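#!/bin/bash
#
# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# ======================================================================
# Initialization
# ======================================================================

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# List of apps used.  This is checked for existence in csih_sanity_check.
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
#
# Entries are pairs of "absolute path" "providing package".  chown and uname
# are listed because check_service_files_ownership and install_service call
# them.  cygrunsrv and editrights are invoked by install_service as well but
# are not listed here -- TODO(review): confirm whether csih checks for them
# on its own before adding them as hard requirements.
declare -a csih_required_commands=(
  /usr/bin/basename coreutils
  /usr/bin/cat coreutils
  /usr/bin/chmod coreutils
  /usr/bin/chown coreutils
  /usr/bin/dirname coreutils
  /usr/bin/id coreutils
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/uname coreutils
  /usr/bin/cygpath cygwin
  /usr/bin/mkpasswd cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
  /usr/bin/awk gawk
  /usr/bin/ssh-keygen openssh
  /usr/sbin/sshd openssh
  /usr/bin/sed sed
)
csih_sanity_check_server=yes
source "${CSIH_SCRIPT}"

# Name and directory of this script.  "$0" is quoted so that a path
# containing spaces (not unusual on Windows) survives word splitting;
# PROGDIR is compared against /etc/postinstall in the main body.
PROGNAME=$(/usr/bin/basename "$0")
_tdir=$(/usr/bin/dirname "$0")
PROGDIR=$(cd "${_tdir}" && pwd)

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var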
61ce3adf43SDag-Erling Smørgrav 62a0ee8cc6SDag-Erling Smørgravsshd_config_configured=no 63ce3adf43SDag-Erling Smørgravport_number=22 64*19261079SEd Masteservice_name=cygsshd 65a0ee8cc6SDag-Erling Smørgravstrictmodes=yes 66ce3adf43SDag-Erling Smørgravcygwin_value="" 67ce3adf43SDag-Erling Smørgravuser_account= 68ce3adf43SDag-Erling Smørgravpassword_value= 69ce3adf43SDag-Erling Smørgravopt_force=no 70ce3adf43SDag-Erling Smørgrav 71ce3adf43SDag-Erling Smørgrav# ====================================================================== 72ce3adf43SDag-Erling Smørgrav# Routine: update_services_file 73ce3adf43SDag-Erling Smørgrav# ====================================================================== 74ce3adf43SDag-Erling Smørgravupdate_services_file() { 75ce3adf43SDag-Erling Smørgrav local _my_etcdir="/ssh-host-config.$$" 76ce3adf43SDag-Erling Smørgrav local _win_etcdir 77ce3adf43SDag-Erling Smørgrav local _services 78ce3adf43SDag-Erling Smørgrav local _spaces 79ce3adf43SDag-Erling Smørgrav local _serv_tmp 80ce3adf43SDag-Erling Smørgrav local _wservices 81ce3adf43SDag-Erling Smørgrav local ret=0 82ce3adf43SDag-Erling Smørgrav 83ce3adf43SDag-Erling Smørgrav _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 84ce3adf43SDag-Erling Smørgrav _services="${_my_etcdir}/services" 85ce3adf43SDag-Erling Smørgrav _spaces=" #" 86ce3adf43SDag-Erling Smørgrav _serv_tmp="${_my_etcdir}/srv.out.$$" 87ce3adf43SDag-Erling Smørgrav 88ce3adf43SDag-Erling Smørgrav /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 89ce3adf43SDag-Erling Smørgrav 90ce3adf43SDag-Erling Smørgrav # Depends on the above mount 91ce3adf43SDag-Erling Smørgrav _wservices=`cygpath -w "${_services}"` 92ce3adf43SDag-Erling Smørgrav 93ce3adf43SDag-Erling Smørgrav # Add ssh 22/tcp and ssh 22/udp to services 94a0ee8cc6SDag-Erling Smørgrav if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] 95ce3adf43SDag-Erling Smørgrav then 96ce3adf43SDag-Erling Smørgrav if /usr/bin/awk '{ 
if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 97ce3adf43SDag-Erling Smørgrav then 98ce3adf43SDag-Erling Smørgrav if /usr/bin/mv "${_serv_tmp}" "${_services}" 99ce3adf43SDag-Erling Smørgrav then 100ce3adf43SDag-Erling Smørgrav csih_inform "Added ssh to ${_wservices}" 101ce3adf43SDag-Erling Smørgrav else 102ce3adf43SDag-Erling Smørgrav csih_warning "Adding ssh to ${_wservices} failed!" 103ce3adf43SDag-Erling Smørgrav let ++ret 104ce3adf43SDag-Erling Smørgrav fi 105ce3adf43SDag-Erling Smørgrav /usr/bin/rm -f "${_serv_tmp}" 106ce3adf43SDag-Erling Smørgrav else 107ce3adf43SDag-Erling Smørgrav csih_warning "Adding ssh to ${_wservices} failed!" 108ce3adf43SDag-Erling Smørgrav let ++ret 109ce3adf43SDag-Erling Smørgrav fi 110ce3adf43SDag-Erling Smørgrav fi 111ce3adf43SDag-Erling Smørgrav /usr/bin/umount "${_my_etcdir}" 112ce3adf43SDag-Erling Smørgrav return $ret 113ce3adf43SDag-Erling Smørgrav} # --- End of update_services_file --- # 114ce3adf43SDag-Erling Smørgrav 115ce3adf43SDag-Erling Smørgrav# ====================================================================== 116a0ee8cc6SDag-Erling Smørgrav# Routine: sshd_strictmodes 117a0ee8cc6SDag-Erling Smørgrav# MODIFIES: strictmodes 118a0ee8cc6SDag-Erling Smørgrav# ====================================================================== 119a0ee8cc6SDag-Erling Smørgravsshd_strictmodes() { 120a0ee8cc6SDag-Erling Smørgrav if [ "${sshd_config_configured}" != "yes" ] 121a0ee8cc6SDag-Erling Smørgrav then 122a0ee8cc6SDag-Erling Smørgrav echo 123a0ee8cc6SDag-Erling Smørgrav csih_inform "StrictModes is set to 'yes' by default." 
124a0ee8cc6SDag-Erling Smørgrav csih_inform "This is the recommended setting, but it requires that the POSIX" 125a0ee8cc6SDag-Erling Smørgrav csih_inform "permissions of the user's home directory, the user's .ssh" 126a0ee8cc6SDag-Erling Smørgrav csih_inform "directory, and the user's ssh key files are tight so that" 127a0ee8cc6SDag-Erling Smørgrav csih_inform "only the user has write permissions." 128a0ee8cc6SDag-Erling Smørgrav csih_inform "On the other hand, StrictModes don't work well with default" 129a0ee8cc6SDag-Erling Smørgrav csih_inform "Windows permissions of a home directory mounted with the" 130a0ee8cc6SDag-Erling Smørgrav csih_inform "'noacl' option, and they don't work at all if the home" 131a0ee8cc6SDag-Erling Smørgrav csih_inform "directory is on a FAT or FAT32 partition." 132a0ee8cc6SDag-Erling Smørgrav if ! csih_request "Should StrictModes be used?" 133a0ee8cc6SDag-Erling Smørgrav then 134a0ee8cc6SDag-Erling Smørgrav strictmodes=no 135a0ee8cc6SDag-Erling Smørgrav fi 136a0ee8cc6SDag-Erling Smørgrav fi 137a0ee8cc6SDag-Erling Smørgrav return 0 138a0ee8cc6SDag-Erling Smørgrav} 139a0ee8cc6SDag-Erling Smørgrav 140a0ee8cc6SDag-Erling Smørgrav# ====================================================================== 141ce3adf43SDag-Erling Smørgrav# Routine: sshd_privsep 142d93a896eSDag-Erling Smørgrav# Try to create ssshd user account 143ce3adf43SDag-Erling Smørgrav# ====================================================================== 144ce3adf43SDag-Erling Smørgravsshd_privsep() { 145ce3adf43SDag-Erling Smørgrav local ret=0 146ce3adf43SDag-Erling Smørgrav 147a0ee8cc6SDag-Erling Smørgrav if [ "${sshd_config_configured}" != "yes" ] 148ce3adf43SDag-Erling Smørgrav then 149ce3adf43SDag-Erling Smørgrav if ! csih_create_unprivileged_user sshd 150ce3adf43SDag-Erling Smørgrav then 151d93a896eSDag-Erling Smørgrav csih_error_recoverable "Could not create user 'sshd'!" 
152d93a896eSDag-Erling Smørgrav csih_error_recoverable "You will not be able to run an sshd service" 153d93a896eSDag-Erling Smørgrav csih_error_recoverable "under a privileged account successfully." 154d93a896eSDag-Erling Smørgrav csih_error_recoverable "Make sure to create a non-privileged user 'sshd'" 155d93a896eSDag-Erling Smørgrav csih_error_recoverable "manually before trying to run the service!" 156ce3adf43SDag-Erling Smørgrav let ++ret 157ce3adf43SDag-Erling Smørgrav fi 158ce3adf43SDag-Erling Smørgrav fi 159a0ee8cc6SDag-Erling Smørgrav return $ret 160a0ee8cc6SDag-Erling Smørgrav} # --- End of sshd_privsep --- # 161ce3adf43SDag-Erling Smørgrav 162a0ee8cc6SDag-Erling Smørgrav# ====================================================================== 163a0ee8cc6SDag-Erling Smørgrav# Routine: sshd_config_tweak 164a0ee8cc6SDag-Erling Smørgrav# ====================================================================== 165a0ee8cc6SDag-Erling Smørgravsshd_config_tweak() { 166a0ee8cc6SDag-Erling Smørgrav local ret=0 167a0ee8cc6SDag-Erling Smørgrav 168a0ee8cc6SDag-Erling Smørgrav # Modify sshd_config 169ce3adf43SDag-Erling Smørgrav csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 170a0ee8cc6SDag-Erling Smørgrav if [ "${port_number}" -ne 22 ] 171ce3adf43SDag-Erling Smørgrav then 172a0ee8cc6SDag-Erling Smørgrav /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ 173a0ee8cc6SDag-Erling Smørgrav ${SYSCONFDIR}/sshd_config 174a0ee8cc6SDag-Erling Smørgrav if [ $? -ne 0 ] 175a0ee8cc6SDag-Erling Smørgrav then 176a0ee8cc6SDag-Erling Smørgrav csih_warning "Setting listening port to ${port_number} failed!" 177ce3adf43SDag-Erling Smørgrav csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 
178ce3adf43SDag-Erling Smørgrav let ++ret 179ce3adf43SDag-Erling Smørgrav fi 180a0ee8cc6SDag-Erling Smørgrav fi 181a0ee8cc6SDag-Erling Smørgrav if [ "${strictmodes}" = "no" ] 182ce3adf43SDag-Erling Smørgrav then 183a0ee8cc6SDag-Erling Smørgrav /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ 184a0ee8cc6SDag-Erling Smørgrav ${SYSCONFDIR}/sshd_config 185a0ee8cc6SDag-Erling Smørgrav if [ $? -ne 0 ] 186ce3adf43SDag-Erling Smørgrav then 187a0ee8cc6SDag-Erling Smørgrav csih_warning "Setting StrictModes to 'no' failed!" 188a0ee8cc6SDag-Erling Smørgrav csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 189a0ee8cc6SDag-Erling Smørgrav let ++ret 190a0ee8cc6SDag-Erling Smørgrav fi 191a0ee8cc6SDag-Erling Smørgrav fi 192ce3adf43SDag-Erling Smørgrav return $ret 193a0ee8cc6SDag-Erling Smørgrav} # --- End of sshd_config_tweak --- # 194ce3adf43SDag-Erling Smørgrav 195ce3adf43SDag-Erling Smørgrav# ====================================================================== 196ce3adf43SDag-Erling Smørgrav# Routine: update_inetd_conf 197ce3adf43SDag-Erling Smørgrav# ====================================================================== 198ce3adf43SDag-Erling Smørgravupdate_inetd_conf() { 199ce3adf43SDag-Erling Smørgrav local _inetcnf="${SYSCONFDIR}/inetd.conf" 200ce3adf43SDag-Erling Smørgrav local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" 201ce3adf43SDag-Erling Smørgrav local _inetcnf_dir="${SYSCONFDIR}/inetd.d" 202ce3adf43SDag-Erling Smørgrav local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 203ce3adf43SDag-Erling Smørgrav local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 204ce3adf43SDag-Erling Smørgrav local _with_comment=1 205ce3adf43SDag-Erling Smørgrav local ret=0 206ce3adf43SDag-Erling Smørgrav 207ce3adf43SDag-Erling Smørgrav if [ -d "${_inetcnf_dir}" ] 208ce3adf43SDag-Erling Smørgrav then 209ce3adf43SDag-Erling Smørgrav # we have inetutils-1.5 inetd.d support 210ce3adf43SDag-Erling Smørgrav if [ -f "${_inetcnf}" ] 
211ce3adf43SDag-Erling Smørgrav then 212a0ee8cc6SDag-Erling Smørgrav /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 213ce3adf43SDag-Erling Smørgrav 214ce3adf43SDag-Erling Smørgrav # check for sshd OR ssh in top-level inetd.conf file, and remove 215ce3adf43SDag-Erling Smørgrav # will be replaced by a file in inetd.d/ 216a0ee8cc6SDag-Erling Smørgrav if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] 217ce3adf43SDag-Erling Smørgrav then 218ce3adf43SDag-Erling Smørgrav /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 219ce3adf43SDag-Erling Smørgrav if [ -f "${_inetcnf_tmp}" ] 220ce3adf43SDag-Erling Smørgrav then 221ce3adf43SDag-Erling Smørgrav if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 222ce3adf43SDag-Erling Smørgrav then 223ce3adf43SDag-Erling Smørgrav csih_inform "Removed ssh[d] from ${_inetcnf}" 224ce3adf43SDag-Erling Smørgrav else 225ce3adf43SDag-Erling Smørgrav csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 226ce3adf43SDag-Erling Smørgrav let ++ret 227ce3adf43SDag-Erling Smørgrav fi 228ce3adf43SDag-Erling Smørgrav /usr/bin/rm -f "${_inetcnf_tmp}" 229ce3adf43SDag-Erling Smørgrav else 230ce3adf43SDag-Erling Smørgrav csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 
231ce3adf43SDag-Erling Smørgrav let ++ret 232ce3adf43SDag-Erling Smørgrav fi 233ce3adf43SDag-Erling Smørgrav fi 234ce3adf43SDag-Erling Smørgrav fi 235ce3adf43SDag-Erling Smørgrav 236ce3adf43SDag-Erling Smørgrav csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 237ce3adf43SDag-Erling Smørgrav if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 238ce3adf43SDag-Erling Smørgrav then 239ce3adf43SDag-Erling Smørgrav if [ "${_with_comment}" -eq 0 ] 240ce3adf43SDag-Erling Smørgrav then 241a0ee8cc6SDag-Erling Smørgrav /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 242ce3adf43SDag-Erling Smørgrav else 243a0ee8cc6SDag-Erling Smørgrav /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 244ce3adf43SDag-Erling Smørgrav fi 245ce3adf43SDag-Erling Smørgrav if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 246ce3adf43SDag-Erling Smørgrav then 247ce3adf43SDag-Erling Smørgrav csih_inform "Updated ${_sshd_inetd_conf}" 248ce3adf43SDag-Erling Smørgrav else 249ce3adf43SDag-Erling Smørgrav csih_warning "Updating ${_sshd_inetd_conf} failed!" 
250ce3adf43SDag-Erling Smørgrav let ++ret 251ce3adf43SDag-Erling Smørgrav fi 252ce3adf43SDag-Erling Smørgrav fi 253ce3adf43SDag-Erling Smørgrav 254ce3adf43SDag-Erling Smørgrav elif [ -f "${_inetcnf}" ] 255ce3adf43SDag-Erling Smørgrav then 256a0ee8cc6SDag-Erling Smørgrav /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 257ce3adf43SDag-Erling Smørgrav 258ce3adf43SDag-Erling Smørgrav # check for sshd in top-level inetd.conf file, and remove 259ce3adf43SDag-Erling Smørgrav # will be replaced by a file in inetd.d/ 260a0ee8cc6SDag-Erling Smørgrav if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 261ce3adf43SDag-Erling Smørgrav then 262a0ee8cc6SDag-Erling Smørgrav /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 263ce3adf43SDag-Erling Smørgrav if [ -f "${_inetcnf_tmp}" ] 264ce3adf43SDag-Erling Smørgrav then 265ce3adf43SDag-Erling Smørgrav if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 266ce3adf43SDag-Erling Smørgrav then 267ce3adf43SDag-Erling Smørgrav csih_inform "Removed sshd from ${_inetcnf}" 268ce3adf43SDag-Erling Smørgrav else 269ce3adf43SDag-Erling Smørgrav csih_warning "Removing sshd from ${_inetcnf} failed!" 270ce3adf43SDag-Erling Smørgrav let ++ret 271ce3adf43SDag-Erling Smørgrav fi 272ce3adf43SDag-Erling Smørgrav /usr/bin/rm -f "${_inetcnf_tmp}" 273ce3adf43SDag-Erling Smørgrav else 274ce3adf43SDag-Erling Smørgrav csih_warning "Removing sshd from ${_inetcnf} failed!" 
275ce3adf43SDag-Erling Smørgrav let ++ret 276ce3adf43SDag-Erling Smørgrav fi 277ce3adf43SDag-Erling Smørgrav fi 278ce3adf43SDag-Erling Smørgrav 279ce3adf43SDag-Erling Smørgrav # Add ssh line to inetd.conf 280ce3adf43SDag-Erling Smørgrav if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 281ce3adf43SDag-Erling Smørgrav then 282ce3adf43SDag-Erling Smørgrav if [ "${_with_comment}" -eq 0 ] 283ce3adf43SDag-Erling Smørgrav then 284ce3adf43SDag-Erling Smørgrav echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 285ce3adf43SDag-Erling Smørgrav else 286ce3adf43SDag-Erling Smørgrav echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 287ce3adf43SDag-Erling Smørgrav fi 288ce3adf43SDag-Erling Smørgrav if [ $? -eq 0 ] 289ce3adf43SDag-Erling Smørgrav then 290ce3adf43SDag-Erling Smørgrav csih_inform "Added ssh to ${_inetcnf}" 291ce3adf43SDag-Erling Smørgrav else 292ce3adf43SDag-Erling Smørgrav csih_warning "Adding ssh to ${_inetcnf} failed!" 
293ce3adf43SDag-Erling Smørgrav let ++ret 294ce3adf43SDag-Erling Smørgrav fi 295ce3adf43SDag-Erling Smørgrav fi 296ce3adf43SDag-Erling Smørgrav fi 297ce3adf43SDag-Erling Smørgrav return $ret 298ce3adf43SDag-Erling Smørgrav} # --- End of update_inetd_conf --- # 299ce3adf43SDag-Erling Smørgrav 300ce3adf43SDag-Erling Smørgrav# ====================================================================== 301ce3adf43SDag-Erling Smørgrav# Routine: check_service_files_ownership 302ce3adf43SDag-Erling Smørgrav# Checks that the files in /etc and /var belong to the right owner 303ce3adf43SDag-Erling Smørgrav# ====================================================================== 304ce3adf43SDag-Erling Smørgravcheck_service_files_ownership() { 305ce3adf43SDag-Erling Smørgrav local run_service_as=$1 306ce3adf43SDag-Erling Smørgrav local ret=0 307ce3adf43SDag-Erling Smørgrav 308ce3adf43SDag-Erling Smørgrav if [ -z "${run_service_as}" ] 309ce3adf43SDag-Erling Smørgrav then 310*19261079SEd Maste accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" | 311a0ee8cc6SDag-Erling Smørgrav /usr/bin/sed -ne 's/^Account *: *//gp') 312ce3adf43SDag-Erling Smørgrav if [ "${accnt_name}" = "LocalSystem" ] 313ce3adf43SDag-Erling Smørgrav then 314ce3adf43SDag-Erling Smørgrav # Convert "LocalSystem" to "SYSTEM" as is the correct account name 315a0ee8cc6SDag-Erling Smørgrav run_service_as="SYSTEM" 316a0ee8cc6SDag-Erling Smørgrav else 317a0ee8cc6SDag-Erling Smørgrav dom="${accnt_name%%\\*}" 318a0ee8cc6SDag-Erling Smørgrav accnt_name="${accnt_name#*\\}" 319a0ee8cc6SDag-Erling Smørgrav if [ "${dom}" = '.' 
] 320ce3adf43SDag-Erling Smørgrav then 321a0ee8cc6SDag-Erling Smørgrav # Check local account 322a0ee8cc6SDag-Erling Smørgrav run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | 323a0ee8cc6SDag-Erling Smørgrav /usr/bin/awk -F: '{print $1;}') 324a0ee8cc6SDag-Erling Smørgrav else 325a0ee8cc6SDag-Erling Smørgrav # Check domain 326a0ee8cc6SDag-Erling Smørgrav run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | 327a0ee8cc6SDag-Erling Smørgrav /usr/bin/awk -F: '{print $1;}') 328ce3adf43SDag-Erling Smørgrav fi 329a0ee8cc6SDag-Erling Smørgrav fi 330ce3adf43SDag-Erling Smørgrav if [ -z "${run_service_as}" ] 331ce3adf43SDag-Erling Smørgrav then 332*19261079SEd Maste csih_warning "Couldn't determine name of user running ${service_name} service from account database!" 333ce3adf43SDag-Erling Smørgrav csih_warning "As a result, this script cannot make sure that the files used" 334*19261079SEd Maste csih_warning "by the ${service_name} service belong to the user running the service." 335ce3adf43SDag-Erling Smørgrav return 1 336ce3adf43SDag-Erling Smørgrav fi 337ce3adf43SDag-Erling Smørgrav fi 338ce3adf43SDag-Erling Smørgrav for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub 339ce3adf43SDag-Erling Smørgrav do 340ce3adf43SDag-Erling Smørgrav if [ -f "$i" ] 341ce3adf43SDag-Erling Smørgrav then 342ce3adf43SDag-Erling Smørgrav if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 343ce3adf43SDag-Erling Smørgrav then 344ce3adf43SDag-Erling Smørgrav csih_warning "Couldn't change owner of $i!" 345ce3adf43SDag-Erling Smørgrav let ++ret 346ce3adf43SDag-Erling Smørgrav fi 347ce3adf43SDag-Erling Smørgrav fi 348ce3adf43SDag-Erling Smørgrav done 349ce3adf43SDag-Erling Smørgrav if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 350ce3adf43SDag-Erling Smørgrav then 351ce3adf43SDag-Erling Smørgrav csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" 
352ce3adf43SDag-Erling Smørgrav let ++ret 353ce3adf43SDag-Erling Smørgrav fi 354ce3adf43SDag-Erling Smørgrav if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 355ce3adf43SDag-Erling Smørgrav then 356ce3adf43SDag-Erling Smørgrav csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" 357ce3adf43SDag-Erling Smørgrav let ++ret 358ce3adf43SDag-Erling Smørgrav fi 359ce3adf43SDag-Erling Smørgrav if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 360ce3adf43SDag-Erling Smørgrav then 361ce3adf43SDag-Erling Smørgrav if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 362ce3adf43SDag-Erling Smørgrav then 363ce3adf43SDag-Erling Smørgrav csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" 364ce3adf43SDag-Erling Smørgrav let ++ret 365ce3adf43SDag-Erling Smørgrav fi 366ce3adf43SDag-Erling Smørgrav fi 367ce3adf43SDag-Erling Smørgrav if [ $ret -ne 0 ] 368ce3adf43SDag-Erling Smørgrav then 369ce3adf43SDag-Erling Smørgrav csih_warning "Couldn't change owner of important files to ${run_service_as}!" 370*19261079SEd Maste csih_warning "This may cause the ${service_name} service to fail! Please make sure that" 371*19261079SEd Maste csih_warning "you have sufficient permissions to change the ownership of files" 372ce3adf43SDag-Erling Smørgrav csih_warning "and try to run the ssh-host-config script again." 
373ce3adf43SDag-Erling Smørgrav fi 374ce3adf43SDag-Erling Smørgrav return $ret 375ce3adf43SDag-Erling Smørgrav} # --- End of check_service_files_ownership --- # 376ce3adf43SDag-Erling Smørgrav 377ce3adf43SDag-Erling Smørgrav# ====================================================================== 378ce3adf43SDag-Erling Smørgrav# Routine: install_service 379ce3adf43SDag-Erling Smørgrav# Install sshd as a service 380ce3adf43SDag-Erling Smørgrav# ====================================================================== 381ce3adf43SDag-Erling Smørgravinstall_service() { 382ce3adf43SDag-Erling Smørgrav local run_service_as 383ce3adf43SDag-Erling Smørgrav local password 384ce3adf43SDag-Erling Smørgrav local ret=0 385ce3adf43SDag-Erling Smørgrav 386ce3adf43SDag-Erling Smørgrav echo 387bc5531deSDag-Erling Smørgrav if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1 388ce3adf43SDag-Erling Smørgrav then 389ce3adf43SDag-Erling Smørgrav csih_inform "Sshd service is already installed." 390ce3adf43SDag-Erling Smørgrav check_service_files_ownership "" || let ret+=$? 391ce3adf43SDag-Erling Smørgrav else 392ce3adf43SDag-Erling Smørgrav echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" 393ce3adf43SDag-Erling Smørgrav if csih_request "(Say \"no\" if it is already installed as a service)" 394ce3adf43SDag-Erling Smørgrav then 395ce3adf43SDag-Erling Smørgrav csih_get_cygenv "${cygwin_value}" 396ce3adf43SDag-Erling Smørgrav 397*19261079SEd Maste if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] ) 398ce3adf43SDag-Erling Smørgrav then 399*19261079SEd Maste # Enforce using privileged user on 64 bit Vista or W7 under WOW64 400*19261079SEd Maste is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0) 401*19261079SEd Maste 402*19261079SEd Maste if ( csih_is_nt2003 && ! 
csih_is_windows8 && [ "${is_wow64}" = "1" ] ) 403*19261079SEd Maste then 404*19261079SEd Maste csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7" 405*19261079SEd Maste csih_inform "the SYSTEM account is not sufficient to setuid to a local" 406*19261079SEd Maste csih_inform "user account. You need to have or to create a privileged" 407ce3adf43SDag-Erling Smørgrav csih_inform "account. This script will help you do so." 408ce3adf43SDag-Erling Smørgrav echo 409*19261079SEd Maste csih_FORCE_PRIVILEGED_USER=yes 410*19261079SEd Maste fi 411*19261079SEd Maste fi 412ce3adf43SDag-Erling Smørgrav 413*19261079SEd Maste if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 414*19261079SEd Maste then 415ce3adf43SDag-Erling Smørgrav [ "${opt_force}" = "yes" ] && opt_f=-f 416ce3adf43SDag-Erling Smørgrav [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 417ce3adf43SDag-Erling Smørgrav csih_select_privileged_username ${opt_f} ${opt_u} sshd 418ce3adf43SDag-Erling Smørgrav 419ce3adf43SDag-Erling Smørgrav if ! csih_create_privileged_user "${password_value}" 420ce3adf43SDag-Erling Smørgrav then 421ce3adf43SDag-Erling Smørgrav csih_error_recoverable "There was a serious problem creating a privileged user." 422ce3adf43SDag-Erling Smørgrav csih_request "Do you want to proceed anyway?" 
|| exit 1 423ce3adf43SDag-Erling Smørgrav let ++ret 424ce3adf43SDag-Erling Smørgrav fi 425ce3adf43SDag-Erling Smørgrav # Never returns empty if NT or above 426ce3adf43SDag-Erling Smørgrav run_service_as=$(csih_service_should_run_as) 427*19261079SEd Maste else 428*19261079SEd Maste run_service_as="SYSTEM" 429*19261079SEd Maste fi 430ce3adf43SDag-Erling Smørgrav 431ce3adf43SDag-Erling Smørgrav if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 432ce3adf43SDag-Erling Smørgrav then 433ce3adf43SDag-Erling Smørgrav password="${csih_PRIVILEGED_PASSWORD}" 434ce3adf43SDag-Erling Smørgrav if [ -z "${password}" ] 435ce3adf43SDag-Erling Smørgrav then 436ce3adf43SDag-Erling Smørgrav csih_get_value "Please enter the password for user '${run_service_as}':" "-s" 437ce3adf43SDag-Erling Smørgrav password="${csih_value}" 438ce3adf43SDag-Erling Smørgrav fi 439ce3adf43SDag-Erling Smørgrav fi 440ce3adf43SDag-Erling Smørgrav 441ce3adf43SDag-Erling Smørgrav # At this point, we either have $run_service_as = "system" and 442ce3adf43SDag-Erling Smørgrav # $password is empty, or $run_service_as is some privileged user and 443ce3adf43SDag-Erling Smørgrav # (hopefully) $password contains the correct password. So, from here 444ce3adf43SDag-Erling Smørgrav # out, we use '-z "${password}"' to discriminate the two cases. 
445ce3adf43SDag-Erling Smørgrav 446ce3adf43SDag-Erling Smørgrav csih_check_user "${run_service_as}" 447ce3adf43SDag-Erling Smørgrav 448ce3adf43SDag-Erling Smørgrav if [ -n "${csih_cygenv}" ] 449ce3adf43SDag-Erling Smørgrav then 450ce3adf43SDag-Erling Smørgrav cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 451ce3adf43SDag-Erling Smørgrav fi 452ce3adf43SDag-Erling Smørgrav if [ -z "${password}" ] 453ce3adf43SDag-Erling Smørgrav then 454bc5531deSDag-Erling Smørgrav if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \ 455ce3adf43SDag-Erling Smørgrav -a "-D" -y tcpip "${cygwin_env[@]}" 456ce3adf43SDag-Erling Smørgrav then 457ce3adf43SDag-Erling Smørgrav echo 458ce3adf43SDag-Erling Smørgrav csih_inform "The sshd service has been installed under the LocalSystem" 459ce3adf43SDag-Erling Smørgrav csih_inform "account (also known as SYSTEM). To start the service now, call" 460*19261079SEd Maste csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'. Otherwise, it" 461ce3adf43SDag-Erling Smørgrav csih_inform "will start automatically after the next reboot." 462ce3adf43SDag-Erling Smørgrav fi 463ce3adf43SDag-Erling Smørgrav else 464bc5531deSDag-Erling Smørgrav if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \ 465ce3adf43SDag-Erling Smørgrav -a "-D" -y tcpip "${cygwin_env[@]}" \ 466ce3adf43SDag-Erling Smørgrav -u "${run_service_as}" -w "${password}" 467ce3adf43SDag-Erling Smørgrav then 468ce3adf43SDag-Erling Smørgrav /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight 469ce3adf43SDag-Erling Smørgrav echo 470ce3adf43SDag-Erling Smørgrav csih_inform "The sshd service has been installed under the '${run_service_as}'" 471bc5531deSDag-Erling Smørgrav csih_inform "account. To start the service now, call \`net start ${service_name}' or" 472bc5531deSDag-Erling Smørgrav csih_inform "\`cygrunsrv -S ${service_name}'. 
Otherwise, it will start automatically" 473ce3adf43SDag-Erling Smørgrav csih_inform "after the next reboot." 474ce3adf43SDag-Erling Smørgrav fi 475ce3adf43SDag-Erling Smørgrav fi 476ce3adf43SDag-Erling Smørgrav 477bc5531deSDag-Erling Smørgrav if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1 478ce3adf43SDag-Erling Smørgrav then 479ce3adf43SDag-Erling Smørgrav check_service_files_ownership "${run_service_as}" || let ret+=$? 480ce3adf43SDag-Erling Smørgrav else 481ce3adf43SDag-Erling Smørgrav csih_error_recoverable "Installing sshd as a service failed!" 482ce3adf43SDag-Erling Smørgrav let ++ret 483ce3adf43SDag-Erling Smørgrav fi 484ce3adf43SDag-Erling Smørgrav fi # user allowed us to install as service 485ce3adf43SDag-Erling Smørgrav fi # service not yet installed 486ce3adf43SDag-Erling Smørgrav return $ret 487ce3adf43SDag-Erling Smørgrav} # --- End of install_service --- # 488ce3adf43SDag-Erling Smørgrav 489ce3adf43SDag-Erling Smørgrav# ====================================================================== 490ce3adf43SDag-Erling Smørgrav# Main Entry Point 491ce3adf43SDag-Erling Smørgrav# ====================================================================== 492ce3adf43SDag-Erling Smørgrav 493ce3adf43SDag-Erling Smørgrav# Check how the script has been started. If 494ce3adf43SDag-Erling Smørgrav# (1) it has been started by giving the full path and 495ce3adf43SDag-Erling Smørgrav# that path is /etc/postinstall, OR 496ce3adf43SDag-Erling Smørgrav# (2) Otherwise, if the environment variable 497ce3adf43SDag-Erling Smørgrav# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set 498ce3adf43SDag-Erling Smørgrav# then set auto_answer to "no". This allows automatic 499ce3adf43SDag-Erling Smørgrav# creation of the config files in /etc w/o overwriting 500ce3adf43SDag-Erling Smørgrav# them if they already exist. In both cases, color 501ce3adf43SDag-Erling Smørgrav# escape sequences are suppressed, so as to prevent 502ce3adf43SDag-Erling Smørgrav# cluttering setup's logfiles. 
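# When started from Cygwin's postinstall directory, or when the environment
# asks for it, there is nobody to answer questions: run unattended, answer
# "no" everywhere, drop colour codes (no terminal to render them) and force
# the operation.  Both triggers select exactly the same mode.
if [ "$PROGDIR" = "/etc/postinstall" ] || [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================
while [ $# -gt 0 ]
do
  option=$1
  shift

  case "${option}" in
    -d | --debug )
      # Enables the shell trace for everything parsed and executed from here on.
      set -x
      csih_trace_on
      ;;

    -y | --yes )
      csih_auto_answer=yes
      opt_force=yes
      ;;

    -n | --no )
      csih_auto_answer=no
      opt_force=yes
      ;;

    -c | --cygwin )
      cygwin_value="$1"
      shift
      ;;

    -N | --name )
      service_name="$1"
      shift
      ;;

    -p | --port )
      port_number="$1"
      shift
      # The value is written verbatim into the ssh configuration files, so
      # accept only a plain decimal TCP port number (1-65535).
      if ! [[ "${port_number}" =~ ^[0-9]{1,5}$ ]] \
         || [ "${port_number}" -lt 1 ] || [ "${port_number}" -gt 65535 ]
      then
        echo "${PROGNAME}: invalid port number '${port_number}'" >&2
        exit 1
      fi
      ;;

    -u | --user )
      user_account="$1"
      shift
      ;;

    -w | --pwd )
      # NOTE(review): a password given here is on the command line and thus
      # visible to other local users via ps while this script runs; leaving
      # it unset (so csih can prompt for it, presumably - verify in the
      # helper) avoids that.  When --debug precedes --pwd, at least keep the
      # assignment itself out of the -x trace.
      case $- in
        *x*) set +x; password_value="$1"; set -x ;;
        *)   password_value="$1" ;;
      esac
      shift
      ;;

    --privileged )
      csih_FORCE_PRIVILEGED_USER=yes
      ;;

    *)
      # Any unknown option prints the usage text and exits with status 1.
      # The script name lives in PROGNAME (set near the top of the file).
      echo "usage: ${PROGNAME} [OPTION]..."
      echo
      echo "This script creates an OpenSSH host configuration."
      echo
      echo "Options:"
      echo " --debug -d Enable shell's debug output."
      echo " --yes -y Answer all questions with \"yes\" automatically."
      echo " --no -n Answer all questions with \"no\" automatically."
      echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
      echo " --name -N <name> sshd windows service name."
      echo " --port -p <n> sshd listens on port n."
      echo " --user -u <account> privileged user for service, default 'cyg_server'."
      echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
      echo " --privileged On Windows XP, require privileged user"
      echo " instead of LocalSystem for sshd service."
      echo
      exit 1
      ;;

  esac
done

# ======================================================================
# Action!
# ======================================================================

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running.  The pattern matches a command
# ending in "/ssh" or "/sshd".  csih_error is relied upon to abort the
# script (nothing here exits explicitly) - confirm in the csih helper.
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Make sure the user is running in an administrative context.  544 is the
# RID of the built-in Administrators group (S-1-5-32-544); "id -G" lists
# the group RIDs present in the current token.
if /usr/bin/id -G | /usr/bin/grep -Eq '\<544\>'
then
  admin=yes
else
  admin=no
fi
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  # Group names are NUL-delimited; print each on its own indented line
  # without depending on xargs, which csih_required_commands does not cover.
  while IFS= read -r -d '' group_name
  do
    echo "  ${group_name}"
  done < <(/usr/bin/id -Gnz)
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
  echo
  csih_warning "Make sure you have the appropriate privileges right now,"
  csih_warning "otherwise parts of this script will probably fail!"
  echo
  echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
  if ! csih_request "you have the required privileges)"
  then
    echo
    csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
    csih_inform "or to start this script from an elevated shell."
    exit 1
  fi
fi

echo

# Counts every problem reported below; it also becomes the exit status.
warning_cnt=0

# Create /var/log/lastlog if not already exists.  Something that exists
# but is not a regular file cannot be used by sshd, so that is fatal.
if [ -e "${LOCALSTATEDIR}/log/lastlog" ] && [ ! -f "${LOCALSTATEDIR}/log/lastlog" ]
then
  echo
  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
                   "Cannot create ssh host configuration."
fi
if [ ! -e "${LOCALSTATEDIR}/log/lastlog" ]
then
  /usr/bin/cat /dev/null > "${LOCALSTATEDIR}/log/lastlog"
  if ! /usr/bin/chmod 644 "${LOCALSTATEDIR}/log/lastlog" >/dev/null 2>&1
  then
    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
    warning_cnt=$((warning_cnt + 1))
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  warning_cnt=$((warning_cnt + 1))
fi

# generate missing host keys: "ssh-keygen -A" creates every default host key
# type that does not exist yet and leaves existing keys untouched.
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || warning_cnt=$((warning_cnt + $?))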
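
# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
# Only append to ssh_config while it is still byte-identical to the packaged
# default; a file the administrator already edited is left alone.
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    {
      echo "Host localhost"
      echo " Port ${port_number}"
    } >> "${SYSCONFDIR}/ssh_config"
  fi
fi

# handle sshd_config
# make sure not to change the existing file: remember its modification time
# before csih_install_config runs and apply the tweaks only when the file was
# created or replaced, never when an administrator-maintained file was kept.
# "stat -c %y" prints the full-precision mtime independent of the locale's
# label for the "Modify:" line.
# NOTE(review): stat is not listed in csih_required_commands at the top of
# the file, so the csih sanity check does not guarantee its presence.
mod_before=""
if [ -e "${SYSCONFDIR}/sshd_config" ]
then
  mod_before=$(stat -c '%y' "${SYSCONFDIR}/sshd_config")
fi
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
mod_now=$(stat -c '%y' "${SYSCONFDIR}/sshd_config")
# A file that differs from the packaged default is treated as already configured.
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
  sshd_config_configured=yes
fi
if [ "${mod_before}" != "${mod_now}" ]
then
  sshd_strictmodes || warning_cnt=$((warning_cnt + $?))
  sshd_config_tweak || warning_cnt=$((warning_cnt + $?))
fi
#sshd_privsep || let warning_cnt+=$?
update_services_file || warning_cnt=$((warning_cnt + $?))
update_inetd_conf || warning_cnt=$((warning_cnt + $?))
install_service || warning_cnt=$((warning_cnt + $?))

echo
if [ "${warning_cnt}" -eq 0 ]
then
  csih_inform "Host configuration finished. Have fun!"
else
  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
  csih_warning "Make sure that all problems reported are fixed,"
  csih_warning "then re-run ssh-host-config."
fi
# The exit status carries the problem count.  It accumulates raw exit codes,
# so clamp it: a value of 256 would otherwise wrap to 0 and read as success.
exit $(( warning_cnt > 255 ? 255 : warning_cnt ))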