From 93e846e775c97af17c0e4f74c07957ae1eb5eab4 Mon Sep 17 00:00:00 2001
From: darksider3
Date: Mon, 23 Sep 2019 23:15:28 +0200
Subject: [PATCH 1/4] Big restructure of all directories: config regarding ssh-reg into ssh-reg repository, config regarding ssh and logins itself into config/etc administrate.py to private/ userapplications.py to public/ scripts to private/scripts/
---
 config/applicationsconfig.ini | 23 ++++++++++++
 config/etc/login.defs | 29 +++++++++++++++
 config/etc/ssh/sshd_config | 10 ++++++
 {admin => private}/administrate.py | 0
 private/scripts/delusers.sh | 11 ++++++
 private/scripts/make-tilde-user.sh | 23 ++++++++++++
 private/scripts/testinput.sh | 35 +++++++++++++++++++
 .../useerapplication.py | 0
 8 files changed, 131 insertions(+)
 create mode 100755 config/applicationsconfig.ini
 create mode 100644 config/etc/login.defs
 create mode 100644 config/etc/ssh/sshd_config
 rename {admin => private}/administrate.py (100%)
 create mode 100755 private/scripts/delusers.sh
 create mode 100755 private/scripts/make-tilde-user.sh
 create mode 100755 private/scripts/testinput.sh
 rename application/userapplication.py => public/useerapplication.py (100%)
diff --git a/config/applicationsconfig.ini b/config/applicationsconfig.ini
new file mode 100755
index 0000000..6b0f826
--- /dev/null
+++ b/config/applicationsconfig.ini
@@ -0,0 +1,23 @@
+[DEFAULT]
+base_path=/application/
+applications_db=%(base_path)sapplications.sqlite
+log_dir=/application/
+log_file=%(log_dir)sapplications.log
+user_creationscript=%(base_path)smake-tilde-user.sh
+
+[USERS]
+UserGroup=tilde
+userPWLock=yes
+chmodPerms=0o700
+chmodParams=-Rv
+chownParams=%(chmodParams)s
+chownGroups=%(UserGroup)s:%(UserGroup)s
+
+[LOG_LEVEL]
+log_level=%(log_debug)s
+log_notset=0
+log_debug=10
+log_info=20
+log_warning=30
+log_error=40
+lo0g_critical=50
diff --git a/config/etc/login.defs b/config/etc/login.defs
new file mode 100644
index 0000000..7c810f4
--- /dev/null
+++ b/config/etc/login.defs
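Review bot: `lo0g_critical=50` in the [LOG_LEVEL] section is a typo for `log_critical`, so whatever reads this section by key will not find the critical level; fix the key name. `log_level=%(log_debug)s` also makes debug output the shipped default for a service that logs signup data, which deserves at least a comment, `; debug by default during bring-up, switch to %(log_info)s before exposing the service`. The file is added with mode 100755 although nothing executes it; commit it as 644. The code that consumes these keys (administrate.py, userapplication.py) is only renamed in this series, so I cannot confirm which names it reads.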
@@ -0,0 +1,29 @@
+MAIL_DIR /var/mail
+FAILLOG_ENAB yes
+LOG_UNKFAIL_ENAB no
+LOG_OK_LOGINS no
+SYSLOG_SU_ENAB yes
+SYSLOG_SG_ENAB yes
+FTMP_FILE /var/log/btmp
+SU_NAME su
+HUSHLOGIN_FILE .hushlogin
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+TTYGROUP tty
+TTYPERM 0600
+ERASECHAR 0177
+KILLCHAR 025
+UMASK 022
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+UID_MIN 100000
+UID_MAX 165536
+GID_MIN 100000
+GID_MAX 165536
+LOGIN_RETRIES 5
+LOGIN_TIMEOUT 60
+CHFN_RESTRICT rwh
+DEFAULT_HOME yes
+USERGROUPS_ENAB yes
+ENCRYPT_METHOD SHA512
diff --git a/config/etc/ssh/sshd_config b/config/etc/ssh/sshd_config
new file mode 100644
index 0000000..385ab46
--- /dev/null
+++ b/config/etc/ssh/sshd_config
@@ -0,0 +1,10 @@
+UseDNS no
+Protocol 2
+SyslogFacility AUTHPRIV
+PermitRootLogin no
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+Match User tilde
+ PermitEmptyPasswords yes
diff --git a/admin/administrate.py b/private/administrate.py
similarity index 100%
rename from admin/administrate.py
rename to private/administrate.py
diff --git a/private/scripts/delusers.sh b/private/scripts/delusers.sh
new file mode 100755
index 0000000..b734589
--- /dev/null
+++ b/private/scripts/delusers.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+cut -d: -f1 /etc/passwd | grep test > deltest.txt
+while read name; do
+ userdel "$name"
+ rm -rf /home/$name
+ if [ "$#" -eq 1 ]; then
+ sqlite3 -batch $1 "DELETE FROM applications WHERE username = '$name'"
+ fi
+done < deltest.txt
+
+rm -f deltest.txt
diff --git a/private/scripts/make-tilde-user.sh b/private/scripts/make-tilde-user.sh
new file mode 100755
index 0000000..1569b45
--- /dev/null
+++ b/private/scripts/make-tilde-user.sh
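Review bot: `PasswordAuthentication` is left at its OpenSSH default (yes) in the global section, so password login stays open for every account, not just the one the `Match User tilde` block is meant to expose with `PermitEmptyPasswords yes`; set `PasswordAuthentication no` globally and `PasswordAuthentication yes` inside the Match block so only the signup account accepts a blank password and everything else is key-only. `Protocol 2` is ignored by recent OpenSSH releases and can be dropped. A comment above the Match block stating that tilde is an intentionally anonymous account whose login shell is the signup script would stop a later reader from "fixing" the empty-password line.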
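Review bot: `grep test` on the user-name column is an unanchored substring match, so any account whose name merely contains "test" is removed together with its home via `rm -rf /home/$name`; anchor the pattern, `cut -d: -f1 /etc/passwd | grep '^test' > deltest.txt`, and ideally match exactly the form testinput.sh generates. `$name` and `$1` are interpolated unquoted into `rm -rf`, the sqlite path and the SQL literal; `userdel -r "$name"` removes the home without a separate rm, and `sqlite3 -batch "$1" ...` keeps a path with spaces in one argument. `while read -r name` avoids backslash mangling, and feeding the loop from a pipe or process substitution would leave no `deltest.txt` behind when the script aborts midway.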
@@ -0,0 +1,23 @@
+#!/bin/env bash
+USERNAME=$1
+REALNAME=$2
+EMAIL=$3
+PUBKEY=$4
+
+adduser $USERNAME
+
+# empty password
+usermod --lock $USERNAME
+
+# add to tilde group
+usermod -a -G tilde $USERNAME
+
+# paste ssh key
+mkdir /home/$USERNAME/.ssh
+echo $PUBKEY >/home/$USERNAME/.ssh/authorized_keys
+
+# fix perms
+chmod -Rv 700 /home/$USERNAME/.ssh/
+chown -Rv $USERNAME:$USERNAME /home/$USERNAME/.ssh/
+echo "user created."
+return 0
diff --git a/private/scripts/testinput.sh b/private/scripts/testinput.sh
new file mode 100755
index 0000000..fdfef7b
--- /dev/null
+++ b/private/scripts/testinput.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/expect
+expr {srand([clock seconds])} ;# initialize RNG
+set username "testuser"
+set mail "test@testmail.com"
+set name "test Name"
+set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Tob2HvgKL5yns9BQpb/EJENR3UurMdhM9oc7tQ/USw/nIiisRDp4qmwqZM3kyl1RfkGoSiEALCogM693jl/2RO2MFLW/Da9WFuXwBmV4wMbQZQiZJCvqyMBW7uPHgfCXJ2E8T707Ixwv9S9gtmwgAqg/+x12C0fF7P45MpO3Mvc+6ZPdP5qg/GCaej67KHqfVTb4/OMrvHkRTlETFYVNj4B/uwuA7NxTi8YkCSKH+BGCLYDl95uISrHOxaKbeDb6OgkgdYS9ygg2F7r3S36n8woLdSXqJNpxx2zLgO8Ow9KE0paezyeQqPPjbYu6l8y2IAkKCWTHKTAQ6DFgcvAD darksider3@prism"
+set y "y"
+set random "[expr {int(rand() * 1000)}]"
+spawn ./userapplication.py
+
+expect "allowed:"
+send "$username$random\r"
+expect "full name:"
+send "$name\r"
+expect "email address:"
+send "$random$mail\r"
+expect "ssh public key:"
+send "$sshkey\r"
+expect "correct?*"
+send "$y\r"
+interact
+
+spawn ./administrate.py
+
+expect -glob "*-> "
+send "1\r"
+expect -glob "*->"
+send "\r"
+expect -glob "*-> "
+send "A\r"
+expect -glob "*..."
+send "\r"
+expect -glob "*-> "
+send "4\r"
+interact
diff --git a/application/userapplication.py b/public/useerapplication.py
similarity index 100%
rename from application/userapplication.py
rename to public/useerapplication.py
From e00e587fac584c04bab177ff530d96e131a721f6 Mon Sep 17 00:00:00 2001
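Review bot: `return 0` on the last line is not inside a function, so bash reports an error there and the script's exit status becomes non-zero even though the user was created, which makes any caller that checks the `user_creationscript` result treat success as failure; use `exit 0`. `$USERNAME` and `$PUBKEY` presumably arrive from the signup form and are expanded unquoted in every command, so a value with whitespace or glob characters becomes extra arguments to adduser/usermod/chmod/chown; quote them, e.g. `echo "$PUBKEY" >"/home/$USERNAME/.ssh/authorized_keys"`, and reject names that do not match a strict pattern such as `^[a-z_][a-z0-9_-]{0,31}$` before calling adduser. Debian's `adduser` also prompts interactively unless called as `adduser --disabled-password --gecos "" "$USERNAME"`, which matters for a script driven from the admin tool. `#!/bin/env bash` assumes /bin/env exists; `#!/usr/bin/env bash` is the portable spelling, and REALNAME and EMAIL are assigned but never used.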
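Review bot: `set sshkey` hard-codes what looks like a personal public key (comment `darksider3@prism`); if the approval flow installs it, every account this test registers on a real host is reachable with that key, so generate a throwaway pair in the test, `exec ssh-keygen -q -t ed25519 -N "" -f /tmp/testkey` followed by `set sshkey [exec cat /tmp/testkey.pub]`, and remove it afterwards. The `interact` after each spawn hands control to a human, so the script cannot run unattended; `expect eof` lets it finish on its own. `int(rand() * 1000)` seeded from `clock seconds` gives only 1000 candidate suffixes, so back-to-back runs can collide on `$username$random`.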
From: darksider3
Date: Mon, 23 Sep 2019 23:17:56 +0200
Subject: [PATCH 2/4] Reflect changes made
---
 Dockerfile | 47 +++++++++++++++++++
 config/applicationsconfig.ini | 6 +--
 config/environment | 1 +
 config/etc/ssh/sshd_config | 1 +
 ...useerapplication.py => userapplication.py} | 0
 5 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 config/environment
 rename public/{useerapplication.py => userapplication.py} (100%)
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6a204e0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,47 @@
+FROM python:3-slim
+
+MAINTAINER n1trux
+RUN apt-get update &&\
+ apt-get -y upgrade &&\
+ DEBIAN_FRONTEND=noninteractive apt-get -y install \
+ nano rsync openssh-server acl
+
+# Clean up APT when done.
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+
+# private/{scripts, administrate.py}, public/{scripts, userapplications.py}, config/userapplicatonsconfig.ini
+#configs, logs, db
+COPY config/applicationsconfig.ini /app/data/applicationsconfig.ini
+
+# admin scripts
+COPY private/ /app/admin/
+
+# user accessible scripts
+# Make TILDE_ENV
+COPY config/environment /app/user/.ssh/environment
+COPY public/ /app/user/
+#SSH config into /etc :)
+COPY config/etc /etc
+
+# create user for applications
+RUN useradd -Md /app/user/ -s /app/user/userapplication.py tilde
+
+# make tilde's password empty
+RUN passwd -d tilde
+RUN usermod -U tilde
+
+# add admin user
+RUN useradd -Md /app/admin -s /app/admin/administrate.py admin
+# privilege separation directory
+RUN mkdir -p /var/run/sshd
+
+# expose SSH port
+EXPOSE 22
+ENV TILDE_CONF="/app/data/applicationsconfig.ini"
+RUN touch /app/data/applications.sqlite
+RUN touch /app/data/applications.log
+# Doesnt work, @TODO why
+#RUN setfacl -R -m u:tilde:rwx /app/data/
+RUN chown -R tilde /app/data
+CMD ["/usr/sbin/sshd", "-D"]
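Review bot: `RUN chown -R tilde /app/data` makes applicationsconfig.ini writable by the signup account, which `passwd -d tilde` plus the sshd `PermitEmptyPasswords` block lets anyone log in as; that ini names `user_creationscript`, which the admin side presumably executes, so a flaw in userapplication.py that lets its caller write a file would turn into control over what the admin tool runs. Limit ownership to what tilde must write, `RUN chown tilde /app/data/applications.sqlite /app/data/applications.log`, and leave the ini root-owned and 0644. The `admin` user is created with `-M` and neither a password nor an authorized_keys file, so as this series stands nothing can authenticate as admin; either document that keys are provisioned at deploy time or add that step. `MAINTAINER` is deprecated in favour of `LABEL maintainer="n1trux"`.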
diff --git a/config/applicationsconfig.ini b/config/applicationsconfig.ini
index 6b0f826..a930f9b 100755
--- a/config/applicationsconfig.ini
+++ b/config/applicationsconfig.ini
@@ -1,9 +1,9 @@
 [DEFAULT]
-base_path=/application/
+base_path=/app/data/
 applications_db=%(base_path)sapplications.sqlite
-log_dir=/application/
+log_dir=/app/data/
 log_file=%(log_dir)sapplications.log
-user_creationscript=%(base_path)smake-tilde-user.sh
+user_creationscript=%(base_path)s/scripts/make-tilde-user.sh
 
 [USERS]
 UserGroup=tilde
diff --git a/config/environment b/config/environment
new file mode 100644
index 0000000..88ed684
--- /dev/null
+++ b/config/environment
@@ -0,0 +1 @@
+TILDE_CONF=/app/data/applicationsconfig.ini
diff --git a/config/etc/ssh/sshd_config b/config/etc/ssh/sshd_config
index 385ab46..5f5aeb1 100644
--- a/config/etc/ssh/sshd_config
+++ b/config/etc/ssh/sshd_config
@@ -2,6 +2,7 @@ UseDNS no
 Protocol 2
 SyslogFacility AUTHPRIV
 PermitRootLogin no
+PermitUserEnvironment yes
 PubkeyAuthentication yes
 ChallengeResponseAuthentication no
 Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/public/useerapplication.py b/public/userapplication.py
similarity index 100%
rename from public/useerapplication.py
rename to public/userapplication.py
From 4079166167e09db39e509d57af1b1424de4ce5a3 Mon Sep 17 00:00:00 2001
From: darksider3
Date: Sun, 6 Oct 2019 13:41:24 +0200
Subject: [PATCH 3/4] Respect $TILDE_CONF ENV in container build
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 6a204e0..ca241c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,6 @@ COPY private/ /app/admin/
 
 # user accessible scripts
 # Make TILDE_ENV
-COPY config/environment /app/user/.ssh/environment
 COPY public/ /app/user/
 #SSH config into /etc :)
 COPY config/etc /etc
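Review bot: `user_creationscript=%(base_path)s/scripts/make-tilde-user.sh` expands to `/app/data//scripts/make-tilde-user.sh`, but the Dockerfile in this series copies `private/` (where the script lives) to `/app/admin/`, so the configured path points at a directory nothing populates; write it explicitly, `user_creationscript=/app/admin/scripts/make-tilde-user.sh`. Keeping the script outside `/app/data` is also the right split because that tree is chowned to the tilde account, which should never be able to alter what the admin tool executes. Whether administrate.py resolves this key at run time is not visible in this series.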
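Review bot: `PermitUserEnvironment yes` honours every variable in `~/.ssh/environment`, and the sshd_config manual notes this can let a user bypass restrictions through mechanisms such as LD_PRELOAD whenever that file is writable by them; since only `TILDE_CONF` is needed, narrow it to `PermitUserEnvironment TILDE_CONF` (pattern-list form, OpenSSH 7.8 and later) or drop the mechanism and set the value server-side with `SetEnv TILDE_CONF=/app/data/applicationsconfig.ini` inside the `Match User tilde` block. The option is also global here; placing it in the Match block keeps the admin account out of its scope. A comment recording that `/app/user/.ssh/environment` must stay root-owned would make the dependency explicit. Whether the base image's OpenSSH is recent enough for either form I cannot tell from this series.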
@@ -39,6 +38,8 @@ RUN mkdir -p /var/run/sshd
 # expose SSH port
 EXPOSE 22
 ENV TILDE_CONF="/app/data/applicationsconfig.ini"
+#COPY config/environment /app/user/.ssh/environment
+RUN echo TILDE_CONF=$TILDE_CONF > /app/user/.ssh/environment
 RUN touch /app/data/applications.sqlite
 RUN touch /app/data/applications.log
 # Doesnt work, @TODO why
From a772fa9d401d5c85ea5132b624516e1e4066c9a6 Mon Sep 17 00:00:00 2001
From: Darksider3
Date: Thu, 10 Oct 2019 17:55:53 +0200
Subject: [PATCH 4/4] Create /app/user/.ssh before trying to write to it!
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index ca241c9..0e16c7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,6 +39,7 @@ RUN mkdir -p /var/run/sshd
 EXPOSE 22
 ENV TILDE_CONF="/app/data/applicationsconfig.ini"
 #COPY config/environment /app/user/.ssh/environment
+RUN mkdir /app/user/.ssh
 RUN echo TILDE_CONF=$TILDE_CONF > /app/user/.ssh/environment
 RUN touch /app/data/applications.sqlite
 RUN touch /app/data/applications.log
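Review bot: the commented-out `#COPY config/environment /app/user/.ssh/environment` left above the new `RUN echo` is dead code, and the now-unused `config/environment` file duplicates the generated content; delete the comment and the file so there is one source for the setting. The generated file is written by root and nothing in this series chowns `/app/user`, which is exactly the property `PermitUserEnvironment` relies on; record it, `# root-owned on purpose: the tilde account must not be able to edit its login environment`. Quoting the value, `echo "TILDE_CONF=$TILDE_CONF"`, keeps a path containing spaces intact.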
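Review bot: `RUN mkdir /app/user/.ssh` fails the build if `COPY public/` ever ships a `.ssh` directory, and it spends a layer on a one-line step; fold it into the write, `RUN mkdir -p /app/user/.ssh && echo "TILDE_CONF=$TILDE_CONF" > /app/user/.ssh/environment`. Adding an explicit `chmod 0755 /app/user/.ssh` on the same line pins the directory permissions instead of relying on the build-time umask.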