To sum up many posts and hopefully wrap up this thread...
I've posted a new sshd.lrp at www.nothome.org:8000
The only change is a new /usr/sbin/add-sshd-user script, in response to Charles'
comment that it would be nice to have a script to add the sshd user. The script isn't
pretty, and it is fairly large (4K), but hopefully it covers 80% of the cases of
creating the sshd user and group. Yes, it normally takes 4 lines of script to do
that, but this script "tries real hard" (TM) to:
* (by default) add sshd UID 22, GID 22 to the password and group files
* If the GRP and GID variables at the top of the script are changed, it will use those
(perhaps "nogroup", as Michael D. Schleif suggested)
* Use a different UID, if desired for some reason
* Add the sshd user only if it does not already exist
* Add the sshd user with a different UID if the requested UID is already in use
* Add the defined group only if it does not exist
* Add the defined group with a different GID if the requested GID is already in use
* Insert the user and group into passwd & group in numerical order, not "at the end of
the file"
* Reset the permissions & ownership on the new passwd, group, and shadow files even if
your group file is broken
* Allow you to run all of this on a test directory first (see PTH variable, at top)
---
The script is *not* listed in the package list, and is specifically listed in the
exclude.list, so that it won't get backed up when sshd.lrp is backed up.
The idea is to install sshd, run add-sshd-user as root, backup etc, backup sshd, and
never think about this again.
For those interested in the script only, I've placed it at the web site mentioned
above as a text file (add-sshd-user.txt). Anyone is welcome to do anything they want
with this script.
-----
George Georgalis asked if it was possible to compile sshd without zlib (which makes
sense, since compression must be turned off to use privilege separation). As far as I
was able to tell, zlib is required to compile sshd. But the space requirements
aren't that bad, since sshd and ssh are both dynamically linked against zlib.
Finally, Greg Morgan pointed out that he hadn't seen many port 22 probes recently ...
dshield.org doesn't list port 22 very high either. Such is life; at least we were
prepared. :-)
Thank you all for your comments and suggestions.
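The following is an added example that sketches, in POSIX sh, the behaviour the post lists for add-sshd-user; it is not the add-sshd-user script from the post and not part of sshd.lrp. It assumes the usual colon-separated passwd/group layout (name in field 1, numeric id in field 3), that a test directory is passed in (the post's PTH idea) so it never touches the live /etc during a trial run, and it uses constructed sample passwd/group files with GID 22 already taken so that the fallback-to-a-free-id path is exercised. The user's home, shell and comment fields are placeholders chosen here, not values from the post.

```sh
#!/bin/sh
# Added example: create the sshd user and group in a copy of passwd/group,
# picking a free UID/GID if the requested one is taken and inserting the new
# lines in numerical order. Not the add-sshd-user script from the post.

USR=sshd; GRP=sshd          # names to create (assumed)
UID_WANT=22; GID_WANT=22    # preferred ids, as in the post's default

# 0 if numeric id $2 appears in field 3 of file $1
id_in_use()  { awk -F: -v id="$2" '$3 == id { f = 1 } END { exit !f }' "$1"; }
# 0 if name $2 appears in field 1 of file $1
name_exists(){ awk -F: -v n="$2"  '$1 == n  { f = 1 } END { exit !f }' "$1"; }
# print the id of name $2 from file $1
id_of()      { awk -F: -v n="$2"  '$1 == n  { print $3 }' "$1"; }

# print the lowest id >= $2 that is not used in file $1
next_free_id() {
    id=$2
    while id_in_use "$1" "$id"; do id=$((id + 1)); done
    echo "$id"
}

# insert record $2 into file $1, keeping field 3 (uid/gid) ascending
insert_sorted() {
    awk -F: -v line="$2" '
        BEGIN { split(line, f, ":"); newid = f[3] + 0; done = 0 }
        !done && ($3 + 0) > newid { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add the group only if absent; print the GID actually in use for it
add_group() {
    f="$1/group"
    if name_exists "$f" "$GRP"; then id_of "$f" "$GRP"; return 0; fi
    gid=$(next_free_id "$f" "$GID_WANT")
    insert_sorted "$f" "$GRP:x:$gid:"
    echo "$gid"
}

# add the user only if absent, with primary group $2; print the UID in use
add_user() {
    f="$1/passwd"
    if name_exists "$f" "$USR"; then id_of "$f" "$USR"; return 0; fi
    uid=$(next_free_id "$f" "$UID_WANT")
    # home/shell/comment are placeholders chosen for this example
    insert_sorted "$f" "$USR:x:$uid:$2:sshd privsep:/var/empty:/bin/false"
    echo "$uid"
}

# reset modes (and ownership when root) regardless of prior state
fix_perms() {
    chmod 644 "$1/passwd" "$1/group"
    if [ -f "$1/shadow" ]; then chmod 600 "$1/shadow"; fi
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$1/passwd" "$1/group"; fi
}

# whole procedure against directory $1 (PTH); prints "uid:gid"
add_sshd_user() {
    gid=$(add_group "$1")
    uid=$(add_user "$1" "$gid")
    fix_perms "$1"
    echo "$uid:$gid"
}

# field-1 names of a file, comma-joined, to show the resulting order
names() { awk -F: '{ printf "%s%s", (NR > 1 ? "," : ""), $1 } END { print "" }' "$1"; }

# run twice on constructed files (GID 22 already taken by "daemon") to show
# the free-id fallback and that a second run changes nothing
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/bin/false\n' > "$d/passwd"
    printf 'root:x:0:\ndaemon:x:22:\nnogroup:x:65534:\n' > "$d/group"
    first=$(add_sshd_user "$d"); second=$(add_sshd_user "$d")
    echo "$first|$second|$(names "$d/passwd")|$(names "$d/group")"
    rm -rf "$d"
}

demo
```

Running it prints `22:23|22:23|root,sshd,nobody|root,daemon,sshd,nogroup`: the user gets UID 22, the group falls back to GID 23 because 22 is taken, both land in numerical order rather than at the end of the file, and the second run is a no-op that reports the existing ids.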
Leaf-devel mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-devel