sshd: Retire DSA support

Chase 3dcf2c2cafbc ("OpenSSH: remove ability to enable DSA support (in
configure)").

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews

sshd: Retire DSA support

Chase 3dcf2c2cafbc ("OpenSSH: remove ability to enable DSA support (in
configure)").

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49740

show more ...

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
servic

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I'm running this
since more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

sshd: Warn about missing ssh-keygen only when necessary

The sshd service is using ssh-keygen to generate missing SSH keys.
If ssh-keygen is missing, it prints the following message:

> /etc/rc.d/ssh

sshd: Warn about missing ssh-keygen only when necessary

The sshd service is using ssh-keygen to generate missing SSH keys.
If ssh-keygen is missing, it prints the following message:

> /etc/rc.d/sshd: WARNING: /usr/bin/ssh-keygen does not exist.

It makes sense when the key is not generated yet and
cannot be created because ssh-keygen is missing.

The problem is that even if the key is present on the host,
the sshd service would still warn about missing ssh-keygen
(even though it does not need it).

Reviewed by: emaste
Approved by: emaste (src)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D23911

show more ...

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update bec

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.

Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)

show more ...

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision:

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466

show more ...

Remove the ability to generate long since useless SSH1 RSA keys.

Disable DSA again.

MFC after: 3 days

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueff

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452

show more ...

Turn ssh_host_dsa_key back on until PR#208254 is taken care of.

Do not generate RSA1 or DSA keys by default.

Upgrade to OpenSSH 6.5p1.

Reduce priority of host key exists message in sshd startup
script to info.

Approved by: re (gjb)

Ditch the random seeding code, which never really worked as intended.
Add config variables to enable / disable individual host key algorithms.
Clean up the host key generation code.

Approved by: re

Ditch the random seeding code, which never really worked as intended.
Add config variables to enable / disable individual host key algorithms.
Clean up the host key generation code.

Approved by: re (gjb)
MFC after: 3 weeks

show more ...

Call sshd_precmd instead of sshd_configtest when the operator
requests reload or restart, which, in addition of testing the
configuration, will also generate host keys when they are not
present (prev

Call sshd_precmd instead of sshd_configtest when the operator
requests reload or restart, which, in addition of testing the
configuration, will also generate host keys when they are not
present (previous behavior).

Obtained from: FreeNAS
Ok'ed by: bdrewery, des
MFC after: 1 week

show more ...

Also call configtest before reload to ensure working config.

Approved by: jhb
MFC after: 1 week
X-MFC-With: r249489

Run configtest before restarting so that the system is not
left without a running sshd.

Approved by: des
MFC after: 1 week

Simply things so that "#REQUIRE: FILESYSTEMS" means the file
systems are fully "ready to go".

'FILESYSTEMS' states: "This is a dummy dependency, for services which
require file systems to be mounted

Simply things so that "#REQUIRE: FILESYSTEMS" means the file
systems are fully "ready to go".

'FILESYSTEMS' states: "This is a dummy dependency, for services which
require file systems to be mounted before starting." However, we have
'var' which is was run after 'FILESYSTEMS' and can mount /var if it
already isn't mounted. Furthermore, several scripts cannot use /var
until 'cleanvar' has done its thing. Thus "FILESYSTEMS" hasn't really
meant all critical file systems are fully usable.

show more ...

Add a configtest command.

Submitted by: gjb@
MFC after: 1 week

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.

During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.

show more ...

Upgrade to OpenSSH 5.8p2.

Add the shutdown KEYWORD to those scripts that start persistent services
to allow them to do a "clean" shutdown.

I purposely avoided making changes to network-related stuff since the
system shutting

Add the shutdown KEYWORD to those scripts that start persistent services
to allow them to do a "clean" shutdown.

I purposely avoided making changes to network-related stuff since the
system shutting down is pretty conclusive, and there may be complicated
dependencies on the network that I would rather not try to unravel.

I also skipped kerberos-related stuff for the reasons above, and
because I have no way to test it.

show more ...

Remove $NetBSD$ CVS tags. We no longer attempt to synch our rc.d files
with theirs, so this information doesn't need to be in the live file.
Having it in our CVS history is enough.

Backout this commit since it breaks startup and some scripts in
certain conditions. I haven't been able to find a better solution yet:

- Set a two read-only variables (${prefix} and ${etcdir}).

Backout this commit since it breaks startup and some scripts in
certain conditions. I haven't been able to find a better solution yet:

- Set a two read-only variables (${prefix} and ${etcdir}). This is
especially useful when using /etc/rc.d scripts with third-party
software installed from ports.
- Fix rc.d/sshd to work with openssh from ports using ${etcdir}
instead of hardcoded /etc.
- Reflect prefix/etcdir changes in rc.subr.8.

src/etc/rc.d/sshd: rev 1.9 -> 1.10
src/etc/rc.subr: rev 1.51 -> 1.52
src/share/man/man8/rc.subr.8: rev 1.11 -> 1.12

Approved by: cperciva (mentor)

show more ...

- Fix rc.d/sshd test on kern.random.sys.seeded.

PR: conf/94377
Submitted by: dwhite
Approved by: cperciva (mentor)
MFC after: 1 week