# Second half of ssh-host-config: writes sshd_config, registers the ssh
# service port, updates inetd.conf and (on NT) installs sshd as a service.
#
# NOTE(review): the variables SYSCONFDIR, LOCALSTATEDIR, privsep_used,
# privsep_configured, port_number, _nt, _nt2003, password_value and
# cygwin_value, and the request() prompt helper, are all set up earlier in
# the script (not visible here) -- confirm against the first half before
# changing any of them.

# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if [ ! -f "${SYSCONFDIR}/sshd_config" ]
then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  # The sed script is one quoted argument; the newlines between the three
  # s/// commands are significant (sed reads one command per line).
  # NOTE(review): this turns StrictModes off in the generated config, which
  # disables sshd's ownership/permission checks on users' files;
  # presumably needed for Cygwin's permission mapping -- confirm.
  sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
  s/^#Port 22/Port ${port_number}/
  s/^#StrictModes yes/StrictModes no/" \
  < ${SYSCONFDIR}/defaults/etc/sshd_config \
  > ${SYSCONFDIR}/sshd_config
elif [ "${privsep_configured}" != "yes" ]
then
  # Existing config without a privsep line: append one (blank line first
  # in case the file has no trailing newline).
  echo >> ${SYSCONFDIR}/sshd_config
  echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
fi

# Care for services file
# The Windows services file is reached through a temporary mount point
# named after this PID; it is unmounted again once the edits are done.
_my_etcdir="/ssh-host-config.$$"
if [ ${_nt} -gt 0 ]
then
  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
  _services="${_my_etcdir}/services"
  # On NT, 27 spaces, no space after the hash
  _spaces=" #"
else
  _win_etcdir="${WINDIR}"
  _services="${_my_etcdir}/SERVICES"
  # On 9x, 18 spaces (95 is very touchy), a space after the hash
  _spaces=" # "
fi
# Scratch copy of the services file, written inside the same mount.
_serv_tmp="${_my_etcdir}/srv.out.$$"

mount -t -f "${_win_etcdir}" "${_my_etcdir}"

# Depends on the above mount
# Windows-style path of the services file, used only in messages.
_wservices=`cygpath -w "${_services}"`

# Remove sshd 22/port from services
# The `grep -q ...; echo $?` idiom just tests for a match; plain
# `if grep -q ...` would read the same and avoid the backticks.
if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
  grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
  if [ -f "${_serv_tmp}" ]
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Removing sshd from ${_wservices}"
    else
      echo "Removing sshd from ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "Removing sshd from ${_wservices} failed!"
  fi
fi

# Add ssh 22/tcp and ssh 22/udp to services
if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
then
  # Insert the two ssh lines directly in front of the 23/tcp (telnet)
  # entry so the file stays sorted by port; ${_spaces} is spliced into the
  # awk program between the single-quoted parts.
  if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
  then
    if mv "${_serv_tmp}" "${_services}"
    then
      echo "Added ssh to ${_wservices}"
    else
      echo "Adding ssh to ${_wservices} failed!"
    fi
    rm -f "${_serv_tmp}"
  else
    echo "WARNING: Adding ssh to ${_wservices} failed!"
  fi
fi

umount "${_my_etcdir}"

# Care for inetd.conf file
_inetcnf="${SYSCONFDIR}/inetd.conf"
_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"

if [ -f "${_inetcnf}" ]
then
  # Check if ssh service is already in use as sshd
  # with_comment=0 means an active (uncommented) sshd line exists, so the
  # replacement ssh line is written active too; otherwise it is written
  # commented out.
  with_comment=1
  grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0
  # Remove sshd line from inetd.conf
  if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
  then
    # NOTE(review): '>>' appends to the PID-named temp file; '>' is the
    # usual form here and would also cope with a stale file of that name.
    grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
    if [ -f "${_inetcnf_tmp}" ]
    then
      if mv "${_inetcnf_tmp}" "${_inetcnf}"
      then
        echo "Removed sshd from ${_inetcnf}"
      else
        echo "Removing sshd from ${_inetcnf} failed!"
      fi
      rm -f "${_inetcnf_tmp}"
    else
      echo "Removing sshd from ${_inetcnf} failed!"
    fi
  fi

  # Add ssh line to inetd.conf
  if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
  then
    if [ "${with_comment}" -eq 0 ]
    then
      echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    else
      echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
    fi
    echo "Added ssh to ${_inetcnf}"
  fi
fi

# On NT ask if sshd should be installed as service
if [ ${_nt} -gt 0 ]
then
  # But only if it is not already installed
  if ! cygrunsrv -Q sshd > /dev/null 2>&1
  then
    echo
    echo
    echo "Warning: The following functions require administrator privileges!"
    echo
    echo "Do you want to install sshd as service?"
    if request "(Say \"no\" if it's already installed as service)"
    then
      if [ $_nt2003 -gt 0 ]
      then
        # On 2003+ the service runs under a dedicated 'sshd_server'
        # account rather than LocalSystem.
        grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes
        if [ "${sshd_server_in_passwd}" = "yes" ]
        then
          # Drop sshd_server from passwd since it could have wrong settings
          grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$
          rm -f ${SYSCONFDIR}/passwd
          mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd
          # The rewritten passwd must not stay group/world writable.
          chmod g-w,o-w ${SYSCONFDIR}/passwd
        fi
        # Does the account already exist in the local SAM?
        net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes
        if [ "${sshd_server_in_sam}" != "yes" ]
        then
          echo
          echo "You appear to be running Windows 2003 Server or later. On 2003 and"
          echo "later systems, it's not possible to use the LocalSystem account"
          echo "if sshd should allow passwordless logon (e. g. public key authentication)."
          echo "If you want to enable that functionality, it's required to create a new"
          echo "account 'sshd_server' with special privileges, which is then used to run"
          echo "the sshd service under."
          echo
          echo "Should this script create a new local account 'sshd_server' which has"
          if request "the required privileges?"
          then
            # Resolve the local Administrators group by its well-known SID
            # instead of by (localized) name.
            _admingroup=`mkgroup -l | awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' `
            if [ -z "${_admingroup}" ]
            then
              echo "mkgroup -l produces no group with SID S-1-5-32-544 (Local administrators group)."
              exit 1
            fi
            dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty`
            # Retry account creation until 'net user /add' succeeds; a
            # preset password_value is tried once, then the user is asked.
            while [ "${sshd_server_in_sam}" != "yes" ]
            do
              if [ -n "${password_value}" ]
              then
                _password="${password_value}"
                # Allow to ask for password if first try fails
                password_value=""
              else
                echo
                echo "Please enter a password for new user 'sshd_server'. Please be sure that"
                echo "this password matches the password rules given on your system."
                echo -n "Entering no password will exit the configuration. PASSWORD="
                # NOTE(review): read -e leaves terminal echo on, so the
                # password is visible on screen as it is typed; `read -s`
                # (or stty -echo) would suppress that.
                read -e _password
                if [ -z "${_password}" ]
                then
                  echo
                  echo "Exiting configuration. No user sshd_server has been created,"
                  echo "no sshd service installed."
                  exit 1
                fi
              fi
              # NOTE(review): the password travels on the 'net user'
              # command line, where other local processes can observe it,
              # and the output lands in a predictable /tmp/nu.$$ name;
              # mktemp would be the safer choice for the latter.
              net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes
              if [ "${sshd_server_in_sam}" != "yes" ]
              then
                echo "Creating the user 'sshd_server' failed! Reason:"
                cat /tmp/nu.$$
                rm /tmp/nu.$$
              fi
            done
            net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes
            if [ "${sshd_server_in_admingroup}" != "yes" ]
            then
              echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!"
              echo "Please add sshd_server to local group ${_admingroup} before"
              echo "starting the sshd service!"
              echo
            fi
            # 'passwd -e' (expiry flags) only exists in passwd 1.5 and
            # later; check the version before relying on it.
            passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'`
            if [ "${passwd_has_expiry_flags}" != "yes" ]
            then
              echo
              echo "WARNING: User sshd_server has password expiry set to system default."
              echo "Please check that password never expires or set it to your needs."
            elif ! passwd -e sshd_server
            then
              echo
              echo "WARNING: Setting password expiry for user sshd_server failed!"
              echo "Please check that password never expires or set it to your needs."
            fi
            # Grant the rights the service account needs; the three
            # SeDeny*LogonRight entries restrict how the account itself
            # may log on. The && chain sets the flag only if every
            # editrights call succeeded.
            editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server &&
            editrights -a SeCreateTokenPrivilege -u sshd_server &&
            editrights -a SeTcbPrivilege -u sshd_server &&
            editrights -a SeDenyInteractiveLogonRight -u sshd_server &&
            editrights -a SeDenyNetworkLogonRight -u sshd_server &&
            editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server &&
            editrights -a SeIncreaseQuotaPrivilege -u sshd_server &&
            editrights -a SeServiceLogonRight -u sshd_server &&
            sshd_server_got_all_rights="yes"
            if [ "${sshd_server_got_all_rights}" != "yes" ]
            then
              echo
              echo "Assigning the appropriate privileges to user 'sshd_server' failed!"
              echo "Can't create sshd service!"
              exit 1
            fi
            echo
            # NOTE(review): this prints the new account's password in
            # clear text to the terminal (and into any captured log).
            echo "User 'sshd_server' has been created with password '${_password}'."
            echo "If you change the password, please keep in mind to change the password"
            echo "for the sshd service, too."
            echo
            echo "Also keep in mind that the user sshd_server needs read permissions on all"
            echo "users' .ssh/authorized_keys file to allow public key authentication for"
            echo "these users!. (Re-)running ssh-user-config for each user will set the"
            echo "required permissions correctly."
            echo
          fi
        fi
        if [ "${sshd_server_in_sam}" = "yes" ]
        then
          # Add the account to /etc/passwd with its shell field rewritten
          # from 'bash' to 'false' so it has no interactive login shell.
          mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
        fi
      fi
      if [ -n "${cygwin_value}" ]
      then
        _cygwin="${cygwin_value}"
      else
        echo
        echo "Which value should the environment variable CYGWIN have when"
        echo "sshd starts? It's recommended to set at least \"ntsec\" to be"
        echo "able to change user context without password."
        echo -n "Default is \"ntsec\". CYGWIN="
        read -e _cygwin
      fi
      [ -z "${_cygwin}" ] && _cygwin="ntsec"
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
        # NOTE(review): the account password is again passed on the
        # command line (-w) to cygrunsrv.
        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" -y tcpip
        then
          echo
          echo "The service has been installed under sshd_server account."
          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
        fi
      else
        if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" -y tcpip
        then
          echo
          echo "The service has been installed under LocalSystem account."
          echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'."
        fi
      fi
    fi
    # Now check if sshd has been successfully installed. This allows to
    # set the ownership of the affected files correctly.
    if cygrunsrv -Q sshd > /dev/null 2>&1
    then
      if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ]
      then
        _user="sshd_server"
      else
        _user="system"
      fi
      # Host keys and config go to the service user; the spool/log files
      # get group 544 (Administrators) as well.
      chown "${_user}" ${SYSCONFDIR}/ssh*
      chown "${_user}".544 ${LOCALSTATEDIR}/empty
      chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog
      if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
      then
        chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log
      fi
    fi
    # A service cannot see user-mode ("Just me") mounts; warn if /,
    # /usr/bin or /usr/lib is not a system mount.
    if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' )
    then
      echo
      echo "Warning: It appears that you have user mode mounts (\"Just me\""
      echo "chosen during install.) Any daemons installed as services will"
      echo "fail to function unless system mounts are used. To change this,"
      echo "re-run setup.exe and choose \"All users\"."
      echo
      echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33"
    fi
  fi
fi

echo
echo "Host configuration finished. Have fun!"