#!/bin/sh
# The Girocco jail setup script

# If the first parameter is "dbonly", only the chroot's etc/ "database" is set
# up (passwd, group, git config, ssh client config and the sshkeys/sshcerts/
# sshactive directories); the chroot binaries, sshd configuration and host
# keys are skipped.

# We are designed to set up the chroot based on the output of
# `uname -s` by sourcing a suitable system-specific script.
# Unrecognized systems will generate an error. When using
# "dbonly" the setup of the chroot binaries is skipped so the
# output of `uname -s` does not matter in that case.

# Abort on the first failing command: this script creates, chmods and chowns
# files inside the chroot, so carrying on after an error could leave the jail
# half-built.
set -e

curdir="$(pwd)"
srcdir="$curdir/src"
getent="$srcdir/getent"
# shlib.sh is expected to define the cfg_* / var_* settings used below
# (cfg_chroot, cfg_mirror_user, cfg_cgi_user, cfg_owning_group, ...).
. ./shlib.sh

# find_std_utility should always come up with the full path to the standard
# version of the utility whose name is passed as "$1"
#
# Locate getconf and ask it for the system's standard PATH; /bin:/usr/bin is
# the fallback when that fails.  The builtins are written as quoted words
# ("unset", "command") because alias expansion only applies to unquoted words,
# and "unset -f command" first removes any shell function named command, so
# neither can redirect the lookup.
getconf="/usr/bin/getconf"
[ -x "$getconf" ] || getconf="/bin/getconf"
[ -x "$getconf" ] || getconf="getconf"
stdpath="$("unset" -f command; "command" "$getconf" "PATH" 2>/dev/null)" || :
":" "${stdpath:=/bin:/usr/bin}"
stdpath="$stdpath:/sbin:/usr/sbin"
# find_std_utility NAME
# Print the path of NAME as `command -v` resolves it on $stdpath (the getconf
# PATH plus /sbin:/usr/sbin) and nothing else; when NAME is not found there it
# prints nothing and returns non-zero.  The body is a subshell (parentheses),
# so the PATH change, the unset and the unalias do not leak into the caller.
# Builtins are spelled as quoted words so that an alias or function named
# unset/unalias/command/NAME cannot redirect the lookup to a "wayward" binary:
# whatever this returns is what later gets copied into the chroot.
find_std_utility() (
	"unset" -f unalias command "$1" >/dev/null 2>&1 || :
	"unalias" -a >/dev/null 2>&1 || :
	PATH="$stdpath" && "export" PATH || :
	"command" -v "$1"
) 2>/dev/null
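dbonly=
[ "$1" != "dbonly" ] || dbonly=1

# Names that get a placeholder etc/sshkeys/<name> file later on; the list is
# not otherwise used in this script.
reserved_users="root sshd _sshd mob git lock bundle nobody everyone $cfg_cgi_user $cfg_mirror_user"

# Require either sshd or _sshd user unless "dbonly"
# sshd_user becomes whichever of the two exists on the host (sshd preferred).
# With "dbonly" and neither present it is emptied and the chroot etc/passwd
# is written without the privilege-separation rows.
sshd_user=sshd
if "$getent" passwd sshd >/dev/null; then
	:
elif "$getent" passwd _sshd >/dev/null; then
	sshd_user=_sshd
elif [ -n "$dbonly" ]; then
	# Only complain on initial etc/passwd creation.
	# The working directory is still the Girocco source tree here (the cd
	# into the chroot happens further down), so the chroot's passwd file
	# must be named by its full path; a bare etc/passwd would test a file
	# in the source tree and warn on every run.
	{ [ -n "$cfg_chroot" ] && [ -s "$cfg_chroot/etc/passwd" ]; } ||
	echo "WARNING: no sshd or _sshd user, omitting entries from chroot etc/passwd"
	sshd_user=
else
	echo "*** Error: You do not have required sshd or _sshd user in system." >&2
	exit 1
fi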
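# Verify we have all we need
for _needed in "$cfg_mirror_user" "$cfg_cgi_user"; do
	if ! "$getent" passwd "$_needed" >/dev/null; then
		echo "*** Error: You do not have \"$_needed\" user in system yet." >&2
		exit 1
	fi
done
# The owning group: with "dbonly" an unset cfg_owning_group defaults to the
# mirror user's primary group (field 4 of its passwd entry); in every other
# case the configured group must already exist on the host.
if [ -n "$dbonly" ] && [ -z "$cfg_owning_group" ]; then
	cfg_owning_group="$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 4)"
elif ! "$getent" group "$cfg_owning_group" >/dev/null; then
	echo "*** Error: You do not have \"$cfg_owning_group\" group in system yet." >&2
	exit 1
fi

# One last paranoid check before we go writing all over everything:
# the chroot must be set, must not be "/" and must be an absolute path.
# Everything from here on runs with the chroot as the working directory yet
# still refers to "$cfg_chroot" by name (the chmod just below), and the full
# setup later rejects a non-absolute chroot anyway, so a relative path is
# refused here instead of being created under wherever the script was run.
case "$cfg_chroot" in
	/?*)	:;;
	*)
		echo "*** Error: chroot location is not set or is invalid." >&2
		echo "*** Error: perhaps you have an incorrect Config.pm?" >&2
		exit 1;;
esac

umask 022
mkdir -p "$cfg_chroot"
cd "$cfg_chroot"
chmod 755 "$cfg_chroot" ||
echo "WARNING: Cannot chmod $cfg_chroot"

# var/empty is the home (and privilege-separation) directory of the sshd
# rows written to etc/passwd below; it is kept non-writable by everyone.
mkdir -p var/empty
chmod 0555 var/empty ||
echo "WARNING: Cannot chmod a=rx $cfg_chroot/var/empty"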
# Set up basic user/group configuration; if there isn't any already
#
# Password fields: every row gets "x" (no shadow file is created here, so
# that can never match a real password) except "git", whose field is always
# empty, and "mob", whose field is empty only when cfg_mob is enabled.  Those
# empty fields are what "PermitEmptyPasswords yes" in the sshd_config written
# later relies on, i.e. cfg_mob is the switch for the passwordless mob login.
# /bin/true and /bin/false are not among the binaries this script copies into
# the jail, so the root/nobody/sshd/cgi/mirror rows presumably cannot obtain
# a login shell there in any case (verify against the platform chrootsetup
# script).
mobpass='x'
[ -z "$cfg_mob" ] || mobpass=
mkdir -p etc
if ! [ -s etc/passwd ]; then
	# uid/gid pairs are copied from the host; home directories live inside the jail
	_nobody_ids="$("$getent" passwd nobody | cut -d : -f 3-4)"
	_nobody_gid="$("$getent" passwd nobody | cut -d : -f 4)"
	_owngid="$("$getent" group "$cfg_owning_group" | cut -d : -f 3)"
	{
		cat <<EOT
root:x:0:0:system administrator:/var/empty:/bin/false
nobody:x:$_nobody_ids:unprivileged user:/var/empty:/bin/false
EOT
		# both spellings are written with the host's $sshd_user uid/gid
		if [ -n "$sshd_user" ]; then
			_sshd_ids="$("$getent" passwd "$sshd_user" | cut -d : -f 3-4)"
			cat <<EOT
sshd:x:$_sshd_ids:privilege separation:/var/empty:/bin/false
_sshd:x:$_sshd_ids:privilege separation:/var/empty:/bin/false
EOT
		fi
		# the cgi user only gets its own row when it differs from the mirror user
		if [ "$cfg_cgi_user" != "$cfg_mirror_user" ]; then
			cat <<EOT
$cfg_cgi_user:x:$("$getent" passwd "$cfg_cgi_user" | cut -d : -f 3-5):/:/bin/true
EOT
		fi
		cat <<EOT
$cfg_mirror_user:x:$("$getent" passwd "$cfg_mirror_user" | cut -d : -f 3-5):/:/bin/true
everyone:x:65537:$_owngid:every user:/:/bin/false
mob:$mobpass:65538:$_owngid:the mob:/:/bin/git-shell-verify
git::65539:$_nobody_gid:read-only access:/:/bin/git-shell-verify
EOT
	} >etc/passwd
elif [ -z "$dbonly" ]; then
	# Make sure an sshd entry is present
	grep -q '^sshd:' etc/passwd || {
		echo "*** Error: chroot etc/passwd exists but lacks sshd entry." >&2
		exit 1
	}
fi
# A single group, _repo, carrying the owning group's gid with the mirror user as member.
if ! [ -s etc/group ]; then
	cat >etc/group <<EOT
_repo:x:$("$getent" group "$cfg_owning_group" | cut -d : -f 3):$cfg_mirror_user
EOT
fi
# Set up basic default Git configuration
# Initialize one if none exists or update critical variables for an existing one
mkdir -p etc/girocco
didchmod=
_gitcfg=etc/girocco/.gitconfig
# A pre-existing path that is not a regular file (e.g. a directory) is refused
# rather than overwritten.
if [ -e "$_gitcfg" ] && ! [ -f "$_gitcfg" ]; then
	echo "*** Error: chroot etc/girocco/.gitconfig exists but is not a file." >&2
	exit 1
fi
# Probe an existing file with a key that cannot be present: git config exits
# with 1 for "not found" but with more than 1 when the file itself is unparsable.
if [ -f "$_gitcfg" ]; then
	gcerr=0
	git config --file "$_gitcfg" --get "no--such--section.no such subsection.no--such--key" >/dev/null || gcerr=$?
	if [ "$gcerr" -gt 1 ]; then
		echo "*** Error: chroot etc/girocco/.gitconfig exists but is corrupt." >&2
		echo "*** Error: either remove it or edit it to correct the problem." >&2
		exit 1
	fi
fi
if ! [ -s "$_gitcfg" ]; then
	# etc/girocco is kept a-w between runs; open it for writing and remember
	# (didchmod) to close it again once all the config edits are done.
	chmod u+w etc/girocco
	didchmod=1
	cat >"$_gitcfg" <<EOT
# Any values set here will take effect whenever Girocco runs a git command
EOT
fi
# update_config_item NAME VALUE OVERWRITE_FLAG
#   $1 => name, $2 => value, $3 => overwrite_flag
#   if $3 is "2" and $2 is "" value will be unset
#
# Writes NAME into etc/girocco/.gitconfig and prints one "chroot: ..." line
# for every change actually made:
#   - NAME absent: created with VALUE, unless this is an unset request
#     ($3 = "2" with an empty VALUE), which is a no-op.
#   - NAME present and $3 empty: left alone (the value is a first-time default).
#   - NAME present and $3 set: rewritten when the value differs, or removed
#     for an unset request.
# etc/girocco is made user-writable before the first change (recorded in the
# global didchmod so the caller can restore a-w afterwards).
update_config_item() {
	_unsetreq=
	[ "$3" != "2" ] || [ -n "$2" ] || _unsetreq=1
	_existsnot=
	_oldval=
	_oldval="$(git config --file etc/girocco/.gitconfig --get "$1")" || _existsnot=1
	if [ -n "$_existsnot" ]; then
		# nothing to remove
		[ -z "$_unsetreq" ] || return 0
	else
		# no overwrite flag: only seed brand new keys
		[ -n "$3" ] || return 0
		# already holds the requested value (and this is not an unset)
		[ "$_oldval" != "$2" ] || [ -n "$_unsetreq" ] || return 0
	fi
	[ -n "$didchmod" ] || { chmod u+w etc/girocco; didchmod=1; }
	if [ -n "$_unsetreq" ]; then
		git config --file etc/girocco/.gitconfig --unset "$1"
		echo "chroot: etc/girocco/.gitconfig: config $1: (removed)"
	elif [ -n "$_existsnot" ]; then
		git config --file etc/girocco/.gitconfig "$1" "$2"
		echo "chroot: etc/girocco/.gitconfig: config $1: (created) \"$2\""
	else
		git config --file etc/girocco/.gitconfig "$1" "$2"
		echo "chroot: etc/girocco/.gitconfig: config $1: \"$_oldval\" -> \"$2\""
	fi
}
# Defaults that must hold whenever Girocco runs git with this config.
# Third argument to update_config_item: "" = seed only when absent,
# 1 = always force this value, 2 = force, and unset when the value is empty.
_pgws=32m
[ -z "$cfg_git_no_mmap" ] || _pgws=1m	# smaller pack windows when mmap use is restricted
update_config_item core.packedGitWindowSize "$_pgws" 1
[ -z "$var_window_memory" ] || update_config_item pack.windowMemory "$var_window_memory" 1
# the bitmap hash cache is what a "jgit compatible" bitmap must omit (per the cfg name)
_bitmaphash=true
[ -z "$cfg_jgit_compatible_bitmaps" ] || _bitmaphash=false
update_config_item pack.writeBitmapHashCache "$_bitmaphash" 1
update_config_item core.pager "cat" 1
update_config_item core.compression 5
update_config_item diff.renameLimit 250
# keep received packs as packs (git's transfer.unpackLimit threshold of 1)
update_config_item transfer.unpackLimit 1 1
# give up on http transfers stalled below 1 byte/s for 600s
update_config_item http.lowSpeedLimit 1
update_config_item http.lowSpeedTime 600
# no push options from clients; cap the size of an incoming push
# (cfg_max_receive_size, 0 = unlimited) -- the only size guard on receive-pack
update_config_item receive.advertisePushOptions false 1
update_config_item receive.maxInputSize "${cfg_max_receive_size:-0}" 1
# removed again when cfg_default_notifyhook is empty (flag 2)
update_config_item girocco.notifyHook "${cfg_default_notifyhook}" 2
# an explicitly configured client UA is forced, otherwise any old one is dropped
_ua=
_uaflag=2
[ -z "$defined_cfg_git_client_ua" ] || { _ua="$cfg_git_client_ua"; _uaflag=1; }
update_config_item http.userAgent "$_ua" "$_uaflag"
# set up some default ssh client config just in case
#
# SECURITY NOTE: the defaults seeded below switch host-key verification OFF
# for every ssh client run that uses this config (StrictHostKeyChecking no,
# CheckHostIP no and a /dev/null known_hosts file), so a remote reached over
# ssh (e.g. an ssh:// fetch URL) can be impersonated on the network.  The file
# is only written when missing or empty; an administrator who needs verified
# hosts can replace it with a config that pins a real known_hosts file and
# this script will then leave it alone.
_sshcfgdir=etc/girocco/.ssh
_sshcfg="$_sshcfgdir/config"
if [ -e "$_sshcfgdir" ] && ! [ -d "$_sshcfgdir" ]; then
	echo "*** Error: chroot etc/girocco/.ssh exists but is not a directory." >&2
	exit 1
fi
if [ -e "$_sshcfg" ] && ! [ -f "$_sshcfg" ]; then
	echo "*** Error: chroot etc/girocco/.ssh/config exists but is not a file." >&2
	exit 1
fi
if ! [ -s "$_sshcfg" ]; then
	chmod u+w etc/girocco
	didchmod=1
	[ -d "$_sshcfgdir" ] || mkdir "$_sshcfgdir"
	cat >"$_sshcfg" <<EOT
# Any values set here will take effect whenever Girocco runs an ssh client command
BatchMode yes
StrictHostKeyChecking no
CheckHostIP no
UserKnownHostsFile /dev/null
EOT
fi
# put etc/girocco back to read-only if any of the edits above opened it
[ -z "$didchmod" ] || chmod a-w etc/girocco
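# etc/sshkeys/<user> is the per-user authorized_keys file of the jailed sshd
# (AuthorizedKeysFile /etc/sshkeys/%u in the sshd_config written later);
# sshcerts and sshactive are created and permissioned here for the other
# Girocco components that use them.  Each reserved name gets an empty sshkeys
# file right away (presumably so the name cannot be claimed later; the list
# is not used anywhere else in this script).
mkdir -p etc/sshkeys etc/sshcerts etc/sshactive
for ruser in $reserved_users; do	# word-splitting intended
	touch "etc/sshkeys/$ruser"
done

# Permission model: the etc directories and the key/cert/active files are
# group-owned by cfg_owning_group, group-writable and setgid (new files
# inherit the group); etc/group stays group-writable while etc/passwd ends up
# writable by its owner only; the git/ssh client config under etc/girocco is
# read-only for everyone and the ssh client config is unreadable to
# group/other.  Every step only warns on failure so that a dbonly run by a
# non-root user can still complete.
#
# SECURITY NOTE: group-writable etc/sshkeys/<user> files are only honoured
# because the generated sshd_config sets "StrictModes no"; consequently every
# member of cfg_owning_group can add an authorized key for ANY jail account.
# Membership in that group must be treated as equivalent to ssh access to all
# of them.
chgrp "$cfg_owning_group" etc etc/sshkeys etc/sshcerts etc/sshactive ||
echo "WARNING: Cannot chgrp $cfg_owning_group the etc directories"
chgrp "$cfg_owning_group" etc/passwd ||
echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/passwd"
chgrp "$cfg_owning_group" etc/group ||
echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/group"
chgrp "$cfg_owning_group" etc/girocco etc/girocco/.gitconfig ||
echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/girocco"
chgrp "$cfg_owning_group" etc/girocco/.ssh etc/girocco/.ssh/config ||
echo "WARNING: Cannot chgrp $cfg_owning_group $cfg_chroot/etc/girocco/.ssh"
chmod g+s etc etc/sshkeys etc/sshcerts etc/sshactive ||
echo "WARNING: Cannot chmod g+s the etc directories"
chmod g+w etc etc/sshkeys etc/sshcerts etc/sshactive ||
echo "WARNING: Cannot chmod g+w the etc directories"
chmod g+w etc/passwd etc/group ||
echo "WARNING: Cannot chmod g+w the etc/passwd and/or etc/group files"
chmod go-w etc/passwd etc/girocco etc/girocco/.gitconfig ||
echo "WARNING: Cannot chmod go-w etc/passwd, etc/girocco and/or etc/girocco/.gitconfig"
chmod go-w etc/girocco/.ssh etc/girocco/.ssh/config ||
echo "WARNING: Cannot chmod go-w etc/girocco/.ssh and/or etc/girocco/.ssh/config"
chmod go-rwx etc/girocco/.ssh/config ||
echo "WARNING: Cannot chmod go-rwx etc/girocco/.ssh/config"
chmod a-w etc/girocco/.ssh ||
echo "WARNING: Cannot chmod a-w etc/girocco/.ssh"
chmod a-w etc/girocco ||
echo "WARNING: Cannot chmod a-w etc/girocco"
chmod -R g+w etc/sshkeys etc/sshcerts etc/sshactive 2>/dev/null ||
echo "WARNING: Cannot chmod g+w the sshkeys, sshcerts and/or sshactive files"

# Note time of last install
>etc/sshactive/_install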
# A database-only run stops here: nothing below is needed unless the jail
# itself (binaries, sshd, host keys) is being built.
[ -z "$dbonly" ] || exit 0

# Make sure the system type is supported for chroot
# Map `uname -s` onto the suffix of a chrootsetup_<sysname>.sh script (linux
# when uname fails).  Names not listed pass through unchanged and simply fail
# the file check below.
sysname="$(uname -s | tr A-Z a-z)" || :
: "${sysname:=linux}"
# presumably set by the platform script; it selects the etc/ssh layout later on
nosshdir=
# These equivalents may need to be expanded at some point
# (kfreebsd is matched before freebsd on purpose: GNU/kFreeBSD uses the linux script)
case "$sysname" in
	*kfreebsd*)	sysname=linux;;
	*darwin*)	sysname=darwin;;
	*dragonfly*)	sysname=dragonfly;;
	*freebsd*)	sysname=freebsd;;
	*linux*)	sysname=linux;;
esac

chrootsetup="$curdir/chrootsetup_$sysname.sh"
# The platform script is sourced, i.e. executed with this script's privileges,
# so insist on a real, readable, non-empty file before doing so.
[ -f "$chrootsetup" ] && [ -r "$chrootsetup" ] && [ -s "$chrootsetup" ] || {
	echo "*** Error: $chrootsetup not found" >&2
	echo "*** Error: creating a chroot for a $(uname -s) system is not supported" >&2
	exit 1
}
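# validate reporoot, chroot, jailreporoot and sshd_bin before doing anything more

# make_valid_dir DIR [RELATIVE]
# Canonicalise and validate a configured directory: runs of "/" collapse to
# one, a single trailing "/" is dropped and the result is printed.  The empty
# string and a bare "/" are never valid.  Without RELATIVE the result must
# start with "/"; with a non-empty RELATIVE it must NOT.
# Returns 1 (printing nothing) when DIR is rejected.
#
# DIR is passed through printf rather than echo so that a value such as "-n"
# or "-e" cannot be eaten as an echo option (and rejected as empty) and so
# that backslashes in the value are never interpreted by the shell's echo.
make_valid_dir() {
	_check="$(printf '%s' "$1" | tr -s /)"
	_check="${_check%/}"
	[ -n "$_check" ] && [ "$_check" != "/" ] || return 1
	if [ -z "$2" ]; then
		# must start with '/'
		case "$_check" in /*) :;; *) return 1;; esac
	else
		# must NOT start with '/'
		case "$_check" in /*) return 1;; esac
	fi
	printf '%s\n' "$_check"
}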
# die_bad_dir SETTING VALUE REASON
# Reject a directory setting with the standard two-line message and stop.
die_bad_dir() {
	echo "*** Error: invalid Config::$1: $2" >&2
	echo "*** Error: $3" >&2
	exit 1
}
# reporoot and chroot must be absolute, jailreporoot relative (it is a path
# below the chroot); all three are used in canonicalised form from here on.
reporoot="$(make_valid_dir "$cfg_reporoot")" ||
	die_bad_dir reporoot "$cfg_reporoot" "MUST start with '/' and MUST NOT be '/'"
chroot="$(make_valid_dir "$cfg_chroot")" ||
	die_bad_dir chroot "$cfg_chroot" "MUST start with '/' and MUST NOT be '/'"
jailreporoot="$(make_valid_dir "$cfg_jailreporoot" 1)" ||
	die_bad_dir jailreporoot "$cfg_jailreporoot" "MUST NOT start with '/' and MUST NOT be ''"
# Relationship checks between the three directories: the chroot (and the
# repository tree mounted or linked inside it) must lie outside reporoot, and
# reporoot must not lie inside chroot/jailreporoot, otherwise the bind mount
# and symlink set up further down would nest the repositories in themselves.

# die_dir_conflict REASON SETTING...
# Print the standard "invalid Config::..." line for each named setting, then
# the reason, and stop.
die_dir_conflict() {
	_why="$1"
	shift
	for _name; do
		case "$_name" in
			reporoot)	echo "*** Error: invalid Config::reporoot: $cfg_reporoot" >&2;;
			chroot)		echo "*** Error: invalid Config::chroot: $cfg_chroot" >&2;;
			jailreporoot)	echo "*** Error: invalid Config::jailreporoot: $cfg_jailreporoot" >&2;;
		esac
	done
	echo "*** Error: $_why" >&2
	exit 1
}
_jailroot="$chroot/$jailreporoot"
# chroot MUST NOT be reporoot
[ "$chroot" != "$reporoot" ] ||
	die_dir_conflict "reporoot and chroot MUST NOT be the same" reporoot chroot
# chroot MUST NOT be a subdirectory of reporoot
case "$chroot" in "$reporoot"/*)
	die_dir_conflict "chroot MUST NOT be a subdirectory of reporoot" reporoot chroot;;
esac
# chroot/jailreporoot MUST NOT be a subdirectory of reporoot
case "$_jailroot" in "$reporoot"/*)
	die_dir_conflict "chroot/jailreporoot MUST NOT be a subdirectory of reporoot" reporoot chroot jailreporoot;;
esac
# reporoot MUST NOT be a subdirectory of chroot/jailreporoot
case "$reporoot" in "$_jailroot"/*)
	die_dir_conflict "reporoot MUST NOT be a subdirectory of chroot/jailreporoot" reporoot chroot jailreporoot;;
esac
# sshd_bin MUST be undef (or empty) or a full absolute path
# The sshd chosen here is copied verbatim into the jail (pull_in_bin below),
# so whatever Config::sshd_bin names is trusted as-is: an embedded "/../" is
# refused as a cheap sanity check and the target must be a readable,
# executable regular file.  When unset, the "standard" sshd found on the
# getconf PATH is used.
sshd_bin_bad=
case "$cfg_sshd_bin" in
	*"/../"*)	sshd_bin_bad=1;;
	"" | /?*)	;;
	*)		sshd_bin_bad=1;;
esac
if [ -n "$sshd_bin_bad" ]; then
	echo "*** Error: invalid Config::sshd_bin $cfg_sshd_bin" >&2
	echo "*** Error: if set, sshd_bin must be an absolute path" >&2
	exit 1
fi
sshd_bin="$cfg_sshd_bin"
if [ -z "$sshd_bin" ] && ! sshd_bin="$(find_std_utility "sshd")"; then
	echo "*** Error: Config::sshd_bin is not set and no sshd could be found" >&2
	echo "*** Error: please set Config::sshd_bin to an absolute path to sshd" >&2
	exit 1
fi
if ! [ -f "$sshd_bin" ] || ! [ -r "$sshd_bin" ] || ! [ -x "$sshd_bin" ]; then
	echo "*** Error: the selected sshd ('$sshd_bin') was not found, not readable or not executable" >&2
	exit 1
fi
# Set the user and group on the top of the chroot before creating anything else
chown 0:0 "$chroot"

# When we create a fork, the alternates always have an absolute path.
# If reporoot is not --bind mounted at the same location in chroot we must
# create a suitable symlink so the absolute path alternates continue to work
# in the ssh chroot or else forks will be broken in there.
#
# i.e. inside the jail $reporoot becomes a relative link to $jailreporoot,
# prefixed with one "../" per directory component above reporoot's leaf.
if [ "$reporoot" != "/$jailreporoot" ]; then
	mkdirp="$(dirname "${reporoot#/}")"
	[ "$mkdirp" != "." ] || mkdirp=
	lnback=
	if [ -n "$mkdirp" ]; then
		lnback="$(echo "$mkdirp/" | sed -e 's,[^/]*/,../,g')"
		mkdir -p "$chroot/$mkdirp"
	fi
	# the umask 0 subshell presumably matters on systems that honour
	# permission bits on the symlink itself
	(umask 0; ln -s -f -n "$lnback$jailreporoot" "$chroot$reporoot")
	[ $? -eq 0 ] || exit 1
fi
# First, setup basic platform-independent directory structure
# (the working directory is the chroot itself, entered earlier on)
mkdir -p bin dev etc lib sbin var/empty var/run "$jailreporoot"
chmod 0555 var/empty
# usr and local are replaced by links back to the jail root, so /usr/bin,
# /usr/local/bin, /usr/lib ... all resolve to the single top-level bin/lib.
for _alias in usr local; do
	rm -rf "$_alias"
	ln -s . "$_alias"
done

# Now source the platform-specific script that is respon sible for dev device
# setup, proc setup (if needed), lib64 setup (if needed) and basic library
# installation to make a chroot operational. Additionally it will define a
# pull_in_bin function that can be used to add executables and their library
# dependencies to the chroot and finally will install a suitable nc.openbsd
# compatible version of netcat that supports connections to unix sockets.
. "$chrootsetup"
# Now, bring in sshd, sh etc.
# The $chrootsetup script should have already provided a suitable nc.openbsd
#
# NOTE: everything below is a *copy* of a host binary plus its libraries; the
# jail does not pick up later host upgrades of sshd, git, the shell or libc
# until this script is run again.
#
# The two Girocco helper scripts are installed under a temporary ".new" name,
# get their interpreter line rewritten to the jail's /bin/sh, and are then
# renamed into place so a half-written script never sits at the final path.
for _helper in git-shell-verify git-askpass-password; do
	install -p "$cfg_basedir/bin/$_helper" "bin/$_helper.new"
done
perl -i -p \
	-e 's|^#!.*|#!/bin/sh| if $. == 1;' \
	-e 'close ARGV if eof;' \
	bin/git-shell-verify.new bin/git-askpass-password.new
mv -f bin/git-askpass-password.new bin/git-askpass-password
mv -f bin/git-shell-verify.new bin/git-shell-verify
for _tool in can_user_push list_packs strftime ulimit512; do
	pull_in_bin "$cfg_basedir/bin/$_tool" bin
done
pull_in_bin "$var_sh_bin" bin/sh
# be paranoid since these are going into the chroot and make sure
# that we get the "standard" versions of them (they are all standard "POSIX"
# utilities) not some wayward version picked up by a haphazard PATH
for _util in cat chmod date find mkdir mv rm sleep sort touch tr wc; do
	pull_in_bin "$(find_std_utility "$_util")" bin
done
# this one's already been validated and might be in a non-standard location
pull_in_bin "$sshd_bin" sbin
# ...and the bits of git we need,
# being sure to use the configured git and its --exec-path to find the pieces
_gitbins="git git-index-pack git-receive-pack git-shell git-update-server-info
git-upload-archive git-upload-pack git-unpack-objects git-config
git-for-each-ref git-rev-list git-rev-parse git-symbolic-ref"
for i in $_gitbins; do
	# the trailing "git" argument is a hint to pull_in_bin; its exact
	# meaning is defined by the platform script sourced above
	pull_in_bin "$var_git_exec_path/$i" bin git
done

# ...and any extras identified by install.sh
# these are also all standard "POSIX" utilities
# ones that a decent sh implementation would have built-in already...
# (GIROCCO_CHROOT_EXTRA_INSTALLS is a whitespace-separated list of names or
# paths; only the basename is used and it is looked up on the standard PATH,
# so a path in the list cannot smuggle a non-standard binary into the jail)
for i in $GIROCCO_CHROOT_EXTRA_INSTALLS; do
	pull_in_bin "$(find_std_utility "$(basename "$i")")" bin
done
# Note time of last jailsetup
>etc/sshactive/_jailsetup

# Update permissions on the database files
# (this part runs as root -- see the chown 0:0 above -- so the earlier
# chgrp-only pass is completed with real owners: the cgi user owns the
# account database and the sshkeys/sshcerts/sshactive trees, the mirror user
# owns the git and ssh client configuration)
_dbowner="$cfg_cgi_user:$cfg_owning_group"
_cfgowner="$cfg_mirror_user:$cfg_owning_group"
chown "$_dbowner" etc/passwd etc/group
chown -R "$_dbowner" etc/sshkeys etc/sshcerts etc/sshactive
chown "$_cfgowner" etc etc/girocco etc/girocco/.gitconfig
chown "$_cfgowner" etc/girocco/.ssh etc/girocco/.ssh/config

# Set up basic sshd configuration:
# nosshdir (presumably set by the platform script) makes etc/ssh a link to
# etc itself instead of a separate directory; the host's ssh moduli file, if
# present, is copied alongside and handed to root.
if [ -n "$nosshdir" ]; then
	rm -rf etc/ssh
	ln -s . etc/ssh
	_moduli_src=/etc/moduli
	_moduli_dst=etc/moduli
else
	# a stray non-directory etc/ssh is replaced by a real directory
	! [ -e etc/ssh ] || [ -d etc/ssh ] || rm -rf etc/ssh
	mkdir -p etc/ssh
	_moduli_src=/etc/ssh/moduli
	_moduli_dst=etc/ssh/moduli
fi
if [ -f "$_moduli_src" ]; then
	cp -p "$_moduli_src" "$_moduli_dst"
	chown 0:0 "$_moduli_dst"
fi
481 if ! [ -s etc/ssh/sshd_config ]; then
482 cat >etc/ssh/sshd_config <<EOT
483 Protocol 2
484 Port $cfg_sshd_jail_port
485 UsePAM no
486 X11Forwarding no
487 AllowAgentForwarding no
488 AllowTcpForwarding no
489 PermitTunnel no
490 IgnoreUserKnownHosts yes
491 PrintLastLog no
492 PrintMotd no
493 UseDNS no
494 PermitRootLogin no
495 UsePrivilegeSeparation yes
497 HostKey /etc/ssh/ssh_host_rsa_key
499 if [ -z "$cfg_disable_dsa" ]; then
500 cat >>etc/ssh/sshd_config <<EOT
501 HostKey /etc/ssh/ssh_host_dsa_key
504 cat >>etc/ssh/sshd_config <<EOT
505 AuthorizedKeysFile /etc/sshkeys/%u
506 StrictModes no
508 # mob and git users:
509 PermitEmptyPasswords yes
510 ChallengeResponseAuthentication no
511 PasswordAuthentication yes
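# Host keys are generated only when missing or zero-length ("yes |" is
# presumably there to answer ssh-keygen's overwrite prompt in the latter
# case).  The RSA key is at least 2048 bits, larger when cfg_rsakeylength
# asks for it; a non-numeric cfg_rsakeylength is silently ignored (the
# 2>/dev/null hides the test's complaint).
if ! [ -s etc/ssh/ssh_host_rsa_key ]; then
	bits=2048
	if [ "$cfg_rsakeylength" -gt "$bits" ] 2>/dev/null; then
		bits="$cfg_rsakeylength"
	fi
	yes | ssh-keygen -b "$bits" -t rsa -N "" -C Girocco -f etc/ssh/ssh_host_rsa_key
fi
# ssh-keygen can only create 1024 bit DSA keys.  Recent OpenSSH builds ship
# with DSA disabled or removed, and under "set -e" a refusal here used to
# abort the whole setup with nothing but ssh-keygen's own message; fail with
# an explicit pointer to cfg_disable_dsa instead.
if [ -z "$cfg_disable_dsa" ] && ! [ -s etc/ssh/ssh_host_dsa_key ]; then
	yes | ssh-keygen -b 1024 -t dsa -N "" -C Girocco -f etc/ssh/ssh_host_dsa_key || {
		echo "*** Error: ssh-keygen could not create a DSA host key (DSA support may be disabled in this OpenSSH)" >&2
		echo "*** Error: set Config::disable_dsa to skip DSA host key generation" >&2
		exit 1
	}
fi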
# Set the final permissions on the binaries and perform any final twiddling
# (chroot_update_permissions is provided by the platform script sourced above)
chroot_update_permissions

# Change the owner of the sshd-related files
# (the host keys with their .pub files and sshd_config); only the owner is
# changed, the modes ssh-keygen gave the private keys are kept.
chown 0:0 etc/ssh/ssh_* etc/ssh/sshd_*

# Final reminders for the administrator: the bind mounts that expose the
# repositories and /proc inside the jail, the syslog socket, and how to
# reload the jailed sshd are not automated by this script.
printf '%s\n' "--- Add to your boot scripts: mount --bind $reporoot $chroot/$jailreporoot"
printf '%s\n' "--- Add to your boot scripts: mount --bind /proc $chroot/proc"
printf '%s\n' "--- Add to your syslog configuration: listening on socket $chroot/dev/log"
printf '%s\n' "--- To restart a running jail's sshd: sudo kill -HUP \$(cat $chroot/var/run/sshd.pid)"