summaryrefslogtreecommitdiff
path: root/contrib/cygwin/ssh-host-config
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2008-07-22 19:45:18 +0000
committerColin Watson <cjwatson@debian.org>2008-07-22 19:45:18 +0000
commit137d76ba65883aa8143af1fcad83b57e7badef0c (patch)
treef426e804bb5248ceafedfab7bb78ae6e6752942c /contrib/cygwin/ssh-host-config
parentdac7d049dad31f5f84d421d4eb628a7e13f977d7 (diff)
parentef94e5613d37bcbf880f21ee6094e4b1c7683a4c (diff)
* New upstream release (closes: #474301). Important changes not previously
backported to 4.7p1: - 4.9/4.9p1 (http://www.openssh.com/txt/release-4.9): + Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory" (closes: #139047, LP: #24777). + Linked sftp-server(8) into sshd(8). The internal sftp server is used when the command "internal-sftp" is specified in a Subsystem or ForceCommand declaration. When used with ChrootDirectory, the internal sftp server requires no special configuration of files inside the chroot environment. + Added a protocol extension method "posix-rename@openssh.com" for sftp-server(8) to perform POSIX atomic rename() operations; sftp(1) prefers this if available (closes: #308561). + Removed the fixed limit of 100 file handles in sftp-server(8). + ssh(8) will now skip generation of SSH protocol 1 ephemeral server keys when in inetd mode and protocol 2 connections are negotiated. This speeds up protocol 2 connections to inetd-mode servers that also allow Protocol 1. + Accept the PermitRootLogin directive in a sshd_config(5) Match block. Allows for, e.g. permitting root only from the local network. + Reworked sftp(1) argument splitting and escaping to be more internally consistent (i.e. between sftp commands) and more consistent with sh(1). Please note that this will change the interpretation of some quoted strings, especially those with embedded backslash escape sequences. + Support "Banner=none" in sshd_config(5) to disable sending of a pre-login banner (e.g. in a Match block). + ssh(1) ProxyCommands are now executed with $SHELL rather than /bin/sh. + ssh(1)'s ConnectTimeout option is now applied to both the TCP connection and the SSH banner exchange (previously it just covered the TCP connection). This allows callers of ssh(1) to better detect and deal with stuck servers that accept a TCP connection but don't progress the protocol, and also makes ConnectTimeout useful for connections via a ProxyCommand. + scp(1) incorrectly reported "stalled" on slow copies (closes: #140828). + scp(1) date underflow for timestamps before epoch. + ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS, instead of the current standard RRSIG. + Correctly drain ACKs when a sftp(1) upload write fails midway, avoids a fatal() exit from what should be a recoverable condition. + Fixed ssh-keygen(1) selective host key hashing (i.e. "ssh-keygen -HF hostname") to not include any IP address in the data to be hashed. + Make ssh(1) skip listening on the IPv6 wildcard address when a binding address of 0.0.0.0 is used against an old SSH server that does not support the RFC4254 syntax for wildcard bind addresses. + Enable IPV6_V6ONLY socket option on sshd(8) listen socket, as is already done for X11/TCP forwarding sockets (closes: #439661). + Fix FD leak that could hang a ssh(1) connection multiplexing master. + Make ssh(1) -q option documentation consistent with reality. + Fixed sshd(8) PAM support not calling pam_session_close(), or failing to call it with root privileges (closes: #372680). + Fix activation of OpenSSL engine support when requested in configure (LP: #119295). - 5.1/5.1p1 (http://www.openssh.com/txt/release-5.1): + Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) and ssh-keygen(1). Visual fingerprint display is controlled by a new ssh_config(5) option "VisualHostKey". The intent is to render SSH host keys in a visual form that is amenable to easy recall and rejection of changed host keys. + sshd_config(5) now supports CIDR address/masklen matching in "Match address" blocks, with a fallback to classic wildcard matching. + sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys from="..." restrictions, also with a fallback to classic wildcard matching. + Added an extended test mode (-T) to sshd(8) to request that it write its effective configuration to stdout and exit. Extended test mode also supports the specification of connection parameters (username, source address and hostname) to test the application of sshd_config(5) Match rules. + ssh(1) now prints the number of bytes transferred and the overall connection throughput for SSH protocol 2 sessions when in verbose mode (previously these statistics were displayed for protocol 1 connections only). + sftp-server(8) now supports extension methods statvfs@openssh.com and fstatvfs@openssh.com that implement statvfs(2)-like operations. + sftp(1) now has a "df" command to the sftp client that uses the statvfs@openssh.com to produce a df(1)-like display of filesystem space and inode utilisation (requires statvfs@openssh.com support on the server). + Added a MaxSessions option to sshd_config(5) to allow control of the number of multiplexed sessions supported over a single TCP connection. This allows increasing the number of allowed sessions above the previous default of 10, disabling connection multiplexing (MaxSessions=1) or disallowing login/shell/subsystem sessions entirely (MaxSessions=0). + Added a no-more-sessions@openssh.com global request extension that is sent from ssh(1) to sshd(8) when the client knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session in cases where the client has been hijacked. + ssh-keygen(1) now supports the use of the -l option in combination with -F to search for a host in ~/.ssh/known_hosts and display its fingerprint. + ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of "rsa1". + Added an AllowAgentForwarding option to sshd_config(8) to control whether authentication agent forwarding is permitted. Note that this is a loose control, as a client may install their own unofficial forwarder. + ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving network data, resulting in a ~10% speedup. + ssh(1) and sshd(8) will now try additional addresses when connecting to a port forward destination whose DNS name resolves to more than one address. The previous behaviour was to try the only first address and give up if that failed. + ssh(1) and sshd(8) now support signalling that channels are half-closed for writing, through a channel protocol extension notification "eow@openssh.com". This allows propagation of closed file descriptors, so that commands such as "ssh -2 localhost od /bin/ls | true" do not send unnecessary data over the wire. + sshd(8): increased the default size of ssh protocol 1 ephemeral keys from 768 to 1024 bits. + When ssh(1) has been requested to fork after authentication ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have been seen. Allows for robust detection of -R forward failure when using -f. + "Match group" blocks in sshd_config(5) now support negation of groups. E.g. "Match group staff,!guests". + sftp(1) and sftp-server(8) now allow chmod-like operations to set set[ug]id/sticky bits. + The MaxAuthTries option is now permitted in sshd_config(5) match blocks. + Multiplexed ssh(1) sessions now support a subset of the ~ escapes that are available to a primary connection. + ssh(1) connection multiplexing will now fall back to creating a new connection in most error cases (closes: #352830). + Make ssh(1) deal more gracefully with channel requests that fail. Previously it would optimistically assume that requests would always succeed, which could cause hangs if they did not (e.g. when the server runs out of file descriptors). + ssh(1) now reports multiplexing errors via the multiplex slave's stderr where possible (subject to LogLevel in the mux master). + Prevent sshd(8) from erroneously applying public key restrictions leaned from ~/.ssh/authorized_keys to other authentication methods when public key authentication subsequently fails (LP: #161047). + Fixed an UMAC alignment problem that manifested on Itanium platforms.
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config898
1 files changed, 408 insertions, 490 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index e2ad69f19..bbb6da4c4 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -4,6 +4,15 @@
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6 6
7# ======================================================================
8# Initialization
9# ======================================================================
10PROGNAME=$(basename $0)
11_tdir=$(dirname $0)
12PROGDIR=$(cd $_tdir && pwd)
13
14CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
15
7# Subdirectory where the new package is being installed 16# Subdirectory where the new package is being installed
8PREFIX=/usr 17PREFIX=/usr
9 18
@@ -11,43 +20,371 @@ PREFIX=/usr
11SYSCONFDIR=/etc 20SYSCONFDIR=/etc
12LOCALSTATEDIR=/var 21LOCALSTATEDIR=/var
13 22
14progname=$0 23source ${CSIH_SCRIPT}
15auto_answer=""
16port_number=22
17 24
25port_number=22
18privsep_configured=no 26privsep_configured=no
19privsep_used=yes 27privsep_used=yes
20sshd_in_passwd=no 28cygwin_value="ntsec"
21sshd_in_sam=no 29password_value=
30
31# ======================================================================
32# Routine: create_host_keys
33# ======================================================================
34create_host_keys() {
35 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
36 then
37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
39 fi
40
41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
42 then
43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
45 fi
46
47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
48 then
49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
50 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
51 fi
52} # --- End of create_host_keys --- #
53
54# ======================================================================
55# Routine: update_services_file
56# ======================================================================
57update_services_file() {
58 local _my_etcdir="/ssh-host-config.$$"
59 local _win_etcdir
60 local _services
61 local _spaces
62 local _serv_tmp
63 local _wservices
64
65 if csih_is_nt
66 then
67 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
68 _services="${_my_etcdir}/services"
69 # On NT, 27 spaces, no space after the hash
70 _spaces=" #"
71 else
72 _win_etcdir="${WINDIR}"
73 _services="${_my_etcdir}/SERVICES"
74 # On 9x, 18 spaces (95 is very touchy), a space after the hash
75 _spaces=" # "
76 fi
77 _serv_tmp="${_my_etcdir}/srv.out.$$"
78
79 mount -t -f "${_win_etcdir}" "${_my_etcdir}"
80
81 # Depends on the above mount
82 _wservices=`cygpath -w "${_services}"`
83
84 # Remove sshd 22/port from services
85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
86 then
87 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
88 if [ -f "${_serv_tmp}" ]
89 then
90 if mv "${_serv_tmp}" "${_services}"
91 then
92 csih_inform "Removing sshd from ${_wservices}"
93 else
94 csih_warning "Removing sshd from ${_wservices} failed!"
95 fi
96 rm -f "${_serv_tmp}"
97 else
98 csih_warning "Removing sshd from ${_wservices} failed!"
99 fi
100 fi
101
102 # Add ssh 22/tcp and ssh 22/udp to services
103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
104 then
105 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
106 then
107 if mv "${_serv_tmp}" "${_services}"
108 then
109 csih_inform "Added ssh to ${_wservices}"
110 else
111 csih_warning "Adding ssh to ${_wservices} failed!"
112 fi
113 rm -f "${_serv_tmp}"
114 else
115 csih_warning "Adding ssh to ${_wservices} failed!"
116 fi
117 fi
118 umount "${_my_etcdir}"
119} # --- End of update_services_file --- #
120
121# ======================================================================
122# Routine: sshd_privsep
123# MODIFIES: privsep_configured privsep_used
124# ======================================================================
125sshd_privsep() {
126 local sshdconfig_tmp
22 127
23request() 128 if [ "${privsep_configured}" != "yes" ]
24{ 129 then
25 if [ "${auto_answer}" = "yes" ] 130 if csih_is_nt
131 then
132 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
133 csih_inform "However, this requires a non-privileged account called 'sshd'."
134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
135 if csih_request "Should privilege separation be used?"
136 then
137 privsep_used=yes
138 if ! csih_create_unprivileged_user sshd
139 then
140 csih_warning "Couldn't create user 'sshd'!"
141 csih_warning "Privilege separation set to 'no' again!"
142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
143 privsep_used=no
144 fi
145 else
146 privsep_used=no
147 fi
148 else
149 # On 9x don't use privilege separation. Since security isn't
150 # available it just adds useless additional processes.
151 privsep_used=no
152 fi
153 fi
154
155 # Create default sshd_config from skeleton files in /etc/defaults/etc or
156 # modify to add the missing privsep configuration option
157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
26 then 158 then
27 echo "$1 (yes/no) yes" 159 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
28 return 0 160 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
29 elif [ "${auto_answer}" = "no" ] 161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
162 s/^#Port 22/Port ${port_number}/
163 s/^#StrictModes yes/StrictModes no/" \
164 < ${SYSCONFDIR}/sshd_config \
165 > "${sshdconfig_tmp}"
166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
167 elif [ "${privsep_configured}" != "yes" ]
30 then 168 then
31 echo "$1 (yes/no) no" 169 echo >> ${SYSCONFDIR}/sshd_config
32 return 1 170 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
33 fi 171 fi
172} # --- End of sshd_privsep --- #
173
174# ======================================================================
175# Routine: update_inetd_conf
176# ======================================================================
177update_inetd_conf() {
178 local _inetcnf="${SYSCONFDIR}/inetd.conf"
179 local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
180 local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
181 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
182 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
183 local _with_comment=1
184
185 if [ -d "${_inetcnf_dir}" ]
186 then
187 # we have inetutils-1.5 inetd.d support
188 if [ -f "${_inetcnf}" ]
189 then
190 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
34 191
35 answer="" 192 # check for sshd OR ssh in top-level inetd.conf file, and remove
36 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] 193 # will be replaced by a file in inetd.d/
37 do 194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
38 echo -n "$1 (yes/no) " 195 then
39 read -e answer 196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
40 done 197 if [ -f "${_inetcnf_tmp}" ]
41 if [ "X${answer}" = "Xyes" ] 198 then
199 if mv "${_inetcnf_tmp}" "${_inetcnf}"
200 then
201 csih_inform "Removed ssh[d] from ${_inetcnf}"
202 else
203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
204 fi
205 rm -f "${_inetcnf_tmp}"
206 else
207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
208 fi
209 fi
210 fi
211
212 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
213 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
214 then
215 if [ "${_with_comment}" -eq 0 ]
216 then
217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
218 else
219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
220 fi
221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
222 csih_inform "Updated ${_sshd_inetd_conf}"
223 fi
224
225 elif [ -f "${_inetcnf}" ]
42 then 226 then
43 return 0 227 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
44 else 228
45 return 1 229 # check for sshd in top-level inetd.conf file, and remove
230 # will be replaced by a file in inetd.d/
231 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
232 then
233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
234 if [ -f "${_inetcnf_tmp}" ]
235 then
236 if mv "${_inetcnf_tmp}" "${_inetcnf}"
237 then
238 csih_inform "Removed sshd from ${_inetcnf}"
239 else
240 csih_warning "Removing sshd from ${_inetcnf} failed!"
241 fi
242 rm -f "${_inetcnf_tmp}"
243 else
244 csih_warning "Removing sshd from ${_inetcnf} failed!"
245 fi
246 fi
247
248 # Add ssh line to inetd.conf
249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
250 then
251 if [ "${_with_comment}" -eq 0 ]
252 then
253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
254 else
255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
256 fi
257 csih_inform "Added ssh to ${_inetcnf}"
258 fi
46 fi 259 fi
47} 260} # --- End of update_inetd_conf --- #
48 261
49# Check options 262# ======================================================================
263# Routine: install_service
264# Install sshd as a service
265# ======================================================================
266install_service() {
267 local run_service_as
268 local password
269
270 if csih_is_nt
271 then
272 if ! cygrunsrv -Q sshd >/dev/null 2>&1
273 then
274 echo
275 echo
276 csih_warning "The following functions require administrator privileges!"
277 echo
278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
279 if csih_request "(Say \"no\" if it is already installed as a service)"
280 then
281 csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
282 csih_inform "for sshd to be able to change user context without password."
283 csih_get_cygenv "${cygwin_value}"
284
285 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
286 then
287 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
288 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
289 csih_inform "sshd requires. You need to have or to create a privileged"
290 csih_inform "account. This script will help you do so."
291 echo
292 if ! csih_create_privileged_user "${password_value}"
293 then
294 csih_error_recoverable "There was a serious problem creating a privileged user."
295 csih_request "Do you want to proceed anyway?" || exit 1
296 fi
297 fi
298
299 # never returns empty if NT or above
300 run_service_as=$(csih_service_should_run_as)
301
302 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
303 then
304 password="${csih_PRIVILEGED_PASSWORD}"
305 if [ -z "${password}" ]
306 then
307 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
308 password="${csih_value}"
309 fi
310 fi
311
312 # at this point, we either have $run_service_as = "system" and $password is empty,
313 # or $run_service_as is some privileged user and (hopefully) $password contains
314 # the correct password. So, from here out, we use '-z "${password}"' to discriminate
315 # the two cases.
316
317 csih_check_user "${run_service_as}"
318
319 if [ -z "${password}" ]
320 then
321 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
322 -e CYGWIN="${csih_cygenv}"
323 then
324 echo
325 csih_inform "The sshd service has been installed under the LocalSystem"
326 csih_inform "account (also known as SYSTEM). To start the service now, call"
327 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
328 csih_inform "will start automatically after the next reboot."
329 fi
330 else
331 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
332 -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
333 then
334 echo
335 csih_inform "The sshd service has been installed under the '${run_service_as}'"
336 csih_inform "account. To start the service now, call \`net start sshd' or"
337 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
338 csih_inform "after the next reboot."
339 fi
340 fi
341
342 # now, if successfully installed, set ownership of the affected files
343 if cygrunsrv -Q sshd >/dev/null 2>&1
344 then
345 chown "${run_service_as}" ${SYSCONFDIR}/ssh*
346 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
347 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
348 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
349 then
350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
351 fi
352 else
353 csih_warning "Something went wrong installing the sshd service."
354 fi
355 fi # user allowed us to install as service
356 fi # service not yet installed
357 fi # csih_is_nt
358} # --- End of install_service --- #
359
360# ======================================================================
361# Main Entry Point
362# ======================================================================
363
364# Check how the script has been started. If
365# (1) it has been started by giving the full path and
366# that path is /etc/postinstall, OR
367# (2) Otherwise, if the environment variable
368# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
369# then set auto_answer to "no". This allows automatic
370# creation of the config files in /etc w/o overwriting
371# them if they already exist. In both cases, color
372# escape sequences are suppressed, so as to prevent
373# cluttering setup's logfiles.
374if [ "$PROGDIR" = "/etc/postinstall" ]
375then
376 csih_auto_answer="no"
377 csih_disable_color
378fi
379if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
380then
381 csih_auto_answer="no"
382 csih_disable_color
383fi
50 384
385# ======================================================================
386# Parse options
387# ======================================================================
51while : 388while :
52do 389do
53 case $# in 390 case $# in
@@ -62,14 +399,15 @@ do
62 case "${option}" in 399 case "${option}" in
63 -d | --debug ) 400 -d | --debug )
64 set -x 401 set -x
402 csih_trace_on
65 ;; 403 ;;
66 404
67 -y | --yes ) 405 -y | --yes )
68 auto_answer=yes 406 csih_auto_answer=yes
69 ;; 407 ;;
70 408
71 -n | --no ) 409 -n | --no )
72 auto_answer=no 410 csih_auto_answer=no
73 ;; 411 ;;
74 412
75 -c | --cygwin ) 413 -c | --cygwin )
@@ -87,6 +425,10 @@ do
87 shift 425 shift
88 ;; 426 ;;
89 427
428 --privileged )
429 csih_FORCE_PRIVILEGED_USER=yes
430 ;;
431
90 *) 432 *)
91 echo "usage: ${progname} [OPTION]..." 433 echo "usage: ${progname} [OPTION]..."
92 echo 434 echo
@@ -98,7 +440,9 @@ do
98 echo " --no -n Answer all questions with \"no\" automatically." 440 echo " --no -n Answer all questions with \"no\" automatically."
99 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." 441 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
100 echo " --port -p <n> sshd listens on port n." 442 echo " --port -p <n> sshd listens on port n."
101 echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'." 443 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
444 echo " --privileged On Windows NT/2k/XP, require privileged user"
445 echo " instead of LocalSystem for sshd service."
102 echo 446 echo
103 exit 1 447 exit 1
104 ;; 448 ;;
@@ -106,73 +450,34 @@ do
106 esac 450 esac
107done 451done
108 452
109# Check if running on NT 453# ======================================================================
110_sys="`uname`" 454# Action!
111_nt=`expr "${_sys}" : "CYGWIN_NT"` 455# ======================================================================
112# If running on NT, check if running under 2003 Server or later
113if [ ${_nt} -gt 0 ]
114then
115 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
116fi
117 456
118# Check for running ssh/sshd processes first. Refuse to do anything while 457# Check for running ssh/sshd processes first. Refuse to do anything while
119# some ssh processes are still running 458# some ssh processes are still running
120
121if ps -ef | grep -v grep | grep -q ssh 459if ps -ef | grep -v grep | grep -q ssh
122then 460then
123 echo 461 echo
124 echo "There are still ssh processes running. Please shut them down first." 462 csih_error "There are still ssh processes running. Please shut them down first."
125 echo
126 exit 1
127fi 463fi
128 464
129# Check for ${SYSCONFDIR} directory 465# Check for ${SYSCONFDIR} directory
466csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
467chmod 775 "${SYSCONFDIR}"
468setfacl -m u:system:rwx "${SYSCONFDIR}"
130 469
131if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] 470# Check for /var/log directory
132then 471csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
133 echo 472chmod 775 "${LOCALSTATEDIR}/log"
134 echo "${SYSCONFDIR} is existant but not a directory." 473setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
135 echo "Cannot create global configuration files."
136 echo
137 exit 1
138fi
139
140# Create it if necessary
141
142if [ ! -e "${SYSCONFDIR}" ]
143then
144 mkdir "${SYSCONFDIR}"
145 if [ ! -e "${SYSCONFDIR}" ]
146 then
147 echo
148 echo "Creating ${SYSCONFDIR} directory failed"
149 echo
150 exit 1
151 fi
152fi
153
154# Create /var/log and /var/log/lastlog if not already existing
155
156if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
157then
158 echo
159 echo "${LOCALSTATEDIR}/log is existant but not a directory."
160 echo "Cannot create ssh host configuration."
161 echo
162 exit 1
163fi
164if [ ! -e ${LOCALSTATEDIR}/log ]
165then
166 mkdir -p ${LOCALSTATEDIR}/log
167fi
168 474
475# Create /var/log/lastlog if not already exists
169if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 476if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
170then 477then
171 echo 478 echo
172 echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." 479 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
173 echo "Cannot create ssh host configuration." 480 "Cannot create ssh host configuration."
174 echo
175 exit 1
176fi 481fi
177if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 482if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
178then 483then
@@ -181,431 +486,44 @@ then
181fi 486fi
182 487
183# Create /var/empty file used as chroot jail for privilege separation 488# Create /var/empty file used as chroot jail for privilege separation
184if [ -f ${LOCALSTATEDIR}/empty ] 489csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
185then 490chmod 755 "${LOCALSTATEDIR}/empty"
186 echo "Creating ${LOCALSTATEDIR}/empty failed!" 491setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
187else
188 mkdir -p ${LOCALSTATEDIR}/empty
189 if [ ${_nt} -gt 0 ]
190 then
191 chmod 755 ${LOCALSTATEDIR}/empty
192 fi
193fi
194 492
195# First generate host keys if not already existing 493# host keys
494create_host_keys
196 495
197if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 496# use 'cmp' program to determine if a config file is identical
198then 497# to the default version of that config file
199 echo "Generating ${SYSCONFDIR}/ssh_host_key" 498csih_check_program_or_error cmp diffutils
200 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
201fi
202 499
203if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
204then
205 echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
206 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
207fi
208 500
209if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 501# handle ssh_config
502csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
503if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
210then 504then
211 echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
212 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
213fi
214
215# Check if ssh_config exists. If yes, ask for overwriting
216
217if [ -f "${SYSCONFDIR}/ssh_config" ]
218then
219 if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
220 then
221 rm -f "${SYSCONFDIR}/ssh_config"
222 if [ -f "${SYSCONFDIR}/ssh_config" ]
223 then
224 echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
225 fi
226 fi
227fi
228
229# Create default ssh_config from skeleton file in /etc/defaults/etc
230
231if [ ! -f "${SYSCONFDIR}/ssh_config" ]
232then
233 echo "Generating ${SYSCONFDIR}/ssh_config file"
234 cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
235 if [ "${port_number}" != "22" ] 505 if [ "${port_number}" != "22" ]
236 then 506 then
507 csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
237 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config 508 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
238 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config 509 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
239 fi 510 fi
240fi 511fi
241 512
242# Check if sshd_config exists. If yes, ask for overwriting 513# handle sshd_config (and privsep)
243 514csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
244if [ -f "${SYSCONFDIR}/sshd_config" ] 515if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
245then 516then
246 if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" 517 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
247 then
248 rm -f "${SYSCONFDIR}/sshd_config"
249 if [ -f "${SYSCONFDIR}/sshd_config" ]
250 then
251 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
252 fi
253 else
254 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
255 fi
256fi 518fi
519sshd_privsep
257 520
258# Prior to creating or modifying sshd_config, care for privilege separation
259 521
260if [ "${privsep_configured}" != "yes" ]
261then
262 if [ ${_nt} -gt 0 ]
263 then
264 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
265 echo "However, this requires a non-privileged account called 'sshd'."
266 echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
267 echo
268 if request "Should privilege separation be used?"
269 then
270 privsep_used=yes
271 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
272 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
273 if [ "${sshd_in_passwd}" != "yes" ]
274 then
275 if [ "${sshd_in_sam}" != "yes" ]
276 then
277 echo "Warning: The following function requires administrator privileges!"
278 if request "Should this script create a local user 'sshd' on this machine?"
279 then
280 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
281 net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
282 if [ "${sshd_in_sam}" != "yes" ]
283 then
284 echo "Warning: Creating the user 'sshd' failed!"
285 fi
286 fi
287 fi
288 if [ "${sshd_in_sam}" != "yes" ]
289 then
290 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
291 echo " Privilege separation set to 'no' again!"
292 echo " Check your ${SYSCONFDIR}/sshd_config file!"
293 privsep_used=no
294 else
295 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
296 fi
297 fi
298 else
299 privsep_used=no
300 fi
301 else
302 # On 9x don't use privilege separation. Since security isn't
303 # available it just adds useless additional processes.
304 privsep_used=no
305 fi
306fi
307
308# Create default sshd_config from skeleton files in /etc/defaults/etc or
309# modify to add the missing privsep configuration option
310
311if [ ! -f "${SYSCONFDIR}/sshd_config" ]
312then
313 echo "Generating ${SYSCONFDIR}/sshd_config file"
314 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
315 s/^#Port 22/Port ${port_number}/
316 s/^#StrictModes yes/StrictModes no/" \
317 < ${SYSCONFDIR}/defaults/etc/sshd_config \
318 > ${SYSCONFDIR}/sshd_config
319elif [ "${privsep_configured}" != "yes" ]
320then
321 echo >> ${SYSCONFDIR}/sshd_config
322 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
323fi
324 522
325# Care for services file 523update_services_file
326_my_etcdir="/ssh-host-config.$$" 524update_inetd_conf
327if [ ${_nt} -gt 0 ] 525install_service
328then
329 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
330 _services="${_my_etcdir}/services"
331 # On NT, 27 spaces, no space after the hash
332 _spaces=" #"
333else
334 _win_etcdir="${WINDIR}"
335 _services="${_my_etcdir}/SERVICES"
336 # On 9x, 18 spaces (95 is very touchy), a space after the hash
337 _spaces=" # "
338fi
339_serv_tmp="${_my_etcdir}/srv.out.$$"
340
341mount -t -f "${_win_etcdir}" "${_my_etcdir}"
342
343# Depends on the above mount
344_wservices=`cygpath -w "${_services}"`
345
346# Remove sshd 22/port from services
347if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
348then
349 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
350 if [ -f "${_serv_tmp}" ]
351 then
352 if mv "${_serv_tmp}" "${_services}"
353 then
354 echo "Removing sshd from ${_wservices}"
355 else
356 echo "Removing sshd from ${_wservices} failed!"
357 fi
358 rm -f "${_serv_tmp}"
359 else
360 echo "Removing sshd from ${_wservices} failed!"
361 fi
362fi
363
364# Add ssh 22/tcp and ssh 22/udp to services
365if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
366then
367 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
368 then
369 if mv "${_serv_tmp}" "${_services}"
370 then
371 echo "Added ssh to ${_wservices}"
372 else
373 echo "Adding ssh to ${_wservices} failed!"
374 fi
375 rm -f "${_serv_tmp}"
376 else
377 echo "WARNING: Adding ssh to ${_wservices} failed!"
378 fi
379fi
380
381umount "${_my_etcdir}"
382
383# Care for inetd.conf file
384_inetcnf="${SYSCONFDIR}/inetd.conf"
385_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
386
387if [ -f "${_inetcnf}" ]
388then
389 # Check if ssh service is already in use as sshd
390 with_comment=1
391 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
392 # Remove sshd line from inetd.conf
393 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
394 then
395 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
396 if [ -f "${_inetcnf_tmp}" ]
397 then
398 if mv "${_inetcnf_tmp}" "${_inetcnf}"
399 then
400 echo "Removed sshd from ${_inetcnf}"
401 else
402 echo "Removing sshd from ${_inetcnf} failed!"
403 fi
404 rm -f "${_inetcnf_tmp}"
405 else
406 echo "Removing sshd from ${_inetcnf} failed!"
407 fi
408 fi
409
410 # Add ssh line to inetd.conf
411 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
412 then
413 if [ "${with_comment}" -eq 0 ]
414 then
415 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
416 else
417 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
418 fi
419 echo "Added ssh to ${_inetcnf}"
420 fi
421fi
422
423# On NT ask if sshd should be installed as service
424if [ ${_nt} -gt 0 ]
425then
426 # But only if it is not already installed
427 if ! cygrunsrv -Q sshd > /dev/null 2>&1
428 then
429 echo
430 echo
431 echo "Warning: The following functions require administrator privileges!"
432 echo
433 echo "Do you want to install sshd as service?"
434 if request "(Say \"no\" if it's already installed as service)"
435 then
436 if [ $_nt2003 -gt 0 ]
437 then
438 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
439 if [ "${sshd_server_in_passwd}" = "yes" ]
440 then
441 # Drop sshd_server from passwd since it could have wrong settings
442 grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
443 rm -f ${SYSCONFDIR}/passwd
444 mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
445 chmod g-w,o-w ${SYSCONFDIR}/passwd
446 fi
447 net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
448 if [ "${sshd_server_in_sam}" != "yes" ]
449 then
450 echo
451 echo "You appear to be running Windows 2003 Server or later. On 2003 and"
452 echo "later systems, it's not possible to use the LocalSystem account"
453 echo "if sshd should allow passwordless logon (e. g. public key authentication)."
454 echo "If you want to enable that functionality, it's required to create a new"
455 echo "account 'sshd_server' with special privileges, which is then used to run"
456 echo "the sshd service under."
457 echo
458 echo "Should this script create a new local account 'sshd_server' which has"
459 if request "the required privileges?"
460 then
461 _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
462 if [ -z "${_admingroup}" ]
463 then
464 echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
465 exit 1
466 fi
467 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
468 while [ "${sshd_server_in_sam}" != "yes" ]
469 do
470 if [ -n "${password_value}" ]
471 then
472 _password="${password_value}"
473 # Allow to ask for password if first try fails
474 password_value=""
475 else
476 echo
477 echo "Please enter a password for new user 'sshd_server'. Please be sure that"
478 echo "this password matches the password rules given on your system."
479 echo -n "Entering no password will exit the configuration. PASSWORD="
480 read -e _password
481 if [ -z "${_password}" ]
482 then
483 echo
484 echo "Exiting configuration. No user sshd_server has been created,"
485 echo "no sshd service installed."
486 exit 1
487 fi
488 fi
489 net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
490 if [ "${sshd_server_in_sam}" != "yes" ]
491 then
492 echo "Creating the user 'sshd_server' failed! Reason:"
493 cat /tmp/nu.$$
494 rm /tmp/nu.$$
495 fi
496 done
497 net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
498 if [ "${sshd_server_in_admingroup}" != "yes" ]
499 then
500 echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
501 echo "Please add sshd_server to local group ${_admingroup} before"
502 echo "starting the sshd service!"
503 echo
504 fi
505 passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
506 if [ "${passwd_has_expiry_flags}" != "yes" ]
507 then
508 echo
509 echo "WARNING: User sshd_server has password expiry set to system default."
510 echo "Please check that password never expires or set it to your needs."
511 elif ! passwd -e sshd_server
512 then
513 echo
514 echo "WARNING: Setting password expiry for user sshd_server failed!"
515 echo "Please check that password never expires or set it to your needs."
516 fi
517 editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
518 editrights -a SeCreateTokenPrivilege -u sshd_server &&
519 editrights -a SeTcbPrivilege -u sshd_server &&
520 editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
521 editrights -a SeDenyNetworkLogonRight -u sshd_server &&
522 editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
523 editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
524 editrights -a SeServiceLogonRight -u sshd_server &&
525 sshd_server_got_all_rights="yes"
526 if [ "${sshd_server_got_all_rights}" != "yes" ]
527 then
528 echo
529 echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
530 echo "Can't create sshd service!"
531 exit 1
532 fi
533 echo
534 echo "User 'sshd_server' has been created with password '${_password}'."
535 echo "If you change the password, please keep in mind to change the password"
536 echo "for the sshd service, too."
537 echo
538 echo "Also keep in mind that the user sshd_server needs read permissions on all"
539 echo "users' .ssh/authorized_keys file to allow public key authentication for"
540 echo "these users!. (Re-)running ssh-user-config for each user will set the"
541 echo "required permissions correctly."
542 echo
543 fi
544 fi
545 if [ "${sshd_server_in_sam}" = "yes" ]
546 then
547 mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
548 fi
549 fi
550 if [ -n "${cygwin_value}" ]
551 then
552 _cygwin="${cygwin_value}"
553 else
554 echo
555 echo "Which value should the environment variable CYGWIN have when"
556 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
557 echo "able to change user context without password."
558 echo -n "Default is \"ntsec\". CYGWIN="
559 read -e _cygwin
560 fi
561 [ -z "${_cygwin}" ] && _cygwin="ntsec"
562 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
563 then
564 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
565 then
566 echo
567 echo "The service has been installed under sshd_server account."
568 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
569 fi
570 else
571 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
572 then
573 echo
574 echo "The service has been installed under LocalSystem account."
575 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
576 fi
577 fi
578 fi
579 # Now check if sshd has been successfully installed. This allows to
580 # set the ownership of the affected files correctly.
581 if cygrunsrv -Q sshd > /dev/null 2>&1
582 then
583 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
584 then
585 _user="sshd_server"
586 else
587 _user="system"
588 fi
589 chown "${_user}" ${SYSCONFDIR}/ssh*
590 chown "${_user}".544 ${LOCALSTATEDIR}/empty
591 chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
592 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
593 then
594 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
595 fi
596 fi
597 if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
598 then
599 echo
600 echo "Warning: It appears that you have user mode mounts (\"Just me\""
601 echo "chosen during install.) Any daemons installed as services will"
602 echo "fail to function unless system mounts are used. To change this,"
603 echo "re-run setup.exe and choose \"All users\"."
604 echo
605 echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
606 fi
607 fi
608fi
609 526
610echo 527echo
611echo "Host configuration finished. Have fun!" 528csih_inform "Host configuration finished. Have fun!"
529