-#!/bin/sh
+#!/bin/bash
#
-# ssh-host-config, Copyright 2000, Red Hat Inc.
+# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Directory where the config files are stored
SYSCONFDIR=/etc
-
-# Subdirectory where an old package might be installed
-OLDPREFIX=/usr/local
-OLDSYSCONFDIR=${OLDPREFIX}/etc
+LOCALSTATEDIR=/var
progname=$0
auto_answer=""
{
if [ "${auto_answer}" = "yes" ]
then
+ echo "$1 (yes/no) yes"
return 0
elif [ "${auto_answer}" = "no" ]
then
+ echo "$1 (yes/no) no"
return 1
fi
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
- read answer
+ read -e answer
done
if [ "X${answer}" = "Xyes" ]
then
option=$1
shift
- case "$option" in
+ case "${option}" in
-d | --debug )
set -x
;;
auto_answer=no
;;
+ -c | --cygwin )
+ cygwin_value="$1"
+ shift
+ ;;
+
-p | --port )
port_number=$1
shift
;;
+ -w | --pwd )
+ password_value="$1"
+ shift
+ ;;
+
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
- echo " --debug -d Enable shell's debug output."
- echo " --yes -y Answer all questions with \"yes\" automatically."
- echo " --no -n Answer all questions with \"no\" automatically."
- echo " --port -p <n> sshd listens on port n."
+ echo " --debug -d Enable shell's debug output."
+ echo " --yes -y Answer all questions with \"yes\" automatically."
+ echo " --no -n Answer all questions with \"no\" automatically."
+ echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
+ echo " --port -p <n> sshd listens on port n."
+ echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
echo
exit 1
;;
done
# Check if running on NT
-_sys="`uname -a`"
-_nt=`expr "$_sys" : "CYGWIN_NT"`
+_sys="`uname`"
+_nt=`expr "${_sys}" : "CYGWIN_NT"`
+# If running on NT, check if running under 2003 Server or later
+if [ ${_nt} -gt 0 ]
+then
+ _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+fi
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
- echo "${SYSCONFDIR} is existant but not a directory."
+ echo "${SYSCONFDIR} exists but is not a directory."
echo "Cannot create global configuration files."
echo
exit 1
# Create /var/log and /var/log/lastlog if not already existing
-if [ -f /var/log ]
+if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
then
- echo "Creating /var/log failed\!"
-else
- if [ ! -d /var/log ]
- then
- mkdir -p /var/log
- fi
- if [ -d /var/log/lastlog ]
- then
- echo "Creating /var/log/lastlog failed\!"
- elif [ ! -f /var/log/lastlog ]
- then
- cat /dev/null > /var/log/lastlog
- fi
+ echo
+ echo "${LOCALSTATEDIR}/log exists but is not a directory."
+ echo "Cannot create ssh host configuration."
+ echo
+ exit 1
fi
-
-# Create /var/empty file used as chroot jail for privilege separation
-if [ -f /var/empty ]
+if [ ! -e ${LOCALSTATEDIR}/log ]
then
- echo "Creating /var/empty failed\!"
-else
- mkdir -p /var/empty
- # On NT change ownership of that dir to user "system"
- if [ $_nt -gt 0 ]
- then
- chmod 755 /var/empty
- chown system.system /var/empty
- fi
+ mkdir -p ${LOCALSTATEDIR}/log
fi
-# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
-# the same as ${PREFIX}
+if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
+then
+ echo
+ echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
+ echo "Cannot create ssh host configuration."
+ echo
+ exit 1
+fi
+if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
+then
+ cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+ chmod 644 ${LOCALSTATEDIR}/log/lastlog
+fi
-old_install=0
-if [ "${OLDPREFIX}" != "${PREFIX}" ]
+# Create /var/empty file used as chroot jail for privilege separation
+if [ -e ${LOCALSTATEDIR}/empty -a ! -d ${LOCALSTATEDIR}/empty ]
then
- if [ -f "${OLDPREFIX}/sbin/sshd" ]
+ echo
+ echo "${LOCALSTATEDIR}/empty exists but is not a directory."
+ echo "Cannot create ssh host configuration."
+ echo
+ exit 1
+if [ ! -e ${LOCALSTATEDIR}/empty ]
+then
+ if ! mkdir -p ${LOCALSTATEDIR}/empty
then
echo
- echo "You seem to have an older installation in ${OLDPREFIX}."
+ echo "Creating ${LOCALSTATEDIR}/empty directory failed."
+ echo "Cannot create ssh host configuration."
echo
- # Check if old global configuration files exist
- if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
- then
- if request "Do you want to copy your config files to your new installation?"
- then
- cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
- cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
- cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
- cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
- cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
- cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
- fi
- fi
- if request "Do you want to erase your old installation?"
- then
- rm -f ${OLDPREFIX}/bin/ssh.exe
- rm -f ${OLDPREFIX}/bin/ssh-config
- rm -f ${OLDPREFIX}/bin/scp.exe
- rm -f ${OLDPREFIX}/bin/ssh-add.exe
- rm -f ${OLDPREFIX}/bin/ssh-agent.exe
- rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
- rm -f ${OLDPREFIX}/bin/slogin
- rm -f ${OLDSYSCONFDIR}/ssh_host_key
- rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
- rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
- rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
- rm -f ${OLDSYSCONFDIR}/ssh_config
- rm -f ${OLDSYSCONFDIR}/sshd_config
- rm -f ${OLDPREFIX}/man/man1/ssh.1
- rm -f ${OLDPREFIX}/man/man1/scp.1
- rm -f ${OLDPREFIX}/man/man1/ssh-add.1
- rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
- rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
- rm -f ${OLDPREFIX}/man/man1/slogin.1
- rm -f ${OLDPREFIX}/man/man8/sshd.8
- rm -f ${OLDPREFIX}/sbin/sshd.exe
- rm -f ${OLDPREFIX}/sbin/sftp-server.exe
- fi
- old_install=1
+ exit 1
+ fi
+ if [ ${_nt} -gt 0 ]
+ then
+ chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
fi
fi
-# Create default ssh_config from here script
+# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
- cat > ${SYSCONFDIR}/ssh_config << EOF
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for various options
-
-# Host *
-# ForwardAgent no
-# ForwardX11 no
-# RhostsAuthentication no
-# RhostsRSAAuthentication no
-# RSAAuthentication yes
-# PasswordAuthentication yes
-# BatchMode no
-# CheckHostIP yes
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
-# IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_rsa
-# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
-# EscapeChar ~
-EOF
- if [ "$port_number" != "22" ]
+ cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
+ if [ "${port_number}" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
- echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
+ echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
-if [ "$privsep_configured" != "yes" ]
+if [ "${privsep_configured}" != "yes" ]
then
- if [ $_nt -gt 0 ]
+ if [ ${_nt} -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
- echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
+ echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
echo
- if request "Shall privilege separation be used?"
+ if request "Should privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
- if [ "$sshd_in_passwd" != "yes" ]
+ if [ "${sshd_in_passwd}" != "yes" ]
then
- if [ "$sshd_in_sam" != "yes" ]
+ if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
- if request "Shall this script create a local user 'sshd' on this machine?"
+ if request "Should this script create a local user 'sshd' on this machine?"
then
- dos_var_empty=`cygpath -w /var/empty`
- net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
- if [ "$sshd_in_sam" != "yes" ]
+ dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+ net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
+ if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
- if [ "$sshd_in_sam" != "yes" ]
+ if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
fi
else
# On 9x don't use privilege separation. Since security isn't
- # available it just adds useless addtional processes.
+ # available it just adds useless additional processes.
privsep_used=no
fi
fi
-# Create default sshd_config from here script or modify to add the
-# missing privsep configuration option
+# Create default sshd_config from skeleton files in /etc/defaults/etc or
+# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
- cat > ${SYSCONFDIR}/sshd_config << EOF
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
-# default value.
-
-Port $port_number
-#Protocol 2,1
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# HostKey for protocol version 1
-#HostKey ${SYSCONFDIR}/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
-#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server ke
-#KeyRegenerationInterval 3600
-#ServerKeyBits 768
-
-# Logging
-#obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 600
-#PermitRootLogin yes
-# The following setting overrides permission checks on host key files
-# and directories. For security reasons set this to "yes" when running
-# NT/W2K, NTFS and CYGWIN=ntsec.
-StrictModes no
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# rhosts authentication should not be used
-#RhostsAuthentication no
-# Don't read ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#KeepAlive yes
-#UseLogin no
-UsePrivilegeSeparation $privsep_used
-#Compression yes
-
-#MaxStartups 10
-# no default banner path
-#Banner /some/path
-#VerifyReverseMapping no
-
-# override default of no subsystems
-Subsystem sftp /usr/sbin/sftp-server
-EOF
-elif [ "$privsep_configured" != "yes" ]
+ sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+ s/^#Port 22/Port ${port_number}/
+ s/^#StrictModes yes/StrictModes no/" \
+ < ${SYSCONFDIR}/defaults/etc/sshd_config \
+ > ${SYSCONFDIR}/sshd_config
+elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
- echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
+ echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
-if [ $_nt -gt 0 ]
+_my_etcdir="/ssh-host-config.$$"
+if [ ${_nt} -gt 0 ]
then
- _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
- _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
+ _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+ _services="${_my_etcdir}/services"
+ # On NT, 27 spaces, no space after the hash
+ _spaces=" #"
else
- _wservices="${WINDIR}\\SERVICES"
- _wserv_tmp="${WINDIR}\\SERV.$$"
+ _win_etcdir="${WINDIR}"
+ _services="${_my_etcdir}/SERVICES"
+ # On 9x, 18 spaces (95 is very touchy), a space after the hash
+ _spaces=" # "
fi
-_services=`cygpath -u "${_wservices}"`
-_serv_tmp=`cygpath -u "${_wserv_tmp}"`
+_serv_tmp="${_my_etcdir}/srv.out.$$"
+
+mount -t -f "${_win_etcdir}" "${_my_etcdir}"
-mount -t -f "${_wservices}" "${_services}"
-mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
+# Depends on the above mount
+_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
- then
+ then
if mv "${_serv_tmp}" "${_services}"
then
- echo "Removing sshd from ${_services}"
+ echo "Removing sshd from ${_wservices}"
else
- echo "Removing sshd from ${_services} failed\!"
- fi
+ echo "Removing sshd from ${_wservices} failed!"
+ fi
rm -f "${_serv_tmp}"
else
- echo "Removing sshd from ${_services} failed\!"
+ echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
- awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
- if [ -f "${_serv_tmp}" ]
+ if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
- echo "Added ssh to ${_services}"
+ echo "Added ssh to ${_wservices}"
else
- echo "Adding ssh to ${_services} failed\!"
+ echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
- echo "Adding ssh to ${_services} failed\!"
+ echo "WARNING: Adding ssh to ${_wservices} failed!"
fi
fi
-umount "${_services}"
-umount "${_serv_tmp}"
+umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
- echo "Removed sshd from ${_inetcnf}"
+ echo "Removed sshd from ${_inetcnf}"
else
- echo "Removing sshd from ${_inetcnf} failed\!"
+ echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
- echo "Removing sshd from ${_inetcnf} failed\!"
+ echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
fi
# On NT ask if sshd should be installed as service
-if [ $_nt -gt 0 ]
+if [ ${_nt} -gt 0 ]
then
- echo
- echo "Do you want to install sshd as service?"
- if request "(Say \"no\" if it's already installed as service)"
+ # But only if it is not already installed
+ if ! cygrunsrv -Q sshd > /dev/null 2>&1
then
echo
- echo "Which value should the environment variable CYGWIN have when"
- echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
- echo "able to change user context without password."
- echo -n "Default is \"binmode ntsec tty\". CYGWIN="
- read _cygwin
- [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
+ echo
+ echo "Warning: The following functions require administrator privileges!"
+ echo
+ echo "Do you want to install sshd as service?"
+ if request "(Say \"no\" if it's already installed as service)"
+ then
+ if [ $_nt2003 -gt 0 ]
+ then
+ grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
+ if [ "${sshd_server_in_passwd}" = "yes" ]
+ then
+ # Drop sshd_server from passwd since it could have wrong settings
+ grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
+ rm -f ${SYSCONFDIR}/passwd
+ mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
+ chmod g-w,o-w ${SYSCONFDIR}/passwd
+ fi
+ net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
+ if [ "${sshd_server_in_sam}" != "yes" ]
+ then
+ echo
+ echo "You appear to be running Windows 2003 Server or later. On 2003 and"
+ echo "later systems, it's not possible to use the LocalSystem account"
+ echo "if sshd should allow passwordless logon (e. g. public key authentication)."
+ echo "If you want to enable that functionality, it's required to create a new"
+ echo "account 'sshd_server' with special privileges, which is then used to run"
+ echo "the sshd service under."
+ echo
+ echo "Should this script create a new local account 'sshd_server' which has"
+ if request "the required privileges?"
+ then
+ _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
+ if [ -z "${_admingroup}" ]
+ then
+ echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
+ exit 1
+ fi
+ dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
+ while [ "${sshd_server_in_sam}" != "yes" ]
+ do
+ if [ -n "${password_value}" ]
+ then
+ _password="${password_value}"
+ # Allow to ask for password if first try fails
+ password_value=""
+ else
+ echo
+ echo "Please enter a password for new user 'sshd_server'. Please be sure that"
+ echo "this password matches the password rules given on your system."
+ echo -n "Entering no password will exit the configuration. PASSWORD="
+ read -e _password
+ if [ -z "${_password}" ]
+ then
+ echo
+ echo "Exiting configuration. No user sshd_server has been created,"
+ echo "no sshd service installed."
+ exit 1
+ fi
+ fi
+ net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
+ if [ "${sshd_server_in_sam}" != "yes" ]
+ then
+ echo "Creating the user 'sshd_server' failed! Reason:"
+ cat /tmp/nu.$$
+ rm /tmp/nu.$$
+ fi
+ done
+ net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
+ if [ "${sshd_server_in_admingroup}" != "yes" ]
+ then
+ echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
+ echo "Please add sshd_server to local group ${_admingroup} before"
+ echo "starting the sshd service!"
+ echo
+ fi
+ passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
+ if [ "${passwd_has_expiry_flags}" != "yes" ]
+ then
+ echo
+ echo "WARNING: User sshd_server has password expiry set to system default."
+ echo "Please check that password never expires or set it to your needs."
+ elif ! passwd -e sshd_server
+ then
+ echo
+ echo "WARNING: Setting password expiry for user sshd_server failed!"
+ echo "Please check that password never expires or set it to your needs."
+ fi
+ editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
+ editrights -a SeCreateTokenPrivilege -u sshd_server &&
+ editrights -a SeTcbPrivilege -u sshd_server &&
+ editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
+ editrights -a SeDenyNetworkLogonRight -u sshd_server &&
+ editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
+ editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
+ editrights -a SeServiceLogonRight -u sshd_server &&
+ sshd_server_got_all_rights="yes"
+ if [ "${sshd_server_got_all_rights}" != "yes" ]
+ then
+ echo
+ echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
+ echo "Can't create sshd service!"
+ exit 1
+ fi
+ echo
+ echo "User 'sshd_server' has been created with password '${_password}'."
+ echo "If you change the password, please keep in mind to change the password"
+ echo "for the sshd service, too."
+ echo
+ echo "Also keep in mind that the user sshd_server needs read permissions on all"
+ echo "users' .ssh/authorized_keys file to allow public key authentication for"
+ echo "these users!. (Re-)running ssh-user-config for each user will set the"
+ echo "required permissions correctly."
+ echo
+ fi
+ fi
+ if [ "${sshd_server_in_sam}" = "yes" ]
+ then
+ mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+ fi
+ fi
+ if [ -n "${cygwin_value}" ]
+ then
+ _cygwin="${cygwin_value}"
+ else
+ echo
+ echo "Which value should the environment variable CYGWIN have when"
+ echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
+ echo "able to change user context without password."
+ echo -n "Default is \"ntsec\". CYGWIN="
+ read -e _cygwin
+ fi
+ [ -z "${_cygwin}" ] && _cygwin="ntsec"
+ if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+ then
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
+ then
+ echo
+ echo "The service has been installed under sshd_server account."
+ echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+ fi
+ else
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
+ then
+ echo
+ echo "The service has been installed under LocalSystem account."
+ echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
+ fi
+ fi
+ fi
+ # Now check if sshd has been successfully installed. This allows to
+ # set the ownership of the affected files correctly.
+ if cygrunsrv -Q sshd > /dev/null 2>&1
+ then
+ if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
+ then
+ _user="sshd_server"
+ else
+ _user="system"
+ fi
+ chown "${_user}" ${SYSCONFDIR}/ssh*
+ chown "${_user}".544 ${LOCALSTATEDIR}/empty
+ chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
+ if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+ then
+ chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
+ fi
+ fi
+ if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
then
- chown system ${SYSCONFDIR}/ssh*
echo
- echo "The service has been installed under LocalSystem account."
+ echo "Warning: It appears that you have user mode mounts (\"Just me\""
+ echo "chosen during install.) Any daemons installed as services will"
+ echo "fail to function unless system mounts are used. To change this,"
+ echo "re-run setup.exe and choose \"All users\"."
+ echo
+ echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
fi
fi
fi
-if [ "${old_install}" = "1" ]
-then
- echo
- echo "Note: If you have used sshd as service or from inetd, don't forget to"
- echo " change the path to sshd.exe in the service entry or in inetd.conf."
-fi
-
echo
echo "Host configuration finished. Have fun!"
andersk / gssapi-openssh.git / blobdiff