author | Timo Boettcher <spida@pfsense.org> | 2007-06-02 21:58:50 +0000 |
---|---|---|
committer | Timo Boettcher <spida@pfsense.org> | 2007-06-02 21:58:50 +0000 |
commit | ed4b63b09785b89f5dcbd2517ff0bfd20632be85 (patch) | |
tree | 5a5fd85078f63f6199ef3b06763142fdff4eca0b | |
parent | 942ed037d0775dc3efd043e4911b1a001bf907b3 (diff) | |
download | pfsense-ed4b63b09785b89f5dcbd2517ff0bfd20632be85.zip pfsense-ed4b63b09785b89f5dcbd2517ff0bfd20632be85.tar.gz |
SSH-Key(only) Login
-rwxr-xr-x | etc/sshd | 32 | ||||
-rwxr-xr-x | usr/local/www/system_advanced.php | 23 |
2 files changed, 48 insertions, 7 deletions
@@ -47,7 +47,7 @@
 /* if any of these files are 0 bytes then they are corrupted.
 * remove them */
- $files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','../../root/.ssh/authorized_keys');
+ $files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','/root/.ssh/authorized_keys');
 foreach($files_to_check as $f2c) {
 if(file_exists("/etc/ssh/{$f2c}"))
 if(file_size("/etc/ssh/{$f2c}")==0) {
@@ -92,6 +92,17 @@
 $sshconf .= "ClientAliveInterval 30\n";
 $sshconf .= "UseDNS no\n";
 $sshconf .= "X11Forwarding no\n";
+ if($config['system']['ssh']['sshdkeyonly'] <> "") {
+ $sshconf .= "# Login via Key only\n";
+ $sshconf .= "PasswordAuthentication no\n";
+ $sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PubkeyAuthentication yes\n";
+ } else {
+ $sshconf .= "# Login via Key and Password\n";
+ $sshconf .= "PasswordAuthentication yes\n";
+ $sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PubkeyAuthentication yes\n";
+ }
 $sshconf .= "# override default of no subsystems\n";
 $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
 /* Only allow protocol 2, because we say so */
@@ -104,6 +115,19 @@
 fwrite($fd, $sshconf);
 fclose($fd);
+ if($config['system']['ssh']['authorizedkeys'] <> "") {
+ echo "writing /root/.ssh/authorized_keys\n";
+ if (!is_dir("/root/.ssh")) {
+ mkdir('/root/.ssh', 0700);
+ }
+ $authorizedkeys = "# This file is automatically generated at startup\n";
+ $authorizedkeys .= base64_decode($config['system']['ssh']['authorizedkeys']);
+ $fd = fopen("/root/.ssh/authorized_keys", "w");
+ fwrite($fd, $authorizedkeys);
+ pclose($fd);
+ chmod("/root/.ssh/authorized_keys",0644);
+ }
+ /* mop up from a badly implemented ssh keys -> cf backup */
 if($config['ssh']['dsa_key'] <> "") {
 unset($config['ssh']['dsa_key']);
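Review bot: The new list entry '/root/.ssh/authorized_keys' never receives the zero-byte check, because the loop that follows prefixes every entry with "/etc/ssh/" and `file_exists("/etc/ssh//root/.ssh/authorized_keys")` is false, whereas the removed '../../root/.ssh/authorized_keys' resolved through /etc/ssh to the real file. Either keep the entry relative to /etc/ssh or make the whole list absolute and drop the prefix in the loop, e.g. `file_exists($f2c)` with entries such as `'/etc/ssh/ssh_host_dsa_key'` and `'/root/.ssh/authorized_keys'`. Not part of this change but visible on the same lines, `file_size()` is not a PHP builtin (`filesize()` is), so the corrupted-file cleanup may never have run as intended. The loop body continues past the hunk.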
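Review bot: The key-only branch keys off `$config['system']['ssh']['sshdkeyonly'] <> ""` alone, so with that flag set and `$config['system']['ssh']['authorizedkeys']` empty the generated sshd_config turns off PasswordAuthentication and ChallengeResponseAuthentication while no key is installed, and SSH access is lost until the flag is cleared through the web GUI. Make the branch depend on both settings, `if(!empty($config['system']['ssh']['sshdkeyonly']) && !empty($config['system']['ssh']['authorizedkeys'])) {`, or reject that combination in the save handler in usr/local/www/system_advanced.php. `!empty()` also avoids the notice that `<> ""` raises when the index is unset. This run of `$sshconf` statements starts and ends outside the hunk.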
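Review bot: `pclose($fd)` is called on a handle returned by `fopen()`; `pclose()` is for `popen()` handles, so this should be `fclose($fd);`, and the return value of `fopen()` is not checked before `fwrite()`. The file is also left at mode 0644, whereas the code this commit removes (hunk @@ -255 in this file) used 0600 and the `mkdir('/root/.ssh', 0700)` just above keeps the directory private; `chmod("/root/.ssh/authorized_keys", 0600);` matches that and is the conventional mode for an authorized_keys file. Because the base64-decoded setting is written verbatim into root's authorized_keys, any format check on the pasted text has to happen where the setting is saved, not here. The enclosing block continues outside the hunk.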
@@ -255,12 +279,6 @@
 chmod("{$sshConfigDir}/ssh_host_dsa_key.pub",0600);
 }
- if($config['ssh']['ak'] <> "") {
- $ak = base64_decode($config['ssh']['ak']);
- file_put_contents("/root/.authorized_keys", $ak);
- chmod("/root/.authorized_keys",0600);
- }
- /* start sshd */
 system("/usr/sbin/sshd");
 echo "done.\n";
diff --git a/usr/local/www/system_advanced.php b/usr/local/www/system_advanced.php
index 7328782..e4ff952 100755
--- a/usr/local/www/system_advanced.php
+++ b/usr/local/www/system_advanced.php
@@ -52,6 +52,8 @@ $pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck
 $pconfig['preferoldsa_enable'] = isset($config['ipsec']['preferoldsa']);
 $pconfig['enablesshd'] = $config['system']['enablesshd'];
 $pconfig['sshport'] = $config['system']['ssh']['port'];
+$pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly'];
+$pconfig['authorizedkeys'] = base64_decode($config['system']['ssh']['authorizedkeys']);
 $pconfig['sharednet'] = $config['system']['sharednet'];
 $pconfig['polling_enable'] = isset($config['system']['polling']);
 $pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
@@ -101,6 +103,12 @@ if ($_POST) {
 $input_errors[] = "You must specify a valid port number";
 }
 }
+ if($_POST['sshdkeyonly'] == "yes") {
+ $config['system']['ssh']['sshdkeyonly'] = "enabled";
+ } else {
+ unset($config['system']['ssh']['sshdkeyonly']);
+ }
+ $config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
 }
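Review bot: The new POST handling stores `base64_encode($_POST['authorizedkeys'])` and sets `sshdkeyonly` with no validation, so saving "key only" together with an empty key list is accepted and, once etc/sshd regenerates its configuration, leaves no working way to log in over SSH. Add an input error for that case next to the port check above, `if ($_POST['sshdkeyonly'] == "yes" && trim($_POST['authorizedkeys']) == "") $input_errors[] = "Key-only SSH login requires at least one authorized key";`, so the save is refused rather than applied. Checking that every non-empty, non-comment line of the textarea starts with a recognised key type (for example `ssh-rsa` or `ssh-dss`) would also catch a pasted private key or stray text before it reaches /root/.ssh/authorized_keys. The enclosing `if ($_POST)` block begins before the hunk.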
@@ -305,6 +313,13 @@ include("head.inc");
 <strong>Enable Secure Shell</strong>
 </td>
 </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"> </td>
+ <td width="78%" class="vtable">
+ <input name="sshdkeyonly" type="checkbox" id="sshdkeyonly" value="yes" <?php if (isset($pconfig['sshdkeyonly'])) echo "checked"; ?> onclick="enable_change(false)" />
+ <strong>Disable Passwordlogin for Secure Shell (KEY only)</strong>
+ </td>
+ </tr>
 <tr>
 <td width="22%" valign="top" class="vncell">SSH port</td>
 <td width="78%" class="vtable">
@@ -314,6 +329,14 @@ include("head.inc");
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Authorizedkeys");?></td>
+ <td width="78%" class="vtable">
+ <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
+ <br />
+ Paste an authorized keys file here.
+ </td>
+ </tr>
+ <tr>
 <td width="22%" valign="top"> </td>
 <td width="78%">
 <input name="Submit" type="submit" class="formbtn" value="Save" onclick="enable_change(true)" /> |
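Review bot: The checkbox label `Disable Passwordlogin for Secure Shell (KEY only)` is hard to read; `Disable password login for Secure Shell (key only)` says the same thing in the style of the `Enable Secure Shell` label above it. Since this option removes the only login method that works without a key, the label or a short help line under it should also tell the user that at least one key must be pasted into the Authorizedkeys field below, otherwise SSH access is lost. The form this row belongs to starts and ends outside the hunk.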
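Review bot: The help text `Paste an authorized keys file here.` gives neither the expected format nor where the contents end up, and this is the one place a user learns what the field does. Something like `One OpenSSH public key per line (authorized_keys format); the contents are written to /root/.ssh/authorized_keys when sshd is started.` would do, the destination being what the etc/sshd change in this commit writes. The gettext label `Authorizedkeys` is a run-together word where the rest of the page uses spaced labels such as `SSH port`; `Authorized keys` reads better. The enclosing form starts and ends outside the hunk.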