author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-24 22:15:27 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-01-24 22:24:13 -0800 |
commit | ec515b52b681cd96bf51626bf899e3177bdbe3f3 (patch) | |
tree | 0cc4a8ce494aa1c697f7042c637edf986f1a3622 | |
parent | 8fc0c2869f77782d344bf0cddf5a2e3d5657761b (diff) | |
Fix allow-root for telnet/ssh
Bug 5252
The boot script needs to restore default settings, and the
templates are then used to enable root access.
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 2 | ||||
-rwxr-xr-x | scripts/rl-system.init | 22 | ||||
-rw-r--r-- | templates/service/ssh/allow-root/node.def | 2 | ||||
-rw-r--r-- | templates/service/telnet/allow-root/node.def | 2 |
4 files changed, 20 insertions, 8 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 1e77d69d..f06bfb50 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -45,6 +45,8 @@ if [ "$sysconfdir" != "/etc" ]; then
 # enable ssh banner
 sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
+ # make sure PermitRoot is off
+ sed -i '/^PermitRootLogin/s/yes/no' /etc/ssh/sshd_config
 # for "admin" level
 sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
diff --git a/scripts/rl-system.init b/scripts/rl-system.init
index 09d4509e..960674d8 100755
--- a/scripts/rl-system.init
+++ b/scripts/rl-system.init
@@ -165,11 +165,21 @@ setup_ntp_config_file () {
 fi
 }
-# restore PAM back to virgin state (no radius other services)
-pam_reset () {
- if grep -q radius /etc/pam.d/common-auth
- then pam-auth-update --remove radius
- fi
+
+# These are all the default security setting which are later
+# overridden when configuration is read. These are the values the
+# system defaults.
+security_reset () {
+ # restore PAM back to virgin state (no radius other services)
+ if grep -q radius /etc/pam.d/common-auth
+ then pam-auth-update --remove radius
+ fi
+
+ # Disable root login with ssh
+ sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+
+ # Disable root login over telnet
+ sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty
 }
 start () {
@@ -183,7 +193,7 @@ start () {
 log_failure_msg "can\'t add serial interfaces"
 set_ipv6_params
- pam_reset
+ security_reset
 update_version_info
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index 1c56d221..c1e6abf2 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
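Review bot: The added `sed -i '/^PermitRootLogin/s/yes/no' /etc/ssh/sshd_config` in the debian/vyatta-cfg-system.postinst.in hunk lacks the closing delimiter of the `s` command, so sed rejects the expression and sshd_config is left unchanged. The same edit in scripts/rl-system.init carries the trailing slash, and this line should match it: `sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config`. If the postinst runs under `set -e` (not visible in this hunk), the failing sed would also abort package configuration. The enclosing `if` block starts and ends outside the hunk.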
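Review bot: In `security_reset` (scripts/rl-system.init), `sed -i -e '/^PermitRootLogin/s/yes/no/'` only rewrites an uncommented `PermitRootLogin` line that contains `yes`, so a file where the directive is commented out or missing is left to sshd's built-in default and the boot-time baseline is not guaranteed. A check after the sed would make a failed reset visible, for example `grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || log_failure_msg "PermitRootLogin not reset"`. The securetty line deletes everything from the `# Pseudo-terminal (telnet)` marker to end of file, which presumably relies on vyatta_update_telnet always appending its entries last; a comment such as `# marker block is written by vyatta_update_telnet and must stay at end of file` would record that assumption.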
@@ -1,5 +1,5 @@
 help: Enable root login over ssh
-update: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
+create: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
 delete: sudo sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def
index 01c8bd0f..39c78062 100644
--- a/templates/service/telnet/allow-root/node.def
+++ b/templates/service/telnet/allow-root/node.def
@@ -1,3 +1,3 @@
 help: Enable root login over telnet
-update: /opt/vyatta/sbin/vyatta_update_telnet allow-root true
+create: /opt/vyatta/sbin/vyatta_update_telnet allow-root true
 delete:/opt/vyatta/sbin/vyatta_update_telnet allow-root false |