1 files changed, 326 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 000000000..94461083e
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,326 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+. /usr/share/debconf/confmodule
+db_version 2.0
+umask 022
+get_config_option() {
+        option="$1"
+        [ -f /etc/ssh/sshd_config ] || return
+        # TODO: actually only one '=' allowed after option
+        perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+set_config_option() {
+        option="$1"
+        value="$2"
+        perl -le '
+                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
+                                $_ = $match;
+                                $done = 1;
+                        }
+                        print;
+                }
+                print "$option $value" unless $done;' \
+                "$option" "$value" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+rename_config_option() {
+        oldoption="$1"
+        newoption="$2"
+        value="$(get_config_option "$oldoption")"
+        [ "$value" ] || return 0
+        perl -le '
+                $oldoption = $ARGV[0]; $newoption = $ARGV[1];
+                while (<STDIN>) {
+                        chomp;
+                        (my $match = $_) =~ s/\s+/ /g;
+                        # TODO: actually only one "=" allowed after option
+                        if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
+                                $_ = $match;
+                        }
+                        print;
+                }' \
+                "$oldoption" "$newoption" \
+                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
+        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                        echo /etc/ssh/ssh_host_ecdsa_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+                if which restorecon >/dev/null 2>&1; then
+                        restorecon "$file.pub"
+                fi
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+        create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+}
+vulnerable_host_keys() {
+        # If the admin has explicitly put the vulnerable keys back, we
+        # assume they can look after themselves.
+        db_fget ssh/vulnerable_host_keys seen
+        if [ "$RET" = true ]; then
+                return 0
+        fi
+        hostkeys="$(host_keys_required)"
+        vulnerable=
+        for hostkey in $hostkeys; do
+                [ -f "$hostkey" ] || continue
+                if ssh-vulnkey -q "$hostkey"; then
+                        vulnerable="${vulnerable:+$vulnerable }$hostkey"
+                fi
+        done
+        if [ "$vulnerable" ]; then
+                db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
+                db_input critical ssh/vulnerable_host_keys || true
+                db_go
+                for hostkey in $vulnerable; do
+                        mv "$hostkey" "$hostkey.broken" || true
+                        mv "$hostkey.pub" "$hostkey.pub.broken" || true
+                done
+                create_keys
+        fi
+}
+fix_loglevel_silent() {
+        if [ "$(get_config_option LogLevel)" = SILENT ]; then
+                set_config_option LogLevel QUIET
+        fi
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            # Upgrade an existing sshd configuration.
+            # This option was renamed in 3.8p1, but we never took care
+            # of adjusting the configuration file until now.
+            if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+                rename_config_option KeepAlive TCPKeepAlive
+            fi
+            # 'LogLevel SILENT' is now equivalent to QUIET.
+            if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+                fix_loglevel_silent
+            fi
+            return 0
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+EOF
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+        fi
+}
+remove_old_init_links() {
+        # Yes, this only works with the SysV init script layout. I know.
+        # The important thing is that it doesn't actually *break* with
+        # file-rc ...
+        if [ -e /etc/rc2.d/S20ssh ]; then
+                update-rc.d -f ssh remove >/dev/null 2>&1
+        fi
+        rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
+}
+if [ "$action" = configure ]; then
+        create_sshdconfig
+        create_keys
+        vulnerable_host_keys
+        fix_statoverride
+        setup_sshd_user
+        if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
+            remove_old_init_links
+        fi
+        # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+        if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
+            rm -f /etc/ssh/primes
+        fi
+        if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
+            rm -f /var/run/sshd/.placeholder
+        fi
+        # Clean up old debconf templates.
+        db_unregister ssh/use_old_init_script
+        db_unregister ssh/encrypted_host_key_but_no_keygen
+        db_unregister ssh/disable_cr_auth
+fi
+#DEBHELPER#
+db_stop
+exit 0

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..94461083e --- /dev/null +++ b/debian/openssh-server.postinst
@@ -0,0 +1,326 @@
	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11
	12	get_config_option() {
	13	option="$1"
	14
	15	[ -f /etc/ssh/sshd_config ] \|\| return
	16
	17	# TODO: actually only one '=' allowed after option
	18	perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
	19	/etc/ssh/sshd_config
	20	}
	21
	22
	23	set_config_option() {
	24	option="$1"
	25	value="$2"
	26
	27	perl -le '
	28	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
	29	while (<STDIN>) {
	30	chomp;
	31	(my $match = $_) =~ s/\s+/ /g;
	32	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
	33	$_ = $match;
	34	$done = 1;
	35	}
	36	print;
	37	}
	38	print "$option $value" unless $done;' \
	39	"$option" "$value" \
	40	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	41	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	42	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	43	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	44	}
	45
	46
	47	rename_config_option() {
	48	oldoption="$1"
	49	newoption="$2"
	50
	51	value="$(get_config_option "$oldoption")"
	52	[ "$value" ] \|\| return 0
	53
	54	perl -le '
	55	$oldoption = $ARGV[0]; $newoption = $ARGV[1];
	56	while (<STDIN>) {
	57	chomp;
	58	(my $match = $_) =~ s/\s+/ /g;
	59	# TODO: actually only one "=" allowed after option
	60	if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
	61	$_ = $match;
	62	}
	63	print;
	64	}' \
	65	"$oldoption" "$newoption" \
	66	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	67	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	68	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	69	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	70	}
	71
	72
	73	host_keys_required() {
	74	hostkeys="$(get_config_option HostKey)"
	75	if [ "$hostkeys" ]; then
	76	echo "$hostkeys"
	77	else
	78	# No HostKey directives at all, so the server picks some
	79	# defaults depending on the setting of Protocol.
	80	protocol="$(get_config_option Protocol)"
	81	[ "$protocol" ] \|\| protocol=1,2
	82	if echo "$protocol" \| grep 1 >/dev/null; then
	83	echo /etc/ssh/ssh_host_key
	84	fi
	85	if echo "$protocol" \| grep 2 >/dev/null; then
	86	echo /etc/ssh/ssh_host_rsa_key
	87	echo /etc/ssh/ssh_host_dsa_key
	88	echo /etc/ssh/ssh_host_ecdsa_key
	89	fi
	90	fi
	91	}
	92
	93
	94	create_key() {
	95	msg="$1"
	96	shift
	97	hostkeys="$1"
	98	shift
	99	file="$1"
	100	shift
	101
	102	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	103	[ ! -f "$file" ] ; then
	104	echo -n $msg
	105	ssh-keygen -q -f "$file" -N '' "$@"
	106	echo
	107	if which restorecon >/dev/null 2>&1; then
	108	restorecon "$file.pub"
	109	fi
	110	fi
	111	}
	112
	113
	114	create_keys() {
	115	hostkeys="$(host_keys_required)"
	116
	117	create_key "Creating SSH1 key; this may take some time ..." \
	118	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	119
	120	create_key "Creating SSH2 RSA key; this may take some time ..." \
	121	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	122	create_key "Creating SSH2 DSA key; this may take some time ..." \
	123	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	124	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
	125	"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	126	}
	127
	128
	129	vulnerable_host_keys() {
	130	# If the admin has explicitly put the vulnerable keys back, we
	131	# assume they can look after themselves.
	132	db_fget ssh/vulnerable_host_keys seen
	133	if [ "$RET" = true ]; then
	134	return 0
	135	fi
	136
	137	hostkeys="$(host_keys_required)"
	138	vulnerable=
	139	for hostkey in $hostkeys; do
	140	[ -f "$hostkey" ] \|\| continue
	141	if ssh-vulnkey -q "$hostkey"; then
	142	vulnerable="${vulnerable:+$vulnerable }$hostkey"
	143	fi
	144	done
	145	if [ "$vulnerable" ]; then
	146	db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
	147	db_input critical ssh/vulnerable_host_keys \|\| true
	148	db_go
	149	for hostkey in $vulnerable; do
	150	mv "$hostkey" "$hostkey.broken" \|\| true
	151	mv "$hostkey.pub" "$hostkey.pub.broken" \|\| true
	152	done
	153	create_keys
	154	fi
	155	}
	156
	157
	158	fix_loglevel_silent() {
	159	if [ "$(get_config_option LogLevel)" = SILENT ]; then
	160	set_config_option LogLevel QUIET
	161	fi
	162	}
	163
	164
	165	create_sshdconfig() {
	166	if [ -e /etc/ssh/sshd_config ] ; then
	167	# Upgrade an existing sshd configuration.
	168
	169	# This option was renamed in 3.8p1, but we never took care
	170	# of adjusting the configuration file until now.
	171	if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
	172	rename_config_option KeepAlive TCPKeepAlive
	173	fi
	174
	175	# 'LogLevel SILENT' is now equivalent to QUIET.
	176	if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
	177	fix_loglevel_silent
	178	fi
	179
	180	return 0
	181	fi
	182
	183	cat <<EOF > /etc/ssh/sshd_config
	184	# Package generated configuration file
	185	# See the sshd_config(5) manpage for details
	186
	187	# What ports, IPs and protocols we listen for
	188	Port 22
	189	# Use these options to restrict which interfaces/protocols sshd will bind to
	190	#ListenAddress ::
	191	#ListenAddress 0.0.0.0
	192	Protocol 2
	193	# HostKeys for protocol version 2
	194	HostKey /etc/ssh/ssh_host_rsa_key
	195	HostKey /etc/ssh/ssh_host_dsa_key
	196	HostKey /etc/ssh/ssh_host_ecdsa_key
	197	#Privilege Separation is turned on for security
	198	UsePrivilegeSeparation yes
	199
	200	# Lifetime and size of ephemeral version 1 server key
	201	KeyRegenerationInterval 3600
	202	ServerKeyBits 768
	203
	204	# Logging
	205	SyslogFacility AUTH
	206	LogLevel INFO
	207
	208	# Authentication:
	209	LoginGraceTime 120
	210	PermitRootLogin yes
	211	StrictModes yes
	212
	213	RSAAuthentication yes
	214	PubkeyAuthentication yes
	215	#AuthorizedKeysFile %h/.ssh/authorized_keys
	216
	217	# Don't read the user's ~/.rhosts and ~/.shosts files
	218	IgnoreRhosts yes
	219	# For this to work you will also need host keys in /etc/ssh_known_hosts
	220	RhostsRSAAuthentication no
	221	# similar for protocol version 2
	222	HostbasedAuthentication no
	223	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	224	#IgnoreUserKnownHosts yes
	225
	226	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	227	PermitEmptyPasswords no
	228
	229	# Change to yes to enable challenge-response passwords (beware issues with
	230	# some PAM modules and threads)
	231	ChallengeResponseAuthentication no
	232
	233	# Change to no to disable tunnelled clear text passwords
	234	#PasswordAuthentication yes
	235
	236	# Kerberos options
	237	#KerberosAuthentication no
	238	#KerberosGetAFSToken no
	239	#KerberosOrLocalPasswd yes
	240	#KerberosTicketCleanup yes
	241
	242	# GSSAPI options
	243	#GSSAPIAuthentication no
	244	#GSSAPICleanupCredentials yes
	245
	246	X11Forwarding yes
	247	X11DisplayOffset 10
	248	PrintMotd no
	249	PrintLastLog yes
	250	TCPKeepAlive yes
	251	#UseLogin no
	252
	253	#MaxStartups 10:30:60
	254	#Banner /etc/issue.net
	255
	256	# Allow client to pass locale environment variables
	257	AcceptEnv LANG LC_*
	258
	259	Subsystem sftp /usr/lib/openssh/sftp-server
	260
	261	# Set this to 'yes' to enable PAM authentication, account processing,
	262	# and session processing. If this is enabled, PAM authentication will
	263	# be allowed through the ChallengeResponseAuthentication and
	264	# PasswordAuthentication. Depending on your PAM configuration,
	265	# PAM authentication via ChallengeResponseAuthentication may bypass
	266	# the setting of "PermitRootLogin without-password".
	267	# If you just want the PAM account and session checks to run without
	268	# PAM authentication, then enable this but set PasswordAuthentication
	269	# and ChallengeResponseAuthentication to 'no'.
	270	UsePAM yes
	271	EOF
	272	}
	273
	274	fix_statoverride() {
	275	# Remove an erronous override for sshd (we should have overridden ssh)
	276	if [ -x /usr/sbin/dpkg-statoverride ]; then
	277	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	278	dpkg-statoverride --remove /usr/sbin/sshd
	279	fi
	280	fi
	281	}
	282
	283	setup_sshd_user() {
	284	if ! getent passwd sshd >/dev/null; then
	285	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	286	fi
	287	}
	288
	289	remove_old_init_links() {
	290	# Yes, this only works with the SysV init script layout. I know.
	291	# The important thing is that it doesn't actually break with
	292	# file-rc ...
	293	if [ -e /etc/rc2.d/S20ssh ]; then
	294	update-rc.d -f ssh remove >/dev/null 2>&1
	295	fi
	296	rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
	297	}
	298
	299	if [ "$action" = configure ]; then
	300	create_sshdconfig
	301	create_keys
	302	vulnerable_host_keys
	303	fix_statoverride
	304	setup_sshd_user
	305	if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
	306	remove_old_init_links
	307	fi
	308	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
	309	if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
	310	rm -f /etc/ssh/primes
	311	fi
	312	if dpkg --compare-versions "$2" lt 1:5.5p1-6; then
	313	rm -f /var/run/sshd/.placeholder
	314	fi
	315
	316	# Clean up old debconf templates.
	317	db_unregister ssh/use_old_init_script
	318	db_unregister ssh/encrypted_host_key_but_no_keygen
	319	db_unregister ssh/disable_cr_auth
	320	fi
	321
	322	#DEBHELPER#
	323
	324	db_stop
	325
	326	exit 0