$gpath = $ENV{GLOBUS_LOCATION};
if (!defined($gpath))
{
- die "GLOBUS_LOCATION needs to be set before running this script"
+ exitDie("ERROR: GLOBUS_LOCATION needs to be set before running this script!\n");
}
#
use Cwd;
use Cwd 'abs_path';
-#
-# modify the ld library path for when we call ssh executables
-#
-
-$oldldpath = $ENV{LD_LIBRARY_PATH};
-$newldpath = "$gpath/lib";
-if (length($oldldpath) > 0)
-{
- $newldpath .= ":$oldldpath";
-}
-$ENV{LD_LIBRARY_PATH} = "$newldpath";
-
#
# i'm including this because other perl scripts in the gpt setup directories
# do so
$prefix = ${globusdir};
$exec_prefix = "${prefix}";
-$bindir = "${exec_prefix}/bin";
+$bindir = "${exec_prefix}/bin/ssh.d";
$sbindir = "${exec_prefix}/sbin";
$sysconfdir = "$prefix/etc/ssh";
$localsshdir = "/etc/ssh";
my($prompt, $force, $verbose);
$prompt = 1;
+$verbose = 0;
GetOptions(
'prompt!' => \$prompt,
# point.
#
-print "$myname: Configuring package 'gsi_openssh'...\n";
-print "---------------------------------------------------------------------\n";
-print "Hi, I'm the setup script for the gsi_openssh package! I will create\n";
-print "a number of configuration files based on your local system setup. I\n";
-print "will also attempt to copy or create a number of SSH key pairs for\n";
-print "this machine. (Loosely, if I find a pair of host keys in /etc/ssh,\n";
-print "I will copy them into \$GLOBUS_LOCATION/etc/ssh. Otherwise, I will\n";
-print "generate them for you.)\n";
-print "\n";
-
-if ( isForced() )
-{
- print "WARNING:\n";
- print "\n";
- print " Using the '-force' flag will cause all gsi_openssh_setup files to\n";
- print " be removed and replaced by new versions! Backup any critical\n";
- print " SSH configuration files before you choose to continue!\n";
- print "\n";
-}
-
-$response = query_boolean("Do you wish to continue with the setup package?","y");
-if ($response eq "n")
-{
- print "\n";
- print "Exiting gsi_openssh setup.\n";
-
- exit 0;
-}
-
-print "\n";
+debug0("Configuring gsi_openssh\n");
+debug0("------------------------------------------------------------\n");
+debug0("Executing...\n");
makeConfDir();
copyPRNGFile();
$keyhash = determineKeys();
runKeyGen($keyhash->{gen});
-copyKeyFiles($keyhash->{copy});
+linkKeyFiles($keyhash->{link});
copyConfigFiles();
my $metadata = new Grid::GPT::Setup(package_name => "gsi_openssh_setup");
$metadata->finish();
-print "\n";
-print "Additional Notes:\n";
-print "\n";
-print " o I see that you have your GLOBUS_LOCATION environmental variable\n";
-print " set to:\n";
-print "\n";
-print " \"$gpath\"\n";
-print "\n";
-print " Remember to keep this variable set (correctly) when you want to\n";
-print " use the executables that came with this package.\n";
-print "\n";
-print " After that you may execute, for example:\n";
-print "\n";
-print " \$ . \$GLOBUS_LOCATION/etc/globus-user-env.sh\n";
-print "\n";
-print " to prepare your environment for running the gsi_openssh\n";
-print " executables.\n";
-print "\n";
-print " o I recommend you review and customize to your liking the contents of\n";
-print "\n";
-print " \$GLOBUS_LOCATION/etc/ssh\n";
-print "\n";
-print " \"I can only show you the door. You have to walk through it.\"\n";
-
-if ( !getPrivilegeSeparation() )
+debug0("\n");
+debug0("Notes:\n\n");
+
+if ( getPrivilegeSeparation() )
{
- print "\n";
- print " o For System Administrators:\n";
- print "\n";
- print " If you are going to run the GSI-OpenSSH server, we recommend\n";
- print " enabling privilege separation. Although this package supports\n";
- print " this feature, your system appears to require some additional\n";
- print " configuration.\n";
- print "\n";
- print " From the file README.privsep, included as a part of the OpenSSH\n";
- print " distribution:\n";
- print "\n";
- print " When privsep is enabled, during the pre-authentication\n";
- print " phase sshd will chroot(2) to \"/var/empty\" and change its\n";
- print " privileges to the \"sshd\" user and its primary group. sshd\n";
- print " is a pseudo-account that should not be used by other\n";
- print " daemons, and must be locked and should contain a \"nologin\"\n";
- print " or invalid shell.\n";
- print "\n";
- print " You should do something like the following to prepare the\n";
- print " privsep preauth environment:\n";
- print "\n";
- print " \# mkdir /var/empty\n";
- print " \# chown root:sys /var/empty\n";
- print " \# chmod 755 /var/empty\n";
- print " \# groupadd sshd\n";
- print " \# useradd -g sshd -c 'sshd privsep' -d /var/empty \\\n";
- print " -s /bin/false sshd\n";
- print "\n";
- print " /var/empty should not contain any files.\n";
+ debug0(" o Privilege separation is on.\n");
}
-
-print "\n";
-print " o For more information about GSI-Enabled OpenSSH, visit:\n";
-print " <http://grid.ncsa.uiuc.edu/ssh/>\n";
-
-#
-# give the user a chance to read all of this output
-#
-
-if ( $prompt )
+elsif ( !getPrivilegeSeparation() )
{
- print "\n";
- print "Press <return> to continue... ";
- $trash = <STDIN>;
+ debug0(" o Privilege separation is off.\n");
}
-print "---------------------------------------------------------------------\n";
-print "$myname: Finished configuring package 'gsi_openssh'.\n";
+debug0(" o GSI-OpenSSH website is <http://grid.ncsa.uiuc.edu/ssh/>.\n");
+debug0("------------------------------------------------------------\n");
+debug0("Finished configuring gsi_openssh.\n");
exit;
addPRNGCommand("\@PROG_IPCS\@", "ipcs");
addPRNGCommand("\@PROG_TAIL\@", "tail");
- print "Determining paths for PRNG commands...\n";
+ debug1("Determining paths for PRNG commands...\n");
$paths = determinePRNGPaths();
if ( isPresent("$sysconfdir/ssh_prng_cmds") && !isForced() )
{
- printf("ssh_prng_cmds found and not forced. Not installing ssh_prng_cmds...\n");
+ debug1("ssh_prng_cmds found and not forced. Not installing ssh_prng_cmds...\n");
return;
}
initPRNGHash();
- print "Fixing paths in ssh_prng_cmds...\n";
+ debug1("Fixing paths in ssh_prng_cmds...\n");
$fileInput = "$setupdir/ssh_prng_cmds.in";
$fileOutput = "$sysconfdir/ssh_prng_cmds";
if ( !isReadable($fileInput) )
{
- printf("Cannot read $fileInput... skipping.\n");
+ debug1("Cannot read $fileInput... skipping.\n");
return;
}
return "undef";
}
-### copyKeyFiles( $copylist )
+### linkKeyFiles( $linklist )
#
-# given an array of keys to copy, copy both the key and its public variant into
+# given an array of keys to link, link both the key and its public variant into
# the gsi-openssh configuration directory.
#
-sub copyKeyFiles
+sub linkKeyFiles
{
- my($copylist) = @_;
+ my($linklist) = @_;
my($regex, $basename);
- if (@$copylist)
+ if (@$linklist)
{
- print "Copying ssh host keys...\n";
+ debug1("Linking ssh host keys...\n");
- for my $f (@$copylist)
+ for my $f (@$linklist)
{
$f =~ s:/+:/:g;
$keyfile = "$f";
$pubkeyfile = "$f.pub";
- copyFile("$localsshdir/$keyfile", "$sysconfdir/$keyfile");
- copyFile("$localsshdir/$pubkeyfile", "$sysconfdir/$pubkeyfile");
+ linkFile("$localsshdir/$keyfile", "$sysconfdir/$keyfile");
+ linkFile("$localsshdir/$pubkeyfile", "$sysconfdir/$pubkeyfile");
}
}
}
return;
}
- die("${sysconfdir} already exists and is not a directory!\n");
+ debug1("${sysconfdir} already exists and is not a directory!\n");
+ exit;
}
- print "Could not find ${sysconfdir} directory... creating.\n";
+ debug1("Could not find ${sysconfdir} directory... creating.\n");
action("mkdir -p $sysconfdir");
return;
$keyhash = {};
$keyhash->{gen} = []; # a list of keytypes to generate
- $keyhash->{copy} = []; # a list of files to copy from the
+ $keyhash->{link} = []; # a list of files to link
$genlist = $keyhash->{gen};
- $copylist = $keyhash->{copy};
+ $linklist = $keyhash->{link};
#
# loop over our keytypes and determine what we need to do for each of them
}
#
- # if we can find a copy of the keys in /etc/ssh, we'll copy them to the user's
+ # if we can find a copy of the keys in /etc/ssh, we'll link them to the user's
# globus location
#
$mainkeyfile = "$localsshdir/$basekeyfile";
$mainpubkeyfile = "$localsshdir/$basekeyfile.pub";
- if ( isReadable($mainkeyfile) && isReadable($mainpubkeyfile) )
+ if ( isPresent($mainkeyfile) && isPresent($mainpubkeyfile) )
{
- push(@$copylist, $basekeyfile);
+ push(@$linklist, $basekeyfile);
$count++;
next;
}
if (@$gen_keys && -x $keygen)
{
- print "Generating ssh host keys...\n";
+ debug1("Generating ssh host keys...\n");
for my $k (@$gen_keys)
{
my($line, $newline);
my($privsep_enabled);
- print "Fixing paths in sshd_config...\n";
+ debug1("Fixing paths in sshd_config...\n");
$fileInput = "$setupdir/sshd_config.in";
$fileOutput = "$sysconfdir/sshd_config";
if ( !isReadable($fileInput) )
{
- printf("Cannot read $fileInput... skipping.\n");
+ debug1("Cannot read $fileInput... skipping.\n");
return;
}
$data = readFile($fileInput);
- #
- # alter the PidFile config
- #
-
- $text = "PidFile\t$gpath/var/sshd.pid";
- $data =~ s:^[\s|#]*PidFile.*$:$text:gm;
+ # #
+ # # alter the PidFile config
+ # #
+ #
+ # $text = "PidFile\t$gpath/var/sshd.pid";
+ # $data =~ s:^[\s|#]*PidFile.*$:$text:gm;
#
# set the sftp directive
if ( isPresent($file) )
{
- printf("$file already exists... ");
+ debug1("$file already exists... ");
if ( isForced() )
{
if ( isWritable($file) )
{
- printf("removing.\n");
+ debug1("removing.\n");
action("rm $file");
return 1;
}
else
{
- printf("not writable -- skipping.\n");
+ debug1("not writable -- skipping.\n");
return 0;
}
}
else
{
- printf("skipping.\n");
+ debug1("skipping.\n");
return 0;
}
}
# do straight copies of the ssh_config and moduli files.
#
- printf("Copying ssh_config and moduli to their proper location...\n");
+ debug1("Copying ssh_config and moduli to their proper location...\n");
copyFile("$setupdir/ssh_config", "$sysconfdir/ssh_config");
copyFile("$setupdir/moduli", "$sysconfdir/moduli");
copySXXScript("$setupdir/SXXsshd.in", "$sbindir/SXXsshd");
}
+### linkFile( $src, $dest )
+#
+# create a symbolic link from $src to $dest.
+#
+
+sub linkFile
+{
+ my($src, $dest) = @_;
+
+ if ( !isPresent($src) )
+ {
+ debug1("$src is not readable... not creating $dest.\n");
+ return;
+ }
+
+ if ( !prepareFileWrite($dest) )
+ {
+ return;
+ }
+
+ action("ln -s $src $dest");
+}
+
### copyFile( $src, $dest )
#
# copy the file pointed to by $src to the location specified by $dest. in the
if ( !isReadable($src) )
{
- printf("$src is not readable... not creating $dest.\n");
+ debug1("$src is not readable... not creating $dest.\n");
return;
}
if ( !isReadable($in) )
{
- printf("$in is not readable... not creating $out.\n");
+ debug1("$in is not readable... not creating $out.\n");
return;
}
my($filename) = @_;
my($data);
- open(IN, "$filename") || die "Can't open '$filename': $!";
+ open(IN, "$filename") || exitDie("ERROR: Can't open '$filename': $!\n");
$/ = undef;
$data = <IN>;
$/ = "\n";
if ( !defined($filename) || (length($filename) lt 1) )
{
- die "Filename is undefined";
+ exitDie("ERROR: Filename is undefined!\n");
}
#
close(OUT);
}
+### debug1( $arg1, $arg2 )
+#
+# Print out a debugging message at level 1.
+#
+
+sub debug1
+{
+ debug(string => \@_, level => 1);
+}
+
+### debug0( $arg1, $arg2 )
+#
+# Print out a debugging message at level 0.
+#
+
+sub debug0
+{
+ debug(string => \@_, level => 0);
+}
+
+### debug( string => $string, level => $level )
+#
+# Print out debugging messages at various levels. Feel free to use debugN() directly
+# which in turn calls this subroutine.
+#
+
+sub debug
+{
+ my %args = @_;
+
+ if (!defined($args{'level'}))
+ {
+ $args{'level'} = 0;
+ }
+
+ if ($verbose >= $args{'level'})
+ {
+ printf(@{$args{'string'}});
+ }
+}
+
### action( $command )
#
# run $command within a proper system() command.
{
my($command) = @_;
- printf "$command\n";
+ debug1("$command\n");
- my $result = system("LD_LIBRARY_PATH=\"$gpath/lib:\$LD_LIBRARY_PATH\"; $command 2>&1");
+ my $result = system("$command >/dev/null 2>&1");
if (($result or $?) and $command !~ m!patch!)
{
- die "ERROR: Unable to execute command: $!\n";
+ exitDie("ERROR: Unable to execute $command: $!\n");
}
}
+### exitDie( $error )
+#
+# a horribly named method meant to look like die but only exit, thereby not causing
+# gpt-postinstall to croak.
+#
+
+sub exitDie
+{
+ my($error) = @_;
+
+ print $error;
+ exit;
+}
+
### query_boolean( $query_text, $default )
#
# query the user with a string, and expect a response. If the user hits
andersk / gssapi-openssh.git / blobdiff