diff options
| author | Colin Watson <cjwatson@debian.org> | 2003-09-01 19:03:02 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2003-09-01 19:03:02 +0000 |
| commit | 4a4400f027c87b8b8182ecad3e821c0a0db49df0 (patch) | |
| tree | b2ea7235c6f34ddb60f5f7001f23dfcfe1766fa3 /debian/README.Debian | |
| parent | 1501d1e253613aba573e163869a2f704abd73a44 (diff) | |
| parent | 854156dd39acbde9b4a47ec0fc54a042ea7358e0 (diff) | |
Debian release 3.6.1p2-1.
Diffstat (limited to 'debian/README.Debian')
| -rw-r--r-- | debian/README.Debian | 125 |
1 files changed, 73 insertions, 52 deletions
diff --git a/debian/README.Debian b/debian/README.Debian index 13d005ac0..5deac15be 100644 --- a/debian/README.Debian +++ b/debian/README.Debian | |||
| @@ -16,6 +16,9 @@ Debian don't ship it. | |||
| 16 | 16 | ||
| 17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | 17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= |
| 18 | 18 | ||
| 19 | UPGRADE ISSUES | ||
| 20 | ============== | ||
| 21 | |||
| 19 | Privilege Separation | 22 | Privilege Separation |
| 20 | -------------------- | 23 | -------------------- |
| 21 | 24 | ||
| @@ -33,8 +36,7 @@ want it turned off, you need to add "UsePrivilegeSeparation no" to | |||
| 33 | 36 | ||
| 34 | NB! If you are running a 2.0 series Linux kernel, then privilege | 37 | NB! If you are running a 2.0 series Linux kernel, then privilege |
| 35 | separation will not work at all, and your sshd will fail to start | 38 | separation will not work at all, and your sshd will fail to start |
| 36 | unless you explicity turn privilege separation off. | 39 | unless you explicitly turn privilege separation off. |
| 37 | |||
| 38 | 40 | ||
| 39 | PermitRootLogin set to yes | 41 | PermitRootLogin set to yes |
| 40 | -------------------------- | 42 | -------------------------- |
| @@ -91,21 +93,9 @@ HostKey /etc/ssh/ssh_host_key | |||
| 91 | 93 | ||
| 92 | (you may need to generate a host key if you do not already have one) | 94 | (you may need to generate a host key if you do not already have one) |
| 93 | 95 | ||
| 94 | /usr/bin/ssh not SUID: | 96 | X11 Forwarding |
| 95 | ---------------------- | 97 | -------------- |
| 96 | If you have not installed debconf, you'll have missed the chance to | ||
| 97 | install ssh SUID, which means you won't be able to do Rhosts | ||
| 98 | authentication. If that upsets you, use: | ||
| 99 | |||
| 100 | dpkg-statoverride | ||
| 101 | |||
| 102 | or if that's also missing, use this: | ||
| 103 | 98 | ||
| 104 | chown root.root /usr/bin/ssh | ||
| 105 | chmod 04755 /usr/bin/ssh | ||
| 106 | |||
| 107 | X11 Forwarding: | ||
| 108 | --------------- | ||
| 109 | ssh's default for ForwardX11 has been changed to ``no'' because it has | 99 | ssh's default for ForwardX11 has been changed to ``no'' because it has |
| 110 | been pointed out that logging into remote systems administered by | 100 | been pointed out that logging into remote systems administered by |
| 111 | untrusted people is likely to open you up to X11 attacks, so you | 101 | untrusted people is likely to open you up to X11 attacks, so you |
| @@ -117,8 +107,60 @@ host settings. | |||
| 117 | In order for X11 forwarding to work, you need to install xauth on the | 107 | In order for X11 forwarding to work, you need to install xauth on the |
| 118 | server. In Debian this is in the xbase-clients package. | 108 | server. In Debian this is in the xbase-clients package. |
| 119 | 109 | ||
| 120 | Authorization Forwarding: | 110 | As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce |
| 121 | ------------------------- | 111 | the security risks of X11 forwarding. Look up X11UseLocalhost in |
| 112 | sshd_config(8) if this is a problem. | ||
| 113 | |||
| 114 | Fallback to RSH | ||
| 115 | --------------- | ||
| 116 | |||
| 117 | The default for this setting has been changed from Yes to No, for | ||
| 118 | security reasons, and to stop the delay attempting to rsh to machines | ||
| 119 | that don't offer the service. Simply switch it back on in either | ||
| 120 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
| 121 | it for. | ||
| 122 | |||
| 123 | Setgid ssh-agent and environment variables | ||
| 124 | ------------------------------------------ | ||
| 125 | |||
| 126 | As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace() | ||
| 127 | attacks retrieving private key material. This has the side-effect of causing | ||
| 128 | glibc to remove certain environment variables which might have security | ||
| 129 | implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and | ||
| 130 | TMPDIR. | ||
| 131 | |||
| 132 | If you need to set any of these environment variables, you will need to do | ||
| 133 | so in the program exec()ed by ssh-agent. This may involve creating a small | ||
| 134 | wrapper script. | ||
| 135 | |||
| 136 | Symlink Hostname invocation | ||
| 137 | --------------------------- | ||
| 138 | |||
| 139 | This version of ssh no longer includes support for invoking ssh with the | ||
| 140 | hostname as the name of the file run. People wanting this support should | ||
| 141 | use the ssh-argv0 script. | ||
| 142 | |||
| 143 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
| 144 | |||
| 145 | OTHER ISSUES | ||
| 146 | ============ | ||
| 147 | |||
| 148 | /usr/bin/ssh not SUID | ||
| 149 | --------------------- | ||
| 150 | |||
| 151 | Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh | ||
| 152 | is SUID. Until this is fixed, if that is a problem, use: | ||
| 153 | |||
| 154 | dpkg-statoverride | ||
| 155 | |||
| 156 | or if that's also missing, use this: | ||
| 157 | |||
| 158 | chown root.root /usr/bin/ssh | ||
| 159 | chmod 04755 /usr/bin/ssh | ||
| 160 | |||
| 161 | Authorization Forwarding | ||
| 162 | ------------------------ | ||
| 163 | |||
| 122 | Similarly, root on a remote server could make use of your ssh-agent | 164 | Similarly, root on a remote server could make use of your ssh-agent |
| 123 | (while you're logged into their machine) to obtain access to machines | 165 | (while you're logged into their machine) to obtain access to machines |
| 124 | which trust your keys. This feature is therefore disabled by default. | 166 | which trust your keys. This feature is therefore disabled by default. |
| @@ -126,16 +168,9 @@ You should only re-enable it for those hosts (in your ~/.ssh/config or | |||
| 126 | /etc/ssh/ssh_config) where you are confident that the remote machine | 168 | /etc/ssh/ssh_config) where you are confident that the remote machine |
| 127 | is not a threat. | 169 | is not a threat. |
| 128 | 170 | ||
| 129 | Fallback to RSH: | 171 | Problems logging in with RSA authentication |
| 130 | ---------------- | 172 | ------------------------------------------- |
| 131 | The default for this setting has been changed from Yes to No, for | ||
| 132 | security reasons, and to stop the delay attempting to rsh to machines | ||
| 133 | that don't offer the service. Simply switch it back on in either | ||
| 134 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
| 135 | it for. | ||
| 136 | 173 | ||
| 137 | Problems logging in with RSA authentication: | ||
| 138 | -------------------------------------------- | ||
| 139 | If you have trouble logging in with RSA authentication then the | 174 | If you have trouble logging in with RSA authentication then the |
| 140 | problem is probably caused by the fact that you have your home | 175 | problem is probably caused by the fact that you have your home |
| 141 | directory writable by group, as well as user (this is the default on | 176 | directory writable by group, as well as user (this is the default on |
| @@ -151,46 +186,32 @@ as yourself: | |||
| 151 | to remove group write permissions. If you use ssh-copy-id to install your | 186 | to remove group write permissions. If you use ssh-copy-id to install your |
| 152 | keys, it does this for you. | 187 | keys, it does this for you. |
| 153 | 188 | ||
| 154 | -L option of ssh nonfree: | 189 | -L option of ssh nonfree |
| 155 | ------------------------- | 190 | ------------------------ |
| 191 | |||
| 156 | non-free ssh supported the usage of the option -L to use a non privileged | 192 | non-free ssh supported the usage of the option -L to use a non privileged |
| 157 | port for scp. This option will not be supported by scp from openssh. | 193 | port for scp. This option will not be supported by scp from openssh. |
| 158 | 194 | ||
| 159 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the | 195 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the |
| 160 | manpage to scp itself. | 196 | manpage to scp itself. |
| 161 | 197 | ||
| 162 | Problem logging in because of TCP-Wrappers: | 198 | Problem logging in because of TCP-Wrappers |
| 163 | ------------------------------------------- | 199 | ------------------------------------------ |
| 200 | |||
| 164 | ssh is compiled with support for tcp-wrappers. So if you can no longer | 201 | ssh is compiled with support for tcp-wrappers. So if you can no longer |
| 165 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny | 202 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny |
| 166 | are configured so that ssh is not blocked. | 203 | are configured so that ssh is not blocked. |
| 167 | 204 | ||
| 168 | Kerberos Authentication: | 205 | Kerberos Authentication |
| 169 | ------------------------ | 206 | ----------------------- |
| 207 | |||
| 170 | ssh is compiled without support for kerberos authentication, and there are | 208 | ssh is compiled without support for kerberos authentication, and there are |
| 171 | no current plans to support this. Thus the KerberosAuthentication and | 209 | no current plans to support this. Thus the KerberosAuthentication and |
| 172 | KerberosTgtPassing options will not be recognised. | 210 | KerberosTgtPassing options will not be recognised. |
| 173 | 211 | ||
| 174 | Setgid ssh-agent and environment variables: | 212 | Interoperability between scp and the ssh.com SSH server |
| 175 | ------------------------------------------- | 213 | ------------------------------------------------------- |
| 176 | ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace() | ||
| 177 | attacks retrieving private key material. This has the side-effect of causing | ||
| 178 | glibc to remove certain environment variables which might have security | ||
| 179 | implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and | ||
| 180 | TMPDIR. | ||
| 181 | |||
| 182 | If you need to set any of these environment variables, you will need to do | ||
| 183 | so in the program exec()ed by ssh-agent. This may involve creating a small | ||
| 184 | wrapper script. | ||
| 185 | |||
| 186 | Symlink Hostname invocation: | ||
| 187 | ---------------------------- | ||
| 188 | This version of ssh no longer includes support for invoking ssh with the | ||
| 189 | hostname as the name of the file run. People wanting this support should | ||
| 190 | use the ssh-argv0 script. | ||
| 191 | 214 | ||
| 192 | Interoperability between scp and the ssh.com SSH server: | ||
| 193 | -------------------------------------------------------- | ||
| 194 | In version 2 and greater of the commercial SSH server produced by SSH | 215 | In version 2 and greater of the commercial SSH server produced by SSH |
| 195 | Communications Security, scp was changed to use SFTP (SSH2's file transfer | 216 | Communications Security, scp was changed to use SFTP (SSH2's file transfer |
| 196 | protocol) instead of the traditional rcp-over-ssh, thereby breaking | 217 | protocol) instead of the traditional rcp-over-ssh, thereby breaking |