initial commit of file from CVS for e-smith-openssh on Thu Jul 13 12:50:02 AEST 2023

This commit is contained in:
Trevor Batley
2023-07-13 12:50:02 +10:00
parent 0990ad9bc0
commit 5b637d96ad
90 changed files with 2123 additions and 2 deletions


@@ -0,0 +1,4 @@
{
$OUT .= $DB->hosts_allow_spec('sshd');
$OUT .= " EXCEPT /etc/hosts.deny_ssh" if ( ( -f "/etc/hosts.deny_ssh") && ($denyhosts{'status'} || 'disabled') eq "enabled" );
}


@@ -0,0 +1,25 @@
{
my $abtries = ${'sshd'}{'AutoBlockTries'} || "4";
my $abtime = ${'sshd'}{'AutoBlockTime'} || "900";
my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
$OUT .=<<"EOF";
# Create a whitelist
/sbin/iptables --new-chain SSH_Whitelist
/sbin/iptables --new-chain SSH_Whitelist_1
/sbin/iptables --append SSH_Whitelist -j SSH_Whitelist_1
# Use recent packets match to block SSH from sites generating
# $abtries connections within $abtime seconds
# Check/clear IP block status in /proc/net/xt_recent/SSH
/sbin/iptables --new-chain SSH_Autoblock
# First check if not whitelisted
/sbin/iptables --append SSH_Autoblock --proto tcp --dport $sshd_port \\
-m state --state NEW -j SSH_Whitelist
/sbin/iptables --append SSH_Autoblock -m recent --set --name SSH
/sbin/iptables --append SSH_Autoblock -m recent --rcheck --rttl \\
--seconds $abtime --hitcount $abtries --name SSH -j denylog
EOF
}
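Review bot: AutoBlockTries, AutoBlockTime and TCPPort are interpolated straight into the generated iptables commands (`--dport $sshd_port` and `--seconds $abtime --hitcount $abtries`) with no check that they are numeric, so a stray value in the configuration database yields a rule that iptables rejects and leaves the SSH_Autoblock chain incomplete, unless the generated script aborts on a failed command, which is not visible here. The same unvalidated TCPPort is reused in the `$NEW_InboundTCP` hook, the SSH_Whitelist rebuild and the sshd_config `Port` fragment later in this commit. A one-line guard per value keeps the generated script well-formed, e.g. `die "sshd AutoBlockTries must be a positive integer\n" unless $abtries =~ m{\A\d+\z};`.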


@@ -0,0 +1,13 @@
{
my $sshd_autoblock = ${'sshd'}{'AutoBlock'} || "enabled";
my $sshd_public = ${'sshd'}{'access'} || "private";
my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
if ($sshd_autoblock eq "enabled" && $sshd_public eq "public" ) {
$OUT = " # SSH autoblock enabled - send new SSH connects through recent IPs filter\n";
$OUT .= " /sbin/iptables --append \$NEW_InboundTCP --proto tcp --dport $sshd_port \\\n";
$OUT .= " -m state --state NEW -j SSH_Autoblock\n"
} else {
$OUT = " # SSH autoblock disabled or sshd access is private\n";
}
}


@@ -0,0 +1,44 @@
{
# SSH_Whitelist
my $sshd_port = ${'sshd'}{'TCPPort'} || "22";
# Find the current SSH_Whitelit_$$ chain, and create a new one.
$OUT .=<<'EOF';
OLD_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter find)
NEW_SSH_Whitelist=$(get_safe_id SSH_Whitelist filter new)
/sbin/iptables --new-chain $NEW_SSH_Whitelist
EOF
# here we add the content from sshd ValidFrom
# or create a new one dedicated for sshd
my @vals = split ",", ($sshd{ValidFrom} || '');
#$OUT .="#sshd whitelist content : "
#$OUT .= join " ", @vals;
foreach my $ip ( @vals ){
$OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist -s $ip";
$OUT .= " -p tcp";
$OUT .= " --dport $sshd_port" ;
$OUT .= " -j ACCEPT\n";
}
$OUT .= " /sbin/iptables --append \$NEW_SSH_Whitelist" .
" -j RETURN\n";
# Having created a new SSH_Whitelist chain, activate it and destroy the old one.
$OUT .=<<'EOF';
/sbin/iptables --replace SSH_Whitelist 1 \
--jump $NEW_SSH_Whitelist
/sbin/iptables --flush $OLD_SSH_Whitelist
/sbin/iptables --delete-chain $OLD_SSH_Whitelist
EOF
# SSH_Autoblock
my $abtries = ${'sshd'}{'AutoBlockTries'} || "4";
my $abtime = ${'sshd'}{'AutoBlockTime'} || "900";
$OUT .=<<"EOF";
/sbin/iptables --replace SSH_Autoblock 3 -m recent --rcheck --rttl \\
--seconds $abtime --hitcount $abtries --name SSH -j denylog
# Clear SSH_Autoblock site history too
echo / > /proc/net/xt_recent/SSH
EOF
}
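Review bot: Each element of `ValidFrom` is interpolated into `-s $ip` with no validation or whitespace trimming, so an empty element from a doubled comma, an IPv6 address or a typo produces an iptables command that fails, and because the old chain is flushed and deleted right afterwards that entry is simply absent from the new whitelist (or the whole run aborts, depending on the generated script's error handling, which is not visible here). Add a guard inside the loop, e.g. `$ip =~ s{\A\s+|\s+\z}{}g;` followed by `next unless $ip =~ m{\A[\d.]+(?:/\d{1,2})?\z};`. Both `--replace SSH_Whitelist 1` here and `--replace SSH_Autoblock 3` at the end depend on the rule positions laid down by the chain-creation template, which deserves a comment so the two templates are changed together. The comment `SSH_Whitelit_$$` has a typo (`SSH_Whitelist`), and the two commented-out debug lines can go.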


@@ -0,0 +1 @@
logfacility = LOG_USER


@@ -0,0 +1 @@
umask = 022


@@ -0,0 +1,22 @@
{
use esmith::AccountsDB;
my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n";
$OUT = '';
for my $user ( $adb->users )
{
my %props = $user->props;
$props{AllowRSSH} ||= 'unknown';
next unless ($props{PasswordSet} eq 'yes');
next if ($props{AllowRSSH} eq 'no');
next unless ($props{AllowRSSH} eq 'yes' or
$props{VPNClientAccess} eq 'yes');
$OUT .= "user = " . $user->key . ":022:11111:" . "\n";
}
}
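Review bot: `$props{PasswordSet} eq 'yes'` and `$props{VPNClientAccess} eq 'yes'` compare values that may be undefined, which emits an uninitialized-value warning for every user lacking those properties if warnings are enabled in the template processor, whereas AllowRSSH is defaulted one line earlier; default the other two the same way, e.g. `next unless ($props{PasswordSet} || '') eq 'yes';` and `($props{VPNClientAccess} || '') eq 'yes'`. Every matching user is emitted with access bits `11111`, which in rssh.conf enables all five rssh-mediated commands as I read the format, so a user with only VPNClientAccess gets the full set; if that is broader than intended, narrow it here, and a comment naming the field order (`user:umask:access bits:chroot`) would help the next reader.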


@@ -0,0 +1 @@
$AddUnixListenSocket /var/empty/sshd/dev/log


@@ -0,0 +1,6 @@
#sshd
if $programname == 'sshd' and $syslogfacility-text == 'authpriv' then /var/log/secure
:programname, isequal, "sshd" /var/log/sshd/sshd.log
& stop


@@ -0,0 +1 @@
Host *


@@ -0,0 +1 @@
Port 22


@@ -0,0 +1 @@
Protocol 2


@@ -0,0 +1 @@
Cipher blowfish
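Review bot: `Cipher` (singular) is the SSH protocol 1 client option, and the `Protocol 2` fragment above already excludes protocol 1, so this line is inert on clients that still parse it and is treated as a deprecated, ignored keyword on OpenSSH 7.6 and later, which removed protocol 1 entirely; blowfish-cbc is also a legacy cipher. Dropping the fragment avoids shipping a setting that suggests a weak cipher is in use. The protocol 2 cipher list is governed by the `Ciphers` fragment that follows.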


@@ -0,0 +1 @@
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc
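Review bot: The client cipher list re-enables `aes256-cbc,aes192-cbc,aes128-cbc`, which OpenSSH dropped from its default list in 6.7 because of the known plaintext-recovery weaknesses of CBC mode in SSH, while the server-side `Ciphers` fragment later in this commit lists only AEAD and CTR modes. Unless a legacy server that only speaks CBC must still be reached, trim the line to the same set as the sshd fragment; if the CBC entries stay, a comment saying which peer needs them would keep them from being removed or kept by accident.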


@@ -0,0 +1 @@
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
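Review bot: The list names `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com` (SHA-1 signatures) but not `rsa-sha2-512`/`rsa-sha2-256` or their `-cert-v01@openssh.com` forms, so an RSA host key can only be verified with a SHA-1 signature; OpenSSH 8.8 and later disable `ssh-rsa` by default, so against such a server with only an RSA host key the connection fails unless the server has re-enabled it. Add the SHA-2 RSA algorithms ahead of `ssh-rsa` or drop `ssh-rsa` entirely, e.g. `...,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,...`.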


@@ -0,0 +1 @@
GSSAPIAuthentication yes


@@ -0,0 +1,5 @@
#ForwardX11 no
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
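Review bot: `ForwardX11Trusted yes` makes every forwarded X11 session (whenever a user passes `-X` or enables ForwardX11) give the remote host's clients the same access to the local display as local clients, including other applications' windows and input, because the X security extension is not applied; the comment gives the compatibility reason but this is a global default for all users of the client configuration. Keeping the OpenSSH default (`no`) and letting users request trusted forwarding per connection with `-Y` confines the exposure to sessions that need it. If the default stays, extend the comment to state the trust implication, e.g. `# Trusted forwarding lets remote X clients read and inject input on the local display.`.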


@@ -0,0 +1,5 @@
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL


@@ -0,0 +1,5 @@
{
my $ssh_port = $sshd{'TCPPort'} || 22;
$OUT = "Port $ssh_port";
}


@@ -0,0 +1,10 @@
{
my $access = $sshd{'access'} || 'private';
my $address = ($access eq "public") ? "0.0.0.0" : "$LocalIP";
$OUT .= "ListenAddress $address";
# Another alternative is: "ListenAddress ::"
}
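Review bot: `"$LocalIP"` quotes a single variable to no effect; `$LocalIP` alone reads cleaner and is what perlcritic expects. The block appends to `$OUT` with `.=` while most sibling fragments assign with `=`, which only matters if something earlier in the template writes to it. Public mode binds `0.0.0.0` only, so an IPv6-capable host never listens on v6; since the comment already hints at `ListenAddress ::`, a sentence saying whether v6 is intentionally excluded would help.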


@@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_key
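Review bot: `/etc/ssh/ssh_host_key` is the protocol 1 (RSA1) host key, which the `Protocol 2` fragment in the same sshd_config excludes and OpenSSH 7.4 and later do not support at all, and `/etc/ssh/ssh_host_dsa_key` in the next fragment is an `ssh-dss` key that sshd has not offered by default since 7.0; each missing or unsupported file produces a `Could not load host key` error at startup. Dropping both fragments and keeping the ecdsa, ed25519 and rsa ones avoids the log noise and the leftover weak key material.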


@@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_dsa_key


@@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_ecdsa_key


@@ -0,0 +1,2 @@
HostKey /etc/ssh/ssh_host_ed25519_key


@@ -0,0 +1 @@
HostKey /etc/ssh/ssh_host_rsa_key


@@ -0,0 +1,4 @@
{
my $LoginGraceTime = $sshd{LoginGraceTime} || "600";
$OUT = "LoginGraceTime $LoginGraceTime";
}
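Review bot: The fallback `"600"` keeps an unauthenticated connection open for ten minutes, five times the sshd default of 120 seconds; combined with the `MaxStartups` fragment's `10:30:60`, a handful of idle clients can hold the unauthenticated slots far longer than needed and trip the rate limiting sooner. Unless a slow-login case requires it, use the sshd default as the fallback: `my $LoginGraceTime = $sshd{LoginGraceTime} || "120";`.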


@@ -0,0 +1 @@
Protocol 2


@@ -0,0 +1,4 @@
{
my $pam = $sshd{UsePAM} || "no";
$OUT = "UsePAM $pam";
}


@@ -0,0 +1 @@
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256


@@ -0,0 +1 @@
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr


@@ -0,0 +1 @@
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


@@ -0,0 +1 @@
ChallengeResponseAuthentication no


@@ -0,0 +1 @@
Compression yes


@@ -0,0 +1,4 @@
{ #
# Don't read ~/.rhosts and ~/.shosts files
}
IgnoreRhosts yes


@@ -0,0 +1,4 @@
{
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
}


@@ -0,0 +1 @@
KbdInteractiveAuthentication no


@@ -0,0 +1,7 @@
{
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
}


@@ -0,0 +1,4 @@
{
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
}


@@ -0,0 +1,8 @@
{
# MaxAuthTries specifies the maximum number of authentication
# attempts permitted per connection. Once the number of failures
# reaches half this value, additional failures are logged. The
# sshd default is 6 - we consider that too many.
my $MaxAuthTries = $sshd{MaxAuthTries} || "2";
$OUT = "MaxAuthTries $MaxAuthTries";
}
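Review bot: With a fallback of `2`, a client whose agent offers several public keys is disconnected after the second rejected key, because each key offered counts as an authentication attempt; users with more than two keys loaded see `Too many authentication failures` even though the right key is present and must resort to `IdentitiesOnly`. If 2 is intentional, say so in the comment, e.g. `# Note: each public key a client offers counts as one attempt.`; otherwise a fallback of 3 or 4 still stays well below the sshd default of 6 mentioned in the comment.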


@@ -0,0 +1,9 @@
{
# Maximum number of concurrent unauthenticated connections
# The values are start:rate:full - start is when the rate limiter
# will kick in, rate is the percentage of new connections dropped and
# full is when all new connections are refused
# See sshd(1) for more details.
my $MaxStartups = $sshd{MaxStartups} || "10:30:60";
$OUT = "MaxStartups $MaxStartups";
}


@@ -0,0 +1,6 @@
{ # To disable tunneled clear text passwords, change to no here!
my $PasswordAuthentication = $sshd{'PasswordAuthentication'} || 'no';
$OUT = "PasswordAuthentication ";
$OUT .= ($PasswordAuthentication eq "yes") ? "yes" : "no";
}


@@ -0,0 +1 @@
PermitEmptyPasswords no


@@ -0,0 +1,14 @@
{
my $PermitRootLogin = $sshd{'PermitRootLogin'} || "no";
my $status = $sshd{'status'} || 'disabled';
$OUT .= "PermitRootLogin ";
if ( $status ne 'enabled' ) {
$OUT .= 'no';
} elsif ( $PermitRootLogin eq 'yes' ) {
$OUT .= 'yes';
} elsif ( $PermitRootLogin eq 'key' || $PermitRootLogin eq 'nopass' ) {
$OUT .= 'without-password';
} else {
$OUT .= 'no';
}
}
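Review bot: `without-password` is the pre-7.0 spelling; OpenSSH renamed it `prohibit-password` in 7.0 and keeps the old name only as a deprecated alias, so the elsif branch should emit `$OUT .= 'prohibit-password';` (the `key`/`nopass` database values can stay as they are). The block also appends to `$OUT` with `.=` where the sibling fragments assign with `=`, which is harmless as long as nothing earlier in the template writes to it.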


@@ -0,0 +1,5 @@
{
# Uncomment to disable s/key passwords
#SkeyAuthentication no
#KbdInteractiveAuthentication yes
}


@@ -0,0 +1 @@
StrictModes yes


@@ -0,0 +1 @@
UsePrivilegeSeparation yes
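Review bot: `UsePrivilegeSeparation` stopped being configurable in OpenSSH 7.5, where privilege separation became mandatory, and sshd since then treats the keyword as deprecated and logs a warning for it at startup. On such versions the fragment can be dropped without changing behaviour; if older sshd builds must still be supported, a comment saying so would explain why the line is kept.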


@@ -0,0 +1,11 @@
{
# NOTE: This just provides a path independent way to access the sftp server
# With this disabled, you can still specify a path to the sftp client
# so we default to enabling sftp
my $SubsystemSftp = $sshd{"SubsystemSftp"} || "yes";
$OUT = ($SubsystemSftp eq "yes") ?
"Subsystem sftp /usr/libexec/openssh/sftp-server" :
"# The sftp Subsystem is disabled in the configuration database";
}


@@ -0,0 +1 @@
X11DisplayOffset 10


@@ -0,0 +1 @@
X11Forwarding no


@@ -0,0 +1,5 @@
{
my $count = $sshd{ClientAliveCountMax} || 3;
$OUT = "ClientAliveCountMax $count\n";
}
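Review bot: `$sshd{ClientAliveCountMax} || 3` turns a configured value of `0` into `3`, and the same `||` in the ClientAliveInterval fragment that follows does the same; for ClientAliveInterval, 0 is sshd's own default (keepalives off) and for ClientAliveCountMax recent sshd accepts 0 to disable termination, so neither can be expressed through the database. Test for definedness instead: `my $count = defined $sshd{ClientAliveCountMax} ? $sshd{ClientAliveCountMax} : 3;`. The trailing `\n` in these two fragments differs from the neighbouring ones that omit it, which is harmless but inconsistent.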


@@ -0,0 +1,5 @@
{
my $interval = $sshd{ClientAliveInterval} || 15;
$OUT = "ClientAliveInterval $interval\n";
}


@@ -0,0 +1,13 @@
{
my $MotdStatus = $sshd{'MotdStatus'} || 'enabled';
if ( $MotdStatus eq 'disabled' )
{
$OUT .= "PrintMotd no\n";
}
else
{
$OUT .= "PrintMotd yes\n";
}
}


@@ -0,0 +1,3 @@
{
#UseLogin no
}


@@ -0,0 +1,4 @@
{ # Logging }
SyslogFacility AUTH
LogLevel INFO
{ #obsoletes QuietMode and FascistLogging }