Diffstat (limited to 'contrib/cygwin')
-rw-r--r--contrib/cygwin/README3
-rw-r--r--contrib/cygwin/ssh-host-config198
2 files changed, 103 insertions, 98 deletions
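--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -69,7 +69,7 @@ Building OpenSSH
 Building from source is easy. Just unpack the source archive, cd to that
 directory, and call cygport:
 
- cygport openssh.cygport almostall
+ cygport openssh.cygport all
 
 You must have installed the following packages to be able to build OpenSSH
 with the aforementioned cygport script:
@@ -77,7 +77,6 @@ with the aforementioned cygport script:
  zlib
  crypt
  openssl-devel
- libwrap-devel
  libedit-devel
  libkrb5-devel
 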
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 05efd3b3b..a7ea3e0d2 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -34,9 +34,9 @@ declare -a csih_required_commands=(
34 /usr/bin/mv coreutils 34 /usr/bin/mv coreutils
35 /usr/bin/rm coreutils 35 /usr/bin/rm coreutils
36 /usr/bin/cygpath cygwin 36 /usr/bin/cygpath cygwin
37 /usr/bin/mkpasswd cygwin
37 /usr/bin/mount cygwin 38 /usr/bin/mount cygwin
38 /usr/bin/ps cygwin 39 /usr/bin/ps cygwin
39 /usr/bin/setfacl cygwin
40 /usr/bin/umount cygwin 40 /usr/bin/umount cygwin
41 /usr/bin/cmp diffutils 41 /usr/bin/cmp diffutils
42 /usr/bin/grep grep 42 /usr/bin/grep grep
@@ -59,8 +59,9 @@ PREFIX=/usr
59SYSCONFDIR=/etc 59SYSCONFDIR=/etc
60LOCALSTATEDIR=/var 60LOCALSTATEDIR=/var
61 61
62sshd_config_configured=no
62port_number=22 63port_number=22
63privsep_configured=no 64strictmodes=yes
64privsep_used=yes 65privsep_used=yes
65cygwin_value="" 66cygwin_value=""
66user_account= 67user_account=
@@ -89,28 +90,8 @@ update_services_file() {
89 # Depends on the above mount 90 # Depends on the above mount
90 _wservices=`cygpath -w "${_services}"` 91 _wservices=`cygpath -w "${_services}"`
91 92
92 # Remove sshd 22/port from services
93 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
94 then
95 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
96 if [ -f "${_serv_tmp}" ]
97 then
98 if /usr/bin/mv "${_serv_tmp}" "${_services}"
99 then
100 csih_inform "Removing sshd from ${_wservices}"
101 else
102 csih_warning "Removing sshd from ${_wservices} failed!"
103 let ++ret
104 fi
105 /usr/bin/rm -f "${_serv_tmp}"
106 else
107 csih_warning "Removing sshd from ${_wservices} failed!"
108 let ++ret
109 fi
110 fi
111
112 # Add ssh 22/tcp and ssh 22/udp to services 93 # Add ssh 22/tcp and ssh 22/udp to services
113 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 94 if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
114 then 95 then
115 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 96 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
116 then 97 then
@@ -132,17 +113,45 @@ update_services_file() {
132} # --- End of update_services_file --- # 113} # --- End of update_services_file --- #
133 114
134# ====================================================================== 115# ======================================================================
116# Routine: sshd_strictmodes
117# MODIFIES: strictmodes
118# ======================================================================
119sshd_strictmodes() {
120 if [ "${sshd_config_configured}" != "yes" ]
121 then
122 echo
123 csih_inform "StrictModes is set to 'yes' by default."
124 csih_inform "This is the recommended setting, but it requires that the POSIX"
125 csih_inform "permissions of the user's home directory, the user's .ssh"
126 csih_inform "directory, and the user's ssh key files are tight so that"
127 csih_inform "only the user has write permissions."
128 csih_inform "On the other hand, StrictModes don't work well with default"
129 csih_inform "Windows permissions of a home directory mounted with the"
130 csih_inform "'noacl' option, and they don't work at all if the home"
131 csih_inform "directory is on a FAT or FAT32 partition."
132 if ! csih_request "Should StrictModes be used?"
133 then
134 strictmodes=no
135 fi
136 fi
137 return 0
138}
139
140# ======================================================================
135# Routine: sshd_privsep 141# Routine: sshd_privsep
136# MODIFIES: privsep_configured privsep_used 142# MODIFIES: privsep_used
137# ====================================================================== 143# ======================================================================
138sshd_privsep() { 144sshd_privsep() {
139 local sshdconfig_tmp
140 local ret=0 145 local ret=0
141 146
142 if [ "${privsep_configured}" != "yes" ] 147 if [ "${sshd_config_configured}" != "yes" ]
143 then 148 then
144 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 149 echo
145 csih_inform "However, this requires a non-privileged account called 'sshd'." 150 csih_inform "Privilege separation is set to 'sandbox' by default since"
151 csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
152 csih_inform "to 'yes' or 'no'."
153 csih_inform "However, using privilege separation requires a non-privileged account"
154 csih_inform "called 'sshd'."
146 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 155 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
147 if csih_request "Should privilege separation be used?" 156 if csih_request "Should privilege separation be used?"
148 then 157 then
@@ -159,36 +168,53 @@ sshd_privsep() {
159 privsep_used=no 168 privsep_used=no
160 fi 169 fi
161 fi 170 fi
171 return $ret
172} # --- End of sshd_privsep --- #
162 173
163 # Create default sshd_config from skeleton files in /etc/defaults/etc or 174# ======================================================================
164 # modify to add the missing privsep configuration option 175# Routine: sshd_config_tweak
165 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 176# ======================================================================
177sshd_config_tweak() {
178 local ret=0
179
180 # Modify sshd_config
181 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
182 if [ "${port_number}" -ne 22 ]
166 then 183 then
167 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 184 /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
168 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 185 ${SYSCONFDIR}/sshd_config
169 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 186 if [ $? -ne 0 ]
170 s/^#Port 22/Port ${port_number}/
171 s/^#StrictModes yes/StrictModes no/" \
172 < ${SYSCONFDIR}/sshd_config \
173 > "${sshdconfig_tmp}"
174 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
175 then 187 then
176 csih_warning "Setting privilege separation to 'yes' failed!" 188 csih_warning "Setting listening port to ${port_number} failed!"
177 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 189 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
178 let ++ret 190 let ++ret
191 fi
192 fi
193 if [ "${strictmodes}" = "no" ]
194 then
195 /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
196 ${SYSCONFDIR}/sshd_config
197 if [ $? -ne 0 ]
198 then
199 csih_warning "Setting StrictModes to 'no' failed!"
200 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
201 let ++ret
179 fi 202 fi
180 elif [ "${privsep_configured}" != "yes" ] 203 fi
204 if [ "${sshd_config_configured}" != "yes" ]
181 then 205 then
182 echo >> ${SYSCONFDIR}/sshd_config 206 /usr/bin/sed -i -e "
183 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 207 s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
208 ${SYSCONFDIR}/sshd_config
209 if [ $? -ne 0 ]
184 then 210 then
185 csih_warning "Setting privilege separation to 'yes' failed!" 211 csih_warning "Setting privilege separation failed!"
186 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 212 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
187 let ++ret 213 let ++ret
188 fi 214 fi
189 fi 215 fi
190 return $ret 216 return $ret
191} # --- End of sshd_privsep --- # 217} # --- End of sshd_config_tweak --- #
192 218
193# ====================================================================== 219# ======================================================================
194# Routine: update_inetd_conf 220# Routine: update_inetd_conf
@@ -207,11 +233,11 @@ update_inetd_conf() {
207 # we have inetutils-1.5 inetd.d support 233 # we have inetutils-1.5 inetd.d support
208 if [ -f "${_inetcnf}" ] 234 if [ -f "${_inetcnf}" ]
209 then 235 then
210 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 236 /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
211 237
212 # check for sshd OR ssh in top-level inetd.conf file, and remove 238 # check for sshd OR ssh in top-level inetd.conf file, and remove
213 # will be replaced by a file in inetd.d/ 239 # will be replaced by a file in inetd.d/
214 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 240 if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
215 then 241 then
216 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 242 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
217 if [ -f "${_inetcnf_tmp}" ] 243 if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +262,9 @@ update_inetd_conf() {
236 then 262 then
237 if [ "${_with_comment}" -eq 0 ] 263 if [ "${_with_comment}" -eq 0 ]
238 then 264 then
239 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 265 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
240 else 266 else
241 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 267 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
242 fi 268 fi
243 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 269 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
244 then 270 then
@@ -251,13 +277,13 @@ update_inetd_conf() {
251 277
252 elif [ -f "${_inetcnf}" ] 278 elif [ -f "${_inetcnf}" ]
253 then 279 then
254 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 280 /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
255 281
256 # check for sshd in top-level inetd.conf file, and remove 282 # check for sshd in top-level inetd.conf file, and remove
257 # will be replaced by a file in inetd.d/ 283 # will be replaced by a file in inetd.d/
258 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 284 if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
259 then 285 then
260 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 286 /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
261 if [ -f "${_inetcnf_tmp}" ] 287 if [ -f "${_inetcnf_tmp}" ]
262 then 288 then
263 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 289 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +331,26 @@ check_service_files_ownership() {
305 331
306 if [ -z "${run_service_as}" ] 332 if [ -z "${run_service_as}" ]
307 then 333 then
308 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') 334 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
335 /usr/bin/sed -ne 's/^Account *: *//gp')
309 if [ "${accnt_name}" = "LocalSystem" ] 336 if [ "${accnt_name}" = "LocalSystem" ]
310 then 337 then
311 # Convert "LocalSystem" to "SYSTEM" as is the correct account name 338 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
312 accnt_name="SYSTEM:" 339 run_service_as="SYSTEM"
313 elif [[ "${accnt_name}" =~ ^\.\\ ]] 340 else
314 then 341 dom="${accnt_name%%\\*}"
315 # Convert "." domain to local machine name 342 accnt_name="${accnt_name#*\\}"
316 accnt_name="U-${COMPUTERNAME}${accnt_name#.}," 343 if [ "${dom}" = '.' ]
344 then
345 # Check local account
346 run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
347 /usr/bin/awk -F: '{print $1;}')
348 else
349 # Check domain
350 run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
351 /usr/bin/awk -F: '{print $1;}')
352 fi
317 fi 353 fi
318 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
319 if [ -z "${run_service_as}" ] 354 if [ -z "${run_service_as}" ]
320 then 355 then
321 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" 356 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
@@ -615,32 +650,6 @@ echo
615 650
616warning_cnt=0 651warning_cnt=0
617 652
618# Check for ${SYSCONFDIR} directory
619csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
620if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
621then
622 csih_warning "Can't set permissions on ${SYSCONFDIR}!"
623 let ++warning_cnt
624fi
625if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
626then
627 csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
628 let ++warning_cnt
629fi
630
631# Check for /var/log directory
632csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
633if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
634then
635 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
636 let ++warning_cnt
637fi
638if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
639then
640 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
641 let ++warning_cnt
642fi
643
644# Create /var/log/lastlog if not already exists 653# Create /var/log/lastlog if not already exists
645if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 654if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
646then 655then
@@ -665,13 +674,9 @@ then
665 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" 674 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
666 let ++warning_cnt 675 let ++warning_cnt
667fi 676fi
668if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
669then
670 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
671 let ++warning_cnt
672fi
673 677
674# generate missing host keys 678# generate missing host keys
679csih_inform "Generating missing SSH host keys"
675/usr/bin/ssh-keygen -A || let warning_cnt+=$? 680/usr/bin/ssh-keygen -A || let warning_cnt+=$?
676 681
677# handle ssh_config 682# handle ssh_config
@@ -690,10 +695,11 @@ fi
690csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt 695csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
691if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 696if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
692then 697then
693 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 698 sshd_config_configured=yes
694fi 699fi
700sshd_strictmodes || let warning_cnt+=$?
695sshd_privsep || let warning_cnt+=$? 701sshd_privsep || let warning_cnt+=$?
696 702sshd_config_tweak || let warning_cnt+=$?
697update_services_file || let warning_cnt+=$? 703update_services_file || let warning_cnt+=$?
698update_inetd_conf || let warning_cnt+=$? 704update_inetd_conf || let warning_cnt+=$?
699install_service || let warning_cnt+=$? 705install_service || let warning_cnt+=$?
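Review bot: In sshd_config_tweak (new lines 177–217) the three `sed -i` rewrites only report failure when sed itself exits non-zero, so a config that contains no `Port`, `StrictModes` or `UsePrivilegeSeparation` line at all is left untouched while the script reports success; this matters most for the Port rewrite, which also runs when `sshd_config_configured=yes`, i.e. on a config the admin already customized, so sshd can keep listening on 22 after a different port was requested, and the old code's fallback of appending a missing UsePrivilegeSeparation line is dropped without replacement. A post-check such as `/usr/bin/grep -q "^Port ${port_number}\$" ${SYSCONFDIR}/sshd_config || { csih_warning "Port ${port_number} not set in ${SYSCONFDIR}/sshd_config!"; let ++ret; }` (and the analogue for the other two keys) would make the silent no-match visible. The privsep pattern `^#\?UsePrivilegeSeparation .*` at new line 207 also lacks the `[[:space:]]*` that the Port and StrictModes patterns accept after `#`, so a `# UsePrivilegeSeparation` line is skipped. Separately, new lines 240 and 242 in update_inetd_conf still use `'^[# \t]*ssh'`, where `\t` inside a POSIX bracket expression is a literal backslash and `t` rather than a tab, unlike the `[[:space:]]` forms this commit introduces at 236, 280, 284 and 286.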