path: root/core/modules/mgmt-sshd/data
authorSimon Rettberg2017-11-02 21:42:14 +0100
committerSimon Rettberg2017-11-02 21:42:14 +0100
commit19d4e60fb012f97ff25c774d4ed28bc12c6752cf (patch)
treee587fa54bf2e6b0679819d3eda5155009a363338 /core/modules/mgmt-sshd/data
parent[dnbd3-proxy-mode] Tweak serverPenalty, only create ipt rules with whitelist ... (diff)
[mgmt-sshd] New module for independent access to machine
Getting the configurable default sshd to play nice with the requirements we have for automatic access from the server makes life complicated. Just spawn another instance on a different port.
Diffstat (limited to 'core/modules/mgmt-sshd/data')
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key12
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub1
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key6
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub1
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key15
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub1
-rw-r--r--core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config33
l---------core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service1
-rw-r--r--core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service9
-rwxr-xr-xcore/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw17
10 files changed, 96 insertions, 0 deletions
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key
new file mode 100644
index 00000000..0132fe84
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
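Review bot: The private host keys under /etc/ssh/mgmt/ are committed to the repository, so every machine built from this module presents the same host key, and anyone with read access to the repo holds the private half and can impersonate the management sshd towards the server that connects to it. Generate the host keys on the target at first start instead (for example an ExecStartPre running `ssh-keygen -q -N '' -t ed25519 -f /etc/ssh/mgmt/ssh_host_ed25519_key` when the file is missing) and keep no private key material in the tree. The ssh-dss key in particular should be dropped rather than regenerated: OpenSSH disables ssh-dss host keys by default since 7.0, so it only adds a 1024-bit algorithm to the offered set.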
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub
new file mode 100644
index 00000000..97af5cb0
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub
@@ -0,0 +1 @@
+ssh-dss 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 root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key
new file mode 100644
index 00000000..1fea2717
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDwyXBE0s5I7Cci/by2EInEyHyIvfC6IB5U8XF5eZUDlVMxkgBYK0sm
+r3Lyuy4XR3CgBwYFK4EEACKhZANiAATwyn0SyUKavp9CfPiv9IRSu8ICK1HekDMf
+lB4AIOObT1CMEROVfwh6ur1w980426YSZW+j+bQN5RQVDF7njcsD0eiSeJj8HVrR
+3PDpreZJMZVV2mLNYZxuE0kx9ILK12I=
+-----END EC PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub
new file mode 100644
index 00000000..0ef413ba
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPDKfRLJQpq+n0J8+K/0hFK7wgIrUd6QMx+UHgAg45tPUIwRE5V/CHq6vXD3zTjbphJlb6P5tA3lFBUMXueNywPR6JJ4mPwdWtHc8Omt5kkxlVXaYs1hnG4TSTH0gsrXYg== root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key
new file mode 100644
index 00000000..b37b5a74
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub
new file mode 100644
index 00000000..e6fd0588
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4QG0lNN4NewU8nTxNr/dpF4FGRrVifIDOgTVcfJluYt3c1mfJtA2/ujwJ9jUV196P7UJ4QsAlpwd6SlKlxQ/tCTF2Zi2tjNtypIuSwBysxBM0BTRrL/ntwET2vqdA1wRRRVDMl+l3B3YI1aJBUYqyM72v/yK/jbJiS5hZLp9TXw== root@stp
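Review bot: The RSA host key appears to be only 1024 bits: the modulus length field in the public key (`…AAAAgQ…`) decodes to 129 bytes, and the 15-line private key in the sibling hunk is consistent with that size rather than 2048 or more. A 1024-bit RSA host key is well below current guidance even though sshd still accepts it; if an RSA host key is kept at all, regenerate it with `ssh-keygen -t rsa -b 4096`, or rely on the ECDSA/ed25519 key only.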
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config
new file mode 100644
index 00000000..40f27414
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config
@@ -0,0 +1,33 @@
+Port 9922
+Protocol 2
+HostKey /etc/ssh/mgmt/ssh_host_rsa_key
+HostKey /etc/ssh/mgmt/ssh_host_dsa_key
+HostKey /etc/ssh/mgmt/ssh_host_ecdsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 30
+PermitRootLogin yes
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile /etc/ssh/mgmt/authorized_keys
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+X11Forwarding yes
+X11DisplayOffset 20
+PrintLastLog yes
+TCPKeepAlive yes
+#Banner /etc/issue.net
+#PrintMotd yes
+AcceptEnv LANG LC_*
+UsePAM yes
+UseDNS no
+PidFile /run/sshd_mgmt/pid
+AllowUsers root
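Review bot: `X11Forwarding yes` (together with `X11DisplayOffset 20`) is enabled on a daemon whose stated purpose is unattended root access from the server; X11 forwarding is not needed for that and exposes the session's X socket to the connecting side. Set `X11Forwarding no`, and consider `AllowTcpForwarding no` and `AllowAgentForwarding no` unless the server-side tooling depends on them, which this commit does not show. The `HostKey /etc/ssh/mgmt/ssh_host_dsa_key` line can be removed as well, since ssh-dss host keys are disabled by default in OpenSSH 7.0 and later. `Protocol 2`, `KeyRegenerationInterval` and `RhostsRSAAuthentication` are SSH-1-era options that recent sshd versions only warn about; a short comment above `AuthorizedKeysFile` saying where /etc/ssh/mgmt/authorized_keys comes from would also help, because nothing in this diffstat creates it.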
diff --git a/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service b/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service
new file mode 120000
index 00000000..a59a869f
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service
@@ -0,0 +1 @@
+../mgmt-sshd.service \ No newline at end of file
diff --git a/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service b/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service
new file mode 100644
index 00000000..9c267547
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Management OpenSSH Daemon for OpenSLX
+
+[Service]
+ExecStartPre=-/opt/openslx/scripts/systemd-mgmt_sshd_fw
+ExecStart=/usr/sbin/sshd -D -f /etc/ssh/mgmt/sshd_config
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
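Review bot: The config's `PidFile /run/sshd_mgmt/pid` points at a directory that nothing in this commit creates, so unless something else sets it up sshd will log an error about the pid file on every start (it keeps running, and ExecReload still works because it uses `$MAINPID`). Adding `RuntimeDirectory=sshd_mgmt` to the [Service] section lets systemd create and own /run/sshd_mgmt. The leading `-` on `ExecStartPre=-/opt/openslx/scripts/systemd-mgmt_sshd_fw` also means sshd starts even when firewall rule generation fails; if the whitelist is the only thing restricting port 9922, that should either be a deliberate choice noted in a comment in the unit, or the `-` should be dropped so a failed pre-step keeps the port closed.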
diff --git a/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw b/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw
new file mode 100755
index 00000000..1e0758ee
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+FILE="/opt/openslx/iptables/rules.d/99-mgmt-sshd"
+[ -s "$FILE" ] && exit 0
+
+. /opt/openslx/config
+
+(
+ for ip in $SLX_KCL_SERVERS; do
+ echo "iptables -I ipt-helper-INPUT 1 -s $ip -p tcp --dport 9922 -j ACCEPT"
+ done
+ echo "iptables -A ipt-helper-INPUT -p tcp --dport 9922 -j REJECT"
+) > "$FILE"
+chmod +x "$FILE"
+
+exit 0
+
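Review bot: The whitelist only covers IPv4: the script emits `iptables` rules, while the sshd_config sets no `ListenAddress` or `AddressFamily`, so on a host with IPv6 connectivity port 9922 would be reachable from any IPv6 address with only public-key authentication in front of it. Either add `AddressFamily inet` to the sshd_config, or emit a matching `ip6tables -A ipt-helper-INPUT -p tcp --dport 9922 -j REJECT` line if that chain exists for ip6tables. The script also only writes the rules file and always returns 0; whether the iptables helper picks up rules.d before sshd starts listening is not visible in this commit and deserves a comment above `FILE=`. `$ip` is interpolated unquoted into the generated command, which is acceptable only as long as `SLX_KCL_SERVERS` holds plain addresses — it is trusted config sourced with `.`, but not validated here.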