D1336.id3429.diff
diff --git a/map.jinja b/map.jinja
--- a/map.jinja
+++ b/map.jinja
@@ -45,15 +45,19 @@
{% set paths = salt['grains.filter_by']({
'FreeBSD': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/libexec/sftp-server',
},
'Debian': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/lib/openssh/sftp-server',
},
'RedHat': {
+ 'sshd': '/sbin/sshd',
'sftp': '/usr/libexec/openssh/sftp-server',
},
'Arch': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/lib/ssh/sftp-server',
},
}, default='FreeBSD') %}
diff --git a/roles/bastion/init.sls b/roles/bastion/init.sls
--- a/roles/bastion/init.sls
+++ b/roles/bastion/init.sls
@@ -9,4 +9,5 @@
# -------------------------------------------------------------
include:
+ - .sshd-otp
- .yubico
diff --git a/roles/bastion/sshd-otp/files/sshd.rc b/roles/bastion/sshd-otp/files/sshd.rc
new file mode 100755
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd.rc
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-02-19
+# Forked from: FreeBSD: releng/11.1/etc/rc.d/sshd
+# 303770 2016-08-05 15:32:35Z des
+# Source file: roles/bastion/sshd-otp/files/sshd.rc
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# PROVIDE: sshd-otp
+# REQUIRE: LOGIN FILESYSTEMS
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="sshd_otp"
+rcvar="sshd_otp_enable"
+load_rc_config $name
+
+: ${sshd_config="/etc/ssh/sshd_otp_config"}
+
+desc="Secure Shell Daemon (OTP)"
+required_files="${sshd_config}"
+command="/usr/sbin/sshd-otp"
+command_args="${sshd_otp_flags} -f ${sshd_config}"
+pidfile="/var/run/${name}.pid"
+
+start_precmd="sshd_otp_configtest"
+reload_precmd="sshd_otp_configtest"
+restart_precmd="sshd_otp_configtest"
+configtest_cmd="sshd_otp_configtest"
+extra_commands="configtest reload"
+
+sshd_otp_configtest()
+{
+ echo "Performing sanity check on ${name} configuration."
+ eval ${command} ${command_args} -t
+}
+
+run_rc_command "$1"
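Review bot: The config knob `: ${sshd_config="/etc/ssh/sshd_otp_config"}` reuses the rc.conf variable name that the stock rc.d/sshd this file was forked from already consumes, so an operator who sets `sshd_config=...` in /etc/rc.conf for the base daemon silently makes the OTP service start with that file instead, i.e. port 5022 runs the stock policy rather than the OTP one. Follow the `${name}_` convention used by `rcvar` and `sshd_otp_flags`: `: ${sshd_otp_config="/etc/ssh/sshd_otp_config"}`, `required_files="${sshd_otp_config}"`, `command_args="${sshd_otp_flags} -f ${sshd_otp_config}"`. `command="/usr/sbin/sshd-otp"` is also hard-coded here while software.sls derives the symlink from `paths.sshd`; it matches the FreeBSD entry in map.jinja today, so a comment saying it must stay in sync with that entry would help.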
diff --git a/roles/bastion/sshd-otp/files/sshd.rc.conf b/roles/bastion/sshd-otp/files/sshd.rc.conf
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd.rc.conf
@@ -0,0 +1,16 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/bastion/sshd-otp/files/sshd.rc.conf
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+sshd_otp_enable="YES"
diff --git a/roles/bastion/sshd-otp/files/sshd.service b/roles/bastion/sshd-otp/files/sshd.service
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd.service
@@ -0,0 +1,37 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2018-02-19
+# Forked from: Debian /etc/systemd/system/sshd.service
+# Source file: roles/bastion/sshd-otp/files/sshd.service
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+[Unit]
+Description=OpenBSD Secure Shell server (OTP)
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre={{ executable }} -f /etc/ssh/sshd_otp_config -t
+ExecStart={{ executable }} -D -f /etc/ssh/sshd_otp_config $SSHD_OPTS
+ExecReload={{ executable }} -f /etc/ssh/sshd_otp_config -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd-otp
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd-otp.service
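Review bot: `RuntimeDirectory=sshd-otp` creates /run/sshd-otp, but sshd's privilege-separation directory is fixed at build time (the stock Debian unit declares `RuntimeDirectory=sshd` for that reason), so this daemon never uses the directory it gets and instead depends on /run/sshd existing, which presumably only holds once ssh.service has started; if this unit comes up first or the stock service is disabled, the `-t` pre-check and the start will likely fail on the missing privsep directory. Verify the compiled-in path on the target and either create it in an `ExecStartPre=` or order the unit after ssh.service, and add a comment on the line recording why. `Alias=sshd-otp.service` names the unit's own file (service.sls installs it as sshd-otp.service), which makes the alias a self-reference that `systemctl enable` cannot create; the line should be dropped. Sharing `EnvironmentFile=-/etc/default/ssh` also means any `SSHD_OPTS` set for the stock daemon is appended to this one, which is worth noting in the header if it is intended.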
diff --git a/roles/bastion/sshd-otp/files/sshd_config b/roles/bastion/sshd-otp/files/sshd_config
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd_config
@@ -0,0 +1,35 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-02-28
+# License: Trivial work, not eligible to copyright
+# Source file: roles/bastion/sshd-otp/files/sshd_config
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+Port 5022
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+# In this SSH configuration, we can use PAM modules with challenge/response.
+# This allows to use PAM provided capabilities like OTP (Yubikey, OPIE).
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
+UsePAM yes
+
+# Misc options
+PrintMotd {{ "yes" if print_motd else "no" }}
+AcceptEnv LANG LC_*
+PidFile /var/run/sshd_otp.pid
+
+# SFTP
+Subsystem sftp {{ sftp }}
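Review bot: With `UsePAM yes` and `ChallengeResponseAuthentication yes`, `PasswordAuthentication no` only disables the SSH-level password method; any password-accepting module left in the PAM stack (pam_unix, for instance) remains reachable through keyboard-interactive, so the "OTP only" property of this listener lives entirely in the PAM configuration, which this diff does not show. The comment above these three lines should say so, e.g. `# NOTE: the auth policy is decided by the PAM stack; a password module there re-enables password logins on this port.` Public-key authentication also stays enabled by default, which matches the role description ("traditional keys or with an OTP") but should be stated, and if OTP is ever meant as a second factor rather than an alternative, `AuthenticationMethods` is where that is expressed. An explicit `PermitRootLogin no` would document intent rather than rely on the compiled-in default.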
diff --git a/roles/bastion/init.sls b/roles/bastion/sshd-otp/init.sls
copy from roles/bastion/init.sls
copy to roles/bastion/sshd-otp/init.sls
--- a/roles/bastion/init.sls
+++ b/roles/bastion/sshd-otp/init.sls
@@ -4,9 +4,10 @@
# Project: Nasqueron
# Description: This role allows to login through alternative
# ways, like traditional keys or with an OTP.
-# Created: 2018-02-18
+# Created: 2018-02-19
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- - .yubico
+ - .software
+ - .service
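Review bot: The header is copied verbatim from roles/bastion/init.sls (its first lines are outside this hunk) and still describes the whole bastion role, so nothing tells a reader that this file installs a second sshd instance. Suggest replacing the two Description lines with `# Description: Second OpenSSH daemon (sshd-otp) on a dedicated port,` / `# authenticating through PAM challenge/response (OTP).`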
diff --git a/roles/bastion/sshd-otp/service.sls b/roles/bastion/sshd-otp/service.sls
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/service.sls
@@ -0,0 +1,57 @@
+# -------------------------------------------------------------
+# Salt — Bastion
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: This role allows to login through alternative
+# ways, like traditional keys or with an OTP.
+# Created: 2018-02-19
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, paths, services with context %}
+
+# -------------------------------------------------------------
+# Service
+#
+# :: FreeBSD / rc
+# :: * / systemd
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if grains['os'] == 'FreeBSD' %}
+
+sshd_otp_service:
+ file.managed:
+ - name: {{ dirs.etc }}/rc.d/sshd-otp
+ - source: salt://roles/bastion/sshd-otp/files/sshd.rc
+ - mode: 755
+
+sshd_otp_service_enable:
+ file.managed:
+ - name: /etc/rc.conf.d/sshd_otp
+ - source: salt://roles/bastion/sshd-otp/files/sshd.rc.conf
+
+sshd_otp_running:
+ service.running:
+ - name: sshd-otp
+ - watch:
+ - file: sshd_otp_service
+
+{% elif services['manager'] == 'systemd' %}
+
+sshd_otp_service:
+ file.managed:
+ - name: {{ dirs.etc }}/systemd/system/sshd-otp.service
+ - source: salt://roles/bastion/sshd-otp/files/sshd.service
+ - mode: 755
+ - template: jinja
+ - context:
+ executable: {{ paths.sshd }}-otp
+
+sshd_otp_running:
+ service.running:
+ - name: sshd-otp
+ - enable: true
+ - watch:
+ - file: sshd_otp_service
+
+{% endif %}
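Review bot: `sshd_otp_running` in both branches watches only `sshd_otp_service` (the rc script or unit file), so a change to /etc/ssh/sshd_otp_config, managed in software.sls and included alongside this file, is written to disk but the daemon keeps serving the old policy until someone restarts it by hand. Add `- file: /etc/ssh/sshd_otp_config` under `watch` in both branches, and a `require` on the symlink state (its ID is `{{ paths.sshd }}-otp`) so the service is never started before its executable exists. The systemd unit is installed with `- mode: 755` while unit files are data, not executables; `644` is the conventional mode.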
diff --git a/roles/bastion/sshd-otp/software.sls b/roles/bastion/sshd-otp/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/software.sls
@@ -0,0 +1,33 @@
+# -------------------------------------------------------------
+# Salt — Bastion
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: This role allows to login through alternative
+# ways, like traditional keys or with an OTP.
+# Created: 2018-02-19
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import paths, capabilities with context %}
+
+# -------------------------------------------------------------
+# OpenSSH binary symbolic link
+#
+# Allows to get 'sshd-otp' in the logs, instead of 'sshd
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ paths.sshd }}-otp:
+ file.symlink:
+ - target: {{ paths.sshd }}
+
+# -------------------------------------------------------------
+# OpenSSH configuration — OTP
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/etc/ssh/sshd_otp_config:
+ file.managed:
+ - source: salt://roles/bastion/sshd-otp/files/sshd_config
+ - template: jinja
+ - context:
+ sftp: {{ paths.sftp }}
+ print_motd: {{ not capabilities['MOTD-printed-at-login'] }}
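Review bot: The symlink changes more than the log tag named in the comment: unless the build defines SSHD_PAM_SERVICE, OpenSSH uses its own program name as the PAM service, so a daemon started as `sshd-otp` will presumably look up a PAM stack called `sshd-otp` rather than `sshd`. If nothing in this change set or in `.yubico` installs such a stack, keyboard-interactive logins on the OTP port fall through to the host's default PAM policy, which typically denies; worth verifying on both FreeBSD and Debian and recording in the header comment, since it is also the hook where the OTP policy is actually enforced. The comment is missing its closing quote: `# Allows to get 'sshd-otp' in the logs, instead of 'sshd'`.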
