contrib/cygwin/ssh-user-config

   1 #!/bin/bash
   2 #
   3 # ssh-user-config, Copyright 2000-2008 Red Hat Inc.
   4 #
   5 # This file is part of the Cygwin port of OpenSSH.
   6 #
   7 # Permission to use, copy, modify, and distribute this software for any
   8 # purpose with or without fee is hereby granted, provided that the above
   9 # copyright notice and this permission notice appear in all copies.
  10 #
  11 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  13 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
  14 # IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
  15 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
  16 # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
  17 # THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  18
  19 # ======================================================================
  20 # Initialization
  21 # ======================================================================
  22 PROGNAME=$(basename -- $0)
  23 _tdir=$(dirname -- $0)
  24 PROGDIR=$(cd $_tdir && pwd)
  25
  26 CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
  27
  28 # Subdirectory where the new package is being installed
  29 PREFIX=/usr
  30
  31 # Directory where the config files are stored
  32 SYSCONFDIR=/etc
  33
  34 source ${CSIH_SCRIPT}
  35
  36 auto_passphrase="no"
  37 passphrase=""
  38 pwdhome=
  39 with_passphrase=
  40
  41 # ======================================================================
  42 # Routine: create_ssh1_identity
  43 #   optionally create ~/.ssh/identity[.pub]
  44 #   optionally add result to ~/.ssh/authorized_keys
  45 # ======================================================================
  46 create_ssh1_identity() {
  47   if [ ! -f "${pwdhome}/.ssh/identity" ]
  48   then
  49     if csih_request "Shall I create an SSH1 RSA identity file for you?"
  50     then
  51       csih_inform "Generating ${pwdhome}/.ssh/identity"
  52       if [ "${with_passphrase}" = "yes" ]
  53       then
  54         ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null
  55       else
  56         ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null
  57       fi
  58       if csih_request "Do you want to use this identity to login to this machine?"
  59       then
  60         csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
  61         cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys"
  62       fi
  63     fi
  64   fi
  65 } # === End of create_ssh1_identity() === #
  66 readonly -f create_ssh1_identity
  67
  68 # ======================================================================
  69 # Routine: create_ssh2_rsa_identity
  70 #   optionally create ~/.ssh/id_rsa[.pub]
  71 #   optionally add result to ~/.ssh/authorized_keys
  72 # ======================================================================
  73 create_ssh2_rsa_identity() {
  74   if [ ! -f "${pwdhome}/.ssh/id_rsa" ]
  75   then
  76     if csih_request "Shall I create an SSH2 RSA identity file for you?"
  77     then
  78       csih_inform "Generating ${pwdhome}/.ssh/id_rsa"
  79       if [ "${with_passphrase}" = "yes" ]
  80       then
  81         ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null
  82       else
  83         ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null
  84       fi
  85       if csih_request "Do you want to use this identity to login to this machine?"
  86       then
  87         csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
  88         cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
  89       fi
  90     fi
  91   fi
  92 } # === End of create_ssh2_rsa_identity() === #
  93 readonly -f create_ssh2_rsa_identity
  94
  95 # ======================================================================
  96 # Routine: create_ssh2_dsa_identity
  97 #   optionally create ~/.ssh/id_dsa[.pub]
  98 #   optionally add result to ~/.ssh/authorized_keys
  99 # ======================================================================
 100 create_ssh2_dsa_identity() {
 101   if [ ! -f "${pwdhome}/.ssh/id_dsa" ]
 102   then
 103     if csih_request "Shall I create an SSH2 DSA identity file for you?"
 104     then
 105       csih_inform "Generating ${pwdhome}/.ssh/id_dsa"
 106       if [ "${with_passphrase}" = "yes" ]
 107       then
 108         ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null
 109       else
 110         ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null
 111       fi
 112       if csih_request "Do you want to use this identity to login to this machine?"
 113       then
 114         csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
 115         cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
 116       fi
 117     fi
 118   fi
 119 } # === End of create_ssh2_dsa_identity() === #
 120 readonly -f create_ssh2_dsa_identity
 121
 122 # ======================================================================
 123 # Routine: check_user_homedir
 124 #   Perform various checks on the user's home directory
 125 # SETS GLOBAL VARIABLE:
 126 #   pwdhome
 127 # ======================================================================
 128 check_user_homedir() {
 129   local uid=$(id -u)
 130   pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
 131   if [ "X${pwdhome}" = "X" ]
 132   then
 133     csih_error_multi \
 134       "There is no home directory set for you in ${SYSCONFDIR}/passwd." \
 135       'Setting $HOME is not sufficient!'
 136   fi
 137
 138   if [ ! -d "${pwdhome}" ]
 139   then
 140     csih_error_multi \
 141       "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
 142       'but it is not a valid directory. Cannot create user identity files.'
 143   fi
 144
 145   # If home is the root dir, set home to empty string to avoid error messages
 146   # in subsequent parts of that script.
 147   if [ "X${pwdhome}" = "X/" ]
 148   then
 149     # But first raise a warning!
 150     csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
 151     if csih_request "Would you like to proceed anyway?"
 152     then
 153       pwdhome=''
 154     else
 155       csih_warning "Exiting. Configuration is not complete"
 156       exit 1
 157     fi
 158   fi
 159
 160   if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
 161   then
 162     echo
 163     csih_warning 'group and other have been revoked write permission to your home'
 164     csih_warning "directory ${pwdhome}."
 165     csih_warning 'This is required by OpenSSH to allow public key authentication using'
 166     csih_warning 'the key files stored in your .ssh subdirectory.'
 167     csih_warning 'Revert this change ONLY if you know what you are doing!'
 168     echo
 169   fi
 170 } # === End of check_user_homedir() === #
 171 readonly -f check_user_homedir
 172
 173 # ======================================================================
 174 # Routine: check_user_dot_ssh_dir
 175 #   Perform various checks on the ~/.ssh directory
 176 # PREREQUISITE:
 177 #   pwdhome -- check_user_homedir()
 178 # ======================================================================
 179 check_user_dot_ssh_dir() {
 180   if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
 181   then
 182     csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
 183   fi
 184
 185   if [ ! -e "${pwdhome}/.ssh" ]
 186   then
 187     mkdir "${pwdhome}/.ssh"
 188     if [ ! -e "${pwdhome}/.ssh" ]
 189     then
 190       csih_error "Creating users ${pwdhome}/.ssh directory failed"
 191     fi
 192   fi
 193 } # === End of check_user_dot_ssh_dir() === #
 194 readonly -f check_user_dot_ssh_dir
 195
 196 # ======================================================================
 197 # Routine: fix_authorized_keys_perms
 198 #   Corrects the permissions of ~/.ssh/authorized_keys
 199 # PREREQUISITE:
 200 #   pwdhome   -- check_user_homedir()
 201 # ======================================================================
 202 fix_authorized_keys_perms() {
 203   if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
 204   then
 205     if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
 206     then
 207       csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
 208       csih_warning "failed.  Please care for the correct permissions.  The minimum requirement"
 209       csih_warning "is, the owner needs read permissions."
 210       echo
 211     fi
 212   fi
 213 } # === End of fix_authorized_keys_perms() === #
 214 readonly -f fix_authorized_keys_perms
 215
 216
 217 # ======================================================================
 218 # Main Entry Point
 219 # ======================================================================
 220
 221 # Check how the script has been started.  If
 222 #   (1) it has been started by giving the full path and
 223 #       that path is /etc/postinstall, OR
 224 #   (2) Otherwise, if the environment variable
 225 #       SSH_USER_CONFIG_AUTO_ANSWER_NO is set
 226 # then set auto_answer to "no".  This allows automatic
 227 # creation of the config files in /etc w/o overwriting
 228 # them if they already exist.  In both cases, color
 229 # escape sequences are suppressed, so as to prevent
 230 # cluttering setup's logfiles.
 231 if [ "$PROGDIR" = "/etc/postinstall" ]
 232 then
 233   csih_auto_answer="no"
 234   csih_disable_color
 235 fi
 236 if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
 237 then
 238   csih_auto_answer="no"
 239   csih_disable_color
 240 fi
 241
 242 # ======================================================================
 243 # Parse options
 244 # ======================================================================
 245 while :
 246 do
 247   case $# in
 248   0)
 249     break
 250     ;;
 251   esac
 252
 253   option=$1
 254   shift
 255
 256   case "$option" in
 257   -d | --debug )
 258     set -x
 259     csih_trace_on
 260     ;;
 261
 262   -y | --yes )
 263     csih_auto_answer=yes
 264     ;;
 265
 266   -n | --no )
 267     csih_auto_answer=no
 268     ;;
 269
 270   -p | --passphrase )
 271     with_passphrase="yes"
 272     passphrase=$1
 273     shift
 274     ;;
 275
 276   --privileged )
 277     csih_FORCE_PRIVILEGED_USER=yes
 278     ;;
 279
 280   *)
 281     echo "usage: ${PROGNAME} [OPTION]..."
 282     echo
 283     echo "This script creates an OpenSSH user configuration."
 284     echo
 285     echo "Options:"
 286     echo "    --debug      -d        Enable shell's debug output."
 287     echo "    --yes        -y        Answer all questions with \"yes\" automatically."
 288     echo "    --no         -n        Answer all questions with \"no\" automatically."
 289     echo "    --passphrase -p word   Use \"word\" as passphrase automatically."
 290     echo "    --privileged           On Windows NT/2k/XP, assume privileged user"
 291     echo "                           instead of LocalSystem for sshd service."
 292     echo
 293     exit 1
 294     ;;
 295
 296   esac
 297 done
 298
 299 # ======================================================================
 300 # Action!
 301 # ======================================================================
 302
 303 # Check passwd file
 304 if [ ! -f ${SYSCONFDIR}/passwd ]
 305 then
 306   csih_error_multi \
 307     "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
 308     'first using mkpasswd. Check if it contains an entry for you and' \
 309     'please care for the home directory in your entry as well.'
 310 fi
 311
 312 check_user_homedir
 313 check_user_dot_ssh_dir
 314 create_ssh1_identity
 315 create_ssh2_rsa_identity
 316 create_ssh2_dsa_identity
 317 fix_authorized_keys_perms
 318
 319 echo
 320 csih_inform "Configuration finished. Have fun!"
 321
 322