authorColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
committerColin Watson <cjwatson@debian.org>2010-01-01 23:53:30 +0000
commitdf03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree1aab079441dff9615274769b19f2d734ddf508dd /contrib/cygwin/ssh-host-config
parent6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out
for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config241
1 files changed, 122 insertions, 119 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index bbb6da4c4..57e728fbc 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -25,7 +25,7 @@ source ${CSIH_SCRIPT}
25port_number=22 25port_number=22
26privsep_configured=no 26privsep_configured=no
27privsep_used=yes 27privsep_used=yes
28cygwin_value="ntsec" 28cygwin_value=""
29password_value= 29password_value=
30 30
31# ====================================================================== 31# ======================================================================
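Review bot: `cygwin_value=""` on line 28 drops the former `ntsec` default without a word about why, and the value is still handed to `csih_get_cygenv` further down, so a reader cannot tell whether the empty string is deliberate. A one-line comment would settle it, e.g. `# Extra CYGWIN= settings for the sshd service; "ntsec" is no longer required here (presumably always on in this Cygwin release)`. The hunk shows only the variable defaults; the code that consumes them is elsewhere in the file.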
@@ -37,13 +37,13 @@ create_host_keys() {
37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
39 fi 39 fi
40 40
41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
42 then 42 then
43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
45 fi 45 fi
46 46
47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
48 then 48 then
49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
@@ -75,12 +75,12 @@ update_services_file() {
75 _spaces=" # " 75 _spaces=" # "
76 fi 76 fi
77 _serv_tmp="${_my_etcdir}/srv.out.$$" 77 _serv_tmp="${_my_etcdir}/srv.out.$$"
78 78
79 mount -t -f "${_win_etcdir}" "${_my_etcdir}" 79 mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
80 80
81 # Depends on the above mount 81 # Depends on the above mount
82 _wservices=`cygpath -w "${_services}"` 82 _wservices=`cygpath -w "${_services}"`
83 83
84 # Remove sshd 22/port from services 84 # Remove sshd 22/port from services
85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
86 then 86 then
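Review bot: The exit status of the new `mount -o text -f "${_win_etcdir}" "${_my_etcdir}"` on line 79 is never checked, although the comment on line 81 says everything after it depends on that mount. If the mount fails, `${_services}` does not point at the Windows services file; the later `grep -q` tests treat "file missing" exactly like "entry not found", so the script would go on to edit the wrong file and then report success. I would guard it: `if ! mount -o text -f "${_win_etcdir}" "${_my_etcdir}"; then csih_warning "Mounting ${_win_etcdir} on ${_my_etcdir} failed!"; return 1; fi`. The head of update_services_file, where `_my_etcdir` and `_services` are presumably set, is outside the hunk.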
@@ -89,16 +89,16 @@ update_services_file() {
89 then 89 then
90 if mv "${_serv_tmp}" "${_services}" 90 if mv "${_serv_tmp}" "${_services}"
91 then 91 then
92 csih_inform "Removing sshd from ${_wservices}" 92 csih_inform "Removing sshd from ${_wservices}"
93 else 93 else
94 csih_warning "Removing sshd from ${_wservices} failed!" 94 csih_warning "Removing sshd from ${_wservices} failed!"
95 fi 95 fi
96 rm -f "${_serv_tmp}" 96 rm -f "${_serv_tmp}"
97 else 97 else
98 csih_warning "Removing sshd from ${_wservices} failed!" 98 csih_warning "Removing sshd from ${_wservices} failed!"
99 fi 99 fi
100 fi 100 fi
101 101
102 # Add ssh 22/tcp and ssh 22/udp to services 102 # Add ssh 22/tcp and ssh 22/udp to services
103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
104 then 104 then
@@ -106,9 +106,9 @@ update_services_file() {
106 then 106 then
107 if mv "${_serv_tmp}" "${_services}" 107 if mv "${_serv_tmp}" "${_services}"
108 then 108 then
109 csih_inform "Added ssh to ${_wservices}" 109 csih_inform "Added ssh to ${_wservices}"
110 else 110 else
111 csih_warning "Adding ssh to ${_wservices} failed!" 111 csih_warning "Adding ssh to ${_wservices} failed!"
112 fi 112 fi
113 rm -f "${_serv_tmp}" 113 rm -f "${_serv_tmp}"
114 else 114 else
@@ -134,16 +134,16 @@ sshd_privsep() {
134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
135 if csih_request "Should privilege separation be used?" 135 if csih_request "Should privilege separation be used?"
136 then 136 then
137 privsep_used=yes 137 privsep_used=yes
138 if ! csih_create_unprivileged_user sshd 138 if ! csih_create_unprivileged_user sshd
139 then 139 then
140 csih_warning "Couldn't create user 'sshd'!" 140 csih_warning "Couldn't create user 'sshd'!"
141 csih_warning "Privilege separation set to 'no' again!" 141 csih_warning "Privilege separation set to 'no' again!"
142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
143 privsep_used=no 143 privsep_used=no
144 fi 144 fi
145 else 145 else
146 privsep_used=no 146 privsep_used=no
147 fi 147 fi
148 else 148 else
149 # On 9x don't use privilege separation. Since security isn't 149 # On 9x don't use privilege separation. Since security isn't
@@ -151,7 +151,7 @@ sshd_privsep() {
151 privsep_used=no 151 privsep_used=no
152 fi 152 fi
153 fi 153 fi
154 154
155 # Create default sshd_config from skeleton files in /etc/defaults/etc or 155 # Create default sshd_config from skeleton files in /etc/defaults/etc or
156 # modify to add the missing privsep configuration option 156 # modify to add the missing privsep configuration option
157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
@@ -161,8 +161,8 @@ sshd_privsep() {
161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
162 s/^#Port 22/Port ${port_number}/ 162 s/^#Port 22/Port ${port_number}/
163 s/^#StrictModes yes/StrictModes no/" \ 163 s/^#StrictModes yes/StrictModes no/" \
164 < ${SYSCONFDIR}/sshd_config \ 164 < ${SYSCONFDIR}/sshd_config \
165 > "${sshdconfig_tmp}" 165 > "${sshdconfig_tmp}"
166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
167 elif [ "${privsep_configured}" != "yes" ] 167 elif [ "${privsep_configured}" != "yes" ]
168 then 168 then
@@ -193,19 +193,19 @@ update_inetd_conf() {
193 # will be replaced by a file in inetd.d/ 193 # will be replaced by a file in inetd.d/
194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
195 then 195 then
196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
197 if [ -f "${_inetcnf_tmp}" ] 197 if [ -f "${_inetcnf_tmp}" ]
198 then 198 then
199 if mv "${_inetcnf_tmp}" "${_inetcnf}" 199 if mv "${_inetcnf_tmp}" "${_inetcnf}"
200 then 200 then
201 csih_inform "Removed ssh[d] from ${_inetcnf}" 201 csih_inform "Removed ssh[d] from ${_inetcnf}"
202 else 202 else
203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
204 fi 204 fi
205 rm -f "${_inetcnf_tmp}" 205 rm -f "${_inetcnf_tmp}"
206 else 206 else
207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
208 fi 208 fi
209 fi 209 fi
210 fi 210 fi
211 211
@@ -214,13 +214,13 @@ update_inetd_conf() {
214 then 214 then
215 if [ "${_with_comment}" -eq 0 ] 215 if [ "${_with_comment}" -eq 0 ]
216 then 216 then
217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
218 else 218 else
219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
220 fi 220 fi
221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
222 csih_inform "Updated ${_sshd_inetd_conf}" 222 csih_inform "Updated ${_sshd_inetd_conf}"
223 fi 223 fi
224 224
225 elif [ -f "${_inetcnf}" ] 225 elif [ -f "${_inetcnf}" ]
226 then 226 then
@@ -233,26 +233,26 @@ update_inetd_conf() {
233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
234 if [ -f "${_inetcnf_tmp}" ] 234 if [ -f "${_inetcnf_tmp}" ]
235 then 235 then
236 if mv "${_inetcnf_tmp}" "${_inetcnf}" 236 if mv "${_inetcnf_tmp}" "${_inetcnf}"
237 then 237 then
238 csih_inform "Removed sshd from ${_inetcnf}" 238 csih_inform "Removed sshd from ${_inetcnf}"
239 else 239 else
240 csih_warning "Removing sshd from ${_inetcnf} failed!" 240 csih_warning "Removing sshd from ${_inetcnf} failed!"
241 fi 241 fi
242 rm -f "${_inetcnf_tmp}" 242 rm -f "${_inetcnf_tmp}"
243 else 243 else
244 csih_warning "Removing sshd from ${_inetcnf} failed!" 244 csih_warning "Removing sshd from ${_inetcnf} failed!"
245 fi 245 fi
246 fi 246 fi
247 247
248 # Add ssh line to inetd.conf 248 # Add ssh line to inetd.conf
249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
250 then 250 then
251 if [ "${_with_comment}" -eq 0 ] 251 if [ "${_with_comment}" -eq 0 ]
252 then 252 then
253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
254 else 254 else
255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
256 fi 256 fi
257 csih_inform "Added ssh to ${_inetcnf}" 257 csih_inform "Added ssh to ${_inetcnf}"
258 fi 258 fi
@@ -278,80 +278,83 @@ install_service() {
278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" 278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
279 if csih_request "(Say \"no\" if it is already installed as a service)" 279 if csih_request "(Say \"no\" if it is already installed as a service)"
280 then 280 then
281 csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" 281 csih_get_cygenv "${cygwin_value}"
282 csih_inform "for sshd to be able to change user context without password." 282
283 csih_get_cygenv "${cygwin_value}" 283 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
284 284 then
285 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 285 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
286 then 286 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
287 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 287 csih_inform "sshd requires. You need to have or to create a privileged"
288 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 288 csih_inform "account. This script will help you do so."
289 csih_inform "sshd requires. You need to have or to create a privileged" 289 echo
290 csih_inform "account. This script will help you do so." 290 if ! csih_create_privileged_user "${password_value}"
291 echo 291 then
292 if ! csih_create_privileged_user "${password_value}" 292 csih_error_recoverable "There was a serious problem creating a privileged user."
293 then 293 csih_request "Do you want to proceed anyway?" || exit 1
294 csih_error_recoverable "There was a serious problem creating a privileged user." 294 fi
295 csih_request "Do you want to proceed anyway?" || exit 1 295 fi
296 fi 296
297 fi 297 # never returns empty if NT or above
298 298 run_service_as=$(csih_service_should_run_as)
299 # never returns empty if NT or above 299
300 run_service_as=$(csih_service_should_run_as) 300 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
301 301 then
302 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 302 password="${csih_PRIVILEGED_PASSWORD}"
303 then 303 if [ -z "${password}" ]
304 password="${csih_PRIVILEGED_PASSWORD}" 304 then
305 if [ -z "${password}" ] 305 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
306 then 306 password="${csih_value}"
307 csih_get_value "Please enter the password for user '${run_service_as}':" "-s" 307 fi
308 password="${csih_value}" 308 fi
309 fi 309
310 fi 310 # at this point, we either have $run_service_as = "system" and $password is empty,
311 311 # or $run_service_as is some privileged user and (hopefully) $password contains
312 # at this point, we either have $run_service_as = "system" and $password is empty, 312 # the correct password. So, from here out, we use '-z "${password}"' to discriminate
313 # or $run_service_as is some privileged user and (hopefully) $password contains 313 # the two cases.
314 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 314
315 # the two cases. 315 csih_check_user "${run_service_as}"
316 316
317 csih_check_user "${run_service_as}" 317 if [ -n "${csih_cygenv}" ]
318 318 then
319 if [ -z "${password}" ] 319 cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
320 then 320 fi
321 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ 321 if [ -z "${password}" ]
322 -e CYGWIN="${csih_cygenv}" 322 then
323 then 323 if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
324 echo 324 -a "-D" -y tcpip ${cygwin_env}
325 csih_inform "The sshd service has been installed under the LocalSystem" 325 then
326 csih_inform "account (also known as SYSTEM). To start the service now, call" 326 echo
327 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" 327 csih_inform "The sshd service has been installed under the LocalSystem"
328 csih_inform "will start automatically after the next reboot." 328 csih_inform "account (also known as SYSTEM). To start the service now, call"
329 fi 329 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
330 else 330 csih_inform "will start automatically after the next reboot."
331 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ 331 fi
332 -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" 332 else
333 then 333 if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
334 -a "-D" -y tcpip ${cygwin_env} \
335 -u "${run_service_as}" -w "${password}"
336 then
334 echo 337 echo
335 csih_inform "The sshd service has been installed under the '${run_service_as}'" 338 csih_inform "The sshd service has been installed under the '${run_service_as}'"
336 csih_inform "account. To start the service now, call \`net start sshd' or" 339 csih_inform "account. To start the service now, call \`net start sshd' or"
337 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" 340 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
338 csih_inform "after the next reboot." 341 csih_inform "after the next reboot."
339 fi 342 fi
340 fi 343 fi
341 344
342 # now, if successfully installed, set ownership of the affected files 345 # now, if successfully installed, set ownership of the affected files
343 if cygrunsrv -Q sshd >/dev/null 2>&1 346 if cygrunsrv -Q sshd >/dev/null 2>&1
344 then 347 then
345 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 348 chown "${run_service_as}" ${SYSCONFDIR}/ssh*
346 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 349 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
347 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
348 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 351 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
349 then 352 then
350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 353 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
351 fi 354 fi
352 else 355 else
353 csih_warning "Something went wrong installing the sshd service." 356 csih_warning "Something went wrong installing the sshd service."
354 fi 357 fi
355 fi # user allowed us to install as service 358 fi # user allowed us to install as service
356 fi # service not yet installed 359 fi # service not yet installed
357 fi # csih_is_nt 360 fi # csih_is_nt
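Review bot: The new `eval cygrunsrv …` on lines 323 and 333 re-parses the already-expanded values of `${run_service_as}`, `${password}` and `${csih_cygenv}` as shell code, so a password containing a space, a double quote, `$(…)` or a backtick is either split into several arguments or executed — and that password is exactly what the user just typed at the `csih_get_value` prompt on line 305, or came from `csih_PRIVILEGED_PASSWORD`. The eval seems to exist only so that `${cygwin_env}` can disappear when `csih_cygenv` is empty; if the script is bash (its `echo -e` and `$(…)` suggest so), an array gives the same optional argument without eval and keeps every value intact (an empty array expansion is only a problem under `set -u` on bash older than 4.4, which is not visible here). install_service begins before this hunk and the `run_service_as`/`password` assignments above are unchanged.
```shell
cygwin_env=()
if [ -n "${csih_cygenv}" ]
then
  cygwin_env=(-e "CYGWIN=${csih_cygenv}")
fi
if [ -z "${password}" ]
then
  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
    -a "-D" -y tcpip "${cygwin_env[@]}"
  then
    # … unchanged: LocalSystem success messages …
  fi
else
  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
    -a "-D" -y tcpip "${cygwin_env[@]}" \
    -u "${run_service_as}" -w "${password}"
  then
    # … unchanged: privileged-account success messages …
  fi
fi
```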
@@ -456,7 +459,7 @@ done
456 459
457# Check for running ssh/sshd processes first. Refuse to do anything while 460# Check for running ssh/sshd processes first. Refuse to do anything while
458# some ssh processes are still running 461# some ssh processes are still running
459if ps -ef | grep -v grep | grep -q ssh 462if ps -ef | grep -q '/sshd\?$'
460then 463then
461 echo 464 echo
462 csih_error "There are still ssh processes running. Please shut them down first." 465 csih_error "There are still ssh processes running. Please shut them down first."
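Review bot: The new pattern `'/sshd\?$'` on line 462 leans on the GNU `\?` BRE extension; `grep -qE '/sshd?$'` expresses the same match in standard ERE and is easier to read. Because of the `$` anchor the check only fires when the command column ends exactly in `/ssh` or `/sshd`, so any `ps` output that appends arguments or an `.exe` suffix would slip past; if Cygwin's `ps -ef` never prints those, a short comment would spare the next reader the doubt, e.g. `# Cygwin ps prints only the executable path, so anchor on the basename`.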
@@ -475,9 +478,9 @@ setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
475# Create /var/log/lastlog if not already exists 478# Create /var/log/lastlog if not already exists
476if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 479if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
477then 480then
478 echo 481 echo
479 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ 482 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
480 "Cannot create ssh host configuration." 483 "Cannot create ssh host configuration."
481fi 484fi
482if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 485if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
483then 486then
@@ -520,7 +523,7 @@ sshd_privsep
520 523
521 524
522 525
523update_services_file 526update_services_file
524update_inetd_conf 527update_inetd_conf
525install_service 528install_service
526 529