From 6fec94766fe6d4b9df9ed7503589d147d3c04ca0 Mon Sep 17 00:00:00 2001
From: Aneesh Agrawal
Date: Sat, 30 Sep 2017 02:36:20 -0400
Subject: [PATCH 1/3] Manage sshd_config file

This is based on Mozilla's Modern sshd_config from: https://wiki.mozilla.org/Security/Guidelines/OpenSSH

Note that root login is still allowed, because we have not yet set up per-user accounts.

Add a test to ensure the sshd_config file is properly parsed and validated by the OpenSSH version on the machine to help guard against this behavior.
---
 .travis/dispatch.sh | 1 +
 admin/files/sshd_config | 25 +++++++++++++++++++++++++
 admin/init.sls | 23 ++++++++++++++++++++++-
 tests/sls/admin/__init__.py | 0
 tests/sls/admin/valid_sshd_config.py | 20 ++++++++++++++++++++
 5 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 admin/files/sshd_config
 create mode 100644 tests/sls/admin/__init__.py
 create mode 100644 tests/sls/admin/valid_sshd_config.py

diff --git a/.travis/dispatch.sh b/.travis/dispatch.sh
index 374c8f107..a434be475 100755
--- a/.travis/dispatch.sh
+++ b/.travis/dispatch.sh
@@ -141,6 +141,7 @@ else
 ./test.py sls.servo-build-dependencies.android
 fi
 
+ ./test.py sls.admin
 # Salt doesn't support timezone.system on OSX
 # See https://github.com/saltstack/salt/issues/31345
 if [[ ! "${SALT_NODE_ID}" =~ servo-mac.* ]]; then
diff --git a/admin/files/sshd_config b/admin/files/sshd_config
new file mode 100644
index 000000000..527841ed2
--- /dev/null
+++ b/admin/files/sshd_config
@@ -0,0 +1,25 @@
+HostKey /etc/ssh/ssh_host_ed25519_key
+KexAlgorithms curve25519-sha256@libssh.org
+Ciphers chacha20-poly1305@openssh.com
+
+# Only pubkey authentication is enabled, i.e. password logins are disabled
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+# TODO: Disable root login after creating per-user accounts
+PermitRootLogin yes
+
+MaxAuthTries 2
+LoginGraceTime 1m
+
+{% if grains['kernel'] == 'Linux' %}
+UsePAM yes
+# PAM does this
+PrintMotd no
+{% endif %}
+
+UsePrivilegeSeparation sandbox
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
diff --git a/admin/init.sls b/admin/init.sls
index 721982f2c..17112fede 100644
--- a/admin/init.sls
+++ b/admin/init.sls
@@ -7,7 +7,8 @@ admin-packages:
 - tmux
 - mosh
 {% if grains['os'] != 'MacOS' %}
- - screen # Installed by default on OS X
+ - openssh-server # Use default macOS version, not Homebrew's
+ - screen # Installed by default on macOS
 {% endif %}
 
 {% if grains['os'] != 'MacOS' and grains.get('virtual_subtype', '') != 'Docker' %}
@@ -22,6 +23,15 @@ UTC:
 - mode: 644
 - source: salt://{{ tpldir }}/files/hosts
 
+sshd_config:
+ file.managed:
+ - name: /etc/ssh/sshd_config
+ - user: {{ root.user }}
+ - group: {{ root.group }}
+ - mode: 644
+ - template: jinja
+ - source: salt://{{ tpldir }}/files/sshd_config
+
 sshkeys-dir:
 file.directory:
 - name: {{ root.home }}/.ssh
@@ -41,3 +51,14 @@ sshkeys:
 {% endfor %}
 - require:
 - file: sshkeys-dir
+
+{% if grains['os'] != 'MacOS' %}
+sshd:
+ service.running:
+ - name: ssh
+ - enable: True
+ - require:
+ - file: sshkeys
+ - watch:
+ - file: sshd_config
+{% endif %}
diff --git a/tests/sls/admin/__init__.py b/tests/sls/admin/__init__.py
new file mode 100644
index 000000000..e69de29bb
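Review bot: `PermitRootLogin yes` admits every authentication method for root, so the key-only policy for the root account rests entirely on the global `PasswordAuthentication no` / `AuthenticationMethods publickey` pair; since the commit message keeps root login on purpose, `PermitRootLogin without-password` (`prohibit-password` on OpenSSH 7.0+, where the older spelling is still accepted) preserves that workflow while stating the restriction on the directive itself. The `HostKey`, `KexAlgorithms` and `Ciphers` values all require OpenSSH 6.5 or newer, and the `file.managed` state in the next hunk deploys this template to macOS hosts as well as Linux, so if the macOS 10.10 machines added in the third patch ship an older sshd the rendered file will not pass `sshd -T` there; a header comment such as `# Requires OpenSSH >= 6.5 (ed25519 host key, curve25519 kex, chacha20-poly1305)` records the assumption the new test checks. `UsePrivilegeSeparation` is deprecated from OpenSSH 7.5 and, as far as I recall, only produces a warning on stderr rather than a non-zero exit, so the new test will not flag it; extending the existing TODO comment to cover removing that line once the fleet is past 7.5 would keep the intent visible.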
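Review bot: The `sshd_config` state has no ordering relationship to the `admin-packages` state that installs `openssh-server` in the first hunk, so on a fresh Linux minion it relies on Salt's declaration-order default; if the package state has not run yet, `/etc/ssh` may not exist and `file.managed` fails (it does not create parent directories unless `makedirs: True`), and the ed25519 `HostKey` the template references is typically generated by the package's install scripts. Adding `- require:` / `  - pkg: admin-packages` makes the dependency explicit, assuming `admin-packages` is the `pkg.installed` state (its header is outside the hunk). This state is also not inside the `grains['os'] != 'MacOS'` guard that the `sshd` service state in the third hunk uses, so the file lands on macOS with no restart; if that is intentional because launchd starts sshd per connection, a comment saying so, e.g. `# macOS: no service state; launchd spawns sshd per connection, so the file takes effect on the next login`, would save the next reader the question.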
diff --git a/tests/sls/admin/valid_sshd_config.py b/tests/sls/admin/valid_sshd_config.py
new file mode 100644
index 000000000..3ac894ad7
--- /dev/null
+++ b/tests/sls/admin/valid_sshd_config.py
@@ -0,0 +1,20 @@
+import subprocess
+
+from tests.util import Failure, Success
+
+
+def run():
+ proc = subprocess.Popen(
+ ['sshd', '-T', '-f', '/etc/ssh/sshd_config'],
+ stdout=subprocess.DEVNULL,
+ stderr=subprocess.PIPE,
+ universal_newlines=True
+ )
+ _, stderr = proc.communicate()
+
+ if proc.returncode != 0:
+ return Failure(
+ 'Invalid sshd_config file:', stderr
+ )
+
+ return Success('SSHD config file is valid')

From 728c7d97f85024958bbc112568752d20ce13ab26 Mon Sep 17 00:00:00 2001
From: Aneesh Agrawal
Date: Thu, 26 Oct 2017 22:43:50 -0700
Subject: [PATCH 2/3] Use xcode8 on Travis to better match prod

Our new 10.11.6 macOS machines have Xcode 8.2 installed. Use xcode8 on Travis, which maps to Xcode 8gm and macOS 10.11.

This is also important to help ensure tests like the sshd config test match the behavior we'll see in the field.
---
 .travis.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 8ea29584f..8c2fc3901 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,7 +25,7 @@ matrix:
 - SALT_NODE_ID=servo-mac1
 - SALT_FROM_SCRATCH=true
 os: osx
- osx_image: xcode8.3
+ osx_image: xcode8
 - env:
 - SALT_NODE_ID=servo-linux1
 - SALT_FROM_SCRATCH=true
@@ -49,7 +49,7 @@ matrix:
 - SALT_NODE_ID=servo-mac1
 - SALT_FROM_SCRATCH=false
 os: osx
- osx_image: xcode8.3
+ osx_image: xcode8
 - env:
 - SALT_NODE_ID=servo-linux1
 - SALT_FROM_SCRATCH=false

From 04e19a38aa65da1362b1677024226b432768e3b1 Mon Sep 17 00:00:00 2001
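Review bot: `subprocess.Popen` raises `OSError` rather than returning a process when `sshd` cannot be executed — it usually lives in `/usr/sbin`, which may not be on `PATH` for a non-root shell — so the test would crash instead of reporting. Wrapping the call as `try:` / `proc = subprocess.Popen(...)` / `except OSError as exc:` / `return Failure('Could not execute sshd:', str(exc))` turns that into a reported failure, using the same two-argument form as the existing `Failure` call (`Failure` and `Success` come from `tests.util`, outside the hunk). `sshd -T` also has to load the host keys to produce its dump, so it presumably succeeds only with root privileges; a comment on the command list stating that assumption would make the requirement visible. Deprecated directives are typically reported on stderr with a zero exit status, which this check discards; including `stderr` in the `Success` result, or returning `Failure` when it is non-empty, would surface those warnings.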
From: Aneesh Agrawal
Date: Tue, 6 Mar 2018 09:42:59 -0800
Subject: [PATCH 3/3] Add additional Travis builders for macOS 10.10

We still have production machines on macOS 10.10.5 (and Xcode 7.2); this is the closest fit that Travis offers, which macOS 10.10, albeit an older Xcode version of 6.4.
---
 .travis.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 8c2fc3901..16aa2dac3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -26,6 +26,11 @@ matrix:
 - SALT_FROM_SCRATCH=true
 os: osx
 osx_image: xcode8
+ - env:
+ - SALT_NODE_ID=servo-mac2
+ - SALT_FROM_SCRATCH=true
+ os: osx
+ osx_image: xcode6.4
 - env:
 - SALT_NODE_ID=servo-linux1
 - SALT_FROM_SCRATCH=true
@@ -50,6 +55,11 @@ matrix:
 - SALT_FROM_SCRATCH=false
 os: osx
 osx_image: xcode8
+ - env:
+ - SALT_NODE_ID=servo-mac2
+ - SALT_FROM_SCRATCH=false
+ os: osx
+ osx_image: xcode6.4
 - env:
 - SALT_NODE_ID=servo-linux1
 - SALT_FROM_SCRATCH=false