summaryrefslogtreecommitdiff
path: root/contrib/cygwin
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/cygwin')
-rw-r--r--contrib/cygwin/Makefile7
-rw-r--r--contrib/cygwin/ssh-host-config898
-rw-r--r--contrib/cygwin/ssh-user-config414
-rw-r--r--contrib/cygwin/sshd-inetd4
4 files changed, 655 insertions, 668 deletions
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
index 09e8ea2db..3e2d26404 100644
--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@@ -8,6 +8,7 @@ sshdocdir=$(docdir)/openssh
8cygdocdir=$(docdir)/Cygwin 8cygdocdir=$(docdir)/Cygwin
9sysconfdir=/etc 9sysconfdir=/etc
10defaultsdir=$(sysconfdir)/defaults/etc 10defaultsdir=$(sysconfdir)/defaults/etc
11inetdefdir=$(defaultsdir)/inetd.d
11PRIVSEP_PATH=/var/empty 12PRIVSEP_PATH=/var/empty
12INSTALL=/usr/bin/install -c 13INSTALL=/usr/bin/install -c
13 14
@@ -27,6 +28,10 @@ move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/ss
27remove-empty-dir: 28remove-empty-dir:
28 rm -rf $(DESTDIR)$(PRIVSEP_PATH) 29 rm -rf $(DESTDIR)$(PRIVSEP_PATH)
29 30
31install-inetd-config:
32 $(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
33 $(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
34
30install-sshdoc: 35install-sshdoc:
31 $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir) 36 $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
32 $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS 37 $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
@@ -52,5 +57,5 @@ install-scripts: ssh-host-config ssh-user-config
52 $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config 57 $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
53 $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config 58 $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
54 59
55cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts 60cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts
56 @echo "Cygwin specific configuration finished." 61 @echo "Cygwin specific configuration finished."
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index e2ad69f19..bbb6da4c4 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -4,6 +4,15 @@
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6 6
7# ======================================================================
8# Initialization
9# ======================================================================
10PROGNAME=$(basename $0)
11_tdir=$(dirname $0)
12PROGDIR=$(cd $_tdir && pwd)
13
14CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
15
7# Subdirectory where the new package is being installed 16# Subdirectory where the new package is being installed
8PREFIX=/usr 17PREFIX=/usr
9 18
@@ -11,43 +20,371 @@ PREFIX=/usr
11SYSCONFDIR=/etc 20SYSCONFDIR=/etc
12LOCALSTATEDIR=/var 21LOCALSTATEDIR=/var
13 22
14progname=$0 23source ${CSIH_SCRIPT}
15auto_answer=""
16port_number=22
17 24
25port_number=22
18privsep_configured=no 26privsep_configured=no
19privsep_used=yes 27privsep_used=yes
20sshd_in_passwd=no 28cygwin_value="ntsec"
21sshd_in_sam=no 29password_value=
30
31# ======================================================================
32# Routine: create_host_keys
33# ======================================================================
34create_host_keys() {
35 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
36 then
37 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
38 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
39 fi
40
41 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
42 then
43 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
44 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
45 fi
46
47 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
48 then
49 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
50 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
51 fi
52} # --- End of create_host_keys --- #
53
54# ======================================================================
55# Routine: update_services_file
56# ======================================================================
57update_services_file() {
58 local _my_etcdir="/ssh-host-config.$$"
59 local _win_etcdir
60 local _services
61 local _spaces
62 local _serv_tmp
63 local _wservices
64
65 if csih_is_nt
66 then
67 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
68 _services="${_my_etcdir}/services"
69 # On NT, 27 spaces, no space after the hash
70 _spaces=" #"
71 else
72 _win_etcdir="${WINDIR}"
73 _services="${_my_etcdir}/SERVICES"
74 # On 9x, 18 spaces (95 is very touchy), a space after the hash
75 _spaces=" # "
76 fi
77 _serv_tmp="${_my_etcdir}/srv.out.$$"
78
79 mount -t -f "${_win_etcdir}" "${_my_etcdir}"
80
81 # Depends on the above mount
82 _wservices=`cygpath -w "${_services}"`
83
84 # Remove sshd 22/port from services
85 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
86 then
87 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
88 if [ -f "${_serv_tmp}" ]
89 then
90 if mv "${_serv_tmp}" "${_services}"
91 then
92 csih_inform "Removing sshd from ${_wservices}"
93 else
94 csih_warning "Removing sshd from ${_wservices} failed!"
95 fi
96 rm -f "${_serv_tmp}"
97 else
98 csih_warning "Removing sshd from ${_wservices} failed!"
99 fi
100 fi
101
102 # Add ssh 22/tcp and ssh 22/udp to services
103 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
104 then
105 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
106 then
107 if mv "${_serv_tmp}" "${_services}"
108 then
109 csih_inform "Added ssh to ${_wservices}"
110 else
111 csih_warning "Adding ssh to ${_wservices} failed!"
112 fi
113 rm -f "${_serv_tmp}"
114 else
115 csih_warning "Adding ssh to ${_wservices} failed!"
116 fi
117 fi
118 umount "${_my_etcdir}"
119} # --- End of update_services_file --- #
120
121# ======================================================================
122# Routine: sshd_privsep
123# MODIFIES: privsep_configured privsep_used
124# ======================================================================
125sshd_privsep() {
126 local sshdconfig_tmp
22 127
23request() 128 if [ "${privsep_configured}" != "yes" ]
24{ 129 then
25 if [ "${auto_answer}" = "yes" ] 130 if csih_is_nt
131 then
132 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
133 csih_inform "However, this requires a non-privileged account called 'sshd'."
134 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
135 if csih_request "Should privilege separation be used?"
136 then
137 privsep_used=yes
138 if ! csih_create_unprivileged_user sshd
139 then
140 csih_warning "Couldn't create user 'sshd'!"
141 csih_warning "Privilege separation set to 'no' again!"
142 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
143 privsep_used=no
144 fi
145 else
146 privsep_used=no
147 fi
148 else
149 # On 9x don't use privilege separation. Since security isn't
150 # available it just adds useless additional processes.
151 privsep_used=no
152 fi
153 fi
154
155 # Create default sshd_config from skeleton files in /etc/defaults/etc or
156 # modify to add the missing privsep configuration option
157 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
26 then 158 then
27 echo "$1 (yes/no) yes" 159 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
28 return 0 160 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
29 elif [ "${auto_answer}" = "no" ] 161 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
162 s/^#Port 22/Port ${port_number}/
163 s/^#StrictModes yes/StrictModes no/" \
164 < ${SYSCONFDIR}/sshd_config \
165 > "${sshdconfig_tmp}"
166 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
167 elif [ "${privsep_configured}" != "yes" ]
30 then 168 then
31 echo "$1 (yes/no) no" 169 echo >> ${SYSCONFDIR}/sshd_config
32 return 1 170 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
33 fi 171 fi
172} # --- End of sshd_privsep --- #
173
174# ======================================================================
175# Routine: update_inetd_conf
176# ======================================================================
177update_inetd_conf() {
178 local _inetcnf="${SYSCONFDIR}/inetd.conf"
179 local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
180 local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
181 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
182 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
183 local _with_comment=1
184
185 if [ -d "${_inetcnf_dir}" ]
186 then
187 # we have inetutils-1.5 inetd.d support
188 if [ -f "${_inetcnf}" ]
189 then
190 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
34 191
35 answer="" 192 # check for sshd OR ssh in top-level inetd.conf file, and remove
36 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] 193 # will be replaced by a file in inetd.d/
37 do 194 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
38 echo -n "$1 (yes/no) " 195 then
39 read -e answer 196 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
40 done 197 if [ -f "${_inetcnf_tmp}" ]
41 if [ "X${answer}" = "Xyes" ] 198 then
199 if mv "${_inetcnf_tmp}" "${_inetcnf}"
200 then
201 csih_inform "Removed ssh[d] from ${_inetcnf}"
202 else
203 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
204 fi
205 rm -f "${_inetcnf_tmp}"
206 else
207 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
208 fi
209 fi
210 fi
211
212 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
213 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
214 then
215 if [ "${_with_comment}" -eq 0 ]
216 then
217 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
218 else
219 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
220 fi
221 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
222 csih_inform "Updated ${_sshd_inetd_conf}"
223 fi
224
225 elif [ -f "${_inetcnf}" ]
42 then 226 then
43 return 0 227 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
44 else 228
45 return 1 229 # check for sshd in top-level inetd.conf file, and remove
230 # will be replaced by a file in inetd.d/
231 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
232 then
233 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
234 if [ -f "${_inetcnf_tmp}" ]
235 then
236 if mv "${_inetcnf_tmp}" "${_inetcnf}"
237 then
238 csih_inform "Removed sshd from ${_inetcnf}"
239 else
240 csih_warning "Removing sshd from ${_inetcnf} failed!"
241 fi
242 rm -f "${_inetcnf_tmp}"
243 else
244 csih_warning "Removing sshd from ${_inetcnf} failed!"
245 fi
246 fi
247
248 # Add ssh line to inetd.conf
249 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
250 then
251 if [ "${_with_comment}" -eq 0 ]
252 then
253 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
254 else
255 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
256 fi
257 csih_inform "Added ssh to ${_inetcnf}"
258 fi
46 fi 259 fi
47} 260} # --- End of update_inetd_conf --- #
48 261
49# Check options 262# ======================================================================
263# Routine: install_service
264# Install sshd as a service
265# ======================================================================
266install_service() {
267 local run_service_as
268 local password
269
270 if csih_is_nt
271 then
272 if ! cygrunsrv -Q sshd >/dev/null 2>&1
273 then
274 echo
275 echo
276 csih_warning "The following functions require administrator privileges!"
277 echo
278 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
279 if csih_request "(Say \"no\" if it is already installed as a service)"
280 then
281 csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
282 csih_inform "for sshd to be able to change user context without password."
283 csih_get_cygenv "${cygwin_value}"
284
285 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
286 then
287 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
288 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
289 csih_inform "sshd requires. You need to have or to create a privileged"
290 csih_inform "account. This script will help you do so."
291 echo
292 if ! csih_create_privileged_user "${password_value}"
293 then
294 csih_error_recoverable "There was a serious problem creating a privileged user."
295 csih_request "Do you want to proceed anyway?" || exit 1
296 fi
297 fi
298
299 # never returns empty if NT or above
300 run_service_as=$(csih_service_should_run_as)
301
302 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
303 then
304 password="${csih_PRIVILEGED_PASSWORD}"
305 if [ -z "${password}" ]
306 then
307 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
308 password="${csih_value}"
309 fi
310 fi
311
312 # at this point, we either have $run_service_as = "system" and $password is empty,
313 # or $run_service_as is some privileged user and (hopefully) $password contains
314 # the correct password. So, from here out, we use '-z "${password}"' to discriminate
315 # the two cases.
316
317 csih_check_user "${run_service_as}"
318
319 if [ -z "${password}" ]
320 then
321 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
322 -e CYGWIN="${csih_cygenv}"
323 then
324 echo
325 csih_inform "The sshd service has been installed under the LocalSystem"
326 csih_inform "account (also known as SYSTEM). To start the service now, call"
327 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
328 csih_inform "will start automatically after the next reboot."
329 fi
330 else
331 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
332 -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
333 then
334 echo
335 csih_inform "The sshd service has been installed under the '${run_service_as}'"
336 csih_inform "account. To start the service now, call \`net start sshd' or"
337 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
338 csih_inform "after the next reboot."
339 fi
340 fi
341
342 # now, if successfully installed, set ownership of the affected files
343 if cygrunsrv -Q sshd >/dev/null 2>&1
344 then
345 chown "${run_service_as}" ${SYSCONFDIR}/ssh*
346 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
347 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
348 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
349 then
350 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
351 fi
352 else
353 csih_warning "Something went wrong installing the sshd service."
354 fi
355 fi # user allowed us to install as service
356 fi # service not yet installed
357 fi # csih_is_nt
358} # --- End of install_service --- #
359
360# ======================================================================
361# Main Entry Point
362# ======================================================================
363
364# Check how the script has been started. If
365# (1) it has been started by giving the full path and
366# that path is /etc/postinstall, OR
367# (2) Otherwise, if the environment variable
368# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
369# then set auto_answer to "no". This allows automatic
370# creation of the config files in /etc w/o overwriting
371# them if they already exist. In both cases, color
372# escape sequences are suppressed, so as to prevent
373# cluttering setup's logfiles.
374if [ "$PROGDIR" = "/etc/postinstall" ]
375then
376 csih_auto_answer="no"
377 csih_disable_color
378fi
379if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
380then
381 csih_auto_answer="no"
382 csih_disable_color
383fi
50 384
385# ======================================================================
386# Parse options
387# ======================================================================
51while : 388while :
52do 389do
53 case $# in 390 case $# in
@@ -62,14 +399,15 @@ do
62 case "${option}" in 399 case "${option}" in
63 -d | --debug ) 400 -d | --debug )
64 set -x 401 set -x
402 csih_trace_on
65 ;; 403 ;;
66 404
67 -y | --yes ) 405 -y | --yes )
68 auto_answer=yes 406 csih_auto_answer=yes
69 ;; 407 ;;
70 408
71 -n | --no ) 409 -n | --no )
72 auto_answer=no 410 csih_auto_answer=no
73 ;; 411 ;;
74 412
75 -c | --cygwin ) 413 -c | --cygwin )
@@ -87,6 +425,10 @@ do
87 shift 425 shift
88 ;; 426 ;;
89 427
428 --privileged )
429 csih_FORCE_PRIVILEGED_USER=yes
430 ;;
431
90 *) 432 *)
91 echo "usage: ${progname} [OPTION]..." 433 echo "usage: ${progname} [OPTION]..."
92 echo 434 echo
@@ -98,7 +440,9 @@ do
98 echo " --no -n Answer all questions with \"no\" automatically." 440 echo " --no -n Answer all questions with \"no\" automatically."
99 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." 441 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
100 echo " --port -p <n> sshd listens on port n." 442 echo " --port -p <n> sshd listens on port n."
101 echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'." 443 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
444 echo " --privileged On Windows NT/2k/XP, require privileged user"
445 echo " instead of LocalSystem for sshd service."
102 echo 446 echo
103 exit 1 447 exit 1
104 ;; 448 ;;
@@ -106,73 +450,34 @@ do
106 esac 450 esac
107done 451done
108 452
109# Check if running on NT 453# ======================================================================
110_sys="`uname`" 454# Action!
111_nt=`expr "${_sys}" : "CYGWIN_NT"` 455# ======================================================================
112# If running on NT, check if running under 2003 Server or later
113if [ ${_nt} -gt 0 ]
114then
115 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
116fi
117 456
118# Check for running ssh/sshd processes first. Refuse to do anything while 457# Check for running ssh/sshd processes first. Refuse to do anything while
119# some ssh processes are still running 458# some ssh processes are still running
120
121if ps -ef | grep -v grep | grep -q ssh 459if ps -ef | grep -v grep | grep -q ssh
122then 460then
123 echo 461 echo
124 echo "There are still ssh processes running. Please shut them down first." 462 csih_error "There are still ssh processes running. Please shut them down first."
125 echo
126 exit 1
127fi 463fi
128 464
129# Check for ${SYSCONFDIR} directory 465# Check for ${SYSCONFDIR} directory
466csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
467chmod 775 "${SYSCONFDIR}"
468setfacl -m u:system:rwx "${SYSCONFDIR}"
130 469
131if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] 470# Check for /var/log directory
132then 471csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
133 echo 472chmod 775 "${LOCALSTATEDIR}/log"
134 echo "${SYSCONFDIR} is existant but not a directory." 473setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
135 echo "Cannot create global configuration files."
136 echo
137 exit 1
138fi
139
140# Create it if necessary
141
142if [ ! -e "${SYSCONFDIR}" ]
143then
144 mkdir "${SYSCONFDIR}"
145 if [ ! -e "${SYSCONFDIR}" ]
146 then
147 echo
148 echo "Creating ${SYSCONFDIR} directory failed"
149 echo
150 exit 1
151 fi
152fi
153
154# Create /var/log and /var/log/lastlog if not already existing
155
156if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
157then
158 echo
159 echo "${LOCALSTATEDIR}/log is existant but not a directory."
160 echo "Cannot create ssh host configuration."
161 echo
162 exit 1
163fi
164if [ ! -e ${LOCALSTATEDIR}/log ]
165then
166 mkdir -p ${LOCALSTATEDIR}/log
167fi
168 474
475# Create /var/log/lastlog if not already exists
169if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 476if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
170then 477then
171 echo 478 echo
172 echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." 479 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
173 echo "Cannot create ssh host configuration." 480 "Cannot create ssh host configuration."
174 echo
175 exit 1
176fi 481fi
177if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 482if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
178then 483then
@@ -181,431 +486,44 @@ then
181fi 486fi
182 487
183# Create /var/empty file used as chroot jail for privilege separation 488# Create /var/empty file used as chroot jail for privilege separation
184if [ -f ${LOCALSTATEDIR}/empty ] 489csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
185then 490chmod 755 "${LOCALSTATEDIR}/empty"
186 echo "Creating ${LOCALSTATEDIR}/empty failed!" 491setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
187else
188 mkdir -p ${LOCALSTATEDIR}/empty
189 if [ ${_nt} -gt 0 ]
190 then
191 chmod 755 ${LOCALSTATEDIR}/empty
192 fi
193fi
194 492
195# First generate host keys if not already existing 493# host keys
494create_host_keys
196 495
197if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 496# use 'cmp' program to determine if a config file is identical
198then 497# to the default version of that config file
199 echo "Generating ${SYSCONFDIR}/ssh_host_key" 498csih_check_program_or_error cmp diffutils
200 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
201fi
202 499
203if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
204then
205 echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
206 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
207fi
208 500
209if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 501# handle ssh_config
502csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
503if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
210then 504then
211 echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
212 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
213fi
214
215# Check if ssh_config exists. If yes, ask for overwriting
216
217if [ -f "${SYSCONFDIR}/ssh_config" ]
218then
219 if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
220 then
221 rm -f "${SYSCONFDIR}/ssh_config"
222 if [ -f "${SYSCONFDIR}/ssh_config" ]
223 then
224 echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
225 fi
226 fi
227fi
228
229# Create default ssh_config from skeleton file in /etc/defaults/etc
230
231if [ ! -f "${SYSCONFDIR}/ssh_config" ]
232then
233 echo "Generating ${SYSCONFDIR}/ssh_config file"
234 cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
235 if [ "${port_number}" != "22" ] 505 if [ "${port_number}" != "22" ]
236 then 506 then
507 csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
237 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config 508 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
238 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config 509 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
239 fi 510 fi
240fi 511fi
241 512
242# Check if sshd_config exists. If yes, ask for overwriting 513# handle sshd_config (and privsep)
243 514csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
244if [ -f "${SYSCONFDIR}/sshd_config" ] 515if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
245then 516then
246 if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" 517 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
247 then
248 rm -f "${SYSCONFDIR}/sshd_config"
249 if [ -f "${SYSCONFDIR}/sshd_config" ]
250 then
251 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
252 fi
253 else
254 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
255 fi
256fi 518fi
519sshd_privsep
257 520
258# Prior to creating or modifying sshd_config, care for privilege separation
259 521
260if [ "${privsep_configured}" != "yes" ]
261then
262 if [ ${_nt} -gt 0 ]
263 then
264 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
265 echo "However, this requires a non-privileged account called 'sshd'."
266 echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
267 echo
268 if request "Should privilege separation be used?"
269 then
270 privsep_used=yes
271 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
272 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
273 if [ "${sshd_in_passwd}" != "yes" ]
274 then
275 if [ "${sshd_in_sam}" != "yes" ]
276 then
277 echo "Warning: The following function requires administrator privileges!"
278 if request "Should this script create a local user 'sshd' on this machine?"
279 then
280 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
281 net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
282 if [ "${sshd_in_sam}" != "yes" ]
283 then
284 echo "Warning: Creating the user 'sshd' failed!"
285 fi
286 fi
287 fi
288 if [ "${sshd_in_sam}" != "yes" ]
289 then
290 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
291 echo " Privilege separation set to 'no' again!"
292 echo " Check your ${SYSCONFDIR}/sshd_config file!"
293 privsep_used=no
294 else
295 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
296 fi
297 fi
298 else
299 privsep_used=no
300 fi
301 else
302 # On 9x don't use privilege separation. Since security isn't
303 # available it just adds useless additional processes.
304 privsep_used=no
305 fi
306fi
307
308# Create default sshd_config from skeleton files in /etc/defaults/etc or
309# modify to add the missing privsep configuration option
310
311if [ ! -f "${SYSCONFDIR}/sshd_config" ]
312then
313 echo "Generating ${SYSCONFDIR}/sshd_config file"
314 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
315 s/^#Port 22/Port ${port_number}/
316 s/^#StrictModes yes/StrictModes no/" \
317 < ${SYSCONFDIR}/defaults/etc/sshd_config \
318 > ${SYSCONFDIR}/sshd_config
319elif [ "${privsep_configured}" != "yes" ]
320then
321 echo >> ${SYSCONFDIR}/sshd_config
322 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
323fi
324 522
325# Care for services file 523update_services_file
326_my_etcdir="/ssh-host-config.$$" 524update_inetd_conf
327if [ ${_nt} -gt 0 ] 525install_service
328then
329 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
330 _services="${_my_etcdir}/services"
331 # On NT, 27 spaces, no space after the hash
332 _spaces=" #"
333else
334 _win_etcdir="${WINDIR}"
335 _services="${_my_etcdir}/SERVICES"
336 # On 9x, 18 spaces (95 is very touchy), a space after the hash
337 _spaces=" # "
338fi
339_serv_tmp="${_my_etcdir}/srv.out.$$"
340
341mount -t -f "${_win_etcdir}" "${_my_etcdir}"
342
343# Depends on the above mount
344_wservices=`cygpath -w "${_services}"`
345
346# Remove sshd 22/port from services
347if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
348then
349 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
350 if [ -f "${_serv_tmp}" ]
351 then
352 if mv "${_serv_tmp}" "${_services}"
353 then
354 echo "Removing sshd from ${_wservices}"
355 else
356 echo "Removing sshd from ${_wservices} failed!"
357 fi
358 rm -f "${_serv_tmp}"
359 else
360 echo "Removing sshd from ${_wservices} failed!"
361 fi
362fi
363
364# Add ssh 22/tcp and ssh 22/udp to services
365if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
366then
367 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
368 then
369 if mv "${_serv_tmp}" "${_services}"
370 then
371 echo "Added ssh to ${_wservices}"
372 else
373 echo "Adding ssh to ${_wservices} failed!"
374 fi
375 rm -f "${_serv_tmp}"
376 else
377 echo "WARNING: Adding ssh to ${_wservices} failed!"
378 fi
379fi
380
381umount "${_my_etcdir}"
382
383# Care for inetd.conf file
384_inetcnf="${SYSCONFDIR}/inetd.conf"
385_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
386
387if [ -f "${_inetcnf}" ]
388then
389 # Check if ssh service is already in use as sshd
390 with_comment=1
391 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
392 # Remove sshd line from inetd.conf
393 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
394 then
395 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
396 if [ -f "${_inetcnf_tmp}" ]
397 then
398 if mv "${_inetcnf_tmp}" "${_inetcnf}"
399 then
400 echo "Removed sshd from ${_inetcnf}"
401 else
402 echo "Removing sshd from ${_inetcnf} failed!"
403 fi
404 rm -f "${_inetcnf_tmp}"
405 else
406 echo "Removing sshd from ${_inetcnf} failed!"
407 fi
408 fi
409
410 # Add ssh line to inetd.conf
411 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
412 then
413 if [ "${with_comment}" -eq 0 ]
414 then
415 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
416 else
417 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
418 fi
419 echo "Added ssh to ${_inetcnf}"
420 fi
421fi
422
423# On NT ask if sshd should be installed as service
424if [ ${_nt} -gt 0 ]
425then
426 # But only if it is not already installed
427 if ! cygrunsrv -Q sshd > /dev/null 2>&1
428 then
429 echo
430 echo
431 echo "Warning: The following functions require administrator privileges!"
432 echo
433 echo "Do you want to install sshd as service?"
434 if request "(Say \"no\" if it's already installed as service)"
435 then
436 if [ $_nt2003 -gt 0 ]
437 then
438 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
439 if [ "${sshd_server_in_passwd}" = "yes" ]
440 then
441 # Drop sshd_server from passwd since it could have wrong settings
442 grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
443 rm -f ${SYSCONFDIR}/passwd
444 mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
445 chmod g-w,o-w ${SYSCONFDIR}/passwd
446 fi
447 net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
448 if [ "${sshd_server_in_sam}" != "yes" ]
449 then
450 echo
451 echo "You appear to be running Windows 2003 Server or later. On 2003 and"
452 echo "later systems, it's not possible to use the LocalSystem account"
453 echo "if sshd should allow passwordless logon (e. g. public key authentication)."
454 echo "If you want to enable that functionality, it's required to create a new"
455 echo "account 'sshd_server' with special privileges, which is then used to run"
456 echo "the sshd service under."
457 echo
458 echo "Should this script create a new local account 'sshd_server' which has"
459 if request "the required privileges?"
460 then
461 _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
462 if [ -z "${_admingroup}" ]
463 then
464 echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
465 exit 1
466 fi
467 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
468 while [ "${sshd_server_in_sam}" != "yes" ]
469 do
470 if [ -n "${password_value}" ]
471 then
472 _password="${password_value}"
473 # Allow to ask for password if first try fails
474 password_value=""
475 else
476 echo
477 echo "Please enter a password for new user 'sshd_server'. Please be sure that"
478 echo "this password matches the password rules given on your system."
479 echo -n "Entering no password will exit the configuration. PASSWORD="
480 read -e _password
481 if [ -z "${_password}" ]
482 then
483 echo
484 echo "Exiting configuration. No user sshd_server has been created,"
485 echo "no sshd service installed."
486 exit 1
487 fi
488 fi
489 net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
490 if [ "${sshd_server_in_sam}" != "yes" ]
491 then
492 echo "Creating the user 'sshd_server' failed! Reason:"
493 cat /tmp/nu.$$
494 rm /tmp/nu.$$
495 fi
496 done
497 net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
498 if [ "${sshd_server_in_admingroup}" != "yes" ]
499 then
500 echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
501 echo "Please add sshd_server to local group ${_admingroup} before"
502 echo "starting the sshd service!"
503 echo
504 fi
505 passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
506 if [ "${passwd_has_expiry_flags}" != "yes" ]
507 then
508 echo
509 echo "WARNING: User sshd_server has password expiry set to system default."
510 echo "Please check that password never expires or set it to your needs."
511 elif ! passwd -e sshd_server
512 then
513 echo
514 echo "WARNING: Setting password expiry for user sshd_server failed!"
515 echo "Please check that password never expires or set it to your needs."
516 fi
517 editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
518 editrights -a SeCreateTokenPrivilege -u sshd_server &&
519 editrights -a SeTcbPrivilege -u sshd_server &&
520 editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
521 editrights -a SeDenyNetworkLogonRight -u sshd_server &&
522 editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
523 editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
524 editrights -a SeServiceLogonRight -u sshd_server &&
525 sshd_server_got_all_rights="yes"
526 if [ "${sshd_server_got_all_rights}" != "yes" ]
527 then
528 echo
529 echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
530 echo "Can't create sshd service!"
531 exit 1
532 fi
533 echo
534 echo "User 'sshd_server' has been created with password '${_password}'."
535 echo "If you change the password, please keep in mind to change the password"
536 echo "for the sshd service, too."
537 echo
538 echo "Also keep in mind that the user sshd_server needs read permissions on all"
539 echo "users' .ssh/authorized_keys file to allow public key authentication for"
540 echo "these users!. (Re-)running ssh-user-config for each user will set the"
541 echo "required permissions correctly."
542 echo
543 fi
544 fi
545 if [ "${sshd_server_in_sam}" = "yes" ]
546 then
547 mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
548 fi
549 fi
550 if [ -n "${cygwin_value}" ]
551 then
552 _cygwin="${cygwin_value}"
553 else
554 echo
555 echo "Which value should the environment variable CYGWIN have when"
556 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
557 echo "able to change user context without password."
558 echo -n "Default is \"ntsec\". CYGWIN="
559 read -e _cygwin
560 fi
561 [ -z "${_cygwin}" ] && _cygwin="ntsec"
562 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
563 then
564 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
565 then
566 echo
567 echo "The service has been installed under sshd_server account."
568 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
569 fi
570 else
571 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
572 then
573 echo
574 echo "The service has been installed under LocalSystem account."
575 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
576 fi
577 fi
578 fi
579 # Now check if sshd has been successfully installed. This allows to
580 # set the ownership of the affected files correctly.
581 if cygrunsrv -Q sshd > /dev/null 2>&1
582 then
583 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
584 then
585 _user="sshd_server"
586 else
587 _user="system"
588 fi
589 chown "${_user}" ${SYSCONFDIR}/ssh*
590 chown "${_user}".544 ${LOCALSTATEDIR}/empty
591 chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
592 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
593 then
594 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
595 fi
596 fi
597 if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
598 then
599 echo
600 echo "Warning: It appears that you have user mode mounts (\"Just me\""
601 echo "chosen during install.) Any daemons installed as services will"
602 echo "fail to function unless system mounts are used. To change this,"
603 echo "re-run setup.exe and choose \"All users\"."
604 echo
605 echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
606 fi
607 fi
608fi
609 526
610echo 527echo
611echo "Host configuration finished. Have fun!" 528csih_inform "Host configuration finished. Have fun!"
529
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 9482efe9e..f210bd556 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -1,52 +1,235 @@
1#!/bin/sh 1#!/bin/bash
2# 2#
3# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. 3# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6 6
7# ======================================================================
8# Initialization
9# ======================================================================
10PROGNAME=$(basename -- $0)
11_tdir=$(dirname -- $0)
12PROGDIR=$(cd $_tdir && pwd)
13
14CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
15
16# Subdirectory where the new package is being installed
17PREFIX=/usr
18
7# Directory where the config files are stored 19# Directory where the config files are stored
8SYSCONFDIR=/etc 20SYSCONFDIR=/etc
9 21
10progname=$0 22source ${CSIH_SCRIPT}
11auto_answer="" 23
12auto_passphrase="no" 24auto_passphrase="no"
13passphrase="" 25passphrase=""
26pwdhome=
27with_passphrase=
28
29# ======================================================================
30# Routine: create_ssh1_identity
31# optionally create ~/.ssh/identity[.pub]
32# optionally add result to ~/.ssh/authorized_keys
33# ======================================================================
34create_ssh1_identity() {
35 if [ ! -f "${pwdhome}/.ssh/identity" ]
36 then
37 if csih_request "Shall I create an SSH1 RSA identity file for you?"
38 then
39 csih_inform "Generating ${pwdhome}/.ssh/identity"
40 if [ "${with_passphrase}" = "yes" ]
41 then
42 ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
43 else
44 ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
45 fi
46 if csih_request "Do you want to use this identity to login to this machine?"
47 then
48 csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
49 cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
50 fi
51 fi
52 fi
53} # === End of create_ssh1_identity() === #
54readonly -f create_ssh1_identity
55
56# ======================================================================
57# Routine: create_ssh2_rsa_identity
58# optionally create ~/.ssh/id_rsa[.pub]
59# optionally add result to ~/.ssh/authorized_keys
60# ======================================================================
61create_ssh2_rsa_identity() {
62 if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
63 then
64 if csih_request "Shall I create an SSH2 RSA identity file for you?"
65 then
66 csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
67 if [ "${with_passphrase}" = "yes" ]
68 then
69 ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
70 else
71 ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
72 fi
73 if csih_request "Do you want to use this identity to login to this machine?"
74 then
75 csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
76 cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
77 fi
78 fi
79 fi
80} # === End of create_ssh2_rsa_identity() === #
81readonly -f create_ssh2_rsa_identity
82
83# ======================================================================
84# Routine: create_ssh2_dsa_identity
85# optionally create ~/.ssh/id_dsa[.pub]
86# optionally add result to ~/.ssh/authorized_keys
87# ======================================================================
88create_ssh2_dsa_identity() {
89 if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
90 then
91 if csih_request "Shall I create an SSH2 DSA identity file for you?"
92 then
93 csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
94 if [ "${with_passphrase}" = "yes" ]
95 then
96 ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
97 else
98 ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
99 fi
100 if csih_request "Do you want to use this identity to login to this machine?"
101 then
102 csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
103 cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
104 fi
105 fi
106 fi
107} # === End of create_ssh2_dsa_identity() === #
108readonly -f create_ssh2_dsa_identity
109
110# ======================================================================
111# Routine: check_user_homedir
112# Perform various checks on the user's home directory
113# SETS GLOBAL VARIABLE:
114# pwdhome
115# ======================================================================
116check_user_homedir() {
117 local uid=$(id -u)
118 pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
119 if [ "X${pwdhome}" = "X" ]
120 then
121 csih_error_multiline \
122 "There is no home directory set for you in ${SYSCONFDIR}/passwd." \
123 'Setting $HOME is not sufficient!'
124 fi
125
126 if [ ! -d "${pwdhome}" ]
127 then
128 csih_error_multiline \
129 "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
130 'but it is not a valid directory. Cannot create user identity files.'
131 fi
132
133 # If home is the root dir, set home to empty string to avoid error messages
134 # in subsequent parts of that script.
135 if [ "X${pwdhome}" = "X/" ]
136 then
137 # But first raise a warning!
138 csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
139 if csih_request "Would you like to proceed anyway?"
140 then
141 pwdhome=''
142 else
143 csih_warning "Exiting. Configuration is not complete"
144 exit 1
145 fi
146 fi
147
148 if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
149 then
150 echo
151 csih_warning 'group and other have been revoked write permission to your home'
152 csih_warning "directory ${pwdhome}."
153 csih_warning 'This is required by OpenSSH to allow public key authentication using'
154 csih_warning 'the key files stored in your .ssh subdirectory.'
155 csih_warning 'Revert this change ONLY if you know what you are doing!'
156 echo
157 fi
158} # === End of check_user_homedir() === #
159readonly -f check_user_homedir
14 160
15request() 161# ======================================================================
16{ 162# Routine: check_user_dot_ssh_dir
17 if [ "${auto_answer}" = "yes" ] 163# Perform various checks on the ~/.ssh directory
164# PREREQUISITE:
165# pwdhome -- check_user_homedir()
166# ======================================================================
167check_user_dot_ssh_dir() {
168 if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
18 then 169 then
19 return 0 170 csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
20 elif [ "${auto_answer}" = "no" ] 171 fi
172
173 if [ ! -e "${pwdhome}/.ssh" ]
21 then 174 then
22 return 1 175 mkdir "${pwdhome}/.ssh"
176 if [ ! -e "${pwdhome}/.ssh" ]
177 then
178 csih_error "Creating users ${pwdhome}/.ssh directory failed"
179 fi
23 fi 180 fi
181} # === End of check_user_dot_ssh_dir() === #
182readonly -f check_user_dot_ssh_dir
24 183
25 answer="" 184# ======================================================================
26 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] 185# Routine: fix_authorized_keys_perms
27 do 186# Corrects the permissions of ~/.ssh/authorized_keys
28 echo -n "$1 (yes/no) " 187# PREREQUISITE:
29 read answer 188# pwdhome -- check_user_homedir()
30 done 189# ======================================================================
31 if [ "X${answer}" = "Xyes" ] 190fix_authorized_keys_perms() {
191 if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
32 then 192 then
33 return 0 193 if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
34 else 194 then
35 return 1 195 csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
196 csih_warning "failed. Please care for the correct permissions. The minimum requirement"
197 csih_warning "is, the owner needs read permissions."
198 echo
199 fi
36 fi 200 fi
37} 201} # === End of fix_authorized_keys_perms() === #
202readonly -f fix_authorized_keys_perms
203
204
205# ======================================================================
206# Main Entry Point
207# ======================================================================
38 208
39# Check if running on NT 209# Check how the script has been started. If
40_sys="`uname -a`" 210# (1) it has been started by giving the full path and
41_nt=`expr "$_sys" : "CYGWIN_NT"` 211# that path is /etc/postinstall, OR
42# If running on NT, check if running under 2003 Server or later 212# (2) Otherwise, if the environment variable
43if [ $_nt -gt 0 ] 213# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
214# then set auto_answer to "no". This allows automatic
215# creation of the config files in /etc w/o overwriting
216# them if they already exist. In both cases, color
217# escape sequences are suppressed, so as to prevent
218# cluttering setup's logfiles.
219if [ "$PROGDIR" = "/etc/postinstall" ]
44then 220then
45 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` 221 csih_auto_answer="no"
222 csih_disable_color
223fi
224if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
225then
226 csih_auto_answer="no"
227 csih_disable_color
46fi 228fi
47 229
48# Check options 230# ======================================================================
49 231# Parse options
232# ======================================================================
50while : 233while :
51do 234do
52 case $# in 235 case $# in
@@ -61,14 +244,15 @@ do
61 case "$option" in 244 case "$option" in
62 -d | --debug ) 245 -d | --debug )
63 set -x 246 set -x
247 csih_trace_on
64 ;; 248 ;;
65 249
66 -y | --yes ) 250 -y | --yes )
67 auto_answer=yes 251 csih_auto_answer=yes
68 ;; 252 ;;
69 253
70 -n | --no ) 254 -n | --no )
71 auto_answer=no 255 csih_auto_answer=no
72 ;; 256 ;;
73 257
74 -p | --passphrase ) 258 -p | --passphrase )
@@ -77,8 +261,12 @@ do
77 shift 261 shift
78 ;; 262 ;;
79 263
264 --privileged )
265 csih_FORCE_PRIVILEGED_USER=yes
266 ;;
267
80 *) 268 *)
81 echo "usage: ${progname} [OPTION]..." 269 echo "usage: ${PROGNAME} [OPTION]..."
82 echo 270 echo
83 echo "This script creates an OpenSSH user configuration." 271 echo "This script creates an OpenSSH user configuration."
84 echo 272 echo
@@ -87,6 +275,8 @@ do
87 echo " --yes -y Answer all questions with \"yes\" automatically." 275 echo " --yes -y Answer all questions with \"yes\" automatically."
88 echo " --no -n Answer all questions with \"no\" automatically." 276 echo " --no -n Answer all questions with \"no\" automatically."
89 echo " --passphrase -p word Use \"word\" as passphrase automatically." 277 echo " --passphrase -p word Use \"word\" as passphrase automatically."
278 echo " --privileged On Windows NT/2k/XP, assume privileged user"
279 echo " instead of LocalSystem for sshd service."
90 echo 280 echo
91 exit 1 281 exit 1
92 ;; 282 ;;
@@ -94,157 +284,27 @@ do
94 esac 284 esac
95done 285done
96 286
97# Ask user if user identity should be generated 287# ======================================================================
288# Action!
289# ======================================================================
98 290
291# Check passwd file
99if [ ! -f ${SYSCONFDIR}/passwd ] 292if [ ! -f ${SYSCONFDIR}/passwd ]
100then 293then
101 echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" 294 csih_error_multiline \
102 echo 'first using mkpasswd. Check if it contains an entry for you and' 295 "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
103 echo 'please care for the home directory in your entry as well.' 296 'first using mkpasswd. Check if it contains an entry for you and' \
104 exit 1 297 'please care for the home directory in your entry as well.'
105fi
106
107uid=`id -u`
108pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
109
110if [ "X${pwdhome}" = "X" ]
111then
112 echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
113 echo 'Setting $HOME is not sufficient!'
114 exit 1
115fi
116
117if [ ! -d "${pwdhome}" ]
118then
119 echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
120 echo 'but it is not a valid directory. Cannot create user identity files.'
121 exit 1
122fi
123
124# If home is the root dir, set home to empty string to avoid error messages
125# in subsequent parts of that script.
126if [ "X${pwdhome}" = "X/" ]
127then
128 # But first raise a warning!
129 echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
130 if request "Would you like to proceed anyway?"
131 then
132 pwdhome=''
133 else
134 exit 1
135 fi
136fi
137
138if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
139then
140 echo
141 echo 'WARNING: group and other have been revoked write permission to your home'
142 echo " directory ${pwdhome}."
143 echo ' This is required by OpenSSH to allow public key authentication using'
144 echo ' the key files stored in your .ssh subdirectory.'
145 echo ' Revert this change ONLY if you know what you are doing!'
146 echo
147fi
148
149if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
150then
151 echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
152 exit 1
153fi
154
155if [ ! -e "${pwdhome}/.ssh" ]
156then
157 mkdir "${pwdhome}/.ssh"
158 if [ ! -e "${pwdhome}/.ssh" ]
159 then
160 echo "Creating users ${pwdhome}/.ssh directory failed"
161 exit 1
162 fi
163fi
164
165if [ $_nt -gt 0 ]
166then
167 _user="system"
168 if [ $_nt2003 -gt 0 ]
169 then
170 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
171 fi
172 if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
173 then
174 echo "${pwdhome}/.ssh couldn't be given the correct permissions."
175 echo "Please try to solve this problem first."
176 exit 1
177 fi
178fi
179
180if [ ! -f "${pwdhome}/.ssh/identity" ]
181then
182 if request "Shall I create an SSH1 RSA identity file for you?"
183 then
184 echo "Generating ${pwdhome}/.ssh/identity"
185 if [ "${with_passphrase}" = "yes" ]
186 then
187 ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
188 else
189 ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
190 fi
191 if request "Do you want to use this identity to login to this machine?"
192 then
193 echo "Adding to ${pwdhome}/.ssh/authorized_keys"
194 cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
195 fi
196 fi
197fi 298fi
198 299
199if [ ! -f "${pwdhome}/.ssh/id_rsa" ] 300check_user_homedir
200then 301check_user_dot_ssh_dir
201 if request "Shall I create an SSH2 RSA identity file for you?" 302create_ssh1_identity
202 then 303create_ssh2_rsa_identity
203 echo "Generating ${pwdhome}/.ssh/id_rsa" 304create_ssh2_dsa_identity
204 if [ "${with_passphrase}" = "yes" ] 305fix_authorized_keys_perms
205 then
206 ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
207 else
208 ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
209 fi
210 if request "Do you want to use this identity to login to this machine?"
211 then
212 echo "Adding to ${pwdhome}/.ssh/authorized_keys"
213 cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
214 fi
215 fi
216fi
217 306
218if [ ! -f "${pwdhome}/.ssh/id_dsa" ] 307echo
219then 308csih_inform "Configuration finished. Have fun!"
220 if request "Shall I create an SSH2 DSA identity file for you?"
221 then
222 echo "Generating ${pwdhome}/.ssh/id_dsa"
223 if [ "${with_passphrase}" = "yes" ]
224 then
225 ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
226 else
227 ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
228 fi
229 if request "Do you want to use this identity to login to this machine?"
230 then
231 echo "Adding to ${pwdhome}/.ssh/authorized_keys"
232 cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
233 fi
234 fi
235fi
236 309
237if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
238then
239 if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
240 then
241 echo
242 echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
243 echo "failed. Please care for the correct permissions. The minimum requirement"
244 echo "is, the owner and ${_user} both need read permissions."
245 echo
246 fi
247fi
248 310
249echo
250echo "Configuration finished. Have fun!"
diff --git a/contrib/cygwin/sshd-inetd b/contrib/cygwin/sshd-inetd
new file mode 100644
index 000000000..aa6bf073f
--- /dev/null
+++ b/contrib/cygwin/sshd-inetd
@@ -0,0 +1,4 @@
1# This file can be used to enable sshd as a slave of the inetd service
2# To do so, the line below should be uncommented.
3@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i
4