1 files changed, 327 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..2c6c53d88
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,327 @@
+#!/bin/sh
+set -e
+. /usr/share/debconf/confmodule
+db_version 2.0
+action="$1"
+oldversion="$2"
+umask 022
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -lne '
+                s/[[:space:]]+/ /g; s/[[:space:]]+$//;
+                print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+set_config_option() {
+        option="$1"
+        value="$2"
+        perl -le '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $_ = $match;
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "$option $value" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+rename_config_option() {
+        oldoption="$1"
+        newoption="$2"
+        value="$(get_config_option "$oldoption")"
+        [ "$value" ] || return 0
+        perl -le '
+                $oldoption = $ARGV[0]; $newoption = $ARGV[1];
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        # TODO: actually only one "=" allowed after option
+                        if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
+                                $_ = $match;
+                        }
+                        print;
+                }' \
+                "$oldoption" "$newoption" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                        echo /etc/ssh/ssh_host_ecdsa_key
+                        echo /etc/ssh/ssh_host_ed25519_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if which restorecon >/dev/null 2>&1; then
+                        restorecon "$file" "$file.pub"
+                fi
+                ssh-keygen -l -f "$file.pub"
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+        create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+fix_loglevel_silent() {
+        if [ "$(get_config_option LogLevel)" = SILENT ]; then
+                set_config_option LogLevel QUIET
+        fi
+}
+update_server_key_bits() {
+        if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
+                set_config_option ServerKeyBits 1024
+        fi
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            # Upgrade an existing sshd configuration.
+            # This option was renamed in 3.8p1, but we never took care
+            # of adjusting the configuration file until now.
+            if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+                rename_config_option KeepAlive TCPKeepAlive
+            fi
+            # 'LogLevel SILENT' is now equivalent to QUIET.
+            if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+                fix_loglevel_silent
+            fi
+            # Changed upstream in 5.1p1, but we forgot to update the
+            # package-generated configuration file until now.
+            if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
+                update_server_key_bits
+            fi
+            return 0
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+EOF
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
+                dpkg-statoverride --remove /usr/sbin/sshd
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+if [ "$action" = configure ]; then
+        create_sshdconfig
+        create_keys
+        fix_statoverride
+        setup_sshd_user
+        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+        if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
+            rm -f /etc/ssh/primes
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
+            rm -f /var/run/sshd/.placeholder
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
+           which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \
+           ! status ssh 2>/dev/null | grep -q ' start/'; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under Upstart.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
+           deb-systemd-helper debian-installed ssh.socket && \
+           deb-systemd-helper --quiet was-enabled ssh.service && \
+           deb-systemd-helper --quiet was-enabled ssh.socket; then
+            # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
+            # enabled.
+            deb-systemd-helper disable ssh.socket >/dev/null || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
+           [ -d /run/systemd/system ]; then
+            # We must stop the sysvinit-controlled sshd before we can
+            # restart it under systemd.
+            start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
+           [ "$(get_config_option PermitRootLogin)" = yes ] &&
+           db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
+            set_config_option PermitRootLogin prohibit-password
+        fi
+        if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
+           [ "$(get_config_option PermitRootLogin)" = without-password ]; then
+            set_config_option PermitRootLogin prohibit-password
+        fi
+fi
+#DEBHELPER#
+db_stop
+exit 0

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..2c6c53d88 --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,327 @@
	1	#!/bin/sh
	2	set -e
	3
	4	. /usr/share/debconf/confmodule
	5	db_version 2.0
	6
	7	action="$1"
	8	oldversion="$2"
	9
	10	umask 022
	11
	12
	13	get_config_option() {
	14	option="$1"
	15
	16	[ -f /etc/ssh/sshd_config ] \|\| return
	17
	18	# TODO: actually only one '=' allowed after option
	19	perl -lne '
	20	s/[[:space:]]+/ /g; s/[[:space:]]+$//;
	21	print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	22	/etc/ssh/sshd_config
	23	}
	24
	25
	26	set_config_option() {
	27	option="$1"
	28	value="$2"
	29
	30	perl -le '
	31	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
	32	while (<STDIN>) {
	33	chomp;
	34	(my $match = $_) =~ s/\s+/ /g;
	35	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
	36	$_ = $match;
	37	$done = 1;
	38	}
	39	print;
	40	}
	41	print "$option $value" unless $done;' \
	42	"$option" "$value" \
	43	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	44	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	45	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	46	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	47	}
	48
	49
	50	rename_config_option() {
	51	oldoption="$1"
	52	newoption="$2"
	53
	54	value="$(get_config_option "$oldoption")"
	55	[ "$value" ] \|\| return 0
	56
	57	perl -le '
	58	$oldoption = $ARGV[0]; $newoption = $ARGV[1];
	59	while (<STDIN>) {
	60	chomp;
	61	(my $match = $_) =~ s/\s+/ /g;
	62	# TODO: actually only one "=" allowed after option
	63	if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
	64	$_ = $match;
	65	}
	66	print;
	67	}' \
	68	"$oldoption" "$newoption" \
	69	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	70	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	71	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	72	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	73	}
	74
	75
	76	host_keys_required() {
	77	hostkeys="$(get_config_option HostKey)"
	78	if [ "$hostkeys" ]; then
	79	echo "$hostkeys"
	80	else
	81	# No HostKey directives at all, so the server picks some
	82	# defaults depending on the setting of Protocol.
	83	protocol="$(get_config_option Protocol)"
	84	[ "$protocol" ] \|\| protocol=1,2
	85	if echo "$protocol" \| grep 1 >/dev/null; then
	86	echo /etc/ssh/ssh_host_key
	87	fi
	88	if echo "$protocol" \| grep 2 >/dev/null; then
	89	echo /etc/ssh/ssh_host_rsa_key
	90	echo /etc/ssh/ssh_host_dsa_key
	91	echo /etc/ssh/ssh_host_ecdsa_key
	92	echo /etc/ssh/ssh_host_ed25519_key
	93	fi
	94	fi
	95	}
	96
	97
	98	create_key() {
	99	msg="$1"
	100	shift
	101	hostkeys="$1"
	102	shift
	103	file="$1"
	104	shift
	105
	106	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	107	[ ! -f "$file" ] ; then
	108	echo -n $msg
	109	ssh-keygen -q -f "$file" -N '' "$@"
	110	echo
	111	if which restorecon >/dev/null 2>&1; then
	112	restorecon "$file" "$file.pub"
	113	fi
	114	ssh-keygen -l -f "$file.pub"
	115	fi
	116	}
	117
	118
	119	create_keys() {
	120	hostkeys="$(host_keys_required)"
	121
	122	create_key "Creating SSH1 key; this may take some time ..." \
	123	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	124
	125	create_key "Creating SSH2 RSA key; this may take some time ..." \
	126	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	127	create_key "Creating SSH2 DSA key; this may take some time ..." \
	128	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	129	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
	130	"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	131	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
	132	"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
	133	}
	134
	135
	136	fix_loglevel_silent() {
	137	if [ "$(get_config_option LogLevel)" = SILENT ]; then
	138	set_config_option LogLevel QUIET
	139	fi
	140	}
	141
	142
	143	update_server_key_bits() {
	144	if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
	145	set_config_option ServerKeyBits 1024
	146	fi
	147	}
	148
	149
	150	create_sshdconfig() {
	151	if [ -e /etc/ssh/sshd_config ] ; then
	152	# Upgrade an existing sshd configuration.
	153
	154	# This option was renamed in 3.8p1, but we never took care
	155	# of adjusting the configuration file until now.
	156	if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
	157	rename_config_option KeepAlive TCPKeepAlive
	158	fi
	159
	160	# 'LogLevel SILENT' is now equivalent to QUIET.
	161	if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
	162	fix_loglevel_silent
	163	fi
	164
	165	# Changed upstream in 5.1p1, but we forgot to update the
	166	# package-generated configuration file until now.
	167	if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
	168	update_server_key_bits
	169	fi
	170
	171	return 0
	172	fi
	173
	174	cat <<EOF > /etc/ssh/sshd_config
	175	# Package generated configuration file
	176	# See the sshd_config(5) manpage for details
	177
	178	# What ports, IPs and protocols we listen for
	179	Port 22
	180	# Use these options to restrict which interfaces/protocols sshd will bind to
	181	#ListenAddress ::
	182	#ListenAddress 0.0.0.0
	183	Protocol 2
	184	# HostKeys for protocol version 2
	185	HostKey /etc/ssh/ssh_host_rsa_key
	186	HostKey /etc/ssh/ssh_host_dsa_key
	187	HostKey /etc/ssh/ssh_host_ecdsa_key
	188	HostKey /etc/ssh/ssh_host_ed25519_key
	189	#Privilege Separation is turned on for security
	190	UsePrivilegeSeparation yes
	191
	192	# Lifetime and size of ephemeral version 1 server key
	193	KeyRegenerationInterval 3600
	194	ServerKeyBits 1024
	195
	196	# Logging
	197	SyslogFacility AUTH
	198	LogLevel INFO
	199
	200	# Authentication:
	201	LoginGraceTime 120
	202	PermitRootLogin prohibit-password
	203	StrictModes yes
	204
	205	RSAAuthentication yes
	206	PubkeyAuthentication yes
	207	#AuthorizedKeysFile %h/.ssh/authorized_keys
	208
	209	# Don't read the user's ~/.rhosts and ~/.shosts files
	210	IgnoreRhosts yes
	211	# For this to work you will also need host keys in /etc/ssh_known_hosts
	212	RhostsRSAAuthentication no
	213	# similar for protocol version 2
	214	HostbasedAuthentication no
	215	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	216	#IgnoreUserKnownHosts yes
	217
	218	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	219	PermitEmptyPasswords no
	220
	221	# Change to yes to enable challenge-response passwords (beware issues with
	222	# some PAM modules and threads)
	223	ChallengeResponseAuthentication no
	224
	225	# Change to no to disable tunnelled clear text passwords
	226	#PasswordAuthentication yes
	227
	228	# Kerberos options
	229	#KerberosAuthentication no
	230	#KerberosGetAFSToken no
	231	#KerberosOrLocalPasswd yes
	232	#KerberosTicketCleanup yes
	233
	234	# GSSAPI options
	235	#GSSAPIAuthentication no
	236	#GSSAPICleanupCredentials yes
	237
	238	X11Forwarding yes
	239	X11DisplayOffset 10
	240	PrintMotd no
	241	PrintLastLog yes
	242	TCPKeepAlive yes
	243	#UseLogin no
	244
	245	#MaxStartups 10:30:60
	246	#Banner /etc/issue.net
	247
	248	# Allow client to pass locale environment variables
	249	AcceptEnv LANG LC_*
	250
	251	Subsystem sftp /usr/lib/openssh/sftp-server
	252
	253	# Set this to 'yes' to enable PAM authentication, account processing,
	254	# and session processing. If this is enabled, PAM authentication will
	255	# be allowed through the ChallengeResponseAuthentication and
	256	# PasswordAuthentication. Depending on your PAM configuration,
	257	# PAM authentication via ChallengeResponseAuthentication may bypass
	258	# the setting of "PermitRootLogin without-password".
	259	# If you just want the PAM account and session checks to run without
	260	# PAM authentication, then enable this but set PasswordAuthentication
	261	# and ChallengeResponseAuthentication to 'no'.
	262	UsePAM yes
	263	EOF
	264	}
	265
	266	fix_statoverride() {
	267	# Remove an erronous override for sshd (we should have overridden ssh)
	268	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
	269	dpkg-statoverride --remove /usr/sbin/sshd
	270	fi
	271	}
	272
	273	setup_sshd_user() {
	274	if ! getent passwd sshd >/dev/null; then
	275	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	276	fi
	277	}
	278
	279	if [ "$action" = configure ]; then
	280	create_sshdconfig
	281	create_keys
	282	fix_statoverride
	283	setup_sshd_user
	284	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
	285	if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
	286	rm -f /etc/ssh/primes
	287	fi
	288	if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
	289	rm -f /var/run/sshd/.placeholder
	290	fi
	291	if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
	292	which initctl >/dev/null && initctl version 2>/dev/null \| grep -q upstart && \
	293	! status ssh 2>/dev/null \| grep -q ' start/'; then
	294	# We must stop the sysvinit-controlled sshd before we can
	295	# restart it under Upstart.
	296	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid \|\| true
	297	fi
	298	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
	299	deb-systemd-helper debian-installed ssh.socket && \
	300	deb-systemd-helper --quiet was-enabled ssh.service && \
	301	deb-systemd-helper --quiet was-enabled ssh.socket; then
	302	# 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
	303	# enabled.
	304	deb-systemd-helper disable ssh.socket >/dev/null \|\| true
	305	fi
	306	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
	307	[ -d /run/systemd/system ]; then
	308	# We must stop the sysvinit-controlled sshd before we can
	309	# restart it under systemd.
	310	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd \|\| true
	311	fi
	312	if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
	313	[ "$(get_config_option PermitRootLogin)" = yes ] &&
	314	db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
	315	set_config_option PermitRootLogin prohibit-password
	316	fi
	317	if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
	318	[ "$(get_config_option PermitRootLogin)" = without-password ]; then
	319	set_config_option PermitRootLogin prohibit-password
	320	fi
	321	fi
	322
	323	#DEBHELPER#
	324
	325	db_stop
	326
	327	exit 0