3 # ssh-host-config, Copyright 2000, Red Hat Inc.
5 # This file is part of the Cygwin port of OpenSSH.
7 # Subdirectory where the new package is being installed
10 # Directory where the config files are stored
13 # Subdirectory where an old package might be installed
# Config directory of a previous installation (host keys, ssh_config, sshd_config);
# used by the migration/cleanup branch below.
15 OLDSYSCONFDIR=${OLDPREFIX}/etc
# request(): yes/no prompt helper. ${auto_answer} (set by --yes / --no, see the
# usage text) bypasses the prompt. The function header and the "read" that
# fills ${answer} are not among the visible lines.
28 if [ "${auto_answer}" = "yes" ]
31 elif [ "${auto_answer}" = "no" ]
# Re-prompt until exactly "yes" or "no" is entered. The "X" prefix keeps the
# test well-formed when ${answer} is empty; "-a" is the deprecated [ ] form
# of "&&" (shellcheck would prefer [ a ] && [ b ]).
37 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
# "echo -n" is not portable across /bin/sh implementations; printf '%s' would be.
39 echo -n "$1 (yes/no) "
# Exit status of request(): 0 for "yes", non-zero otherwise, so callers can
# write "if request '...'".
42 if [ "X${answer}" = "Xyes" ]
# usage(): print the option summary. The exit after printing is not visible here.
82 echo "usage: ${progname} [OPTION]..."
84 echo "This script creates an OpenSSH host configuration."
87 echo " --debug -d Enable shell's debug output."
88 echo " --yes -y Answer all questions with \"yes\" automatically."
89 echo " --no -n Answer all questions with \"no\" automatically."
90 echo " --port -p <n> sshd listens on port n."
98 # Check if running on NT
# expr prints the length of the matched prefix: non-zero on CYGWIN_NT*, 0
# otherwise. ${_sys} is presumably `uname -s` output, assigned outside the
# visible lines; the NT-only steps below test ${_nt}.
100 _nt=`expr "$_sys" : "CYGWIN_NT"`
102 # Check for running ssh/sshd processes first. Refuse to do anything while
103 # some ssh processes are still running
# NOTE(review): this is a substring match over every line of "ps -ef", so any
# process whose listing contains "ssh" (ssh-agent, ssh-add, ...) triggers the
# refusal, not only sshd. Matching the executable name exactly would be more
# precise — confirm the Cygwin ps output format before tightening.
105 if ps -ef | grep -v grep | grep -q ssh
108 echo "There are still ssh processes running. Please shut them down first."
113 # Check for ${SYSCONFDIR} directory
# Abort if the path exists but is not a directory (file, symlink to a file, ...).
115 if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
118 echo "${SYSCONFDIR} is existant but not a directory."
119 echo "Cannot create global configuration files."
124 # Create it if necessary
126 if [ ! -e "${SYSCONFDIR}" ]
# mkdir's exit status is ignored; success is verified by re-testing existence.
128 mkdir "${SYSCONFDIR}"
129 if [ ! -e "${SYSCONFDIR}" ]
132 echo "Creating ${SYSCONFDIR} directory failed"
138 # Create /var/log and /var/log/lastlog if not already existing
# The backslash before "!" is kept inside double quotes, so this prints a
# literal "failed\!" (same for the other "failed\!" messages below).
142 echo "Creating /var/log failed\!"
# lastlog must be a regular file; an existing directory of that name is an error.
148 if [ -d /var/log/lastlog ]
150 echo "Creating /var/log/lastlog failed\!"
151 elif [ ! -f /var/log/lastlog ]
# Create an empty lastlog (": > /var/log/lastlog" is the usual idiom).
153 cat /dev/null > /var/log/lastlog
157 # Create /var/empty file used as chroot jail for privilege separation
160 echo "Creating /var/empty failed\!"
163 # On NT change ownership of that dir to user "system"
# "user.group" form of chown; gives the chroot directory to the account the
# sshd service runs under (installed as LocalSystem further below).
167 chown system.system /var/empty
171 # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
172 # the same as ${PREFIX}
# This comparison is the only guard for the rm -f list below: with
# OLDPREFIX == PREFIX nothing in this branch runs.
175 if [ "${OLDPREFIX}" != "${PREFIX}" ]
177 if [ -f "${OLDPREFIX}/sbin/sshd" ]
180 echo "You seem to have an older installation in ${OLDPREFIX}."
182 # Check if old global configuration files exist
183 if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
185 if request "Do you want to copy your config files to your new installation?"
# The private host keys are copied as well. cp -f without -p does not keep
# ownership/timestamps and the mode is subject to the umask — NOTE(review):
# confirm the copied private keys stay readable by the owner only. The
# expansions are unquoted, so paths with whitespace would split.
187 cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
188 cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
189 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
190 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
191 cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
192 cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
195 if request "Do you want to erase your old installation?"
# Explicit file list rather than "rm -rf" of the prefix. There is no
# "${OLDPREFIX:?}" guard against an empty value; the OLDPREFIX != PREFIX
# test above and the sbin/sshd check are what keep this off a live install.
# The key list mirrors the copy list above (ssh_host_rsa_key is in neither).
197 rm -f ${OLDPREFIX}/bin/ssh.exe
198 rm -f ${OLDPREFIX}/bin/ssh-config
199 rm -f ${OLDPREFIX}/bin/scp.exe
200 rm -f ${OLDPREFIX}/bin/ssh-add.exe
201 rm -f ${OLDPREFIX}/bin/ssh-agent.exe
202 rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
203 rm -f ${OLDPREFIX}/bin/slogin
204 rm -f ${OLDSYSCONFDIR}/ssh_host_key
205 rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
206 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
207 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
208 rm -f ${OLDSYSCONFDIR}/ssh_config
209 rm -f ${OLDSYSCONFDIR}/sshd_config
210 rm -f ${OLDPREFIX}/man/man1/ssh.1
211 rm -f ${OLDPREFIX}/man/man1/scp.1
212 rm -f ${OLDPREFIX}/man/man1/ssh-add.1
213 rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
214 rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
215 rm -f ${OLDPREFIX}/man/man1/slogin.1
216 rm -f ${OLDPREFIX}/man/man8/sshd.8
217 rm -f ${OLDPREFIX}/sbin/sshd.exe
218 rm -f ${OLDPREFIX}/sbin/sftp-server.exe
224 # First generate host keys if not already existing
# Existing keys are never regenerated, so a migrated key from the copy step
# above is kept. "-N ''" gives an unencrypted key (sshd loads host keys
# without interaction). "rsa1" is the protocol-1 key referenced as
# "HostKey for protocol version 1" in the sshd_config template below.
226 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
228 echo "Generating ${SYSCONFDIR}/ssh_host_key"
229 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
232 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
234 echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
235 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
238 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
240 echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
241 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
244 # Check if ssh_config exists. If yes, ask for overwriting
246 if [ -f "${SYSCONFDIR}/ssh_config" ]
248 if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
# rm -f's status is not checked; a still-present file afterwards is reported
# as write protected and the generation step below is skipped.
250 rm -f "${SYSCONFDIR}/ssh_config"
251 if [ -f "${SYSCONFDIR}/ssh_config" ]
253 echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
258 # Create default ssh_config from here script
260 if [ ! -f "${SYSCONFDIR}/ssh_config" ]
262 echo "Generating ${SYSCONFDIR}/ssh_config file"
# Unquoted EOF delimiter: $... and `...` inside the here-document are expanded
# by the shell. Everything from here to the (not visible) EOF line is the
# content of ssh_config, not shell comments.
263 cat > ${SYSCONFDIR}/ssh_config << EOF
264 # This is the ssh client system-wide configuration file. See
265 # ssh_config(5) for more information. This file provides defaults for
266 # users, and the values can be changed in per-user configuration files
267 # or on the command line.
269 # Configuration data is parsed as follows:
270 # 1. command line options
271 # 2. user-specific file
272 # 3. system-wide file
273 # Any configuration value is only changed the first time it is set.
274 # Thus, host-specific definitions should be at the beginning of the
275 # configuration file, and defaults at the end.
277 # Site-wide defaults for various options
282 # RhostsAuthentication no
283 # RhostsRSAAuthentication no
284 # RSAAuthentication yes
285 # PasswordAuthentication yes
288 # StrictHostKeyChecking ask
289 # IdentityFile ~/.ssh/identity
290 # IdentityFile ~/.ssh/id_dsa
291 # IdentityFile ~/.ssh/id_rsa
295 # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# Non-default port (from --port, presumably): add a "Host localhost" stanza
# so the local client reaches this sshd; other hosts are unaffected.
298 if [ "$port_number" != "22" ]
300 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
301 echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
305 # Check if sshd_config exists. If yes, ask for overwriting
307 if [ -f "${SYSCONFDIR}/sshd_config" ]
309 if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
311 rm -f "${SYSCONFDIR}/sshd_config"
312 if [ -f "${SYSCONFDIR}/sshd_config" ]
314 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
# NOTE(review): the pattern is unanchored, so a commented-out
# "#UsePrivilegeSeparation ..." line also sets privsep_configured=yes and the
# append step further below is skipped, leaving the option unset. An anchored
# pattern such as '^[ \t]*UsePrivilegeSeparation' would only match an active
# setting.
317 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
321 # Prior to creating or modifying sshd_config, care for privilege separation
323 if [ "$privsep_configured" != "yes" ]
327 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
328 echo "However, this requires a non-privileged account called 'sshd'."
329 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
331 if request "Shall privilege separation be used?"
# The 'sshd' account must exist twice: in Cygwin's passwd (anchored grep) and
# in the Windows SAM ("net user" exit status; output discarded).
334 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
335 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
336 if [ "$sshd_in_passwd" != "yes" ]
338 if [ "$sshd_in_sam" != "yes" ]
340 echo "Warning: The following function requires administrator privileges!"
341 if request "Shall this script create a local user 'sshd' on this machine?"
# Home directory is the chroot jail created above, in Windows path form.
# The account is created disabled (/active:no); success is taken from the
# exit status only.
343 dos_var_empty=`cygpath -w /var/empty`
344 net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
345 if [ "$sshd_in_sam" != "yes" ]
347 echo "Warning: Creating the user 'sshd' failed!"
# No SAM account -> no passwd entry; privsep is switched back off (the
# assignment of $privsep_used is not among the visible lines).
351 if [ "$sshd_in_sam" != "yes" ]
353 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
354 echo " Privilege separation set to 'no' again!"
355 echo " Check your ${SYSCONFDIR}/sshd_config file!"
# Append the passwd entry with a non-login shell: the trailing "bash" of the
# mkpasswd line is rewritten to "false" (assumes mkpasswd's entry ends in
# "bash"; otherwise the shell is left as generated).
358 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
365 # On 9x don't use privilege separation. Since security isn't
366 # available it just adds useless additional processes.
371 # Create default sshd_config from here script or modify to add the
372 # missing privsep configuration option
374 if [ ! -f "${SYSCONFDIR}/sshd_config" ]
376 echo "Generating ${SYSCONFDIR}/sshd_config file"
# Unquoted EOF delimiter on purpose: ${SYSCONFDIR} in the HostKey lines and
# $privsep_used in the UsePrivilegeSeparation line are expanded into the
# generated file. Lines up to the (not visible) EOF are file content.
377 cat > ${SYSCONFDIR}/sshd_config << EOF
378 # This is the sshd server system-wide configuration file. See
379 # sshd_config(5) for more information.
381 # The strategy used for options in the default sshd_config shipped with
382 # OpenSSH is to specify options with their default value where
383 # possible, but leave them commented. Uncommented options change a
388 #ListenAddress 0.0.0.0
391 # HostKey for protocol version 1
392 #HostKey ${SYSCONFDIR}/ssh_host_key
393 # HostKeys for protocol version 2
394 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
395 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
397 # Lifetime and size of ephemeral version 1 server ke
398 #KeyRegenerationInterval 3600
402 #obsoletes QuietMode and FascistLogging
410 # The following setting overrides permission checks on host key files
411 # and directories. For security reasons set this to "yes" when running
412 # NT/W2K, NTFS and CYGWIN=ntsec.
415 #RSAAuthentication yes
416 #PubkeyAuthentication yes
417 #AuthorizedKeysFile %h/.ssh/authorized_keys
419 # rhosts authentication should not be used
420 #RhostsAuthentication no
421 # Don't read ~/.rhosts and ~/.shosts files
423 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
424 #RhostsRSAAuthentication no
425 # similar for protocol version 2
426 #HostbasedAuthentication no
427 # Change to yes if you don't trust ~/.ssh/known_hosts for
428 # RhostsRSAAuthentication and HostbasedAuthentication
429 #IgnoreUserKnownHosts no
431 # To disable tunneled clear text passwords, change to no here!
432 #PasswordAuthentication yes
433 #PermitEmptyPasswords no
435 # Change to no to disable s/key passwords
436 #ChallengeResponseAuthentication yes
445 UsePrivilegeSeparation $privsep_used
449 # no default banner path
451 #VerifyReverseMapping no
453 # override default of no subsystems
454 Subsystem sftp /usr/sbin/sftp-server
# Existing sshd_config without the option: append it (depends on the
# unanchored grep above — a commented-out setting never reaches this branch).
456 elif [ "$privsep_configured" != "yes" ]
458 echo >> ${SYSCONFDIR}/sshd_config
459 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
462 # Care for services file
# Windows path of the services file and of a scratch copy next to it (NT
# layout first, 9x layout second). NOTE(review): the scratch name is
# PID-based rather than mktemp-generated, and there is no "${SYSTEMROOT:?}"
# guard against an unset variable.
465 _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
466 _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
468 _wservices="${WINDIR}\\SERVICES"
469 _wserv_tmp="${WINDIR}\\SERV.$$"
# POSIX views of both paths; mounted for the duration of the edit and
# unmounted again below.
471 _services=`cygpath -u "${_wservices}"`
472 _serv_tmp=`cygpath -u "${_wserv_tmp}"`
474 mount -t -f "${_wservices}" "${_services}"
475 mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
477 # Remove sshd 22/port from services
# `grep -q ...; echo $?` inside [ ] is a roundabout "if grep -q ...". The
# filtered copy is written to the scratch file and moved over the original;
# both the missing copy and a failed mv are reported.
478 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
480 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
481 if [ -f "${_serv_tmp}" ]
483 if mv "${_serv_tmp}" "${_services}"
# Success message (the inetd.conf branch below says "Removed ...").
485 echo "Removing sshd from ${_services}"
487 echo "Removing sshd from ${_services} failed\!"
491 echo "Removing sshd from ${_services} failed\!"
495 # Add ssh 22/tcp and ssh 22/udp to services
496 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
# The two ssh lines are inserted in front of the line whose second field is
# 23/tcp (telnet). NOTE(review): if no such line exists, the copy is written
# without any ssh entry, yet the mv succeeds and "Added ssh" is still
# printed; a grep on the result before the mv would catch that.
498 awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
499 if [ -f "${_serv_tmp}" ]
501 if mv "${_serv_tmp}" "${_services}"
503 echo "Added ssh to ${_services}"
505 echo "Adding ssh to ${_services} failed\!"
509 echo "Adding ssh to ${_services} failed\!"
513 umount "${_services}"
514 umount "${_serv_tmp}"
516 # Care for inetd.conf file
# Scratch copy again uses a PID suffix; it is explicitly removed on mv failure.
517 _inetcnf="${SYSCONFDIR}/inetd.conf"
518 _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
520 if [ -f "${_inetcnf}" ]
522 # Check if ssh service is already in use as sshd
# An active (uncommented) sshd line means the new ssh line is written active
# too; otherwise it is written commented out. The default value of
# ${with_comment} is set outside the visible lines (presumably 1).
524 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
525 # Remove sshd line from inetd.conf
# This pattern also matches commented-out sshd lines. ">>" appends to the
# scratch file where the services branch used ">"; with a fresh PID-based
# name this amounts to the same thing.
526 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
528 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
529 if [ -f "${_inetcnf_tmp}" ]
531 if mv "${_inetcnf_tmp}" "${_inetcnf}"
533 echo "Removed sshd from ${_inetcnf}"
535 echo "Removing sshd from ${_inetcnf} failed\!"
537 rm -f "${_inetcnf_tmp}"
539 echo "Removing sshd from ${_inetcnf} failed\!"
543 # Add ssh line to inetd.conf
# Any line beginning with "ssh" (commented or not) counts as already present.
544 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
546 if [ "${with_comment}" -eq 0 ]
# inetd entry: sshd started as root in inetd mode ("-i").
548 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
550 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
552 echo "Added ssh to ${_inetcnf}"
556 # On NT ask if sshd should be installed as service
560 echo "Do you want to install sshd as service?"
561 if request "(Say \"no\" if it's already installed as service)"
# The CYGWIN value is read from the user (the read is not visible here) and
# stored in the service's environment via -e; empty input falls back to the
# default named in the prompt.
564 echo "Which value should the environment variable CYGWIN have when"
565 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
566 echo "able to change user context without password."
567 echo -n "Default is \"binmode ntsec tty\". CYGWIN="
569 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
# Install the service; "-a -D" presumably hands the -D (don't detach) flag to sshd.
570 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
# Glob is intentionally unquoted: host keys and config files become owned by
# the account the service runs under (LocalSystem, see the message below).
572 chown system ${SYSCONFDIR}/ssh*
574 echo "The service has been installed under LocalSystem account."
# ${old_install} is presumably set in the old-installation branch above
# (assignment not visible).
579 if [ "${old_install}" = "1" ]
582 echo "Note: If you have used sshd as service or from inetd, don't forget to"
583 echo " change the path to sshd.exe in the service entry or in inetd.conf."
587 echo "Host configuration finished. Have fun!"