summaryrefslogtreecommitdiffstats
path: root/debian/openssh-server.postinst
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/openssh-server.postinst144
1 files changed, 144 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 0000000..d38695f
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,144 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+action="$1"
+
+umask 022
+
+
+get_config_option() {
+ option="$1"
+
+ [ -f /etc/ssh/sshd_config ] || return
+
+ # TODO: actually only one '=' allowed after option
+ sed -E -n -e 's/[[:space:]]+/ /g' -e 's/[[:space:]]+$//' \
+ -e 's/^[[:space:]]*'"$option"'[[:space:]=]+//Ip' \
+ /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+ hostkeys="$(get_config_option HostKey)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
+ else
+ # No HostKey directives at all, so the server picks some
+ # defaults.
+ echo /etc/ssh/ssh_host_rsa_key
+ echo /etc/ssh/ssh_host_ecdsa_key
+ echo /etc/ssh/ssh_host_ed25519_key
+ fi
+}
+
+
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ printf %s "$msg"
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if command -v restorecon >/dev/null 2>&1; then
+ restorecon "$file" "$file.pub"
+ fi
+ ssh-keygen -l -f "$file.pub"
+ fi
+}
+
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating SSH2 RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+ create_key "Creating SSH2 DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+ create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+ create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+
+
+new_config=
+
+cleanup() {
+ if [ "$new_config" ]; then
+ rm -f "$new_config"
+ fi
+}
+
+
+create_sshdconfig() {
+ # XXX cjwatson 2016-12-24: This debconf template is very confusingly
+ # named; its description is "Disable SSH password authentication for
+ # root?", so true -> prohibit-password (the upstream default),
+ # false -> yes.
+ db_get openssh-server/permit-root-login
+ permit_root_login="$RET"
+ db_get openssh-server/password-authentication
+ password_authentication="$RET"
+
+ trap cleanup EXIT
+ new_config="$(mktemp)"
+ cp -aZ /usr/share/openssh/sshd_config "$new_config"
+ if [ "$permit_root_login" != true ]; then
+ sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+ "$new_config"
+ fi
+ if [ "$password_authentication" != true ]; then
+ sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+ "$new_config"
+ fi
+ mkdir -pZ /etc/ssh
+ ucf --three-way --debconf-ok \
+ --sum-file /usr/share/openssh/sshd_config.md5sum \
+ "$new_config" /etc/ssh/sshd_config
+ ucfr openssh-server /etc/ssh/sshd_config
+}
+
+setup_sshd_user() {
+ if ! getent passwd sshd >/dev/null; then
+ adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
+ fi
+}
+
+if [ "$action" = configure ]; then
+ create_sshdconfig
+ create_keys
+ setup_sshd_user
+ if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
+ [ -f /etc/ssh/moduli.dpkg-bak ]; then
+ # Handle /etc/ssh/moduli being moved from openssh-client to
+ # openssh-server. If there were no user modifications, then we
+ # don't need to do anything special here; but if there were,
+ # then the dpkg-maintscript-helper calls from openssh-client's
+ # maintainer scripts will have saved the old file as .dpkg-bak,
+ # which we now move back into place.
+ mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
+ fi
+ if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
+ deb-systemd-helper --quiet was-enabled ssh.socket && \
+ [ -d /run/systemd/system ]
+ then
+ # migrate to systemd socket activation.
+ systemctl unmask ssh.service
+ systemctl disable ssh.service
+ fi
+fi
+
+#DEBHELPER#
+
+db_stop
+
+exit 0