1 9cc22856 Ermal
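#!/usr/local/bin/php -f
<?php
/*
	sshd - Modified to work on disk based system
	Copyright 2004 Scott K Ullrich

	Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

	/*
	 * sshd startup script.
	 *
	 * Reads the system/ssh settings from the configuration, writes
	 * /etc/ssh/sshd_config, creates any missing host keys (marking the
	 * 'sshdkeys' subsystem dirty while it does so), then stops the running
	 * sshd server process and starts a fresh one.  The root filesystem is
	 * made writable with conf_mount_rw() on entry and restored with
	 * conf_mount_ro() on the normal exit path.
	 */
	require_once("globals.inc");
	require_once("config.inc");
	require_once("functions.inc");
	require_once("shaper.inc");

	/* Nothing to do unless sshd is enabled in the configuration. */
	if (!isset($config['system']['enablesshd'])) {
		return;
	}

	/* are we already running?  if not, do conf_mount_rw(), otherwise it should already be rw */
	if (!is_subsystem_dirty('sshdkeys')) {
		conf_mount_rw();
	}

	$sshConfigDir = "/etc/ssh";

	/* Host key files expected in $sshConfigDir.  Used for the permission
	 * fix-up after a nanobsd restore, the corruption check and the
	 * "do we need to regenerate" decision further down. */
	$keys = array(
		'ssh_host_key',
		'ssh_host_key.pub',
		'ssh_host_dsa_key',
		'ssh_host_dsa_key.pub',
		'ssh_host_rsa_key',
		'ssh_host_rsa_key.pub',
		'ssh_host_ecdsa_key',
		'ssh_host_ecdsa_key.pub',
		'ssh_host_ed25519_key',
		'ssh_host_ed25519_key.pub'
	);

	/* restore ssh data for nanobsd platform */
	if ($g['platform'] == "nanobsd" && file_exists("/conf/sshd/ssh_host_key") && !file_exists("{$sshConfigDir}/ssh_host_key.pub")) {
		echo "Restoring SSH from /conf/sshd/";
		exec("/bin/cp -p /conf/sshd/* {$sshConfigDir}/");

		/* make sure host private key permissions aren't too open so sshd won't complain */
		foreach ($keys as $keyfile) {
			if (file_exists("{$sshConfigDir}/{$keyfile}")) {
				chmod("{$sshConfigDir}/{$keyfile}", 0600);
			}
		}
	}

	/* A 0-byte key file is corrupt (for example an interrupted key
	 * generation).  Remove the whole key set so it is regenerated below. */
	foreach ($keys as $keyfile) {
		$keypath = "{$sshConfigDir}/{$keyfile}";
		if (file_exists($keypath) && filesize($keypath) == 0) {
			unlink_if_exists("{$sshConfigDir}/ssh_host*");
			break;
		}
	}

	if (!is_dir("/var/empty")) {
		/* make ssh home directory (privilege separation directory) */
		mkdir("/var/empty", 0555);
	}

	if (!file_exists("/var/log/lastlog")) {
		/* Login related files. */
		@touch("/var/log/lastlog");
	}

	/* Listen port: the configured value when it is a plain port number,
	 * 22 otherwise.  The value is written verbatim into sshd_config, so
	 * anything that is not 1..65535 must not get that far. */
	$sshport = 22;
	if (isset($config['system']['ssh']) && is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
		$cfgport = trim((string)$config['system']['ssh']['port']);
		if (preg_match('/^[0-9]{1,5}$/', $cfgport) && (int)$cfgport >= 1 && (int)$cfgport <= 65535) {
			$sshport = (int)$cfgport;
		} else {
			file_notice("sshd_startup", "Ignoring invalid SSH port in config.xml, using port 22.", "SSHD Daemon", "");
		}
	}

	/* Include default configuration for pfSense */
	$sshconf = "# This file is automatically generated at startup\n";
	/* NOTE(review): arcfour (RC4) and the CBC modes are legacy ciphers kept
	 * for old clients; consider dropping them once no such clients remain. */
	$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
	/* Root login is enabled by design here; the sshdkeyonly option below is
	 * what restricts authentication to public keys. */
	$sshconf .= "PermitRootLogin yes\n";
	$sshconf .= "Compression yes\n";
	$sshconf .= "ClientAliveInterval 30\n";
	$sshconf .= "UseDNS no\n";
	$sshconf .= "X11Forwarding no\n";
	if (isset($config['system']['ssh']['sshdkeyonly'])) {
		$sshconf .= "# Login via Key only\n";
		$sshconf .= "PasswordAuthentication no\n";
		$sshconf .= "ChallengeResponseAuthentication no\n";
		$sshconf .= "PubkeyAuthentication yes\n";
	} else {
		$sshconf .= "# Login via Key and Password\n";
		$sshconf .= "PasswordAuthentication yes\n";
		$sshconf .= "ChallengeResponseAuthentication yes\n";
		$sshconf .= "PubkeyAuthentication yes\n";
	}
	$sshconf .= "# override default of no subsystems\n";
	$sshconf .= "Subsystem       sftp    /usr/libexec/sftp-server\n";
	/* Only allow protocol 2, because we say so */
	$sshconf .= "Protocol 2\n";
	/* Run the server on another port if we have one defined */
	$sshconf .= "Port $sshport\n";

	/* Apply package SSHDCond settings if config file exists */
	if (file_exists("/etc/sshd_extra")) {
		/* Read at most 1MB, as before, so a runaway file cannot exhaust memory. */
		$szExtra = file_get_contents("/etc/sshd_extra", false, null, 0, 1048576);
		if ($szExtra !== false) {
			$sshconf .= $szExtra;
		}
	}

	/* Write the new sshd config file.  A failed write is reported rather
	 * than ignored: sshd would otherwise restart on whatever config is
	 * already on disk without anyone knowing. */
	if (file_put_contents("{$sshConfigDir}/sshd_config", $sshconf) === false) {
		file_notice("sshd_startup", "Could not write {$sshConfigDir}/sshd_config; sshd will use the previous configuration.", "SSHD Daemon", "");
		echo "error writing {$sshConfigDir}/sshd_config\n";
	}

	/* mop up from a badly implemented ssh keys -> cf backup */
	if (isset($config['ssh']['dsa_key']) && $config['ssh']['dsa_key'] !== "") {
		unset($config['ssh']['dsa_key']);
		unset($config['ssh']['ecdsa_key']);
		unset($config['ssh']['ed25519_key']);
		unset($config['ssh']['rsa_key']);
		unset($config['ssh']['rsa1_key']);
		unset($config['ssh']['dsa']);
		unset($config['ssh']['rsa']);
		unset($config['ssh']['rsa1']);
		unset($config['ssh']['ak']);
		write_config("Clearing SSH keys from config.xml");
	}

	/* are we already running?  if so exit.  Another instance is in the
	 * middle of key generation; it also owns the rw mount, so no
	 * conf_mount_ro() here. */
	if (is_subsystem_dirty('sshdkeys')) {
		unset($keys);
		return;
	}

	// Check for all needed key files. If any are missing, the keys need to be regenerated.
	$generate_keys = false;
	foreach ($keys as $keyfile) {
		if (!file_exists("{$sshConfigDir}/{$keyfile}")) {
			$generate_keys = true;
			break;
		}
	}

	if ($generate_keys) {
		/* Key type -> private key file; ssh-keygen writes the matching .pub too.
		 * Order matches the previous one-command-per-type sequence. */
		$keytypes = array(
			'rsa1'    => 'ssh_host_key',
			'rsa'     => 'ssh_host_rsa_key',
			'dsa'     => 'ssh_host_dsa_key',
			'ecdsa'   => 'ssh_host_ecdsa_key',
			'ed25519' => 'ssh_host_ed25519_key'
		);

		/* remove previous keys and regen later */
		file_notice("SSH", "{$g['product_name']} has started creating your SSH keys.  SSH Startup will be delayed.  Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
		unlink_if_exists("{$sshConfigDir}/ssh_host_*");
		mark_subsystem_dirty('sshdkeys');
		echo " Generating Keys:\n";
		$keygen_failed = false;
		foreach ($keytypes as $keytype => $keyfile) {
			$keygen_output = array();
			$keygen_rc = 0;
			exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$keytype} -N '' -f {$sshConfigDir}/{$keyfile}", $keygen_output, $keygen_rc);
			/* Report rather than silently claim success; sshd will refuse
			 * to start if a host key it is configured for is unusable. */
			if ($keygen_rc != 0) {
				$keygen_failed = true;
				file_notice("SSH", "{$g['product_name']} failed to create the {$keytype} SSH host key (exit status {$keygen_rc}).", "SSH KeyGen", "");
			}
		}
		clear_subsystem_dirty('sshdkeys');
		if (!$keygen_failed) {
			file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys.  SSH is now started.", "SSH Startup", "");
		}
	}

	/* kill existing sshd process, server only, not the childs.  Every
	 * matching listener is signalled; leaving one behind would keep the
	 * port bound and make the new server fail to start. */
	$sshd_pids = array();
	exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'", $sshd_pids);
	foreach ($sshd_pids as $sshd_pid) {
		$sshd_pid = trim($sshd_pid);
		/* Only signal something that actually parsed as a PID. */
		if ($sshd_pid !== "" && preg_match('/^[0-9]+$/', $sshd_pid)) {
			echo "stopping ssh process $sshd_pid \n";
			@posix_kill((int)$sshd_pid, SIGTERM);
		}
	}

	/* Launch new server process */
	$status = mwexec("/usr/sbin/sshd");
	if ($status != 0) {
		file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", "");
		echo "error!\n";
	} else {
		echo "done.\n";
	}

	// NanoBSD: keep a copy of the host keys on the persistent config slice
	if ($g['platform'] == "nanobsd") {
		if (!is_dir("/conf/sshd")) {
			mkdir("/conf/sshd", 0750);
		}
		$_gb = exec("/bin/cp -p {$sshConfigDir}/ssh_host* /conf/sshd");
	}
	conf_mount_ro();
	unset($keys);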