Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
0f7c882c
Commit
0f7c882c
authored
Mar 18, 2017
by
Franco Fichtner
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
openssh: work for #1480
parent
95eebf1c
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
193 additions
and
124 deletions
+193
-124
plist
plist
+2
-1
openssh.inc
src/etc/inc/plugins.inc.d/openssh.inc
+169
-0
services.inc
src/etc/inc/services.inc
+1
-9
rc.bootup
src/etc/rc.bootup
+0
-4
rc.reload_all
src/etc/rc.reload_all
+0
-2
rc.sshd
src/etc/rc.sshd
+3
-107
actions_openssh.conf
src/opnsense/service/conf/actions.d/actions_openssh.conf
+17
-0
system_advanced_admin.php
src/www/system_advanced_admin.php
+1
-1
No files found.
plist
View file @
0f7c882c
...
...
@@ -42,6 +42,7 @@
/usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php
/usr/local/etc/inc/plugins.inc.d/netflow.inc
/usr/local/etc/inc/plugins.inc.d/ntpd.inc
/usr/local/etc/inc/plugins.inc.d/openssh.inc
/usr/local/etc/inc/plugins.inc.d/openvpn.inc
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php
/usr/local/etc/inc/plugins.inc.d/openvpn/tls-verify.php
...
...
@@ -628,10 +629,10 @@
/usr/local/opnsense/service/conf/actions.d/actions_ipsec.conf
/usr/local/opnsense/service/conf/actions.d/actions_ipsecdns.conf
/usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
/usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
/usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
/usr/local/opnsense/service/conf/actions.d/actions_proxy.conf
/usr/local/opnsense/service/conf/actions.d/actions_routedns.conf
/usr/local/opnsense/service/conf/actions.d/actions_sshd.conf
/usr/local/opnsense/service/conf/actions.d/actions_system.conf
/usr/local/opnsense/service/conf/actions.d/actions_systemhealth.conf
/usr/local/opnsense/service/conf/actions.d/actions_template.conf
...
...
src/etc/inc/plugins.inc.d/openssh.inc
0 → 100755
View file @
0f7c882c
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2004 Scott K Ullrich
* Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
* Copyright (C) 2015-2017 Franco Fichtner <franco@opnsense.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
function
openssh_configure
()
{
return
array
(
'bootup'
=>
array
(
'openssh_configure_do'
),
'local'
=>
array
(
'openssh_configure_do'
),
);
}
function
openssh_services
()
{
global
$config
;
$services
=
array
();
if
(
isset
(
$config
[
'system'
][
'ssh'
][
'enabled'
]))
{
$pconfig
=
array
();
$pconfig
[
'name'
]
=
'openssh'
;
$pconfig
[
'description'
]
=
gettext
(
'Secure Shell Daemon'
);
$pconfig
[
'configd'
][
'restart'
]
=
array
(
'openssh restart'
);
$pconfig
[
'configd'
][
'start'
]
=
array
(
'openssh start'
);
$pconfig
[
'configd'
][
'stop'
]
=
array
(
'openssh stop'
);
$services
[]
=
$pconfig
;
}
return
$services
;
}
function
openssh_configure_do
(
$verbose
=
false
)
{
global
$config
;
/* if run from a shell session, `-af' and the full path is needed */
mwexecf
(
'/bin/pkill -af %s'
,
'/usr/local/sbin/sshd'
,
true
);
$sshcfg
=
null
;
if
(
isset
(
$config
[
'system'
][
'ssh'
]))
{
if
(
isset
(
$config
[
'system'
][
'ssh'
][
'enabled'
]))
{
$sshcfg
=
$config
[
'system'
][
'ssh'
];
}
}
elseif
(
is_install_media
())
{
/* only revert to installer config when ssh is not set at all */
$sshcfg
=
array
(
'permitrootlogin'
=>
1
,
'passwordauth'
=>
1
);
}
if
(
$sshcfg
===
null
)
{
return
;
}
/* make sshd key store */
@
mkdir
(
'/conf/sshd'
,
0777
,
true
);
/* make ssh home directory */
@
mkdir
(
'/var/empty'
,
0555
,
true
);
/* Login related files. */
touch
(
'/var/log/lastlog'
);
$keys
=
array
(
/* .pub files are implied */
'rsa'
=>
'ssh_host_rsa_key'
,
'ecdsa'
=>
'ssh_host_ecdsa_key'
,
'ed25519'
=>
'ssh_host_ed25519_key'
,
);
$keys_dep
=
array
(
/* .pub files are implied */
'dsa'
=>
'ssh_host_dsa_key'
,
);
$keys_all
=
array_merge
(
$keys
,
$keys_dep
);
/* Check for all needed key files. If any are missing, the keys need to be regenerated. */
$generate_keys
=
false
;
foreach
(
$keys
as
$name
)
{
$file
=
"/conf/sshd/
{
$name
}
"
;
if
(
!
file_exists
(
$file
)
||
!
file_exists
(
"
{
$file
}
.pub"
))
{
$generate_keys
=
true
;
break
;
}
}
if
(
$generate_keys
)
{
if
(
is_subsystem_dirty
(
'sshdkeys'
))
{
return
;
}
log_error
(
'Started creating your SSH keys. SSH startup is being delayed a wee bit.'
);
mark_subsystem_dirty
(
'sshdkeys'
);
foreach
(
$keys
as
$type
=>
$name
)
{
$file
=
"/conf/sshd/
{
$name
}
"
;
@
unlink
(
"
{
$file
}
.pub"
);
@
unlink
(
$file
);
mwexecf
(
'/usr/local/bin/ssh-keygen -t %s -N "" -f %s'
,
array
(
$type
,
$file
));
}
clear_subsystem_dirty
(
'sshdkeys'
);
log_error
(
'Completed creating your SSH keys. SSH will now be started.'
);
}
$sshport
=
isset
(
$sshcfg
[
'port'
])
?
$sshcfg
[
'port'
]
:
22
;
$sshconf
=
"# This file was automatically generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc
\n
"
;
$sshconf
.=
"Port
{
$sshport
}
\n
"
;
$sshconf
.=
"Protocol 2
\n
"
;
$sshconf
.=
"Compression yes
\n
"
;
$sshconf
.=
"ClientAliveInterval 30
\n
"
;
$sshconf
.=
"UseDNS no
\n
"
;
$sshconf
.=
"X11Forwarding no
\n
"
;
$sshconf
.=
"PubkeyAuthentication yes
\n
"
;
$sshconf
.=
"Subsystem
\t
sftp
\t
internal-sftp
\n
"
;
if
(
isset
(
$sshcfg
[
'permitrootlogin'
]))
{
$sshconf
.=
"PermitRootLogin yes
\n
"
;
}
if
(
isset
(
$sshcfg
[
'passwordauth'
]))
{
$sshconf
.=
"ChallengeResponseAuthentication yes
\n
"
;
$sshconf
.=
"PasswordAuthentication yes
\n
"
;
}
else
{
$sshconf
.=
"ChallengeResponseAuthentication no
\n
"
;
$sshconf
.=
"PasswordAuthentication no
\n
"
;
}
foreach
(
$keys_all
as
$name
)
{
$file
=
"/conf/sshd/
{
$name
}
"
;
if
(
!
file_exists
(
$file
))
{
continue
;
}
$sshconf
.=
"HostKey
{
$file
}
\n
"
;
}
/* Write the new sshd config file */
file_put_contents
(
"/usr/local/etc/ssh/sshd_config"
,
$sshconf
);
/* Launch new server process */
echo
"Reloading sshd..."
;
if
(
mwexecf
(
'/usr/bin/protect -i /usr/local/sbin/sshd'
))
{
echo
"failed.
\n
"
;
}
else
{
echo
"done.
\n
"
;
}
}
src/etc/inc/services.inc
View file @
0f7c882c
...
...
@@ -48,6 +48,7 @@ require_once('plugins.inc.d/dyndns.inc');
require_once
(
'plugins.inc.d/ipsec.inc'
);
require_once
(
'plugins.inc.d/openvpn.inc'
);
require_once
(
'plugins.inc.d/rfc2136.inc'
);
require_once
(
'plugins.inc.d/openssh.inc'
);
require_once
(
'plugins.inc.d/unbound.inc'
);
function
generate_ipv6_from_mac
(
$mac
)
...
...
@@ -1667,15 +1668,6 @@ function services_get()
$services
[]
=
$pconfig
;
}
if
(
isset
(
$config
[
'system'
][
'ssh'
][
'enabled'
]))
{
$pconfig
=
array
();
$pconfig
[
'name'
]
=
'sshd'
;
$pconfig
[
'description'
]
=
gettext
(
'Secure Shell Daemon'
);
$pconfig
[
'configd'
][
'restart'
]
=
array
(
'sshd restart'
);
$pconfig
[
'configd'
][
'start'
]
=
array
(
'sshd restart'
);
$services
[]
=
$pconfig
;
}
if
(
isset
(
$config
[
'OPNsense'
][
'captiveportal'
][
'zones'
][
'zone'
]))
{
$enabled
=
false
;
if
(
!
empty
(
$config
[
'OPNsense'
][
'captiveportal'
][
'zones'
][
'zone'
][
'enabled'
]))
{
...
...
src/etc/rc.bootup
View file @
0f7c882c
...
...
@@ -110,8 +110,6 @@ services_dhcrelay6_configure(true);
prefer_ipv4_or_ipv6
();
filter_configure_sync
(
true
);
mwexec
(
"/usr/local/etc/rc.sshd"
);
/* XXX convert to plugin */
plugins_configure
(
'bootup'
,
true
);
/* start IPsec tunnels */
...
...
@@ -161,8 +159,6 @@ if (is_install_media()) {
$root
[
'name'
]
=
'installer'
;
local_user_set
(
$root
,
true
);
mwexec
(
"/usr/local/etc/rc.sshd installer"
);
echo
"
\n
"
;
echo
"Welcome! Both `root' and `installer' users are availabe for system
\n
"
;
echo
"setup or invoking the installer, respectively. The predefined root
\n
"
;
...
...
src/etc/rc.reload_all
View file @
0f7c882c
...
...
@@ -62,8 +62,6 @@ services_dhcpd_configure('all', array(), true);
interfaces_configure
(
true
);
system_cron_configure
(
true
);
mwexec_bg
(
'/usr/local/etc/rc.sshd'
);
log_error
(
"rc.reload_all: Reloading all plugin settings."
);
plugins_configure
(
'local'
,
true
);
...
...
src/etc/rc.sshd
View file @
0f7c882c
...
...
@@ -30,111 +30,7 @@
*/
require_once
(
'config.inc'
);
require_once
(
"util.inc"
);
require_once
(
'util.inc'
);
require_once
(
'plugins.inc.d/openssh.inc'
);
/* if run from a shell session, `-af' and the full path is needed */
mwexecf
(
'/bin/pkill -af %s'
,
'/usr/local/sbin/sshd'
,
true
);
$sshcfg
=
null
;
if
(
isset
(
$config
[
'system'
][
'ssh'
]))
{
if
(
isset
(
$config
[
'system'
][
'ssh'
][
'enabled'
]))
{
$sshcfg
=
$config
[
'system'
][
'ssh'
];
}
}
elseif
(
count
(
$argv
)
>
1
&&
$argv
[
1
]
==
'installer'
)
{
/* only revert to installer config when ssh is not set at all */
$sshcfg
=
array
(
'permitrootlogin'
=>
1
,
'passwordauth'
=>
1
);
}
if
(
$sshcfg
===
null
)
{
return
;
}
/* make sshd key store */
@
mkdir
(
'/conf/sshd'
,
0777
,
true
);
/* make ssh home directory */
@
mkdir
(
'/var/empty'
,
0555
,
true
);
/* Login related files. */
touch
(
'/var/log/lastlog'
);
$keys
=
array
(
/* .pub files are implied */
'rsa'
=>
'ssh_host_rsa_key'
,
'ecdsa'
=>
'ssh_host_ecdsa_key'
,
'ed25519'
=>
'ssh_host_ed25519_key'
,
);
$keys_dep
=
array
(
/* .pub files are implied */
'dsa'
=>
'ssh_host_dsa_key'
,
);
$keys_all
=
array_merge
(
$keys
,
$keys_dep
);
/* Check for all needed key files. If any are missing, the keys need to be regenerated. */
$generate_keys
=
false
;
foreach
(
$keys
as
$name
)
{
$file
=
"/conf/sshd/
{
$name
}
"
;
if
(
!
file_exists
(
$file
)
||
!
file_exists
(
"
{
$file
}
.pub"
))
{
$generate_keys
=
true
;
break
;
}
}
if
(
$generate_keys
)
{
if
(
is_subsystem_dirty
(
'sshdkeys'
))
{
return
;
}
log_error
(
'Started creating your SSH keys. SSH startup is being delayed a wee bit.'
);
mark_subsystem_dirty
(
'sshdkeys'
);
foreach
(
$keys
as
$type
=>
$name
)
{
$file
=
"/conf/sshd/
{
$name
}
"
;
@
unlink
(
"
{
$file
}
.pub"
);
@
unlink
(
$file
);
mwexecf
(
'/usr/local/bin/ssh-keygen -t %s -N "" -f %s'
,
array
(
$type
,
$file
));
}
clear_subsystem_dirty
(
'sshdkeys'
);
log_error
(
'Completed creating your SSH keys. SSH will now be started.'
);
}
$sshport
=
isset
(
$sshcfg
[
'port'
])
?
$sshcfg
[
'port'
]
:
22
;
$sshconf
=
"# This file was automatically generated by /usr/local/etc/rc.sshd
\n
"
;
$sshconf
.=
"Port
{
$sshport
}
\n
"
;
$sshconf
.=
"Protocol 2
\n
"
;
$sshconf
.=
"Compression yes
\n
"
;
$sshconf
.=
"ClientAliveInterval 30
\n
"
;
$sshconf
.=
"UseDNS no
\n
"
;
$sshconf
.=
"X11Forwarding no
\n
"
;
$sshconf
.=
"PubkeyAuthentication yes
\n
"
;
$sshconf
.=
"Subsystem
\t
sftp
\t
internal-sftp
\n
"
;
if
(
isset
(
$sshcfg
[
'permitrootlogin'
]))
{
$sshconf
.=
"PermitRootLogin yes
\n
"
;
}
if
(
isset
(
$sshcfg
[
'passwordauth'
]))
{
$sshconf
.=
"ChallengeResponseAuthentication yes
\n
"
;
$sshconf
.=
"PasswordAuthentication yes
\n
"
;
}
else
{
$sshconf
.=
"ChallengeResponseAuthentication no
\n
"
;
$sshconf
.=
"PasswordAuthentication no
\n
"
;
}
foreach
(
$keys_all
as
$name
)
{
$file
=
"/conf/sshd/
{
$name
}
"
;
if
(
!
file_exists
(
$file
))
{
continue
;
}
$sshconf
.=
"HostKey
{
$file
}
\n
"
;
}
/* Write the new sshd config file */
file_put_contents
(
"/usr/local/etc/ssh/sshd_config"
,
$sshconf
);
/* Launch new server process */
echo
"Reloading sshd..."
;
if
(
mwexecf
(
'/usr/bin/protect -i /usr/local/sbin/sshd'
))
{
echo
"failed.
\n
"
;
}
else
{
echo
"done.
\n
"
;
}
openssh_configure_do
();
src/opnsense/service/conf/actions.d/actions_
sshd
.conf
→
src/opnsense/service/conf/actions.d/actions_
openssh
.conf
View file @
0f7c882c
[
start
]
command
:/
usr
/
local
/
etc
/
rc
.
sshd
parameters
:
type
:
script
message
:
starting
openssh
[
restart
]
command
:/
usr
/
local
/
etc
/
rc
.
sshd
parameters
:
type
:
script
message
:
starting
sshd
message
:
restarting
openssh
[
stop
]
command
:/
bin
/
pkill
-
TERM
sshd
||
exit
0
command
:/
bin
/
pkill
-
af
/
usr
/
local
/
sbin
/
sshd
||
exit
0
parameters
:
type
:
script
message
:
stop
sshd
message
:
stop
ping
openssh
src/www/system_advanced_admin.php
View file @
0f7c882c
...
...
@@ -268,7 +268,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
services_dhcpd_configure
();
if
(
$restart_sshd
)
{
configd_run
(
'
sshd
restart'
,
true
);
configd_run
(
'
openssh
restart'
,
true
);
}
if
(
$restart_webgui
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment