Diffstat (limited to 'debian/openssh-server.postinst.in')
-rw-r--r--debian/openssh-server.postinst.in123
1 files changed, 1 insertions, 122 deletions
diff --git a/debian/openssh-server.postinst.in b/debian/openssh-server.postinst.in
index 7ef270d80..245333234 100644
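--- a/debian/openssh-server.postinst.in
+++ b/debian/openssh-server.postinst.in
@@ -14,15 +14,6 @@ if [ "$action" != configure ]
 fi
 
 
-fix_doc_symlink() {
- if [ ! -L /usr/share/doc/openssh-server ] && \
- dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
- rm -rf /usr/share/doc/openssh-server
- ln -s openssh-client /usr/share/doc/openssh-server
- fi
-}
-
-
 get_config_option() {
  option="$1"
 
@@ -58,31 +49,6 @@ set_config_option() {
 }
 
 
-disable_config_option() {
- option="$1"
-
- value="$(get_config_option "$option")"
- [ "$value" ] || return 0
-
- perl -le '
- $option = $ARGV[0];
- while (<STDIN>) {
- chomp;
- (my $match = $_) =~ s/\s+/ /g;
- # TODO: actually only one "=" allowed after option
- if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) {
- $_ = $match;
- }
- print;
- }' \
- "$option" \
- < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
- chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
- chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
- mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-
-
 rename_config_option() {
  oldoption="$1"
  newoption="$2"
@@ -109,13 +75,6 @@ rename_config_option() {
 }
 
 
-remove_obsolete_gssapi() {
- disable_config_option GSSAPINoMICAuthentication
- disable_config_option GSSUseSessionCCache
- disable_config_option GSSAPIUseSessionCredCache
-}
-
-
 host_keys_required() {
  hostkeys="$(get_config_option HostKey)"
  if [ "$hostkeys" ]; then
@@ -201,28 +160,6 @@ vulnerable_host_keys() {
 }
 
 
-check_password_auth() {
- passwordauth="$(get_config_option PasswordAuthentication)"
- crauth="$(get_config_option ChallengeResponseAuthentication)"
- if [ "$passwordauth" = no ] && \
- ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
- db_get ssh/disable_cr_auth
- if [ "$RET" = true ]; then
- set_config_option ChallengeResponseAuthentication no
- fi
- fi
-}
-
-
-move_subsystem_sftp() {
- subsystem_sftp="$(get_config_option 'Subsystem sftp')"
- if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \
- [ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
- set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
- fi
-}
-
-
 fix_loglevel_silent() {
  if [ "$(get_config_option LogLevel)" = SILENT ]; then
  set_config_option LogLevel QUIET
@@ -234,46 +171,6 @@ create_sshdconfig() {
  if [ -e /etc/ssh/sshd_config ] ; then
  # Upgrade an existing sshd configuration.
 
- if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
- ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
- grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
- /etc/ssh/sshd_config ; then
- # Upgrade from pre-3.7: UsePAM needed to maintain standard
- # Debian configuration.
- # Note that --compare-versions is sadly not reliable enough
- # here due to the package split of ssh into openssh-client
- # and openssh-server. The extra grep for some deprecated
- # options should with any luck be a good enough heuristic.
- echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
- cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
- perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
- /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
- echo >> /etc/ssh/sshd_config.dpkg-new
- echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
- chown --reference /etc/ssh/sshd_config \
- /etc/ssh/sshd_config.dpkg-new
- chmod --reference /etc/ssh/sshd_config \
- /etc/ssh/sshd_config.dpkg-new
- mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
- echo
- fi
-
- # An empty version means we're upgrading from before the
- # package split, so check.
- if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
- check_password_auth
- fi
-
- # libexecdir changed, so fix up 'Subsystem sftp'.
- if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
- move_subsystem_sftp
- fi
-
- # Remove obsolete GSSAPI options.
- if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
- remove_obsolete_gssapi
- fi
-
  # This option was renamed in 3.8p1, but we never took care
  # of adjusting the configuration file until now.
  if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
@@ -388,24 +285,12 @@ fix_statoverride() {
  fi
 }
 
-fix_sshd_shell() {
- if getent passwd sshd | grep -q ':/bin/false$'; then
- usermod -s /usr/sbin/nologin sshd || true
- fi
-}
-
 setup_sshd_user() {
  if ! getent passwd sshd >/dev/null; then
  adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
  fi
 }
 
-fix_conffile_permissions() {
- # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
- # doesn't do this for us; see bug #192981.
- chmod 644 /etc/default/ssh
-}
-
 remove_old_init_links() {
  # Yes, this only works with the SysV init script layout. I know.
  # The important thing is that it doesn't actually *break* with
@@ -454,18 +339,11 @@ commit_mv_conffile () {
 }
 
 
-fix_doc_symlink
 create_sshdconfig
 create_keys
 vulnerable_host_keys
 fix_statoverride
-if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
- fix_sshd_shell
-fi
 setup_sshd_user
-if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
- fix_conffile_permissions
-fi
 if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
  remove_old_init_links
 fi
@@ -482,6 +360,7 @@ fi
 # Clean up old debconf templates.
 db_unregister ssh/use_old_init_script
 db_unregister ssh/encrypted_host_key_but_no_keygen
+db_unregister ssh/disable_cr_auth
 
 
 db_stop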
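Review bot: Nothing on the new side records the oldest package version whose upgrade is still migrated, now that every block guarded by `lt 1:3.6.1p2-2` through `lt 1:4.3p2-8` is gone. A comment above the remaining `dpkg --compare-versions` guards, such as `# Upgrades from versions older than <oldest supported version> are no longer migrated here.`, would tell the next maintainer which guards can be dropped and which cannot. Three of the removed steps were hardening fixes: the `chmod 644 /etc/default/ssh` cleanup, the `sshd` shell change from `/bin/false` to `/usr/sbin/nologin`, and the `ChallengeResponseAuthentication` prompt in `check_password_auth`. A host that jumps straight from one of those old versions presumably keeps the old state, which is worth stating in that comment or in the changelog. The added `db_unregister ssh/disable_cr_auth` also assumes the template is dropped from the templates file, which this file-limited view does not show.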