3 # ssh-host-config, Copyright 2000-2009 Red Hat Inc.
5 # This file is part of the Cygwin port of OpenSSH.
7 # Permission to use, copy, modify, and distribute this software for any
8 # purpose with or without fee is hereby granted, provided that the above
9 # copyright notice and this permission notice appear in all copies.
11 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
13 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
14 # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16 # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
17 # THE USE OR OTHER DEALINGS IN THE SOFTWARE.
19 # ======================================================================
21 # ======================================================================
22 PROGNAME=$(basename $0)
24 PROGDIR=$(cd $_tdir && pwd)
26 CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
28 # Subdirectory where the new package is being installed
31 # Directory where the config files are stored
45 # ======================================================================
46 # Routine: create_host_keys
47 # ======================================================================
49 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
51 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
52 ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
55 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
57 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
58 ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
61 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
63 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
64 ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
66 } # --- End of create_host_keys --- #
68 # ======================================================================
69 # Routine: update_services_file
70 # ======================================================================
71 update_services_file() {
72 local _my_etcdir="/ssh-host-config.$$"
81 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
82 _services="${_my_etcdir}/services"
83 # On NT, 27 spaces, no space after the hash
86 _win_etcdir="${WINDIR}"
87 _services="${_my_etcdir}/SERVICES"
88 # On 9x, 18 spaces (95 is very touchy), a space after the hash
91 _serv_tmp="${_my_etcdir}/srv.out.$$"
93 mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
95 # Depends on the above mount
96 _wservices=`cygpath -w "${_services}"`
98 # Remove sshd 22/port from services
99 if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
101 grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
102 if [ -f "${_serv_tmp}" ]
104 if mv "${_serv_tmp}" "${_services}"
106 csih_inform "Removing sshd from ${_wservices}"
108 csih_warning "Removing sshd from ${_wservices} failed!"
112 csih_warning "Removing sshd from ${_wservices} failed!"
116 # Add ssh 22/tcp and ssh 22/udp to services
117 if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
119 if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
121 if mv "${_serv_tmp}" "${_services}"
123 csih_inform "Added ssh to ${_wservices}"
125 csih_warning "Adding ssh to ${_wservices} failed!"
129 csih_warning "Adding ssh to ${_wservices} failed!"
132 umount "${_my_etcdir}"
133 } # --- End of update_services_file --- #
135 # ======================================================================
136 # Routine: sshd_privsep
137 # MODIFIES: privsep_configured privsep_used
138 # ======================================================================
142 if [ "${privsep_configured}" != "yes" ]
146 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
147 csih_inform "However, this requires a non-privileged account called 'sshd'."
148 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
149 if csih_request "Should privilege separation be used?"
152 if ! csih_create_unprivileged_user sshd
154 csih_warning "Couldn't create user 'sshd'!"
155 csih_warning "Privilege separation set to 'no' again!"
156 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
163 # On 9x don't use privilege separation. Since security isn't
164 # available it just adds useless additional processes.
169 # Create default sshd_config from skeleton files in /etc/defaults/etc or
170 # modify to add the missing privsep configuration option
171 if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
173 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
174 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
175 sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
176 s/^#Port 22/Port ${port_number}/
177 s/^#StrictModes yes/StrictModes no/" \
178 < ${SYSCONFDIR}/sshd_config \
179 > "${sshdconfig_tmp}"
180 mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
181 elif [ "${privsep_configured}" != "yes" ]
183 echo >> ${SYSCONFDIR}/sshd_config
184 echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
186 } # --- End of sshd_privsep --- #
188 # ======================================================================
189 # Routine: update_inetd_conf
190 # ======================================================================
191 update_inetd_conf() {
192 local _inetcnf="${SYSCONFDIR}/inetd.conf"
193 local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
194 local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
195 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
196 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
197 local _with_comment=1
199 if [ -d "${_inetcnf_dir}" ]
201 # we have inetutils-1.5 inetd.d support
202 if [ -f "${_inetcnf}" ]
204 grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
206 # check for sshd OR ssh in top-level inetd.conf file, and remove
207 # will be replaced by a file in inetd.d/
208 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
210 grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
211 if [ -f "${_inetcnf_tmp}" ]
213 if mv "${_inetcnf_tmp}" "${_inetcnf}"
215 csih_inform "Removed ssh[d] from ${_inetcnf}"
217 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
219 rm -f "${_inetcnf_tmp}"
221 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
226 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
227 if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
229 if [ "${_with_comment}" -eq 0 ]
231 sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
233 sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
235 mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
236 csih_inform "Updated ${_sshd_inetd_conf}"
239 elif [ -f "${_inetcnf}" ]
241 grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
243 # check for sshd in top-level inetd.conf file, and remove
244 # will be replaced by a file in inetd.d/
245 if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
247 grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
248 if [ -f "${_inetcnf_tmp}" ]
250 if mv "${_inetcnf_tmp}" "${_inetcnf}"
252 csih_inform "Removed sshd from ${_inetcnf}"
254 csih_warning "Removing sshd from ${_inetcnf} failed!"
256 rm -f "${_inetcnf_tmp}"
258 csih_warning "Removing sshd from ${_inetcnf} failed!"
262 # Add ssh line to inetd.conf
263 if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
265 if [ "${_with_comment}" -eq 0 ]
267 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
269 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
271 csih_inform "Added ssh to ${_inetcnf}"
274 } # --- End of update_inetd_conf --- #
276 # ======================================================================
277 # Routine: install_service
278 # Install sshd as a service
279 # ======================================================================
286 if ! cygrunsrv -Q sshd >/dev/null 2>&1
290 csih_warning "The following functions require administrator privileges!"
292 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
293 if csih_request "(Say \"no\" if it is already installed as a service)"
295 csih_get_cygenv "${cygwin_value}"
297 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
299 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
300 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
301 csih_inform "sshd requires. You need to have or to create a privileged"
302 csih_inform "account. This script will help you do so."
305 [ "${opt_force}" = "yes" ] && opt_f=-f
306 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
307 csih_select_privileged_username ${opt_f} ${opt_u} sshd
309 if ! csih_create_privileged_user "${password_value}"
311 csih_error_recoverable "There was a serious problem creating a privileged user."
312 csih_request "Do you want to proceed anyway?" || exit 1
316 # never returns empty if NT or above
317 run_service_as=$(csih_service_should_run_as)
319 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
321 password="${csih_PRIVILEGED_PASSWORD}"
322 if [ -z "${password}" ]
324 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
325 password="${csih_value}"
329 # at this point, we either have $run_service_as = "system" and $password is empty,
330 # or $run_service_as is some privileged user and (hopefully) $password contains
331 # the correct password. So, from here out, we use '-z "${password}"' to discriminate
334 csih_check_user "${run_service_as}"
336 if [ -n "${csih_cygenv}" ]
338 cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
340 if [ -z "${password}" ]
342 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
343 -a "-D" -y tcpip "${cygwin_env[@]}"
346 csih_inform "The sshd service has been installed under the LocalSystem"
347 csih_inform "account (also known as SYSTEM). To start the service now, call"
348 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
349 csih_inform "will start automatically after the next reboot."
352 if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
353 -a "-D" -y tcpip "${cygwin_env[@]}" \
354 -u "${run_service_as}" -w "${password}"
357 csih_inform "The sshd service has been installed under the '${run_service_as}'"
358 csih_inform "account. To start the service now, call \`net start sshd' or"
359 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
360 csih_inform "after the next reboot."
364 # now, if successfully installed, set ownership of the affected files
365 if cygrunsrv -Q sshd >/dev/null 2>&1
367 chown "${run_service_as}" ${SYSCONFDIR}/ssh*
368 chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
369 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
370 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
372 chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
375 csih_warning "Something went wrong installing the sshd service."
377 fi # user allowed us to install as service
378 fi # service not yet installed
380 } # --- End of install_service --- #
382 # ======================================================================
384 # ======================================================================
386 # Check how the script has been started. If
387 # (1) it has been started by giving the full path and
388 # that path is /etc/postinstall, OR
389 # (2) Otherwise, if the environment variable
390 # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
391 # then set auto_answer to "no". This allows automatic
392 # creation of the config files in /etc w/o overwriting
393 # them if they already exist. In both cases, color
394 # escape sequences are suppressed, so as to prevent
395 # cluttering setup's logfiles.
396 if [ "$PROGDIR" = "/etc/postinstall" ]
398 csih_auto_answer="no"
402 if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
404 csih_auto_answer="no"
409 # ======================================================================
411 # ======================================================================
460 csih_FORCE_PRIVILEGED_USER=yes
464 echo "usage: ${progname} [OPTION]..."
466 echo "This script creates an OpenSSH host configuration."
469 echo " --debug -d Enable shell's debug output."
470 echo " --yes -y Answer all questions with \"yes\" automatically."
471 echo " --no -n Answer all questions with \"no\" automatically."
472 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
473 echo " --port -p <n> sshd listens on port n."
474 echo " --user -u <account> privileged user for service."
475 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
476 echo " --privileged On Windows NT/2k/XP, require privileged user"
477 echo " instead of LocalSystem for sshd service."
485 # ======================================================================
487 # ======================================================================
489 # Check for running ssh/sshd processes first. Refuse to do anything while
490 # some ssh processes are still running
491 if ps -ef | grep -q '/sshd\?$'
494 csih_error "There are still ssh processes running. Please shut them down first."
497 # Check for ${SYSCONFDIR} directory
498 csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
499 chmod 775 "${SYSCONFDIR}"
500 setfacl -m u:system:rwx "${SYSCONFDIR}"
502 # Check for /var/log directory
503 csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
504 chmod 775 "${LOCALSTATEDIR}/log"
505 setfacl -m u:system:rwx "${LOCALSTATEDIR}/log"
507 # Create /var/log/lastlog if not already exists
508 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
511 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
512 "Cannot create ssh host configuration."
514 if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
516 cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
517 chmod 644 ${LOCALSTATEDIR}/log/lastlog
520 # Create /var/empty file used as chroot jail for privilege separation
521 csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
522 chmod 755 "${LOCALSTATEDIR}/empty"
523 setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
528 # use 'cmp' program to determine if a config file is identical
529 # to the default version of that config file
530 csih_check_program_or_error cmp diffutils
534 csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
535 if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
537 if [ "${port_number}" != "22" ]
539 csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
540 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
541 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
545 # handle sshd_config (and privsep)
546 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
547 if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
549 grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
560 csih_inform "Host configuration finished. Have fun!"