Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/README | 6 | ||||
-rwxr-xr-x | contrib/aix/buildbff.sh | 50 | ||||
-rwxr-xr-x | contrib/aix/inventory.sh | 4 | ||||
-rw-r--r-- | contrib/caldera/openssh.spec | 7 | ||||
-rwxr-xr-x | contrib/caldera/ssh-host-keygen | 8 | ||||
-rwxr-xr-x | contrib/caldera/sshd.init | 8 | ||||
-rw-r--r-- | contrib/cygwin/Makefile | 56 | ||||
-rw-r--r-- | contrib/cygwin/README | 134 | ||||
-rw-r--r-- | contrib/cygwin/ssh-host-config | 533 | ||||
-rw-r--r-- | contrib/cygwin/ssh-user-config | 64 | ||||
-rw-r--r-- | contrib/findssl.sh | 16 | ||||
-rw-r--r-- | contrib/gnome-ssh-askpass1.c | 14 | ||||
-rw-r--r-- | contrib/gnome-ssh-askpass2.c | 14 | ||||
-rw-r--r-- | contrib/redhat/openssh.spec | 21 | ||||
-rwxr-xr-x | contrib/solaris/README | 2 | ||||
-rwxr-xr-x | contrib/solaris/buildpkg.sh | 67 | ||||
-rwxr-xr-x | contrib/solaris/opensshd.in | 16 | ||||
-rw-r--r-- | contrib/suse/openssh.spec | 26 |
18 files changed, 591 insertions, 455 deletions
diff --git a/contrib/README b/contrib/README index 67dbbd277..9de3d961d 100644 --- a/contrib/README +++ b/contrib/README | |||
@@ -1,4 +1,4 @@ | |||
1 | Other patches and addons for OpenSSH. Please send submissions to | 1 | Other patches and addons for OpenSSH. Please send submissions to |
2 | djm@mindrot.org | 2 | djm@mindrot.org |
3 | 3 | ||
4 | Externally maintained | 4 | Externally maintained |
@@ -7,7 +7,7 @@ Externally maintained | |||
7 | SSH Proxy Command -- connect.c | 7 | SSH Proxy Command -- connect.c |
8 | 8 | ||
9 | Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand | 9 | Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand |
10 | which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or | 10 | which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or |
11 | https CONNECT style proxy server. His page for connect.c has extensive | 11 | https CONNECT style proxy server. His page for connect.c has extensive |
12 | documentation on its use as well as compiled versions for Win32. | 12 | documentation on its use as well as compiled versions for Win32. |
13 | 13 | ||
@@ -47,7 +47,7 @@ Dominik Brettnacher <domi@saargate.de> | |||
47 | mdoc2man.pl: | 47 | mdoc2man.pl: |
48 | 48 | ||
49 | Converts mdoc formated manpages into normal manpages. This can be used | 49 | Converts mdoc formated manpages into normal manpages. This can be used |
50 | on Solaris machines to provide manpages that are not preformated. | 50 | on Solaris machines to provide manpages that are not preformated. |
51 | Contributed by Mark D. Roth <roth@feep.net> | 51 | Contributed by Mark D. Roth <roth@feep.net> |
52 | 52 | ||
53 | redhat: | 53 | redhat: |
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index 727ac446d..4a5c32b0e 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh | |||
@@ -1,12 +1,12 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # | 2 | # |
3 | # buildbff.sh: Create AIX SMIT-installable OpenSSH packages | 3 | # buildbff.sh: Create AIX SMIT-installable OpenSSH packages |
4 | # $Id: buildbff.sh,v 1.6 2003/08/25 05:01:04 dtucker Exp $ | 4 | # $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $ |
5 | # | 5 | # |
6 | # Author: Darren Tucker (dtucker at zip dot com dot au) | 6 | # Author: Darren Tucker (dtucker at zip dot com dot au) |
7 | # This file is placed in the public domain and comes with absolutely | 7 | # This file is placed in the public domain and comes with absolutely |
8 | # no warranty. | 8 | # no warranty. |
9 | # | 9 | # |
10 | # Based originally on Ben Lindstrom's buildpkg.sh for Solaris | 10 | # Based originally on Ben Lindstrom's buildpkg.sh for Solaris |
11 | # | 11 | # |
12 | 12 | ||
@@ -45,7 +45,7 @@ fi | |||
45 | if [ ! -f Makefile ] | 45 | if [ ! -f Makefile ] |
46 | then | 46 | then |
47 | echo "Makefile not found (did you run configure?)" | 47 | echo "Makefile not found (did you run configure?)" |
48 | exit 1 | 48 | exit 1 |
49 | fi | 49 | fi |
50 | 50 | ||
51 | # | 51 | # |
@@ -96,12 +96,12 @@ then | |||
96 | PRIVSEP_PATH=/var/empty | 96 | PRIVSEP_PATH=/var/empty |
97 | fi | 97 | fi |
98 | 98 | ||
99 | # Clean package build directory | 99 | # Clean package build directory |
100 | rm -rf $objdir/$PKGDIR | 100 | rm -rf $objdir/$PKGDIR |
101 | FAKE_ROOT=$objdir/$PKGDIR/root | 101 | FAKE_ROOT=$objdir/$PKGDIR/root |
102 | mkdir -p $FAKE_ROOT | 102 | mkdir -p $FAKE_ROOT |
103 | 103 | ||
104 | # Start by faking root install | 104 | # Start by faking root install |
105 | echo "Faking root install..." | 105 | echo "Faking root install..." |
106 | cd $objdir | 106 | cd $objdir |
107 | make install-nokeys DESTDIR=$FAKE_ROOT | 107 | make install-nokeys DESTDIR=$FAKE_ROOT |
@@ -136,15 +136,15 @@ echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)" | |||
136 | # | 136 | # |
137 | # Set ssh and sshd parameters as per config.local | 137 | # Set ssh and sshd parameters as per config.local |
138 | # | 138 | # |
139 | if [ "${PERMIT_ROOT_LOGIN}" = no ] | 139 | if [ "${PERMIT_ROOT_LOGIN}" = no ] |
140 | then | 140 | then |
141 | perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ | 141 | perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ |
142 | $FAKE_ROOT/${sysconfdir}/sshd_config | 142 | $FAKE_ROOT/${sysconfdir}/sshd_config |
143 | fi | 143 | fi |
144 | if [ "${X11_FORWARDING}" = yes ] | 144 | if [ "${X11_FORWARDING}" = yes ] |
145 | then | 145 | then |
146 | perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ | 146 | perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ |
147 | $FAKE_ROOT/${sysconfdir}/sshd_config | 147 | $FAKE_ROOT/${sysconfdir}/sshd_config |
148 | fi | 148 | fi |
149 | 149 | ||
150 | 150 | ||
@@ -190,13 +190,13 @@ cat <<EOF >>../openssh.post_i | |||
190 | echo Creating configs from defaults if necessary. | 190 | echo Creating configs from defaults if necessary. |
191 | for cfgfile in ssh_config sshd_config ssh_prng_cmds | 191 | for cfgfile in ssh_config sshd_config ssh_prng_cmds |
192 | do | 192 | do |
193 | if [ ! -f $sysconfdir/\$cfgfile ] | 193 | if [ ! -f $sysconfdir/\$cfgfile ] |
194 | then | 194 | then |
195 | echo "Creating \$cfgfile from default" | 195 | echo "Creating \$cfgfile from default" |
196 | cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile | 196 | cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile |
197 | else | 197 | else |
198 | echo "\$cfgfile already exists." | 198 | echo "\$cfgfile already exists." |
199 | fi | 199 | fi |
200 | done | 200 | done |
201 | echo | 201 | echo |
202 | 202 | ||
@@ -244,19 +244,19 @@ echo | |||
244 | # Generate keys unless they already exist | 244 | # Generate keys unless they already exist |
245 | echo Creating host keys if required. | 245 | echo Creating host keys if required. |
246 | if [ -f "$sysconfdir/ssh_host_key" ] ; then | 246 | if [ -f "$sysconfdir/ssh_host_key" ] ; then |
247 | echo "$sysconfdir/ssh_host_key already exists, skipping." | 247 | echo "$sysconfdir/ssh_host_key already exists, skipping." |
248 | else | 248 | else |
249 | $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" | 249 | $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" |
250 | fi | 250 | fi |
251 | if [ -f $sysconfdir/ssh_host_dsa_key ] ; then | 251 | if [ -f $sysconfdir/ssh_host_dsa_key ] ; then |
252 | echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." | 252 | echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." |
253 | else | 253 | else |
254 | $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" | 254 | $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" |
255 | fi | 255 | fi |
256 | if [ -f $sysconfdir/ssh_host_rsa_key ] ; then | 256 | if [ -f $sysconfdir/ssh_host_rsa_key ] ; then |
257 | echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." | 257 | echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." |
258 | else | 258 | else |
259 | $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" | 259 | $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" |
260 | fi | 260 | fi |
261 | echo | 261 | echo |
262 | 262 | ||
@@ -369,7 +369,7 @@ echo Creating $PKGNAME-$VERSION.bff with backup... | |||
369 | rm -f $PKGNAME-$VERSION.bff | 369 | rm -f $PKGNAME-$VERSION.bff |
370 | ( | 370 | ( |
371 | echo "./lpp_name" | 371 | echo "./lpp_name" |
372 | find . ! -name lpp_name -a ! -name . -print | 372 | find . ! -name lpp_name -a ! -name . -print |
373 | ) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist | 373 | ) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist |
374 | 374 | ||
375 | # | 375 | # |
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh index 4f408e678..e2641e79c 100755 --- a/contrib/aix/inventory.sh +++ b/contrib/aix/inventory.sh | |||
@@ -1,7 +1,7 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # | 2 | # |
3 | # inventory.sh | 3 | # inventory.sh |
4 | # $Id: inventory.sh,v 1.5 2003/08/26 03:43:13 dtucker Exp $ | 4 | # $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $ |
5 | # | 5 | # |
6 | # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl | 6 | # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl |
7 | # This file is placed into the public domain. | 7 | # This file is placed into the public domain. |
@@ -59,5 +59,5 @@ find . ! -name . -print | perl -ne '{ | |||
59 | } elsif ( -d $_ ) { | 59 | } elsif ( -d $_ ) { |
60 | # Entry is Directory | 60 | # Entry is Directory |
61 | print "\ttype=DIRECTORY\n"; | 61 | print "\ttype=DIRECTORY\n"; |
62 | } | 62 | } |
63 | }' | 63 | }' |
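--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,11 +17,11 @@
 #old cvs stuff. please update before use. may be deprecated.
 %define use_stable 1
 %if %{use_stable}
-%define version 3.7p1
+%define version 3.8p1
 %define cvs %{nil}
 %define release 1
 %else
-%define version 2.9.9p2
+%define version 3.8p1
 %define cvs cvs20011009
 %define release 0r1
 %endif
@@ -180,7 +180,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
 %configure \
 --with-pam \
 --with-tcp-wrappers \
---with-ipv4-default \
 --with-privsep-path=%{_var}/empty/sshd \
 #leave this line for easy edits.
 
@@ -364,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.43.2.2 2003/09/16 06:02:40 djm Exp $
+$Id: openssh.spec,v 1.48 2004/02/24 05:00:04 djm Exp $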
diff --git a/contrib/caldera/ssh-host-keygen b/contrib/caldera/ssh-host-keygen index 28a97b9b4..3c5c17182 100755 --- a/contrib/caldera/ssh-host-keygen +++ b/contrib/caldera/ssh-host-keygen | |||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # | 2 | # |
3 | # $Id: ssh-host-keygen,v 1.1 2001/04/27 05:50:50 tim Exp $ | 3 | # $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $ |
4 | # | 4 | # |
5 | # This script is normally run only *once* for a given host | 5 | # This script is normally run only *once* for a given host |
6 | # (in a given period of time) -- on updates/upgrades/recovery | 6 | # (in a given period of time) -- on updates/upgrades/recovery |
@@ -12,7 +12,7 @@ keydir=@sysconfdir@ | |||
12 | keygen=@sshkeygen@ | 12 | keygen=@sshkeygen@ |
13 | 13 | ||
14 | if [ -f $keydir/ssh_host_key -o \ | 14 | if [ -f $keydir/ssh_host_key -o \ |
15 | -f $keydir/ssh_host_key.pub ]; then | 15 | -f $keydir/ssh_host_key.pub ]; then |
16 | echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key." | 16 | echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key." |
17 | else | 17 | else |
18 | echo "Generating 1024 bit SSH1 RSA host key." | 18 | echo "Generating 1024 bit SSH1 RSA host key." |
@@ -20,7 +20,7 @@ else | |||
20 | fi | 20 | fi |
21 | 21 | ||
22 | if [ -f $keydir/ssh_host_rsa_key -o \ | 22 | if [ -f $keydir/ssh_host_rsa_key -o \ |
23 | -f $keydir/ssh_host_rsa_key.pub ]; then | 23 | -f $keydir/ssh_host_rsa_key.pub ]; then |
24 | echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key." | 24 | echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key." |
25 | else | 25 | else |
26 | echo "Generating 1024 bit SSH2 RSA host key." | 26 | echo "Generating 1024 bit SSH2 RSA host key." |
@@ -28,7 +28,7 @@ else | |||
28 | fi | 28 | fi |
29 | 29 | ||
30 | if [ -f $keydir/ssh_host_dsa_key -o \ | 30 | if [ -f $keydir/ssh_host_dsa_key -o \ |
31 | -f $keydir/ssh_host_dsa_key.pub ]; then | 31 | -f $keydir/ssh_host_dsa_key.pub ]; then |
32 | echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key." | 32 | echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key." |
33 | else | 33 | else |
34 | echo "Generating SSH2 DSA host key." | 34 | echo "Generating SSH2 DSA host key." |
diff --git a/contrib/caldera/sshd.init b/contrib/caldera/sshd.init index 90b36379a..983146f4f 100755 --- a/contrib/caldera/sshd.init +++ b/contrib/caldera/sshd.init | |||
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/bash | 1 | #! /bin/bash |
2 | # | 2 | # |
3 | # $Id: sshd.init,v 1.3 2001/11/03 19:09:33 tim Exp $ | 3 | # $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $ |
4 | # | 4 | # |
5 | ### BEGIN INIT INFO | 5 | ### BEGIN INIT INFO |
6 | # Provides: | 6 | # Provides: |
@@ -64,11 +64,11 @@ case "$1" in | |||
64 | SVIemptyConfig @sysconfdir@/sshd_config && exit 6 | 64 | SVIemptyConfig @sysconfdir@/sshd_config && exit 6 |
65 | 65 | ||
66 | if [ ! \( -f @sysconfdir@/ssh_host_key -a \ | 66 | if [ ! \( -f @sysconfdir@/ssh_host_key -a \ |
67 | -f @sysconfdir@/ssh_host_key.pub \) -a \ | 67 | -f @sysconfdir@/ssh_host_key.pub \) -a \ |
68 | ! \( -f @sysconfdir@/ssh_host_rsa_key -a \ | 68 | ! \( -f @sysconfdir@/ssh_host_rsa_key -a \ |
69 | -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ | 69 | -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ |
70 | ! \( -f @sysconfdir@/ssh_host_dsa_key -a \ | 70 | ! \( -f @sysconfdir@/ssh_host_dsa_key -a \ |
71 | -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then | 71 | -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then |
72 | 72 | ||
73 | echo "$SVIsubsys: host key not initialized: skipped!" | 73 | echo "$SVIsubsys: host key not initialized: skipped!" |
74 | echo "$SVIsubsys: use ssh-host-keygen to generate one!" | 74 | echo "$SVIsubsys: use ssh-host-keygen to generate one!" |
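--- /dev/null
+++ b/contrib/cygwin/Makefile
@@ -0,0 +1,56 @@
+srcdir=../..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+
+DESTDIR=
+
+all:
+@echo
+@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+@echo "Be sure having DESTDIR set correctly!"
+@echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-sshdoc:
+$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+$(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
+$(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
+$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
+
+install-cygwindoc: README
+$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
+@echo "Cygwin specific configuration finished."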
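Review bot: `DESTDIR=` defaults to empty, so running `make cygwin-postinstall` (or `remove-empty-dir` on its own) without DESTDIR executes `rm -rf $(DESTDIR)$(PRIVSEP_PATH)` against the live `/var/empty` and moves `/etc/ssh_config` and `/etc/sshd_config` out of `/etc` on the build host. The only protection is the "Be sure having DESTDIR set correctly!" echo in `all`, which none of the packaging targets depend on. I would make `move-config-files` and `remove-empty-dir` fail fast with a first recipe line such as `@test -n "$(DESTDIR)" || { echo "DESTDIR must be set" >&2; exit 1; }`. A short comment above `remove-empty-dir` stating why the privilege-separation directory is dropped from the package (presumably because ssh-host-config creates it at install time) would also help the next maintainer.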
diff --git a/contrib/cygwin/README b/contrib/cygwin/README index ec58964c9..fc0a2f69b 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README | |||
@@ -1,4 +1,49 @@ | |||
1 | This package is the actual port of OpenSSH to Cygwin 1.5. | 1 | This package describes important Cygwin specific stuff concerning OpenSSH. |
2 | |||
3 | The binary package is usually built for recent Cygwin versions and might | ||
4 | not run on older versions. Please check http://cygwin.com/ for information | ||
5 | about current Cygwin releases. | ||
6 | |||
7 | Build instructions are at the end of the file. | ||
8 | |||
9 | =========================================================================== | ||
10 | Important change since 3.7.1p2-2: | ||
11 | |||
12 | The ssh-host-config file doesn't create the /etc/ssh_config and | ||
13 | /etc/sshd_config files from builtin here-scripts anymore, but it uses | ||
14 | skeleton files installed in /etc/defaults/etc. | ||
15 | |||
16 | Also it now tries hard to create appropriate permissions on files. | ||
17 | Same applies for ssh-user-config. | ||
18 | |||
19 | After creating the sshd service with ssh-host-config, it's advisable to | ||
20 | call ssh-user-config for all affected users, also already exising user | ||
21 | configurations. In the latter case, file and directory permissions are | ||
22 | checked and changed, if requireed to match the host configuration. | ||
23 | |||
24 | Important note for Windows 2003 Server users: | ||
25 | --------------------------------------------- | ||
26 | |||
27 | 2003 Server has a funny new feature. When starting services under SYSTEM | ||
28 | account, these services have nearly all user rights which SYSTEM holds... | ||
29 | except for the "Create a token object" right, which is needed to allow | ||
30 | public key authentication :-( | ||
31 | |||
32 | There's no way around this, except for creating a substitute account which | ||
33 | has the appropriate privileges. Basically, this account should be member | ||
34 | of the administrators group, plus it should have the following user rights: | ||
35 | |||
36 | Create a token object | ||
37 | Logon as a service | ||
38 | Replace a process level token | ||
39 | Increase Quota | ||
40 | |||
41 | The ssh-host-config script asks you, if it should create such an account, | ||
42 | called "sshd_server". If you say "no" here, you're on your own. Please | ||
43 | follow the instruction in ssh-host-config exactly if possible. Note that | ||
44 | ssh-user-config sets the permissions on 2003 Server machines dependent of | ||
45 | whether a sshd_server account exists or not. | ||
46 | =========================================================================== | ||
2 | 47 | ||
3 | =========================================================================== | 48 | =========================================================================== |
4 | Important change since 3.4p1-2: | 49 | Important change since 3.4p1-2: |
@@ -58,7 +103,7 @@ features of the FAT/FAT32 filesystems. | |||
58 | 103 | ||
59 | If you are installing OpenSSH the first time, you can generate global config | 104 | If you are installing OpenSSH the first time, you can generate global config |
60 | files and server keys by running | 105 | files and server keys by running |
61 | 106 | ||
62 | /usr/bin/ssh-host-config | 107 | /usr/bin/ssh-host-config |
63 | 108 | ||
64 | Note that this binary archive doesn't contain default config files in /etc. | 109 | Note that this binary archive doesn't contain default config files in /etc. |
@@ -73,10 +118,12 @@ some options: | |||
73 | 118 | ||
74 | usage: ssh-host-config [OPTION]... | 119 | usage: ssh-host-config [OPTION]... |
75 | Options: | 120 | Options: |
76 | --debug -d Enable shell's debug output. | 121 | --debug -d Enable shell's debug output. |
77 | --yes -y Answer all questions with "yes" automatically. | 122 | --yes -y Answer all questions with "yes" automatically. |
78 | --no -n Answer all questions with "no" automatically. | 123 | --no -n Answer all questions with "no" automatically. |
79 | --port -p <n> sshd listens on port n. | 124 | --cygwin -c <options> Use "options" as value for CYGWIN environment var. |
125 | --port -p <n> sshd listens on port n. | ||
126 | --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'. | ||
80 | 127 | ||
81 | Additionally ssh-host-config now asks if it should install sshd as a | 128 | Additionally ssh-host-config now asks if it should install sshd as a |
82 | service when running under NT/W2K. This requires cygrunsrv installed. | 129 | service when running under NT/W2K. This requires cygrunsrv installed. |
@@ -114,54 +161,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file: | |||
114 | 161 | ||
115 | ssh 22/tcp #SSH daemon | 162 | ssh 22/tcp #SSH daemon |
116 | 163 | ||
117 | =========================================================================== | ||
118 | The following restrictions only apply to Cygwin versions up to 1.3.1 | ||
119 | =========================================================================== | ||
120 | |||
121 | Authentication to sshd is possible in one of two ways. | ||
122 | You'll have to decide before starting sshd! | ||
123 | |||
124 | - If you want to authenticate via RSA and you want to login to that | ||
125 | machine to exactly one user account you can do so by running sshd | ||
126 | under that user account. You must change /etc/sshd_config | ||
127 | to contain the following: | ||
128 | |||
129 | RSAAuthentication yes | ||
130 | |||
131 | Moreover it's possible to use rhosts and/or rhosts with | ||
132 | RSA authentication by setting the following in sshd_config: | ||
133 | |||
134 | RhostsAuthentication yes | ||
135 | RhostsRSAAuthentication yes | ||
136 | |||
137 | - If you want to be able to login to different user accounts you'll | ||
138 | have to start sshd under system account or any other account that | ||
139 | is able to switch user context. Note that administrators are _not_ | ||
140 | able to do that by default! You'll have to give the following | ||
141 | special user rights to the user: | ||
142 | "Act as part of the operating system" | ||
143 | "Replace process level token" | ||
144 | "Increase quotas" | ||
145 | and if used via service manager | ||
146 | "Logon as a service". | ||
147 | |||
148 | The system account does of course own that user rights by default. | ||
149 | |||
150 | Unfortunately, if you choose that way, you can only logon with | ||
151 | NT password authentification and you should change | ||
152 | /etc/sshd_config to contain the following: | ||
153 | |||
154 | PasswordAuthentication yes | ||
155 | RhostsAuthentication no | ||
156 | RhostsRSAAuthentication no | ||
157 | RSAAuthentication no | ||
158 | |||
159 | However you can login to the user which has started sshd with | ||
160 | RSA authentication anyway. If you want that, change the RSA | ||
161 | authentication setting back to "yes": | ||
162 | |||
163 | RSAAuthentication yes | ||
164 | |||
165 | Please note that OpenSSH does never use the value of $HOME to | 164 | Please note that OpenSSH does never use the value of $HOME to |
166 | search for the users configuration files! It always uses the | 165 | search for the users configuration files! It always uses the |
167 | value of the pw_dir field in /etc/passwd as the home directory. | 166 | value of the pw_dir field in /etc/passwd as the home directory. |
@@ -169,7 +168,7 @@ If no home diretory is set in /etc/passwd, the root directory | |||
169 | is used instead! | 168 | is used instead! |
170 | 169 | ||
171 | You may use all features of the CYGWIN=ntsec setting the same | 170 | You may use all features of the CYGWIN=ntsec setting the same |
172 | way as they are used by the `login' port on sources.redhat.com: | 171 | way as they are used by Cygwin's login(1) port: |
173 | 172 | ||
174 | The pw_gecos field may contain an additional field, that begins | 173 | The pw_gecos field may contain an additional field, that begins |
175 | with (upper case!) "U-", followed by the domain and the username | 174 | with (upper case!) "U-", followed by the domain and the username |
@@ -186,6 +185,8 @@ way as they are used by the `login' port on sources.redhat.com: | |||
186 | 185 | ||
187 | locuser::1104:513:John Doe,U-user,S-1-5-21-... | 186 | locuser::1104:513:John Doe,U-user,S-1-5-21-... |
188 | 187 | ||
188 | Note that the CYGWIN=ntsec setting is required for public key authentication. | ||
189 | |||
189 | SSH2 server and user keys are generated by the `ssh-*-config' scripts | 190 | SSH2 server and user keys are generated by the `ssh-*-config' scripts |
190 | as well. | 191 | as well. |
191 | 192 | ||
@@ -194,15 +195,30 @@ configure are used for the Cygwin binary distribution: | |||
194 | 195 | ||
195 | --prefix=/usr \ | 196 | --prefix=/usr \ |
196 | --sysconfdir=/etc \ | 197 | --sysconfdir=/etc \ |
197 | --libexecdir='${exec_prefix}/sbin' | 198 | --libexecdir='$(sbindir)' \ |
198 | 199 | --localstatedir=/var \ | |
199 | You must have installed the zlib and openssl packages to be able to | 200 | --datadir='$(prefix)/share' \ |
201 | --mandir='$(datadir)/man' \ | ||
202 | --with-tcp-wrappers | ||
203 | |||
204 | If you want to create a Cygwin package, equivalent to the one | ||
205 | in the Cygwin binary distribution, install like this: | ||
206 | |||
207 | mkdir /tmp/cygwin-ssh | ||
208 | cd $(builddir) | ||
209 | make install DESTDIR=/tmp/cygwin-ssh | ||
210 | cd $(srcdir)/contrib/cygwin | ||
211 | make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh | ||
212 | cd /tmp/cygwin-ssh | ||
213 | find * \! -type d | tar cvjfT my-openssh.tar.bz2 - | ||
214 | |||
215 | You must have installed the zlib and openssl-devel packages to be able to | ||
200 | build OpenSSH! | 216 | build OpenSSH! |
201 | 217 | ||
202 | Please send requests, error reports etc. to cygwin@cygwin.com. | 218 | Please send requests, error reports etc. to cygwin@cygwin.com. |
203 | 219 | ||
204 | Have fun, | 220 | Have fun, |
205 | 221 | ||
206 | Corinna Vinschen <vinschen@redhat.com> | 222 | Corinna Vinschen |
207 | Cygwin Developer | 223 | Cygwin Developer |
208 | Red Hat Inc. | 224 | Red Hat Inc. |
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index e9c56aea9..9c0dabf41 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/bash |
2 | # | 2 | # |
3 | # ssh-host-config, Copyright 2000, Red Hat Inc. | 3 | # ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | 6 | ||
@@ -9,10 +9,7 @@ PREFIX=/usr | |||
9 | 9 | ||
10 | # Directory where the config files are stored | 10 | # Directory where the config files are stored |
11 | SYSCONFDIR=/etc | 11 | SYSCONFDIR=/etc |
12 | 12 | LOCALSTATEDIR=/var | |
13 | # Subdirectory where an old package might be installed | ||
14 | OLDPREFIX=/usr/local | ||
15 | OLDSYSCONFDIR=${OLDPREFIX}/etc | ||
16 | 13 | ||
17 | progname=$0 | 14 | progname=$0 |
18 | auto_answer="" | 15 | auto_answer="" |
@@ -27,9 +24,11 @@ request() | |||
27 | { | 24 | { |
28 | if [ "${auto_answer}" = "yes" ] | 25 | if [ "${auto_answer}" = "yes" ] |
29 | then | 26 | then |
27 | echo "$1 (yes/no) yes" | ||
30 | return 0 | 28 | return 0 |
31 | elif [ "${auto_answer}" = "no" ] | 29 | elif [ "${auto_answer}" = "no" ] |
32 | then | 30 | then |
31 | echo "$1 (yes/no) no" | ||
33 | return 1 | 32 | return 1 |
34 | fi | 33 | fi |
35 | 34 | ||
@@ -37,7 +36,7 @@ request() | |||
37 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] | 36 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] |
38 | do | 37 | do |
39 | echo -n "$1 (yes/no) " | 38 | echo -n "$1 (yes/no) " |
40 | read answer | 39 | read -e answer |
41 | done | 40 | done |
42 | if [ "X${answer}" = "Xyes" ] | 41 | if [ "X${answer}" = "Xyes" ] |
43 | then | 42 | then |
@@ -60,7 +59,7 @@ do | |||
60 | option=$1 | 59 | option=$1 |
61 | shift | 60 | shift |
62 | 61 | ||
63 | case "$option" in | 62 | case "${option}" in |
64 | -d | --debug ) | 63 | -d | --debug ) |
65 | set -x | 64 | set -x |
66 | ;; | 65 | ;; |
@@ -73,21 +72,33 @@ do | |||
73 | auto_answer=no | 72 | auto_answer=no |
74 | ;; | 73 | ;; |
75 | 74 | ||
75 | -c | --cygwin ) | ||
76 | cygwin_value="$1" | ||
77 | shift | ||
78 | ;; | ||
79 | |||
76 | -p | --port ) | 80 | -p | --port ) |
77 | port_number=$1 | 81 | port_number=$1 |
78 | shift | 82 | shift |
79 | ;; | 83 | ;; |
80 | 84 | ||
85 | -w | --pwd ) | ||
86 | password_value="$1" | ||
87 | shift | ||
88 | ;; | ||
89 | |||
81 | *) | 90 | *) |
82 | echo "usage: ${progname} [OPTION]..." | 91 | echo "usage: ${progname} [OPTION]..." |
83 | echo | 92 | echo |
84 | echo "This script creates an OpenSSH host configuration." | 93 | echo "This script creates an OpenSSH host configuration." |
85 | echo | 94 | echo |
86 | echo "Options:" | 95 | echo "Options:" |
87 | echo " --debug -d Enable shell's debug output." | 96 | echo " --debug -d Enable shell's debug output." |
88 | echo " --yes -y Answer all questions with \"yes\" automatically." | 97 | echo " --yes -y Answer all questions with \"yes\" automatically." |
89 | echo " --no -n Answer all questions with \"no\" automatically." | 98 | echo " --no -n Answer all questions with \"no\" automatically." |
90 | echo " --port -p <n> sshd listens on port n." | 99 | echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." |
100 | echo " --port -p <n> sshd listens on port n." | ||
101 | echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'." | ||
91 | echo | 102 | echo |
92 | exit 1 | 103 | exit 1 |
93 | ;; | 104 | ;; |
@@ -96,8 +107,13 @@ do | |||
96 | done | 107 | done |
97 | 108 | ||
98 | # Check if running on NT | 109 | # Check if running on NT |
99 | _sys="`uname -a`" | 110 | _sys="`uname`" |
100 | _nt=`expr "$_sys" : "CYGWIN_NT"` | 111 | _nt=`expr "${_sys}" : "CYGWIN_NT"` |
112 | # If running on NT, check if running under 2003 Server or later | ||
113 | if [ ${_nt} -gt 0 ] | ||
114 | then | ||
115 | _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` | ||
116 | fi | ||
101 | 117 | ||
102 | # Check for running ssh/sshd processes first. Refuse to do anything while | 118 | # Check for running ssh/sshd processes first. Refuse to do anything while |
103 | # some ssh processes are still running | 119 | # some ssh processes are still running |
@@ -137,87 +153,33 @@ fi | |||
137 | 153 | ||
138 | # Create /var/log and /var/log/lastlog if not already existing | 154 | # Create /var/log and /var/log/lastlog if not already existing |
139 | 155 | ||
140 | if [ -f /var/log ] | 156 | if [ -f ${LOCALSTATEDIR}/log ] |
141 | then | 157 | then |
142 | echo "Creating /var/log failed\!" | 158 | echo "Creating ${LOCALSTATEDIR}/log failed!" |
143 | else | 159 | else |
144 | if [ ! -d /var/log ] | 160 | if [ ! -d ${LOCALSTATEDIR}/log ] |
145 | then | 161 | then |
146 | mkdir -p /var/log | 162 | mkdir -p ${LOCALSTATEDIR}/log |
147 | fi | 163 | fi |
148 | if [ -d /var/log/lastlog ] | 164 | if [ -d ${LOCALSTATEDIR}/log/lastlog ] |
149 | then | 165 | then |
150 | echo "Creating /var/log/lastlog failed\!" | 166 | chmod 777 ${LOCALSTATEDIR}/log/lastlog |
151 | elif [ ! -f /var/log/lastlog ] | 167 | elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] |
152 | then | 168 | then |
153 | cat /dev/null > /var/log/lastlog | 169 | cat /dev/null > ${LOCALSTATEDIR}/log/lastlog |
170 | chmod 666 ${LOCALSTATEDIR}/log/lastlog | ||
154 | fi | 171 | fi |
155 | fi | 172 | fi |
156 | 173 | ||
157 | # Create /var/empty file used as chroot jail for privilege separation | 174 | # Create /var/empty file used as chroot jail for privilege separation |
158 | if [ -f /var/empty ] | 175 | if [ -f ${LOCALSTATEDIR}/empty ] |
159 | then | 176 | then |
160 | echo "Creating /var/empty failed\!" | 177 | echo "Creating ${LOCALSTATEDIR}/empty failed!" |
161 | else | 178 | else |
162 | mkdir -p /var/empty | 179 | mkdir -p ${LOCALSTATEDIR}/empty |
163 | # On NT change ownership of that dir to user "system" | 180 | if [ ${_nt} -gt 0 ] |
164 | if [ $_nt -gt 0 ] | ||
165 | then | 181 | then |
166 | chmod 755 /var/empty | 182 | chmod 755 ${LOCALSTATEDIR}/empty |
167 | chown system.system /var/empty | ||
168 | fi | ||
169 | fi | ||
170 | |||
171 | # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't | ||
172 | # the same as ${PREFIX} | ||
173 | |||
174 | old_install=0 | ||
175 | if [ "${OLDPREFIX}" != "${PREFIX}" ] | ||
176 | then | ||
177 | if [ -f "${OLDPREFIX}/sbin/sshd" ] | ||
178 | then | ||
179 | echo | ||
180 | echo "You seem to have an older installation in ${OLDPREFIX}." | ||
181 | echo | ||
182 | # Check if old global configuration files exist | ||
183 | if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] | ||
184 | then | ||
185 | if request "Do you want to copy your config files to your new installation?" | ||
186 | then | ||
187 | cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} | ||
188 | cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} | ||
189 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} | ||
190 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} | ||
191 | cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} | ||
192 | cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} | ||
193 | fi | ||
194 | fi | ||
195 | if request "Do you want to erase your old installation?" | ||
196 | then | ||
197 | rm -f ${OLDPREFIX}/bin/ssh.exe | ||
198 | rm -f ${OLDPREFIX}/bin/ssh-config | ||
199 | rm -f ${OLDPREFIX}/bin/scp.exe | ||
200 | rm -f ${OLDPREFIX}/bin/ssh-add.exe | ||
201 | rm -f ${OLDPREFIX}/bin/ssh-agent.exe | ||
202 | rm -f ${OLDPREFIX}/bin/ssh-keygen.exe | ||
203 | rm -f ${OLDPREFIX}/bin/slogin | ||
204 | rm -f ${OLDSYSCONFDIR}/ssh_host_key | ||
205 | rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub | ||
206 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key | ||
207 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub | ||
208 | rm -f ${OLDSYSCONFDIR}/ssh_config | ||
209 | rm -f ${OLDSYSCONFDIR}/sshd_config | ||
210 | rm -f ${OLDPREFIX}/man/man1/ssh.1 | ||
211 | rm -f ${OLDPREFIX}/man/man1/scp.1 | ||
212 | rm -f ${OLDPREFIX}/man/man1/ssh-add.1 | ||
213 | rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 | ||
214 | rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 | ||
215 | rm -f ${OLDPREFIX}/man/man1/slogin.1 | ||
216 | rm -f ${OLDPREFIX}/man/man8/sshd.8 | ||
217 | rm -f ${OLDPREFIX}/sbin/sshd.exe | ||
218 | rm -f ${OLDPREFIX}/sbin/sftp-server.exe | ||
219 | fi | ||
220 | old_install=1 | ||
221 | fi | 183 | fi |
222 | fi | 184 | fi |
223 | 185 | ||
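Review bot: The new lastlog handling makes the login-record store world-writable: `chmod 777 ${LOCALSTATEDIR}/log/lastlog` when it is a directory and `chmod 666 ${LOCALSTATEDIR}/log/lastlog` when the file is created, so any local account can alter or erase last-login data. If the sshd service account is the only writer (not visible from this hunk), a tighter mode such as `chmod 644 ${LOCALSTATEDIR}/log/lastlog` combined with a chown to the service user would keep the records intact. The last hunk of this file already does that chown for `sshd.log`. If the wide mode is required on Cygwin, a comment saying why would help the next reader.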
@@ -255,52 +217,16 @@ then | |||
255 | fi | 217 | fi |
256 | fi | 218 | fi |
257 | 219 | ||
258 | # Create default ssh_config from here script | 220 | # Create default ssh_config from skeleton file in /etc/defaults/etc |
259 | 221 | ||
260 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] | 222 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] |
261 | then | 223 | then |
262 | echo "Generating ${SYSCONFDIR}/ssh_config file" | 224 | echo "Generating ${SYSCONFDIR}/ssh_config file" |
263 | cat > ${SYSCONFDIR}/ssh_config << EOF | 225 | cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config |
264 | # This is the ssh client system-wide configuration file. See | 226 | if [ "${port_number}" != "22" ] |
265 | # ssh_config(5) for more information. This file provides defaults for | ||
266 | # users, and the values can be changed in per-user configuration files | ||
267 | # or on the command line. | ||
268 | |||
269 | # Configuration data is parsed as follows: | ||
270 | # 1. command line options | ||
271 | # 2. user-specific file | ||
272 | # 3. system-wide file | ||
273 | # Any configuration value is only changed the first time it is set. | ||
274 | # Thus, host-specific definitions should be at the beginning of the | ||
275 | # configuration file, and defaults at the end. | ||
276 | |||
277 | # Site-wide defaults for various options | ||
278 | |||
279 | # Host * | ||
280 | # ForwardAgent no | ||
281 | # ForwardX11 no | ||
282 | # RhostsRSAAuthentication no | ||
283 | # RSAAuthentication yes | ||
284 | # PasswordAuthentication yes | ||
285 | # HostbasedAuthentication no | ||
286 | # BatchMode no | ||
287 | # CheckHostIP yes | ||
288 | # AddressFamily any | ||
289 | # ConnectTimeout 0 | ||
290 | # StrictHostKeyChecking ask | ||
291 | # IdentityFile ~/.ssh/identity | ||
292 | # IdentityFile ~/.ssh/id_dsa | ||
293 | # IdentityFile ~/.ssh/id_rsa | ||
294 | # Port 22 | ||
295 | # Protocol 2,1 | ||
296 | # Cipher 3des | ||
297 | # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc | ||
298 | # EscapeChar ~ | ||
299 | EOF | ||
300 | if [ "$port_number" != "22" ] | ||
301 | then | 227 | then |
302 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config | 228 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config |
303 | echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config | 229 | echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config |
304 | fi | 230 | fi |
305 | fi | 231 | fi |
306 | 232 | ||
@@ -322,35 +248,35 @@ fi | |||
322 | 248 | ||
323 | # Prior to creating or modifying sshd_config, care for privilege separation | 249 | # Prior to creating or modifying sshd_config, care for privilege separation |
324 | 250 | ||
325 | if [ "$privsep_configured" != "yes" ] | 251 | if [ "${privsep_configured}" != "yes" ] |
326 | then | 252 | then |
327 | if [ $_nt -gt 0 ] | 253 | if [ ${_nt} -gt 0 ] |
328 | then | 254 | then |
329 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." | 255 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." |
330 | echo "However, this requires a non-privileged account called 'sshd'." | 256 | echo "However, this requires a non-privileged account called 'sshd'." |
331 | echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." | 257 | echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." |
332 | echo | 258 | echo |
333 | if request "Shall privilege separation be used?" | 259 | if request "Should privilege separation be used?" |
334 | then | 260 | then |
335 | privsep_used=yes | 261 | privsep_used=yes |
336 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes | 262 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes |
337 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes | 263 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes |
338 | if [ "$sshd_in_passwd" != "yes" ] | 264 | if [ "${sshd_in_passwd}" != "yes" ] |
339 | then | 265 | then |
340 | if [ "$sshd_in_sam" != "yes" ] | 266 | if [ "${sshd_in_sam}" != "yes" ] |
341 | then | 267 | then |
342 | echo "Warning: The following function requires administrator privileges!" | 268 | echo "Warning: The following function requires administrator privileges!" |
343 | if request "Shall this script create a local user 'sshd' on this machine?" | 269 | if request "Should this script create a local user 'sshd' on this machine?" |
344 | then | 270 | then |
345 | dos_var_empty=`cygpath -w /var/empty` | 271 | dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` |
346 | net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes | 272 | net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes |
347 | if [ "$sshd_in_sam" != "yes" ] | 273 | if [ "${sshd_in_sam}" != "yes" ] |
348 | then | 274 | then |
349 | echo "Warning: Creating the user 'sshd' failed!" | 275 | echo "Warning: Creating the user 'sshd' failed!" |
350 | fi | 276 | fi |
351 | fi | 277 | fi |
352 | fi | 278 | fi |
353 | if [ "$sshd_in_sam" != "yes" ] | 279 | if [ "${sshd_in_sam}" != "yes" ] |
354 | then | 280 | then |
355 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" | 281 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" |
356 | echo " Privilege separation set to 'no' again!" | 282 | echo " Privilege separation set to 'no' again!" |
@@ -365,161 +291,85 @@ then | |||
365 | fi | 291 | fi |
366 | else | 292 | else |
367 | # On 9x don't use privilege separation. Since security isn't | 293 | # On 9x don't use privilege separation. Since security isn't |
368 | # available it just adds useless addtional processes. | 294 | # available it just adds useless additional processes. |
369 | privsep_used=no | 295 | privsep_used=no |
370 | fi | 296 | fi |
371 | fi | 297 | fi |
372 | 298 | ||
373 | # Create default sshd_config from here script or modify to add the | 299 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
374 | # missing privsep configuration option | 300 | # modify to add the missing privsep configuration option |
375 | 301 | ||
376 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] | 302 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] |
377 | then | 303 | then |
378 | echo "Generating ${SYSCONFDIR}/sshd_config file" | 304 | echo "Generating ${SYSCONFDIR}/sshd_config file" |
379 | cat > ${SYSCONFDIR}/sshd_config << EOF | 305 | sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
380 | # This is the sshd server system-wide configuration file. See | 306 | s/^#Port 22/Port ${port_number}/ |
381 | # sshd_config(5) for more information. | 307 | s/^#StrictModes yes/StrictModes no/" \ |
382 | 308 | < ${SYSCONFDIR}/defaults/etc/sshd_config \ | |
383 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | 309 | > ${SYSCONFDIR}/sshd_config |
384 | 310 | elif [ "${privsep_configured}" != "yes" ] | |
385 | # The strategy used for options in the default sshd_config shipped with | ||
386 | # OpenSSH is to specify options with their default value where | ||
387 | # possible, but leave them commented. Uncommented options change a | ||
388 | # default value. | ||
389 | |||
390 | Port $port_number | ||
391 | #Protocol 2,1 | ||
392 | #ListenAddress 0.0.0.0 | ||
393 | #ListenAddress :: | ||
394 | |||
395 | # HostKey for protocol version 1 | ||
396 | #HostKey ${SYSCONFDIR}/ssh_host_key | ||
397 | # HostKeys for protocol version 2 | ||
398 | #HostKey ${SYSCONFDIR}/ssh_host_rsa_key | ||
399 | #HostKey ${SYSCONFDIR}/ssh_host_dsa_key | ||
400 | |||
401 | # Lifetime and size of ephemeral version 1 server key | ||
402 | #KeyRegenerationInterval 1h | ||
403 | #ServerKeyBits 768 | ||
404 | |||
405 | # Logging | ||
406 | #obsoletes QuietMode and FascistLogging | ||
407 | #SyslogFacility AUTH | ||
408 | #LogLevel INFO | ||
409 | |||
410 | # Authentication: | ||
411 | |||
412 | #LoginGraceTime 2m | ||
413 | #PermitRootLogin yes | ||
414 | # The following setting overrides permission checks on host key files | ||
415 | # and directories. For security reasons set this to "yes" when running | ||
416 | # NT/W2K, NTFS and CYGWIN=ntsec. | ||
417 | StrictModes no | ||
418 | |||
419 | #RSAAuthentication yes | ||
420 | #PubkeyAuthentication yes | ||
421 | #AuthorizedKeysFile .ssh/authorized_keys | ||
422 | |||
423 | # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts | ||
424 | #RhostsRSAAuthentication no | ||
425 | # similar for protocol version 2 | ||
426 | #HostbasedAuthentication no | ||
427 | # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
428 | # RhostsRSAAuthentication and HostbasedAuthentication | ||
429 | #IgnoreUserKnownHosts no | ||
430 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
431 | #IgnoreRhosts yes | ||
432 | |||
433 | # To disable tunneled clear text passwords, change to no here! | ||
434 | #PasswordAuthentication yes | ||
435 | #PermitEmptyPasswords no | ||
436 | |||
437 | # Change to no to disable s/key passwords | ||
438 | #ChallengeResponseAuthentication yes | ||
439 | |||
440 | #AllowTcpForwarding yes | ||
441 | #GatewayPorts no | ||
442 | #X11Forwarding no | ||
443 | #X11DisplayOffset 10 | ||
444 | #X11UseLocalhost yes | ||
445 | #PrintMotd yes | ||
446 | #PrintLastLog yes | ||
447 | #KeepAlive yes | ||
448 | #UseLogin no | ||
449 | UsePrivilegeSeparation $privsep_used | ||
450 | #PermitUserEnvironment no | ||
451 | #Compression yes | ||
452 | #ClientAliveInterval 0 | ||
453 | #ClientAliveCountMax 3 | ||
454 | #UseDNS yes | ||
455 | #PidFile /var/run/sshd.pid | ||
456 | #MaxStartups 10 | ||
457 | |||
458 | # no default banner path | ||
459 | #Banner /some/path | ||
460 | |||
461 | # override default of no subsystems | ||
462 | Subsystem sftp /usr/sbin/sftp-server | ||
463 | EOF | ||
464 | elif [ "$privsep_configured" != "yes" ] | ||
465 | then | 311 | then |
466 | echo >> ${SYSCONFDIR}/sshd_config | 312 | echo >> ${SYSCONFDIR}/sshd_config |
467 | echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config | 313 | echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
468 | fi | 314 | fi |
469 | 315 | ||
470 | # Care for services file | 316 | # Care for services file |
471 | if [ $_nt -gt 0 ] | 317 | _my_etcdir="/ssh-host-config.$$" |
318 | if [ ${_nt} -gt 0 ] | ||
472 | then | 319 | then |
473 | _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" | 320 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" |
474 | _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" | 321 | _services="${_my_etcdir}/services" |
322 | # On NT, 27 spaces, no space after the hash | ||
323 | _spaces=" #" | ||
475 | else | 324 | else |
476 | _wservices="${WINDIR}\\SERVICES" | 325 | _win_etcdir="${WINDIR}" |
477 | _wserv_tmp="${WINDIR}\\SERV.$$" | 326 | _services="${_my_etcdir}/SERVICES" |
327 | # On 9x, 18 spaces (95 is very touchy), a space after the hash | ||
328 | _spaces=" # " | ||
478 | fi | 329 | fi |
479 | _services=`cygpath -u "${_wservices}"` | 330 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
480 | _serv_tmp=`cygpath -u "${_wserv_tmp}"` | ||
481 | 331 | ||
482 | mount -t -f "${_wservices}" "${_services}" | 332 | mount -t -f "${_win_etcdir}" "${_my_etcdir}" |
483 | mount -t -f "${_wserv_tmp}" "${_serv_tmp}" | 333 | |
334 | # Depends on the above mount | ||
335 | _wservices=`cygpath -w "${_services}"` | ||
484 | 336 | ||
485 | # Remove sshd 22/port from services | 337 | # Remove sshd 22/port from services |
486 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | 338 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
487 | then | 339 | then |
488 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | 340 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
489 | if [ -f "${_serv_tmp}" ] | 341 | if [ -f "${_serv_tmp}" ] |
490 | then | 342 | then |
491 | if mv "${_serv_tmp}" "${_services}" | 343 | if mv "${_serv_tmp}" "${_services}" |
492 | then | 344 | then |
493 | echo "Removing sshd from ${_services}" | 345 | echo "Removing sshd from ${_wservices}" |
494 | else | 346 | else |
495 | echo "Removing sshd from ${_services} failed\!" | 347 | echo "Removing sshd from ${_wservices} failed!" |
496 | fi | 348 | fi |
497 | rm -f "${_serv_tmp}" | 349 | rm -f "${_serv_tmp}" |
498 | else | 350 | else |
499 | echo "Removing sshd from ${_services} failed\!" | 351 | echo "Removing sshd from ${_wservices} failed!" |
500 | fi | 352 | fi |
501 | fi | 353 | fi |
502 | 354 | ||
503 | # Add ssh 22/tcp and ssh 22/udp to services | 355 | # Add ssh 22/tcp and ssh 22/udp to services |
504 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | 356 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
505 | then | 357 | then |
506 | awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | 358 | if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
507 | if [ -f "${_serv_tmp}" ] | ||
508 | then | 359 | then |
509 | if mv "${_serv_tmp}" "${_services}" | 360 | if mv "${_serv_tmp}" "${_services}" |
510 | then | 361 | then |
511 | echo "Added ssh to ${_services}" | 362 | echo "Added ssh to ${_wservices}" |
512 | else | 363 | else |
513 | echo "Adding ssh to ${_services} failed\!" | 364 | echo "Adding ssh to ${_wservices} failed!" |
514 | fi | 365 | fi |
515 | rm -f "${_serv_tmp}" | 366 | rm -f "${_serv_tmp}" |
516 | else | 367 | else |
517 | echo "Adding ssh to ${_services} failed\!" | 368 | echo "WARNING: Adding ssh to ${_wservices} failed!" |
518 | fi | 369 | fi |
519 | fi | 370 | fi |
520 | 371 | ||
521 | umount "${_services}" | 372 | umount "${_my_etcdir}" |
522 | umount "${_serv_tmp}" | ||
523 | 373 | ||
524 | # Care for inetd.conf file | 374 | # Care for inetd.conf file |
525 | _inetcnf="${SYSCONFDIR}/inetd.conf" | 375 | _inetcnf="${SYSCONFDIR}/inetd.conf" |
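Review bot: `${port_number}` is substituted into the sed script (`s/^#Port 22/Port ${port_number}/`) exactly as it came from `-p`; as far as the visible option parsing shows, it is only assigned with `port_number=$1`. A non-numeric value would either break the sed expression or land verbatim in `sshd_config`. A guard before this block, e.g. `case "${port_number}" in ''|*[!0-9]*) echo "Invalid port: ${port_number}"; exit 1;; esac`, would reject it early. The substitutions also rely on the skeleton containing the exact lines `#UsePrivilegeSeparation yes`, `#Port 22` and `#StrictModes yes`; if one is missing the setting is silently not applied, so a comment recording that dependency would be useful.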
@@ -538,13 +388,13 @@ then | |||
538 | then | 388 | then |
539 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | 389 | if mv "${_inetcnf_tmp}" "${_inetcnf}" |
540 | then | 390 | then |
541 | echo "Removed sshd from ${_inetcnf}" | 391 | echo "Removed sshd from ${_inetcnf}" |
542 | else | 392 | else |
543 | echo "Removing sshd from ${_inetcnf} failed\!" | 393 | echo "Removing sshd from ${_inetcnf} failed!" |
544 | fi | 394 | fi |
545 | rm -f "${_inetcnf_tmp}" | 395 | rm -f "${_inetcnf_tmp}" |
546 | else | 396 | else |
547 | echo "Removing sshd from ${_inetcnf} failed\!" | 397 | echo "Removing sshd from ${_inetcnf} failed!" |
548 | fi | 398 | fi |
549 | fi | 399 | fi |
550 | 400 | ||
@@ -562,34 +412,181 @@ then | |||
562 | fi | 412 | fi |
563 | 413 | ||
564 | # On NT ask if sshd should be installed as service | 414 | # On NT ask if sshd should be installed as service |
565 | if [ $_nt -gt 0 ] | 415 | if [ ${_nt} -gt 0 ] |
566 | then | 416 | then |
567 | echo | 417 | # But only if it is not already installed |
568 | echo "Do you want to install sshd as service?" | 418 | if ! cygrunsrv -Q sshd > /dev/null 2>&1 |
569 | if request "(Say \"no\" if it's already installed as service)" | ||
570 | then | 419 | then |
571 | echo | 420 | echo |
572 | echo "Which value should the environment variable CYGWIN have when" | 421 | echo |
573 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" | 422 | echo "Warning: The following functions require administrator privileges!" |
574 | echo "able to change user context without password." | 423 | echo |
575 | echo -n "Default is \"binmode ntsec tty\". CYGWIN=" | 424 | echo "Do you want to install sshd as service?" |
576 | read _cygwin | 425 | if request "(Say \"no\" if it's already installed as service)" |
577 | [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" | 426 | then |
578 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" | 427 | if [ $_nt2003 -gt 0 ] |
428 | then | ||
429 | grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes | ||
430 | if [ "${sshd_server_in_passwd}" = "yes" ] | ||
431 | then | ||
432 | # Drop sshd_server from passwd since it could have wrong settings | ||
433 | grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ | ||
434 | rm -f ${SYSCONFDIR}/passwd | ||
435 | mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd | ||
436 | chmod g-w,o-w ${SYSCONFDIR}/passwd | ||
437 | fi | ||
438 | net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes | ||
439 | if [ "${sshd_server_in_sam}" != "yes" ] | ||
440 | then | ||
441 | echo | ||
442 | echo "You appear to be running Windows 2003 Server or later. On 2003 and" | ||
443 | echo "later systems, it's not possible to use the LocalSystem account" | ||
444 | echo "if sshd should allow passwordless logon (e. g. public key authentication)." | ||
445 | echo "If you want to enable that functionality, it's required to create a new" | ||
446 | echo "account 'sshd_server' with special privileges, which is then used to run" | ||
447 | echo "the sshd service under." | ||
448 | echo | ||
449 | echo "Should this script create a new local account 'sshd_server' which has" | ||
450 | if request "the required privileges?" | ||
451 | then | ||
452 | _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` | ||
453 | if [ -z "${_admingroup}" ] | ||
454 | then | ||
455 | echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" | ||
456 | echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" | ||
457 | echo "and restart this script." | ||
458 | exit 1 | ||
459 | fi | ||
460 | dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` | ||
461 | while [ "${sshd_server_in_sam}" != "yes" ] | ||
462 | do | ||
463 | if [ -n "${password_value}" ] | ||
464 | then | ||
465 | _password="${password_value}" | ||
466 | # Allow to ask for password if first try fails | ||
467 | password_value="" | ||
468 | else | ||
469 | echo | ||
470 | echo "Please enter a password for new user 'sshd_server'. Please be sure that" | ||
471 | echo "this password matches the password rules given on your system." | ||
472 | echo -n "Entering no password will exit the configuration. PASSWORD=" | ||
473 | read -e _password | ||
474 | if [ -z "${_password}" ] | ||
475 | then | ||
476 | echo | ||
477 | echo "Exiting configuration. No user sshd_server has been created," | ||
478 | echo "no sshd service installed." | ||
479 | exit 1 | ||
480 | fi | ||
481 | fi | ||
482 | net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes | ||
483 | if [ "${sshd_server_in_sam}" != "yes" ] | ||
484 | then | ||
485 | echo "Creating the user 'sshd_server' failed! Reason:" | ||
486 | cat /tmp/nu.$$ | ||
487 | rm /tmp/nu.$$ | ||
488 | fi | ||
489 | done | ||
490 | net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes | ||
491 | if [ "${sshd_server_in_admingroup}" != "yes" ] | ||
492 | then | ||
493 | echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" | ||
494 | echo "Please add sshd_server to local group ${_admingroup} before" | ||
495 | echo "starting the sshd service!" | ||
496 | echo | ||
497 | fi | ||
498 | passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` | ||
499 | if [ "${passwd_has_expiry_flags}" != "yes" ] | ||
500 | then | ||
501 | echo | ||
502 | echo "WARNING: User sshd_server has password expiry set to system default." | ||
503 | echo "Please check that password never expires or set it to your needs." | ||
504 | elif ! passwd -e sshd_server | ||
505 | then | ||
506 | echo | ||
507 | echo "WARNING: Setting password expiry for user sshd_server failed!" | ||
508 | echo "Please check that password never expires or set it to your needs." | ||
509 | fi | ||
510 | editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && | ||
511 | editrights -a SeCreateTokenPrivilege -u sshd_server && | ||
512 | editrights -a SeDenyInteractiveLogonRight -u sshd_server && | ||
513 | editrights -a SeDenyNetworkLogonRight -u sshd_server && | ||
514 | editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && | ||
515 | editrights -a SeIncreaseQuotaPrivilege -u sshd_server && | ||
516 | editrights -a SeServiceLogonRight -u sshd_server && | ||
517 | sshd_server_got_all_rights="yes" | ||
518 | if [ "${sshd_server_got_all_rights}" != "yes" ] | ||
519 | then | ||
520 | echo | ||
521 | echo "Assigning the appropriate privileges to user 'sshd_server' failed!" | ||
522 | echo "Can't create sshd service!" | ||
523 | exit 1 | ||
524 | fi | ||
525 | echo | ||
526 | echo "User 'sshd_server' has been created with password '${_password}'." | ||
527 | echo "If you change the password, please keep in mind to change the password" | ||
528 | echo "for the sshd service, too." | ||
529 | echo | ||
530 | echo "Also keep in mind that the user sshd_server needs read permissions on all" | ||
531 | echo "users' .ssh/authorized_keys file to allow public key authentication for" | ||
532 | echo "these users!. (Re-)running ssh-user-config for each user will set the" | ||
533 | echo "required permissions correctly." | ||
534 | echo | ||
535 | fi | ||
536 | fi | ||
537 | if [ "${sshd_server_in_sam}" = "yes" ] | ||
538 | then | ||
539 | mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd | ||
540 | fi | ||
541 | fi | ||
542 | if [ -n "${cygwin_value}" ] | ||
543 | then | ||
544 | _cygwin="${cygwin_value}" | ||
545 | else | ||
546 | echo | ||
547 | echo "Which value should the environment variable CYGWIN have when" | ||
548 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" | ||
549 | echo "able to change user context without password." | ||
550 | echo -n "Default is \"ntsec\". CYGWIN=" | ||
551 | read -e _cygwin | ||
552 | fi | ||
553 | [ -z "${_cygwin}" ] && _cygwin="ntsec" | ||
554 | if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] | ||
555 | then | ||
556 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" | ||
557 | then | ||
558 | echo | ||
559 | echo "The service has been installed under sshd_server account." | ||
560 | echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." | ||
561 | fi | ||
562 | else | ||
563 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" | ||
564 | then | ||
565 | echo | ||
566 | echo "The service has been installed under LocalSystem account." | ||
567 | echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." | ||
568 | fi | ||
569 | fi | ||
570 | fi | ||
571 | # Now check if sshd has been successfully installed. This allows to | ||
572 | # set the ownership of the affected files correctly. | ||
573 | if cygrunsrv -Q sshd > /dev/null 2>&1 | ||
579 | then | 574 | then |
580 | chown system ${SYSCONFDIR}/ssh* | 575 | if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] |
581 | echo | 576 | then |
582 | echo "The service has been installed under LocalSystem account." | 577 | _user="sshd_server" |
578 | else | ||
579 | _user="system" | ||
580 | fi | ||
581 | chown "${_user}" ${SYSCONFDIR}/ssh* | ||
582 | chown "${_user}".544 ${LOCALSTATEDIR}/empty | ||
583 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] | ||
584 | then | ||
585 | chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log | ||
586 | fi | ||
583 | fi | 587 | fi |
584 | fi | 588 | fi |
585 | fi | 589 | fi |
586 | 590 | ||
587 | if [ "${old_install}" = "1" ] | ||
588 | then | ||
589 | echo | ||
590 | echo "Note: If you have used sshd as service or from inetd, don't forget to" | ||
591 | echo " change the path to sshd.exe in the service entry or in inetd.conf." | ||
592 | fi | ||
593 | |||
594 | echo | 591 | echo |
595 | echo "Host configuration finished. Have fun!" | 592 | echo "Host configuration finished. Have fun!" |
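Review bot: The `sshd_server` password is disclosed in several places in this hunk: `read -e _password` echoes it while it is typed, the summary prints it back with `echo "User 'sshd_server' has been created with password '${_password}'."`, and it is passed as an argument to `net user` and `cygrunsrv -w`, where a process listing may show it. Dropping the value from the message (`echo "User 'sshd_server' has been created."`) and wrapping the prompt as `stty -echo; read _password; stty echo` would remove the first two exposures. The `net user` output also goes to the predictable path `/tmp/nu.$$`, which is removed only in the failure branch; a file created with `mktemp` and removed on both paths would be safer. Separately, when `sshd_server` already exists in the SAM the creation loop is skipped and `_password` is never set, so `cygrunsrv ... -w "${_password}"` appears to be called with an empty password.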
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 4da113181..fe07ce360 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config | |||
@@ -1,9 +1,12 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # | 2 | # |
3 | # ssh-user-config, Copyright 2000, Red Hat Inc. | 3 | # ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. |
4 | # | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | 5 | # This file is part of the Cygwin port of OpenSSH. |
6 | 6 | ||
7 | # Directory where the config files are stored | ||
8 | SYSCONFDIR=/etc | ||
9 | |||
7 | progname=$0 | 10 | progname=$0 |
8 | auto_answer="" | 11 | auto_answer="" |
9 | auto_passphrase="no" | 12 | auto_passphrase="no" |
@@ -33,6 +36,15 @@ request() | |||
33 | fi | 36 | fi |
34 | } | 37 | } |
35 | 38 | ||
39 | # Check if running on NT | ||
40 | _sys="`uname -a`" | ||
41 | _nt=`expr "$_sys" : "CYGWIN_NT"` | ||
42 | # If running on NT, check if running under 2003 Server or later | ||
43 | if [ $_nt -gt 0 ] | ||
44 | then | ||
45 | _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` | ||
46 | fi | ||
47 | |||
36 | # Check options | 48 | # Check options |
37 | 49 | ||
38 | while : | 50 | while : |
@@ -84,27 +96,27 @@ done | |||
84 | 96 | ||
85 | # Ask user if user identity should be generated | 97 | # Ask user if user identity should be generated |
86 | 98 | ||
87 | if [ ! -f /etc/passwd ] | 99 | if [ ! -f ${SYSCONFDIR}/passwd ] |
88 | then | 100 | then |
89 | echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file' | 101 | echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" |
90 | echo 'first using mkpasswd. Check if it contains an entry for you and' | 102 | echo 'first using mkpasswd. Check if it contains an entry for you and' |
91 | echo 'please care for the home directory in your entry as well.' | 103 | echo 'please care for the home directory in your entry as well.' |
92 | exit 1 | 104 | exit 1 |
93 | fi | 105 | fi |
94 | 106 | ||
95 | uid=`id -u` | 107 | uid=`id -u` |
96 | pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd` | 108 | pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` |
97 | 109 | ||
98 | if [ "X${pwdhome}" = "X" ] | 110 | if [ "X${pwdhome}" = "X" ] |
99 | then | 111 | then |
100 | echo 'There is no home directory set for you in /etc/passwd.' | 112 | echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." |
101 | echo 'Setting $HOME is not sufficient!' | 113 | echo 'Setting $HOME is not sufficient!' |
102 | exit 1 | 114 | exit 1 |
103 | fi | 115 | fi |
104 | 116 | ||
105 | if [ ! -d "${pwdhome}" ] | 117 | if [ ! -d "${pwdhome}" ] |
106 | then | 118 | then |
107 | echo "${pwdhome} is set in /etc/passwd as your home directory" | 119 | echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" |
108 | echo 'but it is not a valid directory. Cannot create user identity files.' | 120 | echo 'but it is not a valid directory. Cannot create user identity files.' |
109 | exit 1 | 121 | exit 1 |
110 | fi | 122 | fi |
@@ -114,7 +126,7 @@ fi | |||
114 | if [ "X${pwdhome}" = "X/" ] | 126 | if [ "X${pwdhome}" = "X/" ] |
115 | then | 127 | then |
116 | # But first raise a warning! | 128 | # But first raise a warning! |
117 | echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!' | 129 | echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" |
118 | if request "Would you like to proceed anyway?" | 130 | if request "Would you like to proceed anyway?" |
119 | then | 131 | then |
120 | pwdhome='' | 132 | pwdhome='' |
@@ -123,6 +135,17 @@ then | |||
123 | fi | 135 | fi |
124 | fi | 136 | fi |
125 | 137 | ||
138 | if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] | ||
139 | then | ||
140 | echo | ||
141 | echo 'WARNING: group and other have been revoked write permission to your home' | ||
142 | echo " directory ${pwdhome}." | ||
143 | echo ' This is required by OpenSSH to allow public key authentication using' | ||
144 | echo ' the key files stored in your .ssh subdirectory.' | ||
145 | echo ' Revert this change ONLY if you know what you are doing!' | ||
146 | echo | ||
147 | fi | ||
148 | |||
126 | if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] | 149 | if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] |
127 | then | 150 | then |
128 | echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." | 151 | echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." |
@@ -139,6 +162,21 @@ then | |||
139 | fi | 162 | fi |
140 | fi | 163 | fi |
141 | 164 | ||
165 | if [ $_nt -gt 0 ] | ||
166 | then | ||
167 | _user="system" | ||
168 | if [ $_nt2003 -gt 0 ] | ||
169 | then | ||
170 | grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" | ||
171 | fi | ||
172 | if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" | ||
173 | then | ||
174 | echo "${pwdhome}/.ssh couldn't be given the correct permissions." | ||
175 | echo "Please try to solve this problem first." | ||
176 | exit 1 | ||
177 | fi | ||
178 | fi | ||
179 | |||
142 | if [ ! -f "${pwdhome}/.ssh/identity" ] | 180 | if [ ! -f "${pwdhome}/.ssh/identity" ] |
143 | then | 181 | then |
144 | if request "Shall I create an SSH1 RSA identity file for you?" | 182 | if request "Shall I create an SSH1 RSA identity file for you?" |
@@ -196,5 +234,17 @@ then | |||
196 | fi | 234 | fi |
197 | fi | 235 | fi |
198 | 236 | ||
237 | if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] | ||
238 | then | ||
239 | if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" | ||
240 | then | ||
241 | echo | ||
242 | echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" | ||
243 | echo "failed. Please care for the correct permissions. The minimum requirement" | ||
244 | echo "is, the owner and ${_user} both need read permissions." | ||
245 | echo | ||
246 | fi | ||
247 | fi | ||
248 | |||
199 | echo | 249 | echo |
200 | echo "Configuration finished. Have fun!" | 250 | echo "Configuration finished. Have fun!" |
diff --git a/contrib/findssl.sh b/contrib/findssl.sh index 87a4abce2..0c08d4a18 100644 --- a/contrib/findssl.sh +++ b/contrib/findssl.sh | |||
@@ -9,24 +9,24 @@ | |||
9 | # Written by Darren Tucker (dtucker at zip dot com dot au) | 9 | # Written by Darren Tucker (dtucker at zip dot com dot au) |
10 | # This file is placed in the public domain. | 10 | # This file is placed in the public domain. |
11 | # | 11 | # |
12 | # $Id: findssl.sh,v 1.1 2003/06/24 10:22:10 dtucker Exp $ | 12 | # $Id: findssl.sh,v 1.2 2003/11/21 12:48:56 djm Exp $ |
13 | # 2002-07-27: Initial release. | 13 | # 2002-07-27: Initial release. |
14 | # 2002-08-04: Added public domain notice. | 14 | # 2002-08-04: Added public domain notice. |
15 | # 2003-06-24: Incorporated readme, set library paths. First cvs version. | 15 | # 2003-06-24: Incorporated readme, set library paths. First cvs version. |
16 | # | 16 | # |
17 | # "OpenSSL headers do not match your library" are usually caused by | 17 | # "OpenSSL headers do not match your library" are usually caused by |
18 | # OpenSSH's configure picking up an older version of OpenSSL headers | 18 | # OpenSSH's configure picking up an older version of OpenSSL headers |
19 | # or libraries. You can use the following # procedure to help identify | 19 | # or libraries. You can use the following # procedure to help identify |
20 | # the cause. | 20 | # the cause. |
21 | # | 21 | # |
22 | # The output of configure will tell you the versions of the OpenSSL | 22 | # The output of configure will tell you the versions of the OpenSSL |
23 | # headers and libraries that were picked up, for example: | 23 | # headers and libraries that were picked up, for example: |
24 | # | 24 | # |
25 | # checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002) | 25 | # checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002) |
26 | # checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) | 26 | # checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) |
27 | # checking whether OpenSSL's headers match the library... no | 27 | # checking whether OpenSSL's headers match the library... no |
28 | # configure: error: Your OpenSSL headers do not match your library | 28 | # configure: error: Your OpenSSL headers do not match your library |
29 | # | 29 | # |
30 | # Now run findssl.sh. This should identify the headers and libraries | 30 | # Now run findssl.sh. This should identify the headers and libraries |
31 | # present and their versions. You should be able to identify the | 31 | # present and their versions. You should be able to identify the |
32 | # libraries and headers used and adjust your CFLAGS or remove incorrect | 32 | # libraries and headers used and adjust your CFLAGS or remove incorrect |
@@ -37,7 +37,7 @@ | |||
37 | # Searching for OpenSSL header files. | 37 | # Searching for OpenSSL header files. |
38 | # 0x0090604fL /usr/include/openssl/opensslv.h | 38 | # 0x0090604fL /usr/include/openssl/opensslv.h |
39 | # 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h | 39 | # 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h |
40 | # | 40 | # |
41 | # Searching for OpenSSL shared library files. | 41 | # Searching for OpenSSL shared library files. |
42 | # 0x0090602fL /lib/libcrypto.so.0.9.6b | 42 | # 0x0090602fL /lib/libcrypto.so.0.9.6b |
43 | # 0x0090602fL /lib/libcrypto.so.2 | 43 | # 0x0090602fL /lib/libcrypto.so.2 |
@@ -46,11 +46,11 @@ | |||
46 | # 0x0090581fL /usr/lib/libcrypto.so.0.9.5a | 46 | # 0x0090581fL /usr/lib/libcrypto.so.0.9.5a |
47 | # 0x0090600fL /usr/lib/libcrypto.so.0.9.6 | 47 | # 0x0090600fL /usr/lib/libcrypto.so.0.9.6 |
48 | # 0x0090600fL /usr/lib/libcrypto.so.1 | 48 | # 0x0090600fL /usr/lib/libcrypto.so.1 |
49 | # | 49 | # |
50 | # Searching for OpenSSL static library files. | 50 | # Searching for OpenSSL static library files. |
51 | # 0x0090602fL /usr/lib/libcrypto.a | 51 | # 0x0090602fL /usr/lib/libcrypto.a |
52 | # 0x0090604fL /usr/local/ssl/lib/libcrypto.a | 52 | # 0x0090604fL /usr/local/ssl/lib/libcrypto.a |
53 | # | 53 | # |
54 | # In this example, I gave configure no extra flags, so it's picking up | 54 | # In this example, I gave configure no extra flags, so it's picking up |
55 | # the OpenSSL header from /usr/include/openssl (90604f) and the library | 55 | # the OpenSSL header from /usr/include/openssl (90604f) and the library |
56 | # from /usr/lib/ (90602f). | 56 | # from /usr/lib/ (90602f). |
diff --git a/contrib/gnome-ssh-askpass1.c b/contrib/gnome-ssh-askpass1.c index b6b342b84..4d51032d1 100644 --- a/contrib/gnome-ssh-askpass1.c +++ b/contrib/gnome-ssh-askpass1.c | |||
@@ -23,14 +23,14 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | /* | 25 | /* |
26 | * This is a simple GNOME SSH passphrase grabber. To use it, set the | 26 | * This is a simple GNOME SSH passphrase grabber. To use it, set the |
27 | * environment variable SSH_ASKPASS to point to the location of | 27 | * environment variable SSH_ASKPASS to point to the location of |
28 | * gnome-ssh-askpass before calling "ssh-add < /dev/null". | 28 | * gnome-ssh-askpass before calling "ssh-add < /dev/null". |
29 | * | 29 | * |
30 | * There is only two run-time options: if you set the environment variable | 30 | * There is only two run-time options: if you set the environment variable |
31 | * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab | 31 | * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab |
32 | * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the | 32 | * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the |
33 | * pointer will be grabbed too. These may have some benefit to security if | 33 | * pointer will be grabbed too. These may have some benefit to security if |
34 | * you don't trust your X server. We grab the keyboard always. | 34 | * you don't trust your X server. We grab the keyboard always. |
35 | */ | 35 | */ |
36 | 36 | ||
@@ -87,7 +87,7 @@ passphrase_dialog(char *message) | |||
87 | } | 87 | } |
88 | 88 | ||
89 | entry = gtk_entry_new(); | 89 | entry = gtk_entry_new(); |
90 | gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, | 90 | gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, |
91 | FALSE, 0); | 91 | FALSE, 0); |
92 | gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); | 92 | gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); |
93 | gtk_widget_grab_focus(entry); | 93 | gtk_widget_grab_focus(entry); |
@@ -105,7 +105,7 @@ passphrase_dialog(char *message) | |||
105 | /* Grab focus */ | 105 | /* Grab focus */ |
106 | if (grab_server) | 106 | if (grab_server) |
107 | XGrabServer(GDK_DISPLAY()); | 107 | XGrabServer(GDK_DISPLAY()); |
108 | if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, | 108 | if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, |
109 | NULL, NULL, GDK_CURRENT_TIME)) | 109 | NULL, NULL, GDK_CURRENT_TIME)) |
110 | goto nograb; | 110 | goto nograb; |
111 | if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME)) | 111 | if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME)) |
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c index 9e8eaf920..0ce8daec9 100644 --- a/contrib/gnome-ssh-askpass2.c +++ b/contrib/gnome-ssh-askpass2.c | |||
@@ -25,14 +25,14 @@ | |||
25 | /* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */ | 25 | /* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */ |
26 | 26 | ||
27 | /* | 27 | /* |
28 | * This is a simple GNOME SSH passphrase grabber. To use it, set the | 28 | * This is a simple GNOME SSH passphrase grabber. To use it, set the |
29 | * environment variable SSH_ASKPASS to point to the location of | 29 | * environment variable SSH_ASKPASS to point to the location of |
30 | * gnome-ssh-askpass before calling "ssh-add < /dev/null". | 30 | * gnome-ssh-askpass before calling "ssh-add < /dev/null". |
31 | * | 31 | * |
32 | * There is only two run-time options: if you set the environment variable | 32 | * There is only two run-time options: if you set the environment variable |
33 | * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab | 33 | * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab |
34 | * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the | 34 | * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the |
35 | * pointer will be grabbed too. These may have some benefit to security if | 35 | * pointer will be grabbed too. These may have some benefit to security if |
36 | * you don't trust your X server. We grab the keyboard always. | 36 | * you don't trust your X server. We grab the keyboard always. |
37 | */ | 37 | */ |
38 | 38 | ||
@@ -103,7 +103,7 @@ passphrase_dialog(char *message) | |||
103 | message); | 103 | message); |
104 | 104 | ||
105 | entry = gtk_entry_new(); | 105 | entry = gtk_entry_new(); |
106 | gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, | 106 | gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, |
107 | FALSE, 0); | 107 | FALSE, 0); |
108 | gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); | 108 | gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); |
109 | gtk_widget_grab_focus(entry); | 109 | gtk_widget_grab_focus(entry); |
@@ -124,7 +124,7 @@ passphrase_dialog(char *message) | |||
124 | if (grab_pointer) { | 124 | if (grab_pointer) { |
125 | for(;;) { | 125 | for(;;) { |
126 | status = gdk_pointer_grab( | 126 | status = gdk_pointer_grab( |
127 | (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, | 127 | (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, |
128 | NULL, GDK_CURRENT_TIME); | 128 | NULL, GDK_CURRENT_TIME); |
129 | if (status == GDK_GRAB_SUCCESS) | 129 | if (status == GDK_GRAB_SUCCESS) |
130 | break; | 130 | break; |
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index ce7c564c3..05750e3a9 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec | |||
@@ -1,4 +1,4 @@ | |||
1 | %define ver 3.7p1 | 1 | %define ver 3.8p1 |
2 | %define rel 1 | 2 | %define rel 1 |
3 | 3 | ||
4 | # OpenSSH privilege separation requires a user & group ID | 4 | # OpenSSH privilege separation requires a user & group ID |
@@ -34,6 +34,11 @@ | |||
34 | %{?skip_x11_askpass:%define no_x11_askpass 1} | 34 | %{?skip_x11_askpass:%define no_x11_askpass 1} |
35 | %{?skip_gnome_askpass:%define no_gnome_askpass 1} | 35 | %{?skip_gnome_askpass:%define no_gnome_askpass 1} |
36 | 36 | ||
37 | # Add option to build without GTK2 for older platforms with only GTK+. | ||
38 | # RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. | ||
39 | # rpm -ba|--rebuild --define 'no_gtk2 1' | ||
40 | %{?no_gtk2:%define gtk2 0} | ||
41 | |||
37 | # Is this a build for RHL 6.x or earlier? | 42 | # Is this a build for RHL 6.x or earlier? |
38 | %{?build_6x:%define build6x 1} | 43 | %{?build_6x:%define build6x 1} |
39 | 44 | ||
@@ -176,6 +181,11 @@ environment. | |||
176 | CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS | 181 | CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS |
177 | %endif | 182 | %endif |
178 | 183 | ||
184 | %if %{kerberos5} | ||
185 | K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` | ||
186 | echo K5DIR=$K5DIR | ||
187 | %endif | ||
188 | |||
179 | %configure \ | 189 | %configure \ |
180 | --sysconfdir=%{_sysconfdir}/ssh \ | 190 | --sysconfdir=%{_sysconfdir}/ssh \ |
181 | --libexecdir=%{_libexecdir}/openssh \ | 191 | --libexecdir=%{_libexecdir}/openssh \ |
@@ -185,16 +195,17 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS | |||
185 | --with-default-path=/usr/local/bin:/bin:/usr/bin \ | 195 | --with-default-path=/usr/local/bin:/bin:/usr/bin \ |
186 | --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ | 196 | --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ |
187 | --with-privsep-path=%{_var}/empty/sshd \ | 197 | --with-privsep-path=%{_var}/empty/sshd \ |
198 | --with-md5-passwords \ | ||
188 | %if %{scard} | 199 | %if %{scard} |
189 | --with-smartcard \ | 200 | --with-smartcard \ |
190 | %endif | 201 | %endif |
191 | %if %{rescue} | 202 | %if %{rescue} |
192 | --without-pam --with-md5-passwords \ | 203 | --without-pam \ |
193 | %else | 204 | %else |
194 | --with-pam \ | 205 | --with-pam \ |
195 | %endif | 206 | %endif |
196 | %if %{kerberos5} | 207 | %if %{kerberos5} |
197 | --with-kerberos5=/usr/kerberos \ | 208 | --with-kerberos5=$K5DIR \ |
198 | %endif | 209 | %endif |
199 | 210 | ||
200 | 211 | ||
@@ -392,7 +403,7 @@ fi | |||
392 | 403 | ||
393 | %changelog | 404 | %changelog |
394 | * Mon Jun 2 2003 Damien Miller <djm@mindrot.org> | 405 | * Mon Jun 2 2003 Damien Miller <djm@mindrot.org> |
395 | - Remove noip6 option. This may be controlled at run-time in client config | 406 | - Remove noip6 option. This may be controlled at run-time in client config |
396 | file using new AddressFamily directive | 407 | file using new AddressFamily directive |
397 | 408 | ||
398 | * Mon May 12 2003 Damien Miller <djm@mindrot.org> | 409 | * Mon May 12 2003 Damien Miller <djm@mindrot.org> |
@@ -552,7 +563,7 @@ fi | |||
552 | 563 | ||
553 | * Sun Apr 8 2001 Preston Brown <pbrown@redhat.com> | 564 | * Sun Apr 8 2001 Preston Brown <pbrown@redhat.com> |
554 | - remove explicit openssl requirement, fixes builddistro issue | 565 | - remove explicit openssl requirement, fixes builddistro issue |
555 | - make initscript stop() function wait until sshd really dead to avoid | 566 | - make initscript stop() function wait until sshd really dead to avoid |
556 | races in condrestart | 567 | races in condrestart |
557 | 568 | ||
558 | * Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com> | 569 | * Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com> |
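Review bot: K5DIR is never validated between the `%if %{kerberos5}` block added ahead of `%configure` (new lines 184-187) and its unquoted use as `--with-kerberos5=$K5DIR` (new line 208). If krb5-devel is not installed, or its file list yields no match or more than one, configure is handed an empty or multi-word prefix instead of the build stopping early. The added `echo K5DIR=$K5DIR` only makes that visible in the log. I would anchor the match with `grep 'include/krb5\.h$'` and add a guard after the assignment: `[ -n "$K5DIR" ] || { echo "krb5-devel headers not found" >&2; exit 1; }`. Whether the spec declares a build dependency on krb5-devel is not visible in these hunks.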
diff --git a/contrib/solaris/README b/contrib/solaris/README index 9b0a46e29..eb4c590f4 100755 --- a/contrib/solaris/README +++ b/contrib/solaris/README | |||
@@ -17,7 +17,7 @@ Directions: | |||
17 | 17 | ||
18 | If all goes well you should have a solaris package ready to be installed. | 18 | If all goes well you should have a solaris package ready to be installed. |
19 | 19 | ||
20 | If you have any problems with this script please post them to | 20 | If you have any problems with this script please post them to |
21 | openssh-unix-dev@mindrot.org and I will try to assist you as best as I can. | 21 | openssh-unix-dev@mindrot.org and I will try to assist you as best as I can. |
22 | 22 | ||
23 | - Ben Lindstrom | 23 | - Ben Lindstrom |
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh index c41b3f963..29d096306 100755 --- a/contrib/solaris/buildpkg.sh +++ b/contrib/solaris/buildpkg.sh | |||
@@ -5,7 +5,7 @@ | |||
5 | # The following code has been provide under Public Domain License. I really | 5 | # The following code has been provide under Public Domain License. I really |
6 | # don't care what you use it for. Just as long as you don't complain to me | 6 | # don't care what you use it for. Just as long as you don't complain to me |
7 | # nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org) | 7 | # nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org) |
8 | # | 8 | # |
9 | umask 022 | 9 | umask 022 |
10 | # | 10 | # |
11 | # Options for building the package | 11 | # Options for building the package |
@@ -13,7 +13,7 @@ umask 022 | |||
13 | # | 13 | # |
14 | # uncommenting TEST_DIR and using | 14 | # uncommenting TEST_DIR and using |
15 | # configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty | 15 | # configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty |
16 | # and | 16 | # and |
17 | # PKGNAME=tOpenSSH should allow testing a package without interfering | 17 | # PKGNAME=tOpenSSH should allow testing a package without interfering |
18 | # with a real OpenSSH package on a system. This is not needed on systems | 18 | # with a real OpenSSH package on a system. This is not needed on systems |
19 | # that support the -R option to pkgadd. | 19 | # that support the -R option to pkgadd. |
@@ -23,9 +23,10 @@ SYSVINIT_NAME=opensshd | |||
23 | MAKE=${MAKE:="make"} | 23 | MAKE=${MAKE:="make"} |
24 | SSHDUID=67 # Default privsep uid | 24 | SSHDUID=67 # Default privsep uid |
25 | SSHDGID=67 # Default privsep gid | 25 | SSHDGID=67 # Default privsep gid |
26 | # uncomment these next two as needed | 26 | # uncomment these next three as needed |
27 | #PERMIT_ROOT_LOGIN=no | 27 | #PERMIT_ROOT_LOGIN=no |
28 | #X11_FORWARDING=yes | 28 | #X11_FORWARDING=yes |
29 | #USR_LOCAL_IS_SYMLINK=yes | ||
29 | # list of system directories we do NOT want to change owner/group/perms | 30 | # list of system directories we do NOT want to change owner/group/perms |
30 | # when installing our package | 31 | # when installing our package |
31 | SYSTEM_DIR="/etc \ | 32 | SYSTEM_DIR="/etc \ |
@@ -81,7 +82,7 @@ export PATH | |||
81 | # we will look for config.local to override the above options | 82 | # we will look for config.local to override the above options |
82 | [ -s ./config.local ] && . ./config.local | 83 | [ -s ./config.local ] && . ./config.local |
83 | 84 | ||
84 | ## Start by faking root install | 85 | ## Start by faking root install |
85 | echo "Faking root install..." | 86 | echo "Faking root install..." |
86 | START=`pwd` | 87 | START=`pwd` |
87 | OPENSSHD_IN=`dirname $0`/opensshd.in | 88 | OPENSSHD_IN=`dirname $0`/opensshd.in |
@@ -98,20 +99,20 @@ fi | |||
98 | ## Fill in some details, like prefix and sysconfdir | 99 | ## Fill in some details, like prefix and sysconfdir |
99 | for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir | 100 | for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir |
100 | do | 101 | do |
101 | eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` | 102 | eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` |
102 | done | 103 | done |
103 | 104 | ||
104 | 105 | ||
105 | ## Collect value of privsep user | 106 | ## Collect value of privsep user |
106 | for confvar in SSH_PRIVSEP_USER | 107 | for confvar in SSH_PRIVSEP_USER |
107 | do | 108 | do |
108 | eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` | 109 | eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` |
109 | done | 110 | done |
110 | 111 | ||
111 | ## Set privsep defaults if not defined | 112 | ## Set privsep defaults if not defined |
112 | if [ -z "$SSH_PRIVSEP_USER" ] | 113 | if [ -z "$SSH_PRIVSEP_USER" ] |
113 | then | 114 | then |
114 | SSH_PRIVSEP_USER=sshd | 115 | SSH_PRIVSEP_USER=sshd |
115 | fi | 116 | fi |
116 | 117 | ||
117 | ## Extract common info requires for the 'info' part of the package. | 118 | ## Extract common info requires for the 'info' part of the package. |
@@ -243,16 +244,16 @@ fi | |||
243 | 244 | ||
244 | if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null | 245 | if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null |
245 | then | 246 | then |
246 | echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" | 247 | echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" |
247 | echo "or group." | 248 | echo "or group." |
248 | else | 249 | else |
249 | echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." | 250 | echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." |
250 | 251 | ||
251 | # create group if required | 252 | # create group if required |
252 | if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null | 253 | if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null |
253 | then | 254 | then |
254 | echo "PrivSep group $SSH_PRIVSEP_USER already exists." | 255 | echo "PrivSep group $SSH_PRIVSEP_USER already exists." |
255 | else | 256 | else |
256 | # Use gid of 67 if possible | 257 | # Use gid of 67 if possible |
257 | if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null | 258 | if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null |
258 | then | 259 | then |
@@ -260,15 +261,15 @@ else | |||
260 | else | 261 | else |
261 | sshdgid="-g $SSHDGID" | 262 | sshdgid="-g $SSHDGID" |
262 | fi | 263 | fi |
263 | echo "Creating PrivSep group $SSH_PRIVSEP_USER." | 264 | echo "Creating PrivSep group $SSH_PRIVSEP_USER." |
264 | \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER | 265 | \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER |
265 | fi | 266 | fi |
266 | 267 | ||
267 | # Create user if required | 268 | # Create user if required |
268 | if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null | 269 | if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null |
269 | then | 270 | then |
270 | echo "PrivSep user $SSH_PRIVSEP_USER already exists." | 271 | echo "PrivSep user $SSH_PRIVSEP_USER already exists." |
271 | else | 272 | else |
272 | # Use uid of 67 if possible | 273 | # Use uid of 67 if possible |
273 | if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null | 274 | if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null |
274 | then | 275 | then |
@@ -276,10 +277,10 @@ else | |||
276 | else | 277 | else |
277 | sshduid="-u $SSHDUID" | 278 | sshduid="-u $SSHDUID" |
278 | fi | 279 | fi |
279 | echo "Creating PrivSep user $SSH_PRIVSEP_USER." | 280 | echo "Creating PrivSep user $SSH_PRIVSEP_USER." |
280 | \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER | 281 | \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER |
281 | \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER | 282 | \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER |
282 | fi | 283 | fi |
283 | fi | 284 | fi |
284 | 285 | ||
285 | [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start | 286 | [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start |
@@ -358,18 +359,24 @@ cat >mk-proto.awk << _EOF | |||
358 | BEGIN { print "i pkginfo"; print "i preinstall"; \\ | 359 | BEGIN { print "i pkginfo"; print "i preinstall"; \\ |
359 | print "i postinstall"; print "i preremove"; \\ | 360 | print "i postinstall"; print "i preremove"; \\ |
360 | print "i request"; print "i space"; \\ | 361 | print "i request"; print "i space"; \\ |
361 | split("$SYSTEM_DIR",sys_files); } | 362 | split("$SYSTEM_DIR",sys_files); } |
362 | { | 363 | { |
363 | for (dir in sys_files) { if ( \$3 != sys_files[dir] ) | 364 | for (dir in sys_files) { if ( \$3 != sys_files[dir] ) |
364 | { \$5="root"; \$6="sys"; } | 365 | { \$5="root"; \$6="sys"; } |
365 | else | 366 | else |
366 | { \$4="?"; \$5="?"; \$6="?"; break;} | 367 | { \$4="?"; \$5="?"; \$6="?"; break;} |
367 | } } | 368 | } } |
368 | { print; } | 369 | { print; } |
369 | _EOF | 370 | _EOF |
370 | find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \ | 371 | find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \ |
371 | pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype | 372 | pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype |
372 | 373 | ||
374 | # /usr/local is a symlink on some systems | ||
375 | [ "${USR_LOCAL_IS_SYMLINK}" = yes ] && { | ||
376 | grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new | ||
377 | mv prototype.new prototype | ||
378 | } | ||
379 | |||
373 | ## Step back a directory and now build the package. | 380 | ## Step back a directory and now build the package. |
374 | echo "Building package.." | 381 | echo "Building package.." |
375 | cd .. | 382 | cd .. |
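Review bot: The uid availability test in the generated postinstall script (new line 274, under `# Use uid of 67 if possible`) compares the third field of /etc/passwd with `$SSHDGID`, while the branch below it passes `-u $SSHDUID` to useradd. Both default to 67, so the mismatch is invisible today. A config.local that sets them differently would test the wrong number, and useradd could then be asked for a uid that is already in use, which presumably fails and leaves the privsep account uncreated. The test should read `if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null`. This commit only changes whitespace near that line, and the enclosing heredoc starts outside the hunk.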
diff --git a/contrib/solaris/opensshd.in b/contrib/solaris/opensshd.in index 48b6c5702..50e18deea 100755 --- a/contrib/solaris/opensshd.in +++ b/contrib/solaris/opensshd.in | |||
@@ -22,24 +22,24 @@ HOST_KEY_RSA=$etcdir/ssh_host_rsa_key | |||
22 | 22 | ||
23 | checkkeys() { | 23 | checkkeys() { |
24 | if [ ! -f $HOST_KEY_RSA1 ]; then | 24 | if [ ! -f $HOST_KEY_RSA1 ]; then |
25 | ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" | 25 | ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" |
26 | fi | 26 | fi |
27 | if [ ! -f $HOST_KEY_DSA ]; then | 27 | if [ ! -f $HOST_KEY_DSA ]; then |
28 | ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N "" | 28 | ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N "" |
29 | fi | 29 | fi |
30 | if [ ! -f $HOST_KEY_RSA ]; then | 30 | if [ ! -f $HOST_KEY_RSA ]; then |
31 | ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" | 31 | ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" |
32 | fi | 32 | fi |
33 | } | 33 | } |
34 | 34 | ||
35 | stop_service() { | 35 | stop_service() { |
36 | if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then | 36 | if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then |
37 | PID=`${CAT} ${PIDFILE}` | 37 | PID=`${CAT} ${PIDFILE}` |
38 | fi | 38 | fi |
39 | if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then | 39 | if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then |
40 | ${KILL} ${PID} | 40 | ${KILL} ${PID} |
41 | else | 41 | else |
42 | echo "Unable to read PID file" | 42 | echo "Unable to read PID file" |
43 | fi | 43 | fi |
44 | } | 44 | } |
45 | 45 | ||
@@ -55,8 +55,8 @@ start_service() { | |||
55 | 55 | ||
56 | sshd_rc=$? | 56 | sshd_rc=$? |
57 | if [ $sshd_rc -ne 0 ]; then | 57 | if [ $sshd_rc -ne 0 ]; then |
58 | echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing." | 58 | echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing." |
59 | exit $sshd_rc | 59 | exit $sshd_rc |
60 | fi | 60 | fi |
61 | echo done. | 61 | echo done. |
62 | } | 62 | } |
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index ca7437bd6..7eb71adf4 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec | |||
@@ -1,6 +1,6 @@ | |||
1 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation | 1 | Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation |
2 | Name: openssh | 2 | Name: openssh |
3 | Version: 3.7p1 | 3 | Version: 3.8p1 |
4 | URL: http://www.openssh.com/ | 4 | URL: http://www.openssh.com/ |
5 | Release: 1 | 5 | Release: 1 |
6 | Source0: openssh-%{version}.tar.gz | 6 | Source0: openssh-%{version}.tar.gz |
@@ -30,7 +30,7 @@ two untrusted hosts over an insecure network. X11 connections and | |||
30 | arbitrary TCP/IP ports can also be forwarded over the secure channel. | 30 | arbitrary TCP/IP ports can also be forwarded over the secure channel. |
31 | 31 | ||
32 | OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it | 32 | OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it |
33 | up to date in terms of security and features, as well as removing all | 33 | up to date in terms of security and features, as well as removing all |
34 | patented algorithms to seperate libraries (OpenSSL). | 34 | patented algorithms to seperate libraries (OpenSSL). |
35 | 35 | ||
36 | This package includes all files necessary for both the OpenSSH | 36 | This package includes all files necessary for both the OpenSSH |
@@ -100,8 +100,8 @@ make | |||
100 | 100 | ||
101 | cd contrib | 101 | cd contrib |
102 | gcc -O -g `gnome-config --cflags gnome gnomeui` \ | 102 | gcc -O -g `gnome-config --cflags gnome gnomeui` \ |
103 | gnome-ssh-askpass.c -o gnome-ssh-askpass \ | 103 | gnome-ssh-askpass.c -o gnome-ssh-askpass \ |
104 | `gnome-config --libs gnome gnomeui` | 104 | `gnome-config --libs gnome gnomeui` |
105 | cd .. | 105 | cd .. |
106 | 106 | ||
107 | %install | 107 | %install |
@@ -140,34 +140,34 @@ else | |||
140 | echo " /var/adm/fillup-templates/rc.config.sshd" | 140 | echo " /var/adm/fillup-templates/rc.config.sshd" |
141 | fi | 141 | fi |
142 | if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then | 142 | if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then |
143 | echo "Generating SSH host key..." | 143 | echo "Generating SSH host key..." |
144 | /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 | 144 | /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 |
145 | fi | 145 | fi |
146 | if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then | 146 | if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then |
147 | echo "Generating SSH DSA host key..." | 147 | echo "Generating SSH DSA host key..." |
148 | /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 | 148 | /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 |
149 | fi | 149 | fi |
150 | if test -r /var/run/sshd.pid | 150 | if test -r /var/run/sshd.pid |
151 | then | 151 | then |
152 | echo "Restarting the running SSH daemon..." | 152 | echo "Restarting the running SSH daemon..." |
153 | /usr/sbin/rcsshd restart >&2 | 153 | /usr/sbin/rcsshd restart >&2 |
154 | fi | 154 | fi |
155 | 155 | ||
156 | %preun | 156 | %preun |
157 | if [ "$1" = 0 ] | 157 | if [ "$1" = 0 ] |
158 | then | 158 | then |
159 | echo "Stopping the SSH daemon..." | 159 | echo "Stopping the SSH daemon..." |
160 | /usr/sbin/rcsshd stop >&2 | 160 | /usr/sbin/rcsshd stop >&2 |
161 | echo "Removing SSH stop/start scripts from the rc directories..." | 161 | echo "Removing SSH stop/start scripts from the rc directories..." |
162 | rm /sbin/init.d/rc2.d/K20sshd | 162 | rm /sbin/init.d/rc2.d/K20sshd |
163 | rm /sbin/init.d/rc2.d/S20sshd | 163 | rm /sbin/init.d/rc2.d/S20sshd |
164 | rm /sbin/init.d/rc3.d/K20sshd | 164 | rm /sbin/init.d/rc3.d/K20sshd |
165 | rm /sbin/init.d/rc3.d/S20sshd | 165 | rm /sbin/init.d/rc3.d/S20sshd |
166 | fi | 166 | fi |
167 | 167 | ||
168 | %files | 168 | %files |
169 | %defattr(-,root,root) | 169 | %defattr(-,root,root) |
170 | %doc ChangeLog OVERVIEW README* | 170 | %doc ChangeLog OVERVIEW README* |
171 | %doc RFC.nroff TODO CREDITS LICENCE | 171 | %doc RFC.nroff TODO CREDITS LICENCE |
172 | %attr(0755,root,root) %dir /etc/ssh | 172 | %attr(0755,root,root) %dir /etc/ssh |
173 | %attr(0644,root,root) %config /etc/ssh/ssh_config | 173 | %attr(0644,root,root) %config /etc/ssh/ssh_config |