summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-24 22:15:27 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-01-24 22:24:13 -0800
commitec515b52b681cd96bf51626bf899e3177bdbe3f3 (patch)
tree0cc4a8ce494aa1c697f7042c637edf986f1a3622
parent8fc0c2869f77782d344bf0cddf5a2e3d5657761b (diff)
downloadvyatta-cfg-system-ec515b52b681cd96bf51626bf899e3177bdbe3f3.tar.gz
vyatta-cfg-system-ec515b52b681cd96bf51626bf899e3177bdbe3f3.zip
Fix allow-root for telnet/ssh
Bug 5252 The boot script needs to restore default settings, and the templates are then used to enable root access.
-rw-r--r--debian/vyatta-cfg-system.postinst.in2
-rwxr-xr-xscripts/rl-system.init22
-rw-r--r--templates/service/ssh/allow-root/node.def2
-rw-r--r--templates/service/telnet/allow-root/node.def2
4 files changed, 20 insertions, 8 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1e77d69d..f06bfb50 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -45,6 +45,8 @@ if [ "$sysconfdir" != "/etc" ]; then
# enable ssh banner
sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
+ # make sure PermitRoot is off
+ sed -i '/^PermitRootLogin/s/yes/no' /etc/ssh/sshd_config
# for "admin" level
sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index 09d4509e..960674d8 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
@@ -165,11 +165,21 @@ setup_ntp_config_file () {
fi
}
-# restore PAM back to virgin state (no radius other services)
-pam_reset () {
- if grep -q radius /etc/pam.d/common-auth
- then pam-auth-update --remove radius
- fi
+
+# These are all the default security setting which are later
+# overridden when configuration is read. These are the values the
+# system defaults.
+security_reset () {
+ # restore PAM back to virgin state (no radius other services)
+ if grep -q radius /etc/pam.d/common-auth
+ then pam-auth-update --remove radius
+ fi
+
+ # Disable root login with ssh
+ sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+
+ # Disable root login over telnet
+ sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty
}
start () {
@@ -183,7 +193,7 @@ start () {
log_failure_msg "can\'t add serial interfaces"
set_ipv6_params
- pam_reset
+ security_reset
update_version_info
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index 1c56d221..c1e6abf2 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
@@ -1,5 +1,5 @@
help: Enable root login over ssh
-update: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
+create: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
delete: sudo sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def
index 01c8bd0f..39c78062 100644
--- a/templates/service/telnet/allow-root/node.def
+++ b/templates/service/telnet/allow-root/node.def
@@ -1,3 +1,3 @@
help: Enable root login over telnet
-update: /opt/vyatta/sbin/vyatta_update_telnet allow-root true
+create: /opt/vyatta/sbin/vyatta_update_telnet allow-root true
delete:/opt/vyatta/sbin/vyatta_update_telnet allow-root false