Debian release 3.4p1-2.

author: Colin Watson <cjwatson@debian.org> 2003-09-01 01:04:24 +0000
committer: Colin Watson <cjwatson@debian.org> 2003-09-01 01:04:24 +0000
commit: 509e7c7f3c55082eead9c5f83093b2f082e9896b (patch)
tree: 7a094fd20ab5b516bf413483e81975659b8816a8 /debian/README.Debian
parent: 79cf0b3654d7b597de323153eb57015cdfbd90a4 (diff)
1 files changed, 22 insertions, 2 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
index c2858d2f9..fd969d7c9 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -11,11 +11,31 @@ ssh that is going to make it into Debian proper, being the only one
 that complies with the Debian Free Software Guidelines.
 If you were expecting to get the non-free version of ssh (1.2.27 or
-whatever) when you installed this package, please install ssh-nonfree
+whatever) when you installed this package, then you're out of luck, as
-instead, which is what we're now calling the non-free version.
+Debian don't ship it.
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Privilege Separation
+--------------------
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd.
+Unfortunately, privilege separation interacts badly with PAM. Any PAM
+session modules that need to run as root (pam_mkhomedir, for example)
+will fail, and PAM keyboard-interactive authentication won't work.
+Privilege separation is turned on by default, so if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config
+NB! If you are running a 2.0 series Linux kernel, then privilege
+separation will not work at all, and your sshd will fail to start
+unless you explicity turn privilege separation off.
 PermitRootLogin set to yes
 --------------------------
author	Colin Watson <cjwatson@debian.org>	2003-09-01 01:04:24 +0000
committer	Colin Watson <cjwatson@debian.org>	2003-09-01 01:04:24 +0000
commit	509e7c7f3c55082eead9c5f83093b2f082e9896b (patch)
tree	7a094fd20ab5b516bf413483e81975659b8816a8 /debian/README.Debian
parent	79cf0b3654d7b597de323153eb57015cdfbd90a4 (diff)

diff --git a/debian/README.Debian b/debian/README.Debian index c2858d2f9..fd969d7c9 100644 --- a/debian/README.Debian +++ b/debian/README.Debian
@@ -11,11 +11,31 @@ ssh that is going to make it into Debian proper, being the only one
11	that complies with the Debian Free Software Guidelines.	11	that complies with the Debian Free Software Guidelines.
12		12
13	If you were expecting to get the non-free version of ssh (1.2.27 or	13	If you were expecting to get the non-free version of ssh (1.2.27 or
14	whatever) when you installed this package, please install ssh-nonfree	14	whatever) when you installed this package, then you're out of luck, as
15	instead, which is what we're now calling the non-free version.	15	Debian don't ship it.
16		16
17	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=	17	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
18		18
		19	Privilege Separation
		20	--------------------
		21
		22	As of 3.3, openssh has employed privilege separation to reduce the
		23	quantity of code that runs as root, thereby reducing the impact of
		24	some security holes in sshd.
		25
		26	Unfortunately, privilege separation interacts badly with PAM. Any PAM
		27	session modules that need to run as root (pam_mkhomedir, for example)
		28	will fail, and PAM keyboard-interactive authentication won't work.
		29
		30	Privilege separation is turned on by default, so if you decide you
		31	want it turned off, you need to add "UsePrivilegeSeparation no" to
		32	/etc/ssh/sshd_config
		33
		34	NB! If you are running a 2.0 series Linux kernel, then privilege
		35	separation will not work at all, and your sshd will fail to start
		36	unless you explicity turn privilege separation off.
		37
		38
19	PermitRootLogin set to yes	39	PermitRootLogin set to yes
20	--------------------------	40	--------------------------
21		41