author | Colin Watson <cjwatson@debian.org> | 2003-11-15 15:55:19 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-11-15 15:55:19 +0000 |
commit | ac444049e27aa772e57d38b889ceee46e7331a50 (patch) | |
tree | 6f21f16b19de3ef8ba1812eb77c657b28c4b6a4e | |
parent | 72db1a31fddd41571369eecb058e78e9ac3f6c78 (diff) |
Implement New World Order for PAM configuration, including
/etc/pam.d/common-* from /etc/pam.d/ssh (closes: #212959).
Add more commentary to /etc/pam.d/ssh.
-rw-r--r-- | debian/README.Debian | 14 | ||||
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rwxr-xr-x | debian/rules | 31 | ||||
-rw-r--r-- | debian/ssh.pam | 34 |
5 files changed, 70 insertions, 16 deletions
diff --git a/debian/README.Debian b/debian/README.Debian index ca928f9f0..bb1f7cf48 100644 --- a/debian/README.Debian +++ b/debian/README.Debian | |||
@@ -16,6 +16,15 @@ Debian don't ship it. | |||
16 | 16 | ||
17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | 17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= |
18 | 18 | ||
19 | BUILD ISSUES | ||
20 | ============ | ||
21 | |||
22 | To build the openssh package for woody, set DEB_BUILD_SSH_WOODY=1 in | ||
23 | your environment. This is necessary due to non-backward-compatible | ||
24 | changes in PAM support. | ||
25 | |||
26 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
27 | |||
19 | UPGRADE ISSUES | 28 | UPGRADE ISSUES |
20 | ============== | 29 | ============== |
21 | 30 | ||
@@ -87,7 +96,10 @@ Protocol 2,1 | |||
87 | Also add the line: | 96 | Also add the line: |
88 | HostKey /etc/ssh/ssh_host_key | 97 | HostKey /etc/ssh/ssh_host_key |
89 | 98 | ||
90 | (you may need to generate a host key if you do not already have one) | 99 | If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key, |
100 | you will need to generate one. To do so, run this command as root: | ||
101 | |||
102 | ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1 | ||
91 | 103 | ||
92 | X11 Forwarding | 104 | X11 Forwarding |
93 | -------------- | 105 | -------------- |
diff --git a/debian/changelog b/debian/changelog index 70523aeb9..05fc0c9c0 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -10,6 +10,11 @@ openssh (1:3.6.1p2-10) UNRELEASED; urgency=low | |||
10 | closes: #215372). | 10 | closes: #215372). |
11 | * Update config.guess and config.sub from autotools-dev 20031007.1 | 11 | * Update config.guess and config.sub from autotools-dev 20031007.1 |
12 | (closes: #217696). | 12 | (closes: #217696). |
13 | * Implement New World Order for PAM configuration, including | ||
14 | /etc/pam.d/common-* from /etc/pam.d/ssh (closes: #212959). | ||
15 | - To backport this release to woody, you need to set DEB_BUILD_SSH_WOODY | ||
16 | in your environment. See README.Debian. | ||
17 | * Add more commentary to /etc/pam.d/ssh. | ||
13 | 18 | ||
14 | -- Colin Watson <cjwatson@debian.org> Sat, 15 Nov 2003 14:07:29 +0000 | 19 | -- Colin Watson <cjwatson@debian.org> Sat, 15 Nov 2003 14:07:29 +0000 |
15 | 20 | ||
diff --git a/debian/control b/debian/control index 046f157e4..d7dc3a533 100644 --- a/debian/control +++ b/debian/control | |||
@@ -8,7 +8,7 @@ Uploaders: Colin Watson <cjwatson@debian.org> | |||
8 | 8 | ||
9 | Package: ssh | 9 | Package: ssh |
10 | Architecture: any | 10 | Architecture: any |
11 | Depends: ${shlibs:Depends}, ${debconf-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9) | 11 | Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9) |
12 | Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1) | 12 | Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1) |
13 | Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils | 13 | Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils |
14 | Provides: rsh-client | 14 | Provides: rsh-client |
diff --git a/debian/rules b/debian/rules index ec594ecb0..0bb40da4e 100755 --- a/debian/rules +++ b/debian/rules | |||
@@ -25,6 +25,20 @@ PO2DEBCONF := yes | |||
25 | MINDEBCONFVER := 1.2.0 | 25 | MINDEBCONFVER := 1.2.0 |
26 | endif | 26 | endif |
27 | 27 | ||
28 | # We need a new libpam-runtime for sane PAM handling | ||
29 | # (http://lists.debian.org/debian-devel-announce-0308/msg00012.html). | ||
30 | # Unfortunately it's hard to detect during the build whether this is | ||
31 | # appropriate, so woody-compatibility is a pain. I've had to punt and go for | ||
32 | # a DEB_BUILD_SSH_WOODY environment variable. We can remove this hack once | ||
33 | # we no longer care about woody. | ||
34 | ifeq ($(DEB_BUILD_SSH_WOODY),) | ||
35 | PAMSUBST := no | ||
36 | PAMDEP := libpam-runtime (>= 0.76-14) | ||
37 | else | ||
38 | PAMSUBST := yes | ||
39 | PAMDEP := libpam-runtime | ||
40 | endif | ||
41 | |||
28 | # Change the version string to include the Debian version | 42 | # Change the version string to include the Debian version |
29 | SSH_VERSION := $(shell sed -e '/define/!d; s/.*\"\(.*\)\".*/\1/; q' <version.h) Debian $(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p') | 43 | SSH_VERSION := $(shell sed -e '/define/!d; s/.*\"\(.*\)\".*/\1/; q' <version.h) Debian $(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p') |
30 | 44 | ||
@@ -61,6 +75,11 @@ ifeq ($(PO2DEBCONF),yes) | |||
61 | po2debconf debian/templates.master > debian/templates | 75 | po2debconf debian/templates.master > debian/templates |
62 | rm -f debian/po/output | 76 | rm -f debian/po/output |
63 | endif | 77 | endif |
78 | ifeq ($(PAMSUBST),yes) | ||
79 | if [ -f debian/ssh.pam.new-style ]; then \ | ||
80 | mv debian/ssh.pam.new-style debian/ssh.pam; \ | ||
81 | fi | ||
82 | endif | ||
64 | dh_clean | 83 | dh_clean |
65 | 84 | ||
66 | install: DH_OPTIONS= | 85 | install: DH_OPTIONS= |
@@ -113,6 +132,15 @@ endif | |||
113 | nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC | 132 | nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC |
114 | gzip -9 debian/tmp/usr/share/doc/ssh/RFC | 133 | gzip -9 debian/tmp/usr/share/doc/ssh/RFC |
115 | rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz | 134 | rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz |
135 | ifeq ($(PAMSUBST),yes) | ||
136 | cp -a debian/ssh.pam debian/ssh.pam.new-style | ||
137 | trailer='required pam_unix.so' \ | ||
138 | sed -e "s/@include common-auth/auth $$trailer" \ | ||
139 | -e "s/@include common-account/account $$trailer" \ | ||
140 | -e "s/@include common-session/session $$trailer" \ | ||
141 | -e "s/@include common-password/password $$trailer" \ | ||
142 | debian/ssh.pam.new-style > debian/ssh.pam | ||
143 | endif | ||
116 | dh_installpam | 144 | dh_installpam |
117 | dh_installchangelogs ChangeLog | 145 | dh_installchangelogs ChangeLog |
118 | dh_strip | 146 | dh_strip |
@@ -122,7 +150,8 @@ endif | |||
122 | test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \ | 150 | test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \ |
123 | || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles | 151 | || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles |
124 | dh_shlibdeps | 152 | dh_shlibdeps |
125 | dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' | 153 | dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \ |
154 | -V'pam-depends=$(PAMDEP)' | ||
126 | dh_md5sums | 155 | dh_md5sums |
127 | dh_builddeb | 156 | dh_builddeb |
128 | 157 | ||
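Review bot: The woody substitution in the install recipe (new lines 137–142) cannot produce a usable debian/ssh.pam as written. `trailer='required pam_unix.so' \` followed by `sed` forms a single command with an assignment prefix, so the shell expands `$$trailer` in the sed arguments before the assignment takes effect, and the replacement text is empty unless `trailer` already happens to be in the environment. Each expression such as `s/@include common-auth/auth $$trailer` also lacks its closing `/`, which sed rejects as an unterminated command after the redirect has already truncated debian/ssh.pam. Setting the variable in its own command joined with `;` and terminating each expression fixes both; because this file becomes sshd's PAM stack, the generated output is worth inspecting once with DEB_BUILD_SSH_WOODY=1. The recipe begins and ends outside the hunk.

```make
	cp -a debian/ssh.pam debian/ssh.pam.new-style
	trailer='required pam_unix.so'; \
	sed -e "s/@include common-auth/auth $$trailer/" \
	    -e "s/@include common-account/account $$trailer/" \
	    -e "s/@include common-session/session $$trailer/" \
	    -e "s/@include common-password/password $$trailer/" \
	    debian/ssh.pam.new-style > debian/ssh.pam
# … unchanged: endif, dh_installpam and the rest of the recipe …
```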
diff --git a/debian/ssh.pam b/debian/ssh.pam index f6fbd3ebc..8882053df 100644 --- a/debian/ssh.pam +++ b/debian/ssh.pam | |||
@@ -1,21 +1,29 @@ | |||
1 | #%PAM-1.0 | 1 | # PAM configuration for the Secure Shell service |
2 | |||
3 | # Disallow non-root logins when /etc/nologin exists. | ||
2 | auth required pam_nologin.so | 4 | auth required pam_nologin.so |
3 | auth required pam_unix.so | 5 | |
6 | # Read environment variables from /etc/environment and | ||
7 | # /etc/security/pam_env.conf. | ||
4 | auth required pam_env.so # [1] | 8 | auth required pam_env.so # [1] |
5 | 9 | ||
6 | account required pam_unix.so | 10 | # Standard Un*x authentication. |
11 | @include common-auth | ||
12 | |||
13 | # Standard Un*x authorization. | ||
14 | @include common-account | ||
15 | |||
16 | # Standard Un*x session setup and teardown. | ||
17 | @include common-session | ||
7 | 18 | ||
8 | session required pam_unix.so | 19 | # Print the message of the day upon successful login. |
9 | session optional pam_motd.so # [1] | 20 | session optional pam_motd.so # [1] |
21 | |||
22 | # Print the status of the user's mailbox upon successful login. | ||
10 | session optional pam_mail.so standard noenv # [1] | 23 | session optional pam_mail.so standard noenv # [1] |
11 | session required pam_limits.so | ||
12 | 24 | ||
13 | password required pam_unix.so | 25 | # Set up user limits from /etc/security/limits.conf. |
26 | session required pam_limits.so | ||
14 | 27 | ||
15 | # Alternate strength checking for password. Note that this | 28 | # Standard Un*x password updating. |
16 | # requires the libpam-cracklib package to be installed. | 29 | @include common-password |
17 | # You will need to comment out the password line above and | ||
18 | # uncomment the next two in order to use this. | ||
19 | # | ||
20 | # password required pam_cracklib.so retry=3 minlen=6 difok=3 | ||
21 | # password required pam_unix.so use_authtok nullok md5 | ||
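Review bot: The four `@include common-*` lines are now coupled to debian/rules, whose woody path rewrites them with sed patterns matching the exact text `@include common-auth` and so on, yet nothing in this file records that. A later edit here (extra whitespace, a trailing comment) would presumably stop the pattern matching and leave an `@include` in a package built for a libpam-runtime that may not support it. A comment above the first include would cover it, e.g. `# NB: debian/rules rewrites these @include lines when DEB_BUILD_SSH_WOODY is set; keep their exact form.` Separately, the `# [1]` markers on the pam_env, pam_motd and pam_mail lines have no footnote anywhere in the file, so the new commentary would be the natural place to say what they refer to.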