mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 01:50:16 +00:00
83795d61d2
and tweak the is-sshd-running check in ssh-host-config. Patch from vinschen at redhat com.
530 lines
17 KiB
Bash
530 lines
17 KiB
Bash
#!/bin/bash
|
|
#
|
|
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
|
|
#
|
|
# This file is part of the Cygwin port of OpenSSH.
|
|
|
|
# ======================================================================
|
|
# Initialization
|
|
# ======================================================================
|
|
PROGNAME=$(basename $0)
|
|
_tdir=$(dirname $0)
|
|
PROGDIR=$(cd $_tdir && pwd)
|
|
|
|
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
|
|
|
|
# Subdirectory where the new package is being installed
|
|
PREFIX=/usr
|
|
|
|
# Directory where the config files are stored
|
|
SYSCONFDIR=/etc
|
|
LOCALSTATEDIR=/var
|
|
|
|
source ${CSIH_SCRIPT}
|
|
|
|
port_number=22
|
|
privsep_configured=no
|
|
privsep_used=yes
|
|
cygwin_value="ntsec"
|
|
password_value=
|
|
|
|
# ======================================================================
|
|
# Routine: create_host_keys
|
|
# ======================================================================
|
|
create_host_keys() {
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
|
|
then
|
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
|
|
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
|
|
fi
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
|
|
then
|
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
|
|
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
|
|
fi
|
|
|
|
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
|
|
then
|
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
|
|
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
|
|
fi
|
|
} # --- End of create_host_keys --- #
|
|
|
|
# ======================================================================
|
|
# Routine: update_services_file
|
|
# ======================================================================
|
|
update_services_file() {
|
|
local _my_etcdir="/ssh-host-config.$$"
|
|
local _win_etcdir
|
|
local _services
|
|
local _spaces
|
|
local _serv_tmp
|
|
local _wservices
|
|
|
|
if csih_is_nt
|
|
then
|
|
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
|
|
_services="${_my_etcdir}/services"
|
|
# On NT, 27 spaces, no space after the hash
|
|
_spaces=" #"
|
|
else
|
|
_win_etcdir="${WINDIR}"
|
|
_services="${_my_etcdir}/SERVICES"
|
|
# On 9x, 18 spaces (95 is very touchy), a space after the hash
|
|
_spaces=" # "
|
|
fi
|
|
_serv_tmp="${_my_etcdir}/srv.out.$$"
|
|
|
|
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
|
|
|
|
# Depends on the above mount
|
|
_wservices=`cygpath -w "${_services}"`
|
|
|
|
# Remove sshd 22/port from services
|
|
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
|
then
|
|
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
|
if [ -f "${_serv_tmp}" ]
|
|
then
|
|
if mv "${_serv_tmp}" "${_services}"
|
|
then
|
|
csih_inform "Removing sshd from ${_wservices}"
|
|
else
|
|
csih_warning "Removing sshd from ${_wservices} failed!"
|
|
fi
|
|
rm -f "${_serv_tmp}"
|
|
else
|
|
csih_warning "Removing sshd from ${_wservices} failed!"
|
|
fi
|
|
fi
|
|
|
|
# Add ssh 22/tcp and ssh 22/udp to services
|
|
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
|
then
|
|
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
|
then
|
|
if mv "${_serv_tmp}" "${_services}"
|
|
then
|
|
csih_inform "Added ssh to ${_wservices}"
|
|
else
|
|
csih_warning "Adding ssh to ${_wservices} failed!"
|
|
fi
|
|
rm -f "${_serv_tmp}"
|
|
else
|
|
csih_warning "Adding ssh to ${_wservices} failed!"
|
|
fi
|
|
fi
|
|
umount "${_my_etcdir}"
|
|
} # --- End of update_services_file --- #
|
|
|
|
# ======================================================================
|
|
# Routine: sshd_privsep
|
|
# MODIFIES: privsep_configured privsep_used
|
|
# ======================================================================
|
|
sshd_privsep() {
|
|
local sshdconfig_tmp
|
|
|
|
if [ "${privsep_configured}" != "yes" ]
|
|
then
|
|
if csih_is_nt
|
|
then
|
|
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
|
|
csih_inform "However, this requires a non-privileged account called 'sshd'."
|
|
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
|
|
if csih_request "Should privilege separation be used?"
|
|
then
|
|
privsep_used=yes
|
|
if ! csih_create_unprivileged_user sshd
|
|
then
|
|
csih_warning "Couldn't create user 'sshd'!"
|
|
csih_warning "Privilege separation set to 'no' again!"
|
|
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
|
privsep_used=no
|
|
fi
|
|
else
|
|
privsep_used=no
|
|
fi
|
|
else
|
|
# On 9x don't use privilege separation. Since security isn't
|
|
# available it just adds useless additional processes.
|
|
privsep_used=no
|
|
fi
|
|
fi
|
|
|
|
# Create default sshd_config from skeleton files in /etc/defaults/etc or
|
|
# modify to add the missing privsep configuration option
|
|
if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
|
then
|
|
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
|
|
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
|
|
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
|
|
s/^#Port 22/Port ${port_number}/
|
|
s/^#StrictModes yes/StrictModes no/" \
|
|
< ${SYSCONFDIR}/sshd_config \
|
|
> "${sshdconfig_tmp}"
|
|
mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
|
|
elif [ "${privsep_configured}" != "yes" ]
|
|
then
|
|
echo >> ${SYSCONFDIR}/sshd_config
|
|
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
|
|
fi
|
|
} # --- End of sshd_privsep --- #
|
|
|
|
# ======================================================================
|
|
# Routine: update_inetd_conf
|
|
# ======================================================================
|
|
update_inetd_conf() {
|
|
local _inetcnf="${SYSCONFDIR}/inetd.conf"
|
|
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
|
|
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
|
|
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
|
|
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
|
|
local _with_comment=1
|
|
|
|
if [ -d "${_inetcnf_dir}" ]
|
|
then
|
|
# we have inetutils-1.5 inetd.d support
|
|
if [ -f "${_inetcnf}" ]
|
|
then
|
|
grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
|
|
|
|
# check for sshd OR ssh in top-level inetd.conf file, and remove
|
|
# will be replaced by a file in inetd.d/
|
|
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
|
|
then
|
|
grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
|
if [ -f "${_inetcnf_tmp}" ]
|
|
then
|
|
if mv "${_inetcnf_tmp}" "${_inetcnf}"
|
|
then
|
|
csih_inform "Removed ssh[d] from ${_inetcnf}"
|
|
else
|
|
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
|
|
fi
|
|
rm -f "${_inetcnf_tmp}"
|
|
else
|
|
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
|
|
if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
|
|
then
|
|
if [ "${_with_comment}" -eq 0 ]
|
|
then
|
|
sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
|
else
|
|
sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
|
fi
|
|
mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
|
|
csih_inform "Updated ${_sshd_inetd_conf}"
|
|
fi
|
|
|
|
elif [ -f "${_inetcnf}" ]
|
|
then
|
|
grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
|
|
|
|
# check for sshd in top-level inetd.conf file, and remove
|
|
# will be replaced by a file in inetd.d/
|
|
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
|
then
|
|
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
|
if [ -f "${_inetcnf_tmp}" ]
|
|
then
|
|
if mv "${_inetcnf_tmp}" "${_inetcnf}"
|
|
then
|
|
csih_inform "Removed sshd from ${_inetcnf}"
|
|
else
|
|
csih_warning "Removing sshd from ${_inetcnf} failed!"
|
|
fi
|
|
rm -f "${_inetcnf_tmp}"
|
|
else
|
|
csih_warning "Removing sshd from ${_inetcnf} failed!"
|
|
fi
|
|
fi
|
|
|
|
# Add ssh line to inetd.conf
|
|
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
|
|
then
|
|
if [ "${_with_comment}" -eq 0 ]
|
|
then
|
|
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
|
else
|
|
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
|
fi
|
|
csih_inform "Added ssh to ${_inetcnf}"
|
|
fi
|
|
fi
|
|
} # --- End of update_inetd_conf --- #
|
|
|
|
# ======================================================================
|
|
# Routine: install_service
|
|
# Install sshd as a service
|
|
# ======================================================================
|
|
install_service() {
|
|
local run_service_as
|
|
local password
|
|
|
|
if csih_is_nt
|
|
then
|
|
if ! cygrunsrv -Q sshd >/dev/null 2>&1
|
|
then
|
|
echo
|
|
echo
|
|
csih_warning "The following functions require administrator privileges!"
|
|
echo
|
|
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
|
|
if csih_request "(Say \"no\" if it is already installed as a service)"
|
|
then
|
|
csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
|
|
csih_inform "for sshd to be able to change user context without password."
|
|
csih_get_cygenv "${cygwin_value}"
|
|
|
|
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
|
|
then
|
|
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
|
|
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
|
|
csih_inform "sshd requires. You need to have or to create a privileged"
|
|
csih_inform "account. This script will help you do so."
|
|
echo
|
|
if ! csih_create_privileged_user "${password_value}"
|
|
then
|
|
csih_error_recoverable "There was a serious problem creating a privileged user."
|
|
csih_request "Do you want to proceed anyway?" || exit 1
|
|
fi
|
|
fi
|
|
|
|
# never returns empty if NT or above
|
|
run_service_as=$(csih_service_should_run_as)
|
|
|
|
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
|
|
then
|
|
password="${csih_PRIVILEGED_PASSWORD}"
|
|
if [ -z "${password}" ]
|
|
then
|
|
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
|
|
password="${csih_value}"
|
|
fi
|
|
fi
|
|
|
|
# at this point, we either have $run_service_as = "system" and $password is empty,
|
|
# or $run_service_as is some privileged user and (hopefully) $password contains
|
|
# the correct password. So, from here out, we use '-z "${password}"' to discriminate
|
|
# the two cases.
|
|
|
|
csih_check_user "${run_service_as}"
|
|
|
|
if [ -z "${password}" ]
|
|
then
|
|
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
|
|
-e CYGWIN="${csih_cygenv}"
|
|
then
|
|
echo
|
|
csih_inform "The sshd service has been installed under the LocalSystem"
|
|
csih_inform "account (also known as SYSTEM). To start the service now, call"
|
|
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
|
|
csih_inform "will start automatically after the next reboot."
|
|
fi
|
|
else
|
|
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
|
|
-e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
|
|
then
|
|
echo
|
|
csih_inform "The sshd service has been installed under the '${run_service_as}'"
|
|
csih_inform "account. To start the service now, call \`net start sshd' or"
|
|
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
|
|
csih_inform "after the next reboot."
|
|
fi
|
|
fi
|
|
|
|
# now, if successfully installed, set ownership of the affected files
|
|
if cygrunsrv -Q sshd >/dev/null 2>&1
|
|
then
|
|
chown "${run_service_as}" ${SYSCONFDIR}/ssh*
|
|
chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
|
|
chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
|
|
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
|
|
then
|
|
chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
|
|
fi
|
|
else
|
|
csih_warning "Something went wrong installing the sshd service."
|
|
fi
|
|
fi # user allowed us to install as service
|
|
fi # service not yet installed
|
|
fi # csih_is_nt
|
|
} # --- End of install_service --- #
|
|
|
|
# ======================================================================
|
|
# Main Entry Point
|
|
# ======================================================================
|
|
|
|
# Check how the script has been started. If
|
|
# (1) it has been started by giving the full path and
|
|
# that path is /etc/postinstall, OR
|
|
# (2) Otherwise, if the environment variable
|
|
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
|
|
# then set auto_answer to "no". This allows automatic
|
|
# creation of the config files in /etc w/o overwriting
|
|
# them if they already exist. In both cases, color
|
|
# escape sequences are suppressed, so as to prevent
|
|
# cluttering setup's logfiles.
|
|
if [ "$PROGDIR" = "/etc/postinstall" ]
|
|
then
|
|
csih_auto_answer="no"
|
|
csih_disable_color
|
|
fi
|
|
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
|
|
then
|
|
csih_auto_answer="no"
|
|
csih_disable_color
|
|
fi
|
|
|
|
# ======================================================================
|
|
# Parse options
|
|
# ======================================================================
|
|
while :
|
|
do
|
|
case $# in
|
|
0)
|
|
break
|
|
;;
|
|
esac
|
|
|
|
option=$1
|
|
shift
|
|
|
|
case "${option}" in
|
|
-d | --debug )
|
|
set -x
|
|
csih_trace_on
|
|
;;
|
|
|
|
-y | --yes )
|
|
csih_auto_answer=yes
|
|
;;
|
|
|
|
-n | --no )
|
|
csih_auto_answer=no
|
|
;;
|
|
|
|
-c | --cygwin )
|
|
cygwin_value="$1"
|
|
shift
|
|
;;
|
|
|
|
-p | --port )
|
|
port_number=$1
|
|
shift
|
|
;;
|
|
|
|
-w | --pwd )
|
|
password_value="$1"
|
|
shift
|
|
;;
|
|
|
|
--privileged )
|
|
csih_FORCE_PRIVILEGED_USER=yes
|
|
;;
|
|
|
|
*)
|
|
echo "usage: ${progname} [OPTION]..."
|
|
echo
|
|
echo "This script creates an OpenSSH host configuration."
|
|
echo
|
|
echo "Options:"
|
|
echo " --debug -d Enable shell's debug output."
|
|
echo " --yes -y Answer all questions with \"yes\" automatically."
|
|
echo " --no -n Answer all questions with \"no\" automatically."
|
|
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
|
|
echo " --port -p <n> sshd listens on port n."
|
|
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
|
|
echo " --privileged On Windows NT/2k/XP, require privileged user"
|
|
echo " instead of LocalSystem for sshd service."
|
|
echo
|
|
exit 1
|
|
;;
|
|
|
|
esac
|
|
done
|
|
|
|
# ======================================================================
|
|
# Action!
|
|
# ======================================================================
|
|
|
|
# Check for running ssh/sshd processes first. Refuse to do anything while
|
|
# some ssh processes are still running
|
|
if ps -ef | grep -q '/sshd\?$'
|
|
then
|
|
echo
|
|
csih_error "There are still ssh processes running. Please shut them down first."
|
|
fi
|
|
|
|
# Check for ${SYSCONFDIR} directory
|
|
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
|
|
chmod 775 "${SYSCONFDIR}"
|
|
setfacl -m u:system:rwx "${SYSCONFDIR}"
|
|
|
|
# Check for /var/log directory
|
|
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
|
|
chmod 775 "${LOCALSTATEDIR}/log"
|
|
setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
|
|
|
|
# Create /var/log/lastlog if not already exists
|
|
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
|
|
then
|
|
echo
|
|
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
|
|
"Cannot create ssh host configuration."
|
|
fi
|
|
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
|
|
then
|
|
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
|
|
chmod 644 ${LOCALSTATEDIR}/log/lastlog
|
|
fi
|
|
|
|
# Create /var/empty file used as chroot jail for privilege separation
|
|
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
|
|
chmod 755 "${LOCALSTATEDIR}/empty"
|
|
setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
|
|
|
|
# host keys
|
|
create_host_keys
|
|
|
|
# use 'cmp' program to determine if a config file is identical
|
|
# to the default version of that config file
|
|
csih_check_program_or_error cmp diffutils
|
|
|
|
|
|
# handle ssh_config
|
|
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
|
|
if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
|
|
then
|
|
if [ "${port_number}" != "22" ]
|
|
then
|
|
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
|
|
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
|
|
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
|
|
fi
|
|
fi
|
|
|
|
# handle sshd_config (and privsep)
|
|
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
|
|
if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
|
then
|
|
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
|
fi
|
|
sshd_privsep
|
|
|
|
|
|
|
|
update_services_file
|
|
update_inetd_conf
|
|
install_service
|
|
|
|
echo
|
|
csih_inform "Host configuration finished. Have fun!"
|
|
|