rootfs: add scripts for sshd

Signed-off-by: Adam Wujek <adam.wujek@cern.ch>

rootfs: add scripts for sshd
Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
3b84ed46 · Adam Wujek · eff064e6 · 3b84ed46 · 3b84ed46 · 3b84ed46
Commit 3b84ed46 authored Jan 31, 2019 by Adam Wujek 💬
5 changed files
--- a/userspace/rootfs_override/etc/init.d/sshd.sh
+++ b/userspace/rootfs_override/etc/init.d/sshd.sh
+#!/bin/sh
+#
+# Starts sshd.
+#
+
+dotconfig=/wr/etc/dot-config
+
+# Make sure the ssh-keygen progam exists
+[ -f /usr/bin/ssh-keygen ] || exit 0
+
+start_counter() {
+	# increase boot counter
+	COUNTER_FILE="/tmp/start_cnt_sshd"
+	START_COUNTER=1
+	if [ -f "$COUNTER_FILE" ];
+	then
+		read -r START_COUNTER < $COUNTER_FILE
+		START_COUNTER=$((START_COUNTER+1))
+	fi
+	echo "$START_COUNTER" > $COUNTER_FILE
+}
+
+start() {
+	echo -n "Starting sshd: "
+
+	if [ -f "$dotconfig" ]; then
+		. "$dotconfig"
+	else
+		echo "$0 unable to source dot-config ($dotconfig)!"
+	fi
+
+ 	# copy authorized keys if exists
+	if [ -f /usr/authorized_keys ] ; then
+		mkdir -p /root/.ssh/
+		cp /usr/authorized_keys /root/.ssh/
+	fi
+
+	# Make sure ssh directory exists
+	mkdir -p /etc/ssh
+	mkdir -p /usr/etc/ssh
+	# Check for the ssh keys
+	if     [ ! -f /etc/ssh/ssh_host_rsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_dsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_ecdsa_key ] \
+        || [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+# 		echo -n "generating ssh keys... "
+		/usr/bin/ssh-keygen -A
+		cp /etc/ssh/ssh_host_*_key* /usr/etc/ssh
+	fi
+
+	if [ "$CONFIG_ROOT_ACCESS_DISABLE" = "y" ]; then
+		sed -i "s|^PermitRootLogin.*|PermitRootLogin prohibit-password # replaced by $0|g" /etc/ssh/sshd_config
+	else
+		sed -i "s|^PermitRootLogin.*|PermitRootLogin yes # replaced by $0|g" /etc/ssh/sshd_config
+	fi
+
+	umask 077
+	# /var/run/sshd.pid is created automatically by sshd
+	start-stop-daemon -S -q -p /var/run/sshd.pid --exec /usr/sbin/sshd
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		start_counter
+		echo "OK"
+	elif [ $ret -eq 1 ]; then
+		echo "Failed (already running?)"
+	else
+		echo "Failed"
+	fi
+}
+
+stop() {
+	echo -n "Stopping sshd: "
+	start-stop-daemon -K -q -p /var/run/sshd.pid
+	if [ $? -eq 0 ]; then
+		echo "OK"
+	else
+		echo "Failed"
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+case "$1" in
+  start)
+  	start
+	;;
+  stop)
+  	stop
+	;;
+  restart|reload)
+  	restart
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart}"
+	exit 1
+esac
+
+exit $?
+
--- a/userspace/rootfs_override/etc/monit.d/sshd.conf
+++ b/userspace/rootfs_override/etc/monit.d/sshd.conf
+ check process sshd with pidfile /var/run/sshd.pid
+   start program = "/etc/init.d/sshd.sh start"
+   stop program = "/etc/init.d/sshd.sh stop"
+   if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh sshd"
--- a/userspace/rootfs_override/etc/pam.d/sshd
+++ b/userspace/rootfs_override/etc/pam.d/sshd
 #%PAM-1.0
-auth       sufficient   /lib/security/pam_krb5.so minimum_uid=1000
+# auth line to be replaced by startup scripts
 auth       required     /lib/security/pam_unix.so shadow nodelay
 account    required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_unix.so
-account    required     /lib/security/pam_krb5.so minimum_uid=1000
-# don't support changing kerberos password
+# account line to be replaced by startup scripts
 password   required     /lib/security/pam_unix.so shadow nullok use_authtok
 session    required     /lib/security/pam_unix.so
 session    required     /lib/security/pam_limits.so
-session    required     /lib/security/pam_krb5.so minimum_uid=1000
+# session line to be replaced by startup scripts
 session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
--- a/userspace/rootfs_override/etc/rcS/S50sshd.sh
+++ b/userspace/rootfs_override/etc/rcS/S50sshd.sh
+../init.d/sshd.sh
\ No newline at end of file
--- a/userspace/rootfs_override/etc/ssh/sshd_config
+++ b/userspace/rootfs_override/etc/ssh/sshd_config
@@ -41,7 +41,8 @@
 # Authentication:

 #LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+# PermitRootLogin may be replaced by a startup scripts
+PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
@@ -69,7 +70,14 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Set to no to avoid additional prompts for a password after 3 failures.
+# From man:
+# Because PAM challenge-response authentication usually serves an
+# equivalent role to password authentication, you should disable
+# either PasswordAuthentication or
+# ChallengeResponseAuthentication.
+
+PasswordAuthentication no
 #PermitEmptyPasswords no

 # Change to no to disable s/key passwords
@@ -107,7 +115,7 @@ UsePAM yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation sandbox		# Default for new installations.
+UsePrivilegeSeparation no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0