2 files changed, 29 insertions, 2 deletions

diff --git a/debian/README.Debian b/debian/README.Debian
index c2858d2f9..fd969d7c9 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -11,11 +11,31 @@ ssh that is going to make it into Debian proper, being the only one
 that complies with the Debian Free Software Guidelines.
 
 If you were expecting to get the non-free version of ssh (1.2.27 or
-whatever) when you installed this package, please install ssh-nonfree
-instead, which is what we're now calling the non-free version.
+whatever) when you installed this package, then you're out of luck, as
+Debian don't ship it.
 
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
+Privilege Separation
+--------------------
+
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd.
+
+Unfortunately, privilege separation interacts badly with PAM. Any PAM
+session modules that need to run as root (pam_mkhomedir, for example)
+will fail, and PAM keyboard-interactive authentication won't work.
+
+Privilege separation is turned on by default, so if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config
+
+NB! If you are running a 2.0 series Linux kernel, then privilege
+separation will not work at all, and your sshd will fail to start
+unless you explicity turn privilege separation off.
+
+
 PermitRootLogin set to yes
 --------------------------
 
diff --git a/debian/changelog b/debian/changelog
index 32f541a0f..f2e32f13e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:3.4p1-2) unstable; urgency=high
+
+  * Get a security-fixed version into unstable
+  * Also tidy README.Debian up a little
+
+ -- Matthew Vernon <matthew@debian.org>  Fri, 28 Jun 2002 17:20:59 +0100
+        
 openssh (1:3.4p1-1) testing; urgency=high
 
   * Extend my tendrils back into this package (Closes: #150915, #151098)