Implement New World Order for PAM configuration, including

/etc/pam.d/common-* from /etc/pam.d/ssh (closes: #212959). Add more commentary to /etc/pam.d/ssh.
author: Colin Watson <cjwatson@debian.org> 2003-11-15 15:55:19 +0000
committer: Colin Watson <cjwatson@debian.org> 2003-11-15 15:55:19 +0000
commit: ac444049e27aa772e57d38b889ceee46e7331a50 (patch)
tree: 6f21f16b19de3ef8ba1812eb77c657b28c4b6a4e
parent: 72db1a31fddd41571369eecb058e78e9ac3f6c78 (diff)
5 files changed, 70 insertions, 16 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index ca928f9f0..bb1f7cf48 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -16,6 +16,15 @@ Debian don't ship it.
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+BUILD ISSUES
+============
+To build the openssh package for woody, set DEB_BUILD_SSH_WOODY=1 in
+your environment. This is necessary due to non-backward-compatible
+changes in PAM support.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 UPGRADE ISSUES
 ==============
@@ -87,7 +96,10 @@ Protocol 2,1
 Also add the line:
 HostKey /etc/ssh/ssh_host_key
-(you may need to generate a host key if you do not already have one)
+If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key,
+you will need to generate one. To do so, run this command as root:
+  ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1
 X11 Forwarding
 --------------
diff --git a/debian/changelog b/debian/changelog
index 70523aeb9..05fc0c9c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,11 @@ openssh (1:3.6.1p2-10) UNRELEASED; urgency=low
    closes: #215372).
  * Update config.guess and config.sub from autotools-dev 20031007.1
    (closes: #217696).
+  * Implement New World Order for PAM configuration, including
+    /etc/pam.d/common-* from /etc/pam.d/ssh (closes: #212959).
+    - To backport this release to woody, you need to set DEB_BUILD_SSH_WOODY
+      in your environment. See README.Debian.
+  * Add more commentary to /etc/pam.d/ssh.
 -- Colin Watson <cjwatson@debian.org>  Sat, 15 Nov 2003 14:07:29 +0000
diff --git a/debian/control b/debian/control
index 046f157e4..d7dc3a533 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Uploaders: Colin Watson <cjwatson@debian.org>
 Package: ssh
 Architecture: any
-Depends: ${shlibs:Depends}, ${debconf-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9)
+Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9)
 Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1)
 Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils
 Provides: rsh-client
diff --git a/debian/rules b/debian/rules
index ec594ecb0..0bb40da4e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -25,6 +25,20 @@ PO2DEBCONF := yes
 MINDEBCONFVER := 1.2.0
 endif
+# We need a new libpam-runtime for sane PAM handling
+# (http://lists.debian.org/debian-devel-announce-0308/msg00012.html).
+# Unfortunately it's hard to detect during the build whether this is
+# appropriate, so woody-compatibility is a pain. I've had to punt and go for
+# a DEB_BUILD_SSH_WOODY environment variable. We can remove this hack once
+# we no longer care about woody.
+ifeq ($(DEB_BUILD_SSH_WOODY),)
+PAMSUBST := no
+PAMDEP := libpam-runtime (>= 0.76-14)
+else
+PAMSUBST := yes
+PAMDEP := libpam-runtime
+endif
 # Change the version string to include the Debian version
 SSH_VERSION := $(shell sed -e '/define/!d; s/.*\"\(.*\)\".*/\1/; q' <version.h) Debian $(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p')
@@ -61,6 +75,11 @@ ifeq ($(PO2DEBCONF),yes)
        po2debconf debian/templates.master > debian/templates
        rm -f debian/po/output
 endif
+ifeq ($(PAMSUBST),yes)
+        if [ -f debian/ssh.pam.new-style ]; then \
+                mv debian/ssh.pam.new-style debian/ssh.pam; \
+        fi
+endif
        dh_clean
 install: DH_OPTIONS=
@@ -113,6 +132,15 @@ endif
        nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
        gzip -9 debian/tmp/usr/share/doc/ssh/RFC
        rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
+ifeq ($(PAMSUBST),yes)
+        cp -a debian/ssh.pam debian/ssh.pam.new-style
+        trailer='required     pam_unix.so' \
+        sed -e "s/@include common-auth/auth       $$trailer" \
+            -e "s/@include common-account/account    $$trailer" \
+            -e "s/@include common-session/session    $$trailer" \
+            -e "s/@include common-password/password   $$trailer" \
+            debian/ssh.pam.new-style > debian/ssh.pam
+endif
        dh_installpam
        dh_installchangelogs ChangeLog
        dh_strip
@@ -122,7 +150,8 @@ endif
        test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \
          || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles
        dh_shlibdeps
-        dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'
+        dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                         -V'pam-depends=$(PAMDEP)'
        dh_md5sums
        dh_builddeb
diff --git a/debian/ssh.pam b/debian/ssh.pam
index f6fbd3ebc..8882053df 100644
--- a/debian/ssh.pam
+++ b/debian/ssh.pam
@@ -1,21 +1,29 @@
-#%PAM-1.0
+# PAM configuration for the Secure Shell service
+# Disallow non-root logins when /etc/nologin exists.
 auth       required     pam_nologin.so
-auth       required     pam_unix.so
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
 auth       required     pam_env.so # [1]
-account    required     pam_unix.so
+# Standard Un*x authentication.
+@include common-auth
+# Standard Un*x authorization.
+@include common-account
+# Standard Un*x session setup and teardown.
+@include common-session
-session    required     pam_unix.so
+# Print the message of the day upon successful login.
 session    optional     pam_motd.so # [1]
+# Print the status of the user's mailbox upon successful login.
 session    optional     pam_mail.so standard noenv # [1]
-session    required     pam_limits.so
-password   required     pam_unix.so
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
-# Alternate strength checking for password. Note that this
+# Standard Un*x password updating.
-# requires the libpam-cracklib package to be installed.
+@include common-password
-# You will need to comment out the password line above and
-# uncomment the next two in order to use this.
-#
-# password required       pam_cracklib.so retry=3 minlen=6 difok=3
-# password required       pam_unix.so use_authtok nullok md5
author	Colin Watson <cjwatson@debian.org>	2003-11-15 15:55:19 +0000
committer	Colin Watson <cjwatson@debian.org>	2003-11-15 15:55:19 +0000
commit	ac444049e27aa772e57d38b889ceee46e7331a50 (patch)
tree	6f21f16b19de3ef8ba1812eb77c657b28c4b6a4e
parent	72db1a31fddd41571369eecb058e78e9ac3f6c78 (diff)

diff --git a/debian/README.Debian b/debian/README.Debian index ca928f9f0..bb1f7cf48 100644 --- a/debian/README.Debian +++ b/debian/README.Debian
@@ -16,6 +16,15 @@ Debian don't ship it.
16		16
17	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=	17	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
18		18
		19	BUILD ISSUES
		20	============
		21
		22	To build the openssh package for woody, set DEB_BUILD_SSH_WOODY=1 in
		23	your environment. This is necessary due to non-backward-compatible
		24	changes in PAM support.
		25
		26	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
		27
19	UPGRADE ISSUES	28	UPGRADE ISSUES
20	==============	29	==============
21		30
@@ -87,7 +96,10 @@ Protocol 2,1
87	Also add the line:	96	Also add the line:
88	HostKey /etc/ssh/ssh_host_key	97	HostKey /etc/ssh/ssh_host_key
89		98
90	(you may need to generate a host key if you do not already have one)	99	If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key,
		100	you will need to generate one. To do so, run this command as root:
		101
		102	ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1
91		103
92	X11 Forwarding	104	X11 Forwarding
93	--------------	105	--------------


diff --git a/debian/changelog b/debian/changelog index 70523aeb9..05fc0c9c0 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -10,6 +10,11 @@ openssh (1:3.6.1p2-10) UNRELEASED; urgency=low
10	closes: #215372).	10	closes: #215372).
11	* Update config.guess and config.sub from autotools-dev 20031007.1	11	* Update config.guess and config.sub from autotools-dev 20031007.1
12	(closes: #217696).	12	(closes: #217696).
		13	* Implement New World Order for PAM configuration, including
		14	/etc/pam.d/common-* from /etc/pam.d/ssh (closes: #212959).
		15	- To backport this release to woody, you need to set DEB_BUILD_SSH_WOODY
		16	in your environment. See README.Debian.
		17	* Add more commentary to /etc/pam.d/ssh.
13		18
14	-- Colin Watson <cjwatson@debian.org> Sat, 15 Nov 2003 14:07:29 +0000	19	-- Colin Watson <cjwatson@debian.org> Sat, 15 Nov 2003 14:07:29 +0000
15		20


diff --git a/debian/control b/debian/control index 046f157e4..d7dc3a533 100644 --- a/debian/control +++ b/debian/control
@@ -8,7 +8,7 @@ Uploaders: Colin Watson <cjwatson@debian.org>
8		8
9	Package: ssh	9	Package: ssh
10	Architecture: any	10	Architecture: any
11	Depends: ${shlibs:Depends}, ${debconf-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9)	11	Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9)
12	Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1)	12	Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1)
13	Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils	13	Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils
14	Provides: rsh-client	14	Provides: rsh-client


diff --git a/debian/rules b/debian/rules index ec594ecb0..0bb40da4e 100755 --- a/debian/rules +++ b/debian/rules
@@ -25,6 +25,20 @@ PO2DEBCONF := yes
25	MINDEBCONFVER := 1.2.0	25	MINDEBCONFVER := 1.2.0
26	endif	26	endif
27		27
		28	# We need a new libpam-runtime for sane PAM handling
		29	# (http://lists.debian.org/debian-devel-announce-0308/msg00012.html).
		30	# Unfortunately it's hard to detect during the build whether this is
		31	# appropriate, so woody-compatibility is a pain. I've had to punt and go for
		32	# a DEB_BUILD_SSH_WOODY environment variable. We can remove this hack once
		33	# we no longer care about woody.
		34	ifeq ($(DEB_BUILD_SSH_WOODY),)
		35	PAMSUBST := no
		36	PAMDEP := libpam-runtime (>= 0.76-14)
		37	else
		38	PAMSUBST := yes
		39	PAMDEP := libpam-runtime
		40	endif
		41
28	# Change the version string to include the Debian version	42	# Change the version string to include the Debian version
29	SSH_VERSION := $(shell sed -e '/define/!d; s/.\"\(.\)\".*/\1/; q' <version.h) Debian $(shell dpkg-parsechangelog \| sed -n -e '/^Version:/s/Version: //p')	43	SSH_VERSION := $(shell sed -e '/define/!d; s/.\"\(.\)\".*/\1/; q' <version.h) Debian $(shell dpkg-parsechangelog \| sed -n -e '/^Version:/s/Version: //p')
30		44
@@ -61,6 +75,11 @@ ifeq ($(PO2DEBCONF),yes)
61	po2debconf debian/templates.master > debian/templates	75	po2debconf debian/templates.master > debian/templates
62	rm -f debian/po/output	76	rm -f debian/po/output
63	endif	77	endif
		78	ifeq ($(PAMSUBST),yes)
		79	if [ -f debian/ssh.pam.new-style ]; then \
		80	mv debian/ssh.pam.new-style debian/ssh.pam; \
		81	fi
		82	endif
64	dh_clean	83	dh_clean
65		84
66	install: DH_OPTIONS=	85	install: DH_OPTIONS=
@@ -113,6 +132,15 @@ endif
113	nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC	132	nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
114	gzip -9 debian/tmp/usr/share/doc/ssh/RFC	133	gzip -9 debian/tmp/usr/share/doc/ssh/RFC
115	rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz	134	rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
		135	ifeq ($(PAMSUBST),yes)
		136	cp -a debian/ssh.pam debian/ssh.pam.new-style
		137	trailer='required pam_unix.so' \
		138	sed -e "s/@include common-auth/auth $$trailer" \
		139	-e "s/@include common-account/account $$trailer" \
		140	-e "s/@include common-session/session $$trailer" \
		141	-e "s/@include common-password/password $$trailer" \
		142	debian/ssh.pam.new-style > debian/ssh.pam
		143	endif
116	dh_installpam	144	dh_installpam
117	dh_installchangelogs ChangeLog	145	dh_installchangelogs ChangeLog
118	dh_strip	146	dh_strip
@@ -122,7 +150,8 @@ endif
122	test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \	150	test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \
123	\|\| echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles	151	\|\| echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles
124	dh_shlibdeps	152	dh_shlibdeps
125	dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'	153	dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
		154	-V'pam-depends=$(PAMDEP)'
126	dh_md5sums	155	dh_md5sums
127	dh_builddeb	156	dh_builddeb
128		157


diff --git a/debian/ssh.pam b/debian/ssh.pam index f6fbd3ebc..8882053df 100644 --- a/debian/ssh.pam +++ b/debian/ssh.pam
@@ -1,21 +1,29 @@
1	#%PAM-1.0	1	# PAM configuration for the Secure Shell service
		2
		3	# Disallow non-root logins when /etc/nologin exists.
2	auth required pam_nologin.so	4	auth required pam_nologin.so
3	auth required pam_unix.so	5
		6	# Read environment variables from /etc/environment and
		7	# /etc/security/pam_env.conf.
4	auth required pam_env.so # [1]	8	auth required pam_env.so # [1]
5		9
6	account required pam_unix.so	10	# Standard Un*x authentication.
		11	@include common-auth
		12
		13	# Standard Un*x authorization.
		14	@include common-account
		15
		16	# Standard Un*x session setup and teardown.
		17	@include common-session
7		18
8	session required pam_unix.so	19	# Print the message of the day upon successful login.
9	session optional pam_motd.so # [1]	20	session optional pam_motd.so # [1]
		21
		22	# Print the status of the user's mailbox upon successful login.
10	session optional pam_mail.so standard noenv # [1]	23	session optional pam_mail.so standard noenv # [1]
11	session required pam_limits.so
12		24
13	password required pam_unix.so	25	# Set up user limits from /etc/security/limits.conf.
		26	session required pam_limits.so
14		27
15	# Alternate strength checking for password. Note that this	28	# Standard Un*x password updating.
16	# requires the libpam-cracklib package to be installed.	29	@include common-password
17	# You will need to comment out the password line above and
18	# uncomment the next two in order to use this.
19	#
20	# password required pam_cracklib.so retry=3 minlen=6 difok=3
21	# password required pam_unix.so use_authtok nullok md5