1 files changed, 360 insertions, 0 deletions
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..1baae1677
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,360 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+. /usr/share/debconf/confmodule
+db_version 2.0
+umask 022
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+get_config_option() {
+        option="$1"
+        # TODO: actually only one '=' allowed after option
+        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+           /etc/ssh/sshd_config
+}
+host_keys_required() {
+        hostkeys="$(get_config_option HostKey)"
+        if [ "$hostkeys" ]; then
+                echo "$hostkeys"
+        else
+                # No HostKey directives at all, so the server picks some
+                # defaults depending on the setting of Protocol.
+                protocol="$(get_config_option Protocol)"
+                [ "$protocol" ] || protocol=1,2
+                if echo "$protocol" | grep 1 >/dev/null; then
+                        echo /etc/ssh/ssh_host_key
+                fi
+                if echo "$protocol" | grep 2 >/dev/null; then
+                        echo /etc/ssh/ssh_host_rsa_key
+                        echo /etc/ssh/ssh_host_dsa_key
+                fi
+        fi
+}
+create_key() {
+        msg="$1"
+        shift
+        hostkeys="$1"
+        shift
+        file="$1"
+        shift
+        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+           [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -q -f "$file" -N '' "$@"
+                echo
+        fi
+}
+create_keys() {
+        hostkeys="$(host_keys_required)"
+        create_key "Creating SSH1 key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+                db_get ssh/new_config
+                if [ "$RET" = "false" ] ; then return 0; fi
+            elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
+                 ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
+                # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                # Debian configuration.
+                echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
+                cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                    /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                echo >> /etc/ssh/sshd_config.dpkg-new
+                echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                echo
+                return 0
+            else return 0
+            fi
+        fi
+        #Preserve old sshd_config before generating a new one
+        if [ -e /etc/ssh/sshd_config ] ; then 
+            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+        db_get ssh/protocol2_only
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+# Change to yes to enable tunnelled clear text passwords
+PasswordAuthentication no
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+Subsystem       sftp    /usr/lib/sftp-server
+UsePAM yes
+EOF
+}
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+        if [ -L /usr/bin/rsh ] &&
+                dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+                for cmd in rlogin  rsh rcp ; do
+                        [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+                        [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+                done
+                rmdir /usr/bin/rsh.real
+        fi
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+create_alternatives() {
+# Create alternatives for the various r* tools.
+# Make sure we don't change existing alternatives that a user might have
+# changed, but clean up after some old alternatives that mistakenly pointed
+# rlogin and rcp to ssh.
+        update-alternatives --quiet --remove rlogin /usr/bin/ssh
+        update-alternatives --quiet --remove rcp /usr/bin/ssh
+        for cmd in rsh rlogin rcp; do
+                scmd="s${cmd#r}"
+                if ! update-alternatives --display "$cmd" | \
+                                grep -q "$scmd"; then
+                        update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
+                                --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
+                fi
+        done
+}
+setup_sshd_user() {
+        if ! getent passwd sshd >/dev/null; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+        fi
+}
+set_sshd_permissions() {
+        if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+            if [ -x /usr/sbin/dpkg-statoverride ] ; then
+                if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+                    dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+                fi 
+            fi
+        fi
+        if [ ! -x /usr/sbin/dpkg-statoverride ] || \
+             ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
+                db_get ssh/SUID_client
+                if [ "$RET" = "false" ] ; then
+                        chmod 0755 /usr/lib/ssh-keysign
+                elif [ "$RET" = "true" ] ; then
+                        chmod 4755 /usr/lib/ssh-keysign
+                fi
+        fi
+}
+fix_ssh_group() {
+        # Try to remove non-system group mistakenly created by 1:3.5p1-1.
+        # set_ssh_agent_permissions() below will re-create it properly.
+        if getent group ssh >/dev/null; then
+                delgroup --quiet ssh || true
+        fi
+}
+set_ssh_agent_permissions() {
+        if ! getent group ssh >/dev/null; then
+                addgroup --system --quiet ssh
+        fi
+        if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+            ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+                chgrp ssh /usr/bin/ssh-agent
+                chmod 2755 /usr/bin/ssh-agent
+        fi
+}
+fix_conffile_permissions() {
+        # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
+        # doesn't do this for us; see bug #192981.
+        chmod 644 /etc/default/ssh
+}
+setup_startup() {
+        db_get ssh/run_sshd
+        if [ "$RET" = "false" ] ; then
+                if [ -x /usr/sbin/invoke-rc.d ]; then
+                        invoke-rc.d --quiet ssh stop
+                else
+                        /etc/init.d/ssh stop
+                fi
+                touch /etc/ssh/sshd_not_to_be_run
+        else
+                rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
+        fi
+}
+setup_init() {
+        if [ -x /etc/init.d/ssh ]; then
+                update-rc.d ssh defaults >/dev/null
+                if [ -x /usr/sbin/invoke-rc.d ]; then
+                        invoke-rc.d ssh restart
+                else
+                        /etc/init.d/ssh restart
+                fi
+        fi
+}
+create_sshdconfig
+check_idea_key
+create_keys
+fix_rsh_diversion
+fix_statoverride
+create_alternatives
+setup_sshd_user
+set_sshd_permissions
+if [ "$2" = "1:3.5p1-1" ]; then
+    fix_ssh_group
+fi
+set_ssh_agent_permissions
+if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
+    fix_conffile_permissions
+fi
+setup_startup
+setup_init
+db_stop
+exit 0

diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 000000000..1baae1677 --- /dev/null +++ b/debian/postinst
@@ -0,0 +1,360 @@
	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11	if [ "$action" != configure ]
	12	then
	13	exit 0
	14	fi
	15
	16
	17
	18	check_idea_key() {
	19	#check for old host_key files using IDEA, which openssh does not support
	20	if [ -f /etc/ssh/ssh_host_key ] ; then
	21	if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 \| \
	22	grep -q 'unknown cipher' 2>/dev/null ; then
	23	mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
	24	mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
	25	fi
	26	fi
	27	}
	28
	29
	30	get_config_option() {
	31	option="$1"
	32
	33	# TODO: actually only one '=' allowed after option
	34	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	35	/etc/ssh/sshd_config
	36	}
	37
	38
	39	host_keys_required() {
	40	hostkeys="$(get_config_option HostKey)"
	41	if [ "$hostkeys" ]; then
	42	echo "$hostkeys"
	43	else
	44	# No HostKey directives at all, so the server picks some
	45	# defaults depending on the setting of Protocol.
	46	protocol="$(get_config_option Protocol)"
	47	[ "$protocol" ] \|\| protocol=1,2
	48	if echo "$protocol" \| grep 1 >/dev/null; then
	49	echo /etc/ssh/ssh_host_key
	50	fi
	51	if echo "$protocol" \| grep 2 >/dev/null; then
	52	echo /etc/ssh/ssh_host_rsa_key
	53	echo /etc/ssh/ssh_host_dsa_key
	54	fi
	55	fi
	56	}
	57
	58
	59	create_key() {
	60	msg="$1"
	61	shift
	62	hostkeys="$1"
	63	shift
	64	file="$1"
	65	shift
	66
	67	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	68	[ ! -f "$file" ] ; then
	69	echo -n $msg
	70	ssh-keygen -q -f "$file" -N '' "$@"
	71	echo
	72	fi
	73	}
	74
	75
	76	create_keys() {
	77	hostkeys="$(host_keys_required)"
	78
	79	create_key "Creating SSH1 key; this may take some time ..." \
	80	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	81
	82	create_key "Creating SSH2 RSA key; this may take some time ..." \
	83	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	84	create_key "Creating SSH2 DSA key; this may take some time ..." \
	85	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	86	}
	87
	88
	89	create_sshdconfig() {
	90	if [ -e /etc/ssh/sshd_config ] ; then
	91	if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
	92	db_get ssh/new_config
	93	if [ "$RET" = "false" ] ; then return 0; fi
	94	elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
	95	! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
	96	# Upgrade from pre-3.7: UsePAM needed to maintain standard
	97	# Debian configuration.
	98	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
	99	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	100	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \
	101	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	102	echo >> /etc/ssh/sshd_config.dpkg-new
	103	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
	104	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	105	echo
	106	return 0
	107	else return 0
	108	fi
	109	fi
	110
	111	#Preserve old sshd_config before generating a new one
	112	if [ -e /etc/ssh/sshd_config ] ; then
	113	mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	114	fi
	115
	116	cat <<EOF > /etc/ssh/sshd_config
	117	# Package generated configuration file
	118	# See the sshd(8) manpage for details
	119
	120	# What ports, IPs and protocols we listen for
	121	Port 22
	122	# Use these options to restrict which interfaces/protocols sshd will bind to
	123	#ListenAddress ::
	124	#ListenAddress 0.0.0.0
	125	EOF
	126	db_get ssh/protocol2_only
	127	if [ "$RET" = "false" ]; then
	128	cat <<EOF >> /etc/ssh/sshd_config
	129	Protocol 2,1
	130	# HostKeys for protocol version 1
	131	HostKey /etc/ssh/ssh_host_key
	132	# HostKeys for protocol version 2
	133	HostKey /etc/ssh/ssh_host_rsa_key
	134	HostKey /etc/ssh/ssh_host_dsa_key
	135	EOF
	136	else
	137	cat <<EOF >> /etc/ssh/sshd_config
	138	Protocol 2
	139	# HostKeys for protocol version 2
	140	HostKey /etc/ssh/ssh_host_rsa_key
	141	HostKey /etc/ssh/ssh_host_dsa_key
	142	EOF
	143	fi
	144
	145	cat <<EOF >> /etc/ssh/sshd_config
	146	#Privilege Separation is turned on for security
	147	UsePrivilegeSeparation yes
	148
	149	# Lifetime and size of ephemeral version 1 server key
	150	KeyRegenerationInterval 3600
	151	ServerKeyBits 768
	152
	153	# Logging
	154	SyslogFacility AUTH
	155	LogLevel INFO
	156
	157	# Authentication:
	158	LoginGraceTime 600
	159	PermitRootLogin yes
	160	StrictModes yes
	161
	162	RSAAuthentication yes
	163	PubkeyAuthentication yes
	164	#AuthorizedKeysFile %h/.ssh/authorized_keys
	165
	166	# Don't read the user's ~/.rhosts and ~/.shosts files
	167	IgnoreRhosts yes
	168	# For this to work you will also need host keys in /etc/ssh_known_hosts
	169	RhostsRSAAuthentication no
	170	# similar for protocol version 2
	171	HostbasedAuthentication no
	172	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	173	#IgnoreUserKnownHosts yes
	174
	175	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	176	PermitEmptyPasswords no
	177
	178	# Change to no to disable s/key passwords
	179	#ChallengeResponseAuthentication yes
	180
	181	# Change to yes to enable tunnelled clear text passwords
	182	PasswordAuthentication no
	183
	184
	185	# To change Kerberos options
	186	#KerberosAuthentication no
	187	#KerberosOrLocalPasswd yes
	188	#AFSTokenPassing no
	189	#KerberosTicketCleanup no
	190
	191	# Kerberos TGT Passing does only work with the AFS kaserver
	192	#KerberosTgtPassing yes
	193
	194	X11Forwarding no
	195	X11DisplayOffset 10
	196	PrintMotd no
	197	PrintLastLog yes
	198	KeepAlive yes
	199	#UseLogin no
	200
	201	#MaxStartups 10:30:60
	202	#Banner /etc/issue.net
	203
	204	Subsystem sftp /usr/lib/sftp-server
	205
	206	UsePAM yes
	207	EOF
	208	}
	209
	210
	211	fix_rsh_diversion() {
	212	# get rid of mistaken rsh diversion (circa 1.2.27-1)
	213
	214	if [ -L /usr/bin/rsh ] &&
	215	dpkg-divert --list '/usr/bin/rsh.real/rsh' \| grep -q ' ssh$' ; then
	216	for cmd in rlogin rsh rcp ; do
	217	[ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
	218	dpkg-divert --package ssh --remove --rename \
	219	--divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
	220
	221	[ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
	222	dpkg-divert --package ssh --remove --rename \
	223	--divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
	224	done
	225
	226	rmdir /usr/bin/rsh.real
	227	fi
	228	}
	229
	230
	231	fix_statoverride() {
	232	# Remove an erronous override for sshd (we should have overridden ssh)
	233	if [ -x /usr/sbin/dpkg-statoverride ]; then
	234	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	235	dpkg-statoverride --remove /usr/sbin/sshd
	236	fi
	237	fi
	238	}
	239
	240
	241	create_alternatives() {
	242	# Create alternatives for the various r* tools.
	243	# Make sure we don't change existing alternatives that a user might have
	244	# changed, but clean up after some old alternatives that mistakenly pointed
	245	# rlogin and rcp to ssh.
	246	update-alternatives --quiet --remove rlogin /usr/bin/ssh
	247	update-alternatives --quiet --remove rcp /usr/bin/ssh
	248	for cmd in rsh rlogin rcp; do
	249	scmd="s${cmd#r}"
	250	if ! update-alternatives --display "$cmd" \| \
	251	grep -q "$scmd"; then
	252	update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
	253	--slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
	254	fi
	255	done
	256	}
	257
	258	setup_sshd_user() {
	259	if ! getent passwd sshd >/dev/null; then
	260	adduser --quiet --system --no-create-home --home /var/run/sshd sshd
	261	fi
	262	}
	263
	264	set_sshd_permissions() {
	265	if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
	266	if [ -x /usr/sbin/dpkg-statoverride ] ; then
	267	if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
	268	dpkg-statoverride --remove /usr/bin/ssh >/dev/null
	269	fi
	270	fi
	271	fi
	272
	273	if [ ! -x /usr/sbin/dpkg-statoverride ] \|\| \
	274	! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
	275	db_get ssh/SUID_client
	276	if [ "$RET" = "false" ] ; then
	277	chmod 0755 /usr/lib/ssh-keysign
	278	elif [ "$RET" = "true" ] ; then
	279	chmod 4755 /usr/lib/ssh-keysign
	280	fi
	281	fi
	282	}
	283
	284
	285	fix_ssh_group() {
	286	# Try to remove non-system group mistakenly created by 1:3.5p1-1.
	287	# set_ssh_agent_permissions() below will re-create it properly.
	288	if getent group ssh >/dev/null; then
	289	delgroup --quiet ssh \|\| true
	290	fi
	291	}
	292
	293
	294	set_ssh_agent_permissions() {
	295	if ! getent group ssh >/dev/null; then
	296	addgroup --system --quiet ssh
	297	fi
	298	if ! [ -x /usr/sbin/dpkg-statoverride ] \|\| \
	299	! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
	300	chgrp ssh /usr/bin/ssh-agent
	301	chmod 2755 /usr/bin/ssh-agent
	302	fi
	303	}
	304
	305
	306	fix_conffile_permissions() {
	307	# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
	308	# doesn't do this for us; see bug #192981.
	309	chmod 644 /etc/default/ssh
	310	}
	311
	312	setup_startup() {
	313	db_get ssh/run_sshd
	314	if [ "$RET" = "false" ] ; then
	315	if [ -x /usr/sbin/invoke-rc.d ]; then
	316	invoke-rc.d --quiet ssh stop
	317	else
	318	/etc/init.d/ssh stop
	319	fi
	320	touch /etc/ssh/sshd_not_to_be_run
	321	else
	322	rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
	323	fi
	324	}
	325
	326
	327	setup_init() {
	328	if [ -x /etc/init.d/ssh ]; then
	329	update-rc.d ssh defaults >/dev/null
	330	if [ -x /usr/sbin/invoke-rc.d ]; then
	331	invoke-rc.d ssh restart
	332	else
	333	/etc/init.d/ssh restart
	334	fi
	335	fi
	336	}
	337
	338	create_sshdconfig
	339	check_idea_key
	340	create_keys
	341	fix_rsh_diversion
	342	fix_statoverride
	343	create_alternatives
	344	setup_sshd_user
	345	set_sshd_permissions
	346	if [ "$2" = "1:3.5p1-1" ]; then
	347	fix_ssh_group
	348	fi
	349	set_ssh_agent_permissions
	350	if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
	351	fix_conffile_permissions
	352	fi
	353	setup_startup
	354	setup_init
	355
	356
	357	db_stop
	358
	359	exit 0
	360