3 # ssh-host-config, Copyright 2000, Red Hat Inc.
5 # This file is part of the Cygwin port of OpenSSH.
7 # Subdirectory where the new package is being installed
10 # Directory where the config files are stored
13 # Subdirectory where an old package might be installed
# NOTE(review): OLDPREFIX (and PREFIX/SYSCONFDIR) are assigned outside this
# view. The old-installation cleanup below removes files beneath these paths,
# so they must be non-empty -- an empty OLDPREFIX would make this plain "/etc".
15 OLDSYSCONFDIR=${OLDPREFIX}/etc
28 if [ "${auto_answer}" = "yes" ]
31 elif [ "${auto_answer}" = "no" ]
37 while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
39 echo -n "$1 (yes/no) "
42 if [ "X${answer}" = "Xyes" ]
82 echo "usage: ${progname} [OPTION]..."
84 echo "This script creates an OpenSSH host configuration."
87 echo " --debug -d Enable shell's debug output."
88 echo " --yes -y Answer all questions with \"yes\" automatically."
89 echo " --no -n Answer all questions with \"no\" automatically."
90 echo " --port -p <n> sshd listens on port n."
98 # Check if running on NT
# _nt holds the length of the leading "CYGWIN_NT" match in $_sys (0 when it
# does not match); $_sys is assigned outside this view -- presumably from uname.
100 _nt=`expr "$_sys" : "CYGWIN_NT"`
102 # Check for running ssh/sshd processes first. Refuse to do anything while
103 # some ssh processes are still running
# This is a plain substring match on the whole ps line: any process whose
# command, arguments or owner contains "ssh" makes the check fire, and only
# the grep process itself is excluded.
105 if ps -ef | grep -v grep | grep -q ssh
108 echo "There are still ssh processes running. Please shut them down first."
113 # Check for ${SYSCONFDIR} directory
# A non-directory at the config path is fatal; -a is the legacy conjunction
# inside single-bracket test.
115 if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
118 echo "${SYSCONFDIR} is existant but not a directory."
119 echo "Cannot create global configuration files."
124 # Create it if necessary
126 if [ ! -e "${SYSCONFDIR}" ]
# mkdir's exit status is not checked; success is inferred by re-testing
# existence. The directory mode is whatever the umask yields.
128 mkdir "${SYSCONFDIR}"
129 if [ ! -e "${SYSCONFDIR}" ]
132 echo "Creating ${SYSCONFDIR} directory failed"
138 # Create /var/log and /var/log/lastlog if not already existing
142 echo "Creating /var/log failed\!"
# A directory named lastlog is treated as a failure (presumably because a
# regular file is expected there); an absent file is created empty, with its
# mode taken from the umask.
148 if [ -d /var/log/lastlog ]
150 echo "Creating /var/log/lastlog failed\!"
151 elif [ ! -f /var/log/lastlog ]
153 cat /dev/null > /var/log/lastlog
157 # Create /var/empty file used as chroot jail for privilege separation
160 echo "Creating /var/empty failed\!"
163 # On NT change ownership of that dir to user "system"
# Only the owner is changed here; the directory's permission bits are not set
# anywhere in this view. OpenSSH's privsep checks also reject a group- or
# world-writable /var/empty, so verify the mode where the directory is created.
167 chown system.system /var/empty
171 # Check for an old installation in ${OLDPREFIX}, but only if ${OLDPREFIX}
172 # isn't the same as ${PREFIX}
175 if [ "${OLDPREFIX}" != "${PREFIX}" ]
177 if [ -f "${OLDPREFIX}/sbin/sshd" ]
180 echo "You seem to have an older installation in ${OLDPREFIX}."
182 # Check if old global configuration files exist
# The protocol-1 host key is used as the marker for an old configuration.
# Only the keys listed below are carried over; ssh_host_rsa_key is not copied
# and is generated fresh further down.
183 if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
185 if request "Do you want to copy your config files to your new installation?"
# The path variables are unquoted in the cp and rm lines that follow, so a
# prefix containing whitespace would be split into separate arguments.
187 cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
188 cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
189 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
190 cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
191 cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
192 cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
# "Erase" removes only the files listed below, including the old private host
# keys; directories under ${OLDPREFIX} are left in place.
195 if request "Do you want to erase your old installation?"
197 rm -f ${OLDPREFIX}/bin/ssh.exe
198 rm -f ${OLDPREFIX}/bin/ssh-config
199 rm -f ${OLDPREFIX}/bin/scp.exe
200 rm -f ${OLDPREFIX}/bin/ssh-add.exe
201 rm -f ${OLDPREFIX}/bin/ssh-agent.exe
202 rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
203 rm -f ${OLDPREFIX}/bin/slogin
204 rm -f ${OLDSYSCONFDIR}/ssh_host_key
205 rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
206 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
207 rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
208 rm -f ${OLDSYSCONFDIR}/ssh_config
209 rm -f ${OLDSYSCONFDIR}/sshd_config
210 rm -f ${OLDPREFIX}/man/man1/ssh.1
211 rm -f ${OLDPREFIX}/man/man1/scp.1
212 rm -f ${OLDPREFIX}/man/man1/ssh-add.1
213 rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
214 rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
215 rm -f ${OLDPREFIX}/man/man1/slogin.1
216 rm -f ${OLDPREFIX}/man/man8/sshd.8
217 rm -f ${OLDPREFIX}/sbin/sshd.exe
218 rm -f ${OLDPREFIX}/sbin/sftp-server.exe
224 # First generate host keys if not already existing
# Host keys are created with an empty passphrase (-N '') so sshd can start
# unattended. ssh-keygen's output and exit status are both discarded, so a
# failed generation is not reported here and would only surface later.
# The rsa1 key serves SSH protocol 1 only.
226 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
228 echo "Generating ${SYSCONFDIR}/ssh_host_key"
229 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
232 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
234 echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
235 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
238 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
240 echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
241 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
244 # Check if ssh_config exists. If yes, ask for overwriting
246 if [ -f "${SYSCONFDIR}/ssh_config" ]
248 if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
# A file that survives rm -f is reported as write protected; the same pattern
# is used for sshd_config below.
250 rm -f "${SYSCONFDIR}/ssh_config"
251 if [ -f "${SYSCONFDIR}/ssh_config" ]
253 echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
258 # Create default ssh_config from here script
260 if [ ! -f "${SYSCONFDIR}/ssh_config" ]
262 echo "Generating ${SYSCONFDIR}/ssh_config file"
# Everything from here to the EOF terminator (not shown on this page) is
# written verbatim into ssh_config, so no script comments belong inside it.
# The terminator is unquoted, so $vars would be expanded in the generated text.
# The "# Ciphers ..." line reproduces the client default list of that era
# (CBC modes, arcfour); it is a comment in the generated file, not an enforced
# setting.
263 cat > ${SYSCONFDIR}/ssh_config << EOF
264 # This is the ssh client system-wide configuration file. See
265 # ssh_config(5) for more information. This file provides defaults for
266 # users, and the values can be changed in per-user configuration files
267 # or on the command line.
269 # Configuration data is parsed as follows:
270 # 1. command line options
271 # 2. user-specific file
272 # 3. system-wide file
273 # Any configuration value is only changed the first time it is set.
274 # Thus, host-specific definitions should be at the beginning of the
275 # configuration file, and defaults at the end.
277 # Site-wide defaults for various options
282 # RhostsRSAAuthentication no
283 # RSAAuthentication yes
284 # PasswordAuthentication yes
285 # HostbasedAuthentication no
290 # StrictHostKeyChecking ask
291 # IdentityFile ~/.ssh/identity
292 # IdentityFile ~/.ssh/id_dsa
293 # IdentityFile ~/.ssh/id_rsa
297 # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
300 if [ "$port_number" != "22" ]
302 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
303 echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
307 # Check if sshd_config exists. If yes, ask for overwriting
309 if [ -f "${SYSCONFDIR}/sshd_config" ]
311 if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
313 rm -f "${SYSCONFDIR}/sshd_config"
314 if [ -f "${SYSCONFDIR}/sshd_config" ]
316 echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
# Unanchored match: a commented-out "#UsePrivilegeSeparation" line in an
# existing sshd_config also counts as configured, in which case no directive
# is appended further down.
319 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
323 # Prior to creating or modifying sshd_config, care for privilege separation
325 if [ "$privsep_configured" != "yes" ]
329 echo "Privilege separation is set to yes by default since OpenSSH 3.3."
330 echo "However, this requires a non-privileged account called 'sshd'."
331 echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
333 if request "Shall privilege separation be used?"
# Two lookups: the Cygwin passwd file and the Windows SAM (net user).
336 grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
337 net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
338 if [ "$sshd_in_passwd" != "yes" ]
340 if [ "$sshd_in_sam" != "yes" ]
342 echo "Warning: The following function requires administrator privileges!"
343 if request "Shall this script create a local user 'sshd' on this machine?"
# The account is created disabled (/active:no) with the chroot jail as its
# home directory. net user's own diagnostics are discarded, so only its exit
# status says whether it succeeded.
345 dos_var_empty=`cygpath -w /var/empty`
346 net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
347 if [ "$sshd_in_sam" != "yes" ]
349 echo "Warning: Creating the user 'sshd' failed!"
353 if [ "$sshd_in_sam" != "yes" ]
355 echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
356 echo " Privilege separation set to 'no' again!"
357 echo " Check your ${SYSCONFDIR}/sshd_config file!"
# The sed rewrites a trailing "bash" shell to "false" so the entry gets a
# non-login shell; an entry whose shell field does not end in "bash" is
# appended unchanged.
360 mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
367 # On 9x don't use privilege separation. Since security isn't
368 # available it just adds useless additional processes.
# privsep_used is assigned outside this view; it is written into sshd_config
# below.
373 # Create default sshd_config from here script or modify to add the
374 # missing privsep configuration option
376 if [ ! -f "${SYSCONFDIR}/sshd_config" ]
378 echo "Generating ${SYSCONFDIR}/sshd_config file"
# Here-document with an unquoted terminator: ${SYSCONFDIR} and $privsep_used
# are expanded into the generated file. Everything up to the EOF line (not
# shown on this page) is file content, so no script comments belong inside it.
# The HostKey lines are emitted commented out, i.e. the generated file relies
# on sshd's built-in default key paths.
379 cat > ${SYSCONFDIR}/sshd_config << EOF
380 # This is the sshd server system-wide configuration file. See
381 # sshd_config(5) for more information.
383 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
385 # The strategy used for options in the default sshd_config shipped with
386 # OpenSSH is to specify options with their default value where
387 # possible, but leave them commented. Uncommented options change a
392 #ListenAddress 0.0.0.0
395 # HostKey for protocol version 1
396 #HostKey ${SYSCONFDIR}/ssh_host_key
397 # HostKeys for protocol version 2
398 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
399 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
401 # Lifetime and size of ephemeral version 1 server key
402 #KeyRegenerationInterval 1h
406 #obsoletes QuietMode and FascistLogging
414 # The following setting overrides permission checks on host key files
415 # and directories. For security reasons set this to "yes" when running
416 # NT/W2K, NTFS and CYGWIN=ntsec.
419 #RSAAuthentication yes
420 #PubkeyAuthentication yes
421 #AuthorizedKeysFile .ssh/authorized_keys
423 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
424 #RhostsRSAAuthentication no
425 # similar for protocol version 2
426 #HostbasedAuthentication no
427 # Change to yes if you don't trust ~/.ssh/known_hosts for
428 # RhostsRSAAuthentication and HostbasedAuthentication
429 #IgnoreUserKnownHosts no
430 # Don't read the user's ~/.rhosts and ~/.shosts files
433 # To disable tunneled clear text passwords, change to no here!
434 #PasswordAuthentication yes
435 #PermitEmptyPasswords no
437 # Change to no to disable s/key passwords
438 #ChallengeResponseAuthentication yes
440 #AllowTcpForwarding yes
449 UsePrivilegeSeparation $privsep_used
450 #PermitUserEnvironment no
452 #ClientAliveInterval 0
453 #ClientAliveCountMax 3
455 #PidFile /var/run/sshd.pid
458 # no default banner path
461 # override default of no subsystems
462 Subsystem sftp /usr/sbin/sftp-server
464 elif [ "$privsep_configured" != "yes" ]
# Existing sshd_config without a privsep directive: append one at the end.
466 echo >> ${SYSCONFDIR}/sshd_config
467 echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
470 # Care for services file
# The Windows etc directory is mounted at a PID-suffixed path under / so the
# services file can be edited with POSIX tools. The NT and 9x branches pick
# different directories and file names (the surrounding if/else is not shown).
471 _my_etcdir="/ssh-host-config.$$"
474 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
475 _services="${_my_etcdir}/services"
477 _win_etcdir="${WINDIR}"
478 _services="${_my_etcdir}/SERVICES"
# The scratch copy lives inside the Windows etc directory itself, under a
# PID-suffixed name.
480 _serv_tmp="${_my_etcdir}/srv.out.$$"
482 mount -t -f "${_win_etcdir}" "${_my_etcdir}"
484 # Depends on the above mount
485 _wservices=`cygpath -w "${_services}"`
487 # Remove sshd 22/port from services
# `grep -q ...; echo $?` inside backticks only captures grep's exit status;
# the whole test is equivalent to `if grep -q ...`. The same idiom recurs for
# the ssh line and for inetd.conf below.
488 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
490 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
# The -f test on the scratch file is the only success check for the redirect
# above; grep -v's own exit status is not examined.
491 if [ -f "${_serv_tmp}" ]
493 if mv "${_serv_tmp}" "${_services}"
495 echo "Removing sshd from ${_wservices}"
497 echo "Removing sshd from ${_wservices} failed\!"
501 echo "Removing sshd from ${_wservices} failed\!"
505 # Add ssh 22/tcp and ssh 22/udp to services
# The ssh entries are inserted immediately before the telnet (23/tcp) line.
# If the services file has no such line, awk still copies it unchanged, the mv
# succeeds and "Added ssh" is reported although nothing was added.
506 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
508 awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
509 if [ -f "${_serv_tmp}" ]
511 if mv "${_serv_tmp}" "${_services}"
513 echo "Added ssh to ${_wservices}"
515 echo "Adding ssh to ${_wservices} failed\!"
519 echo "Adding ssh to ${_wservices} failed\!"
523 umount "${_my_etcdir}"
525 # Care for inetd.conf file
526 _inetcnf="${SYSCONFDIR}/inetd.conf"
527 _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
529 if [ -f "${_inetcnf}" ]
531 # Check if ssh service is already in use as sshd
# with_comment decides whether the new ssh line is written active (0) or
# commented out; its default is set outside this view.
533 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
534 # Remove sshd line from inetd.conf
# Matches both active and commented-out sshd lines.
535 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
# Note the >> here: the scratch file is appended to rather than created, unlike
# the services case above, so a leftover file with the same PID suffix would be
# merged into the result.
537 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
538 if [ -f "${_inetcnf_tmp}" ]
540 if mv "${_inetcnf_tmp}" "${_inetcnf}"
542 echo "Removed sshd from ${_inetcnf}"
544 echo "Removing sshd from ${_inetcnf} failed\!"
546 rm -f "${_inetcnf_tmp}"
548 echo "Removing sshd from ${_inetcnf} failed\!"
552 # Add ssh line to inetd.conf
# Only added when no ssh line (active or commented) is present. It is written
# active only if an active sshd line was found above; otherwise it is left
# commented out so inetd does not start listening without an explicit decision.
553 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
555 if [ "${with_comment}" -eq 0 ]
557 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
559 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
561 echo "Added ssh to ${_inetcnf}"
565 # On NT ask if sshd should be installed as service
569 echo "Do you want to install sshd as service?"
570 if request "(Say \"no\" if it's already installed as service)"
573 echo "Which value should the environment variable CYGWIN have when"
574 echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
575 echo "able to change user context without password."
576 echo -n "Default is \"binmode ntsec tty\". CYGWIN="
# The read into _cygwin is not visible on this page; an empty answer falls
# back to the default announced above.
578 [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
# -a -D passes sshd's "do not detach" flag so it runs under cygrunsrv; -e seeds
# CYGWIN into the service environment. Only when installation succeeds are the
# config files and host keys handed over to the system account below.
579 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
# The unquoted glob is intentional (it has to expand) and also covers the
# private host keys. Ownership only -- file modes are not touched here.
581 chown system ${SYSCONFDIR}/ssh*
583 echo "The service has been installed under LocalSystem account."
# old_install is set where the old installation was detected (outside this
# view).
588 if [ "${old_install}" = "1" ]
591 echo "Note: If you have used sshd as service or from inetd, don't forget to"
592 echo " change the path to sshd.exe in the service entry or in inetd.conf."
596 echo "Host configuration finished. Have fun!"