Re: [PATCH] Add sshd support for non-s390 platforms.


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 Oct 2009, Peter Jones wrote:

This leaves the sshd support on s390 intact and functional (testing
needed), and at the same time adds the ability to ssh in and get a terminal
on non-s390 platforms.
This all looks fine to me.

---
anaconda             |   26 ++++++++++++++++++
flags.py             |   12 +++++---
loader/linuxrc.s390  |    2 +-
scripts/mk-images    |   72 ++++++++++++++++++++++++++++---------------------
scripts/upd-instroot |   24 +++++++++-------
5 files changed, 89 insertions(+), 47 deletions(-)

diff --git a/anaconda b/anaconda
index d1d2ba2..b774736 100755
--- a/anaconda
+++ b/anaconda
@@ -396,6 +396,30 @@ def setupGraphicalLinks():
        except:
	    pass

+def createSshKey(algorithm, keyfile):
+    path = '/etc/ssh/%s' % (keyfile,)
+    argv = ['-q','-t',algorithm,'-f',path,'-C','','-N','']
+    iutil.execWithRedirect('ssh-keygen', argv, searchPath=1)
+
+def startSsh():
+    if not flags.sshd:
+        return
+    if iutil.isS390():
+        return
+
+    childpid = os.fork()
+    if not childpid:
+        ssh_keys = {
+            'rsa1':'ssh_host_key',
+            'rsa':'ssh_host_rsa_key',
+            'dsa':'ssh_host_dsa_key',
+            }
+        for (algorithm, keyfile) in ssh_keys.items():
+            createSshKey(algorithm, keyfile)
+        args = ["/sbin/sshd", "-f", "/etc/ssh/sshd_config.anaconda"]
+        os.execv("/sbin/sshd", args)
+        sys.exit(1)
+
class Anaconda:
    def __init__(self):
        self.intf = None
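Review bot: If `os.execv` fails in the forked child of `startSsh`, it raises OSError, so the `sys.exit(1)` after it is never reached and the exception propagates out of `startSsh()` in a process that is a copy of the installer. Wrap the child branch in `try:` … `finally: os._exit(1)` so the child always terminates and does so without running the parent's cleanup handlers. The parent also never waits on `childpid`, and `createSshKey` discards the result of `iutil.execWithRedirect('ssh-keygen', argv, searchPath=1)`, so a failed key generation goes unnoticed; logging a non-zero result would make a missing host key diagnosable. The `'rsa1'` entry is only worth generating if sshd_config.anaconda still enables SSH protocol 1, which the visible part of the config does not show.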
@@ -573,6 +597,8 @@ if __name__ == "__main__":

    warnings.showwarning = AnacondaShowWarning

+    startSsh()
+
    setupTranslations()

    # reset python's default SIGINT handler
diff --git a/flags.py b/flags.py
index ce77621..93472e3 100644
--- a/flags.py
+++ b/flags.py
@@ -86,17 +86,19 @@ class Flags:
        self.__dict__['flags']['cmdline'] = self.createCmdlineDict()
        self.__dict__['flags']['useIPv4'] = True
        self.__dict__['flags']['useIPv6'] = True
+        self.__dict__['flags']['sshd'] = 1
        # for non-physical consoles like some ppc and sgi altix,
        # we need to preserve the console device and not try to
        # do things like bogl on them.  this preserves what that
        # device is
        self.__dict__['flags']['virtpconsole'] = None

-        if self.__dict__['flags']['cmdline'].has_key("selinux"):
-            if self.__dict__['flags']['cmdline']["selinux"]:
-                self.__dict__['flags']['selinux'] = 1
-            else:
-                self.__dict__['flags']['selinux'] = 0
+        for x in ['selinux','sshd']:
+            if self.__dict__['flags']['cmdline'].has_key(x):
+                if self.__dict__['flags']['cmdline'][x]:
+                    self.__dict__['flags'][x] = 1
+                else:
+                    self.__dict__['flags'][x] = 0

        if self.__dict__['flags']['cmdline'].has_key("debug"):
            self.__dict__['flags']['debug'] = self.__dict__['flags']['cmdline']['debug']
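Review bot: `self.__dict__['flags']['sshd'] = 1` makes the installer's sshd opt-out, and the environment it starts in is set up for password-less root login: scripts/mk-images writes `root::14438:0:99999:7:::` to /etc/shadow and `PermitEmptyPasswords yes` to sshd_config.anaconda (hunks at -406 and -477), and this commit now runs that setup on every architecture. Anyone who can reach the machine on the network during installation is therefore offered a root login with no credentials unless the user knew to turn it off. Default the flag to 0 (`self.__dict__['flags']['sshd'] = 0`) so that sshd is started only on an explicit boot argument. Separately, the loop sets the flag to 1 for any truthy cmdline value; if createCmdlineDict() stores values as strings, `sshd=0` would still enable it, which needs confirming because that function is outside the hunk.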
diff --git a/loader/linuxrc.s390 b/loader/linuxrc.s390
index 854fdfb..3939371 100644
--- a/loader/linuxrc.s390
+++ b/loader/linuxrc.s390
@@ -126,7 +126,7 @@ function startinetd()
        echo >> /etc/motd
    fi # testing

-    /sbin/sshd
+    /sbin/sshd -f /etc/sshd_config.anaconda
    if [ -z "$RUNKS" ]; then
        echo
        echo $"Connect now to $IPADDR and log in as user install to start the installation."
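Review bot: The new `/sbin/sshd -f /etc/sshd_config.anaconda` points at a path that the rest of the commit does not create: scripts/mk-images writes the file to `$MBD_DIR/etc/ssh/sshd_config.anaconda`, and anaconda's startSsh() passes `/etc/ssh/sshd_config.anaconda`. Since mk-images no longer writes the default sshd_config either, sshd on s390 would likely fail to start for lack of a config file. The line should read `/sbin/sshd -f /etc/ssh/sshd_config.anaconda`. startinetd() begins and ends outside the hunk.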
diff --git a/scripts/mk-images b/scripts/mk-images
index 44e4664..214da16 100755
--- a/scripts/mk-images
+++ b/scripts/mk-images
@@ -406,7 +406,9 @@ instbin() {
}

setupShellEnvironment() {
-    echo "tcp     6       TCP" > $MBD_DIR/etc/protocols
+    cp -f $IMGPATH/etc/protocols $MBD_DIR/etc/protocols
+    echo "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin" \
+    	>> $MBD_DIR/etc/passwd

    # enable root shell logins
    echo "root::14438:0:99999:7:::" >> $MBD_DIR/etc/shadow
@@ -439,26 +441,29 @@ EOF

    cp -f $IMGPATH/etc/security/{limits.conf,pam_env.conf} $MBD_DIR/etc/security/

-    # key generation takes ages on s390, you really don't want this for every
-    # installation attempt. These are NOT the keys of the installed system!
    mkdir -m 0700 -p $MBD_DIR/etc/ssh
-    echo -n "Generating SSH1 RSA host key: "
-    /usr/bin/ssh-keygen -q -t rsa1 -f $MBD_DIR/etc/ssh/ssh_host_key \
-                        -C '' -N '' >&/dev/null
-    echo
-    echo -n "Generating SSH2 RSA host key: "
-    /usr/bin/ssh-keygen -q -t rsa -f $MBD_DIR/etc/ssh/ssh_host_rsa_key \
-                        -C '' -N '' >&/dev/null
-    echo
-    echo -n "Generating SSH2 DSA host key: "
-    /usr/bin/ssh-keygen -q -t dsa -f $MBD_DIR/etc/ssh/ssh_host_dsa_key \
-                        -C '' -N '' >&/dev/null
-    echo
-    (cd $MBD_DIR/etc/ssh; \
-        chmod 600 ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; \
-        chmod 644 ssh_host_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key.pub; )
-
-    cat > $MBD_DIR/etc/ssh/sshd_config <<EOF
+    if [ "$BUILDARCH" = "s390" -o "$BUILDARCH" = "s390x" ]; then
+        # key generation takes ages on s390, you really don't want this
+        # for every installation attempt. These are NOT the keys of the
+        # installed system!
+        echo -n "Generating SSH1 RSA host key: "
+        /usr/bin/ssh-keygen -q -t rsa1 -f $MBD_DIR/etc/ssh/ssh_host_key \
+                            -C '' -N '' >&/dev/null
+        echo
+        echo -n "Generating SSH2 RSA host key: "
+        /usr/bin/ssh-keygen -q -t rsa -f $MBD_DIR/etc/ssh/ssh_host_rsa_key \
+                            -C '' -N '' >&/dev/null
+        echo
+        echo -n "Generating SSH2 DSA host key: "
+        /usr/bin/ssh-keygen -q -t dsa -f $MBD_DIR/etc/ssh/ssh_host_dsa_key \
+                            -C '' -N '' >&/dev/null
+        echo
+        (cd $MBD_DIR/etc/ssh; \
+         chmod 600 ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; \
+         chmod 644 ssh_host_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key.pub; )
+    fi
+
+    cat > $MBD_DIR/etc/ssh/sshd_config.anaconda <<EOF
Port 22
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
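Review bot: The new `if` in setupShellEnvironment does not say where host keys come from on the other architectures, although sshd_config.anaconda lists the same `HostKey` paths for everyone. Add a comment after the `fi`, for example `# other arches: anaconda's startSsh() generates these keys at install time`, so that the missing `else` is not taken for an oversight. The existing s390 comment could also state that these keys are baked into the image and therefore shared by every system booted from it, so they give the connecting user no real host authentication. setupShellEnvironment starts and ends outside this hunk.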
@@ -477,11 +482,13 @@ PasswordAuthentication yes
PermitEmptyPasswords yes
PermitUserEnvironment yes
EOF
-    chmod 600 $MBD_DIR/etc/ssh/sshd_config
+    chmod 600 $MBD_DIR/etc/ssh/sshd_config.anaconda

    # copy in the binaries
-    instbin $IMGPATH /usr/bin/login $MBD_DIR /sbin/login
+    instbin $IMGPATH /sbin/nologin $MBD_DIR /sbin/nologin
+    instbin $IMGPATH /bin/login $MBD_DIR /sbin/login
    instbin $IMGPATH /usr/sbin/sshd $MBD_DIR /sbin/sshd
+    instbin $IMGPATH /usr/bin/ssh-keygen $MBD_DIR /sbin/ssh-keygen
}


@@ -573,13 +580,19 @@ makeinitrd() {
    mkdir -p $MBD_DIR/etc/rc.d/init.d
    mkdir -p $MBD_DIR/usr/sbin
    mkdir -p $MBD_DIR/var/run/wpa_supplicant
+    mkdir -m 111 -p $MBD_DIR/var/empty/sshd
+    mkdir -p $MBD_DIR/etc/{pam.d,security}
+    mkdir -p $MBD_DIR/$LIBDIR/security
+
+    for x in $IMGPATH/$LIBDIR/security/* ; do
+	y=$(basename $x)
+        instbin $IMGPATH $LIBDIR/security/$y $MBD_DIR $LIBDIR/security/$y
+    done
+
+    cp $IMGPATH/$LIBDIR/libpam_misc.so.0.* $MBD_DIR/$LIBDIR/libpam_misc.so.0
+    cp $IMGPATH/$LIBDIR/libwrap*.so* $MBD_DIR/$LIBDIR/

    if [ "$BUILDARCH" = "s390" -o "$BUILDARCH" = "s390x" ]; then
-        mkdir -m 111 -p $MBD_DIR/var/empty/sshd
-        mkdir -p $MBD_DIR/etc/{pam.d,security}
-        mkdir -p $MBD_DIR/$LIBDIR/security
-        cp $IMGPATH/$LIBDIR/libpam_misc.so.0.* $MBD_DIR/$LIBDIR/libpam_misc.so.0
-        cp $IMGPATH/$LIBDIR/libwrap*.so* $MBD_DIR/$LIBDIR/
        ln -s /tmp $MBD_DIR/var/state/xkb
        instbin $IMGPATH /usr/bin/xauth $MBD_DIR /sbin/xauth
        local cmsfsbin cmd
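Review bot: The new PAM-module loop in makeinitrd expands `$IMGPATH/$LIBDIR/security/*` unquoted and without checking for a match, so an empty directory passes the literal pattern to `instbin`; a guard such as `[ -e "$x" ] || continue` as the first line of the loop body avoids that. The loop also copies every file under security/ into the initrd on all architectures, while upd-instroot lists only `$LIBDIR/security/pam_*`; narrowing the glob to `pam_*` would keep the two in step and keep unneeded modules out of the image. The `y=$(basename $x)` line is indented with a tab where the rest of the loop uses spaces. makeinitrd continues outside the hunk.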
@@ -821,10 +834,7 @@ makeinitrd() {
    mkdir -p $MBD_DIR/var/lib
    ln -s ../../tmp $MBD_DIR/var/lib/xkb

-    # s390/s390x need sshd setup
-    if [ "$BUILDARCH" = "s390" -o "$BUILDARCH" = "s390x" ]; then
-        setupShellEnvironment
-    fi
+    setupShellEnvironment

cat > $MBD_DIR/.profile <<EOF
PS1="[anaconda \u@\h \W]\\\\$ "
diff --git a/scripts/upd-instroot b/scripts/upd-instroot
index 64017d1..a9b4058 100755
--- a/scripts/upd-instroot
+++ b/scripts/upd-instroot
@@ -181,7 +181,9 @@ PACKAGES="GConf2 NetworkManager ORBit2 acl anaconda
    lohit-oriya-fonts lohit-punjabi-fonts lohit-sindhi-fonts lohit-tamil-fonts
    lohit-telugu-fonts lvm2 madan-fonts mdadm
    mesa-dri-drivers mkinitrd module-init-tools nash ncurses neon net-tools
-    newt newt-python nfs-utils nspr nss nss-softokn ntfs-3g openldap pam pango parted pciutils pcre
+    newt newt-python nfs-utils nspr nss nss-softokn ntfs-3g
+    openldap openssh openssh-server
+    pam pango parted pciutils pcre
    pygtk2-libglade pykickstart pyparted python python-bugzilla python-decorator
    python-libs python-nss python-pyblock python-sqlite
    python-urlgrabber python-volume_key pyxf86config readline redhat-artwork
@@ -222,7 +224,7 @@ fi
if [ $ARCH = s390 -o $ARCH = s390x ]; then
    PACKAGES="$PACKAGES bind-utils binutils coreutils findutils gzip
              initscripts iputils less libgcc login lsscsi modutils mount
-              net-tools openssh openssh-clients openssh-server pam portmap
+              net-tools openssh-clients pam portmap
              s390utils sed strace tar tcp_wrappers xorg-x11-libs
              xorg-x11-xauth"
fi
@@ -283,6 +285,8 @@ $LIBDIR/bdevid
$LIBDIR/dbus-1
$LIBDIR/libnss_dns*
$LIBDIR/libnss_files*
+$LIBDIR/libwrap*.so*
+$LIBDIR/security/pam_*
bin/arch
bin/basename
bin/bash
@@ -310,6 +314,7 @@ bin/hostname
bin/ipcalc
bin/kill
bin/ln
+bin/login
bin/ls
bin/mkdir
bin/mknod
@@ -353,6 +358,8 @@ etc/iscsid.conf
etc/man.config
etc/mke2fs.conf
etc/nsswitch.conf
+etc/pam.d/other
+etc/pam.d/sshd
etc/pango
etc/passwd
etc/pcmcia
@@ -363,6 +370,8 @@ etc/prelink.conf
etc/protocols
etc/rc.d/init.d/functions
etc/rpm/macros.prelink
+etc/security/limits.conf
+etc/security/pam_env.conf
etc/selinux/targeted
etc/services
etc/shells
@@ -430,6 +439,7 @@ sbin/mkreiserfs
sbin/mkswap
sbin/mount.nfs*
sbin/mount.ntfs*
+sbin/nologin
sbin/ofpath
sbin/parted
sbin/pcmcia-socket-startup
@@ -511,6 +521,7 @@ usr/bin/reduce-font
usr/bin/setxkbmap
usr/bin/sha1sum
usr/bin/split
+usr/bin/ssh-keygen
usr/bin/syslinux
usr/bin/tac
usr/bin/tail
@@ -567,6 +578,7 @@ usr/sbin/prelink
usr/sbin/semodule
usr/sbin/showpart
usr/sbin/smartctl
+usr/sbin/sshd
usr/sbin/wpa_passphrase
usr/sbin/wpa_supplicant
usr/sbin/wrapper
@@ -660,7 +672,6 @@ bin/dmesg
bin/echo
bin/find
bin/gzip
-bin/login
bin/ls
bin/mknod
bin/ping
@@ -670,12 +681,6 @@ bin/sort
bin/tar
bin/uname
bin/vi
-etc/pam.d/other
-etc/pam.d/sshd
-etc/security/limits.conf
-etc/security/pam_env.conf
-$LIBDIR/libwrap*.so*
-$LIBDIR/security/pam_*
lib/modules/ibm
lib/security
sbin/arp
@@ -711,7 +716,6 @@ usr/bin/tr
usr/bin/wc
usr/bin/xauth
usr/sbin/glibc_post_upgrade
-usr/sbin/sshd
usr/share/terminfo/a/ansi
usr/share/terminfo/d/dumb
usr/share/terminfo/k/kterm

- -- 
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat / Honolulu, HI

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrnpMQACgkQ5hsjjIy1Vkn7/ACgxcqIbRnuSlLUtvizhcbFGCsm
aucAnjseZbZGEigMNBRQxfAkO70l7DoD
=7ls1
-----END PGP SIGNATURE-----
