diff options
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 315 |
1 files changed, 315 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..ff61c4f1b --- /dev/null +++ b/debian/openssh-server.postinst | |||
@@ -0,0 +1,315 @@ | |||
1 | #!/bin/sh | ||
2 | set -e | ||
3 | |||
4 | . /usr/share/debconf/confmodule | ||
5 | db_version 2.0 | ||
6 | |||
7 | action="$1" | ||
8 | oldversion="$2" | ||
9 | |||
10 | umask 022 | ||
11 | |||
12 | |||
13 | get_config_option() { | ||
14 | option="$1" | ||
15 | |||
16 | [ -f /etc/ssh/sshd_config ] || return | ||
17 | |||
18 | # TODO: actually only one '=' allowed after option | ||
19 | perl -lne ' | ||
20 | s/[[:space:]]+/ /g; s/[[:space:]]+$//; | ||
21 | print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | ||
22 | /etc/ssh/sshd_config | ||
23 | } | ||
24 | |||
25 | |||
26 | set_config_option() { | ||
27 | option="$1" | ||
28 | value="$2" | ||
29 | |||
30 | perl -le ' | ||
31 | $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; | ||
32 | while (<STDIN>) { | ||
33 | chomp; | ||
34 | (my $match = $_) =~ s/\s+/ /g; | ||
35 | if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) { | ||
36 | $_ = $match; | ||
37 | $done = 1; | ||
38 | } | ||
39 | print; | ||
40 | } | ||
41 | print "$option $value" unless $done;' \ | ||
42 | "$option" "$value" \ | ||
43 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
44 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
45 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
46 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
47 | } | ||
48 | |||
49 | |||
50 | rename_config_option() { | ||
51 | oldoption="$1" | ||
52 | newoption="$2" | ||
53 | |||
54 | value="$(get_config_option "$oldoption")" | ||
55 | [ "$value" ] || return 0 | ||
56 | |||
57 | perl -le ' | ||
58 | $oldoption = $ARGV[0]; $newoption = $ARGV[1]; | ||
59 | while (<STDIN>) { | ||
60 | chomp; | ||
61 | (my $match = $_) =~ s/\s+/ /g; | ||
62 | # TODO: actually only one "=" allowed after option | ||
63 | if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) { | ||
64 | $_ = $match; | ||
65 | } | ||
66 | print; | ||
67 | }' \ | ||
68 | "$oldoption" "$newoption" \ | ||
69 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
70 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
71 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
72 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
73 | } | ||
74 | |||
75 | |||
76 | host_keys_required() { | ||
77 | hostkeys="$(get_config_option HostKey)" | ||
78 | if [ "$hostkeys" ]; then | ||
79 | echo "$hostkeys" | ||
80 | else | ||
81 | # No HostKey directives at all, so the server picks some | ||
82 | # defaults. | ||
83 | echo /etc/ssh/ssh_host_rsa_key | ||
84 | echo /etc/ssh/ssh_host_ecdsa_key | ||
85 | echo /etc/ssh/ssh_host_ed25519_key | ||
86 | fi | ||
87 | } | ||
88 | |||
89 | |||
90 | create_key() { | ||
91 | msg="$1" | ||
92 | shift | ||
93 | hostkeys="$1" | ||
94 | shift | ||
95 | file="$1" | ||
96 | shift | ||
97 | |||
98 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
99 | [ ! -f "$file" ] ; then | ||
100 | echo -n $msg | ||
101 | ssh-keygen -q -f "$file" -N '' "$@" | ||
102 | echo | ||
103 | if which restorecon >/dev/null 2>&1; then | ||
104 | restorecon "$file" "$file.pub" | ||
105 | fi | ||
106 | ssh-keygen -l -f "$file.pub" | ||
107 | fi | ||
108 | } | ||
109 | |||
110 | |||
111 | create_keys() { | ||
112 | hostkeys="$(host_keys_required)" | ||
113 | |||
114 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
115 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
116 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
117 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
118 | create_key "Creating SSH2 ECDSA key; this may take some time ..." \ | ||
119 | "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa | ||
120 | create_key "Creating SSH2 ED25519 key; this may take some time ..." \ | ||
121 | "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 | ||
122 | } | ||
123 | |||
124 | |||
125 | fix_loglevel_silent() { | ||
126 | if [ "$(get_config_option LogLevel)" = SILENT ]; then | ||
127 | set_config_option LogLevel QUIET | ||
128 | fi | ||
129 | } | ||
130 | |||
131 | |||
132 | update_server_key_bits() { | ||
133 | if [ "$(get_config_option ServerKeyBits)" = 768 ]; then | ||
134 | set_config_option ServerKeyBits 1024 | ||
135 | fi | ||
136 | } | ||
137 | |||
138 | |||
139 | create_sshdconfig() { | ||
140 | if [ -e /etc/ssh/sshd_config ] ; then | ||
141 | # Upgrade an existing sshd configuration. | ||
142 | |||
143 | # This option was renamed in 3.8p1, but we never took care | ||
144 | # of adjusting the configuration file until now. | ||
145 | if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then | ||
146 | rename_config_option KeepAlive TCPKeepAlive | ||
147 | fi | ||
148 | |||
149 | # 'LogLevel SILENT' is now equivalent to QUIET. | ||
150 | if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then | ||
151 | fix_loglevel_silent | ||
152 | fi | ||
153 | |||
154 | # Changed upstream in 5.1p1, but we forgot to update the | ||
155 | # package-generated configuration file until now. | ||
156 | if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then | ||
157 | update_server_key_bits | ||
158 | fi | ||
159 | |||
160 | return 0 | ||
161 | fi | ||
162 | |||
163 | cat <<EOF > /etc/ssh/sshd_config | ||
164 | # Package generated configuration file | ||
165 | # See the sshd_config(5) manpage for details | ||
166 | |||
167 | # What ports, IPs and protocols we listen for | ||
168 | Port 22 | ||
169 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
170 | #ListenAddress :: | ||
171 | #ListenAddress 0.0.0.0 | ||
172 | Protocol 2 | ||
173 | # HostKeys for protocol version 2 | ||
174 | HostKey /etc/ssh/ssh_host_rsa_key | ||
175 | HostKey /etc/ssh/ssh_host_ecdsa_key | ||
176 | HostKey /etc/ssh/ssh_host_ed25519_key | ||
177 | #Privilege Separation is turned on for security | ||
178 | UsePrivilegeSeparation yes | ||
179 | |||
180 | # Lifetime and size of ephemeral version 1 server key | ||
181 | KeyRegenerationInterval 3600 | ||
182 | ServerKeyBits 1024 | ||
183 | |||
184 | # Logging | ||
185 | SyslogFacility AUTH | ||
186 | LogLevel INFO | ||
187 | |||
188 | # Authentication: | ||
189 | LoginGraceTime 120 | ||
190 | PermitRootLogin prohibit-password | ||
191 | StrictModes yes | ||
192 | |||
193 | RSAAuthentication yes | ||
194 | PubkeyAuthentication yes | ||
195 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
196 | |||
197 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
198 | IgnoreRhosts yes | ||
199 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
200 | RhostsRSAAuthentication no | ||
201 | # similar for protocol version 2 | ||
202 | HostbasedAuthentication no | ||
203 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
204 | #IgnoreUserKnownHosts yes | ||
205 | |||
206 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
207 | PermitEmptyPasswords no | ||
208 | |||
209 | # Change to yes to enable challenge-response passwords (beware issues with | ||
210 | # some PAM modules and threads) | ||
211 | ChallengeResponseAuthentication no | ||
212 | |||
213 | # Change to no to disable tunnelled clear text passwords | ||
214 | #PasswordAuthentication yes | ||
215 | |||
216 | # Kerberos options | ||
217 | #KerberosAuthentication no | ||
218 | #KerberosGetAFSToken no | ||
219 | #KerberosOrLocalPasswd yes | ||
220 | #KerberosTicketCleanup yes | ||
221 | |||
222 | # GSSAPI options | ||
223 | #GSSAPIAuthentication no | ||
224 | #GSSAPICleanupCredentials yes | ||
225 | |||
226 | X11Forwarding yes | ||
227 | X11DisplayOffset 10 | ||
228 | PrintMotd no | ||
229 | PrintLastLog yes | ||
230 | TCPKeepAlive yes | ||
231 | #UseLogin no | ||
232 | |||
233 | #MaxStartups 10:30:60 | ||
234 | #Banner /etc/issue.net | ||
235 | |||
236 | # Allow client to pass locale environment variables | ||
237 | AcceptEnv LANG LC_* | ||
238 | |||
239 | Subsystem sftp /usr/lib/openssh/sftp-server | ||
240 | |||
241 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
242 | # and session processing. If this is enabled, PAM authentication will | ||
243 | # be allowed through the ChallengeResponseAuthentication and | ||
244 | # PasswordAuthentication. Depending on your PAM configuration, | ||
245 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
246 | # the setting of "PermitRootLogin without-password". | ||
247 | # If you just want the PAM account and session checks to run without | ||
248 | # PAM authentication, then enable this but set PasswordAuthentication | ||
249 | # and ChallengeResponseAuthentication to 'no'. | ||
250 | UsePAM yes | ||
251 | EOF | ||
252 | } | ||
253 | |||
254 | fix_statoverride() { | ||
255 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
256 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then | ||
257 | dpkg-statoverride --remove /usr/sbin/sshd | ||
258 | fi | ||
259 | } | ||
260 | |||
261 | setup_sshd_user() { | ||
262 | if ! getent passwd sshd >/dev/null; then | ||
263 | adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd | ||
264 | fi | ||
265 | } | ||
266 | |||
267 | if [ "$action" = configure ]; then | ||
268 | create_sshdconfig | ||
269 | create_keys | ||
270 | fix_statoverride | ||
271 | setup_sshd_user | ||
272 | # Renamed to /etc/ssh/moduli in 2.9.9 (!) | ||
273 | if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then | ||
274 | rm -f /etc/ssh/primes | ||
275 | fi | ||
276 | if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then | ||
277 | rm -f /var/run/sshd/.placeholder | ||
278 | fi | ||
279 | if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \ | ||
280 | which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \ | ||
281 | ! status ssh 2>/dev/null | grep -q ' start/'; then | ||
282 | # We must stop the sysvinit-controlled sshd before we can | ||
283 | # restart it under Upstart. | ||
284 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true | ||
285 | fi | ||
286 | if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \ | ||
287 | deb-systemd-helper debian-installed ssh.socket && \ | ||
288 | deb-systemd-helper --quiet was-enabled ssh.service && \ | ||
289 | deb-systemd-helper --quiet was-enabled ssh.socket; then | ||
290 | # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket | ||
291 | # enabled. | ||
292 | deb-systemd-helper disable ssh.socket >/dev/null || true | ||
293 | fi | ||
294 | if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \ | ||
295 | [ -d /run/systemd/system ]; then | ||
296 | # We must stop the sysvinit-controlled sshd before we can | ||
297 | # restart it under systemd. | ||
298 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true | ||
299 | fi | ||
300 | if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \ | ||
301 | [ "$(get_config_option PermitRootLogin)" = yes ] && | ||
302 | db_get openssh-server/permit-root-login && [ "$RET" = true ]; then | ||
303 | set_config_option PermitRootLogin prohibit-password | ||
304 | fi | ||
305 | if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \ | ||
306 | [ "$(get_config_option PermitRootLogin)" = without-password ]; then | ||
307 | set_config_option PermitRootLogin prohibit-password | ||
308 | fi | ||
309 | fi | ||
310 | |||
311 | #DEBHELPER# | ||
312 | |||
313 | db_stop | ||
314 | |||
315 | exit 0 | ||