Commit 0f7c882c authored by Franco Fichtner's avatar Franco Fichtner

openssh: work for #1480

parent 95eebf1c
...@@ -42,6 +42,7 @@ ...@@ -42,6 +42,7 @@
/usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php /usr/local/etc/inc/plugins.inc.d/ipsec/auth-user.php
/usr/local/etc/inc/plugins.inc.d/netflow.inc /usr/local/etc/inc/plugins.inc.d/netflow.inc
/usr/local/etc/inc/plugins.inc.d/ntpd.inc /usr/local/etc/inc/plugins.inc.d/ntpd.inc
/usr/local/etc/inc/plugins.inc.d/openssh.inc
/usr/local/etc/inc/plugins.inc.d/openvpn.inc /usr/local/etc/inc/plugins.inc.d/openvpn.inc
/usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php /usr/local/etc/inc/plugins.inc.d/openvpn/auth-user.php
/usr/local/etc/inc/plugins.inc.d/openvpn/tls-verify.php /usr/local/etc/inc/plugins.inc.d/openvpn/tls-verify.php
...@@ -628,10 +629,10 @@ ...@@ -628,10 +629,10 @@
/usr/local/opnsense/service/conf/actions.d/actions_ipsec.conf /usr/local/opnsense/service/conf/actions.d/actions_ipsec.conf
/usr/local/opnsense/service/conf/actions.d/actions_ipsecdns.conf /usr/local/opnsense/service/conf/actions.d/actions_ipsecdns.conf
/usr/local/opnsense/service/conf/actions.d/actions_netflow.conf /usr/local/opnsense/service/conf/actions.d/actions_netflow.conf
/usr/local/opnsense/service/conf/actions.d/actions_openssh.conf
/usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf /usr/local/opnsense/service/conf/actions.d/actions_openvpn.conf
/usr/local/opnsense/service/conf/actions.d/actions_proxy.conf /usr/local/opnsense/service/conf/actions.d/actions_proxy.conf
/usr/local/opnsense/service/conf/actions.d/actions_routedns.conf /usr/local/opnsense/service/conf/actions.d/actions_routedns.conf
/usr/local/opnsense/service/conf/actions.d/actions_sshd.conf
/usr/local/opnsense/service/conf/actions.d/actions_system.conf /usr/local/opnsense/service/conf/actions.d/actions_system.conf
/usr/local/opnsense/service/conf/actions.d/actions_systemhealth.conf /usr/local/opnsense/service/conf/actions.d/actions_systemhealth.conf
/usr/local/opnsense/service/conf/actions.d/actions_template.conf /usr/local/opnsense/service/conf/actions.d/actions_template.conf
......
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2004 Scott K Ullrich
* Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
* Copyright (C) 2015-2017 Franco Fichtner <franco@opnsense.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
function openssh_configure()
{
return array(
'bootup' => array('openssh_configure_do'),
'local' => array('openssh_configure_do'),
);
}
function openssh_services()
{
global $config;
$services = array();
if (isset($config['system']['ssh']['enabled'])) {
$pconfig = array();
$pconfig['name'] = 'openssh';
$pconfig['description'] = gettext('Secure Shell Daemon');
$pconfig['configd']['restart'] = array('openssh restart');
$pconfig['configd']['start'] = array('openssh start');
$pconfig['configd']['stop'] = array('openssh stop');
$services[] = $pconfig;
}
return $services;
}
function openssh_configure_do($verbose = false)
{
global $config;
/* if run from a shell session, `-af' and the full path is needed */
mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true);
$sshcfg = null;
if (isset($config['system']['ssh'])) {
if (isset($config['system']['ssh']['enabled'])) {
$sshcfg = $config['system']['ssh'];
}
} elseif (is_install_media()) {
/* only revert to installer config when ssh is not set at all */
$sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1);
}
if ($sshcfg === null) {
return;
}
/* make sshd key store */
@mkdir('/conf/sshd', 0777, true);
/* make ssh home directory */
@mkdir('/var/empty', 0555, true);
/* Login related files. */
touch('/var/log/lastlog');
$keys = array(
/* .pub files are implied */
'rsa' => 'ssh_host_rsa_key',
'ecdsa' => 'ssh_host_ecdsa_key',
'ed25519' => 'ssh_host_ed25519_key',
);
$keys_dep = array(
/* .pub files are implied */
'dsa' => 'ssh_host_dsa_key',
);
$keys_all = array_merge($keys, $keys_dep);
/* Check for all needed key files. If any are missing, the keys need to be regenerated. */
$generate_keys = false;
foreach ($keys as $name) {
$file = "/conf/sshd/{$name}";
if (!file_exists($file) || !file_exists("{$file}.pub")) {
$generate_keys = true;
break;
}
}
if ($generate_keys) {
if (is_subsystem_dirty('sshdkeys')) {
return;
}
log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
mark_subsystem_dirty('sshdkeys');
foreach ($keys as $type => $name) {
$file = "/conf/sshd/{$name}";
@unlink("{$file}.pub");
@unlink($file);
mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file));
}
clear_subsystem_dirty('sshdkeys');
log_error('Completed creating your SSH keys. SSH will now be started.');
}
$sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22;
$sshconf = "# This file was automatically generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc\n";
$sshconf .= "Port {$sshport}\n";
$sshconf .= "Protocol 2\n";
$sshconf .= "Compression yes\n";
$sshconf .= "ClientAliveInterval 30\n";
$sshconf .= "UseDNS no\n";
$sshconf .= "X11Forwarding no\n";
$sshconf .= "PubkeyAuthentication yes\n";
$sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
if (isset($sshcfg['permitrootlogin'])) {
$sshconf .= "PermitRootLogin yes\n";
}
if (isset($sshcfg['passwordauth'])) {
$sshconf .= "ChallengeResponseAuthentication yes\n";
$sshconf .= "PasswordAuthentication yes\n";
} else {
$sshconf .= "ChallengeResponseAuthentication no\n";
$sshconf .= "PasswordAuthentication no\n";
}
foreach ($keys_all as $name) {
$file = "/conf/sshd/{$name}";
if (!file_exists($file)) {
continue;
}
$sshconf .= "HostKey {$file}\n";
}
/* Write the new sshd config file */
file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf);
/* Launch new server process */
echo "Reloading sshd...";
if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
echo "failed.\n";
} else {
echo "done.\n";
}
}
...@@ -48,6 +48,7 @@ require_once('plugins.inc.d/dyndns.inc'); ...@@ -48,6 +48,7 @@ require_once('plugins.inc.d/dyndns.inc');
require_once('plugins.inc.d/ipsec.inc'); require_once('plugins.inc.d/ipsec.inc');
require_once('plugins.inc.d/openvpn.inc'); require_once('plugins.inc.d/openvpn.inc');
require_once('plugins.inc.d/rfc2136.inc'); require_once('plugins.inc.d/rfc2136.inc');
require_once('plugins.inc.d/openssh.inc');
require_once('plugins.inc.d/unbound.inc'); require_once('plugins.inc.d/unbound.inc');
function generate_ipv6_from_mac($mac) function generate_ipv6_from_mac($mac)
...@@ -1667,15 +1668,6 @@ function services_get() ...@@ -1667,15 +1668,6 @@ function services_get()
$services[] = $pconfig; $services[] = $pconfig;
} }
if (isset($config['system']['ssh']['enabled'])) {
$pconfig = array();
$pconfig['name'] = 'sshd';
$pconfig['description'] = gettext('Secure Shell Daemon');
$pconfig['configd']['restart'] = array('sshd restart');
$pconfig['configd']['start'] = array('sshd restart');
$services[] = $pconfig;
}
if (isset($config['OPNsense']['captiveportal']['zones']['zone'])) { if (isset($config['OPNsense']['captiveportal']['zones']['zone'])) {
$enabled = false; $enabled = false;
if (!empty($config['OPNsense']['captiveportal']['zones']['zone']['enabled'])) { if (!empty($config['OPNsense']['captiveportal']['zones']['zone']['enabled'])) {
......
...@@ -110,8 +110,6 @@ services_dhcrelay6_configure(true); ...@@ -110,8 +110,6 @@ services_dhcrelay6_configure(true);
prefer_ipv4_or_ipv6(); prefer_ipv4_or_ipv6();
filter_configure_sync(true); filter_configure_sync(true);
mwexec("/usr/local/etc/rc.sshd"); /* XXX convert to plugin */
plugins_configure('bootup', true); plugins_configure('bootup', true);
/* start IPsec tunnels */ /* start IPsec tunnels */
...@@ -161,8 +159,6 @@ if (is_install_media()) { ...@@ -161,8 +159,6 @@ if (is_install_media()) {
$root['name'] = 'installer'; $root['name'] = 'installer';
local_user_set($root, true); local_user_set($root, true);
mwexec("/usr/local/etc/rc.sshd installer");
echo "\n"; echo "\n";
echo "Welcome! Both `root' and `installer' users are availabe for system\n"; echo "Welcome! Both `root' and `installer' users are availabe for system\n";
echo "setup or invoking the installer, respectively. The predefined root\n"; echo "setup or invoking the installer, respectively. The predefined root\n";
......
...@@ -62,8 +62,6 @@ services_dhcpd_configure('all', array(), true); ...@@ -62,8 +62,6 @@ services_dhcpd_configure('all', array(), true);
interfaces_configure(true); interfaces_configure(true);
system_cron_configure(true); system_cron_configure(true);
mwexec_bg('/usr/local/etc/rc.sshd');
log_error("rc.reload_all: Reloading all plugin settings."); log_error("rc.reload_all: Reloading all plugin settings.");
plugins_configure('local', true); plugins_configure('local', true);
......
...@@ -30,111 +30,7 @@ ...@@ -30,111 +30,7 @@
*/ */
require_once('config.inc'); require_once('config.inc');
require_once("util.inc"); require_once('util.inc');
require_once('plugins.inc.d/openssh.inc');
/* if run from a shell session, `-af' and the full path is needed */ openssh_configure_do();
mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true);
$sshcfg = null;
if (isset($config['system']['ssh'])) {
if (isset($config['system']['ssh']['enabled'])) {
$sshcfg = $config['system']['ssh'];
}
} elseif (count($argv) > 1 && $argv[1] == 'installer') {
/* only revert to installer config when ssh is not set at all */
$sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1);
}
if ($sshcfg === null) {
return;
}
/* make sshd key store */
@mkdir('/conf/sshd', 0777, true);
/* make ssh home directory */
@mkdir('/var/empty', 0555, true);
/* Login related files. */
touch('/var/log/lastlog');
$keys = array(
/* .pub files are implied */
'rsa' => 'ssh_host_rsa_key',
'ecdsa' => 'ssh_host_ecdsa_key',
'ed25519' => 'ssh_host_ed25519_key',
);
$keys_dep = array(
/* .pub files are implied */
'dsa' => 'ssh_host_dsa_key',
);
$keys_all = array_merge($keys, $keys_dep);
/* Check for all needed key files. If any are missing, the keys need to be regenerated. */
$generate_keys = false;
foreach ($keys as $name) {
$file = "/conf/sshd/{$name}";
if (!file_exists($file) || !file_exists("{$file}.pub")) {
$generate_keys = true;
break;
}
}
if ($generate_keys) {
if (is_subsystem_dirty('sshdkeys')) {
return;
}
log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
mark_subsystem_dirty('sshdkeys');
foreach ($keys as $type => $name) {
$file = "/conf/sshd/{$name}";
@unlink("{$file}.pub");
@unlink($file);
mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file));
}
clear_subsystem_dirty('sshdkeys');
log_error('Completed creating your SSH keys. SSH will now be started.');
}
$sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22;
$sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n";
$sshconf .= "Port {$sshport}\n";
$sshconf .= "Protocol 2\n";
$sshconf .= "Compression yes\n";
$sshconf .= "ClientAliveInterval 30\n";
$sshconf .= "UseDNS no\n";
$sshconf .= "X11Forwarding no\n";
$sshconf .= "PubkeyAuthentication yes\n";
$sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
if (isset($sshcfg['permitrootlogin'])) {
$sshconf .= "PermitRootLogin yes\n";
}
if (isset($sshcfg['passwordauth'])) {
$sshconf .= "ChallengeResponseAuthentication yes\n";
$sshconf .= "PasswordAuthentication yes\n";
} else {
$sshconf .= "ChallengeResponseAuthentication no\n";
$sshconf .= "PasswordAuthentication no\n";
}
foreach ($keys_all as $name) {
$file = "/conf/sshd/{$name}";
if (!file_exists($file)) {
continue;
}
$sshconf .= "HostKey {$file}\n";
}
/* Write the new sshd config file */
file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf);
/* Launch new server process */
echo "Reloading sshd...";
if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
echo "failed.\n";
} else {
echo "done.\n";
}
[start]
command:/usr/local/etc/rc.sshd
parameters:
type:script
message:starting openssh
[restart] [restart]
command:/usr/local/etc/rc.sshd command:/usr/local/etc/rc.sshd
parameters: parameters:
type:script type:script
message:starting sshd message:restarting openssh
[stop] [stop]
command:/bin/pkill -TERM sshd || exit 0 command:/bin/pkill -af /usr/local/sbin/sshd || exit 0
parameters: parameters:
type:script type:script
message:stop sshd message:stopping openssh
...@@ -268,7 +268,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -268,7 +268,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
services_dhcpd_configure(); services_dhcpd_configure();
if ($restart_sshd) { if ($restart_sshd) {
configd_run('sshd restart', true); configd_run('openssh restart', true);
} }
if ($restart_webgui) { if ($restart_webgui) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment