150 lines
5.1 KiB
Plaintext
150 lines
5.1 KiB
Plaintext
GROUPADD=/usr/sbin/groupadd
|
|
USERADD=/usr/sbin/useradd
|
|
GREP=/usr/bin/grep
|
|
CUT=/usr/bin/cut
|
|
CAT=/usr/bin/cat
|
|
|
|
PREFIX=/usr/tgcware
|
|
OLDCONFDIR=/usr/local/etc
|
|
CONFDIR=${PREFIX}/etc/ssh
|
|
DESTBIN=${PREFIX}/bin
|
|
CHECKCONF=0
|
|
OLDCONF=0
|
|
SSHID=199
|
|
|
|
# We provide default config-files, check and see if they should be installed.
|
|
for config in ssh_config sshd_config; do
|
|
if [ ! -f "${CONFDIR}/$config" ] ; then
|
|
# No config, it might be an upgrade scenario
|
|
if [ -f "${OLDCONFDIR}/$config" ] ; then
|
|
cp -p ${OLDCONFDIR}/$config ${CONFDIR}
|
|
echo "Migrating $OLDCONFDIR/$config to $CONFDIR"
|
|
OLDCONF=1
|
|
else
|
|
cp -p ${CONFDIR}/$config.default ${CONFDIR}/$config
|
|
echo "Installing new $config"
|
|
fi
|
|
else
|
|
echo "Keeping existing $config"
|
|
CHECKCONF=1
|
|
fi
|
|
done
|
|
|
|
if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then
|
|
rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds
|
|
echo "Removing unneeded ssh_prng_cmds file"
|
|
fi
|
|
|
|
if [ ! -f "${CONFDIR}/moduli" ] ; then
|
|
if [ -f "${OLDCONFDIR}" ]; then
|
|
cp -p $OLDCONFDIR/moduli $CONFDIR
|
|
echo "Migrating $OLDCONFDIR/module to $CONFDIR"
|
|
OLDCONF=1
|
|
else
|
|
if [ -f "${CONFDIR}/primes" ]; then
|
|
echo "Keeping existing primes but renaming it to moduli"
|
|
mv ${CONFDIR}/primes ${CONFDIR}/moduli
|
|
else
|
|
echo "Installing new moduli"
|
|
cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli
|
|
fi
|
|
fi
|
|
else
|
|
echo "Keeping existing moduli"
|
|
fi
|
|
|
|
# We will try to preserve any existing keys from an old setup
|
|
# Note that new keygen is done in the init script
|
|
for keyfile in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key ssh_host_ecdsa_key; do
|
|
if [ ! -f "${CONFDIR}/$keyfile" ] ; then
|
|
# Check and see if we might find it in $OLDCONFDIR
|
|
if [ -f "${OLDCONFDIR}/$keyfile" ]; then
|
|
cp -p $OLDCONFDIR/$keyfile $CONFDIR
|
|
cp -p $OLDCONFDIR/${keyfile}.pub $CONFDIR
|
|
echo "Migrating $OLDCONFDIR/$keyfile to $CONFDIR"
|
|
OLDCONF=1
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# OpenSSH 3.3+ has privilege seperation which requires a user/group to run
|
|
# Attempt to create a group & user for sshd
|
|
echo "Checking for sshd group... \c"
|
|
temp=`$GREP sshd /etc/group`
|
|
if [ -n "$temp" ]; then
|
|
echo "yes"
|
|
gid=`echo $temp|$CUT -d: -f3`
|
|
if [ "$gid" != "$SSHID" ]; then
|
|
echo " Group sshd found but gid does not match with the preferred ($SSHID)!"
|
|
echo " This is not a critical error but please make sure this group"
|
|
echo " is one you actually want to use for sshd."
|
|
fi
|
|
else
|
|
echo "no"
|
|
echo " Attempting to create sshd group (gid=$SSHID)"
|
|
$GROUPADD -g $SSHID sshd
|
|
gid=$SSHID
|
|
fi
|
|
|
|
echo "Checking for sshd user... \c"
|
|
temp=`$GREP sshd /etc/passwd`
|
|
if [ -n "$temp" ]; then
|
|
echo "yes"
|
|
uid=`echo $temp|$CUT -d: -f3`
|
|
ugid=`echo $temp|$CUT -d: -f4`
|
|
if [ "$uid" != "$SSHID" ]; then
|
|
echo " User sshd found but uid doesn't match with the preferred ($SSHID)!"
|
|
echo " This is not a critical error but please make sure this user"
|
|
echo " is one you actually want to use for sshd."
|
|
fi
|
|
if [ "$ugid" != "$gid" ]; then
|
|
echo " User sshd doesn't have group sshd!"
|
|
echo " This is a critical error that must be resolved"
|
|
echo " before privilege seperation can be enabled."
|
|
echo " Since privilege seperation is on by default this problem"
|
|
echo " will prevent sshd from starting."
|
|
fi
|
|
if [ "`echo $temp|$CUT -d: -f6`" != "/var/empty/sshd" ]; then
|
|
echo " User sshd does not have homedir in /var/empty/sshd!"
|
|
echo " This is a possible security risk so please make sure that"
|
|
echo " user sshd has a homedir accessable only by root (perm 711)."
|
|
fi
|
|
if [ "`echo $temp|$CUT -d: -f7`" != "/bin/false" ]; then
|
|
echo " User sshd does not have /bin/false as its shell!"
|
|
echo " Please verify that the sshd user has a non-login shell."
|
|
fi
|
|
else
|
|
echo "no"
|
|
echo " Attempting to create sshd user (uid=$SSHID, gid=$SSHID)"
|
|
$USERADD -u $SSHID -g $SSHID -c "sshd privsep" -d /var/empty/sshd -s /bin/false sshd
|
|
fi
|
|
|
|
# Notice how the ssh host keys are not associated with the package.
|
|
# I find that convenient as I'm sure that they don't disappear if someone
|
|
# uninstalls the package.
|
|
# This is nice because we can then avoid the "hostid changed" warnings.
|
|
# The config files will not be associated with the package either, this way when
|
|
# installing a newer version the config files will be in place and will be preserved
|
|
|
|
# If original config-files where preserved, urge the operator
|
|
# to check the new default files for hints on recommended configuration
|
|
if [ "$CHECKCONF" = "1" ] ; then
|
|
echo "#######"
|
|
echo ""
|
|
echo "Please check the *.default config files for configuration hints"
|
|
echo "and update your existing config files accordingly."
|
|
fi
|
|
|
|
# Try and catch the upgrade scenario from previous packages which had
|
|
# config in etc and not etc/ssh
|
|
if [ "$OLDCONF" = "1" ] ; then
|
|
echo "#######"
|
|
echo ""
|
|
echo "Configuration files and keys was found in $OLDCONFDIR"
|
|
echo "If you're upgrading from a previous release then please"
|
|
echo "make sure to migrate any settings and keys to the new config location"
|
|
echo "in $CONFDIR and remove the old files."
|
|
echo "Also please check the *.default config files for configuration hints"
|
|
echo "and update your existing config files accordingly."
|
|
fi
|