diff options
Diffstat (limited to 'debian/openssh-server.config')
-rw-r--r-- | debian/openssh-server.config | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/debian/openssh-server.config b/debian/openssh-server.config new file mode 100644 index 000000000..0cd0a4b8d --- /dev/null +++ b/debian/openssh-server.config | |||
@@ -0,0 +1,95 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | # Source debconf library. | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | |||
10 | |||
11 | get_config_option() { | ||
12 | option="$1" | ||
13 | |||
14 | [ -f /etc/ssh/sshd_config ] || return | ||
15 | |||
16 | # TODO: actually only one '=' allowed after option | ||
17 | perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | ||
18 | /etc/ssh/sshd_config 2>/dev/null | ||
19 | } | ||
20 | |||
21 | |||
22 | if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh | ||
23 | then | ||
24 | db_fset ssh/use_old_init_script seen false | ||
25 | db_input medium ssh/use_old_init_script || true | ||
26 | db_go | ||
27 | |||
28 | db_get ssh/use_old_init_script | ||
29 | [ "$RET" = "false" ] && exit 0 | ||
30 | else | ||
31 | db_set ssh/use_old_init_script true | ||
32 | db_fset ssh/use_old_init_script seen true | ||
33 | fi | ||
34 | |||
35 | if [ -z "$version" ] && [ ! -e /etc/ssh/sshd_config ] | ||
36 | then | ||
37 | db_input medium ssh/protocol2_only || true | ||
38 | fi | ||
39 | |||
40 | if [ -e /etc/ssh/sshd_config ] | ||
41 | then | ||
42 | if dpkg --compare-versions "$version" lt-nl 1:1.3 ; | ||
43 | then db_input medium ssh/new_config || true | ||
44 | db_go | ||
45 | db_get ssh/new_config | ||
46 | if [ "$RET" = "true" ]; | ||
47 | then db_input medium ssh/protocol2_only ||true | ||
48 | fi | ||
49 | fi | ||
50 | |||
51 | # An empty version means we're upgrading from before the package split, | ||
52 | # so check. | ||
53 | if dpkg --compare-versions "$version" lt 1:3.8.1p1-11 | ||
54 | then | ||
55 | passwordauth="$(get_config_option PasswordAuthentication)" | ||
56 | crauth="$(get_config_option ChallengeResponseAuthentication)" | ||
57 | if [ "$passwordauth" = no ] && \ | ||
58 | ([ -z "$crauth" ] || [ "$crauth" = yes ]) | ||
59 | then | ||
60 | db_input critical ssh/disable_cr_auth || true | ||
61 | fi | ||
62 | fi | ||
63 | fi | ||
64 | |||
65 | if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf | ||
66 | then | ||
67 | if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null | ||
68 | then | ||
69 | db_input low ssh/insecure_telnetd || true | ||
70 | fi | ||
71 | fi | ||
72 | |||
73 | key=/etc/ssh/ssh_host_key | ||
74 | export key | ||
75 | if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] && | ||
76 | dpkg --compare-versions "$version" lt 1.2.28 | ||
77 | then | ||
78 | # make sure that keys get updated to get rid of IDEA; preinst | ||
79 | # actually does the work, but if the old ssh-keygen is not found, | ||
80 | # it can't do that -- thus, we tell the user that he must create | ||
81 | # a new host key. | ||
82 | echo -en '\0\0' | 3<&0 sh -c \ | ||
83 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
84 | # this means that bytes 32&33 of the key were not both zero, in which | ||
85 | # case the key is encrypted, which we need to fix | ||
86 | db_input high ssh/encrypted_host_key_but_no_keygen || true | ||
87 | } | ||
88 | fi | ||
89 | |||
90 | |||
91 | db_input low ssh/forward_warning || true | ||
92 | |||
93 | db_go | ||
94 | |||
95 | exit 0 | ||