thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions

port smoke to go

Browse source
This commit is contained in:
Thales Maciel 2026-05-01 19:34:44 -03:00
parent b0a9d64f4a
commit 9ed44bfd75
No known key found for this signature in database
GPG key ID: 33112E6833C34679
20 changed files with 2118 additions and 1573 deletions
Download patch file Download diff file Expand all files Collapse all files

5
internal/daemon/sshd_config_test.go
View file

@ -20,6 +20,11 @@ func TestSshdGuestConfig_Hardened(t *testing.T) {
"PasswordAuthentication no",
"KbdInteractiveAuthentication no",
"AuthorizedKeysFile /root/.ssh/authorized_keys",
// Quiet-login: short-lived sandboxes don't need the Debian
// MOTD or the "Last login" line. .hushlogin in /root covers
// pam_motd; these two cover sshd's own paths.
"PrintMotd no",
"PrintLastLog no",
}
for _, line := range mustContain {
if !strings.Contains(cfg, line) {

15
internal/daemon/vm_disk.go
View file

@ -50,6 +50,11 @@ func (s *VMService) patchRootOverlay(ctx context.Context, vm model.VMRecord, ima
builder.WriteFile(guestnet.ConfigPath, guestnet.ConfigFile(vm.Runtime.GuestIP, s.config.BridgeIP, s.config.DefaultDNS))
builder.WriteFile(guestnet.GuestScriptPath, []byte(guestnet.BootstrapScript()))
builder.WriteFile("/etc/ssh/sshd_config.d/99-banger.conf", sshdConfig)
// pam_motd reads /etc/motd + /etc/update-motd.d on Debian-family
// guests independent of sshd's PrintMotd. .hushlogin in $HOME tells
// pam_motd to stay quiet for that user — root is the only login on
// banger VMs, so a single file suffices.
builder.WriteFile("/root/.hushlogin", []byte{})
builder.DropMountTarget("/home")
builder.DropMountTarget("/var")
builder.AddMount(guestconfig.MountSpec{
@ -159,6 +164,14 @@ func (s *VMService) ensureWorkDisk(ctx context.Context, vm *model.VMRecord, imag
// Pins the lookup path so the banger-written file always wins,
// regardless of distro default ($HOME/.ssh/authorized_keys) and
// regardless of any per-image weirdness.
//
// - PrintMotd no / PrintLastLog no
// Banger VMs are short-lived sandboxes. The Debian-style MOTD
// ("Linux ... GNU/Linux comes with ABSOLUTELY NO WARRANTY …") and
// the "Last login" line are pure noise for `vm run -- echo hi`
// style invocations. Pair this with the .hushlogin written below
// so pam_motd also stays silent on distros that read /etc/motd
// through PAM rather than sshd.
func sshdGuestConfig() string {
return strings.Join([]string{
"PermitRootLogin prohibit-password",
@ -166,6 +179,8 @@ func sshdGuestConfig() string {
"PasswordAuthentication no",
"KbdInteractiveAuthentication no",
"AuthorizedKeysFile /root/.ssh/authorized_keys",
"PrintMotd no",
"PrintLastLog no",
"",
}, "\n")
}