1ce3adf43SDag-Erling Smørgrav#!/bin/bash
2ce3adf43SDag-Erling Smørgrav#
3bc5531deSDag-Erling Smørgrav# ssh-user-config, Copyright 2000-2014 Red Hat Inc.
4ce3adf43SDag-Erling Smørgrav#
5ce3adf43SDag-Erling Smørgrav# This file is part of the Cygwin port of OpenSSH.
6ce3adf43SDag-Erling Smørgrav#
7ce3adf43SDag-Erling Smørgrav# Permission to use, copy, modify, and distribute this software for any
8ce3adf43SDag-Erling Smørgrav# purpose with or without fee is hereby granted, provided that the above
9ce3adf43SDag-Erling Smørgrav# copyright notice and this permission notice appear in all copies.
10ce3adf43SDag-Erling Smørgrav#
11ce3adf43SDag-Erling Smørgrav# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12ce3adf43SDag-Erling Smørgrav# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
13ce3adf43SDag-Erling Smørgrav# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
14ce3adf43SDag-Erling Smørgrav# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15ce3adf43SDag-Erling Smørgrav# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16ce3adf43SDag-Erling Smørgrav# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
17ce3adf43SDag-Erling Smørgrav# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
18ce3adf43SDag-Erling Smørgrav
19ce3adf43SDag-Erling Smørgrav# ======================================================================
20ce3adf43SDag-Erling Smørgrav# Initialization
21ce3adf43SDag-Erling Smørgrav# ======================================================================
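# Name of this script and the directory it was started from, resolved
# once so the /etc/postinstall detection further down can compare
# against it.  "$0" is quoted: an unquoted $0 would be word-split and
# globbed if the install path contained spaces or metacharacters.
PROGNAME=$(basename -- "$0")
_tdir=$(dirname -- "$0")
PROGDIR=$(cd "$_tdir" && pwd)

# Cygwin service installation helper; it provides the csih_* routines
# (csih_request, csih_inform, csih_warning, csih_error, ...) used below.
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh

# Subdirectory where the new package is being installed
PREFIX=/usr

# Directory where the config files are stored
SYSCONFDIR=/etc

source "${CSIH_SCRIPT}"

# State filled in by the option parser at the bottom of this file.
auto_passphrase="no"    # not referenced elsewhere in this file; kept as-is
passphrase=""           # argument of -p/--passphrase, handed to ssh-keygen -N
pwdhome=                # user's home directory, set by check_user_homedir
with_passphrase=        # "yes" once -p/--passphrase has been given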
40ce3adf43SDag-Erling Smørgrav
41ce3adf43SDag-Erling Smørgrav# ======================================================================
42ce3adf43SDag-Erling Smørgrav# Routine: create_identity
43ce3adf43SDag-Erling Smørgrav#   optionally create identity of type argument in ~/.ssh
44ce3adf43SDag-Erling Smørgrav#   optionally add result to ~/.ssh/authorized_keys
45ce3adf43SDag-Erling Smørgrav# ======================================================================
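# ======================================================================
# Routine: create_identity
#   optionally create identity of type argument in ~/.ssh
#   optionally add result to ~/.ssh/authorized_keys
# Arguments:
#   $1 - key file name inside ~/.ssh (e.g. id_rsa)
#   $2 - key type, passed through to "ssh-keygen -t"
#   $3 - human readable name used in the prompts
# PREREQUISITE:
#   pwdhome                      -- check_user_homedir()
#   with_passphrase, passphrase  -- option parser
# Returns:
#   0 normally, 1 if ssh-keygen did not produce the key pair
# ======================================================================
create_identity() {
  local file="$1"
  local type="$2"
  local name="$3"
  local keypath="${pwdhome}/.ssh/${file}"
  local keygen_rv=0

  # Never overwrite a key the user already has.
  if [ -f "${keypath}" ]
  then
    return 0
  fi
  if ! csih_request "Shall I create a ${name} identity file for you?"
  then
    return 0
  fi

  csih_inform "Generating ${keypath}"
  if [ "${with_passphrase}" = "yes" ]
  then
    # ssh-keygen accepts a non-interactive passphrase only via -N on its
    # command line, so a -p/--passphrase value is briefly visible to other
    # local users in the process list.  Inherent to that option.
    ssh-keygen -t "${type}" -N "${passphrase}" -f "${keypath}" > /dev/null || keygen_rv=$?
  else
    ssh-keygen -t "${type}" -f "${keypath}" > /dev/null || keygen_rv=$?
  fi
  # If key generation failed (unsupported type, interrupted passphrase
  # prompt, ...) there is no .pub file; asking to append it to
  # authorized_keys would only produce a confusing cat error.
  if [ "${keygen_rv}" -ne 0 ] || [ ! -f "${keypath}.pub" ]
  then
    csih_warning "Generating ${keypath} failed, skipping."
    return 1
  fi

  if csih_request "Do you want to use this identity to login to this machine?"
  then
    csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
    cat "${keypath}.pub" >> "${pwdhome}/.ssh/authorized_keys"
  fi
  return 0
} # === End of create_identity() === #
readonly -f create_identity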
70ce3adf43SDag-Erling Smørgrav
71ce3adf43SDag-Erling Smørgrav# ======================================================================
72ce3adf43SDag-Erling Smørgrav# Routine: check_user_homedir
73ce3adf43SDag-Erling Smørgrav#   Perform various checks on the user's home directory
74ce3adf43SDag-Erling Smørgrav# SETS GLOBAL VARIABLE:
75ce3adf43SDag-Erling Smørgrav#   pwdhome
76ce3adf43SDag-Erling Smørgrav# ======================================================================
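# ======================================================================
# Routine: check_user_homedir
#   Perform various checks on the user's home directory
# SETS GLOBAL VARIABLE:
#   pwdhome
# Exits:
#   via csih_error_multi when no usable home directory is recorded, or
#   with status 1 when the user declines to proceed with home == "/"
# ======================================================================
check_user_homedir() {
  # Ask the account database rather than trusting $HOME: that is where
  # sshd looks up the home directory when it searches for ~/.ssh.
  pwdhome=$(getent passwd "$UID" | awk -F: '{ print $6; }')
  if [[ -z "${pwdhome}" ]]
  then
    csih_error_multi \
      "There is no home directory set for you in the account database." \
      'Setting $HOME is not sufficient!'
  fi

  if [[ ! -d "${pwdhome}" ]]
  then
    csih_error_multi \
      "${pwdhome} is set in the account database as your home directory" \
      'but it is not a valid directory. Cannot create user identity files.'
  fi

  # If home is the root dir, set home to empty string to avoid error messages
  # in subsequent parts of that script.
  if [[ "${pwdhome}" == "/" ]]
  then
    # But first raise a warning!
    csih_warning "Your home directory in the account database is set to root (/). This is not recommended!"
    if csih_request "Would you like to proceed anyway?"
    then
      pwdhome=''
    else
      csih_warning "Exiting. Configuration is not complete"
      exit 1
    fi
  fi

  # A group- or world-writable home directory makes sshd (StrictModes)
  # refuse public key authentication, so revoke those bits.  "chmod -c"
  # prints a line only when a mode actually changed, which is what
  # decides whether the warning below is shown.  chmod is only run when
  # the directory exists, so the empty "/"-case above stays silent.
  local mode_changed=
  if [[ -d "${pwdhome}" ]]
  then
    mode_changed=$(chmod -c g-w,o-w "${pwdhome}")
  fi
  if [[ -n "${mode_changed}" ]]
  then
    echo
    csih_warning 'group and other have been revoked write permission to your home'
    csih_warning "directory ${pwdhome}."
    csih_warning 'This is required by OpenSSH to allow public key authentication using'
    csih_warning 'the key files stored in your .ssh subdirectory.'
    csih_warning 'Revert this change ONLY if you know what you are doing!'
    echo
  fi
} # === End of check_user_homedir() === #
readonly -f check_user_homedir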
120ce3adf43SDag-Erling Smørgrav
121ce3adf43SDag-Erling Smørgrav# ======================================================================
122ce3adf43SDag-Erling Smørgrav# Routine: check_user_dot_ssh_dir
123ce3adf43SDag-Erling Smørgrav#   Perform various checks on the ~/.ssh directory
124ce3adf43SDag-Erling Smørgrav# PREREQUISITE:
125ce3adf43SDag-Erling Smørgrav#   pwdhome -- check_user_homedir()
126ce3adf43SDag-Erling Smørgrav# ======================================================================
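# ======================================================================
# Routine: check_user_dot_ssh_dir
#   Perform various checks on the ~/.ssh directory and create it if
#   it does not exist yet
# PREREQUISITE:
#   pwdhome -- check_user_homedir()
# Exits:
#   via csih_error when ~/.ssh exists but is not a directory, or when
#   it cannot be created
# ======================================================================
check_user_dot_ssh_dir() {
  local sshdir="${pwdhome}/.ssh"

  if [[ -e "${sshdir}" && ! -d "${sshdir}" ]]
  then
    csih_error "${pwdhome}/.ssh is existent but not a directory. Cannot create user identity files."
  fi

  if [[ ! -e "${sshdir}" ]]
  then
    # Create it owner-only (0700) regardless of the umask: the private
    # keys generated below must not be readable by anybody else, and
    # sshd (StrictModes) rejects a group- or world-writable .ssh.
    mkdir -m 700 "${sshdir}"
    if [[ ! -d "${sshdir}" ]]
    then
      csih_error "Creating users ${pwdhome}/.ssh directory failed"
    fi
  fi
} # === End of check_user_dot_ssh_dir() === #
readonly -f check_user_dot_ssh_dir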
143ce3adf43SDag-Erling Smørgrav
144ce3adf43SDag-Erling Smørgrav# ======================================================================
145ce3adf43SDag-Erling Smørgrav# Routine: fix_authorized_keys_perms
146ce3adf43SDag-Erling Smørgrav#   Corrects the permissions of ~/.ssh/authorized_keys
147ce3adf43SDag-Erling Smørgrav# PREREQUISITE:
148ce3adf43SDag-Erling Smørgrav#   pwdhome   -- check_user_homedir()
149ce3adf43SDag-Erling Smørgrav# ======================================================================
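# ======================================================================
# Routine: fix_authorized_keys_perms
#   Corrects the permissions of ~/.ssh/authorized_keys
# PREREQUISITE:
#   pwdhome   -- check_user_homedir()
# Returns:
#   0; a failed chmod only produces a warning
# ======================================================================
fix_authorized_keys_perms() {
  local akfile="${pwdhome}/.ssh/authorized_keys"

  if [[ -e "${akfile}" ]]
  then
    # Strip extended ACL entries first so that the mode set by chmod
    # below is what actually applies.  setfacl may be missing or the
    # file may carry no ACL; either way that is not an error here.
    setfacl -b "${akfile}" 2>/dev/null || :
    # Group and other lose write and execute; sshd (StrictModes) refuses
    # an authorized_keys file that others can write to.
    if ! chmod u-x,g-wx,o-wx "${akfile}"
    then
      csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
      csih_warning "failed.  Please care for the correct permissions.  The minimum requirement"
      csih_warning "is, the owner needs read permissions."
      echo
    fi
  fi
  return 0
} # === End of fix_authorized_keys_perms() === #
readonly -f fix_authorized_keys_perms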
164ce3adf43SDag-Erling Smørgrav
165ce3adf43SDag-Erling Smørgrav
166ce3adf43SDag-Erling Smørgrav# ======================================================================
167ce3adf43SDag-Erling Smørgrav# Main Entry Point
168ce3adf43SDag-Erling Smørgrav# ======================================================================
169ce3adf43SDag-Erling Smørgrav
# Check how the script has been started.  If
#   (1) it has been started by giving the full path and
#       that path is /etc/postinstall, or
#   (2) otherwise, the environment variable
#       SSH_USER_CONFIG_AUTO_ANSWER_NO is set,
# then set auto_answer to "no".  This allows automatic
# creation of the config files in /etc w/o overwriting
# them if they already exist.  In both cases, color
# escape sequences are suppressed, so as to prevent
# cluttering setup's logfiles.
# Started by Cygwin setup's postinstall stage: nobody is there to answer
# prompts, and the log file should not receive color escapes.
if [[ "$PROGDIR" == "/etc/postinstall" ]]
then
  csih_auto_answer="no"
  csih_disable_color
fi
# Same treatment when explicitly requested through the environment.
if [[ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]]
then
  csih_auto_answer="no"
  csih_disable_color
fi
190ce3adf43SDag-Erling Smørgrav
191ce3adf43SDag-Erling Smørgrav# ======================================================================
192ce3adf43SDag-Erling Smørgrav# Parse options
193ce3adf43SDag-Erling Smørgrav# ======================================================================
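# Consume the command line one word at a time; the loop ends when no
# arguments are left.  Unknown words print the usage text and exit.
while [ $# -gt 0 ]
do
  option=$1
  shift

  case "$option" in
  -d | --debug )
    set -x
    csih_trace_on
    ;;

  -y | --yes )
    csih_auto_answer=yes
    ;;

  -n | --no )
    csih_auto_answer=no
    ;;

  -p | --passphrase )
    # The passphrase is the following word.  Reject a trailing -p
    # instead of silently generating keys with an empty passphrase.
    if [ $# -eq 0 ]
    then
      echo "${PROGNAME}: option ${option} requires an argument" >&2
      exit 1
    fi
    with_passphrase="yes"
    passphrase=$1
    shift
    ;;

  *)
    echo "usage: ${PROGNAME} [OPTION]..."
    echo
    echo "This script creates an OpenSSH user configuration."
    echo
    echo "Options:"
    echo "    --debug      -d        Enable shell's debug output."
    echo "    --yes        -y        Answer all questions with \"yes\" automatically."
    echo "    --no         -n        Answer all questions with \"no\" automatically."
    echo "    --passphrase -p word   Use \"word\" as passphrase automatically."
    echo
    exit 1
    ;;

  esac
done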
241ce3adf43SDag-Erling Smørgrav
242ce3adf43SDag-Erling Smørgrav# ======================================================================
243ce3adf43SDag-Erling Smørgrav# Action!
244ce3adf43SDag-Erling Smørgrav# ======================================================================
245ce3adf43SDag-Erling Smørgrav
check_user_homedir
check_user_dot_ssh_dir

# One entry per key type: "<file in ~/.ssh>:<ssh-keygen -t type>:<label>".
identity_specs=(
  'id_rsa:rsa:SSH2 RSA'
  'id_dsa:dsa:SSH2 DSA'
  'id_ecdsa:ecdsa:SSH2 ECDSA'
  'identity:rsa1:(deprecated) SSH1 RSA'
)
for spec in "${identity_specs[@]}"
do
  # The here-string feeds only this read; create_identity keeps the
  # script's own stdin for its interactive prompts.
  IFS=: read -r key_file key_type key_name <<<"${spec}"
  create_identity "${key_file}" "${key_type}" "${key_name}"
done
unset identity_specs spec key_file key_type key_name

fix_authorized_keys_perms

echo
csih_inform "Configuration finished. Have fun!"
256ce3adf43SDag-Erling Smørgrav
257ce3adf43SDag-Erling Smørgrav