authorJan Dittberner <jandd@cacert.org>2020-06-05 23:35:49 +0200
committerJan Dittberner <jandd@cacert.org>2020-06-05 23:37:37 +0200
commit0e5b5f5acb3bab5bc75da0761f7287c847b635e4 (patch)
tree97e1a7e41926abd9bf7857dfba7b2defe32951cc
parent169d4518e8c3b4a44b440cc922f7e42369f7ef93 (diff)
Switch from rssh to sftponly for debarchive
rssh has been dropped in Debian Buster. This change removes rssh configuration from webstatic. The debarchive user is now restricted to sftp via sshd_config.
-rw-r--r--sitemodules/profiles/manifests/debarchive.pp43
1 files changed, 8 insertions, 35 deletions
diff --git a/sitemodules/profiles/manifests/debarchive.pp b/sitemodules/profiles/manifests/debarchive.pp
index 82888b5..f8796d5 100644
--- a/sitemodules/profiles/manifests/debarchive.pp
+++ b/sitemodules/profiles/manifests/debarchive.pp
@@ -59,20 +59,15 @@ class profiles::debarchive (
include profiles::apache_common
include profiles::systemd_reload
- package{ ['rssh', 'reprepro', 'inoticoming']:
+ package{ ['reprepro', 'inoticoming']:
ensure => latest,
- } ->
- file { 'ensure that suid bit on rssh_chroot_helper is set':
- path => '/usr/lib/rssh/rssh_chroot_helper',
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '4755',
}
- exec { 'add rssh to list of valid shells':
- command => '/usr/sbin/add-shell /usr/bin/rssh',
- unless => '/bin/grep -q rss /etc/shells',
- require => Package['rssh'],
+ file { '/etc/rssh.conf':
+ ensure => absent,
+ }
+ exec { 'remove rssh from list of valid shells':
+ command => '/bin/sed -d /usr/bin/rssh -i /etc/shells',
+ onlyif => '/bin/grep -q rssh /etc/shells',
}
# setup user, groups and directories
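Review bot: The replacement exec's `command => '/bin/sed -d /usr/bin/rssh -i /etc/shells'` cannot succeed, because sed has no `-d` option, so the resource will error on every Puppet run for as long as the `onlyif` grep keeps matching. The counterpart to the `add-shell` the removed code used is `/usr/sbin/remove-shell` from debianutils, which edits /etc/shells in place: `command => '/usr/sbin/remove-shell /usr/bin/rssh',` with `onlyif => '/bin/grep -qx /usr/bin/rssh /etc/shells',` so the guard only matches the exact entry rather than any line containing "rssh". Since the package list merely drops `rssh` instead of purging it, a host that still has it installed from before Buster keeps the setuid `rssh_chroot_helper` (which the removed file resource set to 4755); `package { 'rssh': ensure => purged }` would remove it along with its config. The enclosing class profiles::debarchive starts before this hunk.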
@@ -85,9 +80,8 @@ class profiles::debarchive (
system => true,
gid => 'nogroup',
home => $debarchive_home,
- shell => '/usr/bin/rssh',
+ shell => '/usr/sbin/nologin',
purge_ssh_keys => true,
- require => Package['rssh'],
}
file { $debarchive_home:
ensure => directory,
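Review bot: Setting `shell => '/usr/sbin/nologin'` only blocks interactive logins; by itself it does not confine the account to SFTP, and the sshd_config `Match`/`ForceCommand internal-sftp` configuration the commit message relies on is not part of this commit (the diffstat lists only debarchive.pp). The removed rssh configuration in the later hunk (the `debarchive:022:000110:${upload_chroot}` fragment) also chrooted uploads to `${upload_chroot}`; unless the sshd_config side sets `ChrootDirectory` to the same tree, the account can now browse the whole filesystem over SFTP. A comment on the user resource would make that dependency visible here, e.g. `# sftp-only: access is restricted by the Match block in sshd_config (ForceCommand internal-sftp, ChrootDirectory)`. The user resource starts before this hunk.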
@@ -115,27 +109,6 @@ class profiles::debarchive (
refreshonly => true,
}
- $rssh_conf = '/etc/rssh.conf'
-
- concat { $rssh_conf:
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
-
- concat::fragment { 'rssh-global':
- target => $rssh_conf,
- order => '01',
- source => 'puppet:///modules/profiles/debarchive/rssh.global.conf',
- }
-
- concat::fragment { 'rssh-debarchive':
- target => $rssh_conf,
- order => '10',
- content => "user = \"debarchive:022:000110:${upload_chroot}\"\n",
- }
-
# setup ssh keys
$uploaders.each |String $username| {
$ssh_keys = $::profiles::base::users[$username]['ssh_keys']