* Split the ssh binary package into openssh-client and openssh-server

(closes: #39741). openssh-server depends on openssh-client for some common functionality; it didn't seem worth creating yet another package for this. * New transitional ssh package, depending on openssh-client and openssh-server. May be removed once nothing depends on it. * When upgrading from ssh to openssh-{client,server}, it's very difficult for the maintainer scripts to find out what version we're upgrading from without dodgy dpkg hackery. I've therefore taken the opportunity to move a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged and ssh/user_environment_tell. * In general, upgrading to this version directly from woody without first upgrading to the version in sarge is not currently guaranteed to work very smoothly due to the aforementioned version discovery problems.
author: Colin Watson <cjwatson@debian.org> 2004-07-31 03:22:20 +0000
committer: Colin Watson <cjwatson@debian.org> 2004-07-31 03:22:20 +0000
commit: 9749ef7f9b382d743b186bf06c7c2aeb0b9bebee (patch)
tree: aadbcc936c4e05d344f3ae856925b62bafc8debb /debian/openssh-server.postinst
parent: c57fe5be57af965042484e8669767f95e558b0ef (diff)
1 files changed, 255 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..64f9985a8
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,255 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+. /usr/share/debconf/confmodule
+db_version 2.0
+umask 022
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+get_config_option() {
+        option="$1"
+        # TODO: actually only one '=' allowed after option
+        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+                db_get ssh/new_config
+                if [ "$RET" = "false" ] ; then return 0; fi
+            elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+                 ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
+                # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                # Debian configuration.
+                echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+                cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                    /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                echo >> /etc/ssh/sshd_config.dpkg-new
+                echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                echo
+                return 0
+            else return 0
+            fi
+        fi
+        #Preserve old sshd_config before generating a new one
+        if [ -e /etc/ssh/sshd_config ] ; then 
+            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+        db_get ssh/protocol2_only
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+# Change to yes to enable tunnelled clear text passwords
+PasswordAuthentication no
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+Subsystem       sftp    /usr/lib/sftp-server
+UsePAM yes
+EOF
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+        fi
+}
+fix_conffile_permissions() {
+        # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
+        # doesn't do this for us; see bug #192981.
+        chmod 644 /etc/default/ssh
+}
+setup_init() {
+        if [ -x /etc/init.d/ssh ]; then
+                update-rc.d ssh defaults >/dev/null
+                if [ -x /usr/sbin/invoke-rc.d ]; then
+                        invoke-rc.d ssh restart
+                else
+                        /etc/init.d/ssh restart
+                fi
+        fi
+}
+create_sshdconfig
+check_idea_key
+create_keys
+fix_statoverride
+setup_sshd_user
+if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
+    fix_conffile_permissions
+fi
+setup_init
+db_stop
+exit 0
author	Colin Watson <cjwatson@debian.org>	2004-07-31 03:22:20 +0000
committer	Colin Watson <cjwatson@debian.org>	2004-07-31 03:22:20 +0000
commit	9749ef7f9b382d743b186bf06c7c2aeb0b9bebee (patch)
tree	aadbcc936c4e05d344f3ae856925b62bafc8debb /debian/openssh-server.postinst
parent	c57fe5be57af965042484e8669767f95e558b0ef (diff)

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..64f9985a8 --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,255 @@
	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11	if [ "$action" != configure ]
	12	then
	13	exit 0
	14	fi
	15
	16
	17	check_idea_key() {
	18	#check for old host_key files using IDEA, which openssh does not support
	19	if [ -f /etc/ssh/ssh_host_key ] ; then
	20	if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 \| \
	21	grep -q 'unknown cipher' 2>/dev/null ; then
	22	mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
	23	mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
	24	fi
	25	fi
	26	}
	27
	28
	29	get_config_option() {
	30	option="$1"
	31
	32	# TODO: actually only one '=' allowed after option
	33	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	34	/etc/ssh/sshd_config
	35	}
	36
	37
	38	host_keys_required() {
	39	hostkeys="$(get_config_option HostKey)"
	40	if [ "$hostkeys" ]; then
	41	echo "$hostkeys"
	42	else
	43	# No HostKey directives at all, so the server picks some
	44	# defaults depending on the setting of Protocol.
	45	protocol="$(get_config_option Protocol)"
	46	[ "$protocol" ] \|\| protocol=1,2
	47	if echo "$protocol" \| grep 1 >/dev/null; then
	48	echo /etc/ssh/ssh_host_key
	49	fi
	50	if echo "$protocol" \| grep 2 >/dev/null; then
	51	echo /etc/ssh/ssh_host_rsa_key
	52	echo /etc/ssh/ssh_host_dsa_key
	53	fi
	54	fi
	55	}
	56
	57
	58	create_key() {
	59	msg="$1"
	60	shift
	61	hostkeys="$1"
	62	shift
	63	file="$1"
	64	shift
	65
	66	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	67	[ ! -f "$file" ] ; then
	68	echo -n $msg
	69	ssh-keygen -q -f "$file" -N '' "$@"
	70	echo
	71	fi
	72	}
	73
	74
	75	create_keys() {
	76	hostkeys="$(host_keys_required)"
	77
	78	create_key "Creating SSH1 key; this may take some time ..." \
	79	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	80
	81	create_key "Creating SSH2 RSA key; this may take some time ..." \
	82	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	83	create_key "Creating SSH2 DSA key; this may take some time ..." \
	84	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	85	}
	86
	87
	88	create_sshdconfig() {
	89	if [ -e /etc/ssh/sshd_config ] ; then
	90	if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
	91	db_get ssh/new_config
	92	if [ "$RET" = "false" ] ; then return 0; fi
	93	elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
	94	! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
	95	# Upgrade from pre-3.7: UsePAM needed to maintain standard
	96	# Debian configuration.
	97	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
	98	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	99	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \
	100	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	101	echo >> /etc/ssh/sshd_config.dpkg-new
	102	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
	103	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	104	echo
	105	return 0
	106	else return 0
	107	fi
	108	fi
	109
	110	#Preserve old sshd_config before generating a new one
	111	if [ -e /etc/ssh/sshd_config ] ; then
	112	mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	113	fi
	114
	115	cat <<EOF > /etc/ssh/sshd_config
	116	# Package generated configuration file
	117	# See the sshd(8) manpage for details
	118
	119	# What ports, IPs and protocols we listen for
	120	Port 22
	121	# Use these options to restrict which interfaces/protocols sshd will bind to
	122	#ListenAddress ::
	123	#ListenAddress 0.0.0.0
	124	EOF
	125	db_get ssh/protocol2_only
	126	if [ "$RET" = "false" ]; then
	127	cat <<EOF >> /etc/ssh/sshd_config
	128	Protocol 2,1
	129	# HostKeys for protocol version 1
	130	HostKey /etc/ssh/ssh_host_key
	131	# HostKeys for protocol version 2
	132	HostKey /etc/ssh/ssh_host_rsa_key
	133	HostKey /etc/ssh/ssh_host_dsa_key
	134	EOF
	135	else
	136	cat <<EOF >> /etc/ssh/sshd_config
	137	Protocol 2
	138	# HostKeys for protocol version 2
	139	HostKey /etc/ssh/ssh_host_rsa_key
	140	HostKey /etc/ssh/ssh_host_dsa_key
	141	EOF
	142	fi
	143
	144	cat <<EOF >> /etc/ssh/sshd_config
	145	#Privilege Separation is turned on for security
	146	UsePrivilegeSeparation yes
	147
	148	# Lifetime and size of ephemeral version 1 server key
	149	KeyRegenerationInterval 3600
	150	ServerKeyBits 768
	151
	152	# Logging
	153	SyslogFacility AUTH
	154	LogLevel INFO
	155
	156	# Authentication:
	157	LoginGraceTime 600
	158	PermitRootLogin yes
	159	StrictModes yes
	160
	161	RSAAuthentication yes
	162	PubkeyAuthentication yes
	163	#AuthorizedKeysFile %h/.ssh/authorized_keys
	164
	165	# Don't read the user's ~/.rhosts and ~/.shosts files
	166	IgnoreRhosts yes
	167	# For this to work you will also need host keys in /etc/ssh_known_hosts
	168	RhostsRSAAuthentication no
	169	# similar for protocol version 2
	170	HostbasedAuthentication no
	171	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	172	#IgnoreUserKnownHosts yes
	173
	174	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	175	PermitEmptyPasswords no
	176
	177	# Change to no to disable s/key passwords
	178	#ChallengeResponseAuthentication yes
	179
	180	# Change to yes to enable tunnelled clear text passwords
	181	PasswordAuthentication no
	182
	183
	184	# To change Kerberos options
	185	#KerberosAuthentication no
	186	#KerberosOrLocalPasswd yes
	187	#AFSTokenPassing no
	188	#KerberosTicketCleanup no
	189
	190	# Kerberos TGT Passing does only work with the AFS kaserver
	191	#KerberosTgtPassing yes
	192
	193	X11Forwarding no
	194	X11DisplayOffset 10
	195	PrintMotd no
	196	PrintLastLog yes
	197	KeepAlive yes
	198	#UseLogin no
	199
	200	#MaxStartups 10:30:60
	201	#Banner /etc/issue.net
	202
	203	Subsystem sftp /usr/lib/sftp-server
	204
	205	UsePAM yes
	206	EOF
	207	}
	208
	209	fix_statoverride() {
	210	# Remove an erronous override for sshd (we should have overridden ssh)
	211	if [ -x /usr/sbin/dpkg-statoverride ]; then
	212	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	213	dpkg-statoverride --remove /usr/sbin/sshd
	214	fi
	215	fi
	216	}
	217
	218	setup_sshd_user() {
	219	if ! getent passwd sshd >/dev/null; then
	220	adduser --quiet --system --no-create-home --home /var/run/sshd sshd
	221	fi
	222	}
	223
	224	fix_conffile_permissions() {
	225	# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
	226	# doesn't do this for us; see bug #192981.
	227	chmod 644 /etc/default/ssh
	228	}
	229
	230	setup_init() {
	231	if [ -x /etc/init.d/ssh ]; then
	232	update-rc.d ssh defaults >/dev/null
	233	if [ -x /usr/sbin/invoke-rc.d ]; then
	234	invoke-rc.d ssh restart
	235	else
	236	/etc/init.d/ssh restart
	237	fi
	238	fi
	239	}
	240
	241
	242	create_sshdconfig
	243	check_idea_key
	244	create_keys
	245	fix_statoverride
	246	setup_sshd_user
	247	if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
	248	fix_conffile_permissions
	249	fi
	250	setup_init
	251
	252
	253	db_stop
	254
	255	exit 0