authorRenato Botelho <garga@FreeBSD.org>2014-05-30 09:01:02 -0300
committerRenato Botelho <garga@FreeBSD.org>2014-05-30 09:01:02 -0300
commit2d6e7bfb45ef798b4914b74a4ef71497709bacf6 (patch)
tree389b83d8bf1780c5c3d8bd1674fb047f6208cef8
parent7a47edcc26221cadbf2d9d27fe553d6820e0b10f (diff)
downloadpfsense-2d6e7bfb45ef798b4914b74a4ef71497709bacf6.zip
pfsense-2d6e7bfb45ef798b4914b74a4ef71497709bacf6.tar.gz
Improve /etc/sshd:
. Create ed25519 key for ssh and silent daemon . Remove some exec() calls . We do not need to re-create all keys if /root/.ssh/authorized_keys is empty . Remove some redundancy and declare a single array with all keys
-rwxr-xr-xetc/sshd60
1 files changed, 36 insertions, 24 deletions
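--- a/etc/sshd
+++ b/etc/sshd
@@ -43,31 +43,40 @@
 conf_mount_rw();
 }
+$keys = array(
+'ssh_host_key',
+'ssh_host_key.pub',
+'ssh_host_dsa_key',
+'ssh_host_dsa_key.pub',
+'ssh_host_rsa_key',
+'ssh_host_rsa_key.pub',
+'ssh_host_ecdsa_key',
+'ssh_host_ecdsa_key.pub',
+'ssh_host_ed25519_key',
+'ssh_host_ed25519_key.pub'
+);
+
 /* restore ssh data for nanobsd platform */
-if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key")) {
-if(!file_exists("/etc/ssh/ssh_host_key.pub")) {
-echo "Restoring SSH from /conf/sshd/";
-exec("/bin/cp -p /conf/sshd/* /etc/ssh/");
-
-/* make sure host private key permissions aren't too open so sshd won't complain */
-$files_to_check = array('ssh_host_dsa_key','ssh_host_key','ssh_host_rsa_key');
-foreach($files_to_check as $f2c) {
-if(file_exists("/etc/ssh/{$f2c}"))
-chmod("/etc/ssh/{$f2c}", 0600);
-}
-unset($files_to_check);
+if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key") and !file_exists("/etc/ssh/ssh_host_key.pub")) {
+echo "Restoring SSH from /conf/sshd/";
+exec("/bin/cp -p /conf/sshd/* /etc/ssh/");
+
+/* make sure host private key permissions aren't too open so sshd won't complain */
+foreach($keys as $f2c) {
+if(file_exists("/etc/ssh/{$f2c}"))
+chmod("/etc/ssh/{$f2c}", 0600);
 }
 }
 /* if any of these files are 0 bytes then they are corrupted.
 * remove them
 */
-$files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','/root/.ssh/authorized_keys');
-foreach($files_to_check as $f2c) {
-if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0)
-mwexec("rm /etc/ssh/ssh_host*", true);
+foreach($keys as $f2c) {
+if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) {
+unlink_if_exists(glob('/etc/ssh/ssh_host*'));
+break;
+}
 }
-unset($files_to_check);
 if (!is_dir("/var/empty")) {
 /* make ssh home directory */
@@ -127,6 +136,7 @@
 if($config['ssh']['dsa_key'] <> "") {
 unset($config['ssh']['dsa_key']);
 unset($config['ssh']['ecdsa_key']);
+unset($config['ssh']['ed25519_key']);
 unset($config['ssh']['rsa_key']);
 unset($config['ssh']['rsa1_key']);
 unset($config['ssh']['dsa']);
@@ -138,28 +148,30 @@
 /* are we already running? if so exit */
 if(is_subsystem_dirty('sshdkeys')) {
+unset($keys);
 return;
 }
 // Check for all needed key files. If any are missing, the keys need to be regenerated.
-$files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub', 'ssh_host_ecdsa_key', 'ssh_host_ecdsa_key.pub');
 $generate_keys = false;
-foreach ($files_to_check as $f2c) {
+foreach ($keys as $f2c) {
 if (!file_exists("/etc/ssh/{$f2c}")) {
 $generate_keys = true;
+break;
 }
 }
-unset($files_to_check);
+
 if ($generate_keys) {
 /* remove previous keys and regen later */
 file_notice("SSH", "{$g['product_name']} has started creating your SSH keys. SSH Startup will be delayed. Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
-mwexec("rm /etc/ssh/ssh_host_*", true);
+unlink_if_exists(glob('/etc/ssh/ssh_host_*'));
 mark_subsystem_dirty('sshdkeys');
 echo " Generating Keys:\n";
 $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key");
 $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key");
 $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key");
 $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ecdsa -N '' -f $sshConfigDir/ssh_host_ecdsa_key");
+$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -N '' -f $sshConfigDir/ssh_host_ecdsa_key");
 clear_subsystem_dirty('sshdkeys');
 file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", "");
 }
@@ -168,7 +180,7 @@
 $sshd_pid = exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'");
 if($sshd_pid <> "") {
 echo "stopping ssh process $sshd_pid \n";
-mwexec("kill $sshd_pid");
+posix_kill($sshd_pid, SIGTERM);
 }
 /* Launch new server process */
 $status = mwexec("/usr/sbin/sshd");
@@ -182,9 +194,9 @@
 // NanoBSD
 if($g['platform'] == "nanobsd") {
 if(!is_dir("/conf/sshd"))
-exec("mkdir /conf/sshd");
+mkdir("/conf/sshd", 0750);
 $_gb = exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd");
 }
 conf_mount_ro();
-
+unset($keys);
 ?>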
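Review bot: The added ed25519 ssh-keygen call in the third hunk passes `-f $sshConfigDir/ssh_host_ecdsa_key`, the path of the ECDSA key generated on the line above, so `ssh_host_ed25519_key` is never written (ssh-keygen will presumably balk at the existing file rather than overwrite it). Because `$keys` now lists `ssh_host_ed25519_key` and the missing-file loop sets `$generate_keys` when any entry is absent, every start would take the regeneration branch, delete all host keys via `unlink_if_exists(glob('/etc/ssh/ssh_host_*'))`, and recreate them, changing the host identity on each boot; the line should read `$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -N '' -f $sshConfigDir/ssh_host_ed25519_key");`. Separately, in the first hunk the nanobsd restore loop now iterates `$keys`, so the `.pub` files are chmod'ed to 0600 as well, while the comment still says "host private key permissions"; either restrict the loop to the private keys or update the comment to say all restored key files are made 0600.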