Re: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-04 Thread Corinna Vinschen
On Mon, Nov 03, 2003 at 10:40:43PM +0100, Corinna Vinschen wrote:
> I'm running a 2003 Server as standalone (non-domain) server.  In that
> setting, password complexity is disabled by default, so I missed that one,
> too.  Thanks for the heads up.  I changed the password to SSHD_server,
> which seems to be fine for the complexity rule.
> 
> However, I have still a problem.  Does anybody know how I can set
> "Password never expires" from the command line?  I know how to do this
> with dsadd, but that only works on domain machines so it's no generic
> solution.  If I can't do this in the script, everybody would have to
> set this in the Computer Management Console by hand :-(

I've again attached a new ssh-host-config file for testing.  As it turned
out, I mis-tested the password complexity rule.  The password SSHD_server
was not sufficient.

The script now calls the passwd utility from the cygwin base package
to set the user flags to "Password never expires".  This will only
work with the new passwd from current CVS, version 1.5.  The current
version released with Cygwin 1.5.5 is 1.4.  Up to 1.4, the passwd tool
has no -e option to set the UF_DONT_EXPIRE_PASSWD flag.  ssh-host-config
checks for the version number of the passwd tool and either calls it
or emits an additional warning that the expiry must be checked.

Please give it another try, even if it gets boring.

Thanks in advance,
Corinna


Changes:

- Don't use fixed password for sshd_server account but ask the user
  now for a password.

- Extend some warning and info messages.

- Add -c/--cygwin option to allow automating the setting of the
  environment variable CYGWIN for the sshd service.

- Add -w/--pwd option to allow automating the password setting
  for the sshd_server account.

- Always recreate the sshd_server entry in /etc/passwd to overwrite
  weird settings.

- If passwd supports the -e option, use it, otherwise emit warning
  message that password expiry of sshd_server account should be
  checked.

- A few code cleanups.

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    echo "$1 (yes/no) yes"
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    echo "$1 (yes/no) no"
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "${option}" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -c | --cygwin )
    cygwin_value="$1"
    shift
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  # Note: a password passed with -w is visible in the process list
  # while the script runs.
  -w | --pwd )
    password_value="$1"
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "  --debug  -d            Enable shell's debug output."
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --port   -p <n>        sshd listens on port n."
    echo "  --pwd    -w <pwd>      Use \"pwd\" as password for user 'sshd_server'."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname`"
_nt=`expr "${_sys}" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ ${_nt} -gt 0 ]
then
  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already ex
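
Added example (not part of the attached script or of the Cygwin project's code): one way to write the version gate described in the message above, so that the "Password never expires" step is chosen only when passwd is version 1.5 or newer and the warning is chosen otherwise, together with the same numeric comparison applied to the `CYGWIN_NT-5.2` check. How the version string is obtained from passwd is not shown; the function names and the strings passed in are assumptions of this example.

```sh
#!/bin/sh
# Added example: version gate for an optional tool feature.
# Assumption: the caller has already obtained the tool's dotted version
# string (for example "1.4" or "1.5"); how passwd reports it is not shown.

# Succeeds if $1 is a dotted decimal version such as 1.5 or 1.10.2.
is_dotted_version()
{
  case "$1" in
  '' | .* | *. | *..* | *[!0-9.]* ) return 1 ;;
  esac
  return 0
}

# version_ge A B: 0 if A >= B, 1 if A < B, 2 if either is malformed.
# Fields are compared as numbers, so 1.10 is newer than 1.5.
version_ge()
{
  is_dotted_version "$1" || return 2
  is_dotted_version "$2" || return 2
  _a=$1
  _b=$2
  while [ -n "${_a}" ] || [ -n "${_b}" ]
  do
    # Take the leading field of each version, then drop it.
    _x=${_a%%.*}
    _y=${_b%%.*}
    case "${_a}" in *.*) _a=${_a#*.} ;; *) _a="" ;; esac
    case "${_b}" in *.*) _b=${_b#*.} ;; *) _b="" ;; esac
    # A missing field counts as 0, so 1.5 < 1.5.1.
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
  done
  return 0
}

# expiry_action VERSION: print "set-flag" when the tool is new enough to
# set "Password never expires" (1.5 per the message), otherwise "warn".
# A malformed or empty version also yields "warn": never assume support.
expiry_action()
{
  if version_ge "$1" 1.5
  then
    echo "set-flag"
  else
    echo "warn"
  fi
}

# nt_is_2003_or_later UNAME: succeeds for uname strings of the form
# CYGWIN_NT-<major>.<minor> with a release of 5.2 or later.
nt_is_2003_or_later()
{
  case "$1" in
  CYGWIN_NT-*) _rel=${1#CYGWIN_NT-} ;;
  *) return 1 ;;
  esac
  version_ge "${_rel%%-*}" 5.2
}

# Constructed sample inputs.
for v in 1.4 1.5 1.10 ""
do
  echo "passwd version '${v}': $(expiry_action "${v}")"
done
```
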

Re: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-04 Thread Corinna Vinschen
On Mon, Nov 03, 2003 at 04:05:43PM -0600, DePriest, Jason R. wrote:
> User Accounts have a USER_FLAGS attribute that can be any combination of
> a couple of values.  One of these can be UF_DONT_EXPIRE_PASSWORD.  If it
> is present, the password never expires.
> 
> I typically manipulate it using Dave Roth's Win32::AdminMisc perl module
> (UserGetMiscAttributes and UserSetMiscAttributes)... which is likely
> beyond the scope of what you want this script to do.
> 
> The CREATEUSERS.VBS script from the Windows 2000 Resource Kit
> (Supplement 1) looks promising.  I haven't used it, but the code seems
> capable of specifying the UF_DONT_EXPIRE_PASSWORD option.
> I would attach the .vbs file (as a .txt file), but it is copyrighted by
> Microsoft.  If anyone knows if emailing it would be "bad" or not, let me
> know.

While I'm somewhat reluctant to add a VB script to OpenSSH (for apparent
reasons I hope), this description leads me to looking into the "passwd"
tool again, which is part of the cygwin package itself.  It should be
possible to add this functionality with not too much effort.

Thanks,
Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.

--
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple
Problem reports:   http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ:   http://cygwin.com/faq/



Re: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-04 Thread Corinna Vinschen
On Mon, Nov 03, 2003 at 09:34:04PM -0500, Alan Dobkin wrote:
> I use Dave Roth's perl module for more complex user flag settings,
> but the hands down easiest way to do this is with the NET command:
> 
> NET USER username /EXPIRES:NEVER

Unfortunately that's not right.  I thought the same and used that
command line switch but it has another meaning.  There's a difference
between expiry of a password and expiry of an account.  /EXPIRES
means the latter while we need the former meaning.  There seems to
be no `net user' switch for password expiry.  Which in turn results
in the sshd_server password expiring after 42 days by default :-(

Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.




Re: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-04 Thread Mader, Alexander
Hello,

I proceeded as described and sshd works according to /etc/passwd and
ntsec after starting manually in the environment listed below.
Regards, Alexander.

8<  >8

$ cygcheck -sr

Cygwin Win95/NT Configuration Diagnostics
Current System Time: Tue Nov 04 08:14:41 2003
Windows 2000 Professional Ver 5.0 Build 2195 Service Pack 3

...

HKEY_CURRENT_USER\Software\Cygnus Solutions
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\mounts v2
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\Program Options
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2
~  (default) = `/cygdrive'
~  cygdrive flags = 0x0022
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/
~  (default) = `d:\cygwin'
~  flags = 0x000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/usr/bin
~  (default) = `d:\cygwin/bin'
~  flags = 0x000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/usr/lib
~  (default) = `d:\cygwin/lib'
~  flags = 0x000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts
v2\/usr/X11R6/lib/X11/fonts
~  (default) = `d:\cygwin\usr\X11R6\lib\X11\fonts'
~  flags = 0x000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\Program Options
...

~  949k 2003/09/20 d:\cygwin\bin\cygwin1.dll
~Cygwin DLL version info:
~DLL version: 1.5.5
~DLL epoch: 19
~DLL bad signal mask: 19005
~DLL old termios: 5
~DLL malloc env: 28
~API major: 0
~API minor: 94
~Shared data: 3
~DLL identifier: cygwin1
~Mount registry: 2
~Cygnus registry name: Cygnus Solutions
~Cygwin registry name: Cygwin
~Program options name: Program Options
~Cygwin mount registry name: mounts v2
~Cygdrive flags: cygdrive flags
~Cygdrive prefix: cygdrive prefix
~Cygdrive default prefix:
~Build date: Sat Sep 20 16:31:15 EDT 2003
~CVS tag: cr-0x9b
~Shared id: cygwin1S3
...


RE: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread Alan Dobkin
I use Dave Roth's perl module for more complex user flag settings,
but the hands down easiest way to do this is with the NET command:
NET USER username /EXPIRES:NEVER

This command is built-in on all Windows NT/2K/XP systems.  For more
details see NET HELP USER.
Alan

--On Monday, November 03, 2003 4:05 PM -0600 "DePriest, Jason R." 
<[EMAIL PROTECTED]> wrote:

>> Does anybody know how I can set "Password never expires"
>> from the command line?
>
> Corinna,
>
> User Accounts have a USER_FLAGS attribute that can be any combination of
> a couple of values.  One of these can be UF_DONT_EXPIRE_PASSWORD.  If it
> is present, the password never expires.
>
> I typically manipulate it using Dave Roth's Win32::AdminMisc perl module
> (UserGetMiscAttributes and UserSetMiscAttributes)... which is likely
> beyond the scope of what you want this script to do.
>
> The CREATEUSERS.VBS script from the Windows 2000 Resource Kit
> (Supplement 1) looks promising.  I haven't used it, but the code seems
> capable of specifying the UF_DONT_EXPIRE_PASSWORD option.
> I would attach the .vbs file (as a .txt file), but it is copyrighted by
> Microsoft.  If anyone knows if emailing it would be "bad" or not, let me
> know.
>
> -Jason


RE: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread DePriest, Jason R.
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Corinna Vinschen
> Sent: Monday, November 03, 2003 3:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Take 2: Testers for new ssh-*-config scripts wanted!
[--]
> However, I have still a problem.  Does anybody know how I can set
> "Password never expires" from the command line?  I know how to do this
> with dsadd, but that only works on domain machines so it's no generic
> solution.  If I can't do this in the script, everybody would have to
> set this in the Computer Management Console by hand :-(
[--]
[--]
> Thanks,
> Corinna
> 
> -- 
> Corinna Vinschen  Please, send mails 
> regarding Cygwin to
> Cygwin Developer
> mailto:[EMAIL PROTECTED]
> Red Hat, Inc.

Corinna,

User Accounts have a USER_FLAGS attribute that can be any combination of
a couple of values.  One of these can be UF_DONT_EXPIRE_PASSWORD.  If it
is present, the password never expires.

I typically manipulate it using Dave Roth's Win32::AdminMisc perl module
(UserGetMiscAttributes and UserSetMiscAttributes)... which is likely
beyond the scope of what you want this script to do.

The CREATEUSERS.VBS script from the Windows 2000 Resource Kit
(Supplement 1) looks promising.  I haven't used it, but the code seems
capable of specifying the UF_DONT_EXPIRE_PASSWORD option.
I would attach the .vbs file (as a .txt file), but it is copyrighted by
Microsoft.  If anyone knows if emailing it would be "bad" or not, let me
know.

-Jason




Re: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread Corinna Vinschen
On Mon, Nov 03, 2003 at 06:51:04PM +0100, Philippe Torche wrote:
> Hi,
> 
> 1. Line 488 (you will hate me !?) : read _cygwin --->>> read -e _cygwin

Uh, yes, I missed that one.

> 2. If password complexity is enabled (yes per default) use a more complex
> password : length of 7 min (max 14 to avoid some warning about W2K), lower
> case and upper case letters.

I'm running a 2003 Server as standalone (non-domain) server.  In that
setting, password complexity is disabled by default, so I missed that one,
too.  Thanks for the heads up.  I changed the password to SSHD_server,
which seems to be fine for the complexity rule.

However, I have still a problem.  Does anybody know how I can set
"Password never expires" from the command line?  I know how to do this
with dsadd, but that only works on domain machines so it's no generic
solution.  If I can't do this in the script, everybody would have to
set this in the Computer Management Console by hand :-(

I've attached a new ssh-host-config with the above two changes plus:
- Also deny remote interactive (aka terminal server) logon for the
  sshd_server account.

> Good work, Philippe.

Thanks,
Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "--debug  -d     Enable shell's debug output."
    echo "--yes    -y     Answer all questions with \"yes\" automatically."
    echo "--no     -n     Answer all questions with \"no\" automatically."
    echo "--port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f ${LOCALSTATEDIR}/log ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed!"
else
  if [ ! -d ${LOCALSTATEDIR}/log ]
  then
    mkdir -p ${LOCALSTATEDIR}/log
  fi
  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
  then
    chmod 777 ${LOCALSTATEDIR}/log/lastlog
  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
  then
    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
    chmod 666 ${LOCALSTATEDIR}/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
  mkdir -p ${LOCALSTATEDIR}/empty
  if [ $_nt -gt 0 ]
  then
    chmod 755 ${LOCALSTATEDIR}/empty
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCO

RE: Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread Philippe Torche
Hi,

1. Line 488 (you will hate me !?) : read _cygwin --->>> read -e _cygwin
2. If password complexity is enabled (yes per default) use a more complex
password : length of 7 min (max 14 to avoid some warning about W2K), lower
case and upper case letters.

Good work, Philippe.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On behalf of Corinna Vinschen
> Sent: Monday, 3 November 2003 17:22
> To: [EMAIL PROTECTED]
> Subject: Take 2: Testers for new ssh-*-config scripts wanted!
> 
> Hi,
> 
> I'd like to ask for more testing of the new ssh-host-config 
> and ssh-user-config scripts.
> 
> The new thing here is, that the ssh-host-config script now 
> tries to figure out if the machine is a 2003 Server or newer 
> system.  If so, the script asks, if it should create a new 
> account "sshd_server"
> to use as account to run sshd as service under.  If you say 
> "yes" at this point, a bunch of funny new activities is started:
> 
> - The script creates a sshd_server account
> 
> - It adds that account to the administrators group *iff* it's able
>   to figure out the name of that group from the /etc/group file.
>   This means, you must not change the name of the administrators
>   group in /etc/group and the SID (S-1-5-32-544) must be available
>   in that entry.
> 
> - It uses the new editrights utility to add the necessary user rights
>   to the new sshd_server account. 
>   These rights also explicitly deny logon locally and over network
>   and allow logon only as service for security reasons.
> 
> The ssh-user-config script has also been changed.  It tries 
> to figure out if the machine is a 2003 Server or newer and if 
> so, it sets the permissions of the user's ~/.ssh directory and 
> the user's ~/ssh/authorized_keys file so that the sshd_server 
> account has read permissions on both.  If it's an older 
> system, it does the same for the SYSTEM account.
> 
> Also on 2003, the sshd_server account is used for ownership 
> of the important files (/etc/ssh*, /var/empty, /var/log/sshd.log).
> 
> Further changes:
> - Require bash for both scripts.
> - Use `read -e' in both scripts to enable readline support.
> 
> So, I'd like to ask especially users of a 2003 Server system 
> to test that script.  Users of other systems are of course 
> also welcome since I want to be sure that I haven't broken 
> these systems.
> 
> Attached are both scripts plus the vanilla ssh_config and 
> sshd_config file.  The latter two have to be copied to 
> /etc/defaults/etc.  Please note that the "editrights" tool has 
> to be installed on your system.
> You can find it in the Base category when updating with setup.exe.
> 
> Thanks in advance,
> Corinna
> 
> -- 
> Corinna Vinschen  Please, send mails 
> regarding Cygwin to
> Cygwin Developer
> mailto:[EMAIL PROTECTED]
> Red Hat, Inc.
> 





Take 2: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread Corinna Vinschen
Hi,

I'd like to ask for more testing of the new ssh-host-config and
ssh-user-config scripts.

The new thing here is, that the ssh-host-config script now tries to
figure out if the machine is a 2003 Server or newer system.  If so,
the script asks, if it should create a new account "sshd_server"
to use as account to run sshd as service under.  If you say "yes" at
this point, a bunch of funny new activities is started:

- The script creates a sshd_server account

- It adds that account to the administrators group *iff* it's able
  to figure out the name of that group from the /etc/group file.
  This means, you must not change the name of the administrators
  group in /etc/group and the SID (S-1-5-32-544) must be available
  in that entry.

- It uses the new editrights utility to add the necessary user rights
  to the new sshd_server account. 
  These rights also explicitly deny logon locally and over network
  and allow logon only as service for security reasons.

The ssh-user-config script has also been changed.  It tries to
figure out if the machine is a 2003 Server or newer and if so, it
sets the permissions of the user's ~/.ssh directory and the user's
~/ssh/authorized_keys file so that the sshd_server account has read
permissions on both.  If it's an older system, it does the same for
the SYSTEM account.

Also on 2003, the sshd_server account is used for ownership of the
important files (/etc/ssh*, /var/empty, /var/log/sshd.log).

Further changes:
- Require bash for both scripts.
- Use `read -e' in both scripts to enable readline support.

So, I'd like to ask especially users of a 2003 Server system to test
that script.  Users of other systems are of course also welcome since
I want to be sure that I haven't broken these systems.

Attached are both scripts plus the vanilla ssh_config and sshd_config
file.  The latter two have to be copied to /etc/defaults/etc.  Please
note that the "editrights" tool has to be installed on your system.
You can find it in the Base category when updating with setup.exe.

Thanks in advance,
Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read -e answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "--debug  -d     Enable shell's debug output."
    echo "--yes    -y     Answer all questions with \"yes\" automatically."
    echo "--no     -n     Answer all questions with \"no\" automatically."
    echo "--port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname`"
_nt=`expr "$_sys" : "CYGWIN_NT"`
# If running on NT, check if running under 2003 Server or later
if [ $_nt -gt 0 ]
then
  _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'`
fi

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f ${LOCALSTATEDIR}/log ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed!"
else
  if [ ! -d ${LOCALSTATEDIR}/log ]
  then
    mkdir -p ${LOCALSTATEDIR}/log
  fi
  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
  then
    chmod 777 ${LOCALSTATEDIR}/log/lastlog
  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog 

Re: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread Corinna Vinschen
On Mon, Nov 03, 2003 at 09:38:16AM +0100, Philippe Torche wrote:
> Sorry but,
> 
> The doc of bash explains this behavior (help read). You can experiment the
> same thing on Redhat for example. And don't forget to use "echo $_cygwin |
> od -t x1" to show what is stored in the variable.

I did, of course.  Backspace works w/o -e, too.

I'll use -e nevertheless to allow complete readline support.

Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.




RE: Testers for new ssh-*-config scripts wanted!

2003-11-03 Thread Philippe Torche
Sorry but,

The doc of bash explains this behavior (help read). You can experiment the
same thing on Redhat for example. And don't forget to use "echo $_cygwin |
od -t x1" to show what is stored in the variable.

Have a nice cygweek, Philippe.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On behalf of Corinna Vinschen
> Sent: Friday, 31 October 2003 18:24
> To: [EMAIL PROTECTED]
> Subject: Re: Testers for new ssh-*-config scripts wanted!
> 
> On Fri, Oct 31, 2003 at 05:07:18PM +0100, Philippe Torche wrote:
> > Nope,
> > 
> > read from bash doesn't recognize control characters without -e parameter:
> > $ read _cygwin
> > Ntser[Backspace]c
> > $ echo $_cygwin | od -t x1
> > 000 6e 74 73 65 72 08 63 0a
> > 010
> > 
> > BUT OK with "-e"
> > 
> > $ read -e _cygwin
> > Ntser[Backspace]c
> > $ echo $_cygwin | od -t x1
> > 000 6e 74 73 65 63 0a
> > 006
> 
> Erm... when I use bash, read always recognizes the backspace 
> correctly.
> *dig dig dig*
> Even better, when using /bin/sh (ash), I don't have your 
> above problem either.  I can change the string and no control 
> code shows up in the variable's value.  What's different on 
> your machine?
Nothing !
> 
> Corinna
> 
> -- 
> Corinna Vinschen  Please, send mails 
> regarding Cygwin to
> Cygwin Developer
> mailto:[EMAIL PROTECTED]
> Red Hat, Inc.
> 
> 
> 





Re: Testers for new ssh-*-config scripts wanted!

2003-10-31 Thread Corinna Vinschen
On Fri, Oct 31, 2003 at 05:07:18PM +0100, Philippe Torche wrote:
> Nope,
> 
> read from bash doesn't recognize control characters without -e parameter:
> $ read _cygwin
> Ntser[Backspace]c
> $ echo $_cygwin | od -t x1
> 000 6e 74 73 65 72 08 63 0a
> 010
> 
> BUT OK with "-e"
> 
> $ read -e _cygwin
> Ntser[Backspace]c
> $ echo $_cygwin | od -t x1
> 000 6e 74 73 65 63 0a
> 006

Erm... when I use bash, read always recognizes the backspace correctly.
*dig dig dig*
Even better, when using /bin/sh (ash), I don't have your above problem
either.  I can change the string and no control code shows up in the
variable's value.  What's different on your machine?

Corinna

-- 
Corinna Vinschen  Please, send mails regarding Cygwin to
Cygwin Developer  mailto:[EMAIL PROTECTED]
Red Hat, Inc.




RE: Testers for new ssh-*-config scripts wanted!

2003-10-31 Thread Philippe Torche
Nope,

read from bash doesn't recognize control characters without -e parameter:
$ read _cygwin
Ntser[Backspace]c
$ echo $_cygwin | od -t x1
000 6e 74 73 65 72 08 63 0a
010

BUT OK with "-e"

$ read -e _cygwin
Ntser[Backspace]c
$ echo $_cygwin | od -t x1
000 6e 74 73 65 63 0a
006

Thanks, Philippe.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On behalf of Corinna Vinschen
> Sent: Friday, 31 October 2003 12:08
> To: [EMAIL PROTECTED]
> Subject: RE: Testers for new ssh-*-config scripts wanted!
> 
> On Fri, Oct 31, 2003 at 09:55:04AM +0100, Philippe Torche wrote:
> > Script ssh-host-config works for me, but when I entered the CYGWIN
> > env var, I made an error and typed "ntser", then backspace and then
> > the correct "c" character.
> > Thus CYGWIN key in the registry has now "ntser\x08c" instead of "ntsec"!
> > This is caused by the read command!
> 
> Yeah, but that's not a fault of the script but of the shell.  
> Nothing I can do about in the script.  Except if I require 
> the script to run under bash instead of sh, to allow readline support.
> 
> Would that be acceptable?  I have attached a new version of 
> ssh-host-config to this mail, which requires bash now.  If 
> that's not ok, it's easy to revert again.
> 
> I've also attached the two vanilla files ssh_config and 
> sshd_config to put into /etc/defaults/etc. This should 
> simplify testing.
> 
> Changed in this version of ssh-host-config:
> 
> - Require bash.
> - Remove annoying backslashes when echoing a bang (!).
> - Allow /var/log/lastlog to be a directory (But that can again create
>   problems with permissions, Pierre!)
> 
> Please don't forget to test ssh-user-config, too.  Thanks.
> 
> > PS Wait for a "Windows 2003 Server" version
> 
> You know, PGA and PTC.  See wtf ;-)
> 
> Thanks to all testers,
> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:[EMAIL PROTECTED]
> Red Hat, Inc.
> 
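
The stray 0x08 byte shown in the od output above can also be caught by the
script itself, independent of which shell runs it.  The following is an added
example, not part of the thread or of ssh-host-config; the function names
has_control_chars, apply_erase and read_setting are hypothetical, and the
sample input in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: validate a value read from the terminal before it is
# stored, e.g. as the CYGWIN setting of the sshd service.

# has_control_chars VALUE
# Returns 0 (true) if VALUE contains any ASCII control character,
# such as the 0x08 a plain "read" leaves in the variable.
has_control_chars()
{
  # LC_ALL=C makes the character class byte-oriented.
  case "$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')" in
    "$1") return 1 ;;   # nothing was stripped: the value is clean
    *)    return 0 ;;
  esac
}

# apply_erase VALUE
# Prints VALUE with every backspace (0x08) erasing the character typed
# before it, i.e. the text the user believed to have entered.
apply_erase()
{
  bs=$(printf '\010')
  printf '%s' "$1" |
    sed -e ":a" -e "s/[^${bs}]${bs}//" -e "ta" -e "s/${bs}//g"
}

# read_setting PROMPT
# Prompts until a value without control characters is entered and prints
# that value on stdout.  Prompt and warnings go to stderr, so the caller
# can capture the result with $(read_setting "...").
# Returns 1 if stdin is closed before a clean value was read.
read_setting()
{
  while :
  do
    printf '%s ' "$1" >&2
    IFS= read -r value || return 1
    if has_control_chars "$value"
    then
      # Strip remaining control bytes so the hint is safe to display.
      hint=$(apply_erase "$value" | LC_ALL=C tr -d '[:cntrl:]')
      echo "Input contains control characters (did you mean \"$hint\"?)." >&2
      echo "Please type the value again." >&2
    else
      printf '%s\n' "$value"
      return 0
    fi
  done
}

# Usage inside a configuration script (constructed sample):
#   _cygwin=$(read_setting "Value of CYGWIN for the service:") || exit 1
```

Rejecting the value and asking again keeps the decision with the user;
apply_erase is only used to build the hint and is never written anywhere.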





RE: Testers for new ssh-*-config scripts wanted!

2003-10-31 Thread Corinna Vinschen
On Fri, Oct 31, 2003 at 09:55:04AM +0100, Philippe Torche wrote:
> Script ssh-host-config works for me, but when I entered the CYGWIN env
> var, I made an error and typed "ntser", then backspace and then the correct
> "c" character.
> Thus the CYGWIN key in the registry now has "ntser\x08c" instead of "ntsec"!
> This is caused by the read command!

Yeah, but that's not a fault of the script but of the shell.  Nothing
I can do about it in the script.  Except if I require the script to run
under bash instead of sh, to allow readline support.

Would that be acceptable?  I have attached a new version of ssh-host-config
to this mail, which requires bash now.  If that's not ok, it's easy to
revert again.

I've also attached the two vanilla files ssh_config and sshd_config to
put into /etc/defaults/etc. This should simplify testing.

Changed in this version of ssh-host-config:

- Require bash.
- Remove annoying backslashes when echoing a bang (!).
- Allow /var/log/lastlog to be a directory (But that can again create
  problems with permissions, Pierre!)

Please don't forget to test ssh-user-config, too.  Thanks.

> PS Wait for a "Windows 2003 Server" version

You know, PGA and PTC.  See wtf ;-)

Thanks to all testers,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:[EMAIL PROTECTED]
Red Hat, Inc.
#!/bin/bash
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "    --debug  -d     Enable shell's debug output."
    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
    echo "    --no     -n     Answer all questions with \"no\" automatically."
    echo "    --port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f ${LOCALSTATEDIR}/log ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed!"
else
  if [ ! -d ${LOCALSTATEDIR}/log ]
  then
    mkdir -p ${LOCALSTATEDIR}/log
  fi
  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
  then
    chmod 777 ${LOCALSTATEDIR}/log/lastlog
  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
  then
    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
    chmod 666 ${LOCALSTATEDIR}/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed!"
else
  mkdir -p ${LOCALSTATEDIR}/empty
  if [ $_nt -gt 0 ]
  then
    chmod 755 ${LOCALSTATEDIR}/empty
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
fi

# Check if ssh_config exists. I

RE: Testers for new ssh-*-config scripts wanted!

2003-10-31 Thread Philippe Torche
Script ssh-host-config works for me, but when I entered the CYGWIN env
var, I made an error and typed "ntser", then backspace and then the correct
"c" character.
Thus the CYGWIN key in the registry now has "ntser\x08c" instead of "ntsec"!
This is caused by the read command!

Thanks.

PS Wait for a "Windows 2003 Server" version

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> On Behalf Of Corinna Vinschen
> Sent: Thursday, 30 October 2003 18:11
> To: [EMAIL PROTECTED]
> Subject: Testers for new ssh-*-config scripts wanted!
> 
> Hi,
> 
> is anybody here willing to give my new ssh-host-config and
> ssh-user-config shell scripts a thorough test?  I tested them
> by myself but I have this nagging feeling I missed something
> important.
> 
> The important changes:
> 
> - On NT, try to set permissions on files and directories to a
>   useful value.
> - On NT, try to set ownership on files and directories to a
>   useful value.
> 
> Only in ssh-host-config:
> 
> - Write the /etc/services entries for ssh now with CRLF line endings.
> - Remove the code to accomplish old style installations, with "old"
>   being older than roughly 3 years.
> - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
>   in the ssh-host-config script anymore, but they are copied and
>   modified from ssh_config and sshd_config files in /etc/defaults/etc.
>   This allows to accommodate changes in the vanilla scripts without
>   having to change the ssh-host-config script.
> - On NT, always set ownership of various files to SYSTEM, if sshd
>   has been installed as service.
> 
> Both scripts are attached.  When testing the new "copy config
> files from /etc/defaults/etc" functionality, please think of
> copying the ssh_config and sshd_config files (if possible the
> vanilla versions) to /etc/defaults/etc first.
> 
> Feedback and patches welcome and thanks in advance, Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:[EMAIL PROTECTED]
> Red Hat, Inc.
> 





RE: Testers for new ssh-*-config scripts wanted!

2003-10-30 Thread Harig, Mark
OK.  Thanks!  I will extract the contents
of the here documents and put them in
/etc/defaults/etc/sshd_config and 
/etc/defaults/etc/ssh_config.  I don't
trust my files in /etc/ to be vanilla
at this point.

> -Original Message-
> From: Brian Ford [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 30, 2003 5:35 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Testers for new ssh-*-config scripts wanted!
> 
> 
> On Thu, 30 Oct 2003, Harig, Mark wrote:
> 
> > I have OpenSSH 3.7.1p2-1 installed, but I
> > do not have the 'ssh_config' or 'sshd_config'
> > template files that the 'ssh-host-config' script
> > expects.  Am I missing a step here that I should
> > have taken to generate these files?
> >
> Yes, see:
> 
> > Corinna Vinschen wrote:
> > > Both scripts are attached.  When testing the new "copy config files
> > > from /etc/defaults/etc" functionality, please think of copying the
> > > ssh_config and sshd_config files (if possible the vanilla versions)
> > > to /etc/defaults/etc first.
> > >
> She meant the ones you would have in /etc if you had previously
> run the old ssh-host-config script.  If you had not, they can be found
> embedded in the old ssh-host-config script as mentioned here:
> 
> > > - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
> > >   in the ssh-host-config script anymore, but they are copied and
> > >   modified from ssh_config and sshd_config files in /etc/defaults/etc.
> > >   This allows to accommodate changes in the vanilla scripts without
> > >   having to change the ssh-host-config script.
> > >
> 
> -- 
> Brian Ford
> Senior Realtime Software Engineer
> VITAL - Visual Simulation Systems
> FlightSafety International
> Phone: 314-551-8460
> Fax:   314-551-8444
> 




RE: Testers for new ssh-*-config scripts wanted!

2003-10-30 Thread Brian Ford
On Thu, 30 Oct 2003, Harig, Mark wrote:

> I have OpenSSH 3.7.1p2-1 installed, but I
> do not have the 'ssh_config' or 'sshd_config'
> template files that the 'ssh-host-config' script
> expects.  Am I missing a step here that I should
> have taken to generate these files?
>
Yes, see:

> Corinna Vinschen wrote:
> > Both scripts are attached.  When testing the new "copy config files
> > from /etc/defaults/etc" functionality, please think of copying the
> > ssh_config and sshd_config files (if possible the vanilla versions)
> > to /etc/defaults/etc first.
> >
She meant the ones you would have in /etc if you had previously
run the old ssh-host-config script.  If you had not, they can be found
embedded in the old ssh-host-config script as mentioned here:

> > - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
> >   in the ssh-host-config script anymore, but they are copied and
> >   modified from ssh_config and sshd_config files in /etc/defaults/etc.
> >   This allows to accommodate changes in the vanilla scripts without
> >   having to change the ssh-host-config script.
> >

-- 
Brian Ford
Senior Realtime Software Engineer
VITAL - Visual Simulation Systems
FlightSafety International
Phone: 314-551-8460
Fax:   314-551-8444




RE: Testers for new ssh-*-config scripts wanted!

2003-10-30 Thread Harig, Mark
I have OpenSSH 3.7.1p2-1 installed, but I
do not have the 'ssh_config' or 'sshd_config'
template files that the 'ssh-host-config' script
expects.  Am I missing a step here that I should
have taken to generate these files?

I ran 'cygcheck -f /etc/defaults/etc/ssh_config'
and searched the Cygwin Package List at
http://cygwin.com/packages, but both searches
did not find any packages that should contain these
template files.

> -Original Message-
> From: Corinna Vinschen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 30, 2003 12:11 PM
> To: [EMAIL PROTECTED]
> Subject: Testers for new ssh-*-config scripts wanted!
> 
> 
> Hi,
> 
> is anybody here willing to give my new ssh-host-config and ssh-user-config
> shell scripts a thorough test?  I tested them by myself but I have this
> nagging feeling I missed something important.
> 
> The important changes:
> 
> - On NT, try to set permissions on files and directories to a useful value.
> - On NT, try to set ownership on files and directories to a useful value.
> 
> Only in ssh-host-config:
> 
> - Write the /etc/services entries for ssh now with CRLF line endings.
> - Remove the code to accomplish old style installations, with "old"
>   being older than roughly 3 years.
> - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
>   in the ssh-host-config script anymore, but they are copied and
>   modified from ssh_config and sshd_config files in /etc/defaults/etc.
>   This allows to accommodate changes in the vanilla scripts without
>   having to change the ssh-host-config script.
> - On NT, always set ownership of various files to SYSTEM, if sshd
>   has been installed as service.
> 
> Both scripts are attached.  When testing the new "copy config files
> from /etc/defaults/etc" functionality, please think of copying the
> ssh_config and sshd_config files (if possible the vanilla versions)
> to /etc/defaults/etc first.
> 
> Feedback and patches welcome and thanks in advance,
> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:[EMAIL PROTECTED]
> Red Hat, Inc.
> 




RE: Testers for new ssh-*-config scripts wanted!

2003-10-30 Thread Harig, Mark
I will read these two scripts "soon".
This won't be a thorough test, but it
will be another set of eyes reading the
code.

Of course, a much better candidate for
reading (and testing) the scripts would
be someone who is knowledgeable about
OpenSSH.  I'm simply a user of it.

> -Original Message-
> From: Corinna Vinschen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 30, 2003 12:11 PM
> To: [EMAIL PROTECTED]
> Subject: Testers for new ssh-*-config scripts wanted!
> 
> 
> Hi,
> 
> is anybody here willing to give my new ssh-host-config and ssh-user-config
> shell scripts a thorough test?  I tested them by myself but I have this
> nagging feeling I missed something important.
> 
> The important changes:
> 
> - On NT, try to set permissions on files and directories to a useful value.
> - On NT, try to set ownership on files and directories to a useful value.
> 
> Only in ssh-host-config:
> 
> - Write the /etc/services entries for ssh now with CRLF line endings.
> - Remove the code to accomplish old style installations, with "old"
>   being older than roughly 3 years.
> - /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
>   in the ssh-host-config script anymore, but they are copied and
>   modified from ssh_config and sshd_config files in /etc/defaults/etc.
>   This allows to accommodate changes in the vanilla scripts without
>   having to change the ssh-host-config script.
> - On NT, always set ownership of various files to SYSTEM, if sshd
>   has been installed as service.
> 
> Both scripts are attached.  When testing the new "copy config files
> from /etc/defaults/etc" functionality, please think of copying the
> ssh_config and sshd_config files (if possible the vanilla versions)
> to /etc/defaults/etc first.
> 
> Feedback and patches welcome and thanks in advance,
> Corinna
> 
> -- 
> Corinna Vinschen                  Please, send mails regarding Cygwin to
> Cygwin Developer                                mailto:[EMAIL PROTECTED]
> Red Hat, Inc.




Testers for new ssh-*-config scripts wanted!

2003-10-30 Thread Corinna Vinschen
Hi,

is anybody here willing to give my new ssh-host-config and ssh-user-config
shell scripts a thorough test?  I tested them by myself but I have this
nagging feeling I missed something important.

The important changes:

- On NT, try to set permissions on files and directories to a useful value.
- On NT, try to set ownership on files and directories to a useful value.

Only in ssh-host-config:

- Write the /etc/services entries for ssh now with CRLF line endings.
- Remove the code to accomplish old style installations, with "old"
  being older than roughly 3 years.
- /etc/ssh_config and /etc/sshd_config are not hardcoded here-scripts
  in the ssh-host-config script anymore, but they are copied and
  modified from ssh_config and sshd_config files in /etc/defaults/etc.
  This allows to accommodate changes in the vanilla scripts without
  having to change the ssh-host-config script.
- On NT, always set ownership of various files to SYSTEM, if sshd
  has been installed as service.

Both scripts are attached.  When testing the new "copy config files
from /etc/defaults/etc" functionality, please think of copying the
ssh_config and sshd_config files (if possible the vanilla versions)
to /etc/defaults/etc first.

Feedback and patches welcome and thanks in advance,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:[EMAIL PROTECTED]
Red Hat, Inc.
#!/bin/sh
#
# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc
LOCALSTATEDIR=/var

progname=$0
auto_answer=""
port_number=22

privsep_configured=no
privsep_used=yes
sshd_in_passwd=no
sshd_in_sam=no

request()
{
  if [ "${auto_answer}" = "yes" ]
  then
    return 0
  elif [ "${auto_answer}" = "no" ]
  then
    return 1
  fi

  answer=""
  while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ]
  do
    echo -n "$1 (yes/no) "
    read answer
  done
  if [ "X${answer}" = "Xyes" ]
  then
    return 0
  else
    return 1
  fi
}

# Check options

while :
do
  case $# in
  0)
    break
    ;;
  esac

  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    ;;

  -y | --yes )
    auto_answer=yes
    ;;

  -n | --no )
    auto_answer=no
    ;;

  -p | --port )
    port_number=$1
    shift
    ;;

  *)
    echo "usage: ${progname} [OPTION]..."
    echo
    echo "This script creates an OpenSSH host configuration."
    echo
    echo "Options:"
    echo "    --debug  -d     Enable shell's debug output."
    echo "    --yes    -y     Answer all questions with \"yes\" automatically."
    echo "    --no     -n     Answer all questions with \"no\" automatically."
    echo "    --port   -p <n> sshd listens on port n."
    echo
    exit 1
    ;;

  esac
done

# Check if running on NT
_sys="`uname -a`"
_nt=`expr "$_sys" : "CYGWIN_NT"`

# Check for running ssh/sshd processes first. Refuse to do anything while
# some ssh processes are still running

if ps -ef | grep -v grep | grep -q ssh
then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
  exit 1
fi

# Check for ${SYSCONFDIR} directory

if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ]
then
  echo
  echo "${SYSCONFDIR} is existant but not a directory."
  echo "Cannot create global configuration files."
  echo
  exit 1
fi

# Create it if necessary

if [ ! -e "${SYSCONFDIR}" ]
then
  mkdir "${SYSCONFDIR}"
  if [ ! -e "${SYSCONFDIR}" ]
  then
    echo
    echo "Creating ${SYSCONFDIR} directory failed"
    echo
    exit 1
  fi
fi

# Create /var/log and /var/log/lastlog if not already existing

if [ -f ${LOCALSTATEDIR}/log ]
then
  echo "Creating ${LOCALSTATEDIR}/log failed\!"
else
  if [ ! -d ${LOCALSTATEDIR}/log ]
  then
    mkdir -p ${LOCALSTATEDIR}/log
  fi
  if [ -d ${LOCALSTATEDIR}/log/lastlog ]
  then
    echo "Creating ${LOCALSTATEDIR}/log/lastlog failed\!"
  elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ]
  then
    cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
    chmod 666 ${LOCALSTATEDIR}/log/lastlog
  fi
fi

# Create /var/empty file used as chroot jail for privilege separation
if [ -f ${LOCALSTATEDIR}/empty ]
then
  echo "Creating ${LOCALSTATEDIR}/empty failed\!"
else
  mkdir -p ${LOCALSTATEDIR}/empty
  if [ $_nt -gt 0 ]
  then
    chmod 755 ${LOCALSTATEDIR}/empty
  fi
fi

# First generate host keys if not already existing

if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_key"
  ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
  ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
fi

if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
  echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
  ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_h