Restrict SSH login to members of the 'ssh-login' group.

Don't use the group 'ssh', as it's automatically created by openssh-client's postinstall hook, and is used for ssh-agent's setgid.
author: Guilhem Moulin <guilhem@fripost.org> 2014-04-16 19:39:36 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 04:28:07 +0200
commit: 77ec2e80ad7085fb5f35a4624ac16bb65d580ca8 (patch)
tree: 8927703d2a499296feac693f1cc0ff40f578959f /src
parent: fb7da2da82b4d90f23d6270d2e64823a8ce6d4b0 (diff)
2 files changed, 5 insertions, 1 deletions
diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost
index 2dfb98b..6b5d7b1 100755
--- a/src/fripost-postinst-udeb/finish-install.d/07fripost
+++ b/src/fripost-postinst-udeb/finish-install.d/07fripost
@@ -286,3 +286,7 @@ progress "Copying authorized_keys to ~$user/.ssh"
 [ -d /target"$home/.ssh" ] || mkdir -m0700 /target"$home/.ssh"
 copy_authorized_keys $import/authorized_keys /target"$home/.ssh/authorized_keys"
 chown -R "$ugid" /target"$home/.ssh" # Probably 1000:1000, but who knows
+
+# Enable ssh login for "$user"
+/bin/in-target /usr/sbin/addgroup --system ssh-login
+/bin/in-target /usr/sbin/adduser  "$user"  ssh-login
diff --git a/src/fripost-postinst-udeb/sshd_config b/src/fripost-postinst-udeb/sshd_config
index e81b272..4281ad1 100644
--- a/src/fripost-postinst-udeb/sshd_config
+++ b/src/fripost-postinst-udeb/sshd_config
@@ -16,7 +16,7 @@ LogLevel INFO
 # Authentication:
 LoginGraceTime 120
 PermitRootLogin no
-AllowGroups ssh
+AllowGroups ssh-login
 StrictModes yes
 
 PubkeyAuthentication yes
author	Guilhem Moulin <guilhem@fripost.org>	2014-04-16 19:39:36 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 04:28:07 +0200
commit	77ec2e80ad7085fb5f35a4624ac16bb65d580ca8 (patch)
tree	8927703d2a499296feac693f1cc0ff40f578959f /src
parent	fb7da2da82b4d90f23d6270d2e64823a8ce6d4b0 (diff)