1#!/bin/bash
2#
3# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
4#
5# This file is part of the Cygwin port of OpenSSH.
6#
7# Permission to use, copy, modify, and distribute this software for any
8# purpose with or without fee is hereby granted, provided that the above
9# copyright notice and this permission notice appear in all copies.
10#
11# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
13# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
14# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
15# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
16# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
17# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
18
19# ======================================================================
20# Initialization
21# ======================================================================
22
23CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
24
25# List of apps used.  This is checkad for existance in csih_sanity_check
26# Don't use *any* transient commands before sourcing the csih helper script,
27# otherwise the sanity checks are short-circuited.
28declare -a csih_required_commands=(
29  /usr/bin/basename coreutils
30  /usr/bin/cat coreutils
31  /usr/bin/chmod coreutils
32  /usr/bin/dirname coreutils
33  /usr/bin/id coreutils
34  /usr/bin/mv coreutils
35  /usr/bin/rm coreutils
36  /usr/bin/cygpath cygwin
37  /usr/bin/mkpasswd cygwin
38  /usr/bin/mount cygwin
39  /usr/bin/ps cygwin
40  /usr/bin/umount cygwin
41  /usr/bin/cmp diffutils
42  /usr/bin/grep grep
43  /usr/bin/awk gawk
44  /usr/bin/ssh-keygen openssh
45  /usr/sbin/sshd openssh
46  /usr/bin/sed sed
47)
48csih_sanity_check_server=yes
49source ${CSIH_SCRIPT}
50
51PROGNAME=$(/usr/bin/basename $0)
52_tdir=$(/usr/bin/dirname $0)
53PROGDIR=$(cd $_tdir && pwd)
54
55# Subdirectory where the new package is being installed
56PREFIX=/usr
57
58# Directory where the config files are stored
59SYSCONFDIR=/etc
60LOCALSTATEDIR=/var
61
62sshd_config_configured=no
63port_number=22
64service_name=sshd
65strictmodes=yes
66cygwin_value=""
67user_account=
68password_value=
69opt_force=no
70
71# ======================================================================
72# Routine: update_services_file
73# ======================================================================
74update_services_file() {
75  local _my_etcdir="/ssh-host-config.$$"
76  local _win_etcdir
77  local _services
78  local _spaces
79  local _serv_tmp
80  local _wservices
81  local ret=0
82
83  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
84  _services="${_my_etcdir}/services"
85  _spaces="                           #"
86  _serv_tmp="${_my_etcdir}/srv.out.$$"
87
88  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
89
90  # Depends on the above mount
91  _wservices=`cygpath -w "${_services}"`
92
93  # Add ssh 22/tcp  and ssh 22/udp to services
94  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
95  then
96    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
97    then
98      if /usr/bin/mv "${_serv_tmp}" "${_services}"
99      then
100	csih_inform "Added ssh to ${_wservices}"
101      else
102	csih_warning "Adding ssh to ${_wservices} failed!"
103	let ++ret
104      fi
105      /usr/bin/rm -f "${_serv_tmp}"
106    else
107      csih_warning "Adding ssh to ${_wservices} failed!"
108      let ++ret
109    fi
110  fi
111  /usr/bin/umount "${_my_etcdir}"
112  return $ret
113} # --- End of update_services_file --- #
114
115# ======================================================================
116# Routine: sshd_strictmodes
117#  MODIFIES: strictmodes
118# ======================================================================
119sshd_strictmodes() {
120  if [ "${sshd_config_configured}" != "yes" ]
121  then
122    echo
123    csih_inform "StrictModes is set to 'yes' by default."
124    csih_inform "This is the recommended setting, but it requires that the POSIX"
125    csih_inform "permissions of the user's home directory, the user's .ssh"
126    csih_inform "directory, and the user's ssh key files are tight so that"
127    csih_inform "only the user has write permissions."
128    csih_inform "On the other hand, StrictModes don't work well with default"
129    csih_inform "Windows permissions of a home directory mounted with the"
130    csih_inform "'noacl' option, and they don't work at all if the home"
131    csih_inform "directory is on a FAT or FAT32 partition."
132    if ! csih_request "Should StrictModes be used?"
133    then
134      strictmodes=no
135    fi
136  fi
137  return 0
138}
139
140# ======================================================================
141# Routine: sshd_privsep
142# Try to create ssshd user account
143# ======================================================================
144sshd_privsep() {
145  local ret=0
146
147  if [ "${sshd_config_configured}" != "yes" ]
148  then
149    if ! csih_create_unprivileged_user sshd
150    then
151      csih_error_recoverable "Could not create user 'sshd'!"
152      csih_error_recoverable "You will not be able to run an sshd service"
153      csih_error_recoverable "under a privileged account successfully."
154      csih_error_recoverable "Make sure to create a non-privileged user 'sshd'"
155      csih_error_recoverable "manually before trying to run the service!"
156      let ++ret
157    fi
158  fi
159  return $ret
160} # --- End of sshd_privsep --- #
161
162# ======================================================================
163# Routine: sshd_config_tweak
164# ======================================================================
165sshd_config_tweak() {
166  local ret=0
167
168  # Modify sshd_config
169  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
170  if [ "${port_number}" -ne 22 ]
171  then
172    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
173      ${SYSCONFDIR}/sshd_config
174    if [ $? -ne 0 ]
175    then
176      csih_warning "Setting listening port to ${port_number} failed!"
177      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
178      let ++ret
179    fi
180  fi
181  if [ "${strictmodes}" = "no" ]
182  then
183    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
184      ${SYSCONFDIR}/sshd_config
185    if [ $? -ne 0 ]
186    then
187      csih_warning "Setting StrictModes to 'no' failed!"
188      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
189      let ++ret
190    fi
191  fi
192  return $ret
193} # --- End of sshd_config_tweak --- #
194
195# ======================================================================
196# Routine: update_inetd_conf
197# ======================================================================
198update_inetd_conf() {
199  local _inetcnf="${SYSCONFDIR}/inetd.conf"
200  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
201  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
202  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
203  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
204  local _with_comment=1
205  local ret=0
206
207  if [ -d "${_inetcnf_dir}" ]
208  then
209    # we have inetutils-1.5 inetd.d support
210    if [ -f "${_inetcnf}" ]
211    then
212      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
213
214      # check for sshd OR ssh in top-level inetd.conf file, and remove
215      # will be replaced by a file in inetd.d/
216      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
217      then
218	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
219	if [ -f "${_inetcnf_tmp}" ]
220	then
221	  if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
222	  then
223  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
224	  else
225  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
226	    let ++ret
227	  fi
228	  /usr/bin/rm -f "${_inetcnf_tmp}"
229	else
230	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
231	  let ++ret
232	fi
233      fi
234    fi
235
236    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
237    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
238    then
239      if [ "${_with_comment}" -eq 0 ]
240      then
241	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
242      else
243	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
244      fi
245      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
246      then
247	csih_inform "Updated ${_sshd_inetd_conf}"
248      else
249	csih_warning "Updating ${_sshd_inetd_conf} failed!"
250	let ++ret
251      fi
252    fi
253
254  elif [ -f "${_inetcnf}" ]
255  then
256    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
257
258    # check for sshd in top-level inetd.conf file, and remove
259    # will be replaced by a file in inetd.d/
260    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
261    then
262      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
263      if [ -f "${_inetcnf_tmp}" ]
264      then
265	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
266	then
267	    csih_inform "Removed sshd from ${_inetcnf}"
268	else
269	    csih_warning "Removing sshd from ${_inetcnf} failed!"
270	    let ++ret
271	fi
272	/usr/bin/rm -f "${_inetcnf_tmp}"
273      else
274	csih_warning "Removing sshd from ${_inetcnf} failed!"
275	let ++ret
276      fi
277    fi
278
279    # Add ssh line to inetd.conf
280    if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
281    then
282      if [ "${_with_comment}" -eq 0 ]
283      then
284	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
285      else
286	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
287      fi
288      if [ $? -eq 0 ]
289      then
290	csih_inform "Added ssh to ${_inetcnf}"
291      else
292	csih_warning "Adding ssh to ${_inetcnf} failed!"
293	let ++ret
294      fi
295    fi
296  fi
297  return $ret
298} # --- End of update_inetd_conf --- #
299
300# ======================================================================
301# Routine: check_service_files_ownership
302#   Checks that the files in /etc and /var belong to the right owner
303# ======================================================================
304check_service_files_ownership() {
305  local run_service_as=$1
306  local ret=0
307
308  if [ -z "${run_service_as}" ]
309  then
310    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
311    		 /usr/bin/sed -ne 's/^Account *: *//gp')
312    if [ "${accnt_name}" = "LocalSystem" ]
313    then
314      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
315      run_service_as="SYSTEM"
316    else
317      dom="${accnt_name%%\\*}"
318      accnt_name="${accnt_name#*\\}"
319      if [ "${dom}" = '.' ]
320      then
321	# Check local account
322	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
323			 /usr/bin/awk -F: '{print $1;}')
324      else
325      	# Check domain
326	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
327			 /usr/bin/awk -F: '{print $1;}')
328      fi
329    fi
330    if [ -z "${run_service_as}" ]
331    then
332      csih_warning "Couldn't determine name of user running sshd service from account database!"
333      csih_warning "As a result, this script cannot make sure that the files used"
334      csih_warning "by the sshd service belong to the user running the service."
335      return 1
336    fi
337  fi
338  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
339  do
340    if [ -f "$i" ]
341    then
342      if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
343      then
344	csih_warning "Couldn't change owner of $i!"
345	let ++ret
346      fi
347    fi
348  done
349  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
350  then
351    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
352    let ++ret
353  fi
354  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
355  then
356    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
357    let ++ret
358  fi
359  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
360  then
361    if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
362    then
363      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
364      let ++ret
365    fi
366  fi
367  if [ $ret -ne 0 ]
368  then
369    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
370    csih_warning "This may cause the sshd service to fail!  Please make sure that"
371    csih_warning "you have suufficient permissions to change the ownership of files"
372    csih_warning "and try to run the ssh-host-config script again."
373  fi
374  return $ret
375} # --- End of check_service_files_ownership --- #
376
377# ======================================================================
378# Routine: install_service
379#   Install sshd as a service
380# ======================================================================
381install_service() {
382  local run_service_as
383  local password
384  local ret=0
385
386  echo
387  if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
388  then
389    csih_inform "Sshd service is already installed."
390    check_service_files_ownership "" || let ret+=$?
391  else
392    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
393    if csih_request "(Say \"no\" if it is already installed as a service)"
394    then
395      csih_get_cygenv "${cygwin_value}"
396
397      if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
398      then
399	csih_inform "On Windows Server 2003, Windows Vista, and above, the"
400	csih_inform "SYSTEM account cannot setuid to other users -- a capability"
401	csih_inform "sshd requires.  You need to have or to create a privileged"
402	csih_inform "account.  This script will help you do so."
403	echo
404
405	[ "${opt_force}" = "yes" ] && opt_f=-f
406	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
407	csih_select_privileged_username ${opt_f} ${opt_u} sshd
408
409	if ! csih_create_privileged_user "${password_value}"
410	then
411	  csih_error_recoverable "There was a serious problem creating a privileged user."
412	  csih_request "Do you want to proceed anyway?" || exit 1
413	  let ++ret
414	fi
415      fi
416
417      # Never returns empty if NT or above
418      run_service_as=$(csih_service_should_run_as)
419
420      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
421      then
422	password="${csih_PRIVILEGED_PASSWORD}"
423	if [ -z "${password}" ]
424	then
425	  csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
426	  password="${csih_value}"
427	fi
428      fi
429
430      # At this point, we either have $run_service_as = "system" and
431      # $password is empty, or $run_service_as is some privileged user and
432      # (hopefully) $password contains the correct password.  So, from here
433      # out, we use '-z "${password}"' to discriminate the two cases.
434
435      csih_check_user "${run_service_as}"
436
437      if [ -n "${csih_cygenv}" ]
438      then
439	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
440      fi
441      if [ -z "${password}" ]
442      then
443	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
444			      -a "-D" -y tcpip "${cygwin_env[@]}"
445	then
446	  echo
447	  csih_inform "The sshd service has been installed under the LocalSystem"
448	  csih_inform "account (also known as SYSTEM). To start the service now, call"
449	  csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'.  Otherwise, it"
450	  csih_inform "will start automatically after the next reboot."
451	fi
452      else
453	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
454			      -a "-D" -y tcpip "${cygwin_env[@]}" \
455			      -u "${run_service_as}" -w "${password}"
456	then
457	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
458	  echo
459	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
460	  csih_inform "account.  To start the service now, call \`net start ${service_name}' or"
461	  csih_inform "\`cygrunsrv -S ${service_name}'.  Otherwise, it will start automatically"
462	  csih_inform "after the next reboot."
463	fi
464      fi
465
466      if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
467      then
468	check_service_files_ownership "${run_service_as}" || let ret+=$?
469      else
470	csih_error_recoverable "Installing sshd as a service failed!"
471	let ++ret
472      fi
473    fi # user allowed us to install as service
474  fi # service not yet installed
475  return $ret
476} # --- End of install_service --- #
477
478# ======================================================================
479# Main Entry Point
480# ======================================================================
481
482# Check how the script has been started.  If
483#   (1) it has been started by giving the full path and
484#       that path is /etc/postinstall, OR
485#   (2) Otherwise, if the environment variable
486#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
487# then set auto_answer to "no".  This allows automatic
488# creation of the config files in /etc w/o overwriting
489# them if they already exist.  In both cases, color
490# escape sequences are suppressed, so as to prevent
491# cluttering setup's logfiles.
492if [ "$PROGDIR" = "/etc/postinstall" ]
493then
494  csih_auto_answer="no"
495  csih_disable_color
496  opt_force=yes
497fi
498if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
499then
500  csih_auto_answer="no"
501  csih_disable_color
502  opt_force=yes
503fi
504
505# ======================================================================
506# Parse options
507# ======================================================================
508while :
509do
510  case $# in
511  0)
512    break
513    ;;
514  esac
515
516  option=$1
517  shift
518
519  case "${option}" in
520  -d | --debug )
521    set -x
522    csih_trace_on
523    ;;
524
525  -y | --yes )
526    csih_auto_answer=yes
527    opt_force=yes
528    ;;
529
530  -n | --no )
531    csih_auto_answer=no
532    opt_force=yes
533    ;;
534
535  -c | --cygwin )
536    cygwin_value="$1"
537    shift
538    ;;
539
540  -N | --name )
541    service_name=$1
542    shift
543    ;;
544
545  -p | --port )
546    port_number=$1
547    shift
548    ;;
549
550  -u | --user )
551    user_account="$1"
552    shift
553    ;;
554
555  -w | --pwd )
556    password_value="$1"
557    shift
558    ;;
559
560  --privileged )
561    csih_FORCE_PRIVILEGED_USER=yes
562    ;;
563
564  *)
565    echo "usage: ${progname} [OPTION]..."
566    echo
567    echo "This script creates an OpenSSH host configuration."
568    echo
569    echo "Options:"
570    echo "  --debug  -d            Enable shell's debug output."
571    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
572    echo "  --no     -n            Answer all questions with \"no\" automatically."
573    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
574    echo "  --name   -N <name>     sshd windows service name."
575    echo "  --port   -p <n>        sshd listens on port n."
576    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
577    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
578    echo "  --privileged           On Windows XP, require privileged user"
579    echo "                         instead of LocalSystem for sshd service."
580    echo
581    exit 1
582    ;;
583
584  esac
585done
586
587# ======================================================================
588# Action!
589# ======================================================================
590
591# Check for running ssh/sshd processes first. Refuse to do anything while
592# some ssh processes are still running
593if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
594then
595  echo
596  csih_error "There are still ssh processes running. Please shut them down first."
597fi
598
599# Make sure the user is running in an administrative context
600admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
601if [ "${admin}" != "yes" ]
602then
603  echo
604  csih_warning "Running this script typically requires administrator privileges!"
605  csih_warning "However, it seems your account does not have these privileges."
606  csih_warning "Here's the list of groups in your user token:"
607  echo
608  /usr/bin/id -Gnz | xargs -0n1 echo "   "
609  echo
610  csih_warning "This usually means you're running this script from a non-admin"
611  csih_warning "desktop session, or in a non-elevated shell under UAC control."
612  echo
613  csih_warning "Make sure you have the appropriate privileges right now,"
614  csih_warning "otherwise parts of this script will probably fail!"
615  echo
616  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
617  if ! csih_request "you have the required privileges)"
618  then
619    echo
620    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
621    csih_inform "or to start this script from an elevated shell."
622    exit 1
623  fi
624fi
625
626echo
627
628warning_cnt=0
629
630# Create /var/log/lastlog if not already exists
631if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
632then
633  echo
634  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
635		   "Cannot create ssh host configuration."
636fi
637if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
638then
639  /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
640  if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
641  then
642    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
643    let ++warning_cnt
644  fi
645fi
646
647# Create /var/empty file used as chroot jail for privilege separation
648csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
649if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
650then
651  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
652  let ++warning_cnt
653fi
654
655# generate missing host keys
656csih_inform "Generating missing SSH host keys"
657/usr/bin/ssh-keygen -A || let warning_cnt+=$?
658
659# handle ssh_config
660csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
661if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
662then
663  if [ "${port_number}" != "22" ]
664  then
665    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
666    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
667    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
668  fi
669fi
670
671# handle sshd_config
672csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
673if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
674then
675  sshd_config_configured=yes
676fi
677sshd_strictmodes || let warning_cnt+=$?
678sshd_privsep || let warning_cnt+=$?
679sshd_config_tweak || let warning_cnt+=$?
680update_services_file || let warning_cnt+=$?
681update_inetd_conf || let warning_cnt+=$?
682install_service || let warning_cnt+=$?
683
684echo
685if [ $warning_cnt -eq 0 ]
686then
687  csih_inform "Host configuration finished. Have fun!"
688else
689  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
690  csih_warning "Make sure that all problems reported are fixed,"
691  csih_warning "then re-run ssh-host-config."
692fi
693exit $warning_cnt
694