Perhaps we should issue a special DSA about openssh fixes in d-i once the next point release is available? In particular, anyone using d-i with network-console needs to make sure to update their installation media / netboot files.
Also, network-console's copying of the ssh_host_rsa_key in
finish-install looks like it was a bad choice, because it doesn't allow
ssh to overrule the key. For lenny, it would be better if it used a
base-installer hook to install the keys before ssh got installed.
ssh's postinst will behave sanely if host keys are already present when
it's first installed: It will not overwrite them, and will check that
they're strong and prompt with debconf about overwriting them.
So, untested:
Index: debian/changelog
===================================================================
--- debian/changelog (revision 54461)
+++ debian/changelog (working copy)
@@ -1,8 +1,13 @@
network-console (1.18) UNRELEASED; urgency=low
+ [ Martin Michlmayr ]
* Change the health LED to solid blue on the HP mv2120 to indicate
when the installer is ready for ssh connections.
+ [ Joey Hess ]
+ * Install ssh keys before ssh is installed, to allow it to check them for
+ weakness.
+
-- Martin Michlmayr <[EMAIL PROTECTED]> Mon, 14 Jul 2008 22:46:28 +0300
network-console (1.17) unstable; urgency=low
Index: finish-install
===================================================================
--- finish-install (revision 54461)
+++ finish-install (working copy)
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-
-DIR=/etc/ssh/
-
-[ -d /target/$DIR ] || exit 0
-
-cp $DIR/ssh_host_rsa_key* /target/$DIR
Index: post-base-installer
===================================================================
--- post-base-installer (revision 0)
+++ post-base-installer (revision 0)
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+DIR=/etc/ssh/
+
+mkdir -p /target/$DIR
+cp $DIR/ssh_host_rsa_key* /target/$DIR
Property changes on: post-base-installer
___________________________________________________________________
Added: svn:executable
+ *
Index: Makefile
===================================================================
--- Makefile (revision 54461)
+++ Makefile (working copy)
@@ -9,8 +9,8 @@
install -m755 gen-crypt network-console network-console-menu
$(DESTDIR)/bin
install -d $(DESTDIR)/etc/ssh
install -m644 sshd_config $(DESTDIR)/etc/ssh
- install -d $(DESTDIR)/usr/lib/finish-install.d/
- install -m755 finish-install
$(DESTDIR)/usr/lib/finish-install.d/80network-console
+ install -d $(DESTDIR)/usr/lib/post-base-installer.d/
+ install -m755 post-base-installer
$(DESTDIR)/usr/lib/post-base-installer.d/80network-console
clean:
rm -f gen-crypt
--
see shy jo
signature.asc
Description: Digital signature
