From 6472278074b2e8a9fb9e9d4a42292c8cf237c9d9 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Fri, 23 Aug 2024 09:44:55 +0200 Subject: [PATCH] openssh: convert to newwanip_map and modernise * Replace subsystem "locking" with broader config file lock * change syslog() to log_msg() * change array() to [] --- src/etc/inc/plugins.inc.d/openssh.inc | 67 +++++++++++++-------------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc index 94b27bd67..f4f14acd6 100644 --- a/src/etc/inc/plugins.inc.d/openssh.inc +++ b/src/etc/inc/plugins.inc.d/openssh.inc @@ -3,7 +3,7 @@ /* * Copyright (C) 2004 Scott Ullrich * Copyright (C) 2004 Fred Mol - * Copyright (C) 2015-2022 Franco Fichtner + * Copyright (C) 2015-2024 Franco Fichtner * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -38,23 +38,23 @@ function openssh_enabled() function openssh_configure() { - return array( - 'early' => array('openssh_configure_do'), - 'local' => array('openssh_configure_do'), - 'newwanip' => array('openssh_configure_do:2'), - ); + return [ + 'early' => ['openssh_configure_do'], + 'local' => ['openssh_configure_do'], + 'newwanip_map' => ['openssh_configure_do:2'], + ]; } function openssh_services() { - $services = array(); + $services = []; if (openssh_enabled()) { - $pconfig = array(); + $pconfig = []; $pconfig['description'] = gettext('Secure Shell Daemon'); - $pconfig['configd']['restart'] = array('openssh restart'); - $pconfig['configd']['start'] = array('openssh start'); - $pconfig['configd']['stop'] = array('openssh stop'); + $pconfig['configd']['restart'] = ['openssh restart']; + $pconfig['configd']['start'] = ['openssh start']; + $pconfig['configd']['stop'] = ['openssh stop']; $pconfig['pidfile'] = '/var/run/sshd.pid'; $pconfig['name'] = 'openssh'; $services[] = $pconfig; 
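Review bot: The new `'newwanip_map' => ['openssh_configure_do:2']` entry changes what the second argument of openssh_configure_do() carries (an interface map instead of a single interface name), but nothing in the hook table says so; the only explanation is a comment buried inside openssh_configure_do() in a later hunk. A one-line comment on the entry would spare the next reader the hunt, for example `/* ':2' requests the interface map as second argument, see openssh_configure_do() */`. That the ':2' suffix denotes an argument count is inferred from the signature change in this patch and should be confirmed against the dispatcher.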
@@ -69,15 +69,12 @@ function openssh_services() */ function openssh_xmlrpc_sync() { - $result = []; - $result[] = array( + return [[ 'description' => gettext('OpenSSH'), 'section' => 'system.ssh', + 'services' => ['openssh'], 'id' => 'ssh', - 'services' => ["openssh"], - ); - - return $result; + ]]; } @@ -87,7 +84,7 @@ function openssh_stop() mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true); } -function openssh_configure_do($verbose = false, $interface = '') +function openssh_configure_do($verbose = false, $interface_map = null) { global $config; @@ -97,7 +94,7 @@ function openssh_configure_do($verbose = false, $interface = '') $sshcfg = $config['system']['ssh']; } elseif (!isset($config['system']['ssh']['noauto']) && is_install_media()) { /* only revert to installer config when ssh is not set at all */ - $sshcfg = array('permitrootlogin' => 1, 'passwordauth' => 1); + $sshcfg = ['permitrootlogin' => 1, 'passwordauth' => 1]; } if ($sshcfg === null) { @@ -105,16 +102,22 @@ function openssh_configure_do($verbose = false, $interface = '') return; } - $interfaces = array(); + $interfaces = []; if (!empty($sshcfg['interfaces'])) { $interfaces = explode(',', $sshcfg['interfaces']); - $interfaces[] = 'lo0'; + array_unshift($interfaces, 'lo0'); } - if (!empty($interface) && !in_array($interface, $interfaces)) { - return; + /* 'newwanip_map' configuration is the only event to take second argument */ + if (!empty($interface_map)) { + if (!count(array_intersect(explode(',', $interface_map), $interfaces))) { + return; + } } + /* lock the config generation and service start/stop, also secures key generation */ + $fobj = new \OPNsense\Core\FileObject('/usr/local/etc/ssh/sshd_config', 'a+', null, LOCK_EX); + openssh_stop(); /* make sshd key store */ 
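Review bot: `openssh_configure_do($verbose = false, $interface_map = null)` gains a parameter whose format is not stated at the signature; the only hint is a comment several lines into the body, and the body then explodes the value on ','. A docblock above the function would pin the contract, e.g. `@param string|null $interface_map comma-separated interface names from the newwanip_map event; null for every other hook`. The function body continues outside this hunk.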
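Review bot: `explode(',', $interface_map)` assumes the newwanip_map event hands over a comma-separated string; if the dispatcher passes an array (which the parameter name suggests is at least possible), explode() throws a TypeError under PHP 8 and the whole configure run aborts before the lock is taken. Accepting both shapes is cheap: `$wanted = is_array($interface_map) ? $interface_map : explode(',', $interface_map);` and then `array_intersect($wanted, $interfaces)`. The new comment also promises that the lock "secures key generation", but the lock is held on sshd_config, so it only serialises callers of this function; any other code path that touches /conf/sshd is not covered, which the comment should say, or the lock should move to a dedicated lock file if such paths exist. openssh_configure_do() continues outside this hunk.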
@@ -141,18 +144,12 @@ function openssh_configure_do($verbose = false, $interface = '') } if ($generate_keys) { - /* XXX replace with file lock */ - if (is_subsystem_dirty('sshdkeys')) { - return; - } - mark_subsystem_dirty('sshdkeys'); foreach ($keys as $type => $name) { $file = "/conf/sshd/{$name}"; @unlink("{$file}.pub"); @unlink($file); - mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', array($type, $file)); + mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', [$type, $file]); } - clear_subsystem_dirty('sshdkeys'); } $sshport = isset($sshcfg['port']) ? $sshcfg['port'] : 22; @@ -192,7 +189,7 @@ function openssh_configure_do($verbose = false, $interface = '') $sshconf .= "HostKey {$file}\n"; } - $listeners = array(); + $listeners = []; foreach (interfaces_addresses($interfaces) as $tmpaddr => $info) { if (!$info['bind']) { @@ -236,18 +233,18 @@ function openssh_configure_do($verbose = false, $interface = '') if (in_array($elem, $supported[$adv['key']])) { $selected[] = $elem; } else { - syslog(LOG_WARNING, "OpenSSH: Configured {$adv['node']} value '{$elem}' is not supported."); + log_msg("OpenSSH: Configured {$adv['node']} value '{$elem}' is not supported.", LOG_WARNING); } } if (count($selected) == 0) { - syslog(LOG_WARNING, "OpenSSH: No configured {$adv['node']} value is supported - using defaults."); + log_msg("OpenSSH: No configured {$adv['node']} value is supported - using defaults.", LOG_WARNING); } else { $sshconf .= $adv['config'] . ' ' . implode(',', $selected) . PHP_EOL; } } - file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf); + $fobj->truncate(0)->write($sshconf); service_log('Configuring OpenSSH...', $verbose); @@ -256,4 +253,6 @@ function openssh_configure_do($verbose = false, $interface = '') } else { service_log("done.\n", $verbose); } + + unset($fobj); }
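Review bot: The ssh-keygen outcome is still unchecked after the subsystem-dirty guard is removed: `@unlink` deletes both halves of each key before `mwexecf('/usr/local/bin/ssh-keygen ...')` runs, so a failed generation (missing /conf/sshd, full disk, ...) leaves no host key while the HostKey lines are still emitted further down, and sshd then has no usable key to start with. If mwexecf() returns the command's exit status, as its name suggests, capturing it and logging in the same style as the cipher warnings below makes the failure visible, e.g. `if (mwexecf('/usr/local/bin/ssh-keygen -t %s -N "" -f %s', [$type, $file]) != 0) { log_msg("OpenSSH: host key generation for {$type} failed", LOG_ERR); }`. The enclosing function starts and ends outside this hunk.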
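Review bot: `$fobj->truncate(0)->write($sshconf)` discards the write result just as file_put_contents() did before, and the function goes on to start the service; if the write fails after the truncate, sshd is started against an empty sshd_config and falls back to its compiled-in defaults, which means listening on every address on port 22 instead of the configured interface set. Checking the outcome before starting the daemon closes that window, e.g. `if ($fobj->truncate(0)->write($sshconf) === false) { log_msg('OpenSSH: failed to write sshd_config', LOG_ERR); return; }`, though the exact return convention of FileObject::write() is not visible here and should be confirmed. An early return is safe with respect to the lock, since `$fobj` goes out of scope on return. The function continues outside this hunk.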