[debian-lan-devel] [debian-lan] 01/03: Modify default restrictions for ssh access (needed for sshfs).
Andreas B. Mundt
andi at moszumanska.debian.org
Mon Jun 16 19:39:25 UTC 2014
This is an automated email from the git hooks/post-receive script.
andi pushed a commit to branch master
in repository debian-lan.
commit 8d72d2302184f9fb00c4d8e98fd254a19646ad50
Author: Andreas B. Mundt <andi at debian.org>
Date: Mon Jun 16 14:01:37 2014 +0200
Modify default restrictions for ssh access (needed for sshfs).
Do not limit ssh access from the local network in FIREWALL class by default.
Add examples in 'sshd_config'.
---
fai/config/scripts/FIREWALL/10-config | 8 +++-----
fai/config/scripts/SERVER_A/30-sshd | 20 ++++++++++++++++++++
2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/fai/config/scripts/FIREWALL/10-config b/fai/config/scripts/FIREWALL/10-config
index c5a78b9..5f5c714 100755
--- a/fai/config/scripts/FIREWALL/10-config
+++ b/fai/config/scripts/FIREWALL/10-config
@@ -22,8 +22,8 @@ prepare_shorewall(){
sed -i -e 's/eth0/\$NET_IF/' -e 's/eth1/\$LOC_IF/' $CONFDIR/interfaces $CONFDIR/masq $CONFDIR/stoppedrules
sed -i -e '$i LOC_IF=eth0' -e '$i NET_IF=eth1' $CONFDIR/params
- ## Limited ssh access:
- sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1 - - - - s:1/min:1%' $CONFDIR/rules
+ ## Limited ssh access (uncomment to activate):
+ #sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1 - - - - s:1/min:1%' $CONFDIR/rules
}
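Review bot: Commenting out the sed leaves the FIREWALL class with no rate limit on ssh by default, and the two later hunks (the `Limit(SSH,1,60)` lines dropped at lines 35 and 44) remove the last throttling rules without activating any replacement, so a host built from this class accepts unlimited ssh connection attempts until an administrator edits the script. A toggle would keep the safe behaviour one setting away instead of requiring a code edit: replace the commented line with `if [ "${SSH_LIMIT:-false}" = "true" ]; then` / the original `sed -i -e 's%^\(SSH(ACCEPT).*\)$%\1 - - - - s:1/min:1%' $CONFDIR/rules` / `fi` (the variable name is a placeholder; a FAI class variable seems the natural place for it, though I cannot see how this script is configured). An `if` rather than `[ … ] && sed …` matters here because that line is the last statement of the function, and a false test would otherwise become prepare_shorewall's return status. The function's opening lines are outside the hunk.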
if [ "$HOSTNAME" = "mainserver" ] ; then
@@ -48,7 +48,6 @@ $FW net ACCEPT' $CONFDIR/policy
## Debian-LAN
##
SSH(ACCEPT) net \$FW - - - - s:1/min:1
-Limit(SSH,1,60):info loc \$FW tcp 22
EOF
else
@@ -63,9 +62,8 @@ EOF
\#\1\
net $FW ACCEPT%' $CONFDIR/policy
- ## Comment rules where traffic is allowed already and limit ssh access:
+ ## Comment rules where traffic is allowed already:
sed -i -e "s/^\(.*ACCEPT)\?\s\+net\s\+\$FW.*\)$/\#\# Allowed by Debian-LAN policy:\n\#\1/" $CONFDIR/rules
- echo 'Limit(SSH,1,60):info net $FW tcp 22' >> $CONFDIR/rules
fi
elif [ "$HOSTNAME" = "gateway" ] ; then
diff --git a/fai/config/scripts/SERVER_A/30-sshd b/fai/config/scripts/SERVER_A/30-sshd
new file mode 100755
index 0000000..25b3993
--- /dev/null
+++ b/fai/config/scripts/SERVER_A/30-sshd
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Add optional access restrictions to sshd.
+#
+set -e
+
+if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
+ exit 0
+fi
+
+cat >> ${target}/etc/ssh/sshd_config <<EOF
+
+
+### Debian-LAN access restrictions (examples) ###
+#AllowUsers admin
+
+## Only allow sftp (sufficient for sshfs):
+#Match Group *,!admin
+# ForceCommand internal-sftp
+EOF
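Review bot: The `cat >> ${target}/etc/ssh/sshd_config` at line 63 appends the block unconditionally, so every run that passes the guard (for example each CONVERT=true run) adds another copy to sshd_config; guard it with a marker check, `grep -q '### Debian-LAN access restrictions' "${target}/etc/ssh/sshd_config" || cat >> "${target}/etc/ssh/sshd_config" <<EOF`, and quote `${target}` while at it. Since every appended line is commented out, the script has no effect on sshd until an administrator uncomments something, which is worth saying in the header comment so nobody assumes the restrictions are active. Above the `#Match Group *,!admin` example I would add a comment that a Match block extends to the end of the file, so it must stay the last block or be closed with `Match all`; otherwise a directive appended below it later silently applies only to the matched group.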