From 798ca84d606abba35ea790ba0a8abb25ca2b67cb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 13 Nov 2003 11:28:49 +1100 Subject: - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All contrib/cygwin). Major update from vinschen at redhat.com. - Makefile provides a `cygwin-postinstall' target to run right after `make install'. - Better support for Windows 2003 Server. - Try to get permissions as correct as possible. - New command line options to allow full automated host configuration. - Create configs from skeletons in /etc/defaults/etc. - Use /bin/bash, allows reading user input with readline support. - Remove really old configs from /usr/local. --- contrib/cygwin/ssh-host-config | 502 ++++++++++++++++++++--------------------- 1 file changed, 249 insertions(+), 253 deletions(-) (limited to 'contrib/cygwin/ssh-host-config') diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index c69cfd88b..18793ca85 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/bash # -# ssh-host-config, Copyright 2000, Red Hat Inc. +# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. @@ -9,10 +9,7 @@ PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc - -# Subdirectory where an old package might be installed -OLDPREFIX=/usr/local -OLDSYSCONFDIR=${OLDPREFIX}/etc +LOCALSTATEDIR=/var progname=$0 auto_answer="" @@ -27,9 +24,11 @@ request() { if [ "${auto_answer}" = "yes" ] then + echo "$1 (yes/no) yes" return 0 elif [ "${auto_answer}" = "no" ] then + echo "$1 (yes/no) no" return 1 fi @@ -37,7 +36,7 @@ request() while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " - read answer + read -e answer done if [ "X${answer}" = "Xyes" ] then @@ -60,7 +59,7 @@ do option=$1 shift - case "$option" in + case "${option}" in -d | --debug ) set -x ;; @@ -73,21 +72,33 @@ do auto_answer=no ;; + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + -p | --port ) port_number=$1 shift ;; + -w | --pwd ) + password_value="$1" + shift + ;; + *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" - echo " --debug -d Enable shell's debug output." - echo " --yes -y Answer all questions with \"yes\" automatically." - echo " --no -n Answer all questions with \"no\" automatically." - echo " --port -p sshd listens on port n." + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --port -p sshd listens on port n." + echo " --pwd -w Use \"pwd\" as password for user 'sshd_server'." echo exit 1 ;; @@ -96,8 +107,13 @@ do done # Check if running on NT -_sys="`uname -a`" -_nt=`expr "$_sys" : "CYGWIN_NT"` +_sys="`uname`" +_nt=`expr "${_sys}" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ ${_nt} -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running @@ -137,87 +153,33 @@ fi # Create /var/log and /var/log/lastlog if not already existing -if [ -f /var/log ] +if [ -f ${LOCALSTATEDIR}/log ] then - echo "Creating /var/log failed\!" + echo "Creating ${LOCALSTATEDIR}/log failed!" else - if [ ! -d /var/log ] + if [ ! -d ${LOCALSTATEDIR}/log ] then - mkdir -p /var/log + mkdir -p ${LOCALSTATEDIR}/log fi - if [ -d /var/log/lastlog ] + if [ -d ${LOCALSTATEDIR}/log/lastlog ] then - echo "Creating /var/log/lastlog failed\!" - elif [ ! -f /var/log/lastlog ] + chmod 777 ${LOCALSTATEDIR}/log/lastlog + elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] then - cat /dev/null > /var/log/lastlog + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 666 ${LOCALSTATEDIR}/log/lastlog fi fi # Create /var/empty file used as chroot jail for privilege separation -if [ -f /var/empty ] +if [ -f ${LOCALSTATEDIR}/empty ] then - echo "Creating /var/empty failed\!" + echo "Creating ${LOCALSTATEDIR}/empty failed!" else - mkdir -p /var/empty - # On NT change ownership of that dir to user "system" - if [ $_nt -gt 0 ] + mkdir -p ${LOCALSTATEDIR}/empty + if [ ${_nt} -gt 0 ] then - chmod 755 /var/empty - chown system.system /var/empty - fi -fi - -# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't -# the same as ${PREFIX} - -old_install=0 -if [ "${OLDPREFIX}" != "${PREFIX}" ] -then - if [ -f "${OLDPREFIX}/sbin/sshd" ] - then - echo - echo "You seem to have an older installation in ${OLDPREFIX}." - echo - # Check if old global configuration files exist - if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] - then - if request "Do you want to copy your config files to your new installation?" - then - cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} - fi - fi - if request "Do you want to erase your old installation?" - then - rm -f ${OLDPREFIX}/bin/ssh.exe - rm -f ${OLDPREFIX}/bin/ssh-config - rm -f ${OLDPREFIX}/bin/scp.exe - rm -f ${OLDPREFIX}/bin/ssh-add.exe - rm -f ${OLDPREFIX}/bin/ssh-agent.exe - rm -f ${OLDPREFIX}/bin/ssh-keygen.exe - rm -f ${OLDPREFIX}/bin/slogin - rm -f ${OLDSYSCONFDIR}/ssh_host_key - rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_config - rm -f ${OLDSYSCONFDIR}/sshd_config - rm -f ${OLDPREFIX}/man/man1/ssh.1 - rm -f ${OLDPREFIX}/man/man1/scp.1 - rm -f ${OLDPREFIX}/man/man1/ssh-add.1 - rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 - rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 - rm -f ${OLDPREFIX}/man/man1/slogin.1 - rm -f ${OLDPREFIX}/man/man8/sshd.8 - rm -f ${OLDPREFIX}/sbin/sshd.exe - rm -f ${OLDPREFIX}/sbin/sftp-server.exe - fi - old_install=1 + chmod 755 ${LOCALSTATEDIR}/empty fi fi @@ -255,52 +217,16 @@ then fi fi -# Create default ssh_config from here script +# Create default ssh_config from skeleton file in /etc/defaults/etc if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" - cat > ${SYSCONFDIR}/ssh_config << EOF -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for various options - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_rsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc -# EscapeChar ~ -EOF - if [ "$port_number" != "22" ] + cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config + if [ "${port_number}" != "22" ] then echo "Host localhost" >> ${SYSCONFDIR}/ssh_config - echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config fi fi @@ -322,35 +248,35 @@ fi # Prior to creating or modifying sshd_config, care for privilege separation -if [ "$privsep_configured" != "yes" ] +if [ "${privsep_configured}" != "yes" ] then - if [ $_nt -gt 0 ] + if [ ${_nt} -gt 0 ] then echo "Privilege separation is set to yes by default since OpenSSH 3.3." echo "However, this requires a non-privileged account called 'sshd'." - echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." + echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." echo - if request "Shall privilege separation be used?" + if request "Should privilege separation be used?" then privsep_used=yes grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes net user sshd >/dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_passwd" != "yes" ] + if [ "${sshd_in_passwd}" != "yes" ] then - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: The following function requires administrator privileges!" - if request "Shall this script create a local user 'sshd' on this machine?" + if request "Should this script create a local user 'sshd' on this machine?" then - dos_var_empty=`cygpath -w /var/empty` - net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_sam" != "yes" ] + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Creating the user 'sshd' failed!" fi fi fi - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" echo " Privilege separation set to 'no' again!" @@ -365,117 +291,41 @@ then fi else # On 9x don't use privilege separation. Since security isn't - # available it just adds useless addtional processes. + # available it just adds useless additional processes. privsep_used=no fi fi -# Create default sshd_config from here script or modify to add the -# missing privsep configuration option +# Create default sshd_config from skeleton files in /etc/defaults/etc or +# modify to add the missing privsep configuration option if [ ! -f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" - cat > ${SYSCONFDIR}/sshd_config << EOF -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -Port $port_number -#Protocol 2,1 -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey ${SYSCONFDIR}/ssh_host_key -# HostKeys for protocol version 2 -#HostKey ${SYSCONFDIR}/ssh_host_rsa_key -#HostKey ${SYSCONFDIR}/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -#obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -# The following setting overrides permission checks on host key files -# and directories. For security reasons set this to "yes" when running -# NT/W2K, NTFS and CYGWIN=ntsec. -StrictModes no - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#KeepAlive yes -#UseLogin no -UsePrivilegeSeparation $privsep_used -#PermitUserEnvironment no -#Compression yes -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/sbin/sftp-server -EOF -elif [ "$privsep_configured" != "yes" ] + sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + s/^#Port 22/Port ${port_number}/ + s/^#StrictModes yes/StrictModes no/" \ + < ${SYSCONFDIR}/defaults/etc/sshd_config \ + > ${SYSCONFDIR}/sshd_config +elif [ "${privsep_configured}" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config - echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config + echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config fi # Care for services file _my_etcdir="/ssh-host-config.$$" -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" _services="${_my_etcdir}/services" + # On NT, 27 spaces, no space after the hash + _spaces=" #" else _win_etcdir="${WINDIR}" _services="${_my_etcdir}/SERVICES" + # On 9x, 18 spaces (95 is very touchy), a space after the hash + _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" @@ -494,29 +344,28 @@ then then echo "Removing sshd from ${_wservices}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi fi # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" - if [ -f "${_serv_tmp}" ] + if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then if mv "${_serv_tmp}" "${_services}" then echo "Added ssh to ${_wservices}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "WARNING: Adding ssh to ${_wservices} failed!" fi fi @@ -541,11 +390,11 @@ then then echo "Removed sshd from ${_inetcnf}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi fi @@ -563,34 +412,181 @@ then fi # On NT ask if sshd should be installed as service -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then - echo - echo "Do you want to install sshd as service?" - if request "(Say \"no\" if it's already installed as service)" + # But only if it is not already installed + if ! cygrunsrv -Q sshd > /dev/null 2>&1 then echo - echo "Which value should the environment variable CYGWIN have when" - echo "sshd starts? It's recommended to set at least \"ntsec\" to be" - echo "able to change user context without password." - echo -n "Default is \"binmode ntsec tty\". CYGWIN=" - read _cygwin - [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + echo + echo "Warning: The following functions require administrator privileges!" + echo + echo "Do you want to install sshd as service?" + if request "(Say \"no\" if it's already installed as service)" then - chown system ${SYSCONFDIR}/ssh* - echo - echo "The service has been installed under LocalSystem account." + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes + if [ "${sshd_server_in_passwd}" = "yes" ] + then + # Drop sshd_server from passwd since it could have wrong settings + grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ + rm -f ${SYSCONFDIR}/passwd + mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd + chmod g-w,o-w ${SYSCONFDIR}/passwd + fi + net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo + echo "You appear to be running Windows 2003 Server or later. On 2003 and" + echo "later systems, it's not possible to use the LocalSystem account" + echo "if sshd should allow passwordless logon (e. g. public key authentication)." + echo "If you want to enable that functionality, it's required to create a new" + echo "account 'sshd_server' with special privileges, which is then used to run" + echo "the sshd service under." + echo + echo "Should this script create a new local account 'sshd_server' which has" + if request "the required privileges?" + then + _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` + if [ -z "${_admingroup}" ] + then + echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" + echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" + echo "and restart this script." + exit 1 + fi + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + while [ "${sshd_server_in_sam}" != "yes" ] + do + if [ -n "${password_value}" ] + then + _password="${password_value}" + # Allow to ask for password if first try fails + password_value="" + else + echo + echo "Please enter a password for new user 'sshd_server'. Please be sure that" + echo "this password matches the password rules given on your system." + echo -n "Entering no password will exit the configuration. PASSWORD=" + read -e _password + if [ -z "${_password}" ] + then + echo + echo "Exiting configuration. No user sshd_server has been created," + echo "no sshd service installed." + exit 1 + fi + fi + net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo "Creating the user 'sshd_server' failed! Reason:" + cat /tmp/nu.$$ + rm /tmp/nu.$$ + fi + done + net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes + if [ "${sshd_server_in_admingroup}" != "yes" ] + then + echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" + echo "Please add sshd_server to local group ${_admingroup} before" + echo "starting the sshd service!" + echo + fi + passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` + if [ "${passwd_has_expiry_flags}" != "yes" ] + then + echo + echo "WARNING: User sshd_server has password expiry set to system default." + echo "Please check that password never expires or set it to your needs." + elif ! passwd -e sshd_server + then + echo + echo "WARNING: Setting password expiry for user sshd_server failed!" + echo "Please check that password never expires or set it to your needs." + fi + editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && + editrights -a SeCreateTokenPrivilege -u sshd_server && + editrights -a SeDenyInteractiveLogonRight -u sshd_server && + editrights -a SeDenyNetworkLogonRight -u sshd_server && + editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && + editrights -a SeIncreaseQuotaPrivilege -u sshd_server && + editrights -a SeServiceLogonRight -u sshd_server && + sshd_server_got_all_rights="yes" + if [ "${sshd_server_got_all_rights}" != "yes" ] + then + echo + echo "Assigning the appropriate privileges to user 'sshd_server' failed!" + echo "Can't create sshd service!" + exit 1 + fi + echo + echo "User 'sshd_server' has been created with password '${_password}'." + echo "If you change the password, please keep in mind to change the password" + echo "for the sshd service, too." + echo + echo "Also keep in mind that the user sshd_server needs read permissions on all" + echo "users' .ssh/authorized_keys file to allow public key authentication for" + echo "these users!. (Re-)running ssh-user-config for each user will set the" + echo "required permissions correctly." + echo + fi + fi + if [ "${sshd_server_in_sam}" = "yes" ] + then + mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd + fi + fi + if [ -n "${cygwin_value}" ] + then + _cygwin="${cygwin_value}" + else + echo + echo "Which value should the environment variable CYGWIN have when" + echo "sshd starts? It's recommended to set at least \"ntsec\" to be" + echo "able to change user context without password." + echo -n "Default is \"ntsec\". CYGWIN=" + read -e _cygwin + fi + [ -z "${_cygwin}" ] && _cygwin="ntsec" + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under sshd_server account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + else + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under LocalSystem account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + fi + fi + # Now check if sshd has been successfully installed. This allows to + # set the ownership of the affected files correctly. + if cygrunsrv -Q sshd > /dev/null 2>&1 + then + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + _user="sshd_server" + else + _user="system" + fi + chown "${_user}" ${SYSCONFDIR}/ssh* + chown "${_user}".544 ${LOCALSTATEDIR}/empty + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log + fi fi fi fi -if [ "${old_install}" = "1" ] -then - echo - echo "Note: If you have used sshd as service or from inetd, don't forget to" - echo " change the path to sshd.exe in the service entry or in inetd.conf." -fi - echo echo "Host configuration finished. Have fun!" -- cgit v1.2.3