From 948b5bcc1cb964cfc172c149f51cd02876f659ee Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Thu, 2 Apr 2015 21:52:07 +0200
Subject: [PATCH] system: flip ssh settings for clarity
---
 src/etc/config.xml | 3 --
 src/etc/inc/config.console.inc | 2 +-
 src/etc/inc/filter.inc | 3 +-
 src/etc/inc/globals.inc | 2 +-
 src/etc/inc/service-utils.inc | 6 ++--
 src/etc/inc/upgrade_config.inc | 24 +++++++++++++---
 src/etc/rc.sshd | 12 ++++----
 src/www/system_advanced_admin.php | 47 ++++++++++++++++---------------
 8 files changed, 58 insertions(+), 41 deletions(-)
diff --git a/src/etc/config.xml b/src/etc/config.xml
index 168ff9aa8..adc25feba 100644
--- a/src/etc/config.xml
+++ b/src/etc/config.xml
@@ -202,9 +202,6 @@ monthly - - -
diff --git a/src/etc/inc/config.console.inc b/src/etc/inc/config.console.inc
index 9fbcb80df..9605477cf 100644
--- a/src/etc/inc/config.console.inc
+++ b/src/etc/inc/config.console.inc
@@ -145,7 +145,7 @@ EOD;
 return;
 } while (!isset($wanif));
- $config['system']['enablesshd'] = 'enabled';
+ $config['system']['ssh']['enabled'] = 'enabled';
 $key = 'y';
 } else {
 //Manually assign interfaces
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 546d0a570..01d1dc478 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -3562,8 +3562,9 @@ function filter_get_antilockout_ports($wantarray = false) {
 if (($config['system']['webgui']['protocol'] == "https") && !isset($config['system']['webgui']['disablehttpredirect']) && ($guiport != "80"))
 $lockoutports[] = "80";
- if (isset($config['system']['enablesshd']))
+ if (isset($config['system']['ssh']['enabled'])) {
 $lockoutports[] = empty($config['system']['ssh']['port']) ? "22" : $config['system']['ssh']['port'];
+ }
 if ($wantarray)
 return $lockoutports;
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index 5c1174fa0..e79bcd8a2 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -48,7 +48,7 @@ $g = array(
 "product_copyright_owner" => "Deciso B.V.",
 "product_copyright_years" => "2014 - 2015",
 "product_copyright_url" => "https://www.deciso.com/",
- "latest_config" => "11.1",
+ "latest_config" => "11.2",
 "wireless_regex" => "/^(ndis|wi|ath|an|ral|ural|iwi|wlan|rum|run|bwn|zyd|mwl|bwi|ipw|iwn|malo|uath|upgt|urtw|wpi)/",
 );
diff --git a/src/etc/inc/service-utils.inc b/src/etc/inc/service-utils.inc
index e4e9f1de5..be0e329f9 100644
--- a/src/etc/inc/service-utils.inc
+++ b/src/etc/inc/service-utils.inc
@@ -147,10 +147,10 @@ if (!function_exists('get_services')) {
 $services[] = $pconfig;
 }
- if (isset($config['system']['enablesshd'])) {
+ if (isset($config['system']['ssh']['enabled'])) {
 $pconfig = array();
- $pconfig['name'] = "sshd";
- $pconfig['description'] = gettext("Secure Shell Daemon");
+ $pconfig['name'] = 'sshd';
+ $pconfig['description'] = gettext('Secure Shell Daemon');
 $services[] = $pconfig;
 }
diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc
index df043a174..a475732f4 100644
--- a/src/etc/inc/upgrade_config.inc
+++ b/src/etc/inc/upgrade_config.inc
@@ -3245,12 +3245,10 @@ function upgrade_109_to_110() {
 }
 }
-function upgrade_110_to_111() {
+function upgrade_110_to_111()
+{
 global $config;
- /* OPNsense modifications on top of this version */
- $config['theme'] = 'opnsense';
-
 /* Make sure unbound user exist */
 mwexec('/usr/sbin/pw groupadd -n unbound -g 59', true);
 mwexec('/usr/sbin/pw useradd -n unbound -c "Unbound DNS Resolver" -d /var/unbound -s /usr/sbin/nologin -u 59 -g 59', true);
@@ -3372,3 +3370,21 @@ function upgrade_110_to_111() {
 unset($pkg, $new);
 }
+
+function upgrade_111_to_112()
+{
+ global $config;
+
+ $config['theme'] = 'opnsense';
+
+ if (isset($config['system']['ssh']['sshdkeyonly'])) {
+ unset($config['system']['ssh']['sshdkeyonly']);
+ } else {
+ $config['system']['ssh']['passwordauth'] = true;
+ }
+
+ if (isset($config['system']['sshdenable'])) {
+ $config['system']['ssh']['enabled'] = true;
+ unset($config['system']['sshdenable']);
+ }
+}
diff --git a/src/etc/rc.sshd b/src/etc/rc.sshd
index b534c1bd4..be4bea95d 100755
--- a/src/etc/rc.sshd
+++ b/src/etc/rc.sshd
@@ -36,7 +36,7 @@ require_once('shaper.inc');
 killbyname('sshd');
-if (!isset($config['system']['enablesshd'])) {
+if (!isset($config['system']['ssh']['enabled'])) {
 return;
 }
@@ -103,12 +103,12 @@ $sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
 if (isset($config['system']['ssh']['permitrootlogin'])) {
 $sshconf .= "PermitRootLogin yes\n";
 }
-if (isset($config['system']['ssh']['sshdkeyonly'])) {
- $sshconf .= "PasswordAuthentication no\n";
- $sshconf .= "ChallengeResponseAuthentication no\n";
-} else {
- $sshconf .= "PasswordAuthentication yes\n";
+if (isset($config['system']['ssh']['passwordauth'])) {
 $sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PasswordAuthentication yes\n";
+} else {
+ $sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PasswordAuthentication no\n";
 }
 /* Write the new sshd config file */
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 0ae6746ae..996b61b9d 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
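Review bot: The migration in `upgrade_111_to_112` tests `$config['system']['sshdenable']`, but the key every other hunk in this patch retires (config.console.inc, filter.inc, service-utils.inc, rc.sshd and system_advanced_admin.php) is `enablesshd`, so the branch never matches and a box that had SSH enabled comes out of the upgrade with `ssh/enabled` unset and sshd no longer started. The two lines should read `if (isset($config['system']['enablesshd'])) {` and `unset($config['system']['enablesshd']);`. The representation also drifts: this function stores `true` for `enabled` and `passwordauth` while the web UI and console path store the string `'enabled'`; the consumers only `isset()` the keys, so it works, but one convention would be easier to reason about. The `sshdkeyonly` to `passwordauth` inversion itself is behaviour-preserving, since the old code allowed password logins exactly when the flag was absent and that case now writes the new flag explicitly.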
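Review bot: The rewritten `else` branch in rc.sshd now emits `PasswordAuthentication no` and `ChallengeResponseAuthentication no` whenever `passwordauth` is absent, which flips the default from the old `sshdkeyonly` logic (absent flag meant passwords allowed) to key-only, and nothing in the file records that. A comment above the `if` would spare the next reader re-deriving it: `/* No 'passwordauth' means key-only access: password and challenge-response (PAM keyboard-interactive) logins are both refused. */`. Because this default is now fail-closed, fresh installs depend on what config.xml seeds; the three lines removed from that file are not legible in this patch, so it is worth confirming that a new system does not end up key-only with no key enrolled.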
@@ -49,9 +49,9 @@ $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
 $pconfig['enableserial'] = $config['system']['enableserial'];
 $pconfig['serialspeed'] = $config['system']['serialspeed'];
 $pconfig['primaryconsole'] = $config['system']['primaryconsole'];
-$pconfig['enablesshd'] = $config['system']['enablesshd'];
+$pconfig['enablesshd'] = $config['system']['ssh']['enabled'];
 $pconfig['sshport'] = $config['system']['ssh']['port'];
-$pconfig['sshdkeyonly'] = isset($config['system']['ssh']['sshdkeyonly']);
+$pconfig['passwordauth'] = isset($config['system']['ssh']['passwordauth']);
 $pconfig['sshdpermitrootlogin'] = isset($config['system']['ssh']['permitrootlogin']);
 $pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']);
@@ -89,10 +89,11 @@ if ($_POST) {
 if(!is_port($_POST['sshport']))
 $input_errors[] = gettext("You must specify a valid port number");
- if($_POST['sshdkeyonly'] == "yes")
- $config['system']['ssh']['sshdkeyonly'] = "enabled";
- else if (isset($config['system']['ssh']['sshdkeyonly']))
- unset($config['system']['ssh']['sshdkeyonly']);
+ if ($_POST['passwordauth'] == 'yes') {
+ $config['system']['ssh']['passwordauth'] = 'enabled';
+ } elseif (isset($config['system']['ssh']['passwordauth'])) {
+ unset($config['system']['ssh']['passwordauth']);
+ }
 if($_POST['sshdpermitrootlogin'] == "yes")
 $config['system']['ssh']['permitrootlogin'] = "enabled";
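Review bot: The `passwordauth` block added in the hunk at line 89 sits in the input-validation section, directly after the `is_port` check that may populate `$input_errors`, so `$config` is modified before validation has passed; the same key is then written a second time in the hunk at line 177, which tests plain truthiness and stores `true` rather than `'enabled'`. One of the two writes should go, and the later one belongs with the other persisted settings, so dropping this early block is the simpler fix; if it stays, the two should at least use the same test and value. With strict types in mind, `== 'yes'` should be `=== 'yes'` here. The enclosing `if ($_POST)` handler starts and ends outside this hunk.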
@@ -176,17 +177,19 @@ if ($_POST) {
 else
 unset($config['system']['webgui']['althostnames']);
- $sshd_enabled = $config['system']['enablesshd'];
- if($_POST['enablesshd'])
- $config['system']['enablesshd'] = "enabled";
- else
- unset($config['system']['enablesshd']);
+ $sshd_enabled = $config['system']['ssh']['enabled'];
+ if ($_POST['enablesshd']) {
+ $config['system']['ssh']['enabled'] = 'enabled';
+ } else {
+ unset($config['system']['ssh']['enabled']);
+ }
- $sshd_keyonly = isset($config['system']['ssh']['sshdkeyonly']);
- if ($_POST['sshdkeyonly'])
- $config['system']['ssh']['sshdkeyonly'] = true;
- else if (isset($config['system']['ssh']['sshdkeyonly']))
- unset($config['system']['ssh']['sshdkeyonly']);
+ $sshd_passwordauth = isset($config['system']['ssh']['passwordauth']);
+ if ($_POST['passwordauth']) {
+ $config['system']['ssh']['passwordauth'] = true;
+ } else if (isset($config['system']['ssh']['passwordauth'])) {
+ unset($config['system']['ssh']['passwordauth']);
+ }
 $sshd_port = $config['system']['ssh']['port'];
 if ($_POST['sshport'])
@@ -197,8 +200,8 @@ if ($_POST) {
 if (!isset($_POST['sshdpermitrootlogin']) && isset($config['system']['ssh']['permitrootlogin']))
 unset($config['system']['ssh']['permitrootlogin']);
- if (($sshd_enabled != $config['system']['enablesshd']) ||
- ($sshd_keyonly != $config['system']['ssh']['sshdkeyonly']) ||
+ if (($sshd_enabled != $config['system']['ssh']['enabled']) ||
+ ($sshd_passwordauth != $config['system']['ssh']['passwordauth']) ||
 ($sshd_port != $config['system']['ssh']['port']) ||
 ($pconfig['system']['ssh']['permitrootlogin'] != isset($config['system']['ssh']['permitrootlogin'])) ) {
 $restart_sshd = true;
@@ -501,10 +504,10 @@ include("head.inc"); - /> - + /> +
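Review bot: `$sshd_passwordauth` is captured as a boolean via `isset()`, but the restart condition in the hunk at line 200 compares it with `!=` against the raw stored value, which is `true` or unset, so the test only works through loose comparison; `($sshd_passwordauth != isset($config['system']['ssh']['passwordauth'])) ||` puts a boolean on both sides, and `$sshd_enabled`, which holds `'enabled'` or null, would benefit from the same treatment. The two new blocks also differ in style: the one added at line 89 uses `elseif` while this one uses `else if`. In the unchanged part of the same condition, `$pconfig['system']['ssh']['permitrootlogin']` does not appear to be a key this page fills (the first hunk of this file sets `$pconfig['sshdpermitrootlogin']`), so that term is presumably always null and forces a restart whenever root login is enabled; worth confirming separately from this commit. The enclosing `if ($_POST)` handler starts and ends outside these hunks.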
- +
@@ -603,7 +606,7 @@ if ($restart_sshd) {
 killbyname("sshd");
 log_error(gettext("secure shell configuration has changed. Stopping sshd."));
- if ($config['system']['enablesshd']) {
+ if ($config['system']['ssh']['enabled']) {
 log_error(gettext("secure shell configuration has changed. Restarting sshd."));
 send_event("service restart sshd");
 }
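Review bot: `if ($config['system']['ssh']['enabled'])` tests truthiness, whereas rc.sshd, filter.inc and service-utils.inc all gate the same key with `isset()`; the values written today (`'enabled'`, `true`) make the two forms agree, but any other stored value would be treated differently by the restart path and by the service it restarts. `if (isset($config['system']['ssh']['enabled'])) {` keeps this decision on the same test as rc.sshd.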