summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog6
-rw-r--r--debian/postinst22
2 files changed, 17 insertions, 11 deletions
diff --git a/debian/changelog b/debian/changelog
index e7ddc918d..2af424687 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
1openssh (1:3.7.1p2-1) UNRELEASED; urgency=low 1openssh (1:3.7.1p2-1) UNRELEASED; urgency=low
2 2
3 * New upstream release. 3 * New upstream release.
4 - New PAM implementation based on that in FreeBSD. This runs PAM session
5 modules before dropping privileges (closes: #150968).
6 * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older
7 than this, to maintain the standard Debian sshd configuration.
8 * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in
9 sshd_config on upgrade. Neither option is supported any more.
4 * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and 10 * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and
5 -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary. 11 -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary.
6 * Darren Tucker: 12 * Darren Tucker:
diff --git a/debian/postinst b/debian/postinst
index f3d4cf6d5..5d0e32fef 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -60,6 +60,16 @@ create_sshdconfig() {
60 if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then 60 if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
61 db_get ssh/new_config 61 db_get ssh/new_config
62 if [ "$RET" = "false" ] ; then return 0; fi 62 if [ "$RET" = "false" ] ; then return 0; fi
63 elif dpkg --compare-versions "$oldversion" lt-nl 1:3.7.1p2-1 && \
64 ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
65 # Upgrade from pre-3.7: UsePAM needed to maintain standard
66 # Debian configuration.
67 cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
68 perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
69 /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
70 echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
71 mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
72 return 0
63 else return 0 73 else return 0
64 fi 74 fi
65 fi 75 fi
@@ -103,20 +113,11 @@ if [ "$RET" = "false" ]; then
103 cat <<EOF >> /etc/ssh/sshd_config 113 cat <<EOF >> /etc/ssh/sshd_config
104#Explicitly set PrivSep off, as requested 114#Explicitly set PrivSep off, as requested
105UsePrivilegeSeparation no 115UsePrivilegeSeparation no
106
107# Use PAM authentication via keyboard-interactive so PAM modules can
108# properly interface with the user
109PAMAuthenticationViaKbdInt yes
110EOF 116EOF
111else 117else
112 cat <<EOF >> /etc/ssh/sshd_config 118 cat <<EOF >> /etc/ssh/sshd_config
113#Privilege Separation is turned on for security 119#Privilege Separation is turned on for security
114UsePrivilegeSeparation yes 120UsePrivilegeSeparation yes
115
116# ...but breaks Pam auth via kbdint, so we have to turn it off
117# Use PAM authentication via keyboard-interactive so PAM modules can
118# properly interface with the user (off due to PrivSep)
119PAMAuthenticationViaKbdInt no
120EOF 121EOF
121fi 122fi
122 123
@@ -138,8 +139,6 @@ RSAAuthentication yes
138PubkeyAuthentication yes 139PubkeyAuthentication yes
139#AuthorizedKeysFile %h/.ssh/authorized_keys 140#AuthorizedKeysFile %h/.ssh/authorized_keys
140 141
141# rhosts authentication should not be used
142RhostsAuthentication no
143# Don't read the user's ~/.rhosts and ~/.shosts files 142# Don't read the user's ~/.rhosts and ~/.shosts files
144IgnoreRhosts yes 143IgnoreRhosts yes
145# For this to work you will also need host keys in /etc/ssh_known_hosts 144# For this to work you will also need host keys in /etc/ssh_known_hosts
@@ -181,6 +180,7 @@ KeepAlive yes
181 180
182Subsystem sftp /usr/lib/sftp-server 181Subsystem sftp /usr/lib/sftp-server
183 182
183UsePAM yes
184EOF 184EOF
185} 185}
186 186