[Ovirt-devel] [PATCH node] Disables SSH by default, and allows for enabling at firstboot. rhbz#509842

Darryl L. Pierce dpierce at redhat.com
Mon Jul 6 21:27:38 UTC 2009


Adds a new firstboot menu option for enabling/disabling SSH login.

Signed-off-by: Darryl L. Pierce <dpierce at redhat.com>
---
 Makefile.am                     |    1 +
 ovirt-node.spec.in              |    3 ++
 scripts/ovirt-config-enable-ssh |   46 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 0 deletions(-)
 create mode 100755 scripts/ovirt-config-enable-ssh

diff --git a/Makefile.am b/Makefile.am
index 2f52144..7f4fa07 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -33,6 +33,7 @@ EXTRA_DIST =			\
   scripts/ovirt-config-boot  \
   scripts/ovirt-config-boot-wrapper  \
   scripts/ovirt-config-collectd  \
+  scripts/ovirt-config-enable-ssh \
   scripts/ovirt-config-hostname  \
   scripts/ovirt-config-logging  \
   scripts/ovirt-config-networking \
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 6fa45ce..361d092 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -148,6 +148,7 @@ cd -
 %{__install} -p -m0755 scripts/ovirt-config-boot %{buildroot}%{_sbindir}
 %{__install} -p -m0755 scripts/ovirt-config-boot-wrapper %{buildroot}%{_sbindir}
 %{__install} -p -m0755 scripts/ovirt-config-collectd %{buildroot}%{_sbindir}
+%{__install} -p -m0755 scripts/ovirt-config-enable-ssh %{buildroot}%{_sbindir}
 %{__install} -p -m0755 scripts/ovirt-config-hostname %{buildroot}%{_sbindir}
 %{__install} -p -m0755 scripts/ovirt-config-logging %{buildroot}%{_sbindir}
 %{__install} -p -m0755 scripts/ovirt-config-networking %{buildroot}%{_sbindir}
@@ -224,6 +225,7 @@ ln -s ovirt-release %{buildroot}/etc/system-release
 %{__install} -d -m0755 %{buildroot}%{_sysconfdir}/ovirt-config-setup.d
 %{__ln_s} ../..%{_sbindir}/ovirt-config-storage %{buildroot}%{_sysconfdir}/ovirt-config-setup.d/"00_Disk Partitioning"
 %{__ln_s} ../..%{_sbindir}/ovirt-config-password %{buildroot}%{_sysconfdir}/ovirt-config-setup.d/"05_Administrator Password"
+%{__ln_s} ../..%{_sbindir}/ovirt-config-enable-ssh %{buildroot}%{_sysconfdir}/ovirt-config-setup.d/"06_Enable SSH Access"
 %{__ln_s} ../..%{_sbindir}/ovirt-config-hostname %{buildroot}%{_sysconfdir}/ovirt-config-setup.d/"10_Set Hostname"
 %{__ln_s} ../..%{_sbindir}/ovirt-config-networking %{buildroot}%{_sysconfdir}/ovirt-config-setup.d/"15_Networking Setup"
 %{__ln_s} ../..%{_sbindir}/ovirt-config-logging %{buildroot}%{_sysconfdir}/ovirt-config-setup.d/"30_Logging Setup"
@@ -306,6 +308,7 @@ fi
 %{_sbindir}/ovirt-config-boot
 %{_sbindir}/ovirt-config-boot-wrapper
 %{_sbindir}/ovirt-config-collectd
+%{_sbindir}/ovirt-config-enable-ssh
 %{_sbindir}/ovirt-config-hostname
 %{_sbindir}/ovirt-config-logging
 %{_sbindir}/ovirt-config-networking
diff --git a/scripts/ovirt-config-enable-ssh b/scripts/ovirt-config-enable-ssh
new file mode 100755
index 0000000..ec01b26
--- /dev/null
+++ b/scripts/ovirt-config-enable-ssh
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Iterates over the list of network devices on the node and prompts the user
+# to configure each.
+
+. /etc/init.d/ovirt-functions
+
+ME=$(basename "$0")
+warn() { printf '%s: %s\n' "$ME" "$*" >&2; }
+die() { warn "$*"; exit 1; }
+
+WORKDIR=$(mktemp -d) || exit 1
+
+# Remove $WORKDIR upon interrupt (and HUP, PIPE, TERM) and upon normal
+# termination, being careful not to change the exit status.
+trap '__st=$?; rm -rf "$WORKDIR"; exit $__st' 0
+trap 'exit $?' 1 2 13 15
+
+toggle_ssh_access ()
+{
+    local allowed=$1
+    local config=$WORKDIR/augeas-ssh
+
+    if $allowed; then permit="yes"; else permit="no"; fi
+    printf "set /files/etc/ssh/sshd_config/PermitRootLogin ${permit}\n" > $config
+    cat $config | augtool
+
+    service sshd restart
+}
+
+while true; do
+    state="disabled"
+    prompt="Enable SSH access"
+    grep "^PermitRootLogin\ *yes" /etc/ssh/sshd_config > /dev/null
+    if [ $? == 0 ]; then
+        state="enabled"
+        prompt="Leave SSH access enabled"
+    fi
+    printf "\nSSH access is currently ${state}.\n\n"
+    read -ep "${prompt} (y/n/a)? "
+    case $REPLY in
+        Y|y) toggle_ssh_access true; exit 0;;
+        N|n) toggle_ssh_access false; exit 0;;
+        A|a) exit 99;;
+    esac
+done
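Review bot: In scripts/ovirt-config-enable-ssh, `toggle_ssh_access` feeds augtool only a `set` line, and augtool does not write changes back without a `save` command (or `-s`), so unless ovirt-functions wraps augtool the choice is probably never persisted; the function also ignores the exit status of augtool and of `service sshd restart`, and the loop exits 0 regardless. The status check `grep "^PermitRootLogin\ *yes"` misses tab-separated or differently-cased directives, and when the directive is absent sshd falls back to its built-in default, so the menu can report "disabled" while root login is still permitted; nothing visible in this patch sets the default to `no`. Only PermitRootLogin is toggled, so sshd keeps listening and non-root accounts are unaffected; the prompt should say "root SSH login", or the script should also stop and disable the service when the answer is no. The header comment was copied from the networking script and should read `# Enables or disables root login over SSH at firstboot.`, and `permit` should be declared `local`. A sketch of the function and the check follows.

```shell
toggle_ssh_access ()
{
    local allowed=$1
    local config=$WORKDIR/augeas-ssh
    local permit="no"

    if $allowed; then permit="yes"; fi
    # "save" makes augtool write the change back to sshd_config
    printf 'set /files/etc/ssh/sshd_config/PermitRootLogin %s\nsave\n' \
        "$permit" > "$config"
    augtool < "$config" || die "could not update sshd_config"

    service sshd restart || die "could not restart sshd"
}

# … unchanged: while loop header, state/prompt defaults …
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' /etc/ssh/sshd_config; then
# … unchanged: state/prompt assignment, prompt and case statement …
```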
-- 
1.6.2.5



