author | Simon Rettberg | 2017-11-02 21:42:14 +0100 |
---|---|---|
committer | Simon Rettberg | 2017-11-02 21:42:14 +0100 |
commit | 19d4e60fb012f97ff25c774d4ed28bc12c6752cf (patch) | |
tree | e587fa54bf2e6b0679819d3eda5155009a363338 /core/modules/mgmt-sshd/data | |
parent | [dnbd3-proxy-mode] Tweak serverPenalty, only create ipt rules with whitelist ... (diff) | |
[mgmt-sshd] New module for independent access to machine
Getting the configurable default sshd to play nice with the requirements
we have for automatic access from the server makes life complicated.
Just spawn another instance on a different port.
Diffstat (limited to 'core/modules/mgmt-sshd/data')
10 files changed, 96 insertions, 0 deletions
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key
new file mode 100644
index 00000000..0132fe84
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQDu6vk2uFnUyKt9/In9Rtkq+2zqwd8slm90NUt6JBXyjYsIJwRp
+hxRG1sFDho3ogog5hlt+y+UuNPc5QchT/e3O71zt2XbrfK2irr4XBJILuup95AGe
+iW/gzMIUD4an8I58yYM9rXhTzvIMwri7jM6EKlCUytafVTdMICVH78Y97QIVAJ9a
+Cs8Gxy91XMoHK3zcHutQcIF3AoGAV6p2ISW0pAE+2GbeKUDvraCNXDG37JaMCjZr
+S+NB3cN/vJwjy0fPI6CB5o6GcgFhB0cxdgCb60lV8Qz76clx4ZJId8PVxeKp4vSw
+kHdSbcRlBpRbe/YJY8ja/ITkvmeiEMncTQByo1t2VXDqHbvgQsllIqbbRWl0B2yV
+WO4Uw4gCgYAFCgiy2Ncal0KhsHAJV5dP4imeyd49lONI488RO18wiODhCzGtkbvV
+pL/saDZWkm3pUhJ9J0qalIZaJGG0WO6GHiQC5CzH21GF9RgsoNjrMl3gzuZB9FxB
+4cg8UyZ2QCqXlRusOCIiZhBdIZzDkK6HlQMMtFGEGg/c9yNgxkPAzQIULLxfDTNh
+8Ouz5BhfKWJrZ0XGUsA=
+-----END DSA PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub
new file mode 100644
index 00000000..97af5cb0
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub
@@ -0,0 +1 @@
+ssh-dss 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 root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key
new file mode 100644
index 00000000..1fea2717
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDwyXBE0s5I7Cci/by2EInEyHyIvfC6IB5U8XF5eZUDlVMxkgBYK0sm
+r3Lyuy4XR3CgBwYFK4EEACKhZANiAATwyn0SyUKavp9CfPiv9IRSu8ICK1HekDMf
+lB4AIOObT1CMEROVfwh6ur1w980426YSZW+j+bQN5RQVDF7njcsD0eiSeJj8HVrR
+3PDpreZJMZVV2mLNYZxuE0kx9ILK12I=
+-----END EC PRIVATE KEY-----
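Review bot: The private half of the management host keys is committed to the repository in this hunk and in the ssh_host_ecdsa_key and ssh_host_rsa_key hunks, so every machine built from this module presents the same host identity and anyone with read access to the repo or to a built image holds the key that proves it. Whether the server side pins these fingerprints is not visible here, but the safer shape is to ship no key material and create the keys on the booted machine before sshd starts, for example a guarded `[ -f /etc/ssh/mgmt/ssh_host_rsa_key ] || ssh-keygen -q -N "" -t rsa -f /etc/ssh/mgmt/ssh_host_rsa_key` per type in the unit's ExecStartPre. The RSA key also appears to be 1024-bit (the `AAAAgQ` modulus length in the ssh_host_rsa_key.pub hunk), and the ssh-dss key adds a type that current OpenSSH releases no longer offer by default, so both would be worth dropping or regenerating even if shipping keys is intended.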
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub
new file mode 100644
index 00000000..0ef413ba
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPDKfRLJQpq+n0J8+K/0hFK7wgIrUd6QMx+UHgAg45tPUIwRE5V/CHq6vXD3zTjbphJlb6P5tA3lFBUMXueNywPR6JJ4mPwdWtHc8Omt5kkxlVXaYs1hnG4TSTH0gsrXYg== root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key
new file mode 100644
index 00000000..b37b5a74
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC4QG0lNN4NewU8nTxNr/dpF4FGRrVifIDOgTVcfJluYt3c1mfJ
+tA2/ujwJ9jUV196P7UJ4QsAlpwd6SlKlxQ/tCTF2Zi2tjNtypIuSwBysxBM0BTRr
+L/ntwET2vqdA1wRRRVDMl+l3B3YI1aJBUYqyM72v/yK/jbJiS5hZLp9TXwIDAQAB
+AoGAXEGuJPYexWM20Q3t9vxIBrAFQ9n90o2CtWPPAztEXBhW/M/CciWcyMaIb3h/
+RiurvidPpAXQTkofHWV/ko9klDLDAOTsJE+mir61izvdPHqZH13ZJyI+GUN4bQ0a
+1hV415OPsiks1jBL+J5sD1dvFZU4nOOeFbIZcmCf/Z5DIlECQQDke7DdNiiy2zls
+C1GrCbj0R85h1ZmwZ4GytVkxlik+Ids2aeskxDba5wlEUZutVyGlQuUe6Zm4r2eI
+Vq7/47VnAkEAznELdXCd6zYynGz8RYY4zMtLvu+oWePLKX/6P/egkfkloaB13Ohr
+yEd//V+cnobL9g5ed5Ggt4WF4AhcvKn/SQJBAJDO1AlfievRhVM02U3Nm6s211aq
+Sf3DnC/nP+BtizYVvxl9h8qFkT6rrvPdxQzXbDuRaiVtaD/k63k9dyw25YECQBfF
+GGarUuOUV/t+6QUwUTXzaoNPoPjIq8nZfH0FDC4Cm/yiNy/6av6ijPAlpCj0qGNq
+gCIQWIsJCsMi81qd0FECQQCfu6wSDszVseas0CAcxjP4MU5lVr6/L8//ZUn9TDJM
+WSQelziGbnbsIXq7owCVDxROJ770IqOL4OQZDw5R8Swd
+-----END RSA PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub
new file mode 100644
index 00000000..e6fd0588
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4QG0lNN4NewU8nTxNr/dpF4FGRrVifIDOgTVcfJluYt3c1mfJtA2/ujwJ9jUV196P7UJ4QsAlpwd6SlKlxQ/tCTF2Zi2tjNtypIuSwBysxBM0BTRrL/ntwET2vqdA1wRRRVDMl+l3B3YI1aJBUYqyM72v/yK/jbJiS5hZLp9TXw== root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config
new file mode 100644
index 00000000..40f27414
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config
@@ -0,0 +1,33 @@
+Port 9922
+Protocol 2
+HostKey /etc/ssh/mgmt/ssh_host_rsa_key
+HostKey /etc/ssh/mgmt/ssh_host_dsa_key
+HostKey /etc/ssh/mgmt/ssh_host_ecdsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 30
+PermitRootLogin yes
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile /etc/ssh/mgmt/authorized_keys
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+X11Forwarding yes
+X11DisplayOffset 20
+PrintLastLog yes
+TCPKeepAlive yes
+#Banner /etc/issue.net
+#PrintMotd yes
+AcceptEnv LANG LC_*
+UsePAM yes
+UseDNS no
+PidFile /run/sshd_mgmt/pid
+AllowUsers root
diff --git a/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service b/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service
new file mode 120000
index 00000000..a59a869f
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service
@@ -0,0 +1 @@
+../mgmt-sshd.service
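Review bot: `PermitRootLogin yes` together with `AllowUsers root` makes root the only account on this port, and keeping it key-only rests entirely on `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `PermitEmptyPasswords no` further down the hunk; `PermitRootLogin without-password` (`prohibit-password` in OpenSSH 7.0 and later) pins that at the root-login level so a later edit to the password options cannot silently widen it. `Protocol 2`, `KeyRegenerationInterval 3600`, `RhostsRSAAuthentication no` and `UsePrivilegeSeparation yes` are protocol-1 era or since-removed keywords that newer sshd releases log as deprecated at startup, so they are noise rather than protection. `X11Forwarding yes` is unusual for a channel meant for automatic server access; unless it is needed, `X11Forwarding no` removes that surface. `PidFile /run/sshd_mgmt/pid` presumes the directory exists, and nothing in this commit creates it, which the unit file can fix.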
\ No newline at end of file
diff --git a/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service b/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service
new file mode 100644
index 00000000..9c267547
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Management OpenSSH Daemon for OpenSLX
+
+[Service]
+ExecStartPre=-/opt/openslx/scripts/systemd-mgmt_sshd_fw
+ExecStart=/usr/sbin/sshd -D -f /etc/ssh/mgmt/sshd_config
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
diff --git a/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw b/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw
new file mode 100755
index 00000000..1e0758ee
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+FILE="/opt/openslx/iptables/rules.d/99-mgmt-sshd"
+[ -s "$FILE" ] && exit 0
+
+. /opt/openslx/config
+
+(
+ for ip in $SLX_KCL_SERVERS; do
+ echo "iptables -I ipt-helper-INPUT 1 -s $ip -p tcp --dport 9922 -j ACCEPT"
+ done
+ echo "iptables -A ipt-helper-INPUT -p tcp --dport 9922 -j REJECT"
+) > "$FILE"
+chmod +x "$FILE"
+
+exit 0
+
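Review bot: The leading `-` in `ExecStartPre=-/opt/openslx/scripts/systemd-mgmt_sshd_fw` tells systemd to go ahead and start sshd even when the firewall script fails, so a failure to write the rules leaves port 9922 reachable from wherever the base ruleset allows instead of only from the `$SLX_KCL_SERVERS` hosts the script is meant to restrict it to. Unless running unfiltered is an accepted fallback, drop the `-` so a failed ExecStartPre blocks the start (the script's own exit status needs to carry that failure, see the note on it). `RuntimeDirectory=sshd_mgmt` under `[Service]` would create the directory that `PidFile /run/sshd_mgmt/pid` in sshd_config expects. The unit declares no ordering against the network or against whatever applies the rules.d files, so it presumably relies on basic.target ordering; worth confirming that the rules are in place before sshd accepts connections.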
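Review bot: The script ends in an unconditional `exit 0` after `> "$FILE"` and `chmod +x "$FILE"`, so a missing rules.d directory or a failed write is never reported to the caller, and the `[ -s "$FILE" ] && exit 0` guard at the top means a partial file from an earlier failed attempt is treated as done and never regenerated. Replacing the final `exit 0` with `[ -s "$FILE" ] && [ -x "$FILE" ]` (or adding `set -e` after the shebang) lets the exit status reflect whether the rules file actually exists. The script only writes the file and does not apply it; I assume another component consumes `/opt/openslx/iptables/rules.d`, but that is not visible in this commit. On the plus side, an empty `$SLX_KCL_SERVERS` still emits the trailing REJECT rule, so the generated file fails closed. Port 9922 is now spelled out both here and in sshd_config; sourcing it from one place would keep the two from drifting apart.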