author | Darren Tucker <dtucker@zip.com.au> | 2011-02-21 21:41:29 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2011-02-21 21:41:29 +1100 |
commit | e541aaaf0f544fca9aeedff5941f5103b8e49a5c (patch) | |
tree | 886b60b1c0e69a0fe88aa24754db0fa19ca1a513 /contrib/cygwin/ssh-host-config | |
parent | 0588beba3987853d02b849e92a243ec0a38aa4fb (diff) |
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
Cygwin-specific service installer script ssh-host-config. The actual
functionality is the same, the revisited version is just more
exact when it comes to checking for problems which prevent
certain aspects of the script from running. So, part of this script and the also
rearranged service helper script library "csih" is to check if all
the tools required to run the script are available on the system.
The new script also is more thorough to inform the user why the
script failed. Patch from vinschen at redhat com.
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r-- | contrib/cygwin/ssh-host-config | 540 |
1 files changed, 365 insertions, 175 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 0af6907dc..3ac39a621 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # ssh-host-config, Copyright 2000-2009 Red Hat Inc. | 3 | # ssh-host-config, Copyright 2000-2011 Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | # | 6 | # |
@@ -19,12 +19,39 @@ | |||
19 | # ====================================================================== | 19 | # ====================================================================== |
20 | # Initialization | 20 | # Initialization |
21 | # ====================================================================== | 21 | # ====================================================================== |
22 | PROGNAME=$(basename $0) | ||
23 | _tdir=$(dirname $0) | ||
24 | PROGDIR=$(cd $_tdir && pwd) | ||
25 | 22 | ||
26 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh | 23 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh |
27 | 24 | ||
25 | # List of apps used. This is checkad for existance in csih_sanity_check | ||
26 | # Don't use *any* transient commands before sourcing the csih helper script, | ||
27 | # otherwise the sanity checks are short-circuited. | ||
28 | declare -a csih_required_commands=( | ||
29 | /usr/bin/basename coreutils | ||
30 | /usr/bin/cat coreutils | ||
31 | /usr/bin/chmod coreutils | ||
32 | /usr/bin/dirname coreutils | ||
33 | /usr/bin/id coreutils | ||
34 | /usr/bin/mv coreutils | ||
35 | /usr/bin/rm coreutils | ||
36 | /usr/bin/cygpath cygwin | ||
37 | /usr/bin/mount cygwin | ||
38 | /usr/bin/ps cygwin | ||
39 | /usr/bin/setfacl cygwin | ||
40 | /usr/bin/umount cygwin | ||
41 | /usr/bin/cmp diffutils | ||
42 | /usr/bin/grep grep | ||
43 | /usr/bin/awk gawk | ||
44 | /usr/bin/ssh-keygen openssh | ||
45 | /usr/sbin/sshd openssh | ||
46 | /usr/bin/sed sed | ||
47 | ) | ||
48 | csih_sanity_check_server=yes | ||
49 | source ${CSIH_SCRIPT} | ||
50 | |||
51 | PROGNAME=$(/usr/bin/basename $0) | ||
52 | _tdir=$(/usr/bin/dirname $0) | ||
53 | PROGDIR=$(cd $_tdir && pwd) | ||
54 | |||
28 | # Subdirectory where the new package is being installed | 55 | # Subdirectory where the new package is being installed |
29 | PREFIX=/usr | 56 | PREFIX=/usr |
30 | 57 | ||
@@ -32,8 +59,6 @@ PREFIX=/usr | |||
32 | SYSCONFDIR=/etc | 59 | SYSCONFDIR=/etc |
33 | LOCALSTATEDIR=/var | 60 | LOCALSTATEDIR=/var |
34 | 61 | ||
35 | source ${CSIH_SCRIPT} | ||
36 | |||
37 | port_number=22 | 62 | port_number=22 |
38 | privsep_configured=no | 63 | privsep_configured=no |
39 | privsep_used=yes | 64 | privsep_used=yes |
@@ -46,29 +71,48 @@ opt_force=no | |||
46 | # Routine: create_host_keys | 71 | # Routine: create_host_keys |
47 | # ====================================================================== | 72 | # ====================================================================== |
48 | create_host_keys() { | 73 | create_host_keys() { |
74 | local ret=0 | ||
75 | |||
49 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] | 76 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] |
50 | then | 77 | then |
51 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" | 78 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" |
52 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | 79 | if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
80 | then | ||
81 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
82 | let ++ret | ||
83 | fi | ||
53 | fi | 84 | fi |
54 | 85 | ||
55 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | 86 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
56 | then | 87 | then |
57 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | 88 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
58 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | 89 | if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
90 | then | ||
91 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
92 | let ++ret | ||
93 | fi | ||
59 | fi | 94 | fi |
60 | 95 | ||
61 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | 96 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
62 | then | 97 | then |
63 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | 98 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
64 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null | 99 | if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null |
100 | then | ||
101 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
102 | let ++ret | ||
103 | fi | ||
65 | fi | 104 | fi |
66 | 105 | ||
67 | if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] | 106 | if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] |
68 | then | 107 | then |
69 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" | 108 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" |
70 | ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null | 109 | if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null |
110 | then | ||
111 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
112 | let ++ret | ||
113 | fi | ||
71 | fi | 114 | fi |
115 | return $ret | ||
72 | } # --- End of create_host_keys --- # | 116 | } # --- End of create_host_keys --- # |
73 | 117 | ||
74 | # ====================================================================== | 118 | # ====================================================================== |
@@ -81,61 +125,58 @@ update_services_file() { | |||
81 | local _spaces | 125 | local _spaces |
82 | local _serv_tmp | 126 | local _serv_tmp |
83 | local _wservices | 127 | local _wservices |
128 | local ret=0 | ||
84 | 129 | ||
85 | if csih_is_nt | 130 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" |
86 | then | 131 | _services="${_my_etcdir}/services" |
87 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" | 132 | _spaces=" #" |
88 | _services="${_my_etcdir}/services" | ||
89 | # On NT, 27 spaces, no space after the hash | ||
90 | _spaces=" #" | ||
91 | else | ||
92 | _win_etcdir="${WINDIR}" | ||
93 | _services="${_my_etcdir}/SERVICES" | ||
94 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
95 | _spaces=" # " | ||
96 | fi | ||
97 | _serv_tmp="${_my_etcdir}/srv.out.$$" | 133 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
98 | 134 | ||
99 | mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" | 135 | /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" |
100 | 136 | ||
101 | # Depends on the above mount | 137 | # Depends on the above mount |
102 | _wservices=`cygpath -w "${_services}"` | 138 | _wservices=`cygpath -w "${_services}"` |
103 | 139 | ||
104 | # Remove sshd 22/port from services | 140 | # Remove sshd 22/port from services |
105 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | 141 | if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
106 | then | 142 | then |
107 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | 143 | /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
108 | if [ -f "${_serv_tmp}" ] | 144 | if [ -f "${_serv_tmp}" ] |
109 | then | 145 | then |
110 | if mv "${_serv_tmp}" "${_services}" | 146 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
111 | then | 147 | then |
112 | csih_inform "Removing sshd from ${_wservices}" | 148 | csih_inform "Removing sshd from ${_wservices}" |
113 | else | 149 | else |
114 | csih_warning "Removing sshd from ${_wservices} failed!" | 150 | csih_warning "Removing sshd from ${_wservices} failed!" |
151 | let ++ret | ||
115 | fi | 152 | fi |
116 | rm -f "${_serv_tmp}" | 153 | /usr/bin/rm -f "${_serv_tmp}" |
117 | else | 154 | else |
118 | csih_warning "Removing sshd from ${_wservices} failed!" | 155 | csih_warning "Removing sshd from ${_wservices} failed!" |
156 | let ++ret | ||
119 | fi | 157 | fi |
120 | fi | 158 | fi |
121 | 159 | ||
122 | # Add ssh 22/tcp and ssh 22/udp to services | 160 | # Add ssh 22/tcp and ssh 22/udp to services |
123 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 161 | if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
124 | then | 162 | then |
125 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | 163 | if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
126 | then | 164 | then |
127 | if mv "${_serv_tmp}" "${_services}" | 165 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
128 | then | 166 | then |
129 | csih_inform "Added ssh to ${_wservices}" | 167 | csih_inform "Added ssh to ${_wservices}" |
130 | else | 168 | else |
131 | csih_warning "Adding ssh to ${_wservices} failed!" | 169 | csih_warning "Adding ssh to ${_wservices} failed!" |
170 | let ++ret | ||
132 | fi | 171 | fi |
133 | rm -f "${_serv_tmp}" | 172 | /usr/bin/rm -f "${_serv_tmp}" |
134 | else | 173 | else |
135 | csih_warning "Adding ssh to ${_wservices} failed!" | 174 | csih_warning "Adding ssh to ${_wservices} failed!" |
175 | let ++ret | ||
136 | fi | 176 | fi |
137 | fi | 177 | fi |
138 | umount "${_my_etcdir}" | 178 | /usr/bin/umount "${_my_etcdir}" |
179 | return $ret | ||
139 | } # --- End of update_services_file --- # | 180 | } # --- End of update_services_file --- # |
140 | 181 | ||
141 | # ====================================================================== | 182 | # ====================================================================== |
@@ -144,51 +185,57 @@ update_services_file() { | |||
144 | # ====================================================================== | 185 | # ====================================================================== |
145 | sshd_privsep() { | 186 | sshd_privsep() { |
146 | local sshdconfig_tmp | 187 | local sshdconfig_tmp |
188 | local ret=0 | ||
147 | 189 | ||
148 | if [ "${privsep_configured}" != "yes" ] | 190 | if [ "${privsep_configured}" != "yes" ] |
149 | then | 191 | then |
150 | if csih_is_nt | 192 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." |
193 | csih_inform "However, this requires a non-privileged account called 'sshd'." | ||
194 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
195 | if csih_request "Should privilege separation be used?" | ||
151 | then | 196 | then |
152 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." | 197 | privsep_used=yes |
153 | csih_inform "However, this requires a non-privileged account called 'sshd'." | 198 | if ! csih_create_unprivileged_user sshd |
154 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
155 | if csih_request "Should privilege separation be used?" | ||
156 | then | 199 | then |
157 | privsep_used=yes | 200 | csih_error_recoverable "Couldn't create user 'sshd'!" |
158 | if ! csih_create_unprivileged_user sshd | 201 | csih_error_recoverable "Privilege separation set to 'no' again!" |
159 | then | 202 | csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" |
160 | csih_warning "Couldn't create user 'sshd'!" | 203 | let ++ret |
161 | csih_warning "Privilege separation set to 'no' again!" | ||
162 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
163 | privsep_used=no | ||
164 | fi | ||
165 | else | ||
166 | privsep_used=no | 204 | privsep_used=no |
167 | fi | 205 | fi |
168 | else | 206 | else |
169 | # On 9x don't use privilege separation. Since security isn't | ||
170 | # available it just adds useless additional processes. | ||
171 | privsep_used=no | 207 | privsep_used=no |
172 | fi | 208 | fi |
173 | fi | 209 | fi |
174 | 210 | ||
175 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | 211 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
176 | # modify to add the missing privsep configuration option | 212 | # modify to add the missing privsep configuration option |
177 | if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 213 | if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
178 | then | 214 | then |
179 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" | 215 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" |
180 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ | 216 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ |
181 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ | 217 | /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
182 | s/^#Port 22/Port ${port_number}/ | 218 | s/^#Port 22/Port ${port_number}/ |
183 | s/^#StrictModes yes/StrictModes no/" \ | 219 | s/^#StrictModes yes/StrictModes no/" \ |
184 | < ${SYSCONFDIR}/sshd_config \ | 220 | < ${SYSCONFDIR}/sshd_config \ |
185 | > "${sshdconfig_tmp}" | 221 | > "${sshdconfig_tmp}" |
186 | mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config | 222 | if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config |
223 | then | ||
224 | csih_warning "Setting privilege separation to 'yes' failed!" | ||
225 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
226 | let ++ret | ||
227 | fi | ||
187 | elif [ "${privsep_configured}" != "yes" ] | 228 | elif [ "${privsep_configured}" != "yes" ] |
188 | then | 229 | then |
189 | echo >> ${SYSCONFDIR}/sshd_config | 230 | echo >> ${SYSCONFDIR}/sshd_config |
190 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config | 231 | if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
232 | then | ||
233 | csih_warning "Setting privilege separation to 'yes' failed!" | ||
234 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
235 | let ++ret | ||
236 | fi | ||
191 | fi | 237 | fi |
238 | return $ret | ||
192 | } # --- End of sshd_privsep --- # | 239 | } # --- End of sshd_privsep --- # |
193 | 240 | ||
194 | # ====================================================================== | 241 | # ====================================================================== |
@@ -201,72 +248,82 @@ update_inetd_conf() { | |||
201 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" | 248 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" |
202 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" | 249 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" |
203 | local _with_comment=1 | 250 | local _with_comment=1 |
251 | local ret=0 | ||
204 | 252 | ||
205 | if [ -d "${_inetcnf_dir}" ] | 253 | if [ -d "${_inetcnf_dir}" ] |
206 | then | 254 | then |
207 | # we have inetutils-1.5 inetd.d support | 255 | # we have inetutils-1.5 inetd.d support |
208 | if [ -f "${_inetcnf}" ] | 256 | if [ -f "${_inetcnf}" ] |
209 | then | 257 | then |
210 | grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 | 258 | /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 |
211 | 259 | ||
212 | # check for sshd OR ssh in top-level inetd.conf file, and remove | 260 | # check for sshd OR ssh in top-level inetd.conf file, and remove |
213 | # will be replaced by a file in inetd.d/ | 261 | # will be replaced by a file in inetd.d/ |
214 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] | 262 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] |
215 | then | 263 | then |
216 | grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" | 264 | /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
217 | if [ -f "${_inetcnf_tmp}" ] | 265 | if [ -f "${_inetcnf_tmp}" ] |
218 | then | 266 | then |
219 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 267 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
220 | then | 268 | then |
221 | csih_inform "Removed ssh[d] from ${_inetcnf}" | 269 | csih_inform "Removed ssh[d] from ${_inetcnf}" |
222 | else | 270 | else |
223 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 271 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
272 | let ++ret | ||
224 | fi | 273 | fi |
225 | rm -f "${_inetcnf_tmp}" | 274 | /usr/bin/rm -f "${_inetcnf_tmp}" |
226 | else | 275 | else |
227 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 276 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
277 | let ++ret | ||
228 | fi | 278 | fi |
229 | fi | 279 | fi |
230 | fi | 280 | fi |
231 | 281 | ||
232 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" | 282 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" |
233 | if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 | 283 | if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 |
234 | then | 284 | then |
235 | if [ "${_with_comment}" -eq 0 ] | 285 | if [ "${_with_comment}" -eq 0 ] |
236 | then | 286 | then |
237 | sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 287 | /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
288 | else | ||
289 | /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | ||
290 | fi | ||
291 | if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
292 | then | ||
293 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
238 | else | 294 | else |
239 | sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 295 | csih_warning "Updating ${_sshd_inetd_conf} failed!" |
296 | let ++ret | ||
240 | fi | 297 | fi |
241 | mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
242 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
243 | fi | 298 | fi |
244 | 299 | ||
245 | elif [ -f "${_inetcnf}" ] | 300 | elif [ -f "${_inetcnf}" ] |
246 | then | 301 | then |
247 | grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 | 302 | /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 |
248 | 303 | ||
249 | # check for sshd in top-level inetd.conf file, and remove | 304 | # check for sshd in top-level inetd.conf file, and remove |
250 | # will be replaced by a file in inetd.d/ | 305 | # will be replaced by a file in inetd.d/ |
251 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | 306 | if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
252 | then | 307 | then |
253 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | 308 | /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
254 | if [ -f "${_inetcnf_tmp}" ] | 309 | if [ -f "${_inetcnf_tmp}" ] |
255 | then | 310 | then |
256 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 311 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
257 | then | 312 | then |
258 | csih_inform "Removed sshd from ${_inetcnf}" | 313 | csih_inform "Removed sshd from ${_inetcnf}" |
259 | else | 314 | else |
260 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 315 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
316 | let ++ret | ||
261 | fi | 317 | fi |
262 | rm -f "${_inetcnf_tmp}" | 318 | /usr/bin/rm -f "${_inetcnf_tmp}" |
263 | else | 319 | else |
264 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 320 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
321 | let ++ret | ||
265 | fi | 322 | fi |
266 | fi | 323 | fi |
267 | 324 | ||
268 | # Add ssh line to inetd.conf | 325 | # Add ssh line to inetd.conf |
269 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | 326 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
270 | then | 327 | then |
271 | if [ "${_with_comment}" -eq 0 ] | 328 | if [ "${_with_comment}" -eq 0 ] |
272 | then | 329 | then |
@@ -274,115 +331,186 @@ update_inetd_conf() { | |||
274 | else | 331 | else |
275 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | 332 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
276 | fi | 333 | fi |
277 | csih_inform "Added ssh to ${_inetcnf}" | 334 | if [ $? -eq 0 ] |
335 | then | ||
336 | csih_inform "Added ssh to ${_inetcnf}" | ||
337 | else | ||
338 | csih_warning "Adding ssh to ${_inetcnf} failed!" | ||
339 | let ++ret | ||
340 | fi | ||
278 | fi | 341 | fi |
279 | fi | 342 | fi |
343 | return $ret | ||
280 | } # --- End of update_inetd_conf --- # | 344 | } # --- End of update_inetd_conf --- # |
281 | 345 | ||
282 | # ====================================================================== | 346 | # ====================================================================== |
347 | # Routine: check_service_files_ownership | ||
348 | # Checks that the files in /etc and /var belong to the right owner | ||
349 | # ====================================================================== | ||
350 | check_service_files_ownership() { | ||
351 | local run_service_as=$1 | ||
352 | local ret=0 | ||
353 | |||
354 | if [ -z "${run_service_as}" ] | ||
355 | then | ||
356 | accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') | ||
357 | if [ "${accnt_name}" = "LocalSystem" ] | ||
358 | then | ||
359 | # Convert "LocalSystem" to "SYSTEM" as is the correct account name | ||
360 | accnt_name="SYSTEM:" | ||
361 | elif [[ "${accnt_name}" =~ ^\.\\ ]] | ||
362 | then | ||
363 | # Convert "." domain to local machine name | ||
364 | accnt_name="U-${COMPUTERNAME}${accnt_name#.}," | ||
365 | fi | ||
366 | run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') | ||
367 | if [ -z "${run_service_as}" ] | ||
368 | then | ||
369 | csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" | ||
370 | csih_warning "As a result, this script cannot make sure that the files used" | ||
371 | csih_warning "by the sshd service belong to the user running the service." | ||
372 | csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" | ||
373 | csih_warning "file is in a good shape." | ||
374 | return 1 | ||
375 | fi | ||
376 | fi | ||
377 | for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub | ||
378 | do | ||
379 | if [ -f "$i" ] | ||
380 | then | ||
381 | if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 | ||
382 | then | ||
383 | csih_warning "Couldn't change owner of $i!" | ||
384 | let ++ret | ||
385 | fi | ||
386 | fi | ||
387 | done | ||
388 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 | ||
389 | then | ||
390 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" | ||
391 | let ++ret | ||
392 | fi | ||
393 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 | ||
394 | then | ||
395 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" | ||
396 | let ++ret | ||
397 | fi | ||
398 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
399 | then | ||
400 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 | ||
401 | then | ||
402 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" | ||
403 | let ++ret | ||
404 | fi | ||
405 | fi | ||
406 | if [ $ret -ne 0 ] | ||
407 | then | ||
408 | csih_warning "Couldn't change owner of important files to ${run_service_as}!" | ||
409 | csih_warning "This may cause the sshd service to fail! Please make sure that" | ||
410 | csih_warning "you have suufficient permissions to change the ownership of files" | ||
411 | csih_warning "and try to run the ssh-host-config script again." | ||
412 | fi | ||
413 | return $ret | ||
414 | } # --- End of check_service_files_ownership --- # | ||
415 | |||
416 | # ====================================================================== | ||
283 | # Routine: install_service | 417 | # Routine: install_service |
284 | # Install sshd as a service | 418 | # Install sshd as a service |
285 | # ====================================================================== | 419 | # ====================================================================== |
286 | install_service() { | 420 | install_service() { |
287 | local run_service_as | 421 | local run_service_as |
288 | local password | 422 | local password |
423 | local ret=0 | ||
289 | 424 | ||
290 | if csih_is_nt | 425 | echo |
426 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 | ||
291 | then | 427 | then |
292 | if ! cygrunsrv -Q sshd >/dev/null 2>&1 | 428 | csih_inform "Sshd service is already installed." |
429 | check_service_files_ownership "" || let ret+=$? | ||
430 | else | ||
431 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
432 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
293 | then | 433 | then |
294 | echo | 434 | csih_get_cygenv "${cygwin_value}" |
295 | echo | ||
296 | csih_warning "The following functions require administrator privileges!" | ||
297 | echo | ||
298 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
299 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
300 | then | ||
301 | csih_get_cygenv "${cygwin_value}" | ||
302 | 435 | ||
303 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | 436 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) |
304 | then | 437 | then |
305 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" | 438 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" |
306 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" | 439 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" |
307 | csih_inform "sshd requires. You need to have or to create a privileged" | 440 | csih_inform "sshd requires. You need to have or to create a privileged" |
308 | csih_inform "account. This script will help you do so." | 441 | csih_inform "account. This script will help you do so." |
309 | echo | 442 | echo |
310 | 443 | ||
311 | [ "${opt_force}" = "yes" ] && opt_f=-f | 444 | [ "${opt_force}" = "yes" ] && opt_f=-f |
312 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" | 445 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" |
313 | csih_select_privileged_username ${opt_f} ${opt_u} sshd | 446 | csih_select_privileged_username ${opt_f} ${opt_u} sshd |
314 | 447 | ||
315 | if ! csih_create_privileged_user "${password_value}" | 448 | if ! csih_create_privileged_user "${password_value}" |
316 | then | 449 | then |
317 | csih_error_recoverable "There was a serious problem creating a privileged user." | 450 | csih_error_recoverable "There was a serious problem creating a privileged user." |
318 | csih_request "Do you want to proceed anyway?" || exit 1 | 451 | csih_request "Do you want to proceed anyway?" || exit 1 |
319 | fi | 452 | let ++ret |
320 | fi | 453 | fi |
454 | fi | ||
321 | 455 | ||
322 | # never returns empty if NT or above | 456 | # Never returns empty if NT or above |
323 | run_service_as=$(csih_service_should_run_as) | 457 | run_service_as=$(csih_service_should_run_as) |
324 | 458 | ||
325 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] | 459 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] |
460 | then | ||
461 | password="${csih_PRIVILEGED_PASSWORD}" | ||
462 | if [ -z "${password}" ] | ||
326 | then | 463 | then |
327 | password="${csih_PRIVILEGED_PASSWORD}" | 464 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" |
328 | if [ -z "${password}" ] | 465 | password="${csih_value}" |
329 | then | ||
330 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" | ||
331 | password="${csih_value}" | ||
332 | fi | ||
333 | fi | 466 | fi |
467 | fi | ||
334 | 468 | ||
335 | # at this point, we either have $run_service_as = "system" and $password is empty, | 469 | # At this point, we either have $run_service_as = "system" and |
336 | # or $run_service_as is some privileged user and (hopefully) $password contains | 470 | # $password is empty, or $run_service_as is some privileged user and |
337 | # the correct password. So, from here out, we use '-z "${password}"' to discriminate | 471 | # (hopefully) $password contains the correct password. So, from here |
338 | # the two cases. | 472 | # out, we use '-z "${password}"' to discriminate the two cases. |
339 | 473 | ||
340 | csih_check_user "${run_service_as}" | 474 | csih_check_user "${run_service_as}" |
341 | 475 | ||
342 | if [ -n "${csih_cygenv}" ] | 476 | if [ -n "${csih_cygenv}" ] |
477 | then | ||
478 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) | ||
479 | fi | ||
480 | if [ -z "${password}" ] | ||
481 | then | ||
482 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
483 | -a "-D" -y tcpip "${cygwin_env[@]}" | ||
343 | then | 484 | then |
344 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) | 485 | echo |
486 | csih_inform "The sshd service has been installed under the LocalSystem" | ||
487 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
488 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
489 | csih_inform "will start automatically after the next reboot." | ||
345 | fi | 490 | fi |
346 | if [ -z "${password}" ] | 491 | else |
492 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
493 | -a "-D" -y tcpip "${cygwin_env[@]}" \ | ||
494 | -u "${run_service_as}" -w "${password}" | ||
347 | then | 495 | then |
348 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | 496 | echo |
349 | -a "-D" -y tcpip "${cygwin_env[@]}" | 497 | csih_inform "The sshd service has been installed under the '${run_service_as}'" |
350 | then | 498 | csih_inform "account. To start the service now, call \`net start sshd' or" |
351 | echo | 499 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" |
352 | csih_inform "The sshd service has been installed under the LocalSystem" | 500 | csih_inform "after the next reboot." |
353 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
354 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
355 | csih_inform "will start automatically after the next reboot." | ||
356 | fi | ||
357 | else | ||
358 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
359 | -a "-D" -y tcpip "${cygwin_env[@]}" \ | ||
360 | -u "${run_service_as}" -w "${password}" | ||
361 | then | ||
362 | echo | ||
363 | csih_inform "The sshd service has been installed under the '${run_service_as}'" | ||
364 | csih_inform "account. To start the service now, call \`net start sshd' or" | ||
365 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" | ||
366 | csih_inform "after the next reboot." | ||
367 | fi | ||
368 | fi | 501 | fi |
502 | fi | ||
369 | 503 | ||
370 | # now, if successfully installed, set ownership of the affected files | 504 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 |
371 | if cygrunsrv -Q sshd >/dev/null 2>&1 | 505 | then |
372 | then | 506 | check_service_files_ownership "${run_service_as}" || let ret+=$? |
373 | chown "${run_service_as}" ${SYSCONFDIR}/ssh* | 507 | else |
374 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty | 508 | csih_error_recoverable "Installing sshd as a service failed!" |
375 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog | 509 | let ++ret |
376 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | 510 | fi |
377 | then | 511 | fi # user allowed us to install as service |
378 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log | 512 | fi # service not yet installed |
379 | fi | 513 | return $ret |
380 | else | ||
381 | csih_warning "Something went wrong installing the sshd service." | ||
382 | fi | ||
383 | fi # user allowed us to install as service | ||
384 | fi # service not yet installed | ||
385 | fi # csih_is_nt | ||
386 | } # --- End of install_service --- # | 514 | } # --- End of install_service --- # |
387 | 515 | ||
388 | # ====================================================================== | 516 | # ====================================================================== |
@@ -494,21 +622,71 @@ done | |||
494 | 622 | ||
495 | # Check for running ssh/sshd processes first. Refuse to do anything while | 623 | # Check for running ssh/sshd processes first. Refuse to do anything while |
496 | # some ssh processes are still running | 624 | # some ssh processes are still running |
497 | if ps -ef | grep -q '/sshd\?$' | 625 | if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' |
498 | then | 626 | then |
499 | echo | 627 | echo |
500 | csih_error "There are still ssh processes running. Please shut them down first." | 628 | csih_error "There are still ssh processes running. Please shut them down first." |
501 | fi | 629 | fi |
502 | 630 | ||
631 | # Make sure the user is running in an administrative context | ||
632 | admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) | ||
633 | if [ "${admin}" != "yes" ] | ||
634 | then | ||
635 | echo | ||
636 | csih_warning "Running this script typically requires administrator privileges!" | ||
637 | csih_warning "However, it seems your account does not have these privileges." | ||
638 | csih_warning "Here's the list of groups in your user token:" | ||
639 | echo | ||
640 | for i in $(/usr/bin/id -G) | ||
641 | do | ||
642 | /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group | ||
643 | done | ||
644 | echo | ||
645 | csih_warning "This usually means you're running this script from a non-admin" | ||
646 | csih_warning "desktop session, or in a non-elevated shell under UAC control." | ||
647 | echo | ||
648 | csih_warning "Make sure you have the appropriate privileges right now," | ||
649 | csih_warning "otherwise parts of this script will probably fail!" | ||
650 | echo | ||
651 | echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" | ||
652 | if ! csih_request "you have the required privileges)" | ||
653 | then | ||
654 | echo | ||
655 | csih_inform "Ok. Exiting. Make sure to switch to an administrative account" | ||
656 | csih_inform "or to start this script from an elevated shell." | ||
657 | exit 1 | ||
658 | fi | ||
659 | fi | ||
660 | |||
661 | echo | ||
662 | |||
663 | warning_cnt=0 | ||
664 | |||
503 | # Check for ${SYSCONFDIR} directory | 665 | # Check for ${SYSCONFDIR} directory |
504 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." | 666 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." |
505 | chmod 775 "${SYSCONFDIR}" | 667 | if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 |
506 | setfacl -m u:system:rwx "${SYSCONFDIR}" | 668 | then |
669 | csih_warning "Can't set permissions on ${SYSCONFDIR}!" | ||
670 | let ++warning_cnt | ||
671 | fi | ||
672 | if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 | ||
673 | then | ||
674 | csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" | ||
675 | let ++warning_cnt | ||
676 | fi | ||
507 | 677 | ||
508 | # Check for /var/log directory | 678 | # Check for /var/log directory |
509 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." | 679 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." |
510 | chmod 775 "${LOCALSTATEDIR}/log" | 680 | if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 |
511 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" | 681 | then |
682 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" | ||
683 | let ++warning_cnt | ||
684 | fi | ||
685 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 | ||
686 | then | ||
687 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" | ||
688 | let ++warning_cnt | ||
689 | fi | ||
512 | 690 | ||
513 | # Create /var/log/lastlog if not already exists | 691 | # Create /var/log/lastlog if not already exists |
514 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] | 692 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
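Review bot: The `chmod 775 "${SYSCONFDIR}"` on new line 667 leaves the directory that will hold sshd_config and the host keys group-writable, and the script never sets that directory's group owner, so whichever primary group the invoking admin happens to have (on many Cygwin installs a broad group such as None or Domain Users) gains the ability to create, rename and delete files there; since SYSTEM is already granted rwx explicitly via the `setfacl` on line 672, the group write bit does not appear to be needed for the service account. I would either drop it, `/usr/bin/chmod 755 "${SYSCONFDIR}"`, or pin the group before the chmod, `/usr/bin/chown :544 "${SYSCONFDIR}"`, and apply the same reasoning to `${LOCALSTATEDIR}/log` on line 680. A failed chmod here only bumps `warning_cnt` and the script goes on to install the service, which may be intended as best-effort, but a comment saying so would help the next reader; the exact group that csih_make_dir assigns is defined outside this file, so confirm the defaults before tightening.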
@@ -519,26 +697,33 @@ then | |||
519 | fi | 697 | fi |
520 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] | 698 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] |
521 | then | 699 | then |
522 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog | 700 | /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog |
523 | chmod 644 ${LOCALSTATEDIR}/log/lastlog | 701 | if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 |
702 | then | ||
703 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" | ||
704 | let ++warning_cnt | ||
705 | fi | ||
524 | fi | 706 | fi |
525 | 707 | ||
526 | # Create /var/empty file used as chroot jail for privilege separation | 708 | # Create /var/empty file used as chroot jail for privilege separation |
527 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." | 709 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." |
528 | chmod 755 "${LOCALSTATEDIR}/empty" | 710 | if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 |
529 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" | 711 | then |
712 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" | ||
713 | let ++warning_cnt | ||
714 | fi | ||
715 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 | ||
716 | then | ||
717 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" | ||
718 | let ++warning_cnt | ||
719 | fi | ||
530 | 720 | ||
531 | # host keys | 721 | # host keys |
532 | create_host_keys | 722 | create_host_keys || let warning_cnt+=$? |
533 | |||
534 | # use 'cmp' program to determine if a config file is identical | ||
535 | # to the default version of that config file | ||
536 | csih_check_program_or_error cmp diffutils | ||
537 | |||
538 | 723 | ||
539 | # handle ssh_config | 724 | # handle ssh_config |
540 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" | 725 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
541 | if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 | 726 | if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 |
542 | then | 727 | then |
543 | if [ "${port_number}" != "22" ] | 728 | if [ "${port_number}" != "22" ] |
544 | then | 729 | then |
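Review bot: The creation of lastlog on new line 700, `/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog`, is unchecked and unquoted; if the redirect fails (the script lets a non-admin session continue after the earlier warning) the only diagnostic is the following chmod's "Can't set permissions" message, which points at the wrong cause. I would wrap it the same way as the other steps in this hunk: `if ! /usr/bin/cat /dev/null > "${LOCALSTATEDIR}/log/lastlog" 2>/dev/null; then csih_warning "Can't create ${LOCALSTATEDIR}/log/lastlog!"; let ++warning_cnt; fi` and let the chmod branch follow only on success. Separately, `create_host_keys || let warning_cnt+=$?` on line 722 adds the function's exit status to a counter that is later reported as "N errors or warnings" and used as the exit code; that only reads sensibly if create_host_keys (defined outside this hunk) returns a problem count rather than a generic status, which is worth stating in a comment at the call site.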
@@ -549,19 +734,24 @@ then | |||
549 | fi | 734 | fi |
550 | 735 | ||
551 | # handle sshd_config (and privsep) | 736 | # handle sshd_config (and privsep) |
552 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" | 737 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
553 | if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 738 | if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
554 | then | 739 | then |
555 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes | 740 | /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
556 | fi | 741 | fi |
557 | sshd_privsep | 742 | sshd_privsep || let warning_cnt+=$? |
558 | |||
559 | 743 | ||
560 | 744 | update_services_file || let warning_cnt+=$? | |
561 | update_services_file | 745 | update_inetd_conf || let warning_cnt+=$? |
562 | update_inetd_conf | 746 | install_service || let warning_cnt+=$? |
563 | install_service | ||
564 | 747 | ||
565 | echo | 748 | echo |
566 | csih_inform "Host configuration finished. Have fun!" | 749 | if [ $warning_cnt -eq 0 ] |
567 | 750 | then | |
751 | csih_inform "Host configuration finished. Have fun!" | ||
752 | else | ||
753 | csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" | ||
754 | csih_warning "Make sure that all problems reported are fixed," | ||
755 | csih_warning "then re-run ssh-host-config." | ||
756 | fi | ||
757 | exit $warning_cnt | ||
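Review bot: The `grep -q UsePrivilegeSeparation` on new line 740 also matches a commented-out `#UsePrivilegeSeparation` line, which is how the stock sshd_config ships the option, so any locally edited sshd_config that merely kept that comment sets `privsep_configured=yes` even though privilege separation is not actually configured; what sshd_privsep then does with that flag is outside this hunk, but presumably it skips setting the option up. Anchoring on an active directive avoids that, e.g. `/usr/bin/grep -Eiq '^[[:space:]]*UsePrivilegeSeparation[[:space:]]' ${SYSCONFDIR}/sshd_config && privsep_configured=yes`. A minor point on the same hunk: `exit $warning_cnt` on line 757 is truncated modulo 256 by the shell, so a large count could be reported as 0 to a caller; `exit $(( warning_cnt > 255 ? 255 : warning_cnt ))` keeps the non-zero signal intact.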