[gssapi-openssh.git] / openssh / contrib / cygwin / ssh-host-config

#!/bin/sh
#
# ssh-host-config, Copyright 2000, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

# Subdirectory where an old package might be installed
OLDPREFIX=/usr/local
OLDSYSCONFDIR=${OLDPREFIX}/etc

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "    --debug  -d     Enable shell's debug output."
    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
    echo "    --no     -n     Answer all questions with \"no\" automatically."
    echo "    --port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f /var/log ]
then
  echo "Creating /var/log failed\!"
else
  if [ ! -d /var/log ]
  then
    mkdir -p /var/log
  fi
  if [ -d /var/log/lastlog ]
  then
    echo "Creating /var/log/lastlog failed\!"
  elif [ ! -f /var/log/lastlog ]
  then
    cat /dev/null > /var/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f /var/empty ]
then
  echo "Creating /var/empty failed\!"
else
  mkdir -p /var/empty
  # On NT change ownership of that dir to user "system"
  if [ $_nt -gt 0 ]
  then
    chmod 755 /var/empty
    chown system.system /var/empty
  fi
fi

# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
# the same as ${PREFIX}

old_install=0
if [ "${OLDPREFIX}" != "${PREFIX}" ]
then
  if [ -f "${OLDPREFIX}/sbin/sshd" ]
  then
    echo
    echo "You seem to have an older installation in ${OLDPREFIX}."
    echo
    # Check if old global configuration files exist
    if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
    then
      if request "Do you want to copy your config files to your new installation?"
      then
        cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
      fi
    fi
    if request "Do you want to erase your old installation?"
    then
      rm -f ${OLDPREFIX}/bin/ssh.exe
      rm -f ${OLDPREFIX}/bin/ssh-config
      rm -f ${OLDPREFIX}/bin/scp.exe
      rm -f ${OLDPREFIX}/bin/ssh-add.exe
      rm -f ${OLDPREFIX}/bin/ssh-agent.exe
      rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
      rm -f ${OLDPREFIX}/bin/slogin
      rm -f ${OLDSYSCONFDIR}/ssh_host_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_config
      rm -f ${OLDSYSCONFDIR}/sshd_config
      rm -f ${OLDPREFIX}/man/man1/ssh.1
      rm -f ${OLDPREFIX}/man/man1/scp.1
      rm -f ${OLDPREFIX}/man/man1/ssh-add.1
      rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
      rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
      rm -f ${OLDPREFIX}/man/man1/slogin.1
      rm -f ${OLDPREFIX}/man/man8/sshd.8
      rm -f ${OLDPREFIX}/sbin/sshd.exe
      rm -f ${OLDPREFIX}/sbin/sftp-server.exe
    fi
    old_install=1
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from here script

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cat > ${SYSCONFDIR}/ssh_config << EOF
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
EOF
  if [ "$port_number" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port $port_number" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "$privsep_configured" != "yes" ]
then
  if [ $_nt -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
    echo
    if request "Shall privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "$sshd_in_passwd" != "yes" ]
      then
        if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Shall this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w /var/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "$sshd_in_sam" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless addtional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from here script or modify to add the
# missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  cat > ${SYSCONFDIR}/sshd_config << EOF
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port $port_number
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey ${SYSCONFDIR}/ssh_host_key
# HostKeys for protocol version 2
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes no

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation $privsep_used
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem      sftp    /usr/sbin/sftp-server
EOF
elif [ "$privsep_configured" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
if [ $_nt -gt 0 ]
then
  _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
  _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
else
  _wservices="${WINDIR}\\SERVICES"
  _wserv_tmp="${WINDIR}\\SERV.$$"
fi
_services=`cygpath -u "${_wservices}"`
_serv_tmp=`cygpath -u "${_wserv_tmp}"`

mount -t -f "${_wservices}" "${_services}"
mount -t -f "${_wserv_tmp}" "${_serv_tmp}"

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then 
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_services}"
    else
      echo "Removing sshd from ${_services} failed\!"
    fi 
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_services} failed\!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp                           #SSH Remote Login Protocol\nssh                22/udp                           #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_services}"
    else
      echo "Adding ssh to ${_services} failed\!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Adding ssh to ${_services} failed\!"
  fi
fi

umount "${_services}"
umount "${_serv_tmp}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
        echo "Removed sshd from ${_inetcnf}"
      else
        echo "Removing sshd from ${_inetcnf} failed\!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed\!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
  echo
  echo "Do you want to install sshd as service?"
  if request "(Say \"no\" if it's already installed as service)"
  then
    echo
    echo "Which value should the environment variable CYGWIN have when"
    echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
    echo "able to change user context without password."
    echo -n "Default is \"binmode ntsec tty\".  CYGWIN="
    read _cygwin
    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
    then
      chown system ${SYSCONFDIR}/ssh*
      echo
      echo "The service has been installed under LocalSystem account."
    fi
  fi
fi

if [ "${old_install}" = "1" ]
then
  echo
  echo "Note: If you have used sshd as service or from inetd, don't forget to"
  echo "      change the path to sshd.exe in the service entry or in inetd.conf."
fi

echo
echo "Host configuration finished. Have fun!"
Commit	Line	Data
9cb1827b	1	#!/bin/sh
3c0ef626	2	#
9cb1827b	3	# ssh-host-config, Copyright 2000, Red Hat Inc.
3c0ef626	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
	7	# Subdirectory where the new package is being installed
	8	PREFIX=/usr
	9
	10	# Directory where the config files are stored
	11	SYSCONFDIR=/etc
9cb1827b	12
	13	# Subdirectory where an old package might be installed
	14	OLDPREFIX=/usr/local
	15	OLDSYSCONFDIR=${OLDPREFIX}/etc
3c0ef626	16
	17	progname=$0
	18	auto_answer=""
	19	port_number=22
	20
41b2f314	21	privsep_configured=no
	22	privsep_used=yes
	23	sshd_in_passwd=no
	24	sshd_in_sam=no
	25
3c0ef626	26	request()
	27	{
	28	if [ "${auto_answer}" = "yes" ]
	29	then
	30	return 0
	31	elif [ "${auto_answer}" = "no" ]
	32	then
	33	return 1
	34	fi
	35
	36	answer=""
	37	while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
	38	do
	39	echo -n "$1 (yes/no) "
9cb1827b	40	read answer
3c0ef626	41	done
	42	if [ "X${answer}" = "Xyes" ]
	43	then
	44	return 0
	45	else
	46	return 1
	47	fi
	48	}
	49
	50	# Check options
	51
	52	while :
	53	do
	54	case $# in
	55	0)
	56	break
	57	;;
	58	esac
	59
	60	option=$1
	61	shift
	62
9cb1827b	63	case "$option" in
3c0ef626	64	-d \| --debug )
	65	set -x
	66	;;
	67
	68	-y \| --yes )
	69	auto_answer=yes
	70	;;
	71
	72	-n \| --no )
	73	auto_answer=no
	74	;;
	75
	76	-p \| --port )
	77	port_number=$1
	78	shift
	79	;;
	80
	81	*)
	82	echo "usage: ${progname} [OPTION]..."
	83	echo
	84	echo "This script creates an OpenSSH host configuration."
	85	echo
	86	echo "Options:"
9cb1827b	87	echo " --debug -d Enable shell's debug output."
	88	echo " --yes -y Answer all questions with \"yes\" automatically."
	89	echo " --no -n Answer all questions with \"no\" automatically."
	90	echo " --port -p <n> sshd listens on port n."
3c0ef626	91	echo
	92	exit 1
	93	;;
	94
	95	esac
	96	done
	97
41b2f314	98	# Check if running on NT
9cb1827b	99	_sys="`uname -a`"
9cb1827b	100	_nt=`expr "$_sys" : "CYGWIN_NT"`
41b2f314	101
3c0ef626	102	# Check for running ssh/sshd processes first. Refuse to do anything while
	103	# some ssh processes are still running
	104
	105	if ps -ef \| grep -v grep \| grep -q ssh
	106	then
	107	echo
	108	echo "There are still ssh processes running. Please shut them down first."
	109	echo
41b2f314	110	exit 1
3c0ef626	111	fi
	112
	113	# Check for ${SYSCONFDIR} directory
	114
	115	if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
	116	then
	117	echo
	118	echo "${SYSCONFDIR} is existant but not a directory."
	119	echo "Cannot create global configuration files."
	120	echo
	121	exit 1
	122	fi
	123
	124	# Create it if necessary
	125
	126	if [ ! -e "${SYSCONFDIR}" ]
	127	then
	128	mkdir "${SYSCONFDIR}"
	129	if [ ! -e "${SYSCONFDIR}" ]
	130	then
	131	echo
	132	echo "Creating ${SYSCONFDIR} directory failed"
	133	echo
	134	exit 1
	135	fi
	136	fi
	137
41b2f314	138	# Create /var/log and /var/log/lastlog if not already existing
41b2f314	139
9cb1827b	140	if [ -f /var/log ]
41b2f314	141	then
9cb1827b	142	echo "Creating /var/log failed\!"
41b2f314	143	else
9cb1827b	144	if [ ! -d /var/log ]
41b2f314	145	then
9cb1827b	146	mkdir -p /var/log
41b2f314	147	fi
9cb1827b	148	if [ -d /var/log/lastlog ]
41b2f314	149	then
9cb1827b	150	echo "Creating /var/log/lastlog failed\!"
9cb1827b	151	elif [ ! -f /var/log/lastlog ]
41b2f314	152	then
9cb1827b	153	cat /dev/null > /var/log/lastlog
41b2f314	154	fi
	155	fi
	156
	157	# Create /var/empty file used as chroot jail for privilege separation
9cb1827b	158	if [ -f /var/empty ]
41b2f314	159	then
9cb1827b	160	echo "Creating /var/empty failed\!"
41b2f314	161	else
9cb1827b	162	mkdir -p /var/empty
	163	# On NT change ownership of that dir to user "system"
	164	if [ $_nt -gt 0 ]
41b2f314	165	then
9cb1827b	166	chmod 755 /var/empty
	167	chown system.system /var/empty
	168	fi
	169	fi
	170
	171	# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
	172	# the same as ${PREFIX}
	173
	174	old_install=0
	175	if [ "${OLDPREFIX}" != "${PREFIX}" ]
	176	then
	177	if [ -f "${OLDPREFIX}/sbin/sshd" ]
	178	then
	179	echo
	180	echo "You seem to have an older installation in ${OLDPREFIX}."
	181	echo
	182	# Check if old global configuration files exist
	183	if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
	184	then
	185	if request "Do you want to copy your config files to your new installation?"
	186	then
	187	cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
	188	cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
	189	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
	190	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
	191	cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
	192	cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
	193	fi
	194	fi
	195	if request "Do you want to erase your old installation?"
	196	then
	197	rm -f ${OLDPREFIX}/bin/ssh.exe
	198	rm -f ${OLDPREFIX}/bin/ssh-config
	199	rm -f ${OLDPREFIX}/bin/scp.exe
	200	rm -f ${OLDPREFIX}/bin/ssh-add.exe
	201	rm -f ${OLDPREFIX}/bin/ssh-agent.exe
	202	rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
	203	rm -f ${OLDPREFIX}/bin/slogin
	204	rm -f ${OLDSYSCONFDIR}/ssh_host_key
	205	rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
	206	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
	207	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
	208	rm -f ${OLDSYSCONFDIR}/ssh_config
	209	rm -f ${OLDSYSCONFDIR}/sshd_config
	210	rm -f ${OLDPREFIX}/man/man1/ssh.1
	211	rm -f ${OLDPREFIX}/man/man1/scp.1
	212	rm -f ${OLDPREFIX}/man/man1/ssh-add.1
	213	rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
	214	rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
	215	rm -f ${OLDPREFIX}/man/man1/slogin.1
	216	rm -f ${OLDPREFIX}/man/man8/sshd.8
	217	rm -f ${OLDPREFIX}/sbin/sshd.exe
	218	rm -f ${OLDPREFIX}/sbin/sftp-server.exe
	219	fi
	220	old_install=1
3c0ef626	221	fi
	222	fi
	223
	224	# First generate host keys if not already existing
	225
	226	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	227	then
	228	echo "Generating ${SYSCONFDIR}/ssh_host_key"
	229	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	230	fi
	231
	232	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	233	then
	234	echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
	235	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
	236	fi
	237
	238	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
	239	then
	240	echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
	241	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
	242	fi
	243
	244	# Check if ssh_config exists. If yes, ask for overwriting
	245
	246	if [ -f "${SYSCONFDIR}/ssh_config" ]
	247	then
	248	if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
	249	then
	250	rm -f "${SYSCONFDIR}/ssh_config"
	251	if [ -f "${SYSCONFDIR}/ssh_config" ]
	252	then
	253	echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
	254	fi
	255	fi
	256	fi
	257
9cb1827b	258	# Create default ssh_config from here script
3c0ef626	259
	260	if [ ! -f "${SYSCONFDIR}/ssh_config" ]
	261	then
	262	echo "Generating ${SYSCONFDIR}/ssh_config file"
9cb1827b	263	cat > ${SYSCONFDIR}/ssh_config << EOF
	264	# This is the ssh client system-wide configuration file. See
	265	# ssh_config(5) for more information. This file provides defaults for
	266	# users, and the values can be changed in per-user configuration files
	267	# or on the command line.
	268
	269	# Configuration data is parsed as follows:
	270	# 1. command line options
	271	# 2. user-specific file
	272	# 3. system-wide file
	273	# Any configuration value is only changed the first time it is set.
	274	# Thus, host-specific definitions should be at the beginning of the
	275	# configuration file, and defaults at the end.
	276
	277	# Site-wide defaults for various options
	278
	279	# Host *
	280	# ForwardAgent no
	281	# ForwardX11 no
	282	# RhostsRSAAuthentication no
	283	# RSAAuthentication yes
	284	# PasswordAuthentication yes
	285	# HostbasedAuthentication no
	286	# BatchMode no
	287	# CheckHostIP yes
	288	# AddressFamily any
	289	# ConnectTimeout 0
	290	# StrictHostKeyChecking ask
	291	# IdentityFile ~/.ssh/identity
	292	# IdentityFile ~/.ssh/id_dsa
	293	# IdentityFile ~/.ssh/id_rsa
	294	# Port 22
	295	# Protocol 2,1
	296	# Cipher 3des
	297	# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
	298	# EscapeChar ~
	299	EOF
	300	if [ "$port_number" != "22" ]
3c0ef626	301	then
3c0ef626	302	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
9cb1827b	303	echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
3c0ef626	304	fi
	305	fi
	306
	307	# Check if sshd_config exists. If yes, ask for overwriting
	308
	309	if [ -f "${SYSCONFDIR}/sshd_config" ]
	310	then
	311	if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
	312	then
	313	rm -f "${SYSCONFDIR}/sshd_config"
	314	if [ -f "${SYSCONFDIR}/sshd_config" ]
	315	then
	316	echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
	317	fi
41b2f314	318	else
41b2f314	319	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
3c0ef626	320	fi
	321	fi
	322
41b2f314	323	# Prior to creating or modifying sshd_config, care for privilege separation
41b2f314	324
9cb1827b	325	if [ "$privsep_configured" != "yes" ]
41b2f314	326	then
9cb1827b	327	if [ $_nt -gt 0 ]
41b2f314	328	then
	329	echo "Privilege separation is set to yes by default since OpenSSH 3.3."
	330	echo "However, this requires a non-privileged account called 'sshd'."
9cb1827b	331	echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
41b2f314	332	echo
9cb1827b	333	if request "Shall privilege separation be used?"
41b2f314	334	then
	335	privsep_used=yes
	336	grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
	337	net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
9cb1827b	338	if [ "$sshd_in_passwd" != "yes" ]
41b2f314	339	then
9cb1827b	340	if [ "$sshd_in_sam" != "yes" ]
41b2f314	341	then
41b2f314	342	echo "Warning: The following function requires administrator privileges!"
9cb1827b	343	if request "Shall this script create a local user 'sshd' on this machine?"
41b2f314	344	then
9cb1827b	345	dos_var_empty=`cygpath -w /var/empty`
	346	net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	347	if [ "$sshd_in_sam" != "yes" ]
41b2f314	348	then
	349	echo "Warning: Creating the user 'sshd' failed!"
	350	fi
	351	fi
	352	fi
9cb1827b	353	if [ "$sshd_in_sam" != "yes" ]
41b2f314	354	then
	355	echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	356	echo " Privilege separation set to 'no' again!"
	357	echo " Check your ${SYSCONFDIR}/sshd_config file!"
	358	privsep_used=no
	359	else
	360	mkpasswd -l -u sshd \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	361	fi
	362	fi
	363	else
	364	privsep_used=no
	365	fi
	366	else
	367	# On 9x don't use privilege separation. Since security isn't
9cb1827b	368	# available it just adds useless addtional processes.
41b2f314	369	privsep_used=no
	370	fi
	371	fi
	372
9cb1827b	373	# Create default sshd_config from here script or modify to add the
9cb1827b	374	# missing privsep configuration option
3c0ef626	375
	376	if [ ! -f "${SYSCONFDIR}/sshd_config" ]
	377	then
	378	echo "Generating ${SYSCONFDIR}/sshd_config file"
9cb1827b	379	cat > ${SYSCONFDIR}/sshd_config << EOF
	380	# This is the sshd server system-wide configuration file. See
	381	# sshd_config(5) for more information.
	382
	383	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
	384
	385	# The strategy used for options in the default sshd_config shipped with
	386	# OpenSSH is to specify options with their default value where
	387	# possible, but leave them commented. Uncommented options change a
	388	# default value.
	389
	390	Port $port_number
	391	#Protocol 2,1
	392	#ListenAddress 0.0.0.0
	393	#ListenAddress ::
	394
	395	# HostKey for protocol version 1
	396	#HostKey ${SYSCONFDIR}/ssh_host_key
	397	# HostKeys for protocol version 2
	398	#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
	399	#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
	400
	401	# Lifetime and size of ephemeral version 1 server key
	402	#KeyRegenerationInterval 1h
	403	#ServerKeyBits 768
	404
	405	# Logging
	406	#obsoletes QuietMode and FascistLogging
	407	#SyslogFacility AUTH
	408	#LogLevel INFO
	409
	410	# Authentication:
	411
	412	#LoginGraceTime 2m
	413	#PermitRootLogin yes
	414	# The following setting overrides permission checks on host key files
	415	# and directories. For security reasons set this to "yes" when running
	416	# NT/W2K, NTFS and CYGWIN=ntsec.
	417	StrictModes no
	418
	419	#RSAAuthentication yes
	420	#PubkeyAuthentication yes
	421	#AuthorizedKeysFile .ssh/authorized_keys
	422
	423	# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
	424	#RhostsRSAAuthentication no
	425	# similar for protocol version 2
	426	#HostbasedAuthentication no
	427	# Change to yes if you don't trust ~/.ssh/known_hosts for
	428	# RhostsRSAAuthentication and HostbasedAuthentication
	429	#IgnoreUserKnownHosts no
	430	# Don't read the user's ~/.rhosts and ~/.shosts files
	431	#IgnoreRhosts yes
	432
	433	# To disable tunneled clear text passwords, change to no here!
	434	#PasswordAuthentication yes
	435	#PermitEmptyPasswords no
	436
	437	# Change to no to disable s/key passwords
	438	#ChallengeResponseAuthentication yes
	439
	440	#AllowTcpForwarding yes
	441	#GatewayPorts no
	442	#X11Forwarding no
443	#X11DisplayOffset 10
444	#X11UseLocalhost yes
445	#PrintMotd yes
446	#PrintLastLog yes
447	#KeepAlive yes
448	#UseLogin no
449	UsePrivilegeSeparation $privsep_used
450	#PermitUserEnvironment no
451	#Compression yes
452	#ClientAliveInterval 0
453	#ClientAliveCountMax 3
454	#UseDNS yes
455	#PidFile /var/run/sshd.pid
456	#MaxStartups 10
457
458	# no default banner path
459	#Banner /some/path
460
461	# override default of no subsystems
462	Subsystem sftp /usr/sbin/sftp-server
463	EOF
464	elif [ "$privsep_configured" != "yes" ]
41b2f314	465	then
41b2f314	466	echo >> ${SYSCONFDIR}/sshd_config
9cb1827b	467	echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
3c0ef626	468	fi
	469
	470	# Care for services file
9cb1827b	471	if [ $_nt -gt 0 ]
3c0ef626	472	then
9cb1827b	473	_wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
9cb1827b	474	_wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
3c0ef626	475	else
9cb1827b	476	_wservices="${WINDIR}\\SERVICES"
9cb1827b	477	_wserv_tmp="${WINDIR}\\SERV.$$"
3c0ef626	478	fi
9cb1827b	479	_services=`cygpath -u "${_wservices}"`
9cb1827b	480	_serv_tmp=`cygpath -u "${_wserv_tmp}"`
3c0ef626	481
9cb1827b	482	mount -t -f "${_wservices}" "${_services}"
9cb1827b	483	mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
3c0ef626	484
	485	# Remove sshd 22/port from services
	486	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	487	then
	488	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	489	if [ -f "${_serv_tmp}" ]
9cb1827b	490	then
3c0ef626	491	if mv "${_serv_tmp}" "${_services}"
3c0ef626	492	then
9cb1827b	493	echo "Removing sshd from ${_services}"
3c0ef626	494	else
9cb1827b	495	echo "Removing sshd from ${_services} failed\!"
9cb1827b	496	fi
3c0ef626	497	rm -f "${_serv_tmp}"
3c0ef626	498	else
9cb1827b	499	echo "Removing sshd from ${_services} failed\!"
3c0ef626	500	fi
	501	fi
	502
	503	# Add ssh 22/tcp and ssh 22/udp to services
	504	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
	505	then
9cb1827b	506	awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
9cb1827b	507	if [ -f "${_serv_tmp}" ]
3c0ef626	508	then
	509	if mv "${_serv_tmp}" "${_services}"
	510	then
9cb1827b	511	echo "Added ssh to ${_services}"
3c0ef626	512	else
9cb1827b	513	echo "Adding ssh to ${_services} failed\!"
3c0ef626	514	fi
	515	rm -f "${_serv_tmp}"
	516	else
9cb1827b	517	echo "Adding ssh to ${_services} failed\!"
3c0ef626	518	fi
	519	fi
	520
9cb1827b	521	umount "${_services}"
9cb1827b	522	umount "${_serv_tmp}"
3c0ef626	523
3c0ef626	524	# Care for inetd.conf file
41b2f314	525	_inetcnf="${SYSCONFDIR}/inetd.conf"
41b2f314	526	_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
3c0ef626	527
	528	if [ -f "${_inetcnf}" ]
	529	then
	530	# Check if ssh service is already in use as sshd
	531	with_comment=1
	532	grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
	533	# Remove sshd line from inetd.conf
	534	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	535	then
	536	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	537	if [ -f "${_inetcnf_tmp}" ]
	538	then
	539	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	540	then
9cb1827b	541	echo "Removed sshd from ${_inetcnf}"
3c0ef626	542	else
9cb1827b	543	echo "Removing sshd from ${_inetcnf} failed\!"
3c0ef626	544	fi
	545	rm -f "${_inetcnf_tmp}"
	546	else
9cb1827b	547	echo "Removing sshd from ${_inetcnf} failed\!"
3c0ef626	548	fi
	549	fi
	550
	551	# Add ssh line to inetd.conf
	552	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	553	then
	554	if [ "${with_comment}" -eq 0 ]
	555	then
700318f3	556	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
3c0ef626	557	else
700318f3	558	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
3c0ef626	559	fi
	560	echo "Added ssh to ${_inetcnf}"
	561	fi
	562	fi
	563
3c0ef626	564	# On NT ask if sshd should be installed as service
9cb1827b	565	if [ $_nt -gt 0 ]
3c0ef626	566	then
9cb1827b	567	echo
	568	echo "Do you want to install sshd as service?"
	569	if request "(Say \"no\" if it's already installed as service)"
3c0ef626	570	then
3c0ef626	571	echo
9cb1827b	572	echo "Which value should the environment variable CYGWIN have when"
	573	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	574	echo "able to change user context without password."
	575	echo -n "Default is \"binmode ntsec tty\". CYGWIN="
	576	read _cygwin
	577	[ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
	578	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
3c0ef626	579	then
9cb1827b	580	chown system ${SYSCONFDIR}/ssh*
	581	echo
	582	echo "The service has been installed under LocalSystem account."
3c0ef626	583	fi
	584	fi
	585	fi
	586
9cb1827b	587	if [ "${old_install}" = "1" ]
	588	then
	589	echo
	590	echo "Note: If you have used sshd as service or from inetd, don't forget to"
	591	echo " change the path to sshd.exe in the service entry or in inetd.conf."
	592	fi
	593
3c0ef626	594	echo
3c0ef626	595	echo "Host configuration finished. Have fun!"