blob: a871eb15996057e58501a3caee2e57aa2a46b43d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
#!/bin/sh
set -e
. /usr/share/debconf/confmodule
db_version 2.0
action="$1"
umask 022
get_config_option() {
option="$1"
[ -f /etc/ssh/sshd_config ] || return
/usr/sbin/sshd -G | sed -n "s/^$option //Ip"
}
create_key() {
msg="$1"
shift
hostkeys="$1"
shift
file="$1"
shift
if echo "$hostkeys" | grep -x "$file" >/dev/null && \
[ ! -f "$file" ] ; then
printf %s "$msg"
ssh-keygen -q -f "$file" -N '' "$@"
echo
if command -v restorecon >/dev/null 2>&1; then
restorecon "$file" "$file.pub"
fi
ssh-keygen -l -f "$file.pub"
fi
}
create_keys() {
hostkeys="$(get_config_option HostKey)"
create_key "Creating SSH2 RSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
create_key "Creating SSH2 ECDSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
create_key "Creating SSH2 ED25519 key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
}
new_config=
cleanup() {
if [ "$new_config" ]; then
rm -f "$new_config"
fi
}
create_sshdconfig() {
# XXX cjwatson 2016-12-24: This debconf template is very confusingly
# named; its description is "Disable SSH password authentication for
# root?", so true -> prohibit-password (the upstream default),
# false -> yes.
db_get openssh-server/permit-root-login
permit_root_login="$RET"
db_get openssh-server/password-authentication
password_authentication="$RET"
trap cleanup EXIT
new_config="$(mktemp)"
cp -aZ /usr/share/openssh/sshd_config "$new_config"
if [ "$permit_root_login" != true ]; then
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
"$new_config"
fi
if [ "$password_authentication" != true ]; then
sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
"$new_config"
fi
mkdir -pZ /etc/ssh
ucf --three-way --debconf-ok \
--sum-file /usr/share/openssh/sshd_config.md5sum \
"$new_config" /etc/ssh/sshd_config
ucfr openssh-server /etc/ssh/sshd_config
}
setup_sshd_user() {
if ! getent passwd sshd >/dev/null; then
adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
fi
}
if [ "$action" = configure ]; then
create_sshdconfig
create_keys
setup_sshd_user
if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
[ -f /etc/ssh/moduli.dpkg-bak ]; then
# Handle /etc/ssh/moduli being moved from openssh-client to
# openssh-server. If there were no user modifications, then we
# don't need to do anything special here; but if there were,
# then the dpkg-maintscript-helper calls from openssh-client's
# maintainer scripts will have saved the old file as .dpkg-bak,
# which we now move back into place.
mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
fi
if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
deb-systemd-helper --quiet was-enabled ssh.socket && \
[ -d /run/systemd/system ]
then
# migrate to systemd socket activation.
systemctl unmask ssh.service
systemctl disable ssh.service
fi
fi
#DEBHELPER#
db_stop
exit 0
|