diff options
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 479 |
1 files changed, 479 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..b7ea210c4 --- /dev/null +++ b/debian/openssh-server.postinst | |||
@@ -0,0 +1,479 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | . /usr/share/debconf/confmodule | ||
7 | db_version 2.0 | ||
8 | |||
9 | umask 022 | ||
10 | |||
11 | if [ "$action" != configure ] | ||
12 | then | ||
13 | exit 0 | ||
14 | fi | ||
15 | |||
16 | |||
17 | fix_doc_symlink() { | ||
18 | if [ ! -L /usr/share/doc/openssh-server ] && \ | ||
19 | dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then | ||
20 | rm -rf /usr/share/doc/openssh-server | ||
21 | ln -s openssh-client /usr/share/doc/openssh-server | ||
22 | fi | ||
23 | } | ||
24 | |||
25 | check_idea_key() { | ||
26 | # check for old host_key files using IDEA, which openssh does not | ||
27 | # support | ||
28 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
29 | cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea | ||
30 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \ | ||
31 | grep -q 'unknown cipher' 2>/dev/null; then | ||
32 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
33 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
34 | fi | ||
35 | rm -f /etc/ssh/ssh_host_key.check_idea | ||
36 | fi | ||
37 | } | ||
38 | |||
39 | |||
40 | get_config_option() { | ||
41 | option="$1" | ||
42 | |||
43 | [ -f /etc/ssh/sshd_config ] || return | ||
44 | |||
45 | # TODO: actually only one '=' allowed after option | ||
46 | perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \ | ||
47 | /etc/ssh/sshd_config | ||
48 | } | ||
49 | |||
50 | |||
51 | set_config_option() { | ||
52 | option="$1" | ||
53 | value="$2" | ||
54 | |||
55 | perl -le ' | ||
56 | $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; | ||
57 | while (<STDIN>) { | ||
58 | chomp; | ||
59 | (my $match = $_) =~ s/\s+/ /g; | ||
60 | if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) { | ||
61 | $_ = $match; | ||
62 | $done = 1; | ||
63 | } | ||
64 | print; | ||
65 | } | ||
66 | print "$option $value" unless $done;' \ | ||
67 | "$option" "$value" \ | ||
68 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
69 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
70 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
71 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
72 | } | ||
73 | |||
74 | |||
75 | disable_config_option() { | ||
76 | option="$1" | ||
77 | |||
78 | value="$(get_config_option "$option")" | ||
79 | [ "$value" ] || return 0 | ||
80 | |||
81 | perl -le ' | ||
82 | $option = $ARGV[0]; | ||
83 | while (<STDIN>) { | ||
84 | chomp; | ||
85 | (my $match = $_) =~ s/\s+/ /g; | ||
86 | # TODO: actually only one "=" allowed after option | ||
87 | if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) { | ||
88 | $_ = $match; | ||
89 | } | ||
90 | print; | ||
91 | }' \ | ||
92 | "$option" \ | ||
93 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
94 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
95 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
96 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
97 | } | ||
98 | |||
99 | |||
100 | rename_config_option() { | ||
101 | oldoption="$1" | ||
102 | newoption="$2" | ||
103 | |||
104 | value="$(get_config_option "$oldoption")" | ||
105 | [ "$value" ] || return 0 | ||
106 | |||
107 | perl -le ' | ||
108 | $oldoption = $ARGV[0]; $newoption = $ARGV[1]; | ||
109 | while (<STDIN>) { | ||
110 | chomp; | ||
111 | (my $match = $_) =~ s/\s+/ /g; | ||
112 | # TODO: actually only one "=" allowed after option | ||
113 | if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) { | ||
114 | $_ = $match; | ||
115 | } | ||
116 | print; | ||
117 | }' \ | ||
118 | "$oldoption" "$newoption" \ | ||
119 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
120 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
121 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
122 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
123 | } | ||
124 | |||
125 | |||
126 | remove_obsolete_gssapi() { | ||
127 | disable_config_option GSSAPINoMICAuthentication | ||
128 | disable_config_option GSSUseSessionCCache | ||
129 | disable_config_option GSSAPIUseSessionCredCache | ||
130 | } | ||
131 | |||
132 | |||
133 | host_keys_required() { | ||
134 | hostkeys="$(get_config_option HostKey)" | ||
135 | if [ "$hostkeys" ]; then | ||
136 | echo "$hostkeys" | ||
137 | else | ||
138 | # No HostKey directives at all, so the server picks some | ||
139 | # defaults depending on the setting of Protocol. | ||
140 | protocol="$(get_config_option Protocol)" | ||
141 | [ "$protocol" ] || protocol=1,2 | ||
142 | if echo "$protocol" | grep 1 >/dev/null; then | ||
143 | echo /etc/ssh/ssh_host_key | ||
144 | fi | ||
145 | if echo "$protocol" | grep 2 >/dev/null; then | ||
146 | echo /etc/ssh/ssh_host_rsa_key | ||
147 | echo /etc/ssh/ssh_host_dsa_key | ||
148 | fi | ||
149 | fi | ||
150 | } | ||
151 | |||
152 | |||
153 | create_key() { | ||
154 | msg="$1" | ||
155 | shift | ||
156 | hostkeys="$1" | ||
157 | shift | ||
158 | file="$1" | ||
159 | shift | ||
160 | |||
161 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
162 | [ ! -f "$file" ] ; then | ||
163 | echo -n $msg | ||
164 | ssh-keygen -q -f "$file" -N '' "$@" | ||
165 | echo | ||
166 | if type restorecon >/dev/null 2>&1; then | ||
167 | restorecon "$file.pub" | ||
168 | fi | ||
169 | fi | ||
170 | } | ||
171 | |||
172 | |||
173 | create_keys() { | ||
174 | hostkeys="$(host_keys_required)" | ||
175 | |||
176 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
177 | "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | ||
178 | |||
179 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
180 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
181 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
182 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
183 | } | ||
184 | |||
185 | |||
186 | vulnerable_host_keys() { | ||
187 | # If the admin has explicitly put the vulnerable keys back, we | ||
188 | # assume they can look after themselves. | ||
189 | db_fget ssh/vulnerable_host_keys seen | ||
190 | if [ "$RET" = true ]; then | ||
191 | return 0 | ||
192 | fi | ||
193 | |||
194 | hostkeys="$(host_keys_required)" | ||
195 | vulnerable= | ||
196 | for hostkey in $hostkeys; do | ||
197 | [ -f "$hostkey" ] || continue | ||
198 | if ssh-vulnkey -q "$hostkey"; then | ||
199 | vulnerable="${vulnerable:+$vulnerable }$hostkey" | ||
200 | fi | ||
201 | done | ||
202 | if [ "$vulnerable" ]; then | ||
203 | db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable" | ||
204 | db_input critical ssh/vulnerable_host_keys || true | ||
205 | db_go | ||
206 | for hostkey in $vulnerable; do | ||
207 | mv "$hostkey" "$hostkey.broken" || true | ||
208 | mv "$hostkey.pub" "$hostkey.pub.broken" || true | ||
209 | done | ||
210 | create_keys | ||
211 | fi | ||
212 | } | ||
213 | |||
214 | |||
215 | check_password_auth() { | ||
216 | passwordauth="$(get_config_option PasswordAuthentication)" | ||
217 | crauth="$(get_config_option ChallengeResponseAuthentication)" | ||
218 | if [ "$passwordauth" = no ] && \ | ||
219 | ([ -z "$crauth" ] || [ "$crauth" = yes ]); then | ||
220 | db_get ssh/disable_cr_auth | ||
221 | if [ "$RET" = true ]; then | ||
222 | set_config_option ChallengeResponseAuthentication no | ||
223 | fi | ||
224 | fi | ||
225 | } | ||
226 | |||
227 | |||
228 | move_subsystem_sftp() { | ||
229 | subsystem_sftp="$(get_config_option 'Subsystem sftp')" | ||
230 | if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \ | ||
231 | [ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then | ||
232 | set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server | ||
233 | fi | ||
234 | } | ||
235 | |||
236 | |||
237 | create_sshdconfig() { | ||
238 | if [ -e /etc/ssh/sshd_config ] ; then | ||
239 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | ||
240 | db_get ssh/new_config | ||
241 | if [ "$RET" = "false" ] ; then return 0; fi | ||
242 | else | ||
243 | # Upgrade sshd configuration from a sane version. | ||
244 | |||
245 | if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ | ||
246 | ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ | ||
247 | grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ | ||
248 | /etc/ssh/sshd_config ; then | ||
249 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
250 | # Debian configuration. | ||
251 | # Note that --compare-versions is sadly not reliable enough | ||
252 | # here due to the package split of ssh into openssh-client | ||
253 | # and openssh-server. The extra grep for some deprecated | ||
254 | # options should with any luck be a good enough heuristic. | ||
255 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' | ||
256 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
257 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
258 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
259 | echo >> /etc/ssh/sshd_config.dpkg-new | ||
260 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
261 | chown --reference /etc/ssh/sshd_config \ | ||
262 | /etc/ssh/sshd_config.dpkg-new | ||
263 | chmod --reference /etc/ssh/sshd_config \ | ||
264 | /etc/ssh/sshd_config.dpkg-new | ||
265 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
266 | echo | ||
267 | fi | ||
268 | |||
269 | # An empty version means we're upgrading from before the | ||
270 | # package split, so check. | ||
271 | if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then | ||
272 | check_password_auth | ||
273 | fi | ||
274 | |||
275 | # libexecdir changed, so fix up 'Subsystem sftp'. | ||
276 | if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then | ||
277 | move_subsystem_sftp | ||
278 | fi | ||
279 | |||
280 | # Remove obsolete GSSAPI options. | ||
281 | if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then | ||
282 | remove_obsolete_gssapi | ||
283 | fi | ||
284 | |||
285 | # This option was renamed in 3.8p1, but we never took care | ||
286 | # of adjusting the configuration file until now. | ||
287 | if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then | ||
288 | rename_config_option KeepAlive TCPKeepAlive | ||
289 | fi | ||
290 | |||
291 | return 0 | ||
292 | fi | ||
293 | fi | ||
294 | |||
295 | #Preserve old sshd_config before generating a new one | ||
296 | if [ -e /etc/ssh/sshd_config ] ; then | ||
297 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
298 | fi | ||
299 | |||
300 | cat <<EOF > /etc/ssh/sshd_config | ||
301 | # Package generated configuration file | ||
302 | # See the sshd(8) manpage for details | ||
303 | |||
304 | # What ports, IPs and protocols we listen for | ||
305 | Port 22 | ||
306 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
307 | #ListenAddress :: | ||
308 | #ListenAddress 0.0.0.0 | ||
309 | Protocol 2 | ||
310 | # HostKeys for protocol version 2 | ||
311 | HostKey /etc/ssh/ssh_host_rsa_key | ||
312 | HostKey /etc/ssh/ssh_host_dsa_key | ||
313 | #Privilege Separation is turned on for security | ||
314 | UsePrivilegeSeparation yes | ||
315 | |||
316 | # Lifetime and size of ephemeral version 1 server key | ||
317 | KeyRegenerationInterval 3600 | ||
318 | ServerKeyBits 768 | ||
319 | |||
320 | # Logging | ||
321 | SyslogFacility AUTH | ||
322 | LogLevel INFO | ||
323 | |||
324 | # Authentication: | ||
325 | LoginGraceTime 120 | ||
326 | PermitRootLogin yes | ||
327 | StrictModes yes | ||
328 | |||
329 | RSAAuthentication yes | ||
330 | PubkeyAuthentication yes | ||
331 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
332 | |||
333 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
334 | IgnoreRhosts yes | ||
335 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
336 | RhostsRSAAuthentication no | ||
337 | # similar for protocol version 2 | ||
338 | HostbasedAuthentication no | ||
339 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
340 | #IgnoreUserKnownHosts yes | ||
341 | |||
342 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
343 | PermitEmptyPasswords no | ||
344 | |||
345 | # Change to yes to enable challenge-response passwords (beware issues with | ||
346 | # some PAM modules and threads) | ||
347 | ChallengeResponseAuthentication no | ||
348 | |||
349 | # Change to no to disable tunnelled clear text passwords | ||
350 | #PasswordAuthentication yes | ||
351 | |||
352 | # Kerberos options | ||
353 | #KerberosAuthentication no | ||
354 | #KerberosGetAFSToken no | ||
355 | #KerberosOrLocalPasswd yes | ||
356 | #KerberosTicketCleanup yes | ||
357 | |||
358 | # GSSAPI options | ||
359 | #GSSAPIAuthentication no | ||
360 | #GSSAPICleanupCredentials yes | ||
361 | |||
362 | X11Forwarding yes | ||
363 | X11DisplayOffset 10 | ||
364 | PrintMotd no | ||
365 | PrintLastLog yes | ||
366 | TCPKeepAlive yes | ||
367 | #UseLogin no | ||
368 | |||
369 | #MaxStartups 10:30:60 | ||
370 | #Banner /etc/issue.net | ||
371 | |||
372 | # Allow client to pass locale environment variables | ||
373 | AcceptEnv LANG LC_* | ||
374 | |||
375 | Subsystem sftp /usr/lib/openssh/sftp-server | ||
376 | |||
377 | UsePAM yes | ||
378 | EOF | ||
379 | } | ||
380 | |||
381 | fix_statoverride() { | ||
382 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
383 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
384 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
385 | dpkg-statoverride --remove /usr/sbin/sshd | ||
386 | fi | ||
387 | fi | ||
388 | } | ||
389 | |||
390 | fix_sshd_shell() { | ||
391 | if getent passwd sshd | grep -q ':/bin/false$'; then | ||
392 | usermod -s /usr/sbin/nologin sshd || true | ||
393 | fi | ||
394 | } | ||
395 | |||
396 | setup_sshd_user() { | ||
397 | if ! getent passwd sshd >/dev/null; then | ||
398 | adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd | ||
399 | fi | ||
400 | } | ||
401 | |||
402 | fix_conffile_permissions() { | ||
403 | # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg | ||
404 | # doesn't do this for us; see bug #192981. | ||
405 | chmod 644 /etc/default/ssh | ||
406 | } | ||
407 | |||
408 | remove_old_init_links() { | ||
409 | # Yes, this only works with the SysV init script layout. I know. | ||
410 | # The important thing is that it doesn't actually *break* with | ||
411 | # file-rc ... | ||
412 | if [ -e /etc/rc2.d/S20ssh ]; then | ||
413 | update-rc.d -f ssh remove >/dev/null 2>&1 | ||
414 | fi | ||
415 | rm -f /etc/rc0.d/K20ssh /etc/rc6.d/K20ssh | ||
416 | } | ||
417 | |||
418 | setup_init() { | ||
419 | if [ -x /etc/init.d/ssh ]; then | ||
420 | update-rc.d ssh start 16 2 3 4 5 . stop 84 1 . >/dev/null | ||
421 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
422 | invoke-rc.d ssh restart | ||
423 | else | ||
424 | /etc/init.d/ssh restart | ||
425 | fi | ||
426 | fi | ||
427 | } | ||
428 | |||
429 | commit_transfer_conffile () { | ||
430 | CONFFILE="$1" | ||
431 | if [ -e "$CONFFILE.moved-by-preinst" ]; then | ||
432 | rm -f "$CONFFILE.moved-by-preinst" | ||
433 | fi | ||
434 | } | ||
435 | |||
436 | commit_mv_conffile () { | ||
437 | OLDCONFFILE="$1" | ||
438 | NEWCONFFILE="$2" | ||
439 | |||
440 | if [ -e "$OLDCONFFILE.moving" ]; then | ||
441 | echo "Preserving user changes to $NEWCONFFILE ..." | ||
442 | mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new" | ||
443 | mv -f "$OLDCONFFILE.moving" "$NEWCONFFILE" | ||
444 | elif [ -e "$OLDCONFFILE.dpkg-old" ]; then | ||
445 | rm -f "$OLDCONFFILE.dpkg-old" | ||
446 | fi | ||
447 | } | ||
448 | |||
449 | |||
450 | fix_doc_symlink | ||
451 | create_sshdconfig | ||
452 | check_idea_key | ||
453 | create_keys | ||
454 | vulnerable_host_keys | ||
455 | fix_statoverride | ||
456 | if dpkg --compare-versions "$2" lt 1:4.3p2-3; then | ||
457 | fix_sshd_shell | ||
458 | fi | ||
459 | setup_sshd_user | ||
460 | if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then | ||
461 | fix_conffile_permissions | ||
462 | fi | ||
463 | if dpkg --compare-versions "$2" lt 1:4.6p1-1; then | ||
464 | remove_old_init_links | ||
465 | fi | ||
466 | setup_init | ||
467 | commit_transfer_conffile /etc/default/ssh | ||
468 | commit_transfer_conffile /etc/init.d/ssh | ||
469 | commit_transfer_conffile /etc/pam.d/ssh | ||
470 | commit_mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd | ||
471 | # Renamed to /etc/ssh/moduli in 2.9.9 (!) | ||
472 | if dpkg --compare-versions "$2" lt 1:4.7p1-1; then | ||
473 | rm -f /etc/ssh/primes | ||
474 | fi | ||
475 | |||
476 | |||
477 | db_stop | ||
478 | |||
479 | exit 0 | ||