commit e05df6135adc342714e1eb0aa52000db39b6010c from: smytht via: GitHub date: Sun Sep 10 14:57:05 2023 UTC Merge pull request #143 from smytht/master Improve Readme by converting to markdown and adding a quick installation guide for nsh commit - 5b66ac0b69d9684f9579c5cef44a1d4c41993249 commit + e05df6135adc342714e1eb0aa52000db39b6010c blob - 5e86783637b685a1185858f43235998bd3428999 (mode 644) blob + /dev/null --- README +++ /dev/null @@ -1,30 +0,0 @@ -nsh//network config shell//Chris Cappuccio version 1.1 - -NSH is a CLI intended for OpenBSD-based network appliances. It replaces -ifconfig, sysctl and route with its own simple command language, and -encapsulates configuration for other daemons into one place, effectively -replacing /etc/netstart and parts of /etc/rc for appliance-style usage. - -Daemons and services encapsulated by nsh: - -bgpd, dhcpd, dhcpleased, dhcrelay, dvmrpd, eigrpd, ftp-proxy, ifstated, inetd, -iked, ipsecctl, ldapd, ldpd, npppd, ntpd, ospfd, ospf6d, pf, rad, relayd, -resolvd, ripd, sasyncd, slaacd, smtpd, snmpd, sshd, tftpd, tftp-proxy. - -NSH is freely licensed, in the BSD style. - -In conjunction with the OpenBSD kernel and the daemons you wish to control, -you have a fully functioning network appliance type of system. - -See https://github.com/yellowman/nsh/wiki/NSH-Manual-page or -nsh.8 manual for detailed installation instructions and command set. - -See the to-do list on https://github.com/users/yellowman/projects/1 for -details on implementation status and future ideas. - -See http://github.com/yellowman/nsh/ for current source code repository. -See http://www.nmedia.net/nsh/ for example configurations and mailing -list. - -See https://www.youtube.com/watch?v=WMKxIHaWaG0 for an EurobsdCon 2022 -Presentation on NSH for network administrators. blob - /dev/null blob + 3e50706edef704b575bf753ec2007b60a57134fa (mode 644) --- /dev/null +++ README.md 
@@ -0,0 +1,123 @@
+# nsh
+
+## network shell
+
+---
+Chris Cappuccio version 1.1
+
+
+NSH is a CLI intended for OpenBSD-based network appliances. It replaces
+ifconfig, sysctl and route with its own simple command language, and
+encapsulates configuration for other daemons into one place, effectively
+replacing /etc/netstart and parts of /etc/rc for appliance-style usage.
+
+## Daemons and services encapsulated by nsh:
+
+bgpd, dhcpd, dhcpleased, dhcrelay, dvmrpd, eigrpd, ftp-proxy, ifstated, inetd,
+iked, ipsecctl, ldapd, ldpd, npppd, ntpd, ospfd, ospf6d, pf, rad, relayd,
+resolvd, ripd, sasyncd, slaacd, smtpd, snmpd, sshd, tftpd, tftp-proxy.
+
+---
+
+## License
+
+NSH is freely licensed, in the BSD style.
+
+In conjunction with the OpenBSD kernel and the daemons you wish to control,
+you have a fully functioning network appliance type of system.
+
+---
+
+## NSH Manual
+
+See https://github.com/yellowman/nsh/wiki/NSH-Manual-page or
+nsh.8 manual for detailed installation instructions and command set.
+
+See the to-do list on https://github.com/users/yellowman/projects/1 for
+details on implementation status and future ideas.
+
+See http://github.com/yellowman/nsh/ for current source code repository.
+See http://www.nmedia.net/nsh/ for example configurations and mailing
+list.
+
+See https://www.youtube.com/watch?v=WMKxIHaWaG0 for an EurobsdCon 2022
+Presentation on NSH for network administrators.
+
+---
+
+## Quickstart Guide for installing and building **nsh** on an OpenBSD system
+
+1. Install OpenBSD on your system
+
+2. Install the OpenBSD port of nsh on your system -(this will install the latest nsh release version)
+
+```shell
+pkg_add nsh
+```
+
+3. Install git on your system to allow fetching more recent versions of nsh from github
+
+```shell
+pkg_add git
+```
+
+4. to download the latest development of nsh use git to download the latest nsh repository
+
+```shell
+git clone https://github.com/yellowman/nsh
+```
+
+5. 
change directory to the downloaded nsh directory
+
+```shell
+cd nsh
+```
+
+6. to build the nsh sources follow the steps below
+
+6a. make objects
+
+```shell
+make obj
+```
+
+6b. make / compile the sources
+
+```shell
+make
+```
+
+6c. Install the compiled nsh binaries and supporting files (you will need root privileges to do this).
+
+```shell
+make install
+```
+
+7. To have nsh take over the configuration of a system a number of steps that need to be carried out such as
+
+
+7a. Backup configuration of system, daemons and network in /etc
+
+7b. Copy the configuration files to /var/run/example-configfilename.0 (the .0 file extension) implies running in the default rdomain / rtable (rdomain 0)
+
+7c. save the running config to /etc/nshrc
+
+7d. secure the /etc/nshrc file so that world cannot read, write or execute it .
+
+7e. configure the system to run nsh -i /etc/nshrc either adding a line to /etc/rc.local or using an rccctl script for nsh.
+
+For the users convenience, the above steps can be largely automated by running the **rc.local-nsh-openbsd-integration.sh** script and following on screen instructions.
+
+```shell
+cd scripts/
+./rc.local-nsh-openbsd-integration.sh
+```
+
+8. once configuration has been imported, restart the system and verify nsh config is running as expected
+
+
+10. please provide feedback , bug repots and suggestions to the developers on our mailing list .
+
+
+
+
blob - /dev/null
blob + 2c7e3ffff6026e8a0cb93a4c38262738babcd5bb (mode 644)
--- /dev/null
+++ scripts/shell/rc.local-nsh-openbsd-integration.sh
@@ -0,0 +1,271 @@
+#!/bin/sh -
+
+dflt='No'
+
+#check if user is root
+if [ $(id -u) != 0 ];
+then
+ echo "Must be run as root"
+ exit
+else
+ #ask user do they want to continue
+ #default is No
+ echo "This script is built to suit a typical OpenBSD network setup"
+ echo "If you have an unusual config, e.g. multiple routing domains"
+ echo "The import script will require user verification"
+ echo "This script is designed to assist a user with using nsh on"
+ echo "top of a fresh OpenBSD installation."
+ read input?"Do you want to continue? (Yes/No) [${dflt}] "
+
+ if [ -z "${input}" ]; then input="${dflt}"; fi
+ if [ "${input}" = 'Yes' ] || [ "${input}" = 'yes' ];
+ then
+ test -f /var/nsh/backup/pre-nsh-config && echo pre-nsh-config exists already && exit
+ test -f /etc/nshrc && echo etc-nshrc exists already && exit
+
+ mkdir -p /var/nsh/backup/pre-nsh-config
+
+ #remove world permissions from created directories
+ chmod -R 750 /var/nsh
+ chown -R root /var/nsh
+ chgrp -R wheel /var/nsh
+ #chmod 750 /var/nsh/backup
+ #chmod 750 /var/nsh/backup/pre-nsh-config
+
+ #checks if file exists
+ #makes a copy and moves conf file
+ #secures file
+ pf='/etc/pf.conf'
+ if [ -f $pf ]; then
+ cp /etc/pf.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/pf.conf /var/run/pf.conf.0
+ chown root /var/run/pf.conf.0
+ chgrp wheel /var/run/pf.conf.0
+ chmod 660 /var/run/pf.conf.0
+ else
+ echo etc-pf does not exist, not importing!
+ fi
+
+ ipsec='/etc/ipsec.conf'
+ if [ -f $ipsec ]; then
+ cp /etc/ipsec.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ipsec.conf /var/run/ipsec.conf.0
+ chown root /var/run/ipsec.conf.0
+ chgrp wheel /var/run/ipsec.conf.0
+ chmod 660 /var/run/ipsec.conf.0
+ else
+ echo etc-ipsec does not exist, not importing!
+ fi
+
+ bgpd='/etc/bgpd.conf'
+ if [ -f $bgpd ]; then
+ cp /etc/bgpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/bgpd.conf /var/run/bgpd.conf.0
+ chown root /var/run/bgpd.conf.0
+ chgrp wheel /var/run/bgpd.conf.0
+ chmod 660 /var/run/bgpd.conf.0
+ else
+ echo etc-bgpd does not exist, not importing!
+ fi
+
+ ospfd='/etc/ospfd.conf'
+ if [ -f $ospfd ]; then
+ cp /etc/ospfd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ospfd.conf /var/run/ospfd.conf.0
+ chown root /var/run/ospfd.conf.0
+ chgrp wheel /var/run/ospfd.conf.0
+ chmod 660 /var/run/ospfd.conf.0
+ else
+ echo etc-ospfd does not exist, not importing!
+ fi
+
+
+ ospf6d='/etc/ospf6d.conf'
+ if [ -f $ospf6d ]; then
+ cp /etc/ospf6d.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ospf6d.conf /var/run/ospf6d.conf.0
+ chown root /var/run/ospf6d.conf.0
+ chgrp wheel /var/run/ospf6d.conf.0
+ chmod 660 /var/run/ospf6d.conf.0
+ else
+ echo etc-ospf6d does not exist, not importing!
+
+ fi
+ dhcpd='/etc/dhcpd.conf'
+ if [ -f $dhcpd ]; then
+ cp /etc/dhcpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/dhcpd.conf /var/run/dhcpd.conf.0
+ chown root /var/run/dhcpd.conf.0
+ chgrp wheel /var/run/dhcpd.conf.0
+ chmod 660 /var/run/dhcpd.conf.0
+ else
+ echo etc-dhcpd does not exist, not importing!
+ fi
+
+ ntpd='/etc/ntpd.conf'
+ if [ -f $ntpd ]; then
+ cp /etc/ntpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ntpd.conf /var/run/ntpd.conf.0
+ chown root /var/run/ntpd.conf.0
+ chgrp wheel /var/run/ntpd.conf.0
+ chmod 660 /var/run/ntpd.conf.0
+ else
+ echo etc-ntpd does not exist, not importing!
+ fi
+
+ sshd_config='/etc/ssh/sshd_config'
+ if [ -f $sshd_config ]; then
+ cp /etc/ssh/sshd_config /var/nsh/backup/pre-nsh-config/
+ mv /etc/ssh/sshd_config /var/run/sshd.conf.0
+ chown root /var/run/sshd.conf.0
+ chgrp wheel /var/run/sshd.conf.0
+ chmod 660 /var/run/sshd.conf.0
+ else
+ echo etc-ssh_config does not exist, not importing!
+ fi
+
+ eigrpd='/etc/eigrpd.conf'
+ if [ -f $eigrpd ]; then
+ cp /etc/eigrpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/eigrpd.conf /var/run/eigrpd.conf.0
+ chown root /var/run/eigrpd.conf.0
+ chgrp wheel /var/run/eigrpd.conf.0
+ chmod 660 /var/run/eigrpd.conf.0
+ else
+ echo etc-eigrpd does not exist, not importing!
+ fi
+
+ relayd='/etc/relayd.conf'
+ if [ -f $relayd ]; then
+ cp /etc/relayd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/relayd.conf /var/run/relayd.conf.0
+ chown root /var/run/relayd.conf.0
+ chgrp wheel /var/run/relayd.conf.0
+ chmod 660 /var/run/relayd.conf.0
+ else
+ echo etc-relayd does not exist, not importing!
+ fi
+
+ ripd='/etc/ripd.conf'
+ if [ -f $ripd ]; then
+ cp /etc/ripd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ripd.conf /var/run/ripd.conf.0
+ chown root /var/run/ripd.conf.0
+ chgrp wheel /var/run/ripd.conf.0
+ chmod 660 /var/run/ripd.conf.0
+ else
+ echo etc-ripd does not exist, not importing!
+ fi
+
+ ldpd='/etc/ldpd.conf'
+ if [ -f $ldpd ]; then
+ cp /etc/ldpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ldpd.conf /var/run/ldpd.conf.0
+ chown root /var/run/ldpd.conf.0
+ chgrp wheel /var/run/ldpd.conf.0
+ chmod 660 /var/run/ldpd.conf.0
+ else
+ echo etc-ldpd does not exist, not importing!
+ fi
+
+ iked='/etc/iked.conf'
+ if [ -f $iked ]; then
+ cp /etc/iked.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/iked.conf /var/run/iked.conf.0
+ chown root /var/run/iked.conf.0
+ chgrp wheel /var/run/iked.conf.0
+ chmod 660 /var/run/iked.conf.0
+ else
+ echo etc-iked does not exist, not importing!
+ fi
+
+ snmpd='/etc/snmpd.conf'
+ if [ -f $snmpd ]; then
+ cp /etc/snmpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/snmpd.conf /var/run/snmpd.conf.0
+ chown root /var/run/snmpd.conf.0
+ chgrp wheel /var/run/snmpd.conf.0
+ chmod 660 /var/run/snmpd.conf.0
+ else
+ echo etc-snmpd does not exist, not importing!
+ fi
+
+ ldapd='/etc/ldapd.conf'
+ if [ -f $ldapd ]; then
+ cp /etc/ldapd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/ldapd.conf /var/run/ldapd.conf.0
+ chown root /var/run/ldapd.conf.0
+ chgrp wheel /var/run/ldapd.conf.0
+ chmod 660 /var/run/ldapd.conf.0
+ else
+ echo etc-ldapd does not exist, not importing!
+ fi
+
+ resolv='/etc/resolv.conf'
+ if [ -f $resolv ]; then
+ cp /etc/resolv.conf /var/nsh/backup/pre-nsh-config/
+
+ else
+ echo etc-resolv does not exist, not backing up!
+ fi
+
+ motd='/etc/motd'
+ if [ -f $motd ]; then
+ cp /etc/motd /var/nsh/backup/pre-nsh-config/
+ mv /etc/motd /var/run/motd.0
+ sed -i 's/Welcome to OpenBSD/OpenBSD/g' /var/run/motd.0
+ ln -s /var/run/motd.0 /etc/motd
+ chown root /var/run/motd.0
+ chgrp wheel /var/run/motd.0
+ chmod 660 /var/run/motd.0
+ else
+ echo etc-motd does not exist, not importing!
+ fi
+
+ smtpd='/etc/mail/smtpd.conf'
+ if [ -f $smtpd ]; then
+ cp /etc/mail/smtpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/mail/smtpd.conf /var/run/smtpd.conf.0
+ chown root /var/run/smtpd.conf.0
+ chgrp wheel /var/run/smtpd.conf.0
+ chmod 660 /var/run/smtpd.conf.0
+ else
+ echo etc-smtpd does not exist, not importing!
+ fi
+
+ dvmrpd='/etc/dvmrpd.conf'
+ if [ -f $dvmrpd ]; then
+ cp /etc/dvmrpd.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/dvmrpd.conf /var/run/dvmrpd.conf.0
+ chown root /var/run/dvmrpd.conf.0
+ chgrp wheel /var/run/dvmrpd.conf.0
+ chmod 660 /var/run/dvmrpd.conf.0
+ else
+ echo etc-dvmrpd does not exist, not importing!
+ fi
+
+ sasync='/etc/sasync.conf'
+ if [ -f $sasync ]; then
+ cp /etc/sasync.conf /var/nsh/backup/pre-nsh-config/
+ mv /etc/sasync.conf /var/run/sasync.conf.0
+ chown root /var/run/sasync.conf.0
+ chgrp wheel /var/run/sasync.conf.0
+ chmod 660 /var/run/sasync.conf.0
+ else
+ echo etc-sasyncd does not exist, not importing!
+ fi
+
+ #setup and secure nshlog
+ touch /var/log/nsh.log
+ chown root /var/log/nsh.log
+ chgrp wheel /var/log/nsh.log
+ chmod 660 /var/log/nsh.log
+ #import running Openbsd kernel configuration
+ /usr/local/bin/nsh -c ../nshrc/write-config.nshrc
+ #secure nshrc config file
+ chmod 660 /etc/nshrc
+ echo /usr/local/bin/nsh -i /etc/nshrc >>/etc/rc.local
+ else
+ exit
+ fi
+fi
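Review bot: Every config the script moves into /var/run — ipsec.conf, iked.conf, bgpd.conf and snmpd.conf among them — is set to `chmod 660` root:wheel, and `/etc/nshrc`, which root will execute at every boot through the `nsh -i /etc/nshrc` line appended to /etc/rc.local, is left group-writable the same way, so any account in wheel can rewrite the configuration root applies, and files OpenBSD conventionally keeps at 0600 because they carry pre-shared keys and session passwords become group-readable. Unless nsh's design needs wheel to write these (nothing here shows that), use `chmod 600 /etc/nshrc`, at most 640 for the /var/run copies with 600 for the secret-bearing ones, and `cp -p` for the backups so they do not inherit the umask. The re-run guard `test -f /var/nsh/backup/pre-nsh-config` can never fire because that path is a directory created by `mkdir -p` (it should be `test -d`), and every early abort is a bare `exit`, i.e. status 0. The result of `/usr/local/bin/nsh -c ../nshrc/write-config.nshrc` is not checked and the path is relative to the caller's cwd (the README hunk says `cd scripts/` while the file lives in scripts/shell/), yet the chmod and the rc.local append run regardless; resolve it against `$(dirname "$0")` and only touch /etc/nshrc and rc.local on success. Folding the twenty copy/mv/chown/chmod blocks into one helper, sketched below, would also make the `/etc/sasync.conf` check stand out: sasyncd's config is conventionally /etc/sasyncd.conf and that branch's own message already says `etc-sasyncd`, so confirm which name nsh expects.

```shell
# import_conf SRC DST [MODE]: back up SRC with its mode preserved, move it to
# its rdomain-0 name under /var/run and pin it to root:wheel.  Default 640
# keeps wheel read-only; pass 600 for files that carry keys or passwords.
import_conf() {
	src=$1; dst=$2; mode=${3:-640}
	if [ -f "$src" ]; then
		cp -p "$src" /var/nsh/backup/pre-nsh-config/ &&
		mv "$src" "$dst" &&
		chown root:wheel "$dst" &&
		chmod "$mode" "$dst"
	else
		echo "$src does not exist, not importing!"
	fi
}

test -d /var/nsh/backup/pre-nsh-config && echo pre-nsh-config exists already && exit 1
test -f /etc/nshrc && echo etc-nshrc exists already && exit 1
# … unchanged: mkdir/chmod/chown of /var/nsh …

import_conf /etc/pf.conf      /var/run/pf.conf.0
import_conf /etc/ipsec.conf   /var/run/ipsec.conf.0   600
import_conf /etc/bgpd.conf    /var/run/bgpd.conf.0    600
import_conf /etc/iked.conf    /var/run/iked.conf.0    600
import_conf /etc/snmpd.conf   /var/run/snmpd.conf.0   600
# … unchanged: the remaining daemons, resolv.conf backup, motd handling …
import_conf /etc/sasyncd.conf /var/run/sasyncd.conf.0 600   # TODO confirm the name nsh expects

# … unchanged: nsh.log setup …
scriptdir=$(cd "$(dirname "$0")" && pwd)
if /usr/local/bin/nsh -c "$scriptdir/../nshrc/write-config.nshrc"; then
	chmod 600 /etc/nshrc
	echo /usr/local/bin/nsh -i /etc/nshrc >>/etc/rc.local
else
	echo "nsh import failed; /etc/nshrc and /etc/rc.local left untouched" >&2
	exit 1
fi
```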