diff options
Diffstat (limited to 'debian/postinst')
-rw-r--r-- | debian/postinst | 329 |
1 files changed, 329 insertions, 0 deletions
diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 000000000..b641769ba --- /dev/null +++ b/debian/postinst | |||
@@ -0,0 +1,329 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | . /usr/share/debconf/confmodule | ||
7 | db_version 2.0 | ||
8 | |||
9 | umask 022 | ||
10 | |||
11 | if [ "$action" != configure ] | ||
12 | then | ||
13 | exit 0 | ||
14 | fi | ||
15 | |||
16 | |||
17 | |||
18 | check_idea_key() { | ||
19 | #check for old host_key files using IDEA, which openssh does not support | ||
20 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
21 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
22 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
23 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
24 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
25 | fi | ||
26 | fi | ||
27 | } | ||
28 | |||
29 | |||
30 | create_key() { | ||
31 | local msg="$1" | ||
32 | shift | ||
33 | local file="$1" | ||
34 | shift | ||
35 | |||
36 | if [ ! -f "$file" ] ; then | ||
37 | echo -n $msg | ||
38 | ssh-keygen -q -f "$file" -N '' "$@" | ||
39 | echo | ||
40 | fi | ||
41 | } | ||
42 | |||
43 | |||
44 | create_keys() { | ||
45 | db_get ssh/protocol2_only | ||
46 | if [ "$RET" = "false" ] ; then | ||
47 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
48 | /etc/ssh/ssh_host_key -t rsa1 | ||
49 | fi | ||
50 | |||
51 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
52 | /etc/ssh/ssh_host_rsa_key -t rsa | ||
53 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
54 | /etc/ssh/ssh_host_dsa_key -t dsa | ||
55 | } | ||
56 | |||
57 | |||
58 | create_sshdconfig() { | ||
59 | if [ -e /etc/ssh/sshd_config ] ; then | ||
60 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | ||
61 | db_get ssh/new_config | ||
62 | if [ "$RET" = "false" ] ; then return 0; fi | ||
63 | elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ | ||
64 | ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then | ||
65 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
66 | # Debian configuration. | ||
67 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' | ||
68 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
69 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
70 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
71 | echo >> /etc/ssh/sshd_config.dpkg-new | ||
72 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
73 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
74 | echo | ||
75 | return 0 | ||
76 | else return 0 | ||
77 | fi | ||
78 | fi | ||
79 | |||
80 | #Preserve old sshd_config before generating a new one | ||
81 | if [ -e /etc/ssh/sshd_config ] ; then | ||
82 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
83 | fi | ||
84 | |||
85 | cat <<EOF > /etc/ssh/sshd_config | ||
86 | # Package generated configuration file | ||
87 | # See the sshd(8) manpage for details | ||
88 | |||
89 | # What ports, IPs and protocols we listen for | ||
90 | Port 22 | ||
91 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
92 | #ListenAddress :: | ||
93 | #ListenAddress 0.0.0.0 | ||
94 | EOF | ||
95 | db_get ssh/protocol2_only | ||
96 | if [ "$RET" = "false" ]; then | ||
97 | cat <<EOF >> /etc/ssh/sshd_config | ||
98 | Protocol 2,1 | ||
99 | # HostKeys for protocol version 1 | ||
100 | HostKey /etc/ssh/ssh_host_key | ||
101 | # HostKeys for protocol version 2 | ||
102 | HostKey /etc/ssh/ssh_host_rsa_key | ||
103 | HostKey /etc/ssh/ssh_host_dsa_key | ||
104 | EOF | ||
105 | else | ||
106 | cat <<EOF >> /etc/ssh/sshd_config | ||
107 | Protocol 2 | ||
108 | # HostKeys for protocol version 2 | ||
109 | HostKey /etc/ssh/ssh_host_rsa_key | ||
110 | HostKey /etc/ssh/ssh_host_dsa_key | ||
111 | EOF | ||
112 | fi | ||
113 | |||
114 | cat <<EOF >> /etc/ssh/sshd_config | ||
115 | #Privilege Separation is turned on for security | ||
116 | UsePrivilegeSeparation yes | ||
117 | |||
118 | # Lifetime and size of ephemeral version 1 server key | ||
119 | KeyRegenerationInterval 3600 | ||
120 | ServerKeyBits 768 | ||
121 | |||
122 | # Logging | ||
123 | SyslogFacility AUTH | ||
124 | LogLevel INFO | ||
125 | |||
126 | # Authentication: | ||
127 | LoginGraceTime 600 | ||
128 | PermitRootLogin yes | ||
129 | StrictModes yes | ||
130 | |||
131 | RSAAuthentication yes | ||
132 | PubkeyAuthentication yes | ||
133 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
134 | |||
135 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
136 | IgnoreRhosts yes | ||
137 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
138 | RhostsRSAAuthentication no | ||
139 | # similar for protocol version 2 | ||
140 | HostbasedAuthentication no | ||
141 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
142 | #IgnoreUserKnownHosts yes | ||
143 | |||
144 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
145 | PermitEmptyPasswords no | ||
146 | |||
147 | # Change to no to disable s/key passwords | ||
148 | #ChallengeResponseAuthentication yes | ||
149 | |||
150 | # Change to yes to enable tunnelled clear text passwords | ||
151 | PasswordAuthentication no | ||
152 | |||
153 | |||
154 | # To change Kerberos options | ||
155 | #KerberosAuthentication no | ||
156 | #KerberosOrLocalPasswd yes | ||
157 | #AFSTokenPassing no | ||
158 | #KerberosTicketCleanup no | ||
159 | |||
160 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
161 | #KerberosTgtPassing yes | ||
162 | |||
163 | X11Forwarding no | ||
164 | X11DisplayOffset 10 | ||
165 | PrintMotd no | ||
166 | PrintLastLog yes | ||
167 | KeepAlive yes | ||
168 | #UseLogin no | ||
169 | |||
170 | #MaxStartups 10:30:60 | ||
171 | #Banner /etc/issue.net | ||
172 | |||
173 | Subsystem sftp /usr/lib/sftp-server | ||
174 | |||
175 | UsePAM yes | ||
176 | EOF | ||
177 | } | ||
178 | |||
179 | |||
180 | fix_rsh_diversion() { | ||
181 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
182 | |||
183 | if [ -L /usr/bin/rsh ] && | ||
184 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
185 | for cmd in rlogin rsh rcp ; do | ||
186 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
187 | dpkg-divert --package ssh --remove --rename \ | ||
188 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
189 | |||
190 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
191 | dpkg-divert --package ssh --remove --rename \ | ||
192 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
193 | done | ||
194 | |||
195 | rmdir /usr/bin/rsh.real | ||
196 | fi | ||
197 | } | ||
198 | |||
199 | |||
200 | fix_statoverride() { | ||
201 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
202 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
203 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
204 | dpkg-statoverride --remove /usr/sbin/sshd | ||
205 | fi | ||
206 | fi | ||
207 | } | ||
208 | |||
209 | |||
210 | create_alternatives() { | ||
211 | # Create alternatives for the various r* tools. | ||
212 | # Make sure we don't change existing alternatives that a user might have | ||
213 | # changed, but clean up after some old alternatives that mistakenly pointed | ||
214 | # rlogin and rcp to ssh. | ||
215 | update-alternatives --quiet --remove rlogin /usr/bin/ssh | ||
216 | update-alternatives --quiet --remove rcp /usr/bin/ssh | ||
217 | for cmd in rsh rlogin rcp; do | ||
218 | scmd="s${cmd#r}" | ||
219 | if ! update-alternatives --display "$cmd" | \ | ||
220 | grep -q "$scmd"; then | ||
221 | update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \ | ||
222 | --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz" | ||
223 | fi | ||
224 | done | ||
225 | } | ||
226 | |||
227 | setup_sshd_user() { | ||
228 | if ! getent passwd sshd >/dev/null; then | ||
229 | adduser --quiet --system --no-create-home --home /var/run/sshd sshd | ||
230 | fi | ||
231 | } | ||
232 | |||
233 | set_sshd_permissions() { | ||
234 | if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then | ||
235 | if [ -x /usr/sbin/dpkg-statoverride ] ; then | ||
236 | if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then | ||
237 | dpkg-statoverride --remove /usr/bin/ssh >/dev/null | ||
238 | fi | ||
239 | fi | ||
240 | fi | ||
241 | |||
242 | if [ ! -x /usr/sbin/dpkg-statoverride ] || \ | ||
243 | ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then | ||
244 | db_get ssh/SUID_client | ||
245 | if [ "$RET" = "false" ] ; then | ||
246 | chmod 0755 /usr/lib/ssh-keysign | ||
247 | elif [ "$RET" = "true" ] ; then | ||
248 | chmod 4755 /usr/lib/ssh-keysign | ||
249 | fi | ||
250 | fi | ||
251 | } | ||
252 | |||
253 | |||
254 | fix_ssh_group() { | ||
255 | # Try to remove non-system group mistakenly created by 1:3.5p1-1. | ||
256 | # set_ssh_agent_permissions() below will re-create it properly. | ||
257 | if getent group ssh >/dev/null; then | ||
258 | delgroup --quiet ssh || true | ||
259 | fi | ||
260 | } | ||
261 | |||
262 | |||
263 | set_ssh_agent_permissions() { | ||
264 | if ! getent group ssh >/dev/null; then | ||
265 | addgroup --system --quiet ssh | ||
266 | fi | ||
267 | if ! [ -x /usr/sbin/dpkg-statoverride ] || \ | ||
268 | ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then | ||
269 | chgrp ssh /usr/bin/ssh-agent | ||
270 | chmod 2755 /usr/bin/ssh-agent | ||
271 | fi | ||
272 | } | ||
273 | |||
274 | |||
275 | fix_conffile_permissions() { | ||
276 | # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg | ||
277 | # doesn't do this for us; see bug #192981. | ||
278 | chmod 644 /etc/default/ssh | ||
279 | } | ||
280 | |||
281 | setup_startup() { | ||
282 | db_get ssh/run_sshd | ||
283 | if [ "$RET" = "false" ] ; then | ||
284 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
285 | invoke-rc.d --quiet ssh stop | ||
286 | else | ||
287 | /etc/init.d/ssh stop | ||
288 | fi | ||
289 | touch /etc/ssh/sshd_not_to_be_run | ||
290 | else | ||
291 | rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null | ||
292 | fi | ||
293 | } | ||
294 | |||
295 | |||
296 | setup_init() { | ||
297 | if [ -x /etc/init.d/ssh ]; then | ||
298 | update-rc.d ssh defaults >/dev/null | ||
299 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
300 | invoke-rc.d ssh restart | ||
301 | else | ||
302 | /etc/init.d/ssh restart | ||
303 | fi | ||
304 | fi | ||
305 | } | ||
306 | |||
307 | check_idea_key | ||
308 | create_keys | ||
309 | create_sshdconfig | ||
310 | fix_rsh_diversion | ||
311 | fix_statoverride | ||
312 | create_alternatives | ||
313 | setup_sshd_user | ||
314 | set_sshd_permissions | ||
315 | if [ "$2" = "1:3.5p1-1" ]; then | ||
316 | fix_ssh_group | ||
317 | fi | ||
318 | set_ssh_agent_permissions | ||
319 | if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then | ||
320 | fix_conffile_permissions | ||
321 | fi | ||
322 | setup_startup | ||
323 | setup_init | ||
324 | |||
325 | |||
326 | db_stop | ||
327 | |||
328 | exit 0 | ||
329 | |||