diff options
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 82 |
1 files changed, 63 insertions, 19 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 28af3f490..dab8c94fd 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst | |||
@@ -29,12 +29,33 @@ check_idea_key() { | |||
29 | get_config_option() { | 29 | get_config_option() { |
30 | option="$1" | 30 | option="$1" |
31 | 31 | ||
32 | [ -f /etc/ssh/sshd_config ] || return | ||
33 | |||
32 | # TODO: actually only one '=' allowed after option | 34 | # TODO: actually only one '=' allowed after option |
33 | perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | 35 | perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ |
34 | /etc/ssh/sshd_config | 36 | /etc/ssh/sshd_config |
35 | } | 37 | } |
36 | 38 | ||
37 | 39 | ||
40 | set_config_option() { | ||
41 | option="$1" | ||
42 | value="$2" | ||
43 | |||
44 | perl -e ' | ||
45 | $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; | ||
46 | while (<STDIN>) { | ||
47 | if (s/^\s*\Q$option\E\s+.*/$option $value/) { | ||
48 | $done = 1; | ||
49 | } | ||
50 | print; | ||
51 | } | ||
52 | print "\n$option $value\n" unless $done;' \ | ||
53 | "$option" "$value" \ | ||
54 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
55 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
56 | } | ||
57 | |||
58 | |||
38 | host_keys_required() { | 59 | host_keys_required() { |
39 | hostkeys="$(get_config_option HostKey)" | 60 | hostkeys="$(get_config_option HostKey)" |
40 | if [ "$hostkeys" ]; then | 61 | if [ "$hostkeys" ]; then |
@@ -85,31 +106,54 @@ create_keys() { | |||
85 | } | 106 | } |
86 | 107 | ||
87 | 108 | ||
109 | check_password_auth() { | ||
110 | passwordauth="$(get_config_option PasswordAuthentication)" | ||
111 | crauth="$(get_config_option ChallengeResponseAuthentication)" | ||
112 | if [ "$passwordauth" = no ] && \ | ||
113 | ([ -z "$crauth" ] || [ "$crauth" = yes ]); then | ||
114 | db_get ssh/disable_cr_auth | ||
115 | if [ "$RET" = true ]; then | ||
116 | set_config_option ChallengeResponseAuthentication no | ||
117 | fi | ||
118 | fi | ||
119 | } | ||
120 | |||
121 | |||
88 | create_sshdconfig() { | 122 | create_sshdconfig() { |
89 | if [ -e /etc/ssh/sshd_config ] ; then | 123 | if [ -e /etc/ssh/sshd_config ] ; then |
90 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | 124 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then |
91 | db_get ssh/new_config | 125 | db_get ssh/new_config |
92 | if [ "$RET" = "false" ] ; then return 0; fi | 126 | if [ "$RET" = "false" ] ; then return 0; fi |
93 | elif (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ | 127 | else |
94 | ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ | 128 | # Upgrade sshd configuration from a sane version. |
95 | grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ | 129 | |
96 | /etc/ssh/sshd_config ; then | 130 | if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ |
97 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | 131 | ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ |
98 | # Debian configuration. | 132 | grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ |
99 | # Note that --compare-versions is sadly not reliable enough | 133 | /etc/ssh/sshd_config ; then |
100 | # here due to the package split of ssh into openssh-client | 134 | # Upgrade from pre-3.7: UsePAM needed to maintain standard |
101 | # and openssh-server. The extra grep for some deprecated | 135 | # Debian configuration. |
102 | # options should with any luck be a good enough heuristic. | 136 | # Note that --compare-versions is sadly not reliable enough |
103 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' | 137 | # here due to the package split of ssh into openssh-client |
104 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | 138 | # and openssh-server. The extra grep for some deprecated |
105 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | 139 | # options should with any luck be a good enough heuristic. |
106 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | 140 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' |
107 | echo >> /etc/ssh/sshd_config.dpkg-new | 141 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old |
108 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | 142 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ |
109 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | 143 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new |
110 | echo | 144 | echo >> /etc/ssh/sshd_config.dpkg-new |
145 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
146 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
147 | echo | ||
148 | fi | ||
149 | |||
150 | # An empty version means we're upgrading from before the | ||
151 | # package split, so check. | ||
152 | if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then | ||
153 | check_password_auth | ||
154 | fi | ||
155 | |||
111 | return 0 | 156 | return 0 |
112 | else return 0 | ||
113 | fi | 157 | fi |
114 | fi | 158 | fi |
115 | 159 | ||