summaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib')
-rw-r--r--contrib/cygwin/ssh-host-config540
1 files changed, 365 insertions, 175 deletions
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 0af6907dc..3ac39a621 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -1,6 +1,6 @@
1#!/bin/bash 1#!/bin/bash
2# 2#
3# ssh-host-config, Copyright 2000-2009 Red Hat Inc. 3# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
4# 4#
5# This file is part of the Cygwin port of OpenSSH. 5# This file is part of the Cygwin port of OpenSSH.
6# 6#
@@ -19,12 +19,39 @@
19# ====================================================================== 19# ======================================================================
20# Initialization 20# Initialization
21# ====================================================================== 21# ======================================================================
22PROGNAME=$(basename $0)
23_tdir=$(dirname $0)
24PROGDIR=$(cd $_tdir && pwd)
25 22
26CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
27 24
25# List of apps used. This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29 /usr/bin/basename coreutils
30 /usr/bin/cat coreutils
31 /usr/bin/chmod coreutils
32 /usr/bin/dirname coreutils
33 /usr/bin/id coreutils
34 /usr/bin/mv coreutils
35 /usr/bin/rm coreutils
36 /usr/bin/cygpath cygwin
37 /usr/bin/mount cygwin
38 /usr/bin/ps cygwin
39 /usr/bin/setfacl cygwin
40 /usr/bin/umount cygwin
41 /usr/bin/cmp diffutils
42 /usr/bin/grep grep
43 /usr/bin/awk gawk
44 /usr/bin/ssh-keygen openssh
45 /usr/sbin/sshd openssh
46 /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
28# Subdirectory where the new package is being installed 55# Subdirectory where the new package is being installed
29PREFIX=/usr 56PREFIX=/usr
30 57
@@ -32,8 +59,6 @@ PREFIX=/usr
32SYSCONFDIR=/etc 59SYSCONFDIR=/etc
33LOCALSTATEDIR=/var 60LOCALSTATEDIR=/var
34 61
35source ${CSIH_SCRIPT}
36
37port_number=22 62port_number=22
38privsep_configured=no 63privsep_configured=no
39privsep_used=yes 64privsep_used=yes
@@ -46,29 +71,48 @@ opt_force=no
46# Routine: create_host_keys 71# Routine: create_host_keys
47# ====================================================================== 72# ======================================================================
48create_host_keys() { 73create_host_keys() {
74 local ret=0
75
49 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 76 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
50 then 77 then
51 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 78 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
52 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 79 if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
80 then
81 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
82 let ++ret
83 fi
53 fi 84 fi
54 85
55 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 86 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
56 then 87 then
57 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 88 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
58 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 89 if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
90 then
91 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
92 let ++ret
93 fi
59 fi 94 fi
60 95
61 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 96 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
62 then 97 then
63 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 98 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
64 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null 99 if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
100 then
101 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
102 let ++ret
103 fi
65 fi 104 fi
66 105
67 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] 106 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
68 then 107 then
69 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" 108 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
70 ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null 109 if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
110 then
111 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
112 let ++ret
113 fi
71 fi 114 fi
115 return $ret
72} # --- End of create_host_keys --- # 116} # --- End of create_host_keys --- #
73 117
74# ====================================================================== 118# ======================================================================
@@ -81,61 +125,58 @@ update_services_file() {
81 local _spaces 125 local _spaces
82 local _serv_tmp 126 local _serv_tmp
83 local _wservices 127 local _wservices
128 local ret=0
84 129
85 if csih_is_nt 130 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
86 then 131 _services="${_my_etcdir}/services"
87 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 132 _spaces=" #"
88 _services="${_my_etcdir}/services"
89 # On NT, 27 spaces, no space after the hash
90 _spaces=" #"
91 else
92 _win_etcdir="${WINDIR}"
93 _services="${_my_etcdir}/SERVICES"
94 # On 9x, 18 spaces (95 is very touchy), a space after the hash
95 _spaces=" # "
96 fi
97 _serv_tmp="${_my_etcdir}/srv.out.$$" 133 _serv_tmp="${_my_etcdir}/srv.out.$$"
98 134
99 mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 135 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
100 136
101 # Depends on the above mount 137 # Depends on the above mount
102 _wservices=`cygpath -w "${_services}"` 138 _wservices=`cygpath -w "${_services}"`
103 139
104 # Remove sshd 22/port from services 140 # Remove sshd 22/port from services
105 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 141 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
106 then 142 then
107 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" 143 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
108 if [ -f "${_serv_tmp}" ] 144 if [ -f "${_serv_tmp}" ]
109 then 145 then
110 if mv "${_serv_tmp}" "${_services}" 146 if /usr/bin/mv "${_serv_tmp}" "${_services}"
111 then 147 then
112 csih_inform "Removing sshd from ${_wservices}" 148 csih_inform "Removing sshd from ${_wservices}"
113 else 149 else
114 csih_warning "Removing sshd from ${_wservices} failed!" 150 csih_warning "Removing sshd from ${_wservices} failed!"
151 let ++ret
115 fi 152 fi
116 rm -f "${_serv_tmp}" 153 /usr/bin/rm -f "${_serv_tmp}"
117 else 154 else
118 csih_warning "Removing sshd from ${_wservices} failed!" 155 csih_warning "Removing sshd from ${_wservices} failed!"
156 let ++ret
119 fi 157 fi
120 fi 158 fi
121 159
122 # Add ssh 22/tcp and ssh 22/udp to services 160 # Add ssh 22/tcp and ssh 22/udp to services
123 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 161 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
124 then 162 then
125 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 163 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
126 then 164 then
127 if mv "${_serv_tmp}" "${_services}" 165 if /usr/bin/mv "${_serv_tmp}" "${_services}"
128 then 166 then
129 csih_inform "Added ssh to ${_wservices}" 167 csih_inform "Added ssh to ${_wservices}"
130 else 168 else
131 csih_warning "Adding ssh to ${_wservices} failed!" 169 csih_warning "Adding ssh to ${_wservices} failed!"
170 let ++ret
132 fi 171 fi
133 rm -f "${_serv_tmp}" 172 /usr/bin/rm -f "${_serv_tmp}"
134 else 173 else
135 csih_warning "Adding ssh to ${_wservices} failed!" 174 csih_warning "Adding ssh to ${_wservices} failed!"
175 let ++ret
136 fi 176 fi
137 fi 177 fi
138 umount "${_my_etcdir}" 178 /usr/bin/umount "${_my_etcdir}"
179 return $ret
139} # --- End of update_services_file --- # 180} # --- End of update_services_file --- #
140 181
141# ====================================================================== 182# ======================================================================
@@ -144,51 +185,57 @@ update_services_file() {
144# ====================================================================== 185# ======================================================================
145sshd_privsep() { 186sshd_privsep() {
146 local sshdconfig_tmp 187 local sshdconfig_tmp
188 local ret=0
147 189
148 if [ "${privsep_configured}" != "yes" ] 190 if [ "${privsep_configured}" != "yes" ]
149 then 191 then
150 if csih_is_nt 192 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
193 csih_inform "However, this requires a non-privileged account called 'sshd'."
194 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
195 if csih_request "Should privilege separation be used?"
151 then 196 then
152 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 197 privsep_used=yes
153 csih_inform "However, this requires a non-privileged account called 'sshd'." 198 if ! csih_create_unprivileged_user sshd
154 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
155 if csih_request "Should privilege separation be used?"
156 then 199 then
157 privsep_used=yes 200 csih_error_recoverable "Couldn't create user 'sshd'!"
158 if ! csih_create_unprivileged_user sshd 201 csih_error_recoverable "Privilege separation set to 'no' again!"
159 then 202 csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
160 csih_warning "Couldn't create user 'sshd'!" 203 let ++ret
161 csih_warning "Privilege separation set to 'no' again!"
162 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
163 privsep_used=no
164 fi
165 else
166 privsep_used=no 204 privsep_used=no
167 fi 205 fi
168 else 206 else
169 # On 9x don't use privilege separation. Since security isn't
170 # available it just adds useless additional processes.
171 privsep_used=no 207 privsep_used=no
172 fi 208 fi
173 fi 209 fi
174 210
175 # Create default sshd_config from skeleton files in /etc/defaults/etc or 211 # Create default sshd_config from skeleton files in /etc/defaults/etc or
176 # modify to add the missing privsep configuration option 212 # modify to add the missing privsep configuration option
177 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 213 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
178 then 214 then
179 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 215 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
180 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 216 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
181 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 217 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
182 s/^#Port 22/Port ${port_number}/ 218 s/^#Port 22/Port ${port_number}/
183 s/^#StrictModes yes/StrictModes no/" \ 219 s/^#StrictModes yes/StrictModes no/" \
184 < ${SYSCONFDIR}/sshd_config \ 220 < ${SYSCONFDIR}/sshd_config \
185 > "${sshdconfig_tmp}" 221 > "${sshdconfig_tmp}"
186 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 222 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
223 then
224 csih_warning "Setting privilege separation to 'yes' failed!"
225 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
226 let ++ret
227 fi
187 elif [ "${privsep_configured}" != "yes" ] 228 elif [ "${privsep_configured}" != "yes" ]
188 then 229 then
189 echo >> ${SYSCONFDIR}/sshd_config 230 echo >> ${SYSCONFDIR}/sshd_config
190 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 231 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
232 then
233 csih_warning "Setting privilege separation to 'yes' failed!"
234 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
235 let ++ret
236 fi
191 fi 237 fi
238 return $ret
192} # --- End of sshd_privsep --- # 239} # --- End of sshd_privsep --- #
193 240
194# ====================================================================== 241# ======================================================================
@@ -201,72 +248,82 @@ update_inetd_conf() {
201 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 248 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
202 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 249 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
203 local _with_comment=1 250 local _with_comment=1
251 local ret=0
204 252
205 if [ -d "${_inetcnf_dir}" ] 253 if [ -d "${_inetcnf_dir}" ]
206 then 254 then
207 # we have inetutils-1.5 inetd.d support 255 # we have inetutils-1.5 inetd.d support
208 if [ -f "${_inetcnf}" ] 256 if [ -f "${_inetcnf}" ]
209 then 257 then
210 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 258 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
211 259
212 # check for sshd OR ssh in top-level inetd.conf file, and remove 260 # check for sshd OR ssh in top-level inetd.conf file, and remove
213 # will be replaced by a file in inetd.d/ 261 # will be replaced by a file in inetd.d/
214 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 262 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
215 then 263 then
216 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 264 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
217 if [ -f "${_inetcnf_tmp}" ] 265 if [ -f "${_inetcnf_tmp}" ]
218 then 266 then
219 if mv "${_inetcnf_tmp}" "${_inetcnf}" 267 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
220 then 268 then
221 csih_inform "Removed ssh[d] from ${_inetcnf}" 269 csih_inform "Removed ssh[d] from ${_inetcnf}"
222 else 270 else
223 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 271 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
272 let ++ret
224 fi 273 fi
225 rm -f "${_inetcnf_tmp}" 274 /usr/bin/rm -f "${_inetcnf_tmp}"
226 else 275 else
227 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 276 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
277 let ++ret
228 fi 278 fi
229 fi 279 fi
230 fi 280 fi
231 281
232 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 282 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
233 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 283 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
234 then 284 then
235 if [ "${_with_comment}" -eq 0 ] 285 if [ "${_with_comment}" -eq 0 ]
236 then 286 then
237 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 287 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
288 else
289 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
290 fi
291 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
292 then
293 csih_inform "Updated ${_sshd_inetd_conf}"
238 else 294 else
239 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 295 csih_warning "Updating ${_sshd_inetd_conf} failed!"
296 let ++ret
240 fi 297 fi
241 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
242 csih_inform "Updated ${_sshd_inetd_conf}"
243 fi 298 fi
244 299
245 elif [ -f "${_inetcnf}" ] 300 elif [ -f "${_inetcnf}" ]
246 then 301 then
247 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 302 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
248 303
249 # check for sshd in top-level inetd.conf file, and remove 304 # check for sshd in top-level inetd.conf file, and remove
250 # will be replaced by a file in inetd.d/ 305 # will be replaced by a file in inetd.d/
251 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 306 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
252 then 307 then
253 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 308 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
254 if [ -f "${_inetcnf_tmp}" ] 309 if [ -f "${_inetcnf_tmp}" ]
255 then 310 then
256 if mv "${_inetcnf_tmp}" "${_inetcnf}" 311 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
257 then 312 then
258 csih_inform "Removed sshd from ${_inetcnf}" 313 csih_inform "Removed sshd from ${_inetcnf}"
259 else 314 else
260 csih_warning "Removing sshd from ${_inetcnf} failed!" 315 csih_warning "Removing sshd from ${_inetcnf} failed!"
316 let ++ret
261 fi 317 fi
262 rm -f "${_inetcnf_tmp}" 318 /usr/bin/rm -f "${_inetcnf_tmp}"
263 else 319 else
264 csih_warning "Removing sshd from ${_inetcnf} failed!" 320 csih_warning "Removing sshd from ${_inetcnf} failed!"
321 let ++ret
265 fi 322 fi
266 fi 323 fi
267 324
268 # Add ssh line to inetd.conf 325 # Add ssh line to inetd.conf
269 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 326 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
270 then 327 then
271 if [ "${_with_comment}" -eq 0 ] 328 if [ "${_with_comment}" -eq 0 ]
272 then 329 then
@@ -274,115 +331,186 @@ update_inetd_conf() {
274 else 331 else
275 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 332 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
276 fi 333 fi
277 csih_inform "Added ssh to ${_inetcnf}" 334 if [ $? -eq 0 ]
335 then
336 csih_inform "Added ssh to ${_inetcnf}"
337 else
338 csih_warning "Adding ssh to ${_inetcnf} failed!"
339 let ++ret
340 fi
278 fi 341 fi
279 fi 342 fi
343 return $ret
280} # --- End of update_inetd_conf --- # 344} # --- End of update_inetd_conf --- #
281 345
282# ====================================================================== 346# ======================================================================
347# Routine: check_service_files_ownership
348# Checks that the files in /etc and /var belong to the right owner
349# ======================================================================
350check_service_files_ownership() {
351 local run_service_as=$1
352 local ret=0
353
354 if [ -z "${run_service_as}" ]
355 then
356 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
357 if [ "${accnt_name}" = "LocalSystem" ]
358 then
359 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
360 accnt_name="SYSTEM:"
361 elif [[ "${accnt_name}" =~ ^\.\\ ]]
362 then
363 # Convert "." domain to local machine name
364 accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
365 fi
366 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
367 if [ -z "${run_service_as}" ]
368 then
369 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
370 csih_warning "As a result, this script cannot make sure that the files used"
371 csih_warning "by the sshd service belong to the user running the service."
372 csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
373 csih_warning "file is in a good shape."
374 return 1
375 fi
376 fi
377 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
378 do
379 if [ -f "$i" ]
380 then
381 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
382 then
383 csih_warning "Couldn't change owner of $i!"
384 let ++ret
385 fi
386 fi
387 done
388 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
389 then
390 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
391 let ++ret
392 fi
393 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
394 then
395 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
396 let ++ret
397 fi
398 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
399 then
400 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
401 then
402 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
403 let ++ret
404 fi
405 fi
406 if [ $ret -ne 0 ]
407 then
408 csih_warning "Couldn't change owner of important files to ${run_service_as}!"
409 csih_warning "This may cause the sshd service to fail! Please make sure that"
410 csih_warning "you have suufficient permissions to change the ownership of files"
411 csih_warning "and try to run the ssh-host-config script again."
412 fi
413 return $ret
414} # --- End of check_service_files_ownership --- #
415
416# ======================================================================
283# Routine: install_service 417# Routine: install_service
284# Install sshd as a service 418# Install sshd as a service
285# ====================================================================== 419# ======================================================================
286install_service() { 420install_service() {
287 local run_service_as 421 local run_service_as
288 local password 422 local password
423 local ret=0
289 424
290 if csih_is_nt 425 echo
426 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
291 then 427 then
292 if ! cygrunsrv -Q sshd >/dev/null 2>&1 428 csih_inform "Sshd service is already installed."
429 check_service_files_ownership "" || let ret+=$?
430 else
431 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
432 if csih_request "(Say \"no\" if it is already installed as a service)"
293 then 433 then
294 echo 434 csih_get_cygenv "${cygwin_value}"
295 echo
296 csih_warning "The following functions require administrator privileges!"
297 echo
298 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
299 if csih_request "(Say \"no\" if it is already installed as a service)"
300 then
301 csih_get_cygenv "${cygwin_value}"
302 435
303 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 436 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
304 then 437 then
305 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 438 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
306 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 439 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
307 csih_inform "sshd requires. You need to have or to create a privileged" 440 csih_inform "sshd requires. You need to have or to create a privileged"
308 csih_inform "account. This script will help you do so." 441 csih_inform "account. This script will help you do so."
309 echo 442 echo
310 443
311 [ "${opt_force}" = "yes" ] && opt_f=-f 444 [ "${opt_force}" = "yes" ] && opt_f=-f
312 [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 445 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
313 csih_select_privileged_username ${opt_f} ${opt_u} sshd 446 csih_select_privileged_username ${opt_f} ${opt_u} sshd
314 447
315 if ! csih_create_privileged_user "${password_value}" 448 if ! csih_create_privileged_user "${password_value}"
316 then 449 then
317 csih_error_recoverable "There was a serious problem creating a privileged user." 450 csih_error_recoverable "There was a serious problem creating a privileged user."
318 csih_request "Do you want to proceed anyway?" || exit 1 451 csih_request "Do you want to proceed anyway?" || exit 1
319 fi 452 let ++ret
320 fi 453 fi
454 fi
321 455
322 # never returns empty if NT or above 456 # Never returns empty if NT or above
323 run_service_as=$(csih_service_should_run_as) 457 run_service_as=$(csih_service_should_run_as)
324 458
325 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 459 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
460 then
461 password="${csih_PRIVILEGED_PASSWORD}"
462 if [ -z "${password}" ]
326 then 463 then
327 password="${csih_PRIVILEGED_PASSWORD}" 464 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
328 if [ -z "${password}" ] 465 password="${csih_value}"
329 then
330 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
331 password="${csih_value}"
332 fi
333 fi 466 fi
467 fi
334 468
335 # at this point, we either have $run_service_as = "system" and $password is empty, 469 # At this point, we either have $run_service_as = "system" and
336 # or $run_service_as is some privileged user and (hopefully) $password contains 470 # $password is empty, or $run_service_as is some privileged user and
337 # the correct password. So, from here out, we use '-z "${password}"' to discriminate 471 # (hopefully) $password contains the correct password. So, from here
338 # the two cases. 472 # out, we use '-z "${password}"' to discriminate the two cases.
339 473
340 csih_check_user "${run_service_as}" 474 csih_check_user "${run_service_as}"
341 475
342 if [ -n "${csih_cygenv}" ] 476 if [ -n "${csih_cygenv}" ]
477 then
478 cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
479 fi
480 if [ -z "${password}" ]
481 then
482 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
483 -a "-D" -y tcpip "${cygwin_env[@]}"
343 then 484 then
344 cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 485 echo
486 csih_inform "The sshd service has been installed under the LocalSystem"
487 csih_inform "account (also known as SYSTEM). To start the service now, call"
488 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
489 csih_inform "will start automatically after the next reboot."
345 fi 490 fi
346 if [ -z "${password}" ] 491 else
492 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
493 -a "-D" -y tcpip "${cygwin_env[@]}" \
494 -u "${run_service_as}" -w "${password}"
347 then 495 then
348 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ 496 echo
349 -a "-D" -y tcpip "${cygwin_env[@]}" 497 csih_inform "The sshd service has been installed under the '${run_service_as}'"
350 then 498 csih_inform "account. To start the service now, call \`net start sshd' or"
351 echo 499 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
352 csih_inform "The sshd service has been installed under the LocalSystem" 500 csih_inform "after the next reboot."
353 csih_inform "account (also known as SYSTEM). To start the service now, call"
354 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
355 csih_inform "will start automatically after the next reboot."
356 fi
357 else
358 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
359 -a "-D" -y tcpip "${cygwin_env[@]}" \
360 -u "${run_service_as}" -w "${password}"
361 then
362 echo
363 csih_inform "The sshd service has been installed under the '${run_service_as}'"
364 csih_inform "account. To start the service now, call \`net start sshd' or"
365 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
366 csih_inform "after the next reboot."
367 fi
368 fi 501 fi
502 fi
369 503
370 # now, if successfully installed, set ownership of the affected files 504 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
371 if cygrunsrv -Q sshd >/dev/null 2>&1 505 then
372 then 506 check_service_files_ownership "${run_service_as}" || let ret+=$?
373 chown "${run_service_as}" ${SYSCONFDIR}/ssh* 507 else
374 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty 508 csih_error_recoverable "Installing sshd as a service failed!"
375 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog 509 let ++ret
376 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 510 fi
377 then 511 fi # user allowed us to install as service
378 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log 512 fi # service not yet installed
379 fi 513 return $ret
380 else
381 csih_warning "Something went wrong installing the sshd service."
382 fi
383 fi # user allowed us to install as service
384 fi # service not yet installed
385 fi # csih_is_nt
386} # --- End of install_service --- # 514} # --- End of install_service --- #
387 515
388# ====================================================================== 516# ======================================================================
@@ -494,21 +622,71 @@ done
494 622
495# Check for running ssh/sshd processes first. Refuse to do anything while 623# Check for running ssh/sshd processes first. Refuse to do anything while
496# some ssh processes are still running 624# some ssh processes are still running
497if ps -ef | grep -q '/sshd\?$' 625if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
498then 626then
499 echo 627 echo
500 csih_error "There are still ssh processes running. Please shut them down first." 628 csih_error "There are still ssh processes running. Please shut them down first."
501fi 629fi
502 630
631# Make sure the user is running in an administrative context
632admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
633if [ "${admin}" != "yes" ]
634then
635 echo
636 csih_warning "Running this script typically requires administrator privileges!"
637 csih_warning "However, it seems your account does not have these privileges."
638 csih_warning "Here's the list of groups in your user token:"
639 echo
640 for i in $(/usr/bin/id -G)
641 do
642 /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
643 done
644 echo
645 csih_warning "This usually means you're running this script from a non-admin"
646 csih_warning "desktop session, or in a non-elevated shell under UAC control."
647 echo
648 csih_warning "Make sure you have the appropriate privileges right now,"
649 csih_warning "otherwise parts of this script will probably fail!"
650 echo
651 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
652 if ! csih_request "you have the required privileges)"
653 then
654 echo
655 csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
656 csih_inform "or to start this script from an elevated shell."
657 exit 1
658 fi
659fi
660
661echo
662
663warning_cnt=0
664
503# Check for ${SYSCONFDIR} directory 665# Check for ${SYSCONFDIR} directory
504csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." 666csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
505chmod 775 "${SYSCONFDIR}" 667if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
506setfacl -m u:system:rwx "${SYSCONFDIR}" 668then
669 csih_warning "Can't set permissions on ${SYSCONFDIR}!"
670 let ++warning_cnt
671fi
672if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
673then
674 csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
675 let ++warning_cnt
676fi
507 677
508# Check for /var/log directory 678# Check for /var/log directory
509csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." 679csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
510chmod 775 "${LOCALSTATEDIR}/log" 680if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
511setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" 681then
682 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
683 let ++warning_cnt
684fi
685if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
686then
687 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
688 let ++warning_cnt
689fi
512 690
513# Create /var/log/lastlog if not already exists 691# Create /var/log/lastlog if not already exists
514if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 692if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
@@ -519,26 +697,33 @@ then
519fi 697fi
520if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 698if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
521then 699then
522 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog 700 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
523 chmod 644 ${LOCALSTATEDIR}/log/lastlog 701 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
702 then
703 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
704 let ++warning_cnt
705 fi
524fi 706fi
525 707
526# Create /var/empty file used as chroot jail for privilege separation 708# Create /var/empty file used as chroot jail for privilege separation
527csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." 709csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
528chmod 755 "${LOCALSTATEDIR}/empty" 710if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
529setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" 711then
712 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
713 let ++warning_cnt
714fi
715if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
716then
717 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
718 let ++warning_cnt
719fi
530 720
531# host keys 721# host keys
532create_host_keys 722create_host_keys || let warning_cnt+=$?
533
534# use 'cmp' program to determine if a config file is identical
535# to the default version of that config file
536csih_check_program_or_error cmp diffutils
537
538 723
539# handle ssh_config 724# handle ssh_config
540csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" 725csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
541if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 726if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
542then 727then
543 if [ "${port_number}" != "22" ] 728 if [ "${port_number}" != "22" ]
544 then 729 then
@@ -549,19 +734,24 @@ then
549fi 734fi
550 735
551# handle sshd_config (and privsep) 736# handle sshd_config (and privsep)
552csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" 737csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
553if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 738if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
554then 739then
555 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 740 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
556fi 741fi
557sshd_privsep 742sshd_privsep || let warning_cnt+=$?
558
559 743
560 744update_services_file || let warning_cnt+=$?
561update_services_file 745update_inetd_conf || let warning_cnt+=$?
562update_inetd_conf 746install_service || let warning_cnt+=$?
563install_service
564 747
565echo 748echo
566csih_inform "Host configuration finished. Have fun!" 749if [ $warning_cnt -eq 0 ]
567 750then
751 csih_inform "Host configuration finished. Have fun!"
752else
753 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
754 csih_warning "Make sure that all problems reported are fixed,"
755 csih_warning "then re-run ssh-host-config."
756fi
757exit $warning_cnt