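#!/bin/sh
# Package post-installation script for the OpenSSH server.
#
# Arguments: $1 - maintainer-script action (only "configure" does any work)
#            $2 - previously configured package version (may be empty)
#
# On configure it creates or upgrades /etc/ssh/sshd_config, generates any
# missing host keys, creates the "sshd" system user and restarts the service.
#
# This listing had been collapsed onto a few lines and had lost the here-doc
# operators ("<<EOF") and the Perl input handle ("<STDIN>"); both are
# restored below, since the script cannot work without them.

# Set in the body rather than on the shebang so that it still applies when
# the script is run as "sh postinst ...".
set -e

action="$1"
oldversion="$2"

. /usr/share/debconf/confmodule
db_version 2.0

# Files created below (including rewritten copies of sshd_config) are
# world-readable but writable only by the owner.
umask 022

if [ "$action" != configure ]; then
  exit 0
fi

# Move aside an old protocol-1 host key that uses the IDEA cipher, which
# OpenSSH does not support, so that a fresh key can be generated later.
check_idea_key() {
  if [ -f /etc/ssh/ssh_host_key ]; then
    # Re-saving the key with an empty passphrase is only a probe: the key is
    # renamed when ssh-keygen reports an unknown cipher.
    if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 |
      grep -q 'unknown cipher' 2>/dev/null; then
      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
    fi
  fi
}

# Print the value(s) of a configuration keyword from /etc/ssh/sshd_config.
# Arguments: $1 - keyword name (matched case-insensitively)
# Outputs:   one line per matching directive, keyword stripped
get_config_option() {
  option="$1"

  [ -f /etc/ssh/sshd_config ] || return

  # TODO: actually only one '=' allowed after option
  # The keyword is handed to perl through the environment and quoted with
  # \Q..\E, so it is always matched literally and never parsed as part of
  # the program text or the regex.
  SSHD_OPTION="$option" perl -ne \
    'print if s/^[[:space:]]*\Q$ENV{SSHD_OPTION}\E[[:space:]=]+//i' \
    /etc/ssh/sshd_config
}

# Set a keyword in /etc/ssh/sshd_config, replacing every existing directive
# for it or appending one when none is present.
# Arguments: $1 - keyword name, $2 - new value
set_config_option() {
  option="$1"
  value="$2"

  # The match is case-insensitive and accepts '=' as a separator, the same
  # forms get_config_option recognises. Otherwise a directive spelled in
  # another case would be left in place and the new value merely appended
  # after it, so a hardening change such as disabling
  # ChallengeResponseAuthentication could fail to take effect.
  # The script reads <STDIN> explicitly because @ARGV holds the keyword and
  # value, not file names.
  perl -e '
    $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
    while (<STDIN>) {
      if (s/^\s*\Q$option\E[\s=]+.*/$option $value/i) {
        $done = 1;
      }
      print;
    }
    print "\n$option $value\n" unless $done;' \
    "$option" "$value" \
    < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
  # The replacement is written next to the target and renamed over it; its
  # mode comes from the umask set above, not from the file it replaces.
  mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
}

# Print the host key files the server will expect, one per line.
host_keys_required() {
  hostkeys="$(get_config_option HostKey)"
  if [ "$hostkeys" ]; then
    printf '%s\n' "$hostkeys"
  else
    # No HostKey directives at all, so the server picks some
    # defaults depending on the setting of Protocol.
    protocol="$(get_config_option Protocol)"
    [ "$protocol" ] || protocol=1,2
    if printf '%s\n' "$protocol" | grep 1 >/dev/null; then
      echo /etc/ssh/ssh_host_key
    fi
    if printf '%s\n' "$protocol" | grep 2 >/dev/null; then
      echo /etc/ssh/ssh_host_rsa_key
      echo /etc/ssh/ssh_host_dsa_key
    fi
  fi
}

# Generate one host key if it is required and does not exist yet.
# Arguments: $1 - progress message
#            $2 - newline-separated list of required key files
#            $3 - key file to create
#            $4... - extra ssh-keygen arguments (key type)
create_key() {
  msg="$1"
  shift
  hostkeys="$1"
  shift
  file="$1"
  shift

  # -F: compare the path as a fixed string, not as a regular expression.
  if printf '%s\n' "$hostkeys" | grep -Fx -- "$file" >/dev/null &&
    [ ! -f "$file" ]; then
    printf '%s' "$msg"
    # Host keys are created without a passphrase so the daemon can start
    # unattended.
    ssh-keygen -q -f "$file" -N '' "$@"
    echo
  fi
}

# Generate every missing host key named by the current configuration.
# NOTE(review): the rsa1 (protocol 1) and dsa key types are legacy choices;
# whether the installed ssh-keygen still accepts them is not visible here -
# confirm, since a failing ssh-keygen aborts the script under "set -e".
create_keys() {
  hostkeys="$(host_keys_required)"

  create_key "Creating SSH1 key; this may take some time ..." \
    "$hostkeys" /etc/ssh/ssh_host_key -t rsa1

  create_key "Creating SSH2 RSA key; this may take some time ..." \
    "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
  create_key "Creating SSH2 DSA key; this may take some time ..." \
    "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
}

# When PasswordAuthentication is "no" but ChallengeResponseAuthentication is
# unset or "yes", disable the latter as well if the administrator agreed to
# it via the ssh/disable_cr_auth debconf question.
check_password_auth() {
  passwordauth="$(get_config_option PasswordAuthentication)"
  crauth="$(get_config_option ChallengeResponseAuthentication)"
  if [ "$passwordauth" = no ] &&
    { [ -z "$crauth" ] || [ "$crauth" = yes ]; }; then
    db_get ssh/disable_cr_auth
    if [ "$RET" = true ]; then
      set_config_option ChallengeResponseAuthentication no
    fi
  fi
}

# Create /etc/ssh/sshd_config, or upgrade an existing one in place.
# An existing file is regenerated only when upgrading from before 1:1.3 and
# the administrator answered "true" to ssh/new_config; the previous file is
# then kept as sshd_config.dpkg-old.
create_sshdconfig() {
  if [ -e /etc/ssh/sshd_config ]; then
    if dpkg --compare-versions "$oldversion" lt-nl 1:1.3; then
      db_get ssh/new_config
      if [ "$RET" = "false" ]; then return 0; fi
    else
      # Upgrade sshd configuration from a sane version.

      if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 &&
        ! grep -iq ^UsePAM /etc/ssh/sshd_config) ||
        grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
          /etc/ssh/sshd_config; then
        # Upgrade from pre-3.7: UsePAM needed to maintain standard
        # Debian configuration.
        # Note that --compare-versions is sadly not reliable enough
        # here due to the package split of ssh into openssh-client
        # and openssh-server. The extra grep for some deprecated
        # options should with any luck be a good enough heuristic.
        printf '%s' 'Upgrading sshd_config (old version in .dpkg-old) ...'
        cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
        perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
          /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
        echo >> /etc/ssh/sshd_config.dpkg-new
        echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
        echo
      fi

      # An empty version means we're upgrading from before the
      # package split, so check.
      if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
        check_password_auth
      fi

      return 0
    fi
  fi

  # Preserve old sshd_config before generating a new one
  if [ -e /etc/ssh/sshd_config ]; then
    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
  fi

  # The here-doc delimiters are quoted: the configuration text is literal
  # and nothing in it is meant to be expanded by the shell.
  cat <<'EOF' > /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
EOF

  # NOTE(review): answering "false" to ssh/protocol2_only keeps protocol 1
  # enabled as a fallback and adds its host key.
  db_get ssh/protocol2_only
  if [ "$RET" = "false" ]; then
    cat <<'EOF' >> /etc/ssh/sshd_config
Protocol 2,1
# HostKeys for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
  else
    cat <<'EOF' >> /etc/ssh/sshd_config
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
  fi

  # NOTE(review): defaults in the text below that an administrator should
  # review after installation: "PermitRootLogin yes", "ServerKeyBits 768"
  # and "LoginGraceTime 600". The file also sets "PasswordAuthentication no"
  # while leaving ChallengeResponseAuthentication commented out;
  # check_password_auth above treats an unset value the same as "yes", so
  # password-style logins through PAM may still be accepted on a fresh
  # install - confirm that this is intended.
  cat <<'EOF' >> /etc/ssh/sshd_config

#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

Subsystem sftp /usr/lib/sftp-server

UsePAM yes
EOF
}

# Remove an erroneous override for sshd (we should have overridden ssh)
fix_statoverride() {
  if [ -x /usr/sbin/dpkg-statoverride ]; then
    if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
      dpkg-statoverride --remove /usr/sbin/sshd
    fi
  fi
}

# Create the "sshd" system account if it does not exist yet. It gets no
# home directory of its own; its home is set to /var/run/sshd.
setup_sshd_user() {
  if ! getent passwd sshd >/dev/null; then
    adduser --quiet --system --no-create-home --home /var/run/sshd sshd
  fi
}

# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
# doesn't do this for us; see bug #192981.
fix_conffile_permissions() {
  chmod 644 /etc/default/ssh
}

# Register the init script and restart the daemon, going through
# invoke-rc.d when it is available.
setup_init() {
  if [ -x /etc/init.d/ssh ]; then
    update-rc.d ssh defaults >/dev/null
    if [ -x /usr/sbin/invoke-rc.d ]; then
      invoke-rc.d ssh restart
    else
      /etc/init.d/ssh restart
    fi
  fi
}

create_sshdconfig
check_idea_key
create_keys
fix_statoverride
setup_sshd_user
if dpkg --compare-versions "$oldversion" lt 1:3.6.1p2-2; then
  fix_conffile_permissions
fi
setup_init

db_stop

exit 0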