From 729fa26eca292d60bcbeaba05d8878ff6112876e Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 12 Dec 2019 09:00:08 -0500
Subject: [PATCH] use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
---
 debian/security-misc.preinst | 48 +------------------
 etc/security/access-security-misc.conf | 3 --
 usr/lib/security-misc/pam_only_if_login | 21 ++++++++
 .../console-lockdown-security-misc | 3 +-
 4 files changed, 25 insertions(+), 50 deletions(-)
 create mode 100755 usr/lib/security-misc/pam_only_if_login
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst
index 2c0c579..5033d84 100644
--- a/debian/security-misc.preinst
+++ b/debian/security-misc.preinst
@@ -27,8 +27,8 @@ user_groups_modifications() {
 ## Useful to create groups in preinst rather than postinst.
 ## Otherwise if a user saw an error message such as this:
 ##
- ## /var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted.
- ## /var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run:
+ ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted.
+ ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: You probably want to run:
 ## sudo adduser user console
 ##
 ## Then the user could not run 'sudo adduser user console' but also would
@@ -39,7 +39,6 @@ user_groups_modifications() {
 ## /etc/security/access-security-misc.conf
 addgroup --system console
 addgroup --system console-unrestricted
- addgroup --system ssh
 ## This has no effect since by default this package also ships and an
 ## /etc/securetty configuration file that contains nothing but comments, i.e.
 ## an "empty" /etc/securetty.
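Review bot: The two rewritten comment lines in the hunk at line 27 now read `/var/lib/ dpkg/tmp.ci/preinst`, a path with an embedded space that no longer matches the message dpkg prints, so a reader will take it for a typo. If the space is deliberate (presumably to keep the literal path out of this file), say so on the line above, e.g. `## (space in the path below is intentional so the literal path is not matched)`; otherwise restore `/var/lib/dpkg/tmp.ci/preinst`. The enclosing user_groups_modifications function starts and ends outside the hunk.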
@@ -132,54 +131,11 @@ console_users_check() {
 fi
 }
-ssh_users_check() {
- if ! deb-systemd-helper --quiet was-enabled 'ssh.service'; then
- return 0
- fi
-
- ssh_users="$(getent group ssh | cut -d: -f4)"
- ## example ssh_users:
- ## user
-
- OLD_IFS="$IFS"
- IFS=","
- export IFS
-
- for user_with_ssh in $ssh_users ; do
- if [ "$user_with_ssh" = "root" ]; then
- ## root login is also restricted.
- ## Therefore user "root" being member of group "ssh" is
- ## considered insufficient.
- continue
- fi
- are_there_any_ssh_users=yes
- break
- done
-
- IFS="$OLD_IFS"
- export IFS
-
- ## Prevent users from locking themselves out.
- ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
- if [ ! "$are_there_any_ssh_users" = "yes" ]; then
- echo "$0: ERROR: ssh.service is enabled but no user is a member of group 'ssh'." >&2
- echo "$0: ERROR: Installation aborted since this would likely break SSH login." >&2
- echo "$0: ERROR: You probably want to run:" >&2
- echo "" >&2
- echo "sudo adduser user ssh" >&2
- echo "" >&2
- echo "$0: ERROR: See also installation instructions:" >&2
- echo "https://www.whonix.org/wiki/security-misc#install" >&2
- exit 201
- fi
-}
-
 user_groups_modifications
 if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
 sudo_users_check
 console_users_check
- ssh_users_check
 fi
 true "INFO: debhelper beginning here."
diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf
index 44c21c1..a081d33 100644
--- a/etc/security/access-security-misc.conf
+++ b/etc/security/access-security-misc.conf
@@ -20,9 +20,6 @@
 ## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
 +:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
-## Allow members of group 'ssh' to login.
-+:ssh:ALL EXCEPT LOCAL
-
 ## Everyone else except members of group 'console-unrestricted'
 ## are restricted from everything else.
 -:ALL EXCEPT console-unrestricted :ALL
diff --git a/usr/lib/security-misc/pam_only_if_login b/usr/lib/security-misc/pam_only_if_login
new file mode 100755
index 0000000..51b6d80
--- /dev/null
+++ b/usr/lib/security-misc/pam_only_if_login
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+if [ "$PAM_SERVICE" = "login" ]; then
+ ## FIXME:
+ ## Creates unwanted journal log entry.
+ ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1
+ exit 1
+else
+ ## exit success so [success=1 default=ignore] will result in skipping the
+ ## next pam module.
+ exit 0
+fi
diff --git a/usr/share/pam-configs/console-lockdown-security-misc b/usr/share/pam-configs/console-lockdown-security-misc
index e6e4fae..61fec78 100644
--- a/usr/share/pam-configs/console-lockdown-security-misc
+++ b/usr/share/pam-configs/console-lockdown-security-misc
@@ -1,6 +1,7 @@
-Name: allow only members of group console / ssh to login/incoming ssh (by package security-misc)
+Name: allow only members of group console to use login (by package security-misc)
 Default: no
 Priority: 280
 Account-Type: Primary
 Account:
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login
 required pam_access.so accessfile=/etc/security/access-security-misc.conf debug
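Review bot: `set -x` in the new pam_only_if_login helper traces every command to stderr, and since the pam-configs line passes no `log=` option to pam_exec.so those descriptors are presumably inherited from the calling service, so a terminal login would likely show lines such as `+ true PAM_SERVICE: login` on the console; drop `set -x` and the `true "PAM_SERVICE: $PAM_SERVICE"` line before shipping, or guard them behind an explicit debug variable. The FIXME about the `pam_exec(login:account): … failed: exit code 1` journal entry may already be answered by the `quiet` argument the pam-configs profile passes to pam_exec.so, which per pam_exec(8) suppresses that failure message; confirm on a test system and either remove the FIXME or note why `quiet` is not sufficient. The header should also state the exit-code contract the profile relies on: exit 1 for service "login" so `[success=1 default=ignore]` falls through to pam_access.so, exit 0 for every other service so pam_access.so is skipped, and — as far as I read that control — if the helper cannot run at all, `default=ignore` applies and pam_access.so is enforced for every service (fail-closed rather than fail-open), which is worth recording in a comment.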
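Review bot: The skip count in the added `[success=1 default=ignore] pam_exec.so …` line is tied to pam_access.so being the very next line of this Account block; if another module is ever inserted between them, success for non-login services would skip the wrong module and pam_access.so would again apply to every service, silently undoing what this commit sets out to do. If the profile format gives no room for a comment here, record the coupling in the helper's header, e.g. `## The pam-configs profile lists this helper immediately before pam_access.so; the skip count of 1 in [success=1 default=ignore] refers to that line.`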