[openssh.git] / contrib / cygwin / ssh-host-config

#!/bin/bash
#
# ssh-host-config, Copyright 2000-2009 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# ======================================================================
# Initialization
# ======================================================================
PROGNAME=$(basename $0)
_tdir=$(dirname $0)
PROGDIR=$(cd $_tdir && pwd)

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

source ${CSIH_SCRIPT}

port_number=22
privsep_configured=no
privsep_used=yes
cygwin_value=""
user_account=
password_value=
opt_force=no

# ======================================================================
# Routine: create_host_keys
# ======================================================================
create_host_keys() {
  if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
    ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
  fi

  if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
    ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
  fi

  if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
    ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
  fi
} # --- End of create_host_keys --- #

# ======================================================================
# Routine: update_services_file
# ======================================================================
update_services_file() {
  local _my_etcdir="/ssh-host-config.$$"
  local _win_etcdir
  local _services
  local _spaces
  local _serv_tmp
  local _wservices

  if csih_is_nt
  then
    _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
    _services="${_my_etcdir}/services"
    # On NT, 27 spaces, no space after the hash
    _spaces="                           #"
  else
    _win_etcdir="${WINDIR}"
    _services="${_my_etcdir}/SERVICES"
    # On 9x, 18 spaces (95 is very touchy), a space after the hash
    _spaces="                  # "
  fi
  _serv_tmp="${_my_etcdir}/srv.out.$$"

  mount -o text -f "${_win_etcdir}" "${_my_etcdir}"

  # Depends on the above mount
  _wservices=`cygpath -w "${_services}"`

  # Remove sshd 22/port from services
  if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
  then
    grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
    if [ -f "${_serv_tmp}" ]
    then
      if mv "${_serv_tmp}" "${_services}"
      then
	csih_inform "Removing sshd from ${_wservices}"
      else
	csih_warning "Removing sshd from ${_wservices} failed!"
      fi
      rm -f "${_serv_tmp}"
    else
      csih_warning "Removing sshd from ${_wservices} failed!"
    fi
  fi

  # Add ssh 22/tcp  and ssh 22/udp to services
  if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
  then
    if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
      if mv "${_serv_tmp}" "${_services}"
      then
	csih_inform "Added ssh to ${_wservices}"
      else
	csih_warning "Adding ssh to ${_wservices} failed!"
      fi
      rm -f "${_serv_tmp}"
    else
      csih_warning "Adding ssh to ${_wservices} failed!"
    fi
  fi
  umount "${_my_etcdir}"
} # --- End of update_services_file --- #

# ======================================================================
# Routine: sshd_privsep
#  MODIFIES: privsep_configured  privsep_used
# ======================================================================
sshd_privsep() {
  local sshdconfig_tmp

  if [ "${privsep_configured}" != "yes" ]
  then
    if csih_is_nt
    then
      csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
      csih_inform "However, this requires a non-privileged account called 'sshd'."
      csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
      if csih_request "Should privilege separation be used?"
      then
	privsep_used=yes
	if ! csih_create_unprivileged_user sshd
	then
  	  csih_warning "Couldn't create user 'sshd'!"
	  csih_warning "Privilege separation set to 'no' again!"
	  csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
  	  privsep_used=no
	fi
      else
	privsep_used=no
      fi
    else
      # On 9x don't use privilege separation.  Since security isn't
      # available it just adds useless additional processes.
      privsep_used=no
    fi
  fi

  # Create default sshd_config from skeleton files in /etc/defaults/etc or
  # modify to add the missing privsep configuration option
  if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
  then
    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
    sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
  	  s/^#Port 22/Port ${port_number}/
  	  s/^#StrictModes yes/StrictModes no/" \
	< ${SYSCONFDIR}/sshd_config \
	> "${sshdconfig_tmp}"
    mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
  elif [ "${privsep_configured}" != "yes" ]
  then
    echo >> ${SYSCONFDIR}/sshd_config
    echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
  fi
} # --- End of sshd_privsep --- #

# ======================================================================
# Routine: update_inetd_conf
# ======================================================================
update_inetd_conf() {
  local _inetcnf="${SYSCONFDIR}/inetd.conf"
  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
  local _with_comment=1

  if [ -d "${_inetcnf_dir}" ]
  then
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
      grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0

      # check for sshd OR ssh in top-level inetd.conf file, and remove
      # will be replaced by a file in inetd.d/
      if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
      then
	grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
	if [ -f "${_inetcnf_tmp}" ]
	then
	  if mv "${_inetcnf_tmp}" "${_inetcnf}"
	  then
  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
	  else
  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
	  fi
	  rm -f "${_inetcnf_tmp}"
	else
	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
	fi
      fi
    fi

    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
    if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
    then
      if [ "${_with_comment}" -eq 0 ]
      then
	sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      else
	sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      fi
      mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      csih_inform "Updated ${_sshd_inetd_conf}"
    fi

  elif [ -f "${_inetcnf}" ]
  then
    grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0

    # check for sshd in top-level inetd.conf file, and remove
    # will be replaced by a file in inetd.d/
    if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
    then
      grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
      if [ -f "${_inetcnf_tmp}" ]
      then
	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	then
	    csih_inform "Removed sshd from ${_inetcnf}"
	else
	    csih_warning "Removing sshd from ${_inetcnf} failed!"
	fi
	rm -f "${_inetcnf_tmp}"
      else
	csih_warning "Removing sshd from ${_inetcnf} failed!"
      fi
    fi

    # Add ssh line to inetd.conf
    if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
    then
      if [ "${_with_comment}" -eq 0 ]
      then
	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
      else
	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
      fi
      csih_inform "Added ssh to ${_inetcnf}"
    fi
  fi
} # --- End of update_inetd_conf --- #

# ======================================================================
# Routine: install_service
#   Install sshd as a service
# ======================================================================
install_service() {
  local run_service_as
  local password

  if csih_is_nt
  then
    if ! cygrunsrv -Q sshd >/dev/null 2>&1
    then
      echo
      echo
      csih_warning "The following functions require administrator privileges!"
      echo
      echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
      if csih_request "(Say \"no\" if it is already installed as a service)"
      then
	csih_get_cygenv "${cygwin_value}"

	if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
	then
	  csih_inform "On Windows Server 2003, Windows Vista, and above, the"
	  csih_inform "SYSTEM account cannot setuid to other users -- a capability"
	  csih_inform "sshd requires.  You need to have or to create a privileged"
	  csih_inform "account.  This script will help you do so."
	  echo

	  [ "${opt_force}" = "yes" ] && opt_f=-f
	  [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
	  csih_select_privileged_username ${opt_f} ${opt_u} sshd

	  if ! csih_create_privileged_user "${password_value}"
	  then
	    csih_error_recoverable "There was a serious problem creating a privileged user."
	    csih_request "Do you want to proceed anyway?" || exit 1
	  fi
	fi

	# never returns empty if NT or above
	run_service_as=$(csih_service_should_run_as)

	if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
	then
	  password="${csih_PRIVILEGED_PASSWORD}"
	  if [ -z "${password}" ]
	  then
	    csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
	    password="${csih_value}"
	  fi
	fi

	# at this point, we either have $run_service_as = "system" and $password is empty,
	# or $run_service_as is some privileged user and (hopefully) $password contains
	# the correct password.  So, from here out, we use '-z "${password}"' to discriminate
	# the two cases.

	csih_check_user "${run_service_as}"

	if [ -n "${csih_cygenv}" ]
	then
	  cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
	fi
	if [ -z "${password}" ]
	then
	  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
			    -a "-D" -y tcpip "${cygwin_env[@]}"
	  then
	    echo
	    csih_inform "The sshd service has been installed under the LocalSystem"
	    csih_inform "account (also known as SYSTEM). To start the service now, call"
	    csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
	    csih_inform "will start automatically after the next reboot."
	  fi
	else
	  if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
			    -a "-D" -y tcpip "${cygwin_env[@]}" \
			    -u "${run_service_as}" -w "${password}"
	  then
	    echo
	    csih_inform "The sshd service has been installed under the '${run_service_as}'"
	    csih_inform "account.  To start the service now, call \`net start sshd' or"
	    csih_inform "\`cygrunsrv -S sshd'.  Otherwise, it will start automatically"
	    csih_inform "after the next reboot."
	  fi
	fi

	# now, if successfully installed, set ownership of the affected files
	if cygrunsrv -Q sshd >/dev/null 2>&1
	then
	  chown "${run_service_as}" ${SYSCONFDIR}/ssh*
	  chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
	  chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
	  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
	  then
	    chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
	  fi
	else
	  csih_warning "Something went wrong installing the sshd service."
	fi
      fi # user allowed us to install as service
    fi # service not yet installed
  fi # csih_is_nt
} # --- End of install_service --- #

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
#   (1) it has been started by giving the full path and
#       that path is /etc/postinstall, OR
#   (2) Otherwise, if the environment variable
#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================
while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    opt_force=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    opt_force=yes
    ;;

  -c | --cygwin )
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  -u | --user )
    user_account="$1"
    shift
    ;;
    
  -w | --pwd )
    password_value="$1"
    shift
    ;;

  --privileged )
    csih_FORCE_PRIVILEGED_USER=yes
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --user   -u <account>  privileged user for service."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
    echo "  --privileged           On Windows NT/2k/XP, require privileged user"
    echo "                         instead of LocalSystem for sshd service."
    echo
    exit 1
    ;;

  esac
done

# ======================================================================
# Action!
# ======================================================================

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Check for ${SYSCONFDIR} directory
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
chmod 775 "${SYSCONFDIR}"
setfacl -m u:system:rwx "${SYSCONFDIR}"

# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
chmod 775 "${LOCALSTATEDIR}/log"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"

# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
  echo
  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
		   "Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
  cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
  chmod 644 ${LOCALSTATEDIR}/log/lastlog
fi

# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
chmod 755 "${LOCALSTATEDIR}/empty"
setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"

# host keys
create_host_keys

# use 'cmp' program to determine if a config file is identical
# to the default version of that config file
csih_check_program_or_error cmp diffutils


# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config"   "${SYSCONFDIR}/defaults"
if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# handle sshd_config (and privsep)
csih_install_config "${SYSCONFDIR}/sshd_config"   "${SYSCONFDIR}/defaults"
if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
  grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
sshd_privsep


update_services_file
update_inetd_conf
install_service

echo
csih_inform "Host configuration finished. Have fun!"
Commit	Line	Data
9e936326	1	#!/bin/bash
95273555	2	#
78576c54	3	# ssh-host-config, Copyright 2000-2009 Red Hat Inc.
95273555	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
7ea1abf7	7	# ======================================================================
	8	# Initialization
	9	# ======================================================================
	10	PROGNAME=$(basename $0)
	11	_tdir=$(dirname $0)
	12	PROGDIR=$(cd $_tdir && pwd)
	13
	14	CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
	15
95273555	16	# Subdirectory where the new package is being installed
	17	PREFIX=/usr
	18
	19	# Directory where the config files are stored
	20	SYSCONFDIR=/etc
9e936326	21	LOCALSTATEDIR=/var
95273555	22
7ea1abf7	23	source ${CSIH_SCRIPT}
f4ebf0e8	24
7ea1abf7	25	port_number=22
d2f95449	26	privsep_configured=no
d2f95449	27	privsep_used=yes
7f24626b	28	cygwin_value=""
78576c54	29	user_account=
7ea1abf7	30	password_value=
78576c54	31	opt_force=no
7ea1abf7	32
	33	# ======================================================================
	34	# Routine: create_host_keys
	35	# ======================================================================
	36	create_host_keys() {
	37	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	38	then
	39	csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
	40	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	41	fi
863ba23a	42
7ea1abf7	43	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	44	then
	45	csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
	46	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
	47	fi
863ba23a	48
7ea1abf7	49	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
	50	then
	51	csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
	52	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
	53	fi
	54	} # --- End of create_host_keys --- #
	55
	56	# ======================================================================
	57	# Routine: update_services_file
	58	# ======================================================================
	59	update_services_file() {
	60	local _my_etcdir="/ssh-host-config.$$"
	61	local _win_etcdir
	62	local _services
	63	local _spaces
	64	local _serv_tmp
	65	local _wservices
	66
	67	if csih_is_nt
	68	then
	69	_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
	70	_services="${_my_etcdir}/services"
	71	# On NT, 27 spaces, no space after the hash
	72	_spaces=" #"
	73	else
	74	_win_etcdir="${WINDIR}"
	75	_services="${_my_etcdir}/SERVICES"
	76	# On 9x, 18 spaces (95 is very touchy), a space after the hash
	77	_spaces=" # "
	78	fi
	79	_serv_tmp="${_my_etcdir}/srv.out.$$"
863ba23a	80
7f24626b	81	mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
863ba23a	82
7ea1abf7	83	# Depends on the above mount
7ea1abf7	84	_wservices=`cygpath -w "${_services}"`
863ba23a	85
7ea1abf7	86	# Remove sshd 22/port from services
	87	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	88	then
	89	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	90	if [ -f "${_serv_tmp}" ]
	91	then
	92	if mv "${_serv_tmp}" "${_services}"
	93	then
863ba23a	94	csih_inform "Removing sshd from ${_wservices}"
7ea1abf7	95	else
863ba23a	96	csih_warning "Removing sshd from ${_wservices} failed!"
7ea1abf7	97	fi
	98	rm -f "${_serv_tmp}"
	99	else
	100	csih_warning "Removing sshd from ${_wservices} failed!"
	101	fi
	102	fi
863ba23a	103
7ea1abf7	104	# Add ssh 22/tcp and ssh 22/udp to services
	105	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
	106	then
	107	if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
	108	then
	109	if mv "${_serv_tmp}" "${_services}"
	110	then
863ba23a	111	csih_inform "Added ssh to ${_wservices}"
7ea1abf7	112	else
863ba23a	113	csih_warning "Adding ssh to ${_wservices} failed!"
7ea1abf7	114	fi
	115	rm -f "${_serv_tmp}"
	116	else
	117	csih_warning "Adding ssh to ${_wservices} failed!"
	118	fi
	119	fi
	120	umount "${_my_etcdir}"
	121	} # --- End of update_services_file --- #
d2f95449	122
7ea1abf7	123	# ======================================================================
	124	# Routine: sshd_privsep
	125	# MODIFIES: privsep_configured privsep_used
	126	# ======================================================================
	127	sshd_privsep() {
	128	local sshdconfig_tmp
	129
	130	if [ "${privsep_configured}" != "yes" ]
	131	then
	132	if csih_is_nt
	133	then
	134	csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
	135	csih_inform "However, this requires a non-privileged account called 'sshd'."
	136	csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
	137	if csih_request "Should privilege separation be used?"
	138	then
863ba23a	139	privsep_used=yes
	140	if ! csih_create_unprivileged_user sshd
	141	then
7ea1abf7	142	csih_warning "Couldn't create user 'sshd'!"
863ba23a	143	csih_warning "Privilege separation set to 'no' again!"
863ba23a	144	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
7ea1abf7	145	privsep_used=no
863ba23a	146	fi
7ea1abf7	147	else
863ba23a	148	privsep_used=no
7ea1abf7	149	fi
	150	else
	151	# On 9x don't use privilege separation. Since security isn't
	152	# available it just adds useless additional processes.
	153	privsep_used=no
	154	fi
	155	fi
863ba23a	156
7ea1abf7	157	# Create default sshd_config from skeleton files in /etc/defaults/etc or
	158	# modify to add the missing privsep configuration option
	159	if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
f4ebf0e8	160	then
7ea1abf7	161	csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
	162	sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
	163	sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
	164	s/^#Port 22/Port ${port_number}/
	165	s/^#StrictModes yes/StrictModes no/" \
863ba23a	166	< ${SYSCONFDIR}/sshd_config \
863ba23a	167	> "${sshdconfig_tmp}"
7ea1abf7	168	mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
7ea1abf7	169	elif [ "${privsep_configured}" != "yes" ]
f4ebf0e8	170	then
7ea1abf7	171	echo >> ${SYSCONFDIR}/sshd_config
7ea1abf7	172	echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
f4ebf0e8	173	fi
7ea1abf7	174	} # --- End of sshd_privsep --- #
	175
	176	# ======================================================================
	177	# Routine: update_inetd_conf
	178	# ======================================================================
	179	update_inetd_conf() {
	180	local _inetcnf="${SYSCONFDIR}/inetd.conf"
	181	local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
	182	local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
	183	local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
	184	local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
	185	local _with_comment=1
	186
	187	if [ -d "${_inetcnf_dir}" ]
	188	then
	189	# we have inetutils-1.5 inetd.d support
	190	if [ -f "${_inetcnf}" ]
	191	then
	192	grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
	193
	194	# check for sshd OR ssh in top-level inetd.conf file, and remove
	195	# will be replaced by a file in inetd.d/
	196	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
	197	then
863ba23a	198	grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
	199	if [ -f "${_inetcnf_tmp}" ]
	200	then
	201	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	202	then
7ea1abf7	203	csih_inform "Removed ssh[d] from ${_inetcnf}"
863ba23a	204	else
7ea1abf7	205	csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
863ba23a	206	fi
	207	rm -f "${_inetcnf_tmp}"
	208	else
	209	csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
	210	fi
7ea1abf7	211	fi
	212	fi
	213
	214	csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
	215	if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
	216	then
	217	if [ "${_with_comment}" -eq 0 ]
	218	then
863ba23a	219	sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
7ea1abf7	220	else
863ba23a	221	sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
7ea1abf7	222	fi
	223	mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
	224	csih_inform "Updated ${_sshd_inetd_conf}"
863ba23a	225	fi
f4ebf0e8	226
7ea1abf7	227	elif [ -f "${_inetcnf}" ]
95273555	228	then
7ea1abf7	229	grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
	230
	231	# check for sshd in top-level inetd.conf file, and remove
	232	# will be replaced by a file in inetd.d/
	233	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	234	then
	235	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	236	if [ -f "${_inetcnf_tmp}" ]
	237	then
863ba23a	238	if mv "${_inetcnf_tmp}" "${_inetcnf}"
863ba23a	239	then
7ea1abf7	240	csih_inform "Removed sshd from ${_inetcnf}"
863ba23a	241	else
7ea1abf7	242	csih_warning "Removing sshd from ${_inetcnf} failed!"
863ba23a	243	fi
863ba23a	244	rm -f "${_inetcnf_tmp}"
7ea1abf7	245	else
863ba23a	246	csih_warning "Removing sshd from ${_inetcnf} failed!"
7ea1abf7	247	fi
7ea1abf7	248	fi
863ba23a	249
7ea1abf7	250	# Add ssh line to inetd.conf
	251	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	252	then
	253	if [ "${_with_comment}" -eq 0 ]
	254	then
863ba23a	255	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
7ea1abf7	256	else
863ba23a	257	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
7ea1abf7	258	fi
	259	csih_inform "Added ssh to ${_inetcnf}"
	260	fi
95273555	261	fi
7ea1abf7	262	} # --- End of update_inetd_conf --- #
95273555	263
7ea1abf7	264	# ======================================================================
	265	# Routine: install_service
	266	# Install sshd as a service
	267	# ======================================================================
	268	install_service() {
	269	local run_service_as
	270	local password
f4ebf0e8	271
7ea1abf7	272	if csih_is_nt
	273	then
	274	if ! cygrunsrv -Q sshd >/dev/null 2>&1
	275	then
	276	echo
	277	echo
	278	csih_warning "The following functions require administrator privileges!"
	279	echo
	280	echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
	281	if csih_request "(Say \"no\" if it is already installed as a service)"
	282	then
863ba23a	283	csih_get_cygenv "${cygwin_value}"
	284
	285	if ( csih_is_nt2003 \|\| [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
	286	then
	287	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
	288	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
	289	csih_inform "sshd requires. You need to have or to create a privileged"
	290	csih_inform "account. This script will help you do so."
	291	echo
78576c54	292
	293	[ "${opt_force}" = "yes" ] && opt_f=-f
	294	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
	295	csih_select_privileged_username ${opt_f} ${opt_u} sshd
	296
863ba23a	297	if ! csih_create_privileged_user "${password_value}"
	298	then
	299	csih_error_recoverable "There was a serious problem creating a privileged user."
	300	csih_request "Do you want to proceed anyway?" \|\| exit 1
	301	fi
	302	fi
	303
	304	# never returns empty if NT or above
	305	run_service_as=$(csih_service_should_run_as)
	306
	307	if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
	308	then
	309	password="${csih_PRIVILEGED_PASSWORD}"
	310	if [ -z "${password}" ]
	311	then
	312	csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
	313	password="${csih_value}"
	314	fi
	315	fi
	316
	317	# at this point, we either have $run_service_as = "system" and $password is empty,
	318	# or $run_service_as is some privileged user and (hopefully) $password contains
	319	# the correct password. So, from here out, we use '-z "${password}"' to discriminate
	320	# the two cases.
	321
	322	csih_check_user "${run_service_as}"
7ea1abf7	323
e1986e0a	324	if [ -n "${csih_cygenv}" ]
e1986e0a	325	then
78576c54	326	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
e1986e0a	327	fi
863ba23a	328	if [ -z "${password}" ]
863ba23a	329	then
78576c54	330	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
78576c54	331	-a "-D" -y tcpip "${cygwin_env[@]}"
863ba23a	332	then
	333	echo
	334	csih_inform "The sshd service has been installed under the LocalSystem"
	335	csih_inform "account (also known as SYSTEM). To start the service now, call"
	336	csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
	337	csih_inform "will start automatically after the next reboot."
	338	fi
	339	else
78576c54	340	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
78576c54	341	-a "-D" -y tcpip "${cygwin_env[@]}" \
e1986e0a	342	-u "${run_service_as}" -w "${password}"
863ba23a	343	then
7ea1abf7	344	echo
	345	csih_inform "The sshd service has been installed under the '${run_service_as}'"
	346	csih_inform "account. To start the service now, call \`net start sshd' or"
863ba23a	347	csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
	348	csih_inform "after the next reboot."
	349	fi
	350	fi
	351
	352	# now, if successfully installed, set ownership of the affected files
	353	if cygrunsrv -Q sshd >/dev/null 2>&1
	354	then
	355	chown "${run_service_as}" ${SYSCONFDIR}/ssh*
	356	chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
	357	chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
	358	if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
	359	then
7ea1abf7	360	chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
863ba23a	361	fi
	362	else
	363	csih_warning "Something went wrong installing the sshd service."
	364	fi
7ea1abf7	365	fi # user allowed us to install as service
	366	fi # service not yet installed
	367	fi # csih_is_nt
	368	} # --- End of install_service --- #
	369
	370	# ======================================================================
	371	# Main Entry Point
	372	# ======================================================================
	373
	374	# Check how the script has been started. If
	375	# (1) it has been started by giving the full path and
	376	# that path is /etc/postinstall, OR
	377	# (2) Otherwise, if the environment variable
	378	# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
	379	# then set auto_answer to "no". This allows automatic
	380	# creation of the config files in /etc w/o overwriting
	381	# them if they already exist. In both cases, color
	382	# escape sequences are suppressed, so as to prevent
	383	# cluttering setup's logfiles.
	384	if [ "$PROGDIR" = "/etc/postinstall" ]
	385	then
	386	csih_auto_answer="no"
	387	csih_disable_color
78576c54	388	opt_force=yes
7ea1abf7	389	fi
	390	if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
	391	then
	392	csih_auto_answer="no"
	393	csih_disable_color
78576c54	394	opt_force=yes
7ea1abf7	395	fi
	396
	397	# ======================================================================
	398	# Parse options
	399	# ======================================================================
f4ebf0e8	400	while :
	401	do
	402	case $# in
	403	0)
	404	break
	405	;;
	406	esac
	407
	408	option=$1
	409	shift
	410
9e936326	411	case "${option}" in
f4ebf0e8	412	-d \| --debug )
f4ebf0e8	413	set -x
7ea1abf7	414	csih_trace_on
f4ebf0e8	415	;;
	416
	417	-y \| --yes )
7ea1abf7	418	csih_auto_answer=yes
78576c54	419	opt_force=yes
f4ebf0e8	420	;;
	421
	422	-n \| --no )
7ea1abf7	423	csih_auto_answer=no
78576c54	424	opt_force=yes
f4ebf0e8	425	;;
f4ebf0e8	426
9e936326	427	-c \| --cygwin )
	428	cygwin_value="$1"
	429	shift
	430	;;
	431
f52798a4	432	-p \| --port )
	433	port_number=$1
	434	shift
	435	;;
	436
78576c54	437	-u \| --user )
	438	user_account="$1"
	439	shift
	440	;;
	441
9e936326	442	-w \| --pwd )
	443	password_value="$1"
	444	shift
	445	;;
	446
7ea1abf7	447	--privileged )
	448	csih_FORCE_PRIVILEGED_USER=yes
	449	;;
	450
f4ebf0e8	451	*)
	452	echo "usage: ${progname} [OPTION]..."
	453	echo
	454	echo "This script creates an OpenSSH host configuration."
	455	echo
	456	echo "Options:"
9e936326	457	echo " --debug -d Enable shell's debug output."
	458	echo " --yes -y Answer all questions with \"yes\" automatically."
	459	echo " --no -n Answer all questions with \"no\" automatically."
	460	echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
	461	echo " --port -p <n> sshd listens on port n."
78576c54	462	echo " --user -u <account> privileged user for service."
7ea1abf7	463	echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
	464	echo " --privileged On Windows NT/2k/XP, require privileged user"
	465	echo " instead of LocalSystem for sshd service."
f4ebf0e8	466	echo
	467	exit 1
	468	;;
	469
	470	esac
	471	done
	472
7ea1abf7	473	# ======================================================================
	474	# Action!
	475	# ======================================================================
d2f95449	476
95273555	477	# Check for running ssh/sshd processes first. Refuse to do anything while
95273555	478	# some ssh processes are still running
de470c82	479	if ps -ef \| grep -q '/sshd\?$'
95273555	480	then
95273555	481	echo
7ea1abf7	482	csih_error "There are still ssh processes running. Please shut them down first."
95273555	483	fi
	484
	485	# Check for ${SYSCONFDIR} directory
7ea1abf7	486	csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
	487	chmod 775 "${SYSCONFDIR}"
	488	setfacl -m u:system:rwx "${SYSCONFDIR}"
95273555	489
7ea1abf7	490	# Check for /var/log directory
	491	csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
	492	chmod 775 "${LOCALSTATEDIR}/log"
	493	setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
f9b93ff8	494
7ea1abf7	495	# Create /var/log/lastlog if not already exists
f9b93ff8	496	if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
f9b93ff8	497	then
863ba23a	498	echo
7ea1abf7	499	csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
863ba23a	500	"Cannot create ssh host configuration."
f9b93ff8	501	fi
	502	if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
	503	then
	504	cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
	505	chmod 644 ${LOCALSTATEDIR}/log/lastlog
d2f95449	506	fi
	507
	508	# Create /var/empty file used as chroot jail for privilege separation
78576c54	509	csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
7ea1abf7	510	chmod 755 "${LOCALSTATEDIR}/empty"
7ea1abf7	511	setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
95273555	512
7ea1abf7	513	# host keys
7ea1abf7	514	create_host_keys
95273555	515
7ea1abf7	516	# use 'cmp' program to determine if a config file is identical
	517	# to the default version of that config file
	518	csih_check_program_or_error cmp diffutils
95273555	519
95273555	520
7ea1abf7	521	# handle ssh_config
	522	csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
	523	if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
95273555	524	then
9e936326	525	if [ "${port_number}" != "22" ]
f52798a4	526	then
7ea1abf7	527	csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
f52798a4	528	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
9e936326	529	echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
f52798a4	530	fi
95273555	531	fi
95273555	532
7ea1abf7	533	# handle sshd_config (and privsep)
	534	csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
	535	if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
95273555	536	then
7ea1abf7	537	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
d2f95449	538	fi
7ea1abf7	539	sshd_privsep
d2f95449	540
d2f95449	541
c3d908f0	542
863ba23a	543	update_services_file
7ea1abf7	544	update_inetd_conf
7ea1abf7	545	install_service
41fcc457	546
95273555	547	echo
7ea1abf7	548	csih_inform "Host configuration finished. Have fun!"
7ea1abf7	549