summaryrefslogtreecommitdiff
path: root/debian/openssh-server.postinst
AgeCommit message (Collapse)Author
2014-02-12Bump guard version for sysvinit->systemd transition to 1:6.5p1-3; we may ↵Colin Watson
have got it wrong before, and it's fairly harmless to repeat it.
2014-02-12Fix sysvinit->systemd transition codeColin Watson
We need to cope with still-running sysvinit jobs being considered active by systemd (thanks, Uoti Urpala and Michael Biebl).
2014-02-11Only enable ssh.service for systemd, not both ssh.service and ssh.socket. ↵Colin Watson
Thanks to Michael Biebl for spotting this.
2014-02-10Add systemd support (thanks, Sven Joachim; closes: #676830).Colin Watson
2014-02-10Generate ED25519 host keys on fresh installations.Colin Watson
Upgraders who wish to add such host keys should manually add 'HostKey /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
2013-11-12Increase ServerKeyBits value in package-generated sshd_config to 1024Colin Watson
(closes: #727622, LP: #1244272).
2013-06-13Use 'set -e' rather than '#! /bin/sh -e' in maintainer scripts andColin Watson
ssh-argv0.
2013-06-06Set SELinux context on private host keys as well as public host keysColin Watson
(closes: #687436).
2013-05-22If the running init daemon is Upstart, then, on the first upgrade toColin Watson
this version, check whether sysvinit is still managing sshd; if so, manually stop it so that it can be restarted under upstart. We do this near the end of the postinst, so it shouldn't result in any appreciable extra window where sshd is not running during upgrade.
2013-05-22* Remove the check for vulnerable host keys; this was first added fiveColin Watson
years ago, and everyone should have upgraded through a version that applied these checks by now. The ssh-vulnkey tool and the blacklisting support in sshd are still here, at least for the moment. * This removes the last of our uses of debconf (closes: #221531).
2013-05-22Switch to new unified layout for Upstart jobs as documented inColin Watson
https://wiki.ubuntu.com/UpstartCompatibleInitScripts: the init script checks for a running Upstart, and we now let dh_installinit handle most of the heavy lifting in maintainer scripts. Ubuntu users should be essentially unaffected except that sshd may no longer start automatically in chroots if the running Upstart predates 0.9.0; but the main goal is simply not to break when openssh-server is installed in a chroot.
2012-11-26Merge Upstart job scripting support from Ubuntu, to handle the Upstart job ↵Colin Watson
being primary there.
2011-04-04Remove unreachable code from openssh-server.postinst.Colin Watson
2011-01-24Generate ECDSA host keys. These will only be used on freshColin Watson
installations or if you manually add 'HostKey /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
2010-12-26Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd,Colin Watson
which is intentionally no longer shipped in the openssh-server package due to /var/run often being a temporary directory, is not removed on upgrade (closes: #575582).
2010-04-28Drop IDEA key check; I don't think it works properly any more due toColin Watson
textual changes in error output, it's only relevant for direct upgrades from truly ancient versions, and it breaks upgrades if /etc/ssh/ssh_host_key can't be loaded (closes: #579570).
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-01-04Refer to sshd_config(5) rather than sshd(8) in postinst-writtenColin Watson
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped configuration file (closes: #415008, although unfortunately this will only be conveniently visible on new installations).
2010-01-02Remove init script stop link in rc1, as killprocs handles it already.Colin Watson
2010-01-02Cope with insserv reordering of init script links.Colin Watson
2010-01-02Remove ssh/new_config, only needed for direct upgrades from potato whichColin Watson
are no longer particularly feasible anyway (closes: #420682).
2009-07-31Use 'which' rather than 'type' in maintainer scripts.Colin Watson
2008-05-12* Mitigate OpenSSL security vulnerability:Colin Watson
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
2008-04-04Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from oldColin Watson
configurations (LP: #211400).
2008-02-08* Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop definingColin Watson
SSHD_PAM_SERVICE (closes: #255870).
2007-12-24* Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).Colin Watson
2007-06-12stop link for rc1; fix function callColin Watson
2007-06-12* Move init script start links to S16, and remove stop links altogetherColin Watson
(closes: #122188).
2006-12-23fix disable_config_option to actually workColin Watson
2006-12-23* Make GSSAPICleanupCreds a compatibility alias forColin Watson
GSSAPICleanupCredentials. Mark GSSUseSessionCCache and GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate away from them on upgrade.
2006-12-06* When installing openssh-client or openssh-server from scratch, removeColin Watson
any unchanged conffiles from the pre-split ssh package to work around a bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
2006-12-06* Create transitional ssh-krb5 package which enables GSSAPI configurationColin Watson
in sshd_config. * Default client to attempting GSSAPI authentication. * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's found.
2006-11-20* Ignore errors from usermod when changing sshd'\''s shell, since it willColin Watson
fail if the sshd user is not local (closes: #398436).
2006-07-26silence grep outputColin Watson
2006-07-14* Change sshd user's shell to /usr/sbin/nologin (closes: #366541).Colin Watson
Introduces dependency on passwd for usermod.
2006-04-16* Rename KeepAlive to TCPKeepAlive in default sshd_configColin Watson
(closes: #349896).
2005-09-14 - Update commented-out Kerberos/GSSAPI options in default sshd_config.Colin Watson
2005-09-14* Set X11Forwarding to yes in the default sshd_config (new installs only).Colin Watson
At least when X11UseLocalhost is turned on, which is the default, the security risks of using X11 forwarding are risks to the client, not to the server (closes: #320104).
2005-07-09Do the IDEA host key check on a temporary file to avoid alteringColin Watson
/etc/ssh/ssh_host_key itself (closes: #312312).
2005-07-09fix awful formatting in check_idea_keyColin Watson
2005-07-03Make /usr/share/doc/openssh-server and /usr/share/doc/ssh symlinks toColin Watson
/usr/share/doc/openssh-client.
2005-06-17Manoj Srivastava:Colin Watson
- Added SELinux capability, and turned it on be default. Added restorecon calls in preinst and postinst (should not matter if the machine is not SELinux aware). By and large, the changes made should have no effect unless the rules file calls --with-selinux; and even then there should be no performance hit for machines not actively running SELinux. - Modified the preinst and postinst to call restorecon to set the security context for the generated public key files. - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system may want to also include pam_selinux.so.
2005-05-31Drop debconf support for allowing SSH protocol 1, which is discouraged andColin Watson
has not been the default since openssh 1:3.0.1p1-1. Users who need this should edit sshd_config instead (closes: #147212).
2005-05-31Fix up very old sshd_config files that refer to /usr/libexec/sftp-serverColin Watson
(closes: #141979).
2005-05-31Change libexecdir to /usr/lib/openssh, and fix up various alternatives andColin Watson
configuration files to match (closes: #87900, #151321).
2005-05-30Disable ChallengeResponseAuthentication in new installations, returning toColin Watson
PasswordAuthentication by default, since it now supports PAM and apparently works better with a non-threaded sshd.
2005-01-15Drop LoginGraceTime back to the upstream default of two minutes on newColin Watson
installs (closes: #289573).
2005-01-04Pass LANG and LC_* environment variables from the client by default, andColin Watson
accept them to the server by default in new installs, although not on upgrade (closes: #264024).
2004-10-24Forward-port from HEAD:Colin Watson
* Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754). * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH implementations apparently have problems with the long version string. This is of course a bug in those implementations, but since the extent of the problem is unknown it's best to play safe (closes: #275731). * debconf template translations: - Add Finnish (thanks, Matti Pöllä; closes: #265339). - Update Danish (thanks, Morten Brix Pedersen; closes: #275895). - Update French (thanks, Denis Barbier; closes: #276703). - Update Japanese (thanks, Kenshi Muto; closes: #277438).
2004-10-06Forward-port from HEAD:Colin Watson
* If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled.
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-02 10:30:52 +0000