Diffstat (limited to 'contrib/cygwin')
-rw-r--r-- | contrib/cygwin/README | 3 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 198 |
2 files changed, 103 insertions, 98 deletions
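--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -69,7 +69,7 @@ Building OpenSSH
 Building from source is easy. Just unpack the source archive, cd to that
 directory, and call cygport:
 
-cygport openssh.cygport almostall
+cygport openssh.cygport all
 
 You must have installed the following packages to be able to build OpenSSH
 with the aforementioned cygport script:
@@ -77,7 +77,6 @@ with the aforementioned cygport script:
 zlib
 crypt
 openssl-devel
-libwrap-devel
 libedit-devel
 libkrb5-devel
 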
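--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -34,9 +34,9 @@ declare -a csih_required_commands=(
 /usr/bin/mv coreutils
 /usr/bin/rm coreutils
 /usr/bin/cygpath cygwin
+/usr/bin/mkpasswd cygwin
 /usr/bin/mount cygwin
 /usr/bin/ps cygwin
-/usr/bin/setfacl cygwin
 /usr/bin/umount cygwin
 /usr/bin/cmp diffutils
 /usr/bin/grep grep
@@ -59,8 +59,9 @@ PREFIX=/usr
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
 
+sshd_config_configured=no
 port_number=22
-privsep_configured=no
+strictmodes=yes
 privsep_used=yes
 cygwin_value=""
 user_account=
@@ -89,28 +90,8 @@ update_services_file() {
 # Depends on the above mount
 _wservices=`cygpath -w "${_services}"`
 
-# Remove sshd 22/port from services
-if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-then
-/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
-if [ -f "${_serv_tmp}" ]
-then
-if /usr/bin/mv "${_serv_tmp}" "${_services}"
-then
-csih_inform "Removing sshd from ${_wservices}"
-else
-csih_warning "Removing sshd from ${_wservices} failed!"
-let ++ret
-fi
-/usr/bin/rm -f "${_serv_tmp}"
-else
-csih_warning "Removing sshd from ${_wservices} failed!"
-let ++ret
-fi
-fi
-
 # Add ssh 22/tcp and ssh 22/udp to services
-if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
 then
 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
 then
@@ -132,17 +113,45 @@ update_services_file() {
 } # --- End of update_services_file --- #
 
 # ======================================================================
+# Routine: sshd_strictmodes
+# MODIFIES: strictmodes
+# ======================================================================
+sshd_strictmodes() {
+if [ "${sshd_config_configured}" != "yes" ]
+then
+echo
+csih_inform "StrictModes is set to 'yes' by default."
+csih_inform "This is the recommended setting, but it requires that the POSIX"
+csih_inform "permissions of the user's home directory, the user's .ssh"
+csih_inform "directory, and the user's ssh key files are tight so that"
+csih_inform "only the user has write permissions."
+csih_inform "On the other hand, StrictModes don't work well with default"
+csih_inform "Windows permissions of a home directory mounted with the"
+csih_inform "'noacl' option, and they don't work at all if the home"
+csih_inform "directory is on a FAT or FAT32 partition."
+if ! csih_request "Should StrictModes be used?"
+then
+strictmodes=no
+fi
+fi
+return 0
+}
+
+# ======================================================================
 # Routine: sshd_privsep
-# MODIFIES: privsep_configured privsep_used
+# MODIFIES: privsep_used
 # ======================================================================
 sshd_privsep() {
-local sshdconfig_tmp
 local ret=0
 
-if [ "${privsep_configured}" != "yes" ]
+if [ "${sshd_config_configured}" != "yes" ]
 then
-csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
-csih_inform "However, this requires a non-privileged account called 'sshd'."
+echo
+csih_inform "Privilege separation is set to 'sandbox' by default since"
+csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
+csih_inform "to 'yes' or 'no'."
+csih_inform "However, using privilege separation requires a non-privileged account"
+csih_inform "called 'sshd'."
 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
 if csih_request "Should privilege separation be used?"
 then
@@ -159,36 +168,53 @@ sshd_privsep() {
 privsep_used=no
 fi
 fi
+return $ret
+} # --- End of sshd_privsep --- #
 
-# Create default sshd_config from skeleton files in /etc/defaults/etc or
-# modify to add the missing privsep configuration option
-if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+# ======================================================================
+# Routine: sshd_config_tweak
+# ======================================================================
+sshd_config_tweak() {
+local ret=0
+
+# Modify sshd_config
+csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+if [ "${port_number}" -ne 22 ]
 then
-csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
-sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
-/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
-s/^#Port 22/Port ${port_number}/
-s/^#StrictModes yes/StrictModes no/" \
-< ${SYSCONFDIR}/sshd_config \
-> "${sshdconfig_tmp}"
-if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+/usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
+${SYSCONFDIR}/sshd_config
+if [ $? -ne 0 ]
 then
-csih_warning "Setting privilege separation to 'yes' failed!"
+csih_warning "Setting listening port to ${port_number} failed!"
 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
 let ++ret
+fi
+fi
+if [ "${strictmodes}" = "no" ]
+then
+/usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
+${SYSCONFDIR}/sshd_config
+if [ $? -ne 0 ]
+then
+csih_warning "Setting StrictModes to 'no' failed!"
+csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+let ++ret
 fi
-elif [ "${privsep_configured}" != "yes" ]
+fi
+if [ "${sshd_config_configured}" != "yes" ]
 then
-echo >> ${SYSCONFDIR}/sshd_config
-if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+/usr/bin/sed -i -e "
+s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
+${SYSCONFDIR}/sshd_config
+if [ $? -ne 0 ]
 then
-csih_warning "Setting privilege separation to 'yes' failed!"
+csih_warning "Setting privilege separation failed!"
 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
 let ++ret
 fi
 fi
 return $ret
-} # --- End of sshd_privsep --- #
+} # --- End of sshd_config_tweak --- #
 
 # ======================================================================
 # Routine: update_inetd_conf
@@ -207,11 +233,11 @@ update_inetd_conf() {
 # we have inetutils-1.5 inetd.d support
 if [ -f "${_inetcnf}" ]
 then
-/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+/usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
 
 # check for sshd OR ssh in top-level inetd.conf file, and remove
 # will be replaced by a file in inetd.d/
-if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
 then
 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
 if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +262,9 @@ update_inetd_conf() {
 then
 if [ "${_with_comment}" -eq 0 ]
 then
-/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
 else
-/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
 fi
 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
 then
@@ -251,13 +277,13 @@ update_inetd_conf() {
 
 elif [ -f "${_inetcnf}" ]
 then
-/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+/usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
 
 # check for sshd in top-level inetd.conf file, and remove
 # will be replaced by a file in inetd.d/
-if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
 then
-/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+/usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
 if [ -f "${_inetcnf_tmp}" ]
 then
 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +331,26 @@ check_service_files_ownership() {
 
 if [ -z "${run_service_as}" ]
 then
-accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
+accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
+/usr/bin/sed -ne 's/^Account *: *//gp')
 if [ "${accnt_name}" = "LocalSystem" ]
 then
 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
-accnt_name="SYSTEM:"
-elif [[ "${accnt_name}" =~ ^\.\\ ]]
-then
-# Convert "." domain to local machine name
-accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+run_service_as="SYSTEM"
+else
+dom="${accnt_name%%\\*}"
+accnt_name="${accnt_name#*\\}"
+if [ "${dom}" = '.' ]
+then
+# Check local account
+run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
+/usr/bin/awk -F: '{print $1;}')
+else
+# Check domain
+run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
+/usr/bin/awk -F: '{print $1;}')
+fi
 fi
-run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
 if [ -z "${run_service_as}" ]
 then
 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
@@ -615,32 +650,6 @@ echo
 
 warning_cnt=0
 
-# Check for ${SYSCONFDIR} directory
-csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
-if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
-then
-csih_warning "Can't set permissions on ${SYSCONFDIR}!"
-let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
-then
-csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
-let ++warning_cnt
-fi
-
-# Check for /var/log directory
-csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
-if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
-csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
-let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
-csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
-let ++warning_cnt
-fi
-
 # Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
 then
@@ -665,13 +674,9 @@ then
 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
 let ++warning_cnt
 fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
-then
-csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
-let ++warning_cnt
-fi
 
 # generate missing host keys
+csih_inform "Generating missing SSH host keys"
 /usr/bin/ssh-keygen -A || let warning_cnt+=$?
 
 # handle ssh_config
@@ -690,10 +695,11 @@ fi
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+sshd_config_configured=yes
 fi
+sshd_strictmodes || let warning_cnt+=$?
 sshd_privsep || let warning_cnt+=$?
-
+sshd_config_tweak || let warning_cnt+=$?
 update_services_file || let warning_cnt+=$?
 update_inetd_conf || let warning_cnt+=$?
 install_service || let warning_cnt+=$?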
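Review bot: Each `if [ $? -ne 0 ]` in sshd_config_tweak (hunk `@@ -159,36 +168,53 @@`) only catches an I/O failure of `sed -i`, which exits 0 when its pattern matched nothing, so a sshd_config with no `#Port`, `#StrictModes` or `#UsePrivilegeSeparation` line keeps its old value while the script reports success; the Port branch matters most because it runs even when `sshd_config_configured=yes`, so sshd can end up listening on a port other than the one the admin chose. The removed code had a fallback that appended `UsePrivilegeSeparation ${privsep_used}` when the keyword was absent, and the new sed substitution has none. I would route all three edits through one helper that substitutes and then confirms the resulting line with grep, which also removes the inconsistency that only the UsePrivilegeSeparation pattern omits `[[:space:]]*` after `#\?`. In check_service_files_ownership (`@@ -305,17 +331,26 @@`), `dom="${accnt_name%%\\*}"` leaves `dom` equal to the whole account name when cygrunsrv reports one without a backslash, so the lookup presumably runs against a non-existent domain rather than the local account; a `case "${accnt_name}" in *\\*) ... ;; *) dom='.' ;; esac` guard before the split would keep that case on the local path.
```shell
# Substitute one sshd_config keyword and confirm the line is really there
# afterwards: "sed -i" exits 0 even when the pattern matched no line.
# Values are plain tokens (port number, yes/no), so no sed escaping needed.
sshd_config_set() {
  local _key="$1"
  local _val="$2"
  /usr/bin/sed -i -e "s/^#\?[[:space:]]*${_key}[[:space:]].*/${_key} ${_val}/" \
    "${SYSCONFDIR}/sshd_config" &&
  /usr/bin/grep -q "^${_key}[[:space:]][[:space:]]*${_val}\$" "${SYSCONFDIR}/sshd_config"
}

sshd_config_tweak() {
  local ret=0

  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
  if [ "${port_number}" -ne 22 ]
  then
    if ! sshd_config_set Port "${port_number}"
    then
      csih_warning "Setting listening port to ${port_number} failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
  fi
  # … unchanged: StrictModes and UsePrivilegeSeparation branches, same shape via sshd_config_set …
  return $ret
} # --- End of sshd_config_tweak --- #
```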