author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
tree | 89400a44e42d84937deba7864e4964d6c7734da5 /contrib | |
parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/aix/buildbff.sh | 11 | ||||
-rw-r--r-- | contrib/caldera/openssh.spec | 4 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 544 | ||||
-rw-r--r-- | contrib/cygwin/ssh-user-config | 84 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 24 | ||||
-rwxr-xr-x | contrib/redhat/sshd.init | 71 | ||||
-rw-r--r-- | contrib/ssh-copy-id | 2 | ||||
-rw-r--r-- | contrib/suse/openssh.spec | 18 | ||||
-rw-r--r-- | contrib/suse/rc.sshd | 16 |
9 files changed, 419 insertions, 355 deletions
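--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
-# $Id: buildbff.sh,v 1.12 2010/04/18 03:35:00 dtucker Exp $
+# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
@@ -156,13 +156,6 @@ do
 mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
 done
 
-# AIX 5.3 and newer have /dev/random and don't create ssh_prng_cmds
-if [ -f $FAKE_ROOT/$sysconfdir/ssh_prng_cmds ]
-then
-mv $FAKE_ROOT/$sysconfdir/ssh_prng_cmds \
-$FAKE_ROOT/$sysconfdir/ssh_prng_cmds.default
-fi
-
 #
 # Generate lpp control files.
 # working dir is $FAKE_ROOT but files are generated in dir above
@@ -197,7 +190,7 @@ cat <<EOF >>../openssh.post_i
 #!/bin/sh
 
 echo Creating configs from defaults if necessary.
-for cfgfile in ssh_config sshd_config ssh_prng_cmds
+for cfgfile in ssh_config sshd_config
 do
 if [ ! -f $sysconfdir/\$cfgfile ]
 then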
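--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
-%define version 5.8p1
+%define version 5.9p1
 %if %{use_stable}
 %define cvs %{nil}
 %define release 1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.73.4.1 2011/02/04 00:57:54 djm Exp $
+$Id: openssh.spec,v 1.75.2.1 2011/09/05 00:28:11 djm Exp $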
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index d968d4619..3ac39a621 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # ssh-host-config, Copyright 2000-2009 Red Hat Inc. | 3 | # ssh-host-config, Copyright 2000-2011 Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | # | 6 | # |
@@ -19,12 +19,39 @@ | |||
19 | # ====================================================================== | 19 | # ====================================================================== |
20 | # Initialization | 20 | # Initialization |
21 | # ====================================================================== | 21 | # ====================================================================== |
22 | PROGNAME=$(basename $0) | ||
23 | _tdir=$(dirname $0) | ||
24 | PROGDIR=$(cd $_tdir && pwd) | ||
25 | 22 | ||
26 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh | 23 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh |
27 | 24 | ||
25 | # List of apps used. This is checkad for existance in csih_sanity_check | ||
26 | # Don't use *any* transient commands before sourcing the csih helper script, | ||
27 | # otherwise the sanity checks are short-circuited. | ||
28 | declare -a csih_required_commands=( | ||
29 | /usr/bin/basename coreutils | ||
30 | /usr/bin/cat coreutils | ||
31 | /usr/bin/chmod coreutils | ||
32 | /usr/bin/dirname coreutils | ||
33 | /usr/bin/id coreutils | ||
34 | /usr/bin/mv coreutils | ||
35 | /usr/bin/rm coreutils | ||
36 | /usr/bin/cygpath cygwin | ||
37 | /usr/bin/mount cygwin | ||
38 | /usr/bin/ps cygwin | ||
39 | /usr/bin/setfacl cygwin | ||
40 | /usr/bin/umount cygwin | ||
41 | /usr/bin/cmp diffutils | ||
42 | /usr/bin/grep grep | ||
43 | /usr/bin/awk gawk | ||
44 | /usr/bin/ssh-keygen openssh | ||
45 | /usr/sbin/sshd openssh | ||
46 | /usr/bin/sed sed | ||
47 | ) | ||
48 | csih_sanity_check_server=yes | ||
49 | source ${CSIH_SCRIPT} | ||
50 | |||
51 | PROGNAME=$(/usr/bin/basename $0) | ||
52 | _tdir=$(/usr/bin/dirname $0) | ||
53 | PROGDIR=$(cd $_tdir && pwd) | ||
54 | |||
28 | # Subdirectory where the new package is being installed | 55 | # Subdirectory where the new package is being installed |
29 | PREFIX=/usr | 56 | PREFIX=/usr |
30 | 57 | ||
@@ -32,8 +59,6 @@ PREFIX=/usr | |||
32 | SYSCONFDIR=/etc | 59 | SYSCONFDIR=/etc |
33 | LOCALSTATEDIR=/var | 60 | LOCALSTATEDIR=/var |
34 | 61 | ||
35 | source ${CSIH_SCRIPT} | ||
36 | |||
37 | port_number=22 | 62 | port_number=22 |
38 | privsep_configured=no | 63 | privsep_configured=no |
39 | privsep_used=yes | 64 | privsep_used=yes |
@@ -46,23 +71,48 @@ opt_force=no | |||
46 | # Routine: create_host_keys | 71 | # Routine: create_host_keys |
47 | # ====================================================================== | 72 | # ====================================================================== |
48 | create_host_keys() { | 73 | create_host_keys() { |
74 | local ret=0 | ||
75 | |||
49 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] | 76 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] |
50 | then | 77 | then |
51 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" | 78 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" |
52 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | 79 | if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
80 | then | ||
81 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
82 | let ++ret | ||
83 | fi | ||
53 | fi | 84 | fi |
54 | 85 | ||
55 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | 86 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
56 | then | 87 | then |
57 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | 88 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
58 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | 89 | if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
90 | then | ||
91 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
92 | let ++ret | ||
93 | fi | ||
59 | fi | 94 | fi |
60 | 95 | ||
61 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | 96 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
62 | then | 97 | then |
63 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | 98 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
64 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null | 99 | if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null |
100 | then | ||
101 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
102 | let ++ret | ||
103 | fi | ||
65 | fi | 104 | fi |
105 | |||
106 | if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] | ||
107 | then | ||
108 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" | ||
109 | if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null | ||
110 | then | ||
111 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
112 | let ++ret | ||
113 | fi | ||
114 | fi | ||
115 | return $ret | ||
66 | } # --- End of create_host_keys --- # | 116 | } # --- End of create_host_keys --- # |
67 | 117 | ||
68 | # ====================================================================== | 118 | # ====================================================================== |
@@ -75,61 +125,58 @@ update_services_file() { | |||
75 | local _spaces | 125 | local _spaces |
76 | local _serv_tmp | 126 | local _serv_tmp |
77 | local _wservices | 127 | local _wservices |
128 | local ret=0 | ||
78 | 129 | ||
79 | if csih_is_nt | 130 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" |
80 | then | 131 | _services="${_my_etcdir}/services" |
81 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" | 132 | _spaces=" #" |
82 | _services="${_my_etcdir}/services" | ||
83 | # On NT, 27 spaces, no space after the hash | ||
84 | _spaces=" #" | ||
85 | else | ||
86 | _win_etcdir="${WINDIR}" | ||
87 | _services="${_my_etcdir}/SERVICES" | ||
88 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
89 | _spaces=" # " | ||
90 | fi | ||
91 | _serv_tmp="${_my_etcdir}/srv.out.$$" | 133 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
92 | 134 | ||
93 | mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" | 135 | /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" |
94 | 136 | ||
95 | # Depends on the above mount | 137 | # Depends on the above mount |
96 | _wservices=`cygpath -w "${_services}"` | 138 | _wservices=`cygpath -w "${_services}"` |
97 | 139 | ||
98 | # Remove sshd 22/port from services | 140 | # Remove sshd 22/port from services |
99 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | 141 | if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
100 | then | 142 | then |
101 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | 143 | /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
102 | if [ -f "${_serv_tmp}" ] | 144 | if [ -f "${_serv_tmp}" ] |
103 | then | 145 | then |
104 | if mv "${_serv_tmp}" "${_services}" | 146 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
105 | then | 147 | then |
106 | csih_inform "Removing sshd from ${_wservices}" | 148 | csih_inform "Removing sshd from ${_wservices}" |
107 | else | 149 | else |
108 | csih_warning "Removing sshd from ${_wservices} failed!" | 150 | csih_warning "Removing sshd from ${_wservices} failed!" |
151 | let ++ret | ||
109 | fi | 152 | fi |
110 | rm -f "${_serv_tmp}" | 153 | /usr/bin/rm -f "${_serv_tmp}" |
111 | else | 154 | else |
112 | csih_warning "Removing sshd from ${_wservices} failed!" | 155 | csih_warning "Removing sshd from ${_wservices} failed!" |
156 | let ++ret | ||
113 | fi | 157 | fi |
114 | fi | 158 | fi |
115 | 159 | ||
116 | # Add ssh 22/tcp and ssh 22/udp to services | 160 | # Add ssh 22/tcp and ssh 22/udp to services |
117 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 161 | if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
118 | then | 162 | then |
119 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | 163 | if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
120 | then | 164 | then |
121 | if mv "${_serv_tmp}" "${_services}" | 165 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
122 | then | 166 | then |
123 | csih_inform "Added ssh to ${_wservices}" | 167 | csih_inform "Added ssh to ${_wservices}" |
124 | else | 168 | else |
125 | csih_warning "Adding ssh to ${_wservices} failed!" | 169 | csih_warning "Adding ssh to ${_wservices} failed!" |
170 | let ++ret | ||
126 | fi | 171 | fi |
127 | rm -f "${_serv_tmp}" | 172 | /usr/bin/rm -f "${_serv_tmp}" |
128 | else | 173 | else |
129 | csih_warning "Adding ssh to ${_wservices} failed!" | 174 | csih_warning "Adding ssh to ${_wservices} failed!" |
175 | let ++ret | ||
130 | fi | 176 | fi |
131 | fi | 177 | fi |
132 | umount "${_my_etcdir}" | 178 | /usr/bin/umount "${_my_etcdir}" |
179 | return $ret | ||
133 | } # --- End of update_services_file --- # | 180 | } # --- End of update_services_file --- # |
134 | 181 | ||
135 | # ====================================================================== | 182 | # ====================================================================== |
@@ -138,51 +185,57 @@ update_services_file() { | |||
138 | # ====================================================================== | 185 | # ====================================================================== |
139 | sshd_privsep() { | 186 | sshd_privsep() { |
140 | local sshdconfig_tmp | 187 | local sshdconfig_tmp |
188 | local ret=0 | ||
141 | 189 | ||
142 | if [ "${privsep_configured}" != "yes" ] | 190 | if [ "${privsep_configured}" != "yes" ] |
143 | then | 191 | then |
144 | if csih_is_nt | 192 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." |
193 | csih_inform "However, this requires a non-privileged account called 'sshd'." | ||
194 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
195 | if csih_request "Should privilege separation be used?" | ||
145 | then | 196 | then |
146 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." | 197 | privsep_used=yes |
147 | csih_inform "However, this requires a non-privileged account called 'sshd'." | 198 | if ! csih_create_unprivileged_user sshd |
148 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
149 | if csih_request "Should privilege separation be used?" | ||
150 | then | 199 | then |
151 | privsep_used=yes | 200 | csih_error_recoverable "Couldn't create user 'sshd'!" |
152 | if ! csih_create_unprivileged_user sshd | 201 | csih_error_recoverable "Privilege separation set to 'no' again!" |
153 | then | 202 | csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" |
154 | csih_warning "Couldn't create user 'sshd'!" | 203 | let ++ret |
155 | csih_warning "Privilege separation set to 'no' again!" | ||
156 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
157 | privsep_used=no | ||
158 | fi | ||
159 | else | ||
160 | privsep_used=no | 204 | privsep_used=no |
161 | fi | 205 | fi |
162 | else | 206 | else |
163 | # On 9x don't use privilege separation. Since security isn't | ||
164 | # available it just adds useless additional processes. | ||
165 | privsep_used=no | 207 | privsep_used=no |
166 | fi | 208 | fi |
167 | fi | 209 | fi |
168 | 210 | ||
169 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | 211 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
170 | # modify to add the missing privsep configuration option | 212 | # modify to add the missing privsep configuration option |
171 | if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 213 | if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
172 | then | 214 | then |
173 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" | 215 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" |
174 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ | 216 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ |
175 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ | 217 | /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
176 | s/^#Port 22/Port ${port_number}/ | 218 | s/^#Port 22/Port ${port_number}/ |
177 | s/^#StrictModes yes/StrictModes no/" \ | 219 | s/^#StrictModes yes/StrictModes no/" \ |
178 | < ${SYSCONFDIR}/sshd_config \ | 220 | < ${SYSCONFDIR}/sshd_config \ |
179 | > "${sshdconfig_tmp}" | 221 | > "${sshdconfig_tmp}" |
180 | mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config | 222 | if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config |
223 | then | ||
224 | csih_warning "Setting privilege separation to 'yes' failed!" | ||
225 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
226 | let ++ret | ||
227 | fi | ||
181 | elif [ "${privsep_configured}" != "yes" ] | 228 | elif [ "${privsep_configured}" != "yes" ] |
182 | then | 229 | then |
183 | echo >> ${SYSCONFDIR}/sshd_config | 230 | echo >> ${SYSCONFDIR}/sshd_config |
184 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config | 231 | if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
232 | then | ||
233 | csih_warning "Setting privilege separation to 'yes' failed!" | ||
234 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
235 | let ++ret | ||
236 | fi | ||
185 | fi | 237 | fi |
238 | return $ret | ||
186 | } # --- End of sshd_privsep --- # | 239 | } # --- End of sshd_privsep --- # |
187 | 240 | ||
188 | # ====================================================================== | 241 | # ====================================================================== |
@@ -195,72 +248,82 @@ update_inetd_conf() { | |||
195 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" | 248 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" |
196 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" | 249 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" |
197 | local _with_comment=1 | 250 | local _with_comment=1 |
251 | local ret=0 | ||
198 | 252 | ||
199 | if [ -d "${_inetcnf_dir}" ] | 253 | if [ -d "${_inetcnf_dir}" ] |
200 | then | 254 | then |
201 | # we have inetutils-1.5 inetd.d support | 255 | # we have inetutils-1.5 inetd.d support |
202 | if [ -f "${_inetcnf}" ] | 256 | if [ -f "${_inetcnf}" ] |
203 | then | 257 | then |
204 | grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 | 258 | /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 |
205 | 259 | ||
206 | # check for sshd OR ssh in top-level inetd.conf file, and remove | 260 | # check for sshd OR ssh in top-level inetd.conf file, and remove |
207 | # will be replaced by a file in inetd.d/ | 261 | # will be replaced by a file in inetd.d/ |
208 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] | 262 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] |
209 | then | 263 | then |
210 | grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" | 264 | /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
211 | if [ -f "${_inetcnf_tmp}" ] | 265 | if [ -f "${_inetcnf_tmp}" ] |
212 | then | 266 | then |
213 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 267 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
214 | then | 268 | then |
215 | csih_inform "Removed ssh[d] from ${_inetcnf}" | 269 | csih_inform "Removed ssh[d] from ${_inetcnf}" |
216 | else | 270 | else |
217 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 271 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
272 | let ++ret | ||
218 | fi | 273 | fi |
219 | rm -f "${_inetcnf_tmp}" | 274 | /usr/bin/rm -f "${_inetcnf_tmp}" |
220 | else | 275 | else |
221 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 276 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
277 | let ++ret | ||
222 | fi | 278 | fi |
223 | fi | 279 | fi |
224 | fi | 280 | fi |
225 | 281 | ||
226 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" | 282 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" |
227 | if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 | 283 | if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 |
228 | then | 284 | then |
229 | if [ "${_with_comment}" -eq 0 ] | 285 | if [ "${_with_comment}" -eq 0 ] |
230 | then | 286 | then |
231 | sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 287 | /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
232 | else | 288 | else |
233 | sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 289 | /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
290 | fi | ||
291 | if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
292 | then | ||
293 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
294 | else | ||
295 | csih_warning "Updating ${_sshd_inetd_conf} failed!" | ||
296 | let ++ret | ||
234 | fi | 297 | fi |
235 | mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
236 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
237 | fi | 298 | fi |
238 | 299 | ||
239 | elif [ -f "${_inetcnf}" ] | 300 | elif [ -f "${_inetcnf}" ] |
240 | then | 301 | then |
241 | grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 | 302 | /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 |
242 | 303 | ||
243 | # check for sshd in top-level inetd.conf file, and remove | 304 | # check for sshd in top-level inetd.conf file, and remove |
244 | # will be replaced by a file in inetd.d/ | 305 | # will be replaced by a file in inetd.d/ |
245 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | 306 | if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
246 | then | 307 | then |
247 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | 308 | /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
248 | if [ -f "${_inetcnf_tmp}" ] | 309 | if [ -f "${_inetcnf_tmp}" ] |
249 | then | 310 | then |
250 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 311 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
251 | then | 312 | then |
252 | csih_inform "Removed sshd from ${_inetcnf}" | 313 | csih_inform "Removed sshd from ${_inetcnf}" |
253 | else | 314 | else |
254 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 315 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
316 | let ++ret | ||
255 | fi | 317 | fi |
256 | rm -f "${_inetcnf_tmp}" | 318 | /usr/bin/rm -f "${_inetcnf_tmp}" |
257 | else | 319 | else |
258 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 320 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
321 | let ++ret | ||
259 | fi | 322 | fi |
260 | fi | 323 | fi |
261 | 324 | ||
262 | # Add ssh line to inetd.conf | 325 | # Add ssh line to inetd.conf |
263 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | 326 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
264 | then | 327 | then |
265 | if [ "${_with_comment}" -eq 0 ] | 328 | if [ "${_with_comment}" -eq 0 ] |
266 | then | 329 | then |
@@ -268,115 +331,186 @@ update_inetd_conf() { | |||
268 | else | 331 | else |
269 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | 332 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
270 | fi | 333 | fi |
271 | csih_inform "Added ssh to ${_inetcnf}" | 334 | if [ $? -eq 0 ] |
335 | then | ||
336 | csih_inform "Added ssh to ${_inetcnf}" | ||
337 | else | ||
338 | csih_warning "Adding ssh to ${_inetcnf} failed!" | ||
339 | let ++ret | ||
340 | fi | ||
272 | fi | 341 | fi |
273 | fi | 342 | fi |
343 | return $ret | ||
274 | } # --- End of update_inetd_conf --- # | 344 | } # --- End of update_inetd_conf --- # |
275 | 345 | ||
276 | # ====================================================================== | 346 | # ====================================================================== |
347 | # Routine: check_service_files_ownership | ||
348 | # Checks that the files in /etc and /var belong to the right owner | ||
349 | # ====================================================================== | ||
350 | check_service_files_ownership() { | ||
351 | local run_service_as=$1 | ||
352 | local ret=0 | ||
353 | |||
354 | if [ -z "${run_service_as}" ] | ||
355 | then | ||
356 | accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') | ||
357 | if [ "${accnt_name}" = "LocalSystem" ] | ||
358 | then | ||
359 | # Convert "LocalSystem" to "SYSTEM" as is the correct account name | ||
360 | accnt_name="SYSTEM:" | ||
361 | elif [[ "${accnt_name}" =~ ^\.\\ ]] | ||
362 | then | ||
363 | # Convert "." domain to local machine name | ||
364 | accnt_name="U-${COMPUTERNAME}${accnt_name#.}," | ||
365 | fi | ||
366 | run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') | ||
367 | if [ -z "${run_service_as}" ] | ||
368 | then | ||
369 | csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" | ||
370 | csih_warning "As a result, this script cannot make sure that the files used" | ||
371 | csih_warning "by the sshd service belong to the user running the service." | ||
372 | csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" | ||
373 | csih_warning "file is in a good shape." | ||
374 | return 1 | ||
375 | fi | ||
376 | fi | ||
377 | for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub | ||
378 | do | ||
379 | if [ -f "$i" ] | ||
380 | then | ||
381 | if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 | ||
382 | then | ||
383 | csih_warning "Couldn't change owner of $i!" | ||
384 | let ++ret | ||
385 | fi | ||
386 | fi | ||
387 | done | ||
388 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 | ||
389 | then | ||
390 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" | ||
391 | let ++ret | ||
392 | fi | ||
393 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 | ||
394 | then | ||
395 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" | ||
396 | let ++ret | ||
397 | fi | ||
398 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
399 | then | ||
400 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 | ||
401 | then | ||
402 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" | ||
403 | let ++ret | ||
404 | fi | ||
405 | fi | ||
406 | if [ $ret -ne 0 ] | ||
407 | then | ||
408 | csih_warning "Couldn't change owner of important files to ${run_service_as}!" | ||
409 | csih_warning "This may cause the sshd service to fail! Please make sure that" | ||
410 | csih_warning "you have suufficient permissions to change the ownership of files" | ||
411 | csih_warning "and try to run the ssh-host-config script again." | ||
412 | fi | ||
413 | return $ret | ||
414 | } # --- End of check_service_files_ownership --- # | ||
415 | |||
416 | # ====================================================================== | ||
277 | # Routine: install_service | 417 | # Routine: install_service |
278 | # Install sshd as a service | 418 | # Install sshd as a service |
279 | # ====================================================================== | 419 | # ====================================================================== |
280 | install_service() { | 420 | install_service() { |
281 | local run_service_as | 421 | local run_service_as |
282 | local password | 422 | local password |
423 | local ret=0 | ||
283 | 424 | ||
284 | if csih_is_nt | 425 | echo |
426 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 | ||
285 | then | 427 | then |
286 | if ! cygrunsrv -Q sshd >/dev/null 2>&1 | 428 | csih_inform "Sshd service is already installed." |
429 | check_service_files_ownership "" || let ret+=$? | ||
430 | else | ||
431 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
432 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
287 | then | 433 | then |
288 | echo | 434 | csih_get_cygenv "${cygwin_value}" |
289 | echo | ||
290 | csih_warning "The following functions require administrator privileges!" | ||
291 | echo | ||
292 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
293 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
294 | then | ||
295 | csih_get_cygenv "${cygwin_value}" | ||
296 | 435 | ||
297 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | 436 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) |
298 | then | 437 | then |
299 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" | 438 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" |
300 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" | 439 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" |
301 | csih_inform "sshd requires. You need to have or to create a privileged" | 440 | csih_inform "sshd requires. You need to have or to create a privileged" |
302 | csih_inform "account. This script will help you do so." | 441 | csih_inform "account. This script will help you do so." |
303 | echo | 442 | echo |
304 | 443 | ||
305 | [ "${opt_force}" = "yes" ] && opt_f=-f | 444 | [ "${opt_force}" = "yes" ] && opt_f=-f |
306 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" | 445 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" |
307 | csih_select_privileged_username ${opt_f} ${opt_u} sshd | 446 | csih_select_privileged_username ${opt_f} ${opt_u} sshd |
308 | 447 | ||
309 | if ! csih_create_privileged_user "${password_value}" | 448 | if ! csih_create_privileged_user "${password_value}" |
310 | then | 449 | then |
311 | csih_error_recoverable "There was a serious problem creating a privileged user." | 450 | csih_error_recoverable "There was a serious problem creating a privileged user." |
312 | csih_request "Do you want to proceed anyway?" || exit 1 | 451 | csih_request "Do you want to proceed anyway?" || exit 1 |
313 | fi | 452 | let ++ret |
314 | fi | 453 | fi |
454 | fi | ||
315 | 455 | ||
316 | # never returns empty if NT or above | 456 | # Never returns empty if NT or above |
317 | run_service_as=$(csih_service_should_run_as) | 457 | run_service_as=$(csih_service_should_run_as) |
318 | 458 | ||
319 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] | 459 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] |
460 | then | ||
461 | password="${csih_PRIVILEGED_PASSWORD}" | ||
462 | if [ -z "${password}" ] | ||
320 | then | 463 | then |
321 | password="${csih_PRIVILEGED_PASSWORD}" | 464 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" |
322 | if [ -z "${password}" ] | 465 | password="${csih_value}" |
323 | then | ||
324 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" | ||
325 | password="${csih_value}" | ||
326 | fi | ||
327 | fi | 466 | fi |
467 | fi | ||
328 | 468 | ||
329 | # at this point, we either have $run_service_as = "system" and $password is empty, | 469 | # At this point, we either have $run_service_as = "system" and |
330 | # or $run_service_as is some privileged user and (hopefully) $password contains | 470 | # $password is empty, or $run_service_as is some privileged user and |
331 | # the correct password. So, from here out, we use '-z "${password}"' to discriminate | 471 | # (hopefully) $password contains the correct password. So, from here |
332 | # the two cases. | 472 | # out, we use '-z "${password}"' to discriminate the two cases. |
333 | 473 | ||
334 | csih_check_user "${run_service_as}" | 474 | csih_check_user "${run_service_as}" |
335 | 475 | ||
336 | if [ -n "${csih_cygenv}" ] | 476 | if [ -n "${csih_cygenv}" ] |
477 | then | ||
478 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) | ||
479 | fi | ||
480 | if [ -z "${password}" ] | ||
481 | then | ||
482 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
483 | -a "-D" -y tcpip "${cygwin_env[@]}" | ||
337 | then | 484 | then |
338 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) | 485 | echo |
486 | csih_inform "The sshd service has been installed under the LocalSystem" | ||
487 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
488 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
489 | csih_inform "will start automatically after the next reboot." | ||
339 | fi | 490 | fi |
340 | if [ -z "${password}" ] | 491 | else |
492 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
493 | -a "-D" -y tcpip "${cygwin_env[@]}" \ | ||
494 | -u "${run_service_as}" -w "${password}" | ||
341 | then | 495 | then |
342 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | 496 | echo |
343 | -a "-D" -y tcpip "${cygwin_env[@]}" | 497 | csih_inform "The sshd service has been installed under the '${run_service_as}'" |
344 | then | 498 | csih_inform "account. To start the service now, call \`net start sshd' or" |
345 | echo | 499 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" |
346 | csih_inform "The sshd service has been installed under the LocalSystem" | 500 | csih_inform "after the next reboot." |
347 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
348 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
349 | csih_inform "will start automatically after the next reboot." | ||
350 | fi | ||
351 | else | ||
352 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
353 | -a "-D" -y tcpip "${cygwin_env[@]}" \ | ||
354 | -u "${run_service_as}" -w "${password}" | ||
355 | then | ||
356 | echo | ||
357 | csih_inform "The sshd service has been installed under the '${run_service_as}'" | ||
358 | csih_inform "account. To start the service now, call \`net start sshd' or" | ||
359 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" | ||
360 | csih_inform "after the next reboot." | ||
361 | fi | ||
362 | fi | 501 | fi |
502 | fi | ||
363 | 503 | ||
364 | # now, if successfully installed, set ownership of the affected files | 504 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 |
365 | if cygrunsrv -Q sshd >/dev/null 2>&1 | 505 | then |
366 | then | 506 | check_service_files_ownership "${run_service_as}" || let ret+=$? |
367 | chown "${run_service_as}" ${SYSCONFDIR}/ssh* | 507 | else |
368 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty | 508 | csih_error_recoverable "Installing sshd as a service failed!" |
369 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog | 509 | let ++ret |
370 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | 510 | fi |
371 | then | 511 | fi # user allowed us to install as service |
372 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log | 512 | fi # service not yet installed |
373 | fi | 513 | return $ret |
374 | else | ||
375 | csih_warning "Something went wrong installing the sshd service." | ||
376 | fi | ||
377 | fi # user allowed us to install as service | ||
378 | fi # service not yet installed | ||
379 | fi # csih_is_nt | ||
380 | } # --- End of install_service --- # | 514 | } # --- End of install_service --- # |
381 | 515 | ||
382 | # ====================================================================== | 516 | # ====================================================================== |
@@ -488,21 +622,71 @@ done | |||
488 | 622 | ||
489 | # Check for running ssh/sshd processes first. Refuse to do anything while | 623 | # Check for running ssh/sshd processes first. Refuse to do anything while |
490 | # some ssh processes are still running | 624 | # some ssh processes are still running |
491 | if ps -ef | grep -q '/sshd\?$' | 625 | if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' |
492 | then | 626 | then |
493 | echo | 627 | echo |
494 | csih_error "There are still ssh processes running. Please shut them down first." | 628 | csih_error "There are still ssh processes running. Please shut them down first." |
495 | fi | 629 | fi |
496 | 630 | ||
631 | # Make sure the user is running in an administrative context | ||
632 | admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) | ||
633 | if [ "${admin}" != "yes" ] | ||
634 | then | ||
635 | echo | ||
636 | csih_warning "Running this script typically requires administrator privileges!" | ||
637 | csih_warning "However, it seems your account does not have these privileges." | ||
638 | csih_warning "Here's the list of groups in your user token:" | ||
639 | echo | ||
640 | for i in $(/usr/bin/id -G) | ||
641 | do | ||
642 | /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group | ||
643 | done | ||
644 | echo | ||
645 | csih_warning "This usually means you're running this script from a non-admin" | ||
646 | csih_warning "desktop session, or in a non-elevated shell under UAC control." | ||
647 | echo | ||
648 | csih_warning "Make sure you have the appropriate privileges right now," | ||
649 | csih_warning "otherwise parts of this script will probably fail!" | ||
650 | echo | ||
651 | echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" | ||
652 | if ! csih_request "you have the required privileges)" | ||
653 | then | ||
654 | echo | ||
655 | csih_inform "Ok. Exiting. Make sure to switch to an administrative account" | ||
656 | csih_inform "or to start this script from an elevated shell." | ||
657 | exit 1 | ||
658 | fi | ||
659 | fi | ||
660 | |||
661 | echo | ||
662 | |||
663 | warning_cnt=0 | ||
664 | |||
497 | # Check for ${SYSCONFDIR} directory | 665 | # Check for ${SYSCONFDIR} directory |
498 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." | 666 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." |
499 | chmod 775 "${SYSCONFDIR}" | 667 | if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 |
500 | setfacl -m u:system:rwx "${SYSCONFDIR}" | 668 | then |
669 | csih_warning "Can't set permissions on ${SYSCONFDIR}!" | ||
670 | let ++warning_cnt | ||
671 | fi | ||
672 | if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 | ||
673 | then | ||
674 | csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" | ||
675 | let ++warning_cnt | ||
676 | fi | ||
501 | 677 | ||
502 | # Check for /var/log directory | 678 | # Check for /var/log directory |
503 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." | 679 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." |
504 | chmod 775 "${LOCALSTATEDIR}/log" | 680 | if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 |
505 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" | 681 | then |
682 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" | ||
683 | let ++warning_cnt | ||
684 | fi | ||
685 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 | ||
686 | then | ||
687 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" | ||
688 | let ++warning_cnt | ||
689 | fi | ||
506 | 690 | ||
507 | # Create /var/log/lastlog if not already exists | 691 | # Create /var/log/lastlog if not already exists |
508 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] | 692 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
@@ -513,26 +697,33 @@ then | |||
513 | fi | 697 | fi |
514 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] | 698 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] |
515 | then | 699 | then |
516 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog | 700 | /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog |
517 | chmod 644 ${LOCALSTATEDIR}/log/lastlog | 701 | if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 |
702 | then | ||
703 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" | ||
704 | let ++warning_cnt | ||
705 | fi | ||
518 | fi | 706 | fi |
519 | 707 | ||
520 | # Create /var/empty file used as chroot jail for privilege separation | 708 | # Create /var/empty file used as chroot jail for privilege separation |
521 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." | 709 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." |
522 | chmod 755 "${LOCALSTATEDIR}/empty" | 710 | if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 |
523 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" | 711 | then |
712 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" | ||
713 | let ++warning_cnt | ||
714 | fi | ||
715 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 | ||
716 | then | ||
717 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" | ||
718 | let ++warning_cnt | ||
719 | fi | ||
524 | 720 | ||
525 | # host keys | 721 | # host keys |
526 | create_host_keys | 722 | create_host_keys || let warning_cnt+=$? |
527 | |||
528 | # use 'cmp' program to determine if a config file is identical | ||
529 | # to the default version of that config file | ||
530 | csih_check_program_or_error cmp diffutils | ||
531 | |||
532 | 723 | ||
533 | # handle ssh_config | 724 | # handle ssh_config |
534 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" | 725 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
535 | if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 | 726 | if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 |
536 | then | 727 | then |
537 | if [ "${port_number}" != "22" ] | 728 | if [ "${port_number}" != "22" ] |
538 | then | 729 | then |
@@ -543,19 +734,24 @@ then | |||
543 | fi | 734 | fi |
544 | 735 | ||
545 | # handle sshd_config (and privsep) | 736 | # handle sshd_config (and privsep) |
546 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" | 737 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
547 | if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 738 | if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
548 | then | 739 | then |
549 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes | 740 | /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
550 | fi | 741 | fi |
551 | sshd_privsep | 742 | sshd_privsep || let warning_cnt+=$? |
552 | |||
553 | 743 | ||
554 | 744 | update_services_file || let warning_cnt+=$? | |
555 | update_services_file | 745 | update_inetd_conf || let warning_cnt+=$? |
556 | update_inetd_conf | 746 | install_service || let warning_cnt+=$? |
557 | install_service | ||
558 | 747 | ||
559 | echo | 748 | echo |
560 | csih_inform "Host configuration finished. Have fun!" | 749 | if [ $warning_cnt -eq 0 ] |
561 | 750 | then | |
751 | csih_inform "Host configuration finished. Have fun!" | ||
752 | else | ||
753 | csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" | ||
754 | csih_warning "Make sure that all problems reported are fixed," | ||
755 | csih_warning "then re-run ssh-host-config." | ||
756 | fi | ||
757 | exit $warning_cnt | ||
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index f1a001a93..027ae6032 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config | |||
@@ -39,85 +39,34 @@ pwdhome= | |||
39 | with_passphrase= | 39 | with_passphrase= |
40 | 40 | ||
41 | # ====================================================================== | 41 | # ====================================================================== |
42 | # Routine: create_ssh1_identity | 42 | # Routine: create_identity |
43 | # optionally create ~/.ssh/identity[.pub] | 43 | # optionally create identity of type argument in ~/.ssh |
44 | # optionally add result to ~/.ssh/authorized_keys | 44 | # optionally add result to ~/.ssh/authorized_keys |
45 | # ====================================================================== | 45 | # ====================================================================== |
46 | create_ssh1_identity() { | 46 | create_identity() { |
47 | if [ ! -f "${pwdhome}/.ssh/identity" ] | 47 | local file="$1" |
48 | local type="$2" | ||
49 | local name="$3" | ||
50 | if [ ! -f "${pwdhome}/.ssh/${file}" ] | ||
48 | then | 51 | then |
49 | if csih_request "Shall I create an SSH1 RSA identity file for you?" | 52 | if csih_request "Shall I create a ${name} identity file for you?" |
50 | then | 53 | then |
51 | csih_inform "Generating ${pwdhome}/.ssh/identity" | 54 | csih_inform "Generating ${pwdhome}/.ssh/${file}" |
52 | if [ "${with_passphrase}" = "yes" ] | 55 | if [ "${with_passphrase}" = "yes" ] |
53 | then | 56 | then |
54 | ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null | 57 | ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null |
55 | else | 58 | else |
56 | ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null | 59 | ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null |
57 | fi | 60 | fi |
58 | if csih_request "Do you want to use this identity to login to this machine?" | 61 | if csih_request "Do you want to use this identity to login to this machine?" |
59 | then | 62 | then |
60 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" | 63 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" |
61 | cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" | 64 | cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys" |
62 | fi | 65 | fi |
63 | fi | 66 | fi |
64 | fi | 67 | fi |
65 | } # === End of create_ssh1_identity() === # | 68 | } # === End of create_ssh1_identity() === # |
66 | readonly -f create_ssh1_identity | 69 | readonly -f create_identity |
67 | |||
68 | # ====================================================================== | ||
69 | # Routine: create_ssh2_rsa_identity | ||
70 | # optionally create ~/.ssh/id_rsa[.pub] | ||
71 | # optionally add result to ~/.ssh/authorized_keys | ||
72 | # ====================================================================== | ||
73 | create_ssh2_rsa_identity() { | ||
74 | if [ ! -f "${pwdhome}/.ssh/id_rsa" ] | ||
75 | then | ||
76 | if csih_request "Shall I create an SSH2 RSA identity file for you?" | ||
77 | then | ||
78 | csih_inform "Generating ${pwdhome}/.ssh/id_rsa" | ||
79 | if [ "${with_passphrase}" = "yes" ] | ||
80 | then | ||
81 | ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null | ||
82 | else | ||
83 | ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null | ||
84 | fi | ||
85 | if csih_request "Do you want to use this identity to login to this machine?" | ||
86 | then | ||
87 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
88 | cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
89 | fi | ||
90 | fi | ||
91 | fi | ||
92 | } # === End of create_ssh2_rsa_identity() === # | ||
93 | readonly -f create_ssh2_rsa_identity | ||
94 | |||
95 | # ====================================================================== | ||
96 | # Routine: create_ssh2_dsa_identity | ||
97 | # optionally create ~/.ssh/id_dsa[.pub] | ||
98 | # optionally add result to ~/.ssh/authorized_keys | ||
99 | # ====================================================================== | ||
100 | create_ssh2_dsa_identity() { | ||
101 | if [ ! -f "${pwdhome}/.ssh/id_dsa" ] | ||
102 | then | ||
103 | if csih_request "Shall I create an SSH2 DSA identity file for you?" | ||
104 | then | ||
105 | csih_inform "Generating ${pwdhome}/.ssh/id_dsa" | ||
106 | if [ "${with_passphrase}" = "yes" ] | ||
107 | then | ||
108 | ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null | ||
109 | else | ||
110 | ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null | ||
111 | fi | ||
112 | if csih_request "Do you want to use this identity to login to this machine?" | ||
113 | then | ||
114 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
115 | cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
116 | fi | ||
117 | fi | ||
118 | fi | ||
119 | } # === End of create_ssh2_dsa_identity() === # | ||
120 | readonly -f create_ssh2_dsa_identity | ||
121 | 70 | ||
122 | # ====================================================================== | 71 | # ====================================================================== |
123 | # Routine: check_user_homedir | 72 | # Routine: check_user_homedir |
@@ -311,9 +260,10 @@ fi | |||
311 | 260 | ||
312 | check_user_homedir | 261 | check_user_homedir |
313 | check_user_dot_ssh_dir | 262 | check_user_dot_ssh_dir |
314 | create_ssh1_identity | 263 | create_identity id_rsa rsa "SSH2 RSA" |
315 | create_ssh2_rsa_identity | 264 | create_identity id_dsa dsa "SSH2 DSA" |
316 | create_ssh2_dsa_identity | 265 | create_identity id_ecdsa ecdsa "SSH2 ECDSA" |
266 | create_identity identity rsa1 "(deprecated) SSH1 RSA" | ||
317 | fix_authorized_keys_perms | 267 | fix_authorized_keys_perms |
318 | 268 | ||
319 | echo | 269 | echo |
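Review bot: In `create_identity` the result of `ssh-keygen` is never checked, so when generation fails or is aborted the function still offers to add `${pwdhome}/.ssh/${file}.pub` to `authorized_keys` and prints "Adding to ..." for a key that was not created. This predates the refactor but now covers all four key types; a guard such as `[ -f "${pwdhome}/.ssh/${file}.pub" ] || return 1` after the `ssh-keygen` branch would stop it. The closing comment was missed in the rename and should read `# === End of create_identity() === #`. The passphrase is also passed as `-N "${passphrase}"` on the command line, where it is presumably visible in the process list while `ssh-keygen` runs, which deserves at least a comment.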
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index e99e33d0f..be6de088c 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
@@ -1,4 +1,4 @@ | |||
1 | %define ver 5.8p1 | 1 | %define ver 5.9p1 |
2 | %define rel 1 | 2 | %define rel 1 |
3 | 3 | ||
4 | # OpenSSH privilege separation requires a user & group ID | 4 | # OpenSSH privilege separation requires a user & group ID |
@@ -84,24 +84,24 @@ Obsoletes: ssh | |||
84 | %if %{build6x} | 84 | %if %{build6x} |
85 | PreReq: initscripts >= 5.00 | 85 | PreReq: initscripts >= 5.00 |
86 | %else | 86 | %else |
87 | PreReq: initscripts >= 5.20 | 87 | Requires: initscripts >= 5.20 |
88 | %endif | 88 | %endif |
89 | BuildPreReq: perl, openssl-devel, tcp_wrappers | 89 | BuildRequires: perl, openssl-devel, tcp_wrappers |
90 | BuildPreReq: /bin/login | 90 | BuildRequires: /bin/login |
91 | %if ! %{build6x} | 91 | %if ! %{build6x} |
92 | BuildPreReq: glibc-devel, pam | 92 | BuildPreReq: glibc-devel, pam |
93 | %else | 93 | %else |
94 | BuildPreReq: /usr/include/security/pam_appl.h | 94 | BuildRequires: /usr/include/security/pam_appl.h |
95 | %endif | 95 | %endif |
96 | %if ! %{no_x11_askpass} | 96 | %if ! %{no_x11_askpass} |
97 | BuildPreReq: /usr/include/X11/Xlib.h | 97 | BuildRequires: /usr/include/X11/Xlib.h |
98 | %endif | 98 | %endif |
99 | %if ! %{no_gnome_askpass} | 99 | %if ! %{no_gnome_askpass} |
100 | BuildPreReq: pkgconfig | 100 | BuildRequires: pkgconfig |
101 | %endif | 101 | %endif |
102 | %if %{kerberos5} | 102 | %if %{kerberos5} |
103 | BuildPreReq: krb5-devel | 103 | BuildRequires: krb5-devel |
104 | BuildPreReq: krb5-libs | 104 | BuildRequires: krb5-libs |
105 | %endif | 105 | %endif |
106 | 106 | ||
107 | %package clients | 107 | %package clients |
@@ -114,7 +114,7 @@ Obsoletes: ssh-clients | |||
114 | Summary: The OpenSSH server daemon. | 114 | Summary: The OpenSSH server daemon. |
115 | Group: System Environment/Daemons | 115 | Group: System Environment/Daemons |
116 | Obsoletes: ssh-server | 116 | Obsoletes: ssh-server |
117 | PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 | 117 | Requires: openssh = %{version}-%{release}, chkconfig >= 0.9 |
118 | %if ! %{build6x} | 118 | %if ! %{build6x} |
119 | Requires: /etc/pam.d/system-auth | 119 | Requires: /etc/pam.d/system-auth |
120 | %endif | 120 | %endif |
@@ -712,7 +712,7 @@ fi | |||
712 | it generates. | 712 | it generates. |
713 | 713 | ||
714 | * Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com> | 714 | * Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com> |
715 | - Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always | 715 | - Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always |
716 | build PAM authentication in. | 716 | build PAM authentication in. |
717 | - Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. | 717 | - Try setting SSH_ASKPASS if gnome-ssh-askpass is installed. |
718 | - Clean out no-longer-used patches. | 718 | - Clean out no-longer-used patches. |
@@ -721,7 +721,7 @@ fi | |||
721 | 721 | ||
722 | * Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com> | 722 | * Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com> |
723 | - Update x11-askpass to 1.0.2. (#17835) | 723 | - Update x11-askpass to 1.0.2. (#17835) |
724 | - Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will | 724 | - Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will |
725 | always find them in the right place. (#17909) | 725 | always find them in the right place. (#17909) |
726 | - Set the default path to be the same as the one supplied by /bin/login, but | 726 | - Set the default path to be the same as the one supplied by /bin/login, but |
727 | add /usr/X11R6/bin. (#17909) | 727 | add /usr/X11R6/bin. (#17909) |
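Review bot: The PreReq-to-Requires substitution was applied unevenly. Line 92 still reads `BuildPreReq: glibc-devel, pam` and line 85 still reads `PreReq: initscripts >= 5.00`, while the same replacement rewrote historical `%changelog` entries and produced `BuildRequiress` at line 724. Line 92 sits in the non-build6x branch, so it looks like an oversight rather than a deliberate exception, and `BuildRequires: glibc-devel, pam` would match the rest. The 2000-dated changelog text is better left as originally written, or at least the doubled `s` should be corrected.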
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init index 854aff665..2334d8142 100755 --- a/contrib/redhat/sshd.init +++ b/contrib/redhat/sshd.init | |||
@@ -22,70 +22,9 @@ RETVAL=0 | |||
22 | prog="sshd" | 22 | prog="sshd" |
23 | 23 | ||
24 | # Some functions to make the below more readable | 24 | # Some functions to make the below more readable |
25 | KEYGEN=/usr/bin/ssh-keygen | ||
26 | SSHD=/usr/sbin/sshd | 25 | SSHD=/usr/sbin/sshd |
27 | RSA1_KEY=/etc/ssh/ssh_host_key | ||
28 | RSA_KEY=/etc/ssh/ssh_host_rsa_key | ||
29 | DSA_KEY=/etc/ssh/ssh_host_dsa_key | ||
30 | PID_FILE=/var/run/sshd.pid | 26 | PID_FILE=/var/run/sshd.pid |
31 | 27 | ||
32 | do_rsa1_keygen() { | ||
33 | if [ ! -s $RSA1_KEY ]; then | ||
34 | echo -n $"Generating SSH1 RSA host key: " | ||
35 | if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then | ||
36 | chmod 600 $RSA1_KEY | ||
37 | chmod 644 $RSA1_KEY.pub | ||
38 | if [ -x /sbin/restorecon ]; then | ||
39 | /sbin/restorecon $RSA1_KEY.pub | ||
40 | fi | ||
41 | success $"RSA1 key generation" | ||
42 | echo | ||
43 | else | ||
44 | failure $"RSA1 key generation" | ||
45 | echo | ||
46 | exit 1 | ||
47 | fi | ||
48 | fi | ||
49 | } | ||
50 | |||
51 | do_rsa_keygen() { | ||
52 | if [ ! -s $RSA_KEY ]; then | ||
53 | echo -n $"Generating SSH2 RSA host key: " | ||
54 | if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then | ||
55 | chmod 600 $RSA_KEY | ||
56 | chmod 644 $RSA_KEY.pub | ||
57 | if [ -x /sbin/restorecon ]; then | ||
58 | /sbin/restorecon $RSA_KEY.pub | ||
59 | fi | ||
60 | success $"RSA key generation" | ||
61 | echo | ||
62 | else | ||
63 | failure $"RSA key generation" | ||
64 | echo | ||
65 | exit 1 | ||
66 | fi | ||
67 | fi | ||
68 | } | ||
69 | |||
70 | do_dsa_keygen() { | ||
71 | if [ ! -s $DSA_KEY ]; then | ||
72 | echo -n $"Generating SSH2 DSA host key: " | ||
73 | if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then | ||
74 | chmod 600 $DSA_KEY | ||
75 | chmod 644 $DSA_KEY.pub | ||
76 | if [ -x /sbin/restorecon ]; then | ||
77 | /sbin/restorecon $DSA_KEY.pub | ||
78 | fi | ||
79 | success $"DSA key generation" | ||
80 | echo | ||
81 | else | ||
82 | failure $"DSA key generation" | ||
83 | echo | ||
84 | exit 1 | ||
85 | fi | ||
86 | fi | ||
87 | } | ||
88 | |||
89 | do_restart_sanity_check() | 28 | do_restart_sanity_check() |
90 | { | 29 | { |
91 | $SSHD -t | 30 | $SSHD -t |
@@ -99,9 +38,13 @@ do_restart_sanity_check() | |||
99 | start() | 38 | start() |
100 | { | 39 | { |
101 | # Create keys if necessary | 40 | # Create keys if necessary |
102 | do_rsa1_keygen | 41 | /usr/bin/ssh-keygen -A |
103 | do_rsa_keygen | 42 | if [ -x /sbin/restorecon ]; then |
104 | do_dsa_keygen | 43 | /sbin/restorcon /etc/ssh/ssh_host_key.pub |
44 | /sbin/restorcon /etc/ssh/ssh_host_rsa_key.pub | ||
45 | /sbin/restorcon /etc/ssh/ssh_host_dsa_key.pub | ||
46 | /sbin/restorcon /etc/ssh/ssh_host_ecdsa_key.pub | ||
47 | fi | ||
105 | 48 | ||
106 | echo -n $"Starting $prog:" | 49 | echo -n $"Starting $prog:" |
107 | $SSHD $OPTIONS && success || failure | 50 | $SSHD $OPTIONS && success || failure |
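Review bot: The four added lines in `start()` call `/sbin/restorcon`, but the guard above them tests `-x /sbin/restorecon`, so on a system where the guard passes every call fails with command-not-found and the host public keys keep whatever SELinux label they were created with. Each line needs the name corrected, e.g. `/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub`, and likewise for the other three files. Separately, the removed helpers did `exit 1` when key generation failed, whereas the exit status of `/usr/bin/ssh-keygen -A` is ignored and sshd is started regardless; `/usr/bin/ssh-keygen -A || exit 1` would keep the old behaviour. `start()` continues past the end of the hunk.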
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 368645cb4..9451aceec 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id | |||
@@ -25,7 +25,7 @@ else | |||
25 | fi | 25 | fi |
26 | 26 | ||
27 | if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then | 27 | if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then |
28 | GET_ID="cat ${ID_FILE}" | 28 | GET_ID="cat \"${ID_FILE}\"" |
29 | fi | 29 | fi |
30 | 30 | ||
31 | if [ -z "`eval $GET_ID`" ]; then | 31 | if [ -z "`eval $GET_ID`" ]; then |
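Review bot: The quotes added on line 28 make a path with spaces work, but `${ID_FILE}` is still expanded when `GET_ID` is assigned and the resulting string is parsed a second time by `eval $GET_ID`. A file name containing `"`, `$` or a backquote is therefore still interpreted as shell syntax rather than as a name. Deferring the expansion to eval time removes the second parse of the value: `GET_ID='cat "${ID_FILE}"'`. This assumes `ID_FILE` is unchanged at the points where `GET_ID` is evaluated, which the hunk does not show; the `if` on line 31 continues outside it.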
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 6afdcc4b4..3a4dfea37 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec | |||
@@ -13,7 +13,7 @@ | |||
13 | 13 | ||
14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation | 14 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation |
15 | Name: openssh | 15 | Name: openssh |
16 | Version: 5.8p1 | 16 | Version: 5.9p1 |
17 | URL: http://www.openssh.com/ | 17 | URL: http://www.openssh.com/ |
18 | Release: 1 | 18 | Release: 1 |
19 | Source0: openssh-%{version}.tar.gz | 19 | Source0: openssh-%{version}.tar.gz |
@@ -28,11 +28,12 @@ Provides: ssh | |||
28 | # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) | 28 | # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.) |
29 | # building prerequisites -- stuff for | 29 | # building prerequisites -- stuff for |
30 | # OpenSSL (openssl-devel), | 30 | # OpenSSL (openssl-devel), |
31 | # TCP Wrappers (nkitb), | 31 | # TCP Wrappers (tcpd-devel), |
32 | # and Gnome (glibdev, gtkdev, and gnlibsd) | 32 | # and Gnome (glibdev, gtkdev, and gnlibsd) |
33 | # | 33 | # |
34 | BuildPrereq: openssl | 34 | BuildPrereq: openssl |
35 | BuildPrereq: nkitb | 35 | BuildPrereq: tcpd-devel |
36 | BuildPrereq: zlib-devel | ||
36 | #BuildPrereq: glibdev | 37 | #BuildPrereq: glibdev |
37 | #BuildPrereq: gtkdev | 38 | #BuildPrereq: gtkdev |
38 | #BuildPrereq: gnlibsd | 39 | #BuildPrereq: gnlibsd |
@@ -177,15 +178,8 @@ rm -rf $RPM_BUILD_ROOT | |||
177 | /usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || : | 178 | /usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || : |
178 | 179 | ||
179 | %post | 180 | %post |
180 | if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then | 181 | /usr/bin/ssh-keygen -A |
181 | echo "Generating SSH RSA host key..." | 182 | %{fillup_and_insserv -n -y ssh sshd} |
182 | /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2 | ||
183 | fi | ||
184 | if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then | ||
185 | echo "Generating SSH DSA host key..." | ||
186 | /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2 | ||
187 | fi | ||
188 | %{fillup_and_insserv -n -s -y ssh sshd START_SSHD} | ||
189 | %run_permissions | 183 | %run_permissions |
190 | 184 | ||
191 | %verifyscript | 185 | %verifyscript |
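Review bot: In `%post`, `/usr/bin/ssh-keygen -A` runs with its exit status ignored and no message, so an install where host-key generation fails continues to `%{fillup_and_insserv -n -y ssh sshd}` without telling the administrator. A minimal guard would be `/usr/bin/ssh-keygen -A || echo "ssh-keygen -A: host key generation failed" >&2`. `-A` also creates every default key type that is missing, including the protocol 1 `/etc/ssh/ssh_host_key` that the old scriptlet tested for but never generated, so a comment such as `# generates all missing default host key types` would make that visible. The same line drops `-s` and `START_SSHD` from `fillup_and_insserv`, which the commit message does not explain; a short comment on the reason would help.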
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd index 4d4880d7e..4a3bc41db 100644 --- a/contrib/suse/rc.sshd +++ b/contrib/suse/rc.sshd | |||
@@ -43,20 +43,8 @@ rc_reset | |||
43 | 43 | ||
44 | case "$1" in | 44 | case "$1" in |
45 | start) | 45 | start) |
46 | if ! test -f /etc/ssh/ssh_host_key ; then | 46 | # Generate any missing host keys |
47 | echo Generating /etc/ssh/ssh_host_key. | 47 | ssh-keygen -A |
48 | ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N '' | ||
49 | fi | ||
50 | if ! test -f /etc/ssh/ssh_host_dsa_key ; then | ||
51 | echo Generating /etc/ssh/ssh_host_dsa_key. | ||
52 | |||
53 | ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' | ||
54 | fi | ||
55 | if ! test -f /etc/ssh/ssh_host_rsa_key ; then | ||
56 | echo Generating /etc/ssh/ssh_host_rsa_key. | ||
57 | |||
58 | ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' | ||
59 | fi | ||
60 | echo -n "Starting SSH daemon" | 48 | echo -n "Starting SSH daemon" |
61 | ## Start daemon with startproc(8). If this fails | 49 | ## Start daemon with startproc(8). If this fails |
62 | ## the echo return value is set appropriate. | 50 | ## the echo return value is set appropriate. |