author | Colin Watson <cjwatson@debian.org> | 2004-07-31 03:22:20 +0000 |
committer | Colin Watson <cjwatson@debian.org> | 2004-07-31 03:22:20 +0000 |
commit | 9749ef7f9b382d743b186bf06c7c2aeb0b9bebee (patch) | |
tree | aadbcc936c4e05d344f3ae856925b62bafc8debb /debian/openssh-server.postinst | |
parent | c57fe5be57af965042484e8669767f95e558b0ef (diff) |
* Split the ssh binary package into openssh-client and openssh-server
(closes: #39741). openssh-server depends on openssh-client for some
common functionality; it didn't seem worth creating yet another package
for this.
* New transitional ssh package, depending on openssh-client and
openssh-server. May be removed once nothing depends on it.
* When upgrading from ssh to openssh-{client,server}, it's very difficult
for the maintainer scripts to find out what version we're upgrading from
without dodgy dpkg hackery. I've therefore taken the opportunity to move
a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged
and ssh/user_environment_tell.
* In general, upgrading to this version directly from woody without first
upgrading to the version in sarge is not currently guaranteed to work
very smoothly due to the aforementioned version discovery problems.
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 255 |
1 files changed, 255 insertions, 0 deletions
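--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,255 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+umask 022
+
+if [ "$action" != configure ]
+then
+exit 0
+fi
+
+
+check_idea_key() {
+#check for old host_key files using IDEA, which openssh does not support
+if [ -f /etc/ssh/ssh_host_key ] ; then
+if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+grep -q 'unknown cipher' 2>/dev/null ; then
+mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+fi
+fi
+}
+
+
+get_config_option() {
+option="$1"
+
+# TODO: actually only one '=' allowed after option
+perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+/etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+hostkeys="$(get_config_option HostKey)"
+if [ "$hostkeys" ]; then
+echo "$hostkeys"
+else
+# No HostKey directives at all, so the server picks some
+# defaults depending on the setting of Protocol.
+protocol="$(get_config_option Protocol)"
+[ "$protocol" ] || protocol=1,2
+if echo "$protocol" | grep 1 >/dev/null; then
+echo /etc/ssh/ssh_host_key
+fi
+if echo "$protocol" | grep 2 >/dev/null; then
+echo /etc/ssh/ssh_host_rsa_key
+echo /etc/ssh/ssh_host_dsa_key
+fi
+fi
+}
+
+
+create_key() {
+msg="$1"
+shift
+hostkeys="$1"
+shift
+file="$1"
+shift
+
+if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+[ ! -f "$file" ] ; then
+echo -n $msg
+ssh-keygen -q -f "$file" -N '' "$@"
+echo
+fi
+}
+
+
+create_keys() {
+hostkeys="$(host_keys_required)"
+
+create_key "Creating SSH1 key; this may take some time ..." \
+"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+
+create_key "Creating SSH2 RSA key; this may take some time ..." \
+"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+create_key "Creating SSH2 DSA key; this may take some time ..." \
+"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+
+
+create_sshdconfig() {
+if [ -e /etc/ssh/sshd_config ] ; then
+if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+db_get ssh/new_config
+if [ "$RET" = "false" ] ; then return 0; fi
+elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
+# Upgrade from pre-3.7: UsePAM needed to maintain standard
+# Debian configuration.
+echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+echo >> /etc/ssh/sshd_config.dpkg-new
+echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+echo
+return 0
+else return 0
+fi
+fi
+
+#Preserve old sshd_config before generating a new one
+if [ -e /etc/ssh/sshd_config ] ; then
+mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+fi
+
+cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+db_get ssh/protocol2_only
+if [ "$RET" = "false" ]; then
+cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+
+cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Change to yes to enable tunnelled clear text passwords
+PasswordAuthentication no
+
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+Subsystem sftp /usr/lib/sftp-server
+
+UsePAM yes
+EOF
+}
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+if [ -x /usr/sbin/dpkg-statoverride ]; then
+if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+dpkg-statoverride --remove /usr/sbin/sshd
+fi
+fi
+}
+
+setup_sshd_user() {
+if ! getent passwd sshd >/dev/null; then
+adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+fi
+}
+
+fix_conffile_permissions() {
+# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
+# doesn't do this for us; see bug #192981.
+chmod 644 /etc/default/ssh
+}
+
+setup_init() {
+if [ -x /etc/init.d/ssh ]; then
+update-rc.d ssh defaults >/dev/null
+if [ -x /usr/sbin/invoke-rc.d ]; then
+invoke-rc.d ssh restart
+else
+/etc/init.d/ssh restart
+fi
+fi
+}
+
+
+create_sshdconfig
+check_idea_key
+create_keys
+fix_statoverride
+setup_sshd_user
+if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
+fix_conffile_permissions
+fi
+setup_init
+
+
+db_stop
+
+exit 0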
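Review bot: `fix_conffile_permissions` (line 227) runs `chmod 644 /etc/default/ssh` with no existence test, and under `#!/bin/sh -e` a missing file aborts the postinst after the config and host keys have already been written; guarding it as `[ ! -e /etc/default/ssh ] || chmod 644 /etc/default/ssh` keeps the cleanup best-effort. The gate that calls it at line 247 reads `"$2"` with `lt`, whereas lines 90 and 93 read the same argument as `$oldversion` with `lt-nl`; those two operators treat an empty version (a fresh install) oppositely, so if running the chmod on fresh installs is deliberate a one-line comment saying so would help, and either way `"$oldversion"` should replace `"$2"` so the script has a single source for the previous version. Separately, `echo -n $msg` at line 68 leaves `$msg` unquoted, so the message is word-split and glob-expanded before printing; `echo -n "$msg"` preserves it as passed.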