18
26
privsep_configured=no
25
if [ "${auto_answer}" = "yes" ]
27
echo "$1 (yes/no) yes"
29
elif [ "${auto_answer}" = "no" ]
36
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
38
echo -n "$1 (yes/no) "
41
if [ "X${answer}" = "Xyes" ]
31
# ======================================================================
32
# Routine: create_host_keys
33
# ======================================================================
35
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
37
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
38
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
41
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
43
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
44
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
47
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
49
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
50
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
52
} # --- End of create_host_keys --- #
54
# ======================================================================
55
# Routine: update_services_file
56
# ======================================================================
57
update_services_file() {
58
local _my_etcdir="/ssh-host-config.$$"
67
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
68
_services="${_my_etcdir}/services"
69
# On NT, 27 spaces, no space after the hash
72
_win_etcdir="${WINDIR}"
73
_services="${_my_etcdir}/SERVICES"
74
# On 9x, 18 spaces (95 is very touchy), a space after the hash
77
_serv_tmp="${_my_etcdir}/srv.out.$$"
79
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
81
# Depends on the above mount
82
_wservices=`cygpath -w "${_services}"`
84
# Remove sshd 22/port from services
85
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
87
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
88
if [ -f "${_serv_tmp}" ]
90
if mv "${_serv_tmp}" "${_services}"
92
csih_inform "Removing sshd from ${_wservices}"
94
csih_warning "Removing sshd from ${_wservices} failed!"
98
csih_warning "Removing sshd from ${_wservices} failed!"
102
# Add ssh 22/tcp and ssh 22/udp to services
103
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
105
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
107
if mv "${_serv_tmp}" "${_services}"
109
csih_inform "Added ssh to ${_wservices}"
111
csih_warning "Adding ssh to ${_wservices} failed!"
115
csih_warning "Adding ssh to ${_wservices} failed!"
118
umount "${_my_etcdir}"
119
} # --- End of update_services_file --- #
121
# ======================================================================
122
# Routine: sshd_privsep
123
# MODIFIES: privsep_configured privsep_used
124
# ======================================================================
128
if [ "${privsep_configured}" != "yes" ]
132
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
133
csih_inform "However, this requires a non-privileged account called 'sshd'."
134
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
135
if csih_request "Should privilege separation be used?"
138
if ! csih_create_unprivileged_user sshd
140
csih_warning "Couldn't create user 'sshd'!"
141
csih_warning "Privilege separation set to 'no' again!"
142
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
149
# On 9x don't use privilege separation. Since security isn't
150
# available it just adds useless additional processes.
155
# Create default sshd_config from skeleton files in /etc/defaults/etc or
156
# modify to add the missing privsep configuration option
157
if cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
159
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
160
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
161
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
162
s/^#Port 22/Port ${port_number}/
163
s/^#StrictModes yes/StrictModes no/" \
164
< ${SYSCONFDIR}/sshd_config \
165
> "${sshdconfig_tmp}"
166
mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
167
elif [ "${privsep_configured}" != "yes" ]
169
echo >> ${SYSCONFDIR}/sshd_config
170
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
172
} # --- End of sshd_privsep --- #
174
# ======================================================================
175
# Routine: update_inetd_conf
176
# ======================================================================
177
update_inetd_conf() {
178
local _inetcnf="${SYSCONFDIR}/inetd.conf"
179
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
180
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
181
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
182
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
183
local _with_comment=1
185
if [ -d "${_inetcnf_dir}" ]
187
# we have inetutils-1.5 inetd.d support
188
if [ -f "${_inetcnf}" ]
190
grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
192
# check for sshd OR ssh in top-level inetd.conf file, and remove
193
# will be replaced by a file in inetd.d/
194
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
196
grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
197
if [ -f "${_inetcnf_tmp}" ]
199
if mv "${_inetcnf_tmp}" "${_inetcnf}"
201
csih_inform "Removed ssh[d] from ${_inetcnf}"
203
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
205
rm -f "${_inetcnf_tmp}"
207
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
212
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
213
if cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
215
if [ "${_with_comment}" -eq 0 ]
217
sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
219
sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
221
mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
222
csih_inform "Updated ${_sshd_inetd_conf}"
225
elif [ -f "${_inetcnf}" ]
227
grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
229
# check for sshd in top-level inetd.conf file, and remove
230
# will be replaced by a file in inetd.d/
231
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
233
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
234
if [ -f "${_inetcnf_tmp}" ]
236
if mv "${_inetcnf_tmp}" "${_inetcnf}"
238
csih_inform "Removed sshd from ${_inetcnf}"
240
csih_warning "Removing sshd from ${_inetcnf} failed!"
242
rm -f "${_inetcnf_tmp}"
244
csih_warning "Removing sshd from ${_inetcnf} failed!"
248
# Add ssh line to inetd.conf
249
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
251
if [ "${_with_comment}" -eq 0 ]
253
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
255
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
257
csih_inform "Added ssh to ${_inetcnf}"
260
} # --- End of update_inetd_conf --- #
262
# ======================================================================
263
# Routine: install_service
264
# Install sshd as a service
265
# ======================================================================
272
if ! cygrunsrv -Q sshd >/dev/null 2>&1
276
csih_warning "The following functions require administrator privileges!"
278
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
279
if csih_request "(Say \"no\" if it is already installed as a service)"
281
csih_inform "Note that the CYGWIN variable must contain at least \"ntsec\""
282
csih_inform "for sshd to be able to change user context without password."
283
csih_get_cygenv "${cygwin_value}"
285
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
287
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
288
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
289
csih_inform "sshd requires. You need to have or to create a privileged"
290
csih_inform "account. This script will help you do so."
292
if ! csih_create_privileged_user "${password_value}"
294
csih_error_recoverable "There was a serious problem creating a privileged user."
295
csih_request "Do you want to proceed anyway?" || exit 1
299
# never returns empty if NT or above
300
run_service_as=$(csih_service_should_run_as)
302
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
304
password="${csih_PRIVILEGED_PASSWORD}"
305
if [ -z "${password}" ]
307
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
308
password="${csih_value}"
312
# at this point, we either have $run_service_as = "system" and $password is empty,
313
# or $run_service_as is some privileged user and (hopefully) $password contains
314
# the correct password. So, from here out, we use '-z "${password}"' to discriminate
317
csih_check_user "${run_service_as}"
319
if [ -z "${password}" ]
321
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
322
-e CYGWIN="${csih_cygenv}"
325
csih_inform "The sshd service has been installed under the LocalSystem"
326
csih_inform "account (also known as SYSTEM). To start the service now, call"
327
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
328
csih_inform "will start automatically after the next reboot."
331
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a "-D" -y tcpip \
332
-e CYGWIN="${csih_cygenv}" -u "${run_service_as}" -w "${password}"
335
csih_inform "The sshd service has been installed under the '${run_service_as}'"
336
csih_inform "account. To start the service now, call \`net start sshd' or"
337
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
338
csih_inform "after the next reboot."
342
# now, if successfully installed, set ownership of the affected files
343
if cygrunsrv -Q sshd >/dev/null 2>&1
345
chown "${run_service_as}" ${SYSCONFDIR}/ssh*
346
chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty
347
chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog
348
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
350
chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log
353
csih_warning "Something went wrong installing the sshd service."
355
fi # user allowed us to install as service
356
fi # service not yet installed
358
} # --- End of install_service --- #
360
# ======================================================================
362
# ======================================================================
364
# Check how the script has been started. If
365
# (1) it has been started by giving the full path and
366
# that path is /etc/postinstall, OR
367
# (2) Otherwise, if the environment variable
368
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
369
# then set auto_answer to "no". This allows automatic
370
# creation of the config files in /etc w/o overwriting
371
# them if they already exist. In both cases, color
372
# escape sequences are suppressed, so as to prevent
373
# cluttering setup's logfiles.
374
if [ "$PROGDIR" = "/etc/postinstall" ]
376
csih_auto_answer="no"
379
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
381
csih_auto_answer="no"
385
# ======================================================================
387
# ======================================================================
183
488
# Create /var/empty file used as chroot jail for privilege separation
184
if [ -f ${LOCALSTATEDIR}/empty ]
186
echo "Creating ${LOCALSTATEDIR}/empty failed!"
188
mkdir -p ${LOCALSTATEDIR}/empty
191
chmod 755 ${LOCALSTATEDIR}/empty
195
# First generate host keys if not already existing
197
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
199
echo "Generating ${SYSCONFDIR}/ssh_host_key"
200
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
203
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
205
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
206
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
209
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
211
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
212
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
215
# Check if ssh_config exists. If yes, ask for overwriting
217
if [ -f "${SYSCONFDIR}/ssh_config" ]
219
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
221
rm -f "${SYSCONFDIR}/ssh_config"
222
if [ -f "${SYSCONFDIR}/ssh_config" ]
224
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
229
# Create default ssh_config from skeleton file in /etc/defaults/etc
231
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
233
echo "Generating ${SYSCONFDIR}/ssh_config file"
234
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
489
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create log directory."
490
chmod 755 "${LOCALSTATEDIR}/empty"
491
setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty"
496
# use 'cmp' program to determine if a config file is identical
497
# to the default version of that config file
498
csih_check_program_or_error cmp diffutils
502
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults"
503
if cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
235
505
if [ "${port_number}" != "22" ]
507
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
237
508
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
238
509
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
242
# Check if sshd_config exists. If yes, ask for overwriting
244
if [ -f "${SYSCONFDIR}/sshd_config" ]
246
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
248
rm -f "${SYSCONFDIR}/sshd_config"
249
if [ -f "${SYSCONFDIR}/sshd_config" ]
251
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
254
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
258
# Prior to creating or modifying sshd_config, care for privilege separation
260
if [ "${privsep_configured}" != "yes" ]
264
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
265
echo "However, this requires a non-privileged account called 'sshd'."
266
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
268
if request "Should privilege separation be used?"
271
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
272
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
273
if [ "${sshd_in_passwd}" != "yes" ]
275
if [ "${sshd_in_sam}" != "yes" ]
277
echo "Warning: The following function requires administrator privileges!"
278
if request "Should this script create a local user 'sshd' on this machine?"
280
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
281
net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
282
if [ "${sshd_in_sam}" != "yes" ]
284
echo "Warning: Creating the user 'sshd' failed!"
288
if [ "${sshd_in_sam}" != "yes" ]
290
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
291
echo " Privilege separation set to 'no' again!"
292
echo " Check your ${SYSCONFDIR}/sshd_config file!"
295
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
302
# On 9x don't use privilege separation. Since security isn't
303
# available it just adds useless additional processes.
308
# Create default sshd_config from skeleton files in /etc/defaults/etc or
309
# modify to add the missing privsep configuration option
311
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
313
echo "Generating ${SYSCONFDIR}/sshd_config file"
314
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
315
s/^#Port 22/Port ${port_number}/
316
s/^#StrictModes yes/StrictModes no/" \
317
< ${SYSCONFDIR}/defaults/etc/sshd_config \
318
> ${SYSCONFDIR}/sshd_config
319
elif [ "${privsep_configured}" != "yes" ]
321
echo >> ${SYSCONFDIR}/sshd_config
322
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
325
# Care for services file
326
_my_etcdir="/ssh-host-config.$$"
329
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
330
_services="${_my_etcdir}/services"
331
# On NT, 27 spaces, no space after the hash
334
_win_etcdir="${WINDIR}"
335
_services="${_my_etcdir}/SERVICES"
336
# On 9x, 18 spaces (95 is very touchy), a space after the hash
339
_serv_tmp="${_my_etcdir}/srv.out.$$"
341
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
343
# Depends on the above mount
344
_wservices=`cygpath -w "${_services}"`
346
# Remove sshd 22/port from services
347
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
349
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
350
if [ -f "${_serv_tmp}" ]
352
if mv "${_serv_tmp}" "${_services}"
354
echo "Removing sshd from ${_wservices}"
356
echo "Removing sshd from ${_wservices} failed!"
360
echo "Removing sshd from ${_wservices} failed!"
364
# Add ssh 22/tcp and ssh 22/udp to services
365
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
367
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
369
if mv "${_serv_tmp}" "${_services}"
371
echo "Added ssh to ${_wservices}"
373
echo "Adding ssh to ${_wservices} failed!"
377
echo "WARNING: Adding ssh to ${_wservices} failed!"
381
umount "${_my_etcdir}"
383
# Care for inetd.conf file
384
_inetcnf="${SYSCONFDIR}/inetd.conf"
385
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
387
if [ -f "${_inetcnf}" ]
389
# Check if ssh service is already in use as sshd
391
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
392
# Remove sshd line from inetd.conf
393
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
395
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
396
if [ -f "${_inetcnf_tmp}" ]
398
if mv "${_inetcnf_tmp}" "${_inetcnf}"
400
echo "Removed sshd from ${_inetcnf}"
402
echo "Removing sshd from ${_inetcnf} failed!"
404
rm -f "${_inetcnf_tmp}"
406
echo "Removing sshd from ${_inetcnf} failed!"
410
# Add ssh line to inetd.conf
411
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
413
if [ "${with_comment}" -eq 0 ]
415
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
417
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
419
echo "Added ssh to ${_inetcnf}"
423
# On NT ask if sshd should be installed as service
426
# But only if it is not already installed
427
if ! cygrunsrv -Q sshd > /dev/null 2>&1
431
echo "Warning: The following functions require administrator privileges!"
433
echo "Do you want to install sshd as service?"
434
if request "(Say \"no\" if it's already installed as service)"
436
if [ $_nt2003 -gt 0 ]
438
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
439
if [ "${sshd_server_in_passwd}" = "yes" ]
441
# Drop sshd_server from passwd since it could have wrong settings
442
grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
443
rm -f ${SYSCONFDIR}/passwd
444
mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
445
chmod g-w,o-w ${SYSCONFDIR}/passwd
447
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
448
if [ "${sshd_server_in_sam}" != "yes" ]
451
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
452
echo "later systems, it's not possible to use the LocalSystem account"
453
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
454
echo "If you want to enable that functionality, it's required to create a new"
455
echo "account 'sshd_server' with special privileges, which is then used to run"
456
echo "the sshd service under."
458
echo "Should this script create a new local account 'sshd_server' which has"
459
if request "the required privileges?"
461
_admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
462
if [ -z "${_admingroup}" ]
464
echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
467
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
468
while [ "${sshd_server_in_sam}" != "yes" ]
470
if [ -n "${password_value}" ]
472
_password="${password_value}"
473
# Allow to ask for password if first try fails
477
echo "Please enter a password for new user 'sshd_server'. Please be sure that"
478
echo "this password matches the password rules given on your system."
479
echo -n "Entering no password will exit the configuration. PASSWORD="
481
if [ -z "${_password}" ]
484
echo "Exiting configuration. No user sshd_server has been created,"
485
echo "no sshd service installed."
489
net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
490
if [ "${sshd_server_in_sam}" != "yes" ]
492
echo "Creating the user 'sshd_server' failed! Reason:"
497
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
498
if [ "${sshd_server_in_admingroup}" != "yes" ]
500
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
501
echo "Please add sshd_server to local group ${_admingroup} before"
502
echo "starting the sshd service!"
505
passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
506
if [ "${passwd_has_expiry_flags}" != "yes" ]
509
echo "WARNING: User sshd_server has password expiry set to system default."
510
echo "Please check that password never expires or set it to your needs."
511
elif ! passwd -e sshd_server
514
echo "WARNING: Setting password expiry for user sshd_server failed!"
515
echo "Please check that password never expires or set it to your needs."
517
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
518
editrights -a SeCreateTokenPrivilege -u sshd_server &&
519
editrights -a SeTcbPrivilege -u sshd_server &&
520
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
521
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
522
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
523
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
524
editrights -a SeServiceLogonRight -u sshd_server &&
525
sshd_server_got_all_rights="yes"
526
if [ "${sshd_server_got_all_rights}" != "yes" ]
529
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
530
echo "Can't create sshd service!"
534
echo "User 'sshd_server' has been created with password '${_password}'."
535
echo "If you change the password, please keep in mind to change the password"
536
echo "for the sshd service, too."
538
echo "Also keep in mind that the user sshd_server needs read permissions on all"
539
echo "users' .ssh/authorized_keys file to allow public key authentication for"
540
echo "these users!. (Re-)running ssh-user-config for each user will set the"
541
echo "required permissions correctly."
545
if [ "${sshd_server_in_sam}" = "yes" ]
547
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
550
if [ -n "${cygwin_value}" ]
552
_cygwin="${cygwin_value}"
555
echo "Which value should the environment variable CYGWIN have when"
556
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
557
echo "able to change user context without password."
558
echo -n "Default is \"ntsec\". CYGWIN="
561
[ -z "${_cygwin}" ] && _cygwin="ntsec"
562
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
564
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
567
echo "The service has been installed under sshd_server account."
568
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
571
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
574
echo "The service has been installed under LocalSystem account."
575
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
579
# Now check if sshd has been successfully installed. This allows to
580
# set the ownership of the affected files correctly.
581
if cygrunsrv -Q sshd > /dev/null 2>&1
583
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
589
chown "${_user}" ${SYSCONFDIR}/ssh*
590
chown "${_user}".544 ${LOCALSTATEDIR}/empty
591
chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
592
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
594
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
597
if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
600
echo "Warning: It appears that you have user mode mounts (\"Just me\""
601
echo "chosen during install.) Any daemons installed as services will"
602
echo "fail to function unless system mounts are used. To change this,"
603
echo "re-run setup.exe and choose \"All users\"."
605
echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
513
# handle sshd_config (and privsep)
514
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults"
515
if ! cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
517
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
611
echo "Host configuration finished. Have fun!"
528
csih_inform "Host configuration finished. Have fun!"