Diffstat (limited to 'debian/openssh-server.postinst')
-rw-r--r--debian/openssh-server.postinst167
1 files changed, 167 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 0000000..552b074
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,167 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+action="$1"
+oldversion="$2"
+
+umask 022
+
+
+get_config_option() {
+ option="$1"
+
+ [ -f /etc/ssh/sshd_config ] || return
+
+ # TODO: actually only one '=' allowed after option
+ perl -lne '
+ s/[[:space:]]+/ /g; s/[[:space:]]+$//;
+ print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+ /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+ hostkeys="$(get_config_option HostKey)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
+ else
+ # No HostKey directives at all, so the server picks some
+ # defaults.
+ echo /etc/ssh/ssh_host_rsa_key
+ echo /etc/ssh/ssh_host_ecdsa_key
+ echo /etc/ssh/ssh_host_ed25519_key
+ fi
+}
+
+
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ echo -n $msg
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if which restorecon >/dev/null 2>&1; then
+ restorecon "$file" "$file.pub"
+ fi
+ ssh-keygen -l -f "$file.pub"
+ fi
+}
+
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating SSH2 RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+ create_key "Creating SSH2 DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+ create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+ create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+
+
+new_config=
+
+cleanup() {
+ if [ "$new_config" ]; then
+ rm -f "$new_config"
+ fi
+}
+
+
+create_sshdconfig() {
+ # XXX cjwatson 2016-12-24: This debconf template is very confusingly
+ # named; its description is "Disable SSH password authentication for
+ # root?", so true -> prohibit-password (the upstream default),
+ # false -> yes.
+ db_get openssh-server/permit-root-login
+ permit_root_login="$RET"
+ db_get openssh-server/password-authentication
+ password_authentication="$RET"
+
+ trap cleanup EXIT
+ new_config="$(tempfile)"
+ cp -a /usr/share/openssh/sshd_config "$new_config"
+ if [ "$permit_root_login" != true ]; then
+ sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+ "$new_config"
+ fi
+ if [ "$password_authentication" != true ]; then
+ sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+ "$new_config"
+ fi
+ mkdir -p /etc/ssh
+ ucf --three-way --debconf-ok \
+ --sum-file /usr/share/openssh/sshd_config.md5sum \
+ "$new_config" /etc/ssh/sshd_config
+ ucfr openssh-server /etc/ssh/sshd_config
+}
+
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+ if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
+ dpkg-statoverride --remove /usr/sbin/sshd
+ fi
+}
+
+setup_sshd_user() {
+ if ! getent passwd sshd >/dev/null; then
+ adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
+ fi
+}
+
+if [ "$action" = configure ]; then
+ create_sshdconfig
+ create_keys
+ fix_statoverride
+ setup_sshd_user
+ # Renamed to /etc/ssh/moduli in 2.9.9 (!)
+ if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
+ rm -f /etc/ssh/primes
+ fi
+ if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
+ rm -f /run/sshd/.placeholder
+ fi
+ if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
+ deb-systemd-helper debian-installed ssh.socket && \
+ deb-systemd-helper --quiet was-enabled ssh.service && \
+ deb-systemd-helper --quiet was-enabled ssh.socket; then
+ # 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
+ # enabled.
+ deb-systemd-helper disable ssh.socket >/dev/null || true
+ fi
+ if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
+ [ -d /run/systemd/system ]; then
+ # We must stop the sysvinit-controlled sshd before we can
+ # restart it under systemd.
+ start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true
+ fi
+ if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
+ [ -f /etc/ssh/moduli.dpkg-bak ]; then
+ # Handle /etc/ssh/moduli being moved from openssh-client to
+ # openssh-server. If there were no user modifications, then we
+ # don't need to do anything special here; but if there were,
+ # then the dpkg-maintscript-helper calls from openssh-client's
+ # maintainer scripts will have saved the old file as .dpkg-bak,
+ # which we now move back into place.
+ mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
+ fi
+fi
+
+#DEBHELPER#
+
+db_stop
+
+exit 0
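Review bot: The PasswordAuthentication substitution in create_sshdconfig, `sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/'`, only rewrites a commented-out directive, whereas the PermitRootLogin substitution a few lines above uses `^#*PermitRootLogin` and therefore also handles an already-active line. If the shipped template in /usr/share/openssh/sshd_config ever carries an uncommented `PasswordAuthentication yes`, the administrator's debconf choice to disable password authentication would silently not be applied, which fails open; using the same pattern, `sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/'`, keeps the two consistent. Separately, `new_config="$(tempfile)"` relies on the deprecated tempfile(1) where `mktemp` is the usual replacement, and `echo -n $msg` in create_key leaves `$msg` unquoted and depends on a non-portable echo flag under `#!/bin/sh`, which `printf '%s' "$msg"` avoids.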