From db393ffdb5103db641bb18219da7cc1934bb5d6f Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 21 Jul 2004 14:16:40 +0000 Subject: Generate host keys in postinst only if the relevant HostKey directives are found in sshd_config (closes: #87946). --- debian/changelog | 2 ++ debian/postinst | 49 ++++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 42 insertions(+), 9 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a588623bd..5768423fe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ openssh (1:3.8.1p1-6) UNRELEASED; urgency=low http://lists.debian.org/debian-boot/2004/07/msg01207.html to get openssh-client-udeb to show up as a retrievable debian-installer component. + * Generate host keys in postinst only if the relevant HostKey directives + are found in sshd_config (closes: #87946). -- Colin Watson Mon, 19 Jul 2004 20:22:39 +0100 diff --git a/debian/postinst b/debian/postinst index ac5e1c555..1baae1677 100644 --- a/debian/postinst +++ b/debian/postinst 
@@ -27,13 +27,45 @@ check_idea_key() { } +get_config_option() { + option="$1" + + # TODO: actually only one '=' allowed after option + perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ + /etc/ssh/sshd_config +} + + +host_keys_required() { + hostkeys="$(get_config_option HostKey)" + if [ "$hostkeys" ]; then + echo "$hostkeys" + else + # No HostKey directives at all, so the server picks some + # defaults depending on the setting of Protocol. + protocol="$(get_config_option Protocol)" + [ "$protocol" ] || protocol=1,2 + if echo "$protocol" | grep 1 >/dev/null; then + echo /etc/ssh/ssh_host_key + fi + if echo "$protocol" | grep 2 >/dev/null; then + echo /etc/ssh/ssh_host_rsa_key + echo /etc/ssh/ssh_host_dsa_key + fi + fi +} + + create_key() { msg="$1" shift + hostkeys="$1" + shift file="$1" shift - if [ ! -f "$file" ] ; then + if echo "$hostkeys" | grep -x "$file" >/dev/null && \ + [ ! -f "$file" ] ; then echo -n $msg ssh-keygen -q -f "$file" -N '' "$@" echo @@ -42,16 +74,15 @@ create_key() { create_keys() { - db_get ssh/protocol2_only - if [ "$RET" = "false" ] ; then - create_key "Creating SSH1 key; this may take some time ..." \ - /etc/ssh/ssh_host_key -t rsa1 - fi + hostkeys="$(host_keys_required)" + + create_key "Creating SSH1 key; this may take some time ..." \ + "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 create_key "Creating SSH2 RSA key; this may take some time ..." \ - /etc/ssh/ssh_host_rsa_key -t rsa + "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa create_key "Creating SSH2 DSA key; this may take some time ..." \ - /etc/ssh/ssh_host_dsa_key -t dsa + "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa } @@ -304,9 +335,9 @@ setup_init() { fi } +create_sshdconfig check_idea_key create_keys -create_sshdconfig fix_rsh_diversion fix_statoverride create_alternatives -- cgit v1.2.3
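Review bot: The new guard in create_key, `grep -x "$file"`, treats the path as a regular expression and only succeeds when the extracted HostKey value equals it exactly. get_config_option prints the rest of the config line unchanged, so a HostKey line ending in blanks or a CR would never match and the key would be skipped without any message. I would match literally with `if echo "$hostkeys" | grep -Fx "$file" >/dev/null && \` and trim the value in the filter, e.g. `perl -ne 'if (s/^[[:space:]]*'"$option"'[[:space:]=]+//i) { s/[[:space:]]+$//; print "$_\n" }' \`. `$option` is spliced into the Perl program text, which is fine for the two literal callers here but deserves a comment saying it must never carry external input. create_key's closing lines fall outside this hunk.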
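Review bot: create_keys no longer says that the `ssh/protocol2_only` debconf answer has stopped influencing key generation, which is easy to miss when reading the function on its own. Whether the rsa1 key is created now depends only on what host_keys_required parses from sshd_config, and with neither HostKey nor Protocol present it falls back to `1,2`. Whether create_sshdconfig always writes a Protocol line is not visible here, so I would document the behaviour above the first call: `# Key selection follows sshd_config only (HostKey, else Protocol, else 1,2); ssh/protocol2_only is not consulted here.`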
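Review bot: Nothing at the call site records why create_sshdconfig moved ahead of create_keys. The order now matters because create_keys reads HostKey and Protocol from /etc/ssh/sshd_config through host_keys_required. A comment such as `# create_sshdconfig must run first: create_keys reads HostKey/Protocol from sshd_config` would keep a later reshuffle from making key generation fall back to the default key set on a fresh install.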