* Thu Feb 27 2025 Brian Read <brianr@koozali.org> 11.0.0-60.sme

- Enhance ssh security wording to mention autoblock in remoteaccess panel  [SME: 8309]

root/usr/share/smanager/lib/SrvMngr.pm

@@ -43,7 +43,7 @@ $VERSION = eval $VERSION;
 use Exporter 'import';
 our @EXPORT_OK = qw( 
 	init_session get_mod_url theme_list
-	getNavigation ip_number is_normal_password email_simple
+	getNavigation ip_number validate_password is_normal_password email_simple
 	mac_address_or_blank mac_address ip_number_or_blank
 	lang_space get_routes_list subnet_mask get_reg_mask
 	gen_locale_date_string get_public_ip_address
@@ -788,7 +788,23 @@ sub ip_number {
     return 'OK';
 }
 
+sub validate_password {
+    my ($c, $strength, $pass) = @_;
+    use esmith::util;
+    use POSIX qw(locale_h);
+    use locale;
+    my $old_locale = setlocale(LC_ALL);
+    setlocale(LC_ALL, "en_US");
+    my $reason = esmith::util::validatePassword($pass,$strength);
+    return "OK" if ($reason eq "ok");
+    setlocale(LC_ALL, $old_locale);
+    return
+          $c->l("Bad Password Choice") . ": "
+        . $c->l("The password you have chosen is not a good choice, because") . " "
+        . $c->l($reason). ".";
+} ## end sub validate_password
 
+# to deprecate : this is not anymore a way to validate our passwords
 sub is_normal_password {
 
 #  from CGI::FormMagick::Validator qw( password );

root/usr/share/smanager/lib/SrvMngr/Controller/Backup.pm

@@ -32,10 +32,10 @@ use esmith::util;
 use esmith::lockfile;
 use esmith::BlockDevices;
 use constant DEBUG => $ENV{MOJO_SMANAGER_DEBUG} || 0;
-our $cdb = esmith::ConfigDB->open   || die "Couldn't open config db";
-our $adb = esmith::AccountsDB->open || die "Couldn't open accounts db";
-our $rdb = esmith::ConfigDB->open('/etc/e-smith/restore')
-    || die "Couldn't open restore db";
+#our $cdb = esmith::ConfigDB->open   || die "Couldn't open config db"; #remove as cached gives problems
+#our $adb = esmith::AccountsDB->open || die "Couldn't open accounts db";
+#our $rdb = esmith::ConfigDB->open('/etc/e-smith/restore') || die "Couldn't open restore db";
+my ($cdb,$adb,$rdb);
 my $es_backup = new esmith::Backup or die "Couldn't create Backup object\n";
 my @directories = $es_backup->restore_list;
 @directories = grep { -e "/$_" } @directories;
@@ -52,6 +52,9 @@ sub main {
     my $c = shift;
     $c->app->log->info($c->log_req);
     my %bac_datas = ();
+	$cdb = esmith::ConfigDB->open   || die "Couldn't open config db";
+	$adb = esmith::AccountsDB->open || die "Couldn't open accounts db";
+	$rdb = esmith::ConfigDB->open('/etc/e-smith/restore');
     my $title     = $c->l('bac_BACKUP_TITLE');
     my $notif;
     $bac_datas{'function'} = 'desktop_backup';
@@ -108,6 +111,9 @@ sub do_display {
     my $rt = $c->current_route;
     my ($res, $result) = '';
     my $function = $c->param('Function');
+	$cdb = esmith::ConfigDB->open   || die "Couldn't open config db";
+	$adb = esmith::AccountsDB->open || die "Couldn't open accounts db";
+	$rdb = esmith::ConfigDB->open('/etc/e-smith/restore');
 
     if ($function =~ /^(\S+)$/) {
         $function = $1;
@@ -129,7 +135,11 @@ sub do_display {
         $c->stash(compressionlevel => $CompressionLevel, exclude => \@exclude, directories => \@directories);
 
         # streaming download in template
-        return $c->render("/backdown");
+        $c->render(template=>"backdown");
+        #sleep(30);
+        # Redirect to the front page
+		#$c->redirect_to('/backup');
+        return ""
     } ## end if ($function eq 'desktop_backup')
 
     if ($function eq 'tape_configure') {
@@ -265,6 +275,9 @@ sub do_update {
     my $c = shift;
     $c->app->log->info($c->log_req);
     my $rt       = $c->current_route;
+	$cdb = esmith::ConfigDB->open   || die "Couldn't open config db";
+	$adb = esmith::AccountsDB->open || die "Couldn't open accounts db";
+	$rdb = esmith::ConfigDB->open('/etc/e-smith/restore');
     my $function = $c->param('Function');
     DEBUG && warn("do_update $function");
     my %bac_datas = ();
@@ -2011,4 +2024,4 @@ sub vmount {
         return (qx(/bin/mount -t nfs -o nolock,timeo=30,retrans=1,retry=0 "$host:/$share" $mountdir 2>&1));
     }
 } ## end sub vmount
-1;
+1;

root/usr/share/smanager/lib/SrvMngr/Controller/Ibays.pm

@@ -13,7 +13,7 @@ use warnings;
 use Mojo::Base 'Mojolicious::Controller';
 use Locale::gettext;
 use SrvMngr::I18N;
-use SrvMngr qw( theme_list init_session is_normal_password );
+use SrvMngr qw( theme_list init_session validate_password );
 use esmith::AccountsDB;
 use esmith::ConfigDB;
 use esmith::DomainsDB;
@@ -385,31 +385,6 @@ sub check_password {
     return validate_password($c, $strength, $password);
 } ## end sub check_password
 
-sub validate_password {
-    my ($c, $strength, $pass) = @_;
-    use Crypt::Cracklib;
-    my $reason;
-
-    if ($strength eq "none") {
-        return $c->l("Passwords must be at least 7 characters long") unless (length($pass) > 6);
-        return "OK";
-    }
-    $reason = is_normal_password($c, $pass, undef);
-    return $reason unless ($reason eq "OK");
-    return "OK" unless ($strength eq "strong");
-
-    if (-f '/usr/lib64/cracklib_dict.pwd') {
-        $reason = fascist_check($pass, '/usr/lib64/cracklib_dict');
-    } else {
-        $reason = fascist_check($pass, '/usr/lib/cracklib_dict');
-    }
-    $reason ||= "Software error: password check failed";
-    return "OK" if ($reason eq "ok");
-    return
-          $c->l("Bad Password Choice") . ": "
-        . $c->l("The password you have chosen is not a good choice, because") . " "
-        . $c->($reason) . ".";
-} ## end sub validate_password
 
 =head2 group_list()
 

root/usr/share/smanager/lib/SrvMngr/Controller/Useraccounts.pm

@@ -14,7 +14,7 @@ use Mojo::Base 'Mojolicious::Controller';
 use Locale::gettext;
 use SrvMngr::I18N;
 use SrvMngr qw(theme_list init_session
-    is_normal_password email_simple);
+    validate_password email_simple);
 
 #use esmith::FormMagick qw( validate_password );
 #use CGI::FormMagick::Validator qw( call_fm_validation );
@@ -434,31 +434,6 @@ sub check_password {
     return validate_password($c, $check_type, $pass1);
 } ## end sub check_password
 
-sub validate_password {
-    my ($c, $strength, $pass) = @_;
-    use Crypt::Cracklib;
-    my $reason;
-
-    if ($strength eq "none") {
-        return $c->l("Passwords must be at least 7 characters long") unless (length($pass) > 6);
-        return "OK";
-    }
-    $reason = is_normal_password($c, $pass, undef);
-    return $reason unless ($reason eq "OK");
-    return "OK" unless ($strength eq "strong");
-
-    if (-f '/usr/lib64/cracklib_dict.pwd') {
-        $reason = fascist_check($pass, '/usr/lib64/cracklib_dict');
-    } else {
-        $reason = fascist_check($pass, '/usr/lib/cracklib_dict');
-    }
-    $reason ||= "Software error: password check failed";
-    return "OK" if ($reason eq "ok");
-    return $c->l("Bad Password Choice") . ": "
-        . $c->l("The password you have chosen is not a good choice, because") . " "
-        . $c->l($reason) . ".";
-} ## end sub validate_password
-
 sub emailForward_list {
     my $c = shift;
     return [

root/usr/share/smanager/lib/SrvMngr/Controller/Userpassword.pm

@@ -16,7 +16,7 @@ use esmith::ConfigDB;
 use esmith::AccountsDB;
 use Locale::gettext;
 use SrvMngr::I18N;
-use SrvMngr qw( theme_list init_session is_normal_password );
+use SrvMngr qw( theme_list init_session validate_password );
 #our $cdb = esmith::ConfigDB->open_ro || die "Couldn't open configuration db";
 
 sub main {
@@ -200,28 +200,4 @@ sub check_password {
     return validate_password($c, $strength, $password);
 } ## end sub check_password
 
-sub validate_password {
-    my ($c, $strength, $pass) = @_;
-    use Crypt::Cracklib;
-
-    if ($strength eq "none") {
-        return $c->l("Passwords must be at least 7 characters long") unless (length($pass) > 6);
-        return "OK";
-    }
-    my $reason = is_normal_password($c, $pass, undef);
-    return $reason unless ($reason eq "OK");
-    return "OK" unless ($strength eq "strong");
-
-    if (-f '/usr/lib64/cracklib_dict.pwd') {
-        $reason = fascist_check($pass, '/usr/lib64/cracklib_dict');
-    } else {
-        $reason = fascist_check($pass, '/usr/lib/cracklib_dict');
-    }
-    $reason ||= "Software error: password check failed";
-    return "OK" if ($reason eq "ok");
-    return
-          $c->l("Bad Password Choice") . ": "
-        . $c->l("The password you have chosen is not a good choice, because") . " "
-        . $c->($reason) . ".";
-} ## end sub validate_password
 1;

root/usr/share/smanager/lib/SrvMngr/I18N/Modules/Remoteaccess/remoteaccess_en.lex

@@ -26,7 +26,9 @@ experienced administrators
 for remote problem diagnosis and resolution. 
 We recommend leaving this
 parameter set to "No Access"
-unless you have a specific reason to do otherwise.',
+unless you have a specific reason to do otherwise.
+Note that an "Autoblock" feature is enabled by default when public access is enabled; to disable or tune this feature, refer to the manual at https://wiki.koozali.org/AutoBlock
+',
 'rma_TITLE_FTP_ACCESS' => 'FTP Settings',
 'rma_DESC_FTP_ACCESS' => 'You can also control <b>FTP</b> access to your server. We
 recommend leaving this parameter set to \'no access\' unless you
@@ -90,4 +92,4 @@ to the number 0 unless you require IPSEC client access.',
 can do so here.<br>Any old certificates will no longer
 authenticate against the server, so <b><i>all IPSEC clients will
 need to import a new certificate!</i></b>.',
-'rma_LABEL_IPSECRW_RESET' => 'Reset digital certificates',
+'rma_LABEL_IPSECRW_RESET' => 'Reset digital certificates',

root/usr/share/smanager/themes/default/templates/backdown.html.ep

@@ -16,30 +16,41 @@
     }
 
     my $clvl = $c->stash('compressionlevel');
-    my $cmd = "/bin/tar --directory / --create @{$c->stash('directories')} --file=-"
-        . "@{$c->stash('exclude')} | /usr/bin/gzip $clvl ";
+    my $cmd = "/bin/tar --create --file=- --directory / @{$c->stash('exclude')}  "
+        . "@{$c->stash('directories')} | /usr/bin/gzip $clvl ";
 
     my $success = open my $fh, '-|', $cmd;
-    unless ($success) { return "Error dowload command."; };
- 
-  # Write chunk
-  $c->res->headers->content_type('application/x-tar');
-  $c->res->headers->content_disposition(qq/attachment; filename="smeserver.tgz"/);
-
-  my $cb;
-  $cb = sub {
-    my $c = shift;
-    my $size = 500 * 1024;
-    my $length = sysread($fh, my $buffer, $size);
-    unless ($length) {
-      close $fh;
-      undef $cb;
-      $c->finish;
-      return;
-    }
-    $c->write_chunk($buffer, $cb);
-  };
-  $c->$cb;
+    #unless ($success) { return "Error download command."; };
+    if ($success) {
+		# Try with download plugin - seems to fail to complete download and also 
+		# name of file deposited is not as required.
+		#my $output = do { local $/; <$fh> };
+		#close $fh;
+		#$c->render_file(
+			#data => $output,
+			#filename => 'output.txt',
+			#content_type => 'text/plain'
+		#);
+		# So organise it ourselves.
+		$c->res->headers->content_type('application/x-tar');
+		$c->res->headers->content_disposition(qq/attachment; filename="smeserver.tgz"/);
+		my $cb;
+		$cb = sub {
+		my $c = shift;
+		my $size = 500 * 1024;
+		my $length = sysread($fh, my $buffer, $size);
+		unless ($length) {
+		  close $fh;
+		  undef $cb;
+		  $c->finish;
+		  return;
+		}
+		$c->write_chunk($buffer, $cb);
+		};
+		$c->$cb;
+	} else {
+		$c->render(text => "Failed to execute command: $!", status => 500);
+	}
 
     # Remove the dumped tables.
     $status = system("/sbin/e-smith/signal-event", "post-backup", "desktop");
@@ -53,3 +64,4 @@
     $backup_rec->set_prop('Result', "0");
 
 %>
+1;

root/usr/share/smanager/themes/default/templates/partials/_info.html.ep

@@ -1,3 +1,4 @@
+<%     use POSIX qw(strftime); %>
 <div id="info">
     <% if (! $c->session->{PwdSet} ) { %>
 	<div class="sme-error"><h5>
@@ -13,4 +14,12 @@
         Warning: Development or debug mode enabled AND public access is offered !
         </h5></div>
     <% } %>
+    <% my $curdate = strftime '%Y%m%d', localtime; %>
+    <% if ( "$curdate"  >= "20290531" ) { %>
+	<div class="sme-error"><h5>
+      URGENT NOTICE: As per May 31st 2029, SME Server 11 is obsolete, and potentially INSECURE. NO support will be offered for any issue found with this installed version.
+      Please migrate IMMEDIATELY to Koozali SME Server 12 or higher version. Failure to upgrade may lead to the compromise of this server.
+      </br>Please, consult <a href="https://wiki.koozali.org/SME_Server:Download" target="_blank">https://wiki.koozali.org/SME_Server:Download</a> to get the latest version
+     </h5></div>
+    <% } %>
 </div>

smeserver-manager.spec

@@ -2,7 +2,7 @@ Summary: Sme server  navigation module : manager 2
 %define name smeserver-manager
 Name: %{name}
 %define version 11.0.0
-%define release 56
+%define release 60
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -143,9 +143,23 @@ true
 %defattr(-,root,root)
 
 %changelog
+* Thu Feb 27 2025 Brian Read <brianr@koozali.org> 11.0.0-60.sme
+- Enhance ssh security wording to mention autoblock in remoteaccess panel  [SME: 8309]
+
+* Thu Feb 27 2025 Brian Read <brianr@koozali.org> 11.0.0-59.sme
+- Arrange for Urgent notice to be displayed if date is past Rocky 8 EOL [SME: 12918]
+
+* Tue Feb 25 2025 Brian Read <brianr@koozali.org> 11.0.0-58.sme
+- re-organise open db placement [SME: 12695]
+- Re-arrange parameters to tar to avoid warning message in logs [SME: 12943]
+
+* Fri Feb 21 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-57.sme
+- upgrade validate_password sub to use esmith::util [SME: 12937]
+  and deduplicate code
+
 * Thu Feb 20 2025 Brian Read <brianr@koozali.org> 11.0.0-56.sme
 - open db in routes for backup controller file  [SME: 12933]
-- Fix error handling for pre-backup fail [SME: 
+- Fix error handling for pre-backup fail [SME: 12934]
 
 * Tue Feb 18 2025 Brian Read <brianr@koozali.org> 11.0.0-55.sme
 - fix public ftp access not showing on panel [SME: 12927]