[Kim] vyos#2554 customise vyos-1x

* update sshd_config template with parameters required for freeipa/sssd * symlink config to /config/freeipa so it can be updated and retained * /etc/krb5.conf * /etc/krb5.conf.d * /etc/nslcd.conf * /etc/nsswitch.conf * /etc/pam.d/common-account * /etc/pam.d/common-account-ldaps * /etc/pam.d/common-auth * /etc/pam.d/common-auth-ldaps * /etc/pam.d/common-session * /etc/pam.d/common-session-ldaps * /etc/pam.d/common-session-noninteractive * /etc/pam.d/common-session-noninteractive-ldaps * /etc/sssd/conf.d * /etc/sssd/pki * /etc/sssd/sssd.conf * /etc/telegraf/telegraf.conf * /etc/telegraf/telegraf.d * /root/.k5login * /usr/local/share/ca-certificates * /var/lib/ipa-client * override service definitions to start in mgmt vrf * nslcd * pdns-recursor * telegraf
TransFICC · Dec 6, 2023 · a603679 · a603679
1 parent 983e36f
commit a603679
Show file tree

Hide file tree

Showing 24 changed files with 51 additions and 1 deletion.
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
@@ -31,6 +31,14 @@ AddressFamily any
 DebianBanner no
 KbdInteractiveAuthentication no
 
+# Added freeipa config
+
+UsePAM yes
+GSSAPIAuthentication yes
+ChallengeResponseAuthentication yes
+AuthorizedKeysCommandUser nobody
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+
 #
 # User configurable section
 #

diff --git a/src/etc/krb5.conf b/src/etc/krb5.conf
@@ -0,0 +1 @@
+/config/freeipa/etc/krb5.conf
diff --git a/src/etc/krb5.conf.d b/src/etc/krb5.conf.d
@@ -0,0 +1 @@
+/config/freeipa/etc/krb5.conf.d
diff --git a/src/etc/nslcd.conf b/src/etc/nslcd.conf
@@ -0,0 +1 @@
+/config/freeipa/etc/nslcd.conf
diff --git a/src/etc/nsswitch.conf b/src/etc/nsswitch.conf
@@ -0,0 +1 @@
+/config/freeipa/etc/nsswitch.conf
diff --git a/src/etc/pam.d/common-account b/src/etc/pam.d/common-account
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-account
diff --git a/src/etc/pam.d/common-account-ldaps b/src/etc/pam.d/common-account-ldaps
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-account-ldaps
diff --git a/src/etc/pam.d/common-auth b/src/etc/pam.d/common-auth
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-auth
diff --git a/src/etc/pam.d/common-auth-ldaps b/src/etc/pam.d/common-auth-ldaps
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-auth-ldaps
diff --git a/src/etc/pam.d/common-session b/src/etc/pam.d/common-session
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-session
diff --git a/src/etc/pam.d/common-session-ldaps b/src/etc/pam.d/common-session-ldaps
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-session-ldaps
diff --git a/src/etc/pam.d/common-session-noninteractive b/src/etc/pam.d/common-session-noninteractive
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-session-noninteractive
diff --git a/src/etc/pam.d/common-session-noninteractive-ldaps b/src/etc/pam.d/common-session-noninteractive-ldaps
@@ -0,0 +1 @@
+/config/freeipa/etc/pam.d/common-session-noninteractive-ldaps
diff --git a/src/etc/sssd/conf.d b/src/etc/sssd/conf.d
@@ -0,0 +1 @@
+/config/freeipa/etc/sssd/conf.d
diff --git a/src/etc/sssd/pki b/src/etc/sssd/pki
@@ -0,0 +1 @@
+/config/freeipa/etc/sssd/pki
diff --git a/src/etc/sssd/sssd.conf b/src/etc/sssd/sssd.conf
@@ -0,0 +1 @@
+/config/freeipa/etc/sssd/sssd.conf
diff --git a/src/etc/systemd/system/nslcd.service.d/override.conf b/src/etc/systemd/system/nslcd.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/ip vrf exec mgmt /etc/init.d/nslcd start
diff --git a/src/etc/systemd/system/pdns-recursor.service.d/override.conf b/src/etc/systemd/system/pdns-recursor.service.d/override.conf
@@ -1,8 +1,15 @@
 [Service]
+User=root
 WorkingDirectory=
 WorkingDirectory=/run/powerdns
 RuntimeDirectory=
 RuntimeDirectory=powerdns
 RuntimeDirectoryPreserve=yes
 ExecStart=
-ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
+ExecStart=/bin/ip vrf exec mgmt /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns --setuid=pdns
+
+LimitMEMLOCK=8388608
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SYS_ADMIN CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_SETUID
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_SYS_ADMIN CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_SETUID
+ProtectControlGroups=false
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
diff --git a/src/etc/systemd/system/telegraf.service.d/override.conf b/src/etc/systemd/system/telegraf.service.d/override.conf
@@ -0,0 +1,12 @@
+[Unit]
+After=vyos-router.service
+
+[Service]
+User=root
+ExecStart=
+ExecStart=/usr/sbin/ip vrf exec mgmt /sbin/runuser -u telegraf -- /usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
+RestartSec=10s
+
+[Install]
+WantedBy=
+WantedBy=vyos.target
diff --git a/src/etc/telegraf/telegraf.conf b/src/etc/telegraf/telegraf.conf
@@ -0,0 +1 @@
+/config/telegraf/telegraf.conf
diff --git a/src/etc/telegraf/telegraf.d b/src/etc/telegraf/telegraf.d
@@ -0,0 +1 @@
+/config/telegraf/telegraf.d
diff --git a/src/root/.k5login b/src/root/.k5login
@@ -0,0 +1 @@
+/config/freeipa/root/.k5login
diff --git a/src/usr/local/share/ca-certificates b/src/usr/local/share/ca-certificates
@@ -0,0 +1 @@
+/config/freeipa/usr/local/share/ca-certificates
diff --git a/src/var/lib/ipa-client b/src/var/lib/ipa-client
@@ -0,0 +1 @@
+/config/freeipa/var/lib/ipa-client
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		/config/freeipa/etc/pam.d/common-session-noninteractive
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		/config/freeipa/usr/local/share/ca-certificates