- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
contrib/cygwin/ssh-user-config] Modernize and improve readability of the Cygwin README file (which hasn't been updated for ages), drop unsupported OSes from the ssh-host-config help text, and drop an unneeded option from ssh-user-config. Patch from vinschen at redhat com.
parent
b8ae92d08b
commit
b7482cff46
|
@ -1,3 +1,10 @@
|
|||
20130702
|
||||
- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
|
||||
contrib/cygwin/ssh-user-config] Modernizes and improve readability of
|
||||
the Cygwin README file (which hasn't been updated for ages), drop
|
||||
unsupported OSes from the ssh-host-config help text, and drop an
|
||||
unneeded option from ssh-user-config. Patch from vinschen at redhat com.
|
||||
|
||||
20130610
|
||||
- (djm) OpenBSD CVS Sync
|
||||
- dtucker@cvs.openbsd.org 2013/06/07 15:37:52
|
||||
|
|
|
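Review bot: the verb forms in the new ChangeLog entry are inconsistent ("Modernizes and improve readability ... drop ... and drop"); the neighbouring entries in this file use one imperative form throughout, so "Modernize and improve readability of the Cygwin README file (which hasn't been updated for ages), drop unsupported OSes from the ssh-host-config help text, and drop an unneeded option from ssh-user-config." would read cleanly. The rest of the entry is fine: it names all three touched files and credits the patch author.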
@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might
|
|||
not run on older versions. Please check http://cygwin.com/ for information
|
||||
about current Cygwin releases.
|
||||
|
||||
Build instructions are at the end of the file.
|
||||
|
||||
===========================================================================
|
||||
Important change since 3.7.1p2-2:
|
||||
|
||||
The ssh-host-config file doesn't create the /etc/ssh_config and
|
||||
/etc/sshd_config files from builtin here-scripts anymore, but it uses
|
||||
skeleton files installed in /etc/defaults/etc.
|
||||
|
||||
Also it now tries hard to create appropriate permissions on files.
|
||||
Same applies for ssh-user-config.
|
||||
|
||||
After creating the sshd service with ssh-host-config, it's advisable to
|
||||
call ssh-user-config for all affected users, also already exising user
|
||||
configurations. In the latter case, file and directory permissions are
|
||||
checked and changed, if requireed to match the host configuration.
|
||||
|
||||
Important note for Windows 2003 Server users:
|
||||
---------------------------------------------
|
||||
|
||||
2003 Server has a funny new feature. When starting services under SYSTEM
|
||||
account, these services have nearly all user rights which SYSTEM holds...
|
||||
except for the "Create a token object" right, which is needed to allow
|
||||
public key authentication :-(
|
||||
|
||||
There's no way around this, except for creating a substitute account which
|
||||
has the appropriate privileges. Basically, this account should be member
|
||||
of the administrators group, plus it should have the following user rights:
|
||||
|
||||
Create a token object
|
||||
Logon as a service
|
||||
Replace a process level token
|
||||
Increase Quota
|
||||
|
||||
The ssh-host-config script asks you, if it should create such an account,
|
||||
called "sshd_server". If you say "no" here, you're on your own. Please
|
||||
follow the instruction in ssh-host-config exactly if possible. Note that
|
||||
ssh-user-config sets the permissions on 2003 Server machines dependent of
|
||||
whether a sshd_server account exists or not.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 3.4p1-2:
|
||||
|
||||
This version adds privilege separation as default setting, see
|
||||
/usr/doc/openssh/README.privsep. According to that document the
|
||||
privsep feature requires a non-privileged account called 'sshd'.
|
||||
|
||||
The new ssh-host-config file which is part of this version asks
|
||||
to create 'sshd' as local user if you want to use privilege
|
||||
separation. If you confirm, it creates that NT user and adds
|
||||
the necessary entry to /etc/passwd.
|
||||
|
||||
On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
|
||||
since that feature doesn't make any sense on a system which doesn't
|
||||
differ between privileged and unprivileged users.
|
||||
|
||||
The new ssh-host-config script also adds the /var/empty directory
|
||||
needed by privilege separation. When creating the /var/empty directory
|
||||
by yourself, please note that in contrast to the README.privsep document
|
||||
the owner sshould not be "root" but the user which is running sshd. So,
|
||||
in the standard configuration this is SYSTEM. The ssh-host-config script
|
||||
chowns /var/empty accordingly.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 3.0.1p1-2:
|
||||
|
||||
This version introduces the ability to register sshd as service on
|
||||
Windows 9x/Me systems. This is done only when the options -D and/or
|
||||
-d are not given.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 2.9p2:
|
||||
|
||||
Since Cygwin is able to switch user context without password beginning
|
||||
with version 1.3.2, OpenSSH now allows to do so when it's running under
|
||||
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
|
||||
allow that feature.
|
||||
===========================================================================
|
||||
|
||||
===========================================================================
|
||||
Important change since 2.3.0p1:
|
||||
|
||||
When using `ntea' or `ntsec' you now have to care for the ownership
|
||||
and permission bits of your host key files and your private key files.
|
||||
The host key files have to be owned by the NT account which starts
|
||||
sshd. The user key files have to be owned by the user. The permission
|
||||
bits of the private key files (host and user) have to be at least
|
||||
rw------- (0600)!
|
||||
|
||||
Note that this is forced under `ntsec' only if the files are on a NTFS
|
||||
filesystem (which is recommended) due to the lack of any basic security
|
||||
features of the FAT/FAT32 filesystems.
|
||||
===========================================================================
|
||||
==================
|
||||
Host configuration
|
||||
==================
|
||||
|
||||
If you are installing OpenSSH the first time, you can generate global config
|
||||
files and server keys by running
|
||||
files and server keys, as well as installing sshd as a service, by running
|
||||
|
||||
/usr/bin/ssh-host-config
|
||||
|
||||
Note that this binary archive doesn't contain default config files in /etc.
|
||||
That files are only created if ssh-host-config is started.
|
||||
|
||||
If you are updating your installation you may run the above ssh-host-config
|
||||
as well to move your configuration files to the new location and to
|
||||
erase the files at the old location.
|
||||
|
||||
To support testing and unattended installation ssh-host-config got
|
||||
some options:
|
||||
|
||||
|
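Review bot: the removed "Important change since ..." blocks were the only place this README stated the ownership and permission requirements the scripts enforce (host key files owned by the NT account that starts sshd, private key files at most rw------- / 0600, and /var/empty owned by the user running sshd rather than root). Dropping the obsolete version history is right, but a short paragraph under "Host configuration" or "User configuration" should keep those requirements; otherwise a user who skips ssh-user-config after adding or reusing a key has no hint why public key authentication is refused. Two smaller points in the same region: the new sentence "Build instructions are at the end of the file." should name the heading actually used there ("Building OpenSSH"), and if the sentences "Note that this binary archive doesn't contain default config files in /etc. That files are only created if ssh-host-config is started." survive the rewrite, "That files" should become "Those files".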
@ -123,17 +26,26 @@ Options:
|
|||
--no -n Answer all questions with "no" automatically.
|
||||
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
|
||||
--port -p <n> sshd listens on port n.
|
||||
--pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
|
||||
--user -u <account> privileged user for service, default 'cyg_server'.
|
||||
--pwd -w <passwd> Use "pwd" as password for privileged user.
|
||||
--privileged On Windows XP, require privileged user
|
||||
instead of LocalSystem for sshd service.
|
||||
|
||||
Additionally ssh-host-config now asks if it should install sshd as a
|
||||
service when running under NT/W2K. This requires cygrunsrv installed.
|
||||
Installing sshd as daemon via ssh-host-config is recommended.
|
||||
|
||||
You can create the private and public keys for a user now by running
|
||||
Alternatively you can start sshd via inetd, if you have the inetutils
|
||||
package installed. Just run ssh-host-config, but answer "no" when asked
|
||||
to install sshd as service. The ssh-host-config script also adds the
|
||||
required lines to /etc/inetd.conf and /etc/services.
|
||||
|
||||
==================
|
||||
User configuration
|
||||
==================
|
||||
|
||||
Any user can simplify creating the own private and public keys by running
|
||||
|
||||
/usr/bin/ssh-user-config
|
||||
|
||||
under the users account.
|
||||
|
||||
To support testing and unattended installation ssh-user-config got
|
||||
some options as well:
|
||||
|
||||
|
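Review bot: the option table added here repeats the usage strings that ssh-host-config itself prints (the `--user -u <account> privileged user for service, default 'cyg_server'.`, `--pwd -w <passwd>` and `--privileged On Windows XP, ...` lines are the echo strings changed in the ssh-host-config hunk of this same commit), so the two copies will drift; either point the reader at the usage text the script prints or keep both in the same commit whenever one changes. The added "User configuration" text also has two grammar slips worth fixing now: "simplify creating the own private and public keys" should be "their own", and "under the users account" should be "under the user's account". Finally, the new inetd paragraph says ssh-host-config adds lines to /etc/inetd.conf and /etc/services, while the text being removed in the next hunk pointed at ${SYSTEMROOT}/system32/drivers/etc/services; make sure the path given matches the file the script actually edits.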
@ -144,88 +56,30 @@ Options:
|
|||
--no -n Answer all questions with "no" automatically.
|
||||
--passphrase -p word Use "word" as passphrase automatically.
|
||||
|
||||
Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
|
||||
(results in very slow deamon startup!) or from the command line (recommended
|
||||
on 9X/ME).
|
||||
|
||||
If you start sshd as deamon via cygrunsrv.exe you MUST give the
|
||||
"-D" option to sshd. Otherwise the service can't get started at all.
|
||||
|
||||
If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
|
||||
following line to your inetd.conf file:
|
||||
|
||||
ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
|
||||
|
||||
Moreover you'll have to add the following line to your
|
||||
${SYSTEMROOT}/system32/drivers/etc/services file:
|
||||
|
||||
ssh 22/tcp #SSH daemon
|
||||
|
||||
Please note that OpenSSH does never use the value of $HOME to
|
||||
search for the users configuration files! It always uses the
|
||||
value of the pw_dir field in /etc/passwd as the home directory.
|
||||
If no home diretory is set in /etc/passwd, the root directory
|
||||
is used instead!
|
||||
|
||||
You may use all features of the CYGWIN=ntsec setting the same
|
||||
way as they are used by Cygwin's login(1) port:
|
||||
================
|
||||
Building OpenSSH
|
||||
================
|
||||
|
||||
The pw_gecos field may contain an additional field, that begins
|
||||
with (upper case!) "U-", followed by the domain and the username
|
||||
separated by a backslash.
|
||||
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
|
||||
BTW: The field separator in pw_gecos is the comma.
|
||||
The username in pw_name itself may be any nice name:
|
||||
Building from source is easy. Just unpack the source archive, cd to that
|
||||
directory, and call cygport:
|
||||
|
||||
domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
|
||||
cygport openssh.cygport almostall
|
||||
|
||||
Now you may use `domuser' as your login name with telnet!
|
||||
This is possible additionally for local users, if you don't like
|
||||
your NT login name ;-) You only have to leave out the domain:
|
||||
You must have installed the following packages to be able to build OpenSSH
|
||||
with the aforementioned cygport script:
|
||||
|
||||
locuser::1104:513:John Doe,U-user,S-1-5-21-...
|
||||
|
||||
Note that the CYGWIN=ntsec setting is required for public key authentication.
|
||||
|
||||
SSH2 server and user keys are generated by the `ssh-*-config' scripts
|
||||
as well.
|
||||
|
||||
If you want to build from source, the following options to
|
||||
configure are used for the Cygwin binary distribution:
|
||||
|
||||
--prefix=/usr \
|
||||
--sysconfdir=/etc \
|
||||
--libexecdir='${sbindir}' \
|
||||
--localstatedir=/var \
|
||||
--datadir='${prefix}/share' \
|
||||
--mandir='${datadir}/man' \
|
||||
--infodir='${datadir}/info'
|
||||
--with-tcp-wrappers
|
||||
--with-libedit
|
||||
|
||||
If you want to create a Cygwin package, equivalent to the one
|
||||
in the Cygwin binary distribution, install like this:
|
||||
|
||||
mkdir /tmp/cygwin-ssh
|
||||
cd ${builddir}
|
||||
make install DESTDIR=/tmp/cygwin-ssh
|
||||
cd ${srcdir}/contrib/cygwin
|
||||
make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
|
||||
cd /tmp/cygwin-ssh
|
||||
find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
|
||||
|
||||
You must have installed the following packages to be able to build OpenSSH:
|
||||
|
||||
- zlib
|
||||
- openssl-devel
|
||||
|
||||
If you want to build with --with-tcp-wrappers, you also need the package
|
||||
|
||||
- tcp_wrappers
|
||||
|
||||
If you want to build with --with-libedit, you also need the package
|
||||
|
||||
- libedit-devel
|
||||
zlib
|
||||
crypt
|
||||
openssl-devel
|
||||
libwrap-devel
|
||||
libedit-devel
|
||||
libkrb5-devel
|
||||
|
||||
Please send requests, error reports etc. to cygwin@cygwin.com.
|
||||
|
||||
|
|
|
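Review bot: the new package list at the end ("zlib, crypt, openssl-devel, libwrap-devel, libedit-devel, libkrb5-devel") no longer says which packages are optional, whereas the removed text made clear that tcp_wrappers and libedit were only needed when configuring with --with-tcp-wrappers / --with-libedit; either note that libwrap-devel, libedit-devel and libkrb5-devel are only required for the corresponding configure options, or state that openssh.cygport enables all of them so the full list is mandatory for a package-equivalent build. Also dropped from the README is the note that OpenSSH never uses $HOME but resolves the home directory from the pw_dir field in /etc/passwd, falling back to the root directory when pw_dir is empty; that determines where sshd looks for a user's configuration files and keys, and deserves one sentence under "User configuration" rather than silent removal. The retained "Please send requests, error reports etc. to cygwin@cygwin.com." line is fine.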
@ -606,9 +606,9 @@ do
|
|||
echo " --no -n Answer all questions with \"no\" automatically."
|
||||
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
|
||||
echo " --port -p <n> sshd listens on port n."
|
||||
echo " --user -u <account> privileged user for service."
|
||||
echo " --user -u <account> privileged user for service, default 'cyg_server'."
|
||||
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
|
||||
echo " --privileged On Windows NT/2k/XP, require privileged user"
|
||||
echo " --privileged On Windows XP, require privileged user"
|
||||
echo " instead of LocalSystem for sshd service."
|
||||
echo
|
||||
exit 1
|
||||
|
|
|
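Review bot: the two replaced echo lines are copied verbatim into the README option table elsewhere in this commit, so please keep them identical and consider having the README defer to this usage output rather than duplicating it. The change itself is consistent: the default 'cyg_server' is now visible in the help, which matches the `--pwd -w <passwd> Use "pwd" as password for privileged user.` line two lines below, and narrowing `--privileged` to "On Windows XP" agrees with the ChangeLog's "drop unsupported OSes from the ssh-host-config help text".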
@ -222,10 +222,6 @@ do
|
|||
shift
|
||||
;;
|
||||
|
||||
--privileged )
|
||||
csih_FORCE_PRIVILEGED_USER=yes
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "usage: ${PROGNAME} [OPTION]..."
|
||||
echo
|
||||
|
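Review bot: removing the `--privileged )` case means that argument now falls through to the `*)` branch, which prints the usage text and exits 1, so any existing automation that passes --privileged to ssh-user-config (it was a documented option until this commit) will start failing; if that is intended, the ChangeLog should say more than "drop an unneeded option", otherwise accept and ignore the flag for one release. Also confirm that `csih_FORCE_PRIVILEGED_USER` is not read anywhere else in ssh-user-config now that nothing sets it.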
@ -236,8 +232,6 @@ do
|
|||
echo " --yes -y Answer all questions with \"yes\" automatically."
|
||||
echo " --no -n Answer all questions with \"no\" automatically."
|
||||
echo " --passphrase -p word Use \"word\" as passphrase automatically."
|
||||
echo " --privileged On Windows NT/2k/XP, assume privileged user"
|
||||
echo " instead of LocalSystem for sshd service."
|
||||
echo
|
||||
exit 1
|
||||
;;
|
||||
|
|
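Review bot: the help text removal matches the parser change above, so nothing blocks here; one style point while the usage block is being touched: the remaining `--passphrase -p word` line is the only option whose argument is not written in angle brackets (`<n>`, `<account>`, `<passwd>` elsewhere), so `<word>` would be consistent, and the same applies to the README copy of this table.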