From c9c4552ca7545d3916f64b5c9fbef553d80930f6 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Sat, 11 Oct 2008 17:37:11 -0700 Subject: - redo internal snmpv3 user creation for linkUpDownNotifications --- scripts/snmp/vyatta-snmp.pl | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index b43485b3..6de63fb0 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -49,11 +49,11 @@ sub snmp_init { } sub snmp_restart { - system("$snmp_init restart"); + system("$snmp_init restart > /dev/null 2>&1 &"); } sub snmp_stop { - system("$snmp_init stop"); + system("$snmp_init stop > /dev/null 2>&1"); } sub snmp_get_constants { 
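Review bot: The backgrounded `system("$snmp_init restart > /dev/null 2>&1 &")` returns as soon as the shell has forked, so its exit status is always 0 and whatever the caller does next runs concurrently with the daemon restart; neither sub checks the status of `system`. If the intent is only to keep the CLI from blocking, say so in a comment, and at least report a failed stop: `system("$snmp_init stop > /dev/null 2>&1") == 0 or warn "snmpd stop failed: $?";`. `$snmp_init` is defined outside this hunk, so I cannot confirm it is a fixed path; if it can ever carry operator input, the string form should become the list form of `system`.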
@@ -127,10 +127,18 @@ sub snmp_get_values { my @trap_targets = $config->returnValues("trap-target"); if ($#trap_targets >= 0) { - # code for creating a snmpv3 user, setting access-level for it and use user to do internal snmpv3 requests - snmp_create_snmpv3_user(); - snmp_write_snmpv3_user(); - $output .= "iquerySecName vyatta\n"; + + # linkUpDownNotifications configure the Event MIB tables to monitor the ifTable for network interfaces being taken up or down + # for making internal queries to retrieve any necessary information a snmpv3 user needs to be created + # we write appropriate values to /var/lib/snmp/snmpd.conf and /usr/share/snmp/snmpd.conf to do so + # any external snmpv3 queries (from localhost or any other ip) using this username will not be responded to + + my $generate_vyatta_user_append_string = join "", map { unpack "H*", chr(rand(256)) } 1..8; #generate a random 16 character hex string + #create an internal snmpv3 user of the form 'vyattaxxxxxxxxxxxxxxxx' + my $vyatta_user = "vyatta" . "$generate_vyatta_user_append_string"; + snmp_create_snmpv3_user($vyatta_user); + snmp_write_snmpv3_user($vyatta_user); + $output .= "iquerySecName $vyatta_user\n"; # code to activate link up down traps $output .= "linkUpDownNotifications yes\n"; } @@ -143,7 +151,9 @@ sub snmp_get_values { sub snmp_create_snmpv3_user { - my $createuser = "createUser vyatta MD5 \"vyatta\" DES"; + my $vyatta_user = shift; + my $passphrase = join "", map { unpack "H*", chr(rand(256)) } 1..16; #generate a random 32 character hex string + my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; open(my $fh, '>>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; print $fh $createuser; close $fh; 
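Review bot: The SNMPv3 user-name suffix in snmp_get_values and the passphrase in snmp_create_snmpv3_user (the second hunk on this line) are both built from Perl's `rand`, which is seeded from a predictable source and is not a cryptographic generator; the passphrase is what authenticates the internal `iquerySecName` user, so it should come from the kernel random source instead. The same `join "", map { unpack "H*", chr(rand(256)) } 1..N` expression is duplicated in both subs, so a single helper reading `/dev/urandom` fixes both and removes the duplication, with `my $passphrase = _random_hex(16);` in snmp_create_snmpv3_user. The comment claiming that external queries using this user name will not be answered is not established by anything in the patch (the user is written as `rouser`), so it should state what actually limits access or be dropped. `"vyatta" . "$generate_vyatta_user_append_string"` quotes a variable for no reason; snmp_get_values begins before this hunk.
```perl
# Return $nbytes bytes from the kernel random source as a lowercase hex string.
sub _random_hex {
    my ($nbytes) = @_;
    open(my $rnd, '<', '/dev/urandom') || die "Couldn't open /dev/urandom - $!";
    binmode $rnd;
    read($rnd, my $buf, $nbytes) == $nbytes || die "Short read from /dev/urandom";
    close $rnd;
    return unpack "H*", $buf;
}

# … unchanged: trap-target check and explanatory comment …
        # create an internal snmpv3 user of the form 'vyatta' + 16 hex characters
        my $vyatta_user = "vyatta" . _random_hex(8);
        snmp_create_snmpv3_user($vyatta_user);
# … unchanged: snmp_write_snmpv3_user call and iquerySecName line …
```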
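Review bot: `$createuser` has no trailing newline yet is appended with `'>>'` to `$snmp_snmpv3_createuser_conf`, so the second commit that reaches this code writes its `createUser` line onto the end of the previous one and neither parses; the sibling `$user` string in snmp_write_snmpv3_user does end in `\n`. Change it to `my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES\n";`. Nothing in this patch removes earlier `createUser` entries, so every commit with trap targets leaves one more random-named user behind unless the agent consumes the file on start; pruning stale `vyatta*` entries here, as the next hunk does for the access file, would keep the store bounded. Because the line carries the passphrase in clear text, the permissions of that file matter; they are not set here and are not visible in this patch.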
@@ -151,8 +161,10 @@ sub snmp_create_snmpv3_user { sub snmp_write_snmpv3_user { - my $user = "rwuser vyatta"; - open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; + my $vyatta_user = shift; + my $user = "rouser $vyatta_user\n"; + system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf;"); + open(my $fh, '>>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; print $fh $user; close $fh; } -- cgit v1.2.3 From 22b1e03e3b042e1899ef31d9759f88c87a3ab58e Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 15:30:52 -0700 Subject: add ssh key blacklists --- Makefile.am | 2 ++ debian/control | 3 ++- debian/vyatta-cfg-system.postinst.in | 16 ++++++++++++++++ sysconf/blacklist.DSA-1024 | 21 +++++++++++++++++++++ sysconf/blacklist.RSA-2048 | 21 +++++++++++++++++++++ 5 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 sysconf/blacklist.DSA-1024 create mode 100644 sysconf/blacklist.RSA-2048 diff --git a/Makefile.am b/Makefile.am index 9e66286c..a018961f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -48,6 +48,8 @@ sysconf_DATA += sysconf/motd.tail sysconf_DATA += sysconf/syslog.conf sysconf_DATA += sysconf/default_ssh sysconf_DATA += sysconf/vyatta-sysctl.conf +sysconf_DATA += sysconf/blacklist.DSA-1024 +sysconf_DATA += sysconf/blacklist.RSA-2048 libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/control b/debian/control index 89b55bbe..2094387a 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh, + ssh (>= 5.1p1-3), + openssh-server (>= 5.1p1-3), ed, tshark, ifenslave-2.6, diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 6e5fa735..26ae9a02 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
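Review bot: The `sed` pattern `/user[[:space:]]*vyatta[[:alnum:]]*/d` is unanchored and both quantifiers accept zero characters, so it deletes every line of `$snmp_snmpv3_user_conf` that merely contains `user` followed by `vyatta` — an operator-defined `rouser vyattaadmin` line goes with it, and silently, because the return value of `system` is not checked. Anchor the pattern to the generated name format and skip the shell: `system('sed', '-i', '/^r[ow]user[[:space:]]\+vyatta[[:xdigit:]]\{16\}$/d', $snmp_snmpv3_user_conf) == 0 or die "Couldn't prune $snmp_snmpv3_user_conf";`. The stray `;` inside the command string and the space in `system (` are out of step with the rest of the file.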
@@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate @@ -87,6 +101,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server + # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024 new file mode 100644 index 00000000..74ecaf53 --- /dev/null +++ b/sysconf/blacklist.DSA-1024 @@ -0,0 +1,21 @@ +01e53715431bcae79677 +036a4048556eb8092113 +0db19fcc95efc89d2173 +22da67b6aafc3df124f3 +2307b2e9769c6b66857c +3c13948cb606c6041284 +4218a1912ef9941a0881 +4582eff4cf42af0b19f0 +54f103cd4fbc7b08c8e2 +6d56bcebc8bb9d30ecd9 +83848247dbabf6135644 +8e730ef49b321946e7aa +96a4f81de014a53e1890 +9adab16d72364f6032f7 +9b25df69798b447fd5ee +9d5e4438920babd3030e +a1eeb08f514492069e51 +d63657291b4d940a9a47 +db3101e70b8ef04ad4fe +dd71e503f1a8319e3caf +f407f33616b53f79c1b8 diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048 new file mode 100644 index 00000000..0cb0d489 --- /dev/null +++ b/sysconf/blacklist.RSA-2048 
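Review bot: `mv $tmp /etc/ssh/$f` installs the file `mktemp` created, which is mode 0600, in place of the existing blacklist, so after a merge the file is readable by root only; whether unprivileged `ssh` or `ssh-vulnkey` invocations need to read it is not visible here, so preserve the installed mode explicitly with `chmod --reference=/etc/ssh/$f $tmp` before the `mv`. `sort` without `-u` also duplicates every entry that was already present whenever only the first line was missing, and `$sysconfdir` should be quoted as `/etc/ssh/$f` already is. The same hunk is repeated in commit 3529bdf on the second branch.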
@@ -0,0 +1,21 @@ +0a47235c3142262b3b90 +1899b9c1f6346576a66e +20059ae36e5ac97fc3b2 +2487f28e692f45affa43 +4394e40d532aef252906 +440ea42b848111613a48 +46a6daa5036020063340 +52287579c05c0e45c57e +52cec5c2a10c09661389 +6b3446654ce7e07da10d +768e7f724aeb0cf86814 +84d1e68fda77b8fe88bf +b0e10f3cfca7ac4aba50 +b8570f784995af2fa6b8 +bcdc020d5e8e6a61345a +c3e94aed4f1d75569eab +c5d8c5731f3fa668ffae +d9deed191624c2472978 +e66c42ba8e40c8501106 +ea93328c2d72642a5d59 +f954c671c9c639f8a375 -- cgit v1.2.3 From 3529bdf5b65016cea331f8ba6e7293c7eea9e6ce Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 15:31:26 -0700 Subject: add ssh key blacklists --- Makefile.am | 2 ++ debian/control | 3 ++- debian/vyatta-cfg-system.postinst.in | 16 ++++++++++++++++ sysconf/blacklist.DSA-1024 | 21 +++++++++++++++++++++ sysconf/blacklist.RSA-2048 | 21 +++++++++++++++++++++ 5 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 sysconf/blacklist.DSA-1024 create mode 100644 sysconf/blacklist.RSA-2048 diff --git a/Makefile.am b/Makefile.am index 576be4be..7f148153 100644 --- a/Makefile.am +++ b/Makefile.am @@ -44,6 +44,8 @@ sysconf_DATA += sysconf/motd.tail sysconf_DATA += sysconf/syslog.conf sysconf_DATA += sysconf/default_ssh sysconf_DATA += sysconf/vyatta-sysctl.conf +sysconf_DATA += sysconf/blacklist.DSA-1024 +sysconf_DATA += sysconf/blacklist.RSA-2048 libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/control b/debian/control index 4b5692bb..877ee68c 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh, + ssh (>= 5.1p1-3), + openssh-server (>= 5.1p1-3), ed, tshark, iputils-arping diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 0dd6248f..fe50fa79 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
@@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate @@ -87,6 +101,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024 new file mode 100644 index 00000000..74ecaf53 --- /dev/null +++ b/sysconf/blacklist.DSA-1024 @@ -0,0 +1,21 @@ +01e53715431bcae79677 +036a4048556eb8092113 +0db19fcc95efc89d2173 +22da67b6aafc3df124f3 +2307b2e9769c6b66857c +3c13948cb606c6041284 +4218a1912ef9941a0881 +4582eff4cf42af0b19f0 +54f103cd4fbc7b08c8e2 +6d56bcebc8bb9d30ecd9 +83848247dbabf6135644 +8e730ef49b321946e7aa +96a4f81de014a53e1890 +9adab16d72364f6032f7 +9b25df69798b447fd5ee +9d5e4438920babd3030e +a1eeb08f514492069e51 +d63657291b4d940a9a47 +db3101e70b8ef04ad4fe +dd71e503f1a8319e3caf +f407f33616b53f79c1b8 diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048 new file mode 100644 index 00000000..0cb0d489 --- /dev/null +++ b/sysconf/blacklist.RSA-2048 @@ -0,0 +1,21 @@ +0a47235c3142262b3b90 +1899b9c1f6346576a66e +20059ae36e5ac97fc3b2 +2487f28e692f45affa43 +4394e40d532aef252906 +440ea42b848111613a48 +46a6daa5036020063340 +52287579c05c0e45c57e +52cec5c2a10c09661389 +6b3446654ce7e07da10d +768e7f724aeb0cf86814 +84d1e68fda77b8fe88bf +b0e10f3cfca7ac4aba50 +b8570f784995af2fa6b8 +bcdc020d5e8e6a61345a +c3e94aed4f1d75569eab +c5d8c5731f3fa668ffae +d9deed191624c2472978 +e66c42ba8e40c8501106 +ea93328c2d72642a5d59 +f954c671c9c639f8a375 -- cgit v1.2.3 
From db349aeba68d510648b8b1c9f37342779f21b941 Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 16:10:52 -0700 Subject: use epoch in package version number --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 2094387a..b8128287 100644 --- a/debian/control +++ b/debian/control @@ -24,8 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh (>= 5.1p1-3), - openssh-server (>= 5.1p1-3), + ssh (>= 1:5.1p1-3), + openssh-server (>= 1:5.1p1-3), ed, tshark, ifenslave-2.6, -- cgit v1.2.3 From 1ae422b13aac7ae6d9c412ae0f392f465d7537af Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 16:11:08 -0700 Subject: use epoch in package version number --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 877ee68c..2888d0e3 100644 --- a/debian/control +++ b/debian/control @@ -24,8 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh (>= 5.1p1-3), - openssh-server (>= 5.1p1-3), + ssh (>= 1:5.1p1-3), + openssh-server (>= 1:5.1p1-3), ed, tshark, iputils-arping -- cgit v1.2.3 From 81c8c9f28dff67e7ff3208278790f3381bc879dc Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 19:09:41 -0700 Subject: remove unused files --- debian/vyatta-cfg-system.postinst.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index fe50fa79..b484c2a1 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -102,6 +102,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null # Local Variables: # mode: shell-script -- cgit v1.2.3 From aed20563b004d8c274b8a3f72d161cf75bcf4e4c Mon Sep 17 00:00:00 2001 
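Review bot: `update-rc.d -f ssh remove` is not a file removal: it takes sshd out of every runlevel at package install, so afterwards the daemon only starts if something else (presumably the Vyatta configuration backend) launches it, and the subject "remove unused files" does not say so. A comment above the line should record that intent, e.g. `# sshd is started by the Vyatta config backend, not by the Debian init script`, adjusted to whatever actually starts it. `rm -f /etc/ssh/*.broken` discards whatever the openssh upgrade set aside under that suffix; if those are host keys found on the blacklist, a `logger` line before deleting would help a later forensic look. The same two lines are added again in commit aed2056 on the other branch.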
From: An-Cheng Huang Date: Mon, 13 Oct 2008 19:09:57 -0700 Subject: remove unused files --- debian/vyatta-cfg-system.postinst.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 26ae9a02..53fa062c 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -102,6 +102,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null # Fix up PAM configuration for login so that invalid users are prompted # for password -- cgit v1.2.3 From 1fa9bf825f3dfa51a71d87ffb08a64ad52dde61a Mon Sep 17 00:00:00 2001 From: Robert Bays Date: Mon, 13 Oct 2008 13:30:16 -0400 Subject: fix ssh keygen on startup --- scripts/rl-system.init | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scripts/rl-system.init b/scripts/rl-system.init index 23d67d12..36a4f64f 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -134,8 +134,25 @@ udev_rescan () done } +create_ssh_host_keys () { + if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then + syslog "Creating ssh v2 rsa host key." + ssh-keygen -q -N '' -t rsa -f /etc/ssh/ssh_host_rsa_key + fi; + if [ ! -f "/etc/ssh/ssh_host_dsa_key" ]; then + syslog "Creating ssh v2 dsa host key." + ssh-keygen -q -N '' -t dsa -f /etc/ssh/ssh_host_dsa_key + fi; + if [ ! -f "/etc/ssh/ssh_host_key" ]; then + syslog "Creating ssh v1 host key." + ssh-keygen -q -N '' -t rsa1 -f /etc/ssh/ssh_host_key + fi; +} + start () { udev_rescan + create_ssh_host_keys || \ + log_failure_msg "can't initialize ssh host keys" clear_or_override_config_files || \ log_failure_msg "can\'t reset config files" set_reboot_on_panic || \ -- cgit v1.2.3 From 6a2393d8053ab9ff9651a6f9c3b243cced7e4439 Mon Sep 17 00:00:00 2001 
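Review bot: `create_ssh_host_keys || log_failure_msg ...` never fires for the rsa or dsa key: a function's status is that of its last command, and an `if` whose condition was false exits 0, so only a failing rsa1 `ssh-keygen` (and only when that key was missing) reaches the caller. Append `|| return 1` to each `ssh-keygen` line, or collect a status variable and `return $rc` at the end. Generating an SSH protocol-1 host key (`-t rsa1`) is only useful when sshd has `Protocol 1` enabled, which nothing here shows; if protocol 1 is not offered, drop that branch rather than create a key for a deprecated protocol. The `fi;` semicolons are harmless but unconventional.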
From: Bob Gilligan Date: Tue, 14 Oct 2008 13:54:35 -0700 Subject: Bugfix: 3744 When a new member is added to a RAID group that holds the root filesystem, we need to re-install grub so that the new disk will be bootable. But this can only be done after the RAID set has completed rebuilding. Added mechanism that uses the event notification infrastructure of "mdadm" to trigger the re-installation of grub after the rebuild completes. --- debian/vyatta-cfg-system.postinst.in | 7 +++ scripts/vyatta-raid-event | 104 +++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 scripts/vyatta-raid-event diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 53fa062c..21d7ff32 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -111,6 +111,13 @@ sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $root [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist +# +# Ask mdadm to call our own event handling daemon +# +if [ -e /etc/default/mdadm ]; then + sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm +fi + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/scripts/vyatta-raid-event b/scripts/vyatta-raid-event new file mode 100644 index 00000000..f279a57d --- /dev/null +++ b/scripts/vyatta-raid-event 
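Review bot: The `--program /opt/vyatta/sbin/vyatta-raid-event` path is hard-coded in the sed replacement while the rest of this postinst refers to installed locations through substituted variables such as `${bindir}` and `$sysconfdir`, so a prefix change at build time would leave mdadm pointing at a script that does not exist. Use the same substitution here, e.g. `--program ${sbindir}/vyatta-raid-event`, if that variable is defined for this .in file (it is not visible in the patch). The `sed` also only rewrites an existing `DAEMON_OPTIONS=` line; if `/etc/default/mdadm` exists without one, nothing is added.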
@@ -0,0 +1,104 @@ +#!/bin/bash +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Bob Gilligan +# Date: 2008 +# Description: A script to handle events from the Linux Software RAID +# subsystem. +# +# **** End License **** +# +# This script is called by the "mdadm" daemon running in "monitor" mode +# whenever an event occurs in in the RAID subsytem. The script is called +# with two or three arguments: The first argument is always the name of +# the event, e.g. "RebuildFinished". The second argument is the name of +# the RAID set device that the event pertains to, e.g. "/dev/md0". The +# third argument is provided for some events, and gives the name of the +# RAID set member that the event pertains to, e.g. "/dev/sda2". +# +# See the mdadm(8) man page for more details on the events that it provides. +# + +# Script will be called with 2 or 3 arguments, depending on the event +if [ $# -lt 2 ]; then + logger -t "RAID" -p local0.warning "vyatta-raid-event: Error: Not enough args: $*" + # We can't do anything if we don't know event and RAID device it + # pertains to. 
+ exit 1 +fi +if [ $# -gt 3 ]; then + logger -t "RAID" -p local0.warning "vyatta-raid-event: Warning: too many args: $*" + # Be Robust: Try to complete task with args we know about +fi + +event=$1 +raid_set=$2 + +case $event in + + RebuildFinished) + logger -t "RAID" -p local0.warning "event ${event} ${raid_set}" + + # We need to update grub at the time that a resync completes + # on the root filesystem so that the new member disk will be + # bootable. + mounted_on=`mount | grep "^${raid_set}" | awk '{ print $3 }'` + if [ "$mounted_on" = "/" ]; then + raid_set_dev=${raid_set##*/} + if [ -e /sys/block/${raid_set_dev}/md/degraded ]; then + degraded=`cat /sys/block/${raid_set_dev}/md/degraded` + else + degraded=0 + fi + if [ $degraded -eq 0 ]; then + drive=${member_to_add%%[0-9]*} + logger -t "RAID" -p local0.warning \ + "RAID set ${raid_set} holds root filesystem. Updating grub." + touch /tmp/raid-grub-install-log + grub-install --no-floppy --recheck --root-directory=/ ${raid_set} \ + >> /tmp/raid-grub-install-log 2>&1 + if [ $? -ne 0 ]; then + logger -t "RAID" -p local0.warning \ + "grub-installed failed for $raid_set" + fi + else + logger -t "RAID" -p local0.warning \ + "RAID set ${raid_set} is still degraded. No action taken." + fi + else + logger -t "RAID" -p local0.warning \ + "RAID set ${raid_set} does not hold root filesystem. No action taken" + fi + ;; + + DeviceDisappeared | RebuildStarted | Rebuild?? | NewArray | \ + DegradedArray | MoveSpare | SparesMissing | TestMessage) + logger -t "RAID" -p local0.warning \ + "event ${event} ${raid_set}: No action taken" + ;; + + Fail | FailSpare | SpareActive) + member=$3 + logger -t "RAID" -p local0.warning \ + "event ${event} ${raid_set} ${member}: No action taken" + ;; + + *) + logger -t "RAID" -p local0.warning \ + "event ${event} unknown. No action taken" + ;; + + esac -- cgit v1.2.3 From ec928267b1e61e7a957515ad553bd171baf2d651 Mon Sep 17 00:00:00 2001 
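Review bot: The grub-install log is written to the fixed path `/tmp/raid-grub-install-log` by a handler that mdadm runs as root; a pre-existing symlink or file at that predictable name would be followed by the `touch` and the `>>`, so the log belongs in a root-owned directory (a file under /var/log, or `logger` like the rest of the script) rather than in /tmp. `drive=${member_to_add%%[0-9]*}` expands a variable that is never set in this script and `drive` is never used, so that line should go. `grep "^${raid_set}"` also matches `/dev/md10` when `raid_set` is `/dev/md1`; use `grep "^${raid_set} "` to match the whole device field. The message `grub-installed failed` should read `grub-install failed`.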
From: Mark O'Brien Date: Tue, 14 Oct 2008 17:30:18 -0700 Subject: 3.1.4 --- debian/changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/debian/changelog b/debian/changelog index 803fdb87..28c93bf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +vyatta-cfg-system (0.14) unstable; urgency=low + + 3.1.4 + [ Mark O'Brien ] + + + [ Robert Bays ] + * fix ssh keygen on startup + + [ An-Cheng Huang ] + * remove unused files + * use epoch in package version number + * add ssh key blacklists + + [ Mark O'Brien ] + + -- Mark O'Brien Tue, 14 Oct 2008 17:30:18 -0700 + vyatta-cfg-system (0.13) unstable; urgency=low 3.1.3 -- cgit v1.2.3 From 25438666015dc5ea9695f5172b0f4925c3ae2d9a Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 15 Oct 2008 13:30:57 -0700 Subject: Block remote access to rpc-bind port Use hosts.deny to block access to portmapper Bugfix 3767 --- debian/vyatta-cfg-system.postinst.in | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 21d7ff32..498e431f 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -80,8 +80,17 @@ EOF cp $sysconfdir/$f /etc/ssh/$f fi done + + # block external rpc access + if ! grep -q "^portmap" /etc/hosts.deny + then cat <<-EOF >>/etc/hosts.deny + # Disable rpc access from other hosts + portmap: ALL + EOF + fi fi + # update crontab for logrotate grep -v logrotate /etc/crontab>/etc/crontab.$$ echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$ -- cgit v1.2.3 From 540cf454c6f7a5595a0fce42906f2656dc10cc9f Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 15 Oct 2008 13:47:03 -0700 Subject: Revert "Block remote access to rpc-bind port" This change isn't needed. This reverts commit 25438666015dc5ea9695f5172b0f4925c3ae2d9a. --- debian/vyatta-cfg-system.postinst.in | 9 --------- 1 file changed, 9 deletions(-) 
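Review bot: `portmap: ALL` in hosts.deny also applies to connections from 127.0.0.1 unless hosts.allow grants them, so local RPC clients on the router are cut off together with remote ones; the hunk does not touch hosts.allow, and nothing here shows an existing localhost entry. If the block is kept, pair it with a `portmap: 127.0.0.1` line in hosts.allow, or scope the deny to the external addresses. The change is reverted by 540cf454 in the following commit, so this may be moot.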
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 498e431f..21d7ff32 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -80,17 +80,8 @@ EOF cp $sysconfdir/$f /etc/ssh/$f fi done - - # block external rpc access - if ! grep -q "^portmap" /etc/hosts.deny - then cat <<-EOF >>/etc/hosts.deny - # Disable rpc access from other hosts - portmap: ALL - EOF - fi fi - # update crontab for logrotate grep -v logrotate /etc/crontab>/etc/crontab.$$ echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$ -- cgit v1.2.3 From b48beb78f51cea17ff967ad693d2380030e629af Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 15 Oct 2008 14:11:09 -0700 Subject: Fix parsing of allow-root field Bugfix 3795 The field is boolean and was failing during bootup. Rework to use sed and do it the simple way --- templates/service/ssh/allow-root/node.def | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def index 9aa98826..21c85e59 100644 --- a/templates/service/ssh/allow-root/node.def +++ b/templates/service/ssh/allow-root/node.def @@ -1,16 +1,8 @@ -type: txt +type: bool default: false help: Enable/disable root login over ssh -syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" -update: if [ \"$VAR(@)\" == \"true\" ]; then - sudo ed - /etc/ssh/sshd_config <<-"EOF" - /^PermitRootLogin/s/no/yes/ - wq - EOF - else - sudo ed - /etc/ssh/sshd_config <<-"EOF" - /^PermitRootLogin/s/yes/no/ - wq - EOF +update: if [ "$VAR(@)" == "true" ]; + then regex='/^PermitRootLogin/s/no/yes/' + else regex='/^PermitRootLogin/s/yes/no/' fi - /bin/true + sed -i -e "$regex" /etc/ssh/sshd_config -- cgit v1.2.3 From 92301fd9eaba31f0b3a3ded1e27663c790914ffa Mon Sep 17 00:00:00 2001 
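Review bot: The substitution `/^PermitRootLogin/s/no/yes/` only toggles between the literal values `yes` and `no`: an `sshd_config` whose line reads `PermitRootLogin without-password` or `forced-commands-only`, or whose directive is commented out as `#PermitRootLogin yes`, is left untouched and the CLI setting silently has no effect, which matters most for `default: false` where the operator expects root login to be off. Rewrite the whole value instead, e.g. `regex='s/^#\?PermitRootLogin.*/PermitRootLogin yes/'` and the `no` counterpart. The follow-up commit 92301fd only adds `sudo` to the `sed` line and inherits the same pattern. `==` inside `[ ]` is a bash extension; `=` is the portable form.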
From: Stephen Hemminger Date: Thu, 16 Oct 2008 10:54:25 -0700 Subject: Need sudo when editing ssh config file --- templates/service/ssh/allow-root/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def index 21c85e59..87ff1ded 100644 --- a/templates/service/ssh/allow-root/node.def +++ b/templates/service/ssh/allow-root/node.def @@ -5,4 +5,4 @@ update: if [ "$VAR(@)" == "true" ]; then regex='/^PermitRootLogin/s/no/yes/' else regex='/^PermitRootLogin/s/yes/no/' fi - sed -i -e "$regex" /etc/ssh/sshd_config + sudo sed -i -e "$regex" /etc/ssh/sshd_config -- cgit v1.2.3 From dcf88dd71fb7c6464464472ca829a5a59ca4d3b6 Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Thu, 16 Oct 2008 18:22:25 -0700 Subject: Change telnet allow-root type from txt to bool. Fix tab completion on bool. --- templates/service/ssh/allow-root/node.def | 6 ++++++ templates/service/telnet/allow-root/node.def | 10 +++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def index 87ff1ded..25a5a97a 100644 --- a/templates/service/ssh/allow-root/node.def +++ b/templates/service/ssh/allow-root/node.def @@ -6,3 +6,9 @@ update: if [ "$VAR(@)" == "true" ]; else regex='/^PermitRootLogin/s/yes/no/' fi sudo sed -i -e "$regex" /etc/ssh/sshd_config + +comp_help: possible completions: + true Enable root login over ssh + false Disable root login over ssh + +allowed: echo "true false" diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def index 347a9476..b853fc42 100644 --- a/templates/service/telnet/allow-root/node.def +++ b/templates/service/telnet/allow-root/node.def 
@@ -1,9 +1,7 @@ -type: txt +type: bool default: false help: Enable/disable root login -syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" - update: pids=`who -u | awk -F " " '{print $7}'` for i in $pids do @@ -34,3 +32,9 @@ delete: pids=`who -u | awk -F " " '{print $7}'` done sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null /bin/true + +comp_help: possible completions: + true Enable root login over telnet + false Disable root login over telnet + +allowed: echo "true false" -- cgit v1.2.3 From 523d1b674931a3bf8c97706d237da06b4b425e63 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Mon, 20 Oct 2008 10:57:33 -0700 Subject: Bugfix: 3775: Allow RAID-1 to be configured on disks with different sizes --- scripts/install-system | 61 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 21 deletions(-) diff --git a/scripts/install-system b/scripts/install-system index 9980e210..f5484e9a 100644 --- a/scripts/install-system +++ b/scripts/install-system @@ -305,9 +305,11 @@ check_for_new_raid () { numdrives=`echo $drives | wc -w` + # Need at least two drives for RAID-1. We don't yet have the code + # to handle selection of two from a set of 3 or more, so for now, we + # only support two drives. + # if [ $numdrives -ne 2 ]; then - # debug - echo "check_for_new_raid: don't have 2 drives" return fi @@ -317,13 +319,14 @@ check_for_new_raid () { drivesize1=$(get_drive_size $drive1) drivesize2=$(get_drive_size $drive2) - if [ $drivesize1 -ne $drivesize2 ]; then - # debug - echo "check_for_new_raid: have 2 drives, but different sizes" + # Both drives must have enough space to hold our minimum root filesystem + # + if [ $drivesize1 -lt $ROOT_MIN -o $drivesize2 -lt $ROOT_MIN ]; then return fi - echo "You have two identical disk drives:" + + echo "You have two disk drives:" echo -e "\t$drive1 \t$drivesize1 MB" echo -e "\t$drive2 \t$drivesize2 MB" 
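Review bot: `$ROOT_MIN` in the new size check does not match `${MIN_ROOT}` used by the `let min_size_with_diag=` line in the `@@ -358` hunk of this same commit, so at most one of the two names is defined; an undefined one makes `[ $drivesize1 -lt -o ... ]` fail with a test error here, or silently turns the diagnostics-partition threshold into `0+60` there. Pick the single name the script defines elsewhere (neither definition is in the patch) and use it in both places. The unquoted operands in `[ $drivesize1 -lt $ROOT_MIN -o $drivesize2 -lt $ROOT_MIN ]` are what let an empty expansion slip through; quoting them at least makes the failure obvious.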
@@ -334,6 +337,13 @@ check_for_new_raid () { return fi + if [ $drivesize1 -ne $drivesize2 ]; then + echo "Since the disks are not the same size, we will use the smaller" + echo "of the two sizes in configuring the RAID-1 set. This will" + echo "waste some space on the larger drive." + echo "" + fi + # Configure RAID-1 echo "This process will erase all data on both drives." echo -n "Are you sure you want to do this? (Yes/No) [No]: " 
@@ -358,27 +368,36 @@ check_for_new_raid () { part_start_offset=2 part_diag_size=60 - echo "Would you like me to create a $part_diag_size MB partition for diagnostics?" - echo -n "(Yes/No) [No]: " - diag_response=$(get_response "No" "Yes No Y N") - if [ "$diag_response" == "yes" ] || [ "$diag_response" == "y" ]; then - for drive in $drives - do - echo "Creating diag partition on drive $drive" - create_partitions "$drive" $part_diag_size $part_start_offset "no" - sfdisk --change-id /dev/$drive 1 0x6 - done - data_dev=2 - let part_start_offset+=$part_diag_size + if [ $drivesize1 -gt $drivesize2 ]; then + size=$drivesize1 else - data_dev=1 + size=$drivesize2 fi + let min_size_with_diag=${MIN_ROOT}+${part_diag_size} + if [ $size -ge $min_size_with_diag ]; then + echo "Would you like me to create a $part_diag_size MB partition for diagnostics?" + echo -n "(Yes/No) [No]: " + diag_response=$(get_response "No" "Yes No Y N") + if [ "$diag_response" == "yes" ] || [ "$diag_response" == "y" ]; then + for drive in $drives + do + echo "Creating diag partition on drive $drive" + create_partitions "$drive" $part_diag_size $part_start_offset "no" + sfdisk --change-id /dev/$drive 1 0x6 + done + data_dev=2 + let part_start_offset+=$part_diag_size + else + data_dev=1 + fi + fi + + let size-=$part_start_offset + for drive in $drives do echo "Creating data partition: /dev/${drive}${data_dev}" - size=$(get_drive_size $drive) - let size-=$part_start_offset create_partitions "$drive" $size $part_start_offset "no" sfdisk --change-id /dev/$drive $data_dev 0xfd done -- cgit v1.2.3 From 43c3c737ae7dc7c89d46359e8cd2ada2bc281f5b Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Mon, 20 Oct 2008 14:31:52 -0700 Subject: Bugfix: 3687: Only start mdadm if we have a RAID group as root filesystem. --- scripts/install-system | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/scripts/install-system b/scripts/install-system index f5484e9a..ff7a5d41 100644 --- a/scripts/install-system 
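Review bot: The comparison that picks the common partition size is inverted: `if [ $drivesize1 -gt $drivesize2 ]; then size=$drivesize1` keeps the larger drive's size, whereas the message added in the `@@ -334` hunk and the commit subject promise the smaller one, and `create_partitions` is then asked for a data partition that does not fit on the smaller disk. It should read `if [ $drivesize1 -lt $drivesize2 ]; then size=$drivesize1`. When the `$size -ge $min_size_with_diag` test fails, `data_dev` is never assigned and `/dev/${drive}${data_dev}` expands to a bare drive name; initialise `data_dev=1` before the `if`.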
+++ b/scripts/install-system @@ -1320,6 +1320,21 @@ if [ -z $UNION ]; then sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login fi +# +# Only start the mdadm daemon if we have the root filesystem running +# on a RAID set. Since this script is the only way that the root filesystem +# ever gets set up, we can do this configuration here. +# +MDADM_CONFIG_FILE=$rootfsdir/etc/default/mdadm +if [ -e $MDADM_CONFIG_FILE ]; then + if [ ${INSTALL_DRIVE:0:2} = "md" ]; then + sed -i 's/^START_DAEMON.*$/START_DAEMON=true/' $MDADM_CONFIG_FILE + else + sed -i 's/^START_DAEMON.*$/START_DAEMON=false/' $MDADM_CONFIG_FILE + fi +fi + + # postinst hook if [ -e /opt/vyatta/etc/install-system/postinst ]; then echo "running post-install script" -- cgit v1.2.3 From 556580381ed0008c463aa0dd109f839f140f3443 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Wed, 22 Oct 2008 02:01:03 -0700 Subject: Fix Bug 3567 Debug messages are not logged by default on upgraded system - copy over default islavista syslog.conf during upgrade from hollywood --- debian/vyatta-cfg-system.postinst.in | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 21d7ff32..e9541dbe 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
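Review bot: `[ ${INSTALL_DRIVE:0:2} = "md" ]` is unquoted, so an empty or unset `INSTALL_DRIVE` collapses the test to `[ = md ]`, which is a syntax error rather than a false result, and the mdadm daemon is then left in whatever state the package default set. Quote it: `if [ "${INSTALL_DRIVE:0:2}" = "md" ]; then`. `INSTALL_DRIVE` is set elsewhere in the script, so I cannot tell whether it can be empty at this point.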
@@ -118,6 +118,15 @@ if [ -e /etc/default/mdadm ]; then sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm fi +# --following is added to resolve issues related to bug 3567 on upgrade from hollywood to islavista-- +# back-up existing /etc/syslog.conf file in hollywood which might be broken +# and replace it with the default syslog.conf in islavista. when system restarts +# after upgrade, whatever is configured in CLI will be written to syslog.conf +# + +cp -p /etc/syslog.conf /etc/syslog.conf.bak +cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf + # Local Variables: # mode: shell-script # sh-indentation: 4 -- cgit v1.2.3
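Review bot: The two `cp` lines run on every install and upgrade of the package, not only on the hollywood-to-islavista upgrade the comment describes: each later run overwrites `/etc/syslog.conf.bak` with the already-replaced file, so the original configuration is gone after the second upgrade, and any locally edited `syslog.conf` is clobbered each time. Guard the backup so it is made once, `[ -e /etc/syslog.conf.bak ] || cp -p /etc/syslog.conf /etc/syslog.conf.bak`, or key the whole block on the version being upgraded from (`$2` in a postinst `configure` call). `/opt/vyatta/etc/syslog.conf` is also hard-coded while the blacklist loop earlier in this postinst uses `$sysconfdir` for the same tree.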