[openssh.git] / contrib / cygwin / ssh-host-config

#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    echo "$1 (yes/no) yes"
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    echo "$1 (yes/no) no"
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -c | --cygwin )
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  -w | --pwd )
    password_value="$1"
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'sshd_server'."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f ${LOCALSTATEDIR}/log ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed!"
else
  if [ ! -d ${LOCALSTATEDIR}/log ]
  then
    mkdir -p ${LOCALSTATEDIR}/log
  fi
  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
  then
    chmod 777 ${LOCALSTATEDIR}/log/lastlog
  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
  then
    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
    chmod 666 ${LOCALSTATEDIR}/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
  mkdir -p ${LOCALSTATEDIR}/empty
  if [ ${_nt} -gt 0 ]
  then
    chmod 755 ${LOCALSTATEDIR}/empty
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from skeleton file in /etc/defaults/etc

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
  if [ "${port_number}" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "${privsep_configured}" != "yes" ]
then
  if [ ${_nt} -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    echo
    if request "Should privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "${sshd_in_passwd}" != "yes" ]
      then
	if [ "${sshd_in_sam}" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Should this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "${sshd_in_sam}" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "${sshd_in_sam}" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless additional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
	  s/^#Port 22/Port ${port_number}/
	  s/^#StrictModes yes/StrictModes no/" \
      < ${SYSCONFDIR}/defaults/etc/sshd_config \
      > ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  # On NT, 27 spaces, no space after the hash
  _spaces="                           #"
else
  _win_etcdir="${WINDIR}"
  _services="${_my_etcdir}/SERVICES"
  # On 9x, 18 spaces (95 is very touchy), a space after the hash
  _spaces="                  # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"

mount -t -f "${_win_etcdir}" "${_my_etcdir}"

# Depends on the above mount
_wservices=`cygpath -w "${_services}"`

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_wservices}"
    else
      echo "Removing sshd from ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_wservices} failed!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_wservices}"
    else
      echo "Adding ssh to ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "WARNING: Adding ssh to ${_wservices} failed!"
  fi
fi

umount "${_my_etcdir}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
	echo "Removed sshd from ${_inetcnf}"
      else
	echo "Removing sshd from ${_inetcnf} failed!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ ${_nt} -gt 0 ]
then
  # But only if it is not already installed
  if ! cygrunsrv -Q sshd > /dev/null 2>&1
  then
    echo
    echo
    echo "Warning: The following functions require administrator privileges!"
    echo
    echo "Do you want to install sshd as service?"
    if request "(Say \"no\" if it's already installed as service)"
    then
      if [ $_nt2003 -gt 0 ]
      then
	grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
	if [ "${sshd_server_in_passwd}" = "yes" ]
	then
	  # Drop sshd_server from passwd since it could have wrong settings
	  grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
	  rm -f ${SYSCONFDIR}/passwd
	  mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
	  chmod g-w,o-w ${SYSCONFDIR}/passwd
	fi
	net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
	if [ "${sshd_server_in_sam}" != "yes" ]
	then
	  echo
	  echo "You appear to be running Windows 2003 Server or later.  On 2003 and"
	  echo "later systems, it's not possible to use the LocalSystem account"
	  echo "if sshd should allow passwordless logon (e. g. public key authentication)."
	  echo "If you want to enable that functionality, it's required to create a new"
	  echo "account 'sshd_server' with special privileges, which is then used to run"
	  echo "the sshd service under."
	  echo
	  echo "Should this script create a new local account 'sshd_server' which has"
	  if request "the required privileges?"
	  then
	    _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
	    if [ -z "${_admingroup}" ]
	    then
	      echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
	      exit 1
	    fi
	    dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	    while [ "${sshd_server_in_sam}" != "yes" ]
	    do
	      if [ -n "${password_value}" ]
	      then
		_password="${password_value}"
		# Allow to ask for password if first try fails
		password_value=""
	      else
		echo
		echo "Please enter a password for new user 'sshd_server'.  Please be sure that"
		echo "this password matches the password rules given on your system."
		echo -n "Entering no password will exit the configuration.  PASSWORD="
		read -e _password
		if [ -z "${_password}" ]
		then
		  echo
		  echo "Exiting configuration.  No user sshd_server has been created,"
		  echo "no sshd service installed."
		  exit 1
		fi
	      fi
	      net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
	      if [ "${sshd_server_in_sam}" != "yes" ]
	      then
		echo "Creating the user 'sshd_server' failed!  Reason:"
		cat /tmp/nu.$$
		rm /tmp/nu.$$
	      fi
	    done
	    net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
	    if [ "${sshd_server_in_admingroup}" != "yes" ]
	    then
	      echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
	      echo "Please add sshd_server to local group ${_admingroup} before"
	      echo "starting the sshd service!"
	      echo
	    fi
	    passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
	    if [ "${passwd_has_expiry_flags}" != "yes" ]
	    then
	      echo
	      echo "WARNING: User sshd_server has password expiry set to system default."
	      echo "Please check that password never expires or set it to your needs."
	    elif ! passwd -e sshd_server
	    then
	      echo
	      echo "WARNING: Setting password expiry for user sshd_server failed!"
	      echo "Please check that password never expires or set it to your needs."
	    fi
	    editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
	    editrights -a SeCreateTokenPrivilege -u sshd_server &&
	    editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
	    editrights -a SeDenyNetworkLogonRight -u sshd_server &&
	    editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
	    editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
	    editrights -a SeServiceLogonRight -u sshd_server &&
	    sshd_server_got_all_rights="yes"
	    if [ "${sshd_server_got_all_rights}" != "yes" ]
	    then
	      echo
	      echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
	      echo "Can't create sshd service!"
	      exit 1
	    fi
	    echo
	    echo "User 'sshd_server' has been created with password '${_password}'."
	    echo "If you change the password, please keep in mind to change the password"
	    echo "for the sshd service, too."
	    echo
	    echo "Also keep in mind that the user sshd_server needs read permissions on all"
	    echo "users' .ssh/authorized_keys file to allow public key authentication for"
	    echo "these users!.  (Re-)running ssh-user-config for each user will set the"
	    echo "required permissions correctly."
	    echo
	  fi
	fi
	if [ "${sshd_server_in_sam}" = "yes" ]
	then
	  mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
      if [ -n "${cygwin_value}" ]
      then
	_cygwin="${cygwin_value}"
      else
	echo
	echo "Which value should the environment variable CYGWIN have when"
	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	echo "able to change user context without password."
	echo -n "Default is \"ntsec\".  CYGWIN="
	read -e _cygwin
      fi
      [ -z "${_cygwin}" ] && _cygwin="ntsec"
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
	then
	  echo
	  echo "The service has been installed under sshd_server account."
	  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	fi
      else
	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
	then
	  echo
	  echo "The service has been installed under LocalSystem account."
	  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	fi
      fi
    fi
    # Now check if sshd has been successfully installed.  This allows to
    # set the ownership of the affected files correctly.
    if cygrunsrv -Q sshd > /dev/null 2>&1
    then
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
	_user="sshd_server"
      else
	_user="system"
      fi
      chown "${_user}" ${SYSCONFDIR}/ssh*
      chown "${_user}".544 ${LOCALSTATEDIR}/empty
      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
      then
	chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
      fi
    fi
  fi
fi

echo
echo "Host configuration finished. Have fun!"
Commit	Line	Data
9e936326	1	#!/bin/bash
95273555	2	#
9e936326	3	# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
95273555	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
95273555	7	# Subdirectory where the new package is being installed
	8	PREFIX=/usr
	9
	10	# Directory where the config files are stored
	11	SYSCONFDIR=/etc
9e936326	12	LOCALSTATEDIR=/var
95273555	13
f4ebf0e8	14	progname=$0
f4ebf0e8	15	auto_answer=""
f52798a4	16	port_number=22
f4ebf0e8	17
d2f95449	18	privsep_configured=no
	19	privsep_used=yes
	20	sshd_in_passwd=no
	21	sshd_in_sam=no
	22
95273555	23	request()
95273555	24	{
f4ebf0e8	25	if [ "${auto_answer}" = "yes" ]
f4ebf0e8	26	then
9e936326	27	echo "$1 (yes/no) yes"
f4ebf0e8	28	return 0
	29	elif [ "${auto_answer}" = "no" ]
	30	then
9e936326	31	echo "$1 (yes/no) no"
f4ebf0e8	32	return 1
	33	fi
	34
95273555	35	answer=""
	36	while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
	37	do
	38	echo -n "$1 (yes/no) "
9e936326	39	read -e answer
95273555	40	done
	41	if [ "X${answer}" = "Xyes" ]
	42	then
	43	return 0
	44	else
	45	return 1
	46	fi
	47	}
	48
f4ebf0e8	49	# Check options
	50
	51	while :
	52	do
	53	case $# in
	54	0)
	55	break
	56	;;
	57	esac
	58
	59	option=$1
	60	shift
	61
9e936326	62	case "${option}" in
f4ebf0e8	63	-d \| --debug )
	64	set -x
	65	;;
	66
	67	-y \| --yes )
	68	auto_answer=yes
	69	;;
	70
	71	-n \| --no )
	72	auto_answer=no
	73	;;
	74
9e936326	75	-c \| --cygwin )
	76	cygwin_value="$1"
	77	shift
	78	;;
	79
f52798a4	80	-p \| --port )
	81	port_number=$1
	82	shift
	83	;;
	84
9e936326	85	-w \| --pwd )
	86	password_value="$1"
	87	shift
	88	;;
	89
f4ebf0e8	90	*)
	91	echo "usage: ${progname} [OPTION]..."
	92	echo
	93	echo "This script creates an OpenSSH host configuration."
	94	echo
	95	echo "Options:"
9e936326	96	echo " --debug -d Enable shell's debug output."
	97	echo " --yes -y Answer all questions with \"yes\" automatically."
	98	echo " --no -n Answer all questions with \"no\" automatically."
	99	echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
	100	echo " --port -p <n> sshd listens on port n."
	101	echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
f4ebf0e8	102	echo
	103	exit 1
	104	;;
	105
	106	esac
	107	done
	108
d2f95449	109	# Check if running on NT
9e936326	110	_sys="`uname`"
	111	_nt=`expr "${_sys}" : "CYGWIN_NT"`
	112	# If running on NT, check if running under 2003 Server or later
	113	if [ ${_nt} -gt 0 ]
	114	then
	115	_nt2003=`uname \| awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
	116	fi
d2f95449	117
95273555	118	# Check for running ssh/sshd processes first. Refuse to do anything while
	119	# some ssh processes are still running
	120
	121	if ps -ef \| grep -v grep \| grep -q ssh
	122	then
	123	echo
	124	echo "There are still ssh processes running. Please shut them down first."
	125	echo
d41f8eed	126	exit 1
95273555	127	fi
	128
	129	# Check for ${SYSCONFDIR} directory
	130
	131	if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
	132	then
	133	echo
	134	echo "${SYSCONFDIR} is existant but not a directory."
	135	echo "Cannot create global configuration files."
	136	echo
	137	exit 1
	138	fi
	139
	140	# Create it if necessary
	141
	142	if [ ! -e "${SYSCONFDIR}" ]
	143	then
	144	mkdir "${SYSCONFDIR}"
	145	if [ ! -e "${SYSCONFDIR}" ]
	146	then
	147	echo
	148	echo "Creating ${SYSCONFDIR} directory failed"
	149	echo
	150	exit 1
	151	fi
	152	fi
	153
d2f95449	154	# Create /var/log and /var/log/lastlog if not already existing
d2f95449	155
9e936326	156	if [ -f ${LOCALSTATEDIR}/log ]
d2f95449	157	then
9e936326	158	echo "Creating ${LOCALSTATEDIR}/log failed!"
d2f95449	159	else
9e936326	160	if [ ! -d ${LOCALSTATEDIR}/log ]
d2f95449	161	then
9e936326	162	mkdir -p ${LOCALSTATEDIR}/log
d2f95449	163	fi
9e936326	164	if [ -d ${LOCALSTATEDIR}/log/lastlog ]
d2f95449	165	then
9e936326	166	chmod 777 ${LOCALSTATEDIR}/log/lastlog
9e936326	167	elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
d2f95449	168	then
9e936326	169	cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
9e936326	170	chmod 666 ${LOCALSTATEDIR}/log/lastlog
d2f95449	171	fi
	172	fi
	173
	174	# Create /var/empty file used as chroot jail for privilege separation
9e936326	175	if [ -f ${LOCALSTATEDIR}/empty ]
d2f95449	176	then
9e936326	177	echo "Creating ${LOCALSTATEDIR}/empty failed!"
d2f95449	178	else
9e936326	179	mkdir -p ${LOCALSTATEDIR}/empty
9e936326	180	if [ ${_nt} -gt 0 ]
d2f95449	181	then
9e936326	182	chmod 755 ${LOCALSTATEDIR}/empty
95273555	183	fi
	184	fi
	185
	186	# First generate host keys if not already existing
	187
	188	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	189	then
	190	echo "Generating ${SYSCONFDIR}/ssh_host_key"
f4ebf0e8	191	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	192	fi
	193
	194	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	195	then
	196	echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
	197	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
95273555	198	fi
	199
	200	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
	201	then
	202	echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
f4ebf0e8	203	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
95273555	204	fi
	205
	206	# Check if ssh_config exists. If yes, ask for overwriting
	207
	208	if [ -f "${SYSCONFDIR}/ssh_config" ]
	209	then
	210	if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
	211	then
	212	rm -f "${SYSCONFDIR}/ssh_config"
	213	if [ -f "${SYSCONFDIR}/ssh_config" ]
	214	then
	215	echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
	216	fi
	217	fi
	218	fi
	219
9e936326	220	# Create default ssh_config from skeleton file in /etc/defaults/etc
95273555	221
	222	if [ ! -f "${SYSCONFDIR}/ssh_config" ]
	223	then
f4ebf0e8	224	echo "Generating ${SYSCONFDIR}/ssh_config file"
9e936326	225	cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
9e936326	226	if [ "${port_number}" != "22" ]
f52798a4	227	then
f52798a4	228	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
9e936326	229	echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
f52798a4	230	fi
95273555	231	fi
	232
	233	# Check if sshd_config exists. If yes, ask for overwriting
	234
	235	if [ -f "${SYSCONFDIR}/sshd_config" ]
	236	then
	237	if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
	238	then
	239	rm -f "${SYSCONFDIR}/sshd_config"
	240	if [ -f "${SYSCONFDIR}/sshd_config" ]
	241	then
	242	echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
	243	fi
d2f95449	244	else
	245	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
	246	fi
	247	fi
	248
	249	# Prior to creating or modifying sshd_config, care for privilege separation
	250
9e936326	251	if [ "${privsep_configured}" != "yes" ]
d2f95449	252	then
9e936326	253	if [ ${_nt} -gt 0 ]
d2f95449	254	then
	255	echo "Privilege separation is set to yes by default since OpenSSH 3.3."
	256	echo "However, this requires a non-privileged account called 'sshd'."
9e936326	257	echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
d2f95449	258	echo
9e936326	259	if request "Should privilege separation be used?"
d2f95449	260	then
	261	privsep_used=yes
	262	grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
	263	net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
9e936326	264	if [ "${sshd_in_passwd}" != "yes" ]
d2f95449	265	then
aff51935	266	if [ "${sshd_in_sam}" != "yes" ]
d2f95449	267	then
d2f95449	268	echo "Warning: The following function requires administrator privileges!"
9e936326	269	if request "Should this script create a local user 'sshd' on this machine?"
d2f95449	270	then
9e936326	271	dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	272	net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	273	if [ "${sshd_in_sam}" != "yes" ]
d2f95449	274	then
	275	echo "Warning: Creating the user 'sshd' failed!"
	276	fi
	277	fi
	278	fi
9e936326	279	if [ "${sshd_in_sam}" != "yes" ]
d2f95449	280	then
	281	echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	282	echo " Privilege separation set to 'no' again!"
	283	echo " Check your ${SYSCONFDIR}/sshd_config file!"
	284	privsep_used=no
	285	else
d41f8eed	286	mkpasswd -l -u sshd \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
d2f95449	287	fi
	288	fi
	289	else
	290	privsep_used=no
	291	fi
	292	else
	293	# On 9x don't use privilege separation. Since security isn't
9e936326	294	# available it just adds useless additional processes.
d2f95449	295	privsep_used=no
95273555	296	fi
	297	fi
	298
9e936326	299	# Create default sshd_config from skeleton files in /etc/defaults/etc or
9e936326	300	# modify to add the missing privsep configuration option
95273555	301
	302	if [ ! -f "${SYSCONFDIR}/sshd_config" ]
	303	then
f4ebf0e8	304	echo "Generating ${SYSCONFDIR}/sshd_config file"
9e936326	305	sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
	306	s/^#Port 22/Port ${port_number}/
	307	s/^#StrictModes yes/StrictModes no/" \
	308	< ${SYSCONFDIR}/defaults/etc/sshd_config \
	309	> ${SYSCONFDIR}/sshd_config
	310	elif [ "${privsep_configured}" != "yes" ]
d2f95449	311	then
d2f95449	312	echo >> ${SYSCONFDIR}/sshd_config
9e936326	313	echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
95273555	314	fi
95273555	315
f52798a4	316	# Care for services file
c3d908f0	317	_my_etcdir="/ssh-host-config.$$"
9e936326	318	if [ ${_nt} -gt 0 ]
95273555	319	then
c3d908f0	320	_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
c3d908f0	321	_services="${_my_etcdir}/services"
9e936326	322	# On NT, 27 spaces, no space after the hash
9e936326	323	_spaces=" #"
f4ebf0e8	324	else
c3d908f0	325	_win_etcdir="${WINDIR}"
c3d908f0	326	_services="${_my_etcdir}/SERVICES"
9e936326	327	# On 9x, 18 spaces (95 is very touchy), a space after the hash
9e936326	328	_spaces=" # "
95273555	329	fi
c3d908f0	330	_serv_tmp="${_my_etcdir}/srv.out.$$"
95273555	331
c3d908f0	332	mount -t -f "${_win_etcdir}" "${_my_etcdir}"
	333
	334	# Depends on the above mount
	335	_wservices=`cygpath -w "${_services}"`
f52798a4	336
	337	# Remove sshd 22/port from services
	338	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	339	then
	340	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	341	if [ -f "${_serv_tmp}" ]
aff51935	342	then
f52798a4	343	if mv "${_serv_tmp}" "${_services}"
f52798a4	344	then
c3d908f0	345	echo "Removing sshd from ${_wservices}"
f52798a4	346	else
9e936326	347	echo "Removing sshd from ${_wservices} failed!"
aff51935	348	fi
f52798a4	349	rm -f "${_serv_tmp}"
f52798a4	350	else
9e936326	351	echo "Removing sshd from ${_wservices} failed!"
f52798a4	352	fi
f52798a4	353	fi
95273555	354
f52798a4	355	# Add ssh 22/tcp and ssh 22/udp to services
f52798a4	356	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
95273555	357	then
9e936326	358	if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
95273555	359	then
f4ebf0e8	360	if mv "${_serv_tmp}" "${_services}"
f4ebf0e8	361	then
c3d908f0	362	echo "Added ssh to ${_wservices}"
f4ebf0e8	363	else
9e936326	364	echo "Adding ssh to ${_wservices} failed!"
f4ebf0e8	365	fi
	366	rm -f "${_serv_tmp}"
	367	else
9e936326	368	echo "WARNING: Adding ssh to ${_wservices} failed!"
95273555	369	fi
	370	fi
	371
c3d908f0	372	umount "${_my_etcdir}"
f4ebf0e8	373
f52798a4	374	# Care for inetd.conf file
d2f95449	375	_inetcnf="${SYSCONFDIR}/inetd.conf"
d2f95449	376	_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
f52798a4	377
f52798a4	378	if [ -f "${_inetcnf}" ]
95273555	379	then
f52798a4	380	# Check if ssh service is already in use as sshd
	381	with_comment=1
	382	grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
	383	# Remove sshd line from inetd.conf
	384	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	385	then
	386	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	387	if [ -f "${_inetcnf_tmp}" ]
	388	then
	389	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	390	then
aff51935	391	echo "Removed sshd from ${_inetcnf}"
f52798a4	392	else
aff51935	393	echo "Removing sshd from ${_inetcnf} failed!"
f52798a4	394	fi
	395	rm -f "${_inetcnf_tmp}"
	396	else
9e936326	397	echo "Removing sshd from ${_inetcnf} failed!"
f52798a4	398	fi
	399	fi
	400
	401	# Add ssh line to inetd.conf
	402	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	403	then
	404	if [ "${with_comment}" -eq 0 ]
	405	then
e2c9b9e3	406	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
f52798a4	407	else
e2c9b9e3	408	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
f52798a4	409	fi
	410	echo "Added ssh to ${_inetcnf}"
	411	fi
95273555	412	fi
95273555	413
41fcc457	414	# On NT ask if sshd should be installed as service
9e936326	415	if [ ${_nt} -gt 0 ]
41fcc457	416	then
9e936326	417	# But only if it is not already installed
9e936326	418	if ! cygrunsrv -Q sshd > /dev/null 2>&1
41fcc457	419	then
41fcc457	420	echo
9e936326	421	echo
	422	echo "Warning: The following functions require administrator privileges!"
	423	echo
	424	echo "Do you want to install sshd as service?"
	425	if request "(Say \"no\" if it's already installed as service)"
41fcc457	426	then
9e936326	427	if [ $_nt2003 -gt 0 ]
	428	then
	429	grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
	430	if [ "${sshd_server_in_passwd}" = "yes" ]
	431	then
	432	# Drop sshd_server from passwd since it could have wrong settings
	433	grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
	434	rm -f ${SYSCONFDIR}/passwd
	435	mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
	436	chmod g-w,o-w ${SYSCONFDIR}/passwd
	437	fi
	438	net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
	439	if [ "${sshd_server_in_sam}" != "yes" ]
	440	then
	441	echo
	442	echo "You appear to be running Windows 2003 Server or later. On 2003 and"
	443	echo "later systems, it's not possible to use the LocalSystem account"
	444	echo "if sshd should allow passwordless logon (e. g. public key authentication)."
	445	echo "If you want to enable that functionality, it's required to create a new"
	446	echo "account 'sshd_server' with special privileges, which is then used to run"
	447	echo "the sshd service under."
	448	echo
	449	echo "Should this script create a new local account 'sshd_server' which has"
	450	if request "the required privileges?"
	451	then
2b08c2fc	452	_admingroup=`mkgroup -l \| awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
9e936326	453	if [ -z "${_admingroup}" ]
9e936326	454	then
2b08c2fc	455	echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
9e936326	456	exit 1
	457	fi
	458	dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	459	while [ "${sshd_server_in_sam}" != "yes" ]
	460	do
	461	if [ -n "${password_value}" ]
	462	then
aff51935	463	_password="${password_value}"
9e936326	464	# Allow to ask for password if first try fails
	465	password_value=""
	466	else
	467	echo
	468	echo "Please enter a password for new user 'sshd_server'. Please be sure that"
	469	echo "this password matches the password rules given on your system."
	470	echo -n "Entering no password will exit the configuration. PASSWORD="
	471	read -e _password
	472	if [ -z "${_password}" ]
	473	then
	474	echo
	475	echo "Exiting configuration. No user sshd_server has been created,"
	476	echo "no sshd service installed."
	477	exit 1
	478	fi
	479	fi
	480	net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
	481	if [ "${sshd_server_in_sam}" != "yes" ]
	482	then
	483	echo "Creating the user 'sshd_server' failed! Reason:"
	484	cat /tmp/nu.$$
	485	rm /tmp/nu.$$
	486	fi
	487	done
	488	net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
	489	if [ "${sshd_server_in_admingroup}" != "yes" ]
	490	then
	491	echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
	492	echo "Please add sshd_server to local group ${_admingroup} before"
	493	echo "starting the sshd service!"
	494	echo
	495	fi
	496	passwd_has_expiry_flags=`passwd -v \| awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
	497	if [ "${passwd_has_expiry_flags}" != "yes" ]
	498	then
	499	echo
	500	echo "WARNING: User sshd_server has password expiry set to system default."
	501	echo "Please check that password never expires or set it to your needs."
	502	elif ! passwd -e sshd_server
	503	then
	504	echo
	505	echo "WARNING: Setting password expiry for user sshd_server failed!"
	506	echo "Please check that password never expires or set it to your needs."
	507	fi
	508	editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
	509	editrights -a SeCreateTokenPrivilege -u sshd_server &&
	510	editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
	511	editrights -a SeDenyNetworkLogonRight -u sshd_server &&
	512	editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
	513	editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
	514	editrights -a SeServiceLogonRight -u sshd_server &&
	515	sshd_server_got_all_rights="yes"
	516	if [ "${sshd_server_got_all_rights}" != "yes" ]
	517	then
	518	echo
	519	echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
	520	echo "Can't create sshd service!"
	521	exit 1
	522	fi
	523	echo
	524	echo "User 'sshd_server' has been created with password '${_password}'."
	525	echo "If you change the password, please keep in mind to change the password"
	526	echo "for the sshd service, too."
	527	echo
528	echo "Also keep in mind that the user sshd_server needs read permissions on all"
529	echo "users' .ssh/authorized_keys file to allow public key authentication for"
530	echo "these users!. (Re-)running ssh-user-config for each user will set the"
531	echo "required permissions correctly."
532	echo
533	fi
534	fi
535	if [ "${sshd_server_in_sam}" = "yes" ]
536	then
537	mkpasswd -l -u sshd_server \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
538	fi
539	fi
540	if [ -n "${cygwin_value}" ]
541	then
aff51935	542	_cygwin="${cygwin_value}"
9e936326	543	else
	544	echo
	545	echo "Which value should the environment variable CYGWIN have when"
	546	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	547	echo "able to change user context without password."
	548	echo -n "Default is \"ntsec\". CYGWIN="
	549	read -e _cygwin
	550	fi
	551	[ -z "${_cygwin}" ] && _cygwin="ntsec"
	552	if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
	553	then
	554	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
	555	then
	556	echo
	557	echo "The service has been installed under sshd_server account."
	558	echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	559	fi
	560	else
	561	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
	562	then
	563	echo
	564	echo "The service has been installed under LocalSystem account."
	565	echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	566	fi
	567	fi
	568	fi
	569	# Now check if sshd has been successfully installed. This allows to
	570	# set the ownership of the affected files correctly.
	571	if cygrunsrv -Q sshd > /dev/null 2>&1
	572	then
	573	if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
	574	then
aff51935	575	_user="sshd_server"
9e936326	576	else
aff51935	577	_user="system"
9e936326	578	fi
	579	chown "${_user}" ${SYSCONFDIR}/ssh*
	580	chown "${_user}".544 ${LOCALSTATEDIR}/empty
	581	if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
	582	then
	583	chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
	584	fi
41fcc457	585	fi
	586	fi
	587	fi
	588
95273555	589	echo
f4ebf0e8	590	echo "Host configuration finished. Have fun!"