Diffstat (limited to '')
-rw-r--r-- | debian/openssh-server.postinst | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
new file mode 100644
index 0000000..d38695f
--- /dev/null
+++ b/debian/openssh-server.postinst
@@ -0,0 +1,144 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+action="$1"
+
+umask 022
+
+
+get_config_option() {
+ option="$1"
+
+ [ -f /etc/ssh/sshd_config ] || return
+
+ # TODO: actually only one '=' allowed after option
+ sed -E -n -e 's/[[:space:]]+/ /g' -e 's/[[:space:]]+$//' \
+ -e 's/^[[:space:]]*'"$option"'[[:space:]=]+//Ip' \
+ /etc/ssh/sshd_config
+}
+
+
+host_keys_required() {
+ hostkeys="$(get_config_option HostKey)"
+ if [ "$hostkeys" ]; then
+ echo "$hostkeys"
+ else
+ # No HostKey directives at all, so the server picks some
+ # defaults.
+ echo /etc/ssh/ssh_host_rsa_key
+ echo /etc/ssh/ssh_host_ecdsa_key
+ echo /etc/ssh/ssh_host_ed25519_key
+ fi
+}
+
+
+create_key() {
+ msg="$1"
+ shift
+ hostkeys="$1"
+ shift
+ file="$1"
+ shift
+
+ if echo "$hostkeys" | grep -x "$file" >/dev/null && \
+ [ ! -f "$file" ] ; then
+ printf %s "$msg"
+ ssh-keygen -q -f "$file" -N '' "$@"
+ echo
+ if command -v restorecon >/dev/null 2>&1; then
+ restorecon "$file" "$file.pub"
+ fi
+ ssh-keygen -l -f "$file.pub"
+ fi
+}
+
+
+create_keys() {
+ hostkeys="$(host_keys_required)"
+
+ create_key "Creating SSH2 RSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+ create_key "Creating SSH2 DSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
+ create_key "Creating SSH2 ECDSA key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
+ create_key "Creating SSH2 ED25519 key; this may take some time ..." \
+ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
+}
+
+
+new_config=
+
+cleanup() {
+ if [ "$new_config" ]; then
+ rm -f "$new_config"
+ fi
+}
+
+
+create_sshdconfig() {
+ # XXX cjwatson 2016-12-24: This debconf template is very confusingly
+ # named; its description is "Disable SSH password authentication for
+ # root?", so true -> prohibit-password (the upstream default),
+ # false -> yes.
+ db_get openssh-server/permit-root-login
+ permit_root_login="$RET"
+ db_get openssh-server/password-authentication
+ password_authentication="$RET"
+
+ trap cleanup EXIT
+ new_config="$(mktemp)"
+ cp -aZ /usr/share/openssh/sshd_config "$new_config"
+ if [ "$permit_root_login" != true ]; then
+ sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
+ "$new_config"
+ fi
+ if [ "$password_authentication" != true ]; then
+ sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
+ "$new_config"
+ fi
+ mkdir -pZ /etc/ssh
+ ucf --three-way --debconf-ok \
+ --sum-file /usr/share/openssh/sshd_config.md5sum \
+ "$new_config" /etc/ssh/sshd_config
+ ucfr openssh-server /etc/ssh/sshd_config
+}
+
+setup_sshd_user() {
+ if ! getent passwd sshd >/dev/null; then
+ adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
+ fi
+}
+
+if [ "$action" = configure ]; then
+ create_sshdconfig
+ create_keys
+ setup_sshd_user
+ if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
+ [ -f /etc/ssh/moduli.dpkg-bak ]; then
+ # Handle /etc/ssh/moduli being moved from openssh-client to
+ # openssh-server. If there were no user modifications, then we
+ # don't need to do anything special here; but if there were,
+ # then the dpkg-maintscript-helper calls from openssh-client's
+ # maintainer scripts will have saved the old file as .dpkg-bak,
+ # which we now move back into place.
+ mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
+ fi
+ if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
+ deb-systemd-helper --quiet was-enabled ssh.socket && \
+ [ -d /run/systemd/system ]
+ then
+ # migrate to systemd socket activation.
+ systemctl unmask ssh.service
+ systemctl disable ssh.service
+ fi
+fi
+
+#DEBHELPER#
+
+db_stop
+
+exit 0 |
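Review bot: The two sed edits in create_sshdconfig use different anchors: `s/^#*PermitRootLogin .*/` rewrites the directive whether or not it is commented out, while `s/^#PasswordAuthentication .*/` only matches a commented line, so if the shipped template in /usr/share/openssh/sshd_config ever carries `PasswordAuthentication yes` uncommented, answering "false" to the debconf question silently leaves password logins enabled. Using the same `#*` form, `sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' "$new_config"`, makes the hardening edit robust to that and consistent with the line above it. Separately, an empty `$RET` for openssh-server/permit-root-login (no stored answer) takes the `!= true` branch and writes `PermitRootLogin yes`, the weaker of the two outcomes; if the package's config script is guaranteed to seed that answer this is moot, otherwise testing `= false` would keep the upstream prohibit-password default in the unknown case. A short comment above the two `if` blocks stating that an absent answer is treated as "false" would make that choice explicit for the next maintainer.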