9e936326 | 1 | #!/bin/bash |
95273555 | 2 | # |
78576c54 | 3 | # ssh-host-config, Copyright 2000-2009 Red Hat Inc. |
95273555 | 4 | # |
5 | # This file is part of the Cygwin port of OpenSSH. | |
6 | ||
7ea1abf7 | 7 | # ====================================================================== |
8 | # Initialization | |
9 | # ====================================================================== | |
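PROGNAME=$(basename "$0")
_tdir=$(dirname "$0")
PROGDIR=$(cd "${_tdir}" && pwd)

# Helper library providing every csih_* function used below (prompts,
# user/service creation, config installation, directory creation).
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

# Everything after this point calls csih_* functions, so fail with one
# clear message instead of cascading "command not found" errors.
if [ ! -r "${CSIH_SCRIPT}" ]
then
    echo "${PROGNAME}: cannot read ${CSIH_SCRIPT}" >&2
    exit 1
fi
source "${CSIH_SCRIPT}"

port_number=22          # 'Port' written to sshd_config/ssh_config; -p/--port overrides
privsep_configured=no   # set to yes when an existing sshd_config already mentions UsePrivilegeSeparation
privsep_used=yes        # final decision made in sshd_privsep
cygwin_value=""         # -c/--cygwin: CYGWIN environment value for the service
user_account=           # -u/--user: privileged account the service should run as
password_value=         # -w/--pwd: password for that account
opt_force=no            # yes when running unattended (postinstall, -y, -n)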
7ea1abf7 | 32 | |
33 | # ====================================================================== | |
34 | # Routine: create_host_keys | |
35 | # ====================================================================== | |
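# Generate one host key unless its file already exists.  ssh-keygen gets an
# empty passphrase (-N '') because sshd must load the key unattended.
# A failed ssh-keygen is reported instead of silently leaving no key behind.
#   $1  key type for ssh-keygen -t
#   $2  key file path
_create_host_key() {
    local _type="$1"
    local _file="$2"

    if [ ! -f "${_file}" ]
    then
        csih_inform "Generating ${_file}"
        if ! ssh-keygen -t "${_type}" -f "${_file}" -N '' > /dev/null
        then
            csih_warning "Generating ${_file} failed!"
        fi
    fi
} # --- End of _create_host_key --- #

# Create the host keys in ${SYSCONFDIR}; existing keys are never replaced.
# NOTE(review): rsa1 (SSH protocol 1) and DSA are legacy key types that
# current OpenSSH releases no longer enable by default; they are kept here
# for compatibility with the defaults this script installs -- confirm before
# dropping them.
create_host_keys() {
    _create_host_key rsa1 "${SYSCONFDIR}/ssh_host_key"
    _create_host_key rsa  "${SYSCONFDIR}/ssh_host_rsa_key"
    _create_host_key dsa  "${SYSCONFDIR}/ssh_host_dsa_key"
} # --- End of create_host_keys --- #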
55 | ||
56 | # ====================================================================== | |
57 | # Routine: update_services_file | |
58 | # ====================================================================== | |
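# Make the Windows services file map port 22 to "ssh" (tcp and udp) and
# drop any old "sshd 22" line.  The Windows etc directory is mounted in text
# mode at a private mount point so the file can be edited with grep/awk;
# the mount is released at the end.
update_services_file() {
    local _my_etcdir="/ssh-host-config.$$"
    local _win_etcdir
    local _services
    local _spaces
    local _serv_tmp
    local _wservices

    if csih_is_nt
    then
        _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
        _services="${_my_etcdir}/services"
        # On NT, 27 spaces, no space after the hash
        _spaces="                           #"
    else
        _win_etcdir="${WINDIR}"
        _services="${_my_etcdir}/SERVICES"
        # On 9x, 18 spaces (95 is very touchy), a space after the hash
        _spaces="                  # "
    fi
    _serv_tmp="${_my_etcdir}/srv.out.$$"

    # Nothing below can work without the mount, so report and stop instead
    # of editing a path that does not exist.
    if ! mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
    then
        csih_warning "Mounting ${_win_etcdir} on ${_my_etcdir} failed!"
        return 1
    fi

    # Depends on the above mount
    _wservices=$(cygpath -w "${_services}")

    # Remove sshd 22/port from services
    if grep -q 'sshd[ \t][ \t]*22' "${_services}"
    then
        grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
        if [ -f "${_serv_tmp}" ]
        then
            if mv "${_serv_tmp}" "${_services}"
            then
                csih_inform "Removing sshd from ${_wservices}"
            else
                csih_warning "Removing sshd from ${_wservices} failed!"
            fi
            rm -f "${_serv_tmp}"
        else
            csih_warning "Removing sshd from ${_wservices} failed!"
        fi
    fi

    # Add ssh 22/tcp and ssh 22/udp to services.  awk inserts both lines
    # directly in front of the first 23/tcp entry, presumably to keep the
    # file in port order.
    if ! grep -q 'ssh[ \t][ \t]*22' "${_services}"
    then
        if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
        then
            if mv "${_serv_tmp}" "${_services}"
            then
                csih_inform "Added ssh to ${_wservices}"
            else
                csih_warning "Adding ssh to ${_wservices} failed!"
            fi
            rm -f "${_serv_tmp}"
        else
            csih_warning "Adding ssh to ${_wservices} failed!"
        fi
    fi
    umount "${_my_etcdir}"
} # --- End of update_services_file --- #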
d2f95449 | 122 | |
7ea1abf7 | 123 | # ====================================================================== |
124 | # Routine: sshd_privsep | |
125 | # MODIFIES: privsep_configured privsep_used | |
126 | # ====================================================================== | |
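# Decide whether sshd should use privilege separation and bring
# ${SYSCONFDIR}/sshd_config in line with that decision and the requested
# port.  A still-default config is rewritten; a non-default one that lacks
# the option only gets the UsePrivilegeSeparation line appended.
# MODIFIES: privsep_configured privsep_used
sshd_privsep() {
    local _sshdconfig="${SYSCONFDIR}/sshd_config"
    local _sshdconfig_tmp

    if [ "${privsep_configured}" != "yes" ]
    then
        if csih_is_nt
        then
            csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
            csih_inform "However, this requires a non-privileged account called 'sshd'."
            csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
            if csih_request "Should privilege separation be used?"
            then
                privsep_used=yes
                # sshd's unprivileged pre-authentication child runs as this
                # account; without it privsep cannot be enabled.
                if ! csih_create_unprivileged_user sshd
                then
                    csih_warning "Couldn't create user 'sshd'!"
                    csih_warning "Privilege separation set to 'no' again!"
                    csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
                    privsep_used=no
                fi
            else
                privsep_used=no
            fi
        else
            # On 9x don't use privilege separation. Since security isn't
            # available it just adds useless additional processes.
            privsep_used=no
        fi
    fi

    # Create default sshd_config from skeleton files in /etc/defaults/etc or
    # modify to add the missing privsep configuration option
    if cmp "${_sshdconfig}" "${SYSCONFDIR}/defaults/${_sshdconfig}" >/dev/null 2>&1
    then
        csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
        _sshdconfig_tmp="${_sshdconfig}.$$"
        # ${privsep_used} and ${port_number} are interpolated into the sed
        # script, so neither may contain '/' or '&'.
        # NOTE(review): StrictModes is switched off here, presumably because
        # Windows ACLs do not map onto the POSIX mode bits sshd checks; it
        # also disables sshd's permission check on ~/.ssh -- confirm.
        sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/" \
            -e "s/^#Port 22/Port ${port_number}/" \
            -e "s/^#StrictModes yes/StrictModes no/" \
            < "${_sshdconfig}" \
            > "${_sshdconfig_tmp}"
        mv "${_sshdconfig_tmp}" "${_sshdconfig}"
    elif [ "${privsep_configured}" != "yes" ]
    then
        echo >> "${_sshdconfig}"
        echo "UsePrivilegeSeparation ${privsep_used}" >> "${_sshdconfig}"
    fi
} # --- End of sshd_privsep --- #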
175 | ||
176 | # ====================================================================== | |
177 | # Routine: update_inetd_conf | |
178 | # ====================================================================== | |
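# Delete every line of an inetd.conf matching a pattern, via a scratch file.
#   $1  inetd.conf path
#   $2  scratch file path
#   $3  grep pattern selecting the lines to drop
#   $4  label used in messages (e.g. "sshd")
_remove_inetd_entry() {
    local _conf="$1"
    local _tmp="$2"
    local _pattern="$3"
    local _label="$4"

    if grep -q "${_pattern}" "${_conf}"
    then
        # Overwrite the scratch file rather than append to it, so a stale
        # leftover with the same name cannot duplicate the config.
        grep -v "${_pattern}" "${_conf}" > "${_tmp}"
        if [ -f "${_tmp}" ]
        then
            if mv "${_tmp}" "${_conf}"
            then
                csih_inform "Removed ${_label} from ${_conf}"
            else
                csih_warning "Removing ${_label} from ${_conf} failed!"
            fi
            rm -f "${_tmp}"
        else
            csih_warning "Removing ${_label} from ${_conf} failed!"
        fi
    fi
} # --- End of _remove_inetd_entry --- #

# Register sshd with inetd.  With inetd.d support the entry goes into
# ${SYSCONFDIR}/inetd.d/sshd-inetd and any ssh/sshd line is removed from
# inetd.conf; without it a single ssh line is kept in inetd.conf.  The new
# entry is left commented out unless an active one was already present.
update_inetd_conf() {
    local _inetcnf="${SYSCONFDIR}/inetd.conf"
    local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
    local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
    local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
    local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
    local _with_comment=1

    if [ -d "${_inetcnf_dir}" ]
    then
        # we have inetutils-1.5 inetd.d support
        if [ -f "${_inetcnf}" ]
        then
            # An uncommented ssh line means the service was active; keep it so.
            grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0

            # Remove sshd OR ssh from the top-level inetd.conf; it is
            # replaced by the file in inetd.d/
            _remove_inetd_entry "${_inetcnf}" "${_inetcnf_tmp}" '^[# \t]*ssh' 'ssh[d]'
        fi

        csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
        # Only a file still identical to the default has its @COMMENT@
        # placeholder resolved; a locally edited or already processed one
        # is left alone.
        if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
        then
            if [ "${_with_comment}" -eq 0 ]
            then
                sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
            else
                sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
            fi
            mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
            csih_inform "Updated ${_sshd_inetd_conf}"
        fi

    elif [ -f "${_inetcnf}" ]
    then
        grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0

        # Remove the old sshd line from the top-level inetd.conf; a fresh
        # ssh line is appended below.
        _remove_inetd_entry "${_inetcnf}" "${_inetcnf_tmp}" '^[# \t]*sshd' 'sshd'

        # Add ssh line to inetd.conf
        if ! grep -q '^[# \t]*ssh' "${_inetcnf}"
        then
            if [ "${_with_comment}" -eq 0 ]
            then
                echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
            else
                echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
            fi
            csih_inform "Added ssh to ${_inetcnf}"
        fi
    fi
} # --- End of update_inetd_conf --- #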
95273555 | 263 | |
7ea1abf7 | 264 | # ====================================================================== |
265 | # Routine: install_service | |
266 | # Install sshd as a service | |
267 | # ====================================================================== | |
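# Install sshd as a Windows service with cygrunsrv (NT family only) and give
# the service account ownership of the files it must access.
# Reads: cygwin_value opt_force user_account password_value
# Exits with status 1 if creating the privileged user fails and the user
# declines to continue.
install_service() {
    local run_service_as
    local password
    local -a select_opts=()
    local -a cygwin_env=()

    if csih_is_nt
    then
        if ! cygrunsrv -Q sshd >/dev/null 2>&1
        then
            echo
            echo
            csih_warning "The following functions require administrator privileges!"
            echo
            echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
            if csih_request "(Say \"no\" if it is already installed as a service)"
            then
                csih_get_cygenv "${cygwin_value}"

                if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
                then
                    csih_inform "On Windows Server 2003, Windows Vista, and above, the"
                    csih_inform "SYSTEM account cannot setuid to other users -- a capability"
                    csih_inform "sshd requires. You need to have or to create a privileged"
                    csih_inform "account. This script will help you do so."
                    echo

                    # Collect the options in an array so an account name
                    # containing whitespace reaches the helper intact.
                    [ "${opt_force}" = "yes" ] && select_opts+=( -f )
                    [ -n "${user_account}" ] && select_opts+=( -u "${user_account}" )
                    csih_select_privileged_username "${select_opts[@]}" sshd

                    if ! csih_create_privileged_user "${password_value}"
                    then
                        csih_error_recoverable "There was a serious problem creating a privileged user."
                        csih_request "Do you want to proceed anyway?" || exit 1
                    fi
                fi

                # never returns empty if NT or above
                run_service_as=$(csih_service_should_run_as)

                if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
                then
                    password="${csih_PRIVILEGED_PASSWORD}"
                    if [ -z "${password}" ]
                    then
                        csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
                        password="${csih_value}"
                    fi
                fi

                # at this point, we either have $run_service_as = "system" and $password is empty,
                # or $run_service_as is some privileged user and (hopefully) $password contains
                # the correct password. So, from here out, we use '-z "${password}"' to discriminate
                # the two cases.

                csih_check_user "${run_service_as}"

                if [ -n "${csih_cygenv}" ]
                then
                    cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
                fi
                if [ -z "${password}" ]
                then
                    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
                                 -a "-D" -y tcpip "${cygwin_env[@]}"
                    then
                        echo
                        csih_inform "The sshd service has been installed under the LocalSystem"
                        csih_inform "account (also known as SYSTEM). To start the service now, call"
                        csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
                        csih_inform "will start automatically after the next reboot."
                    fi
                else
                    # cygrunsrv takes the password on its command line (-w),
                    # so it is exposed in the process list for the duration
                    # of this call; there is no alternative in its interface.
                    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
                                 -a "-D" -y tcpip "${cygwin_env[@]}" \
                                 -u "${run_service_as}" -w "${password}"
                    then
                        echo
                        csih_inform "The sshd service has been installed under the '${run_service_as}'"
                        csih_inform "account. To start the service now, call \`net start sshd' or"
                        csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
                        csih_inform "after the next reboot."
                    fi
                fi

                # now, if successfully installed, set ownership of the affected files
                # (group 544 is Cygwin's gid for BUILTIN\Administrators).
                # The ssh* glob is deliberately unquoted.
                if cygrunsrv -Q sshd >/dev/null 2>&1
                then
                    chown "${run_service_as}" ${SYSCONFDIR}/ssh*
                    chown "${run_service_as}".544 "${LOCALSTATEDIR}/empty"
                    chown "${run_service_as}".544 "${LOCALSTATEDIR}/log/lastlog"
                    if [ -f "${LOCALSTATEDIR}/log/sshd.log" ]
                    then
                        chown "${run_service_as}".544 "${LOCALSTATEDIR}/log/sshd.log"
                    fi
                else
                    csih_warning "Something went wrong installing the sshd service."
                fi
            fi # user allowed us to install as service
        fi # service not yet installed
    fi # csih_is_nt
} # --- End of install_service --- #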
369 | ||
370 | # ====================================================================== | |
371 | # Main Entry Point | |
372 | # ====================================================================== | |
373 | ||
# Detect unattended runs.  Either being invoked from /etc/postinstall
# (setup's postinstall phase) or having SSH_HOST_CONFIG_AUTO_ANSWER_NO in
# the environment switches every question to "no", forces the non-interactive
# path and disables colour escapes so setup's logfiles stay readable.
# Answering "no" means existing config files in /etc are never overwritten.
case "${PROGDIR}" in
/etc/postinstall)
    csih_auto_answer="no"
    csih_disable_color
    opt_force=yes
    ;;
esac
if test -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}"
then
    csih_auto_answer="no"
    csih_disable_color
    opt_force=yes
fi
396 | ||
397 | # ====================================================================== | |
398 | # Parse options | |
399 | # ====================================================================== | |
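# Print the usage text and exit with status 1.
_usage() {
    echo "usage: ${PROGNAME} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo " --debug -d Enable shell's debug output."
    echo " --yes -y Answer all questions with \"yes\" automatically."
    echo " --no -n Answer all questions with \"no\" automatically."
    echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
    echo " --port -p <n> sshd listens on port n."
    echo " --user -u <account> privileged user for service."
    echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
    echo " --privileged On Windows NT/2k/XP, require privileged user"
    echo " instead of LocalSystem for sshd service."
    echo
    exit 1
} # --- End of _usage --- #

# Abort with usage if an option that needs an argument has none left.
#   $1  option name (for the message)
#   $2  number of remaining arguments
_require_arg() {
    if [ "$2" -lt 1 ]
    then
        echo "${PROGNAME}: option '$1' requires an argument" >&2
        _usage
    fi
} # --- End of _require_arg --- #

while [ $# -gt 0 ]
do
    option=$1
    shift

    case "${option}" in
    -d | --debug )
        set -x
        csih_trace_on
        ;;

    -y | --yes )
        csih_auto_answer=yes
        opt_force=yes
        ;;

    -n | --no )
        csih_auto_answer=no
        opt_force=yes
        ;;

    -c | --cygwin )
        _require_arg "${option}" $#
        cygwin_value="$1"
        shift
        ;;

    -p | --port )
        _require_arg "${option}" $#
        # The port is later interpolated into a sed script and written
        # verbatim into ssh_config, so accept only a plain port number.
        case "$1" in
        '' | *[!0-9]* )
            echo "${PROGNAME}: invalid port number '$1'" >&2
            _usage
            ;;
        esac
        if [ "$1" -gt 65535 ]
        then
            echo "${PROGNAME}: invalid port number '$1'" >&2
            _usage
        fi
        port_number=$1
        shift
        ;;

    -u | --user )
        _require_arg "${option}" $#
        user_account="$1"
        shift
        ;;

    -w | --pwd )
        # A password passed on the command line is visible to other users
        # of the machine through the process command line and may be kept
        # in shell history; the interactive prompt in install_service avoids
        # both.
        _require_arg "${option}" $#
        password_value="$1"
        shift
        ;;

    --privileged )
        csih_FORCE_PRIVILEGED_USER=yes
        ;;

    *)
        _usage
        ;;

    esac
done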
472 | ||
7ea1abf7 | 473 | # ====================================================================== |
474 | # Action! | |
475 | # ====================================================================== | |
d2f95449 | 476 | |
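# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -q '/sshd\?$'
then
    echo
    csih_error "There are still ssh processes running. Please shut them down first."
fi

# Check for ${SYSCONFDIR} directory.  The SYSTEM account gets full access via
# an ACL entry because the service may run as it.
# NOTE(review): mode 775 makes the directory writable by its whole group --
# confirm that group is restricted to administrators.
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
chmod 775 "${SYSCONFDIR}"
setfacl -m u:system:rwx "${SYSCONFDIR}"

# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
chmod 775 "${LOCALSTATEDIR}/log"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"

# Create /var/log/lastlog if not already exists.  Anything else in its
# place (e.g. a directory) is fatal.
_lastlog="${LOCALSTATEDIR}/log/lastlog"
if [ -e "${_lastlog}" ] && [ ! -f "${_lastlog}" ]
then
    echo
    csih_error_multi "${_lastlog} exists, but is not a file." \
                     "Cannot create ssh host configuration."
fi
if [ ! -e "${_lastlog}" ]
then
    : > "${_lastlog}"
    chmod 644 "${_lastlog}"
fi

# Create /var/empty file used as chroot jail for privilege separation.
# Ownership is set later by install_service once the service account is known.
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
chmod 755 "${LOCALSTATEDIR}/empty"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"

# host keys
create_host_keys

# use 'cmp' program to determine if a config file is identical
# to the default version of that config file
csih_check_program_or_error cmp diffutils


# handle ssh_config: a still-default client config gets a "Host localhost"
# stanza so local clients also use the non-standard port.
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
    if [ "${port_number}" != "22" ]
    then
        csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
        echo "Host localhost" >> "${SYSCONFDIR}/ssh_config"
        echo " Port ${port_number}" >> "${SYSCONFDIR}/ssh_config"
    fi
fi

# handle sshd_config (and privsep).  A non-default config that already
# mentions UsePrivilegeSeparation is treated as configured so sshd_privsep
# neither asks nor appends the option.
# NOTE(review): the grep also matches a commented-out
# "#UsePrivilegeSeparation" line -- confirm that is intended.
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
    grep -q UsePrivilegeSeparation "${SYSCONFDIR}/sshd_config" && privsep_configured=yes
fi
sshd_privsep



update_services_file
update_inetd_conf
install_service

echo
csih_inform "Host configuration finished. Have fun!"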
549 |