From: Stepan Henek <[email protected]> This patch converts the configuration options from /etc/ssh/sshd_config into uci format in /etc/config/sshd. The options are kept as they were in the original /etc/ssh/sshd_config file. It generates /var/etc/ssh/sshd_config, which is passed to sshd as a command line parameter at startup.
Signed-off-by: Stepan Henek <[email protected]> --- diff --git a/net/openssh/Makefile b/net/openssh/Makefile index 6b390ce..f974e77 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -1,4 +1,5 @@ # +# Copyright (C) 2013 CZ.NIC z.s.p.o. <[email protected]> # Copyright (C) 2006-2011 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. @@ -86,7 +87,7 @@ OpenSSH server. endef define Package/openssh-server/conffiles -/etc/ssh/sshd_config +/etc/config/sshd endef define Package/openssh-sftp-client @@ -178,9 +179,10 @@ endef define Package/openssh-server/install $(INSTALL_DIR) $(1)/etc/ssh chmod 0700 $(1)/etc/ssh - $(CP) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_BIN) ./files/sshd.config $(1)/etc/config/sshd $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/sshd $(1)/usr/sbin/ endef diff --git a/net/openssh/files/sshd.config b/net/openssh/files/sshd.config new file mode 100644 index 0000000..66217a7 --- /dev/null +++ b/net/openssh/files/sshd.config 
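Review bot: The install hunk copies the new uci file with `$(INSTALL_BIN)`, which gives `/etc/config/sshd` an executable 0755 mode; a configuration file should go in with `$(INSTALL_CONF)` (0600), or `$(INSTALL_DATA)` if it must stay readable like the other uci files, i.e. `$(INSTALL_CONF) ./files/sshd.config $(1)/etc/config/sshd`. The same hunk stops shipping `/etc/ssh/sshd_config` while the conffiles hunk drops it from the preserved list, so a customised `/etc/ssh/sshd_config` on an upgraded device stays on disk but is silently ignored once sshd starts with `-f`; the commit message should state that, or the init script should warn when the old file is still present.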
@@ -0,0 +1,167 @@
+#Copyright (C) 2013 CZ.NIC z.s.p.o. <[email protected]>
+
+package openssh
+
+config openssh
+ #list Port 22
+ #option AddressFamily any
+ #list ListenAddress 0.0.0.0
+ #list ListenAddress ::
+ #option Protocol 2
+ #list HostKey /etc/ssh/ssh_host_rsa_key
+ #list HostKey /etc/ssh/ssh_host_dsa_key
+ #list HostKey /etc/ssh/ssh_host_ecdsa_key
+
+ # Lifetime and size of ephemeral version 1 server key
+ #option KeyRegenerationInterval 1h
+ #option ServerKeyBits 1024
+
+ # Logging
+ #option SyslogFacility AUTH
+ #option LogLevel INFO
+
+ # Authentication
+ #option LoginGraceTime 2m
+ #option PermitRootLogin yes
+ #option StrictModes yes
+ #option MaxAuthTries 6
+ #option MaxSessions 10
+ #option RSAAuthentication yes
+ #option PubkeyAuthentication yes
+ option AuthorizedKeysFile .ssh/authorized_keys
+ #option AuthorizedPrincipalsFile none
+ #option AuthorizedKeysCommand none
+ #option AuthorizedKeysCommandUser nobody
+
+ # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+ #option RhostsRSAAuthentication no
+ # similar for protocol version 2
+ #option HostbasedAuthentication no
+ # Change to yes if you don't trust ~/.ssh/known_hosts for
+ # RhostsRSAAuthentication and HostbasedAuthentication
+ #option IgnoreUserKnownHosts no
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #option IgnoreRhosts yes
+
+ # To disable tunneled clear text passwords, change to no here!
+ #option PasswordAuthentication yes
+ #option PermitEmptyPasswords no
+
+
+ # Change to no to disable s/key passwords
+ #option ChallengeResponseAuthentication yes
+
+ # Kerberos options
+ #option KerberosAuthentication no
+ #option KerberosOrLocalPasswd yes
+ #option KerberosTicketCleanup yes
+ #option KerberosGetAFSToken no
+
+ # GSSAPI options
+ #option GSSAPIAuthentication no
+ #option GSSAPICleanupCredentials yes
+
+
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. 
If this is enabled, PAM authentication will
+ # be allowed through the ChallengeResponseAuthentication and
+ # PasswordAuthentication. Depending on your PAM configuration,
+ # PAM authentication via ChallengeResponseAuthentication may bypass
+ # the setting of "PermitRootLogin without-password".
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+ #option UsePAM no
+
+ #option AllowAgentForwarding yes
+ #option AllowTcpForwarding yes
+ #option GatewayPorts no
+ #option X11Forwarding no
+ #option X11DisplayOffset 10
+ #option X11UseLocalhost yes
+ #option PrintMotd yes
+ #option PrintLastLog yes
+ #option TCPKeepAlive yes
+ #option UseLogin no
+ option UsePrivilegeSeparation sandbox
+ #option PermitUserEnvironment no
+ #option Compression delayed
+ #option ClientAliveInterval 0
+ #option ClientAliveCountMax 3
+ #option UseDNS yes
+ #option PidFile /var/run/sshd.pid
+ #option MaxStartups 10:30:100
+ #option PermitTunnel no
+ #option ChrootDirectory none
+ #option VersionAddendum none
+
+
+ # no default banner path
+ #option Banner none
+
+ #list IPQoS AF21
+ #list IPQoS AF11
+
+ list Subsystem "sftp /usr/lib/sftp-server"
+
+#config match
+ #option type User #User Group Host Address
+ #option match root
+
+ #option AllowAgentForwarding
+ #option AllowTcpForwarding
+ #option AuthorizedKeysFile
+ #option AuthorizedPrincipalsFile
+ #option Banner
+ #option ChrootDirectory
+ #option ForceCommand
+ #option GatewayPorts
+ #option GSSAPIAuthentication
+ #option HostbasedAuthentication
+ #option HostbasedUsesNameFromPacketOnly
+ #option KbdInteractiveAuthentication
+ #option KerberosAuthentication
+ #option MaxAuthTries
+ #option MaxSessions
+ #option PasswordAuthentication
+ #option PermitEmptyPasswords
+ #option PermitOpen
+ #option PermitRootLogin
+ #option PermitTunnel
+ #option PubkeyAuthentication yes
+ #option 
RhostsRSAAuthentication + #option RSAAuthentication + #option X11DisplayOffset + #option X11Forwarding + #option X11UseLocalHost + +#config match + #option type User #User Group Host Address + #option match nobody + + #option AllowAgentForwarding + #option AllowTcpForwarding + #option AuthorizedKeysFile + #option AuthorizedPrincipalsFile + #option Banner + #option ChrootDirectory + #option ForceCommand + #option GatewayPorts + #option GSSAPIAuthentication + #option HostbasedAuthentication + #option HostbasedUsesNameFromPacketOnly + #option KbdInteractiveAuthentication + #option KerberosAuthentication + #option MaxAuthTries + #option MaxSessions + #option PasswordAuthentication + #option PermitEmptyPasswords + #option PermitOpen + #option PermitRootLogin + #option PermitTunnel + #option PubkeyAuthentication yes + #option RhostsRSAAuthentication + #option RSAAuthentication + #option X11DisplayOffset + #option X11Forwarding + #option X11UseLocalHost diff --git a/net/openssh/files/sshd.init b/net/openssh/files/sshd.init old mode 100644 new mode 100755 index ecc44c3..9c7d864 --- a/net/openssh/files/sshd.init +++ b/net/openssh/files/sshd.init @@ -1,4 +1,5 @@ #!/bin/sh /etc/rc.common +# Copyright (C) 2013 CZ.NIC z.s.p.o. <[email protected]> # Copyright (C) 2006-2011 OpenWrt.org START=50 
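Review bot: The two `#config match` templates put an explanatory comment on the same line as a value (`#option type User #User Group Host Address`); once a user uncomments that line it is not clear that uci treats the trailing `#` text as a comment rather than as extra arguments, so the hint is safer on its own line above it, e.g. `# type is one of: User Group Host Address`. The template also advertises options for match sections (`AllowAgentForwarding`, `AllowTcpForwarding`, `AuthorizedKeysFile`, `AuthorizedPrincipalsFile`, `Banner`, `ChrootDirectory`, `ForceCommand`) that `handle_match_section` in sshd.init never reads, so uncommenting them has no effect; either the init script should emit them or the template should list only what is implemented. The same applies to the second `#config match` block below.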
@@ -6,7 +7,179 @@ STOP=50 SERVICE_USE_PID=1
+CONFIGFILE="/var/etc/ssh/sshd_config"
+
+INDENT=""
+
+header() {
+ cat > "$CONFIGFILE" <<-EOF
+# auto-generated config file from /etc/config/sshd
+
+EOF
+}
+
+indent_reset() {
+ INDENT=""
+}
+
+indent_higher() {
+ INDENT="${INDENT}\t"
+}
+
+set_parameter() {
+ local section="$1"
+ local var="$2"
+ local opt="$3"
+ local def="$4"
+ local val
+
+ config_get val "$section" "$var"
+ val=${val:-$def}
+ if [ -n "$val" ]; then
+ echo -e "${INDENT}${opt} ${val}" >> "$CONFIGFILE"
+ fi
+}
+
+add_parameter() {
+ val="$1"
+ opt="$2"
+ echo -e "${INDENT}${opt} ${val}" >> "$CONFIGFILE"
+}
+
+set_multiple_parameters() {
+ local section="$1"
+ local var="$2"
+ local opt="$3"
+
+ config_list_foreach "$section" "$var" add_parameter "$opt"
+}
+
+handle_openssh_section(){
+ local config="$1"
+
+ set_multiple_parameters "$config" Port Port
+ set_parameter "$config" AddressFamily AddressFamily
+ set_multiple_parameters "$config" ListenAddress ListenAddress
+ set_parameter "$confing" Protocol Protocol
+ set_multiple_parameters "$config" HostKey HostKey
+ set_parameter "$config" KeyRegenerationInterval KeyRegenerationInterval
+ set_parameter "$config" ServerKeyBits ServerKeyBits
+ set_parameter "$config" SyslogFacility SyslogFacility
+ set_parameter "$config" LogLevel LogLevel
+ set_parameter "$config" LoginGraceTime LoginGraceTime
+ set_parameter "$config" PermitRootLogin PermitRootLogin
+ set_parameter "$config" StrictModes StrictModes
+ set_parameter "$config" MaxAuthTries MaxAuthTries
+ set_parameter "$config" MaxSessions MaxSessions
+ set_parameter "$config" RSAAuthentication RSAAuthentication
+ set_parameter "$config" PubkeyAuthentication PubkeyAuthentication
+ set_parameter "$config" AuthorizedKeysFile AuthorizedKeysFile .ssh/authorized_keys
+ set_parameter "$config" AuthorizedPrincipalsFile AuthorizedPrincipalsFile
+ set_parameter "$config" AuthorizedKeysCommand AuthorizedKeysCommand
+ set_parameter "$config" AuthorizedKeysCommandUser 
AuthorizedKeysCommandUser
+ set_parameter "$config" RhostsRSAAuthentication RhostsRSAAuthentication
+ set_parameter "$config" HostbasedAuthentication HostbasedAuthentication
+ set_parameter "$config" IgnoreUserKnownHosts IgnoreUserKnownHosts
+ set_parameter "$config" IgnoreRhosts IgnoreRhosts
+ set_parameter "$config" PasswordAuthentication PasswordAuthentication
+ set_parameter "$config" PermitEmptyPasswords PermitEmptyPasswords
+ set_parameter "$config" ChallengeResponseAuthentication ChallengeResponseAuthentication
+ set_parameter "$config" KerberosAuthentication KerberosAuthentication
+ set_parameter "$config" KerberosOrLocalPasswd KerberosOrLocalPasswd
+ set_parameter "$config" KerberosTicketCleanup KerberosTicketCleanup
+ set_parameter "$config" KerberosGetAFSToken KerberosGetAFSToken
+ set_parameter "$config" GSSAPIAuthentication GSSAPIAuthentication
+ set_parameter "$config" GSSAPICleanupCredentials GSSAPICleanupCredentials
+ set_parameter "$config" UsePAM UsePAM
+ set_parameter "$config" AllowAgentForwarding AllowAgentForwarding
+ set_parameter "$config" AllowTcpForwarding AllowTcpForwarding
+ set_parameter "$config" GatewayPorts GatewayPorts
+ set_parameter "$config" X11Forwarding X11Forwarding
+ set_parameter "$config" X11DisplayOffset X11DisplayOffset
+ set_parameter "$config" X11UseLocalhost X11UseLocalhost
+ set_parameter "$config" PrintMotd PrintMotd
+ set_parameter "$config" PrintLastLog PrintLastLog
+ set_parameter "$config" TCPKeepAlive TCPKeepAlive
+ set_parameter "$config" UseLogin UseLogin
+ set_parameter "$config" UsePrivilegeSeparation UsePrivilegeSeparation sandbox
+ set_parameter "$config" PermitUserEnvironment PermitUserEnvironment
+ set_parameter "$config" Compression Compression
+ set_parameter "$config" ClientAliveInterval ClientAliveInterval
+ set_parameter "$config" ClientAliveCountMax ClientAliveCountMax
+ set_parameter "$config" UseDNS UseDNS
+ set_parameter "$config" PidFile PidFile
+ set_parameter "$config" MaxStartups MaxStartups 
+ set_parameter "$config" PermitTunnel PermitTunnel
+ set_parameter "$config" ChrootDirectory ChrootDirectory
+ set_parameter "$config" VersionAddendum VersionAddendum
+ set_parameter "$config" Banner Banner
+ set_parameter "$config" IPQoS IPQoS
+ set_multiple_parameters "$config" Subsystem Subsystem
+}
+
+handle_match_section() {
+ local config="$1"
+ local type=""
+ local match=""
+
+ config_get type "$section" type
+ config_get match "$section" match
+
+ if [ -n "$type" -a -n "$match" ]; then
+
+ set_parameter "$config" GatewayPorts GatewayPorts
+ set_parameter "$config" GSSAPIAuthentication GSSAPIAuthentication
+ set_parameter "$config" HostbasedAuthentication HostbasedAuthentication
+ set_parameter "$config" HostbasedUsesNameFromPacketOnly HostbasedUsesNameFromPacketOnly
+ set_parameter "$config" KbdInteractiveAuthentication KbdInteractiveAuthentication
+ set_parameter "$config" KerberosAuthentication KerberosAuthentication
+ set_parameter "$config" MaxAuthTries MaxAuthTries
+ set_parameter "$config" MaxSessions MaxSessions
+ set_parameter "$config" PasswordAuthentication PasswordAuthentication
+ set_parameter "$config" PermitEmptyPasswords PermitEmptyPasswords
+ set_parameter "$config" PermitOpen PermitOpen
+ set_parameter "$config" PermitRootLogin PermitRootLogin
+ set_parameter "$config" PermitTunnel PermitTunnel
+ set_parameter "$config" PubkeyAuthentication PubkeyAuthentication
+ set_parameter "$config" RhostsRSAAuthentication RhostsRSAAuthentication
+ set_parameter "$config" RSAAuthentication RSAAuthentication
+ set_parameter "$config" X11DisplayOffset X11DisplayOffset
+ set_parameter "$config" X11Forwarding X11Forwarding
+ set_parameter "$config" X11UseLocalHost X11UseLocalHost
+
+ indent_reset
+ fi
+}
+
+#create sshd confing file
+init_sshd() {
+
+ mkdir -p $(dirname "$CONFIGFILE")
+
+ #Clear the config and set header
+ header
+
+ config_load sshd
+
+ config_foreach handle_openssh_section openssh
+ config_foreach handle_match_section match
+}
+ start() 
{ + init_sshd + for type in rsa dsa; do { # check for keys key=/etc/ssh/ssh_host_${type}_key @@ -20,7 +193,13 @@ start() { user_exists sshd 22 || user_add sshd 22 22 sshd /var/empty group_exists sshd 22 || group_add sshd 22 mkdir -m 0700 -p /var/empty - service_start /usr/sbin/sshd + service_start /usr/sbin/sshd -f "$CONFIGFILE" +} + +reload() { + init_sshd + + service_reload /usr/sbin/sshd -f "$CONFIGFILE" } stop() { _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
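Review bot: `handle_match_section` reads `config_get type "$section" type` and `config_get match "$section" match`, but `section` is never assigned in that function (the parameter is stored in `config`), so both values stay empty and the whole `if` body is dead code. Even with that fixed, the function never writes the `Match <type> <match>` line and never calls `indent_higher`, so the per-user settings would land in the file as ordinary global directives, where sshd's first-value-wins rule either discards them or applies a restriction meant for one user to every login; the rewrite below emits the Match line first. `handle_openssh_section` has the same kind of slip at `set_parameter "$confing" Protocol Protocol`, which makes a configured Protocol value silently unused. Smaller points: `add_parameter` assigns `val` and `opt` without `local`, and `echo -e` together with the `\t` in `indent_higher` relies on the behaviour of the `#!/bin/sh` echo, which `printf '%s%s %s\n' "$INDENT" "$opt" "$val"` with a literal tab in `INDENT` avoids. The enclosing `start()` continues past the end of the hunk.
```sh
handle_match_section() {
	local config="$1"
	local type=""
	local match=""

	config_get type "$config" type
	config_get match "$config" match

	if [ -n "$type" -a -n "$match" ]; then
		add_parameter "$type $match" Match
		indent_higher
		# … unchanged: set_parameter calls for the match-scoped options …
		indent_reset
	fi
}
```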
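Review bot: `reload()` regenerates the file and then calls `service_reload`, which signals the running daemon; sshd handles a hangup by re-executing itself with the arguments it was started with, so if the freshly generated `$CONFIGFILE` contains an invalid value (a mistyped uci option is enough) the re-exec fails and the listener exits, taking remote access with it. Checking the file before signalling avoids that: `/usr/sbin/sshd -t -f "$CONFIGFILE" || return 1` ahead of `service_reload`, and the same check in `start()` turns a silent non-start into a visible error. `stop()` continues outside the hunk.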
