path: root/debian/postinst.old

#!/bin/sh -e

action="$1"
oldversion="$2"

test -e /usr/share/debconf/confmodule && {
  . /usr/share/debconf/confmodule
    db_version 2.0
}


if [ "$action" != configure ]
  then
  exit 0
fi



check_idea_key() {
    #check for old host_key files using IDEA, which openssh does not support
	if [ -f /etc/ssh/ssh_host_key ] ; then
		if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
				grep -q 'unknown cipher' 2>/dev/null ; then
      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
  fi
	fi
}


create_key() {
	local file="$1"
	shift

	if [ ! -f "$file" ] ; then
		( umask 022 ; \
		  ssh-keygen -f "$file" -N '' "$@" > /dev/null )
  fi
}


create_keys() {
	RET=true
test -e /usr/share/debconf/confmodule && {
		db_get ssh/protocol2_only
}

	if [ "$RET" = "false" ] ; then
		echo "Creating SSH1 key"
		create_key /etc/ssh/ssh_host_key
fi

	echo "Creating SSH2 RSA key"
	create_key /etc/ssh/ssh_host_rsa_key -t rsa
	echo "Creating SSH2 DSA key"
	create_key /etc/ssh/ssh_host_dsa_key -t dsa
}


create_sshdconfig() {
	[ -e /etc/ssh/sshd_config ] && return

RET=true
test -e /usr/share/debconf/confmodule && {
		db_get ssh/protocol2_only
}

	cat <<EOF > /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Uncomment the next entry to accept IPv6 traffic.
#ListenAddress ::
#ListenAddress 0.0.0.0
EOF
if [ "$RET" = "false" ]; then
		cat <<EOF >> /etc/ssh/sshd_config
Protocol 2,1
# HostKeys for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
else
	cat <<EOF >> /etc/ssh/sshd_config
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
fi


	cat <<EOF >> /etc/ssh/sshd_config
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no

# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem	sftp	/usr/libexec/sftp-server
EOF
}


fix_rsh_diversion() {
# get rid of mistaken rsh diversion (circa 1.2.27-1)

	if [ -L /usr/bin/rsh ] &&
		dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
		for cmd in rlogin  rsh rcp ; do
			[ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
			dpkg-divert --package ssh --remove --rename \
				--divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd

			[ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
			dpkg-divert --package ssh --remove --rename \
				--divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
		done

		rmdir /usr/bin/rsh.real
	fi
}


fix_statoverride() {
# Remove an erronous override for sshd (we should have overridden ssh)
if [ -x /usr/sbin/dpkg-statoverride ]; then
		if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
			dpkg-statoverride --remote /usr/sbin/sshd
		fi
		fi
}


create_alternatives() {
# Create alternatives for the various r* tools
# Make sure we don't change existing alternatives that a user might have
# changed
	for cmd in rsh rlogin rcp ; do
		if ! update-alternatives --display $cmd | \
				grep -q ssh ; then
			update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
				--slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
	fi
	done
	
}


set_sshd_permissions() {
	suid=no

	[ -e /usr/share/debconf/confmodule ] && {
		db_get ssh/SUID_client
		suid="$RET"
	}

	if [ "$suid" = "yes" ] ; then
		if [ -x /usr/sbin/dpkg-statoverride ] && \
			! dpkg-statoverride /usr/bin/ssh ; then
			dpkg-statoverride --add root root 04755 /usr/bin/ssh
fi
	fi
}


setup_startup() {
	start=yes
	[ -e /usr/share/debconf/confmodule ] && {
		db_get ssh/run_sshd
		start="$RET"
	}

	if [ "$start" != "true" ] ; then
		touch /etc/ssh/sshd_not_to_be_run
	else
		rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
	fi
}


setup_init() {
if [ -e /etc/init.d/ssh ]; then
    update-rc.d ssh defaults >/dev/null
    /etc/init.d/ssh restart
fi
}

check_idea_key
create_keys
create_sshdconfig
fix_rsh_diversion
fix_statoverride
create_alternatives
set_sshd_permissions
setup_startup
setup_init


# Automatically added by dh_installdocs
if [ "$1" = "configure" ]; then
	if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
		ln -sf ../share/doc/ssh /usr/doc/ssh
	fi
fi
# End automatically added section


[ -e /usr/share/debconf/confmodule ] && db_stop

exit 0