1 files changed, 311 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..1da6cdfc5
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,311 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+. /usr/share/debconf/confmodule
+db_version 2.0
+umask 022
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+set_config_option() {
+        option="$1"
+        value="$2"
+        perl -e '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        if (s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "\n$option $value\n" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+check_password_auth() {
+        passwordauth="$(get_config_option PasswordAuthentication)"
+        crauth="$(get_config_option ChallengeResponseAuthentication)"
+        if [ "$passwordauth" = no ] && \
+           ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+                db_get ssh/disable_cr_auth
+                if [ "$RET" = true ]; then
+                        set_config_option ChallengeResponseAuthentication no
+                fi
+        fi
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+                db_get ssh/new_config
+                if [ "$RET" = "false" ] ; then return 0; fi
+            else
+                # Upgrade sshd configuration from a sane version.
+                if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+                    ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
+                   grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
+                     /etc/ssh/sshd_config ; then
+                    # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                    # Debian configuration.
+                    # Note that --compare-versions is sadly not reliable enough
+                    # here due to the package split of ssh into openssh-client
+                    # and openssh-server. The extra grep for some deprecated
+                    # options should with any luck be a good enough heuristic.
+                    echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+                    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                    perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                        /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                    echo >> /etc/ssh/sshd_config.dpkg-new
+                    echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                    chown --reference /etc/ssh/sshd_config \
+                                      /etc/ssh/sshd_config.dpkg-new
+                    chmod --reference /etc/ssh/sshd_config \
+                                      /etc/ssh/sshd_config.dpkg-new
+                    mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                    echo
+                fi
+                # An empty version means we're upgrading from before the
+                # package split, so check.
+                if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
+                    check_password_auth
+                fi
+                return 0
+            fi
+        fi
+        #Preserve old sshd_config before generating a new one
+        if [ -e /etc/ssh/sshd_config ] ; then 
+            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+        db_get ssh/protocol2_only
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+# Change to yes to enable tunnelled clear text passwords
+PasswordAuthentication no
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+Subsystem       sftp    /usr/lib/sftp-server
+UsePAM yes
+EOF
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+        fi
+}
+fix_conffile_permissions() {
+        # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
+        # doesn't do this for us; see bug #192981.
+        chmod 644 /etc/default/ssh
+}
+setup_init() {
+        if [ -x /etc/init.d/ssh ]; then
+                update-rc.d ssh defaults >/dev/null
+                if [ -x /usr/sbin/invoke-rc.d ]; then
+                        invoke-rc.d ssh restart
+                else
+                        /etc/init.d/ssh restart
+                fi
+        fi
+}
+create_sshdconfig
+check_idea_key
+create_keys
+fix_statoverride
+setup_sshd_user
+if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
+    fix_conffile_permissions
+fi
+setup_init
+db_stop
+exit 0

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..1da6cdfc5 --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,311 @@
	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11	if [ "$action" != configure ]
	12	then
	13	exit 0
	14	fi
	15
	16
	17	check_idea_key() {
	18	#check for old host_key files using IDEA, which openssh does not support
	19	if [ -f /etc/ssh/ssh_host_key ] ; then
	20	if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 \| \
	21	grep -q 'unknown cipher' 2>/dev/null ; then
	22	mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
	23	mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
	24	fi
	25	fi
	26	}
	27
	28
	29	get_config_option() {
	30	option="$1"
	31
	32	[ -f /etc/ssh/sshd_config ] \|\| return
	33
	34	# TODO: actually only one '=' allowed after option
	35	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	36	/etc/ssh/sshd_config
	37	}
	38
	39
	40	set_config_option() {
	41	option="$1"
	42	value="$2"
	43
	44	perl -e '
	45	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
	46	while (<STDIN>) {
	47	if (s/^\s\Q$option\E\s+./$option $value/) {
	48	$done = 1;
	49	}
	50	print;
	51	}
	52	print "\n$option $value\n" unless $done;' \
	53	"$option" "$value" \
	54	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	55	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	56	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	57	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	58	}
	59
	60
	61	host_keys_required() {
	62	hostkeys="$(get_config_option HostKey)"
	63	if [ "$hostkeys" ]; then
	64	echo "$hostkeys"
	65	else
	66	# No HostKey directives at all, so the server picks some
	67	# defaults depending on the setting of Protocol.
	68	protocol="$(get_config_option Protocol)"
	69	[ "$protocol" ] \|\| protocol=1,2
	70	if echo "$protocol" \| grep 1 >/dev/null; then
	71	echo /etc/ssh/ssh_host_key
	72	fi
	73	if echo "$protocol" \| grep 2 >/dev/null; then
	74	echo /etc/ssh/ssh_host_rsa_key
	75	echo /etc/ssh/ssh_host_dsa_key
	76	fi
	77	fi
	78	}
	79
	80
	81	create_key() {
	82	msg="$1"
	83	shift
	84	hostkeys="$1"
	85	shift
	86	file="$1"
	87	shift
	88
	89	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	90	[ ! -f "$file" ] ; then
	91	echo -n $msg
	92	ssh-keygen -q -f "$file" -N '' "$@"
	93	echo
	94	fi
	95	}
	96
	97
	98	create_keys() {
	99	hostkeys="$(host_keys_required)"
	100
	101	create_key "Creating SSH1 key; this may take some time ..." \
	102	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	103
	104	create_key "Creating SSH2 RSA key; this may take some time ..." \
	105	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	106	create_key "Creating SSH2 DSA key; this may take some time ..." \
	107	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	108	}
	109
	110
	111	check_password_auth() {
	112	passwordauth="$(get_config_option PasswordAuthentication)"
	113	crauth="$(get_config_option ChallengeResponseAuthentication)"
	114	if [ "$passwordauth" = no ] && \
	115	([ -z "$crauth" ] \|\| [ "$crauth" = yes ]); then
	116	db_get ssh/disable_cr_auth
	117	if [ "$RET" = true ]; then
	118	set_config_option ChallengeResponseAuthentication no
	119	fi
	120	fi
	121	}
	122
	123
	124	create_sshdconfig() {
	125	if [ -e /etc/ssh/sshd_config ] ; then
	126	if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
	127	db_get ssh/new_config
	128	if [ "$RET" = "false" ] ; then return 0; fi
	129	else
	130	# Upgrade sshd configuration from a sane version.
	131
	132	if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
	133	! grep -iq ^UsePAM /etc/ssh/sshd_config) \|\| \
	134	grep -Eiq '^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)' \
	135	/etc/ssh/sshd_config ; then
	136	# Upgrade from pre-3.7: UsePAM needed to maintain standard
	137	# Debian configuration.
	138	# Note that --compare-versions is sadly not reliable enough
	139	# here due to the package split of ssh into openssh-client
	140	# and openssh-server. The extra grep for some deprecated
	141	# options should with any luck be a good enough heuristic.
	142	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
	143	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	144	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \
	145	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	146	echo >> /etc/ssh/sshd_config.dpkg-new
	147	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
	148	chown --reference /etc/ssh/sshd_config \
	149	/etc/ssh/sshd_config.dpkg-new
	150	chmod --reference /etc/ssh/sshd_config \
	151	/etc/ssh/sshd_config.dpkg-new
	152	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	153	echo
	154	fi
	155
	156	# An empty version means we're upgrading from before the
	157	# package split, so check.
	158	if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
	159	check_password_auth
	160	fi
	161
	162	return 0
	163	fi
	164	fi
	165
	166	#Preserve old sshd_config before generating a new one
	167	if [ -e /etc/ssh/sshd_config ] ; then
	168	mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	169	fi
	170
	171	cat <<EOF > /etc/ssh/sshd_config
	172	# Package generated configuration file
	173	# See the sshd(8) manpage for details
	174
	175	# What ports, IPs and protocols we listen for
	176	Port 22
	177	# Use these options to restrict which interfaces/protocols sshd will bind to
	178	#ListenAddress ::
	179	#ListenAddress 0.0.0.0
	180	EOF
	181	db_get ssh/protocol2_only
	182	if [ "$RET" = "false" ]; then
	183	cat <<EOF >> /etc/ssh/sshd_config
	184	Protocol 2,1
	185	# HostKeys for protocol version 1
	186	HostKey /etc/ssh/ssh_host_key
	187	# HostKeys for protocol version 2
	188	HostKey /etc/ssh/ssh_host_rsa_key
	189	HostKey /etc/ssh/ssh_host_dsa_key
	190	EOF
	191	else
	192	cat <<EOF >> /etc/ssh/sshd_config
	193	Protocol 2
	194	# HostKeys for protocol version 2
	195	HostKey /etc/ssh/ssh_host_rsa_key
	196	HostKey /etc/ssh/ssh_host_dsa_key
	197	EOF
	198	fi
	199
	200	cat <<EOF >> /etc/ssh/sshd_config
	201	#Privilege Separation is turned on for security
	202	UsePrivilegeSeparation yes
	203
	204	# Lifetime and size of ephemeral version 1 server key
	205	KeyRegenerationInterval 3600
	206	ServerKeyBits 768
	207
	208	# Logging
	209	SyslogFacility AUTH
	210	LogLevel INFO
	211
	212	# Authentication:
	213	LoginGraceTime 600
	214	PermitRootLogin yes
	215	StrictModes yes
	216
	217	RSAAuthentication yes
	218	PubkeyAuthentication yes
	219	#AuthorizedKeysFile %h/.ssh/authorized_keys
	220
	221	# Don't read the user's ~/.rhosts and ~/.shosts files
	222	IgnoreRhosts yes
	223	# For this to work you will also need host keys in /etc/ssh_known_hosts
	224	RhostsRSAAuthentication no
	225	# similar for protocol version 2
	226	HostbasedAuthentication no
	227	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	228	#IgnoreUserKnownHosts yes
	229
	230	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	231	PermitEmptyPasswords no
	232
	233	# Change to no to disable s/key passwords
	234	#ChallengeResponseAuthentication yes
	235
	236	# Change to yes to enable tunnelled clear text passwords
	237	PasswordAuthentication no
	238
	239
	240	# To change Kerberos options
	241	#KerberosAuthentication no
	242	#KerberosOrLocalPasswd yes
	243	#AFSTokenPassing no
	244	#KerberosTicketCleanup no
	245
	246	# Kerberos TGT Passing does only work with the AFS kaserver
	247	#KerberosTgtPassing yes
	248
	249	X11Forwarding no
	250	X11DisplayOffset 10
	251	PrintMotd no
	252	PrintLastLog yes
	253	KeepAlive yes
	254	#UseLogin no
	255
	256	#MaxStartups 10:30:60
	257	#Banner /etc/issue.net
	258
	259	Subsystem sftp /usr/lib/sftp-server
	260
	261	UsePAM yes
	262	EOF
	263	}
	264
	265	fix_statoverride() {
	266	# Remove an erronous override for sshd (we should have overridden ssh)
	267	if [ -x /usr/sbin/dpkg-statoverride ]; then
	268	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	269	dpkg-statoverride --remove /usr/sbin/sshd
	270	fi
	271	fi
	272	}
	273
	274	setup_sshd_user() {
	275	if ! getent passwd sshd >/dev/null; then
	276	adduser --quiet --system --no-create-home --home /var/run/sshd sshd
	277	fi
	278	}
	279
	280	fix_conffile_permissions() {
	281	# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
	282	# doesn't do this for us; see bug #192981.
	283	chmod 644 /etc/default/ssh
	284	}
	285
	286	setup_init() {
	287	if [ -x /etc/init.d/ssh ]; then
	288	update-rc.d ssh defaults >/dev/null
	289	if [ -x /usr/sbin/invoke-rc.d ]; then
	290	invoke-rc.d ssh restart
	291	else
	292	/etc/init.d/ssh restart
	293	fi
	294	fi
	295	}
	296
	297
	298	create_sshdconfig
	299	check_idea_key
	300	create_keys
	301	fix_statoverride
	302	setup_sshd_user
	303	if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
	304	fix_conffile_permissions
	305	fi
	306	setup_init
	307
	308
	309	db_stop
	310
	311	exit 0