Commit 0dab19fe authored by Mike Hibler's avatar Mike Hibler

Sync with FreeBSD versions.

parent bfd105be
......@@ -241,7 +241,7 @@ loadone() {
IMAGEID=`getvar IMAGEID "$_LOADINFO"`
KEEPALIVE=`getvar KEEPALIVE "$_LOADINFO" 0`
OSVERSION=`getvar OSVERSION "$_LOADINFO" 0`
HEARTBEAT=`getvar HEARTBEAT "$_LOADINFO" -1`
HEARTBEAT=`getvar HEARTBEAT "$_LOADINFO" 0`
#
# One of ADDR or IMAGEID must be set.
......@@ -398,9 +398,9 @@ loadone() {
fi
#
#
# Current semantics:
# HEARTBEAT==0: no heartbeat
# ow: send report at specified interval (<= one hour)
# ow: enable heartbeat, but let server dictate (-H 0)
#
HB=""
case "$HEARTBEAT" in
......@@ -408,12 +408,8 @@ loadone() {
echo "Ignoring bogus HEARTBEAT value \"$HEARTBEAT\""
;;
*)
if [ $HEARTBEAT -le 0 -o $HEARTBEAT -gt 3600 ]; then
if [ $HEARTBEAT -ne 0 ]; then
echo "Ignoring bad HEARTBEAT value \"$HEARTBEAT\""
fi
else
HB="-H $HEARTBEAT"
if [ $HEARTBEAT -gt 0 ]; then
HB="-H 0"
fi
;;
esac
......@@ -576,15 +572,18 @@ fi
$BINDIR/tmcc state RELOADING
#
# HACK ALERT: If we're reloading we need to zap the superblocks and
# MBRs of any other disks in the system. This is to prevent Linux from
# finding an old filesystem with the same label or UUID and mounting
# that instead of the right one. We skip the disks that are mounted
# and the disk we're going to write to.
#
# DOUBLE HACK ALERT: Changed this to zap all disks to avoid having
# to figure out what the other disks are when loading multiple images.
# Since a new MBR will be laid down anyway there is no harm in doing
# this as long as we are sure we are in the reloading experiment.
#
case $STATUS in
*ALLOCATED=emulab-ops/reloading*)
disks=`find_disks`
......@@ -699,10 +698,9 @@ fi
# some reason.
#
if [ $reboot -eq 1 ]; then
# XXX let serial output drain
echo "`date`: Waiting for server to reboot us ..."
sleep 2
$BINDIR/tmcc state RELOADDONEV2
echo "`date`: Waiting for server to reboot us ..."
sleep 30
echo "`date`: No response from server, rebooting myself ..."
reboot
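Review bot: In the `*)` arm of the HEARTBEAT case in loadone(), the rewritten comment and the code disagree: the comment says every value other than 0 enables the heartbeat, but `[ $HEARTBEAT -gt 0 ]` enables it only for positive values. Assuming negative values reach this arm (the case pattern that rejects "bogus" values lies outside the hunk), they now disable reporting silently, where the old code printed "Ignoring bad HEARTBEAT value". I would word the comment as `# HEARTBEAT<=0: no heartbeat` and `# HEARTBEAT>0: enable heartbeat, but let server dictate (-H 0)`. Since the value comes from the server-supplied load info, I would also quote it in the test: `if [ "$HEARTBEAT" -gt 0 ]; then`.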
......
......@@ -120,25 +120,174 @@ getloadervar() {
echo $_val
}
#
# Make sure /root/.ssh contains only an authorized_keys file with the boot
# root pubkey.
#
# Called with arg=1 if you just want to see if anything is wrong (returns
# non-zero if so), 0 to fix.
#
dofixauthkeys() {
_test=$1
if [ $_test -ne 0 ]; then
if [ ! -d /mnt/root/.ssh ]; then
return 1
fi
# XXX busybox stat has different arguments
if [ -L /usr/bin/stat ]; then
_stat=`/usr/bin/stat -c '%u,%g,%f' /mnt/root/.ssh`
if [ "$_stat" != "0,0,41c0" ]; then
return 1
fi
elif [ -x /usr/bin/stat ]; then
_stat=`/usr/bin/stat -f '%u,%g,%p' /mnt/root/.ssh`
if [ "$_stat" != "0,0,40700" ]; then
return 1
fi
fi
if [ ! -e /mnt/root/.ssh/authorized_keys ]; then
return 1
fi
if [ -e /mnt/root/.ssh/authorized_keys2 ]; then
return 1
fi
fi
#
# If we are a localized MFS, we just need to use the authorized_keys2
# file from the MFS. Otherwise we get the key(s) from tmcd and put
# them into the MFS authorized_keys2 file.
#
if ! islocalized; then
rm -f /root/.ssh/authorized_keys2
_key=`$BINDIR/tmcc localization | grep 'ROOTPUBKEY=' | head -1 | \
sed -e "s/^ROOTPUBKEY='//" | sed -e "s/'$//"`
if [ $? -ne 0 -o -z "$_key" ]; then
echo "WARNING: no boss pubkey returned!"
else
echo "$_key" > /root/.ssh/authorized_keys2
fi
fi
if [ $_test -ne 0 ]; then
cmp -s /root/.ssh/authorized_keys2 /mnt/root/.ssh/authorized_keys
if [ $? -ne 0 ]; then
return 1
fi
else
echo " updating /root/.ssh"
# make sure /root/.ssh exists and has proper permissions
mkdir -p /mnt/root/.ssh
if [ -x /bin/chown ]; then
chown root:0 /mnt/root/.ssh
fi
chmod 700 /mnt/root/.ssh
rm -f /mnt/root/.ssh/authorized_keys2
#
# XXX no proper pubkey, just leave the current file intact.
# XXX maybe we should just nuke it instead?
#
if [ ! -r /root/.ssh/authorized_keys2 ]; then
return 0
fi
# create authkeys file with just root key(s)
rm -f /mnt/root/.ssh/authorized_keys
cp /root/.ssh/authorized_keys2 /mnt/root/.ssh/authorized_keys
chmod 644 /mnt/root/.ssh/authorized_keys
fi
return 0
}
#
# Make sshd more secure by default: no password based login.
# XXX argh! First use wins, so we have to comment out before adding ours!
# We will fix if there are multiple settings of the same variable,
# if it is set incorrectly, or it is not set at all.
#
# Called with arg=1 if you just want to see if anything is wrong (returns
# non-zero if so), 0 to fix.
#
dofixsshd() {
echo " updating /etc/ssh/sshd_config"
sed -i .preemulab \
-e 's;^Protocol;#Protocol;' \
-e 's;^PasswordAuth;#PasswordAuth;' \
-e 's;^ChallengeResp;#ChallengeResp;' \
-e 's;^PermitRootLogin;#PermitRootLogin;' /mnt/etc/ssh/sshd_config
cat <<EOF8 >>/mnt/etc/ssh/sshd_config
_test=$1
if [ $_test -ne 0 ]; then
# sshd_config doesn't exist, call it okay
if [ ! -f /mnt/etc/ssh/sshd_config ]; then
echo "WARNING: no sshd_config found!"
return 0
fi
# find all uncommented instances of variables we care about
OIFS="$IFS"
IFS='
'
_fix=0
_valP=
_valPA=
_valCRA=
_valPRL=
for _opt in `grep -E '^(Protocol|PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin) ' /mnt/etc/ssh/sshd_config`; do
_k=${_opt%% *}
_v=${_opt#* }
case $_k in
Protocol)
if [ -n "$_valP" -o "$_v" != "2" ]; then
_fix=1
fi
_valP=$_v
;;
PasswordAuthentication)
if [ -n "$_valPA" -o "$_v" != "no" ]; then
_fix=1
fi
_valPA=$_v
;;
ChallengeResponseAuthentication)
if [ -n "$_valCRA" -o "$_v" != "no" ]; then
_fix=1
fi
_valCRA=$_v
;;
PermitRootLogin)
if [ -n "$_valPRL" -o "$_v" != "without-password" ]; then
_fix=1
fi
_valPRL=$_v
;;
esac
done
IFS=$OIFS
# a var had wrong value or more than one setting, fix
if [ $_fix -ne 0 ]; then
return 1
fi
# a var was not explicitly set, fix
if [ -z "$_valP" -o -z "$_valPA" -o -z "$_valCRA" -o -z "$_valPRL" ]; then
return 1
fi
else
echo " updating /etc/ssh/sshd_config"
sed -i \
-e '/^Protocol /d' \
-e '/^PasswordAuthentication /d' \
-e '/^ChallengeResponseAuthentication /d' \
-e '/^PermitRootLogin /d' \
-e '/^# Emulab/d' /mnt/etc/ssh/sshd_config
cat <<EOF8 >>/mnt/etc/ssh/sshd_config
# Emulab config
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF8
fi
return 0
}
dolinux() {
......@@ -252,9 +401,15 @@ dolinux() {
#
# Fixup sshd config
#
if [ -r /mnt/etc/ssh/sshd_config ] && \
! grep -q '^# Emulab config' /mnt/etc/ssh/sshd_config; then
dofixsshd
if ! dofixsshd 1; then
dofixsshd 0
fi
#
# Fixup root authorized keys
#
if ! dofixauthkeys 1; then
dofixauthkeys 0
fi
#
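Review bot: In dofixsshd, both the check (`grep -E '^(Protocol|…) '`) and the fix (`sed … -e '/^PasswordAuthentication /d'`) recognise a keyword only when it starts at column 0, is spelled in exactly this case and is followed by a space, and the Emulab block is still appended at the end of the file. sshd treats keywords case-insensitively, accepts leading whitespace and tab separators, uses the first value it obtains for each keyword, and scopes everything after a `Match` line to that block. So a setting the patterns miss, or an image config that ends in a `Match` block, leaves the appended `PasswordAuthentication no` without effect, while `dofixsshd 1` can still report the file as fine. I would use one tolerant, case-insensitive pattern in both branches, treat any matched line that is not in canonical form as needing a fix, and write the Emulab block at the top of the file rather than the end, as sketched below. Going through a temporary file also avoids `sed -i`, whose argument handling differs between the busybox/GNU and BSD userlands that this script appears to distinguish already for `stat`.

```shell
_pat='^[[:space:]]*(Protocol|PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin)([[:space:]=]|$)'

# check branch: same keywords, any case, any leading whitespace or separator
for _opt in `grep -Ei "$_pat" /mnt/etc/ssh/sshd_config`; do
    # … unchanged: _k/_v split …
    case $_k in
    # … unchanged: Protocol, PasswordAuthentication,
    #   ChallengeResponseAuthentication and PermitRootLogin arms …
    *)
        # matched the tolerant pattern but is not in "Keyword value" form
        _fix=1
        ;;
    esac
done

# fix branch: Emulab block first, then the remaining lines of the old file
_cfg=/mnt/etc/ssh/sshd_config
cat <<EOF8 >$_cfg.new
# Emulab config
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF8
grep -Eiv "$_pat" $_cfg | grep -v '^# Emulab' >>$_cfg.new
# rewrite in place so the existing file keeps its owner and mode
cat $_cfg.new >$_cfg && rm -f $_cfg.new
```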
......