From 4d233104e35e160b57d8aba6b1c8f2af955761ba Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Tue, 10 Apr 2012 19:08:58 +0200 Subject: [PATCH] Current state --- .etckeeper | 20 +- ImageMagick/delegates.xml | 2 +- ImageMagick/policy.xml | 7 +- ImageMagick/type-ghostscript.xml | 68 +++---- apache2/modules.d/00_apache_manual.conf | 4 +- config-archive/etc/ImageMagick/delegates.xml | 18 +- .../etc/ImageMagick/delegates.xml.1 | 28 +-- .../etc/ImageMagick/delegates.xml.2 | 12 +- .../etc/ImageMagick/delegates.xml.dist | 2 +- config-archive/etc/ImageMagick/policy.xml | 6 +- .../etc/ImageMagick/policy.xml.1 | 13 +- .../etc/ImageMagick/policy.xml.dist | 7 +- .../etc/ImageMagick/type-ghostscript.xml | 54 ++++++ .../etc/ImageMagick/type-ghostscript.xml.dist | 0 .../apache2/modules.d/00_apache_manual.conf | 26 +++ .../modules.d/00_apache_manual.conf.dist | 0 config-archive/etc/init.d/apache2 | 182 ++++++++++++++++++ .../etc/init.d/apache2.dist | 0 config-archive/etc/init.d/sshd | 85 ++++++++ .../etc/init.d/sshd.dist | 0 config-archive/etc/ssh/sshd_config | 68 ++++++- .../etc/ssh/sshd_config.1 | 76 +------- config-archive/etc/ssh/sshd_config.dist | 6 +- init.d/apache2 | 2 +- init.d/sshd | 4 +- ssh/sshd_config | 6 +- 26 files changed, 528 insertions(+), 168 deletions(-) rename ImageMagick/._cfg0000_delegates.xml => config-archive/etc/ImageMagick/delegates.xml.2 (91%) rename ImageMagick/._cfg0000_policy.xml => config-archive/etc/ImageMagick/policy.xml.1 (80%) create mode 100644 config-archive/etc/ImageMagick/type-ghostscript.xml rename ImageMagick/._cfg0000_type-ghostscript.xml => config-archive/etc/ImageMagick/type-ghostscript.xml.dist (100%) create mode 100644 config-archive/etc/apache2/modules.d/00_apache_manual.conf rename apache2/modules.d/._cfg0000_00_apache_manual.conf => config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist (100%) create mode 100755 config-archive/etc/init.d/apache2 rename init.d/._cfg0000_apache2 => config-archive/etc/init.d/apache2.dist (100%) create mode 100755 config-archive/etc/init.d/sshd rename 
init.d/._cfg0000_sshd => config-archive/etc/init.d/sshd.dist (100%) rename ssh/._cfg0000_sshd_config => config-archive/etc/ssh/sshd_config.1 (55%) diff --git a/.etckeeper b/.etckeeper index 3db0457..587dcf1 100755 --- a/.etckeeper +++ b/.etckeeper @@ -28,9 +28,6 @@ maybe chmod 0600 './.pwd.lock' maybe chmod 0644 './DIR_COLORS' maybe chmod 0644 './GeoIP.conf' maybe chmod 0755 './ImageMagick' -maybe chmod 0644 './ImageMagick/._cfg0000_delegates.xml' -maybe chmod 0644 './ImageMagick/._cfg0000_policy.xml' -maybe chmod 0644 './ImageMagick/._cfg0000_type-ghostscript.xml' maybe chmod 0644 './ImageMagick/coder.xml' maybe chmod 0644 './ImageMagick/colors.xml' maybe chmod 0644 './ImageMagick/delegates.xml' @@ -59,7 +56,6 @@ maybe chmod 0755 './apache2' maybe chmod 0644 './apache2/httpd.conf' maybe chmod 0644 './apache2/magic' maybe chmod 0755 './apache2/modules.d' -maybe chmod 0644 './apache2/modules.d/._cfg0000_00_apache_manual.conf' maybe chmod 0644 './apache2/modules.d/.keep_dev-vcs_subversion-0' maybe chmod 0644 './apache2/modules.d/.keep_www-servers_apache-2' maybe chmod 0644 './apache2/modules.d/00_apache_manual.conf' 
@@ -201,9 +197,17 @@ maybe chmod 0755 './config-archive/etc' maybe chmod 0755 './config-archive/etc/ImageMagick' maybe chmod 0644 './config-archive/etc/ImageMagick/delegates.xml' maybe chmod 0644 './config-archive/etc/ImageMagick/delegates.xml.1' +maybe chmod 0644 './config-archive/etc/ImageMagick/delegates.xml.2' maybe chmod 0644 './config-archive/etc/ImageMagick/delegates.xml.dist' maybe chmod 0644 './config-archive/etc/ImageMagick/policy.xml' +maybe chmod 0644 './config-archive/etc/ImageMagick/policy.xml.1' maybe chmod 0644 './config-archive/etc/ImageMagick/policy.xml.dist' +maybe chmod 0644 './config-archive/etc/ImageMagick/type-ghostscript.xml' +maybe chmod 0644 './config-archive/etc/ImageMagick/type-ghostscript.xml.dist' +maybe chmod 0755 './config-archive/etc/apache2' +maybe chmod 0755 './config-archive/etc/apache2/modules.d' +maybe chmod 0644 './config-archive/etc/apache2/modules.d/00_apache_manual.conf' +maybe chmod 0644 './config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist' maybe chmod 0755 './config-archive/etc/bash' maybe chmod 0644 './config-archive/etc/bash/bashrc' maybe chmod 0644 './config-archive/etc/bash/bashrc.dist.new' @@ -248,6 +252,8 @@ maybe chmod 0644 './config-archive/etc/eselect/postgresql/slots/9.1/server.dist' maybe chmod 0644 './config-archive/etc/hosts' maybe chmod 0644 './config-archive/etc/hosts.dist.new' maybe chmod 0755 './config-archive/etc/init.d' +maybe chmod 0755 './config-archive/etc/init.d/apache2' +maybe chmod 0755 './config-archive/etc/init.d/apache2.dist' maybe chmod 0755 './config-archive/etc/init.d/bootmisc' maybe chmod 0755 './config-archive/etc/init.d/bootmisc.dist' maybe chmod 0755 './config-archive/etc/init.d/consolefont' 
@@ -273,6 +279,8 @@ maybe chmod 0755 './config-archive/etc/init.d/postgresql-9.1' maybe chmod 0755 './config-archive/etc/init.d/postgresql-9.1.dist' maybe chmod 0755 './config-archive/etc/init.d/slapd' maybe chmod 0755 './config-archive/etc/init.d/slapd.dist' +maybe chmod 0755 './config-archive/etc/init.d/sshd' +maybe chmod 0755 './config-archive/etc/init.d/sshd.dist' maybe chmod 0755 './config-archive/etc/init.d/staticroute' maybe chmod 0755 './config-archive/etc/init.d/staticroute.dist' maybe chmod 0755 './config-archive/etc/init.d/sysfs' @@ -427,6 +435,7 @@ maybe chmod 0755 './config-archive/etc/ssh' maybe chmod 0644 './config-archive/etc/ssh/ssh_config' maybe chmod 0644 './config-archive/etc/ssh/ssh_config.dist' maybe chmod 0600 './config-archive/etc/ssh/sshd_config' +maybe chmod 0600 './config-archive/etc/ssh/sshd_config.1' maybe chmod 0600 './config-archive/etc/ssh/sshd_config.dist' maybe chmod 0440 './config-archive/etc/sudoers' maybe chmod 0440 './config-archive/etc/sudoers.dist.new' @@ -716,8 +725,6 @@ maybe chmod 0644 './idn.conf.sample' maybe chmod 0644 './idnalias.conf' maybe chmod 0644 './idnalias.conf.sample' maybe chmod 0755 './init.d' -maybe chmod 0755 './init.d/._cfg0000_apache2' -maybe chmod 0755 './init.d/._cfg0000_sshd' maybe chmod 0755 './init.d/acpid' maybe chmod 0755 './init.d/amavisd' maybe chmod 0755 './init.d/apache2' @@ -1293,7 +1300,6 @@ maybe chmod 0755 './snmp' maybe chmod 0644 './snmp/.keep_net-analyzer_net-snmp-0' maybe chmod 0644 './snmp/snmpd.conf.example' maybe chmod 0755 './ssh' -maybe chmod 0600 './ssh/._cfg0000_sshd_config' maybe chmod 0755 './ssh/ca' maybe chmod 0644 './ssh/moduli' maybe chmod 0644 './ssh/ssh_config' diff --git a/ImageMagick/delegates.xml b/ImageMagick/delegates.xml index b186532..a21e0e7 100644 --- a/ImageMagick/delegates.xml +++ b/ImageMagick/delegates.xml @@ -102,7 +102,7 @@ - + diff --git a/ImageMagick/policy.xml b/ImageMagick/policy.xml index 19e9796..3be0a4b 100644 --- a/ImageMagick/policy.xml 
+++ b/ImageMagick/policy.xml @@ -39,9 +39,10 @@ - Note, resource policies are maximums for each instance of ImageMagick (e.g. - policy memory limit 1GB, -limit 2GB exceeds policy maximum so memory limit - is 1GB). + Define arguments for the memory, map, area, and disk resources with + SI prefixes (.e.g 100MB). In addition, resource policies are maximums for + each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB + exceeds policy maximum so memory limit is 1GB). --> diff --git a/ImageMagick/type-ghostscript.xml b/ImageMagick/type-ghostscript.xml index 30182b8..213cb31 100644 --- a/ImageMagick/type-ghostscript.xml +++ b/ImageMagick/type-ghostscript.xml @@ -17,38 +17,38 @@ ]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/apache2/modules.d/00_apache_manual.conf b/apache2/modules.d/00_apache_manual.conf index a1bfed2..25de5d1 100644 --- a/apache2/modules.d/00_apache_manual.conf +++ b/apache2/modules.d/00_apache_manual.conf @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/ImageMagick/delegates.xml b/config-archive/etc/ImageMagick/delegates.xml index 1fefa70..b186532 100644 --- a/config-archive/etc/ImageMagick/delegates.xml +++ b/config-archive/etc/ImageMagick/delegates.xml @@ -68,8 +68,8 @@ - - + + @@ -85,18 +85,18 @@ - - + + - - + + - - + + - + diff --git a/config-archive/etc/ImageMagick/delegates.xml.1 b/config-archive/etc/ImageMagick/delegates.xml.1 index f671293..1fefa70 100644 --- a/config-archive/etc/ImageMagick/delegates.xml.1 +++ b/config-archive/etc/ImageMagick/delegates.xml.1 @@ -68,8 +68,8 @@ - - + + 
@@ -80,31 +80,31 @@ - + - + - - - + + + - - + + - - + + - + - + - + diff --git a/ImageMagick/._cfg0000_delegates.xml b/config-archive/etc/ImageMagick/delegates.xml.2 similarity index 91% rename from ImageMagick/._cfg0000_delegates.xml rename to config-archive/etc/ImageMagick/delegates.xml.2 index a21e0e7..f671293 100644 --- a/ImageMagick/._cfg0000_delegates.xml +++ b/config-archive/etc/ImageMagick/delegates.xml.2 @@ -80,14 +80,14 @@ - + - + - + @@ -100,11 +100,11 @@ - + - + - + diff --git a/config-archive/etc/ImageMagick/delegates.xml.dist b/config-archive/etc/ImageMagick/delegates.xml.dist index b186532..a21e0e7 100644 --- a/config-archive/etc/ImageMagick/delegates.xml.dist +++ b/config-archive/etc/ImageMagick/delegates.xml.dist @@ -102,7 +102,7 @@ - + diff --git a/config-archive/etc/ImageMagick/policy.xml b/config-archive/etc/ImageMagick/policy.xml index 28eda17..19e9796 100644 --- a/config-archive/etc/ImageMagick/policy.xml +++ b/config-archive/etc/ImageMagick/policy.xml @@ -37,7 +37,7 @@ Any large image is cached to disk rather than memory: - + Note, resource policies are maximums for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB exceeds policy maximum so memory limit @@ -48,8 +48,8 @@ - - + + diff --git a/ImageMagick/._cfg0000_policy.xml b/config-archive/etc/ImageMagick/policy.xml.1 similarity index 80% rename from ImageMagick/._cfg0000_policy.xml rename to config-archive/etc/ImageMagick/policy.xml.1 index 3be0a4b..28eda17 100644 --- a/ImageMagick/._cfg0000_policy.xml +++ b/config-archive/etc/ImageMagick/policy.xml.1 
@@ -37,20 +37,19 @@ Any large image is cached to disk rather than memory: - + - Define arguments for the memory, map, area, and disk resources with - SI prefixes (.e.g 100MB). In addition, resource policies are maximums for - each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB - exceeds policy maximum so memory limit is 1GB). + Note, resource policies are maximums for each instance of ImageMagick (e.g. + policy memory limit 1GB, -limit 2GB exceeds policy maximum so memory limit + is 1GB). --> - - + + diff --git a/config-archive/etc/ImageMagick/policy.xml.dist b/config-archive/etc/ImageMagick/policy.xml.dist index 19e9796..3be0a4b 100644 --- a/config-archive/etc/ImageMagick/policy.xml.dist +++ b/config-archive/etc/ImageMagick/policy.xml.dist @@ -39,9 +39,10 @@ - Note, resource policies are maximums for each instance of ImageMagick (e.g. - policy memory limit 1GB, -limit 2GB exceeds policy maximum so memory limit - is 1GB). + Define arguments for the memory, map, area, and disk resources with + SI prefixes (.e.g 100MB). In addition, resource policies are maximums for + each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB + exceeds policy maximum so memory limit is 1GB). --> diff --git a/config-archive/etc/ImageMagick/type-ghostscript.xml b/config-archive/etc/ImageMagick/type-ghostscript.xml new file mode 100644 index 0000000..30182b8 --- /dev/null +++ b/config-archive/etc/ImageMagick/type-ghostscript.xml @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ImageMagick/._cfg0000_type-ghostscript.xml b/config-archive/etc/ImageMagick/type-ghostscript.xml.dist similarity index 100% rename from ImageMagick/._cfg0000_type-ghostscript.xml rename to config-archive/etc/ImageMagick/type-ghostscript.xml.dist 
diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf b/config-archive/etc/apache2/modules.d/00_apache_manual.conf new file mode 100644 index 0000000..a1bfed2 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf @@ -0,0 +1,26 @@ +# Provide access to the documentation on your server as +# http://yourserver.example.com/manual/ +# The documentation is always available at +# http://httpd.apache.org/docs/2.2/ + +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1" + + + Options Indexes + AllowOverride None + Order allow,deny + Allow from all + + + SetHandler type-map + + + SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1 + RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2 + + LanguagePriority en de es fr ja ko pt-br + ForceLanguagePriority Prefer Fallback + + + +# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_apache_manual.conf b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist similarity index 100% rename from apache2/modules.d/._cfg0000_00_apache_manual.conf rename to config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist diff --git a/config-archive/etc/init.d/apache2 b/config-archive/etc/init.d/apache2 new file mode 100755 index 0000000..6d22ce8 --- /dev/null +++ b/config-archive/etc/init.d/apache2 
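Review bot: The `<Directory>` block in this file serves the on-disk manual to every client (`Order allow,deny` / `Allow from all`) with `Options Indexes`, and the `AliasMatch` target `/usr/share/doc/apache-2.2.21-r1/manual$1` pins the exact installed httpd version into a publicly reachable path, so a probe of `/manual/` both confirms the server build and gets directory listings. On a host that is not meant to publish documentation, prefer not loading this module file at all; if it must stay, change `Options Indexes` to `Options None` and narrow `Allow from all` to the admin network. Whether the file is wrapped in an `IfDefine` guard cannot be seen here because the container tags were stripped in this rendering. This is the archived pre-update copy; the live `apache2/modules.d/00_apache_manual.conf` on this page differs only in the version path (2.2.22), so the same applies to it.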
@@ -0,0 +1,182 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="configtest modules virtualhosts" +extra_started_commands="configdump fullstatus graceful gracefulstop reload" + +description_configdump="Dumps the configuration of the runing apache server. Requires server-info to be enabled and www-client/lynx." +description_configtest="Run syntax tests for configuration files." +description_fullstatus="Gives the full status of the server. Requires lynx and server-status to be enabled." +description_graceful="A graceful restart advises the children to exit after the current request and reloads the configuration." +description_gracefulstop="A graceful stop advises the children to exit after the current request and stops the server." +description_modules="Dump a list of loaded Static and Shared Modules." +description_reload="Kills all children and reloads the configuration." +description_virtualhosts="Show the settings as parsed from the config file (currently only shows the virtualhost settings)." +description_stop="Kills all children and stops the server." + +depend() { + need net + use mysql dns logger netmount postgresql + after sshd +} + +configtest() { + ebegin "Checking ${SVCNAME} configuration" + checkconfig + eend $? +} + +checkconfd() { + if [ ! -f /etc/init.d/sysfs ]; then + eerror "This init script works only with openrc (baselayout-2)." + eerror "If you still need baselayout-1.x, please, use" + eerror "apache2.initd-baselayout-1 from /usr/share/doc/apache2-*/" + fi + + PIDFILE="${PIDFILE:-/var/run/apache2.pid}" + TIMEOUT=${TIMEOUT:-15} + + SERVERROOT="${SERVERROOT:-/usr/lib64/apache2}" + if [ ! -d ${SERVERROOT} ]; then + eerror "SERVERROOT does not exist: ${SERVERROOT}" + return 1 + fi + + CONFIGFILE="${CONFIGFILE:-/etc/apache2/httpd.conf}" + [ "${CONFIGFILE#/}" = "${CONFIGFILE}" ] && CONFIGFILE="${SERVERROOT}/${CONFIGFILE}" + if [ ! 
-r "${CONFIGFILE}" ]; then + eerror "Unable to read configuration file: ${CONFIGFILE}" + return 1 + fi + + APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}" + APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}" + [ -n "${STARTUPERRORLOG}" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}" + + APACHE2="/usr/sbin/apache2" +} + +checkconfig() { + checkconfd || return 1 + + ${APACHE2} ${APACHE2_OPTS} -t 1>/dev/null 2>&1 + ret=$? + if [ $ret -ne 0 ]; then + eerror "${SVCNAME} has detected an error in your setup:" + ${APACHE2} ${APACHE2_OPTS} -t + fi + + return $ret +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + # Use start stop daemon to apply system limits #347301 + start-stop-daemon --start -- ${APACHE2} ${APACHE2_OPTS} -k start + + i=0 + while [ ! -e "${PIDFILE}" ] && [ $i -lt ${TIMEOUT} ]; do + sleep 1 && i=$(expr $i + 1) + done + + eend $(test $i -lt ${TIMEOUT}) +} + +stop() { + if [ "${RC_CMD}" = "restart" ]; then + checkconfig || return 1 + else + checkconfd || return 1 + fi + + PID=$(cat "${PIDFILE}" 2>/dev/null) + if [ -z "${PID}" ]; then + einfo "${SVCNAME} not running (no pid file)" + return 0 + fi + + ebegin "Stopping ${SVCNAME}" + ${APACHE2} ${APACHE2_OPTS} -k stop + + i=0 + while ( ! test -f "${PIDFILE}" && pgrep -P ${PID} apache2 >/dev/null ) \ + && [ $i -lt ${TIMEOUT} ]; do + sleep 1 && i=$(expr $i + 1) + done + + eend $(test $i -lt ${TIMEOUT}) +} + +reload() { + RELOAD_TYPE="${RELOAD_TYPE:-graceful}" + + checkconfig || return 1 + + if [ "${RELOAD_TYPE}" = "restart" ]; then + ebegin "Restarting ${SVCNAME}" + ${APACHE2} ${APACHE2_OPTS} -k restart + eend $? + elif [ "${RELOAD_TYPE}" = "graceful" ]; then + ebegin "Gracefully restarting ${SVCNAME}" + ${APACHE2} ${APACHE2_OPTS} -k graceful + eend $? + else + eerror "${RELOAD_TYPE} is not a valid RELOAD_TYPE. 
Please edit /etc/conf.d/${SVCNAME}" + fi +} + +graceful() { + checkconfig || return 1 + ebegin "Gracefully restarting ${SVCNAME}" + ${APACHE2} ${APACHE2_OPTS} -k graceful + eend $? +} + +gracefulstop() { + checkconfig || return 1 + ebegin "Gracefully stopping ${SVCNAME}" + ${APACHE2} ${APACHE2_OPTS} -k graceful-stop + eend $? +} + +modules() { + checkconfig || return 1 + ${APACHE2} ${APACHE2_OPTS} -M 2>&1 +} + +fullstatus() { + LYNX="${LYNX:-lynx -dump}" + STATUSURL="${STATUSURL:-http://localhost/server-status}" + + if ! type -p $(set -- ${LYNX}; echo $1) 2>&1 >/dev/null; then + eerror "lynx not found! you need to emerge www-client/lynx" + else + ${LYNX} ${STATUSURL} + fi +} + +virtualhosts() { + checkconfig || return 1 + ${APACHE2} ${APACHE2_OPTS} -S +} + +configdump() { + LYNX="${LYNX:-lynx -dump}" + INFOURL="${INFOURL:-http://localhost/server-info}" + + checkconfd || return 1 + + if ! type -p $(set -- ${LYNX}; echo $1) 2>&1 >/dev/null; then + eerror "lynx not found! you need to emerge www-client/lynx" + else + echo "${APACHE2} started with '${APACHE2_OPTS}'" + for i in config server list; do + ${LYNX} "${INFOURL}/?${i}" | sed '/Apache Server Information/d;/^[[:space:]]\+[_]\+$/Q' + done + fi +} + +# vim: ts=4 filetype=gentoo-init-d diff --git a/init.d/._cfg0000_apache2 b/config-archive/etc/init.d/apache2.dist similarity index 100% rename from init.d/._cfg0000_apache2 rename to config-archive/etc/init.d/apache2.dist diff --git a/config-archive/etc/init.d/sshd b/config-archive/etc/init.d/sshd new file mode 100755 index 0000000..22aaaad --- /dev/null +++ b/config-archive/etc/init.d/sshd 
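Review bot: In fullstatus() and configdump() the redirection `2>&1 >/dev/null` is in the wrong order: stderr is duplicated onto the original stdout before stdout is discarded, so any diagnostic `type` writes to stderr still reaches the terminal ahead of the eerror line; write `if ! type -p $(set -- ${LYNX}; echo $1) >/dev/null 2>&1; then`. Those two functions also fetch `http://localhost/server-status` and `http://localhost/server-info`, and server-info returns the fully parsed configuration, so whatever httpd.conf (not on this page) enables those handlers should restrict their `Location` to localhost or an admin network rather than relying on the script only reading them. Minor: checkconfig() runs `${APACHE2} ${APACHE2_OPTS} -t` twice on failure; capturing the first run's output and printing it on error would avoid re-parsing the configuration. This is an archived copy of the init script; the live init.d/apache2 on this page differs only in the stop() loop.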
@@ -0,0 +1,85 @@ +#!/sbin/runscript +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.2,v 1.3 2011/12/04 10:08:19 swegener Exp $ + +extra_commands="checkconfig gen_keys" +extra_started_commands="reload" + +depend() { + use logger dns + need net +} + +SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} +SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid} +SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then + eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + gen_keys || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +gen_key() { + local type=$1 key ks + [ $# -eq 1 ] && ks="${type}_" + key="${SSHD_CONFDIR}/ssh_host_${ks}key" + if [ ! -e "${key}" ] ; then + ebegin "Generating ${type} host key" + ssh-keygen -t ${type} -f "${key}" -N '' + eend $? || return $? + fi +} + +gen_keys() { + if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then + gen_key rsa1 "" || return 1 + fi + gen_key dsa && gen_key rsa && gen_key ecdsa + return $? +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? 
+} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --stop --signal HUP --oknodo \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/init.d/._cfg0000_sshd b/config-archive/etc/init.d/sshd.dist similarity index 100% rename from init.d/._cfg0000_sshd rename to config-archive/etc/init.d/sshd.dist diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index ca72979..e686e9f 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ +# $OpenBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
@@ -25,6 +25,72 @@ #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. 
+# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 diff --git a/ssh/._cfg0000_sshd_config b/config-archive/etc/ssh/sshd_config.1 similarity index 55% rename from ssh/._cfg0000_sshd_config rename to config-archive/etc/ssh/sshd_config.1 index 6a61721..ca72979 100644 --- a/ssh/._cfg0000_sshd_config +++ b/config-archive/etc/ssh/sshd_config.1 @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the +# possible, but leave them commented. Uncommented options change a # default value. #Port 22 
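Review bot: The commented `X509KeyAlgorithm` examples list `x509v3-sign-rsa,rsa-md5` before `x509v3-sign-rsa,rsa-sha1`, and the comment directly above them says the first defined entry is the one used in signature operations, so an administrator who uncomments the block verbatim ends up signing with MD5; if these lines are ever enabled, put `#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1` first or drop the md5 line. Likewise `#MandatoryCRL no` means chain validation proceeds when a certificate names a CRL distribution point but no CRL is in the store, so if X.509 client authentication is turned on, consider `MandatoryCRL yes` or one of the `VAType` OCSP modes so revocation is actually enforced. These are upstream commented defaults in an archived copy; judging by the line offsets of the `ssh/sshd_config` hunk on this page, the live file carries the same block.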
@@ -25,72 +25,6 @@ #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key -# "key type names" for X.509 certificates with RSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 -#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 - -# "key type names" for X.509 certificates with DSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 -#X509KeyAlgorithm x509v3-sign-dss,dss-raw - -# The intended use for the X509 client certificate. Without this option -# no chain verification will be done. Currently accepted uses are case -# insensitive: -# - "sslclient", "SSL client", "SSL_client" or "client" -# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" -# - "skip" or ""(empty): don`t check purpose. -#AllowedCertPurpose sslclient - -# Specifies whether self-issued(self-signed) X.509 certificate can be -# allowed only by entry in AutorizedKeysFile that contain matching -# public key or certificate blob. -#KeyAllowSelfIssued no - -# Specifies whether CRL must present in store for all certificates in -# certificate chain with atribute "cRLDistributionPoints" -#MandatoryCRL no - -# A file with multiple certificates of certificate signers -# in PEM format concatenated together. -#CACertificateFile /etc/ssh/ca/ca-bundle.crt - -# A directory with certificates of certificate signers. -# The certificates should have name of the form: [HASH].[NUMBER] -# or have symbolic links to them of this form. -#CACertificatePath /etc/ssh/ca/crt - -# A file with multiple CRL of certificate signers -# in PEM format concatenated together. -#CARevocationFile /etc/ssh/ca/ca-bundle.crl - -# A directory with CRL of certificate signers. -# The CRL should have name of the form: [HASH].r[NUMBER] -# or have symbolic links to them of this form. -#CARevocationPath /etc/ssh/ca/crl - -# LDAP protocol version. 
-# Example: -# CAldapVersion 2 - -# Note because of OpenSSH options parser limitation -# use %3D instead of = ! -# LDAP initialization may require URL to be escaped, i.e. -# use %2C instead of ,(comma). Escaped URL don't depend from -# LDAP initialization method. -# Example: -# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom - -# SSH can use "Online Certificate Status Protocol"(OCSP) -# to validate certificate. Set VAType to -# - none : do not use OCSP to validate certificates; -# - ocspcert: validate only certificates that specify `OCSP -# Service Locator' URL; -# - ocspspec: use specified in the configuration 'OCSP Responder' -# to validate all certificates. -#VAType none - # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 @@ -104,15 +38,13 @@ #LoginGraceTime 2m #PermitRootLogin yes +PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts @@ -126,6 +58,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication no PasswordAuthentication no #PermitEmptyPasswords no @@ -141,7 +74,6 @@ PasswordAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index 562d762..6a61721 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist 
@@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -110,6 +110,9 @@ #RSAAuthentication yes #PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts @@ -138,6 +141,7 @@ PasswordAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/init.d/apache2 b/init.d/apache2 index 6d22ce8..c3ce4e7 100755 --- a/init.d/apache2 +++ b/init.d/apache2 @@ -102,7 +102,7 @@ stop() { ${APACHE2} ${APACHE2_OPTS} -k stop i=0 - while ( ! test -f "${PIDFILE}" && pgrep -P ${PID} apache2 >/dev/null ) \ + while ( test -f "${PIDFILE}" && pgrep -P ${PID} apache2 >/dev/null ) \ && [ $i -lt ${TIMEOUT} ]; do sleep 1 && i=$(expr $i + 1) done diff --git a/init.d/sshd b/init.d/sshd index 22aaaad..c55116e 100755 --- a/init.d/sshd +++ b/init.d/sshd @@ -1,7 +1,7 @@ #!/sbin/runscript # Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.2,v 1.3 2011/12/04 10:08:19 swegener Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.3,v 1.2 2011/09/14 21:46:19 polynomial-c Exp $ extra_commands="checkconfig gen_keys" extra_started_commands="reload" 
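Review bot: The `eend $(test $i -lt ${TIMEOUT})` line following the corrected loop in init.d/apache2 stop() still cannot report a timeout: `$(...)` substitutes the command's stdout, which for `test` is always empty, so eend receives no status argument and reports success even when `${TIMEOUT}` seconds elapsed with children of the recorded PID still running. Replace it with `test $i -lt ${TIMEOUT}` on its own line followed by `eend $? "Timed out waiting for ${SVCNAME} to stop"`; the archived copy on this page shows the same construct in start(), which is outside this hunk. Dropping the `!` from the `while` condition is itself correct, since the old form waited only while the pidfile was already gone and so exited immediately. stop()'s body begins outside the hunk.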
@@ -79,7 +79,7 @@ stop() { reload() { checkconfig || return 1 ebegin "Reloading ${SVCNAME}" - start-stop-daemon --stop --signal HUP --oknodo \ + start-stop-daemon --signal HUP \ --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" eend $? } diff --git a/ssh/sshd_config b/ssh/sshd_config index e686e9f..1df843e 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -111,6 +111,9 @@ PermitRootLogin no #RSAAuthentication yes #PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts @@ -140,6 +143,7 @@ PasswordAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -- 2.39.5