#
# This file is part of the Cygwin port of OpenSSH.
+# ======================================================================
+# Initialization
+# ======================================================================
+PROGNAME=$(basename $0)
+_tdir=$(dirname $0)
+PROGDIR=$(cd $_tdir && pwd)
+
+CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
+
# Subdirectory where the new package is being installed
PREFIX=/usr
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
-progname=$0
-auto_answer=""
-port_number=22
+source ${CSIH_SCRIPT}
+port_number=22
privsep_configured=no
privsep_used=yes
-sshd_in_passwd=no
-sshd_in_sam=no
+cygwin_value="ntsec"
+password_value=
+
+# ======================================================================
+# Routine: create_host_keys
+# ======================================================================
+create_host_keys() {
+ if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
+ then
+ csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
+ ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
+ fi
+
+ if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
+ then
+ csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
+ ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
+ fi
+
+ if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
+ then
+ csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
+ ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
+ fi
+} # --- End of create_host_keys --- #
+
+# ======================================================================
+# Routine: update_services_file
+# ======================================================================
+update_services_file() {
+ local _my_etcdir="/ssh-host-config.$$"
+ local _win_etcdir
+ local _services
+ local _spaces
+ local _serv_tmp
+ local _wservices
+
+ if csih_is_nt
+ then
+ _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+ _services="${_my_etcdir}/services"
+ # On NT, 27 spaces, no space after the hash
+ _spaces=" #"
+ else
+ _win_etcdir="${WINDIR}"
+ _services="${_my_etcdir}/SERVICES"
+ # On 9x, 18 spaces (95 is very touchy), a space after the hash
+ _spaces=" # "
+ fi
+ _serv_tmp="${_my_etcdir}/srv.out.$$"
+
+ mount -t -f "${_win_etcdir}" "${_my_etcdir}"
+
+ # Depends on the above mount
+ _wservices=`cygpath -w "${_services}"`
+
+ # Remove sshd 22/port from services
+ if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
+ then
+ grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
+ if [ -f "${_serv_tmp}" ]
+ then
+ if mv "${_serv_tmp}" "${_services}"
+ then
+ csih_inform "Removing sshd from ${_wservices}"
+ else
+ csih_warning "Removing sshd from ${_wservices} failed!"
+ fi
+ rm -f "${_serv_tmp}"
+ else
+ csih_warning "Removing sshd from ${_wservices} failed!"
+ fi
+ fi
+
+ # Add ssh 22/tcp and ssh 22/udp to services
+ if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+ then
+ if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
+ then
+ if mv "${_serv_tmp}" "${_services}"
+ then
+ csih_inform "Added ssh to ${_wservices}"
+ else
+ csih_warning "Adding ssh to ${_wservices} failed!"
+ fi
+ rm -f "${_serv_tmp}"
+ else
+ csih_warning "Adding ssh to ${_wservices} failed!"
+ fi
+ fi
+ umount "${_my_etcdir}"
+} # --- End of update_services_file --- #
-request()
-{
- if [ "${auto_answer}" = "yes" ]
+# ======================================================================
+# Routine: sshd_privsep
+# MODIFIES: privsep_configured privsep_used
+# ======================================================================
+sshd_privsep() {
+ local sshdconfig_tmp
+
+ if [ "${privsep_configured}" != "yes" ]
+ then
+ if csih_is_nt
+ then
+ csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
+ csih_inform "However, this requires a non-privileged account called 'sshd'."
+ csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
+ if csih_request "Should privilege separation be used?"
+ then
+ privsep_used=yes
+ if ! csih_create_unprivileged_user sshd
+ then
+ csih_warning "Couldn't create user 'sshd'!"
+ csih_warning "Privilege separation set to 'no' again!"
+ csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+ privsep_used=no
+ fi
+ else
+ privsep_used=no
+ fi
+ else
+ # On 9x don't use privilege separation. Since security isn't
+ # available it just adds useless additional processes.
+ privsep_used=no
+ fi
+ fi
+
+ # Create default sshd_config from skeleton files in /etc/defaults/etc or
+ # modify to add the missing privsep configuration option
+ if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
- echo "$1 (yes/no) yes"
- return 0
- elif [ "${auto_answer}" = "no" ]
+ csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+ sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
+ sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
+ s/^#Port 22/Port ${port_number}/
+ s/^#StrictModes yes/StrictModes no/" \
+ < ${SYSCONFDIR}/sshd_config \
+ > "${sshdconfig_tmp}"
+ mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+ elif [ "${privsep_configured}" != "yes" ]
then
- echo "$1 (yes/no) no"
- return 1
+ echo >> ${SYSCONFDIR}/sshd_config
+ echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi
+} # --- End of sshd_privsep --- #
+
+# ======================================================================
+# Routine: update_inetd_conf
+# ======================================================================
+update_inetd_conf() {
+ local _inetcnf="${SYSCONFDIR}/inetd.conf"
+ local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
+ local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
+ local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
+ local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
+ local _with_comment=1
+
+ if [ -d "${_inetcnf_dir}" ]
+ then
+ # we have inetutils-1.5 inetd.d support
+ if [ -f "${_inetcnf}" ]
+ then
+ grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+
+ # check for sshd OR ssh in top-level inetd.conf file, and remove
+ # will be replaced by a file in inetd.d/
+ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+ then
+ grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
+ if [ -f "${_inetcnf_tmp}" ]
+ then
+ if mv "${_inetcnf_tmp}" "${_inetcnf}"
+ then
+ csih_inform "Removed ssh[d] from ${_inetcnf}"
+ else
+ csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+ fi
+ rm -f "${_inetcnf_tmp}"
+ else
+ csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+ fi
+ fi
+ fi
+
+ csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
+ if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
+ then
+ if [ "${_with_comment}" -eq 0 ]
+ then
+ sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+ else
+ sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+ fi
+ mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
+ csih_inform "Updated ${_sshd_inetd_conf}"
+ fi
- answer=""
- while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
- do
- echo -n "$1 (yes/no) "
- read -e answer
- done
- if [ "X${answer}" = "Xyes" ]
+ elif [ -f "${_inetcnf}" ]
then
- return 0
- else
- return 1
+ grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+
+ # check for sshd in top-level inetd.conf file, and remove
+ # will be replaced by a file in inetd.d/
+ if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+ then
+ grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+ if [ -f "${_inetcnf_tmp}" ]
+ then
+ if mv "${_inetcnf_tmp}" "${_inetcnf}"
+ then
+ csih_inform "Removed sshd from ${_inetcnf}"
+ else
+ csih_warning "Removing sshd from ${_inetcnf} failed!"
+ fi
+ rm -f "${_inetcnf_tmp}"
+ else
+ csih_warning "Removing sshd from ${_inetcnf} failed!"
+ fi
+ fi
+
+ # Add ssh line to inetd.conf
+ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
+ then
+ if [ "${_with_comment}" -eq 0 ]
+ then
+ echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+ else
+ echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+ fi
+ csih_inform "Added ssh to ${_inetcnf}"
+ fi
fi
-}
+} # --- End of update_inetd_conf --- #
-# Check options
+# ======================================================================
+# Routine: install_service
+# Install sshd as a service
+# ======================================================================
+install_service() {
+ local run_service_as
+ local password
+ if csih_is_nt
+ then
+ if ! cygrunsrv -Q sshd >/dev/null 2>&1
+ then
+ echo
+ echo
+ csih_warning "The following functions require administrator privileges!"
+ echo
+ echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
+ if csih_request "(Say \"no\" if it is already installed as a service)"
+ then
+ csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
+ csih_inform "for sshd to be able to change user context without password."
+ csih_get_cygenv "${cygwin_value}"
+
+ if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+ then
+ csih_inform "On Windows Server 2003, Windows Vista, and above, the"
+ csih_inform "SYSTEM account cannot setuid to other users -- a capability"
+ csih_inform "sshd requires. You need to have or to create a privileged"
+ csih_inform "account. This script will help you do so."
+ echo
+ if ! csih_create_privileged_user "${password_value}"
+ then
+ csih_error_recoverable "There was a serious problem creating a privileged user."
+ csih_request "Do you want to proceed anyway?" || exit 1
+ fi
+ fi
+
+ # never returns empty if NT or above
+ run_service_as=$(csih_service_should_run_as)
+
+ if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
+ then
+ password="${csih_PRIVILEGED_PASSWORD}"
+ if [ -z "${password}" ]
+ then
+ csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
+ password="${csih_value}"
+ fi
+ fi
+
+ # at this point, we either have $run_service_as = "system" and $password is empty,
+ # or $run_service_as is some privileged user and (hopefully) $password contains
+ # the correct password. So, from here out, we use '-z "${password}"' to discriminate
+ # the two cases.
+
+ csih_check_user "${run_service_as}"
+
+ if [ -z "${password}" ]
+ then
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
+ -e CYGWIN="${csih_cygenv}"
+ then
+ echo
+ csih_inform "The sshd service has been installed under the LocalSystem"
+ csih_inform "account (also known as SYSTEM). To start the service now, call"
+ csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
+ csih_inform "will start automatically after the next reboot."
+ fi
+ else
+ if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
+ -e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
+ then
+ echo
+ csih_inform "The sshd service has been installed under the '${run_service_as}'"
+ csih_inform "account. To start the service now, call \`net start sshd' or"
+ csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
+ csih_inform "after the next reboot."
+ fi
+ fi
+
+ # now, if successfully installed, set ownership of the affected files
+ if cygrunsrv -Q sshd >/dev/null 2>&1
+ then
+ chown "${run_service_as}" ${SYSCONFDIR}/ssh*
+ chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
+ chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
+ if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+ then
+ chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
+ fi
+ else
+ csih_warning "Something went wrong installing the sshd service."
+ fi
+ fi # user allowed us to install as service
+ fi # service not yet installed
+ fi # csih_is_nt
+} # --- End of install_service --- #
+
+# ======================================================================
+# Main Entry Point
+# ======================================================================
+
+# Check how the script has been started. If
+# (1) it has been started by giving the full path and
+# that path is /etc/postinstall, OR
+# (2) Otherwise, if the environment variable
+# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
+# then set auto_answer to "no". This allows automatic
+# creation of the config files in /etc w/o overwriting
+# them if they already exist. In both cases, color
+# escape sequences are suppressed, so as to prevent
+# cluttering setup's logfiles.
+if [ "$PROGDIR" = "/etc/postinstall" ]
+then
+ csih_auto_answer="no"
+ csih_disable_color
+fi
+if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
+then
+ csih_auto_answer="no"
+ csih_disable_color
+fi
+
+# ======================================================================
+# Parse options
+# ======================================================================
while :
do
case $# in
case "${option}" in
-d | --debug )
set -x
+ csih_trace_on
;;
-y | --yes )
- auto_answer=yes
+ csih_auto_answer=yes
;;
-n | --no )
- auto_answer=no
+ csih_auto_answer=no
;;
-c | --cygwin )
shift
;;
+ --privileged )
+ csih_FORCE_PRIVILEGED_USER=yes
+ ;;
+
*)
echo "usage: ${progname} [OPTION]..."
echo
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
- echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
+ echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
+ echo " --privileged On Windows NT/2k/XP, require privileged user"
+ echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
-# Check if running on NT
-_sys="`uname`"
-_nt=`expr "${_sys}" : "CYGWIN_NT"`
-# If running on NT, check if running under 2003 Server or later
-if [ ${_nt} -gt 0 ]
-then
- _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
-fi
+# ======================================================================
+# Action!
+# ======================================================================
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
-
if ps -ef | grep -v grep | grep -q ssh
then
echo
- echo "There are still ssh processes running. Please shut them down first."
- echo
- exit 1
+ csih_error "There are still ssh processes running. Please shut them down first."
fi
# Check for ${SYSCONFDIR} directory
+csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
+chmod 775 "${SYSCONFDIR}"
+setfacl -m u:system:rwx "${SYSCONFDIR}"
-if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
-then
- echo
- echo "${SYSCONFDIR} exists but is not a directory."
- echo "Cannot create global configuration files."
- echo
- exit 1
-fi
-
-# Create it if necessary
-
-if [ ! -e "${SYSCONFDIR}" ]
-then
- mkdir "${SYSCONFDIR}"
- if [ ! -e "${SYSCONFDIR}" ]
- then
- echo
- echo "Creating ${SYSCONFDIR} directory failed"
- echo
- exit 1
- fi
-fi
-
-# Create /var/log and /var/log/lastlog if not already existing
-
-if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ]
-then
- echo
- echo "${LOCALSTATEDIR}/log exists but is not a directory."
- echo "Cannot create ssh host configuration."
- echo
- exit 1
-fi
-if [ ! -e ${LOCALSTATEDIR}/log ]
-then
- mkdir -p ${LOCALSTATEDIR}/log
-fi
+# Check for /var/log directory
+csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
+chmod 775 "${LOCALSTATEDIR}/log"
+setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
+# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
echo
- echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file."
- echo "Cannot create ssh host configuration."
- echo
- exit 1
+ csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
+ "Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
fi
# Create /var/empty file used as chroot jail for privilege separation
-if [ -e ${LOCALSTATEDIR}/empty -a ! -d ${LOCALSTATEDIR}/empty ]
-then
- echo
- echo "${LOCALSTATEDIR}/empty exists but is not a directory."
- echo "Cannot create ssh host configuration."
- echo
- exit 1
-if [ ! -e ${LOCALSTATEDIR}/empty ]
-then
- if ! mkdir -p ${LOCALSTATEDIR}/empty
- then
- echo
- echo "Creating ${LOCALSTATEDIR}/empty directory failed."
- echo "Cannot create ssh host configuration."
- echo
- exit 1
- fi
- if [ ${_nt} -gt 0 ]
- then
- chmod 755 ${LOCALSTATEDIR}/empty
- fi
-fi
+csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
+chmod 755 "${LOCALSTATEDIR}/empty"
+setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
-# First generate host keys if not already existing
+# host keys
+create_host_keys
-if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
-then
- echo "Generating ${SYSCONFDIR}/ssh_host_key"
- ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
-fi
-
-if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
-then
- echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
- ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
-fi
-
-if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
-then
- echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
- ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
-fi
+# use 'cmp' program to determine if a config file is identical
+# to the default version of that config file
+csih_check_program_or_error cmp diffutils
-# Check if ssh_config exists. If yes, ask for overwriting
-if [ -f "${SYSCONFDIR}/ssh_config" ]
+# handle ssh_config
+csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
+if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
- if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
- then
- rm -f "${SYSCONFDIR}/ssh_config"
- if [ -f "${SYSCONFDIR}/ssh_config" ]
- then
- echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
- fi
- fi
-fi
-
-# Create default ssh_config from skeleton file in /etc/defaults/etc
-
-if [ ! -f "${SYSCONFDIR}/ssh_config" ]
-then
- echo "Generating ${SYSCONFDIR}/ssh_config file"
- cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "${port_number}" != "22" ]
then
+ csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
-# Check if sshd_config exists. If yes, ask for overwriting
-
-if [ -f "${SYSCONFDIR}/sshd_config" ]
+# handle sshd_config (and privsep)
+csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
+if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
- if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
- then
- rm -f "${SYSCONFDIR}/sshd_config"
- if [ -f "${SYSCONFDIR}/sshd_config" ]
- then
- echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
- fi
- else
- grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
- fi
+ grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
+sshd_privsep
-# Prior to creating or modifying sshd_config, care for privilege separation
-if [ "${privsep_configured}" != "yes" ]
-then
- if [ ${_nt} -gt 0 ]
- then
- echo "Privilege separation is set to yes by default since OpenSSH 3.3."
- echo "However, this requires a non-privileged account called 'sshd'."
- echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
- echo
- if request "Should privilege separation be used?"
- then
- privsep_used=yes
- grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
- net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
- if [ "${sshd_in_passwd}" != "yes" ]
- then
- if [ "${sshd_in_sam}" != "yes" ]
- then
- echo "Warning: The following function requires administrator privileges!"
- if request "Should this script create a local user 'sshd' on this machine?"
- then
- dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
- net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
- if [ "${sshd_in_sam}" != "yes" ]
- then
- echo "Warning: Creating the user 'sshd' failed!"
- fi
- fi
- fi
- if [ "${sshd_in_sam}" != "yes" ]
- then
- echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
- echo " Privilege separation set to 'no' again!"
- echo " Check your ${SYSCONFDIR}/sshd_config file!"
- privsep_used=no
- else
- mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
- fi
- fi
- else
- privsep_used=no
- fi
- else
- # On 9x don't use privilege separation. Since security isn't
- # available it just adds useless additional processes.
- privsep_used=no
- fi
-fi
-
-# Create default sshd_config from skeleton files in /etc/defaults/etc or
-# modify to add the missing privsep configuration option
-
-if [ ! -f "${SYSCONFDIR}/sshd_config" ]
-then
- echo "Generating ${SYSCONFDIR}/sshd_config file"
- sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
- s/^#Port 22/Port ${port_number}/
- s/^#StrictModes yes/StrictModes no/" \
- < ${SYSCONFDIR}/defaults/etc/sshd_config \
- > ${SYSCONFDIR}/sshd_config
-elif [ "${privsep_configured}" != "yes" ]
-then
- echo >> ${SYSCONFDIR}/sshd_config
- echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
-fi
-
-# Care for services file
-_my_etcdir="/ssh-host-config.$$"
-if [ ${_nt} -gt 0 ]
-then
- _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
- _services="${_my_etcdir}/services"
- # On NT, 27 spaces, no space after the hash
- _spaces=" #"
-else
- _win_etcdir="${WINDIR}"
- _services="${_my_etcdir}/SERVICES"
- # On 9x, 18 spaces (95 is very touchy), a space after the hash
- _spaces=" # "
-fi
-_serv_tmp="${_my_etcdir}/srv.out.$$"
-
-mount -t -f "${_win_etcdir}" "${_my_etcdir}"
-# Depends on the above mount
-_wservices=`cygpath -w "${_services}"`
-
-# Remove sshd 22/port from services
-if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-then
- grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
- if [ -f "${_serv_tmp}" ]
- then
- if mv "${_serv_tmp}" "${_services}"
- then
- echo "Removing sshd from ${_wservices}"
- else
- echo "Removing sshd from ${_wservices} failed!"
- fi
- rm -f "${_serv_tmp}"
- else
- echo "Removing sshd from ${_wservices} failed!"
- fi
-fi
-
-# Add ssh 22/tcp and ssh 22/udp to services
-if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
-then
- if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
- then
- if mv "${_serv_tmp}" "${_services}"
- then
- echo "Added ssh to ${_wservices}"
- else
- echo "Adding ssh to ${_wservices} failed!"
- fi
- rm -f "${_serv_tmp}"
- else
- echo "WARNING: Adding ssh to ${_wservices} failed!"
- fi
-fi
-
-umount "${_my_etcdir}"
-
-# Care for inetd.conf file
-_inetcnf="${SYSCONFDIR}/inetd.conf"
-_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
-
-if [ -f "${_inetcnf}" ]
-then
- # Check if ssh service is already in use as sshd
- with_comment=1
- grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
- # Remove sshd line from inetd.conf
- if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
- then
- grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
- if [ -f "${_inetcnf_tmp}" ]
- then
- if mv "${_inetcnf_tmp}" "${_inetcnf}"
- then
- echo "Removed sshd from ${_inetcnf}"
- else
- echo "Removing sshd from ${_inetcnf} failed!"
- fi
- rm -f "${_inetcnf_tmp}"
- else
- echo "Removing sshd from ${_inetcnf} failed!"
- fi
- fi
-
- # Add ssh line to inetd.conf
- if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
- then
- if [ "${with_comment}" -eq 0 ]
- then
- echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
- else
- echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
- fi
- echo "Added ssh to ${_inetcnf}"
- fi
-fi
-
-# On NT ask if sshd should be installed as service
-if [ ${_nt} -gt 0 ]
-then
- # But only if it is not already installed
- if ! cygrunsrv -Q sshd > /dev/null 2>&1
- then
- echo
- echo
- echo "Warning: The following functions require administrator privileges!"
- echo
- echo "Do you want to install sshd as service?"
- if request "(Say \"no\" if it's already installed as service)"
- then
- if [ $_nt2003 -gt 0 ]
- then
- grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
- if [ "${sshd_server_in_passwd}" = "yes" ]
- then
- # Drop sshd_server from passwd since it could have wrong settings
- grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
- rm -f ${SYSCONFDIR}/passwd
- mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
- chmod g-w,o-w ${SYSCONFDIR}/passwd
- fi
- net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
- if [ "${sshd_server_in_sam}" != "yes" ]
- then
- echo
- echo "You appear to be running Windows 2003 Server or later. On 2003 and"
- echo "later systems, it's not possible to use the LocalSystem account"
- echo "if sshd should allow passwordless logon (e. g. public key authentication)."
- echo "If you want to enable that functionality, it's required to create a new"
- echo "account 'sshd_server' with special privileges, which is then used to run"
- echo "the sshd service under."
- echo
- echo "Should this script create a new local account 'sshd_server' which has"
- if request "the required privileges?"
- then
- _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
- if [ -z "${_admingroup}" ]
- then
- echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
- exit 1
- fi
- dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
- while [ "${sshd_server_in_sam}" != "yes" ]
- do
- if [ -n "${password_value}" ]
- then
- _password="${password_value}"
- # Allow to ask for password if first try fails
- password_value=""
- else
- echo
- echo "Please enter a password for new user 'sshd_server'. Please be sure that"
- echo "this password matches the password rules given on your system."
- echo -n "Entering no password will exit the configuration. PASSWORD="
- read -e _password
- if [ -z "${_password}" ]
- then
- echo
- echo "Exiting configuration. No user sshd_server has been created,"
- echo "no sshd service installed."
- exit 1
- fi
- fi
- net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
- if [ "${sshd_server_in_sam}" != "yes" ]
- then
- echo "Creating the user 'sshd_server' failed! Reason:"
- cat /tmp/nu.$$
- rm /tmp/nu.$$
- fi
- done
- net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
- if [ "${sshd_server_in_admingroup}" != "yes" ]
- then
- echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
- echo "Please add sshd_server to local group ${_admingroup} before"
- echo "starting the sshd service!"
- echo
- fi
- passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
- if [ "${passwd_has_expiry_flags}" != "yes" ]
- then
- echo
- echo "WARNING: User sshd_server has password expiry set to system default."
- echo "Please check that password never expires or set it to your needs."
- elif ! passwd -e sshd_server
- then
- echo
- echo "WARNING: Setting password expiry for user sshd_server failed!"
- echo "Please check that password never expires or set it to your needs."
- fi
- editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
- editrights -a SeCreateTokenPrivilege -u sshd_server &&
- editrights -a SeTcbPrivilege -u sshd_server &&
- editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
- editrights -a SeDenyNetworkLogonRight -u sshd_server &&
- editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
- editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
- editrights -a SeServiceLogonRight -u sshd_server &&
- sshd_server_got_all_rights="yes"
- if [ "${sshd_server_got_all_rights}" != "yes" ]
- then
- echo
- echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
- echo "Can't create sshd service!"
- exit 1
- fi
- echo
- echo "User 'sshd_server' has been created with password '${_password}'."
- echo "If you change the password, please keep in mind to change the password"
- echo "for the sshd service, too."
- echo
- echo "Also keep in mind that the user sshd_server needs read permissions on all"
- echo "users' .ssh/authorized_keys file to allow public key authentication for"
- echo "these users!. (Re-)running ssh-user-config for each user will set the"
- echo "required permissions correctly."
- echo
- fi
- fi
- if [ "${sshd_server_in_sam}" = "yes" ]
- then
- mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
- fi
- fi
- if [ -n "${cygwin_value}" ]
- then
- _cygwin="${cygwin_value}"
- else
- echo
- echo "Which value should the environment variable CYGWIN have when"
- echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
- echo "able to change user context without password."
- echo -n "Default is \"ntsec\". CYGWIN="
- read -e _cygwin
- fi
- [ -z "${_cygwin}" ] && _cygwin="ntsec"
- if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
- then
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
- then
- echo
- echo "The service has been installed under sshd_server account."
- echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
- fi
- else
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
- then
- echo
- echo "The service has been installed under LocalSystem account."
- echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
- fi
- fi
- fi
- # Now check if sshd has been successfully installed. This allows to
- # set the ownership of the affected files correctly.
- if cygrunsrv -Q sshd > /dev/null 2>&1
- then
- if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
- then
- _user="sshd_server"
- else
- _user="system"
- fi
- chown "${_user}" ${SYSCONFDIR}/ssh*
- chown "${_user}".544 ${LOCALSTATEDIR}/empty
- chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
- if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
- then
- chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
- fi
- fi
- if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
- then
- echo
- echo "Warning: It appears that you have user mode mounts (\"Just me\""
- echo "chosen during install.) Any daemons installed as services will"
- echo "fail to function unless system mounts are used. To change this,"
- echo "re-run setup.exe and choose \"All users\"."
- echo
- echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
- fi
- fi
-fi
+update_services_file
+update_inetd_conf
+install_service
echo
-echo "Host configuration finished. Have fun!"
+csih_inform "Host configuration finished. Have fun!"
+
-#!/bin/sh
+#!/bin/bash
#
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
+# ======================================================================
+# Initialization
+# ======================================================================
+PROGNAME=$(basename -- $0)
+_tdir=$(dirname -- $0)
+PROGDIR=$(cd $_tdir && pwd)
+
+CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
+
+# Subdirectory where the new package is being installed
+PREFIX=/usr
+
# Directory where the config files are stored
SYSCONFDIR=/etc
-progname=$0
-auto_answer=""
+source ${CSIH_SCRIPT}
+
auto_passphrase="no"
passphrase=""
+pwdhome=
+with_passphrase=
+
+# ======================================================================
+# Routine: create_ssh1_identity
+# optionally create ~/.ssh/identity[.pub]
+# optionally add result to ~/.ssh/authorized_keys
+# ======================================================================
+create_ssh1_identity() {
+ if [ ! -f "${pwdhome}/.ssh/identity" ]
+ then
+ if csih_request "Shall I create an SSH1 RSA identity file for you?"
+ then
+ csih_inform "Generating ${pwdhome}/.ssh/identity"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
+ else
+ ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
+ fi
+ if csih_request "Do you want to use this identity to login to this machine?"
+ then
+ csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+ fi
+} # === End of create_ssh1_identity() === #
+readonly -f create_ssh1_identity
+
+# ======================================================================
+# Routine: create_ssh2_rsa_identity
+# optionally create ~/.ssh/id_rsa[.pub]
+# optionally add result to ~/.ssh/authorized_keys
+# ======================================================================
+create_ssh2_rsa_identity() {
+ if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
+ then
+ if csih_request "Shall I create an SSH2 RSA identity file for you?"
+ then
+ csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
+ else
+ ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
+ fi
+ if csih_request "Do you want to use this identity to login to this machine?"
+ then
+ csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+ fi
+} # === End of create_ssh2_rsa_identity() === #
+readonly -f create_ssh2_rsa_identity
+
+# ======================================================================
+# Routine: create_ssh2_dsa_identity
+# optionally create ~/.ssh/id_dsa[.pub]
+# optionally add result to ~/.ssh/authorized_keys
+# ======================================================================
+create_ssh2_dsa_identity() {
+ if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
+ then
+ if csih_request "Shall I create an SSH2 DSA identity file for you?"
+ then
+ csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
+ if [ "${with_passphrase}" = "yes" ]
+ then
+ ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
+ else
+ ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
+ fi
+ if csih_request "Do you want to use this identity to login to this machine?"
+ then
+ csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
+ cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
+ fi
+ fi
+ fi
+} # === End of create_ssh2_dsa_identity() === #
+readonly -f create_ssh2_dsa_identity
+
+# ======================================================================
+# Routine: check_user_homedir
+# Perform various checks on the user's home directory
+# SETS GLOBAL VARIABLE:
+# pwdhome
+# ======================================================================
+check_user_homedir() {
+ local uid=$(id -u)
+ pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
+ if [ "X${pwdhome}" = "X" ]
+ then
+ csih_error_multiline \
+ "There is no home directory set for you in ${SYSCONFDIR}/passwd." \
+ 'Setting $HOME is not sufficient!'
+ fi
+
+ if [ ! -d "${pwdhome}" ]
+ then
+ csih_error_multiline \
+ "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
+ 'but it is not a valid directory. Cannot create user identity files.'
+ fi
+
+ # If home is the root dir, set home to empty string to avoid error messages
+ # in subsequent parts of that script.
+ if [ "X${pwdhome}" = "X/" ]
+ then
+ # But first raise a warning!
+ csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
+ if csih_request "Would you like to proceed anyway?"
+ then
+ pwdhome=''
+ else
+ csih_warning "Exiting. Configuration is not complete"
+ exit 1
+ fi
+ fi
+
+ if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+ then
+ echo
+ csih_warning 'group and other have been revoked write permission to your home'
+ csih_warning "directory ${pwdhome}."
+ csih_warning 'This is required by OpenSSH to allow public key authentication using'
+ csih_warning 'the key files stored in your .ssh subdirectory.'
+ csih_warning 'Revert this change ONLY if you know what you are doing!'
+ echo
+ fi
+} # === End of check_user_homedir() === #
+readonly -f check_user_homedir
-request()
-{
- if [ "${auto_answer}" = "yes" ]
+# ======================================================================
+# Routine: check_user_dot_ssh_dir
+# Perform various checks on the ~/.ssh directory
+# PREREQUISITE:
+# pwdhome -- check_user_homedir()
+# ======================================================================
+check_user_dot_ssh_dir() {
+ if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
- return 0
- elif [ "${auto_answer}" = "no" ]
+ csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
+ fi
+
+ if [ ! -e "${pwdhome}/.ssh" ]
then
- return 1
+ mkdir "${pwdhome}/.ssh"
+ if [ ! -e "${pwdhome}/.ssh" ]
+ then
+ csih_error "Creating users ${pwdhome}/.ssh directory failed"
+ fi
fi
+} # === End of check_user_dot_ssh_dir() === #
+readonly -f check_user_dot_ssh_dir
- answer=""
- while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
- do
- echo -n "$1 (yes/no) "
- read answer
- done
- if [ "X${answer}" = "Xyes" ]
+# ======================================================================
+# Routine: fix_authorized_keys_perms
+# Corrects the permissions of ~/.ssh/authorized_keys
+# PREREQUISITE:
+# pwdhome -- check_user_homedir()
+# ======================================================================
+fix_authorized_keys_perms() {
+ if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
- return 0
- else
- return 1
+ if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
+ then
+ csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
+ csih_warning "failed. Please care for the correct permissions. The minimum requirement"
+ csih_warning "is, the owner needs read permissions."
+ echo
+ fi
fi
-}
+} # === End of fix_authorized_keys_perms() === #
+readonly -f fix_authorized_keys_perms
+
+
+# ======================================================================
+# Main Entry Point
+# ======================================================================
-# Check if running on NT
-_sys="`uname -a`"
-_nt=`expr "$_sys" : "CYGWIN_NT"`
-# If running on NT, check if running under 2003 Server or later
-if [ $_nt -gt 0 ]
+# Check how the script has been started. If
+# (1) it has been started by giving the full path and
+# that path is /etc/postinstall, OR
+# (2) Otherwise, if the environment variable
+# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
+# then set auto_answer to "no". This allows automatic
+# creation of the config files in /etc w/o overwriting
+# them if they already exist. In both cases, color
+# escape sequences are suppressed, so as to prevent
+# cluttering setup's logfiles.
+if [ "$PROGDIR" = "/etc/postinstall" ]
then
- _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
+ csih_auto_answer="no"
+ csih_disable_color
+fi
+if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
+then
+ csih_auto_answer="no"
+ csih_disable_color
fi
-# Check options
-
+# ======================================================================
+# Parse options
+# ======================================================================
while :
do
case $# in
case "$option" in
-d | --debug )
set -x
+ csih_trace_on
;;
-y | --yes )
- auto_answer=yes
+ csih_auto_answer=yes
;;
-n | --no )
- auto_answer=no
+ csih_auto_answer=no
;;
-p | --passphrase )
shift
;;
+ --privileged )
+ csih_FORCE_PRIVILEGED_USER=yes
+ ;;
+
*)
- echo "usage: ${progname} [OPTION]..."
+ echo "usage: ${PROGNAME} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
+ echo " --privileged On Windows NT/2k/XP, assume privileged user"
+ echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
-# Ask user if user identity should be generated
+# ======================================================================
+# Action!
+# ======================================================================
+# Check passwd file
if [ ! -f ${SYSCONFDIR}/passwd ]
then
- echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
- echo 'first using mkpasswd. Check if it contains an entry for you and'
- echo 'please care for the home directory in your entry as well.'
- exit 1
-fi
-
-uid=`id -u`
-pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
-
-if [ "X${pwdhome}" = "X" ]
-then
- echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
- echo 'Setting $HOME is not sufficient!'
- exit 1
-fi
-
-if [ ! -d "${pwdhome}" ]
-then
- echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
- echo 'but it is not a valid directory. Cannot create user identity files.'
- exit 1
-fi
-
-# If home is the root dir, set home to empty string to avoid error messages
-# in subsequent parts of that script.
-if [ "X${pwdhome}" = "X/" ]
-then
- # But first raise a warning!
- echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
- if request "Would you like to proceed anyway?"
- then
- pwdhome=''
- else
- exit 1
- fi
-fi
-
-if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
-then
- echo
- echo 'WARNING: group and other have been revoked write permission to your home'
- echo " directory ${pwdhome}."
- echo ' This is required by OpenSSH to allow public key authentication using'
- echo ' the key files stored in your .ssh subdirectory.'
- echo ' Revert this change ONLY if you know what you are doing!'
- echo
-fi
-
-if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
-then
- echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
- exit 1
-fi
-
-if [ ! -e "${pwdhome}/.ssh" ]
-then
- mkdir "${pwdhome}/.ssh"
- if [ ! -e "${pwdhome}/.ssh" ]
- then
- echo "Creating users ${pwdhome}/.ssh directory failed"
- exit 1
- fi
-fi
-
-if [ $_nt -gt 0 ]
-then
- _user="system"
- if [ $_nt2003 -gt 0 ]
- then
- grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
- fi
- if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
- then
- echo "${pwdhome}/.ssh couldn't be given the correct permissions."
- echo "Please try to solve this problem first."
- exit 1
- fi
-fi
-
-if [ ! -f "${pwdhome}/.ssh/identity" ]
-then
- if request "Shall I create an SSH1 RSA identity file for you?"
- then
- echo "Generating ${pwdhome}/.ssh/identity"
- if [ "${with_passphrase}" = "yes" ]
- then
- ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
- else
- ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
- fi
- if request "Do you want to use this identity to login to this machine?"
- then
- echo "Adding to ${pwdhome}/.ssh/authorized_keys"
- cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
- fi
- fi
+ csih_error_multiline \
+ "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
+ 'first using mkpasswd. Check if it contains an entry for you and' \
+ 'please care for the home directory in your entry as well.'
fi
-if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
-then
- if request "Shall I create an SSH2 RSA identity file for you?"
- then
- echo "Generating ${pwdhome}/.ssh/id_rsa"
- if [ "${with_passphrase}" = "yes" ]
- then
- ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
- else
- ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
- fi
- if request "Do you want to use this identity to login to this machine?"
- then
- echo "Adding to ${pwdhome}/.ssh/authorized_keys"
- cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
- fi
- fi
-fi
+check_user_homedir
+check_user_dot_ssh_dir
+create_ssh1_identity
+create_ssh2_rsa_identity
+create_ssh2_dsa_identity
+fix_authorized_keys_perms
-if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
-then
- if request "Shall I create an SSH2 DSA identity file for you?"
- then
- echo "Generating ${pwdhome}/.ssh/id_dsa"
- if [ "${with_passphrase}" = "yes" ]
- then
- ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
- else
- ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
- fi
- if request "Do you want to use this identity to login to this machine?"
- then
- echo "Adding to ${pwdhome}/.ssh/authorized_keys"
- cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
- fi
- fi
-fi
+echo
+csih_inform "Configuration finished. Have fun!"
-if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
-then
- if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
- then
- echo
- echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
- echo "failed. Please care for the correct permissions. The minimum requirement"
- echo "is, the owner and ${_user} both need read permissions."
- echo
- fi
-fi
-echo
-echo "Configuration finished. Have fun!"