Merge branch 'master' of git.opnsense.org:repo/opnsense-core

b3f9d883 · Jos Schellevis · f1df67f5 · 95babf60 · b3f9d883 · b3f9d883
Commit b3f9d883 authored Dec 11, 2014 by Jos Schellevis
9 changed files
--- a/src/etc/config.xml
+++ b/src/etc/config.xml
@@ -189,7 +189,7 @@
 			<protocol>https</protocol>
 		</webgui>
 		<disablenatreflection>yes</disablenatreflection>
-		<!-- <disableconsolemenu/> -->
+		<disableconsolemenu/>
 		<!-- <disablefirmwarecheck/> -->
 		<!-- <harddiskstandby></harddiskstandby> -->
 		<disablesegmentationoffloading/>
@@ -202,6 +202,9 @@
 			<interval>monthly</interval>
 		</bogons>
 		<kill_states/>
+		<ssh>
+			<sshdkeyonly/>
+		</ssh>
 	</system>
 	<interfaces>
 		<wan>

--- a/src/etc/inc/pfsense-utils.inc
+++ b/src/etc/inc/pfsense-utils.inc
@@ -998,13 +998,65 @@ function setup_serial_port($when="save", $path="") {
 	}
 	unset($on_off, $console_type, $serial_type);
 	fclose($fd);
+	auto_login();
 	reload_ttys();
-
 	conf_mount_ro();
-	return;
 }

-function is_serial_enabled() {
+function auto_login()
+{
+	global $config;
+
+	/*
+	 * This function appends the autologin extension in /etc/gettytab
+	 * for the main console.  This only works with a vanilla config;
+	 * it is likely that manual editing by the user will make this
+	 * function stop working properly.  In case of no match, throw a
+	 * little error...
+	 */
+
+	$getty_file = "/etc/gettytab";
+	$getty_text = explode("\n", file_get_contents($getty_file));
+
+	$getty_al = isset($config['system']['disableconsolemenu']) ? "" : "al=root:";
+	$getty_base = "\t:ht:np:sp#9600:";
+	$getty_new = $getty_base . $getty_al;
+	$getty_ok = false;
+
+	foreach ($getty_text as $getty_old) {
+		if (!strncmp($getty_old, $getty_base, strlen($getty_base))) {
+			if (!strcmp($getty_old, $getty_new)) {
+				/* already the correct setting */
+				return;
+			}
+			$getty_ok = true;
+		}
+	}
+
+	if (!$getty_ok) {
+		log_error(gettext("Could not toggle auto login setting."));
+		return;
+	}
+
+	$fd = fopen($getty_file, "w");
+	if (!$fd) {
+		log_error(gettext("Could not write auto login setting."));
+		return;
+	}
+
+	foreach ($getty_text as $getty_old) {
+		if (!strncmp($getty_old, $getty_base, strlen($getty_base))) {
+			fprintf($fd, "%s\n", $getty_new);
+		} else {
+			fprintf($fd, "%s\n", $getty_old);
+		}
+	}
+
+	fclose($fd);
+}
+
+function is_serial_enabled()
+{
 	global $g, $config;

 	if (!isset($g['enableserial_force']) &&
@@ -1015,7 +1067,8 @@ function is_serial_enabled() {
 	return true;
 }

-function reload_ttys() {
+function reload_ttys()
+{
 	// Send a HUP signal to init will make it reload /etc/ttys
 	posix_kill(1, SIGHUP);
 }

--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1681,17 +1681,6 @@ function system_reboot_cleanup() {
 	stop_packages();
 }

-function system_console_configure()
-{
-	global $config, $g;
-
-	if (isset($config['system']['disableconsolemenu'])) {
-		touch("{$g['varetc_path']}/disableconsole");
-	} else {
-		unlink_if_exists("{$g['varetc_path']}/disableconsole");
-	}
-}
-
 function system_dmesg_save()
 {
 	global $g;

--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -31,21 +31,19 @@
 	POSSIBILITY OF SUCH DAMAGE.
 */

-function rescue_detect_keypress() {
-	// How long do you want the script to wait before moving on (in seconds)
-	$timeout=9;
+function rescue_detect_keypress()
+{
+	$timeout = 9;
+
 	echo "\n";
-    echo "[ Press R to enter recovery mode or ]\n";
-	echo "[  press I to launch the installer  ]\n\n";
-	echo "(R)ecovery mode can assist by rescuing config.xml\n";
-	echo "from a broken hard disk installation, etc.\n\n";
-	echo "(I)nstaller may be invoked now if you do \n";
-	echo "not wish to boot into the liveCD environment at this time.\n\n";
-	echo "(C) continues the LiveCD bootup without further pause.\n\n";
+	echo "(I)nstaller will be invoked by default.\n\n";
+	echo "(C)ontinue with LiveCD bootup instead.\n\n";
+	echo "(R)ecovery mode escapes to a root shell.\n\n";
 	echo "Timeout before auto boot continues (seconds): {$timeout}";
+
 	$key = null;
 	exec("/bin/stty erase " . chr(8));
-	while(!in_array($key, array("c", "C", "r","R", "i", "I", "~", "!"))) {
+	while (!in_array($key, array("c", "C", "r","R", "i", "I"))) {
 	        echo chr(8) . "{$timeout}";
 	        `/bin/stty -icanon min 0 time 25`;
 	        $key = trim(`KEY=\`dd count=1 2>/dev/null\`; echo \$KEY`);
@@ -53,30 +51,26 @@ function rescue_detect_keypress() {
 	        // Decrement our timeout value
 	        $timeout--;
 	        // If we have reached 0 exit and continue on
-	        if ($timeout == 0) 
-				break;
+	        if ($timeout == 0) {
+			break;
+		}
 	}
-	// If R or I was pressed do our logic here
+
+	echo "\n\n";
+
 	if (in_array($key, array("r", "R"))) {
-	  putenv("TERM=cons25");
-	  echo "\n\nRecovery mode selected...\n";
-	  passthru("/usr/bin/env TERM=cons25 /bin/csh -c /usr/local/installer/lua_installer_rescue");
-	} elseif (in_array($key, array("i", "I"))) {
-	  putenv("TERM=cons25");
-	  echo "\n\nInstaller mode selected...\n";
-	  passthru("/usr/bin/env TERM=cons25 /bin/csh -c /usr/local/installer/lua_installer");
-	  if(file_exists("/tmp/install_complete")) {
-		passthru("/usr/local/etc/rc.reboot");
-		exit;
-	  }
-	} elseif (in_array($key, array("!", "~"))) {
-		putenv("TERM=cons25");
-		echo "\n\nRecovery shell selected...\n";
-		echo "\n";
+		echo "Recovery shell selected...\n\n";
 		touch("/tmp/donotbootup");
 		exit;
+	} elseif (in_array($key, array("c", "C"))) {
+		/* nothing */
 	} else {
-		echo "\n\n";
+		echo "Installer mode selected...\n";
+		passthru("/usr/local/etc/rc.installer");
+		if (file_exists("/tmp/install_complete")) {
+			passthru("/usr/local/etc/rc.reboot");
+			exit;
+		}
 	}
 }

@@ -301,9 +295,6 @@ echo "done.\n";
 /* start load balancer daemon */
 relayd_configure();

-/* configure console menu */
-system_console_configure();
-
 /* start DHCP service */
 services_dhcpd_configure();


--- a/src/etc/rc.initial
+++ b/src/etc/rc.initial
@@ -14,25 +14,15 @@

 # If recovery console shell option has been specified
 if [ -f "/tmp/donotbootup" ]; then
-	/usr/bin/env prompt="%B[%n@%m]%b%/(%h)||RecoveryConsoleShell: " /bin/csh
-	rm "/tmp/donotbootup"
-	echo "Rebooting in 5 seconds... CTRL-C to abort..."
-	sleep 5
+	rm /tmp/donotbootup
+	/bin/csh
 	/usr/local/etc/rc.reboot
-	exit
+	# no coming back from here
 fi

-CONFIG="/cf/conf/config.xml"
-WORD="https"
-
-# Set our operating platform
-PLATFORM=`cat /usr/local/etc/platform`
-
 # endless loop
 while : ; do

-product=`grep product_name /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
-
 # Check to see if SSH is running.
 if pgrep -q -a -F /var/run/sshd.pid sshd >/dev/null 2>&1; then
 	sshd_option="14) Disable Secure Shell (sshd)";
@@ -40,21 +30,24 @@ else
 	sshd_option="14) Enable Secure Shell (sshd)";
 fi

-if [ "$PLATFORM" = "cdrom" ]; then
-    option99="99) Install ${product} to a hard drive, etc."
+# If we are on the LiveCD advertise the installer
+if _tmpdir=$(mktemp -d -q /.diskless.XXXXXX); then
+	rmdir ${_tmpdir}
+else
+	option99="99) Launch the installer"
 fi

-# display a cheap menu
 echo " 0) Logout                             8) Shell"
 echo " 1) Assign Interfaces                  9) pfTop"
 echo " 2) Set interface(s) IP address       10) Filter Logs"
-echo " 3) Reset webConfigurator password    11) Restart webConfigurator"
-echo " 4) Reset to factory defaults         12) ${product} Developer Shell"
+echo " 3) Reset the root password           11) Restart web interface"
+echo " 4) Reset to factory defaults         12) Developer Shell"
 echo " 5) Reboot system                     13) Upgrade from console"
 echo " 6) Halt system                       ${sshd_option}"
-echo " 7) Ping host                         15) Restore recent configuration"
-if [ "${option99}" != "" ]; then
-	/bin/echo "${option99}"
+echo " 7) Ping host                         15) Restore a configuration"
+if [ -n "${option99}" ]; then
+# flat for alignment...
+echo "                                      ${option99}"
 fi

 echo
@@ -112,18 +105,13 @@ case ${opmode} in
 	/usr/local/etc/rc.restore_config_backup
 	;;
 99)
-	if [ -e /dev/ukbd0 ]; then
-		env TERM=cons25 /usr/local/installer/lua_installer
-	else
-		/usr/local/installer/lua_installer
-	fi
+	/usr/local/etc/rc.installer
 	;;
 *)
 	;;
 esac

 /usr/local/etc/rc.initial.banner
-
 echo

 done
--- a/src/installer/lua_installer
+++ b/src/installer/lua_installer
@@ -5,14 +5,14 @@
 #
 #   Redistribution and use in source and binary forms, with or without
 #   modification, are permitted provided that the following conditions are met:
-#   
+#
 #   1. Redistributions of source code must retain the above copyright notice,
 #      this list of conditions and the following disclaimer.
-#   
+#
 #   2. Redistributions in binary form must reproduce the above copyright
 #      notice, this list of conditions and the following disclaimer in the
 #      documentation and/or other materials provided with the distribution.
-#   
+#
 #   THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 #   INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 #   AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
@@ -24,85 +24,34 @@
 #   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 #   POSSIBILITY OF SUCH DAMAGE.

-product=`cat /usr/local/etc/inc/globals.inc | grep product_name | cut -d'"' -f4`
-factory_shipped_password=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_password | cut -d'"' -f4`
-factory_shipped_username=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_username | cut -d'"' -f4`
-
-echo
-echo "Launching ${product} Installer..."
-echo
-
-# Ensure install-session.sh exists where the installtion was recorded to
-touch /tmp/install-session.sh
+PRODUCT=`grep product_name /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
+USERNAME=`grep factory_shipped_username /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
+PASSWORD=`grep factory_shipped_password /usr/local/etc/inc/globals.inc | cut -d'"' -f4`

-/sbin/sysctl kern.geom.debugflags=16
+/sbin/sysctl kern.geom.debugflags=16 >/dev/null
 /sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null

 /sbin/ifconfig lo0 127.0.0.1/24
 /sbin/ifconfig lo0 up

-# Check if host is running on VMware -- early boot
-if [ `dmesg -a | grep VMware | wc -l` -gt 0 ]; then
-	touch /var/IS_VMWARE
-fi
+# Start the backend in the background (must mute all the ouput)
+LUA_CPATH='/usr/local/lib/lua/5.0/?.so' /usr/local/bin/lua50 \
+	-l/usr/local/share/lua/5.0/compat-5.1.lua \
+	/usr/local/share/dfuibe_lua/main.lua \
+	/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \
+	/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \
+	/usr/local/share/dfuibe_lua/conf/pfSense.lua > /dev/null 2>&1 &

-# Check if host is running on VMware
-if [ -f /var/log/dmesg.boot ]; then
-	if [ `cat /var/log/dmesg.boot | /usr/bin/grep VMware | /usr/bin/wc -l` -gt 0 ]; then
-		echo -n "VMware detected.  The installer will make changes to tune this host."
-	        touch /var/IS_VMWARE
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo "."
-	fi
+/sbin/conscontrol mute on > /dev/null

-	# Check if host is running on pfSenseDEV
-	if [ `/sbin/sysctl -n kern.bootfile | /usr/bin/grep pfSense_Dev | /usr/bin/wc -l` -gt 0 ]; then
-		echo -n "${product} developer iso detected."
-	        touch /var/pfSenseDEV
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo "."
-	fi
+# Launch the frontend goo (must include cons25 for first boot)
+TERM=cons25 /usr/local/sbin/dfuife_curses

-	if [ -f /var/run/dmesg.boot ]; then
-		ln -s /var/log/dmesg.boot /var/run/dmesg.boot
-	fi
-fi
-
-echo "One moment please..."
-echo
-
-echo -n "LUA_CPATH='/usr/local/lib/lua/5.0/?.so' exec /usr/local/bin/lua50 -l/usr/local/share/lua/5.0/compat-5.1.lua " > /tmp/lua50c51
-
-echo "/usr/local/share/dfuibe_lua/main.lua \
-/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \
-/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \
-/usr/local/share/dfuibe_lua/conf/pfSense.lua " >> /tmp/lua50c51
-
-#/sbin/conscontrol mute on >/dev/null 2>&1
-
-sh /tmp/lua50c51 >/dev/null 2>&1 &
-
-sleep 1
-
-echo Launching Installer NCurses frontend...
-/usr/local/sbin/dfuife_curses
-
-#/sbin/conscontrol mute off >/dev/null 2>&1
+/sbin/conscontrol mute off > /dev/null

 if [ ! -f /tmp/install_complete ]; then
-	echo Installation did not finish correctly.
+	echo "The installation was aborted."
+	echo
 	exit
 fi

@@ -123,7 +72,7 @@ echo
 echo
 echo
 echo
-echo "${product} is now rebooting"
+echo "${PRODUCT} is now rebooting"
 echo
 echo "After the reboot is complete, open a web browser and"
 echo "enter https://192.168.1.1 (or the LAN IP Address) in the"
@@ -133,23 +82,14 @@ echo "You might need to acknowledge the HTTPS certificate if "
 echo "your browser reports it as untrusted.  This is normal"
 echo "as a self-signed certificate is used by default."
 echo
-echo "*DEFAULT Username*: ${factory_shipped_username}"
-echo "*DEFAULT Password*: ${factory_shipped_password}"
+echo "*DEFAULT Username*: ${USERNAME}"
+echo "*DEFAULT Password*: ${PASSWORD}"
 echo

-echo Rebooting in 5 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 4 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 3 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 2 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 1 second..  CTRL-C to abort.
-sleep 1
-echo
-echo ${product} is now rebooting.
+for n in 5 4 3 2 1; do
+    echo Rebooting in $n seconds.  CTRL-C to abort.
+    sleep 1
+done
 echo

 reboot
-
--- a/src/etc/rc.sshd
+++ b/src/etc/rc.sshd
@@ -2,9 +2,8 @@
 <?php

 /*
-	Copyright 2004 Scott K Ullrich
-
-	Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
+	Copyright (C) 2004 Scott K Ullrich
+	Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
 	All rights reserved.

 	Redistribution and use in source and binary forms, with or without
@@ -34,6 +33,8 @@ require_once("config.inc");
 require_once("functions.inc");
 require_once("shaper.inc");

+killbyname('sshd');
+
 if (!isset($config['system']['enablesshd'])) {
 	return;
 }
@@ -43,6 +44,10 @@ if (!is_subsystem_dirty('sshdkeys')) {
 	conf_mount_rw();
 }

+if (file_exists('/conf/sshd/ssh_host_key') && !file_exists('/etc/ssh/ssh_host_key')) {
+	mwexec('/bin/cp -p /conf/sshd/* /etc/ssh/');
+}
+
 $keys = array(
 	'ssh_host_key',
 	'ssh_host_key.pub',
@@ -56,93 +61,61 @@ $keys = array(
 	'ssh_host_ed25519_key.pub'
 );

-/* restore ssh data for nanobsd platform */
-if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key") and !file_exists("/etc/ssh/ssh_host_key.pub")) {
-	echo "Restoring SSH from /conf/sshd/";
-	exec("/bin/cp -p /conf/sshd/* /etc/ssh/");
-
-	/* make sure host private key permissions aren't too open so sshd won't complain */
-	foreach($keys as $f2c) {
-		if(file_exists("/etc/ssh/{$f2c}"))
-			chmod("/etc/ssh/{$f2c}", 0600);
-	}
-}
-
-/*    if any of these files are 0 bytes then they are corrupted.
- *    remove them
- */
 foreach($keys as $f2c) {
 	if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) {
-		unlink_if_exists('/etc/ssh/ssh_host*');
-		break;
+		unlink("/etc/ssh/{$f2c}");
 	}
 }

-if (!is_dir("/var/empty")) {
-	/* make ssh home directory */
-	mkdir("/var/empty", 0555);
-}
+/* make ssh home directory */
+@mkdir("/var/empty", 0555, true);

-if(!file_exists("/var/log/lastlog")) {
-	/* Login related files. */
-	@touch("/var/log/lastlog");
-}
+/* Login related files. */
+touch("/var/log/lastlog");

 $sshConfigDir = "/etc/ssh";

-if (is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port']))
+if (isset($config['system']['ssh']['port'])) {
 	$sshport = $config['system']['ssh']['port'];
-else
+} else {
 	$sshport = 22;
+}
+
+/*
+ * XXX ZOMG sshd_config BOOTSTRAPPING ACTION
+ *
+ * We can't just ditch the system file by default and roll
+ * our own.  Instead, use the current file to find the actual
+ * settings that need toggling, then toggle them!
+ */

 /* Include default configuration for pfSense */
-$sshconf = "# This file is automatically generated at startup\n";
-$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
-$sshconf .= "PermitRootLogin yes\n";
+$sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n";
+$sshconf .= "Port {$sshport}\n";
+$sshconf .= "Protocol 2\n";
+/* XXX a couple of those need moar cleanups: */
 $sshconf .= "Compression yes\n";
 $sshconf .= "ClientAliveInterval 30\n";
 $sshconf .= "UseDNS no\n";
 $sshconf .= "X11Forwarding no\n";
+$sshconf .= "PubkeyAuthentication yes\n";
+$sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
+if (isset($config['system']['ssh']['permitrootlogin'])) {
+	$sshconf .= "PermitRootLogin yes\n";
+}
 if (isset($config['system']['ssh']['sshdkeyonly'])) {
-	$sshconf .= "# Login via Key only\n";
 	$sshconf .= "PasswordAuthentication no\n";
 	$sshconf .= "ChallengeResponseAuthentication no\n";
-	$sshconf .= "PubkeyAuthentication yes\n";
 } else {
-	$sshconf .= "# Login via Key and Password\n";
 	$sshconf .= "PasswordAuthentication yes\n";
 	$sshconf .= "ChallengeResponseAuthentication yes\n";
-	$sshconf .= "PubkeyAuthentication yes\n";
 }
-$sshconf .= "# override default of no subsystems\n";
-$sshconf .= "Subsystem       sftp    /usr/libexec/sftp-server\n";
-/* Only allow protocol 2, because we say so */
-$sshconf .= "Protocol 2\n";
-/* Run the server on another port if we have one defined */
-$sshconf .= "Port $sshport\n";
-/* Hide FreeBSD version */
-$sshconf .= "VersionAddendum \n";

 /* Write the new sshd config file */
-@file_put_contents("/etc/ssh/sshd_config", $sshconf);
-
-/* mop up from a badly implemented ssh keys -> cf backup */
-if($config['ssh']['dsa_key'] <> "") {
-	unset($config['ssh']['dsa_key']);
-	unset($config['ssh']['ecdsa_key']);
-	unset($config['ssh']['ed25519_key']);
-	unset($config['ssh']['rsa_key']);
-	unset($config['ssh']['rsa1_key']);
-	unset($config['ssh']['dsa']);
-	unset($config['ssh']['rsa']);
-	unset($config['ssh']['rsa1']);
-	unset($config['ssh']['ak']);
-	write_config("Clearing SSH keys from config.xml");
-}
+file_put_contents('/etc/ssh/sshd_config', $sshconf);

 /* are we already running?  if so exit */
-if(is_subsystem_dirty('sshdkeys')) {
-	unset($keys);
+if (is_subsystem_dirty('sshdkeys')) {
 	return;
 }

@@ -156,40 +129,29 @@ foreach ($keys as $f2c) {
 }

 if ($generate_keys) {
-	/* remove previous keys and regen later */
-	file_notice("SSH", "{$g['product_name']} has started creating your SSH keys.  SSH Startup will be delayed.  Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
-	unlink_if_exists('/etc/ssh/ssh_host_*');
+	log_error(_('Started creating your SSH keys. SSH startup is being delayed a wee bit.'));
 	mark_subsystem_dirty('sshdkeys');
-	echo " Generating Keys:\n";
-	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key");
-	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key");
-	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key");
-	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ecdsa -N '' -f $sshConfigDir/ssh_host_ecdsa_key");
-	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -N '' -f $sshConfigDir/ssh_host_ed25519_key");
+	mwexec('/bin/rm /etc/ssh/ssh_host_*', true);
+	mwexec("/usr/bin/ssh-keygen -t rsa1 -N '' -f {$sshConfigDir}/ssh_host_key");
+	mwexec("/usr/bin/ssh-keygen -t rsa -N '' -f {$sshConfigDir}/ssh_host_rsa_key");
+	mwexec("/usr/bin/ssh-keygen -t dsa -N '' -f {$sshConfigDir}/ssh_host_dsa_key");
+	mwexec("/usr/bin/ssh-keygen -t ecdsa -N '' -f {$sshConfigDir}/ssh_host_ecdsa_key");
+	mwexec("/usr/bin/ssh-keygen -t ed25519 -N '' -f {$sshConfigDir}/ssh_host_ed25519_key");
 	clear_subsystem_dirty('sshdkeys');
-	file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys.  SSH is now started.", "SSH Startup", "");
+	log_error(_('Completed creating your SSH keys. SSH will now be started.'));
 }

-/* kill existing sshd process, server only, not the childs */
-$sshd_pid = exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'");
-if($sshd_pid <> "") {
-	echo "stopping ssh process $sshd_pid \n";
-	@posix_kill($sshd_pid, SIGTERM);
-}
 /* Launch new server process */
-$status = mwexec("/usr/sbin/sshd");
-if($status <> 0) {
-	file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", "");
-	echo "error!\n";
+echo "Reloading sshd...";
+if (mwexec('/usr/sbin/sshd')) {
+	echo "failed.\n";
 } else {
 	echo "done.\n";
 }

-// NanoBSD
-if($g['platform'] == "nanobsd") {
-	if(!is_dir("/conf/sshd"))
-		mkdir("/conf/sshd", 0750);
-	$_gb = exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd");
-}
+/* back up files in case they are useful */
+@mkdir('/conf/sshd', 0777, true);
+mwexec('/bin/cp -p /etc/ssh/ssh_host* /conf/sshd');
+
 conf_mount_ro();
 unset($keys);
--- a/src/installer/lua_installer_rescue
+++ b/src/installer/lua_installer_rescue
-#!/bin/sh
-#
-#   Launch BSD Installer with fake "installer root"
-#   Copyright 2004-2009 Scott Ullrich
-#
-#   Redistribution and use in source and binary forms, with or without
-#   modification, are permitted provided that the following conditions are met:
-#   
-#   1. Redistributions of source code must retain the above copyright notice,
-#      this list of conditions and the following disclaimer.
-#   
-#   2. Redistributions in binary form must reproduce the above copyright
-#      notice, this list of conditions and the following disclaimer in the
-#      documentation and/or other materials provided with the distribution.
-#   
-#   THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-#   INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-#   AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-#   AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-#   OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-#   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-#   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-#   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-#   POSSIBILITY OF SUCH DAMAGE.
-
-product=`cat /usr/local/etc/inc/globals.inc | grep product_name | cut -d'"' -f4`
-factory_shipped_password=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_password | cut -d'"' -f4`
-factory_shipped_username=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_username | cut -d'"' -f4`
-
-echo
-echo "Launching ${product} Installer config.xml rescue..."
-echo
-echo "One moment please..."
-echo
-
-# Ensure install-session.sh exists where the installtion was recorded to
-touch /tmp/install-session.sh
-
-/sbin/sysctl kern.geom.debugflags=16
-/sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null
-
-/sbin/ifconfig lo0 127.0.0.1/24
-/sbin/ifconfig lo0 up
-
-# Check if host is running on VMware
-if [ -f /var/log/dmesg.boot ]; then
-	if [ `cat /var/log/dmesg.boot | /usr/bin/grep VMware | /usr/bin/wc -l` -gt 0 ]; then
-		echo -n "VMware detected.  The installer will make changes to tune this host."
-	        touch /var/IS_VMWARE
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo "."
-	fi
-
-	# Check if host is running on pfSenseDEV
-	if [ `/sbin/sysctl -n kern.bootfile | /usr/bin/grep pfSense_Dev | /usr/bin/wc -l` -gt 0 ]; then
-		echo -n "${product} developer iso detected."
-        	touch /var/pfSenseDEV
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo -n "."
-		sleep 1
-		echo "."
-	fi
-
-	if [ -f /var/run/dmesg.boot ]; then
-		ln -s /var/log/dmesg.boot /var/run/dmesg.boot
-	fi
-fi
-
-echo Launching LUA Installer...
-echo -n "LUA_CPATH='/usr/local/lib/lua/5.0/?.so' exec /usr/local/bin/lua50 -l/usr/local/share/lua/5.0/compat-5.1.lua " > /tmp/lua50c51
-
-echo "/usr/local/share/dfuibe_lua/main.lua \
-/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \
-/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \
-/usr/local/share/dfuibe_lua/conf/pfSense_rescue.lua " >> /tmp/lua50c51
-
-#/sbin/conscontrol mute on >/dev/null 2>&1
-
-sh /tmp/lua50c51 >/dev/null 2>&1 &
-
-sleep 1
-
-echo Launching Installer NCurses frontend...
-/usr/local/sbin/dfuife_curses
-
-#/sbin/conscontrol mute off >/dev/null 2>&1
-
-if [ ! -f /tmp/install_complete ]; then
-	echo Installation did not finish correctly.
-	exit
-fi
-
-clear
-
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo
-echo "${product} is now rebooting"
-echo
-echo "After the reboot is complete, open a web browser and"
-echo "enter http://192.168.1.1 (or the LAN IP Address) in the"
-echo "location bar."
-echo
-echo "*DEFAULT Username*: ${factory_shipped_username}"
-echo "*DEFAULT Password*: ${factory_shipped_password}"
-echo
-
-echo Rebooting in 5 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 4 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 3 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 2 seconds.  CTRL-C to abort.
-sleep 1
-echo Rebooting in 1 second..  CTRL-C to abort.
-sleep 1
-echo
-echo ${product} is now rebooting.
-echo
-
-reboot
-
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
 <?php
-/* $Id$ */
+
 /*
-	system_advanced_admin.php
 	part of pfSense
 	Copyright (C) 2005-2010 Scott Ullrich

@@ -67,6 +66,7 @@ $pconfig['primaryconsole'] = $config['system']['primaryconsole'];
 $pconfig['enablesshd'] = $config['system']['enablesshd'];
 $pconfig['sshport'] = $config['system']['ssh']['port'];
 $pconfig['sshdkeyonly'] = isset($config['system']['ssh']['sshdkeyonly']);
+$pconfig['sshdpermitrootlogin'] = isset($config['system']['ssh']['permitrootlogin']);
 $pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']);

 $a_cert =& $config['cert'];
@@ -108,6 +108,11 @@ if ($_POST) {
 	else if (isset($config['system']['ssh']['sshdkeyonly']))
 		unset($config['system']['ssh']['sshdkeyonly']);

+	if($_POST['sshdpermitrootlogin'] == "yes")
+		$config['system']['ssh']['permitrootlogin'] = "enabled";
+	else if (isset($config['system']['ssh']['permitrootlogin']))
+		unset($config['system']['ssh']['permitrootlogin']);
+
 	ob_flush();
 	flush();

@@ -191,11 +196,11 @@ if ($_POST) {
 		else
 			unset($config['system']['enablesshd']);

-		$sshd_keyonly = isset($config['system']['sshdkeyonly']);
+		$sshd_keyonly = isset($config['system']['ssh']['sshdkeyonly']);
 		if ($_POST['sshdkeyonly'])
-			$config['system']['sshdkeyonly'] = true;
+			$config['system']['ssh']['sshdkeyonly'] = true;
 		else
-			unset($config['system']['sshdkeyonly']);
+			unset($config['system']['ssh']['sshdkeyonly']);

 		$sshd_port = $config['system']['ssh']['port'];
 		if ($_POST['sshport'])
@@ -203,10 +208,18 @@ if ($_POST) {
 		else if (isset($config['system']['ssh']['port']))
 			unset($config['system']['ssh']['port']);

+		$sshd_permitrootlogin = $config['system']['ssh']['permitrootlogin'];
+		if ($_POST['sshdpermitrootlogin'])
+			$config['system']['ssh']['permitrootlogin'] = $_POST['sshdpermitrootlogin'];
+		else if (isset($config['system']['ssh']['permitrootlogin']))
+			unset($config['system']['ssh']['permitrootlogin']);
+
 		if (($sshd_enabled != $config['system']['enablesshd']) ||
-			($sshd_keyonly != $config['system']['sshdkeyonly']) ||
-			($sshd_port != $config['system']['ssh']['port']))
+			($sshd_keyonly != $config['system']['ssh']['sshdkeyonly']) ||
+			($sshd_port != $config['system']['ssh']['port']) ||
+			($sshd_permitrootlogin != $config['system']['ssh']['permitrootlogin'])) {
 			$restart_sshd = true;
+		}

 		if ($restart_webgui) {
 			global $_SERVER;
@@ -503,6 +516,16 @@ include("head.inc");
        									<strong><?=gettext("Enable Secure Shell"); ?></strong>
        								</td>
        							</tr>
+        							<tr>
+        								<td width="22%" valign="top" class="vncell"><?=gettext("Root Login"); ?></td>
+        								<td width="78%" class="vtable">
+        									<input name="sshdpermitrootlogin" type="checkbox" id="sshdpermitrootlogin" value="yes" <?php if ($pconfig['sshdpermitrootlogin']) echo "checked=\"checked\""; ?> />
+        									<strong><?=gettext("Enable root user login"); ?></strong>
+        									<br />
+        									<?=gettext("Root login is generally discouraged. It is advised "); ?>
+        									<?=gettext("to log in via another user and switch to root afterwards."); ?>
+        								</td>
+        							</tr>
        							<tr>
        								<td width="22%" valign="top" class="vncell"><?=gettext("Authentication Method"); ?></td>
        								<td width="78%" class="vtable">