From 46251a023f02ef023f4483c37426dcf7dd9051f8 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 11 Dec 2014 09:44:56 +0100 Subject: [PATCH 1/4] inc: we still need auto_login() for Instead of leaving the doors wide open, we make the default and bring back the killswitch for everbody who doesn't like it. --- src/etc/config.xml | 2 +- src/etc/inc/pfsense-utils.inc | 61 ++++++++++++++++++++++++++++++++--- src/etc/inc/system.inc | 11 ------- src/etc/rc.bootup | 3 -- 4 files changed, 58 insertions(+), 19 deletions(-) diff --git a/src/etc/config.xml b/src/etc/config.xml index bfdd229d6..02b1415f6 100644 --- a/src/etc/config.xml +++ b/src/etc/config.xml @@ -189,7 +189,7 @@ https yes - + diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc index fb1a971d2..4a6b82edb 100644 --- a/src/etc/inc/pfsense-utils.inc +++ b/src/etc/inc/pfsense-utils.inc @@ -998,13 +998,65 @@ function setup_serial_port($when="save", $path="") { } unset($on_off, $console_type, $serial_type); fclose($fd); + auto_login(); reload_ttys(); - conf_mount_ro(); - return; } -function is_serial_enabled() { +function auto_login() +{ + global $config; + + /* + * This function appends the autologin extension in /etc/gettytab + * for the main console. This only works with a vanilla config; + * it is likely that manual editing by the user will make this + * function stop working properly. In case of no match, throw a + * little error... + */ + + $getty_file = "/etc/gettytab"; + $getty_text = explode("\n", file_get_contents($getty_file)); + + $getty_al = isset($config['system']['disableconsolemenu']) ? "" : "al=root:"; + $getty_base = "\t:ht:np:sp#9600:"; + $getty_new = $getty_base . $getty_al; + $getty_ok = false; + + foreach ($getty_text as $getty_old) { + if (!strncmp($getty_old, $getty_base, strlen($getty_base))) { + if (!strcmp($getty_old, $getty_new)) { + /* already the correct setting */ + return; + } + $getty_ok = true; + } + } + + if (!$getty_ok) { + log_error(gettext("Could not toggle auto login setting.")); + return; + } + + $fd = fopen($getty_file, "w"); + if (!$fd) { + log_error(gettext("Could not write auto login setting.")); + return; + } + + foreach ($getty_text as $getty_old) { + if (!strncmp($getty_old, $getty_base, strlen($getty_base))) { + fprintf($fd, "%s\n", $getty_new); + } else { + fprintf($fd, "%s\n", $getty_old); + } + } + + fclose($fd); +} + +function is_serial_enabled() +{ global $g, $config; if (!isset($g['enableserial_force']) && @@ -1015,7 +1067,8 @@ function is_serial_enabled() { return true; } -function reload_ttys() { +function reload_ttys() +{ // Send a HUP signal to init will make it reload /etc/ttys posix_kill(1, SIGHUP); } diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index 862a3f3fe..6dc047336 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -1681,17 +1681,6 @@ function system_reboot_cleanup() { stop_packages(); } -function system_console_configure() -{ - global $config, $g; - - if (isset($config['system']['disableconsolemenu'])) { - touch("{$g['varetc_path']}/disableconsole"); - } else { - unlink_if_exists("{$g['varetc_path']}/disableconsole"); - } -} - function system_dmesg_save() { global $g; diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index c55215ee8..6697e8e73 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup @@ -301,9 +301,6 @@ echo "done.\n"; /* start load balancer daemon */ relayd_configure(); -/* configure console menu */ -system_console_configure(); - /* start DHCP service */ services_dhcpd_configure(); From c076d1c7283a5a9e6ad17c81b97f3723947d2e6e Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 11 Dec 2014 10:06:31 +0100 Subject: [PATCH 2/4] rc: change install media workflow * Boot into the installer by default; it can still be aborted. * Remove the dysfunct rescue installer. The normal installer now has a better rescue tool called "Import configuration". * Move and rework the installer launcher as rc.installer. It can be called at any time if needed. --- src/etc/rc.bootup | 54 +++++----- src/etc/rc.initial | 42 +++----- src/etc/rc.installer | 95 ++++++++++++++++++ src/installer/lua_installer | 155 ----------------------------- src/installer/lua_installer_rescue | 146 --------------------------- 5 files changed, 134 insertions(+), 358 deletions(-) create mode 100755 src/etc/rc.installer delete mode 100755 src/installer/lua_installer delete mode 100755 src/installer/lua_installer_rescue diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup index 6697e8e73..2e239cfe6 100755 --- a/src/etc/rc.bootup +++ b/src/etc/rc.bootup @@ -31,21 +31,19 @@ POSSIBILITY OF SUCH DAMAGE. */ -function rescue_detect_keypress() { - // How long do you want the script to wait before moving on (in seconds) - $timeout=9; +function rescue_detect_keypress() +{ + $timeout = 9; + echo "\n"; - echo "[ Press R to enter recovery mode or ]\n"; - echo "[ press I to launch the installer ]\n\n"; - echo "(R)ecovery mode can assist by rescuing config.xml\n"; - echo "from a broken hard disk installation, etc.\n\n"; - echo "(I)nstaller may be invoked now if you do \n"; - echo "not wish to boot into the liveCD environment at this time.\n\n"; - echo "(C) continues the LiveCD bootup without further pause.\n\n"; + echo "(I)nstaller will be invoked by default.\n\n"; + echo "(C)ontinue with LiveCD bootup instead.\n\n"; + echo "(R)ecovery mode escapes to a root shell.\n\n"; echo "Timeout before auto boot continues (seconds): {$timeout}"; + $key = null; exec("/bin/stty erase " . chr(8)); - while(!in_array($key, array("c", "C", "r","R", "i", "I", "~", "!"))) { + while (!in_array($key, array("c", "C", "r","R", "i", "I"))) { echo chr(8) . "{$timeout}"; `/bin/stty -icanon min 0 time 25`; $key = trim(`KEY=\`dd count=1 2>/dev/null\`; echo \$KEY`); @@ -53,30 +51,26 @@ function rescue_detect_keypress() { // Decrement our timeout value $timeout--; // If we have reached 0 exit and continue on - if ($timeout == 0) - break; + if ($timeout == 0) { + break; + } } - // If R or I was pressed do our logic here + + echo "\n\n"; + if (in_array($key, array("r", "R"))) { - putenv("TERM=cons25"); - echo "\n\nRecovery mode selected...\n"; - passthru("/usr/bin/env TERM=cons25 /bin/csh -c /usr/local/installer/lua_installer_rescue"); - } elseif (in_array($key, array("i", "I"))) { - putenv("TERM=cons25"); - echo "\n\nInstaller mode selected...\n"; - passthru("/usr/bin/env TERM=cons25 /bin/csh -c /usr/local/installer/lua_installer"); - if(file_exists("/tmp/install_complete")) { - passthru("/usr/local/etc/rc.reboot"); - exit; - } - } elseif (in_array($key, array("!", "~"))) { - putenv("TERM=cons25"); - echo "\n\nRecovery shell selected...\n"; - echo "\n"; + echo "Recovery shell selected...\n\n"; touch("/tmp/donotbootup"); exit; + } elseif (in_array($key, array("c", "C"))) { + /* nothing */ } else { - echo "\n\n"; + echo "Installer mode selected...\n"; + passthru("/usr/local/etc/rc.installer"); + if (file_exists("/tmp/install_complete")) { + passthru("/usr/local/etc/rc.reboot"); + exit; + } } } diff --git a/src/etc/rc.initial b/src/etc/rc.initial index 3a4fc24da..2c09e4dd3 100755 --- a/src/etc/rc.initial +++ b/src/etc/rc.initial @@ -14,25 +14,15 @@ # If recovery console shell option has been specified if [ -f "/tmp/donotbootup" ]; then - /usr/bin/env prompt="%B[%n@%m]%b%/(%h)||RecoveryConsoleShell: " /bin/csh - rm "/tmp/donotbootup" - echo "Rebooting in 5 seconds... CTRL-C to abort..." - sleep 5 + rm /tmp/donotbootup + /bin/csh /usr/local/etc/rc.reboot - exit + # no coming back from here fi -CONFIG="/cf/conf/config.xml" -WORD="https" - -# Set our operating platform -PLATFORM=`cat /usr/local/etc/platform` - # endless loop while : ; do -product=`grep product_name /usr/local/etc/inc/globals.inc | cut -d'"' -f4` - # Check to see if SSH is running. if pgrep -q -a -F /var/run/sshd.pid sshd >/dev/null 2>&1; then sshd_option="14) Disable Secure Shell (sshd)"; @@ -40,21 +30,24 @@ else sshd_option="14) Enable Secure Shell (sshd)"; fi -if [ "$PLATFORM" = "cdrom" ]; then - option99="99) Install ${product} to a hard drive, etc." +# If we are on the LiveCD advertise the installer +if _tmpdir=$(mktemp -d -q /.diskless.XXXXXX); then + rmdir ${_tmpdir} +else + option99="99) Launch the installer" fi -# display a cheap menu echo " 0) Logout 8) Shell" echo " 1) Assign Interfaces 9) pfTop" echo " 2) Set interface(s) IP address 10) Filter Logs" -echo " 3) Reset webConfigurator password 11) Restart webConfigurator" -echo " 4) Reset to factory defaults 12) ${product} Developer Shell" +echo " 3) Reset the root password 11) Restart web interface" +echo " 4) Reset to factory defaults 12) Developer Shell" echo " 5) Reboot system 13) Upgrade from console" echo " 6) Halt system ${sshd_option}" -echo " 7) Ping host 15) Restore recent configuration" -if [ "${option99}" != "" ]; then - /bin/echo "${option99}" +echo " 7) Ping host 15) Restore a configuration" +if [ -n "${option99}" ]; then +# flat for alignment... +echo " ${option99}" fi echo @@ -112,18 +105,13 @@ case ${opmode} in /usr/local/etc/rc.restore_config_backup ;; 99) - if [ -e /dev/ukbd0 ]; then - env TERM=cons25 /usr/local/installer/lua_installer - else - /usr/local/installer/lua_installer - fi + /usr/local/etc/rc.installer ;; *) ;; esac /usr/local/etc/rc.initial.banner - echo done diff --git a/src/etc/rc.installer b/src/etc/rc.installer new file mode 100755 index 000000000..76f028fec --- /dev/null +++ b/src/etc/rc.installer @@ -0,0 +1,95 @@ +#!/bin/sh +# +# Launch BSD Installer with fake "installer root" +# Copyright 2004-2009 Scott Ullrich +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +PRODUCT=`grep product_name /usr/local/etc/inc/globals.inc | cut -d'"' -f4` +USERNAME=`grep factory_shipped_username /usr/local/etc/inc/globals.inc | cut -d'"' -f4` +PASSWORD=`grep factory_shipped_password /usr/local/etc/inc/globals.inc | cut -d'"' -f4` + +/sbin/sysctl kern.geom.debugflags=16 >/dev/null +/sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null + +/sbin/ifconfig lo0 127.0.0.1/24 +/sbin/ifconfig lo0 up + +# Start the backend in the background (must mute all the ouput) +LUA_CPATH='/usr/local/lib/lua/5.0/?.so' /usr/local/bin/lua50 \ + -l/usr/local/share/lua/5.0/compat-5.1.lua \ + /usr/local/share/dfuibe_lua/main.lua \ + /usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \ + /usr/local/share/dfuibe_lua/conf/FreeBSD.lua \ + /usr/local/share/dfuibe_lua/conf/pfSense.lua > /dev/null 2>&1 & + +/sbin/conscontrol mute on > /dev/null + +# Launch the frontend goo (must include cons25 for first boot) +TERM=cons25 /usr/local/sbin/dfuife_curses + +/sbin/conscontrol mute off > /dev/null + +if [ ! -f /tmp/install_complete ]; then + echo "The installation was aborted." + echo + exit +fi + +clear + +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo +echo "${PRODUCT} is now rebooting" +echo +echo "After the reboot is complete, open a web browser and" +echo "enter https://192.168.1.1 (or the LAN IP Address) in the" +echo "location bar." +echo +echo "You might need to acknowledge the HTTPS certificate if " +echo "your browser reports it as untrusted. This is normal" +echo "as a self-signed certificate is used by default." +echo +echo "*DEFAULT Username*: ${USERNAME}" +echo "*DEFAULT Password*: ${PASSWORD}" +echo + +for n in 5 4 3 2 1; do + echo Rebooting in $n seconds. CTRL-C to abort. + sleep 1 +done +echo + +reboot diff --git a/src/installer/lua_installer b/src/installer/lua_installer deleted file mode 100755 index e922d3f82..000000000 --- a/src/installer/lua_installer +++ /dev/null @@ -1,155 +0,0 @@ -#!/bin/sh -# -# Launch BSD Installer with fake "installer root" -# Copyright 2004-2009 Scott Ullrich -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. - -product=`cat /usr/local/etc/inc/globals.inc | grep product_name | cut -d'"' -f4` -factory_shipped_password=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_password | cut -d'"' -f4` -factory_shipped_username=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_username | cut -d'"' -f4` - -echo -echo "Launching ${product} Installer..." -echo - -# Ensure install-session.sh exists where the installtion was recorded to -touch /tmp/install-session.sh - -/sbin/sysctl kern.geom.debugflags=16 -/sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null - -/sbin/ifconfig lo0 127.0.0.1/24 -/sbin/ifconfig lo0 up - -# Check if host is running on VMware -- early boot -if [ `dmesg -a | grep VMware | wc -l` -gt 0 ]; then - touch /var/IS_VMWARE -fi - -# Check if host is running on VMware -if [ -f /var/log/dmesg.boot ]; then - if [ `cat /var/log/dmesg.boot | /usr/bin/grep VMware | /usr/bin/wc -l` -gt 0 ]; then - echo -n "VMware detected. The installer will make changes to tune this host." - touch /var/IS_VMWARE - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo "." - fi - - # Check if host is running on pfSenseDEV - if [ `/sbin/sysctl -n kern.bootfile | /usr/bin/grep pfSense_Dev | /usr/bin/wc -l` -gt 0 ]; then - echo -n "${product} developer iso detected." - touch /var/pfSenseDEV - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo "." - fi - - if [ -f /var/run/dmesg.boot ]; then - ln -s /var/log/dmesg.boot /var/run/dmesg.boot - fi -fi - -echo "One moment please..." -echo - -echo -n "LUA_CPATH='/usr/local/lib/lua/5.0/?.so' exec /usr/local/bin/lua50 -l/usr/local/share/lua/5.0/compat-5.1.lua " > /tmp/lua50c51 - -echo "/usr/local/share/dfuibe_lua/main.lua \ -/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \ -/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \ -/usr/local/share/dfuibe_lua/conf/pfSense.lua " >> /tmp/lua50c51 - -#/sbin/conscontrol mute on >/dev/null 2>&1 - -sh /tmp/lua50c51 >/dev/null 2>&1 & - -sleep 1 - -echo Launching Installer NCurses frontend... -/usr/local/sbin/dfuife_curses - -#/sbin/conscontrol mute off >/dev/null 2>&1 - -if [ ! -f /tmp/install_complete ]; then - echo Installation did not finish correctly. - exit -fi - -clear - -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo "${product} is now rebooting" -echo -echo "After the reboot is complete, open a web browser and" -echo "enter https://192.168.1.1 (or the LAN IP Address) in the" -echo "location bar." -echo -echo "You might need to acknowledge the HTTPS certificate if " -echo "your browser reports it as untrusted. This is normal" -echo "as a self-signed certificate is used by default." -echo -echo "*DEFAULT Username*: ${factory_shipped_username}" -echo "*DEFAULT Password*: ${factory_shipped_password}" -echo - -echo Rebooting in 5 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 4 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 3 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 2 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 1 second.. CTRL-C to abort. -sleep 1 -echo -echo ${product} is now rebooting. -echo - -reboot - diff --git a/src/installer/lua_installer_rescue b/src/installer/lua_installer_rescue deleted file mode 100755 index 3fe7ced3f..000000000 --- a/src/installer/lua_installer_rescue +++ /dev/null @@ -1,146 +0,0 @@ -#!/bin/sh -# -# Launch BSD Installer with fake "installer root" -# Copyright 2004-2009 Scott Ullrich -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. - -product=`cat /usr/local/etc/inc/globals.inc | grep product_name | cut -d'"' -f4` -factory_shipped_password=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_password | cut -d'"' -f4` -factory_shipped_username=`cat /usr/local/etc/inc/globals.inc | grep factory_shipped_username | cut -d'"' -f4` - -echo -echo "Launching ${product} Installer config.xml rescue..." -echo -echo "One moment please..." -echo - -# Ensure install-session.sh exists where the installtion was recorded to -touch /tmp/install-session.sh - -/sbin/sysctl kern.geom.debugflags=16 -/sbin/sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null - -/sbin/ifconfig lo0 127.0.0.1/24 -/sbin/ifconfig lo0 up - -# Check if host is running on VMware -if [ -f /var/log/dmesg.boot ]; then - if [ `cat /var/log/dmesg.boot | /usr/bin/grep VMware | /usr/bin/wc -l` -gt 0 ]; then - echo -n "VMware detected. The installer will make changes to tune this host." - touch /var/IS_VMWARE - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo "." - fi - - # Check if host is running on pfSenseDEV - if [ `/sbin/sysctl -n kern.bootfile | /usr/bin/grep pfSense_Dev | /usr/bin/wc -l` -gt 0 ]; then - echo -n "${product} developer iso detected." - touch /var/pfSenseDEV - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo -n "." - sleep 1 - echo "." - fi - - if [ -f /var/run/dmesg.boot ]; then - ln -s /var/log/dmesg.boot /var/run/dmesg.boot - fi -fi - -echo Launching LUA Installer... -echo -n "LUA_CPATH='/usr/local/lib/lua/5.0/?.so' exec /usr/local/bin/lua50 -l/usr/local/share/lua/5.0/compat-5.1.lua " > /tmp/lua50c51 - -echo "/usr/local/share/dfuibe_lua/main.lua \ -/usr/local/share/dfuibe_lua/conf/BSDInstaller.lua \ -/usr/local/share/dfuibe_lua/conf/FreeBSD.lua \ -/usr/local/share/dfuibe_lua/conf/pfSense_rescue.lua " >> /tmp/lua50c51 - -#/sbin/conscontrol mute on >/dev/null 2>&1 - -sh /tmp/lua50c51 >/dev/null 2>&1 & - -sleep 1 - -echo Launching Installer NCurses frontend... -/usr/local/sbin/dfuife_curses - -#/sbin/conscontrol mute off >/dev/null 2>&1 - -if [ ! -f /tmp/install_complete ]; then - echo Installation did not finish correctly. - exit -fi - -clear - -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo -echo "${product} is now rebooting" -echo -echo "After the reboot is complete, open a web browser and" -echo "enter http://192.168.1.1 (or the LAN IP Address) in the" -echo "location bar." -echo -echo "*DEFAULT Username*: ${factory_shipped_username}" -echo "*DEFAULT Password*: ${factory_shipped_password}" -echo - -echo Rebooting in 5 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 4 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 3 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 2 seconds. CTRL-C to abort. -sleep 1 -echo Rebooting in 1 second.. CTRL-C to abort. -sleep 1 -echo -echo ${product} is now rebooting. -echo - -reboot - From a1a316b7fbde391b752d3b61d5a5779a2df45287 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 11 Dec 2014 10:42:41 +0100 Subject: [PATCH 3/4] rc: rework sshd start/stop script --- src/etc/rc.sshd | 138 ++++++++++++++++++------------------------------ 1 file changed, 50 insertions(+), 88 deletions(-) diff --git a/src/etc/rc.sshd b/src/etc/rc.sshd index 4e7f2a000..dae1376a7 100755 --- a/src/etc/rc.sshd +++ b/src/etc/rc.sshd @@ -2,9 +2,8 @@ . + Copyright (C) 2004 Scott K Ullrich + Copyright (C) 2004 Fred Mol . All rights reserved. Redistribution and use in source and binary forms, with or without @@ -34,6 +33,8 @@ require_once("config.inc"); require_once("functions.inc"); require_once("shaper.inc"); +killbyname('sshd'); + if (!isset($config['system']['enablesshd'])) { return; } @@ -43,6 +44,10 @@ if (!is_subsystem_dirty('sshdkeys')) { conf_mount_rw(); } +if (file_exists('/conf/sshd/ssh_host_key') && !file_exists('/etc/ssh/ssh_host_key')) { + mwexec('/bin/cp -p /conf/sshd/* /etc/ssh/'); +} + $keys = array( 'ssh_host_key', 'ssh_host_key.pub', @@ -56,93 +61,61 @@ $keys = array( 'ssh_host_ed25519_key.pub' ); -/* restore ssh data for nanobsd platform */ -if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key") and !file_exists("/etc/ssh/ssh_host_key.pub")) { - echo "Restoring SSH from /conf/sshd/"; - exec("/bin/cp -p /conf/sshd/* /etc/ssh/"); - - /* make sure host private key permissions aren't too open so sshd won't complain */ - foreach($keys as $f2c) { - if(file_exists("/etc/ssh/{$f2c}")) - chmod("/etc/ssh/{$f2c}", 0600); - } -} - -/* if any of these files are 0 bytes then they are corrupted. - * remove them - */ foreach($keys as $f2c) { if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) { - unlink_if_exists('/etc/ssh/ssh_host*'); - break; + unlink("/etc/ssh/{$f2c}"); } } -if (!is_dir("/var/empty")) { - /* make ssh home directory */ - mkdir("/var/empty", 0555); -} +/* make ssh home directory */ +@mkdir("/var/empty", 0555, true); -if(!file_exists("/var/log/lastlog")) { - /* Login related files. */ - @touch("/var/log/lastlog"); -} +/* Login related files. */ +touch("/var/log/lastlog"); $sshConfigDir = "/etc/ssh"; -if (is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) +if (isset($config['system']['ssh']['port'])) { $sshport = $config['system']['ssh']['port']; -else +} else { $sshport = 22; +} + +/* + * XXX ZOMG sshd_config BOOTSTRAPPING ACTION + * + * We can't just ditch the system file by default and roll + * our own. Instead, use the current file to find the actual + * settings that need toggling, then toggle them! + */ /* Include default configuration for pfSense */ -$sshconf = "# This file is automatically generated at startup\n"; -$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; -$sshconf .= "PermitRootLogin yes\n"; +$sshconf = "# This file was automatically generated by /usr/local/etc/rc.sshd\n"; +$sshconf .= "Port {$sshport}\n"; +$sshconf .= "Protocol 2\n"; +/* XXX a couple of those need moar cleanups: */ $sshconf .= "Compression yes\n"; $sshconf .= "ClientAliveInterval 30\n"; $sshconf .= "UseDNS no\n"; $sshconf .= "X11Forwarding no\n"; +$sshconf .= "PubkeyAuthentication yes\n"; +$sshconf .= "Subsystem\tsftp\tinternal-sftp\n"; +if (isset($config['system']['ssh']['permitrootlogin'])) { + $sshconf .= "PermitRootLogin yes\n"; +} if (isset($config['system']['ssh']['sshdkeyonly'])) { - $sshconf .= "# Login via Key only\n"; $sshconf .= "PasswordAuthentication no\n"; $sshconf .= "ChallengeResponseAuthentication no\n"; - $sshconf .= "PubkeyAuthentication yes\n"; } else { - $sshconf .= "# Login via Key and Password\n"; $sshconf .= "PasswordAuthentication yes\n"; $sshconf .= "ChallengeResponseAuthentication yes\n"; - $sshconf .= "PubkeyAuthentication yes\n"; } -$sshconf .= "# override default of no subsystems\n"; -$sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n"; -/* Only allow protocol 2, because we say so */ -$sshconf .= "Protocol 2\n"; -/* Run the server on another port if we have one defined */ -$sshconf .= "Port $sshport\n"; -/* Hide FreeBSD version */ -$sshconf .= "VersionAddendum \n"; /* Write the new sshd config file */ -@file_put_contents("/etc/ssh/sshd_config", $sshconf); - -/* mop up from a badly implemented ssh keys -> cf backup */ -if($config['ssh']['dsa_key'] <> "") { - unset($config['ssh']['dsa_key']); - unset($config['ssh']['ecdsa_key']); - unset($config['ssh']['ed25519_key']); - unset($config['ssh']['rsa_key']); - unset($config['ssh']['rsa1_key']); - unset($config['ssh']['dsa']); - unset($config['ssh']['rsa']); - unset($config['ssh']['rsa1']); - unset($config['ssh']['ak']); - write_config("Clearing SSH keys from config.xml"); -} +file_put_contents('/etc/ssh/sshd_config', $sshconf); /* are we already running? if so exit */ -if(is_subsystem_dirty('sshdkeys')) { - unset($keys); +if (is_subsystem_dirty('sshdkeys')) { return; } @@ -156,40 +129,29 @@ foreach ($keys as $f2c) { } if ($generate_keys) { - /* remove previous keys and regen later */ - file_notice("SSH", "{$g['product_name']} has started creating your SSH keys. SSH Startup will be delayed. Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", ""); - unlink_if_exists('/etc/ssh/ssh_host_*'); + log_error(_('Started creating your SSH keys. SSH startup is being delayed a wee bit.')); mark_subsystem_dirty('sshdkeys'); - echo " Generating Keys:\n"; - $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key"); - $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key"); - $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key"); - $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ecdsa -N '' -f $sshConfigDir/ssh_host_ecdsa_key"); - $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -N '' -f $sshConfigDir/ssh_host_ed25519_key"); + mwexec('/bin/rm /etc/ssh/ssh_host_*', true); + mwexec("/usr/bin/ssh-keygen -t rsa1 -N '' -f {$sshConfigDir}/ssh_host_key"); + mwexec("/usr/bin/ssh-keygen -t rsa -N '' -f {$sshConfigDir}/ssh_host_rsa_key"); + mwexec("/usr/bin/ssh-keygen -t dsa -N '' -f {$sshConfigDir}/ssh_host_dsa_key"); + mwexec("/usr/bin/ssh-keygen -t ecdsa -N '' -f {$sshConfigDir}/ssh_host_ecdsa_key"); + mwexec("/usr/bin/ssh-keygen -t ed25519 -N '' -f {$sshConfigDir}/ssh_host_ed25519_key"); clear_subsystem_dirty('sshdkeys'); - file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", ""); + log_error(_('Completed creating your SSH keys. SSH will now be started.')); } -/* kill existing sshd process, server only, not the childs */ -$sshd_pid = exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'"); -if($sshd_pid <> "") { - echo "stopping ssh process $sshd_pid \n"; - @posix_kill($sshd_pid, SIGTERM); -} /* Launch new server process */ -$status = mwexec("/usr/sbin/sshd"); -if($status <> 0) { - file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", ""); - echo "error!\n"; +echo "Reloading sshd..."; +if (mwexec('/usr/sbin/sshd')) { + echo "failed.\n"; } else { echo "done.\n"; } -// NanoBSD -if($g['platform'] == "nanobsd") { - if(!is_dir("/conf/sshd")) - mkdir("/conf/sshd", 0750); - $_gb = exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd"); -} +/* back up files in case they are useful */ +@mkdir('/conf/sshd', 0777, true); +mwexec('/bin/cp -p /etc/ssh/ssh_host* /conf/sshd'); + conf_mount_ro(); unset($keys); From 95babf60114588f1087bc5e416f215a1f42f553d Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 11 Dec 2014 11:43:20 +0100 Subject: [PATCH 4/4] www: top half of sshd rework * Sane defaults like FreeBSD: off, no root login, no passwords. * Fix a bug in handling. Yes, it has been broken for ages. --- src/etc/config.xml | 3 +++ src/www/system_advanced_admin.php | 37 +++++++++++++++++++++++++------ 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/src/etc/config.xml b/src/etc/config.xml index 02b1415f6..9b66ccfb3 100644 --- a/src/etc/config.xml +++ b/src/etc/config.xml @@ -202,6 +202,9 @@ monthly + + + diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php index d19284edd..f7f3d6dd4 100644 --- a/src/www/system_advanced_admin.php +++ b/src/www/system_advanced_admin.php @@ -1,7 +1,6 @@ + + + + /> + +
+ + + +