rc: merge ssh changes from master

PR: https://github.com/opnsense/core/issues/1200

rc: merge ssh changes from master
PR: https://github.com/opnsense/core/issues/1200
526779bb · Franco Fichtner · 3fe64a5f · 526779bb
Commit 526779bb authored Oct 28, 2016 by Franco Fichtner
Show whitespace changes
Inline Side-by-side

Showing with 91 additions and 99 deletions

rc.sshd src/etc/rc.sshd +91 -99

No files found.
--- a/src/etc/rc.sshd
+++ b/src/etc/rc.sshd
@@ -2,42 +2,38 @@
 <?php

 /*
-	Copyright (C) 2004 Scott K Ullrich
-	Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
-	Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org>
-	All rights reserved.
-
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are met:
-
-	1. Redistributions of source code must retain the above copyright notice,
-	   this list of conditions and the following disclaimer.
-
-	2. Redistributions in binary form must reproduce the above copyright
-	   notice, this list of conditions and the following disclaimer in the
-	   documentation and/or other materials provided with the distribution.
-
-	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-	POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2004 Scott K Ullrich
+ * Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
+ * Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */

 require_once('config.inc');
 require_once("util.inc");

-$bin_ssh_keygen = '/usr/local/bin/ssh-keygen';
-$sbin_sshd = '/usr/local/sbin/sshd';
-$etc_ssh = '/usr/local/etc/ssh';
-
 /* if run from a shell session, `-af' and the full path is needed */
-mwexecf('/bin/pkill -af %s', $sbin_sshd);
+mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true);

 $sshcfg = null;

@@ -47,17 +43,21 @@ if (isset($config['system']['ssh'])) {
    }
 } elseif (count($argv) > 1 && $argv[1] == 'installer') {
    /* only revert to installer config when ssh is not set at all */
-	$sshcfg = array( 'permitrootlogin' => 1, 'passwordauth' => 1);
+    $sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1);
 }

 if ($sshcfg === null) {
    return;
 }

-/* reinstall the backup if it is available */
-if (file_exists('/conf/sshd/ssh_host_rsa_key') && !file_exists("{$etc_ssh}/ssh_host_rsa_key")) {
-	mwexec("/bin/cp -p /conf/sshd/* {$etc_ssh}/");
-}
+/* make sshd key store */
+@mkdir('/conf/sshd', 0777, true);
+
+/* make ssh home directory */
+@mkdir('/var/empty', 0555, true);
+
+/* Login related files. */
+touch('/var/log/lastlog');

 $keys = array(
    /* .pub files are implied */
@@ -66,29 +66,44 @@ $keys = array(
    'ed25519' => 'ssh_host_ed25519_key',
 );

-foreach($keys as $name) {
-	$file = "{$etc_ssh}/etc/ssh/{$name}";
-	if (file_exists($file) && filesize($file) == 0) {
-		unlink($file);
-	}
-	$file = "{$file}.pub";
-	if (file_exists($file) && filesize($file) == 0) {
-		unlink($file);
+$keys_dep = array(
+    /* .pub files are implied */
+    'dsa' => 'ssh_host_dsa_key',
+);
+
+$keys_all = array_merge($keys, $keys_dep);
+
+/* Check for all needed key files. If any are missing, the keys need to be regenerated. */
+$generate_keys = false;
+foreach ($keys as $name) {
+    $file = "/conf/sshd/{$name}";
+    if (!file_exists($file) || !file_exists("{$file}.pub")) {
+        $generate_keys = true;
+        break;
    }
 }

-/* make ssh home directory */
-@mkdir("/var/empty", 0555, true);
-
-/* Login related files. */
-touch("/var/log/lastlog");
+if ($generate_keys) {
+    if (is_subsystem_dirty('sshdkeys')) {
+        return;
+    }
+    log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
+    mark_subsystem_dirty('sshdkeys');
+    foreach ($keys as $type => $name) {
+        $file = "/conf/sshd/{$name}";
+        @unlink("{$file}.pub");
+        @unlink($file);
+        mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file));
+    }
+    clear_subsystem_dirty('sshdkeys');
+    log_error('Completed creating your SSH keys. SSH will now be started.');
+}

 $sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22;

 $sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n";
 $sshconf .= "Port {$sshport}\n";
 $sshconf .= "Protocol 2\n";
-/* XXX a couple of those need moar cleanups: */
 $sshconf .= "Compression yes\n";
 $sshconf .= "ClientAliveInterval 30\n";
 $sshconf .= "UseDNS no\n";
@@ -105,44 +120,21 @@ if (isset($sshcfg['passwordauth'])) {
    $sshconf .= "ChallengeResponseAuthentication no\n";
    $sshconf .= "PasswordAuthentication no\n";
 }
-
-/* Write the new sshd config file */
-file_put_contents("{$etc_ssh}/sshd_config", $sshconf);
-
-/* are we already running?  if so exit */
-if (is_subsystem_dirty('sshdkeys')) {
-	return;
-}
-
-// Check for all needed key files. If any are missing, the keys need to be regenerated.
-$generate_keys = false;
-foreach ($keys as $name) {
-	$file = "{$etc_ssh}/{$name}";
-	if (!file_exists($file) || !file_exists("{$file}.pub")) {
-		$generate_keys = true;
-		break;
+foreach ($keys_all as $name) {
+    $file = "/conf/sshd/{$name}";
+    if (!file_exists($file)) {
+        continue;
    }
+    $sshconf .= "HostKey {$file}\n";
 }

-if ($generate_keys) {
-	log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
-	mark_subsystem_dirty('sshdkeys');
-	mwexec("/bin/rm -f {$etc_ssh}/ssh_host_*");
-	foreach ($keys as $type => $name) {
-		mwexec(sprintf('%s -t %s -N "" -f %s/%s', $bin_ssh_keygen, $type, $etc_ssh, $name));
-	}
-	clear_subsystem_dirty('sshdkeys');
-	log_error('Completed creating your SSH keys. SSH will now be started.');
-}
+/* Write the new sshd config file */
+file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf);

 /* Launch new server process */
 echo "Reloading sshd...";
-if (mwexecf('/usr/bin/protect -i %s', $sbin_sshd)) {
+if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
    echo "failed.\n";
 } else {
    echo "done.\n";
 }
-
-/* back up files in case they are useful ;) */
-@mkdir('/conf/sshd', 0777, true);
-mwexec("/bin/cp -p ${etc_ssh}/ssh_host_* /conf/sshd/");