projects / openwrt / staging / jow.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
dropbear: better handle receive window size
[openwrt/staging/jow.git] / package / network / services / dropbear / files / dropbear.init
1 #!/bin/sh /etc/rc.common
2 # Copyright (C) 2006-2010 OpenWrt.org
3 # Copyright (C) 2006 Carlos Sobrinho
4
5 START=19
6 STOP=50
7
8 USE_PROCD=1
9 PROG=/usr/sbin/dropbear
10 NAME=dropbear
11 PIDCOUNT=0
12
13 extra_command "killclients" "Kill ${NAME} processes except servers and yourself"
14
15 # most of time real_stat() will be failing
16 # due to missing "stat" binary (by default)
17 real_stat() { env stat -L "$@" 2>/dev/null ; }
18 dumb_stat() { ls -Ldln "$1" | tr -s '\t ' ' ' ; }
19 stat_perm() { real_stat -c '%A' "$1" || dumb_stat "$1" | cut -d ' ' -f 1 ; }
20 stat_owner() { real_stat -c '%u' "$1" || dumb_stat "$1" | cut -d ' ' -f 3 ; }
21
22 _dropbearkey()
23 {
24 /usr/bin/dropbearkey "$@" </dev/null >/dev/null 2>&1
25 }
26
27 # $1 - file name (host key or config)
28 file_verify()
29 {
30 [ -f "$1" ] || return 1
31 # checking file ownership
32 [ "$(stat_owner "$1")" = "0" ] || {
33 chown 0 "$1"
34 [ "$(stat_owner "$1")" = "0" ] || return 2
35 }
36 # checking file permissions
37 [ "$(stat_perm "$1")" = "-rw-------" ] || {
38 chmod 0600 "$1"
39 [ "$(stat_perm "$1")" = "-rw-------" ] || return 3
40 }
41 # file is host key or not?
42 # if $2 is empty string - file is "host key"
43 # if $2 is non-empty string - file is "config"
44 [ -z "$2" ] || return 0
45 # checking file contents (finally)
46 [ -s "$1" ] || return 4
47 _dropbearkey -y -f "$1" || return 5
48 return 0
49 }
50
51 # $1 - file_verify() return code
52 file_errmsg()
53 {
54 case "$1" in
55 0) ;;
56 1) echo "file does not exist" ;;
57 2) echo "file has wrong owner (must be owned by root)" ;;
58 3) echo "file has wrong permissions (must not have group/other write bit)" ;;
59 4) echo "file has zero length" ;;
60 5) echo "file is not valid host key or not supported" ;;
61 *) echo "unknown error" ;;
62 esac
63 }
64
65 # $1 - config option
66 # $2 - host key file name
67 hk_config()
68 {
69 local x m
70 file_verify "$2" ; x=$?
71 if [ "$x" = 0 ] ; then
72 procd_append_param command -r "$2"
73 return
74 fi
75 m=$(file_errmsg "$x")
76 logger -s -t "${NAME}" -p daemon.warn \
77 "Option '$1', skipping '$2': $m"
78 }
79
80 # $1 - host key file name
81 hk_config__keyfile() { hk_config keyfile "$1" ; }
82
83 ktype_all='ed25519 ecdsa rsa'
84
85 hk_generate_as_needed()
86 {
87 local hk_cfg_dir kgen ktype kfile hk_tmp_dir
88 hk_cfg_dir='/etc/dropbear'
89
90 [ -d "${hk_cfg_dir}" ] || mkdir -p "${hk_cfg_dir}"
91
92 kgen=
93 for ktype in ${ktype_all} ; do
94 kfile="${hk_cfg_dir}/dropbear_${ktype}_host_key"
95
96 if file_verify "${kfile}" ; then continue ; fi
97
98 kgen="${kgen}${kgen:+ }${ktype}"
99 done
100
101 # all keys are sane?
102 [ -n "${kgen}" ] || return 0
103
104 hk_tmp_dir=$(mktemp -d)
105 # system in bad state?
106 [ -n "${hk_tmp_dir}" ] || return 1
107
108 chmod 0700 "${hk_tmp_dir}"
109
110 for ktype in ${kgen} ; do
111 kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
112
113 if ! _dropbearkey -t ${ktype} -f "${kfile}" ; then
114 # unsupported key type
115 rm -f "${kfile}"
116 continue
117 fi
118
119 chmod 0600 "${kfile}"
120 done
121
122 kgen=
123 for ktype in ${ktype_all} ; do
124 kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
125
126 [ -s "${kfile}" ] || continue
127
128 kgen="${kgen}${kgen:+ }${ktype}"
129 done
130
131 if [ -n "${kgen}" ] ; then
132 for ktype in ${kgen} ; do
133 kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
134 [ -s "${kfile}" ] || continue
135 mv -f "${kfile}" "${hk_cfg_dir}/"
136 done
137 fi
138
139 rm -rf "${hk_tmp_dir}"
140
141 # cleanup empty files
142 for ktype in ${ktype_all} ; do
143 kfile="${hk_cfg_dir}/dropbear_${ktype}_host_key"
144
145 [ -s "${kfile}" ] || rm -f "${kfile}"
146 done
147 }
148
149 append_ports()
150 {
151 local ipaddrs="$1"
152 local port="$2"
153
154 [ -z "$ipaddrs" ] && {
155 procd_append_param command -p "$port"
156 return
157 }
158
159 for addr in $ipaddrs; do
160 procd_append_param command -p "$addr:$port"
161 done
162 }
163
164 validate_section_dropbear()
165 {
166 uci_load_validate dropbear dropbear "$1" "$2" \
167 'PasswordAuth:bool:1' \
168 'enable:bool:1' \
169 'Interface:string' \
170 'GatewayPorts:bool:0' \
171 'ForceCommand:string' \
172 'RootPasswordAuth:bool:1' \
173 'RootLogin:bool:1' \
174 'rsakeyfile:file' \
175 'keyfile:list(file)' \
176 'BannerFile:file' \
177 'Port:port:22' \
178 'SSHKeepAlive:uinteger:300' \
179 'IdleTimeout:uinteger:0' \
180 'MaxAuthTries:uinteger:3' \
181 'RecvWindowSize:uinteger:262144' \
182 'mdns:bool:1'
183 }
184
185 dropbear_instance()
186 {
187 local ipaddrs
188
189 [ "$2" = 0 ] || {
190 echo "validation failed"
191 return 1
192 }
193
194 [ -n "${Interface}" ] && {
195 [ -n "${BOOT}" ] && return 0
196
197 network_get_ipaddrs_all ipaddrs "${Interface}" || {
198 echo "interface ${Interface} has no physdev or physdev has no suitable ip"
199 return 1
200 }
201 }
202
203 [ "${enable}" = "0" ] && return 1
204 PIDCOUNT="$(( ${PIDCOUNT} + 1))"
205 local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
206
207 procd_open_instance
208 procd_set_param command "$PROG" -F -P "$pid_file"
209 [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
210 [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
211 [ -n "${ForceCommand}" ] && procd_append_param command -c "${ForceCommand}"
212 [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
213 [ "${RootLogin}" -eq 0 ] && procd_append_param command -w
214 config_list_foreach "$1" 'keyfile' hk_config__keyfile
215 if [ -n "${rsakeyfile}" ]; then
216 logger -s -t "${NAME}" -p daemon.crit \
217 "Option 'rsakeyfile' is considered to be DEPRECATED and will be REMOVED in future releases, use 'keyfile' list instead"
218 sed -i.before-upgrade -E -e 's/option(\s+)rsakeyfile/list keyfile/' \
219 "/etc/config/${NAME}"
220 logger -s -t "${NAME}" -p daemon.crit \
221 "Auto-transition 'option rsakeyfile' => 'list keyfile' in /etc/config/${NAME} is done, please verify your configuration"
222 hk_config 'rsakeyfile' "${rsakeyfile}"
223 fi
224 [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
225 append_ports "${ipaddrs}" "${Port}"
226 [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
227 [ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
228 [ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
229 [ "${RecvWindowSize}" -gt 0 ] && {
230 # NB: OpenWrt increases receive window size to increase throughput on high latency links
231 # ref: validate_section_dropbear()
232 # default receive window size is 24576 (DEFAULT_RECV_WINDOW in default_options.h)
233
234 # sysoptions.h
235 local MAX_RECV_WINDOW=10485760
236 if [ "${RecvWindowSize}" -gt ${MAX_RECV_WINDOW} ] ; then
237 # separate logging is required because syslog misses dropbear's message
238 # Bad recv window '${RecvWindowSize}', using ${MAX_RECV_WINDOW}
239 # it's probably dropbear issue but we should handle this and notify user
240 logger -s -t "${NAME}" -p daemon.warn \
241 "Option 'RecvWindowSize' is too high (${RecvWindowSize}), limiting to ${MAX_RECV_WINDOW}"
242 RecvWindowSize=${MAX_RECV_WINDOW}
243 fi
244 procd_append_param command -W "${RecvWindowSize}"
245 }
246 [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
247 procd_set_param respawn
248 procd_close_instance
249 }
250
251 load_interfaces()
252 {
253 config_get interface "$1" Interface
254 config_get enable "$1" enable 1
255
256 [ "${enable}" = "1" ] && interfaces=" ${interface} ${interfaces}"
257 }
258
259 boot()
260 {
261 BOOT=1
262 start "$@"
263 }
264
265 start_service()
266 {
267 hk_generate_as_needed
268 file_verify /etc/dropbear/authorized_keys config
269
270 . /lib/functions.sh
271 . /lib/functions/network.sh
272
273 config_load "${NAME}"
274 config_foreach validate_section_dropbear dropbear dropbear_instance
275 }
276
277 service_triggers()
278 {
279 local interfaces
280
281 procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload
282
283 config_load "${NAME}"
284 config_foreach load_interfaces dropbear
285
286 [ -n "${interfaces}" ] && {
287 for n in $interfaces ; do
288 procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
289 done
290 }
291
292 procd_add_validation validate_section_dropbear
293 }
294
295 shutdown() {
296 # close all open connections
297 killall dropbear
298 }
299
300 killclients()
301 {
302 local ignore=''
303 local server
304 local pid
305
306 # if this script is run from inside a client session, then ignore that session
307 pid="$$"
308 while [ "${pid}" -ne 0 ]
309 do
310 # get parent process id
311 pid=$(cut -d ' ' -f 4 "/proc/${pid}/stat")
312 [ "${pid}" -eq 0 ] && break
313
314 # check if client connection
315 grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
316 append ignore "${pid}"
317 break
318 }
319 done
320
321 # get all server pids that should be ignored
322 for server in $(cat /var/run/${NAME}.*.pid)
323 do
324 append ignore "${server}"
325 done
326
327 # get all running pids and kill client connections
328 local skip
329 for pid in $(pidof "${NAME}")
330 do
331 # check if correct program, otherwise process next pid
332 grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
333 continue
334 }
335
336 # check if pid should be ignored (servers, ourself)
337 skip=0
338 for server in ${ignore}
339 do
340 if [ "${pid}" = "${server}" ]
341 then
342 skip=1
343 break
344 fi
345 done
346 [ "${skip}" -ne 0 ] && continue
347
348 # kill process
349 echo "${initscript}: Killing ${pid}..."
350 kill -KILL ${pid}
351 done
352 }
Staging tree of Jo-Philipp Wich