8 files changed, 86 insertions, 36 deletions
diff --git a/debian/changelog b/debian/changelog
index 7fb8079be..b4d6b4258 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,32 @@
+openssh (1:3.5p1-4) unstable; urgency=low
+  * Point rlogin and rcp alternatives at slogin and scp respectively rather
+    than ssh (closes: #121103, #151666). Fix alternative removal to match;
+    previously it was completely wrong anyway.
+  * Find out whether /etc/ssh/sshd_not_to_be_run exists and set the debconf
+    question's default using that information, rather than using debconf as
+    a registry. Other solutions may be better in the long run, but this is
+    at least correct (thanks, Matthew Woodcraft; closes: #84725).
+  * Stop using pam_lastlog, as it doesn't currently work well as a session
+    module when privilege separation is enabled; it can usually read
+    /var/log/lastlog but can't write to it. Instead, just use sshd's
+    built-in support, already enabled by default (closes: #151297, #169938).
+  * Use 'ssh-keygen -q' rather than redirecting output to /dev/null.
+  * Add a "this may take some time" warning when creating host keys on
+    installation (part of #110094).
+  * When restarting via the init script, check for sshd_not_to_be_run after
+    stopping sshd (idea from Tomas Pospisek; closes: #149850).
+  * Append /usr/sbin:/sbin to the init script's $PATH, just in case of
+    strangeness (closes: #115138).
+  * Fix a dpkg-statoverride call to redirect stdout to /dev/null, not
+    stderr.
+  * Correct copyright file typo: "orignal" -> "original" (closes: #176490).
+  * Rebuild with libssl0.9.7 (closes: #176983).
+  * We're up to policy version 3.5.6. DEB_BUILD_OPTIONS stuff still needs to
+    be looked at.
+ -- Colin Watson <cjwatson@debian.org>  Sat, 18 Jan 2003 01:37:23 +0000
 openssh (1:3.5p1-3) unstable; urgency=low
  * Happy new year!
diff --git a/debian/config b/debian/config
index b794276fa..7b4f85b43 100644
--- a/debian/config
+++ b/debian/config
@@ -52,6 +52,14 @@ fi
 db_input medium ssh/SUID_client || true
+# To be correct during initial installation, this relies on the desired
+# default for run_sshd being "true".
+if [ -e /etc/ssh/sshd_not_to_be_run ]
+then
+    db_set ssh/run_sshd false
+else
+    db_set ssh/run_sshd true
+fi
 db_input medium ssh/run_sshd || true
 if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf
diff --git a/debian/control b/debian/control
index d10c59857..034286457 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
 Priority: standard
 Maintainer: Matthew Vernon <matthew@debian.org>
 Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnome-dev, groff, debhelper (>=1.1.17), sharutils
-Standards-Version: 3.5.2
+Standards-Version: 3.5.6
 Uploaders: Colin Watson <cjwatson@debian.org>
 Package: ssh
diff --git a/debian/copyright.head b/debian/copyright.head
index 1e1282f98..5bd397447 100644
--- a/debian/copyright.head
+++ b/debian/copyright.head
@@ -30,7 +30,7 @@ X11-style license (see source file for details).
 make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>,
 and is distributed under the GPL (see source file for details).
-The copyright for the orignal SSH version follows.  It has been
+The copyright for the original SSH version follows.  It has been
 modified with [comments] to reflect the changes that the OpenBSD folks
 have made:
diff --git a/debian/init b/debian/init
index fe59584e6..ea39a8bd0 100644
--- a/debian/init
+++ b/debian/init
@@ -5,25 +5,32 @@
 test -x /usr/sbin/sshd || exit 0
 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
-# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
+check_for_no_start() {
-if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
+    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
-    echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
+    if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
-    exit 0
+        echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
-fi
+        exit 0
+    fi
+}
+check_privsep_dir() {
+    # Create the PrivSep empty dir if necessary
+    if [ ! -d /var/run/sshd ]; then
+        mkdir /var/run/sshd
+        chmod 0755 /var/run/sshd
+    fi
+}
 check_config() {
        /usr/sbin/sshd -t || exit 1
 }
-# Configurable options:
+export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
 case "$1" in
  start)
-        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+        check_for_no_start
-#Create the PrivSep empty dir if necessary
+        check_privsep_dir
-        if [ ! -d /var/run/sshd ]; then
-            mkdir /var/run/sshd; chmod 0755 /var/run/sshd
-        fi
        echo -n "Starting OpenBSD Secure Shell server: sshd"
        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
        echo "."
@@ -35,7 +42,7 @@ case "$1" in
        ;;
  reload|force-reload)
-        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+        check_for_no_start
        check_config
        echo -n "Reloading OpenBSD Secure Shell server's configuration"
        start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
@@ -43,10 +50,11 @@ case "$1" in
        ;;
  restart)
-        test -f /etc/ssh/sshd_not_to_be_run && exit 0
        check_config
        echo -n "Restarting OpenBSD Secure Shell server: sshd"
        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
+        check_for_no_start
+        check_privsep_dir
        sleep 2
        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
        echo "."
diff --git a/debian/postinst b/debian/postinst
index bd9ebd3aa..4d3598a31 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -37,7 +37,7 @@ create_key() {
        if [ ! -f "$file" ] ; then
                echo -n $msg
-                ssh-keygen -f "$file" -N '' "$@" > /dev/null
+                ssh-keygen -q -f "$file" -N '' "$@"
                echo
        fi
 }
@@ -50,11 +50,14 @@ create_keys() {
        }
        if [ "$RET" = "false" ] ; then
-                create_key "Creating SSH1 key" /etc/ssh/ssh_host_key -t rsa1
+                create_key "Creating SSH1 key; this may take some time ..." \
+                        /etc/ssh/ssh_host_key -t rsa1
        fi
-        create_key "Creating SSH2 RSA key" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 RSA key; this may take some time ..." \
-        create_key "Creating SSH2 DSA key" /etc/ssh/ssh_host_dsa_key -t dsa
+                /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key; this may take some time ..." \
+                /etc/ssh/ssh_host_dsa_key -t dsa
 }
@@ -182,7 +185,7 @@ PasswordAuthentication yes
 X11Forwarding no
 X11DisplayOffset 10
 PrintMotd no
-#PrintLastLog no
+PrintLastLog yes
 KeepAlive yes
 #UseLogin no
@@ -219,7 +222,7 @@ fix_rsh_diversion() {
 fix_statoverride() {
 # Remove an erronous override for sshd (we should have overridden ssh)
        if [ -x /usr/sbin/dpkg-statoverride ]; then
-                if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
+                if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then
                        dpkg-statoverride --remove /usr/sbin/sshd
                fi
        fi
@@ -227,17 +230,20 @@ fix_statoverride() {
 create_alternatives() {
-# Create alternatives for the various r* tools
+# Create alternatives for the various r* tools.
 # Make sure we don't change existing alternatives that a user might have
-# changed
+# changed, but clean up after some old alternatives that mistakenly pointed
-        for cmd in rsh rlogin rcp ; do
+# rlogin and rcp to ssh.
-                if ! update-alternatives --display $cmd | \
+        update-alternatives --quiet --remove rlogin /usr/bin/ssh
-                                grep -q ssh ; then
+        update-alternatives --quiet --remove rcp /usr/bin/ssh
-                        update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
+        for cmd in rsh rlogin rcp; do
-                                --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
+                scmd="s${cmd#r}"
+                if ! update-alternatives --display "$cmd" | \
+                                grep -q "$scmd"; then
+                        update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
+                                --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
                fi
        done
-        
 }
 setup_sshd_user() {
diff --git a/debian/prerm b/debian/prerm
index 17aa45e1f..8ed7e07ec 100644
--- a/debian/prerm
+++ b/debian/prerm
@@ -17,12 +17,12 @@ set -e
 case "$1" in
    remove|deconfigure)
-        update-alternatives --quiet --remove ssh /usr/bin/ssh
+        update-alternatives --quiet --remove rsh /usr/bin/ssh
-        update-alternatives --quiet --remove ssh /usr/bin/slogin
+        update-alternatives --quiet --remove rlogin /usr/bin/slogin
-        update-alternatives --quiet --remove ssh /usr/bin/scp
+        update-alternatives --quiet --remove rcp /usr/bin/scp
-    if [ -e /etc/init.d/ssh ]; then
+        if [ -e /etc/init.d/ssh ]; then
-        /etc/init.d/ssh stop
+                /etc/init.d/ssh stop
-    fi
+        fi
 #       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
        ;;
    upgrade)
diff --git a/debian/ssh.pam b/debian/ssh.pam
index a4478cf4a..f6fbd3ebc 100644
--- a/debian/ssh.pam
+++ b/debian/ssh.pam
@@ -6,7 +6,6 @@ auth       required     pam_env.so # [1]
 account    required     pam_unix.so
 session    required     pam_unix.so
-session    optional     pam_lastlog.so # [1]
 session    optional     pam_motd.so # [1]
 session    optional     pam_mail.so standard noenv # [1]
 session    required     pam_limits.so