30 files changed, 179 insertions, 205 deletions
diff --git a/Makefile.am b/Makefile.am
index 26991557..23a716b5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,7 +55,6 @@ sbin_SCRIPTS += scripts/system/vyatta_update_sysctl.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_console.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_ntp.pl
-sbin_SCRIPTS += scripts/system/vyatta_update_telnet
 sbin_SCRIPTS += scripts/system/irq-affinity.pl
 sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
 sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl
diff --git a/debian/changelog b/debian/changelog
index 2d7dc77f..4eaba380 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,43 @@ +vyatta-cfg-system (0.20.44+vyos2+current9) unstable; urgency=medium + + * T546: Add support for IPv6 address in 'service dns forwarding domain' + * T533: Rename "client" NTP option to "allow-clients" + * T522: Adjust rsyslog.conf to use the journald forwarding + + -- Christian Poessinger <christian@poessinger.com> Wed, 21 Feb 2018 11:28:46 +0100 + +vyatta-cfg-system (0.20.44+vyos2+current8) unstable; urgency=medium + + * T523: Only bind dnsmasq to configured interfaces + * T523: Use systemctl to stop/restart dnsmasq + * T523: Use new location for dnsmasq config files + + -- Christian Poessinger <christian@poessinger.com> Sun, 21 Jan 2018 17:16:04 +0100 + +vyatta-cfg-system (0.20.44+vyos2+current7) unstable; urgency=medium + + * T297: Fix DNS Forwarding server does not allow IPv6 address in name-server + + -- Christian Poessinger <christian@poessinger.com> Thu, 28 Dec 2017 00:39:04 +0100 + +vyatta-cfg-system (0.20.44+vyos2+current6) unstable; urgency=medium + + * T496: remove diagnostic partition for RAID1 installs + + -- Christian Poessinger <christian@poessinger.com> Wed, 27 Dec 2017 23:32:44 +0100 + +vyatta-cfg-system (0.20.44+vyos2+current5) unstable; urgency=medium + + * T488: GRUB can't boot from software RAID + + -- Christian Poessinger <christian@poessinger.com> Tue, 26 Dec 2017 14:40:54 +0100 + +vyatta-cfg-system (0.20.44+vyos2+current4) unstable; urgency=medium + + * T414: Remove telnetd service + + -- Christian Poessinger <christian@poessinger.com> Sat, 09 Dec 2017 15:29:45 +0100 + vyatta-cfg-system (0.20.44+vyos2+current3) unstable; urgency=medium [ Kim Hagen ] diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 60ed8eeb..9850f077 100755 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
@@ -8,7 +8,8 @@ sbindir=@sbindir@ # remove init of daemons that are controlled by Vyatta configuration process for init in ntp ssh snmpd openhpid logd \ - ipvsadm dnsmasq ddclient radvd hostapd conntrackd + ipvsadm dnsmasq ddclient radvd \ + hostapd conntrackd keepalived do update-rc.d -f ${init} remove >/dev/null systemctl disable ${init} >/dev/null diff --git a/scripts/dns-forwarding/vyatta-dns-forwarding.pl b/scripts/dns-forwarding/vyatta-dns-forwarding.pl index fa9fae68..00a64b3e 100755 --- a/scripts/dns-forwarding/vyatta-dns-forwarding.pl +++ b/scripts/dns-forwarding/vyatta-dns-forwarding.pl @@ -31,15 +31,14 @@ use Getopt::Long; use strict; use warnings; -my $dnsforwarding_init = '/etc/init.d/dnsmasq'; -my $dnsforwarding_conf = '/etc/dnsmasq.conf'; +my $dnsforwarding_conf = '/etc/dnsmasq.d/vyos.conf'; sub dnsforwarding_restart { - system("$dnsforwarding_init restart >&/dev/null"); + system("systemctl restart dnsmasq"); } sub dnsforwarding_stop { - system("$dnsforwarding_init stop >&/dev/null"); + system("systemctl stop dnsmasq"); } sub dnsforwarding_get_constants { @@ -51,6 +50,7 @@ sub dnsforwarding_get_constants { $output .= "log-facility=/var/log/dnsmasq.log\n"; $output .= "no-poll\n"; $output .= "edns-packet-max=4096\n"; + $output .= "bind-interfaces\n"; system("rm -f /var/log/dnsmasq.log; touch /var/log/dnsmasq.log"); return $output; } diff --git a/scripts/install/install-get-partition b/scripts/install/install-get-partition index 0ddbd443..f1b373ae 100755 --- a/scripts/install/install-get-partition +++ b/scripts/install/install-get-partition 
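Review bot: The return value of `system("systemctl restart dnsmasq")` in dnsforwarding_restart (and of the stop call in dnsforwarding_stop) is discarded, so a failed restart leaves the previous dnsmasq instance running with its old configuration and nothing in the commit output says so. The replaced init.d calls had the same gap but at least redirected output to /dev/null, which the new lines no longer do, so systemctl's own messages will now reach the commit console. The list form with a check, `system('systemctl', 'restart', 'dnsmasq') == 0 or warn "dnsmasq restart failed: $?\n";`, and the same for stop, makes the failure visible without changing the interface.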
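Review bot: The new `bind-interfaces` line in dnsforwarding_get_constants is undocumented although it changes the listening behaviour: dnsmasq with this option binds the addresses of the configured interfaces as they are at startup rather than the wildcard, so an address that appears later presumably is not served until the next restart — confirm against how listen-on interfaces are handled by the rest of this script. A comment above the line such as `# bind-interfaces: bind only the configured interfaces' addresses (not 0.0.0.0); needs a restart when addresses change` records the intent for the next maintainer. dnsforwarding_get_constants starts outside the hunk.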
@@ -259,12 +259,12 @@ check_for_new_raid () { done # Need to leave space on both disks between the MBR and the start - # of the first partition for grub. Grub needs to embed a large + # of the first partition for grub. Grub needs to embed a large # boot image there when booting off RAID devices. # # Partition creation variables are in units of megabytes. part_start_offset=2 - part_diag_size=60 + data_dev=1 if [ $drivesize1 -lt $drivesize2 ]; then root_size=$drivesize1 @@ -272,24 +272,6 @@ check_for_new_raid () { root_size=$drivesize2 fi - let min_size_with_diag=${MIN_ROOT}+${part_diag_size} - if [ $root_size -ge $min_size_with_diag ]; then - echo "Would you like me to create a $part_diag_size MB partition for diagnostics?" - echo -n "(Yes/No) [No]: " - diag_response=$(get_response "No" "Yes No Y N") - if [ "$diag_response" == "yes" ] || [ "$diag_response" == "y" ]; then - for drive in $drives; do - echo "Creating diag partition on drive $drive" - create_partitions "$drive" $part_diag_size $part_start_offset "no" - sfdisk --change-id /dev/$drive 1 0x6 - done - data_dev=2 - let part_start_offset+=$part_diag_size - else - data_dev=1 - fi - fi - let root_size-=$part_start_offset for drive in $drives; do diff --git a/scripts/system/vyatta_update_ntp.pl b/scripts/system/vyatta_update_ntp.pl index eaaae14a..78a617bc 100755 --- a/scripts/system/vyatta_update_ntp.pl +++ b/scripts/system/vyatta_update_ntp.pl @@ -78,10 +78,10 @@ my @clients; if ($dhclient_script == 1) { @servers = $cfg->listOrigNodes("server"); - @clients = $cfg->returnOrigValues("client address"); + @clients = $cfg->returnOrigValues("allow-clients address"); } else { @servers = $cfg->listNodes("server"); - @clients = $cfg->returnValues("client address"); + @clients = $cfg->returnValues("allow-clients address"); } if (scalar(@servers) > 0) { diff --git a/scripts/system/vyatta_update_telnet b/scripts/system/vyatta_update_telnet deleted file mode 100755 index f50eef79..00000000 
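Review bot: The configuration node read here changes from `client address` to `allow-clients address`, matching the template move elsewhere in this commit, but nothing in the diff migrates existing configurations, so a saved config.boot containing `system ntp client` will presumably fail to load after the upgrade unless a migration script outside this package handles it — worth confirming before release. If no migrator exists, a transitional read of both names in this hunk avoids the breakage, e.g. `@clients = ($cfg->returnValues("allow-clients address"), $cfg->returnValues("client address"));` with the same for the returnOrigValues branch, and the old name dropped in a later release. The surrounding script continues outside the hunk.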
--- a/scripts/system/vyatta_update_telnet +++ /dev/null @@ -1,84 +0,0 @@ -#! /bin/bash -# Script to control telnet daemon parameters -# and block changes when logged in over telnet - -# Block changes to telnet daemon when logged in over telnet -pid=$(who -um | awk -F " " '{print $7}') -if [ -n "$pid" ]; then - if ps --pid $(ps --pid $pid -o ppid=) -o cmd= | grep -q telnetd - then - echo "Please configure telnet settings via ssh or console." - exit 1 - fi -fi - -usage() { - echo "Usage: $0 enable <port>" - echo " $0 disable" - echo " $0 allow-root {true|false}" - exit 1; -} - -allow-root() { - case "$1" in - true) ;; - false) ;; - *) echo "Expect true or false" - usage ;; - esac - - sudo sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty - - if [ $1 = "false" ]; then - return - fi - - sudo sh -c "cat >>/etc/securetty" <<EOF -# Pseudo-terminal (telnet) -pts/0 -pts/1 -pts/2 -pts/3 -pts/4 -pts/5 -pts/6 -pts/7 -pts/8 -pts/9 -pts/10 -pts/11 -pts/12 -pts/13 -pts/14 -pts/15 -pts/16 -pts/17 -pts/18 -pts/19 -EOF - -} - -case "$1" in - allow-root) - allow-root $2 - ;; - - enable) - if [ -z "$2" ] - then echo "Missing port number"; - usage - fi - exec sudo /opt/vyatta/sbin/telnetd.init restart $2 $3 - ;; - - disable) - exec sudo /opt/vyatta/sbin/telnetd.init stop - ;; - - *) - echo "Unknown argument $1"; - usage - ;; -esac - diff --git a/scripts/vyatta-grub-setup b/scripts/vyatta-grub-setup index 7a5d3891..ea4dc905 100755 --- a/scripts/vyatta-grub-setup +++ b/scripts/vyatta-grub-setup @@ -1,7 +1,7 @@ #!/bin/sh # # Module: grup-setup -# +# # **** License **** # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as 
@@ -15,11 +15,11 @@ # This code was originally developed by Vyatta, Inc. # Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc. # All Rights Reserved. -# +# # Author: Robert Bays # Date: 2006 # Description: -# +# # **** End License **** # # Vyatta grub customization setup script. @@ -55,7 +55,7 @@ ROOT_PARTITION="$1" GRUB_OPTIONS="$2" ROOTFSDIR="$3" -[ "$ROOT_PARTITION" ] || exit 1 +[ "$ROOT_PARTITION" ] || exit 1 # Grub options if [ "$GRUB_OPTIONS" ] @@ -114,7 +114,7 @@ if eval "$UNION"; then 2> /dev/null | grep -v xen \ | awk -F/ '{ print $6 }' | sed 's/vmlinuz//g' \ | sort -r) -else +else # Read UUID off of filesystem and use it to tell GRUB where to mount drive # This allows device to move around and grub will still find it uuid=$(dumpe2fs -h /dev/${ROOT_PARTITION} 2>/dev/null | awk '/^Filesystem UUID/ {print $3}') @@ -133,11 +133,6 @@ if [ -n "$xen_kernel_version" ] || [ -n "$union_xen_kernel_version" ]; then default_console=0 fi -# Check for diagnostic partition residing in first partition of drive -# holding the root partition. - -diag_drive_number="" - if [ ${ROOT_PARTITION:0:2} = "md" ]; then # Select the first disk in the RAID group to look for diag partition on root_disks=`echo /sys/block/$ROOT_PARTITION/slaves/*` 
@@ -149,20 +144,6 @@ else root_disk=${ROOT_PARTITION:0:${#ROOT_PARTITION}-1} fi -# If the root partition is not occupying the first partition, then we -# can look for a diag partition there. -if [ "$ROOT_PARTITION" != "${root_disk}1" ]; then - first_part_fstype=`fdisk -l /dev/$root_disk | grep ^/dev/${root_disk}1 | awk '{ print $6 }'` - - if [ "$first_part_fstype" = "FAT16" -o "$first_part_fstype" = "Dell" ]; then - # Translate the Linux drive letter (e.g. the "a" in "/dev/sda") into - # a drive number that grub uses. i.e. "a" = 0, "b" = 1, etc. - diag_drive_letter=${root_disk:2:1} - diag_drive_number=`echo $diag_drive_letter | od -t u1 -N 1 | awk '{ print $2 }'` - let diag_drive_number-=97 - fi -fi - ( # create the grub.cfg file for grub # The "default=" line selects which boot option will be used by default. @@ -175,19 +156,17 @@ fi echo "terminal_output --append serial" if [ ${ROOT_PARTITION:0:2} = "md" ]; then + uuid_root_disk=`/sbin/tune2fs -l /dev/${root_disk}1 | grep UUID | awk '{print $3}'` + uuid_root_md=`/sbin/tune2fs -l /dev/md${ROOT_PARTITION#md} | grep UUID | awk '{print $3}'` echo "" - echo -e "insmod mdraid09" + echo -e "insmod part_msdos" + echo -e "insmod diskfilter" + echo -e "insmod ext2" echo -e "insmod mdraid1x" - echo -e "set root=(md/${ROOT_PARTITION#md})" + echo -e "set root='mduuid/${uuid_root_disk}'" + echo -e "search --no-floppy --fs-uuid --set=root ${uuid_root_md}" fi - echo "" - echo "echo -n Press ESC to enter the Grub menu..." - echo "if sleep --verbose --interruptible 5 ; then" - echo -e "\tterminal_input console serial" - echo "fi" - echo "" - # create xen kernels if they exist XEN_OPTS='dom0_mem=512M xenheap_megabytes=128' if [ -n "$xen_kernel_version" ]; then @@ -233,7 +212,7 @@ fi echo -e "\tlinux /boot/$livedir/vmlinuz $GRUB_OPTIONS $usb_console" echo -e "\tinitrd /boot/$livedir/initrd.img" echo -e "}" - + elif [ -n "$union_kernel_versions" ]; then for kversion in $union_kernel_versions; do echo 
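Review bot: In the mdraid hunk, `set root='mduuid/${uuid_root_disk}'` takes its value from `tune2fs -l /dev/${root_disk}1`, i.e. the ext filesystem superblock of the first partition of one member disk, whereas GRUB's `mduuid/` prefix refers to the md array UUID as reported by mdadm; the `search --no-floppy --fs-uuid --set=root ${uuid_root_md}` line that follows overrides root anyway, so the first assignment looks at best redundant — please confirm on a RAID install. `grep UUID` on tune2fs output can also match a `Journal UUID:` line when one is present, and if either command fails the variable is empty and the generated grub.cfg silently contains a `search --fs-uuid --set=root` with no argument. The file's existing lookup, `awk '/^Filesystem UUID/ {print $3}'`, is the safer pattern to reuse for both variables, followed by a check such as `[ -n "$uuid_root_md" ] || exit 1` before writing the config.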
@@ -261,8 +240,8 @@ fi echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $VGA_LOGO $vty_console" echo -e "\tinitrd /boot/initrd.img" echo -e "}" - - # Set the second system boot option. + + # Set the second system boot option. # Make the serial port be the default console in this one. echo echo -e "menuentry \"VyOS $version (Serial console)\" {" @@ -295,19 +274,19 @@ fi fi fi - # Set options for root password reset. Offer + # Set options for root password reset. Offer # options for both serial and KVM console. reset_boot_path=/boot if eval "$UNION"; then reset_boot_path=/boot/$livedir fi - + echo echo -e "menuentry \"Lost password change $version (KVM console)\" {" echo -e "\tlinux $reset_boot_path/vmlinuz $GRUB_OPTIONS $NOSELINUX $vty_console init=$pass_reset" echo -e "\tinitrd $reset_boot_path/initrd.img" echo -e "}" - + echo echo -e "menuentry \"Lost password change $version (Serial console)\" {" echo -e "\tlinux $reset_boot_path/vmlinuz $GRUB_OPTIONS $NOSELINUX $serial_console init=$pass_reset" @@ -320,14 +299,6 @@ fi echo -e "\tinitrd $reset_boot_path/initrd.img" echo -e "}" - if [ -n "$diag_drive_number" ]; then - echo - echo -e "menuentry \"Diagnostics\" {" - echo -e "\tchainloader (hd$diag_drive_number,1)+1" - echo -e "}" - fi - - ) >"$ROOTFSDIR"/boot/grub/grub.cfg ( [ -s /boot/grub/menu.lst ] && diff --git a/scripts/vyatta-load-user-key.pl b/scripts/vyatta-load-user-key.pl index 5c34b6ab..651a08b1 100755 --- a/scripts/vyatta-load-user-key.pl +++ b/scripts/vyatta-load-user-key.pl @@ -103,7 +103,7 @@ sub geturl { sub validate_keytype { my ($keytype) = @_; - if ($keytype eq 'ssh-rsa' || $keytype eq 'ssh-dss') { + if ($keytype eq 'ssh-rsa' || $keytype eq 'ssh-dss' || $keytype eq 'ecdsa-sha2-nistp256' || $keytype eq 'ecdsa-sha2-nistp384' || $keytype eq 'ecdsa-sha2-nistp521' || $keytype eq 'ssh-ed25519') { return 1; } return 0; 
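Review bot: The six-way `eq ||` chain in validate_keytype hard-codes the same key-type list that is repeated in the die message of the getkeys hunk and in the `allowed:` and `syntax:expression` lines of the public-keys type template, so the copies will drift the next time a type is added. A lookup table keeps the list in one place in this file: `my %is_valid_keytype = map { $_ => 1 } qw(ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519);` and `return $is_valid_keytype{$keytype} ? 1 : 0;`, with the die message built from `join(', ', sort keys %is_valid_keytype)`. ssh-dss stays accepted here while OpenSSH has disabled DSA user keys by default since 7.0, so a key of that type may load without ever authenticating; a comment noting that it is kept for legacy configurations would help. The closing brace of validate_keytype is outside the hunk.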
@@ -135,7 +135,7 @@ sub getkeys { my $comment; $comment = join(' ', @fields); - die "Unknown key type $keytype : must be ssh-rsa or ssh-dss\n" + die "Unknown key type $keytype : must be one of ssh-rsa, ssh-dss, ecdsa-sha2-nistp* or ssh-ed25519\n" unless validate_keytype $keytype; my $cmd diff --git a/sysconf/rsyslog.conf b/sysconf/rsyslog.conf index 961806dc..7db872bf 100644 --- a/sysconf/rsyslog.conf +++ b/sysconf/rsyslog.conf @@ -12,6 +12,9 @@ $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support (previously done by rklogd) #$ModLoad immark # provides --MARK-- message capability +$OmitLocalLogging no +$SystemLogSocketName /run/systemd/journal/syslog + $KLogPath /proc/kmsg # provides UDP syslog reception @@ -54,8 +57,11 @@ $IncludeConfig /etc/rsyslog.d/*.conf #### RULES #### ############### +daemon.* /var/log/messages + # Log authorization failure messages auth,authpriv.* /var/log/auth.log # Emergencies are sent to everybody logged in. *.emerg :omusrmsg:* + diff --git a/templates/interfaces/l2tpv3/node.def b/templates/interfaces/l2tpv3/node.def index 03c677ad..973256bf 100644 --- a/templates/interfaces/l2tpv3/node.def +++ b/templates/interfaces/l2tpv3/node.def @@ -49,7 +49,7 @@ create: delete: ip link set $VAR(@) down if [ -n "$VAR(./tunnel-id/@)" ] && [ -n "$VAR(./session-id/@)" ] ; then - ip l2tp del session $VAR(./tunnel-id/@) session_id $VAR(./session-id/@) + ip l2tp del session tunnel_id $VAR(./tunnel-id/@) session_id $VAR(./session-id/@) fi if [ -n "$VAR(./tunnel-id/@)" ] ; then ip l2tp del tunnel tunnel_id $VAR(./tunnel-id/@) diff --git a/templates/service/dns/forwarding/domain/node.tag/server/node.def b/templates/service/dns/forwarding/domain/node.tag/server/node.def index 8f40a299..e616c0aa 100644 --- a/templates/service/dns/forwarding/domain/node.tag/server/node.def +++ b/templates/service/dns/forwarding/domain/node.tag/server/node.def 
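Review bot: `$SystemLogSocketName /run/systemd/journal/syslog` makes imuxsock read from journald's forwarding socket, but whether journald actually forwards depends on `ForwardToSyslog=` in journald.conf, which this diff does not touch; if that setting is off on the target image, local logging goes quiet rather than failing loudly, so a comment next to the directive naming that dependency (and the T522 changelog entry) should say so. The new `daemon.* /var/log/messages` rule is likewise undocumented; a line in the style of the surrounding rules, `# daemon facility messages (T522)`, would match the file. If imjournal is loaded from any file under rsyslog.d, the two inputs would presumably deliver every message twice — worth confirming on the image.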
@@ -1,3 +1,5 @@
 multi:
-type: ipv4
-help: DNS server to forward queries
+type: ipv4,ipv6
+help: Domain Name Server (DNS) to forward queries
+val_help: ipv4; Domain Name Server (DNS) address
+val_help: ipv6; Domain Name Server (DNS) address
diff --git a/templates/service/dns/forwarding/name-server/node.def b/templates/service/dns/forwarding/name-server/node.def
index 3ed4c459..ac7e45b6 100644
--- a/templates/service/dns/forwarding/name-server/node.def
+++ b/templates/service/dns/forwarding/name-server/node.def
@@ -1,3 +1,5 @@
 multi:
-type: ipv4
-help: DNS server to forward queries
+type: ipv4,ipv6
+help: Domain Name Server (DNS)
+val_help: ipv4; Domain Name Server (DNS) address
+val_help: ipv6; Domain Name Server (DNS) address
diff --git a/templates/service/ssh/access-control/allow-groups/node.def b/templates/service/ssh/access-control/allow-groups/node.def
new file mode 100644
index 00000000..2d6aa75b
--- /dev/null
+++ b/templates/service/ssh/access-control/allow-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowGroups.*$/c \
+AllowGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/allow-users/node.def b/templates/service/ssh/access-control/allow-users/node.def
new file mode 100644
index 00000000..2052bf69
--- /dev/null
+++ b/templates/service/ssh/access-control/allow-users/node.def
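Review bot: `$VAR(@)` is declared `type: txt` with no `syntax:expression`, yet the create, delete and update lines splice it verbatim into a sed script, so a value containing a single quote, a slash or a newline breaks out of the quoted expression, and in the delete line regex metacharacters such as `*` or `.` can match and remove a different AllowGroups line. The same pattern is in the allow-users, deny-groups and deny-users templates and in key-exchange. A whitelist in the style the ciphers template already uses, e.g. `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_.@*?,-]+$"; "$VAR(@) is not a valid group list"` (constructed starting point; narrow it to what sshd accepts for its user@host patterns), keeps the sed scripts well-formed. Separately, create appends with `$ a` while update replaces with `/^AllowGroups.*$/c`; if sshd_config already holds an AllowGroups line, create adds a second one and sshd honours only the first occurrence of a keyword, so the new value is silently ignored — create should replace any existing line the same way update does.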
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for allowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^AllowUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^AllowUsers.*$/c \
+AllowUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/deny-groups/node.def b/templates/service/ssh/access-control/deny-groups/node.def
new file mode 100644
index 00000000..c2c8dcab
--- /dev/null
+++ b/templates/service/ssh/access-control/deny-groups/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed groups.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple groups can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyGroups $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyGroups.*$/c \
+DenyGroups $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/deny-users/node.def b/templates/service/ssh/access-control/deny-users/node.def
new file mode 100644
index 00000000..a6426f90
--- /dev/null
+++ b/templates/service/ssh/access-control/deny-users/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Configure sshd_config access control for disallowed users.
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
+
+create: sudo sed -i -e '$ a \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^DenyUsers $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^DenyUsers.*$/c \
+DenyUsers $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/access-control/node.def b/templates/service/ssh/access-control/node.def
new file mode 100644
index 00000000..8f6ca6e7
--- /dev/null
+++ b/templates/service/ssh/access-control/node.def
@@ -0,0 +1,2 @@
+help: SSH user/group access controls
+comp_help: The SSH user and group access control directives (allow/deny) are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. Multiple users can be specified as a comma-separated list.
diff --git a/templates/service/ssh/ciphers/node.def b/templates/service/ssh/ciphers/node.def
index 7eab846e..b5e5af68 100644
--- a/templates/service/ssh/ciphers/node.def
+++ b/templates/service/ssh/ciphers/node.def
@@ -1,21 +1,26 @@ type: txt help: Allowed ciphers val_help: txt; Cipher string -val_help: 3des-cbc; 3DES CBC +val_help: aes128-gcm@openssh.com; AES 128 GCM +val_help: aes256-gcm@openssh.com; AES 256 GCM +val_help: chacha20-poly1305@openssh.com; ChaCha20 Poly1305 +val_help: 3des-cbc; 3DES CBC (weak) val_help: aes128-cbc; AES 128 CBC val_help: aes192-cbc; AES 192 CBC val_help: aes256-cbc; AES 256 CBC val_help: aes128-ctr; AES 128 CTR val_help: aes192-ctr; AES 192 CTR val_help: aes256-ctr; AES 256 CTR -val_help: arcfour128; AC4 128 -val_help: arcfour256; AC4 256 -val_help: arcfour; AC4 +val_help: arcfour128; AC4 128 (broken) +val_help: arcfour256; AC4 256 (broken) +val_help: arcfour; AC4 (broken) val_help: blowfish-cbc; Blowfish CBC val_help: cast128-cbc; CAST 128 CBC comp_help: Multiple ciphers can be specified as a comma-separated list. -syntax:expression: pattern $VAR(@) "^((3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\ +syntax:expression: pattern $VAR(@) "^((aes128-gcm@openssh.com|\ +aes256-gcm@openssh.com|chacha20-poly1305@openssh.com|\ +3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|aes128-ctr|aes192-ctr|\ aes256-ctr|arcfour128|arcfour256|arcfour|\ blowfish-cbc|cast128-cbc)(,|$))+$"; \ "$VAR(@) is not a valid cipher list" @@ -25,5 +30,5 @@ Ciphers $VAR(@)' /etc/ssh/sshd_config delete: sudo sed -i -e '/^Ciphers $VAR(@)$/d' /etc/ssh/sshd_config -update: sudo sed -i -e '/^Ciphers/c \ +update: sudo sed -i -e '/^Ciphers.*$/c \ Ciphers $VAR(@)' /etc/ssh/sshd_config diff --git a/templates/service/ssh/key-exchange/node.def b/templates/service/ssh/key-exchange/node.def new file mode 100644 index 00000000..a3c91b0b --- /dev/null +++ b/templates/service/ssh/key-exchange/node.def 
@@ -0,0 +1,11 @@
+type: txt
+help: Allowed key exchange algorithms
+comp_help: Specifies the available KEX (key exchange) algorithms. The KEX algorithm is used in protocol version 2 for key negotiation upon session creation. Multiple algorithms must be comma-separated. See 'ssh -Q kex' for supported KEX algorithms.
+
+create: sudo sed -i -e '$ a \
+KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^KexAlgorithms $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^KexAlgorithms.*$/c \
+KexAlgorithms $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/loglevel/node.def b/templates/service/ssh/loglevel/node.def
new file mode 100644
index 00000000..f66ec068
--- /dev/null
+++ b/templates/service/ssh/loglevel/node.def
@@ -0,0 +1,19 @@
+type: txt
+help: Log Level
+val_help: QUIET; stay silent
+val_help: FATAL; log fatals only
+val_help: ERROR; log errors and fatals only
+val_help: INFO; default log level
+val_help: VERBOSE; enable logging of failed login attempts
+comp_help: Gives the verbosity level that is used when logging messages from sshd(8). The default is INFO.
+
+syntax:expression: pattern $VAR(@) "^((QUIET|FATAL|ERROR|INFO|VERBOSE)(,|$))+$"; \
+"$VAR(@) is not a valid log level"
+
+create: sudo sed -i -e '/^LogLevel.*$/c \
+LogLevel $VAR(@)' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^LogLevel $VAR(@)$/d' /etc/ssh/sshd_config
+
+update: sudo sed -i -e '/^LogLevel.*$/c \
+LogLevel $VAR(@)' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/macs/node.def b/templates/service/ssh/macs/node.def
index ee6c60e1..f9bf4176 100644
--- a/templates/service/ssh/macs/node.def
+++ b/templates/service/ssh/macs/node.def
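Review bot: The `create:` action of the loglevel template uses `/^LogLevel.*$/c`, which only rewrites an existing uncommented LogLevel line; on a stock sshd_config where the directive ships commented out as `#LogLevel INFO`, create is a silent no-op and the configured level is never applied — please verify against the image's sshd_config. The sibling templates in this commit append on create, so `create: sudo sed -i -e '$ a \` followed by `LogLevel $VAR(@)' /etc/ssh/sshd_config` would be consistent, with update keeping the replace. The validation pattern `^((QUIET|FATAL|ERROR|INFO|VERBOSE)(,|$))+$` also accepts comma-separated and repeated values such as `INFO,VERBOSE`, which sshd rejects for this single-valued directive; `^(QUIET|FATAL|ERROR|INFO|VERBOSE)$` matches what LogLevel actually takes.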
@@ -1,10 +1,11 @@ type: txt -help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'man sshd_config' for supported MACs. +help: Allowed message authentication algorithms +comp_help: Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. See 'ssh -Q mac' for supported MACs. create: sudo sed -i -e '$ a \ MACs $VAR(@)' /etc/ssh/sshd_config delete: sudo sed -i -e '/^MACs $VAR(@)$/d' /etc/ssh/sshd_config -update: sudo sed -i -e '/^MACs/c \ -MACs $VAR(@)' /etc/ssh/sshd_config
\ No newline at end of file +update: sudo sed -i -e '/^MACs.*$/c \ +MACs $VAR(@)' /etc/ssh/sshd_config diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def deleted file mode 100644 index 39c78062..00000000 --- a/templates/service/telnet/allow-root/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Enable root login over telnet -create: /opt/vyatta/sbin/vyatta_update_telnet allow-root true -delete:/opt/vyatta/sbin/vyatta_update_telnet allow-root false diff --git a/templates/service/telnet/listen-address/node.def b/templates/service/telnet/listen-address/node.def deleted file mode 100644 index cd016628..00000000 --- a/templates/service/telnet/listen-address/node.def +++ /dev/null @@ -1,7 +0,0 @@ -type: ipv4,ipv6 -help: Local addresses telnet should listen on -val_help: ipv4: IP address to listen for incoming connections -val_help: ipv6: IPv6 address to listen for incoming connections - -commit:expression: exec "/opt/vyatta/sbin/local_ip $VAR(@)"; \ - "IP address $VAR(@) doesn\'t exist on this system" diff --git a/templates/service/telnet/node.def b/templates/service/telnet/node.def deleted file mode 100644 index e173d243..00000000 --- a/templates/service/telnet/node.def +++ /dev/null @@ -1,8 +0,0 @@ -priority: 500 # After syslog and logins -help: Enable/disable Network Virtual Terminal Protocol (TELNET) protocol -update: touch /tmp/vyatta-telnet.$PPID -delete: /opt/vyatta/sbin/vyatta_update_telnet disable -end: if [ -f /tmp/vyatta-telnet.$PPID ]; then - rm -f /tmp/vyatta-telnet.$PPID - /opt/vyatta/sbin/vyatta_update_telnet enable $VAR(port/@) $VAR(listen-address/@) - fi diff --git a/templates/service/telnet/port/node.def b/templates/service/telnet/port/node.def deleted file mode 100644 index c4db688a..00000000 --- a/templates/service/telnet/port/node.def +++ /dev/null 
@@ -1,9 +0,0 @@ -type: u32 -default: 23 -help: Port for TELNET service - -val_help: u32:1-65535; Numeric IP port -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \ - "Port number must be in range 1 to 65535" -commit:expression: exec "sudo /opt/vyatta/sbin/is_port_available.pl $VAR(@)"; \ - "Port $VAR(@) is already in use!" diff --git a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def index 5ad1c58b..bf789e06 100644 --- a/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def +++ b/templates/system/login/user/node.tag/authentication/public-keys/node.tag/type/node.def @@ -1,4 +1,4 @@ type: txt help: Public key type -allowed: echo "ssh-dss ssh-rsa" -syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dss" ; "Unknown key type" +allowed: echo "ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519" +syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"; "Unknown key type" diff --git a/templates/system/ntp/client/address/node.def b/templates/system/ntp/allow-clients/address/node.def index a48a2b5a..a48a2b5a 100644 --- a/templates/system/ntp/client/address/node.def +++ b/templates/system/ntp/allow-clients/address/node.def diff --git a/templates/system/ntp/allow-clients/node.def b/templates/system/ntp/allow-clients/node.def new file mode 100644 index 00000000..8228130e --- /dev/null +++ b/templates/system/ntp/allow-clients/node.def @@ -0,0 +1 @@ +help: Network Time Protocol (NTP) server options diff --git a/templates/system/ntp/client/node.def b/templates/system/ntp/client/node.def deleted file mode 100644 index dd849f8f..00000000 --- a/templates/system/ntp/client/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Network Time Protocol (NTP) client |