From 798ca84d606abba35ea790ba0a8abb25ca2b67cb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 13 Nov 2003 11:28:49 +1100 Subject: [PATCH] - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All contrib/cygwin). Major update from vinschen at redhat.com. - Makefile provides a `cygwin-postinstall' target to run right after `make install'. - Better support for Windows 2003 Server. - Try to get permissions as correct as possible. - New command line options to allow full automated host configuration. - Create configs from skeletons in /etc/defaults/etc. - Use /bin/bash, allows reading user input with readline support. - Remove really old configs from /usr/local. --- ChangeLog | 12 +- contrib/cygwin/Makefile | 56 ++++ contrib/cygwin/README | 120 ++++---- contrib/cygwin/ssh-host-config | 502 ++++++++++++++++----------------- contrib/cygwin/ssh-user-config | 64 ++++- 5 files changed, 440 insertions(+), 314 deletions(-) create mode 100644 contrib/cygwin/Makefile diff --git a/ChangeLog b/ChangeLog index 1cb4a8e1d..4a1c55a57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,16 @@ 20031113 - (dtucker) [auth-pam.c] Append newlines to lines output by the pam_chauthtok_conv(). + - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All + contrib/cygwin). Major update from vinschen at redhat.com. + - Makefile provides a `cygwin-postinstall' target to run right after + `make install'. + - Better support for Windows 2003 Server. + - Try to get permissions as correct as possible. + - New command line options to allow full automated host configuration. + - Create configs from skeletons in /etc/defaults/etc. + - Use /bin/bash, allows reading user input with readline support. + - Remove really old configs from /usr/local. 20031106 - (djm) Clarify UsePAM consequences a little more 
@@ -1401,4 +1411,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3094 2003/11/13 00:21:31 dtucker Exp $ +$Id: ChangeLog,v 1.3095 2003/11/13 00:28:49 dtucker Exp $ diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile new file mode 100644 index 000000000..09e8ea2db --- /dev/null +++ b/contrib/cygwin/Makefile 
@@ -0,0 +1,56 @@
+srcdir=../..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+
+DESTDIR=
+
+all:
+ @echo
+ @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+ @echo "Be sure having DESTDIR set correctly!"
+ @echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+ mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+ mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+ rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-sshdoc:
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+ $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+ $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+ $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+ $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+ $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+ $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+ $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+ $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
+ $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff
+ $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+ $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
+
+install-cygwindoc: README
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+ $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+ $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+ $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts
+ @echo "Cygwin specific configuration finished."
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index ec58964c9..1cc6ae65c 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
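Review bot: `remove-empty-dir` runs `rm -rf $(DESTDIR)$(PRIVSEP_PATH)` and `move-config-files` moves `$(DESTDIR)$(sysconfdir)/ssh_config` and `sshd_config` out of `/etc`, so with `DESTDIR` left at its empty default (`DESTDIR=` in this file) `make cygwin-postinstall` deletes the live `/var/empty` privsep chroot and relocates the host's real config files, and the only protection is the warning printed by `all`. A hard check as the first recipe line of those two targets, `@test -n "$(DESTDIR)" || { echo "DESTDIR must point at the package staging directory" >&2; exit 1; }`, turns that into an error instead. None of the targets name files, so `.PHONY: all move-config-files remove-empty-dir install-sshdoc install-cygwindoc install-doc install-scripts cygwin-postinstall` should be declared, and listing the two config files as prerequisites of `move-config-files` makes a second run fail with "No rule to make target" rather than a clear message. The recipe lines appear here with a leading space; they must start with a tab, which may only be an artefact of how this diff was rendered.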
@@ -1,4 +1,49 @@ -This package is the actual port of OpenSSH to Cygwin 1.5. +This package describes important Cygwin specific stuff concerning OpenSSH. + +The binary package is usually built for recent Cygwin versions and might +not run on older versions. Please check http://cygwin.com/ for information +about current Cygwin releases. + +Build instructions are at the end of the file. + +=========================================================================== +Important change since 3.7.1p2-2: + +The ssh-host-config file doesn't create the /etc/ssh_config and +/etc/sshd_config files from builtin here-scripts anymore, but it uses +skeleton files installed in /etc/defaults/etc. + +Also it now tries hard to create appropriate permissions on files. +Same applies for ssh-user-config. + +After creating the sshd service with ssh-host-config, it's advisable to +call ssh-user-config for all affected users, also already exising user +configurations. In the latter case, file and directory permissions are +checked and changed, if requireed to match the host configuration. + +Important note for Windows 2003 Server users: +--------------------------------------------- + +2003 Server has a funny new feature. When starting services under SYSTEM +account, these services have nearly all user rights which SYSTEM holds... +except for the "Create a token object" right, which is needed to allow +public key authentication :-( + +There's no way around this, except for creating a substitute account which +has the appropriate privileges. Basically, this account should be member +of the administrators group, plus it should have the following user rights: + + Create a token object + Logon as a service + Replace a process level token + Increase Quota + +The ssh-host-config script asks you, if it should create such an account, +called "sshd_server". If you say "no" here, you're on your own. Please +follow the instruction in ssh-host-config exactly if possible. 
Note that +ssh-user-config sets the permissions on 2003 Server machines dependent of +whether a sshd_server account exists or not. +=========================================================================== =========================================================================== Important change since 3.4p1-2: 
@@ -114,54 +159,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file: ssh 22/tcp #SSH daemon -=========================================================================== -The following restrictions only apply to Cygwin versions up to 1.3.1 -=========================================================================== - -Authentication to sshd is possible in one of two ways. -You'll have to decide before starting sshd! - -- If you want to authenticate via RSA and you want to login to that - machine to exactly one user account you can do so by running sshd - under that user account. You must change /etc/sshd_config - to contain the following: - - RSAAuthentication yes - - Moreover it's possible to use rhosts and/or rhosts with - RSA authentication by setting the following in sshd_config: - - RhostsAuthentication yes - RhostsRSAAuthentication yes - -- If you want to be able to login to different user accounts you'll - have to start sshd under system account or any other account that - is able to switch user context. Note that administrators are _not_ - able to do that by default! You'll have to give the following - special user rights to the user: - "Act as part of the operating system" - "Replace process level token" - "Increase quotas" - and if used via service manager - "Logon as a service". - - The system account does of course own that user rights by default. - - Unfortunately, if you choose that way, you can only logon with - NT password authentification and you should change - /etc/sshd_config to contain the following: - - PasswordAuthentication yes - RhostsAuthentication no - RhostsRSAAuthentication no - RSAAuthentication no - - However you can login to the user which has started sshd with - RSA authentication anyway. If you want that, change the RSA - authentication setting back to "yes": - - RSAAuthentication yes - Please note that OpenSSH does never use the value of $HOME to search for the users configuration files! 
It always uses the value of the pw_dir field in /etc/passwd as the home directory. @@ -169,7 +166,7 @@ If no home diretory is set in /etc/passwd, the root directory is used instead! You may use all features of the CYGWIN=ntsec setting the same -way as they are used by the `login' port on sources.redhat.com: +way as they are used by Cygwin's login(1) port: The pw_gecos field may contain an additional field, that begins with (upper case!) "U-", followed by the domain and the username @@ -186,6 +183,8 @@ way as they are used by the `login' port on sources.redhat.com: locuser::1104:513:John Doe,U-user,S-1-5-21-... +Note that the CYGWIN=ntsec setting is required for public key authentication. + SSH2 server and user keys are generated by the `ssh-*-config' scripts as well. @@ -194,15 +193,30 @@ configure are used for the Cygwin binary distribution: --prefix=/usr \ --sysconfdir=/etc \ - --libexecdir='${exec_prefix}/sbin' + --libexecdir='$(sbindir)' \ + --localstatedir=/var \ + --datadir='$(prefix)/share' \ + --mandir='$(datadir)/man' \ + --with-tcp-wrappers -You must have installed the zlib and openssl packages to be able to +If you want to create a Cygwin package, equivalent to the one +in the Cygwin binary distribution, install like this: + + mkdir /tmp/cygwin-ssh + cd $(builddir) + make install DESTDIR=/tmp/cygwin-ssh + cd $(srcdir)/contrib/cygwin + make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh + cd /tmp/cygwin-ssh + find * \! -type d | tar cvjfT my-openssh.tar.bz2 - + +You must have installed the zlib and openssl-devel packages to be able to build OpenSSH! Please send requests, error reports etc. to cygwin@cygwin.com. Have fun, -Corinna Vinschen +Corinna Vinschen Cygwin Developer Red Hat Inc. diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index c69cfd88b..18793ca85 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/bash # -# ssh-host-config, Copyright 2000, Red Hat Inc. +# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. @@ -9,10 +9,7 @@ PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc - -# Subdirectory where an old package might be installed -OLDPREFIX=/usr/local -OLDSYSCONFDIR=${OLDPREFIX}/etc +LOCALSTATEDIR=/var progname=$0 auto_answer="" @@ -27,9 +24,11 @@ request() { if [ "${auto_answer}" = "yes" ] then + echo "$1 (yes/no) yes" return 0 elif [ "${auto_answer}" = "no" ] then + echo "$1 (yes/no) no" return 1 fi @@ -37,7 +36,7 @@ request() while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " - read answer + read -e answer done if [ "X${answer}" = "Xyes" ] then @@ -60,7 +59,7 @@ do option=$1 shift - case "$option" in + case "${option}" in -d | --debug ) set -x ;; @@ -73,21 +72,33 @@ do auto_answer=no ;; + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + -p | --port ) port_number=$1 shift ;; + -w | --pwd ) + password_value="$1" + shift + ;; + *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" - echo " --debug -d Enable shell's debug output." - echo " --yes -y Answer all questions with \"yes\" automatically." - echo " --no -n Answer all questions with \"no\" automatically." - echo " --port -p sshd listens on port n." + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --port -p sshd listens on port n." + echo " --pwd -w Use \"pwd\" as password for user 'sshd_server'." echo exit 1 ;; 
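Review bot: `-w`/`--pwd` takes the sshd_server password as a command-line argument (`password_value="$1"`), so it lands in the shell history and is visible in the process list to other local users for the lifetime of the script, which later (outside this hunk) also forwards it on the `net user` and `cygrunsrv -I -w` command lines. For unattended use, reading it from a file or an environment variable avoids the history/process-listing exposure; at minimum the usage text should say so, e.g. `echo "  --pwd    -w Use \"pwd\" as password for user 'sshd_server' (visible to other local users)."`. `-c`, `-p` and `-w` also take `$1` without checking that an argument follows, so `--pwd` as the last option silently sets an empty password and `shift` fails; a guard such as `[ $# -gt 0 ] || { echo "${option} requires an argument"; exit 1; }` before each `shift` would catch that. The option loop's head is outside this hunk.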
@@ -96,8 +107,13 @@ do done # Check if running on NT -_sys="`uname -a`" -_nt=`expr "$_sys" : "CYGWIN_NT"` +_sys="`uname`" +_nt=`expr "${_sys}" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ ${_nt} -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running 
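Review bot: `_nt2003` is only assigned inside `if [ ${_nt} -gt 0 ]`, and the later tests on it are unquoted numeric comparisons (`[ $_nt2003 -gt 0 -a … ]`), which become a `test` syntax error if the variable is ever empty; the uses I can see are themselves inside NT-only branches, so this is defensive, but an explicit `_nt2003=0` before the `if` keeps the variable a number on every platform. The awk expression `$2 >= 5.2` compares the `CYGWIN_NT-x.y` suffix numerically, which works for the 5.x/6.x versions that exist but would misorder a hypothetical two-digit minor; a comment stating that assumption (`# uname is CYGWIN_NT-<major>.<minor>; 5.2 is 2003 Server`) would help the next reader.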
@@ -137,87 +153,33 @@ fi # Create /var/log and /var/log/lastlog if not already existing -if [ -f /var/log ] +if [ -f ${LOCALSTATEDIR}/log ] then - echo "Creating /var/log failed\!" + echo "Creating ${LOCALSTATEDIR}/log failed!" else - if [ ! -d /var/log ] + if [ ! -d ${LOCALSTATEDIR}/log ] then - mkdir -p /var/log + mkdir -p ${LOCALSTATEDIR}/log fi - if [ -d /var/log/lastlog ] + if [ -d ${LOCALSTATEDIR}/log/lastlog ] then - echo "Creating /var/log/lastlog failed\!" - elif [ ! -f /var/log/lastlog ] + chmod 777 ${LOCALSTATEDIR}/log/lastlog + elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] then - cat /dev/null > /var/log/lastlog + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 666 ${LOCALSTATEDIR}/log/lastlog fi fi # Create /var/empty file used as chroot jail for privilege separation -if [ -f /var/empty ] +if [ -f ${LOCALSTATEDIR}/empty ] then - echo "Creating /var/empty failed\!" + echo "Creating ${LOCALSTATEDIR}/empty failed!" else - mkdir -p /var/empty - # On NT change ownership of that dir to user "system" - if [ $_nt -gt 0 ] + mkdir -p ${LOCALSTATEDIR}/empty + if [ ${_nt} -gt 0 ] then - chmod 755 /var/empty - chown system.system /var/empty - fi -fi - -# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't -# the same as ${PREFIX} - -old_install=0 -if [ "${OLDPREFIX}" != "${PREFIX}" ] -then - if [ -f "${OLDPREFIX}/sbin/sshd" ] - then - echo - echo "You seem to have an older installation in ${OLDPREFIX}." - echo - # Check if old global configuration files exist - if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] - then - if request "Do you want to copy your config files to your new installation?" 
- then - cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} - fi - fi - if request "Do you want to erase your old installation?" - then - rm -f ${OLDPREFIX}/bin/ssh.exe - rm -f ${OLDPREFIX}/bin/ssh-config - rm -f ${OLDPREFIX}/bin/scp.exe - rm -f ${OLDPREFIX}/bin/ssh-add.exe - rm -f ${OLDPREFIX}/bin/ssh-agent.exe - rm -f ${OLDPREFIX}/bin/ssh-keygen.exe - rm -f ${OLDPREFIX}/bin/slogin - rm -f ${OLDSYSCONFDIR}/ssh_host_key - rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_config - rm -f ${OLDSYSCONFDIR}/sshd_config - rm -f ${OLDPREFIX}/man/man1/ssh.1 - rm -f ${OLDPREFIX}/man/man1/scp.1 - rm -f ${OLDPREFIX}/man/man1/ssh-add.1 - rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 - rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 - rm -f ${OLDPREFIX}/man/man1/slogin.1 - rm -f ${OLDPREFIX}/man/man8/sshd.8 - rm -f ${OLDPREFIX}/sbin/sshd.exe - rm -f ${OLDPREFIX}/sbin/sftp-server.exe - fi - old_install=1 + chmod 755 ${LOCALSTATEDIR}/empty fi fi 
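Review bot: An existing `lastlog` directory is now made mode 777 and a freshly created `lastlog` file mode 666, where the previous code refused to continue when it found a directory; world-writable lastlog lets any local account rewrite or truncate other users' last-login records, which sshd reports at login when `PrintLastLog` is on. In OpenSSH the login record is written from the privileged side, so if sshd is the only writer, owner write for the service account plus `644`/`755` would be enough; I can't tell from this hunk whether something else on Cygwin must write it, so if the open modes are deliberate a comment saying why should sit next to the two `chmod` lines, e.g. `# world-writable on purpose: <who> writes lastlog as the logged-in user`. If the directory form really has to be shared, `chmod 1777` at least stops users deleting or renaming each other's entries.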
@@ -255,52 +217,16 @@ then fi fi -# Create default ssh_config from here script +# Create default ssh_config from skeleton file in /etc/defaults/etc if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" - cat > ${SYSCONFDIR}/ssh_config << EOF -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for various options - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_rsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc -# EscapeChar ~ -EOF - if [ "$port_number" != "22" ] + cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config + if [ "${port_number}" != "22" ] then echo "Host localhost" >> ${SYSCONFDIR}/ssh_config - echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config fi fi 
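Review bot: The skeleton copy `cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config` is not checked; if `/etc/defaults/etc/ssh_config` is missing (an install that never ran `make cygwin-postinstall`, which is what moves the file there), the script prints "Generating …" and then the `Host localhost` branch creates a config that consists only of those two lines. Guarding the copy, `cp … || { echo "${SYSCONFDIR}/defaults/etc/ssh_config is missing!"; exit 1; }`, makes that failure visible. `${port_number}` comes straight from `-p` and is written into the config unvalidated; a `case "${port_number}" in ''|*[!0-9]*) echo "Invalid port"; exit 1;; esac` at option parsing would keep it numeric here and in the sshd_config sed later in the script.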
@@ -322,35 +248,35 @@ fi # Prior to creating or modifying sshd_config, care for privilege separation -if [ "$privsep_configured" != "yes" ] +if [ "${privsep_configured}" != "yes" ] then - if [ $_nt -gt 0 ] + if [ ${_nt} -gt 0 ] then echo "Privilege separation is set to yes by default since OpenSSH 3.3." echo "However, this requires a non-privileged account called 'sshd'." - echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." + echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." echo - if request "Shall privilege separation be used?" + if request "Should privilege separation be used?" then privsep_used=yes grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes net user sshd >/dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_passwd" != "yes" ] + if [ "${sshd_in_passwd}" != "yes" ] then - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: The following function requires administrator privileges!" - if request "Shall this script create a local user 'sshd' on this machine?" + if request "Should this script create a local user 'sshd' on this machine?" then - dos_var_empty=`cygpath -w /var/empty` - net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_sam" != "yes" ] + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Creating the user 'sshd' failed!" fi fi fi - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" echo " Privilege separation set to 'no' again!" 
@@ -365,117 +291,41 @@ then fi else # On 9x don't use privilege separation. Since security isn't - # available it just adds useless addtional processes. + # available it just adds useless additional processes. privsep_used=no fi fi -# Create default sshd_config from here script or modify to add the -# missing privsep configuration option +# Create default sshd_config from skeleton files in /etc/defaults/etc or +# modify to add the missing privsep configuration option if [ ! -f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" - cat > ${SYSCONFDIR}/sshd_config << EOF -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -Port $port_number -#Protocol 2,1 -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey ${SYSCONFDIR}/ssh_host_key -# HostKeys for protocol version 2 -#HostKey ${SYSCONFDIR}/ssh_host_rsa_key -#HostKey ${SYSCONFDIR}/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -#obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -# The following setting overrides permission checks on host key files -# and directories. For security reasons set this to "yes" when running -# NT/W2K, NTFS and CYGWIN=ntsec. 
-StrictModes no - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#KeepAlive yes -#UseLogin no -UsePrivilegeSeparation $privsep_used -#PermitUserEnvironment no -#Compression yes -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/sbin/sftp-server -EOF -elif [ "$privsep_configured" != "yes" ] + sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + s/^#Port 22/Port ${port_number}/ + s/^#StrictModes yes/StrictModes no/" \ + < ${SYSCONFDIR}/defaults/etc/sshd_config \ + > ${SYSCONFDIR}/sshd_config +elif [ "${privsep_configured}" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config - echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config + echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config fi # Care for services file _my_etcdir="/ssh-host-config.$$" -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" _services="${_my_etcdir}/services" + # On NT, 27 spaces, no space after the hash + _spaces=" #" else _win_etcdir="${WINDIR}" 
_services="${_my_etcdir}/SERVICES" + # On 9x, 18 spaces (95 is very touchy), a space after the hash + _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" @@ -494,29 +344,28 @@ then then echo "Removing sshd from ${_wservices}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi fi # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" - if [ -f "${_serv_tmp}" ] + if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then if mv "${_serv_tmp}" "${_services}" then echo "Added ssh to ${_wservices}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "WARNING: Adding ssh to ${_wservices} failed!" fi fi @@ -541,11 +390,11 @@ then then echo "Removed sshd from ${_inetcnf}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi fi 
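Review bot: The sed that instantiates sshd_config forces `StrictModes no` on every platform (`s/^#StrictModes yes/StrictModes no/`), which switches off sshd's refusal to use a home directory, `~/.ssh` or `authorized_keys` that is group- or world-writable; the removed here-document at least carried a comment advising `yes` on NT with NTFS and CYGWIN=ntsec, and that rationale disappears with it. Since this update now sets those permissions itself (ssh-user-config revokes g-w,o-w on the home directory and applies ACLs to `.ssh`) and defaults CYGWIN to `ntsec`, consider keying the substitution on the platform — keep the skeleton's `StrictModes yes` when `${_nt} -gt 0` and rewrite it to `no` only on 9x — or at least emit a comment into the generated file saying why it is off. The `Port` substitution interpolates `${port_number}` into the sed expression unescaped, so a value containing `/` or `&` breaks the script; validating it as digits during option parsing covers that. The `elif` appending `UsePrivilegeSeparation` to an existing config also inherits whatever `StrictModes` that file has, so the two code paths produce different security settings for the same machine.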
@@ -563,34 +412,181 @@ then fi # On NT ask if sshd should be installed as service -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then - echo - echo "Do you want to install sshd as service?" - if request "(Say \"no\" if it's already installed as service)" + # But only if it is not already installed + if ! cygrunsrv -Q sshd > /dev/null 2>&1 then echo - echo "Which value should the environment variable CYGWIN have when" - echo "sshd starts? It's recommended to set at least \"ntsec\" to be" - echo "able to change user context without password." - echo -n "Default is \"binmode ntsec tty\". CYGWIN=" - read _cygwin - [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + echo + echo "Warning: The following functions require administrator privileges!" + echo + echo "Do you want to install sshd as service?" + if request "(Say \"no\" if it's already installed as service)" then - chown system ${SYSCONFDIR}/ssh* - echo - echo "The service has been installed under LocalSystem account." + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes + if [ "${sshd_server_in_passwd}" = "yes" ] + then + # Drop sshd_server from passwd since it could have wrong settings + grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ + rm -f ${SYSCONFDIR}/passwd + mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd + chmod g-w,o-w ${SYSCONFDIR}/passwd + fi + net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo + echo "You appear to be running Windows 2003 Server or later. On 2003 and" + echo "later systems, it's not possible to use the LocalSystem account" + echo "if sshd should allow passwordless logon (e. g. public key authentication)." 
+ echo "If you want to enable that functionality, it's required to create a new" + echo "account 'sshd_server' with special privileges, which is then used to run" + echo "the sshd service under." + echo + echo "Should this script create a new local account 'sshd_server' which has" + if request "the required privileges?" + then + _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` + if [ -z "${_admingroup}" ] + then + echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" + echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" + echo "and restart this script." + exit 1 + fi + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + while [ "${sshd_server_in_sam}" != "yes" ] + do + if [ -n "${password_value}" ] + then + _password="${password_value}" + # Allow to ask for password if first try fails + password_value="" + else + echo + echo "Please enter a password for new user 'sshd_server'. Please be sure that" + echo "this password matches the password rules given on your system." + echo -n "Entering no password will exit the configuration. PASSWORD=" + read -e _password + if [ -z "${_password}" ] + then + echo + echo "Exiting configuration. No user sshd_server has been created," + echo "no sshd service installed." + exit 1 + fi + fi + net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo "Creating the user 'sshd_server' failed! Reason:" + cat /tmp/nu.$$ + rm /tmp/nu.$$ + fi + done + net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes + if [ "${sshd_server_in_admingroup}" != "yes" ] + then + echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" + echo "Please add sshd_server to local group ${_admingroup} before" + echo "starting the sshd service!" 
+ echo + fi + passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` + if [ "${passwd_has_expiry_flags}" != "yes" ] + then + echo + echo "WARNING: User sshd_server has password expiry set to system default." + echo "Please check that password never expires or set it to your needs." + elif ! passwd -e sshd_server + then + echo + echo "WARNING: Setting password expiry for user sshd_server failed!" + echo "Please check that password never expires or set it to your needs." + fi + editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && + editrights -a SeCreateTokenPrivilege -u sshd_server && + editrights -a SeDenyInteractiveLogonRight -u sshd_server && + editrights -a SeDenyNetworkLogonRight -u sshd_server && + editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && + editrights -a SeIncreaseQuotaPrivilege -u sshd_server && + editrights -a SeServiceLogonRight -u sshd_server && + sshd_server_got_all_rights="yes" + if [ "${sshd_server_got_all_rights}" != "yes" ] + then + echo + echo "Assigning the appropriate privileges to user 'sshd_server' failed!" + echo "Can't create sshd service!" + exit 1 + fi + echo + echo "User 'sshd_server' has been created with password '${_password}'." + echo "If you change the password, please keep in mind to change the password" + echo "for the sshd service, too." + echo + echo "Also keep in mind that the user sshd_server needs read permissions on all" + echo "users' .ssh/authorized_keys file to allow public key authentication for" + echo "these users!. (Re-)running ssh-user-config for each user will set the" + echo "required permissions correctly." + echo + fi + fi + if [ "${sshd_server_in_sam}" = "yes" ] + then + mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd + fi + fi + if [ -n "${cygwin_value}" ] + then + _cygwin="${cygwin_value}" + else + echo + echo "Which value should the environment variable CYGWIN have when" + echo "sshd starts? 
It's recommended to set at least \"ntsec\" to be" + echo "able to change user context without password." + echo -n "Default is \"ntsec\". CYGWIN=" + read -e _cygwin + fi + [ -z "${_cygwin}" ] && _cygwin="ntsec" + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under sshd_server account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + else + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under LocalSystem account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + fi + fi + # Now check if sshd has been successfully installed. This allows to + # set the ownership of the affected files correctly. + if cygrunsrv -Q sshd > /dev/null 2>&1 + then + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + _user="sshd_server" + else + _user="system" + fi + chown "${_user}" ${SYSCONFDIR}/ssh* + chown "${_user}".544 ${LOCALSTATEDIR}/empty + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log + fi fi fi fi -if [ "${old_install}" = "1" ] -then - echo - echo "Note: If you have used sshd as service or from inetd, don't forget to" - echo " change the path to sshd.exe in the service entry or in inetd.conf." -fi - echo echo "Host configuration finished. Have fun!" diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 4da113181..fe07ce360 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config 
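Review bot: When `sshd_server` already exists in the SAM (`net user sshd_server` succeeds — e.g. the account was left behind by an earlier run that aborted at `editrights`), the whole creation branch is skipped, so `_password` is never set and the service is installed with `cygrunsrv -I sshd … -u sshd_server -w ""`; `--pwd` is ignored on that path too, since `password_value` is only read inside the creation loop. The rights assignment is skipped along with it, so a half-configured account that is already in the administrators group but never received the `SeDeny*Logon` restrictions is used as-is. Obtaining the password for a pre-existing account and running the `editrights` block whenever `sshd_server_in_sam` is yes (assuming `editrights -a` tolerates rights already held — worth confirming) closes both gaps, as sketched below. Separately, `echo "User 'sshd_server' has been created with password '${_password}'."` writes the password to the terminal and any log of the session, and `read -e _password` echoes it while typing; dropping it from the message and using `read -es` (if the bash in use supports `-s`) avoids that. The `> /tmp/nu.$$` capture of `net user` output uses a predictable name in a shared directory and is only removed on the failure path.
```bash
# … unchanged: sshd_server creation loop, admin-group membership, password-expiry handling …
if [ "${sshd_server_in_sam}" = "yes" ]
then
  if [ -z "${_password}" ]
  then
    # Account pre-existed (possibly from an aborted run): the service install still needs its password
    if [ -n "${password_value}" ]
    then
      _password="${password_value}"
    else
      echo -n "Please enter the password of the existing user 'sshd_server'. PASSWORD="
      read -es _password; echo
    fi
  fi
  # (Re-)assign the rights on every run so an aborted earlier run cannot leave them unset
  # TODO confirm editrights -a is a no-op for a right already held
  editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
  editrights -a SeCreateTokenPrivilege -u sshd_server &&
  editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
  editrights -a SeDenyNetworkLogonRight -u sshd_server &&
  editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
  editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
  editrights -a SeServiceLogonRight -u sshd_server &&
  sshd_server_got_all_rights="yes"
  # … unchanged: abort when not all rights were assigned, mkpasswd append to passwd …
fi
```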
@@ -1,9 +1,12 @@ #!/bin/sh # -# ssh-user-config, Copyright 2000, Red Hat Inc. +# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. +# Directory where the config files are stored +SYSCONFDIR=/etc + progname=$0 auto_answer="" auto_passphrase="no" @@ -33,6 +36,15 @@ request() fi } +# Check if running on NT +_sys="`uname -a`" +_nt=`expr "$_sys" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ $_nt -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi + # Check options while : @@ -84,27 +96,27 @@ done # Ask user if user identity should be generated -if [ ! -f /etc/passwd ] +if [ ! -f ${SYSCONFDIR}/passwd ] then - echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file' + echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" echo 'first using mkpasswd. Check if it contains an entry for you and' echo 'please care for the home directory in your entry as well.' exit 1 fi uid=`id -u` -pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd` +pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` if [ "X${pwdhome}" = "X" ] then - echo 'There is no home directory set for you in /etc/passwd.' + echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." echo 'Setting $HOME is not sufficient!' exit 1 fi if [ ! -d "${pwdhome}" ] then - echo "${pwdhome} is set in /etc/passwd as your home directory" + echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" echo 'but it is not a valid directory. Cannot create user identity files.' exit 1 fi 
@@ -114,7 +126,7 @@ fi if [ "X${pwdhome}" = "X/" ] then # But first raise a warning! - echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!' + echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" if request "Would you like to proceed anyway?" then pwdhome='' @@ -123,6 +135,17 @@ then fi fi +if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] +then + echo + echo 'WARNING: group and other have been revoked write permission to your home' + echo " directory ${pwdhome}." + echo ' This is required by OpenSSH to allow public key authentication using' + echo ' the key files stored in your .ssh subdirectory.' + echo ' Revert this change ONLY if you know what you are doing!' + echo +fi + if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] then echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." @@ -139,6 +162,21 @@ then fi fi +if [ $_nt -gt 0 ] +then + _user="system" + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" + fi + if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" + then + echo "${pwdhome}/.ssh couldn't be given the correct permissions." + echo "Please try to solve this problem first." + exit 1 + fi +fi + if [ ! -f "${pwdhome}/.ssh/identity" ] then if request "Shall I create an SSH1 RSA identity file for you?" @@ -196,5 +234,17 @@ then fi fi +if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] +then + if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" + then + echo + echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" + echo "failed. Please care for the correct permissions. The minimum requirement" + echo "is, the owner and ${_user} both need read permissions." + echo + fi +fi + echo echo "Configuration finished. Have fun!"
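Review bot: The ACL applied to `${pwdhome}/.ssh` gives the service account only `u:${_user}:r--`, i.e. list but no traverse permission on the directory, while `authorized_keys` inside it is later granted `r--`; under POSIX semantics opening a file inside a directory requires `x` on that directory, so `u:${_user}:r-x` is the entry that actually expresses "sshd may read the key files". On Windows this presumably works anyway because accounts hold SeChangeNotifyPrivilege (bypass traverse checking) by default, but that is an environmental assumption that deserves either the explicit `r-x` or a comment such as `# r-- suffices on Windows only because of bypass-traverse-checking`. `g::---,o::---` on `.ssh` and `g-w,o-w` on the home directory are the right direction if `StrictModes` is ever turned back on. Note that the `chmod -c g-w,o-w "${pwdhome}"` runs as a side effect of the `-n` test inside the `if` condition, which is easy to misread; assigning `_changed="$(chmod -c g-w,o-w "${pwdhome}")"` first and testing `-n "${_changed}"` would make the mutation explicit.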