From 6727b902c6245885eba6f903e7a885c22598831f Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Sat, 20 Nov 2021 19:55:23 +0000 Subject: [PATCH] Add config files --- config-files/init.d/sshd-oobm | 128 ++++++++++++++++++++++++++++ config-files/ssh/sshd_banner | 8 ++ config-files/ssh/sshd_config | 134 ++++++++++++++++++++++++++++++ config-files/ssh/sshd_oobm_banner | 8 ++ config-files/ssh/sshd_oobm_cmd | 4 + config-files/ssh/sshd_oobm_config | 134 ++++++++++++++++++++++++++++++ config-files/sudoers | 102 +++++++++++++++++++++++ 7 files changed, 518 insertions(+) create mode 100644 config-files/init.d/sshd-oobm create mode 100644 config-files/ssh/sshd_banner create mode 100644 config-files/ssh/sshd_config create mode 100644 config-files/ssh/sshd_oobm_banner create mode 100644 config-files/ssh/sshd_oobm_cmd create mode 100644 config-files/ssh/sshd_oobm_config create mode 100644 config-files/sudoers diff --git a/config-files/init.d/sshd-oobm b/config-files/init.d/sshd-oobm new file mode 100644 index 0000000..a9d2454 --- /dev/null +++ b/config-files/init.d/sshd-oobm @@ -0,0 +1,128 @@ +#! /bin/sh +set -e + +PIDFILE=/var/run/sshd-oobm.pid +CONFFILE=/etc/ssh/sshd_oobm_config + +# source function library +. /etc/init.d/functions + +# /etc/init.d/sshd-oobm: start and stop the OpenBSD "secure shell" daemon for OOBM + +test -x /usr/sbin/sshd || exit 0 +( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 + +# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh +mkdir -p $SYSCONFDIR + +HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key +HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key +HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key +HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key + +check_for_no_start() { + # forget it if we're trying to start, and /etc/ssh/sshd_oobm_not_to_be_run exists + if [ -e $SYSCONFDIR/sshd_oobm_not_to_be_run ]; then + echo "OpenBSD Secure Shell server for OOBM not in use ($SYSCONFDIR/sshd_oobm_not_to_be_run)" + exit 0 + fi +} + +check_privsep_dir() { + # Create the PrivSep empty dir if necessary + if [ ! -d /var/run/sshd-oobm ]; then + mkdir /var/run/sshd-oobm + chmod 0755 /var/run/sshd-oobm + fi +} + +check_config() { + /usr/sbin/sshd -t $SSHD_OPTS || exit 1 +} + +check_keys() { + # create keys if necessary + if [ ! -f $HOST_KEY_RSA ]; then + echo " generating ssh RSA key..." + ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa + fi + if [ ! -f $HOST_KEY_ECDSA ]; then + echo " generating ssh ECDSA key..." + ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa + fi + if [ ! -f $HOST_KEY_DSA ]; then + echo " generating ssh DSA key..." + ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa + fi + if [ ! -f $HOST_KEY_ED25519 ]; then + echo " generating ssh ED25519 key..." + ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519 + fi +} + +export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" + +case "$1" in + start) + check_for_no_start + echo "Starting OOBM server" + check_keys + check_privsep_dir + start-stop-daemon -S -p $PIDFILE --make-pidfile --startas /usr/sbin/sshd -- -f $CONFFILE $SSHD_OPTS + echo "done." + ;; + stop) + echo -n "Stopping OOBM server" + pidno1=$(<$PIDFILE) + pidno=$((pidno1 + 1)) + kill $pidno + echo "." + ;; + + reload|force-reload|restart) + check_for_no_start + check_keys + check_config + echo -n "Reloading OOBM server configuration" + /etc/init.d/sshd-oobm stop + /etc/init.d/sshd-oobm start + # start-stop-daemon -S -p $PIDFILE --make-pidfile --startas /usr/sbin/sshd -- -f $CONFFILE $SSHD_OPTS + echo "." + ;; + +# restart) +# check_keys +# check_config +# echo -n "Restarting OpenBSD Secure Shell server: sshd" +# start-stop-daemon -K -p $PIDFILE --oknodo --startas /usr/sbin/sshd +# check_for_no_start +# check_privsep_dir +# sleep 2 +# start-stop-daemon -S -p $PIDFILE --make-pidfile --startas /usr/sbin/sshd -- -f $CONFFILE $SSHD_OPTS +# echo "." +# ;; + + status) + #�status /usr/sbin/sshd + pidno1=$(<$PIDFILE) + pidno=$((pidno1 + 1)) + if ps -p $pidno > /dev/null + then + echo "OOBM server ($pidno) is running" + else + echo "OOBM server is not running" + fi + exit $? + ;; + + *) + echo "Usage: /etc/init.d/ssh-oobm {start|stop|status|reload|force-reload|restart}" + exit 1 +esac + +exit 0 diff --git a/config-files/ssh/sshd_banner b/config-files/ssh/sshd_banner new file mode 100644 index 0000000..d9013b9 --- /dev/null +++ b/config-files/ssh/sshd_banner @@ -0,0 +1,8 @@ + +##################### +# MultiTech Conduit # +# LoRaWAN Gateway # +##################### + +MODE: Remote Gateway Management + diff --git a/config-files/ssh/sshd_config b/config-files/ssh/sshd_config new file mode 100644 index 0000000..c92d258 --- /dev/null +++ b/config-files/ssh/sshd_config @@ -0,0 +1,134 @@ +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation sandbox # Default for new installations. +#PermitUserEnvironment no +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +Banner /etc/ssh/sshd_banner + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + diff --git a/config-files/ssh/sshd_oobm_banner b/config-files/ssh/sshd_oobm_banner new file mode 100644 index 0000000..12fc174 --- /dev/null +++ b/config-files/ssh/sshd_oobm_banner @@ -0,0 +1,8 @@ + +##################### +# MultiTech Conduit # +# LoRaWAN Gateway # +##################### + +MODE: Out of Band Management service + diff --git a/config-files/ssh/sshd_oobm_cmd b/config-files/ssh/sshd_oobm_cmd new file mode 100644 index 0000000..0e4f432 --- /dev/null +++ b/config-files/ssh/sshd_oobm_cmd @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +sudo mts-io-sysfs store ap1/serial-mode rs232 +/usr/bin/screen /dev/ttyAP1 9600 + diff --git a/config-files/ssh/sshd_oobm_config b/config-files/ssh/sshd_oobm_config new file mode 100644 index 0000000..088b804 --- /dev/null +++ b/config-files/ssh/sshd_oobm_config @@ -0,0 +1,134 @@ +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ + +# This is the sshd server OOBM configuration file. + +############################ +# CONNECTIVITY # +############################ +Port 1024 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none + +############################ +#�LOGGING # +############################ +SyslogFacility AUTH +LogLevel INFO + +############################ +# AUTHENTICATION # +############################ +AllowGroups oobm +ForceCommand /etc/ssh/sshd_oobm_cmd + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +UsePrivilegeSeparation sandbox # Default for new installations. +#PermitUserEnvironment no +Compression no +ClientAliveInterval 15 +ClientAliveCountMax 4 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +Banner /etc/ssh/sshd_oobm_banner + +# override default of no subsystems +Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server + diff --git a/config-files/sudoers b/config-files/sudoers new file mode 100644 index 0000000..6ebf734 --- /dev/null +++ b/config-files/sudoers @@ -0,0 +1,102 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to use a hard-coded PATH instead of the user's to find commands +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +%sudo ALL=(ALL) ALL + +## OOBM +%sudo ALL=(ALL:ALL) NOPASSWD: /usr/sbin/mts-io-sysfs +%oobm ALL=(ALL:ALL) NOPASSWD: /usr/sbin/mts-io-sysfs + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +## (the '#' here does not indicate a comment) +#includedir /etc/sudoers.d +