summaryrefslogtreecommitdiff
path: root/debian/openssh-server.postinst
AgeCommit message (Collapse)Author
2020-05-23Fix or suppress various shellcheck errors under debian/Colin Watson
2019-02-28Correctly handle conffile move to openssh-serverDominik George
Closes: #919344
2018-01-26Add debconf template to disable password authColin Watson
The new template is called openssh-server/password-authentication, and is preseeding-only (at least for now). Closes: #878945
2017-08-22Drop upstart system and user jobs.Dimitri John Ledkov
2017-04-22Ensure that /etc/ssh exists before trying to create /etc/ssh/sshd_config ↵Colin Watson
(LP: #1685022).
2017-03-30Move privilege separation directory and PID file from /var/run/ to /run/ ↵Colin Watson
(closes: #760422, #856825).
2017-01-06Remove temporary file on exit from postinst (closes: #850275).Colin Watson
2016-12-26Start handling /etc/ssh/sshd_config using ucf.Colin Watson
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation for this is to deal with deprecations of options related to protocol 1, but something like this has been needed for a long time (closes: #419574, #848089): - sshd_config is now a slightly-patched version of upstream's, and only contains non-default settings (closes: #147201). - I've included as many historical md5sums of default versions of sshd_config as I could reconstruct from version control, but I'm sure I've missed some. - Explicitly synchronise the debconf database with the current configuration file state in openssh-server.config, to ensure that the PermitRootLogin setting is properly preserved. - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather than "yes", per upstream.
2016-12-24Move PermitRootLogin handling into create_sshdconfig.Colin Watson
2016-12-23Remove entries related to protocol 1 from the default sshd_config generated ↵Colin Watson
on new installations.
2016-07-22Stop generating DSA host keys by default (thanks, Santiago Vila; closes: ↵Colin Watson
#823827).
2016-01-17Remove protocol 1 host key generation from openssh-server.postinst (closes: ↵Colin Watson
#811265).
2015-11-29New upstream release (7.1p1).Colin Watson
2015-11-29Change "PermitRootLogin without-password" to the new preferred spelling of ↵Colin Watson
"PermitRootLogin prohibit-password" in sshd_config, and update documentation to reflect the new upstream default.
2015-04-19Silence confusing messages if Upstart is installed but not activeMartin Pitt
* openssh-server.postinst: Quiesce "Unable to connect to Upstart" error message from initctl if upstart is installed, but not the current init system. (LP: #1440070) * openssh-server.postinst: Fix version comparisons of upgrade adjustments to not apply to fresh installs.
2015-03-22Revert LC_* configuration change (closes: #780797).Colin Watson
2014-11-06Send/accept only specific known LC_* variables, rather than using a wildcard ↵Colin Watson
(closes: #765633).
2014-11-03Assume that dpkg-statoverride exists and drop the test for an obsolete ↵Colin Watson
compatibility path.
2014-09-20Show fingerprints of new keys after creating them in the postinst (closes: ↵Colin Watson
#762128).
2014-06-28Make get_config_option more robust against trailing whitespace (thanks, ↵Colin Watson
LaMont Jones).
2014-03-27Change to "PermitRootLogin without-password" for new installationsColin Watson
Also ask a debconf question when upgrading systems with "PermitRootLogin yes" from previous versions. Closes: #298138
2014-02-13Remove code related to non-dependency-based sysv-rc ordering, since that is ↵Colin Watson
no longer supported.
2014-02-12Reorder transition code by guard version.Colin Watson
2014-02-12Bump guard version for sysvinit->systemd transition to 1:6.5p1-3; we may ↵Colin Watson
have got it wrong before, and it's fairly harmless to repeat it.
2014-02-12Fix sysvinit->systemd transition codeColin Watson
We need to cope with still-running sysvinit jobs being considered active by systemd (thanks, Uoti Urpala and Michael Biebl).
2014-02-11Only enable ssh.service for systemd, not both ssh.service and ssh.socket. ↵Colin Watson
Thanks to Michael Biebl for spotting this.
2014-02-10Add systemd support (thanks, Sven Joachim; closes: #676830).Colin Watson
2014-02-10Generate ED25519 host keys on fresh installations.Colin Watson
Upgraders who wish to add such host keys should manually add 'HostKey /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
2013-11-12Increase ServerKeyBits value in package-generated sshd_config to 1024Colin Watson
(closes: #727622, LP: #1244272).
2013-06-13Use 'set -e' rather than '#! /bin/sh -e' in maintainer scripts andColin Watson
ssh-argv0.
2013-06-06Set SELinux context on private host keys as well as public host keysColin Watson
(closes: #687436).
2013-05-22If the running init daemon is Upstart, then, on the first upgrade toColin Watson
this version, check whether sysvinit is still managing sshd; if so, manually stop it so that it can be restarted under upstart. We do this near the end of the postinst, so it shouldn't result in any appreciable extra window where sshd is not running during upgrade.
2013-05-22* Remove the check for vulnerable host keys; this was first added fiveColin Watson
years ago, and everyone should have upgraded through a version that applied these checks by now. The ssh-vulnkey tool and the blacklisting support in sshd are still here, at least for the moment. * This removes the last of our uses of debconf (closes: #221531).
2013-05-22Switch to new unified layout for Upstart jobs as documented inColin Watson
https://wiki.ubuntu.com/UpstartCompatibleInitScripts: the init script checks for a running Upstart, and we now let dh_installinit handle most of the heavy lifting in maintainer scripts. Ubuntu users should be essentially unaffected except that sshd may no longer start automatically in chroots if the running Upstart predates 0.9.0; but the main goal is simply not to break when openssh-server is installed in a chroot.
2012-11-26Merge Upstart job scripting support from Ubuntu, to handle the Upstart job ↵Colin Watson
being primary there.
2011-04-04Remove unreachable code from openssh-server.postinst.Colin Watson
2011-01-24Generate ECDSA host keys. These will only be used on freshColin Watson
installations or if you manually add 'HostKey /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
2010-12-26Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,Colin Watson
which is intentionally no longer shipped in the openssh-server package due to /var/run often being a temporary directory, is not removed on upgrade (closes: #575582).
2010-04-28Drop IDEA key check; I don't think it works properly any more due toColin Watson
textual changes in error output, it's only relevant for direct upgrades from truly ancient versions, and it breaks upgrades if /etc/ssh/ssh_host_key can't be loaded (closes: #579570).
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-01-04Refer to sshd_config(5) rather than sshd(8) in postinst-writtenColin Watson
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped configuration file (closes: #415008, although unfortunately this will only be conveniently visible on new installations).
2010-01-02Remove init script stop link in rc1, as killprocs handles it already.Colin Watson
2010-01-02Cope with insserv reordering of init script links.Colin Watson
2010-01-02Remove ssh/new_config, only needed for direct upgrades from potato whichColin Watson
are no longer particularly feasible anyway (closes: #420682).
2009-07-31Use 'which' rather than 'type' in maintainer scripts.Colin Watson
2008-05-12* Mitigate OpenSSL security vulnerability:Colin Watson
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
2008-04-04Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from oldColin Watson
configurations (LP: #211400).
2008-02-08* Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop definingColin Watson
SSHD_PAM_SERVICE (closes: #255870).
2007-12-24* Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).Colin Watson
2007-06-12stop link for rc1; fix function callColin Watson