Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/cygwin/ssh-host-config | 540 |
1 files changed, 365 insertions, 175 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 0af6907dc..3ac39a621 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/bash | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # ssh-host-config, Copyright 2000-2009 Red Hat Inc. | 3 | # ssh-host-config, Copyright 2000-2011 Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | # | 6 | # |
@@ -19,12 +19,39 @@ | |||
19 | # ====================================================================== | 19 | # ====================================================================== |
20 | # Initialization | 20 | # Initialization |
21 | # ====================================================================== | 21 | # ====================================================================== |
22 | PROGNAME=$(basename $0) | ||
23 | _tdir=$(dirname $0) | ||
24 | PROGDIR=$(cd $_tdir && pwd) | ||
25 | 22 | ||
26 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh | 23 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh |
27 | 24 | ||
25 | # List of apps used. This is checkad for existance in csih_sanity_check | ||
26 | # Don't use *any* transient commands before sourcing the csih helper script, | ||
27 | # otherwise the sanity checks are short-circuited. | ||
28 | declare -a csih_required_commands=( | ||
29 | /usr/bin/basename coreutils | ||
30 | /usr/bin/cat coreutils | ||
31 | /usr/bin/chmod coreutils | ||
32 | /usr/bin/dirname coreutils | ||
33 | /usr/bin/id coreutils | ||
34 | /usr/bin/mv coreutils | ||
35 | /usr/bin/rm coreutils | ||
36 | /usr/bin/cygpath cygwin | ||
37 | /usr/bin/mount cygwin | ||
38 | /usr/bin/ps cygwin | ||
39 | /usr/bin/setfacl cygwin | ||
40 | /usr/bin/umount cygwin | ||
41 | /usr/bin/cmp diffutils | ||
42 | /usr/bin/grep grep | ||
43 | /usr/bin/awk gawk | ||
44 | /usr/bin/ssh-keygen openssh | ||
45 | /usr/sbin/sshd openssh | ||
46 | /usr/bin/sed sed | ||
47 | ) | ||
48 | csih_sanity_check_server=yes | ||
49 | source ${CSIH_SCRIPT} | ||
50 | |||
51 | PROGNAME=$(/usr/bin/basename $0) | ||
52 | _tdir=$(/usr/bin/dirname $0) | ||
53 | PROGDIR=$(cd $_tdir && pwd) | ||
54 | |||
28 | # Subdirectory where the new package is being installed | 55 | # Subdirectory where the new package is being installed |
29 | PREFIX=/usr | 56 | PREFIX=/usr |
30 | 57 | ||
@@ -32,8 +59,6 @@ PREFIX=/usr | |||
32 | SYSCONFDIR=/etc | 59 | SYSCONFDIR=/etc |
33 | LOCALSTATEDIR=/var | 60 | LOCALSTATEDIR=/var |
34 | 61 | ||
35 | source ${CSIH_SCRIPT} | ||
36 | |||
37 | port_number=22 | 62 | port_number=22 |
38 | privsep_configured=no | 63 | privsep_configured=no |
39 | privsep_used=yes | 64 | privsep_used=yes |
@@ -46,29 +71,48 @@ opt_force=no | |||
46 | # Routine: create_host_keys | 71 | # Routine: create_host_keys |
47 | # ====================================================================== | 72 | # ====================================================================== |
48 | create_host_keys() { | 73 | create_host_keys() { |
74 | local ret=0 | ||
75 | |||
49 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] | 76 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] |
50 | then | 77 | then |
51 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" | 78 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" |
52 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | 79 | if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
80 | then | ||
81 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
82 | let ++ret | ||
83 | fi | ||
53 | fi | 84 | fi |
54 | 85 | ||
55 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | 86 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
56 | then | 87 | then |
57 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | 88 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
58 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | 89 | if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
90 | then | ||
91 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
92 | let ++ret | ||
93 | fi | ||
59 | fi | 94 | fi |
60 | 95 | ||
61 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | 96 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
62 | then | 97 | then |
63 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | 98 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
64 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null | 99 | if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null |
100 | then | ||
101 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
102 | let ++ret | ||
103 | fi | ||
65 | fi | 104 | fi |
66 | 105 | ||
67 | if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] | 106 | if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] |
68 | then | 107 | then |
69 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" | 108 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" |
70 | ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null | 109 | if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null |
110 | then | ||
111 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" | ||
112 | let ++ret | ||
113 | fi | ||
71 | fi | 114 | fi |
115 | return $ret | ||
72 | } # --- End of create_host_keys --- # | 116 | } # --- End of create_host_keys --- # |
73 | 117 | ||
74 | # ====================================================================== | 118 | # ====================================================================== |
@@ -81,61 +125,58 @@ update_services_file() { | |||
81 | local _spaces | 125 | local _spaces |
82 | local _serv_tmp | 126 | local _serv_tmp |
83 | local _wservices | 127 | local _wservices |
128 | local ret=0 | ||
84 | 129 | ||
85 | if csih_is_nt | 130 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" |
86 | then | 131 | _services="${_my_etcdir}/services" |
87 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" | 132 | _spaces=" #" |
88 | _services="${_my_etcdir}/services" | ||
89 | # On NT, 27 spaces, no space after the hash | ||
90 | _spaces=" #" | ||
91 | else | ||
92 | _win_etcdir="${WINDIR}" | ||
93 | _services="${_my_etcdir}/SERVICES" | ||
94 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
95 | _spaces=" # " | ||
96 | fi | ||
97 | _serv_tmp="${_my_etcdir}/srv.out.$$" | 133 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
98 | 134 | ||
99 | mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" | 135 | /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" |
100 | 136 | ||
101 | # Depends on the above mount | 137 | # Depends on the above mount |
102 | _wservices=`cygpath -w "${_services}"` | 138 | _wservices=`cygpath -w "${_services}"` |
103 | 139 | ||
104 | # Remove sshd 22/port from services | 140 | # Remove sshd 22/port from services |
105 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | 141 | if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
106 | then | 142 | then |
107 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | 143 | /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
108 | if [ -f "${_serv_tmp}" ] | 144 | if [ -f "${_serv_tmp}" ] |
109 | then | 145 | then |
110 | if mv "${_serv_tmp}" "${_services}" | 146 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
111 | then | 147 | then |
112 | csih_inform "Removing sshd from ${_wservices}" | 148 | csih_inform "Removing sshd from ${_wservices}" |
113 | else | 149 | else |
114 | csih_warning "Removing sshd from ${_wservices} failed!" | 150 | csih_warning "Removing sshd from ${_wservices} failed!" |
151 | let ++ret | ||
115 | fi | 152 | fi |
116 | rm -f "${_serv_tmp}" | 153 | /usr/bin/rm -f "${_serv_tmp}" |
117 | else | 154 | else |
118 | csih_warning "Removing sshd from ${_wservices} failed!" | 155 | csih_warning "Removing sshd from ${_wservices} failed!" |
156 | let ++ret | ||
119 | fi | 157 | fi |
120 | fi | 158 | fi |
121 | 159 | ||
122 | # Add ssh 22/tcp and ssh 22/udp to services | 160 | # Add ssh 22/tcp and ssh 22/udp to services |
123 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 161 | if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
124 | then | 162 | then |
125 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | 163 | if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
126 | then | 164 | then |
127 | if mv "${_serv_tmp}" "${_services}" | 165 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
128 | then | 166 | then |
129 | csih_inform "Added ssh to ${_wservices}" | 167 | csih_inform "Added ssh to ${_wservices}" |
130 | else | 168 | else |
131 | csih_warning "Adding ssh to ${_wservices} failed!" | 169 | csih_warning "Adding ssh to ${_wservices} failed!" |
170 | let ++ret | ||
132 | fi | 171 | fi |
133 | rm -f "${_serv_tmp}" | 172 | /usr/bin/rm -f "${_serv_tmp}" |
134 | else | 173 | else |
135 | csih_warning "Adding ssh to ${_wservices} failed!" | 174 | csih_warning "Adding ssh to ${_wservices} failed!" |
175 | let ++ret | ||
136 | fi | 176 | fi |
137 | fi | 177 | fi |
138 | umount "${_my_etcdir}" | 178 | /usr/bin/umount "${_my_etcdir}" |
179 | return $ret | ||
139 | } # --- End of update_services_file --- # | 180 | } # --- End of update_services_file --- # |
140 | 181 | ||
141 | # ====================================================================== | 182 | # ====================================================================== |
@@ -144,51 +185,57 @@ update_services_file() { | |||
144 | # ====================================================================== | 185 | # ====================================================================== |
145 | sshd_privsep() { | 186 | sshd_privsep() { |
146 | local sshdconfig_tmp | 187 | local sshdconfig_tmp |
188 | local ret=0 | ||
147 | 189 | ||
148 | if [ "${privsep_configured}" != "yes" ] | 190 | if [ "${privsep_configured}" != "yes" ] |
149 | then | 191 | then |
150 | if csih_is_nt | 192 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." |
193 | csih_inform "However, this requires a non-privileged account called 'sshd'." | ||
194 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
195 | if csih_request "Should privilege separation be used?" | ||
151 | then | 196 | then |
152 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." | 197 | privsep_used=yes |
153 | csih_inform "However, this requires a non-privileged account called 'sshd'." | 198 | if ! csih_create_unprivileged_user sshd |
154 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." | ||
155 | if csih_request "Should privilege separation be used?" | ||
156 | then | 199 | then |
157 | privsep_used=yes | 200 | csih_error_recoverable "Couldn't create user 'sshd'!" |
158 | if ! csih_create_unprivileged_user sshd | 201 | csih_error_recoverable "Privilege separation set to 'no' again!" |
159 | then | 202 | csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" |
160 | csih_warning "Couldn't create user 'sshd'!" | 203 | let ++ret |
161 | csih_warning "Privilege separation set to 'no' again!" | ||
162 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
163 | privsep_used=no | ||
164 | fi | ||
165 | else | ||
166 | privsep_used=no | 204 | privsep_used=no |
167 | fi | 205 | fi |
168 | else | 206 | else |
169 | # On 9x don't use privilege separation. Since security isn't | ||
170 | # available it just adds useless additional processes. | ||
171 | privsep_used=no | 207 | privsep_used=no |
172 | fi | 208 | fi |
173 | fi | 209 | fi |
174 | 210 | ||
175 | # Create default sshd_config from skeleton files in /etc/defaults/etc or | 211 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
176 | # modify to add the missing privsep configuration option | 212 | # modify to add the missing privsep configuration option |
177 | if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 213 | if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
178 | then | 214 | then |
179 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" | 215 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" |
180 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ | 216 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ |
181 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ | 217 | /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
182 | s/^#Port 22/Port ${port_number}/ | 218 | s/^#Port 22/Port ${port_number}/ |
183 | s/^#StrictModes yes/StrictModes no/" \ | 219 | s/^#StrictModes yes/StrictModes no/" \ |
184 | < ${SYSCONFDIR}/sshd_config \ | 220 | < ${SYSCONFDIR}/sshd_config \ |
185 | > "${sshdconfig_tmp}" | 221 | > "${sshdconfig_tmp}" |
186 | mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config | 222 | if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config |
223 | then | ||
224 | csih_warning "Setting privilege separation to 'yes' failed!" | ||
225 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
226 | let ++ret | ||
227 | fi | ||
187 | elif [ "${privsep_configured}" != "yes" ] | 228 | elif [ "${privsep_configured}" != "yes" ] |
188 | then | 229 | then |
189 | echo >> ${SYSCONFDIR}/sshd_config | 230 | echo >> ${SYSCONFDIR}/sshd_config |
190 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config | 231 | if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
232 | then | ||
233 | csih_warning "Setting privilege separation to 'yes' failed!" | ||
234 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" | ||
235 | let ++ret | ||
236 | fi | ||
191 | fi | 237 | fi |
238 | return $ret | ||
192 | } # --- End of sshd_privsep --- # | 239 | } # --- End of sshd_privsep --- # |
193 | 240 | ||
194 | # ====================================================================== | 241 | # ====================================================================== |
@@ -201,72 +248,82 @@ update_inetd_conf() { | |||
201 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" | 248 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" |
202 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" | 249 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" |
203 | local _with_comment=1 | 250 | local _with_comment=1 |
251 | local ret=0 | ||
204 | 252 | ||
205 | if [ -d "${_inetcnf_dir}" ] | 253 | if [ -d "${_inetcnf_dir}" ] |
206 | then | 254 | then |
207 | # we have inetutils-1.5 inetd.d support | 255 | # we have inetutils-1.5 inetd.d support |
208 | if [ -f "${_inetcnf}" ] | 256 | if [ -f "${_inetcnf}" ] |
209 | then | 257 | then |
210 | grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 | 258 | /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 |
211 | 259 | ||
212 | # check for sshd OR ssh in top-level inetd.conf file, and remove | 260 | # check for sshd OR ssh in top-level inetd.conf file, and remove |
213 | # will be replaced by a file in inetd.d/ | 261 | # will be replaced by a file in inetd.d/ |
214 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] | 262 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] |
215 | then | 263 | then |
216 | grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" | 264 | /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
217 | if [ -f "${_inetcnf_tmp}" ] | 265 | if [ -f "${_inetcnf_tmp}" ] |
218 | then | 266 | then |
219 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 267 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
220 | then | 268 | then |
221 | csih_inform "Removed ssh[d] from ${_inetcnf}" | 269 | csih_inform "Removed ssh[d] from ${_inetcnf}" |
222 | else | 270 | else |
223 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 271 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
272 | let ++ret | ||
224 | fi | 273 | fi |
225 | rm -f "${_inetcnf_tmp}" | 274 | /usr/bin/rm -f "${_inetcnf_tmp}" |
226 | else | 275 | else |
227 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" | 276 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
277 | let ++ret | ||
228 | fi | 278 | fi |
229 | fi | 279 | fi |
230 | fi | 280 | fi |
231 | 281 | ||
232 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" | 282 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" |
233 | if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 | 283 | if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 |
234 | then | 284 | then |
235 | if [ "${_with_comment}" -eq 0 ] | 285 | if [ "${_with_comment}" -eq 0 ] |
236 | then | 286 | then |
237 | sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 287 | /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
288 | else | ||
289 | /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | ||
290 | fi | ||
291 | if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
292 | then | ||
293 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
238 | else | 294 | else |
239 | sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" | 295 | csih_warning "Updating ${_sshd_inetd_conf} failed!" |
296 | let ++ret | ||
240 | fi | 297 | fi |
241 | mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" | ||
242 | csih_inform "Updated ${_sshd_inetd_conf}" | ||
243 | fi | 298 | fi |
244 | 299 | ||
245 | elif [ -f "${_inetcnf}" ] | 300 | elif [ -f "${_inetcnf}" ] |
246 | then | 301 | then |
247 | grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 | 302 | /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 |
248 | 303 | ||
249 | # check for sshd in top-level inetd.conf file, and remove | 304 | # check for sshd in top-level inetd.conf file, and remove |
250 | # will be replaced by a file in inetd.d/ | 305 | # will be replaced by a file in inetd.d/ |
251 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | 306 | if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
252 | then | 307 | then |
253 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | 308 | /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
254 | if [ -f "${_inetcnf_tmp}" ] | 309 | if [ -f "${_inetcnf_tmp}" ] |
255 | then | 310 | then |
256 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 311 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
257 | then | 312 | then |
258 | csih_inform "Removed sshd from ${_inetcnf}" | 313 | csih_inform "Removed sshd from ${_inetcnf}" |
259 | else | 314 | else |
260 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 315 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
316 | let ++ret | ||
261 | fi | 317 | fi |
262 | rm -f "${_inetcnf_tmp}" | 318 | /usr/bin/rm -f "${_inetcnf_tmp}" |
263 | else | 319 | else |
264 | csih_warning "Removing sshd from ${_inetcnf} failed!" | 320 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
321 | let ++ret | ||
265 | fi | 322 | fi |
266 | fi | 323 | fi |
267 | 324 | ||
268 | # Add ssh line to inetd.conf | 325 | # Add ssh line to inetd.conf |
269 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | 326 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
270 | then | 327 | then |
271 | if [ "${_with_comment}" -eq 0 ] | 328 | if [ "${_with_comment}" -eq 0 ] |
272 | then | 329 | then |
@@ -274,115 +331,186 @@ update_inetd_conf() { | |||
274 | else | 331 | else |
275 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" | 332 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
276 | fi | 333 | fi |
277 | csih_inform "Added ssh to ${_inetcnf}" | 334 | if [ $? -eq 0 ] |
335 | then | ||
336 | csih_inform "Added ssh to ${_inetcnf}" | ||
337 | else | ||
338 | csih_warning "Adding ssh to ${_inetcnf} failed!" | ||
339 | let ++ret | ||
340 | fi | ||
278 | fi | 341 | fi |
279 | fi | 342 | fi |
343 | return $ret | ||
280 | } # --- End of update_inetd_conf --- # | 344 | } # --- End of update_inetd_conf --- # |
281 | 345 | ||
282 | # ====================================================================== | 346 | # ====================================================================== |
347 | # Routine: check_service_files_ownership | ||
348 | # Checks that the files in /etc and /var belong to the right owner | ||
349 | # ====================================================================== | ||
350 | check_service_files_ownership() { | ||
351 | local run_service_as=$1 | ||
352 | local ret=0 | ||
353 | |||
354 | if [ -z "${run_service_as}" ] | ||
355 | then | ||
356 | accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') | ||
357 | if [ "${accnt_name}" = "LocalSystem" ] | ||
358 | then | ||
359 | # Convert "LocalSystem" to "SYSTEM" as is the correct account name | ||
360 | accnt_name="SYSTEM:" | ||
361 | elif [[ "${accnt_name}" =~ ^\.\\ ]] | ||
362 | then | ||
363 | # Convert "." domain to local machine name | ||
364 | accnt_name="U-${COMPUTERNAME}${accnt_name#.}," | ||
365 | fi | ||
366 | run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') | ||
367 | if [ -z "${run_service_as}" ] | ||
368 | then | ||
369 | csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" | ||
370 | csih_warning "As a result, this script cannot make sure that the files used" | ||
371 | csih_warning "by the sshd service belong to the user running the service." | ||
372 | csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" | ||
373 | csih_warning "file is in a good shape." | ||
374 | return 1 | ||
375 | fi | ||
376 | fi | ||
377 | for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub | ||
378 | do | ||
379 | if [ -f "$i" ] | ||
380 | then | ||
381 | if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 | ||
382 | then | ||
383 | csih_warning "Couldn't change owner of $i!" | ||
384 | let ++ret | ||
385 | fi | ||
386 | fi | ||
387 | done | ||
388 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 | ||
389 | then | ||
390 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" | ||
391 | let ++ret | ||
392 | fi | ||
393 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 | ||
394 | then | ||
395 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" | ||
396 | let ++ret | ||
397 | fi | ||
398 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
399 | then | ||
400 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 | ||
401 | then | ||
402 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" | ||
403 | let ++ret | ||
404 | fi | ||
405 | fi | ||
406 | if [ $ret -ne 0 ] | ||
407 | then | ||
408 | csih_warning "Couldn't change owner of important files to ${run_service_as}!" | ||
409 | csih_warning "This may cause the sshd service to fail! Please make sure that" | ||
410 | csih_warning "you have suufficient permissions to change the ownership of files" | ||
411 | csih_warning "and try to run the ssh-host-config script again." | ||
412 | fi | ||
413 | return $ret | ||
414 | } # --- End of check_service_files_ownership --- # | ||
415 | |||
416 | # ====================================================================== | ||
283 | # Routine: install_service | 417 | # Routine: install_service |
284 | # Install sshd as a service | 418 | # Install sshd as a service |
285 | # ====================================================================== | 419 | # ====================================================================== |
286 | install_service() { | 420 | install_service() { |
287 | local run_service_as | 421 | local run_service_as |
288 | local password | 422 | local password |
423 | local ret=0 | ||
289 | 424 | ||
290 | if csih_is_nt | 425 | echo |
426 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 | ||
291 | then | 427 | then |
292 | if ! cygrunsrv -Q sshd >/dev/null 2>&1 | 428 | csih_inform "Sshd service is already installed." |
429 | check_service_files_ownership "" || let ret+=$? | ||
430 | else | ||
431 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
432 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
293 | then | 433 | then |
294 | echo | 434 | csih_get_cygenv "${cygwin_value}" |
295 | echo | ||
296 | csih_warning "The following functions require administrator privileges!" | ||
297 | echo | ||
298 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" | ||
299 | if csih_request "(Say \"no\" if it is already installed as a service)" | ||
300 | then | ||
301 | csih_get_cygenv "${cygwin_value}" | ||
302 | 435 | ||
303 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) | 436 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) |
304 | then | 437 | then |
305 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" | 438 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" |
306 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" | 439 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" |
307 | csih_inform "sshd requires. You need to have or to create a privileged" | 440 | csih_inform "sshd requires. You need to have or to create a privileged" |
308 | csih_inform "account. This script will help you do so." | 441 | csih_inform "account. This script will help you do so." |
309 | echo | 442 | echo |
310 | 443 | ||
311 | [ "${opt_force}" = "yes" ] && opt_f=-f | 444 | [ "${opt_force}" = "yes" ] && opt_f=-f |
312 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" | 445 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" |
313 | csih_select_privileged_username ${opt_f} ${opt_u} sshd | 446 | csih_select_privileged_username ${opt_f} ${opt_u} sshd |
314 | 447 | ||
315 | if ! csih_create_privileged_user "${password_value}" | 448 | if ! csih_create_privileged_user "${password_value}" |
316 | then | 449 | then |
317 | csih_error_recoverable "There was a serious problem creating a privileged user." | 450 | csih_error_recoverable "There was a serious problem creating a privileged user." |
318 | csih_request "Do you want to proceed anyway?" || exit 1 | 451 | csih_request "Do you want to proceed anyway?" || exit 1 |
319 | fi | 452 | let ++ret |
320 | fi | 453 | fi |
454 | fi | ||
321 | 455 | ||
322 | # never returns empty if NT or above | 456 | # Never returns empty if NT or above |
323 | run_service_as=$(csih_service_should_run_as) | 457 | run_service_as=$(csih_service_should_run_as) |
324 | 458 | ||
325 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] | 459 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] |
460 | then | ||
461 | password="${csih_PRIVILEGED_PASSWORD}" | ||
462 | if [ -z "${password}" ] | ||
326 | then | 463 | then |
327 | password="${csih_PRIVILEGED_PASSWORD}" | 464 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" |
328 | if [ -z "${password}" ] | 465 | password="${csih_value}" |
329 | then | ||
330 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" | ||
331 | password="${csih_value}" | ||
332 | fi | ||
333 | fi | 466 | fi |
467 | fi | ||
334 | 468 | ||
335 | # at this point, we either have $run_service_as = "system" and $password is empty, | 469 | # At this point, we either have $run_service_as = "system" and |
336 | # or $run_service_as is some privileged user and (hopefully) $password contains | 470 | # $password is empty, or $run_service_as is some privileged user and |
337 | # the correct password. So, from here out, we use '-z "${password}"' to discriminate | 471 | # (hopefully) $password contains the correct password. So, from here |
338 | # the two cases. | 472 | # out, we use '-z "${password}"' to discriminate the two cases. |
339 | 473 | ||
340 | csih_check_user "${run_service_as}" | 474 | csih_check_user "${run_service_as}" |
341 | 475 | ||
342 | if [ -n "${csih_cygenv}" ] | 476 | if [ -n "${csih_cygenv}" ] |
477 | then | ||
478 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) | ||
479 | fi | ||
480 | if [ -z "${password}" ] | ||
481 | then | ||
482 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
483 | -a "-D" -y tcpip "${cygwin_env[@]}" | ||
343 | then | 484 | then |
344 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) | 485 | echo |
486 | csih_inform "The sshd service has been installed under the LocalSystem" | ||
487 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
488 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
489 | csih_inform "will start automatically after the next reboot." | ||
345 | fi | 490 | fi |
346 | if [ -z "${password}" ] | 491 | else |
492 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
493 | -a "-D" -y tcpip "${cygwin_env[@]}" \ | ||
494 | -u "${run_service_as}" -w "${password}" | ||
347 | then | 495 | then |
348 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | 496 | echo |
349 | -a "-D" -y tcpip "${cygwin_env[@]}" | 497 | csih_inform "The sshd service has been installed under the '${run_service_as}'" |
350 | then | 498 | csih_inform "account. To start the service now, call \`net start sshd' or" |
351 | echo | 499 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" |
352 | csih_inform "The sshd service has been installed under the LocalSystem" | 500 | csih_inform "after the next reboot." |
353 | csih_inform "account (also known as SYSTEM). To start the service now, call" | ||
354 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" | ||
355 | csih_inform "will start automatically after the next reboot." | ||
356 | fi | ||
357 | else | ||
358 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ | ||
359 | -a "-D" -y tcpip "${cygwin_env[@]}" \ | ||
360 | -u "${run_service_as}" -w "${password}" | ||
361 | then | ||
362 | echo | ||
363 | csih_inform "The sshd service has been installed under the '${run_service_as}'" | ||
364 | csih_inform "account. To start the service now, call \`net start sshd' or" | ||
365 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" | ||
366 | csih_inform "after the next reboot." | ||
367 | fi | ||
368 | fi | 501 | fi |
502 | fi | ||
369 | 503 | ||
370 | # now, if successfully installed, set ownership of the affected files | 504 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 |
371 | if cygrunsrv -Q sshd >/dev/null 2>&1 | 505 | then |
372 | then | 506 | check_service_files_ownership "${run_service_as}" || let ret+=$? |
373 | chown "${run_service_as}" ${SYSCONFDIR}/ssh* | 507 | else |
374 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty | 508 | csih_error_recoverable "Installing sshd as a service failed!" |
375 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog | 509 | let ++ret |
376 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | 510 | fi |
377 | then | 511 | fi # user allowed us to install as service |
378 | chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log | 512 | fi # service not yet installed |
379 | fi | 513 | return $ret |
380 | else | ||
381 | csih_warning "Something went wrong installing the sshd service." | ||
382 | fi | ||
383 | fi # user allowed us to install as service | ||
384 | fi # service not yet installed | ||
385 | fi # csih_is_nt | ||
386 | } # --- End of install_service --- # | 514 | } # --- End of install_service --- # |
387 | 515 | ||
388 | # ====================================================================== | 516 | # ====================================================================== |
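Review bot: `check_service_files_ownership` and the new `/usr/bin/cygrunsrv -Q sshd` check in `install_service` depend on `/usr/bin/cygrunsrv` and `chown`, yet neither appears in the `csih_required_commands` array added at the top of the file, so the pre-source sanity check this commit introduces cannot catch their absence; add `/usr/bin/cygrunsrv cygrunsrv` and `/usr/bin/chown coreutils` to that list and call `/usr/bin/chown` by absolute path as every other command in this commit now is. The owner lookup `run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')` is an unanchored, case-insensitive substring match, so any second passwd entry containing the same text produces a multi-line `run_service_as` and the following `chown` calls most likely fail with a misleading message; rejecting that case, e.g. `case "${run_service_as}" in *$'\n'*) run_service_as="";; esac` right after the assignment, routes it into the existing "Couldn't determine name" warning instead. The privileged account's password is still handed to cygrunsrv as the `-w "${password}"` argument, where it is readable from the process list for the duration of the call, which deserves a comment if cygrunsrv offers no other channel for it. The same pattern of checking only the `mv` also appears in the `sshd_privsep` hunk above, where a failing `/usr/bin/sed` would leave a truncated `${sshdconfig_tmp}` that is then moved over `${SYSCONFDIR}/sshd_config` unnoticed.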
@@ -494,21 +622,71 @@ done | |||
494 | 622 | ||
495 | # Check for running ssh/sshd processes first. Refuse to do anything while | 623 | # Check for running ssh/sshd processes first. Refuse to do anything while |
496 | # some ssh processes are still running | 624 | # some ssh processes are still running |
497 | if ps -ef | grep -q '/sshd\?$' | 625 | if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' |
498 | then | 626 | then |
499 | echo | 627 | echo |
500 | csih_error "There are still ssh processes running. Please shut them down first." | 628 | csih_error "There are still ssh processes running. Please shut them down first." |
501 | fi | 629 | fi |
502 | 630 | ||
631 | # Make sure the user is running in an administrative context | ||
632 | admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) | ||
633 | if [ "${admin}" != "yes" ] | ||
634 | then | ||
635 | echo | ||
636 | csih_warning "Running this script typically requires administrator privileges!" | ||
637 | csih_warning "However, it seems your account does not have these privileges." | ||
638 | csih_warning "Here's the list of groups in your user token:" | ||
639 | echo | ||
640 | for i in $(/usr/bin/id -G) | ||
641 | do | ||
642 | /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group | ||
643 | done | ||
644 | echo | ||
645 | csih_warning "This usually means you're running this script from a non-admin" | ||
646 | csih_warning "desktop session, or in a non-elevated shell under UAC control." | ||
647 | echo | ||
648 | csih_warning "Make sure you have the appropriate privileges right now," | ||
649 | csih_warning "otherwise parts of this script will probably fail!" | ||
650 | echo | ||
651 | echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" | ||
652 | if ! csih_request "you have the required privileges)" | ||
653 | then | ||
654 | echo | ||
655 | csih_inform "Ok. Exiting. Make sure to switch to an administrative account" | ||
656 | csih_inform "or to start this script from an elevated shell." | ||
657 | exit 1 | ||
658 | fi | ||
659 | fi | ||
660 | |||
661 | echo | ||
662 | |||
663 | warning_cnt=0 | ||
664 | |||
503 | # Check for ${SYSCONFDIR} directory | 665 | # Check for ${SYSCONFDIR} directory |
504 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." | 666 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." |
505 | chmod 775 "${SYSCONFDIR}" | 667 | if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 |
506 | setfacl -m u:system:rwx "${SYSCONFDIR}" | 668 | then |
669 | csih_warning "Can't set permissions on ${SYSCONFDIR}!" | ||
670 | let ++warning_cnt | ||
671 | fi | ||
672 | if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 | ||
673 | then | ||
674 | csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" | ||
675 | let ++warning_cnt | ||
676 | fi | ||
507 | 677 | ||
508 | # Check for /var/log directory | 678 | # Check for /var/log directory |
509 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." | 679 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." |
510 | chmod 775 "${LOCALSTATEDIR}/log" | 680 | if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 |
511 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" | 681 | then |
682 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" | ||
683 | let ++warning_cnt | ||
684 | fi | ||
685 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 | ||
686 | then | ||
687 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" | ||
688 | let ++warning_cnt | ||
689 | fi | ||
512 | 690 | ||
513 | # Create /var/log/lastlog if not already exists | 691 | # Create /var/log/lastlog if not already exists |
514 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] | 692 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
@@ -519,26 +697,33 @@ then | |||
519 | fi | 697 | fi |
520 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] | 698 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] |
521 | then | 699 | then |
522 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog | 700 | /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog |
523 | chmod 644 ${LOCALSTATEDIR}/log/lastlog | 701 | if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 |
702 | then | ||
703 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" | ||
704 | let ++warning_cnt | ||
705 | fi | ||
524 | fi | 706 | fi |
525 | 707 | ||
526 | # Create /var/empty file used as chroot jail for privilege separation | 708 | # Create /var/empty file used as chroot jail for privilege separation |
527 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." | 709 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." |
528 | chmod 755 "${LOCALSTATEDIR}/empty" | 710 | if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 |
529 | setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" | 711 | then |
712 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" | ||
713 | let ++warning_cnt | ||
714 | fi | ||
715 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 | ||
716 | then | ||
717 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" | ||
718 | let ++warning_cnt | ||
719 | fi | ||
530 | 720 | ||
531 | # host keys | 721 | # host keys |
532 | create_host_keys | 722 | create_host_keys || let warning_cnt+=$? |
533 | |||
534 | # use 'cmp' program to determine if a config file is identical | ||
535 | # to the default version of that config file | ||
536 | csih_check_program_or_error cmp diffutils | ||
537 | |||
538 | 723 | ||
539 | # handle ssh_config | 724 | # handle ssh_config |
540 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" | 725 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
541 | if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 | 726 | if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 |
542 | then | 727 | then |
543 | if [ "${port_number}" != "22" ] | 728 | if [ "${port_number}" != "22" ] |
544 | then | 729 | then |
@@ -549,19 +734,24 @@ then | |||
549 | fi | 734 | fi |
550 | 735 | ||
551 | # handle sshd_config (and privsep) | 736 | # handle sshd_config (and privsep) |
552 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" | 737 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
553 | if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 | 738 | if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
554 | then | 739 | then |
555 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes | 740 | /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
556 | fi | 741 | fi |
557 | sshd_privsep | 742 | sshd_privsep || let warning_cnt+=$? |
558 | |||
559 | 743 | ||
560 | 744 | update_services_file || let warning_cnt+=$? | |
561 | update_services_file | 745 | update_inetd_conf || let warning_cnt+=$? |
562 | update_inetd_conf | 746 | install_service || let warning_cnt+=$? |
563 | install_service | ||
564 | 747 | ||
565 | echo | 748 | echo |
566 | csih_inform "Host configuration finished. Have fun!" | 749 | if [ $warning_cnt -eq 0 ] |
567 | 750 | then | |
751 | csih_inform "Host configuration finished. Have fun!" | ||
752 | else | ||
753 | csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" | ||
754 | csih_warning "Make sure that all problems reported are fixed," | ||
755 | csih_warning "then re-run ssh-host-config." | ||
756 | fi | ||
757 | exit $warning_cnt | ||
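Review bot: The privilege-separation probe on the new side, `/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config`, is unanchored, so a commented-out `#UsePrivilegeSeparation` line in a locally modified sshd_config also sets `privsep_configured=yes`; presumably sshd_privsep then skips adding the directive and the server runs with sshd's compiled-in default instead of an explicit setting. Anchoring the pattern to an active directive, `/usr/bin/grep -Eq '^[[:space:]]*UsePrivilegeSeparation' "${SYSCONFDIR}/sshd_config" && privsep_configured=yes`, restricts the match to uncommented lines and also quotes the path the way the neighbouring cmp call already does. sshd_privsep, create_host_keys and the other helpers whose exit status is folded into warning_cnt here are defined outside this hunk, so what they do with privsep_configured is inferred rather than visible.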