diff options
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 307 |
1 files changed, 307 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..54dbe13a2 --- /dev/null +++ b/debian/openssh-server.postinst | |||
@@ -0,0 +1,307 @@ | |||
1 | #!/bin/sh | ||
2 | set -e | ||
3 | |||
4 | action="$1" | ||
5 | oldversion="$2" | ||
6 | |||
7 | umask 022 | ||
8 | |||
9 | |||
10 | get_config_option() { | ||
11 | option="$1" | ||
12 | |||
13 | [ -f /etc/ssh/sshd_config ] || return | ||
14 | |||
15 | # TODO: actually only one '=' allowed after option | ||
16 | perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \ | ||
17 | /etc/ssh/sshd_config | ||
18 | } | ||
19 | |||
20 | |||
21 | set_config_option() { | ||
22 | option="$1" | ||
23 | value="$2" | ||
24 | |||
25 | perl -le ' | ||
26 | $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; | ||
27 | while (<STDIN>) { | ||
28 | chomp; | ||
29 | (my $match = $_) =~ s/\s+/ /g; | ||
30 | if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) { | ||
31 | $_ = $match; | ||
32 | $done = 1; | ||
33 | } | ||
34 | print; | ||
35 | } | ||
36 | print "$option $value" unless $done;' \ | ||
37 | "$option" "$value" \ | ||
38 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
39 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
40 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
41 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
42 | } | ||
43 | |||
44 | |||
45 | rename_config_option() { | ||
46 | oldoption="$1" | ||
47 | newoption="$2" | ||
48 | |||
49 | value="$(get_config_option "$oldoption")" | ||
50 | [ "$value" ] || return 0 | ||
51 | |||
52 | perl -le ' | ||
53 | $oldoption = $ARGV[0]; $newoption = $ARGV[1]; | ||
54 | while (<STDIN>) { | ||
55 | chomp; | ||
56 | (my $match = $_) =~ s/\s+/ /g; | ||
57 | # TODO: actually only one "=" allowed after option | ||
58 | if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) { | ||
59 | $_ = $match; | ||
60 | } | ||
61 | print; | ||
62 | }' \ | ||
63 | "$oldoption" "$newoption" \ | ||
64 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
65 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
66 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
67 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
68 | } | ||
69 | |||
70 | |||
71 | host_keys_required() { | ||
72 | hostkeys="$(get_config_option HostKey)" | ||
73 | if [ "$hostkeys" ]; then | ||
74 | echo "$hostkeys" | ||
75 | else | ||
76 | # No HostKey directives at all, so the server picks some | ||
77 | # defaults depending on the setting of Protocol. | ||
78 | protocol="$(get_config_option Protocol)" | ||
79 | [ "$protocol" ] || protocol=1,2 | ||
80 | if echo "$protocol" | grep 1 >/dev/null; then | ||
81 | echo /etc/ssh/ssh_host_key | ||
82 | fi | ||
83 | if echo "$protocol" | grep 2 >/dev/null; then | ||
84 | echo /etc/ssh/ssh_host_rsa_key | ||
85 | echo /etc/ssh/ssh_host_dsa_key | ||
86 | echo /etc/ssh/ssh_host_ecdsa_key | ||
87 | fi | ||
88 | fi | ||
89 | } | ||
90 | |||
91 | |||
92 | create_key() { | ||
93 | msg="$1" | ||
94 | shift | ||
95 | hostkeys="$1" | ||
96 | shift | ||
97 | file="$1" | ||
98 | shift | ||
99 | |||
100 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
101 | [ ! -f "$file" ] ; then | ||
102 | echo -n $msg | ||
103 | ssh-keygen -q -f "$file" -N '' "$@" | ||
104 | echo | ||
105 | if which restorecon >/dev/null 2>&1; then | ||
106 | restorecon "$file" "$file.pub" | ||
107 | fi | ||
108 | fi | ||
109 | } | ||
110 | |||
111 | |||
112 | create_keys() { | ||
113 | hostkeys="$(host_keys_required)" | ||
114 | |||
115 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
116 | "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | ||
117 | |||
118 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
119 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
120 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
121 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
122 | create_key "Creating SSH2 ECDSA key; this may take some time ..." \ | ||
123 | "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa | ||
124 | } | ||
125 | |||
126 | |||
127 | fix_loglevel_silent() { | ||
128 | if [ "$(get_config_option LogLevel)" = SILENT ]; then | ||
129 | set_config_option LogLevel QUIET | ||
130 | fi | ||
131 | } | ||
132 | |||
133 | |||
134 | update_server_key_bits() { | ||
135 | if [ "$(get_config_option ServerKeyBits)" = 768 ]; then | ||
136 | set_config_option ServerKeyBits 1024 | ||
137 | fi | ||
138 | } | ||
139 | |||
140 | |||
141 | create_sshdconfig() { | ||
142 | if [ -e /etc/ssh/sshd_config ] ; then | ||
143 | # Upgrade an existing sshd configuration. | ||
144 | |||
145 | # This option was renamed in 3.8p1, but we never took care | ||
146 | # of adjusting the configuration file until now. | ||
147 | if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then | ||
148 | rename_config_option KeepAlive TCPKeepAlive | ||
149 | fi | ||
150 | |||
151 | # 'LogLevel SILENT' is now equivalent to QUIET. | ||
152 | if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then | ||
153 | fix_loglevel_silent | ||
154 | fi | ||
155 | |||
156 | # Changed upstream in 5.1p1, but we forgot to update the | ||
157 | # package-generated configuration file until now. | ||
158 | if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then | ||
159 | update_server_key_bits | ||
160 | fi | ||
161 | |||
162 | return 0 | ||
163 | fi | ||
164 | |||
165 | cat <<EOF > /etc/ssh/sshd_config | ||
166 | # Package generated configuration file | ||
167 | # See the sshd_config(5) manpage for details | ||
168 | |||
169 | # What ports, IPs and protocols we listen for | ||
170 | Port 22 | ||
171 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
172 | #ListenAddress :: | ||
173 | #ListenAddress 0.0.0.0 | ||
174 | Protocol 2 | ||
175 | # HostKeys for protocol version 2 | ||
176 | HostKey /etc/ssh/ssh_host_rsa_key | ||
177 | HostKey /etc/ssh/ssh_host_dsa_key | ||
178 | HostKey /etc/ssh/ssh_host_ecdsa_key | ||
179 | #Privilege Separation is turned on for security | ||
180 | UsePrivilegeSeparation yes | ||
181 | |||
182 | # Lifetime and size of ephemeral version 1 server key | ||
183 | KeyRegenerationInterval 3600 | ||
184 | ServerKeyBits 1024 | ||
185 | |||
186 | # Logging | ||
187 | SyslogFacility AUTH | ||
188 | LogLevel INFO | ||
189 | |||
190 | # Authentication: | ||
191 | LoginGraceTime 120 | ||
192 | PermitRootLogin yes | ||
193 | StrictModes yes | ||
194 | |||
195 | RSAAuthentication yes | ||
196 | PubkeyAuthentication yes | ||
197 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
198 | |||
199 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
200 | IgnoreRhosts yes | ||
201 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
202 | RhostsRSAAuthentication no | ||
203 | # similar for protocol version 2 | ||
204 | HostbasedAuthentication no | ||
205 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
206 | #IgnoreUserKnownHosts yes | ||
207 | |||
208 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
209 | PermitEmptyPasswords no | ||
210 | |||
211 | # Change to yes to enable challenge-response passwords (beware issues with | ||
212 | # some PAM modules and threads) | ||
213 | ChallengeResponseAuthentication no | ||
214 | |||
215 | # Change to no to disable tunnelled clear text passwords | ||
216 | #PasswordAuthentication yes | ||
217 | |||
218 | # Kerberos options | ||
219 | #KerberosAuthentication no | ||
220 | #KerberosGetAFSToken no | ||
221 | #KerberosOrLocalPasswd yes | ||
222 | #KerberosTicketCleanup yes | ||
223 | |||
224 | # GSSAPI options | ||
225 | #GSSAPIAuthentication no | ||
226 | #GSSAPICleanupCredentials yes | ||
227 | |||
228 | X11Forwarding yes | ||
229 | X11DisplayOffset 10 | ||
230 | PrintMotd no | ||
231 | PrintLastLog yes | ||
232 | TCPKeepAlive yes | ||
233 | #UseLogin no | ||
234 | |||
235 | #MaxStartups 10:30:60 | ||
236 | #Banner /etc/issue.net | ||
237 | |||
238 | # Allow client to pass locale environment variables | ||
239 | AcceptEnv LANG LC_* | ||
240 | |||
241 | Subsystem sftp /usr/lib/openssh/sftp-server | ||
242 | |||
243 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
244 | # and session processing. If this is enabled, PAM authentication will | ||
245 | # be allowed through the ChallengeResponseAuthentication and | ||
246 | # PasswordAuthentication. Depending on your PAM configuration, | ||
247 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
248 | # the setting of "PermitRootLogin without-password". | ||
249 | # If you just want the PAM account and session checks to run without | ||
250 | # PAM authentication, then enable this but set PasswordAuthentication | ||
251 | # and ChallengeResponseAuthentication to 'no'. | ||
252 | UsePAM yes | ||
253 | EOF | ||
254 | } | ||
255 | |||
256 | fix_statoverride() { | ||
257 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
258 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
259 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
260 | dpkg-statoverride --remove /usr/sbin/sshd | ||
261 | fi | ||
262 | fi | ||
263 | } | ||
264 | |||
265 | setup_sshd_user() { | ||
266 | if ! getent passwd sshd >/dev/null; then | ||
267 | adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd | ||
268 | fi | ||
269 | } | ||
270 | |||
271 | remove_old_init_links() { | ||
272 | # Yes, this only works with the SysV init script layout. I know. | ||
273 | # The important thing is that it doesn't actually *break* with | ||
274 | # file-rc ... | ||
275 | if [ -e /etc/rc2.d/S20ssh ]; then | ||
276 | update-rc.d -f ssh remove >/dev/null 2>&1 | ||
277 | fi | ||
278 | rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh | ||
279 | } | ||
280 | |||
281 | if [ "$action" = configure ]; then | ||
282 | create_sshdconfig | ||
283 | create_keys | ||
284 | fix_statoverride | ||
285 | setup_sshd_user | ||
286 | if dpkg --compare-versions "$2" lt 1:5.2p1-1; then | ||
287 | remove_old_init_links | ||
288 | fi | ||
289 | # Renamed to /etc/ssh/moduli in 2.9.9 (!) | ||
290 | if dpkg --compare-versions "$2" lt 1:4.7p1-1; then | ||
291 | rm -f /etc/ssh/primes | ||
292 | fi | ||
293 | if dpkg --compare-versions "$2" lt 1:5.5p1-6; then | ||
294 | rm -f /var/run/sshd/.placeholder | ||
295 | fi | ||
296 | if dpkg --compare-versions "$2" lt 1:6.2p2-3 && \ | ||
297 | which initctl >/dev/null && initctl version | grep -q upstart && \ | ||
298 | ! status ssh 2>/dev/null | grep -q ' start/'; then | ||
299 | # We must stop the sysvinit-controlled sshd before we can | ||
300 | # restart it under Upstart. | ||
301 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true | ||
302 | fi | ||
303 | fi | ||
304 | |||
305 | #DEBHELPER# | ||
306 | |||
307 | exit 0 | ||