From 93f3737a9426aae5378d2aa93ac789f61fead199 Mon Sep 17 00:00:00 2001
From: Stephan Raue
Date: Thu, 22 Dec 2011 20:38:15 +0100
Subject: [PATCH] openssh: dont run ssh per default, there is a security related discussion in http://openelec.tv/forum/20-development-discussion/20259-security-the-dilema-of-the-out-of-the-box-experience . Add 'ssh' to the appendline in our bootloader, or put a file called 'ssh_enable' in /storage/.config or the 'Configfile' Samba share. Both will enable SSH on boot. Add 'progress' to the appendline in bootloader to show the bootprogress without enabled debugging.
Signed-off-by: Stephan Raue
---
 .../sysutils/busybox-initramfs/scripts/init | 8 +-
 packages/network/openssh/init.d/51_sshd | 84 ++++++++++---------
 packages/sysutils/busybox/config/profile | 8 +-
 3 files changed, 57 insertions(+), 43 deletions(-)

diff --git a/packages/initramfs/sysutils/busybox-initramfs/scripts/init b/packages/initramfs/sysutils/busybox-initramfs/scripts/init
index 2621d54f7d..5120288ba0 100755
--- a/packages/initramfs/sysutils/busybox-initramfs/scripts/init
+++ b/packages/initramfs/sysutils/busybox-initramfs/scripts/init
@@ -52,6 +52,12 @@ NFS_OVERLAY="192.168.1.1:/var/lib/overlay"
 bootchart)
 BOOTCHART=yes
 ;;
+ ssh)
+ SSH=yes
+ ;;
+ progress)
+ PROGRESS=yes
+ ;;
 fastboot)
 FASTBOOT=yes
 ;;
@@ -80,7 +86,7 @@ NFS_OVERLAY="192.168.1.1:/var/lib/overlay"
 fi
 
 progress() {
- if test "$DEBUG" = "yes"; then
+ if test "$PROGRESS" = "yes"; then
 echo "### $1 ###"
 fi
 }
diff --git a/packages/network/openssh/init.d/51_sshd b/packages/network/openssh/init.d/51_sshd
index 16e255775c..4d686b3c0a 100644
--- a/packages/network/openssh/init.d/51_sshd
+++ b/packages/network/openssh/init.d/51_sshd
@@ -22,7 +22,6 @@
 #
 # runlevels: openelec, textmode
 
-(
 RSA1_KEY="/storage/.cache/ssh/ssh_host_key"
 RSA2_KEY="/storage/.cache/ssh/ssh_host_rsa_key"
 DSA2_KEY="/storage/.cache/ssh/ssh_host_dsa_key"
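Review bot: Switching `progress()` to test only `$PROGRESS` means a boot that set `DEBUG` (the `debugging` append option, as the profile hunk shows) no longer prints the `### … ###` markers it printed before this change; if losing that is unintended, keep both triggers with `if test "$PROGRESS" = "yes" -o "$DEBUG" = "yes"; then`. The same switch is made to `progress()` in packages/sysutils/busybox/config/profile (hunk @@ -43,7 +49,7 @@), where the function's closing `fi` and `}` lie outside the hunk. The `ssh)` arm added in the first hunk of this file sets `SSH=yes`, but neither hunk in this file reads it; a one-line comment naming the consumer would help, since the sshd gate appears to rely on the busybox profile's parallel parsing of the append line rather than on this initramfs variable.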
@@ -30,45 +29,48 @@
 KEYGEN="/usr/bin/ssh-keygen"
 SSHD="/usr/sbin/sshd"
 
- # Check for the SSH1 RSA key
- if [ ! -s $RSA1_KEY ] ; then
- progress "SSH: generating SSH1 RSA key"
+ (
+ if [ "$SSH" = yes -o -f /storage/.config/ssh_enable ]; then
 
- mkdir -p /storage/.cache/ssh
- $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null
- chmod 600 $RSA1_KEY
+ # Check for the SSH1 RSA key
+ if [ ! -s $RSA1_KEY ] ; then
+ progress "SSH: generating SSH1 RSA key"
+
+ mkdir -p /storage/.cache/ssh
+ $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null
+ chmod 600 $RSA1_KEY
+ fi
+
+ # Check for the SSH2 RSA key
+ if [ ! -s $RSA2_KEY ] ; then
+ progress "SSH: generating SSH2 RSA key"
+
+ mkdir -p /storage/.cache/ssh
+ $KEYGEN -q -t rsa -f $RSA2_KEY -C '' -N '' >&/dev/null
+ chmod 600 $RSA2_KEY
+ fi
+
+ # Check for the SSH2 DSA key
+ if [ ! -s $DSA2_KEY ] ; then
+ progress "SSH: generating SSH2 DSA key"
+
+ mkdir -p /storage/.cache/ssh
+ $KEYGEN -q -t dsa -f $DSA2_KEY -C '' -N '' >&/dev/null
+ chmod 600 $DSA2_KEY
+ fi
+
+ # Check for predifined known hosts file
+ if [ -f /etc/ssh/known_hosts -a ! -f $HOME/.ssh/known_hosts ] ; then
+ progress "SSH: setup predifined known hosts"
+
+ mkdir -p /$HOME/.ssh
+ cp /etc/ssh/known_hosts $HOME/.ssh
+ fi
+
+ progress "Starting SSH Server"
+
+ mkdir -p /var/empty
+ chmod -R 600 /var/empty
+ $SSHD
 fi
-
- # Check for the SSH2 RSA key
- if [ ! -s $RSA2_KEY ] ; then
- progress "SSH: generating SSH2 RSA key"
-
- mkdir -p /storage/.cache/ssh
- $KEYGEN -q -t rsa -f $RSA2_KEY -C '' -N '' >&/dev/null
- chmod 600 $RSA2_KEY
- fi
-
- # Check for the SSH2 DSA key
- if [ ! -s $DSA2_KEY ] ; then
- progress "SSH: generating SSH2 DSA key"
-
- mkdir -p /storage/.cache/ssh
- $KEYGEN -q -t dsa -f $DSA2_KEY -C '' -N '' >&/dev/null
- chmod 600 $DSA2_KEY
- fi
-
- # Check for predifined known hosts file
- if [ -f /etc/ssh/known_hosts -a ! -f $HOME/.ssh/known_hosts ] ; then
- progress "SSH: setup predifined known hosts"
-
- mkdir -p /$HOME/.ssh
- cp /etc/ssh/known_hosts $HOME/.ssh
- fi
-
- progress "Starting SSH Server"
-
- mkdir -p /var/empty
- chmod -R 600 /var/empty
- $SSHD
-
-)&
+ )&
diff --git a/packages/sysutils/busybox/config/profile b/packages/sysutils/busybox/config/profile
index ab0c5df507..76142ff65c 100644
--- a/packages/sysutils/busybox/config/profile
+++ b/packages/sysutils/busybox/config/profile
@@ -30,6 +30,12 @@
 debugging)
 DEBUG=yes
 ;;
+ ssh)
+ SSH=yes
+ ;;
+ progress)
+ PROGRESS=yes
+ ;;
 fastboot)
 FASTBOOT=yes
 ;;
@@ -43,7 +49,7 @@
 
 # functions
 progress() {
- if test "$DEBUG" = yes; then
+ if test "$PROGRESS" = yes; then
 logger -s -t Boot "### $1 ###"
 else
 logger -t Boot "### $1 ###"
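Review bot: The new gate `-f /storage/.config/ssh_enable` makes a file in a directory the commit message says is also exported as the `Configfile` Samba share the switch for sshd, so anyone who can write to that share can have sshd come up at the next boot, and the opt-in is only as strong as the share's access control; if that trade-off is intended, say so at the test, e.g. `# ssh_enable is reachable via the Configfile Samba share: whoever can write there enables sshd at next boot`, and if not, read the flag from a path that is not exported. The `-o` inside a single `[ ]` is the deprecated binary-or form; `if [ "$SSH" = yes ] || [ -f /storage/.config/ssh_enable ]; then` reads unambiguously and behaves the same. The moved block also carries over `mkdir -p /$HOME/.ssh`, whose leading `/` before `$HOME` looks like a typo for `mkdir -p $HOME/.ssh`, and the `predifined` spelling in the two comments.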