Loading .gitlab-ci.yml +5 −5 Original line number Diff line number Diff line Loading @@ -3,7 +3,7 @@ stages: variables: NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd" WITH2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa" WITH2FA_URL: "${CI_REGISTRY_IMAGE}/opensuse_sshd_2fa" # This import is for the func_rse_docker_* functions before_script: Loading @@ -24,8 +24,8 @@ build-docker: script: - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY - if [$CI_COMMIT_REF_NAME == 'master']; then export IMAGE_PREFIX=""; fi - docker build -f server_side/dockerfiles/Dockerfile -t no2fa --target no2fa ./server_side - docker build -f server_side/dockerfiles/Dockerfile -t with2fa --target with2fa ./server_side - docker build -f server_side/dockerfiles/Dockerfile.ubuntu -t no2fa --target no2fa ./server_side - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t with2fa --target with2fa ./server_side - docker tag no2fa $NO2FA_URL$IMAGE_PREFIX:latest - docker tag with2fa $WITH2FA_URL$IMAGE_PREFIX:latest - docker push $NO2FA_URL$IMAGE_PREFIX:latest Loading 
@@ -36,9 +36,9 @@ build-docker: build-packages: stage: build script: - docker build -f server_side/dockerfiles/Dockerfile -t ubuntu22 --target package ./server_side - docker build -f server_side/dockerfiles/Dockerfile.ubuntu -t ubuntu22 --target package ./server_side - docker run --rm -v `pwd`:/tmp ubuntu22 bash -c "cp /src/c/build/*.deb /tmp" - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t opensuse ./server_side - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t opensuse --target package ./server_side - docker run --rm -v `pwd`:/tmp opensuse bash -c "cp /src/c/build/*.rpm /tmp" artifacts: paths: Loading server_side/c/sshd +1 −1 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=1 default=ignore] pam_unix.so auth [success=done default=die] oidc-pam.so /etc/security/oidc/oidc-pam.json use_first_pass auth [success=done default=die] /usr/lib/security/oidc-pam.so /etc/security/oidc/oidc-pam.json use_first_pass # Standard Un*x authentication. @include common-auth Loading server_side/c/sshd_2fa +12 −58 Original line number Diff line number Diff line #%PAM-1.0 # PAM configuration for the Secure Shell service auth [success=done default=ignore] oidc-pam.so /etc/security/oidc/oidc-pam.json auth [success=done default=ignore] /usr/lib/security/oidc-pam.so /etc/security/oidc/oidc-pam.json auth [success=done default=die] pam_google_authenticator.so use_first_pass secret=${HOME}/auth/.google_authenticator # Standard Un*x authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so # Standard Un*x authorization. #account sufficient pam_python.so /opt/oidc/oidc-pam.py @include common-account # SELinux needs to be the first session rule. 
This ensures that any # lingering context has been cleared. Without this it is possible that a # module could execute code in the wrong domain. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close # Set the loginuid process attribute. auth requisite pam_nologin.so #auth include common-auth account requisite pam_nologin.so account include common-account password include common-password session required pam_loginuid.so # Create a new session keyring. session include common-session session optional pam_lastlog.so silent noupdate showfailed session optional pam_keyinit.so force revoke # Standard Un*x session setup and teardown. @include common-session # Print the message of the day upon successful login. # This includes a dynamically generated part from /run/motd.dynamic # and a static (admin-editable) part from /etc/motd. session optional pam_motd.so motd=/run/motd.dynamic session optional pam_motd.so noupdate # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. session required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. session required pam_env.so user_readenv=1 envfile=/etc/default/locale # SELinux needs to intervene at login time to ensure that the process starts # in the proper default security context. Only sessions which are intended # to run in the user's context should be run after this. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open # Standard Un*x password updating. 
@include common-password # PAM configuration for the Secure Shell service server_side/dockerfiles/Dockerfile.opensuse +39 −1 Original line number Diff line number Diff line from opensuse/leap:15.3 from opensuse/leap:15.3 as package RUN zypper in -y cmake libcurl-devel pam-devel gcc rpmbuild Loading @@ -7,3 +7,41 @@ COPY c /src/c WORKDIR /src/c RUN bash ./build.sh RPM #2FA FROM opensuse/leap:15.3 AS with2fa RUN useradd test RUN mkhomedir_helper test RUN echo test:123 | chpasswd RUN mkdir /run/sshd /etc/security/oidc RUN zypper in -y google-authenticator-libpam curl python3 openssh COPY --from=package /src/c/build/*.rpm /package/ RUN zypper in -y --allow-unsigned-rpm /package/oidc-pam-0.1.0-Linux.rpm COPY start_2fa.sh /tmp/oidc/ COPY update_oidc_config.py /tmp/oidc/ COPY oidc-pam.json /tmp/oidc/ COPY c/sshd_2fa /etc/pam.d/sshd COPY sshd_pam.conf /etc/ssh/sshd_config.d/ EXPOSE 22 ENV OIDC_CHECK_2FA=1 RUN ssh-keygen -A RUN chmod 777 /tmp/oidc/start_2fa.sh CMD /tmp/oidc/start_2fa.sh USER root server_side/dockerfiles/Dockerfile→server_side/dockerfiles/Dockerfile.ubuntu +0 −19 Original line number Diff line number Diff line Loading @@ -35,22 +35,3 @@ EXPOSE 22 RUN chmod 777 /tmp/oidc/start_no2fa.sh CMD /tmp/oidc/start_no2fa.sh #2FA FROM no2fa AS with2fa RUN apt-get install -y libpam-google-authenticator COPY c/sshd_2fa /etc/pam.d/sshd ENV OIDC_CHECK_2FA=1 COPY start_2fa.sh /tmp/oidc/ RUN chmod 777 /tmp/oidc/start_2fa.sh CMD /tmp/oidc/start_2fa.sh USER root Loading
.gitlab-ci.yml +5 −5 Original line number Diff line number Diff line Loading @@ -3,7 +3,7 @@ stages: variables: NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd" WITH2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa" WITH2FA_URL: "${CI_REGISTRY_IMAGE}/opensuse_sshd_2fa" # This import is for the func_rse_docker_* functions before_script: Loading @@ -24,8 +24,8 @@ build-docker: script: - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY - if [$CI_COMMIT_REF_NAME == 'master']; then export IMAGE_PREFIX=""; fi - docker build -f server_side/dockerfiles/Dockerfile -t no2fa --target no2fa ./server_side - docker build -f server_side/dockerfiles/Dockerfile -t with2fa --target with2fa ./server_side - docker build -f server_side/dockerfiles/Dockerfile.ubuntu -t no2fa --target no2fa ./server_side - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t with2fa --target with2fa ./server_side - docker tag no2fa $NO2FA_URL$IMAGE_PREFIX:latest - docker tag with2fa $WITH2FA_URL$IMAGE_PREFIX:latest - docker push $NO2FA_URL$IMAGE_PREFIX:latest Loading @@ -36,9 +36,9 @@ build-docker: build-packages: stage: build script: - docker build -f server_side/dockerfiles/Dockerfile -t ubuntu22 --target package ./server_side - docker build -f server_side/dockerfiles/Dockerfile.ubuntu -t ubuntu22 --target package ./server_side - docker run --rm -v `pwd`:/tmp ubuntu22 bash -c "cp /src/c/build/*.deb /tmp" - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t opensuse ./server_side - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t opensuse --target package ./server_side - docker run --rm -v `pwd`:/tmp opensuse bash -c "cp /src/c/build/*.rpm /tmp" artifacts: paths: Loading
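Review bot: The branch test that decides the tag prefix for the images these hunks now build, `if [$CI_COMMIT_REF_NAME == 'master']; then ...`, has no space after `[`, so the shell looks for a command named `[master` (or `[<branch>`), the condition is always false and `IMAGE_PREFIX` is never exported; it is an unchanged line in the second hunk, but it sits between the changed build lines and decides where `$WITH2FA_URL$IMAGE_PREFIX:latest` is pushed. The line should read `- if [ "$CI_COMMIT_REF_NAME" == "master" ]; then export IMAGE_PREFIX=""; fi`. Separately, `docker login --password=$CI_REGISTRY_PASSWORD` places the registry secret on a command line that other processes on the runner can read; `echo "$CI_REGISTRY_PASSWORD" | docker login --username="$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` gives the same result without that exposure.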
server_side/c/sshd +1 −1 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=1 default=ignore] pam_unix.so auth [success=done default=die] oidc-pam.so /etc/security/oidc/oidc-pam.json use_first_pass auth [success=done default=die] /usr/lib/security/oidc-pam.so /etc/security/oidc/oidc-pam.json use_first_pass # Standard Un*x authentication. @include common-auth Loading
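Review bot: The new absolute module path `/usr/lib/security/oidc-pam.so` hard-codes the openSUSE PAM module directory into a config that, judging by the CI targets, is the one the Ubuntu no2fa image installs (the earlier lines of the Ubuntu Dockerfile are outside this diff, so that is inferred). Debian-based PAM does not search `/usr/lib/security` by default, so if the .deb installs the module into the multiarch security directory this line resolves to an unknown module and `default=die` refuses every login that pam_unix did not already accept — fail-closed, but it silently disables OIDC on that image. Either keep the bare `oidc-pam.so` here and let each package install into its distro's module directory, or add a comment above the line stating which image this file is for and where the package places the module.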
server_side/c/sshd_2fa +12 −58 Original line number Diff line number Diff line #%PAM-1.0 # PAM configuration for the Secure Shell service auth [success=done default=ignore] oidc-pam.so /etc/security/oidc/oidc-pam.json auth [success=done default=ignore] /usr/lib/security/oidc-pam.so /etc/security/oidc/oidc-pam.json auth [success=done default=die] pam_google_authenticator.so use_first_pass secret=${HOME}/auth/.google_authenticator # Standard Un*x authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so # Standard Un*x authorization. #account sufficient pam_python.so /opt/oidc/oidc-pam.py @include common-account # SELinux needs to be the first session rule. This ensures that any # lingering context has been cleared. Without this it is possible that a # module could execute code in the wrong domain. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close # Set the loginuid process attribute. auth requisite pam_nologin.so #auth include common-auth account requisite pam_nologin.so account include common-account password include common-password session required pam_loginuid.so # Create a new session keyring. session include common-session session optional pam_lastlog.so silent noupdate showfailed session optional pam_keyinit.so force revoke # Standard Un*x session setup and teardown. @include common-session # Print the message of the day upon successful login. # This includes a dynamically generated part from /run/motd.dynamic # and a static (admin-editable) part from /etc/motd. session optional pam_motd.so motd=/run/motd.dynamic session optional pam_motd.so noupdate # Print the status of the user's mailbox upon successful login. 
session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. session required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. session required pam_env.so user_readenv=1 envfile=/etc/default/locale # SELinux needs to intervene at login time to ensure that the process starts # in the proper default security context. Only sessions which are intended # to run in the user's context should be run after this. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open # Standard Un*x password updating. @include common-password # PAM configuration for the Secure Shell service
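Review bot: In the rewritten auth stack, `auth requisite pam_nologin.so` as placed in the hunk can never act on a successful login: both lines above it use `success=done`, which ends the auth phase as soon as oidc-pam.so or pam_google_authenticator.so succeeds, so the line only runs on a path that has already been refused. The `account requisite pam_nologin.so` entry a few lines down does enforce /etc/nologin, so either move the auth entry above the `/usr/lib/security/oidc-pam.so` line or drop it with a comment such as `# nologin is enforced in the account phase; the auth lines above end the stack with success=done`. Also worth a comment: with `#auth include common-auth` commented out there is no pam_unix path left in this stack, so a local password alone can no longer authenticate — if that is the intended OIDC-or-nothing policy, say so above the line. The rendered page has lost the +/- markers, so which of these lines are new versus kept is inferred from the addition count.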
server_side/dockerfiles/Dockerfile.opensuse +39 −1 Original line number Diff line number Diff line from opensuse/leap:15.3 from opensuse/leap:15.3 as package RUN zypper in -y cmake libcurl-devel pam-devel gcc rpmbuild Loading @@ -7,3 +7,41 @@ COPY c /src/c WORKDIR /src/c RUN bash ./build.sh RPM #2FA FROM opensuse/leap:15.3 AS with2fa RUN useradd test RUN mkhomedir_helper test RUN echo test:123 | chpasswd RUN mkdir /run/sshd /etc/security/oidc RUN zypper in -y google-authenticator-libpam curl python3 openssh COPY --from=package /src/c/build/*.rpm /package/ RUN zypper in -y --allow-unsigned-rpm /package/oidc-pam-0.1.0-Linux.rpm COPY start_2fa.sh /tmp/oidc/ COPY update_oidc_config.py /tmp/oidc/ COPY oidc-pam.json /tmp/oidc/ COPY c/sshd_2fa /etc/pam.d/sshd COPY sshd_pam.conf /etc/ssh/sshd_config.d/ EXPOSE 22 ENV OIDC_CHECK_2FA=1 RUN ssh-keygen -A RUN chmod 777 /tmp/oidc/start_2fa.sh CMD /tmp/oidc/start_2fa.sh USER root
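Review bot: `RUN chmod 777 /tmp/oidc/start_2fa.sh` makes the container's entrypoint world-writable, and `CMD /tmp/oidc/start_2fa.sh` under `USER root` then executes it as root, so any account that can write the file — including the `test` user this stage creates, should it obtain a shell over the exposed port 22 — can change what runs as root at the next container start. Owner execute permission is all the CMD needs, so `RUN chmod 755 /tmp/oidc/start_2fa.sh`, and a directory outside `/tmp` would also avoid tmp-cleaning surprises. The hard-coded `RUN echo test:123 | chpasswd` credential is baked into an image the CI tags for the registry as `.../opensuse_sshd_2fa`; if it is a test fixture, a comment saying so and a password set at container start rather than at build time would keep a known credential out of the published image. The stage header casing is also inconsistent: `from opensuse/leap:15.3 as package` versus `FROM opensuse/leap:15.3 AS with2fa`.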
server_side/dockerfiles/Dockerfile→server_side/dockerfiles/Dockerfile.ubuntu +0 −19 Original line number Diff line number Diff line Loading @@ -35,22 +35,3 @@ EXPOSE 22 RUN chmod 777 /tmp/oidc/start_no2fa.sh CMD /tmp/oidc/start_no2fa.sh #2FA FROM no2fa AS with2fa RUN apt-get install -y libpam-google-authenticator COPY c/sshd_2fa /etc/pam.d/sshd ENV OIDC_CHECK_2FA=1 COPY start_2fa.sh /tmp/oidc/ RUN chmod 777 /tmp/oidc/start_2fa.sh CMD /tmp/oidc/start_2fa.sh USER root