From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. ee82349a0ea00866d731936e769fab9441690932
Date: Mon, 08 Apr 2019 21:40:52 +0100
Message-ID: <20190408204052.81BEE84FDAF@people01.i.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via ee82349a0ea00866d731936e769fab9441690932 (commit)
via e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05 (commit)
via ee53381ab167b195d2d4d94da3d2a3d4a024288d (commit)
via f9de28e6f0ca455aacca3b0fc30722b88d542630 (commit)
via e918b62ae223b31f459ca5843d291532f5188faf (commit)
via e1f6dfcbbc3c34130027ffe113488f5f3d9c9557 (commit)
from 4f30ce49b3c2375d52e7358d12a6235c3e35997d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ee82349a0ea00866d731936e769fab9441690932
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Apr 8 20:20:18 2019 +0200
convert-snort: Re-order steps at end of script
This will ensure that the whole IDS is configured properly, if
no or an empty snort config file is present.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Apr 8 20:02:53 2019 +0200
convert-snort: Fix logic for detecting enough free disk space.
The subfunction will only return something if the check fails - so the logic
of the if statement was set wrongly and the downloader was only called if
this check failed and too little disk space would be available.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ee53381ab167b195d2d4d94da3d2a3d4a024288d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 8 20:53:47 2019 +0100
core130: Ship SSH Agent Forwarding changes
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f9de28e6f0ca455aacca3b0fc30722b88d542630
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 16:35:00 2019 +0000
change AllowAgentForwarding in SSHD configuration if necessary
Fixes #11931
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e918b62ae223b31f459ca5843d291532f5188faf
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 16:35:00 2019 +0000
allow SSH agent forwarding to be configured via WebUI
Fixes #11931
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e1f6dfcbbc3c34130027ffe113488f5f3d9c9557
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 16:34:00 2019 +0000
add language strings for SSH agent forwarding settings
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/131/filelists/files | 2 ++
config/suricata/convert-snort | 39 +++++++++++++++++--------------
html/cgi-bin/remote.cgi | 11 ++++++++-
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
src/misc-progs/sshctrl.c | 5 ++++
6 files changed, 40 insertions(+), 19 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/131/filelists/files b/config/rootfiles/core/131/filelists/files
index 4924308dc..428d877c6 100644
--- a/config/rootfiles/core/131/filelists/files
+++ b/config/rootfiles/core/131/filelists/files
@@ -15,8 +15,10 @@ srv/web/ipfire/cgi-bin/ids.cgi
srv/web/ipfire/cgi-bin/logs.cgi/ids.dat
srv/web/ipfire/cgi-bin/logs.cgi/log.dat
srv/web/ipfire/cgi-bin/ovpnmain.cgi
+srv/web/ipfire/cgi-bin/remote.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/local/bin/ipsec-interfaces
+usr/local/bin/sshctrl
usr/local/bin/suricatactrl
usr/local/bin/update-ids-ruleset
usr/sbin/convert-snort
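Review bot: The commit that ships these files is titled "core130: Ship SSH Agent Forwarding changes", but the entries for remote.cgi and sshctrl are added under config/rootfiles/core/131/filelists/files. If 131 is the intended update, the subject should say core131 so the log matches the tree.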
diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort
index ca650b149..0ad2942b1 100644
--- a/config/suricata/convert-snort
+++ b/config/suricata/convert-snort
@@ -231,6 +231,9 @@ if (-f $snort_rules_tarball) {
} else {
# Check if enought disk space is available.
if(&IDS::checkdiskspace()) {
+ # Print error message.
+ print "Could not download ruleset - Not enough free diskspace available.\n";
+ } else {
# Call the download function and grab the new ruleset.
&IDS::downloadruleset();
}
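Review bot: The condition `if(&IDS::checkdiskspace())` now reads as "if the check passed, print an error", because the function is truthy only on failure, and nothing at the call site says so. A one-line comment on that return convention next to the condition would keep the next reader from flipping the branches back. The error is also printed to STDOUT; `print STDERR` would suit a failure message, and since the script carries on after it, the following steps have to cope with the ruleset not having been downloaded.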
@@ -250,7 +253,24 @@ if (-f $IDS::rulestarball) {
}
#
-## Step 8: Grab used ruleset files from snort config file and convert
+## Step 8: Generate file for the HOME Net.
+#
+
+# Call subfunction to generate the file.
+&IDS::generate_home_net_file();
+
+#
+## Step 9: Setup automatic ruleset updates.
+#
+
+# Check if a ruleset is configured.
+if($rulessettings{"RULES"}) {
+ # Call suricatactrl and setup the periodic update mechanism.
+ &IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
+}
+
+#
+## Step 10: Grab used ruleset files from snort config file and convert
## them into the new format.
#
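Review bot: In the relocated Step 9 only `$rulessettings{"RULES"}` is tested before `$rulessettings{'AUTOUPDATE_INTERVAL'}` is passed to `&IDS::call_suricatactrl("cron", ...)`. Since the point of moving this step is that it runs even when no or an empty snort config is present, guard against an unset or empty interval here as well, or fall back to a default. The two hash keys also use different quoting styles ("RULES" vs 'AUTOUPDATE_INTERVAL'); pick one.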
@@ -295,23 +315,6 @@ close(SNORTCONF);
# Pass the array of enabled rule files to the subfunction and write the file.
&IDS::write_used_rulefiles_file(@enabled_rule_files);
-#
-## Step 9: Generate file for the HOME Net.
-#
-
-# Call subfunction to generate the file.
-&IDS::generate_home_net_file();
-
-#
-## Step 10: Setup automatic ruleset updates.
-#
-
-# Check if a ruleset is configured.
-if($rulessettings{"RULES"}) {
- # Call suricatactrl and setup the periodic update mechanism.
- &IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
-}
-
#
## Step 11: Start the IDS if enabled.
#
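Review bot: Step 11, "Start the IDS if enabled", still sits after the snort config conversion step. If Steps 8 and 9 had to move up because the script stops in the conversion step when the snort config is missing or empty, Step 11 is skipped in that same case; confirm that is intended, or move it too.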
diff --git a/html/cgi-bin/remote.cgi b/html/cgi-bin/remote.cgi
index 1b3dfed70..10d94fe99 100644
--- a/html/cgi-bin/remote.cgi
+++ b/html/cgi-bin/remote.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2014 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -105,6 +105,7 @@ else {
# used
$remotesettings{'ENABLE_SSH_PASSWORDS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_PASSWORDS'};
$remotesettings{'ENABLE_SSH_KEYS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_KEYS'};
+ $remotesettings{'SSH_AGENT_FORWARDING'} = 'off' unless exists $remotesettings{'SSH_AGENT_FORWARDING'};
$checked{'ENABLE_SSH'}{'off'} = '';
$checked{'ENABLE_SSH'}{'on'} = '';
@@ -121,6 +122,9 @@ $checked{'ENABLE_SSH_KEYS'}{$remotesettings{'ENABLE_SSH_KEYS'}} = "checked='chec
$checked{'SSH_PORT'}{'off'} = '';
$checked{'SSH_PORT'}{'on'} = '';
$checked{'SSH_PORT'}{$remotesettings{'SSH_PORT'}} = "checked='checked'";
+$checked{'SSH_AGENT_FORWARDING'}{'off'} = '';
+$checked{'SSH_AGENT_FORWARDING'}{'on'} = '';
+$checked{'SSH_AGENT_FORWARDING'}{$remotesettings{'SSH_AGENT_FORWARDING'}} = "checked='checked'";
&Header::openpage($Lang::tr{'remote access'}, 1, '');
@@ -161,6 +165,11 @@ print <<END
<td><input type='checkbox' name='SSH_PORT' $checked{'SSH_PORT'}{'on'} /></td>
<td width='100%' class='base'>$Lang::tr{'ssh port'}</td>
</tr>
+<tr>
+ <td> </td>
+ <td><input type='checkbox' name='SSH_AGENT_FORWARDING' $checked{'SSH_AGENT_FORWARDING'}{'on'} /></td>
+ <td width='100%' class='base'>$Lang::tr{'ssh agent forwarding'}</td>
+</tr>
<tr>
<td align='right' colspan='3'>
<input type='submit' name='ACTION' value='$Lang::tr{'ssh tempstart15'}' />
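Review bot: An unchecked checkbox is not submitted with the form, and none of the remote.cgi hunks in this push touch the code that handles the submitted form, so it is not visible here whether SSH_AGENT_FORWARDING is stored as 'off' when the new box is cleared. sshctrl treats anything other than "on" as off, so this fails safe, but writing an explicit 'off' on save would keep the settings file and the `$checked{'SSH_AGENT_FORWARDING'}` state consistent.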
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 88b34d23b..d63ebe6e5 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2187,6 +2187,7 @@
'ssh access' => 'SSH-Zugriff',
'ssh access tip' => 'IPFire SSH läuft nicht auf dem Standardport 22!',
'ssh active sessions' => 'Aktive Benutzeranmeldungen',
+'ssh agent forwarding' => 'Weiterleitung des SSH-Agenten (Agent Forwarding) zulassen',
'ssh fingerprint' => 'Fingerabdruck',
'ssh host keys' => 'SSH Host Schlüssel',
'ssh is disabled' => 'Secure Shell ist deaktiviert. Halte an.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index af0d514af..a709604b0 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2230,6 +2230,7 @@
'ssh access' => 'SSH Access',
'ssh access tip' => 'IPFire SSH is not using default port 22!',
'ssh active sessions' => 'Active logins',
+'ssh agent forwarding' => 'Enable SSH agent forwarding',
'ssh fingerprint' => 'Fingerprint',
'ssh host keys' => 'SSH Host Keys',
'ssh is disabled' => 'SSH is disabled. Stopping.',
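Review bot: The English label reads "Enable SSH agent forwarding" while the German string says "zulassen" (allow) and the sshd option being set is AllowAgentForwarding. "Allow SSH agent forwarding" would match both and describes the setting more accurately, since it only permits forwarding on the server side. Only de.pl and en.pl receive the new 'ssh agent forwarding' key in this push.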
diff --git a/src/misc-progs/sshctrl.c b/src/misc-progs/sshctrl.c
index 30074973d..476dbc9d5 100644
--- a/src/misc-progs/sshctrl.c
+++ b/src/misc-progs/sshctrl.c
@@ -76,6 +76,11 @@ int main(int argc, char *argv[])
else
strlcat(command, "s/^Port .*$/Port 222/", STRING_SIZE - 1 );
+ if(findkey(kv, "SSH_AGENT_FORWARDING", buffer) && !strcmp(buffer,"on"))
+ strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding yes/;", STRING_SIZE - 1 );
+ else
+ strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding no/;", STRING_SIZE - 1 );
+
freekeyvalues(kv);
snprintf(buffer, STRING_SIZE - 1, "' /etc/ssh/sshd_config >&%d", config_fd );
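Review bot: The context line directly above the addition, `strlcat(command, "s/^Port .*$/Port 222/", STRING_SIZE - 1 );`, has no trailing `;`, so in that else branch the new expression is appended straight after `/Port 222/` and the resulting sed script is malformed. Add the `;` to the Port 222 expression. Separately, `s/^AllowAgentForwarding .*$/.../` only rewrites an existing, uncommented directive: if /etc/ssh/sshd_config has no such line, "AllowAgentForwarding no" is never written and OpenSSH's default of yes stays in effect, so either make sure the shipped config carries the directive or append it when it is missing.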
hooks/post-receive
--
IPFire 2.x development tree