From 25505898530a333011f4fd5cbc841ad6b26c089c Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:40:04 +0200 Subject: Adding upstream version 1:9.2p1. Signed-off-by: Daniel Baumann --- contrib/cygwin/Makefile | 78 +++++ contrib/cygwin/README | 91 ++++++ contrib/cygwin/ssh-host-config | 714 +++++++++++++++++++++++++++++++++++++++++ contrib/cygwin/ssh-user-config | 257 +++++++++++++++ contrib/cygwin/sshd-inetd | 4 + 5 files changed, 1144 insertions(+) create mode 100644 contrib/cygwin/Makefile create mode 100644 contrib/cygwin/README create mode 100644 contrib/cygwin/ssh-host-config create mode 100644 contrib/cygwin/ssh-user-config create mode 100644 contrib/cygwin/sshd-inetd (limited to 'contrib/cygwin') diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile new file mode 100644 index 0000000..4b78cd9 --- /dev/null +++ b/contrib/cygwin/Makefile @@ -0,0 +1,78 @@ +srcdir=../.. +copyidsrcdir=.. +prefix=/usr +exec_prefix=$(prefix) +bindir=$(prefix)/bin +datadir=$(prefix)/share +mandir=$(datadir)/man +docdir=$(datadir)/doc +sshdocdir=$(docdir)/openssh +cygdocdir=$(docdir)/Cygwin +sysconfdir=/etc +defaultsdir=$(sysconfdir)/defaults/etc +inetdefdir=$(defaultsdir)/inetd.d +PRIVSEP_PATH=/var/empty +INSTALL=/usr/bin/install -c +MKDIR_P=$(srcdir)/mkinstalldirs + +DESTDIR= + +all: + @echo + @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'" + @echo "Be sure having DESTDIR set correctly!" + @echo + +move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config + $(MKDIR_P) $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir) + +remove-empty-dir: + rm -rf $(DESTDIR)$(PRIVSEP_PATH) + +install-inetd-config: + $(MKDIR_P) $(DESTDIR)$(inetdefdir) + $(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd + +install-sshdoc: + $(MKDIR_P) $(DESTDIR)$(sshdocdir) + -$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS + -$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog + -$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE + -$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys + -$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux + -$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README + -$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns + -$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform + -$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep + -$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun + -$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO + +install-cygwindoc: README + $(MKDIR_P) $(DESTDIR)$(cygdocdir) + $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README + +install-doc: install-sshdoc install-cygwindoc + +install-scripts: ssh-host-config ssh-user-config + $(MKDIR_P) $(DESTDIR)$(bindir) + $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config + $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config + +install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1 + $(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id + $(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1 + +gzip-man-pages: + rm $(DESTDIR)$(mandir)/man1/slogin.1 + gzip $(DESTDIR)$(mandir)/man1/*.1 + gzip $(DESTDIR)$(mandir)/man5/*.5 + gzip $(DESTDIR)$(mandir)/man8/*.8 + cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz + +cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages + @echo "Cygwin specific configuration finished." diff --git a/contrib/cygwin/README b/contrib/cygwin/README new file mode 100644 index 0000000..3745051 --- /dev/null +++ b/contrib/cygwin/README @@ -0,0 +1,91 @@ +This package describes important Cygwin specific stuff concerning OpenSSH. + +The binary package is usually built for recent Cygwin versions and might +not run on older versions. Please check http://cygwin.com/ for information +about current Cygwin releases. + +================== +Host configuration +================== + +If you are installing OpenSSH the first time, you can generate global config +files and server keys, as well as installing sshd as a service, by running + + /usr/bin/ssh-host-config + +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-host-config is started. + +To support testing and unattended installation ssh-host-config got +some options: + +usage: ssh-host-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --cygwin -c Use "options" as value for CYGWIN environment var. + --name -N sshd windows service name. + --port -p sshd listens on port n. + --user -u privileged user for service, default 'cyg_server'. + --pwd -w Use "pwd" as password for privileged user. + --privileged On Windows XP, require privileged user + instead of LocalSystem for sshd service. + +Installing sshd as daemon via ssh-host-config is recommended. + +Alternatively you can start sshd via inetd, if you have the inetutils +package installed. Just run ssh-host-config, but answer "no" when asked +to install sshd as service. The ssh-host-config script also adds the +required lines to /etc/inetd.conf and /etc/services. + +================== +User configuration +================== + +Any user can simplify creating the own private and public keys by running + + /usr/bin/ssh-user-config + +To support testing and unattended installation ssh-user-config got +some options as well: + +usage: ssh-user-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --passphrase -p word Use "word" as passphrase automatically. + +Please note that OpenSSH does never use the value of $HOME to +search for the users configuration files! It always uses the +value of the pw_dir field in /etc/passwd as the home directory. +If no home directory is set in /etc/passwd, the root directory +is used instead! + +================ +Building OpenSSH +================ + +Building from source is easy. Just unpack the source archive, cd to that +directory, and call cygport: + + cygport openssh.cygport all + +You must have installed the following packages to be able to build OpenSSH +with the aforementioned cygport script: + + zlib + crypt + libssl-devel + libedit-devel + libkrb5-devel + +Please send requests, error reports etc. to cygwin@cygwin.com. + + +Have fun, + +Corinna Vinschen +Cygwin Developer +Red Hat Inc. diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config new file mode 100644 index 0000000..a8572e2 --- /dev/null +++ b/contrib/cygwin/ssh-host-config @@ -0,0 +1,714 @@ +#!/bin/bash +# +# ssh-host-config, Copyright 2000-2014 Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +# ====================================================================== +# Initialization +# ====================================================================== + +CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh + +# List of apps used. This is checkad for existence in csih_sanity_check +# Don't use *any* transient commands before sourcing the csih helper script, +# otherwise the sanity checks are short-circuited. +declare -a csih_required_commands=( + /usr/bin/basename coreutils + /usr/bin/cat coreutils + /usr/bin/chmod coreutils + /usr/bin/dirname coreutils + /usr/bin/id coreutils + /usr/bin/mv coreutils + /usr/bin/rm coreutils + /usr/bin/cygpath cygwin + /usr/bin/mkpasswd cygwin + /usr/bin/mount cygwin + /usr/bin/ps cygwin + /usr/bin/umount cygwin + /usr/bin/cmp diffutils + /usr/bin/grep grep + /usr/bin/awk gawk + /usr/bin/ssh-keygen openssh + /usr/sbin/sshd openssh + /usr/bin/sed sed +) +csih_sanity_check_server=yes +source ${CSIH_SCRIPT} + +PROGNAME=$(/usr/bin/basename $0) +_tdir=$(/usr/bin/dirname $0) +PROGDIR=$(cd $_tdir && pwd) + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc +LOCALSTATEDIR=/var + +sshd_config_configured=no +port_number=22 +service_name=cygsshd +strictmodes=yes +cygwin_value="" +user_account= +password_value= +opt_force=no + +# ====================================================================== +# Routine: update_services_file +# ====================================================================== +update_services_file() { + local _my_etcdir="/ssh-host-config.$$" + local _win_etcdir + local _services + local _spaces + local _serv_tmp + local _wservices + local ret=0 + + _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" + _services="${_my_etcdir}/services" + _spaces=" #" + _serv_tmp="${_my_etcdir}/srv.out.$$" + + /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" + + # Depends on the above mount + _wservices=`cygpath -w "${_services}"` + + # Add ssh 22/tcp and ssh 22/udp to services + if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] + then + if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" + then + if /usr/bin/mv "${_serv_tmp}" "${_services}" + then + csih_inform "Added ssh to ${_wservices}" + else + csih_warning "Adding ssh to ${_wservices} failed!" + let ++ret + fi + /usr/bin/rm -f "${_serv_tmp}" + else + csih_warning "Adding ssh to ${_wservices} failed!" + let ++ret + fi + fi + /usr/bin/umount "${_my_etcdir}" + return $ret +} # --- End of update_services_file --- # + +# ====================================================================== +# Routine: sshd_strictmodes +# MODIFIES: strictmodes +# ====================================================================== +sshd_strictmodes() { + if [ "${sshd_config_configured}" != "yes" ] + then + echo + csih_inform "StrictModes is set to 'yes' by default." + csih_inform "This is the recommended setting, but it requires that the POSIX" + csih_inform "permissions of the user's home directory, the user's .ssh" + csih_inform "directory, and the user's ssh key files are tight so that" + csih_inform "only the user has write permissions." + csih_inform "On the other hand, StrictModes don't work well with default" + csih_inform "Windows permissions of a home directory mounted with the" + csih_inform "'noacl' option, and they don't work at all if the home" + csih_inform "directory is on a FAT or FAT32 partition." + if ! csih_request "Should StrictModes be used?" + then + strictmodes=no + fi + fi + return 0 +} + +# ====================================================================== +# Routine: sshd_privsep +# Try to create ssshd user account +# ====================================================================== +sshd_privsep() { + local ret=0 + + if [ "${sshd_config_configured}" != "yes" ] + then + if ! csih_create_unprivileged_user sshd + then + csih_error_recoverable "Could not create user 'sshd'!" + csih_error_recoverable "You will not be able to run an sshd service" + csih_error_recoverable "under a privileged account successfully." + csih_error_recoverable "Make sure to create a non-privileged user 'sshd'" + csih_error_recoverable "manually before trying to run the service!" + let ++ret + fi + fi + return $ret +} # --- End of sshd_privsep --- # + +# ====================================================================== +# Routine: sshd_config_tweak +# ====================================================================== +sshd_config_tweak() { + local ret=0 + + # Modify sshd_config + csih_inform "Updating ${SYSCONFDIR}/sshd_config file" + if [ "${port_number}" -ne 22 ] + then + /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ + ${SYSCONFDIR}/sshd_config + if [ $? -ne 0 ] + then + csih_warning "Setting listening port to ${port_number} failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi + fi + if [ "${strictmodes}" = "no" ] + then + /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ + ${SYSCONFDIR}/sshd_config + if [ $? -ne 0 ] + then + csih_warning "Setting StrictModes to 'no' failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi + fi + return $ret +} # --- End of sshd_config_tweak --- # + +# ====================================================================== +# Routine: update_inetd_conf +# ====================================================================== +update_inetd_conf() { + local _inetcnf="${SYSCONFDIR}/inetd.conf" + local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" + local _inetcnf_dir="${SYSCONFDIR}/inetd.d" + local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" + local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" + local _with_comment=1 + local ret=0 + + if [ -d "${_inetcnf_dir}" ] + then + # we have inetutils-1.5 inetd.d support + if [ -f "${_inetcnf}" ] + then + /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 + + # check for sshd OR ssh in top-level inetd.conf file, and remove + # will be replaced by a file in inetd.d/ + if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] + then + /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" + then + csih_inform "Removed ssh[d] from ${_inetcnf}" + else + csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + let ++ret + fi + /usr/bin/rm -f "${_inetcnf_tmp}" + else + csih_warning "Removing ssh[d] from ${_inetcnf} failed!" + let ++ret + fi + fi + fi + + csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" + if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 + then + if [ "${_with_comment}" -eq 0 ] + then + /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + else + /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + fi + if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" + then + csih_inform "Updated ${_sshd_inetd_conf}" + else + csih_warning "Updating ${_sshd_inetd_conf} failed!" + let ++ret + fi + fi + + elif [ -f "${_inetcnf}" ] + then + /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 + + # check for sshd in top-level inetd.conf file, and remove + # will be replaced by a file in inetd.d/ + if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + then + /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + if [ -f "${_inetcnf_tmp}" ] + then + if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" + then + csih_inform "Removed sshd from ${_inetcnf}" + else + csih_warning "Removing sshd from ${_inetcnf} failed!" + let ++ret + fi + /usr/bin/rm -f "${_inetcnf_tmp}" + else + csih_warning "Removing sshd from ${_inetcnf} failed!" + let ++ret + fi + fi + + # Add ssh line to inetd.conf + if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] + then + if [ "${_with_comment}" -eq 0 ] + then + echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + else + echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" + fi + if [ $? -eq 0 ] + then + csih_inform "Added ssh to ${_inetcnf}" + else + csih_warning "Adding ssh to ${_inetcnf} failed!" + let ++ret + fi + fi + fi + return $ret +} # --- End of update_inetd_conf --- # + +# ====================================================================== +# Routine: check_service_files_ownership +# Checks that the files in /etc and /var belong to the right owner +# ====================================================================== +check_service_files_ownership() { + local run_service_as=$1 + local ret=0 + + if [ -z "${run_service_as}" ] + then + accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" | + /usr/bin/sed -ne 's/^Account *: *//gp') + if [ "${accnt_name}" = "LocalSystem" ] + then + # Convert "LocalSystem" to "SYSTEM" as is the correct account name + run_service_as="SYSTEM" + else + dom="${accnt_name%%\\*}" + accnt_name="${accnt_name#*\\}" + if [ "${dom}" = '.' ] + then + # Check local account + run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | + /usr/bin/awk -F: '{print $1;}') + else + # Check domain + run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | + /usr/bin/awk -F: '{print $1;}') + fi + fi + if [ -z "${run_service_as}" ] + then + csih_warning "Couldn't determine name of user running ${service_name} service from account database!" + csih_warning "As a result, this script cannot make sure that the files used" + csih_warning "by the ${service_name} service belong to the user running the service." + return 1 + fi + fi + for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub + do + if [ -f "$i" ] + then + if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of $i!" + let ++ret + fi + fi + done + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" + let ++ret + fi + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" + let ++ret + fi + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 + then + csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" + let ++ret + fi + fi + if [ $ret -ne 0 ] + then + csih_warning "Couldn't change owner of important files to ${run_service_as}!" + csih_warning "This may cause the ${service_name} service to fail! Please make sure that" + csih_warning "you have sufficient permissions to change the ownership of files" + csih_warning "and try to run the ssh-host-config script again." + fi + return $ret +} # --- End of check_service_files_ownership --- # + +# ====================================================================== +# Routine: install_service +# Install sshd as a service +# ====================================================================== +install_service() { + local run_service_as + local password + local ret=0 + + echo + if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1 + then + csih_inform "Sshd service is already installed." + check_service_files_ownership "" || let ret+=$? + else + echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" + if csih_request "(Say \"no\" if it is already installed as a service)" + then + csih_get_cygenv "${cygwin_value}" + + if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] ) + then + # Enforce using privileged user on 64 bit Vista or W7 under WOW64 + is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0) + + if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] ) + then + csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7" + csih_inform "the SYSTEM account is not sufficient to setuid to a local" + csih_inform "user account. You need to have or to create a privileged" + csih_inform "account. This script will help you do so." + echo + csih_FORCE_PRIVILEGED_USER=yes + fi + fi + + if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) + then + [ "${opt_force}" = "yes" ] && opt_f=-f + [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" + csih_select_privileged_username ${opt_f} ${opt_u} sshd + + if ! csih_create_privileged_user "${password_value}" + then + csih_error_recoverable "There was a serious problem creating a privileged user." + csih_request "Do you want to proceed anyway?" || exit 1 + let ++ret + fi + # Never returns empty if NT or above + run_service_as=$(csih_service_should_run_as) + else + run_service_as="SYSTEM" + fi + + if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] + then + password="${csih_PRIVILEGED_PASSWORD}" + if [ -z "${password}" ] + then + csih_get_value "Please enter the password for user '${run_service_as}':" "-s" + password="${csih_value}" + fi + fi + + # At this point, we either have $run_service_as = "system" and + # $password is empty, or $run_service_as is some privileged user and + # (hopefully) $password contains the correct password. So, from here + # out, we use '-z "${password}"' to discriminate the two cases. + + csih_check_user "${run_service_as}" + + if [ -n "${csih_cygenv}" ] + then + cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) + fi + if [ -z "${password}" ] + then + if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \ + -a "-D" -y tcpip "${cygwin_env[@]}" + then + echo + csih_inform "The sshd service has been installed under the LocalSystem" + csih_inform "account (also known as SYSTEM). To start the service now, call" + csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'. Otherwise, it" + csih_inform "will start automatically after the next reboot." + fi + else + if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \ + -a "-D" -y tcpip "${cygwin_env[@]}" \ + -u "${run_service_as}" -w "${password}" + then + /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight + echo + csih_inform "The sshd service has been installed under the '${run_service_as}'" + csih_inform "account. To start the service now, call \`net start ${service_name}' or" + csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start automatically" + csih_inform "after the next reboot." + fi + fi + + if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1 + then + check_service_files_ownership "${run_service_as}" || let ret+=$? + else + csih_error_recoverable "Installing sshd as a service failed!" + let ++ret + fi + fi # user allowed us to install as service + fi # service not yet installed + return $ret +} # --- End of install_service --- # + +# ====================================================================== +# Main Entry Point +# ====================================================================== + +# Check how the script has been started. If +# (1) it has been started by giving the full path and +# that path is /etc/postinstall, OR +# (2) Otherwise, if the environment variable +# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set +# then set auto_answer to "no". This allows automatic +# creation of the config files in /etc w/o overwriting +# them if they already exist. In both cases, color +# escape sequences are suppressed, so as to prevent +# cluttering setup's logfiles. +if [ "$PROGDIR" = "/etc/postinstall" ] +then + csih_auto_answer="no" + csih_disable_color + opt_force=yes +fi +if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] +then + csih_auto_answer="no" + csih_disable_color + opt_force=yes +fi + +# ====================================================================== +# Parse options +# ====================================================================== +while : +do + case $# in + 0) + break + ;; + esac + + option=$1 + shift + + case "${option}" in + -d | --debug ) + set -x + csih_trace_on + ;; + + -y | --yes ) + csih_auto_answer=yes + opt_force=yes + ;; + + -n | --no ) + csih_auto_answer=no + opt_force=yes + ;; + + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + + -N | --name ) + service_name=$1 + shift + ;; + + -p | --port ) + port_number=$1 + shift + ;; + + -u | --user ) + user_account="$1" + shift + ;; + + -w | --pwd ) + password_value="$1" + shift + ;; + + --privileged ) + csih_FORCE_PRIVILEGED_USER=yes + ;; + + *) + echo "usage: ${progname} [OPTION]..." + echo + echo "This script creates an OpenSSH host configuration." + echo + echo "Options:" + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --name -N sshd windows service name." + echo " --port -p sshd listens on port n." + echo " --user -u privileged user for service, default 'cyg_server'." + echo " --pwd -w Use \"pwd\" as password for privileged user." + echo " --privileged On Windows XP, require privileged user" + echo " instead of LocalSystem for sshd service." + echo + exit 1 + ;; + + esac +done + +# ====================================================================== +# Action! +# ====================================================================== + +# Check for running ssh/sshd processes first. Refuse to do anything while +# some ssh processes are still running +if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' +then + echo + csih_error "There are still ssh processes running. Please shut them down first." +fi + +# Make sure the user is running in an administrative context +admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) +if [ "${admin}" != "yes" ] +then + echo + csih_warning "Running this script typically requires administrator privileges!" + csih_warning "However, it seems your account does not have these privileges." + csih_warning "Here's the list of groups in your user token:" + echo + /usr/bin/id -Gnz | xargs -0n1 echo " " + echo + csih_warning "This usually means you're running this script from a non-admin" + csih_warning "desktop session, or in a non-elevated shell under UAC control." + echo + csih_warning "Make sure you have the appropriate privileges right now," + csih_warning "otherwise parts of this script will probably fail!" + echo + echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" + if ! csih_request "you have the required privileges)" + then + echo + csih_inform "Ok. Exiting. Make sure to switch to an administrative account" + csih_inform "or to start this script from an elevated shell." + exit 1 + fi +fi + +echo + +warning_cnt=0 + +# Create /var/log/lastlog if not already exists +if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] +then + echo + csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ + "Cannot create ssh host configuration." +fi +if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] +then + /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 + then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" + let ++warning_cnt + fi +fi + +# Create /var/empty file used as chroot jail for privilege separation +csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." +if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 +then + csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" + let ++warning_cnt +fi + +# generate missing host keys +csih_inform "Generating missing SSH host keys" +/usr/bin/ssh-keygen -A || let warning_cnt+=$? + +# handle ssh_config +csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 +then + if [ "${port_number}" != "22" ] + then + csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" + echo "Host localhost" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config + fi +fi + +# handle sshd_config +# make sure not to change the existing file +mod_before="" +if [ -e "${SYSCONFDIR}/sshd_config" ] +then + mod_before=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:') +fi +csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt +mod_now=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:') +if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 +then + sshd_config_configured=yes +fi +if [ "${mod_before}" != "${mod_now}" ] +then + sshd_strictmodes || let warning_cnt+=$? + sshd_config_tweak || let warning_cnt+=$? +fi +#sshd_privsep || let warning_cnt+=$? +update_services_file || let warning_cnt+=$? +update_inetd_conf || let warning_cnt+=$? +install_service || let warning_cnt+=$? + +echo +if [ $warning_cnt -eq 0 ] +then + csih_inform "Host configuration finished. Have fun!" +else + csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" + csih_warning "Make sure that all problems reported are fixed," + csih_warning "then re-run ssh-host-config." +fi +exit $warning_cnt diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config new file mode 100644 index 0000000..6fa4bb3 --- /dev/null +++ b/contrib/cygwin/ssh-user-config @@ -0,0 +1,257 @@ +#!/bin/bash +# +# ssh-user-config, Copyright 2000-2014 Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +# THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +# ====================================================================== +# Initialization +# ====================================================================== +PROGNAME=$(basename -- $0) +_tdir=$(dirname -- $0) +PROGDIR=$(cd $_tdir && pwd) + +CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc + +source ${CSIH_SCRIPT} + +auto_passphrase="no" +passphrase="" +pwdhome= +with_passphrase= + +# ====================================================================== +# Routine: create_identity +# optionally create identity of type argument in ~/.ssh +# optionally add result to ~/.ssh/authorized_keys +# ====================================================================== +create_identity() { + local file="$1" + local type="$2" + local name="$3" + if [ ! -f "${pwdhome}/.ssh/${file}" ] + then + if csih_request "Shall I create a ${name} identity file for you?" + then + csih_inform "Generating ${pwdhome}/.ssh/${file}" + if [ "${with_passphrase}" = "yes" ] + then + ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null + else + ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null + fi + if csih_request "Do you want to use this identity to login to this machine?" + then + csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" + cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys" + fi + fi + fi +} # === End of create_ssh1_identity() === # +readonly -f create_identity + +# ====================================================================== +# Routine: check_user_homedir +# Perform various checks on the user's home directory +# SETS GLOBAL VARIABLE: +# pwdhome +# ====================================================================== +check_user_homedir() { + pwdhome=$(getent passwd $UID | awk -F: '{ print $6; }') + if [ "X${pwdhome}" = "X" ] + then + csih_error_multi \ + "There is no home directory set for you in the account database." \ + 'Setting $HOME is not sufficient!' + fi + + if [ ! -d "${pwdhome}" ] + then + csih_error_multi \ + "${pwdhome} is set in the account database as your home directory" \ + 'but it is not a valid directory. Cannot create user identity files.' + fi + + # If home is the root dir, set home to empty string to avoid error messages + # in subsequent parts of that script. + if [ "X${pwdhome}" = "X/" ] + then + # But first raise a warning! + csih_warning "Your home directory in the account database is set to root (/). This is not recommended!" + if csih_request "Would you like to proceed anyway?" + then + pwdhome='' + else + csih_warning "Exiting. Configuration is not complete" + exit 1 + fi + fi + + if [ -d "${pwdhome}" -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] + then + echo + csih_warning 'group and other have been revoked write permission to your home' + csih_warning "directory ${pwdhome}." + csih_warning 'This is required by OpenSSH to allow public key authentication using' + csih_warning 'the key files stored in your .ssh subdirectory.' + csih_warning 'Revert this change ONLY if you know what you are doing!' + echo + fi +} # === End of check_user_homedir() === # +readonly -f check_user_homedir + +# ====================================================================== +# Routine: check_user_dot_ssh_dir +# Perform various checks on the ~/.ssh directory +# PREREQUISITE: +# pwdhome -- check_user_homedir() +# ====================================================================== +check_user_dot_ssh_dir() { + if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] + then + csih_error "${pwdhome}/.ssh is existent but not a directory. Cannot create user identity files." + fi + + if [ ! -e "${pwdhome}/.ssh" ] + then + mkdir "${pwdhome}/.ssh" + if [ ! -e "${pwdhome}/.ssh" ] + then + csih_error "Creating users ${pwdhome}/.ssh directory failed" + fi + fi +} # === End of check_user_dot_ssh_dir() === # +readonly -f check_user_dot_ssh_dir + +# ====================================================================== +# Routine: fix_authorized_keys_perms +# Corrects the permissions of ~/.ssh/authorized_keys +# PREREQUISITE: +# pwdhome -- check_user_homedir() +# ====================================================================== +fix_authorized_keys_perms() { + if [ -e "${pwdhome}/.ssh/authorized_keys" ] + then + setfacl -b "${pwdhome}/.ssh/authorized_keys" 2>/dev/null || echo -n + if ! chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys" + then + csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" + csih_warning "failed. Please care for the correct permissions. The minimum requirement" + csih_warning "is, the owner needs read permissions." + echo + fi + fi +} # === End of fix_authorized_keys_perms() === # +readonly -f fix_authorized_keys_perms + + +# ====================================================================== +# Main Entry Point +# ====================================================================== + +# Check how the script has been started. If +# (1) it has been started by giving the full path and +# that path is /etc/postinstall, OR +# (2) Otherwise, if the environment variable +# SSH_USER_CONFIG_AUTO_ANSWER_NO is set +# then set auto_answer to "no". This allows automatic +# creation of the config files in /etc w/o overwriting +# them if they already exist. In both cases, color +# escape sequences are suppressed, so as to prevent +# cluttering setup's logfiles. +if [ "$PROGDIR" = "/etc/postinstall" ] +then + csih_auto_answer="no" + csih_disable_color +fi +if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ] +then + csih_auto_answer="no" + csih_disable_color +fi + +# ====================================================================== +# Parse options +# ====================================================================== +while : +do + case $# in + 0) + break + ;; + esac + + option=$1 + shift + + case "$option" in + -d | --debug ) + set -x + csih_trace_on + ;; + + -y | --yes ) + csih_auto_answer=yes + ;; + + -n | --no ) + csih_auto_answer=no + ;; + + -p | --passphrase ) + with_passphrase="yes" + passphrase=$1 + shift + ;; + + *) + echo "usage: ${PROGNAME} [OPTION]..." + echo + echo "This script creates an OpenSSH user configuration." + echo + echo "Options:" + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --passphrase -p word Use \"word\" as passphrase automatically." + echo + exit 1 + ;; + + esac +done + +# ====================================================================== +# Action! +# ====================================================================== + +check_user_homedir +check_user_dot_ssh_dir +create_identity id_rsa rsa "SSH2 RSA" +create_identity id_dsa dsa "SSH2 DSA" +create_identity id_ecdsa ecdsa "SSH2 ECDSA" +create_identity identity rsa1 "(deprecated) SSH1 RSA" +fix_authorized_keys_perms + +echo +csih_inform "Configuration finished. Have fun!" + + diff --git a/contrib/cygwin/sshd-inetd b/contrib/cygwin/sshd-inetd new file mode 100644 index 0000000..aa6bf07 --- /dev/null +++ b/contrib/cygwin/sshd-inetd @@ -0,0 +1,4 @@ +# This file can be used to enable sshd as a slave of the inetd service +# To do so, the line below should be uncommented. +@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i + -- cgit v1.2.3