ssh-user-config revision 197670
1#!/bin/bash 2# 3# ssh-user-config, Copyright 2000-2008 Red Hat Inc. 4# 5# This file is part of the Cygwin port of OpenSSH. 6# 7# Permission to use, copy, modify, and distribute this software for any 8# purpose with or without fee is hereby granted, provided that the above 9# copyright notice and this permission notice appear in all copies. 10# 11# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 12# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 13# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 14# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 15# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 16# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR 17# THE USE OR OTHER DEALINGS IN THE SOFTWARE. 18 19# ====================================================================== 20# Initialization 21# ====================================================================== 22PROGNAME=$(basename -- $0) 23_tdir=$(dirname -- $0) 24PROGDIR=$(cd $_tdir && pwd) 25 26CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh 27 28# Subdirectory where the new package is being installed 29PREFIX=/usr 30 31# Directory where the config files are stored 32SYSCONFDIR=/etc 33 34source ${CSIH_SCRIPT} 35 36auto_passphrase="no" 37passphrase="" 38pwdhome= 39with_passphrase= 40 41# ====================================================================== 42# Routine: create_ssh1_identity 43# optionally create ~/.ssh/identity[.pub] 44# optionally add result to ~/.ssh/authorized_keys 45# ====================================================================== 46create_ssh1_identity() { 47 if [ ! -f "${pwdhome}/.ssh/identity" ] 48 then 49 if csih_request "Shall I create an SSH1 RSA identity file for you?" 50 then 51 csih_inform "Generating ${pwdhome}/.ssh/identity" 52 if [ "${with_passphrase}" = "yes" ] 53 then 54 ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null 55 else 56 ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null 57 fi 58 if csih_request "Do you want to use this identity to login to this machine?" 59 then 60 csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" 61 cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" 62 fi 63 fi 64 fi 65} # === End of create_ssh1_identity() === # 66readonly -f create_ssh1_identity 67 68# ====================================================================== 69# Routine: create_ssh2_rsa_identity 70# optionally create ~/.ssh/id_rsa[.pub] 71# optionally add result to ~/.ssh/authorized_keys 72# ====================================================================== 73create_ssh2_rsa_identity() { 74 if [ ! -f "${pwdhome}/.ssh/id_rsa" ] 75 then 76 if csih_request "Shall I create an SSH2 RSA identity file for you?" 77 then 78 csih_inform "Generating ${pwdhome}/.ssh/id_rsa" 79 if [ "${with_passphrase}" = "yes" ] 80 then 81 ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null 82 else 83 ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null 84 fi 85 if csih_request "Do you want to use this identity to login to this machine?" 86 then 87 csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" 88 cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys" 89 fi 90 fi 91 fi 92} # === End of create_ssh2_rsa_identity() === # 93readonly -f create_ssh2_rsa_identity 94 95# ====================================================================== 96# Routine: create_ssh2_dsa_identity 97# optionally create ~/.ssh/id_dsa[.pub] 98# optionally add result to ~/.ssh/authorized_keys 99# ====================================================================== 100create_ssh2_dsa_identity() { 101 if [ ! -f "${pwdhome}/.ssh/id_dsa" ] 102 then 103 if csih_request "Shall I create an SSH2 DSA identity file for you?" 104 then 105 csih_inform "Generating ${pwdhome}/.ssh/id_dsa" 106 if [ "${with_passphrase}" = "yes" ] 107 then 108 ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null 109 else 110 ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null 111 fi 112 if csih_request "Do you want to use this identity to login to this machine?" 113 then 114 csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys" 115 cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" 116 fi 117 fi 118 fi 119} # === End of create_ssh2_dsa_identity() === # 120readonly -f create_ssh2_dsa_identity 121 122# ====================================================================== 123# Routine: check_user_homedir 124# Perform various checks on the user's home directory 125# SETS GLOBAL VARIABLE: 126# pwdhome 127# ====================================================================== 128check_user_homedir() { 129 local uid=$(id -u) 130 pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd) 131 if [ "X${pwdhome}" = "X" ] 132 then 133 csih_error_multi \ 134 "There is no home directory set for you in ${SYSCONFDIR}/passwd." \ 135 'Setting $HOME is not sufficient!' 136 fi 137 138 if [ ! -d "${pwdhome}" ] 139 then 140 csih_error_multi \ 141 "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \ 142 'but it is not a valid directory. Cannot create user identity files.' 143 fi 144 145 # If home is the root dir, set home to empty string to avoid error messages 146 # in subsequent parts of that script. 147 if [ "X${pwdhome}" = "X/" ] 148 then 149 # But first raise a warning! 150 csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" 151 if csih_request "Would you like to proceed anyway?" 152 then 153 pwdhome='' 154 else 155 csih_warning "Exiting. Configuration is not complete" 156 exit 1 157 fi 158 fi 159 160 if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] 161 then 162 echo 163 csih_warning 'group and other have been revoked write permission to your home' 164 csih_warning "directory ${pwdhome}." 165 csih_warning 'This is required by OpenSSH to allow public key authentication using' 166 csih_warning 'the key files stored in your .ssh subdirectory.' 167 csih_warning 'Revert this change ONLY if you know what you are doing!' 168 echo 169 fi 170} # === End of check_user_homedir() === # 171readonly -f check_user_homedir 172 173# ====================================================================== 174# Routine: check_user_dot_ssh_dir 175# Perform various checks on the ~/.ssh directory 176# PREREQUISITE: 177# pwdhome -- check_user_homedir() 178# ====================================================================== 179check_user_dot_ssh_dir() { 180 if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] 181 then 182 csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." 183 fi 184 185 if [ ! -e "${pwdhome}/.ssh" ] 186 then 187 mkdir "${pwdhome}/.ssh" 188 if [ ! -e "${pwdhome}/.ssh" ] 189 then 190 csih_error "Creating users ${pwdhome}/.ssh directory failed" 191 fi 192 fi 193} # === End of check_user_dot_ssh_dir() === # 194readonly -f check_user_dot_ssh_dir 195 196# ====================================================================== 197# Routine: fix_authorized_keys_perms 198# Corrects the permissions of ~/.ssh/authorized_keys 199# PREREQUISITE: 200# pwdhome -- check_user_homedir() 201# ====================================================================== 202fix_authorized_keys_perms() { 203 if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ] 204 then 205 if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" 206 then 207 csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" 208 csih_warning "failed. Please care for the correct permissions. The minimum requirement" 209 csih_warning "is, the owner needs read permissions." 210 echo 211 fi 212 fi 213} # === End of fix_authorized_keys_perms() === # 214readonly -f fix_authorized_keys_perms 215 216 217# ====================================================================== 218# Main Entry Point 219# ====================================================================== 220 221# Check how the script has been started. If 222# (1) it has been started by giving the full path and 223# that path is /etc/postinstall, OR 224# (2) Otherwise, if the environment variable 225# SSH_USER_CONFIG_AUTO_ANSWER_NO is set 226# then set auto_answer to "no". This allows automatic 227# creation of the config files in /etc w/o overwriting 228# them if they already exist. In both cases, color 229# escape sequences are suppressed, so as to prevent 230# cluttering setup's logfiles. 231if [ "$PROGDIR" = "/etc/postinstall" ] 232then 233 csih_auto_answer="no" 234 csih_disable_color 235fi 236if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ] 237then 238 csih_auto_answer="no" 239 csih_disable_color 240fi 241 242# ====================================================================== 243# Parse options 244# ====================================================================== 245while : 246do 247 case $# in 248 0) 249 break 250 ;; 251 esac 252 253 option=$1 254 shift 255 256 case "$option" in 257 -d | --debug ) 258 set -x 259 csih_trace_on 260 ;; 261 262 -y | --yes ) 263 csih_auto_answer=yes 264 ;; 265 266 -n | --no ) 267 csih_auto_answer=no 268 ;; 269 270 -p | --passphrase ) 271 with_passphrase="yes" 272 passphrase=$1 273 shift 274 ;; 275 276 --privileged ) 277 csih_FORCE_PRIVILEGED_USER=yes 278 ;; 279 280 *) 281 echo "usage: ${PROGNAME} [OPTION]..." 282 echo 283 echo "This script creates an OpenSSH user configuration." 284 echo 285 echo "Options:" 286 echo " --debug -d Enable shell's debug output." 287 echo " --yes -y Answer all questions with \"yes\" automatically." 288 echo " --no -n Answer all questions with \"no\" automatically." 289 echo " --passphrase -p word Use \"word\" as passphrase automatically." 290 echo " --privileged On Windows NT/2k/XP, assume privileged user" 291 echo " instead of LocalSystem for sshd service." 292 echo 293 exit 1 294 ;; 295 296 esac 297done 298 299# ====================================================================== 300# Action! 301# ====================================================================== 302 303# Check passwd file 304if [ ! -f ${SYSCONFDIR}/passwd ] 305then 306 csih_error_multi \ 307 "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \ 308 'first using mkpasswd. Check if it contains an entry for you and' \ 309 'please care for the home directory in your entry as well.' 310fi 311 312check_user_homedir 313check_user_dot_ssh_dir 314create_ssh1_identity 315create_ssh2_rsa_identity 316create_ssh2_dsa_identity 317fix_authorized_keys_perms 318 319echo 320csih_inform "Configuration finished. Have fun!" 321 322 323