machineconfig 8.14__py3-none-any.whl → 8.50__py3-none-any.whl

machineconfig/scripts/python/helpers/helpers_network/ssh_debug_linux.py

@@ -0,0 +1,319 @@
+
+
+from platform import system
+from pathlib import Path
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+from rich import box
+import subprocess
+import os
+import re
+
+
+console = Console()
+
+
+def _run(cmd: list[str]) -> tuple[bool, str]:
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
+        return result.returncode == 0, result.stdout.strip()
+    except FileNotFoundError:
+        return False, ""
+
+
+def _check_sshd_installed() -> tuple[bool, str]:
+    sshd_paths = ["/usr/sbin/sshd", "/usr/bin/sshd", "/sbin/sshd"]
+    for path in sshd_paths:
+        if Path(path).exists():
+            return True, path
+    ok, which_out = _run(["which", "sshd"])
+    if ok and which_out:
+        return True, which_out
+    return False, ""
+
+
+def _detect_package_manager() -> tuple[str, str]:
+    if Path("/usr/bin/apt").exists() or Path("/usr/bin/apt-get").exists():
+        return "apt", "sudo apt update && sudo apt install -y openssh-server"
+    if Path("/usr/bin/dnf").exists():
+        return "dnf", "sudo dnf install -y openssh-server"
+    if Path("/usr/bin/yum").exists():
+        return "yum", "sudo yum install -y openssh-server"
+    if Path("/usr/bin/pacman").exists():
+        return "pacman", "sudo pacman -S --noconfirm openssh"
+    if Path("/usr/bin/zypper").exists():
+        return "zypper", "sudo zypper install -y openssh"
+    return "unknown", "# Install openssh-server using your package manager"
+
+
+def ssh_debug_linux() -> dict[str, dict[str, str | bool]]:
+    if system() != "Linux":
+        raise NotImplementedError("ssh_debug_linux is only supported on Linux")
+
+    results: dict[str, dict[str, str | bool]] = {}
+    issues: list[tuple[str, str, str]] = []
+    current_user = os.environ.get("USER", os.environ.get("USERNAME", "unknown"))
+    ssh_port = "22"
+    ip_addresses: list[str] = []
+
+    ok, hostname = _run(["hostname"])
+    hostname = hostname if ok else "unknown"
+
+    install_info: list[str] = []
+    sshd_installed, sshd_path = _check_sshd_installed()
+    _pkg_manager, install_cmd = _detect_package_manager()
+    if not sshd_installed:
+        results["installation"] = {"status": "error", "message": "OpenSSH Server not installed"}
+        issues.append(("sshd not installed", "Cannot accept incoming SSH connections", install_cmd))
+        install_info.append("❌ OpenSSH Server: [red]NOT INSTALLED[/red]")
+        install_info.append(f"   [dim]Install with: {install_cmd}[/dim]")
+    else:
+        results["installation"] = {"status": "ok", "message": f"sshd found at {sshd_path}"}
+        install_info.append(f"✅ OpenSSH Server: installed at [cyan]{sshd_path}[/cyan]")
+    console.print(Panel("\n".join(install_info), title="[bold]Installation[/bold]", border_style="blue"))
+
+    ssh_dir = Path.home().joinpath(".ssh")
+    authorized_keys = ssh_dir.joinpath("authorized_keys")
+    home_dir = Path.home()
+
+    perm_info: list[str] = []
+    home_stat = os.stat(home_dir)
+    home_perms = oct(home_stat.st_mode)[-3:]
+    if home_perms[2] in ["7", "6", "3", "2"]:
+        results["home_directory"] = {"status": "error", "message": f"Home world-writable: {home_perms}"}
+        issues.append((f"Home dir perms {home_perms}", "sshd refuses login if home is world-writable", f"chmod 755 {home_dir}"))
+        perm_info.append(f"❌ Home directory: [red]{home_perms}[/red] (world-writable)")
+        perm_info.append("   [dim]sshd will refuse key auth if home is writable by others[/dim]")
+    else:
+        perm_info.append(f"✅ Home directory: {home_perms}")
+
+    if not ssh_dir.exists():
+        results["ssh_directory"] = {"status": "error", "message": "~/.ssh missing"}
+        issues.append(("~/.ssh missing", "No place for authorized_keys", "mkdir -p ~/.ssh && chmod 700 ~/.ssh"))
+        perm_info.append("❌ ~/.ssh: [red]does not exist[/red]")
+    else:
+        ssh_perms = oct(os.stat(ssh_dir).st_mode)[-3:]
+        if ssh_perms != "700":
+            results["ssh_directory"] = {"status": "error", "message": f"~/.ssh perms {ssh_perms}"}
+            issues.append((f"~/.ssh perms {ssh_perms}", "sshd requires 700 on ~/.ssh", "chmod 700 ~/.ssh"))
+            perm_info.append(f"❌ ~/.ssh: [red]{ssh_perms}[/red] (must be 700)")
+        else:
+            perm_info.append(f"✅ ~/.ssh: {ssh_perms}")
+
+    if not authorized_keys.exists():
+        results["authorized_keys"] = {"status": "error", "message": "authorized_keys missing"}
+        issues.append(("authorized_keys missing", "No keys = no login", "Add public key: cat id_rsa.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"))
+        perm_info.append("❌ authorized_keys: [red]does not exist[/red]")
+        perm_info.append("   [dim]No authorized keys = cannot login with SSH key[/dim]")
+    else:
+        ak_perms = oct(os.stat(authorized_keys).st_mode)[-3:]
+        try:
+            keys = [line for line in authorized_keys.read_text(encoding="utf-8").split("\n") if line.strip()]
+            key_count = len(keys)
+        except Exception:
+            key_count = 0
+        if ak_perms not in ["600", "644"]:
+            results["authorized_keys"] = {"status": "error", "message": f"authorized_keys perms {ak_perms}"}
+            issues.append((f"authorized_keys perms {ak_perms}", "sshd requires 600 or 644", "chmod 600 ~/.ssh/authorized_keys"))
+            perm_info.append(f"❌ authorized_keys: [red]{ak_perms}[/red] ({key_count} key(s)) - must be 600/644")
+        else:
+            results["authorized_keys"] = {"status": "ok", "message": f"{key_count} key(s)"}
+            perm_info.append(f"✅ authorized_keys: {ak_perms} ([green]{key_count} key(s)[/green])")
+
+    console.print(Panel("\n".join(perm_info), title="[bold]Permissions[/bold]", border_style="blue"))
+
+    svc_info: list[str] = []
+    ssh_ok, _ = _run(["systemctl", "is-active", "ssh"])
+    sshd_ok, _ = _run(["systemctl", "is-active", "sshd"])
+    if ssh_ok or sshd_ok:
+        svc_name = "ssh" if ssh_ok else "sshd"
+        results["ssh_service"] = {"status": "ok", "message": f"{svc_name} running"}
+        svc_info.append(f"✅ Service: [green]{svc_name} running[/green]")
+    else:
+        results["ssh_service"] = {"status": "error", "message": "sshd not running"}
+        issues.append(("sshd not running", "No SSH daemon = no connections", "sudo systemctl start ssh && sudo systemctl enable ssh"))
+        svc_info.append("❌ Service: [red]not running[/red]")
+
+    console.print(Panel("\n".join(svc_info), title="[bold]Service[/bold]", border_style="blue"))
+
+    net_info: list[str] = []
+    ok, ip_out = _run(["ip", "addr", "show"])
+    if ok:
+        ip_addresses = re.findall(r'inet\s+(\d+\.\d+\.\d+\.\d+)/\d+.*scope\s+global', ip_out)
+        if ip_addresses:
+            net_info.append(f"🌐 IP: [cyan]{', '.join(ip_addresses)}[/cyan]")
+
+    sshd_config_paths = [Path("/etc/ssh/sshd_config"), Path("/etc/sshd_config")]
+    sshd_config: Path | None = None
+    for p in sshd_config_paths:
+        if p.exists():
+            sshd_config = p
+            break
+
+    if sshd_config:
+        try:
+            config_text = sshd_config.read_text(encoding="utf-8")
+            port_lines = [line for line in config_text.split("\n") if line.strip().startswith("Port") and not line.strip().startswith("#")]
+            if port_lines:
+                ssh_port = port_lines[0].split()[1]
+            net_info.append(f"🔌 Port: [cyan]{ssh_port}[/cyan]")
+
+            pubkey_lines = [line for line in config_text.split("\n") if "PubkeyAuthentication" in line and not line.strip().startswith("#")]
+            if pubkey_lines and "no" in pubkey_lines[-1].lower():
+                results["pubkey_auth"] = {"status": "error", "message": "PubkeyAuthentication disabled"}
+                issues.append(("PubkeyAuthentication disabled", "Key-based login won't work", f"Edit {sshd_config}: set PubkeyAuthentication yes, then sudo systemctl restart ssh"))
+                net_info.append("❌ PubkeyAuthentication: [red]disabled[/red]")
+            else:
+                net_info.append("✅ PubkeyAuthentication: enabled")
+
+            password_lines = [line for line in config_text.split("\n") if "PasswordAuthentication" in line and not line.strip().startswith("#")]
+            if password_lines:
+                password_enabled = "yes" in password_lines[-1].lower()
+                if password_enabled:
+                    results["password_auth"] = {"status": "ok", "message": "PasswordAuthentication enabled"}
+                    net_info.append("✅ PasswordAuthentication: [green]enabled[/green]")
+                else:
+                    results["password_auth"] = {"status": "info", "message": "PasswordAuthentication disabled"}
+                    net_info.append("ℹ️  PasswordAuthentication: [yellow]disabled[/yellow] (key-only)")
+            else:
+                results["password_auth"] = {"status": "ok", "message": "PasswordAuthentication enabled (default)"}
+                net_info.append("✅ PasswordAuthentication: [green]enabled[/green] (default)")
+
+            permit_root = [line for line in config_text.split("\n") if "PermitRootLogin" in line and not line.strip().startswith("#")]
+            if permit_root:
+                val = permit_root[-1].split()[-1].lower()
+                net_info.append(f"ℹ️  PermitRootLogin: {val}")
+        except Exception:
+            pass
+
+    ok, ss_out = _run(["ss", "-tlnp"])
+    if ok:
+        listening = [line for line in ss_out.split("\n") if f":{ssh_port}" in line]
+        if not listening:
+            results["ssh_listening"] = {"status": "error", "message": f"Not listening on {ssh_port}"}
+            issues.append((f"Not listening on port {ssh_port}", "No connections possible", "sudo systemctl restart ssh"))
+            net_info.append(f"❌ Listening: [red]NOT on port {ssh_port}[/red]")
+        elif all("127.0.0.1" in line or "[::1]" in line for line in listening):
+            results["ssh_listening"] = {"status": "error", "message": "Localhost only"}
+            issues.append(("SSH bound to localhost", "Only local connections", f"Edit {sshd_config}: remove/comment ListenAddress 127.0.0.1"))
+            net_info.append("❌ Listening: [red]localhost only[/red]")
+        else:
+            results["ssh_listening"] = {"status": "ok", "message": f"Listening on {ssh_port}"}
+            net_info.append(f"✅ Listening: 0.0.0.0:{ssh_port}")
+
+    fw_checked = False
+    ok, ufw_out = _run(["ufw", "status"])
+    if ok and "Status: active" in ufw_out:
+        fw_checked = True
+        if f"{ssh_port}/tcp" in ufw_out.lower() or "ssh" in ufw_out.lower() or f" {ssh_port} " in ufw_out:
+            results["firewall"] = {"status": "ok", "message": "UFW allows SSH"}
+            net_info.append("✅ Firewall (UFW): allows SSH")
+        else:
+            results["firewall"] = {"status": "error", "message": "UFW blocking SSH"}
+            issues.append(("UFW blocking SSH", "Incoming connections dropped", f"sudo ufw allow {ssh_port}/tcp"))
+            net_info.append("❌ Firewall (UFW): [red]blocking SSH[/red]")
+            net_info.append("   [dim]Active firewall without SSH rule = blocked[/dim]")
+
+    if not fw_checked:
+        ok, fwd_out = _run(["firewall-cmd", "--state"])
+        if ok and "running" in fwd_out.lower():
+            fw_checked = True
+            ok2, svc_out = _run(["firewall-cmd", "--list-services"])
+            if ok2 and "ssh" in svc_out.lower():
+                results["firewall"] = {"status": "ok", "message": "firewalld allows SSH"}
+                net_info.append("✅ Firewall (firewalld): allows SSH")
+            else:
+                results["firewall"] = {"status": "error", "message": "firewalld blocking SSH"}
+                issues.append(("firewalld blocking SSH", "Incoming connections dropped", "sudo firewall-cmd --permanent --add-service=ssh && sudo firewall-cmd --reload"))
+                net_info.append("❌ Firewall (firewalld): [red]blocking SSH[/red]")
+
+    if not fw_checked:
+        ok, ipt_out = _run(["iptables", "-L", "INPUT", "-n"])
+        if ok and ipt_out:
+            has_drop_policy = "policy DROP" in ipt_out or "policy REJECT" in ipt_out
+            has_ssh_allow = f"dpt:{ssh_port}" in ipt_out or "dpt:ssh" in ipt_out
+            if has_drop_policy and not has_ssh_allow:
+                results["firewall"] = {"status": "error", "message": "iptables blocking SSH"}
+                issues.append(("iptables blocking SSH", "DROP/REJECT policy without SSH allow", f"sudo iptables -I INPUT -p tcp --dport {ssh_port} -j ACCEPT"))
+                net_info.append("❌ Firewall (iptables): [red]DROP policy, no SSH rule[/red]")
+                fw_checked = True
+            elif has_drop_policy and has_ssh_allow:
+                results["firewall"] = {"status": "ok", "message": "iptables allows SSH"}
+                net_info.append("✅ Firewall (iptables): allows SSH")
+                fw_checked = True
+
+    if not fw_checked:
+        net_info.append("ℹ️  Firewall: none detected / not active")
+
+    console.print(Panel("\n".join(net_info), title="[bold]Network & Firewall[/bold]", border_style="blue"))
+
+    other_info: list[str] = []
+    hosts_deny = Path("/etc/hosts.deny")
+    if hosts_deny.exists():
+        try:
+            content = hosts_deny.read_text(encoding="utf-8")
+            active = [line for line in content.splitlines() if line.strip() and not line.strip().startswith("#")]
+            joined = " ".join(active).lower()
+            if "sshd" in joined or "all" in joined:
+                results["hosts_deny"] = {"status": "error", "message": "hosts.deny blocking"}
+                issues.append(("hosts.deny blocking SSH", "TCP wrappers deny before firewall", "Edit /etc/hosts.deny to remove sshd/ALL entries"))
+                other_info.append("❌ /etc/hosts.deny: [red]may block SSH[/red]")
+            else:
+                other_info.append("✅ /etc/hosts.deny: OK")
+        except Exception:
+            pass
+
+    ok, se_out = _run(["getenforce"])
+    if ok and se_out:
+        if se_out == "Enforcing":
+            other_info.append("ℹ️  SELinux: Enforcing (run [cyan]restorecon -Rv ~/.ssh[/cyan] if issues)")
+        else:
+            other_info.append(f"ℹ️  SELinux: {se_out}")
+
+    log_files = [Path("/var/log/auth.log"), Path("/var/log/secure")]
+    for lf in log_files:
+        if lf.exists():
+            ok, tail = _run(["tail", "-n", "20", str(lf)])
+            if ok:
+                errors = [line for line in tail.split("\n") if any(k in line.lower() for k in ["error", "failed", "refused", "denied"]) and "ssh" in line.lower()]
+                if errors:
+                    other_info.append(f"⚠️  Recent SSH errors in {lf.name}: {len(errors)}")
+                else:
+                    other_info.append(f"✅ {lf.name}: no recent SSH errors")
+            break
+
+    if other_info:
+        console.print(Panel("\n".join(other_info), title="[bold]Additional[/bold]", border_style="blue"))
+
+    if issues:
+        fix_table = Table(title="Issues & Fixes", box=box.ROUNDED, show_lines=True, title_style="bold red")
+        fix_table.add_column("Issue", style="yellow", width=25)
+        fix_table.add_column("Impact", style="white", width=35)
+        fix_table.add_column("Fix Command", style="green", width=55)
+        for issue, impact, fix in issues:
+            fix_table.add_row(issue, impact, fix)
+        console.print(fix_table)
+
+        fix_script_path = Path("/tmp/ssh_fix.sh")
+        script_lines = ["#!/bin/bash", "set -e", "", "# SSH Fix Script - Generated by ssh_debug_linux", f"# {len(issues)} issue(s) to fix", ""]
+        for issue, _impact, fix in issues:
+            script_lines.append(f"# Fix: {issue}")
+            script_lines.append(fix)
+            script_lines.append("")
+        script_lines.append("echo 'All fixes applied. Re-run ssh_debug_linux to verify.'")
+        fix_script_path.write_text("\n".join(script_lines), encoding="utf-8")
+        fix_script_path.chmod(0o755)
+
+        console.print(Panel(f"[bold yellow]⚠️  {len(issues)} issue(s) found[/bold yellow]\n\nFix script generated: [cyan]{fix_script_path}[/cyan]\nRun: [green]sudo bash {fix_script_path}[/green]", title="[bold]Summary[/bold]", border_style="yellow"))
+    else:
+        conn_info = f"👤 {current_user}  🖥️  {hostname}  🔌 :{ssh_port}"
+        if ip_addresses:
+            conn_info += f"\n\n[bold]Connect:[/bold] ssh {current_user}@{ip_addresses[0]}"
+        console.print(Panel(f"[bold green]✅ All checks passed[/bold green]\n\n{conn_info}", title="[bold]Ready[/bold]", border_style="green"))
+
+    return results
+
+
+if __name__ == "__main__":
+    ssh_debug_linux()

machineconfig/scripts/python/helpers/helpers_network/ssh_debug_windows.py

@@ -0,0 +1,275 @@
+
+
+from platform import system
+from pathlib import Path
+from rich.console import Console
+from rich.panel import Panel
+from rich.table import Table
+from rich import box
+import subprocess
+import os
+
+
+console = Console()
+
+
+def _run_ps(cmd: str) -> tuple[bool, str]:
+    result = subprocess.run(["powershell", "-Command", cmd], capture_output=True, text=True, check=False)
+    return result.returncode == 0, result.stdout.strip()
+
+
+def _check_sshd_binary_exists() -> tuple[bool, str]:
+    sshd_locations = [
+        Path("C:/Windows/System32/OpenSSH/sshd.exe"),
+        Path("C:/Program Files/OpenSSH/sshd.exe"),
+        Path("C:/Program Files (x86)/OpenSSH/sshd.exe"),
+    ]
+    for loc in sshd_locations:
+        if loc.exists():
+            return True, str(loc)
+    ok, which_out = _run_ps("Get-Command sshd -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Source")
+    if ok and which_out:
+        return True, which_out
+    return False, ""
+
+
+def _detect_openssh() -> tuple[str, Path | None, Path | None]:
+    capability_sshd = Path("C:/Windows/System32/OpenSSH/sshd.exe")
+    winget_sshd = Path("C:/Program Files/OpenSSH/sshd.exe")
+    programdata_config = Path("C:/ProgramData/ssh")
+    capability_config = Path("C:/ProgramData/ssh")
+    if capability_sshd.exists():
+        return ("capability", capability_sshd, capability_config)
+    if winget_sshd.exists():
+        return ("winget", winget_sshd, programdata_config)
+    return ("not_found", None, None)
+
+
+def ssh_debug_windows() -> dict[str, dict[str, str | bool]]:
+    if system() != "Windows":
+        raise NotImplementedError("ssh_debug_windows is only supported on Windows")
+
+    results: dict[str, dict[str, str | bool]] = {}
+    issues: list[tuple[str, str, str]] = []
+    current_user = os.environ.get("USERNAME", "unknown")
+    ssh_port = "22"
+    ip_addresses: list[str] = []
+
+    sshd_exists, sshd_path = _check_sshd_binary_exists()
+    install_type, _sshd_exe, config_dir = _detect_openssh()
+    ok, hostname = _run_ps("hostname")
+    hostname = hostname if ok else "unknown"
+
+    install_info: list[str] = []
+    if not sshd_exists:
+        results["installation"] = {"status": "error", "message": "sshd.exe not found on system"}
+        issues.append(("sshd.exe not found", "OpenSSH Server binary missing entirely", "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"))
+        install_info.append("❌ sshd.exe: [red]NOT FOUND[/red]")
+        install_info.append("   [dim]OpenSSH Server is not installed on this system[/dim]")
+    elif install_type == "not_found":
+        results["installation"] = {"status": "warning", "message": f"sshd found at {sshd_path} but not in standard location"}
+        install_info.append(f"⚠️  sshd.exe: found at [yellow]{sshd_path}[/yellow]")
+        install_info.append("   [dim]Non-standard location - may need manual configuration[/dim]")
+    else:
+        results["installation"] = {"status": "ok", "message": f"OpenSSH installed ({install_type})"}
+        install_info.append(f"✅ OpenSSH Server: installed via {'Windows Capability' if install_type == 'capability' else 'winget'}")
+        install_info.append(f"   Binary: {sshd_path}")
+        install_info.append(f"   Config: {config_dir}")
+
+    ok, status = _run_ps("Get-Service -Name sshd -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Status")
+    if not ok or not status:
+        results["ssh_service"] = {"status": "error", "message": "sshd service not found"}
+        issues.append(("sshd service missing", "SSH daemon not installed", "Install OpenSSH Server first"))
+        install_info.append("❌ sshd service: [red]NOT FOUND[/red]")
+    elif status != "Running":
+        results["ssh_service"] = {"status": "error", "message": f"sshd is {status}"}
+        issues.append((f"sshd is {status}", "SSH connections will be refused", "Start-Service sshd ; Set-Service sshd -StartupType Automatic"))
+        install_info.append(f"❌ sshd service: [yellow]{status}[/yellow]")
+    else:
+        results["ssh_service"] = {"status": "ok", "message": "sshd running"}
+        ok, startup = _run_ps("Get-Service -Name sshd | Select-Object -ExpandProperty StartType")
+        startup_note = f" (startup: {startup})" if ok else ""
+        install_info.append(f"✅ sshd service: [green]Running[/green]{startup_note}")
+
+    console.print(Panel("\n".join(install_info), title="[bold]Installation & Service[/bold]", border_style="blue"))
+
+    ssh_dir = Path.home().joinpath(".ssh")
+    authorized_keys = ssh_dir.joinpath("authorized_keys")
+    admin_auth_keys = Path("C:/ProgramData/ssh/administrators_authorized_keys")
+    perm_info: list[str] = []
+
+    ok, is_admin_str = _run_ps("([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)")
+    is_admin = "True" in is_admin_str
+
+    if is_admin:
+        perm_info.append(f"👤 User [cyan]{current_user}[/cyan] is an [yellow]Administrator[/yellow]")
+        perm_info.append("   ➜ Keys must be in: [cyan]C:\\ProgramData\\ssh\\administrators_authorized_keys[/cyan]")
+        target_auth_keys = admin_auth_keys
+    else:
+        perm_info.append(f"👤 User [cyan]{current_user}[/cyan] is a standard user")
+        perm_info.append(f"   ➜ Keys should be in: [cyan]{authorized_keys}[/cyan]")
+        target_auth_keys = authorized_keys
+
+    if not target_auth_keys.exists():
+        results["authorized_keys"] = {"status": "error", "message": f"{target_auth_keys.name} missing"}
+        issues.append((f"{target_auth_keys.name} missing", "No public keys authorized - SSH login will fail", f"Create file and add your public key to {target_auth_keys}"))
+        perm_info.append(f"\n❌ [red]{target_auth_keys.name} does not exist[/red]")
+        perm_info.append("   [dim]No keys = no login. Add your public key to this file.[/dim]")
+    else:
+        try:
+            keys = [line for line in target_auth_keys.read_text(encoding="utf-8").split("\n") if line.strip()]
+            results["authorized_keys"] = {"status": "ok", "message": f"{len(keys)} key(s)"}
+            perm_info.append(f"\n✅ {target_auth_keys.name}: [green]{len(keys)} key(s)[/green]")
+        except Exception as e:
+            perm_info.append(f"\n⚠️  Could not read {target_auth_keys.name}: {e}")
+
+    if is_admin and admin_auth_keys.exists():
+        ok, icacls_out = _run_ps(f'icacls "{admin_auth_keys}"')
+        if ok:
+            needs_fix = "BUILTIN\\Users" in icacls_out or "Everyone" in icacls_out
+            if needs_fix:
+                results["admin_keys_perms"] = {"status": "error", "message": "Permissions too open"}
+                issues.append(("administrators_authorized_keys permissions wrong", "sshd ignores file if permissions allow other users", f'icacls "{admin_auth_keys}" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"'))
+                perm_info.append("❌ [red]Permissions too open[/red] - sshd will ignore this file!")
+            else:
+                perm_info.append("✅ Permissions: restricted to Administrators/SYSTEM")
+
+    console.print(Panel("\n".join(perm_info), title="[bold]Keys & Permissions[/bold]", border_style="blue"))
+
+    net_info: list[str] = []
+    ok, ip_out = _run_ps("Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp,Manual | Where-Object {$_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*'} | Select-Object -ExpandProperty IPAddress")
+    if ok and ip_out:
+        ip_addresses = [ip.strip() for ip in ip_out.split("\n") if ip.strip()]
+        net_info.append(f"🌐 IP addresses: [cyan]{', '.join(ip_addresses)}[/cyan]")
+
+    sshd_config: Path | None = config_dir.joinpath("sshd_config") if config_dir else None
+    config_text: str | None = None
+    if sshd_config and sshd_config.exists():
+        try:
+            config_text = sshd_config.read_text(encoding="utf-8")
+        except PermissionError:
+            ok, config_text_ps = _run_ps(f'Get-Content "{sshd_config}" -Raw')
+            config_text = config_text_ps if ok and config_text_ps else None
+        except Exception:
+            config_text = None
+        if config_text:
+            port_lines = [line for line in config_text.split("\n") if line.strip().startswith("Port") and not line.strip().startswith("#")]
+            if port_lines:
+                ssh_port = port_lines[0].split()[1]
+
+    auth_info: list[str] = []
+    auth_info.append(f"📄 Config file: [cyan]{sshd_config}[/cyan]" if sshd_config else "📄 Config file: [red]not found[/red]")
+    if config_text:
+        pubkey_lines = [line for line in config_text.split("\n") if "PubkeyAuthentication" in line and not line.strip().startswith("#")]
+        if pubkey_lines and "no" in pubkey_lines[-1].lower():
+            results["pubkey_auth"] = {"status": "error", "message": "PubkeyAuthentication disabled"}
+            issues.append(("PubkeyAuthentication disabled", "Key-based login won't work", f'Edit {sshd_config} and set PubkeyAuthentication yes, then Restart-Service sshd'))
+            auth_info.append("❌ PubkeyAuthentication: [red]disabled[/red]")
+        else:
+            results["pubkey_auth"] = {"status": "ok", "message": "PubkeyAuthentication enabled (default)"}
+            auth_info.append("✅ PubkeyAuthentication: [green]enabled[/green] (default: yes)")
+
+        password_lines = [line for line in config_text.split("\n") if "PasswordAuthentication" in line and not line.strip().startswith("#")]
+        if password_lines:
+            password_enabled = "yes" in password_lines[-1].lower()
+            if password_enabled:
+                results["password_auth"] = {"status": "ok", "message": "PasswordAuthentication enabled"}
+                auth_info.append("✅ PasswordAuthentication: [green]enabled[/green]")
+            else:
+                results["password_auth"] = {"status": "info", "message": "PasswordAuthentication disabled"}
+                auth_info.append("🔐 PasswordAuthentication: [yellow]disabled[/yellow] (key-only)")
+        else:
+            results["password_auth"] = {"status": "ok", "message": "PasswordAuthentication enabled (default)"}
+            auth_info.append("✅ PasswordAuthentication: [green]enabled[/green] (default: yes)")
+    else:
+        auth_info.append("⚠️  Could not read sshd_config - auth settings unknown")
+        results["pubkey_auth"] = {"status": "unknown", "message": "Could not read config"}
+        results["password_auth"] = {"status": "unknown", "message": "Could not read config"}
+
+    console.print(Panel("\n".join(auth_info), title="[bold]Authentication Settings[/bold]", border_style="blue"))
+
+    net_info.append(f"🔌 SSH port: [cyan]{ssh_port}[/cyan]")
+    netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
+    if netstat.returncode == 0:
+        listening_lines = [line for line in netstat.stdout.split("\n") if f":{ssh_port}" in line and "LISTENING" in line]
+        if not listening_lines:
+            results["ssh_listening"] = {"status": "error", "message": f"Not listening on port {ssh_port}"}
+            issues.append((f"SSH not listening on port {ssh_port}", "No connections possible", "Restart-Service sshd"))
+            net_info.append(f"❌ Listening: [red]NOT listening on port {ssh_port}[/red]")
+        elif all("127.0.0.1" in line or "[::1]" in line for line in listening_lines):
+            results["ssh_listening"] = {"status": "error", "message": "Listening on localhost only"}
+            issues.append(("SSH bound to localhost only", "Only local connections work", f"Check ListenAddress in {sshd_config}"))
+            net_info.append("❌ Listening: [red]localhost only[/red] (remote connections blocked)")
+        else:
+            results["ssh_listening"] = {"status": "ok", "message": f"Listening on port {ssh_port}"}
+            net_info.append(f"✅ Listening: 0.0.0.0:{ssh_port}")
+
+    fw_cmd = f"""
+        $rules = Get-NetFirewallRule -ErrorAction SilentlyContinue | Where-Object {{
+            ($_.DisplayName -like '*SSH*' -or $_.DisplayName -like '*OpenSSH*' -or $_.Name -like '*SSH*' -or $_.Name -like '*sshd*') -and
+            $_.Direction -eq 'Inbound'
+        }}
+        if (-not $rules) {{
+            $portFilter = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue | Where-Object {{ $_.LocalPort -eq '{ssh_port}' -and $_.Protocol -eq 'TCP' }}
+            if ($portFilter) {{
+                $rules = $portFilter | ForEach-Object {{ Get-NetFirewallRule -AssociatedNetFirewallPortFilter $_ -ErrorAction SilentlyContinue }} | Where-Object {{ $_.Direction -eq 'Inbound' }}
+            }}
+        }}
+        if ($rules) {{
+            $rules | Select-Object Name, DisplayName, Enabled, Action | Format-List
+        }}
+    """
+    ok, fw_out = _run_ps(fw_cmd)
+    if ok and fw_out.strip():
+        has_allow = "Enabled : True" in fw_out and "Action : Allow" in fw_out
+        if has_allow:
+            results["firewall"] = {"status": "ok", "message": "Firewall allows SSH"}
+            net_info.append("✅ Firewall: SSH rule exists and enabled")
+        else:
+            results["firewall"] = {"status": "warning", "message": "Firewall rule exists but may not be active"}
+            issues.append(("Firewall rule not active", "Incoming SSH may be blocked", f'New-NetFirewallRule -Name "SSH" -DisplayName "SSH" -Protocol TCP -LocalPort {ssh_port} -Action Allow -Enabled True'))
+            net_info.append("⚠️  Firewall: SSH rule exists but [yellow]not enabled[/yellow]")
+    else:
+        if not is_admin:
+            results["firewall"] = {"status": "warning", "message": "Cannot verify firewall (run as Admin)"}
+            net_info.append("⚠️  Firewall: [yellow]Cannot verify - run script as Administrator[/yellow]")
+            net_info.append("   [dim]Firewall rules may exist but require elevation to query.[/dim]")
+        else:
+            results["firewall"] = {"status": "error", "message": "No SSH firewall rule"}
+            issues.append(("No SSH firewall rule", "Windows Firewall blocks incoming SSH by default", f'New-NetFirewallRule -Name "SSH" -DisplayName "SSH" -Protocol TCP -LocalPort {ssh_port} -Action Allow -Enabled True'))
+            net_info.append("❌ Firewall: [red]No SSH rule found[/red]")
+            net_info.append("   [dim]Windows blocks all incoming by default. Must create allow rule.[/dim]")
+
+    console.print(Panel("\n".join(net_info), title="[bold]Network & Firewall[/bold]", border_style="blue"))
+
+    if issues:
+        fix_table = Table(title="Issues & Fixes", box=box.ROUNDED, show_lines=True, title_style="bold red")
+        fix_table.add_column("Issue", style="yellow", width=30)
+        fix_table.add_column("Impact", style="white", width=35)
+        fix_table.add_column("Fix Command", style="green", width=60)
+        for issue, impact, fix in issues:
+            fix_table.add_row(issue, impact, fix)
+        console.print(fix_table)
+
+        fix_script_path = Path(os.environ.get("TEMP", "C:/Temp")).joinpath("ssh_fix.ps1")
+        script_lines = ["# SSH Fix Script - Generated by ssh_debug_windows", f"# {len(issues)} issue(s) to fix", "# Run this script as Administrator", "", "$ErrorActionPreference = 'Stop'", ""]
+        for issue, _impact, fix in issues:
+            script_lines.append(f"# Fix: {issue}")
+            script_lines.append(f"Write-Host 'Fixing: {issue}' -ForegroundColor Yellow")
+            script_lines.append(fix)
+            script_lines.append("")
+        script_lines.append("Write-Host 'All fixes applied. Re-run ssh_debug_windows to verify.' -ForegroundColor Green")
+        fix_script_path.write_text("\n".join(script_lines), encoding="utf-8")
+
+        console.print(Panel(f"[bold yellow]⚠️  {len(issues)} issue(s) found[/bold yellow]\n\nFix script generated: [cyan]{fix_script_path}[/cyan]\nRun as Administrator: [green]powershell -ExecutionPolicy Bypass -File \"{fix_script_path}\"[/green]", title="[bold]Summary[/bold]", border_style="yellow"))
+    else:
+        conn_info = f"👤 {current_user}  🖥️  {hostname}  🔌 :{ssh_port}"
+        if ip_addresses:
+            conn_info += f"\n\n[bold]Connect:[/bold] ssh {current_user}@{ip_addresses[0]}"
+        console.print(Panel(f"[bold green]✅ All checks passed[/bold green]\n\n{conn_info}", title="[bold]Ready[/bold]", border_style="green"))
+
+    return results
+
+
+if __name__ == "__main__":
+    ssh_debug_windows()

machineconfig/scripts/python/{helpers_repos → helpers/helpers_repos}/action.py

@@ -1,7 +1,7 @@
-from machineconfig.scripts.python.helpers_repos.action_helper import GitAction, GitOperationResult, GitOperationSummary, print_git_operations_summary
+from machineconfig.scripts.python.helpers.helpers_repos.action_helper import GitAction, GitOperationResult, GitOperationSummary, print_git_operations_summary
 from machineconfig.utils.path_extended import PathExtended
 from machineconfig.utils.accessories import randstr
-from machineconfig.scripts.python.helpers_repos.update import update_repository
+from machineconfig.scripts.python.helpers.helpers_repos.update import update_repository
 
 from typing import Optional, Dict, Any, List, cast
 import concurrent.futures
@@ -117,7 +117,7 @@ def perform_git_operations(repos_root: PathExtended, pull: bool, commit: bool, p
         operations_performed.append("push")
 
     # Collect all candidate paths first
-    paths = list(repos_root.search("*"))
+    paths = list(repos_root.glob("*"))
 
     def _process_path(a_path: PathExtended) -> Dict[str, Any]:
         """Worker that processes a single path and returns metadata and results."""

machineconfig/scripts/python/{helpers_repos → helpers/helpers_repos}/action_helper.py

@@ -1,5 +1,5 @@
 from enum import Enum
-from machineconfig.utils.path_extended import PathExtended
+from pathlib import Path
 
 
 from dataclasses import dataclass
@@ -12,7 +12,7 @@ from rich.table import Table
 @dataclass
 class GitOperationResult:
     """Result of a git operation on a single repository."""
-    repo_path: PathExtended
+    repo_path: Path
     action: str
     success: bool
     message: str
@@ -52,7 +52,7 @@ class GitOperationSummary:
 
     def __post_init__(self):
         self.failed_operations: list[GitOperationResult] = []
-        self.repos_without_remotes: list[PathExtended] = []
+        self.repos_without_remotes: list[Path] = []
 
 
 def print_git_operations_summary(summary: GitOperationSummary, operations_performed: list[str]) -> None: