Fix knot SSH: allow privsep escalation and bump MaxAuthTries

sshd privilege separation requires allowPrivilegeEscalation (the
privsep child needs to set up seccomp/rlimit sandboxing). Added
SYS_CHROOT capability for privsep chroot. Bumped MaxAuthTries
from 1 to 3 so SSH agents with multiple keys don't get rejected.

+4 -2
+1 -1
k8s/knot/configmap.yaml
··· 20 20 namespace: knot 21 21 data: 22 22 hardening.conf: | 23 - MaxAuthTries 1 23 + MaxAuthTries 3 24 24 LoginGraceTime 10 25 25 MaxStartups 3:50:10 26 26 PermitRootLogin no
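Review bot: `MaxAuthTries 3` only covers an agent holding at most three keys, since sshd counts every public key the agent offers as an attempt; a comment beside the new `MaxAuthTries 3` line stating that limit would keep the next reader from raising it again blindly. The widened window is still bounded by the unchanged `LoginGraceTime 10`, `MaxStartups 3:50:10` and `PermitRootLogin no` lines in this hunk, so the change is acceptable as long as the value stays documented.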
+3 -1
k8s/knot/deployment.yaml
··· 48 48 port: 5555 49 49 initialDelaySeconds: 5 50 50 periodSeconds: 10 51 + # knot runs sshd via s6 — needs privilege escalation for privsep 52 + # and SETUID/SETGID for s6-applyuidgid to drop to git user 51 53 securityContext: 52 - allowPrivilegeEscalation: false 53 54 capabilities: 54 55 drop: 55 56 - ALL ··· 57 58 - NET_BIND_SERVICE 58 59 - SETUID 59 60 - SETGID 61 + - SYS_CHROOT 60 62 resources: 61 63 requests: 62 64 cpu: 100m
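Review bot: the hunk deletes `allowPrivilegeEscalation: false` without adding a replacement, so the field now falls back to the cluster default instead of stating the intent the new comment lines describe; write `allowPrivilegeEscalation: true` explicitly so a reviewer or an admission policy sees the decision rather than an omission. The capability list after the change (`NET_BIND_SERVICE`, `SETUID`, `SETGID`, `SYS_CHROOT` on top of `drop: - ALL`) matches the commit message and is the minimal set for what the comment says s6 and the privsep chroot need; keep `drop: - ALL` in place when further capabilities are ever added.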