker key generation command failed"
-          if [ -f "$TEMP_OUTPUT" ]; then
-              echo "📋 Error output:"
-              cat "$TEMP_OUTPUT"
-          fi
-          ERROR_OCCURRED=1
-          return 1
-      fi
-
-      # Clean up temp file (only if successful)
-      if [ "$ERROR_OCCURRED" -eq 0 ]; then
-          rm -f "$TEMP_OUTPUT"
-      fi
-
-      echo ""
-      echo "--------------------------------"
-      echo ""
-  fi
-}
 
 generate_elasticsearch_api_key() {
   # Function to generate Elasticsearch API key
@@ -534,7 +413,7 @@ deploy_infrastructure() {
       fi
 
       # Start Supabase services
-      if ! ${docker_compose_command} -p nexent -f "docker-compose-supabase${COMPOSE_FILE_SUFFIX}" up -d; then
+      if ! $docker_compose_command -p nexent -f "docker-compose-supabase${COMPOSE_FILE_SUFFIX}" up -d; then
           echo "   ❌ ERROR Failed to start supabase services"
           ERROR_OCCURRED=1
           return 1
@@ -653,6 +532,7 @@ select_terminal_tool() {
         export COMPOSE_PROFILES="${COMPOSE_PROFILES:+$COMPOSE_PROFILES,}terminal"
         echo "✅ Terminal tool enabled 🔧"
         echo "   🔧 Deploying an openssh-server container for secure command execution"
+        update_env_var "ENABLE_TERMINAL_TOOL" "true"
 
         # Ask user to specify directory mapping
         default_terminal_dir="/opt/terminal"
@@ -672,10 +552,66 @@ select_terminal_tool() {
         echo "   📁 Terminal mount configuration:"
         echo "      • Host: $TERMINAL_MOUNT_DIR"
         echo "      • Container: /opt/terminal"
+        echo "      • This directory will be created if it doesn't exist"
+        echo ""
+        
+        # Setup SSH credentials for Terminal tool
+        echo "🔐 Setting up SSH credentials for Terminal tool..."
+        
+        # Check if SSH credentials are already set
+        if [ -n "$SSH_USERNAME" ] && [ -n "$SSH_PASSWORD" ]; then
+            echo "🚧 SSH credentials already configured, skipping setup..."
+            echo "👤 Username: $SSH_USERNAME"
+            echo "🔑 Password: [HIDDEN]"
+        else
+            # Prompt for SSH credentials
+            echo "Please enter SSH credentials for Terminal tool:"
+            echo ""
+            
+            # Get SSH username
+            if [ -z "$SSH_USERNAME" ]; then
+                read -p "SSH Username (default: root): " input_username
+                SSH_USERNAME=${input_username:-root}
+            fi
+            
+            # Get SSH password
+            if [ -z "$SSH_PASSWORD" ]; then
+                echo "SSH Password (will be hidden): "
+                read -s input_password
+                echo ""
+                if [ -z "$input_password" ]; then
+                    echo "❌ SSH password cannot be empty"
+                    ERROR_OCCURRED=1
+                    return 1
+                fi
+                SSH_PASSWORD="$input_password"
+            fi
+            
+            # Validate credentials
+            if [ -z "$SSH_USERNAME" ] || [ -z "$SSH_PASSWORD" ]; then
+                echo "❌ Both username and password are required"
+                ERROR_OCCURRED=1
+                return 1
+            fi
+            
+            # Export environment variables
+            export SSH_USERNAME
+            export SSH_PASSWORD
+            
+            # Add to .env file
+            update_env_var "SSH_USERNAME" "$SSH_USERNAME"
+            update_env_var "SSH_PASSWORD" "$SSH_PASSWORD"
+            
+            echo "   ✅ SSH credentials configured successfully!"
+            echo "      👤 Username: $SSH_USERNAME"
+            echo "      🔑 Password: [HIDDEN]"
+            echo "      ⚙️  Authentication: Password-based"
+        fi
+        echo ""
     else
         export ENABLE_TERMINAL_TOOL="false"
         echo "🚫 Terminal tool disabled"
-
+        update_env_var "ENABLE_TERMINAL_TOOL" "false"
     fi
     echo ""
     echo "--------------------------------"
@@ -747,9 +683,6 @@ main_deploy() {
   prepare_directory_and_data || { echo "❌ Permission setup failed"; exit 1; }
   generate_minio_ak_sk || { echo "❌ MinIO key generation failed"; exit 1; }
 
-  if [ "$ENABLE_TERMINAL_TOOL" = "true" ]; then
-    generate_ssh_keys || { echo "❌ SSH key generation failed"; exit 1; }
-  fi
 
   # Generate Supabase secrets
   generate_supabase_keys || { echo "❌ Supabase secrets generation failed"; exit 1; }

docker/docker-compose.prod.yml

@@ -200,10 +200,10 @@ services:
     container_name: nexent-openssh-server
     hostname: nexent-openssh-server
     environment:
-      - DEV_USER=linuxserver.io
+      - DEV_USER=${SSH_USERNAME:-linuxserver.io}
+      - DEV_PASSWORD=${SSH_PASSWORD:-nexent123}
     volumes:
       - ${TERMINAL_MOUNT_DIR:-./workspace}:/opt/terminal
-      - ${ROOT_DIR}/openssh-server/config:/tmp/ssh_keys:ro  # 只读挂载SSH公钥
     networks:
       - nexent
     restart: always

docker/docker-compose.yml

@@ -214,12 +214,12 @@ services:
     container_name: nexent-openssh-server
     hostname: nexent-openssh-server
     environment:
-      - DEV_USER=linuxserver.io
+      - DEV_USER=${SSH_USERNAME:-linuxserver.io}
+      - DEV_PASSWORD=${SSH_PASSWORD:-nexent123}
     ports:
       - "2222:22"  # SSH port
     volumes:
       - ${TERMINAL_MOUNT_DIR:-./workspace}:/opt/terminal
-      - ${ROOT_DIR}/openssh-server/ssh-keys:/tmp/ssh_keys:ro
     networks:
       - nexent
     restart: always

docker/generate_env.sh

@@ -73,6 +73,25 @@ update_env_file() {
       echo "ELASTICSEARCH_API_KEY=$ELASTICSEARCH_API_KEY" >> ../.env
     fi
   fi
+
+  # Update or add SSH credentials (only if they were set)
+  if [ -n "$SSH_USERNAME" ]; then
+    if grep -q "^SSH_USERNAME=" ../.env; then
+      sed -i.bak "s~^SSH_USERNAME=.*~SSH_USERNAME=$SSH_USERNAME~" ../.env
+    else
+      echo "" >> ../.env
+      echo "# SSH Terminal Tool Credentials" >> ../.env
+      echo "SSH_USERNAME=$SSH_USERNAME" >> ../.env
+    fi
+  fi
+
+  if [ -n "$SSH_PASSWORD" ]; then
+    if grep -q "^SSH_PASSWORD=" ../.env; then
+      sed -i.bak "s~^SSH_PASSWORD=.*~SSH_PASSWORD=$SSH_PASSWORD~" ../.env
+    else
+      echo "SSH_PASSWORD=$SSH_PASSWORD" >> ../.env
+    fi
+  fi
   echo "   ✅ Generated keys updated successfully"
 
   # Force update development environment service URLs for localhost access
@@ -218,6 +237,12 @@ show_summary() {
   if [ -n "$SERVICE_ROLE_KEY" ]; then
     echo "  🔑 SERVICE_ROLE_KEY: $SERVICE_ROLE_KEY"
   fi
+  if [ -n "$SSH_USERNAME" ]; then
+    echo "  👤 SSH_USERNAME: $SSH_USERNAME"
+  fi
+  if [ -n "$SSH_PASSWORD" ]; then
+    echo "  🔑 SSH_PASSWORD: [HIDDEN]"
+  fi
   if [ -z "$ELASTICSEARCH_API_KEY" ]; then
     echo "   ⚠️  Note: To generate ELASTICSEARCH_API_KEY later, please:"
     echo "      1. Start Elasticsearch: docker-compose -p nexent up -d nexent-elasticsearch"

make/terminal/Dockerfile

@@ -19,38 +19,31 @@ RUN apt-get clean && \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean
 
-# Create development user
-ARG DEV_USER=linuxserver.io
-RUN useradd -m -s /bin/bash $DEV_USER && \
-    usermod -aG sudo $DEV_USER && \
-    echo "$DEV_USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+# Using root user - no additional user creation needed
 
-# Configure SSH - disable root login + disable password authentication
+# Configure SSH - enable root login + enable password authentication
 RUN mkdir /var/run/sshd && \
-    sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config && \
-    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
+    sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
+    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
 
 # Install Miniconda
 ARG TARGETARCH
 RUN wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-$(if [ "$TARGETARCH" = "amd64" ]; then echo "x86_64"; elif [ "$TARGETARCH" = "arm64" ]; then echo "aarch64"; else echo "$TARGETARCH"; fi).sh -O /tmp/miniconda.sh && \
     bash /tmp/miniconda.sh -b -p $CONDA_DIR && \
     rm /tmp/miniconda.sh
 
-# Set conda permissions
-RUN chown -R $DEV_USER:$DEV_USER $CONDA_DIR
+# Conda permissions - root owns everything by default
 
 # Add conda to PATH and initialize
 ENV PATH="$CONDA_DIR/bin:$PATH"
 RUN conda init
 
-# Create .ssh directory
-RUN mkdir -p /home/$DEV_USER/.ssh && \
-    chown $DEV_USER:$DEV_USER /home/$DEV_USER/.ssh && \
-    chmod 700 /home/$DEV_USER/.ssh
+# Create .ssh directory for root
+RUN mkdir -p /root/.ssh && \
+    chmod 700 /root/.ssh
 
 # Create default working directory
-RUN mkdir -p /opt/terminal && \
-    chown $DEV_USER:$DEV_USER /opt/terminal
+RUN mkdir -p /opt/terminal
 
 # Set working directory
 WORKDIR /opt