12 files changed, 325 insertions, 68 deletions

diff --git a/debian/README.Debian b/debian/README.Debian
index 614dd08f6..13d005ac0 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -171,6 +171,39 @@ ssh is compiled without support for kerberos authentication, and there are
 no current plans to support this.  Thus the KerberosAuthentication and 
 KerberosTgtPassing options will not be recognised.
 
+Setgid ssh-agent and environment variables:
+-------------------------------------------
+ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace()
+attacks retrieving private key material. This has the side-effect of causing
+glibc to remove certain environment variables which might have security
+implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
+TMPDIR.
+
+If you need to set any of these environment variables, you will need to do
+so in the program exec()ed by ssh-agent. This may involve creating a small
+wrapper script.
+
+Symlink Hostname invocation:
+----------------------------
+This version of ssh no longer includes support for invoking ssh with the
+hostname as the name of the file run.  People wanting this support should
+use the ssh-argv0 script.
+
+Interoperability between scp and the ssh.com SSH server:
+--------------------------------------------------------
+In version 2 and greater of the commercial SSH server produced by SSH
+Communications Security, scp was changed to use SFTP (SSH2's file transfer
+protocol) instead of the traditional rcp-over-ssh, thereby breaking
+compatibility. The OpenSSH developers regard this as a bug in the ssh.com
+server, and do not currently intend to change OpenSSH's scp to match.
+
+Workarounds for this problem are to install scp1 on the server (scp2 will
+fall back to it), to use sftp, or to use some other transfer mechanism such
+as rsync-over-ssh or tar-over-ssh.
+
 --
 Matthew Vernon
 <matthew@debian.org>
+and
+Colin Watson
+<cjwatson@debian.org>
diff --git a/debian/changelog b/debian/changelog
index 7f7fc33eb..7fb8079be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+openssh (1:3.5p1-3) unstable; urgency=low
+
+  * Happy new year!
+  * Use getent rather than id to find out whether the sshd user exists
+    (closes: #150974).
+  * Remove some duplication from the postinst's ssh-keysign setuid code.
+  * Replace db_text with db_input throughout debian/config. (db_text has
+    been a compatibility wrapper since debconf 0.1.5.)
+  * Warn about PermitUserEnvironment on upgrade (closes: #167895).
+  * Use 'make install-nokeys', and disable unused debhelper commands,
+    thereby forward-porting the last pieces of Zack Weinberg's patch
+    (closes: #68341).
+  * Move the man page for gnome-ssh-askpass from the ssh package to
+    ssh-askpass-gnome (closes: #174449).
+  * Build with -DLOGIN_NO_ENDOPT, since Debian's /bin/login doesn't accept
+    '--' to terminate the list of options (closes: #171554).
+  * Add Jonathan Amery's ssh-argv0 script (closes: #111341).
+  * Update Danish debconf template (thanks, Morten Brix Pedersen;
+    closes: #174757).
+  * Document setgid ssh-agent's effect on certain environment variables in
+    README.Debian (closes: #167974).
+  * Document interoperability problems between scp and ssh.com's server in
+    README.Debian, and suggest some workarounds (closes: #174662).
+
+ -- Colin Watson <cjwatson@debian.org>  Wed,  1 Jan 2003 14:18:30 +0000
+
 openssh (1:3.5p1-2) unstable; urgency=low
 
   * Mention in the ssh package description that it provides both ssh and
diff --git a/debian/config b/debian/config
index 0a5f42b2e..b794276fa 100644
--- a/debian/config
+++ b/debian/config
@@ -14,7 +14,7 @@ db_version 2.0
 
 if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
 then
-  db_text medium ssh/ssh2_keys_merged
+  db_input medium ssh/ssh2_keys_merged
 fi
 
 if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
@@ -43,11 +43,11 @@ then
         if [ "$RET" = "true" ];
         then db_input medium ssh/protocol2_only ||true
              db_input high ssh/privsep_ask ||true
-        else db_text high ssh/privsep_tell ||true
+        else db_input high ssh/privsep_tell ||true
         fi
-    else db_text high ssh/privsep_tell ||true
+    else db_input high ssh/privsep_tell ||true
     fi
-else db_text high ssh/privsep_tell ||true
+else db_input high ssh/privsep_tell ||true
 fi 
 
 db_input medium ssh/SUID_client || true
@@ -80,7 +80,12 @@ then
 fi
 
 
-db_text low ssh/forward_warning || true
+db_input low ssh/forward_warning || true
+
+if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then
+    db_input high ssh/user_environment_tell || true
+fi
+
 db_go
 
 exit 0
diff --git a/debian/control b/debian/control
index cb25d58ba..d10c59857 100644
--- a/debian/control
+++ b/debian/control
@@ -37,6 +37,7 @@ Section: x11
 Priority: optional
 Architecture: any
 Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4) | ssh-krb5
+Replaces: ssh (<< 1:3.5p1-3)
 Provides: ssh-askpass
 Description: under X, asks user for a passphrase for ssh-add
  This has been split out of the main ssh package, so that the ssh will
diff --git a/debian/postinst b/debian/postinst
index 41221b9d6..bd9ebd3aa 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -241,7 +241,7 @@ create_alternatives() {
 }
 
 setup_sshd_user() {
-        if ! id sshd > /dev/null 2>&1 ; then
+        if ! getent passwd | grep -q '^sshd:'; then
                 adduser --quiet --system --no-create-home --home /var/run/sshd sshd
         fi
 }
@@ -261,21 +261,13 @@ set_sshd_permissions() {
                 db_get ssh/SUID_client
                 suid="$RET"
         }
-       if [ -x /usr/sbin/dpkg-statoverride ] ; then
-               if ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
-                       if [ "$suid" = "false" ] ; then
-                               chmod 0755 /usr/lib/ssh-keysign
-                       elif [ "$suid" = "true" ] ; then
-                               chmod 4755 /usr/lib/ssh-keysign
-                       fi
-               fi
-       else
+        if [ ! -x /usr/sbin/dpkg-statoverride ] || \
+             ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
                if [ "$suid" = "false" ] ; then
                        chmod 0755 /usr/lib/ssh-keysign
                elif [ "$suid" = "true" ] ; then
                        chmod 4755 /usr/lib/ssh-keysign
                fi
-
         fi
 }
 
diff --git a/debian/rules b/debian/rules
index fb60b2270..42ecea8ef 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,7 +21,7 @@ build-stamp:
         fi
         ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-ipv4-default \
                 --with-privsep-path=/var/run/sshd  --without-rand-helper
-        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
+        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
                 SSH_KEYSIGN='/usr/lib/ssh-keysign'
         $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'
 
@@ -45,25 +45,25 @@ install: build
         dh_installdirs
 
         # Add here commands to install the package into debian/tmp.
-        $(MAKE) DESTDIR=`pwd`/debian/tmp install
+        $(MAKE) DESTDIR=`pwd`/debian/tmp install-nokeys
 
-        rm -f debian/tmp/etc/ssh/ssh_host_*key*
         rm -f debian/tmp/etc/ssh/sshd_config
         #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
         rm -f debian/tmp/usr/share/Ssh.bin
 
         install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
         install -m 644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
-        install -m 644 debian/gnome-ssh-askpass.1 debian/tmp/usr/share/man/man1/gnome-ssh-askpass.1
 
         install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
+        install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1
+
+        install -m 755 debian/ssh-argv0 debian/tmp/usr/bin/ssh-argv0
+        install -m 644 debian/ssh-argv0.1 debian/tmp/usr/share/man/man1/ssh-argv0.1
 
         install -o root -g root debian/init debian/tmp/etc/init.d/ssh
 
         install -o root -g root -m 755 -d debian/tmp/var/run/sshd
 
-        dh_movefiles
-
 # Build architecture-independent files here.
 binary-indep: build install
         # nothing to do
@@ -75,16 +75,12 @@ binary-arch: build install
         dh_installdebconf
         dh_installdocs OVERVIEW README
         cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright
-        dh_installexamples
-        dh_installmenu
         nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
         gzip -9 debian/tmp/usr/share/doc/ssh/RFC
         rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
         dh_installpam
-        dh_installcron
         dh_installchangelogs ChangeLog
         dh_strip
-        dh_link
         dh_compress
         dh_fixperms
         dh_installdeb
diff --git a/debian/ssh-argv0 b/debian/ssh-argv0
new file mode 100644
index 000000000..67599aec2
--- /dev/null
+++ b/debian/ssh-argv0
@@ -0,0 +1,30 @@
+#! /bin/sh -e
+
+# Copyright (c) 2001 Jonathan Amery.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+if [ "${0##*/}" = "ssh-argv0" ]
+then
+  echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2
+  exit 1
+fi
+exec ssh "${0##*/}" "$@"
diff --git a/debian/ssh-argv0.1 b/debian/ssh-argv0.1
new file mode 100644
index 000000000..a36a63d40
--- /dev/null
+++ b/debian/ssh-argv0.1
@@ -0,0 +1,64 @@
+.Dd September 7, 2001 
+.Dt SSH-ARGV0 1
+.Os Debian Project
+.Sh NAME
+.Nm ssh-argv0
+.Nd replaces the old ssh command-name as hostname handling
+.Sh SYNOPSIS
+.Ar hostname | user@hostname
+.Op Fl l Ar login_name
+.Op Ar command
+.Pp
+.Ar hostname | user@hostname
+.Op Fl afgknqstvxACNTX1246
+.Op Fl b Ar bind_address
+.Op Fl c Ar cipher_spec
+.Op Fl e Ar escape_char
+.Op Fl i Ar identity_file
+.Op Fl l Ar login_name
+.Op Fl m Ar mac_spec
+.Op Fl o Ar option
+.Op Fl p Ar port
+.Op Fl F Ar configfile
+.Oo Fl L Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Oo Fl R Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Op Fl D Ar port
+.Op Ar command
+.Sh DESCRIPTION
+.Nm
+replaces the old ssh command-name as hostname handling.
+If you link to this script with a hostname then executing the link is
+equivalent to having executed ssh with that hostname as an argument.
+All other arguments are passed to ssh and will be processed normally.
+.Sh OPTIONS
+See
+.Xr ssh 1 .
+.Sh FILES
+See
+.Xr ssh 1 .
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Jonathan Amery wrote this ssh-argv0 script and the associated documentation.
+.Sh SEE ALSO
+.Xr ssh 1
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs
index 6c255ea63..4d0ee7a32 100644
--- a/debian/ssh-askpass-gnome.dirs
+++ b/debian/ssh-askpass-gnome.dirs
@@ -1 +1,2 @@
-usr/lib/ssh/
+usr/lib/ssh
+usr/share/man/man1
diff --git a/debian/templates b/debian/templates
index b56f8a5ec..ea8565d29 100644
--- a/debian/templates
+++ b/debian/templates
@@ -149,3 +149,15 @@ Description: Do you want to run the sshd server ?
  If you are only interested in using the ssh client for outbound
  connections on this machine, and don't want to log into it at all
  using ssh, then you can disable sshd here.
+
+Template: ssh/user_environment_tell
+Type: note
+Description: Environment options on keys have been deprecated
+ This version of OpenSSH disables the environment option for public keys by
+ default, in order to avoid certain attacks (for example, LD_PRELOAD). If
+ you are using this option in an authorized_keys file, beware that the keys
+ in question will no longer work until the option is removed.
+ .
+ To re-enable this option, set "PermitUserEnvironment yes" in
+ /etc/ssh/sshd_config after the upgrade is complete, taking note of the
+ warning in the sshd_config(5) manual page.
diff --git a/debian/templates.da b/debian/templates.da
index c17c60039..b8fc9be18 100644
--- a/debian/templates.da
+++ b/debian/templates.da
@@ -1,3 +1,99 @@
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you want it
+ turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start unless
+ you explicitly turn privilege separation off.
+Description-da: Privilegie adskillelse
+ Denne version af OpenSSH indeholder den nye privilegie adskillelses
+ mulighed. Det reducerer markant mængden af kode der kører som root, og
+ derfor reducerer det impakten på sikkerheds huller i sshd.
+ .
+ Desværre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul
+ der skal køres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM
+ tastatur-interaktive autentifikationer vil ikke virke.
+ .
+ Privilegie adskillelse er slået til som standard, så hvis du beslutter at
+ slå det fra, skal du bruge "UsePrivilegeSeparation no" i
+ /etc/ssh/sshd_config.
+
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you, you
+ can choose whether or not to have Privilege Separation turned on or not.
+ Unless you are running 2.0 (in which case you *must* say no here or your
+ sshd won't start at all) or know you need to use PAM features that won't
+ work with this option, you should say yes here.
+Description-da: Aktiver Privilegie adskillelse
+ Denne version af OpenSSH indeholder den nye privilegie adskillelses
+ mulighed. Det reducerer markant mængden af kode der kører som root, og
+ derfor reducerer det impakten på sikkerheds huller i sshd.
+ .
+ Desværre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul
+ der skal køres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM
+ tastatur-interaktive autentifikationer vil ikke virke.
+ .
+ Siden du har bedt mig om at lave en sshd_config fil til dig, kan du vælge
+ om du vil have privilegie adskillelse slået til eller ej. Medmindre du
+ kører 2.0 (i hvilket tilfælde du *skal* sige nej her, ellers vil din sshd
+ slet ikke starte) eller ved at du skal bruge PAM funktioner som ikke vil
+ virke med dette tilvalg, skal du sige ja her.
+
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from
+ the version shipped in Debian 'Potato', which you appear to be upgrading
+ from. I can now generate you a new configuration file
+ (/etc/ssh/sshd.config), which will work with the new server version, but
+ will not contain any customisations you made with the old version.
+ .
+ Please note that this new configuration file will set the value of
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password
+ can ssh directly in as root). It is the opinion of the maintainer that
+ this is the correct default (see README.Debian for more details), but you
+ can always edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration
+ file for you.
+Description-da: Opret ny konfigurations fil
+ Denne version af OpenSSH har en betydeligt ændret konfigurations fil fra
+ den version der kom med Debian 'Potato', som du ser ud til at opgradere fra.
+ Jeg kan nu oprette en ny konfigurations fil (//etc/ssh/sshd.config), som
+ vil virke med den nye server version, men det vil ikke beholde eventuelle
+ ændringer du lavede med den gamle version.
+ .
+ Venligst bemærk at den nye konfigurations fil vil sætte værdien af
+ 'PermitRootLogin' til ja (som betyder at alle der kender roots password,
+ kan tilgå maskinen via ssh direkte). Det er vedligeholderens mening, at det
+ er den korrekte standard-værdi (se README.Debian for flere detaljer), men
+ du kan altid redigere sshd_config og slå det fra, hvis du ønsker.
+ .
+ Du rådes stærkt til at lade mig genere en ny konfigurations fil for dig.
+
 Template: ssh/protocol2_only
 Type: boolean
 Default: true
@@ -5,19 +101,30 @@ Description: Allow SSH protocol 2 only
  This version of OpenSSH supports version 2 of the ssh protocol, which is
  much more secure.  Disabling ssh 1 is encouraged, however this will slow
  things down on low end machines and might prevent older clients from
- connecting.
+ connecting (the ssh client shipped with "potato" is affected).
  .
  Also please note that keys used for protocol 1 are different so you will
  not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has
+ instructions on what to do to your sshd_config file.
 Description-da: Tillad kun SSH protokol 2
  Denne udgave af OpenSSH understøtter version 2 af ssh-protokollen, som er
  betydeligt mere sikker. Det anbefales af deaktivere version 1. Dog kan det
- sløve langsomme maskiner, og forhindre ældre klienter i at opnå forbindelse.
+ sløve langsomme maskiner, og forhindre ældre klienter i at opnå
+ forbindelse (ssh klienten der kommer med "potato" er en af dem).
+ .
+ Du skal også bemærke at de nøgler som bliver anvendt til protokol 1 er
+ forskellige, så du vil ikke ævre i stand til at bruge dem, hvis du kun
+ tillader protokol 2 forbindelser.
+ .
+ Hvis du senere ændrer din mening om denne indstilling, har README.Debian
+ instruktioner på hvad du skal gøre ved din sshd_config fil.
 
 Template: ssh/ssh2_keys_merged
 Type: note
 Description: ssh2 keys merged in configuration files
- As of version 3 OpenSSH no longer uses seperate files for ssh1 and ssh2
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
  keys. This means the authorized_keys2 and known_hosts2 files are no longer
  needed. They will still be read in order to maintain backwards
  compatibility
@@ -38,14 +145,13 @@ Description: Do you want to continue (and risk killing active ssh sessions) ?
  You can fix this by adding "--pidfile /var/run/sshd.pid" to the
  start-stop-daemon line in the stop section of the file.
 Description-da: Vil du fortsætte (og risikere at afbryde aktive ssh-forbindelser)?
- Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis afbryde
- alle sshd-dæmoner. Det vil være en rigtigt dårlig idé, hvis du er ved at
- opgradering via en ssh-forbindelse.
+ Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis
+ afbryde alle sshd-dæmoner. Det vil være en rigtigt dårlig idé, hvis du er
+ ved at opgradering via en ssh-forbindelse.
  .
  Du kan afhjælpe dette ved at tilføje "--pidfile /var/run/sshd.pid" til
  'start-stop-daemon'-linjen i stop-afsnittet af filen.
 
-
 Template: ssh/forward_warning
 Type: note
 Description: NOTE: Forwarding of X11 and Authorization disabled by default.
@@ -57,8 +163,8 @@ Description: NOTE: Forwarding of X11 and Authorization disabled by default.
  .
  More details can be found in /usr/share/doc/ssh/README.Debian
 Description-da: BEMÆRK: Videregivelse af X11 og adgangkontrol er som standard deaktiveret.
- Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og ForwardAgent
- til 'off' som standard.
+ Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og
+ ForwardAgent til 'off' som standard.
  .
  Du kan aktivere dem for servere, du stoler på i en af opsætningsfilerne
  eller med kommandolinjetilvalget '-X'.
@@ -82,10 +188,11 @@ Description: Warning: telnetd is installed --- probably not a good idea
  least some chance that telnet sessions will not be sending unencrypted
  login/password and session information over the network.
 Description-da: Advarsel: telnetd er installeret --- sikkert ikke en god idé
- Jeg vil råde dig til enten at fjerne pakken telnetd (hvis du i virkeligheden
- ikke har brug for at tilbyde telnet-adgang) eller installere telnetd-ssl, så
- der i det mindste er en mulighed for, at telnet-sessioner ikke sender
- adgangskoder og sessions-oplysninger ukrypteret over netværket.
+ Jeg vil råde dig til enten at fjerne pakken telnetd (hvis du i
+ virkeligheden ikke har brug for at tilbyde telnet-adgang) eller installere
+ telnetd-ssl, så der i det mindste er en mulighed for, at telnet-sessioner
+ ikke sender adgangskoder og sessions-oplysninger ukrypteret over
+ netværket.
 
 Template: ssh/encrypted_host_key_but_no_keygen
 Type: note
@@ -102,37 +209,26 @@ Description-da: Advarsel: du skal oprette en ny værtsnøgle
 
 Template: ssh/SUID_client
 Type: boolean
-Default: false
-Description: Do you want /usr/bin/ssh to be installed SUID root?
- You have the option of installing the ssh client with the SUID bit set.
- .
- If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
- authentication, but will not be able to use socks via the LD_PRELOAD
- trick.  This is the traditional approach.
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID bit
+ set.
  .
- If you do not make ssh SUID, you will be able to use socks, but
- Rhosts/RhostsRSA authentication will stop working, which may stop you
- logging in to remote systems.  It will also mean that the source port will
- be above 1024, which may confound firewall rules you've set up.
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
  .
  If in doubt, I suggest you install it with SUID.  If it causes problems
- you can change your mind later by running:   dpkg-reconfigure ssh 
-Description-da: Vil du have, at /usr/bin/ssh bliver installeret 'SUID root'?
- Du har mulighed for at installere ssh-klienten med SUID-flaget sat.
- .
- Hvis du gør ssh SUID, vil du kunne bruge adgangskontrollen
- Rhosts/RhostsRSA, men vil ikke kunne bruge socks med LD_PRELOAD-tricket.
- Det vil være den almindelige fremgangsmåde.
- .
- Hvis du ikke gør ssh SUID, vil du kunne bruge socks, men adgangskontrol
- med Rhosts/RhostRSA vil holde op med at virke, hvilket kan forhindre dig
- i at logge ind på fjerne systemer. Det vil også betyde, at kildeporten
- vil ligge over 1024, hvilket kan kollidere med eventuelle brandmure, du
- har sat op.
- .
- Hvis du er i tvivl, foreslår jeg, at du installerer den med SUID. Hvis det
- giver problemer, kan du senere ombestemme dig ved at køre:
- 'dpkg-reconfigure ssh'.
+ you can change your mind later by running:   dpkg-reconfigure ssh
+Description-da: Vil du have, at /usr/bin/ssh-keysign bliver installeret 'SUID root'?
+ Du har mulighed for at installere ssh-keysign hjælperen med SUID-flaget
+ sat.
+ .
+ Hvis du gør ssh-keysign SUID, vil du blive i stand til at benytte SSH
+ protokol 2's værtsnavn-baserede autentifikation.
+ .
+ Hvis du er i tvivl, vil jeg råde dig til at installere den med SUID. Hvis
+ det skaber problemer, kan du ændre det tilbage igen ved at køre:
+ dpkg-reconfigure ssh
 
 Template: ssh/run_sshd
 Type: boolean
diff --git a/ssh.1 b/ssh.1
index d8999da48..ed2cbecb5 100644
--- a/ssh.1
+++ b/ssh.1
@@ -971,6 +971,7 @@ protocol versions 1.5 and 2.0.
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
+.Xr ssh-argv0 1 ,
 .Xr ssh-keygen 1 ,
 .Xr telnet 1 ,
 .Xr ssh_config 5 ,