#
# The template
#
use strict;
use libinstall;
use installvars;

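#
# Install: configure sshd on this node so root can log in, and seed
# root's authorized_keys with the initial public key.
#
# Arguments:
#   $server   - name of the server being set up (not consulted here)
#   $isupdate - true when re-run for an ip/domain update; nothing in this
#               script depends on either, so the update pass is a no-op
#   $impotent - dry-run flag (not consulted here)
#
# Returns 0.  Failures inside a Phase are reported through PhaseFail and
# the *Fatal helpers rather than through the return value.
#
sub Install($$$)
{
    my ($server, $isupdate, $impotent) = @_;

    # Replace if this script does an update for ip/domain.
    return 0
	if ($isupdate);

    Phase("ssh", "Allowing root ssh", sub {
	Phase("sshdconfig", "Permitting root login through ssh", sub {
	    DoneIfEdited($SSHD_CONFIG);
	    # modern versions of FBSD explicitly turn off proto 1 by default;
	    # comment the stock Protocol line out so the "Protocol 2,1" line
	    # appended below is the one sshd honours.
	    if ($FBSD_MAJOR > 6) {
		ExecQuietFatal("sed -i.orig -e 's/Protocol/#Protocol/' ".
			       "$SSHD_CONFIG");
	    }
	    my @strings = ("PermitRootLogin yes",
			   "Protocol 2,1");

	    # GPO wants this turned off.
	    if ($PROTOGENI_GENIRACK) {
		ExecQuietFatal("sed -i.orig ".
			       "  -e 's/PasswordAuth/#PasswordAuth/' ".
			       "  -e 's/PermitRootLogin/#PermitRootLogin/' ".
			       "  -e 's/ChallengeResponseAuthentication/".
			       "#ChallengeResponseAuthentication/' ".
			       "$SSHD_CONFIG");
		# sshd honours the first value it sees for a keyword, so the
		# "PermitRootLogin yes" entry must be dropped here; a second
		# PermitRootLogin line appended after it would be ignored
		# and root would keep full password login.
		@strings = grep { !/^PermitRootLogin\s/ } @strings;
		push(@strings,
		     "PasswordAuthentication no",
		     "ChallengeResponseAuthentication no",
		     "PermitRootLogin without-password");
	    }
	    AppendToFileFatal($SSHD_CONFIG, @strings);

	    # HUP the server so the changes take effect.  The pid file is
	    # read directly (no backticked cat) and its content must be a
	    # plain integer before it is interpolated into a shell command.
	    my $pid = _ReadPid("/var/run/sshd.pid");
	    ExecQuiet("kill -HUP $pid")
		if (defined($pid));
	});
	Phase("dotssh", "Making root's .ssh directory", sub {
	    DoneIfExists("/root/.ssh");
	    mkdir("/root/.ssh", 0700) or
		PhaseFail("Unable to create /root/.ssh: $!");
	});
	Phase("authkeys", "Adding stub identity to root authorized_keys", sub {
	    DoneIfEdited($AUTHKEYS);
	    # Read the key file directly rather than via a backticked cat,
	    # so the path never reaches a shell.
	    my $ident = _SlurpFile($INIT_PUBKEY);
	    PhaseFail("Could not read $INIT_PUBKEY: $!")
		if (!defined($ident));
	    if (! -e $AUTHKEYS) {
		CreateFileFatal($AUTHKEYS);
	    }
	    # This does not work when ops is a vm on boss.
	    $ident = "from=\"${BOSSNODE}\" $ident"
		if (!$OPSVM_ENABLE);
	    AppendToFileFatal($AUTHKEYS, $ident);
	});
    });

    return 0;
}

#
# _SlurpFile: return the contents of $path with one trailing newline
# removed (what a backticked "cat $path" followed by chomp produced), or
# undef if the file cannot be opened, with $! describing why.
#
sub _SlurpFile
{
    my ($path) = @_;

    open(my $fh, "<", $path) or
	return;
    my $content = do { local $/; <$fh> };
    close($fh);
    # An empty file reads back as undef; cat would have produced "".
    $content = ""
	if (!defined($content));
    chomp($content);
    return $content;
}

#
# _ReadPid: return the pid stored in $path as a plain integer, or undef if
# the file cannot be read or holds anything other than one decimal number
# (surrounding whitespace allowed).  Callers interpolate the result into
# a shell command, so nothing but digits may get through.
#
sub _ReadPid
{
    my ($path) = @_;

    my $content = _SlurpFile($path);
    return
	if (!defined($content));
    my ($pid) = ($content =~ /^\s*([0-9]+)\s*$/);
    return $pid;
}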

# Local Variables:
# mode:perl
# End: