1 files changed, 102 insertions, 96 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 05efd3b3b..a7ea3e0d2 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -34,9 +34,9 @@ declare -a csih_required_commands=(
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/cygpath cygwin
+  /usr/bin/mkpasswd cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
-  /usr/bin/setfacl cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
@@ -59,8 +59,9 @@ PREFIX=/usr
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
+sshd_config_configured=no
 port_number=22
-privsep_configured=no
+strictmodes=yes
 privsep_used=yes
 cygwin_value=""
 user_account=
@@ -89,28 +90,8 @@ update_services_file() {
  # Depends on the above mount
  _wservices=`cygpath -w "${_services}"`
-  # Remove sshd 22/port from services
-  if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-  then
-    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
-    if [ -f "${_serv_tmp}" ]
-    then
-      if /usr/bin/mv "${_serv_tmp}" "${_services}"
-      then
-        csih_inform "Removing sshd from ${_wservices}"
-      else
-        csih_warning "Removing sshd from ${_wservices} failed!"
-        let ++ret
-      fi
-      /usr/bin/rm -f "${_serv_tmp}"
-    else
-      csih_warning "Removing sshd from ${_wservices} failed!"
-      let ++ret
-    fi
-  fi
  # Add ssh 22/tcp  and ssh 22/udp to services
-  if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
  then
    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
@@ -132,17 +113,45 @@ update_services_file() {
 } # --- End of update_services_file --- #
 # ======================================================================
+# Routine: sshd_strictmodes
+#  MODIFIES: strictmodes
+# ======================================================================
+sshd_strictmodes() {
+  if [ "${sshd_config_configured}" != "yes" ]
+  then
+    echo
+    csih_inform "StrictModes is set to 'yes' by default."
+    csih_inform "This is the recommended setting, but it requires that the POSIX"
+    csih_inform "permissions of the user's home directory, the user's .ssh"
+    csih_inform "directory, and the user's ssh key files are tight so that"
+    csih_inform "only the user has write permissions."
+    csih_inform "On the other hand, StrictModes don't work well with default"
+    csih_inform "Windows permissions of a home directory mounted with the"
+    csih_inform "'noacl' option, and they don't work at all if the home"
+    csih_inform "directory is on a FAT or FAT32 partition."
+    if ! csih_request "Should StrictModes be used?"
+    then
+      strictmodes=no
+    fi
+  fi
+  return 0
+}
+# ======================================================================
 # Routine: sshd_privsep
-#  MODIFIES: privsep_configured  privsep_used
+#  MODIFIES: privsep_used
 # ======================================================================
 sshd_privsep() {
-  local sshdconfig_tmp
  local ret=0
-  if [ "${privsep_configured}" != "yes" ]
+  if [ "${sshd_config_configured}" != "yes" ]
  then
-    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
+    echo
-    csih_inform "However, this requires a non-privileged account called 'sshd'."
+    csih_inform "Privilege separation is set to 'sandbox' by default since"
+    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
+    csih_inform "to 'yes' or 'no'."
+    csih_inform "However, using privilege separation requires a non-privileged account"
+    csih_inform "called 'sshd'."
    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    if csih_request "Should privilege separation be used?"
    then
@@ -159,36 +168,53 @@ sshd_privsep() {
      privsep_used=no
    fi
  fi
+  return $ret
+} # --- End of sshd_privsep --- #
-  # Create default sshd_config from skeleton files in /etc/defaults/etc or
+# ======================================================================
-  # modify to add the missing privsep configuration option
+# Routine: sshd_config_tweak
-  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+# ======================================================================
+sshd_config_tweak() {
+  local ret=0
+  # Modify sshd_config
+  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+  if [ "${port_number}" -ne 22 ]
  then
-    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
-    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
+      ${SYSCONFDIR}/sshd_config
-    /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+    if [ $? -ne 0 ]
-          s/^#Port 22/Port ${port_number}/
-          s/^#StrictModes yes/StrictModes no/" \
-        < ${SYSCONFDIR}/sshd_config \
-        > "${sshdconfig_tmp}"
-    if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
    then
-        csih_warning "Setting privilege separation to 'yes' failed!"
+      csih_warning "Setting listening port to ${port_number} failed!"
-        csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-        let ++ret
+      let ++ret
+    fi
+  fi
+  if [ "${strictmodes}" = "no" ]
+  then
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
+    then
+      csih_warning "Setting StrictModes to 'no' failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
    fi
-  elif [ "${privsep_configured}" != "yes" ]
+  fi
+  if [ "${sshd_config_configured}" != "yes" ]
  then
-    echo >> ${SYSCONFDIR}/sshd_config
+    /usr/bin/sed -i -e "
-    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
    then
-        csih_warning "Setting privilege separation to 'yes' failed!"
+      csih_warning "Setting privilege separation failed!"
-        csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-        let ++ret
+      let ++ret
    fi
  fi
  return $ret
-} # --- End of sshd_privsep --- #
+} # --- End of sshd_config_tweak --- #
 # ======================================================================
 # Routine: update_inetd_conf
@@ -207,11 +233,11 @@ update_inetd_conf() {
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
-      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
      # check for sshd OR ssh in top-level inetd.conf file, and remove
      # will be replaced by a file in inetd.d/
-      if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
      then
        /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
        if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +262,9 @@ update_inetd_conf() {
    then
      if [ "${_with_comment}" -eq 0 ]
      then
-        /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      else
-        /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      fi
      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      then
@@ -251,13 +277,13 @@ update_inetd_conf() {
  elif [ -f "${_inetcnf}" ]
  then
-    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
    # check for sshd in top-level inetd.conf file, and remove
    # will be replaced by a file in inetd.d/
-    if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
    then
-      /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
      if [ -f "${_inetcnf_tmp}" ]
      then
        if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +331,26 @@ check_service_files_ownership() {
  if [ -z "${run_service_as}" ]
  then
-    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
+    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
+                 /usr/bin/sed -ne 's/^Account *: *//gp')
    if [ "${accnt_name}" = "LocalSystem" ]
    then
      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
-      accnt_name="SYSTEM:"
+      run_service_as="SYSTEM"
-    elif [[ "${accnt_name}" =~ ^\.\\ ]]
+    else
-    then
+      dom="${accnt_name%%\\*}"
-      # Convert "." domain to local machine name
+      accnt_name="${accnt_name#*\\}"
-      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+      if [ "${dom}" = '.' ]
+      then
+        # Check local account
+        run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
+                         /usr/bin/awk -F: '{print $1;}')
+      else
+        # Check domain
+        run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
+                         /usr/bin/awk -F: '{print $1;}')
+      fi
    fi
-    run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
    if [ -z "${run_service_as}" ]
    then
      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
@@ -615,32 +650,6 @@ echo
 warning_cnt=0
-# Check for ${SYSCONFDIR} directory
-csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
-if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
-then
-  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
-# Check for /var/log directory
-csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
-if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
-  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
 # Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
 then
@@ -665,13 +674,9 @@ then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  let ++warning_cnt
 fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
-  let ++warning_cnt
-fi
 # generate missing host keys
+csih_inform "Generating missing SSH host keys"
 /usr/bin/ssh-keygen -A || let warning_cnt+=$?
 # handle ssh_config
@@ -690,10 +695,11 @@ fi
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-  /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+  sshd_config_configured=yes
 fi
+sshd_strictmodes || let warning_cnt+=$?
 sshd_privsep || let warning_cnt+=$?
+sshd_config_tweak || let warning_cnt+=$?
 update_services_file || let warning_cnt+=$?
 update_inetd_conf || let warning_cnt+=$?
 install_service || let warning_cnt+=$?

diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 05efd3b3b..a7ea3e0d2 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config
@@ -34,9 +34,9 @@ declare -a csih_required_commands=(
34	/usr/bin/mv coreutils	34	/usr/bin/mv coreutils
35	/usr/bin/rm coreutils	35	/usr/bin/rm coreutils
36	/usr/bin/cygpath cygwin	36	/usr/bin/cygpath cygwin
		37	/usr/bin/mkpasswd cygwin
37	/usr/bin/mount cygwin	38	/usr/bin/mount cygwin
38	/usr/bin/ps cygwin	39	/usr/bin/ps cygwin
39	/usr/bin/setfacl cygwin
40	/usr/bin/umount cygwin	40	/usr/bin/umount cygwin
41	/usr/bin/cmp diffutils	41	/usr/bin/cmp diffutils
42	/usr/bin/grep grep	42	/usr/bin/grep grep
@@ -59,8 +59,9 @@ PREFIX=/usr
59	SYSCONFDIR=/etc	59	SYSCONFDIR=/etc
60	LOCALSTATEDIR=/var	60	LOCALSTATEDIR=/var
61		61
		62	sshd_config_configured=no
62	port_number=22	63	port_number=22
63	privsep_configured=no	64	strictmodes=yes
64	privsep_used=yes	65	privsep_used=yes
65	cygwin_value=""	66	cygwin_value=""
66	user_account=	67	user_account=
@@ -89,28 +90,8 @@ update_services_file() {
89	# Depends on the above mount	90	# Depends on the above mount
90	_wservices=`cygpath -w "${_services}"`	91	_wservices=`cygpath -w "${_services}"`
91		92
92	# Remove sshd 22/port from services
93	if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
94	then
95	/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
96	if [ -f "${_serv_tmp}" ]
97	then
98	if /usr/bin/mv "${_serv_tmp}" "${_services}"
99	then
100	csih_inform "Removing sshd from ${_wservices}"
101	else
102	csih_warning "Removing sshd from ${_wservices} failed!"
103	let ++ret
104	fi
105	/usr/bin/rm -f "${_serv_tmp}"
106	else
107	csih_warning "Removing sshd from ${_wservices} failed!"
108	let ++ret
109	fi
110	fi
111
112	# Add ssh 22/tcp and ssh 22/udp to services	93	# Add ssh 22/tcp and ssh 22/udp to services
113	if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]	94	if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
114	then	95	then
115	if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"	96	if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
116	then	97	then
@@ -132,17 +113,45 @@ update_services_file() {
132	} # --- End of update_services_file --- #	113	} # --- End of update_services_file --- #
133		114
134	# ======================================================================	115	# ======================================================================
		116	# Routine: sshd_strictmodes
		117	# MODIFIES: strictmodes
		118	# ======================================================================
		119	sshd_strictmodes() {
		120	if [ "${sshd_config_configured}" != "yes" ]
		121	then
		122	echo
		123	csih_inform "StrictModes is set to 'yes' by default."
		124	csih_inform "This is the recommended setting, but it requires that the POSIX"
		125	csih_inform "permissions of the user's home directory, the user's .ssh"
		126	csih_inform "directory, and the user's ssh key files are tight so that"
		127	csih_inform "only the user has write permissions."
		128	csih_inform "On the other hand, StrictModes don't work well with default"
		129	csih_inform "Windows permissions of a home directory mounted with the"
		130	csih_inform "'noacl' option, and they don't work at all if the home"
		131	csih_inform "directory is on a FAT or FAT32 partition."
		132	if ! csih_request "Should StrictModes be used?"
		133	then
		134	strictmodes=no
		135	fi
		136	fi
		137	return 0
		138	}
		139
		140	# ======================================================================
135	# Routine: sshd_privsep	141	# Routine: sshd_privsep
136	# MODIFIES: privsep_configured privsep_used	142	# MODIFIES: privsep_used
137	# ======================================================================	143	# ======================================================================
138	sshd_privsep() {	144	sshd_privsep() {
139	local sshdconfig_tmp
140	local ret=0	145	local ret=0
141		146
142	if [ "${privsep_configured}" != "yes" ]	147	if [ "${sshd_config_configured}" != "yes" ]
143	then	148	then
144	csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."	149	echo
145	csih_inform "However, this requires a non-privileged account called 'sshd'."	150	csih_inform "Privilege separation is set to 'sandbox' by default since"
		151	csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
		152	csih_inform "to 'yes' or 'no'."
		153	csih_inform "However, using privilege separation requires a non-privileged account"
		154	csih_inform "called 'sshd'."
146	csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."	155	csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
147	if csih_request "Should privilege separation be used?"	156	if csih_request "Should privilege separation be used?"
148	then	157	then
@@ -159,36 +168,53 @@ sshd_privsep() {
159	privsep_used=no	168	privsep_used=no
160	fi	169	fi
161	fi	170	fi
		171	return $ret
		172	} # --- End of sshd_privsep --- #
162		173
163	# Create default sshd_config from skeleton files in /etc/defaults/etc or	174	# ======================================================================
164	# modify to add the missing privsep configuration option	175	# Routine: sshd_config_tweak
165	if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1	176	# ======================================================================
		177	sshd_config_tweak() {
		178	local ret=0
		179
		180	# Modify sshd_config
		181	csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
		182	if [ "${port_number}" -ne 22 ]
166	then	183	then
167	csih_inform "Updating ${SYSCONFDIR}/sshd_config file"	184	/usr/bin/sed -i -e "s/^#\?[[:space:]]Port[[:space:]]./Port ${port_number}/" \
168	sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$	185	${SYSCONFDIR}/sshd_config
169	/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/	186	if [ $? -ne 0 ]
170	s/^#Port 22/Port ${port_number}/
171	s/^#StrictModes yes/StrictModes no/" \
172	< ${SYSCONFDIR}/sshd_config \
173	> "${sshdconfig_tmp}"
174	if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
175	then	187	then
176	csih_warning "Setting privilege separation to 'yes' failed!"	188	csih_warning "Setting listening port to ${port_number} failed!"
177	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"	189	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
178	let ++ret	190	let ++ret
		191	fi
		192	fi
		193	if [ "${strictmodes}" = "no" ]
		194	then
		195	/usr/bin/sed -i -e "s/^#\?[[:space:]]StrictModes[[:space:]]./StrictModes no/" \
		196	${SYSCONFDIR}/sshd_config
		197	if [ $? -ne 0 ]
		198	then
		199	csih_warning "Setting StrictModes to 'no' failed!"
		200	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
		201	let ++ret
179	fi	202	fi
180	elif [ "${privsep_configured}" != "yes" ]	203	fi
		204	if [ "${sshd_config_configured}" != "yes" ]
181	then	205	then
182	echo >> ${SYSCONFDIR}/sshd_config	206	/usr/bin/sed -i -e "
183	if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config	207	s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
		208	${SYSCONFDIR}/sshd_config
		209	if [ $? -ne 0 ]
184	then	210	then
185	csih_warning "Setting privilege separation to 'yes' failed!"	211	csih_warning "Setting privilege separation failed!"
186	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"	212	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
187	let ++ret	213	let ++ret
188	fi	214	fi
189	fi	215	fi
190	return $ret	216	return $ret
191	} # --- End of sshd_privsep --- #	217	} # --- End of sshd_config_tweak --- #
192		218
193	# ======================================================================	219	# ======================================================================
194	# Routine: update_inetd_conf	220	# Routine: update_inetd_conf
@@ -207,11 +233,11 @@ update_inetd_conf() {
207	# we have inetutils-1.5 inetd.d support	233	# we have inetutils-1.5 inetd.d support
208	if [ -f "${_inetcnf}" ]	234	if [ -f "${_inetcnf}" ]
209	then	235	then
210	/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0	236	/usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
211		237
212	# check for sshd OR ssh in top-level inetd.conf file, and remove	238	# check for sshd OR ssh in top-level inetd.conf file, and remove
213	# will be replaced by a file in inetd.d/	239	# will be replaced by a file in inetd.d/
214	if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]	240	if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
215	then	241	then
216	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"	242	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
217	if [ -f "${_inetcnf_tmp}" ]	243	if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +262,9 @@ update_inetd_conf() {
236	then	262	then
237	if [ "${_with_comment}" -eq 0 ]	263	if [ "${_with_comment}" -eq 0 ]
238	then	264	then
239	/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"	265	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
240	else	266	else
241	/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"	267	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
242	fi	268	fi
243	if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"	269	if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
244	then	270	then
@@ -251,13 +277,13 @@ update_inetd_conf() {
251		277
252	elif [ -f "${_inetcnf}" ]	278	elif [ -f "${_inetcnf}" ]
253	then	279	then
254	/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0	280	/usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
255		281
256	# check for sshd in top-level inetd.conf file, and remove	282	# check for sshd in top-level inetd.conf file, and remove
257	# will be replaced by a file in inetd.d/	283	# will be replaced by a file in inetd.d/
258	if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]	284	if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
259	then	285	then
260	/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"	286	/usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
261	if [ -f "${_inetcnf_tmp}" ]	287	if [ -f "${_inetcnf_tmp}" ]
262	then	288	then
263	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"	289	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +331,26 @@ check_service_files_ownership() {
305		331
306	if [ -z "${run_service_as}" ]	332	if [ -z "${run_service_as}" ]
307	then	333	then
308	accnt_name=$(/usr/bin/cygrunsrv -VQ sshd \| /usr/bin/sed -ne 's/^Account : //gp')	334	accnt_name=$(/usr/bin/cygrunsrv -VQ sshd \|
		335	/usr/bin/sed -ne 's/^Account : //gp')
309	if [ "${accnt_name}" = "LocalSystem" ]	336	if [ "${accnt_name}" = "LocalSystem" ]
310	then	337	then
311	# Convert "LocalSystem" to "SYSTEM" as is the correct account name	338	# Convert "LocalSystem" to "SYSTEM" as is the correct account name
312	accnt_name="SYSTEM:"	339	run_service_as="SYSTEM"
313	elif [[ "${accnt_name}" =~ ^\.\\ ]]	340	else
314	then	341	dom="${accnt_name%%\\*}"
315	# Convert "." domain to local machine name	342	accnt_name="${accnt_name#*\\}"
316	accnt_name="U-${COMPUTERNAME}${accnt_name#.},"	343	if [ "${dom}" = '.' ]
		344	then
		345	# Check local account
		346	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" \|
		347	/usr/bin/awk -F: '{print $1;}')
		348	else
		349	# Check domain
		350	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" \|
		351	/usr/bin/awk -F: '{print $1;}')
		352	fi
317	fi	353	fi
318	run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd \| /usr/bin/awk -F: '{print $1;}')
319	if [ -z "${run_service_as}" ]	354	if [ -z "${run_service_as}" ]
320	then	355	then
321	csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"	356	csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
@@ -615,32 +650,6 @@ echo
615		650
616	warning_cnt=0	651	warning_cnt=0
617		652
618	# Check for ${SYSCONFDIR} directory
619	csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
620	if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
621	then
622	csih_warning "Can't set permissions on ${SYSCONFDIR}!"
623	let ++warning_cnt
624	fi
625	if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
626	then
627	csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
628	let ++warning_cnt
629	fi
630
631	# Check for /var/log directory
632	csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
633	if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
634	then
635	csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
636	let ++warning_cnt
637	fi
638	if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
639	then
640	csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
641	let ++warning_cnt
642	fi
643
644	# Create /var/log/lastlog if not already exists	653	# Create /var/log/lastlog if not already exists
645	if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]	654	if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
646	then	655	then
@@ -665,13 +674,9 @@ then
665	csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"	674	csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
666	let ++warning_cnt	675	let ++warning_cnt
667	fi	676	fi
668	if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
669	then
670	csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
671	let ++warning_cnt
672	fi
673		677
674	# generate missing host keys	678	# generate missing host keys
		679	csih_inform "Generating missing SSH host keys"
675	/usr/bin/ssh-keygen -A \|\| let warning_cnt+=$?	680	/usr/bin/ssh-keygen -A \|\| let warning_cnt+=$?
676		681
677	# handle ssh_config	682	# handle ssh_config
@@ -690,10 +695,11 @@ fi
690	csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" \|\| let ++warning_cnt	695	csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" \|\| let ++warning_cnt
691	if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1	696	if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
692	then	697	then
693	/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes	698	sshd_config_configured=yes
694	fi	699	fi
		700	sshd_strictmodes \|\| let warning_cnt+=$?
695	sshd_privsep \|\| let warning_cnt+=$?	701	sshd_privsep \|\| let warning_cnt+=$?
696		702	sshd_config_tweak \|\| let warning_cnt+=$?
697	update_services_file \|\| let warning_cnt+=$?	703	update_services_file \|\| let warning_cnt+=$?
698	update_inetd_conf \|\| let warning_cnt+=$?	704	update_inetd_conf \|\| let warning_cnt+=$?
699	install_service \|\| let warning_cnt+=$?	705	install_service \|\| let warning_cnt+=$?