#!/bin/sh set -e . /usr/share/debconf/confmodule db_version 2.0 action="$1" umask 022 get_config_option() { option="$1" [ -f /etc/ssh/sshd_config ] || return # TODO: actually only one '=' allowed after option sed -E -n -e 's/[[:space:]]+/ /g' -e 's/[[:space:]]+$//' \ -e 's/^[[:space:]]*'"$option"'[[:space:]=]+//Ip' \ /etc/ssh/sshd_config } host_keys_required() { hostkeys="$(get_config_option HostKey)" if [ "$hostkeys" ]; then echo "$hostkeys" else # No HostKey directives at all, so the server picks some # defaults. echo /etc/ssh/ssh_host_rsa_key echo /etc/ssh/ssh_host_ed25519_key fi } create_key() { msg="$1" shift hostkeys="$1" shift file="$1" shift if echo "$hostkeys" | grep -x "$file" >/dev/null && \ [ ! -f "$file" ] ; then printf %s "$msg" ssh-keygen -q -f "$file" -N '' "$@" echo if command -v restorecon >/dev/null 2>&1; then restorecon "$file" "$file.pub" fi ssh-keygen -l -f "$file.pub" fi } create_keys() { hostkeys="$(host_keys_required)" create_key "Creating SSH2 RSA key; this may take some time ..." \ "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa create_key "Creating SSH2 DSA key; this may take some time ..." \ "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa create_key "Creating SSH2 ECDSA key; this may take some time ..." \ "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa create_key "Creating SSH2 ED25519 key; this may take some time ..." \ "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 } new_config= cleanup() { if [ "$new_config" ]; then rm -f "$new_config" fi } create_sshdconfig() { # XXX cjwatson 2016-12-24: This debconf template is very confusingly # named; its description is "Disable SSH password authentication for # root?", so true -> prohibit-password (the upstream default), # false -> yes. db_get openssh-server/permit-root-login permit_root_login="$RET" db_get openssh-server/password-authentication password_authentication="$RET" trap cleanup EXIT new_config="$(mktemp)" cp -aZ /usr/share/openssh/sshd_config "$new_config" if [ "$permit_root_login" != true ]; then sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \ "$new_config" fi if [ "$password_authentication" != true ]; then sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \ "$new_config" fi mkdir -pZ /etc/ssh ucf --three-way --debconf-ok \ --sum-file /usr/share/openssh/sshd_config.md5sum \ "$new_config" /etc/ssh/sshd_config ucfr openssh-server /etc/ssh/sshd_config } setup_sshd_user() { if ! getent passwd sshd >/dev/null; then adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd fi } if [ "$action" = configure ]; then create_sshdconfig create_keys setup_sshd_user if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \ [ -f /etc/ssh/moduli.dpkg-bak ]; then # Handle /etc/ssh/moduli being moved from openssh-client to # openssh-server. If there were no user modifications, then we # don't need to do anything special here; but if there were, # then the dpkg-maintscript-helper calls from openssh-client's # maintainer scripts will have saved the old file as .dpkg-bak, # which we now move back into place. mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli fi if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \ deb-systemd-helper --quiet was-enabled ssh.socket && \ [ -d /run/systemd/system ] then # migrate to systemd socket activation. systemctl unmask ssh.service systemctl disable ssh.service fi fi #DEBHELPER# db_stop exit 0