Commit 83c3a764 authored by Adam Wujek's avatar Adam Wujek

Merge branch adam_ldap

Add LDAP+kerberos support
This switches the image to a different standard C library (the previous one had no /etc/nsswitch.conf support) and replaces dropbear with OpenSSH (dropbear has no LDAP/Kerberos support).
Signed-off-by: Adam Wujek's avatarAdam Wujek <adam.wujek@cern.ch>
parents 70c80659 d69d55dc
......@@ -170,8 +170,95 @@ config HOSTNAME_STRING
help
Use this string as a static hostname of the switch.
menu "Authorization and authentication"
config ROOT_ACCESS_DISABLE
bool "Disable root access via ssh"
help
Used by ssh
config LDAP_ENABLE
bool "Enable LDAP authorization"
help
Enable LDAP authorization. Used by ssh.
config LDAP_SERVER
string "LDAP server"
depends on LDAP_ENABLE
help
LDAP server(s) e.g. ldap://xldap.cern.ch
config LDAP_SEARCH_BASE
string "LDAP search base"
depends on LDAP_ENABLE
help
LDAP search base e.g. dc=cern,dc=ch
choice
prompt "LDAP filter"
depends on LDAP_ENABLE
default LDAP_FILTER_NONE
config LDAP_FILTER_NONE
bool "Don't apply filter to LDAP"
help
Allow all LDAP users to log in.
config LDAP_FILTER_EGROUP
bool "Apply e-group filter to LDAP"
help
Allow logins only from an e-group defined in CONFIG_LDAP_FILTER_EGROUP_STR
This option is CERN specific.
config LDAP_FILTER_CUSTOM
bool "Apply custom filter to LDAP"
help
Provide custom filtering string for LDAP authorization.
endchoice
config LDAP_FILTER_EGROUP_STR
string "LDAP e-group"
depends on LDAP_FILTER_EGROUP
help
LDAP's e-group for authorization. This option is CERN specific.
config LDAP_FILTER_CUSTOM_STR
string "LDAP access filter string"
depends on LDAP_FILTER_CUSTOM
help
Custom string with a filter for LDAP authorization:
(memberOf=CN=white-rabbit-switch-root,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)
choice
prompt "Authorization method"
depends on LDAP_ENABLE
default AUTH_KRB5
config AUTH_LDAP
bool "Enable LDAP authentication"
depends on LDAP_ENABLE
help
Used by ssh for authentication
config AUTH_KRB5
bool "Enable Kerberos authentication"
depends on LDAP_ENABLE
help
Used by ssh for authentication
endchoice
config AUTH_KRB5_SERVER
string "Kerberos server"
depends on AUTH_KRB5
help
Server name of Kerberos. Usually it is in capital letters.
For CERN, please use CERN.CH
menu "Root Password"
config ROOT_PWD_IS_ENCRYPTED
bool "Should this file include an encripted root password?"
help
......@@ -195,11 +282,12 @@ config ROOT_PWD_CYPHER
depends on ROOT_PWD_IS_ENCRYPTED
help
The actual pre-encrypted string. This is stored at run time
into /etc/passwd, for ssh authenticazion. To create the
into /etc/passwd, for ssh authentication. To create the
string, please run "mkpasswd --method=md5 <password>"
endmenu
endmenu # "Authorization and authentication"
config NTP_SERVER
string "IP address of local NTP server (empty for none)"
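Review bot: The help for CONFIG_LDAP_SERVER gives `ldap://xldap.cern.ch` as the example, i.e. plain LDAP; with CONFIG_AUTH_LDAP the PAM module presumably authenticates by binding to the directory with the user's password, so unless the nslcd.conf (only partly visible in this commit) turns on `ssl start_tls`, that password crosses the network in clear. I would amend the help to `LDAP server(s), e.g. ldaps://xldap.cern.ch (prefer ldaps:// or StartTLS when AUTH_LDAP is used)`. Separately, the choice at `prompt "Authorization method"` selects between AUTH_LDAP and AUTH_KRB5, whose own prompts say "authentication", so it should read `prompt "Authentication method"`; and the help of CONFIG_AUTH_KRB5_SERVER calls the value a server name while the example (`CERN.CH`) and the manual text in this commit call it the realm, so `Kerberos realm (usually upper-case), e.g. CERN.CH` would be accurate. The default `LDAP_FILTER_NONE` lets every directory user log in, which is worth stating in the help of CONFIG_LDAP_ENABLE so nobody turns LDAP on without picking a filter.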
......
......@@ -32,14 +32,12 @@ ROOTFS_INITRAMFS="$WRS_OUTPUT_DIR/images/wrs-initramfs.gz"
cat > $TMPSCRIPT << EOF
mkdir -p $TMPFS/wr
cp -r $rootfs_vanilla/* $TMPFS
cp -r --preserve=mode $rootfs_vanilla/* $TMPFS
cp -r $WRS_OUTPUT_DIR/images/wr/* $TMPFS/wr
cp -r $WRS_OUTPUT_DIR/images/lib/* $TMPFS/lib
rm -f $TMPFS/etc/init.d/*
rm -f $TMPFS/THIS_IS_NOT_YOUR_ROOT_FILESYSTEM
# remove symlink from the buildroot
rm -rf $TMPFS/etc/dropbear
mkdir -p $TMPFS/etc/dropbear; chown -R root:root $TMPFS/etc/dropbear
cp -r $rootfs_override/* $TMPFS
# remove leftovers from on-going edits in rootfs_override
......@@ -61,7 +59,7 @@ chmod a+rx $TMPFS
##### now move stuff to usr (we need usr to be in flash, / remains initramfs)
# remove needless stuff
rm -rf $TMPFS/home $TMPFS/opt
rm -rf $TMPFS/opt
sed -i '/^default/ d' $TMPFS/etc/passwd
# move /wr and /var to /usr/wr and /usr/var
mv $TMPFS/wr $TMPFS/usr; ln -s usr/wr $TMPFS
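Review bot: `cp -r --preserve=mode` keeps the permission bits of the vanilla rootfs (which matters for the host-key files sshd is picky about), but it preserves neither owner nor group, and the `chown -R root:root` that the removed dropbear lines did is gone with them; if this script runs as an unprivileged build user and the later image-packaging step does not force root ownership, the copied tree ends up owned by that user. If packaging already takes care of it, a one-line comment next to the cp, `# ownership is fixed to root when the image is packed`, would save the next reader the check; otherwise add `chown -R root:root "$TMPFS"` after the copies (or `--preserve=mode,ownership`, which only works when run as root). The unquoted `$TMPFS`/`$rootfs_vanilla` expansions are pre-existing and fine only as long as those paths never contain whitespace.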
......
......@@ -1914,8 +1914,10 @@ switch. Check is done every 10 seconds. As for now supervised processes are:
@t{ppsi},
@t{wrs_watchdog},
@t{lighttpd},
@t{dropbear},
@t{snmpd}.
@t{sshd},
@t{snmpd},
@t{lldpd},
@t{nslcd}.
In case any of the supervised processes does not run anymore (because of a crash,
exit etc.), @t{monit} restarts missing process. If 5 restarts of a particular
......
......@@ -573,6 +573,41 @@ appropriate way, before the respective service is started.
(@t{CONFIG_HOSTNAME_DHCP}) or use a predefined value
(@t{CONFIG_HOSTNAME_STATIC}) defined in option @t{CONFIG_HOSTNAME_STRING}.
@item CONFIG_ROOT_ACCESS_DISABLE
Disable root access via ssh. With this option enabled it is still
possible to use sudo to get root privileges.
@item CONFIG_LDAP_ENABLE
@itemx CONFIG_LDAP_SERVER
@itemx CONFIG_LDAP_SEARCH_BASE
@itemx CONFIG_LDAP_FILTER_NONE
@itemx CONFIG_LDAP_FILTER_EGROUP
@itemx CONFIG_LDAP_FILTER_CUSTOM
@itemx CONFIG_LDAP_FILTER_EGROUP_STR
@itemx CONFIG_LDAP_FILTER_CUSTOM_STR
Set of options related to providing an authorization via LDAP for ssh.
To be able to use LDAP please enable an option @t{CONFIG_LDAP_ENABLE},
provide LDAP server (@t{CONFIG_LDAP_SERVER}) and the search base
(@t{CONFIG_LDAP_SEARCH_BASE}). It is possible to limit the access
to a particular e-group used at CERN (@t{CONFIG_LDAP_FILTER_EGROUP}
to enable and @t{CONFIG_LDAP_FILTER_EGROUP_STR} to provide
the e-group's name) or to provide the custom filtering string
(@t{CONFIG_LDAP_FILTER_CUSTOM} to enable and
@t{CONFIG_LDAP_FILTER_CUSTOM_STR} to provide the filter).
For more information please refer to the @i{Kconfig}'s help.
@item CONFIG_AUTH_LDAP
@itemx CONFIG_AUTH_KRB5
@itemx CONFIG_AUTH_KRB5_SERVER
Choose the authentication method. @t{CONFIG_AUTH_LDAP} for LDAP
authentication, @t{CONFIG_AUTH_LDAP} for Kerberos authentication.
For the later one it is obligatory to specify Kerberos Realm
@t{CONFIG_AUTH_KRB5_SERVER}.
@item CONFIG_ROOT_PWD_IS_ENCRYPTED
@itemx CONFIG_ROOT_PWD_CLEAR
@itemx CONFIG_ROOT_PWD_CYPHER
......
......@@ -660,7 +660,7 @@ list of faults leading to a data error.
The idea is to reboot the system if it was not able to boot correctly.
Then we use the scratchpad registers of the processor to keep
the boot count. If the value of this counter is more than X we stop
rebooting and try to have a system running with at least \emph{dropbear}
rebooting and try to have a system running with at least \emph{sshd}
for SSH and \emph{net-snmp} to allow remote diagnostics. If on the other
hand the switch has booted correctly, we set the boot count to 0.
\end{pck_descr}
......@@ -709,6 +709,7 @@ list of faults leading to a data error.
\snmpadd{WR-SWITCH-MIB::wrsStartCntWrsWatchdog}\\
\snmpadd{WR-SWITCH-MIB::wrsStartCntLldpd}\\
\snmpadd{WR-SWITCH-MIB::wrsStartCntSPLL}\\
\snmpadd{WR-SWITCH-MIB::wrsStartCntLdap}\\
\snmpadd{WR-SWITCH-MIB::wrsBootUserspaceDaemonsMissing}\\
\snmpadd{WR-SWITCH-MIB::wrsBootSuccessful} \\
\snmpadd{WR-SWITCH-MIB::wrsOSStatus}\\
......@@ -732,12 +733,13 @@ list of faults leading to a data error.
Less critical processes (Restarting them and Warning generation is
enough):
\begin{itemize}
\item \emph{dropbear}
\item \emph{sshd}
\item \emph{udhcpc}
\item \emph{rsyslogd}
\item \emph{snmpd}
\item \emph{lighttpd}
\item \emph{lldpd}
\item \emph{nslcd} (LDAP)
\item \emph{TRUd/eRSTPd} -- not yet implemented
\end{itemize}
......
......@@ -512,6 +512,7 @@
\snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntSyslogd}{}
\snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntWrsWatchdog}{}
\snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntLldpd}{}
\snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntLdap}{}
\snmpentrye{WR-SWITCH-MIB}{wrsStartCntGroup}{wrsStartCntSPLL}{Not implemented}
\snmpentrye{WR-SWITCH-MIB}{}{wrsSpllState}{}
......
From f6ac6fde47cedd2b0a92412b39f9b9a014d637a7 Mon Sep 17 00:00:00 2001
From: Adam Wujek <adam.wujek@cern.ch>
Date: Tue, 4 Sep 2018 10:48:30 +0200
Subject: [PATCH] add libkrb5
Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
---
package/Config.in | 1 +
package/libkrb5/Config.in | 18 ++++++++++++++++
package/libkrb5/libkrb5.hash | 5 +++++
package/libkrb5/libkrb5.mk | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 83 insertions(+)
create mode 100644 package/libkrb5/Config.in
create mode 100644 package/libkrb5/libkrb5.hash
create mode 100644 package/libkrb5/libkrb5.mk
diff --git a/package/Config.in b/package/Config.in
index 529ad33..b5583da 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1084,6 +1084,7 @@ menu "Networking"
source "package/libidn/Config.in"
source "package/libiscsi/Config.in"
source "package/libldns/Config.in"
+ source "package/libkrb5/Config.in"
source "package/libmbus/Config.in"
source "package/libmemcached/Config.in"
source "package/libmicrohttpd/Config.in"
diff --git a/package/libkrb5/Config.in b/package/libkrb5/Config.in
new file mode 100644
index 0000000..2e24c87
--- /dev/null
+++ b/package/libkrb5/Config.in
@@ -0,0 +1,18 @@
+config BR2_PACKAGE_LIBKRB5
+ bool "libkrb5"
+ # needs fork()
+ depends on BR2_USE_MMU
+ depends on !BR2_STATIC_LIBS
+ help
+ Kerberos is a system for authenticating users and services
+ on a network. Kerberos is a trusted third-party service.
+ That means that there is a third party (the Kerberos server)
+ that is trusted by all the entities on the network (users
+ and services, usually called "principals"). This is the MIT
+ reference implementation of Kerberos V5.
+
+ https://web.mit.edu/kerberos/
+
+comment "libkrb5 needs a toolchain w/ dynamic library"
+ depends on BR2_USE_MMU
+ depends on BR2_STATIC_LIBS
diff --git a/package/libkrb5/libkrb5.hash b/package/libkrb5/libkrb5.hash
new file mode 100644
index 0000000..2980947
--- /dev/null
+++ b/package/libkrb5/libkrb5.hash
@@ -0,0 +1,5 @@
+# Locally calculated after checking pgp signature
+sha256 214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117 krb5-1.16.1.tar.gz
+
+# Hash for license file:
+sha256 58534f00ed877fd32936fcab094f49d399aeef7716393204d8028c4b89050c82 NOTICE
diff --git a/package/libkrb5/libkrb5.mk b/package/libkrb5/libkrb5.mk
new file mode 100644
index 0000000..d9d7160
--- /dev/null
+++ b/package/libkrb5/libkrb5.mk
@@ -0,0 +1,59 @@
+################################################################################
+#
+# libkrb5
+#
+################################################################################
+
+LIBKRB5_VERSION_MAJOR = 1.16
+LIBKRB5_VERSION = $(LIBKRB5_VERSION_MAJOR).1
+LIBKRB5_SITE = https://web.mit.edu/kerberos/dist/krb5/$(LIBKRB5_VERSION_MAJOR)
+LIBKRB5_SOURCE = krb5-$(LIBKRB5_VERSION).tar.gz
+LIBKRB5_SUBDIR = src
+LIBKRB5_LICENSE = MIT
+LIBKRB5_LICENSE_FILES = NOTICE
+LIBKRB5_DEPENDENCIES = host-bison
+LIBKRB5_INSTALL_STAGING = YES
+
+# The configure script uses AC_TRY_RUN tests to check for those values,
+# which doesn't work in a cross-compilation scenario. Therefore,
+# we feed the configure script with the correct answer for those tests
+LIBKRB5_CONF_ENV = \
+ ac_cv_printf_positional=yes \
+ ac_cv_func_regcomp=yes \
+ krb5_cv_attr_constructor_destructor=yes,yes
+
+# Never use the host packages
+LIBKRB5_CONF_OPTS = \
+ --without-system-db \
+ --without-system-et \
+ --without-system-ss \
+ --without-system-verto \
+ --without-tcl \
+ --disable-rpath
+
+ifeq ($(BR2_PACKAGE_OPENLDAP),y)
+LIBKRB5_CONF_OPTS += --with-ldap
+LIBKRB5_DEPENDENCIES += openldap
+else
+LIBKRB5_CONF_OPTS += --without-ldap
+endif
+
+ifeq ($(BR2_PACKAGE_LIBEDIT),y)
+LIBKRB5_CONF_OPTS += --with-libedit
+LIBKRB5_DEPENDENCIES += libedit
+else
+LIBKRB5_CONF_OPTS += --without-libedit
+endif
+
+ifeq ($(BR2_PACKAGE_READLINE),y)
+LIBKRB5_CONF_OPTS += --with-readline
+LIBKRB5_DEPENDENCIES += readline
+else
+LIBKRB5_CONF_OPTS += --without-readline
+endif
+
+ifneq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+LIBKRB5_CONF_OPTS += --disable-thread-support
+endif
+
+$(eval $(autotools-package))
--
1.9.1
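Review bot: `--with-ldap` is enabled whenever BR2_PACKAGE_OPENLDAP is set, which it presumably is in this image because nslcd/pam_ldap need the OpenLDAP client library; in MIT krb5 that switch builds the LDAP KDB backend plugin for the KDC, which a client-only switch image never uses, so it only adds code and a build dependency. I would pass `--without-ldap` unconditionally with a comment `# --with-ldap is the KDC database backend, not client auth`, and likewise keep `--without-libedit`/`--without-readline` unless the interactive kadmin/ktutil tools are wanted on the target. Good to see the tarball pinned by sha256 after a PGP check; a note next to LIBKRB5_VERSION saying where security releases are announced would help whoever has to bump 1.16.1 later.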
From 4a5dae02798200481775d6d8ba4a6c8f0a629544 Mon Sep 17 00:00:00 2001
From: Adam Wujek <adam.wujek@cern.ch>
Date: Wed, 5 Sep 2018 17:21:24 +0200
Subject: [PATCH] add libpam-krb5
Signed-off-by: Adam Wujek <adam.wujek@cern.ch>
---
package/Config.in | 1 +
package/libpam-krb5/Config.in | 21 +++++++++++++++++++++
package/libpam-krb5/libpam-krb5.hash | 6 ++++++
package/libpam-krb5/libpam-krb5.mk | 16 ++++++++++++++++
4 files changed, 44 insertions(+)
create mode 100644 package/libpam-krb5/Config.in
create mode 100644 package/libpam-krb5/libpam-krb5.hash
create mode 100644 package/libpam-krb5/libpam-krb5.mk
diff --git a/package/Config.in b/package/Config.in
index b5583da..8b43b7c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1208,6 +1208,7 @@ if BR2_PACKAGE_LINUX_PAM
comment "linux-pam plugins"
source "package/libpam-radius-auth/Config.in"
source "package/libpam-tacplus/Config.in"
+ source "package/libpam-krb5/Config.in"
endif
source "package/liquid-dsp/Config.in"
source "package/lttng-libust/Config.in"
diff --git a/package/libpam-krb5/Config.in b/package/libpam-krb5/Config.in
new file mode 100644
index 0000000..7845e6c
--- /dev/null
+++ b/package/libpam-krb5/Config.in
@@ -0,0 +1,21 @@
+config BR2_PACKAGE_LIBPAM_KRB5
+ bool "libpam-krb5"
+ # needs fork()
+ depends on BR2_USE_MMU
+ depends on !BR2_STATIC_LIBS
+ help
+ This package provides PAM plugin for kerberos.
+ https://www.eyrie.org/~eagle/software/pam-krb5/
+
+ Kerberos is a system for authenticating users and services
+ on a network. Kerberos is a trusted third-party service.
+ That means that there is a third party (the Kerberos server)
+ that is trusted by all the entities on the network (users
+ and services, usually called "principals"). This is the MIT
+ reference implementation of Kerberos V5.
+
+ https://web.mit.edu/kerberos/
+
+comment "libpam-krb5 needs a toolchain w/ dynamic library"
+ depends on BR2_USE_MMU
+ depends on BR2_STATIC_LIBS
diff --git a/package/libpam-krb5/libpam-krb5.hash b/package/libpam-krb5/libpam-krb5.hash
new file mode 100644
index 0000000..650ea5a
--- /dev/null
+++ b/package/libpam-krb5/libpam-krb5.hash
@@ -0,0 +1,6 @@
+# Locally calculated after checking pgp signature
+sha256 3abb458b4b3aa200d414bd2b859b3daabddd55954f753c988b41cedf95932649 pam-krb5-4.8.tar.gz
+
+# Hash for license file:
+sha256 65e1a886587af0b0af4d7e9aae8618fe80e1276cc62117ff548ae69d0f1e9be3 LICENSE
+
diff --git a/package/libpam-krb5/libpam-krb5.mk b/package/libpam-krb5/libpam-krb5.mk
new file mode 100644
index 0000000..5fa5fb2
--- /dev/null
+++ b/package/libpam-krb5/libpam-krb5.mk
@@ -0,0 +1,16 @@
+################################################################################
+#
+# libpam-krb5
+#
+################################################################################
+
+LIBPAM_KRB5_VERSION = 4.8
+LIBPAM_KRB5_SITE = https://archives.eyrie.org/software/kerberos
+LIBPAM_KRB5_SOURCE = pam-krb5-$(LIBPAM_KRB5_VERSION).tar.gz
+# LIBPAM_KRB5_SUBDIR = src
+LIBPAM_KRB5_LICENSE = MIT?
+LIBPAM_KRB5_LICENSE_FILES = LICENSE
+LIBPAM_KRB5_DEPENDENCIES = linux-pam
+LIBPAM_KRB5_INSTALL_STAGING = YES
+
+$(eval $(autotools-package))
--
1.9.1
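Review bot: libpam-krb5.mk lists only `linux-pam` in LIBPAM_KRB5_DEPENDENCIES and Config.in neither selects nor depends on BR2_PACKAGE_LIBKRB5, yet the module links against the Kerberos libraries; without that dependency Buildroot may build pam-krb5 before libkrb5 is in staging, so configure fails or, in a parallel build, the result depends on build order. Add `select BR2_PACKAGE_LIBKRB5` to Config.in (its `depends on BR2_USE_MMU` and `!BR2_STATIC_LIBS` already match libkrb5's conditions) and `LIBPAM_KRB5_DEPENDENCIES = linux-pam libkrb5`. The placeholder `LIBPAM_KRB5_LICENSE = MIT?` and the commented-out `# LIBPAM_KRB5_SUBDIR = src` look like unfinished edits; the LICENSE file is already hashed, so settle the license string from it. The help text in Config.in describes MIT Kerberos itself rather than the PAM module (it was copied from libkrb5/Config.in); a sentence on what pam-krb5 does, `PAM module that authenticates users against a Kerberos KDC and obtains a ticket cache on login`, is what a configurator reads.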
nslcd.sh
\ No newline at end of file
#!/bin/sh
#
# Starts nslcd needed for LDAP
#
MONIT=/usr/bin/monit
dotconfig=/wr/etc/dot-config
start_counter() {
# increase boot counter
COUNTER_FILE="/tmp/start_cnt_ldap"
START_COUNTER=1
if [ -f "$COUNTER_FILE" ];
then
read -r START_COUNTER < $COUNTER_FILE
START_COUNTER=$((START_COUNTER+1))
fi
echo "$START_COUNTER" > $COUNTER_FILE
}
start() {
echo -n "Starting nslcd (LDAP): "
if [ -f "$dotconfig" ]; then
. "$dotconfig"
else
echo "$0 unable to source dot-config ($dotconfig)!"
fi
if [ "$CONFIG_LDAP_ENABLE" != "y" ]; then
echo "LDAP not enabled in dot-config"
# Unmonitor web server (nslcd), ignore all printouts
# from monit.
# Run in background since monit may wait for a timeout.
$MONIT unmonitor nslcd &>/dev/null &
exit 0
fi
if [ -z "$CONFIG_LDAP_SERVER" ]; then
echo "Failed! LDAP server not defined"
exit 0
fi
# fill LDAP server address
cp -a /usr/etc/nslcd.conf /etc/nslcd.conf
sed -i "s,^uri CONFIG_LDAP_SERVER_ADDRESS,uri $CONFIG_LDAP_SERVER,g" /etc/nslcd.conf
if [ -z "$CONFIG_LDAP_SEARCH_BASE" ]; then
echo "Failed! LDAP search base not defined"
exit 0
fi
# fill LDAP search base
sed -i "s/CONFIG_LDAP_SEARCH_BASE/$CONFIG_LDAP_SEARCH_BASE/g" /etc/nslcd.conf
if [ "$CONFIG_LDAP_FILTER_NONE" = "y" ]; then
# no filter
sed -i "s/CONFIG_LDAP_FILTER//g" /etc/nslcd.conf
elif [ "$CONFIG_LDAP_FILTER_EGROUP" = "y" ]; then
if [ -z "$CONFIG_LDAP_FILTER_EGROUP_STR" ]; then
echo -n "Warning: CONFIG_LDAP_FILTER_EGROUP_STR empty! "
fi
sed -i "s/CONFIG_LDAP_FILTER/(memberOf=CN=$CONFIG_LDAP_FILTER_EGROUP_STR,OU=e-groups,OU=Workgroups,$CONFIG_LDAP_SEARCH_BASE)/g" /etc/nslcd.conf
elif [ "$CONFIG_LDAP_FILTER_CUSTOM" = "y" ]; then
if [ -z "$CONFIG_LDAP_FILTER_CUSTOM_STR" ]; then
echo -n "Warning: CONFIG_LDAP_FILTER_CUSTOM_STR empty! "
fi
sed -i "s/CONFIG_LDAP_FILTER/$CONFIG_LDAP_FILTER_CUSTOM_STR/g" /etc/nslcd.conf
fi
# add ldap to /etc/nsswitch.conf
cp -a /usr/etc/nsswitch.conf /etc/nsswitch.conf
sed -i "s/^passwd:[ \t]*files\$/passwd: files ldap/g" /etc/nsswitch.conf
sed -i "s/^group:[ \t]*files\$/group: files ldap/g" /etc/nsswitch.conf
sed -i "s/^shadow:[ \t]*files\$/shadow: files ldap/g" /etc/nsswitch.conf
cp -a /usr/etc/pam.d/sshd /etc/pam.d/sshd
if [ "$CONFIG_AUTH_KRB5" = "y" ]; then
if [ -z "$CONFIG_AUTH_KRB5_SERVER" ]; then
echo "Failed! CONFIG_AUTH_KRB5_SERVER empty!"
exit 0
fi
sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth sufficient /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount required /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession required /lib/security/pam_krb5.so minimum_uid=1000\n,g" /etc/pam.d/sshd
cp -a /usr/etc/krb5.conf /etc/krb5.conf
sed -i "s,default_realm = CONFIG_AUTH_KRB5_SERVER,default_realm = $CONFIG_AUTH_KRB5_SERVER,g" /etc/krb5.conf
fi
if [ "$CONFIG_AUTH_LDAP" = "y" ]; then
sed -i "s,# auth line to be replaced by startup scripts,# added by $0\nauth sufficient /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# account line to be replaced by startup scripts,# added by $0\naccount required /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
sed -i "s,# session line to be replaced by startup scripts,# added by $0\nsession required /lib/security/pam_ldap.so minimum_uid=1000\n,g" /etc/pam.d/sshd
fi
# /var/run/nslcd/nslcd.pid is created automatically by nslcd
start-stop-daemon -S -q -p /var/run/nslcd/nslcd.pid --exec /usr/sbin/nslcd
ret=$?
if [ $ret -eq 0 ]; then
start_counter
echo "OK"
elif [ $ret -eq 1 ]; then
echo "Failed (already running?)"
else
echo "Failed"
fi
}
stop() {
echo -n "Stopping nslcd (LDAP): "
start-stop-daemon -K -q -p /var/run/nslcd/nslcd.pid
if [ $? -eq 0 ]; then
echo "OK"
else
echo "Failed"
fi
}
restart() {
stop
start
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
restart
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
esac
exit $?
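Review bot: The dot-config values are spliced unescaped into sed replacement strings (`s/CONFIG_LDAP_SEARCH_BASE/$CONFIG_LDAP_SEARCH_BASE/g`, `s/CONFIG_LDAP_FILTER/$CONFIG_LDAP_FILTER_CUSTOM_STR/g`, and the `,`-delimited uri and realm lines), where `&` means "the matched text" and `\` and the delimiter are special; a custom filter such as `(&(objectClass=posixAccount)(memberOf=...))`, the normal way to combine conditions, comes out as `(CONFIG_LDAP_FILTER(objectClass=...)...)`, an invalid filter, so nslcd either rejects its config or matches nobody and the operator is left guessing why LDAP logins fail. Escape the values before substitution (helper below, with every call moved to the `/` delimiter so one helper covers them all), or generate nslcd.conf from a here-document instead of sed. Two smaller things: the comment `# Unmonitor web server (nslcd)` was copied from the lighttpd script and should say nslcd, and `&>/dev/null` is a bash-ism that a POSIX `#!/bin/sh` parses as `&` followed by a bare redirection, so use `>/dev/null 2>&1`.
```shell
# Escape '/', '&' and '\' so that a dot-config value can be used as a sed
# replacement string without being reinterpreted.
sed_esc() {
	printf '%s' "$1" | sed 's/[\/&\\]/\\&/g'
}
# … unchanged: dot-config sourcing, CONFIG_LDAP_ENABLE / server checks …
sed -i "s/^uri CONFIG_LDAP_SERVER_ADDRESS/uri $(sed_esc "$CONFIG_LDAP_SERVER")/g" /etc/nslcd.conf
# … unchanged: search-base check …
sed -i "s/CONFIG_LDAP_SEARCH_BASE/$(sed_esc "$CONFIG_LDAP_SEARCH_BASE")/g" /etc/nslcd.conf
# … unchanged: filter selection (escape the e-group and search-base values the same way) …
sed -i "s/CONFIG_LDAP_FILTER/$(sed_esc "$CONFIG_LDAP_FILTER_CUSTOM_STR")/g" /etc/nslcd.conf
```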
#!/bin/sh
#
# Starts dropbear sshd.
# Starts sshd.
#
# Make sure the dropbearkey progam exists
[ -f /usr/bin/dropbearkey ] || exit 0
dotconfig=/wr/etc/dot-config
# Make sure the ssh-keygen progam exists
[ -f /usr/bin/ssh-keygen ] || exit 0
start_counter() {
# increase boot counter
......@@ -19,32 +21,42 @@ start_counter() {
}
start() {
echo -n "Starting dropbear sshd: "
echo -n "Starting sshd: "
if [ -f "$dotconfig" ]; then
. "$dotconfig"
else
echo "$0 unable to source dot-config ($dotconfig)!"
fi
# copy authorized keys if exists
if [ -f /usr/authorized_keys ] ; then
mkdir -p /root/.ssh/
cp /usr/authorized_keys /root/.ssh/
fi
# Make sure dropbear directory exists
if [ ! -d /etc/dropbear ] ; then
mkdir -p /etc/dropbear
fi
mkdir -p /usr/etc/dropbear
# Check for the Dropbear RSA key
if [ ! -f /etc/dropbear/dropbear_rsa_host_key ] ; then
echo -n "generating rsa key... "
/usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
cp /etc/dropbear/dropbear_rsa_host_key /usr/etc/dropbear
# Make sure ssh directory exists
mkdir -p /etc/ssh
mkdir -p /usr/etc/ssh
# Check for the ssh keys
if [ ! -f /etc/ssh/ssh_host_rsa_key ] \
|| [ ! -f /etc/ssh/ssh_host_dsa_key ] \
|| [ ! -f /etc/ssh/ssh_host_ecdsa_key ] \
|| [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
# echo -n "generating ssh keys... "
/usr/bin/ssh-keygen -A
cp /etc/ssh/ssh_host_*_key* /usr/etc/ssh
fi
# Check for the Dropbear DSS key
if [ ! -f /etc/dropbear/dropbear_dss_host_key ] ; then
echo -n "generating dsa key... "
/usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
cp /etc/dropbear/dropbear_dss_host_key /usr/etc/dropbear
if [ "$CONFIG_ROOT_ACCESS_DISABLE" = "y" ]; then
sed -i "s|^PermitRootLogin.*|PermitRootLogin prohibit-password # replaced by $0|g" /etc/ssh/sshd_config
else
sed -i "s|^PermitRootLogin.*|PermitRootLogin yes # replaced by $0|g" /etc/ssh/sshd_config
fi
umask 077
start-stop-daemon -S -q -p /var/run/dropbear.pid --exec /usr/sbin/dropbear
# /var/run/sshd.pid is created automatically by sshd
start-stop-daemon -S -q -p /var/run/sshd.pid --exec /usr/sbin/sshd
ret=$?
if [ $ret -eq 0 ]; then
start_counter
......@@ -57,8 +69,8 @@ start() {
}
stop() {
echo -n "Stopping dropbear sshd: "
start-stop-daemon -K -q -p /var/run/dropbear.pid
echo -n "Stopping sshd: "
start-stop-daemon -K -q -p /var/run/sshd.pid
if [ $? -eq 0 ]; then
echo "OK"
else
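Review bot: The two `sed` lines that write `PermitRootLogin ... # replaced by $0` into /etc/ssh/sshd_config put a comment on the same line as the directive; as far as I know OpenSSH's sshd_config parser does not accept trailing comments (it reports "garbage at end of line") and sshd then refuses to start, which on this switch means no remote access and, via the new monit entry, a reboot after five failed restarts. Keep the directive alone on its line, e.g. `sed -i "s|^PermitRootLogin.*|PermitRootLogin prohibit-password|" /etc/ssh/sshd_config` (and `PermitRootLogin yes` in the else branch), and put the provenance in a separate `# set by $0` comment line if it is wanted. The substitution also only fires when the shipped sshd_config contains an active `PermitRootLogin` line; if it ships commented out (`#PermitRootLogin`), CONFIG_ROOT_ACCESS_DISABLE is silently ignored and OpenSSH's built-in default applies, so matching `^#\?PermitRootLogin` or appending the directive would be safer. The `start()` function continues past the end of this hunk.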
......
......@@ -296,3 +296,6 @@ if grep -q initrd= /proc/cmdline; then
rm /etc/init.d/wrs-boot-procedure;
cp -a /usr/etc/* /etc
fi
# create dir for home dirs
mkdir -p /tmp/home
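Review bot: `mkdir -p /tmp/home` creates the directory with the boot-time umask and root ownership, so an LDAP user whose home is below it (the comment suggests that is the intent) cannot get a home directory on first login unless something else creates it, and the PAM lines added by nslcd.sh in this commit do not include pam_mkhomedir. Either pre-create per-user directories or add `session required pam_mkhomedir.so umask=0077` to the PAM configuration, and say which in a comment. It is also worth noting in the comment that /tmp is tmpfs, so these homes, including any `~/.ssh/authorized_keys` an LDAP user drops there, vanish on every reboot.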
[libdefaults]
default_realm = CONFIG_AUTH_KRB5_SERVER
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
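Review bot: `forwardable = true` and `proxiable = true` in [libdefaults] make every TGT that pam_krb5 obtains on the switch (and, by default, caches for the session) forwardable/proxiable; a device that only verifies logins has no reason to delegate credentials anywhere, and a forwardable TGT sitting in a credential cache on the switch is worth more to anyone who compromises it. Unless ticket delegation from the switch is an actual requirement, drop both lines (or set them to `false`). There is no [realms] section, so KDCs are found through DNS SRV lookup; a comment `# KDCs are discovered via DNS SRV records for the realm` would stop someone hard-coding one "for safety", and `default_realm = CONFIG_AUTH_KRB5_SERVER` deserves a `# placeholder, replaced by /etc/init.d/nslcd.sh` note.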
check process dropbear with pidfile /var/run/dropbear.pid
start program = "/etc/init.d/dropbear start"
stop program = "/etc/init.d/dropbear stop"
if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh dropbear"
# nslcd is used for LDAP
check process nslcd with pidfile /var/run/nslcd/nslcd.pid
start program = "/etc/init.d/nslcd.sh start"
stop program = "/etc/init.d/nslcd.sh stop"
if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh nslcd"
check process sshd with pidfile /var/run/sshd.pid
start program = "/etc/init.d/sshd.sh start"
stop program = "/etc/init.d/sshd.sh stop"
if 5 restarts within 10 cycles then exec "/etc/init.d/reboot.sh sshd"
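Review bot: The new nslcd entry reboots the switch after 5 restarts in 10 cycles, the same policy the removed dropbear entry had for the SSH daemon, but nslcd is only a lookup cache for an external directory: a bad dot-config (an empty CONFIG_LDAP_SERVER makes nslcd.sh exit without starting anything) or an nslcd crash loop would then take a timing switch down rather than merely break LDAP logins, while the manual text in this commit lists nslcd among the "less critical" processes for which restart and warning are enough. I would drop the `exec "/etc/init.d/reboot.sh nslcd"` line, or turn it into an alert, so local root/password access stays usable while the directory is unavailable. Note also that when LDAP is disabled nslcd.sh asks monit to unmonitor nslcd from a background job; if that request is ever lost (monit not yet up, for instance), this entry would, as far as monit counts failed starts, accumulate restarts for a service that is intentionally not running.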
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
uri CONFIG_LDAP_SERVER_ADDRESS
#uri ldap://127.0.0.1/