Mail Archives: cygwin/2019/01/28/13:39:18
X-Recipient: | archive-cygwin AT delorie DOT com
|
DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
|
| :list-unsubscribe:list-subscribe:list-archive:list-post
|
| :list-help:sender:date:from:to:cc:subject:message-id:reply-to
|
| :references:mime-version:content-type:in-reply-to; q=dns; s=
|
| default; b=sgn4QSGs8hdabXbaraUBj9V1wiHN++jFIXicT1QqjQLB+W6KNhuLn
|
| 8hs5nrvcUkOntUqIifqOqB+9kOyR574gMbHH8D7hbK+nqXyuNSbhMhIuIY5Vb7Mi
|
| m0dKo018ZTF6xjZDIkNqa5qiUfXW0HjnnGCtEqF4KNDci5e297JBls=
|
DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
|
| :list-unsubscribe:list-subscribe:list-archive:list-post
|
| :list-help:sender:date:from:to:cc:subject:message-id:reply-to
|
| :references:mime-version:content-type:in-reply-to; s=default;
|
| bh=Qqdufhu9CRO71Sr6bVpoaNS+6JE=; b=LdyBzPMa2ZvveNuArLOTXu+cXgXv
|
| hTxoi/2cis3YO/nwINR691koyHx5DziDe7tMANYj6hH+MbYtOEwmdwiaHA3ZfOr6
|
| MHKcSpwhNR7UmYIDEwXJPKXJJT1hFESJt8fTgQS6bj1uzsC5sm1KzlxrymYyln0U
|
| BARqZSIJUfHmaoI=
|
Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm
|
List-Id: | <cygwin.cygwin.com>
|
List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com>
|
List-Archive: | <http://sourceware.org/ml/cygwin/>
|
List-Post: | <mailto:cygwin AT cygwin DOT com>
|
List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
|
Sender: | cygwin-owner AT cygwin DOT com
|
Mail-Followup-To: | cygwin AT cygwin DOT com
|
Delivered-To: | mailing list cygwin AT cygwin DOT com
|
Authentication-Results: | sourceware.org; auth=none
|
X-Spam-SWARE-Status: | No, score=-105.1 required=5.0 tests=BAYES_00,GIT_PATCH_2,GOOD_FROM_CORINNA_CYGWIN,KAM_ASCII_DIVIDERS,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE,WEIRD_QUOTING autolearn=ham version=3.3.2 spammy=mount, Port, protocol, desktop
|
X-HELO: | mout.kundenserver.de
|
Date: | Mon, 28 Jan 2019 19:38:56 +0100
|
From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
|
To: | Bill Stewart <bstewart AT iname DOT com>
|
Cc: | cygwin AT cygwin DOT com
|
Subject: | Re: sshd permits logon using disabled user?
|
Message-ID: | <20190128183856.GT3912@calimero.vinschen.de>
|
Reply-To: | cygwin AT cygwin DOT com
|
Mail-Followup-To: | Bill Stewart <bstewart AT iname DOT com>, cygwin AT cygwin DOT com
|
References: | <1690850474 DOT 834980 DOT 1548391349102 DOT ref AT mail DOT yahoo DOT com> <1690850474 DOT 834980 DOT 1548391349102 AT mail DOT yahoo DOT com> <d6f98cbc-bd2f-1c13-98bb-7ef42c000115 AT baur-itcs DOT de> <CANV9t=RKVWPfiqNMbnSgevTBvm8S1G-oFWK3BEisdgaSGz2OzA AT mail DOT gmail DOT com> <20190125174833 DOT GA1710 AT zebra> <CANV9t=Q2ZRqVD99a+qdVTet1hn_aM6RY5B2Cm1oc0E4Lf9x2ig AT mail DOT gmail DOT com> <20190128095947 DOT GN3912 AT calimero DOT vinschen DOT de> <CANV9t=Tk=k5ohYw5TcvYy7TrWUBOTA4JXqE=75H+6n_-o53ZSQ AT mail DOT gmail DOT com> <20190128165227 DOT GQ3912 AT calimero DOT vinschen DOT de> <CANV9t=QMcDWWKY=Qqe-1jdbE1SNJ+uwGuV02uoqAYwMj85Ts8w AT mail DOT gmail DOT com>
|
MIME-Version: | 1.0
|
In-Reply-To: | <CANV9t=QMcDWWKY=Qqe-1jdbE1SNJ+uwGuV02uoqAYwMj85Ts8w@mail.gmail.com>
|
User-Agent: | Mutt/1.10.1 (2018-07-13)
|
--Ie5iOtK4e9kgqh2F
Content-Type: multipart/mixed; boundary="wAI/bQb0EMvlZCHl"
Content-Disposition: inline
--wAI/bQb0EMvlZCHl
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Jan 28 10:18, Bill Stewart wrote:
> On Mon, Jan 28, 2019 at 9:52 AM Corinna Vinschen
> <corinna-cygwin AT cygwin DOT com> wrote:
> >
> > On Jan 28 08:02, Bill Stewart wrote:
> > > On Mon, Jan 28, 2019 at 2:59 AM Corinna Vinschen
> > > <corinna-cygwin AT cygwin DOT com> wrote:
> > >
> > > > Can you please test again with the latest snapshot from
> > > > https://cygwin.com/snapshots/? The new S4U authentication method
> > > > used in this snapshot automatically applies the Windows account rul=
es so
> > > > in my testing the patch I applied originally is not required anymor=
e.
> > > > Consequentially I disabled it to rely fully on the Windows function=
's
> > > > behaviour. Can you test this, too, please, just to be sure?
> > >
> > > Thank you Corinna; I will test.
> > >
> > > Will the S4U authentication work on standalone (non domain-joined)
> > > machines also?
> >
> > It uses MsV1_0 S4U on standalone workstations, Kerberos S4U on domain
> > meber machines with fallback to MsV1_0 under some circumstances.
>=20
> Hi Corinna,
>=20
> This is great that the service can run using the SYSTEM account! It
> greatly simplifies management.
Along these lines I have an OpenSSH patch in the loop which reverts
the ssh-host-config script back to using the SYSTEM user, just as
in the olden Windows XP days. I'll send it upstream as soon as
Cygwin 3.0 is officially released. I attached the resulting
ssh-host-config script to this mail, if you or anybody else want
to test it.
> I tested and it worked as expected.
>=20
> Thank you!
Super, thank you! I guess I will role out a Cygwin test release in the
next couple of days.
Stay tuned,
Corinna
--=20
Corinna Vinschen
Cygwin Maintainer
--wAI/bQb0EMvlZCHl
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename=ssh-host-config
Content-Transfer-Encoding: quoted-printable
#!/bin/bash
#
# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS=
=20=20
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.=20=
=20=20
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,=20=
=20=20
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR=20=
=20=20=20
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR=20=
=20=20=20
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Initialization
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
CSIH_SCRIPT=3D/usr/share/csih/cygwin-service-installation-helper.sh
# List of apps used. This is checkad for existence in csih_sanity_check
# Don't use *any* transient commands before sourcing the csih helper script,
# otherwise the sanity checks are short-circuited.
declare -a csih_required_commands=3D(
/usr/bin/basename coreutils
/usr/bin/cat coreutils
/usr/bin/chmod coreutils
/usr/bin/dirname coreutils
/usr/bin/id coreutils
/usr/bin/mv coreutils
/usr/bin/rm coreutils
/usr/bin/cygpath cygwin
/usr/bin/mkpasswd cygwin
/usr/bin/mount cygwin
/usr/bin/ps cygwin
/usr/bin/umount cygwin
/usr/bin/cmp diffutils
/usr/bin/grep grep
/usr/bin/awk gawk
/usr/bin/ssh-keygen openssh
/usr/sbin/sshd openssh
/usr/bin/sed sed
)
csih_sanity_check_server=3Dyes
source ${CSIH_SCRIPT}
PROGNAME=3D$(/usr/bin/basename $0)
_tdir=3D$(/usr/bin/dirname $0)
PROGDIR=3D$(cd $_tdir && pwd)
# Subdirectory where the new package is being installed
PREFIX=3D/usr
# Directory where the config files are stored
SYSCONFDIR=3D/etc
LOCALSTATEDIR=3D/var
sshd_config_configured=3Dno
port_number=3D22
service_name=3Dcygsshd
strictmodes=3Dyes
cygwin_value=3D""
user_account=3D
password_value=3D
opt_force=3Dno
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: update_services_file
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
update_services_file() {
local _my_etcdir=3D"/ssh-host-config.$$"
local _win_etcdir
local _services
local _spaces
local _serv_tmp
local _wservices
local ret=3D0
_win_etcdir=3D"${SYSTEMROOT}\\system32\\drivers\\etc"
_services=3D"${_my_etcdir}/services"
_spaces=3D" #"
_serv_tmp=3D"${_my_etcdir}/srv.out.$$"
/usr/bin/mount -o text,posix=3D0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
# Depends on the above mount
_wservices=3D`cygpath -w "${_services}"`
# Add ssh 22/tcp and ssh 22/udp to services
if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; ech=
o $?` -ne 0 ]
then
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/=
tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_s=
paces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_ser=
v_tmp}"
then
if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Added ssh to ${_wservices}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
let ++ret
fi
/usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Adding ssh to ${_wservices} failed!"
let ++ret
fi
fi
/usr/bin/umount "${_my_etcdir}"
return $ret
} # --- End of update_services_file --- #
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: sshd_strictmodes
# MODIFIES: strictmodes
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
sshd_strictmodes() {
if [ "${sshd_config_configured}" !=3D "yes" ]
then
echo
csih_inform "StrictModes is set to 'yes' by default."
csih_inform "This is the recommended setting, but it requires that the =
POSIX"
csih_inform "permissions of the user's home directory, the user's .ssh"
csih_inform "directory, and the user's ssh key files are tight so that"
csih_inform "only the user has write permissions."
csih_inform "On the other hand, StrictModes don't work well with defaul=
t"
csih_inform "Windows permissions of a home directory mounted with the"
csih_inform "'noacl' option, and they don't work at all if the home"
csih_inform "directory is on a FAT or FAT32 partition."
if ! csih_request "Should StrictModes be used?"
then
strictmodes=3Dno
fi
fi
return 0
}
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: sshd_privsep
# Try to create ssshd user account
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
sshd_privsep() {
local ret=3D0
if [ "${sshd_config_configured}" !=3D "yes" ]
then
if ! csih_create_unprivileged_user sshd
then
csih_error_recoverable "Could not create user 'sshd'!"
csih_error_recoverable "You will not be able to run an sshd service"
csih_error_recoverable "under a privileged account successfully."
csih_error_recoverable "Make sure to create a non-privileged user 'ss=
hd'"
csih_error_recoverable "manually before trying to run the service!"
let ++ret
fi
fi
return $ret
} # --- End of sshd_privsep --- #
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: sshd_config_tweak
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
sshd_config_tweak() {
local ret=3D0
# Modify sshd_config
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
if [ "${port_number}" -ne 22 ]
then
/usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_num=
ber}/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting listening port to ${port_number} failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
if [ "${strictmodes}" =3D "no" ]
then
/usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictMo=
des no/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting StrictModes to 'no' failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
return $ret
} # --- End of sshd_config_tweak --- #
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: update_inetd_conf
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
update_inetd_conf() {
local _inetcnf=3D"${SYSCONFDIR}/inetd.conf"
local _inetcnf_tmp=3D"${SYSCONFDIR}/inetd.conf.$$"
local _inetcnf_dir=3D"${SYSCONFDIR}/inetd.d"
local _sshd_inetd_conf=3D"${_inetcnf_dir}/sshd-inetd"
local _sshd_inetd_conf_tmp=3D"${_inetcnf_dir}/sshd-inetd.$$"
local _with_comment=3D1
local ret=3D0
if [ -d "${_inetcnf_dir}" ]
then
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=3D0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed ssh[d] from ${_inetcnf}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
let ++ret
fi
/usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
let ++ret
fi
fi
fi
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_in=
etd_conf}" >/dev/null 2>&1
then
if [ "${_with_comment}" -eq 0 ]
then
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_=
sshd_inetd_conf_tmp}"
else
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "$=
{_sshd_inetd_conf_tmp}"
fi
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
then
csih_inform "Updated ${_sshd_inetd_conf}"
else
csih_warning "Updating ${_sshd_inetd_conf} failed!"
let ++ret
fi
fi
elif [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=3D0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -=
eq 0 ]
then
/usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_=
tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
then
csih_inform "Removed sshd from ${_inetcnf}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
let ++ret
fi
/usr/bin/rm -f "${_inetcnf_tmp}"
else
csih_warning "Removing sshd from ${_inetcnf} failed!"
let ++ret
fi
fi
# Add ssh line to inetd.conf
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
then
if [ "${_with_comment}" -eq 0 ]
then
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_=
inetcnf}"
else
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "$=
{_inetcnf}"
fi
if [ $? -eq 0 ]
then
csih_inform "Added ssh to ${_inetcnf}"
else
csih_warning "Adding ssh to ${_inetcnf} failed!"
let ++ret
fi
fi
fi
return $ret
} # --- End of update_inetd_conf --- #
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: check_service_files_ownership
# Checks that the files in /etc and /var belong to the right owner
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
check_service_files_ownership() {
local run_service_as=3D$1
local ret=3D0
if [ -z "${run_service_as}" ]
then
accnt_name=3D$(/usr/bin/cygrunsrv -VQ "${service_name}" |
/usr/bin/sed -ne 's/^Account *: *//gp')
if [ "${accnt_name}" =3D "LocalSystem" ]
then
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
run_service_as=3D"SYSTEM"
else
dom=3D"${accnt_name%%\\*}"
accnt_name=3D"${accnt_name#*\\}"
if [ "${dom}" =3D '.' ]
then
# Check local account
run_service_as=3D$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
/usr/bin/awk -F: '{print $1;}')
else
# Check domain
run_service_as=3D$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
/usr/bin/awk -F: '{print $1;}')
fi
fi
if [ -z "${run_service_as}" ]
then
csih_warning "Couldn't determine name of user running ${service_name}=
service from account database!"
csih_warning "As a result, this script cannot make sure that the file=
s used"
csih_warning "by the ${service_name} service belong to the user runni=
ng the service."
return 1
fi
fi
for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCON=
FDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
do
if [ -f "$i" ]
then
if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
then
csih_warning "Couldn't change owner of $i!"
let ++ret
fi
fi
done
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
let ++ret
fi
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/nul=
l 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
let ++ret
fi
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
then
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/=
null 2>&1
then
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
let ++ret
fi
fi
if [ $ret -ne 0 ]
then
csih_warning "Couldn't change owner of important files to ${run_service=
_as}!"
csih_warning "This may cause the ${service_name} service to fail! Plea=
se make sure that"
csih_warning "you have sufficient permissions to change the ownership o=
f files"
csih_warning "and try to run the ssh-host-config script again."
fi
return $ret
} # --- End of check_service_files_ownership --- #
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Routine: install_service
# Install sshd as a service
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
install_service() {
local run_service_as
local password
local ret=3D0
echo
if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
then
csih_inform "Sshd service is already installed."
check_service_files_ownership "" || let ret+=3D$?
else
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
if csih_request "(Say \"no\" if it is already installed as a service)"
then
csih_get_cygenv "${cygwin_value}"
if ( [ "$csih_FORCE_PRIVILEGED_USER" =3D "yes" ] )
then
[ "${opt_force}" =3D "yes" ] && opt_f=3D-f
[ -n "${user_account}" ] && opt_u=3D"-u ""${user_account}"""
csih_select_privileged_username ${opt_f} ${opt_u} sshd
if ! csih_create_privileged_user "${password_value}"
then
csih_error_recoverable "There was a serious problem creating a privilege=
d user."
csih_request "Do you want to proceed anyway?" || exit 1
let ++ret
fi
# Never returns empty if NT or above
run_service_as=3D$(csih_service_should_run_as)
else
run_service_as=3D"SYSTEM"
fi
if [ "${run_service_as}" =3D "${csih_PRIVILEGED_USERNAME}" ]
then
password=3D"${csih_PRIVILEGED_PASSWORD}"
if [ -z "${password}" ]
then
csih_get_value "Please enter the password for user '${run_service_as}':"=
"-s"
password=3D"${csih_value}"
fi
fi
# At this point, we either have $run_service_as =3D "system" and
# $password is empty, or $run_service_as is some privileged user and
# (hopefully) $password contains the correct password. So, from here
# out, we use '-z "${password}"' to discriminate the two cases.
csih_check_user "${run_service_as}"
if [ -n "${csih_cygenv}" ]
then
cygwin_env=3D( -e "CYGWIN=3D${csih_cygenv}" )
fi
if [ -z "${password}" ]
then
if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /u=
sr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}"
then
echo
csih_inform "The sshd service has been installed under the LocalSystem"
csih_inform "account (also known as SYSTEM). To start the service now, c=
all"
csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_na=
me}'. Otherwise, it"
csih_inform "will start automatically after the next reboot."
fi
else
if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /u=
sr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}" \
-u "${run_service_as}" -w "${password}"
then
/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
echo
csih_inform "The sshd service has been installed under the '${run_servic=
e_as}'"
csih_inform "account. To start the service now, call \`net start ${serv=
ice_name}' or"
csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start =
automatically"
csih_inform "after the next reboot."
fi
fi
if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
then
check_service_files_ownership "${run_service_as}" || let ret+=3D$?
else
csih_error_recoverable "Installing sshd as a service failed!"
let ++ret
fi
fi # user allowed us to install as service
fi # service not yet installed
return $ret
} # --- End of install_service --- #
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Main Entry Point
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Check how the script has been started. If
# (1) it has been started by giving the full path and
# that path is /etc/postinstall, OR
# (2) Otherwise, if the environment variable
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
# then set auto_answer to "no". This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist. In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
if [ "$PROGDIR" =3D "/etc/postinstall" ]
then
csih_auto_answer=3D"no"
csih_disable_color
opt_force=3Dyes
fi
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
then
csih_auto_answer=3D"no"
csih_disable_color
opt_force=3Dyes
fi
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Parse options
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
while :
do
case $# in
0)
break
;;
esac
option=3D$1
shift
case "${option}" in
-d | --debug )
set -x
csih_trace_on
;;
-y | --yes )
csih_auto_answer=3Dyes
opt_force=3Dyes
;;
-n | --no )
csih_auto_answer=3Dno
opt_force=3Dyes
;;
-c | --cygwin )
cygwin_value=3D"$1"
shift
;;
-N | --name )
service_name=3D$1
shift
;;
-p | --port )
port_number=3D$1
shift
;;
-u | --user )
user_account=3D"$1"
shift
;;
=20=20=20=20
-w | --pwd )
password_value=3D"$1"
shift
;;
--privileged )
csih_FORCE_PRIVILEGED_USER=3Dyes
;;
*)
echo "usage: ${progname} [OPTION]..."
echo
echo "This script creates an OpenSSH host configuration."
echo
echo "Options:"
echo " --debug -d Enable shell's debug output."
echo " --yes -y Answer all questions with \"yes\" automa=
tically."
echo " --no -n Answer all questions with \"no\" automat=
ically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN envi=
ronment var."
echo " --name -N <name> sshd windows service name."
echo " --port -p <n> sshd listens on port n."
echo " --user -u <account> privileged user for service, default 'cy=
g_server'."
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged u=
ser."
echo " --privileged On Windows XP, require privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
esac
done
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Action!
# =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
then
echo
csih_error "There are still ssh processes running. Please shut them down =
first."
fi
# Make sure the user is running in an administrative context
admin=3D$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo =
no)
if [ "${admin}" !=3D "yes" ]
then
echo
csih_warning "Running this script typically requires administrator privil=
eges!"
csih_warning "However, it seems your account does not have these privileg=
es."
csih_warning "Here's the list of groups in your user token:"
echo
/usr/bin/id -Gnz | xargs -0n1 echo " "
echo
csih_warning "This usually means you're running this script from a non-ad=
min"
csih_warning "desktop session, or in a non-elevated shell under UAC contr=
ol."
echo
csih_warning "Make sure you have the appropriate privileges right now,"
csih_warning "otherwise parts of this script will probably fail!"
echo
echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no=
\" if you're not sure"
if ! csih_request "you have the required privileges)"
then
echo
csih_inform "Ok. Exiting. Make sure to switch to an administrative ac=
count"
csih_inform "or to start this script from an elevated shell."
exit 1
fi
fi
echo
warning_cnt=3D0
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
echo
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file.=
" \
"Cannot create ssh host configuration."
fi
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
then
/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
let ++warning_cnt
fi
fi
# Create /var/empty file used as chroot jail for privilege separation
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empt=
y directory."
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
# generate missing host keys
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || let warning_cnt+=3D$?
# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || =
let ++warning_cnt
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCON=
FDIR}/ssh_config" >/dev/null 2>&1
then
if [ "${port_number}" !=3D "22" ]
then
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
fi
fi
# handle sshd_config
# make sure not to change the existing file
mod_before=3D""
if [ -e "${SYSCONFDIR}/sshd_config" ]
then
mod_before=3D$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:')
fi
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" ||=
let ++warning_cnt
mod_now=3D$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:')
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYS=
CONFDIR}/sshd_config" >/dev/null 2>&1
then
sshd_config_configured=3Dyes
fi
if [ "${mod_before}" !=3D "${mod_now}" ]
then
sshd_strictmodes || let warning_cnt+=3D$?
sshd_config_tweak || let warning_cnt+=3D$?
fi
#sshd_privsep || let warning_cnt+=3D$?
update_services_file || let warning_cnt+=3D$?
update_inetd_conf || let warning_cnt+=3D$?
install_service || let warning_cnt+=3D$?
echo
if [ $warning_cnt -eq 0 ]
then
csih_inform "Host configuration finished. Have fun!"
else
csih_warning "Host configuration exited with ${warning_cnt} errors or war=
nings!"
csih_warning "Make sure that all problems reported are fixed,"
csih_warning "then re-run ssh-host-config."
fi
exit $warning_cnt
--wAI/bQb0EMvlZCHl--
--Ie5iOtK4e9kgqh2F
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEoVYPmneWZnwT6kwF9TYGna5ET6AFAlxPTEAACgkQ9TYGna5E
T6DIpg//fWWu/KAy7O85oO4azRRJptTi5vKZXYbGZRpH8QM35vEd6YMIW1Kf5WWh
9cHh0pd9t8qti1Fhr7BUMclU5o3wu5Fam0QAHXVyaUUpfi344f1PIGFCW8+2xoLp
GuH4/AtZpR+NcDwJ7sxmc9V1yreCd+ucwjPPEdzpBpwLYzd1617AzJActgrtE+Hz
6eGy+nsMCG41oERq6mg3x1B23ymH6gKc1AGUtGmXDBZMhR+MsgQDijJ5vzNw+6sA
llVKlnyhqho0SZPzZuUuOdLYMk+2Yxd7WELP21tg/zCNP1m3f28HFn1qkGnHS8P9
Ul5T48ti64Vlj2UVqcA+wVdm659LeBUaEo0v1tgWeFbSlpzgdRL04ZF2AzUTEbMh
daVyHNCpL5Tg6LZvMgQajAEE8w/2BULe3Y0YXpJ0bOik7/Gn12HfKToLDMoJi+tU
0kXf+1W/NH/eMdr3pVVuUfRAgHMJpvupPCuhpPeRGqdX/DXaQgPcj39n7IALIwKR
cJEiBc5Lz0ew+B1YVazogukbDXZW6VaHqYjdxvA3KXUy79Q9Z4KWhalkLZWmaACT
e6QPGiYk6krfzhDGMDwxWtTr3in083JvWqNWNZJaD1eLQokHyfHiwVcEVzNBNo3L
brCtH8AHzpmjTdpzd/rURsOrxWSBzedH6H5e6zI/QKEbkPp2OEI=
=PTMW
-----END PGP SIGNATURE-----
--Ie5iOtK4e9kgqh2F--
- Raw text -