1bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#!/bin/bash
2bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#
3d059297112922cabb0c674840589be8db821fd9aAdam Langley# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
4bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#
5bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# This file is part of the Cygwin port of OpenSSH.
6bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#
7bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Permission to use, copy, modify, and distribute this software for any
8bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# purpose with or without fee is hereby granted, provided that the above
9bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# copyright notice and this permission notice appear in all copies.
10bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#
11bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  
12bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               
13bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   
14bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   
15bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    
16bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    
17bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               
18bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
19bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
20bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Initialization
21bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
22bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
23bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanCSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
24bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
25bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# List of apps used.  This is checkad for existance in csih_sanity_check
26bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Don't use *any* transient commands before sourcing the csih helper script,
27bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# otherwise the sanity checks are short-circuited.
28bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmandeclare -a csih_required_commands=(
29bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/basename coreutils
30bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/cat coreutils
31bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/chmod coreutils
32bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/dirname coreutils
33bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/id coreutils
34bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/mv coreutils
35bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/rm coreutils
36bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/cygpath cygwin
37d059297112922cabb0c674840589be8db821fd9aAdam Langley  /usr/bin/mkpasswd cygwin
38bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/mount cygwin
39bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/ps cygwin
40bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/umount cygwin
41bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/cmp diffutils
42bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/grep grep
43bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/awk gawk
44bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/ssh-keygen openssh
45bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/sbin/sshd openssh
46bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/sed sed
47bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman)
48bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancsih_sanity_check_server=yes
49bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmansource ${CSIH_SCRIPT}
50bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
51bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanPROGNAME=$(/usr/bin/basename $0)
52bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman_tdir=$(/usr/bin/dirname $0)
53bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanPROGDIR=$(cd $_tdir && pwd)
54bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
55bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Subdirectory where the new package is being installed
56bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanPREFIX=/usr
57bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
58bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Directory where the config files are stored
59bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanSYSCONFDIR=/etc
60bd77cf78387b72b7b3ea870459077672bf75c3b5Greg HartmanLOCALSTATEDIR=/var
61bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
62d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_config_configured=no
63bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanport_number=22
64d059297112922cabb0c674840589be8db821fd9aAdam Langleyservice_name=sshd
65d059297112922cabb0c674840589be8db821fd9aAdam Langleystrictmodes=yes
66bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanprivsep_used=yes
67bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancygwin_value=""
68bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanuser_account=
69bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanpassword_value=
70bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanopt_force=no
71bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
72bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
73bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: update_services_file
74bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
75bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanupdate_services_file() {
76bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _my_etcdir="/ssh-host-config.$$"
77bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _win_etcdir
78bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _services
79bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _spaces
80bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _serv_tmp
81bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _wservices
82bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local ret=0
83bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
84bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
85bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  _services="${_my_etcdir}/services"
86bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  _spaces="                           #"
87bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  _serv_tmp="${_my_etcdir}/srv.out.$$"
88bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
89bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
90bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
91bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  # Depends on the above mount
92bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  _wservices=`cygpath -w "${_services}"`
93bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
94bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  # Add ssh 22/tcp  and ssh 22/udp to services
95d059297112922cabb0c674840589be8db821fd9aAdam Langley  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
96bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
97bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
98bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
99bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if /usr/bin/mv "${_serv_tmp}" "${_services}"
100bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
101bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "Added ssh to ${_wservices}"
102bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
103bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_warning "Adding ssh to ${_wservices} failed!"
104bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
105bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
106bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      /usr/bin/rm -f "${_serv_tmp}"
107bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    else
108bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      csih_warning "Adding ssh to ${_wservices} failed!"
109bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      let ++ret
110bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
111bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
112bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/umount "${_my_etcdir}"
113bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  return $ret
114bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} # --- End of update_services_file --- #
115bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
116bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
117d059297112922cabb0c674840589be8db821fd9aAdam Langley# Routine: sshd_strictmodes
118d059297112922cabb0c674840589be8db821fd9aAdam Langley#  MODIFIES: strictmodes
119d059297112922cabb0c674840589be8db821fd9aAdam Langley# ======================================================================
120d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_strictmodes() {
121d059297112922cabb0c674840589be8db821fd9aAdam Langley  if [ "${sshd_config_configured}" != "yes" ]
122d059297112922cabb0c674840589be8db821fd9aAdam Langley  then
123d059297112922cabb0c674840589be8db821fd9aAdam Langley    echo
124d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "StrictModes is set to 'yes' by default."
125d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "This is the recommended setting, but it requires that the POSIX"
126d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "permissions of the user's home directory, the user's .ssh"
127d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "directory, and the user's ssh key files are tight so that"
128d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "only the user has write permissions."
129d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "On the other hand, StrictModes don't work well with default"
130d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "Windows permissions of a home directory mounted with the"
131d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "'noacl' option, and they don't work at all if the home"
132d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "directory is on a FAT or FAT32 partition."
133d059297112922cabb0c674840589be8db821fd9aAdam Langley    if ! csih_request "Should StrictModes be used?"
134d059297112922cabb0c674840589be8db821fd9aAdam Langley    then
135d059297112922cabb0c674840589be8db821fd9aAdam Langley      strictmodes=no
136d059297112922cabb0c674840589be8db821fd9aAdam Langley    fi
137d059297112922cabb0c674840589be8db821fd9aAdam Langley  fi
138d059297112922cabb0c674840589be8db821fd9aAdam Langley  return 0
139d059297112922cabb0c674840589be8db821fd9aAdam Langley}
140d059297112922cabb0c674840589be8db821fd9aAdam Langley
141d059297112922cabb0c674840589be8db821fd9aAdam Langley# ======================================================================
142bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: sshd_privsep
143d059297112922cabb0c674840589be8db821fd9aAdam Langley#  MODIFIES: privsep_used
144bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
145bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmansshd_privsep() {
146bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local ret=0
147bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
148d059297112922cabb0c674840589be8db821fd9aAdam Langley  if [ "${sshd_config_configured}" != "yes" ]
149bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
150d059297112922cabb0c674840589be8db821fd9aAdam Langley    echo
151d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "Privilege separation is set to 'sandbox' by default since"
152d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
153d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "to 'yes' or 'no'."
154d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "However, using privilege separation requires a non-privileged account"
155d059297112922cabb0c674840589be8db821fd9aAdam Langley    csih_inform "called 'sshd'."
156bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
157bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if csih_request "Should privilege separation be used?"
158bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
159bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      privsep_used=yes
160bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if ! csih_create_unprivileged_user sshd
161bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
162bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_error_recoverable "Couldn't create user 'sshd'!"
163bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_error_recoverable "Privilege separation set to 'no' again!"
164bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
165bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
166bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	privsep_used=no
167bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
168bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    else
169bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      privsep_used=no
170bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
171bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
172d059297112922cabb0c674840589be8db821fd9aAdam Langley  return $ret
173d059297112922cabb0c674840589be8db821fd9aAdam Langley} # --- End of sshd_privsep --- #
174d059297112922cabb0c674840589be8db821fd9aAdam Langley
175d059297112922cabb0c674840589be8db821fd9aAdam Langley# ======================================================================
176d059297112922cabb0c674840589be8db821fd9aAdam Langley# Routine: sshd_config_tweak
177d059297112922cabb0c674840589be8db821fd9aAdam Langley# ======================================================================
178d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_config_tweak() {
179d059297112922cabb0c674840589be8db821fd9aAdam Langley  local ret=0
180bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
181d059297112922cabb0c674840589be8db821fd9aAdam Langley  # Modify sshd_config
182d059297112922cabb0c674840589be8db821fd9aAdam Langley  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
183d059297112922cabb0c674840589be8db821fd9aAdam Langley  if [ "${port_number}" -ne 22 ]
184bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
185d059297112922cabb0c674840589be8db821fd9aAdam Langley    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
186d059297112922cabb0c674840589be8db821fd9aAdam Langley      ${SYSCONFDIR}/sshd_config
187d059297112922cabb0c674840589be8db821fd9aAdam Langley    if [ $? -ne 0 ]
188bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
189d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Setting listening port to ${port_number} failed!"
190d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
191d059297112922cabb0c674840589be8db821fd9aAdam Langley      let ++ret
192d059297112922cabb0c674840589be8db821fd9aAdam Langley    fi
193d059297112922cabb0c674840589be8db821fd9aAdam Langley  fi
194d059297112922cabb0c674840589be8db821fd9aAdam Langley  if [ "${strictmodes}" = "no" ]
195d059297112922cabb0c674840589be8db821fd9aAdam Langley  then
196d059297112922cabb0c674840589be8db821fd9aAdam Langley    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
197d059297112922cabb0c674840589be8db821fd9aAdam Langley      ${SYSCONFDIR}/sshd_config
198d059297112922cabb0c674840589be8db821fd9aAdam Langley    if [ $? -ne 0 ]
199d059297112922cabb0c674840589be8db821fd9aAdam Langley    then
200d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Setting StrictModes to 'no' failed!"
201d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
202d059297112922cabb0c674840589be8db821fd9aAdam Langley      let ++ret
203bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
204d059297112922cabb0c674840589be8db821fd9aAdam Langley  fi
205d059297112922cabb0c674840589be8db821fd9aAdam Langley  if [ "${sshd_config_configured}" != "yes" ]
206bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
207d059297112922cabb0c674840589be8db821fd9aAdam Langley    /usr/bin/sed -i -e "
208d059297112922cabb0c674840589be8db821fd9aAdam Langley      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
209d059297112922cabb0c674840589be8db821fd9aAdam Langley      ${SYSCONFDIR}/sshd_config
210d059297112922cabb0c674840589be8db821fd9aAdam Langley    if [ $? -ne 0 ]
211bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
212d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Setting privilege separation failed!"
213d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
214d059297112922cabb0c674840589be8db821fd9aAdam Langley      let ++ret
215bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
216bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
217bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  return $ret
218d059297112922cabb0c674840589be8db821fd9aAdam Langley} # --- End of sshd_config_tweak --- #
219bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
220bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
221bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: update_inetd_conf
222bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
223bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanupdate_inetd_conf() {
224bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _inetcnf="${SYSCONFDIR}/inetd.conf"
225bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
226bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
227bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
228bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
229bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local _with_comment=1
230bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local ret=0
231bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
232bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if [ -d "${_inetcnf_dir}" ]
233bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
234bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    # we have inetutils-1.5 inetd.d support
235bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if [ -f "${_inetcnf}" ]
236bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
237d059297112922cabb0c674840589be8db821fd9aAdam Langley      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
238bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
239bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # check for sshd OR ssh in top-level inetd.conf file, and remove
240bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # will be replaced by a file in inetd.d/
241d059297112922cabb0c674840589be8db821fd9aAdam Langley      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
242bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
243bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
244bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	if [ -f "${_inetcnf_tmp}" ]
245bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	then
246bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
247bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  then
248bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
249bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  else
250bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
251bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	    let ++ret
252bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  fi
253bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  /usr/bin/rm -f "${_inetcnf_tmp}"
254bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	else
255bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
256bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  let ++ret
257bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	fi
258bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
259bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
260bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
261bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
262bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
263bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
264bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ "${_with_comment}" -eq 0 ]
265bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
266d059297112922cabb0c674840589be8db821fd9aAdam Langley	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
267bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
268d059297112922cabb0c674840589be8db821fd9aAdam Langley	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
269bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
270bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
271bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
272bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "Updated ${_sshd_inetd_conf}"
273bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
274bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_warning "Updating ${_sshd_inetd_conf} failed!"
275bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
276bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
277bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
278bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
279bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  elif [ -f "${_inetcnf}" ]
280bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
281d059297112922cabb0c674840589be8db821fd9aAdam Langley    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
282bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
283bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    # check for sshd in top-level inetd.conf file, and remove
284bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    # will be replaced by a file in inetd.d/
285d059297112922cabb0c674840589be8db821fd9aAdam Langley    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
286bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
287d059297112922cabb0c674840589be8db821fd9aAdam Langley      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
288bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ -f "${_inetcnf_tmp}" ]
289bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
290bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
291bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	then
292bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	    csih_inform "Removed sshd from ${_inetcnf}"
293bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	else
294bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	    csih_warning "Removing sshd from ${_inetcnf} failed!"
295bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	    let ++ret
296bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	fi
297bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	/usr/bin/rm -f "${_inetcnf_tmp}"
298bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
299bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_warning "Removing sshd from ${_inetcnf} failed!"
300bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
301bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
302bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
303bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
304bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    # Add ssh line to inetd.conf
305bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
306bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
307bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ "${_with_comment}" -eq 0 ]
308bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
309bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
310bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
311bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
312bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
313bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ $? -eq 0 ]
314bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
315bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "Added ssh to ${_inetcnf}"
316bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
317bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_warning "Adding ssh to ${_inetcnf} failed!"
318bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
319bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
320bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
321bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
322bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  return $ret
323bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} # --- End of update_inetd_conf --- #
324bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
325bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
326bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: check_service_files_ownership
327bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#   Checks that the files in /etc and /var belong to the right owner
328bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
329bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancheck_service_files_ownership() {
330bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local run_service_as=$1
331bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local ret=0
332bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
333bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if [ -z "${run_service_as}" ]
334bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
335d059297112922cabb0c674840589be8db821fd9aAdam Langley    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
336d059297112922cabb0c674840589be8db821fd9aAdam Langley    		 /usr/bin/sed -ne 's/^Account *: *//gp')
337bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if [ "${accnt_name}" = "LocalSystem" ]
338bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
339bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
340d059297112922cabb0c674840589be8db821fd9aAdam Langley      run_service_as="SYSTEM"
341d059297112922cabb0c674840589be8db821fd9aAdam Langley    else
342d059297112922cabb0c674840589be8db821fd9aAdam Langley      dom="${accnt_name%%\\*}"
343d059297112922cabb0c674840589be8db821fd9aAdam Langley      accnt_name="${accnt_name#*\\}"
344d059297112922cabb0c674840589be8db821fd9aAdam Langley      if [ "${dom}" = '.' ]
345d059297112922cabb0c674840589be8db821fd9aAdam Langley      then
346d059297112922cabb0c674840589be8db821fd9aAdam Langley	# Check local account
347d059297112922cabb0c674840589be8db821fd9aAdam Langley	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
348d059297112922cabb0c674840589be8db821fd9aAdam Langley			 /usr/bin/awk -F: '{print $1;}')
349d059297112922cabb0c674840589be8db821fd9aAdam Langley      else
350d059297112922cabb0c674840589be8db821fd9aAdam Langley      	# Check domain
351d059297112922cabb0c674840589be8db821fd9aAdam Langley	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
352d059297112922cabb0c674840589be8db821fd9aAdam Langley			 /usr/bin/awk -F: '{print $1;}')
353d059297112922cabb0c674840589be8db821fd9aAdam Langley      fi
354bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
355bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if [ -z "${run_service_as}" ]
356bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
357d059297112922cabb0c674840589be8db821fd9aAdam Langley      csih_warning "Couldn't determine name of user running sshd service from account database!"
358bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      csih_warning "As a result, this script cannot make sure that the files used"
359bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      csih_warning "by the sshd service belong to the user running the service."
360bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      return 1
361bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
362bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
363bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
364bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  do
365bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if [ -f "$i" ]
366bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
367bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
368bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
369bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_warning "Couldn't change owner of $i!"
370bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
371bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
372bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
373bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  done
374bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
375bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
376bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
377bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    let ++ret
378bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
379bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
380bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
381bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
382bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    let ++ret
383bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
384bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
385bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
386bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
387bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
388bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
389bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      let ++ret
390bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi
391bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
392bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if [ $ret -ne 0 ]
393bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
394bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
395bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "This may cause the sshd service to fail!  Please make sure that"
396bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "you have suufficient permissions to change the ownership of files"
397bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "and try to run the ssh-host-config script again."
398bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
399bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  return $ret
400bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} # --- End of check_service_files_ownership --- #
401bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
402bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
403bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Routine: install_service
404bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#   Install sshd as a service
405bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
406bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmaninstall_service() {
407bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local run_service_as
408bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local password
409bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  local ret=0
410bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
411bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
412d059297112922cabb0c674840589be8db821fd9aAdam Langley  if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
413bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
414bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_inform "Sshd service is already installed."
415bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    check_service_files_ownership "" || let ret+=$?
416bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  else
417bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
418bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    if csih_request "(Say \"no\" if it is already installed as a service)"
419bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    then
420bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      csih_get_cygenv "${cygwin_value}"
421bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
422bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
423bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
424bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
425bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
426bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "sshd requires.  You need to have or to create a privileged"
427bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_inform "account.  This script will help you do so."
428bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	echo
429bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
430bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	[ "${opt_force}" = "yes" ] && opt_f=-f
431bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
432bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_select_privileged_username ${opt_f} ${opt_u} sshd
433bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
434bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	if ! csih_create_privileged_user "${password_value}"
435bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	then
436bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_error_recoverable "There was a serious problem creating a privileged user."
437bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_request "Do you want to proceed anyway?" || exit 1
438bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  let ++ret
439bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	fi
440bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
441bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
442bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # Never returns empty if NT or above
443bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      run_service_as=$(csih_service_should_run_as)
444bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
445bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
446bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
447bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	password="${csih_PRIVILEGED_PASSWORD}"
448bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	if [ -z "${password}" ]
449bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	then
450bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
451bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  password="${csih_value}"
452bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	fi
453bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
454bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
455bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # At this point, we either have $run_service_as = "system" and
456bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # $password is empty, or $run_service_as is some privileged user and
457bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # (hopefully) $password contains the correct password.  So, from here
458bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      # out, we use '-z "${password}"' to discriminate the two cases.
459bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
460bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      csih_check_user "${run_service_as}"
461bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
462bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ -n "${csih_cygenv}" ]
463bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
464bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
465bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
466bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      if [ -z "${password}" ]
467bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
468d059297112922cabb0c674840589be8db821fd9aAdam Langley	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
469bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman			      -a "-D" -y tcpip "${cygwin_env[@]}"
470bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	then
471bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  echo
472bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_inform "The sshd service has been installed under the LocalSystem"
473bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_inform "account (also known as SYSTEM). To start the service now, call"
474bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
475bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_inform "will start automatically after the next reboot."
476bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	fi
477bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
478d059297112922cabb0c674840589be8db821fd9aAdam Langley	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
479bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman			      -a "-D" -y tcpip "${cygwin_env[@]}" \
480bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman			      -u "${run_service_as}" -w "${password}"
481bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	then
482d059297112922cabb0c674840589be8db821fd9aAdam Langley	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
483bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  echo
484bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
485d059297112922cabb0c674840589be8db821fd9aAdam Langley	  csih_inform "account.  To start the service now, call \`net start ${service_name}' or"
486d059297112922cabb0c674840589be8db821fd9aAdam Langley	  csih_inform "\`cygrunsrv -S ${service_name}'.  Otherwise, it will start automatically"
487bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	  csih_inform "after the next reboot."
488bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	fi
489bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
490bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
491d059297112922cabb0c674840589be8db821fd9aAdam Langley      if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
492bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      then
493bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	check_service_files_ownership "${run_service_as}" || let ret+=$?
494bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      else
495bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	csih_error_recoverable "Installing sshd as a service failed!"
496bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman	let ++ret
497bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman      fi
498bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    fi # user allowed us to install as service
499bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi # service not yet installed
500bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  return $ret
501bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} # --- End of install_service --- #
502bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
503bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
504bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Main Entry Point
505bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
506bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
507bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Check how the script has been started.  If
508bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#   (1) it has been started by giving the full path and
509bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#       that path is /etc/postinstall, OR
510bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#   (2) Otherwise, if the environment variable
511bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
512bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# then set auto_answer to "no".  This allows automatic
513bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# creation of the config files in /etc w/o overwriting
514bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# them if they already exist.  In both cases, color
515bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# escape sequences are suppressed, so as to prevent
516bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# cluttering setup's logfiles.
517bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif [ "$PROGDIR" = "/etc/postinstall" ]
518bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
519bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_auto_answer="no"
520bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_disable_color
521bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  opt_force=yes
522bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
523bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
524bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
525bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_auto_answer="no"
526bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_disable_color
527bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  opt_force=yes
528bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
529bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
530bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
531bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Parse options
532bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
533bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanwhile :
534bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmando
535bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  case $# in
536bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  0)
537bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    break
538bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
539bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  esac
540bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
541bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  option=$1
542bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  shift
543bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
544bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  case "${option}" in
545bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -d | --debug )
546bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    set -x
547bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_trace_on
548bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
549bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
550bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -y | --yes )
551bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_auto_answer=yes
552bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    opt_force=yes
553bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
554bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
555bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -n | --no )
556bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_auto_answer=no
557bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    opt_force=yes
558bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
559bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
560bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -c | --cygwin )
561bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    cygwin_value="$1"
562bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    shift
563bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
564bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
565d059297112922cabb0c674840589be8db821fd9aAdam Langley  -N | --name )
566d059297112922cabb0c674840589be8db821fd9aAdam Langley    service_name=$1
567d059297112922cabb0c674840589be8db821fd9aAdam Langley    shift
568d059297112922cabb0c674840589be8db821fd9aAdam Langley    ;;
569d059297112922cabb0c674840589be8db821fd9aAdam Langley
570bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -p | --port )
571bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    port_number=$1
572bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    shift
573bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
574bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
575bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -u | --user )
576bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    user_account="$1"
577bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    shift
578bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
579bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    
580bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  -w | --pwd )
581bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    password_value="$1"
582bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    shift
583bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
584bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
585bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  --privileged )
586bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_FORCE_PRIVILEGED_USER=yes
587bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
588bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
589bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  *)
590bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "usage: ${progname} [OPTION]..."
591bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo
592bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "This script creates an OpenSSH host configuration."
593bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo
594bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "Options:"
595bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "  --debug  -d            Enable shell's debug output."
596bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
597bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "  --no     -n            Answer all questions with \"no\" automatically."
598bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
599d059297112922cabb0c674840589be8db821fd9aAdam Langley    echo "  --name   -N <name>     sshd windows service name."
600bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "  --port   -p <n>        sshd listens on port n."
601d059297112922cabb0c674840589be8db821fd9aAdam Langley    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
602bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
603d059297112922cabb0c674840589be8db821fd9aAdam Langley    echo "  --privileged           On Windows XP, require privileged user"
604bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "                         instead of LocalSystem for sshd service."
605bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo
606bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    exit 1
607bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    ;;
608bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
609bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  esac
610bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmandone
611bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
612bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
613bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Action!
614bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# ======================================================================
615bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
616bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Check for running ssh/sshd processes first. Refuse to do anything while
617bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# some ssh processes are still running
618bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
619bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
620bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
621bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_error "There are still ssh processes running. Please shut them down first."
622bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
623bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
624bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Make sure the user is running in an administrative context
625bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanadmin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
626bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif [ "${admin}" != "yes" ]
627bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
628bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
629bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "Running this script typically requires administrator privileges!"
630bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "However, it seems your account does not have these privileges."
631bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "Here's the list of groups in your user token:"
632bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
633d059297112922cabb0c674840589be8db821fd9aAdam Langley  /usr/bin/id -Gnz | xargs -0n1 echo "   "
634bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
635bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "This usually means you're running this script from a non-admin"
636bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "desktop session, or in a non-elevated shell under UAC control."
637bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
638bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "Make sure you have the appropriate privileges right now,"
639bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "otherwise parts of this script will probably fail!"
640bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
641bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
642bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if ! csih_request "you have the required privileges)"
643bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
644bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo
645bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
646bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_inform "or to start this script from an elevated shell."
647bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    exit 1
648bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
649bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
650bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
651bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanecho
652bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
653bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanwarning_cnt=0
654bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
655bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Create /var/log/lastlog if not already exists
656bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
657bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
658bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  echo
659bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
660bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman		   "Cannot create ssh host configuration."
661bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
662bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
663bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
664bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
665bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
666bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
667bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
668bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    let ++warning_cnt
669bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
670bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
671bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
672bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# Create /var/empty file used as chroot jail for privilege separation
673bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancsih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
674bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
675bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
676bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
677bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  let ++warning_cnt
678bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
679bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
680d059297112922cabb0c674840589be8db821fd9aAdam Langley# generate missing host keys
681d059297112922cabb0c674840589be8db821fd9aAdam Langleycsih_inform "Generating missing SSH host keys"
682d059297112922cabb0c674840589be8db821fd9aAdam Langley/usr/bin/ssh-keygen -A || let warning_cnt+=$?
683bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
684bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# handle ssh_config
685bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancsih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
686bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
687bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
688bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  if [ "${port_number}" != "22" ]
689bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  then
690bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
691bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
692bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
693bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  fi
694bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
695bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
696bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman# handle sshd_config (and privsep)
697bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmancsih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
698bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
699bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
700d059297112922cabb0c674840589be8db821fd9aAdam Langley  sshd_config_configured=yes
701bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
702d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_strictmodes || let warning_cnt+=$?
703bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmansshd_privsep || let warning_cnt+=$?
704d059297112922cabb0c674840589be8db821fd9aAdam Langleysshd_config_tweak || let warning_cnt+=$?
705bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanupdate_services_file || let warning_cnt+=$?
706bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanupdate_inetd_conf || let warning_cnt+=$?
707bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmaninstall_service || let warning_cnt+=$?
708bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman
709bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanecho
710bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanif [ $warning_cnt -eq 0 ]
711bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanthen
712bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_inform "Host configuration finished. Have fun!"
713bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanelse
714bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
715bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "Make sure that all problems reported are fixed,"
716bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman  csih_warning "then re-run ssh-host-config."
717bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanfi
718bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanexit $warning_cnt
719