authorAn-Cheng Huang <ancheng@vyatta.com>2008-10-13 15:31:26 -0700
committerAn-Cheng Huang <ancheng@vyatta.com>2008-10-13 15:31:26 -0700
commit3529bdf5b65016cea331f8ba6e7293c7eea9e6ce (patch)
treee24967ae01e21462b668087689200f6a6eb3872a /debian
parent0aa22026802ff43c59e4bd4fc4a4846ea18f1572 (diff)
add ssh key blacklists
Diffstat (limited to 'debian')
-rw-r--r--debian/control3
-rw-r--r--debian/vyatta-cfg-system.postinst.in16
2 files changed, 18 insertions, 1 deletions
diff --git a/debian/control b/debian/control
index 4b5692bb..877ee68c 100644
--- a/debian/control
+++ b/debian/control
@@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5),
snmpd,
vyatta-keepalived,
bridge-utils,
- ssh,
+ ssh (>= 5.1p1-3),
+ openssh-server (>= 5.1p1-3),
ed,
tshark,
iputils-arping
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 0dd6248f..fe50fa79 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -66,6 +66,20 @@ EOF
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF
+
+ # set up blacklists
+ for f in blacklist.DSA-1024 blacklist.RSA-2048; do
+ if [ -r "/etc/ssh/$f" ]; then
+ l=$(head -1 $sysconfdir/$f)
+ if ! grep -q "$l" /etc/ssh/$f; then
+ tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
+ cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
+ mv $tmp /etc/ssh/$f
+ fi
+ else
+ cp $sysconfdir/$f /etc/ssh/$f
+ fi
+ done
fi
# update crontab for logrotate
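Review bot: The merge branch of the blacklist loop replaces `/etc/ssh/$f` with a file created by `mktemp` in /tmp, so after the `mv` the blacklist carries the temp file's 0600 mode and may no longer be readable by non-root tools, and the move is likely a cross-filesystem copy rather than an atomic rename. The `cat … | sort >$tmp` pipeline is also moved into place without checking its exit status, so a failed or partial sort could leave a truncated blacklist, which weakens the key check the file exists to enforce. I would create the temporary file next to the target, sort both inputs directly with `-u`, restore the mode, and rename only on success; quoting `$sysconfdir/$f` and matching the marker line with `grep -qxF` would also make the already-merged test exact. The outer `if` that the trailing `fi` closes starts outside this hunk.

```shell
for f in blacklist.DSA-1024 blacklist.RSA-2048; do
    if [ -r "/etc/ssh/$f" ]; then
        l=$(head -1 "$sysconfdir/$f")
        if ! grep -qxF -- "$l" "/etc/ssh/$f"; then
            # temp file beside the target so the rename stays on one filesystem
            tmp=$(mktemp "/etc/ssh/$f.XXXXXXXXXX")
            if sort -u "/etc/ssh/$f" "$sysconfdir/$f" >"$tmp"; then
                # assumed mode of the shipped blacklist; confirm before merging
                chmod 644 "$tmp"
                mv "$tmp" "/etc/ssh/$f"
            else
                rm -f "$tmp"
            fi
        fi
    # … unchanged: else branch copying $sysconfdir/$f into /etc/ssh …
```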
@@ -87,6 +101,8 @@ fi
sed -i 's/^set /builtin set /' /etc/bash_completion
+/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server
+
# Local Variables:
# mode: shell-script
# sh-indentation: 4
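Review bot: The added `dpkg-reconfigure -f noninteractive openssh-server` call has no comment explaining why this package's postinst reconfigures another package, although its position after the blacklist merge looks deliberate. If the intent is to have openssh-server pick up the merged blacklists, say so above the call, e.g. `# re-run openssh-server's postinst so it picks up the merged key blacklists`. As visible here the call is not guarded by the maintainer-script action, so it presumably runs on every invocation of the postinst, and a non-zero exit would fail this package's configuration if the script runs under `set -e`. The rest of the script is outside the hunk, so both points need confirming against the full file.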