1#!/bin/bash 2# 3# ssh-host-config, Copyright 2000-2014 Red Hat Inc. 4# 5# This file is part of the Cygwin port of OpenSSH. 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 13# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 14# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 15# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 16# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 17# THE USE OR OTHER DEALINGS IN THE SOFTWARE. 18 19# ====================================================================== 20# Initialization 21# ====================================================================== 22 23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 24 25# List of apps used. This is checkad for existence in csih_sanity_check 26# Don't use *any* transient commands before sourcing the csih helper script, 27# otherwise the sanity checks are short-circuited. 28declare -a csih_required_commands=( 29 /usr/bin/basename coreutils 30 /usr/bin/cat coreutils 31 /usr/bin/chmod coreutils 32 /usr/bin/dirname coreutils 33 /usr/bin/id coreutils 34 /usr/bin/mv coreutils 35 /usr/bin/rm coreutils 36 /usr/bin/cygpath cygwin 37 /usr/bin/mkpasswd cygwin 38 /usr/bin/mount cygwin 39 /usr/bin/ps cygwin 40 /usr/bin/umount cygwin 41 /usr/bin/cmp diffutils 42 /usr/bin/grep grep 43 /usr/bin/awk gawk 44 /usr/bin/ssh-keygen openssh 45 /usr/sbin/sshd openssh 46 /usr/bin/sed sed 47) 48csih_sanity_check_server=yes 49source ${CSIH_SCRIPT} 50 51PROGNAME=$(/usr/bin/basename $0) 52_tdir=$(/usr/bin/dirname $0) 53PROGDIR=$(cd $_tdir && pwd) 54 55# Subdirectory where the new package is being installed 56PREFIX=/usr 57 58# Directory where the config files are stored 59SYSCONFDIR=/etc 60LOCALSTATEDIR=/var 61 62sshd_config_configured=no 63port_number=22 64service_name=cygsshd 65strictmodes=yes 66cygwin_value="" 67user_account= 68password_value= 69opt_force=no 70 71# ====================================================================== 72# Routine: update_services_file 73# ====================================================================== 74update_services_file() { 75 local _my_etcdir="/ssh-host-config.$$" 76 local _win_etcdir 77 local _services 78 local _spaces 79 local _serv_tmp 80 local _wservices 81 local ret=0 82 83 _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" 84 _services="${_my_etcdir}/services" 85 _spaces=" #" 86 _serv_tmp="${_my_etcdir}/srv.out.$$" 87 88 /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" 89 90 # Depends on the above mount 91 _wservices=`cygpath -w "${_services}"` 92 93 # Add ssh 22/tcp and ssh 22/udp to services 94 if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] 95 then 96 if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" 97 then 98 if /usr/bin/mv "${_serv_tmp}" "${_services}" 99 then 100 csih_inform "Added ssh to ${_wservices}" 101 else 102 csih_warning "Adding ssh to ${_wservices} failed!" 103 let ++ret 104 fi 105 /usr/bin/rm -f "${_serv_tmp}" 106 else 107 csih_warning "Adding ssh to ${_wservices} failed!" 108 let ++ret 109 fi 110 fi 111 /usr/bin/umount "${_my_etcdir}" 112 return $ret 113} # --- End of update_services_file --- # 114 115# ====================================================================== 116# Routine: sshd_strictmodes 117# MODIFIES: strictmodes 118# ====================================================================== 119sshd_strictmodes() { 120 if [ "${sshd_config_configured}" != "yes" ] 121 then 122 echo 123 csih_inform "StrictModes is set to 'yes' by default." 124 csih_inform "This is the recommended setting, but it requires that the POSIX" 125 csih_inform "permissions of the user's home directory, the user's .ssh" 126 csih_inform "directory, and the user's ssh key files are tight so that" 127 csih_inform "only the user has write permissions." 128 csih_inform "On the other hand, StrictModes don't work well with default" 129 csih_inform "Windows permissions of a home directory mounted with the" 130 csih_inform "'noacl' option, and they don't work at all if the home" 131 csih_inform "directory is on a FAT or FAT32 partition." 132 if ! csih_request "Should StrictModes be used?" 133 then 134 strictmodes=no 135 fi 136 fi 137 return 0 138} 139 140# ====================================================================== 141# Routine: sshd_privsep 142# Try to create ssshd user account 143# ====================================================================== 144sshd_privsep() { 145 local ret=0 146 147 if [ "${sshd_config_configured}" != "yes" ] 148 then 149 if ! csih_create_unprivileged_user sshd 150 then 151 csih_error_recoverable "Could not create user 'sshd'!" 152 csih_error_recoverable "You will not be able to run an sshd service" 153 csih_error_recoverable "under a privileged account successfully." 154 csih_error_recoverable "Make sure to create a non-privileged user 'sshd'" 155 csih_error_recoverable "manually before trying to run the service!" 156 let ++ret 157 fi 158 fi 159 return $ret 160} # --- End of sshd_privsep --- # 161 162# ====================================================================== 163# Routine: sshd_config_tweak 164# ====================================================================== 165sshd_config_tweak() { 166 local ret=0 167 168 # Modify sshd_config 169 csih_inform "Updating ${SYSCONFDIR}/sshd_config file" 170 if [ "${port_number}" -ne 22 ] 171 then 172 /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ 173 ${SYSCONFDIR}/sshd_config 174 if [ $? -ne 0 ] 175 then 176 csih_warning "Setting listening port to ${port_number} failed!" 177 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 178 let ++ret 179 fi 180 fi 181 if [ "${strictmodes}" = "no" ] 182 then 183 /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ 184 ${SYSCONFDIR}/sshd_config 185 if [ $? -ne 0 ] 186 then 187 csih_warning "Setting StrictModes to 'no' failed!" 188 csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" 189 let ++ret 190 fi 191 fi 192 return $ret 193} # --- End of sshd_config_tweak --- # 194 195# ====================================================================== 196# Routine: update_inetd_conf 197# ====================================================================== 198update_inetd_conf() { 199 local _inetcnf="${SYSCONFDIR}/inetd.conf" 200 local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" 201 local _inetcnf_dir="${SYSCONFDIR}/inetd.d" 202 local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd" 203 local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$" 204 local _with_comment=1 205 local ret=0 206 207 if [ -d "${_inetcnf_dir}" ] 208 then 209 # we have inetutils-1.5 inetd.d support 210 if [ -f "${_inetcnf}" ] 211 then 212 /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 213 214 # check for sshd OR ssh in top-level inetd.conf file, and remove 215 # will be replaced by a file in inetd.d/ 216 if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] 217 then 218 /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" 219 if [ -f "${_inetcnf_tmp}" ] 220 then 221 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 222 then 223 csih_inform "Removed ssh[d] from ${_inetcnf}" 224 else 225 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 226 let ++ret 227 fi 228 /usr/bin/rm -f "${_inetcnf_tmp}" 229 else 230 csih_warning "Removing ssh[d] from ${_inetcnf} failed!" 231 let ++ret 232 fi 233 fi 234 fi 235 236 csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults" 237 if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1 238 then 239 if [ "${_with_comment}" -eq 0 ] 240 then 241 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 242 else 243 /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" 244 fi 245 if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" 246 then 247 csih_inform "Updated ${_sshd_inetd_conf}" 248 else 249 csih_warning "Updating ${_sshd_inetd_conf} failed!" 250 let ++ret 251 fi 252 fi 253 254 elif [ -f "${_inetcnf}" ] 255 then 256 /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 257 258 # check for sshd in top-level inetd.conf file, and remove 259 # will be replaced by a file in inetd.d/ 260 if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] 261 then 262 /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" 263 if [ -f "${_inetcnf_tmp}" ] 264 then 265 if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" 266 then 267 csih_inform "Removed sshd from ${_inetcnf}" 268 else 269 csih_warning "Removing sshd from ${_inetcnf} failed!" 270 let ++ret 271 fi 272 /usr/bin/rm -f "${_inetcnf_tmp}" 273 else 274 csih_warning "Removing sshd from ${_inetcnf} failed!" 275 let ++ret 276 fi 277 fi 278 279 # Add ssh line to inetd.conf 280 if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] 281 then 282 if [ "${_with_comment}" -eq 0 ] 283 then 284 echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 285 else 286 echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" 287 fi 288 if [ $? -eq 0 ] 289 then 290 csih_inform "Added ssh to ${_inetcnf}" 291 else 292 csih_warning "Adding ssh to ${_inetcnf} failed!" 293 let ++ret 294 fi 295 fi 296 fi 297 return $ret 298} # --- End of update_inetd_conf --- # 299 300# ====================================================================== 301# Routine: check_service_files_ownership 302# Checks that the files in /etc and /var belong to the right owner 303# ====================================================================== 304check_service_files_ownership() { 305 local run_service_as=$1 306 local ret=0 307 308 if [ -z "${run_service_as}" ] 309 then 310 accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" | 311 /usr/bin/sed -ne 's/^Account *: *//gp') 312 if [ "${accnt_name}" = "LocalSystem" ] 313 then 314 # Convert "LocalSystem" to "SYSTEM" as is the correct account name 315 run_service_as="SYSTEM" 316 else 317 dom="${accnt_name%%\\*}" 318 accnt_name="${accnt_name#*\\}" 319 if [ "${dom}" = '.' ] 320 then 321 # Check local account 322 run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | 323 /usr/bin/awk -F: '{print $1;}') 324 else 325 # Check domain 326 run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | 327 /usr/bin/awk -F: '{print $1;}') 328 fi 329 fi 330 if [ -z "${run_service_as}" ] 331 then 332 csih_warning "Couldn't determine name of user running ${service_name} service from account database!" 333 csih_warning "As a result, this script cannot make sure that the files used" 334 csih_warning "by the ${service_name} service belong to the user running the service." 335 return 1 336 fi 337 fi 338 for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub 339 do 340 if [ -f "$i" ] 341 then 342 if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1 343 then 344 csih_warning "Couldn't change owner of $i!" 345 let ++ret 346 fi 347 fi 348 done 349 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1 350 then 351 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!" 352 let ++ret 353 fi 354 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 355 then 356 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!" 357 let ++ret 358 fi 359 if [ -f ${LOCALSTATEDIR}/log/sshd.log ] 360 then 361 if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1 362 then 363 csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!" 364 let ++ret 365 fi 366 fi 367 if [ $ret -ne 0 ] 368 then 369 csih_warning "Couldn't change owner of important files to ${run_service_as}!" 370 csih_warning "This may cause the ${service_name} service to fail! Please make sure that" 371 csih_warning "you have sufficient permissions to change the ownership of files" 372 csih_warning "and try to run the ssh-host-config script again." 373 fi 374 return $ret 375} # --- End of check_service_files_ownership --- # 376 377# ====================================================================== 378# Routine: install_service 379# Install sshd as a service 380# ====================================================================== 381install_service() { 382 local run_service_as 383 local password 384 local ret=0 385 386 echo 387 if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1 388 then 389 csih_inform "Sshd service is already installed." 390 check_service_files_ownership "" || let ret+=$? 391 else 392 echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?" 393 if csih_request "(Say \"no\" if it is already installed as a service)" 394 then 395 csih_get_cygenv "${cygwin_value}" 396 397 if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] ) 398 then 399 # Enforce using privileged user on 64 bit Vista or W7 under WOW64 400 is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0) 401 402 if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] ) 403 then 404 csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7" 405 csih_inform "the SYSTEM account is not sufficient to setuid to a local" 406 csih_inform "user account. You need to have or to create a privileged" 407 csih_inform "account. This script will help you do so." 408 echo 409 csih_FORCE_PRIVILEGED_USER=yes 410 fi 411 fi 412 413 if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] ) 414 then 415 [ "${opt_force}" = "yes" ] && opt_f=-f 416 [ -n "${user_account}" ] && opt_u="-u ""${user_account}""" 417 csih_select_privileged_username ${opt_f} ${opt_u} sshd 418 419 if ! csih_create_privileged_user "${password_value}" 420 then 421 csih_error_recoverable "There was a serious problem creating a privileged user." 422 csih_request "Do you want to proceed anyway?" || exit 1 423 let ++ret 424 fi 425 # Never returns empty if NT or above 426 run_service_as=$(csih_service_should_run_as) 427 else 428 run_service_as="SYSTEM" 429 fi 430 431 if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ] 432 then 433 password="${csih_PRIVILEGED_PASSWORD}" 434 if [ -z "${password}" ] 435 then 436 csih_get_value "Please enter the password for user '${run_service_as}':" "-s" 437 password="${csih_value}" 438 fi 439 fi 440 441 # At this point, we either have $run_service_as = "system" and 442 # $password is empty, or $run_service_as is some privileged user and 443 # (hopefully) $password contains the correct password. So, from here 444 # out, we use '-z "${password}"' to discriminate the two cases. 445 446 csih_check_user "${run_service_as}" 447 448 if [ -n "${csih_cygenv}" ] 449 then 450 cygwin_env=( -e "CYGWIN=${csih_cygenv}" ) 451 fi 452 if [ -z "${password}" ] 453 then 454 if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \ 455 -a "-D" -y tcpip "${cygwin_env[@]}" 456 then 457 echo 458 csih_inform "The sshd service has been installed under the LocalSystem" 459 csih_inform "account (also known as SYSTEM). To start the service now, call" 460 csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'. Otherwise, it" 461 csih_inform "will start automatically after the next reboot." 462 fi 463 else 464 if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \ 465 -a "-D" -y tcpip "${cygwin_env[@]}" \ 466 -u "${run_service_as}" -w "${password}" 467 then 468 /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight 469 echo 470 csih_inform "The sshd service has been installed under the '${run_service_as}'" 471 csih_inform "account. To start the service now, call \`net start ${service_name}' or" 472 csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start automatically" 473 csih_inform "after the next reboot." 474 fi 475 fi 476 477 if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1 478 then 479 check_service_files_ownership "${run_service_as}" || let ret+=$? 480 else 481 csih_error_recoverable "Installing sshd as a service failed!" 482 let ++ret 483 fi 484 fi # user allowed us to install as service 485 fi # service not yet installed 486 return $ret 487} # --- End of install_service --- # 488 489# ====================================================================== 490# Main Entry Point 491# ====================================================================== 492 493# Check how the script has been started. If 494# (1) it has been started by giving the full path and 495# that path is /etc/postinstall, OR 496# (2) Otherwise, if the environment variable 497# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set 498# then set auto_answer to "no". This allows automatic 499# creation of the config files in /etc w/o overwriting 500# them if they already exist. In both cases, color 501# escape sequences are suppressed, so as to prevent 502# cluttering setup's logfiles. 503if [ "$PROGDIR" = "/etc/postinstall" ] 504then 505 csih_auto_answer="no" 506 csih_disable_color 507 opt_force=yes 508fi 509if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ] 510then 511 csih_auto_answer="no" 512 csih_disable_color 513 opt_force=yes 514fi 515 516# ====================================================================== 517# Parse options 518# ====================================================================== 519while : 520do 521 case $# in 522 0) 523 break 524 ;; 525 esac 526 527 option=$1 528 shift 529 530 case "${option}" in 531 -d | --debug ) 532 set -x 533 csih_trace_on 534 ;; 535 536 -y | --yes ) 537 csih_auto_answer=yes 538 opt_force=yes 539 ;; 540 541 -n | --no ) 542 csih_auto_answer=no 543 opt_force=yes 544 ;; 545 546 -c | --cygwin ) 547 cygwin_value="$1" 548 shift 549 ;; 550 551 -N | --name ) 552 service_name=$1 553 shift 554 ;; 555 556 -p | --port ) 557 port_number=$1 558 shift 559 ;; 560 561 -u | --user ) 562 user_account="$1" 563 shift 564 ;; 565 566 -w | --pwd ) 567 password_value="$1" 568 shift 569 ;; 570 571 --privileged ) 572 csih_FORCE_PRIVILEGED_USER=yes 573 ;; 574 575 *) 576 echo "usage: ${progname} [OPTION]..." 577 echo 578 echo "This script creates an OpenSSH host configuration." 579 echo 580 echo "Options:" 581 echo " --debug -d Enable shell's debug output." 582 echo " --yes -y Answer all questions with \"yes\" automatically." 583 echo " --no -n Answer all questions with \"no\" automatically." 584 echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var." 585 echo " --name -N <name> sshd windows service name." 586 echo " --port -p <n> sshd listens on port n." 587 echo " --user -u <account> privileged user for service, default 'cyg_server'." 588 echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user." 589 echo " --privileged On Windows XP, require privileged user" 590 echo " instead of LocalSystem for sshd service." 591 echo 592 exit 1 593 ;; 594 595 esac 596done 597 598# ====================================================================== 599# Action! 600# ====================================================================== 601 602# Check for running ssh/sshd processes first. Refuse to do anything while 603# some ssh processes are still running 604if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$' 605then 606 echo 607 csih_error "There are still ssh processes running. Please shut them down first." 608fi 609 610# Make sure the user is running in an administrative context 611admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no) 612if [ "${admin}" != "yes" ] 613then 614 echo 615 csih_warning "Running this script typically requires administrator privileges!" 616 csih_warning "However, it seems your account does not have these privileges." 617 csih_warning "Here's the list of groups in your user token:" 618 echo 619 /usr/bin/id -Gnz | xargs -0n1 echo " " 620 echo 621 csih_warning "This usually means you're running this script from a non-admin" 622 csih_warning "desktop session, or in a non-elevated shell under UAC control." 623 echo 624 csih_warning "Make sure you have the appropriate privileges right now," 625 csih_warning "otherwise parts of this script will probably fail!" 626 echo 627 echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure" 628 if ! csih_request "you have the required privileges)" 629 then 630 echo 631 csih_inform "Ok. Exiting. Make sure to switch to an administrative account" 632 csih_inform "or to start this script from an elevated shell." 633 exit 1 634 fi 635fi 636 637echo 638 639warning_cnt=0 640 641# Create /var/log/lastlog if not already exists 642if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] 643then 644 echo 645 csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \ 646 "Cannot create ssh host configuration." 647fi 648if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] 649then 650 /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog 651 if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1 652 then 653 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!" 654 let ++warning_cnt 655 fi 656fi 657 658# Create /var/empty file used as chroot jail for privilege separation 659csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory." 660if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1 661then 662 csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!" 663 let ++warning_cnt 664fi 665 666# generate missing host keys 667csih_inform "Generating missing SSH host keys" 668/usr/bin/ssh-keygen -A || let warning_cnt+=$? 669 670# handle ssh_config 671csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt 672if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1 673then 674 if [ "${port_number}" != "22" ] 675 then 676 csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port" 677 echo "Host localhost" >> ${SYSCONFDIR}/ssh_config 678 echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config 679 fi 680fi 681 682# handle sshd_config 683# make sure not to change the existing file 684mod_before="" 685if [ -e "${SYSCONFDIR}/sshd_config" ] 686then 687 mod_before=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:') 688fi 689csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt 690mod_now=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:') 691if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 692then 693 sshd_config_configured=yes 694fi 695if [ "${mod_before}" != "${mod_now}" ] 696then 697 sshd_strictmodes || let warning_cnt+=$? 698 sshd_config_tweak || let warning_cnt+=$? 699fi 700#sshd_privsep || let warning_cnt+=$? 701update_services_file || let warning_cnt+=$? 702update_inetd_conf || let warning_cnt+=$? 703install_service || let warning_cnt+=$? 704 705echo 706if [ $warning_cnt -eq 0 ] 707then 708 csih_inform "Host configuration finished. Have fun!" 709else 710 csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!" 711 csih_warning "Make sure that all problems reported are fixed," 712 csih_warning "then re-run ssh-host-config." 713fi 714exit $warning_cnt 715