#!/bin/bash
#
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# ======================================================================
# Initialization
# ======================================================================

# Path of the csih helper library that provides the csih_* functions
# (informational output, prompting, user creation, sanity checks).
CSIH_SCRIPT='/usr/share/csih/cygwin-service-installation-helper.sh'

# List of apps used.  This is checked for existence in csih_sanity_check.
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
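declare -a csih_required_commands=(
  /usr/bin/basename coreutils
  /usr/bin/cat coreutils
  /usr/bin/chmod coreutils
  /usr/bin/dirname coreutils
  /usr/bin/id coreutils
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/cygpath cygwin
  /usr/bin/mkpasswd cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
  /usr/bin/awk gawk
  /usr/bin/ssh-keygen openssh
  /usr/sbin/sshd openssh
  /usr/bin/sed sed
)
# NOTE(review): chown, cygrunsrv and editrights are also invoked further down
# but are not listed above, so their absence is only noticed when the call
# itself fails.
csih_sanity_check_server=yes
source "${CSIH_SCRIPT}"

PROGNAME=$(/usr/bin/basename "$0")
_tdir=$(/usr/bin/dirname "$0")
PROGDIR=$(cd "${_tdir}" && pwd)

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

# Script-wide state, filled in by option parsing and the routines below.
sshd_config_configured=no   # "yes" once sshd_config differs from the shipped default
port_number=22              # -p/--port
strictmodes=yes             # decided in sshd_strictmodes
privsep_used=yes            # decided in sshd_privsep
cygwin_value=""             # -c/--cygwin, value for the CYGWIN env var of the service
user_account=               # -u/--user, privileged account for the service
password_value=             # -w/--pwd, password for that account
opt_force=no                # "yes" when running unattended (-y/-n/postinstall)

# ======================================================================
# Routine: update_services_file
# Adds "ssh 22/tcp" and "ssh 22/udp" to the Windows services file when no
# ssh/22 entry exists yet.  The Windows etc directory is mounted on a
# per-process mount point so the file can be edited with POSIX tools.
# Globals:  SYSTEMROOT (read)
# Returns:  number of failed steps (0 on success)
# ======================================================================
update_services_file() {
  local _my_etcdir="/ssh-host-config.$$"
  local _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  local _services="${_my_etcdir}/services"
  local _spaces=" #"
  local _serv_tmp="${_my_etcdir}/srv.out.$$"
  local _wservices
  local ret=0

  # Everything below depends on this mount; stop here rather than operating
  # on a path that does not exist.
  if ! /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
  then
    csih_warning "Mounting ${_win_etcdir} on ${_my_etcdir} failed!"
    return 1
  fi

  # Windows-style path of the services file, used in messages only.
  _wservices=$(/usr/bin/cygpath -w "${_services}")

  # Add ssh 22/tcp and ssh 22/udp to services, inserted in front of the
  # telnet (23/tcp) line so the file stays ordered by port.
  if ! /usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"
  then
    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
        csih_inform "Added ssh to ${_wservices}"
      else
        csih_warning "Adding ssh to ${_wservices} failed!"
        ret=$((ret + 1))
      fi
      /usr/bin/rm -f "${_serv_tmp}"
    else
      csih_warning "Adding ssh to ${_wservices} failed!"
      ret=$((ret + 1))
    fi
  fi
  /usr/bin/umount "${_my_etcdir}"
  return "${ret}"
} # --- End of update_services_file --- #

# ======================================================================
# Routine: sshd_strictmodes
# Asks whether StrictModes should stay enabled; only asked when
# sshd_config has not been locally configured yet.
# MODIFIES: strictmodes
# Returns:  always 0
# ======================================================================
sshd_strictmodes() {
  if [ "${sshd_config_configured}" != "yes" ]
  then
    echo
    csih_inform "StrictModes is set to 'yes' by default."
    csih_inform "This is the recommended setting, but it requires that the POSIX"
    csih_inform "permissions of the user's home directory, the user's .ssh"
    csih_inform "directory, and the user's ssh key files are tight so that"
    csih_inform "only the user has write permissions."
    csih_inform "On the other hand, StrictModes don't work well with default"
    csih_inform "Windows permissions of a home directory mounted with the"
    csih_inform "'noacl' option, and they don't work at all if the home"
    csih_inform "directory is on a FAT or FAT32 partition."
    csih_request "Should StrictModes be used?" || strictmodes=no
  fi
  return 0
} # --- End of sshd_strictmodes --- #

# ======================================================================
# Routine: sshd_privsep
# Asks whether privilege separation should be used and, if so, creates
# the unprivileged 'sshd' account it requires.  Only asked when
# sshd_config has not been locally configured yet.
# MODIFIES: privsep_used
# Returns:  1 if the 'sshd' account could not be created, else 0
# ======================================================================
sshd_privsep() {
  local ret=0

  if [ "${sshd_config_configured}" != "yes" ]
  then
    echo
    csih_inform "Privilege separation is set to 'sandbox' by default since"
    csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
    csih_inform "to 'yes' or 'no'."
    csih_inform "However, using privilege separation requires a non-privileged account"
    csih_inform "called 'sshd'."
    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    if csih_request "Should privilege separation be used?"
    then
      privsep_used=yes
      if ! csih_create_unprivileged_user sshd
      then
        # Fall back to 'no' so sshd_config does not reference a missing account.
        csih_error_recoverable "Couldn't create user 'sshd'!"
        csih_error_recoverable "Privilege separation set to 'no' again!"
        csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
        ret=$((ret + 1))
        privsep_used=no
      fi
    else
      privsep_used=no
    fi
  fi
  return "${ret}"
} # --- End of sshd_privsep --- #

# ======================================================================
# Routine: sshd_config_tweak
# Rewrites Port, StrictModes and UsePrivilegeSeparation in sshd_config
# according to the decisions made so far.
# Globals:  port_number, strictmodes, privsep_used,
#           sshd_config_configured (all read)
# Returns:  number of failed edits (0 on success)
# ======================================================================
sshd_config_tweak() {
  local _sshd_config="${SYSCONFDIR}/sshd_config"
  local ret=0

  # Modify sshd_config
  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
  case "${port_number}" in
    '' | *[!0-9]* )
      # A non-numeric value would break the numeric test below and is
      # interpolated into a sed script, so refuse it instead.
      csih_warning "Invalid listening port '${port_number}'!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      ret=$((ret + 1))
      ;;
    * )
      if [ "${port_number}" -ne 22 ]
      then
        if ! /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
               "${_sshd_config}"
        then
          csih_warning "Setting listening port to ${port_number} failed!"
          csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
          ret=$((ret + 1))
        fi
      fi
      ;;
  esac
  if [ "${strictmodes}" = "no" ]
  then
    if ! /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
           "${_sshd_config}"
    then
      csih_warning "Setting StrictModes to 'no' failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      ret=$((ret + 1))
    fi
  fi
  if [ "${sshd_config_configured}" != "yes" ]
  then
    if ! /usr/bin/sed -i -e "s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
           "${_sshd_config}"
    then
      csih_warning "Setting privilege separation failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      ret=$((ret + 1))
    fi
  fi
  return "${ret}"
} # --- End of sshd_config_tweak --- #

# ======================================================================
# Routine: update_inetd_conf
# Registers sshd with inetd: with inetd.d support the shipped
# inetd.d/sshd-inetd file is installed and any ssh[d] line is removed
# from inetd.conf; otherwise an ssh line is appended to inetd.conf.
# The entry is left commented out unless an active ssh[d] line was
# already present.
# Returns:  number of failed steps (0 on success)
# ======================================================================
update_inetd_conf() {
  local _inetcnf="${SYSCONFDIR}/inetd.conf"
  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
  local _inetd_line='ssh stream tcp nowait root /usr/sbin/sshd sshd -i'
  local _with_comment=1
  local ret=0

  if [ -d "${_inetcnf_dir}" ]
  then
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0

      # check for sshd OR ssh in top-level inetd.conf file, and remove;
      # will be replaced by a file in inetd.d/
      if /usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"
      then
        # '>' rather than '>>' so a stale temp file is never merged in.
        /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" > "${_inetcnf_tmp}"
        if [ -f "${_inetcnf_tmp}" ]
        then
          if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
          then
            csih_inform "Removed ssh[d] from ${_inetcnf}"
          else
            csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
            ret=$((ret + 1))
          fi
          /usr/bin/rm -f "${_inetcnf_tmp}"
        else
          csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
          ret=$((ret + 1))
        fi
      fi
    fi

    csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
    # Only touch the file while it is still identical to the shipped default,
    # i.e. it has not been edited locally.
    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
    then
      if [ "${_with_comment}" -eq 0 ]
      then
        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      else
        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      fi
      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      then
        csih_inform "Updated ${_sshd_inetd_conf}"
      else
        csih_warning "Updating ${_sshd_inetd_conf} failed!"
        ret=$((ret + 1))
      fi
    fi

  elif [ -f "${_inetcnf}" ]
  then
    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0

    # check for sshd in top-level inetd.conf file, and remove;
    # will be replaced by a file in inetd.d/
    if /usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"
    then
      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" > "${_inetcnf_tmp}"
      if [ -f "${_inetcnf_tmp}" ]
      then
        if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
        then
          csih_inform "Removed sshd from ${_inetcnf}"
        else
          csih_warning "Removing sshd from ${_inetcnf} failed!"
          ret=$((ret + 1))
        fi
        /usr/bin/rm -f "${_inetcnf_tmp}"
      else
        csih_warning "Removing sshd from ${_inetcnf} failed!"
        ret=$((ret + 1))
      fi
    fi

    # Add ssh line to inetd.conf, commented out unless ssh was active before.
    if ! /usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"
    then
      [ "${_with_comment}" -eq 0 ] || _inetd_line="# ${_inetd_line}"
      if echo "${_inetd_line}" >> "${_inetcnf}"
      then
        csih_inform "Added ssh to ${_inetcnf}"
      else
        csih_warning "Adding ssh to ${_inetcnf} failed!"
        ret=$((ret + 1))
      fi
    fi
  fi
  return "${ret}"
} # --- End of update_inetd_conf --- #

# ======================================================================
# Routine: check_service_files_ownership
# Checks that the files in /etc and /var belong to the right owner
# Arguments: $1 - account the service runs as; when empty it is derived
#                 from the installed service via cygrunsrv/mkpasswd
# Returns:   1 if the account could not be determined, else the number of
#            files whose owner could not be changed
# ======================================================================
check_service_files_ownership() {
  local run_service_as=$1
  local accnt_name
  local dom
  local f
  local ret=0

  if [ -z "${run_service_as}" ]
  then
    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
                 /usr/bin/sed -ne 's/^Account *: *//gp')
    if [ "${accnt_name}" = "LocalSystem" ]
    then
      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
      run_service_as="SYSTEM"
    else
      # Split "DOMAIN\user"; a leading '.' stands for the local machine.
      dom="${accnt_name%%\\*}"
      accnt_name="${accnt_name#*\\}"
      if [ "${dom}" = '.' ]
      then
        # Check local account
        run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
                         /usr/bin/awk -F: '{print $1;}')
      else
        # Check domain
        run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
                         /usr/bin/awk -F: '{print $1;}')
      fi
    fi
    if [ -z "${run_service_as}" ]
    then
      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
      csih_warning "As a result, this script cannot make sure that the files used"
      csih_warning "by the sshd service belong to the user running the service."
      csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
      csih_warning "file is in a good shape."
      return 1
    fi
  fi
  # Group 544 is the Cygwin mapping of the local Administrators group.  ':'
  # is used as the owner/group separator so a '.' inside the account name
  # cannot be misread as the separator.
  for f in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
  do
    if [ -f "${f}" ]
    then
      if ! chown "${run_service_as}:544" "${f}" >/dev/null 2>&1
      then
        csih_warning "Couldn't change owner of ${f}!"
        ret=$((ret + 1))
      fi
    fi
  done
  for f in "${LOCALSTATEDIR}/empty" "${LOCALSTATEDIR}/log/lastlog"
  do
    if ! chown "${run_service_as}:544" "${f}" >/dev/null 2>&1
    then
      csih_warning "Couldn't change owner of ${f}!"
      ret=$((ret + 1))
    fi
  done
  if [ -f "${LOCALSTATEDIR}/log/sshd.log" ]
  then
    if ! chown "${run_service_as}:544" "${LOCALSTATEDIR}/log/sshd.log" >/dev/null 2>&1
    then
      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
      ret=$((ret + 1))
    fi
  fi
  if [ "${ret}" -ne 0 ]
  then
    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
    csih_warning "This may cause the sshd service to fail! Please make sure that"
    csih_warning "you have suufficient permissions to change the ownership of files"
    csih_warning "and try to run the ssh-host-config script again."
  fi
  return "${ret}"
} # --- End of check_service_files_ownership --- #

# ======================================================================
# Routine: install_service
# Install sshd as a service
# Either under LocalSystem, or -- on Windows Server 2003/Vista and later,
# or with --privileged -- under a privileged user account whose password
# is taken from -w/--pwd or asked for interactively.
# Globals:  cygwin_value, opt_force, user_account, password_value (read)
# Returns:  number of failed steps (0 on success); exits 1 if the user
#           declines to continue after privileged-user creation failed
# ======================================================================
install_service() {
  local run_service_as
  local password
  local -a select_args=()
  local -a cygwin_env=()
  local ret=0

  echo
  if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
  then
    csih_inform "Sshd service is already installed."
    check_service_files_ownership "" || ret=$((ret + $?))
  else
    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
    if csih_request "(Say \"no\" if it is already installed as a service)"
    then
      csih_get_cygenv "${cygwin_value}"

      if csih_is_nt2003 || [ "${csih_FORCE_PRIVILEGED_USER}" = "yes" ]
      then
        csih_inform "On Windows Server 2003, Windows Vista, and above, the"
        csih_inform "SYSTEM account cannot setuid to other users -- a capability"
        csih_inform "sshd requires. You need to have or to create a privileged"
        csih_inform "account. This script will help you do so."
        echo

        # Build the option list as an array so an account name containing
        # whitespace reaches csih_select_privileged_username as one word.
        [ "${opt_force}" = "yes" ] && select_args+=(-f)
        [ -n "${user_account}" ] && select_args+=(-u "${user_account}")
        csih_select_privileged_username "${select_args[@]}" sshd

        if ! csih_create_privileged_user "${password_value}"
        then
          csih_error_recoverable "There was a serious problem creating a privileged user."
          csih_request "Do you want to proceed anyway?" || exit 1
          ret=$((ret + 1))
        fi
      fi

      # Never returns empty if NT or above
      run_service_as=$(csih_service_should_run_as)

      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
      then
        password="${csih_PRIVILEGED_PASSWORD}"
        if [ -z "${password}" ]
        then
          csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
          password="${csih_value}"
        fi
      fi

      # At this point, we either have $run_service_as = "system" and
      # $password is empty, or $run_service_as is some privileged user and
      # (hopefully) $password contains the correct password.  So, from here
      # out, we use '-z "${password}"' to discriminate the two cases.

      csih_check_user "${run_service_as}"

      if [ -n "${csih_cygenv}" ]
      then
        cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
      fi
      if [ -z "${password}" ]
      then
        if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
             -a "-D" -y tcpip "${cygwin_env[@]}"
        then
          echo
          csih_inform "The sshd service has been installed under the LocalSystem"
          csih_inform "account (also known as SYSTEM). To start the service now, call"
          csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
          csih_inform "will start automatically after the next reboot."
        fi
      else
        # The password is handed to cygrunsrv as a command-line argument, so
        # it is briefly visible to other local processes (e.g. via ps) and is
        # echoed by xtrace when the script was started with -d/--debug.
        if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
             -a "-D" -y tcpip "${cygwin_env[@]}" \
             -u "${run_service_as}" -w "${password}"
        then
          # The service account needs the "log on as a service" right;
          # a silent failure here would only surface at service start.
          if ! /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
          then
            csih_warning "Granting SeServiceLogonRight to '${run_service_as}' failed!"
            ret=$((ret + 1))
          fi
          echo
          csih_inform "The sshd service has been installed under the '${run_service_as}'"
          csih_inform "account. To start the service now, call \`net start sshd' or"
          csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
          csih_inform "after the next reboot."
        fi
      fi

      if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
      then
        check_service_files_ownership "${run_service_as}" || ret=$((ret + $?))
      else
        csih_error_recoverable "Installing sshd as a service failed!"
        ret=$((ret + 1))
      fi
    fi # user allowed us to install as service
  fi # service not yet installed
  return "${ret}"
} # --- End of install_service --- #

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
# (1) it has been started by giving the full path and
#     that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
#     SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.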
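if [ "${PROGDIR}" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
  opt_force=yes
fi

# ======================================================================
# Parse options
# ======================================================================

# Print the option summary to stdout and exit with status 1.  Used for
# unknown options and for option arguments that fail validation.
usage() {
  echo "usage: ${PROGNAME} [OPTION]..."
  echo
  echo "This script creates an OpenSSH host configuration."
  echo
  echo "Options:"
  echo " --debug -d Enable shell's debug output."
  echo " --yes -y Answer all questions with \"yes\" automatically."
  echo " --no -n Answer all questions with \"no\" automatically."
  echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
  echo " --port -p <n> sshd listens on port n."
  echo " --user -u <account> privileged user for service, default 'cyg_server'."
  echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
  echo " --privileged On Windows XP, require privileged user"
  echo " instead of LocalSystem for sshd service."
  echo
  exit 1
}

while [ $# -gt 0 ]
do
  option=$1
  shift

  case "${option}" in
    -d | --debug )
      # xtrace echoes every later command line, including a password
      # passed with -w/--pwd.
      set -x
      csih_trace_on
      ;;

    -y | --yes )
      csih_auto_answer=yes
      opt_force=yes
      ;;

    -n | --no )
      csih_auto_answer=no
      opt_force=yes
      ;;

    -c | --cygwin )
      cygwin_value="$1"
      shift
      ;;

    -p | --port )
      port_number=$1
      shift
      # The port is later used in a numeric test and interpolated into a
      # sed script, so accept only a decimal number in the TCP port range.
      case "${port_number}" in
        '' | *[!0-9]* )
          echo "${PROGNAME}: --port requires a numeric argument, got '${port_number}'" >&2
          usage
          ;;
      esac
      if [ "${port_number}" -lt 1 ] || [ "${port_number}" -gt 65535 ]
      then
        echo "${PROGNAME}: port ${port_number} is out of range (1-65535)" >&2
        usage
      fi
      ;;

    -u | --user )
      user_account="$1"
      shift
      ;;

    -w | --pwd )
      password_value="$1"
      shift
      ;;

    --privileged )
      csih_FORCE_PRIVILEGED_USER=yes
      ;;

    *)
      usage
      ;;

  esac
done

# ======================================================================
# Action!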
# ======================================================================

# Check for running ssh/sshd processes first.  Refuse to do anything while
# some ssh processes are still running.
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
  echo
  csih_error "There are still ssh processes running. Please shut them down first."
fi

# Make sure the user is running in an administrative context: the token
# must contain group 544 (Administrators).
if /usr/bin/id -G | /usr/bin/grep -Eq '\<544\>'
then
  admin=yes
else
  admin=no
fi
if [ "${admin}" != "yes" ]
then
  echo
  csih_warning "Running this script typically requires administrator privileges!"
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
  # Resolve each numeric group id of the token to its name via /etc/group.
  for i in $(/usr/bin/id -G)
  do
    /usr/bin/awk -F: -v gid="${i}" '$0 ~ ("[^:]*:[^:]*:" gid ":") { print " " $1; }' /etc/group
  done
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
  echo
  csih_warning "Make sure you have the appropriate privileges right now,"
  csih_warning "otherwise parts of this script will probably fail!"
  echo
  echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
  if ! csih_request "you have the required privileges)"
  then
    echo
    csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
    csih_inform "or to start this script from an elevated shell."
    exit 1
  fi
fi

echo

warning_cnt=0

# Create /var/log/lastlog if not already exists
if [ -e "${LOCALSTATEDIR}/log/lastlog" ] && [ ! -f "${LOCALSTATEDIR}/log/lastlog" ]
then
  echo
  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
    "Cannot create ssh host configuration."
fi
if [ ! -e "${LOCALSTATEDIR}/log/lastlog" ]
then
  : > "${LOCALSTATEDIR}/log/lastlog"
  if ! /usr/bin/chmod 644 "${LOCALSTATEDIR}/log/lastlog" >/dev/null 2>&1
  then
    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
    warning_cnt=$((warning_cnt + 1))
  fi
fi

# Create /var/empty directory used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  warning_cnt=$((warning_cnt + 1))
fi

# generate missing host keys
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || warning_cnt=$((warning_cnt + $?))

# handle ssh_config: only a pristine (default-identical) copy gets the
# per-host port override appended.
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
then
  if [ "${port_number}" != "22" ]
  then
    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
    printf 'Host localhost\n Port %s\n' "${port_number}" >> "${SYSCONFDIR}/ssh_config"
  fi
fi

# handle sshd_config (and privsep); a copy that differs from the shipped
# default counts as already configured and is not asked about again.
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || warning_cnt=$((warning_cnt + 1))
/usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 \
  || sshd_config_configured=yes
sshd_strictmodes || warning_cnt=$((warning_cnt + $?))
sshd_privsep || warning_cnt=$((warning_cnt + $?))
sshd_config_tweak || warning_cnt=$((warning_cnt + $?))
update_services_file || warning_cnt=$((warning_cnt + $?))
update_inetd_conf || warning_cnt=$((warning_cnt + $?))
install_service || warning_cnt=$((warning_cnt + $?))

echo
if [ "${warning_cnt}" -eq 0 ]
then
  csih_inform "Host configuration finished. Have fun!"
else
  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
  csih_warning "Make sure that all problems reported are fixed,"
  csih_warning "then re-run ssh-host-config."
fi
exit "${warning_cnt}"