Commit b3f9d883 authored by Jos Schellevis's avatar Jos Schellevis

Merge branch 'master' of git.opnsense.org:repo/opnsense-core

parents f1df67f5 95babf60
...@@ -189,7 +189,7 @@ ...@@ -189,7 +189,7 @@
<protocol>https</protocol> <protocol>https</protocol>
</webgui> </webgui>
<disablenatreflection>yes</disablenatreflection> <disablenatreflection>yes</disablenatreflection>
<!-- <disableconsolemenu/> --> <disableconsolemenu/>
<!-- <disablefirmwarecheck/> --> <!-- <disablefirmwarecheck/> -->
<!-- <harddiskstandby></harddiskstandby> --> <!-- <harddiskstandby></harddiskstandby> -->
<disablesegmentationoffloading/> <disablesegmentationoffloading/>
...@@ -202,6 +202,9 @@ ...@@ -202,6 +202,9 @@
<interval>monthly</interval> <interval>monthly</interval>
</bogons> </bogons>
<kill_states/> <kill_states/>
<ssh>
<sshdkeyonly/>
</ssh>
</system> </system>
<interfaces> <interfaces>
<wan> <wan>
......
...@@ -998,13 +998,65 @@ function setup_serial_port($when="save", $path="") { ...@@ -998,13 +998,65 @@ function setup_serial_port($when="save", $path="") {
} }
unset($on_off, $console_type, $serial_type); unset($on_off, $console_type, $serial_type);
fclose($fd); fclose($fd);
auto_login();
reload_ttys(); reload_ttys();
conf_mount_ro(); conf_mount_ro();
return;
} }
function is_serial_enabled() { function auto_login()
{
global $config;
/*
* This function appends the autologin extension in /etc/gettytab
* for the main console. This only works with a vanilla config;
* it is likely that manual editing by the user will make this
* function stop working properly. In case of no match, throw a
* little error...
*/
$getty_file = "/etc/gettytab";
$getty_text = explode("\n", file_get_contents($getty_file));
$getty_al = isset($config['system']['disableconsolemenu']) ? "" : "al=root:";
$getty_base = "\t:ht:np:sp#9600:";
$getty_new = $getty_base . $getty_al;
$getty_ok = false;
foreach ($getty_text as $getty_old) {
if (!strncmp($getty_old, $getty_base, strlen($getty_base))) {
if (!strcmp($getty_old, $getty_new)) {
/* already the correct setting */
return;
}
$getty_ok = true;
}
}
if (!$getty_ok) {
log_error(gettext("Could not toggle auto login setting."));
return;
}
$fd = fopen($getty_file, "w");
if (!$fd) {
log_error(gettext("Could not write auto login setting."));
return;
}
foreach ($getty_text as $getty_old) {
if (!strncmp($getty_old, $getty_base, strlen($getty_base))) {
fprintf($fd, "%s\n", $getty_new);
} else {
fprintf($fd, "%s\n", $getty_old);
}
}
fclose($fd);
}
function is_serial_enabled()
{
global $g, $config; global $g, $config;
if (!isset($g['enableserial_force']) && if (!isset($g['enableserial_force']) &&
...@@ -1015,7 +1067,8 @@ function is_serial_enabled() { ...@@ -1015,7 +1067,8 @@ function is_serial_enabled() {
return true; return true;
} }
function reload_ttys() { function reload_ttys()
{
// Send a HUP signal to init will make it reload /etc/ttys // Send a HUP signal to init will make it reload /etc/ttys
posix_kill(1, SIGHUP); posix_kill(1, SIGHUP);
} }
......
...@@ -1681,17 +1681,6 @@ function system_reboot_cleanup() { ...@@ -1681,17 +1681,6 @@ function system_reboot_cleanup() {
stop_packages(); stop_packages();
} }
function system_console_configure()
{
global $config, $g;
if (isset($config['system']['disableconsolemenu'])) {
touch("{$g['varetc_path']}/disableconsole");
} else {
unlink_if_exists("{$g['varetc_path']}/disableconsole");
}
}
function system_dmesg_save() function system_dmesg_save()
{ {
global $g; global $g;
......
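Review bot: `auto_login()` rewrites `/etc/gettytab` in place with `fopen($getty_file, "w")`, so an interruption between the truncate and `fclose()` leaves an empty gettytab and no working console getty, and this function is the only thing that can put the file back. Write to a sibling temp file and `rename()` it over the original so the swap is atomic. The split also keeps the trailing empty element that `explode("\n", ...)` yields for a newline-terminated file and writes it back as an extra `"\n"`, so the file gains a blank line on every toggle; trim with `rtrim(..., "\n")` before splitting. Since `al=root:` logs the physical console in as root with no password prompt whenever `disableconsolemenu` is unset, the `$getty_al` line deserves a comment saying so, e.g. `/* without disableconsolemenu the console getty auto-logs in as root */`. `setup_serial_port()`, which gains the call to this function, starts outside the hunk.
```php
    $getty_text = explode("\n", rtrim(file_get_contents($getty_file), "\n"));
    // … unchanged: match loop and $getty_ok check …

    /* write to a temp file and swap it in so an interrupted write can
     * never leave /etc/gettytab empty (and the console without a getty) */
    $getty_tmp = "{$getty_file}.tmp";
    $fd = fopen($getty_tmp, "w");
    if (!$fd) {
        log_error(gettext("Could not write auto login setting."));
        return;
    }
    // … unchanged: write loop …
    fclose($fd);
    if (!rename($getty_tmp, $getty_file)) {
        log_error(gettext("Could not write auto login setting."));
        @unlink($getty_tmp);
    }
```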
...@@ -31,21 +31,19 @@ ...@@ -31,21 +31,19 @@
POSSIBILITY OF SUCH DAMAGE. POSSIBILITY OF SUCH DAMAGE.
*/ */
function rescue_detect_keypress() { function rescue_detect_keypress()
// How long do you want the script to wait before moving on (in seconds) {
$timeout=9; $timeout = 9;
echo "\n"; echo "\n";
echo "[ Press R to enter recovery mode or ]\n"; echo "(I)nstaller will be invoked by default.\n\n";
echo "[ press I to launch the installer ]\n\n"; echo "(C)ontinue with LiveCD bootup instead.\n\n";
echo "(R)ecovery mode can assist by rescuing config.xml\n"; echo "(R)ecovery mode escapes to a root shell.\n\n";
echo "from a broken hard disk installation, etc.\n\n";
echo "(I)nstaller may be invoked now if you do \n";
echo "not wish to boot into the liveCD environment at this time.\n\n";
echo "(C) continues the LiveCD bootup without further pause.\n\n";
echo "Timeout before auto boot continues (seconds): {$timeout}"; echo "Timeout before auto boot continues (seconds): {$timeout}";
$key = null; $key = null;
exec("/bin/stty erase " . chr(8)); exec("/bin/stty erase " . chr(8));
while(!in_array($key, array("c", "C", "r","R", "i", "I", "~", "!"))) { while (!in_array($key, array("c", "C", "r","R", "i", "I"))) {
echo chr(8) . "{$timeout}"; echo chr(8) . "{$timeout}";
`/bin/stty -icanon min 0 time 25`; `/bin/stty -icanon min 0 time 25`;
$key = trim(`KEY=\`dd count=1 2>/dev/null\`; echo \$KEY`); $key = trim(`KEY=\`dd count=1 2>/dev/null\`; echo \$KEY`);
...@@ -53,30 +51,26 @@ function rescue_detect_keypress() { ...@@ -53,30 +51,26 @@ function rescue_detect_keypress() {
// Decrement our timeout value // Decrement our timeout value
$timeout--; $timeout--;
// If we have reached 0 exit and continue on // If we have reached 0 exit and continue on
if ($timeout == 0) if ($timeout == 0) {
break; break;
}
} }
// If R or I was pressed do our logic here
echo "\n\n";
if (in_array($key, array("r", "R"))) { if (in_array($key, array("r", "R"))) {
putenv("TERM=cons25"); echo "Recovery shell selected...\n\n";
echo "\n\nRecovery mode selected...\n";
passthru("/usr/bin/env TERM=cons25 /bin/csh -c /usr/local/installer/lua_installer_rescue");
} elseif (in_array($key, array("i", "I"))) {
putenv("TERM=cons25");
echo "\n\nInstaller mode selected...\n";
passthru("/usr/bin/env TERM=cons25 /bin/csh -c /usr/local/installer/lua_installer");
if(file_exists("/tmp/install_complete")) {
passthru("/usr/local/etc/rc.reboot");
exit;
}
} elseif (in_array($key, array("!", "~"))) {
putenv("TERM=cons25");
echo "\n\nRecovery shell selected...\n";
echo "\n";
touch("/tmp/donotbootup"); touch("/tmp/donotbootup");
exit; exit;
} elseif (in_array($key, array("c", "C"))) {
/* nothing */
} else { } else {
echo "\n\n"; echo "Installer mode selected...\n";
passthru("/usr/local/etc/rc.installer");
if (file_exists("/tmp/install_complete")) {
passthru("/usr/local/etc/rc.reboot");
exit;
}
} }
} }
...@@ -301,9 +295,6 @@ echo "done.\n"; ...@@ -301,9 +295,6 @@ echo "done.\n";
/* start load balancer daemon */ /* start load balancer daemon */
relayd_configure(); relayd_configure();
/* configure console menu */
system_console_configure();
/* start DHCP service */ /* start DHCP service */
services_dhcpd_configure(); services_dhcpd_configure();
......
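Review bot: Pressing `R` during the boot pause now touches `/tmp/donotbootup` and exits, which rc.initial turns into an unauthenticated `/bin/csh` as root, so the previously undocumented `~`/`!` escape has become an advertised option, yet nothing in `rescue_detect_keypress()` checks that it is running from live media. If the caller (outside this hunk) also reaches it on installed systems, anyone at the console gets root without the login that `disableconsolemenu` is meant to enforce; either gate the call on a live-media check or state the assumption above the function: `/* LiveCD only: R hands the console a root shell with no authentication */`. Separately, the trailing `else` also runs the installer when the timeout expires with no key (`$key` is still empty), which matches the "(I)nstaller will be invoked by default" prompt but is easy to miss when reading the branch, so a one-line `/* timeout or I: run the installer */` would help.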
...@@ -14,25 +14,15 @@ ...@@ -14,25 +14,15 @@
# If recovery console shell option has been specified # If recovery console shell option has been specified
if [ -f "/tmp/donotbootup" ]; then if [ -f "/tmp/donotbootup" ]; then
/usr/bin/env prompt="%B[%n@%m]%b%/(%h)||RecoveryConsoleShell: " /bin/csh rm /tmp/donotbootup
rm "/tmp/donotbootup" /bin/csh
echo "Rebooting in 5 seconds... CTRL-C to abort..."
sleep 5
/usr/local/etc/rc.reboot /usr/local/etc/rc.reboot
exit # no coming back from here
fi fi
CONFIG="/cf/conf/config.xml"
WORD="https"
# Set our operating platform
PLATFORM=`cat /usr/local/etc/platform`
# endless loop # endless loop
while : ; do while : ; do
product=`grep product_name /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
# Check to see if SSH is running. # Check to see if SSH is running.
if pgrep -q -a -F /var/run/sshd.pid sshd >/dev/null 2>&1; then if pgrep -q -a -F /var/run/sshd.pid sshd >/dev/null 2>&1; then
sshd_option="14) Disable Secure Shell (sshd)"; sshd_option="14) Disable Secure Shell (sshd)";
...@@ -40,21 +30,24 @@ else ...@@ -40,21 +30,24 @@ else
sshd_option="14) Enable Secure Shell (sshd)"; sshd_option="14) Enable Secure Shell (sshd)";
fi fi
if [ "$PLATFORM" = "cdrom" ]; then # If we are on the LiveCD advertise the installer
option99="99) Install ${product} to a hard drive, etc." if _tmpdir=$(mktemp -d -q /.diskless.XXXXXX); then
rmdir ${_tmpdir}
else
option99="99) Launch the installer"
fi fi
# display a cheap menu
echo " 0) Logout 8) Shell" echo " 0) Logout 8) Shell"
echo " 1) Assign Interfaces 9) pfTop" echo " 1) Assign Interfaces 9) pfTop"
echo " 2) Set interface(s) IP address 10) Filter Logs" echo " 2) Set interface(s) IP address 10) Filter Logs"
echo " 3) Reset webConfigurator password 11) Restart webConfigurator" echo " 3) Reset the root password 11) Restart web interface"
echo " 4) Reset to factory defaults 12) ${product} Developer Shell" echo " 4) Reset to factory defaults 12) Developer Shell"
echo " 5) Reboot system 13) Upgrade from console" echo " 5) Reboot system 13) Upgrade from console"
echo " 6) Halt system ${sshd_option}" echo " 6) Halt system ${sshd_option}"
echo " 7) Ping host 15) Restore recent configuration" echo " 7) Ping host 15) Restore a configuration"
if [ "${option99}" != "" ]; then if [ -n "${option99}" ]; then
/bin/echo "${option99}" # flat for alignment...
echo " ${option99}"
fi fi
echo echo
...@@ -112,18 +105,13 @@ case ${opmode} in ...@@ -112,18 +105,13 @@ case ${opmode} in
/usr/local/etc/rc.restore_config_backup /usr/local/etc/rc.restore_config_backup
;; ;;
99) 99)
if [ -e /dev/ukbd0 ]; then /usr/local/etc/rc.installer
env TERM=cons25 /usr/local/installer/lua_installer
else
/usr/local/installer/lua_installer
fi
;; ;;
*) *)
;; ;;
esac esac
/usr/local/etc/rc.initial.banner /usr/local/etc/rc.initial.banner
echo echo
done done
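Review bot: The `99)` case runs `/usr/local/etc/rc.installer` whether or not `option99` was set, so the installer, which relaxes GEOM's in-use-disk write protection with `kern.geom.debugflags=16` in this same commit, is still one keypress away on an installed system even though the menu no longer shows it. Guard it on the same flag the menu uses: `99) if [ -n "${option99}" ]; then /usr/local/etc/rc.installer; fi ;;`. The `mktemp -d /.diskless.XXXXXX` probe is also only a proxy for "live media": any read-only or full root filesystem on an installed box makes it fail and advertises the installer, which is worth a comment next to the probe stating that limitation.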
...@@ -5,14 +5,14 @@ ...@@ -5,14 +5,14 @@
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met: # modification, are permitted provided that the following conditions are met:
# #
# 1. Redistributions of source code must retain the above copyright notice, # 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer. # this list of conditions and the following disclaimer.
# #
# 2. Redistributions in binary form must reproduce the above copyright # 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the # notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution. # documentation and/or other materials provided with the distribution.
# #
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
...@@ -24,85 +24,34 @@ ...@@ -24,85 +24,34 @@
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE. # POSSIBILITY OF SUCH DAMAGE.
product=`cat /usr/local/etc/inc/globals.inc | grep product_name | cut -d'"' -f4` PRODUCT=`grep product_name /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
factory_shipped_password=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_password | cut -d'"' -f4` USERNAME=`grep factory_shipped_username /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
factory_shipped_username=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_username | cut -d'"' -f4` PASSWORD=`grep factory_shipped_password /usr/local/etc/inc/globals.inc | cut -d'"' -f4`
echo
echo "Launching ${product} Installer..."
echo
# Ensure install-session.sh exists where the installtion was recorded to
touch /tmp/install-session.sh
/sbin/sysctl kern.geom.debugflags=16 /sbin/sysctl kern.geom.debugflags=16 >/dev/null
/sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null /sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null
/sbin/ifconfig lo0 127.0.0.1/24 /sbin/ifconfig lo0 127.0.0.1/24
/sbin/ifconfig lo0 up /sbin/ifconfig lo0 up
# Check if host is running on VMware -- early boot # Start the backend in the background (must mute all the ouput)
if [ `dmesg -a | grep VMware | wc -l` -gt 0 ]; then LUA_CPATH='/usr/local/lib/lua/5.0/?.so' /usr/local/bin/lua50 \
touch /var/IS_VMWARE -l/usr/local/share/lua/5.0/compat-5.1.lua \
fi /usr/local/share/dfuibe_lua/main.lua \
/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \
/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \
/usr/local/share/dfuibe_lua/conf/pfSense.lua > /dev/null 2>&1 &
# Check if host is running on VMware /sbin/conscontrol mute on > /dev/null
if [ -f /var/log/dmesg.boot ]; then
if [ `cat /var/log/dmesg.boot | /usr/bin/grep VMware | /usr/bin/wc -l` -gt 0 ]; then
echo -n "VMware detected. The installer will make changes to tune this host."
touch /var/IS_VMWARE
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo "."
fi
# Check if host is running on pfSenseDEV # Launch the frontend goo (must include cons25 for first boot)
if [ `/sbin/sysctl -n kern.bootfile | /usr/bin/grep pfSense_Dev | /usr/bin/wc -l` -gt 0 ]; then TERM=cons25 /usr/local/sbin/dfuife_curses
echo -n "${product} developer iso detected."
touch /var/pfSenseDEV
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo "."
fi
if [ -f /var/run/dmesg.boot ]; then /sbin/conscontrol mute off > /dev/null
ln -s /var/log/dmesg.boot /var/run/dmesg.boot
fi
fi
echo "One moment please..."
echo
echo -n "LUA_CPATH='/usr/local/lib/lua/5.0/?.so' exec /usr/local/bin/lua50 -l/usr/local/share/lua/5.0/compat-5.1.lua " > /tmp/lua50c51
echo "/usr/local/share/dfuibe_lua/main.lua \
/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \
/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \
/usr/local/share/dfuibe_lua/conf/pfSense.lua " >> /tmp/lua50c51
#/sbin/conscontrol mute on >/dev/null 2>&1
sh /tmp/lua50c51 >/dev/null 2>&1 &
sleep 1
echo Launching Installer NCurses frontend...
/usr/local/sbin/dfuife_curses
#/sbin/conscontrol mute off >/dev/null 2>&1
if [ ! -f /tmp/install_complete ]; then if [ ! -f /tmp/install_complete ]; then
echo Installation did not finish correctly. echo "The installation was aborted."
echo
exit exit
fi fi
...@@ -123,7 +72,7 @@ echo ...@@ -123,7 +72,7 @@ echo
echo echo
echo echo
echo echo
echo "${product} is now rebooting" echo "${PRODUCT} is now rebooting"
echo echo
echo "After the reboot is complete, open a web browser and" echo "After the reboot is complete, open a web browser and"
echo "enter https://192.168.1.1 (or the LAN IP Address) in the" echo "enter https://192.168.1.1 (or the LAN IP Address) in the"
...@@ -133,23 +82,14 @@ echo "You might need to acknowledge the HTTPS certificate if " ...@@ -133,23 +82,14 @@ echo "You might need to acknowledge the HTTPS certificate if "
echo "your browser reports it as untrusted. This is normal" echo "your browser reports it as untrusted. This is normal"
echo "as a self-signed certificate is used by default." echo "as a self-signed certificate is used by default."
echo echo
echo "*DEFAULT Username*: ${factory_shipped_username}" echo "*DEFAULT Username*: ${USERNAME}"
echo "*DEFAULT Password*: ${factory_shipped_password}" echo "*DEFAULT Password*: ${PASSWORD}"
echo echo
echo Rebooting in 5 seconds. CTRL-C to abort. for n in 5 4 3 2 1; do
sleep 1 echo Rebooting in $n seconds. CTRL-C to abort.
echo Rebooting in 4 seconds. CTRL-C to abort. sleep 1
sleep 1 done
echo Rebooting in 3 seconds. CTRL-C to abort.
sleep 1
echo Rebooting in 2 seconds. CTRL-C to abort.
sleep 1
echo Rebooting in 1 second.. CTRL-C to abort.
sleep 1
echo
echo ${product} is now rebooting.
echo echo
reboot reboot
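Review bot: The Lua backend is started in the background and never reaped: when `dfuife_curses` returns without `/tmp/install_complete` (the abort branch), the script exits leaving the backend running and `kern.geom.debugflags=16`, which disables GEOM's protection against writes to mounted disks, still set for the rest of the live session. Capture `$!` right after the backend launch and, on the abort path, kill it and reset the sysctl to 0 before exiting. The old version had the same gap, but this rewrite is the place to close it.
```sh
# … unchanged: sysctl / lo0 setup …

# … unchanged: backend launch (lua50 … pfSense.lua > /dev/null 2>&1 &) …
BACKEND_PID=$!

# … unchanged: conscontrol mute / dfuife_curses …

if [ ! -f /tmp/install_complete ]; then
	echo "The installation was aborted."
	# do not leave the backend or the relaxed GEOM write protection
	# behind in the live session
	kill ${BACKEND_PID} 2>/dev/null
	/sbin/sysctl kern.geom.debugflags=0 >/dev/null
	exit
fi
```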
...@@ -2,9 +2,8 @@ ...@@ -2,9 +2,8 @@
<?php <?php
/* /*
Copyright 2004 Scott K Ullrich Copyright (C) 2004 Scott K Ullrich
Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
...@@ -34,6 +33,8 @@ require_once("config.inc"); ...@@ -34,6 +33,8 @@ require_once("config.inc");
require_once("functions.inc"); require_once("functions.inc");
require_once("shaper.inc"); require_once("shaper.inc");
killbyname('sshd');
if (!isset($config['system']['enablesshd'])) { if (!isset($config['system']['enablesshd'])) {
return; return;
} }
...@@ -43,6 +44,10 @@ if (!is_subsystem_dirty('sshdkeys')) { ...@@ -43,6 +44,10 @@ if (!is_subsystem_dirty('sshdkeys')) {
conf_mount_rw(); conf_mount_rw();
} }
if (file_exists('/conf/sshd/ssh_host_key') && !file_exists('/etc/ssh/ssh_host_key')) {
mwexec('/bin/cp -p /conf/sshd/* /etc/ssh/');
}
$keys = array( $keys = array(
'ssh_host_key', 'ssh_host_key',
'ssh_host_key.pub', 'ssh_host_key.pub',
...@@ -56,93 +61,61 @@ $keys = array( ...@@ -56,93 +61,61 @@ $keys = array(
'ssh_host_ed25519_key.pub' 'ssh_host_ed25519_key.pub'
); );
/* restore ssh data for nanobsd platform */
if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key") and !file_exists("/etc/ssh/ssh_host_key.pub")) {
echo "Restoring SSH from /conf/sshd/";
exec("/bin/cp -p /conf/sshd/* /etc/ssh/");
/* make sure host private key permissions aren't too open so sshd won't complain */
foreach($keys as $f2c) {
if(file_exists("/etc/ssh/{$f2c}"))
chmod("/etc/ssh/{$f2c}", 0600);
}
}
/* if any of these files are 0 bytes then they are corrupted.
* remove them
*/
foreach($keys as $f2c) { foreach($keys as $f2c) {
if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) { if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) {
unlink_if_exists('/etc/ssh/ssh_host*'); unlink("/etc/ssh/{$f2c}");
break;
} }
} }
if (!is_dir("/var/empty")) { /* make ssh home directory */
/* make ssh home directory */ @mkdir("/var/empty", 0555, true);
mkdir("/var/empty", 0555);
}
if(!file_exists("/var/log/lastlog")) { /* Login related files. */
/* Login related files. */ touch("/var/log/lastlog");
@touch("/var/log/lastlog");
}
$sshConfigDir = "/etc/ssh"; $sshConfigDir = "/etc/ssh";
if (is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) if (isset($config['system']['ssh']['port'])) {
$sshport = $config['system']['ssh']['port']; $sshport = $config['system']['ssh']['port'];
else } else {
$sshport = 22; $sshport = 22;
}
/*
* XXX ZOMG sshd_config BOOTSTRAPPING ACTION
*
* We can't just ditch the system file by default and roll
* our own. Instead, use the current file to find the actual
* settings that need toggling, then toggle them!
*/
/* Include default configuration for pfSense */ /* Include default configuration for pfSense */
$sshconf = "# This file is automatically generated at startup\n"; $sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n";
$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; $sshconf .= "Port {$sshport}\n";
$sshconf .= "PermitRootLogin yes\n"; $sshconf .= "Protocol 2\n";
/* XXX a couple of those need moar cleanups: */
$sshconf .= "Compression yes\n"; $sshconf .= "Compression yes\n";
$sshconf .= "ClientAliveInterval 30\n"; $sshconf .= "ClientAliveInterval 30\n";
$sshconf .= "UseDNS no\n"; $sshconf .= "UseDNS no\n";
$sshconf .= "X11Forwarding no\n"; $sshconf .= "X11Forwarding no\n";
$sshconf .= "PubkeyAuthentication yes\n";
$sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
if (isset($config['system']['ssh']['permitrootlogin'])) {
$sshconf .= "PermitRootLogin yes\n";
}
if (isset($config['system']['ssh']['sshdkeyonly'])) { if (isset($config['system']['ssh']['sshdkeyonly'])) {
$sshconf .= "# Login via Key only\n";
$sshconf .= "PasswordAuthentication no\n"; $sshconf .= "PasswordAuthentication no\n";
$sshconf .= "ChallengeResponseAuthentication no\n"; $sshconf .= "ChallengeResponseAuthentication no\n";
$sshconf .= "PubkeyAuthentication yes\n";
} else { } else {
$sshconf .= "# Login via Key and Password\n";
$sshconf .= "PasswordAuthentication yes\n"; $sshconf .= "PasswordAuthentication yes\n";
$sshconf .= "ChallengeResponseAuthentication yes\n"; $sshconf .= "ChallengeResponseAuthentication yes\n";
$sshconf .= "PubkeyAuthentication yes\n";
} }
$sshconf .= "# override default of no subsystems\n";
$sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
/* Only allow protocol 2, because we say so */
$sshconf .= "Protocol 2\n";
/* Run the server on another port if we have one defined */
$sshconf .= "Port $sshport\n";
/* Hide FreeBSD version */
$sshconf .= "VersionAddendum \n";
/* Write the new sshd config file */ /* Write the new sshd config file */
@file_put_contents("/etc/ssh/sshd_config", $sshconf); file_put_contents('/etc/ssh/sshd_config', $sshconf);
/* mop up from a badly implemented ssh keys -> cf backup */
if($config['ssh']['dsa_key'] <> "") {
unset($config['ssh']['dsa_key']);
unset($config['ssh']['ecdsa_key']);
unset($config['ssh']['ed25519_key']);
unset($config['ssh']['rsa_key']);
unset($config['ssh']['rsa1_key']);
unset($config['ssh']['dsa']);
unset($config['ssh']['rsa']);
unset($config['ssh']['rsa1']);
unset($config['ssh']['ak']);
write_config("Clearing SSH keys from config.xml");
}
/* are we already running? if so exit */ /* are we already running? if so exit */
if(is_subsystem_dirty('sshdkeys')) { if (is_subsystem_dirty('sshdkeys')) {
unset($keys);
return; return;
} }
...@@ -156,40 +129,29 @@ foreach ($keys as $f2c) { ...@@ -156,40 +129,29 @@ foreach ($keys as $f2c) {
} }
if ($generate_keys) { if ($generate_keys) {
/* remove previous keys and regen later */ log_error(_('Started creating your SSH keys. SSH startup is being delayed a wee bit.'));
file_notice("SSH", "{$g['product_name']} has started creating your SSH keys. SSH Startup will be delayed. Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
unlink_if_exists('/etc/ssh/ssh_host_*');
mark_subsystem_dirty('sshdkeys'); mark_subsystem_dirty('sshdkeys');
echo " Generating Keys:\n"; mwexec('/bin/rm /etc/ssh/ssh_host_*', true);
$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key"); mwexec("/usr/bin/ssh-keygen -t rsa1 -N '' -f {$sshConfigDir}/ssh_host_key");
$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key"); mwexec("/usr/bin/ssh-keygen -t rsa -N '' -f {$sshConfigDir}/ssh_host_rsa_key");
$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key"); mwexec("/usr/bin/ssh-keygen -t dsa -N '' -f {$sshConfigDir}/ssh_host_dsa_key");
$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ecdsa -N '' -f $sshConfigDir/ssh_host_ecdsa_key"); mwexec("/usr/bin/ssh-keygen -t ecdsa -N '' -f {$sshConfigDir}/ssh_host_ecdsa_key");
$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -N '' -f $sshConfigDir/ssh_host_ed25519_key"); mwexec("/usr/bin/ssh-keygen -t ed25519 -N '' -f {$sshConfigDir}/ssh_host_ed25519_key");
clear_subsystem_dirty('sshdkeys'); clear_subsystem_dirty('sshdkeys');
file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", ""); log_error(_('Completed creating your SSH keys. SSH will now be started.'));
} }
/* kill existing sshd process, server only, not the childs */
$sshd_pid = exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'");
if($sshd_pid <> "") {
echo "stopping ssh process $sshd_pid \n";
@posix_kill($sshd_pid, SIGTERM);
}
/* Launch new server process */ /* Launch new server process */
$status = mwexec("/usr/sbin/sshd"); echo "Reloading sshd...";
if($status <> 0) { if (mwexec('/usr/sbin/sshd')) {
file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", ""); echo "failed.\n";
echo "error!\n";
} else { } else {
echo "done.\n"; echo "done.\n";
} }
// NanoBSD /* back up files in case they are useful */
if($g['platform'] == "nanobsd") { @mkdir('/conf/sshd', 0777, true);
if(!is_dir("/conf/sshd")) mwexec('/bin/cp -p /etc/ssh/ssh_host* /conf/sshd');
mkdir("/conf/sshd", 0750);
$_gb = exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd");
}
conf_mount_ro(); conf_mount_ro();
unset($keys); unset($keys);
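Review bot: `killbyname('sshd')` at the top kills every process named sshd, including the per-connection children, so each run of this script (for instance a save on the SSH settings page) drops all active SSH sessions, where the removed code deliberately killed only the listener. Kill the master via its pid file instead, which rc.initial already relies on: `if (file_exists('/var/run/sshd.pid')) { @posix_kill((int)trim(file_get_contents('/var/run/sshd.pid')), SIGTERM); }`. The key backup directory is now created with `@mkdir('/conf/sshd', 0777, true)` where the old code used 0750; `cp -p` keeps the private key files at their own mode, but there is no reason to widen the directory, so restore `0750`. Also note that omitting `PermitRootLogin` unless `permitrootlogin` is set hands the decision to sshd's compiled-in default, so existing installs whose config predates the new option may lose root SSH access on upgrade — presumably intended, but worth a release note and a comment on that `if`.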
#!/bin/sh
#
# Launch BSD Installer with fake "installer root"
# Copyright 2004-2009 Scott Ullrich
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
product=`cat /usr/local/etc/inc/globals.inc | grep product_name | cut -d'"' -f4`
factory_shipped_password=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_password | cut -d'"' -f4`
factory_shipped_username=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_username | cut -d'"' -f4`
echo
echo "Launching ${product} Installer config.xml rescue..."
echo
echo "One moment please..."
echo
# Ensure install-session.sh exists where the installtion was recorded to
touch /tmp/install-session.sh
/sbin/sysctl kern.geom.debugflags=16
/sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null
/sbin/ifconfig lo0 127.0.0.1/24
/sbin/ifconfig lo0 up
# Check if host is running on VMware
if [ -f /var/log/dmesg.boot ]; then
if [ `cat /var/log/dmesg.boot | /usr/bin/grep VMware | /usr/bin/wc -l` -gt 0 ]; then
echo -n "VMware detected. The installer will make changes to tune this host."
touch /var/IS_VMWARE
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo "."
fi
# Check if host is running on pfSenseDEV
if [ `/sbin/sysctl -n kern.bootfile | /usr/bin/grep pfSense_Dev | /usr/bin/wc -l` -gt 0 ]; then
echo -n "${product} developer iso detected."
touch /var/pfSenseDEV
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo "."
fi
if [ -f /var/run/dmesg.boot ]; then
ln -s /var/log/dmesg.boot /var/run/dmesg.boot
fi
fi
echo Launching LUA Installer...
echo -n "LUA_CPATH='/usr/local/lib/lua/5.0/?.so' exec /usr/local/bin/lua50 -l/usr/local/share/lua/5.0/compat-5.1.lua " > /tmp/lua50c51
echo "/usr/local/share/dfuibe_lua/main.lua \
/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \
/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \
/usr/local/share/dfuibe_lua/conf/pfSense_rescue.lua " >> /tmp/lua50c51
#/sbin/conscontrol mute on >/dev/null 2>&1
sh /tmp/lua50c51 >/dev/null 2>&1 &
sleep 1
echo Launching Installer NCurses frontend...
/usr/local/sbin/dfuife_curses
#/sbin/conscontrol mute off >/dev/null 2>&1
if [ ! -f /tmp/install_complete ]; then
echo Installation did not finish correctly.
exit
fi
clear
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo
echo "${product} is now rebooting"
echo
echo "After the reboot is complete, open a web browser and"
echo "enter http://192.168.1.1 (or the LAN IP Address) in the"
echo "location bar."
echo
echo "*DEFAULT Username*: ${factory_shipped_username}"
echo "*DEFAULT Password*: ${factory_shipped_password}"
echo
echo Rebooting in 5 seconds. CTRL-C to abort.
sleep 1
echo Rebooting in 4 seconds. CTRL-C to abort.
sleep 1
echo Rebooting in 3 seconds. CTRL-C to abort.
sleep 1
echo Rebooting in 2 seconds. CTRL-C to abort.
sleep 1
echo Rebooting in 1 second.. CTRL-C to abort.
sleep 1
echo
echo ${product} is now rebooting.
echo
reboot
<?php <?php
/* $Id$ */
/* /*
system_advanced_admin.php
part of pfSense part of pfSense
Copyright (C) 2005-2010 Scott Ullrich Copyright (C) 2005-2010 Scott Ullrich
...@@ -67,6 +66,7 @@ $pconfig['primaryconsole'] = $config['system']['primaryconsole']; ...@@ -67,6 +66,7 @@ $pconfig['primaryconsole'] = $config['system']['primaryconsole'];
$pconfig['enablesshd'] = $config['system']['enablesshd']; $pconfig['enablesshd'] = $config['system']['enablesshd'];
$pconfig['sshport'] = $config['system']['ssh']['port']; $pconfig['sshport'] = $config['system']['ssh']['port'];
$pconfig['sshdkeyonly'] = isset($config['system']['ssh']['sshdkeyonly']); $pconfig['sshdkeyonly'] = isset($config['system']['ssh']['sshdkeyonly']);
$pconfig['sshdpermitrootlogin'] = isset($config['system']['ssh']['permitrootlogin']);
$pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']); $pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']);
$a_cert =& $config['cert']; $a_cert =& $config['cert'];
...@@ -108,6 +108,11 @@ if ($_POST) { ...@@ -108,6 +108,11 @@ if ($_POST) {
else if (isset($config['system']['ssh']['sshdkeyonly'])) else if (isset($config['system']['ssh']['sshdkeyonly']))
unset($config['system']['ssh']['sshdkeyonly']); unset($config['system']['ssh']['sshdkeyonly']);
if($_POST['sshdpermitrootlogin'] == "yes")
$config['system']['ssh']['permitrootlogin'] = "enabled";
else if (isset($config['system']['ssh']['permitrootlogin']))
unset($config['system']['ssh']['permitrootlogin']);
ob_flush(); ob_flush();
flush(); flush();
...@@ -191,11 +196,11 @@ if ($_POST) { ...@@ -191,11 +196,11 @@ if ($_POST) {
else else
unset($config['system']['enablesshd']); unset($config['system']['enablesshd']);
$sshd_keyonly = isset($config['system']['sshdkeyonly']); $sshd_keyonly = isset($config['system']['ssh']['sshdkeyonly']);
if ($_POST['sshdkeyonly']) if ($_POST['sshdkeyonly'])
$config['system']['sshdkeyonly'] = true; $config['system']['ssh']['sshdkeyonly'] = true;
else else
unset($config['system']['sshdkeyonly']); unset($config['system']['ssh']['sshdkeyonly']);
$sshd_port = $config['system']['ssh']['port']; $sshd_port = $config['system']['ssh']['port'];
if ($_POST['sshport']) if ($_POST['sshport'])
...@@ -203,10 +208,18 @@ if ($_POST) { ...@@ -203,10 +208,18 @@ if ($_POST) {
else if (isset($config['system']['ssh']['port'])) else if (isset($config['system']['ssh']['port']))
unset($config['system']['ssh']['port']); unset($config['system']['ssh']['port']);
$sshd_permitrootlogin = $config['system']['ssh']['permitrootlogin'];
if ($_POST['sshdpermitrootlogin'])
$config['system']['ssh']['permitrootlogin'] = $_POST['sshdpermitrootlogin'];
else if (isset($config['system']['ssh']['permitrootlogin']))
unset($config['system']['ssh']['permitrootlogin']);
if (($sshd_enabled != $config['system']['enablesshd']) || if (($sshd_enabled != $config['system']['enablesshd']) ||
($sshd_keyonly != $config['system']['sshdkeyonly']) || ($sshd_keyonly != $config['system']['ssh']['sshdkeyonly']) ||
($sshd_port != $config['system']['ssh']['port'])) ($sshd_port != $config['system']['ssh']['port']) ||
($sshd_permitrootlogin != $config['system']['ssh']['permitrootlogin'])) {
$restart_sshd = true; $restart_sshd = true;
}
if ($restart_webgui) { if ($restart_webgui) {
global $_SERVER; global $_SERVER;
...@@ -503,6 +516,16 @@ include("head.inc"); ...@@ -503,6 +516,16 @@ include("head.inc");
<strong><?=gettext("Enable Secure Shell"); ?></strong> <strong><?=gettext("Enable Secure Shell"); ?></strong>
</td> </td>
</tr> </tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Root Login"); ?></td>
<td width="78%" class="vtable">
<input name="sshdpermitrootlogin" type="checkbox" id="sshdpermitrootlogin" value="yes" <?php if ($pconfig['sshdpermitrootlogin']) echo "checked=\"checked\""; ?> />
<strong><?=gettext("Enable root user login"); ?></strong>
<br />
<?=gettext("Root login is generally discouraged. It is advised "); ?>
<?=gettext("to log in via another user and switch to root afterwards."); ?>
</td>
</tr>
<tr> <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Authentication Method"); ?></td> <td width="22%" valign="top" class="vncell"><?=gettext("Authentication Method"); ?></td>
<td width="78%" class="vtable"> <td width="78%" class="vtable">
......
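Review bot: `permitrootlogin` is written twice on every POST with different values: the first block stores `"enabled"` when the checkbox is `"yes"`, then the later block reads that into `$sshd_permitrootlogin` and overwrites the setting with the raw `$_POST['sshdpermitrootlogin']` (`"yes"`), so the restart comparison `"enabled" != "yes"` is true on every save while root login is enabled and `$restart_sshd` fires unconditionally — and with the `killbyname('sshd')` this commit adds to rc.sshd, that restart drops every open SSH session. Drop the first block and have the second store a fixed marker rather than request input: `$config['system']['ssh']['permitrootlogin'] = 'enabled';`. rc.sshd only tests the key with `isset()`, so the stored value is otherwise irrelevant, but keeping user-controlled strings out of config.xml is the safer habit. The `if ($_POST)` handler these hunks belong to starts and ends outside the view.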