Generic configuration of system security:
- Update SSH config and strip unused features
- Enable only SSHv2 public key authentication
- Enable SSH login only for members of
ssh_accessgroup - Create special user for admin access
- Setup encrypted admin password
- Setup sudoers
- Harden /bin/su to allow access only from wheel group
- Configure firewall for SSH access only from whitelisted hosts
- Example configuration
- Free & Commercial support: support@codingfuture.net
Up to date installation instructions are available in Puppet Forge: https://forge.puppet.com/codingfuture/cfauth
Please use librarian-puppet or cfpuppetserver module to deal with dependencies.
There is a known r10k issue RK-3 which prevents automatic dependencies of dependencies installation.
Please check codingufuture/puppet-test for example of a complete infrastructure configuration and Vagrant provisioning.
cfnetwork::describe_services:
cfssh:
server: prefix(any2array($cfauth::sshd_ports), 'tcp/')
cfnetwork::service_ports:
'any:cfssh:cfauth':
src: 'ipset:cfauth_admin'
cfnetwork::ipsets:
cfauth_admin:
type: net
addr: $cfauth::admin_hosts
dynamic: true
whitelist:cfauth:
type: net
addr: 'ipset:cfauth_admin'admin_auth_keys- mandatory required list of allowed SSH public keys in format of suitable forcreate_resources(ssh_authorized_key, $admin_auth_keys, { user => $admin_user, type => 'ssh-rsa' }).admin_user = 'adminaccess'- setup non-root user for SSH access capable ofsudoadmin_password = undef- encrypted password forrootand$admin_user, if set Note: use the following command for generationmkpasswd -m sha-512admin_hosts = undef- passed assrcparamter tocfnetwork::service_portsudo_no_password_all = false- allowsudofor$admin_userwithout password. See below.sudo_no_password_commands= []` - optional list of commands which are allowed to run without passwordsudo_env_keep = []- optional list of environment variables allowed to be preserved in sudosudo_entries = {}- optional resources of typecfauth::sudoentryclear_sudoers = true- clear unmanaged /etc/sudoers.dcustom_sudoers = []- arbitrary lines to add to global sudoers filesshd_ports = '22',sshd_config_template = 'cfauth/sshd_config.epp',secure_path = [<system default>]- array of global trusted pathsssh_max_startups = 10- parameter for SSH MaxStartupsfreeipa = undef- optional FreeIPA client support:server- FreeIPA server address,domain- FreeIPA domain,groups- FreeIPA groups to allow SSH access.
Enabling it is useful for bulk administration of less privileged VMs.
Even if password is required, the following commands can be run without password:
/opt/puppetlabs/puppet/bin/puppet agent --test- deploy puppet/usr/bin/apt-get update- update apt repository metadata/usr/bin/apt-get dist-upgrade- run system upgrade with optional parameter, like-s -y(for simulation( and-y(for install)/usr/bin/apt-get autoremove- run automatic unusued package remove/usr/sbin/cfntpdate- force run pre-configured ntpdate fromcfsystemmodule
The following environment variables are allowed in sudo by default:
DEBIAN_FRONTEND
title- name of file under '/etc/sudoers.d'command = []- command to allow to execute without password- String or Array of Strings
env_keep = []- list of environment variables for env_keepuser = $cfauth::admin_user- user for the entrycustom_config = []- arbitrary lines to add
A standalone cfauth::sftp class has to be included.
All users are created with sftp_ prefix. Their home folders are
located under $cfauth::sftp::root/home. All users are chrooted
under $cfauth::sftp::root/chroot/%u. Each use has data folder
under chroot - the default selected.
Note: if disk quota is configured then filesystem must be mounted by any type of user quota support.
root = '/mnt/sftp'- root for SFTP location.users = {}-cfauth::sftp::userdefinitions
name- name of user withoutsftp_prefix.auth_keys = {}- definition of SSH authentication keys.user_hosts = []- list of SSH-accepted IP addresses to allow access from.block_limit = undef- passed to setquota hard block limitinode_limit = undef- passed to setquota hard inode limit