From 77ec2e80ad7085fb5f35a4624ac16bb65d580ca8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 16 Apr 2014 19:39:36 +0200
Subject: Restrict SSH login to members of the 'ssh-login' group.

Don't use the group 'ssh', as it's automatically created by openssh-client's postinstall hook, and is used for ssh-agent's setgid.
---
 preseed.cfg | 1 -
 src/fripost-postinst-udeb/finish-install.d/07fripost | 4 ++++
 src/fripost-postinst-udeb/sshd_config | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/preseed.cfg b/preseed.cfg
index 6428063..c9ecbb9 100644
--- a/preseed.cfg
+++ b/preseed.cfg
@@ -80,7 +80,6 @@ d-i passwd/user-fullname string Guilhem Moulin
 d-i passwd/username string guilhem
 # TODO: should be generated by preseed.sh: echo ... | mkpasswd -s -m SHA-512
 d-i passwd/user-password-crypted password $6$QjLeZdW1O$9VymVDc5q6NctEylAqObvmP4S7FXk1ckCPaHua0JaiFSaTeTKoWxaP7bQoUWvzCPDY23Xqthg87QDBbaCY9BP0
-d-i passwd/user-default-groups string ssh
 ################################################################################
diff --git a/src/fripost-postinst-udeb/finish-install.d/07fripost b/src/fripost-postinst-udeb/finish-install.d/07fripost
index 2dfb98b..6b5d7b1 100755
--- a/src/fripost-postinst-udeb/finish-install.d/07fripost
+++ b/src/fripost-postinst-udeb/finish-install.d/07fripost
@@ -286,3 +286,7 @@ progress "Copying authorized_keys to ~$user/.ssh"
 [ -d /target"$home/.ssh" ] || mkdir -m0700 /target"$home/.ssh"
 copy_authorized_keys $import/authorized_keys /target"$home/.ssh/authorized_keys"
 chown -R "$ugid" /target"$home/.ssh" # Probably 1000:1000, but who knows
+
+# Enable ssh login for "$user"
+/bin/in-target /usr/sbin/addgroup --system ssh-login
+/bin/in-target /usr/sbin/adduser "$user" ssh-login
diff --git a/src/fripost-postinst-udeb/sshd_config b/src/fripost-postinst-udeb/sshd_config
index e81b272..4281ad1 100644
--- a/src/fripost-postinst-udeb/sshd_config
+++ b/src/fripost-postinst-udeb/sshd_config
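Review bot: The two added `/bin/in-target` calls at the end of 07fripost are not checked, and since the sshd_config hunk in this same commit now has `AllowGroups ssh-login` next to `PermitRootLogin no`, a failure of either `addgroup` or `adduser` leaves the installed system with no SSH login at all — a silent fail-closed lockout rather than a loud installer error. Whether the script runs under `set -e` cannot be seen here (the rest of 07fripost, including any error helper, is outside the hunk), and as far as I recall `addgroup --system` exits 0 for an existing system group but non-zero for an existing non-system group of the same name, so a preseeded or re-run install would behave differently from a fresh one. I would make the membership step explicit, e.g. `/bin/in-target /usr/sbin/adduser "$user" ssh-login || { echo "E: cannot add $user to group ssh-login; SSH login will be refused" >&2; exit 1; }`, and extend the comment to `# Enable ssh login for "$user" (sshd_config restricts logins to AllowGroups ssh-login, so this must succeed)`.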
@@ -16,7 +16,7 @@ LogLevel INFO
 # Authentication:
 LoginGraceTime 120
 PermitRootLogin no
-AllowGroups ssh
+AllowGroups ssh-login
 StrictModes yes
 PubkeyAuthentication yes
--
cgit v1.2.3