authorColin Watson <cjwatson@debian.org>2017-03-05 02:05:52 +0000
committerColin Watson <cjwatson@debian.org>2017-03-05 02:11:09 +0000
commit22be89909c7578b94f1a5f733682a599b5d7c38f (patch)
treeeaf0ae8330fe3094a33eb43cd69c5ee05560566e
parenteec09be133d0f8d4a17b5331c897f4cba3811dde (diff)
parente18d2ba71e6bf009c53e65509da84b712c300471 (diff)
Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period (closes: #852320).
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/NEWS12
-rw-r--r--debian/changelog5
-rw-r--r--debian/patches/restore-authorized_keys2.patch35
-rw-r--r--debian/patches/series1
-rw-r--r--sshd_config5
6 files changed, 57 insertions, 5 deletions
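--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
+e18d2ba71e6bf009c53e65509da84b712c300471
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz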
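--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) UNRELEASED; urgency=medium
+
+ This version restores the default for AuthorizedKeysFile to search both
+ ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+ Debian configurations before 1:7.4p1-1. Upstream intends to phase out
+ searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+ you are only using ~/.ssh/authorized_keys, at least for critical
+ administrative access; do not assume that the current default will remain
+ in place forever.
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000
+
 openssh (1:7.4p1-1) unstable; urgency=medium
 
  OpenSSH 7.4 includes a number of changes that may affect existing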
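--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,11 @@ openssh (1:7.4p1-7) UNRELEASED; urgency=medium
 
  * Don't set "PermitRootLogin yes" on fresh installations (regression
  introduced in 1:7.4p1-1; closes: #852781).
+ * Restore reading authorized_keys2 by default. Upstream seems to intend
+ to gradually phase this out, so don't assume that this will remain the
+ default forever. However, we were late in adopting the upstream
+ sshd_config changes, so it makes sense to extend the grace period
+ (closes: #852320).
 
  -- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000
 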
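--- /dev/null
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 5 Mar 2017 02:02:11 +0000
+Subject: Restore reading authorized_keys2 by default
+
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever. However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+
+Patch-Name: restore-authorized_keys2.patch
+---
+ sshd_config | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -36,9 +36,8 @@
+
+ #PubkeyAuthentication yes
+
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile .ssh/authorized_keys
++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+ #AuthorizedPrincipalsFile none
+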
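--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@ regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
+restore-authorized_keys2.patch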
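--- a/sshd_config
+++ b/sshd_config
@@ -36,9 +36,8 @@
 
 #PubkeyAuthentication yes
 
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
 
 #AuthorizedPrincipalsFile none
 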
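Review bot: The new comment above `#AuthorizedKeysFile` says only that `.ssh/authorized_keys2` will be disregarded in future; it does not say that, with the directive commented out, sshd accepts keys from both files today. An administrator or key-audit job that inspects only `.ssh/authorized_keys` would miss keys that still grant login through the second file. I would reword the comment to something like `# Both files below are read by default; .ssh/authorized_keys2 is expected to be` / `# disregarded in future. Set AuthorizedKeysFile .ssh/authorized_keys to use one file.` so the current behaviour and the opt-out are visible in the shipped config. The same hunk is carried in debian/patches/restore-authorized_keys2.patch and would need the matching wording.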