path: root/debian/openssh-server.postinst
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r--debian/openssh-server.postinst307
1 files changed, 307 insertions, 0 deletions
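--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,307 @@
+#!/bin/sh
+set -e
+
+action="$1"
+oldversion="$2"
+
+umask 022
+
+
+get_config_option() {
+ option="$1"
+
+ [ -f /etc/ssh/sshd_config ] || return
+
+ # TODO: actually only one '=' allowed after option
+ perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
+ /etc/ssh/sshd_config
+}
+
+
+set_config_option() {
+ option="$1"
+ value="$2"
+
+ perl -le '
+ $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+ $_ = $match;
+ $done = 1;
+ }
+ print;
+ }
+ print "$option $value" unless $done;' \
+ "$option" "$value" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+rename_config_option() {
+ oldoption="$1"
+ newoption="$2"
+
+ value="$(get_config_option "$oldoption")"
+ [ "$value" ] || return 0
+
+ perl -le '
+ $oldoption = $ARGV[0]; $newoption = $ARGV[1];
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ # TODO: actually only one "=" allowed after option
+ if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
+ $_ = $match;
+ }
+ print;
+ }' \
+ "$oldoption" "$newoption" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+ hostkeys="$(get_config_option HostKey)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
+ else
+ # No HostKey directives at all, so the server picks some
+ # defaults depending on the setting of Protocol.
+ protocol="$(get_config_option Protocol)"
+ [ "$protocol" ] || protocol=1,2
+ if echo "$protocol" | grep 1 >/dev/null; then
+ echo /etc/ssh/ssh_host_key
+ fi
+ if echo "$protocol" | grep 2 >/dev/null; then
+ echo /etc/ssh/ssh_host_rsa_key
+ echo /etc/ssh/ssh_host_dsa_key
+ echo /etc/ssh/ssh_host_ecdsa_key
+ fi
+ fi
+}
+
+
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ echo -n $msg
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if which restorecon >/dev/null 2>&1; then
+ restorecon "$file" "$file.pub"
+ fi
+ fi
+}
+
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating SSH1 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+
+ create_key "Creating SSH2 RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+ create_key "Creating SSH2 DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+ create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+}
+
+
+fix_loglevel_silent() {
+ if [ "$(get_config_option LogLevel)" = SILENT ]; then
+ set_config_option LogLevel QUIET
+ fi
+}
+
+
+update_server_key_bits() {
+ if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
+ set_config_option ServerKeyBits 1024
+ fi
+}
+
+
+create_sshdconfig() {
+ if [ -e /etc/ssh/sshd_config ] ; then
+ # Upgrade an existing sshd configuration.
+
+ # This option was renamed in 3.8p1, but we never took care
+ # of adjusting the configuration file until now.
+ if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+ rename_config_option KeepAlive TCPKeepAlive
+ fi
+
+ # 'LogLevel SILENT' is now equivalent to QUIET.
+ if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+ fix_loglevel_silent
+ fi
+
+ # Changed upstream in 5.1p1, but we forgot to update the
+ # package-generated configuration file until now.
+ if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
+ update_server_key_bits
+ fi
+
+ return 0
+ fi
+
+ cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+EOF
+}
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+ if [ -x /usr/sbin/dpkg-statoverride ]; then
+ if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+ dpkg-statoverride --remove /usr/sbin/sshd
+ fi
+ fi
+}
+
+setup_sshd_user() {
+ if ! getent passwd sshd >/dev/null; then
+ adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+ fi
+}
+
+remove_old_init_links() {
+ # Yes, this only works with the SysV init script layout. I know.
+ # The important thing is that it doesn't actually *break* with
+ # file-rc ...
+ if [ -e /etc/rc2.d/S20ssh ]; then
+ update-rc.d -f ssh remove >/dev/null 2>&1
+ fi
+ rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
+}
+
+if [ "$action" = configure ]; then
+ create_sshdconfig
+ create_keys
+ fix_statoverride
+ setup_sshd_user
+ if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
+ remove_old_init_links
+ fi
+ # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+ if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
+ rm -f /etc/ssh/primes
+ fi
+ if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
+ rm -f /var/run/sshd/.placeholder
+ fi
+ if dpkg --compare-versions "$2" lt 1:6.2p2-3 && \
+ which initctl >/dev/null && initctl version | grep -q upstart && \
+ ! status ssh 2>/dev/null | grep -q ' start/'; then
+ # We must stop the sysvinit-controlled sshd before we can
+ # restart it under Upstart.
+ start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0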
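Review bot: The package-generated sshd_config emitted by the heredoc in `create_sshdconfig` sets `PermitRootLogin yes` while leaving `#PasswordAuthentication yes` at its default, so a fresh install accepts root password logins from the network; the file's own UsePAM comment already refers to `PermitRootLogin without-password`, and that is the safer value to generate here: `PermitRootLogin without-password`. Only new installs are affected, because the upgrade branch returns before the heredoc is written. Separately, `get_config_option` matches the directive case-insensitively and accepts `Option=value`, but `set_config_option` rewrites only lines matching `^\s*\Q$option\E\s+`, so an existing `serverkeybits 768` or `ServerKeyBits=768` is detected by `update_server_key_bits` yet left in place and a second `ServerKeyBits 1024` line is appended after it; sshd_config(5) documents that the first obtained value wins, so the migration silently fails for such files. Making the substitution in `set_config_option` use `/i` and `[[:space:]=]+` like the lookup does, `if ($match =~ s/^\s*\Q$option\E[[:space:]=]+.*/$option $value/i) {`, would close that gap.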