thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions

guest sshd: drop DEBUG3 + StrictModes no; normalise /root perms

Browse source 
Previously /etc/ssh/sshd_config.d/99-banger.conf landed with:

  LogLevel DEBUG3
  PermitRootLogin yes
  PubkeyAuthentication yes
  AuthorizedKeysFile /root/.ssh/authorized_keys
  StrictModes no

DEBUG3 was debug leftover that floods journald in normal use.
StrictModes no was a workaround for /root perm drift on the work
disk — the real fix is to make those perms correct at provisioning
time.

New drop-in:

  PermitRootLogin prohibit-password
  PubkeyAuthentication yes
  PasswordAuthentication no
  KbdInteractiveAuthentication no
  AuthorizedKeysFile /root/.ssh/authorized_keys

prohibit-password blocks password root login even if PasswordAuth
gets flipped on elsewhere; KbdInteractiveAuth no closes the last
interactive fallback; StrictModes is now on (sshd's default).

normaliseHomeDirPerms chown/chmods /root to 0755 root:root at every
work-disk mount (ensureAuthorizedKeyOnWorkDisk,
seedAuthorizedKeyOnExt4Image); the .ssh dir also explicitly
chown'd root:root. Verified end-to-end against a real VM:
`sshd -T` reports strictmodes yes and all five directives match.

Regression test (sshd_config_test.go) pins the allow-list and the
deny-list (DEBUG3, StrictModes no, bare `PermitRootLogin yes`) so
the next accidental reintroduction fails fast.

README's Security section updated to reflect the new posture.
This commit is contained in:
Thales Maciel 2026-04-19 13:40:40 -03:00
parent 6cd52d12f4
commit 2e6e64bc04
No known key found for this signature in database
GPG key ID: 33112E6833C34679
6 changed files with 175 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

10
internal/daemon/image_seed.go
View file

@ -34,6 +34,13 @@ func (d *Daemon) seedAuthorizedKeyOnExt4Image(ctx context.Context, imagePath str
return "", err
}
// Same rationale as in ensureAuthorizedKeyOnWorkDisk — the seed's
// filesystem root becomes /root inside the guest, and sshd's
// StrictModes check walks its ownership and mode.
if err := normaliseHomeDirPerms(ctx, d.runner, mountDir); err != nil {
return "", err
}
sshDir := filepath.Join(mountDir, ".ssh")
if _, err := d.runner.RunSudo(ctx, "mkdir", "-p", sshDir); err != nil {
return "", err
@ -41,6 +48,9 @@ func (d *Daemon) seedAuthorizedKeyOnExt4Image(ctx context.Context, imagePath str
if _, err := d.runner.RunSudo(ctx, "chmod", "700", sshDir); err != nil {
return "", err
}
if _, err := d.runner.RunSudo(ctx, "chown", "0:0", sshDir); err != nil {
return "", err
}
authorizedKeysPath := filepath.Join(sshDir, "authorized_keys")
existing, err := d.runner.RunSudo(ctx, "cat", authorizedKeysPath)