rc: sshd rework... #1200

Uh, oh: the keys are not purged on factory reset. Since we now store the explicit host key file names in the config, it's better to stop writing keys to /usr/local/etc/ssh and just keep the backup where it was. It's fully compatible with our approach. While there, remove the need to softcode commands in variables as this was done to migrate from base OpenSSH to ports OpenSSH, which was done in 2015.

rc: sshd rework... #1200
Uh, oh: the keys are not purged on factory reset. Since we now store the explicit host key file names in the config, it's better to stop writing keys to /usr/local/etc/ssh and just keep the backup where it was. It's fully compatible with our approach. While there, remove the need to softcode commands in variables as this was done to migrate from base OpenSSH to ports OpenSSH, which was done in 2015.
888b9a22 · Franco Fichtner · 383e4bba · 888b9a22
Commit 888b9a22 authored Sep 29, 2016 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 79 additions and 101 deletions

rc.sshd src/etc/rc.sshd +79 -101

No files found.
--- a/src/etc/rc.sshd
+++ b/src/etc/rc.sshd
@@ -2,119 +2,101 @@
 <?php

 /*
-	Copyright (C) 2004 Scott K Ullrich
-	Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
-	Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org>
-	All rights reserved.
-
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are met:
-
-	1. Redistributions of source code must retain the above copyright notice,
-	   this list of conditions and the following disclaimer.
-
-	2. Redistributions in binary form must reproduce the above copyright
-	   notice, this list of conditions and the following disclaimer in the
-	   documentation and/or other materials provided with the distribution.
-
-	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-	POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2004 Scott K Ullrich
+ * Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
+ * Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */

 require_once('config.inc');
 require_once("util.inc");

-$bin_ssh_keygen = '/usr/local/bin/ssh-keygen';
-$sbin_sshd = '/usr/local/sbin/sshd';
-$etc_ssh = '/usr/local/etc/ssh';
-
 /* if run from a shell session, `-af' and the full path is needed */
-mwexecf('/bin/pkill -af %s', $sbin_sshd);
+mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd');

 $sshcfg = null;

 if (isset($config['system']['ssh'])) {
-	if (isset($config['system']['ssh']['enabled'])) {
-		$sshcfg = $config['system']['ssh'];
-	}
+    if (isset($config['system']['ssh']['enabled'])) {
+        $sshcfg = $config['system']['ssh'];
+    }
 } elseif (count($argv) > 1 && $argv[1] == 'installer') {
-	/* only revert to installer config when ssh is not set at all */
-	$sshcfg = array( 'permitrootlogin' => 1, 'passwordauth' => 1);
+    /* only revert to installer config when ssh is not set at all */
+    $sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1);
 }

 if ($sshcfg === null) {
-	return;
+    return;
 }

-/* reinstall the backup if it is available */
-if (file_exists('/conf/sshd/ssh_host_rsa_key') && !file_exists("{$etc_ssh}/ssh_host_rsa_key")) {
-	mwexec("/bin/cp -p /conf/sshd/* {$etc_ssh}/");
-}
+/* make sshd key store */
+@mkdir('/conf/sshd', 0777, true);
+
+/* make ssh home directory */
+@mkdir('/var/empty', 0555, true);
+
+/* Login related files. */
+touch('/var/log/lastlog');

 $keys = array(
-	/* .pub files are implied */
-	'rsa' => 'ssh_host_rsa_key',
-	'ecdsa' => 'ssh_host_ecdsa_key',
-	'ed25519' => 'ssh_host_ed25519_key',
+    /* .pub files are implied */
+    'rsa' => 'ssh_host_rsa_key',
+    'ecdsa' => 'ssh_host_ecdsa_key',
+    'ed25519' => 'ssh_host_ed25519_key',
 );

 $keys_dep = array(
-	/* .pub files are implied */
-	'dsa' => 'ssh_host_dsa_key',
+    /* .pub files are implied */
+    'dsa' => 'ssh_host_dsa_key',
 );

 $keys_all = array_merge($keys, $keys_dep);

-foreach ($keys_all as $name) {
-	/* this is one of the infamous UFS workarounds ;) */
-	$file = "{$etc_ssh}/{$name}";
-	if (file_exists($file) && filesize($file) == 0) {
-		unlink($file);
-	}
-	$file = "{$file}.pub";
-	if (file_exists($file) && filesize($file) == 0) {
-		unlink($file);
-	}
-}
-
-/* make ssh home directory */
-@mkdir("/var/empty", 0555, true);
-
-/* Login related files. */
-touch("/var/log/lastlog");
-
-/* are we already running?  if so exit */
-if (is_subsystem_dirty('sshdkeys')) {
-	return;
-}
-
 /* Check for all needed key files. If any are missing, the keys need to be regenerated. */
 $generate_keys = false;
 foreach ($keys as $name) {
-	$file = "{$etc_ssh}/{$name}";
-	if (!file_exists($file) || !file_exists("{$file}.pub")) {
-		$generate_keys = true;
-		break;
-	}
+    $file = "/conf/sshd/{$name}";
+    if (!file_exists($file) || !file_exists("{$file}.pub")) {
+        $generate_keys = true;
+        break;
+    }
 }

 if ($generate_keys) {
-	log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
-	mark_subsystem_dirty('sshdkeys');
-	mwexec("/bin/rm -f {$etc_ssh}/ssh_host_*");
-	foreach ($keys as $type => $name) {
-		mwexec(sprintf('%s -t %s -N "" -f %s/%s', $bin_ssh_keygen, $type, $etc_ssh, $name));
-	}
-	clear_subsystem_dirty('sshdkeys');
-	log_error('Completed creating your SSH keys. SSH will now be started.');
+    if (is_subsystem_dirty('sshdkeys')) {
+        return;
+    }
+    log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.');
+    mark_subsystem_dirty('sshdkeys');
+    foreach ($keys as $type => $name) {
+        $file = "/conf/sshd/{$name}";
+        @unlink("{$file}.pub");
+        @unlink($file);
+        mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file));
+    }
+    clear_subsystem_dirty('sshdkeys');
+    log_error('Completed creating your SSH keys. SSH will now be started.');
 }

 $sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22;
@@ -129,34 +111,30 @@ $sshconf .= "X11Forwarding no\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 $sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
 if (isset($sshcfg['permitrootlogin'])) {
-	$sshconf .= "PermitRootLogin yes\n";
+    $sshconf .= "PermitRootLogin yes\n";
 }
 if (isset($sshcfg['passwordauth'])) {
-	$sshconf .= "ChallengeResponseAuthentication yes\n";
-	$sshconf .= "PasswordAuthentication yes\n";
+    $sshconf .= "ChallengeResponseAuthentication yes\n";
+    $sshconf .= "PasswordAuthentication yes\n";
 } else {
-	$sshconf .= "ChallengeResponseAuthentication no\n";
-	$sshconf .= "PasswordAuthentication no\n";
+    $sshconf .= "ChallengeResponseAuthentication no\n";
+    $sshconf .= "PasswordAuthentication no\n";
 }
 foreach ($keys_all as $name) {
-	$file = "{$etc_ssh}/{$name}";
-	if (!file_exists($file)) {
-		continue;
-	}
-	$sshconf .= "HostKey {$file}\n";
+    $file = "/conf/sshd/{$name}";
+    if (!file_exists($file)) {
+        continue;
+    }
+    $sshconf .= "HostKey {$file}\n";
 }

 /* Write the new sshd config file */
-file_put_contents("{$etc_ssh}/sshd_config", $sshconf);
+file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf);

 /* Launch new server process */
 echo "Reloading sshd...";
-if (mwexecf('/usr/bin/protect -i %s', $sbin_sshd)) {
-	echo "failed.\n";
+if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
+    echo "failed.\n";
 } else {
-	echo "done.\n";
+    echo "done.\n";
 }
-
-/* back up files in case they are useful ;) */
-@mkdir('/conf/sshd', 0777, true);
-mwexec("/bin/cp -p ${etc_ssh}/ssh_host_* /conf/sshd/");