1 files changed, 157 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..90d346674
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,157 @@
+#!/bin/sh
+set -e
+. /usr/share/debconf/confmodule
+db_version 2.0
+action="$1"
+oldversion="$2"
+umask 022
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -lne '
+                s/[[:space:]]+/ /g; s/[[:space:]]+$//;
+                print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults.
+                echo /etc/ssh/ssh_host_rsa_key
+                echo /etc/ssh/ssh_host_ecdsa_key
+                echo /etc/ssh/ssh_host_ed25519_key
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if which restorecon >/dev/null 2>&1; then
+                        restorecon "$file" "$file.pub"
+                fi
+                ssh-keygen -l -f "$file.pub"
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+        create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+new_config=
+cleanup() {
+        if [ "$new_config" ]; then
+                rm -f "$new_config"
+        fi
+}
+create_sshdconfig() {
+        # XXX cjwatson 2016-12-24: This debconf template is very confusingly
+        # named; its description is "Disable SSH password authentication for
+        # root?", so true -> prohibit-password (the upstream default),
+        # false -> yes.
+        db_get openssh-server/permit-root-login
+        permit_root_login="$RET"
+        trap cleanup EXIT
+        new_config="$(tempfile)"
+        cp -a /usr/share/openssh/sshd_config "$new_config"
+        if [ "$permit_root_login" != true ]; then
+                sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+                        "$new_config"
+        fi
+        ucf --three-way --debconf-ok \
+                --sum-file /usr/share/openssh/sshd_config.md5sum \
+                "$new_config" /etc/ssh/sshd_config
+        ucfr openssh-server /etc/ssh/sshd_config
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
+                dpkg-statoverride --remove /usr/sbin/sshd
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+if [ "$action" = configure ]; then
+        create_sshdconfig
+        create_keys
+        fix_statoverride
+        setup_sshd_user
+        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+        if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
+            rm -f /etc/ssh/primes
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
+            rm -f /var/run/sshd/.placeholder
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
+           which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \
+           ! status ssh 2>/dev/null | grep -q ' start/'; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under Upstart.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
+           deb-systemd-helper debian-installed ssh.socket && \
+           deb-systemd-helper --quiet was-enabled ssh.service && \
+           deb-systemd-helper --quiet was-enabled ssh.socket; then
+            # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
+            # enabled.
+            deb-systemd-helper disable ssh.socket >/dev/null || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
+           [ -d /run/systemd/system ]; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under systemd.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
+        fi
+fi
+#DEBHELPER#
+db_stop
+exit 0

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..90d346674 --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,157 @@
	1	#!/bin/sh
	2	set -e
	3
	4	. /usr/share/debconf/confmodule
	5	db_version 2.0
	6
	7	action="$1"
	8	oldversion="$2"
	9
	10	umask 022
	11
	12
	13	get_config_option() {
	14	option="$1"
	15
	16	[ -f /etc/ssh/sshd_config ] \|\| return
	17
	18	# TODO: actually only one '=' allowed after option
	19	perl -lne '
	20	s/[[:space:]]+/ /g; s/[[:space:]]+$//;
	21	print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	22	/etc/ssh/sshd_config
	23	}
	24
	25
	26	host_keys_required() {
	27	hostkeys="$(get_config_option HostKey)"
	28	if [ "$hostkeys" ]; then
	29	echo "$hostkeys"
	30	else
	31	# No HostKey directives at all, so the server picks some
	32	# defaults.
	33	echo /etc/ssh/ssh_host_rsa_key
	34	echo /etc/ssh/ssh_host_ecdsa_key
	35	echo /etc/ssh/ssh_host_ed25519_key
	36	fi
	37	}
	38
	39
	40	create_key() {
	41	msg="$1"
	42	shift
	43	hostkeys="$1"
	44	shift
	45	file="$1"
	46	shift
	47
	48	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	49	[ ! -f "$file" ] ; then
	50	echo -n $msg
	51	ssh-keygen -q -f "$file" -N '' "$@"
	52	echo
	53	if which restorecon >/dev/null 2>&1; then
	54	restorecon "$file" "$file.pub"
	55	fi
	56	ssh-keygen -l -f "$file.pub"
	57	fi
	58	}
	59
	60
	61	create_keys() {
	62	hostkeys="$(host_keys_required)"
	63
	64	create_key "Creating SSH2 RSA key; this may take some time ..." \
	65	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	66	create_key "Creating SSH2 DSA key; this may take some time ..." \
	67	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	68	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
	69	"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	70	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
	71	"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
	72	}
	73
	74
	75	new_config=
	76
	77	cleanup() {
	78	if [ "$new_config" ]; then
	79	rm -f "$new_config"
	80	fi
	81	}
	82
	83
	84	create_sshdconfig() {
	85	# XXX cjwatson 2016-12-24: This debconf template is very confusingly
	86	# named; its description is "Disable SSH password authentication for
	87	# root?", so true -> prohibit-password (the upstream default),
	88	# false -> yes.
	89	db_get openssh-server/permit-root-login
	90	permit_root_login="$RET"
	91
	92	trap cleanup EXIT
	93	new_config="$(tempfile)"
	94	cp -a /usr/share/openssh/sshd_config "$new_config"
	95	if [ "$permit_root_login" != true ]; then
	96	sed -i 's/^#PermitRootLogin ./PermitRootLogin yes/' \
	97	"$new_config"
	98	fi
	99	ucf --three-way --debconf-ok \
	100	--sum-file /usr/share/openssh/sshd_config.md5sum \
	101	"$new_config" /etc/ssh/sshd_config
	102	ucfr openssh-server /etc/ssh/sshd_config
	103	}
	104
	105	fix_statoverride() {
	106	# Remove an erronous override for sshd (we should have overridden ssh)
	107	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
	108	dpkg-statoverride --remove /usr/sbin/sshd
	109	fi
	110	}
	111
	112	setup_sshd_user() {
	113	if ! getent passwd sshd >/dev/null; then
	114	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	115	fi
	116	}
	117
	118	if [ "$action" = configure ]; then
	119	create_sshdconfig
	120	create_keys
	121	fix_statoverride
	122	setup_sshd_user
	123	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
	124	if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
	125	rm -f /etc/ssh/primes
	126	fi
	127	if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
	128	rm -f /var/run/sshd/.placeholder
	129	fi
	130	if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
	131	which initctl >/dev/null && initctl version 2>/dev/null \| grep -q upstart && \
	132	! status ssh 2>/dev/null \| grep -q ' start/'; then
	133	# We must stop the sysvinit-controlled sshd before we can
	134	# restart it under Upstart.
	135	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid \|\| true
	136	fi
	137	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
	138	deb-systemd-helper debian-installed ssh.socket && \
	139	deb-systemd-helper --quiet was-enabled ssh.service && \
	140	deb-systemd-helper --quiet was-enabled ssh.socket; then
	141	# 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
	142	# enabled.
	143	deb-systemd-helper disable ssh.socket >/dev/null \|\| true
	144	fi
	145	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
	146	[ -d /run/systemd/system ]; then
	147	# We must stop the sysvinit-controlled sshd before we can
	148	# restart it under systemd.
	149	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd \|\| true
	150	fi
	151	fi
	152
	153	#DEBHELPER#
	154
	155	db_stop
	156
	157	exit 0