@@ -51,14 +51,6 @@ if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then
fi
sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}"
-# CR2.6: Remote session termination
-# Terminate remote session after inactive time period
-SSHD_CONFIG="/etc/ssh/sshd_config"
-alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
-alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
-sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
-sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
-
# CR2.7: Concurrent session control
# Limit the concurrent login sessions
LIMITS_CONFIG="/etc/security/limits.conf"
@@ -80,12 +72,4 @@ if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
fi
echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
-# Enable PAM configuration for Remote Session
-if grep -s -q "ChallengeResponseAuthentication" "${SSHD_CONFIG}";then
- sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
-fi
-if grep -s -q "KbdInteractiveAuthentication" "${SSHD_CONFIG}";then
- sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' "${SSHD_CONFIG}"
-fi
-echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
new file mode 100644
@@ -0,0 +1,4 @@
+# Enable PAM configuration for Remote Session
+ChallengeResponseAuthentication yes
+KbdInteractiveAuthentication yes
+AuthenticationMethods keyboard-interactive
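Review bot: These three settings only take effect if the main `/etc/ssh/sshd_config` has an `Include /etc/ssh/sshd_config.d/*.conf` line ahead of its own `KbdInteractiveAuthentication` or `ChallengeResponseAuthentication` entries, because sshd keeps the first value it reads for each keyword. The removed postinst code rewrote the main file and did not depend on that. Nothing in this commit shows the Include being present, so checking the effective configuration during image testing (for example `sshd -T | grep -i -e kbdinteractive -e authenticationmethods`) would catch a silent fallback to the defaults. `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH, so one of the two lines is enough. A header comment such as `# Requires UsePAM yes and the Include directive in sshd_config` would document the dependency.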
new file mode 100644
@@ -0,0 +1,5 @@
+# CR2.6: Remote session termination
+# Terminate remote session after inactive time period
+
+ClientAliveInterval 120
+ClientAliveCountMax 0
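Review bot: `ClientAliveCountMax 0` terminates nothing on OpenSSH 8.2 and later, where a zero value disables connection termination. With this drop-in the CR2.6 requirement is therefore likely unmet on any release new enough to read `sshd_config.d`. Even with a non-zero count, the ClientAlive probes only drop clients that stop answering, so a responsive but idle session stays open. If the image ships OpenSSH 9.2 or later, the `ChannelTimeout` and `UnusedConnectionTimeout` directives are the intended idle limit; otherwise a read-only shell `TMOUT` is the usual fallback. The OpenSSH version of the target is not visible here, so confirm the behaviour against it and state the minimum version in the file's comment header.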
@@ -13,8 +13,15 @@ inherit dpkg-raw
DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
-SRC_URI = "file://postinst"
+SRC_URI = "file://postinst \
+ file://ssh-remote-session-term.conf \
+ file://ssh-pam-remote.conf"
DEPENDS = "customizations, sshd-regen-keys"
DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
+do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
+do_install () {
+ install -m 600 ${WORKDIR}/ssh-remote-session-term.conf ${D}/etc/ssh/sshd_config.d/
+ install -m 600 ${WORKDIR}/ssh-pam-remote.conf ${D}/etc/ssh/sshd_config.d/
+}
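Review bot: The two drop-ins are installed under names starting with `ssh-`, which sort after any numerically prefixed file in `/etc/ssh/sshd_config.d/`. Because sshd reads that directory in lexical order and keeps the first value per keyword, another drop-in in the image (none is visible in this commit) could override these hardening settings. Installing them with a low prefix makes the precedence explicit, e.g. `install -m 600 ${WORKDIR}/ssh-pam-remote.conf ${D}/etc/ssh/sshd_config.d/00-ssh-pam-remote.conf`. Quoting `"${WORKDIR}"` and `"${D}"` in `do_install` would also be the safer shell habit.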