Diffstat (limited to 'contrib/cygwin/ssh-host-config')
-rw-r--r--contrib/cygwin/ssh-host-config241
1 files changed, 122 insertions, 119 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index bbb6da4c4..57e728fbc 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -25,7 +25,7 @@ source ${CSIH_SCRIPT}
25port_number=22 25port_number=22
26privsep_configured=no 26privsep_configured=no
27privsep_used=yes 27privsep_used=yes
28cygwin_value="ntsec" 28cygwin_value=""
29password_value= 29password_value=
30 30
31# ====================================================================== 31# ======================================================================
@@ -37,13 +37,13 @@ create_host_keys() {
37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
39 fi 39 fi
40 40
41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
42 then 42 then
43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
45 fi 45 fi
46 46
47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
48 then 48 then
49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
@@ -75,12 +75,12 @@ update_services_file() {
75 _spaces=" # " 75 _spaces=" # "
76 fi 76 fi
77 _serv_tmp="${_my_etcdir}/srv.out.$$" 77 _serv_tmp="${_my_etcdir}/srv.out.$$"
78 78
79 mount -t -f "${_win_etcdir}" "${_my_etcdir}" 79 mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
80 80
81 # Depends on the above mount 81 # Depends on the above mount
82 _wservices=`cygpath -w "${_services}"` 82 _wservices=`cygpath -w "${_services}"`
83 83
84 # Remove sshd 22/port from services 84 # Remove sshd 22/port from services
85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
86 then 86 then
@@ -89,16 +89,16 @@ update_services_file() {
89 then 89 then
90 if mv "${_serv_tmp}" "${_services}" 90 if mv "${_serv_tmp}" "${_services}"
91 then 91 then
92 csih_inform "Removing sshd from ${_wservices}" 92 csih_inform "Removing sshd from ${_wservices}"
93 else 93 else
94 csih_warning "Removing sshd from ${_wservices} failed!" 94 csih_warning "Removing sshd from ${_wservices} failed!"
95 fi 95 fi
96 rm -f "${_serv_tmp}" 96 rm -f "${_serv_tmp}"
97 else 97 else
98 csih_warning "Removing sshd from ${_wservices} failed!" 98 csih_warning "Removing sshd from ${_wservices} failed!"
99 fi 99 fi
100 fi 100 fi
101 101
102 # Add ssh 22/tcp and ssh 22/udp to services 102 # Add ssh 22/tcp and ssh 22/udp to services
103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
104 then 104 then
@@ -106,9 +106,9 @@ update_services_file() {
106 then 106 then
107 if mv "${_serv_tmp}" "${_services}" 107 if mv "${_serv_tmp}" "${_services}"
108 then 108 then
109 csih_inform "Added ssh to ${_wservices}" 109 csih_inform "Added ssh to ${_wservices}"
110 else 110 else
111 csih_warning "Adding ssh to ${_wservices} failed!" 111 csih_warning "Adding ssh to ${_wservices} failed!"
112 fi 112 fi
113 rm -f "${_serv_tmp}" 113 rm -f "${_serv_tmp}"
114 else 114 else
@@ -134,16 +134,16 @@ sshd_privsep() {
134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
135 if csih_request "Should privilege separation be used?" 135 if csih_request "Should privilege separation be used?"
136 then 136 then
137 privsep_used=yes 137 privsep_used=yes
138 if ! csih_create_unprivileged_user sshd 138 if ! csih_create_unprivileged_user sshd
139 then 139 then
140 csih_warning "Couldn't create user 'sshd'!" 140 csih_warning "Couldn't create user 'sshd'!"
141 csih_warning "Privilege separation set to 'no' again!" 141 csih_warning "Privilege separation set to 'no' again!"
142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
143 privsep_used=no 143 privsep_used=no
144 fi 144 fi
145 else 145 else
146 privsep_used=no 146 privsep_used=no
147 fi 147 fi
148 else 148 else
149 # On 9x don't use privilege separation. Since security isn't 149 # On 9x don't use privilege separation. Since security isn't
@@ -151,7 +151,7 @@ sshd_privsep() {
151 privsep_used=no 151 privsep_used=no
152 fi 152 fi
153 fi 153 fi
154 154
155 # Create default sshd_config from skeleton files in /etc/defaults/etc or 155 # Create default sshd_config from skeleton files in /etc/defaults/etc or
156 # modify to add the missing privsep configuration option 156 # modify to add the missing privsep configuration option
157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
@@ -161,8 +161,8 @@ sshd_privsep() {
161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
162 s/^#Port 22/Port ${port_number}/ 162 s/^#Port 22/Port ${port_number}/
163 s/^#StrictModes yes/StrictModes no/" \ 163 s/^#StrictModes yes/StrictModes no/" \
164 < ${SYSCONFDIR}/sshd_config \ 164 < ${SYSCONFDIR}/sshd_config \
165 > "${sshdconfig_tmp}" 165 > "${sshdconfig_tmp}"
166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
167 elif [ "${privsep_configured}" != "yes" ] 167 elif [ "${privsep_configured}" != "yes" ]
168 then 168 then
@@ -193,19 +193,19 @@ update_inetd_conf() {
193 # will be replaced by a file in inetd.d/ 193 # will be replaced by a file in inetd.d/
194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
195 then 195 then
196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
197 if [ -f "${_inetcnf_tmp}" ] 197 if [ -f "${_inetcnf_tmp}" ]
198 then 198 then
199 if mv "${_inetcnf_tmp}" "${_inetcnf}" 199 if mv "${_inetcnf_tmp}" "${_inetcnf}"
200 then 200 then
201 csih_inform "Removed ssh[d] from ${_inetcnf}" 201 csih_inform "Removed ssh[d] from ${_inetcnf}"
202 else 202 else
203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
204 fi 204 fi
205 rm -f "${_inetcnf_tmp}" 205 rm -f "${_inetcnf_tmp}"
206 else 206 else
207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
208 fi 208 fi
209 fi 209 fi
210 fi 210 fi
211 211
@@ -214,13 +214,13 @@ update_inetd_conf() {
214 then 214 then
215 if [ "${_with_comment}" -eq 0 ] 215 if [ "${_with_comment}" -eq 0 ]
216 then 216 then
217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
218 else 218 else
219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
220 fi 220 fi
221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
222 csih_inform "Updated ${_sshd_inetd_conf}" 222 csih_inform "Updated ${_sshd_inetd_conf}"
223 fi 223 fi
224 224
225 elif [ -f "${_inetcnf}" ] 225 elif [ -f "${_inetcnf}" ]
226 then 226 then
@@ -233,26 +233,26 @@ update_inetd_conf() {
233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
234 if [ -f "${_inetcnf_tmp}" ] 234 if [ -f "${_inetcnf_tmp}" ]
235 then 235 then
236 if mv "${_inetcnf_tmp}" "${_inetcnf}" 236 if mv "${_inetcnf_tmp}" "${_inetcnf}"
237 then 237 then
238 csih_inform "Removed sshd from ${_inetcnf}" 238 csih_inform "Removed sshd from ${_inetcnf}"
239 else 239 else
240 csih_warning "Removing sshd from ${_inetcnf} failed!" 240 csih_warning "Removing sshd from ${_inetcnf} failed!"
241 fi 241 fi
242 rm -f "${_inetcnf_tmp}" 242 rm -f "${_inetcnf_tmp}"
243 else 243 else
244 csih_warning "Removing sshd from ${_inetcnf} failed!" 244 csih_warning "Removing sshd from ${_inetcnf} failed!"
245 fi 245 fi
246 fi 246 fi
247 247
248 # Add ssh line to inetd.conf 248 # Add ssh line to inetd.conf
249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
250 then 250 then
251 if [ "${_with_comment}" -eq 0 ] 251 if [ "${_with_comment}" -eq 0 ]
252 then 252 then
253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
254 else 254 else
255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
256 fi 256 fi
257 csih_inform "Added ssh to ${_inetcnf}" 257 csih_inform "Added ssh to ${_inetcnf}"
258 fi 258 fi
@@ -278,80 +278,83 @@ install_service() {
278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" 278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
279 if csih_request "(Say \"no\" if it is already installed as a service)" 279 if csih_request "(Say \"no\" if it is already installed as a service)"
280 then 280 then
281 csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" 281 csih_get_cygenv "${cygwin_value}"
282 csih_inform "for sshd to be able to change user context without password." 282
283 csih_get_cygenv "${cygwin_value}" 283 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
284 284 then
285 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 285 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
286 then 286 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
287 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 287 csih_inform "sshd requires. You need to have or to create a privileged"
288 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 288 csih_inform "account. This script will help you do so."
289 csih_inform "sshd requires. You need to have or to create a privileged" 289 echo
290 csih_inform "account. This script will help you do so." 290 if ! csih_create_privileged_user "${password_value}"
291 echo 291 then
292 if ! csih_create_privileged_user "${password_value}" 292 csih_error_recoverable "There was a serious problem creating a privileged user."
293 then 293 csih_request "Do you want to proceed anyway?" || exit 1
294 csih_error_recoverable "There was a serious problem creating a privileged user." 294 fi
295 csih_request "Do you want to proceed anyway?" || exit 1 295 fi
296 fi 296
297 fi 297 # never returns empty if NT or above
298 298 run_service_as=$(csih_service_should_run_as)
299 # never returns empty if NT or above 299
300 run_service_as=$(csih_service_should_run_as) 300 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
301 301 then
302 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 302 password="${csih_PRIVILEGED_PASSWORD}"
303 then 303 if [ -z "${password}" ]
304 password="${csih_PRIVILEGED_PASSWORD}" 304 then
305 if [ -z "${password}" ] 305 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
306 then 306 password="${csih_value}"
307 csih_get_value "Please enter the password for user '${run_service_as}':" "-s" 307 fi
308 password="${csih_value}" 308 fi
309 fi 309
310 fi 310 # at this point, we either have $run_service_as = "system" and $password is empty,
311 311 # or $run_service_as is some privileged user and (hopefully) $password contains
312 # at this point, we either have $run_service_as = "system" and $password is empty, 312 # the correct password. So, from here out, we use '-z "${password}"' to discriminate
313 # or $run_service_as is some privileged user and (hopefully) $password contains 313 # the two cases.
314 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 314
315 # the two cases. 315 csih_check_user "${run_service_as}"
316 316
317 csih_check_user "${run_service_as}" 317 if [ -n "${csih_cygenv}" ]
318 318 then
319 if [ -z "${password}" ] 319 cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
320 then 320 fi
321 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ 321 if [ -z "${password}" ]
322 -e CYGWIN="${csih_cygenv}" 322 then
323 then 323 if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
324 echo 324 -a "-D" -y tcpip ${cygwin_env}
325 csih_inform "The sshd service has been installed under the LocalSystem" 325 then
326 csih_inform "account (also known as SYSTEM). To start the service now, call" 326 echo
327 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" 327 csih_inform "The sshd service has been installed under the LocalSystem"
328 csih_inform "will start automatically after the next reboot." 328 csih_inform "account (also known as SYSTEM). To start the service now, call"
329 fi 329 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
330 else 330 csih_inform "will start automatically after the next reboot."
331 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ 331 fi
332 -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" 332 else
333 then 333 if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
334 -a "-D" -y tcpip ${cygwin_env} \
335 -u "${run_service_as}" -w "${password}"
336 then
334 echo 337 echo
335 csih_inform "The sshd service has been installed under the '${run_service_as}'" 338 csih_inform "The sshd service has been installed under the '${run_service_as}'"
336 csih_inform "account. To start the service now, call \`net start sshd' or" 339 csih_inform "account. To start the service now, call \`net start sshd' or"
337 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" 340 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
338 csih_inform "after the next reboot." 341 csih_inform "after the next reboot."
339 fi 342 fi
340 fi 343 fi
341 344
342 # now, if successfully installed, set ownership of the affected files 345 # now, if successfully installed, set ownership of the affected files
343 if cygrunsrv -Q sshd >/dev/null 2>&1 346 if cygrunsrv -Q sshd >/dev/null 2>&1
344 then 347 then
345 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 348 chown "${run_service_as}" ${SYSCONFDIR}/ssh*
346 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 349 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
347 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
348 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 351 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
349 then 352 then
350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 353 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
351 fi 354 fi
352 else 355 else
353 csih_warning "Something went wrong installing the sshd service." 356 csih_warning "Something went wrong installing the sshd service."
354 fi 357 fi
355 fi # user allowed us to install as service 358 fi # user allowed us to install as service
356 fi # service not yet installed 359 fi # service not yet installed
357 fi # csih_is_nt 360 fi # csih_is_nt
@@ -456,7 +459,7 @@ done
456 459
457# Check for running ssh/sshd processes first. Refuse to do anything while 460# Check for running ssh/sshd processes first. Refuse to do anything while
458# some ssh processes are still running 461# some ssh processes are still running
459if ps -ef | grep -v grep | grep -q ssh 462if ps -ef | grep -q '/sshd\?$'
460then 463then
461 echo 464 echo
462 csih_error "There are still ssh processes running. Please shut them down first." 465 csih_error "There are still ssh processes running. Please shut them down first."
@@ -475,9 +478,9 @@ setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
475# Create /var/log/lastlog if not already exists 478# Create /var/log/lastlog if not already exists
476if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 479if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
477then 480then
478 echo 481 echo
479 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ 482 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
480 "Cannot create ssh host configuration." 483 "Cannot create ssh host configuration."
481fi 484fi
482if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 485if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
483then 486then
@@ -520,7 +523,7 @@ sshd_privsep
520 523
521 524
522 525
523update_services_file 526update_services_file
524update_inetd_conf 527update_inetd_conf
525install_service 528install_service
526 529
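Review bot: The switch to `eval cygrunsrv …` at new lines 323-335 re-parses the service password: `"${password}"` is expanded by the shell before eval runs, so a password containing spaces, quotes, `$`, backticks or `;` is word-split or executed as shell syntax at eval time, and the same applies to `"${run_service_as}"` and to the `-e CYGWIN=\"…\"` string assembled at new line 319. The commit escaped `-d \"CYGWIN sshd\"` for exactly this reason but left the secret and the user name unescaped, which is the one place the double parse matters most. eval was only introduced to make the `-e CYGWIN=…` option conditional; the same effect is achieved without eval by building the argument list as words with `set --` and passing `"$@"`, which keeps every value a single argument no matter what it contains. This assumes install_service does not use its own positional parameters (its body begins before this hunk, so I cannot see all of it); if it does, save them first. The password is still visible to other local users in the cygrunsrv argv (`ps`), but that predates this change and cygrunsrv's `-w` offers no alternative that I can see here.
```shell
# … unchanged: privileged-user creation, run_service_as, password prompt, csih_check_user …

# Build the cygrunsrv argument list as separate words so the password and
# CYGWIN value are never re-parsed by the shell (no eval needed).
set -- -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip
if [ -n "${csih_cygenv}" ]
then
  set -- "$@" -e "CYGWIN=${csih_cygenv}"
fi
if [ -z "${password}" ]
then
  if cygrunsrv "$@"
  then
    # … unchanged: LocalSystem install message …
    echo
  fi
else
  if cygrunsrv "$@" -u "${run_service_as}" -w "${password}"
  then
    # … unchanged: privileged-account install message …
    echo
  fi
fi
# … unchanged: cygrunsrv -Q check and chown of the affected files …
```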