summaryrefslogtreecommitdiff
path: root/contrib/cygwin/ssh-host-config
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config502
1 files changed, 249 insertions, 253 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index c69cfd88b..18793ca85 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
1#!/bin/sh 1#!/bin/bash
2# 2#
3# ssh-host-config, Copyright 2000, Red Hat Inc. 3# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6 6
@@ -9,10 +9,7 @@ PREFIX=/usr
9 9
10# Directory where the config files are stored 10# Directory where the config files are stored
11SYSCONFDIR=/etc 11SYSCONFDIR=/etc
12 12LOCALSTATEDIR=/var
13# Subdirectory where an old package might be installed
14OLDPREFIX=/usr/local
15OLDSYSCONFDIR=${OLDPREFIX}/etc
16 13
17progname=$0 14progname=$0
18auto_answer="" 15auto_answer=""
@@ -27,9 +24,11 @@ request()
27{ 24{
28 if [ "${auto_answer}" = "yes" ] 25 if [ "${auto_answer}" = "yes" ]
29 then 26 then
27 echo "$1 (yes/no) yes"
30 return 0 28 return 0
31 elif [ "${auto_answer}" = "no" ] 29 elif [ "${auto_answer}" = "no" ]
32 then 30 then
31 echo "$1 (yes/no) no"
33 return 1 32 return 1
34 fi 33 fi
35 34
@@ -37,7 +36,7 @@ request()
37 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] 36 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
38 do 37 do
39 echo -n "$1 (yes/no) " 38 echo -n "$1 (yes/no) "
40 read answer 39 read -e answer
41 done 40 done
42 if [ "X${answer}" = "Xyes" ] 41 if [ "X${answer}" = "Xyes" ]
43 then 42 then
@@ -60,7 +59,7 @@ do
60 option=$1 59 option=$1
61 shift 60 shift
62 61
63 case "$option" in 62 case "${option}" in
64 -d | --debug ) 63 -d | --debug )
65 set -x 64 set -x
66 ;; 65 ;;
@@ -73,21 +72,33 @@ do
73 auto_answer=no 72 auto_answer=no
74 ;; 73 ;;
75 74
75 -c | --cygwin )
76 cygwin_value="$1"
77 shift
78 ;;
79
76 -p | --port ) 80 -p | --port )
77 port_number=$1 81 port_number=$1
78 shift 82 shift
79 ;; 83 ;;
80 84
85 -w | --pwd )
86 password_value="$1"
87 shift
88 ;;
89
81 *) 90 *)
82 echo "usage: ${progname} [OPTION]..." 91 echo "usage: ${progname} [OPTION]..."
83 echo 92 echo
84 echo "This script creates an OpenSSH host configuration." 93 echo "This script creates an OpenSSH host configuration."
85 echo 94 echo
86 echo "Options:" 95 echo "Options:"
87 echo " --debug -d Enable shell's debug output." 96 echo " --debug -d Enable shell's debug output."
88 echo " --yes -y Answer all questions with \"yes\" automatically." 97 echo " --yes -y Answer all questions with \"yes\" automatically."
89 echo " --no -n Answer all questions with \"no\" automatically." 98 echo " --no -n Answer all questions with \"no\" automatically."
90 echo " --port -p <n> sshd listens on port n." 99 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
100 echo " --port -p <n> sshd listens on port n."
101 echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
91 echo 102 echo
92 exit 1 103 exit 1
93 ;; 104 ;;
@@ -96,8 +107,13 @@ do
96done 107done
97 108
98# Check if running on NT 109# Check if running on NT
99_sys="`uname -a`" 110_sys="`uname`"
100_nt=`expr "$_sys" : "CYGWIN_NT"` 111_nt=`expr "${_sys}" : "CYGWIN_NT"`
112# If running on NT, check if running under 2003 Server or later
113if [ ${_nt} -gt 0 ]
114then
115 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
116fi
101 117
102# Check for running ssh/sshd processes first. Refuse to do anything while 118# Check for running ssh/sshd processes first. Refuse to do anything while
103# some ssh processes are still running 119# some ssh processes are still running
@@ -137,87 +153,33 @@ fi
137 153
138# Create /var/log and /var/log/lastlog if not already existing 154# Create /var/log and /var/log/lastlog if not already existing
139 155
140if [ -f /var/log ] 156if [ -f ${LOCALSTATEDIR}/log ]
141then 157then
142 echo "Creating /var/log failed\!" 158 echo "Creating ${LOCALSTATEDIR}/log failed!"
143else 159else
144 if [ ! -d /var/log ] 160 if [ ! -d ${LOCALSTATEDIR}/log ]
145 then 161 then
146 mkdir -p /var/log 162 mkdir -p ${LOCALSTATEDIR}/log
147 fi 163 fi
148 if [ -d /var/log/lastlog ] 164 if [ -d ${LOCALSTATEDIR}/log/lastlog ]
149 then 165 then
150 echo "Creating /var/log/lastlog failed\!" 166 chmod 777 ${LOCALSTATEDIR}/log/lastlog
151 elif [ ! -f /var/log/lastlog ] 167 elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
152 then 168 then
153 cat /dev/null > /var/log/lastlog 169 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
170 chmod 666 ${LOCALSTATEDIR}/log/lastlog
154 fi 171 fi
155fi 172fi
156 173
157# Create /var/empty file used as chroot jail for privilege separation 174# Create /var/empty file used as chroot jail for privilege separation
158if [ -f /var/empty ] 175if [ -f ${LOCALSTATEDIR}/empty ]
159then 176then
160 echo "Creating /var/empty failed\!" 177 echo "Creating ${LOCALSTATEDIR}/empty failed!"
161else 178else
162 mkdir -p /var/empty 179 mkdir -p ${LOCALSTATEDIR}/empty
163 # On NT change ownership of that dir to user "system" 180 if [ ${_nt} -gt 0 ]
164 if [ $_nt -gt 0 ]
165 then 181 then
166 chmod 755 /var/empty 182 chmod 755 ${LOCALSTATEDIR}/empty
167 chown system.system /var/empty
168 fi
169fi
170
171# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
172# the same as ${PREFIX}
173
174old_install=0
175if [ "${OLDPREFIX}" != "${PREFIX}" ]
176then
177 if [ -f "${OLDPREFIX}/sbin/sshd" ]
178 then
179 echo
180 echo "You seem to have an older installation in ${OLDPREFIX}."
181 echo
182 # Check if old global configuration files exist
183 if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
184 then
185 if request "Do you want to copy your config files to your new installation?"
186 then
187 cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
188 cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
189 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
190 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
191 cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
192 cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
193 fi
194 fi
195 if request "Do you want to erase your old installation?"
196 then
197 rm -f ${OLDPREFIX}/bin/ssh.exe
198 rm -f ${OLDPREFIX}/bin/ssh-config
199 rm -f ${OLDPREFIX}/bin/scp.exe
200 rm -f ${OLDPREFIX}/bin/ssh-add.exe
201 rm -f ${OLDPREFIX}/bin/ssh-agent.exe
202 rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
203 rm -f ${OLDPREFIX}/bin/slogin
204 rm -f ${OLDSYSCONFDIR}/ssh_host_key
205 rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
206 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
207 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
208 rm -f ${OLDSYSCONFDIR}/ssh_config
209 rm -f ${OLDSYSCONFDIR}/sshd_config
210 rm -f ${OLDPREFIX}/man/man1/ssh.1
211 rm -f ${OLDPREFIX}/man/man1/scp.1
212 rm -f ${OLDPREFIX}/man/man1/ssh-add.1
213 rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
214 rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
215 rm -f ${OLDPREFIX}/man/man1/slogin.1
216 rm -f ${OLDPREFIX}/man/man8/sshd.8
217 rm -f ${OLDPREFIX}/sbin/sshd.exe
218 rm -f ${OLDPREFIX}/sbin/sftp-server.exe
219 fi
220 old_install=1
221 fi 183 fi
222fi 184fi
223 185
@@ -255,52 +217,16 @@ then
255 fi 217 fi
256fi 218fi
257 219
258# Create default ssh_config from here script 220# Create default ssh_config from skeleton file in /etc/defaults/etc
259 221
260if [ ! -f "${SYSCONFDIR}/ssh_config" ] 222if [ ! -f "${SYSCONFDIR}/ssh_config" ]
261then 223then
262 echo "Generating ${SYSCONFDIR}/ssh_config file" 224 echo "Generating ${SYSCONFDIR}/ssh_config file"
263 cat > ${SYSCONFDIR}/ssh_config << EOF 225 cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
264# This is the ssh client system-wide configuration file. See 226 if [ "${port_number}" != "22" ]
265# ssh_config(5) for more information. This file provides defaults for
266# users, and the values can be changed in per-user configuration files
267# or on the command line.
268
269# Configuration data is parsed as follows:
270# 1. command line options
271# 2. user-specific file
272# 3. system-wide file
273# Any configuration value is only changed the first time it is set.
274# Thus, host-specific definitions should be at the beginning of the
275# configuration file, and defaults at the end.
276
277# Site-wide defaults for various options
278
279# Host *
280# ForwardAgent no
281# ForwardX11 no
282# RhostsRSAAuthentication no
283# RSAAuthentication yes
284# PasswordAuthentication yes
285# HostbasedAuthentication no
286# BatchMode no
287# CheckHostIP yes
288# AddressFamily any
289# ConnectTimeout 0
290# StrictHostKeyChecking ask
291# IdentityFile ~/.ssh/identity
292# IdentityFile ~/.ssh/id_dsa
293# IdentityFile ~/.ssh/id_rsa
294# Port 22
295# Protocol 2,1
296# Cipher 3des
297# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
298# EscapeChar ~
299EOF
300 if [ "$port_number" != "22" ]
301 then 227 then
302 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config 228 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
303 echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config 229 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
304 fi 230 fi
305fi 231fi
306 232
@@ -322,35 +248,35 @@ fi
322 248
323# Prior to creating or modifying sshd_config, care for privilege separation 249# Prior to creating or modifying sshd_config, care for privilege separation
324 250
325if [ "$privsep_configured" != "yes" ] 251if [ "${privsep_configured}" != "yes" ]
326then 252then
327 if [ $_nt -gt 0 ] 253 if [ ${_nt} -gt 0 ]
328 then 254 then
329 echo "Privilege separation is set to yes by default since OpenSSH 3.3." 255 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
330 echo "However, this requires a non-privileged account called 'sshd'." 256 echo "However, this requires a non-privileged account called 'sshd'."
331 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." 257 echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
332 echo 258 echo
333 if request "Shall privilege separation be used?" 259 if request "Should privilege separation be used?"
334 then 260 then
335 privsep_used=yes 261 privsep_used=yes
336 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes 262 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
337 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes 263 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
338 if [ "$sshd_in_passwd" != "yes" ] 264 if [ "${sshd_in_passwd}" != "yes" ]
339 then 265 then
340 if [ "$sshd_in_sam" != "yes" ] 266 if [ "${sshd_in_sam}" != "yes" ]
341 then 267 then
342 echo "Warning: The following function requires administrator privileges!" 268 echo "Warning: The following function requires administrator privileges!"
343 if request "Shall this script create a local user 'sshd' on this machine?" 269 if request "Should this script create a local user 'sshd' on this machine?"
344 then 270 then
345 dos_var_empty=`cygpath -w /var/empty` 271 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
346 net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes 272 net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
347 if [ "$sshd_in_sam" != "yes" ] 273 if [ "${sshd_in_sam}" != "yes" ]
348 then 274 then
349 echo "Warning: Creating the user 'sshd' failed!" 275 echo "Warning: Creating the user 'sshd' failed!"
350 fi 276 fi
351 fi 277 fi
352 fi 278 fi
353 if [ "$sshd_in_sam" != "yes" ] 279 if [ "${sshd_in_sam}" != "yes" ]
354 then 280 then
355 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" 281 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
356 echo " Privilege separation set to 'no' again!" 282 echo " Privilege separation set to 'no' again!"
@@ -365,117 +291,41 @@ then
365 fi 291 fi
366 else 292 else
367 # On 9x don't use privilege separation. Since security isn't 293 # On 9x don't use privilege separation. Since security isn't
368 # available it just adds useless addtional processes. 294 # available it just adds useless additional processes.
369 privsep_used=no 295 privsep_used=no
370 fi 296 fi
371fi 297fi
372 298
373# Create default sshd_config from here script or modify to add the 299# Create default sshd_config from skeleton files in /etc/defaults/etc or
374# missing privsep configuration option 300# modify to add the missing privsep configuration option
375 301
376if [ ! -f "${SYSCONFDIR}/sshd_config" ] 302if [ ! -f "${SYSCONFDIR}/sshd_config" ]
377then 303then
378 echo "Generating ${SYSCONFDIR}/sshd_config file" 304 echo "Generating ${SYSCONFDIR}/sshd_config file"
379 cat > ${SYSCONFDIR}/sshd_config << EOF 305 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
380# This is the sshd server system-wide configuration file. See 306 s/^#Port 22/Port ${port_number}/
381# sshd_config(5) for more information. 307 s/^#StrictModes yes/StrictModes no/" \
382 308 < ${SYSCONFDIR}/defaults/etc/sshd_config \
383# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 309 > ${SYSCONFDIR}/sshd_config
384 310elif [ "${privsep_configured}" != "yes" ]
385# The strategy used for options in the default sshd_config shipped with
386# OpenSSH is to specify options with their default value where
387# possible, but leave them commented. Uncommented options change a
388# default value.
389
390Port $port_number
391#Protocol 2,1
392#ListenAddress 0.0.0.0
393#ListenAddress ::
394
395# HostKey for protocol version 1
396#HostKey ${SYSCONFDIR}/ssh_host_key
397# HostKeys for protocol version 2
398#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
399#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
400
401# Lifetime and size of ephemeral version 1 server key
402#KeyRegenerationInterval 1h
403#ServerKeyBits 768
404
405# Logging
406#obsoletes QuietMode and FascistLogging
407#SyslogFacility AUTH
408#LogLevel INFO
409
410# Authentication:
411
412#LoginGraceTime 2m
413#PermitRootLogin yes
414# The following setting overrides permission checks on host key files
415# and directories. For security reasons set this to "yes" when running
416# NT/W2K, NTFS and CYGWIN=ntsec.
417StrictModes no
418
419#RSAAuthentication yes
420#PubkeyAuthentication yes
421#AuthorizedKeysFile .ssh/authorized_keys
422
423# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
424#RhostsRSAAuthentication no
425# similar for protocol version 2
426#HostbasedAuthentication no
427# Change to yes if you don't trust ~/.ssh/known_hosts for
428# RhostsRSAAuthentication and HostbasedAuthentication
429#IgnoreUserKnownHosts no
430# Don't read the user's ~/.rhosts and ~/.shosts files
431#IgnoreRhosts yes
432
433# To disable tunneled clear text passwords, change to no here!
434#PasswordAuthentication yes
435#PermitEmptyPasswords no
436
437# Change to no to disable s/key passwords
438#ChallengeResponseAuthentication yes
439
440#AllowTcpForwarding yes
441#GatewayPorts no
442#X11Forwarding no
443#X11DisplayOffset 10
444#X11UseLocalhost yes
445#PrintMotd yes
446#PrintLastLog yes
447#KeepAlive yes
448#UseLogin no
449UsePrivilegeSeparation $privsep_used
450#PermitUserEnvironment no
451#Compression yes
452#ClientAliveInterval 0
453#ClientAliveCountMax 3
454#UseDNS yes
455#PidFile /var/run/sshd.pid
456#MaxStartups 10
457
458# no default banner path
459#Banner /some/path
460
461# override default of no subsystems
462Subsystem sftp /usr/sbin/sftp-server
463EOF
464elif [ "$privsep_configured" != "yes" ]
465then 311then
466 echo >> ${SYSCONFDIR}/sshd_config 312 echo >> ${SYSCONFDIR}/sshd_config
467 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config 313 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
468fi 314fi
469 315
470# Care for services file 316# Care for services file
471_my_etcdir="/ssh-host-config.$$" 317_my_etcdir="/ssh-host-config.$$"
472if [ $_nt -gt 0 ] 318if [ ${_nt} -gt 0 ]
473then 319then
474 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 320 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
475 _services="${_my_etcdir}/services" 321 _services="${_my_etcdir}/services"
322 # On NT, 27 spaces, no space after the hash
323 _spaces=" #"
476else 324else
477 _win_etcdir="${WINDIR}" 325 _win_etcdir="${WINDIR}"
478 _services="${_my_etcdir}/SERVICES" 326 _services="${_my_etcdir}/SERVICES"
327 # On 9x, 18 spaces (95 is very touchy), a space after the hash
328 _spaces=" # "
479fi 329fi
480_serv_tmp="${_my_etcdir}/srv.out.$$" 330_serv_tmp="${_my_etcdir}/srv.out.$$"
481 331
@@ -494,29 +344,28 @@ then
494 then 344 then
495 echo "Removing sshd from ${_wservices}" 345 echo "Removing sshd from ${_wservices}"
496 else 346 else
497 echo "Removing sshd from ${_wservices} failed\!" 347 echo "Removing sshd from ${_wservices} failed!"
498 fi 348 fi
499 rm -f "${_serv_tmp}" 349 rm -f "${_serv_tmp}"
500 else 350 else
501 echo "Removing sshd from ${_wservices} failed\!" 351 echo "Removing sshd from ${_wservices} failed!"
502 fi 352 fi
503fi 353fi
504 354
505# Add ssh 22/tcp and ssh 22/udp to services 355# Add ssh 22/tcp and ssh 22/udp to services
506if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 356if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
507then 357then
508 awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 358 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
509 if [ -f "${_serv_tmp}" ]
510 then 359 then
511 if mv "${_serv_tmp}" "${_services}" 360 if mv "${_serv_tmp}" "${_services}"
512 then 361 then
513 echo "Added ssh to ${_wservices}" 362 echo "Added ssh to ${_wservices}"
514 else 363 else
515 echo "Adding ssh to ${_wservices} failed\!" 364 echo "Adding ssh to ${_wservices} failed!"
516 fi 365 fi
517 rm -f "${_serv_tmp}" 366 rm -f "${_serv_tmp}"
518 else 367 else
519 echo "Adding ssh to ${_wservices} failed\!" 368 echo "WARNING: Adding ssh to ${_wservices} failed!"
520 fi 369 fi
521fi 370fi
522 371
@@ -541,11 +390,11 @@ then
541 then 390 then
542 echo "Removed sshd from ${_inetcnf}" 391 echo "Removed sshd from ${_inetcnf}"
543 else 392 else
544 echo "Removing sshd from ${_inetcnf} failed\!" 393 echo "Removing sshd from ${_inetcnf} failed!"
545 fi 394 fi
546 rm -f "${_inetcnf_tmp}" 395 rm -f "${_inetcnf_tmp}"
547 else 396 else
548 echo "Removing sshd from ${_inetcnf} failed\!" 397 echo "Removing sshd from ${_inetcnf} failed!"
549 fi 398 fi
550 fi 399 fi
551 400
@@ -563,34 +412,181 @@ then
563fi 412fi
564 413
565# On NT ask if sshd should be installed as service 414# On NT ask if sshd should be installed as service
566if [ $_nt -gt 0 ] 415if [ ${_nt} -gt 0 ]
567then 416then
568 echo 417 # But only if it is not already installed
569 echo "Do you want to install sshd as service?" 418 if ! cygrunsrv -Q sshd > /dev/null 2>&1
570 if request "(Say \"no\" if it's already installed as service)"
571 then 419 then
572 echo 420 echo
573 echo "Which value should the environment variable CYGWIN have when" 421 echo
574 echo "sshd starts? It's recommended to set at least \"ntsec\" to be" 422 echo "Warning: The following functions require administrator privileges!"
575 echo "able to change user context without password." 423 echo
576 echo -n "Default is \"binmode ntsec tty\". CYGWIN=" 424 echo "Do you want to install sshd as service?"
577 read _cygwin 425 if request "(Say \"no\" if it's already installed as service)"
578 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
579 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
580 then 426 then
581 chown system ${SYSCONFDIR}/ssh* 427 if [ $_nt2003 -gt 0 ]
582 echo 428 then
583 echo "The service has been installed under LocalSystem account." 429 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
430 if [ "${sshd_server_in_passwd}" = "yes" ]
431 then
432 # Drop sshd_server from passwd since it could have wrong settings
433 grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
434 rm -f ${SYSCONFDIR}/passwd
435 mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
436 chmod g-w,o-w ${SYSCONFDIR}/passwd
437 fi
438 net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
439 if [ "${sshd_server_in_sam}" != "yes" ]
440 then
441 echo
442 echo "You appear to be running Windows 2003 Server or later. On 2003 and"
443 echo "later systems, it's not possible to use the LocalSystem account"
444 echo "if sshd should allow passwordless logon (e. g. public key authentication)."
445 echo "If you want to enable that functionality, it's required to create a new"
446 echo "account 'sshd_server' with special privileges, which is then used to run"
447 echo "the sshd service under."
448 echo
449 echo "Should this script create a new local account 'sshd_server' which has"
450 if request "the required privileges?"
451 then
452 _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
453 if [ -z "${_admingroup}" ]
454 then
455 echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
456 echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
457 echo "and restart this script."
458 exit 1
459 fi
460 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
461 while [ "${sshd_server_in_sam}" != "yes" ]
462 do
463 if [ -n "${password_value}" ]
464 then
465 _password="${password_value}"
466 # Allow to ask for password if first try fails
467 password_value=""
468 else
469 echo
470 echo "Please enter a password for new user 'sshd_server'. Please be sure that"
471 echo "this password matches the password rules given on your system."
472 echo -n "Entering no password will exit the configuration. PASSWORD="
473 read -e _password
474 if [ -z "${_password}" ]
475 then
476 echo
477 echo "Exiting configuration. No user sshd_server has been created,"
478 echo "no sshd service installed."
479 exit 1
480 fi
481 fi
482 net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
483 if [ "${sshd_server_in_sam}" != "yes" ]
484 then
485 echo "Creating the user 'sshd_server' failed! Reason:"
486 cat /tmp/nu.$$
487 rm /tmp/nu.$$
488 fi
489 done
490 net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
491 if [ "${sshd_server_in_admingroup}" != "yes" ]
492 then
493 echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
494 echo "Please add sshd_server to local group ${_admingroup} before"
495 echo "starting the sshd service!"
496 echo
497 fi
498 passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
499 if [ "${passwd_has_expiry_flags}" != "yes" ]
500 then
501 echo
502 echo "WARNING: User sshd_server has password expiry set to system default."
503 echo "Please check that password never expires or set it to your needs."
504 elif ! passwd -e sshd_server
505 then
506 echo
507 echo "WARNING: Setting password expiry for user sshd_server failed!"
508 echo "Please check that password never expires or set it to your needs."
509 fi
510 editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
511 editrights -a SeCreateTokenPrivilege -u sshd_server &&
512 editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
513 editrights -a SeDenyNetworkLogonRight -u sshd_server &&
514 editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
515 editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
516 editrights -a SeServiceLogonRight -u sshd_server &&
517 sshd_server_got_all_rights="yes"
518 if [ "${sshd_server_got_all_rights}" != "yes" ]
519 then
520 echo
521 echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
522 echo "Can't create sshd service!"
523 exit 1
524 fi
525 echo
526 echo "User 'sshd_server' has been created with password '${_password}'."
527 echo "If you change the password, please keep in mind to change the password"
528 echo "for the sshd service, too."
529 echo
530 echo "Also keep in mind that the user sshd_server needs read permissions on all"
531 echo "users' .ssh/authorized_keys file to allow public key authentication for"
532 echo "these users!. (Re-)running ssh-user-config for each user will set the"
533 echo "required permissions correctly."
534 echo
535 fi
536 fi
537 if [ "${sshd_server_in_sam}" = "yes" ]
538 then
539 mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
540 fi
541 fi
542 if [ -n "${cygwin_value}" ]
543 then
544 _cygwin="${cygwin_value}"
545 else
546 echo
547 echo "Which value should the environment variable CYGWIN have when"
548 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
549 echo "able to change user context without password."
550 echo -n "Default is \"ntsec\". CYGWIN="
551 read -e _cygwin
552 fi
553 [ -z "${_cygwin}" ] && _cygwin="ntsec"
554 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
555 then
556 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
557 then
558 echo
559 echo "The service has been installed under sshd_server account."
560 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
561 fi
562 else
563 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
564 then
565 echo
566 echo "The service has been installed under LocalSystem account."
567 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
568 fi
569 fi
570 fi
571 # Now check if sshd has been successfully installed. This allows to
572 # set the ownership of the affected files correctly.
573 if cygrunsrv -Q sshd > /dev/null 2>&1
574 then
575 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
576 then
577 _user="sshd_server"
578 else
579 _user="system"
580 fi
581 chown "${_user}" ${SYSCONFDIR}/ssh*
582 chown "${_user}".544 ${LOCALSTATEDIR}/empty
583 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
584 then
585 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
586 fi
584 fi 587 fi
585 fi 588 fi
586fi 589fi
587 590
588if [ "${old_install}" = "1" ]
589then
590 echo
591 echo "Note: If you have used sshd as service or from inetd, don't forget to"
592 echo " change the path to sshd.exe in the service entry or in inetd.conf."
593fi
594
595echo 591echo
596echo "Host configuration finished. Have fun!" 592echo "Host configuration finished. Have fun!"