1.10.0 -> 1.10.1
----------------
- global modifications
--------------------
- changed version from 1.10.0 to 1.10.1
- changed software versions
openssh from version 4.6p1 to 4.7p1
1.9.0 -> 1.10.0
---------------
- global modifications
--------------------
- changed version from 1.9.0 to 1.10.0
- changed status from testing to stable
- corrected typos in releasenotes
1.8.3 -> 1.9.0
--------------
- global modifications
--------------------
- changed version from 1.8.3 to 1.9.0
- changed status from stable to testing
- required eisfair base version changed to 1.3.2
- required libssl version changed to 1.2.5 (OpenSSL 0.9.8e)
- changed software versions
openssh from version 4.5p1 to 4.6p1
- modifications for sshd
----------------------
- enhanced configuration checking
If SSH_PASSWDAUTH is set to 'no' SSH_USEPAM had to be set
to 'no' too. If this was not done login with password was
still possible.
A new check was included, showing the message
"SSH_PASSWDAUTH='no' requires SSH_USEPAM='no'"
if required.
- security enhancement
If the use of Subsystem sftp was prohibited by setting
SSH_ENABLE_SFTP='no', tools like FileZilla and WinSCP
could bypass this by starting /sbin/sftp-server directly.
Now sftp is delivered as /sbin/sftp-server.subsystem
and only if SSH_ENABLE_SFTP='yes' is set an appropriate
link /sbin/sftp-server -> /sbin/sftp-server.subsystem
will be created.
Attention:
If you choose protocols like 'SFTP (allow SCP fallback)'
or 'SCP' when using WinSCP, this simulates the existence
of sftp and will (unfortunately?) still work.
Tools that meet standards, like the Linux command line
sftp had no impact on this, but reported an error like
"Request for subsystem 'sftp' failed on channel 0"
if SSH_ENABLE_SFTP was set to 'no'.
- modifications for pure-ftpd
---------------------------
- The documentation for the options FTP_USER_BANDWIDTH and
FTP_ANONYMOUS_BANDWIDTH was wrong and both options could
be set at the same time.
FTP_USER_BANDWIDTH (option -T of pure-ftpd) and
FTP_ANONYMOUS_BANDWIDTH (option -t of pure-ftpd) can't
be used simultaneously because pure-ftpd stores the
values in one set of variables.
Witch option is used depends upon the order of the
appearance of the two options on the command line.
The values of the last option overwrites the values
of the preceding option.
Rules :
FTP_USER_BANDWIDTH enables bandwidth throttling for
Unix users, user anonymous and virtual users (if there
are no special settings using pure-pw usermod).
FTP_ANONYMOUS_BANDWIDTH enables bandwidth throttling
only for user anonymous.
It is no longer possible to set FTP_USER_BANDWIDTH
and FTP_ANONYMOUS_BANDWIDTH.
The documentation in /inet/etc/config.d and the
package documentation have been changed.
1.8.2 -> 1.8.3
--------------
- global modifications
--------------------
- changed version from 1.8.2 to 1.8.3
- changed software versions
tftpd from version 0.43 to 0.48
- modifications for xinetd
------------------------
Service files in directory /etc/xinetd.d will be
generated only if they contain elements of <service>.expert
files or if a <service>.expert file for this service
exists.
Up to version 1.8.2 the service files were unnecessarily
generated every time xinetd was started.
1.8.1 -> 1.8.2
--------------
- global modifications
--------------------
- changed version from 1.8.1 to 1.8.2
- changed software versions
tftpd from version 0.42 to 0.43
- enhanced documentation of SSH_PUBLIC_KEY_N
Thanks to Jean Wolter.
1.8.0 -> 1.8.1
--------------
- global modifications
--------------------
- changed version from 1.8.0 to 1.8.1
- changed software versions
openssh from Version 4.4p1 to 4.5p1
1.7.3 -> 1.8.0
--------------
- global modifications
--------------------
- changed version from 1.7.3 to 1.8.0
- changed status from testing to stable
- corrected typos in releasenotes
1.7.2 -> 1.7.3
--------------
- global modifications
--------------------
- A stupid error (wrong sequence removing/creating group and user)
when changing UID/GUID of User/Group sshd was corrected.
- When processing <service>.expert files a message like
"processing <service>.expert" is displayed.
1.7.1 -> 1.7.2
--------------
- global modifications
--------------------
- changed software versions
openssh from Version 4.3p2 to 4.4p1
Because openssh Version 4.4p1 always checks if user sshd exists,
user sshd and group sshd will be created during installation of
package inet. Before inet version 1.7.2 this was only done if
UsePrivilegeSeparation was set to yes (SSH_ENABLE_PRIV_SEPARATION).
Up to inet version 1.7.2 UID and GID 27 was used. This does not
conform to eisfair standard. Now UID 65 and GID 71 will be used.
Existing user and group with wrong ID will be deleted an recreated
with correct IDs.
1.7.0 -> 1.7.1
-------------
- global modifications
--------------------
- recompiled pure-ftpd and openssh because of change to OpenSSL 0.9.8c
1.6.3 -> 1.7.0
--------------
- global modifications
--------------------
- changed software versions
tftpd from version 0.41 to 0.42
openssh 4.3p2 recompiled and relinked with OpenSSL 0.9.8b
- corrected typo in /etc/init.d/inet_shlib
- modifications for pure-ftpd
---------------------------
- pure-ftpd is configured with --with-mysql
- new default for START_FTP is 'no'
- Check if kernel supports IPv6 is done and, if required,
parameter '-6' is added to the parameterlist of pure-ftpd
(See: http://linuxreviews.org/howtos/networking/IPv6-LinuxHowto/en/c719.html#AEN728)
- modifications for sshd
----------------------
- corrected awful bug in /etc/init.d/sshd
Procedure validate_sshd_config scrambled /etc/sshd_config
when checking SSH_LISTEN_ADDR_N and SSH_LISTEN_ADDR_#.
Thanks to Christian Treczoks.
- changed creation of file /root/.ssh/authorized_keys
If a newline is missing at the end of a key file
(SSH_PUBLIC_KEY_#) the missing newline will be added.
- modifications for xinetd
------------------------
- Implemented handling of <service>.expert files.
If a file named <service>.expert (e.g. ftp.expert)
exists in directory /etc/xinetd.d, this file is
included into the original service file <service>.
The following example shows what happens.
Original file /etc/xinetd.d/ftp
service ftp
{
server = /usr/sbin/pure-ftpd
server_args = -l unix -A -E -k 95% -I 15 -c 20 -S 21
socket_type = stream
protocol = tcp
wait = no
user = root
disable = no
}
Expert file /etc/xinetd.d/ftp.expert
per_source = 2
only_from = 192.168.1.11
Resulting file /etc/xinetd.d/ftp
service ftp
{
#B Expert
per_source = 2
only_from = 192.168.1.11
#E Expert
server = /usr/sbin/pure-ftpd
server_args = -l unix -A -E -k 95% -I 15 -c 20 -S 21
socket_type = stream
protocol = tcp
wait = no
user = root
disable = no
}
File /etc/xinetd.d/ftp.expert is included into
/etc/xinetd.d/ftp after the opening brace but
before the original contents of /etc/xinetd.d/ftp.
Two special comment lines are added
#B Expert
#E Expert
See:
http://www.die.net/doc/linux/man/man5/xinetd.conf.5.html
for a description of xinetd configuration files.
The above example limits ftp access to only one
IP-Address (only_from = 192.168.1.11) and in addition limits
the number of connections per source to 2
(per_source = 2).
Attention:
Be careful with this expert option, because you
may create erroneous configuration files.
Have a look to /var/log/messages whether xinetd starts
up with success.
Dont modify the two special comment lines.
They are important to remove/change the expert options
if you remove/change the <service>.expert file.
Handling of <service>.expert files is done every time
xinetd is started (e.g. /etc/init.d/xinetd start).
<service>.expert files follow an idea from Tobias Becker.
1.6.2 -> 1.6.3
--------------
- global modifications
--------------------
- changed software versions
pureftpd from version 1.0.20 to 1.0.21
1.6.1 -> 1.6.2
--------------
- global modifications
--------------------
- changed software versions
openssh from version 4.3p1 to 4.3p2
1.6.0 -> 1.6.1
--------------
- global modifications
--------------------
- changed software versions
openssh from version 4.2p1 to 4.3p1
- fixed typo in /var/install/config.d/inet_update.sh
1.5.5 -> 1.6.0
--------------
- global modifications
--------------------
- changed version from 1.5.5 to 1.6.0
- changed status from testing to stable
1.5.4 -> 1.5.5
--------------
- global modifications
--------------------
- Package inet now requires at least base version 1.1.5.
- changed software versions
zlib from version 1.2.2 to 1.2.3
openssh from version 4.1p1 to 4.2p1
openssl from version 0.9.7g to 0.9.8a
xinetd from version 2.3.13 to 2.3.14
tftpd from version 0.40 to 0.41
- removed use of obsolete variable ECHO_MODE from
/etc/init.d/inet_shlib
/etc/init.d/pure-ftpd
/etc/init.d/sshd
/etc/init.d/xinetd
- removed bad line from
/var/install/menu/setup.services.inet.menu
- corrected error in /var/install/deinstall/inet
menu entry was not removed on deinstall
- fixed problem with ACLs in /tmp/install.sh
procedure verify_host_keys
- changed /var/install/packages/inet
libwrap as <require-lib> not as <require-package>
- The following configuration was not handled correctly
START_SSH='no' but SSHD_START_METHOD='xi' and
START_FTP='no' but FTP_START_METHOD='xi'
sshd and pure-ftpd where available through xinetd
This bug has been corrected.
- modifications for sshd
----------------------
- All programs coming from OpenSSH are now using the
shared library libcrypto.so.0.9.8 instead of the
static library libcrypto.a. This saves a lot of space
(about 3 MB on disk and about 1 MB for inet.tar.gz).
1.5.3 -> 1.5.4
--------------
- global modifications
--------------------
- Package inet now requires at least base version 1.1.1.
Package inet now requires libwrap7-6
- menu format was changed to the new XML format
obsolte shell scripts removed
- changed software versions
zlib from version 1.2.1 to 1.2.2
openssh from version 3.9p1 to 4.1p1
openssl from version 0.9.7e to 0.9.7g
- the following libraries are no more part of the inet
package
libcrypto.so.0.9.7
and its links
libcrypto.so
libcrypto.so.0
libcrypto.so.0.9.6
libssl.so.0.9.7
and its links
libssl.so
libssl.so.0
libssl.so.0.9.6
libz.so.1.2.1
and its links
libz.so
libz.so.1
- the following files are not more part of the inet
package
/usr/bin/openssl
/usr/bin/ssl/c_hash
/usr/bin/ssl/c_info
/usr/bin/ssl/c_issuer
/usr/bin/ssl/c_name
/usr/bin/ssl/c_rehash
/usr/bin/ssl/c89.sh
install package CERT, if the files are required
- modifications for sshd
----------------------
- Default for SSH_LISTEN_ADDR_N is set to '0'
Deamon sshd will listen on all local addresses
when using this default.
Attention: this default will only be used if
no old configuration file was found.
- If you define listen addresses using a value
different from '0' for SSH_LISTEN_ADDR_N one
additional entry will be added by default.
ListenAddress 127.0.0.1 allows you to do
a "ssh localhost".
- File /etc/pam.d/sshd was added
- /etc/init.d/sshd was modified
The change takes effect if SSH_LISTEN_ADDR_N is not '0'.
Before the sshd daemon is started, the script tries
to find out if all ListenAddress(es) in /etc/sshd_config
are valid. In the past this was done using the variables
IP_ETH_N, IP_ETH_#_IPADDR from /etc/config.d/base.
The check is now enhanced using functions from
/var/install/include/inetlib. These functions get
the actual IP address of an interfaces using ifconfig.
This should make sshd work better with dynamic
configurations e.g. using package dhcpc.
- modifications for pure-ftpd
---------------------------
- the bad file /usr/local/ssl/certs/pure-ftpd.pem
from version 1.5.2 or 1.5.3 is replaced by a better
one if there is no self generated file.
- corrected generation of certfile
cert configuration file was not used
failure in creating temporary configuration file
cerficates are now valid for 365 days
added new default cerficate for pure-ftpd
1.5.2 -> 1.5.3
--------------
- global modifications
--------------------
Hotfix for base update 1.1.0 / 1.1.1
The following libraries in /lib
libcrypto.so.0.9.7
and its links
libcrypto.so
libcrypto.so.0
libcrypto.so.0.9.6
libssl.so.0.9.7
and its links
libssl.so
libssl.so.0
libssl.so.0.9.6
libz.so.1.2.1
and its links
libz.so
libz.so.1
are no longer restored if missing.
The libraries are now located in /usr/lib and are
contained in package base.
1.5.1 -> 1.5.2
--------------
- global modifications
--------------------
- This is the first version that was compiled and generated
on eisfair using the eisfair development environment.
- Package inet now requires at least base version 1.0.8.
- Shell scripts are using EISLIB (/var/install/include/eislib)
Package inet no more requires /local/bin/html_colecho.
changed /init.d/inet_shlib
removed function multi_echo
- changed software versions
openssl from version 0.9.7d to 0.9.7e
- changed software source
tftpd source is now
http://www.kernel.org/pub/software/network/tftp/
version 0.40
This version supports the "tsize" TFTP option
and works with PXELINUX.
The option -s (-s /tftpboot) is used by default
to obtain compatibility with the former tftpd.
Thanks to Nico Wallmeier and Thilo Gass.
- modified /var/install/config.d/inet.sh
There was a bug handling the home directory of
virtual users, because of an incorrect grep
statement.
- corrected /var/install/config.d/inet.sh
Use of variable TFTPD_ADD_ARGS went wrong.
Thanks to Torsten Hoellermann.
- corrected /etc/check.d/inet.exp
INET_PERCENTAGE used for FTP_LIMIT had a fault
Thanks to Thomas Unger.
- modifications for pure-ftpd
---------------------------
- pure-ftpd is configured with --with-tls
This enables an experimental support for
encryption of the control channel using SSL/TLS
security mechanisms.
Please read http://www.pureftpd.org/README.TLS
for further information.
- added the following option to /etc/config.d/inet
FTP_TLS='0'
'0' support for SSL/TLS is disabled
'1' clients can connect either the traditional
way or through an SSL/TLS layer
'2' cleartext sessions are refused and only
SSL/TLS compatible clients are accepted
Unfortunately pure-ftpd and FileZilla 2.2.10 are
not compatible. Core FTP Lite works fine.
- added "Create new certificate for pure-ftpd"
to the "pure-ftpd administration" menue
and the webconf menue.
- pure-ftpd is configured with --with-virtualhosts
The configuration of Virtual Hosts has to be done
manually.
- pure-ftpd is configured with --with-sysquotas
I never checked if this works, for I did not install
the "Quota Tools".
- modifications for sshd
----------------------
ssh is configured with the following options
--with-pam
This enables PAM support.
--with-tcp-wrappers
This enables TCP Wrappers (/etc/hosts.allow|deny) support.
- changed the implementation of
SSH_ALLOW_USER_N and SSH_ALLOW_USER_#
SSH_ALLOW_USER_N='0'
Number of user name patterns.
Login is allowed only for user names that
match one of the pattern. '*' and '?' can be
used as wildcards in the patterns.
Default: 0 - login is allowed for all users.
SSH_ALLOW_USER_1='root'
Example: First user name pattern.
- added the following option to /etc/config.d/inet
SSH_DENY_USER_N='0'
Number of user name patterns.
Login is disallowed only for user names that
match one of the pattern. '*' and '?' can be
used as wildcards in the patterns.
Default: 0 - login is allowed for all users.
SSH_DENY_USER_1='batch'
Example: First user name pattern.
SSH_ALLOW_GROUP_N='0'
Number of group name patterns.
Login is allowed only for users whose
primary group or supplemantary group
matches one of the pattern. '*' and '?' can
be used as wildcards in the patterns.
Default: 0 - login is allowed for all groups
SSH_ALLOW_GROUP_1='root'
Example: First group name pattern.
SSH_DENY_GROUP_N='0'
Number of group name patterns.
Login is disallowed only for users whose
primary group or supplemantary group
matches one of the pattern. '*' and '?' can
be used as wildcards in the patterns.
Default: 0 - login is allowed for all groups
SSH_DENY_GROUP_1='batch'
Example: First group name pattern.
See also the old option SSH_ALLOW_USER.
Please use this settings with care.
All four lists are checked when a login is
done. So wrong settings could exclude an
important user (e.g. root or eis) from login.
SSH_PERMITROOTLOGIN='yes'
Secifies whether root can login using ssh.
'yes' User root can login.
'no' User root can't login.
'without-password' Password authentication
for user root is disabled. Note that other
authentications (e.g. keyboard-interactive/
PAM) may still allow root to login using a
password.
'forced-commands-only' root login with
public key authentication will be allowed,
but only if the command option has been
specified. See command="command" option
for Authorized_Keys File Format in SSHD(8).
SSH_USEPAM='no'
Enable Pluggable Authentication Module
interface (PAM) 'yes' or 'no'.
This is a preparation for LDAP Authentication.
SSH_CH_RESPONSEAUTH='yes'
Allow challenge response authentication
'yes' or 'no'.
SSH_CLIENTALIVEINTERVAL='0'
Timeout interval in seconds for
client alive message.
Default: 0 - no message
SSH_CLIENTALIVECOUNTMAX='3'
Number of client alive messages
until disconnection.
Default: 3
SSH_LOGLEVEL='INFO'
Verbosity level that is used when
logging messages from sshd.
Values QUIET FATAL ERROR INFO VERBOSE
DEBUG DEBUG1 DEBUG2 DEBUG3 are allowed.
Default: INFO
Logging with a DEBUG level violates
the privacy of users and is not
recommended.
Some of this options are for expert users only.
Please use options that are unfamilar to you
with special care.
SSHD_CONFIG(8) is a good place to retrieve
information about all options.
- change menues "(Re)-Create SSH Server Keys"
You are no longer asked for a passphrase.
An empty passphrase is used for all keys.
You are no longer asked to allow deletion of
key files. Key file are deleted before they
are recreated.
1.5.0 -> 1.5.1
--------------
- global modifications
--------------------
- changed software versions
pureftpd from version 1.0.18 to 1.0.19 (1.0.20)
openssh from version 3.8p1 to 3.9p1
- corrected two bugs in /etc/init.d/inet_shlib
verify_pidfile and check_start did not work
well when checking processes with a name
longer than 15 characters
- removed all links from the distribution file
links are created in /tmp/install.sh
- changed deinstallation of package inet to
strict mode. This means that the following
files are removed:
/etc/ftpusers
/etc/pureftpd.pdb
/etc/pureftpd.passwd
/etc/config.d/inet
FTP-Log identified by FTP_LOG_PATH
If this directories are empty, they will be
removed.
/tftpboot
/etc/xinetd.d
/home/ftp
/home/vftp
If this users do not own any files or directories
they will be deleted
ftp
vftp
User sshd and group sshd will be removed.
The SSH Server Keys (Host Keys) are not deleted.
- minimized number of messages during start and
stop of services
- minimized number of messages during configuration
processes
- modifications for pure-ftpd
---------------------------
- when using pure-uploadscript start and stop
of pure-ftpd does no longer show invalid
error messages
Thanks to Thomas Unger for his advice.
- modifications for webconf
-------------------------
- changed call of add_advancedconfigmenu
and del_advancedconfigmenu
- removed bug in webconf function
Show pure-ftpd virtual user if
pure-ftpd virtual users are not enabled
or file /etc/pureftpd.passwd is not readable
1.4.1 -> 1.5.0
--------------
- global modifications
--------------------
- corrected two error messages in /check.d/inet.ext
FTP_START_METHOD='xi' requires START_XINETD='yes'
SSHD_START_METHOD='xi' requires START_XINETD='yes'
- If advanced configuration file handling is available
(will be released with eisfair 1.0.5)
it will be included into the inet menu structure
- the following libraries are no longer removed
when package inet is removed
libcrypto.so.0.9.7
and its links
libcrypto.so
libcrypto.so.0
libcrypto.so.0.9.6
libssl.so.0.9.7
and its links
libssl.so
libssl.so.0
libssl.so.0.9.6
libz.so.1.2.1
and its links
libz.so
libz.so.1
Version 1.5.0 still contains these libraries in
directory /tmp/lib.
If the libraries are not existent in /lib
they will be copied from /tmp/lib to /lib.
Future relaeses of this package will not contain
the libraries. They will be loaded to your server
using the upcoming new eisfair library concept.
- added option forcestart to
/etc/init.d/pure-ftpd
/etc/init.d/sshd
/etc/init.d/xinetd
By running
/etc/init.d/pure-ftpd forcestart
you are able start the pure-ftpd daemon even
START_FTP was set to 'no'.
Similar handling für
/etc/init.d/sshd to follow START_SSH and
/etc/init.d/xinetd to follow START_XINETD.
- modifications for webconf
-------------------------
- changed design of tables in
List pure-ftpd virtual users
Check pure-ftpd virtual users
/var/install/prep/inet.pureftpd.checkvusers.sh
/var/install/prep/inet.pureftpd.listvusers.sh
- added form "Report current FTP sessions / kill session"
to menue pure-ftpd administration
/var/install/form/inet.pureftpd.admin
/var/install/form/inet.pureftpd.pure-ftpwho
/var/install/prep/inet.pureftpd.pure-ftpwho.sh
/var/install/servadm/inet.pureftpd.clean.sh
/var/install/servadm/inet.pureftpd.pure-ftpwho.sh
- added form "View FTP transfer log"
to menue pure-ftpd administration
/var/install/form/inet.pureftpd.viewlog
/var/install/prep/inet.pureftpd.viewlog.sh
- modifications for sshd
----------------------
- added variable SSH_PASSWDAUTH to
/etc/config.d/inet
Default SSH_PASSWDAUTH='yes'
Allow password authentication 'yes' or 'no'.
If password authentication is not allowed you
have to use key authentication.
Check that this works before you change
SSH_PASSWDAUTH to 'no'.
1.4.0 -> 1.4.1
--------------
- global modifications
--------------------
Hotfix for base update 1.1.0 / 1.1.1
All Libraries where removed
/lib/libcrypto.so
/lib/libcrypto.so.0
/lib/libcrypto.so.0.9.6
/lib/libcrypto.so.0.9.7
/lib/libssl.so
/lib/libssl.so.0
/lib/libssl.so.0.9.6
/lib/libssl.so.0.9.7
/lib/libz.so
/lib/libz.so.1
/lib/libz.so.1.2.1
Statement
rm -f /usr/lib/libz.so.1
invalidated in /tmp/preinstall.sh
1.3.2 -> 1.4.0
--------------
- global modifications
--------------------
- changed version from 1.3.2 to 1.4.0
- changed status from testing to stable
1.3.1 -> 1.3.2
--------------
- global modifications
--------------------
- changed software versions
openssl from version 0.9.7c to 0.9.7d
1.3.0 -> 1.3.1
--------------
- global modifications
--------------------
- changed software versions
zlib from version 1.1.4 to 1.2.1
xinetd from version 2.3.12 to 2.3.13
pureftpd from version 1.0.17a to 1.0.18
openssh from version 3.7.1p2 to 3.8p1
- included check of base package version
into /tmp/preinstall.sh
- default configuration file changed
old /etc/config.d/inet.default
new /etc/default.d/inet
- corrected some regexps in
/var/install/form/inet
- corrected bug in
/etc/check.d/inet.ext
- corrected bug in
/etc/check.d/inet
SSH_PUBLIC_KEY_% may contain blanks
(NOBLANK changed to NONE)
Thanks to Armin Behrendt for his advice.
- changed order of configuration parameters
in /etc/config.d/inet
parameters for ssh appear first
parameters for pure-ftpd come next
- modified experimental support for webconf
files:
/local/bin/html_colecho
/var/install/form
/var/install/form/inet.docu
/var/install/form/inet.main
/var/install/form/inet.create.sshkeys
/var/install/form/inet.pureftpd.admin
/var/install/form/inet.pureftpd.checkvusers
/var/install/form/inet.pureftpd.listvusers
/var/install/form/inet.pureftpd.showvuser
/var/install/help/inet
/var/install/prep
/var/install/prep/inet.pureftpd.checkvusers.sh
/var/install/prep/inet.pureftpd.listvusers.sh
/var/install/prep/inet.pureftpd.showvuser.sh
/var/install/servadm
/var/install/servadm/inet.create.sshkeys.sh
/var/install/servadm/inet.pureftpd.clean.sh
/var/install/servadm/inet.pureftpd.showvuser.sh
webconf 0.40.4 or higher is required
- modifications for pure-ftpd
---------------------------
- changed ./configure options for pure-ftpd
added
--with-largefile
Support downloading of files larger than
2 gigabytes on 32-bit architectures.
- added option to FTP_LOG_FORMAT
FTP_LOG_FORMAT now allows format xferlog.
Xferlog is the traditional format created by wu-ftpd
FTP_LOG_FORMAT='CLF'
Format of alternative log file. The values
'CLF', 'Stats', 'W3C' and 'xferlog' are allowed.
- modifications for sshd
----------------------
- The sshd ListenAddress(es) are checked
at every startup of the sshd daemon.
The message:
Checking sshd ListenAddress(es) ...
is displayed.
If an invalid ListenAddress is found in
/etc/shhd_config a new file is created
using the actual settings from both
configuration files /etc/config.d/inet
and /etc/config.d/base.
This modification tries to gurantee that a
sshd session is possible even if
IP-Address(es) where changed in
/etc/config.d/base and the configuration
of sshd was not updated using the eis
menue "Service administration".
This does not garantee that all other
services using IP-Addrsses are also
available. But a sshd session allows you
to check and reconfigure the system.
- generation of /etc/sshd_config was changed
line
AuthorizedKeysFile /root/.ssh/authorized_keys
is now generated as a comment
#AuthorizedKeysFile /root/.ssh/authorized_keys
so the new default is
AuthorizedKeysFile %h/.ssh/authorized_keys
This allows every user to have an authorized_keys
file in subdirectory .ssh of the home directory.
- changed default of SSH_USE_SSH1
New installation default is 'no'.
Your configuration will not be changed
when doing an update.
A user trying to use the SSH1 protocol will
get the error message
'Protocol major versions differ: 1 vs. 2'
if SSH1 protocol is not allowd.
To allow connections to your server using the
SSH1 protocol you explicitly have to change the
value to 'yes'.
Thanks to Frank Hemmerling for this security
consideration.
- added script ssh-copy-id
- change to SSH_PUBLIC_KEY_#
If the first character of SSH_PUBLIC_KEY_#
is a slash (/) the value is interpreted
as an absolut pathname of a file. The
content of this file is added to the file
/root/.ssh/authorized_keys
1.2.0 -> 1.3.0
--------------
- global modifications
--------------------
- changed software versions
pureftpd from version 1.0.14 to 1.0.17a
xinetd from version 2.3.11 to 2.3.12
openssh from version 3.6.1p1 to 3.7.1p2
openssl from version 0.9.7b to 0.9.7c
- removed all man pages from the package
because of a decision made by the
Eisfair Developer Team September, 14th 2003
- using /var/install/bin/doc
to show all documents and files
- added eischk to check the configuration file
files:
/etc/check.d/inet
/etc/check.d/inet.exp
/etc/check.d/inet.ext
- added experimental support for webconf
files:
/local/bin/html_colecho
/var/install/form/inet
/var/install/form/inet.change
/var/install/form/inet.main
/var/install/form/inet.status
/var/install/help/
/var/install/help/inet
/var/install/prep/
/var/install/prep/prep_change_inet_status.sh
/var/install/prep/prep_inet_status.sh
/var/install/servadm/
/var/install/servadm/change_pureftpd_status.sh
/var/install/servadm/change_sshd_status.sh
/var/install/servadm/change_xinetd_status.sh
/var/install/servadm/clean_inet_status.sh
- adjusted file access permissions for file
/var/install/menu/setup.services.inet.menu
- added menues
Inet documentation
Show inet package documentation
Show inet package changes
pure-ftpd administration
List pure-ftpd virtual users
Show info about a pure-ftpd virtual user
Check pure-ftpd virtual users
- modified
/etc/init.d/sshd
/etc/init.d/pure-ftpd
/etc/init.d/xinetd
/tmp/preinstall.sh
/tmp/install.sh
/var/install/bin/inet-edit
/var/install/bin/sshd-create_keys
/var/install/config.d/inet.sh
/var/install/deinstall/inet
- added /init.d/inet_shlib
added function multi_echo
function kill_and_wait
function check_start
modified function verify_pidfile
- modifications for pure-ftpd
---------------------------
- changed documentation for FTP_HANGUP_TIME
hangup time is in minutes not in seconds
- added FTP_HARDKILL='no'
kill all pure-ftpd processes, when stopping
the main pure-ftpd daemon 'yes' or 'no'.
'yes' all pure-ftpd processes are killed
'no' only main pure-ftpd is killed
Requires FTP_START_METHOD='st'.
- changed start command from
/usr/sbin/pure-ftpd $ARGS to
nohup /usr/sbin/pure-ftpd $ARGS >/tmp/pure-ftpd.$$ 2>&1 &
to avoid hanging of mini_httpd when using webconf
(I don't understand what's going on)
- the code to handle virtual users was rewritten
Now a virtual user is only modified if the password
or the home directory has changed.
You will receive a message like
Modifying virtual user <user> (directory password)
if both has changed.
- added the following option to /etc/config.d/inet
FTP_VIRTUAL_USERS_DELETE='no'
Delete virtual users that are no more listed
in a FTP_VIRTUAL_USERS_#_USERNAME variable
If you set FTP_VIRTUAL_USERS_DELETE to 'yes'
only those virtual users listed in the actual
configuration file will be available.
Other virtual users will be deleted, but
their home directories will still be there.
For compatiblity to older versions this
variable defaults to 'no'.
- modifications for sshd
----------------------
- file /etc/sshd_config
option
RhostsAuthentication=no
deleted because sshd 3.7.1p2 deprecates it
- added the following option to /etc/config.d/inet
SSHD_START_METHOD='st'
Start method for sshd.
'st' start sshd as standalone server.
'xi' start sshd via xinetd.
'xi' requires START_XINETD='yes'.
Have a look at /etc/xinitd.d/sshd to see some
security attributes that are available when
starting sshd via xinetd.
Look at the xinetd.conf man page to find out
more about this attributes.
(Thanks to Tobias Becker for his proposal)
- time service
------------
added time service
ENABLE_TIME_SERVICE='no'
enable time service UPD and TCP
on port 37: 'yes' or 'no'
'yes' requires START_XINETD='yes'
1.2.2 -> 1.2.3
--------------
security update
all changes of this update are contained in 1.3.0
1.2.1 -> 1.2.2
--------------
security update
all changes of this update are contained in 1.3.0
1.2.0 -> 1.2.1
--------------
security update
all changes of this update are contained in 1.30
1.1.1 -> 1.2.0
--------------
- global modifications
--------------------
- changed SSH Server Key generation during installation.
Existing SSH Server Keys are not (!) deleted.
SSH Server Keys (Host Keys) stored in
/etc/ssh_host_key
/etc/ssh_host_rsa_key
/etc/ssh_host_dsa_key
are checked.
If the keys are invalid, they are deleted.
New keys are generated without asking for a passphrase.
An empty passphrase is used (-N "").
- SSH-Keys are no more deleted when inet is deinstalled
- modifications for pure-ftpd
---------------------------
- converted
/usr/share/doc/inet/examples/create_dot_ftpquota.sh
from DOS file to Unix file
1.1.0 -> 1.1.1
--------------
- global modifications
--------------------
- changed software versions
openssh from version 3.5p1 to 3.6.1p1
openssl from version 0.9.7a to 0.9.7b
xinetd from version 2.3.10 to 2.3.11
- Configuration file /etc/config.d/inet
will be saved when installing a new version
of the inet package.
The "old" configuration parameters will be
retained unchanged and are transferred into
the "new" configuration.
- Configuration file /etc/config.d/inet
will not be removed when uninstalling
the inet package
If you wish to remove the file,
please do it by yourself.
- modifications for xinetd
------------------------
- added man pages for xinetd
xinetd.8 xinetd.conf.5 xinetd.log.5
- modifications for pure-ftpd
---------------------------
- modified /etc/init.d/pure-ftpd
FTP_DONT_CHROOT_GROUP didn't work
(Thanks to Peter Schmitz for this correction)
Using the -B argument to start pure-ftpd to have the
standalone server start in background (daemonization)
(Thanks to Mathias Gumz for his proposal)
- modified /var/install/bin/ftpd-start
no background handling of /etc/init.d/pure-ftpd
- added pure-quotacheck and it's man page pure-quotacheck.8
added /usr/share/doc/inet/examples/create_dot_ftpquota.sh
This script can be used to create .ftpquota files
for all non-system users found in /etc/passwd and
all virtual users found in /etc/pureftpd.passwd.
- added pure-uploadscript and it's man page pure-uploadscript.8
- added pure-statsdecode and it's man page pure-statsdecode.8
- added /etc/pureftpd.pdb.empty
This <puredb_database_file> will be installed
as /etc/pureftpd.pdb if no /etc/pureftpd.pdb
exists.
- removed faulty "rmdir /home/ftp" command
from /tmp/preinstall
/home/ftp is used for anonymous ftp users.
/home/ftp will be created when it is missing.
- changed ./configure options for pure-ftpd
old options:
--with-ftpwho
--with-puredb
--with-virtualchroot
--with-language=english
--with-throttling
--with-altlog
--with-quotas
added options are:
--with-uploadscript
--with-peruserlimits
--with-ratios
--with-pam
- added the following option to /etc/config.d/inet
FTP_SHOW_ARGS='no'
Show all arguments for pure-ftpd on startup.
'yes' enables this debugging option.
FTP_START_METHOD='st'
Start method for pure-ftpd.
'st' start pure-ftpd as standalone server.
'xi' start pure-ftpd via xinetd.
'xi' requires START_XINETD='yes'.
FTP_USE_PAM='no'
Use PAM authentication instead of Unix
authentication (the traditional
/etc/passwd file).
If set to 'yes' the file /etc/ftpusers
is verified. This file contains
the list of users that aren't allowed
to use the PureFTPd.
Example: the lines
bill
paul
in /etc/ftpusers disallows bill and paul
to log in.
FTP_UPLOADSCRIPT_ARGS=''
Arguments for pure-uploadscript.
When set, pure-ftpd will be startet with
argument -o and pure-uploadscript
with argument $FTP_UPLOADSCRIPT_ARGS
will be startet in the background.
Example '-r /tmp/scanner.sh'.
See /usr/share/doc/inet/pure-uploadscript.8
for a documentation of pure-uploadscript.
/usr/share/doc/inet/examples contains
the dummy example script scanner.sh.
pure-uploadscript can not be used,
when FTP_START_METHOD is set to 'xi'.
Visit www.pureftpd.org for a detailed
description.
FTP_MAXCON_PER_IP=''
Maximum number of connections per IP.
Limit the number of simultanous connections
coming from the same IP address to n.
Requires FTP_START_METHOD='st'.
FTP_LIST_DOT_FILES='no'
List files beginning with a dot ('.')
even when the client doesn't append the
'-a' option to the list command.
This is a workaround for badly configured
FTP clients.
FTP_ONLY_ANONYMOUS='no'
Only allow anonymous users.
FTP_DISALLOW_RENAMING='no'
Disallow renaming of files.
FTP_DISALLOW_ANONYMOUS_UPLOAD='no'
Disallow upload for anonymous users.
FTP_MAX_CPU_LOAD=''
Don't allow anonymous download if the
load is above <cpu load> .
Upload is still allowed, though.
FTP_UMASKS=''
Format <umask for files>:<umask for dirs>.
Change the file creation mask.
The default is 133:022.
FTP_MAX_LOGINS=''
Format <max user logins>:<max anonymous logins>.
It restricts the number of concurrent
sessions the same user can have.
A null value ('0') means 'unlimited'.
FTP_FILE_QUOTA=''
PureFTPd's virtual quota mechanism.
Format <max files>:<max size>.
<max size> is in Megabytes.
Quotas are enabled for all users, except
for users of trusted groups.
See FTP_DONT_CHROOT_GROUP.
To create the required .ftpquota files
see pure-quotacheck.
FTP_USER_BANDWIDTH=''
Enable bandwidth limitation for normal user.
Format [<upload>]:[<download>].
Bandwidth is specified in kilobytes/seconds.
Examples:
256:64 256 KB/s for uploads, 64 KB/s for downloads
256: 256 KB/s for uploads, no limit for downloads
:64 no limit for uploads, 64 KB/s for downloads
FTP_ANONYMOUS_BANDWIDTH=''
Enable bandwidth limitation for virtual user.
See FTP_USER_BANDWIDTH.
FTP_ANONYMOUS_RATIO=''
Enable ratios for anonymous users.
Format <upload ratio>:<download ratio>.
Ratio is specified in Mbyte.
For example 2:5 means that an anonymousi
user has to upload at least 2 Mb of goodies to be
able to download 5 Mb.
FTP_ALL_USER_RATIO=''
Enable ratios for everybody (anonymous
and non-anonymous).
See FTP_ANONYMOUS_RATIO.
1.0.6 -> 1.1.0
--------------
- added /usr/share/doc/inet/changes.txt (this file)
- changed software versions
pureftpd from version 1.0.11 to 1.0.14
openssl from version 0.9.6e to 0.9.7a
openssh from version 3.4p1 to 3.5p1
xinetd from version 2.3.4 to 2.3.10
- changed ./configure options for pure-ftpd
new options are:
--with-ftpwho
--with-puredb
--with-virtualchroot
--with-language=english
--with-throttling
--with-altlog
--with-quotas
- changed SSH Server Key generation during installation.
Existing SSH Server Keys are deleted.
SSH Server Keys (Host Keys) stored in
/etc/ssh_host_key
/etc/ssh_host_rsa_key
/etc/ssh_host_dsa_key
are generated without asking for a passphrase.
An empty passphrase is used (-N "").
If you know what you are doing, you
might generate Host Keys with a passphrase
using "(Re)-Create SSH Server Keys".
- SSH-Keys are deleted when inet is deinstalled
- modified /tmp/preinstall.sh
/tmp/install.sh
delete all obsolete files from version 1.0.6
changed dynamic chown / chmod to correct
files delivered inside the tar file
- modified /var/install/deinstall/inet
added some files
- added /var/empty
used by sshd during privilege separation in
the pre-authentication phase
- modified /etc/config.d/inet and
/install/config.d/inet.sh
using a lot of proposals from Jürgen Edner.
Gathered some ideas from Florian Zierers
opt_pftpd for fli4l.
A lot of coding in /install/config.d/inet.sh
was done by Jürgen Edner.
Many thanks to both.
- added options to configure pure-ftpd
FTP_LIMIT='95'
Don't allow uploads if the partition is more than
<percentage>% full. Using pure-ftpd's -k switch.
FTP_LOG='no'
Enable ('yes') or disable ('no') recording of
all file transfers into a specific log file,
in an alternative format.
FTP_LOG_FORMAT='CLF'
Format of alternative log file. The values
'CLF', 'Stats' and 'W3C' are allowed.
FTP_LOG_PATH='/var/log/pure-ftpd.log'
Log file name for alternative log file.
FTP_ADD_ARGS=''
Additional arguments / switches for
pure-ftpd. See pure-ftpd documentation.
Please use this option only if you know
what you are doing.
FTP_PORT='21'
Listen for an incoming connection on port
FTP_PORT.
FTP_VIRTUAL_USERS_x_PASSWD=''
Password for virtual user x.
If you set a password to '', you will be asked to
enter the password when the user is created.
If you define a password, the virtual user will
be created without asking.
To keep security the password will be changed
to '******' after creating the user.
At this time no password changing can be done
using the config file.
If you want to use the Webconf Package, you'll
have to define passwords for all virtual users.
Modified checking of virtual users to
avoid some errors. E.g. mismatch between
FTP_VIRTUAL_USERS_N and really defined users.
Stronger checking of /etc/pureftpd.passwd
to see if user already exist.
Corrected error when trying to create user ftp.
User ftp is used for anonymous ftp.
- added in.tftpd
START_TFTPD='no'
Valid values are 'yes' and 'no'.
tftpd requires xinetd.
tftpd is invoked with argument /tftpboot
so tfptd is restricted to this directory.
Thanks to Christoph Peus for preparing this section.
Read http://fli4l.de/german/howtos/howto-netzboot-fli4l.htm
to boot your fli4l-Router using your eisfair server.
TFTPD_ADD_ARGS=''
Additional arguments / switches for tftpd.
See tftpd documentation.
Please use this option only if you know
what you are doing.
- added many options to configure sshd
SSH_PORT='22'
ssh port, see also FIREWALL_DENY_PORT_x
SSH_USE_SSH1='yes'
use ssh1 protocol - default: yes
SSH_USE_SSH2='yes'
use ssh2 protocol - default: yes
SSH_SVR_KEYBITS='1536'
server keybits - default: 1536
value 512, 768 or 1536
SSH_LISTEN_ADDR_N='1'
number of addresses sshd should listen to.
0 - listen on all local ports.
SSH_LISTEN_ADDR_1='1'
first ip address, sshd should listen to.
use n'th ethernet card configured in /etc/config.d/base
SSH_ALLOW_USER_N='0'
number of users sshd login has been granted to
default: 0 - login is allowed for all users
SSH_ALLOW_USER_1='root'
first user, sshd access has been granted
remember that users must exist in /etc/passwd
SSH_PUBLIC_KEY_N='0'
number of public keys to add to /.ssh/authorized_keys
SSH_PUBLIC_KEY_1=''
public key (identity.pub) generated by ssh-keygen
SSH_MAX_STARTUPS='10'
maximum number of concurrent unauthenticated
connections. default: 10
SSH_ENABLE_PRIV_SEPARATION='no'
enable user privilege separation: yes or no
If you set SSH_ENABLE_PRIV_SEPARATION to 'yes'
you probably have to set SSH_COMPRESSION tp 'no'
See http://www.afp548.com/Articles/security/ssh34p1.html
SSH_COMPRESSION='yes'
allow compression: yes or no
SSH_STRICTMODES='yes'
Use Strictmodes: yes or no
SSH_ENABLE_SFTP='yes'
activate sftp: yes or no
- file /var/log/lastlog
will be created when installing inet
This will result in messages like
Last login: Sun Jan 26 13:00:58 2003 from speedy.ap.de
when you log in.
- file /usr/bin/ssl/c_rehash contains
#!/usr/bin/perl instead of
#!/usr/bin/perl5 to run perl