Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config219
1 files changed, 155 insertions, 64 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index da6011267..df8341c85 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -18,6 +18,11 @@ progname=$0
18auto_answer="" 18auto_answer=""
19port_number=22 19port_number=22
20 20
21privsep_configured=no
22privsep_used=yes
23sshd_in_passwd=no
24sshd_in_sam=no
25
21request() 26request()
22{ 27{
23 if [ "${auto_answer}" = "yes" ] 28 if [ "${auto_answer}" = "yes" ]
@@ -90,6 +95,10 @@ do
90 esac 95 esac
91done 96done
92 97
98# Check if running on NT
99_sys="`uname -a`"
100_nt=`expr "$_sys" : "CYGWIN_NT"`
101
93# Check for running ssh/sshd processes first. Refuse to do anything while 102# Check for running ssh/sshd processes first. Refuse to do anything while
94# some ssh processes are still running 103# some ssh processes are still running
95 104
@@ -126,6 +135,38 @@ then
126 fi 135 fi
127fi 136fi
128 137
138# Create /var/log and /var/log/lastlog if not already existing
139
140if [ -f /var/log ]
141then
142 echo "Creating /var/log failed\!"
143else
144 if [ ! -d /var/log ]
145 then
146 mkdir -p /var/log
147 fi
148 if [ -d /var/log/lastlog ]
149 then
150 echo "Creating /var/log/lastlog failed\!"
151 elif [ ! -f /var/log/lastlog ]
152 then
153 cat /dev/null > /var/log/lastlog
154 fi
155fi
156
157# Create /var/empty file used as chroot jail for privilege separation
158if [ -f /var/empty ]
159then
160 echo "Creating /var/empty failed\!"
161else
162 mkdir -p /var/empty
163 # On NT change ownership of that dir to user "system"
164 if [ $_nt -gt 0 ]
165 then
166 chown system.system /var/empty
167 fi
168fi
169
129# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't 170# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
130# the same as ${PREFIX} 171# the same as ${PREFIX}
131 172
@@ -219,9 +260,10 @@ if [ ! -f "${SYSCONFDIR}/ssh_config" ]
219then 260then
220 echo "Generating ${SYSCONFDIR}/ssh_config file" 261 echo "Generating ${SYSCONFDIR}/ssh_config file"
221 cat > ${SYSCONFDIR}/ssh_config << EOF 262 cat > ${SYSCONFDIR}/ssh_config << EOF
222# This is ssh client systemwide configuration file. This file provides 263# This is the ssh client system-wide configuration file. See
223# defaults for users, and the values can be changed in per-user configuration 264# ssh_config(5) for more information. This file provides defaults for
224# files or on the command line. 265# users, and the values can be changed in per-user configuration files
266# or on the command line.
225 267
226# Configuration data is parsed as follows: 268# Configuration data is parsed as follows:
227# 1. command line options 269# 1. command line options
@@ -237,20 +279,19 @@ then
237# ForwardAgent no 279# ForwardAgent no
238# ForwardX11 no 280# ForwardX11 no
239# RhostsAuthentication no 281# RhostsAuthentication no
240# RhostsRSAAuthentication yes 282# RhostsRSAAuthentication no
241# RSAAuthentication yes 283# RSAAuthentication yes
242# PasswordAuthentication yes 284# PasswordAuthentication yes
243# FallBackToRsh no
244# UseRsh no
245# BatchMode no 285# BatchMode no
246# CheckHostIP yes 286# CheckHostIP yes
247# StrictHostKeyChecking yes 287# StrictHostKeyChecking ask
248# IdentityFile ~/.ssh/identity 288# IdentityFile ~/.ssh/identity
249# IdentityFile ~/.ssh/id_dsa 289# IdentityFile ~/.ssh/id_dsa
250# IdentityFile ~/.ssh/id_rsa 290# IdentityFile ~/.ssh/id_rsa
251# Port 22 291# Port 22
252# Protocol 2,1 292# Protocol 2,1
253# Cipher blowfish 293# Cipher 3des
294# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
254# EscapeChar ~ 295# EscapeChar ~
255EOF 296EOF
256 if [ "$port_number" != "22" ] 297 if [ "$port_number" != "22" ]
@@ -271,17 +312,75 @@ then
271 then 312 then
272 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." 313 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
273 fi 314 fi
315 else
316 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
317 fi
318fi
319
320# Prior to creating or modifying sshd_config, care for privilege separation
321
322if [ "$privsep_configured" != "yes" ]
323then
324 if [ $_nt -gt 0 ]
325 then
326 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
327 echo "However, this requires a non-privileged account called 'sshd'."
328 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
329 echo
330 if request "Shall privilege separation be used?"
331 then
332 privsep_used=yes
333 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
334 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
335 if [ "$sshd_in_passwd" != "yes" ]
336 then
337 if [ "$sshd_in_sam" != "yes" ]
338 then
339 echo "Warning: The following function requires administrator privileges!"
340 if request "Shall this script create a local user 'sshd' on this machine?"
341 then
342 dos_var_empty=`cygpath -w /var/empty`
343 net user sshd /add /fullname:"sshd privsep" "/HOMEDIR:$dos_var_empty" > /dev/null 2>&1 && sshd_in_sam=yes
344 if [ "$sshd_in_sam" != "yes" ]
345 then
346 echo "Warning: Creating the user 'sshd' failed!"
347 fi
348 fi
349 fi
350 if [ "$sshd_in_sam" != "yes" ]
351 then
352 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
353 echo " Privilege separation set to 'no' again!"
354 echo " Check your ${SYSCONFDIR}/sshd_config file!"
355 privsep_used=no
356 else
357 mkpasswd -l -u sshd >> ${SYSCONFDIR}/passwd
358 fi
359 fi
360 else
361 privsep_used=no
362 fi
363 else
364 # On 9x don't use privilege separation. Since security isn't
365 # available it just adds useless addtional processes.
366 privsep_used=no
274 fi 367 fi
275fi 368fi
276 369
277# Create default sshd_config from here script 370# Create default sshd_config from here script or modify to add the
371# missing privsep configuration option
278 372
279if [ ! -f "${SYSCONFDIR}/sshd_config" ] 373if [ ! -f "${SYSCONFDIR}/sshd_config" ]
280then 374then
281 echo "Generating ${SYSCONFDIR}/sshd_config file" 375 echo "Generating ${SYSCONFDIR}/sshd_config file"
282 cat > ${SYSCONFDIR}/sshd_config << EOF 376 cat > ${SYSCONFDIR}/sshd_config << EOF
283# This is the sshd server system-wide configuration file. See sshd(8) 377# This is the sshd server system-wide configuration file. See
284# for more information. 378# sshd_config(5) for more information.
379
380# The strategy used for options in the default sshd_config shipped with
381# OpenSSH is to specify options with their default value where
382# possible, but leave them commented. Uncommented options change a
383# default value.
285 384
286Port $port_number 385Port $port_number
287#Protocol 2,1 386#Protocol 2,1
@@ -289,66 +388,77 @@ Port $port_number
289#ListenAddress :: 388#ListenAddress ::
290 389
291# HostKey for protocol version 1 390# HostKey for protocol version 1
292HostKey /etc/ssh_host_key 391#HostKey ${SYSCONFDIR}/ssh_host_key
293# HostKeys for protocol version 2 392# HostKeys for protocol version 2
294HostKey /etc/ssh_host_rsa_key 393#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
295HostKey /etc/ssh_host_dsa_key 394#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
296 395
297# Lifetime and size of ephemeral version 1 server ke 396# Lifetime and size of ephemeral version 1 server ke
298KeyRegenerationInterval 3600 397#KeyRegenerationInterval 3600
299ServerKeyBits 768 398#ServerKeyBits 768
300 399
301# Logging 400# Logging
302SyslogFacility AUTH
303LogLevel INFO
304#obsoletes QuietMode and FascistLogging 401#obsoletes QuietMode and FascistLogging
402#SyslogFacility AUTH
403#LogLevel INFO
305 404
306# Authentication: 405# Authentication:
307 406
308LoginGraceTime 600 407#LoginGraceTime 600
309PermitRootLogin yes 408#PermitRootLogin yes
310# The following setting overrides permission checks on host key files 409# The following setting overrides permission checks on host key files
311# and directories. For security reasons set this to "yes" when running 410# and directories. For security reasons set this to "yes" when running
312# NT/W2K, NTFS and CYGWIN=ntsec. 411# NT/W2K, NTFS and CYGWIN=ntsec.
313StrictModes no 412StrictModes no
314 413
315RSAAuthentication yes 414#RSAAuthentication yes
316PubkeyAuthentication yes 415#PubkeyAuthentication yes
317#AuthorizedKeysFile %h/.ssh/authorized_keys 416#AuthorizedKeysFile %h/.ssh/authorized_keys
318 417
319# rhosts authentication should not be used 418# rhosts authentication should not be used
320RhostsAuthentication no 419#RhostsAuthentication no
321# Don't read ~/.rhosts and ~/.shosts files 420# Don't read ~/.rhosts and ~/.shosts files
322IgnoreRhosts yes 421#IgnoreRhosts yes
323# For this to work you will also need host keys in /etc/ssh_known_hosts 422# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
324RhostsRSAAuthentication no 423#RhostsRSAAuthentication no
325# similar for protocol version 2 424# similar for protocol version 2
326HostbasedAuthentication no 425#HostbasedAuthentication no
327# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication 426# Change to yes if you don't trust ~/.ssh/known_hosts for
328#IgnoreUserKnownHosts yes 427# RhostsRSAAuthentication and HostbasedAuthentication
428#IgnoreUserKnownHosts no
329 429
330# To disable tunneled clear text passwords, change to no here! 430# To disable tunneled clear text passwords, change to no here!
331PasswordAuthentication yes 431#PasswordAuthentication yes
332PermitEmptyPasswords no 432#PermitEmptyPasswords no
333 433
334X11Forwarding no 434# Change to no to disable s/key passwords
335X11DisplayOffset 10 435#ChallengeResponseAuthentication yes
336PrintMotd yes 436
337#PrintLastLog no 437#X11Forwarding no
338KeepAlive yes 438#X11DisplayOffset 10
439#X11UseLocalhost yes
440#PrintMotd yes
441#PrintLastLog yes
442#KeepAlive yes
339#UseLogin no 443#UseLogin no
444UsePrivilegeSeparation $privsep_used
445#Compression yes
340 446
341#MaxStartups 10:30:60 447#MaxStartups 10
342#Banner /etc/issue.net 448# no default banner path
343#ReverseMappingCheck yes 449#Banner /some/path
450#VerifyReverseMapping no
344 451
452# override default of no subsystems
345Subsystem sftp /usr/sbin/sftp-server 453Subsystem sftp /usr/sbin/sftp-server
346EOF 454EOF
455elif [ "$privsep_configured" != "yes" ]
456then
457 echo >> ${SYSCONFDIR}/sshd_config
458 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
347fi 459fi
348 460
349# Care for services file 461# Care for services file
350_sys="`uname -a`"
351_nt=`expr "$_sys" : "CYGWIN_NT"`
352if [ $_nt -gt 0 ] 462if [ $_nt -gt 0 ]
353then 463then
354 _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" 464 _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
@@ -403,8 +513,8 @@ umount "${_services}"
403umount "${_serv_tmp}" 513umount "${_serv_tmp}"
404 514
405# Care for inetd.conf file 515# Care for inetd.conf file
406_inetcnf="/etc/inetd.conf" 516_inetcnf="${SYSCONFDIR}/inetd.conf"
407_inetcnf_tmp="/etc/inetd.conf.$$" 517_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
408 518
409if [ -f "${_inetcnf}" ] 519if [ -f "${_inetcnf}" ]
410then 520then
@@ -442,25 +552,6 @@ then
442 fi 552 fi
443fi 553fi
444 554
445# Create /var/log and /var/log/lastlog if not already existing
446
447if [ -f /var/log ]
448then
449 echo "Creating /var/log failed\!"
450else
451 if [ ! -d /var/log ]
452 then
453 mkdir /var/log
454 fi
455 if [ -d /var/log/lastlog ]
456 then
457 echo "Creating /var/log/lastlog failed\!"
458 elif [ ! -f /var/log/lastlog ]
459 then
460 cat /dev/null > /var/log/lastlog
461 fi
462fi
463
464# On NT ask if sshd should be installed as service 555# On NT ask if sshd should be installed as service
465if [ $_nt -gt 0 ] 556if [ $_nt -gt 0 ]
466then 557then
@@ -477,7 +568,7 @@ then
477 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" 568 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
478 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" 569 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
479 then 570 then
480 chown system /etc/ssh* 571 chown system /${SYSCONFDIR}/ssh*
481 echo 572 echo
482 echo "The service has been installed under LocalSystem account." 573 echo "The service has been installed under LocalSystem account."
483 fi 574 fi
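Review bot: The `net user sshd /add` call on new line 343 creates the privilege-separation account as an ordinary enabled local user, although it only needs to exist as an unprivileged identity for the sshd child process, so it should be created disabled for interactive logon: `net user sshd /add /fullname:"sshd privsep" "/HOMEDIR:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes`. Presumably no password is assigned by that command either, which makes an enabled account worse — confirm what `net user /add` does without a password argument on the Windows versions this script targets. Separately, the detection on new line 316, `grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config`, also matches a commented-out `#UsePrivilegeSeparation` line, in which case the script neither appends the option nor creates the sshd user while, as the hunk's own message says, sshd enables privsep by default; anchoring it as `grep -q '^UsePrivilegeSeparation' ${SYSCONFDIR}/sshd_config` (the same form already used for `'^sshd:'` on new line 333) avoids that. The `if [ ! -f "${SYSCONFDIR}/sshd_config" ]` block this hunk extends begins before the hunk.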