diff options
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/postinst | 22 |
2 files changed, 17 insertions, 11 deletions
diff --git a/debian/changelog b/debian/changelog index e7ddc918d..2af424687 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,6 +1,12 @@ | |||
1 | openssh (1:3.7.1p2-1) UNRELEASED; urgency=low | 1 | openssh (1:3.7.1p2-1) UNRELEASED; urgency=low |
2 | 2 | ||
3 | * New upstream release. | 3 | * New upstream release. |
4 | - New PAM implementation based on that in FreeBSD. This runs PAM session | ||
5 | modules before dropping privileges (closes: #150968). | ||
6 | * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older | ||
7 | than this, to maintain the standard Debian sshd configuration. | ||
8 | * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in | ||
9 | sshd_config on upgrade. Neither option is supported any more. | ||
4 | * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and | 10 | * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and |
5 | -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary. | 11 | -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary. |
6 | * Darren Tucker: | 12 | * Darren Tucker: |
diff --git a/debian/postinst b/debian/postinst index f3d4cf6d5..5d0e32fef 100644 --- a/debian/postinst +++ b/debian/postinst | |||
@@ -60,6 +60,16 @@ create_sshdconfig() { | |||
60 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | 60 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then |
61 | db_get ssh/new_config | 61 | db_get ssh/new_config |
62 | if [ "$RET" = "false" ] ; then return 0; fi | 62 | if [ "$RET" = "false" ] ; then return 0; fi |
63 | elif dpkg --compare-versions "$oldversion" lt-nl 1:3.7.1p2-1 && \ | ||
64 | ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then | ||
65 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
66 | # Debian configuration. | ||
67 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
68 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
69 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
70 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
71 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
72 | return 0 | ||
63 | else return 0 | 73 | else return 0 |
64 | fi | 74 | fi |
65 | fi | 75 | fi |
@@ -103,20 +113,11 @@ if [ "$RET" = "false" ]; then | |||
103 | cat <<EOF >> /etc/ssh/sshd_config | 113 | cat <<EOF >> /etc/ssh/sshd_config |
104 | #Explicitly set PrivSep off, as requested | 114 | #Explicitly set PrivSep off, as requested |
105 | UsePrivilegeSeparation no | 115 | UsePrivilegeSeparation no |
106 | |||
107 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
108 | # properly interface with the user | ||
109 | PAMAuthenticationViaKbdInt yes | ||
110 | EOF | 116 | EOF |
111 | else | 117 | else |
112 | cat <<EOF >> /etc/ssh/sshd_config | 118 | cat <<EOF >> /etc/ssh/sshd_config |
113 | #Privilege Separation is turned on for security | 119 | #Privilege Separation is turned on for security |
114 | UsePrivilegeSeparation yes | 120 | UsePrivilegeSeparation yes |
115 | |||
116 | # ...but breaks Pam auth via kbdint, so we have to turn it off | ||
117 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
118 | # properly interface with the user (off due to PrivSep) | ||
119 | PAMAuthenticationViaKbdInt no | ||
120 | EOF | 121 | EOF |
121 | fi | 122 | fi |
122 | 123 | ||
@@ -138,8 +139,6 @@ RSAAuthentication yes | |||
138 | PubkeyAuthentication yes | 139 | PubkeyAuthentication yes |
139 | #AuthorizedKeysFile %h/.ssh/authorized_keys | 140 | #AuthorizedKeysFile %h/.ssh/authorized_keys |
140 | 141 | ||
141 | # rhosts authentication should not be used | ||
142 | RhostsAuthentication no | ||
143 | # Don't read the user's ~/.rhosts and ~/.shosts files | 142 | # Don't read the user's ~/.rhosts and ~/.shosts files |
144 | IgnoreRhosts yes | 143 | IgnoreRhosts yes |
145 | # For this to work you will also need host keys in /etc/ssh_known_hosts | 144 | # For this to work you will also need host keys in /etc/ssh_known_hosts |
@@ -181,6 +180,7 @@ KeepAlive yes | |||
181 | 180 | ||
182 | Subsystem sftp /usr/lib/sftp-server | 181 | Subsystem sftp /usr/lib/sftp-server |
183 | 182 | ||
183 | UsePAM yes | ||
184 | EOF | 184 | EOF |
185 | } | 185 | } |
186 | 186 | ||