diff options
Diffstat (limited to 'debian/postinst')
| -rw-r--r-- | debian/postinst | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/debian/postinst b/debian/postinst index f3d4cf6d5..5d0e32fef 100644 --- a/debian/postinst +++ b/debian/postinst | |||
| @@ -60,6 +60,16 @@ create_sshdconfig() { | |||
| 60 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | 60 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then |
| 61 | db_get ssh/new_config | 61 | db_get ssh/new_config |
| 62 | if [ "$RET" = "false" ] ; then return 0; fi | 62 | if [ "$RET" = "false" ] ; then return 0; fi |
| 63 | elif dpkg --compare-versions "$oldversion" lt-nl 1:3.7.1p2-1 && \ | ||
| 64 | ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then | ||
| 65 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
| 66 | # Debian configuration. | ||
| 67 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
| 68 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
| 69 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
| 70 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
| 71 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
| 72 | return 0 | ||
| 63 | else return 0 | 73 | else return 0 |
| 64 | fi | 74 | fi |
| 65 | fi | 75 | fi |
| @@ -103,20 +113,11 @@ if [ "$RET" = "false" ]; then | |||
| 103 | cat <<EOF >> /etc/ssh/sshd_config | 113 | cat <<EOF >> /etc/ssh/sshd_config |
| 104 | #Explicitly set PrivSep off, as requested | 114 | #Explicitly set PrivSep off, as requested |
| 105 | UsePrivilegeSeparation no | 115 | UsePrivilegeSeparation no |
| 106 | |||
| 107 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
| 108 | # properly interface with the user | ||
| 109 | PAMAuthenticationViaKbdInt yes | ||
| 110 | EOF | 116 | EOF |
| 111 | else | 117 | else |
| 112 | cat <<EOF >> /etc/ssh/sshd_config | 118 | cat <<EOF >> /etc/ssh/sshd_config |
| 113 | #Privilege Separation is turned on for security | 119 | #Privilege Separation is turned on for security |
| 114 | UsePrivilegeSeparation yes | 120 | UsePrivilegeSeparation yes |
| 115 | |||
| 116 | # ...but breaks Pam auth via kbdint, so we have to turn it off | ||
| 117 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
| 118 | # properly interface with the user (off due to PrivSep) | ||
| 119 | PAMAuthenticationViaKbdInt no | ||
| 120 | EOF | 121 | EOF |
| 121 | fi | 122 | fi |
| 122 | 123 | ||
| @@ -138,8 +139,6 @@ RSAAuthentication yes | |||
| 138 | PubkeyAuthentication yes | 139 | PubkeyAuthentication yes |
| 139 | #AuthorizedKeysFile %h/.ssh/authorized_keys | 140 | #AuthorizedKeysFile %h/.ssh/authorized_keys |
| 140 | 141 | ||
| 141 | # rhosts authentication should not be used | ||
| 142 | RhostsAuthentication no | ||
| 143 | # Don't read the user's ~/.rhosts and ~/.shosts files | 142 | # Don't read the user's ~/.rhosts and ~/.shosts files |
| 144 | IgnoreRhosts yes | 143 | IgnoreRhosts yes |
| 145 | # For this to work you will also need host keys in /etc/ssh_known_hosts | 144 | # For this to work you will also need host keys in /etc/ssh_known_hosts |
| @@ -181,6 +180,7 @@ KeepAlive yes | |||
| 181 | 180 | ||
| 182 | Subsystem sftp /usr/lib/sftp-server | 181 | Subsystem sftp /usr/lib/sftp-server |
| 183 | 182 | ||
| 183 | UsePAM yes | ||
| 184 | EOF | 184 | EOF |
| 185 | } | 185 | } |
| 186 | 186 | ||