2003-11-13 00:28:49 +00:00
|
|
|
#!/bin/bash
|
2000-10-29 19:18:49 +00:00
|
|
|
#
|
2003-11-13 00:28:49 +00:00
|
|
|
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
|
2000-10-29 19:18:49 +00:00
|
|
|
#
|
|
|
|
# This file is part of the Cygwin port of OpenSSH.
|
|
|
|
|
|
|
|
# Subdirectory where the new package is being installed
|
|
|
|
PREFIX=/usr
|
|
|
|
|
|
|
|
# Directory where the config files are stored
|
|
|
|
SYSCONFDIR=/etc
|
2003-11-13 00:28:49 +00:00
|
|
|
LOCALSTATEDIR=/var
|
2000-10-29 19:18:49 +00:00
|
|
|
|
2001-01-19 05:37:32 +00:00
|
|
|
progname=$0
|
|
|
|
auto_answer=""
|
2001-03-07 10:38:19 +00:00
|
|
|
port_number=22
|
2001-01-19 05:37:32 +00:00
|
|
|
|
2002-07-03 23:33:19 +00:00
|
|
|
privsep_configured=no
|
|
|
|
privsep_used=yes
|
|
|
|
sshd_in_passwd=no
|
|
|
|
sshd_in_sam=no
|
|
|
|
|
2000-10-29 19:18:49 +00:00
|
|
|
request()
|
|
|
|
{
|
2001-01-19 05:37:32 +00:00
|
|
|
if [ "${auto_answer}" = "yes" ]
|
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "$1 (yes/no) yes"
|
2001-01-19 05:37:32 +00:00
|
|
|
return 0
|
|
|
|
elif [ "${auto_answer}" = "no" ]
|
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "$1 (yes/no) no"
|
2001-01-19 05:37:32 +00:00
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
|
2000-10-29 19:18:49 +00:00
|
|
|
answer=""
|
|
|
|
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
|
|
|
|
do
|
|
|
|
echo -n "$1 (yes/no) "
|
2003-11-13 00:28:49 +00:00
|
|
|
read -e answer
|
2000-10-29 19:18:49 +00:00
|
|
|
done
|
|
|
|
if [ "X${answer}" = "Xyes" ]
|
|
|
|
then
|
|
|
|
return 0
|
|
|
|
else
|
|
|
|
return 1
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2001-01-19 05:37:32 +00:00
|
|
|
# Check options
|
|
|
|
|
|
|
|
while :
|
|
|
|
do
|
|
|
|
case $# in
|
|
|
|
0)
|
|
|
|
break
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
option=$1
|
|
|
|
shift
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
case "${option}" in
|
2001-01-19 05:37:32 +00:00
|
|
|
-d | --debug )
|
|
|
|
set -x
|
|
|
|
;;
|
|
|
|
|
|
|
|
-y | --yes )
|
|
|
|
auto_answer=yes
|
|
|
|
;;
|
|
|
|
|
|
|
|
-n | --no )
|
|
|
|
auto_answer=no
|
|
|
|
;;
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
-c | --cygwin )
|
|
|
|
cygwin_value="$1"
|
|
|
|
shift
|
|
|
|
;;
|
|
|
|
|
2001-03-07 10:38:19 +00:00
|
|
|
-p | --port )
|
|
|
|
port_number=$1
|
|
|
|
shift
|
|
|
|
;;
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
-w | --pwd )
|
|
|
|
password_value="$1"
|
|
|
|
shift
|
|
|
|
;;
|
|
|
|
|
2001-01-19 05:37:32 +00:00
|
|
|
*)
|
|
|
|
echo "usage: ${progname} [OPTION]..."
|
|
|
|
echo
|
|
|
|
echo "This script creates an OpenSSH host configuration."
|
|
|
|
echo
|
|
|
|
echo "Options:"
|
2003-11-13 00:28:49 +00:00
|
|
|
echo " --debug -d Enable shell's debug output."
|
|
|
|
echo " --yes -y Answer all questions with \"yes\" automatically."
|
|
|
|
echo " --no -n Answer all questions with \"no\" automatically."
|
|
|
|
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
|
|
|
|
echo " --port -p <n> sshd listens on port n."
|
|
|
|
echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
|
2001-01-19 05:37:32 +00:00
|
|
|
echo
|
|
|
|
exit 1
|
|
|
|
;;
|
|
|
|
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
|
2002-07-03 23:33:19 +00:00
|
|
|
# Check if running on NT
|
2003-11-13 00:28:49 +00:00
|
|
|
_sys="`uname`"
|
|
|
|
_nt=`expr "${_sys}" : "CYGWIN_NT"`
|
|
|
|
# If running on NT, check if running under 2003 Server or later
|
|
|
|
if [ ${_nt} -gt 0 ]
|
|
|
|
then
|
|
|
|
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
|
|
|
|
fi
|
2002-07-03 23:33:19 +00:00
|
|
|
|
2000-10-29 19:18:49 +00:00
|
|
|
# Check for running ssh/sshd processes first. Refuse to do anything while
|
|
|
|
# some ssh processes are still running
|
|
|
|
|
|
|
|
if ps -ef | grep -v grep | grep -q ssh
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "There are still ssh processes running. Please shut them down first."
|
|
|
|
echo
|
2002-07-07 21:07:46 +00:00
|
|
|
exit 1
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
# Check for ${SYSCONFDIR} directory
|
|
|
|
|
|
|
|
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "${SYSCONFDIR} is existant but not a directory."
|
|
|
|
echo "Cannot create global configuration files."
|
|
|
|
echo
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Create it if necessary
|
|
|
|
|
|
|
|
if [ ! -e "${SYSCONFDIR}" ]
|
|
|
|
then
|
|
|
|
mkdir "${SYSCONFDIR}"
|
|
|
|
if [ ! -e "${SYSCONFDIR}" ]
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "Creating ${SYSCONFDIR} directory failed"
|
|
|
|
echo
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2002-07-03 23:33:19 +00:00
|
|
|
# Create /var/log and /var/log/lastlog if not already existing
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ -f ${LOCALSTATEDIR}/log ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "Creating ${LOCALSTATEDIR}/log failed!"
|
2002-07-03 23:33:19 +00:00
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ ! -d ${LOCALSTATEDIR}/log ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
mkdir -p ${LOCALSTATEDIR}/log
|
2002-07-03 23:33:19 +00:00
|
|
|
fi
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
chmod 777 ${LOCALSTATEDIR}/log/lastlog
|
|
|
|
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
|
|
|
|
chmod 666 ${LOCALSTATEDIR}/log/lastlog
|
2002-07-03 23:33:19 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Create /var/empty file used as chroot jail for privilege separation
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ -f ${LOCALSTATEDIR}/empty ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "Creating ${LOCALSTATEDIR}/empty failed!"
|
2002-07-03 23:33:19 +00:00
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
mkdir -p ${LOCALSTATEDIR}/empty
|
|
|
|
if [ ${_nt} -gt 0 ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
chmod 755 ${LOCALSTATEDIR}/empty
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
# First generate host keys if not already existing
|
|
|
|
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
|
|
|
|
then
|
|
|
|
echo "Generating ${SYSCONFDIR}/ssh_host_key"
|
2001-01-19 05:37:32 +00:00
|
|
|
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
|
|
|
|
then
|
|
|
|
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
|
|
|
|
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
|
|
|
|
then
|
|
|
|
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
|
2001-01-19 05:37:32 +00:00
|
|
|
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
# Check if ssh_config exists. If yes, ask for overwriting
|
|
|
|
|
|
|
|
if [ -f "${SYSCONFDIR}/ssh_config" ]
|
|
|
|
then
|
|
|
|
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
|
|
|
|
then
|
|
|
|
rm -f "${SYSCONFDIR}/ssh_config"
|
|
|
|
if [ -f "${SYSCONFDIR}/ssh_config" ]
|
|
|
|
then
|
|
|
|
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
# Create default ssh_config from skeleton file in /etc/defaults/etc
|
2000-10-29 19:18:49 +00:00
|
|
|
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
|
|
|
|
then
|
2001-01-19 05:37:32 +00:00
|
|
|
echo "Generating ${SYSCONFDIR}/ssh_config file"
|
2003-11-13 00:28:49 +00:00
|
|
|
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
|
|
|
|
if [ "${port_number}" != "22" ]
|
2001-03-07 10:38:19 +00:00
|
|
|
then
|
|
|
|
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
|
2003-11-13 00:28:49 +00:00
|
|
|
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
|
2001-03-07 10:38:19 +00:00
|
|
|
fi
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
# Check if sshd_config exists. If yes, ask for overwriting
|
|
|
|
|
|
|
|
if [ -f "${SYSCONFDIR}/sshd_config" ]
|
|
|
|
then
|
|
|
|
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
|
|
|
|
then
|
|
|
|
rm -f "${SYSCONFDIR}/sshd_config"
|
|
|
|
if [ -f "${SYSCONFDIR}/sshd_config" ]
|
|
|
|
then
|
|
|
|
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
|
|
|
|
fi
|
2002-07-03 23:33:19 +00:00
|
|
|
else
|
|
|
|
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Prior to creating or modifying sshd_config, care for privilege separation
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ "${privsep_configured}" != "yes" ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ ${_nt} -gt 0 ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
|
|
|
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
|
|
|
|
echo "However, this requires a non-privileged account called 'sshd'."
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
|
2002-07-03 23:33:19 +00:00
|
|
|
echo
|
2003-11-13 00:28:49 +00:00
|
|
|
if request "Should privilege separation be used?"
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
|
|
|
privsep_used=yes
|
|
|
|
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
|
|
|
|
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ "${sshd_in_passwd}" != "yes" ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-21 12:48:55 +00:00
|
|
|
if [ "${sshd_in_sam}" != "yes" ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
|
|
|
echo "Warning: The following function requires administrator privileges!"
|
2003-11-13 00:28:49 +00:00
|
|
|
if request "Should this script create a local user 'sshd' on this machine?"
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
|
|
|
|
net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
|
|
|
|
if [ "${sshd_in_sam}" != "yes" ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
|
|
|
echo "Warning: Creating the user 'sshd' failed!"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ "${sshd_in_sam}" != "yes" ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
|
|
|
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
|
|
|
|
echo " Privilege separation set to 'no' again!"
|
|
|
|
echo " Check your ${SYSCONFDIR}/sshd_config file!"
|
|
|
|
privsep_used=no
|
|
|
|
else
|
2002-07-07 21:07:46 +00:00
|
|
|
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
|
2002-07-03 23:33:19 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
privsep_used=no
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
# On 9x don't use privilege separation. Since security isn't
|
2003-11-13 00:28:49 +00:00
|
|
|
# available it just adds useless additional processes.
|
2002-07-03 23:33:19 +00:00
|
|
|
privsep_used=no
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2003-11-13 00:28:49 +00:00
|
|
|
# Create default sshd_config from skeleton files in /etc/defaults/etc or
|
|
|
|
# modify to add the missing privsep configuration option
|
2000-10-29 19:18:49 +00:00
|
|
|
|
|
|
|
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
|
|
|
|
then
|
2001-01-19 05:37:32 +00:00
|
|
|
echo "Generating ${SYSCONFDIR}/sshd_config file"
|
2003-11-13 00:28:49 +00:00
|
|
|
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
|
|
|
|
s/^#Port 22/Port ${port_number}/
|
|
|
|
s/^#StrictModes yes/StrictModes no/" \
|
|
|
|
< ${SYSCONFDIR}/defaults/etc/sshd_config \
|
|
|
|
> ${SYSCONFDIR}/sshd_config
|
|
|
|
elif [ "${privsep_configured}" != "yes" ]
|
2002-07-03 23:33:19 +00:00
|
|
|
then
|
|
|
|
echo >> ${SYSCONFDIR}/sshd_config
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
|
2001-03-07 10:38:19 +00:00
|
|
|
# Care for services file
|
2003-11-03 07:59:29 +00:00
|
|
|
_my_etcdir="/ssh-host-config.$$"
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ ${_nt} -gt 0 ]
|
2000-10-29 19:18:49 +00:00
|
|
|
then
|
2003-11-03 07:59:29 +00:00
|
|
|
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
|
|
|
|
_services="${_my_etcdir}/services"
|
2003-11-13 00:28:49 +00:00
|
|
|
# On NT, 27 spaces, no space after the hash
|
|
|
|
_spaces=" #"
|
2001-01-19 05:37:32 +00:00
|
|
|
else
|
2003-11-03 07:59:29 +00:00
|
|
|
_win_etcdir="${WINDIR}"
|
|
|
|
_services="${_my_etcdir}/SERVICES"
|
2003-11-13 00:28:49 +00:00
|
|
|
# On 9x, 18 spaces (95 is very touchy), a space after the hash
|
|
|
|
_spaces=" # "
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
2003-11-03 07:59:29 +00:00
|
|
|
_serv_tmp="${_my_etcdir}/srv.out.$$"
|
2000-10-29 19:18:49 +00:00
|
|
|
|
2003-11-03 07:59:29 +00:00
|
|
|
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
|
|
|
|
|
|
|
|
# Depends on the above mount
|
|
|
|
_wservices=`cygpath -w "${_services}"`
|
2001-03-07 10:38:19 +00:00
|
|
|
|
|
|
|
# Remove sshd 22/port from services
|
|
|
|
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
|
|
|
then
|
|
|
|
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
|
|
|
if [ -f "${_serv_tmp}" ]
|
2003-11-21 12:48:55 +00:00
|
|
|
then
|
2001-03-07 10:38:19 +00:00
|
|
|
if mv "${_serv_tmp}" "${_services}"
|
|
|
|
then
|
2003-11-03 07:59:29 +00:00
|
|
|
echo "Removing sshd from ${_wservices}"
|
2001-03-07 10:38:19 +00:00
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "Removing sshd from ${_wservices} failed!"
|
2003-11-21 12:48:55 +00:00
|
|
|
fi
|
2001-03-07 10:38:19 +00:00
|
|
|
rm -f "${_serv_tmp}"
|
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "Removing sshd from ${_wservices} failed!"
|
2001-03-07 10:38:19 +00:00
|
|
|
fi
|
|
|
|
fi
|
2000-10-29 19:18:49 +00:00
|
|
|
|
2001-03-07 10:38:19 +00:00
|
|
|
# Add ssh 22/tcp and ssh 22/udp to services
|
|
|
|
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
2000-10-29 19:18:49 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
2000-10-29 19:18:49 +00:00
|
|
|
then
|
2001-01-19 05:37:32 +00:00
|
|
|
if mv "${_serv_tmp}" "${_services}"
|
|
|
|
then
|
2003-11-03 07:59:29 +00:00
|
|
|
echo "Added ssh to ${_wservices}"
|
2001-01-19 05:37:32 +00:00
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "Adding ssh to ${_wservices} failed!"
|
2001-01-19 05:37:32 +00:00
|
|
|
fi
|
|
|
|
rm -f "${_serv_tmp}"
|
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "WARNING: Adding ssh to ${_wservices} failed!"
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2003-11-03 07:59:29 +00:00
|
|
|
umount "${_my_etcdir}"
|
2001-01-19 05:37:32 +00:00
|
|
|
|
2001-03-07 10:38:19 +00:00
|
|
|
# Care for inetd.conf file
|
2002-07-03 23:33:19 +00:00
|
|
|
_inetcnf="${SYSCONFDIR}/inetd.conf"
|
|
|
|
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
|
2001-03-07 10:38:19 +00:00
|
|
|
|
|
|
|
if [ -f "${_inetcnf}" ]
|
2000-10-29 19:18:49 +00:00
|
|
|
then
|
2001-03-07 10:38:19 +00:00
|
|
|
# Check if ssh service is already in use as sshd
|
|
|
|
with_comment=1
|
|
|
|
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
|
|
|
|
# Remove sshd line from inetd.conf
|
|
|
|
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
|
|
|
then
|
|
|
|
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
|
|
|
if [ -f "${_inetcnf_tmp}" ]
|
|
|
|
then
|
|
|
|
if mv "${_inetcnf_tmp}" "${_inetcnf}"
|
|
|
|
then
|
2003-11-21 12:48:55 +00:00
|
|
|
echo "Removed sshd from ${_inetcnf}"
|
2001-03-07 10:38:19 +00:00
|
|
|
else
|
2003-11-21 12:48:55 +00:00
|
|
|
echo "Removing sshd from ${_inetcnf} failed!"
|
2001-03-07 10:38:19 +00:00
|
|
|
fi
|
|
|
|
rm -f "${_inetcnf_tmp}"
|
|
|
|
else
|
2003-11-13 00:28:49 +00:00
|
|
|
echo "Removing sshd from ${_inetcnf} failed!"
|
2001-03-07 10:38:19 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Add ssh line to inetd.conf
|
|
|
|
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
|
|
|
|
then
|
|
|
|
if [ "${with_comment}" -eq 0 ]
|
|
|
|
then
|
2002-04-12 17:44:13 +00:00
|
|
|
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
2001-03-07 10:38:19 +00:00
|
|
|
else
|
2002-04-12 17:44:13 +00:00
|
|
|
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
2001-03-07 10:38:19 +00:00
|
|
|
fi
|
|
|
|
echo "Added ssh to ${_inetcnf}"
|
|
|
|
fi
|
2000-10-29 19:18:49 +00:00
|
|
|
fi
|
|
|
|
|
2001-07-18 16:25:41 +00:00
|
|
|
# On NT ask if sshd should be installed as service
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ ${_nt} -gt 0 ]
|
2001-07-18 16:25:41 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
# But only if it is not already installed
|
|
|
|
if ! cygrunsrv -Q sshd > /dev/null 2>&1
|
2001-07-18 16:25:41 +00:00
|
|
|
then
|
|
|
|
echo
|
2003-11-13 00:28:49 +00:00
|
|
|
echo
|
|
|
|
echo "Warning: The following functions require administrator privileges!"
|
|
|
|
echo
|
|
|
|
echo "Do you want to install sshd as service?"
|
|
|
|
if request "(Say \"no\" if it's already installed as service)"
|
2001-07-18 16:25:41 +00:00
|
|
|
then
|
2003-11-13 00:28:49 +00:00
|
|
|
if [ $_nt2003 -gt 0 ]
|
|
|
|
then
|
|
|
|
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
|
|
|
|
if [ "${sshd_server_in_passwd}" = "yes" ]
|
|
|
|
then
|
|
|
|
# Drop sshd_server from passwd since it could have wrong settings
|
|
|
|
grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
|
|
|
|
rm -f ${SYSCONFDIR}/passwd
|
|
|
|
mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
|
|
|
|
chmod g-w,o-w ${SYSCONFDIR}/passwd
|
|
|
|
fi
|
|
|
|
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
|
|
|
|
if [ "${sshd_server_in_sam}" != "yes" ]
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
|
|
|
|
echo "later systems, it's not possible to use the LocalSystem account"
|
|
|
|
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
|
|
|
|
echo "If you want to enable that functionality, it's required to create a new"
|
|
|
|
echo "account 'sshd_server' with special privileges, which is then used to run"
|
|
|
|
echo "the sshd service under."
|
|
|
|
echo
|
|
|
|
echo "Should this script create a new local account 'sshd_server' which has"
|
|
|
|
if request "the required privileges?"
|
|
|
|
then
|
|
|
|
_admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
|
|
|
|
if [ -z "${_admingroup}" ]
|
|
|
|
then
|
|
|
|
echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
|
|
|
|
echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
|
|
|
|
echo "and restart this script."
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
|
|
|
|
while [ "${sshd_server_in_sam}" != "yes" ]
|
|
|
|
do
|
|
|
|
if [ -n "${password_value}" ]
|
|
|
|
then
|
2003-11-21 12:48:55 +00:00
|
|
|
_password="${password_value}"
|
2003-11-13 00:28:49 +00:00
|
|
|
# Allow to ask for password if first try fails
|
|
|
|
password_value=""
|
|
|
|
else
|
|
|
|
echo
|
|
|
|
echo "Please enter a password for new user 'sshd_server'. Please be sure that"
|
|
|
|
echo "this password matches the password rules given on your system."
|
|
|
|
echo -n "Entering no password will exit the configuration. PASSWORD="
|
|
|
|
read -e _password
|
|
|
|
if [ -z "${_password}" ]
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "Exiting configuration. No user sshd_server has been created,"
|
|
|
|
echo "no sshd service installed."
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
|
|
|
|
if [ "${sshd_server_in_sam}" != "yes" ]
|
|
|
|
then
|
|
|
|
echo "Creating the user 'sshd_server' failed! Reason:"
|
|
|
|
cat /tmp/nu.$$
|
|
|
|
rm /tmp/nu.$$
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
|
|
|
|
if [ "${sshd_server_in_admingroup}" != "yes" ]
|
|
|
|
then
|
|
|
|
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
|
|
|
|
echo "Please add sshd_server to local group ${_admingroup} before"
|
|
|
|
echo "starting the sshd service!"
|
|
|
|
echo
|
|
|
|
fi
|
|
|
|
passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
|
|
|
|
if [ "${passwd_has_expiry_flags}" != "yes" ]
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "WARNING: User sshd_server has password expiry set to system default."
|
|
|
|
echo "Please check that password never expires or set it to your needs."
|
|
|
|
elif ! passwd -e sshd_server
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "WARNING: Setting password expiry for user sshd_server failed!"
|
|
|
|
echo "Please check that password never expires or set it to your needs."
|
|
|
|
fi
|
|
|
|
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
|
|
|
|
editrights -a SeCreateTokenPrivilege -u sshd_server &&
|
|
|
|
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
|
|
|
|
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
|
|
|
|
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
|
|
|
|
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
|
|
|
|
editrights -a SeServiceLogonRight -u sshd_server &&
|
|
|
|
sshd_server_got_all_rights="yes"
|
|
|
|
if [ "${sshd_server_got_all_rights}" != "yes" ]
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
|
|
|
|
echo "Can't create sshd service!"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
echo
|
|
|
|
echo "User 'sshd_server' has been created with password '${_password}'."
|
|
|
|
echo "If you change the password, please keep in mind to change the password"
|
|
|
|
echo "for the sshd service, too."
|
|
|
|
echo
|
|
|
|
echo "Also keep in mind that the user sshd_server needs read permissions on all"
|
|
|
|
echo "users' .ssh/authorized_keys file to allow public key authentication for"
|
|
|
|
echo "these users!. (Re-)running ssh-user-config for each user will set the"
|
|
|
|
echo "required permissions correctly."
|
|
|
|
echo
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
if [ "${sshd_server_in_sam}" = "yes" ]
|
|
|
|
then
|
|
|
|
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
if [ -n "${cygwin_value}" ]
|
|
|
|
then
|
2003-11-21 12:48:55 +00:00
|
|
|
_cygwin="${cygwin_value}"
|
2003-11-13 00:28:49 +00:00
|
|
|
else
|
|
|
|
echo
|
|
|
|
echo "Which value should the environment variable CYGWIN have when"
|
|
|
|
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
|
|
|
|
echo "able to change user context without password."
|
|
|
|
echo -n "Default is \"ntsec\". CYGWIN="
|
|
|
|
read -e _cygwin
|
|
|
|
fi
|
|
|
|
[ -z "${_cygwin}" ] && _cygwin="ntsec"
|
|
|
|
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
|
|
|
|
then
|
|
|
|
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "The service has been installed under sshd_server account."
|
|
|
|
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
|
|
|
|
then
|
|
|
|
echo
|
|
|
|
echo "The service has been installed under LocalSystem account."
|
|
|
|
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
# Now check if sshd has been successfully installed. This allows to
|
|
|
|
# set the ownership of the affected files correctly.
|
|
|
|
if cygrunsrv -Q sshd > /dev/null 2>&1
|
|
|
|
then
|
|
|
|
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
|
|
|
|
then
|
2003-11-21 12:48:55 +00:00
|
|
|
_user="sshd_server"
|
2003-11-13 00:28:49 +00:00
|
|
|
else
|
2003-11-21 12:48:55 +00:00
|
|
|
_user="system"
|
2003-11-13 00:28:49 +00:00
|
|
|
fi
|
|
|
|
chown "${_user}" ${SYSCONFDIR}/ssh*
|
|
|
|
chown "${_user}".544 ${LOCALSTATEDIR}/empty
|
|
|
|
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
|
|
|
|
then
|
|
|
|
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
|
|
|
|
fi
|
2001-07-18 16:25:41 +00:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2000-10-29 19:18:49 +00:00
|
|
|
echo
|
2001-01-19 05:37:32 +00:00
|
|
|
echo "Host configuration finished. Have fun!"
|