authorGuilhem Moulin <guilhem@fripost.org>2014-04-16 19:39:36 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 04:28:07 +0200
commit77ec2e80ad7085fb5f35a4624ac16bb65d580ca8 (patch)
tree8927703d2a499296feac693f1cc0ff40f578959f
parentfb7da2da82b4d90f23d6270d2e64823a8ce6d4b0 (diff)
Restrict SSH login to members of the 'ssh-login' group.
Don't use the group 'ssh', as it's automatically created by openssh-client's postinstall hook, and is used for ssh-agent's setgid.
-rw-r--r--preseed.cfg1
-rwxr-xr-xsrc/fripost-postinst-udeb/finish-install.d/07fripost4
-rw-r--r--src/fripost-postinst-udeb/sshd_config2
3 files changed, 5 insertions, 2 deletions
diff --git a/preseed.cfg b/preseed.cfg
index 6428063..c9ecbb9 100644
--- a/preseed.cfg
+++ b/preseed.cfg
@@ -80,7 +80,6 @@ d-i passwd/user-fullname string Guilhem Moulin
d-i passwd/username string guilhem
# TODO: should be generated by preseed.sh: echo ... | mkpasswd -s -m SHA-512
d-i passwd/user-password-crypted password $6$QjLeZdW1O$9VymVDc5q6NctEylAqObvmP4S7FXk1ckCPaHua0JaiFSaTeTKoWxaP7bQoUWvzCPDY23Xqthg87QDBbaCY9BP0
-d-i passwd/user-default-groups string ssh
################################################################################
diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost
index 2dfb98b..6b5d7b1 100755
--- a/src/fripost-postinst-udeb/finish-install.d/07fripost
+++ b/src/fripost-postinst-udeb/finish-install.d/07fripost
@@ -286,3 +286,7 @@ progress "Copying authorized_keys to ~$user/.ssh"
[ -d /target"$home/.ssh" ] || mkdir -m0700 /target"$home/.ssh"
copy_authorized_keys $import/authorized_keys /target"$home/.ssh/authorized_keys"
chown -R "$ugid" /target"$home/.ssh" # Probably 1000:1000, but who knows
+
+# Enable ssh login for "$user"
+/bin/in-target /usr/sbin/addgroup --system ssh-login
+/bin/in-target /usr/sbin/adduser "$user" ssh-login
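Review bot: Neither added command has its exit status checked, so a failed `addgroup` or `adduser` here would leave the installed system with `AllowGroups ssh-login` in sshd_config and nobody in that group. Together with the `PermitRootLogin no` visible in the same sshd_config, that means no SSH access at all until someone repairs it from the console. Unless the script already runs under `set -e` (not visible, since it starts outside this hunk), make the failure fatal or at least visible, e.g. `/bin/in-target /usr/sbin/adduser "$user" ssh-login || exit 1`, and likewise for the `addgroup` line.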
diff --git a/src/fripost-postinst-udeb/sshd_config b/src/fripost-postinst-udeb/sshd_config
index e81b272..4281ad1 100644
--- a/src/fripost-postinst-udeb/sshd_config
+++ b/src/fripost-postinst-udeb/sshd_config
@@ -16,7 +16,7 @@ LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
-AllowGroups ssh
+AllowGroups ssh-login
StrictModes yes
PubkeyAuthentication yes