# Load the debconf client library; it provides db_get, which the rest of
# this maintainer script uses to read the ssh/disable_cr_auth,
# ssh/new_config and ssh/protocol2_only answers.
. /usr/share/debconf/confmodule
if [ "$action" != configure ]
# Check for an old SSH1 host key (/etc/ssh/ssh_host_key) encrypted with IDEA,
# which OpenSSH does not support; ssh-keygen reports it as 'unknown cipher'.
if [ -f /etc/ssh/ssh_host_key ] ; then
if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
grep -q 'unknown cipher' 2>/dev/null ; then
mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
[ -f /etc/ssh/sshd_config ] || return
# TODO: sshd_config allows only one '=' between option and value; this
# pattern accepts any run of whitespace and '=' characters.
perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
$option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
if (s/^\s*\Q$option\E\s+.*/$option $value/) {
print "\n$option $value\n" unless $done;' \
< /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
host_keys_required() {
hostkeys="$(get_config_option HostKey)"
if [ "$hostkeys" ]; then
# No HostKey directives at all, so the server picks some
# defaults depending on the setting of Protocol.
protocol="$(get_config_option Protocol)"
[ "$protocol" ] || protocol=1,2
if echo "$protocol" | grep 1 >/dev/null; then
echo /etc/ssh/ssh_host_key
if echo "$protocol" | grep 2 >/dev/null; then
echo /etc/ssh/ssh_host_rsa_key
echo /etc/ssh/ssh_host_dsa_key
if echo "$hostkeys" | grep -x "$file" >/dev/null && \
[ ! -f "$file" ] ; then
ssh-keygen -q -f "$file" -N '' "$@"
hostkeys="$(host_keys_required)"
create_key "Creating SSH1 key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
create_key "Creating SSH2 RSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
create_key "Creating SSH2 DSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
check_password_auth() {
passwordauth="$(get_config_option PasswordAuthentication)"
crauth="$(get_config_option ChallengeResponseAuthentication)"
if [ "$passwordauth" = no ] && \
([ -z "$crauth" ] || [ "$crauth" = yes ]); then
db_get ssh/disable_cr_auth
if [ "$RET" = true ]; then
set_config_option ChallengeResponseAuthentication no
create_sshdconfig() {
if [ -e /etc/ssh/sshd_config ] ; then
if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
db_get ssh/new_config
if [ "$RET" = "false" ] ; then return 0; fi
# Upgrade sshd configuration from a sane version.
if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
/etc/ssh/sshd_config ; then
# Upgrade from pre-3.7: UsePAM needed to maintain standard
# Debian configuration.
# Note that --compare-versions is sadly not reliable enough
# here due to the package split of ssh into openssh-client
# and openssh-server. The extra grep for some deprecated
# options should with any luck be a good enough heuristic.
echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
/etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
echo >> /etc/ssh/sshd_config.dpkg-new
echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
# An empty version means we're upgrading from before the
# package split, so check.
if dpkg --compare-versions "$oldversion" lt 1:3.8p1-1; then
#Preserve old sshd_config before generating a new one
if [ -e /etc/ssh/sshd_config ] ; then
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
cat <<EOF > /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress 0.0.0.0
db_get ssh/protocol2_only
if [ "$RET" = "false" ]; then
cat <<EOF >> /etc/ssh/sshd_config
# HostKeys for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
cat <<EOF >> /etc/ssh/sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
cat <<EOF >> /etc/ssh/sshd_config
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#MaxStartups 10:30:60
#Banner /etc/issue.net
Subsystem sftp /usr/lib/sftp-server
# Remove an erroneous override for sshd (we should have overridden ssh)
if [ -x /usr/sbin/dpkg-statoverride ]; then
if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
dpkg-statoverride --remove /usr/sbin/sshd
if ! getent passwd sshd >/dev/null; then
adduser --quiet --system --no-create-home --home /var/run/sshd sshd
fix_conffile_permissions() {
# Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
# doesn't do this for us; see bug #192981.
chmod 644 /etc/default/ssh
if [ -x /etc/init.d/ssh ]; then
update-rc.d ssh defaults >/dev/null
if [ -x /usr/sbin/invoke-rc.d ]; then
invoke-rc.d ssh restart
/etc/init.d/ssh restart
if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
fix_conffile_permissions