I know that /etc/pam.d/ssh and /etc/ssh/sshd_config should probably be done with the other debathena config magic, but I just don't understand it, and also, my Perl-fu isn't good enough
svn path=/trunk/packages/sipb-xen-console/; revision=380
+sipb-xen-console (6) unstable; urgency=low
+
+ * modprobe fuse before attaching consolefs
+ * Revert code to block dropping privileges to user accounts
+ * Add configuration to accept Kerberos config for users and error on
+ non-root users if Kerberos authentication fails
+
+ -- SIPB Xen Project <sipb-xen@mit.edu> Tue, 01 Apr 2008 20:03:11 -0400
+
sipb-xen-console (5.1) unstable; urgency=low
* Package should create /consolefs so that sipb-xen-consolefs has
Architecture: all
Provides: ${diverted-files}
Conflicts: ${diverted-files}
-Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-database-common
+Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, debathena-kerberos-config, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
Description: SIPB Xen serial console server
This package should be installed on sipb-xen-console
It makes sure that necessary tools are available.
Architecture: all
Provides: ${diverted-files}
Conflicts: ${diverted-files}
-Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
+Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, debathena-kerberos-config, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
Description: SIPB Xen serial console server
This package should be installed on sipb-xen-console
It makes sure that necessary tools are available.
DEB_DIVERT_FILES_sipb-xen-console += \
/etc/init.d/bootmisc.sh \
/etc/modules \
+ /etc/motd \
/etc/nscd.conf \
/etc/nsswitch.conf \
- /etc/motd \
- /etc/ssh/ssh_config
+ /etc/pam.d/ssh \
+ /etc/ssh/ssh_config \
+ /etc/ssh/sshd_config
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/rules/replace-files.mk
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
+ modprobe fuse
daemon --running -n $NAME && return 1
daemon -r -O daemon.info -E daemon.err -n $NAME -U $DAEMON $DAEMON_ARGS || return 2
}
--- /dev/null
+You must login to the sipb-xen console server using Kerberos tickets, but your
+ssh client did not pass a valid ticket to the console server.
--- /dev/null
+The VM you are attempting to access does not appear to exist.
+
+++ /dev/null
-# /etc/modules: kernel modules to load at boot time.
-#
-# This file contains the names of kernel modules that should be loaded
-# at boot time, one per line. Lines beginning with "#" are ignored.
-
-loop
-fuse
\ No newline at end of file
--- /dev/null
+# PAM configuration for the Secure Shell service
+
+# If they're not root, but their user exists (success),
+auth [success=ignore ignore=ignore default=1 module_unknown=die] pam_succeed_if.so uid > 0
+# print the "You don't have tickets" error:
+auth [success=die ignore=reset default=die module_unknown=die] pam_echo.so file=/etc/issue.net.no_tkt
+# If !(they are root),
+auth [success=1 ignore=ignore default=ignore module_unknown=die] pam_succeed_if.so uid eq 0
+# print the "your account doesn't exist" error:
+auth [success=die ignore=reset default=die module_unknown=die] pam_echo.so file=/etc/issue.net.no_user
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+auth required pam_env.so envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session required pam_selinux.so multiple
+
+# Standard Un*x password updating.
+@include common-password
--- /dev/null
+Port 22
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication yes
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+GSSAPIKeyExchange yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+UsePAM yes
#!/bin/bash
-if [ "$SHLVL" != "1" ]
-then
- echo "Please do not compromise our users' machines"
- exit 1
-fi
-
export VM_NAME="d_$USER"
ssh console@black-mesa
projects / invirt/packages/invirt-console.git / commitdiff
