mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-16 23:24:38 +00:00
224313cdae
ntsec now default if cygwin version beginning w/ version 56. Patch by Corinna Vinschen <vinschen@redhat.com>
591 lines
15 KiB
Bash
591 lines
15 KiB
Bash
#!/bin/sh
|
|
#
|
|
# ssh-host-config, Copyright 2000, Red Hat Inc.
|
|
#
|
|
# This file is part of the Cygwin port of OpenSSH.
|
|
|
|
# Subdirectory where the new package is being installed
|
|
PREFIX=/usr
|
|
|
|
# Directory where the config files are stored
|
|
SYSCONFDIR=/etc
|
|
|
|
# Subdirectory where an old package might be installed
|
|
OLDPREFIX=/usr/local
|
|
OLDSYSCONFDIR=${OLDPREFIX}/etc
|
|
|
|
progname=$0
|
|
auto_answer=""
|
|
port_number=22
|
|
|
|
privsep_configured=no
|
|
privsep_used=yes
|
|
sshd_in_passwd=no
|
|
sshd_in_sam=no
|
|
|
|
request()
|
|
{
|
|
if [ "${auto_answer}" = "yes" ]
|
|
then
|
|
return 0
|
|
elif [ "${auto_answer}" = "no" ]
|
|
then
|
|
return 1
|
|
fi
|
|
|
|
answer=""
|
|
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
|
|
do
|
|
echo -n "$1 (yes/no) "
|
|
read answer
|
|
done
|
|
if [ "X${answer}" = "Xyes" ]
|
|
then
|
|
return 0
|
|
else
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Check options
|
|
|
|
while :
|
|
do
|
|
case $# in
|
|
0)
|
|
break
|
|
;;
|
|
esac
|
|
|
|
option=$1
|
|
shift
|
|
|
|
case "$option" in
|
|
-d | --debug )
|
|
set -x
|
|
;;
|
|
|
|
-y | --yes )
|
|
auto_answer=yes
|
|
;;
|
|
|
|
-n | --no )
|
|
auto_answer=no
|
|
;;
|
|
|
|
-p | --port )
|
|
port_number=$1
|
|
shift
|
|
;;
|
|
|
|
*)
|
|
echo "usage: ${progname} [OPTION]..."
|
|
echo
|
|
echo "This script creates an OpenSSH host configuration."
|
|
echo
|
|
echo "Options:"
|
|
echo " --debug -d Enable shell's debug output."
|
|
echo " --yes -y Answer all questions with \"yes\" automatically."
|
|
echo " --no -n Answer all questions with \"no\" automatically."
|
|
echo " --port -p <n> sshd listens on port n."
|
|
echo
|
|
exit 1
|
|
;;
|
|
|
|
esac
|
|
done
|
|
|
|
# Check if running on NT
|
|
_sys="`uname -a`"
|
|
_nt=`expr "$_sys" : "CYGWIN_NT"`
|
|
|
|
# Check for running ssh/sshd processes first. Refuse to do anything while
|
|
# some ssh processes are still running
|
|
|
|
if ps -ef | grep -v grep | grep -q ssh
|
|
then
|
|
echo
|
|
echo "There are still ssh processes running. Please shut them down first."
|
|
echo
|
|
exit 1
|
|
fi
|
|
|
|
# Check for ${SYSCONFDIR} directory
|
|
|
|
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
|
|
then
|
|
echo
|
|
echo "${SYSCONFDIR} is existant but not a directory."
|
|
echo "Cannot create global configuration files."
|
|
echo
|
|
exit 1
|
|
fi
|
|
|
|
# Create it if necessary
|
|
|
|
if [ ! -e "${SYSCONFDIR}" ]
|
|
then
|
|
mkdir "${SYSCONFDIR}"
|
|
if [ ! -e "${SYSCONFDIR}" ]
|
|
then
|
|
echo
|
|
echo "Creating ${SYSCONFDIR} directory failed"
|
|
echo
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
# Create /var/log and /var/log/lastlog if not already existing
|
|
|
|
if [ -f /var/log ]
|
|
then
|
|
echo "Creating /var/log failed\!"
|
|
else
|
|
if [ ! -d /var/log ]
|
|
then
|
|
mkdir -p /var/log
|
|
fi
|
|
if [ -d /var/log/lastlog ]
|
|
then
|
|
echo "Creating /var/log/lastlog failed\!"
|
|
elif [ ! -f /var/log/lastlog ]
|
|
then
|
|
cat /dev/null > /var/log/lastlog
|
|
fi
|
|
fi
|
|
|
|
# Create /var/empty file used as chroot jail for privilege separation
|
|
if [ -f /var/empty ]
|
|
then
|
|
echo "Creating /var/empty failed\!"
|
|
else
|
|
mkdir -p /var/empty
|
|
# On NT change ownership of that dir to user "system"
|
|
if [ $_nt -gt 0 ]
|
|
then
|
|
chmod 755 /var/empty
|
|
chown system.system /var/empty
|
|
fi
|
|
fi
|
|
|
|
# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
|
|
# the same as ${PREFIX}
|
|
|
|
old_install=0
|
|
if [ "${OLDPREFIX}" != "${PREFIX}" ]
|
|
then
|
|
if [ -f "${OLDPREFIX}/sbin/sshd" ]
|
|
then
|
|
echo
|
|
echo "You seem to have an older installation in ${OLDPREFIX}."
|
|
echo
|
|
# Check if old global configuration files exist
|
|
if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
|
|
then
|
|
if request "Do you want to copy your config files to your new installation?"
|
|
then
|
|
cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
|
|
cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
|
|
cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
|
|
cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
|
|
cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
|
|
cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
|
|
fi
|
|
fi
|
|
if request "Do you want to erase your old installation?"
|
|
then
|
|
rm -f ${OLDPREFIX}/bin/ssh.exe
|
|
rm -f ${OLDPREFIX}/bin/ssh-config
|
|
rm -f ${OLDPREFIX}/bin/scp.exe
|
|
rm -f ${OLDPREFIX}/bin/ssh-add.exe
|
|
rm -f ${OLDPREFIX}/bin/ssh-agent.exe
|
|
rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
|
|
rm -f ${OLDPREFIX}/bin/slogin
|
|
rm -f ${OLDSYSCONFDIR}/ssh_host_key
|
|
rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
|
|
rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
|
|
rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
|
|
rm -f ${OLDSYSCONFDIR}/ssh_config
|
|
rm -f ${OLDSYSCONFDIR}/sshd_config
|
|
rm -f ${OLDPREFIX}/man/man1/ssh.1
|
|
rm -f ${OLDPREFIX}/man/man1/scp.1
|
|
rm -f ${OLDPREFIX}/man/man1/ssh-add.1
|
|
rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
|
|
rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
|
|
rm -f ${OLDPREFIX}/man/man1/slogin.1
|
|
rm -f ${OLDPREFIX}/man/man8/sshd.8
|
|
rm -f ${OLDPREFIX}/sbin/sshd.exe
|
|
rm -f ${OLDPREFIX}/sbin/sftp-server.exe
|
|
fi
|
|
old_install=1
|
|
fi
|
|
fi
|
|
|
|
# First generate host keys if not already existing
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
|
|
then
|
|
echo "Generating ${SYSCONFDIR}/ssh_host_key"
|
|
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
|
|
fi
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
|
|
then
|
|
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
|
|
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
|
|
fi
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
|
|
then
|
|
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
|
|
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
|
|
fi
|
|
|
|
# Check if ssh_config exists. If yes, ask for overwriting
|
|
|
|
if [ -f "${SYSCONFDIR}/ssh_config" ]
|
|
then
|
|
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
|
|
then
|
|
rm -f "${SYSCONFDIR}/ssh_config"
|
|
if [ -f "${SYSCONFDIR}/ssh_config" ]
|
|
then
|
|
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Create default ssh_config from here script
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
|
|
then
|
|
echo "Generating ${SYSCONFDIR}/ssh_config file"
|
|
cat > ${SYSCONFDIR}/ssh_config << EOF
|
|
# This is the ssh client system-wide configuration file. See
|
|
# ssh_config(5) for more information. This file provides defaults for
|
|
# users, and the values can be changed in per-user configuration files
|
|
# or on the command line.
|
|
|
|
# Configuration data is parsed as follows:
|
|
# 1. command line options
|
|
# 2. user-specific file
|
|
# 3. system-wide file
|
|
# Any configuration value is only changed the first time it is set.
|
|
# Thus, host-specific definitions should be at the beginning of the
|
|
# configuration file, and defaults at the end.
|
|
|
|
# Site-wide defaults for various options
|
|
|
|
# Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
# RhostsAuthentication no
|
|
# RhostsRSAAuthentication no
|
|
# RSAAuthentication yes
|
|
# PasswordAuthentication yes
|
|
# BatchMode no
|
|
# CheckHostIP yes
|
|
# StrictHostKeyChecking ask
|
|
# IdentityFile ~/.ssh/identity
|
|
# IdentityFile ~/.ssh/id_dsa
|
|
# IdentityFile ~/.ssh/id_rsa
|
|
# Port 22
|
|
# Protocol 2,1
|
|
# Cipher 3des
|
|
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
|
|
# EscapeChar ~
|
|
EOF
|
|
if [ "$port_number" != "22" ]
|
|
then
|
|
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
|
|
echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
|
|
fi
|
|
fi
|
|
|
|
# Check if sshd_config exists. If yes, ask for overwriting
|
|
|
|
if [ -f "${SYSCONFDIR}/sshd_config" ]
|
|
then
|
|
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
|
|
then
|
|
rm -f "${SYSCONFDIR}/sshd_config"
|
|
if [ -f "${SYSCONFDIR}/sshd_config" ]
|
|
then
|
|
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
|
|
fi
|
|
else
|
|
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
|
fi
|
|
fi
|
|
|
|
# Prior to creating or modifying sshd_config, care for privilege separation
|
|
|
|
if [ "$privsep_configured" != "yes" ]
|
|
then
|
|
if [ $_nt -gt 0 ]
|
|
then
|
|
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
|
|
echo "However, this requires a non-privileged account called 'sshd'."
|
|
echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
|
|
echo
|
|
if request "Shall privilege separation be used?"
|
|
then
|
|
privsep_used=yes
|
|
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
|
|
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
|
|
if [ "$sshd_in_passwd" != "yes" ]
|
|
then
|
|
if [ "$sshd_in_sam" != "yes" ]
|
|
then
|
|
echo "Warning: The following function requires administrator privileges!"
|
|
if request "Shall this script create a local user 'sshd' on this machine?"
|
|
then
|
|
dos_var_empty=`cygpath -w /var/empty`
|
|
net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
|
|
if [ "$sshd_in_sam" != "yes" ]
|
|
then
|
|
echo "Warning: Creating the user 'sshd' failed!"
|
|
fi
|
|
fi
|
|
fi
|
|
if [ "$sshd_in_sam" != "yes" ]
|
|
then
|
|
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
|
|
echo " Privilege separation set to 'no' again!"
|
|
echo " Check your ${SYSCONFDIR}/sshd_config file!"
|
|
privsep_used=no
|
|
else
|
|
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
|
|
fi
|
|
fi
|
|
else
|
|
privsep_used=no
|
|
fi
|
|
else
|
|
# On 9x don't use privilege separation. Since security isn't
|
|
# available it just adds useless addtional processes.
|
|
privsep_used=no
|
|
fi
|
|
fi
|
|
|
|
# Create default sshd_config from here script or modify to add the
|
|
# missing privsep configuration option
|
|
|
|
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
|
|
then
|
|
echo "Generating ${SYSCONFDIR}/sshd_config file"
|
|
cat > ${SYSCONFDIR}/sshd_config << EOF
|
|
# This is the sshd server system-wide configuration file. See
|
|
# sshd_config(5) for more information.
|
|
|
|
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
|
|
|
|
# The strategy used for options in the default sshd_config shipped with
|
|
# OpenSSH is to specify options with their default value where
|
|
# possible, but leave them commented. Uncommented options change a
|
|
# default value.
|
|
|
|
Port $port_number
|
|
#Protocol 2,1
|
|
#ListenAddress 0.0.0.0
|
|
#ListenAddress ::
|
|
|
|
# HostKey for protocol version 1
|
|
#HostKey ${SYSCONFDIR}/ssh_host_key
|
|
# HostKeys for protocol version 2
|
|
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
|
|
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
|
|
|
|
# Lifetime and size of ephemeral version 1 server key
|
|
#KeyRegenerationInterval 3600
|
|
#ServerKeyBits 768
|
|
|
|
# Logging
|
|
#obsoletes QuietMode and FascistLogging
|
|
#SyslogFacility AUTH
|
|
#LogLevel INFO
|
|
|
|
# Authentication:
|
|
|
|
#LoginGraceTime 120
|
|
#PermitRootLogin yes
|
|
# The following setting overrides permission checks on host key files
|
|
# and directories. For security reasons set this to "yes" when running
|
|
# NT/W2K, NTFS and CYGWIN=ntsec.
|
|
StrictModes no
|
|
|
|
#RSAAuthentication yes
|
|
#PubkeyAuthentication yes
|
|
#AuthorizedKeysFile .ssh/authorized_keys
|
|
|
|
# rhosts authentication should not be used
|
|
#RhostsAuthentication no
|
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
#IgnoreRhosts yes
|
|
# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
|
|
#RhostsRSAAuthentication no
|
|
# similar for protocol version 2
|
|
#HostbasedAuthentication no
|
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
# RhostsRSAAuthentication and HostbasedAuthentication
|
|
#IgnoreUserKnownHosts no
|
|
|
|
# To disable tunneled clear text passwords, change to no here!
|
|
#PasswordAuthentication yes
|
|
#PermitEmptyPasswords no
|
|
|
|
# Change to no to disable s/key passwords
|
|
#ChallengeResponseAuthentication yes
|
|
|
|
#X11Forwarding no
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PrintMotd yes
|
|
#PrintLastLog yes
|
|
#KeepAlive yes
|
|
#UseLogin no
|
|
UsePrivilegeSeparation $privsep_used
|
|
#PermitUserEnvironment no
|
|
#Compression yes
|
|
|
|
#MaxStartups 10
|
|
# no default banner path
|
|
#Banner /some/path
|
|
#VerifyReverseMapping no
|
|
|
|
# override default of no subsystems
|
|
Subsystem sftp /usr/sbin/sftp-server
|
|
EOF
|
|
elif [ "$privsep_configured" != "yes" ]
|
|
then
|
|
echo >> ${SYSCONFDIR}/sshd_config
|
|
echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
|
|
fi
|
|
|
|
# Care for services file
|
|
if [ $_nt -gt 0 ]
|
|
then
|
|
_wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
|
|
_wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$"
|
|
else
|
|
_wservices="${WINDIR}\\SERVICES"
|
|
_wserv_tmp="${WINDIR}\\SERV.$$"
|
|
fi
|
|
_services=`cygpath -u "${_wservices}"`
|
|
_serv_tmp=`cygpath -u "${_wserv_tmp}"`
|
|
|
|
mount -t -f "${_wservices}" "${_services}"
|
|
mount -t -f "${_wserv_tmp}" "${_serv_tmp}"
|
|
|
|
# Remove sshd 22/port from services
|
|
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
|
then
|
|
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
|
if [ -f "${_serv_tmp}" ]
|
|
then
|
|
if mv "${_serv_tmp}" "${_services}"
|
|
then
|
|
echo "Removing sshd from ${_services}"
|
|
else
|
|
echo "Removing sshd from ${_services} failed\!"
|
|
fi
|
|
rm -f "${_serv_tmp}"
|
|
else
|
|
echo "Removing sshd from ${_services} failed\!"
|
|
fi
|
|
fi
|
|
|
|
# Add ssh 22/tcp and ssh 22/udp to services
|
|
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
|
then
|
|
awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
|
if [ -f "${_serv_tmp}" ]
|
|
then
|
|
if mv "${_serv_tmp}" "${_services}"
|
|
then
|
|
echo "Added ssh to ${_services}"
|
|
else
|
|
echo "Adding ssh to ${_services} failed\!"
|
|
fi
|
|
rm -f "${_serv_tmp}"
|
|
else
|
|
echo "Adding ssh to ${_services} failed\!"
|
|
fi
|
|
fi
|
|
|
|
umount "${_services}"
|
|
umount "${_serv_tmp}"
|
|
|
|
# Care for inetd.conf file
|
|
_inetcnf="${SYSCONFDIR}/inetd.conf"
|
|
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
|
|
|
|
if [ -f "${_inetcnf}" ]
|
|
then
|
|
# Check if ssh service is already in use as sshd
|
|
with_comment=1
|
|
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
|
|
# Remove sshd line from inetd.conf
|
|
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
|
then
|
|
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
|
if [ -f "${_inetcnf_tmp}" ]
|
|
then
|
|
if mv "${_inetcnf_tmp}" "${_inetcnf}"
|
|
then
|
|
echo "Removed sshd from ${_inetcnf}"
|
|
else
|
|
echo "Removing sshd from ${_inetcnf} failed\!"
|
|
fi
|
|
rm -f "${_inetcnf_tmp}"
|
|
else
|
|
echo "Removing sshd from ${_inetcnf} failed\!"
|
|
fi
|
|
fi
|
|
|
|
# Add ssh line to inetd.conf
|
|
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
|
|
then
|
|
if [ "${with_comment}" -eq 0 ]
|
|
then
|
|
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
|
else
|
|
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
|
fi
|
|
echo "Added ssh to ${_inetcnf}"
|
|
fi
|
|
fi
|
|
|
|
# On NT ask if sshd should be installed as service
|
|
if [ $_nt -gt 0 ]
|
|
then
|
|
echo
|
|
echo "Do you want to install sshd as service?"
|
|
if request "(Say \"no\" if it's already installed as service)"
|
|
then
|
|
echo
|
|
echo "Which value should the environment variable CYGWIN have when"
|
|
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
|
|
echo "able to change user context without password."
|
|
echo -n "Default is \"binmode ntsec tty\". CYGWIN="
|
|
read _cygwin
|
|
[ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
|
|
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
|
|
then
|
|
chown system ${SYSCONFDIR}/ssh*
|
|
echo
|
|
echo "The service has been installed under LocalSystem account."
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
if [ "${old_install}" = "1" ]
|
|
then
|
|
echo
|
|
echo "Note: If you have used sshd as service or from inetd, don't forget to"
|
|
echo " change the path to sshd.exe in the service entry or in inetd.conf."
|
|
fi
|
|
|
|
echo
|
|
echo "Host configuration finished. Have fun!"
|