* RE: Take 2: Testers for new ssh-*-config scripts wanted!
@ 2003-11-03 22:05 ` DePriest, Jason R.
2003-11-04 2:37 ` Alan Dobkin
2003-11-04 8:37 ` Corinna Vinschen
0 siblings, 2 replies; 9+ messages in thread
From: DePriest, Jason R. @ 2003-11-03 22:05 UTC (permalink / raw)
To: cygwin
> -----Original Message-----
> From: cygwin-owner@cygwin.com
> [mailto:cygwin-owner@cygwin.com] On Behalf Of Corinna Vinschen
> Sent: Monday, November 03, 2003 3:41 PM
> To: cygwin@cygwin.com
> Subject: Re: Take 2: Testers for new ssh-*-config scripts wanted!
[-<snip>-]
> However, I have still a problem. Does anybody know how I can set
> "Password never expires" from the command line? I know how to do this
> with dsadd, but that only works on domain machines so it's no generic
> solution. If I can't do this in the script, everybody would have to
> set this in the Computer Management Console by hand :-(
[-</snip>-]
[-<snip>-]
> Thanks,
> Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
> mailto:cygwin@cygwin.com
> Red Hat, Inc.
Corinna,
User Accounts have a USER_FLAGS attribute that can be any combination of
a couple of values. One of these can be UF_DONT_EXPIRE_PASSWORD. If it
is present, the password never expires.
I typically manipulate it using Dave Roth's Win32::AdminMisc perl module
(UserGetMiscAttributes and UserSetMiscAttributes)... which is likely
beyond the scope of what you want this script to do.
The CREATEUSERS.VBS script from the Windows 2000 Resource Kit
(Supplement 1) looks promising. I haven't used it, but the code seems
capable of specifying the UF_DONT_EXPIRE_PASSWORD option.
I would attach the .vbs file (as a .txt file), but it is copyrighted by
Microsoft. If anyone knows if emailing it would be "bad" or not, let me
know.
-Jason
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-03 22:05 ` Take 2: Testers for new ssh-*-config scripts wanted! DePriest, Jason R.
@ 2003-11-04 2:37 ` Alan Dobkin
2003-11-04 8:33 ` Corinna Vinschen
2003-11-04 8:37 ` Corinna Vinschen
1 sibling, 1 reply; 9+ messages in thread
From: Alan Dobkin @ 2003-11-04 2:37 UTC (permalink / raw)
To: Cygwin Mailing List
I use Dave Roth's perl module for more complex user flag settings,
but the hands down easiest way to do this is with the NET command:
NET USER username /EXPIRES:NEVER
This command is built-in on all Windows NT/2K/XP systems. For more
details see NET HELP USER.
Alan
--On Monday, November 03, 2003 4:05 PM -0600 "DePriest, Jason R."
<jrdepriest@ftb.com> wrote:
>> Does anybody know how I can set "Password never expires"
>> from the command line?
>
> Corinna,
>
> User Accounts have a USER_FLAGS attribute that can be any combination of
> a couple of values. One of these can be UF_DONT_EXPIRE_PASSWORD. If it
> is present, the password never expires.
>
> I typically manipulate it using Dave Roth's Win32::AdminMisc perl module
> (UserGetMiscAttributes and UserSetMiscAttributes)... which is likely
> beyond the scope of what you want this script to do.
>
> The CREATEUSERS.VBS script from the Windows 2000 Resource Kit
> (Supplement 1) looks promising. I haven't used it, but the code seems
> capable of specifying the UF_DONT_EXPIRE_PASSWORD option.
> I would attach the .vbs file (as a .txt file), but it is copyrighted by
> Microsoft. If anyone knows if emailing it would be "bad" or not, let me
> know.
>
> -Jason
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-04 2:37 ` Alan Dobkin
@ 2003-11-04 8:33 ` Corinna Vinschen
0 siblings, 0 replies; 9+ messages in thread
From: Corinna Vinschen @ 2003-11-04 8:33 UTC (permalink / raw)
To: Cygwin Mailing List
On Mon, Nov 03, 2003 at 09:34:04PM -0500, Alan Dobkin wrote:
> I use Dave Roth's perl module for more complex user flag settings,
> but the hands down easiest way to do this is with the NET command:
>
> NET USER username /EXPIRES:NEVER
Unfortunately that's not right. I thought the same and used that
command line switch but it has another meaning. There's a difference
between expiry of a password and expiry of an account. /EXPIRES
means the latter while we need the former meaning. There seem to
be no `net user' switch for password expiry. Which in turn results
in the sshd_server password expiring after 42 days by default :-(
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-03 22:05 ` Take 2: Testers for new ssh-*-config scripts wanted! DePriest, Jason R.
2003-11-04 2:37 ` Alan Dobkin
@ 2003-11-04 8:37 ` Corinna Vinschen
1 sibling, 0 replies; 9+ messages in thread
From: Corinna Vinschen @ 2003-11-04 8:37 UTC (permalink / raw)
To: cygwin
On Mon, Nov 03, 2003 at 04:05:43PM -0600, DePriest, Jason R. wrote:
> User Accounts have a USER_FLAGS attribute that can be any combination of
> a couple of values. One of these can be UF_DONT_EXPIRE_PASSWORD. If it
> is present, the password never expires.
>
> I typically manipulate it using Dave Roth's Win32::AdminMisc perl module
> (UserGetMiscAttributes and UserSetMiscAttributes)... which is likely
> beyond the scope of what you want this script to do.
>
> The CREATEUSERS.VBS script from the Windows 2000 Resource Kit
> (Supplement 1) looks promising. I haven't used it, but the code seems
> capable of specifying the UF_DONT_EXPIRE_PASSWORD option.
> I would attach the .vbs file (as a .txt file), but it is copyrighted by
> Microsoft. If anyone knows if emailing it would be "bad" or not, let me
> know.
While I'm somewhat reluctant to add a VB script to OpenSSH (for apparent
reasons I hop), this description leads me to looking into the "passwd"
tool again, which is part of the cygwin package itself. It should be
possible to add this functionality with not too much effort.
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-03 21:40 ` Corinna Vinschen
@ 2003-11-04 13:03 ` Corinna Vinschen
0 siblings, 0 replies; 9+ messages in thread
From: Corinna Vinschen @ 2003-11-04 13:03 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2190 bytes --]
On Mon, Nov 03, 2003 at 10:40:43PM +0100, Corinna Vinschen wrote:
> I'm running a 2003 Server as standalone (non-domain) server. In that
> setting, password complexity is disabled by default, so I missed that one,
> too. Thanks for the heads up. I changed the password to SSHD_server,
> which seem to be fine for the complexity rule.
>
> However, I have still a problem. Does anybody know how I can set
> "Password never expires" from the command line? I know how to do this
> with dsadd, but that only works on domain machines so it's no generic
> solution. If I can't do this in the script, everybody would have to
> set this in the Computer Management Console by hand :-(
I've again attached a new ssh-host-config file for testing. As it turned
out, I mis-tested the password complexity rule. The password SSHD_server
was not sufficient.
The script now calls the passwd utility from the cygwin base package
to set the user flags to "Password never expires". This will only
work with the new passwd from current CVS, version 1.5. The current
version released with Cygwin 1.5.5 is 1.4. Up to 1.4, the passwd tool
has no -e option to set the UF_DONT_EXPIRE_PASSWD flag. ssh-host-config
checks for the version number of the passwd tool and either calls it
or emits an additional warning that the expiry must be checked.
Please give it another try, even if it gets boring.
Thanks in advance,
Corinna
Changes:
- Don't use fixed password for sshd_server account but ask the user
now for a password.
- Extend some warning and info messages.
- Add -c/--cygwin option to allow automating the setting of the
environment variable CYGWIN for the sshd service.
- Add -w/--pwd option to allow automating the password setting
for the sshd_server account.
- Always recreate the sshd_server entry in /etc/passwd to overwrite
weird settings.
- If passwd supports the -e option, use it, otherwise emit warning
message that password expiry of sshd_server account should be
checked.
- A few code cleanups.
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
[-- Attachment #2: ssh-host-config --]
[-- Type: text/plain, Size: 17334 bytes --]
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
port_number=22
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
request()
{
if [ "${auto_answer}" = "yes" ]
then
echo "$1 (yes/no) yes"
return 0
elif [ "${auto_answer}" = "no" ]
then
echo "$1 (yes/no) no"
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read -e answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "${option}" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-c | --cygwin )
cygwin_value="$1"
shift
;;
-p | --port )
port_number=$1
shift
;;
-w | --pwd )
password_value="$1"
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
echo " --pwd -w <passwd> Use \"pwd\" as password for user 'sshd_server'."
echo
exit 1
;;
esac
done
# Check if running on NT
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
echo "There are still ssh processes running. Please shut them down first."
echo
exit 1
fi
# Check for ${SYSCONFDIR} directory
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
echo "${SYSCONFDIR} is existant but not a directory."
echo "Cannot create global configuration files."
echo
exit 1
fi
# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
mkdir "${SYSCONFDIR}"
if [ ! -e "${SYSCONFDIR}" ]
then
echo
echo "Creating ${SYSCONFDIR} directory failed"
echo
exit 1
fi
fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -f ${LOCALSTATEDIR}/log ]
then
echo "Creating ${LOCALSTATEDIR}/log failed!"
else
if [ ! -d ${LOCALSTATEDIR}/log ]
then
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
then
chmod 777 ${LOCALSTATEDIR}/log/lastlog
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 666 ${LOCALSTATEDIR}/log/lastlog
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
mkdir -p ${LOCALSTATEDIR}/empty
if [ ${_nt} -gt 0 ]
then
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
# First generate host keys if not already existing
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
# Check if ssh_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
rm -f "${SYSCONFDIR}/ssh_config"
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi
fi
fi
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "${port_number}" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Check if sshd_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
then
rm -f "${SYSCONFDIR}/sshd_config"
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
fi
else
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "${privsep_configured}" != "yes" ]
then
if [ ${_nt} -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
echo
if request "Should privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "${sshd_in_passwd}" != "yes" ]
then
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Should this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "${sshd_in_sam}" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
echo " Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
else
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
# On NT, 27 spaces, no space after the hash
_spaces=" #"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
# On 9x, 18 spaces (95 is very touchy), a space after the hash
_spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "WARNING: Adding ssh to ${_wservices} failed!"
fi
fi
umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
if [ -f "${_inetcnf}" ]
then
# Check if ssh service is already in use as sshd
with_comment=1
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
# Remove sshd line from inetd.conf
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
echo "Added ssh to ${_inetcnf}"
fi
fi
# On NT ask if sshd should be installed as service
if [ ${_nt} -gt 0 ]
then
# But only if it is not already installed
if ! cygrunsrv -Q sshd > /dev/null 2>&1
then
echo
echo
echo "Warning: The following functions require administrator privileges!"
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
if [ "${sshd_server_in_passwd}" = "yes" ]
then
# Drop sshd_server from passwd since it could have wrong settings
grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
rm -f ${SYSCONFDIR}/passwd
mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
chmod g-w,o-w ${SYSCONFDIR}/passwd
fi
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
if [ "${sshd_server_in_sam}" != "yes" ]
then
echo
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
echo "later systems, it's not possible to use the LocalSystem account"
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
echo "If you want to enable that functionality, it's required to create a new"
echo "account 'sshd_server' with special privileges, which is then used to run"
echo "the sshd service under."
echo
echo "Should this script create a new local account 'sshd_server' which has"
if request "the required privileges?"
then
_admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
if [ -z "${_admingroup}" ]
then
echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
echo "and restart this script."
exit 1
fi
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
while [ "${sshd_server_in_sam}" != "yes" ]
do
if [ -n "${password_value}" ]
then
_password="${password_value}"
# Allow to ask for password if first try fails
password_value=""
else
echo
echo "Please enter a password for new user 'sshd_server'. Please be sure that"
echo "this password matches the password rules given on your system."
echo -n "Entering no password will exit the configuration. PASSWORD="
read -e _password
if [ -z "${_password}" ]
then
echo
echo "Exiting configuration. No user sshd_server has been created,"
echo "no sshd service installed."
exit 1
fi
fi
net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
if [ "${sshd_server_in_sam}" != "yes" ]
then
echo "Creating the user 'sshd_server' failed! Reason:"
cat /tmp/nu.$$
rm /tmp/nu.$$
fi
done
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
if [ "${sshd_server_in_admingroup}" != "yes" ]
then
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
echo "Please add sshd_server to local group ${_admingroup} before"
echo "starting the sshd service!"
echo
fi
passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
if [ "${passwd_has_expiry_flags}" != "yes" ]
then
echo
echo "WARNING: User sshd_server has password expiry set to system default."
echo "Please check that password never expires or set it to your needs."
elif ! passwd -e sshd_server
then
echo
echo "WARNING: Setting password expiry for user sshd_server failed!"
echo "Please check that password never expires or set it to your needs."
fi
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
editrights -a SeCreateTokenPrivilege -u sshd_server &&
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
editrights -a SeServiceLogonRight -u sshd_server &&
sshd_server_got_all_rights="yes"
if [ "${sshd_server_got_all_rights}" != "yes" ]
then
echo
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
echo
echo "User 'sshd_server' has been created with password '${_password}'."
echo "If you change the password, please keep in mind to change the password"
echo "for the sshd service, too."
echo
echo "Also keep in mind that the user sshd_server needs read permissions on all"
echo "users' .ssh/authorized_keys file to allow public key authentication for"
echo "these users!. (Re-)running ssh-user-config for each user will set the"
echo "required permissions correctly."
echo
fi
fi
if [ "${sshd_server_in_sam}" = "yes" ]
then
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
if [ -n "${cygwin_value}" ]
then
_cygwin="${cygwin_value}"
else
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read -e _cygwin
fi
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under sshd_server account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
else
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under LocalSystem account."
echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
fi
fi
fi
# Now check if sshd has been successfully installed. This allows to
# set the ownership of the affected files correctly.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
then
_user="sshd_server"
else
_user="system"
fi
chown "${_user}" ${SYSCONFDIR}/ssh*
chown "${_user}".544 ${LOCALSTATEDIR}/empty
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
fi
fi
fi
fi
echo
echo "Host configuration finished. Have fun!"
[-- Attachment #3: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-03 16:22 Corinna Vinschen
2003-11-03 17:51 ` Philippe Torche
@ 2003-11-04 7:52 ` Mader, Alexander
1 sibling, 0 replies; 9+ messages in thread
From: Mader, Alexander @ 2003-11-04 7:52 UTC (permalink / raw)
To: cygwin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hallo,
I proceeded as described and sshd works according to /etc/passwd and
ntsec after starting manually in the environment listed below.
Regards, Alexander.
8< ---------------------------------------------------- >8
$ cygcheck -sr
Cygwin Win95/NT Configuration Diagnostics
Current System Time: Tue Nov 04 08:14:41 2003
Windows 2000 Professional Ver 5.0 Build 2195 Service Pack 3
...
HKEY_CURRENT_USER\Software\Cygnus Solutions
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\mounts v2
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\Program Options
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2
~ (default) = `/cygdrive'
~ cygdrive flags = 0x00000022
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/
~ (default) = `d:\cygwin'
~ flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/usr/bin
~ (default) = `d:\cygwin/bin'
~ flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/usr/lib
~ (default) = `d:\cygwin/lib'
~ flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts
v2\/usr/X11R6/lib/X11/fonts
~ (default) = `d:\cygwin\usr\X11R6\lib\X11\fonts'
~ flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\Program Options
...
~ 949k 2003/09/20 d:\cygwin\bin\cygwin1.dll
~ Cygwin DLL version info:
~ DLL version: 1.5.5
~ DLL epoch: 19
~ DLL bad signal mask: 19005
~ DLL old termios: 5
~ DLL malloc env: 28
~ API major: 0
~ API minor: 94
~ Shared data: 3
~ DLL identifier: cygwin1
~ Mount registry: 2
~ Cygnus registry name: Cygnus Solutions
~ Cygwin registry name: Cygwin
~ Program options name: Program Options
~ Cygwin mount registry name: mounts v2
~ Cygdrive flags: cygdrive flags
~ Cygdrive prefix: cygdrive prefix
~ Cygdrive default prefix:
~ Build date: Sat Sep 20 16:31:15 EDT 2003
~ CVS tag: cr-0x9b
~ Shared id: cygwin1S3
...
Cygwin Package Information
Package Version
_update-info-dir 00221-1
ash 20031007-1
autoconf 2.57a-1
autoconf-devel 2.57-2
autoconf-stable 2.13-5
automake 1.7.5a-1
automake-devel 1.7.6-2
automake-stable 1.4p5-6
base-files 2.6-1
base-passwd 1.1-1
bash 2.05b-16
binutils 20030901-1
bzip2 1.0.2-5
check 0.8.4-1
clear 1.0-1
cpio 2.5-3
crypt 1.1-1
ctags 5.5-4
cvs 1.11.6-3
cygipc 2.02-1
cygrunsrv 0.96-2
cygutils 1.2.2-1
cygwin 1.5.5-1
cygwin-doc 1.3-6
diff 1.0-1
diffutils 2.8.4-1
ed 0.2-1
editrights 1.01-1
emacs 21.2-12
emacs-X11 21.2-12
expat 1.95.6-2
file 4.03-2
fileutils 4.1-2
findutils 4.1.7-4
fontconfig 2.2.0-1
freetype2 2.1.5-1
gawk 3.1.3-4
gcc 3.3.1-3
gcc-mingw 20030911-4
gcc-mingw-core 20031020-1
gdb 20030919-1
gdbm 1.8.3-7
gettext 0.12.1-3
gettext-devel 0.12.1-3
ghostscript 7.05-2
ghostscript-base 7.05-2
ghostscript-x11 7.05-2
gnupg 1.2.2-3
grep 2.5-1
groff 1.18.1-2
gzip 1.3.5-1
inetutils 1.3.2-25
jpeg 6b-11
less 381-1
libbz2_1 1.0.2-5
libdb3.1 3.1.17-2
libfontconfig1 2.2.0-1
libfreetype26 2.1.5-1
libgdbm 1.8.0-5
libgdbm-devel 1.8.3-7
libgdbm3 1.8.3-3
libgdbm4 1.8.3-7
libgettextpo0 0.12.1-3
libiconv2 1.9.1-3
libintl 0.10.38-3
libintl1 0.10.40-1
libintl2 0.12.1-3
libjpeg62 6b-11
libjpeg6b 6b-8
libkpathsea3 2.0.2-13
libkpathsea3abi13 2.0.2-2
libltdl3 1.5-3
libncurses5 5.2-1
libncurses6 5.2-8
libncurses7 5.3-4
libpcre 4.1-1
libpcre0 4.4-2
libpng12 1.2.5-4
libpng12-devel 1.2.5-4
libpopt0 1.6.4-4
libreadline4 4.1-2
libreadline5 4.3-5
libtiff-devel 3.6.0-5
libtiff3 3.6.0-2
libtiff4 3.6.0-5
libtool 1.5a-1
libtool-devel 1.5-3
libtool-stable 1.4.3-2
login 1.9-7
m4 1.4-1
make 3.80-1
man 1.5j-2
mingw-runtime 3.2-1
mktemp 1.5-3
ncurses 5.3-4
openssh 3.7.1p2-1
openssl 0.9.7c-1
pcre 4.4-2
pcre-doc 4.4-2
perl 5.8.0-5
rcs 5.7-3
readline 4.3-5
rsync 2.5.6-2
sed 4.0.7-3
sh-utils 2.0.15-4
tar 1.13.25-3
tcltk 20030901-1
termcap 20021106-2
terminfo 5.3_20030726-1
tetex 2.0.2-13
tetex-base 2.0.2-13
tetex-bin 2.0.2-13
tetex-doc 2.0.2-13
tetex-extra 2.0.2-13
tetex-tiny 2.0.2-13
tetex-x11 2.0.2-13
texinfo 4.2-4
textutils 2.0.21-1
tiff 3.6.0-5
time 1.7-1
vim 6.2.098-1
w32api 2.4-1
which 1.5-2
XFree86-base 4.3.0-1
XFree86-bin 4.3.0-7
XFree86-doc 4.3.0-1
XFree86-etc 4.3.0-5
XFree86-fenc 4.2.0-3
XFree86-fnts 4.2.0-3
XFree86-html 4.3.0-1
XFree86-lib 4.3.0-1
XFree86-lib-compat 4.3.0-2
XFree86-man 4.3.0-2
XFree86-ps 4.3.0-1
XFree86-startup-scripts 4.2.0-5
XFree86-xserv 4.3.0-21
XFree86-xwinclip 4.3.0-2
zlib 1.1.4-4
8< ---------------------------------------------------- >8
- --
Alexander Mader <alexander.mader@niles.de> Fon: +49-30-93033-636
NILES Werkzeugmaschinen GmbH Fax: +49-30-93033-603
www.niles.de
GPG public key: http://mader.seppi.de/pubkey-dienst.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Cygwin)
iD8DBQE/p1qcUABVlkcx7ZMRAm6iAJ9LKKw2VNjJDS6TL29CE98HUIVs2QCgpJdf
tmA+OH5lRtLsredgtuZU/eY=
=VzVI
-----END PGP SIGNATURE-----
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-03 17:51 ` Philippe Torche
@ 2003-11-03 21:40 ` Corinna Vinschen
2003-11-04 13:03 ` Corinna Vinschen
0 siblings, 1 reply; 9+ messages in thread
From: Corinna Vinschen @ 2003-11-03 21:40 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 1325 bytes --]
On Mon, Nov 03, 2003 at 06:51:04PM +0100, Philippe Torche wrote:
> Hi,
>
> 1. Line 488 (you will hate me !?) : read _cygwin --->>> read -e _cygwin
Uh, yes, I missed that one.
> 2. If password complexity is enabled (yes per default) use a more complex
> password : length of 7 min (max 14 to avoid some warning about W2K), lower
> case and upper case letters.
I'm running a 2003 Server as standalone (non-domain) server. In that
setting, password complexity is disabled by default, so I missed that one,
too. Thanks for the heads up. I changed the password to SSHD_server,
which seem to be fine for the complexity rule.
However, I have still a problem. Does anybody know how I can set
"Password never expires" from the command line? I know how to do this
with dsadd, but that only works on domain machines so it's no generic
solution. If I can't do this in the script, everybody would have to
set this in the Computer Management Console by hand :-(
I've attached a new ssh-host-config with the above two changes plus:
- Also deny remote interactive (aka terminal server) logon for the
sshd_server account.
> Good work, Philippe.
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
[-- Attachment #2: ssh-host-config --]
[-- Type: text/plain, Size: 15043 bytes --]
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
port_number=22
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read -e answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --port )
port_number=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --port -p <n> sshd listens on port n."
echo
exit 1
;;
esac
done
# Check if running on NT
_sys="`uname`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
echo "There are still ssh processes running. Please shut them down first."
echo
exit 1
fi
# Check for ${SYSCONFDIR} directory
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
echo "${SYSCONFDIR} is existant but not a directory."
echo "Cannot create global configuration files."
echo
exit 1
fi
# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
mkdir "${SYSCONFDIR}"
if [ ! -e "${SYSCONFDIR}" ]
then
echo
echo "Creating ${SYSCONFDIR} directory failed"
echo
exit 1
fi
fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -f ${LOCALSTATEDIR}/log ]
then
echo "Creating ${LOCALSTATEDIR}/log failed!"
else
if [ ! -d ${LOCALSTATEDIR}/log ]
then
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
then
chmod 777 ${LOCALSTATEDIR}/log/lastlog
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 666 ${LOCALSTATEDIR}/log/lastlog
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
mkdir -p ${LOCALSTATEDIR}/empty
if [ $_nt -gt 0 ]
then
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
# First generate host keys if not already existing
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
# Check if ssh_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
rm -f "${SYSCONFDIR}/ssh_config"
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi
fi
fi
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "$port_number" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Check if sshd_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
then
rm -f "${SYSCONFDIR}/sshd_config"
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
fi
else
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "$privsep_configured" != "yes" ]
then
if [ $_nt -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
echo
if request "Should privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_passwd" != "yes" ]
then
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Should this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
echo " Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
else
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation $privsep_used/
s/^#Port 22/Port $port_number/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "$privsep_configured" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ $_nt -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
# On NT, 27 spaces, no space after the hash
_spaces=" #"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
# On 9x, 18 spaces (95 is very touchy), a space after the hash
_spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "WARNING: Adding ssh to ${_wservices} failed!"
fi
fi
umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
if [ -f "${_inetcnf}" ]
then
# Check if ssh service is already in use as sshd
with_comment=1
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
# Remove sshd line from inetd.conf
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
echo "Added ssh to ${_inetcnf}"
fi
fi
# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
# But only if it is not already installed
if ! cygrunsrv -Q sshd > /dev/null 2>&1
then
echo
echo
echo "Warning: The following function requires administrator privileges!"
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
if [ "$sshd_server_in_sam" != "yes" ]
then
echo
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
echo "later systems, it's not possible to use the LocalSystem account"
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
echo "If you want to enable that functionality, it's required to create a new"
echo "account 'sshd_server' with special privileges, which is then used to run"
echo "the sshd service under."
echo
echo "Should this script create a new local account 'sshd_server' which has"
if request "the required privileges?"
then
_admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
if [ -z "${_admingroup}" ]
then
echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
echo "and restart this script."
exit 1
fi
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd_server SSHD_server /add /fullname:"sshd server account" "/homedir:$dos_var_empty" > /dev/null 2>&1 && sshd_server_in_sam=yes
if [ "$sshd_server_in_sam" != "yes" ]
then
echo "Creating the user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
if [ "$sshd_server_in_admingroup" != "yes" ]
then
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
echo "Please add sshd_server to local group ${_admingroup} before"
echo "starting the sshd service!"
echo
fi
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
editrights -a SeCreateTokenPrivilege -u sshd_server &&
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
editrights -a SeServiceLogonRight -u sshd_server &&
sshd_server_got_all_rights="yes"
if [ "$sshd_server_got_all_rights" != "yes" ]
then
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
echo
echo "User 'sshd_server' has been created with password 'sshd_server'."
echo "If you change the password, please keep in mind to change the password"
echo "for the sshd service, too."
echo
echo "Also keep in mind that the user sshd_server needs read permissions on all"
echo "users' .ssh/authorized_keys file to allow public key authentication for"
echo "these users!."
echo
fi
fi
if [ "$sshd_server_in_passwd" != "yes" ]
then
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read -e _cygwin
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if [ $_nt2003 -gt 0 -a "$sshd_server_in_sam" = "yes" ]
then
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w sshd_server -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under sshd_server account."
fi
else
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under LocalSystem account."
fi
fi
fi
# Now check if sshd has been successfully installed. This allows to
# set the ownership of the affected files correctly.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
if [ $_nt2003 -gt 0 -a "$sshd_server_in_sam" = "yes" ]
then
_user="sshd_server"
else
_user="system"
fi
chown "${_user}" ${SYSCONFDIR}/ssh*
chown "${_user}".544 ${LOCALSTATEDIR}/empty
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
fi
fi
fi
fi
echo
echo "Host configuration finished. Have fun!"
[-- Attachment #3: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: Take 2: Testers for new ssh-*-config scripts wanted!
2003-11-03 16:22 Corinna Vinschen
@ 2003-11-03 17:51 ` Philippe Torche
2003-11-03 21:40 ` Corinna Vinschen
2003-11-04 7:52 ` Mader, Alexander
1 sibling, 1 reply; 9+ messages in thread
From: Philippe Torche @ 2003-11-03 17:51 UTC (permalink / raw)
To: cygwin
Hi,
1. Line 488 (you will hate me !?) : read _cygwin --->>> read -e _cygwin
2. If password complexity is enabled (yes per default) use a more complex
password : length of 7 min (max 14 to avoid some warning about W2K), lower
case and upper case letters.
Good work, Philippe.
> -----Message d'origine-----
> De : cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com]
> De la part de Corinna Vinschen
> Envoyé : lundi, 3. novembre 2003 17:22
> À : cygwin@cygwin.com
> Objet : Take 2: Testers for new ssh-*-config scripts wanted!
>
> Hi,
>
> I'd like to ask for more testing of the new ssh-host-config
> and ssh-user-config scripts.
>
> The new thing here is, that the ssh-host-config script now
> tries to figure out if the machine is a 2003 Server or newer
> system. If so, the script asks, if it should create a new
> account "sshd_server"
> to use as account to run sshd as service under. If you say
> "yes" at this point, a bunch of funny new activities is started:
>
> - The script creates a sshd_server account
>
> - It adds that account to the administrators group *iff* it's able
> to figure out the name of that group from the /etc/group file.
> This means, you must not change the name of the administrators
> group in /etc/group and the SID (S-1-5-32-544) must be available
> in that entry.
>
> - It uses the new editrights utility to add the necessary user rights
> to the new sshd_server account.
> These rights also explicitely deny logon locally and over network
> and allow logon only as service for security reasons.
>
> The ssh-user-config script has also been changed. It tries
> to figure out if the machine is a 2003 Server or newer and if
> so, it sets the permissions of the users ~/.ssh directory and
> the users ~/ssh/authorized_keys file so that the sshd_server
> account has read permissions on both. If it's an older
> system, it does the same for the SYSTEM account.
>
> Also on 2003, the sshd_server account is used for ownership
> of the important files (/etc/ssh*, /var/empty, /var/log/sshd.log).
>
> Further changes:
> - Require bash for both scripts.
> - Use `read -e' in both scripts to enable readline support.
>
> So, I'd like to ask especially users of a 2003 Server system
> to test that script. Users of other systems are of course
> also welcome since I want to be sure that I haven't broken
> these systems.
>
> Attached are both scripts plus the vanilla ssh_config and
> sshd_config file. The latter two have to be copied to
> /etc/defaults/etc. Please not that the "editrights" tool has
> to be installed on your system.
> You can find it in the Base category when updating with setup.exe.
>
> Thanks in advance,
> Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
> mailto:cygwin@cygwin.com
> Red Hat, Inc.
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
* Take 2: Testers for new ssh-*-config scripts wanted!
@ 2003-11-03 16:22 Corinna Vinschen
2003-11-03 17:51 ` Philippe Torche
2003-11-04 7:52 ` Mader, Alexander
0 siblings, 2 replies; 9+ messages in thread
From: Corinna Vinschen @ 2003-11-03 16:22 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 2230 bytes --]
Hi,
I'd like to ask for more testing of the new ssh-host-config and
ssh-user-config scripts.
The new thing here is, that the ssh-host-config script now tries to
figure out if the machine is a 2003 Server or newer system. If so,
the script asks, if it should create a new account "sshd_server"
to use as account to run sshd as service under. If you say "yes" at
this point, a bunch of funny new activities is started:
- The script creates a sshd_server account
- It adds that account to the administrators group *iff* it's able
to figure out the name of that group from the /etc/group file.
This means, you must not change the name of the administrators
group in /etc/group and the SID (S-1-5-32-544) must be available
in that entry.
- It uses the new editrights utility to add the necessary user rights
to the new sshd_server account.
These rights also explicitely deny logon locally and over network
and allow logon only as service for security reasons.
The ssh-user-config script has also been changed. It tries to
figure out if the machine is a 2003 Server or newer and if so, it
sets the permissions of the users ~/.ssh directory and the users
~/ssh/authorized_keys file so that the sshd_server account has read
permissions on both. If it's an older system, it does the same for
the SYSTEM account.
Also on 2003, the sshd_server account is used for ownership of the
important files (/etc/ssh*, /var/empty, /var/log/sshd.log).
Further changes:
- Require bash for both scripts.
- Use `read -e' in both scripts to enable readline support.
So, I'd like to ask especially users of a 2003 Server system to test
that script. Users of other systems are of course also welcome since
I want to be sure that I haven't broken these systems.
Attached are both scripts plus the vanilla ssh_config and sshd_config
file. The latter two have to be copied to /etc/defaults/etc. Please
not that the "editrights" tool has to be installed on your system.
You can find it in the Base category when updating with setup.exe.
Thanks in advance,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
[-- Attachment #2: ssh-host-config --]
[-- Type: text/plain, Size: 14992 bytes --]
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
port_number=22
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read -e answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --port )
port_number=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --port -p <n> sshd listens on port n."
echo
exit 1
;;
esac
done
# Check if running on NT
_sys="`uname`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
echo "There are still ssh processes running. Please shut them down first."
echo
exit 1
fi
# Check for ${SYSCONFDIR} directory
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
echo "${SYSCONFDIR} is existant but not a directory."
echo "Cannot create global configuration files."
echo
exit 1
fi
# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
mkdir "${SYSCONFDIR}"
if [ ! -e "${SYSCONFDIR}" ]
then
echo
echo "Creating ${SYSCONFDIR} directory failed"
echo
exit 1
fi
fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -f ${LOCALSTATEDIR}/log ]
then
echo "Creating ${LOCALSTATEDIR}/log failed!"
else
if [ ! -d ${LOCALSTATEDIR}/log ]
then
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
then
chmod 777 ${LOCALSTATEDIR}/log/lastlog
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 666 ${LOCALSTATEDIR}/log/lastlog
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
mkdir -p ${LOCALSTATEDIR}/empty
if [ $_nt -gt 0 ]
then
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
# First generate host keys if not already existing
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
# Check if ssh_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
rm -f "${SYSCONFDIR}/ssh_config"
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi
fi
fi
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "$port_number" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Check if sshd_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
then
rm -f "${SYSCONFDIR}/sshd_config"
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
fi
else
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "$privsep_configured" != "yes" ]
then
if [ $_nt -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
echo
if request "Should privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_passwd" != "yes" ]
then
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Should this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /expires:never /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
echo " Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
else
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation $privsep_used/
s/^#Port 22/Port $port_number/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "$privsep_configured" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ $_nt -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
# On NT, 27 spaces, no space after the hash
_spaces=" #"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
# On 9x, 18 spaces (95 is very touchy), a space after the hash
_spaces=" # "
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "WARNING: Adding ssh to ${_wservices} failed!"
fi
fi
umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
if [ -f "${_inetcnf}" ]
then
# Check if ssh service is already in use as sshd
with_comment=1
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
# Remove sshd line from inetd.conf
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
echo "Added ssh to ${_inetcnf}"
fi
fi
# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
# But only if it is not already installed
if ! cygrunsrv -Q sshd > /dev/null 2>&1
then
echo
echo
echo "Warning: The following function requires administrator privileges!"
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
if [ "$sshd_server_in_sam" != "yes" ]
then
echo
echo "You appear to be running Windows 2003 Server or later. On 2003 and"
echo "later systems, it's not possible to use the LocalSystem account"
echo "if sshd should allow passwordless logon (e. g. public key authentication)."
echo "If you want to enable that functionality, it's required to create a new"
echo "account 'sshd_server' with special privileges, which is then used to run"
echo "the sshd service under."
echo
echo "Should this script create a new local account 'sshd_server' which has"
if request "the required privileges?"
then
_admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group`
if [ -z "${_admingroup}" ]
then
echo "There's no group with SID S-1-5-32-544 (Local administrators group) in"
echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'"
echo "and restart this script."
exit 1
fi
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd_server sshd_server /add /fullname:"sshd server account" "/homedir:$dos_var_empty" /expires:never > /dev/null 2>&1 && sshd_server_in_sam=yes
if [ "$sshd_server_in_sam" != "yes" ]
then
echo "Creating the user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
if [ "$sshd_server_in_admingroup" != "yes" ]
then
echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
echo "Please add sshd_server to local group ${_admingroup} before"
echo "starting the sshd service!"
echo
fi
editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
editrights -a SeCreateTokenPrivilege -u sshd_server &&
editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
editrights -a SeDenyNetworkLogonRight -u sshd_server &&
editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
editrights -a SeServiceLogonRight -u sshd_server &&
sshd_server_got_all_rights="yes"
if [ "$sshd_server_got_all_rights" != "yes" ]
then
echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
echo "Can't create sshd service!"
exit 1
fi
echo
echo "User 'sshd_server' has been created with password 'sshd_server'."
echo "If you change the password, please keep in mind to change the password"
echo "for the sshd service, too."
echo
echo "Also keep in mind that the user sshd_server needs read permissions on all"
echo "users' .ssh/authorized_keys file to allow public key authentication for"
echo "these users!."
echo
fi
fi
if [ "$sshd_server_in_passwd" != "yes" ]
then
mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read _cygwin
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if [ $_nt2003 -gt 0 -a "$sshd_server_in_sam" = "yes" ]
then
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w sshd_server -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under sshd_server account."
fi
else
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under LocalSystem account."
fi
fi
fi
# Now check if sshd has been successfully installed. This allows to
# set the ownership of the affected files correctly.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
if [ $_nt2003 -gt 0 -a "$sshd_server_in_sam" = "yes" ]
then
_user="sshd_server"
else
_user="system"
fi
chown "${_user}" ${SYSCONFDIR}/ssh*
chown "${_user}".544 ${LOCALSTATEDIR}/empty
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
fi
fi
fi
fi
echo
echo "Host configuration finished. Have fun!"
[-- Attachment #3: ssh-user-config --]
[-- Type: text/plain, Size: 6266 bytes --]
#!/bin/sh
#
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Directory where the config files are stored
SYSCONFDIR=/etc
progname=$0
auto_answer=""
auto_passphrase="no"
passphrase=""
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
_nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --passphrase )
with_passphrase="yes"
passphrase=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo
exit 1
;;
esac
done
# Ask user if user identity should be generated
if [ ! -f ${SYSCONFDIR}/passwd ]
then
echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file"
echo 'first using mkpasswd. Check if it contains an entry for you and'
echo 'please care for the home directory in your entry as well.'
exit 1
fi
uid=`id -u`
pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd`
if [ "X${pwdhome}" = "X" ]
then
echo "There is no home directory set for you in ${SYSCONFDIR}/passwd."
echo 'Setting $HOME is not sufficient!'
exit 1
fi
if [ ! -d "${pwdhome}" ]
then
echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory"
echo 'but it is not a valid directory. Cannot create user identity files.'
exit 1
fi
# If home is the root dir, set home to empty string to avoid error messages
# in subsequent parts of that script.
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
if request "Would you like to proceed anyway?"
then
pwdhome=''
else
exit 1
fi
fi
if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
echo 'WARNING: group and other have been revoked write permission to your home'
echo " directory ${pwdhome}."
echo ' This is required by OpenSSH to allow public key authentication using'
echo ' the key files stored in your .ssh subdirectory.'
echo ' Revert this change ONLY if you know what you are doing!'
echo
fi
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
exit 1
fi
if [ ! -e "${pwdhome}/.ssh" ]
then
mkdir "${pwdhome}/.ssh"
if [ ! -e "${pwdhome}/.ssh" ]
then
echo "Creating users ${pwdhome}/.ssh directory failed"
exit 1
fi
fi
if [ $_nt -gt 0 ]
then
_user="system"
if [ $_nt2003 -gt 0 ]
then
grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server"
fi
if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"
then
echo "${pwdhome}/.ssh couldn't be given the correct permissions."
echo "Please try to solve this problem first."
exit 1
fi
fi
if [ ! -f "${pwdhome}/.ssh/identity" ]
then
if request "Shall I create an SSH1 RSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/identity"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
else
ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
then
if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
then
echo "Generating ${pwdhome}/.ssh/id_rsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
else
ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
then
if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
then
echo "Generating ${pwdhome}/.ssh/id_dsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
else
ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
then
echo
echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
echo "failed. Please care for the correct permissions. The minimum requirement"
echo "is, the owner and ${_user} both need read permissions."
echo
fi
fi
echo
echo "Configuration finished. Have fun!"
[-- Attachment #4: ssh_config --]
[-- Type: text/plain, Size: 1159 bytes --]
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
[-- Attachment #5: sshd_config --]
[-- Type: text/plain, Size: 2432 bytes --]
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
[-- Attachment #6: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2003-11-04 13:03 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <F67AB1DD14544242BE5BFE94F5939175575F59@E2KMEMMCS1.ftbco.ftn.com >
2003-11-03 22:05 ` Take 2: Testers for new ssh-*-config scripts wanted! DePriest, Jason R.
2003-11-04 2:37 ` Alan Dobkin
2003-11-04 8:33 ` Corinna Vinschen
2003-11-04 8:37 ` Corinna Vinschen
2003-11-03 16:22 Corinna Vinschen
2003-11-03 17:51 ` Philippe Torche
2003-11-03 21:40 ` Corinna Vinschen
2003-11-04 13:03 ` Corinna Vinschen
2003-11-04 7:52 ` Mader, Alexander
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).