#!/usr/bin/perl ############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2007-2020 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program. If not, see . # # # ############################################################################### use strict; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; use IO::Socket; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/location-functions.pl"; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; my %color = (); my %mainsettings = (); my %remotesettings=(); my %checked=(); my $errormessage=''; my $counter = 0; &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); &Header::showhttpheaders(); $remotesettings{'ENABLE_SSH'} = 'off'; $remotesettings{'ENABLE_SSH_PORTFW'} = 'off'; $remotesettings{'ACTION'} = ''; &Header::getcgihash(\%remotesettings); if ( (($remotesettings{'ACTION'} eq $Lang::tr{'save'}) || ($remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart15'}) || ($remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart30'})) && $remotesettings{'ACTION'} ne "" ) { # not existing here indicates the box is unticked $remotesettings{'ENABLE_SSH_PASSWORDS'} = 'off' unless exists $remotesettings{'ENABLE_SSH_PASSWORDS'}; $remotesettings{'ENABLE_SSH_KEYS'} = 'off' unless exists $remotesettings{'ENABLE_SSH_KEYS'}; &General::writehash("${General::swroot}/remote/settings", \%remotesettings); if ($remotesettings{'ENABLE_SSH'} eq 'on') { &General::log($Lang::tr{'ssh is enabled'}); if ($remotesettings{'ENABLE_SSH_PASSWORDS'} eq 'off' and $remotesettings{'ENABLE_SSH_KEYS'} eq 'off') { $errormessage = $Lang::tr{'ssh no auth'}; } &General::system('/usr/bin/touch', "${General::swroot}/remote/enablessh"); } else { &General::log($Lang::tr{'ssh is disabled'}); unlink "${General::swroot}/remote/enablessh"; } if ($remotesettings{'SSH_PORT'} eq 'on') { &General::log("SSH Port 22"); } else { &General::log("SSH Port 222"); } if ( $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart15'} || $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart30'} ){ if ($remotesettings{'ENABLE_SSH'} eq 'off') { &General::system('/usr/bin/touch', "${General::swroot}/remote/enablessh"); &General::system('/usr/local/bin/sshctrl'); } if ( $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart15'} ) { $counter = 900;} elsif ( $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart30'} ) { $counter = 1800;} system("/usr/local/bin/sshctrl tempstart $counter >/dev/null"); } else { system('/usr/local/bin/sshctrl') == 0 or $errormessage = "$Lang::tr{'bad return code'} " . $?/256; } } &General::readhash("${General::swroot}/remote/settings", \%remotesettings); # not existing here means they're undefined and the default value should be # used $remotesettings{'ENABLE_SSH_PASSWORDS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_PASSWORDS'}; $remotesettings{'ENABLE_SSH_KEYS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_KEYS'}; $remotesettings{'SSH_AGENT_FORWARDING'} = 'off' unless exists $remotesettings{'SSH_AGENT_FORWARDING'}; $checked{'ENABLE_SSH'}{'off'} = ''; $checked{'ENABLE_SSH'}{'on'} = ''; $checked{'ENABLE_SSH'}{$remotesettings{'ENABLE_SSH'}} = "checked='checked'"; $checked{'ENABLE_SSH_PORTFW'}{'off'} = ''; $checked{'ENABLE_SSH_PORTFW'}{'on'} = ''; $checked{'ENABLE_SSH_PORTFW'}{$remotesettings{'ENABLE_SSH_PORTFW'}} = "checked='checked'"; $checked{'ENABLE_SSH_PASSWORDS'}{'off'} = ''; $checked{'ENABLE_SSH_PASSWORDS'}{'on'} = ''; $checked{'ENABLE_SSH_PASSWORDS'}{$remotesettings{'ENABLE_SSH_PASSWORDS'}} = "checked='checked'"; $checked{'ENABLE_SSH_KEYS'}{'off'} = ''; $checked{'ENABLE_SSH_KEYS'}{'on'} = ''; $checked{'ENABLE_SSH_KEYS'}{$remotesettings{'ENABLE_SSH_KEYS'}} = "checked='checked'"; $checked{'SSH_PORT'}{'off'} = ''; $checked{'SSH_PORT'}{'on'} = ''; $checked{'SSH_PORT'}{$remotesettings{'SSH_PORT'}} = "checked='checked'"; $checked{'SSH_AGENT_FORWARDING'}{'off'} = ''; $checked{'SSH_AGENT_FORWARDING'}{'on'} = ''; $checked{'SSH_AGENT_FORWARDING'}{$remotesettings{'SSH_AGENT_FORWARDING'}} = "checked='checked'"; &Header::openpage($Lang::tr{'remote access'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); print "$errormessage \n"; &Header::closebox(); } print "
\n"; &Header::openbox('100%', 'left', $Lang::tr{'ssh'}); print < $Lang::tr{'ssh access'}   $Lang::tr{'ssh agent forwarding'}   $Lang::tr{'ssh portfw'}   $Lang::tr{'ssh passwords'}   $Lang::tr{'ssh keys'}   $Lang::tr{'ssh port'} END ; &Header::closebox(); print "\n"; &Header::openbox('100%', 'center', $Lang::tr{'ssh host keys'}); print "\n"; print < END ; &viewkey("/etc/ssh/ssh_host_key.pub","RSA1"); &viewkey("/etc/ssh/ssh_host_rsa_key.pub","RSA2"); &viewkey("/etc/ssh/ssh_host_dsa_key.pub","DSA"); &viewkey("/etc/ssh/ssh_host_ecdsa_key.pub","ECDSA"); &viewkey("/etc/ssh/ssh_host_ed25519_key.pub","ED25519"); print "\n
$Lang::tr{'ssh key'} $Lang::tr{'type'} $Lang::tr{'ssh fingerprint'} $Lang::tr{'ssh key size'}
\n"; &Header::closebox(); &Header::openbox('100%', 'center', $Lang::tr{'ssh active sessions'}); print < $Lang::tr{'ssh username'} $Lang::tr{'ssh login time'} $Lang::tr{'ip address'} $Lang::tr{'country'} $Lang::tr{'rdns'} END &printactivelogins(); print "\n\n"; &Header::closebox(); &Header::closebigbox(); &Header::closepage(); sub viewkey { my $key = $_[0]; my $name = $_[1]; if ( -e $key ) { # Use safe system_output function to call ssh-keygen and get the output from the tool. my @ssh_keygen = &General::system_output("/usr/bin/ssh-keygen", "-l", "-f", "$key"); my @temp = split(/ /, $ssh_keygen[0]); my $keysize = &Header::cleanhtml($temp[0],"y"); my $fingerprint = &Header::cleanhtml($temp[1],"y"); print "$key$name$fingerprint$keysize\n"; } } sub printactivelogins() { # print active SSH logins (grep outpout of "who -s") my @output = &General::system_output("who", "-s"); chomp(@output); my $id = 0; if ( scalar(@output) == 0 ) { # no logins appeared my $table_colour = ($id++ % 2) ? $color{'color20'} : $color{'color22'}; print "$Lang::tr{'ssh no active logins'}\n"; } else { # list active logins... foreach my $line (@output) { my @arry = split(/\ +/, $line); my $username = @arry[0]; my $logintime = join(' ', @arry[2..4]); my $remoteip = @arry[5]; $remoteip =~ s/[()]//g; # display more information about that IP adress... my $ccode = &Location::Functions::lookup_country_code($remoteip); my $flag_icon = &Location::Functions::get_flag_icon($ccode); # get rDNS... my $iaddr = inet_aton($remoteip); my $rdns = gethostbyaddr($iaddr, AF_INET); if (!$rdns) { $rdns = $Lang::tr{'ptr lookup failed'}; }; my $table_colour = ($id++ % 2) ? $color{'color20'} : $color{'color22'}; print < $username $logintime $remoteip $ccode $rdns END ; } } }