[patch/cygwin] contrib/cygwin/ssh-host-config

Corinna Vinschen vinschen at redhat.com
Wed May 21 18:13:43 EST 2014


Ping?


Thanks,
Corinna


On May 15 10:58, Corinna Vinschen wrote:
> Hi,
> 
> would you mind applying the patch below?  It fixes Cygwin's
> ssh-host-config script in various ways:
> 
> - Remove old code to remove the "sshd/22" entry from /etc/services.
>   This code fixes a problem which only existed in installations which
>   are more than 10 years old.
> 
> - Handle the StrictMode setting interactively.
> 
> - Fix regular expressions looking for white spaces.
> 
> - Make the script independent of whether /etc/passwd exists or not.
>   This allows to run ssh-host-config under the upcoming Cygwin
>   release 1.7.30, which will introduce the passwd/group handling
>   via the existing Windows account databases (SAM/AD).
> 
> 
> Thanks,
> Corinna
> 
> 
> Index: contrib/cygwin/ssh-host-config
> ===================================================================
> RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v
> retrieving revision 1.34
> diff -u -p -r1.34 ssh-host-config
> --- contrib/cygwin/ssh-host-config	8 Nov 2013 13:19:23 -0000	1.34
> +++ contrib/cygwin/ssh-host-config	15 May 2014 08:46:20 -0000
> @@ -34,6 +34,7 @@ declare -a csih_required_commands=(
>    /usr/bin/mv coreutils
>    /usr/bin/rm coreutils
>    /usr/bin/cygpath cygwin
> +  /usr/bin/mkpasswd cygwin
>    /usr/bin/mount cygwin
>    /usr/bin/ps cygwin
>    /usr/bin/setfacl cygwin
> @@ -59,8 +60,9 @@ PREFIX=/usr
>  SYSCONFDIR=/etc
>  LOCALSTATEDIR=/var
>  
> +sshd_config_configured=no
>  port_number=22
> -privsep_configured=no
> +strictmodes=yes
>  privsep_used=yes
>  cygwin_value=""
>  user_account=
> @@ -89,28 +91,8 @@ update_services_file() {
>    # Depends on the above mount
>    _wservices=`cygpath -w "${_services}"`
>  
> -  # Remove sshd 22/port from services
> -  if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
> -  then
> -    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
> -    if [ -f "${_serv_tmp}" ]
> -    then
> -      if /usr/bin/mv "${_serv_tmp}" "${_services}"
> -      then
> -	csih_inform "Removing sshd from ${_wservices}"
> -      else
> -	csih_warning "Removing sshd from ${_wservices} failed!"
> -	let ++ret
> -      fi
> -      /usr/bin/rm -f "${_serv_tmp}"
> -    else
> -      csih_warning "Removing sshd from ${_wservices} failed!"
> -      let ++ret
> -    fi
> -  fi
> -
>    # Add ssh 22/tcp  and ssh 22/udp to services
> -  if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
> +  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
>    then
>      if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
>      then
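Review bot: The presence check on the changed `if` line is still unanchored at both ends, so `ssh[[:space:]][[:space:]]*22` also matches a commented-out `#ssh 22/tcp` line or a custom `ssh 2222/tcp` entry, and in either case the default port-22 entries are silently never added. Anchoring the pattern, `'^ssh[[:space:]][[:space:]]*22/'`, makes the test specific to an active port-22 entry. The awk insertion that follows keys on the `23/tcp` entry, so on a services file without a telnet line nothing is inserted either; that is pre-existing, but deserves a comment such as `# Insert before the telnet (23/tcp) entry; no-op if that line is missing`. update_services_file begins outside the hunk.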
> @@ -132,17 +114,45 @@ update_services_file() {
>  } # --- End of update_services_file --- #
>  
>  # ======================================================================
> +# Routine: sshd_strictmodes
> +#  MODIFIES: strictmodes
> +# ======================================================================
> +sshd_strictmodes() {
> +  if [ "${sshd_config_configured}" != "yes" ]
> +  then
> +    echo
> +    csih_inform "StrictModes is set to 'yes' by default."
> +    csih_inform "This is the recommended setting, but it requires that the POSIX"
> +    csih_inform "permissions of the user's home directory, the user's .ssh"
> +    csih_inform "directory, and the user's ssh key files are tight so that"
> +    csih_inform "only the user has write permissions."
> +    csih_inform "On the other hand, StrictModes don't work well with default"
> +    csih_inform "Windows permissions of a home directory mounted with the"
> +    csih_inform "'noacl' option, and they don't work at all if the home"
> +    csih_inform "directory is on a FAT or FAT32 partition."
> +    if ! csih_request "Should StrictModes be used?"
> +    then
> +      strictmodes=no
> +    fi
> +  fi
> +  return 0
> +}
> +
> +# ======================================================================
>  # Routine: sshd_privsep
> -#  MODIFIES: privsep_configured  privsep_used
> +#  MODIFIES: privsep_used
>  # ======================================================================
>  sshd_privsep() {
> -  local sshdconfig_tmp
>    local ret=0
>  
> -  if [ "${privsep_configured}" != "yes" ]
> +  if [ "${sshd_config_configured}" != "yes" ]
>    then
> -    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
> -    csih_inform "However, this requires a non-privileged account called 'sshd'."
> +    echo
> +    csih_inform "Privilege separation is set to 'sandbox' by default since"
> +    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
> +    csih_inform "to 'yes' or 'no'."
> +    csih_inform "However, using privilege separation requires a non-privileged account"
> +    csih_inform "called 'sshd'."
>      csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
>      if csih_request "Should privilege separation be used?"
>      then
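Review bot: The StrictModes prompt in `sshd_strictmodes` explains when the setting gets in the way but never states what answering 'no' gives up: with `StrictModes no`, sshd accepts an `authorized_keys` file or home directory that other local users can write to, so anyone with write access to those paths can add a key and log in as that user. One more line before the question, `csih_inform "If StrictModes is disabled, sshd will also accept authorized_keys files that other users can modify, so disable it only if the permissions cannot be fixed."`, makes the trade-off explicit to the administrator running the script. The function header should also say that the prompt is only shown while the shipped default config is still in place (`sshd_config_configured` not `yes`), since that gate decides whether `strictmodes` can ever become `no`. sshd_privsep continues past the end of the hunk.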
> @@ -159,36 +169,53 @@ sshd_privsep() {
>        privsep_used=no
>      fi
>    fi
> +  return $ret
> +} # --- End of sshd_privsep --- #
> +
> +# ======================================================================
> +# Routine: sshd_config_tweak
> +# ======================================================================
> +sshd_config_tweak() {
> +  local ret=0
>  
> -  # Create default sshd_config from skeleton files in /etc/defaults/etc or
> -  # modify to add the missing privsep configuration option
> -  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
> -  then
> -    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
> -    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
> -    /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
> -  	  s/^#Port 22/Port ${port_number}/
> -  	  s/^#StrictModes yes/StrictModes no/" \
> -	< ${SYSCONFDIR}/sshd_config \
> -	> "${sshdconfig_tmp}"
> -    if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
> +  # Modify sshd_config
> +  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
> +  if [ "${port_number}" -ne 22 ]
> +  then
> +    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
> +      ${SYSCONFDIR}/sshd_config
> +    if [ $? -ne 0 ]
>      then
> -	csih_warning "Setting privilege separation to 'yes' failed!"
> -	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
> -	let ++ret
> +      csih_warning "Setting listening port to ${port_number} failed!"
> +      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
> +      let ++ret
>      fi
> -  elif [ "${privsep_configured}" != "yes" ]
> +  fi
> +  if [ "${strictmodes}" = "no" ]
>    then
> -    echo >> ${SYSCONFDIR}/sshd_config
> -    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
> +    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
> +      ${SYSCONFDIR}/sshd_config
> +    if [ $? -ne 0 ]
>      then
> -	csih_warning "Setting privilege separation to 'yes' failed!"
> -	csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
> -	let ++ret
> +      csih_warning "Setting StrictModes to 'no' failed!"
> +      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
> +      let ++ret
> +    fi
> +  fi
> +  if [ "${sshd_config_configured}" != "yes" ]
> +  then
> +    /usr/bin/sed -i -e "
> +      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
> +      ${SYSCONFDIR}/sshd_config
> +    if [ $? -ne 0 ]
> +    then
> +      csih_warning "Setting privilege separation failed!"
> +      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
> +      let ++ret
>      fi
>    fi
>    return $ret
> -} # --- End of sshd_privsep --- #
> +} # --- End of sshd_config_tweak --- #
>  
>  # ======================================================================
>  # Routine: update_inetd_conf
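Review bot: In `sshd_config_tweak` each `sed -i` is followed by a `$?` check, but sed exits 0 whether or not the pattern matched, so the three `csih_warning` branches only fire on an I/O error; a config without a `#UsePrivilegeSeparation` line is left untouched and reported as success, whereas the removed code appended the directive in that case. Verifying the result rather than the sed status catches this, e.g. `/usr/bin/grep -q "^UsePrivilegeSeparation ${privsep_used}" ${SYSCONFDIR}/sshd_config || let ++ret`, and likewise for Port and StrictModes. The UsePrivilegeSeparation pattern also still uses a literal space, `s/^#\?UsePrivilegeSeparation .*/`, unlike the `[[:space:]]` forms used for Port and StrictModes just above, which is the very inconsistency the patch sets out to fix. The hunk opens inside sshd_privsep, whose body starts outside the hunk.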
> @@ -207,11 +234,11 @@ update_inetd_conf() {
>      # we have inetutils-1.5 inetd.d support
>      if [ -f "${_inetcnf}" ]
>      then
> -      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
> +      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
>  
>        # check for sshd OR ssh in top-level inetd.conf file, and remove
>        # will be replaced by a file in inetd.d/
> -      if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
> +      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
>        then
>  	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
>  	if [ -f "${_inetcnf_tmp}" ]
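Review bot: The changed `if` line keeps the old class `'^[# \t]*ssh'`, as does the `grep -v` two lines below, although the other grep on `_inetcnf` in this hunk was moved to `[[:space:]]`; in a POSIX bracket expression `\t` is a literal backslash and `t`, not a tab, so a tab-indented ssh entry is neither detected nor removed here. Using the form the later sshd hunk adopts, `'^#\?[[:space:]]*ssh'`, in both places keeps detection and removal in step. The backtick-to-`$()` switch on this line is also the only one in the patch; the sshd branch further down still uses backticks. update_inetd_conf begins outside the hunk.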
> @@ -236,9 +263,9 @@ update_inetd_conf() {
>      then
>        if [ "${_with_comment}" -eq 0 ]
>        then
> -	/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
> +	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
>        else
> -	/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
> +	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
>        fi
>        if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
>        then
> @@ -251,13 +278,13 @@ update_inetd_conf() {
>  
>    elif [ -f "${_inetcnf}" ]
>    then
> -    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
> +    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
>  
>      # check for sshd in top-level inetd.conf file, and remove
>      # will be replaced by a file in inetd.d/
> -    if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
> +    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
>      then
> -      /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
> +      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
>        if [ -f "${_inetcnf_tmp}" ]
>        then
>  	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
> @@ -305,17 +332,26 @@ check_service_files_ownership() {
>  
>    if [ -z "${run_service_as}" ]
>    then
> -    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
> +    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
> +    		 /usr/bin/sed -ne 's/^Account *: *//gp')
>      if [ "${accnt_name}" = "LocalSystem" ]
>      then
>        # Convert "LocalSystem" to "SYSTEM" as is the correct account name
> -      accnt_name="SYSTEM:"
> -    elif [[ "${accnt_name}" =~ ^\.\\ ]]
> -    then
> -      # Convert "." domain to local machine name
> -      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
> +      run_service_as="SYSTEM"
> +    else
> +      dom="${accnt_name%%\\*}"
> +      accnt_name="${accnt_name#*\\}"
> +      if [ "${dom}" = '.' ]
> +      then
> +	# Check local account
> +	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
> +			 /usr/bin/awk -F: '{print $1;}')
> +      else
> +      	# Check domain
> +	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
> +			 /usr/bin/awk -F: '{print $1;}')
> +      fi
>      fi
> -    run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
>      if [ -z "${run_service_as}" ]
>      then
>        csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
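Review bot: The warning on the last line of the hunk still says the service account could not be determined `from /etc/passwd!`, but the new code resolves it through `mkpasswd -l` / `mkpasswd -d` and no longer reads /etc/passwd at all; `csih_warning "Couldn't determine name of user running sshd service via mkpasswd!"` describes what was actually tried. `dom` is assigned without `local`, so unless it is declared above the hunk it leaks into the caller's scope; `local dom` next to the function's other locals fixes that. If cygrunsrv ever reports an account without a `DOMAIN\` prefix, `${accnt_name%%\\*}` leaves `dom` equal to the whole name and the domain branch queries a domain of that name — presumably not reachable today, but a `case "${accnt_name}" in *\\*)` guard would make the assumption explicit. check_service_files_ownership begins outside the hunk.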
> @@ -672,6 +708,7 @@ then
>  fi
>  
>  # generate missing host keys
> +csih_inform "Generating missing SSH host keys"
>  /usr/bin/ssh-keygen -A || let warning_cnt+=$?
>  
>  # handle ssh_config
> @@ -690,10 +727,11 @@ fi
>  csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
>  if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
>  then
> -  /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
> +  sshd_config_configured=yes
>  fi
> +sshd_strictmodes || let warning_cnt+=$?
>  sshd_privsep || let warning_cnt+=$?
> -
> +sshd_config_tweak || let warning_cnt+=$?
>  update_services_file || let warning_cnt+=$?
>  update_inetd_conf || let warning_cnt+=$?
>  install_service || let warning_cnt+=$?
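Review bot: `sshd_config_configured=yes` is now set whenever `sshd_config` differs from the shipped default in any way, whereas the removed line only set `privsep_configured` when an explicit `UsePrivilegeSeparation` directive was present. A config that was hand-edited for some other reason but still carries the default commented-out `#UsePrivilegeSeparation sandbox` therefore skips both the prompt and the rewrite in sshd_config_tweak, and sshd presumably keeps the 'sandbox' default that sshd_privsep's own message calls unsupported on Cygwin. Either keep a directive-level grep as the gate for the privilege-separation step, or add a comment above the `if`, `# Any customized sshd_config is left alone: no prompts, no rewrites`, so the new policy is stated rather than implied.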
> 
> -- 
> Corinna Vinschen
> Cygwin Maintainer
> Red Hat





-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat