Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Date: Mon, 3 Nov 2003 17:22:01 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Take 2: Testers for new ssh-*-config scripts wanted! Message-ID: <20031103162201.GF18706@cygbert.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="RnlQjJ0d97Da+TV1" Content-Disposition: inline User-Agent: Mutt/1.4.1i --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, I'd like to ask for more testing of the new ssh-host-config and ssh-user-config scripts. The new thing here is, that the ssh-host-config script now tries to figure out if the machine is a 2003 Server or newer system. If so, the script asks, if it should create a new account "sshd_server" to use as account to run sshd as service under. If you say "yes" at this point, a bunch of funny new activities is started: - The script creates a sshd_server account - It adds that account to the administrators group *iff* it's able to figure out the name of that group from the /etc/group file. This means, you must not change the name of the administrators group in /etc/group and the SID (S-1-5-32-544) must be available in that entry. - It uses the new editrights utility to add the necessary user rights to the new sshd_server account. These rights also explicitely deny logon locally and over network and allow logon only as service for security reasons. The ssh-user-config script has also been changed. It tries to figure out if the machine is a 2003 Server or newer and if so, it sets the permissions of the users ~/.ssh directory and the users ~/ssh/authorized_keys file so that the sshd_server account has read permissions on both. If it's an older system, it does the same for the SYSTEM account. Also on 2003, the sshd_server account is used for ownership of the important files (/etc/ssh*, /var/empty, /var/log/sshd.log). Further changes: - Require bash for both scripts. - Use `read -e' in both scripts to enable readline support. So, I'd like to ask especially users of a 2003 Server system to test that script. Users of other systems are of course also welcome since I want to be sure that I haven't broken these systems. Attached are both scripts plus the vanilla ssh_config and sshd_config file. The latter two have to be copied to /etc/defaults/etc. Please not that the "editrights" tool has to be installed on your system. You can find it in the Base category when updating with setup.exe. Thanks in advance, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc. --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=ssh-host-config #!/bin/bash # # ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. # Subdirectory where the new package is being installed PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc LOCALSTATEDIR=/var progname=$0 auto_answer="" port_number=22 privsep_configured=no privsep_used=yes sshd_in_passwd=no sshd_in_sam=no request() { if [ "${auto_answer}" = "yes" ] then return 0 elif [ "${auto_answer}" = "no" ] then return 1 fi answer="" while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " read -e answer done if [ "X${answer}" = "Xyes" ] then return 0 else return 1 fi } # Check options while : do case $# in 0) break ;; esac option=$1 shift case "$option" in -d | --debug ) set -x ;; -y | --yes ) auto_answer=yes ;; -n | --no ) auto_answer=no ;; -p | --port ) port_number=$1 shift ;; *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo " --port -p sshd listens on port n." echo exit 1 ;; esac done # Check if running on NT _sys="`uname`" _nt=`expr "$_sys" : "CYGWIN_NT"` # If running on NT, check if running under 2003 Server or later if [ $_nt -gt 0 ] then _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` fi # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running if ps -ef | grep -v grep | grep -q ssh then echo echo "There are still ssh processes running. Please shut them down first." echo exit 1 fi # Check for ${SYSCONFDIR} directory if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] then echo echo "${SYSCONFDIR} is existant but not a directory." echo "Cannot create global configuration files." echo exit 1 fi # Create it if necessary if [ ! -e "${SYSCONFDIR}" ] then mkdir "${SYSCONFDIR}" if [ ! -e "${SYSCONFDIR}" ] then echo echo "Creating ${SYSCONFDIR} directory failed" echo exit 1 fi fi # Create /var/log and /var/log/lastlog if not already existing if [ -f ${LOCALSTATEDIR}/log ] then echo "Creating ${LOCALSTATEDIR}/log failed!" else if [ ! -d ${LOCALSTATEDIR}/log ] then mkdir -p ${LOCALSTATEDIR}/log fi if [ -d ${LOCALSTATEDIR}/log/lastlog ] then chmod 777 ${LOCALSTATEDIR}/log/lastlog elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] then cat /dev/null > ${LOCALSTATEDIR}/log/lastlog chmod 666 ${LOCALSTATEDIR}/log/lastlog fi fi # Create /var/empty file used as chroot jail for privilege separation if [ -f ${LOCALSTATEDIR}/empty ] then echo "Creating ${LOCALSTATEDIR}/empty failed!" else mkdir -p ${LOCALSTATEDIR}/empty if [ $_nt -gt 0 ] then chmod 755 ${LOCALSTATEDIR}/empty fi fi # First generate host keys if not already existing if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] then echo "Generating ${SYSCONFDIR}/ssh_host_key" ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null fi if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] then echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null fi if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] then echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null fi # Check if ssh_config exists. If yes, ask for overwriting if [ -f "${SYSCONFDIR}/ssh_config" ] then if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" then rm -f "${SYSCONFDIR}/ssh_config" if [ -f "${SYSCONFDIR}/ssh_config" ] then echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." fi fi fi # Create default ssh_config from skeleton file in /etc/defaults/etc if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config if [ "$port_number" != "22" ] then echo "Host localhost" >> ${SYSCONFDIR}/ssh_config echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config fi fi # Check if sshd_config exists. If yes, ask for overwriting if [ -f "${SYSCONFDIR}/sshd_config" ] then if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" then rm -f "${SYSCONFDIR}/sshd_config" if [ -f "${SYSCONFDIR}/sshd_config" ] then echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." fi else grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes fi fi # Prior to creating or modifying sshd_config, care for privilege separation if [ "$privsep_configured" != "yes" ] then if [ $_nt -gt 0 ] then echo "Privilege separation is set to yes by default since OpenSSH 3.3." echo "However, this requires a non-privileged account called 'sshd'." echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." echo if request "Should privilege separation be used?" then privsep_used=yes grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes net user sshd >/dev/null 2>&1 && sshd_in_sam=yes if [ "$sshd_in_passwd" != "yes" ] then if [ "$sshd_in_sam" != "yes" ] then echo "Warning: The following function requires administrator privileges!" if request "Should this script create a local user 'sshd' on this machine?" then dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /expires:never /active:no > /dev/null 2>&1 && sshd_in_sam=yes if [ "$sshd_in_sam" != "yes" ] then echo "Warning: Creating the user 'sshd' failed!" fi fi fi if [ "$sshd_in_sam" != "yes" ] then echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" echo " Privilege separation set to 'no' again!" echo " Check your ${SYSCONFDIR}/sshd_config file!" privsep_used=no else mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd fi fi else privsep_used=no fi else # On 9x don't use privilege separation. Since security isn't # available it just adds useless additional processes. privsep_used=no fi fi # Create default sshd_config from skeleton files in /etc/defaults/etc or # modify to add the missing privsep configuration option if [ ! -f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation $privsep_used/ s/^#Port 22/Port $port_number/ s/^#StrictModes yes/StrictModes no/" \ < ${SYSCONFDIR}/defaults/etc/sshd_config \ > ${SYSCONFDIR}/sshd_config elif [ "$privsep_configured" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config fi # Care for services file _my_etcdir="/ssh-host-config.$$" if [ $_nt -gt 0 ] then _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" _services="${_my_etcdir}/services" # On NT, 27 spaces, no space after the hash _spaces=" #" else _win_etcdir="${WINDIR}" _services="${_my_etcdir}/SERVICES" # On 9x, 18 spaces (95 is very touchy), a space after the hash _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" mount -t -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` # Remove sshd 22/port from services if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] then grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] then if mv "${_serv_tmp}" "${_services}" then echo "Removing sshd from ${_wservices}" else echo "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else echo "Removing sshd from ${_wservices} failed!" fi fi # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then if mv "${_serv_tmp}" "${_services}" then echo "Added ssh to ${_wservices}" else echo "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else echo "WARNING: Adding ssh to ${_wservices} failed!" fi fi umount "${_my_etcdir}" # Care for inetd.conf file _inetcnf="${SYSCONFDIR}/inetd.conf" _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" if [ -f "${_inetcnf}" ] then # Check if ssh service is already in use as sshd with_comment=1 grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 # Remove sshd line from inetd.conf if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] then grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then if mv "${_inetcnf_tmp}" "${_inetcnf}" then echo "Removed sshd from ${_inetcnf}" else echo "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else echo "Removing sshd from ${_inetcnf} failed!" fi fi # Add ssh line to inetd.conf if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] then if [ "${with_comment}" -eq 0 ] then echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" else echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" fi echo "Added ssh to ${_inetcnf}" fi fi # On NT ask if sshd should be installed as service if [ $_nt -gt 0 ] then # But only if it is not already installed if ! cygrunsrv -Q sshd > /dev/null 2>&1 then echo echo echo "Warning: The following function requires administrator privileges!" echo echo "Do you want to install sshd as service?" if request "(Say \"no\" if it's already installed as service)" then if [ $_nt2003 -gt 0 ] then grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes if [ "$sshd_server_in_sam" != "yes" ] then echo echo "You appear to be running Windows 2003 Server or later. On 2003 and" echo "later systems, it's not possible to use the LocalSystem account" echo "if sshd should allow passwordless logon (e. g. public key authentication)." echo "If you want to enable that functionality, it's required to create a new" echo "account 'sshd_server' with special privileges, which is then used to run" echo "the sshd service under." echo echo "Should this script create a new local account 'sshd_server' which has" if request "the required privileges?" then _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` if [ -z "${_admingroup}" ] then echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" echo "and restart this script." exit 1 fi dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` net user sshd_server sshd_server /add /fullname:"sshd server account" "/homedir:$dos_var_empty" /expires:never > /dev/null 2>&1 && sshd_server_in_sam=yes if [ "$sshd_server_in_sam" != "yes" ] then echo "Creating the user 'sshd_server' failed!" echo "Can't create sshd service!" exit 1 fi net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes if [ "$sshd_server_in_admingroup" != "yes" ] then echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" echo "Please add sshd_server to local group ${_admingroup} before" echo "starting the sshd service!" echo fi editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && editrights -a SeCreateTokenPrivilege -u sshd_server && editrights -a SeDenyInteractiveLogonRight -u sshd_server && editrights -a SeDenyNetworkLogonRight -u sshd_server && editrights -a SeIncreaseQuotaPrivilege -u sshd_server && editrights -a SeServiceLogonRight -u sshd_server && sshd_server_got_all_rights="yes" if [ "$sshd_server_got_all_rights" != "yes" ] then echo "Assigning the appropriate privileges to user 'sshd_server' failed!" echo "Can't create sshd service!" exit 1 fi echo echo "User 'sshd_server' has been created with password 'sshd_server'." echo "If you change the password, please keep in mind to change the password" echo "for the sshd service, too." echo echo "Also keep in mind that the user sshd_server needs read permissions on all" echo "users' .ssh/authorized_keys file to allow public key authentication for" echo "these users!." echo fi fi if [ "$sshd_server_in_passwd" != "yes" ] then mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd fi fi echo echo "Which value should the environment variable CYGWIN have when" echo "sshd starts? It's recommended to set at least \"ntsec\" to be" echo "able to change user context without password." echo -n "Default is \"ntsec\". CYGWIN=" read _cygwin [ -z "${_cygwin}" ] && _cygwin="ntsec" if [ $_nt2003 -gt 0 -a "$sshd_server_in_sam" = "yes" ] then if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w sshd_server -e "CYGWIN=${_cygwin}" then echo echo "The service has been installed under sshd_server account." fi else if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" then echo echo "The service has been installed under LocalSystem account." fi fi fi # Now check if sshd has been successfully installed. This allows to # set the ownership of the affected files correctly. if cygrunsrv -Q sshd > /dev/null 2>&1 then if [ $_nt2003 -gt 0 -a "$sshd_server_in_sam" = "yes" ] then _user="sshd_server" else _user="system" fi chown "${_user}" ${SYSCONFDIR}/ssh* chown "${_user}".544 ${LOCALSTATEDIR}/empty if [ -f ${LOCALSTATEDIR}/log/sshd.log ] then chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log fi fi fi fi echo echo "Host configuration finished. Have fun!" --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=ssh-user-config #!/bin/sh # # ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. # Directory where the config files are stored SYSCONFDIR=/etc progname=$0 auto_answer="" auto_passphrase="no" passphrase="" request() { if [ "${auto_answer}" = "yes" ] then return 0 elif [ "${auto_answer}" = "no" ] then return 1 fi answer="" while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " read answer done if [ "X${answer}" = "Xyes" ] then return 0 else return 1 fi } # Check if running on NT _sys="`uname -a`" _nt=`expr "$_sys" : "CYGWIN_NT"` # If running on NT, check if running under 2003 Server or later if [ $_nt -gt 0 ] then _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` fi # Check options while : do case $# in 0) break ;; esac option=$1 shift case "$option" in -d | --debug ) set -x ;; -y | --yes ) auto_answer=yes ;; -n | --no ) auto_answer=no ;; -p | --passphrase ) with_passphrase="yes" passphrase=$1 shift ;; *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH user configuration." echo echo "Options:" echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo " --passphrase -p word Use \"word\" as passphrase automatically." echo exit 1 ;; esac done # Ask user if user identity should be generated if [ ! -f ${SYSCONFDIR}/passwd ] then echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" echo 'first using mkpasswd. Check if it contains an entry for you and' echo 'please care for the home directory in your entry as well.' exit 1 fi uid=`id -u` pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` if [ "X${pwdhome}" = "X" ] then echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." echo 'Setting $HOME is not sufficient!' exit 1 fi if [ ! -d "${pwdhome}" ] then echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" echo 'but it is not a valid directory. Cannot create user identity files.' exit 1 fi # If home is the root dir, set home to empty string to avoid error messages # in subsequent parts of that script. if [ "X${pwdhome}" = "X/" ] then # But first raise a warning! echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" if request "Would you like to proceed anyway?" then pwdhome='' else exit 1 fi fi if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] then echo echo 'WARNING: group and other have been revoked write permission to your home' echo " directory ${pwdhome}." echo ' This is required by OpenSSH to allow public key authentication using' echo ' the key files stored in your .ssh subdirectory.' echo ' Revert this change ONLY if you know what you are doing!' echo fi if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] then echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." exit 1 fi if [ ! -e "${pwdhome}/.ssh" ] then mkdir "${pwdhome}/.ssh" if [ ! -e "${pwdhome}/.ssh" ] then echo "Creating users ${pwdhome}/.ssh directory failed" exit 1 fi fi if [ $_nt -gt 0 ] then _user="system" if [ $_nt2003 -gt 0 ] then grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" fi if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" then echo "${pwdhome}/.ssh couldn't be given the correct permissions." echo "Please try to solve this problem first." exit 1 fi fi if [ ! -f "${pwdhome}/.ssh/identity" ] then if request "Shall I create an SSH1 RSA identity file for you?" then echo "Generating ${pwdhome}/.ssh/identity" if [ "${with_passphrase}" = "yes" ] then ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null else ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null fi if request "Do you want to use this identity to login to this machine?" then echo "Adding to ${pwdhome}/.ssh/authorized_keys" cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" fi fi fi if [ ! -f "${pwdhome}/.ssh/id_rsa" ] then if request "Shall I create an SSH2 RSA identity file for you? (yes/no) " then echo "Generating ${pwdhome}/.ssh/id_rsa" if [ "${with_passphrase}" = "yes" ] then ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null else ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null fi if request "Do you want to use this identity to login to this machine?" then echo "Adding to ${pwdhome}/.ssh/authorized_keys" cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" fi fi fi if [ ! -f "${pwdhome}/.ssh/id_dsa" ] then if request "Shall I create an SSH2 DSA identity file for you? (yes/no) " then echo "Generating ${pwdhome}/.ssh/id_dsa" if [ "${with_passphrase}" = "yes" ] then ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null else ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null fi if request "Do you want to use this identity to login to this machine?" then echo "Adding to ${pwdhome}/.ssh/authorized_keys" cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" fi fi fi if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] then if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" then echo echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" echo "failed. Please care for the correct permissions. The minimum requirement" echo "is, the owner and ${_user} both need read permissions." echo fi fi echo echo "Configuration finished. Have fun!" --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=ssh_config # $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent no # ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=sshd_config # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh_host_rsa_key #HostKey /etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCreds yes # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may # bypass the setting of 'PasswordAuthentication' #UsePAM yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/sbin/sftp-server --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/ --RnlQjJ0d97Da+TV1--