#!/bin/sh -e ETC_DEFAULT_SSH='# Default settings for openssh-server. This file is sourced by /bin/sh from # /etc/init.d/ssh. # Options to pass to sshd SSHD_OPTS= # OOM-killer adjustment for sshd (see # linux/Documentation/filesystems/proc.txt; lower values reduce likelihood # of being killed, while -17 means the OOM-killer will ignore sshd; set to # the empty string to skip adjustment) SSHD_OOM_ADJUST=-17 ' ETC_INIT_D_SSH='#! /bin/sh ### BEGIN INIT INFO # Provides: sshd # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: # Short-Description: OpenBSD Secure Shell server ### END INIT INFO set -e # /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon test -x /usr/sbin/sshd || exit 0 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 chrooted() { # borrowed from udev'\''s postinst # and then borrowed from initramfs-tools'\''s preinst if [ "$(stat -c %d/%i /)" = "$(stat -Lc %d/%i /proc/1/root 2>/dev/null)" ]; then # the devicenumber/inode pair of / is the same as that of # /sbin/init'\''s root, so we'\''re *not* in a chroot and hence # return false. return 1 fi return 0 } # The init.d script is only for chroots if [ -e /etc/init/ssh.conf ] && ! chrooted; then exec /lib/init/upstart-job ssh "$@" fi umask 022 export SSHD_OOM_ADJUST=-17 if test -f /etc/default/ssh; then . /etc/default/ssh fi # Are we in a virtual environment that doesn'\''t support modifying # /proc/self/oom_adj? if grep -q '\''envID:.*[1-9]'\'' /proc/self/status; then unset SSHD_OOM_ADJUST fi . /lib/lsb/init-functions if [ -n "$2" ]; then SSHD_OPTS="$SSHD_OPTS $2" fi # Are we running from init? run_by_init() { ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ] } check_for_no_start() { # forget it if we'\''re trying to start, and /etc/ssh/sshd_not_to_be_run exists if [ -e /etc/ssh/sshd_not_to_be_run ]; then if [ "$1" = log_end_msg ]; then log_end_msg 0 fi if ! run_by_init; then log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" fi exit 0 fi } check_dev_null() { if [ ! -c /dev/null ]; then if [ "$1" = log_end_msg ]; then log_end_msg 1 || true fi if ! run_by_init; then log_action_msg "/dev/null is not a character device!" fi exit 1 fi } check_privsep_dir() { # Create the PrivSep empty dir if necessary if [ ! -d /var/run/sshd ]; then mkdir /var/run/sshd chmod 0755 /var/run/sshd fi } check_config() { if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then /usr/sbin/sshd $SSHD_OPTS -t || exit 1 fi } export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" case "$1" in start) check_privsep_dir check_for_no_start check_dev_null log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then log_end_msg 0 else log_end_msg 1 fi ;; stop) log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then log_end_msg 0 else log_end_msg 1 fi ;; reload|force-reload) check_for_no_start check_config log_daemon_msg "Reloading OpenBSD Secure Shell server'\''s configuration" "sshd" if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then log_end_msg 0 else log_end_msg 1 fi ;; restart) check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid check_for_no_start log_end_msg check_dev_null log_end_msg if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then log_end_msg 0 else log_end_msg 1 fi ;; try-restart) check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" set +e start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid RET="$?" set -e case $RET in 0) # old daemon stopped check_for_no_start log_end_msg check_dev_null log_end_msg if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then log_end_msg 0 else log_end_msg 1 fi ;; 1) # daemon not running log_progress_msg "(not running)" log_end_msg 0 ;; *) # failed to stop log_progress_msg "(failed to stop)" log_end_msg 1 ;; esac ;; status) status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $? ;; *) log_action_msg "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}" exit 1 esac exit 0 ' ETC_PAM_D_SSH='' action=$1 version=$2 prepare_transfer_conffile () { CONFFILE="$1" TEXT="$2" MODE="$3" [ "$CONFFILES" ] || return 0 [ -e "$CONFFILE" ] || return 0 md5sum="$(md5sum "$CONFFILE" |sed -e 's/ .*//')" old_md5sum="$(echo "$CONFFILES" | awk '$1 == "'"$CONFFILE"'" { print $2 }')" if [ "$md5sum" = "$old_md5sum" ]; then echo >&2 "Transferring ownership of conffile $CONFFILE ..." # We have to write out the desired new text of the conffile, # which is tricky in the preinst, hence the nasty way we # have to hardcode the text here. Fortunately, this is only # necessary with sarge's dpkg and older. if echo "$TEXT" | head -n1 | grep -q '^@.*@$'; then echo >&2 'Unsubstituted conffile text! Please report this bug.' exit 1 fi printf '%s' "$TEXT" >"$CONFFILE.dpkg-new" chmod "$MODE" "$CONFFILE.dpkg-new" mv -f "$CONFFILE" "$CONFFILE.moved-by-preinst" mv -f "$CONFFILE.dpkg-new" "$CONFFILE" return 0 fi } prepare_mv_conffile () { CONFFILE="$1" [ -e "$CONFFILE" ] || return 0 md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')" old_md5sum="$(dpkg-query -W -f '${Conffiles}\n' openssh-server 2>/dev/null | sed 's/^ *//' | awk '$1 == "'"$CONFFILE"'" { print $2 }')" if [ "$md5sum" = "$old_md5sum" ]; then mv -f "$CONFFILE" "$CONFFILE.dpkg-old" else mv -f "$CONFFILE" "$CONFFILE.moving" fi } if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then version=1.2.27 fi if [ "$action" = upgrade ] || [ "$action" = install ] then # check if debconf is missing if ! test -f /usr/share/debconf/confmodule then cat </dev/null || exit 1 # work around for missing debconf db_get() { : ; } RET=true if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then cp -a /etc/ssh-nonfree /etc/ssh fi else # Source debconf library. . /usr/share/debconf/confmodule db_version 2.0 fi db_get ssh/use_old_init_script if [ "$RET" = "false" ]; then echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2 exit 1 fi # deal with upgrading from pre-OpenSSH versions key=/etc/ssh/ssh_host_key export key if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] && dpkg --compare-versions "$version" lt 1.2.28 then # make sure that keys get updated to get rid of IDEA # # N.B. this only works because we've still got the old # nonfree ssh-keygen at this point # # First, check if we need to bother printf '\0\0' | 3<&0 sh -c \ 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { # this means that bytes 32&33 of the key were not both zero, in which # case the key is encrypted, which we need to fix chmod 600 $key ssh-keygen -u -f $key >/dev/null if which restorecon >/dev/null 2>&1; then restorecon "$key.pub" fi } fi if dpkg --compare-versions "$version" lt 0; then CONFFILES="$(dpkg-query -W -f '${Conffiles}\n' ssh 2>/dev/null | sed 's/^ *//')" prepare_transfer_conffile /etc/default/ssh "$ETC_DEFAULT_SSH" 0644 prepare_transfer_conffile /etc/init.d/ssh "$ETC_INIT_D_SSH" 0755 prepare_transfer_conffile /etc/pam.d/ssh "$ETC_PAM_D_SSH" 0644 fi if dpkg --compare-versions "$version" lt 1:4.7p1-4; then prepare_mv_conffile /etc/pam.d/ssh fi fi