This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via ee82349a0ea00866d731936e769fab9441690932 (commit)
  via e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05 (commit)
  via ee53381ab167b195d2d4d94da3d2a3d4a024288d (commit)
  via f9de28e6f0ca455aacca3b0fc30722b88d542630 (commit)
  via e918b62ae223b31f459ca5843d291532f5188faf (commit)
  via e1f6dfcbbc3c34130027ffe113488f5f3d9c9557 (commit)
  from 4f30ce49b3c2375d52e7358d12a6235c3e35997d (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit ee82349a0ea00866d731936e769fab9441690932
Author: Stefan Schantl stefan.schantl@ipfire.org
Date: Mon Apr 8 20:20:18 2019 +0200
convert-snort: Re-order steps at end of script
This will ensure that the whole IDS is configured properly, if no or an empty snort config file is present.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05
Author: Stefan Schantl stefan.schantl@ipfire.org
Date: Mon Apr 8 20:02:53 2019 +0200
convert-snort: Fix logic for detecting enough free disk space.
The subfunction will only return something if the check fails - so the logic of the if statement was set wrongly and the downloader was only called if this check failed and too little disk space would be available.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ee53381ab167b195d2d4d94da3d2a3d4a024288d
Author: Michael Tremer michael.tremer@ipfire.org
Date: Mon Apr 8 20:53:47 2019 +0100
core130: Ship SSH Agent Forwarding changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f9de28e6f0ca455aacca3b0fc30722b88d542630
Author: Peter Müller peter.mueller@ipfire.org
Date: Mon Apr 8 16:35:00 2019 +0000
change AllowAgentForwarding in SSHD configuration if necessary
Fixes #11931
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e918b62ae223b31f459ca5843d291532f5188faf
Author: Peter Müller peter.mueller@ipfire.org
Date: Mon Apr 8 16:35:00 2019 +0000
allow SSH agent forwarding to be configured via WebUI
Fixes #11931
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Cc: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e1f6dfcbbc3c34130027ffe113488f5f3d9c9557
Author: Peter Müller peter.mueller@ipfire.org
Date: Mon Apr 8 16:34:00 2019 +0000
add language strings for SSH agent forwarding settings
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/131/filelists/files |  2 ++
 config/suricata/convert-snort             | 39 +++++++++++++++++--------------
 html/cgi-bin/remote.cgi                   | 11 ++++++++-
 langs/de/cgi-bin/de.pl                    |  1 +
 langs/en/cgi-bin/en.pl                    |  1 +
 src/misc-progs/sshctrl.c                  |  5 ++++
 6 files changed, 40 insertions(+), 19 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/131/filelists/files b/config/rootfiles/core/131/filelists/files index 4924308dc..428d877c6 100644 --- a/config/rootfiles/core/131/filelists/files +++ b/config/rootfiles/core/131/filelists/files @@ -15,8 +15,10 @@ srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/logs.cgi/ids.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/remote.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/ipsec-interfaces +usr/local/bin/sshctrl usr/local/bin/suricatactrl usr/local/bin/update-ids-ruleset usr/sbin/convert-snort diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index ca650b149..0ad2942b1 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -231,6 +231,9 @@ if (-f $snort_rules_tarball) { } else { # Check if enought disk space is available. if(&IDS::checkdiskspace()) { + # Print error message. + print "Could not download ruleset - Not enough free diskspace available.\n"; + } else { # Call the download function and grab the new ruleset. &IDS::downloadruleset(); } @@ -250,7 +253,24 @@ if (-f $IDS::rulestarball) { }
# -## Step 8: Grab used ruleset files from snort config file and convert +## Step 8: Generate file for the HOME Net. +# + +# Call subfunction to generate the file. +&IDS::generate_home_net_file(); + +# +## Step 9: Setup automatic ruleset updates. +# + +# Check if a ruleset is configured. +if($rulessettings{"RULES"}) { + # Call suricatactrl and setup the periodic update mechanism. + &IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'}); +} + +# +## Step 10: Grab used ruleset files from snort config file and convert ## them into the new format. #
@@ -295,23 +315,6 @@ close(SNORTCONF); # Pass the array of enabled rule files to the subfunction and write the file. &IDS::write_used_rulefiles_file(@enabled_rule_files);
-# -## Step 9: Generate file for the HOME Net. -# - -# Call subfunction to generate the file. -&IDS::generate_home_net_file(); - -# -## Step 10: Setup automatic ruleset updates. -# - -# Check if a ruleset is configured. -if($rulessettings{"RULES"}) { - # Call suricatactrl and setup the periodic update mechanism. - &IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'}); -} - # ## Step 11: Start the IDS if enabled. # diff --git a/html/cgi-bin/remote.cgi b/html/cgi-bin/remote.cgi index 1b3dfed70..10d94fe99 100644 --- a/html/cgi-bin/remote.cgi +++ b/html/cgi-bin/remote.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -105,6 +105,7 @@ else { # used $remotesettings{'ENABLE_SSH_PASSWORDS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_PASSWORDS'}; $remotesettings{'ENABLE_SSH_KEYS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_KEYS'}; + $remotesettings{'SSH_AGENT_FORWARDING'} = 'off' unless exists $remotesettings{'SSH_AGENT_FORWARDING'};
$checked{'ENABLE_SSH'}{'off'} = ''; $checked{'ENABLE_SSH'}{'on'} = ''; @@ -121,6 +122,9 @@ $checked{'ENABLE_SSH_KEYS'}{$remotesettings{'ENABLE_SSH_KEYS'}} = "checked='chec $checked{'SSH_PORT'}{'off'} = ''; $checked{'SSH_PORT'}{'on'} = ''; $checked{'SSH_PORT'}{$remotesettings{'SSH_PORT'}} = "checked='checked'"; +$checked{'SSH_AGENT_FORWARDING'}{'off'} = ''; +$checked{'SSH_AGENT_FORWARDING'}{'on'} = ''; +$checked{'SSH_AGENT_FORWARDING'}{$remotesettings{'SSH_AGENT_FORWARDING'}} = "checked='checked'";
&Header::openpage($Lang::tr{'remote access'}, 1, '');
@@ -161,6 +165,11 @@ print <<END <td><input type='checkbox' name='SSH_PORT' $checked{'SSH_PORT'}{'on'} /></td> <td width='100%' class='base'>$Lang::tr{'ssh port'}</td> </tr> +<tr> + <td> </td> + <td><input type='checkbox' name='SSH_AGENT_FORWARDING' $checked{'SSH_AGENT_FORWARDING'}{'on'} /></td> + <td width='100%' class='base'>$Lang::tr{'ssh agent forwarding'}</td> +</tr> <tr> <td align='right' colspan='3'> <input type='submit' name='ACTION' value='$Lang::tr{'ssh tempstart15'}' /> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 88b34d23b..d63ebe6e5 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2187,6 +2187,7 @@ 'ssh access' => 'SSH-Zugriff', 'ssh access tip' => 'IPFire SSH läuft nicht auf dem Standardport 22!', 'ssh active sessions' => 'Aktive Benutzeranmeldungen', +'ssh agent forwarding' => 'Weiterleitung des SSH-Agenten (Agent Forwarding) zulassen', 'ssh fingerprint' => 'Fingerabdruck', 'ssh host keys' => 'SSH Host Schlüssel', 'ssh is disabled' => 'Secure Shell ist deaktiviert. Halte an.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index af0d514af..a709604b0 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2230,6 +2230,7 @@ 'ssh access' => 'SSH Access', 'ssh access tip' => 'IPFire SSH is not using default port 22!', 'ssh active sessions' => 'Active logins', +'ssh agent forwarding' => 'Enable SSH agent forwarding', 'ssh fingerprint' => 'Fingerprint', 'ssh host keys' => 'SSH Host Keys', 'ssh is disabled' => 'SSH is disabled. Stopping.', diff --git a/src/misc-progs/sshctrl.c b/src/misc-progs/sshctrl.c index 30074973d..476dbc9d5 100644 --- a/src/misc-progs/sshctrl.c +++ b/src/misc-progs/sshctrl.c @@ -76,6 +76,11 @@ int main(int argc, char *argv[]) else strlcat(command, "s/^Port .*$/Port 222/", STRING_SIZE - 1 );
+ if(findkey(kv, "SSH_AGENT_FORWARDING", buffer) && !strcmp(buffer,"on")) + strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding yes/;", STRING_SIZE - 1 ); + else + strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding no/;", STRING_SIZE - 1 ); + freekeyvalues(kv);
snprintf(buffer, STRING_SIZE - 1, "' /etc/ssh/sshd_config >&%d", config_fd );
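Review bot: The commit subject "core130: Ship SSH Agent Forwarding changes" does not match the path touched in the first hunk, config/rootfiles/core/131/filelists/files, where srv/web/ipfire/cgi-bin/remote.cgi and usr/local/bin/sshctrl are added. Please make the subject name the core update the files are actually shipped in, so the log and the file list agree when someone later traces which update delivered the sshd change.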
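Review bot: The return convention of &IDS::checkdiskspace() is undocumented at the call site in the @@ -231 hunk of config/suricata/convert-snort: per the commit message it returns something only when the check fails, so "if(&IDS::checkdiskspace())" means "not enough space", which is the reading that caused the original bug. Suggest a one-line comment stating that a true return value means failure, or storing the result in a named variable and testing that. The context comment still has the typo "enought", and the new branch only prints the message and falls through to the following steps, so please confirm that continuing without a downloaded ruleset is intended.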
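Review bot: In the relocated "Setup automatic ruleset updates" block of config/suricata/convert-snort (now Step 9), only $rulessettings{"RULES"} is tested before $rulessettings{'AUTOUPDATE_INTERVAL'} is passed to &IDS::call_suricatactrl("cron", ...); if the interval key is missing or empty, the cron setup is called with an undefined argument. Suggest testing both keys, or applying a default interval, before the call, and using one quoting style for the two hash keys. Since the point of the reorder is that these steps run even when no snort config file is present, a short comment saying they must stay ahead of the snort config parsing would keep the order from being reverted later.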
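Review bot: None of the html/cgi-bin/remote.cgi hunks shows how an unchecked SSH_AGENT_FORWARDING box is persisted: the @@ -161 hunk adds the checkbox, and the other hunks add the 'off' default and the $checked entries, but no save-path change is visible. Browsers do not submit unchecked checkboxes, so please confirm the existing save handler writes 'off' (or drops the key) rather than keeping a previous 'on'. sshctrl only emits "AllowAgentForwarding yes" for the exact value "on", so a missing key fails closed, but a stale 'on' would not. The added spacer cell "<td> </td>" is also empty in this hunk; check that it matches the neighbouring rows.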
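Review bot: The sed script built in the @@ -76 hunk of src/misc-progs/sshctrl.c is missing a separator: the unchanged context line appends "s/^Port .*$/Port 222/" with no trailing ";", and the new AllowAgentForwarding expression is concatenated directly after it, so on that branch sed sees the second "s" as a flag of the Port substitution. Suggest ending the Port expressions with ";" as the new lines do. Two further points on the added lines: the pattern "^AllowAgentForwarding .*$" only rewrites an existing, uncommented directive, so if sshd_config lacks that line the setting silently does not apply and sshd's built-in default (yes) stays in effect, which is the opposite of the WebUI default of 'off'. Also, each strlcat into command is bounded by STRING_SIZE - 1 and truncates silently, so as more expressions are appended it is worth checking the return value against the buffer size.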
hooks/post-receive -- IPFire 2.x development tree