summaryrefslogtreecommitdiff
path: root/contrib/cygwin/ssh-host-config
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config544
1 files changed, 370 insertions, 174 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index d968d4619..3ac39a621 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
1#!/bin/bash 1#!/bin/bash
2# 2#
3# ssh-host-config, Copyright 2000-2009 Red Hat Inc. 3# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6# 6#
@@ -19,12 +19,39 @@
19# ====================================================================== 19# ======================================================================
20# Initialization 20# Initialization
21# ====================================================================== 21# ======================================================================
22PROGNAME=$(basename $0)
23_tdir=$(dirname $0)
24PROGDIR=$(cd $_tdir && pwd)
25 22
26CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
27 24
25# List of apps used. This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29 /usr/bin/basename coreutils
30 /usr/bin/cat coreutils
31 /usr/bin/chmod coreutils
32 /usr/bin/dirname coreutils
33 /usr/bin/id coreutils
34 /usr/bin/mv coreutils
35 /usr/bin/rm coreutils
36 /usr/bin/cygpath cygwin
37 /usr/bin/mount cygwin
38 /usr/bin/ps cygwin
39 /usr/bin/setfacl cygwin
40 /usr/bin/umount cygwin
41 /usr/bin/cmp diffutils
42 /usr/bin/grep grep
43 /usr/bin/awk gawk
44 /usr/bin/ssh-keygen openssh
45 /usr/sbin/sshd openssh
46 /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
28# Subdirectory where the new package is being installed 55# Subdirectory where the new package is being installed
29PREFIX=/usr 56PREFIX=/usr
30 57
@@ -32,8 +59,6 @@ PREFIX=/usr
32SYSCONFDIR=/etc 59SYSCONFDIR=/etc
33LOCALSTATEDIR=/var 60LOCALSTATEDIR=/var
34 61
35source ${CSIH_SCRIPT}
36
37port_number=22 62port_number=22
38privsep_configured=no 63privsep_configured=no
39privsep_used=yes 64privsep_used=yes
@@ -46,23 +71,48 @@ opt_force=no
46# Routine: create_host_keys 71# Routine: create_host_keys
47# ====================================================================== 72# ======================================================================
48create_host_keys() { 73create_host_keys() {
74 local ret=0
75
49 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 76 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
50 then 77 then
51 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 78 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
52 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 79 if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
80 then
81 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
82 let ++ret
83 fi
53 fi 84 fi
54 85
55 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 86 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
56 then 87 then
57 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 88 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
58 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 89 if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
90 then
91 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
92 let ++ret
93 fi
59 fi 94 fi
60 95
61 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 96 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
62 then 97 then
63 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 98 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
64 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null 99 if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
100 then
101 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
102 let ++ret
103 fi
65 fi 104 fi
105
106 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
107 then
108 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
109 if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
110 then
111 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
112 let ++ret
113 fi
114 fi
115 return $ret
66} # --- End of create_host_keys --- # 116} # --- End of create_host_keys --- #
67 117
68# ====================================================================== 118# ======================================================================
@@ -75,61 +125,58 @@ update_services_file() {
75 local _spaces 125 local _spaces
76 local _serv_tmp 126 local _serv_tmp
77 local _wservices 127 local _wservices
128 local ret=0
78 129
79 if csih_is_nt 130 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
80 then 131 _services="${_my_etcdir}/services"
81 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 132 _spaces=" #"
82 _services="${_my_etcdir}/services"
83 # On NT, 27 spaces, no space after the hash
84 _spaces=" #"
85 else
86 _win_etcdir="${WINDIR}"
87 _services="${_my_etcdir}/SERVICES"
88 # On 9x, 18 spaces (95 is very touchy), a space after the hash
89 _spaces=" # "
90 fi
91 _serv_tmp="${_my_etcdir}/srv.out.$$" 133 _serv_tmp="${_my_etcdir}/srv.out.$$"
92 134
93 mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 135 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
94 136
95 # Depends on the above mount 137 # Depends on the above mount
96 _wservices=`cygpath -w "${_services}"` 138 _wservices=`cygpath -w "${_services}"`
97 139
98 # Remove sshd 22/port from services 140 # Remove sshd 22/port from services
99 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 141 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
100 then 142 then
101 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" 143 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
102 if [ -f "${_serv_tmp}" ] 144 if [ -f "${_serv_tmp}" ]
103 then 145 then
104 if mv "${_serv_tmp}" "${_services}" 146 if /usr/bin/mv "${_serv_tmp}" "${_services}"
105 then 147 then
106 csih_inform "Removing sshd from ${_wservices}" 148 csih_inform "Removing sshd from ${_wservices}"
107 else 149 else
108 csih_warning "Removing sshd from ${_wservices} failed!" 150 csih_warning "Removing sshd from ${_wservices} failed!"
151 let ++ret
109 fi 152 fi
110 rm -f "${_serv_tmp}" 153 /usr/bin/rm -f "${_serv_tmp}"
111 else 154 else
112 csih_warning "Removing sshd from ${_wservices} failed!" 155 csih_warning "Removing sshd from ${_wservices} failed!"
156 let ++ret
113 fi 157 fi
114 fi 158 fi
115 159
116 # Add ssh 22/tcp and ssh 22/udp to services 160 # Add ssh 22/tcp and ssh 22/udp to services
117 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 161 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
118 then 162 then
119 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 163 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
120 then 164 then
121 if mv "${_serv_tmp}" "${_services}" 165 if /usr/bin/mv "${_serv_tmp}" "${_services}"
122 then 166 then
123 csih_inform "Added ssh to ${_wservices}" 167 csih_inform "Added ssh to ${_wservices}"
124 else 168 else
125 csih_warning "Adding ssh to ${_wservices} failed!" 169 csih_warning "Adding ssh to ${_wservices} failed!"
170 let ++ret
126 fi 171 fi
127 rm -f "${_serv_tmp}" 172 /usr/bin/rm -f "${_serv_tmp}"
128 else 173 else
129 csih_warning "Adding ssh to ${_wservices} failed!" 174 csih_warning "Adding ssh to ${_wservices} failed!"
175 let ++ret
130 fi 176 fi
131 fi 177 fi
132 umount "${_my_etcdir}" 178 /usr/bin/umount "${_my_etcdir}"
179 return $ret
133} # --- End of update_services_file --- # 180} # --- End of update_services_file --- #
134 181
135# ====================================================================== 182# ======================================================================
@@ -138,51 +185,57 @@ update_services_file() {
138# ====================================================================== 185# ======================================================================
139sshd_privsep() { 186sshd_privsep() {
140 local sshdconfig_tmp 187 local sshdconfig_tmp
188 local ret=0
141 189
142 if [ "${privsep_configured}" != "yes" ] 190 if [ "${privsep_configured}" != "yes" ]
143 then 191 then
144 if csih_is_nt 192 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
193 csih_inform "However, this requires a non-privileged account called 'sshd'."
194 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
195 if csih_request "Should privilege separation be used?"
145 then 196 then
146 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 197 privsep_used=yes
147 csih_inform "However, this requires a non-privileged account called 'sshd'." 198 if ! csih_create_unprivileged_user sshd
148 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
149 if csih_request "Should privilege separation be used?"
150 then 199 then
151 privsep_used=yes 200 csih_error_recoverable "Couldn't create user 'sshd'!"
152 if ! csih_create_unprivileged_user sshd 201 csih_error_recoverable "Privilege separation set to 'no' again!"
153 then 202 csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
154 csih_warning "Couldn't create user 'sshd'!" 203 let ++ret
155 csih_warning "Privilege separation set to 'no' again!"
156 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
157 privsep_used=no
158 fi
159 else
160 privsep_used=no 204 privsep_used=no
161 fi 205 fi
162 else 206 else
163 # On 9x don't use privilege separation. Since security isn't
164 # available it just adds useless additional processes.
165 privsep_used=no 207 privsep_used=no
166 fi 208 fi
167 fi 209 fi
168 210
169 # Create default sshd_config from skeleton files in /etc/defaults/etc or 211 # Create default sshd_config from skeleton files in /etc/defaults/etc or
170 # modify to add the missing privsep configuration option 212 # modify to add the missing privsep configuration option
171 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 213 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
172 then 214 then
173 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 215 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
174 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 216 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
175 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 217 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
176 s/^#Port 22/Port ${port_number}/ 218 s/^#Port 22/Port ${port_number}/
177 s/^#StrictModes yes/StrictModes no/" \ 219 s/^#StrictModes yes/StrictModes no/" \
178 < ${SYSCONFDIR}/sshd_config \ 220 < ${SYSCONFDIR}/sshd_config \
179 > "${sshdconfig_tmp}" 221 > "${sshdconfig_tmp}"
180 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 222 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
223 then
224 csih_warning "Setting privilege separation to 'yes' failed!"
225 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
226 let ++ret
227 fi
181 elif [ "${privsep_configured}" != "yes" ] 228 elif [ "${privsep_configured}" != "yes" ]
182 then 229 then
183 echo >> ${SYSCONFDIR}/sshd_config 230 echo >> ${SYSCONFDIR}/sshd_config
184 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 231 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
232 then
233 csih_warning "Setting privilege separation to 'yes' failed!"
234 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
235 let ++ret
236 fi
185 fi 237 fi
238 return $ret
186} # --- End of sshd_privsep --- # 239} # --- End of sshd_privsep --- #
187 240
188# ====================================================================== 241# ======================================================================
@@ -195,72 +248,82 @@ update_inetd_conf() {
195 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 248 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
196 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 249 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
197 local _with_comment=1 250 local _with_comment=1
251 local ret=0
198 252
199 if [ -d "${_inetcnf_dir}" ] 253 if [ -d "${_inetcnf_dir}" ]
200 then 254 then
201 # we have inetutils-1.5 inetd.d support 255 # we have inetutils-1.5 inetd.d support
202 if [ -f "${_inetcnf}" ] 256 if [ -f "${_inetcnf}" ]
203 then 257 then
204 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 258 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
205 259
206 # check for sshd OR ssh in top-level inetd.conf file, and remove 260 # check for sshd OR ssh in top-level inetd.conf file, and remove
207 # will be replaced by a file in inetd.d/ 261 # will be replaced by a file in inetd.d/
208 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 262 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
209 then 263 then
210 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 264 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
211 if [ -f "${_inetcnf_tmp}" ] 265 if [ -f "${_inetcnf_tmp}" ]
212 then 266 then
213 if mv "${_inetcnf_tmp}" "${_inetcnf}" 267 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
214 then 268 then
215 csih_inform "Removed ssh[d] from ${_inetcnf}" 269 csih_inform "Removed ssh[d] from ${_inetcnf}"
216 else 270 else
217 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 271 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
272 let ++ret
218 fi 273 fi
219 rm -f "${_inetcnf_tmp}" 274 /usr/bin/rm -f "${_inetcnf_tmp}"
220 else 275 else
221 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 276 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
277 let ++ret
222 fi 278 fi
223 fi 279 fi
224 fi 280 fi
225 281
226 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 282 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
227 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 283 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
228 then 284 then
229 if [ "${_with_comment}" -eq 0 ] 285 if [ "${_with_comment}" -eq 0 ]
230 then 286 then
231 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 287 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
232 else 288 else
233 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 289 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
290 fi
291 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
292 then
293 csih_inform "Updated ${_sshd_inetd_conf}"
294 else
295 csih_warning "Updating ${_sshd_inetd_conf} failed!"
296 let ++ret
234 fi 297 fi
235 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
236 csih_inform "Updated ${_sshd_inetd_conf}"
237 fi 298 fi
238 299
239 elif [ -f "${_inetcnf}" ] 300 elif [ -f "${_inetcnf}" ]
240 then 301 then
241 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 302 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
242 303
243 # check for sshd in top-level inetd.conf file, and remove 304 # check for sshd in top-level inetd.conf file, and remove
244 # will be replaced by a file in inetd.d/ 305 # will be replaced by a file in inetd.d/
245 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 306 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
246 then 307 then
247 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 308 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
248 if [ -f "${_inetcnf_tmp}" ] 309 if [ -f "${_inetcnf_tmp}" ]
249 then 310 then
250 if mv "${_inetcnf_tmp}" "${_inetcnf}" 311 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
251 then 312 then
252 csih_inform "Removed sshd from ${_inetcnf}" 313 csih_inform "Removed sshd from ${_inetcnf}"
253 else 314 else
254 csih_warning "Removing sshd from ${_inetcnf} failed!" 315 csih_warning "Removing sshd from ${_inetcnf} failed!"
316 let ++ret
255 fi 317 fi
256 rm -f "${_inetcnf_tmp}" 318 /usr/bin/rm -f "${_inetcnf_tmp}"
257 else 319 else
258 csih_warning "Removing sshd from ${_inetcnf} failed!" 320 csih_warning "Removing sshd from ${_inetcnf} failed!"
321 let ++ret
259 fi 322 fi
260 fi 323 fi
261 324
262 # Add ssh line to inetd.conf 325 # Add ssh line to inetd.conf
263 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 326 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
264 then 327 then
265 if [ "${_with_comment}" -eq 0 ] 328 if [ "${_with_comment}" -eq 0 ]
266 then 329 then
@@ -268,115 +331,186 @@ update_inetd_conf() {
268 else 331 else
269 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 332 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
270 fi 333 fi
271 csih_inform "Added ssh to ${_inetcnf}" 334 if [ $? -eq 0 ]
335 then
336 csih_inform "Added ssh to ${_inetcnf}"
337 else
338 csih_warning "Adding ssh to ${_inetcnf} failed!"
339 let ++ret
340 fi
272 fi 341 fi
273 fi 342 fi
343 return $ret
274} # --- End of update_inetd_conf --- # 344} # --- End of update_inetd_conf --- #
275 345
276# ====================================================================== 346# ======================================================================
347# Routine: check_service_files_ownership
348# Checks that the files in /etc and /var belong to the right owner
349# ======================================================================
350check_service_files_ownership() {
351 local run_service_as=$1
352 local ret=0
353
354 if [ -z "${run_service_as}" ]
355 then
356 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
357 if [ "${accnt_name}" = "LocalSystem" ]
358 then
359 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
360 accnt_name="SYSTEM:"
361 elif [[ "${accnt_name}" =~ ^\.\\ ]]
362 then
363 # Convert "." domain to local machine name
364 accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
365 fi
366 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
367 if [ -z "${run_service_as}" ]
368 then
369 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
370 csih_warning "As a result, this script cannot make sure that the files used"
371 csih_warning "by the sshd service belong to the user running the service."
372 csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
373 csih_warning "file is in a good shape."
374 return 1
375 fi
376 fi
377 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
378 do
379 if [ -f "$i" ]
380 then
381 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
382 then
383 csih_warning "Couldn't change owner of $i!"
384 let ++ret
385 fi
386 fi
387 done
388 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
389 then
390 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
391 let ++ret
392 fi
393 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
394 then
395 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
396 let ++ret
397 fi
398 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
399 then
400 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
401 then
402 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
403 let ++ret
404 fi
405 fi
406 if [ $ret -ne 0 ]
407 then
408 csih_warning "Couldn't change owner of important files to ${run_service_as}!"
409 csih_warning "This may cause the sshd service to fail! Please make sure that"
410 csih_warning "you have suufficient permissions to change the ownership of files"
411 csih_warning "and try to run the ssh-host-config script again."
412 fi
413 return $ret
414} # --- End of check_service_files_ownership --- #
415
416# ======================================================================
277# Routine: install_service 417# Routine: install_service
278# Install sshd as a service 418# Install sshd as a service
279# ====================================================================== 419# ======================================================================
280install_service() { 420install_service() {
281 local run_service_as 421 local run_service_as
282 local password 422 local password
423 local ret=0
283 424
284 if csih_is_nt 425 echo
426 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
285 then 427 then
286 if ! cygrunsrv -Q sshd >/dev/null 2>&1 428 csih_inform "Sshd service is already installed."
429 check_service_files_ownership "" || let ret+=$?
430 else
431 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
432 if csih_request "(Say \"no\" if it is already installed as a service)"
287 then 433 then
288 echo 434 csih_get_cygenv "${cygwin_value}"
289 echo
290 csih_warning "The following functions require administrator privileges!"
291 echo
292 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
293 if csih_request "(Say \"no\" if it is already installed as a service)"
294 then
295 csih_get_cygenv "${cygwin_value}"
296 435
297 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 436 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
298 then 437 then
299 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 438 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
300 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 439 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
301 csih_inform "sshd requires. You need to have or to create a privileged" 440 csih_inform "sshd requires. You need to have or to create a privileged"
302 csih_inform "account. This script will help you do so." 441 csih_inform "account. This script will help you do so."
303 echo 442 echo
304 443
305 [ "${opt_force}" = "yes" ] && opt_f=-f 444 [ "${opt_force}" = "yes" ] && opt_f=-f
306 [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 445 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
307 csih_select_privileged_username ${opt_f} ${opt_u} sshd 446 csih_select_privileged_username ${opt_f} ${opt_u} sshd
308 447
309 if ! csih_create_privileged_user "${password_value}" 448 if ! csih_create_privileged_user "${password_value}"
310 then 449 then
311 csih_error_recoverable "There was a serious problem creating a privileged user." 450 csih_error_recoverable "There was a serious problem creating a privileged user."
312 csih_request "Do you want to proceed anyway?" || exit 1 451 csih_request "Do you want to proceed anyway?" || exit 1
313 fi 452 let ++ret
314 fi 453 fi
454 fi
315 455
316 # never returns empty if NT or above 456 # Never returns empty if NT or above
317 run_service_as=$(csih_service_should_run_as) 457 run_service_as=$(csih_service_should_run_as)
318 458
319 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 459 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
460 then
461 password="${csih_PRIVILEGED_PASSWORD}"
462 if [ -z "${password}" ]
320 then 463 then
321 password="${csih_PRIVILEGED_PASSWORD}" 464 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
322 if [ -z "${password}" ] 465 password="${csih_value}"
323 then
324 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
325 password="${csih_value}"
326 fi
327 fi 466 fi
467 fi
328 468
329 # at this point, we either have $run_service_as = "system" and $password is empty, 469 # At this point, we either have $run_service_as = "system" and
330 # or $run_service_as is some privileged user and (hopefully) $password contains 470 # $password is empty, or $run_service_as is some privileged user and
331 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 471 # (hopefully) $password contains the correct password. So, from here
332 # the two cases. 472 # out, we use '-z "${password}"' to discriminate the two cases.
333 473
334 csih_check_user "${run_service_as}" 474 csih_check_user "${run_service_as}"
335 475
336 if [ -n "${csih_cygenv}" ] 476 if [ -n "${csih_cygenv}" ]
477 then
478 cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
479 fi
480 if [ -z "${password}" ]
481 then
482 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
483 -a "-D" -y tcpip "${cygwin_env[@]}"
337 then 484 then
338 cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 485 echo
486 csih_inform "The sshd service has been installed under the LocalSystem"
487 csih_inform "account (also known as SYSTEM). To start the service now, call"
488 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
489 csih_inform "will start automatically after the next reboot."
339 fi 490 fi
340 if [ -z "${password}" ] 491 else
492 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
493 -a "-D" -y tcpip "${cygwin_env[@]}" \
494 -u "${run_service_as}" -w "${password}"
341 then 495 then
342 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ 496 echo
343 -a "-D" -y tcpip "${cygwin_env[@]}" 497 csih_inform "The sshd service has been installed under the '${run_service_as}'"
344 then 498 csih_inform "account. To start the service now, call \`net start sshd' or"
345 echo 499 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
346 csih_inform "The sshd service has been installed under the LocalSystem" 500 csih_inform "after the next reboot."
347 csih_inform "account (also known as SYSTEM). To start the service now, call"
348 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
349 csih_inform "will start automatically after the next reboot."
350 fi
351 else
352 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
353 -a "-D" -y tcpip "${cygwin_env[@]}" \
354 -u "${run_service_as}" -w "${password}"
355 then
356 echo
357 csih_inform "The sshd service has been installed under the '${run_service_as}'"
358 csih_inform "account. To start the service now, call \`net start sshd' or"
359 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
360 csih_inform "after the next reboot."
361 fi
362 fi 501 fi
502 fi
363 503
364 # now, if successfully installed, set ownership of the affected files 504 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
365 if cygrunsrv -Q sshd >/dev/null 2>&1 505 then
366 then 506 check_service_files_ownership "${run_service_as}" || let ret+=$?
367 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 507 else
368 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 508 csih_error_recoverable "Installing sshd as a service failed!"
369 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 509 let ++ret
370 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 510 fi
371 then 511 fi # user allowed us to install as service
372 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 512 fi # service not yet installed
373 fi 513 return $ret
374 else
375 csih_warning "Something went wrong installing the sshd service."
376 fi
377 fi # user allowed us to install as service
378 fi # service not yet installed
379 fi # csih_is_nt
380} # --- End of install_service --- # 514} # --- End of install_service --- #
381 515
382# ====================================================================== 516# ======================================================================
@@ -488,21 +622,71 @@ done
488 622
489# Check for running ssh/sshd processes first. Refuse to do anything while 623# Check for running ssh/sshd processes first. Refuse to do anything while
490# some ssh processes are still running 624# some ssh processes are still running
491if ps -ef | grep -q '/sshd\?$' 625if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
492then 626then
493 echo 627 echo
494 csih_error "There are still ssh processes running. Please shut them down first." 628 csih_error "There are still ssh processes running. Please shut them down first."
495fi 629fi
496 630
631# Make sure the user is running in an administrative context
632admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
633if [ "${admin}" != "yes" ]
634then
635 echo
636 csih_warning "Running this script typically requires administrator privileges!"
637 csih_warning "However, it seems your account does not have these privileges."
638 csih_warning "Here's the list of groups in your user token:"
639 echo
640 for i in $(/usr/bin/id -G)
641 do
642 /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
643 done
644 echo
645 csih_warning "This usually means you're running this script from a non-admin"
646 csih_warning "desktop session, or in a non-elevated shell under UAC control."
647 echo
648 csih_warning "Make sure you have the appropriate privileges right now,"
649 csih_warning "otherwise parts of this script will probably fail!"
650 echo
651 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
652 if ! csih_request "you have the required privileges)"
653 then
654 echo
655 csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
656 csih_inform "or to start this script from an elevated shell."
657 exit 1
658 fi
659fi
660
661echo
662
663warning_cnt=0
664
497# Check for ${SYSCONFDIR} directory 665# Check for ${SYSCONFDIR} directory
498csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." 666csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
499chmod 775 "${SYSCONFDIR}" 667if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
500setfacl -m u:system:rwx "${SYSCONFDIR}" 668then
669 csih_warning "Can't set permissions on ${SYSCONFDIR}!"
670 let ++warning_cnt
671fi
672if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
673then
674 csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
675 let ++warning_cnt
676fi
501 677
502# Check for /var/log directory 678# Check for /var/log directory
503csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." 679csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
504chmod 775 "${LOCALSTATEDIR}/log" 680if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
505setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" 681then
682 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
683 let ++warning_cnt
684fi
685if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
686then
687 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
688 let ++warning_cnt
689fi
506 690
507# Create /var/log/lastlog if not already exists 691# Create /var/log/lastlog if not already exists
508if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 692if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
@@ -513,26 +697,33 @@ then
513fi 697fi
514if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 698if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
515then 699then
516 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog 700 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
517 chmod 644 ${LOCALSTATEDIR}/log/lastlog 701 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
702 then
703 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
704 let ++warning_cnt
705 fi
518fi 706fi
519 707
520# Create /var/empty file used as chroot jail for privilege separation 708# Create /var/empty file used as chroot jail for privilege separation
521csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." 709csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
522chmod 755 "${LOCALSTATEDIR}/empty" 710if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
523setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" 711then
712 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
713 let ++warning_cnt
714fi
715if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
716then
717 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
718 let ++warning_cnt
719fi
524 720
525# host keys 721# host keys
526create_host_keys 722create_host_keys || let warning_cnt+=$?
527
528# use 'cmp' program to determine if a config file is identical
529# to the default version of that config file
530csih_check_program_or_error cmp diffutils
531
532 723
533# handle ssh_config 724# handle ssh_config
534csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" 725csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
535if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 726if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
536then 727then
537 if [ "${port_number}" != "22" ] 728 if [ "${port_number}" != "22" ]
538 then 729 then
@@ -543,19 +734,24 @@ then
543fi 734fi
544 735
545# handle sshd_config (and privsep) 736# handle sshd_config (and privsep)
546csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" 737csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
547if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 738if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
548then 739then
549 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 740 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
550fi 741fi
551sshd_privsep 742sshd_privsep || let warning_cnt+=$?
552
553 743
554 744update_services_file || let warning_cnt+=$?
555update_services_file 745update_inetd_conf || let warning_cnt+=$?
556update_inetd_conf 746install_service || let warning_cnt+=$?
557install_service
558 747
559echo 748echo
560csih_inform "Host configuration finished. Have fun!" 749if [ $warning_cnt -eq 0 ]
561 750then
751 csih_inform "Host configuration finished. Have fun!"
752else
753 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
754 csih_warning "Make sure that all problems reported are fixed,"
755 csih_warning "then re-run ssh-host-config."
756fi
757exit $warning_cnt
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-02 21:37:55 +0000