Hi, would you mind to apply the below patch? It fixes Cygwin's ssh-host-config script in various ways: - Remove old code to remove the "sshd/22" entry from /etc/services. This code fixes a problem which only existed in installations which are more than 10 years old. - Handle the StrictMode setting interactively. - Fix regular expressions looking for white spaces. - Make the script independent of whether /etc/passwd exists or not. This allows to run ssh-host-config under the upcoming Cygwin release 1.7.30, which will introduce the passwd/group handling via the existing Windows account databases (SAM/AD). Thanks, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v retrieving revision 1.34 diff -u -p -r1.34 ssh-host-config --- contrib/cygwin/ssh-host-config 8 Nov 2013 13:19:23 -0000 1.34 +++ contrib/cygwin/ssh-host-config 15 May 2014 08:46:20 -0000 @@ -34,6 +34,7 @@ declare -a csih_required_commands=( /usr/bin/mv coreutils /usr/bin/rm coreutils /usr/bin/cygpath cygwin + /usr/bin/mkpasswd cygwin /usr/bin/mount cygwin /usr/bin/ps cygwin /usr/bin/setfacl cygwin @@ -59,8 +60,9 @@ PREFIX=/usr SYSCONFDIR=/etc LOCALSTATEDIR=/var +sshd_config_configured=no port_number=22 -privsep_configured=no +strictmodes=yes privsep_used=yes cygwin_value="" user_account= @@ -89,28 +91,8 @@ update_services_file() { # Depends on the above mount _wservices=`cygpath -w "${_services}"` - # Remove sshd 22/port from services - if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] - then - /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" - if [ -f "${_serv_tmp}" ] - then - if /usr/bin/mv "${_serv_tmp}" "${_services}" - then - csih_inform "Removing sshd from ${_wservices}" - else - csih_warning "Removing sshd from ${_wservices} failed!" - let ++ret - fi - /usr/bin/rm -f "${_serv_tmp}" - else - csih_warning "Removing sshd from ${_wservices} failed!" - let ++ret - fi - fi - # Add ssh 22/tcp and ssh 22/udp to services - if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] + if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] then if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then @@ -132,17 +114,45 @@ update_services_file() { } # --- End of update_services_file --- # # ====================================================================== +# Routine: sshd_strictmodes +# MODIFIES: strictmodes +# ====================================================================== +sshd_strictmodes() { + if [ "${sshd_config_configured}" != "yes" ] + then + echo + csih_inform "StrictModes is set to 'yes' by default." + csih_inform "This is the recommended setting, but it requires that the POSIX" + csih_inform "permissions of the user's home directory, the user's .ssh" + csih_inform "directory, and the user's ssh key files are tight so that" + csih_inform "only the user has write permissions." + csih_inform "On the other hand, StrictModes don't work well with default" + csih_inform "Windows permissions of a home directory mounted with the" + csih_inform "'noacl' option, and they don't work at all if the home" + csih_inform "directory is on a FAT or FAT32 partition." + if ! csih_request "Should StrictModes be used?" + then + strictmodes=no + fi + fi + return 0 +} + +# ====================================================================== # Routine: sshd_privsep -# MODIFIES: privsep_configured privsep_used +# MODIFIES: privsep_used # ====================================================================== sshd_privsep() { - local sshdconfig_tmp local ret=0 - if [ "${privsep_configured}" != "yes" ] + if [ "${sshd_config_configured}" != "yes" ] then - csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." - csih_inform "However, this requires a non-privileged account called 'sshd'." + echo + csih_inform "Privilege separation is set to 'sandbox' by default since" + csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set" + csih_inform "to 'yes' or 'no'." + csih_inform "However, using privilege separation requires a non-privileged account" + csih_inform "called 'sshd'." csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." if csih_request "Should privilege separation be used?" then @@ -159,36 +169,53 @@ sshd_privsep() { privsep_used=no fi fi + return $ret +} # --- End of sshd_privsep --- # + +# ====================================================================== +# Routine: sshd_config_tweak +# ====================================================================== +sshd_config_tweak() { + local ret=0 - # Create default sshd_config from skeleton files in /etc/defaults/etc or - # modify to add the missing privsep configuration option - if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 - then - csih_inform "Updating ${SYSCONFDIR}/sshd_config file" - sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ - /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ - s/^#Port 22/Port ${port_number}/ - s/^#StrictModes yes/StrictModes no/" \ - < ${SYSCONFDIR}/sshd_config \ - > "${sshdconfig_tmp}" - if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config + # Modify sshd_config + csih_inform "Updating ${SYSCONFDIR}/sshd_config file" + if [ "${port_number}" -ne 22 ] + then + /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ + ${SYSCONFDIR}/sshd_config + if [ $? -ne 0 ] then - csih_warning "Setting privilege separation to 'yes' failed!" - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" - let ++ret + csih_warning "Setting listening port to ${port_number} failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret fi - elif [ "${privsep_configured}" != "yes" ] + fi + if [ "${strictmodes}" = "no" ] then - echo >> ${SYSCONFDIR}/sshd_config - if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config + /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ + ${SYSCONFDIR}/sshd_config + if [ $? -ne 0 ] then - csih_warning "Setting privilege separation to 'yes' failed!" - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" - let ++ret + csih_warning "Setting StrictModes to 'no' failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret + fi + fi + if [ "${sshd_config_configured}" != "yes" ] + then + /usr/bin/sed -i -e " + s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \ + ${SYSCONFDIR}/sshd_config + if [ $? -ne 0 ] + then + csih_warning "Setting privilege separation failed!" + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" + let ++ret fi fi return $ret -} # --- End of sshd_privsep --- # +} # --- End of sshd_config_tweak --- # # ====================================================================== # Routine: update_inetd_conf @@ -207,11 +234,11 @@ update_inetd_conf() { # we have inetutils-1.5 inetd.d support if [ -f "${_inetcnf}" ] then - /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 + /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 # check for sshd OR ssh in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ - if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] + if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] then /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] @@ -236,9 +263,9 @@ update_inetd_conf() { then if [ "${_with_comment}" -eq 0 ] then - /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" else - /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" + /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" fi if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" then @@ -251,13 +278,13 @@ update_inetd_conf() { elif [ -f "${_inetcnf}" ] then - /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 + /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 # check for sshd in top-level inetd.conf file, and remove # will be replaced by a file in inetd.d/ - if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] + if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] then - /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" + /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" if [ -f "${_inetcnf_tmp}" ] then if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" @@ -305,17 +332,26 @@ check_service_files_ownership() { if [ -z "${run_service_as}" ] then - accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') + accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | + /usr/bin/sed -ne 's/^Account *: *//gp') if [ "${accnt_name}" = "LocalSystem" ] then # Convert "LocalSystem" to "SYSTEM" as is the correct account name - accnt_name="SYSTEM:" - elif [[ "${accnt_name}" =~ ^\.\\ ]] - then - # Convert "." domain to local machine name - accnt_name="U-${COMPUTERNAME}${accnt_name#.}," + run_service_as="SYSTEM" + else + dom="${accnt_name%%\\*}" + accnt_name="${accnt_name#*\\}" + if [ "${dom}" = '.' ] + then + # Check local account + run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | + /usr/bin/awk -F: '{print $1;}') + else + # Check domain + run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | + /usr/bin/awk -F: '{print $1;}') + fi fi - run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') if [ -z "${run_service_as}" ] then csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" @@ -672,6 +708,7 @@ then fi # generate missing host keys +csih_inform "Generating missing SSH host keys" /usr/bin/ssh-keygen -A || let warning_cnt+=$? # handle ssh_config @@ -690,10 +727,11 @@ fi csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 then - /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes + sshd_config_configured=yes fi +sshd_strictmodes || let warning_cnt+=$? sshd_privsep || let warning_cnt+=$? - +sshd_config_tweak || let warning_cnt+=$? update_services_file || let warning_cnt+=$? update_inetd_conf || let warning_cnt+=$? install_service || let warning_cnt+=$? -- Corinna Vinschen Cygwin Maintainer Red Hat
Attachment:
pgpVvuex1Bh1k.pgp
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev