summaryrefslogtreecommitdiff
path: root/debian/postinst
diff options
context:
space:
mode:
Diffstat (limited to 'debian/postinst')
-rw-r--r--debian/postinst329
1 files changed, 329 insertions, 0 deletions
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..b641769ba
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,329 @@
1#!/bin/sh -e
2
3action="$1"
4oldversion="$2"
5
6. /usr/share/debconf/confmodule
7db_version 2.0
8
9umask 022
10
11if [ "$action" != configure ]
12 then
13 exit 0
14fi
15
16
17
18check_idea_key() {
19 #check for old host_key files using IDEA, which openssh does not support
20 if [ -f /etc/ssh/ssh_host_key ] ; then
21 if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
22 grep -q 'unknown cipher' 2>/dev/null ; then
23 mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
24 mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
25 fi
26 fi
27}
28
29
30create_key() {
31 local msg="$1"
32 shift
33 local file="$1"
34 shift
35
36 if [ ! -f "$file" ] ; then
37 echo -n $msg
38 ssh-keygen -q -f "$file" -N '' "$@"
39 echo
40 fi
41}
42
43
44create_keys() {
45 db_get ssh/protocol2_only
46 if [ "$RET" = "false" ] ; then
47 create_key "Creating SSH1 key; this may take some time ..." \
48 /etc/ssh/ssh_host_key -t rsa1
49 fi
50
51 create_key "Creating SSH2 RSA key; this may take some time ..." \
52 /etc/ssh/ssh_host_rsa_key -t rsa
53 create_key "Creating SSH2 DSA key; this may take some time ..." \
54 /etc/ssh/ssh_host_dsa_key -t dsa
55}
56
57
58create_sshdconfig() {
59 if [ -e /etc/ssh/sshd_config ] ; then
60 if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
61 db_get ssh/new_config
62 if [ "$RET" = "false" ] ; then return 0; fi
63 elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
64 ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
65 # Upgrade from pre-3.7: UsePAM needed to maintain standard
66 # Debian configuration.
67 echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
68 cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
69 perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
70 /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
71 echo >> /etc/ssh/sshd_config.dpkg-new
72 echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
73 mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
74 echo
75 return 0
76 else return 0
77 fi
78 fi
79
80 #Preserve old sshd_config before generating a new one
81 if [ -e /etc/ssh/sshd_config ] ; then
82 mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
83 fi
84
85 cat <<EOF > /etc/ssh/sshd_config
86# Package generated configuration file
87# See the sshd(8) manpage for details
88
89# What ports, IPs and protocols we listen for
90Port 22
91# Use these options to restrict which interfaces/protocols sshd will bind to
92#ListenAddress ::
93#ListenAddress 0.0.0.0
94EOF
95 db_get ssh/protocol2_only
96if [ "$RET" = "false" ]; then
97 cat <<EOF >> /etc/ssh/sshd_config
98Protocol 2,1
99# HostKeys for protocol version 1
100HostKey /etc/ssh/ssh_host_key
101# HostKeys for protocol version 2
102HostKey /etc/ssh/ssh_host_rsa_key
103HostKey /etc/ssh/ssh_host_dsa_key
104EOF
105else
106 cat <<EOF >> /etc/ssh/sshd_config
107Protocol 2
108# HostKeys for protocol version 2
109HostKey /etc/ssh/ssh_host_rsa_key
110HostKey /etc/ssh/ssh_host_dsa_key
111EOF
112fi
113
114 cat <<EOF >> /etc/ssh/sshd_config
115#Privilege Separation is turned on for security
116UsePrivilegeSeparation yes
117
118# Lifetime and size of ephemeral version 1 server key
119KeyRegenerationInterval 3600
120ServerKeyBits 768
121
122# Logging
123SyslogFacility AUTH
124LogLevel INFO
125
126# Authentication:
127LoginGraceTime 600
128PermitRootLogin yes
129StrictModes yes
130
131RSAAuthentication yes
132PubkeyAuthentication yes
133#AuthorizedKeysFile %h/.ssh/authorized_keys
134
135# Don't read the user's ~/.rhosts and ~/.shosts files
136IgnoreRhosts yes
137# For this to work you will also need host keys in /etc/ssh_known_hosts
138RhostsRSAAuthentication no
139# similar for protocol version 2
140HostbasedAuthentication no
141# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
142#IgnoreUserKnownHosts yes
143
144# To enable empty passwords, change to yes (NOT RECOMMENDED)
145PermitEmptyPasswords no
146
147# Change to no to disable s/key passwords
148#ChallengeResponseAuthentication yes
149
150# Change to yes to enable tunnelled clear text passwords
151PasswordAuthentication no
152
153
154# To change Kerberos options
155#KerberosAuthentication no
156#KerberosOrLocalPasswd yes
157#AFSTokenPassing no
158#KerberosTicketCleanup no
159
160# Kerberos TGT Passing does only work with the AFS kaserver
161#KerberosTgtPassing yes
162
163X11Forwarding no
164X11DisplayOffset 10
165PrintMotd no
166PrintLastLog yes
167KeepAlive yes
168#UseLogin no
169
170#MaxStartups 10:30:60
171#Banner /etc/issue.net
172
173Subsystem sftp /usr/lib/sftp-server
174
175UsePAM yes
176EOF
177}
178
179
180fix_rsh_diversion() {
181# get rid of mistaken rsh diversion (circa 1.2.27-1)
182
183 if [ -L /usr/bin/rsh ] &&
184 dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
185 for cmd in rlogin rsh rcp ; do
186 [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
187 dpkg-divert --package ssh --remove --rename \
188 --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
189
190 [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
191 dpkg-divert --package ssh --remove --rename \
192 --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
193 done
194
195 rmdir /usr/bin/rsh.real
196 fi
197}
198
199
200fix_statoverride() {
201# Remove an erronous override for sshd (we should have overridden ssh)
202 if [ -x /usr/sbin/dpkg-statoverride ]; then
203 if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
204 dpkg-statoverride --remove /usr/sbin/sshd
205 fi
206 fi
207}
208
209
210create_alternatives() {
211# Create alternatives for the various r* tools.
212# Make sure we don't change existing alternatives that a user might have
213# changed, but clean up after some old alternatives that mistakenly pointed
214# rlogin and rcp to ssh.
215 update-alternatives --quiet --remove rlogin /usr/bin/ssh
216 update-alternatives --quiet --remove rcp /usr/bin/ssh
217 for cmd in rsh rlogin rcp; do
218 scmd="s${cmd#r}"
219 if ! update-alternatives --display "$cmd" | \
220 grep -q "$scmd"; then
221 update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
222 --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
223 fi
224 done
225}
226
227setup_sshd_user() {
228 if ! getent passwd sshd >/dev/null; then
229 adduser --quiet --system --no-create-home --home /var/run/sshd sshd
230 fi
231}
232
233set_sshd_permissions() {
234 if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
235 if [ -x /usr/sbin/dpkg-statoverride ] ; then
236 if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
237 dpkg-statoverride --remove /usr/bin/ssh >/dev/null
238 fi
239 fi
240 fi
241
242 if [ ! -x /usr/sbin/dpkg-statoverride ] || \
243 ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
244 db_get ssh/SUID_client
245 if [ "$RET" = "false" ] ; then
246 chmod 0755 /usr/lib/ssh-keysign
247 elif [ "$RET" = "true" ] ; then
248 chmod 4755 /usr/lib/ssh-keysign
249 fi
250 fi
251}
252
253
254fix_ssh_group() {
255 # Try to remove non-system group mistakenly created by 1:3.5p1-1.
256 # set_ssh_agent_permissions() below will re-create it properly.
257 if getent group ssh >/dev/null; then
258 delgroup --quiet ssh || true
259 fi
260}
261
262
263set_ssh_agent_permissions() {
264 if ! getent group ssh >/dev/null; then
265 addgroup --system --quiet ssh
266 fi
267 if ! [ -x /usr/sbin/dpkg-statoverride ] || \
268 ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
269 chgrp ssh /usr/bin/ssh-agent
270 chmod 2755 /usr/bin/ssh-agent
271 fi
272}
273
274
275fix_conffile_permissions() {
276 # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
277 # doesn't do this for us; see bug #192981.
278 chmod 644 /etc/default/ssh
279}
280
281setup_startup() {
282 db_get ssh/run_sshd
283 if [ "$RET" = "false" ] ; then
284 if [ -x /usr/sbin/invoke-rc.d ]; then
285 invoke-rc.d --quiet ssh stop
286 else
287 /etc/init.d/ssh stop
288 fi
289 touch /etc/ssh/sshd_not_to_be_run
290 else
291 rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
292 fi
293}
294
295
296setup_init() {
297 if [ -x /etc/init.d/ssh ]; then
298 update-rc.d ssh defaults >/dev/null
299 if [ -x /usr/sbin/invoke-rc.d ]; then
300 invoke-rc.d ssh restart
301 else
302 /etc/init.d/ssh restart
303 fi
304 fi
305}
306
307check_idea_key
308create_keys
309create_sshdconfig
310fix_rsh_diversion
311fix_statoverride
312create_alternatives
313setup_sshd_user
314set_sshd_permissions
315if [ "$2" = "1:3.5p1-1" ]; then
316 fix_ssh_group
317fi
318set_ssh_agent_permissions
319if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
320 fix_conffile_permissions
321fi
322setup_startup
323setup_init
324
325
326db_stop
327
328exit 0
329