summaryrefslogtreecommitdiff
path: root/contrib/cygwin/ssh-host-config
blob: b41a2e49b65f47be3fc13328757780ab73222c5a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    echo "$1 (yes/no) yes"
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    echo "$1 (yes/no) no"
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -c | --cygwin )
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  -w | --pwd )
    password_value="$1"
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'sshd_server'."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f ${LOCALSTATEDIR}/log ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed!"
else
  if [ ! -d ${LOCALSTATEDIR}/log ]
  then
    mkdir -p ${LOCALSTATEDIR}/log
  fi
  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
  then
    chmod 777 ${LOCALSTATEDIR}/log/lastlog
  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
  then
    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
    chmod 666 ${LOCALSTATEDIR}/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
  mkdir -p ${LOCALSTATEDIR}/empty
  if [ ${_nt} -gt 0 ]
  then
    chmod 755 ${LOCALSTATEDIR}/empty
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from skeleton file in /etc/defaults/etc

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
  if [ "${port_number}" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "${privsep_configured}" != "yes" ]
then
  if [ ${_nt} -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    echo
    if request "Should privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "${sshd_in_passwd}" != "yes" ]
      then
	if [ "${sshd_in_sam}" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Should this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "${sshd_in_sam}" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "${sshd_in_sam}" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless additional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
	  s/^#Port 22/Port ${port_number}/
	  s/^#StrictModes yes/StrictModes no/" \
      < ${SYSCONFDIR}/defaults/etc/sshd_config \
      > ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  # On NT, 27 spaces, no space after the hash
  _spaces="                           #"
else
  _win_etcdir="${WINDIR}"
  _services="${_my_etcdir}/SERVICES"
  # On 9x, 18 spaces (95 is very touchy), a space after the hash
  _spaces="                  # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"

mount -t -f "${_win_etcdir}" "${_my_etcdir}"

# Depends on the above mount
_wservices=`cygpath -w "${_services}"`

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_wservices}"
    else
      echo "Removing sshd from ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_wservices} failed!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_wservices}"
    else
      echo "Adding ssh to ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "WARNING: Adding ssh to ${_wservices} failed!"
  fi
fi

umount "${_my_etcdir}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
	echo "Removed sshd from ${_inetcnf}"
      else
	echo "Removing sshd from ${_inetcnf} failed!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ ${_nt} -gt 0 ]
then
  # But only if it is not already installed
  if ! cygrunsrv -Q sshd > /dev/null 2>&1
  then
    echo
    echo
    echo "Warning: The following functions require administrator privileges!"
    echo
    echo "Do you want to install sshd as service?"
    if request "(Say \"no\" if it's already installed as service)"
    then
      if [ $_nt2003 -gt 0 ]
      then
	grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
	if [ "${sshd_server_in_passwd}" = "yes" ]
	then
	  # Drop sshd_server from passwd since it could have wrong settings
	  grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
	  rm -f ${SYSCONFDIR}/passwd
	  mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
	  chmod g-w,o-w ${SYSCONFDIR}/passwd
	fi
	net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
	if [ "${sshd_server_in_sam}" != "yes" ]
	then
	  echo
	  echo "You appear to be running Windows 2003 Server or later.  On 2003 and"
	  echo "later systems, it's not possible to use the LocalSystem account"
	  echo "if sshd should allow passwordless logon (e. g. public key authentication)."
	  echo "If you want to enable that functionality, it's required to create a new"
	  echo "account 'sshd_server' with special privileges, which is then used to run"
	  echo "the sshd service under."
	  echo
	  echo "Should this script create a new local account 'sshd_server' which has"
	  if request "the required privileges?"
	  then
	    _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
	    if [ -z "${_admingroup}" ]
	    then
	      echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
	      exit 1
	    fi
	    dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	    while [ "${sshd_server_in_sam}" != "yes" ]
	    do
	      if [ -n "${password_value}" ]
	      then
		_password="${password_value}"
		# Allow to ask for password if first try fails
		password_value=""
	      else
		echo
		echo "Please enter a password for new user 'sshd_server'.  Please be sure that"
		echo "this password matches the password rules given on your system."
		echo -n "Entering no password will exit the configuration.  PASSWORD="
		read -e _password
		if [ -z "${_password}" ]
		then
		  echo
		  echo "Exiting configuration.  No user sshd_server has been created,"
		  echo "no sshd service installed."
		  exit 1
		fi
	      fi
	      net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
	      if [ "${sshd_server_in_sam}" != "yes" ]
	      then
		echo "Creating the user 'sshd_server' failed!  Reason:"
		cat /tmp/nu.$$
		rm /tmp/nu.$$
	      fi
	    done
	    net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
	    if [ "${sshd_server_in_admingroup}" != "yes" ]
	    then
	      echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
	      echo "Please add sshd_server to local group ${_admingroup} before"
	      echo "starting the sshd service!"
	      echo
	    fi
	    passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
	    if [ "${passwd_has_expiry_flags}" != "yes" ]
	    then
	      echo
	      echo "WARNING: User sshd_server has password expiry set to system default."
	      echo "Please check that password never expires or set it to your needs."
	    elif ! passwd -e sshd_server
	    then
	      echo
	      echo "WARNING: Setting password expiry for user sshd_server failed!"
	      echo "Please check that password never expires or set it to your needs."
	    fi
	    editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
	    editrights -a SeCreateTokenPrivilege -u sshd_server &&
	    editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
	    editrights -a SeDenyNetworkLogonRight -u sshd_server &&
	    editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
	    editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
	    editrights -a SeServiceLogonRight -u sshd_server &&
	    sshd_server_got_all_rights="yes"
	    if [ "${sshd_server_got_all_rights}" != "yes" ]
	    then
	      echo
	      echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
	      echo "Can't create sshd service!"
	      exit 1
	    fi
	    echo
	    echo "User 'sshd_server' has been created with password '${_password}'."
	    echo "If you change the password, please keep in mind to change the password"
	    echo "for the sshd service, too."
	    echo
	    echo "Also keep in mind that the user sshd_server needs read permissions on all"
	    echo "users' .ssh/authorized_keys file to allow public key authentication for"
	    echo "these users!.  (Re-)running ssh-user-config for each user will set the"
	    echo "required permissions correctly."
	    echo
	  fi
	fi
	if [ "${sshd_server_in_sam}" = "yes" ]
	then
	  mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
      if [ -n "${cygwin_value}" ]
      then
	_cygwin="${cygwin_value}"
      else
	echo
	echo "Which value should the environment variable CYGWIN have when"
	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	echo "able to change user context without password."
	echo -n "Default is \"ntsec\".  CYGWIN="
	read -e _cygwin
      fi
      [ -z "${_cygwin}" ] && _cygwin="ntsec"
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
	then
	  echo
	  echo "The service has been installed under sshd_server account."
	  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	fi
      else
	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
	then
	  echo
	  echo "The service has been installed under LocalSystem account."
	  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	fi
      fi
    fi
    # Now check if sshd has been successfully installed.  This allows to
    # set the ownership of the affected files correctly.
    if cygrunsrv -Q sshd > /dev/null 2>&1
    then
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
	_user="sshd_server"
      else
	_user="system"
      fi
      chown "${_user}" ${SYSCONFDIR}/ssh*
      chown "${_user}".544 ${LOCALSTATEDIR}/empty
      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
      then
	chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
      fi
    fi
  fi
fi

echo
echo "Host configuration finished. Have fun!"