5 # Adapts the installed gsi-openssh environment to the current machine,
6 # performing actions that originally occurred during the package's
7 # 'make install' phase.
9 # Send comments/fixes/suggestions to:
10 # Chase Phillips <cphillip@ncsa.uiuc.edu>
14 # Get user's GPT_LOCATION since we may be installing this using a new(er)
18 $gptpath = $ENV{GPT_LOCATION};
21 # And the old standby..
24 $gpath = $ENV{GLOBUS_LOCATION};
27 exitDie("ERROR: GLOBUS_LOCATION needs to be set before running this script!\n");
31 # Include standard modules
39 # modify the ld library path for when we call ssh executables
42 $oldldpath = $ENV{LD_LIBRARY_PATH};
43 $newldpath = "$gpath/lib";
44 if (length($oldldpath) > 0)
46 $newldpath .= ":$oldldpath";
48 $ENV{LD_LIBRARY_PATH} = "$newldpath";
51 # i'm including this because other perl scripts in the gpt setup directories
55 if (defined($gptpath))
57 @INC = (@INC, "$gptpath/lib/perl", "$gpath/lib/perl");
61 @INC = (@INC, "$gpath/lib/perl");
64 require Grid::GPT::Setup;
67 # script-centred variable initialization
70 my $globusdir = $gpath;
71 my $myname = "setup-openssh.pl";
74 # Set up path prefixes for use in the path translations
77 $prefix = ${globusdir};
78 $exec_prefix = "${prefix}";
79 $bindir = "${exec_prefix}/bin";
80 $sbindir = "${exec_prefix}/sbin";
81 $sysconfdir = "$prefix/etc/ssh";
82 $localsshdir = "/etc/ssh";
83 $setupdir = "$prefix/setup/gsi_openssh_setup";
86 # standard key types and their root file name mappings
90 "dsa" => "ssh_host_dsa_key",
91 "rsa" => "ssh_host_rsa_key",
92 "rsa1" => "ssh_host_key",
96 # argument specification. we offload some processing work from later functions
97 # to verify correct args by using anon subs in various places.
100 my($prompt, $force, $verbose);
106 'prompt!' => \$prompt,
108 'verbose' => \$verbose,
112 # miscellaneous initialization functions
115 setPrivilegeSeparation(0);
118 # main execution. This should find its way into a subroutine at some future
122 debug0("Configuring gsi_openssh\n");
123 debug0("------------------------------------------------------------\n");
124 debug0("Executing...\n");
128 $keyhash = determineKeys();
129 runKeyGen($keyhash->{gen});
130 linkKeyFiles($keyhash->{link});
133 my $metadata = new Grid::GPT::Setup(package_name => "gsi_openssh_setup");
138 debug0("Notes:\n\n");
140 if ( getPrivilegeSeparation() )
142 debug0(" o Privilege separation is on.\n");
144 elsif ( !getPrivilegeSeparation() )
146 debug0(" o Privilege separation is off.\n");
149 debug0(" o GSI-OpenSSH website is <http://grid.ncsa.uiuc.edu/ssh/>.\n");
150 debug0("------------------------------------------------------------\n");
151 debug0("Finished configuring gsi_openssh.\n");
161 # initialize the PRNG pathname hash
167 # standard prng to executable conversion names
170 addPRNGCommand("\@PROG_LS\@", "ls");
171 addPRNGCommand("\@PROG_NETSTAT\@", "netstat");
172 addPRNGCommand("\@PROG_ARP\@", "arp");
173 addPRNGCommand("\@PROG_IFCONFIG\@", "ifconfig");
174 addPRNGCommand("\@PROG_PS\@", "ps");
175 addPRNGCommand("\@PROG_JSTAT\@", "jstat");
176 addPRNGCommand("\@PROG_W\@", "w");
177 addPRNGCommand("\@PROG_WHO\@", "who");
178 addPRNGCommand("\@PROG_LAST\@", "last");
179 addPRNGCommand("\@PROG_LASTLOG\@", "lastlog");
180 addPRNGCommand("\@PROG_DF\@", "df");
181 addPRNGCommand("\@PROG_SAR\@", "sar");
182 addPRNGCommand("\@PROG_VMSTAT\@", "vmstat");
183 addPRNGCommand("\@PROG_UPTIME\@", "uptime");
184 addPRNGCommand("\@PROG_IPCS\@", "ipcs");
185 addPRNGCommand("\@PROG_TAIL\@", "tail");
187 debug1("Determining paths for PRNG commands...\n");
189 $paths = determinePRNGPaths();
194 ### getDirectoryPaths( )
196 # return an array ref containing all of the directories in which we should search
197 # for our listing of executable names.
200 sub getDirectoryPaths( )
203 # read in the PATH environmental variable and prepend a set of 'safe'
204 # directories from which to test PRNG commands.
208 $path = "/bin:/usr/bin:/sbin:/usr/sbin:/etc:" . $path;
209 @dirs = split(/:/, $path);
212 # sanitize each directory listed in the array.
218 $tmp =~ s:^\s+|\s+$::g;
225 ### addPRNGCommand( $prng_name, $exec_name )
227 # given a PRNG name and a corresponding executable name, add it to our list of
228 # PRNG commands for which to find on the system.
233 my($prng_name, $exec_name) = @_;
235 prngAddNode($prng_name, $exec_name);
240 # read in ssh_prng_cmds.in, translate the program listings to the paths we have
241 # found on the local system, and then write the output to ssh_prng_cmds.
246 my($fileInput, $fileOutput);
247 my($mode, $uid, $gid);
250 if ( isPresent("$sysconfdir/ssh_prng_cmds") && !isForced() )
252 debug1("ssh_prng_cmds found and not forced. Not installing ssh_prng_cmds...\n");
258 debug1("Fixing paths in ssh_prng_cmds...\n");
260 $fileInput = "$setupdir/ssh_prng_cmds.in";
261 $fileOutput = "$sysconfdir/ssh_prng_cmds";
264 # verify that we are prepared to work with $fileInput
267 if ( !isReadable($fileInput) )
269 debug1("Cannot read $fileInput... skipping.\n");
274 # verify that we are prepared to work with $fileOuput
277 if ( !prepareFileWrite($fileOutput) )
283 # Grab the current mode/uid/gid for use later
286 $mode = (stat($fileInput))[2];
287 $uid = (stat($fileInput))[4];
288 $gid = (stat($fileInput))[5];
291 # Open the files for reading and writing, and loop over the input's contents
294 $data = readFile($fileInput);
295 for my $k (keys %$prngcmds)
297 $sub = prngGetExecPath($k);
298 $data =~ s:$k:$sub:g;
300 writeFile($fileOutput, $data);
303 # An attempt to revert the new file back to the original file's
307 chmod($mode, $fileOutput);
308 chown($uid, $gid, $fileOutput);
313 ### determinePRNGPaths( )
315 # for every entry in the PRNG hash, seek out and find the path for the
316 # corresponding executable name.
319 sub determinePRNGPaths
322 my($exec_name, $exec_path);
324 $dirs = getDirectoryPaths();
326 for my $k (keys %$prngcmds)
328 $exec_name = prngGetExecName($k);
329 $exec_path = findExecutable($exec_name, $dirs);
330 prngSetExecPath($k, $exec_path);
336 ### prngAddNode( $prng_name, $exec_name )
338 # add a new node to the PRNG hash
343 my($prng_name, $exec_name) = @_;
346 if (!defined($prngcmds))
352 $node->{prng} = $prng_name;
353 $node->{exec} = $exec_name;
355 $prngcmds->{$prng_name} = $node;
358 ### prngGetExecName( $key )
360 # get the executable name from the prng commands hash named by $key
367 return $prngcmds->{$key}->{exec};
370 ### prngGetExecPath( $key )
372 # get the executable path from the prng commands hash named by $key
379 return $prngcmds->{$key}->{exec_path};
382 ### prngGetNode( $key )
384 # return a reference to the node named by $key
391 return ${$prngcmds}{$key};
394 ### prngSetExecPath( $key, $path )
396 # given a key, set the executable path in that node to $path
401 my($key, $path) = @_;
403 $prngcmds->{$key}->{exec_path} = $path;
406 ### findExecutable( $exec_name, $dirs )
408 # given an executable name, test each possible path in $dirs to see if such
409 # an executable exists.
414 my($exec_name, $dirs) = @_;
418 $test = "$d/$exec_name";
420 if ( isExecutable($test) )
429 ### linkKeyFiles( $linklist )
431 # given an array of keys to link, link both the key and its public variant into
432 # the gsi-openssh configuration directory.
438 my($regex, $basename);
442 debug1("Linking ssh host keys...\n");
444 for my $f (@$linklist)
451 $pubkeyfile = "$f.pub";
453 linkFile("$localsshdir/$keyfile", "$sysconfdir/$keyfile");
454 linkFile("$localsshdir/$pubkeyfile", "$sysconfdir/$pubkeyfile");
462 # return true if the user passed in the force flag. return false otherwise.
467 if ( defined($force) && $force )
477 ### isReadable( $file )
479 # given a file, return true if that file both exists and is readable by the
480 # effective user id. return false otherwise.
487 if ( ( -e $file ) && ( -r $file ) )
497 ### isExecutable( $file )
499 # return true if $file is executable. return false otherwise.
516 ### isWritable( $file )
518 # given a file, return true if that file does not exist or is writable by the
519 # effective user id. return false otherwise.
526 if ( ( ! -e $file ) || ( -w $file ) )
536 ### isPresent( $file )
538 # given a file, return true if that file exists. return false otherwise.
557 # make the gsi-openssh configuration directory if it doesn't already exist.
562 if ( isPresent($sysconfdir) )
564 if ( -d $sysconfdir )
569 debug1("${sysconfdir} already exists and is not a directory!\n");
573 debug1("Could not find ${sysconfdir} directory... creating.\n");
574 action("mkdir -p $sysconfdir");
581 # based on a set of key types, triage them to determine if for each key type, that
582 # key type should be copied from the main ssh configuration directory, or if it
583 # should be generated using ssh-keygen.
588 my($keyhash, $keylist);
592 # initialize our variables
598 $keyhash->{gen} = []; # a list of keytypes to generate
599 $keyhash->{link} = []; # a list of files to link
601 $genlist = $keyhash->{gen};
602 $linklist = $keyhash->{link};
605 # loop over our keytypes and determine what we need to do for each of them
608 for my $keytype (keys %$keyfiles)
610 $basekeyfile = $keyfiles->{$keytype};
613 # if the key's are already present, we don't need to bother with this rigamarole
616 $gkeyfile = "$sysconfdir/$basekeyfile";
617 $gpubkeyfile = "$sysconfdir/$basekeyfile.pub";
619 if ( isPresent($gkeyfile) && isPresent($gpubkeyfile) )
623 if ( isWritable("$sysconfdir/$basekeyfile") && isWritable("$sysconfdir/$basekeyfile.pub") )
625 action("rm $sysconfdir/$basekeyfile");
626 action("rm $sysconfdir/$basekeyfile.pub");
636 # if we can find a copy of the keys in /etc/ssh, we'll link them to the user's
640 $mainkeyfile = "$localsshdir/$basekeyfile";
641 $mainpubkeyfile = "$localsshdir/$basekeyfile.pub";
643 if ( isReadable($mainkeyfile) && isReadable($mainpubkeyfile) )
645 push(@$linklist, $basekeyfile);
651 # otherwise, we need to generate the key
654 push(@$genlist, $keytype);
661 ### runKeyGen( $gen_keys )
663 # given a set of key types, generate private and public keys for that key type and
664 # place them in the gsi-openssh configuration directory.
670 my $keygen = "$bindir/ssh-keygen";
672 if (@$gen_keys && -x $keygen)
674 debug1("Generating ssh host keys...\n");
676 for my $k (@$gen_keys)
678 $keyfile = $keyfiles->{$k};
680 if ( !isPresent("$sysconfdir/$keyfile") )
682 action("$bindir/ssh-keygen -t $k -f $sysconfdir/$keyfile -N \"\"");
690 ### copySSHDConfigFile( )
692 # this subroutine 'edits' the paths in sshd_config to suit them to the current environment
693 # in which the setup script is being run.
696 sub copySSHDConfigFile
698 my($fileInput, $fileOutput);
699 my($mode, $uid, $gid);
701 my($privsep_enabled);
703 debug1("Fixing paths in sshd_config...\n");
705 $fileInput = "$setupdir/sshd_config.in";
706 $fileOutput = "$sysconfdir/sshd_config";
709 # verify that we are prepared to work with $fileInput
712 if ( !isReadable($fileInput) )
714 debug1("Cannot read $fileInput... skipping.\n");
719 # verify that we are prepared to work with $fileOuput
722 if ( !prepareFileWrite($fileOutput) )
728 # check to see whether we should enable privilege separation
731 if ( userExists("sshd") && ( -d "/var/empty" ) && ( getOwnerID("/var/empty") eq 0 ) )
733 setPrivilegeSeparation(1);
737 setPrivilegeSeparation(0);
740 if ( getPrivilegeSeparation() )
742 $privsep_enabled = "yes";
746 $privsep_enabled = "no";
750 # Grab the current mode/uid/gid for use later
753 $mode = (stat($fileInput))[2];
754 $uid = (stat($fileInput))[4];
755 $gid = (stat($fileInput))[5];
758 # Open the files for reading and writing, and loop over the input's contents
761 $data = readFile($fileInput);
764 # # alter the PidFile config
767 # $text = "PidFile\t$gpath/var/sshd.pid";
768 # $data =~ s:^[\s|#]*PidFile.*$:$text:gm;
771 # set the sftp directive
774 $text = "Subsystem\tsftp\t$gpath/libexec/sftp-server";
775 $data =~ s:^[\s|#]*Subsystem\s+sftp\s+.*$:$text:gm;
778 # set the privilege separation directive
781 $text = "UsePrivilegeSeparation\t${privsep_enabled}";
782 $data =~ s:^[\s|#]*UsePrivilegeSeparation.*$:$text:gm;
785 # dump the modified output to the config file
788 writeFile($fileOutput, $data);
791 # An attempt to revert the new file back to the original file's
795 chmod($mode, $fileOutput);
796 chown($uid, $gid, $fileOutput);
801 ### setPrivilegeSeparation( $value )
803 # set the privilege separation variable to $value
806 sub setPrivilegeSeparation
813 ### getPrivilegeSeparation( )
815 # return the value of the privilege separation variable
818 sub getPrivilegeSeparation
823 ### prepareFileWrite( $file )
825 # test $file to prepare for writing to it.
832 if ( isPresent($file) )
834 debug1("$file already exists... ");
838 if ( isWritable($file) )
840 debug1("removing.\n");
846 debug1("not writable -- skipping.\n");
852 debug1("skipping.\n");
860 ### copyConfigFiles( )
862 # subroutine that copies some extra config files to their proper location in
863 # $GLOBUS_LOCATION/etc/ssh.
869 # copy the sshd_config file into the ssh configuration directory and alter
870 # the paths in the file.
873 copySSHDConfigFile();
876 # do straight copies of the ssh_config and moduli files.
879 debug1("Copying ssh_config and moduli to their proper location...\n");
881 copyFile("$setupdir/ssh_config", "$sysconfdir/ssh_config");
882 copyFile("$setupdir/moduli", "$sysconfdir/moduli");
885 # copy and alter the SXXsshd script.
888 copySXXScript("$setupdir/SXXsshd.in", "$sbindir/SXXsshd");
891 ### linkFile( $src, $dest )
893 # create a symbolic link from $src to $dest.
898 my($src, $dest) = @_;
900 if ( !isReadable($src) )
902 debug1("$src is not readable... not creating $dest.\n");
906 if ( !prepareFileWrite($dest) )
911 action("ln -s $src $dest");
914 ### copyFile( $src, $dest )
916 # copy the file pointed to by $src to the location specified by $dest. in the
917 # process observe the rules regarding when the '-force' flag was passed to us.
922 my($src, $dest) = @_;
924 if ( !isReadable($src) )
926 debug1("$src is not readable... not creating $dest.\n");
930 if ( !prepareFileWrite($dest) )
935 action("cp $src $dest");
938 ### copySXXScript( $in, $out )
940 # parse the input file, substituting in place the value of GLOBUS_LOCATION, and
941 # write the result to the output file.
949 if ( !isReadable($in) )
951 debug1("$in is not readable... not creating $out.\n");
955 if ( !prepareFileWrite($out) )
961 # clean up any junk in the globus path variable
965 $tmpgpath =~ s:/+:/:g;
966 $tmpgpath =~ s:([^/]+)/$:\1:g;
969 # read in the script, substitute globus location, then write it back out
972 $data = readFile($in);
973 $data =~ s|\@GLOBUS_LOCATION\@|$tmpgpath|g;
974 writeFile($out, $data);
975 action("chmod 755 $out");
978 ### readFile( $filename )
980 # reads and returns $filename's contents
988 open(IN, "$filename") || exitDie("ERROR: Can't open '$filename': $!\n");
997 ### writeFile( $filename, $fileinput )
999 # create the inputs to the ssl program at $filename, appending the common name to the
1000 # stream in the process
1005 my($filename, $fileinput) = @_;
1008 # test for a valid $filename
1011 if ( !defined($filename) || (length($filename) lt 1) )
1013 exitDie("ERROR: Filename is undefined!\n");
1017 # verify that we are prepared to work with $filename
1020 if ( !prepareFileWrite($filename) )
1026 # write the output to $filename
1029 open(OUT, ">$filename");
1030 print OUT "$fileinput";
1034 ### debug1( $arg1, $arg2 )
1036 # Print out a debugging message at level 1.
1041 debug(string => \@_, level => 1);
1044 ### debug0( $arg1, $arg2 )
1046 # Print out a debugging message at level 0.
1051 debug(string => \@_, level => 0);
1054 ### debug( string => $string, level => $level )
1056 # Print out debugging messages at various levels. Feel free to use debugN() directly
1057 # which in turn calls this subroutine.
1064 if (!defined($args{'level'}))
1069 if ($verbose >= $args{'level'})
1071 printf(@{$args{'string'}});
1075 ### action( $command )
1077 # run $command within a proper system() command.
1084 debug1("$command\n");
1086 my $result = system("LD_LIBRARY_PATH=\"$gpath/lib:\$LD_LIBRARY_PATH\"; $command >/dev/null 2>&1");
1088 if (($result or $?) and $command !~ m!patch!)
1090 exitDie("ERROR: Unable to execute command: $!\n");
1094 ### exitDie( $error )
1096 # a horribly named method meant to look like die but only exit, thereby not causing
1097 # gpt-postinstall to croak.
1108 ### query_boolean( $query_text, $default )
1110 # query the user with a string, and expect a response. If the user hits
1111 # 'enter' instead of entering an input, then accept the default response.
1116 my($query_text, $default) = @_;
1117 my($nondefault, $foo, $bar);
1121 print "Prompt suppressed. Continuing...\n";
1126 # Set $nondefault to the boolean opposite of $default.
1129 if ($default eq "n")
1138 print "${query_text} ";
1139 print "[$default] ";
1142 ($bar) = split //, $foo;
1144 if ( grep(/\s/, $bar) )
1146 # this is debatable. all whitespace means 'default'
1154 elsif ($bar ne $default)
1156 # everything else means 'nondefault'.
1162 # extraneous step. to get here, $bar should be eq to $default anyway.
1170 ### absolutePath( $file )
1172 # converts a given pathname into a canonical path using the abs_path function.
1178 my $home = $ENV{'HOME'};
1179 $file =~ s!~!$home!;
1181 $file =~ s!^\./!$startd/!;
1182 $file = "$startd/$file" if $file !~ m!^\s*/!;
1183 $file = abs_path($file);
1187 ### getOwnerID( $file )
1189 # return the uid containing the owner ID of the given file.
1198 # call stat() to get the mode of the file
1201 $uid = (stat($file))[4];
1206 ### getMode( $file )
1208 # return a string containing the mode of the given file.
1214 my($tempmode, $mode);
1217 # call stat() to get the mode of the file
1220 $tempmode = (stat($file))[2];
1221 if (length($tempmode) < 1)
1227 # call sprintf to format the mode into a UNIX-like string
1230 $mode = sprintf("%04o", $tempmode & 07777);
1235 ### userExists( $username )
1237 # given a username, return true if the user exists on the system. return false
1247 # retrieve the userid of the user with the given username
1250 $uid = getpwnam($username);
1253 # return true if $uid is defined and has a length greater than 0
1256 if ( defined($uid) and (length($uid) > 0) )