[patch/cygwin] contrib/cygwin/ssh-host-config


 



Hi,

would you mind applying the patch below?  It fixes Cygwin's
ssh-host-config script in several ways:

- Remove old code to remove the "sshd/22" entry from /etc/services.
  This code fixes a problem which only existed in installations which
  are more than 10 years old.

- Handle the StrictMode setting interactively.

- Fix regular expressions looking for white spaces.

- Make the script independent of whether /etc/passwd exists or not.
  This allows ssh-host-config to run under the upcoming Cygwin
  release 1.7.30, which will introduce passwd/group handling
  via the existing Windows account databases (SAM/AD).


Thanks,
Corinna


Index: contrib/cygwin/ssh-host-config
===================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.34
diff -u -p -r1.34 ssh-host-config
--- contrib/cygwin/ssh-host-config	8 Nov 2013 13:19:23 -0000	1.34
+++ contrib/cygwin/ssh-host-config	15 May 2014 08:46:20 -0000
@@ -34,6 +34,7 @@ declare -a csih_required_commands=(
   /usr/bin/mv coreutils
   /usr/bin/rm coreutils
   /usr/bin/cygpath cygwin
+  /usr/bin/mkpasswd cygwin
   /usr/bin/mount cygwin
   /usr/bin/ps cygwin
   /usr/bin/setfacl cygwin
@@ -59,8 +60,9 @@ PREFIX=/usr
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
 
+sshd_config_configured=no
 port_number=22
-privsep_configured=no
+strictmodes=yes
 privsep_used=yes
 cygwin_value=""
 user_account=
@@ -89,28 +91,8 @@ update_services_file() {
   # Depends on the above mount
   _wservices=`cygpath -w "${_services}"`
 
-  # Remove sshd 22/port from services
-  if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-  then
-    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
-    if [ -f "${_serv_tmp}" ]
-    then
-      if /usr/bin/mv "${_serv_tmp}" "${_services}"
-      then
-	csih_inform "Removing sshd from ${_wservices}"
-      else
-	csih_warning "Removing sshd from ${_wservices} failed!"
-	let ++ret
-      fi
-      /usr/bin/rm -f "${_serv_tmp}"
-    else
-      csih_warning "Removing sshd from ${_wservices} failed!"
-      let ++ret
-    fi
-  fi
-
   # Add ssh 22/tcp  and ssh 22/udp to services
-  if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
   then
     if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
     then
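Review bot: The new test at `if [ \`/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?\` -ne 0 ]` keeps the backtick-plus-`echo $?` idiom just to negate grep's status; `if ! /usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"` does the same without a subshell and a command substitution, and the same idiom reappears in the update_inetd_conf hunk (`if [ $(/usr/bin/grep -q ... ; echo $?) -eq 0 ]`). Since this hunk otherwise modernises the regex, converting the condition at the same time would keep the file consistent. update_services_file's body continues past the end of this hunk.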
@@ -132,17 +114,45 @@ update_services_file() {
 } # --- End of update_services_file --- #
 
 # ======================================================================
+# Routine: sshd_strictmodes
+#  MODIFIES: strictmodes
+# ======================================================================
+sshd_strictmodes() {
+  if [ "${sshd_config_configured}" != "yes" ]
+  then
+    echo
+    csih_inform "StrictModes is set to 'yes' by default."
+    csih_inform "This is the recommended setting, but it requires that the POSIX"
+    csih_inform "permissions of the user's home directory, the user's .ssh"
+    csih_inform "directory, and the user's ssh key files are tight so that"
+    csih_inform "only the user has write permissions."
+    csih_inform "On the other hand, StrictModes don't work well with default"
+    csih_inform "Windows permissions of a home directory mounted with the"
+    csih_inform "'noacl' option, and they don't work at all if the home"
+    csih_inform "directory is on a FAT or FAT32 partition."
+    if ! csih_request "Should StrictModes be used?"
+    then
+      strictmodes=no
+    fi
+  fi
+  return 0
+}
+
+# ======================================================================
 # Routine: sshd_privsep
-#  MODIFIES: privsep_configured  privsep_used
+#  MODIFIES: privsep_used
 # ======================================================================
 sshd_privsep() {
-  local sshdconfig_tmp
   local ret=0
 
-  if [ "${privsep_configured}" != "yes" ]
+  if [ "${sshd_config_configured}" != "yes" ]
   then
-    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
-    csih_inform "However, this requires a non-privileged account called 'sshd'."
+    echo
+    csih_inform "Privilege separation is set to 'sandbox' by default since"
+    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
+    csih_inform "to 'yes' or 'no'."
+    csih_inform "However, using privilege separation requires a non-privileged account"
+    csih_inform "called 'sshd'."
     csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
     if csih_request "Should privilege separation be used?"
     then
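Review bot: The header block for the new sshd_strictmodes routine lists only `MODIFIES: strictmodes`, but the routine also reads `sshd_config_configured` to decide whether to prompt at all, and a reader has to trace to the bottom of the file to learn that this flag is set from a `cmp` against the default sshd_config. Adding `#  READS: sshd_config_configured` to the header, and one sentence such as `# Only prompt when sshd_config is still the shipped default; an already-customised file is left as is`, would document that contract in place. The same `READS:` line applies to the sshd_privsep header just below, which now tests the same flag.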
@@ -159,36 +169,53 @@ sshd_privsep() {
       privsep_used=no
     fi
   fi
+  return $ret
+} # --- End of sshd_privsep --- #
+
+# ======================================================================
+# Routine: sshd_config_tweak
+# ======================================================================
+sshd_config_tweak() {
+  local ret=0
 
-  # Create default sshd_config from skeleton files in /etc/defaults/etc or
-  # modify to add the missing privsep configuration option
-  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
-  then
-    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
-    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
-    /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
-  	  s/^#Port 22/Port ${port_number}/
-  	  s/^#StrictModes yes/StrictModes no/" \
-	< ${SYSCONFDIR}/sshd_config \
-	> "${sshdconfig_tmp}"
-    if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+  # Modify sshd_config
+  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+  if [ "${port_number}" -ne 22 ]
+  then
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
     then
-	csih_warning "Setting privilege separation to 'yes' failed!"
-	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-	let ++ret
+      csih_warning "Setting listening port to ${port_number} failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
     fi
-  elif [ "${privsep_configured}" != "yes" ]
+  fi
+  if [ "${strictmodes}" = "no" ]
   then
-    echo >> ${SYSCONFDIR}/sshd_config
-    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
     then
-	csih_warning "Setting privilege separation to 'yes' failed!"
-	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-	let ++ret
+      csih_warning "Setting StrictModes to 'no' failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
+    fi
+  fi
+  if [ "${sshd_config_configured}" != "yes" ]
+  then
+    /usr/bin/sed -i -e "
+      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
+    then
+      csih_warning "Setting privilege separation failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
     fi
   fi
   return $ret
-} # --- End of sshd_privsep --- #
+} # --- End of sshd_config_tweak --- #
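Review bot: The three sed expressions in sshd_config_tweak accept different forms of the directive line: the Port and StrictModes patterns allow whitespace after `#` and require whitespace after the keyword (`^#\?[[:space:]]*Port[[:space:]].*`), while the UsePrivilegeSeparation pattern is `^#\?UsePrivilegeSeparation .*`, so a line like `# UsePrivilegeSeparation yes` or a tab-separated one is silently left unmodified and the directive is never written. I would align it as `s/^#\?[[:space:]]*UsePrivilegeSeparation[[:space:]].*/UsePrivilegeSeparation ${privsep_used}/`. Two smaller points: `if [ $? -ne 0 ]` after each sed can be `if ! /usr/bin/sed -i ...` in the style of the rest of the file, and `${port_number}` is interpolated into a sed replacement, which is only safe if it was validated as digits where it is read (outside this hunk; I can't confirm that here).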
 
 # ======================================================================
 # Routine: update_inetd_conf
@@ -207,11 +234,11 @@ update_inetd_conf() {
     # we have inetutils-1.5 inetd.d support
     if [ -f "${_inetcnf}" ]
     then
-      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
 
       # check for sshd OR ssh in top-level inetd.conf file, and remove
       # will be replaced by a file in inetd.d/
-      if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
       then
 	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
 	if [ -f "${_inetcnf_tmp}" ]
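Review bot: The grep patterns on the two lines `if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]` and `/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"` still use `[# \t]`, which inside a POSIX bracket expression matches the literal characters `\` and `t`, not a tab; this is exactly the whitespace-regex bug the commit fixes elsewhere, and the parallel sshd branch further down in this same function already uses the corrected form `'^#\?[[:space:]]*sshd'`. The hunk only switched the backticks to `$(...)` here, so these two should become `'^#\?[[:space:]]*ssh'` to match. As written, a tab-indented `ssh` entry in inetd.conf is neither detected nor removed by this branch.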
@@ -236,9 +263,9 @@ update_inetd_conf() {
     then
       if [ "${_with_comment}" -eq 0 ]
       then
-	/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
       else
-	/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
       fi
       if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
       then
@@ -251,13 +278,13 @@ update_inetd_conf() {
 
   elif [ -f "${_inetcnf}" ]
   then
-    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
 
     # check for sshd in top-level inetd.conf file, and remove
     # will be replaced by a file in inetd.d/
-    if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
     then
-      /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
       if [ -f "${_inetcnf_tmp}" ]
       then
 	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +332,26 @@ check_service_files_ownership() {
 
   if [ -z "${run_service_as}" ]
   then
-    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
+    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
+    		 /usr/bin/sed -ne 's/^Account *: *//gp')
     if [ "${accnt_name}" = "LocalSystem" ]
     then
       # Convert "LocalSystem" to "SYSTEM" as is the correct account name
-      accnt_name="SYSTEM:"
-    elif [[ "${accnt_name}" =~ ^\.\\ ]]
-    then
-      # Convert "." domain to local machine name
-      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+      run_service_as="SYSTEM"
+    else
+      dom="${accnt_name%%\\*}"
+      accnt_name="${accnt_name#*\\}"
+      if [ "${dom}" = '.' ]
+      then
+	# Check local account
+	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
+			 /usr/bin/awk -F: '{print $1;}')
+      else
+      	# Check domain
+	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
+			 /usr/bin/awk -F: '{print $1;}')
+      fi
     fi
-    run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
     if [ -z "${run_service_as}" ]
     then
       csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
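Review bot: The warning `csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"` is now misleading, because the lookup on the new side goes through `mkpasswd -l`/`mkpasswd -d` and no longer reads /etc/passwd; I would change it to `csih_warning "Couldn't determine name of user running sshd service via mkpasswd!"`. Two further things are not decidable from the hunk: `dom` is assigned without `local`, so unless it is declared above the hunk it leaks into the global scope, and when `accnt_name` carries no backslash `${accnt_name%%\\*}` leaves `dom` equal to the whole name, which then reaches `mkpasswd -d "${dom}"` as a domain — presumably cygrunsrv always prints a `DOMAIN\user` form, but a guard such as `[ "${dom}" = "${accnt_name}" ]` treating it as local would make that explicit. The function's opening and locals are outside this hunk.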
@@ -672,6 +708,7 @@ then
 fi
 
 # generate missing host keys
+csih_inform "Generating missing SSH host keys"
 /usr/bin/ssh-keygen -A || let warning_cnt+=$?
 
 # handle ssh_config
@@ -690,10 +727,11 @@ fi
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-  /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+  sshd_config_configured=yes
 fi
+sshd_strictmodes || let warning_cnt+=$?
 sshd_privsep || let warning_cnt+=$?
-
+sshd_config_tweak || let warning_cnt+=$?
 update_services_file || let warning_cnt+=$?
 update_inetd_conf || let warning_cnt+=$?
 install_service || let warning_cnt+=$?
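Review bot: `sshd_strictmodes || let warning_cnt+=$?` can never add to the warning count, because sshd_strictmodes unconditionally ends with `return 0`; the `||` clause is dead but harmless, and it does keep the call consistent with its neighbours, so either leave it with a comment `# always returns 0; kept for uniformity` or drop the suffix. Note also that `sshd_config_configured=yes` is derived only from `cmp` against the shipped default, so any byte of local change (a comment edit, a port change) suppresses both interactive prompts — that appears intended, but a one-line comment above the `if ! /usr/bin/cmp` saying so would spare the next reader the inference.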

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat

Attachment: pgpVvuex1Bh1k.pgp
Description: PGP signature



