 From:  "Fred Mol" <fredlist at xs4all dot nl>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: ssh module
 Date:  Fri, 16 Jul 2004 13:26:19 +0200 (CEST)
On Thu, 15 Jul 2004 14:22:07 +0200, Alexander C.H. Lorenz wrote:

> Hi folks, Hi Manuel

> we've implemented an ssh daemon with password change via the webGUI and PAM.

Hmm, I've been working on something like that as well. Maybe we can
combine our efforts?

My implementation is also implemented as a module, although it only has an
initialization (rc) file right now. That creates a few directories and
files in /var that sshd likes to have, sets the root password to the
m0n0wall admin passwd and starts sshd:

    // sshd home (privilege separation directory, must not be writable)
    mkdir("/var/empty", 0555);
    // vi likes to have /var/tmp
    symlink("/tmp", "/var/tmp");
    // sshd likes to have this file
    system("touch /var/log/lastlog");
    // Set root passwd to the m0n0 admin passwd; the config holds the
    // already-encrypted password, which "pw -H 0" reads from fd 0
    $fd = popen("pw usermod -n root -H 0", "w");
    fwrite($fd, $config['system']['password']);
    // close the pipe so pw sees end-of-input and applies the change
    pclose($fd);
    // And finally...

The main work has been to create a script that "upgrades" (not everybody
will agree this is an upgrade :-)) a m0n0wall iso image with this module,
sshd and related files and some executables (tcpdump, grep, vi, ...)
that allows you to do something useful with that ssh access.

The script does the following:
- Unpacks the iso
- Unpacks the mfsroot filesystem to a new, bigger, mfsroot filesystem
- Updates mfsroot with sshd and other FreeBSD files
- Creates an sshd_config file that's a copy of the default FreeBSD sshd_config
  with one modification: it has: PermitRootLogin yes
- Generates ssh host key files, if not present yet (they are preserved
  between runs of the script)
- Creates the one-and-only-module-file: /etc/inc/ext/ssh/rc
- Adds group sshd and login sshd to the m0n0wall group and passwd databases
- Creates a new iso image

A GUI is not present right now, as it's not really needed. Because the
m0n0 admin password is used for the root login there is no need for
separate username/password maintenance.

One thing I'd like to change is to move the generation of ssh host key
files from the install script to the 'rc' script and save/restore them
to/from /conf.

> Also we've changed the rc.initial scripts so anybody can use the
> ssh-shell and serial console on i386 based systems. Also we added small
> debug support such as nstreams, tcpdump and a real shell access.

> @ Manuel: does m0n0wall need anything like that? We'd give the code to
> m0n0wall if anyone needs it.

I think Manuel already has expressed his views on ssh support in m0n0wall.
I even agree with him (that it's not a good idea). However, I'm having
problems with my pptp (adsl) wan connection and I needed something
better than exec.php to diagnose the problems.

> cy'A

> alex

--Fred Mol
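As an added illustration of the change proposed above (this is example code, not Fred's rc file or anything from the m0n0wall project), the following PHP rc module restores sshd host keys from /conf, generates only the ones that are missing, and saves them back, so the firewall keeps one host identity across reboots instead of clients seeing a changed key after every image rebuild. The function name `ssh_host_keys`, the directories /conf/ssh and /var/etc/ssh, and the binary paths are assumptions; `$config` is m0n0wall's global config array as used in the snippet earlier in the message.

```php
<?php
/* Added example, not part of the original message. Assumes m0n0wall's
   global $config array and FreeBSD paths for pw, ssh-keygen and sshd. */

$conf_keydir = "/conf/ssh";     /* persistent copy (assumed writable) */
$run_keydir  = "/var/etc/ssh";  /* runtime location sshd reads from */
$key_types   = array("rsa", "dsa");  /* host key types of the period */

/* Restore saved host keys into the runtime dir, generate any that are
   missing and keep the new ones under /conf. Returns the types generated. */
function ssh_host_keys($conf_keydir, $run_keydir, $key_types) {
    @mkdir($conf_keydir, 0700);
    @mkdir($run_keydir, 0700);
    $generated = array();
    foreach ($key_types as $type) {
        $saved = "$conf_keydir/ssh_host_{$type}_key";
        $live  = "$run_keydir/ssh_host_{$type}_key";
        if (!file_exists($saved)) {
            /* -N '': no passphrase, the private key is protected by mode 0600 */
            system("/usr/bin/ssh-keygen -q -t $type -N '' -f " .
                   escapeshellarg($saved));
            $generated[] = $type;
        }
        copy($saved, $live);
        copy("$saved.pub", "$live.pub");
        chmod($live, 0600);       /* sshd refuses world-readable host keys */
    }
    return $generated;
}

/* directories and files sshd expects, as in the original module */
@mkdir("/var/empty", 0555);
system("touch /var/log/lastlog");

$generated = ssh_host_keys($conf_keydir, $run_keydir, $key_types);

/* root login reuses the m0n0wall admin password; the config already
   holds the encrypted form, which "pw -H 0" reads from fd 0 */
$fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
fwrite($fd, $config['system']['password']);
pclose($fd);

/* point sshd at the restored keys with one -h option per key type */
$hostkeys = "";
foreach ($key_types as $type)
    $hostkeys .= " -h " . escapeshellarg("$run_keydir/ssh_host_{$type}_key");
system("/usr/sbin/sshd" . $hostkeys);
?>
```

Because the private keys now live in /conf, they travel with the configuration backup; treat that backup as sensitive as the keys themselves.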