#! /usr/local/bin/php -f
<?php
/*
	sshd - Modified to work on disk based system
	Copyright 2004 Scott K Ullrich
	Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
	require_once("config.inc");
	require_once("notices.inc");

	/* Nothing to do unless the SSH daemon has been enabled in config.xml;
	 * only mention it on the console while the system is booting. */
	if (!isset($config['system']['enablesshd'])) {
		if ($g['booting']) {
			echo "SSHD is disabled.";
		}
		exit;
	}

	/**
	 * Size of $file in bytes as reported by filesize(); filesize() yields false
	 * when the file cannot be stat'ed, and that is passed through unchanged.
	 * Callers in this script test file_exists() first.
	 */
	function file_size($file) {
		return filesize($file);
	}

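	/* If any of these files are 0 bytes they are corrupted (typically an interrupted
	 * key generation): remove the host keys so they are regenerated further down. */
	$files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','/root/.authorized_keys');
	foreach($files_to_check as $f2c) {
		/* NOTE(review): every entry, including '/root/.authorized_keys', is prefixed with
		 * /etc/ssh/ here, so that last entry is never actually examined — confirm intent
		 * before changing it. */
		$f2c_path = "/etc/ssh/{$f2c}";
		if(!file_exists($f2c_path)) {
			continue;
		}
		/* Strict comparison: file_size() returns false when the file cannot be stat'ed,
		 * and the previous `== 0` treated that the same as an empty file and wiped the
		 * host keys on a transient stat error. */
		if(file_size($f2c_path) === 0) {
			mwexec("rm /etc/ssh/ssh_host*");
			/* Everything matching the glob is gone now; no point re-running rm. */
			break;
		}
	}
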
	/* Directory sshd needs at startup (the "ssh home directory");
	 * created read/execute only (0555) when it is missing. */
	$ssh_empty_dir = "/var/empty";
	if (is_dir($ssh_empty_dir) === false) {
		mkdir($ssh_empty_dir, 0555);
	}

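	/* Login related files: make sure /var/log/lastlog exists.
	 * The previous test was file_exists("") — always false — so touch() ran on every
	 * start; check the real path so an existing lastlog is left alone. */
	if(!file_exists("/var/log/lastlog")) {
		touch("/var/log/lastlog");
	}
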
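	/* Make the root and admin passwords the same as the web admin password.
	 * pw(8) reads the password from fd 0 (-H 0), so the value is piped on stdin
	 * and never appears on the command line or in the process list.
	 * NOTE(review): -H expects an already-encrypted password; this assumes
	 * $config['system']['password'] holds the hash rather than clear text — confirm. */
	conf_mount_rw();
	foreach (array('root', 'admin') as $pw_user) {
		$fd = popen("/usr/sbin/pw usermod -n {$pw_user} -H 0", "w");
		if ($fd === false) {
			/* Previously an unchecked false handle went straight into fwrite(). */
			echo "Unable to run pw usermod for {$pw_user}.\n";
			continue;
		}
		fwrite($fd, $config['system']['password']);
		pclose($fd);
	}
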
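	$sshConfigDir = "/etc/ssh";

	/* Listen on the configured port when one is set and sane, otherwise the default 22.
	 * The value is written verbatim into sshd_config below, so accept only a plain
	 * port number rather than hand sshd a "Port" line it will refuse to parse; a
	 * missing config entry no longer raises an undefined-index notice either. */
	$sshport = 22;
	if (isset($config['system']['ssh']['port'])) {
		$cfgport = trim((string) $config['system']['ssh']['port']);
		if (ctype_digit($cfgport) && (int) $cfgport >= 1 && (int) $cfgport <= 65535) {
			$sshport = (int) $cfgport;
		}
	}
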
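	/* Include default configuration for pfSense.  Apart from the port nothing here is
	 * read from config.xml: root login and password authentication are enabled
	 * unconditionally, X11 forwarding is off and only protocol 2 is offered. */
	$sshconf = "# This file is automatically generated at startup\n";
	$sshconf .= "PermitRootLogin yes\n";
	$sshconf .= "PasswordAuthentication yes\n";
	$sshconf .= "Compression yes\n";
	$sshconf .= "ClientAliveInterval 30\n";
	$sshconf .= "UseDNS no\n";
	$sshconf .= "X11Forwarding no\n";
	$sshconf .= "# override default of no subsystems\n";
	$sshconf .= "Subsystem       sftp    /usr/libexec/sftp-server\n";
	/* Only allow protocol 2, because we say so */
	$sshconf .= "Protocol 2\n";
	/* Run the server on another port if we have one defined */
	$sshconf .= "Port $sshport\n";

	/* Write the new sshd config file.  The handle comes from fopen(), so it is closed
	 * with fclose(); the previous pclose() is meant for popen() handles.  fopen() and
	 * fwrite() failures are reported instead of silently producing an empty config. */
	$fd = fopen("/etc/ssh/sshd_config", "w");
	if ($fd === false) {
		echo "Unable to open /etc/ssh/sshd_config for writing.\n";
	} else {
		if (fwrite($fd, $sshconf) === false) {
			echo "Unable to write /etc/ssh/sshd_config.\n";
		}
		fclose($fd);
	}
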
	/* Mop up from a badly implemented "ssh keys -> cf backup": an earlier version of
	 * this script stored SSH key material under $config['ssh']; if any of it is still
	 * present, drop all of it and write the cleaned config back out. */
	if ($config['ssh']['dsa_key'] != "") {
		$stale_ssh_keys = array('dsa_key', 'rsa_key', 'rsa1_key', 'dsa', 'rsa', 'rsa1', 'ak');
		foreach ($stale_ssh_keys as $stale_key) {
			unset($config['ssh'][$stale_key]);
		}
		write_config("Clearing SSH keys from config.xml");
	}

	/* Are we already running?  If so exit.  /tmp/keys_generating is the in-progress
	 * lock created by the key generation further down.
	 * NOTE(review): this exits with the filesystem still mounted read/write
	 * (conf_mount_rw() above, conf_mount_ro() only at the end), and a lock file left
	 * behind by an interrupted run blocks every later start until /tmp is cleared —
	 * confirm both are acceptable. */
	$keygen_lock = "/tmp/keys_generating";
	if (file_exists($keygen_lock) === true) {
		exit;
	}

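	if (!file_exists("$sshConfigDir/ssh_host_key") or file_exists("/etc/keys_generating")) {
		/* No host key yet, or a previous run was interrupted (/etc/keys_generating is
		 * only removed once generation finishes): remove previous keys and regenerate.
		 * NOTE(review): the test keys off ssh_host_key, the rsa1 (protocol 1) key, while
		 * sshd_config above only offers protocol 2; on an OpenSSH without rsa1 support
		 * that file never appears and this branch would re-run, replacing the rsa/dsa
		 * keys, on every start — confirm on the target release. */
		file_notice("SSH", "pfSense has started creating your SSH keys.  SSH Startup will be delayed.  Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
		conf_mount_rw();
		mwexec("rm /etc/ssh/ssh_host_*");
		/* /etc/keys_generating persists across a reboot (forces a redo if we die here);
		 * /tmp/keys_generating is the in-progress lock checked at the top of the script. */
		touch("/etc/keys_generating");
		touch("/tmp/keys_generating");
		echo " Generating Keys:\n";
		/* Host keys are created without a passphrase (-N '') so sshd can load them
		 * unattended, and at low priority because key generation is slow on small boxes. */
		$keygen_cmds = array(
			'rsa1' => "/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key",
			'rsa'  => "/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key",
			'dsa'  => "/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key",
		);
		$keygen_failed = array();
		foreach ($keygen_cmds as $keytype => $keygen_cmd) {
			system($keygen_cmd, $keygen_rc);
			if ($keygen_rc !== 0) {
				$keygen_failed[] = $keytype;
			}
		}
		unlink("/etc/keys_generating");
		unlink("/tmp/keys_generating");
		if (count($keygen_failed) > 0) {
			/* Previously a failed ssh-keygen went unreported and the "completed" notice
			 * was still raised; sshd then failed to start later with no hint why. */
			file_notice("SSH", "ssh-keygen failed for key type(s): " . implode(", ", $keygen_failed) . ".  SSH may not start.", "SSH KeyGen", "");
		} else {
			file_notice("SSH", "pfSense has completed creating your SSH keys.  SSH is now started.", "SSH Startup", "");
		}
		echo "Starting SSH... ";
	}
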
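	/* Kill the existing sshd process, server only, not the childs: the pattern matches
	 * the daemon's own command line.  NOTE(review): presumably the per-session children
	 * are not listed with the /usr/sbin/sshd path — confirm on the target ps output. */
	$sshd_pids = array();
	exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'", $sshd_pids);
	foreach ($sshd_pids as $sshd_pid) {
		$sshd_pid = trim($sshd_pid);
		/* Only ever hand plain pids to the shell.  exec() used to keep just the last
		 * output line, so a second master process was left running. */
		if (!ctype_digit($sshd_pid)) {
			continue;
		}
		echo "stopping ssh process $sshd_pid \n";
		mwexec("kill $sshd_pid");
	}
	/* Launch new server process */
	$status = mwexec("/usr/sbin/sshd");
	if ($status != 0) {
		file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", "");
		echo "error!\n";
	} else {
		echo "done.\n";
	}
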
	conf_mount_ro();

	/* Exit early, this needs more testing: everything below this point is unreachable. */
	exit(0);

	/* UNREACHABLE: the script exits just above this point.  Kept as found.
	 * This older scheme generated the host keys and stored the PRIVATE key files,
	 * base64-encoded, in config.xml (the "mop up" block earlier in this script
	 * deletes exactly these entries), so the private keys travelled with every
	 * config.xml backup.  Note the else branch also runs when the key file exists
	 * but config.xml holds no saved key; it would then write the empty result of
	 * base64_decode() over the host key files. */
	if (!file_exists("$sshConfigDir/ssh_host_key") and $config['ssh']['dsa'] == "") {
		/* generate keys (no passphrase, low priority) */
		system("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key");
		system("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key");
		system("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key");

		/* save keys: private key files go into config.xml under ssh/dsa, ssh/rsa, ssh/rsa1 */
		$dsa  = file_get_contents("{$sshConfigDir}/ssh_host_dsa_key");
		$rsa  = file_get_contents("{$sshConfigDir}/ssh_host_rsa_key");
		$rsa1 = file_get_contents("{$sshConfigDir}/ssh_host_key");
		$config['ssh']['dsa'] = base64_encode($dsa);
		$config['ssh']['rsa'] = base64_encode($rsa);
		$config['ssh']['rsa1']= base64_encode($rsa1);

		/* save public keys under ssh/dsa_key, ssh/rsa_key, ssh/rsa1_key */
		$dsapub  = file_get_contents("{$sshConfigDir}/ssh_host_dsa_key.pub");
		$rsapub  = file_get_contents("{$sshConfigDir}/ssh_host_rsa_key.pub");
		$rsa1pub = file_get_contents("{$sshConfigDir}/ssh_host_key.pub");
		$config['ssh']['dsa_key'] = base64_encode($dsapub);
		$config['ssh']['rsa_key'] = base64_encode($rsapub);
		$config['ssh']['rsa1_key']= base64_encode($rsa1pub);
		write_config("Saved SSH keys.");
	} else {
		/* restore keys from config.xml (no check that the entries are present) */
		$rsa1 = base64_decode($config['ssh']['rsa1']);
		$rsa  = base64_decode($config['ssh']['rsa']);
		$dsa  = base64_decode($config['ssh']['dsa']);
		file_put_contents("{$sshConfigDir}/ssh_host_key", $rsa1);
		file_put_contents("{$sshConfigDir}/ssh_host_rsa_key", $rsa);
		file_put_contents("{$sshConfigDir}/ssh_host_dsa_key", $dsa);

		/* restore public keys */
		$rsa1_pub = base64_decode($config['ssh']['rsa1_key']);
		$rsa_pub  = base64_decode($config['ssh']['rsa_key']);
		$dsa_pub  = base64_decode($config['ssh']['dsa_key']);
		file_put_contents("{$sshConfigDir}/ssh_host_key.pub", $rsa1_pub);
		file_put_contents("{$sshConfigDir}/ssh_host_rsa_key.pub", $rsa_pub);
		file_put_contents("{$sshConfigDir}/ssh_host_dsa_key.pub", $dsa_pub);

		/* change keys owner to root */
		chown("{$sshConfigDir}/ssh_host_key", "root");
		chown("{$sshConfigDir}/ssh_host_rsa_key", "root");
		chown("{$sshConfigDir}/ssh_host_dsa_key", "root");

		/* change public keys owner to root */
		chown("{$sshConfigDir}/ssh_host_key.pub", "root");
		chown("{$sshConfigDir}/ssh_host_rsa_key.pub", "root");
		chown("{$sshConfigDir}/ssh_host_dsa_key.pub", "root");

		/* change mode on keys to u+rw (0600: owner read/write only) */
		chmod("{$sshConfigDir}/ssh_host_key",0600);
		chmod("{$sshConfigDir}/ssh_host_rsa_key",0600);
		chmod("{$sshConfigDir}/ssh_host_dsa_key",0600);

		/* change mode on public keys to u+rw as well */
		chmod("{$sshConfigDir}/ssh_host_key.pub",0600);
		chmod("{$sshConfigDir}/ssh_host_rsa_key.pub",0600);
		chmod("{$sshConfigDir}/ssh_host_dsa_key.pub",0600);
	}

	/* UNREACHABLE (the script exits above): restore a saved authorized_keys blob for
	 * root from config.xml, owner read/write only. */
	$ak_b64 = $config['ssh']['ak'];
	if ($ak_b64 != "") {
		file_put_contents("/root/.authorized_keys", base64_decode($ak_b64));
		chmod("/root/.authorized_keys",0600);
	}

	/* UNREACHABLE (the script exits above): start sshd and report completion. */
	system("/usr/sbin/sshd");
	print "done.\n";
?>