← Back to branch summary

~ubuntu-branches/ubuntu/edgy/openssh/edgy

« back to all changes in this revision

Viewing changes to debian/openssh-server.postinst

  • Committer: Bazaar Package Importer
  • Author(s): Colin Watson
  • Date: 2004-10-07 18:03:06 UTC
  • Revision ID: james.westby@ubuntu.com-20041007180306-0l8ii961txetbucx
Tags: 1:3.8.1p1-11ubuntu3
* Nathaniel McCallum:
  - debian/openssh-server.init: pretty initscript
  - debian/control: versioned depend on lsb-base

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/openssh-server.postinst
 
1
#!/bin/sh -e
 
2
 
 
3
action="$1"
 
4
oldversion="$2"
 
5
 
 
6
. /usr/share/debconf/confmodule
 
7
db_version 2.0
 
8
 
 
9
umask 022
 
10
 
 
11
if [ "$action" != configure ]
 
12
  then
 
13
  exit 0
 
14
fi
 
15
 
 
16
 
 
17
check_idea_key() {
 
18
    #check for old host_key files using IDEA, which openssh does not support
 
19
        if [ -f /etc/ssh/ssh_host_key ] ; then
 
20
                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
 
21
                                grep -q 'unknown cipher' 2>/dev/null ; then
 
22
      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
 
23
      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
 
24
  fi
 
25
        fi
 
26
}
 
27
 
 
28
 
 
29
get_config_option() {
 
30
        option="$1"
 
31
 
 
32
        [ -f /etc/ssh/sshd_config ] || return
 
33
 
 
34
        # TODO: actually only one '=' allowed after option
 
35
        perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
 
36
           /etc/ssh/sshd_config
 
37
}
 
38
 
 
39
 
 
40
set_config_option() {
 
41
        option="$1"
 
42
        value="$2"
 
43
 
 
44
        perl -e '
 
45
                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
 
46
                while (<STDIN>) {
 
47
                        if (s/^\s*\Q$option\E\s+.*/$option $value/) {
 
48
                                $done = 1;
 
49
                        }
 
50
                        print;
 
51
                }
 
52
                print "\n$option $value\n" unless $done;' \
 
53
                "$option" "$value" \
 
54
                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
 
55
        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
 
56
}
 
57
 
 
58
 
 
59
host_keys_required() {
 
60
        hostkeys="$(get_config_option HostKey)"
 
61
        if [ "$hostkeys" ]; then
 
62
                echo "$hostkeys"
 
63
        else
 
64
                # No HostKey directives at all, so the server picks some
 
65
                # defaults depending on the setting of Protocol.
 
66
                protocol="$(get_config_option Protocol)"
 
67
                [ "$protocol" ] || protocol=1,2
 
68
                if echo "$protocol" | grep 1 >/dev/null; then
 
69
                        echo /etc/ssh/ssh_host_key
 
70
                fi
 
71
                if echo "$protocol" | grep 2 >/dev/null; then
 
72
                        echo /etc/ssh/ssh_host_rsa_key
 
73
                        echo /etc/ssh/ssh_host_dsa_key
 
74
                fi
 
75
        fi
 
76
}
 
77
 
 
78
 
 
79
create_key() {
 
80
        msg="$1"
 
81
        shift
 
82
        hostkeys="$1"
 
83
        shift
 
84
        file="$1"
 
85
        shift
 
86
 
 
87
        if echo "$hostkeys" | grep -x "$file" >/dev/null && \
 
88
           [ ! -f "$file" ] ; then
 
89
                echo -n $msg
 
90
                ssh-keygen -q -f "$file" -N '' "$@"
 
91
                echo
 
92
        fi
 
93
}
 
94
 
 
95
 
 
96
create_keys() {
 
97
        hostkeys="$(host_keys_required)"
 
98
 
 
99
        create_key "Creating SSH1 key; this may take some time ..." \
 
100
                "$hostkeys" /etc/ssh/ssh_host_key -t rsa1
 
101
 
 
102
        create_key "Creating SSH2 RSA key; this may take some time ..." \
 
103
                "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
 
104
        create_key "Creating SSH2 DSA key; this may take some time ..." \
 
105
                "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
 
106
}
 
107
 
 
108
 
 
109
check_password_auth() {
 
110
        passwordauth="$(get_config_option PasswordAuthentication)"
 
111
        crauth="$(get_config_option ChallengeResponseAuthentication)"
 
112
        if [ "$passwordauth" = no ] && \
 
113
           ([ -z "$crauth" ] || [ "$crauth" = yes ]); then
 
114
                db_get ssh/disable_cr_auth
 
115
                if [ "$RET" = true ]; then
 
116
                        set_config_option ChallengeResponseAuthentication no
 
117
                fi
 
118
        fi
 
119
}
 
120
 
 
121
 
 
122
create_sshdconfig() {
 
123
        if [ -e /etc/ssh/sshd_config ] ; then
 
124
            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
 
125
                db_get ssh/new_config
 
126
                if [ "$RET" = "false" ] ; then return 0; fi
 
127
            else
 
128
                # Upgrade sshd configuration from a sane version.
 
129
 
 
130
                if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
 
131
                    ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \
 
132
                   grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \
 
133
                     /etc/ssh/sshd_config ; then
 
134
                    # Upgrade from pre-3.7: UsePAM needed to maintain standard
 
135
                    # Debian configuration.
 
136
                    # Note that --compare-versions is sadly not reliable enough
 
137
                    # here due to the package split of ssh into openssh-client
 
138
                    # and openssh-server. The extra grep for some deprecated
 
139
                    # options should with any luck be a good enough heuristic.
 
140
                    echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
 
141
                    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
 
142
                    perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
 
143
                        /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
 
144
                    echo >> /etc/ssh/sshd_config.dpkg-new
 
145
                    echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
 
146
                    mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
 
147
                    echo
 
148
                fi
 
149
 
 
150
                # An empty version means we're upgrading from before the
 
151
                # package split, so check.
 
152
                if dpkg --compare-versions "$oldversion" lt 1:3.8p1-1; then
 
153
                    check_password_auth
 
154
                fi
 
155
 
 
156
                return 0
 
157
            fi
 
158
        fi
 
159
 
 
160
        #Preserve old sshd_config before generating a new one
 
161
        if [ -e /etc/ssh/sshd_config ] ; then 
 
162
            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
 
163
        fi
 
164
 
 
165
        cat <<EOF > /etc/ssh/sshd_config
 
166
# Package generated configuration file
 
167
# See the sshd(8) manpage for details
 
168
 
 
169
# What ports, IPs and protocols we listen for
 
170
Port 22
 
171
# Use these options to restrict which interfaces/protocols sshd will bind to
 
172
#ListenAddress ::
 
173
#ListenAddress 0.0.0.0
 
174
EOF
 
175
        db_get ssh/protocol2_only
 
176
if [ "$RET" = "false" ]; then
 
177
                cat <<EOF >> /etc/ssh/sshd_config
 
178
Protocol 2,1
 
179
# HostKeys for protocol version 1
 
180
HostKey /etc/ssh/ssh_host_key
 
181
# HostKeys for protocol version 2
 
182
HostKey /etc/ssh/ssh_host_rsa_key
 
183
HostKey /etc/ssh/ssh_host_dsa_key
 
184
EOF
 
185
else
 
186
        cat <<EOF >> /etc/ssh/sshd_config
 
187
Protocol 2
 
188
# HostKeys for protocol version 2
 
189
HostKey /etc/ssh/ssh_host_rsa_key
 
190
HostKey /etc/ssh/ssh_host_dsa_key
 
191
EOF
 
192
fi
 
193
 
 
194
        cat <<EOF >> /etc/ssh/sshd_config
 
195
#Privilege Separation is turned on for security
 
196
UsePrivilegeSeparation yes
 
197
 
 
198
# Lifetime and size of ephemeral version 1 server key
 
199
KeyRegenerationInterval 3600
 
200
ServerKeyBits 768
 
201
 
 
202
# Logging
 
203
SyslogFacility AUTH
 
204
LogLevel INFO
 
205
 
 
206
# Authentication:
 
207
LoginGraceTime 600
 
208
PermitRootLogin yes
 
209
StrictModes yes
 
210
 
 
211
RSAAuthentication yes
 
212
PubkeyAuthentication yes
 
213
#AuthorizedKeysFile     %h/.ssh/authorized_keys
 
214
 
 
215
# Don't read the user's ~/.rhosts and ~/.shosts files
 
216
IgnoreRhosts yes
 
217
# For this to work you will also need host keys in /etc/ssh_known_hosts
 
218
RhostsRSAAuthentication no
 
219
# similar for protocol version 2
 
220
HostbasedAuthentication no
 
221
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 
222
#IgnoreUserKnownHosts yes
 
223
 
 
224
# To enable empty passwords, change to yes (NOT RECOMMENDED)
 
225
PermitEmptyPasswords no
 
226
 
 
227
# Change to no to disable s/key passwords
 
228
#ChallengeResponseAuthentication yes
 
229
 
 
230
# Change to yes to enable tunnelled clear text passwords
 
231
PasswordAuthentication no
 
232
 
 
233
 
 
234
# To change Kerberos options
 
235
#KerberosAuthentication no
 
236
#KerberosOrLocalPasswd yes
 
237
#AFSTokenPassing no
 
238
#KerberosTicketCleanup no
 
239
 
 
240
# Kerberos TGT Passing does only work with the AFS kaserver
 
241
#KerberosTgtPassing yes
 
242
 
 
243
X11Forwarding yes
 
244
X11DisplayOffset 10
 
245
PrintMotd no
 
246
PrintLastLog yes
 
247
KeepAlive yes
 
248
#UseLogin no
 
249
 
 
250
#MaxStartups 10:30:60
 
251
#Banner /etc/issue.net
 
252
 
 
253
Subsystem       sftp    /usr/lib/sftp-server
 
254
 
 
255
UsePAM yes
 
256
EOF
 
257
}
 
258
 
 
259
fix_statoverride() {
 
260
# Remove an erronous override for sshd (we should have overridden ssh)
 
261
        if [ -x /usr/sbin/dpkg-statoverride ]; then
 
262
                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
 
263
                        dpkg-statoverride --remove /usr/sbin/sshd
 
264
                fi
 
265
        fi
 
266
}
 
267
 
 
268
setup_sshd_user() {
 
269
        if ! getent passwd sshd >/dev/null; then
 
270
                adduser --quiet --system --no-create-home --home /var/run/sshd sshd
 
271
        fi
 
272
}
 
273
 
 
274
fix_conffile_permissions() {
 
275
        # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg
 
276
        # doesn't do this for us; see bug #192981.
 
277
        chmod 644 /etc/default/ssh
 
278
}
 
279
 
 
280
setup_init() {
 
281
        if [ -x /etc/init.d/ssh ]; then
 
282
                update-rc.d ssh defaults >/dev/null
 
283
                if [ -x /usr/sbin/invoke-rc.d ]; then
 
284
                        invoke-rc.d ssh restart
 
285
                else
 
286
                        /etc/init.d/ssh restart
 
287
                fi
 
288
        fi
 
289
}
 
290
 
 
291
 
 
292
create_sshdconfig
 
293
check_idea_key
 
294
create_keys
 
295
fix_statoverride
 
296
setup_sshd_user
 
297
if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then
 
298
    fix_conffile_permissions
 
299
fi
 
300
setup_init
 
301
 
 
302
 
 
303
db_stop
 
304
 
 
305
exit 0