#!/bin/bash # # ssh-host-config, Copyright 2000-2009 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR # THE USE OR OTHER DEALINGS IN THE SOFTWARE. # ====================================================================== # Initialization # ====================================================================== PROGNAME=$(basename $0) _tdir=$(dirname $0) PROGDIR=$(cd $_tdir && pwd) CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh # Subdirectory where the new package is being installed PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc LOCALSTATEDIR=/var source ${CSIH_SCRIPT} port_number=22 privsep_configured=no privsep_used=yes cygwin_value="" user_account= password_value= opt_force=no # ====================================================================== # Routine: create_host_keys # ====================================================================== create_host_keys() { if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null fi if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null fi if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] then csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null fi } # --- End of create_host_keys --- # # ====================================================================== # Routine: update_services_file # ====================================================================== update_services_file() { local _my_etcdir="/ssh-host-config.$$" local _win_etcdir local _services local _spaces local _serv_tmp local _wservices if csih_is_nt then _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" _services="${_my_etcdir}/services" # On NT, 27 spaces, no space after the hash _spaces=" #" else _win_etcdir="${WINDIR}" _services="${_my_etcdir}/SERVICES" # On 9x, 18 spaces (95 is very touchy), a space after the hash _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` # Remove sshd 22/port from services if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] then grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] then if mv "${_serv_tmp}" "${_services}" then csih_inform "Removing sshd from ${_wservices}" else csih_warning "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else csih_warning "Removing sshd from ${_wservices} failed!" fi fi # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then if mv "${_serv_tmp}" "${_services}" then csih_inform "Added ssh to ${_wservices}" else csih_warning "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else csih_warning "Adding ssh to ${_wservices} failed!" fi fi umount "${_my_etcdir}" } # --- End of update_services_file --- # # ====================================================================== # Routine: sshd_privsep # MODIFIES: privsep_configured privsep_used # ====================================================================== sshd_privsep() { local sshdconfig_tmp if [ "${privsep_configured}" != "yes" ] then if csih_is_nt then csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." csih_inform "However, this requires a non-privileged account called 'sshd'." csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." if csih_request "Should privilege separation be used?" then privsep_used=yes if ! csih_create_unprivileged_user sshd then csih_warning "Couldn't create user 'sshd'!" csih_warning "Privilege separation set to 'no' again!" csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" privsep_used=no fi else privsep_used=no fi else # On 9x don't use privilege separation. Since security isn't # available it just adds useless additional processes. privsep_used=no fi fi # Create default sshd_config from skeleton files in /etc/defaults/etc or # modify to add the missing privsep configuration option if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 then csih_inform "Updating ${SYSCONFDIR}/sshd_config file" sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ s/^#Port 22/Port ${port_number}/ s/^#StrictModes yes/StrictModes no/" \ < ${SYSCONFDIR}/sshd_config \ > "${sshdconfig_tmp}" mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config elif [ "${privsep_configured}" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config fi } # --- End of sshd_privsep --- # # ====================================================================== # Routine: update_inetd_conf # ====================================================================== update_inetd_conf() { local _inetcnf="${SYSCONFDIR}/inetd.conf" local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" local _inetcnf_dir="${SYSCONFDIR}/inetd.d" local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" local _with_comment=1 if [ -d "${_inetcnf_dir}" ] then # we have inetutils-1.5 inetd.d support if [ -f "${_inetcnf}" ] then grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 # check for sshd OR ssh in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] then grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then if mv "${_inetcnf_tmp}" "${_inetcnf}" then csih_inform "Removed ssh[d] from ${_inetcnf}" else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" fi fi fi csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 then if [ "${_with_comment}" -eq 0 ] then sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" else sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" fi mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" csih_inform "Updated ${_sshd_inetd_conf}" fi elif [ -f "${_inetcnf}" ] then grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 # check for sshd in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] then grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then if mv "${_inetcnf_tmp}" "${_inetcnf}" then csih_inform "Removed sshd from ${_inetcnf}" else csih_warning "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else csih_warning "Removing sshd from ${_inetcnf} failed!" fi fi # Add ssh line to inetd.conf if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] then if [ "${_with_comment}" -eq 0 ] then echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" else echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" fi csih_inform "Added ssh to ${_inetcnf}" fi fi } # --- End of update_inetd_conf --- # # ====================================================================== # Routine: install_service # Install sshd as a service # ====================================================================== install_service() { local run_service_as local password if csih_is_nt then if ! cygrunsrv -Q sshd >/dev/null 2>&1 then echo echo csih_warning "The following functions require administrator privileges!" echo echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" if csih_request "(Say \"no\" if it is already installed as a service)" then csih_get_cygenv "${cygwin_value}" if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) then csih_inform "On Windows Server 2003, Windows Vista, and above, the" csih_inform "SYSTEM account cannot setuid to other users -- a capability" csih_inform "sshd requires. You need to have or to create a privileged" csih_inform "account. This script will help you do so." echo [ "${opt_force}" = "yes" ] && opt_f=-f [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" csih_select_privileged_username ${opt_f} ${opt_u} sshd if ! csih_create_privileged_user "${password_value}" then csih_error_recoverable "There was a serious problem creating a privileged user." csih_request "Do you want to proceed anyway?" || exit 1 fi fi # never returns empty if NT or above run_service_as=$(csih_service_should_run_as) if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] then password="${csih_PRIVILEGED_PASSWORD}" if [ -z "${password}" ] then csih_get_value "Please enter the password for user '${run_service_as}':" "-s" password="${csih_value}" fi fi # at this point, we either have $run_service_as = "system" and $password is empty, # or $run_service_as is some privileged user and (hopefully) $password contains # the correct password. So, from here out, we use '-z "${password}"' to discriminate # the two cases. csih_check_user "${run_service_as}" if [ -n "${csih_cygenv}" ] then cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) fi if [ -z "${password}" ] then if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ -a "-D" -y tcpip "${cygwin_env[@]}" then echo csih_inform "The sshd service has been installed under the LocalSystem" csih_inform "account (also known as SYSTEM). To start the service now, call" csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" csih_inform "will start automatically after the next reboot." fi else if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ -a "-D" -y tcpip "${cygwin_env[@]}" \ -u "${run_service_as}" -w "${password}" then echo csih_inform "The sshd service has been installed under the '${run_service_as}'" csih_inform "account. To start the service now, call \`net start sshd' or" csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" csih_inform "after the next reboot." fi fi # now, if successfully installed, set ownership of the affected files if cygrunsrv -Q sshd >/dev/null 2>&1 then chown "${run_service_as}" ${SYSCONFDIR}/ssh* chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog if [ -f ${LOCALSTATEDIR}/log/sshd.log ] then chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log fi else csih_warning "Something went wrong installing the sshd service." fi fi # user allowed us to install as service fi # service not yet installed fi # csih_is_nt } # --- End of install_service --- # # ====================================================================== # Main Entry Point # ====================================================================== # Check how the script has been started. If # (1) it has been started by giving the full path and # that path is /etc/postinstall, OR # (2) Otherwise, if the environment variable # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set # then set auto_answer to "no". This allows automatic # creation of the config files in /etc w/o overwriting # them if they already exist. In both cases, color # escape sequences are suppressed, so as to prevent # cluttering setup's logfiles. if [ "$PROGDIR" = "/etc/postinstall" ] then csih_auto_answer="no" csih_disable_color opt_force=yes fi if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] then csih_auto_answer="no" csih_disable_color opt_force=yes fi # ====================================================================== # Parse options # ====================================================================== while : do case $# in 0) break ;; esac option=$1 shift case "${option}" in -d | --debug ) set -x csih_trace_on ;; -y | --yes ) csih_auto_answer=yes opt_force=yes ;; -n | --no ) csih_auto_answer=no opt_force=yes ;; -c | --cygwin ) cygwin_value="$1" shift ;; -p | --port ) port_number=$1 shift ;; -u | --user ) user_account="$1" shift ;; -w | --pwd ) password_value="$1" shift ;; --privileged ) csih_FORCE_PRIVILEGED_USER=yes ;; *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." echo " --port -p sshd listens on port n." echo " --user -u privileged user for service." echo " --pwd -w Use \"pwd\" as password for privileged user." echo " --privileged On Windows NT/2k/XP, require privileged user" echo " instead of LocalSystem for sshd service." echo exit 1 ;; esac done # ====================================================================== # Action! # ====================================================================== # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running if ps -ef | grep -q '/sshd\?$' then echo csih_error "There are still ssh processes running. Please shut them down first." fi # Check for ${SYSCONFDIR} directory csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." chmod 775 "${SYSCONFDIR}" setfacl -m u:system:rwx "${SYSCONFDIR}" # Check for /var/log directory csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." chmod 775 "${LOCALSTATEDIR}/log" setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] then echo csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ "Cannot create ssh host configuration." fi if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] then cat /dev/null > ${LOCALSTATEDIR}/log/lastlog chmod 644 ${LOCALSTATEDIR}/log/lastlog fi # Create /var/empty file used as chroot jail for privilege separation csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." chmod 755 "${LOCALSTATEDIR}/empty" setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" # host keys create_host_keys # use 'cmp' program to determine if a config file is identical # to the default version of that config file csih_check_program_or_error cmp diffutils # handle ssh_config csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 then if [ "${port_number}" != "22" ] then csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" echo "Host localhost" >> ${SYSCONFDIR}/ssh_config echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config fi fi # handle sshd_config (and privsep) csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 then grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes fi sshd_privsep update_services_file update_inetd_conf install_service echo csih_inform "Host configuration finished. Have fun!"