Commit 3b84ed46 authored by Adam Wujek's avatar Adam Wujek

rootfs: add scripts for sshd

Signed-off-by: Adam Wujek's avatarAdam Wujek <adam.wujek@cern.ch>
parent eff064e6
#!/bin/sh
#
# Starts sshd.
#
dotconfig=/wr/etc/dot-config
# Make sure the ssh-keygen progam exists
[ -f /usr/bin/ssh-keygen ] || exit 0
start_counter() {
# increase boot counter
COUNTER_FILE="/tmp/start_cnt_sshd"
START_COUNTER=1
if [ -f "$COUNTER_FILE" ];
then
read -r START_COUNTER < $COUNTER_FILE
START_COUNTER=$((START_COUNTER+1))
fi
echo "$START_COUNTER" > $COUNTER_FILE
}
start() {
echo -n "Starting sshd: "
if [ -f "$dotconfig" ]; then
. "$dotconfig"
else
echo "$0 unable to source dot-config ($dotconfig)!"
fi
# copy authorized keys if exists
if [ -f /usr/authorized_keys ] ; then
mkdir -p /root/.ssh/
cp /usr/authorized_keys /root/.ssh/
fi
# Make sure ssh directory exists
mkdir -p /etc/ssh
mkdir -p /usr/etc/ssh
# Check for the ssh keys
if [ ! -f /etc/ssh/ssh_host_rsa_key ] \
|| [ ! -f /etc/ssh/ssh_host_dsa_key ] \
|| [ ! -f /etc/ssh/ssh_host_ecdsa_key ] \
|| [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
# echo -n "generating ssh keys... "
/usr/bin/ssh-keygen -A
cp /etc/ssh/ssh_host_*_key* /usr/etc/ssh
fi
if [ "$CONFIG_ROOT_ACCESS_DISABLE" = "y" ]; then
sed -i "s|^PermitRootLogin.*|PermitRootLogin prohibit-password # replaced by $0|g" /etc/ssh/sshd_config
else
sed -i "s|^PermitRootLogin.*|PermitRootLogin yes # replaced by $0|g" /etc/ssh/sshd_config
fi
umask 077
# /var/run/sshd.pid is created automatically by sshd
start-stop-daemon -S -q -p /var/run/sshd.pid --exec /usr/sbin/sshd
ret=$?
if [ $ret -eq 0 ]; then
start_counter
echo "OK"
elif [ $ret -eq 1 ]; then
echo "Failed (already running?)"
else
echo "Failed"
fi
}
stop() {
echo -n "Stopping sshd: "
start-stop-daemon -K -q -p /var/run/sshd.pid
if [ $? -eq 0 ]; then
echo "OK"
else
echo "Failed"
fi
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
restart
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit $?
check process sshd with pidfile /var/run/sshd.pid
start program = "/etc/init.d/sshd.sh start"
stop program = "/etc/init.d/sshd.sh stop"
if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh sshd"
#%PAM-1.0
auth sufficient /lib/security/pam_krb5.so minimum_uid=1000
# auth line to be replaced by startup scripts
auth required /lib/security/pam_unix.so shadow nodelay
account required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_krb5.so minimum_uid=1000
# don't support changing kerberos password
# account line to be replaced by startup scripts
password required /lib/security/pam_unix.so shadow nullok use_authtok
session required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_krb5.so minimum_uid=1000
# session line to be replaced by startup scripts
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
../init.d/sshd.sh
\ No newline at end of file
......@@ -41,7 +41,8 @@
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
# PermitRootLogin may be replaced by a startup scripts
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
......@@ -69,7 +70,14 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
# Set to no to avoid additional prompts for a password after 3 failures.
# From man:
# Because PAM challenge-response authentication usually serves an
# equivalent role to password authentication, you should disable
# either PasswordAuthentication or
# ChallengeResponseAuthentication.
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
......@@ -107,7 +115,7 @@ UsePAM yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment