diff options
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 255 |
1 files changed, 255 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..64f9985a8 --- /dev/null +++ b/debian/openssh-server.postinst | |||
@@ -0,0 +1,255 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | . /usr/share/debconf/confmodule | ||
7 | db_version 2.0 | ||
8 | |||
9 | umask 022 | ||
10 | |||
11 | if [ "$action" != configure ] | ||
12 | then | ||
13 | exit 0 | ||
14 | fi | ||
15 | |||
16 | |||
17 | check_idea_key() { | ||
18 | #check for old host_key files using IDEA, which openssh does not support | ||
19 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
20 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
21 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
22 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
23 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
24 | fi | ||
25 | fi | ||
26 | } | ||
27 | |||
28 | |||
29 | get_config_option() { | ||
30 | option="$1" | ||
31 | |||
32 | # TODO: actually only one '=' allowed after option | ||
33 | perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | ||
34 | /etc/ssh/sshd_config | ||
35 | } | ||
36 | |||
37 | |||
38 | host_keys_required() { | ||
39 | hostkeys="$(get_config_option HostKey)" | ||
40 | if [ "$hostkeys" ]; then | ||
41 | echo "$hostkeys" | ||
42 | else | ||
43 | # No HostKey directives at all, so the server picks some | ||
44 | # defaults depending on the setting of Protocol. | ||
45 | protocol="$(get_config_option Protocol)" | ||
46 | [ "$protocol" ] || protocol=1,2 | ||
47 | if echo "$protocol" | grep 1 >/dev/null; then | ||
48 | echo /etc/ssh/ssh_host_key | ||
49 | fi | ||
50 | if echo "$protocol" | grep 2 >/dev/null; then | ||
51 | echo /etc/ssh/ssh_host_rsa_key | ||
52 | echo /etc/ssh/ssh_host_dsa_key | ||
53 | fi | ||
54 | fi | ||
55 | } | ||
56 | |||
57 | |||
58 | create_key() { | ||
59 | msg="$1" | ||
60 | shift | ||
61 | hostkeys="$1" | ||
62 | shift | ||
63 | file="$1" | ||
64 | shift | ||
65 | |||
66 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
67 | [ ! -f "$file" ] ; then | ||
68 | echo -n $msg | ||
69 | ssh-keygen -q -f "$file" -N '' "$@" | ||
70 | echo | ||
71 | fi | ||
72 | } | ||
73 | |||
74 | |||
75 | create_keys() { | ||
76 | hostkeys="$(host_keys_required)" | ||
77 | |||
78 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
79 | "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | ||
80 | |||
81 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
82 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
83 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
84 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
85 | } | ||
86 | |||
87 | |||
88 | create_sshdconfig() { | ||
89 | if [ -e /etc/ssh/sshd_config ] ; then | ||
90 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | ||
91 | db_get ssh/new_config | ||
92 | if [ "$RET" = "false" ] ; then return 0; fi | ||
93 | elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ | ||
94 | ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then | ||
95 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
96 | # Debian configuration. | ||
97 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' | ||
98 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
99 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
100 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
101 | echo >> /etc/ssh/sshd_config.dpkg-new | ||
102 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
103 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
104 | echo | ||
105 | return 0 | ||
106 | else return 0 | ||
107 | fi | ||
108 | fi | ||
109 | |||
110 | #Preserve old sshd_config before generating a new one | ||
111 | if [ -e /etc/ssh/sshd_config ] ; then | ||
112 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
113 | fi | ||
114 | |||
115 | cat <<EOF > /etc/ssh/sshd_config | ||
116 | # Package generated configuration file | ||
117 | # See the sshd(8) manpage for details | ||
118 | |||
119 | # What ports, IPs and protocols we listen for | ||
120 | Port 22 | ||
121 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
122 | #ListenAddress :: | ||
123 | #ListenAddress 0.0.0.0 | ||
124 | EOF | ||
125 | db_get ssh/protocol2_only | ||
126 | if [ "$RET" = "false" ]; then | ||
127 | cat <<EOF >> /etc/ssh/sshd_config | ||
128 | Protocol 2,1 | ||
129 | # HostKeys for protocol version 1 | ||
130 | HostKey /etc/ssh/ssh_host_key | ||
131 | # HostKeys for protocol version 2 | ||
132 | HostKey /etc/ssh/ssh_host_rsa_key | ||
133 | HostKey /etc/ssh/ssh_host_dsa_key | ||
134 | EOF | ||
135 | else | ||
136 | cat <<EOF >> /etc/ssh/sshd_config | ||
137 | Protocol 2 | ||
138 | # HostKeys for protocol version 2 | ||
139 | HostKey /etc/ssh/ssh_host_rsa_key | ||
140 | HostKey /etc/ssh/ssh_host_dsa_key | ||
141 | EOF | ||
142 | fi | ||
143 | |||
144 | cat <<EOF >> /etc/ssh/sshd_config | ||
145 | #Privilege Separation is turned on for security | ||
146 | UsePrivilegeSeparation yes | ||
147 | |||
148 | # Lifetime and size of ephemeral version 1 server key | ||
149 | KeyRegenerationInterval 3600 | ||
150 | ServerKeyBits 768 | ||
151 | |||
152 | # Logging | ||
153 | SyslogFacility AUTH | ||
154 | LogLevel INFO | ||
155 | |||
156 | # Authentication: | ||
157 | LoginGraceTime 600 | ||
158 | PermitRootLogin yes | ||
159 | StrictModes yes | ||
160 | |||
161 | RSAAuthentication yes | ||
162 | PubkeyAuthentication yes | ||
163 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
164 | |||
165 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
166 | IgnoreRhosts yes | ||
167 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
168 | RhostsRSAAuthentication no | ||
169 | # similar for protocol version 2 | ||
170 | HostbasedAuthentication no | ||
171 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
172 | #IgnoreUserKnownHosts yes | ||
173 | |||
174 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
175 | PermitEmptyPasswords no | ||
176 | |||
177 | # Change to no to disable s/key passwords | ||
178 | #ChallengeResponseAuthentication yes | ||
179 | |||
180 | # Change to yes to enable tunnelled clear text passwords | ||
181 | PasswordAuthentication no | ||
182 | |||
183 | |||
184 | # To change Kerberos options | ||
185 | #KerberosAuthentication no | ||
186 | #KerberosOrLocalPasswd yes | ||
187 | #AFSTokenPassing no | ||
188 | #KerberosTicketCleanup no | ||
189 | |||
190 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
191 | #KerberosTgtPassing yes | ||
192 | |||
193 | X11Forwarding no | ||
194 | X11DisplayOffset 10 | ||
195 | PrintMotd no | ||
196 | PrintLastLog yes | ||
197 | KeepAlive yes | ||
198 | #UseLogin no | ||
199 | |||
200 | #MaxStartups 10:30:60 | ||
201 | #Banner /etc/issue.net | ||
202 | |||
203 | Subsystem sftp /usr/lib/sftp-server | ||
204 | |||
205 | UsePAM yes | ||
206 | EOF | ||
207 | } | ||
208 | |||
209 | fix_statoverride() { | ||
210 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
211 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
212 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
213 | dpkg-statoverride --remove /usr/sbin/sshd | ||
214 | fi | ||
215 | fi | ||
216 | } | ||
217 | |||
218 | setup_sshd_user() { | ||
219 | if ! getent passwd sshd >/dev/null; then | ||
220 | adduser --quiet --system --no-create-home --home /var/run/sshd sshd | ||
221 | fi | ||
222 | } | ||
223 | |||
224 | fix_conffile_permissions() { | ||
225 | # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg | ||
226 | # doesn't do this for us; see bug #192981. | ||
227 | chmod 644 /etc/default/ssh | ||
228 | } | ||
229 | |||
230 | setup_init() { | ||
231 | if [ -x /etc/init.d/ssh ]; then | ||
232 | update-rc.d ssh defaults >/dev/null | ||
233 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
234 | invoke-rc.d ssh restart | ||
235 | else | ||
236 | /etc/init.d/ssh restart | ||
237 | fi | ||
238 | fi | ||
239 | } | ||
240 | |||
241 | |||
242 | create_sshdconfig | ||
243 | check_idea_key | ||
244 | create_keys | ||
245 | fix_statoverride | ||
246 | setup_sshd_user | ||
247 | if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then | ||
248 | fix_conffile_permissions | ||
249 | fi | ||
250 | setup_init | ||
251 | |||
252 | |||
253 | db_stop | ||
254 | |||
255 | exit 0 | ||