-# Depends on the above mount
-_wservices=`cygpath -w "${_services}"`
-
-# Remove sshd 22/port from services
-if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-then
- grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
- if [ -f "${_serv_tmp}" ]
- then
- if mv "${_serv_tmp}" "${_services}"
- then
- echo "Removing sshd from ${_wservices}"
- else
- echo "Removing sshd from ${_wservices} failed!"
- fi
- rm -f "${_serv_tmp}"
- else
- echo "Removing sshd from ${_wservices} failed!"
- fi
-fi
-
-# Add ssh 22/tcp and ssh 22/udp to services
-if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
-then
- if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
- then
- if mv "${_serv_tmp}" "${_services}"
- then
- echo "Added ssh to ${_wservices}"
- else
- echo "Adding ssh to ${_wservices} failed!"
- fi
- rm -f "${_serv_tmp}"
- else
- echo "WARNING: Adding ssh to ${_wservices} failed!"
- fi
-fi
-
-umount "${_my_etcdir}"
-
-# Care for inetd.conf file
-_inetcnf="${SYSCONFDIR}/inetd.conf"
-_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
-
-if [ -f "${_inetcnf}" ]
-then
- # Check if ssh service is already in use as sshd
- with_comment=1
- grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
- # Remove sshd line from inetd.conf
- if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
- then
- grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
- if [ -f "${_inetcnf_tmp}" ]
- then
- if mv "${_inetcnf_tmp}" "${_inetcnf}"
- then
- echo "Removed sshd from ${_inetcnf}"
- else
- echo "Removing sshd from ${_inetcnf} failed!"
- fi
- rm -f "${_inetcnf_tmp}"
- else
- echo "Removing sshd from ${_inetcnf} failed!"
- fi
- fi
-
- # Add ssh line to inetd.conf
- if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
- then
- if [ "${with_comment}" -eq 0 ]
- then
- echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
- else
- echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
- fi
- echo "Added ssh to ${_inetcnf}"
- fi
-fi
-
-# On NT ask if sshd should be installed as service
-if [ ${_nt} -gt 0 ]
-then
- # But only if it is not already installed
- if ! cygrunsrv -Q sshd > /dev/null 2>&1
- then
- echo
- echo
- echo "Warning: The following functions require administrator privileges!"
- echo
- echo "Do you want to install sshd as service?"
- if request "(Say \"no\" if it's already installed as service)"
- then
- if [ $_nt2003 -gt 0 ]
- then
- grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
- if [ "${sshd_server_in_passwd}" = "yes" ]
- then
- # Drop sshd_server from passwd since it could have wrong settings
- grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
- rm -f ${SYSCONFDIR}/passwd
- mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
- chmod g-w,o-w ${SYSCONFDIR}/passwd
- fi
- net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
- if [ "${sshd_server_in_sam}" != "yes" ]
- then
- echo
- echo "You appear to be running Windows 2003 Server or later. On 2003 and"
- echo "later systems, it's not possible to use the LocalSystem account"
- echo "if sshd should allow passwordless logon (e. g. public key authentication)."
- echo "If you want to enable that functionality, it's required to create a new"
- echo "account 'sshd_server' with special privileges, which is then used to run"
- echo "the sshd service under."
- echo
- echo "Should this script create a new local account 'sshd_server' which has"
- if request "the required privileges?"
- then
- _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
- if [ -z "${_admingroup}" ]
- then
- echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
- exit 1
- fi
- dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
- while [ "${sshd_server_in_sam}" != "yes" ]
- do
- if [ -n "${password_value}" ]
- then
- _password="${password_value}"
- # Allow to ask for password if first try fails
- password_value=""
- else
- echo
- echo "Please enter a password for new user 'sshd_server'. Please be sure that"
- echo "this password matches the password rules given on your system."
- echo -n "Entering no password will exit the configuration. PASSWORD="
- read -e _password
- if [ -z "${_password}" ]
- then
- echo
- echo "Exiting configuration. No user sshd_server has been created,"
- echo "no sshd service installed."
- exit 1
- fi
- fi
- net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
- if [ "${sshd_server_in_sam}" != "yes" ]
- then
- echo "Creating the user 'sshd_server' failed! Reason:"
- cat /tmp/nu.$$
- rm /tmp/nu.$$
- fi
- done
- net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
- if [ "${sshd_server_in_admingroup}" != "yes" ]
- then
- echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
- echo "Please add sshd_server to local group ${_admingroup} before"
- echo "starting the sshd service!"
- echo
- fi
- passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
- if [ "${passwd_has_expiry_flags}" != "yes" ]
- then
- echo
- echo "WARNING: User sshd_server has password expiry set to system default."
- echo "Please check that password never expires or set it to your needs."
- elif ! passwd -e sshd_server
- then
- echo
- echo "WARNING: Setting password expiry for user sshd_server failed!"
- echo "Please check that password never expires or set it to your needs."
- fi
- editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
- editrights -a SeCreateTokenPrivilege -u sshd_server &&
- editrights -a SeTcbPrivilege -u sshd_server &&
- editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
- editrights -a SeDenyNetworkLogonRight -u sshd_server &&
- editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
- editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
- editrights -a SeServiceLogonRight -u sshd_server &&
- sshd_server_got_all_rights="yes"
- if [ "${sshd_server_got_all_rights}" != "yes" ]
- then
- echo
- echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
- echo "Can't create sshd service!"
- exit 1
- fi
- echo
- echo "User 'sshd_server' has been created with password '${_password}'."
- echo "If you change the password, please keep in mind to change the password"
- echo "for the sshd service, too."
- echo
- echo "Also keep in mind that the user sshd_server needs read permissions on all"
- echo "users' .ssh/authorized_keys file to allow public key authentication for"
- echo "these users!. (Re-)running ssh-user-config for each user will set the"
- echo "required permissions correctly."
- echo
- fi
- fi
- if [ "${sshd_server_in_sam}" = "yes" ]
- then
- mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
- fi
- fi
- if [ -n "${cygwin_value}" ]
- then
- _cygwin="${cygwin_value}"
- else
- echo
- echo "Which value should the environment variable CYGWIN have when"
- echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
- echo "able to change user context without password."
- echo -n "Default is \"ntsec\". CYGWIN="
- read -e _cygwin
- fi
- [ -z "${_cygwin}" ] && _cygwin="ntsec"
- if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
- then
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
- then
- echo
- echo "The service has been installed under sshd_server account."
- echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
- fi
- else
- if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
- then
- echo
- echo "The service has been installed under LocalSystem account."
- echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
- fi
- fi
- fi
- # Now check if sshd has been successfully installed. This allows to
- # set the ownership of the affected files correctly.
- if cygrunsrv -Q sshd > /dev/null 2>&1
- then
- if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
- then
- _user="sshd_server"
- else
- _user="system"
- fi
- chown "${_user}" ${SYSCONFDIR}/ssh*
- chown "${_user}".544 ${LOCALSTATEDIR}/empty
- chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
- if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
- then
- chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
- fi
- fi
- if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
- then
- echo
- echo "Warning: It appears that you have user mode mounts (\"Just me\""
- echo "chosen during install.) Any daemons installed as services will"
- echo "fail to function unless system mounts are used. To change this,"
- echo "re-run setup.exe and choose \"All users\"."
- echo
- echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
- fi
- fi
-fi