From fbdc5f70da412104a209617ca38b091f0797f411 Mon Sep 17 00:00:00 2001
From: Evan Broder <broder@mit.edu>
Date: Tue, 1 Apr 2008 20:06:31 -0400
Subject: [PATCH] Added configuration changes for Kerberos and passwordless
 SSH, and fixed some miscellaneous things.

I know that /etc/pam.d/ssh and /etc/ssh/sshd_config should probably be done with the other debathena config magic, but I just don't understand it, and also, my Perl-fu isn't good enough

svn path=/trunk/packages/sipb-xen-console/; revision=380
---
 debian/changelog                   |    9 ++++++
 debian/control                     |    2 +-
 debian/control.in                  |    2 +-
 debian/rules                       |    6 ++--
 debian/sipb-xen-console.init       |    1 +
 files/etc/issue.net.no_tkt         |    2 ++
 files/etc/issue.net.no_user        |    2 ++
 files/etc/modules.sipb-xen         |    7 -----
 files/etc/pam.d/ssh.sipb-xen       |   48 +++++++++++++++++++++++++++++
 files/etc/ssh/sshd_config.sipb-xen |   59 ++++++++++++++++++++++++++++++++++++
 files/usr/bin/sipb-xen-consolesh   |    6 ----
 11 files changed, 127 insertions(+), 17 deletions(-)
 create mode 100644 files/etc/issue.net.no_tkt
 create mode 100644 files/etc/issue.net.no_user
 delete mode 100644 files/etc/modules.sipb-xen
 create mode 100644 files/etc/pam.d/ssh.sipb-xen
 create mode 100644 files/etc/ssh/sshd_config.sipb-xen

diff --git a/debian/changelog b/debian/changelog
index 848d7dc..685923d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+sipb-xen-console (6) unstable; urgency=low
+
+  * modprobe fuse before attaching consolefs
+  * Revert code to block dropping privileges to user accounts
+  * Add configuration to accept Kerberos config for users and error on
+    non-root users if Kerberos authentication fails
+
+ -- SIPB Xen Project <sipb-xen@mit.edu>  Tue, 01 Apr 2008 20:03:11 -0400
+
 sipb-xen-console (5.1) unstable; urgency=low
 
   * Package should create /consolefs so that sipb-xen-consolefs has
diff --git a/debian/control b/debian/control
index cde59d2..4cbdbcf 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Package: sipb-xen-console
 Architecture: all
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
-Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-database-common
+Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, debathena-kerberos-config, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
 Description: SIPB Xen serial console server
  This package  should be installed on sipb-xen-console
  It makes sure that necessary tools are available.
diff --git a/debian/control.in b/debian/control.in
index e9b03c6..09e65d8 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -9,7 +9,7 @@ Package: sipb-xen-console
 Architecture: all
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
-Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
+Depends: ${shlibs:Depends}, ${misc:Depends}, daemon, debathena-kerberos-config, fuse-utils, libnss-pgsql1, nscd, openssh-client, openssh-server, python-fuse, sipb-xen-chrony-config, sipb-xen-database-common
 Description: SIPB Xen serial console server
  This package  should be installed on sipb-xen-console
  It makes sure that necessary tools are available.
diff --git a/debian/rules b/debian/rules
index 3d57b08..3d6ccab 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,10 +5,12 @@ DEB_DIVERT_EXTENSION = .sipb-xen
 DEB_DIVERT_FILES_sipb-xen-console += \
 	/etc/init.d/bootmisc.sh \
 	/etc/modules \
+	/etc/motd \
 	/etc/nscd.conf \
 	/etc/nsswitch.conf \
-	/etc/motd \
-	/etc/ssh/ssh_config
+	/etc/pam.d/ssh \
+	/etc/ssh/ssh_config \
+	/etc/ssh/sshd_config
 
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/rules/replace-files.mk
diff --git a/debian/sipb-xen-console.init b/debian/sipb-xen-console.init
index 6d2b7d4..117aec4 100755
--- a/debian/sipb-xen-console.init
+++ b/debian/sipb-xen-console.init
@@ -44,6 +44,7 @@ do_start()
 	#   0 if daemon has been started
 	#   1 if daemon was already running
 	#   2 if daemon could not be started
+	modprobe fuse
 	daemon --running -n $NAME && return 1
 	daemon -r -O daemon.info -E daemon.err -n $NAME -U $DAEMON $DAEMON_ARGS || return 2
 }
diff --git a/files/etc/issue.net.no_tkt b/files/etc/issue.net.no_tkt
new file mode 100644
index 0000000..c1c5464
--- /dev/null
+++ b/files/etc/issue.net.no_tkt
@@ -0,0 +1,2 @@
+You must login to the sipb-xen console server using Kerberos tickets, but your
+ssh client did not pass a valid ticket to the console server.
diff --git a/files/etc/issue.net.no_user b/files/etc/issue.net.no_user
new file mode 100644
index 0000000..774bde5
--- /dev/null
+++ b/files/etc/issue.net.no_user
@@ -0,0 +1,2 @@
+The VM you are attempting to access does not appear to exist.
+
diff --git a/files/etc/modules.sipb-xen b/files/etc/modules.sipb-xen
deleted file mode 100644
index d9af5ce..0000000
--- a/files/etc/modules.sipb-xen
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/modules: kernel modules to load at boot time.
-#
-# This file contains the names of kernel modules that should be loaded
-# at boot time, one per line. Lines beginning with "#" are ignored.
-
-loop
-fuse
\ No newline at end of file
diff --git a/files/etc/pam.d/ssh.sipb-xen b/files/etc/pam.d/ssh.sipb-xen
new file mode 100644
index 0000000..4aa1e74
--- /dev/null
+++ b/files/etc/pam.d/ssh.sipb-xen
@@ -0,0 +1,48 @@
+# PAM configuration for the Secure Shell service
+
+# If they're not root, but their user exists (success),
+auth    [success=ignore ignore=ignore default=1 module_unknown=die]        pam_succeed_if.so uid > 0
+# print the "You don't have tickets" error:
+auth    [success=die ignore=reset default=die module_unknown=die]  pam_echo.so file=/etc/issue.net.no_tkt
+# If !(they are root),
+auth    [success=1 ignore=ignore default=ignore module_unknown=die]        pam_succeed_if.so uid eq 0
+# print the "your account doesn't exist" error:
+auth    [success=die ignore=reset default=die module_unknown=die]  pam_echo.so file=/etc/issue.net.no_user
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth       required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+auth       required     pam_env.so envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session    optional     pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session  required     pam_selinux.so multiple
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/files/etc/ssh/sshd_config.sipb-xen b/files/etc/ssh/sshd_config.sipb-xen
new file mode 100644
index 0000000..a68dacd
--- /dev/null
+++ b/files/etc/ssh/sshd_config.sipb-xen
@@ -0,0 +1,59 @@
+Port 22
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication yes
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+GSSAPIKeyExchange yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+UsePAM yes
diff --git a/files/usr/bin/sipb-xen-consolesh b/files/usr/bin/sipb-xen-consolesh
index c3a5e53..ffaa191 100755
--- a/files/usr/bin/sipb-xen-consolesh
+++ b/files/usr/bin/sipb-xen-consolesh
@@ -1,10 +1,4 @@
 #!/bin/bash
 
-if [ "$SHLVL" != "1" ]
-then
-    echo "Please do not compromise our users' machines"
-    exit 1
-fi
-
 export VM_NAME="d_$USER"
 ssh console@black-mesa
-- 
1.7.9.5