#!/bin/sh set -e #DEBHELPER# case "$1" in configure) EXEC_OVERRIDE='ExecStart=/usr/sbin/sshd -D -o "AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys %%u %%f" -o "AuthorizedKeysCommandUser ec2-instance-connect" $SSHD_OPTS' modified=1 # If there is nothing in the AuthorizedKeysCommand field of sshd_config *and* nothing in any sshd override, add our config if ! grep -q '^[^#]*AuthorizedKeysCommand[[:blank:]]\+.*$' /etc/ssh/sshd_config ; then if ! grep -q '^[^#]*AuthorizedKeysCommandUser[[:blank:]]\+.*$' /etc/ssh/sshd_config ; then if ! grep -q '^[^#]*AuthorizedKeysCommandRunAs[[:blank:]]\+.*$' /etc/ssh/sshd_config ; then # If systemd unit contains AKC don't override it if ! grep -q "AuthorizedKeysCommand" /lib/systemd/system/ssh.service ; then can_modify=1 if [ -d /lib/systemd/system/ssh.service.d ] ; then # If *any* override contains an ExecStart, don't override it if ! grep -Rq "ExecStart" /lib/systemd/system/ssh.service.d/ ; then can_modify=0 fi else # Or there are no overrides mkdir /lib/systemd/system/ssh.service.d can_modify=0 fi if [ $can_modify -eq 0 ] ; then # Add our configuration printf "%s\n%s\n%s\n" "[Service]" "ExecStart=" "${EXEC_OVERRIDE}" > /lib/systemd/system/ssh.service.d/ec2-instance-connect.conf modified=0 fi fi fi fi fi if [ $modified -eq 0 ] ; then systemctl daemon-reload echo "sshd override added, restarting daemon" deb-systemd-invoke restart ssh.service fi ;; esac