rc: rework sshd handling

* Prefer the openssh-portable port, but fall back to the base version if it is available. * Refactor the key generation to produce less duplicated code. * Locking is completely bogus, but I have no clue how to fix that short term without doing a full audit of the subsystem-dirty mechanic.
2026-03-15 09:04:39 +00:00 · 2015-01-25 13:57:16 +01:00 · 2015-01-25 13:57:16 +01:00 · ab28de2e19
commit ab28de2e19
parent 2833fbcad4
1 changed files with 53 additions and 35 deletions
--- a/src/etc/rc.sshd
+++ b/src/etc/rc.sshd
@ -4,6 +4,7 @@
 /*
 	Copyright (C) 2004 Scott K Ullrich
 	Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
+	Copyright (C) 2015 Franco Fichtner <franco@opnsense.org>
 	All rights reserved.

 	Redistribution and use in source and binary forms, with or without
@ -28,10 +29,10 @@
 	POSSIBILITY OF SUCH DAMAGE.
 */

-require_once("globals.inc");
-require_once("config.inc");
-require_once("functions.inc");
-require_once("shaper.inc");
+require_once('globals.inc');
+require_once('config.inc');
+require_once('functions.inc');
+require_once('shaper.inc');

 killbyname('sshd');

@ -44,26 +45,46 @@ if (!is_subsystem_dirty('sshdkeys')) {
 	conf_mount_rw();
 }

-if (file_exists('/conf/sshd/ssh_host_key') && !file_exists('/etc/ssh/ssh_host_key')) {
-	mwexec('/bin/cp -p /conf/sshd/* /etc/ssh/');
-}
-
 $keys = array(
-	'ssh_host_key',
-	'ssh_host_key.pub',
-	'ssh_host_dsa_key',
-	'ssh_host_dsa_key.pub',
-	'ssh_host_rsa_key',
-	'ssh_host_rsa_key.pub',
-	'ssh_host_ecdsa_key',
-	'ssh_host_ecdsa_key.pub',
-	//'ssh_host_ed25519_key',
-	//'ssh_host_ed25519_key.pub'
+	/* .pub files are implied */
+	'rsa1' => 'ssh_host_key',
+	'rsa' => 'ssh_host_rsa_key',
+	'dsa' => 'ssh_host_dsa_key',
+	'ecdsa' => 'ssh_host_ecdsa_key',
+	'ed25519' => 'ssh_host_ed25519_key',
 );

-foreach($keys as $f2c) {
-	if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) {
-		unlink("/etc/ssh/{$f2c}");
+if (file_exists('/usr/local/sbin/sshd')) {
+	/* use the ports version */
+	$bin_ssh_keygen = '/usr/local/bin/ssh-keygen';
+	$sbin_sshd = '/usr/local/sbin/sshd';
+	$etc_ssh = '/usr/local/etc/ssh';
+} elseif (file_exists('/usr/sbin/sshd')) {
+	/* use the base version (legacy fallback) */
+	$bin_ssh_keygen = '/usr/bin/ssh-keygen';
+	$sbin_sshd = '/usr/sbin/sshd';
+	$etc_ssh = '/etc/ssh';
+	/* mode is not supported */
+	unset($keys['ed25519']);
+} else {
+	/* the infamous "this should never happen" */
+	log_error(_('Could not find an SSH implementation on your system.'));
+	return;
+}
+
+/* reinstall the backup if it is available */
+if (file_exists('/conf/sshd/ssh_host_key') && !file_exists("{$etc_ssh}/ssh_host_key")) {
+	mwexec("/bin/cp -p /conf/sshd/* {$etc_ssh}/");
+}
+
+foreach($keys as $name) {
+	$file = "{$etc_ssh}/etc/ssh/{$name}";
+	if (file_exists($file) && filesize($file) == 0) {
+		unlink($file);
+	}
+	$file = "{$file}.pub";
+	if (file_exists($file) && filesize($file) == 0) {
+		unlink($file);
 	}
 }

@ -73,8 +94,6 @@ foreach($keys as $f2c) {
 /* Login related files. */
 touch("/var/log/lastlog");

-$sshConfigDir = "/etc/ssh";
-
 if (isset($config['system']['ssh']['port'])) {
 	$sshport = $config['system']['ssh']['port'];
 } else {
@ -112,7 +131,7 @@ if (isset($config['system']['ssh']['sshdkeyonly'])) {
 }

 /* Write the new sshd config file */
-file_put_contents('/etc/ssh/sshd_config', $sshconf);
+file_put_contents("{$etc_ssh}/sshd_config", $sshconf);

 /* are we already running?  if so exit */
 if (is_subsystem_dirty('sshdkeys')) {
@ -121,8 +140,9 @@ if (is_subsystem_dirty('sshdkeys')) {

 // Check for all needed key files. If any are missing, the keys need to be regenerated.
 $generate_keys = false;
-foreach ($keys as $f2c) {
-	if (!file_exists("/etc/ssh/{$f2c}")) {
+foreach ($keys as $name) {
+	$file = "{$etc_ssh}/{$name}";
+	if (!file_exists($file) || !file_exists("{$file}.pub")) {
 		$generate_keys = true;
 		break;
 	}
@ -131,27 +151,25 @@ foreach ($keys as $f2c) {
 if ($generate_keys) {
 	log_error(_('Started creating your SSH keys. SSH startup is being delayed a wee bit.'));
 	mark_subsystem_dirty('sshdkeys');
-	mwexec('/bin/rm /etc/ssh/ssh_host_*', true);
-	mwexec("/usr/bin/ssh-keygen -t rsa1 -N '' -f {$sshConfigDir}/ssh_host_key");
-	mwexec("/usr/bin/ssh-keygen -t rsa -N '' -f {$sshConfigDir}/ssh_host_rsa_key");
-	mwexec("/usr/bin/ssh-keygen -t dsa -N '' -f {$sshConfigDir}/ssh_host_dsa_key");
-	mwexec("/usr/bin/ssh-keygen -t ecdsa -N '' -f {$sshConfigDir}/ssh_host_ecdsa_key");
-	//mwexec("/usr/bin/ssh-keygen -t ed25519 -N '' -f {$sshConfigDir}/ssh_host_ed25519_key");
+	mwexec("/bin/rm -f {$etc_ssh}/ssh_host_*");
+	foreach ($keys as $type => $name) {
+		mwexec(sprintf('%s -t %s -N "" -f %s/%s', $bin_ssh_keygen, $type, $etc_ssh, $name));
+	}
 	clear_subsystem_dirty('sshdkeys');
 	log_error(_('Completed creating your SSH keys. SSH will now be started.'));
 }

 /* Launch new server process */
 echo "Reloading sshd...";
-if (mwexec('/usr/sbin/sshd')) {
+if (mwexec($sbin_sshd)) {
 	echo "failed.\n";
 } else {
 	echo "done.\n";
 }

-/* back up files in case they are useful */
+/* back up files in case they are useful ;) */
@mkdir('/conf/sshd', 0777, true);
-mwexec('/bin/cp -p /etc/ssh/ssh_host* /conf/sshd');
+mwexec("/bin/cp -p ${etc_ssh}/ssh_host_* /conf/sshd/");

 conf_mount_ro();
 unset($keys);