5 # Adapts the installed gsi-openssh environment to the current machine,
6 # performing actions that originally occurred during the package's
7 # 'make install' phase.
9 # Send comments/fixes/suggestions to:
10 # Chase Phillips <cphillip@ncsa.uiuc.edu>
14 # Get user's GPT_LOCATION since we may be installing this using a new(er)
18 $gptpath = $ENV{GPT_LOCATION};
21 # And the old standby..
24 $gpath = $ENV{GLOBUS_LOCATION};
27 die "GLOBUS_LOCATION needs to be set before running this script"
31 # Include standard modules
39 # modify the ld library path for when we call ssh executables
42 $oldldpath = $ENV{LD_LIBRARY_PATH};
43 $newldpath = "$gpath/lib";
44 if (length($oldldpath) > 0)
46 $newldpath .= ":$oldldpath";
48 $ENV{LD_LIBRARY_PATH} = "$newldpath";
51 # i'm including this because other perl scripts in the gpt setup directories
55 if (defined($gptpath))
57 @INC = (@INC, "$gptpath/lib/perl", "$gpath/lib/perl");
61 @INC = (@INC, "$gpath/lib/perl");
64 require Grid::GPT::Setup;
67 # script-centred variable initialization
70 my $globusdir = $gpath;
71 my $myname = "setup-openssh.pl";
74 # Set up path prefixes for use in the path translations
77 $prefix = ${globusdir};
78 $exec_prefix = "${prefix}";
79 $bindir = "${exec_prefix}/bin";
80 $sbindir = "${exec_prefix}/sbin";
81 $sysconfdir = "$prefix/etc/ssh";
82 $localsshdir = "/etc/ssh";
83 $setupdir = "$prefix/setup/gsi_openssh_setup";
86 # standard key types and their root file name mappings
90 "dsa" => "ssh_host_dsa_key",
91 "rsa" => "ssh_host_rsa_key",
92 "rsa1" => "ssh_host_key",
96 # argument specification. we offload some processing work from later functions
97 # to verify correct args by using anon subs in various places.
100 my($interactive, $force, $verbose);
103 'interactive!' => \$interactive,
105 'verbose' => \$verbose,
109 # main execution. This should find its way into a subroutine at some future
113 print "$myname: Configuring package 'gsi_openssh'...\n";
114 print "---------------------------------------------------------------------\n";
115 print "Hi, I'm the setup script for the gsi_openssh package! I will create\n";
116 print "a number of configuration files based on your local system setup. I\n";
117 print "will also attempt to copy or create a number of SSH key pairs for\n";
118 print "this machine. (Loosely, if I find a pair of host keys in /etc/ssh,\n";
119 print "I will copy them into \$GLOBUS_LOCATION/etc/ssh. Otherwise, I will\n";
120 print "generate them for you.)\n";
122 print " Jacobim Mugatu says,\n";
123 print " \"Utopian Prime Minister Bad! GSI-OpenSSH Good!\"\n";
130 print " Using the '-force' flag will cause all gsi_openssh_setup files to\n";
131 print " be removed and replaced by new versions! Backup any critical\n";
132 print " SSH configuration files before you choose to continue!\n";
136 $response = query_boolean("Do you wish to continue with the setup package?","y");
137 if ($response eq "n")
140 print "Exiting gsi_openssh setup.\n";
149 $keyhash = determineKeys();
150 runKeyGen($keyhash->{gen});
151 copyKeyFiles($keyhash->{copy});
154 my $metadata = new Grid::GPT::Setup(package_name => "gsi_openssh_setup");
159 print "Additional Notes:\n";
161 print " o I see that you have your GLOBUS_LOCATION environmental variable\n";
164 print " \"$gpath\"\n";
166 print " Remember to keep this variable set (correctly) when you want to\n";
167 print " use the executables that came with this package.\n";
169 print " After that you may execute, for example:\n";
171 print " \$ . \$GLOBUS_LOCATION/etc/globus-user-env.sh\n";
173 print " to prepare your environment for running the gsi_openssh\n";
174 print " executables.\n";
176 if ( !getPrivilegeSeparation() )
179 print " o For System Administrators:\n";
181 print " If you are going to run the GSI-OpenSSH server, we recommend\n";
182 print " enabling privilege separation. Although this package supports\n";
183 print " this feature, your system appears to require some additional\n";
184 print " configuration.\n";
186 print " From the file README.privsep, included as a part of the OpenSSH\n";
187 print " distribution:\n";
189 print " When privsep is enabled, during the pre-authentication\n";
190 print " phase sshd will chroot(2) to \"/var/empty\" and change its\n";
191 print " privileges to the \"sshd\" user and its primary group. sshd\n";
192 print " is a pseudo-account that should not be used by other\n";
193 print " daemons, and must be locked and should contain a \"nologin\"\n";
194 print " or invalid shell.\n";
196 print " You should do something like the following to prepare the\n";
197 print " privsep preauth environment:\n";
199 print " \# mkdir /var/empty\n";
200 print " \# chown root:sys /var/empty\n";
201 print " \# chmod 755 /var/empty\n";
202 print " \# groupadd sshd\n";
203 print " \# useradd -g sshd -c 'sshd privsep' -d /var/empty \\\n";
204 print " -s /bin/false sshd\n";
206 print " /var/empty should not contain any files.\n";
210 print " o For more information about GSI-Enabled OpenSSH, visit:\n";
211 print " <http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/>\n";
214 # give the user a chance to read all of this output
218 print "Press <return> to continue... ";
221 print "---------------------------------------------------------------------\n";
222 print "$myname: Finished configuring package 'gsi_openssh'.\n";
232 # initialize the PRNG pathname hash
238 # standard prng to executable conversion names
241 addPRNGCommand("\@PROG_LS\@", "ls");
242 addPRNGCommand("\@PROG_NETSTAT\@", "netstat");
243 addPRNGCommand("\@PROG_ARP\@", "arp");
244 addPRNGCommand("\@PROG_IFCONFIG\@", "ifconfig");
245 addPRNGCommand("\@PROG_PS\@", "ps");
246 addPRNGCommand("\@PROG_JSTAT\@", "jstat");
247 addPRNGCommand("\@PROG_W\@", "w");
248 addPRNGCommand("\@PROG_WHO\@", "who");
249 addPRNGCommand("\@PROG_LAST\@", "last");
250 addPRNGCommand("\@PROG_LASTLOG\@", "lastlog");
251 addPRNGCommand("\@PROG_DF\@", "df");
252 addPRNGCommand("\@PROG_SAR\@", "sar");
253 addPRNGCommand("\@PROG_VMSTAT\@", "vmstat");
254 addPRNGCommand("\@PROG_UPTIME\@", "uptime");
255 addPRNGCommand("\@PROG_IPCS\@", "ipcs");
256 addPRNGCommand("\@PROG_TAIL\@", "tail");
258 print "Determining paths for PRNG commands...\n";
260 $paths = determinePRNGPaths();
265 ### getDirectoryPaths( )
267 # return an array ref containing all of the directories in which we should search
268 # for our listing of executable names.
271 sub getDirectoryPaths( )
274 # read in the PATH environmental variable and prepend a set of 'safe'
275 # directories from which to test PRNG commands.
279 $path = "/bin:/usr/bin:/sbin:/usr/sbin:/etc:" . $path;
280 @dirs = split(/:/, $path);
283 # sanitize each directory listed in the array.
289 $tmp =~ s:^\s+|\s+$::g;
296 ### addPRNGCommand( $prng_name, $exec_name )
298 # given a PRNG name and a corresponding executable name, add it to our list of
299 # PRNG commands for which to find on the system.
304 my($prng_name, $exec_name) = @_;
306 prngAddNode($prng_name, $exec_name);
311 # read in ssh_prng_cmds.in, translate the program listings to the paths we have
312 # found on the local system, and then write the output to ssh_prng_cmds.
317 my($fileInput, $fileOutput);
318 my($mode, $uid, $gid);
321 if ( isPresent("/dev/random") && !isForced() )
323 printf("/dev/random found and not forced. Not installing ssh_prng_cmds...\n");
329 print "Fixing paths in ssh_prng_cmds...\n";
331 $fileInput = "$setupdir/ssh_prng_cmds.in";
332 $fileOutput = "$sysconfdir/ssh_prng_cmds";
335 # verify that we are prepared to work with $fileInput
338 if ( !isReadable($fileInput) )
340 printf("Cannot read $fileInput... skipping.\n");
345 # verify that we are prepared to work with $fileOuput
348 if ( !prepareFileWrite($fileOutput) )
354 # Grab the current mode/uid/gid for use later
357 $mode = (stat($fileInput))[2];
358 $uid = (stat($fileInput))[4];
359 $gid = (stat($fileInput))[5];
362 # Open the files for reading and writing, and loop over the input's contents
365 $data = readFile($fileInput);
366 for my $k (keys %$prngcmds)
368 $sub = prngGetExecPath($k);
369 $data =~ s:$k:$sub:g;
371 writeFile($fileOutput, $data);
374 # An attempt to revert the new file back to the original file's
378 chmod($mode, $fileOutput);
379 chown($uid, $gid, $fileOutput);
384 ### determinePRNGPaths( )
386 # for every entry in the PRNG hash, seek out and find the path for the
387 # corresponding executable name.
390 sub determinePRNGPaths
393 my($exec_name, $exec_path);
395 $dirs = getDirectoryPaths();
397 for my $k (keys %$prngcmds)
399 $exec_name = prngGetExecName($k);
400 $exec_path = findExecutable($exec_name, $dirs);
401 prngSetExecPath($k, $exec_path);
407 ### prngAddNode( $prng_name, $exec_name )
409 # add a new node to the PRNG hash
414 my($prng_name, $exec_name) = @_;
417 if (!defined($prngcmds))
423 $node->{prng} = $prng_name;
424 $node->{exec} = $exec_name;
426 $prngcmds->{$prng_name} = $node;
429 ### prngGetExecName( $key )
431 # get the executable name from the prng commands hash named by $key
438 return $prngcmds->{$key}->{exec};
441 ### prngGetExecPath( $key )
443 # get the executable path from the prng commands hash named by $key
450 return $prngcmds->{$key}->{exec_path};
453 ### prngGetNode( $key )
455 # return a reference to the node named by $key
462 return ${$prngcmds}{$key};
465 ### prngSetExecPath( $key, $path )
467 # given a key, set the executable path in that node to $path
472 my($key, $path) = @_;
474 $prngcmds->{$key}->{exec_path} = $path;
477 ### findExecutable( $exec_name, $dirs )
479 # given an executable name, test each possible path in $dirs to see if such
480 # an executable exists.
485 my($exec_name, $dirs) = @_;
489 $test = "$d/$exec_name";
491 if ( isExecutable($test) )
500 ### copyKeyFiles( $copylist )
502 # given an array of keys to copy, copy both the key and its public variant into
503 # the gsi-openssh configuration directory.
509 my($regex, $basename);
513 print "Copying ssh host keys...\n";
515 for my $f (@$copylist)
522 $pubkeyfile = "$f.pub";
524 copyFile("$localsshdir/$keyfile", "$sysconfdir/$keyfile");
525 copyFile("$localsshdir/$pubkeyfile", "$sysconfdir/$pubkeyfile");
533 # return true if the user passed in the force flag. return false otherwise.
538 if ( defined($force) && $force )
548 ### isReadable( $file )
550 # given a file, return true if that file both exists and is readable by the
551 # effective user id. return false otherwise.
558 if ( ( -e $file ) && ( -r $file ) )
568 ### isExecutable( $file )
570 # return true if $file is executable. return false otherwise.
587 ### isWritable( $file )
589 # given a file, return true if that file does not exist or is writable by the
590 # effective user id. return false otherwise.
597 if ( ( ! -e $file ) || ( -w $file ) )
607 ### isPresent( $file )
609 # given a file, return true if that file exists. return false otherwise.
628 # make the gsi-openssh configuration directory if it doesn't already exist.
633 if ( isPresent($sysconfdir) )
635 if ( -d $sysconfdir )
640 die("${sysconfdir} already exists and is not a directory!\n");
643 print "Could not find ${sysconfdir} directory... creating.\n";
644 action("mkdir -p $sysconfdir");
651 # based on a set of key types, triage them to determine if for each key type, that
652 # key type should be copied from the main ssh configuration directory, or if it
653 # should be generated using ssh-keygen.
658 my($keyhash, $keylist);
662 # initialize our variables
668 $keyhash->{gen} = []; # a list of keytypes to generate
669 $keyhash->{copy} = []; # a list of files to copy from the
671 $genlist = $keyhash->{gen};
672 $copylist = $keyhash->{copy};
675 # loop over our keytypes and determine what we need to do for each of them
678 for my $keytype (keys %$keyfiles)
680 $basekeyfile = $keyfiles->{$keytype};
683 # if the key's are already present, we don't need to bother with this rigamarole
686 $gkeyfile = "$sysconfdir/$basekeyfile";
687 $gpubkeyfile = "$sysconfdir/$basekeyfile.pub";
689 if ( isPresent($gkeyfile) && isPresent($gpubkeyfile) )
693 if ( isWritable("$sysconfdir/$basekeyfile") && isWritable("$sysconfdir/$basekeyfile.pub") )
695 action("rm $sysconfdir/$basekeyfile");
696 action("rm $sysconfdir/$basekeyfile.pub");
706 # if we can find a copy of the keys in /etc/ssh, we'll copy them to the user's
710 $mainkeyfile = "$localsshdir/$basekeyfile";
711 $mainpubkeyfile = "$localsshdir/$basekeyfile.pub";
713 if ( isReadable($mainkeyfile) && isReadable($mainpubkeyfile) )
715 push(@$copylist, $basekeyfile);
721 # otherwise, we need to generate the key
724 push(@$genlist, $keytype);
731 ### runKeyGen( $gen_keys )
733 # given a set of key types, generate private and public keys for that key type and
734 # place them in the gsi-openssh configuration directory.
740 my $keygen = "$bindir/ssh-keygen";
742 if (@$gen_keys && -x $keygen)
744 print "Generating ssh host keys...\n";
746 for my $k (@$gen_keys)
748 $keyfile = $keyfiles->{$k};
750 if ( !isPresent("$sysconfdir/$keyfile") )
752 action("$bindir/ssh-keygen -t $k -f $sysconfdir/$keyfile -N \"\"");
760 ### copySSHDConfigFile( )
762 # this subroutine 'edits' the paths in sshd_config to suit them to the current environment
763 # in which the setup script is being run.
766 sub copySSHDConfigFile
768 my($fileInput, $fileOutput);
769 my($mode, $uid, $gid);
771 my($privsep_enabled);
773 print "Fixing paths in sshd_config...\n";
775 $fileInput = "$setupdir/sshd_config.in";
776 $fileOutput = "$sysconfdir/sshd_config";
779 # verify that we are prepared to work with $fileInput
782 if ( !isReadable($fileInput) )
784 printf("Cannot read $fileInput... skipping.\n");
789 # verify that we are prepared to work with $fileOuput
792 if ( !prepareFileWrite($fileOutput) )
798 # check to see whether we should enable privilege separation
801 if ( userExists("sshd") && ( -d "/var/empty" ) && ( getOwnerID("/var/empty") eq 0 ) )
803 setPrivilegeSeparation(1);
807 setPrivilegeSeparation(0);
810 if ( getPrivilegeSeparation() )
812 $privsep_enabled = "yes";
816 $privsep_enabled = "no";
820 # Grab the current mode/uid/gid for use later
823 $mode = (stat($fileInput))[2];
824 $uid = (stat($fileInput))[4];
825 $gid = (stat($fileInput))[5];
828 # Open the files for reading and writing, and loop over the input's contents
831 $data = readFile($fileInput);
834 # alter the PidFile config
837 $text = "PidFile\t$gpath/var/sshd.pid";
838 $data =~ s:^[\s|#]*PidFile.*$:$text:gm;
841 # set the sftp directive
844 $text = "Subsystem\tsftp\t$gpath/libxec/sftp-server";
845 $data =~ s:^[\s|#]*Subsystem\s+sftp\s+.*$:$text:gm;
848 # set the privilege separation directive
851 $text = "UsePrivilegeSeparation\t${privsep_enabled}";
852 $data =~ s:^[\s|#]*UsePrivilegeSeparation.*$:$text:gm;
855 # dump the modified output to the config file
858 writeFile($fileOutput, $data);
861 # An attempt to revert the new file back to the original file's
865 chmod($mode, $fileOutput);
866 chown($uid, $gid, $fileOutput);
871 ### setPrivilegeSeparation( $value )
873 # set the privilege separation variable to $value
876 sub setPrivilegeSeparation
883 ### getPrivilegeSeparation( )
885 # return the value of the privilege separation variable
888 sub getPrivilegeSeparation
893 ### prepareFileWrite( $file )
895 # test $file to prepare for writing to it.
902 if ( isPresent($file) )
904 printf("$file already exists... ");
908 if ( isWritable($file) )
910 printf("removing.\n");
916 printf("not writable -- skipping.\n");
922 printf("skipping.\n");
930 ### copyConfigFiles( )
932 # subroutine that copies some extra config files to their proper location in
933 # $GLOBUS_LOCATION/etc/ssh.
939 # copy the sshd_config file into the ssh configuration directory and alter
940 # the paths in the file.
943 copySSHDConfigFile();
946 # do straight copies of the ssh_config and moduli files.
949 printf("Copying ssh_config and moduli to their proper location...\n");
951 copyFile("$setupdir/ssh_config", "$sysconfdir/ssh_config");
952 copyFile("$setupdir/moduli", "$sysconfdir/moduli");
955 # copy and alter the SXXsshd script.
958 copySXXScript("$setupdir/SXXsshd.in", "$sbindir/SXXsshd");
961 ### copyFile( $src, $dest )
963 # copy the file pointed to by $src to the location specified by $dest. in the
964 # process observe the rules regarding when the '-force' flag was passed to us.
969 my($src, $dest) = @_;
971 if ( !isReadable($src) )
973 printf("$src is not readable... not creating $dest.\n");
977 if ( !prepareFileWrite($dest) )
982 action("cp $src $dest");
985 ### copySXXScript( $in, $out )
987 # parse the input file, substituting in place the value of GLOBUS_LOCATION, and
988 # write the result to the output file.
995 if ( !isReadable($in) )
997 printf("$in is not readable... not creating $out.\n");
1001 if ( !prepareFileWrite($out) )
1006 $data = readFile($in);
1007 $data =~ s|\@GLOBUS_LOCATION\@|$gpath|g;
1008 writeFile($out, $data);
1009 action("chmod 755 $out");
1012 ### readFile( $filename )
1014 # reads and returns $filename's contents
1022 open(IN, "$filename") || die "Can't open '$filename': $!";
1031 ### writeFile( $filename, $fileinput )
1033 # create the inputs to the ssl program at $filename, appending the common name to the
1034 # stream in the process
1039 my($filename, $fileinput) = @_;
1042 # test for a valid $filename
1045 if ( !defined($filename) || (length($filename) lt 1) )
1047 die "Filename is undefined";
1051 # verify that we are prepared to work with $filename
1054 if ( !prepareFileWrite($filename) )
1060 # write the output to $filename
1063 open(OUT, ">$filename");
1064 print OUT "$fileinput";
1068 ### action( $command )
1070 # run $command within a proper system() command.
1077 printf "$command\n";
1079 my $result = system("LD_LIBRARY_PATH=\"$gpath/lib:\$LD_LIBRARY_PATH\"; $command 2>&1");
1081 if (($result or $?) and $command !~ m!patch!)
1083 die "ERROR: Unable to execute command: $!\n";
1087 ### query_boolean( $query_text, $default )
1089 # query the user with a string, and expect a response. If the user hits
1090 # 'enter' instead of entering an input, then accept the default response.
1095 my($query_text, $default) = @_;
1096 my($nondefault, $foo, $bar);
1099 # Set $nondefault to the boolean opposite of $default.
1102 if ($default eq "n")
1111 print "${query_text} ";
1112 print "[$default] ";
1115 ($bar) = split //, $foo;
1117 if ( grep(/\s/, $bar) )
1119 # this is debatable. all whitespace means 'default'
1123 elsif ($bar ne $default)
1125 # everything else means 'nondefault'.
1131 # extraneous step. to get here, $bar should be eq to $default anyway.
1139 ### absolutePath( $file )
1141 # converts a given pathname into a canonical path using the abs_path function.
1147 my $home = $ENV{'HOME'};
1148 $file =~ s!~!$home!;
1150 $file =~ s!^\./!$startd/!;
1151 $file = "$startd/$file" if $file !~ m!^\s*/!;
1152 $file = abs_path($file);
1156 ### getOwnerID( $file )
1158 # return the uid containing the owner ID of the given file.
1167 # call stat() to get the mode of the file
1170 $uid = (stat($file))[4];
1175 ### getMode( $file )
1177 # return a string containing the mode of the given file.
1183 my($tempmode, $mode);
1186 # call stat() to get the mode of the file
1189 $tempmode = (stat($file))[2];
1190 if (length($tempmode) < 1)
1196 # call sprintf to format the mode into a UNIX-like string
1199 $mode = sprintf("%04o", $tempmode & 07777);
1204 ### userExists( $username )
1206 # given a username, return true if the user exists on the system. return false
1216 # retrieve the userid of the user with the given username
1219 $uid = getpwnam($username);
1222 # return true if $uid is defined and has a length greater than 0
1225 if ( defined($uid) and (length($uid) > 0) )