[openssh.git] / contrib / cygwin / ssh-host-config

#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    echo "$1 (yes/no) yes"
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    echo "$1 (yes/no) no"
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -c | --cygwin )
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  -w | --pwd )
    password_value="$1"
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for user 'sshd_server'."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
then
  echo
  echo "${LOCALSTATEDIR}/log is existant but not a directory."
  echo "Cannot create ssh host configuration."
  echo
  exit 1
fi
if [ ! -e ${LOCALSTATEDIR}/log ]
then
  mkdir -p ${LOCALSTATEDIR}/log
fi

if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
  echo 
  echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
  echo "Cannot create ssh host configuration."
  echo 
  exit 1
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
  cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
  chmod 644 ${LOCALSTATEDIR}/log/lastlog
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
  mkdir -p ${LOCALSTATEDIR}/empty
  if [ ${_nt} -gt 0 ]
  then
    chmod 755 ${LOCALSTATEDIR}/empty
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/ssh_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
  then
    rm -f "${SYSCONFDIR}/ssh_config"
    if [ -f "${SYSCONFDIR}/ssh_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
    fi
  fi
fi

# Create default ssh_config from skeleton file in /etc/defaults/etc

if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
  if [ "${port_number}" != "22" ]
  then
    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
  fi
fi

# Check if sshd_config exists. If yes, ask for overwriting

if [ -f "${SYSCONFDIR}/sshd_config" ]
then
  if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
  then
    rm -f "${SYSCONFDIR}/sshd_config"
    if [ -f "${SYSCONFDIR}/sshd_config" ]
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
  else
    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
fi

# Prior to creating or modifying sshd_config, care for privilege separation

if [ "${privsep_configured}" != "yes" ]
then
  if [ ${_nt} -gt 0 ]
  then
    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
    echo "However, this requires a non-privileged account called 'sshd'."
    echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    echo
    if request "Should privilege separation be used?"
    then
      privsep_used=yes
      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
      if [ "${sshd_in_passwd}" != "yes" ]
      then
	if [ "${sshd_in_sam}" != "yes" ]
	then
	  echo "Warning: The following function requires administrator privileges!"
	  if request "Should this script create a local user 'sshd' on this machine?"
	  then
	    dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	    net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	    if [ "${sshd_in_sam}" != "yes" ]
	    then
	      echo "Warning: Creating the user 'sshd' failed!"
	    fi
	  fi
	fi
	if [ "${sshd_in_sam}" != "yes" ]
	then
	  echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	  echo "         Privilege separation set to 'no' again!"
	  echo "         Check your ${SYSCONFDIR}/sshd_config file!"
	  privsep_used=no
	else
	  mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
    else
      privsep_used=no
    fi
  else
    # On 9x don't use privilege separation.  Since security isn't
    # available it just adds useless additional processes.
    privsep_used=no
  fi
fi

# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option

if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
	  s/^#Port 22/Port ${port_number}/
	  s/^#StrictModes yes/StrictModes no/" \
      < ${SYSCONFDIR}/defaults/etc/sshd_config \
      > ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  # On NT, 27 spaces, no space after the hash
  _spaces="                           #"
else
  _win_etcdir="${WINDIR}"
  _services="${_my_etcdir}/SERVICES"
  # On 9x, 18 spaces (95 is very touchy), a space after the hash
  _spaces="                  # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"

mount -t -f "${_win_etcdir}" "${_my_etcdir}"

# Depends on the above mount
_wservices=`cygpath -w "${_services}"`

# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_wservices}"
    else
      echo "Removing sshd from ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_wservices} failed!"
  fi
fi

# Add ssh 22/tcp  and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_wservices}"
    else
      echo "Adding ssh to ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "WARNING: Adding ssh to ${_wservices} failed!"
  fi
fi

umount "${_my_etcdir}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
	echo "Removed sshd from ${_inetcnf}"
      else
	echo "Removing sshd from ${_inetcnf} failed!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ ${_nt} -gt 0 ]
then
  # But only if it is not already installed
  if ! cygrunsrv -Q sshd > /dev/null 2>&1
  then
    echo
    echo
    echo "Warning: The following functions require administrator privileges!"
    echo
    echo "Do you want to install sshd as service?"
    if request "(Say \"no\" if it's already installed as service)"
    then
      if [ $_nt2003 -gt 0 ]
      then
	grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
	if [ "${sshd_server_in_passwd}" = "yes" ]
	then
	  # Drop sshd_server from passwd since it could have wrong settings
	  grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
	  rm -f ${SYSCONFDIR}/passwd
	  mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
	  chmod g-w,o-w ${SYSCONFDIR}/passwd
	fi
	net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
	if [ "${sshd_server_in_sam}" != "yes" ]
	then
	  echo
	  echo "You appear to be running Windows 2003 Server or later.  On 2003 and"
	  echo "later systems, it's not possible to use the LocalSystem account"
	  echo "if sshd should allow passwordless logon (e. g. public key authentication)."
	  echo "If you want to enable that functionality, it's required to create a new"
	  echo "account 'sshd_server' with special privileges, which is then used to run"
	  echo "the sshd service under."
	  echo
	  echo "Should this script create a new local account 'sshd_server' which has"
	  if request "the required privileges?"
	  then
	    _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
	    if [ -z "${_admingroup}" ]
	    then
	      echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
	      exit 1
	    fi
	    dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	    while [ "${sshd_server_in_sam}" != "yes" ]
	    do
	      if [ -n "${password_value}" ]
	      then
		_password="${password_value}"
		# Allow to ask for password if first try fails
		password_value=""
	      else
		echo
		echo "Please enter a password for new user 'sshd_server'.  Please be sure that"
		echo "this password matches the password rules given on your system."
		echo -n "Entering no password will exit the configuration.  PASSWORD="
		read -e _password
		if [ -z "${_password}" ]
		then
		  echo
		  echo "Exiting configuration.  No user sshd_server has been created,"
		  echo "no sshd service installed."
		  exit 1
		fi
	      fi
	      net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
	      if [ "${sshd_server_in_sam}" != "yes" ]
	      then
		echo "Creating the user 'sshd_server' failed!  Reason:"
		cat /tmp/nu.$$
		rm /tmp/nu.$$
	      fi
	    done
	    net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
	    if [ "${sshd_server_in_admingroup}" != "yes" ]
	    then
	      echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
	      echo "Please add sshd_server to local group ${_admingroup} before"
	      echo "starting the sshd service!"
	      echo
	    fi
	    passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
	    if [ "${passwd_has_expiry_flags}" != "yes" ]
	    then
	      echo
	      echo "WARNING: User sshd_server has password expiry set to system default."
	      echo "Please check that password never expires or set it to your needs."
	    elif ! passwd -e sshd_server
	    then
	      echo
	      echo "WARNING: Setting password expiry for user sshd_server failed!"
	      echo "Please check that password never expires or set it to your needs."
	    fi
	    editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
	    editrights -a SeCreateTokenPrivilege -u sshd_server &&
	    editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
	    editrights -a SeDenyNetworkLogonRight -u sshd_server &&
	    editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
	    editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
	    editrights -a SeServiceLogonRight -u sshd_server &&
	    sshd_server_got_all_rights="yes"
	    if [ "${sshd_server_got_all_rights}" != "yes" ]
	    then
	      echo
	      echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
	      echo "Can't create sshd service!"
	      exit 1
	    fi
	    echo
	    echo "User 'sshd_server' has been created with password '${_password}'."
	    echo "If you change the password, please keep in mind to change the password"
	    echo "for the sshd service, too."
	    echo
	    echo "Also keep in mind that the user sshd_server needs read permissions on all"
	    echo "users' .ssh/authorized_keys file to allow public key authentication for"
	    echo "these users!.  (Re-)running ssh-user-config for each user will set the"
	    echo "required permissions correctly."
	    echo
	  fi
	fi
	if [ "${sshd_server_in_sam}" = "yes" ]
	then
	  mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
	fi
      fi
      if [ -n "${cygwin_value}" ]
      then
	_cygwin="${cygwin_value}"
      else
	echo
	echo "Which value should the environment variable CYGWIN have when"
	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	echo "able to change user context without password."
	echo -n "Default is \"ntsec\".  CYGWIN="
	read -e _cygwin
      fi
      [ -z "${_cygwin}" ] && _cygwin="ntsec"
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
	then
	  echo
	  echo "The service has been installed under sshd_server account."
	  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	fi
      else
	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
	then
	  echo
	  echo "The service has been installed under LocalSystem account."
	  echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	fi
      fi
    fi
    # Now check if sshd has been successfully installed.  This allows to
    # set the ownership of the affected files correctly.
    if cygrunsrv -Q sshd > /dev/null 2>&1
    then
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
	_user="sshd_server"
      else
	_user="system"
      fi
      chown "${_user}" ${SYSCONFDIR}/ssh*
      chown "${_user}".544 ${LOCALSTATEDIR}/empty
      chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
      then
	chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
      fi
    fi
    if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
    then
      echo
      echo "Warning: It appears that you have user mode mounts (\"Just me\""
      echo "chosen during install.)  Any daemons installed as services will"
      echo "fail to function unless system mounts are used.  To change this,"
      echo "re-run setup.exe and choose \"All users\"."
      echo
      echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
    fi
  fi
fi

echo
echo "Host configuration finished. Have fun!"
Commit	Line	Data
9e936326	1	#!/bin/bash
95273555	2	#
9e936326	3	# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
95273555	4	#
	5	# This file is part of the Cygwin port of OpenSSH.
	6
95273555	7	# Subdirectory where the new package is being installed
	8	PREFIX=/usr
	9
	10	# Directory where the config files are stored
	11	SYSCONFDIR=/etc
9e936326	12	LOCALSTATEDIR=/var
95273555	13
f4ebf0e8	14	progname=$0
f4ebf0e8	15	auto_answer=""
f52798a4	16	port_number=22
f4ebf0e8	17
d2f95449	18	privsep_configured=no
	19	privsep_used=yes
	20	sshd_in_passwd=no
	21	sshd_in_sam=no
	22
95273555	23	request()
95273555	24	{
f4ebf0e8	25	if [ "${auto_answer}" = "yes" ]
f4ebf0e8	26	then
9e936326	27	echo "$1 (yes/no) yes"
f4ebf0e8	28	return 0
	29	elif [ "${auto_answer}" = "no" ]
	30	then
9e936326	31	echo "$1 (yes/no) no"
f4ebf0e8	32	return 1
	33	fi
	34
95273555	35	answer=""
	36	while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
	37	do
	38	echo -n "$1 (yes/no) "
9e936326	39	read -e answer
95273555	40	done
	41	if [ "X${answer}" = "Xyes" ]
	42	then
	43	return 0
	44	else
	45	return 1
	46	fi
	47	}
	48
f4ebf0e8	49	# Check options
	50
	51	while :
	52	do
	53	case $# in
	54	0)
	55	break
	56	;;
	57	esac
	58
	59	option=$1
	60	shift
	61
9e936326	62	case "${option}" in
f4ebf0e8	63	-d \| --debug )
	64	set -x
	65	;;
	66
	67	-y \| --yes )
	68	auto_answer=yes
	69	;;
	70
	71	-n \| --no )
	72	auto_answer=no
	73	;;
	74
9e936326	75	-c \| --cygwin )
	76	cygwin_value="$1"
	77	shift
	78	;;
	79
f52798a4	80	-p \| --port )
	81	port_number=$1
	82	shift
	83	;;
	84
9e936326	85	-w \| --pwd )
	86	password_value="$1"
	87	shift
	88	;;
	89
f4ebf0e8	90	*)
	91	echo "usage: ${progname} [OPTION]..."
	92	echo
	93	echo "This script creates an OpenSSH host configuration."
	94	echo
	95	echo "Options:"
9e936326	96	echo " --debug -d Enable shell's debug output."
	97	echo " --yes -y Answer all questions with \"yes\" automatically."
	98	echo " --no -n Answer all questions with \"no\" automatically."
	99	echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
	100	echo " --port -p <n> sshd listens on port n."
	101	echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
f4ebf0e8	102	echo
	103	exit 1
	104	;;
	105
	106	esac
	107	done
	108
d2f95449	109	# Check if running on NT
9e936326	110	_sys="`uname`"
	111	_nt=`expr "${_sys}" : "CYGWIN_NT"`
	112	# If running on NT, check if running under 2003 Server or later
	113	if [ ${_nt} -gt 0 ]
	114	then
	115	_nt2003=`uname \| awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
	116	fi
d2f95449	117
95273555	118	# Check for running ssh/sshd processes first. Refuse to do anything while
	119	# some ssh processes are still running
	120
	121	if ps -ef \| grep -v grep \| grep -q ssh
	122	then
	123	echo
	124	echo "There are still ssh processes running. Please shut them down first."
	125	echo
d41f8eed	126	exit 1
95273555	127	fi
	128
	129	# Check for ${SYSCONFDIR} directory
	130
	131	if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
	132	then
	133	echo
	134	echo "${SYSCONFDIR} is existant but not a directory."
	135	echo "Cannot create global configuration files."
	136	echo
	137	exit 1
	138	fi
	139
	140	# Create it if necessary
	141
	142	if [ ! -e "${SYSCONFDIR}" ]
	143	then
	144	mkdir "${SYSCONFDIR}"
	145	if [ ! -e "${SYSCONFDIR}" ]
	146	then
	147	echo
	148	echo "Creating ${SYSCONFDIR} directory failed"
	149	echo
	150	exit 1
	151	fi
	152	fi
	153
d2f95449	154	# Create /var/log and /var/log/lastlog if not already existing
d2f95449	155
f9b93ff8	156	if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
d2f95449	157	then
f9b93ff8	158	echo
	159	echo "${LOCALSTATEDIR}/log is existant but not a directory."
	160	echo "Cannot create ssh host configuration."
	161	echo
	162	exit 1
	163	fi
	164	if [ ! -e ${LOCALSTATEDIR}/log ]
	165	then
	166	mkdir -p ${LOCALSTATEDIR}/log
	167	fi
	168
	169	if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
	170	then
	171	echo
	172	echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
	173	echo "Cannot create ssh host configuration."
	174	echo
	175	exit 1
	176	fi
	177	if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
	178	then
	179	cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
	180	chmod 644 ${LOCALSTATEDIR}/log/lastlog
d2f95449	181	fi
	182
	183	# Create /var/empty file used as chroot jail for privilege separation
9e936326	184	if [ -f ${LOCALSTATEDIR}/empty ]
d2f95449	185	then
9e936326	186	echo "Creating ${LOCALSTATEDIR}/empty failed!"
d2f95449	187	else
9e936326	188	mkdir -p ${LOCALSTATEDIR}/empty
9e936326	189	if [ ${_nt} -gt 0 ]
d2f95449	190	then
9e936326	191	chmod 755 ${LOCALSTATEDIR}/empty
95273555	192	fi
	193	fi
	194
	195	# First generate host keys if not already existing
	196
	197	if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
	198	then
	199	echo "Generating ${SYSCONFDIR}/ssh_host_key"
f4ebf0e8	200	ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
	201	fi
	202
	203	if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
	204	then
	205	echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
	206	ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
95273555	207	fi
	208
	209	if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
	210	then
	211	echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
f4ebf0e8	212	ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
95273555	213	fi
	214
	215	# Check if ssh_config exists. If yes, ask for overwriting
	216
	217	if [ -f "${SYSCONFDIR}/ssh_config" ]
	218	then
	219	if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
	220	then
	221	rm -f "${SYSCONFDIR}/ssh_config"
	222	if [ -f "${SYSCONFDIR}/ssh_config" ]
	223	then
	224	echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
	225	fi
	226	fi
	227	fi
	228
9e936326	229	# Create default ssh_config from skeleton file in /etc/defaults/etc
95273555	230
	231	if [ ! -f "${SYSCONFDIR}/ssh_config" ]
	232	then
f4ebf0e8	233	echo "Generating ${SYSCONFDIR}/ssh_config file"
9e936326	234	cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
9e936326	235	if [ "${port_number}" != "22" ]
f52798a4	236	then
f52798a4	237	echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
9e936326	238	echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
f52798a4	239	fi
95273555	240	fi
	241
	242	# Check if sshd_config exists. If yes, ask for overwriting
	243
	244	if [ -f "${SYSCONFDIR}/sshd_config" ]
	245	then
	246	if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
	247	then
	248	rm -f "${SYSCONFDIR}/sshd_config"
	249	if [ -f "${SYSCONFDIR}/sshd_config" ]
	250	then
	251	echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
	252	fi
d2f95449	253	else
	254	grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
	255	fi
	256	fi
	257
	258	# Prior to creating or modifying sshd_config, care for privilege separation
	259
9e936326	260	if [ "${privsep_configured}" != "yes" ]
d2f95449	261	then
9e936326	262	if [ ${_nt} -gt 0 ]
d2f95449	263	then
	264	echo "Privilege separation is set to yes by default since OpenSSH 3.3."
	265	echo "However, this requires a non-privileged account called 'sshd'."
9e936326	266	echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
d2f95449	267	echo
9e936326	268	if request "Should privilege separation be used?"
d2f95449	269	then
	270	privsep_used=yes
	271	grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
	272	net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
9e936326	273	if [ "${sshd_in_passwd}" != "yes" ]
d2f95449	274	then
aff51935	275	if [ "${sshd_in_sam}" != "yes" ]
d2f95449	276	then
d2f95449	277	echo "Warning: The following function requires administrator privileges!"
9e936326	278	if request "Should this script create a local user 'sshd' on this machine?"
d2f95449	279	then
9e936326	280	dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	281	net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
	282	if [ "${sshd_in_sam}" != "yes" ]
d2f95449	283	then
	284	echo "Warning: Creating the user 'sshd' failed!"
	285	fi
	286	fi
	287	fi
9e936326	288	if [ "${sshd_in_sam}" != "yes" ]
d2f95449	289	then
	290	echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
	291	echo " Privilege separation set to 'no' again!"
	292	echo " Check your ${SYSCONFDIR}/sshd_config file!"
	293	privsep_used=no
	294	else
d41f8eed	295	mkpasswd -l -u sshd \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
d2f95449	296	fi
	297	fi
	298	else
	299	privsep_used=no
	300	fi
	301	else
	302	# On 9x don't use privilege separation. Since security isn't
9e936326	303	# available it just adds useless additional processes.
d2f95449	304	privsep_used=no
95273555	305	fi
	306	fi
	307
9e936326	308	# Create default sshd_config from skeleton files in /etc/defaults/etc or
9e936326	309	# modify to add the missing privsep configuration option
95273555	310
	311	if [ ! -f "${SYSCONFDIR}/sshd_config" ]
	312	then
f4ebf0e8	313	echo "Generating ${SYSCONFDIR}/sshd_config file"
9e936326	314	sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
	315	s/^#Port 22/Port ${port_number}/
	316	s/^#StrictModes yes/StrictModes no/" \
	317	< ${SYSCONFDIR}/defaults/etc/sshd_config \
	318	> ${SYSCONFDIR}/sshd_config
	319	elif [ "${privsep_configured}" != "yes" ]
d2f95449	320	then
d2f95449	321	echo >> ${SYSCONFDIR}/sshd_config
9e936326	322	echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
95273555	323	fi
95273555	324
f52798a4	325	# Care for services file
c3d908f0	326	_my_etcdir="/ssh-host-config.$$"
9e936326	327	if [ ${_nt} -gt 0 ]
95273555	328	then
c3d908f0	329	_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
c3d908f0	330	_services="${_my_etcdir}/services"
9e936326	331	# On NT, 27 spaces, no space after the hash
9e936326	332	_spaces=" #"
f4ebf0e8	333	else
c3d908f0	334	_win_etcdir="${WINDIR}"
c3d908f0	335	_services="${_my_etcdir}/SERVICES"
9e936326	336	# On 9x, 18 spaces (95 is very touchy), a space after the hash
9e936326	337	_spaces=" # "
95273555	338	fi
c3d908f0	339	_serv_tmp="${_my_etcdir}/srv.out.$$"
95273555	340
c3d908f0	341	mount -t -f "${_win_etcdir}" "${_my_etcdir}"
	342
	343	# Depends on the above mount
	344	_wservices=`cygpath -w "${_services}"`
f52798a4	345
	346	# Remove sshd 22/port from services
	347	if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
	348	then
	349	grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
	350	if [ -f "${_serv_tmp}" ]
aff51935	351	then
f52798a4	352	if mv "${_serv_tmp}" "${_services}"
f52798a4	353	then
c3d908f0	354	echo "Removing sshd from ${_wservices}"
f52798a4	355	else
9e936326	356	echo "Removing sshd from ${_wservices} failed!"
aff51935	357	fi
f52798a4	358	rm -f "${_serv_tmp}"
f52798a4	359	else
9e936326	360	echo "Removing sshd from ${_wservices} failed!"
f52798a4	361	fi
f52798a4	362	fi
95273555	363
f52798a4	364	# Add ssh 22/tcp and ssh 22/udp to services
f52798a4	365	if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
95273555	366	then
9e936326	367	if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
95273555	368	then
f4ebf0e8	369	if mv "${_serv_tmp}" "${_services}"
f4ebf0e8	370	then
c3d908f0	371	echo "Added ssh to ${_wservices}"
f4ebf0e8	372	else
9e936326	373	echo "Adding ssh to ${_wservices} failed!"
f4ebf0e8	374	fi
	375	rm -f "${_serv_tmp}"
	376	else
9e936326	377	echo "WARNING: Adding ssh to ${_wservices} failed!"
95273555	378	fi
	379	fi
	380
c3d908f0	381	umount "${_my_etcdir}"
f4ebf0e8	382
f52798a4	383	# Care for inetd.conf file
d2f95449	384	_inetcnf="${SYSCONFDIR}/inetd.conf"
d2f95449	385	_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
f52798a4	386
f52798a4	387	if [ -f "${_inetcnf}" ]
95273555	388	then
f52798a4	389	# Check if ssh service is already in use as sshd
	390	with_comment=1
	391	grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
	392	# Remove sshd line from inetd.conf
	393	if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
	394	then
	395	grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
	396	if [ -f "${_inetcnf_tmp}" ]
	397	then
	398	if mv "${_inetcnf_tmp}" "${_inetcnf}"
	399	then
aff51935	400	echo "Removed sshd from ${_inetcnf}"
f52798a4	401	else
aff51935	402	echo "Removing sshd from ${_inetcnf} failed!"
f52798a4	403	fi
	404	rm -f "${_inetcnf_tmp}"
	405	else
9e936326	406	echo "Removing sshd from ${_inetcnf} failed!"
f52798a4	407	fi
	408	fi
	409
	410	# Add ssh line to inetd.conf
	411	if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
	412	then
	413	if [ "${with_comment}" -eq 0 ]
	414	then
e2c9b9e3	415	echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
f52798a4	416	else
e2c9b9e3	417	echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
f52798a4	418	fi
	419	echo "Added ssh to ${_inetcnf}"
	420	fi
95273555	421	fi
95273555	422
41fcc457	423	# On NT ask if sshd should be installed as service
9e936326	424	if [ ${_nt} -gt 0 ]
41fcc457	425	then
9e936326	426	# But only if it is not already installed
9e936326	427	if ! cygrunsrv -Q sshd > /dev/null 2>&1
41fcc457	428	then
41fcc457	429	echo
9e936326	430	echo
	431	echo "Warning: The following functions require administrator privileges!"
	432	echo
	433	echo "Do you want to install sshd as service?"
	434	if request "(Say \"no\" if it's already installed as service)"
41fcc457	435	then
9e936326	436	if [ $_nt2003 -gt 0 ]
	437	then
	438	grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
	439	if [ "${sshd_server_in_passwd}" = "yes" ]
	440	then
	441	# Drop sshd_server from passwd since it could have wrong settings
	442	grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
	443	rm -f ${SYSCONFDIR}/passwd
	444	mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
	445	chmod g-w,o-w ${SYSCONFDIR}/passwd
	446	fi
	447	net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
	448	if [ "${sshd_server_in_sam}" != "yes" ]
	449	then
	450	echo
	451	echo "You appear to be running Windows 2003 Server or later. On 2003 and"
	452	echo "later systems, it's not possible to use the LocalSystem account"
	453	echo "if sshd should allow passwordless logon (e. g. public key authentication)."
	454	echo "If you want to enable that functionality, it's required to create a new"
	455	echo "account 'sshd_server' with special privileges, which is then used to run"
	456	echo "the sshd service under."
	457	echo
	458	echo "Should this script create a new local account 'sshd_server' which has"
	459	if request "the required privileges?"
	460	then
2b08c2fc	461	_admingroup=`mkgroup -l \| awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
9e936326	462	if [ -z "${_admingroup}" ]
9e936326	463	then
2b08c2fc	464	echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
9e936326	465	exit 1
	466	fi
	467	dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
	468	while [ "${sshd_server_in_sam}" != "yes" ]
	469	do
	470	if [ -n "${password_value}" ]
	471	then
aff51935	472	_password="${password_value}"
9e936326	473	# Allow to ask for password if first try fails
	474	password_value=""
	475	else
	476	echo
	477	echo "Please enter a password for new user 'sshd_server'. Please be sure that"
	478	echo "this password matches the password rules given on your system."
	479	echo -n "Entering no password will exit the configuration. PASSWORD="
	480	read -e _password
	481	if [ -z "${_password}" ]
	482	then
	483	echo
	484	echo "Exiting configuration. No user sshd_server has been created,"
	485	echo "no sshd service installed."
	486	exit 1
	487	fi
	488	fi
	489	net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
	490	if [ "${sshd_server_in_sam}" != "yes" ]
	491	then
	492	echo "Creating the user 'sshd_server' failed! Reason:"
	493	cat /tmp/nu.$$
	494	rm /tmp/nu.$$
	495	fi
	496	done
	497	net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
	498	if [ "${sshd_server_in_admingroup}" != "yes" ]
	499	then
	500	echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
	501	echo "Please add sshd_server to local group ${_admingroup} before"
	502	echo "starting the sshd service!"
	503	echo
	504	fi
	505	passwd_has_expiry_flags=`passwd -v \| awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
	506	if [ "${passwd_has_expiry_flags}" != "yes" ]
	507	then
	508	echo
	509	echo "WARNING: User sshd_server has password expiry set to system default."
	510	echo "Please check that password never expires or set it to your needs."
	511	elif ! passwd -e sshd_server
	512	then
	513	echo
	514	echo "WARNING: Setting password expiry for user sshd_server failed!"
	515	echo "Please check that password never expires or set it to your needs."
	516	fi
	517	editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
	518	editrights -a SeCreateTokenPrivilege -u sshd_server &&
	519	editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
	520	editrights -a SeDenyNetworkLogonRight -u sshd_server &&
	521	editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
	522	editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
	523	editrights -a SeServiceLogonRight -u sshd_server &&
	524	sshd_server_got_all_rights="yes"
	525	if [ "${sshd_server_got_all_rights}" != "yes" ]
	526	then
	527	echo
	528	echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
	529	echo "Can't create sshd service!"
	530	exit 1
	531	fi
	532	echo
	533	echo "User 'sshd_server' has been created with password '${_password}'."
	534	echo "If you change the password, please keep in mind to change the password"
	535	echo "for the sshd service, too."
	536	echo
537	echo "Also keep in mind that the user sshd_server needs read permissions on all"
538	echo "users' .ssh/authorized_keys file to allow public key authentication for"
539	echo "these users!. (Re-)running ssh-user-config for each user will set the"
540	echo "required permissions correctly."
541	echo
542	fi
543	fi
544	if [ "${sshd_server_in_sam}" = "yes" ]
545	then
546	mkpasswd -l -u sshd_server \| sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
547	fi
548	fi
549	if [ -n "${cygwin_value}" ]
550	then
aff51935	551	_cygwin="${cygwin_value}"
9e936326	552	else
	553	echo
	554	echo "Which value should the environment variable CYGWIN have when"
	555	echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
	556	echo "able to change user context without password."
	557	echo -n "Default is \"ntsec\". CYGWIN="
	558	read -e _cygwin
	559	fi
	560	[ -z "${_cygwin}" ] && _cygwin="ntsec"
	561	if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
	562	then
794febd2	563	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
9e936326	564	then
	565	echo
	566	echo "The service has been installed under sshd_server account."
	567	echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	568	fi
	569	else
794febd2	570	if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
9e936326	571	then
	572	echo
	573	echo "The service has been installed under LocalSystem account."
	574	echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
	575	fi
	576	fi
	577	fi
	578	# Now check if sshd has been successfully installed. This allows to
	579	# set the ownership of the affected files correctly.
	580	if cygrunsrv -Q sshd > /dev/null 2>&1
	581	then
	582	if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
	583	then
aff51935	584	_user="sshd_server"
9e936326	585	else
aff51935	586	_user="system"
9e936326	587	fi
	588	chown "${_user}" ${SYSCONFDIR}/ssh*
	589	chown "${_user}".544 ${LOCALSTATEDIR}/empty
f9b93ff8	590	chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
9e936326	591	if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
	592	then
	593	chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
	594	fi
41fcc457	595	fi
25882b6d	596	if ! ( mount \| egrep -q 'on /(\|usr/(bin\|lib)) type system' )
	597	then
	598	echo
	599	echo "Warning: It appears that you have user mode mounts (\"Just me\""
	600	echo "chosen during install.) Any daemons installed as services will"
	601	echo "fail to function unless system mounts are used. To change this,"
	602	echo "re-run setup.exe and choose \"All users\"."
	603	echo
	604	echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
	605	fi
41fcc457	606	fi
	607	fi
	608
95273555	609	echo
f4ebf0e8	610	echo "Host configuration finished. Have fun!"