[gssapi-openssh.git] / openssh / contrib / cygwin / ssh-host-config

#!/bin/sh
#
# ssh-host-config, Copyright 2000, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

# Subdirectory where an old package might be installed
OLDPREFIX=/usr/local
OLDSYSCONFDIR=${OLDPREFIX}/etc

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "    --debug  -d     Enable shell's debug output."
    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
    echo "    --no     -n     Answer all questions with \"no\" automatically."
    echo "    --port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f /var/log ]
then
  echo "Creating /var/log failed\!"
else
  if [ ! -d /var/log ]
  then
    mkdir -p /var/log
  fi
  if [ -d /var/log/lastlog ]
  then
    echo "Creating /var/log/lastlog failed\!"
  elif [ ! -f /var/log/lastlog ]
  then
    cat /dev/null > /var/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f /var/empty ]
then
  echo "Creating /var/empty failed\!"
else
  mkdir -p /var/empty
  # On NT change ownership of that dir to user "system"
  if [ $_nt -gt 0 ]
  then
    chmod 755 /var/empty
    chown system.system /var/empty
  fi
fi

# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
# the same as ${PREFIX}

old_install=0
if [ "${OLDPREFIX}" != "${PREFIX}" ]
then
  if [ -f "${OLDPREFIX}/sbin/sshd" ]
  then
    echo
    echo "You seem to have an older installation in ${OLDPREFIX}."
    echo
    # Check if old global configuration files exist
    if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
    then
      if request "Do you want to copy your config files to your new installation?"
      then
        cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
      fi
    fi
    if request "Do you want to erase your old installation?"
    then
      rm -f ${OLDPREFIX}/bin/ssh.exe
      rm -f ${OLDPREFIX}/bin/ssh-config
      rm -f ${OLDPREFIX}/bin/scp.exe
      rm -f ${OLDPREFIX}/bin/ssh-add.exe
      rm -f ${OLDPREFIX}/bin/ssh-agent.exe
      rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
      rm -f ${OLDPREFIX}/bin/slogin
      rm -f ${OLDSYSCONFDIR}/ssh_host_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_config
      rm -f ${OLDSYSCONFDIR}/sshd_config
      rm -f ${OLDPREFIX}/man/man1/ssh.1
      rm -f ${OLDPREFIX}/man/man1/scp.1
      rm -f ${OLDPREFIX}/man/man1/ssh-add.1
      rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
      rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
      rm -f ${OLDPREFIX}/man/man1/slogin.1
      rm -f ${OLDPREFIX}/man/man8/sshd.8
      rm -f ${OLDPREFIX}/sbin/sshd.exe
      rm -f ${OLDPREFIX}/sbin/sftp-server.exe
    fi
    old_install=1
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from here script

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cat > ${SYSCONFDIR}/ssh_config << EOF
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
EOF
  if [ "$port_number" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port $port_number" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "$privsep_configured" != "yes" ]
then
  if [ $_nt -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
    echo
    if request "Shall privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "$sshd_in_passwd" != "yes" ]
      then
        if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Shall this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w /var/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "$sshd_in_sam" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless addtional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from here script or modify to add the
# missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  cat > ${SYSCONFDIR}/sshd_config << EOF
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port $port_number
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey ${SYSCONFDIR}/ssh_host_key
# HostKeys for protocol version 2
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes no

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation $privsep_used
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem      sftp    /usr/sbin/sftp-server
EOF
elif [ "$privsep_configured" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
if [ $_nt -gt 0 ]
then
  _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
  _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
else
  _wservices="${WINDIR}\\SERVICES"
  _wserv_tmp="${WINDIR}\\SERV.$$"
fi
_services=`cygpath -u "${_wservices}"`
_serv_tmp=`cygpath -u "${_wserv_tmp}"`

mount -t -f "${_wservices}" "${_services}"
mount -t -f "${_wserv_tmp}" "${_serv_tmp}"

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then 
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_services}"
    else
      echo "Removing sshd from ${_services} failed\!"
    fi 
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_services} failed\!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp                           #SSH Remote Login Protocol\nssh                22/udp                           #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_services}"
    else
      echo "Adding ssh to ${_services} failed\!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Adding ssh to ${_services} failed\!"
  fi
fi

umount "${_services}"
umount "${_serv_tmp}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
        echo "Removed sshd from ${_inetcnf}"
      else
        echo "Removing sshd from ${_inetcnf} failed\!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed\!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
  echo
  echo "Do you want to install sshd as service?"
  if request "(Say \"no\" if it's already installed as service)"
  then
    echo
    echo "Which value should the environment variable CYGWIN have when"
    echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
    echo "able to change user context without password."
    echo -n "Default is \"binmode ntsec tty\".  CYGWIN="
    read _cygwin
    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
    then
      chown system ${SYSCONFDIR}/ssh*
      echo
      echo "The service has been installed under LocalSystem account."
    fi
  fi
fi

if [ "${old_install}" = "1" ]
then
  echo
  echo "Note: If you have used sshd as service or from inetd, don't forget to"
  echo "      change the path to sshd.exe in the service entry or in inetd.conf."
fi

echo
echo "Host configuration finished. Have fun!"
Commit	Line	Data
3c0ef626	1	#!/bin/sh
	2	#
	3	# ssh-host-config, Copyright 2000, Red Hat Inc.
	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
	7	# Subdirectory where the new package is being installed
	8	PREFIX=/usr
	9
	10	# Directory where the config files are stored
	11	SYSCONFDIR=/etc
	12
	13	# Subdirectory where an old package might be installed
	14	OLDPREFIX=/usr/local
	15	OLDSYSCONFDIR=${OLDPREFIX}/etc
	16
	17	progname=$0
	18	auto_answer=""
	19	port_number=22
	20
41b2f314	21	privsep_configured=no
	22	privsep_used=yes
	23	sshd_in_passwd=no
	24	sshd_in_sam=no
	25
3c0ef626	26	request()
	27	{
	28	if [ "${auto_answer}" = "yes" ]
	29	then
	30	return 0
	31	elif [ "${auto_answer}" = "no" ]
	32	then
	33	return 1
	34	fi
	35
	36	answer=""
	37	while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
	38	do
	39	echo -n "$1 (yes/no) "
	40	read answer
	41	done
	42	if [ "X${answer}" = "Xyes" ]
	43	then
	44	return 0
	45	else
	46	return 1
	47	fi
	48	}
	49
	50	# Check options
	51
	52	while :
	53	do
	54	case $# in
	55	0)
	56	break
	57	;;
	58	esac
	59
	60	option=$1
	61	shift
	62
	63	case "$option" in
	64	-d \| --debug )
	65	set -x
	66	;;
	67
	68	-y \| --yes )
	69	auto_answer=yes
	70	;;
	71
	72	-n \| --no )
	73	auto_answer=no
	74	;;
	75
	76	-p \| --port )
	77	port_number=$1
	78	shift
	79	;;
	80
	81	*)
	82	echo "usage: ${progname} [OPTION]..."
	83	echo
	84	echo "This script creates an OpenSSH host configuration."
	85	echo
	86	echo "Options:"
	87	echo " --debug -d Enable shell's debug output."
	88	echo " --yes -y Answer all questions with \"yes\" automatically."
	89	echo " --no -n Answer all questions with \"no\" automatically."
90	echo " --port -p <n> sshd listens on port n."
91	echo
92	exit 1
93	;;
94
95	esac
96	done
97
41b2f314	98	# Check if running on NT
	99	_sys="`uname -a`"
	100	_nt=`expr "$_sys" : "CYGWIN_NT"`
	101
3c0ef626	102	# Check for running ssh/sshd processes first. Refuse to do anything while
	103	# some ssh processes are still running
	104
	105	if ps -ef \| grep -v grep \| grep -q ssh
	106	then
	107	echo
	108	echo "There are still ssh processes running. Please shut them down first."
	109	echo
41b2f314	110	exit 1
3c0ef626	111	fi
	112
	113	# Check for ${SYSCONFDIR} directory
	114
	115	if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
	116	then
	117	echo
	118	echo "${SYSCONFDIR} is existant but not a directory."
	119	echo "Cannot create global configuration files."
	120	echo
	121	exit 1
	122	fi
	123
	124	# Create it if necessary
	125
	126	if [ ! -e "${SYSCONFDIR}" ]
	127	then
	128	mkdir "${SYSCONFDIR}"
	129	if [ ! -e "${SYSCONFDIR}" ]
	130	then
	131	echo
	132	echo "Creating ${SYSCONFDIR} directory failed"
	133	echo
	134	exit 1
	135	fi
	136	fi
	137
41b2f314	138	# Create /var/log and /var/log/lastlog if not already existing
	139
	140	if [ -f /var/log ]
	141	then
	142	echo "Creating /var/log failed\!"
	143	else
	144	if [ ! -d /var/log ]
	145	then
	146	mkdir -p /var/log
	147	fi
	148	if [ -d /var/log/lastlog ]
	149	then
	150	echo "Creating /var/log/lastlog failed\!"
	151	elif [ ! -f /var/log/lastlog ]
	152	then
	153	cat /dev/null > /var/log/lastlog
	154	fi
	155	fi
	156
	157	# Create /var/empty file used as chroot jail for privilege separation
	158	if [ -f /var/empty ]
	159	then
	160	echo "Creating /var/empty failed\!"
	161	else
	162	mkdir -p /var/empty
	163	# On NT change ownership of that dir to user "system"
	164	if [ $_nt -gt 0 ]
	165	then
	166	chmod 755 /var/empty
	167	chown system.system /var/empty
	168	fi
	169	fi
	170
3c0ef626	171	# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
	172	# the same as ${PREFIX}
	173
	174	old_install=0
	175	if [ "${OLDPREFIX}" != "${PREFIX}" ]
	176	then
	177	if [ -f "${OLDPREFIX}/sbin/sshd" ]
	178	then
	179	echo
	180	echo "You seem to have an older installation in ${OLDPREFIX}."
	181	echo
	182	# Check if old global configuration files exist
	183	if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
	184	then
	185	if request "Do you want to copy your config files to your new installation?"
	186	then
	187	cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
	188	cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
	189	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
	190	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
	191	cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
	192	cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
	193	fi
	194	fi
	195	if request "Do you want to erase your old installation?"
	196	then
	197	rm -f ${OLDPREFIX}/bin/ssh.exe
	198	rm -f ${OLDPREFIX}/bin/ssh-config
	199	rm -f ${OLDPREFIX}/bin/scp.exe
	200	rm -f ${OLDPREFIX}/bin/ssh-add.exe
	201	rm -f ${OLDPREFIX}/bin/ssh-agent.exe
	202	rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
	203	rm -f ${OLDPREFIX}/bin/slogin
	204	rm -f ${OLDSYSCONFDIR}/ssh_host_key
	205	rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
	206	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
	207	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
	208	rm -f ${OLDSYSCONFDIR}/ssh_config
	209	rm -f ${OLDSYSCONFDIR}/sshd_config
	210	rm -f ${OLDPREFIX}/man/man1/ssh.1
	211	rm -f ${OLDPREFIX}/man/man1/scp.1
	212	rm -f ${OLDPREFIX}/man/man1/ssh-add.1
	213	rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
	214	rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
	215	rm -f ${OLDPREFIX}/man/man1/slogin.1
	216	rm -f ${OLDPREFIX}/man/man8/sshd.8
	217	rm -f ${OLDPREFIX}/sbin/sshd.exe
	218	rm -f ${OLDPREFIX}/sbin/sftp-server.exe
	219	fi
	220	old_install=1
	221	fi
	222	fi
	223
	224	# First generate host keys if not already existing
	225
	226	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	227	then
	228	echo "Generating ${SYSCONFDIR}/ssh_host_key"
	229	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	230	fi
	231
	232	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	233	then
	234	echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
235	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
236	fi
237
238	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
239	then
240	echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
241	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
242	fi
243
244	# Check if ssh_config exists. If yes, ask for overwriting
245
246	if [ -f "${SYSCONFDIR}/ssh_config" ]
247	then
248	if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
249	then
250	rm -f "${SYSCONFDIR}/ssh_config"
251	if [ -f "${SYSCONFDIR}/ssh_config" ]
252	then
253	echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
254	fi
255	fi
256	fi
257
258	# Create default ssh_config from here script
259
260	if [ ! -f "${SYSCONFDIR}/ssh_config" ]
261	then
262	echo "Generating ${SYSCONFDIR}/ssh_config file"
263	cat > ${SYSCONFDIR}/ssh_config << EOF
41b2f314	264	# This is the ssh client system-wide configuration file. See
	265	# ssh_config(5) for more information. This file provides defaults for
	266	# users, and the values can be changed in per-user configuration files
	267	# or on the command line.
3c0ef626	268
	269	# Configuration data is parsed as follows:
	270	# 1. command line options
	271	# 2. user-specific file
	272	# 3. system-wide file
	273	# Any configuration value is only changed the first time it is set.
	274	# Thus, host-specific definitions should be at the beginning of the
	275	# configuration file, and defaults at the end.
	276
	277	# Site-wide defaults for various options
	278
	279	# Host *
	280	# ForwardAgent no
	281	# ForwardX11 no
	282	# RhostsAuthentication no
41b2f314	283	# RhostsRSAAuthentication no
3c0ef626	284	# RSAAuthentication yes
3c0ef626	285	# PasswordAuthentication yes
3c0ef626	286	# BatchMode no
3c0ef626	287	# CheckHostIP yes
41b2f314	288	# StrictHostKeyChecking ask
3c0ef626	289	# IdentityFile ~/.ssh/identity
	290	# IdentityFile ~/.ssh/id_dsa
	291	# IdentityFile ~/.ssh/id_rsa
	292	# Port 22
	293	# Protocol 2,1
41b2f314	294	# Cipher 3des
41b2f314	295	# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
3c0ef626	296	# EscapeChar ~
	297	EOF
	298	if [ "$port_number" != "22" ]
	299	then
	300	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
	301	echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
	302	fi
	303	fi
	304
	305	# Check if sshd_config exists. If yes, ask for overwriting
	306
	307	if [ -f "${SYSCONFDIR}/sshd_config" ]
	308	then
	309	if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
	310	then
	311	rm -f "${SYSCONFDIR}/sshd_config"
	312	if [ -f "${SYSCONFDIR}/sshd_config" ]
	313	then
	314	echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
	315	fi
41b2f314	316	else
41b2f314	317	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
3c0ef626	318	fi
	319	fi
	320
41b2f314	321	# Prior to creating or modifying sshd_config, care for privilege separation
	322
	323	if [ "$privsep_configured" != "yes" ]
	324	then
	325	if [ $_nt -gt 0 ]
	326	then
	327	echo "Privilege separation is set to yes by default since OpenSSH 3.3."
	328	echo "However, this requires a non-privileged account called 'sshd'."
	329	echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
	330	echo
	331	if request "Shall privilege separation be used?"
	332	then
	333	privsep_used=yes
	334	grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
	335	net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
	336	if [ "$sshd_in_passwd" != "yes" ]
	337	then
	338	if [ "$sshd_in_sam" != "yes" ]
	339	then
	340	echo "Warning: The following function requires administrator privileges!"
	341	if request "Shall this script create a local user 'sshd' on this machine?"
	342	then
	343	dos_var_empty=`cygpath -w /var/empty`
	344	net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	345	if [ "$sshd_in_sam" != "yes" ]
	346	then
	347	echo "Warning: Creating the user 'sshd' failed!"
	348	fi
	349	fi
	350	fi
	351	if [ "$sshd_in_sam" != "yes" ]
	352	then
	353	echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	354	echo " Privilege separation set to 'no' again!"
	355	echo " Check your ${SYSCONFDIR}/sshd_config file!"
	356	privsep_used=no
	357	else
	358	mkpasswd -l -u sshd \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	359	fi
	360	fi
	361	else
	362	privsep_used=no
	363	fi
	364	else
	365	# On 9x don't use privilege separation. Since security isn't
	366	# available it just adds useless addtional processes.
	367	privsep_used=no
	368	fi
	369	fi
	370
	371	# Create default sshd_config from here script or modify to add the
	372	# missing privsep configuration option
3c0ef626	373
	374	if [ ! -f "${SYSCONFDIR}/sshd_config" ]
	375	then
	376	echo "Generating ${SYSCONFDIR}/sshd_config file"
	377	cat > ${SYSCONFDIR}/sshd_config << EOF
41b2f314	378	# This is the sshd server system-wide configuration file. See
	379	# sshd_config(5) for more information.
	380
6a9b3198	381	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
6a9b3198	382
41b2f314	383	# The strategy used for options in the default sshd_config shipped with
	384	# OpenSSH is to specify options with their default value where
	385	# possible, but leave them commented. Uncommented options change a
	386	# default value.
3c0ef626	387
	388	Port $port_number
	389	#Protocol 2,1
	390	#ListenAddress 0.0.0.0
	391	#ListenAddress ::
	392
	393	# HostKey for protocol version 1
41b2f314	394	#HostKey ${SYSCONFDIR}/ssh_host_key
3c0ef626	395	# HostKeys for protocol version 2
41b2f314	396	#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
41b2f314	397	#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
3c0ef626	398
6a9b3198	399	# Lifetime and size of ephemeral version 1 server key
41b2f314	400	#KeyRegenerationInterval 3600
41b2f314	401	#ServerKeyBits 768
3c0ef626	402
3c0ef626	403	# Logging
3c0ef626	404	#obsoletes QuietMode and FascistLogging
41b2f314	405	#SyslogFacility AUTH
41b2f314	406	#LogLevel INFO
3c0ef626	407
	408	# Authentication:
	409
6a9b3198	410	#LoginGraceTime 120
41b2f314	411	#PermitRootLogin yes
3c0ef626	412	# The following setting overrides permission checks on host key files
	413	# and directories. For security reasons set this to "yes" when running
	414	# NT/W2K, NTFS and CYGWIN=ntsec.
	415	StrictModes no
	416
41b2f314	417	#RSAAuthentication yes
41b2f314	418	#PubkeyAuthentication yes
6a9b3198	419	#AuthorizedKeysFile .ssh/authorized_keys
3c0ef626	420
3c0ef626	421	# rhosts authentication should not be used
41b2f314	422	#RhostsAuthentication no
6a9b3198	423	# Don't read the user's ~/.rhosts and ~/.shosts files
41b2f314	424	#IgnoreRhosts yes
	425	# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
	426	#RhostsRSAAuthentication no
3c0ef626	427	# similar for protocol version 2
41b2f314	428	#HostbasedAuthentication no
	429	# Change to yes if you don't trust ~/.ssh/known_hosts for
	430	# RhostsRSAAuthentication and HostbasedAuthentication
	431	#IgnoreUserKnownHosts no
3c0ef626	432
3c0ef626	433	# To disable tunneled clear text passwords, change to no here!
41b2f314	434	#PasswordAuthentication yes
	435	#PermitEmptyPasswords no
	436
	437	# Change to no to disable s/key passwords
	438	#ChallengeResponseAuthentication yes
	439
	440	#X11Forwarding no
	441	#X11DisplayOffset 10
	442	#X11UseLocalhost yes
	443	#PrintMotd yes
	444	#PrintLastLog yes
	445	#KeepAlive yes
3c0ef626	446	#UseLogin no
41b2f314	447	UsePrivilegeSeparation $privsep_used
6a9b3198	448	#PermitUserEnvironment no
41b2f314	449	#Compression yes
3c0ef626	450
41b2f314	451	#MaxStartups 10
	452	# no default banner path
	453	#Banner /some/path
	454	#VerifyReverseMapping no
3c0ef626	455
41b2f314	456	# override default of no subsystems
3c0ef626	457	Subsystem sftp /usr/sbin/sftp-server
3c0ef626	458	EOF
41b2f314	459	elif [ "$privsep_configured" != "yes" ]
	460	then
	461	echo >> ${SYSCONFDIR}/sshd_config
	462	echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
3c0ef626	463	fi
	464
	465	# Care for services file
3c0ef626	466	if [ $_nt -gt 0 ]
	467	then
	468	_wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
	469	_wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
	470	else
	471	_wservices="${WINDIR}\\SERVICES"
	472	_wserv_tmp="${WINDIR}\\SERV.$$"
	473	fi
	474	_services=`cygpath -u "${_wservices}"`
	475	_serv_tmp=`cygpath -u "${_wserv_tmp}"`
	476
	477	mount -t -f "${_wservices}" "${_services}"
	478	mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
	479
	480	# Remove sshd 22/port from services
	481	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	482	then
	483	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	484	if [ -f "${_serv_tmp}" ]
	485	then
	486	if mv "${_serv_tmp}" "${_services}"
	487	then
	488	echo "Removing sshd from ${_services}"
	489	else
	490	echo "Removing sshd from ${_services} failed\!"
	491	fi
	492	rm -f "${_serv_tmp}"
	493	else
	494	echo "Removing sshd from ${_services} failed\!"
	495	fi
	496	fi
	497
	498	# Add ssh 22/tcp and ssh 22/udp to services
	499	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
	500	then
	501	awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
	502	if [ -f "${_serv_tmp}" ]
	503	then
	504	if mv "${_serv_tmp}" "${_services}"
	505	then
	506	echo "Added ssh to ${_services}"
	507	else
	508	echo "Adding ssh to ${_services} failed\!"
	509	fi
	510	rm -f "${_serv_tmp}"
	511	else
	512	echo "Adding ssh to ${_services} failed\!"
	513	fi
	514	fi
	515
	516	umount "${_services}"
	517	umount "${_serv_tmp}"
	518
	519	# Care for inetd.conf file
41b2f314	520	_inetcnf="${SYSCONFDIR}/inetd.conf"
41b2f314	521	_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
3c0ef626	522
	523	if [ -f "${_inetcnf}" ]
	524	then
	525	# Check if ssh service is already in use as sshd
	526	with_comment=1
	527	grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
	528	# Remove sshd line from inetd.conf
	529	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	530	then
	531	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	532	if [ -f "${_inetcnf_tmp}" ]
	533	then
	534	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	535	then
	536	echo "Removed sshd from ${_inetcnf}"
	537	else
	538	echo "Removing sshd from ${_inetcnf} failed\!"
	539	fi
	540	rm -f "${_inetcnf_tmp}"
	541	else
	542	echo "Removing sshd from ${_inetcnf} failed\!"
	543	fi
	544	fi
	545
	546	# Add ssh line to inetd.conf
	547	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	548	then
	549	if [ "${with_comment}" -eq 0 ]
	550	then
700318f3	551	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
3c0ef626	552	else
700318f3	553	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
3c0ef626	554	fi
	555	echo "Added ssh to ${_inetcnf}"
	556	fi
	557	fi
	558
3c0ef626	559	# On NT ask if sshd should be installed as service
	560	if [ $_nt -gt 0 ]
	561	then
	562	echo
	563	echo "Do you want to install sshd as service?"
	564	if request "(Say \"no\" if it's already installed as service)"
	565	then
	566	echo
	567	echo "Which value should the environment variable CYGWIN have when"
	568	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	569	echo "able to change user context without password."
	570	echo -n "Default is \"binmode ntsec tty\". CYGWIN="
	571	read _cygwin
	572	[ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
	573	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
	574	then
41b2f314	575	chown system ${SYSCONFDIR}/ssh*
3c0ef626	576	echo
	577	echo "The service has been installed under LocalSystem account."
	578	fi
	579	fi
	580	fi
	581
	582	if [ "${old_install}" = "1" ]
	583	then
	584	echo
	585	echo "Note: If you have used sshd as service or from inetd, don't forget to"
	586	echo " change the path to sshd.exe in the service entry or in inetd.conf."
	587	fi
	588
	589	echo
	590	echo "Host configuration finished. Have fun!"