authorColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
committerColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
commit978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree89400a44e42d84937deba7864e4964d6c7734da5 /contrib
parent87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
Diffstat (limited to 'contrib')
-rwxr-xr-xcontrib/aix/buildbff.sh11
-rw-r--r--contrib/caldera/openssh.spec4
-rw-r--r--contrib/cygwin/ssh-host-config544
-rw-r--r--contrib/cygwin/ssh-user-config84
-rw-r--r--contrib/redhat/openssh.spec24
-rwxr-xr-xcontrib/redhat/sshd.init71
-rw-r--r--contrib/ssh-copy-id2
-rw-r--r--contrib/suse/openssh.spec18
-rw-r--r--contrib/suse/rc.sshd16
9 files changed, 419 insertions, 355 deletions
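--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
-# $Id: buildbff.sh,v 1.12 2010/04/18 03:35:00 dtucker Exp $
+# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
@@ -156,13 +156,6 @@ do
  mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
 done
 
-# AIX 5.3 and newer have /dev/random and don't create ssh_prng_cmds
-if [ -f $FAKE_ROOT/$sysconfdir/ssh_prng_cmds ]
-then
- mv $FAKE_ROOT/$sysconfdir/ssh_prng_cmds \
- $FAKE_ROOT/$sysconfdir/ssh_prng_cmds.default
-fi
-
 #
 # Generate lpp control files.
 # working dir is $FAKE_ROOT but files are generated in dir above
@@ -197,7 +190,7 @@ cat <<EOF >>../openssh.post_i
 #!/bin/sh
 
 echo Creating configs from defaults if necessary.
-for cfgfile in ssh_config sshd_config ssh_prng_cmds
+for cfgfile in ssh_config sshd_config
 do
  if [ ! -f $sysconfdir/\$cfgfile ]
  then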
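Review bot: Removing the ssh_prng_cmds block in the second hunk leaves no code path that deals with an ssh_prng_cmds or ssh_prng_cmds.default already sitting in $sysconfdir on a host upgraded from an earlier package, so a stale file survives the upgrade silently; the post-install loop in the third hunk is consistent with the removal but also no longer touches it. The diff does not say why the file is dropped (presumably the build no longer produces it), so a one-line comment at the removal point would stop a later maintainer from re-adding the handling: `# ssh_prng_cmds is no longer packaged; copies left behind by older installs are not cleaned up here`. If leftover copies are meant to be removed, that is a separate post-install step rather than something this hunk should silently imply.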
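--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
-%define version 5.8p1
+%define version 5.9p1
 %if %{use_stable}
  %define cvs %{nil}
  %define release 1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.73.4.1 2011/02/04 00:57:54 djm Exp $
+$Id: openssh.spec,v 1.75.2.1 2011/09/05 00:28:11 djm Exp $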
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index d968d4619..3ac39a621 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
1#!/bin/bash 1#!/bin/bash
2# 2#
3# ssh-host-config, Copyright 2000-2009 Red Hat Inc. 3# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6# 6#
@@ -19,12 +19,39 @@
19# ====================================================================== 19# ======================================================================
20# Initialization 20# Initialization
21# ====================================================================== 21# ======================================================================
22PROGNAME=$(basename $0)
23_tdir=$(dirname $0)
24PROGDIR=$(cd $_tdir && pwd)
25 22
26CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
27 24
25# List of apps used. This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29 /usr/bin/basename coreutils
30 /usr/bin/cat coreutils
31 /usr/bin/chmod coreutils
32 /usr/bin/dirname coreutils
33 /usr/bin/id coreutils
34 /usr/bin/mv coreutils
35 /usr/bin/rm coreutils
36 /usr/bin/cygpath cygwin
37 /usr/bin/mount cygwin
38 /usr/bin/ps cygwin
39 /usr/bin/setfacl cygwin
40 /usr/bin/umount cygwin
41 /usr/bin/cmp diffutils
42 /usr/bin/grep grep
43 /usr/bin/awk gawk
44 /usr/bin/ssh-keygen openssh
45 /usr/sbin/sshd openssh
46 /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
28# Subdirectory where the new package is being installed 55# Subdirectory where the new package is being installed
29PREFIX=/usr 56PREFIX=/usr
30 57
@@ -32,8 +59,6 @@ PREFIX=/usr
32SYSCONFDIR=/etc 59SYSCONFDIR=/etc
33LOCALSTATEDIR=/var 60LOCALSTATEDIR=/var
34 61
35source ${CSIH_SCRIPT}
36
37port_number=22 62port_number=22
38privsep_configured=no 63privsep_configured=no
39privsep_used=yes 64privsep_used=yes
@@ -46,23 +71,48 @@ opt_force=no
46# Routine: create_host_keys 71# Routine: create_host_keys
47# ====================================================================== 72# ======================================================================
48create_host_keys() { 73create_host_keys() {
74 local ret=0
75
49 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 76 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
50 then 77 then
51 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 78 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
52 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 79 if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
80 then
81 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
82 let ++ret
83 fi
53 fi 84 fi
54 85
55 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 86 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
56 then 87 then
57 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 88 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
58 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 89 if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
90 then
91 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
92 let ++ret
93 fi
59 fi 94 fi
60 95
61 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 96 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
62 then 97 then
63 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 98 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
64 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null 99 if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
100 then
101 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
102 let ++ret
103 fi
65 fi 104 fi
105
106 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
107 then
108 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
109 if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
110 then
111 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
112 let ++ret
113 fi
114 fi
115 return $ret
66} # --- End of create_host_keys --- # 116} # --- End of create_host_keys --- #
67 117
68# ====================================================================== 118# ======================================================================
@@ -75,61 +125,58 @@ update_services_file() {
75 local _spaces 125 local _spaces
76 local _serv_tmp 126 local _serv_tmp
77 local _wservices 127 local _wservices
128 local ret=0
78 129
79 if csih_is_nt 130 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
80 then 131 _services="${_my_etcdir}/services"
81 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 132 _spaces=" #"
82 _services="${_my_etcdir}/services"
83 # On NT, 27 spaces, no space after the hash
84 _spaces=" #"
85 else
86 _win_etcdir="${WINDIR}"
87 _services="${_my_etcdir}/SERVICES"
88 # On 9x, 18 spaces (95 is very touchy), a space after the hash
89 _spaces=" # "
90 fi
91 _serv_tmp="${_my_etcdir}/srv.out.$$" 133 _serv_tmp="${_my_etcdir}/srv.out.$$"
92 134
93 mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 135 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
94 136
95 # Depends on the above mount 137 # Depends on the above mount
96 _wservices=`cygpath -w "${_services}"` 138 _wservices=`cygpath -w "${_services}"`
97 139
98 # Remove sshd 22/port from services 140 # Remove sshd 22/port from services
99 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 141 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
100 then 142 then
101 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" 143 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
102 if [ -f "${_serv_tmp}" ] 144 if [ -f "${_serv_tmp}" ]
103 then 145 then
104 if mv "${_serv_tmp}" "${_services}" 146 if /usr/bin/mv "${_serv_tmp}" "${_services}"
105 then 147 then
106 csih_inform "Removing sshd from ${_wservices}" 148 csih_inform "Removing sshd from ${_wservices}"
107 else 149 else
108 csih_warning "Removing sshd from ${_wservices} failed!" 150 csih_warning "Removing sshd from ${_wservices} failed!"
151 let ++ret
109 fi 152 fi
110 rm -f "${_serv_tmp}" 153 /usr/bin/rm -f "${_serv_tmp}"
111 else 154 else
112 csih_warning "Removing sshd from ${_wservices} failed!" 155 csih_warning "Removing sshd from ${_wservices} failed!"
156 let ++ret
113 fi 157 fi
114 fi 158 fi
115 159
116 # Add ssh 22/tcp and ssh 22/udp to services 160 # Add ssh 22/tcp and ssh 22/udp to services
117 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 161 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
118 then 162 then
119 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 163 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
120 then 164 then
121 if mv "${_serv_tmp}" "${_services}" 165 if /usr/bin/mv "${_serv_tmp}" "${_services}"
122 then 166 then
123 csih_inform "Added ssh to ${_wservices}" 167 csih_inform "Added ssh to ${_wservices}"
124 else 168 else
125 csih_warning "Adding ssh to ${_wservices} failed!" 169 csih_warning "Adding ssh to ${_wservices} failed!"
170 let ++ret
126 fi 171 fi
127 rm -f "${_serv_tmp}" 172 /usr/bin/rm -f "${_serv_tmp}"
128 else 173 else
129 csih_warning "Adding ssh to ${_wservices} failed!" 174 csih_warning "Adding ssh to ${_wservices} failed!"
175 let ++ret
130 fi 176 fi
131 fi 177 fi
132 umount "${_my_etcdir}" 178 /usr/bin/umount "${_my_etcdir}"
179 return $ret
133} # --- End of update_services_file --- # 180} # --- End of update_services_file --- #
134 181
135# ====================================================================== 182# ======================================================================
@@ -138,51 +185,57 @@ update_services_file() {
138# ====================================================================== 185# ======================================================================
139sshd_privsep() { 186sshd_privsep() {
140 local sshdconfig_tmp 187 local sshdconfig_tmp
188 local ret=0
141 189
142 if [ "${privsep_configured}" != "yes" ] 190 if [ "${privsep_configured}" != "yes" ]
143 then 191 then
144 if csih_is_nt 192 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
193 csih_inform "However, this requires a non-privileged account called 'sshd'."
194 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
195 if csih_request "Should privilege separation be used?"
145 then 196 then
146 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 197 privsep_used=yes
147 csih_inform "However, this requires a non-privileged account called 'sshd'." 198 if ! csih_create_unprivileged_user sshd
148 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
149 if csih_request "Should privilege separation be used?"
150 then 199 then
151 privsep_used=yes 200 csih_error_recoverable "Couldn't create user 'sshd'!"
152 if ! csih_create_unprivileged_user sshd 201 csih_error_recoverable "Privilege separation set to 'no' again!"
153 then 202 csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
154 csih_warning "Couldn't create user 'sshd'!" 203 let ++ret
155 csih_warning "Privilege separation set to 'no' again!"
156 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
157 privsep_used=no
158 fi
159 else
160 privsep_used=no 204 privsep_used=no
161 fi 205 fi
162 else 206 else
163 # On 9x don't use privilege separation. Since security isn't
164 # available it just adds useless additional processes.
165 privsep_used=no 207 privsep_used=no
166 fi 208 fi
167 fi 209 fi
168 210
169 # Create default sshd_config from skeleton files in /etc/defaults/etc or 211 # Create default sshd_config from skeleton files in /etc/defaults/etc or
170 # modify to add the missing privsep configuration option 212 # modify to add the missing privsep configuration option
171 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 213 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
172 then 214 then
173 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 215 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
174 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 216 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
175 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 217 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
176 s/^#Port 22/Port ${port_number}/ 218 s/^#Port 22/Port ${port_number}/
177 s/^#StrictModes yes/StrictModes no/" \ 219 s/^#StrictModes yes/StrictModes no/" \
178 < ${SYSCONFDIR}/sshd_config \ 220 < ${SYSCONFDIR}/sshd_config \
179 > "${sshdconfig_tmp}" 221 > "${sshdconfig_tmp}"
180 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 222 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
223 then
224 csih_warning "Setting privilege separation to 'yes' failed!"
225 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
226 let ++ret
227 fi
181 elif [ "${privsep_configured}" != "yes" ] 228 elif [ "${privsep_configured}" != "yes" ]
182 then 229 then
183 echo >> ${SYSCONFDIR}/sshd_config 230 echo >> ${SYSCONFDIR}/sshd_config
184 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 231 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
232 then
233 csih_warning "Setting privilege separation to 'yes' failed!"
234 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
235 let ++ret
236 fi
185 fi 237 fi
238 return $ret
186} # --- End of sshd_privsep --- # 239} # --- End of sshd_privsep --- #
187 240
188# ====================================================================== 241# ======================================================================
@@ -195,72 +248,82 @@ update_inetd_conf() {
195 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 248 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
196 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 249 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
197 local _with_comment=1 250 local _with_comment=1
251 local ret=0
198 252
199 if [ -d "${_inetcnf_dir}" ] 253 if [ -d "${_inetcnf_dir}" ]
200 then 254 then
201 # we have inetutils-1.5 inetd.d support 255 # we have inetutils-1.5 inetd.d support
202 if [ -f "${_inetcnf}" ] 256 if [ -f "${_inetcnf}" ]
203 then 257 then
204 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 258 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
205 259
206 # check for sshd OR ssh in top-level inetd.conf file, and remove 260 # check for sshd OR ssh in top-level inetd.conf file, and remove
207 # will be replaced by a file in inetd.d/ 261 # will be replaced by a file in inetd.d/
208 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 262 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
209 then 263 then
210 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 264 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
211 if [ -f "${_inetcnf_tmp}" ] 265 if [ -f "${_inetcnf_tmp}" ]
212 then 266 then
213 if mv "${_inetcnf_tmp}" "${_inetcnf}" 267 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
214 then 268 then
215 csih_inform "Removed ssh[d] from ${_inetcnf}" 269 csih_inform "Removed ssh[d] from ${_inetcnf}"
216 else 270 else
217 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 271 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
272 let ++ret
218 fi 273 fi
219 rm -f "${_inetcnf_tmp}" 274 /usr/bin/rm -f "${_inetcnf_tmp}"
220 else 275 else
221 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 276 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
277 let ++ret
222 fi 278 fi
223 fi 279 fi
224 fi 280 fi
225 281
226 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 282 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
227 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 283 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
228 then 284 then
229 if [ "${_with_comment}" -eq 0 ] 285 if [ "${_with_comment}" -eq 0 ]
230 then 286 then
231 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 287 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
232 else 288 else
233 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 289 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
290 fi
291 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
292 then
293 csih_inform "Updated ${_sshd_inetd_conf}"
294 else
295 csih_warning "Updating ${_sshd_inetd_conf} failed!"
296 let ++ret
234 fi 297 fi
235 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
236 csih_inform "Updated ${_sshd_inetd_conf}"
237 fi 298 fi
238 299
239 elif [ -f "${_inetcnf}" ] 300 elif [ -f "${_inetcnf}" ]
240 then 301 then
241 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 302 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
242 303
243 # check for sshd in top-level inetd.conf file, and remove 304 # check for sshd in top-level inetd.conf file, and remove
244 # will be replaced by a file in inetd.d/ 305 # will be replaced by a file in inetd.d/
245 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 306 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
246 then 307 then
247 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 308 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
248 if [ -f "${_inetcnf_tmp}" ] 309 if [ -f "${_inetcnf_tmp}" ]
249 then 310 then
250 if mv "${_inetcnf_tmp}" "${_inetcnf}" 311 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
251 then 312 then
252 csih_inform "Removed sshd from ${_inetcnf}" 313 csih_inform "Removed sshd from ${_inetcnf}"
253 else 314 else
254 csih_warning "Removing sshd from ${_inetcnf} failed!" 315 csih_warning "Removing sshd from ${_inetcnf} failed!"
316 let ++ret
255 fi 317 fi
256 rm -f "${_inetcnf_tmp}" 318 /usr/bin/rm -f "${_inetcnf_tmp}"
257 else 319 else
258 csih_warning "Removing sshd from ${_inetcnf} failed!" 320 csih_warning "Removing sshd from ${_inetcnf} failed!"
321 let ++ret
259 fi 322 fi
260 fi 323 fi
261 324
262 # Add ssh line to inetd.conf 325 # Add ssh line to inetd.conf
263 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 326 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
264 then 327 then
265 if [ "${_with_comment}" -eq 0 ] 328 if [ "${_with_comment}" -eq 0 ]
266 then 329 then
@@ -268,115 +331,186 @@ update_inetd_conf() {
268 else 331 else
269 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 332 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
270 fi 333 fi
271 csih_inform "Added ssh to ${_inetcnf}" 334 if [ $? -eq 0 ]
335 then
336 csih_inform "Added ssh to ${_inetcnf}"
337 else
338 csih_warning "Adding ssh to ${_inetcnf} failed!"
339 let ++ret
340 fi
272 fi 341 fi
273 fi 342 fi
343 return $ret
274} # --- End of update_inetd_conf --- # 344} # --- End of update_inetd_conf --- #
275 345
276# ====================================================================== 346# ======================================================================
347# Routine: check_service_files_ownership
348# Checks that the files in /etc and /var belong to the right owner
349# ======================================================================
350check_service_files_ownership() {
351 local run_service_as=$1
352 local ret=0
353
354 if [ -z "${run_service_as}" ]
355 then
356 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
357 if [ "${accnt_name}" = "LocalSystem" ]
358 then
359 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
360 accnt_name="SYSTEM:"
361 elif [[ "${accnt_name}" =~ ^\.\\ ]]
362 then
363 # Convert "." domain to local machine name
364 accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
365 fi
366 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
367 if [ -z "${run_service_as}" ]
368 then
369 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
370 csih_warning "As a result, this script cannot make sure that the files used"
371 csih_warning "by the sshd service belong to the user running the service."
372 csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
373 csih_warning "file is in a good shape."
374 return 1
375 fi
376 fi
377 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
378 do
379 if [ -f "$i" ]
380 then
381 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
382 then
383 csih_warning "Couldn't change owner of $i!"
384 let ++ret
385 fi
386 fi
387 done
388 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
389 then
390 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
391 let ++ret
392 fi
393 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
394 then
395 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
396 let ++ret
397 fi
398 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
399 then
400 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
401 then
402 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
403 let ++ret
404 fi
405 fi
406 if [ $ret -ne 0 ]
407 then
408 csih_warning "Couldn't change owner of important files to ${run_service_as}!"
409 csih_warning "This may cause the sshd service to fail! Please make sure that"
410 csih_warning "you have suufficient permissions to change the ownership of files"
411 csih_warning "and try to run the ssh-host-config script again."
412 fi
413 return $ret
414} # --- End of check_service_files_ownership --- #
415
416# ======================================================================
277# Routine: install_service 417# Routine: install_service
278# Install sshd as a service 418# Install sshd as a service
279# ====================================================================== 419# ======================================================================
280install_service() { 420install_service() {
281 local run_service_as 421 local run_service_as
282 local password 422 local password
423 local ret=0
283 424
284 if csih_is_nt 425 echo
426 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
285 then 427 then
286 if ! cygrunsrv -Q sshd >/dev/null 2>&1 428 csih_inform "Sshd service is already installed."
429 check_service_files_ownership "" || let ret+=$?
430 else
431 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
432 if csih_request "(Say \"no\" if it is already installed as a service)"
287 then 433 then
288 echo 434 csih_get_cygenv "${cygwin_value}"
289 echo
290 csih_warning "The following functions require administrator privileges!"
291 echo
292 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
293 if csih_request "(Say \"no\" if it is already installed as a service)"
294 then
295 csih_get_cygenv "${cygwin_value}"
296 435
297 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 436 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
298 then 437 then
299 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 438 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
300 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 439 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
301 csih_inform "sshd requires. You need to have or to create a privileged" 440 csih_inform "sshd requires. You need to have or to create a privileged"
302 csih_inform "account. This script will help you do so." 441 csih_inform "account. This script will help you do so."
303 echo 442 echo
304 443
305 [ "${opt_force}" = "yes" ] && opt_f=-f 444 [ "${opt_force}" = "yes" ] && opt_f=-f
306 [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 445 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
307 csih_select_privileged_username ${opt_f} ${opt_u} sshd 446 csih_select_privileged_username ${opt_f} ${opt_u} sshd
308 447
309 if ! csih_create_privileged_user "${password_value}" 448 if ! csih_create_privileged_user "${password_value}"
310 then 449 then
311 csih_error_recoverable "There was a serious problem creating a privileged user." 450 csih_error_recoverable "There was a serious problem creating a privileged user."
312 csih_request "Do you want to proceed anyway?" || exit 1 451 csih_request "Do you want to proceed anyway?" || exit 1
313 fi 452 let ++ret
314 fi 453 fi
454 fi
315 455
316 # never returns empty if NT or above 456 # Never returns empty if NT or above
317 run_service_as=$(csih_service_should_run_as) 457 run_service_as=$(csih_service_should_run_as)
318 458
319 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 459 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
460 then
461 password="${csih_PRIVILEGED_PASSWORD}"
462 if [ -z "${password}" ]
320 then 463 then
321 password="${csih_PRIVILEGED_PASSWORD}" 464 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
322 if [ -z "${password}" ] 465 password="${csih_value}"
323 then
324 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
325 password="${csih_value}"
326 fi
327 fi 466 fi
467 fi
328 468
329 # at this point, we either have $run_service_as = "system" and $password is empty, 469 # At this point, we either have $run_service_as = "system" and
330 # or $run_service_as is some privileged user and (hopefully) $password contains 470 # $password is empty, or $run_service_as is some privileged user and
331 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 471 # (hopefully) $password contains the correct password. So, from here
332 # the two cases. 472 # out, we use '-z "${password}"' to discriminate the two cases.
333 473
334 csih_check_user "${run_service_as}" 474 csih_check_user "${run_service_as}"
335 475
336 if [ -n "${csih_cygenv}" ] 476 if [ -n "${csih_cygenv}" ]
477 then
478 cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
479 fi
480 if [ -z "${password}" ]
481 then
482 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
483 -a "-D" -y tcpip "${cygwin_env[@]}"
337 then 484 then
338 cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 485 echo
486 csih_inform "The sshd service has been installed under the LocalSystem"
487 csih_inform "account (also known as SYSTEM). To start the service now, call"
488 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
489 csih_inform "will start automatically after the next reboot."
339 fi 490 fi
340 if [ -z "${password}" ] 491 else
492 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
493 -a "-D" -y tcpip "${cygwin_env[@]}" \
494 -u "${run_service_as}" -w "${password}"
341 then 495 then
342 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ 496 echo
343 -a "-D" -y tcpip "${cygwin_env[@]}" 497 csih_inform "The sshd service has been installed under the '${run_service_as}'"
344 then 498 csih_inform "account. To start the service now, call \`net start sshd' or"
345 echo 499 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
346 csih_inform "The sshd service has been installed under the LocalSystem" 500 csih_inform "after the next reboot."
347 csih_inform "account (also known as SYSTEM). To start the service now, call"
348 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
349 csih_inform "will start automatically after the next reboot."
350 fi
351 else
352 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
353 -a "-D" -y tcpip "${cygwin_env[@]}" \
354 -u "${run_service_as}" -w "${password}"
355 then
356 echo
357 csih_inform "The sshd service has been installed under the '${run_service_as}'"
358 csih_inform "account. To start the service now, call \`net start sshd' or"
359 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
360 csih_inform "after the next reboot."
361 fi
362 fi 501 fi
502 fi
363 503
364 # now, if successfully installed, set ownership of the affected files 504 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
365 if cygrunsrv -Q sshd >/dev/null 2>&1 505 then
366 then 506 check_service_files_ownership "${run_service_as}" || let ret+=$?
367 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 507 else
368 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 508 csih_error_recoverable "Installing sshd as a service failed!"
369 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 509 let ++ret
370 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 510 fi
371 then 511 fi # user allowed us to install as service
372 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 512 fi # service not yet installed
373 fi 513 return $ret
374 else
375 csih_warning "Something went wrong installing the sshd service."
376 fi
377 fi # user allowed us to install as service
378 fi # service not yet installed
379 fi # csih_is_nt
380} # --- End of install_service --- # 514} # --- End of install_service --- #
381 515
382# ====================================================================== 516# ======================================================================
@@ -488,21 +622,71 @@ done
488 622
489# Check for running ssh/sshd processes first. Refuse to do anything while 623# Check for running ssh/sshd processes first. Refuse to do anything while
490# some ssh processes are still running 624# some ssh processes are still running
491if ps -ef | grep -q '/sshd\?$' 625if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
492then 626then
493 echo 627 echo
494 csih_error "There are still ssh processes running. Please shut them down first." 628 csih_error "There are still ssh processes running. Please shut them down first."
495fi 629fi
496 630
631# Make sure the user is running in an administrative context
632admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
633if [ "${admin}" != "yes" ]
634then
635 echo
636 csih_warning "Running this script typically requires administrator privileges!"
637 csih_warning "However, it seems your account does not have these privileges."
638 csih_warning "Here's the list of groups in your user token:"
639 echo
640 for i in $(/usr/bin/id -G)
641 do
642 /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
643 done
644 echo
645 csih_warning "This usually means you're running this script from a non-admin"
646 csih_warning "desktop session, or in a non-elevated shell under UAC control."
647 echo
648 csih_warning "Make sure you have the appropriate privileges right now,"
649 csih_warning "otherwise parts of this script will probably fail!"
650 echo
651 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
652 if ! csih_request "you have the required privileges)"
653 then
654 echo
655 csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
656 csih_inform "or to start this script from an elevated shell."
657 exit 1
658 fi
659fi
660
661echo
662
663warning_cnt=0
664
497# Check for ${SYSCONFDIR} directory 665# Check for ${SYSCONFDIR} directory
498csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." 666csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
499chmod 775 "${SYSCONFDIR}" 667if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
500setfacl -m u:system:rwx "${SYSCONFDIR}" 668then
669 csih_warning "Can't set permissions on ${SYSCONFDIR}!"
670 let ++warning_cnt
671fi
672if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
673then
674 csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
675 let ++warning_cnt
676fi
501 677
502# Check for /var/log directory 678# Check for /var/log directory
503csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." 679csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
504chmod 775 "${LOCALSTATEDIR}/log" 680if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
505setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" 681then
682 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
683 let ++warning_cnt
684fi
685if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
686then
687 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
688 let ++warning_cnt
689fi
506 690
507# Create /var/log/lastlog if not already exists 691# Create /var/log/lastlog if not already exists
508if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 692if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
@@ -513,26 +697,33 @@ then
513fi 697fi
514if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 698if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
515then 699then
516 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog 700 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
517 chmod 644 ${LOCALSTATEDIR}/log/lastlog 701 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
702 then
703 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
704 let ++warning_cnt
705 fi
518fi 706fi
519 707
520# Create /var/empty file used as chroot jail for privilege separation 708# Create /var/empty file used as chroot jail for privilege separation
521csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." 709csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
522chmod 755 "${LOCALSTATEDIR}/empty" 710if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
523setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" 711then
712 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
713 let ++warning_cnt
714fi
715if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
716then
717 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
718 let ++warning_cnt
719fi
524 720
525# host keys 721# host keys
526create_host_keys 722create_host_keys || let warning_cnt+=$?
527
528# use 'cmp' program to determine if a config file is identical
529# to the default version of that config file
530csih_check_program_or_error cmp diffutils
531
532 723
533# handle ssh_config 724# handle ssh_config
534csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" 725csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
535if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 726if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
536then 727then
537 if [ "${port_number}" != "22" ] 728 if [ "${port_number}" != "22" ]
538 then 729 then
@@ -543,19 +734,24 @@ then
543fi 734fi
544 735
545# handle sshd_config (and privsep) 736# handle sshd_config (and privsep)
546csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" 737csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
547if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 738if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
548then 739then
549 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 740 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
550fi 741fi
551sshd_privsep 742sshd_privsep || let warning_cnt+=$?
552
553 743
554 744update_services_file || let warning_cnt+=$?
555update_services_file 745update_inetd_conf || let warning_cnt+=$?
556update_inetd_conf 746install_service || let warning_cnt+=$?
557install_service
558 747
559echo 748echo
560csih_inform "Host configuration finished. Have fun!" 749if [ $warning_cnt -eq 0 ]
561 750then
751 csih_inform "Host configuration finished. Have fun!"
752else
753 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
754 csih_warning "Make sure that all problems reported are fixed,"
755 csih_warning "then re-run ssh-host-config."
756fi
757exit $warning_cnt
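--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -39,85 +39,34 @@ pwdhome=
 with_passphrase=
 
 # ======================================================================
-# Routine: create_ssh1_identity
-# optionally create ~/.ssh/identity[.pub]
+# Routine: create_identity
+# optionally create identity of type argument in ~/.ssh
 # optionally add result to ~/.ssh/authorized_keys
 # ======================================================================
-create_ssh1_identity() {
-  if [ ! -f "${pwdhome}/.ssh/identity" ]
+create_identity() {
+  local file="$1"
+  local type="$2"
+  local name="$3"
+  if [ ! -f "${pwdhome}/.ssh/${file}" ]
   then
-    if csih_request "Shall I create an SSH1 RSA identity file for you?"
+    if csih_request "Shall I create a ${name} identity file for you?"
     then
-      csih_inform "Generating ${pwdhome}/.ssh/identity"
+      csih_inform "Generating ${pwdhome}/.ssh/${file}"
       if [ "${with_passphrase}" = "yes" ]
       then
-        ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
+        ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
       else
-        ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
+        ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
       fi
       if csih_request "Do you want to use this identity to login to this machine?"
       then
         csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
-        cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
+        cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
       fi
     fi
   fi
 } # === End of create_ssh1_identity() === #
-readonly -f create_ssh1_identity
-
-# ======================================================================
-# Routine: create_ssh2_rsa_identity
-# optionally create ~/.ssh/id_rsa[.pub]
-# optionally add result to ~/.ssh/authorized_keys
-# ======================================================================
-create_ssh2_rsa_identity() {
-  if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
-  then
-    if csih_request "Shall I create an SSH2 RSA identity file for you?"
-    then
-      csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
-      if [ "${with_passphrase}" = "yes" ]
-      then
-        ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
-      else
-        ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
-      fi
-      if csih_request "Do you want to use this identity to login to this machine?"
-      then
-        csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
-        cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
-      fi
-    fi
-  fi
-} # === End of create_ssh2_rsa_identity() === #
-readonly -f create_ssh2_rsa_identity
-
-# ======================================================================
-# Routine: create_ssh2_dsa_identity
-# optionally create ~/.ssh/id_dsa[.pub]
-# optionally add result to ~/.ssh/authorized_keys
-# ======================================================================
-create_ssh2_dsa_identity() {
-  if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
-  then
-    if csih_request "Shall I create an SSH2 DSA identity file for you?"
-    then
-      csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
-      if [ "${with_passphrase}" = "yes" ]
-      then
-        ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
-      else
-        ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
-      fi
-      if csih_request "Do you want to use this identity to login to this machine?"
-      then
-        csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
-        cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
-      fi
-    fi
-  fi
-} # === End of create_ssh2_dsa_identity() === #
-readonly -f create_ssh2_dsa_identity
+readonly -f create_identity
 
 # ======================================================================
 # Routine: check_user_homedir
@@ -311,9 +260,10 @@ fi
 
 check_user_homedir
 check_user_dot_ssh_dir
-create_ssh1_identity
-create_ssh2_rsa_identity
-create_ssh2_dsa_identity
+create_identity id_rsa rsa "SSH2 RSA"
+create_identity id_dsa dsa "SSH2 DSA"
+create_identity id_ecdsa ecdsa "SSH2 ECDSA"
+create_identity identity rsa1 "(deprecated) SSH1 RSA"
 fix_authorized_keys_perms
 
 echo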
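Review bot: The closing marker on new line 68, `} # === End of create_ssh1_identity() === #`, still names the removed routine and should read `} # === End of create_identity() === #` now that the three per-type functions are folded into create_identity. In the same function the exit status of both `ssh-keygen` calls (new lines 57 and 59) is discarded, so when key generation fails the script still asks whether to use the identity and then appends a `.pub` file that does not exist to authorized_keys. A single guard after the `fi` on new line 60 closes that gap, e.g. `[ -f "${pwdhome}/.ssh/${file}.pub" ] || { csih_warning "Generating ${pwdhome}/.ssh/${file} failed."; return 1; }` (csih_warning is the helper the sibling ssh-host-config already uses, so it should be in scope here too). The four callers at new lines 263–266 run unconditionally, so a failure in one key type would not stop the others, which looks like the intended behaviour.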
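--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 5.8p1
+%define ver 5.9p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
@@ -84,24 +84,24 @@ Obsoletes: ssh
 %if %{build6x}
 PreReq: initscripts >= 5.00
 %else
-PreReq: initscripts >= 5.20
+Requires: initscripts >= 5.20
 %endif
-BuildPreReq: perl, openssl-devel, tcp_wrappers
-BuildPreReq: /bin/login
+BuildRequires: perl, openssl-devel, tcp_wrappers
+BuildRequires: /bin/login
 %if ! %{build6x}
 BuildPreReq: glibc-devel, pam
 %else
-BuildPreReq: /usr/include/security/pam_appl.h
+BuildRequires: /usr/include/security/pam_appl.h
 %endif
 %if ! %{no_x11_askpass}
-BuildPreReq: /usr/include/X11/Xlib.h
+BuildRequires: /usr/include/X11/Xlib.h
 %endif
 %if ! %{no_gnome_askpass}
-BuildPreReq: pkgconfig
+BuildRequires: pkgconfig
 %endif
 %if %{kerberos5}
-BuildPreReq: krb5-devel
-BuildPreReq: krb5-libs
+BuildRequires: krb5-devel
+BuildRequires: krb5-libs
 %endif
 
 %package clients
@@ -114,7 +114,7 @@ Obsoletes: ssh-clients
 Summary: The OpenSSH server daemon.
 Group: System Environment/Daemons
 Obsoletes: ssh-server
-PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
+Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
 %if ! %{build6x}
 Requires: /etc/pam.d/system-auth
 %endif
@@ -712,7 +712,7 @@ fi
   it generates.
 
 * Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
-- Add BuildPreReq on /usr/include/security/pam_appl.h to be sure we always
+- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
   build PAM authentication in.
 - Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
 - Clean out no-longer-used patches.
@@ -721,7 +721,7 @@ fi
 
 * Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
 - Update x11-askpass to 1.0.2. (#17835)
-- Add BuildPreReqs for /bin/login and /usr/bin/rsh so that configure will
+- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
   always find them in the right place. (#17909)
 - Set the default path to be the same as the one supplied by /bin/login, but
   add /usr/X11R6/bin. (#17909)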
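Review bot: Line 92, `BuildPreReq: glibc-devel, pam`, is the one build dependency left on the old `BuildPreReq` tag while every neighbouring line in this hunk is converted to `BuildRequires`; for consistency it should become `BuildRequires: glibc-devel, pam`. The edits at lines 715 and 724 change text inside the year-2000 %changelog entries rather than current spec content, and the second one introduces the misspelling `BuildRequiress`; either leave those historical entries as they were or at least correct it to `BuildRequires`.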
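--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@@ -22,70 +22,9 @@ RETVAL=0
 prog="sshd"
 
 # Some functions to make the below more readable
-KEYGEN=/usr/bin/ssh-keygen
 SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
-RSA_KEY=/etc/ssh/ssh_host_rsa_key
-DSA_KEY=/etc/ssh/ssh_host_dsa_key
 PID_FILE=/var/run/sshd.pid
 
-do_rsa1_keygen() {
-	if [ ! -s $RSA1_KEY ]; then
-		echo -n $"Generating SSH1 RSA host key: "
-		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
-			chmod 600 $RSA1_KEY
-			chmod 644 $RSA1_KEY.pub
-			if [ -x /sbin/restorecon ]; then
-				/sbin/restorecon $RSA1_KEY.pub
-			fi
-			success $"RSA1 key generation"
-			echo
-		else
-			failure $"RSA1 key generation"
-			echo
-			exit 1
-		fi
-	fi
-}
-
-do_rsa_keygen() {
-	if [ ! -s $RSA_KEY ]; then
-		echo -n $"Generating SSH2 RSA host key: "
-		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
-			chmod 600 $RSA_KEY
-			chmod 644 $RSA_KEY.pub
-			if [ -x /sbin/restorecon ]; then
-				/sbin/restorecon $RSA_KEY.pub
-			fi
-			success $"RSA key generation"
-			echo
-		else
-			failure $"RSA key generation"
-			echo
-			exit 1
-		fi
-	fi
-}
-
-do_dsa_keygen() {
-	if [ ! -s $DSA_KEY ]; then
-		echo -n $"Generating SSH2 DSA host key: "
-		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
-			chmod 600 $DSA_KEY
-			chmod 644 $DSA_KEY.pub
-			if [ -x /sbin/restorecon ]; then
-				/sbin/restorecon $DSA_KEY.pub
-			fi
-			success $"DSA key generation"
-			echo
-		else
-			failure $"DSA key generation"
-			echo
-			exit 1
-		fi
-	fi
-}
-
 do_restart_sanity_check()
 {
 	$SSHD -t
@@ -99,9 +38,13 @@ do_restart_sanity_check()
 start()
 {
 	# Create keys if necessary
-	do_rsa1_keygen
-	do_rsa_keygen
-	do_dsa_keygen
+	/usr/bin/ssh-keygen -A
+	if [ -x /sbin/restorecon ]; then
+		/sbin/restorcon /etc/ssh/ssh_host_key.pub
+		/sbin/restorcon /etc/ssh/ssh_host_rsa_key.pub
+		/sbin/restorcon /etc/ssh/ssh_host_dsa_key.pub
+		/sbin/restorcon /etc/ssh/ssh_host_ecdsa_key.pub
+	fi
 
 	echo -n $"Starting $prog:"
 	$SSHD $OPTIONS && success || failure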
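Review bot: New lines 43–46 invoke `/sbin/restorcon` while the guard on line 42 tests for `/sbin/restorecon`, so on an SELinux host the guard passes and all four relabel commands fail with "command not found"; the public keys just written by `ssh-keygen -A` are never relabelled, and nothing reports it. The exit status of `/usr/bin/ssh-keygen -A` on line 41 is also ignored, whereas the removed do_*_keygen helpers printed `failure` and exited 1 when a host key could not be generated; sshd is now started regardless, which is worth a check since the daemon then fails later with a less obvious message. The removed helpers additionally forced the private key to mode 600; presumably ssh-keygen creates it owner-only itself, but that is not shown here and deserves confirming under the init script's umask. The same unchecked `ssh-keygen -A` call appears in contrib/suse/rc.sshd (new line 47) and in the %post scriptlet of contrib/suse/openssh.spec (new line 181).
```shell
	# Create keys if necessary
	if ! /usr/bin/ssh-keygen -A >/dev/null; then
		failure $"host key generation"
		echo
		exit 1
	fi
	if [ -x /sbin/restorecon ]; then
		for key in /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key \
		           /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_ecdsa_key; do
			[ -e "$key.pub" ] && /sbin/restorecon "$key.pub"
		done
	fi
	# … unchanged: "Starting $prog:" banner and daemon start …
```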
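--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -25,7 +25,7 @@ else
 fi
 
 if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
-	GET_ID="cat ${ID_FILE}"
+	GET_ID="cat \"${ID_FILE}\""
 fi
 
 if [ -z "`eval $GET_ID`" ]; then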
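Review bot: The added quoting on line 28 keeps `GET_ID` intact for a path containing whitespace, but the value is still re-parsed by `eval $GET_ID` on lines 27 and 31, so other shell metacharacters in `${ID_FILE}` (a double quote, a backtick, `$(`) are still interpreted rather than treated as part of the filename. Where `ID_FILE` is set is outside this hunk, as are the other branches that assign `GET_ID`; if it can come from the command line, the robust fix is to stop building a command string for this case, e.g. wrap the read in a function `get_id() { cat -- "${ID_FILE}"; }` and test `[ -z "$(get_id)" ]`. Failing that, a one-line comment such as `# quoting only survives word splitting; eval still re-parses the path` above line 28 would keep the next reader from treating this as a complete fix.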
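--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 5.8p1
+Version: 5.9p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
@@ -28,11 +28,12 @@ Provides: ssh
 # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
 # building prerequisites -- stuff for
 # OpenSSL (openssl-devel),
-# TCP Wrappers (nkitb),
+# TCP Wrappers (tcpd-devel),
 # and Gnome (glibdev, gtkdev, and gnlibsd)
 #
 BuildPrereq: openssl
-BuildPrereq: nkitb
+BuildPrereq: tcpd-devel
+BuildPrereq: zlib-devel
 #BuildPrereq: glibdev
 #BuildPrereq: gtkdev
 #BuildPrereq: gnlibsd
@@ -177,15 +178,8 @@ rm -rf $RPM_BUILD_ROOT
 /usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
 
 %post
-if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
-	echo "Generating SSH RSA host key..."
-	/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
-fi
-if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
-	echo "Generating SSH DSA host key..."
-	/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
-fi
-%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
+/usr/bin/ssh-keygen -A
+%{fillup_and_insserv -n -y ssh sshd}
 %run_permissions
 
 %verifyscript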
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd
index 4d4880d7e..4a3bc41db 100644
--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -43,20 +43,8 @@ rc_reset
43 43
44case "$1" in 44case "$1" in
45 start) 45 start)
46 if ! test -f /etc/ssh/ssh_host_key ; then 46 # Generate any missing host keys
47 echo Generating /etc/ssh/ssh_host_key. 47 ssh-keygen -A
48 ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ''
49 fi
50 if ! test -f /etc/ssh/ssh_host_dsa_key ; then
51 echo Generating /etc/ssh/ssh_host_dsa_key.
52
53 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
54 fi
55 if ! test -f /etc/ssh/ssh_host_rsa_key ; then
56 echo Generating /etc/ssh/ssh_host_rsa_key.
57
58 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
59 fi
60 echo -n "Starting SSH daemon" 48 echo -n "Starting SSH daemon"
61 ## Start daemon with startproc(8). If this fails 49 ## Start daemon with startproc(8). If this fails
62 ## the echo return value is set appropriate. 50 ## the echo return value is set appropriate.