Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r-- | contrib/cygwin/ssh-host-config | 502 |
1 files changed, 249 insertions, 253 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index c69cfd88b..18793ca85 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # ssh-host-config, Copyright 2000, Red Hat Inc. | 3 | # ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | 6 | ||
@@ -9,10 +9,7 @@ PREFIX=/usr | |||
9 | 9 | ||
10 | # Directory where the config files are stored | 10 | # Directory where the config files are stored |
11 | SYSCONFDIR=/etc | 11 | SYSCONFDIR=/etc |
12 | 12 | LOCALSTATEDIR=/var | |
13 | # Subdirectory where an old package might be installed | ||
14 | OLDPREFIX=/usr/local | ||
15 | OLDSYSCONFDIR=${OLDPREFIX}/etc | ||
16 | 13 | ||
17 | progname=$0 | 14 | progname=$0 |
18 | auto_answer="" | 15 | auto_answer="" |
@@ -27,9 +24,11 @@ request() | |||
27 | { | 24 | { |
28 | if [ "${auto_answer}" = "yes" ] | 25 | if [ "${auto_answer}" = "yes" ] |
29 | then | 26 | then |
27 | echo "$1 (yes/no) yes" | ||
30 | return 0 | 28 | return 0 |
31 | elif [ "${auto_answer}" = "no" ] | 29 | elif [ "${auto_answer}" = "no" ] |
32 | then | 30 | then |
31 | echo "$1 (yes/no) no" | ||
33 | return 1 | 32 | return 1 |
34 | fi | 33 | fi |
35 | 34 | ||
@@ -37,7 +36,7 @@ request() | |||
37 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] | 36 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] |
38 | do | 37 | do |
39 | echo -n "$1 (yes/no) " | 38 | echo -n "$1 (yes/no) " |
40 | read answer | 39 | read -e answer |
41 | done | 40 | done |
42 | if [ "X${answer}" = "Xyes" ] | 41 | if [ "X${answer}" = "Xyes" ] |
43 | then | 42 | then |
@@ -60,7 +59,7 @@ do | |||
60 | option=$1 | 59 | option=$1 |
61 | shift | 60 | shift |
62 | 61 | ||
63 | case "$option" in | 62 | case "${option}" in |
64 | -d | --debug ) | 63 | -d | --debug ) |
65 | set -x | 64 | set -x |
66 | ;; | 65 | ;; |
@@ -73,21 +72,33 @@ do | |||
73 | auto_answer=no | 72 | auto_answer=no |
74 | ;; | 73 | ;; |
75 | 74 | ||
75 | -c | --cygwin ) | ||
76 | cygwin_value="$1" | ||
77 | shift | ||
78 | ;; | ||
79 | |||
76 | -p | --port ) | 80 | -p | --port ) |
77 | port_number=$1 | 81 | port_number=$1 |
78 | shift | 82 | shift |
79 | ;; | 83 | ;; |
80 | 84 | ||
85 | -w | --pwd ) | ||
86 | password_value="$1" | ||
87 | shift | ||
88 | ;; | ||
89 | |||
81 | *) | 90 | *) |
82 | echo "usage: ${progname} [OPTION]..." | 91 | echo "usage: ${progname} [OPTION]..." |
83 | echo | 92 | echo |
84 | echo "This script creates an OpenSSH host configuration." | 93 | echo "This script creates an OpenSSH host configuration." |
85 | echo | 94 | echo |
86 | echo "Options:" | 95 | echo "Options:" |
87 | echo " --debug -d Enable shell's debug output." | 96 | echo " --debug -d Enable shell's debug output." |
88 | echo " --yes -y Answer all questions with \"yes\" automatically." | 97 | echo " --yes -y Answer all questions with \"yes\" automatically." |
89 | echo " --no -n Answer all questions with \"no\" automatically." | 98 | echo " --no -n Answer all questions with \"no\" automatically." |
90 | echo " --port -p <n> sshd listens on port n." | 99 | echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." |
100 | echo " --port -p <n> sshd listens on port n." | ||
101 | echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'." | ||
91 | echo | 102 | echo |
92 | exit 1 | 103 | exit 1 |
93 | ;; | 104 | ;; |
@@ -96,8 +107,13 @@ do | |||
96 | done | 107 | done |
97 | 108 | ||
98 | # Check if running on NT | 109 | # Check if running on NT |
99 | _sys="`uname -a`" | 110 | _sys="`uname`" |
100 | _nt=`expr "$_sys" : "CYGWIN_NT"` | 111 | _nt=`expr "${_sys}" : "CYGWIN_NT"` |
112 | # If running on NT, check if running under 2003 Server or later | ||
113 | if [ ${_nt} -gt 0 ] | ||
114 | then | ||
115 | _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` | ||
116 | fi | ||
101 | 117 | ||
102 | # Check for running ssh/sshd processes first. Refuse to do anything while | 118 | # Check for running ssh/sshd processes first. Refuse to do anything while |
103 | # some ssh processes are still running | 119 | # some ssh processes are still running |
@@ -137,87 +153,33 @@ fi | |||
137 | 153 | ||
138 | # Create /var/log and /var/log/lastlog if not already existing | 154 | # Create /var/log and /var/log/lastlog if not already existing |
139 | 155 | ||
140 | if [ -f /var/log ] | 156 | if [ -f ${LOCALSTATEDIR}/log ] |
141 | then | 157 | then |
142 | echo "Creating /var/log failed\!" | 158 | echo "Creating ${LOCALSTATEDIR}/log failed!" |
143 | else | 159 | else |
144 | if [ ! -d /var/log ] | 160 | if [ ! -d ${LOCALSTATEDIR}/log ] |
145 | then | 161 | then |
146 | mkdir -p /var/log | 162 | mkdir -p ${LOCALSTATEDIR}/log |
147 | fi | 163 | fi |
148 | if [ -d /var/log/lastlog ] | 164 | if [ -d ${LOCALSTATEDIR}/log/lastlog ] |
149 | then | 165 | then |
150 | echo "Creating /var/log/lastlog failed\!" | 166 | chmod 777 ${LOCALSTATEDIR}/log/lastlog |
151 | elif [ ! -f /var/log/lastlog ] | 167 | elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] |
152 | then | 168 | then |
153 | cat /dev/null > /var/log/lastlog | 169 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog |
170 | chmod 666 ${LOCALSTATEDIR}/log/lastlog | ||
154 | fi | 171 | fi |
155 | fi | 172 | fi |
156 | 173 | ||
157 | # Create /var/empty file used as chroot jail for privilege separation | 174 | # Create /var/empty file used as chroot jail for privilege separation |
158 | if [ -f /var/empty ] | 175 | if [ -f ${LOCALSTATEDIR}/empty ] |
159 | then | 176 | then |
160 | echo "Creating /var/empty failed\!" | 177 | echo "Creating ${LOCALSTATEDIR}/empty failed!" |
161 | else | 178 | else |
162 | mkdir -p /var/empty | 179 | mkdir -p ${LOCALSTATEDIR}/empty |
163 | # On NT change ownership of that dir to user "system" | 180 | if [ ${_nt} -gt 0 ] |
164 | if [ $_nt -gt 0 ] | ||
165 | then | 181 | then |
166 | chmod 755 /var/empty | 182 | chmod 755 ${LOCALSTATEDIR}/empty |
167 | chown system.system /var/empty | ||
168 | fi | ||
169 | fi | ||
170 | |||
171 | # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't | ||
172 | # the same as ${PREFIX} | ||
173 | |||
174 | old_install=0 | ||
175 | if [ "${OLDPREFIX}" != "${PREFIX}" ] | ||
176 | then | ||
177 | if [ -f "${OLDPREFIX}/sbin/sshd" ] | ||
178 | then | ||
179 | echo | ||
180 | echo "You seem to have an older installation in ${OLDPREFIX}." | ||
181 | echo | ||
182 | # Check if old global configuration files exist | ||
183 | if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] | ||
184 | then | ||
185 | if request "Do you want to copy your config files to your new installation?" | ||
186 | then | ||
187 | cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} | ||
188 | cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} | ||
189 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} | ||
190 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} | ||
191 | cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} | ||
192 | cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} | ||
193 | fi | ||
194 | fi | ||
195 | if request "Do you want to erase your old installation?" | ||
196 | then | ||
197 | rm -f ${OLDPREFIX}/bin/ssh.exe | ||
198 | rm -f ${OLDPREFIX}/bin/ssh-config | ||
199 | rm -f ${OLDPREFIX}/bin/scp.exe | ||
200 | rm -f ${OLDPREFIX}/bin/ssh-add.exe | ||
201 | rm -f ${OLDPREFIX}/bin/ssh-agent.exe | ||
202 | rm -f ${OLDPREFIX}/bin/ssh-keygen.exe | ||
203 | rm -f ${OLDPREFIX}/bin/slogin | ||
204 | rm -f ${OLDSYSCONFDIR}/ssh_host_key | ||
205 | rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub | ||
206 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key | ||
207 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub | ||
208 | rm -f ${OLDSYSCONFDIR}/ssh_config | ||
209 | rm -f ${OLDSYSCONFDIR}/sshd_config | ||
210 | rm -f ${OLDPREFIX}/man/man1/ssh.1 | ||
211 | rm -f ${OLDPREFIX}/man/man1/scp.1 | ||
212 | rm -f ${OLDPREFIX}/man/man1/ssh-add.1 | ||
213 | rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 | ||
214 | rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 | ||
215 | rm -f ${OLDPREFIX}/man/man1/slogin.1 | ||
216 | rm -f ${OLDPREFIX}/man/man8/sshd.8 | ||
217 | rm -f ${OLDPREFIX}/sbin/sshd.exe | ||
218 | rm -f ${OLDPREFIX}/sbin/sftp-server.exe | ||
219 | fi | ||
220 | old_install=1 | ||
221 | fi | 183 | fi |
222 | fi | 184 | fi |
223 | 185 | ||
@@ -255,52 +217,16 @@ then | |||
255 | fi | 217 | fi |
256 | fi | 218 | fi |
257 | 219 | ||
258 | # Create default ssh_config from here script | 220 | # Create default ssh_config from skeleton file in /etc/defaults/etc |
259 | 221 | ||
260 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] | 222 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] |
261 | then | 223 | then |
262 | echo "Generating ${SYSCONFDIR}/ssh_config file" | 224 | echo "Generating ${SYSCONFDIR}/ssh_config file" |
263 | cat > ${SYSCONFDIR}/ssh_config << EOF | 225 | cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config |
264 | # This is the ssh client system-wide configuration file. See | 226 | if [ "${port_number}" != "22" ] |
265 | # ssh_config(5) for more information. This file provides defaults for | ||
266 | # users, and the values can be changed in per-user configuration files | ||
267 | # or on the command line. | ||
268 | |||
269 | # Configuration data is parsed as follows: | ||
270 | # 1. command line options | ||
271 | # 2. user-specific file | ||
272 | # 3. system-wide file | ||
273 | # Any configuration value is only changed the first time it is set. | ||
274 | # Thus, host-specific definitions should be at the beginning of the | ||
275 | # configuration file, and defaults at the end. | ||
276 | |||
277 | # Site-wide defaults for various options | ||
278 | |||
279 | # Host * | ||
280 | # ForwardAgent no | ||
281 | # ForwardX11 no | ||
282 | # RhostsRSAAuthentication no | ||
283 | # RSAAuthentication yes | ||
284 | # PasswordAuthentication yes | ||
285 | # HostbasedAuthentication no | ||
286 | # BatchMode no | ||
287 | # CheckHostIP yes | ||
288 | # AddressFamily any | ||
289 | # ConnectTimeout 0 | ||
290 | # StrictHostKeyChecking ask | ||
291 | # IdentityFile ~/.ssh/identity | ||
292 | # IdentityFile ~/.ssh/id_dsa | ||
293 | # IdentityFile ~/.ssh/id_rsa | ||
294 | # Port 22 | ||
295 | # Protocol 2,1 | ||
296 | # Cipher 3des | ||
297 | # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc | ||
298 | # EscapeChar ~ | ||
299 | EOF | ||
300 | if [ "$port_number" != "22" ] | ||
301 | then | 227 | then |
302 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config | 228 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config |
303 | echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config | 229 | echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config |
304 | fi | 230 | fi |
305 | fi | 231 | fi |
306 | 232 | ||
@@ -322,35 +248,35 @@ fi | |||
322 | 248 | ||
323 | # Prior to creating or modifying sshd_config, care for privilege separation | 249 | # Prior to creating or modifying sshd_config, care for privilege separation |
324 | 250 | ||
325 | if [ "$privsep_configured" != "yes" ] | 251 | if [ "${privsep_configured}" != "yes" ] |
326 | then | 252 | then |
327 | if [ $_nt -gt 0 ] | 253 | if [ ${_nt} -gt 0 ] |
328 | then | 254 | then |
329 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." | 255 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." |
330 | echo "However, this requires a non-privileged account called 'sshd'." | 256 | echo "However, this requires a non-privileged account called 'sshd'." |
331 | echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." | 257 | echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." |
332 | echo | 258 | echo |
333 | if request "Shall privilege separation be used?" | 259 | if request "Should privilege separation be used?" |
334 | then | 260 | then |
335 | privsep_used=yes | 261 | privsep_used=yes |
336 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes | 262 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes |
337 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes | 263 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes |
338 | if [ "$sshd_in_passwd" != "yes" ] | 264 | if [ "${sshd_in_passwd}" != "yes" ] |
339 | then | 265 | then |
340 | if [ "$sshd_in_sam" != "yes" ] | 266 | if [ "${sshd_in_sam}" != "yes" ] |
341 | then | 267 | then |
342 | echo "Warning: The following function requires administrator privileges!" | 268 | echo "Warning: The following function requires administrator privileges!" |
343 | if request "Shall this script create a local user 'sshd' on this machine?" | 269 | if request "Should this script create a local user 'sshd' on this machine?" |
344 | then | 270 | then |
345 | dos_var_empty=`cygpath -w /var/empty` | 271 | dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` |
346 | net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes | 272 | net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes |
347 | if [ "$sshd_in_sam" != "yes" ] | 273 | if [ "${sshd_in_sam}" != "yes" ] |
348 | then | 274 | then |
349 | echo "Warning: Creating the user 'sshd' failed!" | 275 | echo "Warning: Creating the user 'sshd' failed!" |
350 | fi | 276 | fi |
351 | fi | 277 | fi |
352 | fi | 278 | fi |
353 | if [ "$sshd_in_sam" != "yes" ] | 279 | if [ "${sshd_in_sam}" != "yes" ] |
354 | then | 280 | then |
355 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" | 281 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" |
356 | echo " Privilege separation set to 'no' again!" | 282 | echo " Privilege separation set to 'no' again!" |
@@ -365,117 +291,41 @@ then | |||
365 | fi | 291 | fi |
366 | else | 292 | else |
367 | # On 9x don't use privilege separation. Since security isn't | 293 | # On 9x don't use privilege separation. Since security isn't |
368 | # available it just adds useless addtional processes. | 294 | # available it just adds useless additional processes. |
369 | privsep_used=no | 295 | privsep_used=no |
370 | fi | 296 | fi |
371 | fi | 297 | fi |
372 | 298 | ||
373 | # Create default sshd_config from here script or modify to add the | 299 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
374 | # missing privsep configuration option | 300 | # modify to add the missing privsep configuration option |
375 | 301 | ||
376 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] | 302 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] |
377 | then | 303 | then |
378 | echo "Generating ${SYSCONFDIR}/sshd_config file" | 304 | echo "Generating ${SYSCONFDIR}/sshd_config file" |
379 | cat > ${SYSCONFDIR}/sshd_config << EOF | 305 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
380 | # This is the sshd server system-wide configuration file. See | 306 | s/^#Port 22/Port ${port_number}/ |
381 | # sshd_config(5) for more information. | 307 | s/^#StrictModes yes/StrictModes no/" \ |
382 | 308 | < ${SYSCONFDIR}/defaults/etc/sshd_config \ | |
383 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | 309 | > ${SYSCONFDIR}/sshd_config |
384 | 310 | elif [ "${privsep_configured}" != "yes" ] | |
385 | # The strategy used for options in the default sshd_config shipped with | ||
386 | # OpenSSH is to specify options with their default value where | ||
387 | # possible, but leave them commented. Uncommented options change a | ||
388 | # default value. | ||
389 | |||
390 | Port $port_number | ||
391 | #Protocol 2,1 | ||
392 | #ListenAddress 0.0.0.0 | ||
393 | #ListenAddress :: | ||
394 | |||
395 | # HostKey for protocol version 1 | ||
396 | #HostKey ${SYSCONFDIR}/ssh_host_key | ||
397 | # HostKeys for protocol version 2 | ||
398 | #HostKey ${SYSCONFDIR}/ssh_host_rsa_key | ||
399 | #HostKey ${SYSCONFDIR}/ssh_host_dsa_key | ||
400 | |||
401 | # Lifetime and size of ephemeral version 1 server key | ||
402 | #KeyRegenerationInterval 1h | ||
403 | #ServerKeyBits 768 | ||
404 | |||
405 | # Logging | ||
406 | #obsoletes QuietMode and FascistLogging | ||
407 | #SyslogFacility AUTH | ||
408 | #LogLevel INFO | ||
409 | |||
410 | # Authentication: | ||
411 | |||
412 | #LoginGraceTime 2m | ||
413 | #PermitRootLogin yes | ||
414 | # The following setting overrides permission checks on host key files | ||
415 | # and directories. For security reasons set this to "yes" when running | ||
416 | # NT/W2K, NTFS and CYGWIN=ntsec. | ||
417 | StrictModes no | ||
418 | |||
419 | #RSAAuthentication yes | ||
420 | #PubkeyAuthentication yes | ||
421 | #AuthorizedKeysFile .ssh/authorized_keys | ||
422 | |||
423 | # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts | ||
424 | #RhostsRSAAuthentication no | ||
425 | # similar for protocol version 2 | ||
426 | #HostbasedAuthentication no | ||
427 | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
428 | # RhostsRSAAuthentication and HostbasedAuthentication | ||
429 | #IgnoreUserKnownHosts no | ||
430 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
431 | #IgnoreRhosts yes | ||
432 | |||
433 | # To disable tunneled clear text passwords, change to no here! | ||
434 | #PasswordAuthentication yes | ||
435 | #PermitEmptyPasswords no | ||
436 | |||
437 | # Change to no to disable s/key passwords | ||
438 | #ChallengeResponseAuthentication yes | ||
439 | |||
440 | #AllowTcpForwarding yes | ||
441 | #GatewayPorts no | ||
442 | #X11Forwarding no | ||
443 | #X11DisplayOffset 10 | ||
444 | #X11UseLocalhost yes | ||
445 | #PrintMotd yes | ||
446 | #PrintLastLog yes | ||
447 | #KeepAlive yes | ||
448 | #UseLogin no | ||
449 | UsePrivilegeSeparation $privsep_used | ||
450 | #PermitUserEnvironment no | ||
451 | #Compression yes | ||
452 | #ClientAliveInterval 0 | ||
453 | #ClientAliveCountMax 3 | ||
454 | #UseDNS yes | ||
455 | #PidFile /var/run/sshd.pid | ||
456 | #MaxStartups 10 | ||
457 | |||
458 | # no default banner path | ||
459 | #Banner /some/path | ||
460 | |||
461 | # override default of no subsystems | ||
462 | Subsystem sftp /usr/sbin/sftp-server | ||
463 | EOF | ||
464 | elif [ "$privsep_configured" != "yes" ] | ||
465 | then | 311 | then |
466 | echo >> ${SYSCONFDIR}/sshd_config | 312 | echo >> ${SYSCONFDIR}/sshd_config |
467 | echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config | 313 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
468 | fi | 314 | fi |
469 | 315 | ||
470 | # Care for services file | 316 | # Care for services file |
471 | _my_etcdir="/ssh-host-config.$$" | 317 | _my_etcdir="/ssh-host-config.$$" |
472 | if [ $_nt -gt 0 ] | 318 | if [ ${_nt} -gt 0 ] |
473 | then | 319 | then |
474 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" | 320 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" |
475 | _services="${_my_etcdir}/services" | 321 | _services="${_my_etcdir}/services" |
322 | # On NT, 27 spaces, no space after the hash | ||
323 | _spaces=" #" | ||
476 | else | 324 | else |
477 | _win_etcdir="${WINDIR}" | 325 | _win_etcdir="${WINDIR}" |
478 | _services="${_my_etcdir}/SERVICES" | 326 | _services="${_my_etcdir}/SERVICES" |
327 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
328 | _spaces=" # " | ||
479 | fi | 329 | fi |
480 | _serv_tmp="${_my_etcdir}/srv.out.$$" | 330 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
481 | 331 | ||
@@ -494,29 +344,28 @@ then | |||
494 | then | 344 | then |
495 | echo "Removing sshd from ${_wservices}" | 345 | echo "Removing sshd from ${_wservices}" |
496 | else | 346 | else |
497 | echo "Removing sshd from ${_wservices} failed\!" | 347 | echo "Removing sshd from ${_wservices} failed!" |
498 | fi | 348 | fi |
499 | rm -f "${_serv_tmp}" | 349 | rm -f "${_serv_tmp}" |
500 | else | 350 | else |
501 | echo "Removing sshd from ${_wservices} failed\!" | 351 | echo "Removing sshd from ${_wservices} failed!" |
502 | fi | 352 | fi |
503 | fi | 353 | fi |
504 | 354 | ||
505 | # Add ssh 22/tcp and ssh 22/udp to services | 355 | # Add ssh 22/tcp and ssh 22/udp to services |
506 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 356 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
507 | then | 357 | then |
508 | awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | 358 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
509 | if [ -f "${_serv_tmp}" ] | ||
510 | then | 359 | then |
511 | if mv "${_serv_tmp}" "${_services}" | 360 | if mv "${_serv_tmp}" "${_services}" |
512 | then | 361 | then |
513 | echo "Added ssh to ${_wservices}" | 362 | echo "Added ssh to ${_wservices}" |
514 | else | 363 | else |
515 | echo "Adding ssh to ${_wservices} failed\!" | 364 | echo "Adding ssh to ${_wservices} failed!" |
516 | fi | 365 | fi |
517 | rm -f "${_serv_tmp}" | 366 | rm -f "${_serv_tmp}" |
518 | else | 367 | else |
519 | echo "Adding ssh to ${_wservices} failed\!" | 368 | echo "WARNING: Adding ssh to ${_wservices} failed!" |
520 | fi | 369 | fi |
521 | fi | 370 | fi |
522 | 371 | ||
@@ -541,11 +390,11 @@ then | |||
541 | then | 390 | then |
542 | echo "Removed sshd from ${_inetcnf}" | 391 | echo "Removed sshd from ${_inetcnf}" |
543 | else | 392 | else |
544 | echo "Removing sshd from ${_inetcnf} failed\!" | 393 | echo "Removing sshd from ${_inetcnf} failed!" |
545 | fi | 394 | fi |
546 | rm -f "${_inetcnf_tmp}" | 395 | rm -f "${_inetcnf_tmp}" |
547 | else | 396 | else |
548 | echo "Removing sshd from ${_inetcnf} failed\!" | 397 | echo "Removing sshd from ${_inetcnf} failed!" |
549 | fi | 398 | fi |
550 | fi | 399 | fi |
551 | 400 | ||
@@ -563,34 +412,181 @@ then | |||
563 | fi | 412 | fi |
564 | 413 | ||
565 | # On NT ask if sshd should be installed as service | 414 | # On NT ask if sshd should be installed as service |
566 | if [ $_nt -gt 0 ] | 415 | if [ ${_nt} -gt 0 ] |
567 | then | 416 | then |
568 | echo | 417 | # But only if it is not already installed |
569 | echo "Do you want to install sshd as service?" | 418 | if ! cygrunsrv -Q sshd > /dev/null 2>&1 |
570 | if request "(Say \"no\" if it's already installed as service)" | ||
571 | then | 419 | then |
572 | echo | 420 | echo |
573 | echo "Which value should the environment variable CYGWIN have when" | 421 | echo |
574 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" | 422 | echo "Warning: The following functions require administrator privileges!" |
575 | echo "able to change user context without password." | 423 | echo |
576 | echo -n "Default is \"binmode ntsec tty\". CYGWIN=" | 424 | echo "Do you want to install sshd as service?" |
577 | read _cygwin | 425 | if request "(Say \"no\" if it's already installed as service)" |
578 | [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" | ||
579 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" | ||
580 | then | 426 | then |
581 | chown system ${SYSCONFDIR}/ssh* | 427 | if [ $_nt2003 -gt 0 ] |
582 | echo | 428 | then |
583 | echo "The service has been installed under LocalSystem account." | 429 | grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes |
430 | if [ "${sshd_server_in_passwd}" = "yes" ] | ||
431 | then | ||
432 | # Drop sshd_server from passwd since it could have wrong settings | ||
433 | grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ | ||
434 | rm -f ${SYSCONFDIR}/passwd | ||
435 | mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd | ||
436 | chmod g-w,o-w ${SYSCONFDIR}/passwd | ||
437 | fi | ||
438 | net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes | ||
439 | if [ "${sshd_server_in_sam}" != "yes" ] | ||
440 | then | ||
441 | echo | ||
442 | echo "You appear to be running Windows 2003 Server or later. On 2003 and" | ||
443 | echo "later systems, it's not possible to use the LocalSystem account" | ||
444 | echo "if sshd should allow passwordless logon (e. g. public key authentication)." | ||
445 | echo "If you want to enable that functionality, it's required to create a new" | ||
446 | echo "account 'sshd_server' with special privileges, which is then used to run" | ||
447 | echo "the sshd service under." | ||
448 | echo | ||
449 | echo "Should this script create a new local account 'sshd_server' which has" | ||
450 | if request "the required privileges?" | ||
451 | then | ||
452 | _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` | ||
453 | if [ -z "${_admingroup}" ] | ||
454 | then | ||
455 | echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" | ||
456 | echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" | ||
457 | echo "and restart this script." | ||
458 | exit 1 | ||
459 | fi | ||
460 | dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` | ||
461 | while [ "${sshd_server_in_sam}" != "yes" ] | ||
462 | do | ||
463 | if [ -n "${password_value}" ] | ||
464 | then | ||
465 | _password="${password_value}" | ||
466 | # Allow to ask for password if first try fails | ||
467 | password_value="" | ||
468 | else | ||
469 | echo | ||
470 | echo "Please enter a password for new user 'sshd_server'. Please be sure that" | ||
471 | echo "this password matches the password rules given on your system." | ||
472 | echo -n "Entering no password will exit the configuration. PASSWORD=" | ||
473 | read -e _password | ||
474 | if [ -z "${_password}" ] | ||
475 | then | ||
476 | echo | ||
477 | echo "Exiting configuration. No user sshd_server has been created," | ||
478 | echo "no sshd service installed." | ||
479 | exit 1 | ||
480 | fi | ||
481 | fi | ||
482 | net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes | ||
483 | if [ "${sshd_server_in_sam}" != "yes" ] | ||
484 | then | ||
485 | echo "Creating the user 'sshd_server' failed! Reason:" | ||
486 | cat /tmp/nu.$$ | ||
487 | rm /tmp/nu.$$ | ||
488 | fi | ||
489 | done | ||
490 | net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes | ||
491 | if [ "${sshd_server_in_admingroup}" != "yes" ] | ||
492 | then | ||
493 | echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" | ||
494 | echo "Please add sshd_server to local group ${_admingroup} before" | ||
495 | echo "starting the sshd service!" | ||
496 | echo | ||
497 | fi | ||
498 | passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` | ||
499 | if [ "${passwd_has_expiry_flags}" != "yes" ] | ||
500 | then | ||
501 | echo | ||
502 | echo "WARNING: User sshd_server has password expiry set to system default." | ||
503 | echo "Please check that password never expires or set it to your needs." | ||
504 | elif ! passwd -e sshd_server | ||
505 | then | ||
506 | echo | ||
507 | echo "WARNING: Setting password expiry for user sshd_server failed!" | ||
508 | echo "Please check that password never expires or set it to your needs." | ||
509 | fi | ||
510 | editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && | ||
511 | editrights -a SeCreateTokenPrivilege -u sshd_server && | ||
512 | editrights -a SeDenyInteractiveLogonRight -u sshd_server && | ||
513 | editrights -a SeDenyNetworkLogonRight -u sshd_server && | ||
514 | editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && | ||
515 | editrights -a SeIncreaseQuotaPrivilege -u sshd_server && | ||
516 | editrights -a SeServiceLogonRight -u sshd_server && | ||
517 | sshd_server_got_all_rights="yes" | ||
518 | if [ "${sshd_server_got_all_rights}" != "yes" ] | ||
519 | then | ||
520 | echo | ||
521 | echo "Assigning the appropriate privileges to user 'sshd_server' failed!" | ||
522 | echo "Can't create sshd service!" | ||
523 | exit 1 | ||
524 | fi | ||
525 | echo | ||
526 | echo "User 'sshd_server' has been created with password '${_password}'." | ||
527 | echo "If you change the password, please keep in mind to change the password" | ||
528 | echo "for the sshd service, too." | ||
529 | echo | ||
530 | echo "Also keep in mind that the user sshd_server needs read permissions on all" | ||
531 | echo "users' .ssh/authorized_keys file to allow public key authentication for" | ||
532 | echo "these users!. (Re-)running ssh-user-config for each user will set the" | ||
533 | echo "required permissions correctly." | ||
534 | echo | ||
535 | fi | ||
536 | fi | ||
537 | if [ "${sshd_server_in_sam}" = "yes" ] | ||
538 | then | ||
539 | mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd | ||
540 | fi | ||
541 | fi | ||
542 | if [ -n "${cygwin_value}" ] | ||
543 | then | ||
544 | _cygwin="${cygwin_value}" | ||
545 | else | ||
546 | echo | ||
547 | echo "Which value should the environment variable CYGWIN have when" | ||
548 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" | ||
549 | echo "able to change user context without password." | ||
550 | echo -n "Default is \"ntsec\". CYGWIN=" | ||
551 | read -e _cygwin | ||
552 | fi | ||
553 | [ -z "${_cygwin}" ] && _cygwin="ntsec" | ||
554 | if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] | ||
555 | then | ||
556 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" | ||
557 | then | ||
558 | echo | ||
559 | echo "The service has been installed under sshd_server account." | ||
560 | echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." | ||
561 | fi | ||
562 | else | ||
563 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" | ||
564 | then | ||
565 | echo | ||
566 | echo "The service has been installed under LocalSystem account." | ||
567 | echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." | ||
568 | fi | ||
569 | fi | ||
570 | fi | ||
571 | # Now check if sshd has been successfully installed. This allows to | ||
572 | # set the ownership of the affected files correctly. | ||
573 | if cygrunsrv -Q sshd > /dev/null 2>&1 | ||
574 | then | ||
575 | if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] | ||
576 | then | ||
577 | _user="sshd_server" | ||
578 | else | ||
579 | _user="system" | ||
580 | fi | ||
581 | chown "${_user}" ${SYSCONFDIR}/ssh* | ||
582 | chown "${_user}".544 ${LOCALSTATEDIR}/empty | ||
583 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
584 | then | ||
585 | chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log | ||
586 | fi | ||
584 | fi | 587 | fi |
585 | fi | 588 | fi |
586 | fi | 589 | fi |
587 | 590 | ||
588 | if [ "${old_install}" = "1" ] | ||
589 | then | ||
590 | echo | ||
591 | echo "Note: If you have used sshd as service or from inetd, don't forget to" | ||
592 | echo " change the path to sshd.exe in the service entry or in inetd.conf." | ||
593 | fi | ||
594 | |||
595 | echo | 591 | echo |
596 | echo "Host configuration finished. Have fun!" | 592 | echo "Host configuration finished. Have fun!" |
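Review bot: The new sshd_server password handling in the last hunk exposes the secret more than it needs to: `read -e _password` (new line 473) echoes the typed password to the terminal, and new line 526 prints it back in cleartext with `echo "User 'sshd_server' has been created with password '${_password}'."`; change the prompt to `read -es _password` followed by a bare `echo` to restore the newline, and drop the password from the confirmation message. Note also that `-d/--debug` enables `set -x` (new line 64), which would trace every command containing `${_password}`, and that the `-w/--pwd` option plus the `net user` and `cygrunsrv -I ... -w` invocations (new lines 482, 556) place the password on argv where it is visible to process listings; since the Windows tools offer no stdin alternative here, the usage text should at least say so. Separately, when an `sshd_server` account already exists in the SAM (new line 438 sets `sshd_server_in_sam=yes`), the creation loop is skipped and `_password` is never assigned, so new line 556 installs the service with `-w ""`; either prompt for the existing account's password in that branch or fall back to the LocalSystem install at new line 563.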