Proper PAM config to disable session logging

Add postfix recipient access restrictions
Fix sshd user config
2020-08-28 00:51:28 +02:00 · 2020-08-28 00:46:57 +02:00 · 2020-08-28 00:27:51 +02:00
8 changed files with 27 additions and 3 deletions
--- a/mail/postfix/access.cf
+++ b/mail/postfix/access.cf
@ -0,0 +1,2 @@
+dbpath = /data/mail/config/vmail.db
+query = SELECT action FROM access WHERE address = '%s'
--- a/mail/postfix/main.cf
+++ b/mail/postfix/main.cf
@ -38,3 +38,5 @@ smtpd_sender_login_maps = sqlite:/etc/postfix/login.cf, $virtual_alias_maps

 smtpd_milters = unix:private/opendkim
 non_smtpd_milters = $smtpd_milters
+
+smtpd_recipient_restrictions = check_recipient_access sqlite:/etc/postfix/access.cf
--- a/mail/schema.sql
+++ b/mail/schema.sql
@ -4,3 +4,4 @@ create table mailbox (username varchar(255) not null primary key, password varch

 create table dkim (match varchar(255) not null primary key, key varchar(255) not null);
 create table dkim_key (key varchar(255) not null primary key, domain varchar(255) not null, selector varchar(255) not null, private_key varchar(65535) not null);
+create table access (address varchar(255) not null primary key, action varchar(255) not null);
--- a/misc/README.md
+++ b/misc/README.md
@ -18,8 +18,9 @@ sudo cp 99-no-wifi-on-ethernet /etc/NetworkManager/dispatcher.d
 sudo sed -i '$ a EXTRA_OPTS=-L 4' /etc/default/cron
 ```

-## Do not log cron sessions
+## Do not log sessions

 ```sh
-sudo sed -i '/pam_unix.so/ i session [success=1 default=ignore] pam_succeed_if.so service in cron quiet' /etc/pam.d/common-session-noninteractive
+sudo cp unix-no-session-log /usr/share/pam-configs
+sudo pam-auth-update # Select OK to update
 ```
--- a/misc/unix-no-session-log
+++ b/misc/unix-no-session-log
@ -0,0 +1,6 @@
+Name: Unix authentication - no session logging
+Default: yes
+Priority: 257
+Session-Type: Additional
+Session:
+	[success=1 default=ignore] pam_succeed_if.so service in cron:sudo quiet
--- a/ssh/README.md
+++ b/ssh/README.md
@ -5,7 +5,9 @@ Switch to your main user with `su - adminuser` afterwards.

 ```sh
 sudo sed -i '$ a sshlogin:*:1001:65534::/home/sshlogin:/bin/sh' /etc/passwd
-sudo cp *.conf /etc/ssh/sshd_config.d
+sudo sed -i '$ a Match User *' /etc/ssh/sshd_config
+sudo sed -i '$ a Include /etc/ssh/sshd_config.d/*.user' /etc/ssh/sshd_config
+sudo cp *.conf *.user /etc/ssh/sshd_config.d

 sudo mkdir -p /home/sshlogin/.ssh
 sudo chown sshlogin:root /home/sshlogin/.ssh
@ -13,3 +15,13 @@ sudo chown sshlogin:root /home/sshlogin/.ssh

 * Either create a password with `sudo passwd sshlogin` or
 * Add a key `sudo -u sshlogin editor /home/sshlogin/.ssh/authorized_keys`
+* Test config for user with `sudo sshd -T -C user=sshlogin`
+
+## Notes
+
+> Included files do not affect the match context of the file including them.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2468#c26
+
+According to the tests, the above is possible:
+https://github.com/openssh/openssh-portable/blob/master/regress/servcfginclude.sh
--- a/ssh/user-backup.conf
+++ b/ssh/user-backup.conf
--- a/ssh/user-sshlogin.conf
+++ b/ssh/user-sshlogin.conf
Author	SHA1	Message	Date
Adrian	65dda1f790	Proper PAM config to disable session logging	2020-08-28 00:51:28 +02:00
Adrian	67dbae6477	Add postfix recipient access restrictions	2020-08-28 00:46:57 +02:00
Adrian	527a120468	Fix sshd user config	2020-08-28 00:27:51 +02:00