1 files changed, 147 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..391efc43b
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,147 @@
+#!/bin/sh
+set -e
+. /usr/share/debconf/confmodule
+db_version 2.0
+action="$1"
+oldversion="$2"
+umask 022
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -lne '
+                s/[[:space:]]+/ /g; s/[[:space:]]+$//;
+                print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults.
+                echo /etc/ssh/ssh_host_rsa_key
+                echo /etc/ssh/ssh_host_ecdsa_key
+                echo /etc/ssh/ssh_host_ed25519_key
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if which restorecon >/dev/null 2>&1; then
+                        restorecon "$file" "$file.pub"
+                fi
+                ssh-keygen -l -f "$file.pub"
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+        create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+create_sshdconfig() {
+        # XXX cjwatson 2016-12-24: This debconf template is very confusingly
+        # named; its description is "Disable SSH password authentication for
+        # root?", so true -> prohibit-password (the upstream default),
+        # false -> yes.
+        db_get openssh-server/permit-root-login
+        permit_root_login="$RET"
+        new_config="$(tempfile)"
+        cp -a /usr/share/openssh/sshd_config "$new_config"
+        if [ "$permit_root_login" != true ]; then
+                sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+                        "$new_config"
+        fi
+        ucf --three-way --debconf-ok \
+                --sum-file /usr/share/openssh/sshd_config.md5sum \
+                "$new_config" /etc/ssh/sshd_config
+        ucfr openssh-server /etc/ssh/sshd_config
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
+                dpkg-statoverride --remove /usr/sbin/sshd
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+if [ "$action" = configure ]; then
+        create_sshdconfig
+        create_keys
+        fix_statoverride
+        setup_sshd_user
+        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+        if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
+            rm -f /etc/ssh/primes
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
+            rm -f /var/run/sshd/.placeholder
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
+           which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \
+           ! status ssh 2>/dev/null | grep -q ' start/'; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under Upstart.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
+           deb-systemd-helper debian-installed ssh.socket && \
+           deb-systemd-helper --quiet was-enabled ssh.service && \
+           deb-systemd-helper --quiet was-enabled ssh.socket; then
+            # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
+            # enabled.
+            deb-systemd-helper disable ssh.socket >/dev/null || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
+           [ -d /run/systemd/system ]; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under systemd.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
+        fi
+fi
+#DEBHELPER#
+db_stop
+exit 0

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..391efc43b --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,147 @@
	1	#!/bin/sh
	2	set -e
	3
	4	. /usr/share/debconf/confmodule
	5	db_version 2.0
	6
	7	action="$1"
	8	oldversion="$2"
	9
	10	umask 022
	11
	12
	13	get_config_option() {
	14	option="$1"
	15
	16	[ -f /etc/ssh/sshd_config ] \|\| return
	17
	18	# TODO: actually only one '=' allowed after option
	19	perl -lne '
	20	s/[[:space:]]+/ /g; s/[[:space:]]+$//;
	21	print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	22	/etc/ssh/sshd_config
	23	}
	24
	25
	26	host_keys_required() {
	27	hostkeys="$(get_config_option HostKey)"
	28	if [ "$hostkeys" ]; then
	29	echo "$hostkeys"
	30	else
	31	# No HostKey directives at all, so the server picks some
	32	# defaults.
	33	echo /etc/ssh/ssh_host_rsa_key
	34	echo /etc/ssh/ssh_host_ecdsa_key
	35	echo /etc/ssh/ssh_host_ed25519_key
	36	fi
	37	}
	38
	39
	40	create_key() {
	41	msg="$1"
	42	shift
	43	hostkeys="$1"
	44	shift
	45	file="$1"
	46	shift
	47
	48	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	49	[ ! -f "$file" ] ; then
	50	echo -n $msg
	51	ssh-keygen -q -f "$file" -N '' "$@"
	52	echo
	53	if which restorecon >/dev/null 2>&1; then
	54	restorecon "$file" "$file.pub"
	55	fi
	56	ssh-keygen -l -f "$file.pub"
	57	fi
	58	}
	59
	60
	61	create_keys() {
	62	hostkeys="$(host_keys_required)"
	63
	64	create_key "Creating SSH2 RSA key; this may take some time ..." \
	65	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	66	create_key "Creating SSH2 DSA key; this may take some time ..." \
	67	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	68	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
	69	"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	70	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
	71	"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
	72	}
	73
	74
	75	create_sshdconfig() {
	76	# XXX cjwatson 2016-12-24: This debconf template is very confusingly
	77	# named; its description is "Disable SSH password authentication for
	78	# root?", so true -> prohibit-password (the upstream default),
	79	# false -> yes.
	80	db_get openssh-server/permit-root-login
	81	permit_root_login="$RET"
	82
	83	new_config="$(tempfile)"
	84	cp -a /usr/share/openssh/sshd_config "$new_config"
	85	if [ "$permit_root_login" != true ]; then
	86	sed -i 's/^#PermitRootLogin ./PermitRootLogin yes/' \
	87	"$new_config"
	88	fi
	89	ucf --three-way --debconf-ok \
	90	--sum-file /usr/share/openssh/sshd_config.md5sum \
	91	"$new_config" /etc/ssh/sshd_config
	92	ucfr openssh-server /etc/ssh/sshd_config
	93	}
	94
	95	fix_statoverride() {
	96	# Remove an erronous override for sshd (we should have overridden ssh)
	97	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
	98	dpkg-statoverride --remove /usr/sbin/sshd
	99	fi
	100	}
	101
	102	setup_sshd_user() {
	103	if ! getent passwd sshd >/dev/null; then
	104	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	105	fi
	106	}
	107
	108	if [ "$action" = configure ]; then
	109	create_sshdconfig
	110	create_keys
	111	fix_statoverride
	112	setup_sshd_user
	113	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
	114	if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
	115	rm -f /etc/ssh/primes
	116	fi
	117	if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
	118	rm -f /var/run/sshd/.placeholder
	119	fi
	120	if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
	121	which initctl >/dev/null && initctl version 2>/dev/null \| grep -q upstart && \
	122	! status ssh 2>/dev/null \| grep -q ' start/'; then
	123	# We must stop the sysvinit-controlled sshd before we can
	124	# restart it under Upstart.
	125	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid \|\| true
	126	fi
	127	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
	128	deb-systemd-helper debian-installed ssh.socket && \
	129	deb-systemd-helper --quiet was-enabled ssh.service && \
	130	deb-systemd-helper --quiet was-enabled ssh.socket; then
	131	# 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
	132	# enabled.
	133	deb-systemd-helper disable ssh.socket >/dev/null \|\| true
	134	fi
	135	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
	136	[ -d /run/systemd/system ]; then
	137	# We must stop the sysvinit-controlled sshd before we can
	138	# restart it under systemd.
	139	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd \|\| true
	140	fi
	141	fi
	142
	143	#DEBHELPER#
	144
	145	db_stop
	146
	147	exit 0