summaryrefslogtreecommitdiff
path: root/debian/config
blob: 6670b4cae154d685102399ef85b1756cf7ea2aab (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/bin/sh 

action=$1
version=$2

if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then
  version=1.2.27
  cp -a /etc/ssh-nonfree /etc/ssh
fi

# Source debconf library.
. /usr/share/debconf/confmodule
db_version 2.0


get_config_option() {
	option="$1"

	[ -f /etc/ssh/sshd_config ] || return

	# TODO: actually only one '=' allowed after option
	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
	   /etc/ssh/sshd_config
}


if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
then
  db_input medium ssh/ssh2_keys_merged
fi

if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
then
  db_fset ssh/use_old_init_script seen false
  db_input medium ssh/use_old_init_script || true
  db_go

  db_get ssh/use_old_init_script
  [ "$RET" = "false" ] && exit 0
else
  db_set ssh/use_old_init_script true
  db_fset ssh/use_old_init_script seen true
fi

if [ -z "$version" ] && [ ! -e /etc/ssh/sshd_config ]
then
  db_input medium ssh/protocol2_only || true
fi

if [ -e /etc/ssh/sshd_config ]
then
    if dpkg --compare-versions "$version" lt-nl 1:1.3 ; 
    then db_input medium ssh/new_config || true
	db_go
	db_get ssh/new_config
	if [ "$RET" = "true" ];
	then db_input medium ssh/protocol2_only ||true
	fi
    fi

    if dpkg --compare-versions "$version" lt-nl 1:3.8.1p1-8.sarge.1
    then
	passwordauth="$(get_config_option PasswordAuthentication)"
	crauth="$(get_config_option ChallengeResponseAuthentication)"
	if [ "$passwordauth" = no ] && \
	   ([ -z "$crauth" ] || [ "$crauth" = yes ])
	then
	    db_input critical ssh/disable_cr_auth || true
	fi
    fi
fi 

db_input medium ssh/SUID_client || true

# To be correct during initial installation, this relies on the desired
# default for run_sshd being "true".
if [ -e /etc/ssh/sshd_not_to_be_run ]
then
    db_set ssh/run_sshd false
else
    db_set ssh/run_sshd true
fi
db_input medium ssh/run_sshd || true

if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf
then
  if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null
  then 
    db_input low ssh/insecure_telnetd || true
  fi
fi

key=/etc/ssh/ssh_host_key
export key
if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] &&
     dpkg --compare-versions "$version" lt 1.2.28
then
  # make sure that keys get updated to get rid of IDEA; preinst
  # actually does the work, but if the old ssh-keygen is not found,
  # it can't do that -- thus, we tell the user that he must create
  # a new host key.
  echo -en '\0\0' | 3<&0 sh -c \
      'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
    # this means that bytes 32&33 of the key were not both zero, in which
    # case the key is encrypted, which we need to fix
    db_input high ssh/encrypted_host_key_but_no_keygen || true
  }
fi


db_input low ssh/forward_warning || true

if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then
    db_input high ssh/user_environment_tell || true
fi

db_go

exit 0