D1336.id3427.diff
diff --git a/map.jinja b/map.jinja
--- a/map.jinja
+++ b/map.jinja
@@ -45,15 +45,19 @@
{% set paths = salt['grains.filter_by']({
'FreeBSD': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/libexec/sftp-server',
},
'Debian': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/lib/openssh/sftp-server',
},
'RedHat': {
+ 'sshd': '/sbin/sshd',
'sftp': '/usr/libexec/openssh/sftp-server',
},
'Arch': {
+ 'sshd': '/usr/sbin/sshd',
'sftp': '/usr/lib/ssh/sftp-server',
},
}, default='FreeBSD') %}
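Review bot: The new RedHat entry `'sshd': '/sbin/sshd'` disagrees with the systemd unit added later in this diff, which execs `/usr/sbin/sshd-otp`; on a RedHat host the symlink that init.sls creates at `{{ paths.sshd }}-otp` therefore lands in `/sbin` while the unit looks in `/usr/sbin`. On releases where `/sbin` is merged into `/usr/sbin` this happens to work, but it is fragile. If the package installs `/usr/sbin/sshd` there (worth confirming), use `'sshd': '/usr/sbin/sshd',` for RedHat as well, or template the unit's path from `paths.sshd` instead of hard-coding it.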
diff --git a/roles/bastion/init.sls b/roles/bastion/init.sls
--- a/roles/bastion/init.sls
+++ b/roles/bastion/init.sls
@@ -9,4 +9,5 @@
# -------------------------------------------------------------
include:
+ - .sshd-otp
- .yubico
diff --git a/roles/bastion/sshd-otp/files/sshd_config b/roles/bastion/sshd-otp/files/sshd_config
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/files/sshd_config
@@ -0,0 +1,34 @@
+# -------------------------------------------------------------
+# OpenSSH configuration - OTP SSHD for bastion servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-02-28
+# License: Trivial work, not eligible to copyright
+# Source file: roles/bastion/sshd-otp/files/sshd_config
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+Port 5022
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+# In this SSH configuration, we can use PAM modules with challenge/response.
+# This allows to use PAM provided capabilities like OTP (Yubikey, OPIE).
+PasswordAuthentication no
+ChallengeResponseAuthentication yes
+UsePAM yes
+
+# Misc options
+PrintMotd {{ "yes" if print_motd else "no" }}
+AcceptEnv LANG LC_*
+
+# SFTP
+Subsystem sftp {{ sftp }}
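Review bot: `UsePAM yes` together with `ChallengeResponseAuthentication yes` delegates the OTP decision entirely to PAM, yet nothing in this change ships a PAM policy for the new service; OpenSSH derives its PAM service name from the program name, so the `sshd-otp` symlink will most likely look up `/etc/pam.d/sshd-otp` rather than `sshd` and fall through to the `other` stack when that file is absent — worth confirming on each target OS and adding the PAM file to this role. With no `AuthenticationMethods` line, either a public key or the keyboard-interactive exchange alone grants access; if the OTP is meant as a second factor rather than an alternative, add `AuthenticationMethods publickey,keyboard-interactive` next to `UsePAM yes`. An explicit `PermitRootLogin no` would also make the bastion policy visible in the file instead of relying on the compiled-in default. A one-line comment above `Port 5022` saying that this instance runs beside the primary sshd on port 22 would help the next reader.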
diff --git a/roles/bastion/sshd-otp/init.sls b/roles/bastion/sshd-otp/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/bastion/sshd-otp/init.sls
@@ -0,0 +1,50 @@
+# -------------------------------------------------------------
+# Salt — Bastion
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: This role allows to login through alternative
+# ways, like traditional keys or with an OTP.
+# Created: 2018-02-19
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, paths, capabilities, services with context %}
+
+# -------------------------------------------------------------
+# OpenSSH binary symbolic link
+#
+# Allows to get 'sshd-otp' in the logs, instead of 'sshd
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ paths.sshd }}-otp:
+ file.symlink:
+ - target: {{ paths.sshd }}
+
+# -------------------------------------------------------------
+# OpenSSH configuration — OTP
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/etc/ssh/sshd_otp_config:
+ file.managed:
+ - source: salt://roles/bastion/sshd-otp/files/sshd_config
+ - template: jinja
+ - context:
+ sftp: {{ paths.sftp }}
+ print_motd: {{ not capabilities['MOTD-printed-at-login'] }}
+
+# -------------------------------------------------------------
+# Service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# The goal is to run {{ paths.sshd }}-otp -f /etc/ssh/sshd_otp_config
+{% if grains['os'] == 'FreeBSD' %}
+{{ dirs.etc }}/rc.d/sshd-otp:
+ file.managed:
+ - source: salt://roles/core/sshd/files/sshd.rc
+ - mode: 755
+{% elseif services['manager'] == 'systemd' %}
+{{ dirs.etc }}/systemd/system/sshd.service:
+ file.managed:
+ - source: salt://roles/core/sshd/files/sshd.services
+ - mode: 755
+{% endif %}
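Review bot: Jinja has no `elseif` tag, so the `{% elseif services['manager'] == 'systemd' %}` line raises a TemplateSyntaxError when the state is rendered and the whole role fails on every OS; it must be `{% elif ... %}`. The systemd branch also writes the unit to `{{ dirs.etc }}/systemd/system/sshd.service`, which overrides the distribution's own primary sshd unit on hosts that use that name, and it pulls `salt://roles/core/sshd/files/sshd.services` while the file added in this diff is `roles/core/sshd/files/sshd.service`. The unit should be installed as `sshd-otp.service` with mode 644 (unit files are not executables). Neither branch enables or starts the new daemon, so a `service.running` state with `enable: True` (or `sshd_otp_enable` in rc.conf on FreeBSD) still seems to be missing — hedged, since that may be handled elsewhere in the repository.
```yaml
{% elif services['manager'] == 'systemd' %}
{{ dirs.etc }}/systemd/system/sshd-otp.service:
  file.managed:
    - source: salt://roles/core/sshd/files/sshd.service
    - mode: 644
{% endif %}
```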
diff --git a/roles/core/sshd/files/sshd.rc b/roles/core/sshd/files/sshd.rc
new file mode 100755
--- /dev/null
+++ b/roles/core/sshd/files/sshd.rc
@@ -0,0 +1,89 @@
+#!/bin/sh
+#
+# $FreeBSD: releng/11.1/etc/rc.d/sshd 303770 2016-08-05 15:32:35Z des $
+#
+
+# PROVIDE: sshd-otp
+# REQUIRE: LOGIN FILESYSTEMS
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="sshd-otp"
+desc="Secure Shell Daemon"
+rcvar="sshd_otp_enable"
+command="/usr/sbin/${name}"
+keygen_cmd="sshd_keygen"
+start_precmd="sshd_precmd"
+reload_precmd="sshd_configtest"
+restart_precmd="sshd_configtest"
+configtest_cmd="sshd_configtest"
+pidfile="/var/run/${name}.pid"
+command_args="${sshd_otp_flags} -f /etc/ssh/sshd_otp_config"
+extra_commands="configtest keygen reload"
+
+: ${sshd_otp_rsa1_enable:="no"}
+: ${sshd_otp_rsa_enable:="yes"}
+: ${sshd_otp_dsa_enable:="no"}
+: ${sshd_otp_ecdsa_enable:="yes"}
+: ${sshd_otp_ed25519_enable:="yes"}
+
+sshd_keygen_alg()
+{
+ local alg=$1
+ local ALG="$(echo $alg | tr a-z A-Z)"
+ local keyfile
+
+ if ! checkyesno "sshd_${alg}_enable" ; then
+ return 0
+ fi
+
+ case $alg in
+ rsa1)
+ keyfile="/etc/ssh/ssh_host_key"
+ ;;
+ rsa|dsa|ecdsa|ed25519)
+ keyfile="/etc/ssh/ssh_host_${alg}_key"
+ ;;
+ *)
+ return 1
+ ;;
+ esac
+
+ if [ ! -x /usr/bin/ssh-keygen ] ; then
+ warn "/usr/bin/ssh-keygen does not exist."
+ return 1
+ fi
+
+ if [ -f "${keyfile}" ] ; then
+ info "$ALG host key exists."
+ else
+ echo "Generating $ALG host key."
+ /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
+ /usr/bin/ssh-keygen -l -f "$keyfile.pub"
+ fi
+}
+
+sshd_keygen()
+{
+ sshd_keygen_alg rsa1
+ sshd_keygen_alg rsa
+ sshd_keygen_alg dsa
+ sshd_keygen_alg ecdsa
+ sshd_keygen_alg ed25519
+}
+
+sshd_configtest()
+{
+ echo "Performing sanity check on ${name} configuration."
+ eval ${command} ${sshd_otp_flags} -f /etc/ssh/sshd_otp_config -t
+}
+
+sshd_precmd()
+{
+ run_rc_command keygen
+ run_rc_command configtest
+}
+
+load_rc_config $name
+run_rc_command "$1"
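Review bot: `checkyesno "sshd_${alg}_enable"` in sshd_keygen_alg tests the primary daemon's `sshd_rsa_enable` family, while the defaults this script sets on the `: ${sshd_otp_rsa1_enable:="no"}` lines are never read; unless reusing the primary sshd's key settings is intended, the test should be `if ! checkyesno "sshd_otp_${alg}_enable" ; then`, and otherwise the five default lines are dead and should be removed. Because the `keyfile=` paths are the shared `/etc/ssh/ssh_host_*_key`, both daemons present the same host identity, which looks intentional but deserves a comment such as `# host keys are shared with the primary sshd on purpose`. The `eval` in sshd_configtest mirrors the upstream FreeBSD rc script and only expands `sshd_otp_flags` from rc.conf, so it is acceptable as long as that variable remains operator-controlled.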
diff --git a/roles/core/sshd/files/sshd.service b/roles/core/sshd/files/sshd.service
new file mode 100644
--- /dev/null
+++ b/roles/core/sshd/files/sshd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=OpenBSD Secure Shell server (OTP)
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd-otp -f /etc/ssh/sshd_otp_config -t
+ExecStart=/usr/sbin/sshd-otp -D -f /etc/ssh/sshd_otp_config $SSHD_OPTS
+ExecReload=/usr/sbin/sshd-otp -f /etc/ssh/sshd_otp_config -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd-otp
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd-otp.service
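Review bot: `EnvironmentFile=-/etc/default/ssh` makes this instance inherit the primary daemon's `$SSHD_OPTS`, and since command-line options take precedence over `-f /etc/ssh/sshd_otp_config`, a `-p` or `-o` placed there for the primary server silently applies to the OTP server as well; give it its own file, `EnvironmentFile=-/etc/default/sshd-otp`, with a matching variable name. `Alias=sshd-otp.service` only makes sense while the unit is installed under another name, as the init.sls in this diff does with `sshd.service`; if the unit is renamed to sshd-otp.service the alias must be dropped. `RuntimeDirectory=sshd-otp` does not replace the privilege-separation directory compiled into sshd (Debian's is /run/sshd), so the OTP daemon may still depend on the primary unit having created it — worth verifying on a host where the primary sshd is stopped.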
D1336: Run a secondary SSH server for OTP purpose