Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older

than this, to maintain the standard Debian sshd configuration. Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in sshd_config on upgrade. Neither option is supported any more.
author: Colin Watson <cjwatson@debian.org> 2004-02-22 17:23:06 +0000
committer: Colin Watson <cjwatson@debian.org> 2004-02-22 17:23:06 +0000
commit: e7543fec567f746f56936475a7db9cffb947d7e2 (patch)
tree: 3508d05a8ee614b7d23a5c7716099e4e2501f2a8 /debian
parent: 25c1926976afaf66e12c125d698adf301de0dc5c (diff)
2 files changed, 17 insertions, 11 deletions
diff --git a/debian/changelog b/debian/changelog
index e7ddc918d..2af424687 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
 openssh (1:3.7.1p2-1) UNRELEASED; urgency=low
  * New upstream release.
+    - New PAM implementation based on that in FreeBSD. This runs PAM session
+      modules before dropping privileges (closes: #150968).
+  * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older
+    than this, to maintain the standard Debian sshd configuration.
+  * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in
+    sshd_config on upgrade. Neither option is supported any more.
  * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and
    -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary.
  * Darren Tucker:
diff --git a/debian/postinst b/debian/postinst
index f3d4cf6d5..5d0e32fef 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -60,6 +60,16 @@ create_sshdconfig() {
            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
                db_get ssh/new_config
                if [ "$RET" = "false" ] ; then return 0; fi
+            elif dpkg --compare-versions "$oldversion" lt-nl 1:3.7.1p2-1 && \
+                 ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
+                # Upgrade from pre-3.7: UsePAM needed to maintain standard
+                # Debian configuration.
+                cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+                perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
+                    /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
+                echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
+                mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
+                return 0
            else return 0
            fi
        fi
@@ -103,20 +113,11 @@ if [ "$RET" = "false" ]; then
    cat <<EOF >> /etc/ssh/sshd_config
 #Explicitly set PrivSep off, as requested
 UsePrivilegeSeparation no
-# Use PAM authentication via keyboard-interactive so PAM modules can
-# properly interface with the user
-PAMAuthenticationViaKbdInt yes
 EOF
 else
        cat <<EOF >> /etc/ssh/sshd_config
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
-# ...but breaks Pam auth via kbdint, so we have to turn it off
-# Use PAM authentication via keyboard-interactive so PAM modules can
-# properly interface with the user (off due to PrivSep)
-PAMAuthenticationViaKbdInt no
 EOF
 fi
@@ -138,8 +139,6 @@ RSAAuthentication yes
 PubkeyAuthentication yes
 #AuthorizedKeysFile     %h/.ssh/authorized_keys
-# rhosts authentication should not be used
-RhostsAuthentication no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh_known_hosts
@@ -181,6 +180,7 @@ KeepAlive yes
 Subsystem       sftp    /usr/lib/sftp-server
+UsePAM yes
 EOF
 }
author	Colin Watson <cjwatson@debian.org>	2004-02-22 17:23:06 +0000
committer	Colin Watson <cjwatson@debian.org>	2004-02-22 17:23:06 +0000
commit	e7543fec567f746f56936475a7db9cffb947d7e2 (patch)
tree	3508d05a8ee614b7d23a5c7716099e4e2501f2a8 /debian
parent	25c1926976afaf66e12c125d698adf301de0dc5c (diff)