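#!/bin/bash
#
# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# ======================================================================
# Initialization
# ======================================================================

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# List of apps used.  This is checked for existence in csih_sanity_check.
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
#
# Each entry is "<absolute path> <Cygwin package providing it>".  The script
# runs as an administrator, so external tools should be named here and
# invoked by absolute path rather than looked up through PATH.  chown is
# listed because check_service_files_ownership relies on it.
declare -a csih_required_commands=(
  /usr/bin/basename    coreutils
  /usr/bin/cat         coreutils
  /usr/bin/chmod       coreutils
  /usr/bin/chown       coreutils
  /usr/bin/dirname     coreutils
  /usr/bin/id          coreutils
  /usr/bin/mv          coreutils
  /usr/bin/rm          coreutils
  /usr/bin/cygpath     cygwin
  /usr/bin/mkpasswd    cygwin
  /usr/bin/mount       cygwin
  /usr/bin/ps          cygwin
  /usr/bin/umount      cygwin
  /usr/bin/cmp         diffutils
  /usr/bin/grep        grep
  /usr/bin/awk         gawk
  /usr/bin/ssh-keygen  openssh
  /usr/sbin/sshd       openssh
  /usr/bin/sed         sed
)
csih_sanity_check_server=yes
source "${CSIH_SCRIPT}"

# Name and directory of this script.  "$0" is quoted so a Windows path
# containing spaces (common under Cygwin) does not get word-split.
PROGNAME=$(/usr/bin/basename "$0")
_tdir=$(/usr/bin/dirname "$0")
PROGDIR=$(cd "${_tdir}" && pwd)

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var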
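
# Defaults; the option parser at the end of this script may override them.
sshd_config_configured=no   # "yes" once sshd_config is known to be set up already
port_number=22              # listening port written into sshd_config if not 22
service_name=sshd           # name of the Windows service created by cygrunsrv
strictmodes=yes             # StrictModes value written into sshd_config
privsep_used=yes            # UsePrivilegeSeparation value written into sshd_config
cygwin_value=""             # contents of the service's CYGWIN environment variable
user_account=               # privileged account to run the service as, if given
password_value=             # its password, if given on the command line
opt_force=no                # passed as -f to csih_select_privileged_username

# ======================================================================
# Routine: update_services_file
# Adds "ssh 22/tcp" and "ssh 22/udp" to the Windows services file
# (%SYSTEMROOT%\system32\drivers\etc\services) unless an ssh/22 entry
# already exists.  The directory is temporarily mounted in text mode
# without ACLs so the file can be rewritten with ordinary text tools.
# Returns: 0 on success, otherwise the number of failed steps.
# ======================================================================
update_services_file() {
  local _my_etcdir="/ssh-host-config.$$"
  local _win_etcdir
  local _services
  local _spaces
  local _serv_tmp
  local _wservices
  local ret=0

  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  _spaces=" #"
  _serv_tmp="${_my_etcdir}/srv.out.$$"

  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"

  # Depends on the above mount.  Use the absolute path like every other
  # tool in this script instead of relying on PATH.
  _wservices=$(/usr/bin/cygpath -w "${_services}")

  # Add ssh 22/tcp and ssh 22/udp to services
  if ! /usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"
  then
    # Insert both ssh entries immediately before the telnet (23/tcp) line.
    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
        csih_inform "Added ssh to ${_wservices}"
      else
        csih_warning "Adding ssh to ${_wservices} failed!"
        let ++ret
      fi
      /usr/bin/rm -f "${_serv_tmp}"
    else
      csih_warning "Adding ssh to ${_wservices} failed!"
      let ++ret
    fi
  fi
  /usr/bin/umount "${_my_etcdir}"
  return $ret
} # --- End of update_services_file --- #

# ======================================================================
# Routine: sshd_strictmodes
# Asks whether StrictModes should stay enabled; only asked when
# sshd_config has not been configured yet.
# MODIFIES: strictmodes (set to "no" if the user declines)
# Returns: always 0.
# ======================================================================
sshd_strictmodes() {
  if [ "${sshd_config_configured}" != "yes" ]
  then
    echo
    csih_inform "StrictModes is set to 'yes' by default."
    csih_inform "This is the recommended setting, but it requires that the POSIX"
    csih_inform "permissions of the user's home directory, the user's .ssh"
    csih_inform "directory, and the user's ssh key files are tight so that"
    csih_inform "only the user has write permissions."
    csih_inform "On the other hand, StrictModes don't work well with default"
    csih_inform "Windows permissions of a home directory mounted with the"
    csih_inform "'noacl' option, and they don't work at all if the home"
    csih_inform "directory is on a FAT or FAT32 partition."
    # Declining the question is the only way to turn StrictModes off.
    csih_request "Should StrictModes be used?" || strictmodes=no
  fi
  return 0
} # --- End of sshd_strictmodes --- #

# ======================================================================
# Routine: sshd_privsep
# Asks whether privilege separation should be used and, if so, creates
# the unprivileged 'sshd' account it needs.  Only asked when sshd_config
# has not been configured yet.
# MODIFIES: privsep_used
# Returns: 0 on success, 1 if the 'sshd' account could not be created
#          (privsep_used is then forced back to "no").
# ======================================================================
sshd_privsep() {
  local ret=0

  if [ "${sshd_config_configured}" != "yes" ]
  then
    echo
    csih_inform "Privilege separation is set to 'sandbox' by default since"
    csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
    csih_inform "to 'yes' or 'no'."
    csih_inform "However, using privilege separation requires a non-privileged account"
    csih_inform "called 'sshd'."
    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    if csih_request "Should privilege separation be used?"
    then
      privsep_used=yes
      if ! csih_create_unprivileged_user sshd
      then
        csih_error_recoverable "Couldn't create user 'sshd'!"
        csih_error_recoverable "Privilege separation set to 'no' again!"
        csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
        let ++ret
        privsep_used=no
      fi
    else
      privsep_used=no
    fi
  fi
  return $ret
} # --- End of sshd_privsep --- #

# ======================================================================
# Routine: sshd_config_tweak
# Rewrites Port, StrictModes and UsePrivilegeSeparation in
# ${SYSCONFDIR}/sshd_config according to port_number, strictmodes and
# privsep_used.  The privsep line is only touched when sshd_config has
# not been configured before.
# Returns: 0 on success, otherwise the number of failed edits.
# ======================================================================
sshd_config_tweak() {
  local ret=0
  local _cfg="${SYSCONFDIR}/sshd_config"

  # Modify sshd_config
  csih_inform "Updating ${_cfg} file"
  if [ "${port_number}" -ne 22 ]
  then
    # Matches both a commented-out and an active Port line.
    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
      "${_cfg}"
    if [ $? -ne 0 ]
    then
      csih_warning "Setting listening port to ${port_number} failed!"
      csih_warning "Check your ${_cfg} file!"
      let ++ret
    fi
  fi
  if [ "${strictmodes}" = "no" ]
  then
    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
      "${_cfg}"
    if [ $? -ne 0 ]
    then
      csih_warning "Setting StrictModes to 'no' failed!"
      csih_warning "Check your ${_cfg} file!"
      let ++ret
    fi
  fi
  if [ "${sshd_config_configured}" != "yes" ]
  then
    /usr/bin/sed -i -e "
      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
      "${_cfg}"
    if [ $? -ne 0 ]
    then
      csih_warning "Setting privilege separation failed!"
      csih_warning "Check your ${_cfg} file!"
      let ++ret
    fi
  fi
  return $ret
} # --- End of sshd_config_tweak --- #

# ======================================================================
# Routine: update_inetd_conf
# Registers sshd with inetd.  With inetutils-1.5 style ${SYSCONFDIR}/inetd.d
# support, any ssh/sshd line is removed from inetd.conf and replaced by
# the packaged inetd.d/sshd-inetd file; otherwise an ssh line is
# maintained directly in inetd.conf.  The new entry is left commented
# out unless an active (uncommented) entry existed before.
# Returns: 0 on success, otherwise the number of failed steps.
# ======================================================================
update_inetd_conf() {
  local _inetcnf="${SYSCONFDIR}/inetd.conf"
  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
  local _with_comment=1
  local ret=0

  # NOTE: "[# \t]" in the old patterns did not match a tab (inside a
  # bracket expression "\t" is a backslash and a 't'), so tab-indented
  # entries were missed.  "[#[:space:]]" covers any mix of '#' and blanks.
  if [ -d "${_inetcnf_dir}" ]
  then
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
      # An active ssh entry means the inetd.d file should be active as well.
      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0

      # check for sshd OR ssh in top-level inetd.conf file, and remove
      # will be replaced by a file in inetd.d/
      if /usr/bin/grep -q '^[#[:space:]]*ssh' "${_inetcnf}"
      then
        # Truncate (">") rather than append: a stale temp file left over
        # from an earlier run with the same PID must not leak into inetd.conf.
        /usr/bin/grep -v '^[#[:space:]]*ssh' "${_inetcnf}" > "${_inetcnf_tmp}"
        if [ -f "${_inetcnf_tmp}" ]
        then
          if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
          then
            csih_inform "Removed ssh[d] from ${_inetcnf}"
          else
            csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
            let ++ret
          fi
          /usr/bin/rm -f "${_inetcnf_tmp}"
        else
          csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
          let ++ret
        fi
      fi
    fi

    csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
    # Only rewrite the @COMMENT@ placeholder while the installed file is
    # still identical to the packaged default, i.e. not locally edited.
    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
    then
      if [ "${_with_comment}" -eq 0 ]
      then
        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      else
        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      fi
      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      then
        csih_inform "Updated ${_sshd_inetd_conf}"
      else
        csih_warning "Updating ${_sshd_inetd_conf} failed!"
        let ++ret
      fi
    fi

  elif [ -f "${_inetcnf}" ]
  then
    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0

    # check for sshd in top-level inetd.conf file, and remove
    # will be replaced by a file in inetd.d/
    if /usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"
    then
      # Truncate, do not append (see above).
      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" > "${_inetcnf_tmp}"
      if [ -f "${_inetcnf_tmp}" ]
      then
        if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
        then
          csih_inform "Removed sshd from ${_inetcnf}"
        else
          csih_warning "Removing sshd from ${_inetcnf} failed!"
          let ++ret
        fi
        /usr/bin/rm -f "${_inetcnf_tmp}"
      else
        csih_warning "Removing sshd from ${_inetcnf} failed!"
        let ++ret
      fi
    fi

    # Add ssh line to inetd.conf
    if ! /usr/bin/grep -q '^[#[:space:]]*ssh' "${_inetcnf}"
    then
      if [ "${_with_comment}" -eq 0 ]
      then
        echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
      else
        echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
      fi
      if [ $? -eq 0 ]
      then
        csih_inform "Added ssh to ${_inetcnf}"
      else
        csih_warning "Adding ssh to ${_inetcnf} failed!"
        let ++ret
      fi
    fi
  fi
  return $ret
} # --- End of update_inetd_conf --- #

# ======================================================================
# Routine: check_service_files_ownership
# Checks that the files in /etc and /var belong to the right owner
# Arguments: $1 - account the service runs as; if empty it is looked up
#                 from the installed sshd service via cygrunsrv/mkpasswd.
# Returns: 0 on success, 1 if the account could not be determined,
#          otherwise the number of files whose owner could not be changed.
# ======================================================================
check_service_files_ownership() {
  local run_service_as=$1
  local accnt_name
  local dom
  local i
  local ret=0

  if [ -z "${run_service_as}" ]
  then
    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
                 /usr/bin/sed -ne 's/^Account *: *//gp')
    if [ "${accnt_name}" = "LocalSystem" ]
    then
      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
      run_service_as="SYSTEM"
    else
      # cygrunsrv reports "DOMAIN\user" or ".\user" for local accounts.
      dom="${accnt_name%%\\*}"
      accnt_name="${accnt_name#*\\}"
      if [ "${dom}" = '.' ]
      then
        # Check local account
        run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
                         /usr/bin/awk -F: '{print $1;}')
      else
        # Check domain
        run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
                         /usr/bin/awk -F: '{print $1;}')
      fi
    fi
    if [ -z "${run_service_as}" ]
    then
      csih_warning "Couldn't determine name of user running sshd service from account database!"
      csih_warning "As a result, this script cannot make sure that the files used"
      csih_warning "by the sshd service belong to the user running the service."
      return 1
    fi
  fi
  # Group 544 is the Administrators group.  Use ':' as the separator:
  # with the old "user.544" form a user name containing a dot (common
  # for Windows accounts) is split at the wrong place by chown.
  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
  do
    if [ -f "$i" ]
    then
      if ! /usr/bin/chown "${run_service_as}:544" "$i" >/dev/null 2>&1
      then
        csih_warning "Couldn't change owner of $i!"
        let ++ret
      fi
    fi
  done
  if ! /usr/bin/chown "${run_service_as}:544" "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
  then
    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
    let ++ret
  fi
  if ! /usr/bin/chown "${run_service_as}:544" "${LOCALSTATEDIR}/log/lastlog" >/dev/null 2>&1
  then
    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
    let ++ret
  fi
  if [ -f "${LOCALSTATEDIR}/log/sshd.log" ]
  then
    if ! /usr/bin/chown "${run_service_as}:544" "${LOCALSTATEDIR}/log/sshd.log" >/dev/null 2>&1
    then
      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
      let ++ret
    fi
  fi
  if [ $ret -ne 0 ]
  then
    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
    csih_warning "This may cause the sshd service to fail! Please make sure that"
    csih_warning "you have sufficient permissions to change the ownership of files"
    csih_warning "and try to run the ssh-host-config script again."
  fi
  return $ret
} # --- End of check_service_files_ownership --- #

# ======================================================================
# Routine: install_service
# Install sshd as a service
# If the service already exists only the file ownership is checked.
# Otherwise the user is asked, a privileged account is selected/created
# where the platform needs one, and cygrunsrv installs the service
# either under LocalSystem or under that account.
# Returns: 0 on success, otherwise the number of failed steps
#          (exits 1 if the user declines to continue after a failed
#          privileged-user creation).
# ======================================================================
install_service() {
  local run_service_as
  local password
  local -a select_opts=()
  local -a cygwin_env=()
  local xtrace_on=no
  local rc
  local ret=0

  echo
  if /usr/bin/cygrunsrv -Q "${service_name}" >/dev/null 2>&1
  then
    csih_inform "Sshd service is already installed."
    check_service_files_ownership "" || let ret+=$?
  else
    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
    if csih_request "(Say \"no\" if it is already installed as a service)"
    then
      csih_get_cygenv "${cygwin_value}"

      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
      then
        csih_inform "On Windows Server 2003, Windows Vista, and above, the"
        csih_inform "SYSTEM account cannot setuid to other users -- a capability"
        csih_inform "sshd requires. You need to have or to create a privileged"
        csih_inform "account. This script will help you do so."
        echo

        # Build the option list as an array so an account name containing
        # spaces survives as a single argument.
        [ "${opt_force}" = "yes" ] && select_opts+=(-f)
        [ -n "${user_account}" ] && select_opts+=(-u "${user_account}")
        csih_select_privileged_username "${select_opts[@]}" sshd

        if ! csih_create_privileged_user "${password_value}"
        then
          csih_error_recoverable "There was a serious problem creating a privileged user."
          csih_request "Do you want to proceed anyway?" || exit 1
          let ++ret
        fi
      fi

      # Never returns empty if NT or above
      run_service_as=$(csih_service_should_run_as)

      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
      then
        password="${csih_PRIVILEGED_PASSWORD}"
        if [ -z "${password}" ]
        then
          csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
          password="${csih_value}"
        fi
      fi

      # At this point, we either have $run_service_as = "system" and
      # $password is empty, or $run_service_as is some privileged user and
      # (hopefully) $password contains the correct password.  So, from here
      # out, we use '-z "${password}"' to discriminate the two cases.

      csih_check_user "${run_service_as}"

      if [ -n "${csih_cygenv}" ]
      then
        cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
      fi
      if [ -z "${password}" ]
      then
        if /usr/bin/cygrunsrv -I "${service_name}" -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
                              -a "-D" -y tcpip "${cygwin_env[@]}"
        then
          echo
          csih_inform "The sshd service has been installed under the LocalSystem"
          csih_inform "account (also known as SYSTEM). To start the service now, call"
          csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'. Otherwise, it"
          csih_inform "will start automatically after the next reboot."
        fi
      else
        # The password is handed to cygrunsrv on its command line (-w), so
        # it is visible in the process list for the duration of the call.
        # At least keep it out of the shell trace when --debug (set -x) is on.
        case "$-" in *x*) xtrace_on=yes ;; esac
        [ "${xtrace_on}" = "yes" ] && set +x
        /usr/bin/cygrunsrv -I "${service_name}" -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
                           -a "-D" -y tcpip "${cygwin_env[@]}" \
                           -u "${run_service_as}" -w "${password}"
        rc=$?
        [ "${xtrace_on}" = "yes" ] && set -x
        if [ $rc -eq 0 ]
        then
          # The service account needs the "Log on as a service" right.
          /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
          echo
          csih_inform "The sshd service has been installed under the '${run_service_as}'"
          csih_inform "account. To start the service now, call \`net start ${service_name}' or"
          csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start automatically"
          csih_inform "after the next reboot."
        fi
      fi

      if /usr/bin/cygrunsrv -Q "${service_name}" >/dev/null 2>&1
      then
        check_service_files_ownership "${run_service_as}" || let ret+=$?
      else
        csih_error_recoverable "Installing sshd as a service failed!"
        let ++ret
      fi
    fi # user allowed us to install as service
  fi # service not yet installed
  return $ret
} # --- End of install_service --- #

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
# (1) it has been started by giving the full path and
#     that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
#     SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.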
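# Non-interactive invocation: when setup runs us from /etc/postinstall, or
# when SSH_HOST_CONFIG_AUTO_ANSWER_NO is set, every question is answered
# "no" (existing files in /etc are never overwritten), the defaults are
# forced and colour escapes are switched off so setup's logfiles stay
# readable.  Explicit -y/-n options below may still override the answer.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================

# ----------------------------------------------------------------------
# Print the option summary to stdout.  Shared by the unknown-option
# branch and by options that were given without their mandatory value.
# ----------------------------------------------------------------------
print_usage()
{
  # PROGNAME is the name set in the initialisation section; the
  # lower-case ${progname} used here before is never assigned and
  # expanded to an empty string.
  echo "usage: ${PROGNAME} [OPTION]..."
  echo
  echo "This script creates an OpenSSH host configuration."
  echo
  echo "Options:"
  echo " --debug -d Enable shell's debug output."
  echo " --yes -y Answer all questions with \"yes\" automatically."
  echo " --no -n Answer all questions with \"no\" automatically."
  echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
  echo " --name -N <name> sshd windows service name."
  echo " --port -p <n> sshd listens on port n."
  echo " --user -u <account> privileged user for service, default 'cyg_server'."
  echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
  echo " --privileged On Windows XP, require privileged user"
  echo " instead of LocalSystem for sshd service."
  echo
} # --- End of print_usage --- #

# ----------------------------------------------------------------------
# Abort with the usage text when option $1 was the last word on the
# command line, i.e. it was given without the value it requires.
# $2 is the number of command line words still unparsed.  Previously a
# trailing "-p" or "-w" silently left the variable empty and went on.
# ----------------------------------------------------------------------
require_option_value()
{
  if [ "$2" -eq 0 ]
  then
    echo
    csih_warning "Option $1 requires a value."
    echo
    print_usage
    exit 1
  fi
} # --- End of require_option_value --- #

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    # NOTE(review): `set -x' echoes every command the script runs,
    # including the cygrunsrv call in install_service that receives the
    # service password on its command line (-w).  Don't combine --debug
    # with --pwd where stderr is captured into a logfile.
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    opt_force=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    opt_force=yes
    ;;

  -c | --cygwin )
    require_option_value "${option}" $#
    cygwin_value="$1"
    shift
    ;;

  -N | --name )
    require_option_value "${option}" $#
    service_name=$1
    shift
    ;;

  -p | --port )
    require_option_value "${option}" $#
    port_number=$1
    shift
    # The value is appended verbatim to ssh_config ("Port ${port_number}")
    # further below and handed to sshd, so accept nothing but a plain TCP
    # port number; anything else could smuggle extra directives into the
    # config file.  csih_error aborts the script (the running-sshd check
    # below relies on the same behaviour).
    case "${port_number}" in
    *[!0-9]* | "" )
      csih_error "Port '${port_number}' is not a number."
      ;;
    * )
      if [ "${port_number}" -lt 1 ] || [ "${port_number}" -gt 65535 ]
      then
        csih_error "Port '${port_number}' is out of range (1-65535)."
      fi
      ;;
    esac
    ;;

  -u | --user )
    require_option_value "${option}" $#
    user_account="$1"
    shift
    ;;

  -w | --pwd )
    require_option_value "${option}" $#
    # NOTE(review): a password given here is visible to every local user
    # via the process list for as long as this script runs, and again
    # while cygrunsrv is invoked with it.  Prefer the interactive prompt
    # on shared machines.
    password_value="$1"
    shift
    ;;

  --privileged )
    csih_FORCE_PRIVILEGED_USER=yes
    ;;

  *)
    print_usage
    exit 1
    ;;

  esac
done

# ======================================================================
# Action!
# ======================================================================

# Check for running ssh/sshd processes first.  Refuse to do anything while
# some ssh processes are still running (csih_error does not return).
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Make sure the user is running in an administrative context.  544 is the
# RID of the local Administrators group; it only shows up in the token of
# an elevated shell.
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  # One group per line.  A bash read loop is used instead of a bare
  # `xargs' so that, like every other tool in this script, nothing is
  # looked up via PATH (xargs is also not in csih_required_commands).
  /usr/bin/id -Gnz | while IFS= read -r -d '' grp
  do
    echo " " "${grp}"
  done
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
  echo
  csih_warning "Make sure you have the appropriate privileges right now,"
  csih_warning "otherwise parts of this script will probably fail!"
  echo
  echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
  if ! csih_request "you have the required privileges)"
  then
    echo
    csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
    csih_inform "or to start this script from an elevated shell."
    exit 1
  fi
fi

echo

# Every non-fatal problem bumps this counter; it becomes the exit status.
warning_cnt=0

# Create /var/log/lastlog if it does not already exist.  Something that
# exists at that path but is not a regular file is a hard error.
if [ -e "${LOCALSTATEDIR}/log/lastlog" ] && [ ! -f "${LOCALSTATEDIR}/log/lastlog" ]
then
  echo
  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
    "Cannot create ssh host configuration."
fi
if [ ! -e "${LOCALSTATEDIR}/log/lastlog" ]
then
  /usr/bin/cat /dev/null > "${LOCALSTATEDIR}/log/lastlog"
  if ! /usr/bin/chmod 644 "${LOCALSTATEDIR}/log/lastlog" >/dev/null 2>&1
  then
    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
    let ++warning_cnt
  fi
fi

# Create /var/empty, used as chroot jail for privilege separation.  It must
# not be writable by anyone but the owner, hence the explicit 755.
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  let ++warning_cnt
fi

# Generate whichever host keys are still missing (ssh-keygen -A keeps
# existing ones).
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || let warning_cnt+=$?

# Handle ssh_config.  The port override is only appended when the file is
# still identical to the packaged default, so a locally edited file is
# left alone.
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    echo "Host localhost" >> "${SYSCONFDIR}/ssh_config"
    echo " Port ${port_number}" >> "${SYSCONFDIR}/ssh_config"
  fi
fi

# Handle sshd_config (and privsep).  sshd_config_configured records whether
# the installed file already differs from the packaged default; the helper
# functions below consult it.
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
  sshd_config_configured=yes
fi
sshd_strictmodes || let warning_cnt+=$?
sshd_privsep || let warning_cnt+=$?
sshd_config_tweak || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?

echo
if [ $warning_cnt -eq 0 ]
then
  csih_inform "Host configuration finished. Have fun!"
else
  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
  csih_warning "Make sure that all problems reported are fixed,"
  csih_warning "then re-run ssh-host-config."
fi
exit $warning_cnt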