Commit ab28de2e authored by Franco Fichtner's avatar Franco Fichtner

rc: rework sshd handling

* Prefer the openssh-portable port, but fall back to the base
  version if it is available.

* Refactor the key generation to produce less duplicated code.

* Locking is completely bogus, but I have no clue how to fix
  that short term without doing a full audit of the subsystem-dirty
  mechanic.
parent 2833fbca
......@@ -4,6 +4,7 @@
/*
Copyright (C) 2004 Scott K Ullrich
Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
Copyright (C) 2015 Franco Fichtner <franco@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
......@@ -28,10 +29,10 @@
POSSIBILITY OF SUCH DAMAGE.
*/
require_once("globals.inc");
require_once("config.inc");
require_once("functions.inc");
require_once("shaper.inc");
require_once('globals.inc');
require_once('config.inc');
require_once('functions.inc');
require_once('shaper.inc');
killbyname('sshd');
......@@ -44,26 +45,46 @@ if (!is_subsystem_dirty('sshdkeys')) {
conf_mount_rw();
}
if (file_exists('/conf/sshd/ssh_host_key') && !file_exists('/etc/ssh/ssh_host_key')) {
mwexec('/bin/cp -p /conf/sshd/* /etc/ssh/');
}
$keys = array(
'ssh_host_key',
'ssh_host_key.pub',
'ssh_host_dsa_key',
'ssh_host_dsa_key.pub',
'ssh_host_rsa_key',
'ssh_host_rsa_key.pub',
'ssh_host_ecdsa_key',
'ssh_host_ecdsa_key.pub',
//'ssh_host_ed25519_key',
//'ssh_host_ed25519_key.pub'
/* .pub files are implied */
'rsa1' => 'ssh_host_key',
'rsa' => 'ssh_host_rsa_key',
'dsa' => 'ssh_host_dsa_key',
'ecdsa' => 'ssh_host_ecdsa_key',
'ed25519' => 'ssh_host_ed25519_key',
);
foreach($keys as $f2c) {
if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) {
unlink("/etc/ssh/{$f2c}");
if (file_exists('/usr/local/sbin/sshd')) {
/* use the ports version */
$bin_ssh_keygen = '/usr/local/bin/ssh-keygen';
$sbin_sshd = '/usr/local/sbin/sshd';
$etc_ssh = '/usr/local/etc/ssh';
} elseif (file_exists('/usr/sbin/sshd')) {
/* use the base version (legacy fallback) */
$bin_ssh_keygen = '/usr/bin/ssh-keygen';
$sbin_sshd = '/usr/sbin/sshd';
$etc_ssh = '/etc/ssh';
/* mode is not supported */
unset($keys['ed25519']);
} else {
/* the infamous "this should never happen" */
log_error(_('Could not find an SSH implementation on your system.'));
return;
}
/* reinstall the backup if it is available */
if (file_exists('/conf/sshd/ssh_host_key') && !file_exists("{$etc_ssh}/ssh_host_key")) {
mwexec("/bin/cp -p /conf/sshd/* {$etc_ssh}/");
}
foreach($keys as $name) {
$file = "{$etc_ssh}/etc/ssh/{$name}";
if (file_exists($file) && filesize($file) == 0) {
unlink($file);
}
$file = "{$file}.pub";
if (file_exists($file) && filesize($file) == 0) {
unlink($file);
}
}
......@@ -73,8 +94,6 @@ foreach($keys as $f2c) {
/* Login related files. */
touch("/var/log/lastlog");
$sshConfigDir = "/etc/ssh";
if (isset($config['system']['ssh']['port'])) {
$sshport = $config['system']['ssh']['port'];
} else {
......@@ -112,7 +131,7 @@ if (isset($config['system']['ssh']['sshdkeyonly'])) {
}
/* Write the new sshd config file */
file_put_contents('/etc/ssh/sshd_config', $sshconf);
file_put_contents("{$etc_ssh}/sshd_config", $sshconf);
/* are we already running? if so exit */
if (is_subsystem_dirty('sshdkeys')) {
......@@ -121,8 +140,9 @@ if (is_subsystem_dirty('sshdkeys')) {
// Check for all needed key files. If any are missing, the keys need to be regenerated.
$generate_keys = false;
foreach ($keys as $f2c) {
if (!file_exists("/etc/ssh/{$f2c}")) {
foreach ($keys as $name) {
$file = "{$etc_ssh}/{$name}";
if (!file_exists($file) || !file_exists("{$file}.pub")) {
$generate_keys = true;
break;
}
......@@ -131,27 +151,25 @@ foreach ($keys as $f2c) {
if ($generate_keys) {
log_error(_('Started creating your SSH keys. SSH startup is being delayed a wee bit.'));
mark_subsystem_dirty('sshdkeys');
mwexec('/bin/rm /etc/ssh/ssh_host_*', true);
mwexec("/usr/bin/ssh-keygen -t rsa1 -N '' -f {$sshConfigDir}/ssh_host_key");
mwexec("/usr/bin/ssh-keygen -t rsa -N '' -f {$sshConfigDir}/ssh_host_rsa_key");
mwexec("/usr/bin/ssh-keygen -t dsa -N '' -f {$sshConfigDir}/ssh_host_dsa_key");
mwexec("/usr/bin/ssh-keygen -t ecdsa -N '' -f {$sshConfigDir}/ssh_host_ecdsa_key");
//mwexec("/usr/bin/ssh-keygen -t ed25519 -N '' -f {$sshConfigDir}/ssh_host_ed25519_key");
mwexec("/bin/rm -f {$etc_ssh}/ssh_host_*");
foreach ($keys as $type => $name) {
mwexec(sprintf('%s -t %s -N "" -f %s/%s', $bin_ssh_keygen, $type, $etc_ssh, $name));
}
clear_subsystem_dirty('sshdkeys');
log_error(_('Completed creating your SSH keys. SSH will now be started.'));
}
/* Launch new server process */
echo "Reloading sshd...";
if (mwexec('/usr/sbin/sshd')) {
if (mwexec($sbin_sshd)) {
echo "failed.\n";
} else {
echo "done.\n";
}
/* back up files in case they are useful */
/* back up files in case they are useful ;) */
@mkdir('/conf/sshd', 0777, true);
mwexec('/bin/cp -p /etc/ssh/ssh_host* /conf/sshd');
mwexec("/bin/cp -p ${etc_ssh}/ssh_host_* /conf/sshd/");
conf_mount_ro();
unset($keys);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment