1 From 06a23d2cea6e57cca82c47e14a7b6d038b8e4286 Mon Sep 17 00:00:00 2001
2 From: Alex Wilson <alex.wilson@joyent.com>
3 Date: Fri, 7 Aug 2015 12:19:47 -0700
4 Subject: [PATCH 25/36] Add SMF manifest and method, and install them
5
6 ---
7 Makefile.in | 6 ++
8 smf/manifest.xml | 169 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
9 smf/method.sh | 121 +++++++++++++++++++++++++++++++++++++++
10 3 files changed, 296 insertions(+)
11 create mode 100644 smf/manifest.xml
12 create mode 100644 smf/method.sh
13
14 diff --git a/Makefile.in b/Makefile.in
15 index 66c4585..7130542 100644
16 --- a/Makefile.in
17 +++ b/Makefile.in
18 @@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
19 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
20 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
21 ROOTDLIBDIR64=$(DESTDIR)/usr/lib/dtrace/64
22 +SMFMETHODDIR=$(DESTDIR)/lib/svc/method
23 +SMFNETMANIDIR=$(DESTDIR)/lib/svc/manifest/network
24 PRIVSEP_PATH=@PRIVSEP_PATH@
25 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
26 STRIP_OPT=@STRIP_OPT@
27 @@ -359,6 +361,10 @@ install-files:
28 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
29 ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
30 mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/sftp64.d
31 + $(srcdir)/mkinstalldirs $(SMFMETHODDIR)
32 + $(srcdir)/mkinstalldirs $(SMFNETMANIDIR)
33 + $(INSTALL) -m 555 smf/method.sh $(SMFMETHODDIR)/sshd
34 + $(INSTALL) -m 444 smf/manifest.xml $(SMFNETMANIDIR)/ssh.xml
35
36 install-sysconf:
37 if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
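Review bot: The two `$(INSTALL)` lines copy `smf/method.sh` and `smf/manifest.xml` relative to the current directory, whereas the `cp $(srcdir)/sftp64.d` line just above resolves its source through `$(srcdir)`, so an out-of-tree build (configure run from a separate build directory) will not find the two SMF files. Change them to `$(INSTALL) -m 555 $(srcdir)/smf/method.sh $(SMFMETHODDIR)/sshd` and `$(INSTALL) -m 444 $(srcdir)/smf/manifest.xml $(SMFNETMANIDIR)/ssh.xml`. Using `$(srcdir)/mkinstalldirs` here while the previous line uses `mkdir -p` is harmless but inconsistent; one idiom for the target would be clearer. The install-files target begins above this hunk.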
38 diff --git a/smf/manifest.xml b/smf/manifest.xml
39 new file mode 100644
40 index 0000000..5045296
41 --- /dev/null
42 +++ b/smf/manifest.xml
43 @@ -0,0 +1,169 @@
44 +<?xml version="1.0"?>
45 +<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
46 +<!--
47 + CDDL HEADER START
48 +
49 + The contents of this file are subject to the terms of the
50 + Common Development and Distribution License (the "License").
51 + You may not use this file except in compliance with the License.
52 +
53 + You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
54 + or http://www.opensolaris.org/os/licensing.
55 + See the License for the specific language governing permissions
56 + and limitations under the License.
57 +
58 + When distributing Covered Code, include this CDDL HEADER in each
59 + file and include the License file at usr/src/OPENSOLARIS.LICENSE.
60 + If applicable, add the following below this CDDL HEADER, with the
61 + fields enclosed by brackets "[]" replaced with your own identifying
62 + information: Portions Copyright [yyyy] [name of copyright owner]
63 +
64 + CDDL HEADER END
65 +
66 + Copyright 2009 Sun Microsystems, Inc. All rights reserved.
67 + Use is subject to license terms.
68 +
69 + NOTE: This service manifest is not editable; its contents will
70 + be overwritten by package or patch operations, including
71 + operating system upgrade. Make customizations in a different
72 + file.
73 +-->
74 +
75 +<service_bundle type='manifest' name='SUNWsshdr:ssh'>
76 +
77 +<service
78 + name='network/ssh'
79 + type='service'
80 + version='1'>
81 +
82 + <create_default_instance enabled='false' />
83 +
84 + <single_instance />
85 +
86 + <dependency name='fs-local'
87 + grouping='require_all'
88 + restart_on='none'
89 + type='service'>
90 + <service_fmri
91 + value='svc:/system/filesystem/local' />
92 + </dependency>
93 +
94 + <dependency name='fs-autofs'
95 + grouping='optional_all'
96 + restart_on='none'
97 + type='service'>
98 + <service_fmri value='svc:/system/filesystem/autofs' />
99 + </dependency>
100 +
101 + <dependency name='net-loopback'
102 + grouping='require_all'
103 + restart_on='none'
104 + type='service'>
105 + <service_fmri value='svc:/network/loopback' />
106 + </dependency>
107 +
108 + <dependency name='net-physical'
109 + grouping='require_all'
110 + restart_on='none'
111 + type='service'>
112 + <service_fmri value='svc:/network/physical' />
113 + </dependency>
114 +
115 + <dependency name='cryptosvc'
116 + grouping='require_all'
117 + restart_on='none'
118 + type='service'>
119 + <service_fmri value='svc:/system/cryptosvc' />
120 + </dependency>
121 +
122 + <dependency name='utmp'
123 + grouping='require_all'
124 + restart_on='none'
125 + type='service'>
126 + <service_fmri value='svc:/system/utmp' />
127 + </dependency>
128 +
129 + <dependency name='network_ipfilter'
130 + grouping='optional_all'
131 + restart_on='error'
132 + type='service'>
133 + <service_fmri value='svc:/network/ipfilter:default' />
134 + </dependency>
135 +
136 + <dependency name='config_data'
137 + grouping='require_all'
138 + restart_on='restart'
139 + type='path'>
140 + <service_fmri
141 + value='file://localhost/etc/ssh/sshd_config' />
142 + </dependency>
143 +
144 + <dependent
145 + name='ssh_multi-user-server'
146 + grouping='optional_all'
147 + restart_on='none'>
148 + <service_fmri
149 + value='svc:/milestone/multi-user-server' />
150 + </dependent>
151 +
152 + <exec_method
153 + type='method'
154 + name='start'
155 + exec='/lib/svc/method/sshd start'
156 + timeout_seconds='60'/>
157 +
158 + <exec_method
159 + type='method'
160 + name='stop'
161 + exec=':kill'
162 + timeout_seconds='60' />
163 +
164 + <exec_method
165 + type='method'
166 + name='refresh'
167 + exec='/lib/svc/method/sshd restart'
168 + timeout_seconds='60' />
169 +
170 + <property_group name='startd'
171 + type='framework'>
172 + <!-- sub-process core dumps shouldn't restart session -->
173 + <propval name='ignore_error'
174 + type='astring' value='core,signal' />
175 + </property_group>
176 +
177 + <property_group name='general' type='framework'>
178 + <!-- to start stop sshd -->
179 + <propval name='action_authorization' type='astring'
180 + value='solaris.smf.manage.ssh' />
181 + </property_group>
182 +
183 + <property_group name='firewall_context' type='com.sun,fw_definition'>
184 + <propval name='name' type='astring' value='ssh' />
185 + <propval name='ipf_method' type='astring'
186 + value='/lib/svc/method/sshd ipfilter' />
187 + </property_group>
188 +
189 + <property_group name='firewall_config' type='com.sun,fw_configuration'>
190 + <propval name='policy' type='astring' value='use_global' />
191 + <propval name='apply_to' type='astring' value='' />
192 + <propval name='exceptions' type='astring' value='' />
193 + <propval name='value_authorization' type='astring'
194 + value='solaris.smf.value.firewall.config' />
195 + </property_group>
196 +
197 + <stability value='Unstable' />
198 +
199 + <template>
200 + <common_name>
201 + <loctext xml:lang='C'>
202 + SSH server
203 + </loctext>
204 + </common_name>
205 + <documentation>
206 + <manpage title='sshd' section='1M' manpath='/usr/share/man' />
207 + </documentation>
208 + </template>
209 +
210 +</service>
211 +
212 +</service_bundle>
213 \ No newline at end of file
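Review bot: The `start` exec_method is given `timeout_seconds='60'`, but the method it runs (`/lib/svc/method/sshd start`, added in this same patch) may generate up to four host keys before launching sshd on a machine where sysidconfig never ran, and RSA/DSA generation on a slow or entropy-starved first boot could plausibly eat a good part of that budget; if 60 s has been validated for that case, a comment saying so would help, otherwise consider a larger value. The comment in the `general` property group, `<!-- to start stop sshd -->`, would read better as `<!-- authorization required to start/stop sshd -->`. The file also lacks a trailing newline.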
214 diff --git a/smf/method.sh b/smf/method.sh
215 new file mode 100644
216 index 0000000..e91ed55
217 --- /dev/null
218 +++ b/smf/method.sh
219 @@ -0,0 +1,121 @@
220 +#!/sbin/sh
221 +#
222 +# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
223 +# Use is subject to license terms.
224 +#
225 +
226 +. /lib/svc/share/ipf_include.sh
227 +. /lib/svc/share/smf_include.sh
228 +
229 +SSHDIR=/etc/ssh
230 +SSHKEYDIR=/var/ssh
231 +KEYGEN="/usr/bin/ssh-keygen -q"
232 +PIDFILE=/var/run/sshd.pid
233 +
234 +# Checks to see if RSA, and DSA host keys are available
235 +# if any of these keys are not present, the respective keys are created.
236 +create_key()
237 +{
238 + keypath=$1
239 + keytype=$2
240 +
241 + if [ ! -f $keypath ]; then
242 + #
243 + # HostKey keywords in sshd_config may be preceded or
244 + # followed by a mix of any number of space or tabs,
245 + # and optionally have an = between keyword and
246 + # argument. We use two grep invocations such that we
247 + # can match HostKey case insensitively but still have
248 + # the case of the path name be significant, keeping
249 + # the pattern somewhat more readable.
250 + #
251 + # The character classes below contain one literal
252 + # space and one literal tab.
253 + #
254 + grep -i "^[ ]*HostKey[ ]*=\{0,1\}[ ]*$keypath" \
255 + $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1
256 +
257 + if [ $? -eq 0 ]; then
258 + echo Creating new $keytype public/private host key pair
259 + $KEYGEN -f $keypath -t $keytype -N ''
260 + if [ $? -ne 0 ]; then
261 + echo "Could not create $keytype key: $keypath"
262 + exit $SMF_EXIT_ERR_CONFIG
263 + fi
264 + fi
265 + fi
266 +}
267 +
268 +create_ipf_rules()
269 +{
270 + FMRI=$1
271 + ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
272 + policy=`get_policy ${FMRI}`
273 +
274 + #
275 + # Get port from /etc/ssh/sshd_config
276 + #
277 + tports=`grep "^Port" /etc/ssh/sshd_config 2>/dev/null | \
278 + awk '{print $2}'`
279 +
280 + echo "# $FMRI" >$ipf_file
281 + for port in $tports; do
282 + generate_rules $FMRI $policy "tcp" "any" $port $ipf_file
283 + done
284 +}
285 +
286 +# This script is being used for two purposes: as part of an SMF
287 +# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
288 +# application.
289 +#
290 +# Both, the SMF methods and sysidconfig/sys-unconfig use different
291 +# arguments..
292 +
293 +case $1 in
294 + # sysidconfig/sys-unconfig arguments (-c and -u)
295 +'-c')
296 + create_key $SSHDIR/ssh_host_rsa_key rsa
297 + create_key $SSHDIR/ssh_host_dsa_key dsa
298 + create_key $SSHDIR/ssh_host_ecdsa_key ecdsa
299 + create_key $SSHDIR/ssh_host_ed25519_key ed25519
300 + ;;
301 +
302 +'-u')
303 + # sys-unconfig(1M) knows how to remove ssh host keys, so there's
304 + # nothing to do here.
305 + :
306 + ;;
307 +
308 + # SMF arguments (start and restart [really "refresh"])
309 +
310 +'ipfilter')
311 + create_ipf_rules $2
312 + ;;
313 +
314 +'start')
315 + #
316 + # If host keys don't exist when the service is started, create
317 + # them; sysidconfig is not run in every situation (such as on
318 + # the install media).
319 + #
320 + create_key $SSHKEYDIR/ssh_host_rsa_key rsa
321 + create_key $SSHKEYDIR/ssh_host_dsa_key dsa
322 + create_key $SSHKEYDIR/ssh_host_ecdsa_key ecdsa
323 + create_key $SSHKEYDIR/ssh_host_ed25519_key ed25519
324 +
325 + /usr/lib/ssh/sshd
326 + ;;
327 +
328 +'restart')
329 + if [ -f "$PIDFILE" ]; then
330 + /usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
331 + fi
332 + ;;
333 +
334 +*)
335 + echo "Usage: $0 { start | restart }"
336 + exit 1
337 + ;;
338 +esac
339 +
340 +exit $?
341 \ No newline at end of file
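Review bot: In create_ipf_rules the port list is taken only from an explicit `^Port` line in sshd_config, so a configuration that relies on sshd's built-in default port produces an ipf file holding just the `# $FMRI` header and no rule, silently defeating the firewall integration; add `[ -n "$tports" ] || tports=22` after the grep, and consider matching `Port` with the same whitespace/`=`-tolerant, case-insensitive pattern create_key uses for HostKey (and `$SSHDIR/sshd_config` instead of the hard-coded path). The `-c` branch creates keys under `$SSHDIR` (/etc/ssh) while `start` uses `$SSHKEYDIR` (/var/ssh); since create_key only generates a key whose path is listed as a HostKey in sshd_config, only one of the two sets can ever be created for a given config — presumably intended, but worth a comment, and consider whether the dsa calls are still wanted given ssh-keygen limits DSA host keys to 1024 bits. The header comment on create_key still says "RSA, and DSA host keys" although ECDSA and ed25519 keys are generated too, and the usage message `{ start | restart }` omits the `ipfilter`, `-c` and `-u` arguments the case statement accepts.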
342 --
343 2.5.4 (Apple Git-61)
344