| #!/bin/sh |
| # |
| # ssh-host-config, Copyright 2000, Red Hat Inc. |
| # |
| # This file is part of the Cygwin port of OpenSSH. |
| |
| # Subdirectory where the new package is being installed |
| PREFIX=/usr |
| |
| # Directory where the config files are stored |
| SYSCONFDIR=/etc |
| |
| # Subdirectory where an old package might be installed |
| OLDPREFIX=/usr/local |
| OLDSYSCONFDIR=${OLDPREFIX}/etc |
| |
| progname=$0 |
| auto_answer="" |
| port_number=22 |
| |
| privsep_configured=no |
| privsep_used=yes |
| sshd_in_passwd=no |
| sshd_in_sam=no |
| |
| request() |
| { |
| if [ "${auto_answer}" = "yes" ] |
| then |
| return 0 |
| elif [ "${auto_answer}" = "no" ] |
| then |
| return 1 |
| fi |
| |
| answer="" |
| while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] |
| do |
| echo -n "$1 (yes/no) " |
| read answer |
| done |
| if [ "X${answer}" = "Xyes" ] |
| then |
| return 0 |
| else |
| return 1 |
| fi |
| } |
| |
| # Check options |
| |
| while : |
| do |
| case $# in |
| 0) |
| break |
| ;; |
| esac |
| |
| option=$1 |
| shift |
| |
| case "$option" in |
| -d | --debug ) |
| set -x |
| ;; |
| |
| -y | --yes ) |
| auto_answer=yes |
| ;; |
| |
| -n | --no ) |
| auto_answer=no |
| ;; |
| |
| -p | --port ) |
| port_number=$1 |
| shift |
| ;; |
| |
| *) |
| echo "usage: ${progname} [OPTION]..." |
| echo |
| echo "This script creates an OpenSSH host configuration." |
| echo |
| echo "Options:" |
| echo " --debug -d Enable shell's debug output." |
| echo " --yes -y Answer all questions with \"yes\" automatically." |
| echo " --no -n Answer all questions with \"no\" automatically." |
| echo " --port -p <n> sshd listens on port n." |
| echo |
| exit 1 |
| ;; |
| |
| esac |
| done |
| |
| # Check if running on NT |
| _sys="`uname -a`" |
| _nt=`expr "$_sys" : "CYGWIN_NT"` |
| |
| # Check for running ssh/sshd processes first. Refuse to do anything while |
| # some ssh processes are still running |
| |
| if ps -ef | grep -v grep | grep -q ssh |
| then |
| echo |
| echo "There are still ssh processes running. Please shut them down first." |
| echo |
| exit 1 |
| fi |
| |
| # Check for ${SYSCONFDIR} directory |
| |
| if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] |
| then |
| echo |
| echo "${SYSCONFDIR} is existant but not a directory." |
| echo "Cannot create global configuration files." |
| echo |
| exit 1 |
| fi |
| |
| # Create it if necessary |
| |
| if [ ! -e "${SYSCONFDIR}" ] |
| then |
| mkdir "${SYSCONFDIR}" |
| if [ ! -e "${SYSCONFDIR}" ] |
| then |
| echo |
| echo "Creating ${SYSCONFDIR} directory failed" |
| echo |
| exit 1 |
| fi |
| fi |
| |
| # Create /var/log and /var/log/lastlog if not already existing |
| |
| if [ -f /var/log ] |
| then |
| echo "Creating /var/log failed\!" |
| else |
| if [ ! -d /var/log ] |
| then |
| mkdir -p /var/log |
| fi |
| if [ -d /var/log/lastlog ] |
| then |
| echo "Creating /var/log/lastlog failed\!" |
| elif [ ! -f /var/log/lastlog ] |
| then |
| cat /dev/null > /var/log/lastlog |
| fi |
| fi |
| |
| # Create /var/empty file used as chroot jail for privilege separation |
| if [ -f /var/empty ] |
| then |
| echo "Creating /var/empty failed\!" |
| else |
| mkdir -p /var/empty |
| # On NT change ownership of that dir to user "system" |
| if [ $_nt -gt 0 ] |
| then |
| chmod 755 /var/empty |
| chown system.system /var/empty |
| fi |
| fi |
| |
| # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't |
| # the same as ${PREFIX} |
| |
| old_install=0 |
| if [ "${OLDPREFIX}" != "${PREFIX}" ] |
| then |
| if [ -f "${OLDPREFIX}/sbin/sshd" ] |
| then |
| echo |
| echo "You seem to have an older installation in ${OLDPREFIX}." |
| echo |
| # Check if old global configuration files exist |
| if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] |
| then |
| if request "Do you want to copy your config files to your new installation?" |
| then |
| cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} |
| cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} |
| cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} |
| cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} |
| cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} |
| cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} |
| fi |
| fi |
| if request "Do you want to erase your old installation?" |
| then |
| rm -f ${OLDPREFIX}/bin/ssh.exe |
| rm -f ${OLDPREFIX}/bin/ssh-config |
| rm -f ${OLDPREFIX}/bin/scp.exe |
| rm -f ${OLDPREFIX}/bin/ssh-add.exe |
| rm -f ${OLDPREFIX}/bin/ssh-agent.exe |
| rm -f ${OLDPREFIX}/bin/ssh-keygen.exe |
| rm -f ${OLDPREFIX}/bin/slogin |
| rm -f ${OLDSYSCONFDIR}/ssh_host_key |
| rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub |
| rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key |
| rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub |
| rm -f ${OLDSYSCONFDIR}/ssh_config |
| rm -f ${OLDSYSCONFDIR}/sshd_config |
| rm -f ${OLDPREFIX}/man/man1/ssh.1 |
| rm -f ${OLDPREFIX}/man/man1/scp.1 |
| rm -f ${OLDPREFIX}/man/man1/ssh-add.1 |
| rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 |
| rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 |
| rm -f ${OLDPREFIX}/man/man1/slogin.1 |
| rm -f ${OLDPREFIX}/man/man8/sshd.8 |
| rm -f ${OLDPREFIX}/sbin/sshd.exe |
| rm -f ${OLDPREFIX}/sbin/sftp-server.exe |
| fi |
| old_install=1 |
| fi |
| fi |
| |
| # First generate host keys if not already existing |
| |
| if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] |
| then |
| echo "Generating ${SYSCONFDIR}/ssh_host_key" |
| ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
| fi |
| |
| if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
| then |
| echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
| ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
| fi |
| |
| if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
| then |
| echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
| ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null |
| fi |
| |
| # Check if ssh_config exists. If yes, ask for overwriting |
| |
| if [ -f "${SYSCONFDIR}/ssh_config" ] |
| then |
| if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" |
| then |
| rm -f "${SYSCONFDIR}/ssh_config" |
| if [ -f "${SYSCONFDIR}/ssh_config" ] |
| then |
| echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." |
| fi |
| fi |
| fi |
| |
| # Create default ssh_config from here script |
| |
| if [ ! -f "${SYSCONFDIR}/ssh_config" ] |
| then |
| echo "Generating ${SYSCONFDIR}/ssh_config file" |
| cat > ${SYSCONFDIR}/ssh_config << EOF |
| # This is the ssh client system-wide configuration file. See |
| # ssh_config(5) for more information. This file provides defaults for |
| # users, and the values can be changed in per-user configuration files |
| # or on the command line. |
| |
| # Configuration data is parsed as follows: |
| # 1. command line options |
| # 2. user-specific file |
| # 3. system-wide file |
| # Any configuration value is only changed the first time it is set. |
| # Thus, host-specific definitions should be at the beginning of the |
| # configuration file, and defaults at the end. |
| |
| # Site-wide defaults for various options |
| |
| # Host * |
| # ForwardAgent no |
| # ForwardX11 no |
| # RhostsRSAAuthentication no |
| # RSAAuthentication yes |
| # PasswordAuthentication yes |
| # HostbasedAuthentication no |
| # BatchMode no |
| # CheckHostIP yes |
| # AddressFamily any |
| # ConnectTimeout 0 |
| # StrictHostKeyChecking ask |
| # IdentityFile ~/.ssh/identity |
| # IdentityFile ~/.ssh/id_dsa |
| # IdentityFile ~/.ssh/id_rsa |
| # Port 22 |
| # Protocol 2,1 |
| # Cipher 3des |
| # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc |
| # EscapeChar ~ |
| EOF |
| if [ "$port_number" != "22" ] |
| then |
| echo "Host localhost" >> ${SYSCONFDIR}/ssh_config |
| echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config |
| fi |
| fi |
| |
| # Check if sshd_config exists. If yes, ask for overwriting |
| |
| if [ -f "${SYSCONFDIR}/sshd_config" ] |
| then |
| if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" |
| then |
| rm -f "${SYSCONFDIR}/sshd_config" |
| if [ -f "${SYSCONFDIR}/sshd_config" ] |
| then |
| echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." |
| fi |
| else |
| grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
| fi |
| fi |
| |
| # Prior to creating or modifying sshd_config, care for privilege separation |
| |
| if [ "$privsep_configured" != "yes" ] |
| then |
| if [ $_nt -gt 0 ] |
| then |
| echo "Privilege separation is set to yes by default since OpenSSH 3.3." |
| echo "However, this requires a non-privileged account called 'sshd'." |
| echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." |
| echo |
| if request "Shall privilege separation be used?" |
| then |
| privsep_used=yes |
| grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes |
| net user sshd >/dev/null 2>&1 && sshd_in_sam=yes |
| if [ "$sshd_in_passwd" != "yes" ] |
| then |
| if [ "$sshd_in_sam" != "yes" ] |
| then |
| echo "Warning: The following function requires administrator privileges!" |
| if request "Shall this script create a local user 'sshd' on this machine?" |
| then |
| dos_var_empty=`cygpath -w /var/empty` |
| net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes |
| if [ "$sshd_in_sam" != "yes" ] |
| then |
| echo "Warning: Creating the user 'sshd' failed!" |
| fi |
| fi |
| fi |
| if [ "$sshd_in_sam" != "yes" ] |
| then |
| echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" |
| echo " Privilege separation set to 'no' again!" |
| echo " Check your ${SYSCONFDIR}/sshd_config file!" |
| privsep_used=no |
| else |
| mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd |
| fi |
| fi |
| else |
| privsep_used=no |
| fi |
| else |
| # On 9x don't use privilege separation. Since security isn't |
| # available it just adds useless addtional processes. |
| privsep_used=no |
| fi |
| fi |
| |
| # Create default sshd_config from here script or modify to add the |
| # missing privsep configuration option |
| |
| if [ ! -f "${SYSCONFDIR}/sshd_config" ] |
| then |
| echo "Generating ${SYSCONFDIR}/sshd_config file" |
| cat > ${SYSCONFDIR}/sshd_config << EOF |
| # This is the sshd server system-wide configuration file. See |
| # sshd_config(5) for more information. |
| |
| # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin |
| |
| # The strategy used for options in the default sshd_config shipped with |
| # OpenSSH is to specify options with their default value where |
| # possible, but leave them commented. Uncommented options change a |
| # default value. |
| |
| Port $port_number |
| #Protocol 2,1 |
| #ListenAddress 0.0.0.0 |
| #ListenAddress :: |
| |
| # HostKey for protocol version 1 |
| #HostKey ${SYSCONFDIR}/ssh_host_key |
| # HostKeys for protocol version 2 |
| #HostKey ${SYSCONFDIR}/ssh_host_rsa_key |
| #HostKey ${SYSCONFDIR}/ssh_host_dsa_key |
| |
| # Lifetime and size of ephemeral version 1 server key |
| #KeyRegenerationInterval 1h |
| #ServerKeyBits 768 |
| |
| # Logging |
| #obsoletes QuietMode and FascistLogging |
| #SyslogFacility AUTH |
| #LogLevel INFO |
| |
| # Authentication: |
| |
| #LoginGraceTime 2m |
| #PermitRootLogin yes |
| # The following setting overrides permission checks on host key files |
| # and directories. For security reasons set this to "yes" when running |
| # NT/W2K, NTFS and CYGWIN=ntsec. |
| StrictModes no |
| |
| #RSAAuthentication yes |
| #PubkeyAuthentication yes |
| #AuthorizedKeysFile .ssh/authorized_keys |
| |
| # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts |
| #RhostsRSAAuthentication no |
| # similar for protocol version 2 |
| #HostbasedAuthentication no |
| # Change to yes if you don't trust ~/.ssh/known_hosts for |
| # RhostsRSAAuthentication and HostbasedAuthentication |
| #IgnoreUserKnownHosts no |
| # Don't read the user's ~/.rhosts and ~/.shosts files |
| #IgnoreRhosts yes |
| |
| # To disable tunneled clear text passwords, change to no here! |
| #PasswordAuthentication yes |
| #PermitEmptyPasswords no |
| |
| # Change to no to disable s/key passwords |
| #ChallengeResponseAuthentication yes |
| |
| #AllowTcpForwarding yes |
| #GatewayPorts no |
| #X11Forwarding no |
| #X11DisplayOffset 10 |
| #X11UseLocalhost yes |
| #PrintMotd yes |
| #PrintLastLog yes |
| #KeepAlive yes |
| #UseLogin no |
| UsePrivilegeSeparation $privsep_used |
| #PermitUserEnvironment no |
| #Compression yes |
| #ClientAliveInterval 0 |
| #ClientAliveCountMax 3 |
| #UseDNS yes |
| #PidFile /var/run/sshd.pid |
| #MaxStartups 10 |
| |
| # no default banner path |
| #Banner /some/path |
| |
| # override default of no subsystems |
| Subsystem sftp /usr/sbin/sftp-server |
| EOF |
| elif [ "$privsep_configured" != "yes" ] |
| then |
| echo >> ${SYSCONFDIR}/sshd_config |
| echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config |
| fi |
| |
| # Care for services file |
| if [ $_nt -gt 0 ] |
| then |
| _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" |
| _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" |
| else |
| _wservices="${WINDIR}\\SERVICES" |
| _wserv_tmp="${WINDIR}\\SERV.$$" |
| fi |
| _services=`cygpath -u "${_wservices}"` |
| _serv_tmp=`cygpath -u "${_wserv_tmp}"` |
| |
| mount -t -f "${_wservices}" "${_services}" |
| mount -t -f "${_wserv_tmp}" "${_serv_tmp}" |
| |
| # Remove sshd 22/port from services |
| if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
| then |
| grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
| if [ -f "${_serv_tmp}" ] |
| then |
| if mv "${_serv_tmp}" "${_services}" |
| then |
| echo "Removing sshd from ${_services}" |
| else |
| echo "Removing sshd from ${_services} failed\!" |
| fi |
| rm -f "${_serv_tmp}" |
| else |
| echo "Removing sshd from ${_services} failed\!" |
| fi |
| fi |
| |
| # Add ssh 22/tcp and ssh 22/udp to services |
| if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
| then |
| awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
| if [ -f "${_serv_tmp}" ] |
| then |
| if mv "${_serv_tmp}" "${_services}" |
| then |
| echo "Added ssh to ${_services}" |
| else |
| echo "Adding ssh to ${_services} failed\!" |
| fi |
| rm -f "${_serv_tmp}" |
| else |
| echo "Adding ssh to ${_services} failed\!" |
| fi |
| fi |
| |
| umount "${_services}" |
| umount "${_serv_tmp}" |
| |
| # Care for inetd.conf file |
| _inetcnf="${SYSCONFDIR}/inetd.conf" |
| _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" |
| |
| if [ -f "${_inetcnf}" ] |
| then |
| # Check if ssh service is already in use as sshd |
| with_comment=1 |
| grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 |
| # Remove sshd line from inetd.conf |
| if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
| then |
| grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
| if [ -f "${_inetcnf_tmp}" ] |
| then |
| if mv "${_inetcnf_tmp}" "${_inetcnf}" |
| then |
| echo "Removed sshd from ${_inetcnf}" |
| else |
| echo "Removing sshd from ${_inetcnf} failed\!" |
| fi |
| rm -f "${_inetcnf_tmp}" |
| else |
| echo "Removing sshd from ${_inetcnf} failed\!" |
| fi |
| fi |
| |
| # Add ssh line to inetd.conf |
| if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
| then |
| if [ "${with_comment}" -eq 0 ] |
| then |
| echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
| else |
| echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
| fi |
| echo "Added ssh to ${_inetcnf}" |
| fi |
| fi |
| |
| # On NT ask if sshd should be installed as service |
| if [ $_nt -gt 0 ] |
| then |
| echo |
| echo "Do you want to install sshd as service?" |
| if request "(Say \"no\" if it's already installed as service)" |
| then |
| echo |
| echo "Which value should the environment variable CYGWIN have when" |
| echo "sshd starts? It's recommended to set at least \"ntsec\" to be" |
| echo "able to change user context without password." |
| echo -n "Default is \"binmode ntsec tty\". CYGWIN=" |
| read _cygwin |
| [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" |
| if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" |
| then |
| chown system ${SYSCONFDIR}/ssh* |
| echo |
| echo "The service has been installed under LocalSystem account." |
| fi |
| fi |
| fi |
| |
| if [ "${old_install}" = "1" ] |
| then |
| echo |
| echo "Note: If you have used sshd as service or from inetd, don't forget to" |
| echo " change the path to sshd.exe in the service entry or in inetd.conf." |
| fi |
| |
| echo |
| echo "Host configuration finished. Have fun!" |