Browse Source
new: [rsync-backup-target] a key identifier is now required and enforced
new: [rsync-backup-target] a key identifier is now required and enforced
The key identifier will be used to fence each key in its own folder. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>lokavaluto/dev/master
Valentin Lab
5 years ago
6 changed files with 195 additions and 56 deletions
-
22rsync-backup-target/build/Dockerfile
-
12rsync-backup-target/build/entrypoint.sh
-
118rsync-backup-target/build/src/etc/ssh/sshd_config
-
23rsync-backup-target/build/src/etc/sudoers.d/rsync
-
51rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate
-
25rsync-backup-target/hooks/init
@ -0,0 +1,118 @@ |
|||
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ |
|||
|
|||
# This is the sshd server system-wide configuration file. See |
|||
# sshd_config(5) for more information. |
|||
|
|||
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin |
|||
|
|||
# The strategy used for options in the default sshd_config shipped with |
|||
# OpenSSH is to specify options with their default value where |
|||
# possible, but leave them commented. Uncommented options override the |
|||
# default value. |
|||
|
|||
#Port 22 |
|||
#AddressFamily any |
|||
#ListenAddress 0.0.0.0 |
|||
#ListenAddress :: |
|||
|
|||
#HostKey /etc/ssh/ssh_host_rsa_key |
|||
#HostKey /etc/ssh/ssh_host_ecdsa_key |
|||
#HostKey /etc/ssh/ssh_host_ed25519_key |
|||
|
|||
# Ciphers and keying |
|||
#RekeyLimit default none |
|||
|
|||
# Logging |
|||
#SyslogFacility AUTH |
|||
#LogLevel INFO |
|||
|
|||
# Authentication: |
|||
|
|||
#LoginGraceTime 2m |
|||
#PermitRootLogin prohibit-password |
|||
#StrictModes yes |
|||
#MaxAuthTries 6 |
|||
#MaxSessions 10 |
|||
|
|||
#PubkeyAuthentication yes |
|||
|
|||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
|||
# but this is overridden so installations will only check .ssh/authorized_keys |
|||
AuthorizedKeysFile .ssh/authorized_keys |
|||
|
|||
#AuthorizedPrincipalsFile none |
|||
|
|||
#AuthorizedKeysCommand none |
|||
#AuthorizedKeysCommandUser nobody |
|||
|
|||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
|||
#HostbasedAuthentication no |
|||
# Change to yes if you don't trust ~/.ssh/known_hosts for |
|||
# HostbasedAuthentication |
|||
#IgnoreUserKnownHosts no |
|||
# Don't read the user's ~/.rhosts and ~/.shosts files |
|||
#IgnoreRhosts yes |
|||
|
|||
# To disable tunneled clear text passwords, change to no here! |
|||
PasswordAuthentication no |
|||
PermitEmptyPasswords no |
|||
|
|||
# Change to no to disable s/key passwords |
|||
ChallengeResponseAuthentication no |
|||
|
|||
# Kerberos options |
|||
#KerberosAuthentication no |
|||
#KerberosOrLocalPasswd yes |
|||
#KerberosTicketCleanup yes |
|||
#KerberosGetAFSToken no |
|||
|
|||
# GSSAPI options |
|||
#GSSAPIAuthentication no |
|||
#GSSAPICleanupCredentials yes |
|||
|
|||
# Set this to 'yes' to enable PAM authentication, account processing, |
|||
# and session processing. If this is enabled, PAM authentication will |
|||
# be allowed through the ChallengeResponseAuthentication and |
|||
# PasswordAuthentication. Depending on your PAM configuration, |
|||
# PAM authentication via ChallengeResponseAuthentication may bypass |
|||
# the setting of "PermitRootLogin without-password". |
|||
# If you just want the PAM account and session checks to run without |
|||
# PAM authentication, then enable this but set PasswordAuthentication |
|||
# and ChallengeResponseAuthentication to 'no'. |
|||
#UsePAM yes |
|||
|
|||
#AllowAgentForwarding yes |
|||
# Feel free to re-enable these if your use case requires them. |
|||
AllowTcpForwarding no |
|||
GatewayPorts no |
|||
X11Forwarding no |
|||
#X11DisplayOffset 10 |
|||
#X11UseLocalhost yes |
|||
#PermitTTY yes |
|||
#PrintMotd yes |
|||
#PrintLastLog yes |
|||
#TCPKeepAlive yes |
|||
#PermitUserEnvironment no |
|||
#Compression delayed |
|||
#ClientAliveInterval 0 |
|||
#ClientAliveCountMax 3 |
|||
#UseDNS no |
|||
#PidFile /run/sshd.pid |
|||
#MaxStartups 10:30:100 |
|||
PermitTunnel no |
|||
#ChrootDirectory none |
|||
#VersionAddendum none |
|||
|
|||
# no default banner path |
|||
#Banner none |
|||
|
|||
# override default of no subsystems |
|||
#Subsystem sftp /usr/lib/ssh/sftp-server |
|||
|
|||
# Example of overriding settings on a per-user basis |
|||
#Match User anoncvs |
|||
# X11Forwarding no |
|||
# AllowTcpForwarding no |
|||
# PermitTTY no |
|||
# ForceCommand cvs server |
|||
|
@ -1,21 +1,4 @@ |
|||
## allow rsync to access /var/mirror |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRz --delete . /var/mirror/* |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLs --delete . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLsf --delete . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLsf --bwlimit=200 --delete . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsf --delete . /var/mirror/* |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLs --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLs --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlHogDtpArRze.iLs --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsf --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsf --bwlimit=200 --delete . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsfx --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArze.iLsfx --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlHogDtpArRze.iLsfx --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|||
## allow rsync to access /var/mirror, this is really not sufficient, but |
|||
## the real check is done on the ``ssh-cmd-validate`` side. |
|||
|
|||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server * . /var/mirror/* |
@ -1,22 +1,43 @@ |
|||
#!/bin/sh |
|||
#!/bin/bash |
|||
|
|||
## Note that the shebang is not used, but it's the login shell that |
|||
## will execute this command. |
|||
|
|||
exname=$(basename "$0") |
|||
|
|||
if [ -z "$1" ] || ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]]; then |
|||
logger -t "$exname" "INVALID SETUP, ARG IS: '$1'" |
|||
echo "Your command has been rejected. Contact administrator." |
|||
exit 1 |
|||
fi |
|||
|
|||
reject() { |
|||
logger -t "$exname" "REJECTED: $SSH_ORIGINAL_COMMAND" |
|||
echo "Your command has been rejected and reported to sys admin." |
|||
# echo "ORIG: $SSH_ORIGINAL_COMMAND" >&2 |
|||
echo "Your command has been rejected and reported to sys admin." >&2 |
|||
exit 1 |
|||
} |
|||
|
|||
case "$SSH_ORIGINAL_COMMAND" in |
|||
*\&* | *\(* | *\{* | *\;* | *\<* | *\`*) |
|||
reject |
|||
;; |
|||
md5sum\ /var/mirror/*|find\ /var/mirror/*|rsync\ --server*) |
|||
echo "ACCEPTED: $SSH_ORIGINAL_COMMAND" >/tmp/accepted |
|||
logger -t "$exname" "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|||
sudo $SSH_ORIGINAL_COMMAND |
|||
;; |
|||
*) |
|||
reject |
|||
;; |
|||
esac |
|||
|
|||
if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then |
|||
# echo "Bad chars: $SSH_ORIGINAL_COMMAND" >&2 |
|||
reject |
|||
fi |
|||
|
|||
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vloHgDtpArRzCeiLsfx\.]+(" --"[a-z-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$1"$ ]]; then |
|||
logger -t "$exname" "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|||
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 |
|||
exec sudo $SSH_ORIGINAL_COMMAND |
|||
else |
|||
reject |
|||
fi |
|||
|
|||
## For other commands, like `find` or `md5`, that could be used to |
|||
## challenge the backups and check that archive is actually |
|||
## functional, I would suggest to write a simple command that takes no |
|||
## arguments, so as to prevent allowing wildcards or suspicious |
|||
## contents. Letting `find` go through is dangerous for instance |
|||
## because of the `-exec`. And path traversal can be done also when |
|||
## allowing /my/path/* by using '..'. This is why a fixed purpose |
|||
## embedded executable will be much simpler to handle, and to be honest |
|||
## we don't need much more. |
Write
Preview
Loading…
Cancel
Save
Reference in new issue