From 5ec82316b089d0be4f544937fbd3ed5d3333c829 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 16 Jun 2009 15:31:49 -0700
Subject: Make telnet management smarter
Bug 4591 Consolidate check for telnet login Don't remove /etc/securetty edit it
(cherry picked from commit c6c477f2ffb0f2fd4cf12882f22c2c44ab57cc46)
---
 Makefile.am | 2 +
 debian/vyatta-cfg-system.postinst.in | 2 +
 scripts/system/vyatta_update_telnet | 82 +++++++++++++++++++++++++++
 sysconf/securetty | 83 ++++++++++++++++++++++++++++
 templates/service/telnet/allow-root/node.def | 35 +-----------
 templates/service/telnet/node.def | 34 ++----------
 6 files changed, 176 insertions(+), 62 deletions(-)
 create mode 100755 scripts/system/vyatta_update_telnet
 create mode 100644 sysconf/securetty
diff --git a/Makefile.am b/Makefile.am
index a6423362..3d4de537 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -27,6 +27,7 @@ sbin_SCRIPTS += scripts/system/vyatta_update_login.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl
 sbin_SCRIPTS += scripts/system/vyatta_update_syslog.pl
+sbin_SCRIPTS += scripts/system/vyatta_update_telnet
 sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
 sbin_SCRIPTS += scripts/snmp/snmpd.init
 sbin_SCRIPTS += scripts/keepalived/vyatta-keepalived.pl
@@ -57,6 +58,7 @@ sysconf_DATA += sysconf/motd.tail
 sysconf_DATA += sysconf/syslog.conf
 sysconf_DATA += sysconf/ntp.conf
 sysconf_DATA += sysconf/default_ssh
+sysconf_DATA += sysconf/securetty
 sysconf_DATA += sysconf/vyatta-sysctl.conf
 sysconf_DATA += sysconf/blacklist.DSA-1024
 sysconf_DATA += sysconf/blacklist.RSA-2048
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index a756ba34..38d276ec 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -110,6 +110,8 @@ EOF
 # replace debian /etc/ntp.conf with Vyatta version
 cp $sysconfdir/ntp.conf /etc/ntp.conf
+ # purge off ancient devfs stuff from /etc/securetty
+ cp $sysconfdir/securetty /etc/securetty
 fi
 # update crontab for logrotate
diff --git a/scripts/system/vyatta_update_telnet b/scripts/system/vyatta_update_telnet
new file mode 100755
index 00000000..0725a85f
--- /dev/null
+++ b/scripts/system/vyatta_update_telnet
@@ -0,0 +1,82 @@
+#! /bin/bash
+# Script to control telnet daemon parameters
+# and block changes when logged in over telnet
+
+# Block changes to telnet daemon when logged in over telnet
+pid=$(who -um | awk -F " " '{print $7}')
+if ps --pid $(ps --pid $pid -o ppid=) -o cmd= | grep -q telnetd
+then
+ echo "Please configure telnet settings via ssh or console."
+ exit 1
+fi
+
+usage() {
+ echo "Usage: $0 enable "
+ echo " $0 disable"
+ echo " $0 allow-root {true|false}"
+ exit 1;
+}
+
+allow-root() {
+ case "$1" in
+ true) ;;
+ false) ;;
+ *) echo "Expect true or false"
+ usage ;;
+ esac
+
+ sudo sed -i -e '/^# Pseudo-terminal (telnet)/,$d' /etc/securetty
+
+ if [ $1 = "false" ]; then
+ return
+ fi
+
+ sudo sh -c "cat >>/etc/securetty" <&/dev/null
- else
- sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null
- fi
- /bin/true
-
-delete: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null
- /bin/true
-
+update: /opt/vyatta/sbin/vyatta_update_telnet allow-root $VAR(@)
 comp_help: possible completions:
 true Enable root login over telnet
 false Disable root login over telnet
-
-allowed: echo "true false"
diff --git a/templates/service/telnet/node.def b/templates/service/telnet/node.def
index 399f25ac..eefb3b4a 100644
--- a/templates/service/telnet/node.def
+++ b/templates/service/telnet/node.def
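Review bot: `cp $sysconfdir/securetty /etc/securetty` overwrites /etc/securetty unconditionally on every package upgrade, while the vyatta_update_telnet script added in this same commit manages that file in place (it deletes from the `# Pseudo-terminal (telnet)` marker to end-of-file with `sed -i` and then appends), so an upgrade silently drops the telnet pty entries and the effective root-login-over-telnet policy no longer matches the committed configuration until `allow-root` is re-applied. Preserving the managed tail around the copy keeps the two in step, e.g. `tail=$(sed -n '/^# Pseudo-terminal (telnet)/,$p' /etc/securetty 2>/dev/null)` before the `cp` and `[ -n "$tail" ] && printf '%s\n' "$tail" >>/etc/securetty` after it; whether boot-time configuration load re-runs the template anyway is not visible here. The enclosing `if` starts before this hunk.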
@@ -1,29 +1,7 @@
 help: Enable/disable Network Virtual Terminal Protocol (TELNET) protocol
-
-delete: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- sudo /opt/vyatta/sbin/telnetd.init stop
-
-end: pids=`who -u | awk -F " " '{print $7}'`
- for i in $pids
- do
- ppid=`ps -p $i -o ppid=`
- if ps -p $ppid -o cmd= | grep -q telnetd
- then
- echo "Please configure telnet settings via ssh or console."
- exit 1
- fi
- done
- if [ -z "$VAR(port/@)" ]
- then
- exit 0
- fi
- sudo /opt/vyatta/sbin/telnetd.init restart $VAR(port/@)
+create: touch /tmp/vyatta-telnet.$PPID
+delete: /opt/vyatta/sbin/vyatta_update_telnet disable
+end: if [ -f /tmp/vyatta-telnet.$PPID ]; then
+ rm -f /tmp/vyatta-telnet.$PPID
+ /opt/vyatta/sbin/vyatta_update_telnet enable $VAR(port/@)
+ fi
-- cgit v1.2.3
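Review bot: The `create:` marker `touch /tmp/vyatta-telnet.$PPID` is a predictable name in the shared, world-writable /tmp, and `end:` takes the mere existence of that file as proof that this commit created the node. A stale marker from an earlier session (a commit that aborted between `create:` and `end:`) or a file pre-created by another local user under a reused pid makes `end:` run `vyatta_update_telnet enable` on an unrelated commit, and `touch` on a pre-existing symlink would update whatever it points at. Keeping the marker in a directory owned by the configuring user rather than /tmp is the cleaner fix; at minimum, pairing the test with an ownership check, `if [ -f /tmp/vyatta-telnet.$PPID ] && [ -O /tmp/vyatta-telnet.$PPID ]; then`, narrows it. Separately, because `end:` now only acts when the marker exists, changing `port` on an already-enabled service no longer restarts telnetd unless port/node.def (not in this diff) does so itself; the removed `end:` restarted on every change under the node.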