summaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib')
-rw-r--r--contrib/cygwin/Makefile56
-rw-r--r--contrib/cygwin/README122
-rw-r--r--contrib/cygwin/ssh-host-config502
-rw-r--r--contrib/cygwin/ssh-user-config64
4 files changed, 430 insertions, 314 deletions
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
new file mode 100644
index 000000000..09e8ea2db
--- /dev/null
+++ b/contrib/cygwin/Makefile
@@ -0,0 +1,56 @@
1srcdir=../..
2prefix=/usr
3exec_prefix=$(prefix)
4bindir=$(prefix)/bin
5datadir=$(prefix)/share
6docdir=$(datadir)/doc
7sshdocdir=$(docdir)/openssh
8cygdocdir=$(docdir)/Cygwin
9sysconfdir=/etc
10defaultsdir=$(sysconfdir)/defaults/etc
11PRIVSEP_PATH=/var/empty
12INSTALL=/usr/bin/install -c
13
14DESTDIR=
15
16all:
17 @echo
18 @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
19 @echo "Be sure having DESTDIR set correctly!"
20 @echo
21
22move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
23 $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
24 mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
25 mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
26
27remove-empty-dir:
28 rm -rf $(DESTDIR)$(PRIVSEP_PATH)
29
30install-sshdoc:
31 $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
32 $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
33 $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
34 $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
35 $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
36 $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
37 $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
38 $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
39 $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
40 $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
41 $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
42 $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
43
44install-cygwindoc: README
45 $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
46 $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
47
48install-doc: install-sshdoc install-cygwindoc
49
50install-scripts: ssh-host-config ssh-user-config
51 $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
52 $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
53 $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
54
55cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
56 @echo "Cygwin specific configuration finished."
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index ec58964c9..1cc6ae65c 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -1,4 +1,49 @@
1This package is the actual port of OpenSSH to Cygwin 1.5. 1This package describes important Cygwin specific stuff concerning OpenSSH.
2
3The binary package is usually built for recent Cygwin versions and might
4not run on older versions. Please check http://cygwin.com/ for information
5about current Cygwin releases.
6
7Build instructions are at the end of the file.
8
9===========================================================================
10Important change since 3.7.1p2-2:
11
12The ssh-host-config file doesn't create the /etc/ssh_config and
13/etc/sshd_config files from builtin here-scripts anymore, but it uses
14skeleton files installed in /etc/defaults/etc.
15
16Also it now tries hard to create appropriate permissions on files.
17Same applies for ssh-user-config.
18
19After creating the sshd service with ssh-host-config, it's advisable to
20call ssh-user-config for all affected users, also already exising user
21configurations. In the latter case, file and directory permissions are
22checked and changed, if requireed to match the host configuration.
23
24Important note for Windows 2003 Server users:
25---------------------------------------------
26
272003 Server has a funny new feature. When starting services under SYSTEM
28account, these services have nearly all user rights which SYSTEM holds...
29except for the "Create a token object" right, which is needed to allow
30public key authentication :-(
31
32There's no way around this, except for creating a substitute account which
33has the appropriate privileges. Basically, this account should be member
34of the administrators group, plus it should have the following user rights:
35
36 Create a token object
37 Logon as a service
38 Replace a process level token
39 Increase Quota
40
41The ssh-host-config script asks you, if it should create such an account,
42called "sshd_server". If you say "no" here, you're on your own. Please
43follow the instruction in ssh-host-config exactly if possible. Note that
44ssh-user-config sets the permissions on 2003 Server machines dependent of
45whether a sshd_server account exists or not.
46===========================================================================
2 47
3=========================================================================== 48===========================================================================
4Important change since 3.4p1-2: 49Important change since 3.4p1-2:
@@ -114,54 +159,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file:
114 159
115 ssh 22/tcp #SSH daemon 160 ssh 22/tcp #SSH daemon
116 161
117===========================================================================
118The following restrictions only apply to Cygwin versions up to 1.3.1
119===========================================================================
120
121Authentication to sshd is possible in one of two ways.
122You'll have to decide before starting sshd!
123
124- If you want to authenticate via RSA and you want to login to that
125 machine to exactly one user account you can do so by running sshd
126 under that user account. You must change /etc/sshd_config
127 to contain the following:
128
129 RSAAuthentication yes
130
131 Moreover it's possible to use rhosts and/or rhosts with
132 RSA authentication by setting the following in sshd_config:
133
134 RhostsAuthentication yes
135 RhostsRSAAuthentication yes
136
137- If you want to be able to login to different user accounts you'll
138 have to start sshd under system account or any other account that
139 is able to switch user context. Note that administrators are _not_
140 able to do that by default! You'll have to give the following
141 special user rights to the user:
142 "Act as part of the operating system"
143 "Replace process level token"
144 "Increase quotas"
145 and if used via service manager
146 "Logon as a service".
147
148 The system account does of course own that user rights by default.
149
150 Unfortunately, if you choose that way, you can only logon with
151 NT password authentification and you should change
152 /etc/sshd_config to contain the following:
153
154 PasswordAuthentication yes
155 RhostsAuthentication no
156 RhostsRSAAuthentication no
157 RSAAuthentication no
158
159 However you can login to the user which has started sshd with
160 RSA authentication anyway. If you want that, change the RSA
161 authentication setting back to "yes":
162
163 RSAAuthentication yes
164
165Please note that OpenSSH does never use the value of $HOME to 162Please note that OpenSSH does never use the value of $HOME to
166search for the users configuration files! It always uses the 163search for the users configuration files! It always uses the
167value of the pw_dir field in /etc/passwd as the home directory. 164value of the pw_dir field in /etc/passwd as the home directory.
@@ -169,7 +166,7 @@ If no home diretory is set in /etc/passwd, the root directory
169is used instead! 166is used instead!
170 167
171You may use all features of the CYGWIN=ntsec setting the same 168You may use all features of the CYGWIN=ntsec setting the same
172way as they are used by the `login' port on sources.redhat.com: 169way as they are used by Cygwin's login(1) port:
173 170
174 The pw_gecos field may contain an additional field, that begins 171 The pw_gecos field may contain an additional field, that begins
175 with (upper case!) "U-", followed by the domain and the username 172 with (upper case!) "U-", followed by the domain and the username
@@ -186,6 +183,8 @@ way as they are used by the `login' port on sources.redhat.com:
186 183
187 locuser::1104:513:John Doe,U-user,S-1-5-21-... 184 locuser::1104:513:John Doe,U-user,S-1-5-21-...
188 185
186Note that the CYGWIN=ntsec setting is required for public key authentication.
187
189SSH2 server and user keys are generated by the `ssh-*-config' scripts 188SSH2 server and user keys are generated by the `ssh-*-config' scripts
190as well. 189as well.
191 190
@@ -194,15 +193,30 @@ configure are used for the Cygwin binary distribution:
194 193
195 --prefix=/usr \ 194 --prefix=/usr \
196 --sysconfdir=/etc \ 195 --sysconfdir=/etc \
197 --libexecdir='${exec_prefix}/sbin' 196 --libexecdir='$(sbindir)' \
198 197 --localstatedir=/var \
199You must have installed the zlib and openssl packages to be able to 198 --datadir='$(prefix)/share' \
199 --mandir='$(datadir)/man' \
200 --with-tcp-wrappers
201
202If you want to create a Cygwin package, equivalent to the one
203in the Cygwin binary distribution, install like this:
204
205 mkdir /tmp/cygwin-ssh
206 cd $(builddir)
207 make install DESTDIR=/tmp/cygwin-ssh
208 cd $(srcdir)/contrib/cygwin
209 make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
210 cd /tmp/cygwin-ssh
211 find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
212
213You must have installed the zlib and openssl-devel packages to be able to
200build OpenSSH! 214build OpenSSH!
201 215
202Please send requests, error reports etc. to cygwin@cygwin.com. 216Please send requests, error reports etc. to cygwin@cygwin.com.
203 217
204Have fun, 218Have fun,
205 219
206Corinna Vinschen <vinschen@redhat.com> 220Corinna Vinschen
207Cygwin Developer 221Cygwin Developer
208Red Hat Inc. 222Red Hat Inc.
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index c69cfd88b..18793ca85 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
1#!/bin/sh 1#!/bin/bash
2# 2#
3# ssh-host-config, Copyright 2000, Red Hat Inc. 3# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6 6
@@ -9,10 +9,7 @@ PREFIX=/usr
9 9
10# Directory where the config files are stored 10# Directory where the config files are stored
11SYSCONFDIR=/etc 11SYSCONFDIR=/etc
12 12LOCALSTATEDIR=/var
13# Subdirectory where an old package might be installed
14OLDPREFIX=/usr/local
15OLDSYSCONFDIR=${OLDPREFIX}/etc
16 13
17progname=$0 14progname=$0
18auto_answer="" 15auto_answer=""
@@ -27,9 +24,11 @@ request()
27{ 24{
28 if [ "${auto_answer}" = "yes" ] 25 if [ "${auto_answer}" = "yes" ]
29 then 26 then
27 echo "$1 (yes/no) yes"
30 return 0 28 return 0
31 elif [ "${auto_answer}" = "no" ] 29 elif [ "${auto_answer}" = "no" ]
32 then 30 then
31 echo "$1 (yes/no) no"
33 return 1 32 return 1
34 fi 33 fi
35 34
@@ -37,7 +36,7 @@ request()
37 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] 36 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
38 do 37 do
39 echo -n "$1 (yes/no) " 38 echo -n "$1 (yes/no) "
40 read answer 39 read -e answer
41 done 40 done
42 if [ "X${answer}" = "Xyes" ] 41 if [ "X${answer}" = "Xyes" ]
43 then 42 then
@@ -60,7 +59,7 @@ do
60 option=$1 59 option=$1
61 shift 60 shift
62 61
63 case "$option" in 62 case "${option}" in
64 -d | --debug ) 63 -d | --debug )
65 set -x 64 set -x
66 ;; 65 ;;
@@ -73,21 +72,33 @@ do
73 auto_answer=no 72 auto_answer=no
74 ;; 73 ;;
75 74
75 -c | --cygwin )
76 cygwin_value="$1"
77 shift
78 ;;
79
76 -p | --port ) 80 -p | --port )
77 port_number=$1 81 port_number=$1
78 shift 82 shift
79 ;; 83 ;;
80 84
85 -w | --pwd )
86 password_value="$1"
87 shift
88 ;;
89
81 *) 90 *)
82 echo "usage: ${progname} [OPTION]..." 91 echo "usage: ${progname} [OPTION]..."
83 echo 92 echo
84 echo "This script creates an OpenSSH host configuration." 93 echo "This script creates an OpenSSH host configuration."
85 echo 94 echo
86 echo "Options:" 95 echo "Options:"
87 echo " --debug -d Enable shell's debug output." 96 echo " --debug -d Enable shell's debug output."
88 echo " --yes -y Answer all questions with \"yes\" automatically." 97 echo " --yes -y Answer all questions with \"yes\" automatically."
89 echo " --no -n Answer all questions with \"no\" automatically." 98 echo " --no -n Answer all questions with \"no\" automatically."
90 echo " --port -p <n> sshd listens on port n." 99 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
100 echo " --port -p <n> sshd listens on port n."
101 echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
91 echo 102 echo
92 exit 1 103 exit 1
93 ;; 104 ;;
@@ -96,8 +107,13 @@ do
96done 107done
97 108
98# Check if running on NT 109# Check if running on NT
99_sys="`uname -a`" 110_sys="`uname`"
100_nt=`expr "$_sys" : "CYGWIN_NT"` 111_nt=`expr "${_sys}" : "CYGWIN_NT"`
112# If running on NT, check if running under 2003 Server or later
113if [ ${_nt} -gt 0 ]
114then
115 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
116fi
101 117
102# Check for running ssh/sshd processes first. Refuse to do anything while 118# Check for running ssh/sshd processes first. Refuse to do anything while
103# some ssh processes are still running 119# some ssh processes are still running
@@ -137,87 +153,33 @@ fi
137 153
138# Create /var/log and /var/log/lastlog if not already existing 154# Create /var/log and /var/log/lastlog if not already existing
139 155
140if [ -f /var/log ] 156if [ -f ${LOCALSTATEDIR}/log ]
141then 157then
142 echo "Creating /var/log failed\!" 158 echo "Creating ${LOCALSTATEDIR}/log failed!"
143else 159else
144 if [ ! -d /var/log ] 160 if [ ! -d ${LOCALSTATEDIR}/log ]
145 then 161 then
146 mkdir -p /var/log 162 mkdir -p ${LOCALSTATEDIR}/log
147 fi 163 fi
148 if [ -d /var/log/lastlog ] 164 if [ -d ${LOCALSTATEDIR}/log/lastlog ]
149 then 165 then
150 echo "Creating /var/log/lastlog failed\!" 166 chmod 777 ${LOCALSTATEDIR}/log/lastlog
151 elif [ ! -f /var/log/lastlog ] 167 elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
152 then 168 then
153 cat /dev/null > /var/log/lastlog 169 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
170 chmod 666 ${LOCALSTATEDIR}/log/lastlog
154 fi 171 fi
155fi 172fi
156 173
157# Create /var/empty file used as chroot jail for privilege separation 174# Create /var/empty file used as chroot jail for privilege separation
158if [ -f /var/empty ] 175if [ -f ${LOCALSTATEDIR}/empty ]
159then 176then
160 echo "Creating /var/empty failed\!" 177 echo "Creating ${LOCALSTATEDIR}/empty failed!"
161else 178else
162 mkdir -p /var/empty 179 mkdir -p ${LOCALSTATEDIR}/empty
163 # On NT change ownership of that dir to user "system" 180 if [ ${_nt} -gt 0 ]
164 if [ $_nt -gt 0 ]
165 then 181 then
166 chmod 755 /var/empty 182 chmod 755 ${LOCALSTATEDIR}/empty
167 chown system.system /var/empty
168 fi
169fi
170
171# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
172# the same as ${PREFIX}
173
174old_install=0
175if [ "${OLDPREFIX}" != "${PREFIX}" ]
176then
177 if [ -f "${OLDPREFIX}/sbin/sshd" ]
178 then
179 echo
180 echo "You seem to have an older installation in ${OLDPREFIX}."
181 echo
182 # Check if old global configuration files exist
183 if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
184 then
185 if request "Do you want to copy your config files to your new installation?"
186 then
187 cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
188 cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
189 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
190 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
191 cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
192 cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
193 fi
194 fi
195 if request "Do you want to erase your old installation?"
196 then
197 rm -f ${OLDPREFIX}/bin/ssh.exe
198 rm -f ${OLDPREFIX}/bin/ssh-config
199 rm -f ${OLDPREFIX}/bin/scp.exe
200 rm -f ${OLDPREFIX}/bin/ssh-add.exe
201 rm -f ${OLDPREFIX}/bin/ssh-agent.exe
202 rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
203 rm -f ${OLDPREFIX}/bin/slogin
204 rm -f ${OLDSYSCONFDIR}/ssh_host_key
205 rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
206 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
207 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
208 rm -f ${OLDSYSCONFDIR}/ssh_config
209 rm -f ${OLDSYSCONFDIR}/sshd_config
210 rm -f ${OLDPREFIX}/man/man1/ssh.1
211 rm -f ${OLDPREFIX}/man/man1/scp.1
212 rm -f ${OLDPREFIX}/man/man1/ssh-add.1
213 rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
214 rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
215 rm -f ${OLDPREFIX}/man/man1/slogin.1
216 rm -f ${OLDPREFIX}/man/man8/sshd.8
217 rm -f ${OLDPREFIX}/sbin/sshd.exe
218 rm -f ${OLDPREFIX}/sbin/sftp-server.exe
219 fi
220 old_install=1
221 fi 183 fi
222fi 184fi
223 185
@@ -255,52 +217,16 @@ then
255 fi 217 fi
256fi 218fi
257 219
258# Create default ssh_config from here script 220# Create default ssh_config from skeleton file in /etc/defaults/etc
259 221
260if [ ! -f "${SYSCONFDIR}/ssh_config" ] 222if [ ! -f "${SYSCONFDIR}/ssh_config" ]
261then 223then
262 echo "Generating ${SYSCONFDIR}/ssh_config file" 224 echo "Generating ${SYSCONFDIR}/ssh_config file"
263 cat > ${SYSCONFDIR}/ssh_config << EOF 225 cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
264# This is the ssh client system-wide configuration file. See 226 if [ "${port_number}" != "22" ]
265# ssh_config(5) for more information. This file provides defaults for
266# users, and the values can be changed in per-user configuration files
267# or on the command line.
268
269# Configuration data is parsed as follows:
270# 1. command line options
271# 2. user-specific file
272# 3. system-wide file
273# Any configuration value is only changed the first time it is set.
274# Thus, host-specific definitions should be at the beginning of the
275# configuration file, and defaults at the end.
276
277# Site-wide defaults for various options
278
279# Host *
280# ForwardAgent no
281# ForwardX11 no
282# RhostsRSAAuthentication no
283# RSAAuthentication yes
284# PasswordAuthentication yes
285# HostbasedAuthentication no
286# BatchMode no
287# CheckHostIP yes
288# AddressFamily any
289# ConnectTimeout 0
290# StrictHostKeyChecking ask
291# IdentityFile ~/.ssh/identity
292# IdentityFile ~/.ssh/id_dsa
293# IdentityFile ~/.ssh/id_rsa
294# Port 22
295# Protocol 2,1
296# Cipher 3des
297# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
298# EscapeChar ~
299EOF
300 if [ "$port_number" != "22" ]
301 then 227 then
302 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config 228 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
303 echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config 229 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
304 fi 230 fi
305fi 231fi
306 232
@@ -322,35 +248,35 @@ fi
322 248
323# Prior to creating or modifying sshd_config, care for privilege separation 249# Prior to creating or modifying sshd_config, care for privilege separation
324 250
325if [ "$privsep_configured" != "yes" ] 251if [ "${privsep_configured}" != "yes" ]
326then 252then
327 if [ $_nt -gt 0 ] 253 if [ ${_nt} -gt 0 ]
328 then 254 then
329 echo "Privilege separation is set to yes by default since OpenSSH 3.3." 255 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
330 echo "However, this requires a non-privileged account called 'sshd'." 256 echo "However, this requires a non-privileged account called 'sshd'."
331 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." 257 echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
332 echo 258 echo
333 if request "Shall privilege separation be used?" 259 if request "Should privilege separation be used?"
334 then 260 then
335 privsep_used=yes 261 privsep_used=yes
336 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes 262 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
337 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes 263 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
338 if [ "$sshd_in_passwd" != "yes" ] 264 if [ "${sshd_in_passwd}" != "yes" ]
339 then 265 then
340 if [ "$sshd_in_sam" != "yes" ] 266 if [ "${sshd_in_sam}" != "yes" ]
341 then 267 then
342 echo "Warning: The following function requires administrator privileges!" 268 echo "Warning: The following function requires administrator privileges!"
343 if request "Shall this script create a local user 'sshd' on this machine?" 269 if request "Should this script create a local user 'sshd' on this machine?"
344 then 270 then
345 dos_var_empty=`cygpath -w /var/empty` 271 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
346 net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes 272 net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
347 if [ "$sshd_in_sam" != "yes" ] 273 if [ "${sshd_in_sam}" != "yes" ]
348 then 274 then
349 echo "Warning: Creating the user 'sshd' failed!" 275 echo "Warning: Creating the user 'sshd' failed!"
350 fi 276 fi
351 fi 277 fi
352 fi 278 fi
353 if [ "$sshd_in_sam" != "yes" ] 279 if [ "${sshd_in_sam}" != "yes" ]
354 then 280 then
355 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" 281 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
356 echo " Privilege separation set to 'no' again!" 282 echo " Privilege separation set to 'no' again!"
@@ -365,117 +291,41 @@ then
365 fi 291 fi
366 else 292 else
367 # On 9x don't use privilege separation. Since security isn't 293 # On 9x don't use privilege separation. Since security isn't
368 # available it just adds useless addtional processes. 294 # available it just adds useless additional processes.
369 privsep_used=no 295 privsep_used=no
370 fi 296 fi
371fi 297fi
372 298
373# Create default sshd_config from here script or modify to add the 299# Create default sshd_config from skeleton files in /etc/defaults/etc or
374# missing privsep configuration option 300# modify to add the missing privsep configuration option
375 301
376if [ ! -f "${SYSCONFDIR}/sshd_config" ] 302if [ ! -f "${SYSCONFDIR}/sshd_config" ]
377then 303then
378 echo "Generating ${SYSCONFDIR}/sshd_config file" 304 echo "Generating ${SYSCONFDIR}/sshd_config file"
379 cat > ${SYSCONFDIR}/sshd_config << EOF 305 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
380# This is the sshd server system-wide configuration file. See 306 s/^#Port 22/Port ${port_number}/
381# sshd_config(5) for more information. 307 s/^#StrictModes yes/StrictModes no/" \
382 308 < ${SYSCONFDIR}/defaults/etc/sshd_config \
383# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 309 > ${SYSCONFDIR}/sshd_config
384 310elif [ "${privsep_configured}" != "yes" ]
385# The strategy used for options in the default sshd_config shipped with
386# OpenSSH is to specify options with their default value where
387# possible, but leave them commented. Uncommented options change a
388# default value.
389
390Port $port_number
391#Protocol 2,1
392#ListenAddress 0.0.0.0
393#ListenAddress ::
394
395# HostKey for protocol version 1
396#HostKey ${SYSCONFDIR}/ssh_host_key
397# HostKeys for protocol version 2
398#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
399#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
400
401# Lifetime and size of ephemeral version 1 server key
402#KeyRegenerationInterval 1h
403#ServerKeyBits 768
404
405# Logging
406#obsoletes QuietMode and FascistLogging
407#SyslogFacility AUTH
408#LogLevel INFO
409
410# Authentication:
411
412#LoginGraceTime 2m
413#PermitRootLogin yes
414# The following setting overrides permission checks on host key files
415# and directories. For security reasons set this to "yes" when running
416# NT/W2K, NTFS and CYGWIN=ntsec.
417StrictModes no
418
419#RSAAuthentication yes
420#PubkeyAuthentication yes
421#AuthorizedKeysFile .ssh/authorized_keys
422
423# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
424#RhostsRSAAuthentication no
425# similar for protocol version 2
426#HostbasedAuthentication no
427# Change to yes if you don't trust ~/.ssh/known_hosts for
428# RhostsRSAAuthentication and HostbasedAuthentication
429#IgnoreUserKnownHosts no
430# Don't read the user's ~/.rhosts and ~/.shosts files
431#IgnoreRhosts yes
432
433# To disable tunneled clear text passwords, change to no here!
434#PasswordAuthentication yes
435#PermitEmptyPasswords no
436
437# Change to no to disable s/key passwords
438#ChallengeResponseAuthentication yes
439
440#AllowTcpForwarding yes
441#GatewayPorts no
442#X11Forwarding no
443#X11DisplayOffset 10
444#X11UseLocalhost yes
445#PrintMotd yes
446#PrintLastLog yes
447#KeepAlive yes
448#UseLogin no
449UsePrivilegeSeparation $privsep_used
450#PermitUserEnvironment no
451#Compression yes
452#ClientAliveInterval 0
453#ClientAliveCountMax 3
454#UseDNS yes
455#PidFile /var/run/sshd.pid
456#MaxStartups 10
457
458# no default banner path
459#Banner /some/path
460
461# override default of no subsystems
462Subsystem sftp /usr/sbin/sftp-server
463EOF
464elif [ "$privsep_configured" != "yes" ]
465then 311then
466 echo >> ${SYSCONFDIR}/sshd_config 312 echo >> ${SYSCONFDIR}/sshd_config
467 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config 313 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
468fi 314fi
469 315
470# Care for services file 316# Care for services file
471_my_etcdir="/ssh-host-config.$$" 317_my_etcdir="/ssh-host-config.$$"
472if [ $_nt -gt 0 ] 318if [ ${_nt} -gt 0 ]
473then 319then
474 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 320 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
475 _services="${_my_etcdir}/services" 321 _services="${_my_etcdir}/services"
322 # On NT, 27 spaces, no space after the hash
323 _spaces=" #"
476else 324else
477 _win_etcdir="${WINDIR}" 325 _win_etcdir="${WINDIR}"
478 _services="${_my_etcdir}/SERVICES" 326 _services="${_my_etcdir}/SERVICES"
327 # On 9x, 18 spaces (95 is very touchy), a space after the hash
328 _spaces=" # "
479fi 329fi
480_serv_tmp="${_my_etcdir}/srv.out.$$" 330_serv_tmp="${_my_etcdir}/srv.out.$$"
481 331
@@ -494,29 +344,28 @@ then
494 then 344 then
495 echo "Removing sshd from ${_wservices}" 345 echo "Removing sshd from ${_wservices}"
496 else 346 else
497 echo "Removing sshd from ${_wservices} failed\!" 347 echo "Removing sshd from ${_wservices} failed!"
498 fi 348 fi
499 rm -f "${_serv_tmp}" 349 rm -f "${_serv_tmp}"
500 else 350 else
501 echo "Removing sshd from ${_wservices} failed\!" 351 echo "Removing sshd from ${_wservices} failed!"
502 fi 352 fi
503fi 353fi
504 354
505# Add ssh 22/tcp and ssh 22/udp to services 355# Add ssh 22/tcp and ssh 22/udp to services
506if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 356if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
507then 357then
508 awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 358 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
509 if [ -f "${_serv_tmp}" ]
510 then 359 then
511 if mv "${_serv_tmp}" "${_services}" 360 if mv "${_serv_tmp}" "${_services}"
512 then 361 then
513 echo "Added ssh to ${_wservices}" 362 echo "Added ssh to ${_wservices}"
514 else 363 else
515 echo "Adding ssh to ${_wservices} failed\!" 364 echo "Adding ssh to ${_wservices} failed!"
516 fi 365 fi
517 rm -f "${_serv_tmp}" 366 rm -f "${_serv_tmp}"
518 else 367 else
519 echo "Adding ssh to ${_wservices} failed\!" 368 echo "WARNING: Adding ssh to ${_wservices} failed!"
520 fi 369 fi
521fi 370fi
522 371
@@ -541,11 +390,11 @@ then
541 then 390 then
542 echo "Removed sshd from ${_inetcnf}" 391 echo "Removed sshd from ${_inetcnf}"
543 else 392 else
544 echo "Removing sshd from ${_inetcnf} failed\!" 393 echo "Removing sshd from ${_inetcnf} failed!"
545 fi 394 fi
546 rm -f "${_inetcnf_tmp}" 395 rm -f "${_inetcnf_tmp}"
547 else 396 else
548 echo "Removing sshd from ${_inetcnf} failed\!" 397 echo "Removing sshd from ${_inetcnf} failed!"
549 fi 398 fi
550 fi 399 fi
551 400
@@ -563,34 +412,181 @@ then
563fi 412fi
564 413
565# On NT ask if sshd should be installed as service 414# On NT ask if sshd should be installed as service
566if [ $_nt -gt 0 ] 415if [ ${_nt} -gt 0 ]
567then 416then
568 echo 417 # But only if it is not already installed
569 echo "Do you want to install sshd as service?" 418 if ! cygrunsrv -Q sshd > /dev/null 2>&1
570 if request "(Say \"no\" if it's already installed as service)"
571 then 419 then
572 echo 420 echo
573 echo "Which value should the environment variable CYGWIN have when" 421 echo
574 echo "sshd starts? It's recommended to set at least \"ntsec\" to be" 422 echo "Warning: The following functions require administrator privileges!"
575 echo "able to change user context without password." 423 echo
576 echo -n "Default is \"binmode ntsec tty\". CYGWIN=" 424 echo "Do you want to install sshd as service?"
577 read _cygwin 425 if request "(Say \"no\" if it's already installed as service)"
578 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
579 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
580 then 426 then
581 chown system ${SYSCONFDIR}/ssh* 427 if [ $_nt2003 -gt 0 ]
582 echo 428 then
583 echo "The service has been installed under LocalSystem account." 429 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
430 if [ "${sshd_server_in_passwd}" = "yes" ]
431 then
432 # Drop sshd_server from passwd since it could have wrong settings
433 grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
434 rm -f ${SYSCONFDIR}/passwd
435 mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
436 chmod g-w,o-w ${SYSCONFDIR}/passwd
437 fi
438 net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
439 if [ "${sshd_server_in_sam}" != "yes" ]
440 then
441 echo
442 echo "You appear to be running Windows 2003 Server or later. On 2003 and"
443 echo "later systems, it's not possible to use the LocalSystem account"
444 echo "if sshd should allow passwordless logon (e. g. public key authentication)."
445 echo "If you want to enable that functionality, it's required to create a new"
446 echo "account 'sshd_server' with special privileges, which is then used to run"
447 echo "the sshd service under."
448 echo
449 echo "Should this script create a new local account 'sshd_server' which has"
450 if request "the required privileges?"
451 then
452 _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
453 if [ -z "${_admingroup}" ]
454 then
455 echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
456 echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
457 echo "and restart this script."
458 exit 1
459 fi
460 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
461 while [ "${sshd_server_in_sam}" != "yes" ]
462 do
463 if [ -n "${password_value}" ]
464 then
465 _password="${password_value}"
466 # Allow to ask for password if first try fails
467 password_value=""
468 else
469 echo
470 echo "Please enter a password for new user 'sshd_server'. Please be sure that"
471 echo "this password matches the password rules given on your system."
472 echo -n "Entering no password will exit the configuration. PASSWORD="
473 read -e _password
474 if [ -z "${_password}" ]
475 then
476 echo
477 echo "Exiting configuration. No user sshd_server has been created,"
478 echo "no sshd service installed."
479 exit 1
480 fi
481 fi
482 net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
483 if [ "${sshd_server_in_sam}" != "yes" ]
484 then
485 echo "Creating the user 'sshd_server' failed! Reason:"
486 cat /tmp/nu.$$
487 rm /tmp/nu.$$
488 fi
489 done
490 net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
491 if [ "${sshd_server_in_admingroup}" != "yes" ]
492 then
493 echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
494 echo "Please add sshd_server to local group ${_admingroup} before"
495 echo "starting the sshd service!"
496 echo
497 fi
498 passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
499 if [ "${passwd_has_expiry_flags}" != "yes" ]
500 then
501 echo
502 echo "WARNING: User sshd_server has password expiry set to system default."
503 echo "Please check that password never expires or set it to your needs."
504 elif ! passwd -e sshd_server
505 then
506 echo
507 echo "WARNING: Setting password expiry for user sshd_server failed!"
508 echo "Please check that password never expires or set it to your needs."
509 fi
510 editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
511 editrights -a SeCreateTokenPrivilege -u sshd_server &&
512 editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
513 editrights -a SeDenyNetworkLogonRight -u sshd_server &&
514 editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
515 editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
516 editrights -a SeServiceLogonRight -u sshd_server &&
517 sshd_server_got_all_rights="yes"
518 if [ "${sshd_server_got_all_rights}" != "yes" ]
519 then
520 echo
521 echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
522 echo "Can't create sshd service!"
523 exit 1
524 fi
525 echo
526 echo "User 'sshd_server' has been created with password '${_password}'."
527 echo "If you change the password, please keep in mind to change the password"
528 echo "for the sshd service, too."
529 echo
530 echo "Also keep in mind that the user sshd_server needs read permissions on all"
531 echo "users' .ssh/authorized_keys file to allow public key authentication for"
532 echo "these users!. (Re-)running ssh-user-config for each user will set the"
533 echo "required permissions correctly."
534 echo
535 fi
536 fi
537 if [ "${sshd_server_in_sam}" = "yes" ]
538 then
539 mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
540 fi
541 fi
542 if [ -n "${cygwin_value}" ]
543 then
544 _cygwin="${cygwin_value}"
545 else
546 echo
547 echo "Which value should the environment variable CYGWIN have when"
548 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
549 echo "able to change user context without password."
550 echo -n "Default is \"ntsec\". CYGWIN="
551 read -e _cygwin
552 fi
553 [ -z "${_cygwin}" ] && _cygwin="ntsec"
554 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
555 then
556 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
557 then
558 echo
559 echo "The service has been installed under sshd_server account."
560 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
561 fi
562 else
563 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
564 then
565 echo
566 echo "The service has been installed under LocalSystem account."
567 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
568 fi
569 fi
570 fi
571 # Now check if sshd has been successfully installed. This allows to
572 # set the ownership of the affected files correctly.
573 if cygrunsrv -Q sshd > /dev/null 2>&1
574 then
575 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
576 then
577 _user="sshd_server"
578 else
579 _user="system"
580 fi
581 chown "${_user}" ${SYSCONFDIR}/ssh*
582 chown "${_user}".544 ${LOCALSTATEDIR}/empty
583 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
584 then
585 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
586 fi
584 fi 587 fi
585 fi 588 fi
586fi 589fi
587 590
588if [ "${old_install}" = "1" ]
589then
590 echo
591 echo "Note: If you have used sshd as service or from inetd, don't forget to"
592 echo " change the path to sshd.exe in the service entry or in inetd.conf."
593fi
594
595echo 591echo
596echo "Host configuration finished. Have fun!" 592echo "Host configuration finished. Have fun!"
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 4da113181..fe07ce360 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -1,9 +1,12 @@
1#!/bin/sh 1#!/bin/sh
2# 2#
3# ssh-user-config, Copyright 2000, Red Hat Inc. 3# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6 6
7# Directory where the config files are stored
8SYSCONFDIR=/etc
9
7progname=$0 10progname=$0
8auto_answer="" 11auto_answer=""
9auto_passphrase="no" 12auto_passphrase="no"
@@ -33,6 +36,15 @@ request()
33 fi 36 fi
34} 37}
35 38
39# Check if running on NT
40_sys="`uname -a`"
41_nt=`expr "$_sys" : "CYGWIN_NT"`
42# If running on NT, check if running under 2003 Server or later
43if [ $_nt -gt 0 ]
44then
45 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
46fi
47
36# Check options 48# Check options
37 49
38while : 50while :
@@ -84,27 +96,27 @@ done
84 96
85# Ask user if user identity should be generated 97# Ask user if user identity should be generated
86 98
87if [ ! -f /etc/passwd ] 99if [ ! -f ${SYSCONFDIR}/passwd ]
88then 100then
89 echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file' 101 echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
90 echo 'first using mkpasswd. Check if it contains an entry for you and' 102 echo 'first using mkpasswd. Check if it contains an entry for you and'
91 echo 'please care for the home directory in your entry as well.' 103 echo 'please care for the home directory in your entry as well.'
92 exit 1 104 exit 1
93fi 105fi
94 106
95uid=`id -u` 107uid=`id -u`
96pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd` 108pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
97 109
98if [ "X${pwdhome}" = "X" ] 110if [ "X${pwdhome}" = "X" ]
99then 111then
100 echo 'There is no home directory set for you in /etc/passwd.' 112 echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
101 echo 'Setting $HOME is not sufficient!' 113 echo 'Setting $HOME is not sufficient!'
102 exit 1 114 exit 1
103fi 115fi
104 116
105if [ ! -d "${pwdhome}" ] 117if [ ! -d "${pwdhome}" ]
106then 118then
107 echo "${pwdhome} is set in /etc/passwd as your home directory" 119 echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
108 echo 'but it is not a valid directory. Cannot create user identity files.' 120 echo 'but it is not a valid directory. Cannot create user identity files.'
109 exit 1 121 exit 1
110fi 122fi
@@ -114,7 +126,7 @@ fi
114if [ "X${pwdhome}" = "X/" ] 126if [ "X${pwdhome}" = "X/" ]
115then 127then
116 # But first raise a warning! 128 # But first raise a warning!
117 echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!' 129 echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
118 if request "Would you like to proceed anyway?" 130 if request "Would you like to proceed anyway?"
119 then 131 then
120 pwdhome='' 132 pwdhome=''
@@ -123,6 +135,17 @@ then
123 fi 135 fi
124fi 136fi
125 137
138if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
139then
140 echo
141 echo 'WARNING: group and other have been revoked write permission to your home'
142 echo " directory ${pwdhome}."
143 echo ' This is required by OpenSSH to allow public key authentication using'
144 echo ' the key files stored in your .ssh subdirectory.'
145 echo ' Revert this change ONLY if you know what you are doing!'
146 echo
147fi
148
126if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] 149if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
127then 150then
128 echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." 151 echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
@@ -139,6 +162,21 @@ then
139 fi 162 fi
140fi 163fi
141 164
165if [ $_nt -gt 0 ]
166then
167 _user="system"
168 if [ $_nt2003 -gt 0 ]
169 then
170 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
171 fi
172 if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
173 then
174 echo "${pwdhome}/.ssh couldn't be given the correct permissions."
175 echo "Please try to solve this problem first."
176 exit 1
177 fi
178fi
179
142if [ ! -f "${pwdhome}/.ssh/identity" ] 180if [ ! -f "${pwdhome}/.ssh/identity" ]
143then 181then
144 if request "Shall I create an SSH1 RSA identity file for you?" 182 if request "Shall I create an SSH1 RSA identity file for you?"
@@ -196,5 +234,17 @@ then
196 fi 234 fi
197fi 235fi
198 236
237if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
238then
239 if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
240 then
241 echo
242 echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
243 echo "failed. Please care for the correct permissions. The minimum requirement"
244 echo "is, the owner and ${_user} both need read permissions."
245 echo
246 fi
247fi
248
199echo 249echo
200echo "Configuration finished. Have fun!" 250echo "Configuration finished. Have fun!"