Diffstat (limited to 'debian/openssh-server.postinst.in')
-rw-r--r-- | debian/openssh-server.postinst.in | 123 |
1 files changed, 1 insertions, 122 deletions
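--- a/debian/openssh-server.postinst.in
+++ b/debian/openssh-server.postinst.in
@@ -14,15 +14,6 @@ if [ "$action" != configure ]
 fi
 
 
-fix_doc_symlink() {
-if [ ! -L /usr/share/doc/openssh-server ] && \
-dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
-rm -rf /usr/share/doc/openssh-server
-ln -s openssh-client /usr/share/doc/openssh-server
-fi
-}
-
-
 get_config_option() {
 option="$1"
 
@@ -58,31 +49,6 @@ set_config_option() {
 }
 
 
-disable_config_option() {
-option="$1"
-
-value="$(get_config_option "$option")"
-[ "$value" ] || return 0
-
-perl -le '
-$option = $ARGV[0];
-while (<STDIN>) {
-chomp;
-(my $match = $_) =~ s/\s+/ /g;
-# TODO: actually only one "=" allowed after option
-if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) {
-$_ = $match;
-}
-print;
-}' \
-"$option" \
-< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-
-
 rename_config_option() {
 oldoption="$1"
 newoption="$2"
@@ -109,13 +75,6 @@ rename_config_option() {
 }
 
 
-remove_obsolete_gssapi() {
-disable_config_option GSSAPINoMICAuthentication
-disable_config_option GSSUseSessionCCache
-disable_config_option GSSAPIUseSessionCredCache
-}
-
-
 host_keys_required() {
 hostkeys="$(get_config_option HostKey)"
 if [ "$hostkeys" ]; then
@@ -201,28 +160,6 @@ vulnerable_host_keys() {
 }
 
 
-check_password_auth() {
-passwordauth="$(get_config_option PasswordAuthentication)"
-crauth="$(get_config_option ChallengeResponseAuthentication)"
-if [ "$passwordauth" = no ] && \
-([ -z "$crauth" ] || [ "$crauth" = yes ]); then
-db_get ssh/disable_cr_auth
-if [ "$RET" = true ]; then
-set_config_option ChallengeResponseAuthentication no
-fi
-fi
-}
-
-
-move_subsystem_sftp() {
-subsystem_sftp="$(get_config_option 'Subsystem sftp')"
-if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \
-[ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
-set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
-fi
-}
-
-
 fix_loglevel_silent() {
 if [ "$(get_config_option LogLevel)" = SILENT ]; then
 set_config_option LogLevel QUIET
@@ -234,46 +171,6 @@ create_sshdconfig() {
 if [ -e /etc/ssh/sshd_config ] ; then
 # Upgrade an existing sshd configuration.
 
-if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
-! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
-grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
-/etc/ssh/sshd_config ; then
-# Upgrade from pre-3.7: UsePAM needed to maintain standard
-# Debian configuration.
-# Note that --compare-versions is sadly not reliable enough
-# here due to the package split of ssh into openssh-client
-# and openssh-server. The extra grep for some deprecated
-# options should with any luck be a good enough heuristic.
-echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
-cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
-perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
-/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-echo >> /etc/ssh/sshd_config.dpkg-new
-echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
-chown --reference /etc/ssh/sshd_config \
-/etc/ssh/sshd_config.dpkg-new
-chmod --reference /etc/ssh/sshd_config \
-/etc/ssh/sshd_config.dpkg-new
-mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-echo
-fi
-
-# An empty version means we're upgrading from before the
-# package split, so check.
-if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
-check_password_auth
-fi
-
-# libexecdir changed, so fix up 'Subsystem sftp'.
-if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
-move_subsystem_sftp
-fi
-
-# Remove obsolete GSSAPI options.
-if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
-remove_obsolete_gssapi
-fi
-
 # This option was renamed in 3.8p1, but we never took care
 # of adjusting the configuration file until now.
 if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
@@ -388,24 +285,12 @@ fix_statoverride() {
 fi
 }
 
-fix_sshd_shell() {
-if getent passwd sshd | grep -q ':/bin/false$'; then
-usermod -s /usr/sbin/nologin sshd || true
-fi
-}
-
 setup_sshd_user() {
 if ! getent passwd sshd >/dev/null; then
 adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
 fi
 }
 
-fix_conffile_permissions() {
-# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
-# doesn't do this for us; see bug #192981.
-chmod 644 /etc/default/ssh
-}
-
 remove_old_init_links() {
 # Yes, this only works with the SysV init script layout. I know.
 # The important thing is that it doesn't actually *break* with
@@ -454,18 +339,11 @@ commit_mv_conffile () {
 }
 
 
-fix_doc_symlink
 create_sshdconfig
 create_keys
 vulnerable_host_keys
 fix_statoverride
-if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
-fix_sshd_shell
-fi
 setup_sshd_user
-if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
-fix_conffile_permissions
-fi
 if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
 remove_old_init_links
 fi
@@ -482,6 +360,7 @@ fi
 # Clean up old debconf templates.
 db_unregister ssh/use_old_init_script
 db_unregister ssh/encrypted_host_key_but_no_keygen
+db_unregister ssh/disable_cr_auth
 
 
 db_stop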
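Review bot: The new `create_sshdconfig` body (hunk `@@ -234,46 +171,6 @@`, function continues outside the hunk) no longer says which older versions are still migrated, and the dropped `check_password_auth` call was gated with `lt` rather than `lt-nl`, so by its own comment it also ran when `$oldversion` was empty and an `sshd_config` already existed. After this change such a file with `PasswordAuthentication no` and `ChallengeResponseAuthentication` unset or `yes` is left as it is, which presumably still allows password logins through keyboard-interactive; confirm that case is unreachable now or handled elsewhere. I would add a comment above the first remaining version check, `# Migrations for upgrades from before 1:4.3p2-8 were dropped; older sshd_config files are not adjusted here.` The diffstat is limited to this file, so also check that the `ssh/disable_cr_auth` template and any use of it in the config script go away together with the new `db_unregister ssh/disable_cr_auth` in the last hunk.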