1bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#!/bin/bash 2bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# 3d059297112922cabb0c674840589be8db821fd9aAdam Langley# ssh-host-config, Copyright 2000-2014 Red Hat Inc. 4bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# 5bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# This file is part of the Cygwin port of OpenSSH. 6bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# 7bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Permission to use, copy, modify, and distribute this software for any 8bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# purpose with or without fee is hereby granted, provided that the above 9bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# copyright notice and this permission notice appear in all copies. 10bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# 11bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 13bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 14bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 15bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 16bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 17bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
18bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 19bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 20bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Initialization 21bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 22bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 23bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanCSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 24bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 25bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# List of apps used. This is checkad for existance in csih_sanity_check 26bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Don't use *any* transient commands before sourcing the csih helper script, 27bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# otherwise the sanity checks are short-circuited. 28bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmandeclare -a csih_required_commands=( 29bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/basename coreutils 30bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/cat coreutils 31bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/chmod coreutils 32bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/dirname coreutils 33bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/id coreutils 34bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/mv coreutils 35bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/rm coreutils 36bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/cygpath cygwin 37d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/mkpasswd cygwin 38bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/mount cygwin 39bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/ps cygwin 40bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/umount 
cygwin 41bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/cmp diffutils 42bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/grep grep 43bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/awk gawk 44bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/ssh-keygen openssh 45bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/sbin/sshd openssh 46bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/sed sed 47bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman) 48bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancsih_sanity_check_server=yes 49bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmansource ${CSIH_SCRIPT} 50bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 51bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanPROGNAME=$(/usr/bin/basename $0) 52bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman_tdir=$(/usr/bin/dirname $0) 53bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanPROGDIR=$(cd $_tdir && pwd) 54bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 55bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Subdirectory where the new package is being installed 56bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanPREFIX=/usr 57bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 58bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Directory where the config files are stored 59bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanSYSCONFDIR=/etc 60bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanLOCALSTATEDIR=/var 61bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 62d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_config_configured=no 63bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanport_number=22 64d059297112922cabb0c674840589be8db821fd9aAdam Langleyservice_name=sshd 65d059297112922cabb0c674840589be8db821fd9aAdam Langleystrictmodes=yes 66bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanprivsep_used=yes 67bd77cf78387b72b7b3ea870459077672bf75c3b5Greg 
Hartmancygwin_value="" 68bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanuser_account= 69bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanpassword_value= 70bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanopt_force=no 71bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 72bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 73bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: update_services_file 74bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 75bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanupdate_services_file() { 76bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _my_etcdir="/ssh-host-config.$$" 77bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _win_etcdir 78bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _services 79bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _spaces 80bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _serv_tmp 81bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _wservices 82bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local ret=0 83bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 84bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 85bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman _services="${_my_etcdir}/services" 86bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman _spaces=" #" 87bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman _serv_tmp="${_my_etcdir}/srv.out.$$" 88bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 89bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 90bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 91bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # Depends on the above mount 92bd77cf78387b72b7b3ea870459077672bf75c3b5Greg 
Hartman _wservices=`cygpath -w "${_services}"` 93bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 94bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # Add ssh 22/tcp and ssh 22/udp to services 95d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] 96bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 97bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 98bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 99bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if /usr/bin/mv "${_serv_tmp}" "${_services}" 100bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 101bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_inform "Added ssh to ${_wservices}" 102bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 103bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Adding ssh to ${_wservices} failed!" 104bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 105bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 106bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/rm -f "${_serv_tmp}" 107bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 108bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Adding ssh to ${_wservices} failed!" 
109bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 110bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 111bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 112bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/umount "${_my_etcdir}" 113bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman return $ret 114bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} # --- End of update_services_file --- # 115bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 116bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 117d059297112922cabb0c674840589be8db821fd9aAdam Langley# Routine: sshd_strictmodes 118d059297112922cabb0c674840589be8db821fd9aAdam Langley# MODIFIES: strictmodes 119d059297112922cabb0c674840589be8db821fd9aAdam Langley# ====================================================================== 120d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_strictmodes() { 121d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ "${sshd_config_configured}" != "yes" ] 122d059297112922cabb0c674840589be8db821fd9aAdam Langley then 123d059297112922cabb0c674840589be8db821fd9aAdam Langley echo 124d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "StrictModes is set to 'yes' by default." 125d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "This is the recommended setting, but it requires that the POSIX" 126d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "permissions of the user's home directory, the user's .ssh" 127d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "directory, and the user's ssh key files are tight so that" 128d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "only the user has write permissions." 
129d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "On the other hand, StrictModes don't work well with default" 130d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "Windows permissions of a home directory mounted with the" 131d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "'noacl' option, and they don't work at all if the home" 132d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "directory is on a FAT or FAT32 partition." 133d059297112922cabb0c674840589be8db821fd9aAdam Langley if ! csih_request "Should StrictModes be used?" 134d059297112922cabb0c674840589be8db821fd9aAdam Langley then 135d059297112922cabb0c674840589be8db821fd9aAdam Langley strictmodes=no 136d059297112922cabb0c674840589be8db821fd9aAdam Langley fi 137d059297112922cabb0c674840589be8db821fd9aAdam Langley fi 138d059297112922cabb0c674840589be8db821fd9aAdam Langley return 0 139d059297112922cabb0c674840589be8db821fd9aAdam Langley} 140d059297112922cabb0c674840589be8db821fd9aAdam Langley 141d059297112922cabb0c674840589be8db821fd9aAdam Langley# ====================================================================== 142bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: sshd_privsep 143d059297112922cabb0c674840589be8db821fd9aAdam Langley# MODIFIES: privsep_used 144bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 145bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmansshd_privsep() { 146bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local ret=0 147bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 148d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ "${sshd_config_configured}" != "yes" ] 149bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 150d059297112922cabb0c674840589be8db821fd9aAdam Langley echo 151d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "Privilege separation is set to 'sandbox' by default since" 
152d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set" 153d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "to 'yes' or 'no'." 154d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "However, using privilege separation requires a non-privileged account" 155d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "called 'sshd'." 156bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 157bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if csih_request "Should privilege separation be used?" 158bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 159bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman privsep_used=yes 160bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if ! csih_create_unprivileged_user sshd 161bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 162bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_error_recoverable "Couldn't create user 'sshd'!" 163bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_error_recoverable "Privilege separation set to 'no' again!" 164bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" 
165bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 166bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman privsep_used=no 167bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 168bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 169bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman privsep_used=no 170bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 171bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 172d059297112922cabb0c674840589be8db821fd9aAdam Langley return $ret 173d059297112922cabb0c674840589be8db821fd9aAdam Langley} # --- End of sshd_privsep --- # 174d059297112922cabb0c674840589be8db821fd9aAdam Langley 175d059297112922cabb0c674840589be8db821fd9aAdam Langley# ====================================================================== 176d059297112922cabb0c674840589be8db821fd9aAdam Langley# Routine: sshd_config_tweak 177d059297112922cabb0c674840589be8db821fd9aAdam Langley# ====================================================================== 178d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_config_tweak() { 179d059297112922cabb0c674840589be8db821fd9aAdam Langley local ret=0 180bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 181d059297112922cabb0c674840589be8db821fd9aAdam Langley # Modify sshd_config 182d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 183d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ "${port_number}" -ne 22 ] 184bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 185d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ 186d059297112922cabb0c674840589be8db821fd9aAdam Langley ${SYSCONFDIR}/sshd_config 187d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ $? 
-ne 0 ] 188bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 189d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Setting listening port to ${port_number} failed!" 190d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 191d059297112922cabb0c674840589be8db821fd9aAdam Langley let ++ret 192d059297112922cabb0c674840589be8db821fd9aAdam Langley fi 193d059297112922cabb0c674840589be8db821fd9aAdam Langley fi 194d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ "${strictmodes}" = "no" ] 195d059297112922cabb0c674840589be8db821fd9aAdam Langley then 196d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ 197d059297112922cabb0c674840589be8db821fd9aAdam Langley ${SYSCONFDIR}/sshd_config 198d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ $? -ne 0 ] 199d059297112922cabb0c674840589be8db821fd9aAdam Langley then 200d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Setting StrictModes to 'no' failed!" 201d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 202d059297112922cabb0c674840589be8db821fd9aAdam Langley let ++ret 203bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 204d059297112922cabb0c674840589be8db821fd9aAdam Langley fi 205d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ "${sshd_config_configured}" != "yes" ] 206bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 207d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/sed -i -e " 208d059297112922cabb0c674840589be8db821fd9aAdam Langley s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \ 209d059297112922cabb0c674840589be8db821fd9aAdam Langley ${SYSCONFDIR}/sshd_config 210d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ $? 
-ne 0 ] 211bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 212d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Setting privilege separation failed!" 213d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 214d059297112922cabb0c674840589be8db821fd9aAdam Langley let ++ret 215bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 216bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 217bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman return $ret 218d059297112922cabb0c674840589be8db821fd9aAdam Langley} # --- End of sshd_config_tweak --- # 219bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 220bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 221bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: update_inetd_conf 222bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 223bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanupdate_inetd_conf() { 224bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _inetcnf="${SYSCONFDIR}/inetd.conf" 225bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" 226bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _inetcnf_dir="${SYSCONFDIR}/inetd.d" 227bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 228bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 229bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local _with_comment=1 230bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local ret=0 231bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 232bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -d "${_inetcnf_dir}" ] 233bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 
234bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # we have inetutils-1.5 inetd.d support 235bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -f "${_inetcnf}" ] 236bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 237d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 238bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 239bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # check for sshd OR ssh in top-level inetd.conf file, and remove 240bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # will be replaced by a file in inetd.d/ 241d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] 242bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 243bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 244bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -f "${_inetcnf_tmp}" ] 245bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 246bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 247bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 248bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_inform "Removed ssh[d] from ${_inetcnf}" 249bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 250bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 251bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 252bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 253bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/rm -f "${_inetcnf_tmp}" 254bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 255bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 
256bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 257bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 258bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 259bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 260bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 261bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 262bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 263bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 264bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ "${_with_comment}" -eq 0 ] 265bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 266d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 267bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 268d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 269bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 270bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 271bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 272bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_inform "Updated ${_sshd_inetd_conf}" 273bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 274bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Updating ${_sshd_inetd_conf} failed!" 
275bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 276bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 277bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 278bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 279bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman elif [ -f "${_inetcnf}" ] 280bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 281d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 282bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 283bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # check for sshd in top-level inetd.conf file, and remove 284bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # will be replaced by a file in inetd.d/ 285d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 286bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 287d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 288bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -f "${_inetcnf_tmp}" ] 289bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 290bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 291bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 292bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_inform "Removed sshd from ${_inetcnf}" 293bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 294bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Removing sshd from ${_inetcnf} failed!" 
295bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 296bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 297bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /usr/bin/rm -f "${_inetcnf_tmp}" 298bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 299bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Removing sshd from ${_inetcnf} failed!" 300bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 301bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 302bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 303bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 304bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # Add ssh line to inetd.conf 305bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 306bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 307bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ "${_with_comment}" -eq 0 ] 308bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 309bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 310bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 311bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 312bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 313bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ $? -eq 0 ] 314bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 315bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_inform "Added ssh to ${_inetcnf}" 316bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman else 317bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Adding ssh to ${_inetcnf} failed!" 
318bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 319bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 320bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 321bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 322bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman return $ret 323bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} # --- End of update_inetd_conf --- # 324bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 325bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 326bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: check_service_files_ownership 327bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Checks that the files in /etc and /var belong to the right owner 328bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ====================================================================== 329bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancheck_service_files_ownership() { 330bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local run_service_as=$1 331bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman local ret=0 332bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 333bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -z "${run_service_as}" ] 334bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 335d059297112922cabb0c674840589be8db821fd9aAdam Langley accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | 336d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/sed -ne 's/^Account *: *//gp') 337bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ "${accnt_name}" = "LocalSystem" ] 338bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 339bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman # Convert "LocalSystem" to "SYSTEM" as is the correct account name 340d059297112922cabb0c674840589be8db821fd9aAdam Langley run_service_as="SYSTEM" 341d059297112922cabb0c674840589be8db821fd9aAdam Langley else 
342d059297112922cabb0c674840589be8db821fd9aAdam Langley dom="${accnt_name%%\\*}" 343d059297112922cabb0c674840589be8db821fd9aAdam Langley accnt_name="${accnt_name#*\\}" 344d059297112922cabb0c674840589be8db821fd9aAdam Langley if [ "${dom}" = '.' ] 345d059297112922cabb0c674840589be8db821fd9aAdam Langley then 346d059297112922cabb0c674840589be8db821fd9aAdam Langley # Check local account 347d059297112922cabb0c674840589be8db821fd9aAdam Langley run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | 348d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/awk -F: '{print $1;}') 349d059297112922cabb0c674840589be8db821fd9aAdam Langley else 350d059297112922cabb0c674840589be8db821fd9aAdam Langley # Check domain 351d059297112922cabb0c674840589be8db821fd9aAdam Langley run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | 352d059297112922cabb0c674840589be8db821fd9aAdam Langley /usr/bin/awk -F: '{print $1;}') 353d059297112922cabb0c674840589be8db821fd9aAdam Langley fi 354bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 355bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -z "${run_service_as}" ] 356bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 357d059297112922cabb0c674840589be8db821fd9aAdam Langley csih_warning "Couldn't determine name of user running sshd service from account database!" 358bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "As a result, this script cannot make sure that the files used" 359bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "by the sshd service belong to the user running the service." 
360bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman return 1 361bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 362bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 363bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub 364bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman do 365bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -f "$i" ] 366bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 367bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 368bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 369bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Couldn't change owner of $i!" 370bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 371bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 372bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 373bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman done 374bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 375bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 376bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" 377bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 378bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 379bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 380bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 381bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" 
382bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 383bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 384bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 385bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 386bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 387bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 388bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" 389bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman let ++ret 390bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 391bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman fi 392bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if [ $ret -ne 0 ] 393bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman then 394bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "Couldn't change owner of important files to ${run_service_as}!" 395bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "This may cause the sshd service to fail! Please make sure that" 396bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "you have suufficient permissions to change the ownership of files" 397bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman csih_warning "and try to run the ssh-host-config script again." 
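# (closing lines of check_service_files_ownership; the routine begins above)
  fi
  return $ret
} # --- End of check_service_files_ownership --- #

# ======================================================================
# Routine: install_service
# Install sshd as a Windows service through cygrunsrv.
#
# Globals read:    service_name, cygwin_value, opt_force, user_account,
#                  password_value, csih_FORCE_PRIVILEGED_USER, csih_cygenv,
#                  csih_PRIVILEGED_USERNAME, csih_PRIVILEGED_PASSWORD,
#                  csih_value, _csih_QUERY_STR
# Globals written: cygwin_env (array of cygrunsrv "-e" arguments)
# Outputs:         progress and status messages on stdout
# Returns:         0 on success, otherwise the number of problems seen
#                  (including those reported by check_service_files_ownership)
# Exits:           1 if the user declines to continue after creating the
#                  privileged account failed
# ======================================================================
install_service() {
  local run_service_as
  local password
  local ret=0
  # Optional arguments for csih_select_privileged_username.  Kept as arrays
  # so that an account name containing spaces survives expansion as one word.
  local -a opt_f=()
  local -a opt_u=()

  echo
  if /usr/bin/cygrunsrv -Q "${service_name}" >/dev/null 2>&1
  then
    csih_inform "Sshd service is already installed."
    # An empty argument makes the ownership check look the account up itself.
    check_service_files_ownership "" || ret=$((ret + $?))
  else
    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
    if csih_request "(Say \"no\" if it is already installed as a service)"
    then
      csih_get_cygenv "${cygwin_value}"

      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
      then
        csih_inform "On Windows Server 2003, Windows Vista, and above, the"
        csih_inform "SYSTEM account cannot setuid to other users -- a capability"
        csih_inform "sshd requires.  You need to have or to create a privileged"
        csih_inform "account.  This script will help you do so."
        echo

        [ "${opt_force}" = "yes" ] && opt_f=(-f)
        [ -n "${user_account}" ] && opt_u=(-u "${user_account}")
        csih_select_privileged_username "${opt_f[@]}" "${opt_u[@]}" sshd

        if ! csih_create_privileged_user "${password_value}"
        then
          csih_error_recoverable "There was a serious problem creating a privileged user."
          csih_request "Do you want to proceed anyway?" || exit 1
          ret=$((ret + 1))
        fi
      fi

      # Either "system" or the privileged account name; the csih helper is
      # documented as never returning an empty value on NT or later.
      run_service_as=$(csih_service_should_run_as)

      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
      then
        password="${csih_PRIVILEGED_PASSWORD}"
        if [ -z "${password}" ]
        then
          # "-s" is presumably csih_get_value's no-echo mode -- confirm in csih.
          csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
          password="${csih_value}"
        fi
      fi

      # From here on an empty ${password} means "run as LocalSystem" and a
      # non-empty one means "run as ${run_service_as} with that password";
      # the two branches below are selected on exactly that test.

      csih_check_user "${run_service_as}"

      if [ -n "${csih_cygenv}" ]
      then
        cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
      fi
      if [ -z "${password}" ]
      then
        if /usr/bin/cygrunsrv -I "${service_name}" -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
                              -a "-D" -y tcpip "${cygwin_env[@]}"
        then
          echo
          csih_inform "The sshd service has been installed under the LocalSystem"
          csih_inform "account (also known as SYSTEM).  To start the service now, call"
          csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'.  Otherwise, it"
          csih_inform "will start automatically after the next reboot."
        fi
      else
        # NOTE: cygrunsrv takes the account password as a command-line
        # argument (-w).  It is therefore briefly visible to other local
        # processes while cygrunsrv runs, and is printed verbatim by the
        # shell trace when this script runs with --debug (set -x).
        if /usr/bin/cygrunsrv -I "${service_name}" -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
                              -a "-D" -y tcpip "${cygwin_env[@]}" \
                              -u "${run_service_as}" -w "${password}"
        then
          # Without the "log on as a service" right the service control
          # manager cannot log the account on; report a failure instead of
          # silently leaving a service that will not start.
          if ! /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
          then
            csih_warning "Couldn't grant SeServiceLogonRight to '${run_service_as}'!"
            ret=$((ret + 1))
          fi
          echo
          csih_inform "The sshd service has been installed under the '${run_service_as}'"
          csih_inform "account.  To start the service now, call \`net start ${service_name}' or"
          csih_inform "\`cygrunsrv -S ${service_name}'.  Otherwise, it will start automatically"
          csih_inform "after the next reboot."
        fi
      fi

      # Re-query the SCM rather than trusting the cygrunsrv -I exit status.
      if /usr/bin/cygrunsrv -Q "${service_name}" >/dev/null 2>&1
      then
        check_service_files_ownership "${run_service_as}" || ret=$((ret + $?))
      else
        csih_error_recoverable "Installing sshd as a service failed!"
        ret=$((ret + 1))
      fi
    fi # user allowed us to install as service
  fi # service not yet installed
  return $ret
} # --- End of install_service --- #

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
# (1) it has been started by giving the full path and
#     that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
#     SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.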
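# ----------------------------------------------------------------------
# Unattended-mode detection.  Both conditions below force "no" answers,
# plain (uncolored) output and opt_force=yes so that an automated run
# never blocks on a prompt and never overwrites existing config files.
# ----------------------------------------------------------------------
if [ "$PROGDIR" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================

# Report an option that was given without the value it requires and stop.
# Arguments: $1 - the option as typed by the user
missing_optarg() {
  echo "${progname}: option '$1' requires an argument" >&2
  exit 1
}

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    # set -x echoes every command, including the cygrunsrv call that carries
    # the service account password on its command line (see install_service).
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    opt_force=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    opt_force=yes
    ;;

  -c | --cygwin )
    [ $# -gt 0 ] || missing_optarg "${option}"
    cygwin_value="$1"
    shift
    ;;

  -N | --name )
    [ $# -gt 0 ] || missing_optarg "${option}"
    service_name="$1"
    shift
    ;;

  -p | --port )
    [ $# -gt 0 ] || missing_optarg "${option}"
    port_number="$1"
    shift
    ;;

  -u | --user )
    [ $# -gt 0 ] || missing_optarg "${option}"
    user_account="$1"
    shift
    ;;

  -w | --pwd )
    # The password arrives on argv, so it is visible in the process list
    # for the lifetime of this script; interactive entry avoids that.
    [ $# -gt 0 ] || missing_optarg "${option}"
    password_value="$1"
    shift
    ;;

  --privileged )
    csih_FORCE_PRIVILEGED_USER=yes
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --name   -N <name>     sshd windows service name."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
    echo "  --privileged           On Windows XP, require privileged user"
    echo "                         instead of LocalSystem for sshd service."
    echo
    exit 1
    ;;

  esac
done

# ======================================================================
# Action!
# ======================================================================

# Check for running ssh/sshd processes first.  Refuse to do anything while
# some ssh processes are still running.  The code below relies on
# csih_error not returning -- confirm against the csih helper.
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Make sure the user is running in an administrative context: 544 is the
# Cygwin gid of the well-known Administrators group.
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  /usr/bin/id -Gnz | xargs -0n1 echo "    "
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
  echo
  csih_warning "Make sure you have the appropriate privileges right now,"
  csih_warning "otherwise parts of this script will probably fail!"
  echo
  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
  if ! csih_request "you have the required privileges)"
  then
    echo
    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
    csih_inform "or to start this script from an elevated shell."
    exit 1
  fi
fi

echo

# Running total of problems; doubles as the process exit status.
warning_cnt=0

# Create /var/log/lastlog if it does not already exist.
lastlog="${LOCALSTATEDIR}/log/lastlog"
if [ -e "${lastlog}" ] && [ ! -f "${lastlog}" ]
then
  echo
  csih_error_multi "${lastlog} exists, but is not a file." \
                   "Cannot create ssh host configuration."
fi
if [ ! -e "${lastlog}" ]
then
  # Creation used to go unchecked; a missing lastlog only surfaced later as
  # a confusing chmod failure.
  if ! : > "${lastlog}" 2>/dev/null
  then
    csih_warning "Can't create ${lastlog}!"
    warning_cnt=$((warning_cnt + 1))
  elif ! /usr/bin/chmod 644 "${lastlog}" >/dev/null 2>&1
  then
    csih_warning "Can't set permissions on ${lastlog}!"
    warning_cnt=$((warning_cnt + 1))
  fi
fi

# Create /var/empty, used as the chroot jail for privilege separation.
# It must not be writable by anyone but its owner, hence 755.
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  warning_cnt=$((warning_cnt + 1))
fi

# Generate missing host keys (-A creates every default key type that is
# absent and leaves existing keys untouched).
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || warning_cnt=$((warning_cnt + $?))

# Handle ssh_config.  The port stanza is only appended while the installed
# file is still identical to the shipped default, so a locally edited
# client config is never modified.
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    echo "Host localhost" >> "${SYSCONFDIR}/ssh_config"
    echo "    Port ${port_number}" >> "${SYSCONFDIR}/ssh_config"
  fi
fi

# Handle sshd_config (and privsep).  sshd_config_configured tells the
# sshd_* helpers whether the file already differs from the shipped default.
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
  sshd_config_configured=yes
fi
sshd_strictmodes || warning_cnt=$((warning_cnt + $?))
sshd_privsep || warning_cnt=$((warning_cnt + $?))
sshd_config_tweak || warning_cnt=$((warning_cnt + $?))
update_services_file || warning_cnt=$((warning_cnt + $?))
update_inetd_conf || warning_cnt=$((warning_cnt + $?))
install_service || warning_cnt=$((warning_cnt + $?))

echo
if [ "${warning_cnt}" -eq 0 ]
then
  csih_inform "Host configuration finished. Have fun!"
else
  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
  csih_warning "Make sure that all problems reported are fixed,"
  csih_warning "then re-run ssh-host-config."
fi
exit "${warning_cnt}"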