From 9c51b6f6bb6c2a6bec28b0d007d9d346f1d326c2 Mon Sep 17 00:00:00 2001
From: Timo Boettcher
Date: Sat, 2 Jun 2007 22:12:03 +0000
Subject: SSH-Key(only) Login

---
 etc/sshd | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

(limited to 'etc/sshd')

diff --git a/etc/sshd b/etc/sshd
index 3c1b1c5..f4793a6 100755
--- a/etc/sshd
+++ b/etc/sshd
@@ -47,7 +47,7 @@
 /* if any of these files are 0 bytes then they are corrupted.
  * remove them
  */
- $files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','../../root/.ssh/authorized_keys');
+ $files_to_check = array('ssh_host_dsa_key','ssh_host_dsa_key.pub','ssh_host_key','ssh_host_key.pub','ssh_host_rsa_key','ssh_host_rsa_key.pub','/root/.ssh/authorized_keys');
 foreach($files_to_check as $f2c) {
 if(file_exists("/etc/ssh/{$f2c}"))
 if(file_size("/etc/ssh/{$f2c}")==0) {
@@ -92,6 +92,17 @@
 $sshconf .= "ClientAliveInterval 30\n";
 $sshconf .= "UseDNS no\n";
 $sshconf .= "X11Forwarding no\n";
+ if($config['system']['ssh']['sshdkeyonly'] <> "") {
+ $sshconf .= "# Login via Key only\n";
+ $sshconf .= "PasswordAuthentication no\n";
+ $sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PubkeyAuthentication yes\n";
+ } else {
+ $sshconf .= "# Login via Key and Password\n";
+ $sshconf .= "PasswordAuthentication yes\n";
+ $sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PubkeyAuthentication yes\n";
+ }
 $sshconf .= "# override default of no subsystems\n";
 $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
 /* Only allow protocol 2, because we say so */
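Review bot: The renamed entry `/root/.ssh/authorized_keys` is never actually checked, because the loop below still builds every path as `"/etc/ssh/{$f2c}"`, so the zero-byte test looks for `/etc/ssh//root/.ssh/authorized_keys`; the old relative form did resolve from /etc/ssh, so this change silently disables the corrupted-file cleanup for that one file. Resolve absolute entries as they are, e.g. `$path = (substr($f2c, 0, 1) == '/') ? $f2c : "/etc/ssh/{$f2c}";` and use `$path` in both the `file_exists` and size calls. Separately, `file_size` in the context line is not a PHP built-in (the function is `filesize`), so unless it is defined elsewhere in this script the size check never runs; that line is not part of this change but is worth confirming. The foreach body continues outside the hunk.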
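Review bot: The key-only branch disables password and challenge-response logins without checking that a key source is configured, so a config with `sshdkeyonly` set and `authorizedkeys` empty leaves root with no way in over SSH; unless the web UI already enforces that pairing, this script should at least report it, e.g. `if($config['system']['ssh']['authorizedkeys'] == "") echo "WARNING: key-only login enabled but no authorized keys configured\n";` ahead of the block. `PubkeyAuthentication yes` is emitted by both branches and could be hoisted above the `if` so the branches differ only in what they turn off. The fallback branch's `PasswordAuthentication yes` / `ChallengeResponseAuthentication yes` match OpenSSH's defaults, so non-key-only setups keep their previous behaviour.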
@@ -104,6 +115,19 @@
 fwrite($fd, $sshconf);
 fclose($fd);
 
+ if($config['system']['ssh']['authorizedkeys'] <> "") {
+ echo "writing /root/.ssh/authorized_keys\n";
+ if (!is_dir("/root/.ssh")) {
+ mkdir('/root/.ssh', 0700);
+ }
+ $authorizedkeys = "# This file is automatically generated at startup\n";
+ $authorizedkeys .= base64_decode($config['system']['ssh']['authorizedkeys']);
+ $fd = fopen("/root/.ssh/authorized_keys", "w");
+ fwrite($fd, $authorizedkeys);
+ pclose($fd);
+ chmod("/root/.ssh/authorized_keys",0644);
+ }
+
 /* mop up from a badly implemented ssh keys -> cf backup */
 if($config['ssh']['dsa_key'] <> "") {
 unset($config['ssh']['dsa_key']);
@@ -255,12 +279,6 @@
 chmod("{$sshConfigDir}/ssh_host_dsa_key.pub",0600);
 }
 
- if($config['ssh']['ak'] <> "") {
- $ak = base64_decode($config['ssh']['ak']);
- file_put_contents("/root/.authorized_keys", $ak);
- chmod("/root/.authorized_keys",0600);
- }
-
 /* start sshd */
 system("/usr/sbin/sshd");
 echo "done.\n";
-- 
cgit v1.1
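Review bot: The handle opened with `fopen` is closed with `pclose`, which is the popen counterpart; the `$sshconf` write two lines up uses `fclose`, and the `fopen` result is never checked, so a failed open turns into warnings on `fwrite`/`pclose` and sshd starts with whatever file was there before. The new file is also left at `0644` where the block removed in the `@@ -255` hunk used `0600`; sshd only rejects group/world-writable files, but the tighter mode is the one the rest of this script applies to key material. Finally, when `authorizedkeys` is cleared in the config nothing removes a previously generated `/root/.ssh/authorized_keys`, so keys the user has deleted keep working across reboots; since the header comment declares the file generated at startup, an `else` branch that unlinks it closes that gap. The suggested rewrite of the write path and the added `else` branch follows.
```php
	if($config['system']['ssh']['authorizedkeys'] <> "") {
		// … unchanged: echo, mkdir of /root/.ssh, building $authorizedkeys …
		$fd = fopen("/root/.ssh/authorized_keys", "w");
		if ($fd) {
			fwrite($fd, $authorizedkeys);
			fclose($fd);
			chmod("/root/.ssh/authorized_keys", 0600);
		} else {
			echo "could not write /root/.ssh/authorized_keys\n";
		}
	} else {
		/* no keys configured: drop the generated file so removed keys stop working */
		@unlink("/root/.ssh/authorized_keys");
	}
```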