* RE: Testers for new ssh-*-config scripts wanted!
@ 2003-10-30 22:58 Harig, Mark
2003-10-31 1:34 ` Brian Ford
0 siblings, 1 reply; 11+ messages in thread
From: Harig, Mark @ 2003-10-30 22:58 UTC (permalink / raw)
To: cygwin
I have OpenSSH 3.7.1p2-1 installed, but I
do not have the 'ssh_config' or 'sshd_config'
template files that the 'ssh-host-config' script
expects. Am I missing a step here that I should
have taken to generate these files?
I ran 'cygcheck -f /etc/defaults/etc/ssh_config'
and searched the Cygwin Package List at
http://cygwin.com/packages, but both searches
did not find any packages that should contain these
template files.
> -----Original Message-----
> From: Corinna Vinschen [mailto:corinna-cygwin@cygwin.com]
> Sent: Thursday, October 30, 2003 12:11 PM
> To: cygwin@cygwin.com
> Subject: Testers for new ssh-*-config scripts wanted!
>
>
> Hi,
>
> is anybody here willing to give my new ssh-host-config and
> ssh-user-config
> shell scripts a thorough test? I tested them by myself but I
> have this
> nagging feeling I missed something important.
>
> The important changes:
>
> - On NT, try to set permissions on files and directories to a
> useful value.
> - On NT, try to set ownership on files and directories to a
> useful value.
>
> Only in ssh-host-config:
>
> - Write the /etc/services entries for ssh now with CRLF lineendings.
> - Remove the code to accomplish old style installations, with "old
> being older than roughly 3 years.
> - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
> in the ssh-host-config script anymore, but they are copied and
> modified from ssh_config and sshd_config files in /etc/defaults/etc.
> This allows to accomodate changes in the vanilla scripts without
> having to change the shh-host-config script.
> - On NT, always set ownership of various files to SYSTEM, if sshd
> has been installed as service.
>
> Both scripts are attached. When testing the new "copy config files
> from /etc/defaults/etc" functionality, please think of copying the
> ssh_config and sshd_config files (if possible the vanilla versions)
> to /etc/defaults/etc first.
>
> Feedback and patches welcome and thanks in advance,
> Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
> mailto:cygwin@cygwin.com
> Red Hat, Inc.
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
2003-10-30 22:58 Testers for new ssh-*-config scripts wanted! Harig, Mark
@ 2003-10-31 1:34 ` Brian Ford
0 siblings, 0 replies; 11+ messages in thread
From: Brian Ford @ 2003-10-31 1:34 UTC (permalink / raw)
To: cygwin
On Thu, 30 Oct 2003, Harig, Mark wrote:
> I have OpenSSH 3.7.1p2-1 installed, but I
> do not have the 'ssh_config' or 'sshd_config'
> template files that the 'ssh-host-config' script
> expects. Am I missing a step here that I should
> have taken to generate these files?
>
Yes, see:
> Corinna Vinschen wrote:
> > Both scripts are attached. When testing the new "copy config files
> > from /etc/defaults/etc" functionality, please think of copying the
> > ssh_config and sshd_config files (if possible the vanilla versions)
> > to /etc/defaults/etc first.
> >
She meant the ones you would have in /etc if you had previously
run the old ssh-host-config script. If you had not, they can be found
embeded in the old ssh-host-config script as mentioned here:
> > - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
> > in the ssh-host-config script anymore, but they are copied and
> > modified from ssh_config and sshd_config files in /etc/defaults/etc.
> > This allows to accomodate changes in the vanilla scripts without
> > having to change the shh-host-config script.
> >
--
Brian Ford
Senior Realtime Software Engineer
VITAL - Visual Simulation Systems
FlightSafety International
Phone: 314-551-8460
Fax: 314-551-8444
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Testers for new ssh-*-config scripts wanted!
2003-11-03 8:38 ` Philippe Torche
@ 2003-11-03 8:51 ` Corinna Vinschen
0 siblings, 0 replies; 11+ messages in thread
From: Corinna Vinschen @ 2003-11-03 8:51 UTC (permalink / raw)
To: cygwin
On Mon, Nov 03, 2003 at 09:38:16AM +0100, Philippe Torche wrote:
> Sorry but,
>
> The doc of bash explains this behavior (help read). You can experiment the
> same think on Redhat per exemple. And don't forget to use "echo $_cygwin |
> od -t x1" to show what is stored in the variable.
I did, of course. Backspace works w/o -e, too.
I'll use -e nevertheless to allow complete readline support.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
2003-10-31 18:09 ` Corinna Vinschen
@ 2003-11-03 8:38 ` Philippe Torche
2003-11-03 8:51 ` Corinna Vinschen
0 siblings, 1 reply; 11+ messages in thread
From: Philippe Torche @ 2003-11-03 8:38 UTC (permalink / raw)
To: cygwin
Sorry but,
The doc of bash explains this behavior (help read). You can experiment the
same think on Redhat per exemple. And don't forget to use "echo $_cygwin |
od -t x1" to show what is stored in the variable.
Have a nice cygweek, Philippe.
> -----Message d'origine-----
> De : cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com]
> De la part de Corinna Vinschen
> Envoyé : vendredi, 31. octobre 2003 18:24
> À : cygwin@cygwin.com
> Objet : Re: Testers for new ssh-*-config scripts wanted!
>
> On Fri, Oct 31, 2003 at 05:07:18PM +0100, Philippe Torche wrote:
> > Nope,
> >
> > read from bash don't reconize control caracters without -e
> parameter:
> > $ read _cygwin
> > Ntser[Backspace]c
> > $ echo $_cygwin | od -t x1
> > 0000000 6e 74 73 65 72 08 63 0a
> > 0000010
> >
> > BUT OK with "-e"
> >
> > $ read -e _cygwin
> > Ntser[Backspace]c
> > $ echo $_cygwin | od -t x1
> > 0000000 6e 74 73 65 63 0a
> > 0000006
>
> Erm... when I use bash, read always recognizes the backspace
> correctly.
> *dig dig dig*
> Even better, when using /bin/sh (ash), I don't have your
> above problem either. I can change the string and no control
> code shows up in the variable's value. What's different on
> your machine?
Nothing !
>
> Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
> mailto:cygwin@cygwin.com
> Red Hat, Inc.
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
>
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Testers for new ssh-*-config scripts wanted!
2003-10-31 16:19 ` Philippe Torche
@ 2003-10-31 18:09 ` Corinna Vinschen
2003-11-03 8:38 ` Philippe Torche
0 siblings, 1 reply; 11+ messages in thread
From: Corinna Vinschen @ 2003-10-31 18:09 UTC (permalink / raw)
To: cygwin
On Fri, Oct 31, 2003 at 05:07:18PM +0100, Philippe Torche wrote:
> Nope,
>
> read from bash don't reconize control caracters without -e parameter:
> $ read _cygwin
> Ntser[Backspace]c
> $ echo $_cygwin | od -t x1
> 0000000 6e 74 73 65 72 08 63 0a
> 0000010
>
> BUT OK with "-e"
>
> $ read -e _cygwin
> Ntser[Backspace]c
> $ echo $_cygwin | od -t x1
> 0000000 6e 74 73 65 63 0a
> 0000006
Erm... when I use bash, read always recognizes the backspace correctly.
*dig dig dig*
Even better, when using /bin/sh (ash), I don't have your above problem
either. I can change the string and no control code shows up in the
variable's value. What's different on your machine?
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
2003-10-31 11:20 ` Corinna Vinschen
@ 2003-10-31 16:19 ` Philippe Torche
2003-10-31 18:09 ` Corinna Vinschen
0 siblings, 1 reply; 11+ messages in thread
From: Philippe Torche @ 2003-10-31 16:19 UTC (permalink / raw)
To: cygwin
Nope,
read from bash don't reconize control caracters without -e parameter:
$ read _cygwin
Ntser[Backspace]c
$ echo $_cygwin | od -t x1
0000000 6e 74 73 65 72 08 63 0a
0000010
BUT OK with "-e"
$ read -e _cygwin
Ntser[Backspace]c
$ echo $_cygwin | od -t x1
0000000 6e 74 73 65 63 0a
0000006
Thanks, Philippe.
> -----Message d'origine-----
> De : cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com]
> De la part de Corinna Vinschen
> Envoyé : vendredi, 31. octobre 2003 12:08
> À : cygwin@cygwin.com
> Objet : RE: Testers for new ssh-*-config scripts wanted!
>
> On Fri, Oct 31, 2003 at 09:55:04AM +0100, Philippe Torche wrote:
> > Script ssh-host-config works for me, but when I've entered
> the CYGWIN
> > env var, I've do a error and type "ntser", then backspace
> and then the
> > correct "c" caracters.
> > Thus CYGWIN key in the registry has now "ntser\x08c"
> instead of "ntsec"!
> > This is caused by the read command!
>
> Yeah, but that's not a fault of the script but of the shell.
> Nothing I can do about in the script. Except if I require
> the script to run under bash instead of sh, to allow readline support.
>
> Would that be acceptable? I have attached a new version of
> ssh-host-config to this mail, which requires bash now. If
> that's not ok, it's easy to revert again.
>
> I've also attached the two vanilla files ssh_config and
> sshd_config to put into /etc/defaults/etc. This should
> simplify testing.
>
> Changed in this version of ssh-host-config:
>
> - Require bash.
> - Remove annoying backslashes when echoing a bang (!).
> - Allow /var/log/lastlog to be a directory (But that can again create
> problems with permissions, Pierre!)
>
> Please don't forget to test ssh-user-config, too. Thanks.
>
> > PS Wait for a "Windows 2003 Server" version
>
> You know, PGA and PTC. See wtf ;-)
>
> Thanks to all testers,
> Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
> mailto:cygwin@cygwin.com
> Red Hat, Inc.
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
2003-10-31 9:31 ` Philippe Torche
@ 2003-10-31 11:20 ` Corinna Vinschen
2003-10-31 16:19 ` Philippe Torche
0 siblings, 1 reply; 11+ messages in thread
From: Corinna Vinschen @ 2003-10-31 11:20 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 1399 bytes --]
On Fri, Oct 31, 2003 at 09:55:04AM +0100, Philippe Torche wrote:
> Script ssh-host-config works for me, but when I've entered the CYGWIN env
> var, I've do a error and type "ntser", then backspace and then the correct
> "c" caracters.
> Thus CYGWIN key in the registry has now "ntser\x08c" instead of "ntsec"!
> This is caused by the read command!
Yeah, but that's not a fault of the script but of the shell. Nothing
I can do about in the script. Except if I require the script to run
under bash instead of sh, to allow readline support.
Would that be acceptable? I have attached a new version of ssh-host-config
to this mail, which requires bash now. If that's not ok, it's easy to
revert again.
I've also attached the two vanilla files ssh_config and sshd_config to
put into /etc/defaults/etc. This should simplify testing.
Changed in this version of ssh-host-config:
- Require bash.
- Remove annoying backslashes when echoing a bang (!).
- Allow /var/log/lastlog to be a directory (But that can again create
problems with permissions, Pierre!)
Please don't forget to test ssh-user-config, too. Thanks.
> PS Wait for a "Windows 2003 Server" version
You know, PGA and PTC. See wtf ;-)
Thanks to all testers,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
[-- Attachment #2: ssh-host-config --]
[-- Type: text/plain, Size: 11361 bytes --]
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
port_number=22
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --port )
port_number=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --port -p <n> sshd listens on port n."
echo
exit 1
;;
esac
done
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
echo "There are still ssh processes running. Please shut them down first."
echo
exit 1
fi
# Check for ${SYSCONFDIR} directory
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
echo "${SYSCONFDIR} is existant but not a directory."
echo "Cannot create global configuration files."
echo
exit 1
fi
# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
mkdir "${SYSCONFDIR}"
if [ ! -e "${SYSCONFDIR}" ]
then
echo
echo "Creating ${SYSCONFDIR} directory failed"
echo
exit 1
fi
fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -f ${LOCALSTATEDIR}/log ]
then
echo "Creating ${LOCALSTATEDIR}/log failed!"
else
if [ ! -d ${LOCALSTATEDIR}/log ]
then
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
then
chmod 777 ${LOCALSTATEDIR}/log/lastlog
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 666 ${LOCALSTATEDIR}/log/lastlog
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
mkdir -p ${LOCALSTATEDIR}/empty
if [ $_nt -gt 0 ]
then
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
# First generate host keys if not already existing
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
# Check if ssh_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
rm -f "${SYSCONFDIR}/ssh_config"
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi
fi
fi
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "$port_number" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Check if sshd_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
then
rm -f "${SYSCONFDIR}/sshd_config"
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
fi
else
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "$privsep_configured" != "yes" ]
then
if [ $_nt -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
echo
if request "Shall privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_passwd" != "yes" ]
then
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Shall this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
echo " Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
else
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation $privsep_used/
s/^#Port 22/Port $port_number/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "$privsep_configured" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ $_nt -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed!"
fi
rm -f "${_serv_tmp}"
else
echo "Adding ssh to ${_wservices} failed!"
fi
fi
umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
if [ -f "${_inetcnf}" ]
then
# Check if ssh service is already in use as sshd
with_comment=1
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
# Remove sshd line from inetd.conf
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
echo "Added ssh to ${_inetcnf}"
fi
fi
# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read _cygwin
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under LocalSystem account."
fi
fi
# Now check if sshd has been installed as service. This allows to
# set the ownership of the affected files correctly.
#
# NOTE: This doesn't work flawlessly so far on Windows 2003 Server.
# The SYSTEM account on 2003 has not the appropriate privileges to allow
# passwordless logon (pubkey authentication). This requires to run the
# service under a special account, which has administrator privileges
# plus (at least, AFAIK) the SeCreateTokenPrivilege.
# The next step will be, to extend this script to create an approriate
# account for that, using the new editrights tool.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
chown system ${SYSCONFDIR}/ssh*
chown system.system ${LOCALSTATEDIR}/empty
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown system.system ${LOCALSTATEDIR}/log/sshd.log
fi
fi
fi
echo
echo "Host configuration finished. Have fun!"
[-- Attachment #3: ssh_config --]
[-- Type: text/plain, Size: 1159 bytes --]
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
[-- Attachment #4: sshd_config --]
[-- Type: text/plain, Size: 2432 bytes --]
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
[-- Attachment #5: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
2003-10-30 18:07 Corinna Vinschen
@ 2003-10-31 9:31 ` Philippe Torche
2003-10-31 11:20 ` Corinna Vinschen
0 siblings, 1 reply; 11+ messages in thread
From: Philippe Torche @ 2003-10-31 9:31 UTC (permalink / raw)
To: cygwin
Script ssh-host-config works for me, but when I've entered the CYGWIN env
var, I've do a error and type "ntser", then backspace and then the correct
"c" caracters.
Thus CYGWIN key in the registry has now "ntser\x08c" instead of "ntsec"!
This is caused by the read command!
Thanks.
PS Wait for a "Windows 2003 Server" version
> -----Message d'origine-----
> De : cygwin-owner@cygwin.com [mailto:cygwin-owner@cygwin.com]
> De la part de Corinna Vinschen
> Envoyé : jeudi, 30. octobre 2003 18:11
> À : cygwin@cygwin.com
> Objet : Testers for new ssh-*-config scripts wanted!
>
> Hi,
>
> is anybody here willing to give my new ssh-host-config and
> ssh-user-config shell scripts a thorough test? I tested them
> by myself but I have this nagging feeling I missed something
> important.
>
> The important changes:
>
> - On NT, try to set permissions on files and directories to a
> useful value.
> - On NT, try to set ownership on files and directories to a
> useful value.
>
> Only in ssh-host-config:
>
> - Write the /etc/services entries for ssh now with CRLF lineendings.
> - Remove the code to accomplish old style installations, with "old
> being older than roughly 3 years.
> - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
> in the ssh-host-config script anymore, but they are copied and
> modified from ssh_config and sshd_config files in /etc/defaults/etc.
> This allows to accomodate changes in the vanilla scripts without
> having to change the shh-host-config script.
> - On NT, always set ownership of various files to SYSTEM, if sshd
> has been installed as service.
>
> Both scripts are attached. When testing the new "copy config
> files from /etc/defaults/etc" functionality, please think of
> copying the ssh_config and sshd_config files (if possible the
> vanilla versions) to /etc/defaults/etc first.
>
> Feedback and patches welcome and thanks in advance, Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
> mailto:cygwin@cygwin.com
> Red Hat, Inc.
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
@ 2003-10-31 1:50 Harig, Mark
0 siblings, 0 replies; 11+ messages in thread
From: Harig, Mark @ 2003-10-31 1:50 UTC (permalink / raw)
To: Brian Ford, cygwin
OK. Thanks! I will extract the contents
of the here documents and put them in
/etc/defaults/etc/sshd_config and
/etc/defaults/etc/ssh_config. I don't
trust my files in /etc/ to be vanilla
at this point.
> -----Original Message-----
> From: Brian Ford [mailto:ford@vss.fsi.com]
> Sent: Thursday, October 30, 2003 5:35 PM
> To: cygwin@cygwin.com
> Subject: RE: Testers for new ssh-*-config scripts wanted!
>
>
> On Thu, 30 Oct 2003, Harig, Mark wrote:
>
> > I have OpenSSH 3.7.1p2-1 installed, but I
> > do not have the 'ssh_config' or 'sshd_config'
> > template files that the 'ssh-host-config' script
> > expects. Am I missing a step here that I should
> > have taken to generate these files?
> >
> Yes, see:
>
> > Corinna Vinschen wrote:
> > > Both scripts are attached. When testing the new "copy
> config files
> > > from /etc/defaults/etc" functionality, please think of copying the
> > > ssh_config and sshd_config files (if possible the vanilla
> versions)
> > > to /etc/defaults/etc first.
> > >
> She meant the ones you would have in /etc if you had previously
> run the old ssh-host-config script. If you had not, they can be found
> embeded in the old ssh-host-config script as mentioned here:
>
> > > - /etc/ssh_config and /etc/sshd_config are not hardcoded
> here-scripts
> > > in the ssh-host-config script anymore, but they are copied and
> > > modified from ssh_config and sshd_config files in
> /etc/defaults/etc.
> > > This allows to accomodate changes in the vanilla scripts without
> > > having to change the shh-host-config script.
> > >
>
> --
> Brian Ford
> Senior Realtime Software Engineer
> VITAL - Visual Simulation Systems
> FlightSafety International
> Phone: 314-551-8460
> Fax: 314-551-8444
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
>
>
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Testers for new ssh-*-config scripts wanted!
@ 2003-10-30 18:47 Harig, Mark
0 siblings, 0 replies; 11+ messages in thread
From: Harig, Mark @ 2003-10-30 18:47 UTC (permalink / raw)
To: cygwin
I will read these two scripts "soon".
This won't be a thorough test, but it
will be another set of eyes reading the
code.
Of course, a much better candidate for
reading (and testing the scripts would
be someone who is knowledgeable about
OpenSSH. I'm simply a user of it.
> -----Original Message-----
> From: Corinna Vinschen [mailto:corinna-cygwin@cygwin.com]
> Sent: Thursday, October 30, 2003 12:11 PM
> To: cygwin@cygwin.com
> Subject: Testers for new ssh-*-config scripts wanted!
>
>
> Hi,
>
> is anybody here willing to give my new ssh-host-config and
> ssh-user-config
> shell scripts a thorough test? I tested them by myself but I
> have this
> nagging feeling I missed something important.
>
> The important changes:
>
> - On NT, try to set permissions on files and directories to a
> useful value.
> - On NT, try to set ownership on files and directories to a
> useful value.
>
> Only in ssh-host-config:
>
> - Write the /etc/services entries for ssh now with CRLF lineendings.
> - Remove the code to accomplish old style installations, with "old
> being older than roughly 3 years.
> - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
> in the ssh-host-config script anymore, but they are copied and
> modified from ssh_config and sshd_config files in /etc/defaults/etc.
> This allows to accomodate changes in the vanilla scripts without
> having to change the shh-host-config script.
> - On NT, always set ownership of various files to SYSTEM, if sshd
> has been installed as service.
>
> Both scripts are attached. When testing the new "copy config files
> from /etc/defaults/etc" functionality, please think of copying the
> ssh_config and sshd_config files (if possible the vanilla versions)
> to /etc/defaults/etc first.
>
> Feedback and patches welcome and thanks in advance,
> Corinna
>
> --
> Corinna Vinschen Please, send mails
> regarding Cygwin to
> Cygwin Developer
mailto:cygwin@cygwin.com
Red Hat, Inc.
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
* Testers for new ssh-*-config scripts wanted!
@ 2003-10-30 18:07 Corinna Vinschen
2003-10-31 9:31 ` Philippe Torche
0 siblings, 1 reply; 11+ messages in thread
From: Corinna Vinschen @ 2003-10-30 18:07 UTC (permalink / raw)
To: cygwin
[-- Attachment #1: Type: text/plain, Size: 1449 bytes --]
Hi,
is anybody here willing to give my new ssh-host-config and ssh-user-config
shell scripts a thorough test? I tested them by myself but I have this
nagging feeling I missed something important.
The important changes:
- On NT, try to set permissions on files and directories to a useful value.
- On NT, try to set ownership on files and directories to a useful value.
Only in ssh-host-config:
- Write the /etc/services entries for ssh now with CRLF lineendings.
- Remove the code to accomplish old style installations, with "old
being older than roughly 3 years.
- /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
in the ssh-host-config script anymore, but they are copied and
modified from ssh_config and sshd_config files in /etc/defaults/etc.
This allows to accomodate changes in the vanilla scripts without
having to change the shh-host-config script.
- On NT, always set ownership of various files to SYSTEM, if sshd
has been installed as service.
Both scripts are attached. When testing the new "copy config files
from /etc/defaults/etc" functionality, please think of copying the
ssh_config and sshd_config files (if possible the vanilla versions)
to /etc/defaults/etc first.
Feedback and patches welcome and thanks in advance,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin@cygwin.com
Red Hat, Inc.
[-- Attachment #2: ssh-host-config --]
[-- Type: text/plain, Size: 11382 bytes --]
#!/bin/sh
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
# Subdirectory where the new package is being installed
PREFIX=/usr
# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
progname=$0
auto_answer=""
port_number=22
privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --port )
port_number=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --port -p <n> sshd listens on port n."
echo
exit 1
;;
esac
done
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if ps -ef | grep -v grep | grep -q ssh
then
echo
echo "There are still ssh processes running. Please shut them down first."
echo
exit 1
fi
# Check for ${SYSCONFDIR} directory
if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
echo
echo "${SYSCONFDIR} is existant but not a directory."
echo "Cannot create global configuration files."
echo
exit 1
fi
# Create it if necessary
if [ ! -e "${SYSCONFDIR}" ]
then
mkdir "${SYSCONFDIR}"
if [ ! -e "${SYSCONFDIR}" ]
then
echo
echo "Creating ${SYSCONFDIR} directory failed"
echo
exit 1
fi
fi
# Create /var/log and /var/log/lastlog if not already existing
if [ -f ${LOCALSTATEDIR}/log ]
then
echo "Creating ${LOCALSTATEDIR}/log failed\!"
else
if [ ! -d ${LOCALSTATEDIR}/log ]
then
mkdir -p ${LOCALSTATEDIR}/log
fi
if [ -d ${LOCALSTATEDIR}/log/lastlog ]
then
echo "Creating ${LOCALSTATEDIR}/log/lastlog failed\!"
elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
chmod 666 ${LOCALSTATEDIR}/log/lastlog
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
echo "Creating ${LOCALSTATEDIR}/empty failed\!"
else
mkdir -p ${LOCALSTATEDIR}/empty
if [ $_nt -gt 0 ]
then
chmod 755 ${LOCALSTATEDIR}/empty
fi
fi
# First generate host keys if not already existing
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_key"
ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi
# Check if ssh_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?"
then
rm -f "${SYSCONFDIR}/ssh_config"
if [ -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected."
fi
fi
fi
# Create default ssh_config from skeleton file in /etc/defaults/etc
if [ ! -f "${SYSCONFDIR}/ssh_config" ]
then
echo "Generating ${SYSCONFDIR}/ssh_config file"
cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config
if [ "$port_number" != "22" ]
then
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config
fi
fi
# Check if sshd_config exists. If yes, ask for overwriting
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?"
then
rm -f "${SYSCONFDIR}/sshd_config"
if [ -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
fi
else
grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
fi
fi
# Prior to creating or modifying sshd_config, care for privilege separation
if [ "$privsep_configured" != "yes" ]
then
if [ $_nt -gt 0 ]
then
echo "Privilege separation is set to yes by default since OpenSSH 3.3."
echo "However, this requires a non-privileged account called 'sshd'."
echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
echo
if request "Shall privilege separation be used?"
then
privsep_used=yes
grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_passwd" != "yes" ]
then
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: The following function requires administrator privileges!"
if request "Shall this script create a local user 'sshd' on this machine?"
then
dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Creating the user 'sshd' failed!"
fi
fi
fi
if [ "$sshd_in_sam" != "yes" ]
then
echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
echo " Privilege separation set to 'no' again!"
echo " Check your ${SYSCONFDIR}/sshd_config file!"
privsep_used=no
else
mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
fi
fi
else
privsep_used=no
fi
else
# On 9x don't use privilege separation. Since security isn't
# available it just adds useless additional processes.
privsep_used=no
fi
fi
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
echo "Generating ${SYSCONFDIR}/sshd_config file"
sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation $privsep_used/
s/^#Port 22/Port $port_number/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/defaults/etc/sshd_config \
> ${SYSCONFDIR}/sshd_config
elif [ "$privsep_configured" != "yes" ]
then
echo >> ${SYSCONFDIR}/sshd_config
echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
fi
# Care for services file
_my_etcdir="/ssh-host-config.$$"
if [ $_nt -gt 0 ]
then
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
_services="${_my_etcdir}/services"
else
_win_etcdir="${WINDIR}"
_services="${_my_etcdir}/SERVICES"
fi
_serv_tmp="${_my_etcdir}/srv.out.$$"
mount -t -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Removing sshd from ${_wservices}"
else
echo "Removing sshd from ${_wservices} failed\!"
fi
rm -f "${_serv_tmp}"
else
echo "Removing sshd from ${_wservices} failed\!"
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if mv "${_serv_tmp}" "${_services}"
then
echo "Added ssh to ${_wservices}"
else
echo "Adding ssh to ${_wservices} failed\!"
fi
rm -f "${_serv_tmp}"
else
echo "Adding ssh to ${_wservices} failed\!"
fi
fi
umount "${_my_etcdir}"
# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
if [ -f "${_inetcnf}" ]
then
# Check if ssh service is already in use as sshd
with_comment=1
grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
# Remove sshd line from inetd.conf
if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if mv "${_inetcnf_tmp}" "${_inetcnf}"
then
echo "Removed sshd from ${_inetcnf}"
else
echo "Removing sshd from ${_inetcnf} failed\!"
fi
rm -f "${_inetcnf_tmp}"
else
echo "Removing sshd from ${_inetcnf} failed\!"
fi
fi
# Add ssh line to inetd.conf
if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
fi
echo "Added ssh to ${_inetcnf}"
fi
fi
# On NT ask if sshd should be installed as service
if [ $_nt -gt 0 ]
then
echo
echo "Do you want to install sshd as service?"
if request "(Say \"no\" if it's already installed as service)"
then
echo
echo "Which value should the environment variable CYGWIN have when"
echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
echo "able to change user context without password."
echo -n "Default is \"ntsec\". CYGWIN="
read _cygwin
[ -z "${_cygwin}" ] && _cygwin="ntsec"
if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
then
echo
echo "The service has been installed under LocalSystem account."
fi
fi
# Now check if sshd has been installed as service. This allows to
# set the ownership of the affected files correctly.
#
# NOTE: This doesn't work flawlessly so far on Windows 2003 Server.
# The SYSTEM account on 2003 has not the appropriate privileges to allow
# passwordless logon (pubkey authentication). This requires to run the
# service under a special account, which has administrator privileges
# plus (at least, AFAIK) the SeCreateTokenPrivilege.
# The next step will be, to extend this script to create an approriate
# account for that, using the new editrights tool.
if cygrunsrv -Q sshd > /dev/null 2>&1
then
chown system ${SYSCONFDIR}/ssh*
chown system.system ${LOCALSTATEDIR}/empty
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
chown system.system ${LOCALSTATEDIR}/log/sshd.log
fi
fi
fi
echo
echo "Host configuration finished. Have fun!"
[-- Attachment #3: ssh-user-config --]
[-- Type: text/plain, Size: 5564 bytes --]
#!/bin/sh
#
# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
progname=$0
auto_answer=""
auto_passphrase="no"
passphrase=""
request()
{
if [ "${auto_answer}" = "yes" ]
then
return 0
elif [ "${auto_answer}" = "no" ]
then
return 1
fi
answer=""
while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
do
echo -n "$1 (yes/no) "
read answer
done
if [ "X${answer}" = "Xyes" ]
then
return 0
else
return 1
fi
}
# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# Check options
while :
do
case $# in
0)
break
;;
esac
option=$1
shift
case "$option" in
-d | --debug )
set -x
;;
-y | --yes )
auto_answer=yes
;;
-n | --no )
auto_answer=no
;;
-p | --passphrase )
with_passphrase="yes"
passphrase=$1
shift
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH user configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo
exit 1
;;
esac
done
# Ask user if user identity should be generated
if [ ! -f /etc/passwd ]
then
echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file'
echo 'first using mkpasswd. Check if it contains an entry for you and'
echo 'please care for the home directory in your entry as well.'
exit 1
fi
uid=`id -u`
pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd`
if [ "X${pwdhome}" = "X" ]
then
echo 'There is no home directory set for you in /etc/passwd.'
echo 'Setting $HOME is not sufficient!'
exit 1
fi
if [ ! -d "${pwdhome}" ]
then
echo "${pwdhome} is set in /etc/passwd as your home directory"
echo 'but it is not a valid directory. Cannot create user identity files.'
exit 1
fi
# If home is the root dir, set home to empty string to avoid error messages
# in subsequent parts of that script.
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!'
if request "Would you like to proceed anyway?"
then
pwdhome=''
else
exit 1
fi
fi
if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
echo 'WARNING: group and other have been revoked write permission to your home'
echo " directory ${pwdhome}."
echo ' This is required by OpenSSH to allow public key authentication using'
echo ' the key files stored in your .ssh subdirectory.'
echo ' Revert this change ONLY if you know what you are doing!'
echo
fi
if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
then
echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
exit 1
fi
if [ ! -e "${pwdhome}/.ssh" ]
then
mkdir "${pwdhome}/.ssh"
if [ ! -e "${pwdhome}/.ssh" ]
then
echo "Creating users ${pwdhome}/.ssh directory failed"
exit 1
fi
fi
if [ $_nt -gt 0 ]
then
if ! setfacl -m 'u::rwx,u:system:r--,g::---,o::---' "${pwdhome}/.ssh"
then
echo "${pwdhome}/.ssh couldn't be given the correct permissions."
echo "Please try to solve this problem first."
exit 1
fi
fi
if [ ! -f "${pwdhome}/.ssh/identity" ]
then
if request "Shall I create an SSH1 RSA identity file for you?"
then
echo "Generating ${pwdhome}/.ssh/identity"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
else
ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
then
if request "Shall I create an SSH2 RSA identity file for you? (yes/no) "
then
echo "Generating ${pwdhome}/.ssh/id_rsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
else
ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
then
if request "Shall I create an SSH2 DSA identity file for you? (yes/no) "
then
echo "Generating ${pwdhome}/.ssh/id_dsa"
if [ "${with_passphrase}" = "yes" ]
then
ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
else
ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
fi
if request "Do you want to use this identity to login to this machine?"
then
echo "Adding to ${pwdhome}/.ssh/authorized_keys"
cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
fi
fi
fi
if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ]
then
chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys"
fi
echo
echo "Configuration finished. Have fun!"
[-- Attachment #4: Type: text/plain, Size: 218 bytes --]
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2003-11-03 8:51 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-10-30 22:58 Testers for new ssh-*-config scripts wanted! Harig, Mark
2003-10-31 1:34 ` Brian Ford
-- strict thread matches above, loose matches on Subject: below --
2003-10-31 1:50 Harig, Mark
2003-10-30 18:47 Harig, Mark
2003-10-30 18:07 Corinna Vinschen
2003-10-31 9:31 ` Philippe Torche
2003-10-31 11:20 ` Corinna Vinschen
2003-10-31 16:19 ` Philippe Torche
2003-10-31 18:09 ` Corinna Vinschen
2003-11-03 8:38 ` Philippe Torche
2003-11-03 8:51 ` Corinna Vinschen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).