author | Colin Watson <cjwatson@debian.org> | 2016-12-24 19:26:39 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-12-26 00:30:30 +0000 |
commit | de911c73504da8dd7d9bbaddcf0c0845dd6eb9a0 (patch) | |
tree | c1be675cab068c60f7461a67b396961227c9ae6d /debian/openssh-server.postinst | |
parent | 9477f029ee259b25daff503e02e6b011aea82ce3 (diff) | |
parent | af54c22db774b37a15df5e599d08a83d4bbe5079 (diff) |
Start handling /etc/ssh/sshd_config using ucf.
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
for this is to deal with deprecations of options related to protocol 1,
but something like this has been needed for a long time (closes:
#419574, #848089):
- sshd_config is now a slightly-patched version of upstream's, and only
contains non-default settings (closes: #147201).
- I've included as many historical md5sums of default versions of
sshd_config as I could reconstruct from version control, but I'm sure
I've missed some.
- Explicitly synchronise the debconf database with the current
configuration file state in openssh-server.config, to ensure that the
PermitRootLogin setting is properly preserved.
- UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
than "yes", per upstream.
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 195 |
1 files changed, 16 insertions, 179 deletions
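--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -23,56 +23,6 @@ get_config_option() {
 }
 
 
-set_config_option() {
-option="$1"
-value="$2"
-
-perl -le '
-$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
-while (<STDIN>) {
-chomp;
-(my $match = $_) =~ s/\s+/ /g;
-if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
-$_ = $match;
-$done = 1;
-}
-print;
-}
-print "$option $value" unless $done;' \
-"$option" "$value" \
-< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-
-
-rename_config_option() {
-oldoption="$1"
-newoption="$2"
-
-value="$(get_config_option "$oldoption")"
-[ "$value" ] || return 0
-
-perl -le '
-$oldoption = $ARGV[0]; $newoption = $ARGV[1];
-while (<STDIN>) {
-chomp;
-(my $match = $_) =~ s/\s+/ /g;
-# TODO: actually only one "=" allowed after option
-if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
-$_ = $match;
-}
-print;
-}' \
-"$oldoption" "$newoption" \
-< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-
-
 host_keys_required() {
 hostkeys="$(get_config_option HostKey)"
 if [ "$hostkeys" ]; then
@@ -122,137 +72,24 @@ create_keys() {
 }
 
 
-fix_loglevel_silent() {
-if [ "$(get_config_option LogLevel)" = SILENT ]; then
-set_config_option LogLevel QUIET
-fi
-}
-
-
-update_server_key_bits() {
-if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
-set_config_option ServerKeyBits 1024
-fi
-}
-
-
 create_sshdconfig() {
-if [ -e /etc/ssh/sshd_config ] ; then
-# Upgrade an existing sshd configuration.
-
-# This option was renamed in 3.8p1, but we never took care
-# of adjusting the configuration file until now.
-if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
-rename_config_option KeepAlive TCPKeepAlive
-fi
-
-# 'LogLevel SILENT' is now equivalent to QUIET.
-if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
-fix_loglevel_silent
-fi
-
-# Changed upstream in 5.1p1, but we forgot to update the
-# package-generated configuration file until now.
-if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
-update_server_key_bits
-fi
-
-if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
-[ "$(get_config_option PermitRootLogin)" = yes ] &&
-db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
-set_config_option PermitRootLogin prohibit-password
-fi
-
-if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
-[ "$(get_config_option PermitRootLogin)" = without-password ]; then
-set_config_option PermitRootLogin prohibit-password
-fi
-
-return 0
+# XXX cjwatson 2016-12-24: This debconf template is very confusingly
+# named; its description is "Disable SSH password authentication for
+# root?", so true -> prohibit-password (the upstream default),
+# false -> yes.
+db_get openssh-server/permit-root-login
+permit_root_login="$RET"
+
+new_config="$(tempfile)"
+cp -a /usr/share/openssh/sshd_config "$new_config"
+if [ "$permit_root_login" != true ]; then
+sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+"$new_config"
 fi
-
-cat <<EOF > /etc/ssh/sshd_config
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin prohibit-password
-StrictModes yes
-
-PubkeyAuthentication yes
-#AuthorizedKeysFile %h/.ssh/authorized_keys
-
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-EOF
+ucf --three-way --debconf-ok \
+--sum-file /usr/share/openssh/sshd_config.md5sum \
+"$new_config" /etc/ssh/sshd_config
+ucfr openssh-server /etc/ssh/sshd_config
 }
 
 fix_statoverride() {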
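Review bot: In the new create_sshdconfig, the test `[ "$permit_root_login" != true ]` rewrites the template to `PermitRootLogin yes` for every value other than the literal `true`, so an empty or unexpected `$RET` selects the weaker setting rather than the upstream default. Comparing against the explicit answer, `if [ "$permit_root_login" = false ]; then`, would keep prohibit-password unless the administrator actually chose otherwise; the commit message says openssh-server.config synchronises the debconf value first, so this presumably only matters if that step is skipped or fails. Separately, the file created by `tempfile` is not removed anywhere in this hunk, so each run appears to leave a copy behind; an `rm -f "$new_config"` after the `ucfr` call would tidy that up.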