3 # ssh-host-config, Copyright 2000-2014 Red Hat Inc.
5 # This file is part of the Cygwin port of OpenSSH.
7 # Permission to use, copy, modify, and distribute this software for any
8 # purpose with or without fee is hereby granted, provided that the above
9 # copyright notice and this permission notice appear in all copies.
11 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
13 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
14 # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16 # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
17 # THE USE OR OTHER DEALINGS IN THE SOFTWARE.
19 # ======================================================================
21 # ======================================================================
23 CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
25 # List of apps used. This is checkad for existance in csih_sanity_check
26 # Don't use *any* transient commands before sourcing the csih helper script,
27 # otherwise the sanity checks are short-circuited.
28 declare -a csih_required_commands=(
29 /usr/bin/basename coreutils
30 /usr/bin/cat coreutils
31 /usr/bin/chmod coreutils
32 /usr/bin/dirname coreutils
36 /usr/bin/cygpath cygwin
37 /usr/bin/mkpasswd cygwin
40 /usr/bin/umount cygwin
41 /usr/bin/cmp diffutils
44 /usr/bin/ssh-keygen openssh
45 /usr/sbin/sshd openssh
48 csih_sanity_check_server=yes
51 PROGNAME=$(/usr/bin/basename $0)
52 _tdir=$(/usr/bin/dirname $0)
53 PROGDIR=$(cd $_tdir && pwd)
55 # Subdirectory where the new package is being installed
58 # Directory where the config files are stored
62 sshd_config_configured=no
71 # ======================================================================
72 # Routine: update_services_file
73 # ======================================================================
74 update_services_file() {
75 local _my_etcdir="/ssh-host-config.$$"
83 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
84 _services="${_my_etcdir}/services"
86 _serv_tmp="${_my_etcdir}/srv.out.$$"
88 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
90 # Depends on the above mount
91 _wservices=`cygpath -w "${_services}"`
93 # Add ssh 22/tcp and ssh 22/udp to services
94 if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
96 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
98 if /usr/bin/mv "${_serv_tmp}" "${_services}"
100 csih_inform "Added ssh to ${_wservices}"
102 csih_warning "Adding ssh to ${_wservices} failed!"
105 /usr/bin/rm -f "${_serv_tmp}"
107 csih_warning "Adding ssh to ${_wservices} failed!"
111 /usr/bin/umount "${_my_etcdir}"
113 } # --- End of update_services_file --- #
115 # ======================================================================
116 # Routine: sshd_strictmodes
117 # MODIFIES: strictmodes
118 # ======================================================================
120 if [ "${sshd_config_configured}" != "yes" ]
123 csih_inform "StrictModes is set to 'yes' by default."
124 csih_inform "This is the recommended setting, but it requires that the POSIX"
125 csih_inform "permissions of the user's home directory, the user's .ssh"
126 csih_inform "directory, and the user's ssh key files are tight so that"
127 csih_inform "only the user has write permissions."
128 csih_inform "On the other hand, StrictModes don't work well with default"
129 csih_inform "Windows permissions of a home directory mounted with the"
130 csih_inform "'noacl' option, and they don't work at all if the home"
131 csih_inform "directory is on a FAT or FAT32 partition."
132 if ! csih_request "Should StrictModes be used?"
140 # ======================================================================
141 # Routine: sshd_privsep
142 # Try to create ssshd user account
143 # ======================================================================
147 if [ "${sshd_config_configured}" != "yes" ]
149 if ! csih_create_unprivileged_user sshd
151 csih_error_recoverable "Could not create user 'sshd'!"
152 csih_error_recoverable "You will not be able to run an sshd service"
153 csih_error_recoverable "under a privileged account successfully."
154 csih_error_recoverable "Make sure to create a non-privileged user 'sshd'"
155 csih_error_recoverable "manually before trying to run the service!"
160 } # --- End of sshd_privsep --- #
162 # ======================================================================
163 # Routine: sshd_config_tweak
164 # ======================================================================
165 sshd_config_tweak() {
169 csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
170 if [ "${port_number}" -ne 22 ]
172 /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
173 ${SYSCONFDIR}/sshd_config
176 csih_warning "Setting listening port to ${port_number} failed!"
177 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
181 if [ "${strictmodes}" = "no" ]
183 /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
184 ${SYSCONFDIR}/sshd_config
187 csih_warning "Setting StrictModes to 'no' failed!"
188 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
193 } # --- End of sshd_config_tweak --- #
195 # ======================================================================
196 # Routine: update_inetd_conf
197 # ======================================================================
198 update_inetd_conf() {
199 local _inetcnf="${SYSCONFDIR}/inetd.conf"
200 local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
201 local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
202 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
203 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
204 local _with_comment=1
207 if [ -d "${_inetcnf_dir}" ]
209 # we have inetutils-1.5 inetd.d support
210 if [ -f "${_inetcnf}" ]
212 /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
214 # check for sshd OR ssh in top-level inetd.conf file, and remove
215 # will be replaced by a file in inetd.d/
216 if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
218 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
219 if [ -f "${_inetcnf_tmp}" ]
221 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
223 csih_inform "Removed ssh[d] from ${_inetcnf}"
225 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
228 /usr/bin/rm -f "${_inetcnf_tmp}"
230 csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
236 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
237 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
239 if [ "${_with_comment}" -eq 0 ]
241 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
243 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
245 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
247 csih_inform "Updated ${_sshd_inetd_conf}"
249 csih_warning "Updating ${_sshd_inetd_conf} failed!"
254 elif [ -f "${_inetcnf}" ]
256 /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
258 # check for sshd in top-level inetd.conf file, and remove
259 # will be replaced by a file in inetd.d/
260 if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
262 /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
263 if [ -f "${_inetcnf_tmp}" ]
265 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
267 csih_inform "Removed sshd from ${_inetcnf}"
269 csih_warning "Removing sshd from ${_inetcnf} failed!"
272 /usr/bin/rm -f "${_inetcnf_tmp}"
274 csih_warning "Removing sshd from ${_inetcnf} failed!"
279 # Add ssh line to inetd.conf
280 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
282 if [ "${_with_comment}" -eq 0 ]
284 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
286 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
290 csih_inform "Added ssh to ${_inetcnf}"
292 csih_warning "Adding ssh to ${_inetcnf} failed!"
298 } # --- End of update_inetd_conf --- #
300 # ======================================================================
301 # Routine: check_service_files_ownership
302 # Checks that the files in /etc and /var belong to the right owner
303 # ======================================================================
304 check_service_files_ownership() {
305 local run_service_as=$1
308 if [ -z "${run_service_as}" ]
310 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
311 /usr/bin/sed -ne 's/^Account *: *//gp')
312 if [ "${accnt_name}" = "LocalSystem" ]
314 # Convert "LocalSystem" to "SYSTEM" as is the correct account name
315 run_service_as="SYSTEM"
317 dom="${accnt_name%%\\*}"
318 accnt_name="${accnt_name#*\\}"
319 if [ "${dom}" = '.' ]
321 # Check local account
322 run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
323 /usr/bin/awk -F: '{print $1;}')
326 run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
327 /usr/bin/awk -F: '{print $1;}')
330 if [ -z "${run_service_as}" ]
332 csih_warning "Couldn't determine name of user running sshd service from account database!"
333 csih_warning "As a result, this script cannot make sure that the files used"
334 csih_warning "by the sshd service belong to the user running the service."
338 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
342 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
344 csih_warning "Couldn't change owner of $i!"
349 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
351 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
354 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
356 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
359 if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
361 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
363 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
369 csih_warning "Couldn't change owner of important files to ${run_service_as}!"
370 csih_warning "This may cause the sshd service to fail! Please make sure that"
371 csih_warning "you have suufficient permissions to change the ownership of files"
372 csih_warning "and try to run the ssh-host-config script again."
375 } # --- End of check_service_files_ownership --- #
377 # ======================================================================
378 # Routine: install_service
379 # Install sshd as a service
380 # ======================================================================
387 if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
389 csih_inform "Sshd service is already installed."
390 check_service_files_ownership "" || let ret+=$?
392 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
393 if csih_request "(Say \"no\" if it is already installed as a service)"
395 csih_get_cygenv "${cygwin_value}"
397 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
399 csih_inform "On Windows Server 2003, Windows Vista, and above, the"
400 csih_inform "SYSTEM account cannot setuid to other users -- a capability"
401 csih_inform "sshd requires. You need to have or to create a privileged"
402 csih_inform "account. This script will help you do so."
405 [ "${opt_force}" = "yes" ] && opt_f=-f
406 [ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
407 csih_select_privileged_username ${opt_f} ${opt_u} sshd
409 if ! csih_create_privileged_user "${password_value}"
411 csih_error_recoverable "There was a serious problem creating a privileged user."
412 csih_request "Do you want to proceed anyway?" || exit 1
417 # Never returns empty if NT or above
418 run_service_as=$(csih_service_should_run_as)
420 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
422 password="${csih_PRIVILEGED_PASSWORD}"
423 if [ -z "${password}" ]
425 csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
426 password="${csih_value}"
430 # At this point, we either have $run_service_as = "system" and
431 # $password is empty, or $run_service_as is some privileged user and
432 # (hopefully) $password contains the correct password. So, from here
433 # out, we use '-z "${password}"' to discriminate the two cases.
435 csih_check_user "${run_service_as}"
437 if [ -n "${csih_cygenv}" ]
439 cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
441 if [ -z "${password}" ]
443 if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
444 -a "-D" -y tcpip "${cygwin_env[@]}"
447 csih_inform "The sshd service has been installed under the LocalSystem"
448 csih_inform "account (also known as SYSTEM). To start the service now, call"
449 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
450 csih_inform "will start automatically after the next reboot."
453 if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
454 -a "-D" -y tcpip "${cygwin_env[@]}" \
455 -u "${run_service_as}" -w "${password}"
457 /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
459 csih_inform "The sshd service has been installed under the '${run_service_as}'"
460 csih_inform "account. To start the service now, call \`net start ${service_name}' or"
461 csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start automatically"
462 csih_inform "after the next reboot."
466 if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
468 check_service_files_ownership "${run_service_as}" || let ret+=$?
470 csih_error_recoverable "Installing sshd as a service failed!"
473 fi # user allowed us to install as service
474 fi # service not yet installed
476 } # --- End of install_service --- #
478 # ======================================================================
480 # ======================================================================
482 # Check how the script has been started. If
483 # (1) it has been started by giving the full path and
484 # that path is /etc/postinstall, OR
485 # (2) Otherwise, if the environment variable
486 # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
487 # then set auto_answer to "no". This allows automatic
488 # creation of the config files in /etc w/o overwriting
489 # them if they already exist. In both cases, color
490 # escape sequences are suppressed, so as to prevent
491 # cluttering setup's logfiles.
492 if [ "$PROGDIR" = "/etc/postinstall" ]
494 csih_auto_answer="no"
498 if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
500 csih_auto_answer="no"
505 # ======================================================================
507 # ======================================================================
561 csih_FORCE_PRIVILEGED_USER=yes
565 echo "usage: ${progname} [OPTION]..."
567 echo "This script creates an OpenSSH host configuration."
570 echo " --debug -d Enable shell's debug output."
571 echo " --yes -y Answer all questions with \"yes\" automatically."
572 echo " --no -n Answer all questions with \"no\" automatically."
573 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
574 echo " --name -N <name> sshd windows service name."
575 echo " --port -p <n> sshd listens on port n."
576 echo " --user -u <account> privileged user for service, default 'cyg_server'."
577 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
578 echo " --privileged On Windows XP, require privileged user"
579 echo " instead of LocalSystem for sshd service."
587 # ======================================================================
589 # ======================================================================
591 # Check for running ssh/sshd processes first. Refuse to do anything while
592 # some ssh processes are still running
593 if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
596 csih_error "There are still ssh processes running. Please shut them down first."
599 # Make sure the user is running in an administrative context
600 admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
601 if [ "${admin}" != "yes" ]
604 csih_warning "Running this script typically requires administrator privileges!"
605 csih_warning "However, it seems your account does not have these privileges."
606 csih_warning "Here's the list of groups in your user token:"
608 /usr/bin/id -Gnz | xargs -0n1 echo " "
610 csih_warning "This usually means you're running this script from a non-admin"
611 csih_warning "desktop session, or in a non-elevated shell under UAC control."
613 csih_warning "Make sure you have the appropriate privileges right now,"
614 csih_warning "otherwise parts of this script will probably fail!"
616 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
617 if ! csih_request "you have the required privileges)"
620 csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
621 csih_inform "or to start this script from an elevated shell."
630 # Create /var/log/lastlog if not already exists
631 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
634 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
635 "Cannot create ssh host configuration."
637 if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
639 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
640 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
642 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
647 # Create /var/empty file used as chroot jail for privilege separation
648 csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
649 if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
651 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
655 # generate missing host keys
656 csih_inform "Generating missing SSH host keys"
657 /usr/bin/ssh-keygen -A || let warning_cnt+=$?
660 csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
661 if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
663 if [ "${port_number}" != "22" ]
665 csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
666 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
667 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
672 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
673 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
675 sshd_config_configured=yes
677 sshd_strictmodes || let warning_cnt+=$?
678 sshd_privsep || let warning_cnt+=$?
679 sshd_config_tweak || let warning_cnt+=$?
680 update_services_file || let warning_cnt+=$?
681 update_inetd_conf || let warning_cnt+=$?
682 install_service || let warning_cnt+=$?
685 if [ $warning_cnt -eq 0 ]
687 csih_inform "Host configuration finished. Have fun!"
689 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
690 csih_warning "Make sure that all problems reported are fixed,"
691 csih_warning "then re-run ssh-host-config."
projects / FreeBSD / FreeBSD.git / blob