diff options
Diffstat (limited to 'debian/postinst')
-rw-r--r-- | debian/postinst | 360 |
1 files changed, 360 insertions, 0 deletions
diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 000000000..1baae1677 --- /dev/null +++ b/debian/postinst | |||
@@ -0,0 +1,360 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | . /usr/share/debconf/confmodule | ||
7 | db_version 2.0 | ||
8 | |||
9 | umask 022 | ||
10 | |||
11 | if [ "$action" != configure ] | ||
12 | then | ||
13 | exit 0 | ||
14 | fi | ||
15 | |||
16 | |||
17 | |||
18 | check_idea_key() { | ||
19 | #check for old host_key files using IDEA, which openssh does not support | ||
20 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
21 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
22 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
23 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
24 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
25 | fi | ||
26 | fi | ||
27 | } | ||
28 | |||
29 | |||
30 | get_config_option() { | ||
31 | option="$1" | ||
32 | |||
33 | # TODO: actually only one '=' allowed after option | ||
34 | perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | ||
35 | /etc/ssh/sshd_config | ||
36 | } | ||
37 | |||
38 | |||
39 | host_keys_required() { | ||
40 | hostkeys="$(get_config_option HostKey)" | ||
41 | if [ "$hostkeys" ]; then | ||
42 | echo "$hostkeys" | ||
43 | else | ||
44 | # No HostKey directives at all, so the server picks some | ||
45 | # defaults depending on the setting of Protocol. | ||
46 | protocol="$(get_config_option Protocol)" | ||
47 | [ "$protocol" ] || protocol=1,2 | ||
48 | if echo "$protocol" | grep 1 >/dev/null; then | ||
49 | echo /etc/ssh/ssh_host_key | ||
50 | fi | ||
51 | if echo "$protocol" | grep 2 >/dev/null; then | ||
52 | echo /etc/ssh/ssh_host_rsa_key | ||
53 | echo /etc/ssh/ssh_host_dsa_key | ||
54 | fi | ||
55 | fi | ||
56 | } | ||
57 | |||
58 | |||
59 | create_key() { | ||
60 | msg="$1" | ||
61 | shift | ||
62 | hostkeys="$1" | ||
63 | shift | ||
64 | file="$1" | ||
65 | shift | ||
66 | |||
67 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
68 | [ ! -f "$file" ] ; then | ||
69 | echo -n $msg | ||
70 | ssh-keygen -q -f "$file" -N '' "$@" | ||
71 | echo | ||
72 | fi | ||
73 | } | ||
74 | |||
75 | |||
76 | create_keys() { | ||
77 | hostkeys="$(host_keys_required)" | ||
78 | |||
79 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
80 | "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | ||
81 | |||
82 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
83 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
84 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
85 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
86 | } | ||
87 | |||
88 | |||
89 | create_sshdconfig() { | ||
90 | if [ -e /etc/ssh/sshd_config ] ; then | ||
91 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | ||
92 | db_get ssh/new_config | ||
93 | if [ "$RET" = "false" ] ; then return 0; fi | ||
94 | elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ | ||
95 | ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then | ||
96 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
97 | # Debian configuration. | ||
98 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' | ||
99 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
100 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
101 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
102 | echo >> /etc/ssh/sshd_config.dpkg-new | ||
103 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
104 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
105 | echo | ||
106 | return 0 | ||
107 | else return 0 | ||
108 | fi | ||
109 | fi | ||
110 | |||
111 | #Preserve old sshd_config before generating a new one | ||
112 | if [ -e /etc/ssh/sshd_config ] ; then | ||
113 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
114 | fi | ||
115 | |||
116 | cat <<EOF > /etc/ssh/sshd_config | ||
117 | # Package generated configuration file | ||
118 | # See the sshd(8) manpage for details | ||
119 | |||
120 | # What ports, IPs and protocols we listen for | ||
121 | Port 22 | ||
122 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
123 | #ListenAddress :: | ||
124 | #ListenAddress 0.0.0.0 | ||
125 | EOF | ||
126 | db_get ssh/protocol2_only | ||
127 | if [ "$RET" = "false" ]; then | ||
128 | cat <<EOF >> /etc/ssh/sshd_config | ||
129 | Protocol 2,1 | ||
130 | # HostKeys for protocol version 1 | ||
131 | HostKey /etc/ssh/ssh_host_key | ||
132 | # HostKeys for protocol version 2 | ||
133 | HostKey /etc/ssh/ssh_host_rsa_key | ||
134 | HostKey /etc/ssh/ssh_host_dsa_key | ||
135 | EOF | ||
136 | else | ||
137 | cat <<EOF >> /etc/ssh/sshd_config | ||
138 | Protocol 2 | ||
139 | # HostKeys for protocol version 2 | ||
140 | HostKey /etc/ssh/ssh_host_rsa_key | ||
141 | HostKey /etc/ssh/ssh_host_dsa_key | ||
142 | EOF | ||
143 | fi | ||
144 | |||
145 | cat <<EOF >> /etc/ssh/sshd_config | ||
146 | #Privilege Separation is turned on for security | ||
147 | UsePrivilegeSeparation yes | ||
148 | |||
149 | # Lifetime and size of ephemeral version 1 server key | ||
150 | KeyRegenerationInterval 3600 | ||
151 | ServerKeyBits 768 | ||
152 | |||
153 | # Logging | ||
154 | SyslogFacility AUTH | ||
155 | LogLevel INFO | ||
156 | |||
157 | # Authentication: | ||
158 | LoginGraceTime 600 | ||
159 | PermitRootLogin yes | ||
160 | StrictModes yes | ||
161 | |||
162 | RSAAuthentication yes | ||
163 | PubkeyAuthentication yes | ||
164 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
165 | |||
166 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
167 | IgnoreRhosts yes | ||
168 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
169 | RhostsRSAAuthentication no | ||
170 | # similar for protocol version 2 | ||
171 | HostbasedAuthentication no | ||
172 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
173 | #IgnoreUserKnownHosts yes | ||
174 | |||
175 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
176 | PermitEmptyPasswords no | ||
177 | |||
178 | # Change to no to disable s/key passwords | ||
179 | #ChallengeResponseAuthentication yes | ||
180 | |||
181 | # Change to yes to enable tunnelled clear text passwords | ||
182 | PasswordAuthentication no | ||
183 | |||
184 | |||
185 | # To change Kerberos options | ||
186 | #KerberosAuthentication no | ||
187 | #KerberosOrLocalPasswd yes | ||
188 | #AFSTokenPassing no | ||
189 | #KerberosTicketCleanup no | ||
190 | |||
191 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
192 | #KerberosTgtPassing yes | ||
193 | |||
194 | X11Forwarding no | ||
195 | X11DisplayOffset 10 | ||
196 | PrintMotd no | ||
197 | PrintLastLog yes | ||
198 | KeepAlive yes | ||
199 | #UseLogin no | ||
200 | |||
201 | #MaxStartups 10:30:60 | ||
202 | #Banner /etc/issue.net | ||
203 | |||
204 | Subsystem sftp /usr/lib/sftp-server | ||
205 | |||
206 | UsePAM yes | ||
207 | EOF | ||
208 | } | ||
209 | |||
210 | |||
211 | fix_rsh_diversion() { | ||
212 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
213 | |||
214 | if [ -L /usr/bin/rsh ] && | ||
215 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
216 | for cmd in rlogin rsh rcp ; do | ||
217 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
218 | dpkg-divert --package ssh --remove --rename \ | ||
219 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
220 | |||
221 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
222 | dpkg-divert --package ssh --remove --rename \ | ||
223 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
224 | done | ||
225 | |||
226 | rmdir /usr/bin/rsh.real | ||
227 | fi | ||
228 | } | ||
229 | |||
230 | |||
231 | fix_statoverride() { | ||
232 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
233 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
234 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
235 | dpkg-statoverride --remove /usr/sbin/sshd | ||
236 | fi | ||
237 | fi | ||
238 | } | ||
239 | |||
240 | |||
241 | create_alternatives() { | ||
242 | # Create alternatives for the various r* tools. | ||
243 | # Make sure we don't change existing alternatives that a user might have | ||
244 | # changed, but clean up after some old alternatives that mistakenly pointed | ||
245 | # rlogin and rcp to ssh. | ||
246 | update-alternatives --quiet --remove rlogin /usr/bin/ssh | ||
247 | update-alternatives --quiet --remove rcp /usr/bin/ssh | ||
248 | for cmd in rsh rlogin rcp; do | ||
249 | scmd="s${cmd#r}" | ||
250 | if ! update-alternatives --display "$cmd" | \ | ||
251 | grep -q "$scmd"; then | ||
252 | update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \ | ||
253 | --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz" | ||
254 | fi | ||
255 | done | ||
256 | } | ||
257 | |||
258 | setup_sshd_user() { | ||
259 | if ! getent passwd sshd >/dev/null; then | ||
260 | adduser --quiet --system --no-create-home --home /var/run/sshd sshd | ||
261 | fi | ||
262 | } | ||
263 | |||
264 | set_sshd_permissions() { | ||
265 | if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then | ||
266 | if [ -x /usr/sbin/dpkg-statoverride ] ; then | ||
267 | if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then | ||
268 | dpkg-statoverride --remove /usr/bin/ssh >/dev/null | ||
269 | fi | ||
270 | fi | ||
271 | fi | ||
272 | |||
273 | if [ ! -x /usr/sbin/dpkg-statoverride ] || \ | ||
274 | ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then | ||
275 | db_get ssh/SUID_client | ||
276 | if [ "$RET" = "false" ] ; then | ||
277 | chmod 0755 /usr/lib/ssh-keysign | ||
278 | elif [ "$RET" = "true" ] ; then | ||
279 | chmod 4755 /usr/lib/ssh-keysign | ||
280 | fi | ||
281 | fi | ||
282 | } | ||
283 | |||
284 | |||
285 | fix_ssh_group() { | ||
286 | # Try to remove non-system group mistakenly created by 1:3.5p1-1. | ||
287 | # set_ssh_agent_permissions() below will re-create it properly. | ||
288 | if getent group ssh >/dev/null; then | ||
289 | delgroup --quiet ssh || true | ||
290 | fi | ||
291 | } | ||
292 | |||
293 | |||
294 | set_ssh_agent_permissions() { | ||
295 | if ! getent group ssh >/dev/null; then | ||
296 | addgroup --system --quiet ssh | ||
297 | fi | ||
298 | if ! [ -x /usr/sbin/dpkg-statoverride ] || \ | ||
299 | ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then | ||
300 | chgrp ssh /usr/bin/ssh-agent | ||
301 | chmod 2755 /usr/bin/ssh-agent | ||
302 | fi | ||
303 | } | ||
304 | |||
305 | |||
306 | fix_conffile_permissions() { | ||
307 | # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg | ||
308 | # doesn't do this for us; see bug #192981. | ||
309 | chmod 644 /etc/default/ssh | ||
310 | } | ||
311 | |||
312 | setup_startup() { | ||
313 | db_get ssh/run_sshd | ||
314 | if [ "$RET" = "false" ] ; then | ||
315 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
316 | invoke-rc.d --quiet ssh stop | ||
317 | else | ||
318 | /etc/init.d/ssh stop | ||
319 | fi | ||
320 | touch /etc/ssh/sshd_not_to_be_run | ||
321 | else | ||
322 | rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null | ||
323 | fi | ||
324 | } | ||
325 | |||
326 | |||
327 | setup_init() { | ||
328 | if [ -x /etc/init.d/ssh ]; then | ||
329 | update-rc.d ssh defaults >/dev/null | ||
330 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
331 | invoke-rc.d ssh restart | ||
332 | else | ||
333 | /etc/init.d/ssh restart | ||
334 | fi | ||
335 | fi | ||
336 | } | ||
337 | |||
338 | create_sshdconfig | ||
339 | check_idea_key | ||
340 | create_keys | ||
341 | fix_rsh_diversion | ||
342 | fix_statoverride | ||
343 | create_alternatives | ||
344 | setup_sshd_user | ||
345 | set_sshd_permissions | ||
346 | if [ "$2" = "1:3.5p1-1" ]; then | ||
347 | fix_ssh_group | ||
348 | fi | ||
349 | set_ssh_agent_permissions | ||
350 | if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then | ||
351 | fix_conffile_permissions | ||
352 | fi | ||
353 | setup_startup | ||
354 | setup_init | ||
355 | |||
356 | |||
357 | db_stop | ||
358 | |||
359 | exit 0 | ||
360 | |||