1 files changed, 30 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 1d26a7b55..b7ea210c4 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -183,6 +183,35 @@ create_keys() {
 }
+vulnerable_host_keys() {
+        # If the admin has explicitly put the vulnerable keys back, we
+        # assume they can look after themselves.
+        db_fget ssh/vulnerable_host_keys seen
+        if [ "$RET" = true ]; then
+                return 0
+        fi
+        hostkeys="$(host_keys_required)"
+        vulnerable=
+        for hostkey in $hostkeys; do
+                [ -f "$hostkey" ] || continue
+                if ssh-vulnkey -q "$hostkey"; then
+                        vulnerable="${vulnerable:+$vulnerable }$hostkey"
+                fi
+        done
+        if [ "$vulnerable" ]; then
+                db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
+                db_input critical ssh/vulnerable_host_keys || true
+                db_go
+                for hostkey in $vulnerable; do
+                        mv "$hostkey" "$hostkey.broken" || true
+                        mv "$hostkey.pub" "$hostkey.pub.broken" || true
+                done
+                create_keys
+        fi
+}
 check_password_auth() {
        passwordauth="$(get_config_option PasswordAuthentication)"
        crauth="$(get_config_option ChallengeResponseAuthentication)"
@@ -422,6 +451,7 @@ fix_doc_symlink
 create_sshdconfig
 check_idea_key
 create_keys
+vulnerable_host_keys
 fix_statoverride
 if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
    fix_sshd_shell

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 1d26a7b55..b7ea210c4 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst
@@ -183,6 +183,35 @@ create_keys() {
183	}	183	}
184		184
185		185
		186	vulnerable_host_keys() {
		187	# If the admin has explicitly put the vulnerable keys back, we
		188	# assume they can look after themselves.
		189	db_fget ssh/vulnerable_host_keys seen
		190	if [ "$RET" = true ]; then
		191	return 0
		192	fi
		193
		194	hostkeys="$(host_keys_required)"
		195	vulnerable=
		196	for hostkey in $hostkeys; do
		197	[ -f "$hostkey" ] \|\| continue
		198	if ssh-vulnkey -q "$hostkey"; then
		199	vulnerable="${vulnerable:+$vulnerable }$hostkey"
		200	fi
		201	done
		202	if [ "$vulnerable" ]; then
		203	db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
		204	db_input critical ssh/vulnerable_host_keys \|\| true
		205	db_go
		206	for hostkey in $vulnerable; do
		207	mv "$hostkey" "$hostkey.broken" \|\| true
		208	mv "$hostkey.pub" "$hostkey.pub.broken" \|\| true
		209	done
		210	create_keys
		211	fi
		212	}
		213
		214
186	check_password_auth() {	215	check_password_auth() {
187	passwordauth="$(get_config_option PasswordAuthentication)"	216	passwordauth="$(get_config_option PasswordAuthentication)"
188	crauth="$(get_config_option ChallengeResponseAuthentication)"	217	crauth="$(get_config_option ChallengeResponseAuthentication)"
@@ -422,6 +451,7 @@ fix_doc_symlink
422	create_sshdconfig	451	create_sshdconfig
423	check_idea_key	452	check_idea_key
424	create_keys	453	create_keys
		454	vulnerable_host_keys
425	fix_statoverride	455	fix_statoverride
426	if dpkg --compare-versions "$2" lt 1:4.3p2-3; then	456	if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
427	fix_sshd_shell	457	fix_sshd_shell