From 9be6e267b5769f0783fdb83b38a19418c6bd83d1 Mon Sep 17 00:00:00 2001 From: Kevin Steves Date: Sun, 29 Oct 2000 19:18:49 +0000 Subject: - (stevesk) Create contrib/cygwin/ directory; patch from Corinna Vinschen --- contrib/cygwin/README | 137 ++++++++++++++++++++ contrib/cygwin/ssh-config | 324 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 461 insertions(+) create mode 100644 contrib/cygwin/README create mode 100755 contrib/cygwin/ssh-config (limited to 'contrib') diff --git a/contrib/cygwin/README b/contrib/cygwin/README new file mode 100644 index 000000000..8c9d0bb73 --- /dev/null +++ b/contrib/cygwin/README @@ -0,0 +1,137 @@ +This package is the actual port of OpenSSH to Cygwin 1.1. + +=========================================================================== +Important change since 2.3.0p1: + +When using `ntea' or `ntsec' you now have to care for the ownership +and permission bits of your host key files and your private key files. +The host key files have to be owned by the NT account which starts +sshd. The user key files have to be owned by the user. The permission +bits of the private key files (host and user) have to be at least +rw------- (0600)! + +Note that this is forced under `ntsec' only if the files are on a NTFS +filesystem (which is recommended) due to the lack of any basic security +features of the FAT/FAT32 filesystems. +=========================================================================== + +Since this package is part of the base distribution now, the location +of the files has changed from /usr/local to /usr. The global configuration +files are in /etc now. + +If you are installing OpenSSH the first time, you can generate +global config files, server keys and your own user keys by running + + /usr/bin/ssh-config + +If you are updating your installation you may run the above ssh-config +as well to move your configuration files to the new location and to +erase the files at the old location. + +Be sure to start the new ssh-config when updating! + +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-config is started. + +Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd +(results in very slow deamon startup!) or from the command line (recommended +on 9X/ME). + +If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the +following line to your inetd.conf file: + +sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i + +Moreover you'll have to add the following line to your +${SYSTEMROOT}/system32/drivers/etc/services file: + + sshd 22/tcp #SSH daemon + +Authentication to sshd is possible in one of two ways. +You'll have to decide before starting sshd! + +- If you want to authenticate via RSA and you want to login to that + machine to exactly one user account you can do so by running sshd + under that user account. You must change /etc/sshd_config + to contain the following: + + RSAAuthentication yes + + Moreover it's possible to use rhosts and/or rhosts with + RSA authentication by setting the following in sshd_config: + + RhostsAuthentication yes + RhostsRSAAuthentication yes + +- If you want to be able to login to different user accounts you'll + have to start sshd under system account or any other account that + is able to switch user context. Note that administrators are _not_ + able to do that by default! You'll have to give the following + special user rights to the user: + "Act as part of the operating system" + "Replace process level token" + "Increase quotas" + and if used via service manager + "Logon as a service". + + The system account does of course own that user rights by default. + + Unfortunately, if you choose that way, you can only logon with + NT password authentification and you should change + /etc/sshd_config to contain the following: + + PasswordAuthentication yes + RhostsAuthentication no + RhostsRSAAuthentication no + RSAAuthentication no + + However you can login to the user which has started sshd with + RSA authentication anyway. If you want that, change the RSA + authentication setting back to "yes": + + RSAAuthentication yes + +You may use all features of the CYGWIN=ntsec setting the same +way as they are used by the `login' port on sources.redhat.com: + + The pw_gecos field may contain an additional field, that begins + with (upper case!) "U-", followed by the domain and the username + separated by a backslash. + CAUTION: The SID _must_ remain the _last_ field in pw_gecos! + BTW: The field separator in pw_gecos is the comma. + The username in pw_name itself may be any nice name: + + domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... + + Now you may use `domuser' as your login name with telnet! + This is possible additionally for local users, if you don't like + your NT login name ;-) You only have to leave out the domain: + + locuser::1104:513:John Doe,U-user,S-1-5-21-... + +V2 server and user keys are generated by `ssh-config'. If you want to +create DSA keys by yourself, call ssh-keygen with `-d' option. + +DSA authentication similar to RSA: + Add keys to ~/.ssh/authorized_keys2 +Interop. w/ ssh.com dsa-keys: + ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2 +and vice versa: + ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub + echo Key mykey.pub >> ~/.ssh2/authorization + +If you want to build from source, the following options to +configure are used for the Cygwin binary distribution: + +--prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin + +You must have installed the zlib, openssl and regex packages to +be able to build OpenSSH! + +Please send requests, error reports etc. to cygwin@sources.redhat.com. + +Have fun, + +Corinna Vinschen +Cygwin Developer +Red Hat Inc. diff --git a/contrib/cygwin/ssh-config b/contrib/cygwin/ssh-config new file mode 100755 index 000000000..20c8cceb0 --- /dev/null +++ b/contrib/cygwin/ssh-config @@ -0,0 +1,324 @@ +#!/bin/sh +# +# ssh-config, Copyright 2000, Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. + +# set -x + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc + +# Subdirectory where an old package might be installed +OLDPREFIX=/usr/local +OLDSYSCONFDIR=${OLDPREFIX}/etc + +request() +{ + answer="" + while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] + do + echo -n "$1 (yes/no) " + read answer + done + if [ "X${answer}" = "Xyes" ] + then + return 0 + else + return 1 + fi +} + +# Check for running ssh/sshd processes first. Refuse to do anything while +# some ssh processes are still running + +if ps -ef | grep -v grep | grep -q ssh +then + echo + echo "There are still ssh processes running. Please shut them down first." + echo + exit 1 +fi + +# Check for ${SYSCONFDIR} directory + +if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] +then + echo + echo "${SYSCONFDIR} is existant but not a directory." + echo "Cannot create global configuration files." + echo + exit 1 +fi + +# Create it if necessary + +if [ ! -e "${SYSCONFDIR}" ] +then + mkdir "${SYSCONFDIR}" + if [ ! -e "${SYSCONFDIR}" ] + then + echo + echo "Creating ${SYSCONFDIR} directory failed" + echo + exit 1 + fi +fi + +# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't +# the same as ${PREFIX} + +if [ "${OLDPREFIX}" != "${PREFIX}" ] +then + if [ -f "${OLDPREFIX}/sbin/sshd" ] + then + echo + echo "You seem to have an older installation in ${OLDPREFIX}." + echo + # Check if old global configuration files exist + if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] + then + if request "Do you want to copy your config files to your new installation?" + then + cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} + fi + fi + if request "Do you want to erase your old installation?" + then + rm -f ${OLDPREFIX}/bin/ssh.exe + rm -f ${OLDPREFIX}/bin/ssh-config + rm -f ${OLDPREFIX}/bin/scp.exe + rm -f ${OLDPREFIX}/bin/ssh-add.exe + rm -f ${OLDPREFIX}/bin/ssh-agent.exe + rm -f ${OLDPREFIX}/bin/ssh-keygen.exe + rm -f ${OLDPREFIX}/bin/slogin + rm -f ${OLDSYSCONFDIR}/ssh_host_key + rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub + rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key + rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub + rm -f ${OLDSYSCONFDIR}/ssh_config + rm -f ${OLDSYSCONFDIR}/sshd_config + rm -f ${OLDPREFIX}/man/man1/ssh.1 + rm -f ${OLDPREFIX}/man/man1/scp.1 + rm -f ${OLDPREFIX}/man/man1/ssh-add.1 + rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 + rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 + rm -f ${OLDPREFIX}/man/man1/slogin.1 + rm -f ${OLDPREFIX}/man/man8/sshd.8 + rm -f ${OLDPREFIX}/sbin/sshd.exe + rm -f ${OLDPREFIX}/sbin/sftp-server.exe + fi + fi +fi + +# First generate host keys if not already existing + +if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_key" + ssh-keygen -f ${SYSCONFDIR}/ssh_host_key -N '' +fi + +if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" + ssh-keygen -d -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' +fi + +# Check if ssh_config exists. If yes, ask for overwriting + +if [ -f "${SYSCONFDIR}/ssh_config" ] +then + if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" + then + rm -f "${SYSCONFDIR}/ssh_config" + if [ -f "${SYSCONFDIR}/ssh_config" ] + then + echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." + fi + fi +fi + +# Create default ssh_config from here script + +if [ ! -f "${SYSCONFDIR}/ssh_config" ] +then + echo "Creating default ${SYSCONFDIR}/ssh_config file" + cat > ${SYSCONFDIR}/ssh_config << EOF +# This is ssh client systemwide configuration file. This file provides +# defaults for users, and the values can be changed in per-user configuration +# files or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for various options + +# Host * +# ForwardAgent yes +# ForwardX11 yes +# RhostsAuthentication yes +# RhostsRSAAuthentication yes +# RSAAuthentication yes +# PasswordAuthentication yes +# FallBackToRsh no +# UseRsh no +# BatchMode no +# CheckHostIP yes +# StrictHostKeyChecking no +# IdentityFile ~/.ssh/identity +# Port 22 +# Protocol 2,1 +# Cipher 3des +# EscapeChar ~ + +# Be paranoid by default +Host * + ForwardAgent no + ForwardX11 no + FallBackToRsh no +EOF +fi + +# Check if sshd_config exists. If yes, ask for overwriting + +if [ -f "${SYSCONFDIR}/sshd_config" ] +then + if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" + then + rm -f "${SYSCONFDIR}/sshd_config" + if [ -f "${SYSCONFDIR}/sshd_config" ] + then + echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." + fi + fi +fi + +# Create default sshd_config from here script + +if [ ! -f "${SYSCONFDIR}/sshd_config" ] +then + echo "Creating default ${SYSCONFDIR}/sshd_config file" + cat > ${SYSCONFDIR}/sshd_config << EOF +# This is ssh server systemwide configuration file. + +Port 22 +#Protocol 2,1 +ListenAddress 0.0.0.0 +#ListenAddress :: +#HostKey /etc/ssh_host_key +ServerKeyBits 768 +LoginGraceTime 600 +KeyRegenerationInterval 3600 +PermitRootLogin yes +# +# Don't read ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes +StrictModes yes +X11Forwarding no +X11DisplayOffset 10 +PrintMotd yes +KeepAlive yes + +# Logging +SyslogFacility AUTH +LogLevel INFO +#obsoletes QuietMode and FascistLogging + +RhostsAuthentication no +# +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no + +# To install for logon to different user accounts change to "no" here +RSAAuthentication yes + +# To install for logon to different user accounts change to "yes" here +PasswordAuthentication no + +PermitEmptyPasswords no + +CheckMail no +UseLogin no + +#Uncomment if you want to enable sftp +#Subsystem sftp /usr/sbin/sftp-server +#MaxStartups 10:30:60 +EOF +fi + +# Ask user if user identity should be generated + +if [ "X${HOME}" = "X" ] +then + echo '$HOME is nonexistant. Cannot create user identity files.' + exit 1 +fi + +if [ ! -d "${HOME}" ] +then + echo '$HOME is not a valid directory. Cannot create user identity files.' + exit 1 +fi + +# If HOME is the root dir, set HOME to empty string to avoid error messages +# in subsequent parts of that script. +if [ "X${HOME}" = "X/" ] +then + HOME='' +fi + +if [ -e "${HOME}/.ssh" -a ! -d "${HOME}/.ssh" ] +then + echo '$HOME/.ssh is existant but not a directory. Cannot create user identity files.' + exit 1 +fi + +if [ ! -e "${HOME}/.ssh" ] +then + mkdir "${HOME}/.ssh" + if [ ! -e "${HOME}/.ssh" ] + then + echo "Creating users ${HOME}/.ssh directory failed" + exit 1 + fi +fi + +if [ ! -f "${HOME}/.ssh/identity" ] +then + if request "Shall I create an RSA identity file for you?" + then + echo "Generating ${HOME}/.ssh/identity" + ssh-keygen -f "${HOME}/.ssh/identity" + fi +fi + +if [ ! -f "${HOME}/.ssh/id_dsa" ] +then + if request "Shall I create an DSA identity file for you? (yes/no) " + then + echo "Generating ${HOME}/.ssh/id_dsa" + ssh-keygen -d -f "${HOME}/.ssh/id_dsa" + fi +fi + +echo +echo "Note: If you have used sshd as service or from inetd, don't forget to" +echo " change the path to sshd.exe in the service entry or in inetd.conf." +echo +echo "Configuration finished. Have fun!" -- cgit v1.2.3