Correct and improve stricter ssh and doas access #34

New issue

Closed

opened 2020-07-23 15:13:06 +02:00 by jdubois · 1 comment

jdubois commented 2020-07-23 15:13:06 +02:00

Member

Copy link

Commit 8b1ce861e3 added stricter ssh and doas access, and was improved by commit 10d56cad1e.

But there are some problems and questions :

• Why are the groups name evolinux-xxx ? We should name them evobsd-xxx.
• The evolinux-sudo group is not used in sudoers file but in doas.conf. It should be named evobsd-doas.
• Since we use doas in place of sudo, we should remove the evomaintenance configuration in the sudo configuration.
• Are theses groups made for every users, namely Evolix users and clients, or are they made only for Evolix users ?
• If they are made only for Evolix users, then how do we allow clients to ssh or to use evomaintenance on their servers ?
• Shouldn't we have only one group instead of a ssh and a sudo group, since each added users will necessarily be in both groups ?
• Is the wheel group still expected to be used ?

Commit 8b1ce861e3a95bd532c82bebb295c42afec5ffdb added stricter ssh and doas access, and was improved by commit 10d56cad1ea2e1a21ab7fa66874492785cb8bf19. But there are some problems and questions : * Why are the groups name `evolinux-xxx` ? We should name them `evobsd-xxx`. * The `evolinux-sudo` group is not used in sudoers file but in doas.conf. It should be named `evobsd-doas`. * Since we use doas in place of sudo, we should remove the evomaintenance configuration in the sudo configuration. * Are theses groups made for every users, namely Evolix users and clients, or are they made only for Evolix users ? * If they are made only for Evolix users, then how do we allow clients to ssh or to use evomaintenance on their servers ? * Shouldn't we have only one group instead of a ssh and a sudo group, since each added users will necessarily be in both groups ? * Is the wheel group still expected to be used ?

Ghost commented 2020-07-23 16:53:00 +02:00

Copy link

Yes, it was a mistake to import these evolinux-xxx groups from Evolinux.

For me, these groups are exclusives to Evolix users. We should just replace them by a single evolix group. That would make more sense to me...

Evolix users should still be part of the wheel group but I think it's more natural to rely on a specific evolix group for SSH and sudo/doas rights. In doing so every sysadmin - not necessarily familiarised with OpenBSD and the wheel group - will understand straight away.

If for some reason a client needs to connect to an OpenBSD system, then we would create a group named after the client name and add it in the SSH configuration.

Yes, it was a mistake to import these evolinux-xxx groups from Evolinux. For me, these groups are exclusives to Evolix users. We should just replace them by a single evolix group. That would make more sense to me... Evolix users should still be part of the wheel group but I think it's more natural to rely on a specific evolix group for SSH and sudo/doas rights. In doing so every sysadmin - not necessarily familiarised with OpenBSD and the wheel group - will understand straight away. If for some reason a client needs to connect to an OpenBSD system, then we would create a group named after the client name and add it in the SSH configuration.

jdubois referenced this issue from a commit 2020-10-13 16:10:48 +02:00

Stricter ssh and doas access - better version Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner.

jdubois closed this issue 2020-10-13 16:10:48 +02:00

jdubois referenced this issue from a commit 2020-10-21 12:07:30 +02:00

Stricter ssh and doas access - two separate groups actually needed Fix #34 again After some discussions, with actually need two separates groups : - One group for ssh access (evobsd_ssh_group) - One group for sudo/doas access (evobsd_sudo_group) We won't need any client group. A client user will be added to the ssh group, so that we won't have to think about what specific group a user need to be added in.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

master

d481cf2b11e7c875525c3757ef24ae76d06b35ea

6.9.0

6.8.0

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: evolix/EvoBSD#34

No description provided.