diff options
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 166 |
2 files changed, 105 insertions, 64 deletions
@@ -1,5 +1,8 @@ | |||
1 | 20140527 | 1 | 20140527 |
2 | - (djm) [cipher.c] Fix merge botch. | 2 | - (djm) [cipher.c] Fix merge botch. |
3 | - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config | ||
4 | from Corinna Vinschen, fixing a number of bugs and preparing for | ||
5 | Cygwin 1.7.30. | ||
3 | 6 | ||
4 | 20140522 | 7 | 20140522 |
5 | - (djm) [Makefile.in] typo in path | 8 | - (djm) [Makefile.in] typo in path |
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 05efd3b3b..fed87947d 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -34,6 +34,7 @@ declare -a csih_required_commands=( | |||
34 | /usr/bin/mv coreutils | 34 | /usr/bin/mv coreutils |
35 | /usr/bin/rm coreutils | 35 | /usr/bin/rm coreutils |
36 | /usr/bin/cygpath cygwin | 36 | /usr/bin/cygpath cygwin |
37 | /usr/bin/mkpasswd cygwin | ||
37 | /usr/bin/mount cygwin | 38 | /usr/bin/mount cygwin |
38 | /usr/bin/ps cygwin | 39 | /usr/bin/ps cygwin |
39 | /usr/bin/setfacl cygwin | 40 | /usr/bin/setfacl cygwin |
@@ -59,8 +60,9 @@ PREFIX=/usr | |||
59 | SYSCONFDIR=/etc | 60 | SYSCONFDIR=/etc |
60 | LOCALSTATEDIR=/var | 61 | LOCALSTATEDIR=/var |
61 | 62 | ||
63 | sshd_config_configured=no | ||
62 | port_number=22 | 64 | port_number=22 |
63 | privsep_configured=no | 65 | strictmodes=yes |
64 | privsep_used=yes | 66 | privsep_used=yes |
65 | cygwin_value="" | 67 | cygwin_value="" |
66 | user_account= | 68 | user_account= |
@@ -89,28 +91,8 @@ update_services_file() { | |||
89 | # Depends on the above mount | 91 | # Depends on the above mount |
90 | _wservices=`cygpath -w "${_services}"` | 92 | _wservices=`cygpath -w "${_services}"` |
91 | 93 | ||
92 | # Remove sshd 22/port from services | ||
93 | if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | ||
94 | then | ||
95 | /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | ||
96 | if [ -f "${_serv_tmp}" ] | ||
97 | then | ||
98 | if /usr/bin/mv "${_serv_tmp}" "${_services}" | ||
99 | then | ||
100 | csih_inform "Removing sshd from ${_wservices}" | ||
101 | else | ||
102 | csih_warning "Removing sshd from ${_wservices} failed!" | ||
103 | let ++ret | ||
104 | fi | ||
105 | /usr/bin/rm -f "${_serv_tmp}" | ||
106 | else | ||
107 | csih_warning "Removing sshd from ${_wservices} failed!" | ||
108 | let ++ret | ||
109 | fi | ||
110 | fi | ||
111 | |||
112 | # Add ssh 22/tcp and ssh 22/udp to services | 94 | # Add ssh 22/tcp and ssh 22/udp to services |
113 | if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 95 | if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] |
114 | then | 96 | then |
115 | if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | 97 | if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
116 | then | 98 | then |
@@ -132,17 +114,45 @@ update_services_file() { | |||
132 | } # --- End of update_services_file --- # | 114 | } # --- End of update_services_file --- # |
133 | 115 | ||
134 | # ====================================================================== | 116 | # ====================================================================== |
117 | # Routine: sshd_strictmodes | ||
118 | # MODIFIES: strictmodes | ||
119 | # ====================================================================== | ||
120 | sshd_strictmodes() { | ||
121 | if [ "${sshd_config_configured}" != "yes" ] | ||
122 | then | ||
123 | echo | ||
124 | csih_inform "StrictModes is set to 'yes' by default." | ||
125 | csih_inform "This is the recommended setting, but it requires that the POSIX" | ||
126 | csih_inform "permissions of the user's home directory, the user's .ssh" | ||
127 | csih_inform "directory, and the user's ssh key files are tight so that" | ||
128 | csih_inform "only the user has write permissions." | ||
129 | csih_inform "On the other hand, StrictModes don't work well with default" | ||
130 | csih_inform "Windows permissions of a home directory mounted with the" | ||
131 | csih_inform "'noacl' option, and they don't work at all if the home" | ||
132 | csih_inform "directory is on a FAT or FAT32 partition." | ||
133 | if ! csih_request "Should StrictModes be used?" | ||
134 | then | ||
135 | strictmodes=no | ||
136 | fi | ||
137 | fi | ||
138 | return 0 | ||
139 | } | ||
140 | |||
141 | # ====================================================================== | ||
135 | # Routine: sshd_privsep | 142 | # Routine: sshd_privsep |
136 | # MODIFIES: privsep_configured privsep_used | 143 | # MODIFIES: privsep_used |
137 | # ====================================================================== | 144 | # ====================================================================== |
138 | sshd_privsep() { | 145 | sshd_privsep() { |
139 | local sshdconfig_tmp | ||
140 | local ret=0 | 146 | local ret=0 |
141 | 147 | ||
142 | if [ "${privsep_configured}" != "yes" ] | 148 | if [ "${sshd_config_configured}" != "yes" ] |
143 | then | 149 | then |
144 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." | 150 | echo |
145 | csih_inform "However, this requires a non-privileged account called 'sshd'." | 151 | csih_inform "Privilege separation is set to 'sandbox' by default since" |
152 | csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set" | ||
153 | csih_inform "to 'yes' or 'no'." | ||
154 | csih_inform "However, using privilege separation requires a non-privileged account" | ||
155 | csih_inform "called 'sshd'." | ||
146 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | 156 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." |
147 | if csih_request "Should privilege separation be used?" | 157 | if csih_request "Should privilege separation be used?" |
148 | then | 158 | then |
@@ -159,36 +169,53 @@ sshd_privsep() { | |||
159 | privsep_used=no | 169 | privsep_used=no |
160 | fi | 170 | fi |
161 | fi | 171 | fi |
172 | return $ret | ||
173 | } # --- End of sshd_privsep --- # | ||
174 | |||
175 | # ====================================================================== | ||
176 | # Routine: sshd_config_tweak | ||
177 | # ====================================================================== | ||
178 | sshd_config_tweak() { | ||
179 | local ret=0 | ||
162 | 180 | ||
163 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | 181 | # Modify sshd_config |
164 | # modify to add the missing privsep configuration option | 182 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" |
165 | if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 183 | if [ "${port_number}" -ne 22 ] |
166 | then | 184 | then |
167 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" | 185 | /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ |
168 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ | 186 | ${SYSCONFDIR}/sshd_config |
169 | /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ | 187 | if [ $? -ne 0 ] |
170 | s/^#Port 22/Port ${port_number}/ | ||
171 | s/^#StrictModes yes/StrictModes no/" \ | ||
172 | < ${SYSCONFDIR}/sshd_config \ | ||
173 | > "${sshdconfig_tmp}" | ||
174 | if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config | ||
175 | then | 188 | then |
176 | csih_warning "Setting privilege separation to 'yes' failed!" | 189 | csih_warning "Setting listening port to ${port_number} failed!" |
177 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | 190 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" |
178 | let ++ret | 191 | let ++ret |
179 | fi | 192 | fi |
180 | elif [ "${privsep_configured}" != "yes" ] | 193 | fi |
194 | if [ "${strictmodes}" = "no" ] | ||
181 | then | 195 | then |
182 | echo >> ${SYSCONFDIR}/sshd_config | 196 | /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ |
183 | if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config | 197 | ${SYSCONFDIR}/sshd_config |
198 | if [ $? -ne 0 ] | ||
184 | then | 199 | then |
185 | csih_warning "Setting privilege separation to 'yes' failed!" | 200 | csih_warning "Setting StrictModes to 'no' failed!" |
186 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | 201 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" |
187 | let ++ret | 202 | let ++ret |
203 | fi | ||
204 | fi | ||
205 | if [ "${sshd_config_configured}" != "yes" ] | ||
206 | then | ||
207 | /usr/bin/sed -i -e " | ||
208 | s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \ | ||
209 | ${SYSCONFDIR}/sshd_config | ||
210 | if [ $? -ne 0 ] | ||
211 | then | ||
212 | csih_warning "Setting privilege separation failed!" | ||
213 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
214 | let ++ret | ||
188 | fi | 215 | fi |
189 | fi | 216 | fi |
190 | return $ret | 217 | return $ret |
191 | } # --- End of sshd_privsep --- # | 218 | } # --- End of sshd_config_tweak --- # |
192 | 219 | ||
193 | # ====================================================================== | 220 | # ====================================================================== |
194 | # Routine: update_inetd_conf | 221 | # Routine: update_inetd_conf |
@@ -207,11 +234,11 @@ update_inetd_conf() { | |||
207 | # we have inetutils-1.5 inetd.d support | 234 | # we have inetutils-1.5 inetd.d support |
208 | if [ -f "${_inetcnf}" ] | 235 | if [ -f "${_inetcnf}" ] |
209 | then | 236 | then |
210 | /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 | 237 | /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 |
211 | 238 | ||
212 | # check for sshd OR ssh in top-level inetd.conf file, and remove | 239 | # check for sshd OR ssh in top-level inetd.conf file, and remove |
213 | # will be replaced by a file in inetd.d/ | 240 | # will be replaced by a file in inetd.d/ |
214 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] | 241 | if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] |
215 | then | 242 | then |
216 | /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" | 243 | /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
217 | if [ -f "${_inetcnf_tmp}" ] | 244 | if [ -f "${_inetcnf_tmp}" ] |
@@ -236,9 +263,9 @@ update_inetd_conf() { | |||
236 | then | 263 | then |
237 | if [ "${_with_comment}" -eq 0 ] | 264 | if [ "${_with_comment}" -eq 0 ] |
238 | then | 265 | then |
239 | /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 266 | /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
240 | else | 267 | else |
241 | /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 268 | /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
242 | fi | 269 | fi |
243 | if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | 270 | if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" |
244 | then | 271 | then |
@@ -251,13 +278,13 @@ update_inetd_conf() { | |||
251 | 278 | ||
252 | elif [ -f "${_inetcnf}" ] | 279 | elif [ -f "${_inetcnf}" ] |
253 | then | 280 | then |
254 | /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 | 281 | /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 |
255 | 282 | ||
256 | # check for sshd in top-level inetd.conf file, and remove | 283 | # check for sshd in top-level inetd.conf file, and remove |
257 | # will be replaced by a file in inetd.d/ | 284 | # will be replaced by a file in inetd.d/ |
258 | if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | 285 | if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
259 | then | 286 | then |
260 | /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | 287 | /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
261 | if [ -f "${_inetcnf_tmp}" ] | 288 | if [ -f "${_inetcnf_tmp}" ] |
262 | then | 289 | then |
263 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" | 290 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
@@ -305,17 +332,26 @@ check_service_files_ownership() { | |||
305 | 332 | ||
306 | if [ -z "${run_service_as}" ] | 333 | if [ -z "${run_service_as}" ] |
307 | then | 334 | then |
308 | accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') | 335 | accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | |
336 | /usr/bin/sed -ne 's/^Account *: *//gp') | ||
309 | if [ "${accnt_name}" = "LocalSystem" ] | 337 | if [ "${accnt_name}" = "LocalSystem" ] |
310 | then | 338 | then |
311 | # Convert "LocalSystem" to "SYSTEM" as is the correct account name | 339 | # Convert "LocalSystem" to "SYSTEM" as is the correct account name |
312 | accnt_name="SYSTEM:" | 340 | run_service_as="SYSTEM" |
313 | elif [[ "${accnt_name}" =~ ^\.\\ ]] | 341 | else |
314 | then | 342 | dom="${accnt_name%%\\*}" |
315 | # Convert "." domain to local machine name | 343 | accnt_name="${accnt_name#*\\}" |
316 | accnt_name="U-${COMPUTERNAME}${accnt_name#.}," | 344 | if [ "${dom}" = '.' ] |
345 | then | ||
346 | # Check local account | ||
347 | run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | | ||
348 | /usr/bin/awk -F: '{print $1;}') | ||
349 | else | ||
350 | # Check domain | ||
351 | run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | | ||
352 | /usr/bin/awk -F: '{print $1;}') | ||
353 | fi | ||
317 | fi | 354 | fi |
318 | run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') | ||
319 | if [ -z "${run_service_as}" ] | 355 | if [ -z "${run_service_as}" ] |
320 | then | 356 | then |
321 | csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" | 357 | csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" |
@@ -672,6 +708,7 @@ then | |||
672 | fi | 708 | fi |
673 | 709 | ||
674 | # generate missing host keys | 710 | # generate missing host keys |
711 | csih_inform "Generating missing SSH host keys" | ||
675 | /usr/bin/ssh-keygen -A || let warning_cnt+=$? | 712 | /usr/bin/ssh-keygen -A || let warning_cnt+=$? |
676 | 713 | ||
677 | # handle ssh_config | 714 | # handle ssh_config |
@@ -690,10 +727,11 @@ fi | |||
690 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt | 727 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
691 | if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 728 | if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
692 | then | 729 | then |
693 | /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes | 730 | sshd_config_configured=yes |
694 | fi | 731 | fi |
732 | sshd_strictmodes || let warning_cnt+=$? | ||
695 | sshd_privsep || let warning_cnt+=$? | 733 | sshd_privsep || let warning_cnt+=$? |
696 | 734 | sshd_config_tweak || let warning_cnt+=$? | |
697 | update_services_file || let warning_cnt+=$? | 735 | update_services_file || let warning_cnt+=$? |
698 | update_inetd_conf || let warning_cnt+=$? | 736 | update_inetd_conf || let warning_cnt+=$? |
699 | install_service || let warning_cnt+=$? | 737 | install_service || let warning_cnt+=$? |