forked from 0k/0k-charms
Browse Source
new: [rsync-backup-target] a key identifier is now required and enforced
new: [rsync-backup-target] a key identifier is now required and enforced
The key identifier will be used to fence each key in its own folder. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>0k/dev/master
Valentin Lab
5 years ago
6 changed files with 195 additions and 56 deletions
-
22rsync-backup-target/build/Dockerfile
-
12rsync-backup-target/build/entrypoint.sh
-
118rsync-backup-target/build/src/etc/ssh/sshd_config
-
23rsync-backup-target/build/src/etc/sudoers.d/rsync
-
51rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate
-
25rsync-backup-target/hooks/init
@ -0,0 +1,118 @@ |
|||||
|
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ |
||||
|
|
||||
|
# This is the sshd server system-wide configuration file. See |
||||
|
# sshd_config(5) for more information. |
||||
|
|
||||
|
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin |
||||
|
|
||||
|
# The strategy used for options in the default sshd_config shipped with |
||||
|
# OpenSSH is to specify options with their default value where |
||||
|
# possible, but leave them commented. Uncommented options override the |
||||
|
# default value. |
||||
|
|
||||
|
#Port 22 |
||||
|
#AddressFamily any |
||||
|
#ListenAddress 0.0.0.0 |
||||
|
#ListenAddress :: |
||||
|
|
||||
|
#HostKey /etc/ssh/ssh_host_rsa_key |
||||
|
#HostKey /etc/ssh/ssh_host_ecdsa_key |
||||
|
#HostKey /etc/ssh/ssh_host_ed25519_key |
||||
|
|
||||
|
# Ciphers and keying |
||||
|
#RekeyLimit default none |
||||
|
|
||||
|
# Logging |
||||
|
#SyslogFacility AUTH |
||||
|
#LogLevel INFO |
||||
|
|
||||
|
# Authentication: |
||||
|
|
||||
|
#LoginGraceTime 2m |
||||
|
#PermitRootLogin prohibit-password |
||||
|
#StrictModes yes |
||||
|
#MaxAuthTries 6 |
||||
|
#MaxSessions 10 |
||||
|
|
||||
|
#PubkeyAuthentication yes |
||||
|
|
||||
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 |
||||
|
# but this is overridden so installations will only check .ssh/authorized_keys |
||||
|
AuthorizedKeysFile .ssh/authorized_keys |
||||
|
|
||||
|
#AuthorizedPrincipalsFile none |
||||
|
|
||||
|
#AuthorizedKeysCommand none |
||||
|
#AuthorizedKeysCommandUser nobody |
||||
|
|
||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts |
||||
|
#HostbasedAuthentication no |
||||
|
# Change to yes if you don't trust ~/.ssh/known_hosts for |
||||
|
# HostbasedAuthentication |
||||
|
#IgnoreUserKnownHosts no |
||||
|
# Don't read the user's ~/.rhosts and ~/.shosts files |
||||
|
#IgnoreRhosts yes |
||||
|
|
||||
|
# To disable tunneled clear text passwords, change to no here! |
||||
|
PasswordAuthentication no |
||||
|
PermitEmptyPasswords no |
||||
|
|
||||
|
# Change to no to disable s/key passwords |
||||
|
ChallengeResponseAuthentication no |
||||
|
|
||||
|
# Kerberos options |
||||
|
#KerberosAuthentication no |
||||
|
#KerberosOrLocalPasswd yes |
||||
|
#KerberosTicketCleanup yes |
||||
|
#KerberosGetAFSToken no |
||||
|
|
||||
|
# GSSAPI options |
||||
|
#GSSAPIAuthentication no |
||||
|
#GSSAPICleanupCredentials yes |
||||
|
|
||||
|
# Set this to 'yes' to enable PAM authentication, account processing, |
||||
|
# and session processing. If this is enabled, PAM authentication will |
||||
|
# be allowed through the ChallengeResponseAuthentication and |
||||
|
# PasswordAuthentication. Depending on your PAM configuration, |
||||
|
# PAM authentication via ChallengeResponseAuthentication may bypass |
||||
|
# the setting of "PermitRootLogin without-password". |
||||
|
# If you just want the PAM account and session checks to run without |
||||
|
# PAM authentication, then enable this but set PasswordAuthentication |
||||
|
# and ChallengeResponseAuthentication to 'no'. |
||||
|
#UsePAM yes |
||||
|
|
||||
|
#AllowAgentForwarding yes |
||||
|
# Feel free to re-enable these if your use case requires them. |
||||
|
AllowTcpForwarding no |
||||
|
GatewayPorts no |
||||
|
X11Forwarding no |
||||
|
#X11DisplayOffset 10 |
||||
|
#X11UseLocalhost yes |
||||
|
#PermitTTY yes |
||||
|
#PrintMotd yes |
||||
|
#PrintLastLog yes |
||||
|
#TCPKeepAlive yes |
||||
|
#PermitUserEnvironment no |
||||
|
#Compression delayed |
||||
|
#ClientAliveInterval 0 |
||||
|
#ClientAliveCountMax 3 |
||||
|
#UseDNS no |
||||
|
#PidFile /run/sshd.pid |
||||
|
#MaxStartups 10:30:100 |
||||
|
PermitTunnel no |
||||
|
#ChrootDirectory none |
||||
|
#VersionAddendum none |
||||
|
|
||||
|
# no default banner path |
||||
|
#Banner none |
||||
|
|
||||
|
# override default of no subsystems |
||||
|
#Subsystem sftp /usr/lib/ssh/sftp-server |
||||
|
|
||||
|
# Example of overriding settings on a per-user basis |
||||
|
#Match User anoncvs |
||||
|
# X11Forwarding no |
||||
|
# AllowTcpForwarding no |
||||
|
# PermitTTY no |
||||
|
# ForceCommand cvs server |
||||
|
|
@ -1,21 +1,4 @@ |
|||||
## allow rsync to access /var/mirror |
|
||||
|
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRz --delete . /var/mirror/* |
|
||||
|
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLs --delete . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLsf --delete . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLsf --bwlimit=200 --delete . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsf --delete . /var/mirror/* |
|
||||
|
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLs --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
|
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtprRze.iLs --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
|
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlHogDtpArRze.iLs --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
|
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsf --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsf --bwlimit=200 --delete . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArRze.iLsfx --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlogDtpArze.iLsfx --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server -vlHogDtpArRze.iLsfx --delete --partial-dir .rsync-partial --numeric-ids . /var/mirror/* |
|
||||
|
## allow rsync to access /var/mirror, this is really not sufficient, but |
||||
|
## the real check is done on the ``ssh-cmd-validate`` side. |
||||
|
|
||||
|
rsync ALL=(root) NOPASSWD: /usr/bin/rsync --server * . /var/mirror/* |
@ -1,22 +1,43 @@ |
|||||
#!/bin/sh |
|
||||
|
#!/bin/bash |
||||
|
|
||||
|
## Note that the shebang is not used, but it's the login shell that |
||||
|
## will execute this command. |
||||
|
|
||||
exname=$(basename "$0") |
exname=$(basename "$0") |
||||
|
|
||||
|
if [ -z "$1" ] || ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]]; then |
||||
|
logger -t "$exname" "INVALID SETUP, ARG IS: '$1'" |
||||
|
echo "Your command has been rejected. Contact administrator." |
||||
|
exit 1 |
||||
|
fi |
||||
|
|
||||
reject() { |
reject() { |
||||
logger -t "$exname" "REJECTED: $SSH_ORIGINAL_COMMAND" |
logger -t "$exname" "REJECTED: $SSH_ORIGINAL_COMMAND" |
||||
echo "Your command has been rejected and reported to sys admin." |
|
||||
|
# echo "ORIG: $SSH_ORIGINAL_COMMAND" >&2 |
||||
|
echo "Your command has been rejected and reported to sys admin." >&2 |
||||
|
exit 1 |
||||
} |
} |
||||
|
|
||||
case "$SSH_ORIGINAL_COMMAND" in |
|
||||
*\&* | *\(* | *\{* | *\;* | *\<* | *\`*) |
|
||||
reject |
|
||||
;; |
|
||||
md5sum\ /var/mirror/*|find\ /var/mirror/*|rsync\ --server*) |
|
||||
echo "ACCEPTED: $SSH_ORIGINAL_COMMAND" >/tmp/accepted |
|
||||
logger -t "$exname" "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|
||||
sudo $SSH_ORIGINAL_COMMAND |
|
||||
;; |
|
||||
*) |
|
||||
reject |
|
||||
;; |
|
||||
esac |
|
||||
|
|
||||
|
if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then |
||||
|
# echo "Bad chars: $SSH_ORIGINAL_COMMAND" >&2 |
||||
|
reject |
||||
|
fi |
||||
|
|
||||
|
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vloHgDtpArRzCeiLsfx\.]+(" --"[a-z-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$1"$ ]]; then |
||||
|
logger -t "$exname" "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
||||
|
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 |
||||
|
exec sudo $SSH_ORIGINAL_COMMAND |
||||
|
else |
||||
|
reject |
||||
|
fi |
||||
|
|
||||
|
## For other commands, like `find` or `md5`, that could be used to |
||||
|
## challenge the backups and check that archive is actually |
||||
|
## functional, I would suggest to write a simple command that takes no |
||||
|
## arguments, so as to prevent allowing wildcards or suspicious |
||||
|
## contents. Letting `find` go through is dangerous for instance |
||||
|
## because of the `-exec`. And path traversal can be done also when |
||||
|
## allowing /my/path/* by using '..'. This is why a fixed purpose |
||||
|
## embedded executable will be much simpler to handle, and to be honest |
||||
|
## we don't need much more. |
Write
Preview
Loading…
Cancel
Save
Reference in new issue