feat: check sshd config before starting the install (#313)

now that we only allow installations with root the ssh installation
method became a huge problem. we can only install if ssh access is
allowed for the root user using a ssh key.

while we work on moving ourselves out of the ssh based installation
we need to at least provide the users with valid information on how
to work around this issue.

this pr does exactly that, upon finding an "invalid" ssh config this
is what is printed on the terminal:

```
rmarasch@ec:~$ sudo ./embedded-cluster install
PermitRootLogin config is set to 'no' in /etc/ssh/sshd_config
This will prevent embedded-cluster from installing.
You can temporarily enable root login by changing the
PermitRootLogin config to 'without-password' and restarting
the sshd service. Once the installation is finished you can
restore the original configuration.
FATA[0000] ssh root access is not allowed
rmarasch@ec:~$
```

Author: ricardomaraschini

.github/workflows/pull-request.yaml

@@ -91,6 +91,7 @@ jobs:
           - TestMultiNodeInstallation
           - TestMultiNodeReset
           - TestCommandsRequireSudo
+          - TestInstallWithoutRootSSHAccess
     steps:
     - name: Checkout
       uses: actions/checkout@v4

.github/workflows/release-dev.yaml

@@ -59,6 +59,7 @@ jobs:
           - TestMultiNodeInstallation
           - TestMultiNodeReset
           - TestCommandsRequireSudo
+          - TestInstallWithoutRootSSHAccess
     steps:
       - name: Checkout
         uses: actions/checkout@v4

cmd/embedded-cluster/install.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"bufio"
 	"bytes"
 	"context"
 	"fmt"
@@ -408,6 +409,38 @@ func runOutro(c *cli.Context) error {
 	return addons.NewApplier(opts...).Outro(c.Context)
 }
 
+// validateSSHDConfig checks if we can ssh into ourselves as root using ssh
+// keys. XXX this is a workaround while we don't implement a different method
+// of installation that does not require ssh access.
+func validateSSHDConfig() error {
+	sshdcfg := "/etc/ssh/sshd_config"
+	fp, err := os.Open(sshdcfg)
+	if err != nil {
+		return fmt.Errorf("unable to read sshd_config (%s): %w", sshdcfg, err)
+	}
+	defer fp.Close()
+	scanner := bufio.NewScanner(fp)
+	var invalid bool
+	for scanner.Scan() {
+		line := scanner.Text()
+		if !strings.HasPrefix(line, "PermitRootLogin") {
+			continue
+		}
+		invalid = strings.HasSuffix(line, "no")
+		break
+	}
+	if !invalid {
+		return nil
+	}
+	fmt.Printf("PermitRootLogin config is set to 'no' in %s\n", sshdcfg)
+	fmt.Printf("This will prevent %s from installing.\n", defaults.BinaryName())
+	fmt.Printf("You can temporarily enable root login by changing the\n")
+	fmt.Printf("PermitRootLogin config to 'without-password' and restarting\n")
+	fmt.Printf("the sshd service. Once the installation is finished you can\n")
+	fmt.Printf("restore the original configuration.\n")
+	return fmt.Errorf("ssh root access is not allowed")
+}
+
 // installCommands executes the "install" command. This will ensure that a
 // k0sctl.yaml file exists and then run `k0sctl apply` to apply the cluster.
 // Once this is finished then a "kubeconfig" file is created.
@@ -455,6 +488,10 @@ var installCommand = &cli.Command{
 			metrics.ReportApplyFinished(c, fmt.Errorf("wrong upgrade on decentralized install"))
 			return fmt.Errorf("decentralized install detected")
 		}
+		if err := validateSSHDConfig(); err != nil {
+			metrics.ReportApplyFinished(c, err)
+			return err
+		}
 		logrus.Infof("Materializing binaries")
 		if err := goods.Materialize(); err != nil {
 			err := fmt.Errorf("unable to materialize binaries: %w", err)

e2e/install_test.go

@@ -368,3 +368,32 @@ func runPuppeteerAppStatusCheck(t *testing.T, node int, tc *cluster.Output) {
 		t.Fatalf("cluster or app not ready: %s", stdout)
 	}
 }
+
+func TestInstallWithoutRootSSHAccess(t *testing.T) {
+	t.Parallel()
+	tc := cluster.NewTestCluster(&cluster.Input{
+		T:                   t,
+		Nodes:               1,
+		Image:               "ubuntu/jammy",
+		SSHPublicKey:        "../output/tmp/id_rsa.pub",
+		SSHPrivateKey:       "../output/tmp/id_rsa",
+		EmbeddedClusterPath: "../output/bin/embedded-cluster",
+	})
+	defer tc.Destroy()
+	t.Log("installing ssh on node 0")
+	commands := [][]string{
+		{"apt-get", "update", "-y"},
+		{"apt-get", "install", "openssh-server", "-y"},
+	}
+	if err := RunCommandsOnNode(t, tc, 0, commands); err != nil {
+		t.Fatalf("fail to install ssh on node %s: %v", tc.Nodes[0], err)
+	}
+	t.Log("testing installation without root access")
+	line := []string{"single-node-install-without-root.sh"}
+	if stdout, stderr, err := RunCommandOnNode(t, tc, 0, line); err != nil {
+		t.Log("install stdout:", stdout)
+		t.Log("install stderr:", stderr)
+		t.Log("failed")
+		t.Fatalf("fail to install embedded-cluster on node %s: %v", tc.Nodes[0], err)
+	}
+}

e2e/scripts/single-node-install-without-root.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euox pipefail
+
+main() {
+    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+    if ! systemctl restart sshd; then
+        echo "Failed to restart sshd"
+        return 1
+    fi
+    if embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
+        cat /tmp/log
+        echo "This should never happen, able to install!"
+        exit 1
+    fi
+    if ! grep -q "You can temporarily enable root login by changing" /tmp/log ; then
+        cat /tmp/log
+        echo "Failed to find expected error message"
+        return 1
+    fi
+    sed -i '/^PermitRootLogin/c\PermitRootLogin without-password' /etc/ssh/sshd_config
+    if ! systemctl restart sshd; then
+        echo "Failed to restart sshd"
+        return 1
+    fi
+    if ! embedded-cluster install --no-prompt 2>&1 | tee /tmp/log ; then
+        cat /tmp/log
+        echo "Unable to install with root login enabled without password"
+        exit 1
+    fi
+}
+
+export EMBEDDED_CLUSTER_METRICS_BASEURL="https://staging.replicated.app"
+export KUBECONFIG=/root/.config/embedded-cluster/etc/kubeconfig
+export PATH=$PATH:/root/.config/embedded-cluster/bin
+main