From 19d4e60fb012f97ff25c774d4ed28bc12c6752cf Mon Sep 17 00:00:00 2001 
From: Simon Rettberg Date: Thu, 2 Nov 2017 21:42:14 +0100 Subject: [mgmt-sshd] New module for independent access to machine Getting the configurable default sshd to play nice with requirements we have for automatic access from the server makes life complicated. Just spawn another instance on a different port. --- .../mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key | 12 ++++++++ .../data/etc/ssh/mgmt/ssh_host_dsa_key.pub | 1 + .../mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key | 6 ++++ .../data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub | 1 + .../mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key | 15 ++++++++++ .../data/etc/ssh/mgmt/ssh_host_rsa_key.pub | 1 + .../mgmt-sshd/data/etc/ssh/mgmt/sshd_config | 33 ++++++++++++++++++++++ .../system/basic.target.wants/mgmt-sshd.service | 1 + .../data/etc/systemd/system/mgmt-sshd.service | 9 ++++++ .../data/opt/openslx/scripts/systemd-mgmt_sshd_fw | 17 +++++++++++ core/modules/mgmt-sshd/module.build | 12 ++++++++ core/modules/mgmt-sshd/module.conf | 3 ++ 12 files changed, 111 insertions(+) create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub create mode 100644 core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config create mode 120000 core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service create mode 100644 core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service create mode 100755 core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw create mode 100644 core/modules/mgmt-sshd/module.build create mode 100644 core/modules/mgmt-sshd/module.conf (limited to 'core/modules')
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key
new file mode 100644
index 00000000..0132fe84
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQDu6vk2uFnUyKt9/In9Rtkq+2zqwd8slm90NUt6JBXyjYsIJwRp
+hxRG1sFDho3ogog5hlt+y+UuNPc5QchT/e3O71zt2XbrfK2irr4XBJILuup95AGe
+iW/gzMIUD4an8I58yYM9rXhTzvIMwri7jM6EKlCUytafVTdMICVH78Y97QIVAJ9a
+Cs8Gxy91XMoHK3zcHutQcIF3AoGAV6p2ISW0pAE+2GbeKUDvraCNXDG37JaMCjZr
+S+NB3cN/vJwjy0fPI6CB5o6GcgFhB0cxdgCb60lV8Qz76clx4ZJId8PVxeKp4vSw
+kHdSbcRlBpRbe/YJY8ja/ITkvmeiEMncTQByo1t2VXDqHbvgQsllIqbbRWl0B2yV
+WO4Uw4gCgYAFCgiy2Ncal0KhsHAJV5dP4imeyd49lONI488RO18wiODhCzGtkbvV
+pL/saDZWkm3pUhJ9J0qalIZaJGG0WO6GHiQC5CzH21GF9RgsoNjrMl3gzuZB9FxB
+4cg8UyZ2QCqXlRusOCIiZhBdIZzDkK6HlQMMtFGEGg/c9yNgxkPAzQIULLxfDTNh
+8Ouz5BhfKWJrZ0XGUsA=
+-----END DSA PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub
new file mode 100644
index 00000000..97af5cb0
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_dsa_key.pub
@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAO7q+Ta4WdTIq338if1G2Sr7bOrB3yyWb3Q1S3okFfKNiwgnBGmHFEbWwUOGjeiCiDmGW37L5S409zlByFP97c7vXO3Zdut8raKuvhcEkgu66n3kAZ6Jb+DMwhQPhqfwjnzJgz2teFPO8gzCuLuMzoQqUJTK1p9VN0wgJUfvxj3tAAAAFQCfWgrPBscvdVzKByt83B7rUHCBdwAAAIBXqnYhJbSkAT7YZt4pQO+toI1cMbfslowKNmtL40Hdw3+8nCPLR88joIHmjoZyAWEHRzF2AJvrSVXxDPvpyXHhkkh3w9XF4qni9LCQd1JtxGUGlFt79gljyNr8hOS+Z6IQydxNAHKjW3ZVcOodu+BCyWUipttFaXQHbJVY7hTDiAAAAIAFCgiy2Ncal0KhsHAJV5dP4imeyd49lONI488RO18wiODhCzGtkbvVpL/saDZWkm3pUhJ9J0qalIZaJGG0WO6GHiQC5CzH21GF9RgsoNjrMl3gzuZB9FxB4cg8UyZ2QCqXlRusOCIiZhBdIZzDkK6HlQMMtFGEGg/c9yNgxkPAzQ== root@stp
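Review bot: The DSA host private key added in this hunk (and likewise the ECDSA and RSA private keys in the following two hunks) is committed to the repository and shipped verbatim to every client built from this module, so every machine presents the same host identity and anyone with read access to the repo or the built image can impersonate the management sshd towards the server. Host keys should be generated on the target instead — for example in an ExecStartPre step with `ssh-keygen -q -N '' -t rsa -f /etc/ssh/mgmt/ssh_host_rsa_key` when the file is missing — with the resulting public key registered at the server at first boot; the keys in this commit should be treated as compromised and not reused anywhere. The DSA key in particular is a 1024-bit ssh-dss key that OpenSSH has disabled at run-time by default since 7.0, so it adds nothing but exposure and can be dropped together with its HostKey line in sshd_config. The `chmod -R go-rwX` in module.build only protects the files inside the image and does not address the repository exposure.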
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key
new file mode 100644
index 00000000..1fea2717
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDwyXBE0s5I7Cci/by2EInEyHyIvfC6IB5U8XF5eZUDlVMxkgBYK0sm
+r3Lyuy4XR3CgBwYFK4EEACKhZANiAATwyn0SyUKavp9CfPiv9IRSu8ICK1HekDMf
+lB4AIOObT1CMEROVfwh6ur1w980426YSZW+j+bQN5RQVDF7njcsD0eiSeJj8HVrR
+3PDpreZJMZVV2mLNYZxuE0kx9ILK12I=
+-----END EC PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub
new file mode 100644
index 00000000..0ef413ba
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPDKfRLJQpq+n0J8+K/0hFK7wgIrUd6QMx+UHgAg45tPUIwRE5V/CHq6vXD3zTjbphJlb6P5tA3lFBUMXueNywPR6JJ4mPwdWtHc8Omt5kkxlVXaYs1hnG4TSTH0gsrXYg== root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key
new file mode 100644
index 00000000..b37b5a74
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC4QG0lNN4NewU8nTxNr/dpF4FGRrVifIDOgTVcfJluYt3c1mfJ
+tA2/ujwJ9jUV196P7UJ4QsAlpwd6SlKlxQ/tCTF2Zi2tjNtypIuSwBysxBM0BTRr
+L/ntwET2vqdA1wRRRVDMl+l3B3YI1aJBUYqyM72v/yK/jbJiS5hZLp9TXwIDAQAB
+AoGAXEGuJPYexWM20Q3t9vxIBrAFQ9n90o2CtWPPAztEXBhW/M/CciWcyMaIb3h/
+RiurvidPpAXQTkofHWV/ko9klDLDAOTsJE+mir61izvdPHqZH13ZJyI+GUN4bQ0a
+1hV415OPsiks1jBL+J5sD1dvFZU4nOOeFbIZcmCf/Z5DIlECQQDke7DdNiiy2zls
+C1GrCbj0R85h1ZmwZ4GytVkxlik+Ids2aeskxDba5wlEUZutVyGlQuUe6Zm4r2eI
+Vq7/47VnAkEAznELdXCd6zYynGz8RYY4zMtLvu+oWePLKX/6P/egkfkloaB13Ohr
+yEd//V+cnobL9g5ed5Ggt4WF4AhcvKn/SQJBAJDO1AlfievRhVM02U3Nm6s211aq
+Sf3DnC/nP+BtizYVvxl9h8qFkT6rrvPdxQzXbDuRaiVtaD/k63k9dyw25YECQBfF
+GGarUuOUV/t+6QUwUTXzaoNPoPjIq8nZfH0FDC4Cm/yiNy/6av6ijPAlpCj0qGNq
+gCIQWIsJCsMi81qd0FECQQCfu6wSDszVseas0CAcxjP4MU5lVr6/L8//ZUn9TDJM
+WSQelziGbnbsIXq7owCVDxROJ770IqOL4OQZDw5R8Swd
+-----END RSA PRIVATE KEY-----
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub
new file mode 100644
index 00000000..e6fd0588
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC4QG0lNN4NewU8nTxNr/dpF4FGRrVifIDOgTVcfJluYt3c1mfJtA2/ujwJ9jUV196P7UJ4QsAlpwd6SlKlxQ/tCTF2Zi2tjNtypIuSwBysxBM0BTRrL/ntwET2vqdA1wRRRVDMl+l3B3YI1aJBUYqyM72v/yK/jbJiS5hZLp9TXw== root@stp
diff --git a/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config
new file mode 100644
index 00000000..40f27414
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/ssh/mgmt/sshd_config
@@ -0,0 +1,33 @@
+Port 9922
+Protocol 2
+HostKey /etc/ssh/mgmt/ssh_host_rsa_key
+HostKey /etc/ssh/mgmt/ssh_host_dsa_key
+HostKey /etc/ssh/mgmt/ssh_host_ecdsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 30
+PermitRootLogin yes
+StrictModes yes
+PubkeyAuthentication yes
+AuthorizedKeysFile /etc/ssh/mgmt/authorized_keys
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+KerberosAuthentication no
+GSSAPIAuthentication no
+X11Forwarding yes
+X11DisplayOffset 20
+PrintLastLog yes
+TCPKeepAlive yes
+#Banner /etc/issue.net
+#PrintMotd yes
+AcceptEnv LANG LC_*
+UsePAM yes
+UseDNS no
+PidFile /run/sshd_mgmt/pid
+AllowUsers root
diff --git a/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service b/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service
new file mode 120000
index 00000000..a59a869f
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/systemd/system/basic.target.wants/mgmt-sshd.service
@@ -0,0 +1 @@
+../mgmt-sshd.service
\ No newline at end of file
diff --git a/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service b/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service
new file mode 100644
index 00000000..9c267547
--- /dev/null
+++ b/core/modules/mgmt-sshd/data/etc/systemd/system/mgmt-sshd.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Management OpenSSH Daemon for OpenSLX
+
+[Service]
+ExecStartPre=-/opt/openslx/scripts/systemd-mgmt_sshd_fw
+ExecStart=/usr/sbin/sshd -D -f /etc/ssh/mgmt/sshd_config
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
diff --git a/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw b/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw
new file mode 100755
index 00000000..1e0758ee
--- /dev/null
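Review bot: `PermitRootLogin yes` in the sshd_config hunk only results in key-only root access because `PasswordAuthentication no` and `ChallengeResponseAuthentication no` happen to be set further down; `PermitRootLogin prohibit-password` (`without-password` on OpenSSH before 7.0) states that intent directly and keeps holding if either of those options is later changed. `X11Forwarding yes` is an unusual setting for a management-only daemon that is only meant to be reached from the server and should be `no` unless the server-side tooling actually needs a display. `HostKey /etc/ssh/mgmt/ssh_host_dsa_key` points at an ssh-dss key that OpenSSH 7.0 and later no longer offer by default, and `Protocol`, `UsePrivilegeSeparation`, `KeyRegenerationInterval` and `RhostsRSAAuthentication` are legacy options that newer sshd versions report as deprecated, so those five lines can be trimmed. `AuthorizedKeysFile /etc/ssh/mgmt/authorized_keys` names a file this commit does not add; presumably it is provisioned at boot, and a comment on that line saying where it comes from would save the next maintainer a search.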
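Review bot: `ExecStartPre=-/opt/openslx/scripts/systemd-mgmt_sshd_fw` carries the `-` prefix, so a failure to produce the firewall rule file is ignored and sshd is started on port 9922 regardless of whether the source restriction to the servers got written; that restriction is the only thing limiting who can reach a root-only login, so the step should fail the unit instead (drop the `-`, and make the script return non-zero on failure, which it currently does not). The unit has no ordering against whatever populates /opt/openslx/config and applies the rules.d files, which cannot be seen from this hunk; an explicit `After=` on those units would make the dependency visible. The sshd_config in this commit sets `PidFile /run/sshd_mgmt/pid`, but nothing creates that directory — adding `RuntimeDirectory=sshd_mgmt` to the [Service] section would do it.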
+++ b/core/modules/mgmt-sshd/data/opt/openslx/scripts/systemd-mgmt_sshd_fw
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+FILE="/opt/openslx/iptables/rules.d/99-mgmt-sshd"
+[ -s "$FILE" ] && exit 0
+
+. /opt/openslx/config
+
+(
+ for ip in $SLX_KCL_SERVERS; do
+ echo "iptables -I ipt-helper-INPUT 1 -s $ip -p tcp --dport 9922 -j ACCEPT"
+ done
+ echo "iptables -A ipt-helper-INPUT -p tcp --dport 9922 -j REJECT"
+) > "$FILE"
+chmod +x "$FILE"
+
+exit 0
+
diff --git a/core/modules/mgmt-sshd/module.build b/core/modules/mgmt-sshd/module.build
new file mode 100644
index 00000000..37b7a4f7
--- /dev/null
+++ b/core/modules/mgmt-sshd/module.build
@@ -0,0 +1,12 @@
+#!/bin/bash
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ chmod -R go-rwX "${TARGET_BUILD_DIR}/etc/ssh"
+}
diff --git a/core/modules/mgmt-sshd/module.conf b/core/modules/mgmt-sshd/module.conf
new file mode 100644
index 00000000..75c459a1
--- /dev/null
+++ b/core/modules/mgmt-sshd/module.conf
@@ -0,0 +1,3 @@
+#!/bin/bash
+REQUIRED_MODULES="sshd"
+
-- 
cgit v1.2.3-55-g7522
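Review bot: The script ends with an unconditional `exit 0` and never checks that the redirection into `$FILE` succeeded, so if /opt/openslx/iptables/rules.d does not exist the subshell's output is lost, `chmod +x` fails, and the script still reports success — the service unit then starts sshd with no rule file and therefore no source restriction on port 9922. Creating the directory, propagating the write failure, and checking that each entry of `$SLX_KCL_SERVERS` looks like an address or hostname before it is interpolated into a script that will run as root would close that gap; the rewritten body is below (the pattern can be tightened to digits and dots if entries are always IPv4). Two further limits deserve a comment at the top of the file: the `[ -s "$FILE" ] && exit 0` guard means an existing file is never regenerated when the server list changes, and the rules are iptables-only, so if IPv6 is enabled in the image the port stays reachable over v6 unless sshd_config gets `ListenAddress 0.0.0.0` or an ip6tables REJECT is added. Whether `ipt-helper-INPUT` exists and which unit executes the rules.d files cannot be seen from this commit.
```shell
FILE="/opt/openslx/iptables/rules.d/99-mgmt-sshd"
[ -s "$FILE" ] && exit 0

. /opt/openslx/config

mkdir -p "$(dirname "$FILE")" || exit 1

(
	for ip in $SLX_KCL_SERVERS; do
		# Only plain addresses/hostnames; anything else would be written verbatim into a root-executed script
		case "$ip" in
			*[!0-9A-Za-z.:/-]*) continue ;;
		esac
		echo "iptables -I ipt-helper-INPUT 1 -s $ip -p tcp --dport 9922 -j ACCEPT"
	done
	echo "iptables -A ipt-helper-INPUT -p tcp --dport 9922 -j REJECT"
) > "$FILE" || exit 1
chmod +x "$FILE"
```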
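Review bot: `chmod -R go-rwX "${TARGET_BUILD_DIR}/etc/ssh"` in post_copy strips group and other permissions from the whole etc/ssh tree, not just the mgmt host keys this module adds; if TARGET_BUILD_DIR is the shared target that the required `sshd` module also populates, that makes ssh_config, moduli and the base sshd_config unreadable to non-root users and breaks the ssh client for them — presumably unintended, but whether the directory is shared cannot be seen from this hunk. Limiting it to what needs protecting, `chmod 700 "${TARGET_BUILD_DIR}/etc/ssh/mgmt"` and `chmod 600 "${TARGET_BUILD_DIR}/etc/ssh/mgmt/ssh_host_"*_key`, keeps the intent without the side effect. A one-line comment above post_copy stating that intent (`# host keys and authorized_keys of the management sshd must stay root-only`) would also help, since the empty fetch_source and build give no other hint what the module does at build time.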