diff options
Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r-- | debian/openssh-server.postinst | 322 |
1 files changed, 322 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..daa0f6796 --- /dev/null +++ b/debian/openssh-server.postinst | |||
@@ -0,0 +1,322 @@ | |||
1 | #!/bin/sh | ||
2 | set -e | ||
3 | |||
4 | . /usr/share/debconf/confmodule | ||
5 | db_version 2.0 | ||
6 | |||
7 | action="$1" | ||
8 | oldversion="$2" | ||
9 | |||
10 | umask 022 | ||
11 | |||
12 | |||
13 | get_config_option() { | ||
14 | option="$1" | ||
15 | |||
16 | [ -f /etc/ssh/sshd_config ] || return | ||
17 | |||
18 | # TODO: actually only one '=' allowed after option | ||
19 | perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \ | ||
20 | /etc/ssh/sshd_config | ||
21 | } | ||
22 | |||
23 | |||
24 | set_config_option() { | ||
25 | option="$1" | ||
26 | value="$2" | ||
27 | |||
28 | perl -le ' | ||
29 | $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; | ||
30 | while (<STDIN>) { | ||
31 | chomp; | ||
32 | (my $match = $_) =~ s/\s+/ /g; | ||
33 | if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) { | ||
34 | $_ = $match; | ||
35 | $done = 1; | ||
36 | } | ||
37 | print; | ||
38 | } | ||
39 | print "$option $value" unless $done;' \ | ||
40 | "$option" "$value" \ | ||
41 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
42 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
43 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
44 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
45 | } | ||
46 | |||
47 | |||
48 | rename_config_option() { | ||
49 | oldoption="$1" | ||
50 | newoption="$2" | ||
51 | |||
52 | value="$(get_config_option "$oldoption")" | ||
53 | [ "$value" ] || return 0 | ||
54 | |||
55 | perl -le ' | ||
56 | $oldoption = $ARGV[0]; $newoption = $ARGV[1]; | ||
57 | while (<STDIN>) { | ||
58 | chomp; | ||
59 | (my $match = $_) =~ s/\s+/ /g; | ||
60 | # TODO: actually only one "=" allowed after option | ||
61 | if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) { | ||
62 | $_ = $match; | ||
63 | } | ||
64 | print; | ||
65 | }' \ | ||
66 | "$oldoption" "$newoption" \ | ||
67 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
68 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
69 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
70 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
71 | } | ||
72 | |||
73 | |||
74 | host_keys_required() { | ||
75 | hostkeys="$(get_config_option HostKey)" | ||
76 | if [ "$hostkeys" ]; then | ||
77 | echo "$hostkeys" | ||
78 | else | ||
79 | # No HostKey directives at all, so the server picks some | ||
80 | # defaults depending on the setting of Protocol. | ||
81 | protocol="$(get_config_option Protocol)" | ||
82 | [ "$protocol" ] || protocol=1,2 | ||
83 | if echo "$protocol" | grep 1 >/dev/null; then | ||
84 | echo /etc/ssh/ssh_host_key | ||
85 | fi | ||
86 | if echo "$protocol" | grep 2 >/dev/null; then | ||
87 | echo /etc/ssh/ssh_host_rsa_key | ||
88 | echo /etc/ssh/ssh_host_dsa_key | ||
89 | echo /etc/ssh/ssh_host_ecdsa_key | ||
90 | echo /etc/ssh/ssh_host_ed25519_key | ||
91 | fi | ||
92 | fi | ||
93 | } | ||
94 | |||
95 | |||
96 | create_key() { | ||
97 | msg="$1" | ||
98 | shift | ||
99 | hostkeys="$1" | ||
100 | shift | ||
101 | file="$1" | ||
102 | shift | ||
103 | |||
104 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
105 | [ ! -f "$file" ] ; then | ||
106 | echo -n $msg | ||
107 | ssh-keygen -q -f "$file" -N '' "$@" | ||
108 | echo | ||
109 | if which restorecon >/dev/null 2>&1; then | ||
110 | restorecon "$file" "$file.pub" | ||
111 | fi | ||
112 | fi | ||
113 | } | ||
114 | |||
115 | |||
116 | create_keys() { | ||
117 | hostkeys="$(host_keys_required)" | ||
118 | |||
119 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
120 | "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | ||
121 | |||
122 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
123 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
124 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
125 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
126 | create_key "Creating SSH2 ECDSA key; this may take some time ..." \ | ||
127 | "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa | ||
128 | create_key "Creating SSH2 ED25519 key; this may take some time ..." \ | ||
129 | "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 | ||
130 | } | ||
131 | |||
132 | |||
133 | fix_loglevel_silent() { | ||
134 | if [ "$(get_config_option LogLevel)" = SILENT ]; then | ||
135 | set_config_option LogLevel QUIET | ||
136 | fi | ||
137 | } | ||
138 | |||
139 | |||
140 | update_server_key_bits() { | ||
141 | if [ "$(get_config_option ServerKeyBits)" = 768 ]; then | ||
142 | set_config_option ServerKeyBits 1024 | ||
143 | fi | ||
144 | } | ||
145 | |||
146 | |||
147 | create_sshdconfig() { | ||
148 | if [ -e /etc/ssh/sshd_config ] ; then | ||
149 | # Upgrade an existing sshd configuration. | ||
150 | |||
151 | # This option was renamed in 3.8p1, but we never took care | ||
152 | # of adjusting the configuration file until now. | ||
153 | if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then | ||
154 | rename_config_option KeepAlive TCPKeepAlive | ||
155 | fi | ||
156 | |||
157 | # 'LogLevel SILENT' is now equivalent to QUIET. | ||
158 | if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then | ||
159 | fix_loglevel_silent | ||
160 | fi | ||
161 | |||
162 | # Changed upstream in 5.1p1, but we forgot to update the | ||
163 | # package-generated configuration file until now. | ||
164 | if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then | ||
165 | update_server_key_bits | ||
166 | fi | ||
167 | |||
168 | return 0 | ||
169 | fi | ||
170 | |||
171 | cat <<EOF > /etc/ssh/sshd_config | ||
172 | # Package generated configuration file | ||
173 | # See the sshd_config(5) manpage for details | ||
174 | |||
175 | # What ports, IPs and protocols we listen for | ||
176 | Port 22 | ||
177 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
178 | #ListenAddress :: | ||
179 | #ListenAddress 0.0.0.0 | ||
180 | Protocol 2 | ||
181 | # HostKeys for protocol version 2 | ||
182 | HostKey /etc/ssh/ssh_host_rsa_key | ||
183 | HostKey /etc/ssh/ssh_host_dsa_key | ||
184 | HostKey /etc/ssh/ssh_host_ecdsa_key | ||
185 | HostKey /etc/ssh/ssh_host_ed25519_key | ||
186 | #Privilege Separation is turned on for security | ||
187 | UsePrivilegeSeparation yes | ||
188 | |||
189 | # Lifetime and size of ephemeral version 1 server key | ||
190 | KeyRegenerationInterval 3600 | ||
191 | ServerKeyBits 1024 | ||
192 | |||
193 | # Logging | ||
194 | SyslogFacility AUTH | ||
195 | LogLevel INFO | ||
196 | |||
197 | # Authentication: | ||
198 | LoginGraceTime 120 | ||
199 | PermitRootLogin without-password | ||
200 | StrictModes yes | ||
201 | |||
202 | RSAAuthentication yes | ||
203 | PubkeyAuthentication yes | ||
204 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
205 | |||
206 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
207 | IgnoreRhosts yes | ||
208 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
209 | RhostsRSAAuthentication no | ||
210 | # similar for protocol version 2 | ||
211 | HostbasedAuthentication no | ||
212 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
213 | #IgnoreUserKnownHosts yes | ||
214 | |||
215 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
216 | PermitEmptyPasswords no | ||
217 | |||
218 | # Change to yes to enable challenge-response passwords (beware issues with | ||
219 | # some PAM modules and threads) | ||
220 | ChallengeResponseAuthentication no | ||
221 | |||
222 | # Change to no to disable tunnelled clear text passwords | ||
223 | #PasswordAuthentication yes | ||
224 | |||
225 | # Kerberos options | ||
226 | #KerberosAuthentication no | ||
227 | #KerberosGetAFSToken no | ||
228 | #KerberosOrLocalPasswd yes | ||
229 | #KerberosTicketCleanup yes | ||
230 | |||
231 | # GSSAPI options | ||
232 | #GSSAPIAuthentication no | ||
233 | #GSSAPICleanupCredentials yes | ||
234 | |||
235 | X11Forwarding yes | ||
236 | X11DisplayOffset 10 | ||
237 | PrintMotd no | ||
238 | PrintLastLog yes | ||
239 | TCPKeepAlive yes | ||
240 | #UseLogin no | ||
241 | |||
242 | #MaxStartups 10:30:60 | ||
243 | #Banner /etc/issue.net | ||
244 | |||
245 | # Allow client to pass locale environment variables | ||
246 | AcceptEnv LANG LC_* | ||
247 | |||
248 | Subsystem sftp /usr/lib/openssh/sftp-server | ||
249 | |||
250 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
251 | # and session processing. If this is enabled, PAM authentication will | ||
252 | # be allowed through the ChallengeResponseAuthentication and | ||
253 | # PasswordAuthentication. Depending on your PAM configuration, | ||
254 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
255 | # the setting of "PermitRootLogin without-password". | ||
256 | # If you just want the PAM account and session checks to run without | ||
257 | # PAM authentication, then enable this but set PasswordAuthentication | ||
258 | # and ChallengeResponseAuthentication to 'no'. | ||
259 | UsePAM yes | ||
260 | EOF | ||
261 | } | ||
262 | |||
263 | fix_statoverride() { | ||
264 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
265 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
266 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
267 | dpkg-statoverride --remove /usr/sbin/sshd | ||
268 | fi | ||
269 | fi | ||
270 | } | ||
271 | |||
272 | setup_sshd_user() { | ||
273 | if ! getent passwd sshd >/dev/null; then | ||
274 | adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd | ||
275 | fi | ||
276 | } | ||
277 | |||
278 | if [ "$action" = configure ]; then | ||
279 | create_sshdconfig | ||
280 | create_keys | ||
281 | fix_statoverride | ||
282 | setup_sshd_user | ||
283 | # Renamed to /etc/ssh/moduli in 2.9.9 (!) | ||
284 | if dpkg --compare-versions "$2" lt 1:4.7p1-1; then | ||
285 | rm -f /etc/ssh/primes | ||
286 | fi | ||
287 | if dpkg --compare-versions "$2" lt 1:5.5p1-6; then | ||
288 | rm -f /var/run/sshd/.placeholder | ||
289 | fi | ||
290 | if dpkg --compare-versions "$2" lt 1:6.2p2-3 && \ | ||
291 | which initctl >/dev/null && initctl version | grep -q upstart && \ | ||
292 | ! status ssh 2>/dev/null | grep -q ' start/'; then | ||
293 | # We must stop the sysvinit-controlled sshd before we can | ||
294 | # restart it under Upstart. | ||
295 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true | ||
296 | fi | ||
297 | if dpkg --compare-versions "$2" lt 1:6.5p1-2 && \ | ||
298 | deb-systemd-helper debian-installed ssh.socket && \ | ||
299 | deb-systemd-helper --quiet was-enabled ssh.service && \ | ||
300 | deb-systemd-helper --quiet was-enabled ssh.socket; then | ||
301 | # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket | ||
302 | # enabled. | ||
303 | deb-systemd-helper disable ssh.socket >/dev/null || true | ||
304 | fi | ||
305 | if dpkg --compare-versions "$2" lt 1:6.5p1-3 && \ | ||
306 | [ -d /run/systemd/system ]; then | ||
307 | # We must stop the sysvinit-controlled sshd before we can | ||
308 | # restart it under systemd. | ||
309 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true | ||
310 | fi | ||
311 | if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \ | ||
312 | [ "$(get_config_option PermitRootLogin)" = yes ] && | ||
313 | db_get openssh-server/permit-root-login && [ "$RET" = true ]; then | ||
314 | set_config_option PermitRootLogin without-password | ||
315 | fi | ||
316 | fi | ||
317 | |||
318 | #DEBHELPER# | ||
319 | |||
320 | db_stop | ||
321 | |||
322 | exit 0 | ||