1 #!/bin/bash 2 # 3 # ssh-host-config, Copyright 2000-2011 Red Hat Inc. 4 # 5 # This file is part of the Cygwin port of OpenSSH. 6 # 7 # Permission to use, copy, modify, and distribute this software for any 8 # purpose with or without fee is hereby granted, provided that the above 9 # copyright notice and this permission notice appear in all copies. 10 # 11 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 13 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 14 # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 15 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 16 # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 17 # THE USE OR OTHER DEALINGS IN THE SOFTWARE. 18 19 # ====================================================================== 20 # Initialization 21 # ====================================================================== 22 23 CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 24 25 # List of apps used. This is checkad for existance in csih_sanity_check 26 # Don't use *any* transient commands before sourcing the csih helper script, 27 # otherwise the sanity checks are short-circuited. 28 declare -a csih_required_commands=( 29 /usr/bin/basename coreutils 30 /usr/bin/cat coreutils 31 /usr/bin/chmod coreutils 32 /usr/bin/dirname coreutils 33 /usr/bin/id coreutils 34 /usr/bin/mv coreutils 35 /usr/bin/rm coreutils 36 /usr/bin/cygpath cygwin 37 /usr/bin/mount cygwin 38 /usr/bin/ps cygwin 39 /usr/bin/setfacl cygwin 40 /usr/bin/umount cygwin 41 /usr/bin/cmp diffutils 42 /usr/bin/grep grep 43 /usr/bin/awk gawk 44 /usr/bin/ssh-keygen openssh 45 /usr/sbin/sshd openssh 46 /usr/bin/sed sed 47 ) 48 csih_sanity_check_server=yes 49 source ${CSIH_SCRIPT} 50 51 PROGNAME=$(/usr/bin/basename $0) 52 _tdir=$(/usr/bin/dirname $0) 53 PROGDIR=$(cd $_tdir && pwd) 54 55 # Subdirectory where the new package is being installed 56 PREFIX=/usr 57 58 # Directory where the config files are stored 59 SYSCONFDIR=/etc 60 LOCALSTATEDIR=/var 61 62 port_number=22 63 privsep_configured=no 64 privsep_used=yes 65 cygwin_value="" 66 user_account= 67 password_value= 68 opt_force=no 69 70 # ====================================================================== 71 # Routine: create_host_keys 72 # ====================================================================== 73 create_host_keys() { 74 local ret=0 75 76 if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] 77 then 78 csih_inform "Generating ${SYSCONFDIR}/ssh_host_key" 79 if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null 80 then 81 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" 82 let ++ret 83 fi 84 fi 85 86 if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] 87 then 88 csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key" 89 if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null 90 then 91 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" 92 let ++ret 93 fi 94 fi 95 96 if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] 97 then 98 csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key" 99 if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null 100 then 101 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" 102 let ++ret 103 fi 104 fi 105 106 if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ] 107 then 108 csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key" 109 if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null 110 then 111 csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!" 112 let ++ret 113 fi 114 fi 115 return $ret 116 } # --- End of create_host_keys --- # 117 118 # ====================================================================== 119 # Routine: update_services_file 120 # ====================================================================== 121 update_services_file() { 122 local _my_etcdir="/ssh-host-config.$$" 123 local _win_etcdir 124 local _services 125 local _spaces 126 local _serv_tmp 127 local _wservices 128 local ret=0 129 130 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 131 _services="${_my_etcdir}/services" 132 _spaces=" #" 133 _serv_tmp="${_my_etcdir}/srv.out.$$" 134 135 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 136 137 # Depends on the above mount 138 _wservices=`cygpath -w "${_services}"` 139 140 # Remove sshd 22/port from services 141 if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] 142 then 143 /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" 144 if [ -f "${_serv_tmp}" ] 145 then 146 if /usr/bin/mv "${_serv_tmp}" "${_services}" 147 then 148 csih_inform "Removing sshd from ${_wservices}" 149 else 150 csih_warning "Removing sshd from ${_wservices} failed!" 151 let ++ret 152 fi 153 /usr/bin/rm -f "${_serv_tmp}" 154 else 155 csih_warning "Removing sshd from ${_wservices} failed!" 156 let ++ret 157 fi 158 fi 159 160 # Add ssh 22/tcp and ssh 22/udp to services 161 if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] 162 then 163 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 164 then 165 if /usr/bin/mv "${_serv_tmp}" "${_services}" 166 then 167 csih_inform "Added ssh to ${_wservices}" 168 else 169 csih_warning "Adding ssh to ${_wservices} failed!" 170 let ++ret 171 fi 172 /usr/bin/rm -f "${_serv_tmp}" 173 else 174 csih_warning "Adding ssh to ${_wservices} failed!" 175 let ++ret 176 fi 177 fi 178 /usr/bin/umount "${_my_etcdir}" 179 return $ret 180 } # --- End of update_services_file --- # 181 182 # ====================================================================== 183 # Routine: sshd_privsep 184 # MODIFIES: privsep_configured privsep_used 185 # ====================================================================== 186 sshd_privsep() { 187 local sshdconfig_tmp 188 local ret=0 189 190 if [ "${privsep_configured}" != "yes" ] 191 then 192 csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." 193 csih_inform "However, this requires a non-privileged account called 'sshd'." 194 csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." 195 if csih_request "Should privilege separation be used?" 196 then 197 privsep_used=yes 198 if ! csih_create_unprivileged_user sshd 199 then 200 csih_error_recoverable "Couldn't create user 'sshd'!" 201 csih_error_recoverable "Privilege separation set to 'no' again!" 202 csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!" 203 let ++ret 204 privsep_used=no 205 fi 206 else 207 privsep_used=no 208 fi 209 fi 210 211 # Create default sshd_config from skeleton files in /etc/defaults/etc or 212 # modify to add the missing privsep configuration option 213 if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 214 then 215 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 216 sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ 217 /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ 218 s/^#Port 22/Port ${port_number}/ 219 s/^#StrictModes yes/StrictModes no/" \ 220 < ${SYSCONFDIR}/sshd_config \ 221 > "${sshdconfig_tmp}" 222 if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config 223 then 224 csih_warning "Setting privilege separation to 'yes' failed!" 225 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 226 let ++ret 227 fi 228 elif [ "${privsep_configured}" != "yes" ] 229 then 230 echo >> ${SYSCONFDIR}/sshd_config 231 if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config 232 then 233 csih_warning "Setting privilege separation to 'yes' failed!" 234 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 235 let ++ret 236 fi 237 fi 238 return $ret 239 } # --- End of sshd_privsep --- # 240 241 # ====================================================================== 242 # Routine: update_inetd_conf 243 # ====================================================================== 244 update_inetd_conf() { 245 local _inetcnf="${SYSCONFDIR}/inetd.conf" 246 local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" 247 local _inetcnf_dir="${SYSCONFDIR}/inetd.d" 248 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 249 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 250 local _with_comment=1 251 local ret=0 252 253 if [ -d "${_inetcnf_dir}" ] 254 then 255 # we have inetutils-1.5 inetd.d support 256 if [ -f "${_inetcnf}" ] 257 then 258 /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 259 260 # check for sshd OR ssh in top-level inetd.conf file, and remove 261 # will be replaced by a file in inetd.d/ 262 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] 263 then 264 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 265 if [ -f "${_inetcnf_tmp}" ] 266 then 267 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 268 then 269 csih_inform "Removed ssh[d] from ${_inetcnf}" 270 else 271 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 272 let ++ret 273 fi 274 /usr/bin/rm -f "${_inetcnf_tmp}" 275 else 276 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 277 let ++ret 278 fi 279 fi 280 fi 281 282 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 283 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 284 then 285 if [ "${_with_comment}" -eq 0 ] 286 then 287 /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 288 else 289 /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 290 fi 291 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 292 then 293 csih_inform "Updated ${_sshd_inetd_conf}" 294 else 295 csih_warning "Updating ${_sshd_inetd_conf} failed!" 296 let ++ret 297 fi 298 fi 299 300 elif [ -f "${_inetcnf}" ] 301 then 302 /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 303 304 # check for sshd in top-level inetd.conf file, and remove 305 # will be replaced by a file in inetd.d/ 306 if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 307 then 308 /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 309 if [ -f "${_inetcnf_tmp}" ] 310 then 311 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 312 then 313 csih_inform "Removed sshd from ${_inetcnf}" 314 else 315 csih_warning "Removing sshd from ${_inetcnf} failed!" 316 let ++ret 317 fi 318 /usr/bin/rm -f "${_inetcnf_tmp}" 319 else 320 csih_warning "Removing sshd from ${_inetcnf} failed!" 321 let ++ret 322 fi 323 fi 324 325 # Add ssh line to inetd.conf 326 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 327 then 328 if [ "${_with_comment}" -eq 0 ] 329 then 330 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 331 else 332 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 333 fi 334 if [ $? -eq 0 ] 335 then 336 csih_inform "Added ssh to ${_inetcnf}" 337 else 338 csih_warning "Adding ssh to ${_inetcnf} failed!" 339 let ++ret 340 fi 341 fi 342 fi 343 return $ret 344 } # --- End of update_inetd_conf --- # 345 346 # ====================================================================== 347 # Routine: check_service_files_ownership 348 # Checks that the files in /etc and /var belong to the right owner 349 # ====================================================================== 350 check_service_files_ownership() { 351 local run_service_as=$1 352 local ret=0 353 354 if [ -z "${run_service_as}" ] 355 then 356 accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') 357 if [ "${accnt_name}" = "LocalSystem" ] 358 then 359 # Convert "LocalSystem" to "SYSTEM" as is the correct account name 360 accnt_name="SYSTEM:" 361 elif [[ "${accnt_name}" =~ ^\.\\ ]] 362 then 363 # Convert "." domain to local machine name 364 accnt_name="U-${COMPUTERNAME}${accnt_name#.}," 365 fi 366 run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') 367 if [ -z "${run_service_as}" ] 368 then 369 csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" 370 csih_warning "As a result, this script cannot make sure that the files used" 371 csih_warning "by the sshd service belong to the user running the service." 372 csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd" 373 csih_warning "file is in a good shape." 374 return 1 375 fi 376 fi 377 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub 378 do 379 if [ -f "$i" ] 380 then 381 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 382 then 383 csih_warning "Couldn't change owner of $i!" 384 let ++ret 385 fi 386 fi 387 done 388 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 389 then 390 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" 391 let ++ret 392 fi 393 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 394 then 395 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" 396 let ++ret 397 fi 398 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 399 then 400 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 401 then 402 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" 403 let ++ret 404 fi 405 fi 406 if [ $ret -ne 0 ] 407 then 408 csih_warning "Couldn't change owner of important files to ${run_service_as}!" 409 csih_warning "This may cause the sshd service to fail! Please make sure that" 410 csih_warning "you have suufficient permissions to change the ownership of files" 411 csih_warning "and try to run the ssh-host-config script again." 412 fi 413 return $ret 414 } # --- End of check_service_files_ownership --- # 415 416 # ====================================================================== 417 # Routine: install_service 418 # Install sshd as a service 419 # ====================================================================== 420 install_service() { 421 local run_service_as 422 local password 423 local ret=0 424 425 echo 426 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 427 then 428 csih_inform "Sshd service is already installed." 429 check_service_files_ownership "" || let ret+=$? 430 else 431 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" 432 if csih_request "(Say \"no\" if it is already installed as a service)" 433 then 434 csih_get_cygenv "${cygwin_value}" 435 436 if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 437 then 438 csih_inform "On Windows Server 2003, Windows Vista, and above, the" 439 csih_inform "SYSTEM account cannot setuid to other users -- a capability" 440 csih_inform "sshd requires. You need to have or to create a privileged" 441 csih_inform "account. This script will help you do so." 442 echo 443 444 [ "${opt_force}" = "yes" ] && opt_f=-f 445 [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 446 csih_select_privileged_username ${opt_f} ${opt_u} sshd 447 448 if ! csih_create_privileged_user "${password_value}" 449 then 450 csih_error_recoverable "There was a serious problem creating a privileged user." 451 csih_request "Do you want to proceed anyway?" || exit 1 452 let ++ret 453 fi 454 fi 455 456 # Never returns empty if NT or above 457 run_service_as=$(csih_service_should_run_as) 458 459 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 460 then 461 password="${csih_PRIVILEGED_PASSWORD}" 462 if [ -z "${password}" ] 463 then 464 csih_get_value "Please enter the password for user '${run_service_as}':" "-s" 465 password="${csih_value}" 466 fi 467 fi 468 469 # At this point, we either have $run_service_as = "system" and 470 # $password is empty, or $run_service_as is some privileged user and 471 # (hopefully) $password contains the correct password. So, from here 472 # out, we use '-z "${password}"' to discriminate the two cases. 473 474 csih_check_user "${run_service_as}" 475 476 if [ -n "${csih_cygenv}" ] 477 then 478 cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 479 fi 480 if [ -z "${password}" ] 481 then 482 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ 483 -a "-D" -y tcpip "${cygwin_env[@]}" 484 then 485 echo 486 csih_inform "The sshd service has been installed under the LocalSystem" 487 csih_inform "account (also known as SYSTEM). To start the service now, call" 488 csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it" 489 csih_inform "will start automatically after the next reboot." 490 fi 491 else 492 if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \ 493 -a "-D" -y tcpip "${cygwin_env[@]}" \ 494 -u "${run_service_as}" -w "${password}" 495 then 496 echo 497 csih_inform "The sshd service has been installed under the '${run_service_as}'" 498 csih_inform "account. To start the service now, call \`net start sshd' or" 499 csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically" 500 csih_inform "after the next reboot." 501 fi 502 fi 503 504 if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1 505 then 506 check_service_files_ownership "${run_service_as}" || let ret+=$? 507 else 508 csih_error_recoverable "Installing sshd as a service failed!" 509 let ++ret 510 fi 511 fi # user allowed us to install as service 512 fi # service not yet installed 513 return $ret 514 } # --- End of install_service --- # 515 516 # ====================================================================== 517 # Main Entry Point 518 # ====================================================================== 519 520 # Check how the script has been started. If 521 # (1) it has been started by giving the full path and 522 # that path is /etc/postinstall, OR 523 # (2) Otherwise, if the environment variable 524 # SSH_HOST_CONFIG_AUTO_ANSWER_NO is set 525 # then set auto_answer to "no". This allows automatic 526 # creation of the config files in /etc w/o overwriting 527 # them if they already exist. In both cases, color 528 # escape sequences are suppressed, so as to prevent 529 # cluttering setup's logfiles. 530 if [ "$PROGDIR" = "/etc/postinstall" ] 531 then 532 csih_auto_answer="no" 533 csih_disable_color 534 opt_force=yes 535 fi 536 if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] 537 then 538 csih_auto_answer="no" 539 csih_disable_color 540 opt_force=yes 541 fi 542 543 # ====================================================================== 544 # Parse options 545 # ====================================================================== 546 while : 547 do 548 case $# in 549 0) 550 break 551 ;; 552 esac 553 554 option=$1 555 shift 556 557 case "${option}" in 558 -d | --debug ) 559 set -x 560 csih_trace_on 561 ;; 562 563 -y | --yes ) 564 csih_auto_answer=yes 565 opt_force=yes 566 ;; 567 568 -n | --no ) 569 csih_auto_answer=no 570 opt_force=yes 571 ;; 572 573 -c | --cygwin ) 574 cygwin_value="$1" 575 shift 576 ;; 577 578 -p | --port ) 579 port_number=$1 580 shift 581 ;; 582 583 -u | --user ) 584 user_account="$1" 585 shift 586 ;; 587 588 -w | --pwd ) 589 password_value="$1" 590 shift 591 ;; 592 593 --privileged ) 594 csih_FORCE_PRIVILEGED_USER=yes 595 ;; 596 597 *) 598 echo "usage: ${progname} [OPTION]..." 599 echo 600 echo "This script creates an OpenSSH host configuration." 601 echo 602 echo "Options:" 603 echo " --debug -d Enable shell's debug output." 604 echo " --yes -y Answer all questions with \"yes\" automatically." 605 echo " --no -n Answer all questions with \"no\" automatically." 606 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." 607 echo " --port -p <n> sshd listens on port n." 608 echo " --user -u <account> privileged user for service." 609 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user." 610 echo " --privileged On Windows NT/2k/XP, require privileged user" 611 echo " instead of LocalSystem for sshd service." 612 echo 613 exit 1 614 ;; 615 616 esac 617 done 618 619 # ====================================================================== 620 # Action! 621 # ====================================================================== 622 623 # Check for running ssh/sshd processes first. Refuse to do anything while 624 # some ssh processes are still running 625 if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' 626 then 627 echo 628 csih_error "There are still ssh processes running. Please shut them down first." 629 fi 630 631 # Make sure the user is running in an administrative context 632 admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) 633 if [ "${admin}" != "yes" ] 634 then 635 echo 636 csih_warning "Running this script typically requires administrator privileges!" 637 csih_warning "However, it seems your account does not have these privileges." 638 csih_warning "Here's the list of groups in your user token:" 639 echo 640 for i in $(/usr/bin/id -G) 641 do 642 /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group 643 done 644 echo 645 csih_warning "This usually means you're running this script from a non-admin" 646 csih_warning "desktop session, or in a non-elevated shell under UAC control." 647 echo 648 csih_warning "Make sure you have the appropriate privileges right now," 649 csih_warning "otherwise parts of this script will probably fail!" 650 echo 651 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" 652 if ! csih_request "you have the required privileges)" 653 then 654 echo 655 csih_inform "Ok. Exiting. Make sure to switch to an administrative account" 656 csih_inform "or to start this script from an elevated shell." 657 exit 1 658 fi 659 fi 660 661 echo 662 663 warning_cnt=0 664 665 # Check for ${SYSCONFDIR} directory 666 csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files." 667 if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1 668 then 669 csih_warning "Can't set permissions on ${SYSCONFDIR}!" 670 let ++warning_cnt 671 fi 672 if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1 673 then 674 csih_warning "Can't set extended permissions on ${SYSCONFDIR}!" 675 let ++warning_cnt 676 fi 677 678 # Check for /var/log directory 679 csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory." 680 if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1 681 then 682 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!" 683 let ++warning_cnt 684 fi 685 if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1 686 then 687 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!" 688 let ++warning_cnt 689 fi 690 691 # Create /var/log/lastlog if not already exists 692 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 693 then 694 echo 695 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ 696 "Cannot create ssh host configuration." 697 fi 698 if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 699 then 700 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog 701 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 702 then 703 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" 704 let ++warning_cnt 705 fi 706 fi 707 708 # Create /var/empty file used as chroot jail for privilege separation 709 csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." 710 if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 711 then 712 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" 713 let ++warning_cnt 714 fi 715 if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 716 then 717 csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!" 718 let ++warning_cnt 719 fi 720 721 # host keys 722 create_host_keys || let warning_cnt+=$? 723 724 # handle ssh_config 725 csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt 726 if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 727 then 728 if [ "${port_number}" != "22" ] 729 then 730 csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" 731 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config 732 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config 733 fi 734 fi 735 736 # handle sshd_config (and privsep) 737 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt 738 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 739 then 740 /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes 741 fi 742 sshd_privsep || let warning_cnt+=$? 743 744 update_services_file || let warning_cnt+=$? 745 update_inetd_conf || let warning_cnt+=$? 746 install_service || let warning_cnt+=$? 747 748 echo 749 if [ $warning_cnt -eq 0 ] 750 then 751 csih_inform "Host configuration finished. Have fun!" 752 else 753 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" 754 csih_warning "Make sure that all problems reported are fixed," 755 csih_warning "then re-run ssh-host-config." 756 fi 757 exit $warning_cnt 758
