Patch: Solaris packages don't create privsep user or group

William R. Knox wknox at mitre.org
Wed Jul 17 07:09:57 EST 2002


Here are the checkinstall script and the postinstall script that I use in
my openssh package for Solaris. They create the keys and the group and
user for ssh (sshd), and, if the package is being installed in a different
root, create an init script that will run these things and then remove
itself on the next reboot. Feel free to use any part of this. The
/var/empty directory is, by the way, installed by the package itself.

			Bill Knox
			Senior Operating Systems Programmer/Analyst
			The MITRE Corporation

On Tue, 16 Jul 2002, Ben Lindstrom wrote:

> Date: Tue, 16 Jul 2002 15:20:17 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> To: Jim Knoble <jmknoble at pobox.com>
> Cc: OpenSSH Devel List <openssh-unix-dev at mindrot.org>
> Subject: Re: Patch: Solaris packages don't create privsep user or group
>
>
>
> On Tue, 16 Jul 2002, Jim Knoble wrote:
>
> > Circa 2002-Jul-16 10:50:30 +1000 dixit Darren Tucker:
> >
> > : Darren Tucker wrote:
> > : > Ben Lindstrom wrote:
> > : > > Hmm.. Does this work with JumpStart?  Can you add users at install time?
> > : >
> > : > I didn't even consider that. We use jumpstart to build machines but
> > : > don't install sshd until after the first boot (ie not in the
> > : > finish_script). I'll try to dig up some spare hardware to try it.
> > :
> > : OK I can confirm that it does NOT work with Jumpstart. useradd and
> > : groupadd try to modify the read-only files on the jumpstart NFS image.
> > :
> > : Should we:
> > : (a) move them to the /etc/init.d/openssh script same as the keygens
> > : (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd
> > : (c) chroot tricks?
> > : (d) ?
> > :
> > : I prefer (a).
> >
> > My preference would be:
> >
> >   (d) Move them to an 'openssh-setup' script that does the following:
> >
>
> Admin required to manually run it, or a form of SysV 'first time' startup
> script?
>
> - Ben
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
-------------- next part: postinstall script --------------
# postinstall script for the MTopenssh package.
# PRIVSEPGROUP and PRIVSEPUSER (0 = absent, 1 = present) come from the
# checkinstall script, which greps the target root's group and passwd files.
if [ "$PKG_INSTALL_ROOT" = "/" -o "$PKG_INSTALL_ROOT" = "" ]; then
	# Installing into the live system: create the privsep group and user now.
	if [ ${PRIVSEPGROUP} -eq 0 ]; then
		echo "Adding PrivSep group sshd"
		groupadd -g 60000 sshd
	else
		echo "PrivSep group sshd already exists"
	fi
	if [ ${PRIVSEPUSER} -eq 0 ]; then
		echo "Adding PrivSep user sshd"
		useradd -u 60000 -g sshd -c 'OpenSSH Privilege Separation user' -d /var/empty -s /bin/false sshd
	else
		echo "PrivSep user sshd already exists"
	fi
	# Register the host key files with the package database so pkgrm removes them.
	installf MTopenssh /usr/local/etc/ssh_host_key
	installf MTopenssh /usr/local/etc/ssh_host_key.pub
	installf MTopenssh /usr/local/etc/ssh_host_rsa_key
	installf MTopenssh /usr/local/etc/ssh_host_rsa_key.pub
	installf MTopenssh /usr/local/etc/ssh_host_dsa_key
	installf MTopenssh /usr/local/etc/ssh_host_dsa_key.pub
	# ssh-keygen writes private keys 0600 itself; the umask governs the .pub files.
	umask 022
	if test -f /usr/local/etc/ssh_host_key; then
		echo "You already have a host key in $PKG_INSTALL_ROOT/usr/local/etc/ssh_host_key."
	else
		echo "Generating protocol level 1 host key."
		/usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ''
	fi
	if test -f /usr/local/etc/ssh_host_rsa_key; then
		echo "You already have a host key in $PKG_INSTALL_ROOT/usr/local/etc/ssh_host_rsa_key."
	else
		echo "Generating protocol level 2 RSA host key."
		/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ''
	fi
	if test -f /usr/local/etc/ssh_host_dsa_key; then
		echo "You already have a host key in $PKG_INSTALL_ROOT/usr/local/etc/ssh_host_dsa_key."
	else
		echo "Generating protocol level 2 DSA host key."
		/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ''
	fi
	# Finalize the installf registrations made above.
	installf -f MTopenssh
	cat <<EOF
---
In order to start OpenSSH at this time, run the init script, i.e.
/etc/init.d/sshd.rc start
---
EOF

else
	# Installing into an alternate root (for example a JumpStart image):
	# the group, user and keys are created on the first boot instead, by a
	# one-shot rc2 script that removes itself when it has finished.
	TEMP_INIT_SCRIPT="$PKG_INSTALL_ROOT/etc/rc2.d/S84ssh_key_gen"
	if [ -s "$TEMP_INIT_SCRIPT" ]; then
		cat <<EOF
Cannot write out /etc/rc2.d/S84ssh_key_gen to create key files upon next
reboot as the file already exists. Upon reboot, generate the various key
files you need with these commands:

/usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ''
/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ''
/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ''
EOF
	else
		cat << EOF
Creating an init script at $PKG_INSTALL_ROOT/etc/rc2.d/S84ssh_key_gen to
create the necessary host keys when you reboot
EOF
		# The heredoc delimiter is unquoted on purpose: PRIVSEPGROUP and
		# PRIVSEPUSER are expanded now, so the generated script carries the
		# values found in the alternate root at install time.
		cat > "$TEMP_INIT_SCRIPT" <<EOF
#!/sbin/sh
# One-shot first-boot script written by the MTopenssh postinstall.
if [ ${PRIVSEPGROUP} -eq 0 ]; then
	echo "Adding PrivSep group sshd"
	groupadd -g 60000 sshd
else
	echo "PrivSep group sshd already exists"
fi
if [ ${PRIVSEPUSER} -eq 0 ]; then
	echo "Adding PrivSep user sshd"
	useradd -u 60000 -g sshd -c 'OpenSSH Privilege Separation user' -d /var/empty -s /bin/false sshd
else
	echo "PrivSep user sshd already exists"
fi
installf MTopenssh /usr/local/etc/ssh_host_key
installf MTopenssh /usr/local/etc/ssh_host_key.pub
installf MTopenssh /usr/local/etc/ssh_host_rsa_key
installf MTopenssh /usr/local/etc/ssh_host_rsa_key.pub
installf MTopenssh /usr/local/etc/ssh_host_dsa_key
installf MTopenssh /usr/local/etc/ssh_host_dsa_key.pub
# Same umask as the live-system branch, so the .pub files come out 0644.
umask 022
if test -f /usr/local/etc/ssh_host_key; then
	echo "You already have a host key in /usr/local/etc/ssh_host_key."
else
	echo "Generating protocol level 1 host key."
	/usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ''
fi
if test -f /usr/local/etc/ssh_host_rsa_key; then
	echo "You already have a host key in /usr/local/etc/ssh_host_rsa_key."
else
	echo "Generating protocol level 2 RSA host key."
	/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ''
fi
if test -f /usr/local/etc/ssh_host_dsa_key; then
	echo "You already have a host key in /usr/local/etc/ssh_host_dsa_key."
else
	echo "Generating protocol level 2 DSA host key."
	/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ''
fi
installf -f MTopenssh
# Finished: remove this script so it does not run on later boots.
rm /etc/rc2.d/S84ssh_key_gen
EOF
		chmod 755 "$TEMP_INIT_SCRIPT"
	fi
fi

-------------- next part: checkinstall script --------------
# checkinstall script for the MTopenssh package. pkgadd runs it as an
# unprivileged user before installing anything, so it only inspects the
# target root; the assignments it writes to $1 (the response file) are
# exported into the environment of the postinstall script.
PRIVSEPUSER=0
PRIVSEPGROUP=0

# Treat "/" like an empty root so the paths below do not start with "//".
if [ "$PKG_INSTALL_ROOT" = "/" -o "$PKG_INSTALL_ROOT" = "" ]; then
	PKG_INSTALL_ROOT=""
fi

# Set to 1 if the sshd group / user already exist in the target root.
if grep "^sshd:" "${PKG_INSTALL_ROOT}/etc/group" > /dev/null 2>&1; then
	PRIVSEPGROUP=1
fi

if grep "^sshd:" "${PKG_INSTALL_ROOT}/etc/passwd" > /dev/null 2>&1; then
	PRIVSEPUSER=1
fi

# Hand the results back to pkgadd through the response file.
/bin/cat >"$1" <<!
PRIVSEPUSER=${PRIVSEPUSER}
PRIVSEPGROUP=${PRIVSEPGROUP}
!
exit 0
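The scripts above create the pieces that privilege separation needs; what an
administrator usually wants afterwards is a way to confirm they are actually in
place on a given root. The following POSIX sh checker is an added example, not
part of Bill Knox's package scripts or of OpenSSH. It takes an install root the
way PKG_INSTALL_ROOT does ("" or "/" meaning the live system) and reports the
same things the scripts set up: the sshd group entry, the sshd user with home
/var/empty and shell /bin/false, the /var/empty directory not being group- or
world-writable, and each host key under /usr/local/etc present with mode 0600
and a .pub file beside it. The function names `check_privsep_root` and
`make_fixture_root` are mine, and the fixture root the demo builds is a
constructed throwaway directory, not a real system, which is also why the
example does not assert that /var/empty is owned by root (sshd does check that).

```shell
#!/bin/sh
# Added example (not from the package scripts above): verify the privilege
# separation prerequisites under an install root.

# Print one line per problem found; return 0 only when everything is in place.
check_privsep_root() {
    r=$1
    [ "$r" = "/" ] && r=""
    rc=0

    # Group: the checkinstall script tests for "^sshd:" in etc/group.
    if ! grep '^sshd:' "$r/etc/group" >/dev/null 2>&1; then
        echo "missing: sshd group in $r/etc/group"; rc=1
    fi

    # User: must exist with the home and non-interactive shell that the
    # useradd line in the postinstall script assigns.
    entry=$(grep '^sshd:' "$r/etc/passwd" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "missing: sshd user in $r/etc/passwd"; rc=1
    else
        home=$(echo "$entry" | cut -d: -f6)
        shell=$(echo "$entry" | cut -d: -f7)
        [ "$home" = "/var/empty" ] || { echo "bad: sshd home is $home, expected /var/empty"; rc=1; }
        [ "$shell" = "/bin/false" ] || { echo "bad: sshd shell is $shell, expected /bin/false"; rc=1; }
    fi

    # Privsep chroot directory: must exist and must not be writable by group
    # or others (characters 6 and 9 of the ls mode string).
    if [ ! -d "$r/var/empty" ]; then
        echo "missing: $r/var/empty directory"; rc=1
    else
        mode=$(ls -ld "$r/var/empty" | cut -c1-10)
        case $mode in
            d????-??-?) ;;
            *) echo "bad: $r/var/empty mode $mode is group/world writable"; rc=1 ;;
        esac
    fi

    # Host keys: each private key the postinstall script generates must be
    # readable by its owner only, with the public half next to it.
    for key in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        priv="$r/usr/local/etc/$key"
        if [ ! -f "$priv" ]; then
            echo "missing: $priv"; rc=1
            continue
        fi
        mode=$(ls -l "$priv" | cut -c1-10)
        [ "$mode" = "-rw-------" ] || { echo "bad: $priv mode $mode, expected -rw-------"; rc=1; }
        [ -f "$priv.pub" ] || { echo "missing: $priv.pub"; rc=1; }
    done
    return $rc
}

# Build a constructed install root (a throwaway temp directory, not a real
# system) laid out the way the postinstall script leaves one; echo its path.
make_fixture_root() {
    fx=$(mktemp -d) || return 1
    mkdir -p "$fx/etc" "$fx/var/empty" "$fx/usr/local/etc"
    echo 'sshd::60000:' >> "$fx/etc/group"
    echo 'sshd:x:60000:60000:OpenSSH Privilege Separation user:/var/empty:/bin/false' >> "$fx/etc/passwd"
    chmod 755 "$fx/var/empty"
    for key in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        echo "constructed placeholder, not a real key" > "$fx/usr/local/etc/$key"
        chmod 600 "$fx/usr/local/etc/$key"
        echo "constructed placeholder public key" > "$fx/usr/local/etc/$key.pub"
    done
    echo "$fx"
}

# Stand-alone demo: build the constructed root, check it, then remove it.
demo_root=$(make_fixture_root)
check_privsep_root "$demo_root" && echo "privsep prerequisites present under $demo_root"
rm -rf "$demo_root"
```

Against a real system you would run `check_privsep_root /` (or the alternate
root you installed into) after the first boot has executed the S84ssh_key_gen
script, and any non-zero return tells you which of the pieces the package was
supposed to leave behind is missing or too permissive.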
