feat: switch banner if node is sealed

bin/admin/install

@@ -302,7 +302,12 @@ fi
 
 if [ "${opt[modify-banner]}" = 1 ] ; then
     action_doing "Install default sshd banner"
-    install -o "$UID0" -g "$GID0" -m 0644 "$basedir/etc/ssh/banner" $SSH_DIR/
+    install -o "$UID0" -g "$GID0" -m 0644 "$basedir/etc/ssh/banner.ok" $SSH_DIR/
+    install -o "$UID0" -g "$GID0" -m 0644 "$basedir/etc/ssh/banner.sealed" $SSH_DIR/
+    if [ -f $SSH_DIR/banner ] && [ ! -L $SSH_DIR/banner ] ; then
+        rm $SSH_DIR/banner
+    fi
+    ln -sf $SSH_DIR/banner.ok $SSH_DIR/banner
     action_done
 fi
 

bin/admin/setup-encryption.sh

@@ -226,3 +226,30 @@ if [ ! -e /root/unlock-home.sh ]; then
     ln -s /opt/bastion/bin/admin/unlock-home.sh /root/
 fi
 
+action_doing "Enabling SSH banner seal service"
+if command -v systemctl >/dev/null 2>&1; then
+    # SystemD system
+    if systemctl enable osh-seal-banner.service; then
+        action_done "systemd service enabled"
+        action_doing "Starting SSH banner seal service"
+        if systemctl start osh-seal-banner.service; then
+            action_done "systemd service started - banner now in sealed state"
+        else
+            action_error "Failed to start systemd service"
+        fi
+    else
+        action_error "Failed to enable systemd service, please enable manually"
+    fi
+else
+    if update-rc.d osh-seal-banner defaults; then
+        action_done "SysV service enabled (update-rc.d)"
+        action_doing "Starting SSH banner seal service"
+        if service osh-seal-banner start; then
+            action_done "SysV service started - banner now in sealed state"
+        else
+            action_error "Failed to start SysV service"
+        fi
+    else
+        action_error "Failed to enable SysV service with update-rc.d"
+    fi
+fi

bin/admin/unlock-home.sh

@@ -4,11 +4,30 @@ CONFIGFILE=/etc/bastion/luks-config.sh
 # shellcheck source=etc/bastion/luks-config.sh.dist
 . "$CONFIGFILE"
 
+update_banner()
+{
+    if command -v systemctl >/dev/null 2>&1; then
+        if systemctl restart osh-seal-banner.service; then
+            echo "SSH banner updated"
+        else
+            echo "Warning: Could not restart osh-seal-banner service"
+        fi
+    else
+        if service osh-seal-banner restart; then
+            echo "SSH banner updated"
+        else
+            echo "Warning: Could not restart osh-seal-banner service"
+        fi
+    fi
+}
+
 do_mount()
 {
     mount "$MOUNTPOINT"; ret=$?
     if [ $ret -eq 0 ] ; then
         echo "Success!"
+        # Stop the banner seal service to switch to unsealed state
+        update_banner
     else
         echo "Failure... is $MOUNTPOINT correctly specified in /etc/fstab?"
     fi
@@ -22,6 +41,8 @@ fi
 
 if [ -e "$MOUNTPOINT/allowkeeper" ] && mountpoint -q /home ; then
     echo "Already unlocked and mounted"
+    # Stop the banner seal service to ensure banner is in unsealed state
+    update_banner
     exit 0
 fi
 

etc/init.d/osh-seal-banner

@@ -0,0 +1,76 @@
+#! /bin/sh
+#
+# osh-seal-banner: The Bastion SSH banner seal service
+#
+### BEGIN INIT INFO
+# Provides:          osh-seal-banner
+# Required-Start:    $local_fs
+# Required-Stop:     $local_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Sets SSH banner to sealed state at boot time
+# Description:       Script to set SSH banner to indicate the node is sealed
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+case "$1" in
+    start)
+	printf "Setting SSH banner to sealed state... "
+	if [ -f /etc/ssh/banner.sealed ]; then
+		ln -sf /etc/ssh/banner.sealed /etc/ssh/banner
+		echo "done."
+	else
+		echo "banner.sealed not found, skipping."
+	fi
+	;;
+    stop)
+	printf "Setting SSH banner to unsealed state... "
+	if [ -f /etc/ssh/banner.ok ]; then
+		ln -sf /etc/ssh/banner.ok /etc/ssh/banner
+		echo "done."
+	else
+		echo "banner.ok not found, skipping."
+	fi
+	;;
+    force-reload|restart)
+	printf "Restarting SSH banner seal service... "
+	if [ -f /etc/ssh/banner.sealed ]; then
+		ln -sf /etc/ssh/banner.sealed /etc/ssh/banner
+		echo "done."
+	else
+		echo "banner.sealed not found, skipping."
+	fi
+	;;
+    status)
+	if [ -L /etc/ssh/banner ]; then
+		target=$(readlink /etc/ssh/banner)
+		if [ "$target" = "/etc/ssh/banner.sealed" ]; then
+			echo "SSH banner is in sealed state"
+			exit 0
+		elif [ "$target" = "/etc/ssh/banner.ok" ]; then
+			echo "SSH banner is in unsealed state"
+			exit 0
+		else
+			echo "SSH banner state unknown (points to $target)"
+			exit 1
+		fi
+	else
+		echo "SSH banner is not managed by seal service"
+		exit 1
+	fi
+	;;
+    *)
+	echo "Usage: $0 {start|stop|restart|force-reload|status}"
+	exit 1
+	;;
+esac
+
+exit 0

etc/ssh/banner.sealed

@@ -0,0 +1,6 @@
+*------------------------------------------------------------------------------*
+|THIS IS A PRIVATE COMPUTER SYSTEM, UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED.|
+|ALL CONNECTIONS ARE LOGGED. IF YOU ARE NOT AUTHORIZED, DISCONNECT NOW.        |
+|                                                                              |
+| !!! THIS NODE IS CURRENTLY SEALED AND DOESN'T ACCEPT CONNECTIONS !!!         |
+*------------------------------------------------------------------------------*

etc/systemd/osh-seal-banner.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=OVH::Bastion SSH banner seal service
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/ln -sf /etc/ssh/banner.sealed /etc/ssh/banner
+RemainAfterExit=true
+ExecStop=/bin/ln -sf /etc/ssh/banner.ok /etc/ssh/banner
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target