From 7c8da8e1c4e0aa9f156da721c1f1ecf1e87d6112 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Fri, 14 Jul 2006 16:08:37 +0000
Subject: * Change sshd user's shell to /usr/sbin/nologin (closes: #366541). Introduces dependency on passwd for usermod.
---
 debian/changelog | 2 ++
 debian/control | 2 +-
 debian/openssh-server.postinst | 11 ++++++++++-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 66a338497..dceddd7fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ openssh (1:4.3p2-3) UNRELEASED; urgency=low
 * Document KeepAlive->TCPKeepAlive renaming in sshd_config(5) (closes:
 https://launchpad.net/bugs/50702).
+ * Change sshd user's shell to /usr/sbin/nologin (closes: #366541).
+ Introduces dependency on passwd for usermod.
 * debconf template translations:
 - Update French (thanks, Denis Barbier; closes: #368503).
 - Update Dutch (thanks, Bart Cornelis; closes: #375100).
diff --git a/debian/control b/debian/control
index 3bf6f513d..b95d1f759 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Uploaders: Colin Watson
 Package: openssh-client
 Architecture: any
-Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0)
+Depends: ${shlibs:Depends}, ${debconf-depends}, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
 Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5
 Replaces: ssh (<< 1:3.8.1p1-9), ssh-krb5
 Suggests: ssh-askpass, xbase-clients
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index ccacb411a..1ac6906da 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -289,9 +289,15 @@ fix_statoverride() {
 fi
 }
+fix_sshd_shell() {
+ if getent passwd sshd | grep ':/bin/false$'; then
+ usermod -s /usr/sbin/nologin sshd
+ fi
+}
+
 setup_sshd_user() {
 if ! getent passwd sshd >/dev/null; then
- adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+ adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
 fi
 }
@@ -318,6 +324,9 @@ create_sshdconfig
 check_idea_key
 create_keys
 fix_statoverride
+if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
+ fix_sshd_shell
+fi
 setup_sshd_user
 if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
 fix_conffile_permissions
-- cgit v1.2.3
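Review bot: The test in `fix_sshd_shell` pipes `getent passwd sshd` into `grep ':/bin/false$'` without silencing it, so the matching passwd entry is written to the script's standard output, whereas `setup_sshd_user` just below sends its own `getent` output to `/dev/null`. If this postinst talks to debconf over stdout (not visible in the hunk), stray output can confuse the frontend; the condition should read `if getent passwd sshd | grep -q ':/bin/false$'; then`. Separately, `getent` consults every configured NSS source while `usermod` edits only the local account files, so for an sshd account that is not local the `usermod` call would fail, and it presumably aborts the configure step if the script runs under `set -e`.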
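Review bot: The `fix_sshd_shell` call added ahead of `setup_sshd_user` runs `usermod`, but the `passwd` dependency this commit introduces is placed in the `Package: openssh-client` stanza of debian/control rather than on openssh-server. That is only sufficient if openssh-server depends on openssh-client, which the visible hunks do not show; if it does not, `passwd` belongs in the openssh-server `Depends` as well. The version guard would also benefit from a one-line comment, for example `# Older packages created sshd with /bin/false; switch it to nologin once on upgrade.`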