From: Corinna Vinschen
To: cygwin@cygwin.com
Subject: Re: [ANNOUNCEMENT] TEST RELEASE: Cygwin 1.7.33-0.4
Date: Thu, 30 Oct 2014 14:06:00 -0000
Message-ID: <20141030140653.GA16225@calimero.vinschen.de>
References: <20141029200355.GG20607@calimero.vinschen.de>

On Oct 30 13:02, Habermann, Dave (DA) wrote:
> On Oct 29 19:27, Habermann, Dave (DA) wrote:
> >> issue to a line in the /bin/ssh-user-config file:
> >>
> >> pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
> >>
> > Ouch.  I missed that when scanning the ssh scripts.
> >
> > Sorry, but I'm pretty sure this isn't the only place in the distro
> > still checking the passwd and group files :(
>
> No worries... I've got my keys rebuilt and working.  My Dad always told
> me that "beggars can't be choosers", and I'm clearly the "beggar"
> here.  I use your stuff routinely every day and am so grateful for the
> power it brings into my forced-to-be-on-windows environment.
> Hopefully I can be of more service some day.

Hey, you *are* helpful.  By testing the test release, by reporting
problems and bugs, by helping with the documentation and, last but not
least, by being a part of the community on this list, discussing stuff
and helping others.

But no good deed goes unpunished, so...

... would you mind testing a new incarnation of ssh-user-config which
I plan to use in a bugfix release of OpenSSH 6.7p1 and to push upstream.
:}

The script is attached to this mail.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: ssh-user-config

#!/bin/bash
#
# ssh-user-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# ======================================================================
# Initialization
# ======================================================================
PROGNAME=$(basename -- "$0")
_tdir=$(dirname -- "$0")
PROGDIR=$(cd "$_tdir" && pwd)

CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

source ${CSIH_SCRIPT}

auto_passphrase="no"
passphrase=""
pwdhome=
with_passphrase=

# ======================================================================
# Routine: create_identity
#   optionally create identity of type argument in ~/.ssh
#   optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_identity() {
  local file="$1"
  local type="$2"
  local name="$3"

  if [ ! -f "${pwdhome}/.ssh/${file}" ]
  then
    if csih_request "Shall I create a ${name} identity file for you?"
    then
      csih_inform "Generating ${pwdhome}/.ssh/${file}"
      if [ "${with_passphrase}" = "yes" ]
      then
        ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
      else
        ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
      fi
      if csih_request "Do you want to use this identity to login to this machine?"
      then
        csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
        cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
      fi
    fi
  fi
} # === End of create_identity() === #
readonly -f create_identity

# ======================================================================
# Routine: check_user_homedir
#   Perform various checks on the user's home directory
# SETS GLOBAL VARIABLE:
#   pwdhome
# ======================================================================
check_user_homedir() {
  # Resolve the home directory through the account database (getent),
  # not by parsing ${SYSCONFDIR}/passwd, which may no longer exist.
  pwdhome=$(getent passwd "$UID" | awk -F: '{ print $6; }')
  if [ "X${pwdhome}" = "X" ]
  then
    csih_error_multi \
      "There is no home directory set for you in the account database." \
      'Setting $HOME is not sufficient!'
  fi

  if [ ! -d "${pwdhome}" ]
  then
    csih_error_multi \
      "${pwdhome} is set in the account database as your home directory" \
      'but it is not a valid directory. Cannot create user identity files.'
  fi

  # If home is the root dir, set home to empty string to avoid error messages
  # in subsequent parts of that script.
  if [ "X${pwdhome}" = "X/" ]
  then
    # But first raise a warning!
    csih_warning "Your home directory in the account database is set to root (/). This is not recommended!"
    if csih_request "Would you like to proceed anyway?"
    then
      pwdhome=''
    else
      csih_warning "Exiting. Configuration is not complete"
      exit 1
    fi
  fi

  # chmod -c prints a line only if it actually changed something, so the
  # warning below is raised only when write permission had to be revoked.
  if [ -d "${pwdhome}" -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
  then
    echo
    csih_warning 'group and other have been revoked write permission to your home'
    csih_warning "directory ${pwdhome}."
    csih_warning 'This is required by OpenSSH to allow public key authentication using'
    csih_warning 'the key files stored in your .ssh subdirectory.'
    csih_warning 'Revert this change ONLY if you know what you are doing!'
    echo
  fi
} # === End of check_user_homedir() === #
readonly -f check_user_homedir

# ======================================================================
# Routine: check_user_dot_ssh_dir
#   Perform various checks on the ~/.ssh directory
# PREREQUISITE:
#   pwdhome -- check_user_homedir()
# ======================================================================
check_user_dot_ssh_dir() {
  if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
  then
    csih_error "${pwdhome}/.ssh exists but is not a directory. Cannot create user identity files."
  fi

  if [ ! -e "${pwdhome}/.ssh" ]
  then
    mkdir "${pwdhome}/.ssh"
    if [ ! -e "${pwdhome}/.ssh" ]
    then
      csih_error "Creating user's ${pwdhome}/.ssh directory failed"
    fi
  fi
} # === End of check_user_dot_ssh_dir() === #
readonly -f check_user_dot_ssh_dir

# ======================================================================
# Routine: fix_authorized_keys_perms
#   Corrects the permissions of ~/.ssh/authorized_keys
# PREREQUISITE:
#   pwdhome -- check_user_homedir()
# ======================================================================
fix_authorized_keys_perms() {
  if [ -e "${pwdhome}/.ssh/authorized_keys" ]
  then
    # Drop any extended ACL first (ignore failure), then restrict the
    # POSIX mode bits; sshd rejects the file if group/other can write it.
    setfacl -b "${pwdhome}/.ssh/authorized_keys" 2>/dev/null || echo -n
    if ! chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys"
    then
      csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
      csih_warning "failed.  Please care for the correct permissions.  The minimum requirement"
      csih_warning "is, the owner needs read permissions."
      echo
    fi
  fi
} # === End of fix_authorized_keys_perms() === #
readonly -f fix_authorized_keys_perms

# ======================================================================
# Main Entry Point
# ======================================================================

# Check how the script has been started.  If
#   (1) it has been started by giving the full path and
#       that path is /etc/postinstall, OR
#   (2) Otherwise, if the environment variable
#       SSH_USER_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" = "/etc/postinstall" ]
then
  csih_auto_answer="no"
  csih_disable_color
fi
if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
fi

# ======================================================================
# Parse options
# ======================================================================
while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    ;;

  -p | --passphrase )
    with_passphrase="yes"
    passphrase=$1
    shift
    ;;

  *)
    echo "usage: ${PROGNAME} [OPTION]..."
    echo
    echo "This script creates an OpenSSH user configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --passphrase -p word   Use \"word\" as passphrase automatically."
    echo
    exit 1
    ;;

  esac
done

# ======================================================================
# Action!
# ======================================================================
check_user_homedir
check_user_dot_ssh_dir
create_identity id_rsa rsa "SSH2 RSA"
create_identity id_dsa dsa "SSH2 DSA"
create_identity id_ecdsa ecdsa "SSH2 ECDSA"
create_identity identity rsa1 "(deprecated) SSH1 RSA"
fix_authorized_keys_perms

echo
csih_inform "Configuration finished. Have fun!"
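The attached script does two security-relevant things that are easy to get wrong when debugging "public key login silently fails" reports: it resolves the home directory through the account database with getent rather than by parsing /etc/passwd (the bug Dave hit), and it revokes group/other write permission on the home directory and authorized_keys because sshd's StrictModes refuses keys in writable locations. The following is an added example, not part of ssh-user-config or the Cygwin OpenSSH package: a read-only checker in POSIX sh that reports the same conditions without changing anything, which is what you want during an incident triage or a compliance sweep. The sample home layouts it builds under mktemp are constructed for the demo; the getent lookup assumes the tool is present (Cygwin and glibc systems ship it).

```shell
#!/bin/sh
# Added example (not Corinna's ssh-user-config): report, without modifying,
# the conditions that prevent OpenSSH public-key authentication.
# sshd with StrictModes (the default) rejects authorized_keys when the home
# directory, ~/.ssh, or the file itself is writable by group or other.

# resolve_home: the current account's home from the account database via
# getent, the same source ssh-user-config uses instead of parsing /etc/passwd.
resolve_home() {
    getent passwd "$(id -u)" | cut -d: -f6
}

# writable_by_others PATH: return 0 when group or other has write permission,
# read from the ls -ld mode string so it works on GNU, BSD and Cygwin alike.
# Position 6 is group write, position 9 is other write; cut drops any
# trailing ACL marker such as "+".
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *)                     return 1 ;;
    esac
}

# check_ssh_layout HOME: print one finding per line and return the number of
# findings; 0 means sshd's StrictModes checks would pass for this layout.
check_ssh_layout() {
    home=$1
    findings=0
    if [ ! -d "$home" ]; then
        echo "home directory $home does not exist"
        return 1
    fi
    if writable_by_others "$home"; then
        echo "$home is writable by group or other"
        findings=$((findings + 1))
    fi
    if [ -e "$home/.ssh" ]; then
        if [ ! -d "$home/.ssh" ]; then
            echo "$home/.ssh exists but is not a directory"
            findings=$((findings + 1))
        elif writable_by_others "$home/.ssh"; then
            echo "$home/.ssh is writable by group or other"
            findings=$((findings + 1))
        fi
        ak=$home/.ssh/authorized_keys
        if [ -f "$ak" ]; then
            if writable_by_others "$ak"; then
                echo "$ak is writable by group or other"
                findings=$((findings + 1))
            fi
            if [ ! -r "$ak" ]; then
                echo "$ak is not readable by its owner"
                findings=$((findings + 1))
            fi
        fi
    fi
    return $findings
}

# make_sample_home KIND: build a constructed sample layout under mktemp -d.
# "good" is 0700 home and .ssh with a 0600 authorized_keys; "bad" leaves all
# three group-writable, the state ssh-user-config's chmod calls repair.
# Prints the directory path.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/.ssh"
    : > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    if [ "$1" = bad ]; then
        chmod 775 "$d"
        chmod g+w "$d/.ssh"
        chmod 664 "$d/.ssh/authorized_keys"
    else
        chmod 700 "$d"
    fi
    echo "$d"
}

# Demo on the constructed layouts; pass --real to check your own account.
if [ "${1:-}" = --real ]; then
    h=$(resolve_home)
    [ -n "$h" ] || h=$HOME
    check_ssh_layout "$h" && echo "ok: $h passes the StrictModes checks"
else
    for kind in good bad; do
        d=$(make_sample_home "$kind")
        check_ssh_layout "$d"
        echo "$kind layout: $? finding(s)"
        rm -rf "$d"
    done
fi
```

Run it with no arguments to see the constructed good and bad layouts scored, or with --real to audit the account you are logged in as; a non-zero return from check_ssh_layout lists exactly what ssh-user-config would have changed, so you can decide whether to run the script or fix the permissions by hand.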