- (dtucker) [README ssh-host-config ssh-user-config Makefile] (All

   contrib/cygwin).  Major update from vinschen at redhat.com.
   - Makefile provides a `cygwin-postinstall' target to run right after
     `make install'.
   - Better support for Windows 2003 Server.
   - Try to get permissions as correct as possible.
   - New command line options to allow full automated host configuration.
   - Create configs from skeletons in /etc/defaults/etc.
   - Use /bin/bash, allows reading user input with readline support.
   - Remove really old configs from /usr/local.

1 files changed, 249 insertions, 253 deletions

diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index c69cfd88b..18793ca85 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
 #
-# ssh-host-config, Copyright 2000, Red Hat Inc.
+# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
 #
 # This file is part of the Cygwin port of OpenSSH.
 
@@ -9,10 +9,7 @@ PREFIX=/usr
 
 # Directory where the config files are stored
 SYSCONFDIR=/etc
-
-# Subdirectory where an old package might be installed
-OLDPREFIX=/usr/local
-OLDSYSCONFDIR=${OLDPREFIX}/etc
+LOCALSTATEDIR=/var
 
 progname=$0
 auto_answer=""
@@ -27,9 +24,11 @@ request()
 {
   if [ "${auto_answer}" = "yes" ]
   then
+    echo "$1 (yes/no) yes"
     return 0
   elif [ "${auto_answer}" = "no" ]
   then
+    echo "$1 (yes/no) no"
     return 1
   fi
 
@@ -37,7 +36,7 @@ request()
   while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
   do
     echo -n "$1 (yes/no) "
-    read answer
+    read -e answer
   done
   if [ "X${answer}" = "Xyes" ]
   then
@@ -60,7 +59,7 @@ do
   option=$1
   shift
 
-  case "$option" in
+  case "${option}" in
   -d | --debug )
     set -x
     ;;
@@ -73,21 +72,33 @@ do
     auto_answer=no
     ;;
 
+  -c | --cygwin )
+    cygwin_value="$1"
+    shift
+    ;;
+
   -p | --port )
     port_number=$1
     shift
     ;;
 
+  -w | --pwd )
+    password_value="$1"
+    shift
+    ;;
+
   *)
     echo "usage: ${progname} [OPTION]..."
     echo
     echo "This script creates an OpenSSH host configuration."
     echo
     echo "Options:"
-    echo "    --debug  -d     Enable shell's debug output."
-    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
-    echo "    --no     -n     Answer all questions with \"no\" automatically."
-    echo "    --port   -p <n> sshd listens on port n."
+    echo "  --debug  -d            Enable shell's debug output."
+    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
+    echo "  --no     -n            Answer all questions with \"no\" automatically."
+    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
+    echo "  --port   -p <n>        sshd listens on port n."
+    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'sshd_server'."
     echo
     exit 1
     ;;
@@ -96,8 +107,13 @@ do
 done
 
 # Check if running on NT
-_sys="`uname -a`"
-_nt=`expr "$_sys" : "CYGWIN_NT"`
+_sys="`uname`"
+_nt=`expr "${_sys}" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ ${_nt} -gt 0 ]
+then
+  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
 
 # Check for running ssh/sshd processes first. Refuse to do anything while
 # some ssh processes are still running
@@ -137,87 +153,33 @@ fi
 
 # Create /var/log and /var/log/lastlog if not already existing
 
-if [ -f /var/log ]
+if [ -f ${LOCALSTATEDIR}/log ]
 then
-  echo "Creating /var/log failed\!"
+  echo "Creating ${LOCALSTATEDIR}/log failed!"
 else
-  if [ ! -d /var/log ]
+  if [ ! -d ${LOCALSTATEDIR}/log ]
   then
-    mkdir -p /var/log
+    mkdir -p ${LOCALSTATEDIR}/log
   fi
-  if [ -d /var/log/lastlog ]
+  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
   then
-    echo "Creating /var/log/lastlog failed\!"
-  elif [ ! -f /var/log/lastlog ]
+    chmod 777 ${LOCALSTATEDIR}/log/lastlog
+  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
   then
-    cat /dev/null > /var/log/lastlog
+    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+    chmod 666 ${LOCALSTATEDIR}/log/lastlog
   fi
 fi
 
 # Create /var/empty file used as chroot jail for privilege separation
-if [ -f /var/empty ]
+if [ -f ${LOCALSTATEDIR}/empty ]
 then
-  echo "Creating /var/empty failed\!"
+  echo "Creating ${LOCALSTATEDIR}/empty failed!"
 else
-  mkdir -p /var/empty
-  # On NT change ownership of that dir to user "system"
-  if [ $_nt -gt 0 ]
+  mkdir -p ${LOCALSTATEDIR}/empty
+  if [ ${_nt} -gt 0 ]
   then
-    chmod 755 /var/empty
-    chown system.system /var/empty
-  fi
-fi
-
-# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
-# the same as ${PREFIX}
-
-old_install=0
-if [ "${OLDPREFIX}" != "${PREFIX}" ]
-then
-  if [ -f "${OLDPREFIX}/sbin/sshd" ]
-  then
-    echo
-    echo "You seem to have an older installation in ${OLDPREFIX}."
-    echo
-    # Check if old global configuration files exist
-    if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
-    then
-      if request "Do you want to copy your config files to your new installation?"
-      then
-        cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
-        cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
-      fi
-    fi
-    if request "Do you want to erase your old installation?"
-    then
-      rm -f ${OLDPREFIX}/bin/ssh.exe
-      rm -f ${OLDPREFIX}/bin/ssh-config
-      rm -f ${OLDPREFIX}/bin/scp.exe
-      rm -f ${OLDPREFIX}/bin/ssh-add.exe
-      rm -f ${OLDPREFIX}/bin/ssh-agent.exe
-      rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
-      rm -f ${OLDPREFIX}/bin/slogin
-      rm -f ${OLDSYSCONFDIR}/ssh_host_key
-      rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
-      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
-      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
-      rm -f ${OLDSYSCONFDIR}/ssh_config
-      rm -f ${OLDSYSCONFDIR}/sshd_config
-      rm -f ${OLDPREFIX}/man/man1/ssh.1
-      rm -f ${OLDPREFIX}/man/man1/scp.1
-      rm -f ${OLDPREFIX}/man/man1/ssh-add.1
-      rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
-      rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
-      rm -f ${OLDPREFIX}/man/man1/slogin.1
-      rm -f ${OLDPREFIX}/man/man8/sshd.8
-      rm -f ${OLDPREFIX}/sbin/sshd.exe
-      rm -f ${OLDPREFIX}/sbin/sftp-server.exe
-    fi
-    old_install=1
+    chmod 755 ${LOCALSTATEDIR}/empty
   fi
 fi
 
@@ -255,52 +217,16 @@ then
   fi
 fi
 
-# Create default ssh_config from here script
+# Create default ssh_config from skeleton file in /etc/defaults/etc
 
 if [ ! -f "${SYSCONFDIR}/ssh_config" ]
 then
   echo "Generating ${SYSCONFDIR}/ssh_config file"
-  cat > ${SYSCONFDIR}/ssh_config << EOF
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for various options
-
-# Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
-#   PasswordAuthentication yes
-#   HostbasedAuthentication no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
-#   IdentityFile ~/.ssh/id_dsa
-#   IdentityFile ~/.ssh/id_rsa
-#   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
-#   EscapeChar ~
-EOF
-  if [ "$port_number" != "22" ]
+  cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
+  if [ "${port_number}" != "22" ]
   then
     echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
-    echo "    Port $port_number" >> ${SYSCONFDIR}/ssh_config
+    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
   fi
 fi
 
@@ -322,35 +248,35 @@ fi
 
 # Prior to creating or modifying sshd_config, care for privilege separation
 
-if [ "$privsep_configured" != "yes" ]
+if [ "${privsep_configured}" != "yes" ]
 then
-  if [ $_nt -gt 0 ]
+  if [ ${_nt} -gt 0 ]
   then
     echo "Privilege separation is set to yes by default since OpenSSH 3.3."
     echo "However, this requires a non-privileged account called 'sshd'."
-    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
+    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
     echo
-    if request "Shall privilege separation be used?"
+    if request "Should privilege separation be used?"
     then
       privsep_used=yes
       grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
       net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
-      if [ "$sshd_in_passwd" != "yes" ]
+      if [ "${sshd_in_passwd}" != "yes" ]
       then
-        if [ "$sshd_in_sam" != "yes" ]
+        if [ "${sshd_in_sam}" != "yes" ]
         then
           echo "Warning: The following function requires administrator privileges!"
-          if request "Shall this script create a local user 'sshd' on this machine?"
+          if request "Should this script create a local user 'sshd' on this machine?"
           then
-            dos_var_empty=`cygpath -w /var/empty`
-            net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
-            if [ "$sshd_in_sam" != "yes" ]
+            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+            net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
+            if [ "${sshd_in_sam}" != "yes" ]
             then
               echo "Warning: Creating the user 'sshd' failed!"
             fi
           fi
         fi
-        if [ "$sshd_in_sam" != "yes" ]
+        if [ "${sshd_in_sam}" != "yes" ]
         then
           echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
           echo "         Privilege separation set to 'no' again!"
@@ -365,117 +291,41 @@ then
     fi
   else
     # On 9x don't use privilege separation.  Since security isn't
-    # available it just adds useless addtional processes.
+    # available it just adds useless additional processes.
     privsep_used=no
   fi
 fi
 
-# Create default sshd_config from here script or modify to add the
-# missing privsep configuration option
+# Create default sshd_config from skeleton files in /etc/defaults/etc or
+# modify to add the missing privsep configuration option
 
 if [ ! -f "${SYSCONFDIR}/sshd_config" ]
 then
   echo "Generating ${SYSCONFDIR}/sshd_config file"
-  cat > ${SYSCONFDIR}/sshd_config << EOF
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
-# default value.
-
-Port $port_number
-#Protocol 2,1
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# HostKey for protocol version 1
-#HostKey ${SYSCONFDIR}/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
-#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-#obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin yes
-# The following setting overrides permission checks on host key files
-# and directories. For security reasons set this to "yes" when running
-# NT/W2K, NTFS and CYGWIN=ntsec.
-StrictModes no
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile     .ssh/authorized_keys
-
-# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#KeepAlive yes
-#UseLogin no
-UsePrivilegeSeparation $privsep_used
-#PermitUserEnvironment no
-#Compression yes
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem      sftp    /usr/sbin/sftp-server
-EOF
-elif [ "$privsep_configured" != "yes" ]
+  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+          s/^#Port 22/Port ${port_number}/
+          s/^#StrictModes yes/StrictModes no/" \
+      < ${SYSCONFDIR}/defaults/etc/sshd_config \
+      > ${SYSCONFDIR}/sshd_config
+elif [ "${privsep_configured}" != "yes" ]
 then
   echo >> ${SYSCONFDIR}/sshd_config
-  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
+  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
 fi
 
 # Care for services file
 _my_etcdir="/ssh-host-config.$$"
-if [ $_nt -gt 0 ]
+if [ ${_nt} -gt 0 ]
 then
   _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
   _services="${_my_etcdir}/services"
+  # On NT, 27 spaces, no space after the hash
+  _spaces="                           #"
 else
   _win_etcdir="${WINDIR}"
   _services="${_my_etcdir}/SERVICES"
+  # On 9x, 18 spaces (95 is very touchy), a space after the hash
+  _spaces="                  # "
 fi
 _serv_tmp="${_my_etcdir}/srv.out.$$"
 
@@ -494,29 +344,28 @@ then
     then
       echo "Removing sshd from ${_wservices}"
     else
-      echo "Removing sshd from ${_wservices} failed\!"
+      echo "Removing sshd from ${_wservices} failed!"
     fi 
     rm -f "${_serv_tmp}"
   else
-    echo "Removing sshd from ${_wservices} failed\!"
+    echo "Removing sshd from ${_wservices} failed!"
   fi
 fi
 
 # Add ssh 22/tcp  and ssh 22/udp to services
 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
 then
-  awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp                           #SSH Remote Login Protocol\nssh                22/udp                           #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
-  if [ -f "${_serv_tmp}" ]
+  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
   then
     if mv "${_serv_tmp}" "${_services}"
     then
       echo "Added ssh to ${_wservices}"
     else
-      echo "Adding ssh to ${_wservices} failed\!"
+      echo "Adding ssh to ${_wservices} failed!"
     fi
     rm -f "${_serv_tmp}"
   else
-    echo "Adding ssh to ${_wservices} failed\!"
+    echo "WARNING: Adding ssh to ${_wservices} failed!"
   fi
 fi
 
@@ -541,11 +390,11 @@ then
       then
         echo "Removed sshd from ${_inetcnf}"
       else
-        echo "Removing sshd from ${_inetcnf} failed\!"
+        echo "Removing sshd from ${_inetcnf} failed!"
       fi
       rm -f "${_inetcnf_tmp}"
     else
-      echo "Removing sshd from ${_inetcnf} failed\!"
+      echo "Removing sshd from ${_inetcnf} failed!"
     fi
   fi
 
@@ -563,34 +412,181 @@ then
 fi
 
 # On NT ask if sshd should be installed as service
-if [ $_nt -gt 0 ]
+if [ ${_nt} -gt 0 ]
 then
-  echo
-  echo "Do you want to install sshd as service?"
-  if request "(Say \"no\" if it's already installed as service)"
+  # But only if it is not already installed
+  if ! cygrunsrv -Q sshd > /dev/null 2>&1
   then
     echo
-    echo "Which value should the environment variable CYGWIN have when"
-    echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
-    echo "able to change user context without password."
-    echo -n "Default is \"binmode ntsec tty\".  CYGWIN="
-    read _cygwin
-    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
-    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+    echo
+    echo "Warning: The following functions require administrator privileges!"
+    echo
+    echo "Do you want to install sshd as service?"
+    if request "(Say \"no\" if it's already installed as service)"
     then
-      chown system ${SYSCONFDIR}/ssh*
-      echo
-      echo "The service has been installed under LocalSystem account."
+      if [ $_nt2003 -gt 0 ]
+      then
+        grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
+        if [ "${sshd_server_in_passwd}" = "yes" ]
+        then
+          # Drop sshd_server from passwd since it could have wrong settings
+          grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
+          rm -f ${SYSCONFDIR}/passwd
+          mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
+          chmod g-w,o-w ${SYSCONFDIR}/passwd
+        fi
+        net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
+        if [ "${sshd_server_in_sam}" != "yes" ]
+        then
+          echo
+          echo "You appear to be running Windows 2003 Server or later.  On 2003 and"
+          echo "later systems, it's not possible to use the LocalSystem account"
+          echo "if sshd should allow passwordless logon (e. g. public key authentication)."
+          echo "If you want to enable that functionality, it's required to create a new"
+          echo "account 'sshd_server' with special privileges, which is then used to run"
+          echo "the sshd service under."
+          echo
+          echo "Should this script create a new local account 'sshd_server' which has"
+          if request "the required privileges?"
+          then
+            _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
+            if [ -z "${_admingroup}" ]
+            then
+              echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
+              echo "your ${SYSCONFDIR}/group file.  Please regenerate this entry using 'mkgroup -l'"
+              echo "and restart this script."
+              exit 1
+            fi
+            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+            while [ "${sshd_server_in_sam}" != "yes" ]
+            do
+              if [ -n "${password_value}" ]
+              then
+                _password="${password_value}"
+                # Allow to ask for password if first try fails
+                password_value=""
+              else
+                echo
+                echo "Please enter a password for new user 'sshd_server'.  Please be sure that"
+                echo "this password matches the password rules given on your system."
+                echo -n "Entering no password will exit the configuration.  PASSWORD="
+                read -e _password
+                if [ -z "${_password}" ]
+                then
+                  echo
+                  echo "Exiting configuration.  No user sshd_server has been created,"
+                  echo "no sshd service installed."
+                  exit 1
+                fi
+              fi
+              net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
+              if [ "${sshd_server_in_sam}" != "yes" ]
+              then
+                echo "Creating the user 'sshd_server' failed!  Reason:"
+                cat /tmp/nu.$$
+                rm /tmp/nu.$$
+              fi
+            done
+            net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
+            if [ "${sshd_server_in_admingroup}" != "yes" ]
+            then
+              echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
+              echo "Please add sshd_server to local group ${_admingroup} before"
+              echo "starting the sshd service!"
+              echo
+            fi
+            passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
+            if [ "${passwd_has_expiry_flags}" != "yes" ]
+            then
+              echo
+              echo "WARNING: User sshd_server has password expiry set to system default."
+              echo "Please check that password never expires or set it to your needs."
+            elif ! passwd -e sshd_server
+            then
+              echo
+              echo "WARNING: Setting password expiry for user sshd_server failed!"
+              echo "Please check that password never expires or set it to your needs."
+            fi
+            editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
+            editrights -a SeCreateTokenPrivilege -u sshd_server &&
+            editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
+            editrights -a SeDenyNetworkLogonRight -u sshd_server &&
+            editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
+            editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
+            editrights -a SeServiceLogonRight -u sshd_server &&
+            sshd_server_got_all_rights="yes"
+            if [ "${sshd_server_got_all_rights}" != "yes" ]
+            then
+              echo
+              echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
+              echo "Can't create sshd service!"
+              exit 1
+            fi
+            echo
+            echo "User 'sshd_server' has been created with password '${_password}'."
+            echo "If you change the password, please keep in mind to change the password"
+            echo "for the sshd service, too."
+            echo
+            echo "Also keep in mind that the user sshd_server needs read permissions on all"
+            echo "users' .ssh/authorized_keys file to allow public key authentication for"
+            echo "these users!.  (Re-)running ssh-user-config for each user will set the"
+            echo "required permissions correctly."
+            echo
+          fi
+        fi
+        if [ "${sshd_server_in_sam}" = "yes" ]
+        then
+          mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+        fi
+      fi
+      if [ -n "${cygwin_value}" ]
+      then
+        _cygwin="${cygwin_value}"
+      else
+        echo
+        echo "Which value should the environment variable CYGWIN have when"
+        echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
+        echo "able to change user context without password."
+        echo -n "Default is \"ntsec\".  CYGWIN="
+        read -e _cygwin
+      fi
+      [ -z "${_cygwin}" ] && _cygwin="ntsec"
+      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+      then
+        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
+        then
+          echo
+          echo "The service has been installed under sshd_server account."
+          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+        fi
+      else
+        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+        then
+          echo
+          echo "The service has been installed under LocalSystem account."
+          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+        fi
+      fi
+    fi
+    # Now check if sshd has been successfully installed.  This allows to
+    # set the ownership of the affected files correctly.
+    if cygrunsrv -Q sshd > /dev/null 2>&1
+    then
+      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+      then
+        _user="sshd_server"
+      else
+        _user="system"
+      fi
+      chown "${_user}" ${SYSCONFDIR}/ssh*
+      chown "${_user}".544 ${LOCALSTATEDIR}/empty
+      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+      then
+        chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
+      fi
     fi
   fi
 fi
 
-if [ "${old_install}" = "1" ]
-then
-  echo
-  echo "Note: If you have used sshd as service or from inetd, don't forget to"
-  echo "      change the path to sshd.exe in the service entry or in inetd.conf."
-fi
-
 echo
 echo "Host configuration finished. Have fun!"