author | Colin Watson <cjwatson@debian.org> | 2017-03-05 02:05:52 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-03-05 02:11:09 +0000 |
commit | 22be89909c7578b94f1a5f733682a599b5d7c38f (patch) | |
tree | eaf0ae8330fe3094a33eb43cd69c5ee05560566e /debian | |
parent | eec09be133d0f8d4a17b5331c897f4cba3811dde (diff) | |
parent | e18d2ba71e6bf009c53e65509da84b712c300471 (diff) |
Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period (closes: #852320).
Diffstat (limited to 'debian')
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/NEWS | 12 | ||||
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches/restore-authorized_keys2.patch | 35 | ||||
-rw-r--r-- | debian/patches/series | 1 |
5 files changed, 55 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index a923bac35..78ca32622 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
@@ -1,6 +1,6 @@ | |||
1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
2 | 3f1016b4535faf6e48aa71e21569aa714a25193f | 2 | e18d2ba71e6bf009c53e65509da84b712c300471 |
3 | 3f1016b4535faf6e48aa71e21569aa714a25193f | 3 | e18d2ba71e6bf009c53e65509da84b712c300471 |
4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
6 | openssh_7.4p1.orig.tar.gz | 6 | openssh_7.4p1.orig.tar.gz |
diff --git a/debian/NEWS b/debian/NEWS index cfdf7b5e1..542603ec1 100644 --- a/debian/NEWS +++ b/debian/NEWS | |||
@@ -1,3 +1,15 @@ | |||
1 | openssh (1:7.4p1-7) UNRELEASED; urgency=medium | ||
2 | |||
3 | This version restores the default for AuthorizedKeysFile to search both | ||
4 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in | ||
5 | Debian configurations before 1:7.4p1-1. Upstream intends to phase out | ||
6 | searching ~/.ssh/authorized_keys2 by default, so you should ensure that | ||
7 | you are only using ~/.ssh/authorized_keys, at least for critical | ||
8 | administrative access; do not assume that the current default will remain | ||
9 | in place forever. | ||
10 | |||
11 | -- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000 | ||
12 | |||
1 | openssh (1:7.4p1-1) unstable; urgency=medium | 13 | openssh (1:7.4p1-1) unstable; urgency=medium |
2 | 14 | ||
3 | OpenSSH 7.4 includes a number of changes that may affect existing | 15 | OpenSSH 7.4 includes a number of changes that may affect existing |
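Review bot: The new 1:7.4p1-7 NEWS entry (added lines 3-9) does not tell administrators that restoring the two-file default also makes any keys already sitting in ~/.ssh/authorized_keys2 usable for login again. Those keys were ignored while the shipped configuration checked only ~/.ssh/authorized_keys. Suggest adding a sentence asking admins to review existing authorized_keys2 files on upgrade, and one showing how to keep the stricter behaviour by setting "AuthorizedKeysFile .ssh/authorized_keys" explicitly in sshd_config. The entry currently says what users should stop relying on but gives no way to opt out ahead of upstream's change.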
diff --git a/debian/changelog b/debian/changelog index 4be3d4b21..54b9379af 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -2,6 +2,11 @@ openssh (1:7.4p1-7) UNRELEASED; urgency=medium | |||
2 | 2 | ||
3 | * Don't set "PermitRootLogin yes" on fresh installations (regression | 3 | * Don't set "PermitRootLogin yes" on fresh installations (regression |
4 | introduced in 1:7.4p1-1; closes: #852781). | 4 | introduced in 1:7.4p1-1; closes: #852781). |
5 | * Restore reading authorized_keys2 by default. Upstream seems to intend | ||
6 | to gradually phase this out, so don't assume that this will remain the | ||
7 | default forever. However, we were late in adopting the upstream | ||
8 | sshd_config changes, so it makes sense to extend the grace period | ||
9 | (closes: #852320). | ||
5 | 10 | ||
6 | -- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000 | 11 | -- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000 |
7 | 12 | ||
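Review bot: The added changelog bullet (new lines 5-9) states the policy but not the mechanism or where the user-facing explanation lives. The change is made by commenting out the AuthorizedKeysFile override in the shipped sshd_config, so a configuration that still carries an explicit "AuthorizedKeysFile .ssh/authorized_keys" line keeps checking one file only. Suggest saying that in the bullet and adding a pointer to the matching debian/NEWS entry, so someone reading only the changelog can tell whether their host is affected.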
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch new file mode 100644 index 000000000..86da09c7e --- /dev/null +++ b/debian/patches/restore-authorized_keys2.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Sun, 5 Mar 2017 02:02:11 +0000 | ||
4 | Subject: Restore reading authorized_keys2 by default | ||
5 | |||
6 | Upstream seems to intend to gradually phase this out, so don't assume | ||
7 | that this will remain the default forever. However, we were late in | ||
8 | adopting the upstream sshd_config changes, so it makes sense to extend | ||
9 | the grace period. | ||
10 | |||
11 | Bug-Debian: https://bugs.debian.org/852320 | ||
12 | Forwarded: not-needed | ||
13 | Last-Update: 2017-03-05 | ||
14 | |||
15 | Patch-Name: restore-authorized_keys2.patch | ||
16 | --- | ||
17 | sshd_config | 5 ++--- | ||
18 | 1 file changed, 2 insertions(+), 3 deletions(-) | ||
19 | |||
20 | diff --git a/sshd_config b/sshd_config | ||
21 | index 4aea6c72..bcf3ac17 100644 | ||
22 | --- a/sshd_config | ||
23 | +++ b/sshd_config | ||
24 | @@ -36,9 +36,8 @@ | ||
25 | |||
26 | #PubkeyAuthentication yes | ||
27 | |||
28 | -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | ||
29 | -# but this is overridden so installations will only check .ssh/authorized_keys | ||
30 | -AuthorizedKeysFile .ssh/authorized_keys | ||
31 | +# Expect .ssh/authorized_keys2 to be disregarded by default in future. | ||
32 | +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 | ||
33 | |||
34 | #AuthorizedPrincipalsFile none | ||
35 | |||
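Review bot: In the sshd_config hunk (patch lines 28-32), the replacement comment no longer states what the current default is. The removed text said explicitly that both .ssh/authorized_keys and .ssh/authorized_keys2 are checked, while the new text only warns about the future and leaves the present behaviour to be inferred from the commented-out directive. Because the directive is now commented out, the effective value comes from sshd's built-in default, which the commit message says upstream intends to change. Suggest wording along the lines of "# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2; expect .ssh/authorized_keys2 to be disregarded by default in future." so that an administrator auditing the file sees the active behaviour and knows to set the directive explicitly if a fixed key file list is required.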
diff --git a/debian/patches/series b/debian/patches/series index 6eae81080..6f0004748 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -29,3 +29,4 @@ regress-forwarding-race.patch | |||
29 | regress-mktemp.patch | 29 | regress-mktemp.patch |
30 | sandbox-x32-workaround.patch | 30 | sandbox-x32-workaround.patch |
31 | no-dsa-host-key-by-default.patch | 31 | no-dsa-host-key-by-default.patch |
32 | restore-authorized_keys2.patch | ||