improve: switch to drop-ins instead of full overrides

2025-11-02 11:28:06 +00:00 · 2024-01-25 21:30:47 -08:00
parent 378f32202f
commit 6bc46d51d6
4 changed files with 27 additions and 194 deletions
--- a/config/files/server/usr/etc/ssh/sshd_config
+++ b/config/files/server/usr/etc/ssh/sshd_config
@@ -1,130 +0,0 @@
 #       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 # To modify the system-wide sshd configuration, create a  *.conf  file under
 #  /etc/ssh/sshd_config.d/  which will be automatically included below
 Include /etc/ssh/sshd_config.d/*.conf
 # If you want to change the port on a SELinux system, you have to tell
 # SELinux about this change.
 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 #
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
 #LogLevel INFO
 # Authentication:
 #LoginGraceTime 2m
 #PermitRootLogin prohibit-password
 #StrictModes yes
 MaxAuthTries 3
 MaxSessions 2
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile      .ssh/authorized_keys
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
 #KbdInteractiveAuthentication yes
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 #KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 #GSSAPIEnablek5users no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.
 # WARNING: 'UsePAM no' is not supported in Fedora and may cause several
 # problems.
 #UsePAM no
 AllowAgentForwarding no
 AllowTcpForwarding no
 #GatewayPorts no
 X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 TCPKeepAlive no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 ClientAliveCountMax 2
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 #Banner none
 # override default of no subsystems
 Subsystem       sftp    /usr/libexec/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #       X11Forwarding no
 #       AllowTcpForwarding no
 #       PermitTTY no
 #       ForceCommand cvs server
--- a/config/files/server/usr/etc/ssh/sshd_config.d/99-hardening.conf
+++ b/config/files/server/usr/etc/ssh/sshd_config.d/99-hardening.conf
@@ -0,0 +1,23 @@
 # Only allow three auth attempts
 MaxAuthTries 3
 # Only allow two simultaneous sessions
 MaxSessions 2
 # Forbid agent forwarding
 AllowAgentForwarding no
 # Forbid TCP forwarding
 AllowTcpForwarding no
 # Forbid X11 forwarding
 X11Forwarding no
 # Disable TCPKeepAlive
 TCPKeepAlive no
 # Maximum number of client alive messages sent without response||
 ClientAliveCountMax 2
 # Forbid sshing as root
 PermitRootLogin no
--- a/config/files/usr/etc/security/limits.conf
+++ b/config/files/usr/etc/security/limits.conf
@@ -1,64 +0,0 @@
 # /etc/security/limits.conf
 #
 #This file sets the resource limits for the users logged in via PAM.
 #It does not affect resource limits of the system services.
 #
 #Also note that configuration files in /etc/security/limits.d directory,
 #which are read in alphabetical order, override the settings in this
 #file in case the domain is the same or more specific.
 #That means, for example, that setting a limit for wildcard domain here
 #can be overridden with a wildcard setting in a config file in the
 #subdirectory, but a user specific setting here can be overridden only
 #with a user specific setting in the subdirectory.
 #
 #Each line describes a limit for a user in the form:
 #
 #<domain>        <type>  <item>  <value>
 #
 #Where:
 #<domain> can be:
 #        - a user name
 #        - a group name, with @group syntax
 #        - the wildcard *, for default entry
 #        - the wildcard %, can be also used with %group syntax,
 #                 for maxlogin limit
 #
 #<type> can have the two values:
 #        - "soft" for enforcing the soft limits
 #        - "hard" for enforcing hard limits
 #
 #<item> can be one of the following:
 #        - core - limits the core file size (KB)
 #        - data - max data size (KB)
 #        - fsize - maximum filesize (KB)
 #        - memlock - max locked-in-memory address space (KB)
 #        - nofile - max number of open file descriptors
 #        - rss - max resident set size (KB)
 #        - stack - max stack size (KB)
 #        - cpu - max CPU time (MIN)
 #        - nproc - max number of processes
 #        - as - address space limit (KB)
 #        - maxlogins - max number of logins for this user
 #        - maxsyslogins - max number of logins on the system
 #        - priority - the priority to run user process with
 #        - locks - max number of file locks the user can hold
 #        - sigpending - max number of pending signals
 #        - msgqueue - max memory used by POSIX message queues (bytes)
 #        - nice - max nice priority allowed to raise to values: [-20, 19]
 #        - rtprio - max realtime priority
 #
 #<domain>      <type>  <item>         <value>
 #
 #*               soft    core            0
 #*               hard    rss             10000
 #@student        hard    nproc           20
 #@faculty        soft    nproc           20
 #@faculty        hard    nproc           50
 #ftp             hard    nproc           0
 #@student        -       maxlogins       4
 * hard core 0
 * soft core 0
 # End of file
--- a/config/files/usr/etc/security/limits.d/99-disable-coredump.conf
+++ b/config/files/usr/etc/security/limits.d/99-disable-coredump.conf
@@ -0,0 +1,4 @@
 # Disable coredumps
 * hard core 0
 * soft core 0