authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-06-16 15:31:49 -0700
committerAn-Cheng Huang <ancheng@vyatta.com>2009-07-17 14:56:04 -0700
commit5ec82316b089d0be4f544937fbd3ed5d3333c829 (patch)
tree9e29e450cbb1cdb392e358f88373c6e227f6f15d
parent3f05a5d8e5fed097dc3ddd3139ae72b4208cdccc (diff)
Make telnet management smarter
Bug 4591 Consolidate check for telnet login Don't remove /etc/securetty edit it (cherry picked from commit c6c477f2ffb0f2fd4cf12882f22c2c44ab57cc46)
-rw-r--r--Makefile.am2
-rw-r--r--debian/vyatta-cfg-system.postinst.in2
-rwxr-xr-xscripts/system/vyatta_update_telnet82
-rw-r--r--sysconf/securetty83
-rw-r--r--templates/service/telnet/allow-root/node.def35
-rw-r--r--templates/service/telnet/node.def34
6 files changed, 176 insertions, 62 deletions
diff --git a/Makefile.am b/Makefile.am
index a6423362..3d4de537 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -27,6 +27,7 @@ sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
+sbin_SCRIPTS += scripts/system/vyatta_update_telnet
sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
sbin_SCRIPTS += scripts/snmp/snmpd.init
sbin_SCRIPTS += scripts/keepalived/vyatta-keepalived.pl
@@ -57,6 +58,7 @@ sysconf_DATA += sysconf/motd.tail
sysconf_DATA += sysconf/syslog.conf
sysconf_DATA += sysconf/ntp.conf
sysconf_DATA += sysconf/default_ssh
+sysconf_DATA += sysconf/securetty
sysconf_DATA += sysconf/vyatta-sysctl.conf
sysconf_DATA += sysconf/blacklist.DSA-1024
sysconf_DATA += sysconf/blacklist.RSA-2048
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index a756ba34..38d276ec 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -110,6 +110,8 @@ EOF
# replace debian /etc/ntp.conf with Vyatta version
cp $sysconfdir/ntp.conf /etc/ntp.conf
+ # purge off ancient devfs stuff from /etc/securetty
+ cp $sysconfdir/securetty /etc/securetty
fi
# update crontab for logrotate
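Review bot: The added `cp $sysconfdir/securetty /etc/securetty` resets the file to the shipped copy, which also drops the `pts/N` block that `vyatta_update_telnet allow-root true` appends, so a configured `service telnet allow-root true` stops taking effect after a package upgrade unless the configuration is re-applied afterwards (whether that happens is not visible here). If the reset is intended, the comment should say so rather than only mentioning devfs, e.g. `# replace /etc/securetty with the Vyatta version (also discards any pts/ lines added by allow-root)`; otherwise the copy should be skipped when the `# Pseudo-terminal (telnet)` marker is present. `$sysconfdir` is a path and should be quoted, as `"$sysconfdir/securetty"`. The enclosing `if` starts outside the hunk.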
diff --git a/scripts/system/vyatta_update_telnet b/scripts/system/vyatta_update_telnet
new file mode 100755
index 00000000..0725a85f
--- /dev/null
+++ b/scripts/system/vyatta_update_telnet
@@ -0,0 +1,82 @@
+#! /bin/bash
+# Script to control telnet daemon parameters
+# and block changes when logged in over telnet
+
+# Block changes to telnet daemon when logged in over telnet
+pid=$(who -um | awk -F " " '{print $7}')
+if ps --pid $(ps --pid $pid -o ppid=) -o cmd= | grep -q telnetd
+then
+ echo "Please configure telnet settings via ssh or console."
+ exit 1
+fi
+
+usage() {
+ echo "Usage: $0 enable <port>"
+ echo " $0 disable"
+ echo " $0 allow-root {true|false}"
+ exit 1;
+}
+
+allow-root() {
+ case "$1" in
+ true) ;;
+ false) ;;
+ *) echo "Expect true or false"
+ usage ;;
+ esac
+
+ sudo sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty
+
+ if [ $1 = "false" ]; then
+ return
+ fi
+
+ sudo sh -c "cat >>/etc/securetty" <<EOF
+# Pseudo-terminal (telnet)
+pts/0
+pts/1
+pts/2
+pts/3
+pts/4
+pts/5
+pts/6
+pts/7
+pts/8
+pts/9
+pts/10
+pts/11
+pts/12
+pts/13
+pts/14
+pts/15
+pts/16
+pts/17
+pts/18
+pts/19
+EOF
+
+}
+
+case "$1" in
+ allow-root)
+ allow-root $2
+ ;;
+
+ enable)
+ if [ -z "$2" ]
+ then echo "Missing port number";
+ usage
+ fi
+ exec sudo /opt/vyatta/sbin/telnetd.init restart "$2"
+ ;;
+
+ disable)
+ exec sudo /opt/vyatta/sbin/telnetd.init stop
+ ;;
+
+ *)
+ echo "Unknown argument $1";
+ usage
+ ;;
+esac
+
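Review bot: The `pts/0`–`pts/19` block appended by `allow-root` is a hard cap: a 21st concurrent pseudo-terminal is `pts/20`, which is not listed, so root login is refused there, and neither the script nor the help text says so. Per the shipped file's own header the list is consulted by login(1) for any terminal, so the marker text `# Pseudo-terminal (telnet)` also reads narrower than the grant is; a comment above the heredoc such as `# securetty has no wildcards: root is allowed on pts/0-19 only, and on any login that honours securetty, not just telnetd` would make both points explicit. Separately, when the script runs without a controlling terminal (for instance a boot-time configuration load) `who -um` prints nothing, `pid` is empty and both `ps --pid` calls fail on a missing argument; the guard then passes, which appears to be the intended outcome, but it should be explicit and not spray errors: `if [ -n "$pid" ] && ps --pid "$(ps --pid "$pid" -o ppid=)" -o cmd= | grep -q telnetd`. The `sed` on `/etc/securetty` deletes from the marker to end of file, so any entries an administrator appended after it are lost on every change.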
diff --git a/sysconf/securetty b/sysconf/securetty
new file mode 100644
index 00000000..17d8610a
--- /dev/null
+++ b/sysconf/securetty
@@ -0,0 +1,83 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).
+console
+
+# Standard serial ports
+ttyS0
+ttyS1
+
+# USB dongles
+ttyUSB0
+ttyUSB1
+ttyUSB2
+
+# Standard hypervisor virtual console
+hvc0
+
+# Oldstyle Xen console
+xvc0
+
+# Standard consoles
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+tty7
+tty8
+tty9
+tty10
+tty11
+tty12
+tty13
+tty14
+tty15
+tty16
+tty17
+tty18
+tty19
+tty20
+tty21
+tty22
+tty23
+tty24
+tty25
+tty26
+tty27
+tty28
+tty29
+tty30
+tty31
+tty32
+tty33
+tty34
+tty35
+tty36
+tty37
+tty38
+tty39
+tty40
+tty41
+tty42
+tty43
+tty44
+tty45
+tty46
+tty47
+tty48
+tty49
+tty50
+tty51
+tty52
+tty53
+tty54
+tty55
+tty56
+tty57
+tty58
+tty59
+tty60
+tty61
+tty62
+tty63
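Review bot: Nothing in the header warns that `vyatta_update_telnet allow-root` appends a `# Pseudo-terminal (telnet)` marker to this file and deletes from that marker to end-of-file on every change, so local entries added at the bottom after the marker are silently removed. A header line such as `# Lines from "# Pseudo-terminal (telnet)" onward are managed by vyatta_update_telnet; add local entries above that marker.` would tell the next maintainer where edits are safe.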
diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def
index b853fc42..1065df48 100644
--- a/templates/service/telnet/allow-root/node.def
+++ b/templates/service/telnet/allow-root/node.def
@@ -1,40 +1,7 @@
type: bool
default: false
help: Enable/disable root login
-
-update: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- if [ "$VAR(@)" == "true" ]
- then
- sudo mv -f /etc/securetty /etc/securetty.allow-root >&/dev/null
- else
- sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null
- fi
- /bin/true
-
-delete: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null
- /bin/true
-
+update: /opt/vyatta/sbin/vyatta_update_telnet allow-root $VAR(@)
comp_help: possible completions:
true Enable root login over telnet
false Disable root login over telnet
-
-allowed: echo "true false"
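Review bot: The old `delete:` action that restored /etc/securetty is gone and only `update:` remains, so clearing the pts entries on `delete service telnet allow-root` now depends on the config backend re-running `update:` with the `default: false` value when the node is removed; if it does not, root stays allowed on pts/0-19 after the setting is deleted, and likewise after `delete service telnet`, whose script only stops telnetd. If the backend does re-run `update:` with the default, a comment saying so would save the next reader the same check, e.g. `# no delete: action needed - the backend re-runs update with the default (false) when this node is removed`; otherwise restore `delete: /opt/vyatta/sbin/vyatta_update_telnet allow-root false`.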
diff --git a/templates/service/telnet/node.def b/templates/service/telnet/node.def
index 399f25ac..eefb3b4a 100644
--- a/templates/service/telnet/node.def
+++ b/templates/service/telnet/node.def
@@ -1,29 +1,7 @@
help: Enable/disable Network Virtual Terminal Protocol (TELNET) protocol
-
-delete: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- sudo /opt/vyatta/sbin/telnetd.init stop
-
-end: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- if [ -z "$VAR(port/@)" ]
- then
- exit 0
- fi
- sudo /opt/vyatta/sbin/telnetd.init restart $VAR(port/@)
+create: touch /tmp/vyatta-telnet.$PPID
+delete: /opt/vyatta/sbin/vyatta_update_telnet disable
+end: if [ -f /tmp/vyatta-telnet.$PPID ]; then
+ rm -f /tmp/vyatta-telnet.$PPID
+ /opt/vyatta/sbin/vyatta_update_telnet enable $VAR(port/@)
+ fi
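Review bot: `/tmp/vyatta-telnet.$PPID` is a predictable name in a world-writable directory and is only removed on the `end:` path, so a commit that aborts between `create:` and `end:` leaves it behind, and a later commit whose parent happens to reuse that PID sees `-f` true and restarts telnetd for no reason. A local user can also pre-create the path, which makes `touch` fail and thereby the `create:` action, or, with a world-writable file, makes the later `rm -f` a silent no-op in a sticky /tmp. The marker belongs in a directory writable only by the configuration user; failing that, `end:` should at least require ownership before trusting it, `if [ -O /tmp/vyatta-telnet.$PPID ]; then`, and the path should be defined once rather than spelled out in both actions.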