~ubuntu-branches/ubuntu/lucid/openssh/lucid : contents of debian/openssh-server.postinst at revision 57

~ubuntu-branches/ubuntu/lucid/openssh/lucid : (revision 57)

#!/bin/sh -e

action="$1"
oldversion="$2"

. /usr/share/debconf/confmodule
db_version 2.0

umask 022

if [ "$action" != configure ]
  then
  exit 0
fi


fix_doc_symlink() {
	if [ ! -L /usr/share/doc/openssh-server ] && \
	   dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
		rm -rf /usr/share/doc/openssh-server
		ln -s openssh-client /usr/share/doc/openssh-server
	fi
}

check_idea_key() {
	# check for old host_key files using IDEA, which openssh does not
	# support
	if [ -f /etc/ssh/ssh_host_key ] ; then
		cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
		if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \
				grep -q 'unknown cipher' 2>/dev/null; then
			mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
			mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
		fi
		rm -f /etc/ssh/ssh_host_key.check_idea
	fi
}


get_config_option() {
	option="$1"

	[ -f /etc/ssh/sshd_config ] || return

	# TODO: actually only one '=' allowed after option
	perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
	   /etc/ssh/sshd_config
}


set_config_option() {
	option="$1"
	value="$2"

	perl -le '
		$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
		while (<STDIN>) {
			chomp;
			(my $match = $_) =~ s/\s+/ /g;
			if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
				$_ = $match;
				$done = 1;
			}
			print;
		}
		print "$option $value" unless $done;' \
		"$option" "$value" \
		< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
}


disable_config_option() {
	option="$1"

	value="$(get_config_option "$option")"
	[ "$value" ] || return 0

	perl -le '
		$option = $ARGV[0];
		while (<STDIN>) {
			chomp;
			(my $match = $_) =~ s/\s+/ /g;
			# TODO: actually only one "=" allowed after option
			if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) {
				$_ = $match;
			}
			print;
		}' \
		"$option" \
		< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
}


rename_config_option() {
	oldoption="$1"
	newoption="$2"

	value="$(get_config_option "$oldoption")"
	[ "$value" ] || return 0

	perl -le '
		$oldoption = $ARGV[0]; $newoption = $ARGV[1];
		while (<STDIN>) {
			chomp;
			(my $match = $_) =~ s/\s+/ /g;
			# TODO: actually only one "=" allowed after option
			if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
				$_ = $match;
			}
			print;
		}' \
		"$oldoption" "$newoption" \
		< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
}


remove_obsolete_gssapi() {
	disable_config_option GSSAPINoMICAuthentication
	disable_config_option GSSUseSessionCCache
	disable_config_option GSSAPIUseSessionCredCache
}


host_keys_required() {
	hostkeys="$(get_config_option HostKey)"
	if [ "$hostkeys" ]; then
		echo "$hostkeys"
	else
		# No HostKey directives at all, so the server picks some
		# defaults depending on the setting of Protocol.
		protocol="$(get_config_option Protocol)"
		[ "$protocol" ] || protocol=1,2
		if echo "$protocol" | grep 1 >/dev/null; then
			echo /etc/ssh/ssh_host_key
		fi
		if echo "$protocol" | grep 2 >/dev/null; then
			echo /etc/ssh/ssh_host_rsa_key
			echo /etc/ssh/ssh_host_dsa_key
		fi
	fi
}


create_key() {
	msg="$1"
	shift
	hostkeys="$1"
	shift
	file="$1"
	shift

	if echo "$hostkeys" | grep -x "$file" >/dev/null && \
	   [ ! -f "$file" ] ; then
		echo -n $msg
		ssh-keygen -q -f "$file" -N '' "$@"
		echo
		if which restorecon >/dev/null 2>&1; then
			restorecon "$file.pub"
		fi
	fi
}


create_keys() {
	hostkeys="$(host_keys_required)"

	create_key "Creating SSH1 key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_key -t rsa1

	create_key "Creating SSH2 RSA key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	create_key "Creating SSH2 DSA key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
}


vulnerable_host_keys() {
	# If the admin has explicitly put the vulnerable keys back, we
	# assume they can look after themselves.
	db_fget ssh/vulnerable_host_keys seen
	if [ "$RET" = true ]; then
		return 0
	fi

	hostkeys="$(host_keys_required)"
	vulnerable=
	for hostkey in $hostkeys; do
		[ -f "$hostkey" ] || continue
		if ssh-vulnkey -q "$hostkey"; then
			vulnerable="${vulnerable:+$vulnerable }$hostkey"
		fi
	done
	if [ "$vulnerable" ]; then
		db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
		db_input critical ssh/vulnerable_host_keys || true
		db_go
		for hostkey in $vulnerable; do
			mv "$hostkey" "$hostkey.broken" || true
			mv "$hostkey.pub" "$hostkey.pub.broken" || true
		done
		create_keys
	fi
}


check_password_auth() {
	passwordauth="$(get_config_option PasswordAuthentication)"
	crauth="$(get_config_option ChallengeResponseAuthentication)"
	if [ "$passwordauth" = no ] && \
	   ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
		db_get ssh/disable_cr_auth
		if [ "$RET" = true ]; then
			set_config_option ChallengeResponseAuthentication no
		fi
	fi
}


move_subsystem_sftp() {
	subsystem_sftp="$(get_config_option 'Subsystem sftp')"
	if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \
	   [ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
		set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
	fi
}


create_sshdconfig() {
	if [ -e /etc/ssh/sshd_config ] ; then
	    # Upgrade an existing sshd configuration.

	    if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
		! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
	       grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
		 /etc/ssh/sshd_config ; then
		# Upgrade from pre-3.7: UsePAM needed to maintain standard
		# Debian configuration.
		# Note that --compare-versions is sadly not reliable enough
		# here due to the package split of ssh into openssh-client
		# and openssh-server. The extra grep for some deprecated
		# options should with any luck be a good enough heuristic.
		echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
		cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
		perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
		    /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
		echo >> /etc/ssh/sshd_config.dpkg-new
		echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
		chown --reference /etc/ssh/sshd_config \
				  /etc/ssh/sshd_config.dpkg-new
		chmod --reference /etc/ssh/sshd_config \
				  /etc/ssh/sshd_config.dpkg-new
		mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
		echo
	    fi

	    # An empty version means we're upgrading from before the
	    # package split, so check.
	    if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
		check_password_auth
	    fi

	    # libexecdir changed, so fix up 'Subsystem sftp'.
	    if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
		move_subsystem_sftp
	    fi

	    # Remove obsolete GSSAPI options.
	    if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
		remove_obsolete_gssapi
	    fi

	    # This option was renamed in 3.8p1, but we never took care
	    # of adjusting the configuration file until now.
	    if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
		rename_config_option KeepAlive TCPKeepAlive
	    fi

	    return 0
	fi

	#Preserve old sshd_config before generating a new one
	if [ -e /etc/ssh/sshd_config ] ; then 
	    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	fi

	cat <<EOF > /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
EOF
}

fix_statoverride() {
# Remove an erronous override for sshd (we should have overridden ssh)
	if [ -x /usr/sbin/dpkg-statoverride ]; then
		if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
			dpkg-statoverride --remove /usr/sbin/sshd
		fi
	fi
}

fix_sshd_shell() {
	if getent passwd sshd | grep -q ':/bin/false$'; then
		usermod -s /usr/sbin/nologin sshd || true
	fi
}

setup_sshd_user() {
	if ! getent passwd sshd >/dev/null; then
		adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
	fi
}

fix_conffile_permissions() {
	# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
	# doesn't do this for us; see bug #192981.
	chmod 644 /etc/default/ssh
}

remove_old_init_links() {
	# Yes, this only works with the SysV init script layout. I know.
	# The important thing is that it doesn't actually *break* with
	# file-rc ...
	if [ -e /etc/rc2.d/S20ssh ]; then
		update-rc.d -f ssh remove >/dev/null 2>&1
	fi
	rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
}

setup_init() {
	if [ -e /etc/init/ssh.conf ]; then
		if dpkg --compare-versions "$oldversion" lt 1:5.1p1-8ubuntu2; then
			if [ -x /usr/sbin/invoke-rc.d ]; then
				invoke-rc.d ssh stop
			else
				/etc/init.d/ssh stop
			fi
		fi
		stop ssh 2>/dev/null || true
		start ssh || true
	fi
	update-rc.d -f ssh remove >/dev/null || true
}

commit_transfer_conffile () {
	CONFFILE="$1"
	if [ -e "$CONFFILE.moved-by-preinst" ]; then
		rm -f "$CONFFILE.moved-by-preinst"
	fi
}

commit_mv_conffile () {
	OLDCONFFILE="$1"
	NEWCONFFILE="$2"

	if [ -e "$OLDCONFFILE.moving" ]; then
		echo "Preserving user changes to $NEWCONFFILE ..."
		mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
		mv -f "$OLDCONFFILE.moving" "$NEWCONFFILE"
	elif [ -e "$OLDCONFFILE.dpkg-old" ]; then
		rm -f "$OLDCONFFILE.dpkg-old"
	fi
}


fix_doc_symlink
create_sshdconfig
check_idea_key
create_keys
vulnerable_host_keys
fix_statoverride
if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
    fix_sshd_shell
fi
setup_sshd_user
if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
    fix_conffile_permissions
fi
if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
    remove_old_init_links
fi
setup_init
commit_transfer_conffile /etc/default/ssh
commit_transfer_conffile /etc/init.d/ssh
commit_transfer_conffile /etc/pam.d/ssh
commit_mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd
# Renamed to /etc/ssh/moduli in 2.9.9 (!)
if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
    rm -f /etc/ssh/primes
fi


db_stop

exit 0

2 by Colin Watson * Nathaniel McCallum:	1	#!/bin/sh -e
	2
	3	action="$1"
	4	oldversion="$2"
	5
	6	. /usr/share/debconf/confmodule
	7	db_version 2.0
	8
	9	umask 022
	10
	11	if [ "$action" != configure ]
	12	then
	13	exit 0
	14	fi
	15
	16
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	17	fix_doc_symlink() {
	18	if [ ! -L /usr/share/doc/openssh-server ] && \
	19	dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then
	20	rm -rf /usr/share/doc/openssh-server
	21	ln -s openssh-client /usr/share/doc/openssh-server
	22	fi
	23	}
	24
2 by Colin Watson * Nathaniel McCallum:	25	check_idea_key() {
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	26	# check for old host_key files using IDEA, which openssh does not
	27	# support
2 by Colin Watson * Nathaniel McCallum:	28	if [ -f /etc/ssh/ssh_host_key ] ; then
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	29	cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea
	30	if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 \| \
	31	grep -q 'unknown cipher' 2>/dev/null; then
	32	mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
	33	mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
	34	fi
	35	rm -f /etc/ssh/ssh_host_key.check_idea
2 by Colin Watson * Nathaniel McCallum:	36	fi
	37	}
	38
	39
	40	get_config_option() {
	41	option="$1"
	42
	43	[ -f /etc/ssh/sshd_config ] \|\| return
	44
	45	# TODO: actually only one '=' allowed after option
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	46	perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \
2 by Colin Watson * Nathaniel McCallum:	47	/etc/ssh/sshd_config
	48	}
	49
	50
	51	set_config_option() {
	52	option="$1"
	53	value="$2"
	54
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	55	perl -le '
2 by Colin Watson * Nathaniel McCallum:	56	$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
2 by Colin Watson * Nathaniel McCallum:	57	while (<STDIN>) {
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	58	chomp;
	59	(my $match = $_) =~ s/\s+/ /g;
	60	if ($match =~ s/^\s\Q$option\E\s+./$option $value/) {
	61	$_ = $match;
2 by Colin Watson * Nathaniel McCallum:	62	$done = 1;
	63	}
	64	print;
	65	}
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	66	print "$option $value" unless $done;' \
2 by Colin Watson * Nathaniel McCallum:	67	"$option" "$value" \
2 by Colin Watson * Nathaniel McCallum:	68	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
3 by Colin Watson Don't ask unnecessary and misplaced ssh/forward_warning debconf note	69	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	70	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
2 by Colin Watson * Nathaniel McCallum:	71	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	72	}
	73
	74
19 by Colin Watson * Resynchronise with Debian. Remaining changes:	75	disable_config_option() {
	76	option="$1"
	77
	78	value="$(get_config_option "$option")"
	79	[ "$value" ] \|\| return 0
	80
	81	perl -le '
	82	$option = $ARGV[0];
	83	while (<STDIN>) {
	84	chomp;
	85	(my $match = $_) =~ s/\s+/ /g;
	86	# TODO: actually only one "=" allowed after option
	87	if ($match =~ s/^(\s\Q$option\E[[:space:]=]+.)/#$1/i) {
	88	$_ = $match;
	89	}
	90	print;
	91	}' \
	92	"$option" \
	93	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	94	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	95	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	96	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	97	}
	98
	99
34 by Colin Watson * Resynchronise with Debian. Remaining changes:	100	rename_config_option() {
	101	oldoption="$1"
	102	newoption="$2"
	103
	104	value="$(get_config_option "$oldoption")"
	105	[ "$value" ] \|\| return 0
	106
	107	perl -le '
	108	$oldoption = $ARGV[0]; $newoption = $ARGV[1];
	109	while (<STDIN>) {
	110	chomp;
	111	(my $match = $_) =~ s/\s+/ /g;
	112	# TODO: actually only one "=" allowed after option
	113	if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
	114	$_ = $match;
	115	}
	116	print;
	117	}' \
	118	"$oldoption" "$newoption" \
	119	< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	120	chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	121	chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
	122	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	123	}
	124
	125
18 by Colin Watson * Resynchronise with Debian. Remaining changes:	126	remove_obsolete_gssapi() {
19 by Colin Watson * Resynchronise with Debian. Remaining changes:	127	disable_config_option GSSAPINoMICAuthentication
	128	disable_config_option GSSUseSessionCCache
	129	disable_config_option GSSAPIUseSessionCredCache
18 by Colin Watson * Resynchronise with Debian. Remaining changes:	130	}
	131
	132
2 by Colin Watson * Nathaniel McCallum:	133	host_keys_required() {
	134	hostkeys="$(get_config_option HostKey)"
	135	if [ "$hostkeys" ]; then
	136	echo "$hostkeys"
	137	else
	138	# No HostKey directives at all, so the server picks some
	139	# defaults depending on the setting of Protocol.
	140	protocol="$(get_config_option Protocol)"
	141	[ "$protocol" ] \|\| protocol=1,2
	142	if echo "$protocol" \| grep 1 >/dev/null; then
	143	echo /etc/ssh/ssh_host_key
	144	fi
	145	if echo "$protocol" \| grep 2 >/dev/null; then
	146	echo /etc/ssh/ssh_host_rsa_key
	147	echo /etc/ssh/ssh_host_dsa_key
	148	fi
	149	fi
	150	}
	151
	152
	153	create_key() {
	154	msg="$1"
	155	shift
	156	hostkeys="$1"
	157	shift
	158	file="$1"
	159	shift
	160
	161	if echo "$hostkeys" \| grep -x "$file" >/dev/null && \
	162	[ ! -f "$file" ] ; then
	163	echo -n $msg
	164	ssh-keygen -q -f "$file" -N '' "$@"
	165	echo
23.1.5 by Colin Watson * Update config.guess and config.sub from autotools-dev 20090611.1	166	if which restorecon >/dev/null 2>&1; then
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	167	restorecon "$file.pub"
	168	fi
2 by Colin Watson * Nathaniel McCallum:	169	fi
	170	}
	171
	172
	173	create_keys() {
	174	hostkeys="$(host_keys_required)"
	175
	176	create_key "Creating SSH1 key; this may take some time ..." \
	177	"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
	178
	179	create_key "Creating SSH2 RSA key; this may take some time ..." \
	180	"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	181	create_key "Creating SSH2 DSA key; this may take some time ..." \
	182	"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
	183	}
	184
	185
35 by Colin Watson * Resynchronise with Debian. Remaining changes:	186	vulnerable_host_keys() {
	187	# If the admin has explicitly put the vulnerable keys back, we
	188	# assume they can look after themselves.
	189	db_fget ssh/vulnerable_host_keys seen
	190	if [ "$RET" = true ]; then
	191	return 0
	192	fi
	193
	194	hostkeys="$(host_keys_required)"
	195	vulnerable=
	196	for hostkey in $hostkeys; do
	197	[ -f "$hostkey" ] \|\| continue
	198	if ssh-vulnkey -q "$hostkey"; then
	199	vulnerable="${vulnerable:+$vulnerable }$hostkey"
	200	fi
	201	done
	202	if [ "$vulnerable" ]; then
	203	db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
	204	db_input critical ssh/vulnerable_host_keys \|\| true
	205	db_go
	206	for hostkey in $vulnerable; do
	207	mv "$hostkey" "$hostkey.broken" \|\| true
	208	mv "$hostkey.pub" "$hostkey.pub.broken" \|\| true
	209	done
	210	create_keys
	211	fi
	212	}
	213
	214
2 by Colin Watson * Nathaniel McCallum:	215	check_password_auth() {
	216	passwordauth="$(get_config_option PasswordAuthentication)"
	217	crauth="$(get_config_option ChallengeResponseAuthentication)"
	218	if [ "$passwordauth" = no ] && \
	219	([ -z "$crauth" ] \|\| [ "$crauth" = yes ]); then
	220	db_get ssh/disable_cr_auth
	221	if [ "$RET" = true ]; then
	222	set_config_option ChallengeResponseAuthentication no
	223	fi
	224	fi
	225	}
	226
	227
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	228	move_subsystem_sftp() {
	229	subsystem_sftp="$(get_config_option 'Subsystem sftp')"
	230	if [ "$subsystem_sftp" = /usr/lib/sftp-server ] \|\| \
	231	[ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then
	232	set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server
	233	fi
	234	}
	235
	236
2 by Colin Watson * Nathaniel McCallum:	237	create_sshdconfig() {
2 by Colin Watson * Nathaniel McCallum:	238	if [ -e /etc/ssh/sshd_config ] ; then
23.1.7 by Colin Watson * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out	239	# Upgrade an existing sshd configuration.
	240
	241	if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
	242	! grep -iq ^UsePAM /etc/ssh/sshd_config) \|\| \
	243	grep -Eiq '^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)' \
	244	/etc/ssh/sshd_config ; then
	245	# Upgrade from pre-3.7: UsePAM needed to maintain standard
	246	# Debian configuration.
	247	# Note that --compare-versions is sadly not reliable enough
	248	# here due to the package split of ssh into openssh-client
	249	# and openssh-server. The extra grep for some deprecated
	250	# options should with any luck be a good enough heuristic.
	251	echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
	252	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	253	perl -pe 's/^(PAMAuthenticationViaKbdInt\|RhostsAuthentication)\b/#$1/i' \
	254	/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
	255	echo >> /etc/ssh/sshd_config.dpkg-new
	256	echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
	257	chown --reference /etc/ssh/sshd_config \
	258	/etc/ssh/sshd_config.dpkg-new
	259	chmod --reference /etc/ssh/sshd_config \
	260	/etc/ssh/sshd_config.dpkg-new
	261	mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
	262	echo
	263	fi
	264
	265	# An empty version means we're upgrading from before the
	266	# package split, so check.
	267	if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then
	268	check_password_auth
	269	fi
	270
	271	# libexecdir changed, so fix up 'Subsystem sftp'.
	272	if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then
	273	move_subsystem_sftp
	274	fi
	275
	276	# Remove obsolete GSSAPI options.
	277	if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then
	278	remove_obsolete_gssapi
	279	fi
	280
	281	# This option was renamed in 3.8p1, but we never took care
	282	# of adjusting the configuration file until now.
	283	if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
	284	rename_config_option KeepAlive TCPKeepAlive
	285	fi
	286
	287	return 0
2 by Colin Watson * Nathaniel McCallum:	288	fi
	289
	290	#Preserve old sshd_config before generating a new one
	291	if [ -e /etc/ssh/sshd_config ] ; then
	292	mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
	293	fi
	294
	295	cat <<EOF > /etc/ssh/sshd_config
	296	# Package generated configuration file
23.1.7 by Colin Watson * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out	297	# See the sshd_config(5) manpage for details
2 by Colin Watson * Nathaniel McCallum:	298
	299	# What ports, IPs and protocols we listen for
	300	Port 22
	301	# Use these options to restrict which interfaces/protocols sshd will bind to
	302	#ListenAddress ::
	303	#ListenAddress 0.0.0.0
	304	Protocol 2
	305	# HostKeys for protocol version 2
	306	HostKey /etc/ssh/ssh_host_rsa_key
	307	HostKey /etc/ssh/ssh_host_dsa_key
	308	#Privilege Separation is turned on for security
	309	UsePrivilegeSeparation yes
	310
	311	# Lifetime and size of ephemeral version 1 server key
	312	KeyRegenerationInterval 3600
	313	ServerKeyBits 768
	314
	315	# Logging
	316	SyslogFacility AUTH
	317	LogLevel INFO
	318
	319	# Authentication:
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	320	LoginGraceTime 120
2 by Colin Watson * Nathaniel McCallum:	321	PermitRootLogin yes
	322	StrictModes yes
	323
	324	RSAAuthentication yes
	325	PubkeyAuthentication yes
	326	#AuthorizedKeysFile %h/.ssh/authorized_keys
	327
	328	# Don't read the user's ~/.rhosts and ~/.shosts files
	329	IgnoreRhosts yes
	330	# For this to work you will also need host keys in /etc/ssh_known_hosts
	331	RhostsRSAAuthentication no
	332	# similar for protocol version 2
	333	HostbasedAuthentication no
	334	# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
	335	#IgnoreUserKnownHosts yes
	336
	337	# To enable empty passwords, change to yes (NOT RECOMMENDED)
	338	PermitEmptyPasswords no
	339
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	340	# Change to yes to enable challenge-response passwords (beware issues with
	341	# some PAM modules and threads)
	342	ChallengeResponseAuthentication no
2 by Colin Watson * Nathaniel McCallum:	343
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	344	# Change to no to disable tunnelled clear text passwords
	345	#PasswordAuthentication yes
2 by Colin Watson * Nathaniel McCallum:	346
5 by Colin Watson Resynchronise with Debian.	347	# Kerberos options
2 by Colin Watson * Nathaniel McCallum:	348	#KerberosAuthentication no
5 by Colin Watson Resynchronise with Debian.	349	#KerberosGetAFSToken no
2 by Colin Watson * Nathaniel McCallum:	350	#KerberosOrLocalPasswd yes
5 by Colin Watson Resynchronise with Debian.	351	#KerberosTicketCleanup yes
2 by Colin Watson * Nathaniel McCallum:	352
5 by Colin Watson Resynchronise with Debian.	353	# GSSAPI options
	354	#GSSAPIAuthentication no
	355	#GSSAPICleanupCredentials yes
2 by Colin Watson * Nathaniel McCallum:	356
	357	X11Forwarding yes
	358	X11DisplayOffset 10
	359	PrintMotd no
	360	PrintLastLog yes
10 by Colin Watson * Resynchronise with Debian.	361	TCPKeepAlive yes
2 by Colin Watson * Nathaniel McCallum:	362	#UseLogin no
	363
	364	#MaxStartups 10:30:60
	365	#Banner /etc/issue.net
	366
3 by Colin Watson Don't ask unnecessary and misplaced ssh/forward_warning debconf note	367	# Allow client to pass locale environment variables
	368	AcceptEnv LANG LC_*
	369
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	370	Subsystem sftp /usr/lib/openssh/sftp-server
2 by Colin Watson * Nathaniel McCallum:	371
23.1.7 by Colin Watson * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out	372	# Set this to 'yes' to enable PAM authentication, account processing,
	373	# and session processing. If this is enabled, PAM authentication will
	374	# be allowed through the ChallengeResponseAuthentication and
	375	# PasswordAuthentication. Depending on your PAM configuration,
	376	# PAM authentication via ChallengeResponseAuthentication may bypass
	377	# the setting of "PermitRootLogin without-password".
	378	# If you just want the PAM account and session checks to run without
	379	# PAM authentication, then enable this but set PasswordAuthentication
	380	# and ChallengeResponseAuthentication to 'no'.
2 by Colin Watson * Nathaniel McCallum:	381	UsePAM yes
	382	EOF
	383	}
	384
	385	fix_statoverride() {
	386	# Remove an erronous override for sshd (we should have overridden ssh)
	387	if [ -x /usr/sbin/dpkg-statoverride ]; then
	388	if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
	389	dpkg-statoverride --remove /usr/sbin/sshd
	390	fi
	391	fi
	392	}
	393
15 by Colin Watson Resynchronise with Debian.	394	fix_sshd_shell() {
15 by Colin Watson Resynchronise with Debian.	395	if getent passwd sshd \| grep -q ':/bin/false$'; then
18 by Colin Watson * Resynchronise with Debian. Remaining changes:	396	usermod -s /usr/sbin/nologin sshd \|\| true
15 by Colin Watson Resynchronise with Debian.	397	fi
	398	}
	399
2 by Colin Watson * Nathaniel McCallum:	400	setup_sshd_user() {
2 by Colin Watson * Nathaniel McCallum:	401	if ! getent passwd sshd >/dev/null; then
15 by Colin Watson Resynchronise with Debian.	402	adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
2 by Colin Watson * Nathaniel McCallum:	403	fi
	404	}
	405
	406	fix_conffile_permissions() {
	407	# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
	408	# doesn't do this for us; see bug #192981.
	409	chmod 644 /etc/default/ssh
	410	}
	411
21 by Colin Watson * New upstream release (closes: #395507, #397961, #420035). Important	412	remove_old_init_links() {
	413	# Yes, this only works with the SysV init script layout. I know.
	414	# The important thing is that it doesn't actually break with
	415	# file-rc ...
	416	if [ -e /etc/rc2.d/S20ssh ]; then
	417	update-rc.d -f ssh remove >/dev/null 2>&1
	418	fi
23.1.7 by Colin Watson * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out	419	rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh
21 by Colin Watson * New upstream release (closes: #395507, #397961, #420035). Important	420	}
	421
2 by Colin Watson * Nathaniel McCallum:	422	setup_init() {
51 by Colin Watson * Resynchronise with Debian. Remaining changes:	423	if [ -e /etc/init/ssh.conf ]; then
	424	if dpkg --compare-versions "$oldversion" lt 1:5.1p1-8ubuntu2; then
	425	if [ -x /usr/sbin/invoke-rc.d ]; then
	426	invoke-rc.d ssh stop
	427	else
	428	/etc/init.d/ssh stop
	429	fi
2 by Colin Watson * Nathaniel McCallum:	430	fi
51 by Colin Watson * Resynchronise with Debian. Remaining changes:	431	stop ssh 2>/dev/null \|\| true
	432	start ssh \|\| true
2 by Colin Watson * Nathaniel McCallum:	433	fi
51 by Colin Watson * Resynchronise with Debian. Remaining changes:	434	update-rc.d -f ssh remove >/dev/null \|\| true
2 by Colin Watson * Nathaniel McCallum:	435	}
2 by Colin Watson * Nathaniel McCallum:	436
18 by Colin Watson * Resynchronise with Debian. Remaining changes:	437	commit_transfer_conffile () {
	438	CONFFILE="$1"
	439	if [ -e "$CONFFILE.moved-by-preinst" ]; then
	440	rm -f "$CONFFILE.moved-by-preinst"
	441	fi
	442	}
	443
30 by Colin Watson Add support for registering ConsoleKit sessions on login.	444	commit_mv_conffile () {
	445	OLDCONFFILE="$1"
	446	NEWCONFFILE="$2"
	447
	448	if [ -e "$OLDCONFFILE.moving" ]; then
	449	echo "Preserving user changes to $NEWCONFFILE ..."
	450	mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
	451	mv -f "$OLDCONFFILE.moving" "$NEWCONFFILE"
	452	elif [ -e "$OLDCONFFILE.dpkg-old" ]; then
	453	rm -f "$OLDCONFFILE.dpkg-old"
	454	fi
	455	}
	456
2 by Colin Watson * Nathaniel McCallum:	457
4 by Colin Watson * Add /usr/games to the default $PATH for non-privileged users.	458	fix_doc_symlink
2 by Colin Watson * Nathaniel McCallum:	459	create_sshdconfig
	460	check_idea_key
	461	create_keys
35 by Colin Watson * Resynchronise with Debian. Remaining changes:	462	vulnerable_host_keys
2 by Colin Watson * Nathaniel McCallum:	463	fix_statoverride
15 by Colin Watson Resynchronise with Debian.	464	if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
	465	fix_sshd_shell
	466	fi
2 by Colin Watson * Nathaniel McCallum:	467	setup_sshd_user
	468	if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
	469	fix_conffile_permissions
	470	fi
23.1.7 by Colin Watson * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out	471	if dpkg --compare-versions "$2" lt 1:5.2p1-1; then
21 by Colin Watson * New upstream release (closes: #395507, #397961, #420035). Important	472	remove_old_init_links
	473	fi
2 by Colin Watson * Nathaniel McCallum:	474	setup_init
18 by Colin Watson * Resynchronise with Debian. Remaining changes:	475	commit_transfer_conffile /etc/default/ssh
	476	commit_transfer_conffile /etc/init.d/ssh
	477	commit_transfer_conffile /etc/pam.d/ssh
30 by Colin Watson Add support for registering ConsoleKit sessions on login.	478	commit_mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd
27 by Colin Watson * New upstream release (closes: #453367).	479	# Renamed to /etc/ssh/moduli in 2.9.9 (!)
	480	if dpkg --compare-versions "$2" lt 1:4.7p1-1; then
	481	rm -f /etc/ssh/primes
	482	fi
2 by Colin Watson * Nathaniel McCallum:	483
	484
	485	db_stop
	486
	487	exit 0