#! /usr/local/bin/php -f
<?php
/*
	sshd - Modified to work on disk based system
	Copyright 2004 Scott K Ullrich
	Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
	require_once("globals.inc");
	require_once("config.inc");
	require_once("functions.inc");
	require_once("shaper.inc");
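	/* Bail out unless sshd is enabled in config.xml; the message is only worth printing
	   on the boot console. Testing the negative directly avoids the empty "do nothing"
	   branch and !empty() avoids an undefined-index notice when $g['booting'] is unset. */
	if (!isset($config['system']['enablesshd'])) {
		if (!empty($g['booting']))
			echo "SSHD is disabled.";
		exit;
	}

	/* are we already running?  if not, do conf_mount_rw(), otherwise it should already be rw */
	if (!is_subsystem_dirty('sshdkeys')) {
		conf_mount_rw();
	}
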
	/*
	 * Size of $file in bytes, exactly as filesize() reports it (false when the
	 * file cannot be stat'ed). Kept as a named wrapper for the zero-byte checks
	 * performed on the host key files below.
	 */
	function file_size($file) {
		return filesize($file);
	}

	/* NanoBSD keeps a copy of the ssh host keys under /conf/sshd; put it back into
	   /etc/ssh when that copy exists and /etc/ssh has no host key yet. */
	$have_nanobsd_backup = ($g['platform'] == "nanobsd") && file_exists("/conf/sshd/ssh_host_key");
	if ($have_nanobsd_backup && !file_exists("/etc/ssh/ssh_host_key.pub")) {
		echo "Restoring SSH from /conf/sshd/";
		exec("/bin/cp -p /conf/sshd/* /etc/ssh/");

		/* keep the host private key permissions tight (0600) so sshd won't complain */
		foreach (array('ssh_host_dsa_key', 'ssh_host_key', 'ssh_host_rsa_key') as $private_key) {
			$key_path = "/etc/ssh/{$private_key}";
			if (file_exists($key_path)) {
				chmod($key_path, 0600);
			}
		}
	}

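	/*
	 * A zero-byte host key file means a truncated/corrupt key set: remove every
	 * ssh_host* file so the key check further down regenerates the whole set.
	 * NOTE(review): the last entry expands to /etc/ssh//root/.ssh/authorized_keys,
	 * which is not the real authorized_keys path, so it is effectively never matched;
	 * left as-is to keep the list identical to what the previous revision checked.
	 */
	$files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','/root/.ssh/authorized_keys');
	foreach ($files_to_check as $f2c) {
		$key_path = "/etc/ssh/{$f2c}";
		if (!file_exists($key_path)) {
			continue;
		}
		$size = file_size($key_path);
		/* filesize() reports false when the stat fails; the old loose "== 0" comparison
		   silently treated that like an empty file, so keep that outcome but spell it out */
		if ($size === 0 || $size === false) {
			mwexec("rm /etc/ssh/ssh_host*", true);
			/* every file this loop looks for is gone now; nothing left to check */
			break;
		}
	}

	if (!is_dir("/var/empty")) {
		/* make ssh home directory; created read-only (0555) */
		mkdir("/var/empty", 0555);
	}

	if (!file_exists("/var/log/lastlog")) {
		/* Login related files. */
		touch("/var/log/lastlog");
	}
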
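	$sshConfigDir = "/etc/ssh";

	/* Listen port: the configured value is written into sshd_config verbatim (presumably
	   validated by the GUI before it reaches config.xml — verify), default 22 otherwise.
	   isset() first so a config without an ssh section raises no undefined-index notice. */
	if (isset($config['system']['ssh']['port']) && $config['system']['ssh']['port'] != "") {
		$sshport = $config['system']['ssh']['port'];
	} else {
		$sshport = 22;
	}

	/* Include default configuration for pfSense */
	$sshconf = "# This file is automatically generated at startup\n";
	/* NOTE(review): arcfour* and the *-cbc modes are legacy ciphers that newer OpenSSH
	   releases disable or remove; revisit this list when the base system's sshd changes. */
	$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
	$sshconf .= "PermitRootLogin yes\n";
	$sshconf .= "Compression yes\n";
	$sshconf .= "ClientAliveInterval 30\n";
	$sshconf .= "UseDNS no\n";
	$sshconf .= "X11Forwarding no\n";
	/* Authentication policy: with sshdkeyonly set only public keys are accepted,
	   otherwise password/challenge-response logins are allowed as well */
	if (isset($config['system']['ssh']['sshdkeyonly'])) {
		$sshconf .= "# Login via Key only\n";
		$sshconf .= "PasswordAuthentication no\n";
		$sshconf .= "ChallengeResponseAuthentication no\n";
		$sshconf .= "PubkeyAuthentication yes\n";
	} else {
		$sshconf .= "# Login via Key and Password\n";
		$sshconf .= "PasswordAuthentication yes\n";
		$sshconf .= "ChallengeResponseAuthentication yes\n";
		$sshconf .= "PubkeyAuthentication yes\n";
	}
	$sshconf .= "# override default of no subsystems\n";
	$sshconf .= "Subsystem       sftp    /usr/libexec/sftp-server\n";
	/* Only allow protocol 2, because we say so */
	$sshconf .= "Protocol 2\n";
	/* Run the server on another port if we have one defined */
	$sshconf .= "Port $sshport\n";

	/* Write the new sshd config file. The previous fopen()/fwrite() pair never checked
	   its result; a failed write is now reported the same way a failed start is below,
	   instead of silently carrying on with whatever is on disk. */
	if (file_put_contents("{$sshConfigDir}/sshd_config", $sshconf) === false) {
		file_notice("sshd_startup", "Could not write {$sshConfigDir}/sshd_config.", "SSHD Daemon", "");
	}
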
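	/* mop up from a badly implemented ssh keys -> cf backup: the key material lives on disk
	   (and under /conf/sshd on NanoBSD), so any copies left in config.xml are dropped once and
	   the cleaned config is written back. isset() first: most configs have no 'ssh' section. */
	if (isset($config['ssh']['dsa_key']) && $config['ssh']['dsa_key'] != "") {
		foreach (array('dsa_key', 'rsa_key', 'rsa1_key', 'dsa', 'rsa', 'rsa1', 'ak') as $legacy_key) {
			unset($config['ssh'][$legacy_key]);
		}
		write_config("Clearing SSH keys from config.xml");
	}

	/* are we already running?  if so exit (the running instance owns key generation) */
	if (is_subsystem_dirty('sshdkeys')) {
		exit;
	}
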
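	// Check for all needed key files. If any are missing, the keys need to be regenerated.
	$files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub');
	$generate_keys = false;
	foreach ($files_to_check as $f2c) {
		if (!file_exists("/etc/ssh/{$f2c}")) {
			$generate_keys = true;
			break; /* one missing file is enough to decide */
		}
	}
	if ($generate_keys) {
		/* remove previous keys and regen later; the dirty flag makes a second instance of
		   this script (see the is_subsystem_dirty() check above) leave generation to us */
		file_notice("SSH", "{$g['product_name']} has started creating your SSH keys.  SSH Startup will be delayed.  Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
		mwexec("rm /etc/ssh/ssh_host_*", true);
		mark_subsystem_dirty('sshdkeys');
		echo " Generating Keys:\n";
		/* Host keys get no passphrase (-N '') because sshd has to load them unattended.
		   rsa1 is a protocol-1 key; sshd_config above pins "Protocol 2", it is only
		   generated because the file check above still expects ssh_host_key to exist. */
		$host_keys = array(
			'rsa1' => 'ssh_host_key',
			'rsa'  => 'ssh_host_rsa_key',
			'dsa'  => 'ssh_host_dsa_key',
		);
		foreach ($host_keys as $key_type => $key_file) {
			system("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t $key_type -N '' -f $sshConfigDir/$key_file");
		}
		clear_subsystem_dirty('sshdkeys');
		file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys.  SSH is now started.", "SSH Startup", "");
		echo "Starting SSH... ";
	}
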
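	/* kill existing sshd process, server only, not the childs */
	$sshd_pid = (int) exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'");
	/* The pid is cast to int before it is interpolated into the kill command, so only a
	   plain number can ever reach the shell; 0 (no match, or non-numeric output) is skipped
	   where the old "<> ''" test would have passed the raw text through. */
	if ($sshd_pid > 0) {
		echo "stopping ssh process $sshd_pid \n";
		mwexec("kill $sshd_pid");
	}
	/* Launch new server process */
	$status = mwexec("/usr/sbin/sshd");
	if ($status != 0) {
		file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", "");
		echo "error!\n";
	} else {
		echo "done.\n";
	}

	// NanoBSD: keep a copy of the host keys under /conf so the restore step at the top of
	// this script can bring them back when /etc/ssh has none
	if ($g['platform'] == "nanobsd") {
		if (!is_dir("/conf/sshd")) {
			mkdir("/conf/sshd"); /* native call instead of forking /bin/mkdir */
		}
		exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd");
	}
	conf_mount_ro();
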
?>