summaryrefslogtreecommitdiff
path: root/contrib/cygwin/ssh-host-config
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2011-02-21 21:41:29 +1100
committerDarren Tucker <dtucker@zip.com.au>2011-02-21 21:41:29 +1100
commite541aaaf0f544fca9aeedff5941f5103b8e49a5c (patch)
tree886b60b1c0e69a0fe88aa24754db0fa19ca1a513 /contrib/cygwin/ssh-host-config
parent0588beba3987853d02b849e92a243ec0a38aa4fb (diff)
- (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of the
Cygwin-specific service installer script ssh-host-config. The actual functionality is the same, the revisited version is just more exact when it comes to check for problems which disallow to run certain aspects of the script. So, part of this script and the also rearranged service helper script library "csih" is to check if all the tools required to run the script are available on the system. The new script also is more thorough to inform the user why the script failed. Patch from vinschen at redhat com.
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config540
1 files changed, 365 insertions, 175 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 0af6907dc..3ac39a621 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
1#!/bin/bash 1#!/bin/bash
2# 2#
3# ssh-host-config, Copyright 2000-2009 Red Hat Inc. 3# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6# 6#
@@ -19,12 +19,39 @@
19# ====================================================================== 19# ======================================================================
20# Initialization 20# Initialization
21# ====================================================================== 21# ======================================================================
22PROGNAME=$(basename $0)
23_tdir=$(dirname $0)
24PROGDIR=$(cd $_tdir && pwd)
25 22
26CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
27 24
25# List of apps used. This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29 /usr/bin/basename coreutils
30 /usr/bin/cat coreutils
31 /usr/bin/chmod coreutils
32 /usr/bin/dirname coreutils
33 /usr/bin/id coreutils
34 /usr/bin/mv coreutils
35 /usr/bin/rm coreutils
36 /usr/bin/cygpath cygwin
37 /usr/bin/mount cygwin
38 /usr/bin/ps cygwin
39 /usr/bin/setfacl cygwin
40 /usr/bin/umount cygwin
41 /usr/bin/cmp diffutils
42 /usr/bin/grep grep
43 /usr/bin/awk gawk
44 /usr/bin/ssh-keygen openssh
45 /usr/sbin/sshd openssh
46 /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
28# Subdirectory where the new package is being installed 55# Subdirectory where the new package is being installed
29PREFIX=/usr 56PREFIX=/usr
30 57
@@ -32,8 +59,6 @@ PREFIX=/usr
32SYSCONFDIR=/etc 59SYSCONFDIR=/etc
33LOCALSTATEDIR=/var 60LOCALSTATEDIR=/var
34 61
35source ${CSIH_SCRIPT}
36
37port_number=22 62port_number=22
38privsep_configured=no 63privsep_configured=no
39privsep_used=yes 64privsep_used=yes
@@ -46,29 +71,48 @@ opt_force=no
46# Routine: create_host_keys 71# Routine: create_host_keys
47# ====================================================================== 72# ======================================================================
48create_host_keys() { 73create_host_keys() {
74 local ret=0
75
49 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 76 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
50 then 77 then
51 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 78 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
52 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 79 if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
80 then
81 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
82 let ++ret
83 fi
53 fi 84 fi
54 85
55 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 86 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
56 then 87 then
57 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 88 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
58 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 89 if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
90 then
91 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
92 let ++ret
93 fi
59 fi 94 fi
60 95
61 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 96 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
62 then 97 then
63 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 98 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
64 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null 99 if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
100 then
101 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
102 let ++ret
103 fi
65 fi 104 fi
66 105
67 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] 106 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
68 then 107 then
69 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" 108 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
70 ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null 109 if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
110 then
111 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
112 let ++ret
113 fi
71 fi 114 fi
115 return $ret
72} # --- End of create_host_keys --- # 116} # --- End of create_host_keys --- #
73 117
74# ====================================================================== 118# ======================================================================
@@ -81,61 +125,58 @@ update_services_file() {
81 local _spaces 125 local _spaces
82 local _serv_tmp 126 local _serv_tmp
83 local _wservices 127 local _wservices
128 local ret=0
84 129
85 if csih_is_nt 130 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
86 then 131 _services="${_my_etcdir}/services"
87 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 132 _spaces=" #"
88 _services="${_my_etcdir}/services"
89 # On NT, 27 spaces, no space after the hash
90 _spaces=" #"
91 else
92 _win_etcdir="${WINDIR}"
93 _services="${_my_etcdir}/SERVICES"
94 # On 9x, 18 spaces (95 is very touchy), a space after the hash
95 _spaces=" # "
96 fi
97 _serv_tmp="${_my_etcdir}/srv.out.$$" 133 _serv_tmp="${_my_etcdir}/srv.out.$$"
98 134
99 mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 135 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
100 136
101 # Depends on the above mount 137 # Depends on the above mount
102 _wservices=`cygpath -w "${_services}"` 138 _wservices=`cygpath -w "${_services}"`
103 139
104 # Remove sshd 22/port from services 140 # Remove sshd 22/port from services
105 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 141 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
106 then 142 then
107 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" 143 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
108 if [ -f "${_serv_tmp}" ] 144 if [ -f "${_serv_tmp}" ]
109 then 145 then
110 if mv "${_serv_tmp}" "${_services}" 146 if /usr/bin/mv "${_serv_tmp}" "${_services}"
111 then 147 then
112 csih_inform "Removing sshd from ${_wservices}" 148 csih_inform "Removing sshd from ${_wservices}"
113 else 149 else
114 csih_warning "Removing sshd from ${_wservices} failed!" 150 csih_warning "Removing sshd from ${_wservices} failed!"
151 let ++ret
115 fi 152 fi
116 rm -f "${_serv_tmp}" 153 /usr/bin/rm -f "${_serv_tmp}"
117 else 154 else
118 csih_warning "Removing sshd from ${_wservices} failed!" 155 csih_warning "Removing sshd from ${_wservices} failed!"
156 let ++ret
119 fi 157 fi
120 fi 158 fi
121 159
122 # Add ssh 22/tcp and ssh 22/udp to services 160 # Add ssh 22/tcp and ssh 22/udp to services
123 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 161 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
124 then 162 then
125 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 163 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
126 then 164 then
127 if mv "${_serv_tmp}" "${_services}" 165 if /usr/bin/mv "${_serv_tmp}" "${_services}"
128 then 166 then
129 csih_inform "Added ssh to ${_wservices}" 167 csih_inform "Added ssh to ${_wservices}"
130 else 168 else
131 csih_warning "Adding ssh to ${_wservices} failed!" 169 csih_warning "Adding ssh to ${_wservices} failed!"
170 let ++ret
132 fi 171 fi
133 rm -f "${_serv_tmp}" 172 /usr/bin/rm -f "${_serv_tmp}"
134 else 173 else
135 csih_warning "Adding ssh to ${_wservices} failed!" 174 csih_warning "Adding ssh to ${_wservices} failed!"
175 let ++ret
136 fi 176 fi
137 fi 177 fi
138 umount "${_my_etcdir}" 178 /usr/bin/umount "${_my_etcdir}"
179 return $ret
139} # --- End of update_services_file --- # 180} # --- End of update_services_file --- #
140 181
141# ====================================================================== 182# ======================================================================
@@ -144,51 +185,57 @@ update_services_file() {
144# ====================================================================== 185# ======================================================================
145sshd_privsep() { 186sshd_privsep() {
146 local sshdconfig_tmp 187 local sshdconfig_tmp
188 local ret=0
147 189
148 if [ "${privsep_configured}" != "yes" ] 190 if [ "${privsep_configured}" != "yes" ]
149 then 191 then
150 if csih_is_nt 192 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
193 csih_inform "However, this requires a non-privileged account called 'sshd'."
194 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
195 if csih_request "Should privilege separation be used?"
151 then 196 then
152 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 197 privsep_used=yes
153 csih_inform "However, this requires a non-privileged account called 'sshd'." 198 if ! csih_create_unprivileged_user sshd
154 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
155 if csih_request "Should privilege separation be used?"
156 then 199 then
157 privsep_used=yes 200 csih_error_recoverable "Couldn't create user 'sshd'!"
158 if ! csih_create_unprivileged_user sshd 201 csih_error_recoverable "Privilege separation set to 'no' again!"
159 then 202 csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
160 csih_warning "Couldn't create user 'sshd'!" 203 let ++ret
161 csih_warning "Privilege separation set to 'no' again!"
162 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
163 privsep_used=no
164 fi
165 else
166 privsep_used=no 204 privsep_used=no
167 fi 205 fi
168 else 206 else
169 # On 9x don't use privilege separation. Since security isn't
170 # available it just adds useless additional processes.
171 privsep_used=no 207 privsep_used=no
172 fi 208 fi
173 fi 209 fi
174 210
175 # Create default sshd_config from skeleton files in /etc/defaults/etc or 211 # Create default sshd_config from skeleton files in /etc/defaults/etc or
176 # modify to add the missing privsep configuration option 212 # modify to add the missing privsep configuration option
177 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 213 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
178 then 214 then
179 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 215 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
180 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 216 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
181 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 217 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
182 s/^#Port 22/Port ${port_number}/ 218 s/^#Port 22/Port ${port_number}/
183 s/^#StrictModes yes/StrictModes no/" \ 219 s/^#StrictModes yes/StrictModes no/" \
184 < ${SYSCONFDIR}/sshd_config \ 220 < ${SYSCONFDIR}/sshd_config \
185 > "${sshdconfig_tmp}" 221 > "${sshdconfig_tmp}"
186 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 222 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
223 then
224 csih_warning "Setting privilege separation to 'yes' failed!"
225 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
226 let ++ret
227 fi
187 elif [ "${privsep_configured}" != "yes" ] 228 elif [ "${privsep_configured}" != "yes" ]
188 then 229 then
189 echo >> ${SYSCONFDIR}/sshd_config 230 echo >> ${SYSCONFDIR}/sshd_config
190 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 231 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
232 then
233 csih_warning "Setting privilege separation to 'yes' failed!"
234 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
235 let ++ret
236 fi
191 fi 237 fi
238 return $ret
192} # --- End of sshd_privsep --- # 239} # --- End of sshd_privsep --- #
193 240
194# ====================================================================== 241# ======================================================================
@@ -201,72 +248,82 @@ update_inetd_conf() {
201 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 248 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
202 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 249 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
203 local _with_comment=1 250 local _with_comment=1
251 local ret=0
204 252
205 if [ -d "${_inetcnf_dir}" ] 253 if [ -d "${_inetcnf_dir}" ]
206 then 254 then
207 # we have inetutils-1.5 inetd.d support 255 # we have inetutils-1.5 inetd.d support
208 if [ -f "${_inetcnf}" ] 256 if [ -f "${_inetcnf}" ]
209 then 257 then
210 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 258 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
211 259
212 # check for sshd OR ssh in top-level inetd.conf file, and remove 260 # check for sshd OR ssh in top-level inetd.conf file, and remove
213 # will be replaced by a file in inetd.d/ 261 # will be replaced by a file in inetd.d/
214 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 262 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
215 then 263 then
216 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 264 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
217 if [ -f "${_inetcnf_tmp}" ] 265 if [ -f "${_inetcnf_tmp}" ]
218 then 266 then
219 if mv "${_inetcnf_tmp}" "${_inetcnf}" 267 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
220 then 268 then
221 csih_inform "Removed ssh[d] from ${_inetcnf}" 269 csih_inform "Removed ssh[d] from ${_inetcnf}"
222 else 270 else
223 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 271 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
272 let ++ret
224 fi 273 fi
225 rm -f "${_inetcnf_tmp}" 274 /usr/bin/rm -f "${_inetcnf_tmp}"
226 else 275 else
227 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 276 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
277 let ++ret
228 fi 278 fi
229 fi 279 fi
230 fi 280 fi
231 281
232 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 282 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
233 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 283 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
234 then 284 then
235 if [ "${_with_comment}" -eq 0 ] 285 if [ "${_with_comment}" -eq 0 ]
236 then 286 then
237 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 287 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
288 else
289 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
290 fi
291 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
292 then
293 csih_inform "Updated ${_sshd_inetd_conf}"
238 else 294 else
239 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 295 csih_warning "Updating ${_sshd_inetd_conf} failed!"
296 let ++ret
240 fi 297 fi
241 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
242 csih_inform "Updated ${_sshd_inetd_conf}"
243 fi 298 fi
244 299
245 elif [ -f "${_inetcnf}" ] 300 elif [ -f "${_inetcnf}" ]
246 then 301 then
247 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 302 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
248 303
249 # check for sshd in top-level inetd.conf file, and remove 304 # check for sshd in top-level inetd.conf file, and remove
250 # will be replaced by a file in inetd.d/ 305 # will be replaced by a file in inetd.d/
251 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 306 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
252 then 307 then
253 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 308 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
254 if [ -f "${_inetcnf_tmp}" ] 309 if [ -f "${_inetcnf_tmp}" ]
255 then 310 then
256 if mv "${_inetcnf_tmp}" "${_inetcnf}" 311 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
257 then 312 then
258 csih_inform "Removed sshd from ${_inetcnf}" 313 csih_inform "Removed sshd from ${_inetcnf}"
259 else 314 else
260 csih_warning "Removing sshd from ${_inetcnf} failed!" 315 csih_warning "Removing sshd from ${_inetcnf} failed!"
316 let ++ret
261 fi 317 fi
262 rm -f "${_inetcnf_tmp}" 318 /usr/bin/rm -f "${_inetcnf_tmp}"
263 else 319 else
264 csih_warning "Removing sshd from ${_inetcnf} failed!" 320 csih_warning "Removing sshd from ${_inetcnf} failed!"
321 let ++ret
265 fi 322 fi
266 fi 323 fi
267 324
268 # Add ssh line to inetd.conf 325 # Add ssh line to inetd.conf
269 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 326 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
270 then 327 then
271 if [ "${_with_comment}" -eq 0 ] 328 if [ "${_with_comment}" -eq 0 ]
272 then 329 then
@@ -274,115 +331,186 @@ update_inetd_conf() {
274 else 331 else
275 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 332 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
276 fi 333 fi
277 csih_inform "Added ssh to ${_inetcnf}" 334 if [ $? -eq 0 ]
335 then
336 csih_inform "Added ssh to ${_inetcnf}"
337 else
338 csih_warning "Adding ssh to ${_inetcnf} failed!"
339 let ++ret
340 fi
278 fi 341 fi
279 fi 342 fi
343 return $ret
280} # --- End of update_inetd_conf --- # 344} # --- End of update_inetd_conf --- #
281 345
282# ====================================================================== 346# ======================================================================
347# Routine: check_service_files_ownership
348# Checks that the files in /etc and /var belong to the right owner
349# ======================================================================
350check_service_files_ownership() {
351 local run_service_as=$1
352 local ret=0
353
354 if [ -z "${run_service_as}" ]
355 then
356 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
357 if [ "${accnt_name}" = "LocalSystem" ]
358 then
359 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
360 accnt_name="SYSTEM:"
361 elif [[ "${accnt_name}" =~ ^\.\\ ]]
362 then
363 # Convert "." domain to local machine name
364 accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
365 fi
366 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
367 if [ -z "${run_service_as}" ]
368 then
369 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
370 csih_warning "As a result, this script cannot make sure that the files used"
371 csih_warning "by the sshd service belong to the user running the service."
372 csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
373 csih_warning "file is in a good shape."
374 return 1
375 fi
376 fi
377 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
378 do
379 if [ -f "$i" ]
380 then
381 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
382 then
383 csih_warning "Couldn't change owner of $i!"
384 let ++ret
385 fi
386 fi
387 done
388 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
389 then
390 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
391 let ++ret
392 fi
393 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
394 then
395 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
396 let ++ret
397 fi
398 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
399 then
400 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
401 then
402 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
403 let ++ret
404 fi
405 fi
406 if [ $ret -ne 0 ]
407 then
408 csih_warning "Couldn't change owner of important files to ${run_service_as}!"
409 csih_warning "This may cause the sshd service to fail! Please make sure that"
410 csih_warning "you have suufficient permissions to change the ownership of files"
411 csih_warning "and try to run the ssh-host-config script again."
412 fi
413 return $ret
414} # --- End of check_service_files_ownership --- #
415
416# ======================================================================
283# Routine: install_service 417# Routine: install_service
284# Install sshd as a service 418# Install sshd as a service
285# ====================================================================== 419# ======================================================================
286install_service() { 420install_service() {
287 local run_service_as 421 local run_service_as
288 local password 422 local password
423 local ret=0
289 424
290 if csih_is_nt 425 echo
426 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
291 then 427 then
292 if ! cygrunsrv -Q sshd >/dev/null 2>&1 428 csih_inform "Sshd service is already installed."
429 check_service_files_ownership "" || let ret+=$?
430 else
431 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
432 if csih_request "(Say \"no\" if it is already installed as a service)"
293 then 433 then
294 echo 434 csih_get_cygenv "${cygwin_value}"
295 echo
296 csih_warning "The following functions require administrator privileges!"
297 echo
298 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
299 if csih_request "(Say \"no\" if it is already installed as a service)"
300 then
301 csih_get_cygenv "${cygwin_value}"
302 435
303 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 436 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
304 then 437 then
305 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 438 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
306 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 439 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
307 csih_inform "sshd requires. You need to have or to create a privileged" 440 csih_inform "sshd requires. You need to have or to create a privileged"
308 csih_inform "account. This script will help you do so." 441 csih_inform "account. This script will help you do so."
309 echo 442 echo
310 443
311 [ "${opt_force}" = "yes" ] && opt_f=-f 444 [ "${opt_force}" = "yes" ] && opt_f=-f
312 [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 445 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
313 csih_select_privileged_username ${opt_f} ${opt_u} sshd 446 csih_select_privileged_username ${opt_f} ${opt_u} sshd
314 447
315 if ! csih_create_privileged_user "${password_value}" 448 if ! csih_create_privileged_user "${password_value}"
316 then 449 then
317 csih_error_recoverable "There was a serious problem creating a privileged user." 450 csih_error_recoverable "There was a serious problem creating a privileged user."
318 csih_request "Do you want to proceed anyway?" || exit 1 451 csih_request "Do you want to proceed anyway?" || exit 1
319 fi 452 let ++ret
320 fi 453 fi
454 fi
321 455
322 # never returns empty if NT or above 456 # Never returns empty if NT or above
323 run_service_as=$(csih_service_should_run_as) 457 run_service_as=$(csih_service_should_run_as)
324 458
325 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 459 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
460 then
461 password="${csih_PRIVILEGED_PASSWORD}"
462 if [ -z "${password}" ]
326 then 463 then
327 password="${csih_PRIVILEGED_PASSWORD}" 464 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
328 if [ -z "${password}" ] 465 password="${csih_value}"
329 then
330 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
331 password="${csih_value}"
332 fi
333 fi 466 fi
467 fi
334 468
335 # at this point, we either have $run_service_as = "system" and $password is empty, 469 # At this point, we either have $run_service_as = "system" and
336 # or $run_service_as is some privileged user and (hopefully) $password contains 470 # $password is empty, or $run_service_as is some privileged user and
337 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 471 # (hopefully) $password contains the correct password. So, from here
338 # the two cases. 472 # out, we use '-z "${password}"' to discriminate the two cases.
339 473
340 csih_check_user "${run_service_as}" 474 csih_check_user "${run_service_as}"
341 475
342 if [ -n "${csih_cygenv}" ] 476 if [ -n "${csih_cygenv}" ]
477 then
478 cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
479 fi
480 if [ -z "${password}" ]
481 then
482 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
483 -a "-D" -y tcpip "${cygwin_env[@]}"
343 then 484 then
344 cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 485 echo
486 csih_inform "The sshd service has been installed under the LocalSystem"
487 csih_inform "account (also known as SYSTEM). To start the service now, call"
488 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
489 csih_inform "will start automatically after the next reboot."
345 fi 490 fi
346 if [ -z "${password}" ] 491 else
492 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
493 -a "-D" -y tcpip "${cygwin_env[@]}" \
494 -u "${run_service_as}" -w "${password}"
347 then 495 then
348 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ 496 echo
349 -a "-D" -y tcpip "${cygwin_env[@]}" 497 csih_inform "The sshd service has been installed under the '${run_service_as}'"
350 then 498 csih_inform "account. To start the service now, call \`net start sshd' or"
351 echo 499 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
352 csih_inform "The sshd service has been installed under the LocalSystem" 500 csih_inform "after the next reboot."
353 csih_inform "account (also known as SYSTEM). To start the service now, call"
354 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
355 csih_inform "will start automatically after the next reboot."
356 fi
357 else
358 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
359 -a "-D" -y tcpip "${cygwin_env[@]}" \
360 -u "${run_service_as}" -w "${password}"
361 then
362 echo
363 csih_inform "The sshd service has been installed under the '${run_service_as}'"
364 csih_inform "account. To start the service now, call \`net start sshd' or"
365 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
366 csih_inform "after the next reboot."
367 fi
368 fi 501 fi
502 fi
369 503
370 # now, if successfully installed, set ownership of the affected files 504 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
371 if cygrunsrv -Q sshd >/dev/null 2>&1 505 then
372 then 506 check_service_files_ownership "${run_service_as}" || let ret+=$?
373 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 507 else
374 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 508 csih_error_recoverable "Installing sshd as a service failed!"
375 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 509 let ++ret
376 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 510 fi
377 then 511 fi # user allowed us to install as service
378 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 512 fi # service not yet installed
379 fi 513 return $ret
380 else
381 csih_warning "Something went wrong installing the sshd service."
382 fi
383 fi # user allowed us to install as service
384 fi # service not yet installed
385 fi # csih_is_nt
386} # --- End of install_service --- # 514} # --- End of install_service --- #
387 515
388# ====================================================================== 516# ======================================================================
@@ -494,21 +622,71 @@ done
494 622
495# Check for running ssh/sshd processes first. Refuse to do anything while 623# Check for running ssh/sshd processes first. Refuse to do anything while
496# some ssh processes are still running 624# some ssh processes are still running
497if ps -ef | grep -q '/sshd\?$' 625if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
498then 626then
499 echo 627 echo
500 csih_error "There are still ssh processes running. Please shut them down first." 628 csih_error "There are still ssh processes running. Please shut them down first."
501fi 629fi
502 630
631# Make sure the user is running in an administrative context
632admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
633if [ "${admin}" != "yes" ]
634then
635 echo
636 csih_warning "Running this script typically requires administrator privileges!"
637 csih_warning "However, it seems your account does not have these privileges."
638 csih_warning "Here's the list of groups in your user token:"
639 echo
640 for i in $(/usr/bin/id -G)
641 do
642 /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
643 done
644 echo
645 csih_warning "This usually means you're running this script from a non-admin"
646 csih_warning "desktop session, or in a non-elevated shell under UAC control."
647 echo
648 csih_warning "Make sure you have the appropriate privileges right now,"
649 csih_warning "otherwise parts of this script will probably fail!"
650 echo
651 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
652 if ! csih_request "you have the required privileges)"
653 then
654 echo
655 csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
656 csih_inform "or to start this script from an elevated shell."
657 exit 1
658 fi
659fi
660
661echo
662
663warning_cnt=0
664
503# Check for ${SYSCONFDIR} directory 665# Check for ${SYSCONFDIR} directory
504csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." 666csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
505chmod 775 "${SYSCONFDIR}" 667if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
506setfacl -m u:system:rwx "${SYSCONFDIR}" 668then
669 csih_warning "Can't set permissions on ${SYSCONFDIR}!"
670 let ++warning_cnt
671fi
672if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
673then
674 csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
675 let ++warning_cnt
676fi
507 677
508# Check for /var/log directory 678# Check for /var/log directory
509csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." 679csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
510chmod 775 "${LOCALSTATEDIR}/log" 680if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
511setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" 681then
682 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
683 let ++warning_cnt
684fi
685if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
686then
687 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
688 let ++warning_cnt
689fi
512 690
513# Create /var/log/lastlog if not already exists 691# Create /var/log/lastlog if not already exists
514if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 692if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
@@ -519,26 +697,33 @@ then
519fi 697fi
520if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 698if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
521then 699then
522 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog 700 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
523 chmod 644 ${LOCALSTATEDIR}/log/lastlog 701 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
702 then
703 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
704 let ++warning_cnt
705 fi
524fi 706fi
525 707
526# Create /var/empty file used as chroot jail for privilege separation 708# Create /var/empty file used as chroot jail for privilege separation
527csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." 709csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
528chmod 755 "${LOCALSTATEDIR}/empty" 710if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
529setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" 711then
712 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
713 let ++warning_cnt
714fi
715if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
716then
717 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
718 let ++warning_cnt
719fi
530 720
531# host keys 721# host keys
532create_host_keys 722create_host_keys || let warning_cnt+=$?
533
534# use 'cmp' program to determine if a config file is identical
535# to the default version of that config file
536csih_check_program_or_error cmp diffutils
537
538 723
539# handle ssh_config 724# handle ssh_config
540csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" 725csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
541if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 726if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
542then 727then
543 if [ "${port_number}" != "22" ] 728 if [ "${port_number}" != "22" ]
544 then 729 then
@@ -549,19 +734,24 @@ then
549fi 734fi
550 735
551# handle sshd_config (and privsep) 736# handle sshd_config (and privsep)
552csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" 737csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
553if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 738if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
554then 739then
555 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 740 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
556fi 741fi
557sshd_privsep 742sshd_privsep || let warning_cnt+=$?
558
559 743
560 744update_services_file || let warning_cnt+=$?
561update_services_file 745update_inetd_conf || let warning_cnt+=$?
562update_inetd_conf 746install_service || let warning_cnt+=$?
563install_service
564 747
565echo 748echo
566csih_inform "Host configuration finished. Have fun!" 749if [ $warning_cnt -eq 0 ]
567 750then
751 csih_inform "Host configuration finished. Have fun!"
752else
753 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
754 csih_warning "Make sure that all problems reported are fixed,"
755 csih_warning "then re-run ssh-host-config."
756fi
757exit $warning_cnt