6 files changed, 57 insertions, 5 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index a923bac35..78ca32622 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff --git a/debian/NEWS b/debian/NEWS
index cfdf7b5e1..542603ec1 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) UNRELEASED; urgency=medium
+  This version restores the default for AuthorizedKeysFile to search both
+  ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+  Debian configurations before 1:7.4p1-1.  Upstream intends to phase out
+  searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+  you are only using ~/.ssh/authorized_keys, at least for critical
+  administrative access; do not assume that the current default will remain
+  in place forever.
+ -- Colin Watson <cjwatson@debian.org>  Sun, 29 Jan 2017 11:39:05 +0000
 openssh (1:7.4p1-1) unstable; urgency=medium
  OpenSSH 7.4 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index 4be3d4b21..54b9379af 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,11 @@ openssh (1:7.4p1-7) UNRELEASED; urgency=medium
  * Don't set "PermitRootLogin yes" on fresh installations (regression
    introduced in 1:7.4p1-1; closes: #852781).
+  * Restore reading authorized_keys2 by default.  Upstream seems to intend
+    to gradually phase this out, so don't assume that this will remain the
+    default forever.  However, we were late in adopting the upstream
+    sshd_config changes, so it makes sense to extend the grace period
+    (closes: #852320).
 -- Colin Watson <cjwatson@debian.org>  Sun, 29 Jan 2017 11:39:05 +0000
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
new file mode 100644
index 000000000..86da09c7e
--- /dev/null
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 5 Mar 2017 02:02:11 +0000
+Subject: Restore reading authorized_keys2 by default
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever.  However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+Patch-Name: restore-authorized_keys2.patch
+---
+ sshd_config | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
+++ b/sshd_config
+@@ -36,9 +36,8 @@
+ 
+ #PubkeyAuthentication yes
+ 
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile     .ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2
+ 
+ #AuthorizedPrincipalsFile none
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 6eae81080..6f0004748 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@ regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
+restore-authorized_keys2.patch
diff --git a/sshd_config b/sshd_config
index 4aea6c729..bcf3ac178 100644
--- a/sshd_config
+++ b/sshd_config
@@ -36,9 +36,8 @@
 #PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-# but this is overridden so installations will only check .ssh/authorized_keys
+#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
-AuthorizedKeysFile      .ssh/authorized_keys
 #AuthorizedPrincipalsFile none

diff --git a/debian/.git-dpm b/debian/.git-dpm index a923bac35..78ca32622 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	3f1016b4535faf6e48aa71e21569aa714a25193f	2	e18d2ba71e6bf009c53e65509da84b712c300471
3	3f1016b4535faf6e48aa71e21569aa714a25193f	3	e18d2ba71e6bf009c53e65509da84b712c300471
4	971a7653746a6972b907dfe0ce139c06e4a6f482	4	971a7653746a6972b907dfe0ce139c06e4a6f482
5	971a7653746a6972b907dfe0ce139c06e4a6f482	5	971a7653746a6972b907dfe0ce139c06e4a6f482
6	openssh_7.4p1.orig.tar.gz	6	openssh_7.4p1.orig.tar.gz


diff --git a/debian/NEWS b/debian/NEWS index cfdf7b5e1..542603ec1 100644 --- a/debian/NEWS +++ b/debian/NEWS
@@ -1,3 +1,15 @@
		1	openssh (1:7.4p1-7) UNRELEASED; urgency=medium
		2
		3	This version restores the default for AuthorizedKeysFile to search both
		4	~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
		5	Debian configurations before 1:7.4p1-1. Upstream intends to phase out
		6	searching ~/.ssh/authorized_keys2 by default, so you should ensure that
		7	you are only using ~/.ssh/authorized_keys, at least for critical
		8	administrative access; do not assume that the current default will remain
		9	in place forever.
		10
		11	-- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000
		12
1	openssh (1:7.4p1-1) unstable; urgency=medium	13	openssh (1:7.4p1-1) unstable; urgency=medium
2		14
3	OpenSSH 7.4 includes a number of changes that may affect existing	15	OpenSSH 7.4 includes a number of changes that may affect existing


diff --git a/debian/changelog b/debian/changelog index 4be3d4b21..54b9379af 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -2,6 +2,11 @@ openssh (1:7.4p1-7) UNRELEASED; urgency=medium
2		2
3	* Don't set "PermitRootLogin yes" on fresh installations (regression	3	* Don't set "PermitRootLogin yes" on fresh installations (regression
4	introduced in 1:7.4p1-1; closes: #852781).	4	introduced in 1:7.4p1-1; closes: #852781).
		5	* Restore reading authorized_keys2 by default. Upstream seems to intend
		6	to gradually phase this out, so don't assume that this will remain the
		7	default forever. However, we were late in adopting the upstream
		8	sshd_config changes, so it makes sense to extend the grace period
		9	(closes: #852320).
5		10
6	-- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000	11	-- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000
7		12


diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch new file mode 100644 index 000000000..86da09c7e --- /dev/null +++ b/debian/patches/restore-authorized_keys2.patch
@@ -0,0 +1,35 @@
		1	From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Sun, 5 Mar 2017 02:02:11 +0000
		4	Subject: Restore reading authorized_keys2 by default
		5
		6	Upstream seems to intend to gradually phase this out, so don't assume
		7	that this will remain the default forever. However, we were late in
		8	adopting the upstream sshd_config changes, so it makes sense to extend
		9	the grace period.
		10
		11	Bug-Debian: https://bugs.debian.org/852320
		12	Forwarded: not-needed
		13	Last-Update: 2017-03-05
		14
		15	Patch-Name: restore-authorized_keys2.patch
		16	---
		17	sshd_config \| 5 ++---
		18	1 file changed, 2 insertions(+), 3 deletions(-)
		19
		20	diff --git a/sshd_config b/sshd_config
		21	index 4aea6c72..bcf3ac17 100644
		22	--- a/sshd_config
		23	+++ b/sshd_config
		24	@@ -36,9 +36,8 @@
		25
		26	#PubkeyAuthentication yes
		27
		28	-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
		29	-# but this is overridden so installations will only check .ssh/authorized_keys
		30	-AuthorizedKeysFile .ssh/authorized_keys
		31	+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
		32	+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
		33
		34	#AuthorizedPrincipalsFile none
		35


diff --git a/debian/patches/series b/debian/patches/series index 6eae81080..6f0004748 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -29,3 +29,4 @@ regress-forwarding-race.patch
29	regress-mktemp.patch	29	regress-mktemp.patch
30	sandbox-x32-workaround.patch	30	sandbox-x32-workaround.patch
31	no-dsa-host-key-by-default.patch	31	no-dsa-host-key-by-default.patch
		32	restore-authorized_keys2.patch


diff --git a/sshd_config b/sshd_config index 4aea6c729..bcf3ac178 100644 --- a/sshd_config +++ b/sshd_config
@@ -36,9 +36,8 @@
36		36
37	#PubkeyAuthentication yes	37	#PubkeyAuthentication yes
38		38
39	# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2	39	# Expect .ssh/authorized_keys2 to be disregarded by default in future.
40	# but this is overridden so installations will only check .ssh/authorized_keys	40	#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
41	AuthorizedKeysFile .ssh/authorized_keys
42		41
43	#AuthorizedPrincipalsFile none	42	#AuthorizedPrincipalsFile none
44		43