ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-11-18 23:38:38 +08:00
Code Issues Projects Releases Packages Wiki Activity

feat: preparatory work to support Debian 11 "Bullseye"

Browse source 
We still need to replacee pam_tally2 by pam_faillock
Debian 11 is NOT yet supported, and won't be before it's released as stable.
This commit is contained in:
Stéphane Lesimple 2021-03-19 17:51:00 +00:00 committed by Stéphane Lesimple
parent 1d9018ef7f
commit 003052530e
7 changed files with 383 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/tests.yml vendored
View file

@ -20,7 +20,7 @@ jobs:
name: Full
strategy:
matrix:
platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian10, debian8, debian9, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
platform: ['centos7@centos:7.7.1908', 'centos7@centos:7.8.2003', 'centos7@centos:7.9.2009', 'centos8@centos:8.1.1911', 'centos8@centos:8.2.2004', 'centos8@centos:8.3.2011', debian8, debian9, debian10, debian11, opensuse151, opensuse152, ubuntu1404, ubuntu1604, ubuntu1804, ubuntu2004]
runs-on: ubuntu-latest
if: contains(github.event.pull_request.labels.*.name, 'tests:full')
steps:

9
bin/admin/install
View file

@ -1300,10 +1300,13 @@ if [ "${opt[modify-pam-sshd]}" = 1 ]; then
echo "$DISTRO_LIKE" | grep -q -w debian && pamsuffix=debian
echo "$DISTRO_LIKE" | grep -q -w rhel && pamsuffix=rhel
[ "$OS_FAMILY" = FreeBSD ] && pamsuffix=freebsd
if [ -n "$pamsuffix" ] && [ -e $PAM_SSHD ] && [ -e "$basedir/etc/pam.d/sshd.$pamsuffix" ]; then
if [ -n "$pamsuffix" ] && [ -e "$basedir/etc/pam.d/sshd.$pamsuffix$DISTRO_VERSION" ]; then
pamsuffix="$pamsuffix$DISTRO_VERSION"
fi
if [ -n "$pamsuffix" ] && [ -e "$PAM_SSHD" ] && [ -e "$basedir/etc/pam.d/sshd.$pamsuffix" ]; then
cp -a "$PAM_SSHD" "$PAM_SSHD.backup_$(date +%s)"
cat "$basedir/etc/pam.d/sshd.$pamsuffix" > $PAM_SSHD
action_done
cat "$basedir/etc/pam.d/sshd.$pamsuffix" > "$PAM_SSHD"
action_done "sshd.$pamsuffix"
else
action_error "couldn't use our pam.d/sshd template (no template for $OS_FAMILY/$DISTRO_LIKE)"
fi

30
docker/Dockerfile.debian11 Normal file
View file

@ -0,0 +1,30 @@
FROM debian:bullseye
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \
sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf
# at each modification of our code, we'll start from here thanks to build cache
COPY . /opt/bastion
# tests that the environment works
RUN ["/opt/bastion/bin/dev/perl-check.sh"]
# setup ssh/sshd config and setup bastion install
RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1

81
etc/pam.d/sshd.debian11 Normal file
View file

@ -0,0 +1,81 @@
# PAM configuration for the Secure Shell service
auth requisite pam_nologin.so
# --- PASSWORD CHECK SECTION
# proceed in this section ONLY if the user is in group mfa-password-configd, skip it entirely otherwise
auth [success=ignore ignore=ignore default=4] pam_succeed_if.so quiet user ingroup mfa-password-configd
auth optional pam_echo.so Your account has Multi-Factor Authentication enabled, an additional authentication factor is required (password).
auth optional pam_exec.so quiet debug stdout /opt/bastion/bin/shell/pam_exec_pwd_info.sh
# lock account after 6 failures, for 5 minutes
#FIXME auth required pam_tally2.so onerr=fail deny=6 unlock_time=300
# then check password
auth required pam_unix.so
# --- TOTP CHECK SECTION
# if root, enable TOTP check
auth [success=ignore ignore=ignore default=1] pam_succeed_if.so quiet uid eq 0
# [success=ok new_authtok_reqd=ok ignore=ignore default=bad module_unknown=ignore] == required + module_unknown:ignore
# if you have a recent enough libpam-google-authenticator, you can customize the prompt with the following option: [authtok_prompt=Verification Code (OTP): ]
# you can also add "debug" for more verbose logs (requires a not too old version of the pam module)
# note the nullok parameter, instructing that if TOTP is not configured for root, it shouldn't be asked
# if you know you've configured TOTP for root and prefer blocking access if there is a problem with the secret file, remove `nullok'
auth [success=ok new_authtok_reqd=ok ignore=ignore default=bad module_unknown=ignore] pam_google_authenticator.so nullok secret=/var/otp/root
# if root, TOTP check has already been done just above, so skip this subsection
auth [success=3 ignore=ignore default=ignore] pam_succeed_if.so quiet uid eq 0
# else (if not root), proceed in this section ONLY if the user is in group mfa-totp-configd, skip it entirely otherwise
auth [success=ignore ignore=ignore default=2] pam_succeed_if.so quiet user ingroup mfa-totp-configd
auth optional pam_echo.so Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).
auth [success=ok new_authtok_reqd=ok ignore=ignore default=bad module_unknown=ignore] pam_google_authenticator.so secret=~/.otp
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Reset counter if auth succeeded
#FIXME account required pam_tally2.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
#session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password

118
etc/ssh/ssh_config.debian11 Normal file
View file

@ -0,0 +1,118 @@
# Hardened SSH bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With modifications where applicable/needed
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
# mitigates CVE-0216-0778
UseRoaming no
# other unwanted features
Tunnel no
ForwardAgent no
ForwardX11 no
GatewayPorts no
ControlMaster no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# list of allowed ciphers.
# chacha20-poly1305 is a modern cipher, considered very secure
# aes is still the standard, we prefer gcm cipher mode, but also
# allow ctr cipher mode for compatibility (ctr is considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
# known gotchas:
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# etm (encrypt-then-mac) are considered the more secure, we
# prefer umac (has been proven secure) then sha2.
# for older remote servers, fallback to the non-etm version of
# the algorithms. we deny md5 entirely.
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
# Known gotchas:
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we prefer curve25519-sha256 which is considered the most modern/secure,
# and still allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
# known gotchas:
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password nor keyboard-interactive
# ... (set to yes if sshpass is to be used)
PasswordAuthentication no
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
GSSAPIDelegateCredentials no
# now we specify the auth methods order we want for manual ssh calls.
# NOTE1: as per the ssh source code, an auth method omitted hereafter
# will not be used, even if set to "yes" above.
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
# value explicitly on command-line (pubkey OR sshpass), so the value
# specified hereafter will be ignored. if you want to force-disable
# a method, set it to "no" in the list above, as those will never be
# overridden by the code.
PreferredAuthentications publickey,keyboard-interactive
# === LOGIN ###
# disable escape character use
EscapeChar none
# detect if a hostkey changed due to DNS spoofing
CheckHostIP yes
# ignore ssh-agent, only use specified keys (-i)
IdentitiesOnly yes
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
IdentityFile /dev/non/existent/file
# carry those vars to the other side (includes LC_BASTION)
SendEnv LANG LC_*
# allow usage of SSHFP DNS records
VerifyHostKeyDNS ask
# yell if remote hostkey changed
StrictHostKeyChecking ask
# === SYSTEM ===
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
HashKnownHosts no
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
ServerAliveInterval 57
ServerAliveCountMax 5

143
etc/ssh/sshd_config.debian11 Normal file
View file

@ -0,0 +1,143 @@
# Hardened SSHD bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With additional restrictions where applicable
# -lo and -rt users only have local console login
DenyUsers *-rt
DenyUsers *-lo
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
PermitUserRC no
GatewayPorts no
# === INFORMATION DISCLOSURE ===
# don't yell to the world that we're running debian,
# this disables the debian string version on the server hello message
DebianBanner no
# however, display a legal notice for each connection
Banner /etc/ssh/banner
# don't print the bastion MOTD on connection
PrintMotd no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# list of allowed ciphers.
# chacha20-poly1305 is a modern cipher, considered very secure
# aes is still the standard, we prefer gcm cipher mode, but also
# allow ctr cipher mode for compatibility (ctr is still considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# etm (encrypt-then-mac) are considered the more secure, we
# prefer umac (has been proven secure) then sha2.
# for older ssh client, fallback to the non-etm version of
# the algorithms.
# we deny md5 and sha1
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we prefer curve25519-sha256 which is considered the most modern/secure,
# and still allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
# force rekey every 512M of data or 6 hours of connection, whichever comes first
RekeyLimit 512M 6h
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password
PasswordAuthentication no
# ... keyboard interactive (needed for MFA through PAM)
KbdInteractiveAuthentication yes
# ... not kerberos
KerberosAuthentication no
# ... challenge-response (needed for MFA through PAM)
ChallengeResponseAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
# just in case, we also explicitly deny empty passwords
PermitEmptyPasswords no
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
# which is not a security issue because the AuthenticationMethods below force the use of
# either publickey or publickey+keyboard-interactive, hence password-only login is never
# possible, for root or any other account for that matter
PermitRootLogin yes
# === LOGIN ===
# disconnect after 30 seconds if user didn't log in successfully
LoginGraceTime 30
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
MaxSessions 1
# maximum concurrent unauth connections to the sshd daemon
MaxStartups 50:30:500
# accept LANG and LC_* vars (also includes LC_BASTION)
AcceptEnv LANG LC_*
# === SYSTEM ===
# sshd log level at verbose in auth facility for auditing purposes
LogLevel VERBOSE
SyslogFacility AUTH
# check sanity of user HOME dir before allowing user to login
StrictModes yes
# never use dns (slows down connections)
UseDNS no
# use PAM facility
UsePAM yes
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
# 2FA has been configured for root, so we force pubkey+PAM for it
#Match User root
# AuthenticationMethods publickey,keyboard-interactive:pam
# Unconditionally skip PAM auth for members of the bastion-nopam group
Match Group bastion-nopam
AuthenticationMethods publickey
# if in one of the mfa groups, use pam
Match Group mfa-totp-configd
AuthenticationMethods publickey,keyboard-interactive:pam
Match Group mfa-password-configd
AuthenticationMethods publickey,keyboard-interactive:pam
# by default, always ask the publickey (no PAM)
Match All
AuthenticationMethods publickey

4
lib/shell/functions.inc
View file

@ -25,6 +25,10 @@ if [ -z "$LINUX_DISTRO" ] || [ -z "$DISTRO_VERSION" ]; then
elif [ -e /etc/debian_version ]; then
LINUX_DISTRO=debian
DISTRO_VERSION=$(cat /etc/debian_version)
# special case while bullseye is not yet released
if [ "$DISTRO_VERSION" = "bullseye/sid" ]; then
DISTRO_VERSION=11
fi
elif [ -e /etc/redhat-release ]; then
LINUX_DISTRO=redhat
fi