From 83795d61d277df3f090f12336ea3e21b6946ef4f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 1 Dec 2008 21:34:28 +1100 Subject: - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files and tweak the is-sshd-running check in ssh-host-config. Patch from vinschen at redhat com. --- contrib/cygwin/Makefile | 4 +++- contrib/cygwin/ssh-host-config | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'contrib/cygwin')
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
index 3e2d26404..2ebd143dc 100644
--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@@ -38,11 +38,13 @@ install-sshdoc:
 $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
 $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
 $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
+ $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
 $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
 $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+ $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
 $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
 $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
- $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
 $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
 $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index bbb6da4c4..2d367d314 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -456,7 +456,7 @@ done # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running -if ps -ef | grep -v grep | grep -q ssh +if ps -ef | grep -q '/sshd\?$' then echo csih_error "There are still ssh processes running. Please shut them down first." -- cgit v1.2.3 From ca3692d1a9f8c384d3cf799369dcb9c54bb5ec55 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 28 Jan 2009 12:50:04 -0800 Subject: - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. The information given for the setting of the CYGWIN environment variable is wrong for both releases so I just removed it, together with the unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. --- ChangeLog | 9 ++++++++- contrib/cygwin/ssh-host-config | 6 ++---- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'contrib/cygwin') diff --git a/ChangeLog b/ChangeLog index 8584ff316..25ce43ed1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20090128 + - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. + Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. + The information given for the setting of the CYGWIN environment variable + is wrong for both releases so I just removed it, together with the + unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. + 20081228 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 @@ -5095,5 +5102,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5179 2009/01/28 05:38:41 djm Exp $ +$Id: ChangeLog,v 1.5180 2009/01/28 20:50:04 tim Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 2d367d314..d4f5f32d0 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
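Review bot: In the `@@ -456,7` hunk the new test `grep -q '/sshd\?$'` rests on two assumptions the comment above it does not state: `\?` is a GNU extension to basic regular expressions, and `$` can only match if `ps -ef` prints the executable path as the very last field, with no arguments or trailing blanks (presumably true of Cygwin's ps, but worth confirming). If either assumption breaks, the check passes silently and the script goes on to reconfigure the host while sshd is still running. I would spell it `if ps -ef | grep -Eq '/sshd?$'` and extend the comment with `# Matches only a command column that ends in /ssh or /sshd`. The narrower pattern also stops catching helpers such as ssh-agent, which looks intended but should be said in that comment.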
@@ -25,7 +25,7 @@ source ${CSIH_SCRIPT} port_number=22 privsep_configured=no privsep_used=yes -cygwin_value="ntsec" +cygwin_value="" password_value= # ====================================================================== @@ -76,7 +76,7 @@ update_services_file() { fi _serv_tmp="${_my_etcdir}/srv.out.$$" - mount -t -f "${_win_etcdir}" "${_my_etcdir}" + mount -o text -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` @@ -278,8 +278,6 @@ install_service() { echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" if csih_request "(Say \"no\" if it is already installed as a service)" then - csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\"" - csih_inform "for sshd to be able to change user context without password." csih_get_cygenv "${cygwin_value}" if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) -- cgit v1.2.3 From 6a3253496843abf7b10d1aadb46847e8b11039ec Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 29 Jan 2009 12:30:01 -0800 Subject: - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. If the CYGWIN environment variable is empty, the installer script should not install the service with an empty CYGWIN variable, but rather without setting CYGWNI entirely. --- ChangeLog | 8 +++++++- contrib/cygwin/ssh-host-config | 13 +++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) (limited to 'contrib/cygwin') diff --git a/ChangeLog b/ChangeLog index 25ce43ed1..affb5e501 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20090129 + - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. + If the CYGWIN environment variable is empty, the installer script + should not install the service with an empty CYGWIN variable, but + rather without setting CYGWNI entirely. + 20090128 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. 
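Review bot: In the `@@ -76,7` hunk the exit status of `mount -o text -f "${_win_etcdir}" "${_my_etcdir}"` is still ignored, although the very next line is commented as depending on that mount. The option string is being changed here, apparently because it behaved differently across Cygwin releases, so a mount that fails on some version is a realistic case, and the function would then carry on editing whatever `${_services}` happens to resolve to. Suggest `mount -o text -f "${_win_etcdir}" "${_my_etcdir}" || { csih_warning "Mounting ${_win_etcdir} failed!"; return 1; }`. update_services_file starts and ends outside the hunk, so confirm that an early return fits how it is called.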
@@ -5102,5 +5108,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5180 2009/01/28 20:50:04 tim Exp $ +$Id: ChangeLog,v 1.5181 2009/01/29 20:30:01 tim Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index d4f5f32d0..ec03f163d 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -314,10 +314,14 @@ install_service() { csih_check_user "${run_service_as}" + if [ -n "${csih_cygenv}" ] + then + cygwin_env="-e CYGWIN=\"${csih_cygenv}\"" + fi if [ -z "${password}" ] then - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ - -e CYGWIN="${csih_cygenv}" + if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ + -a "-D" -y tcpip ${cygwin_env} then echo csih_inform "The sshd service has been installed under the LocalSystem" @@ -326,8 +330,9 @@ install_service() { csih_inform "will start automatically after the next reboot." fi else - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \ - -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}" + if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ + -a "-D" -y tcpip ${cygwin_env} \ + -u "${run_service_as}" -w "${password}" then echo csih_inform "The sshd service has been installed under the '${run_service_as}'" -- cgit v1.2.3 From 0d8f2f3afa1663386ac80a0b7835b6776d5bcae1 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 29 Jan 2009 12:40:30 -0800 Subject: - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. --- ChangeLog | 3 +- contrib/cygwin/ssh-host-config | 218 ++++++++++++++++++++--------------------- 2 files changed, 111 insertions(+), 110 deletions(-) (limited to 'contrib/cygwin') diff --git a/ChangeLog b/ChangeLog index affb5e501..abb2f7bf5 100644 --- a/ChangeLog +++ b/ChangeLog 
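Review bot: Switching to `eval cygrunsrv …` in the `@@ -314,10` and `@@ -326,8` hunks makes the shell parse the command line a second time, after `${run_service_as}` and `${password}` have already been expanded. A password containing a space, quote, `$`, backtick or `;` is then word-split or interpreted as shell syntax instead of reaching `-w` verbatim, and the same holds for `${csih_cygenv}` inside `cygwin_env`. `cygwin_env` is also never initialised, so a value inherited from the environment would be evaluated whenever `csih_cygenv` is empty. The optional `-e` argument can be carried in an array instead, which needs no `eval`; this assumes the script runs under bash, as the `source` line near its top suggests. install_service begins and ends outside these hunks.

```shell
# … unchanged: csih_check_user "${run_service_as}" …
cygwin_env=()
if [ -n "${csih_cygenv}" ]
then
  cygwin_env=(-e "CYGWIN=${csih_cygenv}")
fi
# … unchanged: if [ -z "${password}" ] / then …
  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
               -a "-D" -y tcpip "${cygwin_env[@]}"
# … unchanged: LocalSystem csih_inform messages, fi, else …
  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
               -a "-D" -y tcpip "${cygwin_env[@]}" \
               -u "${run_service_as}" -w "${password}"
# … unchanged: privileged-account csih_inform messages …
```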
@@ -3,6 +3,7 @@ If the CYGWIN environment variable is empty, the installer script should not install the service with an empty CYGWIN variable, but rather without setting CYGWNI entirely. + - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. 20090128 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. @@ -5108,5 +5109,5 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5181 2009/01/29 20:30:01 tim Exp $ +$Id: ChangeLog,v 1.5182 2009/01/29 20:40:30 tim Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index ec03f163d..57e728fbc 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -37,13 +37,13 @@ create_host_keys() { csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null fi - + if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null fi - + if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" @@ -75,12 +75,12 @@ update_services_file() { _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" - + mount -o text -f "${_win_etcdir}" "${_my_etcdir}" - + # Depends on the above mount _wservices=`cygpath -w "${_services}"` - + # Remove sshd 22/port from services if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] then 
@@ -89,16 +89,16 @@ update_services_file() { then if mv "${_serv_tmp}" "${_services}" then - csih_inform "Removing sshd from ${_wservices}" + csih_inform "Removing sshd from ${_wservices}" else - csih_warning "Removing sshd from ${_wservices} failed!" + csih_warning "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else csih_warning "Removing sshd from ${_wservices} failed!" fi fi - + # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then @@ -106,9 +106,9 @@ update_services_file() { then if mv "${_serv_tmp}" "${_services}" then - csih_inform "Added ssh to ${_wservices}" + csih_inform "Added ssh to ${_wservices}" else - csih_warning "Adding ssh to ${_wservices} failed!" + csih_warning "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else @@ -134,16 +134,16 @@ sshd_privsep() { csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." if csih_request "Should privilege separation be used?" then - privsep_used=yes - if ! csih_create_unprivileged_user sshd - then + privsep_used=yes + if ! csih_create_unprivileged_user sshd + then csih_warning "Couldn't create user 'sshd'!" - csih_warning "Privilege separation set to 'no' again!" - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + csih_warning "Privilege separation set to 'no' again!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" privsep_used=no - fi + fi else - privsep_used=no + privsep_used=no fi else # On 9x don't use privilege separation. Since security isn't @@ -151,7 +151,7 @@ sshd_privsep() { privsep_used=no fi fi - + # Create default sshd_config from skeleton files in /etc/defaults/etc or # modify to add the missing privsep configuration option if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 
@@ -161,8 +161,8 @@ sshd_privsep() { sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ s/^#Port 22/Port ${port_number}/ s/^#StrictModes yes/StrictModes no/" \ - < ${SYSCONFDIR}/sshd_config \ - > "${sshdconfig_tmp}" + < ${SYSCONFDIR}/sshd_config \ + > "${sshdconfig_tmp}" mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config elif [ "${privsep_configured}" != "yes" ] then @@ -193,19 +193,19 @@ update_inetd_conf() { # will be replaced by a file in inetd.d/ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] then - grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" - if [ -f "${_inetcnf_tmp}" ] - then - if mv "${_inetcnf_tmp}" "${_inetcnf}" - then + grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then csih_inform "Removed ssh[d] from ${_inetcnf}" - else + else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" - fi - rm -f "${_inetcnf_tmp}" - else - csih_warning "Removing ssh[d] from ${_inetcnf} failed!" - fi + fi + rm -f "${_inetcnf_tmp}" + else + csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + fi fi fi @@ -214,13 +214,13 @@ update_inetd_conf() { then if [ "${_with_comment}" -eq 0 ] then - sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" else - sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" fi mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" csih_inform "Updated ${_sshd_inetd_conf}" - fi + fi elif [ -f "${_inetcnf}" ] then 
@@ -233,26 +233,26 @@ update_inetd_conf() { grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then - if mv "${_inetcnf_tmp}" "${_inetcnf}" - then + if mv "${_inetcnf_tmp}" "${_inetcnf}" + then csih_inform "Removed sshd from ${_inetcnf}" - else + else csih_warning "Removing sshd from ${_inetcnf} failed!" - fi - rm -f "${_inetcnf_tmp}" + fi + rm -f "${_inetcnf_tmp}" else - csih_warning "Removing sshd from ${_inetcnf} failed!" + csih_warning "Removing sshd from ${_inetcnf} failed!" fi fi - + # Add ssh line to inetd.conf if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] then if [ "${_with_comment}" -eq 0 ] then - echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" else - echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" fi csih_inform "Added ssh to ${_inetcnf}" fi 
@@ -278,83 +278,83 @@ install_service() { echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" if csih_request "(Say \"no\" if it is already installed as a service)" then - csih_get_cygenv "${cygwin_value}" - - if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) - then - csih_inform "On Windows Server 2003, Windows Vista, and above, the" - csih_inform "SYSTEM account cannot setuid to other users -- a capability" - csih_inform "sshd requires. You need to have or to create a privileged" - csih_inform "account. This script will help you do so." - echo - if ! csih_create_privileged_user "${password_value}" - then - csih_error_recoverable "There was a serious problem creating a privileged user." - csih_request "Do you want to proceed anyway?" || exit 1 - fi - fi - - # never returns empty if NT or above - run_service_as=$(csih_service_should_run_as) - - if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] - then - password="${csih_PRIVILEGED_PASSWORD}" - if [ -z "${password}" ] - then - csih_get_value "Please enter the password for user '${run_service_as}':" "-s" - password="${csih_value}" - fi - fi - - # at this point, we either have $run_service_as = "system" and $password is empty, - # or $run_service_as is some privileged user and (hopefully) $password contains - # the correct password. So, from here out, we use '-z "${password}"' to discriminate - # the two cases. - - csih_check_user "${run_service_as}" + csih_get_cygenv "${cygwin_value}" + + if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + then + csih_inform "On Windows Server 2003, Windows Vista, and above, the" + csih_inform "SYSTEM account cannot setuid to other users -- a capability" + csih_inform "sshd requires. You need to have or to create a privileged" + csih_inform "account. This script will help you do so." + echo + if ! 
csih_create_privileged_user "${password_value}" + then + csih_error_recoverable "There was a serious problem creating a privileged user." + csih_request "Do you want to proceed anyway?" || exit 1 + fi + fi + + # never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) + + if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] + then + password="${csih_PRIVILEGED_PASSWORD}" + if [ -z "${password}" ] + then + csih_get_value "Please enter the password for user '${run_service_as}':" "-s" + password="${csih_value}" + fi + fi + + # at this point, we either have $run_service_as = "system" and $password is empty, + # or $run_service_as is some privileged user and (hopefully) $password contains + # the correct password. So, from here out, we use '-z "${password}"' to discriminate + # the two cases. + + csih_check_user "${run_service_as}" if [ -n "${csih_cygenv}" ] then cygwin_env="-e CYGWIN=\"${csih_cygenv}\"" fi - if [ -z "${password}" ] - then + if [ -z "${password}" ] + then if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ -a "-D" -y tcpip ${cygwin_env} - then - echo - csih_inform "The sshd service has been installed under the LocalSystem" - csih_inform "account (also known as SYSTEM). To start the service now, call" - csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" - csih_inform "will start automatically after the next reboot." - fi - else + then + echo + csih_inform "The sshd service has been installed under the LocalSystem" + csih_inform "account (also known as SYSTEM). To start the service now, call" + csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" + csih_inform "will start automatically after the next reboot." + fi + else if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \ -a "-D" -y tcpip ${cygwin_env} \ -u "${run_service_as}" -w "${password}" - then + then echo csih_inform "The sshd service has been installed under the '${run_service_as}'" csih_inform "account. 
To start the service now, call \`net start sshd' or" - csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" - csih_inform "after the next reboot." - fi - fi - - # now, if successfully installed, set ownership of the affected files - if cygrunsrv -Q sshd >/dev/null 2>&1 - then - chown "${run_service_as}" ${SYSCONFDIR}/ssh* - chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty - chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog - if [ -f ${LOCALSTATEDIR}/log/sshd.log ] - then + csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" + csih_inform "after the next reboot." + fi + fi + + # now, if successfully installed, set ownership of the affected files + if cygrunsrv -Q sshd >/dev/null 2>&1 + then + chown "${run_service_as}" ${SYSCONFDIR}/ssh* + chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty + chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log - fi - else - csih_warning "Something went wrong installing the sshd service." - fi + fi + else + csih_warning "Something went wrong installing the sshd service." + fi fi # user allowed us to install as service fi # service not yet installed fi # csih_is_nt @@ -478,9 +478,9 @@ setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] then - echo + echo csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ - "Cannot create ssh host configuration." + "Cannot create ssh host configuration." fi if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] then @@ -523,7 +523,7 @@ sshd_privsep -update_services_file +update_services_file update_inetd_conf install_service -- cgit v1.2.3