From fbdc5f70da412104a209617ca38b091f0797f411 Mon Sep 17 00:00:00 2001
From: Evan Broder
Date: Tue, 1 Apr 2008 20:06:31 -0400
Subject: [PATCH] Added configuration changes for Kerberos and passwordless SSH, and fixed some miscellaneous things. I know that /etc/pam.d/ssh and /etc/ssh/sshd_config should probably be done with the other debathena config magic, but I just don't understand it, and also, my Perl-fu isn't good enough
svn path=/trunk/packages/sipb-xen-console/; revision=380
---
 debian/changelog | 9 ++++++
 debian/control | 2 +-
 debian/control.in | 2 +-
 debian/rules | 6 ++--
 debian/sipb-xen-console.init | 1 +
 files/etc/issue.net.no_tkt | 2 ++
 files/etc/issue.net.no_user | 2 ++
 files/etc/modules.sipb-xen | 7 -----
 files/etc/pam.d/ssh.sipb-xen | 48 +++++++++++++++++++++++++++++
 files/etc/ssh/sshd_config.sipb-xen | 59 ++++++++++++++++++++++++++++++++++++
 files/usr/bin/sipb-xen-consolesh | 6 ----
 11 files changed, 127 insertions(+), 17 deletions(-)
 create mode 100644 files/etc/issue.net.no_tkt
 create mode 100644 files/etc/issue.net.no_user
 delete mode 100644 files/etc/modules.sipb-xen
 create mode 100644 files/etc/pam.d/ssh.sipb-xen
 create mode 100644 files/etc/ssh/sshd_config.sipb-xen
diff --git a/debian/changelog b/debian/changelog
index 848d7dc..685923d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+sipb-xen-console (6) unstable; urgency=low
+
+ * modprobe fuse before attaching consolefs
+ * Revert code to block dropping privileges to user accounts
+ * Add configuration to accept Kerberos config for users and error on
+ non-root users if Kerberos authentication fails
+
+ -- SIPB Xen Project Tue, 01 Apr 2008 20:03:11 -0400
+
 sipb-xen-console (5.1) unstable; urgency=low
 * Package should create /consolefs so that sipb-xen-consolefs has
diff --git a/debian/control b/debian/control
index cde59d2..4cbdbcf 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Package: sipb-xen-console
 Architecture: all
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
-Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-database-common
+Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, debathena-kerberos-config, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
 Description: SIPB Xen serial console server
 This package should be installed on sipb-xen-console
 It makes sure that necessary tools are available.
diff --git a/debian/control.in b/debian/control.in
index e9b03c6..09e65d8 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -9,7 +9,7 @@ Package: sipb-xen-console
 Architecture: all
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
-Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
+Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, debathena-kerberos-config, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
 Description: SIPB Xen serial console server
 This package should be installed on sipb-xen-console
 It makes sure that necessary tools are available.
diff --git a/debian/rules b/debian/rules
index 3d57b08..3d6ccab 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,10 +5,12 @@ DEB_DIVERT_EXTENSION = .sipb-xen
 DEB_DIVERT_FILES_sipb-xen-console += \
 /etc/init.d/bootmisc.sh \
 /etc/modules \
+ /etc/motd \
 /etc/nscd.conf \
 /etc/nsswitch.conf \
- /etc/motd \
- /etc/ssh/ssh_config
+ /etc/pam.d/ssh \
+ /etc/ssh/ssh_config \
+ /etc/ssh/sshd_config
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/rules/replace-files.mk
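Review bot: `/etc/modules` is still listed in `DEB_DIVERT_FILES_sipb-xen-console` in debian/rules, although this same commit deletes `files/etc/modules.sipb-xen`, the replacement that entry refers to. If the divert machinery expects a replacement for every listed path (not visible from this hunk), the package would move the stock file aside and install nothing in its place; dropping the `/etc/modules \` entry together with the file keeps the two in step. The newly added `/etc/pam.d/ssh` and `/etc/ssh/sshd_config` entries do have matching `.sipb-xen` files in this commit.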
diff --git a/debian/sipb-xen-console.init b/debian/sipb-xen-console.init
index 6d2b7d4..117aec4 100755
--- a/debian/sipb-xen-console.init
+++ b/debian/sipb-xen-console.init
@@ -44,6 +44,7 @@ do_start()
 # 0 if daemon has been started
 # 1 if daemon was already running
 # 2 if daemon could not be started
+ modprobe fuse
 daemon --running -n $NAME && return 1
 daemon -r -O daemon.info -E daemon.err -n $NAME -U $DAEMON $DAEMON_ARGS || return 2
 }
diff --git a/files/etc/issue.net.no_tkt b/files/etc/issue.net.no_tkt
new file mode 100644
index 0000000..c1c5464
--- /dev/null
+++ b/files/etc/issue.net.no_tkt
@@ -0,0 +1,2 @@
+You must login to the sipb-xen console server using Kerberos tickets, but your
+ssh client did not pass a valid ticket to the console server.
diff --git a/files/etc/issue.net.no_user b/files/etc/issue.net.no_user
new file mode 100644
index 0000000..774bde5
--- /dev/null
+++ b/files/etc/issue.net.no_user
@@ -0,0 +1,2 @@
+The VM you are attempting to access does not appear to exist.
+
diff --git a/files/etc/modules.sipb-xen b/files/etc/modules.sipb-xen
deleted file mode 100644
index d9af5ce..0000000
--- a/files/etc/modules.sipb-xen
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/modules: kernel modules to load at boot time.
-#
-# This file contains the names of kernel modules that should be loaded
-# at boot time, one per line. Lines beginning with "#" are ignored.
-
-loop
-fuse
\ No newline at end of file
diff --git a/files/etc/pam.d/ssh.sipb-xen b/files/etc/pam.d/ssh.sipb-xen
new file mode 100644
index 0000000..4aa1e74
--- /dev/null
+++ b/files/etc/pam.d/ssh.sipb-xen
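Review bot: The `modprobe fuse` added to do_start() in debian/sipb-xen-console.init ignores its exit status, so when the module cannot be loaded the daemon is still started and the failure presumably only shows up later when consolefs is attached. `modprobe fuse || return 2` would report it through the existing "could not be started" code. The deleted files/etc/modules.sipb-xen also loaded `loop`, which nothing in this commit loads any more; a short comment confirming that is intentional would help. do_start() begins outside the hunk.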
@@ -0,0 +1,48 @@
+# PAM configuration for the Secure Shell service
+
+# If they're not root, but their user exists (success),
+auth [success=ignore ignore=ignore default=1 module_unknown=die] pam_succeed_if.so uid > 0
+# print the "You don't have tickets" error:
+auth [success=die ignore=reset default=die module_unknown=die] pam_echo.so file=/etc/issue.net.no_tkt
+# If !(they are root),
+auth [success=1 ignore=ignore default=ignore module_unknown=die] pam_succeed_if.so uid eq 0
+# print the "your account doesn't exist" error:
+auth [success=die ignore=reset default=die module_unknown=die] pam_echo.so file=/etc/issue.net.no_user
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+auth required pam_env.so envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session required pam_selinux.so multiple
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/files/etc/ssh/sshd_config.sipb-xen b/files/etc/ssh/sshd_config.sipb-xen
new file mode 100644
index 0000000..a68dacd
--- /dev/null
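Review bot: The two `pam_echo.so` branches at the top of files/etc/pam.d/ssh.sipb-xen show an unauthenticated client a different message for an existing non-root account (issue.net.no_tkt) than for an unknown one (issue.net.no_user), so the console server confirms which VM names exist before any credential has been checked. If that disclosure is accepted for usability, record it next to the rules, e.g. `# NOTE: the two messages reveal whether an account exists to unauthenticated clients; accepted for usability`; otherwise point both branches at one generic message. Only this `auth` stack rejects non-root users, so sshd methods that do not go through PAM auth (public-key authentication is enabled in the accompanying sshd_config) are not covered by it and should be checked separately.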
+++ b/files/etc/ssh/sshd_config.sipb-xen
@@ -0,0 +1,59 @@
+Port 22
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication yes
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+GSSAPIKeyExchange yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+UsePAM yes
diff --git a/files/usr/bin/sipb-xen-consolesh b/files/usr/bin/sipb-xen-consolesh
index c3a5e53..ffaa191 100755
--- a/files/usr/bin/sipb-xen-consolesh
+++ b/files/usr/bin/sipb-xen-consolesh
@@ -1,10 +1,4 @@
 #!/bin/bash
-if [ "$SHLVL" != "1" ]
-then
- echo "Please do not compromise our users' machines"
- exit 1
-fi
-
 export VM_NAME="d_$USER"
 ssh console@black-mesa
-- 
1.7.9.5
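Review bot: `PasswordAuthentication no` in files/etc/ssh/sshd_config.sipb-xen does not switch password logins off, because `ChallengeResponseAuthentication yes` together with `UsePAM yes` routes keyboard-interactive through the PAM stack, and with `PermitRootLogin yes` root is the one account that stack lets through to `common-auth`. If keyboard-interactive is kept only so the pam_echo messages reach the client, a comment such as `# kept on so PAM can show the no-ticket / no-VM messages; root can still log in with a password` would stop a reader assuming passwords are disabled; if root is meant to use tickets or keys only, a stricter value such as `PermitRootLogin without-password` says so. `X11Forwarding yes` looks unnecessary on a serial-console host and could be `no`. The `KeyRegenerationInterval`, `ServerKeyBits` and `RSAAuthentication` lines are protocol-1 settings with no effect under `Protocol 2` and could be dropped.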