[gssapi-openssh.git] / openssh / contrib / cygwin / ssh-host-config

#!/bin/sh
#
# ssh-host-config, Copyright 2000, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

# Subdirectory where an old package might be installed
OLDPREFIX=/usr/local
OLDSYSCONFDIR=${OLDPREFIX}/etc

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "    --debug  -d     Enable shell's debug output."
    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
    echo "    --no     -n     Answer all questions with \"no\" automatically."
    echo "    --port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f /var/log ]
then
  echo "Creating /var/log failed\!"
else
  if [ ! -d /var/log ]
  then
    mkdir -p /var/log
  fi
  if [ -d /var/log/lastlog ]
  then
    echo "Creating /var/log/lastlog failed\!"
  elif [ ! -f /var/log/lastlog ]
  then
    cat /dev/null > /var/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f /var/empty ]
then
  echo "Creating /var/empty failed\!"
else
  mkdir -p /var/empty
  # On NT change ownership of that dir to user "system"
  if [ $_nt -gt 0 ]
  then
    chmod 755 /var/empty
    chown system.system /var/empty
  fi
fi

# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
# the same as ${PREFIX}

old_install=0
if [ "${OLDPREFIX}" != "${PREFIX}" ]
then
  if [ -f "${OLDPREFIX}/sbin/sshd" ]
  then
    echo
    echo "You seem to have an older installation in ${OLDPREFIX}."
    echo
    # Check if old global configuration files exist
    if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
    then
      if request "Do you want to copy your config files to your new installation?"
      then
        cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
      fi
    fi
    if request "Do you want to erase your old installation?"
    then
      rm -f ${OLDPREFIX}/bin/ssh.exe
      rm -f ${OLDPREFIX}/bin/ssh-config
      rm -f ${OLDPREFIX}/bin/scp.exe
      rm -f ${OLDPREFIX}/bin/ssh-add.exe
      rm -f ${OLDPREFIX}/bin/ssh-agent.exe
      rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
      rm -f ${OLDPREFIX}/bin/slogin
      rm -f ${OLDSYSCONFDIR}/ssh_host_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_config
      rm -f ${OLDSYSCONFDIR}/sshd_config
      rm -f ${OLDPREFIX}/man/man1/ssh.1
      rm -f ${OLDPREFIX}/man/man1/scp.1
      rm -f ${OLDPREFIX}/man/man1/ssh-add.1
      rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
      rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
      rm -f ${OLDPREFIX}/man/man1/slogin.1
      rm -f ${OLDPREFIX}/man/man8/sshd.8
      rm -f ${OLDPREFIX}/sbin/sshd.exe
      rm -f ${OLDPREFIX}/sbin/sftp-server.exe
    fi
    old_install=1
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from here script

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cat > ${SYSCONFDIR}/ssh_config << EOF
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
EOF
  if [ "$port_number" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port $port_number" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "$privsep_configured" != "yes" ]
then
  if [ $_nt -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
    echo
    if request "Shall privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "$sshd_in_passwd" != "yes" ]
      then
        if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Shall this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w /var/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "$sshd_in_sam" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless addtional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from here script or modify to add the
# missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  cat > ${SYSCONFDIR}/sshd_config << EOF
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port $port_number
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey ${SYSCONFDIR}/ssh_host_key
# HostKeys for protocol version 2
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes no

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation $privsep_used
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem      sftp    /usr/sbin/sftp-server
EOF
elif [ "$privsep_configured" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
if [ $_nt -gt 0 ]
then
  _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
  _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
else
  _wservices="${WINDIR}\\SERVICES"
  _wserv_tmp="${WINDIR}\\SERV.$$"
fi
_services=`cygpath -u "${_wservices}"`
_serv_tmp=`cygpath -u "${_wserv_tmp}"`

mount -t -f "${_wservices}" "${_services}"
mount -t -f "${_wserv_tmp}" "${_serv_tmp}"

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then 
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_services}"
    else
      echo "Removing sshd from ${_services} failed\!"
    fi 
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_services} failed\!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp                           #SSH Remote Login Protocol\nssh                22/udp                           #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_services}"
    else
      echo "Adding ssh to ${_services} failed\!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Adding ssh to ${_services} failed\!"
  fi
fi

umount "${_services}"
umount "${_serv_tmp}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
        echo "Removed sshd from ${_inetcnf}"
      else
        echo "Removing sshd from ${_inetcnf} failed\!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed\!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
  echo
  echo "Do you want to install sshd as service?"
  if request "(Say \"no\" if it's already installed as service)"
  then
    echo
    echo "Which value should the environment variable CYGWIN have when"
    echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
    echo "able to change user context without password."
    echo -n "Default is \"binmode ntsec tty\".  CYGWIN="
    read _cygwin
    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
    then
      chown system ${SYSCONFDIR}/ssh*
      echo
      echo "The service has been installed under LocalSystem account."
    fi
  fi
fi

if [ "${old_install}" = "1" ]
then
  echo
  echo "Note: If you have used sshd as service or from inetd, don't forget to"
  echo "      change the path to sshd.exe in the service entry or in inetd.conf."
fi

echo
echo "Host configuration finished. Have fun!"
Commit	Line	Data
3c0ef626	1	#!/bin/sh
	2	#
	3	# ssh-host-config, Copyright 2000, Red Hat Inc.
	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
	7	# Subdirectory where the new package is being installed
	8	PREFIX=/usr
	9
	10	# Directory where the config files are stored
	11	SYSCONFDIR=/etc
	12
	13	# Subdirectory where an old package might be installed
	14	OLDPREFIX=/usr/local
	15	OLDSYSCONFDIR=${OLDPREFIX}/etc
	16
	17	progname=$0
	18	auto_answer=""
	19	port_number=22
	20
41b2f314	21	privsep_configured=no
	22	privsep_used=yes
	23	sshd_in_passwd=no
	24	sshd_in_sam=no
	25
3c0ef626	26	request()
	27	{
	28	if [ "${auto_answer}" = "yes" ]
	29	then
	30	return 0
	31	elif [ "${auto_answer}" = "no" ]
	32	then
	33	return 1
	34	fi
	35
	36	answer=""
	37	while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
	38	do
	39	echo -n "$1 (yes/no) "
	40	read answer
	41	done
	42	if [ "X${answer}" = "Xyes" ]
	43	then
	44	return 0
	45	else
	46	return 1
	47	fi
	48	}
	49
	50	# Check options
	51
	52	while :
	53	do
	54	case $# in
	55	0)
	56	break
	57	;;
	58	esac
	59
	60	option=$1
	61	shift
	62
	63	case "$option" in
	64	-d \| --debug )
	65	set -x
	66	;;
	67
	68	-y \| --yes )
	69	auto_answer=yes
	70	;;
	71
	72	-n \| --no )
	73	auto_answer=no
	74	;;
	75
	76	-p \| --port )
	77	port_number=$1
	78	shift
	79	;;
	80
	81	*)
	82	echo "usage: ${progname} [OPTION]..."
	83	echo
	84	echo "This script creates an OpenSSH host configuration."
	85	echo
	86	echo "Options:"
	87	echo " --debug -d Enable shell's debug output."
	88	echo " --yes -y Answer all questions with \"yes\" automatically."
	89	echo " --no -n Answer all questions with \"no\" automatically."
90	echo " --port -p <n> sshd listens on port n."
91	echo
92	exit 1
93	;;
94
95	esac
96	done
97
41b2f314	98	# Check if running on NT
	99	_sys="`uname -a`"
	100	_nt=`expr "$_sys" : "CYGWIN_NT"`
	101
3c0ef626	102	# Check for running ssh/sshd processes first. Refuse to do anything while
	103	# some ssh processes are still running
	104
	105	if ps -ef \| grep -v grep \| grep -q ssh
	106	then
	107	echo
	108	echo "There are still ssh processes running. Please shut them down first."
	109	echo
41b2f314	110	exit 1
3c0ef626	111	fi
	112
	113	# Check for ${SYSCONFDIR} directory
	114
	115	if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
	116	then
	117	echo
	118	echo "${SYSCONFDIR} is existant but not a directory."
	119	echo "Cannot create global configuration files."
	120	echo
	121	exit 1
	122	fi
	123
	124	# Create it if necessary
	125
	126	if [ ! -e "${SYSCONFDIR}" ]
	127	then
	128	mkdir "${SYSCONFDIR}"
	129	if [ ! -e "${SYSCONFDIR}" ]
	130	then
	131	echo
	132	echo "Creating ${SYSCONFDIR} directory failed"
	133	echo
	134	exit 1
	135	fi
	136	fi
	137
41b2f314	138	# Create /var/log and /var/log/lastlog if not already existing
	139
	140	if [ -f /var/log ]
	141	then
	142	echo "Creating /var/log failed\!"
	143	else
	144	if [ ! -d /var/log ]
	145	then
	146	mkdir -p /var/log
	147	fi
	148	if [ -d /var/log/lastlog ]
	149	then
	150	echo "Creating /var/log/lastlog failed\!"
	151	elif [ ! -f /var/log/lastlog ]
	152	then
	153	cat /dev/null > /var/log/lastlog
	154	fi
	155	fi
	156
	157	# Create /var/empty file used as chroot jail for privilege separation
	158	if [ -f /var/empty ]
	159	then
	160	echo "Creating /var/empty failed\!"
	161	else
	162	mkdir -p /var/empty
	163	# On NT change ownership of that dir to user "system"
	164	if [ $_nt -gt 0 ]
	165	then
	166	chmod 755 /var/empty
	167	chown system.system /var/empty
	168	fi
	169	fi
	170
3c0ef626	171	# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
	172	# the same as ${PREFIX}
	173
	174	old_install=0
	175	if [ "${OLDPREFIX}" != "${PREFIX}" ]
	176	then
	177	if [ -f "${OLDPREFIX}/sbin/sshd" ]
	178	then
	179	echo
	180	echo "You seem to have an older installation in ${OLDPREFIX}."
	181	echo
	182	# Check if old global configuration files exist
	183	if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
	184	then
	185	if request "Do you want to copy your config files to your new installation?"
	186	then
	187	cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
	188	cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
	189	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
	190	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
	191	cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
	192	cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
	193	fi
	194	fi
	195	if request "Do you want to erase your old installation?"
	196	then
	197	rm -f ${OLDPREFIX}/bin/ssh.exe
	198	rm -f ${OLDPREFIX}/bin/ssh-config
	199	rm -f ${OLDPREFIX}/bin/scp.exe
	200	rm -f ${OLDPREFIX}/bin/ssh-add.exe
	201	rm -f ${OLDPREFIX}/bin/ssh-agent.exe
	202	rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
	203	rm -f ${OLDPREFIX}/bin/slogin
	204	rm -f ${OLDSYSCONFDIR}/ssh_host_key
	205	rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
	206	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
	207	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
	208	rm -f ${OLDSYSCONFDIR}/ssh_config
	209	rm -f ${OLDSYSCONFDIR}/sshd_config
	210	rm -f ${OLDPREFIX}/man/man1/ssh.1
	211	rm -f ${OLDPREFIX}/man/man1/scp.1
	212	rm -f ${OLDPREFIX}/man/man1/ssh-add.1
	213	rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
	214	rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
	215	rm -f ${OLDPREFIX}/man/man1/slogin.1
	216	rm -f ${OLDPREFIX}/man/man8/sshd.8
	217	rm -f ${OLDPREFIX}/sbin/sshd.exe
	218	rm -f ${OLDPREFIX}/sbin/sftp-server.exe
	219	fi
	220	old_install=1
	221	fi
	222	fi
	223
	224	# First generate host keys if not already existing
	225
	226	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	227	then
	228	echo "Generating ${SYSCONFDIR}/ssh_host_key"
	229	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	230	fi
	231
	232	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	233	then
	234	echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
235	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
236	fi
237
238	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
239	then
240	echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
241	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
242	fi
243
244	# Check if ssh_config exists. If yes, ask for overwriting
245
246	if [ -f "${SYSCONFDIR}/ssh_config" ]
247	then
248	if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
249	then
250	rm -f "${SYSCONFDIR}/ssh_config"
251	if [ -f "${SYSCONFDIR}/ssh_config" ]
252	then
253	echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
254	fi
255	fi
256	fi
257
258	# Create default ssh_config from here script
259
260	if [ ! -f "${SYSCONFDIR}/ssh_config" ]
261	then
262	echo "Generating ${SYSCONFDIR}/ssh_config file"
263	cat > ${SYSCONFDIR}/ssh_config << EOF
41b2f314	264	# This is the ssh client system-wide configuration file. See
	265	# ssh_config(5) for more information. This file provides defaults for
	266	# users, and the values can be changed in per-user configuration files
	267	# or on the command line.
3c0ef626	268
	269	# Configuration data is parsed as follows:
	270	# 1. command line options
	271	# 2. user-specific file
	272	# 3. system-wide file
	273	# Any configuration value is only changed the first time it is set.
	274	# Thus, host-specific definitions should be at the beginning of the
	275	# configuration file, and defaults at the end.
	276
	277	# Site-wide defaults for various options
	278
	279	# Host *
	280	# ForwardAgent no
	281	# ForwardX11 no
41b2f314	282	# RhostsRSAAuthentication no
3c0ef626	283	# RSAAuthentication yes
3c0ef626	284	# PasswordAuthentication yes
acc3d05e	285	# HostbasedAuthentication no
3c0ef626	286	# BatchMode no
3c0ef626	287	# CheckHostIP yes
acc3d05e	288	# AddressFamily any
acc3d05e	289	# ConnectTimeout 0
41b2f314	290	# StrictHostKeyChecking ask
3c0ef626	291	# IdentityFile ~/.ssh/identity
	292	# IdentityFile ~/.ssh/id_dsa
	293	# IdentityFile ~/.ssh/id_rsa
	294	# Port 22
	295	# Protocol 2,1
41b2f314	296	# Cipher 3des
41b2f314	297	# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
3c0ef626	298	# EscapeChar ~
	299	EOF
	300	if [ "$port_number" != "22" ]
	301	then
	302	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
	303	echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
	304	fi
	305	fi
	306
	307	# Check if sshd_config exists. If yes, ask for overwriting
	308
	309	if [ -f "${SYSCONFDIR}/sshd_config" ]
	310	then
	311	if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
	312	then
	313	rm -f "${SYSCONFDIR}/sshd_config"
	314	if [ -f "${SYSCONFDIR}/sshd_config" ]
	315	then
	316	echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
	317	fi
41b2f314	318	else
41b2f314	319	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
3c0ef626	320	fi
	321	fi
	322
41b2f314	323	# Prior to creating or modifying sshd_config, care for privilege separation
	324
	325	if [ "$privsep_configured" != "yes" ]
	326	then
	327	if [ $_nt -gt 0 ]
	328	then
	329	echo "Privilege separation is set to yes by default since OpenSSH 3.3."
	330	echo "However, this requires a non-privileged account called 'sshd'."
	331	echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
	332	echo
	333	if request "Shall privilege separation be used?"
	334	then
	335	privsep_used=yes
	336	grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
	337	net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
	338	if [ "$sshd_in_passwd" != "yes" ]
	339	then
	340	if [ "$sshd_in_sam" != "yes" ]
	341	then
	342	echo "Warning: The following function requires administrator privileges!"
	343	if request "Shall this script create a local user 'sshd' on this machine?"
	344	then
	345	dos_var_empty=`cygpath -w /var/empty`
	346	net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	347	if [ "$sshd_in_sam" != "yes" ]
	348	then
	349	echo "Warning: Creating the user 'sshd' failed!"
	350	fi
	351	fi
	352	fi
	353	if [ "$sshd_in_sam" != "yes" ]
	354	then
	355	echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	356	echo " Privilege separation set to 'no' again!"
	357	echo " Check your ${SYSCONFDIR}/sshd_config file!"
	358	privsep_used=no
	359	else
	360	mkpasswd -l -u sshd \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	361	fi
	362	fi
	363	else
	364	privsep_used=no
	365	fi
	366	else
	367	# On 9x don't use privilege separation. Since security isn't
	368	# available it just adds useless addtional processes.
	369	privsep_used=no
	370	fi
	371	fi
	372
	373	# Create default sshd_config from here script or modify to add the
	374	# missing privsep configuration option
3c0ef626	375
	376	if [ ! -f "${SYSCONFDIR}/sshd_config" ]
	377	then
	378	echo "Generating ${SYSCONFDIR}/sshd_config file"
	379	cat > ${SYSCONFDIR}/sshd_config << EOF
41b2f314	380	# This is the sshd server system-wide configuration file. See
	381	# sshd_config(5) for more information.
	382
6a9b3198	383	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
6a9b3198	384
41b2f314	385	# The strategy used for options in the default sshd_config shipped with
	386	# OpenSSH is to specify options with their default value where
	387	# possible, but leave them commented. Uncommented options change a
	388	# default value.
3c0ef626	389
	390	Port $port_number
	391	#Protocol 2,1
	392	#ListenAddress 0.0.0.0
	393	#ListenAddress ::
	394
	395	# HostKey for protocol version 1
41b2f314	396	#HostKey ${SYSCONFDIR}/ssh_host_key
3c0ef626	397	# HostKeys for protocol version 2
41b2f314	398	#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
41b2f314	399	#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
3c0ef626	400
6a9b3198	401	# Lifetime and size of ephemeral version 1 server key
acc3d05e	402	#KeyRegenerationInterval 1h
41b2f314	403	#ServerKeyBits 768
3c0ef626	404
3c0ef626	405	# Logging
3c0ef626	406	#obsoletes QuietMode and FascistLogging
41b2f314	407	#SyslogFacility AUTH
41b2f314	408	#LogLevel INFO
3c0ef626	409
	410	# Authentication:
	411
acc3d05e	412	#LoginGraceTime 2m
41b2f314	413	#PermitRootLogin yes
3c0ef626	414	# The following setting overrides permission checks on host key files
	415	# and directories. For security reasons set this to "yes" when running
	416	# NT/W2K, NTFS and CYGWIN=ntsec.
	417	StrictModes no
	418
41b2f314	419	#RSAAuthentication yes
41b2f314	420	#PubkeyAuthentication yes
6a9b3198	421	#AuthorizedKeysFile .ssh/authorized_keys
3c0ef626	422
41b2f314	423	# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
41b2f314	424	#RhostsRSAAuthentication no
3c0ef626	425	# similar for protocol version 2
41b2f314	426	#HostbasedAuthentication no
	427	# Change to yes if you don't trust ~/.ssh/known_hosts for
	428	# RhostsRSAAuthentication and HostbasedAuthentication
	429	#IgnoreUserKnownHosts no
acc3d05e	430	# Don't read the user's ~/.rhosts and ~/.shosts files
acc3d05e	431	#IgnoreRhosts yes
3c0ef626	432
3c0ef626	433	# To disable tunneled clear text passwords, change to no here!
41b2f314	434	#PasswordAuthentication yes
	435	#PermitEmptyPasswords no
	436
	437	# Change to no to disable s/key passwords
	438	#ChallengeResponseAuthentication yes
	439
acc3d05e	440	#AllowTcpForwarding yes
acc3d05e	441	#GatewayPorts no
41b2f314	442	#X11Forwarding no
	443	#X11DisplayOffset 10
	444	#X11UseLocalhost yes
	445	#PrintMotd yes
	446	#PrintLastLog yes
	447	#KeepAlive yes
3c0ef626	448	#UseLogin no
41b2f314	449	UsePrivilegeSeparation $privsep_used
6a9b3198	450	#PermitUserEnvironment no
41b2f314	451	#Compression yes
acc3d05e	452	#ClientAliveInterval 0
	453	#ClientAliveCountMax 3
	454	#UseDNS yes
	455	#PidFile /var/run/sshd.pid
41b2f314	456	#MaxStartups 10
acc3d05e	457
41b2f314	458	# no default banner path
41b2f314	459	#Banner /some/path
3c0ef626	460
41b2f314	461	# override default of no subsystems
3c0ef626	462	Subsystem sftp /usr/sbin/sftp-server
3c0ef626	463	EOF
41b2f314	464	elif [ "$privsep_configured" != "yes" ]
	465	then
	466	echo >> ${SYSCONFDIR}/sshd_config
	467	echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
3c0ef626	468	fi
	469
	470	# Care for services file
3c0ef626	471	if [ $_nt -gt 0 ]
	472	then
	473	_wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
	474	_wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
	475	else
	476	_wservices="${WINDIR}\\SERVICES"
	477	_wserv_tmp="${WINDIR}\\SERV.$$"
	478	fi
	479	_services=`cygpath -u "${_wservices}"`
	480	_serv_tmp=`cygpath -u "${_wserv_tmp}"`
	481
	482	mount -t -f "${_wservices}" "${_services}"
	483	mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
	484
	485	# Remove sshd 22/port from services
	486	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	487	then
	488	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	489	if [ -f "${_serv_tmp}" ]
	490	then
	491	if mv "${_serv_tmp}" "${_services}"
	492	then
	493	echo "Removing sshd from ${_services}"
	494	else
	495	echo "Removing sshd from ${_services} failed\!"
	496	fi
	497	rm -f "${_serv_tmp}"
	498	else
	499	echo "Removing sshd from ${_services} failed\!"
	500	fi
	501	fi
	502
	503	# Add ssh 22/tcp and ssh 22/udp to services
	504	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
	505	then
	506	awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
	507	if [ -f "${_serv_tmp}" ]
	508	then
	509	if mv "${_serv_tmp}" "${_services}"
	510	then
	511	echo "Added ssh to ${_services}"
	512	else
	513	echo "Adding ssh to ${_services} failed\!"
	514	fi
	515	rm -f "${_serv_tmp}"
	516	else
	517	echo "Adding ssh to ${_services} failed\!"
	518	fi
	519	fi
	520
	521	umount "${_services}"
	522	umount "${_serv_tmp}"
	523
	524	# Care for inetd.conf file
41b2f314	525	_inetcnf="${SYSCONFDIR}/inetd.conf"
41b2f314	526	_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
3c0ef626	527
	528	if [ -f "${_inetcnf}" ]
	529	then
	530	# Check if ssh service is already in use as sshd
	531	with_comment=1
	532	grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
	533	# Remove sshd line from inetd.conf
	534	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	535	then
	536	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	537	if [ -f "${_inetcnf_tmp}" ]
	538	then
	539	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	540	then
	541	echo "Removed sshd from ${_inetcnf}"
	542	else
	543	echo "Removing sshd from ${_inetcnf} failed\!"
	544	fi
	545	rm -f "${_inetcnf_tmp}"
	546	else
	547	echo "Removing sshd from ${_inetcnf} failed\!"
	548	fi
	549	fi
	550
	551	# Add ssh line to inetd.conf
	552	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	553	then
	554	if [ "${with_comment}" -eq 0 ]
	555	then
700318f3	556	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
3c0ef626	557	else
700318f3	558	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
3c0ef626	559	fi
	560	echo "Added ssh to ${_inetcnf}"
	561	fi
	562	fi
	563
3c0ef626	564	# On NT ask if sshd should be installed as service
	565	if [ $_nt -gt 0 ]
	566	then
	567	echo
	568	echo "Do you want to install sshd as service?"
	569	if request "(Say \"no\" if it's already installed as service)"
	570	then
	571	echo
	572	echo "Which value should the environment variable CYGWIN have when"
	573	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	574	echo "able to change user context without password."
	575	echo -n "Default is \"binmode ntsec tty\". CYGWIN="
	576	read _cygwin
	577	[ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
	578	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
	579	then
41b2f314	580	chown system ${SYSCONFDIR}/ssh*
3c0ef626	581	echo
	582	echo "The service has been installed under LocalSystem account."
	583	fi
	584	fi
	585	fi
	586
	587	if [ "${old_install}" = "1" ]
	588	then
	589	echo
	590	echo "Note: If you have used sshd as service or from inetd, don't forget to"
	591	echo " change the path to sshd.exe in the service entry or in inetd.conf."
	592	fi
	593
	594	echo
	595	echo "Host configuration finished. Have fun!"