3 # ssh-host-config, Copyright 2000, Red Hat Inc.
5 # This file is part of the Cygwin port of OpenSSH.
# NOTE(review): this is a partial listing — every surviving line carries its
# original line number, and the then/else/fi/do/done/EOF lines, the `read` of
# the operator's answers and the function headers are not in view. The
# comments added here describe only what the visible lines establish.
7 # Subdirectory where the new package is being installed
10 # Directory where the config files are stored
13 # Subdirectory where an old package might be installed
15 OLDSYSCONFDIR=${OLDPREFIX}/etc
# Yes/no prompt helper — presumably the body of the `request` function used
# further down (its header is not in view). auto_answer short-circuits the
# prompt (presumably set by --yes/--no, see the usage text); otherwise it loops
# until the answer is exactly "yes" or "no". The "X" prefix keeps old `test`
# implementations from misreading an empty or option-like answer.
28 if [ "${auto_answer}" = "yes" ]
31 elif [ "${auto_answer}" = "no" ]
37 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
# `echo -n` is not portable; printf '%s ' "$1 (yes/no)" is the safe spelling.
39 echo -n "$1 (yes/no) "
42 if [ "X${answer}" = "Xyes" ]
# Usage text. The helper's header and the option-parsing loop that consumes
# these flags are not in view.
82 echo "usage: ${progname} [OPTION]..."
84 echo "This script creates an OpenSSH host configuration."
87 echo " --debug -d Enable shell's debug output."
88 echo " --yes -y Answer all questions with \"yes\" automatically."
89 echo " --no -n Answer all questions with \"no\" automatically."
90 echo " --port -p <n> sshd listens on port n."
98 # Check if running on NT
# `expr STRING : REGEX` prints the length of the match (0 if "$_sys" does not
# start with CYGWIN_NT). _sys is assigned out of view — presumably from uname.
100 _nt=`expr "$_sys" : "CYGWIN_NT"`
102 # Check for running ssh/sshd processes first. Refuse to do anything while
103 # some ssh processes are still running
# Substring match on the whole ps line: any process whose name or path
# contains "ssh" (ssh-agent included) blocks the script; `grep -v grep` drops
# grep's own entry.
105 if ps -ef | grep -v grep | grep -q ssh
108 echo "There are still ssh processes running. Please shut them down first."
113 # Check for ${SYSCONFDIR} directory
# `-a` inside [ ] is deprecated and ambiguous; `[ -e x ] && [ ! -d x ]` is the
# portable form.
115 if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
118 echo "${SYSCONFDIR} is existant but not a directory."
119 echo "Cannot create global configuration files."
124 # Create it if necessary
126 if [ ! -e "${SYSCONFDIR}" ]
# Success is detected by re-checking existence rather than mkdir's status.
128 mkdir "${SYSCONFDIR}"
129 if [ ! -e "${SYSCONFDIR}" ]
132 echo "Creating ${SYSCONFDIR} directory failed"
138 # Create /var/log and /var/log/lastlog if not already existing
# NOTE(review): inside double quotes the shell keeps the backslash before "!"
# (history expansion is off in scripts), so this message prints a literal
# "\!". The same applies to every other "failed\!" message below.
142 echo "Creating /var/log failed\!"
148 if [ -d /var/log/lastlog ]
150 echo "Creating /var/log/lastlog failed\!"
151 elif [ ! -f /var/log/lastlog ]
# Creates an empty lastlog; `: > /var/log/lastlog` does the same without a
# fork.
153 cat /dev/null > /var/log/lastlog
157 # Create /var/empty file used as chroot jail for privilege separation
160 echo "Creating /var/empty failed\!"
163 # On NT change ownership of that dir to user "system"
# `user.group` is the old chown spelling; `system:system` is the current one.
# No chmod of /var/empty is in view — sshd expects the privsep directory to
# be root-owned and not group/world writable; verify that is handled
# elsewhere.
167 chown system.system /var/empty
171 # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
172 # the same as ${PREFIX}
175 if [ "${OLDPREFIX}" != "${PREFIX}" ]
177 if [ -f "${OLDPREFIX}/sbin/sshd" ]
180 echo "You seem to have an older installation in ${OLDPREFIX}."
182 # Check if old global configuration files exist
183 if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
185 if request "Do you want to copy your config files to your new installation?"
# Paths are unquoted in this cp list (and in the rm list below); quote them as
# the tests above do. Only the v1 and DSA host keys are carried over — there
# is no ssh_host_rsa_key copy, so the RSA key is generated fresh further down.
187 cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
188 cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
189 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
190 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
191 cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
192 cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
# Asked independently of the copy question above: answering "yes" here also
# deletes the old host keys (lines 204-207) even when they were not copied.
# Should OLDPREFIX ever be empty, these targets collapse to /bin/..., /sbin/...
# — `${OLDPREFIX:?}` would guard that, and the paths should be quoted.
195 if request "Do you want to erase your old installation?"
197 rm -f ${OLDPREFIX}/bin/ssh.exe
198 rm -f ${OLDPREFIX}/bin/ssh-config
199 rm -f ${OLDPREFIX}/bin/scp.exe
200 rm -f ${OLDPREFIX}/bin/ssh-add.exe
201 rm -f ${OLDPREFIX}/bin/ssh-agent.exe
202 rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
203 rm -f ${OLDPREFIX}/bin/slogin
204 rm -f ${OLDSYSCONFDIR}/ssh_host_key
205 rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
206 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
207 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
208 rm -f ${OLDSYSCONFDIR}/ssh_config
209 rm -f ${OLDSYSCONFDIR}/sshd_config
210 rm -f ${OLDPREFIX}/man/man1/ssh.1
211 rm -f ${OLDPREFIX}/man/man1/scp.1
212 rm -f ${OLDPREFIX}/man/man1/ssh-add.1
213 rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
214 rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
215 rm -f ${OLDPREFIX}/man/man1/slogin.1
216 rm -f ${OLDPREFIX}/man/man8/sshd.8
217 rm -f ${OLDPREFIX}/sbin/sshd.exe
218 rm -f ${OLDPREFIX}/sbin/sftp-server.exe
224 # First generate host keys if not already existing
# An empty passphrase (-N '') is expected for host keys: sshd must read them
# unattended. rsa1 is the SSH protocol-1 key type, which later OpenSSH
# releases dropped. The -f paths are unquoted here.
226 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
228 echo "Generating ${SYSCONFDIR}/ssh_host_key"
229 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
232 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
234 echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
235 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
238 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
240 echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
241 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
244 # Check if ssh_config exists. If yes, ask for overwriting
246 if [ -f "${SYSCONFDIR}/ssh_config" ]
248 if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
250 rm -f "${SYSCONFDIR}/ssh_config"
# A failed rm is detected by re-checking existence rather than its status.
251 if [ -f "${SYSCONFDIR}/ssh_config" ]
253 echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
258 # Create default ssh_config from here script
# The here-doc below writes the client config (its EOF terminator is not in
# view); the delimiter is unquoted, so shell expansions inside it are live.
# After it, when --port gave something other than 22, a "Host localhost" /
# "Port n" stanza is appended so local clients use that port. The target path
# of the redirection is unquoted.
260 if [ ! -f "${SYSCONFDIR}/ssh_config" ]
262 echo "Generating ${SYSCONFDIR}/ssh_config file"
263 cat > ${SYSCONFDIR}/ssh_config << EOF
264 # This is the ssh client system-wide configuration file. See
265 # ssh_config(5) for more information. This file provides defaults for
266 # users, and the values can be changed in per-user configuration files
267 # or on the command line.
269 # Configuration data is parsed as follows:
270 # 1. command line options
271 # 2. user-specific file
272 # 3. system-wide file
273 # Any configuration value is only changed the first time it is set.
274 # Thus, host-specific definitions should be at the beginning of the
275 # configuration file, and defaults at the end.
277 # Site-wide defaults for various options
282 # RhostsAuthentication no
283 # RhostsRSAAuthentication no
284 # RSAAuthentication yes
285 # PasswordAuthentication yes
288 # StrictHostKeyChecking ask
289 # IdentityFile ~/.ssh/identity
290 # IdentityFile ~/.ssh/id_dsa
291 # IdentityFile ~/.ssh/id_rsa
295 # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
298 if [ "$port_number" != "22" ]
300 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
301 echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
305 # Check if sshd_config exists. If yes, ask for overwriting
307 if [ -f "${SYSCONFDIR}/sshd_config" ]
309 if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
311 rm -f "${SYSCONFDIR}/sshd_config"
312 if [ -f "${SYSCONFDIR}/sshd_config" ]
314 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
# NOTE(review): this unanchored grep also matches a commented-out
# "#UsePrivilegeSeparation" line; the option is then treated as configured and
# the append at line 462 is skipped. '^[ \t]*UsePrivilegeSeparation' would
# only match an active directive. The file path is unquoted.
317 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
321 # Prior to creating or modifying sshd_config, care for privilege separation
323 if [ "$privsep_configured" != "yes" ]
327 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
328 echo "However, this requires a non-privileged account called 'sshd'."
329 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
331 if request "Shall privilege separation be used?"
# Privsep needs an unprivileged 'sshd' account both in the Cygwin passwd file
# and in the Windows account database (net user); each is probed before
# anything is created.
334 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
335 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
336 if [ "$sshd_in_passwd" != "yes" ]
338 if [ "$sshd_in_sam" != "yes" ]
340 echo "Warning: The following function requires administrator privileges!"
341 if request "Shall this script create a local user 'sshd' on this machine?"
# The account is created disabled (/active:no) with /var/empty as its home:
# it exists only as the privsep identity and is not meant to be usable for
# logon. cygpath -w yields the Windows spelling of the path for `net user`.
343 dos_var_empty=`cygpath -w /var/empty`
344 net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
345 if [ "$sshd_in_sam" != "yes" ]
347 echo "Warning: Creating the user 'sshd' failed!"
351 if [ "$sshd_in_sam" != "yes" ]
353 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
354 echo " Privilege separation set to 'no' again!"
355 echo " Check your ${SYSCONFDIR}/sshd_config file!"
# Imports the Windows account into passwd with a non-login shell. The sed only
# rewrites a shell field ending in "bash"; if mkpasswd emits a different shell
# the entry keeps it — worth checking on the target system.
358 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
365 # On 9x don't use privilege separation. Since security isn't
366 # available it just adds useless additional processes.
371 # Create default sshd_config from here script or modify to add the
372 # missing privsep configuration option
# The here-doc below (EOF terminator not in view) has an unquoted delimiter:
# ${SYSCONFDIR} in the commented HostKey lines and $privsep_used in the
# active UsePrivilegeSeparation line are expanded when the file is written.
# The elif branch after it appends the directive to an existing sshd_config
# that lacks it.
374 if [ ! -f "${SYSCONFDIR}/sshd_config" ]
376 echo "Generating ${SYSCONFDIR}/sshd_config file"
377 cat > ${SYSCONFDIR}/sshd_config << EOF
378 # This is the sshd server system-wide configuration file. See
379 # sshd_config(5) for more information.
381 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
383 # The strategy used for options in the default sshd_config shipped with
384 # OpenSSH is to specify options with their default value where
385 # possible, but leave them commented. Uncommented options change a
390 #ListenAddress 0.0.0.0
393 # HostKey for protocol version 1
394 #HostKey ${SYSCONFDIR}/ssh_host_key
395 # HostKeys for protocol version 2
396 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
397 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
399 # Lifetime and size of ephemeral version 1 server key
400 #KeyRegenerationInterval 3600
404 #obsoletes QuietMode and FascistLogging
412 # The following setting overrides permission checks on host key files
413 # and directories. For security reasons set this to "yes" when running
414 # NT/W2K, NTFS and CYGWIN=ntsec.
417 #RSAAuthentication yes
418 #PubkeyAuthentication yes
419 #AuthorizedKeysFile .ssh/authorized_keys
421 # rhosts authentication should not be used
422 #RhostsAuthentication no
423 # Don't read the user's ~/.rhosts and ~/.shosts files
425 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
426 #RhostsRSAAuthentication no
427 # similar for protocol version 2
428 #HostbasedAuthentication no
429 # Change to yes if you don't trust ~/.ssh/known_hosts for
430 # RhostsRSAAuthentication and HostbasedAuthentication
431 #IgnoreUserKnownHosts no
433 # To disable tunneled clear text passwords, change to no here!
434 #PasswordAuthentication yes
435 #PermitEmptyPasswords no
437 # Change to no to disable s/key passwords
438 #ChallengeResponseAuthentication yes
447 UsePrivilegeSeparation $privsep_used
448 #PermitUserEnvironment no
452 # no default banner path
454 #VerifyReverseMapping no
456 # override default of no subsystems
457 Subsystem sftp /usr/sbin/sftp-server
459 elif [ "$privsep_configured" != "yes" ]
461 echo >> ${SYSCONFDIR}/sshd_config
462 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
465 # Care for services file
# Pick the Windows services file (NT versus 9x layout — the if/else around
# these four assignments is not in view) plus a temp file next to it, map both
# Windows paths into the Cygwin namespace with cygpath/mount, and unmount
# them again once editing is done (lines 516-517).
468 _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
469 _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
471 _wservices="${WINDIR}\\SERVICES"
472 _wserv_tmp="${WINDIR}\\SERV.$$"
474 _services=`cygpath -u "${_wservices}"`
475 _serv_tmp=`cygpath -u "${_wserv_tmp}"`
477 mount -t -f "${_wservices}" "${_services}"
478 mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
480 # Remove sshd 22/port from services
# The backtick `grep -q …; echo $?` only re-derives grep's exit status;
# `if grep -q …` says the same directly (also at lines 499, 529 and 547).
481 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
483 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
484 if [ -f "${_serv_tmp}" ]
486 if mv "${_serv_tmp}" "${_services}"
488 echo "Removing sshd from ${_services}"
490 echo "Removing sshd from ${_services} failed\!"
494 echo "Removing sshd from ${_services} failed\!"
498 # Add ssh 22/tcp and ssh 22/udp to services
# NOTE(review): awk inserts the two ssh lines only in front of entries whose
# second field starts with "23/tcp" (telnet). If no such entry exists the file
# is copied unchanged, the mv still succeeds and "Added ssh" is printed even
# though nothing was added; a final grep for the new entry would catch that.
499 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
501 awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
502 if [ -f "${_serv_tmp}" ]
504 if mv "${_serv_tmp}" "${_services}"
506 echo "Added ssh to ${_services}"
508 echo "Adding ssh to ${_services} failed\!"
512 echo "Adding ssh to ${_services} failed\!"
516 umount "${_services}"
517 umount "${_serv_tmp}"
519 # Care for inetd.conf file
520 _inetcnf="${SYSCONFDIR}/inetd.conf"
521 _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
523 if [ -f "${_inetcnf}" ]
525 # Check if ssh service is already in use as sshd
# with_comment's initial value is assigned out of view (if it were unset the
# -eq test at line 549 would error). An active, uncommented sshd entry makes
# the replacement ssh entry active too (line 551); otherwise it is added
# commented out (line 553).
527 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
528 # Remove sshd line from inetd.conf
529 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
# `>>` appends to the temp file where `>` is the intent; the $$ suffix makes a
# stale file unlikely, so this is cosmetic.
531 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
532 if [ -f "${_inetcnf_tmp}" ]
534 if mv "${_inetcnf_tmp}" "${_inetcnf}"
536 echo "Removed sshd from ${_inetcnf}"
538 echo "Removing sshd from ${_inetcnf} failed\!"
540 rm -f "${_inetcnf_tmp}"
542 echo "Removing sshd from ${_inetcnf} failed\!"
546 # Add ssh line to inetd.conf
# '^[# \t]*ssh' also matches commented entries, so an existing commented ssh
# line suppresses adding a new one.
547 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
549 if [ "${with_comment}" -eq 0 ]
551 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
553 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
555 echo "Added ssh to ${_inetcnf}"
559 # On NT ask if sshd should be installed as service
563 echo "Do you want to install sshd as service?"
564 if request "(Say \"no\" if it's already installed as service)"
# The CYGWIN value typed by the operator (the `read` into _cygwin is not in
# view) becomes the service's environment via cygrunsrv -e; an empty answer
# falls back to "binmode ntsec tty".
567 echo "Which value should the environment variable CYGWIN have when"
568 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
569 echo "able to change user context without password."
570 echo -n "Default is \"binmode ntsec tty\". CYGWIN="
572 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
# Installs sshd as a Windows service. It runs as LocalSystem (see the message
# below), so the host keys and config files matching ${SYSCONFDIR}/ssh* are
# handed to user "system"; the glob is deliberately unquoted. No chmod of the
# private keys is in view — confirm their mode stays owner-only.
573 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
575 chown system ${SYSCONFDIR}/ssh*
577 echo "The service has been installed under LocalSystem account."
# old_install is set out of view — presumably in the old-installation branch
# above.
582 if [ "${old_install}" = "1" ]
585 echo "Note: If you have used sshd as service or from inetd, don't forget to"
586 echo " change the path to sshd.exe in the service entry or in inetd.conf."
590 echo "Host configuration finished. Have fun!"