X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=YHwOFbFwEESAlOiY+y7mr/kPq0cI7FzGbBA6Fi777mKu2XdvLnlBN JPpMhqTjmox6udaW4q0I4o6Cy+VV2JbIyLGH1UDa1CjcUgasea9FE3sjPwd7hS4r EjYWMkrWB1n2E5ONKTmw6rEf6gKT0CnYWhj0MddwiatWVsGri5bITU= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=AXzRu0IkMw1B8cVjqm9YjzpkAhA=; b=mL13ORhSVVPgchu4P/94ADaD17jm KCn4anBacrPP1BiKPybBcpFEaWd5Jf/jupEAfZykURIjNgoyi0f22SJ3UGlkp21Q jJ9yGgHfEEiO57dhw9sTJsrujYCYlU1OyrUw8JaipEOXRg3KQN0ItJwPZiCb4PvQ 4F+h97db4bhn/f4= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.0 required=5.0 tests=AWL,BAYES_50,SCAM_SUBJECT,URI_HEX,WEIRD_QUOTING autolearn=no version=3.3.2 X-HELO: calimero.vinschen.de Date: Wed, 19 Mar 2014 17:57:24 +0100 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: Silently configure sshd fails via system account Message-ID: <20140319165724.GE2715@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <5307BB89 DOT 80405 AT cse DOT yorku DOT ca> <1395192297365-107203 DOT post AT n5 DOT nabble DOT com> <5329BDA5 DOT 8060507 AT cse DOT yorku DOT ca> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tqI+Z3u+9OQ7kwn0" Content-Disposition: inline In-Reply-To: <5329BDA5.8060507@cse.yorku.ca> User-Agent: Mutt/1.5.21 (2010-09-15) --tqI+Z3u+9OQ7kwn0 Content-Type: multipart/mixed; boundary="1LKvkjL3sHcu1TtY" Content-Disposition: inline --1LKvkjL3sHcu1TtY Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mar 19 11:54, Paul Griffith wrote: > On 03/18/2014 09:24 PM, PolarStorm wrote: > > Paul Griffith wrote > >> ... > >> /usr/bin/ssh-host-config --yes --cygwin ntsec --user cyg_server --pwd = blah > >> ... > >=20 > > Just a few things... > >=20 > > 1) Don't do that (manually). > > First of all, "ntsec" is deprecated. Second, there are a lot of strange > > issues when > > using "--yes", just answer the questions manually, especially since you > > don't need > > all those keys just to have ssh work. > >=20 > > 2) Make sure you run the ssh-host-config from an "administrator: cygwin > > shell. > >=20 > > 3) Check your /etc/sshd-config for: "UsePrivilegeSeparation sandbox" wh= ich > > is > > the new default. The ssh-host-config script has a bug on line 169 that > > attempts > > to set this to "no", but where the regex fails. (I told people in THIS > > > > nabble post, but I > > don't think it ever reached the main mailing list.) > >=20 > > 4) The sshd user pas-wor-d is set to expire by default after 42 days, in > > Windows 8.1. > > Fix it if you're using that. > >=20 >=20 >=20 > Thanks Gene for the heads up, it will help me fine tune my setup! I need= to use the "--yes" option because I am building a automated installation f= or Windows 7. I attached a new incarnation of the ssh-host-config script to this mail. Would interested parties be so kind to test this new script? Changes compared to the released version from the openssh package: - The "StrictModes" setting in /etc/sshd_config is now asked for, rather th= an setting it always to "no". =20=20 The background is that "StrictModes yes" is the more secure setting. "StrictModes no" is only required for users with home directories on a "noacl" mount or on FAT/FAT32 partitions, so I think the administrator should have a choice here. - The "UsePrivilegeSeparation" setting in /etc/sshd_config now takes into account that the default setting is "sandbox", which doesn't make sense on Cygwin. - Changes to /etc/sshd_config are now only written to the file, if the file has been just generated or if the question "Overwrite existing /etc/sshd_config file?" has been answered with "yes". I also tweaked the script slightly to support the new passwd/group code I'm working on, but that's not yet finished. Thanks a lot, Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --1LKvkjL3sHcu1TtY Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename=ssh-host-config Content-Transfer-Encoding: quoted-printable #!/bin/bash # # ssh-host-config, Copyright 2000-2011 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS= =20=20 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.=20= =20=20 # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,=20= =20=20 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR=20= =20=20=20 # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR=20= =20=20=20 # THE USE OR OTHER DEALINGS IN THE SOFTWARE.=20=20=20=20=20=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20 # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Initialization # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D CSIH_SCRIPT=3D/usr/share/csih/cygwin-service-installation-helper.sh # List of apps used. This is checkad for existance in csih_sanity_check # Don't use *any* transient commands before sourcing the csih helper script, # otherwise the sanity checks are short-circuited. declare -a csih_required_commands=3D( /usr/bin/basename coreutils /usr/bin/cat coreutils /usr/bin/chmod coreutils /usr/bin/dirname coreutils /usr/bin/id coreutils /usr/bin/mv coreutils /usr/bin/rm coreutils /usr/bin/cygpath cygwin /usr/bin/mkpasswd cygwin /usr/bin/mount cygwin /usr/bin/ps cygwin /usr/bin/setfacl cygwin /usr/bin/umount cygwin /usr/bin/cmp diffutils /usr/bin/grep grep /usr/bin/awk gawk /usr/bin/ssh-keygen openssh /usr/sbin/sshd openssh /usr/bin/sed sed ) csih_sanity_check_server=3Dyes source ${CSIH_SCRIPT} PROGNAME=3D$(/usr/bin/basename $0) _tdir=3D$(/usr/bin/dirname $0) PROGDIR=3D$(cd $_tdir && pwd) # Subdirectory where the new package is being installed PREFIX=3D/usr # Directory where the config files are stored SYSCONFDIR=3D/etc LOCALSTATEDIR=3D/var ssdh_config_configured=3Dno port_number=3D22 strictmodes=3Dyes privsep_used=3Dyes cygwin_value=3D"" user_account=3D password_value=3D opt_force=3Dno # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: update_services_file # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D update_services_file() { local _my_etcdir=3D"/ssh-host-config.$$" local _win_etcdir local _services local _spaces local _serv_tmp local _wservices local ret=3D0 _win_etcdir=3D"${SYSTEMROOT}\\system32\\drivers\\etc" _services=3D"${_my_etcdir}/services" _spaces=3D" #" _serv_tmp=3D"${_my_etcdir}/srv.out.$$" /usr/bin/mount -o text,posix=3D0,noacl -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=3D`cygpath -w "${_services}"` # Add ssh 22/tcp and ssh 22/udp to services if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; ech= o $?` -ne 0 ] then if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/= tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_s= paces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_ser= v_tmp}" then if /usr/bin/mv "${_serv_tmp}" "${_services}" then csih_inform "Added ssh to ${_wservices}" else csih_warning "Adding ssh to ${_wservices} failed!" let ++ret fi /usr/bin/rm -f "${_serv_tmp}" else csih_warning "Adding ssh to ${_wservices} failed!" let ++ret fi fi /usr/bin/umount "${_my_etcdir}" return $ret } # --- End of update_services_file --- # # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: sshd_strictmodes # MODIFIES: strictmodes # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D sshd_strictmodes() { if [ "${ssdh_config_configured}" !=3D "yes" ] then echo csih_inform "StrictModes is set to 'yes' by default." csih_inform "This is the recommended setting, but it requires that the = POSIX" csih_inform "permissions of the user's home directory, the user's .ssh" csih_inform "directory, and the user's ssh key files are tight so that" csih_inform "only the user has write permissions." csih_inform "On the other hand, StrictModes don't work well with defaul= t" csih_inform "Windows permissions of a home directory mounted with the" csih_inform "'noacl' option, and they don't work at all if the home" csih_inform "directory is on a FAT or FAT32 partition." if ! csih_request "Should StrictModes be used?" then strictmodes=3Dno fi fi return 0 } # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: sshd_privsep # MODIFIES: privsep_used # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D sshd_privsep() { local ret=3D0 if [ "${ssdh_config_configured}" !=3D "yes" ] then echo csih_inform "Privilege separation is set to 'sandbox' by default since" csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be = set" csih_inform "to 'yes' or 'no'." csih_inform "However, using privilege separation requires a non-privile= ged account" csih_inform "called 'sshd'." csih_inform "For more info on privilege separation read /usr/share/doc/= openssh/README.privsep." if csih_request "Should privilege separation be used?" then privsep_used=3Dyes if ! csih_create_unprivileged_user sshd then csih_error_recoverable "Couldn't create user 'sshd'!" csih_error_recoverable "Privilege separation set to 'no' again!" csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" let ++ret privsep_used=3Dno fi else privsep_used=3Dno fi fi return $ret } # --- End of sshd_privsep --- # # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: sshd_config_tweak # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D sshd_config_tweak() { local ret=3D0 # Modify sshd_config csih_inform "Updating ${SYSCONFDIR}/sshd_config file" if [ "${port_number}" -ne 22 ] then /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_num= ber}/" \ ${SYSCONFDIR}/sshd_config if [ $? -ne 0 ] then csih_warning "Setting listening port to ${port_number} failed!" csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" let ++ret fi fi if [ "${strictmodes}" =3D "no" ] then /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictMo= des no/" \ ${SYSCONFDIR}/sshd_config if [ $? -ne 0 ] then csih_warning "Setting StrictModes to 'no' failed!" csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" let ++ret fi fi if [ "${ssdh_config_configured}" !=3D "yes" ] then /usr/bin/sed -i -e " s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used= }/" \ ${SYSCONFDIR}/sshd_config if [ $? -ne 0 ] then csih_warning "Setting privilege separation failed!" csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" let ++ret fi fi return $ret } # --- End of sshd_config_tweak --- # # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: update_inetd_conf # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D update_inetd_conf() { local _inetcnf=3D"${SYSCONFDIR}/inetd.conf" local _inetcnf_tmp=3D"${SYSCONFDIR}/inetd.conf.$$" local _inetcnf_dir=3D"${SYSCONFDIR}/inetd.d" local _sshd_inetd_conf=3D"${_inetcnf_dir}/sshd-inetd" local _sshd_inetd_conf_tmp=3D"${_inetcnf_dir}/sshd-inetd.$$" local _with_comment=3D1 local ret=3D0 if [ -d "${_inetcnf_dir}" ] then # we have inetutils-1.5 inetd.d support if [ -f "${_inetcnf}" ] then /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=3D0 # check for sshd OR ssh in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] then /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" then csih_inform "Removed ssh[d] from ${_inetcnf}" else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" let ++ret fi /usr/bin/rm -f "${_inetcnf_tmp}" else csih_warning "Removing ssh[d] from ${_inetcnf} failed!" let ++ret fi fi fi csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_in= etd_conf}" >/dev/null 2>&1 then if [ "${_with_comment}" -eq 0 ] then /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_= sshd_inetd_conf_tmp}" else /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "$= {_sshd_inetd_conf_tmp}" fi if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" then csih_inform "Updated ${_sshd_inetd_conf}" else csih_warning "Updating ${_sshd_inetd_conf} failed!" let ++ret fi fi elif [ -f "${_inetcnf}" ] then /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=3D0 # check for sshd in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -= eq 0 ] then /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_= tmp}" if [ -f "${_inetcnf_tmp}" ] then if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" then csih_inform "Removed sshd from ${_inetcnf}" else csih_warning "Removing sshd from ${_inetcnf} failed!" let ++ret fi /usr/bin/rm -f "${_inetcnf_tmp}" else csih_warning "Removing sshd from ${_inetcnf} failed!" let ++ret fi fi # Add ssh line to inetd.conf if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] then if [ "${_with_comment}" -eq 0 ] then echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_= inetcnf}" else echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "$= {_inetcnf}" fi if [ $? -eq 0 ] then csih_inform "Added ssh to ${_inetcnf}" else csih_warning "Adding ssh to ${_inetcnf} failed!" let ++ret fi fi fi return $ret } # --- End of update_inetd_conf --- # # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: check_service_files_ownership # Checks that the files in /etc and /var belong to the right owner # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D check_service_files_ownership() { local run_service_as=3D$1 local ret=3D0 if [ -z "${run_service_as}" ] then accnt_name=3D$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') if [ "${accnt_name}" =3D "LocalSystem" ] then # Convert "LocalSystem" to "SYSTEM" as is the correct account name run_service_as=3D"SYSTEM" else dom=3D"${accnt_name%%\\*}" accnt_name=3D"${accnt_name#*\\}" if [ "${dom}" =3D '.' ] then # Check local account run_service_as=3D$(/usr/bin/mkpasswd -l -u "${accnt_name}" | /usr/bin/awk -F: '{print $1;}') else # Check domain run_service_as=3D$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | /usr/bin/awk -F: '{print $1;}') fi fi if [ -z "${run_service_as}" ] then csih_warning "Couldn't determine name of user running sshd service fr= om /etc/passwd!" csih_warning "As a result, this script cannot make sure that the file= s used" csih_warning "by the sshd service belong to the user running the serv= ice." csih_warning "Please re-run the mkpasswd tool to make sure the /etc/p= asswd" csih_warning "file is in a good shape." return 1 fi fi for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCON= FDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub do if [ -f "$i" ] then if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 then csih_warning "Couldn't change owner of $i!" let ++ret fi fi done if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 then csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" let ++ret fi if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/nul= l 2>&1 then csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" let ++ret fi if [ -f ${LOCALSTATEDIR}/log/sshd.log ] then if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/= null 2>&1 then csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" let ++ret fi fi if [ $ret -ne 0 ] then csih_warning "Couldn't change owner of important files to ${run_service= _as}!" csih_warning "This may cause the sshd service to fail! Please make sur= e that" csih_warning "you have suufficient permissions to change the ownership = of files" csih_warning "and try to run the ssh-host-config script again." fi return $ret } # --- End of check_service_files_ownership --- # # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Routine: install_service # Install sshd as a service # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D install_service() { local run_service_as local password local ret=3D0 echo if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 then csih_inform "Sshd service is already installed." check_service_files_ownership "" || let ret+=3D$? else echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" if csih_request "(Say \"no\" if it is already installed as a service)" then csih_get_cygenv "${cygwin_value}" if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" =3D "yes" ] ) then csih_inform "On Windows Server 2003, Windows Vista, and above, the" csih_inform "SYSTEM account cannot setuid to other users -- a capability" csih_inform "sshd requires. You need to have or to create a privileged" csih_inform "account. This script will help you do so." echo [ "${opt_force}" =3D "yes" ] && opt_f=3D-f [ -n "${user_account}" ] && opt_u=3D"-u ""${user_account}""" csih_select_privileged_username ${opt_f} ${opt_u} sshd if ! csih_create_privileged_user "${password_value}" then csih_error_recoverable "There was a serious problem creating a privilege= d user." csih_request "Do you want to proceed anyway?" || exit 1 let ++ret fi fi # Never returns empty if NT or above run_service_as=3D$(csih_service_should_run_as) if [ "${run_service_as}" =3D "${csih_PRIVILEGED_USERNAME}" ] then password=3D"${csih_PRIVILEGED_PASSWORD}" if [ -z "${password}" ] then csih_get_value "Please enter the password for user '${run_service_as}':"= "-s" password=3D"${csih_value}" fi fi # At this point, we either have $run_service_as =3D "system" and # $password is empty, or $run_service_as is some privileged user and # (hopefully) $password contains the correct password. So, from here # out, we use '-z "${password}"' to discriminate the two cases. csih_check_user "${run_service_as}" if [ -n "${csih_cygenv}" ] then cygwin_env=3D( -e "CYGWIN=3D${csih_cygenv}" ) fi if [ -z "${password}" ] then if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ -a "-D" -y tcpip "${cygwin_env[@]}" then echo csih_inform "The sshd service has been installed under the LocalSystem" csih_inform "account (also known as SYSTEM). To start the service now, c= all" csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" csih_inform "will start automatically after the next reboot." fi else if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ -a "-D" -y tcpip "${cygwin_env[@]}" \ -u "${run_service_as}" -w "${password}" then /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight echo csih_inform "The sshd service has been installed under the '${run_servic= e_as}'" csih_inform "account. To start the service now, call \`net start sshd' = or" csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatical= ly" csih_inform "after the next reboot." fi fi if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 then check_service_files_ownership "${run_service_as}" || let ret+=3D$? else csih_error_recoverable "Installing sshd as a service failed!" let ++ret fi fi # user allowed us to install as service fi # service not yet installed return $ret } # --- End of install_service --- # # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Main Entry Point # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Check how the script has been started. If # (1) it has been started by giving the full path and # that path is /etc/postinstall, OR # (2) Otherwise, if the environment variable # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set # then set auto_answer to "no". This allows automatic # creation of the config files in /etc w/o overwriting # them if they already exist. In both cases, color # escape sequences are suppressed, so as to prevent # cluttering setup's logfiles. if [ "$PROGDIR" =3D "/etc/postinstall" ] then csih_auto_answer=3D"no" csih_disable_color opt_force=3Dyes fi if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] then csih_auto_answer=3D"no" csih_disable_color opt_force=3Dyes fi # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Parse options # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D while : do case $# in 0) break ;; esac option=3D$1 shift case "${option}" in -d | --debug ) set -x csih_trace_on ;; -y | --yes ) csih_auto_answer=3Dyes opt_force=3Dyes ;; -n | --no ) csih_auto_answer=3Dno opt_force=3Dyes ;; -c | --cygwin ) cygwin_value=3D"$1" shift ;; -p | --port ) port_number=3D$1 shift ;; -u | --user ) user_account=3D"$1" shift ;; =20=20=20=20 -w | --pwd ) password_value=3D"$1" shift ;; --privileged ) csih_FORCE_PRIVILEGED_USER=3Dyes ;; *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automa= tically." echo " --no -n Answer all questions with \"no\" automat= ically." echo " --cygwin -c Use \"options\" as value for CYGWIN envi= ronment var." echo " --port -p sshd listens on port n." echo " --user -u privileged user for service, default 'cy= g_server'." echo " --pwd -w Use \"pwd\" as password for privileged u= ser." echo " --privileged On Windows XP, require privileged user" echo " instead of LocalSystem for sshd service." echo exit 1 ;; esac done # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Action! # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' then echo csih_error "There are still ssh processes running. Please shut them down = first." fi # Make sure the user is running in an administrative context admin=3D$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo = no) if [ "${admin}" !=3D "yes" ] then echo csih_warning "Running this script typically requires administrator privil= eges!" csih_warning "However, it seems your account does not have these privileg= es." csih_warning "Here's the list of groups in your user token:" echo for i in $(/usr/bin/id -G) do /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group done echo csih_warning "This usually means you're running this script from a non-ad= min" csih_warning "desktop session, or in a non-elevated shell under UAC contr= ol." echo csih_warning "Make sure you have the appropriate privileges right now," csih_warning "otherwise parts of this script will probably fail!" echo echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no= \" if you're not sure" if ! csih_request "you have the required privileges)" then echo csih_inform "Ok. Exiting. Make sure to switch to an administrative ac= count" csih_inform "or to start this script from an elevated shell." exit 1 fi fi echo warning_cnt=3D0 # Check for ${SYSCONFDIR} directory csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 then csih_warning "Can't set permissions on ${SYSCONFDIR}!" let ++warning_cnt fi if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 then csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" let ++warning_cnt fi # Check for /var/log directory csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 then csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" let ++warning_cnt fi if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 then csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" let ++warning_cnt fi # Create /var/log/lastlog if not already exists if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] then echo csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file.= " \ "Cannot create ssh host configuration." fi if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] then /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 then csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" let ++warning_cnt fi fi # Create /var/empty file used as chroot jail for privilege separation csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empt= y directory." if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 then csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" let ++warning_cnt fi if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2= >&1 then csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" let ++warning_cnt fi # generate missing host keys csih_inform "Generating missing SSH host keys" /usr/bin/ssh-keygen -A || let warning_cnt+=3D$? # handle ssh_config csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || = let ++warning_cnt if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCON= FDIR}/ssh_config" >/dev/null 2>&1 then if [ "${port_number}" !=3D "22" ] then csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" echo "Host localhost" >> ${SYSCONFDIR}/ssh_config echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config fi fi # handle sshd_config (and privsep) csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" ||= let ++warning_cnt if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYS= CONFDIR}/sshd_config" >/dev/null 2>&1 then ssdh_config_configured=3Dyes fi sshd_strictmodes || let warning_cnt+=3D$? sshd_privsep || let warning_cnt+=3D$? sshd_config_tweak || let warning_cnt+=3D$? update_services_file || let warning_cnt+=3D$? update_inetd_conf || let warning_cnt+=3D$? install_service || let warning_cnt+=3D$? echo if [ $warning_cnt -eq 0 ] then csih_inform "Host configuration finished. Have fun!" else csih_warning "Host configuration exited with ${warning_cnt} errors or war= nings!" csih_warning "Make sure that all problems reported are fixed," csih_warning "then re-run ssh-host-config." fi exit $warning_cnt --1LKvkjL3sHcu1TtY-- --tqI+Z3u+9OQ7kwn0 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTKcxzAAoJEPU2Bp2uRE+gkCoQAKYD0VI7w//NKgdNXwb8or34 yitCvYEm9t61OVf++k7u70pelWCwga4VCvhq7jBdCrJehl/svMVb+jCVQT8BeGNQ SJ2xblkn+NsyW6zvLwbHuRvYmRk5+lTCVFYE7GIwPdfX+WKSwy4rPrYgIJCMaptr CJ7rwCLp83qtSOmFU9kkSD894QvfN2XUxctOujE9l1kjXrPqFdJyX8uy2VWCnYVw B0O06/gOxaMuVusIg4iAVfDEuMH5+F92PS8Rw1Th36toIGHF23OBbbgE9xChgitn /9HGDexgnPXO0QOVMMyPzwQY/cHmnQJB3vNAUaE2dM09mjvYnEGINu4KkJ4OvC+E UZyCtns2dIz4xCOyEsUhTq+1OiGGE9PaiGRtui4if0+oRkSfjBDi9yz+wgeSY8Mj 3QU4Q+KxLF8+3JP7z7aLPujHeRc57+GJlKTW/Bvi/za4Y47YnYo7M5FJYRe4AIYR 9LJb4Toij44W8mZREa1Z74LGlmI6eDgX57zs6FfGNXaxAPC6qNixAv1yV3PUsuri HHXNT5bMddlOnrO8QlIv/WYfn1c4OnWevXDoKQnv3YiNXZ/ltaFgkVrNCpJgVpjy IEKwvlc1FqbnsP4/eHAxLEY/YW8jFQm7iJ9croDnpXNIzSbt+YWinGRykdFdxJQS DMvNX09fPzWb/kkcFD9V =btIz -----END PGP SIGNATURE----- --tqI+Z3u+9OQ7kwn0--