change AllowAgentForwarding in SSHD configuration if necessary
/* SmoothWall helper program - sshctrl
 *
 * This program is distributed under the terms of the GNU General Public
 * Licence. See the file COPYING for details.
 *
 * (c) Mark Wormgoor, 2001
 * Simple program intended to be installed setuid(0) that can be used for
 * restarting SSHd: it rewrites /etc/ssh/sshd_config from the remote-access
 * settings under CONFIG_ROOT/remote, stops the running sshd and starts it
 * again when the enablessh flag file exists. A "tempstart <seconds>" mode
 * starts sshd temporarily and schedules a stop.
 *
 * $Id: sshctrl.c,v 1.3 2003/12/11 10:57:34 riddles Exp $
 *
 */
13
14#include <stdio.h>
15#include <stdlib.h>
16#include <unistd.h>
17#include <string.h>
18#include <sys/types.h>
19#include <fcntl.h>
20#include <signal.h>
21#include <errno.h>
22#include "libsmooth.h"
23#include "setuid.h"
24
#define BUFFER_SIZE 1024

/* Scratch buffer for the shell command line assembled in "tempstart" mode. */
char command[BUFFER_SIZE];
28
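/* Path of the live sshd configuration, the temporary file it is rebuilt
 * into, and the pid file used to stop the running daemon. */
#define SSHD_CONFIG     "/etc/ssh/sshd_config"
#define SSHD_CONFIG_NEW "/etc/ssh/sshd_config.new"
#define SSHD_PIDFILE    "/var/run/sshd.pid"

/*
 * Return non-zero when s is a non-empty string made only of ASCII decimal
 * digits.  Used to validate the "tempstart" delay before it is placed on a
 * shell command line.
 */
static int all_digits(const char *s)
{
	if (s == NULL || *s == '\0')
		return 0;

	for (; *s != '\0'; s++) {
		if (*s < '0' || *s > '9')
			return 0;
	}
	return 1;
}

/*
 * Append the sed expression "s/^<key> .*$/<key> <value>/;" to dst.
 * Returns non-zero on success and zero if dst (dstsize bytes) would have
 * been truncated -- a truncated script must never be handed to sed.
 */
static int append_option(char *dst, size_t dstsize, const char *key, const char *value)
{
	char expr[STRING_SIZE];
	int n;

	n = snprintf(expr, sizeof expr, "s/^%s .*$/%s %s/;", key, key, value);
	if (n < 0 || (size_t)n >= sizeof expr)
		return 0;

	return strlcat(dst, expr, dstsize) < dstsize;
}

/*
 * Look up key in kv and report whether its value equals want.  scratch
 * receives the raw value and must be STRING_SIZE bytes long, because
 * findkey() writes into it.  A missing key never matches.
 */
static int setting_is(struct keyvalue *kv, char *key, const char *want, char *scratch)
{
	return findkey(kv, key, scratch) && strcmp(scratch, want) == 0;
}

/*
 * Default mode (no arguments): rebuild /etc/ssh/sshd_config from the
 * settings in CONFIG_ROOT/remote/settings, stop the running sshd and
 * start it again if CONFIG_ROOT/remote/enablessh exists.
 *
 * Returns the process exit status: 0 on success, 1 on any failure.
 */
static int rewrite_sshd_config(void)
{
	int fd, config_fd, rc, ok;
	long pid;
	char buffer[STRING_SIZE];
	char sedcmd[STRING_SIZE] = "/bin/sed -e '";
	struct keyvalue *kv = NULL;
	const char *keys, *passwords, *portfw, *port, *agentfw;

	/* Gain root for real and sanitise the environment before touching
	 * anything; libsmooth's initsetuid() is responsible for that. */
	if (!initsetuid())
		return 1;

	kv = initkeyvalues();
	if (!readkeyvalues(kv, CONFIG_ROOT "/remote/settings")) {
		fprintf(stderr, "Cannot read remote access settings\n");
		freekeyvalues(kv);
		return 1;
	}

	/* O_CREAT|O_EXCL makes open() fail if the file already exists, so two
	 * concurrent copies of sshctrl cannot both edit the config at once.
	 * /etc/ssh/ should only be writable by root, so a pre-planted symlink
	 * is not a concern.  A stale .new left behind by a crash has to be
	 * removed by hand before this will succeed again. */
	config_fd = open(SSHD_CONFIG_NEW, O_WRONLY | O_CREAT | O_EXCL, 0644);
	if (config_fd == -1) {
		perror("Unable to open new config file");
		freekeyvalues(kv);
		return 1;
	}

	/* Map each web-UI switch onto the sshd_config value it controls.
	 * Anything other than the literal "off"/"on" takes the default branch. */
	keys      = setting_is(kv, "ENABLE_SSH_KEYS", "off", buffer)      ? "no"  : "yes";
	passwords = setting_is(kv, "ENABLE_SSH_PASSWORDS", "off", buffer) ? "no"  : "yes";
	portfw    = setting_is(kv, "ENABLE_SSH_PORTFW", "on", buffer)     ? "yes" : "no";
	/* SSH_PORT=on selects the standard port 22, anything else port 222. */
	port      = setting_is(kv, "SSH_PORT", "on", buffer)              ? "22"  : "222";
	agentfw   = setting_is(kv, "SSH_AGENT_FORWARDING", "on", buffer)  ? "yes" : "no";
	freekeyvalues(kv);

	/* Every expression ends in ';' so the next one can follow it; a
	 * missing separator (as between Port and AllowAgentForwarding before)
	 * makes sed reject the whole script and leaves the config unchanged. */
	ok = append_option(sedcmd, sizeof sedcmd, "Protocol", "2")
	  && append_option(sedcmd, sizeof sedcmd, "RSAAuthentication", keys)
	  && append_option(sedcmd, sizeof sedcmd, "PubkeyAuthentication", keys)
	  && append_option(sedcmd, sizeof sedcmd, "PasswordAuthentication", passwords)
	  && append_option(sedcmd, sizeof sedcmd, "AllowTcpForwarding", portfw)
	  && append_option(sedcmd, sizeof sedcmd, "Port", port)
	  && append_option(sedcmd, sizeof sedcmd, "AllowAgentForwarding", agentfw);

	/* Close the quoted script and send sed's output into the new config
	 * file: the shell's ">&N" duplicates config_fd onto stdout, and the
	 * descriptor is not close-on-exec, so the child inherits it. */
	snprintf(buffer, sizeof buffer, "' " SSHD_CONFIG " >&%d", config_fd);
	ok = ok && strlcat(sedcmd, buffer, sizeof sedcmd) < sizeof sedcmd;
	if (!ok) {
		fprintf(stderr, "sed command line too long\n");
		close(config_fd);
		unlink(SSHD_CONFIG_NEW);
		return 1;
	}

	/* sed itself runs unprivileged (uid/gid 99); only the descriptor it
	 * writes to was opened as root. */
	rc = unpriv_system(sedcmd, 99, 99);
	if (rc != 0) {
		fprintf(stderr, "sed returned bad exit code: %d\n", rc);
		close(config_fd);
		unlink(SSHD_CONFIG_NEW);
		return 1;
	}

	close(config_fd);
	/* rename() replaces the file atomically, so sshd never reads a
	 * half-written configuration. */
	if (rename(SSHD_CONFIG_NEW, SSHD_CONFIG) != 0) {
		perror("Unable to replace old config file");
		unlink(SSHD_CONFIG_NEW);
		return 1;
	}

	/* Stop the running sshd, if any, using the pid recorded in its pid file. */
	memset(buffer, 0, sizeof buffer);
	fd = open(SSHD_PIDFILE, O_RDONLY);
	if (fd != -1) {
		/* buffer is zeroed and at most sizeof-1 bytes are read, so it
		 * always stays NUL-terminated. */
		if (read(fd, buffer, sizeof buffer - 1) == -1) {
			fprintf(stderr, "Couldn't read from pid file\n");
		} else {
			char *end = NULL;

			errno = 0;
			pid = strtol(buffer, &end, 10);
			/* Reject garbage, overflow, pid 0/1 and values that do not
			 * survive the narrowing to pid_t: kill() on a bad value could
			 * hit the wrong process (or, for -1, every process). */
			if (end == buffer || errno == ERANGE || pid <= 1 || (long)(pid_t)pid != pid) {
				fprintf(stderr, "Bad pid value\n");
			} else if (kill((pid_t)pid, SIGTERM) == -1) {
				fprintf(stderr, "Unable to send SIGTERM\n");
			} else {
				unlink(SSHD_PIDFILE);
			}
		}
		close(fd);
	} else if (errno != ENOENT) {
		perror("Unable to open pid file");
		return 1;
	}

	/* The enablessh flag file is the on/off switch: nothing is started
	 * without it.  NOTE(review): the old sshd was only sent SIGTERM and is
	 * not waited for, so the new instance may briefly fail to bind its
	 * port -- confirm whether callers tolerate that. */
	fd = open(CONFIG_ROOT "/remote/enablessh", O_RDONLY);
	if (fd != -1) {
		close(fd);
		safe_system("/usr/sbin/sshd");
	}

	return 0;
}

/*
 * "tempstart <seconds>" mode: bring sshd up now through a fresh sshctrl
 * run, flip the persistent setting back to off, and schedule another run
 * after <seconds> so the daemon is stopped again.
 *
 * delay is caller-controlled and ends up on a shell command line executed
 * by this setuid-root program, so it is accepted only as a bare string of
 * digits; anything else is refused before any side effect happens.
 *
 * Returns the process exit status: 0 on success, 1 on a bad delay.
 */
static int temporary_start(const char *delay)
{
	int n;

	/* Validate first: this check is the only thing standing between the
	 * caller and shell command injection with root privileges. */
	if (!all_digits(delay)) {
		fprintf(stderr, "tempstart: delay must be a whole number of seconds\n");
		return 1;
	}

	/* Build the delayed command before doing anything, so a delay that
	 * does not fit cannot leave sshd running with no stop scheduled. */
	n = snprintf(command, sizeof command, "sleep %s && /usr/local/bin/sshctrl &", delay);
	if (n < 0 || (size_t)n >= sizeof command) {
		fprintf(stderr, "tempstart: delay is too long\n");
		return 1;
	}

	/* NOTE(review): unlike the default mode this path never calls
	 * initsetuid(), so whether the commands below run with root's real
	 * uid depends on what safe_system() does -- verify before relying
	 * on it. */
	safe_system("/usr/local/bin/sshctrl");
	sleep(5);

	/* Remove the flag file and the setting, so the next plain sshctrl run
	 * (the one scheduled below) stops sshd instead of restarting it. */
	unlink("/var/ipfire/remote/enablessh");
	safe_system("cat /var/ipfire/remote/settings | sed 's/ENABLE_SSH=on/ENABLE_SSH=off/' > /var/ipfire/remote/settings2 && mv /var/ipfire/remote/settings2 /var/ipfire/remote/settings");
	/* mv leaves the file owned by root; hand it back to nobody (presumably
	 * the account the web UI writes it as) so it stays editable. */
	safe_system("chown nobody.nobody /var/ipfire/remote/settings");

	/* Backgrounded with '&', so the delayed stop outlives this process. */
	safe_system(command);

	return 0;
}

/*
 * Entry point.  Without arguments the sshd configuration is rewritten and
 * sshd restarted; "tempstart <seconds>" starts sshd temporarily.  Any
 * other invocation prints a usage line and fails.
 */
int main(int argc, char *argv[])
{
	if (argc < 2)
		return rewrite_sshd_config();

	if (strcmp(argv[1], "tempstart") == 0) {
		/* argv[2] must exist: feeding NULL to a "%s" is undefined behaviour. */
		if (argc < 3) {
			fprintf(stderr, "Usage: sshctrl tempstart <seconds>\n");
			return 1;
		}
		return temporary_start(argv[2]);
	}

	fprintf(stderr, "Usage: sshctrl [tempstart <seconds>]\n");
	return 1;
}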