authorColin Watson <cjwatson@debian.org>2013-05-22 01:45:40 +0100
committerColin Watson <cjwatson@debian.org>2013-05-22 01:45:40 +0100
commit6e950945da7a2acbb48fa4138208018f09d66991 (patch)
tree1e99c1fb54755277a8c441cf503b71bb2c5be748 /debian/openssh-server.postinst
parentafd3292952a9f0bb107046785ddcfad446d69b89 (diff)
Switch to new unified layout for Upstart jobs as documented in
https://wiki.ubuntu.com/UpstartCompatibleInitScripts: the init script checks for a running Upstart, and we now let dh_installinit handle most of the heavy lifting in maintainer scripts. Ubuntu users should be essentially unaffected except that sshd may no longer start automatically in chroots if the running Upstart predates 0.9.0; but the main goal is simply not to break when openssh-server is installed in a chroot.
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r--debian/openssh-server.postinst326
1 files changed, 326 insertions, 0 deletions
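diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..94461083e
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,326 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+umask 022
+
+
+get_config_option() {
+ option="$1"
+
+ [ -f /etc/ssh/sshd_config ] || return
+
+ # TODO: actually only one '=' allowed after option
+ perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
+ /etc/ssh/sshd_config
+}
+
+
+set_config_option() {
+ option="$1"
+ value="$2"
+
+ perl -le '
+ $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+ $_ = $match;
+ $done = 1;
+ }
+ print;
+ }
+ print "$option $value" unless $done;' \
+ "$option" "$value" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+rename_config_option() {
+ oldoption="$1"
+ newoption="$2"
+
+ value="$(get_config_option "$oldoption")"
+ [ "$value" ] || return 0
+
+ perl -le '
+ $oldoption = $ARGV[0]; $newoption = $ARGV[1];
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ # TODO: actually only one "=" allowed after option
+ if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
+ $_ = $match;
+ }
+ print;
+ }' \
+ "$oldoption" "$newoption" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+ hostkeys="$(get_config_option HostKey)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
+ else
+ # No HostKey directives at all, so the server picks some
+ # defaults depending on the setting of Protocol.
+ protocol="$(get_config_option Protocol)"
+ [ "$protocol" ] || protocol=1,2
+ if echo "$protocol" | grep 1 >/dev/null; then
+ echo /etc/ssh/ssh_host_key
+ fi
+ if echo "$protocol" | grep 2 >/dev/null; then
+ echo /etc/ssh/ssh_host_rsa_key
+ echo /etc/ssh/ssh_host_dsa_key
+ echo /etc/ssh/ssh_host_ecdsa_key
+ fi
+ fi
+}
+
+
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ echo -n $msg
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if which restorecon >/dev/null 2>&1; then
+ restorecon "$file.pub"
+ fi
+ fi
+}
+
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating SSH1 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+
+ create_key "Creating SSH2 RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+ create_key "Creating SSH2 DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+ create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+}
+
+
+vulnerable_host_keys() {
+ # If the admin has explicitly put the vulnerable keys back, we
+ # assume they can look after themselves.
+ db_fget ssh/vulnerable_host_keys seen
+ if [ "$RET" = true ]; then
+ return 0
+ fi
+
+ hostkeys="$(host_keys_required)"
+ vulnerable=
+ for hostkey in $hostkeys; do
+ [ -f "$hostkey" ] || continue
+ if ssh-vulnkey -q "$hostkey"; then
+ vulnerable="${vulnerable:+$vulnerable }$hostkey"
+ fi
+ done
+ if [ "$vulnerable" ]; then
+ db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
+ db_input critical ssh/vulnerable_host_keys || true
+ db_go
+ for hostkey in $vulnerable; do
+ mv "$hostkey" "$hostkey.broken" || true
+ mv "$hostkey.pub" "$hostkey.pub.broken" || true
+ done
+ create_keys
+ fi
+}
+
+
+fix_loglevel_silent() {
+ if [ "$(get_config_option LogLevel)" = SILENT ]; then
+ set_config_option LogLevel QUIET
+ fi
+}
+
+
+create_sshdconfig() {
+ if [ -e /etc/ssh/sshd_config ] ; then
+ # Upgrade an existing sshd configuration.
+
+ # This option was renamed in 3.8p1, but we never took care
+ # of adjusting the configuration file until now.
+ if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+ rename_config_option KeepAlive TCPKeepAlive
+ fi
+
+ # 'LogLevel SILENT' is now equivalent to QUIET.
+ if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+ fix_loglevel_silent
+ fi
+
+ return 0
+ fi
+
+ cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+EOF
+}
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+ if [ -x /usr/sbin/dpkg-statoverride ]; then
+ if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+ dpkg-statoverride --remove /usr/sbin/sshd
+ fi
+ fi
+}
+
+setup_sshd_user() {
+ if ! getent passwd sshd >/dev/null; then
+ adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+ fi
+}
+
+remove_old_init_links() {
+ # Yes, this only works with the SysV init script layout. I know.
+ # The important thing is that it doesn't actually *break* with
+ # file-rc ...
+ if [ -e /etc/rc2.d/S20ssh ]; then
+ update-rc.d -f ssh remove >/dev/null 2>&1
+ fi
+ rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
+}
+
+if [ "$action" = configure ]; then
+ create_sshdconfig
+ create_keys
+ vulnerable_host_keys
+ fix_statoverride
+ setup_sshd_user
+ if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
+ remove_old_init_links
+ fi
+ # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+ if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
+ rm -f /etc/ssh/primes
+ fi
+ if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
+ rm -f /var/run/sshd/.placeholder
+ fi
+
+ # Clean up old debconf templates.
+ db_unregister ssh/use_old_init_script
+ db_unregister ssh/encrypted_host_key_but_no_keygen
+ db_unregister ssh/disable_cr_auth
+fi
+
+#DEBHELPER#
+
+db_stop
+
+exit 0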
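Review bot: `set_config_option` matches the keyword case-sensitively and only when it is followed by whitespace (`s/^\s*\Q$option\E\s+.*/…/`), whereas `get_config_option` matches with `/i` and also accepts `=`. A line such as `loglevel SILENT` or `LogLevel=SILENT` is therefore detected by `fix_loglevel_silent` but not rewritten. `LogLevel QUIET` is appended at the end of the file instead, where sshd presumably ignores it in favour of the earlier value, or applies it only inside a trailing `Match` block. Using the same pattern in both places would close the gap, e.g. `if ($match =~ s/^\s*\Q$option\E[[:space:]=]+.*/$option $value/i) {`. Separately, `create_key` runs `restorecon "$file.pub"` only, so the newly generated private host key appears to keep whatever label it inherited; `restorecon "$file" "$file.pub"` would relabel both.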