1 files changed, 0 insertions, 351 deletions
diff --git a/debian/openssh-server.postinst.in b/debian/openssh-server.postinst.in
deleted file mode 100644
index ce1165ac9..000000000
--- a/debian/openssh-server.postinst.in
+++ /dev/null
@@ -1,351 +0,0 @@
-#!/bin/sh -e
-action="$1"
-oldversion="$2"
-. /usr/share/debconf/confmodule
-db_version 2.0
-umask 022
-get_config_option() {
-        option="$1"
-        [ -f /etc/ssh/sshd_config ] || return
-        # TODO: actually only one '=' allowed after option
-        perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
-           /etc/ssh/sshd_config
-}
-set_config_option() {
-        option="$1"
-        value="$2"
-        perl -le '
-                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
-                while (<STDIN>) {
-                        chomp;
-                        (my $match = $_) =~ s/\s+/ /g;
-                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
-                                $_ = $match;
-                                $done = 1;
-                        }
-                        print;
-                }
-                print "$option $value" unless $done;' \
-                "$option" "$value" \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-rename_config_option() {
-        oldoption="$1"
-        newoption="$2"
-        value="$(get_config_option "$oldoption")"
-        [ "$value" ] || return 0
-        perl -le '
-                $oldoption = $ARGV[0]; $newoption = $ARGV[1];
-                while (<STDIN>) {
-                        chomp;
-                        (my $match = $_) =~ s/\s+/ /g;
-                        # TODO: actually only one "=" allowed after option
-                        if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
-                                $_ = $match;
-                        }
-                        print;
-                }' \
-                "$oldoption" "$newoption" \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-host_keys_required() {
-        hostkeys="$(get_config_option HostKey)"
-        if [ "$hostkeys" ]; then
-                echo "$hostkeys"
-        else
-                # No HostKey directives at all, so the server picks some
-                # defaults depending on the setting of Protocol.
-                protocol="$(get_config_option Protocol)"
-                [ "$protocol" ] || protocol=1,2
-                if echo "$protocol" | grep 1 >/dev/null; then
-                        echo /etc/ssh/ssh_host_key
-                fi
-                if echo "$protocol" | grep 2 >/dev/null; then
-                        echo /etc/ssh/ssh_host_rsa_key
-                        echo /etc/ssh/ssh_host_dsa_key
-                        echo /etc/ssh/ssh_host_ecdsa_key
-                fi
-        fi
-}
-create_key() {
-        msg="$1"
-        shift
-        hostkeys="$1"
-        shift
-        file="$1"
-        shift
-        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
-           [ ! -f "$file" ] ; then
-                echo -n $msg
-                ssh-keygen -q -f "$file" -N '' "$@"
-                echo
-                if which restorecon >/dev/null 2>&1; then
-                        restorecon "$file.pub"
-                fi
-        fi
-}
-create_keys() {
-        hostkeys="$(host_keys_required)"
-        create_key "Creating SSH1 key; this may take some time ..." \
-                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
-        create_key "Creating SSH2 RSA key; this may take some time ..." \
-                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
-        create_key "Creating SSH2 DSA key; this may take some time ..." \
-                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
-        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
-                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
-}
-vulnerable_host_keys() {
-        # If the admin has explicitly put the vulnerable keys back, we
-        # assume they can look after themselves.
-        db_fget ssh/vulnerable_host_keys seen
-        if [ "$RET" = true ]; then
-                return 0
-        fi
-        hostkeys="$(host_keys_required)"
-        vulnerable=
-        for hostkey in $hostkeys; do
-                [ -f "$hostkey" ] || continue
-                if ssh-vulnkey -q "$hostkey"; then
-                        vulnerable="${vulnerable:+$vulnerable }$hostkey"
-                fi
-        done
-        if [ "$vulnerable" ]; then
-                db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
-                db_input critical ssh/vulnerable_host_keys || true
-                db_go
-                for hostkey in $vulnerable; do
-                        mv "$hostkey" "$hostkey.broken" || true
-                        mv "$hostkey.pub" "$hostkey.pub.broken" || true
-                done
-                create_keys
-        fi
-}
-fix_loglevel_silent() {
-        if [ "$(get_config_option LogLevel)" = SILENT ]; then
-                set_config_option LogLevel QUIET
-        fi
-}
-create_sshdconfig() {
-        if [ -e /etc/ssh/sshd_config ] ; then
-            # Upgrade an existing sshd configuration.
-            # This option was renamed in 3.8p1, but we never took care
-            # of adjusting the configuration file until now.
-            if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
-                rename_config_option KeepAlive TCPKeepAlive
-            fi
-            # 'LogLevel SILENT' is now equivalent to QUIET.
-            if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
-                fix_loglevel_silent
-            fi
-            return 0
-        fi
-        cat <<EOF > /etc/ssh/sshd_config
-# Package generated configuration file
-# See the sshd_config(5) manpage for details
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin yes
-StrictModes yes
-RSAAuthentication yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile     %h/.ssh/authorized_keys
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-RhostsRSAAuthentication no
-# similar for protocol version 2
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-Subsystem sftp /usr/lib/openssh/sftp-server
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-EOF
-}
-fix_statoverride() {
-# Remove an erronous override for sshd (we should have overridden ssh)
-        if [ -x /usr/sbin/dpkg-statoverride ]; then
-                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
-                        dpkg-statoverride --remove /usr/sbin/sshd
-                fi
-        fi
-}
-setup_sshd_user() {
-        if ! getent passwd sshd >/dev/null; then
-                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
-        fi
-}
-remove_old_init_links() {
-        # Yes, this only works with the SysV init script layout. I know.
-        # The important thing is that it doesn't actually *break* with
-        # file-rc ...
-        if [ -e /etc/rc2.d/S20ssh ]; then
-                update-rc.d -f ssh remove >/dev/null 2>&1
-        fi
-        rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
-}
-setup_init() {
-        case '@DISTRIBUTOR@' in
-            Ubuntu)
-                # Both init script and Upstart job are present; we want to
-                # operate on the Upstart job.
-                if [ -e /etc/init/ssh.conf ]; then
-                        stop ssh 2>/dev/null || true
-                        start ssh || true
-                fi
-                update-rc.d -f ssh remove >/dev/null || true
-                ;;
-            *)
-                if [ -x /etc/init.d/ssh ]; then
-                        update-rc.d ssh start 16 2 3 4 5 . >/dev/null
-                        if [ -x /usr/sbin/invoke-rc.d ]; then
-                                invoke-rc.d ssh restart
-                        else
-                                /etc/init.d/ssh restart
-                        fi
-                fi
-                ;;
-        esac
-}
-if [ "$action" = configure ]; then
-        create_sshdconfig
-        create_keys
-        vulnerable_host_keys
-        fix_statoverride
-        setup_sshd_user
-        if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
-            remove_old_init_links
-        fi
-        setup_init
-        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
-        if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
-            rm -f /etc/ssh/primes
-        fi
-        if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
-            rm -f /var/run/sshd/.placeholder
-        fi
-        # Clean up old debconf templates.
-        db_unregister ssh/use_old_init_script
-        db_unregister ssh/encrypted_host_key_but_no_keygen
-        db_unregister ssh/disable_cr_auth
-fi
-#DEBHELPER#
-db_stop
-exit 0

diff --git a/debian/openssh-server.postinst.in b/debian/openssh-server.postinst.in deleted file mode 100644 index ce1165ac9..000000000 --- a/debian/openssh-server.postinst.in +++ /dev/null
@@ -1,351 +0,0 @@
1	#!/bin/sh -e
2
3	action="$1"
4	oldversion="$2"
5
6	. /usr/share/debconf/confmodule
7	db_version 2.0
8
9	umask 022
10
11
12	get_config_option() {
13	option="$1"
14
15	[ -f /etc/ssh/sshd_config ] \|\| return
16
17	# TODO: actually only one '=' allowed after option
18	perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
19	/etc/ssh/sshd_config
20	}
21
22
23	set_config_option() {
24	option="$1"
25	value="$2"
26
27	perl -le '
28	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
29	while (<STDIN>) {
30	chomp;
31	(my $match = $_) =~ s/\s+/ /g;
32	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
33	$_ = $match;
34	$done = 1;
35	}
36	print;
37	}
38	print "$option $value" unless $done;' \
39	"$option" "$value" \
40	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
41	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
42	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
43	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
44	}
45
46
47	rename_config_option() {
48	oldoption="$1"
49	newoption="$2"
50
51	value="$(get_config_option "$oldoption")"
52	[ "$value" ] \|\| return 0
53
54	perl -le '
55	$oldoption = $ARGV[0]; $newoption = $ARGV[1];
56	while (<STDIN>) {
57	chomp;
58	(my $match = $_) =~ s/\s+/ /g;
59	# TODO: actually only one "=" allowed after option
60	if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
61	$_ = $match;
62	}
63	print;
64	}' \
65	"$oldoption" "$newoption" \
66	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
67	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
68	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
69	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
70	}
71
72
73	host_keys_required() {
74	hostkeys="$(get_config_option HostKey)"
75	if [ "$hostkeys" ]; then
76	echo "$hostkeys"
77	else
78	# No HostKey directives at all, so the server picks some
79	# defaults depending on the setting of Protocol.
80	protocol="$(get_config_option Protocol)"
81	[ "$protocol" ] \|\| protocol=1,2
82	if echo "$protocol" \| grep 1 >/dev/null; then
83	echo /etc/ssh/ssh_host_key
84	fi
85	if echo "$protocol" \| grep 2 >/dev/null; then
86	echo /etc/ssh/ssh_host_rsa_key
87	echo /etc/ssh/ssh_host_dsa_key
88	echo /etc/ssh/ssh_host_ecdsa_key
89	fi
90	fi
91	}
92
93
94	create_key() {
95	msg="$1"
96	shift
97	hostkeys="$1"
98	shift
99	file="$1"
100	shift
101
102	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
103	[ ! -f "$file" ] ; then
104	echo -n $msg
105	ssh-keygen -q -f "$file" -N '' "$@"
106	echo
107	if which restorecon >/dev/null 2>&1; then
108	restorecon "$file.pub"
109	fi
110	fi
111	}
112
113
114	create_keys() {
115	hostkeys="$(host_keys_required)"
116
117	create_key "Creating SSH1 key; this may take some time ..." \
118	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
119
120	create_key "Creating SSH2 RSA key; this may take some time ..." \
121	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
122	create_key "Creating SSH2 DSA key; this may take some time ..." \
123	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
124	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
125	"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
126	}
127
128
129	vulnerable_host_keys() {
130	# If the admin has explicitly put the vulnerable keys back, we
131	# assume they can look after themselves.
132	db_fget ssh/vulnerable_host_keys seen
133	if [ "$RET" = true ]; then
134	return 0
135	fi
136
137	hostkeys="$(host_keys_required)"
138	vulnerable=
139	for hostkey in $hostkeys; do
140	[ -f "$hostkey" ] \|\| continue
141	if ssh-vulnkey -q "$hostkey"; then
142	vulnerable="${vulnerable:+$vulnerable }$hostkey"
143	fi
144	done
145	if [ "$vulnerable" ]; then
146	db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
147	db_input critical ssh/vulnerable_host_keys \|\| true
148	db_go
149	for hostkey in $vulnerable; do
150	mv "$hostkey" "$hostkey.broken" \|\| true
151	mv "$hostkey.pub" "$hostkey.pub.broken" \|\| true
152	done
153	create_keys
154	fi
155	}
156
157
158	fix_loglevel_silent() {
159	if [ "$(get_config_option LogLevel)" = SILENT ]; then
160	set_config_option LogLevel QUIET
161	fi
162	}
163
164
165	create_sshdconfig() {
166	if [ -e /etc/ssh/sshd_config ] ; then
167	# Upgrade an existing sshd configuration.
168
169	# This option was renamed in 3.8p1, but we never took care
170	# of adjusting the configuration file until now.
171	if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
172	rename_config_option KeepAlive TCPKeepAlive
173	fi
174
175	# 'LogLevel SILENT' is now equivalent to QUIET.
176	if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
177	fix_loglevel_silent
178	fi
179
180	return 0
181	fi
182
183	cat <<EOF > /etc/ssh/sshd_config
184	# Package generated configuration file
185	# See the sshd_config(5) manpage for details
186
187	# What ports, IPs and protocols we listen for
188	Port 22
189	# Use these options to restrict which interfaces/protocols sshd will bind to
190	#ListenAddress ::
191	#ListenAddress 0.0.0.0
192	Protocol 2
193	# HostKeys for protocol version 2
194	HostKey /etc/ssh/ssh_host_rsa_key
195	HostKey /etc/ssh/ssh_host_dsa_key
196	HostKey /etc/ssh/ssh_host_ecdsa_key
197	#Privilege Separation is turned on for security
198	UsePrivilegeSeparation yes
199
200	# Lifetime and size of ephemeral version 1 server key
201	KeyRegenerationInterval 3600
202	ServerKeyBits 768
203
204	# Logging
205	SyslogFacility AUTH
206	LogLevel INFO
207
208	# Authentication:
209	LoginGraceTime 120
210	PermitRootLogin yes
211	StrictModes yes
212
213	RSAAuthentication yes
214	PubkeyAuthentication yes
215	#AuthorizedKeysFile %h/.ssh/authorized_keys
216
217	# Don't read the user's ~/.rhosts and ~/.shosts files
218	IgnoreRhosts yes
219	# For this to work you will also need host keys in /etc/ssh_known_hosts
220	RhostsRSAAuthentication no
221	# similar for protocol version 2
222	HostbasedAuthentication no
223	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
224	#IgnoreUserKnownHosts yes
225
226	# To enable empty passwords, change to yes (NOT RECOMMENDED)
227	PermitEmptyPasswords no
228
229	# Change to yes to enable challenge-response passwords (beware issues with
230	# some PAM modules and threads)
231	ChallengeResponseAuthentication no
232
233	# Change to no to disable tunnelled clear text passwords
234	#PasswordAuthentication yes
235
236	# Kerberos options
237	#KerberosAuthentication no
238	#KerberosGetAFSToken no
239	#KerberosOrLocalPasswd yes
240	#KerberosTicketCleanup yes
241
242	# GSSAPI options
243	#GSSAPIAuthentication no
244	#GSSAPICleanupCredentials yes
245
246	X11Forwarding yes
247	X11DisplayOffset 10
248	PrintMotd no
249	PrintLastLog yes
250	TCPKeepAlive yes
251	#UseLogin no
252
253	#MaxStartups 10:30:60
254	#Banner /etc/issue.net
255
256	# Allow client to pass locale environment variables
257	AcceptEnv LANG LC_*
258
259	Subsystem sftp /usr/lib/openssh/sftp-server
260
261	# Set this to 'yes' to enable PAM authentication, account processing,
262	# and session processing. If this is enabled, PAM authentication will
263	# be allowed through the ChallengeResponseAuthentication and
264	# PasswordAuthentication. Depending on your PAM configuration,
265	# PAM authentication via ChallengeResponseAuthentication may bypass
266	# the setting of "PermitRootLogin without-password".
267	# If you just want the PAM account and session checks to run without
268	# PAM authentication, then enable this but set PasswordAuthentication
269	# and ChallengeResponseAuthentication to 'no'.
270	UsePAM yes
271	EOF
272	}
273
274	fix_statoverride() {
275	# Remove an erronous override for sshd (we should have overridden ssh)
276	if [ -x /usr/sbin/dpkg-statoverride ]; then
277	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
278	dpkg-statoverride --remove /usr/sbin/sshd
279	fi
280	fi
281	}
282
283	setup_sshd_user() {
284	if ! getent passwd sshd >/dev/null; then
285	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
286	fi
287	}
288
289	remove_old_init_links() {
290	# Yes, this only works with the SysV init script layout. I know.
291	# The important thing is that it doesn't actually break with
292	# file-rc ...
293	if [ -e /etc/rc2.d/S20ssh ]; then
294	update-rc.d -f ssh remove >/dev/null 2>&1
295	fi
296	rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
297	}
298
299	setup_init() {
300	case '@DISTRIBUTOR@' in
301	Ubuntu)
302	# Both init script and Upstart job are present; we want to
303	# operate on the Upstart job.
304	if [ -e /etc/init/ssh.conf ]; then
305	stop ssh 2>/dev/null \|\| true
306	start ssh \|\| true
307	fi
308	update-rc.d -f ssh remove >/dev/null \|\| true
309	;;
310	*)
311	if [ -x /etc/init.d/ssh ]; then
312	update-rc.d ssh start 16 2 3 4 5 . >/dev/null
313	if [ -x /usr/sbin/invoke-rc.d ]; then
314	invoke-rc.d ssh restart
315	else
316	/etc/init.d/ssh restart
317	fi
318	fi
319	;;
320	esac
321	}
322
323	if [ "$action" = configure ]; then
324	create_sshdconfig
325	create_keys
326	vulnerable_host_keys
327	fix_statoverride
328	setup_sshd_user
329	if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
330	remove_old_init_links
331	fi
332	setup_init
333	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
334	if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
335	rm -f /etc/ssh/primes
336	fi
337	if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
338	rm -f /var/run/sshd/.placeholder
339	fi
340
341	# Clean up old debconf templates.
342	db_unregister ssh/use_old_init_script
343	db_unregister ssh/encrypted_host_key_but_no_keygen
344	db_unregister ssh/disable_cr_auth
345	fi
346
347	#DEBHELPER#
348
349	db_stop
350
351	exit 0