From 19fdd02d47bb40fa26ddc8a27300af9808219a4e Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 29 Sep 2016 07:00:33 +0200 Subject: [PATCH] rc: add deprecated host keys if available, but do not generate them; #1200 --- src/etc/rc.sshd | 73 +++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 29 deletions(-) diff --git a/src/etc/rc.sshd b/src/etc/rc.sshd index afb63b952..9b856352d 100755 --- a/src/etc/rc.sshd +++ b/src/etc/rc.sshd @@ -66,8 +66,17 @@ $keys = array( 'ed25519' => 'ssh_host_ed25519_key', ); -foreach($keys as $name) { - $file = "{$etc_ssh}/etc/ssh/{$name}"; +$keys_dep = array( + /* .pub files are implied */ + 'rsa1' => 'ssh_host_key', + 'dsa' => 'ssh_host_dsa_key', +); + +$keys_all = array_merge($keys, $keys_dep); + +foreach ($keys_all as $name) { + /* this is one of the infamous UFS workarounds ;) */ + $file = "{$etc_ssh}/{$name}"; if (file_exists($file) && filesize($file) == 0) { unlink($file); } @@ -83,38 +92,12 @@ foreach($keys as $name) { /* Login related files. */ touch("/var/log/lastlog"); -$sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22; - -$sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n"; -$sshconf .= "Port {$sshport}\n"; -$sshconf .= "Protocol 2\n"; -/* XXX a couple of those need moar cleanups: */ -$sshconf .= "Compression yes\n"; -$sshconf .= "ClientAliveInterval 30\n"; -$sshconf .= "UseDNS no\n"; -$sshconf .= "X11Forwarding no\n"; -$sshconf .= "PubkeyAuthentication yes\n"; -$sshconf .= "Subsystem\tsftp\tinternal-sftp\n"; -if (isset($sshcfg['permitrootlogin'])) { - $sshconf .= "PermitRootLogin yes\n"; -} -if (isset($sshcfg['passwordauth'])) { - $sshconf .= "ChallengeResponseAuthentication yes\n"; - $sshconf .= "PasswordAuthentication yes\n"; -} else { - $sshconf .= "ChallengeResponseAuthentication no\n"; - $sshconf .= "PasswordAuthentication no\n"; -} - -/* Write the new sshd config file */ -file_put_contents("{$etc_ssh}/sshd_config", $sshconf); - /* are we already running? if so exit */ if (is_subsystem_dirty('sshdkeys')) { return; } -// Check for all needed key files. If any are missing, the keys need to be regenerated. +/* Check for all needed key files. If any are missing, the keys need to be regenerated. */ $generate_keys = false; foreach ($keys as $name) { $file = "{$etc_ssh}/{$name}"; @@ -135,6 +118,38 @@ if ($generate_keys) { log_error('Completed creating your SSH keys. SSH will now be started.'); } +$sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22; + +$sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n"; +$sshconf .= "Port {$sshport}\n"; +$sshconf .= "Protocol 2\n"; +$sshconf .= "Compression yes\n"; +$sshconf .= "ClientAliveInterval 30\n"; +$sshconf .= "UseDNS no\n"; +$sshconf .= "X11Forwarding no\n"; +$sshconf .= "PubkeyAuthentication yes\n"; +$sshconf .= "Subsystem\tsftp\tinternal-sftp\n"; +if (isset($sshcfg['permitrootlogin'])) { + $sshconf .= "PermitRootLogin yes\n"; +} +if (isset($sshcfg['passwordauth'])) { + $sshconf .= "ChallengeResponseAuthentication yes\n"; + $sshconf .= "PasswordAuthentication yes\n"; +} else { + $sshconf .= "ChallengeResponseAuthentication no\n"; + $sshconf .= "PasswordAuthentication no\n"; +} +foreach ($keys_all as $name) { + $file = "{$etc_ssh}/{$name}"; + if (!file_exists($file)) { + continue; + } + $sshconf .= "HostKey {$file}\n"; +} + +/* Write the new sshd config file */ +file_put_contents("{$etc_ssh}/sshd_config", $sshconf); + /* Launch new server process */ echo "Reloading sshd..."; if (mwexecf('/usr/bin/protect -i %s', $sbin_sshd)) {