1 files changed, 408 insertions, 490 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index e2ad69f19..bbb6da4c4 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -4,6 +4,15 @@
 #
 # This file is part of the Cygwin port of OpenSSH.
+# ======================================================================
+# Initialization
+# ======================================================================
+PROGNAME=$(basename $0)
+_tdir=$(dirname $0)
+PROGDIR=$(cd $_tdir && pwd)
+CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
 # Subdirectory where the new package is being installed
 PREFIX=/usr
@@ -11,43 +20,371 @@ PREFIX=/usr
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
-progname=$0
+source ${CSIH_SCRIPT}
-auto_answer=""
-port_number=22
+port_number=22
 privsep_configured=no
 privsep_used=yes
-sshd_in_passwd=no
+cygwin_value="ntsec"
-sshd_in_sam=no
+password_value=
+# ======================================================================
+# Routine: create_host_keys
+# ======================================================================
+create_host_keys() {
+  if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
+  then
+    csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
+    ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
+  fi
+  
+  if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
+  then
+    csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
+    ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
+  fi
+  
+  if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
+  then
+    csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
+    ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
+  fi
+} # --- End of create_host_keys --- #
+# ======================================================================
+# Routine: update_services_file
+# ======================================================================
+update_services_file() {
+  local _my_etcdir="/ssh-host-config.$$"
+  local _win_etcdir
+  local _services
+  local _spaces
+  local _serv_tmp
+  local _wservices
+  if csih_is_nt
+  then
+    _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+    _services="${_my_etcdir}/services"
+    # On NT, 27 spaces, no space after the hash
+    _spaces="                           #"
+  else
+    _win_etcdir="${WINDIR}"
+    _services="${_my_etcdir}/SERVICES"
+    # On 9x, 18 spaces (95 is very touchy), a space after the hash
+    _spaces="                  # "
+  fi
+  _serv_tmp="${_my_etcdir}/srv.out.$$"
+  
+  mount -t -f "${_win_etcdir}" "${_my_etcdir}"
+  
+  # Depends on the above mount
+  _wservices=`cygpath -w "${_services}"`
+  
+  # Remove sshd 22/port from services
+  if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
+  then
+    grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
+    if [ -f "${_serv_tmp}" ]
+    then
+      if mv "${_serv_tmp}" "${_services}"
+      then
+        csih_inform "Removing sshd from ${_wservices}"
+      else
+        csih_warning "Removing sshd from ${_wservices} failed!"
+      fi
+      rm -f "${_serv_tmp}"
+    else
+      csih_warning "Removing sshd from ${_wservices} failed!"
+    fi
+  fi
+  
+  # Add ssh 22/tcp  and ssh 22/udp to services
+  if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+  then
+    if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
+    then
+      if mv "${_serv_tmp}" "${_services}"
+      then
+        csih_inform "Added ssh to ${_wservices}"
+      else
+        csih_warning "Adding ssh to ${_wservices} failed!"
+      fi
+      rm -f "${_serv_tmp}"
+    else
+      csih_warning "Adding ssh to ${_wservices} failed!"
+    fi
+  fi
+  umount "${_my_etcdir}"
+} # --- End of update_services_file --- #
+# ======================================================================
+# Routine: sshd_privsep
+#  MODIFIES: privsep_configured  privsep_used
+# ======================================================================
+sshd_privsep() {
+  local sshdconfig_tmp
-request()
+  if [ "${privsep_configured}" != "yes" ]
-{
+  then
-  if [ "${auto_answer}" = "yes" ]
+    if csih_is_nt
+    then
+      csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
+      csih_inform "However, this requires a non-privileged account called 'sshd'."
+      csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
+      if csih_request "Should privilege separation be used?"
+      then
+        privsep_used=yes
+        if ! csih_create_unprivileged_user sshd
+        then
+          csih_warning "Couldn't create user 'sshd'!"
+          csih_warning "Privilege separation set to 'no' again!"
+          csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+          privsep_used=no
+        fi
+      else
+        privsep_used=no
+      fi
+    else
+      # On 9x don't use privilege separation.  Since security isn't
+      # available it just adds useless additional processes.
+      privsep_used=no
+    fi
+  fi
+  
+  # Create default sshd_config from skeleton files in /etc/defaults/etc or
+  # modify to add the missing privsep configuration option
+  if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
  then
-    echo "$1 (yes/no) yes"
+    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
-    return 0
+    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
-  elif [ "${auto_answer}" = "no" ]
+    sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+          s/^#Port 22/Port ${port_number}/
+          s/^#StrictModes yes/StrictModes no/" \
+        < ${SYSCONFDIR}/sshd_config \
+        > "${sshdconfig_tmp}"
+    mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+  elif [ "${privsep_configured}" != "yes" ]
  then
-    echo "$1 (yes/no) no"
+    echo >> ${SYSCONFDIR}/sshd_config
-    return 1
+    echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
  fi
+} # --- End of sshd_privsep --- #
+# ======================================================================
+# Routine: update_inetd_conf
+# ======================================================================
+update_inetd_conf() {
+  local _inetcnf="${SYSCONFDIR}/inetd.conf"
+  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
+  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
+  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
+  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
+  local _with_comment=1
+  if [ -d "${_inetcnf_dir}" ]
+  then
+    # we have inetutils-1.5 inetd.d support
+    if [ -f "${_inetcnf}" ]
+    then
+      grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
-  answer=""
+      # check for sshd OR ssh in top-level inetd.conf file, and remove
-  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
+      # will be replaced by a file in inetd.d/
-  do
+      if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
-    echo -n "$1 (yes/no) "
+      then
-    read -e answer
+        grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
-  done
+        if [ -f "${_inetcnf_tmp}" ]
-  if [ "X${answer}" = "Xyes" ]
+        then
+          if mv "${_inetcnf_tmp}" "${_inetcnf}"
+          then
+            csih_inform "Removed ssh[d] from ${_inetcnf}"
+          else
+            csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+          fi
+          rm -f "${_inetcnf_tmp}"
+        else
+          csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+        fi
+      fi
+    fi
+    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
+    if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
+    then
+      if [ "${_with_comment}" -eq 0 ]
+      then
+        sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+      else
+        sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+      fi
+      mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
+      csih_inform "Updated ${_sshd_inetd_conf}"
+    fi 
+  elif [ -f "${_inetcnf}" ]
  then
-    return 0
+    grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
-  else
-    return 1
+    # check for sshd in top-level inetd.conf file, and remove
+    # will be replaced by a file in inetd.d/
+    if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+    then
+      grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+      if [ -f "${_inetcnf_tmp}" ]
+      then
+        if mv "${_inetcnf_tmp}" "${_inetcnf}"
+        then
+            csih_inform "Removed sshd from ${_inetcnf}"
+        else
+            csih_warning "Removing sshd from ${_inetcnf} failed!"
+        fi
+        rm -f "${_inetcnf_tmp}"
+      else
+        csih_warning "Removing sshd from ${_inetcnf} failed!"
+      fi
+    fi
+  
+    # Add ssh line to inetd.conf
+    if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
+    then
+      if [ "${_with_comment}" -eq 0 ]
+      then
+        echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+      else
+        echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+      fi
+      csih_inform "Added ssh to ${_inetcnf}"
+    fi
  fi
-}
+} # --- End of update_inetd_conf --- #
-# Check options
+# ======================================================================
+# Routine: install_service
+#   Install sshd as a service
+# ======================================================================
+install_service() {
+  local run_service_as
+  local password
+  if csih_is_nt
+  then
+    if ! cygrunsrv -Q sshd >/dev/null 2>&1
+    then
+      echo
+      echo
+      csih_warning "The following functions require administrator privileges!"
+      echo
+      echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
+      if csih_request "(Say \"no\" if it is already installed as a service)"
+      then
+        csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
+        csih_inform "for sshd to be able to change user context without password."
+        csih_get_cygenv "${cygwin_value}"
+        if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+        then
+          csih_inform "On Windows Server 2003, Windows Vista, and above, the"
+          csih_inform "SYSTEM account cannot setuid to other users -- a capability"
+          csih_inform "sshd requires.  You need to have or to create a privileged"
+          csih_inform "account.  This script will help you do so."
+          echo
+          if ! csih_create_privileged_user "${password_value}"
+          then
+            csih_error_recoverable "There was a serious problem creating a privileged user."
+            csih_request "Do you want to proceed anyway?" || exit 1
+          fi
+        fi
+        # never returns empty if NT or above
+        run_service_as=$(csih_service_should_run_as)
+        if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
+        then
+          password="${csih_PRIVILEGED_PASSWORD}"
+          if [ -z "${password}" ]
+          then
+            csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
+            password="${csih_value}"
+          fi
+        fi
+        # at this point, we either have $run_service_as = "system" and $password is empty,
+        # or $run_service_as is some privileged user and (hopefully) $password contains
+        # the correct password.  So, from here out, we use '-z "${password}"' to discriminate
+        # the two cases.
+        csih_check_user "${run_service_as}"
+        if [ -z "${password}" ]
+        then
+          if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
+             -e CYGWIN="${csih_cygenv}"
+          then
+            echo
+            csih_inform "The sshd service has been installed under the LocalSystem"
+            csih_inform "account (also known as SYSTEM). To start the service now, call"
+            csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
+            csih_inform "will start automatically after the next reboot."
+          fi
+        else
+          if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
+             -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
+          then
+            echo
+            csih_inform "The sshd service has been installed under the '${run_service_as}'"
+            csih_inform "account.  To start the service now, call \`net start sshd' or"
+            csih_inform "\`cygrunsrv -S sshd'.  Otherwise, it will start automatically"
+            csih_inform "after the next reboot."
+          fi
+        fi
+        # now, if successfully installed, set ownership of the affected files 
+        if cygrunsrv -Q sshd >/dev/null 2>&1
+        then
+          chown "${run_service_as}" ${SYSCONFDIR}/ssh*
+          chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
+          chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
+          if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+          then
+            chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
+          fi
+        else
+          csih_warning "Something went wrong installing the sshd service."
+        fi
+      fi # user allowed us to install as service
+    fi # service not yet installed
+  fi # csih_is_nt
+} # --- End of install_service --- #
+# ======================================================================
+# Main Entry Point
+# ======================================================================
+# Check how the script has been started.  If
+#   (1) it has been started by giving the full path and
+#       that path is /etc/postinstall, OR
+#   (2) Otherwise, if the environment variable
+#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
+# then set auto_answer to "no".  This allows automatic
+# creation of the config files in /etc w/o overwriting
+# them if they already exist.  In both cases, color
+# escape sequences are suppressed, so as to prevent
+# cluttering setup's logfiles.
+if [ "$PROGDIR" = "/etc/postinstall" ]
+then
+  csih_auto_answer="no"
+  csih_disable_color
+fi
+if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
+then
+  csih_auto_answer="no"
+  csih_disable_color
+fi
+# ======================================================================
+# Parse options
+# ======================================================================
 while :
 do
  case $# in
@@ -62,14 +399,15 @@ do
  case "${option}" in
  -d | --debug )
    set -x
+    csih_trace_on
    ;;
  -y | --yes )
-    auto_answer=yes
+    csih_auto_answer=yes
    ;;
  -n | --no )
-    auto_answer=no
+    csih_auto_answer=no
    ;;
  -c | --cygwin )
@@ -87,6 +425,10 @@ do
    shift
    ;;
+  --privileged )
+    csih_FORCE_PRIVILEGED_USER=yes
+    ;;
  *)
    echo "usage: ${progname} [OPTION]..."
    echo
@@ -98,7 +440,9 @@ do
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
-    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'sshd_server'."
+    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
+    echo "  --privileged           On Windows NT/2k/XP, require privileged user"
+    echo "                         instead of LocalSystem for sshd service."
    echo
    exit 1
    ;;
@@ -106,73 +450,34 @@ do
  esac
 done
-# Check if running on NT
+# ======================================================================
-_sys="`uname`"
+# Action!
-_nt=`expr "${_sys}" : "CYGWIN_NT"`
+# ======================================================================
-# If running on NT, check if running under 2003 Server or later
-if [ ${_nt} -gt 0 ]
-then
-  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
-fi
 # Check for running ssh/sshd processes first. Refuse to do anything while
 # some ssh processes are still running
 if ps -ef | grep -v grep | grep -q ssh
 then
  echo
-  echo "There are still ssh processes running. Please shut them down first."
+  csih_error "There are still ssh processes running. Please shut them down first."
-  echo
-  exit 1
 fi
 # Check for ${SYSCONFDIR} directory
+csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
+chmod 775 "${SYSCONFDIR}"
+setfacl -m u:system:rwx "${SYSCONFDIR}"
-if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
+# Check for /var/log directory
-then
+csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
-  echo
+chmod 775 "${LOCALSTATEDIR}/log"
-  echo "${SYSCONFDIR} is existant but not a directory."
+setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
-  echo "Cannot create global configuration files."
-  echo
-  exit 1
-fi
-# Create it if necessary
-if [ ! -e "${SYSCONFDIR}" ]
-then
-  mkdir "${SYSCONFDIR}"
-  if [ ! -e "${SYSCONFDIR}" ]
-  then
-    echo
-    echo "Creating ${SYSCONFDIR} directory failed"
-    echo
-    exit 1
-  fi
-fi
-# Create /var/log and /var/log/lastlog if not already existing
-if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
-then
-  echo
-  echo "${LOCALSTATEDIR}/log is existant but not a directory."
-  echo "Cannot create ssh host configuration."
-  echo
-  exit 1
-fi
-if [ ! -e ${LOCALSTATEDIR}/log ]
-then
-  mkdir -p ${LOCALSTATEDIR}/log
-fi
+# Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
 then
  echo 
-  echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
+  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
-  echo "Cannot create ssh host configuration."
+                   "Cannot create ssh host configuration."
-  echo 
-  exit 1
 fi
 if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
 then
@@ -181,431 +486,44 @@ then
 fi
 # Create /var/empty file used as chroot jail for privilege separation
-if [ -f ${LOCALSTATEDIR}/empty ]
+csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
-then
+chmod 755 "${LOCALSTATEDIR}/empty"
-  echo "Creating ${LOCALSTATEDIR}/empty failed!"
+setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
-else
-  mkdir -p ${LOCALSTATEDIR}/empty
-  if [ ${_nt} -gt 0 ]
-  then
-    chmod 755 ${LOCALSTATEDIR}/empty
-  fi
-fi
-# First generate host keys if not already existing
+# host keys
+create_host_keys
-if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
+# use 'cmp' program to determine if a config file is identical
-then
+# to the default version of that config file
-  echo "Generating ${SYSCONFDIR}/ssh_host_key"
+csih_check_program_or_error cmp diffutils
-  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
-fi
-if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
-then
-  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
-  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
-fi
-if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
+# handle ssh_config
+csih_install_config "${SYSCONFDIR}/ssh_config"   "${SYSCONFDIR}/defaults"
+if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
 then
-  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
-  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
-fi
-# Check if ssh_config exists. If yes, ask for overwriting
-if [ -f "${SYSCONFDIR}/ssh_config" ]
-then
-  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
-  then
-    rm -f "${SYSCONFDIR}/ssh_config"
-    if [ -f "${SYSCONFDIR}/ssh_config" ]
-    then
-      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
-    fi
-  fi
-fi
-# Create default ssh_config from skeleton file in /etc/defaults/etc
-if [ ! -f "${SYSCONFDIR}/ssh_config" ]
-then
-  echo "Generating ${SYSCONFDIR}/ssh_config file"
-  cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
  if [ "${port_number}" != "22" ]
  then
+    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
  fi
 fi
-# Check if sshd_config exists. If yes, ask for overwriting
+# handle sshd_config (and privsep)
+csih_install_config "${SYSCONFDIR}/sshd_config"   "${SYSCONFDIR}/defaults"
-if [ -f "${SYSCONFDIR}/sshd_config" ]
+if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
+  grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
-  then
-    rm -f "${SYSCONFDIR}/sshd_config"
-    if [ -f "${SYSCONFDIR}/sshd_config" ]
-    then
-      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
-    fi
-  else
-    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
-  fi
 fi
+sshd_privsep
-# Prior to creating or modifying sshd_config, care for privilege separation
-if [ "${privsep_configured}" != "yes" ]
-then
-  if [ ${_nt} -gt 0 ]
-  then
-    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
-    echo "However, this requires a non-privileged account called 'sshd'."
-    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
-    echo
-    if request "Should privilege separation be used?"
-    then
-      privsep_used=yes
-      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
-      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
-      if [ "${sshd_in_passwd}" != "yes" ]
-      then
-        if [ "${sshd_in_sam}" != "yes" ]
-        then
-          echo "Warning: The following function requires administrator privileges!"
-          if request "Should this script create a local user 'sshd' on this machine?"
-          then
-            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
-            net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
-            if [ "${sshd_in_sam}" != "yes" ]
-            then
-              echo "Warning: Creating the user 'sshd' failed!"
-            fi
-          fi
-        fi
-        if [ "${sshd_in_sam}" != "yes" ]
-        then
-          echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
-          echo "         Privilege separation set to 'no' again!"
-          echo "         Check your ${SYSCONFDIR}/sshd_config file!"
-          privsep_used=no
-        else
-          mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
-        fi
-      fi
-    else
-      privsep_used=no
-    fi
-  else
-    # On 9x don't use privilege separation.  Since security isn't
-    # available it just adds useless additional processes.
-    privsep_used=no
-  fi
-fi
-# Create default sshd_config from skeleton files in /etc/defaults/etc or
-# modify to add the missing privsep configuration option
-if [ ! -f "${SYSCONFDIR}/sshd_config" ]
-then
-  echo "Generating ${SYSCONFDIR}/sshd_config file"
-  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
-          s/^#Port 22/Port ${port_number}/
-          s/^#StrictModes yes/StrictModes no/" \
-      < ${SYSCONFDIR}/defaults/etc/sshd_config \
-      > ${SYSCONFDIR}/sshd_config
-elif [ "${privsep_configured}" != "yes" ]
-then
-  echo >> ${SYSCONFDIR}/sshd_config
-  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
-fi
-# Care for services file
+update_services_file 
-_my_etcdir="/ssh-host-config.$$"
+update_inetd_conf
-if [ ${_nt} -gt 0 ]
+install_service
-then
-  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
-  _services="${_my_etcdir}/services"
-  # On NT, 27 spaces, no space after the hash
-  _spaces="                           #"
-else
-  _win_etcdir="${WINDIR}"
-  _services="${_my_etcdir}/SERVICES"
-  # On 9x, 18 spaces (95 is very touchy), a space after the hash
-  _spaces="                  # "
-fi
-_serv_tmp="${_my_etcdir}/srv.out.$$"
-mount -t -f "${_win_etcdir}" "${_my_etcdir}"
-# Depends on the above mount
-_wservices=`cygpath -w "${_services}"`
-# Remove sshd 22/port from services
-if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-then
-  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
-  if [ -f "${_serv_tmp}" ]
-  then
-    if mv "${_serv_tmp}" "${_services}"
-    then
-      echo "Removing sshd from ${_wservices}"
-    else
-      echo "Removing sshd from ${_wservices} failed!"
-    fi
-    rm -f "${_serv_tmp}"
-  else
-    echo "Removing sshd from ${_wservices} failed!"
-  fi
-fi
-# Add ssh 22/tcp  and ssh 22/udp to services
-if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
-then
-  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
-  then
-    if mv "${_serv_tmp}" "${_services}"
-    then
-      echo "Added ssh to ${_wservices}"
-    else
-      echo "Adding ssh to ${_wservices} failed!"
-    fi
-    rm -f "${_serv_tmp}"
-  else
-    echo "WARNING: Adding ssh to ${_wservices} failed!"
-  fi
-fi
-umount "${_my_etcdir}"
-# Care for inetd.conf file
-_inetcnf="${SYSCONFDIR}/inetd.conf"
-_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
-if [ -f "${_inetcnf}" ]
-then
-  # Check if ssh service is already in use as sshd
-  with_comment=1
-  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
-  # Remove sshd line from inetd.conf
-  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
-  then
-    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
-    if [ -f "${_inetcnf_tmp}" ]
-    then
-      if mv "${_inetcnf_tmp}" "${_inetcnf}"
-      then
-        echo "Removed sshd from ${_inetcnf}"
-      else
-        echo "Removing sshd from ${_inetcnf} failed!"
-      fi
-      rm -f "${_inetcnf_tmp}"
-    else
-      echo "Removing sshd from ${_inetcnf} failed!"
-    fi
-  fi
-  # Add ssh line to inetd.conf
-  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
-  then
-    if [ "${with_comment}" -eq 0 ]
-    then
-      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
-    else
-      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
-    fi
-    echo "Added ssh to ${_inetcnf}"
-  fi
-fi
-# On NT ask if sshd should be installed as service
-if [ ${_nt} -gt 0 ]
-then
-  # But only if it is not already installed
-  if ! cygrunsrv -Q sshd > /dev/null 2>&1
-  then
-    echo
-    echo
-    echo "Warning: The following functions require administrator privileges!"
-    echo
-    echo "Do you want to install sshd as service?"
-    if request "(Say \"no\" if it's already installed as service)"
-    then
-      if [ $_nt2003 -gt 0 ]
-      then
-        grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
-        if [ "${sshd_server_in_passwd}" = "yes" ]
-        then
-          # Drop sshd_server from passwd since it could have wrong settings
-          grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
-          rm -f ${SYSCONFDIR}/passwd
-          mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
-          chmod g-w,o-w ${SYSCONFDIR}/passwd
-        fi
-        net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
-        if [ "${sshd_server_in_sam}" != "yes" ]
-        then
-          echo
-          echo "You appear to be running Windows 2003 Server or later.  On 2003 and"
-          echo "later systems, it's not possible to use the LocalSystem account"
-          echo "if sshd should allow passwordless logon (e. g. public key authentication)."
-          echo "If you want to enable that functionality, it's required to create a new"
-          echo "account 'sshd_server' with special privileges, which is then used to run"
-          echo "the sshd service under."
-          echo
-          echo "Should this script create a new local account 'sshd_server' which has"
-          if request "the required privileges?"
-          then
-            _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
-            if [ -z "${_admingroup}" ]
-            then
-              echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
-              exit 1
-            fi
-            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
-            while [ "${sshd_server_in_sam}" != "yes" ]
-            do
-              if [ -n "${password_value}" ]
-              then
-                _password="${password_value}"
-                # Allow to ask for password if first try fails
-                password_value=""
-              else
-                echo
-                echo "Please enter a password for new user 'sshd_server'.  Please be sure that"
-                echo "this password matches the password rules given on your system."
-                echo -n "Entering no password will exit the configuration.  PASSWORD="
-                read -e _password
-                if [ -z "${_password}" ]
-                then
-                  echo
-                  echo "Exiting configuration.  No user sshd_server has been created,"
-                  echo "no sshd service installed."
-                  exit 1
-                fi
-              fi
-              net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
-              if [ "${sshd_server_in_sam}" != "yes" ]
-              then
-                echo "Creating the user 'sshd_server' failed!  Reason:"
-                cat /tmp/nu.$$
-                rm /tmp/nu.$$
-              fi
-            done
-            net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
-            if [ "${sshd_server_in_admingroup}" != "yes" ]
-            then
-              echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
-              echo "Please add sshd_server to local group ${_admingroup} before"
-              echo "starting the sshd service!"
-              echo
-            fi
-            passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
-            if [ "${passwd_has_expiry_flags}" != "yes" ]
-            then
-              echo
-              echo "WARNING: User sshd_server has password expiry set to system default."
-              echo "Please check that password never expires or set it to your needs."
-            elif ! passwd -e sshd_server
-            then
-              echo
-              echo "WARNING: Setting password expiry for user sshd_server failed!"
-              echo "Please check that password never expires or set it to your needs."
-            fi
-            editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
-            editrights -a SeCreateTokenPrivilege -u sshd_server &&
-            editrights -a SeTcbPrivilege -u sshd_server &&
-            editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
-            editrights -a SeDenyNetworkLogonRight -u sshd_server &&
-            editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
-            editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
-            editrights -a SeServiceLogonRight -u sshd_server &&
-            sshd_server_got_all_rights="yes"
-            if [ "${sshd_server_got_all_rights}" != "yes" ]
-            then
-              echo
-              echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
-              echo "Can't create sshd service!"
-              exit 1
-            fi
-            echo
-            echo "User 'sshd_server' has been created with password '${_password}'."
-            echo "If you change the password, please keep in mind to change the password"
-            echo "for the sshd service, too."
-            echo
-            echo "Also keep in mind that the user sshd_server needs read permissions on all"
-            echo "users' .ssh/authorized_keys file to allow public key authentication for"
-            echo "these users!.  (Re-)running ssh-user-config for each user will set the"
-            echo "required permissions correctly."
-            echo
-          fi
-        fi
-        if [ "${sshd_server_in_sam}" = "yes" ]
-        then
-          mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
-        fi
-      fi
-      if [ -n "${cygwin_value}" ]
-      then
-        _cygwin="${cygwin_value}"
-      else
-        echo
-        echo "Which value should the environment variable CYGWIN have when"
-        echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
-        echo "able to change user context without password."
-        echo -n "Default is \"ntsec\".  CYGWIN="
-        read -e _cygwin
-      fi
-      [ -z "${_cygwin}" ] && _cygwin="ntsec"
-      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
-      then
-        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
-        then
-          echo
-          echo "The service has been installed under sshd_server account."
-          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
-        fi
-      else
-        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
-        then
-          echo
-          echo "The service has been installed under LocalSystem account."
-          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
-        fi
-      fi
-    fi
-    # Now check if sshd has been successfully installed.  This allows to
-    # set the ownership of the affected files correctly.
-    if cygrunsrv -Q sshd > /dev/null 2>&1
-    then
-      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
-      then
-        _user="sshd_server"
-      else
-        _user="system"
-      fi
-      chown "${_user}" ${SYSCONFDIR}/ssh*
-      chown "${_user}".544 ${LOCALSTATEDIR}/empty
-      chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
-      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
-      then
-        chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
-      fi
-    fi
-    if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
-    then
-      echo
-      echo "Warning: It appears that you have user mode mounts (\"Just me\""
-      echo "chosen during install.)  Any daemons installed as services will"
-      echo "fail to function unless system mounts are used.  To change this,"
-      echo "re-run setup.exe and choose \"All users\"."
-      echo
-      echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
-    fi
-  fi
-fi
 echo
-echo "Host configuration finished. Have fun!"
+csih_inform "Host configuration finished. Have fun!"