From 0cf35bd0df53b4e540a8b8525b5519f55737c327 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Fri, 8 Feb 2008 00:29:23 +0000
Subject: * Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop defining SSHD_PAM_SERVICE (closes: #255870).
---
 debian/changelog | 2 ++
 debian/openssh-server.postinst | 14 ++++++++++++++
 debian/openssh-server.postrm | 25 +++++++++++++++++++++++++
 debian/openssh-server.preinst | 17 +++++++++++++++++
 debian/openssh-server.ssh.pam | 39 ---------------------------------------
 debian/openssh-server.sshd.pam | 39 +++++++++++++++++++++++++++++++++++++++
 debian/rules | 3 +--
 7 files changed, 98 insertions(+), 41 deletions(-)
 delete mode 100644 debian/openssh-server.ssh.pam
 create mode 100644 debian/openssh-server.sshd.pam
diff --git a/debian/changelog b/debian/changelog
index 8b1f8d856..4a8c1798b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ openssh (1:4.7p1-4) UNRELEASED; urgency=low
 [ Colin Watson ]
 * Include the autogenerated debian/copyright in the source package.
+ * Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop defining
+ SSHD_PAM_SERVICE (closes: #255870).
 -- Colin Watson Mon, 04 Feb 2008 09:47:31 +0000
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 61d34d281..ed7590c87 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -372,6 +372,19 @@ commit_transfer_conffile () {
 fi
 }
+commit_mv_conffile () {
+ OLDCONFFILE="$1"
+ NEWCONFFILE="$2"
+
+ if [ -e "$OLDCONFFILE.moving" ]; then
+ echo "Preserving user changes to $NEWCONFFILE ..."
+ mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
+ mv -f "$OLDCONFFILE.moving" "$NEWCONFFILE"
+ elif [ -e "$OLDCONFFILE.dpkg-old" ]; then
+ rm -f "$OLDCONFFILE.dpkg-old"
+ fi
+}
+
 fix_doc_symlink
 create_sshdconfig
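Review bot: In commit_mv_conffile (debian/openssh-server.postinst) the first `mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"` runs without checking that the new file exists. If /etc/pam.d/sshd is absent at that point the mv fails, and if the script runs under `set -e` (not visible in this hunk) it stops before the administrator's saved `.moving` copy is put back, leaving sshd without its own PAM service file. Guarding the step, `[ ! -e "$NEWCONFFILE" ] || mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"`, keeps the restore reachable. The function is complete within the hunk.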
@@ -392,6 +405,7 @@ setup_init
 commit_transfer_conffile /etc/default/ssh
 commit_transfer_conffile /etc/init.d/ssh
 commit_transfer_conffile /etc/pam.d/ssh
+commit_mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd
 # Renamed to /etc/ssh/moduli in 2.9.9 (!)
 if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
 rm -f /etc/ssh/primes
diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm
index 32471c718..30682d6d0 100644
--- a/debian/openssh-server.postrm
+++ b/debian/openssh-server.postrm
@@ -2,6 +2,26 @@
 #DEBHELPER#
+abort_mv_conffile () {
+ CONFFILE="$1"
+
+ if [ ! -e "$CONFFILE" ]; then
+ if [ -e "$CONFFILE.dpkg-old" ]; then
+ mv -f "$CONFFILE.dpkg-old" "$CONFFILE"
+ elif [ -e "$CONFFILE.moving" ]; then
+ mv -f "$CONFFILE.moving" "$CONFFILE"
+ fi
+ fi
+}
+
+finish_mv_conffile () {
+ CONFFILE="$1"
+
+ if [ -e "$CONFFILE.dpkg-old" ]; then
+ rm -f "$CONFFILE.dpkg-old"
+ fi
+}
+
 abort_transfer_conffile () {
 CONFFILE="$1"
 if [ -e "$CONFFILE.moved-by-preinst" ]; then
@@ -13,6 +33,9 @@ abort_transfer_conffile () {
 case $1 in
 abort-install|abort-upgrade)
+ if dpkg --compare-versions "$2" lt 1:4.7p1-4; then
+ abort_mv_conffile /etc/pam.d/ssh
+ fi
 abort_transfer_conffile /etc/default/ssh
 abort_transfer_conffile /etc/init.d/ssh
 abort_transfer_conffile /etc/pam.d/ssh
@@ -34,6 +57,8 @@ case $1 in
 if type deluser >/dev/null 2>&1; then
 deluser --quiet sshd > /dev/null || true
 fi
+
+ finish_mv_conffile /etc/pam.d/ssh
 ;;
 esac
diff --git a/debian/openssh-server.preinst b/debian/openssh-server.preinst
index 87871bdaa..4ca7f2f6e 100644
--- a/debian/openssh-server.preinst
+++ b/debian/openssh-server.preinst
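Review bot: abort_mv_conffile and finish_mv_conffile in debian/openssh-server.postrm depend on a file-suffix convention that is only established by the preinst part of this patch, and neither function documents it. A header comment on each would make the recovery path auditable, for example `# Undo prepare_mv_conffile: restore whichever copy preinst set aside (.dpkg-old = unmodified, .moving = locally modified).` above abort_mv_conffile and `# Drop the unmodified copy that preinst saved as .dpkg-old.` above finish_mv_conffile. The comment on abort_mv_conffile should also mention that it is only called for upgrades from versions before 1:4.7p1-4, matching the guard added in the `abort-install|abort-upgrade` branch.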
@@ -36,6 +36,19 @@ prepare_transfer_conffile () {
 fi
 }
+prepare_mv_conffile () {
+ CONFFILE="$1"
+ [ -e "$CONFFILE" ] || return 0
+
+ md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')"
+ old_md5sum="$(dpkg-query -W -f '${Conffiles}\n' openssh-server 2>/dev/null | sed 's/^ *//' | awk '$1 == "'"$CONFFILE"'" { print $2 }')"
+ if [ "$md5sum" = "$old_md5sum" ]; then
+ mv -f "$CONFFILE" "$CONFFILE.dpkg-old"
+ else
+ mv -f "$CONFFILE" "$CONFFILE.moving"
+ fi
+}
+
 if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then
 version=1.2.27
 fi
@@ -117,6 +130,10 @@ EOF
 prepare_transfer_conffile /etc/init.d/ssh "$ETC_INIT_D_SSH" 0755
 prepare_transfer_conffile /etc/pam.d/ssh "$ETC_PAM_D_SSH" 0644
 fi
+
+ if dpkg --compare-versions "$version" lt 1:4.7p1-4; then
+ prepare_mv_conffile /etc/pam.d/ssh
+ fi
 fi
 #DEBHELPER#
diff --git a/debian/openssh-server.ssh.pam b/debian/openssh-server.ssh.pam
deleted file mode 100644
index 9b7695184..000000000
--- a/debian/openssh-server.ssh.pam
+++ /dev/null
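Review bot: prepare_mv_conffile in debian/openssh-server.preinst renames /etc/pam.d/ssh in both branches, so from preinst until the new package is configured there is no PAM file under the `ssh` service name that the previously built sshd was compiled to use (`-DSSHD_PAM_SERVICE=\"ssh\"`, removed in debian/rules by this patch). PAM presumably falls back to its `other` policy for logins accepted in that window, so local restrictions kept in the file, such as the pam_access line the shipped file suggests enabling, may not be applied. Leaving the original in place and only recording its state, for instance `cp -p "$CONFFILE" "$CONFFILE.moving"` in the else branch with a matching `rm -f "$OLDCONFFILE"` in postinst's commit_mv_conffile, would keep the policy continuous. If the rename is kept, a comment above the function should state the gap so it is a recorded trade-off.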
@@ -1,39 +0,0 @@
-# PAM configuration for the Secure Shell service
-
-# Read environment variables from /etc/environment and
-# /etc/security/pam_env.conf.
-auth required pam_env.so # [1]
-# In Debian 4.0 (etch), locale-related environment variables were moved to
-# /etc/default/locale, so read that as well.
-auth required pam_env.so envfile=/etc/default/locale
-
-# Standard Un*x authentication.
-@include common-auth
-
-# Disallow non-root logins when /etc/nologin exists.
-account required pam_nologin.so
-
-# Uncomment and edit /etc/security/access.conf if you need to set complex
-# access limits that are hard to express in sshd_config.
-# account required pam_access.so
-
-# Standard Un*x authorization.
-@include common-account
-
-# Standard Un*x session setup and teardown.
-@include common-session
-
-# Print the message of the day upon successful login.
-session optional pam_motd.so # [1]
-
-# Print the status of the user's mailbox upon successful login.
-session optional pam_mail.so standard noenv # [1]
-
-# Set up user limits from /etc/security/limits.conf.
-session required pam_limits.so
-
-# Set up SELinux capabilities (need modified pam)
-# session required pam_selinux.so multiple
-
-# Standard Un*x password updating.
-@include common-password
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam
new file mode 100644
index 000000000..9b7695184
--- /dev/null
+++ b/debian/openssh-server.sshd.pam
@@ -0,0 +1,39 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+auth required pam_env.so envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session required pam_selinux.so multiple
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/debian/rules b/debian/rules
index 964f320cb..746624498 100755
--- a/debian/rules
+++ b/debian/rules
@@ -96,7 +96,6 @@ confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superu
 # Compiler flags.
 cflags := $(OPTFLAGS) $(PIE_CFLAGS)
 cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
-cflags += -DSSHD_PAM_SERVICE=\"ssh\"
 cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
 cflags_udeb := -Os
 cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
@@ -241,7 +240,7 @@ binary-openssh-server: build install
 dh_installdocs
 mv debian/openssh-server/usr/share/doc/openssh-server debian/openssh-server/usr/share/doc/openssh-client
 rm -f debian/openssh-server/usr/share/doc/openssh-client/copyright
- dh_installpam --name ssh
+ dh_installpam --name sshd
 dh_link
 dh_strip
 dh_compress
-- cgit v1.2.3
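Review bot: Installing the file with `dh_installpam --name sshd`, together with the removal of `-DSSHD_PAM_SERVICE=\"ssh\"` in the earlier debian/rules hunk, changes the PAM service name sshd presents (presumably to `sshd`, the upstream default), and the changelog entry mentions only the file move. Local policy keyed on the old service name, such as service entries in /etc/security/time.conf or a pam_succeed_if `service` test, would stop matching without any error. A NEWS entry along the lines of `sshd now uses the PAM service name "sshd"; update any local rules that refer to "ssh"` would tell administrators what to check. The binary-openssh-server recipe continues outside the hunk.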