#!/usr/local/bin/php <?php /* * Copyright (C) 2004 Scott K Ullrich * Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>. * Copyright (C) 2015-2016 Franco Fichtner <franco@opnsense.org> * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ require_once('config.inc'); require_once("util.inc"); /* if run from a shell session, `-af' and the full path is needed */ mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true); $sshcfg = null; if (isset($config['system']['ssh'])) { if (isset($config['system']['ssh']['enabled'])) { $sshcfg = $config['system']['ssh']; } } elseif (count($argv) > 1 && $argv[1] == 'installer') { /* only revert to installer config when ssh is not set at all */ $sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1); } if ($sshcfg === null) { return; } /* make sshd key store */ @mkdir('/conf/sshd', 0777, true); /* make ssh home directory */ @mkdir('/var/empty', 0555, true); /* Login related files. */ touch('/var/log/lastlog'); $keys = array( /* .pub files are implied */ 'rsa' => 'ssh_host_rsa_key', 'ecdsa' => 'ssh_host_ecdsa_key', 'ed25519' => 'ssh_host_ed25519_key', ); $keys_dep = array( /* .pub files are implied */ 'dsa' => 'ssh_host_dsa_key', ); $keys_all = array_merge($keys, $keys_dep); /* Check for all needed key files. If any are missing, the keys need to be regenerated. */ $generate_keys = false; foreach ($keys as $name) { $file = "/conf/sshd/{$name}"; if (!file_exists($file) || !file_exists("{$file}.pub")) { $generate_keys = true; break; } } if ($generate_keys) { if (is_subsystem_dirty('sshdkeys')) { return; } log_error('Started creating your SSH keys. SSH startup is being delayed a wee bit.'); mark_subsystem_dirty('sshdkeys'); foreach ($keys as $type => $name) { $file = "/conf/sshd/{$name}"; @unlink("{$file}.pub"); @unlink($file); mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file)); } clear_subsystem_dirty('sshdkeys'); log_error('Completed creating your SSH keys. SSH will now be started.'); } $sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22; $sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n"; $sshconf .= "Port {$sshport}\n"; $sshconf .= "Protocol 2\n"; $sshconf .= "Compression yes\n"; $sshconf .= "ClientAliveInterval 30\n"; $sshconf .= "UseDNS no\n"; $sshconf .= "X11Forwarding no\n"; $sshconf .= "PubkeyAuthentication yes\n"; $sshconf .= "Subsystem\tsftp\tinternal-sftp\n"; if (isset($sshcfg['permitrootlogin'])) { $sshconf .= "PermitRootLogin yes\n"; } if (isset($sshcfg['passwordauth'])) { $sshconf .= "ChallengeResponseAuthentication yes\n"; $sshconf .= "PasswordAuthentication yes\n"; } else { $sshconf .= "ChallengeResponseAuthentication no\n"; $sshconf .= "PasswordAuthentication no\n"; } foreach ($keys_all as $name) { $file = "/conf/sshd/{$name}"; if (!file_exists($file)) { continue; } $sshconf .= "HostKey {$file}\n"; } /* Write the new sshd config file */ file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf); /* Launch new server process */ echo "Reloading sshd..."; if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) { echo "failed.\n"; } else { echo "done.\n"; }