tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- (dtucker) [README ssh-host-config ssh-user-config Makefile] (All 

contrib/cygwin).  Major update from vinschen at redhat.com.
   - Makefile provides a `cygwin-postinstall' target to run right after
     `make install'.
   - Better support for Windows 2003 Server.
   - Try to get permissions as correct as possible.
   - New command line options to allow full automated host configuration.
   - Create configs from skeletons in /etc/defaults/etc.
   - Use /bin/bash, allows reading user input with readline support.
   - Remove really old configs from /usr/local.
This commit is contained in:
Darren Tucker 2003-11-13 11:28:49 +11:00
parent 0947ddff72
commit 798ca84d60
5 changed files with 440 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ChangeLog
View File

@ -1,6 +1,16 @@
20031113
- (dtucker) [auth-pam.c] Append newlines to lines output by the
pam_chauthtok_conv().
- (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
contrib/cygwin). Major update from vinschen at redhat.com.
- Makefile provides a `cygwin-postinstall' target to run right after
`make install'.
- Better support for Windows 2003 Server.
- Try to get permissions as correct as possible.
- New command line options to allow full automated host configuration.
- Create configs from skeletons in /etc/defaults/etc.
- Use /bin/bash, allows reading user input with readline support.
- Remove really old configs from /usr/local.
20031106
- (djm) Clarify UsePAM consequences a little more
@ -1401,4 +1411,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.3094 2003/11/13 00:21:31 dtucker Exp $
$Id: ChangeLog,v 1.3095 2003/11/13 00:28:49 dtucker Exp $

56
contrib/cygwin/Makefile Normal file
View File

@ -0,0 +1,56 @@
srcdir=../..
prefix=/usr
exec_prefix=$(prefix)
bindir=$(prefix)/bin
datadir=$(prefix)/share
docdir=$(datadir)/doc
sshdocdir=$(docdir)/openssh
cygdocdir=$(docdir)/Cygwin
sysconfdir=/etc
defaultsdir=$(sysconfdir)/defaults/etc
PRIVSEP_PATH=/var/empty
INSTALL=/usr/bin/install -c
DESTDIR=
all:
@echo
@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
@echo "Be sure having DESTDIR set correctly!"
@echo
move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
remove-empty-dir:
rm -rf $(DESTDIR)$(PRIVSEP_PATH)
install-sshdoc:
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
$(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
$(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
install-cygwindoc: README
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
install-doc: install-sshdoc install-cygwindoc
install-scripts: ssh-host-config ssh-user-config
$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
@echo "Cygwin specific configuration finished."

120
contrib/cygwin/README
View File

@ -1,4 +1,49 @@
This package is the actual port of OpenSSH to Cygwin 1.5.
This package describes important Cygwin specific stuff concerning OpenSSH.
The binary package is usually built for recent Cygwin versions and might
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.
Build instructions are at the end of the file.
===========================================================================
Important change since 3.7.1p2-2:
The ssh-host-config file doesn't create the /etc/ssh_config and
/etc/sshd_config files from builtin here-scripts anymore, but it uses
skeleton files installed in /etc/defaults/etc.
Also it now tries hard to create appropriate permissions on files.
Same applies for ssh-user-config.
After creating the sshd service with ssh-host-config, it's advisable to
call ssh-user-config for all affected users, also already exising user
configurations. In the latter case, file and directory permissions are
checked and changed, if requireed to match the host configuration.
Important note for Windows 2003 Server users:
---------------------------------------------
2003 Server has a funny new feature. When starting services under SYSTEM
account, these services have nearly all user rights which SYSTEM holds...
except for the "Create a token object" right, which is needed to allow
public key authentication :-(
There's no way around this, except for creating a substitute account which
has the appropriate privileges. Basically, this account should be member
of the administrators group, plus it should have the following user rights:
Create a token object
Logon as a service
Replace a process level token
Increase Quota
The ssh-host-config script asks you, if it should create such an account,
called "sshd_server". If you say "no" here, you're on your own. Please
follow the instruction in ssh-host-config exactly if possible. Note that
ssh-user-config sets the permissions on 2003 Server machines dependent of
whether a sshd_server account exists or not.
===========================================================================
===========================================================================
Important change since 3.4p1-2:
@ -114,54 +159,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file:
ssh 22/tcp #SSH daemon
===========================================================================
The following restrictions only apply to Cygwin versions up to 1.3.1
===========================================================================
Authentication to sshd is possible in one of two ways.
You'll have to decide before starting sshd!
- If you want to authenticate via RSA and you want to login to that
machine to exactly one user account you can do so by running sshd
under that user account. You must change /etc/sshd_config
to contain the following:
RSAAuthentication yes
Moreover it's possible to use rhosts and/or rhosts with
RSA authentication by setting the following in sshd_config:
RhostsAuthentication yes
RhostsRSAAuthentication yes
- If you want to be able to login to different user accounts you'll
have to start sshd under system account or any other account that
is able to switch user context. Note that administrators are _not_
able to do that by default! You'll have to give the following
special user rights to the user:
"Act as part of the operating system"
"Replace process level token"
"Increase quotas"
and if used via service manager
"Logon as a service".
The system account does of course own that user rights by default.
Unfortunately, if you choose that way, you can only logon with
NT password authentification and you should change
/etc/sshd_config to contain the following:
PasswordAuthentication yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
However you can login to the user which has started sshd with
RSA authentication anyway. If you want that, change the RSA
authentication setting back to "yes":
RSAAuthentication yes
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
@ -169,7 +166,7 @@ If no home diretory is set in /etc/passwd, the root directory
is used instead!
You may use all features of the CYGWIN=ntsec setting the same
way as they are used by the `login' port on sources.redhat.com:
way as they are used by Cygwin's login(1) port:
The pw_gecos field may contain an additional field, that begins
with (upper case!) "U-", followed by the domain and the username
@ -186,6 +183,8 @@ way as they are used by the `login' port on sources.redhat.com:
locuser::1104:513:John Doe,U-user,S-1-5-21-...
Note that the CYGWIN=ntsec setting is required for public key authentication.
SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.
@ -194,15 +193,30 @@ configure are used for the Cygwin binary distribution:
--prefix=/usr \
--sysconfdir=/etc \
--libexecdir='${exec_prefix}/sbin'
--libexecdir='$(sbindir)' \
--localstatedir=/var \
--datadir='$(prefix)/share' \
--mandir='$(datadir)/man' \
--with-tcp-wrappers
You must have installed the zlib and openssl packages to be able to
If you want to create a Cygwin package, equivalent to the one
in the Cygwin binary distribution, install like this:
mkdir /tmp/cygwin-ssh
cd $(builddir)
make install DESTDIR=/tmp/cygwin-ssh
cd $(srcdir)/contrib/cygwin
make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
cd /tmp/cygwin-ssh
find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
You must have installed the zlib and openssl-devel packages to be able to
build OpenSSH!
Please send requests, error reports etc. to cygwin@cygwin.com.
Have fun,
Corinna Vinschen <vinschen@redhat.com>
Corinna Vinschen
Cygwin Developer
Red Hat Inc.

502
contrib/cygwin/ssh-host-config
View File

@ -1,6 +1,6 @@
#!/bin/sh
#!/bin/bash
#
# ssh-host-config, Copyright 2000, Red Hat Inc.
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
@ -9,10 +9,7 @@ PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
# Subdirectory where an old package might be installed
OLDPREFIX=/usr/local
OLDSYSCONFDIR=${OLDPREFIX}/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
@ -27,9 +24,11 @@ request()
{
if [ "${auto_answer}" = "yes" ]
then
echo "$1 (yes/no) yes"
return 0
elif [ "${auto_answer}" = "no" ]
then
echo "$1 (yes/no) no"
return 1
fi
@ -37,7 +36,7 @@ request()
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read answer
read -e answer
done
if [ "X${answer}" = "Xyes" ]
then
@ -60,7 +59,7 @@ do
option=$1
shift
case "$option" in
case "${option}" in
-d | --debug )
set -x
;;
@ -73,21 +72,33 @@ do
auto_answer=no
;;
-c | --cygwin )
cygwin_value="$1"
shift
;;
-p | --port )
port_number=$1
shift
;;
-w | --pwd )
password_value="$1"
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --port -p <n> sshd listens on port n."
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
echo
exit 1
;;
@ -96,8 +107,13 @@ do
done
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
@ -137,87 +153,33 @@ fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -f /var/log ]
if [ -f ${LOCALSTATEDIR}/log ]
then
echo "Creating /var/log failed\!"
echo "Creating ${LOCALSTATEDIR}/log failed!"
else
if [ ! -d /var/log ]
if [ ! -d ${LOCALSTATEDIR}/log ]
then
mkdir -p /var/log
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -d /var/log/lastlog ]
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
then
echo "Creating /var/log/lastlog failed\!"
elif [ ! -f /var/log/lastlog ]
chmod 777 ${LOCALSTATEDIR}/log/lastlog
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > /var/log/lastlog
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 666 ${LOCALSTATEDIR}/log/lastlog
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f /var/empty ]
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating /var/empty failed\!"
echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
mkdir -p /var/empty
# On NT change ownership of that dir to user "system"
if [ $_nt -gt 0 ]
mkdir -p ${LOCALSTATEDIR}/empty
if [ ${_nt} -gt 0 ]
then
chmod 755 /var/empty
chown system.system /var/empty
fi
fi
# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
# the same as ${PREFIX}
old_install=0
if [ "${OLDPREFIX}" != "${PREFIX}" ]
then
if [ -f "${OLDPREFIX}/sbin/sshd" ]
then
echo
echo "You seem to have an older installation in ${OLDPREFIX}."
echo
# Check if old global configuration files exist
if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ]
then
if request "Do you want to copy your config files to your new installation?"
then
cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR}
cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR}
cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR}
cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR}
cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR}
cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR}
fi
fi
if request "Do you want to erase your old installation?"
then
rm -f ${OLDPREFIX}/bin/ssh.exe
rm -f ${OLDPREFIX}/bin/ssh-config
rm -f ${OLDPREFIX}/bin/scp.exe
rm -f ${OLDPREFIX}/bin/ssh-add.exe
rm -f ${OLDPREFIX}/bin/ssh-agent.exe
rm -f ${OLDPREFIX}/bin/ssh-keygen.exe
rm -f ${OLDPREFIX}/bin/slogin
rm -f ${OLDSYSCONFDIR}/ssh_host_key
rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub
rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key
rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub
rm -f ${OLDSYSCONFDIR}/ssh_config
rm -f ${OLDSYSCONFDIR}/sshd_config
rm -f ${OLDPREFIX}/man/man1/ssh.1
rm -f ${OLDPREFIX}/man/man1/scp.1
rm -f ${OLDPREFIX}/man/man1/ssh-add.1
rm -f ${OLDPREFIX}/man/man1/ssh-agent.1
rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1
rm -f ${OLDPREFIX}/man/man1/slogin.1
rm -f ${OLDPREFIX}/man/man8/sshd.8
rm -f ${OLDPREFIX}/sbin/sshd.exe
rm -f ${OLDPREFIX}/sbin/sftp-server.exe
fi
old_install=1
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
@ -255,52 +217,16 @@ then
fi
fi
# Create default ssh_config from here script
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cat > ${SYSCONFDIR}/ssh_config << EOF
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
EOF
if [ "$port_number" != "22" ]
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "${port_number}" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
@ -322,35 +248,35 @@ fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "$privsep_configured" != "yes" ]
if [ "${privsep_configured}" != "yes" ]
then
if [ $_nt -gt 0 ]
if [ ${_nt} -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
echo
if request "Shall privilege separation be used?"
if request "Should privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_passwd" != "yes" ]
if [ "${sshd_in_passwd}" != "yes" ]
then
if [ "$sshd_in_sam" != "yes" ]
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Shall this script create a local user 'sshd' on this machine?"
if request "Should this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w /var/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_sam" != "yes" ]
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "$sshd_in_sam" != "yes" ]
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
@ -365,117 +291,41 @@ then
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless addtional processes.
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from here script or modify to add the
# missing privsep configuration option
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
cat > ${SYSCONFDIR}/sshd_config << EOF
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port $port_number
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey ${SYSCONFDIR}/ssh_host_key
# HostKeys for protocol version 2
#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
# The following setting overrides permission checks on host key files
# and directories. For security reasons set this to "yes" when running
# NT/W2K, NTFS and CYGWIN=ntsec.
StrictModes no
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation $privsep_used
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
EOF
elif [ "$privsep_configured" != "yes" ]
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ $_nt -gt 0 ]
if [ ${_nt} -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
# On NT, 27 spaces, no space after the hash
_spaces=" #"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
# On 9x, 18 spaces (95 is very touchy), a space after the hash
_spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
@ -494,29 +344,28 @@ then
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed\!"
echo "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed\!"
echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed\!"
echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Adding ssh to ${_wservices} failed\!"
echo "WARNING: Adding ssh to ${_wservices} failed!"
fi
fi
@ -541,11 +390,11 @@ then
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed\!"
echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed\!"
echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
@ -563,34 +412,181 @@ then
fi
# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
if [ ${_nt} -gt 0 ]
then
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
# But only if it is not already installed
if ! cygrunsrv -Q sshd > /dev/null 2>&1
then
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"binmode ntsec tty\". CYGWIN="
read _cygwin
[ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
echo
echo "Warning: The following functions require administrator privileges!"
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
chown system ${SYSCONFDIR}/ssh*
echo
echo "The service has been installed under LocalSystem account."
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
if [ "${sshd_server_in_passwd}" = "yes" ]
then
# Drop sshd_server from passwd since it could have wrong settings
grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
rm -f ${SYSCONFDIR}/passwd
mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
chmod g-w,o-w ${SYSCONFDIR}/passwd
fi
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
if [ "${sshd_server_in_sam}" != "yes" ]
then
echo
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
echo "later systems, it's not possible to use the LocalSystem account"
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
echo "If you want to enable that functionality, it's required to create a new"
echo "account 'sshd_server' with special privileges, which is then used to run"
echo "the sshd service under."
echo
echo "Should this script create a new local account 'sshd_server' which has"
if request "the required privileges?"
then
_admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
if [ -z "${_admingroup}" ]
then
echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
echo "and restart this script."
exit 1
fi
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
while [ "${sshd_server_in_sam}" != "yes" ]
do
if [ -n "${password_value}" ]
then
_password="${password_value}"
# Allow to ask for password if first try fails
password_value=""
else
echo
echo "Please enter a password for new user 'sshd_server'. Please be sure that"
echo "this password matches the password rules given on your system."
echo -n "Entering no password will exit the configuration. PASSWORD="
read -e _password
if [ -z "${_password}" ]
then
echo
echo "Exiting configuration. No user sshd_server has been created,"
echo "no sshd service installed."
exit 1
fi
fi
net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
if [ "${sshd_server_in_sam}" != "yes" ]
then
echo "Creating the user 'sshd_server' failed! Reason:"
cat /tmp/nu.$$
rm /tmp/nu.$$
fi
done
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
if [ "${sshd_server_in_admingroup}" != "yes" ]
then
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
echo "Please add sshd_server to local group ${_admingroup} before"
echo "starting the sshd service!"
echo
fi
passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
if [ "${passwd_has_expiry_flags}" != "yes" ]
then
echo
echo "WARNING: User sshd_server has password expiry set to system default."
echo "Please check that password never expires or set it to your needs."
elif ! passwd -e sshd_server
then
echo
echo "WARNING: Setting password expiry for user sshd_server failed!"
echo "Please check that password never expires or set it to your needs."
fi
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
editrights -a SeCreateTokenPrivilege -u sshd_server &&
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
editrights -a SeServiceLogonRight -u sshd_server &&
sshd_server_got_all_rights="yes"
if [ "${sshd_server_got_all_rights}" != "yes" ]
then
echo
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
echo
echo "User 'sshd_server' has been created with password '${_password}'."
echo "If you change the password, please keep in mind to change the password"
echo "for the sshd service, too."
echo
echo "Also keep in mind that the user sshd_server needs read permissions on all"
echo "users' .ssh/authorized_keys file to allow public key authentication for"
echo "these users!. (Re-)running ssh-user-config for each user will set the"
echo "required permissions correctly."
echo
fi
fi
if [ "${sshd_server_in_sam}" = "yes" ]
then
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
if [ -n "${cygwin_value}" ]
then
_cygwin="${cygwin_value}"
else
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read -e _cygwin
fi
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under sshd_server account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
else
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under LocalSystem account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
fi
fi
# Now check if sshd has been successfully installed. This allows to
# set the ownership of the affected files correctly.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
_user="sshd_server"
else
_user="system"
fi
chown "${_user}" ${SYSCONFDIR}/ssh*
chown "${_user}".544 ${LOCALSTATEDIR}/empty
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
fi
fi
fi
fi
if [ "${old_install}" = "1" ]
then
echo
echo "Note: If you have used sshd as service or from inetd, don't forget to"
echo " change the path to sshd.exe in the service entry or in inetd.conf."
fi
echo
echo "Host configuration finished. Have fun!"

64
contrib/cygwin/ssh-user-config
View File

@ -1,9 +1,12 @@
#!/bin/sh
#
# ssh-user-config, Copyright 2000, Red Hat Inc.
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Directory where the config files are stored
SYSCONFDIR=/etc
progname=$0
auto_answer=""
auto_passphrase="no"
@ -33,6 +36,15 @@ request()
fi
}
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check options
while :
@ -84,27 +96,27 @@ done
# Ask user if user identity should be generated
if [ ! -f /etc/passwd ]
if [ ! -f ${SYSCONFDIR}/passwd ]
then
echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file'
echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
echo 'first using mkpasswd. Check if it contains an entry for you and'
echo 'please care for the home directory in your entry as well.'
exit 1
fi
uid=`id -u`
pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd`
pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
if [ "X${pwdhome}" = "X" ]
then
echo 'There is no home directory set for you in /etc/passwd.'
echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
echo 'Setting $HOME is not sufficient!'
exit 1
fi
if [ ! -d "${pwdhome}" ]
then
echo "${pwdhome} is set in /etc/passwd as your home directory"
echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
echo 'but it is not a valid directory. Cannot create user identity files.'
exit 1
fi
@ -114,7 +126,7 @@ fi
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!'
echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
if request "Would you like to proceed anyway?"
then
pwdhome=''
@ -123,6 +135,17 @@ then
fi
fi
if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
echo 'WARNING: group and other have been revoked write permission to your home'
echo " directory ${pwdhome}."
echo ' This is required by OpenSSH to allow public key authentication using'
echo ' the key files stored in your .ssh subdirectory.'
echo ' Revert this change ONLY if you know what you are doing!'
echo
fi
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
@ -139,6 +162,21 @@ then
fi
fi
if [ $_nt -gt 0 ]
then
_user="system"
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
fi
if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
then
echo "${pwdhome}/.ssh couldn't be given the correct permissions."
echo "Please try to solve this problem first."
exit 1
fi
fi
if [ ! -f "${pwdhome}/.ssh/identity" ]
then
if request "Shall I create an SSH1 RSA identity file for you?"
@ -196,5 +234,17 @@ then
fi
fi
if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
then
echo
echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
echo "failed. Please care for the correct permissions. The minimum requirement"
echo "is, the owner and ${_user} both need read permissions."
echo
fi
fi
echo
echo "Configuration finished. Have fun!"