summaryrefslogtreecommitdiff
path: root/debian/openssh-server.postinst
diff options
context:
space:
mode:
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r--debian/openssh-server.postinst312
1 files changed, 312 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..0189f5fbb
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,312 @@
1#!/bin/sh
2set -e
3
4action="$1"
5oldversion="$2"
6
7umask 022
8
9
10get_config_option() {
11 option="$1"
12
13 [ -f /etc/ssh/sshd_config ] || return
14
15 # TODO: actually only one '=' allowed after option
16 perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
17 /etc/ssh/sshd_config
18}
19
20
21set_config_option() {
22 option="$1"
23 value="$2"
24
25 perl -le '
26 $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
27 while (<STDIN>) {
28 chomp;
29 (my $match = $_) =~ s/\s+/ /g;
30 if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
31 $_ = $match;
32 $done = 1;
33 }
34 print;
35 }
36 print "$option $value" unless $done;' \
37 "$option" "$value" \
38 < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
39 chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
40 chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
41 mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
42}
43
44
45rename_config_option() {
46 oldoption="$1"
47 newoption="$2"
48
49 value="$(get_config_option "$oldoption")"
50 [ "$value" ] || return 0
51
52 perl -le '
53 $oldoption = $ARGV[0]; $newoption = $ARGV[1];
54 while (<STDIN>) {
55 chomp;
56 (my $match = $_) =~ s/\s+/ /g;
57 # TODO: actually only one "=" allowed after option
58 if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
59 $_ = $match;
60 }
61 print;
62 }' \
63 "$oldoption" "$newoption" \
64 < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
65 chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
66 chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
67 mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
68}
69
70
71host_keys_required() {
72 hostkeys="$(get_config_option HostKey)"
73 if [ "$hostkeys" ]; then
74 echo "$hostkeys"
75 else
76 # No HostKey directives at all, so the server picks some
77 # defaults depending on the setting of Protocol.
78 protocol="$(get_config_option Protocol)"
79 [ "$protocol" ] || protocol=1,2
80 if echo "$protocol" | grep 1 >/dev/null; then
81 echo /etc/ssh/ssh_host_key
82 fi
83 if echo "$protocol" | grep 2 >/dev/null; then
84 echo /etc/ssh/ssh_host_rsa_key
85 echo /etc/ssh/ssh_host_dsa_key
86 echo /etc/ssh/ssh_host_ecdsa_key
87 echo /etc/ssh/ssh_host_ed25519_key
88 fi
89 fi
90}
91
92
93create_key() {
94 msg="$1"
95 shift
96 hostkeys="$1"
97 shift
98 file="$1"
99 shift
100
101 if echo "$hostkeys" | grep -x "$file" >/dev/null && \
102 [ ! -f "$file" ] ; then
103 echo -n $msg
104 ssh-keygen -q -f "$file" -N '' "$@"
105 echo
106 if which restorecon >/dev/null 2>&1; then
107 restorecon "$file" "$file.pub"
108 fi
109 fi
110}
111
112
113create_keys() {
114 hostkeys="$(host_keys_required)"
115
116 create_key "Creating SSH1 key; this may take some time ..." \
117 "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
118
119 create_key "Creating SSH2 RSA key; this may take some time ..." \
120 "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
121 create_key "Creating SSH2 DSA key; this may take some time ..." \
122 "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
123 create_key "Creating SSH2 ECDSA key; this may take some time ..." \
124 "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
125 create_key "Creating SSH2 ED25519 key; this may take some time ..." \
126 "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
127}
128
129
130fix_loglevel_silent() {
131 if [ "$(get_config_option LogLevel)" = SILENT ]; then
132 set_config_option LogLevel QUIET
133 fi
134}
135
136
137update_server_key_bits() {
138 if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
139 set_config_option ServerKeyBits 1024
140 fi
141}
142
143
144create_sshdconfig() {
145 if [ -e /etc/ssh/sshd_config ] ; then
146 # Upgrade an existing sshd configuration.
147
148 # This option was renamed in 3.8p1, but we never took care
149 # of adjusting the configuration file until now.
150 if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
151 rename_config_option KeepAlive TCPKeepAlive
152 fi
153
154 # 'LogLevel SILENT' is now equivalent to QUIET.
155 if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
156 fix_loglevel_silent
157 fi
158
159 # Changed upstream in 5.1p1, but we forgot to update the
160 # package-generated configuration file until now.
161 if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
162 update_server_key_bits
163 fi
164
165 return 0
166 fi
167
168 cat <<EOF > /etc/ssh/sshd_config
169# Package generated configuration file
170# See the sshd_config(5) manpage for details
171
172# What ports, IPs and protocols we listen for
173Port 22
174# Use these options to restrict which interfaces/protocols sshd will bind to
175#ListenAddress ::
176#ListenAddress 0.0.0.0
177Protocol 2
178# HostKeys for protocol version 2
179HostKey /etc/ssh/ssh_host_rsa_key
180HostKey /etc/ssh/ssh_host_dsa_key
181HostKey /etc/ssh/ssh_host_ecdsa_key
182HostKey /etc/ssh/ssh_host_ed25519_key
183#Privilege Separation is turned on for security
184UsePrivilegeSeparation yes
185
186# Lifetime and size of ephemeral version 1 server key
187KeyRegenerationInterval 3600
188ServerKeyBits 1024
189
190# Logging
191SyslogFacility AUTH
192LogLevel INFO
193
194# Authentication:
195LoginGraceTime 120
196PermitRootLogin yes
197StrictModes yes
198
199RSAAuthentication yes
200PubkeyAuthentication yes
201#AuthorizedKeysFile %h/.ssh/authorized_keys
202
203# Don't read the user's ~/.rhosts and ~/.shosts files
204IgnoreRhosts yes
205# For this to work you will also need host keys in /etc/ssh_known_hosts
206RhostsRSAAuthentication no
207# similar for protocol version 2
208HostbasedAuthentication no
209# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
210#IgnoreUserKnownHosts yes
211
212# To enable empty passwords, change to yes (NOT RECOMMENDED)
213PermitEmptyPasswords no
214
215# Change to yes to enable challenge-response passwords (beware issues with
216# some PAM modules and threads)
217ChallengeResponseAuthentication no
218
219# Change to no to disable tunnelled clear text passwords
220#PasswordAuthentication yes
221
222# Kerberos options
223#KerberosAuthentication no
224#KerberosGetAFSToken no
225#KerberosOrLocalPasswd yes
226#KerberosTicketCleanup yes
227
228# GSSAPI options
229#GSSAPIAuthentication no
230#GSSAPICleanupCredentials yes
231
232X11Forwarding yes
233X11DisplayOffset 10
234PrintMotd no
235PrintLastLog yes
236TCPKeepAlive yes
237#UseLogin no
238
239#MaxStartups 10:30:60
240#Banner /etc/issue.net
241
242# Allow client to pass locale environment variables
243AcceptEnv LANG LC_*
244
245Subsystem sftp /usr/lib/openssh/sftp-server
246
247# Set this to 'yes' to enable PAM authentication, account processing,
248# and session processing. If this is enabled, PAM authentication will
249# be allowed through the ChallengeResponseAuthentication and
250# PasswordAuthentication. Depending on your PAM configuration,
251# PAM authentication via ChallengeResponseAuthentication may bypass
252# the setting of "PermitRootLogin without-password".
253# If you just want the PAM account and session checks to run without
254# PAM authentication, then enable this but set PasswordAuthentication
255# and ChallengeResponseAuthentication to 'no'.
256UsePAM yes
257EOF
258}
259
260fix_statoverride() {
261# Remove an erronous override for sshd (we should have overridden ssh)
262 if [ -x /usr/sbin/dpkg-statoverride ]; then
263 if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
264 dpkg-statoverride --remove /usr/sbin/sshd
265 fi
266 fi
267}
268
269setup_sshd_user() {
270 if ! getent passwd sshd >/dev/null; then
271 adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
272 fi
273}
274
275if [ "$action" = configure ]; then
276 create_sshdconfig
277 create_keys
278 fix_statoverride
279 setup_sshd_user
280 # Renamed to /etc/ssh/moduli in 2.9.9 (!)
281 if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
282 rm -f /etc/ssh/primes
283 fi
284 if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
285 rm -f /var/run/sshd/.placeholder
286 fi
287 if dpkg --compare-versions "$2" lt 1:6.2p2-3 && \
288 which initctl >/dev/null && initctl version | grep -q upstart && \
289 ! status ssh 2>/dev/null | grep -q ' start/'; then
290 # We must stop the sysvinit-controlled sshd before we can
291 # restart it under Upstart.
292 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
293 fi
294 if dpkg --compare-versions "$2" lt 1:6.5p1-2 && \
295 deb-systemd-helper debian-installed ssh.socket && \
296 deb-systemd-helper --quiet was-enabled ssh.service && \
297 deb-systemd-helper --quiet was-enabled ssh.socket; then
298 # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
299 # enabled.
300 deb-systemd-helper disable ssh.socket >/dev/null || true
301 fi
302 if dpkg --compare-versions "$2" lt 1:6.5p1-3 && \
303 [ -d /run/systemd/system ]; then
304 # We must stop the sysvinit-controlled sshd before we can
305 # restart it under systemd.
306 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
307 fi
308fi
309
310#DEBHELPER#
311
312exit 0