#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Sets up the host side of an OpenSSH installation on Cygwin: host keys,
# ssh_config/sshd_config, the services and inetd.conf entries and, on NT,
# the sshd service itself.  Questions are asked on the terminal unless
# -y/-n answers them all in advance.

# Install locations: the package lives below PREFIX, configuration in
# SYSCONFDIR, runtime state (logs, privsep directory) below LOCALSTATEDIR.
PREFIX=/usr
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

# Command-line state: script name for the usage text, the -y/-n answer
# (empty means "ask"), and the port sshd will listen on (-p).
progname="$0"
auto_answer=''
port_number=22

# Privilege-separation bookkeeping, filled in further down:
#   privsep_configured - an existing sshd_config already mentions the option
#   privsep_used       - the value that ends up in sshd_config
#   sshd_in_passwd     - the 'sshd' account is present in the passwd file
#   sshd_in_sam        - the 'sshd' account exists in the Windows SAM
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
22
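#######################################
# Ask a yes/no question, honouring -y/-n.
# Globals:   auto_answer (read)  - "yes" or "no" answers without prompting
#            answer (written)    - the last line read from stdin
# Arguments: $1 - question text; " (yes/no) " is appended to it
# Outputs:   the prompt (plus the automatic reply, if any) on stdout
# Returns:   0 for "yes", 1 for "no".  End of input on stdin also returns 1:
#            the original looped forever when stdin was closed or exhausted,
#            because read failed and answer stayed empty.
#######################################
request()
{
  case "${auto_answer}" in
    yes)
      echo "$1 (yes/no) yes"
      return 0
      ;;
    no)
      echo "$1 (yes/no) no"
      return 1
      ;;
  esac

  answer=""
  while [ "X${answer}" != "Xyes" ] && [ "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    # read fails on EOF; a final line without newline still fills answer,
    # so only an empty answer after a failed read counts as "no input".
    if ! read -e answer && [ -z "${answer}" ]
    then
      echo
      return 1
    fi
  done
  [ "X${answer}" = "Xyes" ]
}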
48
# Check options
#
# Walks argv by hand; flags that take a value consume the following word.
# Anything unrecognised prints the usage text and exits with status 1.
# NOTE(review): --pwd puts the service-account password on the command
# line, where a process listing can read it, and --debug (set -x) traces
# every later command that carries it.

while [ $# -gt 0 ]
do
  option=$1
  shift

  case "${option}" in
    -d | --debug ) set -x ;;
    -y | --yes ) auto_answer=yes ;;
    -n | --no ) auto_answer=no ;;
    -c | --cygwin )
      cygwin_value="$1"
      shift
      ;;
    -p | --port )
      port_number=$1
      shift
      ;;
    -w | --pwd )
      password_value="$1"
      shift
      ;;
    *)
      cat <<EOF
usage: ${progname} [OPTION]...

This script creates an OpenSSH host configuration.

Options:
 --debug -d Enable shell's debug output.
 --yes -y Answer all questions with "yes" automatically.
 --no -n Answer all questions with "no" automatically.
 --cygwin -c <options> Use "options" as value for CYGWIN environment var.
 --port -p <n> sshd listens on port n.
 --pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.

EOF
      exit 1
      ;;
  esac
done
108
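# Check if running on NT
#
# expr prints how many leading characters of `uname` match "CYGWIN_NT":
# 0 on 9x/ME, 9 on any NT-based system.  Later blocks test _nt -gt 0.
_sys=$(uname)
_nt=$(expr "${_sys}" : "CYGWIN_NT")
# If running on NT, check if running under 2003 Server or later
# (kernel 5.2, taken from the "CYGWIN_NT-5.2" form of uname).  Those
# systems need the dedicated sshd_server account further down.
# Defaulting to 0 keeps the later [ $_nt2003 -gt 0 ] tests well-formed;
# the original left the variable unset on non-NT systems.
_nt2003=0
if [ "${_nt}" -gt 0 ]
then
  _nt2003=$(uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}')
fi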
Ben Lindstrom6dbf3002002-07-03 23:33:19 +0000117
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
#
# The match is a plain substring on the whole ps line, so any process
# whose command contains "ssh" (an agent, a client session) trips it too.
ps -ef | grep -v grep | grep -q ssh && {
  printf '\n%s\n\n' "There are still ssh processes running. Please shut them down first."
  exit 1
}
128
# Check for ${SYSCONFDIR} directory
#
# Something that is not a directory in the way of SYSCONFDIR is fatal;
# a missing directory is created, and failure to create it is fatal too.

if [ -e "${SYSCONFDIR}" ] && [ ! -d "${SYSCONFDIR}" ]
then
  printf '\n%s\n%s\n\n' \
    "${SYSCONFDIR} is existant but not a directory." \
    "Cannot create global configuration files."
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  [ -e "${SYSCONFDIR}" ] || {
    printf '\n%s\n\n' "Creating ${SYSCONFDIR} directory failed"
    exit 1
  }
fi
153
# Create /var/log and /var/log/lastlog if not already existing
#
# A regular file sitting at LOCALSTATEDIR/log blocks the directory and only
# produces a message.  lastlog is made world-writable (777 if it is a
# directory, 666 if it is created here as an empty file) -- presumably so
# that sshd can update it when it does not run as SYSTEM; confirm before
# tightening.

if [ -f "${LOCALSTATEDIR}/log" ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed!"
else
  [ -d "${LOCALSTATEDIR}/log" ] || mkdir -p "${LOCALSTATEDIR}/log"
  if [ -d "${LOCALSTATEDIR}/log/lastlog" ]
  then
    chmod 777 "${LOCALSTATEDIR}/log/lastlog"
  elif [ ! -f "${LOCALSTATEDIR}/log/lastlog" ]
  then
    : > "${LOCALSTATEDIR}/log/lastlog"
    chmod 666 "${LOCALSTATEDIR}/log/lastlog"
  fi
fi
173
# Create /var/empty file used as chroot jail for privilege separation
#
# The privsep child is chrooted here, so on NT the directory is forced to
# 755: nobody but the owner may write into it.  A regular file in the way
# only produces a message.

if [ -f "${LOCALSTATEDIR}/empty" ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
  mkdir -p "${LOCALSTATEDIR}/empty"
  [ "${_nt}" -gt 0 ] && chmod 755 "${LOCALSTATEDIR}/empty"
fi
185
# First generate host keys if not already existing
#
# One key per host-key type; existing keys are left alone so a re-run keeps
# the host identity.  Keys get an empty passphrase (-N '') because sshd has
# to read them unattended.
# NOTE(review): rsa1 is the SSH protocol 1 host key; newer ssh-keygen
# releases no longer accept -t rsa1, so that step may fail on a current
# toolchain.

[ -f "${SYSCONFDIR}/ssh_host_key" ] || {
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f "${SYSCONFDIR}/ssh_host_key" -N '' > /dev/null
}

[ -f "${SYSCONFDIR}/ssh_host_rsa_key" ] || {
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f "${SYSCONFDIR}/ssh_host_rsa_key" -N '' > /dev/null
}

[ -f "${SYSCONFDIR}/ssh_host_dsa_key" ] || {
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f "${SYSCONFDIR}/ssh_host_dsa_key" -N '' > /dev/null
}
205
# Check if ssh_config exists. If yes, ask for overwriting
#
# Only an existing file triggers the question; a write-protected file that
# survives rm -f is reported and then kept.

if [ -f "${SYSCONFDIR}/ssh_config" ] && request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
  rm -f "${SYSCONFDIR}/ssh_config"
  [ -f "${SYSCONFDIR}/ssh_config" ] && echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi

# Create default ssh_config from skeleton file in /etc/defaults/etc
#
# A non-default port is recorded as a "Host localhost" stanza so the local
# client finds its own sshd.

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cp "${SYSCONFDIR}/defaults/etc/ssh_config" "${SYSCONFDIR}/ssh_config"
  if [ "${port_number}" != "22" ]
  then
    printf '%s\n' "Host localhost" " Port ${port_number}" >> "${SYSCONFDIR}/ssh_config"
  fi
fi
232
# Check if sshd_config exists. If yes, ask for overwriting
#
# When the existing file is kept, remember whether it already mentions
# UsePrivilegeSeparation; the privsep block below is skipped in that case.
# NOTE(review): the grep is unanchored, so a commented-out
# "#UsePrivilegeSeparation" line also counts as configured and no option
# is appended further down.

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if ! request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    grep -q UsePrivilegeSeparation "${SYSCONFDIR}/sshd_config" && privsep_configured=yes
  else
    rm -f "${SYSCONFDIR}/sshd_config"
    [ -f "${SYSCONFDIR}/sshd_config" ] && echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
  fi
fi
248
# Prior to creating or modifying sshd_config, care for privilege separation
#
# Runs only when the kept sshd_config does not already mention the option.
# On NT the unprivileged 'sshd' account is looked up in the passwd file and
# in the Windows SAM (net user) and created where missing; on 9x privsep is
# switched off.  The result lands in privsep_used, which the next block
# writes into sshd_config.

if [ "${privsep_configured}" != "yes" ]
then
  if [ ${_nt} -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    echo
    if request "Should privilege separation be used?"
    then
      privsep_used=yes
      # Does the account exist on the Cygwin side (passwd) and on the
      # Windows side (SAM)?  Both are needed for sshd to switch to it.
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "${sshd_in_passwd}" != "yes" ]
      then
        if [ "${sshd_in_sam}" != "yes" ]
        then
          echo "Warning: The following function requires administrator privileges!"
          if request "Should this script create a local user 'sshd' on this machine?"
          then
            # Home directory is the empty privsep directory (Windows path);
            # the account is created disabled (/active:no) because nothing
            # is ever meant to log on as it.
            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
            net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
            if [ "${sshd_in_sam}" != "yes" ]
            then
              echo "Warning: Creating the user 'sshd' failed!"
            fi
          fi
        fi
        if [ "${sshd_in_sam}" != "yes" ]
        then
          # Without a SAM account privsep cannot work; fall back to 'no'.
          echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
          echo " Privilege separation set to 'no' again!"
          echo " Check your ${SYSCONFDIR}/sshd_config file!"
          privsep_used=no
        else
          # Import the SAM entry into passwd, replacing a trailing "bash"
          # in the shell field with "false" so the account has no shell.
          mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
        fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation. Since security isn't
    # available it just adds useless additional processes.
    privsep_used=no
  fi
fi
298
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
#
# Fresh file: copy the skeleton, enabling the three options this script
# decides.  Kept file without a UsePrivilegeSeparation line: append one.
# Kept file that already has one: leave it untouched.
# NOTE(review): the skeleton's "#StrictModes yes" becomes "StrictModes no",
# so sshd will not refuse logins over loosely-owned ~/.ssh or
# authorized_keys files -- presumably to cope with Cygwin's permission
# mapping; confirm that is still required.  port_number is spliced
# unescaped into the sed program, so a value containing '/' or '&' would
# corrupt the generated file.

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/" \
      -e "s/^#Port 22/Port ${port_number}/" \
      -e 's/^#StrictModes yes/StrictModes no/' \
      "${SYSCONFDIR}/defaults/etc/sshd_config" > "${SYSCONFDIR}/sshd_config"
elif [ "${privsep_configured}" != "yes" ]
then
  printf '\n%s\n' "UsePrivilegeSeparation ${privsep_used}" >> "${SYSCONFDIR}/sshd_config"
fi
315
# Care for services file
#
# The Windows services file (below %SYSTEMROOT% on NT, %WINDIR% on 9x) is
# mounted on a per-run mount point, edited through a temp file in the same
# directory, and unmounted again at the end of this block.
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  # On NT, 27 spaces, no space after the hash
  # NOTE(review): the literal below shows a single space while the comment
  # says 27 -- confirm the padding against the shipped script.
  _spaces=" #"
else
  _win_etcdir="${WINDIR}"
  _services="${_my_etcdir}/SERVICES"
  # On 9x, 18 spaces (95 is very touchy), a space after the hash
  _spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"

# Cygwin mount: -t text mode so the CRLF file is handled line by line,
# -f force (mount point need not exist) -- per the mount(1) of that era.
mount -t -f "${_win_etcdir}" "${_my_etcdir}"

# Depends on the above mount
# Windows-style path of the services file, only used in the messages below.
_wservices=`cygpath -w "${_services}"`

# Remove sshd 22/port from services
# `grep -q ...; echo $?` turns grep's exit status into a number for [ -eq ].
# NOTE(review): inside a bracket expression \t is a literal backslash and
# 't', not a tab, so tab-separated entries are not matched by [ \t]; the
# same pattern is used in the grep -v and in the ssh check below.
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_wservices}"
    else
      echo "Removing sshd from ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_wservices} failed!"
  fi
fi

# Add ssh 22/tcp and ssh 22/udp to services
# awk copies the file and inserts the two ssh lines in front of every line
# whose second field starts with 23/tcp (telnet), keeping port order.
# _spaces is spliced into the awk program text, so it must stay a fixed
# literal with no quote characters.
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_wservices}"
    else
      echo "Adding ssh to ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "WARNING: Adding ssh to ${_wservices} failed!"
  fi
fi

# Release the per-run mount point created above.
umount "${_my_etcdir}"
Ben Lindstromb100ec92001-01-19 05:37:32 +0000373
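# Care for inetd.conf file
#
# When an inetd.conf exists, every (active or commented-out) sshd entry is
# removed and one "ssh ... sshd -i" entry is appended.  The new entry is
# written commented out unless the old file had an active sshd line, so
# this never switches inetd-spawned sshd on by itself.
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd; with_comment=0 means an
  # uncommented sshd line is present, so the replacement should be active too.
  # [[:blank:]] (space or tab) replaces the original [ \t]: inside a bracket
  # expression \t is a literal backslash and 't', so tab-indented lines were
  # never matched.
  with_comment=1
  grep -q '^[[:blank:]]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if grep -q '^[#[:blank:]]*sshd' "${_inetcnf}"
  then
    # Truncate the temp file (>) rather than append (>>), as the services
    # code does; a stale inetd.conf.<pid> left by an aborted run would
    # otherwise leak its old contents into the new config.
    grep -v '^[#[:blank:]]*sshd' "${_inetcnf}" > "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
        echo "Removed sshd from ${_inetcnf}"
      else
        echo "Removing sshd from ${_inetcnf} failed!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed!"
    fi
  fi

  # Add ssh line to inetd.conf (only if no ssh entry of any kind is left)
  if ! grep -q '^[#[:blank:]]*ssh' "${_inetcnf}"
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi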
413
# On NT ask if sshd should be installed as service
#
# NT only.  If no sshd service is registered with cygrunsrv yet, the user is
# asked to install one.  On 2003 Server and later (_nt2003) the service runs
# under a dedicated 'sshd_server' account that is given the Windows rights
# sshd needs to switch user; otherwise it runs as LocalSystem.  Afterwards
# the ssh* files in SYSCONFDIR and the privsep directory are chowned to
# whichever account the service uses.
if [ ${_nt} -gt 0 ]
then
  # But only if it is not already installed
  if ! cygrunsrv -Q sshd > /dev/null 2>&1
  then
    echo
    echo
    echo "Warning: The following functions require administrator privileges!"
    echo
    echo "Do you want to install sshd as service?"
    if request "(Say \"no\" if it's already installed as service)"
    then
      if [ $_nt2003 -gt 0 ]
      then
        grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
        if [ "${sshd_server_in_passwd}" = "yes" ]
        then
          # Drop sshd_server from passwd since it could have wrong settings
          # (it is re-imported from the SAM below); the rewritten passwd
          # must not be group- or world-writable.
          grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
          rm -f ${SYSCONFDIR}/passwd
          mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
          chmod g-w,o-w ${SYSCONFDIR}/passwd
        fi
        net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
        if [ "${sshd_server_in_sam}" != "yes" ]
        then
          echo
          echo "You appear to be running Windows 2003 Server or later. On 2003 and"
          echo "later systems, it's not possible to use the LocalSystem account"
          echo "if sshd should allow passwordless logon (e. g. public key authentication)."
          echo "If you want to enable that functionality, it's required to create a new"
          echo "account 'sshd_server' with special privileges, which is then used to run"
          echo "the sshd service under."
          echo
          echo "Should this script create a new local account 'sshd_server' which has"
          if request "the required privileges?"
          then
            # Resolve the local Administrators group by its well-known SID
            # rather than by name, which is localised.
            _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
            if [ -z "${_admingroup}" ]
            then
              echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
              exit 1
            fi
            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
            # Retry until the account exists: a password rejected by the
            # system's password policy asks for another one.
            while [ "${sshd_server_in_sam}" != "yes" ]
            do
              if [ -n "${password_value}" ]
              then
                _password="${password_value}"
                # Allow to ask for password if first try fails
                password_value=""
              else
                echo
                echo "Please enter a password for new user 'sshd_server'. Please be sure that"
                echo "this password matches the password rules given on your system."
                echo -n "Entering no password will exit the configuration. PASSWORD="
                # NOTE(review): read without -s echoes the password to the
                # terminal as it is typed.
                read -e _password
                if [ -z "${_password}" ]
                then
                  echo
                  echo "Exiting configuration. No user sshd_server has been created,"
                  echo "no sshd service installed."
                  exit 1
                fi
              fi
              # NOTE(review): the password is passed on the command line
              # (visible to a process listing and to set -x from --debug),
              # and the output lands in the fixed-name file /tmp/nu.<pid>
              # rather than a mktemp one.
              net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
              if [ "${sshd_server_in_sam}" != "yes" ]
              then
                echo "Creating the user 'sshd_server' failed! Reason:"
                cat /tmp/nu.$$
                rm /tmp/nu.$$
              fi
            done
            net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
            if [ "${sshd_server_in_admingroup}" != "yes" ]
            then
              echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
              echo "Please add sshd_server to local group ${_admingroup} before"
              echo "starting the sshd service!"
              echo
            fi
            # passwd -e (expiry flags) only exists from passwd 1.5 on.
            passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
            if [ "${passwd_has_expiry_flags}" != "yes" ]
            then
              echo
              echo "WARNING: User sshd_server has password expiry set to system default."
              echo "Please check that password never expires or set it to your needs."
            elif ! passwd -e sshd_server
            then
              echo
              echo "WARNING: Setting password expiry for user sshd_server failed!"
              echo "Please check that password never expires or set it to your needs."
            fi
            # Service-account rights: the token privileges sshd needs to
            # create a user context, logon-as-a-service, and explicit denial
            # of interactive, network and remote-interactive logon so the
            # account is usable by the service manager only.  All must
            # succeed for sshd_server_got_all_rights to be set.
            editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
            editrights -a SeCreateTokenPrivilege -u sshd_server &&
            editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
            editrights -a SeDenyNetworkLogonRight -u sshd_server &&
            editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
            editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
            editrights -a SeServiceLogonRight -u sshd_server &&
            sshd_server_got_all_rights="yes"
            if [ "${sshd_server_got_all_rights}" != "yes" ]
            then
              echo
              echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
              echo "Can't create sshd service!"
              exit 1
            fi
            echo
            # NOTE(review): prints the password in the clear, so it also ends
            # up in any transcript or log of this run.
            echo "User 'sshd_server' has been created with password '${_password}'."
            echo "If you change the password, please keep in mind to change the password"
            echo "for the sshd service, too."
            echo
            echo "Also keep in mind that the user sshd_server needs read permissions on all"
            echo "users' .ssh/authorized_keys file to allow public key authentication for"
            echo "these users!. (Re-)running ssh-user-config for each user will set the"
            echo "required permissions correctly."
            echo
          fi
        fi
        if [ "${sshd_server_in_sam}" = "yes" ]
        then
          # Import the SAM entry into passwd with "bash" in the shell field
          # replaced by "false": no interactive shell for the service account.
          mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
        fi
      fi
      # CYGWIN environment value for the service; -c on the command line
      # wins, otherwise ask, defaulting to "ntsec".
      if [ -n "${cygwin_value}" ]
      then
        _cygwin="${cygwin_value}"
      else
        echo
        echo "Which value should the environment variable CYGWIN have when"
        echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
        echo "able to change user context without password."
        echo -n "Default is \"ntsec\". CYGWIN="
        read -e _cygwin
      fi
      [ -z "${_cygwin}" ] && _cygwin="ntsec"
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
        # Run as sshd_server.  NOTE(review): -w passes the account password
        # on cygrunsrv's command line, same exposure as for net user above.
        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
        then
          echo
          echo "The service has been installed under sshd_server account."
          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
        fi
      else
        # Pre-2003, or no sshd_server account: run as LocalSystem.
        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
        then
          echo
          echo "The service has been installed under LocalSystem account."
          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
        fi
      fi
    fi
    # Now check if sshd has been successfully installed. This allows to
    # set the ownership of the affected files correctly.
    if cygrunsrv -Q sshd > /dev/null 2>&1
    then
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
        _user="sshd_server"
      else
        # presumably the passwd name of LocalSystem on Cygwin -- confirm
        _user="system"
      fi
      # Host keys and configs belong to the service account; the privsep
      # directory and log get group 544 = local Administrators
      # (SID S-1-5-32-544, resolved above).
      chown "${_user}" ${SYSCONFDIR}/ssh*
      chown "${_user}".544 ${LOCALSTATEDIR}/empty
      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
      then
        chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
      fi
    fi
    # A service runs as a different user than the installer, so it can only
    # see system-wide ("All users") mounts; warn if /, /usr/bin or /usr/lib
    # are not system mounts.
    if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
    then
      echo
      echo "Warning: It appears that you have user mode mounts (\"Just me\""
      echo "chosen during install.) Any daemons installed as services will"
      echo "fail to function unless system mounts are used. To change this,"
      echo "re-run setup.exe and choose \"All users\"."
      echo
      echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
    fi
  fi
fi

echo
echo "Host configuration finished. Have fun!"