openssh: work on listen interface selection #1347

opnsense · Nov 28, 2017 · 9e20956 · 9e20956
1 parent 0455980
commit 9e20956
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 4 deletions.
diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc
@@ -41,6 +41,7 @@ function openssh_configure()
     return array(
         'earlybootup' => array('openssh_configure_do'),
         'local' => array('openssh_configure_do'),
+        'newwanip' => array('openssh_configure_do:2'),
     );
 }
 
@@ -64,12 +65,15 @@ function openssh_services()
     return $services;
 }
 
-function openssh_configure_do($verbose = false)
+function openssh_stop()
 {
-    global $config;
-
     /* if run from a shell session, `-af' and the full path is needed */
     mwexecf('/bin/pkill -af %s', '/usr/local/sbin/sshd', true);
+}
+
+function openssh_configure_do($verbose = false, $interface = '')
+{
+    global $config;
 
     $sshcfg = null;
 
@@ -81,9 +85,21 @@ function openssh_configure_do($verbose = false)
     }
 
     if ($sshcfg === null) {
+        openssh_stop();
+        return;
+    }
+
+    $interfaces = array();
+    if (!empty($sshcfg['interfaces'])) {
+        $interfaces = explode(',', $sshcfg['interfaces']);
+    }
+
+    if (!empty($interface) && !in_array($interface, $interfaces)) {
         return;
     }
 
+    openssh_stop();
+
     /* make sshd key store */
     @mkdir('/conf/sshd', 0777, true);
 
@@ -162,14 +178,36 @@ function openssh_configure_do($verbose = false)
         $sshconf .= "HostKey {$file}\n";
     }
 
+    $any = count($interfaces) ? false : true;
+
+    foreach ($interfaces as $interface) {
+        $realif = get_real_interface($interface);
+        $addrs = legacy_get_interface_addresses($realif);
+        if (!empty($addrs['ipaddr'])) {
+            $sshconf .= "ListenAddress {$addrs['ipaddr']}\n";
+            $any = true;
+        }
+        if (!empty($addrs['ipaddr6'])) {
+            $sshconf .= "ListenAddress {$addrs['ipaddr6']}\n";
+            $any = true;
+        }
+        $viparr = &config_read_array('virtualip', 'vip');
+        foreach ($viparr as $vip) {
+            if ($vip['interface'] == $interface && is_ipaddr($vip['subnet'])) {
+                $sshconf .= "ListenAddress {$vip['subnet']}\n";
+                $any = true;
+            }
+        }
+    }
+
     file_put_contents("/usr/local/etc/ssh/sshd_config", $sshconf);
 
     if ($verbose) {
         echo 'Configuring OpenSSH...';
         flush();
     }
 
-    if (mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
+    if (!$any || mwexecf('/usr/bin/protect -i /usr/local/sbin/sshd')) {
         if ($verbose) {
             echo "failed.\n";
         }

diff --git a/src/etc/rc.sshd b/src/etc/rc.sshd
@@ -31,6 +31,7 @@
 
 require_once('config.inc');
 require_once('util.inc');
+require_once('interfaces.inc');
 require_once('plugins.inc.d/openssh.inc');
 
 openssh_configure_do(true);
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
@@ -60,6 +60,7 @@
     $pconfig['secondaryconsole'] = $config['system']['secondaryconsole'];
     $pconfig['enablesshd'] = $config['system']['ssh']['enabled'];
     $pconfig['sshport'] = $config['system']['ssh']['port'];
+    $pconfig['sshinterfaces'] = !empty($config['system']['ssh']['interfaces']) ? explode(',', $config['system']['ssh']['interfaces']) : array();
     $pconfig['passwordauth'] = isset($config['system']['ssh']['passwordauth']);
     $pconfig['sshdpermitrootlogin'] = isset($config['system']['ssh']['permitrootlogin']);
     $pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']);
@@ -199,6 +200,8 @@
         /* always store setting to prevent installer auto-start */
         $config['system']['ssh']['noauto'] = 1;
 
+        $config['system']['ssh']['interfaces'] = !empty($pconfig['sshinterfaces']) ? implode(',', $pconfig['sshinterfaces']) : null;
+
         if (!empty($pconfig['enablesshd'])) {
             $config['system']['ssh']['enabled'] = 'enabled';
         } elseif (isset($config['system']['ssh']['enabled'])) {
@@ -558,6 +561,23 @@
                     </div>
                   </td>
                 </tr>
+                <tr>
+                  <td><a id="help_for_sshinterfaces" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Listen Interfaces') ?></td>
+                    <td>
+<?php
+                    $interfaces = get_configured_interface_with_descr(); ?>
+                    <select name="sshinterfaces[]" multiple="multiple" class="selectpicker">
+<?php
+                    foreach ($interfaces as $iface => $ifacename): ?>
+                        <option value="<?= html_safe($iface) ?>" <?= in_array($iface, $pconfig['sshinterfaces']) ? 'selected="selected"' : '' ?>><?= html_safe($ifacename) ?></option>
+<?php
+                    endforeach;?>
+                    </select>
+                    <div class="hidden" for="help_for_sshinterfaces">
+                      <?= gettext('Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care.') ?>
+                    </div>
+                  </td>
+                </tr>
                 <tr>
                   <th colspan="2"><?=gettext("Console Options"); ?></th>
                 </tr>