diff --git a/README.md b/README.md index 5694506..02c9cb0 100644 --- a/README.md +++ b/README.md 
@@ -72,21 +72,19 @@ Also don't forget to customize your `bastion.conf` file, which can be found in ` Linux distros below are tested with each release, but as this is a security product, you are **warmly** advised to run it on the latest up-to-date stable version of your favorite OS: -- Debian 10 (Buster), 9 (Stretch), 8 (Jessie) +- Debian 10 (Buster), 9 (Stretch) - RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908) -- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* -- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*\* +- Ubuntu LTS 20.04, 18.04, 16.04 +- OpenSUSE Leap 15.3\*, 15.2\* \*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of `pamtester`, `pam-google-authenticator`, or both. Of course, you may compile those yourself. Any other so-called "modern" Linux version are not tested with each release, but should work with no or minor adjustments. -\*\*: OpenSUSE Leap 15.0 randomly hits a segfault when [updating system packages](https://bugzilla.opensuse.org/show_bug.cgi?id=1146027), we had to remove it from our automated tests workflow. - The following OS are also tested with each release: -- FreeBSD/HardenedBSD 13.0\*\*\* +- FreeBSD/HardenedBSD 13.0\*\* -\*\*\*: Note that these have partial MFA support, due to their reduced set of available `pam` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0. +\*\*: Note that these have partial MFA support, due to their reduced set of available `pam` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 13.0. 
Other BSD variants partially work but are unsupported and discouraged as they have a severe limitation over the maximum number of supplementary groups (causing problems for group membership and restricted commands checks), no filesystem-level ACL support and missing MFA: diff --git a/bin/admin/fixrights.sh b/bin/admin/fixrights.sh index 263754c..ca8c3ec 100755 --- a/bin/admin/fixrights.sh +++ b/bin/admin/fixrights.sh @@ -27,7 +27,6 @@ find "$basedir" -name .git -prune -o -name contrib -prune -o -type f -print0 | x find "$basedir"/bin/ ! -name "*.json" -print0 | xargs -r0 chmod 0755 chmod 0644 "$basedir"/bin/dev/perlcriticrc chmod 0700 "$basedir"/bin/admin/install -chmod 0700 "$basedir"/contrib chmod 0700 "$basedir"/bin/sudogen chmod 0700 "$basedir"/tests test -d "$basedir"/install && chmod 0700 "$basedir"/install diff --git a/contrib/libterm-readline-gnu-perl-jessiefix.patch b/contrib/libterm-readline-gnu-perl-jessiefix.patch deleted file mode 100644 index 1af005f..0000000 --- a/contrib/libterm-readline-gnu-perl-jessiefix.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- /usr/lib/x86_64-linux-gnu/perl5/5.20/Term/ReadLine/Gnu/XS.pm 2014-08-15 14:13:27.000000000 +0200 -+++ /usr/lib/x86_64-linux-gnu/perl5/5.20/Term/ReadLine/Gnu/XS.pm 2011-11-15 04:36:04.000000000 +0100 -@@ -581,7 +580,10 @@ - return undef unless defined $_matches[0]; - } - -- return $_matches[$_i]; -+ for (; $_i <= $#_matches; $_i++) { -+ return $_matches[$_i] if ($_matches[$_i] =~ /^\Q$text/); -+ } -+ return undef; - } - - 1; diff --git a/doc/sphinx/installation/advanced.rst b/doc/sphinx/installation/advanced.rst index d6b6007..1442556 100644 --- a/doc/sphinx/installation/advanced.rst +++ b/doc/sphinx/installation/advanced.rst 
@@ -228,19 +228,6 @@ On the master Misc ==== -Fix buggy ReadLine under Debian Jessie -************************************** - -Unfortunately, the version of `libterm-readline-gnu-perl` of Debian Jessie is bugged. -The version of Wheezy (7) and Stretch (9) are correct, only Jessie (8) is affected. -This impacts the ``interactive`` mode of the bastion, namely the autocomplete feature, if you want to apply a quickfix on your system, you can use this: - -.. code-block:: shell - - patch -p0 -d / -r - < /opt/bastion/contrib/libterm-readline-gnu-perl-jessiefix.patch - -Now, as Debian Jessie is quite old, the proper solution is probably not to use it! - Create SSHFP records ******************** diff --git a/doc/sphinx/installation/basic.rst b/doc/sphinx/installation/basic.rst index 2335d9c..c792d60 100644 --- a/doc/sphinx/installation/basic.rst +++ b/doc/sphinx/installation/basic.rst 
@@ -26,21 +26,19 @@ We published a Puppet module to handle The Bastion configuration and prerequisit The following Linux distros are tested with each release, but as this is a security product, you are *warmly* advised to run it on the latest up-to-date stable version of your favorite OS: -- Debian 10 (Buster), 9 (Stretch), 8 (Jessie) +- Debian 10 (Buster), 9 (Stretch) - RHEL/CentOS 8.x (8.3.2011, 8.2.2004, 8.1.1911), 7.x (7.9.2009, 7.8.2003, 7.7.1908) -- Ubuntu LTS 20.04, 18.04, 16.04, 14.04\* -- OpenSUSE Leap 15.2\*, 15.1\*, 15.0\*\* +- Ubuntu LTS 20.04, 18.04, 16.04 +- OpenSUSE Leap 15.3\*, 15.2\* \*: Note that these versions have no out-of-the-box MFA support, as they lack packaged versions of ``pamtester``, ``pam-google-authenticator``, or both. Of course, you may compile those yourself. Any other so-called `modern` Linux version are not tested with each release, but should work with no or minor adjustments. -\*\*: OpenSUSE Leap 15.0 randomly hits a segfault when `updating system packages `_, we had to remove it from our automated tests workflow. - The following OS are also tested with each release: -- FreeBSD/HardenedBSD 12.1\*\*\* +- FreeBSD/HardenedBSD 12.1\*\* -\*\*\*: Note that these have partial MFA support, due to their reduced set of available ``pam`` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 12.1. +\*\*: Note that these have partial MFA support, due to their reduced set of available ``pam`` plugins. Support for either an additional password or TOTP factor can be configured, but not both at the same time. The code is actually known to work on FreeBSD/HardenedBSD 10+, but it's only regularly tested under 12.1. 
Other BSD variants partially work but are unsupported and discouraged as they have a severe limitation over the maximum number of supplementary groups (causing problems for group membership and restricted commands checks), no filesystem-level ACL support and missing MFA: diff --git a/docker/Dockerfile.debian8 b/docker/Dockerfile.debian8 deleted file mode 100644 index e5d1fb6..0000000 --- a/docker/Dockerfile.debian8 +++ /dev/null @@ -1,30 +0,0 @@ -FROM debian:jessie -LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" - -# cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ -RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] -RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] -RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] - -# handle locales -RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen - -# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log -RUN test -e /etc/syslog-ng/syslog-ng.conf && \ - sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf - -# at each modification of our code, we'll start from here thanks to build cache -COPY . /opt/bastion - -# tests that the environment works -RUN ["/opt/bastion/bin/dev/perl-check.sh"] - -# setup ssh/sshd config and setup bastion install -RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] - -# start at entrypoint -ENTRYPOINT /opt/bastion/docker/entrypoint.sh - -# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1 diff --git a/docker/Dockerfile.opensuse152 b/docker/Dockerfile.opensuse15 similarity index 85% rename from docker/Dockerfile.opensuse152 rename to docker/Dockerfile.opensuse15 index 4a9225f..5a80422 100644 --- a/docker/Dockerfile.opensuse152 +++ b/docker/Dockerfile.opensuse15 
@@ -1,4 +1,4 @@ -FROM opensuse/leap:15.2 +FROM opensuse/leap:15 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # cache builds efficiently: just copy the scripts to install packages first @@ -19,9 +19,10 @@ COPY . /opt/bastion RUN ["/opt/bastion/bin/dev/perl-check.sh"] # setup ssh/sshd config and setup bastion install -RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] +RUN ["/opt/bastion/bin/admin/install","--new-install"] # start at entrypoint ENTRYPOINT /opt/bastion/docker/entrypoint.sh -# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1 +# TESTOPT --has-mfa=0 --has-pamtester=0 --has-piv=0 +# TESTFROM opensuse/leap:15.2 opensuse/leap:15.3 diff --git a/docker/Dockerfile.opensuse150 b/docker/Dockerfile.opensuse150 deleted file mode 100644 index 84e19e2..0000000 --- a/docker/Dockerfile.opensuse150 +++ /dev/null 
@@ -1,27 +0,0 @@ -FROM opensuse/leap:15.0 -LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" - -# cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ -RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] -RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] -RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] - -# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log -RUN test -e /etc/syslog-ng/syslog-ng.conf && \ - sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf - -# at each modification of our code, we'll start from here thanks to build cache -COPY . /opt/bastion - -# tests that the environment works -RUN ["/opt/bastion/bin/dev/perl-check.sh"] - -# setup ssh/sshd config and setup bastion install -RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] - -# start at entrypoint -ENTRYPOINT /opt/bastion/docker/entrypoint.sh - -# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1 diff --git a/docker/Dockerfile.opensuse151 b/docker/Dockerfile.opensuse151 deleted file mode 100644 index 4bb5d51..0000000 --- a/docker/Dockerfile.opensuse151 +++ /dev/null 
@@ -1,27 +0,0 @@ -FROM opensuse/leap:15.1 -LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" - -# cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ -RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] -RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] -RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"] - -# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log -RUN test -e /etc/syslog-ng/syslog-ng.conf && \ - sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf - -# at each modification of our code, we'll start from here thanks to build cache -COPY . /opt/bastion - -# tests that the environment works -RUN ["/opt/bastion/bin/dev/perl-check.sh"] - -# setup ssh/sshd config and setup bastion install -RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] - -# start at entrypoint -ENTRYPOINT /opt/bastion/docker/entrypoint.sh - -# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1 diff --git a/docker/Dockerfile.ubuntu1404 b/docker/Dockerfile.ubuntu1404 deleted file mode 100644 index aa3d8de..0000000 --- a/docker/Dockerfile.ubuntu1404 +++ /dev/null 
@@ -1,30 +0,0 @@ -FROM ubuntu:14.04 -LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" - -# cache builds efficiently: just copy the scripts to install packages first -COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ -COPY lib/shell /opt/bastion/lib/shell/ -RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] -RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] -RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"] - -# handle locales -RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen - -# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log -RUN test -e /etc/syslog-ng/syslog-ng.conf && \ - sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf - -# at each modification of our code, we'll start from here thanks to build cache -COPY . /opt/bastion - -# tests that the environment works -RUN ["/opt/bastion/bin/dev/perl-check.sh"] - -# setup ssh/sshd config and setup bastion install -RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"] - -# start at entrypoint -ENTRYPOINT /opt/bastion/docker/entrypoint.sh - -# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1
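Review bot: the README hunk and the doc/sphinx/installation/basic.rst hunk in this same patch now disagree on the tested BSD release: here the list reads "FreeBSD/HardenedBSD 13.0\*\*" and the footnote says "only regularly tested under 13.0", while basic.rst keeps "12.1" in both places. Pick one value and apply it to both files in this change, since the footnote renumbering (\*\*\* to \*\*) is otherwise done consistently in both.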
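Review bot: in the bin/admin/fixrights.sh hunk, dropping `chmod 0700 "$basedir"/contrib` leaves the unchanged context line `find "$basedir" -name .git -prune -o -name contrib -prune ...` out of step with it. If contrib/ disappears entirely once libterm-readline-gnu-perl-jessiefix.patch is deleted, the `-name contrib -prune` clause is now dead and should be removed in the same commit; if contrib/ still holds other files, fixrights.sh no longer enforces its mode and the chmod line should stay.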
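Review bot: the basic.rst hunk removes the broken reStructuredText link `\`updating system packages \`_` (empty target) along with the 15.0 footnote, which is fine, but while these lines are being touched the unchanged context sentence "Any other so-called `modern` Linux version are not tested with each release" should read "versions are not tested"; the same sentence appears in the README hunk.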
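Review bot: in the first docker/Dockerfile.opensuse15 hunk, `FROM opensuse/leap:15` is an unpinned major tag, so a manual build gets whatever minor release that tag currently resolves to. If the intent is that the new `# TESTFROM opensuse/leap:15.2 opensuse/leap:15.3` marker makes the test harness substitute a concrete tag, add a comment next to the FROM line saying so, so that nobody mistakes the floating tag for the tested configuration.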
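Review bot: the second docker/Dockerfile.opensuse15 hunk carries two behavioural changes that are not explained anywhere in this diff: `--no-wait` is dropped from `RUN ["/opt/bastion/bin/admin/install","--new-install"]` (every deleted Dockerfile still passed it), and the PIV flag flips from `HAS_PIV=1` to `--has-piv=0` for openSUSE. Both deserve a sentence in the commit message, and the new `# TESTOPT` / `# TESTFROM` marker syntax replacing `# TESTENV` should point to where the test runner parses it.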