]>
Commit | Line | Data |
---|---|---|
3c0ef626 | 1 | #!/bin/sh |
2 | # | |
3 | # ssh-host-config, Copyright 2000, Red Hat Inc. | |
4 | # | |
5 | # This file is part of the Cygwin port of OpenSSH. | |
6 | ||
7 | # Subdirectory where the new package is being installed | |
8 | PREFIX=/usr | |
9 | ||
10 | # Directory where the config files are stored | |
11 | SYSCONFDIR=/etc | |
12 | ||
13 | # Subdirectory where an old package might be installed | |
14 | OLDPREFIX=/usr/local | |
15 | OLDSYSCONFDIR=${OLDPREFIX}/etc | |
16 | ||
17 | progname=$0 | |
18 | auto_answer="" | |
19 | port_number=22 | |
20 | ||
21 | request() | |
22 | { | |
23 | if [ "${auto_answer}" = "yes" ] | |
24 | then | |
25 | return 0 | |
26 | elif [ "${auto_answer}" = "no" ] | |
27 | then | |
28 | return 1 | |
29 | fi | |
30 | ||
31 | answer="" | |
32 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] | |
33 | do | |
34 | echo -n "$1 (yes/no) " | |
35 | read answer | |
36 | done | |
37 | if [ "X${answer}" = "Xyes" ] | |
38 | then | |
39 | return 0 | |
40 | else | |
41 | return 1 | |
42 | fi | |
43 | } | |
44 | ||
45 | # Check options | |
46 | ||
47 | while : | |
48 | do | |
49 | case $# in | |
50 | 0) | |
51 | break | |
52 | ;; | |
53 | esac | |
54 | ||
55 | option=$1 | |
56 | shift | |
57 | ||
58 | case "$option" in | |
59 | -d | --debug ) | |
60 | set -x | |
61 | ;; | |
62 | ||
63 | -y | --yes ) | |
64 | auto_answer=yes | |
65 | ;; | |
66 | ||
67 | -n | --no ) | |
68 | auto_answer=no | |
69 | ;; | |
70 | ||
71 | -p | --port ) | |
72 | port_number=$1 | |
73 | shift | |
74 | ;; | |
75 | ||
76 | *) | |
77 | echo "usage: ${progname} [OPTION]..." | |
78 | echo | |
79 | echo "This script creates an OpenSSH host configuration." | |
80 | echo | |
81 | echo "Options:" | |
82 | echo " --debug -d Enable shell's debug output." | |
83 | echo " --yes -y Answer all questions with \"yes\" automatically." | |
84 | echo " --no -n Answer all questions with \"no\" automatically." | |
85 | echo " --port -p <n> sshd listens on port n." | |
86 | echo | |
87 | exit 1 | |
88 | ;; | |
89 | ||
90 | esac | |
91 | done | |
92 | ||
93 | # Check for running ssh/sshd processes first. Refuse to do anything while | |
94 | # some ssh processes are still running | |
95 | ||
96 | if ps -ef | grep -v grep | grep -q ssh | |
97 | then | |
98 | echo | |
99 | echo "There are still ssh processes running. Please shut them down first." | |
100 | echo | |
101 | #exit 1 | |
102 | fi | |
103 | ||
104 | # Check for ${SYSCONFDIR} directory | |
105 | ||
106 | if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] | |
107 | then | |
108 | echo | |
109 | echo "${SYSCONFDIR} is existant but not a directory." | |
110 | echo "Cannot create global configuration files." | |
111 | echo | |
112 | exit 1 | |
113 | fi | |
114 | ||
115 | # Create it if necessary | |
116 | ||
117 | if [ ! -e "${SYSCONFDIR}" ] | |
118 | then | |
119 | mkdir "${SYSCONFDIR}" | |
120 | if [ ! -e "${SYSCONFDIR}" ] | |
121 | then | |
122 | echo | |
123 | echo "Creating ${SYSCONFDIR} directory failed" | |
124 | echo | |
125 | exit 1 | |
126 | fi | |
127 | fi | |
128 | ||
129 | # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't | |
130 | # the same as ${PREFIX} | |
131 | ||
132 | old_install=0 | |
133 | if [ "${OLDPREFIX}" != "${PREFIX}" ] | |
134 | then | |
135 | if [ -f "${OLDPREFIX}/sbin/sshd" ] | |
136 | then | |
137 | echo | |
138 | echo "You seem to have an older installation in ${OLDPREFIX}." | |
139 | echo | |
140 | # Check if old global configuration files exist | |
141 | if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] | |
142 | then | |
143 | if request "Do you want to copy your config files to your new installation?" | |
144 | then | |
145 | cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} | |
146 | cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} | |
147 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} | |
148 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} | |
149 | cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} | |
150 | cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} | |
151 | fi | |
152 | fi | |
153 | if request "Do you want to erase your old installation?" | |
154 | then | |
155 | rm -f ${OLDPREFIX}/bin/ssh.exe | |
156 | rm -f ${OLDPREFIX}/bin/ssh-config | |
157 | rm -f ${OLDPREFIX}/bin/scp.exe | |
158 | rm -f ${OLDPREFIX}/bin/ssh-add.exe | |
159 | rm -f ${OLDPREFIX}/bin/ssh-agent.exe | |
160 | rm -f ${OLDPREFIX}/bin/ssh-keygen.exe | |
161 | rm -f ${OLDPREFIX}/bin/slogin | |
162 | rm -f ${OLDSYSCONFDIR}/ssh_host_key | |
163 | rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub | |
164 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key | |
165 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub | |
166 | rm -f ${OLDSYSCONFDIR}/ssh_config | |
167 | rm -f ${OLDSYSCONFDIR}/sshd_config | |
168 | rm -f ${OLDPREFIX}/man/man1/ssh.1 | |
169 | rm -f ${OLDPREFIX}/man/man1/scp.1 | |
170 | rm -f ${OLDPREFIX}/man/man1/ssh-add.1 | |
171 | rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 | |
172 | rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 | |
173 | rm -f ${OLDPREFIX}/man/man1/slogin.1 | |
174 | rm -f ${OLDPREFIX}/man/man8/sshd.8 | |
175 | rm -f ${OLDPREFIX}/sbin/sshd.exe | |
176 | rm -f ${OLDPREFIX}/sbin/sftp-server.exe | |
177 | fi | |
178 | old_install=1 | |
179 | fi | |
180 | fi | |
181 | ||
182 | # First generate host keys if not already existing | |
183 | ||
184 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] | |
185 | then | |
186 | echo "Generating ${SYSCONFDIR}/ssh_host_key" | |
187 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null | |
188 | fi | |
189 | ||
190 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] | |
191 | then | |
192 | echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" | |
193 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null | |
194 | fi | |
195 | ||
196 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] | |
197 | then | |
198 | echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" | |
199 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null | |
200 | fi | |
201 | ||
202 | # Check if ssh_config exists. If yes, ask for overwriting | |
203 | ||
204 | if [ -f "${SYSCONFDIR}/ssh_config" ] | |
205 | then | |
206 | if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" | |
207 | then | |
208 | rm -f "${SYSCONFDIR}/ssh_config" | |
209 | if [ -f "${SYSCONFDIR}/ssh_config" ] | |
210 | then | |
211 | echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." | |
212 | fi | |
213 | fi | |
214 | fi | |
215 | ||
216 | # Create default ssh_config from here script | |
217 | ||
218 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] | |
219 | then | |
220 | echo "Generating ${SYSCONFDIR}/ssh_config file" | |
221 | cat > ${SYSCONFDIR}/ssh_config << EOF | |
222 | # This is ssh client systemwide configuration file. This file provides | |
223 | # defaults for users, and the values can be changed in per-user configuration | |
224 | # files or on the command line. | |
225 | ||
226 | # Configuration data is parsed as follows: | |
227 | # 1. command line options | |
228 | # 2. user-specific file | |
229 | # 3. system-wide file | |
230 | # Any configuration value is only changed the first time it is set. | |
231 | # Thus, host-specific definitions should be at the beginning of the | |
232 | # configuration file, and defaults at the end. | |
233 | ||
234 | # Site-wide defaults for various options | |
235 | ||
236 | # Host * | |
237 | # ForwardAgent no | |
238 | # ForwardX11 no | |
239 | # RhostsAuthentication no | |
240 | # RhostsRSAAuthentication yes | |
241 | # RSAAuthentication yes | |
242 | # PasswordAuthentication yes | |
243 | # FallBackToRsh no | |
244 | # UseRsh no | |
245 | # BatchMode no | |
246 | # CheckHostIP yes | |
247 | # StrictHostKeyChecking yes | |
248 | # IdentityFile ~/.ssh/identity | |
249 | # IdentityFile ~/.ssh/id_dsa | |
250 | # IdentityFile ~/.ssh/id_rsa | |
251 | # Port 22 | |
252 | # Protocol 2,1 | |
253 | # Cipher blowfish | |
254 | # EscapeChar ~ | |
255 | EOF | |
256 | if [ "$port_number" != "22" ] | |
257 | then | |
258 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config | |
259 | echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config | |
260 | fi | |
261 | fi | |
262 | ||
263 | # Check if sshd_config exists. If yes, ask for overwriting | |
264 | ||
265 | if [ -f "${SYSCONFDIR}/sshd_config" ] | |
266 | then | |
267 | if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" | |
268 | then | |
269 | rm -f "${SYSCONFDIR}/sshd_config" | |
270 | if [ -f "${SYSCONFDIR}/sshd_config" ] | |
271 | then | |
272 | echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." | |
273 | fi | |
274 | fi | |
275 | fi | |
276 | ||
277 | # Create default sshd_config from here script | |
278 | ||
279 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] | |
280 | then | |
281 | echo "Generating ${SYSCONFDIR}/sshd_config file" | |
282 | cat > ${SYSCONFDIR}/sshd_config << EOF | |
283 | # This is the sshd server system-wide configuration file. See sshd(8) | |
284 | # for more information. | |
285 | ||
286 | Port $port_number | |
287 | #Protocol 2,1 | |
288 | #ListenAddress 0.0.0.0 | |
289 | #ListenAddress :: | |
290 | ||
291 | # HostKey for protocol version 1 | |
292 | HostKey /etc/ssh_host_key | |
293 | # HostKeys for protocol version 2 | |
294 | HostKey /etc/ssh_host_rsa_key | |
295 | HostKey /etc/ssh_host_dsa_key | |
296 | ||
297 | # Lifetime and size of ephemeral version 1 server ke | |
298 | KeyRegenerationInterval 3600 | |
299 | ServerKeyBits 768 | |
300 | ||
301 | # Logging | |
302 | SyslogFacility AUTH | |
303 | LogLevel INFO | |
304 | #obsoletes QuietMode and FascistLogging | |
305 | ||
306 | # Authentication: | |
307 | ||
308 | LoginGraceTime 600 | |
309 | PermitRootLogin yes | |
310 | # The following setting overrides permission checks on host key files | |
311 | # and directories. For security reasons set this to "yes" when running | |
312 | # NT/W2K, NTFS and CYGWIN=ntsec. | |
313 | StrictModes no | |
314 | ||
315 | RSAAuthentication yes | |
316 | PubkeyAuthentication yes | |
317 | #AuthorizedKeysFile %h/.ssh/authorized_keys | |
318 | ||
319 | # rhosts authentication should not be used | |
320 | RhostsAuthentication no | |
321 | # Don't read ~/.rhosts and ~/.shosts files | |
322 | IgnoreRhosts yes | |
323 | # For this to work you will also need host keys in /etc/ssh_known_hosts | |
324 | RhostsRSAAuthentication no | |
325 | # similar for protocol version 2 | |
326 | HostbasedAuthentication no | |
327 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | |
328 | #IgnoreUserKnownHosts yes | |
329 | ||
330 | # To disable tunneled clear text passwords, change to no here! | |
331 | PasswordAuthentication yes | |
332 | PermitEmptyPasswords no | |
333 | ||
334 | X11Forwarding no | |
335 | X11DisplayOffset 10 | |
336 | PrintMotd yes | |
337 | #PrintLastLog no | |
338 | KeepAlive yes | |
339 | #UseLogin no | |
340 | ||
341 | #MaxStartups 10:30:60 | |
342 | #Banner /etc/issue.net | |
343 | #ReverseMappingCheck yes | |
344 | ||
345 | Subsystem sftp /usr/sbin/sftp-server | |
346 | EOF | |
347 | fi | |
348 | ||
349 | # Care for services file | |
350 | _sys="`uname -a`" | |
351 | _nt=`expr "$_sys" : "CYGWIN_NT"` | |
352 | if [ $_nt -gt 0 ] | |
353 | then | |
354 | _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" | |
355 | _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" | |
356 | else | |
357 | _wservices="${WINDIR}\\SERVICES" | |
358 | _wserv_tmp="${WINDIR}\\SERV.$$" | |
359 | fi | |
360 | _services=`cygpath -u "${_wservices}"` | |
361 | _serv_tmp=`cygpath -u "${_wserv_tmp}"` | |
362 | ||
363 | mount -t -f "${_wservices}" "${_services}" | |
364 | mount -t -f "${_wserv_tmp}" "${_serv_tmp}" | |
365 | ||
366 | # Remove sshd 22/port from services | |
367 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] | |
368 | then | |
369 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" | |
370 | if [ -f "${_serv_tmp}" ] | |
371 | then | |
372 | if mv "${_serv_tmp}" "${_services}" | |
373 | then | |
374 | echo "Removing sshd from ${_services}" | |
375 | else | |
376 | echo "Removing sshd from ${_services} failed\!" | |
377 | fi | |
378 | rm -f "${_serv_tmp}" | |
379 | else | |
380 | echo "Removing sshd from ${_services} failed\!" | |
381 | fi | |
382 | fi | |
383 | ||
384 | # Add ssh 22/tcp and ssh 22/udp to services | |
385 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] | |
386 | then | |
387 | awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" | |
388 | if [ -f "${_serv_tmp}" ] | |
389 | then | |
390 | if mv "${_serv_tmp}" "${_services}" | |
391 | then | |
392 | echo "Added ssh to ${_services}" | |
393 | else | |
394 | echo "Adding ssh to ${_services} failed\!" | |
395 | fi | |
396 | rm -f "${_serv_tmp}" | |
397 | else | |
398 | echo "Adding ssh to ${_services} failed\!" | |
399 | fi | |
400 | fi | |
401 | ||
402 | umount "${_services}" | |
403 | umount "${_serv_tmp}" | |
404 | ||
405 | # Care for inetd.conf file | |
406 | _inetcnf="/etc/inetd.conf" | |
407 | _inetcnf_tmp="/etc/inetd.conf.$$" | |
408 | ||
409 | if [ -f "${_inetcnf}" ] | |
410 | then | |
411 | # Check if ssh service is already in use as sshd | |
412 | with_comment=1 | |
413 | grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 | |
414 | # Remove sshd line from inetd.conf | |
415 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] | |
416 | then | |
417 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" | |
418 | if [ -f "${_inetcnf_tmp}" ] | |
419 | then | |
420 | if mv "${_inetcnf_tmp}" "${_inetcnf}" | |
421 | then | |
422 | echo "Removed sshd from ${_inetcnf}" | |
423 | else | |
424 | echo "Removing sshd from ${_inetcnf} failed\!" | |
425 | fi | |
426 | rm -f "${_inetcnf_tmp}" | |
427 | else | |
428 | echo "Removing sshd from ${_inetcnf} failed\!" | |
429 | fi | |
430 | fi | |
431 | ||
432 | # Add ssh line to inetd.conf | |
433 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] | |
434 | then | |
435 | if [ "${with_comment}" -eq 0 ] | |
436 | then | |
700318f3 | 437 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
3c0ef626 | 438 | else |
700318f3 | 439 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
3c0ef626 | 440 | fi |
441 | echo "Added ssh to ${_inetcnf}" | |
442 | fi | |
443 | fi | |
444 | ||
445 | # Create /var/log and /var/log/lastlog if not already existing | |
446 | ||
447 | if [ -f /var/log ] | |
448 | then | |
449 | echo "Creating /var/log failed\!" | |
450 | else | |
451 | if [ ! -d /var/log ] | |
452 | then | |
453 | mkdir /var/log | |
454 | fi | |
455 | if [ -d /var/log/lastlog ] | |
456 | then | |
457 | echo "Creating /var/log/lastlog failed\!" | |
458 | elif [ ! -f /var/log/lastlog ] | |
459 | then | |
460 | cat /dev/null > /var/log/lastlog | |
461 | fi | |
462 | fi | |
463 | ||
464 | # On NT ask if sshd should be installed as service | |
465 | if [ $_nt -gt 0 ] | |
466 | then | |
467 | echo | |
468 | echo "Do you want to install sshd as service?" | |
469 | if request "(Say \"no\" if it's already installed as service)" | |
470 | then | |
471 | echo | |
472 | echo "Which value should the environment variable CYGWIN have when" | |
473 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" | |
474 | echo "able to change user context without password." | |
475 | echo -n "Default is \"binmode ntsec tty\". CYGWIN=" | |
476 | read _cygwin | |
477 | [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" | |
478 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" | |
479 | then | |
480 | chown system /etc/ssh* | |
481 | echo | |
482 | echo "The service has been installed under LocalSystem account." | |
483 | fi | |
484 | fi | |
485 | fi | |
486 | ||
487 | if [ "${old_install}" = "1" ] | |
488 | then | |
489 | echo | |
490 | echo "Note: If you have used sshd as service or from inetd, don't forget to" | |
491 | echo " change the path to sshd.exe in the service entry or in inetd.conf." | |
492 | fi | |
493 | ||
494 | echo | |
495 | echo "Host configuration finished. Have fun!" |