Diffstat (limited to 'contrib/cygwin')
-rw-r--r-- | contrib/cygwin/Makefile | 7 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 898 | ||||
-rw-r--r-- | contrib/cygwin/ssh-user-config | 414 | ||||
-rw-r--r-- | contrib/cygwin/sshd-inetd | 4 |
4 files changed, 655 insertions, 668 deletions
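diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
index 09e8ea2db..3e2d26404 100644
--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@@ -8,6 +8,7 @@ sshdocdir=$(docdir)/openssh
 cygdocdir=$(docdir)/Cygwin
 sysconfdir=/etc
 defaultsdir=$(sysconfdir)/defaults/etc
+inetdefdir=$(defaultsdir)/inetd.d
 PRIVSEP_PATH=/var/empty
 INSTALL=/usr/bin/install -c
 
@@ -27,6 +28,10 @@ move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/ss
 remove-empty-dir:
 	rm -rf $(DESTDIR)$(PRIVSEP_PATH)
 
+install-inetd-config:
+	$(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
+	$(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
+
 install-sshdoc:
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
 	$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
@@ -52,5 +57,5 @@ install-scripts: ssh-host-config ssh-user-config
 	$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
 	$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
 
-cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
+cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts
 	@echo "Cygwin specific configuration finished."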
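Review bot: The new `install-inetd-config` target installs `sshd-inetd` without declaring it as a prerequisite, whereas the neighbouring rule header `install-scripts: ssh-host-config ssh-user-config` in the last hunk does list the files it copies; writing `install-inetd-config: sshd-inetd` makes the dependency explicit and makes a missing or not-yet-generated file fail at dependency resolution rather than inside `$(INSTALL)`. The `install-sshdoc` recipe prefixes its source with `$(srcdir)` while `install-scripts` does not, so whether `sshd-inetd` here should read `$(srcdir)/sshd-inetd` depends on whether the file is a plain source or generated into the build directory, which cannot be told from this section. Whether the file declares its install targets `.PHONY` is outside the visible hunks; if it does, the new target should be added to that list so a stray file named `install-inetd-config` cannot make the step appear up to date.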
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index e2ad69f19..bbb6da4c4 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -4,6 +4,15 @@ | |||
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | 6 | ||
7 | # ====================================================================== | ||
8 | # Initialization | ||
9 | # ====================================================================== | ||
10 | PROGNAME=$(basename $0) | ||
11 | _tdir=$(dirname $0) | ||
12 | PROGDIR=$(cd $_tdir && pwd) | ||
13 | |||
14 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh | ||
15 | |||
7 | # Subdirectory where the new package is being installed | 16 | # Subdirectory where the new package is being installed |
8 | PREFIX=/usr | 17 | PREFIX=/usr |
9 | 18 | ||
@@ -11,43 +20,371 @@ PREFIX=/usr | |||
11 | SYSCONFDIR=/etc | 20 | SYSCONFDIR=/etc |
12 | LOCALSTATEDIR=/var | 21 | LOCALSTATEDIR=/var |
13 | 22 | ||
14 | progname=$0 | 23 | source ${CSIH_SCRIPT} |
15 | auto_answer="" | ||
16 | port_number=22 | ||
17 | 24 | ||
25 | port_number=22 | ||
18 | privsep_configured=no | 26 | privsep_configured=no |
19 | privsep_used=yes | 27 | privsep_used=yes |
20 | sshd_in_passwd=no | 28 | cygwin_value="ntsec" |
21 | sshd_in_sam=no | 29 | password_value= |
30 | |||
31 | # ====================================================================== | ||
32 | # Routine: create_host_keys | ||
33 | # ====================================================================== | ||
34 | create_host_keys() { | ||
35 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] | ||
36 | then | ||
37 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" | ||
38 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | ||
39 | fi | ||
40 | |||
41 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | ||
42 | then | ||
43 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | ||
44 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | ||
45 | fi | ||
46 | |||
47 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | ||
48 | then | ||
49 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | ||
50 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null | ||
51 | fi | ||
52 | } # --- End of create_host_keys --- # | ||
53 | |||
54 | # ====================================================================== | ||
55 | # Routine: update_services_file | ||
56 | # ====================================================================== | ||
57 | update_services_file() { | ||
58 | local _my_etcdir="/ssh-host-config.$$" | ||
59 | local _win_etcdir | ||
60 | local _services | ||
61 | local _spaces | ||
62 | local _serv_tmp | ||
63 | local _wservices | ||
64 | |||
65 | if csih_is_nt | ||
66 | then | ||
67 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" | ||
68 | _services="${_my_etcdir}/services" | ||
69 | # On NT, 27 spaces, no space after the hash | ||
70 | _spaces=" #" | ||
71 | else | ||
72 | _win_etcdir="${WINDIR}" | ||
73 | _services="${_my_etcdir}/SERVICES" | ||
74 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
75 | _spaces=" # " | ||
76 | fi | ||
77 | _serv_tmp="${_my_etcdir}/srv.out.$$" | ||
78 | |||
79 | mount -t -f "${_win_etcdir}" "${_my_etcdir}" | ||
80 | |||
81 | # Depends on the above mount | ||
82 | _wservices=`cygpath -w "${_services}"` | ||
83 | |||
84 | # Remove sshd 22/port from services | ||
85 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | ||
86 | then | ||
87 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | ||
88 | if [ -f "${_serv_tmp}" ] | ||
89 | then | ||
90 | if mv "${_serv_tmp}" "${_services}" | ||
91 | then | ||
92 | csih_inform "Removing sshd from ${_wservices}" | ||
93 | else | ||
94 | csih_warning "Removing sshd from ${_wservices} failed!" | ||
95 | fi | ||
96 | rm -f "${_serv_tmp}" | ||
97 | else | ||
98 | csih_warning "Removing sshd from ${_wservices} failed!" | ||
99 | fi | ||
100 | fi | ||
101 | |||
102 | # Add ssh 22/tcp and ssh 22/udp to services | ||
103 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | ||
104 | then | ||
105 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | ||
106 | then | ||
107 | if mv "${_serv_tmp}" "${_services}" | ||
108 | then | ||
109 | csih_inform "Added ssh to ${_wservices}" | ||
110 | else | ||
111 | csih_warning "Adding ssh to ${_wservices} failed!" | ||
112 | fi | ||
113 | rm -f "${_serv_tmp}" | ||
114 | else | ||
115 | csih_warning "Adding ssh to ${_wservices} failed!" | ||
116 | fi | ||
117 | fi | ||
118 | umount "${_my_etcdir}" | ||
119 | } # --- End of update_services_file --- # | ||
120 | |||
121 | # ====================================================================== | ||
122 | # Routine: sshd_privsep | ||
123 | # MODIFIES: privsep_configured privsep_used | ||
124 | # ====================================================================== | ||
125 | sshd_privsep() { | ||
126 | local sshdconfig_tmp | ||
22 | 127 | ||
23 | request() | 128 | if [ "${privsep_configured}" != "yes" ] |
24 | { | 129 | then |
25 | if [ "${auto_answer}" = "yes" ] | 130 | if csih_is_nt |
131 | then | ||
132 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." | ||
133 | csih_inform "However, this requires a non-privileged account called 'sshd'." | ||
134 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
135 | if csih_request "Should privilege separation be used?" | ||
136 | then | ||
137 | privsep_used=yes | ||
138 | if ! csih_create_unprivileged_user sshd | ||
139 | then | ||
140 | csih_warning "Couldn't create user 'sshd'!" | ||
141 | csih_warning "Privilege separation set to 'no' again!" | ||
142 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
143 | privsep_used=no | ||
144 | fi | ||
145 | else | ||
146 | privsep_used=no | ||
147 | fi | ||
148 | else | ||
149 | # On 9x don't use privilege separation. Since security isn't | ||
150 | # available it just adds useless additional processes. | ||
151 | privsep_used=no | ||
152 | fi | ||
153 | fi | ||
154 | |||
155 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | ||
156 | # modify to add the missing privsep configuration option | ||
157 | if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | ||
26 | then | 158 | then |
27 | echo "$1 (yes/no) yes" | 159 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" |
28 | return 0 | 160 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ |
29 | elif [ "${auto_answer}" = "no" ] | 161 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
162 | s/^#Port 22/Port ${port_number}/ | ||
163 | s/^#StrictModes yes/StrictModes no/" \ | ||
164 | < ${SYSCONFDIR}/sshd_config \ | ||
165 | > "${sshdconfig_tmp}" | ||
166 | mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config | ||
167 | elif [ "${privsep_configured}" != "yes" ] | ||
30 | then | 168 | then |
31 | echo "$1 (yes/no) no" | 169 | echo >> ${SYSCONFDIR}/sshd_config |
32 | return 1 | 170 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
33 | fi | 171 | fi |
172 | } # --- End of sshd_privsep --- # | ||
173 | |||
174 | # ====================================================================== | ||
175 | # Routine: update_inetd_conf | ||
176 | # ====================================================================== | ||
177 | update_inetd_conf() { | ||
178 | local _inetcnf="${SYSCONFDIR}/inetd.conf" | ||
179 | local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" | ||
180 | local _inetcnf_dir="${SYSCONFDIR}/inetd.d" | ||
181 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" | ||
182 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" | ||
183 | local _with_comment=1 | ||
184 | |||
185 | if [ -d "${_inetcnf_dir}" ] | ||
186 | then | ||
187 | # we have inetutils-1.5 inetd.d support | ||
188 | if [ -f "${_inetcnf}" ] | ||
189 | then | ||
190 | grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 | ||
34 | 191 | ||
35 | answer="" | 192 | # check for sshd OR ssh in top-level inetd.conf file, and remove |
36 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] | 193 | # will be replaced by a file in inetd.d/ |
37 | do | 194 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] |
38 | echo -n "$1 (yes/no) " | 195 | then |
39 | read -e answer | 196 | grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
40 | done | 197 | if [ -f "${_inetcnf_tmp}" ] |
41 | if [ "X${answer}" = "Xyes" ] | 198 | then |
199 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | ||
200 | then | ||
201 | csih_inform "Removed ssh[d] from ${_inetcnf}" | ||
202 | else | ||
203 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | ||
204 | fi | ||
205 | rm -f "${_inetcnf_tmp}" | ||
206 | else | ||
207 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | ||
208 | fi | ||
209 | fi | ||
210 | fi | ||
211 | |||
212 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" | ||
213 | if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 | ||
214 | then | ||
215 | if [ "${_with_comment}" -eq 0 ] | ||
216 | then | ||
217 | sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | ||
218 | else | ||
219 | sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | ||
220 | fi | ||
221 | mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
222 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
223 | fi | ||
224 | |||
225 | elif [ -f "${_inetcnf}" ] | ||
42 | then | 226 | then |
43 | return 0 | 227 | grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 |
44 | else | 228 | |
45 | return 1 | 229 | # check for sshd in top-level inetd.conf file, and remove |
230 | # will be replaced by a file in inetd.d/ | ||
231 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | ||
232 | then | ||
233 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | ||
234 | if [ -f "${_inetcnf_tmp}" ] | ||
235 | then | ||
236 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | ||
237 | then | ||
238 | csih_inform "Removed sshd from ${_inetcnf}" | ||
239 | else | ||
240 | csih_warning "Removing sshd from ${_inetcnf} failed!" | ||
241 | fi | ||
242 | rm -f "${_inetcnf_tmp}" | ||
243 | else | ||
244 | csih_warning "Removing sshd from ${_inetcnf} failed!" | ||
245 | fi | ||
246 | fi | ||
247 | |||
248 | # Add ssh line to inetd.conf | ||
249 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | ||
250 | then | ||
251 | if [ "${_with_comment}" -eq 0 ] | ||
252 | then | ||
253 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | ||
254 | else | ||
255 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | ||
256 | fi | ||
257 | csih_inform "Added ssh to ${_inetcnf}" | ||
258 | fi | ||
46 | fi | 259 | fi |
47 | } | 260 | } # --- End of update_inetd_conf --- # |
48 | 261 | ||
49 | # Check options | 262 | # ====================================================================== |
263 | # Routine: install_service | ||
264 | # Install sshd as a service | ||
265 | # ====================================================================== | ||
266 | install_service() { | ||
267 | local run_service_as | ||
268 | local password | ||
269 | |||
270 | if csih_is_nt | ||
271 | then | ||
272 | if ! cygrunsrv -Q sshd >/dev/null 2>&1 | ||
273 | then | ||
274 | echo | ||
275 | echo | ||
276 | csih_warning "The following functions require administrator privileges!" | ||
277 | echo | ||
278 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
279 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
280 | then | ||
281 | csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" | ||
282 | csih_inform "for sshd to be able to change user context without password." | ||
283 | csih_get_cygenv "${cygwin_value}" | ||
284 | |||
285 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | ||
286 | then | ||
287 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" | ||
288 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" | ||
289 | csih_inform "sshd requires. You need to have or to create a privileged" | ||
290 | csih_inform "account. This script will help you do so." | ||
291 | echo | ||
292 | if ! csih_create_privileged_user "${password_value}" | ||
293 | then | ||
294 | csih_error_recoverable "There was a serious problem creating a privileged user." | ||
295 | csih_request "Do you want to proceed anyway?" || exit 1 | ||
296 | fi | ||
297 | fi | ||
298 | |||
299 | # never returns empty if NT or above | ||
300 | run_service_as=$(csih_service_should_run_as) | ||
301 | |||
302 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] | ||
303 | then | ||
304 | password="${csih_PRIVILEGED_PASSWORD}" | ||
305 | if [ -z "${password}" ] | ||
306 | then | ||
307 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" | ||
308 | password="${csih_value}" | ||
309 | fi | ||
310 | fi | ||
311 | |||
312 | # at this point, we either have $run_service_as = "system" and $password is empty, | ||
313 | # or $run_service_as is some privileged user and (hopefully) $password contains | ||
314 | # the correct password. So, from here out, we use '-z "${password}"' to discriminate | ||
315 | # the two cases. | ||
316 | |||
317 | csih_check_user "${run_service_as}" | ||
318 | |||
319 | if [ -z "${password}" ] | ||
320 | then | ||
321 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ | ||
322 | -e CYGWIN="${csih_cygenv}" | ||
323 | then | ||
324 | echo | ||
325 | csih_inform "The sshd service has been installed under the LocalSystem" | ||
326 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
327 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
328 | csih_inform "will start automatically after the next reboot." | ||
329 | fi | ||
330 | else | ||
331 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ | ||
332 | -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" | ||
333 | then | ||
334 | echo | ||
335 | csih_inform "The sshd service has been installed under the '${run_service_as}'" | ||
336 | csih_inform "account. To start the service now, call \`net start sshd' or" | ||
337 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" | ||
338 | csih_inform "after the next reboot." | ||
339 | fi | ||
340 | fi | ||
341 | |||
342 | # now, if successfully installed, set ownership of the affected files | ||
343 | if cygrunsrv -Q sshd >/dev/null 2>&1 | ||
344 | then | ||
345 | chown "${run_service_as}" ${SYSCONFDIR}/ssh* | ||
346 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty | ||
347 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog | ||
348 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
349 | then | ||
350 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log | ||
351 | fi | ||
352 | else | ||
353 | csih_warning "Something went wrong installing the sshd service." | ||
354 | fi | ||
355 | fi # user allowed us to install as service | ||
356 | fi # service not yet installed | ||
357 | fi # csih_is_nt | ||
358 | } # --- End of install_service --- # | ||
359 | |||
360 | # ====================================================================== | ||
361 | # Main Entry Point | ||
362 | # ====================================================================== | ||
363 | |||
364 | # Check how the script has been started. If | ||
365 | # (1) it has been started by giving the full path and | ||
366 | # that path is /etc/postinstall, OR | ||
367 | # (2) Otherwise, if the environment variable | ||
368 | # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set | ||
369 | # then set auto_answer to "no". This allows automatic | ||
370 | # creation of the config files in /etc w/o overwriting | ||
371 | # them if they already exist. In both cases, color | ||
372 | # escape sequences are suppressed, so as to prevent | ||
373 | # cluttering setup's logfiles. | ||
374 | if [ "$PROGDIR" = "/etc/postinstall" ] | ||
375 | then | ||
376 | csih_auto_answer="no" | ||
377 | csih_disable_color | ||
378 | fi | ||
379 | if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] | ||
380 | then | ||
381 | csih_auto_answer="no" | ||
382 | csih_disable_color | ||
383 | fi | ||
50 | 384 | ||
385 | # ====================================================================== | ||
386 | # Parse options | ||
387 | # ====================================================================== | ||
51 | while : | 388 | while : |
52 | do | 389 | do |
53 | case $# in | 390 | case $# in |
@@ -62,14 +399,15 @@ do | |||
62 | case "${option}" in | 399 | case "${option}" in |
63 | -d | --debug ) | 400 | -d | --debug ) |
64 | set -x | 401 | set -x |
402 | csih_trace_on | ||
65 | ;; | 403 | ;; |
66 | 404 | ||
67 | -y | --yes ) | 405 | -y | --yes ) |
68 | auto_answer=yes | 406 | csih_auto_answer=yes |
69 | ;; | 407 | ;; |
70 | 408 | ||
71 | -n | --no ) | 409 | -n | --no ) |
72 | auto_answer=no | 410 | csih_auto_answer=no |
73 | ;; | 411 | ;; |
74 | 412 | ||
75 | -c | --cygwin ) | 413 | -c | --cygwin ) |
@@ -87,6 +425,10 @@ do | |||
87 | shift | 425 | shift |
88 | ;; | 426 | ;; |
89 | 427 | ||
428 | --privileged ) | ||
429 | csih_FORCE_PRIVILEGED_USER=yes | ||
430 | ;; | ||
431 | |||
90 | *) | 432 | *) |
91 | echo "usage: ${progname} [OPTION]..." | 433 | echo "usage: ${progname} [OPTION]..." |
92 | echo | 434 | echo |
@@ -98,7 +440,9 @@ do | |||
98 | echo " --no -n Answer all questions with \"no\" automatically." | 440 | echo " --no -n Answer all questions with \"no\" automatically." |
99 | echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." | 441 | echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." |
100 | echo " --port -p <n> sshd listens on port n." | 442 | echo " --port -p <n> sshd listens on port n." |
101 | echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'." | 443 | echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user." |
444 | echo " --privileged On Windows NT/2k/XP, require privileged user" | ||
445 | echo " instead of LocalSystem for sshd service." | ||
102 | echo | 446 | echo |
103 | exit 1 | 447 | exit 1 |
104 | ;; | 448 | ;; |
@@ -106,73 +450,34 @@ do | |||
106 | esac | 450 | esac |
107 | done | 451 | done |
108 | 452 | ||
109 | # Check if running on NT | 453 | # ====================================================================== |
110 | _sys="`uname`" | 454 | # Action! |
111 | _nt=`expr "${_sys}" : "CYGWIN_NT"` | 455 | # ====================================================================== |
112 | # If running on NT, check if running under 2003 Server or later | ||
113 | if [ ${_nt} -gt 0 ] | ||
114 | then | ||
115 | _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` | ||
116 | fi | ||
117 | 456 | ||
118 | # Check for running ssh/sshd processes first. Refuse to do anything while | 457 | # Check for running ssh/sshd processes first. Refuse to do anything while |
119 | # some ssh processes are still running | 458 | # some ssh processes are still running |
120 | |||
121 | if ps -ef | grep -v grep | grep -q ssh | 459 | if ps -ef | grep -v grep | grep -q ssh |
122 | then | 460 | then |
123 | echo | 461 | echo |
124 | echo "There are still ssh processes running. Please shut them down first." | 462 | csih_error "There are still ssh processes running. Please shut them down first." |
125 | echo | ||
126 | exit 1 | ||
127 | fi | 463 | fi |
128 | 464 | ||
129 | # Check for ${SYSCONFDIR} directory | 465 | # Check for ${SYSCONFDIR} directory |
466 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." | ||
467 | chmod 775 "${SYSCONFDIR}" | ||
468 | setfacl -m u:system:rwx "${SYSCONFDIR}" | ||
130 | 469 | ||
131 | if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] | 470 | # Check for /var/log directory |
132 | then | 471 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." |
133 | echo | 472 | chmod 775 "${LOCALSTATEDIR}/log" |
134 | echo "${SYSCONFDIR} is existant but not a directory." | 473 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" |
135 | echo "Cannot create global configuration files." | ||
136 | echo | ||
137 | exit 1 | ||
138 | fi | ||
139 | |||
140 | # Create it if necessary | ||
141 | |||
142 | if [ ! -e "${SYSCONFDIR}" ] | ||
143 | then | ||
144 | mkdir "${SYSCONFDIR}" | ||
145 | if [ ! -e "${SYSCONFDIR}" ] | ||
146 | then | ||
147 | echo | ||
148 | echo "Creating ${SYSCONFDIR} directory failed" | ||
149 | echo | ||
150 | exit 1 | ||
151 | fi | ||
152 | fi | ||
153 | |||
154 | # Create /var/log and /var/log/lastlog if not already existing | ||
155 | |||
156 | if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ] | ||
157 | then | ||
158 | echo | ||
159 | echo "${LOCALSTATEDIR}/log is existant but not a directory." | ||
160 | echo "Cannot create ssh host configuration." | ||
161 | echo | ||
162 | exit 1 | ||
163 | fi | ||
164 | if [ ! -e ${LOCALSTATEDIR}/log ] | ||
165 | then | ||
166 | mkdir -p ${LOCALSTATEDIR}/log | ||
167 | fi | ||
168 | 474 | ||
475 | # Create /var/log/lastlog if not already exists | ||
169 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] | 476 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
170 | then | 477 | then |
171 | echo | 478 | echo |
172 | echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." | 479 | csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ |
173 | echo "Cannot create ssh host configuration." | 480 | "Cannot create ssh host configuration." |
174 | echo | ||
175 | exit 1 | ||
176 | fi | 481 | fi |
177 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] | 482 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] |
178 | then | 483 | then |
@@ -181,431 +486,44 @@ then | |||
181 | fi | 486 | fi |
182 | 487 | ||
183 | # Create /var/empty file used as chroot jail for privilege separation | 488 | # Create /var/empty file used as chroot jail for privilege separation |
184 | if [ -f ${LOCALSTATEDIR}/empty ] | 489 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory." |
185 | then | 490 | chmod 755 "${LOCALSTATEDIR}/empty" |
186 | echo "Creating ${LOCALSTATEDIR}/empty failed!" | 491 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" |
187 | else | ||
188 | mkdir -p ${LOCALSTATEDIR}/empty | ||
189 | if [ ${_nt} -gt 0 ] | ||
190 | then | ||
191 | chmod 755 ${LOCALSTATEDIR}/empty | ||
192 | fi | ||
193 | fi | ||
194 | 492 | ||
195 | # First generate host keys if not already existing | 493 | # host keys |
494 | create_host_keys | ||
196 | 495 | ||
197 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] | 496 | # use 'cmp' program to determine if a config file is identical |
198 | then | 497 | # to the default version of that config file |
199 | echo "Generating ${SYSCONFDIR}/ssh_host_key" | 498 | csih_check_program_or_error cmp diffutils |
200 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | ||
201 | fi | ||
202 | 499 | ||
203 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | ||
204 | then | ||
205 | echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | ||
206 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | ||
207 | fi | ||
208 | 500 | ||
209 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | 501 | # handle ssh_config |
502 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" | ||
503 | if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 | ||
210 | then | 504 | then |
211 | echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | ||
212 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null | ||
213 | fi | ||
214 | |||
215 | # Check if ssh_config exists. If yes, ask for overwriting | ||
216 | |||
217 | if [ -f "${SYSCONFDIR}/ssh_config" ] | ||
218 | then | ||
219 | if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" | ||
220 | then | ||
221 | rm -f "${SYSCONFDIR}/ssh_config" | ||
222 | if [ -f "${SYSCONFDIR}/ssh_config" ] | ||
223 | then | ||
224 | echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." | ||
225 | fi | ||
226 | fi | ||
227 | fi | ||
228 | |||
229 | # Create default ssh_config from skeleton file in /etc/defaults/etc | ||
230 | |||
231 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] | ||
232 | then | ||
233 | echo "Generating ${SYSCONFDIR}/ssh_config file" | ||
234 | cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config | ||
235 | if [ "${port_number}" != "22" ] | 505 | if [ "${port_number}" != "22" ] |
236 | then | 506 | then |
507 | csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" | ||
237 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config | 508 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config |
238 | echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config | 509 | echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config |
239 | fi | 510 | fi |
240 | fi | 511 | fi |
241 | 512 | ||
242 | # Check if sshd_config exists. If yes, ask for overwriting | 513 | # handle sshd_config (and privsep) |
243 | 514 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" | |
244 | if [ -f "${SYSCONFDIR}/sshd_config" ] | 515 | if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
245 | then | 516 | then |
246 | if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" | 517 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
247 | then | ||
248 | rm -f "${SYSCONFDIR}/sshd_config" | ||
249 | if [ -f "${SYSCONFDIR}/sshd_config" ] | ||
250 | then | ||
251 | echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." | ||
252 | fi | ||
253 | else | ||
254 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes | ||
255 | fi | ||
256 | fi | 518 | fi |
519 | sshd_privsep | ||
257 | 520 | ||
258 | # Prior to creating or modifying sshd_config, care for privilege separation | ||
259 | 521 | ||
260 | if [ "${privsep_configured}" != "yes" ] | ||
261 | then | ||
262 | if [ ${_nt} -gt 0 ] | ||
263 | then | ||
264 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." | ||
265 | echo "However, this requires a non-privileged account called 'sshd'." | ||
266 | echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
267 | echo | ||
268 | if request "Should privilege separation be used?" | ||
269 | then | ||
270 | privsep_used=yes | ||
271 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes | ||
272 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes | ||
273 | if [ "${sshd_in_passwd}" != "yes" ] | ||
274 | then | ||
275 | if [ "${sshd_in_sam}" != "yes" ] | ||
276 | then | ||
277 | echo "Warning: The following function requires administrator privileges!" | ||
278 | if request "Should this script create a local user 'sshd' on this machine?" | ||
279 | then | ||
280 | dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` | ||
281 | net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes | ||
282 | if [ "${sshd_in_sam}" != "yes" ] | ||
283 | then | ||
284 | echo "Warning: Creating the user 'sshd' failed!" | ||
285 | fi | ||
286 | fi | ||
287 | fi | ||
288 | if [ "${sshd_in_sam}" != "yes" ] | ||
289 | then | ||
290 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" | ||
291 | echo " Privilege separation set to 'no' again!" | ||
292 | echo " Check your ${SYSCONFDIR}/sshd_config file!" | ||
293 | privsep_used=no | ||
294 | else | ||
295 | mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd | ||
296 | fi | ||
297 | fi | ||
298 | else | ||
299 | privsep_used=no | ||
300 | fi | ||
301 | else | ||
302 | # On 9x don't use privilege separation. Since security isn't | ||
303 | # available it just adds useless additional processes. | ||
304 | privsep_used=no | ||
305 | fi | ||
306 | fi | ||
307 | |||
308 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | ||
309 | # modify to add the missing privsep configuration option | ||
310 | |||
311 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] | ||
312 | then | ||
313 | echo "Generating ${SYSCONFDIR}/sshd_config file" | ||
314 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ | ||
315 | s/^#Port 22/Port ${port_number}/ | ||
316 | s/^#StrictModes yes/StrictModes no/" \ | ||
317 | < ${SYSCONFDIR}/defaults/etc/sshd_config \ | ||
318 | > ${SYSCONFDIR}/sshd_config | ||
319 | elif [ "${privsep_configured}" != "yes" ] | ||
320 | then | ||
321 | echo >> ${SYSCONFDIR}/sshd_config | ||
322 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config | ||
323 | fi | ||
324 | 522 | ||
325 | # Care for services file | 523 | update_services_file |
326 | _my_etcdir="/ssh-host-config.$$" | 524 | update_inetd_conf |
327 | if [ ${_nt} -gt 0 ] | 525 | install_service |
328 | then | ||
329 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" | ||
330 | _services="${_my_etcdir}/services" | ||
331 | # On NT, 27 spaces, no space after the hash | ||
332 | _spaces=" #" | ||
333 | else | ||
334 | _win_etcdir="${WINDIR}" | ||
335 | _services="${_my_etcdir}/SERVICES" | ||
336 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
337 | _spaces=" # " | ||
338 | fi | ||
339 | _serv_tmp="${_my_etcdir}/srv.out.$$" | ||
340 | |||
341 | mount -t -f "${_win_etcdir}" "${_my_etcdir}" | ||
342 | |||
343 | # Depends on the above mount | ||
344 | _wservices=`cygpath -w "${_services}"` | ||
345 | |||
346 | # Remove sshd 22/port from services | ||
347 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | ||
348 | then | ||
349 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | ||
350 | if [ -f "${_serv_tmp}" ] | ||
351 | then | ||
352 | if mv "${_serv_tmp}" "${_services}" | ||
353 | then | ||
354 | echo "Removing sshd from ${_wservices}" | ||
355 | else | ||
356 | echo "Removing sshd from ${_wservices} failed!" | ||
357 | fi | ||
358 | rm -f "${_serv_tmp}" | ||
359 | else | ||
360 | echo "Removing sshd from ${_wservices} failed!" | ||
361 | fi | ||
362 | fi | ||
363 | |||
364 | # Add ssh 22/tcp and ssh 22/udp to services | ||
365 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | ||
366 | then | ||
367 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | ||
368 | then | ||
369 | if mv "${_serv_tmp}" "${_services}" | ||
370 | then | ||
371 | echo "Added ssh to ${_wservices}" | ||
372 | else | ||
373 | echo "Adding ssh to ${_wservices} failed!" | ||
374 | fi | ||
375 | rm -f "${_serv_tmp}" | ||
376 | else | ||
377 | echo "WARNING: Adding ssh to ${_wservices} failed!" | ||
378 | fi | ||
379 | fi | ||
380 | |||
381 | umount "${_my_etcdir}" | ||
382 | |||
383 | # Care for inetd.conf file | ||
384 | _inetcnf="${SYSCONFDIR}/inetd.conf" | ||
385 | _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" | ||
386 | |||
387 | if [ -f "${_inetcnf}" ] | ||
388 | then | ||
389 | # Check if ssh service is already in use as sshd | ||
390 | with_comment=1 | ||
391 | grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 | ||
392 | # Remove sshd line from inetd.conf | ||
393 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | ||
394 | then | ||
395 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | ||
396 | if [ -f "${_inetcnf_tmp}" ] | ||
397 | then | ||
398 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | ||
399 | then | ||
400 | echo "Removed sshd from ${_inetcnf}" | ||
401 | else | ||
402 | echo "Removing sshd from ${_inetcnf} failed!" | ||
403 | fi | ||
404 | rm -f "${_inetcnf_tmp}" | ||
405 | else | ||
406 | echo "Removing sshd from ${_inetcnf} failed!" | ||
407 | fi | ||
408 | fi | ||
409 | |||
410 | # Add ssh line to inetd.conf | ||
411 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | ||
412 | then | ||
413 | if [ "${with_comment}" -eq 0 ] | ||
414 | then | ||
415 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | ||
416 | else | ||
417 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | ||
418 | fi | ||
419 | echo "Added ssh to ${_inetcnf}" | ||
420 | fi | ||
421 | fi | ||
422 | |||
423 | # On NT ask if sshd should be installed as service | ||
424 | if [ ${_nt} -gt 0 ] | ||
425 | then | ||
426 | # But only if it is not already installed | ||
427 | if ! cygrunsrv -Q sshd > /dev/null 2>&1 | ||
428 | then | ||
429 | echo | ||
430 | echo | ||
431 | echo "Warning: The following functions require administrator privileges!" | ||
432 | echo | ||
433 | echo "Do you want to install sshd as service?" | ||
434 | if request "(Say \"no\" if it's already installed as service)" | ||
435 | then | ||
436 | if [ $_nt2003 -gt 0 ] | ||
437 | then | ||
438 | grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes | ||
439 | if [ "${sshd_server_in_passwd}" = "yes" ] | ||
440 | then | ||
441 | # Drop sshd_server from passwd since it could have wrong settings | ||
442 | grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ | ||
443 | rm -f ${SYSCONFDIR}/passwd | ||
444 | mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd | ||
445 | chmod g-w,o-w ${SYSCONFDIR}/passwd | ||
446 | fi | ||
447 | net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes | ||
448 | if [ "${sshd_server_in_sam}" != "yes" ] | ||
449 | then | ||
450 | echo | ||
451 | echo "You appear to be running Windows 2003 Server or later. On 2003 and" | ||
452 | echo "later systems, it's not possible to use the LocalSystem account" | ||
453 | echo "if sshd should allow passwordless logon (e. g. public key authentication)." | ||
454 | echo "If you want to enable that functionality, it's required to create a new" | ||
455 | echo "account 'sshd_server' with special privileges, which is then used to run" | ||
456 | echo "the sshd service under." | ||
457 | echo | ||
458 | echo "Should this script create a new local account 'sshd_server' which has" | ||
459 | if request "the required privileges?" | ||
460 | then | ||
461 | _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ` | ||
462 | if [ -z "${_admingroup}" ] | ||
463 | then | ||
464 | echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)." | ||
465 | exit 1 | ||
466 | fi | ||
467 | dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` | ||
468 | while [ "${sshd_server_in_sam}" != "yes" ] | ||
469 | do | ||
470 | if [ -n "${password_value}" ] | ||
471 | then | ||
472 | _password="${password_value}" | ||
473 | # Allow to ask for password if first try fails | ||
474 | password_value="" | ||
475 | else | ||
476 | echo | ||
477 | echo "Please enter a password for new user 'sshd_server'. Please be sure that" | ||
478 | echo "this password matches the password rules given on your system." | ||
479 | echo -n "Entering no password will exit the configuration. PASSWORD=" | ||
480 | read -e _password | ||
481 | if [ -z "${_password}" ] | ||
482 | then | ||
483 | echo | ||
484 | echo "Exiting configuration. No user sshd_server has been created," | ||
485 | echo "no sshd service installed." | ||
486 | exit 1 | ||
487 | fi | ||
488 | fi | ||
489 | net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes | ||
490 | if [ "${sshd_server_in_sam}" != "yes" ] | ||
491 | then | ||
492 | echo "Creating the user 'sshd_server' failed! Reason:" | ||
493 | cat /tmp/nu.$$ | ||
494 | rm /tmp/nu.$$ | ||
495 | fi | ||
496 | done | ||
497 | net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes | ||
498 | if [ "${sshd_server_in_admingroup}" != "yes" ] | ||
499 | then | ||
500 | echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" | ||
501 | echo "Please add sshd_server to local group ${_admingroup} before" | ||
502 | echo "starting the sshd service!" | ||
503 | echo | ||
504 | fi | ||
505 | passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` | ||
506 | if [ "${passwd_has_expiry_flags}" != "yes" ] | ||
507 | then | ||
508 | echo | ||
509 | echo "WARNING: User sshd_server has password expiry set to system default." | ||
510 | echo "Please check that password never expires or set it to your needs." | ||
511 | elif ! passwd -e sshd_server | ||
512 | then | ||
513 | echo | ||
514 | echo "WARNING: Setting password expiry for user sshd_server failed!" | ||
515 | echo "Please check that password never expires or set it to your needs." | ||
516 | fi | ||
517 | editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && | ||
518 | editrights -a SeCreateTokenPrivilege -u sshd_server && | ||
519 | editrights -a SeTcbPrivilege -u sshd_server && | ||
520 | editrights -a SeDenyInteractiveLogonRight -u sshd_server && | ||
521 | editrights -a SeDenyNetworkLogonRight -u sshd_server && | ||
522 | editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && | ||
523 | editrights -a SeIncreaseQuotaPrivilege -u sshd_server && | ||
524 | editrights -a SeServiceLogonRight -u sshd_server && | ||
525 | sshd_server_got_all_rights="yes" | ||
526 | if [ "${sshd_server_got_all_rights}" != "yes" ] | ||
527 | then | ||
528 | echo | ||
529 | echo "Assigning the appropriate privileges to user 'sshd_server' failed!" | ||
530 | echo "Can't create sshd service!" | ||
531 | exit 1 | ||
532 | fi | ||
533 | echo | ||
534 | echo "User 'sshd_server' has been created with password '${_password}'." | ||
535 | echo "If you change the password, please keep in mind to change the password" | ||
536 | echo "for the sshd service, too." | ||
537 | echo | ||
538 | echo "Also keep in mind that the user sshd_server needs read permissions on all" | ||
539 | echo "users' .ssh/authorized_keys file to allow public key authentication for" | ||
540 | echo "these users!. (Re-)running ssh-user-config for each user will set the" | ||
541 | echo "required permissions correctly." | ||
542 | echo | ||
543 | fi | ||
544 | fi | ||
545 | if [ "${sshd_server_in_sam}" = "yes" ] | ||
546 | then | ||
547 | mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd | ||
548 | fi | ||
549 | fi | ||
550 | if [ -n "${cygwin_value}" ] | ||
551 | then | ||
552 | _cygwin="${cygwin_value}" | ||
553 | else | ||
554 | echo | ||
555 | echo "Which value should the environment variable CYGWIN have when" | ||
556 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" | ||
557 | echo "able to change user context without password." | ||
558 | echo -n "Default is \"ntsec\". CYGWIN=" | ||
559 | read -e _cygwin | ||
560 | fi | ||
561 | [ -z "${_cygwin}" ] && _cygwin="ntsec" | ||
562 | if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] | ||
563 | then | ||
564 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip | ||
565 | then | ||
566 | echo | ||
567 | echo "The service has been installed under sshd_server account." | ||
568 | echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." | ||
569 | fi | ||
570 | else | ||
571 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip | ||
572 | then | ||
573 | echo | ||
574 | echo "The service has been installed under LocalSystem account." | ||
575 | echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." | ||
576 | fi | ||
577 | fi | ||
578 | fi | ||
579 | # Now check if sshd has been successfully installed. This allows to | ||
580 | # set the ownership of the affected files correctly. | ||
581 | if cygrunsrv -Q sshd > /dev/null 2>&1 | ||
582 | then | ||
583 | if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] | ||
584 | then | ||
585 | _user="sshd_server" | ||
586 | else | ||
587 | _user="system" | ||
588 | fi | ||
589 | chown "${_user}" ${SYSCONFDIR}/ssh* | ||
590 | chown "${_user}".544 ${LOCALSTATEDIR}/empty | ||
591 | chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog | ||
592 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
593 | then | ||
594 | chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log | ||
595 | fi | ||
596 | fi | ||
597 | if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' ) | ||
598 | then | ||
599 | echo | ||
600 | echo "Warning: It appears that you have user mode mounts (\"Just me\"" | ||
601 | echo "chosen during install.) Any daemons installed as services will" | ||
602 | echo "fail to function unless system mounts are used. To change this," | ||
603 | echo "re-run setup.exe and choose \"All users\"." | ||
604 | echo | ||
605 | echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33" | ||
606 | fi | ||
607 | fi | ||
608 | fi | ||
609 | 526 | ||
610 | echo | 527 | echo |
611 | echo "Host configuration finished. Have fun!" | 528 | csih_inform "Host configuration finished. Have fun!" |
529 | |||
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 9482efe9e..f210bd556 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config | |||
@@ -1,52 +1,235 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. | 3 | # ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | 6 | ||
7 | # ====================================================================== | ||
8 | # Initialization | ||
9 | # ====================================================================== | ||
10 | PROGNAME=$(basename -- $0) | ||
11 | _tdir=$(dirname -- $0) | ||
12 | PROGDIR=$(cd $_tdir && pwd) | ||
13 | |||
14 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh | ||
15 | |||
16 | # Subdirectory where the new package is being installed | ||
17 | PREFIX=/usr | ||
18 | |||
7 | # Directory where the config files are stored | 19 | # Directory where the config files are stored |
8 | SYSCONFDIR=/etc | 20 | SYSCONFDIR=/etc |
9 | 21 | ||
10 | progname=$0 | 22 | source ${CSIH_SCRIPT} |
11 | auto_answer="" | 23 | |
12 | auto_passphrase="no" | 24 | auto_passphrase="no" |
13 | passphrase="" | 25 | passphrase="" |
26 | pwdhome= | ||
27 | with_passphrase= | ||
28 | |||
29 | # ====================================================================== | ||
30 | # Routine: create_ssh1_identity | ||
31 | # optionally create ~/.ssh/identity[.pub] | ||
32 | # optionally add result to ~/.ssh/authorized_keys | ||
33 | # ====================================================================== | ||
34 | create_ssh1_identity() { | ||
35 | if [ ! -f "${pwdhome}/.ssh/identity" ] | ||
36 | then | ||
37 | if csih_request "Shall I create an SSH1 RSA identity file for you?" | ||
38 | then | ||
39 | csih_inform "Generating ${pwdhome}/.ssh/identity" | ||
40 | if [ "${with_passphrase}" = "yes" ] | ||
41 | then | ||
42 | ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null | ||
43 | else | ||
44 | ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null | ||
45 | fi | ||
46 | if csih_request "Do you want to use this identity to login to this machine?" | ||
47 | then | ||
48 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
49 | cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
50 | fi | ||
51 | fi | ||
52 | fi | ||
53 | } # === End of create_ssh1_identity() === # | ||
54 | readonly -f create_ssh1_identity | ||
55 | |||
56 | # ====================================================================== | ||
57 | # Routine: create_ssh2_rsa_identity | ||
58 | # optionally create ~/.ssh/id_rsa[.pub] | ||
59 | # optionally add result to ~/.ssh/authorized_keys | ||
60 | # ====================================================================== | ||
61 | create_ssh2_rsa_identity() { | ||
62 | if [ ! -f "${pwdhome}/.ssh/id_rsa" ] | ||
63 | then | ||
64 | if csih_request "Shall I create an SSH2 RSA identity file for you?" | ||
65 | then | ||
66 | csih_inform "Generating ${pwdhome}/.ssh/id_rsa" | ||
67 | if [ "${with_passphrase}" = "yes" ] | ||
68 | then | ||
69 | ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null | ||
70 | else | ||
71 | ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null | ||
72 | fi | ||
73 | if csih_request "Do you want to use this identity to login to this machine?" | ||
74 | then | ||
75 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
76 | cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
77 | fi | ||
78 | fi | ||
79 | fi | ||
80 | } # === End of create_ssh2_rsa_identity() === # | ||
81 | readonly -f create_ssh2_rsa_identity | ||
82 | |||
83 | # ====================================================================== | ||
84 | # Routine: create_ssh2_dsa_identity | ||
85 | # optionally create ~/.ssh/id_dsa[.pub] | ||
86 | # optionally add result to ~/.ssh/authorized_keys | ||
87 | # ====================================================================== | ||
88 | create_ssh2_dsa_identity() { | ||
89 | if [ ! -f "${pwdhome}/.ssh/id_dsa" ] | ||
90 | then | ||
91 | if csih_request "Shall I create an SSH2 DSA identity file for you?" | ||
92 | then | ||
93 | csih_inform "Generating ${pwdhome}/.ssh/id_dsa" | ||
94 | if [ "${with_passphrase}" = "yes" ] | ||
95 | then | ||
96 | ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null | ||
97 | else | ||
98 | ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null | ||
99 | fi | ||
100 | if csih_request "Do you want to use this identity to login to this machine?" | ||
101 | then | ||
102 | csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
103 | cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
104 | fi | ||
105 | fi | ||
106 | fi | ||
107 | } # === End of create_ssh2_dsa_identity() === # | ||
108 | readonly -f create_ssh2_dsa_identity | ||
109 | |||
110 | # ====================================================================== | ||
111 | # Routine: check_user_homedir | ||
112 | # Perform various checks on the user's home directory | ||
113 | # SETS GLOBAL VARIABLE: | ||
114 | # pwdhome | ||
115 | # ====================================================================== | ||
116 | check_user_homedir() { | ||
117 | local uid=$(id -u) | ||
118 | pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd) | ||
119 | if [ "X${pwdhome}" = "X" ] | ||
120 | then | ||
121 | csih_error_multiline \ | ||
122 | "There is no home directory set for you in ${SYSCONFDIR}/passwd." \ | ||
123 | 'Setting $HOME is not sufficient!' | ||
124 | fi | ||
125 | |||
126 | if [ ! -d "${pwdhome}" ] | ||
127 | then | ||
128 | csih_error_multiline \ | ||
129 | "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \ | ||
130 | 'but it is not a valid directory. Cannot create user identity files.' | ||
131 | fi | ||
132 | |||
133 | # If home is the root dir, set home to empty string to avoid error messages | ||
134 | # in subsequent parts of that script. | ||
135 | if [ "X${pwdhome}" = "X/" ] | ||
136 | then | ||
137 | # But first raise a warning! | ||
138 | csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" | ||
139 | if csih_request "Would you like to proceed anyway?" | ||
140 | then | ||
141 | pwdhome='' | ||
142 | else | ||
143 | csih_warning "Exiting. Configuration is not complete" | ||
144 | exit 1 | ||
145 | fi | ||
146 | fi | ||
147 | |||
148 | if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] | ||
149 | then | ||
150 | echo | ||
151 | csih_warning 'group and other have been revoked write permission to your home' | ||
152 | csih_warning "directory ${pwdhome}." | ||
153 | csih_warning 'This is required by OpenSSH to allow public key authentication using' | ||
154 | csih_warning 'the key files stored in your .ssh subdirectory.' | ||
155 | csih_warning 'Revert this change ONLY if you know what you are doing!' | ||
156 | echo | ||
157 | fi | ||
158 | } # === End of check_user_homedir() === # | ||
159 | readonly -f check_user_homedir | ||
14 | 160 | ||
15 | request() | 161 | # ====================================================================== |
16 | { | 162 | # Routine: check_user_dot_ssh_dir |
17 | if [ "${auto_answer}" = "yes" ] | 163 | # Perform various checks on the ~/.ssh directory |
164 | # PREREQUISITE: | ||
165 | # pwdhome -- check_user_homedir() | ||
166 | # ====================================================================== | ||
167 | check_user_dot_ssh_dir() { | ||
168 | if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] | ||
18 | then | 169 | then |
19 | return 0 | 170 | csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." |
20 | elif [ "${auto_answer}" = "no" ] | 171 | fi |
172 | |||
173 | if [ ! -e "${pwdhome}/.ssh" ] | ||
21 | then | 174 | then |
22 | return 1 | 175 | mkdir "${pwdhome}/.ssh" |
176 | if [ ! -e "${pwdhome}/.ssh" ] | ||
177 | then | ||
178 | csih_error "Creating users ${pwdhome}/.ssh directory failed" | ||
179 | fi | ||
23 | fi | 180 | fi |
181 | } # === End of check_user_dot_ssh_dir() === # | ||
182 | readonly -f check_user_dot_ssh_dir | ||
24 | 183 | ||
25 | answer="" | 184 | # ====================================================================== |
26 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] | 185 | # Routine: fix_authorized_keys_perms |
27 | do | 186 | # Corrects the permissions of ~/.ssh/authorized_keys |
28 | echo -n "$1 (yes/no) " | 187 | # PREREQUISITE: |
29 | read answer | 188 | # pwdhome -- check_user_homedir() |
30 | done | 189 | # ====================================================================== |
31 | if [ "X${answer}" = "Xyes" ] | 190 | fix_authorized_keys_perms() { |
191 | if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ] | ||
32 | then | 192 | then |
33 | return 0 | 193 | if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" |
34 | else | 194 | then |
35 | return 1 | 195 | csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" |
196 | csih_warning "failed. Please care for the correct permissions. The minimum requirement" | ||
197 | csih_warning "is, the owner needs read permissions." | ||
198 | echo | ||
199 | fi | ||
36 | fi | 200 | fi |
37 | } | 201 | } # === End of fix_authorized_keys_perms() === # |
202 | readonly -f fix_authorized_keys_perms | ||
203 | |||
204 | |||
205 | # ====================================================================== | ||
206 | # Main Entry Point | ||
207 | # ====================================================================== | ||
38 | 208 | ||
39 | # Check if running on NT | 209 | # Check how the script has been started. If |
40 | _sys="`uname -a`" | 210 | # (1) it has been started by giving the full path and |
41 | _nt=`expr "$_sys" : "CYGWIN_NT"` | 211 | # that path is /etc/postinstall, OR |
42 | # If running on NT, check if running under 2003 Server or later | 212 | # (2) Otherwise, if the environment variable |
43 | if [ $_nt -gt 0 ] | 213 | # SSH_USER_CONFIG_AUTO_ANSWER_NO is set |
214 | # then set auto_answer to "no". This allows automatic | ||
215 | # creation of the config files in /etc w/o overwriting | ||
216 | # them if they already exist. In both cases, color | ||
217 | # escape sequences are suppressed, so as to prevent | ||
218 | # cluttering setup's logfiles. | ||
219 | if [ "$PROGDIR" = "/etc/postinstall" ] | ||
44 | then | 220 | then |
45 | _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` | 221 | csih_auto_answer="no" |
222 | csih_disable_color | ||
223 | fi | ||
224 | if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ] | ||
225 | then | ||
226 | csih_auto_answer="no" | ||
227 | csih_disable_color | ||
46 | fi | 228 | fi |
47 | 229 | ||
48 | # Check options | 230 | # ====================================================================== |
49 | 231 | # Parse options | |
232 | # ====================================================================== | ||
50 | while : | 233 | while : |
51 | do | 234 | do |
52 | case $# in | 235 | case $# in |
@@ -61,14 +244,15 @@ do | |||
61 | case "$option" in | 244 | case "$option" in |
62 | -d | --debug ) | 245 | -d | --debug ) |
63 | set -x | 246 | set -x |
247 | csih_trace_on | ||
64 | ;; | 248 | ;; |
65 | 249 | ||
66 | -y | --yes ) | 250 | -y | --yes ) |
67 | auto_answer=yes | 251 | csih_auto_answer=yes |
68 | ;; | 252 | ;; |
69 | 253 | ||
70 | -n | --no ) | 254 | -n | --no ) |
71 | auto_answer=no | 255 | csih_auto_answer=no |
72 | ;; | 256 | ;; |
73 | 257 | ||
74 | -p | --passphrase ) | 258 | -p | --passphrase ) |
@@ -77,8 +261,12 @@ do | |||
77 | shift | 261 | shift |
78 | ;; | 262 | ;; |
79 | 263 | ||
264 | --privileged ) | ||
265 | csih_FORCE_PRIVILEGED_USER=yes | ||
266 | ;; | ||
267 | |||
80 | *) | 268 | *) |
81 | echo "usage: ${progname} [OPTION]..." | 269 | echo "usage: ${PROGNAME} [OPTION]..." |
82 | echo | 270 | echo |
83 | echo "This script creates an OpenSSH user configuration." | 271 | echo "This script creates an OpenSSH user configuration." |
84 | echo | 272 | echo |
@@ -87,6 +275,8 @@ do | |||
87 | echo " --yes -y Answer all questions with \"yes\" automatically." | 275 | echo " --yes -y Answer all questions with \"yes\" automatically." |
88 | echo " --no -n Answer all questions with \"no\" automatically." | 276 | echo " --no -n Answer all questions with \"no\" automatically." |
89 | echo " --passphrase -p word Use \"word\" as passphrase automatically." | 277 | echo " --passphrase -p word Use \"word\" as passphrase automatically." |
278 | echo " --privileged On Windows NT/2k/XP, assume privileged user" | ||
279 | echo " instead of LocalSystem for sshd service." | ||
90 | echo | 280 | echo |
91 | exit 1 | 281 | exit 1 |
92 | ;; | 282 | ;; |
@@ -94,157 +284,27 @@ do | |||
94 | esac | 284 | esac |
95 | done | 285 | done |
96 | 286 | ||
97 | # Ask user if user identity should be generated | 287 | # ====================================================================== |
288 | # Action! | ||
289 | # ====================================================================== | ||
98 | 290 | ||
291 | # Check passwd file | ||
99 | if [ ! -f ${SYSCONFDIR}/passwd ] | 292 | if [ ! -f ${SYSCONFDIR}/passwd ] |
100 | then | 293 | then |
101 | echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" | 294 | csih_error_multiline \ |
102 | echo 'first using mkpasswd. Check if it contains an entry for you and' | 295 | "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \ |
103 | echo 'please care for the home directory in your entry as well.' | 296 | 'first using mkpasswd. Check if it contains an entry for you and' \ |
104 | exit 1 | 297 | 'please care for the home directory in your entry as well.' |
105 | fi | ||
106 | |||
107 | uid=`id -u` | ||
108 | pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` | ||
109 | |||
110 | if [ "X${pwdhome}" = "X" ] | ||
111 | then | ||
112 | echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." | ||
113 | echo 'Setting $HOME is not sufficient!' | ||
114 | exit 1 | ||
115 | fi | ||
116 | |||
117 | if [ ! -d "${pwdhome}" ] | ||
118 | then | ||
119 | echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" | ||
120 | echo 'but it is not a valid directory. Cannot create user identity files.' | ||
121 | exit 1 | ||
122 | fi | ||
123 | |||
124 | # If home is the root dir, set home to empty string to avoid error messages | ||
125 | # in subsequent parts of that script. | ||
126 | if [ "X${pwdhome}" = "X/" ] | ||
127 | then | ||
128 | # But first raise a warning! | ||
129 | echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" | ||
130 | if request "Would you like to proceed anyway?" | ||
131 | then | ||
132 | pwdhome='' | ||
133 | else | ||
134 | exit 1 | ||
135 | fi | ||
136 | fi | ||
137 | |||
138 | if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] | ||
139 | then | ||
140 | echo | ||
141 | echo 'WARNING: group and other have been revoked write permission to your home' | ||
142 | echo " directory ${pwdhome}." | ||
143 | echo ' This is required by OpenSSH to allow public key authentication using' | ||
144 | echo ' the key files stored in your .ssh subdirectory.' | ||
145 | echo ' Revert this change ONLY if you know what you are doing!' | ||
146 | echo | ||
147 | fi | ||
148 | |||
149 | if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] | ||
150 | then | ||
151 | echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." | ||
152 | exit 1 | ||
153 | fi | ||
154 | |||
155 | if [ ! -e "${pwdhome}/.ssh" ] | ||
156 | then | ||
157 | mkdir "${pwdhome}/.ssh" | ||
158 | if [ ! -e "${pwdhome}/.ssh" ] | ||
159 | then | ||
160 | echo "Creating users ${pwdhome}/.ssh directory failed" | ||
161 | exit 1 | ||
162 | fi | ||
163 | fi | ||
164 | |||
165 | if [ $_nt -gt 0 ] | ||
166 | then | ||
167 | _user="system" | ||
168 | if [ $_nt2003 -gt 0 ] | ||
169 | then | ||
170 | grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" | ||
171 | fi | ||
172 | if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" | ||
173 | then | ||
174 | echo "${pwdhome}/.ssh couldn't be given the correct permissions." | ||
175 | echo "Please try to solve this problem first." | ||
176 | exit 1 | ||
177 | fi | ||
178 | fi | ||
179 | |||
180 | if [ ! -f "${pwdhome}/.ssh/identity" ] | ||
181 | then | ||
182 | if request "Shall I create an SSH1 RSA identity file for you?" | ||
183 | then | ||
184 | echo "Generating ${pwdhome}/.ssh/identity" | ||
185 | if [ "${with_passphrase}" = "yes" ] | ||
186 | then | ||
187 | ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null | ||
188 | else | ||
189 | ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null | ||
190 | fi | ||
191 | if request "Do you want to use this identity to login to this machine?" | ||
192 | then | ||
193 | echo "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
194 | cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
195 | fi | ||
196 | fi | ||
197 | fi | 298 | fi |
198 | 299 | ||
199 | if [ ! -f "${pwdhome}/.ssh/id_rsa" ] | 300 | check_user_homedir |
200 | then | 301 | check_user_dot_ssh_dir |
201 | if request "Shall I create an SSH2 RSA identity file for you?" | 302 | create_ssh1_identity |
202 | then | 303 | create_ssh2_rsa_identity |
203 | echo "Generating ${pwdhome}/.ssh/id_rsa" | 304 | create_ssh2_dsa_identity |
204 | if [ "${with_passphrase}" = "yes" ] | 305 | fix_authorized_keys_perms |
205 | then | ||
206 | ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null | ||
207 | else | ||
208 | ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null | ||
209 | fi | ||
210 | if request "Do you want to use this identity to login to this machine?" | ||
211 | then | ||
212 | echo "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
213 | cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
214 | fi | ||
215 | fi | ||
216 | fi | ||
217 | 306 | ||
218 | if [ ! -f "${pwdhome}/.ssh/id_dsa" ] | 307 | echo |
219 | then | 308 | csih_inform "Configuration finished. Have fun!" |
220 | if request "Shall I create an SSH2 DSA identity file for you?" | ||
221 | then | ||
222 | echo "Generating ${pwdhome}/.ssh/id_dsa" | ||
223 | if [ "${with_passphrase}" = "yes" ] | ||
224 | then | ||
225 | ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null | ||
226 | else | ||
227 | ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null | ||
228 | fi | ||
229 | if request "Do you want to use this identity to login to this machine?" | ||
230 | then | ||
231 | echo "Adding to ${pwdhome}/.ssh/authorized_keys" | ||
232 | cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" | ||
233 | fi | ||
234 | fi | ||
235 | fi | ||
236 | 309 | ||
237 | if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] | ||
238 | then | ||
239 | if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" | ||
240 | then | ||
241 | echo | ||
242 | echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" | ||
243 | echo "failed. Please care for the correct permissions. The minimum requirement" | ||
244 | echo "is, the owner and ${_user} both need read permissions." | ||
245 | echo | ||
246 | fi | ||
247 | fi | ||
248 | 310 | ||
249 | echo | ||
250 | echo "Configuration finished. Have fun!" | ||
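Review bot: The NT check in check_user_homedir and fix_authorized_keys_perms is ineffective: `csih_is_nt` is written as a bare word inside `[ … ]` (new lines 148 and 191), where it is just a non-empty string and therefore always true, so the chmod and setfacl branches run on every platform. If csih_is_nt is a function like the other csih_ helpers used here, the tests should read `if [ -d "${pwdhome}" ] && csih_is_nt && [ -n "$(chmod -c g-w,o-w "${pwdhome}")" ]` and `if csih_is_nt && [ -e "${pwdhome}/.ssh/authorized_keys" ]`. Separately, check_user_dot_ssh_dir creates the directory with a plain `mkdir "${pwdhome}/.ssh"` while the old code's setfacl on the .ssh directory itself was dropped, so the directory mode now depends only on the caller's umask; `mkdir -m 700 "${pwdhome}/.ssh"` keeps it compatible with sshd's StrictModes check regardless of umask.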
diff --git a/contrib/cygwin/sshd-inetd b/contrib/cygwin/sshd-inetd new file mode 100644 index 000000000..aa6bf073f --- /dev/null +++ b/contrib/cygwin/sshd-inetd | |||
@@ -0,0 +1,4 @@ | |||
1 | # This file can be used to enable sshd as a slave of the inetd service | ||
2 | # To do so, the line below should be uncommented. | ||
3 | @COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i | ||
4 | |||
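Review bot: The comment on line 2 tells the reader to uncomment "the line below", but that line starts with the `@COMMENT@` placeholder rather than a `#`, so the installed file only makes sense once something substitutes the placeholder — presumably ssh-host-config's update_inetd_conf, which this page shows being called but not defined. A one-line comment naming the substituting script would save the next maintainer the search, e.g. `# @COMMENT@ is replaced by ssh-host-config at configuration time.`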