xref: /freebsd/crypto/openssh/contrib/cygwin/ssh-host-config (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1#!/bin/bash
2#
3# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
4#
5# This file is part of the Cygwin port of OpenSSH.
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
13# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
14# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
17# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
18
19# ======================================================================
20# Initialization
21# ======================================================================
22
23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
24
25# List of apps used.  This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29  /usr/bin/basename coreutils
30  /usr/bin/cat coreutils
31  /usr/bin/chmod coreutils
32  /usr/bin/dirname coreutils
33  /usr/bin/id coreutils
34  /usr/bin/mv coreutils
35  /usr/bin/rm coreutils
36  /usr/bin/cygpath cygwin
37  /usr/bin/mount cygwin
38  /usr/bin/ps cygwin
39  /usr/bin/setfacl cygwin
40  /usr/bin/umount cygwin
41  /usr/bin/cmp diffutils
42  /usr/bin/grep grep
43  /usr/bin/awk gawk
44  /usr/bin/ssh-keygen openssh
45  /usr/sbin/sshd openssh
46  /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
55# Subdirectory where the new package is being installed
56PREFIX=/usr
57
58# Directory where the config files are stored
59SYSCONFDIR=/etc
60LOCALSTATEDIR=/var
61
62port_number=22
63privsep_configured=no
64privsep_used=yes
65cygwin_value=""
66user_account=
67password_value=
68opt_force=no
69
70# ======================================================================
71# Routine: update_services_file
72# ======================================================================
73update_services_file() {
74  local _my_etcdir="/ssh-host-config.$$"
75  local _win_etcdir
76  local _services
77  local _spaces
78  local _serv_tmp
79  local _wservices
80  local ret=0
81
82  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
83  _services="${_my_etcdir}/services"
84  _spaces="                           #"
85  _serv_tmp="${_my_etcdir}/srv.out.$$"
86
87  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
88
89  # Depends on the above mount
90  _wservices=`cygpath -w "${_services}"`
91
92  # Remove sshd 22/port from services
93  if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
94  then
95    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
96    if [ -f "${_serv_tmp}" ]
97    then
98      if /usr/bin/mv "${_serv_tmp}" "${_services}"
99      then
100	csih_inform "Removing sshd from ${_wservices}"
101      else
102	csih_warning "Removing sshd from ${_wservices} failed!"
103	let ++ret
104      fi
105      /usr/bin/rm -f "${_serv_tmp}"
106    else
107      csih_warning "Removing sshd from ${_wservices} failed!"
108      let ++ret
109    fi
110  fi
111
112  # Add ssh 22/tcp  and ssh 22/udp to services
113  if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
114  then
115    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
116    then
117      if /usr/bin/mv "${_serv_tmp}" "${_services}"
118      then
119	csih_inform "Added ssh to ${_wservices}"
120      else
121	csih_warning "Adding ssh to ${_wservices} failed!"
122	let ++ret
123      fi
124      /usr/bin/rm -f "${_serv_tmp}"
125    else
126      csih_warning "Adding ssh to ${_wservices} failed!"
127      let ++ret
128    fi
129  fi
130  /usr/bin/umount "${_my_etcdir}"
131  return $ret
132} # --- End of update_services_file --- #
133
134# ======================================================================
135# Routine: sshd_privsep
136#  MODIFIES: privsep_configured  privsep_used
137# ======================================================================
138sshd_privsep() {
139  local sshdconfig_tmp
140  local ret=0
141
142  if [ "${privsep_configured}" != "yes" ]
143  then
144    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
145    csih_inform "However, this requires a non-privileged account called 'sshd'."
146    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
147    if csih_request "Should privilege separation be used?"
148    then
149      privsep_used=yes
150      if ! csih_create_unprivileged_user sshd
151      then
152	csih_error_recoverable "Couldn't create user 'sshd'!"
153	csih_error_recoverable "Privilege separation set to 'no' again!"
154	csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
155	let ++ret
156	privsep_used=no
157      fi
158    else
159      privsep_used=no
160    fi
161  fi
162
163  # Create default sshd_config from skeleton files in /etc/defaults/etc or
164  # modify to add the missing privsep configuration option
165  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
166  then
167    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
168    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
169    /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
170  	  s/^#Port 22/Port ${port_number}/
171  	  s/^#StrictModes yes/StrictModes no/" \
172	< ${SYSCONFDIR}/sshd_config \
173	> "${sshdconfig_tmp}"
174    if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
175    then
176	csih_warning "Setting privilege separation to 'yes' failed!"
177	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
178	let ++ret
179    fi
180  elif [ "${privsep_configured}" != "yes" ]
181  then
182    echo >> ${SYSCONFDIR}/sshd_config
183    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
184    then
185	csih_warning "Setting privilege separation to 'yes' failed!"
186	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
187	let ++ret
188    fi
189  fi
190  return $ret
191} # --- End of sshd_privsep --- #
192
193# ======================================================================
194# Routine: update_inetd_conf
195# ======================================================================
196update_inetd_conf() {
197  local _inetcnf="${SYSCONFDIR}/inetd.conf"
198  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
199  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
200  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
201  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
202  local _with_comment=1
203  local ret=0
204
205  if [ -d "${_inetcnf_dir}" ]
206  then
207    # we have inetutils-1.5 inetd.d support
208    if [ -f "${_inetcnf}" ]
209    then
210      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
211
212      # check for sshd OR ssh in top-level inetd.conf file, and remove
213      # will be replaced by a file in inetd.d/
214      if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
215      then
216	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
217	if [ -f "${_inetcnf_tmp}" ]
218	then
219	  if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
220	  then
221  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
222	  else
223  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
224	    let ++ret
225	  fi
226	  /usr/bin/rm -f "${_inetcnf_tmp}"
227	else
228	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
229	  let ++ret
230	fi
231      fi
232    fi
233
234    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
235    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
236    then
237      if [ "${_with_comment}" -eq 0 ]
238      then
239	/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
240      else
241	/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
242      fi
243      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
244      then
245	csih_inform "Updated ${_sshd_inetd_conf}"
246      else
247	csih_warning "Updating ${_sshd_inetd_conf} failed!"
248	let ++ret
249      fi
250    fi
251
252  elif [ -f "${_inetcnf}" ]
253  then
254    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
255
256    # check for sshd in top-level inetd.conf file, and remove
257    # will be replaced by a file in inetd.d/
258    if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
259    then
260      /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
261      if [ -f "${_inetcnf_tmp}" ]
262      then
263	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
264	then
265	    csih_inform "Removed sshd from ${_inetcnf}"
266	else
267	    csih_warning "Removing sshd from ${_inetcnf} failed!"
268	    let ++ret
269	fi
270	/usr/bin/rm -f "${_inetcnf_tmp}"
271      else
272	csih_warning "Removing sshd from ${_inetcnf} failed!"
273	let ++ret
274      fi
275    fi
276
277    # Add ssh line to inetd.conf
278    if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
279    then
280      if [ "${_with_comment}" -eq 0 ]
281      then
282	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
283      else
284	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
285      fi
286      if [ $? -eq 0 ]
287      then
288	csih_inform "Added ssh to ${_inetcnf}"
289      else
290	csih_warning "Adding ssh to ${_inetcnf} failed!"
291	let ++ret
292      fi
293    fi
294  fi
295  return $ret
296} # --- End of update_inetd_conf --- #
297
298# ======================================================================
299# Routine: check_service_files_ownership
300#   Checks that the files in /etc and /var belong to the right owner
301# ======================================================================
302check_service_files_ownership() {
303  local run_service_as=$1
304  local ret=0
305
306  if [ -z "${run_service_as}" ]
307  then
308    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
309    if [ "${accnt_name}" = "LocalSystem" ]
310    then
311      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
312      accnt_name="SYSTEM:"
313    elif [[ "${accnt_name}" =~ ^\.\\ ]]
314    then
315      # Convert "." domain to local machine name
316      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
317    fi
318    run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
319    if [ -z "${run_service_as}" ]
320    then
321      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
322      csih_warning "As a result, this script cannot make sure that the files used"
323      csih_warning "by the sshd service belong to the user running the service."
324      csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
325      csih_warning "file is in a good shape."
326      return 1
327    fi
328  fi
329  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
330  do
331    if [ -f "$i" ]
332    then
333      if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
334      then
335	csih_warning "Couldn't change owner of $i!"
336	let ++ret
337      fi
338    fi
339  done
340  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
341  then
342    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
343    let ++ret
344  fi
345  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
346  then
347    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
348    let ++ret
349  fi
350  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
351  then
352    if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
353    then
354      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
355      let ++ret
356    fi
357  fi
358  if [ $ret -ne 0 ]
359  then
360    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
361    csih_warning "This may cause the sshd service to fail!  Please make sure that"
362    csih_warning "you have suufficient permissions to change the ownership of files"
363    csih_warning "and try to run the ssh-host-config script again."
364  fi
365  return $ret
366} # --- End of check_service_files_ownership --- #
367
368# ======================================================================
369# Routine: install_service
370#   Install sshd as a service
371# ======================================================================
372install_service() {
373  local run_service_as
374  local password
375  local ret=0
376
377  echo
378  if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
379  then
380    csih_inform "Sshd service is already installed."
381    check_service_files_ownership "" || let ret+=$?
382  else
383    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
384    if csih_request "(Say \"no\" if it is already installed as a service)"
385    then
386      csih_get_cygenv "${cygwin_value}"
387
388      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
389      then
390	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
391	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
392	csih_inform "sshd requires.  You need to have or to create a privileged"
393	csih_inform "account.  This script will help you do so."
394	echo
395
396	[ "${opt_force}" = "yes" ] && opt_f=-f
397	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
398	csih_select_privileged_username ${opt_f} ${opt_u} sshd
399
400	if ! csih_create_privileged_user "${password_value}"
401	then
402	  csih_error_recoverable "There was a serious problem creating a privileged user."
403	  csih_request "Do you want to proceed anyway?" || exit 1
404	  let ++ret
405	fi
406      fi
407
408      # Never returns empty if NT or above
409      run_service_as=$(csih_service_should_run_as)
410
411      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
412      then
413	password="${csih_PRIVILEGED_PASSWORD}"
414	if [ -z "${password}" ]
415	then
416	  csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
417	  password="${csih_value}"
418	fi
419      fi
420
421      # At this point, we either have $run_service_as = "system" and
422      # $password is empty, or $run_service_as is some privileged user and
423      # (hopefully) $password contains the correct password.  So, from here
424      # out, we use '-z "${password}"' to discriminate the two cases.
425
426      csih_check_user "${run_service_as}"
427
428      if [ -n "${csih_cygenv}" ]
429      then
430	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
431      fi
432      if [ -z "${password}" ]
433      then
434	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
435			      -a "-D" -y tcpip "${cygwin_env[@]}"
436	then
437	  echo
438	  csih_inform "The sshd service has been installed under the LocalSystem"
439	  csih_inform "account (also known as SYSTEM). To start the service now, call"
440	  csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
441	  csih_inform "will start automatically after the next reboot."
442	fi
443      else
444	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
445			      -a "-D" -y tcpip "${cygwin_env[@]}" \
446			      -u "${run_service_as}" -w "${password}"
447	then
448	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
449	  echo
450	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
451	  csih_inform "account.  To start the service now, call \`net start sshd' or"
452	  csih_inform "\`cygrunsrv -S sshd'.  Otherwise, it will start automatically"
453	  csih_inform "after the next reboot."
454	fi
455      fi
456
457      if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
458      then
459	check_service_files_ownership "${run_service_as}" || let ret+=$?
460      else
461	csih_error_recoverable "Installing sshd as a service failed!"
462	let ++ret
463      fi
464    fi # user allowed us to install as service
465  fi # service not yet installed
466  return $ret
467} # --- End of install_service --- #
468
469# ======================================================================
470# Main Entry Point
471# ======================================================================
472
473# Check how the script has been started.  If
474#   (1) it has been started by giving the full path and
475#       that path is /etc/postinstall, OR
476#   (2) Otherwise, if the environment variable
477#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
478# then set auto_answer to "no".  This allows automatic
479# creation of the config files in /etc w/o overwriting
480# them if they already exist.  In both cases, color
481# escape sequences are suppressed, so as to prevent
482# cluttering setup's logfiles.
483if [ "$PROGDIR" = "/etc/postinstall" ]
484then
485  csih_auto_answer="no"
486  csih_disable_color
487  opt_force=yes
488fi
489if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
490then
491  csih_auto_answer="no"
492  csih_disable_color
493  opt_force=yes
494fi
495
496# ======================================================================
497# Parse options
498# ======================================================================
499while :
500do
501  case $# in
502  0)
503    break
504    ;;
505  esac
506
507  option=$1
508  shift
509
510  case "${option}" in
511  -d | --debug )
512    set -x
513    csih_trace_on
514    ;;
515
516  -y | --yes )
517    csih_auto_answer=yes
518    opt_force=yes
519    ;;
520
521  -n | --no )
522    csih_auto_answer=no
523    opt_force=yes
524    ;;
525
526  -c | --cygwin )
527    cygwin_value="$1"
528    shift
529    ;;
530
531  -p | --port )
532    port_number=$1
533    shift
534    ;;
535
536  -u | --user )
537    user_account="$1"
538    shift
539    ;;
540
541  -w | --pwd )
542    password_value="$1"
543    shift
544    ;;
545
546  --privileged )
547    csih_FORCE_PRIVILEGED_USER=yes
548    ;;
549
550  *)
551    echo "usage: ${progname} [OPTION]..."
552    echo
553    echo "This script creates an OpenSSH host configuration."
554    echo
555    echo "Options:"
556    echo "  --debug  -d            Enable shell's debug output."
557    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
558    echo "  --no     -n            Answer all questions with \"no\" automatically."
559    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
560    echo "  --port   -p <n>        sshd listens on port n."
561    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
562    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
563    echo "  --privileged           On Windows XP, require privileged user"
564    echo "                         instead of LocalSystem for sshd service."
565    echo
566    exit 1
567    ;;
568
569  esac
570done
571
572# ======================================================================
573# Action!
574# ======================================================================
575
576# Check for running ssh/sshd processes first. Refuse to do anything while
577# some ssh processes are still running
578if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
579then
580  echo
581  csih_error "There are still ssh processes running. Please shut them down first."
582fi
583
584# Make sure the user is running in an administrative context
585admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
586if [ "${admin}" != "yes" ]
587then
588  echo
589  csih_warning "Running this script typically requires administrator privileges!"
590  csih_warning "However, it seems your account does not have these privileges."
591  csih_warning "Here's the list of groups in your user token:"
592  echo
593  for i in $(/usr/bin/id -G)
594  do
595    /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \"    \" \$1; }" /etc/group
596  done
597  echo
598  csih_warning "This usually means you're running this script from a non-admin"
599  csih_warning "desktop session, or in a non-elevated shell under UAC control."
600  echo
601  csih_warning "Make sure you have the appropriate privileges right now,"
602  csih_warning "otherwise parts of this script will probably fail!"
603  echo
604  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
605  if ! csih_request "you have the required privileges)"
606  then
607    echo
608    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
609    csih_inform "or to start this script from an elevated shell."
610    exit 1
611  fi
612fi
613
614echo
615
616warning_cnt=0
617
618# Check for ${SYSCONFDIR} directory
619csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
620if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
621then
622  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
623  let ++warning_cnt
624fi
625if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
626then
627  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
628  let ++warning_cnt
629fi
630
631# Check for /var/log directory
632csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
633if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
634then
635  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
636  let ++warning_cnt
637fi
638if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
639then
640  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
641  let ++warning_cnt
642fi
643
644# Create /var/log/lastlog if not already exists
645if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
646then
647  echo
648  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
649		   "Cannot create ssh host configuration."
650fi
651if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
652then
653  /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
654  if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
655  then
656    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
657    let ++warning_cnt
658  fi
659fi
660
661# Create /var/empty file used as chroot jail for privilege separation
662csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
663if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
664then
665  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
666  let ++warning_cnt
667fi
668if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
669then
670  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
671  let ++warning_cnt
672fi
673
674# generate missing host keys
675/usr/bin/ssh-keygen -A || let warning_cnt+=$?
676
677# handle ssh_config
678csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
679if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
680then
681  if [ "${port_number}" != "22" ]
682  then
683    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
684    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
685    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
686  fi
687fi
688
689# handle sshd_config (and privsep)
690csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
691if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
692then
693  /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
694fi
695sshd_privsep || let warning_cnt+=$?
696
697update_services_file || let warning_cnt+=$?
698update_inetd_conf || let warning_cnt+=$?
699install_service || let warning_cnt+=$?
700
701echo
702if [ $warning_cnt -eq 0 ]
703then
704  csih_inform "Host configuration finished. Have fun!"
705else
706  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
707  csih_warning "Make sure that all problems reported are fixed,"
708  csih_warning "then re-run ssh-host-config."
709fi
710exit $warning_cnt
711