Debian release 3.4p1-1.

1 files changed, 153 insertions, 0 deletions

diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..c2858d2f9
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,153 @@
+OpenSSH for Debian
+------------------
+
+Although this package is widely referred to as OpenSSH, it is actually
+a branch of an early version of ssh which has been tidied up by the
+OpenBSD folks.
+
+It has been decided that this version should have the privilege of
+carrying the ``ssh'' name in Debian, since it is the only version of
+ssh that is going to make it into Debian proper, being the only one 
+that complies with the Debian Free Software Guidelines.
+
+If you were expecting to get the non-free version of ssh (1.2.27 or
+whatever) when you installed this package, please install ssh-nonfree
+instead, which is what we're now calling the non-free version.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+PermitRootLogin set to yes
+--------------------------
+
+This is now the default setting (in line with upstream), and people
+who asked for an automatically-generated configuration file when
+upgrading from potato (or on a new install) will have this setting in
+their /etc/ssh/sshd_config file. 
+
+Should you wish to change this setting, edit /etc/ssh/sshd_config, and
+change:
+PermitRootLogin yes
+to:
+PermitRootLogin no
+
+Having PermitRootLogin set to yes means that an attacker that knows
+the root password can ssh in directly (without having to go via a user
+account). If you set it to no, then they must compromise a normal user
+account. In the vast majority of cases, this does not give added
+security; remember that any account you su to root from is equivalent
+to root - compromising this account gives an attacker access to root
+easily. If you only ever log in as root from the physical console,
+then you probably want to set this value to no.
+
+As an aside, PermitRootLogin can also be set to "without-password" or
+"forced-commands-only" - see sshd(8) for more details.
+
+DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
+
+The argument above is somewhat condensed; I have had this discussion
+at great length with many people. If you think the default is
+incorrect, and feel strongly enough to want to argue with me about it,
+then send me email to matthew@debian.org. I will close bug reports
+claiming the default is incorrect.
+
+SSH now uses protocol 2 by default
+----------------------------------
+
+This means all your keyfiles you used for protocol version 1 need to
+be re-generated. The server keys are done automatically, but for RSA
+authentication, please read the ssh-keygen manpage.
+
+If you have an automatically generated configuration file, and decide
+at a later stage that you do want to support protocol version 1 (not
+recommended, but note that the ssh client shipped with Debian potato
+only supported protocol version 1), then you need to do the following:
+
+Change /etc/ssh/sshd_config such that:
+Protocol 2
+becomes:
+Protocol 2,1
+Also add the line:
+HostKey /etc/ssh/ssh_host_key
+
+(you may need to generate a host key if you do not already have one)
+
+/usr/bin/ssh not SUID:
+----------------------
+If you have not installed debconf, you'll have missed the chance to
+install ssh SUID, which means you won't be able to do Rhosts
+authentication.  If that upsets you, use:
+
+   dpkg-statoverride 
+
+or if that's also missing, use this:
+
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+
+X11 Forwarding:
+---------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+
+Authorization Forwarding:
+-------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+
+Fallback to RSH:
+----------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+
+Problems logging in with RSA authentication:
+--------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+
+  chmod g-w ~/
+
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+
+-L option of ssh nonfree:
+-------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh. 
+
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the 
+manpage to scp itself. 
+
+Problem logging in because of TCP-Wrappers:
+-------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked. 
+
+Kerberos Authentication:
+------------------------
+ssh is compiled without support for kerberos authentication, and there are
+no current plans to support this.  Thus the KerberosAuthentication and 
+KerberosTgtPassing options will not be recognised.
+
+--
+Matthew Vernon
+<matthew@debian.org>