Hi,
could somebody with checkin rights please apply the below patch?
It modernizes and improves readability of the Cygwin README file
(which hasn't been updated for ages), drops unsupported OSes from
the ssh-host-config help text, and drops an unneeded option from
ssh-user-config.
Thanks in advance,
Corinna
Index: contrib/cygwin/README
==================================================================
RCS file: /cvs/openssh/contrib/cygwin/README,v
retrieving revision 1.17
diff -u -p -r1.17 README
--- contrib/cygwin/README 17 Jun 2010 18:11:44 -0000 1.17
+++ contrib/cygwin/README 2 Jul 2013 08:16:43 -0000
@@ -4,115 +4,18 @@ The binary package is usually built for
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.
-Build instructions are at the end of the file.
-
-==========================================================================-Important
change since 3.7.1p2-2:
-
-The ssh-host-config file doesn't create the /etc/ssh_config and
-/etc/sshd_config files from builtin here-scripts anymore, but it uses
-skeleton files installed in /etc/defaults/etc.
-
-Also it now tries hard to create appropriate permissions on files.
-Same applies for ssh-user-config.
-
-After creating the sshd service with ssh-host-config, it's advisable to
-call ssh-user-config for all affected users, also already exising user
-configurations. In the latter case, file and directory permissions are
-checked and changed, if requireed to match the host configuration.
-
-Important note for Windows 2003 Server users:
----------------------------------------------
-
-2003 Server has a funny new feature. When starting services under SYSTEM
-account, these services have nearly all user rights which SYSTEM holds...
-except for the "Create a token object" right, which is needed to
allow
-public key authentication :-(
-
-There's no way around this, except for creating a substitute account which
-has the appropriate privileges. Basically, this account should be member
-of the administrators group, plus it should have the following user rights:
-
- Create a token object
- Logon as a service
- Replace a process level token
- Increase Quota
-
-The ssh-host-config script asks you, if it should create such an account,
-called "sshd_server". If you say "no" here, you're on
your own. Please
-follow the instruction in ssh-host-config exactly if possible. Note that
-ssh-user-config sets the permissions on 2003 Server machines dependent of
-whether a sshd_server account exists or not.
-==========================================================================-
-==========================================================================-Important
change since 3.4p1-2:
-
-This version adds privilege separation as default setting, see
-/usr/doc/openssh/README.privsep. According to that document the
-privsep feature requires a non-privileged account called 'sshd'.
-
-The new ssh-host-config file which is part of this version asks
-to create 'sshd' as local user if you want to use privilege
-separation. If you confirm, it creates that NT user and adds
-the necessary entry to /etc/passwd.
-
-On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
-since that feature doesn't make any sense on a system which doesn't
-differ between privileged and unprivileged users.
-
-The new ssh-host-config script also adds the /var/empty directory
-needed by privilege separation. When creating the /var/empty directory
-by yourself, please note that in contrast to the README.privsep document
-the owner sshould not be "root" but the user which is running sshd.
So,
-in the standard configuration this is SYSTEM. The ssh-host-config script
-chowns /var/empty accordingly.
-==========================================================================-
-==========================================================================-Important
change since 3.0.1p1-2:
-
-This version introduces the ability to register sshd as service on
-Windows 9x/Me systems. This is done only when the options -D and/or
--d are not given.
-==========================================================================-
-==========================================================================-Important
change since 2.9p2:
-
-Since Cygwin is able to switch user context without password beginning
-with version 1.3.2, OpenSSH now allows to do so when it's running under
-a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
-allow that feature.
-==========================================================================-
-==========================================================================-Important
change since 2.3.0p1:
-
-When using `ntea' or `ntsec' you now have to care for the ownership
-and permission bits of your host key files and your private key files.
-The host key files have to be owned by the NT account which starts
-sshd. The user key files have to be owned by the user. The permission
-bits of the private key files (host and user) have to be at least
-rw------- (0600)!
-
-Note that this is forced under `ntsec' only if the files are on a NTFS
-filesystem (which is recommended) due to the lack of any basic security
-features of the FAT/FAT32 filesystems.
-==========================================================================+=================+Host
configuration
+=================
If you are installing OpenSSH the first time, you can generate global config
-files and server keys by running
+files and server keys, as well as installing sshd as a service, by running
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.
-If you are updating your installation you may run the above ssh-host-config
-as well to move your configuration files to the new location and to
-erase the files at the old location.
-
To support testing and unattended installation ssh-host-config got
some options:
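Review bot: the deletion in this hunk drops the only place the README states the key-file ownership and permission requirements (the "Important change since 2.3.0p1" block: host key files owned by the account that starts sshd, user key files owned by the user, private keys at least `rw------- (0600)`, enforced only on NTFS). The new "Host configuration" text does not restate any of it, so consider carrying a two-line version forward under that heading rather than relying on ssh-host-config and ssh-user-config to set the permissions silently. Also, several hunk lines in this mail appear wrapped mid-string (e.g. `except for the "Create a token object" right, which is needed to` / `allow`), which will make `patch` reject the hunk; please confirm this is mailer wrapping or resend the patch as an attachment.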
@@ -123,17 +26,26 @@ Options:
--no -n Answer all questions with "no"
automatically.
--cygwin -c <options> Use "options" as value for CYGWIN
environment var.
--port -p <n> sshd listens on port n.
- --pwd -w <passwd> Use "pwd" as password for user
'sshd_server'.
-
-Additionally ssh-host-config now asks if it should install sshd as a
-service when running under NT/W2K. This requires cygrunsrv installed.
+ --user -u <account> privileged user for service, default
'cyg_server'.
+ --pwd -w <passwd> Use "pwd" as password for privileged
user.
+ --privileged On Windows XP, require privileged user
+ instead of LocalSystem for sshd service.
+
+Installing sshd as daemon via ssh-host-config is recommended.
+
+Alternatively you can start sshd via inetd, if you have the inetutils
+package installed. Just run ssh-host-config, but answer "no" when
asked
+to install sshd as service. The ssh-host-config script also adds the
+required lines to /etc/inetd.conf and /etc/services.
+
+=================+User configuration
+=================
-You can create the private and public keys for a user now by running
+Any user can simplify creating the own private and public keys by running
/usr/bin/ssh-user-config
-under the users account.
-
To support testing and unattended installation ssh-user-config got
some options as well:
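Review bot: grammar in the added line `+Any user can simplify creating the own private and public keys by running`: "the own" should be "their own". On the reworded `--pwd -w <passwd>` line, consider documenting that a password given on the command line is visible to other local users in the process list and may end up in shell history, so it should be reserved for the unattended installs that the surrounding sentence already names as the use case.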
@@ -144,88 +56,30 @@ Options:
--no -n Answer all questions with "no"
automatically.
--passphrase -p word Use "word" as passphrase automatically.
-Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
-(results in very slow deamon startup!) or from the command line (recommended
-on 9X/ME).
-
-If you start sshd as deamon via cygrunsrv.exe you MUST give the
-"-D" option to sshd. Otherwise the service can't get started at
all.
-
-If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
-following line to your inetd.conf file:
-
-ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
-
-Moreover you'll have to add the following line to your
-${SYSTEMROOT}/system32/drivers/etc/services file:
-
- ssh 22/tcp #SSH daemon
-
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!
-You may use all features of the CYGWIN=ntsec setting the same
-way as they are used by Cygwin's login(1) port:
-
- The pw_gecos field may contain an additional field, that begins
- with (upper case!) "U-", followed by the domain and the username
- separated by a backslash.
- CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
- BTW: The field separator in pw_gecos is the comma.
- The username in pw_name itself may be any nice name:
-
- domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
-
- Now you may use `domuser' as your login name with telnet!
- This is possible additionally for local users, if you don't like
- your NT login name ;-) You only have to leave out the domain:
-
- locuser::1104:513:John Doe,U-user,S-1-5-21-...
-
-Note that the CYGWIN=ntsec setting is required for public key authentication.
-
-SSH2 server and user keys are generated by the `ssh-*-config' scripts
-as well.
-
-If you want to build from source, the following options to
-configure are used for the Cygwin binary distribution:
-
- --prefix=/usr \
- --sysconfdir=/etc \
- --libexecdir='${sbindir}' \
- --localstatedir=/var \
- --datadir='${prefix}/share' \
- --mandir='${datadir}/man' \
- --infodir='${datadir}/info'
- --with-tcp-wrappers
- --with-libedit
-
-If you want to create a Cygwin package, equivalent to the one
-in the Cygwin binary distribution, install like this:
-
- mkdir /tmp/cygwin-ssh
- cd ${builddir}
- make install DESTDIR=/tmp/cygwin-ssh
- cd ${srcdir}/contrib/cygwin
- make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
- cd /tmp/cygwin-ssh
- find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
-
-You must have installed the following packages to be able to build OpenSSH:
-
-- zlib
-- openssl-devel
-
-If you want to build with --with-tcp-wrappers, you also need the package
-
-- tcp_wrappers
-
-If you want to build with --with-libedit, you also need the package
-
-- libedit-devel
+===============+Building OpenSSH
+===============+
+Building from source is easy. Just unpack the source archive, cd to that
+directory, and call cygport:
+
+ cygport openssh.cygport almostall
+
+You must have installed the following packages to be able to build OpenSSH
+with the aforementioned cygport script:
+
+ zlib
+ crypt
+ openssl-devel
+ libwrap-devel
+ libedit-devel
+ libkrb5-devel
Please send requests, error reports etc. to cygwin at cygwin.com.
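Review bot: the removed line `-Note that the CYGWIN=ntsec setting is required for public key authentication.` has no replacement, and the new text never says whether that requirement has gone away or is simply always satisfied on current Cygwin; a one-line statement either way would save readers of older guides from setting CYGWIN=ntsec unnecessarily or, worse, from being unable to log in with keys without knowing why. While this region is being edited, the unchanged context lines `Please note that OpenSSH does never use the value of $HOME` and `If no home diretory is set in /etc/passwd` could be fixed to "never uses" and "directory".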
Index: contrib/cygwin/ssh-host-config
==================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.32
diff -u -p -r1.32 ssh-host-config
--- contrib/cygwin/ssh-host-config 22 Jun 2012 12:02:43 -0000 1.32
+++ contrib/cygwin/ssh-host-config 2 Jul 2013 08:16:43 -0000
@@ -606,9 +606,9 @@ do
echo " --no -n Answer all questions with
\"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as
value for CYGWIN environment var."
echo " --port -p <n> sshd listens on port n."
- echo " --user -u <account> privileged user for
service."
+ echo " --user -u <account> privileged user for service,
default 'cyg_server'."
echo " --pwd -w <passwd> Use \"pwd\" as password
for privileged user."
- echo " --privileged On Windows NT/2k/XP, require privileged
user"
+ echo " --privileged On Windows XP, require privileged
user"
echo " instead of LocalSystem for sshd
service."
echo
exit 1
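Review bot: the added help text `default 'cyg_server'` documents a default that this hunk does not show being set; please double-check that the literal printed here matches the default actually assigned in ssh-host-config (or in the csih code it relies on), since the README hunk above now repeats the same literal and the two would drift silently if the script's default were ever changed. The narrowing of `--privileged` from "Windows NT/2k/XP" to "Windows XP" is consistent with the removal of the NT/2k and 9x/Me notes from the README.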
Index: contrib/cygwin/ssh-user-config
==================================================================
RCS file: /cvs/openssh/contrib/cygwin/ssh-user-config,v
retrieving revision 1.8
diff -u -p -r1.8 ssh-user-config
--- contrib/cygwin/ssh-user-config 6 Feb 2011 02:31:25 -0000 1.8
+++ contrib/cygwin/ssh-user-config 2 Jul 2013 08:16:43 -0000
@@ -222,10 +222,6 @@ do
shift
;;
- --privileged )
- csih_FORCE_PRIVILEGED_USER=yes
- ;;
-
*)
echo "usage: ${PROGNAME} [OPTION]..."
echo
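Review bot: removing the `--privileged )` case means an invocation of ssh-user-config that still passes `--privileged` now falls through to the `*)` branch, prints the usage text and exits 1 instead of being accepted; if existing unattended setups use the option, consider accepting and ignoring it for a transition period with a short deprecation message. Please also confirm that nothing else in ssh-user-config, or in the csih code it sources, still reads `csih_FORCE_PRIVILEGED_USER`, otherwise its value is now taken from whatever the caller's environment happens to contain.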
@@ -236,8 +232,6 @@ do
echo " --yes -y Answer all questions with
\"yes\" automatically."
echo " --no -n Answer all questions with
\"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase
automatically."
- echo " --privileged On Windows NT/2k/XP, assume
privileged user"
- echo " instead of LocalSystem for sshd
service."
echo
exit 1
;;
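Review bot: the help-text removal matches the option handler removed in the previous hunk, so the usage output and the accepted options stay in sync; no further change needed here. For the remaining `--passphrase -p word` line, the same caveat as for `--pwd` in ssh-host-config applies: a passphrase on the command line is visible in the process list and shell history, which is worth a word in the help text or README.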
--
Corinna Vinschen
Cygwin Maintainer
Red Hat