aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/users
diff options
context:
space:
mode:
Diffstat (limited to 'straper/db/public/users')
-rw-r--r--straper/db/public/users/groups-sanitized.txt80
-rw-r--r--straper/db/public/users/login-users.txt3
-rw-r--r--straper/db/public/users/login.defs192
-rw-r--r--straper/db/public/users/passwd-sanitized.txt50
-rw-r--r--straper/db/public/users/shells11
-rw-r--r--straper/db/public/users/sshd_config133
6 files changed, 469 insertions, 0 deletions
diff --git a/straper/db/public/users/groups-sanitized.txt b/straper/db/public/users/groups-sanitized.txt
new file mode 100644
index 0000000..55c01eb
--- /dev/null
+++ b/straper/db/public/users/groups-sanitized.txt
@@ -0,0 +1,80 @@
+root:0
+daemon:1
+bin:2
+sys:3
+adm:4
+tty:5
+disk:6
+lp:7
+mail:8
+news:9
+uucp:10
+man:12
+proxy:13
+kmem:15
+dialout:20
+fax:21
+voice:22
+cdrom:24
+floppy:25
+tape:26
+sudo:27
+audio:29
+dip:30
+www-data:33
+backup:34
+operator:37
+list:38
+irc:39
+src:40
+shadow:42
+utmp:43
+video:44
+sasl:45
+plugdev:46
+staff:50
+games:60
+users:100
+nogroup:65534
+systemd-journal:999
+systemd-network:998
+crontab:997
+input:996
+sgx:995
+clock:994
+kvm:993
+render:992
+netdev:101
+messagebus:991
+systemd-timesync:990
+_ssh:102
+bluetooth:103
+lukasz:1000
+systemd-resolve:988
+polkitd:986
+borg:1001
+borgbrowse:1002
+docker:989
+tcpdump:104
+mysql:105
+plocate:106
+ssl-cert:107
+prosody:108
+uuidd:109
+prometheus:111
+grafana:112
+msmtp:110
+postfix:113
+postdrop:114
+vlock:115
+tss:116
+fwupd-refresh:985
+lufi:987
+ice:117
+mumble-server:118
+avahi:119
+unbound:120
+alloy:984
+debian-tor:121
+i2pd:122
+gopher:123
diff --git a/straper/db/public/users/login-users.txt b/straper/db/public/users/login-users.txt
new file mode 100644
index 0000000..3636d59
--- /dev/null
+++ b/straper/db/public/users/login-users.txt
@@ -0,0 +1,3 @@
+root home=/root shell=/bin/bash
+lukasz home=/home/lukasz shell=/usr/bin/zsh
+borg home=/home/borg shell=/bin/bash
diff --git a/straper/db/public/users/login.defs b/straper/db/public/users/login.defs
new file mode 100644
index 0000000..91d3ec4
--- /dev/null
+++ b/straper/db/public/users/login.defs
@@ -0,0 +1,192 @@
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+
+# REQUIRED for useradd/userdel/usermod
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
+# MAIL_DIR takes precedence.
+#
+# Essentially:
+# - MAIL_DIR defines the location of users mail spool files
+# (for mbox use) by appending the username to MAIL_DIR as defined
+# below.
+# - MAIL_FILE defines the location of the users mail spool files as the
+# fully-qualified filename obtained by prepending the user home
+# directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+# which is, starting from shadow 4.0.12-1 in Debian, entirely the
+# job of the pam_mail PAM modules
+# See default PAM configuration files provided for
+# login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS no
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format similar to "vt100 tty01".
+#
+#TTYTYPE_FILE /etc/ttytype
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+#
+# *REQUIRED* The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions for terminals after login(1).
+# These settings are ignored for remote and other logins.
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+#TTYGROUP tty
+TTYPERM 0600
+
+#
+# Login configuration initializations:
+#
+# ERASECHAR Terminal ERASE character ('\010' = backspace).
+# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+ERASECHAR 0177
+KILLCHAR 025
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+HOME_MODE 0700
+
+#
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 99999
+PASS_MIN_DAYS 0
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+#SYS_UID_MIN 101
+#SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+#SYS_GID_MIN 101
+#SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+# This will most likely be overriden by PAM, since the default pam_unix module
+# has it's own built in of 3 retries. However, this is a safe fallback in case
+# you are using an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES 5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT 60
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME yes
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist. Some system accounts intentionally do
+# not have a home directory. Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT /nonexistent
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If set to yes, userdel(8) will remove the user's group if it contains no more
+# members, and useradd(8) will create by default a group with the name of the
+# user.
+#
+# Other former uses of this variable are not used in PAM environments, such as
+# Debian.
+#
+USERGROUPS_ENAB yes
diff --git a/straper/db/public/users/passwd-sanitized.txt b/straper/db/public/users/passwd-sanitized.txt
new file mode 100644
index 0000000..79fc10b
--- /dev/null
+++ b/straper/db/public/users/passwd-sanitized.txt
@@ -0,0 +1,50 @@
+root:0:0:root:/root:/bin/bash
+daemon:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:2:2:bin:/bin:/usr/sbin/nologin
+sys:3:3:sys:/dev:/usr/sbin/nologin
+sync:4:65534:sync:/bin:/bin/sync
+games:5:60:games:/usr/games:/usr/sbin/nologin
+man:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:8:8:mail:/var/mail:/usr/sbin/nologin
+news:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:34:34:backup:/var/backups:/usr/sbin/nologin
+list:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:998:998:systemd Network Management:/:/usr/sbin/nologin
+dhcpcd:100:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false
+messagebus:991:991:System Message Bus:/nonexistent:/usr/sbin/nologin
+systemd-timesync:990:990:systemd Time Synchronization:/:/usr/sbin/nologin
+sshd:989:65534:sshd user:/run/sshd:/usr/sbin/nologin
+lukasz:1000:1000:lukasz,,,:/home/lukasz:/usr/bin/zsh
+systemd-resolve:988:988:systemd Resolver:/:/usr/sbin/nologin
+dnsmasq:987:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin
+polkitd:986:986:User for polkitd:/:/usr/sbin/nologin
+borg:1001:1001::/home/borg:/bin/bash
+tcpdump:101:104::/nonexistent:/usr/sbin/nologin
+mysql:102:105:MariaDB Server:/nonexistent:/bin/false
+prosody:103:108:Prosody XMPP Server:/var/lib/prosody:/usr/sbin/nologin
+uuidd:104:109::/run/uuidd:/usr/sbin/nologin
+usbmux:105:46:usbmux daemon:/var/lib/usbmux:/usr/sbin/nologin
+prometheus:107:111:Prometheus daemon:/var/lib/prometheus:/usr/sbin/nologin
+grafana:108:112::/usr/share/grafana:/bin/false
+msmtp:106:110::/var/lib/msmtp:/usr/sbin/nologin
+postfix:109:113:Postfix MTA:/var/spool/postfix:/usr/sbin/nologin
+tss:110:116:TPM software stack:/var/lib/tpm:/bin/false
+fwupd-refresh:985:985:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
+lufi:999:987::/srv/lufi:/usr/sbin/nologin
+ice:111:117:Ice Service account:/var/lib/ice:/usr/sbin/nologin
+mumble-server:112:118::/var/lib/mumble-server:/usr/sbin/nologin
+avahi:113:119:Avahi mDNS daemon:/run/avahi-daemon:/usr/sbin/nologin
+unbound:114:120::/var/lib/unbound:/usr/sbin/nologin
+loki:115:65534::/nonexistent:/bin/false
+promtail:116:65534::/nonexistent:/bin/false
+alloy:997:984:alloy user:/var/lib/alloy:/sbin/nologin
+debian-tor:117:121::/var/lib/tor:/bin/false
+i2pd:118:122::/var/lib/i2pd:/usr/sbin/nologin
+gopher:119:123::/var/gopher:/usr/sbin/nologin
diff --git a/straper/db/public/users/shells b/straper/db/public/users/shells
new file mode 100644
index 0000000..ee9995a
--- /dev/null
+++ b/straper/db/public/users/shells
@@ -0,0 +1,11 @@
+# /etc/shells: valid login shells
+/bin/sh
+/usr/bin/sh
+/bin/bash
+/usr/bin/bash
+/bin/rbash
+/usr/bin/rbash
+/usr/bin/dash
+/usr/bin/tmux
+/bin/zsh
+/usr/bin/zsh
diff --git a/straper/db/public/users/sshd_config b/straper/db/public/users/sshd_config
new file mode 100644
index 0000000..e7bec65
--- /dev/null
+++ b/straper/db/public/users/sshd_config
@@ -0,0 +1,133 @@
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to "no" here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to "yes" to enable keyboard-interactive authentication. Depending on
+# the system's configuration, this may involve passwords, challenge-response,
+# one-time passwords or some combination of these and other methods.
+# Beware issues with some PAM modules and threads.
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale and color environment variables
+AcceptEnv LANG LC_* COLORTERM NO_COLOR
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+# === custom hardening ===
+Port 57385
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+MaxAuthTries 3
+LoginGraceTime 30
+AllowUsers lukasz borg
+