diff --git a/map.jinja b/map.jinja
--- a/map.jinja
+++ b/map.jinja
@@ -45,15 +45,19 @@
{% set paths = salt['grains.filter_by']({
'FreeBSD': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/libexec/sftp-server',
},
'Debian': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/lib/openssh/sftp-server',
},
'RedHat': {
+ 'sshd': '/sbin/sshd',
'sftp': '/usr/libexec/openssh/sftp-server',
},
'Arch': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/lib/ssh/sftp-server',
},
}, default='FreeBSD') %}
diff --git a/roles/bastion/init.sls b/roles/bastion/init.sls
--- a/roles/bastion/init.sls
+++ b/roles/bastion/init.sls
@@ -9,4 +9,5 @@
# -------------------------------------------------------------
include:
+ - .sshd-otp
- .yubico
diff --git a/roles/bastion/sshd-otp/files/sshd.rc b/roles/bastion/sshd-otp/files/sshd.rc
new file mode 100755
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd.rc
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-02-19
+# Forked from: FreeBSD: releng/11.1/etc/rc.d/sshd
+# 303770 2016-08-05 15:32:35Z des
+# Source file: roles/bastion/sshd-otp/files/sshd.rc
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# PROVIDE: sshd-otp
+# REQUIRE: LOGIN FILESYSTEMS
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="sshd_otp"
+rcvar="sshd_otp_enable"
+load_rc_config $name
+
+: ${sshd_config="/etc/ssh/sshd_otp_config"}
+
+desc="Secure Shell Daemon (OTP)"
+required_files="${sshd_config}"
+command="/usr/sbin/sshd-otp"
+command_args="${sshd_otp_flags} -f ${sshd_config}"
+pidfile="/var/run/${name}.pid"
+
+start_precmd="sshd_otp_configtest"
+reload_precmd="sshd_otp_configtest"
+restart_precmd="sshd_otp_configtest"
+configtest_cmd="sshd_otp_configtest"
+extra_commands="configtest reload"
+
+sshd_otp_configtest()
+{
+ echo "Performing sanity check on ${name} configuration."
+ eval ${command} ${command_args} -t
+}
+
+run_rc_command "$1"
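Review bot: The config default on line `: ${sshd_config="/etc/ssh/sshd_otp_config"}` reuses the variable name the stock FreeBSD sshd script reads from rc.conf, so an administrator who sets `sshd_config=` for the primary daemon silently points this OTP instance at the primary configuration (the `-f` argument and `required_files` both follow it). Renaming the knob avoids the collision: `: ${sshd_otp_config="/etc/ssh/sshd_otp_config"}`, `required_files="${sshd_otp_config}"`, `command_args="${sshd_otp_flags} -f ${sshd_otp_config}"`. The pidfile `/var/run/sshd_otp.pid` does match the `PidFile` directive in the accompanying sshd_config, so that pairing is consistent.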
diff --git a/roles/bastion/sshd-otp/files/sshd.service b/roles/bastion/sshd-otp/files/sshd.service
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd.service
@@ -0,0 +1,37 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-02-19
+# Forked from: Debian /etc/systemd/system/sshd.service
+# Source file: roles/bastion/sshd-otp/files/sshd.service
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+[Unit]
+Description=OpenBSD Secure Shell server (OTP)
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd-otp -f /etc/ssh/sshd_otp_config -t
+ExecStart=/usr/sbin/sshd-otp -D -f /etc/ssh/sshd_otp_config $SSHD_OPTS
+ExecReload=/usr/sbin/sshd-otp -f /etc/ssh/sshd_otp_config -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd-otp
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd-otp.service
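Review bot: `EnvironmentFile=-/etc/default/ssh` shares `$SSHD_OPTS` with the distribution's primary ssh unit, so any flag an administrator adds there for the main daemon (for example a second `-f` or a `-p`) is also appended to the OTP instance's `ExecStart` on the line below it. A dedicated file, `EnvironmentFile=-/etc/default/sshd-otp`, keeps the two instances independently tunable. `ConditionPathExists=!/etc/ssh/sshd_not_to_be_run` likewise ties this unit to the primary server's kill switch; a comment stating that this coupling is intended would help the next reader.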
diff --git a/roles/bastion/sshd-otp/files/sshd_config b/roles/bastion/sshd-otp/files/sshd_config
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd_config
@@ -0,0 +1,35 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-02-28
+# License: Trivial work, not eligible to copyright
+# Source file: roles/bastion/sshd-otp/files/sshd_config
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+Port 5022
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+# In this SSH configuration, we can use PAM modules with challenge/response.
+# This allows to use PAM provided capabilities like OTP (Yubikey, OPIE).
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
+UsePAM yes
+
+# Misc options
+PrintMotd {{ "yes" if print_motd else "no" }}
+AcceptEnv LANG LC_*
+PidFile /var/run/sshd_otp.pid
+
+# SFTP
+Subsystem sftp {{ sftp }}
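Review bot: The `UsePAM yes` / `ChallengeResponseAuthentication yes` block leaves unstated which PAM service stack this instance authenticates against, and the diff adds no PAM configuration. Because the daemon is started through the `sshd-otp` symlink, OpenSSH builds that derive the PAM service name from the program name will look for a stack named `sshd-otp` rather than `sshd`; which applies depends on the distribution build and should be confirmed. A comment above `UsePAM yes` such as `# PAM service name follows the binary name (sshd-otp) on builds using __progname; the stack in /etc/pam.d must provide the OTP module` would record the dependency. With no `AuthenticationMethods` directive, keyboard-interactive alone is sufficient to log in, which matches the role description but is worth noting next to these lines.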
diff --git a/roles/bastion/sshd-otp/init.sls b/roles/bastion/sshd-otp/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/init.sls
@@ -0,0 +1,54 @@
+# -------------------------------------------------------------
+# Salt — Bastion
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: This role allows to login through alternative
+# ways, like traditional keys or with an OTP.
+# Created: 2018-02-19
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, paths, capabilities, services with context %}
+
+# -------------------------------------------------------------
+# OpenSSH binary symbolic link
+#
+# Allows to get 'sshd-otp' in the logs, instead of 'sshd
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ paths.sshd }}-otp:
+ file.symlink:
+ - target: {{ paths.sshd }}
+
+# -------------------------------------------------------------
+# OpenSSH configuration — OTP
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/etc/ssh/sshd_otp_config:
+ file.managed:
+ - source: salt://roles/bastion/sshd-otp/files/sshd_config
+ - template: jinja
+ - context:
+ sftp: {{ paths.sftp }}
+ print_motd: {{ not capabilities['MOTD-printed-at-login'] }}
+
+# -------------------------------------------------------------
+# Service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# The goal is to run {{ paths.sshd }}-otp -f /etc/ssh/sshd_otp_config
+{% if grains['os'] == 'FreeBSD' %}
+
+{{ dirs.etc }}/rc.d/sshd-otp:
+ file.managed:
+ - source: salt://roles/bastion/sshd-otp/files/sshd.rc
+ - mode: 755
+
+{% elif services['manager'] == 'systemd' %}
+
+{{ dirs.etc }}/systemd/system/sshd.service:
+ file.managed:
+ - source: salt://roles/bastion/sshd-otp/files/sshd.service
+ - mode: 755
+
+{% endif %}
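Review bot: The systemd branch writes the unit to `{{ dirs.etc }}/systemd/system/sshd.service`, which is the name the distribution's primary SSH unit is aliased to on Debian-family systems, so deploying this state replaces that alias with the OTP unit and `systemctl start sshd` would then start the OTP instance instead of the primary server; the unit itself declares `Alias=sshd-otp.service` and the rc.d branch uses `rc.d/sshd-otp`, so the intended line is `{{ dirs.etc }}/systemd/system/sshd-otp.service:`. Unit files also do not need the execute bit, so `- mode: 644` is the conventional value there. Neither branch declares a `service.running`/`service.enabled` state or a watch on `/etc/ssh/sshd_otp_config`, so the daemon is installed but never started or reloaded by this role; if that is deliberate, a comment saying so would help. On RedHat the symlink is created at `/sbin/sshd-otp` while the unit hardcodes `/usr/sbin/sshd-otp`; that only works where `/sbin` is merged into `/usr/sbin`.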
D1336: Run a secondary SSH server for OTP purpose