Update to 5.0.

I've decided to change BASEDIR to / and take all the init scripts and stuff out of the postintall script. This marks a change from how opensshs own make package target does it.
2008-04-28 19:26:05 +00:00
parent ee8cca6cfc
commit b541704ca1
8 changed files with 191 additions and 141 deletions
--- a/openssh/meta/postinstall.openssh
+++ b/openssh/meta/postinstall.openssh
@@ -1,125 +1,83 @@
-INSTALLF=/usr/sbin/installf
-REMOVEF=/usr/sbin/removef
 GROUPADD=/usr/sbin/groupadd
 USERADD=/usr/sbin/useradd
 GREP=/usr/bin/grep
 CUT=/usr/bin/cut
 CAT=/usr/bin/cat

-CONFDIR=${BASEDIR}/etc
-DESTBIN=${BASEDIR}/bin
+PREFIX=/usr/tgcware
+OLDCONFDIR=/usr/local/etc
+CONFDIR=${PREFIX}/etc/ssh
+DESTBIN=${PREFIX}/bin
 CHECKCONF=0
+OLDCONF=0
 SSHID=199

 # We provide default config-files, check and see if they should be installed.
-if [ ! -f "${CONFDIR}/ssh_config" ] ; then
-	cp -p ${CONFDIR}/ssh_config.default ${CONFDIR}/ssh_config
-	echo "Installing new ssh_config"
-else
-	echo "Keeping existing ssh_config"
-	CHECKCONF=1
-fi
-if [ ! -f "${CONFDIR}/sshd_config" ] ; then
-	cp -p ${CONFDIR}/sshd_config.default ${CONFDIR}/sshd_config
-	echo "Installing new sshd_config"
-else
-	echo "Keeping existing sshd_config"
-	CHECKCONF=1
-fi
-if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then
-	rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds
-	echo "Removing unneeded ssh_prng_cmds file"
-
-fi
-if [ ! -f "${CONFDIR}/moduli" ] ; then
-	if [ -f "${CONFDIR}/primes" ]; then
-		echo "Keeping existing primes but renaming it to moduli"
-		mv ${CONFDIR}/primes ${CONFDIR}/moduli
+for config in ssh_config sshd_config; do
+    if [ ! -f "${CONFDIR}/$config" ] ; then
+	# No config, it might be an upgrade scenario
+	if [ -f "${OLDCONFDIR}/$config" ] ; then
+	    cp -p ${OLDCONFDIR}/$config ${CONFDIR}
+	    echo "Migrating $OLDCONFDIR/$config to $CONFDIR"
+	    OLDCONF=1
 	else
-		echo "Installing new moduli (formerly known as primes)"
-		cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli
+	    cp -p ${CONFDIR}/$config.default ${CONFDIR}/$config
+	    echo "Installing new $config"
 	fi
-else
-	echo "Keeping existing moduli"
+    else
+	echo "Keeping existing $config"
+	CHECKCONF=1
+    fi
+done
+
+if [ -f "${CONFDIR}/ssh_prng_cmds" ] ; then
+    rm -f ${CONFDIR}/ssh_prng_cmds.default ${CONFDIR}/ssh_prng_cmds
+    echo "Removing unneeded ssh_prng_cmds file"
 fi

-# We will try to preserve any existing keys
-if [ -f "${CONFDIR}/ssh_host_key" ] ; then
-	echo "Keeping existing ssh_host_key"
+if [ ! -f "${CONFDIR}/moduli" ] ; then
+    if [ -f "${OLDCONFDIR}" ]; then
+	cp -p $OLDCONFDIR/moduli $CONFDIR
+	echo "Migrating $OLDCONFDIR/module to $CONFDIR"
+	OLDCONF=1
+    else
+	if [ -f "${CONFDIR}/primes" ]; then
+	    echo "Keeping existing primes but renaming it to moduli"
+	    mv ${CONFDIR}/primes ${CONFDIR}/moduli
+	else
+	    echo "Installing new moduli (formerly known as primes)"
+	    cp -p ${CONFDIR}/moduli.default ${CONFDIR}/moduli
+	fi
+    fi
 else
-	${DESTBIN}/ssh-keygen -t rsa1 -f ${CONFDIR}/ssh_host_key -N ""
-fi
-if [ -f "${CONFDIR}/ssh_host_dsa_key" ] ; then
-	echo "Keeping existing ssh_host_dsa_key"
-else
-	${DESTBIN}/ssh-keygen -t dsa -f ${CONFDIR}/ssh_host_dsa_key -N ""
-fi
-if [ -f "${CONFDIR}/ssh_host_rsa_key" ] ; then
-	echo "Keeping existing ssh_host_rsa_key"
-else
-	${DESTBIN}/ssh-keygen -t rsa -f ${CONFDIR}/ssh_host_rsa_key -N ""
+    echo "Keeping existing moduli"
 fi

-# Right, now move the init script into place and make some symlinks 
-# for automatic startup.
-
-# start by removing knowledge of sshd.init from the pkgdb
-${REMOVEF} ${PKGINST} /usr/local/etc/sshd.init 2>&1 > /dev/null # suppress output
-
-# confirm the changes to the pkgdb (removef -f)
-${REMOVEF} -f ${PKGINST}
-
-# Now that the holds from the pkgdb are gone, move the script to it's final destination.
-mv /usr/local/etc/sshd.init /etc/init.d/sshd.local
-
-# Install new *symlinks*
-ln -sf /etc/init.d/sshd.local /etc/rc0.d/K30sshd.local
-ln -sf /etc/init.d/sshd.local /etc/rc1.d/K30sshd.local
-ln -sf /etc/init.d/sshd.local /etc/rc2.d/S78sshd.local
-ln -sf /etc/init.d/sshd.local /etc/rcS.d/K30sshd.local
-
-# Then installf the new pathnames
-${INSTALLF} ${PKGINST} /etc/init.d/sshd.local f 744 root sys
-${INSTALLF} ${PKGINST} /etc/rc2.d/S78sshd.local=/etc/init.d/sshd.local s
-${INSTALLF} ${PKGINST} /etc/rc1.d/K30sshd.local=/etc/init.d/sshd.local s
-${INSTALLF} ${PKGINST} /etc/rc0.d/K30sshd.local=/etc/init.d/sshd.local s
-${INSTALLF} ${PKGINST} /etc/rcS.d/K30sshd.local=/etc/init.d/sshd.local s
-
-# confirm the changes to the pkgdb (installf -f)
-${INSTALLF} -f ${PKGINST}
-
-#uh yeah, better make sure that /var/run exists aswell (for pid files)
-echo "Checking to see if /var/run exists... \c"
-if [ ! -d /var/run ]; then
-   echo "no, creating..."
-   mkdir -p /var/run;
-   chown root:sys /var/run;
-   chmod 755 /var/run
-else
-    echo "yes"
-fi
-
-# New in OpenSSH 3.3+ is Privilege seperation, it requires an empty dir to chroot into
-# and an unprivileged user to run as.
-echo "Checking to see if /var/empty/sshd exists... \c"
-if [ ! -d /var/empty ]; then
-    echo "no, creating..."
-    mkdir -p /var/empty/sshd
-    chown root:sys /var/empty/sshd
-    chmod 755 /var/empty/sshd
-else
-    echo "yes"
-fi
+# We will try to preserve any existing keys from an old setup
+# Note that new keygen is done in the init script
+for keyfile in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
+    if [ ! -f "${CONFDIR}/$keyfile" ] ; then
+	# Check and see if we might find it in $OLDCONFDIR
+	if [ -f "${OLDCONFDIR}/$keyfile" ]; then
+	    cp -p $OLDCONFDIR/$keyfile $CONFDIR
+	    cp -p $OLDCONFDIR/${keyfile}.pub $CONFDIR
+	    echo "Migrating $OLDCONFDIR/$keyfile to $CONFDIR"
+	    OLDCONF=1
+	fi
+    fi
+done

+# OpenSSH 3.3+ has privilege seperation which requires a user/group to run
 # Attempt to create a group & user for sshd
 echo "Checking for sshd group... \c"
 temp=`$GREP sshd /etc/group`
 if [ -n "$temp" ]; then
    echo "yes"
-    gid=`echo $temp|$CUT -d : -f 3`
+    gid=`echo $temp|$CUT -d: -f3`
    if [ "$gid" != "$SSHID" ]; then
-	echo "  Group sshd found but gid does not match with the preferred ($SSHID)"
-	echo "  I will continue anyway, but please check up on this afterwards!"
+        echo "  Group sshd found but gid does not match with the preferred ($SSHID)!"
+	echo "  This is not a critical error but please make sure this group"
+	echo "  is one you actually want to use for sshd."
    fi
 else
    echo "no"
@@ -132,16 +90,28 @@ echo "Checking for sshd user... \c"
 temp=`$GREP sshd /etc/passwd`
 if [ -n "$temp" ]; then
    echo "yes"
-    uid=`echo $temp|$CUT -d : -f 3`
-    ugid=`echo $temp|$CUT -d : -f 4`
+    uid=`echo $temp|$CUT -d: -f3`
+    ugid=`echo $temp|$CUT -d: -f4`
    if [ "$uid" != "$SSHID" ]; then
-	echo "  User sshd found but uid doesn't match with the preferred ($SSHID)"
-	echo "  I will continue anyway, but please check up on this afterwards!"
+        echo "  User sshd found but uid doesn't match with the preferred ($SSHID)!"
+	echo "  This is not a critical error but please make sure this user"
+	echo "  is one you actually want to use for sshd."
    fi
    if [ "$ugid" != "$gid" ]; then
-	echo "  User sshd doesn't have group sshd!"
-	echo "  I will continue anyway, but this is a critical error that must be resolved"
-	echo "  before privilege seperation can be enabled!"
+        echo "  User sshd doesn't have group sshd!"
+        echo "  This is a critical error that must be resolved"
+        echo "  before privilege seperation can be enabled."
+	echo "  Since privilege seperation is on by default this problem"
+	echo "  will prevent sshd from starting."
+    fi
+    if [ "`echo $temp|$CUT -d: -f6`" != "/var/empty/sshd" ]; then
+	echo "  User sshd does not have homedir in /var/empty/sshd!"
+	echo "  This is a possible security risk so please make sure that"
+	echo "  user sshd has a homedir accessable only by root (perm 711)."
+    fi
+    if [ "`echo $temp|$CUT -d: -f7`" != "/bin/false" ]; then
+	echo "  User sshd does not have /bin/false as its shell!"
+	echo "  Please verify that the sshd user has a non-login shell."
    fi
 else
    echo "no"
@@ -149,10 +119,7 @@ else
    $USERADD -u $SSHID -g $SSHID -c "sshd privsep" -d /var/empty/sshd -s /bin/false sshd
 fi

-# FIXME Other stuff about the user/group situation should probably be checked
-# FIXME like the homedir and shell of the sshd user
-
-# Notice how the ssh host keys are not associated with the SBossh package.
+# Notice how the ssh host keys are not associated with the package.
 # I find that convenient as I'm sure that they don't disappear if someone
 # uninstalls the package.
 # This is nice because we can then avoid the "hostid changed" warnings.  
@@ -167,3 +134,16 @@ if [ "$CHECKCONF" = "1" ] ; then
 	echo "Please check the *.default config files for configuration hints"
 	echo "and update your existing config files accordingly."
 fi
+
+# Try and catch the upgrade scenario from previous packages which had
+# config in etc and not etc/ssh
+if [ "$OLDCONF" = "1" ] ; then
+	echo "#######"
+	echo ""
+	echo "Configuration files and keys was found in $OLDCONFDIR"
+	echo "If you're upgrading from a previous release then please"
+	echo "make sure to migrate any settings and keys to the new config location"
+	echo "in $CONFDIR and remove the old files."
+	echo "Also please check the *.default config files for configuration hints"
+	echo "and update your existing config files accordingly."
+fi