summaryrefslogtreecommitdiffstats
path: root/debian/openssh-server.postinst
blob: a871eb15996057e58501a3caee2e57aa2a46b43d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#!/bin/sh
set -e

. /usr/share/debconf/confmodule
db_version 2.0

action="$1"

umask 022


get_config_option() {
	option="$1"

	[ -f /etc/ssh/sshd_config ] || return

	/usr/sbin/sshd -G | sed -n "s/^$option //Ip"
}


create_key() {
	msg="$1"
	shift
	hostkeys="$1"
	shift
	file="$1"
	shift

	if echo "$hostkeys" | grep -x "$file" >/dev/null && \
	   [ ! -f "$file" ] ; then
		printf %s "$msg"
		ssh-keygen -q -f "$file" -N '' "$@"
		echo
		if command -v restorecon >/dev/null 2>&1; then
			restorecon "$file" "$file.pub"
		fi
		ssh-keygen -l -f "$file.pub"
	fi
}


create_keys() {
	hostkeys="$(get_config_option HostKey)"

	create_key "Creating SSH2 RSA key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
	create_key "Creating SSH2 ECDSA key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
	create_key "Creating SSH2 ED25519 key; this may take some time ..." \
		"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
}


new_config=

cleanup() {
	if [ "$new_config" ]; then
		rm -f "$new_config"
	fi
}


create_sshdconfig() {
	# XXX cjwatson 2016-12-24: This debconf template is very confusingly
	# named; its description is "Disable SSH password authentication for
	# root?", so true -> prohibit-password (the upstream default),
	# false -> yes.
	db_get openssh-server/permit-root-login
	permit_root_login="$RET"
	db_get openssh-server/password-authentication
	password_authentication="$RET"

	trap cleanup EXIT
	new_config="$(mktemp)"
	cp -aZ /usr/share/openssh/sshd_config "$new_config"
	if [ "$permit_root_login" != true ]; then
		sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
			"$new_config"
	fi
	if [ "$password_authentication" != true ]; then
		sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
			"$new_config"
	fi
	mkdir -pZ /etc/ssh
	ucf --three-way --debconf-ok \
		--sum-file /usr/share/openssh/sshd_config.md5sum \
		"$new_config" /etc/ssh/sshd_config
	ucfr openssh-server /etc/ssh/sshd_config
}

setup_sshd_user() {
	if ! getent passwd sshd >/dev/null; then
		adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
	fi
}

if [ "$action" = configure ]; then
	create_sshdconfig
	create_keys
	setup_sshd_user
	if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
	   [ -f /etc/ssh/moduli.dpkg-bak ]; then
	    # Handle /etc/ssh/moduli being moved from openssh-client to
	    # openssh-server.  If there were no user modifications, then we
	    # don't need to do anything special here; but if there were,
	    # then the dpkg-maintscript-helper calls from openssh-client's
	    # maintainer scripts will have saved the old file as .dpkg-bak,
	    # which we now move back into place.
	    mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
	fi
	if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
	   deb-systemd-helper --quiet was-enabled ssh.socket && \
	   [ -d /run/systemd/system ]
	then
		# migrate to systemd socket activation.
		systemctl unmask ssh.service
		systemctl disable ssh.service
	fi
fi

#DEBHELPER#

db_stop

exit 0