1 files changed, 16 insertions, 179 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 5635a60a6..391efc43b 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -23,56 +23,6 @@ get_config_option() {
 }
-set_config_option() {
-        option="$1"
-        value="$2"
-        perl -le '
-                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
-                while (<STDIN>) {
-                        chomp;
-                        (my $match = $_) =~ s/\s+/ /g;
-                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
-                                $_ = $match;
-                                $done = 1;
-                        }
-                        print;
-                }
-                print "$option $value" unless $done;' \
-                "$option" "$value" \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-rename_config_option() {
-        oldoption="$1"
-        newoption="$2"
-        value="$(get_config_option "$oldoption")"
-        [ "$value" ] || return 0
-        perl -le '
-                $oldoption = $ARGV[0]; $newoption = $ARGV[1];
-                while (<STDIN>) {
-                        chomp;
-                        (my $match = $_) =~ s/\s+/ /g;
-                        # TODO: actually only one "=" allowed after option
-                        if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
-                                $_ = $match;
-                        }
-                        print;
-                }' \
-                "$oldoption" "$newoption" \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
 host_keys_required() {
        hostkeys="$(get_config_option HostKey)"
        if [ "$hostkeys" ]; then
@@ -122,137 +72,24 @@ create_keys() {
 }
-fix_loglevel_silent() {
-        if [ "$(get_config_option LogLevel)" = SILENT ]; then
-                set_config_option LogLevel QUIET
-        fi
-}
-update_server_key_bits() {
-        if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
-                set_config_option ServerKeyBits 1024
-        fi
-}
 create_sshdconfig() {
-        if [ -e /etc/ssh/sshd_config ] ; then
+        # XXX cjwatson 2016-12-24: This debconf template is very confusingly
-            # Upgrade an existing sshd configuration.
+        # named; its description is "Disable SSH password authentication for
+        # root?", so true -> prohibit-password (the upstream default),
-            # This option was renamed in 3.8p1, but we never took care
+        # false -> yes.
-            # of adjusting the configuration file until now.
+        db_get openssh-server/permit-root-login
-            if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+        permit_root_login="$RET"
-                rename_config_option KeepAlive TCPKeepAlive
-            fi
+        new_config="$(tempfile)"
+        cp -a /usr/share/openssh/sshd_config "$new_config"
-            # 'LogLevel SILENT' is now equivalent to QUIET.
+        if [ "$permit_root_login" != true ]; then
-            if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+                sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
-                fix_loglevel_silent
+                        "$new_config"
-            fi
-            # Changed upstream in 5.1p1, but we forgot to update the
-            # package-generated configuration file until now.
-            if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
-                update_server_key_bits
-            fi
-            if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
-               [ "$(get_config_option PermitRootLogin)" = yes ] &&
-               db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
-                set_config_option PermitRootLogin prohibit-password
-            fi
-            if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
-               [ "$(get_config_option PermitRootLogin)" = without-password ]; then
-                set_config_option PermitRootLogin prohibit-password
-            fi
-            return 0
        fi
+        ucf --three-way --debconf-ok \
-        cat <<EOF > /etc/ssh/sshd_config
+                --sum-file /usr/share/openssh/sshd_config.md5sum \
-# Package generated configuration file
+                "$new_config" /etc/ssh/sshd_config
-# See the sshd_config(5) manpage for details
+        ucfr openssh-server /etc/ssh/sshd_config
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin prohibit-password
-StrictModes yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile     %h/.ssh/authorized_keys
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-Subsystem sftp /usr/lib/openssh/sftp-server
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-EOF
 }
 fix_statoverride() {

diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 5635a60a6..391efc43b 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst
@@ -23,56 +23,6 @@ get_config_option() {
23	}	23	}
24		24
25		25
26	set_config_option() {
27	option="$1"
28	value="$2"
29
30	perl -le '
31	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
32	while (<STDIN>) {
33	chomp;
34	(my $match = $_) =~ s/\s+/ /g;
35	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
36	$_ = $match;
37	$done = 1;
38	}
39	print;
40	}
41	print "$option $value" unless $done;' \
42	"$option" "$value" \
43	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
44	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
45	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
46	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
47	}
48
49
50	rename_config_option() {
51	oldoption="$1"
52	newoption="$2"
53
54	value="$(get_config_option "$oldoption")"
55	[ "$value" ] \|\| return 0
56
57	perl -le '
58	$oldoption = $ARGV[0]; $newoption = $ARGV[1];
59	while (<STDIN>) {
60	chomp;
61	(my $match = $_) =~ s/\s+/ /g;
62	# TODO: actually only one "=" allowed after option
63	if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
64	$_ = $match;
65	}
66	print;
67	}' \
68	"$oldoption" "$newoption" \
69	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
70	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
71	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
72	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
73	}
74
75
76	host_keys_required() {	26	host_keys_required() {
77	hostkeys="$(get_config_option HostKey)"	27	hostkeys="$(get_config_option HostKey)"
78	if [ "$hostkeys" ]; then	28	if [ "$hostkeys" ]; then
@@ -122,137 +72,24 @@ create_keys() {
122	}	72	}
123		73
124		74
125	fix_loglevel_silent() {
126	if [ "$(get_config_option LogLevel)" = SILENT ]; then
127	set_config_option LogLevel QUIET
128	fi
129	}
130
131
132	update_server_key_bits() {
133	if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
134	set_config_option ServerKeyBits 1024
135	fi
136	}
137
138
139	create_sshdconfig() {	75	create_sshdconfig() {
140	if [ -e /etc/ssh/sshd_config ] ; then	76	# XXX cjwatson 2016-12-24: This debconf template is very confusingly
141	# Upgrade an existing sshd configuration.	77	# named; its description is "Disable SSH password authentication for
142		78	# root?", so true -> prohibit-password (the upstream default),
143	# This option was renamed in 3.8p1, but we never took care	79	# false -> yes.
144	# of adjusting the configuration file until now.	80	db_get openssh-server/permit-root-login
145	if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then	81	permit_root_login="$RET"
146	rename_config_option KeepAlive TCPKeepAlive	82
147	fi	83	new_config="$(tempfile)"
148		84	cp -a /usr/share/openssh/sshd_config "$new_config"
149	# 'LogLevel SILENT' is now equivalent to QUIET.	85	if [ "$permit_root_login" != true ]; then
150	if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then	86	sed -i 's/^#PermitRootLogin ./PermitRootLogin yes/' \
151	fix_loglevel_silent	87	"$new_config"
152	fi
153
154	# Changed upstream in 5.1p1, but we forgot to update the
155	# package-generated configuration file until now.
156	if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
157	update_server_key_bits
158	fi
159
160	if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
161	[ "$(get_config_option PermitRootLogin)" = yes ] &&
162	db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
163	set_config_option PermitRootLogin prohibit-password
164	fi
165
166	if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
167	[ "$(get_config_option PermitRootLogin)" = without-password ]; then
168	set_config_option PermitRootLogin prohibit-password
169	fi
170
171	return 0
172	fi	88	fi
173		89	ucf --three-way --debconf-ok \
174	cat <<EOF > /etc/ssh/sshd_config	90	--sum-file /usr/share/openssh/sshd_config.md5sum \
175	# Package generated configuration file	91	"$new_config" /etc/ssh/sshd_config
176	# See the sshd_config(5) manpage for details	92	ucfr openssh-server /etc/ssh/sshd_config
177
178	# What ports, IPs and protocols we listen for
179	Port 22
180	# Use these options to restrict which interfaces/protocols sshd will bind to
181	#ListenAddress ::
182	#ListenAddress 0.0.0.0
183	Protocol 2
184	# HostKeys for protocol version 2
185	HostKey /etc/ssh/ssh_host_rsa_key
186	HostKey /etc/ssh/ssh_host_ecdsa_key
187	HostKey /etc/ssh/ssh_host_ed25519_key
188	#Privilege Separation is turned on for security
189	UsePrivilegeSeparation yes
190
191	# Logging
192	SyslogFacility AUTH
193	LogLevel INFO
194
195	# Authentication:
196	LoginGraceTime 120
197	PermitRootLogin prohibit-password
198	StrictModes yes
199
200	PubkeyAuthentication yes
201	#AuthorizedKeysFile %h/.ssh/authorized_keys
202
203	# Don't read the user's ~/.rhosts and ~/.shosts files
204	IgnoreRhosts yes
205	# For this to work you will also need host keys in /etc/ssh_known_hosts
206	HostbasedAuthentication no
207	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
208	#IgnoreUserKnownHosts yes
209
210	# To enable empty passwords, change to yes (NOT RECOMMENDED)
211	PermitEmptyPasswords no
212
213	# Change to yes to enable challenge-response passwords (beware issues with
214	# some PAM modules and threads)
215	ChallengeResponseAuthentication no
216
217	# Change to no to disable tunnelled clear text passwords
218	#PasswordAuthentication yes
219
220	# Kerberos options
221	#KerberosAuthentication no
222	#KerberosGetAFSToken no
223	#KerberosOrLocalPasswd yes
224	#KerberosTicketCleanup yes
225
226	# GSSAPI options
227	#GSSAPIAuthentication no
228	#GSSAPICleanupCredentials yes
229
230	X11Forwarding yes
231	X11DisplayOffset 10
232	PrintMotd no
233	PrintLastLog yes
234	TCPKeepAlive yes
235	#UseLogin no
236
237	#MaxStartups 10:30:60
238	#Banner /etc/issue.net
239
240	# Allow client to pass locale environment variables
241	AcceptEnv LANG LC_*
242
243	Subsystem sftp /usr/lib/openssh/sftp-server
244
245	# Set this to 'yes' to enable PAM authentication, account processing,
246	# and session processing. If this is enabled, PAM authentication will
247	# be allowed through the ChallengeResponseAuthentication and
248	# PasswordAuthentication. Depending on your PAM configuration,
249	# PAM authentication via ChallengeResponseAuthentication may bypass
250	# the setting of "PermitRootLogin without-password".
251	# If you just want the PAM account and session checks to run without
252	# PAM authentication, then enable this but set PasswordAuthentication
253	# and ChallengeResponseAuthentication to 'no'.
254	UsePAM yes
255	EOF
256	}	93	}
257		94
258	fix_statoverride() {	95	fix_statoverride() {