diff -r e93ae190039c -r 16204c8a93ff components/openssh/sources/sshd.sh --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/sources/sshd.sh Thu Mar 03 14:55:30 2016 -0800 @@ -0,0 +1,203 @@ +#!/usr/sbin/sh +# +# Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved. +# + +. /lib/svc/share/smf_include.sh +. /lib/svc/share/ipf_include.sh + +SSHDIR=/etc/ssh +KEYGEN="/usr/bin/ssh-keygen -q" +PIDFILE=$SMF_SYSVOL_FS/sshd.pid + +# Checks to see if RSA, and DSA host keys are available +# if any of these keys are not present, the respective keys are created. +create_key() +{ + keypath=$1 + keytype=$2 + + if [ ! -f $keypath ]; then + # + # HostKey keywords in sshd_config may be preceded or + # followed by a mix of any number of space or tabs, + # and optionally have an = between keyword and + # argument. We use two grep invocations such that we + # can match HostKey case insensitively but still have + # the case of the path name be significant, keeping + # the pattern somewhat more readable. + # + # The character classes below contain one literal + # space and one literal tab. + # + grep -i "^[ ]*HostKey[ ]*=\{0,1\}[ ]*$keypath" \ + $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1 + + if [ $? -eq 0 ]; then + echo Creating new $keytype public/private host key pair + $KEYGEN -f $keypath -t $keytype -N '' + if [ $? -ne 0 ]; then + echo "Could not create $keytype key: $keypath" + exit $SMF_EXIT_ERR_CONFIG + fi + fi + fi +} + +create_ipf_rules() +{ + FMRI=$1 + ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX` + policy=`get_policy ${FMRI}` + + # + # Get port from /etc/ssh/sshd_config + # + tports=`grep "^Port" /etc/ssh/sshd_config 2>/dev/null | \ + awk '{print $2}'` + + echo "# $FMRI" >$ipf_file + for port in $tports; do + generate_rules $FMRI $policy "tcp" "any" $port $ipf_file + done +} + +remove_key() +{ + keypath=$1 + if [ -f $keypath ]; then + grep -i "^[ ]*HostKey[ ]*=\{0,1\}[ ]*$keypath" \ + $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1 + if [ $? -eq 0 ]; then + rm -f ${keypath} ${keypath}.pub + fi + fi +} + +# +# Makes sure, that /etc/ssh/sshd_config does not contain single line +# 'ListenAddress ::'. +# +# This used to be part of default SunSSH sshd_config and instructed SunSSH +# to listen on all interfaces. For OpenSSH, the same line means listen on all +# IPv6 interfaces. +# +fix_listenaddress() +{ + fbackup="$SSHDIR/sshd_config.pre_listenaddress_fix" + reason4change="#\n\ +# Historically default sshd_config was shipped with 'ListenAddress ::',\n\ +# which means 'listen on all interfaces' in SunSSH.\n\ +# In OpenSSH this setting means 'listen on all IPv6 interfaces'.\n\ +# To avoid loss of service after transitioning to OpenSSH, the following\n\ +# line was commented out by the network/ssh service method script on\n\ +# $(date).\n\ +# Original file was backed up to $fbackup\n\ +#\n\ +# " + expl4log="Historically default sshd_config was shipped with \ +'ListenAddress ::', which means 'listen on all interfaces' in SunSSH. \ +In OpenSSH this setting means 'listen on all IPv6 interfaces'. \ +For both SunSSH and OpenSSH the default behavior when no ListenAddress \ +is specified is to listen on all interfaces (both IPv4 and IPv6)." + msg_not_removed="Custom ListenAddress setting detected in \ +$SSHDIR/sshd_config, the file will not be modified. Please, check your \ +ListenAddress settings. $expl4log" + msg_removed="Removing 'ListenAddress ::'. $expl4log Original file has \ +been backed up to $fbackup" + + # only modify sshd_config, if ssh implementation is OpenSSH + if [[ "$(ssh -V 2>&1)" == Sun_SSH_* ]]; then + return 0; + fi + + # comment '# IPv4 & IPv6' indicates an old default sshd_config + grep -q '^# IPv4 & IPv6$' $SSHDIR/sshd_config || return 0; + + # backup + cp $SSHDIR/sshd_config $fbackup + + # if 'ListenAddress ::' is the only ListenAddress line, comment it out + listen_address=$(grep -i '^[ \t]*ListenAddress' $SSHDIR/sshd_config) + if [[ "$listen_address" == 'ListenAddress ::' ]]; then + echo $msg_removed + awk_prog="/^ListenAddress ::$/ {printf(\"$reason4change\")}\ + !/^# IPv4 & IPv6$/ {print}" + elif [[ -z "$listen_address" ]]; then + # no ListenAddress setting => OK, silently remove comment + awk_prog="!/^# IPv4 & IPv6$/ {print}" + else + # send warning message both to log and console + echo $msg_not_removed | smf_console + awk_prog="!/^# IPv4 & IPv6$/ {print}" + fi; + + sshd_config=$(nawk "$awk_prog" $SSHDIR/sshd_config) + if [[ $? -ne 0 ]]; then + echo "Update error! Check your ListenAddress settings." + return 1; + else + # write the fixed content to the file + echo "$sshd_config" > $SSHDIR/sshd_config + return 0; + fi + +} + +# This script is being used for two purposes: as part of an SMF +# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M) +# application. +# +# Both, the SMF methods and sysidconfig/sys-unconfig use different +# arguments.. + +case $1 in + # sysidconfig/sys-unconfig arguments (-c and -u) +'-c') + create_key $SSHDIR/ssh_host_rsa_key rsa + create_key $SSHDIR/ssh_host_dsa_key dsa + ;; + +'-u') + # sysconfig unconfigure to remove the sshd host keys + remove_key $SSHDIR/ssh_host_rsa_key + remove_key $SSHDIR/ssh_host_dsa_key + ;; + + # SMF arguments (start and restart [really "refresh"]) + +'ipfilter') + create_ipf_rules $2 + ;; + +'start') + # + # If host keys don't exist when the service is started, create + # them; sysidconfig is not run in every situation (such as on + # the install media). + # + create_key $SSHDIR/ssh_host_rsa_key rsa + create_key $SSHDIR/ssh_host_dsa_key dsa + + # + # Make sure, that /etc/ssh/sshd_config does not contain single line + # 'ListenAddress ::'. + # + fix_listenaddress + + /usr/lib/ssh/sshd + ;; + +'restart') + if [ -f "$PIDFILE" ]; then + /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE` + fi + ;; + +*) + echo "Usage: $0 { start | restart }" + exit 1 + ;; +esac + +exit $?