1#!/bin/bash
2#
3# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
4#
5# This file is part of the Cygwin port of OpenSSH.
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
13# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
14# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
17# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
18
19# ======================================================================
20# Initialization
21# ======================================================================
22
23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
24
25# List of apps used.  This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29  /usr/bin/basename coreutils
30  /usr/bin/cat coreutils
31  /usr/bin/chmod coreutils
32  /usr/bin/dirname coreutils
33  /usr/bin/id coreutils
34  /usr/bin/mv coreutils
35  /usr/bin/rm coreutils
36  /usr/bin/cygpath cygwin
37  /usr/bin/mkpasswd cygwin
38  /usr/bin/mount cygwin
39  /usr/bin/ps cygwin
40  /usr/bin/umount cygwin
41  /usr/bin/cmp diffutils
42  /usr/bin/grep grep
43  /usr/bin/awk gawk
44  /usr/bin/ssh-keygen openssh
45  /usr/sbin/sshd openssh
46  /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
55# Subdirectory where the new package is being installed
56PREFIX=/usr
57
58# Directory where the config files are stored
59SYSCONFDIR=/etc
60LOCALSTATEDIR=/var
61
62sshd_config_configured=no
63port_number=22
64strictmodes=yes
65privsep_used=yes
66cygwin_value=""
67user_account=
68password_value=
69opt_force=no
70
71# ======================================================================
72# Routine: update_services_file
73# ======================================================================
74update_services_file() {
75  local _my_etcdir="/ssh-host-config.$$"
76  local _win_etcdir
77  local _services
78  local _spaces
79  local _serv_tmp
80  local _wservices
81  local ret=0
82
83  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
84  _services="${_my_etcdir}/services"
85  _spaces="                           #"
86  _serv_tmp="${_my_etcdir}/srv.out.$$"
87
88  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
89
90  # Depends on the above mount
91  _wservices=`cygpath -w "${_services}"`
92
93  # Add ssh 22/tcp  and ssh 22/udp to services
94  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
95  then
96    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
97    then
98      if /usr/bin/mv "${_serv_tmp}" "${_services}"
99      then
100	csih_inform "Added ssh to ${_wservices}"
101      else
102	csih_warning "Adding ssh to ${_wservices} failed!"
103	let ++ret
104      fi
105      /usr/bin/rm -f "${_serv_tmp}"
106    else
107      csih_warning "Adding ssh to ${_wservices} failed!"
108      let ++ret
109    fi
110  fi
111  /usr/bin/umount "${_my_etcdir}"
112  return $ret
113} # --- End of update_services_file --- #
114
115# ======================================================================
116# Routine: sshd_strictmodes
117#  MODIFIES: strictmodes
118# ======================================================================
119sshd_strictmodes() {
120  if [ "${sshd_config_configured}" != "yes" ]
121  then
122    echo
123    csih_inform "StrictModes is set to 'yes' by default."
124    csih_inform "This is the recommended setting, but it requires that the POSIX"
125    csih_inform "permissions of the user's home directory, the user's .ssh"
126    csih_inform "directory, and the user's ssh key files are tight so that"
127    csih_inform "only the user has write permissions."
128    csih_inform "On the other hand, StrictModes don't work well with default"
129    csih_inform "Windows permissions of a home directory mounted with the"
130    csih_inform "'noacl' option, and they don't work at all if the home"
131    csih_inform "directory is on a FAT or FAT32 partition."
132    if ! csih_request "Should StrictModes be used?"
133    then
134      strictmodes=no
135    fi
136  fi
137  return 0
138}
139
140# ======================================================================
141# Routine: sshd_privsep
142#  MODIFIES: privsep_used
143# ======================================================================
144sshd_privsep() {
145  local ret=0
146
147  if [ "${sshd_config_configured}" != "yes" ]
148  then
149    echo
150    csih_inform "Privilege separation is set to 'sandbox' by default since"
151    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
152    csih_inform "to 'yes' or 'no'."
153    csih_inform "However, using privilege separation requires a non-privileged account"
154    csih_inform "called 'sshd'."
155    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
156    if csih_request "Should privilege separation be used?"
157    then
158      privsep_used=yes
159      if ! csih_create_unprivileged_user sshd
160      then
161	csih_error_recoverable "Couldn't create user 'sshd'!"
162	csih_error_recoverable "Privilege separation set to 'no' again!"
163	csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
164	let ++ret
165	privsep_used=no
166      fi
167    else
168      privsep_used=no
169    fi
170  fi
171  return $ret
172} # --- End of sshd_privsep --- #
173
174# ======================================================================
175# Routine: sshd_config_tweak
176# ======================================================================
177sshd_config_tweak() {
178  local ret=0
179
180  # Modify sshd_config
181  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
182  if [ "${port_number}" -ne 22 ]
183  then
184    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
185      ${SYSCONFDIR}/sshd_config
186    if [ $? -ne 0 ]
187    then
188      csih_warning "Setting listening port to ${port_number} failed!"
189      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
190      let ++ret
191    fi
192  fi
193  if [ "${strictmodes}" = "no" ]
194  then
195    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
196      ${SYSCONFDIR}/sshd_config
197    if [ $? -ne 0 ]
198    then
199      csih_warning "Setting StrictModes to 'no' failed!"
200      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
201      let ++ret
202    fi
203  fi
204  if [ "${sshd_config_configured}" != "yes" ]
205  then
206    /usr/bin/sed -i -e "
207      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
208      ${SYSCONFDIR}/sshd_config
209    if [ $? -ne 0 ]
210    then
211      csih_warning "Setting privilege separation failed!"
212      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
213      let ++ret
214    fi
215  fi
216  return $ret
217} # --- End of sshd_config_tweak --- #
218
219# ======================================================================
220# Routine: update_inetd_conf
221# ======================================================================
222update_inetd_conf() {
223  local _inetcnf="${SYSCONFDIR}/inetd.conf"
224  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
225  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
226  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
227  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
228  local _with_comment=1
229  local ret=0
230
231  if [ -d "${_inetcnf_dir}" ]
232  then
233    # we have inetutils-1.5 inetd.d support
234    if [ -f "${_inetcnf}" ]
235    then
236      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
237
238      # check for sshd OR ssh in top-level inetd.conf file, and remove
239      # will be replaced by a file in inetd.d/
240      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
241      then
242	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
243	if [ -f "${_inetcnf_tmp}" ]
244	then
245	  if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
246	  then
247  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
248	  else
249  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
250	    let ++ret
251	  fi
252	  /usr/bin/rm -f "${_inetcnf_tmp}"
253	else
254	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
255	  let ++ret
256	fi
257      fi
258    fi
259
260    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
261    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
262    then
263      if [ "${_with_comment}" -eq 0 ]
264      then
265	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
266      else
267	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
268      fi
269      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
270      then
271	csih_inform "Updated ${_sshd_inetd_conf}"
272      else
273	csih_warning "Updating ${_sshd_inetd_conf} failed!"
274	let ++ret
275      fi
276    fi
277
278  elif [ -f "${_inetcnf}" ]
279  then
280    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
281
282    # check for sshd in top-level inetd.conf file, and remove
283    # will be replaced by a file in inetd.d/
284    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
285    then
286      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
287      if [ -f "${_inetcnf_tmp}" ]
288      then
289	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
290	then
291	    csih_inform "Removed sshd from ${_inetcnf}"
292	else
293	    csih_warning "Removing sshd from ${_inetcnf} failed!"
294	    let ++ret
295	fi
296	/usr/bin/rm -f "${_inetcnf_tmp}"
297      else
298	csih_warning "Removing sshd from ${_inetcnf} failed!"
299	let ++ret
300      fi
301    fi
302
303    # Add ssh line to inetd.conf
304    if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
305    then
306      if [ "${_with_comment}" -eq 0 ]
307      then
308	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
309      else
310	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
311      fi
312      if [ $? -eq 0 ]
313      then
314	csih_inform "Added ssh to ${_inetcnf}"
315      else
316	csih_warning "Adding ssh to ${_inetcnf} failed!"
317	let ++ret
318      fi
319    fi
320  fi
321  return $ret
322} # --- End of update_inetd_conf --- #
323
324# ======================================================================
325# Routine: check_service_files_ownership
326#   Checks that the files in /etc and /var belong to the right owner
327# ======================================================================
328check_service_files_ownership() {
329  local run_service_as=$1
330  local ret=0
331
332  if [ -z "${run_service_as}" ]
333  then
334    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
335    		 /usr/bin/sed -ne 's/^Account *: *//gp')
336    if [ "${accnt_name}" = "LocalSystem" ]
337    then
338      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
339      run_service_as="SYSTEM"
340    else
341      dom="${accnt_name%%\\*}"
342      accnt_name="${accnt_name#*\\}"
343      if [ "${dom}" = '.' ]
344      then
345	# Check local account
346	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
347			 /usr/bin/awk -F: '{print $1;}')
348      else
349      	# Check domain
350	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
351			 /usr/bin/awk -F: '{print $1;}')
352      fi
353    fi
354    if [ -z "${run_service_as}" ]
355    then
356      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
357      csih_warning "As a result, this script cannot make sure that the files used"
358      csih_warning "by the sshd service belong to the user running the service."
359      csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
360      csih_warning "file is in a good shape."
361      return 1
362    fi
363  fi
364  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
365  do
366    if [ -f "$i" ]
367    then
368      if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
369      then
370	csih_warning "Couldn't change owner of $i!"
371	let ++ret
372      fi
373    fi
374  done
375  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
376  then
377    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
378    let ++ret
379  fi
380  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
381  then
382    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
383    let ++ret
384  fi
385  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
386  then
387    if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
388    then
389      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
390      let ++ret
391    fi
392  fi
393  if [ $ret -ne 0 ]
394  then
395    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
396    csih_warning "This may cause the sshd service to fail!  Please make sure that"
397    csih_warning "you have suufficient permissions to change the ownership of files"
398    csih_warning "and try to run the ssh-host-config script again."
399  fi
400  return $ret
401} # --- End of check_service_files_ownership --- #
402
403# ======================================================================
404# Routine: install_service
405#   Install sshd as a service
406# ======================================================================
407install_service() {
408  local run_service_as
409  local password
410  local ret=0
411
412  echo
413  if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
414  then
415    csih_inform "Sshd service is already installed."
416    check_service_files_ownership "" || let ret+=$?
417  else
418    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
419    if csih_request "(Say \"no\" if it is already installed as a service)"
420    then
421      csih_get_cygenv "${cygwin_value}"
422
423      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
424      then
425	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
426	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
427	csih_inform "sshd requires.  You need to have or to create a privileged"
428	csih_inform "account.  This script will help you do so."
429	echo
430
431	[ "${opt_force}" = "yes" ] && opt_f=-f
432	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
433	csih_select_privileged_username ${opt_f} ${opt_u} sshd
434
435	if ! csih_create_privileged_user "${password_value}"
436	then
437	  csih_error_recoverable "There was a serious problem creating a privileged user."
438	  csih_request "Do you want to proceed anyway?" || exit 1
439	  let ++ret
440	fi
441      fi
442
443      # Never returns empty if NT or above
444      run_service_as=$(csih_service_should_run_as)
445
446      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
447      then
448	password="${csih_PRIVILEGED_PASSWORD}"
449	if [ -z "${password}" ]
450	then
451	  csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
452	  password="${csih_value}"
453	fi
454      fi
455
456      # At this point, we either have $run_service_as = "system" and
457      # $password is empty, or $run_service_as is some privileged user and
458      # (hopefully) $password contains the correct password.  So, from here
459      # out, we use '-z "${password}"' to discriminate the two cases.
460
461      csih_check_user "${run_service_as}"
462
463      if [ -n "${csih_cygenv}" ]
464      then
465	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
466      fi
467      if [ -z "${password}" ]
468      then
469	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
470			      -a "-D" -y tcpip "${cygwin_env[@]}"
471	then
472	  echo
473	  csih_inform "The sshd service has been installed under the LocalSystem"
474	  csih_inform "account (also known as SYSTEM). To start the service now, call"
475	  csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
476	  csih_inform "will start automatically after the next reboot."
477	fi
478      else
479	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
480			      -a "-D" -y tcpip "${cygwin_env[@]}" \
481			      -u "${run_service_as}" -w "${password}"
482	then
483	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
484	  echo
485	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
486	  csih_inform "account.  To start the service now, call \`net start sshd' or"
487	  csih_inform "\`cygrunsrv -S sshd'.  Otherwise, it will start automatically"
488	  csih_inform "after the next reboot."
489	fi
490      fi
491
492      if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
493      then
494	check_service_files_ownership "${run_service_as}" || let ret+=$?
495      else
496	csih_error_recoverable "Installing sshd as a service failed!"
497	let ++ret
498      fi
499    fi # user allowed us to install as service
500  fi # service not yet installed
501  return $ret
502} # --- End of install_service --- #
503
504# ======================================================================
505# Main Entry Point
506# ======================================================================
507
508# Check how the script has been started.  If
509#   (1) it has been started by giving the full path and
510#       that path is /etc/postinstall, OR
511#   (2) Otherwise, if the environment variable
512#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
513# then set auto_answer to "no".  This allows automatic
514# creation of the config files in /etc w/o overwriting
515# them if they already exist.  In both cases, color
516# escape sequences are suppressed, so as to prevent
517# cluttering setup's logfiles.
518if [ "$PROGDIR" = "/etc/postinstall" ]
519then
520  csih_auto_answer="no"
521  csih_disable_color
522  opt_force=yes
523fi
524if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
525then
526  csih_auto_answer="no"
527  csih_disable_color
528  opt_force=yes
529fi
530
531# ======================================================================
532# Parse options
533# ======================================================================
534while :
535do
536  case $# in
537  0)
538    break
539    ;;
540  esac
541
542  option=$1
543  shift
544
545  case "${option}" in
546  -d | --debug )
547    set -x
548    csih_trace_on
549    ;;
550
551  -y | --yes )
552    csih_auto_answer=yes
553    opt_force=yes
554    ;;
555
556  -n | --no )
557    csih_auto_answer=no
558    opt_force=yes
559    ;;
560
561  -c | --cygwin )
562    cygwin_value="$1"
563    shift
564    ;;
565
566  -p | --port )
567    port_number=$1
568    shift
569    ;;
570
571  -u | --user )
572    user_account="$1"
573    shift
574    ;;
575
576  -w | --pwd )
577    password_value="$1"
578    shift
579    ;;
580
581  --privileged )
582    csih_FORCE_PRIVILEGED_USER=yes
583    ;;
584
585  *)
586    echo "usage: ${progname} [OPTION]..."
587    echo
588    echo "This script creates an OpenSSH host configuration."
589    echo
590    echo "Options:"
591    echo "  --debug  -d            Enable shell's debug output."
592    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
593    echo "  --no     -n            Answer all questions with \"no\" automatically."
594    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
595    echo "  --port   -p <n>        sshd listens on port n."
596    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
597    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
598    echo "  --privileged           On Windows XP, require privileged user"
599    echo "                         instead of LocalSystem for sshd service."
600    echo
601    exit 1
602    ;;
603
604  esac
605done
606
607# ======================================================================
608# Action!
609# ======================================================================
610
611# Check for running ssh/sshd processes first. Refuse to do anything while
612# some ssh processes are still running
613if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
614then
615  echo
616  csih_error "There are still ssh processes running. Please shut them down first."
617fi
618
619# Make sure the user is running in an administrative context
620admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
621if [ "${admin}" != "yes" ]
622then
623  echo
624  csih_warning "Running this script typically requires administrator privileges!"
625  csih_warning "However, it seems your account does not have these privileges."
626  csih_warning "Here's the list of groups in your user token:"
627  echo
628  for i in $(/usr/bin/id -G)
629  do
630    /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \"    \" \$1; }" /etc/group
631  done
632  echo
633  csih_warning "This usually means you're running this script from a non-admin"
634  csih_warning "desktop session, or in a non-elevated shell under UAC control."
635  echo
636  csih_warning "Make sure you have the appropriate privileges right now,"
637  csih_warning "otherwise parts of this script will probably fail!"
638  echo
639  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
640  if ! csih_request "you have the required privileges)"
641  then
642    echo
643    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
644    csih_inform "or to start this script from an elevated shell."
645    exit 1
646  fi
647fi
648
649echo
650
651warning_cnt=0
652
653# Create /var/log/lastlog if not already exists
654if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
655then
656  echo
657  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
658		   "Cannot create ssh host configuration."
659fi
660if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
661then
662  /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
663  if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
664  then
665    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
666    let ++warning_cnt
667  fi
668fi
669
670# Create /var/empty file used as chroot jail for privilege separation
671csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
672if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
673then
674  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
675  let ++warning_cnt
676fi
677
678# generate missing host keys
679csih_inform "Generating missing SSH host keys"
680/usr/bin/ssh-keygen -A || let warning_cnt+=$?
681
682# handle ssh_config
683csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
684if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
685then
686  if [ "${port_number}" != "22" ]
687  then
688    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
689    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
690    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
691  fi
692fi
693
694# handle sshd_config (and privsep)
695csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
696if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
697then
698  sshd_config_configured=yes
699fi
700sshd_strictmodes || let warning_cnt+=$?
701sshd_privsep || let warning_cnt+=$?
702sshd_config_tweak || let warning_cnt+=$?
703update_services_file || let warning_cnt+=$?
704update_inetd_conf || let warning_cnt+=$?
705install_service || let warning_cnt+=$?
706
707echo
708if [ $warning_cnt -eq 0 ]
709then
710  csih_inform "Host configuration finished. Have fun!"
711else
712  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
713  csih_warning "Make sure that all problems reported are fixed,"
714  csih_warning "then re-run ssh-host-config."
715fi
716exit $warning_cnt
717