Diffstat (limited to 'debian/postinst')
-rw-r--r-- | debian/postinst | 342 |
1 files changed, 342 insertions, 0 deletions
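diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..4d3598a31
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,342 @@
+#!/bin/sh -e
+
+action="$1"
+oldversion="$2"
+
+test -e /usr/share/debconf/confmodule && {
+. /usr/share/debconf/confmodule
+db_version 2.0
+}
+
+umask 022
+
+if [ "$action" != configure ]
+then
+exit 0
+fi
+
+
+
+check_idea_key() {
+#check for old host_key files using IDEA, which openssh does not support
+if [ -f /etc/ssh/ssh_host_key ] ; then
+if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+grep -q 'unknown cipher' 2>/dev/null ; then
+mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+fi
+fi
+}
+
+
+create_key() {
+local msg="$1"
+shift
+local file="$1"
+shift
+
+if [ ! -f "$file" ] ; then
+echo -n $msg
+ssh-keygen -q -f "$file" -N '' "$@"
+echo
+fi
+}
+
+
+create_keys() {
+RET=true
+test -e /usr/share/debconf/confmodule && {
+db_get ssh/protocol2_only
+}
+
+if [ "$RET" = "false" ] ; then
+create_key "Creating SSH1 key; this may take some time ..." \
+/etc/ssh/ssh_host_key -t rsa1
+fi
+
+create_key "Creating SSH2 RSA key; this may take some time ..." \
+/etc/ssh/ssh_host_rsa_key -t rsa
+create_key "Creating SSH2 DSA key; this may take some time ..." \
+/etc/ssh/ssh_host_dsa_key -t dsa
+}
+
+
+create_sshdconfig() {
+if [ -e /etc/ssh/sshd_config ] ; then
+if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+RET=true
+test -e /usr/share/debconf/confmodule && {
+db_get ssh/new_config
+}
+if [ "$RET" = "false" ] ; then return 0; fi
+else return 0
+fi
+fi
+RET=true
+test -e /usr/share/debconf/confmodule && {
+db_get ssh/protocol2_only
+}
+
+#Preserve old sshd_config before generating a new on
+if [ -e /etc/ssh/sshd_config ] ; then
+mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+fi
+
+cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for defails
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+if [ "$RET" = "false" ]; then
+cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+
+test -e /usr/share/debconf/confmodule && {
+db_get ssh/privsep_ask
+}
+if [ "$RET" = "false" ]; then
+cat <<EOF >> /etc/ssh/sshd_config
+#Explicitly set PrivSep off, as requested
+UsePrivilegeSeparation no
+
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user
+PAMAuthenticationViaKbdInt yes
+EOF
+else
+cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+PAMAuthenticationViaKbdInt no
+EOF
+fi
+
+cat <<EOF >> /etc/ssh/sshd_config
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# rhosts authentication should not be used
+RhostsAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Uncomment to disable s/key passwords
+#ChallengeResponseAuthentication no
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+
+
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+
+Subsystem sftp /usr/lib/sftp-server
+
+EOF
+}
+
+
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+
+if [ -L /usr/bin/rsh ] &&
+dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+for cmd in rlogin rsh rcp ; do
+[ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+dpkg-divert --package ssh --remove --rename \
+--divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+
+[ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+dpkg-divert --package ssh --remove --rename \
+--divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+done
+
+rmdir /usr/bin/rsh.real
+fi
+}
+
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+if [ -x /usr/sbin/dpkg-statoverride ]; then
+if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+dpkg-statoverride --remove /usr/sbin/sshd
+fi
+fi
+}
+
+
+create_alternatives() {
+# Create alternatives for the various r* tools.
+# Make sure we don't change existing alternatives that a user might have
+# changed, but clean up after some old alternatives that mistakenly pointed
+# rlogin and rcp to ssh.
+update-alternatives --quiet --remove rlogin /usr/bin/ssh
+update-alternatives --quiet --remove rcp /usr/bin/ssh
+for cmd in rsh rlogin rcp; do
+scmd="s${cmd#r}"
+if ! update-alternatives --display "$cmd" | \
+grep -q "$scmd"; then
+update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
+--slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
+fi
+done
+}
+
+setup_sshd_user() {
+if ! getent passwd | grep -q '^sshd:'; then
+adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+fi
+}
+
+set_sshd_permissions() {
+suid=false
+
+if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+if [ -x /usr/sbin/dpkg-statoverride ] ; then
+if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+fi
+fi
+fi
+
+[ -e /usr/share/debconf/confmodule ] && {
+db_get ssh/SUID_client
+suid="$RET"
+}
+if [ ! -x /usr/sbin/dpkg-statoverride ] || \
+! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
+if [ "$suid" = "false" ] ; then
+chmod 0755 /usr/lib/ssh-keysign
+elif [ "$suid" = "true" ] ; then
+chmod 4755 /usr/lib/ssh-keysign
+fi
+fi
+}
+
+
+fix_ssh_group() {
+# Try to remove non-system group mistakenly created by 1:3.5p1-1.
+# set_ssh_agent_permissions() below will re-create it properly.
+if getent group | grep -q '^ssh:'; then
+delgroup --quiet ssh || true
+fi
+}
+
+
+set_ssh_agent_permissions() {
+if ! getent group | grep -q '^ssh:'; then
+addgroup --system --quiet ssh
+fi
+if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+chgrp ssh /usr/bin/ssh-agent
+chmod 2755 /usr/bin/ssh-agent
+fi
+}
+
+
+setup_startup() {
+start=yes
+[ -e /usr/share/debconf/confmodule ] && {
+db_get ssh/run_sshd
+start="$RET"
+}
+
+if [ "$start" != "true" ] ; then
+/etc/init.d/ssh stop 2>&1 >/dev/null
+touch /etc/ssh/sshd_not_to_be_run
+else
+rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
+fi
+}
+
+
+setup_init() {
+if [ -e /etc/init.d/ssh ]; then
+update-rc.d ssh defaults >/dev/null
+/etc/init.d/ssh restart
+fi
+}
+
+check_idea_key
+create_keys
+create_sshdconfig
+fix_rsh_diversion
+fix_statoverride
+create_alternatives
+setup_sshd_user
+set_sshd_permissions
+if [ "$2" = "1:3.5p1-1" ]; then fix_ssh_group; fi
+set_ssh_agent_permissions
+setup_startup
+setup_init
+
+
+[ -e /usr/share/debconf/confmodule ] && db_stop
+
+exit 0
+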
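Review bot: In fix_rsh_diversion the man-page cleanup runs `rm /usr/man/man1/$$cmd.1.gz`, where `$$` expands to the shell's PID, so when that symlink exists it is never removed and the failing `rm` (the last command of the `&&` list) aborts the whole postinst under `#!/bin/sh -e`; the line should read `[ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$cmd.1.gz`. In setup_startup, `/etc/init.d/ssh stop 2>&1 >/dev/null` silences only stdout and leaves stderr on the script's original stdout; `/etc/init.d/ssh stop >/dev/null 2>&1` looks like what was intended. The sshd_config heredoc in create_sshdconfig also writes `PermitRootLogin yes` alongside `PasswordAuthentication yes`, and `Protocol 2,1` when ssh/protocol2_only is false, without flagging them. A generated comment such as `# Review PermitRootLogin, PasswordAuthentication and Protocol before exposing this host` above the `# Authentication:` block would tell administrators which defaults to tighten first.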