Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r--debian/openssh-server.postinst479
1 files changed, 479 insertions, 0 deletions
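diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..b7ea210c4
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,479 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+umask 022
+
+if [ "$action" != configure ]
+ then
+ exit 0
+fi
+
+
+fix_doc_symlink() {
+ if [ ! -L /usr/share/doc/openssh-server ] && \
+ dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
+ rm -rf /usr/share/doc/openssh-server
+ ln -s openssh-client /usr/share/doc/openssh-server
+ fi
+}
+
+check_idea_key() {
+ # check for old host_key files using IDEA, which openssh does not
+ # support
+ if [ -f /etc/ssh/ssh_host_key ] ; then
+ cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
+ if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \
+ grep -q 'unknown cipher' 2>/dev/null; then
+ mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+ mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+ fi
+ rm -f /etc/ssh/ssh_host_key.check_idea
+ fi
+}
+
+
+get_config_option() {
+ option="$1"
+
+ [ -f /etc/ssh/sshd_config ] || return
+
+ # TODO: actually only one '=' allowed after option
+ perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
+ /etc/ssh/sshd_config
+}
+
+
+set_config_option() {
+ option="$1"
+ value="$2"
+
+ perl -le '
+ $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+ $_ = $match;
+ $done = 1;
+ }
+ print;
+ }
+ print "$option $value" unless $done;' \
+ "$option" "$value" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+disable_config_option() {
+ option="$1"
+
+ value="$(get_config_option "$option")"
+ [ "$value" ] || return 0
+
+ perl -le '
+ $option = $ARGV[0];
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ # TODO: actually only one "=" allowed after option
+ if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) {
+ $_ = $match;
+ }
+ print;
+ }' \
+ "$option" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+rename_config_option() {
+ oldoption="$1"
+ newoption="$2"
+
+ value="$(get_config_option "$oldoption")"
+ [ "$value" ] || return 0
+
+ perl -le '
+ $oldoption = $ARGV[0]; $newoption = $ARGV[1];
+ while (<STDIN>) {
+ chomp;
+ (my $match = $_) =~ s/\s+/ /g;
+ # TODO: actually only one "=" allowed after option
+ if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
+ $_ = $match;
+ }
+ print;
+ }' \
+ "$oldoption" "$newoption" \
+ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+
+
+remove_obsolete_gssapi() {
+ disable_config_option GSSAPINoMICAuthentication
+ disable_config_option GSSUseSessionCCache
+ disable_config_option GSSAPIUseSessionCredCache
+}
+
+
+host_keys_required() {
+ hostkeys="$(get_config_option HostKey)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
+ else
+ # No HostKey directives at all, so the server picks some
+ # defaults depending on the setting of Protocol.
+ protocol="$(get_config_option Protocol)"
+ [ "$protocol" ] || protocol=1,2
+ if echo "$protocol" | grep 1 >/dev/null; then
+ echo /etc/ssh/ssh_host_key
+ fi
+ if echo "$protocol" | grep 2 >/dev/null; then
+ echo /etc/ssh/ssh_host_rsa_key
+ echo /etc/ssh/ssh_host_dsa_key
+ fi
+ fi
+}
+
+
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ echo -n $msg
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if type restorecon >/dev/null 2>&1; then
+ restorecon "$file.pub"
+ fi
+ fi
+}
+
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating SSH1 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+
+ create_key "Creating SSH2 RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+ create_key "Creating SSH2 DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+
+
+vulnerable_host_keys() {
+ # If the admin has explicitly put the vulnerable keys back, we
+ # assume they can look after themselves.
+ db_fget ssh/vulnerable_host_keys seen
+ if [ "$RET" = true ]; then
+ return 0
+ fi
+
+ hostkeys="$(host_keys_required)"
+ vulnerable=
+ for hostkey in $hostkeys; do
+ [ -f "$hostkey" ] || continue
+ if ssh-vulnkey -q "$hostkey"; then
+ vulnerable="${vulnerable:+$vulnerable }$hostkey"
+ fi
+ done
+ if [ "$vulnerable" ]; then
+ db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
+ db_input critical ssh/vulnerable_host_keys || true
+ db_go
+ for hostkey in $vulnerable; do
+ mv "$hostkey" "$hostkey.broken" || true
+ mv "$hostkey.pub" "$hostkey.pub.broken" || true
+ done
+ create_keys
+ fi
+}
+
+
+check_password_auth() {
+ passwordauth="$(get_config_option PasswordAuthentication)"
+ crauth="$(get_config_option ChallengeResponseAuthentication)"
+ if [ "$passwordauth" = no ] && \
+ ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
+ db_get ssh/disable_cr_auth
+ if [ "$RET" = true ]; then
+ set_config_option ChallengeResponseAuthentication no
+ fi
+ fi
+}
+
+
+move_subsystem_sftp() {
+ subsystem_sftp="$(get_config_option 'Subsystem sftp')"
+ if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \
+ [ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
+ set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
+ fi
+}
+
+
+create_sshdconfig() {
+ if [ -e /etc/ssh/sshd_config ] ; then
+ if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+ db_get ssh/new_config
+ if [ "$RET" = "false" ] ; then return 0; fi
+ else
+ # Upgrade sshd configuration from a sane version.
+
+ if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+ ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
+ grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
+ /etc/ssh/sshd_config ; then
+ # Upgrade from pre-3.7: UsePAM needed to maintain standard
+ # Debian configuration.
+ # Note that --compare-versions is sadly not reliable enough
+ # here due to the package split of ssh into openssh-client
+ # and openssh-server. The extra grep for some deprecated
+ # options should with any luck be a good enough heuristic.
+ echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+ cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+ perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+ /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+ echo >> /etc/ssh/sshd_config.dpkg-new
+ echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+ chown --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ chmod --reference /etc/ssh/sshd_config \
+ /etc/ssh/sshd_config.dpkg-new
+ mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+ echo
+ fi
+
+ # An empty version means we're upgrading from before the
+ # package split, so check.
+ if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
+ check_password_auth
+ fi
+
+ # libexecdir changed, so fix up 'Subsystem sftp'.
+ if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
+ move_subsystem_sftp
+ fi
+
+ # Remove obsolete GSSAPI options.
+ if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
+ remove_obsolete_gssapi
+ fi
+
+ # This option was renamed in 3.8p1, but we never took care
+ # of adjusting the configuration file until now.
+ if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+ rename_config_option KeepAlive TCPKeepAlive
+ fi
+
+ return 0
+ fi
+ fi
+
+ #Preserve old sshd_config before generating a new one
+ if [ -e /etc/ssh/sshd_config ] ; then
+ mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+ fi
+
+ cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+EOF
+}
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+ if [ -x /usr/sbin/dpkg-statoverride ]; then
+ if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+ dpkg-statoverride --remove /usr/sbin/sshd
+ fi
+ fi
+}
+
+fix_sshd_shell() {
+ if getent passwd sshd | grep -q ':/bin/false$'; then
+ usermod -s /usr/sbin/nologin sshd || true
+ fi
+}
+
+setup_sshd_user() {
+ if ! getent passwd sshd >/dev/null; then
+ adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+ fi
+}
+
+fix_conffile_permissions() {
+ # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
+ # doesn't do this for us; see bug #192981.
+ chmod 644 /etc/default/ssh
+}
+
+remove_old_init_links() {
+ # Yes, this only works with the SysV init script layout. I know.
+ # The important thing is that it doesn't actually *break* with
+ # file-rc ...
+ if [ -e /etc/rc2.d/S20ssh ]; then
+ update-rc.d -f ssh remove >/dev/null 2>&1
+ fi
+ rm -f /etc/rc0.d/K20ssh /etc/rc6.d/K20ssh
+}
+
+setup_init() {
+ if [ -x /etc/init.d/ssh ]; then
+ update-rc.d ssh start 16 2 3 4 5 . stop 84 1 . >/dev/null
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d ssh restart
+ else
+ /etc/init.d/ssh restart
+ fi
+ fi
+}
+
+commit_transfer_conffile () {
+ CONFFILE="$1"
+ if [ -e "$CONFFILE.moved-by-preinst" ]; then
+ rm -f "$CONFFILE.moved-by-preinst"
+ fi
+}
+
+commit_mv_conffile () {
+ OLDCONFFILE="$1"
+ NEWCONFFILE="$2"
+
+ if [ -e "$OLDCONFFILE.moving" ]; then
+ echo "Preserving user changes to $NEWCONFFILE ..."
+ mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
+ mv -f "$OLDCONFFILE.moving" "$NEWCONFFILE"
+ elif [ -e "$OLDCONFFILE.dpkg-old" ]; then
+ rm -f "$OLDCONFFILE.dpkg-old"
+ fi
+}
+
+
+fix_doc_symlink
+create_sshdconfig
+check_idea_key
+create_keys
+vulnerable_host_keys
+fix_statoverride
+if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
+ fix_sshd_shell
+fi
+setup_sshd_user
+if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
+ fix_conffile_permissions
+fi
+if dpkg --compare-versions "$2" lt 1:4.6p1-1; then
+ remove_old_init_links
+fi
+setup_init
+commit_transfer_conffile /etc/default/ssh
+commit_transfer_conffile /etc/init.d/ssh
+commit_transfer_conffile /etc/pam.d/ssh
+commit_mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd
+# Renamed to /etc/ssh/moduli in 2.9.9 (!)
+if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
+ rm -f /etc/ssh/primes
+fi
+
+
+db_stop
+
+exit 0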
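Review bot: set_config_option matches the keyword case-sensitively and only when whitespace follows it (`s/^\s*\Q$option\E\s+.*/$option $value/`), while get_config_option matches with `/i` and also accepts `=` as the separator. sshd_config keywords are case-insensitive and sshd keeps the first value it reads for a keyword, so when check_password_auth finds `challengeresponseauthentication yes` (or `ChallengeResponseAuthentication=yes`) the substitution misses, `ChallengeResponseAuthentication no` is appended at the end of the file, and the earlier `yes` stays in effect even though the admin asked for it to be disabled. I would make the two helpers agree: `if ($match =~ s/^\s*\Q$option\E[[:space:]=]+.*/$option $value/i) {`. get_config_option also splices `$option` into the pattern unquoted; passing it as an argument and matching with `\Q$option\E`, as the other helpers already do, would keep it correct if it is ever called with a name that is not a fixed literal.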