From 527a120468f42eb2e6c3ad818413601e24d850f1 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Thu, 30 Jul 2020 16:04:43 +0200
Subject: [PATCH 1/3] Fix sshd user config
---
 ssh/README.md | 14 +++++++++++++-
 ssh/{user-backup.conf => backup.user} | 0
 ssh/{user-sshlogin.conf => sshlogin.user} | 0
 3 files changed, 13 insertions(+), 1 deletion(-)
 rename ssh/{user-backup.conf => backup.user} (100%)
 rename ssh/{user-sshlogin.conf => sshlogin.user} (100%)
diff --git a/ssh/README.md b/ssh/README.md
index aeb5763..c7f2de8 100644
--- a/ssh/README.md
+++ b/ssh/README.md
@@ -5,7 +5,9 @@ Switch to your main user with `su - adminuser` afterwards.
 ```sh
 sudo sed -i '$ a sshlogin:*:1001:65534::/home/sshlogin:/bin/sh' /etc/passwd
-sudo cp *.conf /etc/ssh/sshd_config.d
+sudo sed -i '$ a Match User *' /etc/ssh/sshd_config
+sudo sed -i '$ a Include /etc/ssh/sshd_config.d/*.user' /etc/ssh/sshd_config
+sudo cp *.conf *.user /etc/ssh/sshd_config.d
 sudo mkdir -p /home/sshlogin/.ssh
 sudo chown sshlogin:root /home/sshlogin/.ssh
@@ -13,3 +15,13 @@ sudo chown sshlogin:root /home/sshlogin/.ssh
 * Either create a password with `sudo passwd sshlogin` or
 * Add a key `sudo -u sshlogin editor /home/sshlogin/.ssh/authorized_keys`
+* Test config for user with `sudo sshd -T -C user=sshlogin`
+
+## Notes
+
+> Included files do not affect the match context of the file including them.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2468#c26
+
+According to the tests, the above is possible:
+https://github.com/openssh/openssh-portable/blob/master/regress/servcfginclude.sh
diff --git a/ssh/user-backup.conf b/ssh/backup.user
similarity index 100%
rename from ssh/user-backup.conf
rename to ssh/backup.user
diff --git a/ssh/user-sshlogin.conf b/ssh/sshlogin.user
similarity index 100%
rename from ssh/user-sshlogin.conf
rename to ssh/sshlogin.user
From 67dbae6477cb5f3ee8e60a37723ede2752b9caeb Mon Sep 17 00:00:00 2001
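Review bot: Appending `Match User *` as the last line of sshd_config means every directive appended to that file afterwards — by a later step in this README or by a package upgrade — lands inside a Match block that applies to all users, where a number of keywords are not permitted and sshd then refuses to start; it also means any directive in a `.user` file that sits outside its own `Match` block applies globally rather than to one user. I would keep the two appended lines but guard them so a second run of these steps does not append duplicates, e.g. `grep -qxF 'Include /etc/ssh/sshd_config.d/*.user' /etc/ssh/sshd_config || sudo sed -i '$ a Include /etc/ssh/sshd_config.d/*.user' /etc/ssh/sshd_config`, and state in the new Notes section that nothing may be appended after the Include. For the new test line, `sshd -T -C user=sshlogin` only supplies the user to the Match evaluation; if any Match line in the resulting configuration uses Host or Address criteria, pass all three, `sudo sshd -T -C user=sshlogin,host=localhost,addr=127.0.0.1`, so the printed effective configuration is the one a real connection would get (how a missing field is treated varies by OpenSSH version, so confirm against the installed one). The `.user` files are renamed without content changes here, so whether they carry their own Match blocks is not visible in this patch.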
From: Adrian
Date: Sat, 15 Aug 2020 10:01:06 +0200
Subject: [PATCH 2/3] Add postfix recipient access restrictions
---
 mail/postfix/access.cf | 2 ++
 mail/postfix/main.cf | 2 ++
 mail/schema.sql | 1 +
 3 files changed, 5 insertions(+)
 create mode 100644 mail/postfix/access.cf
diff --git a/mail/postfix/access.cf b/mail/postfix/access.cf
new file mode 100644
index 0000000..025ab71
--- /dev/null
+++ b/mail/postfix/access.cf
@@ -0,0 +1,2 @@
+dbpath = /data/mail/config/vmail.db
+query = SELECT action FROM access WHERE address = '%s'
diff --git a/mail/postfix/main.cf b/mail/postfix/main.cf
index 66b0ba0..4fc969c 100644
--- a/mail/postfix/main.cf
+++ b/mail/postfix/main.cf
@@ -38,3 +38,5 @@ smtpd_sender_login_maps = sqlite:/etc/postfix/login.cf, $virtual_alias_maps
 smtpd_milters = unix:private/opendkim
 non_smtpd_milters = $smtpd_milters
+
+smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access.cf
diff --git a/mail/schema.sql b/mail/schema.sql
index 7bc9222..007c022 100644
--- a/mail/schema.sql
+++ b/mail/schema.sql
@@ -4,3 +4,4 @@ create table mailbox (username varchar(255) not null primary key, password varch
 create table dkim (match varchar(255) not null primary key, key varchar(255) not null);
 create table dkim_key (key varchar(255) not null primary key, domain varchar(255) not null, selector varchar(255) not null, private_key varchar(65535) not null);
+create table access (address varchar(255) not null primary key, action varchar(255) not null);
From 65dda1f790c03517b7ab95c67f577b9759951e1d Mon Sep 17 00:00:00 2001
From: Adrian
Date: Mon, 17 Aug 2020 23:21:42 +0200
Subject: [PATCH 3/3] Proper PAM config to disable session logging
---
 misc/README.md | 5 +++--
 misc/unix-no-session-log | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 misc/unix-no-session-log
diff --git a/misc/README.md b/misc/README.md
index e53c6fb..362fa36 100644
--- a/misc/README.md
+++ b/misc/README.md
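Review bot: The new `smtpd_recipient_restrictions` line replaces Postfix's built-in default list rather than extending it, so `permit_mynetworks`, `permit_sasl_authenticated` and `reject_unauth_destination` no longer appear in this parameter at all; if I recall correctly, Postfix before 2.10 refuses such a list at startup, and on 2.10 and later the relay decision rests entirely on `smtpd_relay_restrictions`, which is not visible in this hunk. Even with a separate relay restriction in place, an `OK` row in the access table should not be able to short-circuit anything, and the lookup should not reject mail from the server's own networks or authenticated users unless that is intended, so I would spell the list out: `smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access sqlite:/etc/postfix/access.cf`. Worth confirming in the rest of main.cf that `smtpd_relay_restrictions` is either set explicitly or left at its default. The `%s` in the new access.cf is quoted by Postfix for sqlite maps (sqlite_table(5)), so the query itself is not an injection concern.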
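Review bot: The new `access` table is read by the `check_recipient_access` query in access.cf, and Postfix does not look it up with the full recipient address alone — per access(5) it tries the full address, then the domain and its parent domains, then `localpart@` — so a row whose `address` is a bare domain or `user@` is also live, and `action` is interpreted as a Postfix access action (`REJECT ...`, `OK`, `DUNNO` and the like), none of which is visible from the DDL. A one-line comment above the statement, e.g. `-- Postfix access(5) table for check_recipient_access: address may be user@domain, a domain or localpart@; action is a Postfix access action`, would keep a later maintainer from storing booleans or display text here. Because the lookup is an exact `=` on `address`, rows should be stored in the case Postfix presents the key in (lowercase after access-map key folding, I believe — confirm against the installed version).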
@@ -18,8 +18,9 @@ sudo cp 99-no-wifi-on-ethernet /etc/NetworkManager/dispatcher.d
 sudo sed -i '$ a EXTRA_OPTS=-L 4' /etc/default/cron
 ```
-## Do not log cron sessions
+## Do not log sessions
 ```sh
-sudo sed -i '/pam_unix.so/ i session [success=1 default=ignore] pam_succeed_if.so service in cron quiet' /etc/pam.d/common-session-noninteractive
+sudo cp unix-no-session-log /usr/share/pam-configs
+sudo pam-auth-update # Select OK to update
 ```
diff --git a/misc/unix-no-session-log b/misc/unix-no-session-log
new file mode 100644
index 0000000..4320170
--- /dev/null
+++ b/misc/unix-no-session-log
@@ -0,0 +1,6 @@
+Name: Unix authentication - no session logging
+Default: yes
+Priority: 257
+Session-Type: Additional
+Session:
+ [success=1 default=ignore] pam_succeed_if.so service in cron:sudo quiet
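Review bot: `[success=1 default=ignore]` skips whichever module pam-auth-update writes next in the generated session stack, not pam_unix by name, so this profile only does what its name says while the `unix` profile (priority 256) sorts immediately after it at priority 257; another profile at priority 256 that happens to sort before `unix`, or any extra `Session-Type: Additional` entry landing between them, would be skipped instead and pam_unix session logging would silently return. Adding `sudo` to the `service in cron:sudo` list also removes the pam_unix `session opened for user root by ... (uid=...)` lines for every sudo invocation in both common-session and common-session-noninteractive, because a `Session:` block without `Session-Interactive-Only: yes` is written to both, whereas the sed it replaces only touched the non-interactive stack; the audit trail for privilege escalation then depends entirely on sudo's own syslog entries, which are not configured anywhere visible here. I would record that deliberately, with a README sentence next to the `pam-auth-update` step such as "after updating, check that the line following `pam_succeed_if.so service in cron:sudo` in /etc/pam.d/common-session is the pam_unix session line, and that sudo's own command log entries are still produced", and consider keeping the list to `cron` unless the sudo noise is the actual problem being solved.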