ssh-user-config revision 197670
#!/bin/bash
#
# ssh-user-config, Copyright 2000-2008 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.

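# ======================================================================
# Initialization
# ======================================================================
# Resolve the script's own name and directory.  $0 is quoted because a
# Cygwin path may well contain spaces ("Documents and Settings"); the
# original unquoted expansion word-split such a path.  If the directory
# cannot be entered, PROGDIR ends up empty rather than pointing somewhere
# unrelated.
PROGNAME=$(basename -- "$0")
_tdir=$(dirname -- "$0")
PROGDIR=$(cd "${_tdir}" && pwd)

# Helper library; every csih_* command and the csih_auto_answer /
# csih_FORCE_PRIVILEGED_USER settings used below come from here.
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

# Fail early if the helper library is missing.  Without this guard a
# failed `source` only prints an error and the script carries on, with
# every csih_* call becoming "command not found" while the mkdir and
# ssh-keygen side effects still happen.
if [ ! -r "${CSIH_SCRIPT}" ]
then
  echo "${PROGNAME}: ${CSIH_SCRIPT} is missing or unreadable; cannot continue." >&2
  exit 1
fi
source "${CSIH_SCRIPT}"

# Defaults for the command-line options parsed further down.
auto_passphrase="no"   # not referenced anywhere else in this file; kept as-is
passphrase=""          # value given with -p/--passphrase
pwdhome=               # home directory from ${SYSCONFDIR}/passwd, set by check_user_homedir
with_passphrase=       # "yes" once -p/--passphrase has been given
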
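# ======================================================================
# Routine: create_identity
#   Shared worker for the three create_ssh*_identity routines below,
#   which previously carried three identical copies of this body.
#   optionally create ~/.ssh/<keyfile>[.pub] with ssh-keygen
#   optionally append the public half to ~/.ssh/authorized_keys
# ARGUMENTS:
#   $1 -- ssh-keygen key type (rsa1, rsa, dsa)
#   $2 -- key file name relative to ~/.ssh (identity, id_rsa, id_dsa)
#   $3 -- name used in the prompt, e.g. "SSH2 RSA"
# PREREQUISITE:
#   pwdhome                     -- check_user_homedir()
#   passphrase, with_passphrase -- option parsing
# RETURNS:
#   0 if the key existed already, was declined, or was created;
#   1 if ssh-keygen failed to produce the key pair.
# NOTE:
#   The passphrase is handed to ssh-keygen on its command line (-N), so
#   it is visible in the process list for the duration of the call and
#   is echoed by the shell trace when -d/--debug is active.  ssh-keygen
#   offers no stdin alternative for -N.
# ======================================================================
create_identity() {
  local keytype="$1"
  local keyfile="${pwdhome}/.ssh/$2"
  local label="$3"
  local -a keygen_args

  # Never overwrite an existing private key.
  if [ -f "${keyfile}" ]
  then
    return 0
  fi
  if ! csih_request "Shall I create an ${label} identity file for you?"
  then
    return 0
  fi

  csih_inform "Generating ${keyfile}"
  keygen_args=(-t "${keytype}" -f "${keyfile}")
  if [ "${with_passphrase}" = "yes" ]
  then
    keygen_args+=(-N "${passphrase}")
  fi
  # If generation failed (for instance because the installed ssh-keygen
  # does not support the requested key type) there is no public key to
  # authorize.  The original fell through and offered to append a
  # non-existent .pub file to authorized_keys.
  if ! ssh-keygen "${keygen_args[@]}" > /dev/null || [ ! -f "${keyfile}.pub" ]
  then
    csih_warning "Generating ${keyfile} failed; no identity was created."
    return 1
  fi

  if csih_request "Do you want to use this identity to login to this machine?"
  then
    csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
    cat "${keyfile}.pub" >> "${pwdhome}/.ssh/authorized_keys"
  fi
} # === End of create_identity() === #
readonly -f create_identity

# ======================================================================
# Routine: create_ssh1_identity
#   optionally create ~/.ssh/identity[.pub]
#   optionally add result to ~/.ssh/authorized_keys
# NOTE:
#   SSH protocol 1 (rsa1) keys are obsolete.  An ssh-keygen built
#   without protocol 1 support cannot generate them; create_identity
#   then reports the failure and creates nothing.
# ======================================================================
create_ssh1_identity() {
  create_identity rsa1 identity "SSH1 RSA"
} # === End of create_ssh1_identity() === #
readonly -f create_ssh1_identity

# ======================================================================
# Routine: create_ssh2_rsa_identity
#   optionally create ~/.ssh/id_rsa[.pub]
#   optionally add result to ~/.ssh/authorized_keys
# ======================================================================
create_ssh2_rsa_identity() {
  create_identity rsa id_rsa "SSH2 RSA"
} # === End of create_ssh2_rsa_identity() === #
readonly -f create_ssh2_rsa_identity

# ======================================================================
# Routine: create_ssh2_dsa_identity
#   optionally create ~/.ssh/id_dsa[.pub]
#   optionally add result to ~/.ssh/authorized_keys
# NOTE:
#   DSA (ssh-dss) is disabled by default in current OpenSSH releases;
#   prefer the RSA identity for logging in.
# ======================================================================
create_ssh2_dsa_identity() {
  create_identity dsa id_dsa "SSH2 DSA"
} # === End of create_ssh2_dsa_identity() === #
readonly -f create_ssh2_dsa_identity
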
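# ======================================================================
# Routine: check_user_homedir
#   Perform various checks on the user's home directory
# SETS GLOBAL VARIABLE:
#   pwdhome
# NOTES:
#   The home directory is read from ${SYSCONFDIR}/passwd rather than
#   $HOME because that is the entry sshd resolves ~/.ssh against.
#   csih_error_multi is expected to terminate the script (the checks
#   below rely on that; csih_warning by contrast returns, see the
#   explicit `exit 1` after it).
# ======================================================================
check_user_homedir() {
  local uid
  local changed

  uid=$(id -u)
  # Pass the uid in with -v instead of splicing it into the awk program
  # text, and stop at the first match so that a duplicated uid cannot
  # turn pwdhome into a multi-line string.
  pwdhome=$(awk -F: -v uid="${uid}" '$3 == uid { print $6; exit }' "${SYSCONFDIR}/passwd")
  if [ -z "${pwdhome}" ]
  then
    csih_error_multi \
      "There is no home directory set for you in ${SYSCONFDIR}/passwd." \
      'Setting $HOME is not sufficient!'
  fi

  if [ ! -d "${pwdhome}" ]
  then
    csih_error_multi \
      "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
      'but it is not a valid directory. Cannot create user identity files.'
  fi

  # If home is the root dir, set home to empty string so the later
  # "${pwdhome}/.ssh" expansions yield "/.ssh" rather than "//.ssh".
  if [ "${pwdhome}" = "/" ]
  then
    # But first raise a warning!
    csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
    if csih_request "Would you like to proceed anyway?"
    then
      pwdhome=''
    else
      csih_warning "Exiting. Configuration is not complete"
      exit 1
    fi
  fi

  # sshd's StrictModes refuses public key authentication when the home
  # directory is group- or world-writable, so revoke those bits and warn
  # only when chmod -c reports an actual change.
  # The original guard `[ -d ... -a csih_is_nt -a -n ... ]` never ran the
  # csih helper: a bare word inside [ ] is a non-empty-string test, which
  # is always true.  Invoke it as a command instead (csih_is_nt is
  # assumed to be a csih function returning success on NT -- confirm
  # against the csih version in use).  Running chmod inside the guard
  # rather than in a command substitution also avoids a stray
  # `chmod ""` error when pwdhome was emptied above.
  if csih_is_nt && [ -d "${pwdhome}" ]
  then
    changed=$(chmod -c g-w,o-w "${pwdhome}")
    if [ -n "${changed}" ]
    then
      echo
      csih_warning 'group and other have been revoked write permission to your home'
      csih_warning "directory ${pwdhome}."
      csih_warning 'This is required by OpenSSH to allow public key authentication using'
      csih_warning 'the key files stored in your .ssh subdirectory.'
      csih_warning 'Revert this change ONLY if you know what you are doing!'
      echo
    fi
  fi
} # === End of check_user_homedir() === #
readonly -f check_user_homedir
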
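# ======================================================================
# Routine: check_user_dot_ssh_dir
#   Perform various checks on the ~/.ssh directory
# PREREQUISITE:
#   pwdhome -- check_user_homedir()
# NOTES:
#   csih_error is expected to terminate the script.
# ======================================================================
check_user_dot_ssh_dir() {
  local sshdir="${pwdhome}/.ssh"

  # -e is false for a dangling symlink, so test -L as well; a broken link
  # named .ssh would otherwise only surface as a confusing mkdir failure.
  if { [ -L "${sshdir}" ] || [ -e "${sshdir}" ]; } && [ ! -d "${sshdir}" ]
  then
    csih_error "${sshdir} is existant but not a directory. Cannot create user identity files."
  fi

  if [ ! -d "${sshdir}" ]
  then
    # Create it owner-only (0700), as ssh-keygen itself does, instead of
    # inheriting whatever the caller's umask allows; sshd's StrictModes
    # rejects a .ssh directory that is writable by group or other.
    if ! mkdir -m 700 "${sshdir}" || [ ! -d "${sshdir}" ]
    then
      csih_error "Creating users ${sshdir} directory failed"
    fi
  fi
} # === End of check_user_dot_ssh_dir() === #
readonly -f check_user_dot_ssh_dir
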
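# ======================================================================
# Routine: fix_authorized_keys_perms
#   Corrects the permissions of ~/.ssh/authorized_keys
# PREREQUISITE:
#   pwdhome   -- check_user_homedir()
# NOTE:
#   The original guard `[ csih_is_nt -a -e ... ]` tested the literal word
#   "csih_is_nt" for non-emptiness (always true) and never invoked the
#   csih helper.  It is now called as a command; csih_is_nt is assumed
#   to return success on NT -- confirm against the csih version in use.
# ======================================================================
fix_authorized_keys_perms() {
  local authkeys="${pwdhome}/.ssh/authorized_keys"

  if ! csih_is_nt || [ ! -e "${authkeys}" ]
  then
    return 0
  fi

  # Owner read/write only.  sshd's StrictModes refuses the file when it
  # is group- or world-writable, and other users have no business
  # reading the list of keys that unlock this account either.
  if ! setfacl -m "u::rw-,g::---,o::---" "${authkeys}"
  then
    csih_warning "Setting correct permissions to ${authkeys}"
    csih_warning "failed.  Please care for the correct permissions.  The minimum requirement"
    csih_warning "is, the owner needs read permissions."
    echo
  fi
} # === End of fix_authorized_keys_perms() === #
readonly -f fix_authorized_keys_perms

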
# ======================================================================
# Main Entry Point
# ======================================================================

# Detect an unattended run.  If either
#   (1) the script was started via its full path and that path is
#       /etc/postinstall (i.e. Cygwin setup is running it), OR
#   (2) the environment variable SSH_USER_CONFIG_AUTO_ANSWER_NO is set
# then every question is answered "no" (see csih_request and the -n
# option), so nothing is created and existing files are never touched.
# In both cases color escape sequences are suppressed as well, so as to
# prevent cluttering setup's logfiles.
if [ "${PROGDIR}" = "/etc/postinstall" ] || [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
then
  csih_auto_answer="no"
  csih_disable_color
fi

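# ======================================================================
# Parse options
# ======================================================================
# NOTE: -p/--passphrase takes the passphrase from the command line.  It is
# therefore visible to other local users through the process list (this
# script's argv and, later, ssh-keygen's -N argument) and, combined with
# -d/--debug, it is echoed by the shell trace.  Prefer omitting -p and
# letting ssh-keygen prompt for the passphrase.
while [ $# -gt 0 ]
do
  option="$1"
  shift

  case "${option}" in
  -d | --debug )
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    ;;

  -p | --passphrase )
    # A trailing -p with no value used to fall through with an empty
    # passphrase and with_passphrase=yes, which makes ssh-keygen -N ""
    # silently generate unencrypted private keys.
    if [ $# -eq 0 ]
    then
      echo "${PROGNAME}: option ${option} requires an argument" >&2
      exit 1
    fi
    with_passphrase="yes"
    passphrase="$1"
    shift
    ;;

  --privileged )
    # Read by csih; not referenced elsewhere in this file.
    csih_FORCE_PRIVILEGED_USER=yes
    ;;

  *)
    echo "usage: ${PROGNAME} [OPTION]..."
    echo
    echo "This script creates an OpenSSH user configuration."
    echo
    echo "Options:"
    echo "    --debug      -d        Enable shell's debug output."
    echo "    --yes        -y        Answer all questions with \"yes\" automatically."
    echo "    --no         -n        Answer all questions with \"no\" automatically."
    echo "    --passphrase -p word   Use \"word\" as passphrase automatically."
    echo "    --privileged           On Windows NT/2k/XP, assume privileged user"
    echo "                           instead of LocalSystem for sshd service."
    echo
    exit 1
    ;;

  esac
done
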
# ======================================================================
# Action!
# ======================================================================

# The home directory lookup needs ${SYSCONFDIR}/passwd; refuse to go on
# without it (csih_error_multi is expected to terminate the script).
if [ ! -f "${SYSCONFDIR}/passwd" ]
then
  csih_error_multi \
    "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
    'first using mkpasswd. Check if it contains an entry for you and' \
    'please care for the home directory in your entry as well.'
fi

# Order matters: check_user_homedir sets the global pwdhome that every
# later step builds its paths from, and the permissions fix-up runs last
# so that it also covers an authorized_keys file the create_* steps may
# have just appended to.
check_user_homedir
check_user_dot_ssh_dir
create_ssh1_identity
create_ssh2_rsa_identity
create_ssh2_dsa_identity
fix_authorized_keys_perms

echo
csih_inform "Configuration finished. Have fun!"