From 615f26af8b5c4b2d0c869591d2cfbdfaa04d42d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 17 Nov 2020 20:27:42 +0100 Subject: [PATCH] enh: freebsd: use ttyrec prebuild static version --- .github/workflows/freebsd.yml | 10 ++-------- README.md | 6 +++--- bin/admin/install-ttyrec.sh | 15 ++++++++++++--- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml index 49f0b95..fdf00f5 100644 --- a/.github/workflows/freebsd.yml +++ b/.github/workflows/freebsd.yml @@ -19,17 +19,11 @@ jobs: set -ex freebsd-version mount -o acls / - pkg install -y bash unzip rsync ca_root_nss jq fping screen flock gmake + pkg install -y bash rsync ca_root_nss jq fping screen flock mkdir -p /opt/bastion rsync -a . /opt/bastion/ - fetch https://github.com/ovh/ovh-ttyrec/archive/master.zip - unzip master.zip - cd ovh-ttyrec-master/ - ./configure - gmake - gmake install - cd .. /opt/bastion/bin/admin/packages-check.sh -i + /opt/bastion/bin/admin/install-ttyrec.sh -s /opt/bastion/bin/admin/install --new-install --no-wait ssh-keygen -t ed25519 -f id_user ssh-keygen -t ed25519 -f id_root diff --git a/README.md b/README.md index a241819..df86173 100644 --- a/README.md +++ b/README.md 
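Review bot: The new step `/opt/bastion/bin/admin/install-ttyrec.sh -s` makes the job install whichever ttyrec release is the latest at run time (the script's own progress message reads "Getting latest release for arch"), so the binary under test is not identified anywhere in the workflow. CI results can therefore change without a commit in this repository. The removed `fetch .../archive/master.zip` build was equally unpinned, so this is not a regression, but the prebuilt path is a good moment to log which release was actually installed right after this step, or to pin it if the script allows that. The rest of the `run:` block lies outside this hunk.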
@@ -78,11 +78,11 @@ Linux distros below are tested with each release, but as this is a security prod *: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of `pamtester`, `pam-google-authenticator`, or both. Of course, you may compile those yourself. Any other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments. -The code is also known to work correctly under: +The following OS are also tested with each release: -- FreeBSD 10+ / HardenedBSD** +- FreeBSD/HardenedBSD 12.1** -**: Note that FreeBSD has partial MFA support, due to its reduced set of available `pam` plugins. You can set it up to support an additional password or TOTP factor, but not both. +**: Note that these have partial MFA support, due to their reduced set of available `pam` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 12.1. Other BSD variants partially work but are unsupported and discouraged as they have a severe limitation over the maximum number of supplementary groups (causing problems for group membership and restricted commands checks), no filesystem-level ACL support and missing MFA: diff --git a/bin/admin/install-ttyrec.sh b/bin/admin/install-ttyrec.sh index 993bad9..5f39d78 100755 --- a/bin/admin/install-ttyrec.sh +++ b/bin/admin/install-ttyrec.sh @@ -39,8 +39,16 @@ set_download_url() { _download() { curl -sL -O "$1" } + elif command -v fetch >/dev/null; then + action_done fetch + _apicall() { + fetch -o - "$1" || true + } + _download() { + fetch "$1" + } else - action_error "Couldn't find wget nor curl" + action_error "Couldn't find wget, curl nor fetch" exit 1 fi action_doing "Getting latest release for arch $arch..." 
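Review bot: In the new `fetch` branch of `set_download_url`, `_apicall` swallows every transfer error (`fetch -o - "$1" || true`) and `_download` is a bare `fetch "$1"`. A failed or truncated release lookup then looks like an empty answer unless the caller checks for it, and that caller code is outside this hunk. Because the result decides which binary gets installed on the bastion, `_download` should fail loudly and stay as quiet as the `curl -sL` variant, for example `fetch -q "$1" || { action_error "Download of $1 failed"; exit 1; }`. If the `|| true` in `_apicall` is deliberate, a one-line comment such as `# empty output is handled by the caller, don't abort here` would make that explicit.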
@@ -83,8 +91,9 @@ action_static() { else arch=$(uname -m) fi + os=$(uname -s | tr '[:upper:]' '[:lower:]') - set_download_url "_$arch-linux-static-binary.tar.gz" + set_download_url "_$arch-$os-static-binary.tar.gz" prepare_temp_folder _download "$url" @@ -191,7 +200,7 @@ action_auto() { esac } -if [ "$OS_FAMILY" != "Linux" ]; then +if [ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]; then echo "Sorry, your OS ($OS_FAMILY) is not supported." >&2 exit 1 fi
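Review bot: `action_static` hands `$url` to `_download` and, as far as this hunk shows, nothing checks the archive's integrity before it is used. With the asset suffix now built from `uname -s` (`"_$arch-$os-static-binary.tar.gz"`), that same unverified path serves a second platform. The rest of the function is outside this hunk; if it does not already do so, the tarball should be compared against a digest or signature obtained independently of the download before it is unpacked and installed. It is also worth confirming that an empty `$url` (no asset matching the computed `$arch-$os` pair) ends in an explicit `action_error` rather than a download attempt with an empty argument.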
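Review bot: The relaxed test `[ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]` admits FreeBSD to every action of the script, while only `action_static` was made OS-aware in this commit. `action_auto` ends just above this hunk and its `case` body is not visible here; if it dispatches on the Linux distribution, FreeBSD should be routed explicitly to `action_static`, or rejected for the package-based actions, rather than falling into a default arm. A comment above the gate would document the intent, e.g. `# FreeBSD is supported through the static binary (-s) only`, assuming that matches the author's intent.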