GROUPADD=/usr/sbin/groupadd
USERADD=/usr/sbin/useradd
GREP=/usr/bin/grep
CUT=/usr/bin/cut
CAT=/usr/bin/cat

PREFIX=/usr/tgcware
OLDCONFDIR=/usr/local/etc
CONFDIR=${PREFIX}/etc/ssh
DESTBIN=${PREFIX}/bin
CHECKCONF=0
OLDCONF=0
SSHID=199

# We provide default config-files, check and see if they should be installed.
for config in ssh_config sshd_config; do
    if [ ! -f "${CONFDIR}/$config" ] ; then
	# No config, it might be an upgrade scenario
	if [ -f "${OLDCONFDIR}/$config" ] ; then
	    cp -p ${OLDCONFDIR}/$config ${CONFDIR}
	    echo "Migrating $OLDCONFDIR/$config to $CONFDIR"
	    OLDCONF=1
	else
	    cp -p ${CONFDIR}/$config.default ${CONFDIR}/$config
	    echo "Installing new $config"
	fi
    else
	echo "Keeping existing $config"
	CHECKCONF=1
    fi
done

if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then
    rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds
    echo "Removing unneeded ssh_prng_cmds file"
fi

if [ ! -f "${CONFDIR}/moduli" ] ; then
    if [ -f "${OLDCONFDIR}" ]; then
	cp -p $OLDCONFDIR/moduli $CONFDIR
	echo "Migrating $OLDCONFDIR/module to $CONFDIR"
	OLDCONF=1
    else
	if [ -f "${CONFDIR}/primes" ]; then
	    echo "Keeping existing primes but renaming it to moduli"
	    mv ${CONFDIR}/primes ${CONFDIR}/moduli
	else
	    echo "Installing new moduli"
	    cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli
	fi
    fi
else
    echo "Keeping existing moduli"
fi

# We will try to preserve any existing keys from an old setup
# Note that new keygen is done in the init script
for keyfile in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key ssh_host_ecdsa_key; do
    if [ ! -f "${CONFDIR}/$keyfile" ] ; then
	# Check and see if we might find it in $OLDCONFDIR
	if [ -f "${OLDCONFDIR}/$keyfile" ]; then
	    cp -p $OLDCONFDIR/$keyfile $CONFDIR
	    cp -p $OLDCONFDIR/${keyfile}.pub $CONFDIR
	    echo "Migrating $OLDCONFDIR/$keyfile to $CONFDIR"
	    OLDCONF=1
	fi
    fi
done

# OpenSSH 3.3+ has privilege seperation which requires a user/group to run
# Attempt to create a group & user for sshd
echo "Checking for sshd group... \c"
temp=`$GREP sshd /etc/group`
if [ -n "$temp" ]; then
    echo "yes"
    gid=`echo $temp|$CUT -d: -f3`
    if [ "$gid" != "$SSHID" ]; then
        echo "  Group sshd found but gid does not match with the preferred ($SSHID)!"
	echo "  This is not a critical error but please make sure this group"
	echo "  is one you actually want to use for sshd."
    fi
else
    echo "no"
    echo "  Attempting to create sshd group (gid=$SSHID)"
    $GROUPADD -g $SSHID sshd
    gid=$SSHID
fi

echo "Checking for sshd user... \c"
temp=`$GREP sshd /etc/passwd`
if [ -n "$temp" ]; then
    echo "yes"
    uid=`echo $temp|$CUT -d: -f3`
    ugid=`echo $temp|$CUT -d: -f4`
    if [ "$uid" != "$SSHID" ]; then
        echo "  User sshd found but uid doesn't match with the preferred ($SSHID)!"
	echo "  This is not a critical error but please make sure this user"
	echo "  is one you actually want to use for sshd."
    fi
    if [ "$ugid" != "$gid" ]; then
        echo "  User sshd doesn't have group sshd!"
        echo "  This is a critical error that must be resolved"
        echo "  before privilege seperation can be enabled."
	echo "  Since privilege seperation is on by default this problem"
	echo "  will prevent sshd from starting."
    fi
    if [ "`echo $temp|$CUT -d: -f6`" != "/var/empty/sshd" ]; then
	echo "  User sshd does not have homedir in /var/empty/sshd!"
	echo "  This is a possible security risk so please make sure that"
	echo "  user sshd has a homedir accessable only by root (perm 711)."
    fi
    if [ "`echo $temp|$CUT -d: -f7`" != "/bin/false" ]; then
	echo "  User sshd does not have /bin/false as its shell!"
	echo "  Please verify that the sshd user has a non-login shell."
    fi
else
    echo "no"
    echo "  Attempting to create sshd user (uid=$SSHID, gid=$SSHID)"
    $USERADD -u $SSHID -g $SSHID -c "sshd privsep" -d /var/empty/sshd -s /bin/false sshd
fi

# Notice how the ssh host keys are not associated with the package.
# I find that convenient as I'm sure that they don't disappear if someone
# uninstalls the package.
# This is nice because we can then avoid the "hostid changed" warnings.  
# The config files will not be associated with the package either, this way when 
# installing a newer version the config files will be in place and will be preserved

# If original config-files where preserved, urge the operator
# to check the new default files for hints on recommended configuration
if [ "$CHECKCONF" = "1" ] ; then
	echo "#######"
	echo ""
	echo "Please check the *.default config files for configuration hints"
	echo "and update your existing config files accordingly."
fi

# Try and catch the upgrade scenario from previous packages which had
# config in etc and not etc/ssh
if [ "$OLDCONF" = "1" ] ; then
	echo "#######"
	echo ""
	echo "Configuration files and keys was found in $OLDCONFDIR"
	echo "If you're upgrading from a previous release then please"
	echo "make sure to migrate any settings and keys to the new config location"
	echo "in $CONFDIR and remove the old files."
	echo "Also please check the *.default config files for configuration hints"
	echo "and update your existing config files accordingly."
fi