Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 54e3773ccb55500087fc722c79869679700dc318 / . / contrib / cygwin / ssh-host-config
blob: e2ad69f19f81146d58d2fdc229781a67b036ffd7 [file] [log] [blame]
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]1#!/bin/bash
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]2#
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]3# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]4#
5# This file is part of the Cygwin port of OpenSSH.
6
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]7# Subdirectory where the new package is being installed
8PREFIX=/usr
9
10# Directory where the config files are stored
11SYSCONFDIR=/etc
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]12LOCALSTATEDIR=/var
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]13
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]14progname=$0
15auto_answer=""
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]16port_number=22
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]17
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]18privsep_configured=no
19privsep_used=yes
20sshd_in_passwd=no
21sshd_in_sam=no
22
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]23request()
24{
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]25 if [ "${auto_answer}" = "yes" ]
26 then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]27 echo "$1 (yes/no) yes"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]28 return 0
29 elif [ "${auto_answer}" = "no" ]
30 then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]31 echo "$1 (yes/no) no"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]32 return 1
33 fi
34
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]35 answer=""
36 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
37 do
38 echo -n "$1 (yes/no) "
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]39 read -e answer
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]40 done
41 if [ "X${answer}" = "Xyes" ]
42 then
43 return 0
44 else
45 return 1
46 fi
47}
48
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]49# Check options
50
51while :
52do
53 case $# in
54 0)
55 break
56 ;;
57 esac
58
59 option=$1
60 shift
61
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]62 case "${option}" in
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]63 -d | --debug )
64 set -x
65 ;;
66
67 -y | --yes )
68 auto_answer=yes
69 ;;
70
71 -n | --no )
72 auto_answer=no
73 ;;
74
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]75 -c | --cygwin )
76 cygwin_value="$1"
77 shift
78 ;;
79
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]80 -p | --port )
81 port_number=$1
82 shift
83 ;;
84
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]85 -w | --pwd )
86 password_value="$1"
87 shift
88 ;;
89
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]90 *)
91 echo "usage: ${progname} [OPTION]..."
92 echo
93 echo "This script creates an OpenSSH host configuration."
94 echo
95 echo "Options:"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]96 echo " --debug -d Enable shell's debug output."
97 echo " --yes -y Answer all questions with \"yes\" automatically."
98 echo " --no -n Answer all questions with \"no\" automatically."
99 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
100 echo " --port -p <n> sshd listens on port n."
101 echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]102 echo
103 exit 1
104 ;;
105
106 esac
107done
108
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]109# Check if running on NT
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]110_sys="`uname`"
111_nt=`expr "${_sys}" : "CYGWIN_NT"`
112# If running on NT, check if running under 2003 Server or later
113if [ ${_nt} -gt 0 ]
114then
115 _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
116fi
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]117
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]118# Check for running ssh/sshd processes first. Refuse to do anything while
119# some ssh processes are still running
120
121if ps -ef | grep -v grep | grep -q ssh
122then
123 echo
124 echo "There are still ssh processes running. Please shut them down first."
125 echo
Tim Ricee475a3c2002-07-07 14:07:46 -0700[diff] [blame]126 exit 1
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]127fi
128
129# Check for ${SYSCONFDIR} directory
130
131if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
132then
133 echo
134 echo "${SYSCONFDIR} is existant but not a directory."
135 echo "Cannot create global configuration files."
136 echo
137 exit 1
138fi
139
140# Create it if necessary
141
142if [ ! -e "${SYSCONFDIR}" ]
143then
144 mkdir "${SYSCONFDIR}"
145 if [ ! -e "${SYSCONFDIR}" ]
146 then
147 echo
148 echo "Creating ${SYSCONFDIR} directory failed"
149 echo
150 exit 1
151 fi
152fi
153
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]154# Create /var/log and /var/log/lastlog if not already existing
155
Darren Tucker18614c22006-03-04 08:50:31 +1100[diff] [blame]156if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]157then
Darren Tucker18614c22006-03-04 08:50:31 +1100[diff] [blame]158 echo
159 echo "${LOCALSTATEDIR}/log is existant but not a directory."
160 echo "Cannot create ssh host configuration."
161 echo
162 exit 1
163fi
164if [ ! -e ${LOCALSTATEDIR}/log ]
165then
166 mkdir -p ${LOCALSTATEDIR}/log
167fi
168
169if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
170then
171 echo
172 echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
173 echo "Cannot create ssh host configuration."
174 echo
175 exit 1
176fi
177if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
178then
179 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
180 chmod 644 ${LOCALSTATEDIR}/log/lastlog
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]181fi
182
183# Create /var/empty file used as chroot jail for privilege separation
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]184if [ -f ${LOCALSTATEDIR}/empty ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]185then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]186 echo "Creating ${LOCALSTATEDIR}/empty failed!"
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]187else
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]188 mkdir -p ${LOCALSTATEDIR}/empty
189 if [ ${_nt} -gt 0 ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]190 then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]191 chmod 755 ${LOCALSTATEDIR}/empty
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]192 fi
193fi
194
195# First generate host keys if not already existing
196
197if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
198then
199 echo "Generating ${SYSCONFDIR}/ssh_host_key"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]200 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
201fi
202
203if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
204then
205 echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
206 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]207fi
208
209if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
210then
211 echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]212 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]213fi
214
215# Check if ssh_config exists. If yes, ask for overwriting
216
217if [ -f "${SYSCONFDIR}/ssh_config" ]
218then
219 if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
220 then
221 rm -f "${SYSCONFDIR}/ssh_config"
222 if [ -f "${SYSCONFDIR}/ssh_config" ]
223 then
224 echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
225 fi
226 fi
227fi
228
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]229# Create default ssh_config from skeleton file in /etc/defaults/etc
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]230
231if [ ! -f "${SYSCONFDIR}/ssh_config" ]
232then
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]233 echo "Generating ${SYSCONFDIR}/ssh_config file"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]234 cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
235 if [ "${port_number}" != "22" ]
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]236 then
237 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]238 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]239 fi
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]240fi
241
242# Check if sshd_config exists. If yes, ask for overwriting
243
244if [ -f "${SYSCONFDIR}/sshd_config" ]
245then
246 if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
247 then
248 rm -f "${SYSCONFDIR}/sshd_config"
249 if [ -f "${SYSCONFDIR}/sshd_config" ]
250 then
251 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
252 fi
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]253 else
254 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]255 fi
256fi
257
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]258# Prior to creating or modifying sshd_config, care for privilege separation
259
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]260if [ "${privsep_configured}" != "yes" ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]261then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]262 if [ ${_nt} -gt 0 ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]263 then
264 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
265 echo "However, this requires a non-privileged account called 'sshd'."
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]266 echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]267 echo
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]268 if request "Should privilege separation be used?"
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]269 then
270 privsep_used=yes
271 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
272 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]273 if [ "${sshd_in_passwd}" != "yes" ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]274 then
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]275 if [ "${sshd_in_sam}" != "yes" ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]276 then
277 echo "Warning: The following function requires administrator privileges!"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]278 if request "Should this script create a local user 'sshd' on this machine?"
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]279 then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]280 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
281 net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
282 if [ "${sshd_in_sam}" != "yes" ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]283 then
284 echo "Warning: Creating the user 'sshd' failed!"
285 fi
286 fi
287 fi
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]288 if [ "${sshd_in_sam}" != "yes" ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]289 then
290 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
291 echo " Privilege separation set to 'no' again!"
292 echo " Check your ${SYSCONFDIR}/sshd_config file!"
293 privsep_used=no
294 else
Tim Ricee475a3c2002-07-07 14:07:46 -0700[diff] [blame]295 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]296 fi
297 fi
298 else
299 privsep_used=no
300 fi
301 else
302 # On 9x don't use privilege separation. Since security isn't
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]303 # available it just adds useless additional processes.
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]304 privsep_used=no
305 fi
306fi
307
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]308# Create default sshd_config from skeleton files in /etc/defaults/etc or
309# modify to add the missing privsep configuration option
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]310
311if [ ! -f "${SYSCONFDIR}/sshd_config" ]
312then
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]313 echo "Generating ${SYSCONFDIR}/sshd_config file"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]314 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
315 s/^#Port 22/Port ${port_number}/
316 s/^#StrictModes yes/StrictModes no/" \
317 < ${SYSCONFDIR}/defaults/etc/sshd_config \
318 > ${SYSCONFDIR}/sshd_config
319elif [ "${privsep_configured}" != "yes" ]
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]320then
321 echo >> ${SYSCONFDIR}/sshd_config
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]322 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]323fi
324
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]325# Care for services file
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]326_my_etcdir="/ssh-host-config.$$"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]327if [ ${_nt} -gt 0 ]
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]328then
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]329 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
330 _services="${_my_etcdir}/services"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]331 # On NT, 27 spaces, no space after the hash
332 _spaces=" #"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]333else
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]334 _win_etcdir="${WINDIR}"
335 _services="${_my_etcdir}/SERVICES"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]336 # On 9x, 18 spaces (95 is very touchy), a space after the hash
337 _spaces=" # "
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]338fi
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]339_serv_tmp="${_my_etcdir}/srv.out.$$"
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]340
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]341mount -t -f "${_win_etcdir}" "${_my_etcdir}"
342
343# Depends on the above mount
344_wservices=`cygpath -w "${_services}"`
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]345
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]346# Remove sshd 22/port from services
347if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]348then
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]349 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
350 if [ -f "${_serv_tmp}" ]
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]351 then
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]352 if mv "${_serv_tmp}" "${_services}"
353 then
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]354 echo "Removing sshd from ${_wservices}"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]355 else
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]356 echo "Removing sshd from ${_wservices} failed!"
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]357 fi
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]358 rm -f "${_serv_tmp}"
359 else
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]360 echo "Removing sshd from ${_wservices} failed!"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]361 fi
362fi
363
364# Add ssh 22/tcp and ssh 22/udp to services
365if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
366then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]367 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]368 then
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]369 if mv "${_serv_tmp}" "${_services}"
370 then
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]371 echo "Added ssh to ${_wservices}"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]372 else
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]373 echo "Adding ssh to ${_wservices} failed!"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]374 fi
375 rm -f "${_serv_tmp}"
376 else
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]377 echo "WARNING: Adding ssh to ${_wservices} failed!"
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]378 fi
379fi
380
Darren Tucker7c582db2003-11-03 18:59:29 +1100[diff] [blame]381umount "${_my_etcdir}"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]382
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]383# Care for inetd.conf file
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000[diff] [blame]384_inetcnf="${SYSCONFDIR}/inetd.conf"
385_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]386
387if [ -f "${_inetcnf}" ]
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]388then
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]389 # Check if ssh service is already in use as sshd
390 with_comment=1
391 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
392 # Remove sshd line from inetd.conf
393 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
394 then
395 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
396 if [ -f "${_inetcnf_tmp}" ]
397 then
398 if mv "${_inetcnf_tmp}" "${_inetcnf}"
399 then
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]400 echo "Removed sshd from ${_inetcnf}"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]401 else
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]402 echo "Removing sshd from ${_inetcnf} failed!"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]403 fi
404 rm -f "${_inetcnf_tmp}"
405 else
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]406 echo "Removing sshd from ${_inetcnf} failed!"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]407 fi
408 fi
409
410 # Add ssh line to inetd.conf
411 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
412 then
413 if [ "${with_comment}" -eq 0 ]
414 then
Ben Lindstromc42f7cf2002-04-12 17:44:13 +0000[diff] [blame]415 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]416 else
Ben Lindstromc42f7cf2002-04-12 17:44:13 +0000[diff] [blame]417 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
Damien Miller8ac0a7e2001-03-07 21:38:19 +1100[diff] [blame]418 fi
419 echo "Added ssh to ${_inetcnf}"
420 fi
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]421fi
422
Ben Lindstroma5820292001-07-18 16:25:41 +0000[diff] [blame]423# On NT ask if sshd should be installed as service
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]424if [ ${_nt} -gt 0 ]
Ben Lindstroma5820292001-07-18 16:25:41 +0000[diff] [blame]425then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]426 # But only if it is not already installed
427 if ! cygrunsrv -Q sshd > /dev/null 2>&1
Ben Lindstroma5820292001-07-18 16:25:41 +0000[diff] [blame]428 then
429 echo
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]430 echo
431 echo "Warning: The following functions require administrator privileges!"
432 echo
433 echo "Do you want to install sshd as service?"
434 if request "(Say \"no\" if it's already installed as service)"
Ben Lindstroma5820292001-07-18 16:25:41 +0000[diff] [blame]435 then
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]436 if [ $_nt2003 -gt 0 ]
437 then
438 grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
439 if [ "${sshd_server_in_passwd}" = "yes" ]
440 then
441 # Drop sshd_server from passwd since it could have wrong settings
442 grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
443 rm -f ${SYSCONFDIR}/passwd
444 mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
445 chmod g-w,o-w ${SYSCONFDIR}/passwd
446 fi
447 net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
448 if [ "${sshd_server_in_sam}" != "yes" ]
449 then
450 echo
451 echo "You appear to be running Windows 2003 Server or later. On 2003 and"
452 echo "later systems, it's not possible to use the LocalSystem account"
453 echo "if sshd should allow passwordless logon (e. g. public key authentication)."
454 echo "If you want to enable that functionality, it's required to create a new"
455 echo "account 'sshd_server' with special privileges, which is then used to run"
456 echo "the sshd service under."
457 echo
458 echo "Should this script create a new local account 'sshd_server' which has"
459 if request "the required privileges?"
460 then
Darren Tuckera21380b2005-03-13 21:20:18 +1100[diff] [blame]461 _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]462 if [ -z "${_admingroup}" ]
463 then
Darren Tuckera21380b2005-03-13 21:20:18 +1100[diff] [blame]464 echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]465 exit 1
466 fi
467 dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
468 while [ "${sshd_server_in_sam}" != "yes" ]
469 do
470 if [ -n "${password_value}" ]
471 then
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]472 _password="${password_value}"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]473 # Allow to ask for password if first try fails
474 password_value=""
475 else
476 echo
477 echo "Please enter a password for new user 'sshd_server'. Please be sure that"
478 echo "this password matches the password rules given on your system."
479 echo -n "Entering no password will exit the configuration. PASSWORD="
480 read -e _password
481 if [ -z "${_password}" ]
482 then
483 echo
484 echo "Exiting configuration. No user sshd_server has been created,"
485 echo "no sshd service installed."
486 exit 1
487 fi
488 fi
489 net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
490 if [ "${sshd_server_in_sam}" != "yes" ]
491 then
492 echo "Creating the user 'sshd_server' failed! Reason:"
493 cat /tmp/nu.$$
494 rm /tmp/nu.$$
495 fi
496 done
497 net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
498 if [ "${sshd_server_in_admingroup}" != "yes" ]
499 then
500 echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
501 echo "Please add sshd_server to local group ${_admingroup} before"
502 echo "starting the sshd service!"
503 echo
504 fi
505 passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
506 if [ "${passwd_has_expiry_flags}" != "yes" ]
507 then
508 echo
509 echo "WARNING: User sshd_server has password expiry set to system default."
510 echo "Please check that password never expires or set it to your needs."
511 elif ! passwd -e sshd_server
512 then
513 echo
514 echo "WARNING: Setting password expiry for user sshd_server failed!"
515 echo "Please check that password never expires or set it to your needs."
516 fi
517 editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
518 editrights -a SeCreateTokenPrivilege -u sshd_server &&
Darren Tucker288cbbd2006-08-31 11:28:49 +1000[diff] [blame]519 editrights -a SeTcbPrivilege -u sshd_server &&
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]520 editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
521 editrights -a SeDenyNetworkLogonRight -u sshd_server &&
522 editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
523 editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
524 editrights -a SeServiceLogonRight -u sshd_server &&
525 sshd_server_got_all_rights="yes"
526 if [ "${sshd_server_got_all_rights}" != "yes" ]
527 then
528 echo
529 echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
530 echo "Can't create sshd service!"
531 exit 1
532 fi
533 echo
534 echo "User 'sshd_server' has been created with password '${_password}'."
535 echo "If you change the password, please keep in mind to change the password"
536 echo "for the sshd service, too."
537 echo
538 echo "Also keep in mind that the user sshd_server needs read permissions on all"
539 echo "users' .ssh/authorized_keys file to allow public key authentication for"
540 echo "these users!. (Re-)running ssh-user-config for each user will set the"
541 echo "required permissions correctly."
542 echo
543 fi
544 fi
545 if [ "${sshd_server_in_sam}" = "yes" ]
546 then
547 mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
548 fi
549 fi
550 if [ -n "${cygwin_value}" ]
551 then
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]552 _cygwin="${cygwin_value}"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]553 else
554 echo
555 echo "Which value should the environment variable CYGWIN have when"
556 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
557 echo "able to change user context without password."
558 echo -n "Default is \"ntsec\". CYGWIN="
559 read -e _cygwin
560 fi
561 [ -z "${_cygwin}" ] && _cygwin="ntsec"
562 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
563 then
Darren Tuckere78c6ce2006-01-10 00:02:44 +1100[diff] [blame]564 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]565 then
566 echo
567 echo "The service has been installed under sshd_server account."
568 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
569 fi
570 else
Darren Tuckere78c6ce2006-01-10 00:02:44 +1100[diff] [blame]571 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]572 then
573 echo
574 echo "The service has been installed under LocalSystem account."
575 echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
576 fi
577 fi
578 fi
579 # Now check if sshd has been successfully installed. This allows to
580 # set the ownership of the affected files correctly.
581 if cygrunsrv -Q sshd > /dev/null 2>&1
582 then
583 if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
584 then
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]585 _user="sshd_server"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]586 else
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]587 _user="system"
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]588 fi
589 chown "${_user}" ${SYSCONFDIR}/ssh*
590 chown "${_user}".544 ${LOCALSTATEDIR}/empty
Darren Tucker18614c22006-03-04 08:50:31 +1100[diff] [blame]591 chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
Darren Tucker798ca842003-11-13 11:28:49 +1100[diff] [blame]592 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
593 then
594 chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
595 fi
Ben Lindstroma5820292001-07-18 16:25:41 +0000[diff] [blame]596 fi
Darren Tuckerfa2211d2005-05-09 23:48:17 +1000[diff] [blame]597 if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
598 then
599 echo
600 echo "Warning: It appears that you have user mode mounts (\"Just me\""
601 echo "chosen during install.) Any daemons installed as services will"
602 echo "fail to function unless system mounts are used. To change this,"
603 echo "re-run setup.exe and choose \"All users\"."
604 echo
605 echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
606 fi
Ben Lindstroma5820292001-07-18 16:25:41 +0000[diff] [blame]607 fi
608fi
609
Kevin Steves9be6e262000-10-29 19:18:49 +0000[diff] [blame]610echo
Ben Lindstromb100ec92001-01-19 05:37:32 +0000[diff] [blame]611echo "Host configuration finished. Have fun!"