thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions

guest sshd: drop DEBUG3 + StrictModes no; normalise /root perms

Browse source 
Previously /etc/ssh/sshd_config.d/99-banger.conf landed with:

  LogLevel DEBUG3
  PermitRootLogin yes
  PubkeyAuthentication yes
  AuthorizedKeysFile /root/.ssh/authorized_keys
  StrictModes no

DEBUG3 was debug leftover that floods journald in normal use.
StrictModes no was a workaround for /root perm drift on the work
disk — the real fix is to make those perms correct at provisioning
time.

New drop-in:

  PermitRootLogin prohibit-password
  PubkeyAuthentication yes
  PasswordAuthentication no
  KbdInteractiveAuthentication no
  AuthorizedKeysFile /root/.ssh/authorized_keys

prohibit-password blocks password root login even if PasswordAuth
gets flipped on elsewhere; KbdInteractiveAuth no closes the last
interactive fallback; StrictModes is now on (sshd's default).

normaliseHomeDirPerms chown/chmods /root to 0755 root:root at every
work-disk mount (ensureAuthorizedKeyOnWorkDisk,
seedAuthorizedKeyOnExt4Image); the .ssh dir also explicitly
chown'd root:root. Verified end-to-end against a real VM:
`sshd -T` reports strictmodes yes and all five directives match.

Regression test (sshd_config_test.go) pins the allow-list and the
deny-list (DEBUG3, StrictModes no, bare `PermitRootLogin yes`) so
the next accidental reintroduction fails fast.

README's Security section updated to reflect the new posture.
This commit is contained in:
Thales Maciel 2026-04-19 13:40:40 -03:00
parent 6cd52d12f4
commit 2e6e64bc04
No known key found for this signature in database
GPG key ID: 33112E6833C34679
6 changed files with 175 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

15
internal/daemon/vm_test.go
View file

@ -1857,13 +1857,18 @@ func (r *filesystemRunner) RunSudo(ctx context.Context, args ...string) ([]byte,
}
return nil, os.WriteFile(dst, data, os.FileMode(mode))
case "chown":
// chown -R OWNER TARGET — owner is ignored under test; we
// already run as the test user and os.Chown would require
// CAP_CHOWN.
if len(args) != 4 || args[1] != "-R" {
// Recognised forms, both no-op under test (we run as the test
// user and os.Chown would need CAP_CHOWN):
// chown OWNER TARGET
// chown -R OWNER TARGET
switch {
case len(args) == 3:
return nil, nil
case len(args) == 4 && args[1] == "-R":
return nil, nil
default:
return nil, fmt.Errorf("unexpected chown args: %v", args)
}
return nil, nil
default:
return nil, fmt.Errorf("unexpected sudo command: %v", args)
}