authorDamien Miller <djm@mindrot.org>2014-05-27 14:31:58 +1000
committerDamien Miller <djm@mindrot.org>2014-05-27 14:31:58 +1000
commitf9eb5e0734f7a7f6e975809eb54684d2a06a7ffc (patch)
tree70106db653a4859b9ea8fbbc77afc8a05cb0ef2f /contrib/cygwin/ssh-host-config
parenteae88744662e6b149f43ef071657727f1a157d95 (diff)
- (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
from Corinna Vinschen, fixing a number of bugs and preparing for Cygwin 1.7.30.
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config166
1 files changed, 102 insertions, 64 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 05efd3b3b..fed87947d 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -34,6 +34,7 @@ declare -a csih_required_commands=(
34 /usr/bin/mv coreutils 34 /usr/bin/mv coreutils
35 /usr/bin/rm coreutils 35 /usr/bin/rm coreutils
36 /usr/bin/cygpath cygwin 36 /usr/bin/cygpath cygwin
37 /usr/bin/mkpasswd cygwin
37 /usr/bin/mount cygwin 38 /usr/bin/mount cygwin
38 /usr/bin/ps cygwin 39 /usr/bin/ps cygwin
39 /usr/bin/setfacl cygwin 40 /usr/bin/setfacl cygwin
@@ -59,8 +60,9 @@ PREFIX=/usr
59SYSCONFDIR=/etc 60SYSCONFDIR=/etc
60LOCALSTATEDIR=/var 61LOCALSTATEDIR=/var
61 62
63sshd_config_configured=no
62port_number=22 64port_number=22
63privsep_configured=no 65strictmodes=yes
64privsep_used=yes 66privsep_used=yes
65cygwin_value="" 67cygwin_value=""
66user_account= 68user_account=
@@ -89,28 +91,8 @@ update_services_file() {
89 # Depends on the above mount 91 # Depends on the above mount
90 _wservices=`cygpath -w "${_services}"` 92 _wservices=`cygpath -w "${_services}"`
91 93
92 # Remove sshd 22/port from services
93 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
94 then
95 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
96 if [ -f "${_serv_tmp}" ]
97 then
98 if /usr/bin/mv "${_serv_tmp}" "${_services}"
99 then
100 csih_inform "Removing sshd from ${_wservices}"
101 else
102 csih_warning "Removing sshd from ${_wservices} failed!"
103 let ++ret
104 fi
105 /usr/bin/rm -f "${_serv_tmp}"
106 else
107 csih_warning "Removing sshd from ${_wservices} failed!"
108 let ++ret
109 fi
110 fi
111
112 # Add ssh 22/tcp and ssh 22/udp to services 94 # Add ssh 22/tcp and ssh 22/udp to services
113 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 95 if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
114 then 96 then
115 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 97 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
116 then 98 then
@@ -132,17 +114,45 @@ update_services_file() {
132} # --- End of update_services_file --- # 114} # --- End of update_services_file --- #
133 115
134# ====================================================================== 116# ======================================================================
117# Routine: sshd_strictmodes
118# MODIFIES: strictmodes
119# ======================================================================
120sshd_strictmodes() {
121 if [ "${sshd_config_configured}" != "yes" ]
122 then
123 echo
124 csih_inform "StrictModes is set to 'yes' by default."
125 csih_inform "This is the recommended setting, but it requires that the POSIX"
126 csih_inform "permissions of the user's home directory, the user's .ssh"
127 csih_inform "directory, and the user's ssh key files are tight so that"
128 csih_inform "only the user has write permissions."
129 csih_inform "On the other hand, StrictModes don't work well with default"
130 csih_inform "Windows permissions of a home directory mounted with the"
131 csih_inform "'noacl' option, and they don't work at all if the home"
132 csih_inform "directory is on a FAT or FAT32 partition."
133 if ! csih_request "Should StrictModes be used?"
134 then
135 strictmodes=no
136 fi
137 fi
138 return 0
139}
140
141# ======================================================================
135# Routine: sshd_privsep 142# Routine: sshd_privsep
136# MODIFIES: privsep_configured privsep_used 143# MODIFIES: privsep_used
137# ====================================================================== 144# ======================================================================
138sshd_privsep() { 145sshd_privsep() {
139 local sshdconfig_tmp
140 local ret=0 146 local ret=0
141 147
142 if [ "${privsep_configured}" != "yes" ] 148 if [ "${sshd_config_configured}" != "yes" ]
143 then 149 then
144 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 150 echo
145 csih_inform "However, this requires a non-privileged account called 'sshd'." 151 csih_inform "Privilege separation is set to 'sandbox' by default since"
152 csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
153 csih_inform "to 'yes' or 'no'."
154 csih_inform "However, using privilege separation requires a non-privileged account"
155 csih_inform "called 'sshd'."
146 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 156 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
147 if csih_request "Should privilege separation be used?" 157 if csih_request "Should privilege separation be used?"
148 then 158 then
@@ -159,36 +169,53 @@ sshd_privsep() {
159 privsep_used=no 169 privsep_used=no
160 fi 170 fi
161 fi 171 fi
172 return $ret
173} # --- End of sshd_privsep --- #
174
175# ======================================================================
176# Routine: sshd_config_tweak
177# ======================================================================
178sshd_config_tweak() {
179 local ret=0
162 180
163 # Create default sshd_config from skeleton files in /etc/defaults/etc or 181 # Modify sshd_config
164 # modify to add the missing privsep configuration option 182 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
165 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 183 if [ "${port_number}" -ne 22 ]
166 then 184 then
167 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 185 /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
168 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 186 ${SYSCONFDIR}/sshd_config
169 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 187 if [ $? -ne 0 ]
170 s/^#Port 22/Port ${port_number}/
171 s/^#StrictModes yes/StrictModes no/" \
172 < ${SYSCONFDIR}/sshd_config \
173 > "${sshdconfig_tmp}"
174 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
175 then 188 then
176 csih_warning "Setting privilege separation to 'yes' failed!" 189 csih_warning "Setting listening port to ${port_number} failed!"
177 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 190 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
178 let ++ret 191 let ++ret
179 fi 192 fi
180 elif [ "${privsep_configured}" != "yes" ] 193 fi
194 if [ "${strictmodes}" = "no" ]
181 then 195 then
182 echo >> ${SYSCONFDIR}/sshd_config 196 /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
183 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 197 ${SYSCONFDIR}/sshd_config
198 if [ $? -ne 0 ]
184 then 199 then
185 csih_warning "Setting privilege separation to 'yes' failed!" 200 csih_warning "Setting StrictModes to 'no' failed!"
186 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 201 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
187 let ++ret 202 let ++ret
203 fi
204 fi
205 if [ "${sshd_config_configured}" != "yes" ]
206 then
207 /usr/bin/sed -i -e "
208 s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
209 ${SYSCONFDIR}/sshd_config
210 if [ $? -ne 0 ]
211 then
212 csih_warning "Setting privilege separation failed!"
213 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
214 let ++ret
188 fi 215 fi
189 fi 216 fi
190 return $ret 217 return $ret
191} # --- End of sshd_privsep --- # 218} # --- End of sshd_config_tweak --- #
192 219
193# ====================================================================== 220# ======================================================================
194# Routine: update_inetd_conf 221# Routine: update_inetd_conf
@@ -207,11 +234,11 @@ update_inetd_conf() {
207 # we have inetutils-1.5 inetd.d support 234 # we have inetutils-1.5 inetd.d support
208 if [ -f "${_inetcnf}" ] 235 if [ -f "${_inetcnf}" ]
209 then 236 then
210 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 237 /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
211 238
212 # check for sshd OR ssh in top-level inetd.conf file, and remove 239 # check for sshd OR ssh in top-level inetd.conf file, and remove
213 # will be replaced by a file in inetd.d/ 240 # will be replaced by a file in inetd.d/
214 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 241 if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
215 then 242 then
216 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 243 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
217 if [ -f "${_inetcnf_tmp}" ] 244 if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +263,9 @@ update_inetd_conf() {
236 then 263 then
237 if [ "${_with_comment}" -eq 0 ] 264 if [ "${_with_comment}" -eq 0 ]
238 then 265 then
239 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 266 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
240 else 267 else
241 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 268 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
242 fi 269 fi
243 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 270 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
244 then 271 then
@@ -251,13 +278,13 @@ update_inetd_conf() {
251 278
252 elif [ -f "${_inetcnf}" ] 279 elif [ -f "${_inetcnf}" ]
253 then 280 then
254 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 281 /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
255 282
256 # check for sshd in top-level inetd.conf file, and remove 283 # check for sshd in top-level inetd.conf file, and remove
257 # will be replaced by a file in inetd.d/ 284 # will be replaced by a file in inetd.d/
258 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 285 if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
259 then 286 then
260 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 287 /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
261 if [ -f "${_inetcnf_tmp}" ] 288 if [ -f "${_inetcnf_tmp}" ]
262 then 289 then
263 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 290 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +332,26 @@ check_service_files_ownership() {
305 332
306 if [ -z "${run_service_as}" ] 333 if [ -z "${run_service_as}" ]
307 then 334 then
308 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') 335 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
336 /usr/bin/sed -ne 's/^Account *: *//gp')
309 if [ "${accnt_name}" = "LocalSystem" ] 337 if [ "${accnt_name}" = "LocalSystem" ]
310 then 338 then
311 # Convert "LocalSystem" to "SYSTEM" as is the correct account name 339 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
312 accnt_name="SYSTEM:" 340 run_service_as="SYSTEM"
313 elif [[ "${accnt_name}" =~ ^\.\\ ]] 341 else
314 then 342 dom="${accnt_name%%\\*}"
315 # Convert "." domain to local machine name 343 accnt_name="${accnt_name#*\\}"
316 accnt_name="U-${COMPUTERNAME}${accnt_name#.}," 344 if [ "${dom}" = '.' ]
345 then
346 # Check local account
347 run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
348 /usr/bin/awk -F: '{print $1;}')
349 else
350 # Check domain
351 run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
352 /usr/bin/awk -F: '{print $1;}')
353 fi
317 fi 354 fi
318 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
319 if [ -z "${run_service_as}" ] 355 if [ -z "${run_service_as}" ]
320 then 356 then
321 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" 357 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
@@ -672,6 +708,7 @@ then
672fi 708fi
673 709
674# generate missing host keys 710# generate missing host keys
711csih_inform "Generating missing SSH host keys"
675/usr/bin/ssh-keygen -A || let warning_cnt+=$? 712/usr/bin/ssh-keygen -A || let warning_cnt+=$?
676 713
677# handle ssh_config 714# handle ssh_config
@@ -690,10 +727,11 @@ fi
690csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt 727csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
691if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 728if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
692then 729then
693 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 730 sshd_config_configured=yes
694fi 731fi
732sshd_strictmodes || let warning_cnt+=$?
695sshd_privsep || let warning_cnt+=$? 733sshd_privsep || let warning_cnt+=$?
696 734sshd_config_tweak || let warning_cnt+=$?
697update_services_file || let warning_cnt+=$? 735update_services_file || let warning_cnt+=$?
698update_inetd_conf || let warning_cnt+=$? 736update_inetd_conf || let warning_cnt+=$?
699install_service || let warning_cnt+=$? 737install_service || let warning_cnt+=$?
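Review bot: The UsePrivilegeSeparation rewrite at new line 208 in sshd_config_tweak accepts neither whitespace after the `#` nor a tab before the value, unlike the Port and StrictModes patterns at new lines 185 and 196, so a default file carrying `# UsePrivilegeSeparation sandbox` or a tab-separated directive is left untouched and sshd keeps the `sandbox` value that the prompt text at new lines 151-153 says Cygwin cannot run. Suggest `s/^#\?[[:space:]]*UsePrivilegeSeparation[[:space:]].*/UsePrivilegeSeparation ${privsep_used}/` so all three rewrites accept the same spellings; sshd_config_tweak is fully inside the hunk. The same incomplete conversion survives in update_inetd_conf at new lines 241 and 243, where `'^[# \t]*ssh'` is kept although inside a bracket expression `\t` is a literal backslash and `t` rather than a tab, while the sibling branch at new lines 285 and 287 already uses `'^#\?[[:space:]]*sshd'`; update_inetd_conf starts outside the hunk.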