authorColin Watson <cjwatson@debian.org>2004-10-06 13:22:30 +0000
committerColin Watson <cjwatson@debian.org>2004-10-06 13:22:30 +0000
commit23ad7ca187d4b40b45b18903c6e96b4cc3ea9ec1 (patch)
treeb30b75b82f92948e8721ca68cb874178f72ed67c /debian/openssh-server.postinst
parent77be91fc874d0bdfb00e2da57550ff9c8969a6d4 (diff)
Forward-port from HEAD:
* If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled.
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r--debian/openssh-server.postinst82
1 files changed, 63 insertions, 19 deletions
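--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -29,12 +29,33 @@ check_idea_key() {
 get_config_option() {
 	option="$1"
 
+	[ -f /etc/ssh/sshd_config ] || return
+
 	# TODO: actually only one '=' allowed after option
 	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
 		/etc/ssh/sshd_config
 }
 
 
+set_config_option() {
+	option="$1"
+	value="$2"
+
+	perl -e '
+		$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+		while (<STDIN>) {
+			if (s/^\s*\Q$option\E\s+.*/$option $value/) {
+				$done = 1;
+			}
+			print;
+		}
+		print "\n$option $value\n" unless $done;' \
+		"$option" "$value" \
+		< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
 host_keys_required() {
 	hostkeys="$(get_config_option HostKey)"
 	if [ "$hostkeys" ]; then
@@ -85,31 +106,54 @@ create_keys() {
 }
 
 
+check_password_auth() {
+	passwordauth="$(get_config_option PasswordAuthentication)"
+	crauth="$(get_config_option ChallengeResponseAuthentication)"
+	if [ "$passwordauth" = no ] && \
+	   ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+		db_get ssh/disable_cr_auth
+		if [ "$RET" = true ]; then
+			set_config_option ChallengeResponseAuthentication no
+		fi
+	fi
+}
+
+
 create_sshdconfig() {
 	if [ -e /etc/ssh/sshd_config ] ; then
 		if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
 			db_get ssh/new_config
 			if [ "$RET" = "false" ] ; then return 0; fi
-		elif (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
-		      ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
-		     grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
-		          /etc/ssh/sshd_config ; then
-			# Upgrade from pre-3.7: UsePAM needed to maintain standard
-			# Debian configuration.
-			# Note that --compare-versions is sadly not reliable enough
-			# here due to the package split of ssh into openssh-client
-			# and openssh-server. The extra grep for some deprecated
-			# options should with any luck be a good enough heuristic.
-			echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
-			cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
-			perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
-				/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-			echo >> /etc/ssh/sshd_config.dpkg-new
-			echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
-			mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-			echo
+		else
+			# Upgrade sshd configuration from a sane version.
+
+			if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+			    ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
+			   grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
+			        /etc/ssh/sshd_config ; then
+				# Upgrade from pre-3.7: UsePAM needed to maintain standard
+				# Debian configuration.
+				# Note that --compare-versions is sadly not reliable enough
+				# here due to the package split of ssh into openssh-client
+				# and openssh-server. The extra grep for some deprecated
+				# options should with any luck be a good enough heuristic.
+				echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+				cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+				perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+					/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+				echo >> /etc/ssh/sshd_config.dpkg-new
+				echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+				mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+				echo
+			fi
+
+			# An empty version means we're upgrading from before the
+			# package split, so check.
+			if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
+				check_password_auth
+			fi
+
 			return 0
-		else return 0
 		fi
 	fi
 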
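Review bot: In set_config_option (first hunk) the rewrite `s/^\s*\Q$option\E\s+.*/$option $value/` is case-sensitive and accepts only whitespace between keyword and value, whereas get_config_option matches the keyword with `/i` and `[[:space:]=]+`. An existing `challengeresponseauthentication yes` or `ChallengeResponseAuthentication=yes` is therefore read as enabled but left untouched, and the `unless $done` fallback appends a second directive at the end of the file; since sshd honours the first value it finds for a keyword, the admin's choice to disable ChallengeResponseAuthentication would silently not take effect. Giving the writer the reader's semantics, `if (s/^\s*\Q$option\E[\s=]+.*/$option $value/i) {`, makes the two helpers agree. Separately, the unconditional `mv` after the perl invocation installs `/etc/ssh/sshd_config.dpkg-new` even if perl exited non-zero; unless the script runs under `set -e` (its preamble is outside this diff), guarding the `mv` with `&&` or an explicit status check avoids replacing the live config with a truncated file.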