1 files changed, 386 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..443c567ee
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,386 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+. /usr/share/debconf/confmodule
+db_version 2.0
+umask 022
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+fix_doc_symlink() {
+        if [ ! -L /usr/share/doc/openssh-server ] && \
+           dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
+                rm -rf /usr/share/doc/openssh-server
+                ln -s openssh-client /usr/share/doc/openssh-server
+        fi
+}
+check_idea_key() {
+        # check for old host_key files using IDEA, which openssh does not
+        # support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null; then
+                        mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+                        mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+                fi
+                rm -f /etc/ssh/ssh_host_key.check_idea
+        fi
+}
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+set_config_option() {
+        option="$1"
+        value="$2"
+        perl -le '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $_ = $match;
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "$option $value" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+disable_config_option() {
+        option="$1"
+        value="$(get_config_option "$option")"
+        [ "$value" ] || return 0
+        perl -le '
+                $option = $ARGV[0];
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        # TODO: actually only one "=" allowed after option
+                        if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) {
+                                $_ = $match;
+                        }
+                        print;
+                }' \
+                "$option" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+remove_obsolete_gssapi() {
+        disable_config_option GSSAPINoMICAuthentication
+        disable_config_option GSSUseSessionCCache
+        disable_config_option GSSAPIUseSessionCredCache
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if type restorecon >/dev/null 2>&1; then
+                        restorecon "$file.pub"
+                fi
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+check_password_auth() {
+        passwordauth="$(get_config_option PasswordAuthentication)"
+        crauth="$(get_config_option ChallengeResponseAuthentication)"
+        if [ "$passwordauth" = no ] && \
+           ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+                db_get ssh/disable_cr_auth
+                if [ "$RET" = true ]; then
+                        set_config_option ChallengeResponseAuthentication no
+                fi
+        fi
+}
+move_subsystem_sftp() {
+        subsystem_sftp="$(get_config_option 'Subsystem sftp')"
+        if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \
+           [ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
+                set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
+        fi
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+                db_get ssh/new_config
+                if [ "$RET" = "false" ] ; then return 0; fi
+            else
+                # Upgrade sshd configuration from a sane version.
+                if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+                    ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
+                   grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
+                     /etc/ssh/sshd_config ; then
+                    # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                    # Debian configuration.
+                    # Note that --compare-versions is sadly not reliable enough
+                    # here due to the package split of ssh into openssh-client
+                    # and openssh-server. The extra grep for some deprecated
+                    # options should with any luck be a good enough heuristic.
+                    echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+                    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                    perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                        /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                    echo >> /etc/ssh/sshd_config.dpkg-new
+                    echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                    chown --reference /etc/ssh/sshd_config \
+                                      /etc/ssh/sshd_config.dpkg-new
+                    chmod --reference /etc/ssh/sshd_config \
+                                      /etc/ssh/sshd_config.dpkg-new
+                    mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                    echo
+                fi
+                # An empty version means we're upgrading from before the
+                # package split, so check.
+                if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
+                    check_password_auth
+                fi
+                # libexecdir changed, so fix up 'Subsystem sftp'.
+                if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
+                    move_subsystem_sftp
+                fi
+                # Remove obsolete GSSAPI options.
+                if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
+                    remove_obsolete_gssapi
+                fi
+                return 0
+            fi
+        fi
+        #Preserve old sshd_config before generating a new one
+        if [ -e /etc/ssh/sshd_config ] ; then 
+            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+EOF
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+fix_sshd_shell() {
+        if getent passwd sshd | grep -q ':/bin/false$'; then
+                usermod -s /usr/sbin/nologin sshd || true
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+fix_conffile_permissions() {
+        # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
+        # doesn't do this for us; see bug #192981.
+        chmod 644 /etc/default/ssh
+}
+setup_init() {
+        if [ -x /etc/init.d/ssh ]; then
+                update-rc.d ssh defaults >/dev/null
+                if [ -x /usr/sbin/invoke-rc.d ]; then
+                        invoke-rc.d ssh restart
+                else
+                        /etc/init.d/ssh restart
+                fi
+        fi
+}
+commit_transfer_conffile () {
+        CONFFILE="$1"
+        if [ -e "$CONFFILE.moved-by-preinst" ]; then
+                rm -f "$CONFFILE.moved-by-preinst"
+        fi
+}
+fix_doc_symlink
+create_sshdconfig
+check_idea_key
+create_keys
+fix_statoverride
+if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
+    fix_sshd_shell
+fi
+setup_sshd_user
+if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
+    fix_conffile_permissions
+fi
+setup_init
+commit_transfer_conffile /etc/default/ssh
+commit_transfer_conffile /etc/init.d/ssh
+commit_transfer_conffile /etc/pam.d/ssh
+db_stop
+exit 0

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..443c567ee --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,386 @@
	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11	if [ "$action" != configure ]
	12	then
	13	exit 0
	14	fi
	15
	16
	17	fix_doc_symlink() {
	18	if [ ! -L /usr/share/doc/openssh-server ] && \
	19	dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
	20	rm -rf /usr/share/doc/openssh-server
	21	ln -s openssh-client /usr/share/doc/openssh-server
	22	fi
	23	}
	24
	25	check_idea_key() {
	26	# check for old host_key files using IDEA, which openssh does not
	27	# support
	28	if [ -f /etc/ssh/ssh_host_key ] ; then
	29	cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
	30	if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 \| \
	31	grep -q 'unknown cipher' 2>/dev/null; then
	32	mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
	33	mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
	34	fi
	35	rm -f /etc/ssh/ssh_host_key.check_idea
	36	fi
	37	}
	38
	39
	40	get_config_option() {
	41	option="$1"
	42
	43	[ -f /etc/ssh/sshd_config ] \|\| return
	44
	45	# TODO: actually only one '=' allowed after option
	46	perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
	47	/etc/ssh/sshd_config
	48	}
	49
	50
	51	set_config_option() {
	52	option="$1"
	53	value="$2"
	54
	55	perl -le '
	56	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
	57	while (<STDIN>) {
	58	chomp;
	59	(my $match = $_) =~ s/\s+/ /g;
	60	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
	61	$_ = $match;
	62	$done = 1;
	63	}
	64	print;
	65	}
	66	print "$option $value" unless $done;' \
	67	"$option" "$value" \
	68	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	69	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	70	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	71	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	72	}
	73
	74
	75	disable_config_option() {
	76	option="$1"
	77
	78	value="$(get_config_option "$option")"
	79	[ "$value" ] \|\| return 0
	80
	81	perl -le '
	82	$option = $ARGV[0];
	83	while (<STDIN>) {
	84	chomp;
	85	(my $match = $_) =~ s/\s+/ /g;
	86	# TODO: actually only one "=" allowed after option
	87	if ($match =~ s/^(\s\Q$option\E[[:space:]=]+.)/#$1/i) {
	88	$_ = $match;
	89	}
	90	print;
	91	}' \
	92	"$option" \
	93	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	94	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	95	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	96	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	97	}
	98
	99
	100	remove_obsolete_gssapi() {
	101	disable_config_option GSSAPINoMICAuthentication
	102	disable_config_option GSSUseSessionCCache
	103	disable_config_option GSSAPIUseSessionCredCache
	104	}
	105
	106
	107	host_keys_required() {
	108	hostkeys="$(get_config_option HostKey)"
	109	if [ "$hostkeys" ]; then
	110	echo "$hostkeys"
	111	else
	112	# No HostKey directives at all, so the server picks some
	113	# defaults depending on the setting of Protocol.
	114	protocol="$(get_config_option Protocol)"
	115	[ "$protocol" ] \|\| protocol=1,2
	116	if echo "$protocol" \| grep 1 >/dev/null; then
	117	echo /etc/ssh/ssh_host_key
	118	fi
	119	if echo "$protocol" \| grep 2 >/dev/null; then
	120	echo /etc/ssh/ssh_host_rsa_key
	121	echo /etc/ssh/ssh_host_dsa_key
	122	fi
	123	fi
	124	}
	125
	126
	127	create_key() {
	128	msg="$1"
	129	shift
	130	hostkeys="$1"
	131	shift
	132	file="$1"
	133	shift
	134
	135	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	136	[ ! -f "$file" ] ; then
	137	echo -n $msg
	138	ssh-keygen -q -f "$file" -N '' "$@"
	139	echo
	140	if type restorecon >/dev/null 2>&1; then
	141	restorecon "$file.pub"
	142	fi
	143	fi
	144	}
	145
	146
	147	create_keys() {
	148	hostkeys="$(host_keys_required)"
	149
	150	create_key "Creating SSH1 key; this may take some time ..." \
	151	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	152
	153	create_key "Creating SSH2 RSA key; this may take some time ..." \
	154	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	155	create_key "Creating SSH2 DSA key; this may take some time ..." \
	156	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	157	}
	158
	159
	160	check_password_auth() {
	161	passwordauth="$(get_config_option PasswordAuthentication)"
	162	crauth="$(get_config_option ChallengeResponseAuthentication)"
	163	if [ "$passwordauth" = no ] && \
	164	([ -z "$crauth" ] \|\| [ "$crauth" = yes ]); then
	165	db_get ssh/disable_cr_auth
	166	if [ "$RET" = true ]; then
	167	set_config_option ChallengeResponseAuthentication no
	168	fi
	169	fi
	170	}
	171
	172
	173	move_subsystem_sftp() {
	174	subsystem_sftp="$(get_config_option 'Subsystem sftp')"
	175	if [ "$subsystem_sftp" = /usr/lib/sftp-server ] \|\| \
	176	[ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
	177	set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
	178	fi
	179	}
	180
	181
	182	create_sshdconfig() {
	183	if [ -e /etc/ssh/sshd_config ] ; then
	184	if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
	185	db_get ssh/new_config
	186	if [ "$RET" = "false" ] ; then return 0; fi
	187	else
	188	# Upgrade sshd configuration from a sane version.
	189
	190	if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
	191	! grep -iq ^UsePAM /etc/ssh/sshd_config) \|\| \
	192	grep -Eiq '^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)' \
	193	/etc/ssh/sshd_config ; then
	194	# Upgrade from pre-3.7: UsePAM needed to maintain standard
	195	# Debian configuration.
	196	# Note that --compare-versions is sadly not reliable enough
	197	# here due to the package split of ssh into openssh-client
	198	# and openssh-server. The extra grep for some deprecated
	199	# options should with any luck be a good enough heuristic.
	200	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
	201	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	202	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \
	203	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	204	echo >> /etc/ssh/sshd_config.dpkg-new
	205	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
	206	chown --reference /etc/ssh/sshd_config \
	207	/etc/ssh/sshd_config.dpkg-new
	208	chmod --reference /etc/ssh/sshd_config \
	209	/etc/ssh/sshd_config.dpkg-new
	210	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	211	echo
	212	fi
	213
	214	# An empty version means we're upgrading from before the
	215	# package split, so check.
	216	if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
	217	check_password_auth
	218	fi
	219
	220	# libexecdir changed, so fix up 'Subsystem sftp'.
	221	if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
	222	move_subsystem_sftp
	223	fi
	224
	225	# Remove obsolete GSSAPI options.
	226	if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
	227	remove_obsolete_gssapi
	228	fi
	229
	230	return 0
	231	fi
	232	fi
	233
	234	#Preserve old sshd_config before generating a new one
	235	if [ -e /etc/ssh/sshd_config ] ; then
	236	mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	237	fi
	238
	239	cat <<EOF > /etc/ssh/sshd_config
	240	# Package generated configuration file
	241	# See the sshd(8) manpage for details
	242
	243	# What ports, IPs and protocols we listen for
	244	Port 22
	245	# Use these options to restrict which interfaces/protocols sshd will bind to
	246	#ListenAddress ::
	247	#ListenAddress 0.0.0.0
	248	Protocol 2
	249	# HostKeys for protocol version 2
	250	HostKey /etc/ssh/ssh_host_rsa_key
	251	HostKey /etc/ssh/ssh_host_dsa_key
	252	#Privilege Separation is turned on for security
	253	UsePrivilegeSeparation yes
	254
	255	# Lifetime and size of ephemeral version 1 server key
	256	KeyRegenerationInterval 3600
	257	ServerKeyBits 768
	258
	259	# Logging
	260	SyslogFacility AUTH
	261	LogLevel INFO
	262
	263	# Authentication:
	264	LoginGraceTime 120
	265	PermitRootLogin yes
	266	StrictModes yes
	267
	268	RSAAuthentication yes
	269	PubkeyAuthentication yes
	270	#AuthorizedKeysFile %h/.ssh/authorized_keys
	271
	272	# Don't read the user's ~/.rhosts and ~/.shosts files
	273	IgnoreRhosts yes
	274	# For this to work you will also need host keys in /etc/ssh_known_hosts
	275	RhostsRSAAuthentication no
	276	# similar for protocol version 2
	277	HostbasedAuthentication no
	278	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	279	#IgnoreUserKnownHosts yes
	280
	281	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	282	PermitEmptyPasswords no
	283
	284	# Change to yes to enable challenge-response passwords (beware issues with
	285	# some PAM modules and threads)
	286	ChallengeResponseAuthentication no
	287
	288	# Change to no to disable tunnelled clear text passwords
	289	#PasswordAuthentication yes
	290
	291	# Kerberos options
	292	#KerberosAuthentication no
	293	#KerberosGetAFSToken no
	294	#KerberosOrLocalPasswd yes
	295	#KerberosTicketCleanup yes
	296
	297	# GSSAPI options
	298	#GSSAPIAuthentication no
	299	#GSSAPICleanupCredentials yes
	300
	301	X11Forwarding yes
	302	X11DisplayOffset 10
	303	PrintMotd no
	304	PrintLastLog yes
	305	TCPKeepAlive yes
	306	#UseLogin no
	307
	308	#MaxStartups 10:30:60
	309	#Banner /etc/issue.net
	310
	311	# Allow client to pass locale environment variables
	312	AcceptEnv LANG LC_*
	313
	314	Subsystem sftp /usr/lib/openssh/sftp-server
	315
	316	UsePAM yes
	317	EOF
	318	}
	319
	320	fix_statoverride() {
	321	# Remove an erronous override for sshd (we should have overridden ssh)
	322	if [ -x /usr/sbin/dpkg-statoverride ]; then
	323	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	324	dpkg-statoverride --remove /usr/sbin/sshd
	325	fi
	326	fi
	327	}
	328
	329	fix_sshd_shell() {
	330	if getent passwd sshd \| grep -q ':/bin/false$'; then
	331	usermod -s /usr/sbin/nologin sshd \|\| true
	332	fi
	333	}
	334
	335	setup_sshd_user() {
	336	if ! getent passwd sshd >/dev/null; then
	337	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	338	fi
	339	}
	340
	341	fix_conffile_permissions() {
	342	# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
	343	# doesn't do this for us; see bug #192981.
	344	chmod 644 /etc/default/ssh
	345	}
	346
	347	setup_init() {
	348	if [ -x /etc/init.d/ssh ]; then
	349	update-rc.d ssh defaults >/dev/null
	350	if [ -x /usr/sbin/invoke-rc.d ]; then
	351	invoke-rc.d ssh restart
	352	else
	353	/etc/init.d/ssh restart
	354	fi
	355	fi
	356	}
	357
	358	commit_transfer_conffile () {
	359	CONFFILE="$1"
	360	if [ -e "$CONFFILE.moved-by-preinst" ]; then
	361	rm -f "$CONFFILE.moved-by-preinst"
	362	fi
	363	}
	364
	365
	366	fix_doc_symlink
	367	create_sshdconfig
	368	check_idea_key
	369	create_keys
	370	fix_statoverride
	371	if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
	372	fix_sshd_shell
	373	fi
	374	setup_sshd_user
	375	if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
	376	fix_conffile_permissions
	377	fi
	378	setup_init
	379	commit_transfer_conffile /etc/default/ssh
	380	commit_transfer_conffile /etc/init.d/ssh
	381	commit_transfer_conffile /etc/pam.d/ssh
	382
	383
	384	db_stop
	385
	386	exit 0