Switch to new unified layout for Upstart jobs as documented in

https://wiki.ubuntu.com/UpstartCompatibleInitScripts: the init script checks for a running Upstart, and we now let dh_installinit handle most of the heavy lifting in maintainer scripts. Ubuntu users should be essentially unaffected except that sshd may no longer start automatically in chroots if the running Upstart predates 0.9.0; but the main goal is simply not to break when openssh-server is installed in a chroot.
author: Colin Watson <cjwatson@debian.org> 2013-05-22 01:45:40 +0100
committer: Colin Watson <cjwatson@debian.org> 2013-05-22 01:45:40 +0100
commit: 6e950945da7a2acbb48fa4138208018f09d66991 (patch)
tree: 1e99c1fb54755277a8c441cf503b71bb2c5be748 /debian/openssh-server.postinst
parent: afd3292952a9f0bb107046785ddcfad446d69b89 (diff)
1 files changed, 326 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..94461083e
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,326 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+. /usr/share/debconf/confmodule
+db_version 2.0
+umask 022
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+set_config_option() {
+        option="$1"
+        value="$2"
+        perl -le '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $_ = $match;
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "$option $value" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+rename_config_option() {
+        oldoption="$1"
+        newoption="$2"
+        value="$(get_config_option "$oldoption")"
+        [ "$value" ] || return 0
+        perl -le '
+                $oldoption = $ARGV[0]; $newoption = $ARGV[1];
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        # TODO: actually only one "=" allowed after option
+                        if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
+                                $_ = $match;
+                        }
+                        print;
+                }' \
+                "$oldoption" "$newoption" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                        echo /etc/ssh/ssh_host_ecdsa_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if which restorecon >/dev/null 2>&1; then
+                        restorecon "$file.pub"
+                fi
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+}
+vulnerable_host_keys() {
+        # If the admin has explicitly put the vulnerable keys back, we
+        # assume they can look after themselves.
+        db_fget ssh/vulnerable_host_keys seen
+        if [ "$RET" = true ]; then
+                return 0
+        fi
+        hostkeys="$(host_keys_required)"
+        vulnerable=
+        for hostkey in $hostkeys; do
+                [ -f "$hostkey" ] || continue
+                if ssh-vulnkey -q "$hostkey"; then
+                        vulnerable="${vulnerable:+$vulnerable }$hostkey"
+                fi
+        done
+        if [ "$vulnerable" ]; then
+                db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
+                db_input critical ssh/vulnerable_host_keys || true
+                db_go
+                for hostkey in $vulnerable; do
+                        mv "$hostkey" "$hostkey.broken" || true
+                        mv "$hostkey.pub" "$hostkey.pub.broken" || true
+                done
+                create_keys
+        fi
+}
+fix_loglevel_silent() {
+        if [ "$(get_config_option LogLevel)" = SILENT ]; then
+                set_config_option LogLevel QUIET
+        fi
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            # Upgrade an existing sshd configuration.
+            # This option was renamed in 3.8p1, but we never took care
+            # of adjusting the configuration file until now.
+            if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+                rename_config_option KeepAlive TCPKeepAlive
+            fi
+            # 'LogLevel SILENT' is now equivalent to QUIET.
+            if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+                fix_loglevel_silent
+            fi
+            return 0
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+EOF
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+remove_old_init_links() {
+        # Yes, this only works with the SysV init script layout. I know.
+        # The important thing is that it doesn't actually *break* with
+        # file-rc ...
+        if [ -e /etc/rc2.d/S20ssh ]; then
+                update-rc.d -f ssh remove >/dev/null 2>&1
+        fi
+        rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
+}
+if [ "$action" = configure ]; then
+        create_sshdconfig
+        create_keys
+        vulnerable_host_keys
+        fix_statoverride
+        setup_sshd_user
+        if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
+            remove_old_init_links
+        fi
+        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+        if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
+            rm -f /etc/ssh/primes
+        fi
+        if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
+            rm -f /var/run/sshd/.placeholder
+        fi
+        # Clean up old debconf templates.
+        db_unregister ssh/use_old_init_script
+        db_unregister ssh/encrypted_host_key_but_no_keygen
+        db_unregister ssh/disable_cr_auth
+fi
+#DEBHELPER#
+db_stop
+exit 0
author	Colin Watson <cjwatson@debian.org>	2013-05-22 01:45:40 +0100
committer	Colin Watson <cjwatson@debian.org>	2013-05-22 01:45:40 +0100
commit	6e950945da7a2acbb48fa4138208018f09d66991 (patch)
tree	1e99c1fb54755277a8c441cf503b71bb2c5be748 /debian/openssh-server.postinst
parent	afd3292952a9f0bb107046785ddcfad446d69b89 (diff)

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..94461083e --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,326 @@
	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11
	12	get_config_option() {
	13	option="$1"
	14
	15	[ -f /etc/ssh/sshd_config ] \|\| return
	16
	17	# TODO: actually only one '=' allowed after option
	18	perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
	19	/etc/ssh/sshd_config
	20	}
	21
	22
	23	set_config_option() {
	24	option="$1"
	25	value="$2"
	26
	27	perl -le '
	28	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
	29	while (<STDIN>) {
	30	chomp;
	31	(my $match = $_) =~ s/\s+/ /g;
	32	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
	33	$_ = $match;
	34	$done = 1;
	35	}
	36	print;
	37	}
	38	print "$option $value" unless $done;' \
	39	"$option" "$value" \
	40	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	41	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	42	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	43	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	44	}
	45
	46
	47	rename_config_option() {
	48	oldoption="$1"
	49	newoption="$2"
	50
	51	value="$(get_config_option "$oldoption")"
	52	[ "$value" ] \|\| return 0
	53
	54	perl -le '
	55	$oldoption = $ARGV[0]; $newoption = $ARGV[1];
	56	while (<STDIN>) {
	57	chomp;
	58	(my $match = $_) =~ s/\s+/ /g;
	59	# TODO: actually only one "=" allowed after option
	60	if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
	61	$_ = $match;
	62	}
	63	print;
	64	}' \
	65	"$oldoption" "$newoption" \
	66	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	67	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	68	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	69	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	70	}
	71
	72
	73	host_keys_required() {
	74	hostkeys="$(get_config_option HostKey)"
	75	if [ "$hostkeys" ]; then
	76	echo "$hostkeys"
	77	else
	78	# No HostKey directives at all, so the server picks some
	79	# defaults depending on the setting of Protocol.
	80	protocol="$(get_config_option Protocol)"
	81	[ "$protocol" ] \|\| protocol=1,2
	82	if echo "$protocol" \| grep 1 >/dev/null; then
	83	echo /etc/ssh/ssh_host_key
	84	fi
	85	if echo "$protocol" \| grep 2 >/dev/null; then
	86	echo /etc/ssh/ssh_host_rsa_key
	87	echo /etc/ssh/ssh_host_dsa_key
	88	echo /etc/ssh/ssh_host_ecdsa_key
	89	fi
	90	fi
	91	}
	92
	93
	94	create_key() {
	95	msg="$1"
	96	shift
	97	hostkeys="$1"
	98	shift
	99	file="$1"
	100	shift
	101
	102	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	103	[ ! -f "$file" ] ; then
	104	echo -n $msg
	105	ssh-keygen -q -f "$file" -N '' "$@"
	106	echo
	107	if which restorecon >/dev/null 2>&1; then
	108	restorecon "$file.pub"
	109	fi
	110	fi
	111	}
	112
	113
	114	create_keys() {
	115	hostkeys="$(host_keys_required)"
	116
	117	create_key "Creating SSH1 key; this may take some time ..." \
	118	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	119
	120	create_key "Creating SSH2 RSA key; this may take some time ..." \
	121	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	122	create_key "Creating SSH2 DSA key; this may take some time ..." \
	123	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	124	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
	125	"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	126	}
	127
	128
	129	vulnerable_host_keys() {
	130	# If the admin has explicitly put the vulnerable keys back, we
	131	# assume they can look after themselves.
	132	db_fget ssh/vulnerable_host_keys seen
	133	if [ "$RET" = true ]; then
	134	return 0
	135	fi
	136
	137	hostkeys="$(host_keys_required)"
	138	vulnerable=
	139	for hostkey in $hostkeys; do
	140	[ -f "$hostkey" ] \|\| continue
	141	if ssh-vulnkey -q "$hostkey"; then
	142	vulnerable="${vulnerable:+$vulnerable }$hostkey"
	143	fi
	144	done
	145	if [ "$vulnerable" ]; then
	146	db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
	147	db_input critical ssh/vulnerable_host_keys \|\| true
	148	db_go
	149	for hostkey in $vulnerable; do
	150	mv "$hostkey" "$hostkey.broken" \|\| true
	151	mv "$hostkey.pub" "$hostkey.pub.broken" \|\| true
	152	done
	153	create_keys
	154	fi
	155	}
	156
	157
	158	fix_loglevel_silent() {
	159	if [ "$(get_config_option LogLevel)" = SILENT ]; then
	160	set_config_option LogLevel QUIET
	161	fi
	162	}
	163
	164
	165	create_sshdconfig() {
	166	if [ -e /etc/ssh/sshd_config ] ; then
	167	# Upgrade an existing sshd configuration.
	168
	169	# This option was renamed in 3.8p1, but we never took care
	170	# of adjusting the configuration file until now.
	171	if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
	172	rename_config_option KeepAlive TCPKeepAlive
	173	fi
	174
	175	# 'LogLevel SILENT' is now equivalent to QUIET.
	176	if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
	177	fix_loglevel_silent
	178	fi
	179
	180	return 0
	181	fi
	182
	183	cat <<EOF > /etc/ssh/sshd_config
	184	# Package generated configuration file
	185	# See the sshd_config(5) manpage for details
	186
	187	# What ports, IPs and protocols we listen for
	188	Port 22
	189	# Use these options to restrict which interfaces/protocols sshd will bind to
	190	#ListenAddress ::
	191	#ListenAddress 0.0.0.0
	192	Protocol 2
	193	# HostKeys for protocol version 2
	194	HostKey /etc/ssh/ssh_host_rsa_key
	195	HostKey /etc/ssh/ssh_host_dsa_key
	196	HostKey /etc/ssh/ssh_host_ecdsa_key
	197	#Privilege Separation is turned on for security
	198	UsePrivilegeSeparation yes
	199
	200	# Lifetime and size of ephemeral version 1 server key
	201	KeyRegenerationInterval 3600
	202	ServerKeyBits 768
	203
	204	# Logging
	205	SyslogFacility AUTH
	206	LogLevel INFO
	207
	208	# Authentication:
	209	LoginGraceTime 120
	210	PermitRootLogin yes
	211	StrictModes yes
	212
	213	RSAAuthentication yes
	214	PubkeyAuthentication yes
	215	#AuthorizedKeysFile %h/.ssh/authorized_keys
	216
	217	# Don't read the user's ~/.rhosts and ~/.shosts files
	218	IgnoreRhosts yes
	219	# For this to work you will also need host keys in /etc/ssh_known_hosts
	220	RhostsRSAAuthentication no
	221	# similar for protocol version 2
	222	HostbasedAuthentication no
	223	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	224	#IgnoreUserKnownHosts yes
	225
	226	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	227	PermitEmptyPasswords no
	228
	229	# Change to yes to enable challenge-response passwords (beware issues with
	230	# some PAM modules and threads)
	231	ChallengeResponseAuthentication no
	232
	233	# Change to no to disable tunnelled clear text passwords
	234	#PasswordAuthentication yes
	235
	236	# Kerberos options
	237	#KerberosAuthentication no
	238	#KerberosGetAFSToken no
	239	#KerberosOrLocalPasswd yes
	240	#KerberosTicketCleanup yes
	241
	242	# GSSAPI options
	243	#GSSAPIAuthentication no
	244	#GSSAPICleanupCredentials yes
	245
	246	X11Forwarding yes
	247	X11DisplayOffset 10
	248	PrintMotd no
	249	PrintLastLog yes
	250	TCPKeepAlive yes
	251	#UseLogin no
	252
	253	#MaxStartups 10:30:60
	254	#Banner /etc/issue.net
	255
	256	# Allow client to pass locale environment variables
	257	AcceptEnv LANG LC_*
	258
	259	Subsystem sftp /usr/lib/openssh/sftp-server
	260
	261	# Set this to 'yes' to enable PAM authentication, account processing,
	262	# and session processing. If this is enabled, PAM authentication will
	263	# be allowed through the ChallengeResponseAuthentication and
	264	# PasswordAuthentication. Depending on your PAM configuration,
	265	# PAM authentication via ChallengeResponseAuthentication may bypass
	266	# the setting of "PermitRootLogin without-password".
	267	# If you just want the PAM account and session checks to run without
	268	# PAM authentication, then enable this but set PasswordAuthentication
	269	# and ChallengeResponseAuthentication to 'no'.
	270	UsePAM yes
	271	EOF
	272	}
	273
	274	fix_statoverride() {
	275	# Remove an erronous override for sshd (we should have overridden ssh)
	276	if [ -x /usr/sbin/dpkg-statoverride ]; then
	277	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	278	dpkg-statoverride --remove /usr/sbin/sshd
	279	fi
	280	fi
	281	}
	282
	283	setup_sshd_user() {
	284	if ! getent passwd sshd >/dev/null; then
	285	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	286	fi
	287	}
	288
	289	remove_old_init_links() {
	290	# Yes, this only works with the SysV init script layout. I know.
	291	# The important thing is that it doesn't actually break with
	292	# file-rc ...
	293	if [ -e /etc/rc2.d/S20ssh ]; then
	294	update-rc.d -f ssh remove >/dev/null 2>&1
	295	fi
	296	rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
	297	}
	298
	299	if [ "$action" = configure ]; then
	300	create_sshdconfig
	301	create_keys
	302	vulnerable_host_keys
	303	fix_statoverride
	304	setup_sshd_user
	305	if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
	306	remove_old_init_links
	307	fi
	308	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
	309	if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
	310	rm -f /etc/ssh/primes
	311	fi
	312	if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
	313	rm -f /var/run/sshd/.placeholder
	314	fi
	315
	316	# Clean up old debconf templates.
	317	db_unregister ssh/use_old_init_script
	318	db_unregister ssh/encrypted_host_key_but_no_keygen
	319	db_unregister ssh/disable_cr_auth
	320	fi
	321
	322	#DEBHELPER#
	323
	324	db_stop
	325
	326	exit 0