diff options
author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-06-16 15:31:49 -0700 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2009-07-17 14:56:04 -0700 |
commit | 5ec82316b089d0be4f544937fbd3ed5d3333c829 (patch) | |
tree | 9e29e450cbb1cdb392e358f88373c6e227f6f15d | |
parent | 3f05a5d8e5fed097dc3ddd3139ae72b4208cdccc (diff) | |
download | vyatta-cfg-system-5ec82316b089d0be4f544937fbd3ed5d3333c829.tar.gz vyatta-cfg-system-5ec82316b089d0be4f544937fbd3ed5d3333c829.zip |
Make telnet management smarter
Bug 4591
Consolidate check for telnet login
Don't remove /etc/securetty edit it
(cherry picked from commit c6c477f2ffb0f2fd4cf12882f22c2c44ab57cc46)
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 2 | ||||
-rwxr-xr-x | scripts/system/vyatta_update_telnet | 82 | ||||
-rw-r--r-- | sysconf/securetty | 83 | ||||
-rw-r--r-- | templates/service/telnet/allow-root/node.def | 35 | ||||
-rw-r--r-- | templates/service/telnet/node.def | 34 |
6 files changed, 176 insertions, 62 deletions
diff --git a/Makefile.am b/Makefile.am index a6423362..3d4de537 100644 --- a/Makefile.am +++ b/Makefile.am @@ -27,6 +27,7 @@ sbin_SCRIPTS += scripts/system/vyatta_update_login.pl sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl +sbin_SCRIPTS += scripts/system/vyatta_update_telnet sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl sbin_SCRIPTS += scripts/snmp/snmpd.init sbin_SCRIPTS += scripts/keepalived/vyatta-keepalived.pl @@ -57,6 +58,7 @@ sysconf_DATA += sysconf/motd.tail sysconf_DATA += sysconf/syslog.conf sysconf_DATA += sysconf/ntp.conf sysconf_DATA += sysconf/default_ssh +sysconf_DATA += sysconf/securetty sysconf_DATA += sysconf/vyatta-sysctl.conf sysconf_DATA += sysconf/blacklist.DSA-1024 sysconf_DATA += sysconf/blacklist.RSA-2048 diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index a756ba34..38d276ec 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -110,6 +110,8 @@ EOF # replace debian /etc/ntp.conf with Vyatta version cp $sysconfdir/ntp.conf /etc/ntp.conf + # purge off ancient devfs stuff from /etc/securetty + cp $sysconfdir/securetty /etc/securetty fi # update crontab for logrotate diff --git a/scripts/system/vyatta_update_telnet b/scripts/system/vyatta_update_telnet new file mode 100755 index 00000000..0725a85f --- /dev/null +++ b/scripts/system/vyatta_update_telnet @@ -0,0 +1,82 @@ +#! /bin/bash +# Script to control telnet daemon parameters +# and block changes when logged in over telnet + +# Block changes to telnet daemon when logged in over telnet +pid=$(who -um | awk -F " " '{print $7}') +if ps --pid $(ps --pid $pid -o ppid=) -o cmd= | grep -q telnetd +then + echo "Please configure telnet settings via ssh or console." + exit 1 +fi + +usage() { + echo "Usage: $0 enable <port>" + echo " $0 disable" + echo " $0 allow-root {true|false}" + exit 1; +} + +allow-root() { + case "$1" in + true) ;; + false) ;; + *) echo "Expect true or false" + usage ;; + esac + + sudo sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty + + if [ $1 = "false" ]; then + return + fi + + sudo sh -c "cat >>/etc/securetty" <<EOF +# Pseudo-terminal (telnet) +pts/0 +pts/1 +pts/2 +pts/3 +pts/4 +pts/5 +pts/6 +pts/7 +pts/8 +pts/9 +pts/10 +pts/11 +pts/12 +pts/13 +pts/14 +pts/15 +pts/16 +pts/17 +pts/18 +pts/19 +EOF + +} + +case "$1" in + allow-root) + allow-root $2 + ;; + + enable) + if [ -z "$2" ] + then echo "Missing port number"; + usage + fi + exec sudo /opt/vyatta/sbin/telnetd.init restart "$2" + ;; + + disable) + exec sudo /opt/vyatta/sbin/telnetd.init stop + ;; + + *) + echo "Unknown argument $1"; + usage + ;; +esac + diff --git a/sysconf/securetty b/sysconf/securetty new file mode 100644 index 00000000..17d8610a --- /dev/null +++ b/sysconf/securetty @@ -0,0 +1,83 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). +console + +# Standard serial ports +ttyS0 +ttyS1 + +# USB dongles +ttyUSB0 +ttyUSB1 +ttyUSB2 + +# Standard hypervisor virtual console +hvc0 + +# Oldstyle Xen console +xvc0 + +# Standard consoles +tty1 +tty2 +tty3 +tty4 +tty5 +tty6 +tty7 +tty8 +tty9 +tty10 +tty11 +tty12 +tty13 +tty14 +tty15 +tty16 +tty17 +tty18 +tty19 +tty20 +tty21 +tty22 +tty23 +tty24 +tty25 +tty26 +tty27 +tty28 +tty29 +tty30 +tty31 +tty32 +tty33 +tty34 +tty35 +tty36 +tty37 +tty38 +tty39 +tty40 +tty41 +tty42 +tty43 +tty44 +tty45 +tty46 +tty47 +tty48 +tty49 +tty50 +tty51 +tty52 +tty53 +tty54 +tty55 +tty56 +tty57 +tty58 +tty59 +tty60 +tty61 +tty62 +tty63 diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def index b853fc42..1065df48 100644 --- a/templates/service/telnet/allow-root/node.def +++ b/templates/service/telnet/allow-root/node.def @@ -1,40 +1,7 @@ type: bool default: false help: Enable/disable root login - -update: pids=`who -u | awk -F " " '{print $7}'` - for i in $pids - do - ppid=`ps -p $i -o ppid=` - if ps -p $ppid -o cmd= | grep -q telnetd - then - echo "Please configure telnet settings via ssh or console." - exit 1 - fi - done - if [ "$VAR(@)" == "true" ] - then - sudo mv -f /etc/securetty /etc/securetty.allow-root >&/dev/null - else - sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null - fi - /bin/true - -delete: pids=`who -u | awk -F " " '{print $7}'` - for i in $pids - do - ppid=`ps -p $i -o ppid=` - if ps -p $ppid -o cmd= | grep -q telnetd - then - echo "Please configure telnet settings via ssh or console." - exit 1 - fi - done - sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null - /bin/true - +update: /opt/vyatta/sbin/vyatta_update_telnet allow-root $VAR(@) comp_help: possible completions: true Enable root login over telnet false Disable root login over telnet - -allowed: echo "true false" diff --git a/templates/service/telnet/node.def b/templates/service/telnet/node.def index 399f25ac..eefb3b4a 100644 --- a/templates/service/telnet/node.def +++ b/templates/service/telnet/node.def @@ -1,29 +1,7 @@ help: Enable/disable Network Virtual Terminal Protocol (TELNET) protocol - -delete: pids=`who -u | awk -F " " '{print $7}'` - for i in $pids - do - ppid=`ps -p $i -o ppid=` - if ps -p $ppid -o cmd= | grep -q telnetd - then - echo "Please configure telnet settings via ssh or console." - exit 1 - fi - done - sudo /opt/vyatta/sbin/telnetd.init stop - -end: pids=`who -u | awk -F " " '{print $7}'` - for i in $pids - do - ppid=`ps -p $i -o ppid=` - if ps -p $ppid -o cmd= | grep -q telnetd - then - echo "Please configure telnet settings via ssh or console." - exit 1 - fi - done - if [ -z "$VAR(port/@)" ] - then - exit 0 - fi - sudo /opt/vyatta/sbin/telnetd.init restart $VAR(port/@) +create: touch /tmp/vyatta-telnet.$PPID +delete: /opt/vyatta/sbin/vyatta_update_telnet disable +end: if [ -f /tmp/vyatta-telnet.$PPID ]; then + rm -f /tmp/vyatta-telnet.$PPID + /opt/vyatta/sbin/vyatta_update_telnet enable $VAR(port/@) + fi |