Hi,
would you mind to apply the below patch? It fixes Cygwin's
ssh-host-config script in various ways:
- Remove old code to remove the "sshd/22" entry from /etc/services.
This code fixes a problem which only existed in installations which
are more than 10 years old.
- Handle the StrictMode setting interactively.
- Fix regular expressions looking for white spaces.
- Make the script independent of whether /etc/passwd exists or not.
This allows to run ssh-host-config under the upcoming Cygwin
release 1.7.30, which will introduce the passwd/group handling
via the existing Windows account databases (SAM/AD).
Thanks,
Corinna
Index: contrib/cygwin/ssh-host-config
==================================================================RCS file:
/cvs/openssh/contrib/cygwin/ssh-host-config,v
retrieving revision 1.34
diff -u -p -r1.34 ssh-host-config
--- contrib/cygwin/ssh-host-config 8 Nov 2013 13:19:23 -0000 1.34
+++ contrib/cygwin/ssh-host-config 15 May 2014 08:46:20 -0000
@@ -34,6 +34,7 @@ declare -a csih_required_commands=(
/usr/bin/mv coreutils
/usr/bin/rm coreutils
/usr/bin/cygpath cygwin
+ /usr/bin/mkpasswd cygwin
/usr/bin/mount cygwin
/usr/bin/ps cygwin
/usr/bin/setfacl cygwin
@@ -59,8 +60,9 @@ PREFIX=/usr
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
+sshd_config_configured=no
port_number=22
-privsep_configured=no
+strictmodes=yes
privsep_used=yes
cygwin_value=""
user_account@@ -89,28 +91,8 @@ update_services_file() {
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
- # Remove sshd 22/port from services
- if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}";
echo $?` -eq 0 ]
- then
- /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" >
"${_serv_tmp}"
- if [ -f "${_serv_tmp}" ]
- then
- if /usr/bin/mv "${_serv_tmp}" "${_services}"
- then
- csih_inform "Removing sshd from ${_wservices}"
- else
- csih_warning "Removing sshd from ${_wservices} failed!"
- let ++ret
- fi
- /usr/bin/rm -f "${_serv_tmp}"
- else
- csih_warning "Removing sshd from ${_wservices} failed!"
- let ++ret
- fi
- fi
-
# Add ssh 22/tcp and ssh 22/udp to services
- if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}";
echo $?` -ne 0 ]
+ if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22'
"${_services}"; echo $?` -ne 0 ]
then
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh
22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh
22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0;
}' < "${_services}" > "${_serv_tmp}"
then
@@ -132,17 +114,45 @@ update_services_file() {
} # --- End of update_services_file --- #
# =====================================================================+#
Routine: sshd_strictmodes
+# MODIFIES: strictmodes
+#
=====================================================================+sshd_strictmodes()
{
+ if [ "${sshd_config_configured}" != "yes" ]
+ then
+ echo
+ csih_inform "StrictModes is set to 'yes' by default."
+ csih_inform "This is the recommended setting, but it requires that the
POSIX"
+ csih_inform "permissions of the user's home directory, the
user's .ssh"
+ csih_inform "directory, and the user's ssh key files are tight so
that"
+ csih_inform "only the user has write permissions."
+ csih_inform "On the other hand, StrictModes don't work well with
default"
+ csih_inform "Windows permissions of a home directory mounted with
the"
+ csih_inform "'noacl' option, and they don't work at all if
the home"
+ csih_inform "directory is on a FAT or FAT32 partition."
+ if ! csih_request "Should StrictModes be used?"
+ then
+ strictmodes=no
+ fi
+ fi
+ return 0
+}
+
+# ===================================================================== #
Routine: sshd_privsep
-# MODIFIES: privsep_configured privsep_used
+# MODIFIES: privsep_used
# =====================================================================
sshd_privsep() {
- local sshdconfig_tmp
local ret=0
- if [ "${privsep_configured}" != "yes" ]
+ if [ "${sshd_config_configured}" != "yes" ]
then
- csih_inform "Privilege separation is set to yes by default since
OpenSSH 3.3."
- csih_inform "However, this requires a non-privileged account called
'sshd'."
+ echo
+ csih_inform "Privilege separation is set to 'sandbox' by
default since"
+ csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be
set"
+ csih_inform "to 'yes' or 'no'."
+ csih_inform "However, using privilege separation requires a
non-privileged account"
+ csih_inform "called 'sshd'."
csih_inform "For more info on privilege separation read
/usr/share/doc/openssh/README.privsep."
if csih_request "Should privilege separation be used?"
then
@@ -159,36 +169,53 @@ sshd_privsep() {
privsep_used=no
fi
fi
+ return $ret
+} # --- End of sshd_privsep --- #
+
+# =====================================================================+#
Routine: sshd_config_tweak
+#
=====================================================================+sshd_config_tweak()
{
+ local ret=0
- # Create default sshd_config from skeleton files in /etc/defaults/etc or
- # modify to add the missing privsep configuration option
- if /usr/bin/cmp "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null
2>&1
- then
- csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
- sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
- /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation
${privsep_used}/
- s/^#Port 22/Port ${port_number}/
- s/^#StrictModes yes/StrictModes no/" \
- < ${SYSCONFDIR}/sshd_config \
- > "${sshdconfig_tmp}"
- if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+ # Modify sshd_config
+ csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+ if [ "${port_number}" -ne 22 ]
+ then
+ /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port
${port_number}/" \
+ ${SYSCONFDIR}/sshd_config
+ if [ $? -ne 0 ]
then
- csih_warning "Setting privilege separation to 'yes' failed!"
- csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
- let ++ret
+ csih_warning "Setting listening port to ${port_number} failed!"
+ csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+ let ++ret
fi
- elif [ "${privsep_configured}" != "yes" ]
+ fi
+ if [ "${strictmodes}" = "no" ]
then
- echo >> ${SYSCONFDIR}/sshd_config
- if ! echo "UsePrivilegeSeparation ${privsep_used}" >>
${SYSCONFDIR}/sshd_config
+ /usr/bin/sed -i -e
"s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
+ ${SYSCONFDIR}/sshd_config
+ if [ $? -ne 0 ]
then
- csih_warning "Setting privilege separation to 'yes' failed!"
- csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
- let ++ret
+ csih_warning "Setting StrictModes to 'no' failed!"
+ csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+ let ++ret
+ fi
+ fi
+ if [ "${sshd_config_configured}" != "yes" ]
+ then
+ /usr/bin/sed -i -e "
+ s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation
${privsep_used}/" \
+ ${SYSCONFDIR}/sshd_config
+ if [ $? -ne 0 ]
+ then
+ csih_warning "Setting privilege separation failed!"
+ csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+ let ++ret
fi
fi
return $ret
-} # --- End of sshd_privsep --- #
+} # --- End of sshd_config_tweak --- #
# ===================================================================== #
Routine: update_inetd_conf
@@ -207,11 +234,11 @@ update_inetd_conf() {
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
- /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" &&
_with_comment=0
+ /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}"
&& _with_comment=0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
- if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}";
echo $?` -eq 0 ]
+ if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}";
echo $?) -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >>
"${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +263,9 @@ update_inetd_conf() {
then
if [ "${_with_comment}" -eq 0 ]
then
- /usr/bin/sed -e 's/@COMMENT@[ \t]*//' <
"${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+ /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' <
"${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
else
- /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' <
"${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+ /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' <
"${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
fi
if /usr/bin/mv "${_sshd_inetd_conf_tmp}"
"${_sshd_inetd_conf}"
then
@@ -251,13 +278,13 @@ update_inetd_conf() {
elif [ -f "${_inetcnf}" ]
then
- /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" &&
_with_comment=0
+ /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}"
&& _with_comment=0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
- if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo
$?` -eq 0 ]
+ if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd'
"${_inetcnf}"; echo $?` -eq 0 ]
then
- /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >>
"${_inetcnf_tmp}"
+ /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}"
>> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +332,26 @@ check_service_files_ownership() {
if [ -z "${run_service_as}" ]
then
- accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account
*: *//gp')
+ accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
+ /usr/bin/sed -ne 's/^Account *: *//gp')
if [ "${accnt_name}" = "LocalSystem" ]
then
# Convert "LocalSystem" to "SYSTEM" as is the correct
account name
- accnt_name="SYSTEM:"
- elif [[ "${accnt_name}" =~ ^\.\\ ]]
- then
- # Convert "." domain to local machine name
- accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+ run_service_as="SYSTEM"
+ else
+ dom="${accnt_name%%\\*}"
+ accnt_name="${accnt_name#*\\}"
+ if [ "${dom}" = '.' ]
+ then
+ # Check local account
+ run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
+ /usr/bin/awk -F: '{print $1;}')
+ else
+ # Check domain
+ run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u
"${accnt_name}" |
+ /usr/bin/awk -F: '{print $1;}')
+ fi
fi
- run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd |
/usr/bin/awk -F: '{print $1;}')
if [ -z "${run_service_as}" ]
then
csih_warning "Couldn't determine name of user running sshd
service from /etc/passwd!"
@@ -672,6 +708,7 @@ then
fi
# generate missing host keys
+csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || let warning_cnt+=$?
# handle ssh_config
@@ -690,10 +727,11 @@ fi
csih_install_config "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults" || let ++warning_cnt
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config"
"${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null
2>&1
then
- /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config &&
privsep_configured=yes
+ sshd_config_configured=yes
fi
+sshd_strictmodes || let warning_cnt+=$?
sshd_privsep || let warning_cnt+=$?
-
+sshd_config_tweak || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?
--
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140515/9abeccaa/attachment.bin>
Ping? Thanks, Corinna On May 15 10:58, Corinna Vinschen wrote:> Hi, > > would you mind to apply the below patch? It fixes Cygwin's > ssh-host-config script in various ways: > > - Remove old code to remove the "sshd/22" entry from /etc/services. > This code fixes a problem which only existed in installations which > are more than 10 years old. > > - Handle the StrictMode setting interactively. > > - Fix regular expressions looking for white spaces. > > - Make the script independent of whether /etc/passwd exists or not. > This allows to run ssh-host-config under the upcoming Cygwin > release 1.7.30, which will introduce the passwd/group handling > via the existing Windows account databases (SAM/AD). > > > Thanks, > Corinna > > > Index: contrib/cygwin/ssh-host-config > ==================================================================> RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v > retrieving revision 1.34 > diff -u -p -r1.34 ssh-host-config > --- contrib/cygwin/ssh-host-config 8 Nov 2013 13:19:23 -0000 1.34 > +++ contrib/cygwin/ssh-host-config 15 May 2014 08:46:20 -0000 > @@ -34,6 +34,7 @@ declare -a csih_required_commands=( > /usr/bin/mv coreutils > /usr/bin/rm coreutils > /usr/bin/cygpath cygwin > + /usr/bin/mkpasswd cygwin > /usr/bin/mount cygwin > /usr/bin/ps cygwin > /usr/bin/setfacl cygwin > @@ -59,8 +60,9 @@ PREFIX=/usr > SYSCONFDIR=/etc > LOCALSTATEDIR=/var > > +sshd_config_configured=no > port_number=22 > -privsep_configured=no > +strictmodes=yes > privsep_used=yes > cygwin_value="" > user_account> @@ -89,28 +91,8 @@ update_services_file() { > # Depends on the above mount > _wservices=`cygpath -w "${_services}"` > > - # Remove sshd 22/port from services > - if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] > - then > - /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" > - if [ -f "${_serv_tmp}" ] > - then > - if /usr/bin/mv "${_serv_tmp}" "${_services}" > - then > - csih_inform "Removing sshd from ${_wservices}" > - else > - csih_warning "Removing sshd from ${_wservices} failed!" > - let ++ret > - fi > - /usr/bin/rm -f "${_serv_tmp}" > - else > - csih_warning "Removing sshd from ${_wservices} failed!" > - let ++ret > - fi > - fi > - > # Add ssh 22/tcp and ssh 22/udp to services > - if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] > + if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ] > then > if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" > then > @@ -132,17 +114,45 @@ update_services_file() { > } # --- End of update_services_file --- # > > # =====================================================================> +# Routine: sshd_strictmodes > +# MODIFIES: strictmodes > +# =====================================================================> +sshd_strictmodes() { > + if [ "${sshd_config_configured}" != "yes" ] > + then > + echo > + csih_inform "StrictModes is set to 'yes' by default." > + csih_inform "This is the recommended setting, but it requires that the POSIX" > + csih_inform "permissions of the user's home directory, the user's .ssh" > + csih_inform "directory, and the user's ssh key files are tight so that" > + csih_inform "only the user has write permissions." > + csih_inform "On the other hand, StrictModes don't work well with default" > + csih_inform "Windows permissions of a home directory mounted with the" > + csih_inform "'noacl' option, and they don't work at all if the home" > + csih_inform "directory is on a FAT or FAT32 partition." > + if ! csih_request "Should StrictModes be used?" > + then > + strictmodes=no > + fi > + fi > + return 0 > +} > + > +# =====================================================================> # Routine: sshd_privsep > -# MODIFIES: privsep_configured privsep_used > +# MODIFIES: privsep_used > # =====================================================================> sshd_privsep() { > - local sshdconfig_tmp > local ret=0 > > - if [ "${privsep_configured}" != "yes" ] > + if [ "${sshd_config_configured}" != "yes" ] > then > - csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3." > - csih_inform "However, this requires a non-privileged account called 'sshd'." > + echo > + csih_inform "Privilege separation is set to 'sandbox' by default since" > + csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set" > + csih_inform "to 'yes' or 'no'." > + csih_inform "However, using privilege separation requires a non-privileged account" > + csih_inform "called 'sshd'." > csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." > if csih_request "Should privilege separation be used?" > then > @@ -159,36 +169,53 @@ sshd_privsep() { > privsep_used=no > fi > fi > + return $ret > +} # --- End of sshd_privsep --- # > + > +# =====================================================================> +# Routine: sshd_config_tweak > +# =====================================================================> +sshd_config_tweak() { > + local ret=0 > > - # Create default sshd_config from skeleton files in /etc/defaults/etc or > - # modify to add the missing privsep configuration option > - if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 > - then > - csih_inform "Updating ${SYSCONFDIR}/sshd_config file" > - sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$ > - /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ > - s/^#Port 22/Port ${port_number}/ > - s/^#StrictModes yes/StrictModes no/" \ > - < ${SYSCONFDIR}/sshd_config \ > - > "${sshdconfig_tmp}" > - if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config > + # Modify sshd_config > + csih_inform "Updating ${SYSCONFDIR}/sshd_config file" > + if [ "${port_number}" -ne 22 ] > + then > + /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \ > + ${SYSCONFDIR}/sshd_config > + if [ $? -ne 0 ] > then > - csih_warning "Setting privilege separation to 'yes' failed!" > - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" > - let ++ret > + csih_warning "Setting listening port to ${port_number} failed!" > + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" > + let ++ret > fi > - elif [ "${privsep_configured}" != "yes" ] > + fi > + if [ "${strictmodes}" = "no" ] > then > - echo >> ${SYSCONFDIR}/sshd_config > - if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config > + /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \ > + ${SYSCONFDIR}/sshd_config > + if [ $? -ne 0 ] > then > - csih_warning "Setting privilege separation to 'yes' failed!" > - csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" > - let ++ret > + csih_warning "Setting StrictModes to 'no' failed!" > + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" > + let ++ret > + fi > + fi > + if [ "${sshd_config_configured}" != "yes" ] > + then > + /usr/bin/sed -i -e " > + s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \ > + ${SYSCONFDIR}/sshd_config > + if [ $? -ne 0 ] > + then > + csih_warning "Setting privilege separation failed!" > + csih_warning "Check your ${SYSCONFDIR}/sshd_config file!" > + let ++ret > fi > fi > return $ret > -} # --- End of sshd_privsep --- # > +} # --- End of sshd_config_tweak --- # > > # =====================================================================> # Routine: update_inetd_conf > @@ -207,11 +234,11 @@ update_inetd_conf() { > # we have inetutils-1.5 inetd.d support > if [ -f "${_inetcnf}" ] > then > - /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0 > + /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0 > > # check for sshd OR ssh in top-level inetd.conf file, and remove > # will be replaced by a file in inetd.d/ > - if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ] > + if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ] > then > /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}" > if [ -f "${_inetcnf_tmp}" ] > @@ -236,9 +263,9 @@ update_inetd_conf() { > then > if [ "${_with_comment}" -eq 0 ] > then > - /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" > + /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" > else > - /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" > + /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}" > fi > if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}" > then > @@ -251,13 +278,13 @@ update_inetd_conf() { > > elif [ -f "${_inetcnf}" ] > then > - /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0 > + /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0 > > # check for sshd in top-level inetd.conf file, and remove > # will be replaced by a file in inetd.d/ > - if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] > + if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] > then > - /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" > + /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" > if [ -f "${_inetcnf_tmp}" ] > then > if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}" > @@ -305,17 +332,26 @@ check_service_files_ownership() { > > if [ -z "${run_service_as}" ] > then > - accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp') > + accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | > + /usr/bin/sed -ne 's/^Account *: *//gp') > if [ "${accnt_name}" = "LocalSystem" ] > then > # Convert "LocalSystem" to "SYSTEM" as is the correct account name > - accnt_name="SYSTEM:" > - elif [[ "${accnt_name}" =~ ^\.\\ ]] > - then > - # Convert "." domain to local machine name > - accnt_name="U-${COMPUTERNAME}${accnt_name#.}," > + run_service_as="SYSTEM" > + else > + dom="${accnt_name%%\\*}" > + accnt_name="${accnt_name#*\\}" > + if [ "${dom}" = '.' ] > + then > + # Check local account > + run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" | > + /usr/bin/awk -F: '{print $1;}') > + else > + # Check domain > + run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" | > + /usr/bin/awk -F: '{print $1;}') > + fi > fi > - run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}') > if [ -z "${run_service_as}" ] > then > csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!" > @@ -672,6 +708,7 @@ then > fi > > # generate missing host keys > +csih_inform "Generating missing SSH host keys" > /usr/bin/ssh-keygen -A || let warning_cnt+=$? > > # handle ssh_config > @@ -690,10 +727,11 @@ fi > csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt > if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1 > then > - /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes > + sshd_config_configured=yes > fi > +sshd_strictmodes || let warning_cnt+=$? > sshd_privsep || let warning_cnt+=$? > - > +sshd_config_tweak || let warning_cnt+=$? > update_services_file || let warning_cnt+=$? > update_inetd_conf || let warning_cnt+=$? > install_service || let warning_cnt+=$? > > -- > Corinna Vinschen > Cygwin Maintainer > Red Hat> _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140521/08a46ba4/attachment-0001.bin>
Possibly Parallel Threads
- [PATCH/cygwin]: Revised sshh-host-config script
- [patch/Cygwin]: Simplify host key generation in ssh-host-config script
- [PATCH 2/2] Cygwin: only tweak sshd_config file if it's new, drop creating sshd user
- [patch/cygwin]: Remove setting extra permissions on system directories
- [PATCH] contrib/cygwin/ssh-host-config: Improve support for automated updates