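#!/bin/bash
#
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# ======================================================================
# Initialization
# ======================================================================

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# List of apps used.  This is checked for existence in csih_sanity_check.
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
# Every external command this script runs by absolute path is listed here
# (chown included), so a broken installation is reported up front instead
# of failing halfway through the configuration.
declare -a csih_required_commands=(
  /usr/bin/basename coreutils
  /usr/bin/cat coreutils
  /usr/bin/chmod coreutils
  /usr/bin/chown coreutils
  /usr/bin/dirname coreutils
  /usr/bin/id coreutils
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/cygpath cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
  /usr/bin/setfacl cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
  /usr/bin/awk gawk
  /usr/bin/ssh-keygen openssh
  /usr/sbin/sshd openssh
  /usr/bin/sed sed
)
csih_sanity_check_server=yes
source "${CSIH_SCRIPT}"

PROGNAME=$(/usr/bin/basename "$0")
_tdir=$(/usr/bin/dirname "$0")
PROGDIR=$(cd "${_tdir}" && pwd)

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

# Defaults for the settings that the option parser below may override.
port_number=22
privsep_configured=no
privsep_used=yes
cygwin_value=""
user_account=
password_value=
opt_force=no

# ======================================================================
# Routine: _gen_host_key
# Generate one host key if it does not exist yet.
# Arguments: $1 - key type passed to ssh-keygen -t
#            $2 - path of the private key file
# Returns:   0 if the key exists or was generated, 1 on failure
# ======================================================================
_gen_host_key() {
  local key_type=$1
  local key_file=$2

  # Never overwrite an existing host key: clients have pinned it.
  if [ -f "${key_file}" ]
  then
    return 0
  fi
  csih_inform "Generating ${key_file}"
  # Host keys must be stored unencrypted (-N '') so sshd can load them
  # unattended; the file ownership is fixed up later by
  # check_service_files_ownership.
  if ! /usr/bin/ssh-keygen -t "${key_type}" -f "${key_file}" -N '' > /dev/null
  then
    csih_warning "Generating ${key_file} failed!"
    return 1
  fi
  return 0
} # --- End of _gen_host_key --- #

# ======================================================================
# Routine: create_host_keys
# Create any missing host keys in ${SYSCONFDIR}.
# Returns: number of key types whose generation failed
# ======================================================================
create_host_keys() {
  local ret=0
  local key_type
  local key_file

  # rsa1 is the legacy SSH protocol 1 host key (ssh_host_key); it is only
  # needed while "Protocol 1" is still enabled in sshd_config.
  for key_type in rsa1 rsa dsa ecdsa
  do
    if [ "${key_type}" = "rsa1" ]
    then
      key_file="${SYSCONFDIR}/ssh_host_key"
    else
      key_file="${SYSCONFDIR}/ssh_host_${key_type}_key"
    fi
    _gen_host_key "${key_type}" "${key_file}" || ret=$((ret + 1))
  done
  return $ret
} # --- End of create_host_keys --- #

# ======================================================================
# Routine: update_services_file
# Replace any "sshd 22" entry in the Windows services file with
# "ssh 22/tcp" and "ssh 22/udp" entries.
# Returns: number of failed steps
# ======================================================================
update_services_file() {
  local _my_etcdir="/ssh-host-config.$$"
  local _win_etcdir
  local _services
  local _spaces
  local _serv_tmp
  local _wservices
  local ret=0

  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  _spaces=" #"
  _serv_tmp="${_my_etcdir}/srv.out.$$"

  # Mount the Windows etc directory in text mode so CRLF line endings are
  # handled transparently by the tools below.  Without the mount every
  # following step would silently operate on a non-existent file.
  if ! /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
  then
    csih_warning "Mounting ${_win_etcdir} on ${_my_etcdir} failed!"
    return 1
  fi

  # Depends on the above mount
  _wservices=$(/usr/bin/cygpath -w "${_services}")

  # Remove sshd 22/port from services
  if /usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"
  then
    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
    if [ -f "${_serv_tmp}" ]
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
        csih_inform "Removing sshd from ${_wservices}"
      else
        csih_warning "Removing sshd from ${_wservices} failed!"
        ret=$((ret + 1))
      fi
      /usr/bin/rm -f "${_serv_tmp}"
    else
      csih_warning "Removing sshd from ${_wservices} failed!"
      ret=$((ret + 1))
    fi
  fi

  # Add ssh 22/tcp and ssh 22/udp to services
  if ! /usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"
  then
    # The entries are inserted in front of the telnet (23/tcp) line to keep
    # the file sorted by port.  If there is no such line they are appended
    # at the end, so the "Added" message below is never reported for an
    # unchanged file.
    if /usr/bin/awk -v sp="${_spaces}" '
        function add_ssh() {
          printf "ssh 22/tcp%sSSH Remote Login Protocol\n", sp
          printf "ssh 22/udp%sSSH Remote Login Protocol\n", sp
          added = 1
        }
        !added && $2 ~ /^23\/tcp/ { add_ssh() }
        { print }
        END { if (!added) add_ssh() }
      ' < "${_services}" > "${_serv_tmp}"
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
        csih_inform "Added ssh to ${_wservices}"
      else
        csih_warning "Adding ssh to ${_wservices} failed!"
        ret=$((ret + 1))
      fi
      /usr/bin/rm -f "${_serv_tmp}"
    else
      csih_warning "Adding ssh to ${_wservices} failed!"
      ret=$((ret + 1))
    fi
  fi
  /usr/bin/umount "${_my_etcdir}"
  return $ret
} # --- End of update_services_file --- #

# ======================================================================
# Routine: sshd_privsep
# Ask whether privilege separation should be used, create the
# unprivileged 'sshd' account if so, and write the answer (plus port and
# StrictModes) into sshd_config.
# MODIFIES: privsep_configured privsep_used
# Returns: number of failed steps
# ======================================================================
sshd_privsep() {
  local sshdconfig_tmp
  local default_config="${SYSCONFDIR}/defaults${SYSCONFDIR}/sshd_config"
  local ret=0

  if [ "${privsep_configured}" != "yes" ]
  then
    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
    csih_inform "However, this requires a non-privileged account called 'sshd'."
    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    if csih_request "Should privilege separation be used?"
    then
      privsep_used=yes
      if ! csih_create_unprivileged_user sshd
      then
        csih_error_recoverable "Couldn't create user 'sshd'!"
        csih_error_recoverable "Privilege separation set to 'no' again!"
        csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
        ret=$((ret + 1))
        privsep_used=no
      fi
    else
      privsep_used=no
    fi
  fi

  # If sshd_config is still identical to the skeleton shipped in
  # /etc/defaults, rewrite it with the chosen settings; otherwise only add
  # the missing privsep option and leave the admin's edits alone.
  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${default_config}" >/dev/null 2>&1
  then
    # port_number is spliced into a sed expression below: refuse anything
    # that is not a plain number rather than corrupt sshd_config.
    case "${port_number}" in
      ''|*[!0-9]*)
        csih_warning "Invalid port number '${port_number}'!"
        csih_warning "${SYSCONFDIR}/sshd_config has been left unchanged."
        return $((ret + 1))
        ;;
    esac
    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
    sshdconfig_tmp="${SYSCONFDIR}/sshd_config.$$"
    # StrictModes is turned off here.  Presumably this is because Windows
    # ACLs often map to POSIX modes that sshd would otherwise reject;
    # NOTE(review): it also disables sshd's ownership/permission checks on
    # users' ~/.ssh files, so those have to be kept sane by other means.
    if ! /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
      s/^#Port 22/Port ${port_number}/
      s/^#StrictModes yes/StrictModes no/" \
      < "${SYSCONFDIR}/sshd_config" \
      > "${sshdconfig_tmp}" \
      || ! /usr/bin/mv "${sshdconfig_tmp}" "${SYSCONFDIR}/sshd_config"
    then
      csih_warning "Setting privilege separation to '${privsep_used}' failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      /usr/bin/rm -f "${sshdconfig_tmp}"
      ret=$((ret + 1))
    fi
  elif [ "${privsep_configured}" != "yes" ]
  then
    echo >> "${SYSCONFDIR}/sshd_config"
    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> "${SYSCONFDIR}/sshd_config"
    then
      csih_warning "Setting privilege separation to '${privsep_used}' failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      ret=$((ret + 1))
    fi
  fi
  return $ret
} # --- End of sshd_privsep --- #

# ======================================================================
# Routine: _remove_inetd_entry
# Drop every line matching a pattern from an inetd-style config file.
# Arguments: $1 - config file
#            $2 - grep BRE selecting the lines to remove
#            $3 - label used in messages
# Returns:   0 if nothing had to be removed or the removal succeeded,
#            1 otherwise
# ======================================================================
_remove_inetd_entry() {
  local conf=$1
  local pattern=$2
  local label=$3
  local tmp="${conf}.$$"

  /usr/bin/grep -q -- "${pattern}" "${conf}" || return 0
  # grep -v exits non-zero when no line survives (file contained only
  # matching lines); the empty result is still the correct new content,
  # so only the existence of the temp file is checked.
  /usr/bin/grep -v -- "${pattern}" "${conf}" > "${tmp}"
  if [ -f "${tmp}" ] && /usr/bin/mv "${tmp}" "${conf}"
  then
    csih_inform "Removed ${label} from ${conf}"
    return 0
  fi
  csih_warning "Removing ${label} from ${conf} failed!"
  /usr/bin/rm -f "${tmp}"
  return 1
} # --- End of _remove_inetd_entry --- #

# ======================================================================
# Routine: update_inetd_conf
# Register sshd with inetd: either as a file in inetd.d/ (inetutils-1.5
# and later) or as a line in inetd.conf.  The entry is left commented out
# unless an active ssh[d] entry already existed.
# Returns: number of failed steps
# ======================================================================
update_inetd_conf() {
  local _inetcnf="${SYSCONFDIR}/inetd.conf"
  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
  local _with_comment=1
  local _comment_repl
  local _line
  local ret=0

  if [ -d "${_inetcnf_dir}" ]
  then
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0

      # check for sshd OR ssh in top-level inetd.conf file, and remove
      # will be replaced by a file in inetd.d/
      _remove_inetd_entry "${_inetcnf}" '^[# \t]*ssh' 'ssh[d]' || ret=$((ret + 1))
    fi

    csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
    then
      # Fresh copy of the skeleton: resolve its @COMMENT@ placeholder.
      if [ "${_with_comment}" -eq 0 ]
      then
        _comment_repl=''
      else
        _comment_repl='# '
      fi
      /usr/bin/sed -e "s/@COMMENT@[ \t]*/${_comment_repl}/" < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      then
        csih_inform "Updated ${_sshd_inetd_conf}"
      else
        csih_warning "Updating ${_sshd_inetd_conf} failed!"
        ret=$((ret + 1))
      fi
    fi

  elif [ -f "${_inetcnf}" ]
  then
    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0

    # check for sshd in top-level inetd.conf file, and remove
    # will be replaced by a file in inetd.d/
    _remove_inetd_entry "${_inetcnf}" '^[# \t]*sshd' 'sshd' || ret=$((ret + 1))

    # Add ssh line to inetd.conf
    if ! /usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"
    then
      _line='ssh stream tcp nowait root /usr/sbin/sshd sshd -i'
      if [ "${_with_comment}" -ne 0 ]
      then
        _line="# ${_line}"
      fi
      if echo "${_line}" >> "${_inetcnf}"
      then
        csih_inform "Added ssh to ${_inetcnf}"
      else
        csih_warning "Adding ssh to ${_inetcnf} failed!"
        ret=$((ret + 1))
      fi
    fi
  fi
  return $ret
} # --- End of update_inetd_conf --- #

# ======================================================================
# Routine: _chown_service_file
# Give one file to the service account, group Administrators.
# Arguments: $1 - owner account name
#            $2 - path
# Returns:   0 on success, 1 on failure (a warning is printed)
# ======================================================================
_chown_service_file() {
  local owner=$1
  local path=$2

  # 544 is the Cygwin gid of the built-in Administrators group.
  if ! /usr/bin/chown "${owner}:544" "${path}" >/dev/null 2>&1
  then
    csih_warning "Couldn't change owner of ${path}!"
    return 1
  fi
  return 0
} # --- End of _chown_service_file --- #

# ======================================================================
# Routine: check_service_files_ownership
# Checks that the files in /etc and /var belong to the right owner
# Arguments: $1 - account the service runs as; if empty it is looked up
#                 from the installed sshd service via cygrunsrv
# Returns:   number of files whose ownership could not be changed, or 1
#            if the service account could not be determined
# ======================================================================
check_service_files_ownership() {
  local run_service_as=$1
  local accnt_name
  local i
  local ret=0

  if [ -z "${run_service_as}" ]
  then
    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
    if [ "${accnt_name}" = "LocalSystem" ]
    then
      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
      accnt_name="SYSTEM:"
    elif [[ "${accnt_name}" =~ ^\.\\ ]]
    then
      # Convert "." domain to local machine name
      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
    fi
    # Fixed-string, case-insensitive match against /etc/passwd; the
    # trailing ':' / ',' added above keeps "SYSTEM" from matching a
    # longer name.  A multi-line result means the match was ambiguous.
    run_service_as=$(/usr/bin/grep -Fi -- "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
    case "${run_service_as}" in
      *$'\n'*)
        csih_warning "Found more than one /etc/passwd entry for '${accnt_name}'!"
        run_service_as=
        ;;
    esac
    if [ -z "${run_service_as}" ]
    then
      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
      csih_warning "As a result, this script cannot make sure that the files used"
      csih_warning "by the sshd service belong to the user running the service."
      csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
      csih_warning "file is in a good shape."
      return 1
    fi
  fi
  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
  do
    if [ -f "$i" ]
    then
      _chown_service_file "${run_service_as}" "$i" || ret=$((ret + 1))
    fi
  done
  # The privsep chroot directory and lastlog must exist; a missing file
  # is reported as a failure here on purpose.
  _chown_service_file "${run_service_as}" "${LOCALSTATEDIR}/empty" || ret=$((ret + 1))
  _chown_service_file "${run_service_as}" "${LOCALSTATEDIR}/log/lastlog" || ret=$((ret + 1))
  if [ -f "${LOCALSTATEDIR}/log/sshd.log" ]
  then
    _chown_service_file "${run_service_as}" "${LOCALSTATEDIR}/log/sshd.log" || ret=$((ret + 1))
  fi
  if [ $ret -ne 0 ]
  then
    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
    csih_warning "This may cause the sshd service to fail! Please make sure that"
    csih_warning "you have sufficient permissions to change the ownership of files"
    csih_warning "and try to run the ssh-host-config script again."
  fi
  return $ret
} # --- End of check_service_files_ownership --- #

# ======================================================================
# Routine: install_service
# Install sshd as a service
# Uses the globals cygwin_value, user_account, password_value and
# opt_force set by the option parser.  May exit 1 if the user declines
# to continue after the privileged account could not be created.
# Returns: number of failed steps
# ======================================================================
install_service() {
  local run_service_as
  local password
  local -a sel_opts=()
  local -a cygwin_env=()
  local xtrace_on=no
  local ret=0

  echo
  if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
  then
    csih_inform "Sshd service is already installed."
    check_service_files_ownership "" || ret=$((ret + $?))
  else
    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
    if csih_request "(Say \"no\" if it is already installed as a service)"
    then
      csih_get_cygenv "${cygwin_value}"

      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
      then
        csih_inform "On Windows Server 2003, Windows Vista, and above, the"
        csih_inform "SYSTEM account cannot setuid to other users -- a capability"
        csih_inform "sshd requires. You need to have or to create a privileged"
        csih_inform "account. This script will help you do so."
        echo

        # Build the option list as an array so an account name containing
        # spaces survives word splitting.
        [ "${opt_force}" = "yes" ] && sel_opts+=(-f)
        [ -n "${user_account}" ] && sel_opts+=(-u "${user_account}")
        csih_select_privileged_username "${sel_opts[@]}" sshd

        if ! csih_create_privileged_user "${password_value}"
        then
          csih_error_recoverable "There was a serious problem creating a privileged user."
          csih_request "Do you want to proceed anyway?" || exit 1
          ret=$((ret + 1))
        fi
      fi

      # Never returns empty if NT or above
      run_service_as=$(csih_service_should_run_as)

      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
      then
        password="${csih_PRIVILEGED_PASSWORD}"
        if [ -z "${password}" ]
        then
          csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
          password="${csih_value}"
        fi
      fi

      # At this point, we either have $run_service_as = "system" and
      # $password is empty, or $run_service_as is some privileged user and
      # (hopefully) $password contains the correct password.  So, from here
      # out, we use '-z "${password}"' to discriminate the two cases.

      csih_check_user "${run_service_as}"

      if [ -n "${csih_cygenv}" ]
      then
        cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
      fi
      if [ -z "${password}" ]
      then
        if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
                              -a "-D" -y tcpip "${cygwin_env[@]}"
        then
          echo
          csih_inform "The sshd service has been installed under the LocalSystem"
          csih_inform "account (also known as SYSTEM). To start the service now, call"
          csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
          csih_inform "will start automatically after the next reboot."
        fi
      else
        # cygrunsrv only accepts the service account password on its
        # command line (-w), so it is briefly visible to local `ps`.  At
        # least keep it out of the shell trace that --debug (set -x)
        # produces, which may end up in setup's log files.
        case $- in
          *x*) xtrace_on=yes; set +x ;;
        esac
        if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
                              -a "-D" -y tcpip "${cygwin_env[@]}" \
                              -u "${run_service_as}" -w "${password}"
        then
          [ "${xtrace_on}" = "yes" ] && set -x
          # The account needs the "Log on as a service" right or the
          # service manager will refuse to start it.
          if ! /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
          then
            csih_warning "Granting SeServiceLogonRight to '${run_service_as}' failed!"
            csih_warning "The sshd service may not start until this right is granted."
            ret=$((ret + 1))
          fi
          echo
          csih_inform "The sshd service has been installed under the '${run_service_as}'"
          csih_inform "account. To start the service now, call \`net start sshd' or"
          csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
          csih_inform "after the next reboot."
        else
          [ "${xtrace_on}" = "yes" ] && set -x
        fi
      fi

      if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
      then
        check_service_files_ownership "${run_service_as}" || ret=$((ret + $?))
      else
        csih_error_recoverable "Installing sshd as a service failed!"
        ret=$((ret + 1))
      fi
    fi # user allowed us to install as service
  fi # service not yet installed
  return $ret
} # --- End of install_service --- #

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
# (1) it has been started by giving the full path and
#     that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
#     SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.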
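# Non-interactive mode.  When Cygwin's setup.exe runs us from
# /etc/postinstall there is nobody to answer questions: answer "no" to
# everything (so existing files in /etc are never overwritten), take the
# defaults, and drop colour escapes so setup's logfile stays readable.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi
# The same non-interactive mode, requested explicitly via the environment.
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================

# Print the usage text to stdout (as before) and exit with status 1.
# Uses PROGNAME, which is set at the top of the file; the old text
# referenced an undefined ${progname} and printed an empty program name.
ssh_host_config_usage() {
  echo "usage: ${PROGNAME} [OPTION]..."
  echo
  echo "This script creates an OpenSSH host configuration."
  echo
  echo "Options:"
  echo "  --debug  -d            Enable shell's debug output."
  echo "  --yes    -y            Answer all questions with \"yes\" automatically."
  echo "  --no     -n            Answer all questions with \"no\" automatically."
  echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
  echo "  --port   -p <n>        sshd listens on port n."
  echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
  echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
  echo "  --privileged           On Windows XP, require privileged user"
  echo "                         instead of LocalSystem for sshd service."
  echo
  exit 1
}

# Abort with the usage text when an option that takes a value got none.
# Without this, "-p" as the last argument silently left port_number empty
# and a bare "Port " line ended up in the generated config files.
# Arguments: $1 - option as typed, $2 - number of arguments still unparsed
ssh_host_config_need_arg() {
  if [ "$2" -eq 0 ]
  then
    echo "${PROGNAME}: option '$1' requires an argument" >&2
    ssh_host_config_usage
  fi
}

while [ $# -gt 0 ]
do
  option=$1
  shift

  case "${option}" in
  -d | --debug )
    # NOTE: 'set -x' echoes every command line that follows, including the
    # cygrunsrv call in install_service that receives the -w password.
    # Do not combine --debug with --pwd where the output may be captured.
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    opt_force=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    opt_force=yes
    ;;

  -c | --cygwin )
    ssh_host_config_need_arg "${option}" $#
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    ssh_host_config_need_arg "${option}" $#
    # Accept only a decimal TCP port; the value is later written verbatim
    # as "Port <value>" into ssh_config (below) and sshd_config.
    case "$1" in
    '' | *[!0-9]* )
      echo "${PROGNAME}: port must be a number between 1 and 65535, got '$1'" >&2
      exit 1
      ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]
    then
      echo "${PROGNAME}: port must be a number between 1 and 65535, got '$1'" >&2
      exit 1
    fi
    port_number=$1
    shift
    ;;

  -u | --user )
    ssh_host_config_need_arg "${option}" $#
    user_account="$1"
    shift
    ;;

  -w | --pwd )
    # A password given on the command line is visible to other local users
    # through the process list while the script runs, and is kept in the
    # shell history.  Prefer the interactive prompt when that matters.
    ssh_host_config_need_arg "${option}" $#
    password_value="$1"
    shift
    ;;

  --privileged )
    csih_FORCE_PRIVILEGED_USER=yes
    ;;

  * )
    ssh_host_config_usage
    ;;
  esac
done

# ======================================================================
# Action!
# ======================================================================

# Refuse to touch anything while ssh or sshd processes are still running;
# host keys and config files must not change under a live server.  This is
# a textual match on the command column of 'ps -ef' (".../ssh" or
# ".../sshd" at end of line).  csih_error terminates the script.
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Installing the service and fixing ACLs below needs an elevated token.
# RID 544 is BUILTIN\Administrators (S-1-5-32-544); under UAC it only
# appears in 'id -G' for an elevated shell, not merely for an admin account.
admin=no
if /usr/bin/id -G | /usr/bin/grep -Eq '\<544\>'
then
  admin=yes
fi
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  # Resolve every numeric gid in the token to its name via /etc/group
  # (name:SID:gid:members); the gid is passed with -v, not interpolated
  # into the awk program.
  for gid in $(/usr/bin/id -G)
  do
    /usr/bin/awk -F: -v gid="${gid}" '$3 == gid { print "    " $1 }' /etc/group
  done
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
  echo
  csih_warning "Make sure you have the appropriate privileges right now,"
  csih_warning "otherwise parts of this script will probably fail!"
  echo
  echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
  if ! csih_request "you have the required privileges)"
  then
    echo
    csih_inform "Ok. Exiting.  Make sure to switch to an administrative account"
    csih_inform "or to start this script from an elevated shell."
    exit 1
  fi
fi

echo

# Number of non-fatal problems seen; doubles as the exit status.
warning_cnt=0

# ${SYSCONFDIR} (/etc): group-writable, plus an explicit rwx ACE for SYSTEM
# because the sshd service is installed under LocalSystem by default (see
# install_service) and must be able to read its configuration there.
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
  warning_cnt=$((warning_cnt + 1))
fi
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
then
  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
  warning_cnt=$((warning_cnt + 1))
fi

# ${LOCALSTATEDIR}/log: same permission scheme, so the service can write
# its log files.
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
  warning_cnt=$((warning_cnt + 1))
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
  warning_cnt=$((warning_cnt + 1))
fi

# lastlog must be a regular file; anything else in its place (a directory,
# a symlink target that is not a file) is a hard error rather than
# something to silently replace.
lastlog_file="${LOCALSTATEDIR}/log/lastlog"
if [ -e "${lastlog_file}" ] && [ ! -f "${lastlog_file}" ]
then
  echo
  csih_error_multi "${lastlog_file} exists, but is not a file." \
                   "Cannot create ssh host configuration."
fi
if [ ! -e "${lastlog_file}" ]
then
  # Create it empty; world-readable is enough, only sshd needs to write it.
  /usr/bin/cat /dev/null > "${lastlog_file}"
  if ! /usr/bin/chmod 644 "${lastlog_file}" >/dev/null 2>&1
  then
    csih_warning "Can't set permissions on ${lastlog_file}!"
    warning_cnt=$((warning_cnt + 1))
  fi
fi

# ${LOCALSTATEDIR}/empty is the chroot jail for privilege separation.  It
# stays non-writable for everyone but the owner (755); only SYSTEM gets an
# extra rwx ACE for the service account.
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  warning_cnt=$((warning_cnt + 1))
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
  warning_cnt=$((warning_cnt + 1))
fi

# Host keys (create_host_keys reports its own problem count as its status).
create_host_keys || warning_cnt=$((warning_cnt + $?))

# Client config.  Only if ssh_config is still identical to the shipped
# default do we append a "Host localhost" stanza for a non-standard port;
# a file the admin already edited is left alone.  port_number is expected
# to have been initialised to 22 earlier in the file (not visible here).
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    echo "Host localhost" >> "${SYSCONFDIR}/ssh_config"
    echo "    Port ${port_number}" >> "${SYSCONFDIR}/ssh_config"
  fi
fi

# Server config.  If sshd_config differs from the shipped default, remember
# whether the admin already set UsePrivilegeSeparation so sshd_privsep does
# not second-guess that choice.
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
  /usr/bin/grep -q UsePrivilegeSeparation "${SYSCONFDIR}/sshd_config" && privsep_configured=yes
fi
sshd_privsep || warning_cnt=$((warning_cnt + $?))

update_services_file || warning_cnt=$((warning_cnt + $?))
update_inetd_conf || warning_cnt=$((warning_cnt + $?))
install_service || warning_cnt=$((warning_cnt + $?))

echo
if [ "${warning_cnt}" -eq 0 ]
then
  csih_inform "Host configuration finished. Have fun!"
else
  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
  csih_warning "Make sure that all problems reported are fixed,"
  csih_warning "then re-run ssh-host-config."
fi
exit "${warning_cnt}"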