[openssh.git] / contrib / cygwin / ssh-host-config

#!/bin/sh
#
# ssh-host-config, Copyright 2000, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

# Subdirectory where an old package might be installed
OLDPREFIX=/usr/local
OLDSYSCONFDIR=${OLDPREFIX}/etc

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "    --debug  -d     Enable shell's debug output."
    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
    echo "    --no     -n     Answer all questions with \"no\" automatically."
    echo "    --port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f /var/log ]
then
  echo "Creating /var/log failed\!"
else
  if [ ! -d /var/log ]
  then
    mkdir -p /var/log
  fi
  if [ -d /var/log/lastlog ]
  then
    echo "Creating /var/log/lastlog failed\!"
  elif [ ! -f /var/log/lastlog ]
  then
    cat /dev/null > /var/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f /var/empty ]
then
  echo "Creating /var/empty failed\!"
else
  mkdir -p /var/empty
  # On NT change ownership of that dir to user "system"
  if [ $_nt -gt 0 ]
  then
    chmod 755 /var/empty
    chown system.system /var/empty
  fi
fi

# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
# the same as ${PREFIX}

old_install=0
if [ "${OLDPREFIX}" != "${PREFIX}" ]
then
  if [ -f "${OLDPREFIX}/sbin/sshd" ]
  then
    echo
    echo "You seem to have an older installation in ${OLDPREFIX}."
    echo
    # Check if old global configuration files exist
    if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
    then
      if request "Do you want to copy your config files to your new installation?"
      then
        cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
        cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
      fi
    fi
    if request "Do you want to erase your old installation?"
    then
      rm -f ${OLDPREFIX}/bin/ssh.exe
      rm -f ${OLDPREFIX}/bin/ssh-config
      rm -f ${OLDPREFIX}/bin/scp.exe
      rm -f ${OLDPREFIX}/bin/ssh-add.exe
      rm -f ${OLDPREFIX}/bin/ssh-agent.exe
      rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
      rm -f ${OLDPREFIX}/bin/slogin
      rm -f ${OLDSYSCONFDIR}/ssh_host_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
      rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
      rm -f ${OLDSYSCONFDIR}/ssh_config
      rm -f ${OLDSYSCONFDIR}/sshd_config
      rm -f ${OLDPREFIX}/man/man1/ssh.1
      rm -f ${OLDPREFIX}/man/man1/scp.1
      rm -f ${OLDPREFIX}/man/man1/ssh-add.1
      rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
      rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
      rm -f ${OLDPREFIX}/man/man1/slogin.1
      rm -f ${OLDPREFIX}/man/man8/sshd.8
      rm -f ${OLDPREFIX}/sbin/sshd.exe
      rm -f ${OLDPREFIX}/sbin/sftp-server.exe
    fi
    old_install=1
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from here script

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cat > ${SYSCONFDIR}/ssh_config << EOF
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
EOF
  if [ "$port_number" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port $port_number" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "$privsep_configured" != "yes" ]
then
  if [ $_nt -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
    echo
    if request "Shall privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "$sshd_in_passwd" != "yes" ]
      then
        if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Shall this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w /var/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "$sshd_in_sam" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "$sshd_in_sam" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless addtional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from here script or modify to add the
# missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  cat > ${SYSCONFDIR}/sshd_config << EOF
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port $port_number
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey ${SYSCONFDIR}/ssh_host_key
# HostKeys for protocol version 2
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes no

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation $privsep_used
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem      sftp    /usr/sbin/sftp-server
EOF
elif [ "$privsep_configured" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
if [ $_nt -gt 0 ]
then
  _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
  _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
else
  _wservices="${WINDIR}\\SERVICES"
  _wserv_tmp="${WINDIR}\\SERV.$$"
fi
_services=`cygpath -u "${_wservices}"`
_serv_tmp=`cygpath -u "${_wserv_tmp}"`

mount -t -f "${_wservices}" "${_services}"
mount -t -f "${_wserv_tmp}" "${_serv_tmp}"

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then 
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_services}"
    else
      echo "Removing sshd from ${_services} failed\!"
    fi 
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_services} failed\!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp                           #SSH Remote Login Protocol\nssh                22/udp                           #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_services}"
    else
      echo "Adding ssh to ${_services} failed\!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Adding ssh to ${_services} failed\!"
  fi
fi

umount "${_services}"
umount "${_serv_tmp}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
        echo "Removed sshd from ${_inetcnf}"
      else
        echo "Removing sshd from ${_inetcnf} failed\!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed\!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
  echo
  echo "Do you want to install sshd as service?"
  if request "(Say \"no\" if it's already installed as service)"
  then
    echo
    echo "Which value should the environment variable CYGWIN have when"
    echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
    echo "able to change user context without password."
    echo -n "Default is \"binmode ntsec tty\".  CYGWIN="
    read _cygwin
    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
    then
      chown system ${SYSCONFDIR}/ssh*
      echo
      echo "The service has been installed under LocalSystem account."
    fi
  fi
fi

if [ "${old_install}" = "1" ]
then
  echo
  echo "Note: If you have used sshd as service or from inetd, don't forget to"
  echo "      change the path to sshd.exe in the service entry or in inetd.conf."
fi

echo
echo "Host configuration finished. Have fun!"
Commit	Line	Data
95273555	1	#!/bin/sh
95273555	2	#
f4ebf0e8	3	# ssh-host-config, Copyright 2000, Red Hat Inc.
95273555	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
95273555	7	# Subdirectory where the new package is being installed
	8	PREFIX=/usr
	9
	10	# Directory where the config files are stored
	11	SYSCONFDIR=/etc
	12
	13	# Subdirectory where an old package might be installed
	14	OLDPREFIX=/usr/local
	15	OLDSYSCONFDIR=${OLDPREFIX}/etc
	16
f4ebf0e8	17	progname=$0
f4ebf0e8	18	auto_answer=""
f52798a4	19	port_number=22
f4ebf0e8	20
d2f95449	21	privsep_configured=no
	22	privsep_used=yes
	23	sshd_in_passwd=no
	24	sshd_in_sam=no
	25
95273555	26	request()
95273555	27	{
f4ebf0e8	28	if [ "${auto_answer}" = "yes" ]
	29	then
	30	return 0
	31	elif [ "${auto_answer}" = "no" ]
	32	then
	33	return 1
	34	fi
	35
95273555	36	answer=""
	37	while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
	38	do
	39	echo -n "$1 (yes/no) "
	40	read answer
	41	done
	42	if [ "X${answer}" = "Xyes" ]
	43	then
	44	return 0
	45	else
	46	return 1
	47	fi
	48	}
	49
f4ebf0e8	50	# Check options
	51
	52	while :
	53	do
	54	case $# in
	55	0)
	56	break
	57	;;
	58	esac
	59
	60	option=$1
	61	shift
	62
	63	case "$option" in
	64	-d \| --debug )
	65	set -x
	66	;;
	67
	68	-y \| --yes )
	69	auto_answer=yes
	70	;;
	71
	72	-n \| --no )
	73	auto_answer=no
	74	;;
	75
f52798a4	76	-p \| --port )
	77	port_number=$1
	78	shift
	79	;;
	80
f4ebf0e8	81	*)
	82	echo "usage: ${progname} [OPTION]..."
	83	echo
	84	echo "This script creates an OpenSSH host configuration."
	85	echo
	86	echo "Options:"
	87	echo " --debug -d Enable shell's debug output."
	88	echo " --yes -y Answer all questions with \"yes\" automatically."
	89	echo " --no -n Answer all questions with \"no\" automatically."
f52798a4	90	echo " --port -p <n> sshd listens on port n."
f4ebf0e8	91	echo
	92	exit 1
	93	;;
	94
	95	esac
	96	done
	97
d2f95449	98	# Check if running on NT
	99	_sys="`uname -a`"
	100	_nt=`expr "$_sys" : "CYGWIN_NT"`
	101
95273555	102	# Check for running ssh/sshd processes first. Refuse to do anything while
	103	# some ssh processes are still running
	104
	105	if ps -ef \| grep -v grep \| grep -q ssh
	106	then
	107	echo
	108	echo "There are still ssh processes running. Please shut them down first."
	109	echo
d41f8eed	110	exit 1
95273555	111	fi
	112
	113	# Check for ${SYSCONFDIR} directory
	114
	115	if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
	116	then
	117	echo
	118	echo "${SYSCONFDIR} is existant but not a directory."
	119	echo "Cannot create global configuration files."
	120	echo
	121	exit 1
	122	fi
	123
	124	# Create it if necessary
	125
	126	if [ ! -e "${SYSCONFDIR}" ]
	127	then
	128	mkdir "${SYSCONFDIR}"
	129	if [ ! -e "${SYSCONFDIR}" ]
	130	then
	131	echo
	132	echo "Creating ${SYSCONFDIR} directory failed"
	133	echo
	134	exit 1
	135	fi
	136	fi
	137
d2f95449	138	# Create /var/log and /var/log/lastlog if not already existing
	139
	140	if [ -f /var/log ]
	141	then
	142	echo "Creating /var/log failed\!"
	143	else
	144	if [ ! -d /var/log ]
	145	then
	146	mkdir -p /var/log
	147	fi
	148	if [ -d /var/log/lastlog ]
	149	then
	150	echo "Creating /var/log/lastlog failed\!"
	151	elif [ ! -f /var/log/lastlog ]
	152	then
	153	cat /dev/null > /var/log/lastlog
	154	fi
	155	fi
	156
	157	# Create /var/empty file used as chroot jail for privilege separation
	158	if [ -f /var/empty ]
	159	then
	160	echo "Creating /var/empty failed\!"
	161	else
	162	mkdir -p /var/empty
	163	# On NT change ownership of that dir to user "system"
	164	if [ $_nt -gt 0 ]
	165	then
249f9903	166	chmod 755 /var/empty
d2f95449	167	chown system.system /var/empty
	168	fi
	169	fi
	170
95273555	171	# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
	172	# the same as ${PREFIX}
	173
f4ebf0e8	174	old_install=0
95273555	175	if [ "${OLDPREFIX}" != "${PREFIX}" ]
	176	then
	177	if [ -f "${OLDPREFIX}/sbin/sshd" ]
	178	then
	179	echo
	180	echo "You seem to have an older installation in ${OLDPREFIX}."
	181	echo
	182	# Check if old global configuration files exist
	183	if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
	184	then
	185	if request "Do you want to copy your config files to your new installation?"
	186	then
	187	cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
	188	cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
	189	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
	190	cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
	191	cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
	192	cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
	193	fi
	194	fi
	195	if request "Do you want to erase your old installation?"
	196	then
	197	rm -f ${OLDPREFIX}/bin/ssh.exe
	198	rm -f ${OLDPREFIX}/bin/ssh-config
	199	rm -f ${OLDPREFIX}/bin/scp.exe
	200	rm -f ${OLDPREFIX}/bin/ssh-add.exe
	201	rm -f ${OLDPREFIX}/bin/ssh-agent.exe
	202	rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
	203	rm -f ${OLDPREFIX}/bin/slogin
	204	rm -f ${OLDSYSCONFDIR}/ssh_host_key
	205	rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
	206	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
	207	rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
	208	rm -f ${OLDSYSCONFDIR}/ssh_config
	209	rm -f ${OLDSYSCONFDIR}/sshd_config
	210	rm -f ${OLDPREFIX}/man/man1/ssh.1
	211	rm -f ${OLDPREFIX}/man/man1/scp.1
	212	rm -f ${OLDPREFIX}/man/man1/ssh-add.1
	213	rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
	214	rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
	215	rm -f ${OLDPREFIX}/man/man1/slogin.1
	216	rm -f ${OLDPREFIX}/man/man8/sshd.8
	217	rm -f ${OLDPREFIX}/sbin/sshd.exe
	218	rm -f ${OLDPREFIX}/sbin/sftp-server.exe
	219	fi
f4ebf0e8	220	old_install=1
95273555	221	fi
	222	fi
	223
	224	# First generate host keys if not already existing
	225
	226	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	227	then
	228	echo "Generating ${SYSCONFDIR}/ssh_host_key"
f4ebf0e8	229	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	230	fi
	231
	232	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	233	then
	234	echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
	235	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
95273555	236	fi
	237
	238	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
	239	then
	240	echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
f4ebf0e8	241	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
95273555	242	fi
	243
	244	# Check if ssh_config exists. If yes, ask for overwriting
	245
	246	if [ -f "${SYSCONFDIR}/ssh_config" ]
	247	then
	248	if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
	249	then
	250	rm -f "${SYSCONFDIR}/ssh_config"
	251	if [ -f "${SYSCONFDIR}/ssh_config" ]
	252	then
	253	echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
	254	fi
	255	fi
	256	fi
	257
	258	# Create default ssh_config from here script
	259
	260	if [ ! -f "${SYSCONFDIR}/ssh_config" ]
	261	then
f4ebf0e8	262	echo "Generating ${SYSCONFDIR}/ssh_config file"
95273555	263	cat > ${SYSCONFDIR}/ssh_config << EOF
d2f95449	264	# This is the ssh client system-wide configuration file. See
	265	# ssh_config(5) for more information. This file provides defaults for
	266	# users, and the values can be changed in per-user configuration files
	267	# or on the command line.
95273555	268
	269	# Configuration data is parsed as follows:
	270	# 1. command line options
	271	# 2. user-specific file
	272	# 3. system-wide file
	273	# Any configuration value is only changed the first time it is set.
	274	# Thus, host-specific definitions should be at the beginning of the
	275	# configuration file, and defaults at the end.
	276
	277	# Site-wide defaults for various options
	278
	279	# Host *
d36ae718	280	# ForwardAgent no
d36ae718	281	# ForwardX11 no
d2f95449	282	# RhostsRSAAuthentication no
95273555	283	# RSAAuthentication yes
95273555	284	# PasswordAuthentication yes
35283c00	285	# HostbasedAuthentication no
95273555	286	# BatchMode no
95273555	287	# CheckHostIP yes
35283c00	288	# AddressFamily any
35283c00	289	# ConnectTimeout 0
d2f95449	290	# StrictHostKeyChecking ask
d36ae718	291	# IdentityFile ~/.ssh/identity
	292	# IdentityFile ~/.ssh/id_dsa
	293	# IdentityFile ~/.ssh/id_rsa
95273555	294	# Port 22
95273555	295	# Protocol 2,1
d2f95449	296	# Cipher 3des
d2f95449	297	# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
95273555	298	# EscapeChar ~
95273555	299	EOF
f52798a4	300	if [ "$port_number" != "22" ]
	301	then
	302	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
	303	echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
	304	fi
95273555	305	fi
	306
	307	# Check if sshd_config exists. If yes, ask for overwriting
	308
	309	if [ -f "${SYSCONFDIR}/sshd_config" ]
	310	then
	311	if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
	312	then
	313	rm -f "${SYSCONFDIR}/sshd_config"
	314	if [ -f "${SYSCONFDIR}/sshd_config" ]
	315	then
	316	echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
	317	fi
d2f95449	318	else
	319	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
	320	fi
	321	fi
	322
	323	# Prior to creating or modifying sshd_config, care for privilege separation
	324
	325	if [ "$privsep_configured" != "yes" ]
	326	then
	327	if [ $_nt -gt 0 ]
	328	then
	329	echo "Privilege separation is set to yes by default since OpenSSH 3.3."
	330	echo "However, this requires a non-privileged account called 'sshd'."
	331	echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
	332	echo
	333	if request "Shall privilege separation be used?"
	334	then
	335	privsep_used=yes
	336	grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
	337	net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
	338	if [ "$sshd_in_passwd" != "yes" ]
	339	then
	340	if [ "$sshd_in_sam" != "yes" ]
	341	then
	342	echo "Warning: The following function requires administrator privileges!"
	343	if request "Shall this script create a local user 'sshd' on this machine?"
	344	then
	345	dos_var_empty=`cygpath -w /var/empty`
d41f8eed	346	net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
d2f95449	347	if [ "$sshd_in_sam" != "yes" ]
	348	then
	349	echo "Warning: Creating the user 'sshd' failed!"
	350	fi
	351	fi
	352	fi
	353	if [ "$sshd_in_sam" != "yes" ]
	354	then
	355	echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	356	echo " Privilege separation set to 'no' again!"
	357	echo " Check your ${SYSCONFDIR}/sshd_config file!"
	358	privsep_used=no
	359	else
d41f8eed	360	mkpasswd -l -u sshd \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
d2f95449	361	fi
	362	fi
	363	else
	364	privsep_used=no
	365	fi
	366	else
	367	# On 9x don't use privilege separation. Since security isn't
	368	# available it just adds useless addtional processes.
	369	privsep_used=no
95273555	370	fi
	371	fi
	372
d2f95449	373	# Create default sshd_config from here script or modify to add the
d2f95449	374	# missing privsep configuration option
95273555	375
	376	if [ ! -f "${SYSCONFDIR}/sshd_config" ]
	377	then
f4ebf0e8	378	echo "Generating ${SYSCONFDIR}/sshd_config file"
95273555	379	cat > ${SYSCONFDIR}/sshd_config << EOF
d2f95449	380	# This is the sshd server system-wide configuration file. See
	381	# sshd_config(5) for more information.
	382
f00addc9	383	# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
f00addc9	384
d2f95449	385	# The strategy used for options in the default sshd_config shipped with
	386	# OpenSSH is to specify options with their default value where
	387	# possible, but leave them commented. Uncommented options change a
	388	# default value.
95273555	389
f52798a4	390	Port $port_number
d36ae718	391	#Protocol 2,1
d36ae718	392	#ListenAddress 0.0.0.0
95273555	393	#ListenAddress ::
d36ae718	394
d36ae718	395	# HostKey for protocol version 1
d2f95449	396	#HostKey ${SYSCONFDIR}/ssh_host_key
d36ae718	397	# HostKeys for protocol version 2
d2f95449	398	#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
d2f95449	399	#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
d36ae718	400
f00addc9	401	# Lifetime and size of ephemeral version 1 server key
35283c00	402	#KeyRegenerationInterval 1h
d2f95449	403	#ServerKeyBits 768
d36ae718	404
d36ae718	405	# Logging
d36ae718	406	#obsoletes QuietMode and FascistLogging
d2f95449	407	#SyslogFacility AUTH
d2f95449	408	#LogLevel INFO
d36ae718	409
	410	# Authentication:
	411
35283c00	412	#LoginGraceTime 2m
d2f95449	413	#PermitRootLogin yes
41fcc457	414	# The following setting overrides permission checks on host key files
	415	# and directories. For security reasons set this to "yes" when running
	416	# NT/W2K, NTFS and CYGWIN=ntsec.
	417	StrictModes no
	418
d2f95449	419	#RSAAuthentication yes
d2f95449	420	#PubkeyAuthentication yes
f00addc9	421	#AuthorizedKeysFile .ssh/authorized_keys
95273555	422
d2f95449	423	# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
d2f95449	424	#RhostsRSAAuthentication no
d36ae718	425	# similar for protocol version 2
d2f95449	426	#HostbasedAuthentication no
	427	# Change to yes if you don't trust ~/.ssh/known_hosts for
	428	# RhostsRSAAuthentication and HostbasedAuthentication
	429	#IgnoreUserKnownHosts no
35283c00	430	# Don't read the user's ~/.rhosts and ~/.shosts files
35283c00	431	#IgnoreRhosts yes
95273555	432
d36ae718	433	# To disable tunneled clear text passwords, change to no here!
d2f95449	434	#PasswordAuthentication yes
	435	#PermitEmptyPasswords no
	436
	437	# Change to no to disable s/key passwords
	438	#ChallengeResponseAuthentication yes
	439
35283c00	440	#AllowTcpForwarding yes
35283c00	441	#GatewayPorts no
d2f95449	442	#X11Forwarding no
	443	#X11DisplayOffset 10
	444	#X11UseLocalhost yes
	445	#PrintMotd yes
	446	#PrintLastLog yes
	447	#KeepAlive yes
d36ae718	448	#UseLogin no
d2f95449	449	UsePrivilegeSeparation $privsep_used
f00addc9	450	#PermitUserEnvironment no
d2f95449	451	#Compression yes
35283c00	452	#ClientAliveInterval 0
	453	#ClientAliveCountMax 3
	454	#UseDNS yes
	455	#PidFile /var/run/sshd.pid
d2f95449	456	#MaxStartups 10
35283c00	457
d2f95449	458	# no default banner path
d2f95449	459	#Banner /some/path
d36ae718	460
d2f95449	461	# override default of no subsystems
d36ae718	462	Subsystem sftp /usr/sbin/sftp-server
95273555	463	EOF
d2f95449	464	elif [ "$privsep_configured" != "yes" ]
	465	then
	466	echo >> ${SYSCONFDIR}/sshd_config
	467	echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
95273555	468	fi
95273555	469
f52798a4	470	# Care for services file
f4ebf0e8	471	if [ $_nt -gt 0 ]
95273555	472	then
f4ebf0e8	473	_wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
	474	_wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
	475	else
	476	_wservices="${WINDIR}\\SERVICES"
	477	_wserv_tmp="${WINDIR}\\SERV.$$"
95273555	478	fi
f4ebf0e8	479	_services=`cygpath -u "${_wservices}"`
f4ebf0e8	480	_serv_tmp=`cygpath -u "${_wserv_tmp}"`
95273555	481
f52798a4	482	mount -t -f "${_wservices}" "${_services}"
	483	mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
	484
	485	# Remove sshd 22/port from services
	486	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	487	then
	488	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	489	if [ -f "${_serv_tmp}" ]
	490	then
	491	if mv "${_serv_tmp}" "${_services}"
	492	then
	493	echo "Removing sshd from ${_services}"
	494	else
	495	echo "Removing sshd from ${_services} failed\!"
	496	fi
	497	rm -f "${_serv_tmp}"
	498	else
	499	echo "Removing sshd from ${_services} failed\!"
	500	fi
	501	fi
95273555	502
f52798a4	503	# Add ssh 22/tcp and ssh 22/udp to services
f52798a4	504	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
95273555	505	then
f52798a4	506	awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
f4ebf0e8	507	if [ -f "${_serv_tmp}" ]
95273555	508	then
f4ebf0e8	509	if mv "${_serv_tmp}" "${_services}"
f4ebf0e8	510	then
f52798a4	511	echo "Added ssh to ${_services}"
f4ebf0e8	512	else
f52798a4	513	echo "Adding ssh to ${_services} failed\!"
f4ebf0e8	514	fi
	515	rm -f "${_serv_tmp}"
	516	else
f52798a4	517	echo "Adding ssh to ${_services} failed\!"
95273555	518	fi
	519	fi
	520
f4ebf0e8	521	umount "${_services}"
	522	umount "${_serv_tmp}"
	523
f52798a4	524	# Care for inetd.conf file
d2f95449	525	_inetcnf="${SYSCONFDIR}/inetd.conf"
d2f95449	526	_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
f52798a4	527
f52798a4	528	if [ -f "${_inetcnf}" ]
95273555	529	then
f52798a4	530	# Check if ssh service is already in use as sshd
	531	with_comment=1
	532	grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
	533	# Remove sshd line from inetd.conf
	534	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	535	then
	536	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	537	if [ -f "${_inetcnf_tmp}" ]
	538	then
	539	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	540	then
	541	echo "Removed sshd from ${_inetcnf}"
	542	else
	543	echo "Removing sshd from ${_inetcnf} failed\!"
	544	fi
	545	rm -f "${_inetcnf_tmp}"
	546	else
	547	echo "Removing sshd from ${_inetcnf} failed\!"
	548	fi
	549	fi
	550
	551	# Add ssh line to inetd.conf
	552	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	553	then
	554	if [ "${with_comment}" -eq 0 ]
	555	then
e2c9b9e3	556	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
f52798a4	557	else
e2c9b9e3	558	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
f52798a4	559	fi
	560	echo "Added ssh to ${_inetcnf}"
	561	fi
95273555	562	fi
95273555	563
41fcc457	564	# On NT ask if sshd should be installed as service
	565	if [ $_nt -gt 0 ]
	566	then
	567	echo
	568	echo "Do you want to install sshd as service?"
	569	if request "(Say \"no\" if it's already installed as service)"
	570	then
	571	echo
	572	echo "Which value should the environment variable CYGWIN have when"
	573	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	574	echo "able to change user context without password."
	575	echo -n "Default is \"binmode ntsec tty\". CYGWIN="
	576	read _cygwin
	577	[ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
	578	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
	579	then
e12659f4	580	chown system ${SYSCONFDIR}/ssh*
41fcc457	581	echo
	582	echo "The service has been installed under LocalSystem account."
	583	fi
	584	fi
	585	fi
	586
f4ebf0e8	587	if [ "${old_install}" = "1" ]
95273555	588	then
f4ebf0e8	589	echo
	590	echo "Note: If you have used sshd as service or from inetd, don't forget to"
	591	echo " change the path to sshd.exe in the service entry or in inetd.conf."
95273555	592	fi
	593
	594	echo
f4ebf0e8	595	echo "Host configuration finished. Have fun!"