Merge pull request #49 from speed47/ttyrecfreebsd

enh: freebsd: use ttyrec prebuilt static version

.github/workflows/freebsd.yml

@@ -19,17 +19,11 @@ jobs:
           set -ex
           freebsd-version
           mount -o acls /
-          pkg install -y bash unzip rsync ca_root_nss jq fping screen flock gmake
+          pkg install -y bash rsync ca_root_nss jq fping screen flock
           mkdir -p /opt/bastion
           rsync -a . /opt/bastion/
-          fetch https://github.com/ovh/ovh-ttyrec/archive/master.zip
-          unzip master.zip
-          cd ovh-ttyrec-master/
-          ./configure
-          gmake
-          gmake install
-          cd ..
           /opt/bastion/bin/admin/packages-check.sh -i
+          /opt/bastion/bin/admin/install-ttyrec.sh -s
           /opt/bastion/bin/admin/install --new-install --no-wait
           ssh-keygen -t ed25519 -f id_user
           ssh-keygen -t ed25519 -f id_root

README.md

@@ -78,11 +78,11 @@ Linux distros below are tested with each release, but as this is a security prod
 *: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of `pamtester`, `pam-google-authenticator`, or both. Of course, you may compile those yourself.
 Any other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments.
 
-The code is also known to work correctly under:
+The following OS are also tested with each release:
 
-- FreeBSD 10+ / HardenedBSD**
+- FreeBSD/HardenedBSD 12.1**
 
-**: Note that FreeBSD has partial MFA support, due to its reduced set of available `pam` plugins. You can set it up to support an additional password or TOTP factor, but not both.
+**: Note that these have partial MFA support, due to their reduced set of available `pam` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 12.1.
 
 Other BSD variants partially work but are unsupported and discouraged as they have a severe limitation over the maximum number of supplementary groups (causing problems for group membership and restricted commands checks), no filesystem-level ACL support and missing MFA:
 

bin/admin/install-ttyrec.sh

@@ -39,8 +39,16 @@ set_download_url() {
         _download() {
             curl -sL -O "$1"
         }
+    elif command -v fetch >/dev/null; then
+        action_done fetch
+        _apicall() {
+            fetch -o - "$1" || true
+        }
+        _download() {
+            fetch "$1"
+        }
     else
-        action_error "Couldn't find wget nor curl"
+        action_error "Couldn't find wget, curl nor fetch"
         exit 1
     fi
     action_doing "Getting latest release for arch $arch..."
@@ -83,8 +91,9 @@ action_static() {
     else
         arch=$(uname -m)
     fi
+    os=$(uname -s | tr '[:upper:]' '[:lower:]')
 
-    set_download_url "_$arch-linux-static-binary.tar.gz"
+    set_download_url "_$arch-$os-static-binary.tar.gz"
     prepare_temp_folder
 
     _download "$url"
@@ -191,7 +200,7 @@ action_auto() {
     esac
 }
 
-if [ "$OS_FAMILY" != "Linux" ]; then
+if [ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]; then
     echo "Sorry, your OS ($OS_FAMILY) is not supported." >&2
     exit 1
 fi