
(-)file_not_specified_in_diff (-19 / +19 lines)
0
-- a/usr/share/rear/build/default/500_ssh_setup.sh
0
++ b/usr/share/rear/build/default/500_ssh_setup.sh
Lines 10-16 is_false "$SSH_FILES" && return Link Here
10
# Patch sshd_config:
10
# Patch sshd_config:
11
# Because only OpenSSH >= 3.1 is supported where /etc/ssh/ is the default directory for configuration files
11
# Because only OpenSSH >= 3.1 is supported where /etc/ssh/ is the default directory for configuration files
12
# only etc/ssh/sshd_config is used cf. https://github.com/rear/rear/pull/1538#issuecomment-337904240
12
# only etc/ssh/sshd_config is used cf. https://github.com/rear/rear/pull/1538#issuecomment-337904240
13
local sshd_config_file="$ROOTFS_DIR/etc/ssh/sshd_config"
13
local sshd_config_file="$ROOTFS_DIR/etc/openssh/sshd_config"
14
if [[ -f "$sshd_config_file" ]]; then
14
if [[ -f "$sshd_config_file" ]]; then
15
    # Enable root login with a password only if SSH_ROOT_PASSWORD is set
15
    # Enable root login with a password only if SSH_ROOT_PASSWORD is set
16
    local password_authentication_value=no
16
    local password_authentication_value=no
Lines 137-143 local ssh_host_key_file="" Link Here
137
local recovery_system_key_file=""
137
local recovery_system_key_file=""
138
local ssh_host_key_exists="no"
138
local ssh_host_key_exists="no"
139
for ssh_host_key_type in $ssh_host_key_types ; do
139
for ssh_host_key_type in $ssh_host_key_types ; do
140
    ssh_host_key_file="etc/ssh/ssh_host_${ssh_host_key_type}_key"
140
    ssh_host_key_file="etc/openssh/ssh_host_${ssh_host_key_type}_key"
141
    # Do not overwrite what is already there (could have been copied via COPY_AS_IS):
141
    # Do not overwrite what is already there (could have been copied via COPY_AS_IS):
142
    if test -f "$ROOTFS_DIR/$ssh_host_key_file" ; then
142
    if test -f "$ROOTFS_DIR/$ssh_host_key_file" ; then
143
        Log "Using existing SSH host key $ssh_host_key_file in recovery system"
143
        Log "Using existing SSH host key $ssh_host_key_file in recovery system"
Lines 161-165 for ssh_host_key_type in $ssh_host_key_types ; do Link Here
161
    # cf. https://github.com/rear/rear/pull/1530#issuecomment-336405425
161
    # cf. https://github.com/rear/rear/pull/1530#issuecomment-336405425
162
    ssh-keygen $v -t "$ssh_host_key_type" -N '' -f "$recovery_system_key_file" && ssh_host_key_exists="yes" || Log "Cannot generate $ssh_host_key_type key"
162
    ssh-keygen $v -t "$ssh_host_key_type" -N '' -f "$recovery_system_key_file" && ssh_host_key_exists="yes" || Log "Cannot generate $ssh_host_key_type key"
163
done
163
done
164
is_false "$ssh_host_key_exists" && LogPrintError "No SSH host key etc/ssh/ssh_host_TYPE_key of any type $ssh_host_key_types in recovery system"
164
is_false "$ssh_host_key_exists" && LogPrintError "No SSH host key etc/openssh/ssh_host_TYPE_key of any type $ssh_host_key_types in recovery system"
165
-- a/usr/share/rear/build/default/501_check_ssh_keys.sh
165
++ b/usr/share/rear/build/default/501_check_ssh_keys.sh
Lines 18-24 local key_files=() Link Here
18
# The funny [] around a letter makes 'shopt -s nullglob' remove this file from the list if it does not exist.
18
# The funny [] around a letter makes 'shopt -s nullglob' remove this file from the list if it does not exist.
19
if is_false "$SSH_UNPROTECTED_PRIVATE_KEYS" ; then
19
if is_false "$SSH_UNPROTECTED_PRIVATE_KEYS" ; then
20
    # When SSH_UNPROTECTED_PRIVATE_KEYS is false let ReaR find SSH key files:
20
    # When SSH_UNPROTECTED_PRIVATE_KEYS is false let ReaR find SSH key files:
21
    local host_key_files=( etc/ssh/ssh_host_* )
21
    local host_key_files=( etc/openssh/ssh_host_* )
22
    # Caveat: This code will only detect SSH key files for root, not for other users.
22
    # Caveat: This code will only detect SSH key files for root, not for other users.
23
    local root_key_files=( ./$ROOT_HOME_DIR/.ssh/identi[t]y ./$ROOT_HOME_DIR/.ssh/id_* )
23
    local root_key_files=( ./$ROOT_HOME_DIR/.ssh/identi[t]y ./$ROOT_HOME_DIR/.ssh/id_* )
24
    # Parse SSH config files in $ROOTFS_DIR/etc/ssh for non-commented IdentityFile keywords and values
24
    # Parse SSH config files in $ROOTFS_DIR/etc/ssh for non-commented IdentityFile keywords and values
Lines 45-51 if is_false "$SSH_UNPROTECTED_PRIVATE_KEYS" ; then Link Here
45
    # can be found and filtered out by the below key_files=( $( echo ... | sort -u ) )
45
    # can be found and filtered out by the below key_files=( $( echo ... | sort -u ) )
46
    # The "find ./etc/ssh" ensures that SSH 'Include' config files e.g. in /etc/ssh/ssh_config.d/
46
    # The "find ./etc/ssh" ensures that SSH 'Include' config files e.g. in /etc/ssh/ssh_config.d/
47
    # are also parsed, cf. https://github.com/rear/rear/issues/2421
47
    # are also parsed, cf. https://github.com/rear/rear/issues/2421
48
    local host_identity_files=( $( find ./etc/ssh -type f | xargs grep -ih '^[^#]*IdentityFile' | tr -d ' "=' | sed -e 's/identityfile//I' -e "s#~#./$ROOT_HOME_DIR#g" ) )
48
    local host_identity_files=( $( find ./etc/openssh -type f | xargs grep -ih '^[^#]*IdentityFile' | tr -d ' "=' | sed -e 's/identityfile//I' -e "s#~#./$ROOT_HOME_DIR#g" ) )
49
    # If $ROOTFS_DIR/root/.ssh/config exists parse it for IdentityFile values in the same way as above:
49
    # If $ROOTFS_DIR/root/.ssh/config exists parse it for IdentityFile values in the same way as above:
50
    local root_identity_files=()
50
    local root_identity_files=()
51
    local root_ssh_config="./$ROOT_HOME_DIR/.ssh/config"
51
    local root_ssh_config="./$ROOT_HOME_DIR/.ssh/config"
52
-- a/usr/share/rear/rescue/default/500_ssh.sh
52
++ b/usr/share/rear/rescue/default/500_ssh.sh
Lines 23-29 if is_true "$SSH_FILES" ; then Link Here
23
    # into the recovery system to make remote access "just work" in the recovery system
23
    # into the recovery system to make remote access "just work" in the recovery system
24
    # (provided SSH_UNPROTECTED_PRIVATE_KEYS is not false - otherwise unprotected keys get excluded)
24
    # (provided SSH_UNPROTECTED_PRIVATE_KEYS is not false - otherwise unprotected keys get excluded)
25
    # cf. https://github.com/rear/rear/issues/1512 and https://github.com/rear/rear/issues/1511
25
    # cf. https://github.com/rear/rear/issues/1512 and https://github.com/rear/rear/issues/1511
26
    copy_as_is_ssh_files=( /etc/s[s]h $ROOT_HOME_DIR/.s[s]h $ROOT_HOME_DIR/.shos[t]s )
26
    copy_as_is_ssh_files=( /etc/opens[s]h $ROOT_HOME_DIR/.s[s]h $ROOT_HOME_DIR/.shos[t]s )
27
else
27
else
28
    # Use a reasonably secure fallback if SSH_FILES is not set or empty:
28
    # Use a reasonably secure fallback if SSH_FILES is not set or empty:
29
    contains_visible_char "${SSH_FILES[*]}" || SSH_FILES="avoid_sensitive_files"
29
    contains_visible_char "${SSH_FILES[*]}" || SSH_FILES="avoid_sensitive_files"
Lines 32-38 else Link Here
32
        # From /etc/ssh copy only moduli ssh_config sshd_config ssh_known_hosts
32
        # From /etc/ssh copy only moduli ssh_config sshd_config ssh_known_hosts
33
        # and from $ROOT_HOME_DIR/.ssh copy only authorized_keys known_hosts (if exists)
33
        # and from $ROOT_HOME_DIR/.ssh copy only authorized_keys known_hosts (if exists)
34
        # cf. https://github.com/rear/rear/issues/1512#issuecomment-331638066
34
        # cf. https://github.com/rear/rear/issues/1512#issuecomment-331638066
35
        copy_as_is_ssh_files=( /etc/ssh/modu[l]i /etc/ssh/ssh_co[n]fig /etc/ssh/sshd_co[n]fig /etc/ssh/ssh_known_hos[t]s )
35
        copy_as_is_ssh_files=( /etc/openssh/modu[l]i /etc/openssh/ssh_co[n]fig /etc/openssh/sshd_co[n]fig /etc/openssh/ssh_known_hos[t]s )
36
        copy_as_is_ssh_files+=( $ROOT_HOME_DIR/.ssh/authorized_ke[y]s $ROOT_HOME_DIR/.ssh/known_hos[t]s )
36
        copy_as_is_ssh_files+=( $ROOT_HOME_DIR/.ssh/authorized_ke[y]s $ROOT_HOME_DIR/.ssh/known_hos[t]s )
37
    else
37
    else
38
        # Copy exactly what is specified:
38
        # Copy exactly what is specified:
Lines 72-78 test "$sshdsessionpath" && COPY_AS_IS+=( "$sshdsessionpath" ) Link Here
72
# grep 'sftp' /etc/ssh/sshd_config 2>/dev/null
72
# grep 'sftp' /etc/ssh/sshd_config 2>/dev/null
73
# looks like
73
# looks like
74
# Subsystem  sftp    /usr/lib/ssh/sftp-server
74
# Subsystem  sftp    /usr/lib/ssh/sftp-server
75
local grep_sftp_output=( $( grep 'sftp' /etc/ssh/sshd_config 2>/dev/null ) )
75
local grep_sftp_output=( $( grep 'sftp' /etc/openssh/sshd_config 2>/dev/null ) )
76
local sftp_program="${grep_sftp_output[2]}"
76
local sftp_program="${grep_sftp_output[2]}"
77
test "$sftp_program" && PROGS+=( "$sftp_program" )
77
test "$sftp_program" && PROGS+=( "$sftp_program" )
78
-- a/usr/share/rear/skel/default/etc/scripts/run-sshd
78
++ b/usr/share/rear/skel/default/etc/scripts/run-sshd
Lines 2-8 Link Here
2
# Check /etc/inittab for "ssh:23:respawn:..." which means sshd should be started
2
# Check /etc/inittab for "ssh:23:respawn:..." which means sshd should be started
3
# (that entry is written by rescue/default/500_ssh.sh if sshd should be started):
3
# (that entry is written by rescue/default/500_ssh.sh if sshd should be started):
4
if grep -q '^ssh:' /etc/inittab ; then
4
if grep -q '^ssh:' /etc/inittab ; then
5
    if ! test -s /etc/ssh/ssh_host_rsa_key ; then
5
    if ! test -s /etc/openssh/ssh_host_rsa_key ; then
6
        # Generate at least an rsa SSH host key if there is none to be fail-safe against
6
        # Generate at least an rsa SSH host key if there is none to be fail-safe against
7
        # running sshd possibly without any SSH host key which is not accessible from remote
7
        # running sshd possibly without any SSH host key which is not accessible from remote
8
        # (on the remote host one would get "Connection to recovery.system.IP.address closed.")
8
        # (on the remote host one would get "Connection to recovery.system.IP.address closed.")
Lines 10-22 if grep -q '^ssh:' /etc/inittab ; then Link Here
10
        # Run ssh-keygen silently with '-q' to avoid messages about key generation
10
        # Run ssh-keygen silently with '-q' to avoid messages about key generation
11
        # that swamp the recovery system login screen so that there is be no longer a login prompt visible
11
        # that swamp the recovery system login screen so that there is be no longer a login prompt visible
12
        # cf. https://github.com/rear/rear/issues/1512#issuecomment-348196998
12
        # cf. https://github.com/rear/rear/issues/1512#issuecomment-348196998
13
        ssh-keygen -q -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
13
        ssh-keygen -q -t rsa -N '' -f /etc/openssh/ssh_host_rsa_key
14
        echo -e "\nSSH fingerprint: $( ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub )\n" >> /etc/issue
14
        echo -e "\nSSH fingerprint: $( ssh-keygen -l -f /etc/openssh/ssh_host_rsa_key.pub )\n" >> /etc/issue
15
    fi
15
    fi
16
    if ! test -s /etc/ssh/ssh_host_ed25519_key ; then
16
    if ! test -s /etc/openssh/ssh_host_ed25519_key ; then
17
        # Generate the ed25519 SSH host key required on EL9
17
        # Generate the ed25519 SSH host key required on EL9
18
        ssh-keygen -q -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
18
        ssh-keygen -q -t ed25519 -N '' -f /etc/openssh/ssh_host_ed25519_key
19
        echo -e "\nSSH fingerprint: $( ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub )\n" >> /etc/issue
19
        echo -e "\nSSH fingerprint: $( ssh-keygen -l -f /etc/openssh/ssh_host_ed25519_key.pub )\n" >> /etc/issue
20
    fi
20
    fi
21
    mkdir -p /usr/share/empty.sshd   # required on EL9
21
    mkdir -p /usr/share/empty.sshd   # required on EL9
22
    mkdir -p /run/sshd
22
    mkdir -p /run/sshd
Lines 26-31 if grep -q '^ssh:' /etc/inittab ; then Link Here
26
    # and without '-D' one gets at least on SLES11 with SysVinit
26
    # and without '-D' one gets at least on SLES11 with SysVinit
27
    #   INIT: Id "ssh" respawning too fast: disabled for 5 minutes
27
    #   INIT: Id "ssh" respawning too fast: disabled for 5 minutes
28
    # cf. https://github.com/rear/rear/issues/1512#issuecomment-348201905
28
    # cf. https://github.com/rear/rear/issues/1512#issuecomment-348201905
29
    exec /bin/sshd -D 2>/dev/null
29
    exec /sbin/sshd -D 2>/dev/null
30
fi
30
fi
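Review bot: Several comments were left pointing at the old location while the code directly beneath them now uses /etc/openssh — `# only etc/ssh/sshd_config is used` in 500_ssh_setup.sh, `# Parse SSH config files in $ROOTFS_DIR/etc/ssh` and `# The "find ./etc/ssh" ensures that SSH 'Include' config files e.g. in /etc/ssh/ssh_config.d/` in 501_check_ssh_keys.sh, and `# From /etc/ssh copy only moduli ...` plus `# grep 'sftp' /etc/ssh/sshd_config` in 500_ssh.sh — so a maintainer reading them is told a path that none of these scripts touches any more. Rather than patching each comment by hand, the directory is now spelled out in roughly twenty places across four scripts, and a single variable such as `ssh_config_dir=/etc/openssh` (or a user-visible `SSH_CONFIG_DIR` with that default) used in every path, including the `/etc/opens[s]h` glob and the `etc/openssh/ssh_host_TYPE_key` error message, would keep code and comments from drifting apart again. The patch also quietly couples the rescue image to an sshd built with sysconfdir /etc/openssh: run-sshd writes the generated host keys under /etc/openssh but starts `exec /sbin/sshd -D` without `-h` or `-f`, so an sshd compiled for the upstream default /etc/ssh would find no host key and reject every connection, defeating the fail-safe this script exists for — presumably the packaged sshd on this distribution is built that way, but that assumption deserves a one-line comment next to the exec. Since run-sshd already does `mkdir -p /usr/share/empty.sshd` and `mkdir -p /run/sshd`, a matching `mkdir -p /etc/openssh` before the first `ssh-keygen` would also keep key generation from failing when the rescue rootfs carried no SSH configuration directory at all.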
