118 lines
2.8 KiB
Bash
118 lines
2.8 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
. /usr/share/debconf/confmodule
|
|
db_version 2.0
|
|
|
|
action="$1"
|
|
|
|
umask 022
|
|
|
|
|
|
get_config_option() {
|
|
option="$1"
|
|
|
|
[ -f /etc/ssh/sshd_config ] || return
|
|
|
|
/usr/sbin/sshd -G | sed -n "s/^$option //Ip"
|
|
}
|
|
|
|
|
|
create_key() {
|
|
msg="$1"
|
|
shift
|
|
hostkeys="$1"
|
|
shift
|
|
file="$1"
|
|
shift
|
|
|
|
if echo "$hostkeys" | grep -x "$file" >/dev/null && \
|
|
[ ! -f "$file" ] ; then
|
|
printf %s "$msg"
|
|
ssh-keygen -q -f "$file" -N '' "$@"
|
|
echo
|
|
if command -v restorecon >/dev/null 2>&1; then
|
|
restorecon "$file" "$file.pub"
|
|
fi
|
|
ssh-keygen -l -f "$file.pub"
|
|
fi
|
|
}
|
|
|
|
|
|
create_keys() {
|
|
hostkeys="$(get_config_option HostKey)"
|
|
|
|
create_key "Creating SSH2 RSA key; this may take some time ..." \
|
|
"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
|
|
create_key "Creating SSH2 ECDSA key; this may take some time ..." \
|
|
"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
|
|
create_key "Creating SSH2 ED25519 key; this may take some time ..." \
|
|
"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
|
|
}
|
|
|
|
|
|
new_config=
|
|
|
|
cleanup() {
|
|
if [ "$new_config" ]; then
|
|
rm -f "$new_config"
|
|
fi
|
|
}
|
|
|
|
|
|
create_sshdconfig() {
|
|
# XXX cjwatson 2016-12-24: This debconf template is very confusingly
|
|
# named; its description is "Disable SSH password authentication for
|
|
# root?", so true -> prohibit-password (the upstream default),
|
|
# false -> yes.
|
|
db_get openssh-server/permit-root-login
|
|
permit_root_login="$RET"
|
|
db_get openssh-server/password-authentication
|
|
password_authentication="$RET"
|
|
|
|
trap cleanup EXIT
|
|
new_config="$(mktemp)"
|
|
cp -aZ /usr/share/openssh/sshd_config "$new_config"
|
|
if [ "$permit_root_login" != true ]; then
|
|
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
|
|
"$new_config"
|
|
fi
|
|
if [ "$password_authentication" != true ]; then
|
|
sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
|
|
"$new_config"
|
|
fi
|
|
mkdir -pZ /etc/ssh
|
|
ucf --three-way --debconf-ok \
|
|
--sum-file /usr/share/openssh/sshd_config.md5sum \
|
|
"$new_config" /etc/ssh/sshd_config
|
|
ucfr openssh-server /etc/ssh/sshd_config
|
|
}
|
|
|
|
if [ "$action" = configure ]; then
|
|
create_sshdconfig
|
|
create_keys
|
|
if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
|
|
[ -f /etc/ssh/moduli.dpkg-bak ]; then
|
|
# Handle /etc/ssh/moduli being moved from openssh-client to
|
|
# openssh-server. If there were no user modifications, then we
|
|
# don't need to do anything special here; but if there were,
|
|
# then the dpkg-maintscript-helper calls from openssh-client's
|
|
# maintainer scripts will have saved the old file as .dpkg-bak,
|
|
# which we now move back into place.
|
|
mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
|
|
fi
|
|
if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
|
|
deb-systemd-helper --quiet was-enabled ssh.socket && \
|
|
[ -d /run/systemd/system ]
|
|
then
|
|
# migrate to systemd socket activation.
|
|
systemctl unmask ssh.service
|
|
systemctl disable ssh.service
|
|
fi
|
|
fi
|
|
|
|
#DEBHELPER#
|
|
|
|
db_stop
|
|
|
|
exit 0
|