170 lines
		
	
	
		
			5.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			170 lines
		
	
	
		
			5.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| INSTALLF=/usr/sbin/installf
 | |
| REMOVEF=/usr/sbin/removef
 | |
| GROUPADD=/usr/sbin/groupadd
 | |
| USERADD=/usr/sbin/useradd
 | |
| GREP=/usr/bin/grep
 | |
| CUT=/usr/bin/cut
 | |
| CAT=/usr/bin/cat
 | |
| 
 | |
| CONFDIR=${BASEDIR}/etc
 | |
| DESTBIN=${BASEDIR}/bin
 | |
| CHECKCONF=0
 | |
| SSHID=199
 | |
| 
 | |
| # We provide default config-files, check and see if they should be installed.
 | |
| if [ ! -f "${CONFDIR}/ssh_config" ] ; then
 | |
| 	cp -p ${CONFDIR}/ssh_config.default ${CONFDIR}/ssh_config
 | |
| 	echo "Installing new ssh_config"
 | |
| else
 | |
| 	echo "Keeping existing ssh_config"
 | |
| 	CHECKCONF=1
 | |
| fi
 | |
| if [ ! -f "${CONFDIR}/sshd_config" ] ; then
 | |
| 	cp -p ${CONFDIR}/sshd_config.default ${CONFDIR}/sshd_config
 | |
| 	echo "Installing new sshd_config"
 | |
| else
 | |
| 	echo "Keeping existing sshd_config"
 | |
| 	CHECKCONF=1
 | |
| fi
 | |
| if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then
 | |
| 	rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds
 | |
| 	echo "Removing unneeded ssh_prng_cmds file"
 | |
| 
 | |
| fi
 | |
| if [ ! -f "${CONFDIR}/moduli" ] ; then
 | |
| 	if [ -f "${CONFDIR}/primes" ]; then
 | |
| 		echo "Keeping existing primes but renaming it to moduli"
 | |
| 		mv ${CONFDIR}/primes ${CONFDIR}/moduli
 | |
| 	else
 | |
| 		echo "Installing new moduli (formerly known as primes)"
 | |
| 		cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli
 | |
| 	fi
 | |
| else
 | |
| 	echo "Keeping existing moduli"
 | |
| fi
 | |
| 
 | |
| # We will try to preserve any existing keys
 | |
| if [ -f "${CONFDIR}/ssh_host_key" ] ; then
 | |
| 	echo "Keeping existing ssh_host_key"
 | |
| else
 | |
| 	${DESTBIN}/ssh-keygen -t rsa1 -f ${CONFDIR}/ssh_host_key -N ""
 | |
| fi
 | |
| if [ -f "${CONFDIR}/ssh_host_dsa_key" ] ; then
 | |
| 	echo "Keeping existing ssh_host_dsa_key"
 | |
| else
 | |
| 	${DESTBIN}/ssh-keygen -t dsa -f ${CONFDIR}/ssh_host_dsa_key -N ""
 | |
| fi
 | |
| if [ -f "${CONFDIR}/ssh_host_rsa_key" ] ; then
 | |
| 	echo "Keeping existing ssh_host_rsa_key"
 | |
| else
 | |
| 	${DESTBIN}/ssh-keygen -t rsa -f ${CONFDIR}/ssh_host_rsa_key -N ""
 | |
| fi
 | |
| 
 | |
| # Right, now move the init script into place and make some symlinks 
 | |
| # for automatic startup.
 | |
| 
 | |
| # start by removing knowledge of sshd.init from the pkgdb
 | |
| ${REMOVEF} ${PKGINST} /usr/local/etc/sshd.init 2>&1 > /dev/null # suppress output
 | |
| 
 | |
| # confirm the changes to the pkgdb (removef -f)
 | |
| ${REMOVEF} -f ${PKGINST}
 | |
| 
 | |
| # Now that the holds from the pkgdb are gone, move the script to it's final destination.
 | |
| mv /usr/local/etc/sshd.init /etc/init.d/sshd.local
 | |
| 
 | |
| # Install new *symlinks*
 | |
| ln -sf /etc/init.d/sshd.local /etc/rc0.d/K30sshd.local
 | |
| ln -sf /etc/init.d/sshd.local /etc/rc1.d/K30sshd.local
 | |
| ln -sf /etc/init.d/sshd.local /etc/rc2.d/S78sshd.local
 | |
| ln -sf /etc/init.d/sshd.local /etc/rcS.d/K30sshd.local
 | |
| 
 | |
| # Then installf the new pathnames
 | |
| ${INSTALLF} ${PKGINST} /etc/init.d/sshd.local f 744 root sys
 | |
| ${INSTALLF} ${PKGINST} /etc/rc2.d/S78sshd.local=/etc/init.d/sshd.local s
 | |
| ${INSTALLF} ${PKGINST} /etc/rc1.d/K30sshd.local=/etc/init.d/sshd.local s
 | |
| ${INSTALLF} ${PKGINST} /etc/rc0.d/K30sshd.local=/etc/init.d/sshd.local s
 | |
| ${INSTALLF} ${PKGINST} /etc/rcS.d/K30sshd.local=/etc/init.d/sshd.local s
 | |
| 
 | |
| # confirm the changes to the pkgdb (installf -f)
 | |
| ${INSTALLF} -f ${PKGINST}
 | |
| 
 | |
| #uh yeah, better make sure that /var/run exists aswell (for pid files)
 | |
| echo "Checking to see if /var/run exists... \c"
 | |
| if [ ! -d /var/run ]; then
 | |
|    echo "no, creating..."
 | |
|    mkdir -p /var/run;
 | |
|    chown root:sys /var/run;
 | |
|    chmod 755 /var/run
 | |
| else
 | |
|     echo "yes"
 | |
| fi
 | |
| 
 | |
| # New in OpenSSH 3.3+ is Privilege seperation, it requires an empty dir to chroot into
 | |
| # and an unprivileged user to run as.
 | |
| echo "Checking to see if /var/empty/sshd exists... \c"
 | |
| if [ ! -d /var/empty ]; then
 | |
|     echo "no, creating..."
 | |
|     mkdir -p /var/empty/sshd
 | |
|     chown root:sys /var/empty/sshd
 | |
|     chmod 755 /var/empty/sshd
 | |
| else
 | |
|     echo "yes"
 | |
| fi
 | |
| 
 | |
| # Attempt to create a group & user for sshd
 | |
| echo "Checking for sshd group... \c"
 | |
| temp=`$GREP sshd /etc/group`
 | |
| if [ -n "$temp" ]; then
 | |
|     echo "yes"
 | |
|     gid=`echo $temp|$CUT -d : -f 3`
 | |
|     if [ "$gid" != "$SSHID" ]; then
 | |
| 	echo "  Group sshd found but gid does not match with the preferred ($SSHID)"
 | |
| 	echo "  I will continue anyway, but please check up on this afterwards!"
 | |
|     fi
 | |
| else
 | |
|     echo "no"
 | |
|     echo "  Attempting to create sshd group (gid=$SSHID)"
 | |
|     $GROUPADD -g $SSHID sshd
 | |
|     gid=$SSHID
 | |
| fi
 | |
| 
 | |
| echo "Checking for sshd user... \c"
 | |
| temp=`$GREP sshd /etc/passwd`
 | |
| if [ -n "$temp" ]; then
 | |
|     echo "yes"
 | |
|     uid=`echo $temp|$CUT -d : -f 3`
 | |
|     ugid=`echo $temp|$CUT -d : -f 4`
 | |
|     if [ "$uid" != "$SSHID" ]; then
 | |
| 	echo "  User sshd found but uid doesn't match with the preferred ($SSHID)"
 | |
| 	echo "  I will continue anyway, but please check up on this afterwards!"
 | |
|     fi
 | |
|     if [ "$ugid" != "$gid" ]; then
 | |
| 	echo "  User sshd doesn't have group sshd!"
 | |
| 	echo "  I will continue anyway, but this is a critical error that must be resolved"
 | |
| 	echo "  before privilege seperation can be enabled!"
 | |
|     fi
 | |
| else
 | |
|     echo "no"
 | |
|     echo "  Attempting to create sshd user (uid=$SSHID, gid=$SSHID)"
 | |
|     $USERADD -u $SSHID -g $SSHID -c "sshd privsep" -d /var/empty/sshd -s /bin/false sshd
 | |
| fi
 | |
| 
 | |
| # FIXME Other stuff about the user/group situation should probably be checked
 | |
| # FIXME like the homedir and shell of the sshd user
 | |
| 
 | |
| # Notice how the ssh host keys are not associated with the SBossh package.
 | |
| # I find that convenient as I'm sure that they don't disappear if someone
 | |
| # uninstalls the package.
 | |
| # This is nice because we can then avoid the "hostid changed" warnings.  
 | |
| # The config files will not be associated with the package either, this way when 
 | |
| # installing a newer version the config files will be in place and will be preserved
 | |
| 
 | |
| # If original config-files where preserved, urge the operator
 | |
| # to check the new default files for hints on recommended configuration
 | |
| if [ "$CHECKCONF" = "1" ] ; then
 | |
| 	echo "#######"
 | |
| 	echo ""
 | |
| 	echo "Please check the *.default config files for configuration hints"
 | |
| 	echo "and update your existing config files accordingly."
 | |
| fi
 |