-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | debian/changelog | 18 | ||||
-rw-r--r-- | debian/control | 3 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 34 | ||||
-rw-r--r-- | scripts/install-system | 76 | ||||
-rw-r--r-- | scripts/snmp/vyatta-snmp.pl | 30 | ||||
-rw-r--r-- | scripts/vyatta-raid-event | 104 | ||||
-rw-r--r-- | sysconf/blacklist.DSA-1024 | 21 | ||||
-rw-r--r-- | sysconf/blacklist.RSA-2048 | 21 | ||||
-rw-r--r-- | templates/service/ssh/allow-root/node.def | 24 | ||||
-rw-r--r-- | templates/service/telnet/allow-root/node.def | 10 |
11 files changed, 296 insertions, 47 deletions
diff --git a/Makefile.am b/Makefile.am index 9e66286c..a018961f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -48,6 +48,8 @@ sysconf_DATA += sysconf/motd.tail sysconf_DATA += sysconf/syslog.conf sysconf_DATA += sysconf/default_ssh sysconf_DATA += sysconf/vyatta-sysctl.conf +sysconf_DATA += sysconf/blacklist.DSA-1024 +sysconf_DATA += sysconf/blacklist.RSA-2048 libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/changelog b/debian/changelog index 803fdb87..28c93bf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +vyatta-cfg-system (0.14) unstable; urgency=low + + 3.1.4 + [ Mark O'Brien ] + + + [ Robert Bays ] + * fix ssh keygen on startup + + [ An-Cheng Huang ] + * remove unused files + * use epoch in package version number + * add ssh key blacklists + + [ Mark O'Brien ] + + -- Mark O'Brien <mobrien@firebolt.vyatta.com> Tue, 14 Oct 2008 17:30:18 -0700 + vyatta-cfg-system (0.13) unstable; urgency=low 3.1.3 diff --git a/debian/control b/debian/control index 89b55bbe..b8128287 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh, + ssh (>= 1:5.1p1-3), + openssh-server (>= 1:5.1p1-3), ed, tshark, ifenslave-2.6, diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 6e5fa735..e9541dbe 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate 
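Review bot: In the new `# set up blacklists` loop of the postinst, the merged list is built in a `mktemp` file and then moved over `/etc/ssh/$f`, so the result keeps mktemp's 0600 mode instead of the readable mode the original file had, and `sort` without `-u` keeps duplicate entries whenever the two lists overlap; the "already merged" test `grep -q "$l"` is also an unanchored regex match on whatever `head -1` returned. I would rewrite the file in place and match the marker exactly: `sort -u /etc/ssh/$f $sysconfdir/$f >$tmp && cat $tmp >/etc/ssh/$f && rm -f $tmp`, with `grep -qxF -- "$l" /etc/ssh/$f` for the check. I cannot see from here which tools read these lists; if a non-root tool does (Debian's ssh-vulnkey reads /etc/ssh/blacklist* as far as I know), the 0600 mode would hide the merged entries from it. `$sysconfdir`, `$f` and `$tmp` are unquoted throughout, which is harmless for these fixed names but worth fixing in a root-run maintainer script.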
@@ -87,12 +101,32 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null + # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist +# +# Ask mdadm to call our own event handling daemon +# +if [ -e /etc/default/mdadm ]; then + sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm +fi + +# --following is added to resolve issues related to bug 3567 on upgrade from hollywood to islavista-- +# back-up existing /etc/syslog.conf file in hollywood which might be broken +# and replace it with the default syslog.conf in islavista. when system restarts +# after upgrade, whatever is configured in CLI will be written to syslog.conf +# + +cp -p /etc/syslog.conf /etc/syslog.conf.bak +cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/scripts/install-system b/scripts/install-system index 9980e210..ff7a5d41 100644 --- a/scripts/install-system +++ b/scripts/install-system @@ -305,9 +305,11 @@ check_for_new_raid () { numdrives=`echo $drives | wc -w` + # Need at least two drives for RAID-1. We don't yet have the code + # to handle selection of two from a set of 3 or more, so for now, we + # only support two drives. + # if [ $numdrives -ne 2 ]; then - # debug - echo "check_for_new_raid: don't have 2 drives" return fi 
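Review bot: `rm -f /etc/ssh/*.broken` right after `/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server` silently discards the host keys that openssh-server's maintainer script sets aside as `*.broken` when it finds a blacklisted key (as I read the Debian openssh behaviour of that release), and nothing explains why `update-rc.d -f ssh remove` then disables the stock init script; a comment such as `# blacklisted host keys were regenerated above; drop the renamed originals` and `# sshd is started by the Vyatta config system, not the stock init script` belongs here. The `cp -p /etc/syslog.conf /etc/syslog.conf.bak` / `cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf` pair runs on every configure, so each later upgrade overwrites the previous backup and clobbers the live file, although the comment describes a one-time hollywood-to-islavista migration; guard it with `[ -e /etc/syslog.conf.bak ] || { cp -p /etc/syslog.conf /etc/syslog.conf.bak; cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf; }` or a version test on the old version in `$2`. None of the added commands is checked for failure.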
@@ -317,13 +319,14 @@ check_for_new_raid () { drivesize1=$(get_drive_size $drive1) drivesize2=$(get_drive_size $drive2) - if [ $drivesize1 -ne $drivesize2 ]; then - # debug - echo "check_for_new_raid: have 2 drives, but different sizes" + # Both drives must have enough space to hold our minimum root filesystem + # + if [ $drivesize1 -lt $ROOT_MIN -o $drivesize2 -lt $ROOT_MIN ]; then return fi - echo "You have two identical disk drives:" + + echo "You have two disk drives:" echo -e "\t$drive1 \t$drivesize1 MB" echo -e "\t$drive2 \t$drivesize2 MB" @@ -334,6 +337,13 @@ check_for_new_raid () { return fi + if [ $drivesize1 -ne $drivesize2 ]; then + echo "Since the disks are not the same size, we will use the smaller" + echo "of the two sizes in configuring the RAID-1 set. This will" + echo "waste some space on the larger drive." + echo "" + fi + # Configure RAID-1 echo "This process will erase all data on both drives." echo -n "Are you sure you want to do this? (Yes/No) [No]: " 
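Review bot: The new minimum-size check uses `$ROOT_MIN` (`if [ $drivesize1 -lt $ROOT_MIN -o $drivesize2 -lt $ROOT_MIN ]; then`) while the later hunk in the same function (`let min_size_with_diag=${MIN_ROOT}+${part_diag_size}`) uses `$MIN_ROOT`; I cannot see which name the script defines, but at least one is presumably unset, which here makes `test` fail with "integer expression expected" so `check_for_new_raid` returns without offering RAID, or there makes the diagnostics threshold just `$part_diag_size`. Use one name in both places. `check_for_new_raid` begins before this hunk.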
@@ -358,27 +368,36 @@ check_for_new_raid () { part_start_offset=2 part_diag_size=60 - echo "Would you like me to create a $part_diag_size MB partition for diagnostics?" - echo -n "(Yes/No) [No]: " - diag_response=$(get_response "No" "Yes No Y N") - if [ "$diag_response" == "yes" ] || [ "$diag_response" == "y" ]; then - for drive in $drives - do - echo "Creating diag partition on drive $drive" - create_partitions "$drive" $part_diag_size $part_start_offset "no" - sfdisk --change-id /dev/$drive 1 0x6 - done - data_dev=2 - let part_start_offset+=$part_diag_size + if [ $drivesize1 -gt $drivesize2 ]; then + size=$drivesize1 else - data_dev=1 + size=$drivesize2 + fi + + let min_size_with_diag=${MIN_ROOT}+${part_diag_size} + if [ $size -ge $min_size_with_diag ]; then + echo "Would you like me to create a $part_diag_size MB partition for diagnostics?" + echo -n "(Yes/No) [No]: " + diag_response=$(get_response "No" "Yes No Y N") + if [ "$diag_response" == "yes" ] || [ "$diag_response" == "y" ]; then + for drive in $drives + do + echo "Creating diag partition on drive $drive" + create_partitions "$drive" $part_diag_size $part_start_offset "no" + sfdisk --change-id /dev/$drive 1 0x6 + done + data_dev=2 + let part_start_offset+=$part_diag_size + else + data_dev=1 + fi fi + let size-=$part_start_offset + for drive in $drives do echo "Creating data partition: /dev/${drive}${data_dev}" - size=$(get_drive_size $drive) - let size-=$part_start_offset create_partitions "$drive" $size $part_start_offset "no" sfdisk --change-id /dev/$drive $data_dev 0xfd done 
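Review bot: The added `if [ $drivesize1 -gt $drivesize2 ]; then size=$drivesize1 ... else size=$drivesize2` selects the larger of the two drives, yet `size` (minus the offset) is then passed to `create_partitions` for both drives, and the message added in the previous hunk promises to use the smaller size; on the smaller disk the data partition would be asked to extend past the end of the device. The comparison should be `if [ $drivesize1 -lt $drivesize2 ]; then` so that `size` holds the minimum. A comment on that line, e.g. `# use the smaller drive so the partition fits on both members`, would stop the next reader from "fixing" it back. The function continues outside the hunk.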
@@ -1301,6 +1320,21 @@ if [ -z $UNION ]; then sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login fi +# +# Only start the mdadm daemon if we have the root filesystem running +# on a RAID set. Since this script is the only way that the root filesystem +# ever gets set up, we can do this configuration here. +# +MDADM_CONFIG_FILE=$rootfsdir/etc/default/mdadm +if [ -e $MDADM_CONFIG_FILE ]; then + if [ ${INSTALL_DRIVE:0:2} = "md" ]; then + sed -i 's/^START_DAEMON.*$/START_DAEMON=true/' $MDADM_CONFIG_FILE + else + sed -i 's/^START_DAEMON.*$/START_DAEMON=false/' $MDADM_CONFIG_FILE + fi +fi + + # postinst hook if [ -e /opt/vyatta/etc/install-system/postinst ]; then echo "running post-install script" diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index b43485b3..6de63fb0 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -49,11 +49,11 @@ sub snmp_init { } sub snmp_restart { - system("$snmp_init restart"); + system("$snmp_init restart > /dev/null 2>&1 &"); } sub snmp_stop { - system("$snmp_init stop"); + system("$snmp_init stop > /dev/null 2>&1"); } sub snmp_get_constants { 
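Review bot: In `if [ ${INSTALL_DRIVE:0:2} = "md" ]; then` the expansion is unquoted, so an empty `INSTALL_DRIVE` turns the test into `[ = "md" ]`, which is a syntax error rather than a fall-through to the `START_DAEMON=false` branch; write `if [ "${INSTALL_DRIVE:0:2}" = "md" ]; then` and quote `"$MDADM_CONFIG_FILE"` in the `-e` test and both `sed -i` calls. `INSTALL_DRIVE` is assigned outside this hunk, so I cannot tell whether it can be empty at this point, but the quoting costs nothing.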
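Review bot: `system("$snmp_init restart > /dev/null 2>&1 &")` backgrounds the restart, so `system` returns as soon as the shell has forked and a failed restart (for example because the freshly written snmpd.conf is rejected) is never visible to the caller or the operator; the matching `stop` keeps its exit status but now discards the diagnostics too. If the restart must not block, at least record the outcome, e.g. `system("$snmp_init restart > /dev/null 2>&1 || logger -t snmpd 'restart failed' &");`, or add a comment stating why a fire-and-forget restart is acceptable here.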
@@ -127,10 +127,18 @@ sub snmp_get_values { my @trap_targets = $config->returnValues("trap-target"); if ($#trap_targets >= 0) { - # code for creating a snmpv3 user, setting access-level for it and use user to do internal snmpv3 requests - snmp_create_snmpv3_user(); - snmp_write_snmpv3_user(); - $output .= "iquerySecName vyatta\n"; + + # linkUpDownNotifications configure the Event MIB tables to monitor the ifTable for network interfaces being taken up or down + # for making internal queries to retrieve any necessary information a snmpv3 user needs to be created + # we write appropriate values to /var/lib/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf to do so + # any external snmpv3 queries (from localhost or any other ip) using this username will not be responded to + + my $generate_vyatta_user_append_string = join "", map { unpack "H*", chr(rand(256)) } 1..8; #generate a random 16 character hex string + #create an internal snmpv3 user of the form 'vyattaxxxxxxxxxxxxxxxx' + my $vyatta_user = "vyatta" . "$generate_vyatta_user_append_string"; + snmp_create_snmpv3_user($vyatta_user); + snmp_write_snmpv3_user($vyatta_user); + $output .= "iquerySecName $vyatta_user\n"; # code to activate link up down traps $output .= "linkUpDownNotifications yes\n"; } @@ -143,7 +151,9 @@ sub snmp_get_values { sub snmp_create_snmpv3_user { - my $createuser = "createUser vyatta MD5 \"vyatta\" DES"; + my $vyatta_user = shift; + my $passphrase = join "", map { unpack "H*", chr(rand(256)) } 1..16; #generate a random 32 character hex string + my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; open(my $fh, '>>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; print $fh $createuser; close $fh; 
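Review bot: The new passphrase in `snmp_create_snmpv3_user` (`my $passphrase = join "", map { unpack "H*", chr(rand(256)) } 1..16;`) is the credential of an SNMPv3 user that gets `rouser` access, but Perl's `rand` is a non-cryptographic generator seeded from time and pid; take the bytes from the kernel instead, e.g. `open my $rnd, '<', '/dev/urandom' or die "$!"; read $rnd, my $buf, 16; my $passphrase = unpack 'H*', $buf;`, and do the same for the username suffix generated in the `snmp_get_values` hunk. Because the `createUser` line is appended (the context line opens `$snmp_snmpv3_createuser_conf` with `'>>'`) and a fresh random user is generated on every call, each reconfiguration leaves the earlier users' definitions in that file while `snmp_write_snmpv3_user` only removes their `rouser` lines, so the old accounts presumably stay usable; truncate or filter that file as well. MD5/DES are what the page uses; if the installed net-snmp supports `SHA`/`AES` those are the better choice for a generated internal user. A short comment above the sub stating that this user exists only for the local `iquerySecName` queries would make the intent clear.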
@@ -151,8 +161,10 @@ sub snmp_create_snmpv3_user { sub snmp_write_snmpv3_user { - my $user = "rwuser vyatta"; - open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; + my $vyatta_user = shift; + my $user = "rouser $vyatta_user\n"; + system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf;"); + open(my $fh, '>>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; print $fh $user; close $fh; } diff --git a/scripts/vyatta-raid-event b/scripts/vyatta-raid-event new file mode 100644 index 00000000..f279a57d --- /dev/null +++ b/scripts/vyatta-raid-event 
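Review bot: `system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf;")` deletes every line containing `user` followed by a name that merely starts with `vyatta`, so an operator-configured `rwuser vyattaadmin` in the same file would be removed as well, and it shells out for something Perl can do in place. Match the exact generated form, e.g. `^r[ow]user[[:space:]]+vyatta[0-9a-f]{16}$`, or read the file, drop matching lines with `grep` in Perl and rewrite it through the existing `open`. `$snmp_snmpv3_user_conf` is interpolated into a shell command line unquoted; it appears to be a constant defined outside the hunk, so not an injection concern here, but quoting it removes the dependence on that.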
@@ -0,0 +1,104 @@
+#!/bin/bash
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Bob Gilligan <gilligan@vyatta.com>
+# Date: 2008
+# Description: A script to handle events from the Linux Software RAID
+# subsystem.
+#
+# **** End License ****
+#
+# This script is called by the "mdadm" daemon running in "monitor" mode
+# whenever an event occurs in in the RAID subsytem. The script is called
+# with two or three arguments: The first argument is always the name of
+# the event, e.g. "RebuildFinished". The second argument is the name of
+# the RAID set device that the event pertains to, e.g. "/dev/md0". The
+# third argument is provided for some events, and gives the name of the
+# RAID set member that the event pertains to, e.g. "/dev/sda2".
+#
+# See the mdadm(8) man page for more details on the events that it provides.
+#
+
+# Script will be called with 2 or 3 arguments, depending on the event
+if [ $# -lt 2 ]; then
+ logger -t "RAID" -p local0.warning "vyatta-raid-event: Error: Not enough args: $*"
+ # We can't do anything if we don't know event and RAID device it
+ # pertains to.
+ exit 1
+fi
+if [ $# -gt 3 ]; then
+ logger -t "RAID" -p local0.warning "vyatta-raid-event: Warning: too many args: $*"
+ # Be Robust: Try to complete task with args we know about
+fi
+
+event=$1
+raid_set=$2
+
+case $event in
+
+ RebuildFinished)
+ logger -t "RAID" -p local0.warning "event ${event} ${raid_set}"
+
+ # We need to update grub at the time that a resync completes
+ # on the root filesystem so that the new member disk will be
+ # bootable.
+ mounted_on=`mount | grep "^${raid_set}" | awk '{ print $3 }'`
+ if [ "$mounted_on" = "/" ]; then
+ raid_set_dev=${raid_set##*/}
+ if [ -e /sys/block/${raid_set_dev}/md/degraded ]; then
+ degraded=`cat /sys/block/${raid_set_dev}/md/degraded`
+ else
+ degraded=0
+ fi
+ if [ $degraded -eq 0 ]; then
+ drive=${member_to_add%%[0-9]*}
+ logger -t "RAID" -p local0.warning \
+ "RAID set ${raid_set} holds root filesystem. Updating grub."
+ touch /tmp/raid-grub-install-log
+ grub-install --no-floppy --recheck --root-directory=/ ${raid_set} \
+ >> /tmp/raid-grub-install-log 2>&1
+ if [ $? -ne 0 ]; then
+ logger -t "RAID" -p local0.warning \
+ "grub-installed failed for $raid_set"
+ fi
+ else
+ logger -t "RAID" -p local0.warning \
+ "RAID set ${raid_set} is still degraded. No action taken."
+ fi
+ else
+ logger -t "RAID" -p local0.warning \
+ "RAID set ${raid_set} does not hold root filesystem. No action taken"
+ fi
+ ;;
+
+ DeviceDisappeared | RebuildStarted | Rebuild?? | NewArray | \
+ DegradedArray | MoveSpare | SparesMissing | TestMessage)
+ logger -t "RAID" -p local0.warning \
+ "event ${event} ${raid_set}: No action taken"
+ ;;
+
+ Fail | FailSpare | SpareActive)
+ member=$3
+ logger -t "RAID" -p local0.warning \
+ "event ${event} ${raid_set} ${member}: No action taken"
+ ;;
+
+ *)
+ logger -t "RAID" -p local0.warning \
+ "event ${event} unknown. No action taken"
+ ;;
+
+ esac
diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024
new file mode 100644
index 00000000..74ecaf53
--- /dev/null
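Review bot: `drive=${member_to_add%%[0-9]*}` in the `RebuildFinished` branch reads `member_to_add`, which nothing in this script assigns (only `event`, `raid_set` and `member` are set), and `drive` is never used afterwards, so the line is dead and would abort under `set -u`; drop it. The grub step runs as root from the mdadm monitor and appends to the fixed path `/tmp/raid-grub-install-log` after a bare `touch`, so whatever already exists at that name, including a symlink left there by any local user, is followed; write to a root-owned location under /var/log (constructed example: `/var/log/vyatta-raid-grub-install.log`) or pipe the output to `logger` instead. The failure message `"grub-installed failed for $raid_set"` looks like a typo for `grub-install failed`. A one-line comment near the top saying that this script executes as root under the mdadm daemon would help the next reader judge such paths.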
+++ b/sysconf/blacklist.DSA-1024
@@ -0,0 +1,21 @@
+01e53715431bcae79677
+036a4048556eb8092113
+0db19fcc95efc89d2173
+22da67b6aafc3df124f3
+2307b2e9769c6b66857c
+3c13948cb606c6041284
+4218a1912ef9941a0881
+4582eff4cf42af0b19f0
+54f103cd4fbc7b08c8e2
+6d56bcebc8bb9d30ecd9
+83848247dbabf6135644
+8e730ef49b321946e7aa
+96a4f81de014a53e1890
+9adab16d72364f6032f7
+9b25df69798b447fd5ee
+9d5e4438920babd3030e
+a1eeb08f514492069e51
+d63657291b4d940a9a47
+db3101e70b8ef04ad4fe
+dd71e503f1a8319e3caf
+f407f33616b53f79c1b8
diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048
new file mode 100644
index 00000000..0cb0d489
--- /dev/null
+++ b/sysconf/blacklist.RSA-2048
@@ -0,0 +1,21 @@
+0a47235c3142262b3b90
+1899b9c1f6346576a66e
+20059ae36e5ac97fc3b2
+2487f28e692f45affa43
+4394e40d532aef252906
+440ea42b848111613a48
+46a6daa5036020063340
+52287579c05c0e45c57e
+52cec5c2a10c09661389
+6b3446654ce7e07da10d
+768e7f724aeb0cf86814
+84d1e68fda77b8fe88bf
+b0e10f3cfca7ac4aba50
+b8570f784995af2fa6b8
+bcdc020d5e8e6a61345a
+c3e94aed4f1d75569eab
+c5d8c5731f3fa668ffae
+d9deed191624c2472978
+e66c42ba8e40c8501106
+ea93328c2d72642a5d59
+f954c671c9c639f8a375
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index 9aa98826..25a5a97a 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
@@ -1,16 +1,14 @@ -type: txt +type: bool default: false help: Enable/disable root login over ssh -syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" -update: if [ \"$VAR(@)\" == \"true\" ]; then - sudo ed - /etc/ssh/sshd_config <<-"EOF" - /^PermitRootLogin/s/no/yes/ - wq - EOF - else - sudo ed - /etc/ssh/sshd_config <<-"EOF" - /^PermitRootLogin/s/yes/no/ - wq - EOF +update: if [ "$VAR(@)" == "true" ]; + then regex='/^PermitRootLogin/s/no/yes/' + else regex='/^PermitRootLogin/s/yes/no/' fi - /bin/true + sudo sed -i -e "$regex" /etc/ssh/sshd_config + +comp_help: possible completions: + true Enable root login over ssh + false Disable root login over ssh + +allowed: echo "true false" diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def index 347a9476..b853fc42 100644 --- a/templates/service/telnet/allow-root/node.def +++ b/templates/service/telnet/allow-root/node.def @@ -1,9 +1,7 @@ -type: txt +type: bool default: false help: Enable/disable root login -syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" - update: pids=`who -u | awk -F " " '{print $7}'` for i in $pids do @@ -34,3 +32,9 @@ delete: pids=`who -u | awk -F " " '{print $7}'` done sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null /bin/true + +comp_help: possible completions: + true Enable root login over telnet + false Disable root login over telnet + +allowed: echo "true false" |
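Review bot: The new `update:` regexes substitute the first `no`/`yes` substring on the `PermitRootLogin` line rather than its value, so `PermitRootLogin without-password` is left unchanged in both directions and a commented `#PermitRootLogin` (the upstream default, if the shipped sshd_config does not carry an uncommented line) matches neither pattern, leaving the setting silently unset. Replace the whole value instead: `then regex='s/^PermitRootLogin.*/PermitRootLogin yes/'` and `else regex='s/^PermitRootLogin.*/PermitRootLogin no/'`. Since this toggles root access over SSH, a comment should also say how sshd picks up the edit; nothing in this hunk signals sshd and I cannot see whether another node does. The telnet node.def hunks on the same line are type and completion changes only.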