1 files changed, 166 insertions, 0 deletions

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..f45f5851c
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,166 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+action="$1"
+
+umask 022
+
+
+get_config_option() {
+        option="$1"
+
+        [ -f /etc/ssh/sshd_config ] || return
+
+        # TODO: actually only one '=' allowed after option
+        perl -lne '
+                s/[[:space:]]+/ /g; s/[[:space:]]+$//;
+                print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults.
+                echo /etc/ssh/ssh_host_rsa_key
+                echo /etc/ssh/ssh_host_ecdsa_key
+                echo /etc/ssh/ssh_host_ed25519_key
+        fi
+}
+
+
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                printf %s "$msg"
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if which restorecon >/dev/null 2>&1; then
+                        restorecon "$file" "$file.pub"
+                fi
+                ssh-keygen -l -f "$file.pub"
+        fi
+}
+
+
+create_keys() {
+        hostkeys="$(host_keys_required)"
+
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+        create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+
+
+new_config=
+
+cleanup() {
+        if [ "$new_config" ]; then
+                rm -f "$new_config"
+        fi
+}
+
+
+create_sshdconfig() {
+        # XXX cjwatson 2016-12-24: This debconf template is very confusingly
+        # named; its description is "Disable SSH password authentication for
+        # root?", so true -> prohibit-password (the upstream default),
+        # false -> yes.
+        db_get openssh-server/permit-root-login
+        permit_root_login="$RET"
+        db_get openssh-server/password-authentication
+        password_authentication="$RET"
+
+        trap cleanup EXIT
+        new_config="$(mktemp)"
+        cp -a /usr/share/openssh/sshd_config "$new_config"
+        if [ "$permit_root_login" != true ]; then
+                sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+                        "$new_config"
+        fi
+        if [ "$password_authentication" != true ]; then
+                sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+                        "$new_config"
+        fi
+        mkdir -p /etc/ssh
+        ucf --three-way --debconf-ok \
+                --sum-file /usr/share/openssh/sshd_config.md5sum \
+                "$new_config" /etc/ssh/sshd_config
+        ucfr openssh-server /etc/ssh/sshd_config
+}
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
+                dpkg-statoverride --remove /usr/sbin/sshd
+        fi
+}
+
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+
+if [ "$action" = configure ]; then
+        create_sshdconfig
+        create_keys
+        fix_statoverride
+        setup_sshd_user
+        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+        if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
+            rm -f /etc/ssh/primes
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
+            rm -f /run/sshd/.placeholder
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
+           deb-systemd-helper debian-installed ssh.socket && \
+           deb-systemd-helper --quiet was-enabled ssh.service && \
+           deb-systemd-helper --quiet was-enabled ssh.socket; then
+            # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
+            # enabled.
+            deb-systemd-helper disable ssh.socket >/dev/null || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
+           [ -d /run/systemd/system ]; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under systemd.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
+           [ -f /etc/ssh/moduli.dpkg-bak ]; then
+            # Handle /etc/ssh/moduli being moved from openssh-client to
+            # openssh-server.  If there were no user modifications, then we
+            # don't need to do anything special here; but if there were,
+            # then the dpkg-maintscript-helper calls from openssh-client's
+            # maintainer scripts will have saved the old file as .dpkg-bak,
+            # which we now move back into place.
+            mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
+        fi
+fi
+
+#DEBHELPER#
+
+db_stop
+
+exit 0