chore: push sandbox and tester images from Deb10 to Deb11

Also remove old config files from previsously dropped OS versions
2025-09-08 22:14:25 +08:00 · 2023-03-23 19:09:29 +00:00 · 2023-03-23 19:09:29 +00:00 · 49dc104dd7
commit 49dc104dd7
parent c6904d0fa0
8 changed files with 7 additions and 508 deletions
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -6,13 +6,13 @@ on:

 jobs:
    tests_short:
-        name: Short (deb10 only, no cc)
+        name: Short (deb11 only, no cc)
        runs-on: ubuntu-latest
        if: contains(github.event.pull_request.labels.*.name, 'tests:short')
        steps:
        - uses: actions/checkout@v2
-        - name: run tests inside a debian10 docker
-          run: tests/functional/docker/docker_build_and_run_tests.sh debian10 --skip-consistency-check --no-pause-on-fail
+        - name: run tests inside a debian11 docker
+          run: tests/functional/docker/docker_build_and_run_tests.sh debian11 --skip-consistency-check --no-pause-on-fail
          env:
            DOCKER_TTY: false

--- a/bin/admin/install
+++ b/bin/admin/install
@ -272,10 +272,8 @@ if [ "${opt[modify-ssh-config]}" = 1 ] || [ "${opt[modify-sshd-config]}" = 1 ] ;
        filesuffix=$short_suffix_name
    elif [ "$OS_FAMILY" = Linux ]; then
        if [ "$LINUX_DISTRO" = ubuntu ]; then
-            if [ "$DISTRO_VERSION_MAJOR" -le 14 ]; then
-                filesuffix=debian7
-            elif [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then
-                filesuffix=debian8
+              if [ "$DISTRO_VERSION_MAJOR" -le 16 ]; then
+                filesuffix=debian9
            elif [ "$DISTRO_VERSION_MAJOR" -le 18 ]; then
                filesuffix=debian10
            elif [ "$DISTRO_VERSION_MAJOR" -le 20 ]; then
--- a/docker/Dockerfile.sandbox
+++ b/docker/Dockerfile.sandbox
@ -1,4 +1,4 @@
-FROM debian:buster
+FROM debian:bullseye
 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"

 # first, copy everything we need
--- a/docker/Dockerfile.tester
+++ b/docker/Dockerfile.tester
@ -1,4 +1,4 @@
-FROM debian:buster
+FROM debian:bullseye
 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"

 # install prerequisites
--- a/etc/ssh/ssh_config.debian7
+++ b/etc/ssh/ssh_config.debian7
@ -1,113 +0,0 @@
-# Hardened SSH bastion config -- modify wisely!
-# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
-# With modifications where applicable/needed
-
-# hardened params follow. every non-needed feature is disabled by default,
-# following the principle of least rights and least features (more enabled
-# features mean a more important attack surface).
-
-# === FEATURES ===
-
-# disable non-needed sshd features
-# mitigates CVE-0216-0778
-UseRoaming no
-# other unwanted features
-Tunnel no
-ForwardAgent no
-ForwardX11 no
-GatewayPorts no
-ControlMaster no
-
-# === CRYPTOGRAPHY ===
-
-# enforce the use of ssh version 2 protocol, version 1 is disabled.
-# all sshd_config options regarding protocol 1 are therefore omitted.
-Protocol 2
-
-# list of allowed ciphers.
-# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure)
-# we deny arcfour(rc4), 3des, blowfish and cast
-# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
-# known gotchas:
-# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
-# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
-# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
-Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-
-# list of allowed message authentication code algorithms.
-# we prefer umac (has been proven secure) then sha2.
-# we deny md5 and sha1
-# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
-# Known gotchas:
-# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
-# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
-MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
-
-# List of allowed key exchange algorithms.
-# we allow diffie hellman with group exchange using sha256 which is
-# the most secure dh-based kex.
-# we avoid algorithms based on the disputed NIST curves, and anything based
-# on sha1.
-# known gotchas:
-# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
-# - OmniOS 5.11 needs diffie-hellman-group1-sha1
-# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
-# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
-KexAlgorithms diffie-hellman-group-exchange-sha256
-
-# === AUTHENTICATION ===
-
-# we allow only public key authentication ...
-PubkeyAuthentication yes
-# ... not password nor keyboard-interactive
-# ... (set to yes if sshpass is to be used)
-PasswordAuthentication no
-# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
-ChallengeResponseAuthentication yes
-KbdInteractiveAuthentication yes
-# ... not host-based
-HostbasedAuthentication no
-# ... and not gssapi auth.
-GSSAPIAuthentication no
-GSSAPIKeyExchange no
-GSSAPIDelegateCredentials no
-# now we specify the auth methods order we want for manual ssh calls.
-# NOTE1: as per the ssh source code, an auth method omitted hereafter
-# will not be used, even if set to "yes" above.
-# NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitly on command-line (pubkey OR sshpass), so the value
-# specified hereafter will be ignored. if you want to force-disable
-# a method, set it to "no" in the list above, as those will never be
-# overridden by the code.
-PreferredAuthentications publickey,keyboard-interactive
-
-# === LOGIN ###
-
-# disable escape character use
-EscapeChar none
-
-# detect if a hostkey changed due to DNS spoofing
-CheckHostIP yes
-
-# ignore ssh-agent, only use specified keys (-i)
-IdentitiesOnly yes
-# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
-IdentityFile /dev/non/existent/file
-
-# carry those vars to the other side (includes LC_BASTION)
-SendEnv LANG LC_*
-
-# allow usage of SSHFP DNS records
-VerifyHostKeyDNS ask
-
-# yell if remote hostkey changed
-StrictHostKeyChecking ask
-
-# === SYSTEM ===
-
-# don't hash the users known_hosts files, in the context of a bastion, this adds no security
-HashKnownHosts no
-
-# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
-ServerAliveInterval 57
-ServerAliveCountMax 5
--- a/etc/ssh/ssh_config.debian8
+++ b/etc/ssh/ssh_config.debian8
@ -1,118 +0,0 @@
-# Hardened SSH bastion config -- modify wisely!
-# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
-# With modifications where applicable/needed
-
-# hardened params follow. every non-needed feature is disabled by default,
-# following the principle of least rights and least features (more enabled
-# features mean a more important attack surface).
-
-# === FEATURES ===
-
-# disable non-needed sshd features
-# mitigates CVE-0216-0778
-UseRoaming no
-# other unwanted features
-Tunnel no
-ForwardAgent no
-ForwardX11 no
-GatewayPorts no
-ControlMaster no
-
-# === CRYPTOGRAPHY ===
-
-# enforce the use of ssh version 2 protocol, version 1 is disabled.
-# all sshd_config options regarding protocol 1 are therefore omitted.
-Protocol 2
-
-# list of allowed ciphers.
-# chacha20-poly1305 is a modern cipher, considered very secure
-# aes is still the standard, we prefer gcm cipher mode, but also
-# allow ctr cipher mode for compatibility (ctr is considered secure)
-# we deny arcfour(rc4), 3des, blowfish and cast
-# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
-# known gotchas:
-# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
-# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
-# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-
-# list of allowed message authentication code algorithms.
-# etm (encrypt-then-mac) are considered the more secure, we
-# prefer umac (has been proven secure) then sha2.
-# for older remote servers, fallback to the non-etm version of
-# the algorithms. we deny md5 entirely.
-# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
-# Known gotchas:
-# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
-# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
-MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
-
-# List of allowed key exchange algorithms.
-# we prefer curve25519-sha256 which is considered the most modern/secure,
-# and still allow diffie hellman with group exchange using sha256 which is
-# the most secure dh-based kex.
-# we avoid algorithms based on the disputed NIST curves, and anything based
-# on sha1.
-# known gotchas:
-# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
-# - OmniOS 5.11 needs diffie-hellman-group1-sha1
-# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
-# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-
-# === AUTHENTICATION ===
-
-# we allow only public key authentication ...
-PubkeyAuthentication yes
-# ... not password nor keyboard-interactive
-# ... (set to yes if sshpass is to be used)
-PasswordAuthentication no
-# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
-ChallengeResponseAuthentication yes
-KbdInteractiveAuthentication yes
-# ... not host-based
-HostbasedAuthentication no
-# ... and not gssapi auth.
-GSSAPIAuthentication no
-GSSAPIKeyExchange no
-GSSAPIDelegateCredentials no
-# now we specify the auth methods order we want for manual ssh calls.
-# NOTE1: as per the ssh source code, an auth method omitted hereafter
-# will not be used, even if set to "yes" above.
-# NOTE2: the bastion code (namely, ttyrec), will always set the proper
-# value explicitly on command-line (pubkey OR sshpass), so the value
-# specified hereafter will be ignored. if you want to force-disable
-# a method, set it to "no" in the list above, as those will never be
-# overridden by the code.
-PreferredAuthentications publickey,keyboard-interactive
-
-# === LOGIN ###
-
-# disable escape character use
-EscapeChar none
-
-# detect if a hostkey changed due to DNS spoofing
-CheckHostIP yes
-
-# ignore ssh-agent, only use specified keys (-i)
-IdentitiesOnly yes
-# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
-IdentityFile /dev/non/existent/file
-
-# carry those vars to the other side (includes LC_BASTION)
-SendEnv LANG LC_*
-
-# allow usage of SSHFP DNS records
-VerifyHostKeyDNS ask
-
-# yell if remote hostkey changed
-StrictHostKeyChecking ask
-
-# === SYSTEM ===
-
-# don't hash the users known_hosts files, in the context of a bastion, this adds no security
-HashKnownHosts no
-
-# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
-ServerAliveInterval 57
-ServerAliveCountMax 5
--- a/etc/ssh/sshd_config.debian7
+++ b/etc/ssh/sshd_config.debian7
@ -1,122 +0,0 @@
-# Hardened SSHD bastion config -- modify wisely!
-# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
-# With additional restrictions where applicable
-
-# -lo and -rt users only have local console login
-DenyUsers *-rt
-DenyUsers *-lo
-
-# hardened params follow. every non-needed feature is disabled by default,
-# following the principle of least rights and least features (more enabled
-# features mean a more important attack surface).
-
-# === FEATURES ===
-
-# disable non-needed sshd features
-AllowAgentForwarding no
-AllowTcpForwarding no
-X11Forwarding no
-PermitTunnel no
-PermitUserEnvironment no
-GatewayPorts no
-
-# === INFORMATION DISCLOSURE ===
-
-# don't yell to the world that we're running debian,
-# this disables the debian string version on the server hello message
-DebianBanner no
-
-# however, display a legal notice for each connection
-Banner /etc/ssh/banner
-
-# don't print the bastion MOTD on connection
-PrintMotd no
-
-# === CRYPTOGRAPHY ===
-
-# enforce the use of ssh version 2 protocol, version 1 is disabled.
-# all sshd_config options regarding protocol 1 are therefore omitted.
-Protocol 2
-
-# only use hostkeys with RSA
-HostKey /etc/ssh/ssh_host_rsa_key
-
-# list of allowed ciphers.
-# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure)
-# we deny arcfour(rc4), 3des, blowfish and cast
-Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-
-# list of allowed message authentication code algorithms.
-# we prefer umac (has been proven secure) then sha2.
-# we deny md5 and sha1
-MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
-
-# List of allowed key exchange algorithms.
-# we allow diffie hellman with group exchange using sha256 which is
-# the most secure dh-based kex.
-# we avoid algorithms based on the disputed NIST curves, and anything based
-# on sha1.
-KexAlgorithms diffie-hellman-group-exchange-sha256
-
-# === AUTHENTICATION ===
-
-# we allow only public key authentication ...
-PubkeyAuthentication yes
-# ... not password
-PasswordAuthentication no
-# ... keyboard interactive (needed for MFA through PAM)
-KbdInteractiveAuthentication yes
-# ... not kerberos
-KerberosAuthentication no
-# ... challenge-response (needed for MFA through PAM)
-ChallengeResponseAuthentication yes
-# ... not host-based
-HostbasedAuthentication no
-# ... and not gssapi auth.
-GSSAPIAuthentication no
-GSSAPIKeyExchange no
-
-# just in case, we also explicitly deny empty passwords
-PermitEmptyPasswords no
-
-# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
-# which is not a security issue because the AuthenticationMethods below force the use of
-# either publickey or publickey+keyboard-interactive, hence password-only login is never
-# possible, for root or any other account for that matter
-PermitRootLogin yes
-
-# === LOGIN ===
-
-# disconnect after 30 seconds if user didn't log in successfully
-LoginGraceTime 30
-
-# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
-MaxSessions 1
-
-# maximum concurrent unauth connections to the sshd daemon
-MaxStartups 50:30:500
-
-# accept LANG and LC_* vars (also includes LC_BASTION)
-AcceptEnv LANG LC_*
-
-# === SYSTEM ===
-
-# sshd log level at verbose in auth facility for auditing purposes
-LogLevel VERBOSE
-SyslogFacility AUTH
-
-# check sanity of user HOME dir before allowing user to login
-StrictModes yes
-
-# never use dns (slows down connections)
-UseDNS no
-
-# use PAM facility
-UsePAM yes
-
-# Debian 7 doesn't support the AuthenticationMethods, hence we can't benefit
-# from the bastion-nopam group (accountModify --pam-auth-bypass will not work)
-#Match Group bastion-nopam
-#	AuthenticationMethods publickey
-#Match All
-#	AuthenticationMethods publickey,keyboard-interactive:pam
--- a/etc/ssh/sshd_config.debian8
+++ b/etc/ssh/sshd_config.debian8
@ -1,146 +0,0 @@
-# Hardened SSHD bastion config -- modify wisely!
-# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
-# With additional restrictions where applicable
-
-# -lo and -rt users only have local console login
-DenyUsers *-rt
-DenyUsers *-lo
-
-# hardened params follow. every non-needed feature is disabled by default,
-# following the principle of least rights and least features (more enabled
-# features mean a more important attack surface).
-
-# === FEATURES ===
-
-# disable non-needed sshd features
-AllowAgentForwarding no
-AllowTcpForwarding no
-AllowStreamLocalForwarding no
-X11Forwarding no
-PermitTunnel no
-PermitUserEnvironment no
-PermitUserRC no
-GatewayPorts no
-
-# === INFORMATION DISCLOSURE ===
-
-# don't yell to the world that we're running debian,
-# this disables the debian string version on the server hello message
-DebianBanner no
-
-# however, display a legal notice for each connection
-Banner /etc/ssh/banner
-
-# don't print the bastion MOTD on connection
-PrintMotd no
-
-# === CRYPTOGRAPHY ===
-
-# enforce the use of ssh version 2 protocol, version 1 is disabled.
-# all sshd_config options regarding protocol 1 are therefore omitted.
-Protocol 2
-
-# only use hostkeys with secure algorithms, and omit the ones using NIST curves
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_rsa_key
-
-# list of allowed ciphers.
-# chacha20-poly1305 is a modern cipher, considered very secure
-# aes is still the standard, we prefer gcm cipher mode, but also
-# allow ctr cipher mode for compatibility (ctr is still considered secure)
-# we deny arcfour(rc4), 3des, blowfish and cast
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-
-# list of allowed message authentication code algorithms.
-# etm (encrypt-then-mac) are considered the more secure, we
-# prefer umac (has been proven secure) then sha2.
-# for older ssh client, fallback to the non-etm version of
-# the algorithms.
-# we deny md5 and sha1
-MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
-
-# List of allowed key exchange algorithms.
-# we prefer curve25519-sha256 which is considered the most modern/secure,
-# and still allow diffie hellman with group exchange using sha256 which is
-# the most secure dh-based kex.
-# we avoid algorithms based on the disputed NIST curves, and anything based
-# on sha1.
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-
-# force rekey every 512M of data or 6 hours of connection, whichever comes first
-RekeyLimit 512M 6h
-
-# === AUTHENTICATION ===
-
-# we allow only public key authentication ...
-PubkeyAuthentication yes
-# ... not password
-PasswordAuthentication no
-# ... keyboard interactive (needed for MFA through PAM)
-KbdInteractiveAuthentication yes
-# ... not kerberos
-KerberosAuthentication no
-# ... challenge-response (needed for MFA through PAM)
-ChallengeResponseAuthentication yes
-# ... not host-based
-HostbasedAuthentication no
-# ... and not gssapi auth.
-GSSAPIAuthentication no
-GSSAPIKeyExchange no
-
-# just in case, we also explicitly deny empty passwords
-PermitEmptyPasswords no
-
-# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
-# which is not a security issue because the AuthenticationMethods below force the use of
-# either publickey or publickey+keyboard-interactive, hence password-only login is never
-# possible, for root or any other account for that matter
-PermitRootLogin yes
-
-# === LOGIN ===
-
-# disconnect after 30 seconds if user didn't log in successfully
-LoginGraceTime 30
-
-# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
-MaxSessions 1
-
-# maximum concurrent unauth connections to the sshd daemon
-MaxStartups 50:30:500
-
-# accept LANG and LC_* vars (also includes LC_BASTION)
-AcceptEnv LANG LC_*
-
-# === SYSTEM ===
-
-# sshd log level at verbose in auth facility for auditing purposes
-LogLevel VERBOSE
-SyslogFacility AUTH
-
-# check sanity of user HOME dir before allowing user to login
-StrictModes yes
-
-# never use dns (slows down connections)
-UseDNS no
-
-# use PAM facility
-UsePAM yes
-
-# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
-# If 2FA has been configured for root, we force pubkey+PAM for it. If this is the case
-# on your system, uncomment the next two lines (see
-# https://ovh.github.io/the-bastion/installation/advanced.html#fa-root-authentication)
-#Match User root
-#    AuthenticationMethods publickey,keyboard-interactive:pam
-# Unconditionally skip PAM auth for members of the bastion-nopam group
-Match Group bastion-nopam
-    AuthenticationMethods publickey
-# if in one of the mfa groups AND the osh-pubkey-auth-optional group, use publickey+pam OR pam
-Match Group mfa-totp-configd,mfa-password-configd Group osh-pubkey-auth-optional
-    AuthenticationMethods publickey,keyboard-interactive:pam keyboard-interactive:pam
-# if in one of the mfa groups, use publickey AND pam
-Match Group mfa-totp-configd,mfa-password-configd
-    AuthenticationMethods publickey,keyboard-interactive:pam
-# by default, always ask the publickey (no PAM)
-Match All
-    AuthenticationMethods publickey