Debian release 3.6.1p2-1.

7 files changed, 143 insertions, 99 deletions

diff --git a/debian/README.Debian b/debian/README.Debian
index 13d005ac0..5deac15be 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -16,6 +16,9 @@ Debian don't ship it.
 
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
+UPGRADE ISSUES
+==============
+
 Privilege Separation
 --------------------
 
@@ -33,8 +36,7 @@ want it turned off, you need to add "UsePrivilegeSeparation no" to
 
 NB! If you are running a 2.0 series Linux kernel, then privilege
 separation will not work at all, and your sshd will fail to start
-unless you explicity turn privilege separation off.
-
+unless you explicitly turn privilege separation off.
 
 PermitRootLogin set to yes
 --------------------------
@@ -91,21 +93,9 @@ HostKey /etc/ssh/ssh_host_key
 
 (you may need to generate a host key if you do not already have one)
 
-/usr/bin/ssh not SUID:
-----------------------
-If you have not installed debconf, you'll have missed the chance to
-install ssh SUID, which means you won't be able to do Rhosts
-authentication.  If that upsets you, use:
-
-   dpkg-statoverride 
-
-or if that's also missing, use this:
+X11 Forwarding
+--------------
 
-   chown root.root /usr/bin/ssh
-   chmod 04755 /usr/bin/ssh
-
-X11 Forwarding:
----------------
 ssh's default for ForwardX11 has been changed to ``no'' because it has
 been pointed out that logging into remote systems administered by
 untrusted people is likely to open you up to X11 attacks, so you
@@ -117,8 +107,60 @@ host settings.
 In order for X11 forwarding to work, you need to install xauth on the
 server. In Debian this is in the xbase-clients package.
 
-Authorization Forwarding:
--------------------------
+As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
+the security risks of X11 forwarding. Look up X11UseLocalhost in
+sshd_config(8) if this is a problem.
+
+Fallback to RSH
+---------------
+
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+
+Setgid ssh-agent and environment variables
+------------------------------------------
+
+As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
+attacks retrieving private key material. This has the side-effect of causing
+glibc to remove certain environment variables which might have security
+implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
+TMPDIR.
+
+If you need to set any of these environment variables, you will need to do
+so in the program exec()ed by ssh-agent. This may involve creating a small
+wrapper script.
+
+Symlink Hostname invocation
+---------------------------
+
+This version of ssh no longer includes support for invoking ssh with the
+hostname as the name of the file run.  People wanting this support should
+use the ssh-argv0 script.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+OTHER ISSUES
+============
+
+/usr/bin/ssh not SUID
+---------------------
+
+Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
+is SUID.  Until this is fixed, if that is a problem, use:
+
+   dpkg-statoverride 
+
+or if that's also missing, use this:
+
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+
+Authorization Forwarding
+------------------------
+
 Similarly, root on a remote server could make use of your ssh-agent
 (while you're logged into their machine) to obtain access to machines
 which trust your keys.  This feature is therefore disabled by default.
@@ -126,16 +168,9 @@ You should only re-enable it for those hosts (in your ~/.ssh/config or
 /etc/ssh/ssh_config) where you are confident that the remote machine
 is not a threat.
 
-Fallback to RSH:
-----------------
-The default for this setting has been changed from Yes to No, for
-security reasons, and to stop the delay attempting to rsh to machines
-that don't offer the service.  Simply switch it back on in either
-/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
-it for.
+Problems logging in with RSA authentication
+-------------------------------------------
 
-Problems logging in with RSA authentication:
---------------------------------------------
 If you have trouble logging in with RSA authentication then the
 problem is probably caused by the fact that you have your home
 directory writable by group, as well as user (this is the default on
@@ -151,46 +186,32 @@ as yourself:
 to remove group write permissions.  If you use ssh-copy-id to install your
 keys, it does this for you.
 
--L option of ssh nonfree:
--------------------------
+-L option of ssh nonfree
+------------------------
+
 non-free ssh supported the usage of the option -L to use a non privileged
 port for scp. This option will not be supported by scp from openssh. 
 
 Please use instead scp -o "UsePrivilegedPort=no" as documented in the 
 manpage to scp itself. 
 
-Problem logging in because of TCP-Wrappers:
--------------------------------------------
+Problem logging in because of TCP-Wrappers
+------------------------------------------
+
 ssh is compiled with support for tcp-wrappers. So if you can no longer
 log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
 are configured so that ssh is not blocked. 
 
-Kerberos Authentication:
-------------------------
+Kerberos Authentication
+-----------------------
+
 ssh is compiled without support for kerberos authentication, and there are
 no current plans to support this.  Thus the KerberosAuthentication and 
 KerberosTgtPassing options will not be recognised.
 
-Setgid ssh-agent and environment variables:
--------------------------------------------
-ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace()
-attacks retrieving private key material. This has the side-effect of causing
-glibc to remove certain environment variables which might have security
-implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
-TMPDIR.
-
-If you need to set any of these environment variables, you will need to do
-so in the program exec()ed by ssh-agent. This may involve creating a small
-wrapper script.
-
-Symlink Hostname invocation:
-----------------------------
-This version of ssh no longer includes support for invoking ssh with the
-hostname as the name of the file run.  People wanting this support should
-use the ssh-argv0 script.
+Interoperability between scp and the ssh.com SSH server
+-------------------------------------------------------
 
-Interoperability between scp and the ssh.com SSH server:
---------------------------------------------------------
 In version 2 and greater of the commercial SSH server produced by SSH
 Communications Security, scp was changed to use SFTP (SSH2's file transfer
 protocol) instead of the traditional rcp-over-ssh, thereby breaking
diff --git a/debian/changelog b/debian/changelog
index cc9ad5184..ebfce0d9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,32 @@
+openssh (1:3.6.1p2-1) unstable; urgency=medium
+
+  * New upstream release, including fix for PAM user-discovery security hole
+    (closes: #191681).
+  * Fix ChallengeResponseAuthentication default in generated sshd_config
+    (closes: #106037).
+  * Put newlines after full stops in man page documentation for
+    ProtocolKeepAlives and SetupTimeOut.
+  * Policy version 3.5.9: support DEB_BUILD_OPTIONS=noopt, build
+    gnome-ssh-askpass with -g and -Wall flags.
+  * Really ask ssh/new_config debconf question before trying to fetch its
+    value (closes: #188721).
+  * On purge, remove only the files we know about in /etc/ssh rather than
+    the whole thing, and remove the directory if that leaves it empty
+    (closes: #176679).
+  * ssh has depended on debconf for some time now with no complaints, so:
+    - Simplify the postinst by relying on debconf being present. (The absent
+      case was buggy anyway.)
+    - Get rid of "if you have not installed debconf" text in README.Debian,
+      and generally update the "/usr/bin/ssh not SUID" entry.
+  * More README.Debian work:
+    - Reorganize into "UPGRADE ISSUES" and "OTHER ISSUES", in an effort to
+      make it easier for people to find the former. The upgrade issues
+      should probably be sorted by version somehow.
+    - Document X11UseLocalhost under "X11 Forwarding" (closes: #150913).
+  * Fix setting of IP flags for interactive sessions (upstream bug #541).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon,  5 May 2003 17:47:40 +0100
+
 openssh (1:3.6.1p1-1) unstable; urgency=low
 
   * New upstream release (thanks, Laurence J. Lane).
diff --git a/debian/config b/debian/config
index 7b4f85b43..c27b69590 100644
--- a/debian/config
+++ b/debian/config
@@ -39,6 +39,7 @@ if [ -e /etc/ssh/sshd_config ]
 then
     if dpkg --compare-versions "$version" lt-nl 1:1.3 ; 
     then db_input medium ssh/new_config || true
+        db_go
         db_get ssh/new_config
         if [ "$RET" = "true" ];
         then db_input medium ssh/protocol2_only ||true
diff --git a/debian/control b/debian/control
index 1cfb93d58..885a474de 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
 Priority: standard
 Maintainer: Matthew Vernon <matthew@debian.org>
 Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, groff, debhelper (>=1.1.17), sharutils
-Standards-Version: 3.5.6
+Standards-Version: 3.5.9
 Uploaders: Colin Watson <cjwatson@debian.org>
 
 Package: ssh
diff --git a/debian/postinst b/debian/postinst
index 4d3598a31..8a1c7c588 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -3,10 +3,8 @@
 action="$1"
 oldversion="$2"
 
-test -e /usr/share/debconf/confmodule && {
-  . /usr/share/debconf/confmodule
-    db_version 2.0
-}
+. /usr/share/debconf/confmodule
+db_version 2.0
 
 umask 022
 
@@ -44,11 +42,7 @@ create_key() {
 
 
 create_keys() {
-        RET=true
-        test -e /usr/share/debconf/confmodule && {
-                db_get ssh/protocol2_only
-        }
-
+        db_get ssh/protocol2_only
         if [ "$RET" = "false" ] ; then
                 create_key "Creating SSH1 key; this may take some time ..." \
                         /etc/ssh/ssh_host_key -t rsa1
@@ -64,18 +58,11 @@ create_keys() {
 create_sshdconfig() {
         if [ -e /etc/ssh/sshd_config ] ; then
             if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
-                RET=true
-                test -e /usr/share/debconf/confmodule && {
-                    db_get ssh/new_config
-                }
+                db_get ssh/new_config
                 if [ "$RET" = "false" ] ; then return 0; fi
             else return 0
             fi
         fi
-        RET=true
-        test -e /usr/share/debconf/confmodule && {
-                db_get ssh/protocol2_only
-        }
 
         #Preserve old sshd_config before generating a new on
         if [ -e /etc/ssh/sshd_config ] ; then 
@@ -92,6 +79,7 @@ Port 22
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 EOF
+        db_get ssh/protocol2_only
 if [ "$RET" = "false" ]; then
                 cat <<EOF >> /etc/ssh/sshd_config
 Protocol 2,1
@@ -110,9 +98,7 @@ HostKey /etc/ssh/ssh_host_dsa_key
 EOF
 fi
 
-test -e /usr/share/debconf/confmodule && {
-    db_get ssh/privsep_ask
-}
+db_get ssh/privsep_ask
 if [ "$RET" = "false" ]; then
     cat <<EOF >> /etc/ssh/sshd_config
 #Explicitly set PrivSep off, as requested
@@ -166,8 +152,8 @@ HostbasedAuthentication no
 # To enable empty passwords, change to yes (NOT RECOMMENDED)
 PermitEmptyPasswords no
 
-# Uncomment to disable s/key passwords 
-#ChallengeResponseAuthentication no
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
 
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication yes
@@ -253,8 +239,6 @@ setup_sshd_user() {
 }
 
 set_sshd_permissions() {
-        suid=false
-
         if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
             if [ -x /usr/sbin/dpkg-statoverride ] ; then
                 if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
@@ -263,17 +247,14 @@ set_sshd_permissions() {
             fi
         fi
 
-        [ -e /usr/share/debconf/confmodule ] && {
+        if [ ! -x /usr/sbin/dpkg-statoverride ] || \
+             ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
                 db_get ssh/SUID_client
-                suid="$RET"
-        }
-        if [ ! -x /usr/sbin/dpkg-statoverride ] || \
-             ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
-               if [ "$suid" = "false" ] ; then
-                       chmod 0755 /usr/lib/ssh-keysign
-               elif [ "$suid" = "true" ] ; then
-                       chmod 4755 /usr/lib/ssh-keysign
-               fi
+                if [ "$RET" = "false" ] ; then
+                        chmod 0755 /usr/lib/ssh-keysign
+                elif [ "$RET" = "true" ] ; then
+                        chmod 4755 /usr/lib/ssh-keysign
+                fi
         fi
 }
 
@@ -300,13 +281,8 @@ set_ssh_agent_permissions() {
 
 
 setup_startup() {
-        start=yes
-        [ -e /usr/share/debconf/confmodule ] && {
-                db_get ssh/run_sshd
-                start="$RET"
-        }
-
-        if [ "$start" != "true" ] ; then
+        db_get ssh/run_sshd
+        if [ "$RET" = "false" ] ; then
                 /etc/init.d/ssh stop 2>&1 >/dev/null
                 touch /etc/ssh/sshd_not_to_be_run
         else
@@ -336,7 +312,7 @@ setup_startup
 setup_init
 
 
-[ -e /usr/share/debconf/confmodule ] && db_stop
+db_stop
 
 exit 0
 
diff --git a/debian/postrm b/debian/postrm
index c76f662df..73eeeb463 100644
--- a/debian/postrm
+++ b/debian/postrm
@@ -4,7 +4,18 @@
 
 if [ "$1" = "purge" ]
 then
-  rm -rf /etc/ssh
+    # Remove all non-conffiles that ssh might create, so that we can
+    # smoothly remove /etc/ssh if and only if the user hasn't dropped some
+    # other files in there. Conffiles have already been removed at this
+    # point.
+    rm -f /etc/ssh/moduli /etc/ssh/primes
+    rm -f /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub
+    rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
+    rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
+    rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
+    rm -f /etc/ssh/sshd_config
+    rm -f /etc/ssh/sshd_not_to_be_run
+    rmdir --ignore-fail-on-non-empty /etc/ssh
 fi
 
 if [ "$1" = "purge" ] ; then
diff --git a/debian/rules b/debian/rules
index dcf406f24..d3dcf8df9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,6 +9,12 @@ export DH_COMPAT=1
 # This has to be exported to make some magic below work.
 export DH_OPTIONS
 
+ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+OPTFLAGS := -O2
+else
+OPTFLAGS := -O0
+endif
+
 #PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog)
 
 build: build-stamp
@@ -21,13 +27,13 @@ build-stamp:
         fi
         ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 \
                 --with-privsep-path=/var/run/sshd  --without-rand-helper
-        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
+        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
                 SSH_KEYSIGN='/usr/lib/ssh-keysign'
         # Support building on Debian 3.0 (with GNOME 1.4) and later.
         if [ -f /usr/include/libgnomeui-2.0/gnome.h ]; then \
-                $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc -O2'; \
+                $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc $(OPTFLAGS) -g -Wall'; \
         elif [ -f /usr/include/gnome-1.0/gnome.h ]; then \
-                $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'; \
+                $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc $(OPTFLAGS) -g -Wall'; \
         fi
 
         touch build-stamp