1 files changed, 63 insertions, 19 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 28af3f490..dab8c94fd 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -29,12 +29,33 @@ check_idea_key() {
 get_config_option() {
        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
        # TODO: actually only one '=' allowed after option
        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
           /etc/ssh/sshd_config
 }
+set_config_option() {
+        option="$1"
+        value="$2"
+        perl -e '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        if (s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "\n$option $value\n" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
 host_keys_required() {
        hostkeys="$(get_config_option HostKey)"
        if [ "$hostkeys" ]; then
@@ -85,31 +106,54 @@ create_keys() {
 }
+check_password_auth() {
+        passwordauth="$(get_config_option PasswordAuthentication)"
+        crauth="$(get_config_option ChallengeResponseAuthentication)"
+        if [ "$passwordauth" = no ] && \
+           ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+                db_get ssh/disable_cr_auth
+                if [ "$RET" = true ]; then
+                        set_config_option ChallengeResponseAuthentication no
+                fi
+        fi
+}
 create_sshdconfig() {
        if [ -e /etc/ssh/sshd_config ] ; then
            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
                db_get ssh/new_config
                if [ "$RET" = "false" ] ; then return 0; fi
-            elif (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+            else
-                  ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
+                # Upgrade sshd configuration from a sane version.
-                 grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
-                   /etc/ssh/sshd_config ; then
+                if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
-                # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                    ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
-                # Debian configuration.
+                   grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
-                # Note that --compare-versions is sadly not reliable enough
+                     /etc/ssh/sshd_config ; then
-                # here due to the package split of ssh into openssh-client
+                    # Upgrade from pre-3.7: UsePAM needed to maintain standard
-                # and openssh-server. The extra grep for some deprecated
+                    # Debian configuration.
-                # options should with any luck be a good enough heuristic.
+                    # Note that --compare-versions is sadly not reliable enough
-                echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+                    # here due to the package split of ssh into openssh-client
-                cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                    # and openssh-server. The extra grep for some deprecated
-                perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                    # options should with any luck be a good enough heuristic.
-                    /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                    echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
-                echo >> /etc/ssh/sshd_config.dpkg-new
+                    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
-                echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                    perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
-                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                        /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-                echo
+                    echo >> /etc/ssh/sshd_config.dpkg-new
+                    echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                    mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                    echo
+                fi
+                # An empty version means we're upgrading from before the
+                # package split, so check.
+                if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
+                    check_password_auth
+                fi
                return 0
-            else return 0
            fi
        fi

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 28af3f490..dab8c94fd 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst
@@ -29,12 +29,33 @@ check_idea_key() {
29	get_config_option() {	29	get_config_option() {
30	option="$1"	30	option="$1"
31		31
		32	[ -f /etc/ssh/sshd_config ] \|\| return
		33
32	# TODO: actually only one '=' allowed after option	34	# TODO: actually only one '=' allowed after option
33	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \	35	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
34	/etc/ssh/sshd_config	36	/etc/ssh/sshd_config
35	}	37	}
36		38
37		39
		40	set_config_option() {
		41	option="$1"
		42	value="$2"
		43
		44	perl -e '
		45	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
		46	while (<STDIN>) {
		47	if (s/^\s\Q$option\E\s+./$option $value/) {
		48	$done = 1;
		49	}
		50	print;
		51	}
		52	print "\n$option $value\n" unless $done;' \
		53	"$option" "$value" \
		54	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
		55	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
		56	}
		57
		58
38	host_keys_required() {	59	host_keys_required() {
39	hostkeys="$(get_config_option HostKey)"	60	hostkeys="$(get_config_option HostKey)"
40	if [ "$hostkeys" ]; then	61	if [ "$hostkeys" ]; then
@@ -85,31 +106,54 @@ create_keys() {
85	}	106	}
86		107
87		108
		109	check_password_auth() {
		110	passwordauth="$(get_config_option PasswordAuthentication)"
		111	crauth="$(get_config_option ChallengeResponseAuthentication)"
		112	if [ "$passwordauth" = no ] && \
		113	([ -z "$crauth" ] \|\| [ "$crauth" = yes ]); then
		114	db_get ssh/disable_cr_auth
		115	if [ "$RET" = true ]; then
		116	set_config_option ChallengeResponseAuthentication no
		117	fi
		118	fi
		119	}
		120
		121
88	create_sshdconfig() {	122	create_sshdconfig() {
89	if [ -e /etc/ssh/sshd_config ] ; then	123	if [ -e /etc/ssh/sshd_config ] ; then
90	if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then	124	if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
91	db_get ssh/new_config	125	db_get ssh/new_config
92	if [ "$RET" = "false" ] ; then return 0; fi	126	if [ "$RET" = "false" ] ; then return 0; fi
93	elif (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \	127	else
94	! grep -iq ^UsePAM /etc/ssh/sshd_config) \|\| \	128	# Upgrade sshd configuration from a sane version.
95	grep -Eiq '^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)' \	129
96	/etc/ssh/sshd_config ; then	130	if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
97	# Upgrade from pre-3.7: UsePAM needed to maintain standard	131	! grep -iq ^UsePAM /etc/ssh/sshd_config) \|\| \
98	# Debian configuration.	132	grep -Eiq '^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)' \
99	# Note that --compare-versions is sadly not reliable enough	133	/etc/ssh/sshd_config ; then
100	# here due to the package split of ssh into openssh-client	134	# Upgrade from pre-3.7: UsePAM needed to maintain standard
101	# and openssh-server. The extra grep for some deprecated	135	# Debian configuration.
102	# options should with any luck be a good enough heuristic.	136	# Note that --compare-versions is sadly not reliable enough
103	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'	137	# here due to the package split of ssh into openssh-client
104	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old	138	# and openssh-server. The extra grep for some deprecated
105	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \	139	# options should with any luck be a good enough heuristic.
106	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new	140	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
107	echo >> /etc/ssh/sshd_config.dpkg-new	141	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
108	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new	142	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \
109	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config	143	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
110	echo	144	echo >> /etc/ssh/sshd_config.dpkg-new
		145	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
		146	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
		147	echo
		148	fi
		149
		150	# An empty version means we're upgrading from before the
		151	# package split, so check.
		152	if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
		153	check_password_auth
		154	fi
		155
111	return 0	156	return 0
112	else return 0
113	fi	157	fi
114	fi	158	fi
115		159