change AllowAgentForwarding in SSHD configuration if necessary
1 /* SmoothWall helper program - sshctrl
2  *
3  * This program is distributed under the terms of the GNU General Public
4  * Licence.  See the file COPYING for details.
5  *
6  * (c) Mark Wormgoor, 2001
7  * Simple program intended to be installed setuid(0) that can be used for
8  * restarting SSHd. 
9  * 
10  * $Id: sshctrl.c,v 1.3 2003/12/11 10:57:34 riddles Exp $
11  * 
12  */
13
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <unistd.h>
17 #include <string.h>
18 #include <sys/types.h>
19 #include <fcntl.h>
20 #include <signal.h>
21 #include <errno.h>
22 #include "libsmooth.h"
23 #include "setuid.h"
24
#define BUFFER_SIZE 1024   /* capacity of the file-scope command buffer below */

/* Shell command line assembled and run by the "tempstart" branch of main();
 * the default branch uses its own local buffer instead. */
char command[BUFFER_SIZE];
28
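/*
 * Append one fragment to the sed script in `dst` (capacity `cap` bytes).
 *
 * Returns 0 on success, -1 if the fragment plus its terminating NUL would
 * not fit; `dst` is left unchanged in that case so the caller can abort
 * instead of handing a silently truncated script to the shell.
 */
static int append_script(char *dst, size_t cap, const char *src)
{
        size_t used = strlen(dst);
        size_t add = strlen(src);

        if (used >= cap || add >= cap - used)
                return -1;
        memcpy(dst + used, src, add + 1);
        return 0;
}

/*
 * Build the sed script that rewrites sshd_config from the remote-access
 * settings in `kv`, into `script` (capacity `cap` bytes).
 *
 * Each rule looks one settings key up with findkey(); when the key is
 * present and equal to `value` the `if_match` fragment is appended,
 * otherwise `otherwise` is.  Only these fixed literals ever reach the
 * script -- the settings value selects a fragment but is never copied into
 * it -- so nothing in the settings file can alter the shell command.
 * Every fragment ends in ';' so the following `s` command starts cleanly
 * (the Port fragments previously lacked it, which made sed reject the
 * script once the AllowAgentForwarding command was appended after them).
 *
 * Returns 0 on success, -1 if the script does not fit in `cap` bytes.
 */
static int build_sed_script(struct keyvalue *kv, char *script, size_t cap)
{
        static const struct {
                const char *key;        /* settings key looked up with findkey() */
                const char *value;      /* value that selects if_match */
                const char *if_match;
                const char *otherwise;
        } rules[] = {
                { "ENABLE_SSH_KEYS", "off",
                  "s/^RSAAuthentication .*$/RSAAuthentication no/;"
                  "s/^PubkeyAuthentication .*$/PubkeyAuthentication no/;",
                  "s/^RSAAuthentication .*$/RSAAuthentication yes/;"
                  "s/^PubkeyAuthentication .*$/PubkeyAuthentication yes/;" },
                { "ENABLE_SSH_PASSWORDS", "off",
                  "s/^PasswordAuthentication .*$/PasswordAuthentication no/;",
                  "s/^PasswordAuthentication .*$/PasswordAuthentication yes/;" },
                { "ENABLE_SSH_PORTFW", "on",
                  "s/^AllowTcpForwarding .*$/AllowTcpForwarding yes/;",
                  "s/^AllowTcpForwarding .*$/AllowTcpForwarding no/;" },
                { "SSH_PORT", "on",
                  "s/^Port .*$/Port 22/;",
                  "s/^Port .*$/Port 222/;" },
                { "SSH_AGENT_FORWARDING", "on",
                  "s/^AllowAgentForwarding .*$/AllowAgentForwarding yes/;",
                  "s/^AllowAgentForwarding .*$/AllowAgentForwarding no/;" },
        };
        char buffer[STRING_SIZE];

        script[0] = '\0';
        /* Protocol 2 is forced regardless of the settings. */
        if (append_script(script, cap, "s/^Protocol .*$/Protocol 2/;") != 0)
                return -1;

        for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
                const char *fragment = rules[i].otherwise;

                if (findkey(kv, rules[i].key, buffer) && strcmp(buffer, rules[i].value) == 0)
                        fragment = rules[i].if_match;
                if (append_script(script, cap, fragment) != 0)
                        return -1;
        }
        return 0;
}

/*
 * Rewrite /etc/ssh/sshd_config according to the settings in `kv`.
 *
 * The new file is written to /etc/ssh/sshd_config.new through a descriptor
 * opened here and then atomically renamed over the old file.  The sed
 * process is started with unpriv_system(command, 99, 99) -- presumably
 * with its privileges dropped to uid/gid 99 -- and writes through the
 * inherited descriptor (`>&fd`), so it never needs write access to
 * /etc/ssh itself.
 *
 * Returns 0 on success, -1 on any failure (diagnostic already printed,
 * temporary file removed).
 */
static int rewrite_sshd_config(struct keyvalue *kv)
{
        static const char newpath[] = "/etc/ssh/sshd_config.new";
        char script[STRING_SIZE];
        char cmdline[STRING_SIZE];
        int config_fd, rc;

        if (build_sed_script(kv, script, sizeof script) != 0) {
                fprintf(stderr, "sed script does not fit in buffer\n");
                return -1;
        }

        /* By using O_CREAT with O_EXCL open() will fail if the file already exists,
         * this prevents 2 copies of sshctrl both trying to edit the config file
         * at once. It also prevents race conditions, but these shouldn't be
         * possible as /etc/ssh/ should only be writable by root anyhow
         */
        config_fd = open(newpath, O_WRONLY|O_CREAT|O_EXCL, 0644);
        if (config_fd == -1) {
                perror("Unable to open new config file");
                return -1;
        }

        rc = snprintf(cmdline, sizeof cmdline,
                      "/bin/sed -e '%s' /etc/ssh/sshd_config >&%d", script, config_fd);
        if (rc < 0 || (size_t)rc >= sizeof cmdline) {
                fprintf(stderr, "sed command does not fit in buffer\n");
                close(config_fd);
                unlink(newpath);
                return -1;
        }

        rc = unpriv_system(cmdline, 99, 99);
        close(config_fd);
        if (rc != 0) {
                fprintf(stderr, "sed returned bad exit code: %d\n", rc);
                unlink(newpath);
                return -1;
        }

        if (rename(newpath, "/etc/ssh/sshd_config") != 0) {
                perror("Unable to replace old config file");
                unlink(newpath);
                return -1;
        }
        return 0;
}

/*
 * Send SIGTERM to the sshd whose pid is recorded in /var/run/sshd.pid and
 * remove the pid file once the signal was delivered.
 *
 * A missing pid file means sshd is not running and is not an error; an
 * unreadable or malformed pid file only produces a diagnostic.
 *
 * Returns 0 normally, -1 only when the pid file exists but cannot be
 * opened (the one case the caller treats as fatal).
 */
static int stop_sshd(void)
{
        char buffer[STRING_SIZE];
        int fd = open("/var/run/sshd.pid", O_RDONLY);

        if (fd == -1) {
                if (errno == ENOENT)
                        return 0;
                perror("Unable to open pid file");
                return -1;
        }

        /* zero-fill so a short read still leaves a NUL-terminated string */
        memset(buffer, 0, sizeof buffer);
        ssize_t n = read(fd, buffer, sizeof buffer - 1);
        close(fd);
        if (n == -1) {
                fprintf(stderr, "Couldn't read from pid file\n");
                return 0;
        }

        /* strtol instead of atoi so overflow and non-numeric content are
         * detected; a trailing newline after the digits is tolerated. */
        char *end = NULL;
        errno = 0;
        long pid = strtol(buffer, &end, 10);
        if (end == buffer || errno == ERANGE || pid <= 1 || pid != (long)(pid_t)pid) {
                fprintf(stderr, "Bad pid value\n");
                return 0;
        }

        if (kill((pid_t)pid, SIGTERM) == -1)
                fprintf(stderr, "Unable to send SIGTERM\n");
        else
                unlink("/var/run/sshd.pid");
        return 0;
}

/*
 * Start sshd when CONFIG_ROOT "/remote/enablessh" exists.  The file is
 * only probed with open()/close(); its contents are not read.
 */
static void start_sshd_if_enabled(void)
{
        int fd = open(CONFIG_ROOT "/remote/enablessh", O_RDONLY);

        if (fd == -1)
                return;
        close(fd);
        safe_system("/usr/sbin/sshd");
}

/* Returns 1 if `s` is a non-empty string of ASCII digits only, else 0. */
static int is_unsigned_decimal(const char *s)
{
        if (*s == '\0')
                return 0;
        for (; *s != '\0'; s++) {
                if (*s < '0' || *s > '9')
                        return 0;
        }
        return 1;
}

/*
 * Entry point.
 *
 * No arguments:      rewrite /etc/ssh/sshd_config from
 *                    CONFIG_ROOT "/remote/settings", SIGTERM the running
 *                    sshd (pid from /var/run/sshd.pid) and start sshd again
 *                    if CONFIG_ROOT "/remote/enablessh" exists.
 * "tempstart" SECS:  run sshctrl once now, mark ENABLE_SSH=off in the
 *                    settings file and schedule a second sshctrl run after
 *                    SECS seconds.
 *
 * Returns 0 on success and 1 on failure or on a bad command line.
 */
int main(int argc, char *argv[])
{
        if (argc < 2) {
                struct keyvalue *kv;
                int rc;

                if (!(initsetuid()))
                        exit(1);

                kv = initkeyvalues();
                if (!readkeyvalues(kv, CONFIG_ROOT "/remote/settings")) {
                        fprintf(stderr, "Cannot read remote access settings\n");
                        exit(1);
                }

                rc = rewrite_sshd_config(kv);
                freekeyvalues(kv);
                if (rc != 0)
                        exit(1);

                if (stop_sshd() != 0)
                        exit(1);

                start_sshd_if_enabled();
                return 0;
        }

        if (strcmp(argv[1], "tempstart") == 0) {
                /* argv[2] is interpolated into a shell command line below, so it
                 * must exist and must be a plain unsigned integer; anything else
                 * is rejected before a shell ever sees it. */
                if (argc < 3 || !is_unsigned_decimal(argv[2])) {
                        fprintf(stderr, "Usage: sshctrl tempstart <seconds>\n");
                        return 1;
                }

                /* NOTE(review): unlike the default branch this path never calls
                 * initsetuid(); confirm whether the setup it performs is needed
                 * before the safe_system() calls here. */
                safe_system("/usr/local/bin/sshctrl");
                sleep(5);
                /* NOTE(review): these paths are spelled out rather than built from
                 * CONFIG_ROOT as in the default branch -- confirm they agree. */
                unlink("/var/ipfire/remote/enablessh");
                safe_system("cat /var/ipfire/remote/settings | sed 's/ENABLE_SSH=on/ENABLE_SSH=off/' > /var/ipfire/remote/settings2 && mv /var/ipfire/remote/settings2 /var/ipfire/remote/settings");
                safe_system("chown nobody.nobody /var/ipfire/remote/settings");

                int rc = snprintf(command, sizeof command,
                                  "sleep %s && /usr/local/bin/sshctrl &", argv[2]);
                if (rc < 0 || (size_t)rc >= sizeof command) {
                        fprintf(stderr, "Delay value too long\n");
                        return 1;
                }
                safe_system(command);
                return 0;
        }

        fprintf(stderr, "Usage: sshctrl [tempstart <seconds>]\n");
        return 1;
}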