From 22b1e03e3b042e1899ef31d9759f88c87a3ab58e Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 15:30:52 -0700 Subject: add ssh key blacklists --- debian/control | 3 ++- debian/vyatta-cfg-system.postinst.in | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 89b55bbe..2094387a 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh, + ssh (>= 5.1p1-3), + openssh-server (>= 5.1p1-3), ed, tshark, ifenslave-2.6, diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 6e5fa735..26ae9a02 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate @@ -87,6 +101,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server + # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login -- cgit v1.2.3 From 3529bdf5b65016cea331f8ba6e7293c7eea9e6ce Mon Sep 17 00:00:00 2001 
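Review bot: In the merge branch of the blacklist loop the merged file inherits the temp file's mode: `mktemp` creates `/tmp/bl.XXXXXXXXXX` as 0600 and `mv $tmp /etc/ssh/$f` keeps that, so a previously world-readable `/etc/ssh/blacklist.*` becomes root-only after the first merge, which presumably breaks the blacklist check done by non-root ssh clients (if this openssh build performs one, as the version bump to 5.1p1-3 suggests). Plain `sort` also keeps duplicate entries when part of the shipped list is already present, and its locale-dependent order may not be the byte order a binary-search consumer expects. Suggested replacement for the three merge lines: `tmp=$(mktemp /tmp/bl.XXXXXXXXXX)`, `LC_ALL=C sort -u "/etc/ssh/$f" "$sysconfdir/$f" >"$tmp"`, `chmod 644 "$tmp" && mv "$tmp" "/etc/ssh/$f"`. The `if` block this loop sits in opens before the hunk.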
From: An-Cheng Huang Date: Mon, 13 Oct 2008 15:31:26 -0700 Subject: add ssh key blacklists --- Makefile.am | 2 ++ debian/control | 3 ++- debian/vyatta-cfg-system.postinst.in | 16 ++++++++++++++++ sysconf/blacklist.DSA-1024 | 21 +++++++++++++++++++++ sysconf/blacklist.RSA-2048 | 21 +++++++++++++++++++++ 5 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 sysconf/blacklist.DSA-1024 create mode 100644 sysconf/blacklist.RSA-2048 (limited to 'debian') diff --git a/Makefile.am b/Makefile.am index 576be4be..7f148153 100644 --- a/Makefile.am +++ b/Makefile.am @@ -44,6 +44,8 @@ sysconf_DATA += sysconf/motd.tail sysconf_DATA += sysconf/syslog.conf sysconf_DATA += sysconf/default_ssh sysconf_DATA += sysconf/vyatta-sysctl.conf +sysconf_DATA += sysconf/blacklist.DSA-1024 +sysconf_DATA += sysconf/blacklist.RSA-2048 libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/control b/debian/control index 4b5692bb..877ee68c 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh, + ssh (>= 5.1p1-3), + openssh-server (>= 5.1p1-3), ed, tshark, iputils-arping diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 0dd6248f..fe50fa79 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate 
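Review bot: The already-merged test in the blacklist loop checks only whether the first line of `$sysconfdir/$f` appears somewhere in `/etc/ssh/$f` (`l=$(head -1 ...)` then `grep -q "$l"`), so a target file that already contains that one fingerprint but not the other twenty is treated as fully merged and the remaining entries are silently dropped. The `grep` is also an unanchored regex match rather than a fixed-string whole-line match, and both paths are unquoted. A safer probe is to look for any shipped entry that is missing, e.g. `if grep -vxFf "/etc/ssh/$f" "$sysconfdir/$f" >/dev/null 2>&1; then` (merge) — or always merge with `sort -u`, which is idempotent and needs no probe at all. This loop is inside an `if` whose opening line is outside the hunk.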
@@ -87,6 +101,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024 new file mode 100644 index 00000000..74ecaf53 --- /dev/null +++ b/sysconf/blacklist.DSA-1024 @@ -0,0 +1,21 @@ +01e53715431bcae79677 +036a4048556eb8092113 +0db19fcc95efc89d2173 +22da67b6aafc3df124f3 +2307b2e9769c6b66857c +3c13948cb606c6041284 +4218a1912ef9941a0881 +4582eff4cf42af0b19f0 +54f103cd4fbc7b08c8e2 +6d56bcebc8bb9d30ecd9 +83848247dbabf6135644 +8e730ef49b321946e7aa +96a4f81de014a53e1890 +9adab16d72364f6032f7 +9b25df69798b447fd5ee +9d5e4438920babd3030e +a1eeb08f514492069e51 +d63657291b4d940a9a47 +db3101e70b8ef04ad4fe +dd71e503f1a8319e3caf +f407f33616b53f79c1b8 diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048 new file mode 100644 index 00000000..0cb0d489 --- /dev/null +++ b/sysconf/blacklist.RSA-2048 @@ -0,0 +1,21 @@ +0a47235c3142262b3b90 +1899b9c1f6346576a66e +20059ae36e5ac97fc3b2 +2487f28e692f45affa43 +4394e40d532aef252906 +440ea42b848111613a48 +46a6daa5036020063340 +52287579c05c0e45c57e +52cec5c2a10c09661389 +6b3446654ce7e07da10d +768e7f724aeb0cf86814 +84d1e68fda77b8fe88bf +b0e10f3cfca7ac4aba50 +b8570f784995af2fa6b8 +bcdc020d5e8e6a61345a +c3e94aed4f1d75569eab +c5d8c5731f3fa668ffae +d9deed191624c2472978 +e66c42ba8e40c8501106 +ea93328c2d72642a5d59 +f954c671c9c639f8a375 -- cgit v1.2.3 From db349aeba68d510648b8b1c9f37342779f21b941 Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 16:10:52 -0700 Subject: use epoch in package version number --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 2094387a..b8128287 100644 --- a/debian/control +++ b/debian/control 
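Review bot: `/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server` is added with no comment explaining why it must run on every postinst pass, and its exit status is not examined; the intent is presumably to make openssh-server's own configure step re-check the host keys against the blacklists installed earlier in this script, but a reader cannot tell that from the line. Suggest a comment above it such as `# Re-run openssh-server's configure step so the host keys are checked against the blacklists installed above (and regenerated if blacklisted)`. Make a failure visible in the install log as well, e.g. `... openssh-server || echo "warning: dpkg-reconfigure openssh-server failed" >&2`, rather than letting it pass silently.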
@@ -24,8 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh (>= 5.1p1-3), - openssh-server (>= 5.1p1-3), + ssh (>= 1:5.1p1-3), + openssh-server (>= 1:5.1p1-3), ed, tshark, ifenslave-2.6, -- cgit v1.2.3 From 1ae422b13aac7ae6d9c412ae0f392f465d7537af Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 16:11:08 -0700 Subject: use epoch in package version number --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 877ee68c..2888d0e3 100644 --- a/debian/control +++ b/debian/control @@ -24,8 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh (>= 5.1p1-3), - openssh-server (>= 5.1p1-3), + ssh (>= 1:5.1p1-3), + openssh-server (>= 1:5.1p1-3), ed, tshark, iputils-arping -- cgit v1.2.3 From 81c8c9f28dff67e7ff3208278790f3381bc879dc Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 19:09:41 -0700 Subject: remove unused files --- debian/vyatta-cfg-system.postinst.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index fe50fa79..b484c2a1 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -102,6 +102,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null # Local Variables: # mode: shell-script -- cgit v1.2.3 From aed20563b004d8c274b8a3f72d161cf75bcf4e4c Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 19:09:57 -0700 Subject: remove unused files --- debian/vyatta-cfg-system.postinst.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 26ae9a02..53fa062c 100644 --- a/debian/vyatta-cfg-system.postinst.in 
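Review bot: `rm -f /etc/ssh/*.broken` deletes the files that openssh-server's key check presumably moved aside as blacklisted host keys, so the old key material — and with it the fingerprint an operator would compare against when clients start warning about a changed host key — is gone without a trace the first time this postinst runs. If the aim is only to keep /etc/ssh tidy, logging the removal first is cheap: `for k in /etc/ssh/*.broken; do [ -e "$k" ] && logger -t vyatta-cfg-system "removing blacklisted host key $k"; done` before the `rm`. The commit message ("remove unused files") also does not cover `update-rc.d -f ssh remove`, which disables the stock sshd boot links; that line deserves a one-line comment naming the Vyatta component that starts sshd instead.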
+++ b/debian/vyatta-cfg-system.postinst.in @@ -102,6 +102,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null # Fix up PAM configuration for login so that invalid users are prompted # for password -- cgit v1.2.3 From 6a2393d8053ab9ff9651a6f9c3b243cced7e4439 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Tue, 14 Oct 2008 13:54:35 -0700 Subject: Bugfix: 3744 When a new member is added to a RAID group that holds the root filesystem, we need to re-install grub so that the new disk will be bootable. But this can only be done after the RAID set has completed rebuilding. Added mechanism that uses the event notification infrastructure of "mdadm" to trigger the re-installation of grub after the rebuild completes. --- debian/vyatta-cfg-system.postinst.in | 7 +++ scripts/vyatta-raid-event | 104 +++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 scripts/vyatta-raid-event (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 53fa062c..21d7ff32 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -111,6 +111,13 @@ sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $root [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist +# +# Ask mdadm to call our own event handling daemon +# +if [ -e /etc/default/mdadm ]; then + sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm +fi + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/scripts/vyatta-raid-event b/scripts/vyatta-raid-event new file mode 100644 index 00000000..f279a57d --- /dev/null +++ b/scripts/vyatta-raid-event 
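Review bot: `update-rc.d -f ssh remove >/dev/null` unconditionally removes the sshd boot symlinks on every postinst run, but nothing in the hunk or the commit message ("remove unused files") says what starts sshd instead, and only stdout is silenced while a failure's stderr and exit status are ignored. A one-line comment such as `# sshd is started by the Vyatta config system, not by the stock init script` — assuming that is the case; it cannot be verified from this hunk — would stop the next maintainer from re-enabling the links. The `rm -f /etc/ssh/*.broken` line likewise deserves a comment stating that these are host keys moved aside as blacklisted, if that is what they are.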
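Review bot: The `sed -i 's+^DAEMON_OPTIONS=.*$+...+'` edit only rewrites an existing `DAEMON_OPTIONS=` line; if /etc/default/mdadm exists but lacks that variable (or carries it commented out as `# DAEMON_OPTIONS=`), the handler is silently never registered and the post-rebuild grub re-install this commit exists for never fires. Add a fallback after the sed: `grep -q '^DAEMON_OPTIONS=' /etc/default/mdadm || echo 'DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"' >>/etc/default/mdadm`. The edit also discards any operator-supplied monitor options (for example `--mail`) instead of appending `--program`; if that is intended, a comment saying so would help.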
@@ -0,0 +1,104 @@ +#!/bin/bash +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Bob Gilligan +# Date: 2008 +# Description: A script to handle events from the Linux Software RAID +# subsystem. +# +# **** End License **** +# +# This script is called by the "mdadm" daemon running in "monitor" mode +# whenever an event occurs in in the RAID subsytem. The script is called +# with two or three arguments: The first argument is always the name of +# the event, e.g. "RebuildFinished". The second argument is the name of +# the RAID set device that the event pertains to, e.g. "/dev/md0". The +# third argument is provided for some events, and gives the name of the +# RAID set member that the event pertains to, e.g. "/dev/sda2". +# +# See the mdadm(8) man page for more details on the events that it provides. +# + +# Script will be called with 2 or 3 arguments, depending on the event +if [ $# -lt 2 ]; then + logger -t "RAID" -p local0.warning "vyatta-raid-event: Error: Not enough args: $*" + # We can't do anything if we don't know event and RAID device it + # pertains to. 
+ exit 1 +fi +if [ $# -gt 3 ]; then + logger -t "RAID" -p local0.warning "vyatta-raid-event: Warning: too many args: $*" + # Be Robust: Try to complete task with args we know about +fi + +event=$1 +raid_set=$2 + +case $event in + + RebuildFinished) + logger -t "RAID" -p local0.warning "event ${event} ${raid_set}" + + # We need to update grub at the time that a resync completes + # on the root filesystem so that the new member disk will be + # bootable. + mounted_on=`mount | grep "^${raid_set}" | awk '{ print $3 }'` + if [ "$mounted_on" = "/" ]; then + raid_set_dev=${raid_set##*/} + if [ -e /sys/block/${raid_set_dev}/md/degraded ]; then + degraded=`cat /sys/block/${raid_set_dev}/md/degraded` + else + degraded=0 + fi + if [ $degraded -eq 0 ]; then + drive=${member_to_add%%[0-9]*} + logger -t "RAID" -p local0.warning \ + "RAID set ${raid_set} holds root filesystem. Updating grub." + touch /tmp/raid-grub-install-log + grub-install --no-floppy --recheck --root-directory=/ ${raid_set} \ + >> /tmp/raid-grub-install-log 2>&1 + if [ $? -ne 0 ]; then + logger -t "RAID" -p local0.warning \ + "grub-installed failed for $raid_set" + fi + else + logger -t "RAID" -p local0.warning \ + "RAID set ${raid_set} is still degraded. No action taken." + fi + else + logger -t "RAID" -p local0.warning \ + "RAID set ${raid_set} does not hold root filesystem. No action taken" + fi + ;; + + DeviceDisappeared | RebuildStarted | Rebuild?? | NewArray | \ + DegradedArray | MoveSpare | SparesMissing | TestMessage) + logger -t "RAID" -p local0.warning \ + "event ${event} ${raid_set}: No action taken" + ;; + + Fail | FailSpare | SpareActive) + member=$3 + logger -t "RAID" -p local0.warning \ + "event ${event} ${raid_set} ${member}: No action taken" + ;; + + *) + logger -t "RAID" -p local0.warning \ + "event ${event} unknown. No action taken" + ;; + + esac -- cgit v1.2.3 From ec928267b1e61e7a957515ad553bd171baf2d651 Mon Sep 17 00:00:00 2001 
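Review bot: The script runs as root from mdadm's monitor and writes its grub log to a fixed, predictable path in a world-writable directory: `touch /tmp/raid-grub-install-log` and `>> /tmp/raid-grub-install-log` follow a symlink that any local user planted there first, letting that user have root append grub-install output to an arbitrary file (a sticky /tmp prevents deletion, not symlink following, and fs.protected_symlinks cannot be assumed on a 2008 kernel). Log under a root-owned directory instead, e.g. `log=/var/log/vyatta-raid-grub-install.log` and `grub-install --no-floppy --recheck --root-directory=/ "${raid_set}" >>"$log" 2>&1`, and drop the `touch`. Two smaller issues in the RebuildFinished arm: `drive=${member_to_add%%[0-9]*}` reads a variable that is never set and `drive` is never used, so the line is dead and should go; and `mount | grep "^${raid_set}"` is a prefix match, so for `/dev/md1` it also matches `/dev/md10`–`/dev/md19` and can return several mount points, whereas `awk -v d="$raid_set" '$1 == d { print $3 }'` matches the device exactly.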
From: Mark O'Brien Date: Tue, 14 Oct 2008 17:30:18 -0700 Subject: 3.1.4 --- debian/changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 803fdb87..28c93bf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +vyatta-cfg-system (0.14) unstable; urgency=low + + 3.1.4 + [ Mark O'Brien ] + + + [ Robert Bays ] + * fix ssh keygen on startup + + [ An-Cheng Huang ] + * remove unused files + * use epoch in package version number + * add ssh key blacklists + + [ Mark O'Brien ] + + -- Mark O'Brien Tue, 14 Oct 2008 17:30:18 -0700 + vyatta-cfg-system (0.13) unstable; urgency=low 3.1.3 -- cgit v1.2.3 From 25438666015dc5ea9695f5172b0f4925c3ae2d9a Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 15 Oct 2008 13:30:57 -0700 Subject: Block remote access to rpc-bind port Use hosts.deny to block access to portmapper Bugfix 3767 --- debian/vyatta-cfg-system.postinst.in | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 21d7ff32..498e431f 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -80,8 +80,17 @@ EOF cp $sysconfdir/$f /etc/ssh/$f fi done + + # block external rpc access + if ! grep -q "^portmap" /etc/hosts.deny + then cat <<-EOF >>/etc/hosts.deny + # Disable rpc access from other hosts + portmap: ALL + EOF + fi fi + # update crontab for logrotate grep -v logrotate /etc/crontab>/etc/crontab.$$ echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$ -- cgit v1.2.3 From 540cf454c6f7a5595a0fce42906f2656dc10cc9f Mon Sep 17 00:00:00 2001 
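Review bot: `portmap: ALL` in /etc/hosts.deny also denies loopback callers unless /etc/hosts.allow already grants `portmap: 127.0.0.1`, which this hunk does not add, so local RPC users of the portmapper (rpcinfo, NFS lock/stat daemons, if present) can break along with the remote access the commit intends to block. The here-doc is `<<-EOF`, which strips leading tabs only; the body and the closing `EOF` appear indented here, and if that indentation is spaces the terminator is never recognized and the here-doc swallows the following `fi` lines — worth confirming in the actual file. Pair the deny with `grep -q "^portmap" /etc/hosts.allow || echo "portmap: 127.0.0.1" >>/etc/hosts.allow`, or state in the comment that local RPC is meant to be blocked too.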
From: Stephen Hemminger Date: Wed, 15 Oct 2008 13:47:03 -0700 Subject: Revert "Block remote access to rpc-bind port" This change isn't needed. This reverts commit 25438666015dc5ea9695f5172b0f4925c3ae2d9a. --- debian/vyatta-cfg-system.postinst.in | 9 --------- 1 file changed, 9 deletions(-) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 498e431f..21d7ff32 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -80,17 +80,8 @@ EOF cp $sysconfdir/$f /etc/ssh/$f fi done - - # block external rpc access - if ! grep -q "^portmap" /etc/hosts.deny - then cat <<-EOF >>/etc/hosts.deny - # Disable rpc access from other hosts - portmap: ALL - EOF - fi fi - # update crontab for logrotate grep -v logrotate /etc/crontab>/etc/crontab.$$ echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$ -- cgit v1.2.3 From 556580381ed0008c463aa0dd109f839f140f3443 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Wed, 22 Oct 2008 02:01:03 -0700 Subject: Fix Bug 3567 Debug messages are not logged by default on upgraded system - copy over default islavista syslog.conf during upgrade from hollywood --- debian/vyatta-cfg-system.postinst.in | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 21d7ff32..e9541dbe 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
@@ -118,6 +118,15 @@ if [ -e /etc/default/mdadm ]; then sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm fi +# --following is added to resolve issues related to bug 3567 on upgrade from hollywood to islavista-- +# back-up existing /etc/syslog.conf file in hollywood which might be broken +# and replace it with the default syslog.conf in islavista. when system restarts +# after upgrade, whatever is configured in CLI will be written to syslog.conf +# + +cp -p /etc/syslog.conf /etc/syslog.conf.bak +cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf + # Local Variables: # mode: shell-script # sh-indentation: 4 -- cgit v1.2.3
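Review bot: The two `cp` lines run unconditionally on every postinst invocation, not only on the hollywood→islavista upgrade the comment describes, so each later upgrade or reinstall overwrites `/etc/syslog.conf.bak` with the then-current file (losing the original backup) and replaces any locally edited `/etc/syslog.conf` with the packaged default until the CLI regenerates it. If `/etc/syslog.conf` is absent (a system already on rsyslog, say) the first `cp -p` fails, which aborts the postinst if `set -e` is in effect above this hunk — that cannot be seen from here. Consider guarding the backup with `if [ -f /etc/syslog.conf ] && [ ! -e /etc/syslog.conf.bak ]; then cp -p /etc/syslog.conf /etc/syslog.conf.bak; fi`, keying the replacement on the previous version passed as `$2` in `configure` mode, and rewording the comment to say when the block actually fires.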