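#!/bin/sh
#----------------------------------------------------------------------------
# /var/install/bin/ssh-validate-sshd-config - check sshd config
#
# Checks every active SSH_LISTEN_ADDR_<n> entry from /etc/config.d/ssh:
#   - the value must be a number that refers to an IP_ETH_<n> interface
#     defined in /etc/config.d/base,
#   - the IP address of that interface (the live address, if it differs
#     from base) must appear as a ListenAddress line in sshd_config.
# If an active entry is missing from sshd_config, the file is regenerated:
# the previous file is kept as <file>.invalid, all ListenAddress lines are
# dropped and replaced by 127.0.0.1 plus every valid address that was found
# (or 0.0.0.0 when none was found).
#
# Globals read: SSH_LISTEN_ADDR_N, SSH_LISTEN_ADDR_<n>,
#               SSH_LISTEN_ADDR_<n>_ACTIVE, IP_ETH_N, IP_ETH_<n>_IPADDR
# Helpers expected from the sourced include files: mecho, anykey,
#               get_ipaddr, get_interface
#
# Creation: 2012-09-21 hbfl
# Last Update: $Id$
#
# Copyright (c) 2002-2012 Ansgar Puester, ansgar.puester(at)freenet(dot)de
# Copyright (c) 2012-2012 Holger Bruenjes, holgerbruenjes(at)gmx(dot)net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------

# include eislib
. /var/install/include/eislib

# include inetlib
. /var/install/include/inetlib

# base config
. /etc/config.d/base

# ssh config
. /etc/config.d/ssh

sshd_config_file=/etc/ssh/sshd_config

#######################################
# Test whether a value is a non-empty string of decimal digits.
# Arguments: $1 - value to test
# Returns:   0 if $1 consists of digits only, 1 otherwise
#######################################
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

#######################################
# Check whether sshd_config already holds a ListenAddress line for an IP.
# The address is matched literally (dots are escaped) and must be followed
# by end of line or a non-digit, so 10.0.0.1 does not accept 10.0.0.10.
# Globals:   sshd_config_file (read)
# Arguments: $1 - IP address
# Returns:   0 if a matching ListenAddress line exists, non-zero otherwise
#######################################
listen_address_configured() {
    ip_re=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    grep -qE "^ListenAddress[[:space:]]+${ip_re}([^0-9]|\$)" "$sshd_config_file"
}

#######################################
# Replace all ListenAddress lines in sshd_config.
# Keeps the previous file as <file>.invalid, then writes 127.0.0.1 and the
# addresses given in $1 (or 0.0.0.0 when $1 is empty).
# Globals:   sshd_config_file (read)
# Arguments: $1 - whitespace separated list of valid IP addresses
# Outputs:   progress messages via mecho
# Returns:   0 on success, 1 if the backup could not be written
#######################################
rebuild_listen_addresses() {
    backup="$sshd_config_file.invalid"
    mecho --error "Creating new $sshd_config_file"
    # never truncate sshd_config before the backup really exists
    if ! cp -p "$sshd_config_file" "$backup"; then
        mecho --error "Cannot create backup $backup, $sshd_config_file left unchanged"
        return 1
    fi
    grep -v '^ListenAddress' "$backup" > "$sshd_config_file"
    # restore ListenAddress to localhost
    printf '%s\n' 'ListenAddress 127.0.0.1' >> "$sshd_config_file"
    if [ -n "$1" ]; then
        mecho --error "Using IP-Addresses $1"
        # word splitting on $1 is intended: it holds several addresses
        for addr in $1; do
            printf 'ListenAddress %s\n' "$addr" >> "$sshd_config_file"
        done
    else
        mecho --error "Using IP-Address 0.0.0.0"
        printf '%s\n' 'ListenAddress 0.0.0.0' >> "$sshd_config_file"
    fi
    return 0
}

# ---------------------------------------------------------------------------
# check config
# ---------------------------------------------------------------------------
invalid=0
valid_ips=''
listen_n=${SSH_LISTEN_ADDR_N:-0}
eth_n=${IP_ETH_N:-0}

idx=0
while [ "$idx" -lt "$listen_n" ]; do
    # increment first so that 'continue' never skips it
    idx=$((idx + 1))
    eval active='${SSH_LISTEN_ADDR_'${idx}'_ACTIVE}'
    [ "$active" = "yes" ] || continue

    eval laddr='${SSH_LISTEN_ADDR_'${idx}'}'
    if [ -z "$laddr" ]; then
        mecho --error "Empty Listenaddress SSH_LISTEN_ADDR_$idx ignored"
        continue
    fi
    # validate the value before it is used in a numeric test or in eval
    if ! is_number "$laddr"; then
        mecho --error "Invalid SSH_LISTEN_ADDR_$idx ($laddr) ignored"
        continue
    fi
    if [ "$laddr" -gt "$eth_n" ]; then
        mecho --error "SSH_LISTEN_ADDR_$idx ($laddr) is not defined in /etc/config.d/base"
        invalid=1
        continue
    fi

    # $laddr is digits only here, so the eval cannot execute anything else
    eval ipaddr='${IP_ETH_'${laddr}'_IPADDR}'
    act_ipaddr=$(get_ipaddr "$laddr")
    act_interface=$(get_interface "$laddr")
    if [ -z "$ipaddr" ]; then
        mecho --error "Empty IP Address IP_ETH_${laddr}_IPADDR ignored"
    fi
    if [ -n "$act_ipaddr" ] && [ "$ipaddr" != "$act_ipaddr" ]; then
        mecho --warn "Actual IP Address for interface $act_interface ($act_ipaddr) is different"
        mecho --warn "to the value ($ipaddr) found in /etc/config.d/base."
        mecho --warn "Actual IP Address will be used for sshd."
        ipaddr="$act_ipaddr"
    fi
    # no usable address at all: nothing to validate and nothing to keep
    [ -n "$ipaddr" ] || continue

    # valid address found
    valid_ips="${valid_ips:+$valid_ips }$ipaddr"
    if ! listen_address_configured "$ipaddr"; then
        invalid=1
    fi
done

if [ "$invalid" -eq 1 ]; then
    mecho --error "Current ListenAddress settings for sshd are invalid"
    rebuild_listen_addresses "$valid_ips"
else
    mecho --info "Current ListenAddress settings for sshd are valid"
fi

anykey
exit 0
# ---------------------------------------------------------------------------
# end
# ---------------------------------------------------------------------------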