mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
f99f0ee14e
This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail. The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part. The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work. Only a subset of all of the services are fully tested (I'm running this since more than a year with various services started as service jails). The untested parts should be most of the time ok, in some edge-cases more permissions are needed inside the service jail. Differential Revision: https://reviews.freebsd.org/D40371
90 lines
1.6 KiB
Bash
Executable File
90 lines
1.6 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
#
|
|
|
|
# PROVIDE: sshd
|
|
# REQUIRE: LOGIN FILESYSTEMS
|
|
# KEYWORD: shutdown
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="sshd"
|
|
desc="Secure Shell Daemon"
|
|
rcvar="sshd_enable"
|
|
command="/usr/sbin/${name}"
|
|
keygen_cmd="sshd_keygen"
|
|
start_precmd="sshd_precmd"
|
|
reload_precmd="sshd_configtest"
|
|
restart_precmd="sshd_configtest"
|
|
configtest_cmd="sshd_configtest"
|
|
pidfile="/var/run/${name}.pid"
|
|
extra_commands="configtest keygen reload"
|
|
|
|
: ${sshd_rsa_enable:="yes"}
|
|
: ${sshd_dsa_enable:="no"}
|
|
: ${sshd_ecdsa_enable:="yes"}
|
|
: ${sshd_ed25519_enable:="yes"}
|
|
|
|
# sshd in a jail would not see other jails. As such exclude it from
|
|
# svcj_all_enable="YES" by setting sshd_svcj to NO. This allows to
|
|
# enable it in rc.conf.
|
|
: ${sshd_svcj:="NO"}
|
|
: ${sshd_svcj_options:="net_basic"}
|
|
|
|
sshd_keygen_alg()
|
|
{
|
|
local alg=$1
|
|
local ALG="$(echo $alg | tr a-z A-Z)"
|
|
local keyfile
|
|
|
|
if ! checkyesno "sshd_${alg}_enable" ; then
|
|
return 0
|
|
fi
|
|
|
|
case $alg in
|
|
rsa|dsa|ecdsa|ed25519)
|
|
keyfile="/etc/ssh/ssh_host_${alg}_key"
|
|
;;
|
|
*)
|
|
return 1
|
|
;;
|
|
esac
|
|
|
|
if [ -f "${keyfile}" ] ; then
|
|
info "$ALG host key exists."
|
|
return 0
|
|
fi
|
|
|
|
if [ ! -x /usr/bin/ssh-keygen ] ; then
|
|
warn "/usr/bin/ssh-keygen does not exist."
|
|
return 1
|
|
fi
|
|
|
|
echo "Generating $ALG host key."
|
|
/usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
|
|
/usr/bin/ssh-keygen -l -f "$keyfile.pub"
|
|
}
|
|
|
|
sshd_keygen()
|
|
{
|
|
sshd_keygen_alg rsa
|
|
sshd_keygen_alg dsa
|
|
sshd_keygen_alg ecdsa
|
|
sshd_keygen_alg ed25519
|
|
}
|
|
|
|
sshd_configtest()
|
|
{
|
|
echo "Performing sanity check on ${name} configuration."
|
|
eval ${command} ${sshd_flags} -t
|
|
}
|
|
|
|
sshd_precmd()
|
|
{
|
|
run_rc_command keygen
|
|
run_rc_command configtest
|
|
}
|
|
|
|
load_rc_config $name
|
|
run_rc_command "$1"
|