Mike Lockwood | 1305e95 | 2011-12-07 08:17:59 -0800 | [diff] [blame] | 1 | #!/bin/bash |
| 2 | # |
| 3 | # ssh-host-config, Copyright 2000-2011 Red Hat Inc. |
| 4 | # |
| 5 | # This file is part of the Cygwin port of OpenSSH. |
| 6 | # |
| 7 | # Permission to use, copy, modify, and distribute this software for any |
| 8 | # purpose with or without fee is hereby granted, provided that the above |
| 9 | # copyright notice and this permission notice appear in all copies. |
| 10 | # |
| 11 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
| 12 | # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
| 13 | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
| 14 | # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, |
| 15 | # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR |
| 16 | # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR |
| 17 | # THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| 18 | |
| 19 | # ====================================================================== |
| 20 | # Initialization |
| 21 | # ====================================================================== |
| 22 | |
| 23 | CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh |
| 24 | |
| 25 | # List of apps used. This is checkad for existance in csih_sanity_check |
| 26 | # Don't use *any* transient commands before sourcing the csih helper script, |
| 27 | # otherwise the sanity checks are short-circuited. |
| 28 | declare -a csih_required_commands=( |
| 29 | /usr/bin/basename coreutils |
| 30 | /usr/bin/cat coreutils |
| 31 | /usr/bin/chmod coreutils |
| 32 | /usr/bin/dirname coreutils |
| 33 | /usr/bin/id coreutils |
| 34 | /usr/bin/mv coreutils |
| 35 | /usr/bin/rm coreutils |
| 36 | /usr/bin/cygpath cygwin |
| 37 | /usr/bin/mount cygwin |
| 38 | /usr/bin/ps cygwin |
| 39 | /usr/bin/setfacl cygwin |
| 40 | /usr/bin/umount cygwin |
| 41 | /usr/bin/cmp diffutils |
| 42 | /usr/bin/grep grep |
| 43 | /usr/bin/awk gawk |
| 44 | /usr/bin/ssh-keygen openssh |
| 45 | /usr/sbin/sshd openssh |
| 46 | /usr/bin/sed sed |
| 47 | ) |
| 48 | csih_sanity_check_server=yes |
| 49 | source ${CSIH_SCRIPT} |
| 50 | |
| 51 | PROGNAME=$(/usr/bin/basename $0) |
| 52 | _tdir=$(/usr/bin/dirname $0) |
| 53 | PROGDIR=$(cd $_tdir && pwd) |
| 54 | |
| 55 | # Subdirectory where the new package is being installed |
| 56 | PREFIX=/usr |
| 57 | |
| 58 | # Directory where the config files are stored |
| 59 | SYSCONFDIR=/etc |
| 60 | LOCALSTATEDIR=/var |
| 61 | |
| 62 | port_number=22 |
| 63 | privsep_configured=no |
| 64 | privsep_used=yes |
| 65 | cygwin_value="" |
| 66 | user_account= |
| 67 | password_value= |
| 68 | opt_force=no |
| 69 | |
| 70 | # ====================================================================== |
| 71 | # Routine: create_host_keys |
| 72 | # ====================================================================== |
| 73 | create_host_keys() { |
| 74 | local ret=0 |
| 75 | |
| 76 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] |
| 77 | then |
| 78 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" |
| 79 | if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
| 80 | then |
| 81 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" |
| 82 | let ++ret |
| 83 | fi |
| 84 | fi |
| 85 | |
| 86 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
| 87 | then |
| 88 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
| 89 | if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
| 90 | then |
| 91 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" |
| 92 | let ++ret |
| 93 | fi |
| 94 | fi |
| 95 | |
| 96 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
| 97 | then |
| 98 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
| 99 | if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null |
| 100 | then |
| 101 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" |
| 102 | let ++ret |
| 103 | fi |
| 104 | fi |
| 105 | |
| 106 | if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] |
| 107 | then |
| 108 | csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" |
| 109 | if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null |
| 110 | then |
| 111 | csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" |
| 112 | let ++ret |
| 113 | fi |
| 114 | fi |
| 115 | return $ret |
| 116 | } # --- End of create_host_keys --- # |
| 117 | |
| 118 | # ====================================================================== |
| 119 | # Routine: update_services_file |
| 120 | # ====================================================================== |
| 121 | update_services_file() { |
| 122 | local _my_etcdir="/ssh-host-config.$$" |
| 123 | local _win_etcdir |
| 124 | local _services |
| 125 | local _spaces |
| 126 | local _serv_tmp |
| 127 | local _wservices |
| 128 | local ret=0 |
| 129 | |
| 130 | _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" |
| 131 | _services="${_my_etcdir}/services" |
| 132 | _spaces=" #" |
| 133 | _serv_tmp="${_my_etcdir}/srv.out.$$" |
| 134 | |
| 135 | /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" |
| 136 | |
| 137 | # Depends on the above mount |
| 138 | _wservices=`cygpath -w "${_services}"` |
| 139 | |
| 140 | # Remove sshd 22/port from services |
| 141 | if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
| 142 | then |
| 143 | /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
| 144 | if [ -f "${_serv_tmp}" ] |
| 145 | then |
| 146 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
| 147 | then |
| 148 | csih_inform "Removing sshd from ${_wservices}" |
| 149 | else |
| 150 | csih_warning "Removing sshd from ${_wservices} failed!" |
| 151 | let ++ret |
| 152 | fi |
| 153 | /usr/bin/rm -f "${_serv_tmp}" |
| 154 | else |
| 155 | csih_warning "Removing sshd from ${_wservices} failed!" |
| 156 | let ++ret |
| 157 | fi |
| 158 | fi |
| 159 | |
| 160 | # Add ssh 22/tcp and ssh 22/udp to services |
| 161 | if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
| 162 | then |
| 163 | if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
| 164 | then |
| 165 | if /usr/bin/mv "${_serv_tmp}" "${_services}" |
| 166 | then |
| 167 | csih_inform "Added ssh to ${_wservices}" |
| 168 | else |
| 169 | csih_warning "Adding ssh to ${_wservices} failed!" |
| 170 | let ++ret |
| 171 | fi |
| 172 | /usr/bin/rm -f "${_serv_tmp}" |
| 173 | else |
| 174 | csih_warning "Adding ssh to ${_wservices} failed!" |
| 175 | let ++ret |
| 176 | fi |
| 177 | fi |
| 178 | /usr/bin/umount "${_my_etcdir}" |
| 179 | return $ret |
| 180 | } # --- End of update_services_file --- # |
| 181 | |
| 182 | # ====================================================================== |
| 183 | # Routine: sshd_privsep |
| 184 | # MODIFIES: privsep_configured privsep_used |
| 185 | # ====================================================================== |
| 186 | sshd_privsep() { |
| 187 | local sshdconfig_tmp |
| 188 | local ret=0 |
| 189 | |
| 190 | if [ "${privsep_configured}" != "yes" ] |
| 191 | then |
| 192 | csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." |
| 193 | csih_inform "However, this requires a non-privileged account called 'sshd'." |
| 194 | csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." |
| 195 | if csih_request "Should privilege separation be used?" |
| 196 | then |
| 197 | privsep_used=yes |
| 198 | if ! csih_create_unprivileged_user sshd |
| 199 | then |
| 200 | csih_error_recoverable "Couldn't create user 'sshd'!" |
| 201 | csih_error_recoverable "Privilege separation set to 'no' again!" |
| 202 | csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" |
| 203 | let ++ret |
| 204 | privsep_used=no |
| 205 | fi |
| 206 | else |
| 207 | privsep_used=no |
| 208 | fi |
| 209 | fi |
| 210 | |
| 211 | # Create default sshd_config from skeleton files in /etc/defaults/etc or |
| 212 | # modify to add the missing privsep configuration option |
| 213 | if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
| 214 | then |
| 215 | csih_inform "Updating ${SYSCONFDIR}/sshd_config file" |
| 216 | sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ |
| 217 | /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ |
| 218 | s/^#Port 22/Port ${port_number}/ |
| 219 | s/^#StrictModes yes/StrictModes no/" \ |
| 220 | < ${SYSCONFDIR}/sshd_config \ |
| 221 | > "${sshdconfig_tmp}" |
| 222 | if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config |
| 223 | then |
| 224 | csih_warning "Setting privilege separation to 'yes' failed!" |
| 225 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" |
| 226 | let ++ret |
| 227 | fi |
| 228 | elif [ "${privsep_configured}" != "yes" ] |
| 229 | then |
| 230 | echo >> ${SYSCONFDIR}/sshd_config |
| 231 | if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config |
| 232 | then |
| 233 | csih_warning "Setting privilege separation to 'yes' failed!" |
| 234 | csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" |
| 235 | let ++ret |
| 236 | fi |
| 237 | fi |
| 238 | return $ret |
| 239 | } # --- End of sshd_privsep --- # |
| 240 | |
| 241 | # ====================================================================== |
| 242 | # Routine: update_inetd_conf |
| 243 | # ====================================================================== |
| 244 | update_inetd_conf() { |
| 245 | local _inetcnf="${SYSCONFDIR}/inetd.conf" |
| 246 | local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" |
| 247 | local _inetcnf_dir="${SYSCONFDIR}/inetd.d" |
| 248 | local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" |
| 249 | local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" |
| 250 | local _with_comment=1 |
| 251 | local ret=0 |
| 252 | |
| 253 | if [ -d "${_inetcnf_dir}" ] |
| 254 | then |
| 255 | # we have inetutils-1.5 inetd.d support |
| 256 | if [ -f "${_inetcnf}" ] |
| 257 | then |
| 258 | /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 |
| 259 | |
| 260 | # check for sshd OR ssh in top-level inetd.conf file, and remove |
| 261 | # will be replaced by a file in inetd.d/ |
| 262 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] |
| 263 | then |
| 264 | /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" |
| 265 | if [ -f "${_inetcnf_tmp}" ] |
| 266 | then |
| 267 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
| 268 | then |
| 269 | csih_inform "Removed ssh[d] from ${_inetcnf}" |
| 270 | else |
| 271 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
| 272 | let ++ret |
| 273 | fi |
| 274 | /usr/bin/rm -f "${_inetcnf_tmp}" |
| 275 | else |
| 276 | csih_warning "Removing ssh[d] from ${_inetcnf} failed!" |
| 277 | let ++ret |
| 278 | fi |
| 279 | fi |
| 280 | fi |
| 281 | |
| 282 | csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" |
| 283 | if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 |
| 284 | then |
| 285 | if [ "${_with_comment}" -eq 0 ] |
| 286 | then |
| 287 | /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
| 288 | else |
| 289 | /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" |
| 290 | fi |
| 291 | if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" |
| 292 | then |
| 293 | csih_inform "Updated ${_sshd_inetd_conf}" |
| 294 | else |
| 295 | csih_warning "Updating ${_sshd_inetd_conf} failed!" |
| 296 | let ++ret |
| 297 | fi |
| 298 | fi |
| 299 | |
| 300 | elif [ -f "${_inetcnf}" ] |
| 301 | then |
| 302 | /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 |
| 303 | |
| 304 | # check for sshd in top-level inetd.conf file, and remove |
| 305 | # will be replaced by a file in inetd.d/ |
| 306 | if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
| 307 | then |
| 308 | /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
| 309 | if [ -f "${_inetcnf_tmp}" ] |
| 310 | then |
| 311 | if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" |
| 312 | then |
| 313 | csih_inform "Removed sshd from ${_inetcnf}" |
| 314 | else |
| 315 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
| 316 | let ++ret |
| 317 | fi |
| 318 | /usr/bin/rm -f "${_inetcnf_tmp}" |
| 319 | else |
| 320 | csih_warning "Removing sshd from ${_inetcnf} failed!" |
| 321 | let ++ret |
| 322 | fi |
| 323 | fi |
| 324 | |
| 325 | # Add ssh line to inetd.conf |
| 326 | if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
| 327 | then |
| 328 | if [ "${_with_comment}" -eq 0 ] |
| 329 | then |
| 330 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
| 331 | else |
| 332 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
| 333 | fi |
| 334 | if [ $? -eq 0 ] |
| 335 | then |
| 336 | csih_inform "Added ssh to ${_inetcnf}" |
| 337 | else |
| 338 | csih_warning "Adding ssh to ${_inetcnf} failed!" |
| 339 | let ++ret |
| 340 | fi |
| 341 | fi |
| 342 | fi |
| 343 | return $ret |
| 344 | } # --- End of update_inetd_conf --- # |
| 345 | |
| 346 | # ====================================================================== |
| 347 | # Routine: check_service_files_ownership |
| 348 | # Checks that the files in /etc and /var belong to the right owner |
| 349 | # ====================================================================== |
| 350 | check_service_files_ownership() { |
| 351 | local run_service_as=$1 |
| 352 | local ret=0 |
| 353 | |
| 354 | if [ -z "${run_service_as}" ] |
| 355 | then |
| 356 | accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') |
| 357 | if [ "${accnt_name}" = "LocalSystem" ] |
| 358 | then |
| 359 | # Convert "LocalSystem" to "SYSTEM" as is the correct account name |
| 360 | accnt_name="SYSTEM:" |
| 361 | elif [[ "${accnt_name}" =~ ^\.\\ ]] |
| 362 | then |
| 363 | # Convert "." domain to local machine name |
| 364 | accnt_name="U-${COMPUTERNAME}${accnt_name#.}," |
| 365 | fi |
| 366 | run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') |
| 367 | if [ -z "${run_service_as}" ] |
| 368 | then |
| 369 | csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" |
| 370 | csih_warning "As a result, this script cannot make sure that the files used" |
| 371 | csih_warning "by the sshd service belong to the user running the service." |
| 372 | csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" |
| 373 | csih_warning "file is in a good shape." |
| 374 | return 1 |
| 375 | fi |
| 376 | fi |
| 377 | for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub |
| 378 | do |
| 379 | if [ -f "$i" ] |
| 380 | then |
| 381 | if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 |
| 382 | then |
| 383 | csih_warning "Couldn't change owner of $i!" |
| 384 | let ++ret |
| 385 | fi |
| 386 | fi |
| 387 | done |
| 388 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 |
| 389 | then |
| 390 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" |
| 391 | let ++ret |
| 392 | fi |
| 393 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 |
| 394 | then |
| 395 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" |
| 396 | let ++ret |
| 397 | fi |
| 398 | if [ -f ${LOCALSTATEDIR}/log/sshd.log ] |
| 399 | then |
| 400 | if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 |
| 401 | then |
| 402 | csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" |
| 403 | let ++ret |
| 404 | fi |
| 405 | fi |
| 406 | if [ $ret -ne 0 ] |
| 407 | then |
| 408 | csih_warning "Couldn't change owner of important files to ${run_service_as}!" |
| 409 | csih_warning "This may cause the sshd service to fail! Please make sure that" |
| 410 | csih_warning "you have suufficient permissions to change the ownership of files" |
| 411 | csih_warning "and try to run the ssh-host-config script again." |
| 412 | fi |
| 413 | return $ret |
| 414 | } # --- End of check_service_files_ownership --- # |
| 415 | |
| 416 | # ====================================================================== |
| 417 | # Routine: install_service |
| 418 | # Install sshd as a service |
| 419 | # ====================================================================== |
| 420 | install_service() { |
| 421 | local run_service_as |
| 422 | local password |
| 423 | local ret=0 |
| 424 | |
| 425 | echo |
| 426 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 |
| 427 | then |
| 428 | csih_inform "Sshd service is already installed." |
| 429 | check_service_files_ownership "" || let ret+=$? |
| 430 | else |
| 431 | echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" |
| 432 | if csih_request "(Say \"no\" if it is already installed as a service)" |
| 433 | then |
| 434 | csih_get_cygenv "${cygwin_value}" |
| 435 | |
| 436 | if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) |
| 437 | then |
| 438 | csih_inform "On Windows Server 2003, Windows Vista, and above, the" |
| 439 | csih_inform "SYSTEM account cannot setuid to other users -- a capability" |
| 440 | csih_inform "sshd requires. You need to have or to create a privileged" |
| 441 | csih_inform "account. This script will help you do so." |
| 442 | echo |
| 443 | |
| 444 | [ "${opt_force}" = "yes" ] && opt_f=-f |
| 445 | [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" |
| 446 | csih_select_privileged_username ${opt_f} ${opt_u} sshd |
| 447 | |
| 448 | if ! csih_create_privileged_user "${password_value}" |
| 449 | then |
| 450 | csih_error_recoverable "There was a serious problem creating a privileged user." |
| 451 | csih_request "Do you want to proceed anyway?" || exit 1 |
| 452 | let ++ret |
| 453 | fi |
| 454 | fi |
| 455 | |
| 456 | # Never returns empty if NT or above |
| 457 | run_service_as=$(csih_service_should_run_as) |
| 458 | |
| 459 | if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] |
| 460 | then |
| 461 | password="${csih_PRIVILEGED_PASSWORD}" |
| 462 | if [ -z "${password}" ] |
| 463 | then |
| 464 | csih_get_value "Please enter the password for user '${run_service_as}':" "-s" |
| 465 | password="${csih_value}" |
| 466 | fi |
| 467 | fi |
| 468 | |
| 469 | # At this point, we either have $run_service_as = "system" and |
| 470 | # $password is empty, or $run_service_as is some privileged user and |
| 471 | # (hopefully) $password contains the correct password. So, from here |
| 472 | # out, we use '-z "${password}"' to discriminate the two cases. |
| 473 | |
| 474 | csih_check_user "${run_service_as}" |
| 475 | |
| 476 | if [ -n "${csih_cygenv}" ] |
| 477 | then |
| 478 | cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) |
| 479 | fi |
| 480 | if [ -z "${password}" ] |
| 481 | then |
| 482 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ |
| 483 | -a "-D" -y tcpip "${cygwin_env[@]}" |
| 484 | then |
| 485 | echo |
| 486 | csih_inform "The sshd service has been installed under the LocalSystem" |
| 487 | csih_inform "account (also known as SYSTEM). To start the service now, call" |
| 488 | csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" |
| 489 | csih_inform "will start automatically after the next reboot." |
| 490 | fi |
| 491 | else |
| 492 | if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ |
| 493 | -a "-D" -y tcpip "${cygwin_env[@]}" \ |
| 494 | -u "${run_service_as}" -w "${password}" |
| 495 | then |
| 496 | echo |
| 497 | csih_inform "The sshd service has been installed under the '${run_service_as}'" |
| 498 | csih_inform "account. To start the service now, call \`net start sshd' or" |
| 499 | csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" |
| 500 | csih_inform "after the next reboot." |
| 501 | fi |
| 502 | fi |
| 503 | |
| 504 | if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 |
| 505 | then |
| 506 | check_service_files_ownership "${run_service_as}" || let ret+=$? |
| 507 | else |
| 508 | csih_error_recoverable "Installing sshd as a service failed!" |
| 509 | let ++ret |
| 510 | fi |
| 511 | fi # user allowed us to install as service |
| 512 | fi # service not yet installed |
| 513 | return $ret |
| 514 | } # --- End of install_service --- # |
| 515 | |
| 516 | # ====================================================================== |
| 517 | # Main Entry Point |
| 518 | # ====================================================================== |
| 519 | |
| 520 | # Check how the script has been started. If |
| 521 | # (1) it has been started by giving the full path and |
| 522 | # that path is /etc/postinstall, OR |
| 523 | # (2) Otherwise, if the environment variable |
| 524 | # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set |
| 525 | # then set auto_answer to "no". This allows automatic |
| 526 | # creation of the config files in /etc w/o overwriting |
| 527 | # them if they already exist. In both cases, color |
| 528 | # escape sequences are suppressed, so as to prevent |
| 529 | # cluttering setup's logfiles. |
| 530 | if [ "$PROGDIR" = "/etc/postinstall" ] |
| 531 | then |
| 532 | csih_auto_answer="no" |
| 533 | csih_disable_color |
| 534 | opt_force=yes |
| 535 | fi |
| 536 | if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] |
| 537 | then |
| 538 | csih_auto_answer="no" |
| 539 | csih_disable_color |
| 540 | opt_force=yes |
| 541 | fi |
| 542 | |
| 543 | # ====================================================================== |
| 544 | # Parse options |
| 545 | # ====================================================================== |
| 546 | while : |
| 547 | do |
| 548 | case $# in |
| 549 | 0) |
| 550 | break |
| 551 | ;; |
| 552 | esac |
| 553 | |
| 554 | option=$1 |
| 555 | shift |
| 556 | |
| 557 | case "${option}" in |
| 558 | -d | --debug ) |
| 559 | set -x |
| 560 | csih_trace_on |
| 561 | ;; |
| 562 | |
| 563 | -y | --yes ) |
| 564 | csih_auto_answer=yes |
| 565 | opt_force=yes |
| 566 | ;; |
| 567 | |
| 568 | -n | --no ) |
| 569 | csih_auto_answer=no |
| 570 | opt_force=yes |
| 571 | ;; |
| 572 | |
| 573 | -c | --cygwin ) |
| 574 | cygwin_value="$1" |
| 575 | shift |
| 576 | ;; |
| 577 | |
| 578 | -p | --port ) |
| 579 | port_number=$1 |
| 580 | shift |
| 581 | ;; |
| 582 | |
| 583 | -u | --user ) |
| 584 | user_account="$1" |
| 585 | shift |
| 586 | ;; |
| 587 | |
| 588 | -w | --pwd ) |
| 589 | password_value="$1" |
| 590 | shift |
| 591 | ;; |
| 592 | |
| 593 | --privileged ) |
| 594 | csih_FORCE_PRIVILEGED_USER=yes |
| 595 | ;; |
| 596 | |
| 597 | *) |
| 598 | echo "usage: ${progname} [OPTION]..." |
| 599 | echo |
| 600 | echo "This script creates an OpenSSH host configuration." |
| 601 | echo |
| 602 | echo "Options:" |
| 603 | echo " --debug -d Enable shell's debug output." |
| 604 | echo " --yes -y Answer all questions with \"yes\" automatically." |
| 605 | echo " --no -n Answer all questions with \"no\" automatically." |
| 606 | echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." |
| 607 | echo " --port -p <n> sshd listens on port n." |
| 608 | echo " --user -u <account> privileged user for service." |
| 609 | echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user." |
| 610 | echo " --privileged On Windows NT/2k/XP, require privileged user" |
| 611 | echo " instead of LocalSystem for sshd service." |
| 612 | echo |
| 613 | exit 1 |
| 614 | ;; |
| 615 | |
| 616 | esac |
| 617 | done |
| 618 | |
| 619 | # ====================================================================== |
| 620 | # Action! |
| 621 | # ====================================================================== |
| 622 | |
| 623 | # Check for running ssh/sshd processes first. Refuse to do anything while |
| 624 | # some ssh processes are still running |
| 625 | if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' |
| 626 | then |
| 627 | echo |
| 628 | csih_error "There are still ssh processes running. Please shut them down first." |
| 629 | fi |
| 630 | |
| 631 | # Make sure the user is running in an administrative context |
| 632 | admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) |
| 633 | if [ "${admin}" != "yes" ] |
| 634 | then |
| 635 | echo |
| 636 | csih_warning "Running this script typically requires administrator privileges!" |
| 637 | csih_warning "However, it seems your account does not have these privileges." |
| 638 | csih_warning "Here's the list of groups in your user token:" |
| 639 | echo |
| 640 | for i in $(/usr/bin/id -G) |
| 641 | do |
| 642 | /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group |
| 643 | done |
| 644 | echo |
| 645 | csih_warning "This usually means you're running this script from a non-admin" |
| 646 | csih_warning "desktop session, or in a non-elevated shell under UAC control." |
| 647 | echo |
| 648 | csih_warning "Make sure you have the appropriate privileges right now," |
| 649 | csih_warning "otherwise parts of this script will probably fail!" |
| 650 | echo |
| 651 | echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" |
| 652 | if ! csih_request "you have the required privileges)" |
| 653 | then |
| 654 | echo |
| 655 | csih_inform "Ok. Exiting. Make sure to switch to an administrative account" |
| 656 | csih_inform "or to start this script from an elevated shell." |
| 657 | exit 1 |
| 658 | fi |
| 659 | fi |
| 660 | |
| 661 | echo |
| 662 | |
| 663 | warning_cnt=0 |
| 664 | |
| 665 | # Check for ${SYSCONFDIR} directory |
| 666 | csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." |
| 667 | if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 |
| 668 | then |
| 669 | csih_warning "Can't set permissions on ${SYSCONFDIR}!" |
| 670 | let ++warning_cnt |
| 671 | fi |
| 672 | if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 |
| 673 | then |
| 674 | csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" |
| 675 | let ++warning_cnt |
| 676 | fi |
| 677 | |
| 678 | # Check for /var/log directory |
| 679 | csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." |
| 680 | if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 |
| 681 | then |
| 682 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" |
| 683 | let ++warning_cnt |
| 684 | fi |
| 685 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 |
| 686 | then |
| 687 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" |
| 688 | let ++warning_cnt |
| 689 | fi |
| 690 | |
| 691 | # Create /var/log/lastlog if not already exists |
| 692 | if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] |
| 693 | then |
| 694 | echo |
| 695 | csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ |
| 696 | "Cannot create ssh host configuration." |
| 697 | fi |
| 698 | if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] |
| 699 | then |
| 700 | /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog |
| 701 | if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 |
| 702 | then |
| 703 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" |
| 704 | let ++warning_cnt |
| 705 | fi |
| 706 | fi |
| 707 | |
| 708 | # Create /var/empty file used as chroot jail for privilege separation |
| 709 | csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." |
| 710 | if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 |
| 711 | then |
| 712 | csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" |
| 713 | let ++warning_cnt |
| 714 | fi |
| 715 | if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 |
| 716 | then |
| 717 | csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" |
| 718 | let ++warning_cnt |
| 719 | fi |
| 720 | |
| 721 | # host keys |
| 722 | create_host_keys || let warning_cnt+=$? |
| 723 | |
| 724 | # handle ssh_config |
| 725 | csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
| 726 | if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 |
| 727 | then |
| 728 | if [ "${port_number}" != "22" ] |
| 729 | then |
| 730 | csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" |
| 731 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config |
| 732 | echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config |
| 733 | fi |
| 734 | fi |
| 735 | |
| 736 | # handle sshd_config (and privsep) |
| 737 | csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt |
| 738 | if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 |
| 739 | then |
| 740 | /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
| 741 | fi |
| 742 | sshd_privsep || let warning_cnt+=$? |
| 743 | |
| 744 | update_services_file || let warning_cnt+=$? |
| 745 | update_inetd_conf || let warning_cnt+=$? |
| 746 | install_service || let warning_cnt+=$? |
| 747 | |
| 748 | echo |
| 749 | if [ $warning_cnt -eq 0 ] |
| 750 | then |
| 751 | csih_inform "Host configuration finished. Have fun!" |
| 752 | else |
| 753 | csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" |
| 754 | csih_warning "Make sure that all problems reported are fixed," |
| 755 | csih_warning "then re-run ssh-host-config." |
| 756 | fi |
| 757 | exit $warning_cnt |