diff options
172 files changed, 22122 insertions, 82 deletions
diff --git a/.bzrignore b/.bzrignore new file mode 100644 index 000000000..0f130a704 --- /dev/null +++ b/.bzrignore | |||
@@ -0,0 +1,51 @@ | |||
1 | ./.pc | ||
2 | ./*.out | ||
3 | ./Makefile | ||
4 | ./autom4te.cache | ||
5 | ./build-deb | ||
6 | ./build-deb-stamp | ||
7 | ./build-udeb | ||
8 | ./build-udeb-stamp | ||
9 | ./buildit.sh | ||
10 | ./buildpkg.sh | ||
11 | ./config.cache | ||
12 | ./config.h | ||
13 | ./config.log | ||
14 | ./config.status | ||
15 | ./openssh.xml | ||
16 | ./opensshd.init | ||
17 | ./scp | ||
18 | ./sftp | ||
19 | ./sftp-server | ||
20 | ./ssh | ||
21 | ./ssh-add | ||
22 | ./ssh-agent | ||
23 | ./ssh-keygen | ||
24 | ./ssh-keyscan | ||
25 | ./ssh-keysign | ||
26 | ./ssh-rand-helper | ||
27 | ./ssh_prng_cmds | ||
28 | ./sshd | ||
29 | ./stamp-h.in | ||
30 | ./survey | ||
31 | ./survey.sh | ||
32 | contrib/gnome-ssh-askpass1 | ||
33 | contrib/gnome-ssh-askpass2 | ||
34 | openbsd-compat/Makefile | ||
35 | scard/Makefile | ||
36 | debian/*.debhelper* | ||
37 | debian/*substvars | ||
38 | debian/copyright | ||
39 | debian/files | ||
40 | debian/openssh-client | ||
41 | debian/openssh-client-udeb | ||
42 | debian/openssh-server | ||
43 | debian/openssh-server-udeb | ||
44 | debian/ssh | ||
45 | debian/ssh-askpass-gnome | ||
46 | debian/ssh-krb5 | ||
47 | debian/tests/key1 | ||
48 | debian/tests/key1.pub | ||
49 | debian/tests/key2 | ||
50 | debian/tests/key2.pub | ||
51 | debian/tmp | ||
diff --git a/Makefile.in b/Makefile.in index 83237a333..debebe448 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server | |||
27 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | 27 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign |
28 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | 28 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |
29 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | 29 | RAND_HELPER=$(libexecdir)/ssh-rand-helper |
30 | SSH_DATADIR=$(datadir)/ssh | ||
30 | PRIVSEP_PATH=@PRIVSEP_PATH@ | 31 | PRIVSEP_PATH=@PRIVSEP_PATH@ |
31 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | 32 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |
32 | STRIP_OPT=@STRIP_OPT@ | 33 | STRIP_OPT=@STRIP_OPT@ |
@@ -39,7 +40,8 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ | |||
39 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ | 40 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ |
40 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ | 41 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ |
41 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ | 42 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ |
42 | -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" | 43 | -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \ |
44 | -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" | ||
43 | 45 | ||
44 | CC=@CC@ | 46 | CC=@CC@ |
45 | LD=@LD@ | 47 | LD=@LD@ |
@@ -62,7 +64,7 @@ EXEEXT=@EXEEXT@ | |||
62 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | 64 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ |
63 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ | 65 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ |
64 | 66 | ||
65 | TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) | 67 | TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) |
66 | 68 | ||
67 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 69 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
68 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | 70 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ |
@@ -93,8 +95,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | |||
93 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | 95 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ |
94 | roaming_common.o roaming_serv.o | 96 | roaming_common.o roaming_serv.o |
95 | 97 | ||
96 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 98 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out |
97 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 99 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 |
98 | MANTYPE = @MANTYPE@ | 100 | MANTYPE = @MANTYPE@ |
99 | 101 | ||
100 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | 102 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out |
@@ -174,6 +176,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo | |||
174 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o | 176 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o |
175 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 177 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
176 | 178 | ||
179 | ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o | ||
180 | $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | ||
181 | |||
177 | # test driver for the loginrec code - not built by default | 182 | # test driver for the loginrec code - not built by default |
178 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | 183 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o |
179 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | 184 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) |
@@ -268,6 +273,7 @@ install-files: | |||
268 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | 273 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |
269 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 274 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
270 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 275 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
276 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey$(EXEEXT) $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT) | ||
271 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 277 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
272 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | 278 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |
273 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | 279 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |
@@ -278,6 +284,7 @@ install-files: | |||
278 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 284 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
279 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 285 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
280 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 286 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
287 | ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 | ||
281 | if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ | 288 | if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ |
282 | $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ | 289 | $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ |
283 | fi | 290 | fi |
@@ -285,10 +292,11 @@ install-files: | |||
285 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 292 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
286 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 293 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
287 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 294 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
295 | $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | ||
288 | -rm -f $(DESTDIR)$(bindir)/slogin | 296 | -rm -f $(DESTDIR)$(bindir)/slogin |
289 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | 297 | ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin |
290 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 298 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
291 | ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 299 | ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
292 | 300 | ||
293 | install-sysconf: | 301 | install-sysconf: |
294 | if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ | 302 | if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ |
@@ -366,6 +374,7 @@ uninstall: | |||
366 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | 374 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) |
367 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | 375 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) |
368 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | 376 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) |
377 | -rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT) | ||
369 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 378 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
370 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | 379 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |
371 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 380 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
@@ -379,6 +388,7 @@ uninstall: | |||
379 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | 388 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 |
380 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | 389 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
381 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | 390 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 |
391 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | ||
382 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 392 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
383 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 | 393 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 |
384 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 394 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index b21a0f4a2..891ec3297 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c | |||
@@ -44,7 +44,7 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost, | |||
44 | { | 44 | { |
45 | HostStatus host_status; | 45 | HostStatus host_status; |
46 | 46 | ||
47 | if (auth_key_is_revoked(client_host_key)) | 47 | if (auth_key_is_revoked(client_host_key, 0)) |
48 | return 0; | 48 | return 0; |
49 | 49 | ||
50 | /* Check if we would accept it using rhosts authentication. */ | 50 | /* Check if we would accept it using rhosts authentication. */ |
diff --git a/auth-rsa.c b/auth-rsa.c index 65571a890..250e9cf78 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
@@ -94,7 +94,7 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) | |||
94 | MD5_CTX md; | 94 | MD5_CTX md; |
95 | int len; | 95 | int len; |
96 | 96 | ||
97 | if (auth_key_is_revoked(key)) | 97 | if (auth_key_is_revoked(key, 0)) |
98 | return 0; | 98 | return 0; |
99 | 99 | ||
100 | /* don't allow short keys */ | 100 | /* don't allow short keys */ |
@@ -59,6 +59,7 @@ | |||
59 | #include "servconf.h" | 59 | #include "servconf.h" |
60 | #include "key.h" | 60 | #include "key.h" |
61 | #include "hostfile.h" | 61 | #include "hostfile.h" |
62 | #include "authfile.h" | ||
62 | #include "auth.h" | 63 | #include "auth.h" |
63 | #include "auth-options.h" | 64 | #include "auth-options.h" |
64 | #include "canohost.h" | 65 | #include "canohost.h" |
@@ -593,10 +594,34 @@ getpwnamallow(const char *user) | |||
593 | 594 | ||
594 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 595 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
595 | int | 596 | int |
596 | auth_key_is_revoked(Key *key) | 597 | auth_key_is_revoked(Key *key, int hostkey) |
597 | { | 598 | { |
598 | char *key_fp; | 599 | char *key_fp; |
599 | 600 | ||
601 | if (blacklisted_key(key, &key_fp) == 1) { | ||
602 | if (options.permit_blacklisted_keys) { | ||
603 | if (hostkey) | ||
604 | error("Host key %s blacklisted (see " | ||
605 | "ssh-vulnkey(1)); continuing anyway", | ||
606 | key_fp); | ||
607 | else | ||
608 | logit("Public key %s from %s blacklisted (see " | ||
609 | "ssh-vulnkey(1)); continuing anyway", | ||
610 | key_fp, get_remote_ipaddr()); | ||
611 | xfree(key_fp); | ||
612 | } else { | ||
613 | if (hostkey) | ||
614 | error("Host key %s blacklisted (see " | ||
615 | "ssh-vulnkey(1))", key_fp); | ||
616 | else | ||
617 | logit("Public key %s from %s blacklisted (see " | ||
618 | "ssh-vulnkey(1))", | ||
619 | key_fp, get_remote_ipaddr()); | ||
620 | xfree(key_fp); | ||
621 | return 1; | ||
622 | } | ||
623 | } | ||
624 | |||
600 | if (options.revoked_keys_file == NULL) | 625 | if (options.revoked_keys_file == NULL) |
601 | return 0; | 626 | return 0; |
602 | 627 | ||
@@ -59,6 +59,7 @@ struct Authctxt { | |||
59 | char *service; | 59 | char *service; |
60 | struct passwd *pw; /* set if 'valid' */ | 60 | struct passwd *pw; /* set if 'valid' */ |
61 | char *style; | 61 | char *style; |
62 | char *role; | ||
62 | void *kbdintctxt; | 63 | void *kbdintctxt; |
63 | void *jpake_ctx; | 64 | void *jpake_ctx; |
64 | #ifdef BSD_AUTH | 65 | #ifdef BSD_AUTH |
@@ -172,7 +173,7 @@ char *authorized_keys_file(struct passwd *); | |||
172 | char *authorized_keys_file2(struct passwd *); | 173 | char *authorized_keys_file2(struct passwd *); |
173 | 174 | ||
174 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 175 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
175 | int auth_key_is_revoked(Key *); | 176 | int auth_key_is_revoked(Key *, int); |
176 | 177 | ||
177 | HostStatus | 178 | HostStatus |
178 | check_key_in_hostfiles(struct passwd *, Key *, const char *, | 179 | check_key_in_hostfiles(struct passwd *, Key *, const char *, |
@@ -383,7 +383,7 @@ void | |||
383 | do_authentication(Authctxt *authctxt) | 383 | do_authentication(Authctxt *authctxt) |
384 | { | 384 | { |
385 | u_int ulen; | 385 | u_int ulen; |
386 | char *user, *style = NULL; | 386 | char *user, *style = NULL, *role = NULL; |
387 | 387 | ||
388 | /* Get the name of the user that we wish to log in as. */ | 388 | /* Get the name of the user that we wish to log in as. */ |
389 | packet_read_expect(SSH_CMSG_USER); | 389 | packet_read_expect(SSH_CMSG_USER); |
@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt) | |||
392 | user = packet_get_string(&ulen); | 392 | user = packet_get_string(&ulen); |
393 | packet_check_eom(); | 393 | packet_check_eom(); |
394 | 394 | ||
395 | if ((role = strchr(user, '/')) != NULL) | ||
396 | *role++ = '\0'; | ||
397 | |||
395 | if ((style = strchr(user, ':')) != NULL) | 398 | if ((style = strchr(user, ':')) != NULL) |
396 | *style++ = '\0'; | 399 | *style++ = '\0'; |
400 | else if (role && (style = strchr(role, ':')) != NULL) | ||
401 | *style++ = '\0'; | ||
397 | 402 | ||
398 | authctxt->user = user; | 403 | authctxt->user = user; |
399 | authctxt->style = style; | 404 | authctxt->style = style; |
405 | authctxt->role = role; | ||
400 | 406 | ||
401 | /* Verify that the user is a valid user. */ | 407 | /* Verify that the user is a valid user. */ |
402 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 408 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 721646520..32c06bbdc 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c | |||
@@ -145,7 +145,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | |||
145 | HostStatus host_status; | 145 | HostStatus host_status; |
146 | int len; | 146 | int len; |
147 | 147 | ||
148 | if (auth_key_is_revoked(key)) | 148 | if (auth_key_is_revoked(key, 0)) |
149 | return 0; | 149 | return 0; |
150 | 150 | ||
151 | resolvedname = get_canonical_hostname(options.use_dns); | 151 | resolvedname = get_canonical_hostname(options.use_dns); |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c4cadf4e7..49bb062af 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
@@ -328,9 +328,10 @@ user_key_allowed(struct passwd *pw, Key *key) | |||
328 | int success; | 328 | int success; |
329 | char *file; | 329 | char *file; |
330 | 330 | ||
331 | if (auth_key_is_revoked(key)) | 331 | if (auth_key_is_revoked(key, 0)) |
332 | return 0; | 332 | return 0; |
333 | if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) | 333 | if (key_is_cert(key) && |
334 | auth_key_is_revoked(key->cert->signature_key, 0)) | ||
334 | return 0; | 335 | return 0; |
335 | 336 | ||
336 | success = user_cert_trusted_ca(pw, key); | 337 | success = user_cert_trusted_ca(pw, key); |
@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
217 | { | 217 | { |
218 | Authctxt *authctxt = ctxt; | 218 | Authctxt *authctxt = ctxt; |
219 | Authmethod *m = NULL; | 219 | Authmethod *m = NULL; |
220 | char *user, *service, *method, *style = NULL; | 220 | char *user, *service, *method, *style = NULL, *role = NULL; |
221 | int authenticated = 0; | 221 | int authenticated = 0; |
222 | 222 | ||
223 | if (authctxt == NULL) | 223 | if (authctxt == NULL) |
@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
229 | debug("userauth-request for user %s service %s method %s", user, service, method); | 229 | debug("userauth-request for user %s service %s method %s", user, service, method); |
230 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 230 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
231 | 231 | ||
232 | if ((role = strchr(user, '/')) != NULL) | ||
233 | *role++ = 0; | ||
234 | |||
232 | if ((style = strchr(user, ':')) != NULL) | 235 | if ((style = strchr(user, ':')) != NULL) |
233 | *style++ = 0; | 236 | *style++ = 0; |
237 | else if (role && (style = strchr(role, ':')) != NULL) | ||
238 | *style++ = '\0'; | ||
234 | 239 | ||
235 | if (authctxt->attempt++ == 0) { | 240 | if (authctxt->attempt++ == 0) { |
236 | /* setup auth context */ | 241 | /* setup auth context */ |
@@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
254 | use_privsep ? " [net]" : ""); | 259 | use_privsep ? " [net]" : ""); |
255 | authctxt->service = xstrdup(service); | 260 | authctxt->service = xstrdup(service); |
256 | authctxt->style = style ? xstrdup(style) : NULL; | 261 | authctxt->style = style ? xstrdup(style) : NULL; |
262 | authctxt->role = role ? xstrdup(role) : NULL; | ||
257 | if (use_privsep) | 263 | if (use_privsep) |
258 | mm_inform_authserv(service, style); | 264 | mm_inform_authserv(service, style, role); |
259 | userauth_banner(); | 265 | userauth_banner(); |
260 | } else if (strcmp(user, authctxt->user) != 0 || | 266 | } else if (strcmp(user, authctxt->user) != 0 || |
261 | strcmp(service, authctxt->service) != 0) { | 267 | strcmp(service, authctxt->service) != 0) { |
diff --git a/authfile.c b/authfile.c index 224c6aa80..4d0823209 100644 --- a/authfile.c +++ b/authfile.c | |||
@@ -68,6 +68,7 @@ | |||
68 | #include "rsa.h" | 68 | #include "rsa.h" |
69 | #include "misc.h" | 69 | #include "misc.h" |
70 | #include "atomicio.h" | 70 | #include "atomicio.h" |
71 | #include "pathnames.h" | ||
71 | 72 | ||
72 | /* Version identification string for SSH v1 identity files. */ | 73 | /* Version identification string for SSH v1 identity files. */ |
73 | static const char authfile_id_string[] = | 74 | static const char authfile_id_string[] = |
@@ -754,3 +755,140 @@ key_in_file(Key *key, const char *filename, int strict_type) | |||
754 | return ret; | 755 | return ret; |
755 | } | 756 | } |
756 | 757 | ||
758 | /* Scan a blacklist of known-vulnerable keys in blacklist_file. */ | ||
759 | static int | ||
760 | blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp) | ||
761 | { | ||
762 | int fd = -1; | ||
763 | char *dgst_hex = NULL; | ||
764 | char *dgst_packed = NULL, *p; | ||
765 | int i; | ||
766 | size_t line_len; | ||
767 | struct stat st; | ||
768 | char buf[256]; | ||
769 | off_t start, lower, upper; | ||
770 | int ret = 0; | ||
771 | |||
772 | debug("Checking blacklist file %s", blacklist_file); | ||
773 | fd = open(blacklist_file, O_RDONLY); | ||
774 | if (fd < 0) { | ||
775 | ret = -1; | ||
776 | goto out; | ||
777 | } | ||
778 | |||
779 | dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
780 | /* Remove all colons */ | ||
781 | dgst_packed = xcalloc(1, strlen(dgst_hex) + 1); | ||
782 | for (i = 0, p = dgst_packed; dgst_hex[i]; i++) | ||
783 | if (dgst_hex[i] != ':') | ||
784 | *p++ = dgst_hex[i]; | ||
785 | /* Only compare least-significant 80 bits (to keep the blacklist | ||
786 | * size down) | ||
787 | */ | ||
788 | line_len = strlen(dgst_packed + 12); | ||
789 | if (line_len > 32) | ||
790 | goto out; | ||
791 | |||
792 | /* Skip leading comments */ | ||
793 | start = 0; | ||
794 | for (;;) { | ||
795 | ssize_t r; | ||
796 | char *newline; | ||
797 | |||
798 | r = atomicio(read, fd, buf, sizeof(buf)); | ||
799 | if (r <= 0) | ||
800 | goto out; | ||
801 | if (buf[0] != '#') | ||
802 | break; | ||
803 | |||
804 | newline = memchr(buf, '\n', sizeof(buf)); | ||
805 | if (!newline) | ||
806 | goto out; | ||
807 | start += newline + 1 - buf; | ||
808 | if (lseek(fd, start, SEEK_SET) < 0) | ||
809 | goto out; | ||
810 | } | ||
811 | |||
812 | /* Initialise binary search record numbers */ | ||
813 | if (fstat(fd, &st) < 0) | ||
814 | goto out; | ||
815 | lower = 0; | ||
816 | upper = (st.st_size - start) / (line_len + 1); | ||
817 | |||
818 | while (lower != upper) { | ||
819 | off_t cur; | ||
820 | int cmp; | ||
821 | |||
822 | cur = lower + (upper - lower) / 2; | ||
823 | |||
824 | /* Read this line and compare to digest; this is | ||
825 | * overflow-safe since cur < max(off_t) / (line_len + 1) */ | ||
826 | if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0) | ||
827 | break; | ||
828 | if (atomicio(read, fd, buf, line_len) != line_len) | ||
829 | break; | ||
830 | cmp = memcmp(buf, dgst_packed + 12, line_len); | ||
831 | if (cmp < 0) { | ||
832 | if (cur == lower) | ||
833 | break; | ||
834 | lower = cur; | ||
835 | } else if (cmp > 0) { | ||
836 | if (cur == upper) | ||
837 | break; | ||
838 | upper = cur; | ||
839 | } else { | ||
840 | debug("Found %s in blacklist", dgst_hex); | ||
841 | ret = 1; | ||
842 | break; | ||
843 | } | ||
844 | } | ||
845 | |||
846 | out: | ||
847 | if (dgst_packed) | ||
848 | xfree(dgst_packed); | ||
849 | if (ret != 1 && dgst_hex) { | ||
850 | xfree(dgst_hex); | ||
851 | dgst_hex = NULL; | ||
852 | } | ||
853 | if (fp) | ||
854 | *fp = dgst_hex; | ||
855 | if (fd >= 0) | ||
856 | close(fd); | ||
857 | return ret; | ||
858 | } | ||
859 | |||
860 | /* | ||
861 | * Scan blacklists of known-vulnerable keys. If a vulnerable key is found, | ||
862 | * its fingerprint is returned in *fp, unless fp is NULL. | ||
863 | */ | ||
864 | int | ||
865 | blacklisted_key(const Key *key, char **fp) | ||
866 | { | ||
867 | Key *public; | ||
868 | char *blacklist_file; | ||
869 | int ret, ret2; | ||
870 | |||
871 | public = key_demote(key); | ||
872 | if (public->type == KEY_RSA1) | ||
873 | public->type = KEY_RSA; | ||
874 | |||
875 | xasprintf(&blacklist_file, "%s.%s-%u", | ||
876 | _PATH_BLACKLIST, key_type(public), key_size(public)); | ||
877 | ret = blacklisted_key_in_file(public, blacklist_file, fp); | ||
878 | xfree(blacklist_file); | ||
879 | if (ret > 0) { | ||
880 | key_free(public); | ||
881 | return ret; | ||
882 | } | ||
883 | |||
884 | xasprintf(&blacklist_file, "%s.%s-%u", | ||
885 | _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); | ||
886 | ret2 = blacklisted_key_in_file(public, blacklist_file, fp); | ||
887 | xfree(blacklist_file); | ||
888 | if (ret2 > ret) | ||
889 | ret = ret2; | ||
890 | |||
891 | key_free(public); | ||
892 | return ret; | ||
893 | } | ||
894 | |||
diff --git a/authfile.h b/authfile.h index 6dfa478e7..674fc939f 100644 --- a/authfile.h +++ b/authfile.h | |||
@@ -24,4 +24,6 @@ Key *key_load_private_pem(int, int, const char *, char **); | |||
24 | int key_perm_ok(int, const char *); | 24 | int key_perm_ok(int, const char *); |
25 | int key_in_file(Key *, const char *, int); | 25 | int key_in_file(Key *, const char *, int); |
26 | 26 | ||
27 | int blacklisted_key(const Key *key, char **fp); | ||
28 | |||
27 | #endif | 29 | #endif |
diff --git a/clientloop.c b/clientloop.c index cbbb3df1f..05e7de067 100644 --- a/clientloop.c +++ b/clientloop.c | |||
@@ -507,16 +507,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) | |||
507 | static void | 507 | static void |
508 | server_alive_check(void) | 508 | server_alive_check(void) |
509 | { | 509 | { |
510 | if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | 510 | if (compat20) { |
511 | logit("Timeout, server not responding."); | 511 | if (packet_inc_alive_timeouts() > options.server_alive_count_max) { |
512 | cleanup_exit(255); | 512 | logit("Timeout, server not responding."); |
513 | cleanup_exit(255); | ||
514 | } | ||
515 | packet_start(SSH2_MSG_GLOBAL_REQUEST); | ||
516 | packet_put_cstring("keepalive@openssh.com"); | ||
517 | packet_put_char(1); /* boolean: want reply */ | ||
518 | packet_send(); | ||
519 | /* Insert an empty placeholder to maintain ordering */ | ||
520 | client_register_global_confirm(NULL, NULL); | ||
521 | } else { | ||
522 | packet_send_ignore(0); | ||
523 | packet_send(); | ||
513 | } | 524 | } |
514 | packet_start(SSH2_MSG_GLOBAL_REQUEST); | ||
515 | packet_put_cstring("keepalive@openssh.com"); | ||
516 | packet_put_char(1); /* boolean: want reply */ | ||
517 | packet_send(); | ||
518 | /* Insert an empty placeholder to maintain ordering */ | ||
519 | client_register_global_confirm(NULL, NULL); | ||
520 | } | 525 | } |
521 | 526 | ||
522 | /* | 527 | /* |
@@ -574,7 +579,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, | |||
574 | * event pending. | 579 | * event pending. |
575 | */ | 580 | */ |
576 | 581 | ||
577 | if (options.server_alive_interval == 0 || !compat20) | 582 | if (options.server_alive_interval == 0) |
578 | tvp = NULL; | 583 | tvp = NULL; |
579 | else { | 584 | else { |
580 | tv.tv_sec = options.server_alive_interval; | 585 | tv.tv_sec = options.server_alive_interval; |
@@ -1525,8 +1530,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | |||
1525 | exit_status = 0; | 1530 | exit_status = 0; |
1526 | } | 1531 | } |
1527 | 1532 | ||
1528 | if (received_signal) | 1533 | if (received_signal) { |
1529 | fatal("Killed by signal %d.", (int) received_signal); | 1534 | debug("Killed by signal %d.", (int) received_signal); |
1535 | cleanup_exit((int) received_signal + 128); | ||
1536 | } | ||
1530 | 1537 | ||
1531 | /* | 1538 | /* |
1532 | * In interactive mode (with pseudo tty) display a message indicating | 1539 | * In interactive mode (with pseudo tty) display a message indicating |
diff --git a/config.h.in b/config.h.in index a43ad5711..a609d72ba 100644 --- a/config.h.in +++ b/config.h.in | |||
@@ -1384,6 +1384,9 @@ | |||
1384 | /* Use btmp to log bad logins */ | 1384 | /* Use btmp to log bad logins */ |
1385 | #undef USE_BTMP | 1385 | #undef USE_BTMP |
1386 | 1386 | ||
1387 | /* platform uses an in-memory credentials cache */ | ||
1388 | #undef USE_CCAPI | ||
1389 | |||
1387 | /* Use libedit for sftp */ | 1390 | /* Use libedit for sftp */ |
1388 | #undef USE_LIBEDIT | 1391 | #undef USE_LIBEDIT |
1389 | 1392 | ||
@@ -1396,6 +1399,9 @@ | |||
1396 | /* Use PIPES instead of a socketpair() */ | 1399 | /* Use PIPES instead of a socketpair() */ |
1397 | #undef USE_PIPES | 1400 | #undef USE_PIPES |
1398 | 1401 | ||
1402 | /* platform has the Security Authorization Session API */ | ||
1403 | #undef USE_SECURITY_SESSION_API | ||
1404 | |||
1399 | /* Define if you have Solaris process contracts */ | 1405 | /* Define if you have Solaris process contracts */ |
1400 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 1406 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
1401 | 1407 | ||
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c index 9d97c30c0..04b3a110e 100644 --- a/contrib/gnome-ssh-askpass2.c +++ b/contrib/gnome-ssh-askpass2.c | |||
@@ -209,6 +209,8 @@ main(int argc, char **argv) | |||
209 | 209 | ||
210 | gtk_init(&argc, &argv); | 210 | gtk_init(&argc, &argv); |
211 | 211 | ||
212 | gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL); | ||
213 | |||
212 | if (argc > 1) { | 214 | if (argc > 1) { |
213 | message = g_strjoinv(" ", argv + 1); | 215 | message = g_strjoinv(" ", argv + 1); |
214 | } else { | 216 | } else { |
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index 65c0a8cd8..2f757de4b 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id | |||
@@ -38,10 +38,10 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then | |||
38 | exit 1 | 38 | exit 1 |
39 | fi | 39 | fi |
40 | 40 | ||
41 | { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 | 41 | { eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 |
42 | 42 | ||
43 | cat <<EOF | 43 | cat <<EOF |
44 | Now try logging into the machine, with "ssh '$1'", and check in: | 44 | Now try logging into the machine, with "ssh '${1%:}'", and check in: |
45 | 45 | ||
46 | .ssh/authorized_keys | 46 | .ssh/authorized_keys |
47 | 47 | ||
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 000000000..7a67e1528 --- /dev/null +++ b/debian/NEWS | |||
@@ -0,0 +1,42 @@ | |||
1 | openssh (1:5.4p1-2) unstable; urgency=low | ||
2 | |||
3 | Smartcard support is now available using PKCS#11 tokens. If you were | ||
4 | previously using an unofficial build of Debian's OpenSSH package with | ||
5 | OpenSC-based smartcard support added, then note that commands like | ||
6 | 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s | ||
7 | /usr/lib/opensc-pkcs11.so' instead. | ||
8 | |||
9 | -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100 | ||
10 | |||
11 | openssh (1:3.8.1p1-9) experimental; urgency=low | ||
12 | |||
13 | The ssh package has been split into openssh-client and openssh-server. If | ||
14 | you had previously requested that the sshd server should not be run, then | ||
15 | that request will still be honoured. However, the recommended approach is | ||
16 | now to remove the openssh-server package if you do not want to run sshd. | ||
17 | You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing | ||
18 | that. | ||
19 | |||
20 | -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100 | ||
21 | |||
22 | openssh (1:3.5p1-1) unstable; urgency=low | ||
23 | |||
24 | This version of OpenSSH disables the environment option for public keys by | ||
25 | default, in order to avoid certain attacks (for example, LD_PRELOAD). If | ||
26 | you are using this option in an authorized_keys file, beware that the keys | ||
27 | in question will no longer work until the option is removed. | ||
28 | |||
29 | To re-enable this option, set "PermitUserEnvironment yes" in | ||
30 | /etc/ssh/sshd_config after the upgrade is complete, taking note of the | ||
31 | warning in the sshd_config(5) manual page. | ||
32 | |||
33 | -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100 | ||
34 | |||
35 | openssh (1:3.0.1p1-1) unstable; urgency=high | ||
36 | |||
37 | As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2 | ||
38 | keys. This means the authorized_keys2 and known_hosts2 files are no longer | ||
39 | needed. They will still be read in order to maintain backward | ||
40 | compatibility. | ||
41 | |||
42 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 | ||
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..f37cce4b0 --- /dev/null +++ b/debian/README.Debian | |||
@@ -0,0 +1,234 @@ | |||
1 | OpenSSH for Debian | ||
2 | ------------------ | ||
3 | |||
4 | UPGRADE ISSUES | ||
5 | ============== | ||
6 | |||
7 | Privilege Separation | ||
8 | -------------------- | ||
9 | |||
10 | As of 3.3, openssh has employed privilege separation to reduce the | ||
11 | quantity of code that runs as root, thereby reducing the impact of | ||
12 | some security holes in sshd. This now also works properly with PAM. | ||
13 | |||
14 | Privilege separation is turned on by default, so, if you decide you | ||
15 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
16 | /etc/ssh/sshd_config. | ||
17 | |||
18 | PermitRootLogin set to yes | ||
19 | -------------------------- | ||
20 | |||
21 | This is now the default setting (in line with upstream), and people | ||
22 | who asked for an automatically-generated configuration file when | ||
23 | upgrading from potato (or on a new install) will have this setting in | ||
24 | their /etc/ssh/sshd_config file. | ||
25 | |||
26 | Should you wish to change this setting, edit /etc/ssh/sshd_config, and | ||
27 | change: | ||
28 | PermitRootLogin yes | ||
29 | to: | ||
30 | PermitRootLogin no | ||
31 | |||
32 | Having PermitRootLogin set to yes means that an attacker that knows | ||
33 | the root password can ssh in directly (without having to go via a user | ||
34 | account). If you set it to no, then they must compromise a normal user | ||
35 | account. In the vast majority of cases, this does not give added | ||
36 | security; remember that any account you su to root from is equivalent | ||
37 | to root - compromising this account gives an attacker access to root | ||
38 | easily. If you only ever log in as root from the physical console, | ||
39 | then you probably want to set this value to no. | ||
40 | |||
41 | As an aside, PermitRootLogin can also be set to "without-password" or | ||
42 | "forced-commands-only" - see sshd(8) for more details. | ||
43 | |||
44 | DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT! | ||
45 | |||
46 | The argument above is somewhat condensed; I have had this discussion | ||
47 | at great length with many people. If you think the default is | ||
48 | incorrect, and feel strongly enough to want to argue about it, then | ||
49 | send email to debian-ssh@lists.debian.org. I will close bug reports | ||
50 | claiming the default is incorrect. | ||
51 | |||
52 | SSH now uses protocol 2 by default | ||
53 | ---------------------------------- | ||
54 | |||
55 | This means all your keyfiles you used for protocol version 1 need to | ||
56 | be re-generated. The server keys are done automatically, but for RSA | ||
57 | authentication, please read the ssh-keygen manpage. | ||
58 | |||
59 | If you have an automatically generated configuration file, and decide | ||
60 | at a later stage that you do want to support protocol version 1 (not | ||
61 | recommended, but note that the ssh client shipped with Debian potato | ||
62 | only supported protocol version 1), then you need to do the following: | ||
63 | |||
64 | Change /etc/ssh/sshd_config such that: | ||
65 | Protocol 2 | ||
66 | becomes: | ||
67 | Protocol 2,1 | ||
68 | Also add the line: | ||
69 | HostKey /etc/ssh/ssh_host_key | ||
70 | |||
71 | If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key, | ||
72 | you will need to generate one. To do so, run this command as root: | ||
73 | |||
74 | ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1 | ||
75 | |||
76 | As of openssh-server 1:4.1p1-2, the option to support protocol version 1 | ||
77 | is no longer available via debconf. You must edit the configuration file | ||
78 | instead. | ||
79 | |||
80 | X11 Forwarding | ||
81 | -------------- | ||
82 | |||
83 | ssh's default for ForwardX11 has been changed to ``no'' because it has | ||
84 | been pointed out that logging into remote systems administered by | ||
85 | untrusted people is likely to open you up to X11 attacks, so you | ||
86 | should have to actively decide that you trust the remote machine's | ||
87 | root, before enabling X11. I strongly recommend that you do this on a | ||
88 | machine-by-machine basis, rather than just enabling it in the default | ||
89 | host settings. | ||
90 | |||
91 | In order for X11 forwarding to work, you need to install xauth on the | ||
92 | server. In Debian this is in the xbase-clients package. | ||
93 | |||
94 | As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce | ||
95 | the security risks of X11 forwarding. Look up X11UseLocalhost in | ||
96 | sshd_config(8) if this is a problem. | ||
97 | |||
98 | OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the | ||
99 | ssh client to create an untrusted X cookie so that attacks on the | ||
100 | forwarded X11 connection can't become attacks on X clients on the remote | ||
101 | machine. However, this has some problems in implementation - notably a | ||
102 | very short timeout of the untrusted cookie - breaks large numbers of | ||
103 | existing setups, and generally seems immature. The Debian package | ||
104 | therefore sets the default for this option to "yes" (in ssh itself, | ||
105 | rather than in ssh_config). | ||
106 | |||
107 | Fallback to RSH | ||
108 | --------------- | ||
109 | |||
110 | The default for this setting has been changed from Yes to No, for | ||
111 | security reasons, and to stop the delay attempting to rsh to machines | ||
112 | that don't offer the service. Simply switch it back on in either | ||
113 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
114 | it for. | ||
115 | |||
116 | Setgid ssh-agent and environment variables | ||
117 | ------------------------------------------ | ||
118 | |||
119 | As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace() | ||
120 | attacks retrieving private key material. This has the side-effect of causing | ||
121 | glibc to remove certain environment variables which might have security | ||
122 | implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and | ||
123 | TMPDIR. | ||
124 | |||
125 | If you need to set any of these environment variables, you will need to do | ||
126 | so in the program exec()ed by ssh-agent. This may involve creating a small | ||
127 | wrapper script. | ||
128 | |||
129 | Symlink Hostname invocation | ||
130 | --------------------------- | ||
131 | |||
132 | This version of ssh no longer includes support for invoking ssh with the | ||
133 | hostname as the name of the file run. People wanting this support should | ||
134 | use the ssh-argv0 script. | ||
135 | |||
136 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
137 | |||
138 | OTHER ISSUES | ||
139 | ============ | ||
140 | |||
141 | /usr/bin/ssh not SUID | ||
142 | --------------------- | ||
143 | |||
144 | Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh | ||
145 | is SUID. Until this is fixed, if that is a problem, use: | ||
146 | |||
147 | dpkg-statoverride | ||
148 | |||
149 | or if that's also missing, use this: | ||
150 | |||
151 | chown root.root /usr/bin/ssh | ||
152 | chmod 04755 /usr/bin/ssh | ||
153 | |||
154 | Authorization Forwarding | ||
155 | ------------------------ | ||
156 | |||
157 | Similarly, root on a remote server could make use of your ssh-agent | ||
158 | (while you're logged into their machine) to obtain access to machines | ||
159 | which trust your keys. This feature is therefore disabled by default. | ||
160 | You should only re-enable it for those hosts (in your ~/.ssh/config or | ||
161 | /etc/ssh/ssh_config) where you are confident that the remote machine | ||
162 | is not a threat. | ||
163 | |||
164 | Problems logging in with RSA authentication | ||
165 | ------------------------------------------- | ||
166 | |||
167 | If you have trouble logging in with RSA authentication then the | ||
168 | problem is probably caused by the fact that you have your home | ||
169 | directory writable by group, as well as user (this is the default on | ||
170 | Debian systems). | ||
171 | |||
172 | Depending upon other settings on your system (i.e. other users being | ||
173 | in your group) this could open a security hole, so you will need to | ||
174 | make your home directory writable only by yourself. Run this command, | ||
175 | as yourself: | ||
176 | |||
177 | chmod g-w ~/ | ||
178 | |||
179 | to remove group write permissions. If you use ssh-copy-id to install your | ||
180 | keys, it does this for you. | ||
181 | |||
182 | -L option of ssh nonfree | ||
183 | ------------------------ | ||
184 | |||
185 | non-free ssh supported the usage of the option -L to use a non privileged | ||
186 | port for scp. This option will not be supported by scp from openssh. | ||
187 | |||
188 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the | ||
189 | manpage to scp itself. | ||
190 | |||
191 | Problem logging in because of TCP-Wrappers | ||
192 | ------------------------------------------ | ||
193 | |||
194 | ssh is compiled with support for tcp-wrappers. So if you can no longer | ||
195 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny | ||
196 | are configured so that ssh is not blocked. | ||
197 | |||
198 | Kerberos support | ||
199 | ---------------- | ||
200 | |||
201 | ssh is now compiled with Kerberos support. Unfortunately, privilege | ||
202 | separation is incompatible with Kerberos support for SSH protocol 1 and | ||
203 | parts of the support for protocol 2; you may need to run kinit after logging | ||
204 | in. | ||
205 | |||
206 | Interoperability between scp and the ssh.com SSH server | ||
207 | ------------------------------------------------------- | ||
208 | |||
209 | In version 2 and greater of the commercial SSH server produced by SSH | ||
210 | Communications Security, scp was changed to use SFTP (SSH2's file transfer | ||
211 | protocol) instead of the traditional rcp-over-ssh, thereby breaking | ||
212 | compatibility. The OpenSSH developers regard this as a bug in the ssh.com | ||
213 | server, and do not currently intend to change OpenSSH's scp to match. | ||
214 | |||
215 | Workarounds for this problem are to install scp1 on the server (scp2 will | ||
216 | fall back to it), to use sftp, or to use some other transfer mechanism such | ||
217 | as rsync-over-ssh or tar-over-ssh. | ||
218 | |||
219 | Running sshd from inittab | ||
220 | ------------------------- | ||
221 | |||
222 | Some people find it useful to run the sshd server from inittab, to make sure | ||
223 | that it always stays running. To do this, stop sshd ('/etc/init.d/ssh | ||
224 | stop'), add the following line to /etc/inittab, and run 'telinit q': | ||
225 | |||
226 | ss:2345:respawn:/usr/sbin/sshd -D | ||
227 | |||
228 | If you do this, note that you will need to stop sshd being started in the | ||
229 | normal way ('rm -f /etc/rc[2345].d/S16ssh') and that you will need to | ||
230 | restart this sshd manually on upgrades. | ||
231 | |||
232 | -- | ||
233 | Matthew Vernon <matthew@debian.org> | ||
234 | Colin Watson <cjwatson@debian.org> | ||
diff --git a/debian/README.compromised-keys b/debian/README.compromised-keys new file mode 100644 index 000000000..7a9cb7657 --- /dev/null +++ b/debian/README.compromised-keys | |||
@@ -0,0 +1,167 @@ | |||
1 | The following instructions relate to CVE-2008-0166. They were prepared by | ||
2 | Matt Zimmerman, assisted by Colin Watson. | ||
3 | |||
4 | == What Happened == | ||
5 | |||
6 | A weakness has been discovered in the random number generator used by OpenSSL | ||
7 | on Debian and Ubuntu systems. As a result of this weakness, certain encryption | ||
8 | keys are much more common than they should be, such that an attacker could | ||
9 | guess the key through a brute-force attack given minimal knowledge of the | ||
10 | system. This particularly affects the use of encryption keys in OpenSSH, | ||
11 | OpenVPN and SSL certificates. | ||
12 | |||
13 | This vulnerability only affects operating systems which (like Ubuntu) are based | ||
14 | on Debian. However, other systems can be indirectly affected if weak keys are | ||
15 | imported into them. | ||
16 | |||
17 | We consider this an extremely serious vulnerability, and urge all users to act | ||
18 | immediately to secure their systems. | ||
19 | |||
20 | == Who is affected == | ||
21 | |||
22 | Systems which are running any of the following releases: | ||
23 | |||
24 | * Debian 4.0 (etch) | ||
25 | * Ubuntu 7.04 (Feisty) | ||
26 | * Ubuntu 7.10 (Gutsy) | ||
27 | * Ubuntu 8.04 LTS (Hardy) | ||
28 | * Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8 | ||
29 | |||
30 | and have openssh-server installed or have been used to create an OpenSSH key or | ||
31 | X.509 (SSL) certificate. | ||
32 | |||
33 | All OpenSSH and X.509 keys generated on such systems must be considered | ||
34 | untrustworthy, regardless of the system on which they are used, even after the | ||
35 | update has been applied. | ||
36 | |||
37 | This includes the automatically generated host keys used by OpenSSH, which are | ||
38 | the basis for its server spoofing and man-in-the-middle protection. | ||
39 | |||
40 | The specific package versions affected are: | ||
41 | |||
42 | * Debian 4.0: libssl <= 0.9.8c-4etch3 | ||
43 | * Ubuntu 7.04: libssl <= 0.9.8c-4ubuntu0.2 | ||
44 | * Ubuntu 7.10: libssl <= 0.9.8e-5ubuntu3.1 | ||
45 | * Ubuntu 8.04: libssl <= 0.9.8g-4ubuntu3 | ||
46 | |||
47 | == What to do if you are affected == | ||
48 | |||
49 | OpenSSH: | ||
50 | |||
51 | 1. Install the security updates | ||
52 | |||
53 | Once the update is applied, weak user keys will be automatically rejected | ||
54 | where possible (though they cannot be detected in all cases). If you are | ||
55 | using such keys for user authentication, they will immediately stop working | ||
56 | and will need to be replaced (see step 3). | ||
57 | |||
58 | OpenSSH host keys can be automatically regenerated when the OpenSSH security | ||
59 | update is applied. The update will prompt for confirmation before taking | ||
60 | this step. | ||
61 | |||
62 | 2. Update OpenSSH known_hosts files | ||
63 | |||
64 | The regeneration of host keys will cause a warning to be displayed when | ||
65 | connecting to the system using SSH until the host key is updated in the | ||
66 | known_hosts file. The warning will look like this: | ||
67 | |||
68 | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||
69 | @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ | ||
70 | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||
71 | IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! | ||
72 | Someone could be eavesdropping on you right now (man-in-the-middle attack)! | ||
73 | It is also possible that the RSA host key has just been changed. | ||
74 | |||
75 | In this case, the host key has simply been changed, and you should update | ||
76 | the relevant known_hosts file as indicated in the error message. | ||
77 | |||
78 | 3. Check all OpenSSH user keys | ||
79 | |||
80 | The safest course of action is to regenerate all OpenSSH user keys, | ||
81 | except where it can be established to a high degree of certainty that the | ||
82 | key was generated on an unaffected system. | ||
83 | |||
84 | Check whether your key is affected by running the ssh-vulnkey tool, included | ||
85 | in the security update. By default, ssh-vulnkey will check the standard | ||
86 | location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity), | ||
87 | your authorized_keys file (~/.ssh/authorized_keys and | ||
88 | ~/.ssh/authorized_keys2), and the system's host keys | ||
89 | (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key). | ||
90 | |||
91 | To check all your own keys, assuming they are in the standard | ||
92 | locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity): | ||
93 | |||
94 | ssh-vulnkey | ||
95 | |||
96 | To check all keys on your system: | ||
97 | |||
98 | sudo ssh-vulnkey -a | ||
99 | |||
100 | To check a key in a non-standard location: | ||
101 | |||
102 | ssh-vulnkey /path/to/key | ||
103 | |||
104 | If ssh-vulnkey says "Unknown (no blacklist information)", then it has no | ||
105 | information about whether that key is affected. If in doubt, destroy the | ||
106 | key and generate a new one. | ||
107 | |||
108 | 4. Regenerate any affected user keys | ||
109 | |||
110 | OpenSSH keys used for user authentication must be manually regenerated, | ||
111 | including those which may have since been transferred to a different system | ||
112 | after being generated. | ||
113 | |||
114 | New keys can be generated using ssh-keygen, e.g.: | ||
115 | |||
116 | $ ssh-keygen | ||
117 | Generating public/private rsa key pair. | ||
118 | Enter file in which to save the key (/home/user/.ssh/id_rsa): | ||
119 | Enter passphrase (empty for no passphrase): | ||
120 | Enter same passphrase again: | ||
121 | Your identification has been saved in /home/user/.ssh/id_rsa. | ||
122 | Your public key has been saved in /home/user/.ssh/id_rsa.pub. | ||
123 | The key fingerprint is: | ||
124 | 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host | ||
125 | |||
126 | 5. Update authorized_keys files (if necessary) | ||
127 | |||
128 | Once the user keys have been regenerated, the relevant public keys must | ||
129 | be propagated to any authorized_keys files on remote systems. Be sure to | ||
130 | delete the affected key. | ||
131 | |||
132 | OpenSSL: | ||
133 | |||
134 | 1. Install the security update | ||
135 | |||
136 | 2. Create new certificates to replace any server or client certificates in use | ||
137 | on the system | ||
138 | |||
139 | 3. If certificates have been generated for use on other systems, they must be | ||
140 | found and replaced as well. | ||
141 | |||
142 | == Removing openssh-blacklist == | ||
143 | |||
144 | For the moment, the openssh-server package depends on openssh-blacklist, in | ||
145 | order that the blacklist is deployed to the maximum possible number of | ||
146 | systems to reduce the potential spread of worms exploiting this | ||
147 | vulnerability. We acknowledge that this may be inconvenient for some small | ||
148 | systems, but nevertheless feel that this was the best course of action. | ||
149 | |||
150 | If you absolutely need to remove the blacklist from your system, then you | ||
151 | can run the following commands to substitute a fake package for | ||
152 | openssh-blacklist: | ||
153 | |||
154 | sudo apt-get install equivs | ||
155 | equivs-control openssh-blacklist.ctl | ||
156 | sed -i 's/^Package:.*/Package: openssh-blacklist/' openssh-blacklist.ctl | ||
157 | sed -i 's/^# Version:.*/Version: 9:1.0/' openssh-blacklist.ctl | ||
158 | equivs-build openssh-blacklist.ctl | ||
159 | sudo dpkg -i openssh-blacklist_1.0_all.deb | ||
160 | |||
161 | Be warned: this circumvents a security measure for the sake of disk space. | ||
162 | You should only do this if you have no other option, and if you are certain | ||
163 | that no compromised keys will ever be generated on or copied onto this | ||
164 | system. | ||
165 | |||
166 | Once a sufficient amount of time and number of releases have passed, the | ||
167 | openssh-blacklist package will be phased out. | ||
diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 000000000..d99ddb7a7 --- /dev/null +++ b/debian/README.source | |||
@@ -0,0 +1,222 @@ | |||
1 | Debian OpenSSH source package handling | ||
2 | ====================================== | ||
3 | |||
4 | The Debian package of OpenSSH is maintained in Bazaar | ||
5 | (http://bazaar-vcs.org/, or the 'bzr' package in Debian). You will need at | ||
6 | least version 1.16.1; the version in Debian testing as of the time of | ||
7 | writing (2009-12-21) is fine, or you can use the version in lenny-backports. | ||
8 | URLs are as follows: | ||
9 | |||
10 | Anonymous branch: http://bzr.debian.org/pkg-ssh/openssh/trunk | ||
11 | Web browsing: http://bzr.debian.org/loggerhead/pkg-ssh/openssh/trunk | ||
12 | Authenticated, for developers with commit access only: | ||
13 | bzr+ssh://bzr.debian.org/bzr/pkg-ssh/openssh/trunk | ||
14 | |||
15 | Although it's possible that I may use something like bzr-loom in the future | ||
16 | to better manage things like the Kerberos/GSSAPI patch, right now there's no | ||
17 | funny business and all that developers need to do is: | ||
18 | |||
19 | # To check out: | ||
20 | bzr co bzr+ssh://bzr.debian.org/bzr/pkg-ssh/openssh/trunk openssh | ||
21 | |||
22 | # To update: | ||
23 | bzr up | ||
24 | |||
25 | # To edit: | ||
26 | # hack hack hack, and 'bzr add' any new files | ||
27 | debcommit # or bzr commit | ||
28 | # note that this pushes automatically; you can use 'bzr unbind' to | ||
29 | # temporarily prevent this, or 'bzr branch' to create a local branch which | ||
30 | # you can merge later | ||
31 | |||
32 | # To release: | ||
33 | dch -r && debcommit -r | ||
34 | |||
35 | If you have lots of branches, you'll probably want to use a shared | ||
36 | repository to save space. Run 'bzr init-repo .' in an ancestor directory of | ||
37 | all your OpenSSH working directories. For example, I have a shared | ||
38 | repository in ~/src/debian/openssh/, upstream checkouts in | ||
39 | ~/src/debian/openssh/upstream/, and my own working trees in | ||
40 | ~/src/debian/openssh/trunk/. | ||
41 | |||
42 | Patch handling | ||
43 | -------------- | ||
44 | |||
45 | This package uses quilt to manage all modifications to the upstream source. | ||
46 | Changes are stored in the source package as diffs in debian/patches and | ||
47 | applied automatically by dpkg-source when the source package is extracted. | ||
48 | |||
49 | To configure quilt to use debian/patches instead of patches, you want either | ||
50 | to export QUILT_PATCHES=debian/patches in your environment or use this | ||
51 | snippet in your ~/.quiltrc: | ||
52 | |||
53 | for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do | ||
54 | if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then | ||
55 | export QUILT_PATCHES=debian/patches | ||
56 | break | ||
57 | fi | ||
58 | done | ||
59 | |||
60 | After unpacking the source package, all patches will be applied, and you can | ||
61 | use quilt normally. | ||
62 | |||
63 | If you check out the source code from bzr, then all patches will be applied, | ||
64 | but you will need to inform quilt of this manually. Do this by running: | ||
65 | |||
66 | debian/rules quilt-setup | ||
67 | |||
68 | To add a new set of changes, first run quilt push -a, and then run: | ||
69 | |||
70 | quilt new <patch> | ||
71 | |||
72 | where <patch> is a descriptive name for the patch, used as the filename in | ||
73 | debian/patches. Then, for every file that will be modified by this patch, | ||
74 | run: | ||
75 | |||
76 | quilt add <file> | ||
77 | |||
78 | before editing those files. You must tell quilt with quilt add what files | ||
79 | will be part of the patch before making changes or quilt will not work | ||
80 | properly. After editing the files, run: | ||
81 | |||
82 | quilt refresh | ||
83 | |||
84 | to save the results as a patch. | ||
85 | |||
86 | Alternately, if you already have an external patch and you just want to add | ||
87 | it to the build system, run quilt push -a and then: | ||
88 | |||
89 | quilt import -P <patch> /path/to/patch | ||
90 | quilt push -a | ||
91 | |||
92 | (add -p 0 to quilt import if needed). <patch> as above is the filename to | ||
93 | use in debian/patches. The last quilt push -a will apply the patch to make | ||
94 | sure it works properly. | ||
95 | |||
96 | To remove an existing patch from the list of patches that will be applied, | ||
97 | run: | ||
98 | |||
99 | quilt delete <patch> | ||
100 | |||
101 | You may need to run quilt pop -a to unapply patches first before running | ||
102 | this command. | ||
103 | |||
104 | You should only commit changes to bzr with all patches applied, i.e. after | ||
105 | 'quilt push -a'. | ||
106 | |||
107 | Merging new upstream releases | ||
108 | ----------------------------- | ||
109 | |||
110 | (Most developers will not need to read this section.) | ||
111 | |||
112 | Thanks to the import from Portable OpenSSH CVS provided by Launchpad | ||
113 | (https://code.launchpad.net/~vcs-imports/openssh/main, accessible by the | ||
114 | shortcut 'lp:openssh' from the bzr client), the Debian branch is a true DVCS | ||
115 | branch from upstream. This is a worthwhile property, but preserving it does | ||
116 | take a little bit of work. | ||
117 | |||
118 | Launchpad only imports CVS HEAD, but upstream sometimes produces releases | ||
119 | from a branch. We use the same software used by Launchpad to import the | ||
120 | branch as well, but a few small hacks are necessary to do good branch | ||
121 | imports. In Bazaar, it's important that the same file in different branches | ||
122 | should have the same file-id, otherwise merge attempts will try to delete | ||
123 | and re-add the file which usually doesn't work out very well. Occasionally a | ||
124 | file is added to CVS HEAD and then also added to a branch, and cscvs isn't | ||
125 | quite smart enough to spot this and copy over the file-id. We need to help | ||
126 | it out. | ||
127 | |||
128 | To fetch the necessary code: | ||
129 | |||
130 | bzr get lp:~cjwatson/launchpad-cscvs/openssh-branch-imports | ||
131 | # or 'bzr pull' in the appropriate directory to update this, if you | ||
132 | # already have a copy | ||
133 | |||
134 | To import a branch, V_5_3 in this example: | ||
135 | |||
136 | export PATH="/path/to/cscvs/openssh-branch-imports:$PATH" | ||
137 | export PYTHONPATH=/path/to/cscvs/openssh-branch-imports/modules:/path/to/cscvs/openssh-branch-imports | ||
138 | # in a CVS checkout of :ext:anoncvs@anoncvs.mindrot.org:/cvs module | ||
139 | # openssh: | ||
140 | cscvs cache -b | ||
141 | # or 'cscvs cache -u' if you've done this before and want to update | ||
142 | cvs up -rV_5_3 | ||
143 | |||
144 | # Now we need to get a few bits of information from cscvs' cache. | ||
145 | sqlite CVS/Catalog.sqlite | ||
146 | sqlite> select csnum,log from changeset where branch = 'V_5_3' order by startdate; | ||
147 | # There will be a solid block of "Creation of branch V_5_3" changesets at | ||
148 | # the start; look for the first revision *after* this. Substitute this in | ||
149 | # the following wherever you see "CSX". | ||
150 | sqlite> select revision,filename from revision where branch = 'V_5_3' and csnum >= CSX and revision not like '%.%.%' order by filename; | ||
151 | # Anything listed here will need to be added to the openssh_ids dictionary | ||
152 | # in modules/CVS/StorageLayer.py in cscvs. Please send Colin Watson a | ||
153 | # patch if you do this. | ||
154 | |||
155 | # Next, look up the branchpoint revision in the main bzr import (bzr get | ||
156 | # lp:openssh). It's usually easiest to just look it up by commit message | ||
157 | # and double-check the timestamp. Substitute this revision number for | ||
158 | # "BPR" in the following. /path/to/openssh/main is wherever you've checked | ||
159 | # out lp:openssh. | ||
160 | bzr get -rBPR /path/to/openssh/main /path/to/openssh/5.3 | ||
161 | # If you're using Bazaar signed commits with a GPG agent, make sure that | ||
162 | # your agent has seen your passphrase recently. Now you can start the | ||
163 | # actual import! | ||
164 | cscvs -D4 totla -SC V_5_3.CSX: /path/to/openssh/5.3 | ||
165 | # If this fails at the end with a "directories differ" message, you may | ||
166 | # have forgotten to switch your CVS checkout to the appropriate branch | ||
167 | # with 'cvs up -r...' above. Otherwise you'll have to debug this for | ||
168 | # yourself. It's also worth double-checking that any files added to the | ||
169 | # branch have file-ids matching those on the trunk, using 'bzr ls -R | ||
170 | # --show-ids'. | ||
171 | |||
172 | Now we have a Bazaar branch corresponding to what's in CVS. Previous such | ||
173 | branches are available from Launchpad, for reference purposes: | ||
174 | |||
175 | https://code.launchpad.net/openssh | ||
176 | |||
177 | However, upstream releases involve a 'make distprep' step as well to | ||
178 | construct the tarball, and we need to import the results of this as well to | ||
179 | get a clean package. | ||
180 | |||
181 | Start by unpacking the upstream tarball (remember to check its GPG signature | ||
182 | first!). Copy the .bzr directory from the upstream branch you prepared | ||
183 | earlier. Now we have another branch, but with a working tree corresponding | ||
184 | to the upstream tarball. Modifications and deletions are handled | ||
185 | automatically, but we need to handle additions explicitly to make sure | ||
186 | file-ids are correct (see above). Run: | ||
187 | |||
188 | bzr add --file-ids-from=/path/to/openssh/debian/trunk | ||
189 | bzr st --show-ids | ||
190 | # compare this with 'bzr ls --show-ids' in the Debian trunk to make sure | ||
191 | # the result will be mergeable | ||
192 | bzr ci -m 'Import 5.3p1 tarball' | ||
193 | |||
194 | Add a parent revision for the previous tarball branch, to make it easier for | ||
195 | bzr to compute accurate merges. | ||
196 | |||
197 | bzr log -n0 /path/to/openssh/debian/trunk | less | ||
198 | # find revision number for previous tarball import, hence 'PREVIOUS' | ||
199 | bzr merge -rPREVIOUS /path/to/openssh/debian/trunk | ||
200 | # merge history only, no file changes | ||
201 | bzr revert . | ||
202 | bzr ci -m 'add 5.2p1 tarball parent revision' | ||
203 | |||
204 | Next, merge this into the gssapi branch | ||
205 | (bzr+ssh://bzr.debian.org/bzr/pkg-ssh/openssh/gssapi/). For this branch, we | ||
206 | want to ignore the normal results of merging and take only the patch from | ||
207 | http://www.sxw.org.uk/computing/patches/openssh.html; of course such a patch | ||
208 | needs to exist first! To do this, run this in the gssapi branch: | ||
209 | |||
210 | bzr merge /path/to/openssh/tarball/branch | ||
211 | bzr revert -rrevno:-1:/path/to/openssh/tarball/branch . | ||
212 | patch -p1 </path/to/openssh/gssapi/patch | ||
213 | bzr add --file-ids-from=/path/to/openssh/debian/trunk | ||
214 | # you may need to deal with applying configure.ac changes to configure | ||
215 | # here | ||
216 | bzr ci -m 'import openssh-5.3p1-gsskex-all-20100124.patch' | ||
217 | |||
218 | You should now be able to 'bzr merge' from the gssapi branch into the Debian | ||
219 | trunk, resolve conflicts, and commit. If you see lots of "Contents conflict" | ||
220 | messages, you may have got the file-ids wrong. Once you've committed the | ||
221 | merge, you can throw away the tarball branch, as all its history will have | ||
222 | been incorporated. | ||
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 000000000..a116a76eb --- /dev/null +++ b/debian/changelog | |||
@@ -0,0 +1,3060 @@ | |||
1 | openssh (1:5.5p1-1) UNRELEASED; urgency=low | ||
2 | |||
3 | * New upstream release: | ||
4 | - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative | ||
5 | paths. | ||
6 | - Include a language tag when sending a protocol 2 disconnection | ||
7 | message. | ||
8 | - Make logging of certificates used for user authentication more clear | ||
9 | and consistent between CAs specified using TrustedUserCAKeys and | ||
10 | authorized_keys. | ||
11 | |||
12 | -- Colin Watson <cjwatson@ubuntu.com> Fri, 16 Apr 2010 10:21:10 +0100 | ||
13 | |||
14 | openssh (1:5.4p1-2) unstable; urgency=low | ||
15 | |||
16 | * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is | ||
17 | installed, the host key is published in an SSHFP RR secured with DNSSEC, | ||
18 | and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key | ||
19 | verification (closes: #572049). | ||
20 | * Convert to dh(1), and use dh_installdocs --link-doc. | ||
21 | * Drop lpia support, since Ubuntu no longer supports this architecture. | ||
22 | * Use dh_install more effectively. | ||
23 | * Add a NEWS.Debian entry about changes in smartcard support relative to | ||
24 | previous unofficial builds (closes: #231472). | ||
25 | |||
26 | -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100 | ||
27 | |||
28 | openssh (1:5.4p1-1) unstable; urgency=low | ||
29 | |||
30 | * New upstream release (LP: #535029). | ||
31 | - After a transition period of about 10 years, this release disables SSH | ||
32 | protocol 1 by default. Clients and servers that need to use the | ||
33 | legacy protocol must explicitly enable it in ssh_config / sshd_config | ||
34 | or on the command-line. | ||
35 | - Remove the libsectok/OpenSC-based smartcard code and add support for | ||
36 | PKCS#11 tokens. This support is enabled by default in the Debian | ||
37 | packaging, since it now doesn't involve additional library | ||
38 | dependencies (closes: #231472, LP: #16918). | ||
39 | - Add support for certificate authentication of users and hosts using a | ||
40 | new, minimal OpenSSH certificate format (closes: #482806). | ||
41 | - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". | ||
42 | - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian | ||
43 | package, this overlaps with the key blacklisting facility added in | ||
44 | openssh 1:4.7p1-9, but with different file formats and slightly | ||
45 | different scopes; for the moment, I've roughly merged the two.) | ||
46 | - Various multiplexing improvements, including support for requesting | ||
47 | port-forwardings via the multiplex protocol (closes: #360151). | ||
48 | - Allow setting an explicit umask on the sftp-server(8) commandline to | ||
49 | override whatever default the user has (closes: #496843). | ||
50 | - Many sftp client improvements, including tab-completion, more options, | ||
51 | and recursive transfer support for get/put (LP: #33378). The old | ||
52 | mget/mput commands never worked properly and have been removed | ||
53 | (closes: #270399, #428082). | ||
54 | - Do not prompt for a passphrase if we fail to open a keyfile, and log | ||
55 | the reason why the open failed to debug (closes: #431538). | ||
56 | - Prevent sftp from crashing when given a "-" without a command. Also, | ||
57 | allow whitespace to follow a "-" (closes: #531561). | ||
58 | |||
59 | * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some | ||
60 | patches apply with offsets. | ||
61 | * Include debian/ssh-askpass-gnome.png in the Debian tarball now that | ||
62 | we're using a source format that permits this, rather than messing | ||
63 | around with uudecode. | ||
64 | * Drop compatibility with the old gssapi mechanism used in ssh-krb5 << | ||
65 | 3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi | ||
66 | mechanism was removed due to a serious security hole, and since these | ||
67 | versions of ssh-krb5 are no longer security-supported by Debian I don't | ||
68 | think there's any point keeping client compatibility for them. | ||
69 | * Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4. | ||
70 | * Hardcode the location of xauth to /usr/bin/xauth rather than | ||
71 | /usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440). | ||
72 | xauth no longer depends on x11-common, so we're no longer guaranteed to | ||
73 | have the /usr/bin/X11 symlink available. I was taking advantage of the | ||
74 | /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far | ||
75 | enough in the past now that it's probably safe to just use /usr/bin. | ||
76 | * Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes | ||
77 | itself non-OOM-killable, and doesn't require configuration to avoid log | ||
78 | spam in virtualisation containers (closes: #555625). | ||
79 | * Drop Debian-specific removal of OpenSSL version check. Upstream ignores | ||
80 | the two patchlevel nybbles now, which is sufficient to address the | ||
81 | original reason this change was introduced, and it appears that any | ||
82 | change in the major/minor/fix nybbles would involve a new libssl package | ||
83 | name. (We'd still lose if the status nybble were ever changed, but that | ||
84 | would mean somebody had packaged a development/beta version rather than | ||
85 | a proper release, which doesn't appear to be normal practice.) | ||
86 | * Drop most of our "LogLevel SILENT" (-qq) patch. This was originally | ||
87 | introduced to match the behaviour of non-free SSH, in which -q does not | ||
88 | suppress fatal errors, but matching the behaviour of OpenSSH upstream is | ||
89 | much more important nowadays. We no longer document that -q does not | ||
90 | suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to | ||
91 | "LogLevel QUIET" in sshd_config on upgrade. | ||
92 | * Policy version 3.8.4: | ||
93 | - Add a Homepage field. | ||
94 | |||
95 | -- Colin Watson <cjwatson@debian.org> Tue, 06 Apr 2010 22:38:31 +0100 | ||
96 | |||
97 | openssh (1:5.3p1-3) unstable; urgency=low | ||
98 | |||
99 | * Convert to source format 3.0 (quilt). | ||
100 | * Update README.source to match, and add a 'quilt-setup' target to | ||
101 | debian/rules for the benefit of those checking out the package from | ||
102 | revision control. | ||
103 | * All patches are now maintained separately and tagged according to DEP-3. | ||
104 | * Add GSSAPIStoreCredentialsOnRekey to 'sshd -T' configuration dump. | ||
105 | * Remove documentation of building for Debian 3.0 in README.Debian. | ||
106 | Support for this was removed in 1:4.7p1-2. | ||
107 | * Remove obsolete header from README.Debian dating from when people | ||
108 | expected non-free SSH. | ||
109 | * Update copyright years for GSSAPI patch. | ||
110 | |||
111 | -- Colin Watson <cjwatson@debian.org> Sun, 28 Feb 2010 01:35:53 +0000 | ||
112 | |||
113 | openssh (1:5.3p1-2) unstable; urgency=low | ||
114 | |||
115 | * Link with -Wl,--as-needed (closes: #560155). | ||
116 | * Install upstream sshd_config as an example (closes: #415008). | ||
117 | * Use dh_lintian. | ||
118 | * Honour DEB_BUILD_OPTIONS=nocheck. | ||
119 | |||
120 | -- Colin Watson <cjwatson@debian.org> Mon, 22 Feb 2010 12:43:24 +0000 | ||
121 | |||
122 | openssh (1:5.3p1-1) unstable; urgency=low | ||
123 | |||
124 | * New upstream release. | ||
125 | * Update to GSSAPI patch from | ||
126 | http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch. | ||
127 | * Backport from upstream: | ||
128 | - Do not fall back to adding keys without constraints (ssh-add -c / -t | ||
129 | ...) when the agent refuses the constrained add request. This was a | ||
130 | useful migration measure back in 2002 when constraints were new, but | ||
131 | just adds risk now (LP: #209447). | ||
132 | * Drop change from 1:3.8p1-3 to avoid setresuid() and setresgid() system | ||
133 | calls. This only applied to Linux 2.2, which it's no longer feasible to | ||
134 | run anyway (see 1:5.2p1-2 changelog). | ||
135 | |||
136 | -- Colin Watson <cjwatson@debian.org> Tue, 26 Jan 2010 11:55:29 +0000 | ||
137 | |||
138 | openssh (1:5.2p1-2) unstable; urgency=low | ||
139 | |||
140 | [ Colin Watson ] | ||
141 | * Backport from upstream: | ||
142 | - After sshd receives a SIGHUP, ignore subsequent HUPs while sshd | ||
143 | re-execs itself. Prevents two HUPs in quick succession from resulting | ||
144 | in sshd dying (LP: #497781). | ||
145 | - Output a debug if we can't open an existing keyfile (LP: #505301). | ||
146 | * Use host compiler for ssh-askpass-gnome when cross-compiling. | ||
147 | * Don't run tests when cross-compiling. | ||
148 | * Drop change from 1:3.6.1p2-5 to disable cmsg_type check for file | ||
149 | descriptor passing when running on Linux 2.0. The previous stable | ||
150 | release of Debian dropped support for Linux 2.4, let alone 2.0, so this | ||
151 | very likely has no remaining users depending on it. | ||
152 | |||
153 | [ Kees Cook ] | ||
154 | * Implement DebianBanner server configuration flag that can be set to "no" | ||
155 | to allow sshd to run without the Debian-specific extra version in the | ||
156 | initial protocol handshake (closes: #562048). | ||
157 | |||
158 | -- Colin Watson <cjwatson@debian.org> Sat, 16 Jan 2010 01:28:58 +0000 | ||
159 | |||
160 | openssh (1:5.2p1-1) unstable; urgency=low | ||
161 | |||
162 | * New upstream release (closes: #536182). Yes, I know 5.3p1 has been out | ||
163 | for a while, but there's no GSSAPI patch available for it yet. | ||
164 | - Change the default cipher order to prefer the AES CTR modes and the | ||
165 | revised "arcfour256" mode to CBC mode ciphers that are susceptible to | ||
166 | CPNI-957037 "Plaintext Recovery Attack Against SSH". | ||
167 | - Add countermeasures to mitigate CPNI-957037-style attacks against the | ||
168 | SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid | ||
169 | packet length or Message Authentication Code, ssh/sshd will continue | ||
170 | reading up to the maximum supported packet length rather than | ||
171 | immediately terminating the connection. This eliminates most of the | ||
172 | known differences in behaviour that leaked information about the | ||
173 | plaintext of injected data which formed the basis of this attack | ||
174 | (closes: #506115, LP: #379329). | ||
175 | - ForceCommand directive now accepts commandline arguments for the | ||
176 | internal-sftp server (closes: #524423, LP: #362511). | ||
177 | - Add AllowAgentForwarding to available Match keywords list (closes: | ||
178 | #540623). | ||
179 | - Make ssh(1) send the correct channel number for | ||
180 | SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to | ||
181 | avoid triggering 'Non-public channel' error messages on sshd(8) in | ||
182 | openssh-5.1. | ||
183 | - Avoid printing 'Non-public channel' warnings in sshd(8), since the | ||
184 | ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a | ||
185 | behaviour introduced in openssh-5.1; closes: #496017). | ||
186 | - Disable nonfunctional ssh(1) ~C escape handler in multiplex slave | ||
187 | connections (closes: #507541). | ||
188 | - Fix "whitepsace" typo in ssh_config(5) (closes: #514313, LP: #303835). | ||
189 | * Update to GSSAPI patch from | ||
190 | http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, | ||
191 | including cascading credentials support (LP: #416958). | ||
192 | * Use x11.pc when compiling/linking gnome-ssh-askpass2 (closes: #555951). | ||
193 | * Moved to bzr.debian.org; add Vcs-Bzr and Vcs-Browser control fields. | ||
194 | * Add debian/README.source with instructions on bzr handling. | ||
195 | * Make ChrootDirectory work with SELinux (thanks, Russell Coker; closes: | ||
196 | #556644). | ||
197 | * Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav OvsÃk; | ||
198 | closes: #498684). | ||
199 | * Don't duplicate backslashes when displaying server banner (thanks, | ||
200 | Michał Górny; closes: #505378, LP: #425346). | ||
201 | * Use hardening-includes for hardening logic (thanks, Kees Cook; closes: | ||
202 | #561887). | ||
203 | * Update OpenSSH FAQ to revision 1.110. | ||
204 | * Remove ssh/new_config, only needed for direct upgrades from potato which | ||
205 | are no longer particularly feasible anyway (closes: #420682). | ||
206 | * Cope with insserv reordering of init script links. | ||
207 | * Remove init script stop link in rc1, as killprocs handles it already. | ||
208 | * Adjust short descriptions to avoid relying on previous experience with | ||
209 | rsh, based on suggestions from Reuben Thomas (closes: #512198). | ||
210 | * Remove manual page references to login.conf, which aren't applicable on | ||
211 | non-BSD systems (closes: #154434). | ||
212 | * Remove/adjust manual page references to BSD-specific /etc/rc (closes: | ||
213 | #513417). | ||
214 | * Refer to sshd_config(5) rather than sshd(8) in postinst-written | ||
215 | /etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped | ||
216 | configuration file (closes: #415008, although unfortunately this will | ||
217 | only be conveniently visible on new installations). | ||
218 | * Include URL to OpenBSD's ssl(8) in ssh(1), since I don't see a better | ||
219 | source for the same information among Debian's manual pages (closes: | ||
220 | #530692, LP: #456660). | ||
221 | |||
222 | -- Colin Watson <cjwatson@debian.org> Mon, 04 Jan 2010 13:23:35 +0000 | ||
223 | |||
224 | openssh (1:5.1p1-8) unstable; urgency=low | ||
225 | |||
226 | * Build with just -fPIC on mips/mipsel, not -fPIE as well (thanks, LIU Qi; | ||
227 | closes: #538313). | ||
228 | * Build-depend on libselinux1-dev on sh4 too (thanks, Nobuhiro Iwamatsu; | ||
229 | closes: #547103). | ||
230 | * Fix grammar in if-up script (closes: #549128). | ||
231 | * Pass $SSHD_OPTS when checking configuration too (thanks, "sobtwmxt"; | ||
232 | closes: #548662). | ||
233 | |||
234 | -- Colin Watson <cjwatson@debian.org> Mon, 05 Oct 2009 13:30:49 +0100 | ||
235 | |||
236 | openssh (1:5.1p1-7) unstable; urgency=low | ||
237 | |||
238 | * Update config.guess and config.sub from autotools-dev 20090611.1 | ||
239 | (closes: #538301). | ||
240 | * Set umask to 022 in the init script as well as postinsts (closes: | ||
241 | #539030). | ||
242 | * Add ${misc:Depends} to keep Lintian happy. | ||
243 | * Use 'which' rather than 'type' in maintainer scripts. | ||
244 | * Upgrade to debhelper v7. | ||
245 | |||
246 | -- Colin Watson <cjwatson@debian.org> Fri, 31 Jul 2009 16:28:10 +0100 | ||
247 | |||
248 | openssh (1:5.1p1-6) unstable; urgency=low | ||
249 | |||
250 | * Open /proc/self/oom_adj with O_RDONLY or O_WRONLY as necessary, rather | ||
251 | than O_RDWR. | ||
252 | * Disable OOM adjustment for vserver/OpenVZ (thanks, Karl Chen; closes: | ||
253 | #511771). | ||
254 | * Add ufw integration (thanks, Didier Roche; see | ||
255 | https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages; | ||
256 | LP: #261884). | ||
257 | * Add a comment above PermitRootLogin in sshd_config pointing to | ||
258 | README.Debian. | ||
259 | * Check if delgroup is present in openssh-client.postrm (closes: #530501). | ||
260 | * Build with -fPIC on mips/mipsel (thanks, Luk Claes; closes: #531942). | ||
261 | * Remove /var/run/sshd from openssh-server package; it will be created at | ||
262 | run-time before starting the server. | ||
263 | * Use invoke-rc.d in openssh-server's if-up script. | ||
264 | |||
265 | -- Colin Watson <cjwatson@debian.org> Fri, 05 Jun 2009 11:56:03 +0100 | ||
266 | |||
267 | openssh (1:5.1p1-5) unstable; urgency=low | ||
268 | |||
269 | * Backport from upstream CVS (Markus Friedl): | ||
270 | - packet_disconnect() on padding error, too. Should reduce the success | ||
271 | probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18. | ||
272 | * Check that /var/run/sshd.pid exists and that the process ID listed there | ||
273 | corresponds to sshd before running '/etc/init.d/ssh reload' from if-up | ||
274 | script; SIGHUP is racy if called at boot before sshd has a chance to | ||
275 | install its signal handler, but fortunately the pid file is written | ||
276 | after that which lets us avoid the race (closes: #502444). | ||
277 | * While the above is a valuable sanity-check, it turns out that it doesn't | ||
278 | really fix the bug (thanks to Kevin Price for testing), so for the | ||
279 | meantime we'll just use '/etc/init.d/ssh restart', even though it is | ||
280 | unfortunately heavyweight. | ||
281 | |||
282 | -- Colin Watson <cjwatson@debian.org> Wed, 14 Jan 2009 00:34:08 +0000 | ||
283 | |||
284 | openssh (1:5.1p1-4) unstable; urgency=low | ||
285 | |||
286 | * ssh-copy-id: Strip trailing colons from hostname (closes: #226172, | ||
287 | LP: #249706; thanks to Karl Goetz for nudging this along; forwarded | ||
288 | upstream as https://bugzilla.mindrot.org/show_bug.cgi?id=1530). | ||
289 | * Backport from upstream CVS (Markus Friedl): | ||
290 | - Only send eow and no-more-sessions requests to openssh 5 and newer; | ||
291 | fixes interop problems with broken ssh v2 implementations (closes: | ||
292 | #495917). | ||
293 | * Fix double-free when failing to parse a forwarding specification given | ||
294 | using ~C (closes: #505330; forwarded upstream as | ||
295 | https://bugzilla.mindrot.org/show_bug.cgi?id=1539). | ||
296 | |||
297 | -- Colin Watson <cjwatson@debian.org> Sun, 23 Nov 2008 14:46:10 +0000 | ||
298 | |||
299 | openssh (1:5.1p1-3) unstable; urgency=low | ||
300 | |||
301 | * Remove unnecessary ssh-vulnkey output in non-verbose mode when no | ||
302 | compromised or unknown keys were found (closes: #496495). | ||
303 | * Configure with --disable-strip; dh_strip will deal with stripping | ||
304 | binaries and will honour DEB_BUILD_OPTIONS (thanks, Bernhard R. Link; | ||
305 | closes: #498681). | ||
306 | * Fix handling of zero-length server banners (thanks, Tomas Mraz; closes: | ||
307 | #497026). | ||
308 | |||
309 | -- Colin Watson <cjwatson@debian.org> Tue, 30 Sep 2008 23:09:58 +0100 | ||
310 | |||
311 | openssh (1:5.1p1-2) unstable; urgency=low | ||
312 | |||
313 | * Look for $SHELL on the path when executing ProxyCommands or | ||
314 | LocalCommands (closes: #492728). | ||
315 | |||
316 | -- Colin Watson <cjwatson@debian.org> Tue, 29 Jul 2008 15:31:25 +0100 | ||
317 | |||
318 | openssh (1:5.1p1-1) unstable; urgency=low | ||
319 | |||
320 | * New upstream release (closes: #474301). Important changes not previously | ||
321 | backported to 4.7p1: | ||
322 | - 4.9/4.9p1 (http://www.openssh.com/txt/release-4.9): | ||
323 | + Added chroot(2) support for sshd(8), controlled by a new option | ||
324 | "ChrootDirectory" (closes: #139047, LP: #24777). | ||
325 | + Linked sftp-server(8) into sshd(8). The internal sftp server is used | ||
326 | when the command "internal-sftp" is specified in a Subsystem or | ||
327 | ForceCommand declaration. When used with ChrootDirectory, the | ||
328 | internal sftp server requires no special configuration of files | ||
329 | inside the chroot environment. | ||
330 | + Added a protocol extension method "posix-rename@openssh.com" for | ||
331 | sftp-server(8) to perform POSIX atomic rename() operations; sftp(1) | ||
332 | prefers this if available (closes: #308561). | ||
333 | + Removed the fixed limit of 100 file handles in sftp-server(8). | ||
334 | + ssh(8) will now skip generation of SSH protocol 1 ephemeral server | ||
335 | keys when in inetd mode and protocol 2 connections are negotiated. | ||
336 | This speeds up protocol 2 connections to inetd-mode servers that | ||
337 | also allow Protocol 1. | ||
338 | + Accept the PermitRootLogin directive in a sshd_config(5) Match | ||
339 | block. Allows for, e.g. permitting root only from the local network. | ||
340 | + Reworked sftp(1) argument splitting and escaping to be more | ||
341 | internally consistent (i.e. between sftp commands) and more | ||
342 | consistent with sh(1). Please note that this will change the | ||
343 | interpretation of some quoted strings, especially those with | ||
344 | embedded backslash escape sequences. | ||
345 | + Support "Banner=none" in sshd_config(5) to disable sending of a | ||
346 | pre-login banner (e.g. in a Match block). | ||
347 | + ssh(1) ProxyCommands are now executed with $SHELL rather than | ||
348 | /bin/sh. | ||
349 | + ssh(1)'s ConnectTimeout option is now applied to both the TCP | ||
350 | connection and the SSH banner exchange (previously it just covered | ||
351 | the TCP connection). This allows callers of ssh(1) to better detect | ||
352 | and deal with stuck servers that accept a TCP connection but don't | ||
353 | progress the protocol, and also makes ConnectTimeout useful for | ||
354 | connections via a ProxyCommand. | ||
355 | + scp(1) incorrectly reported "stalled" on slow copies (closes: | ||
356 | #140828). | ||
357 | + scp(1) date underflow for timestamps before epoch. | ||
358 | + ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS, | ||
359 | instead of the current standard RRSIG. | ||
360 | + Correctly drain ACKs when a sftp(1) upload write fails midway, | ||
361 | avoids a fatal() exit from what should be a recoverable condition. | ||
362 | + Fixed ssh-keygen(1) selective host key hashing (i.e. "ssh-keygen -HF | ||
363 | hostname") to not include any IP address in the data to be hashed. | ||
364 | + Make ssh(1) skip listening on the IPv6 wildcard address when a | ||
365 | binding address of 0.0.0.0 is used against an old SSH server that | ||
366 | does not support the RFC4254 syntax for wildcard bind addresses. | ||
367 | + Enable IPV6_V6ONLY socket option on sshd(8) listen socket, as is | ||
368 | already done for X11/TCP forwarding sockets (closes: #439661). | ||
369 | + Fix FD leak that could hang a ssh(1) connection multiplexing master. | ||
370 | + Make ssh(1) -q option documentation consistent with reality. | ||
371 | + Fixed sshd(8) PAM support not calling pam_session_close(), or | ||
372 | failing to call it with root privileges (closes: #372680). | ||
373 | + Fix activation of OpenSSL engine support when requested in configure | ||
374 | (LP: #119295). | ||
375 | + Cache SELinux status earlier so we know if it's enabled after a | ||
376 | chroot (LP: #237557). | ||
377 | - 5.1/5.1p1 (http://www.openssh.com/txt/release-5.1): | ||
378 | + Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) | ||
379 | and ssh-keygen(1). Visual fingerprint display is controlled by a new | ||
380 | ssh_config(5) option "VisualHostKey". The intent is to render SSH | ||
381 | host keys in a visual form that is amenable to easy recall and | ||
382 | rejection of changed host keys. | ||
383 | + sshd_config(5) now supports CIDR address/masklen matching in "Match | ||
384 | address" blocks, with a fallback to classic wildcard matching. | ||
385 | + sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys | ||
386 | from="..." restrictions, also with a fallback to classic wildcard | ||
387 | matching. | ||
388 | + Added an extended test mode (-T) to sshd(8) to request that it write | ||
389 | its effective configuration to stdout and exit. Extended test mode | ||
390 | also supports the specification of connection parameters (username, | ||
391 | source address and hostname) to test the application of | ||
392 | sshd_config(5) Match rules. | ||
393 | + ssh(1) now prints the number of bytes transferred and the overall | ||
394 | connection throughput for SSH protocol 2 sessions when in verbose | ||
395 | mode (previously these statistics were displayed for protocol 1 | ||
396 | connections only). | ||
397 | + sftp-server(8) now supports extension methods statvfs@openssh.com | ||
398 | and fstatvfs@openssh.com that implement statvfs(2)-like operations. | ||
399 | + sftp(1) now has a "df" command to the sftp client that uses the | ||
400 | statvfs@openssh.com to produce a df(1)-like display of filesystem | ||
401 | space and inode utilisation (requires statvfs@openssh.com support on | ||
402 | the server). | ||
403 | + Added a MaxSessions option to sshd_config(5) to allow control of the | ||
404 | number of multiplexed sessions supported over a single TCP | ||
405 | connection. This allows increasing the number of allowed sessions | ||
406 | above the previous default of 10, disabling connection multiplexing | ||
407 | (MaxSessions=1) or disallowing login/shell/subsystem sessions | ||
408 | entirely (MaxSessions=0). | ||
409 | + Added a no-more-sessions@openssh.com global request extension that | ||
410 | is sent from ssh(1) to sshd(8) when the client knows that it will | ||
411 | never request another session (i.e. when session multiplexing is | ||
412 | disabled). This allows a server to disallow further session requests | ||
413 | and terminate the session in cases where the client has been | ||
414 | hijacked. | ||
415 | + ssh-keygen(1) now supports the use of the -l option in combination | ||
416 | with -F to search for a host in ~/.ssh/known_hosts and display its | ||
417 | fingerprint. | ||
418 | + ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of | ||
419 | "rsa1" (LP: #129794). | ||
420 | + Added an AllowAgentForwarding option to sshd_config(8) to control | ||
421 | whether authentication agent forwarding is permitted. Note that this | ||
422 | is a loose control, as a client may install their own unofficial | ||
423 | forwarder. | ||
424 | + ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when | ||
425 | receiving network data, resulting in a ~10% speedup. | ||
426 | + ssh(1) and sshd(8) will now try additional addresses when connecting | ||
427 | to a port forward destination whose DNS name resolves to more than | ||
428 | one address. The previous behaviour was to try the only first | ||
429 | address and give up if that failed. | ||
430 | + ssh(1) and sshd(8) now support signalling that channels are | ||
431 | half-closed for writing, through a channel protocol extension | ||
432 | notification "eow@openssh.com". This allows propagation of closed | ||
433 | file descriptors, so that commands such as "ssh -2 localhost od | ||
434 | /bin/ls | true" do not send unnecessary data over the wire. | ||
435 | + sshd(8): increased the default size of ssh protocol 1 ephemeral keys | ||
436 | from 768 to 1024 bits. | ||
437 | + When ssh(1) has been requested to fork after authentication ("ssh | ||
438 | -f") with ExitOnForwardFailure enabled, delay the fork until after | ||
439 | replies for any -R forwards have been seen. Allows for robust | ||
440 | detection of -R forward failure when using -f. | ||
441 | + "Match group" blocks in sshd_config(5) now support negation of | ||
442 | groups. E.g. "Match group staff,!guests". | ||
443 | + sftp(1) and sftp-server(8) now allow chmod-like operations to set | ||
444 | set[ug]id/sticky bits. | ||
445 | + The MaxAuthTries option is now permitted in sshd_config(5) match | ||
446 | blocks. | ||
447 | + Multiplexed ssh(1) sessions now support a subset of the ~ escapes | ||
448 | that are available to a primary connection. | ||
449 | + ssh(1) connection multiplexing will now fall back to creating a new | ||
450 | connection in most error cases (closes: #352830). | ||
451 | + Make ssh(1) deal more gracefully with channel requests that fail. | ||
452 | Previously it would optimistically assume that requests would always | ||
453 | succeed, which could cause hangs if they did not (e.g. when the | ||
454 | server runs out of file descriptors). | ||
455 | + ssh(1) now reports multiplexing errors via the multiplex slave's | ||
456 | stderr where possible (subject to LogLevel in the mux master). | ||
457 | + Fixed an UMAC alignment problem that manifested on Itanium | ||
458 | platforms. | ||
459 | * Remove our local version of moduli(5) now that there's one upstream. | ||
460 | * Say "GTK+" rather than "GTK" in ssh-askpass-gnome's description. | ||
461 | * Add lintian overrides for empty /usr/share/doc/openssh-client | ||
462 | directories in openssh-server and ssh (necessary due to being symlink | ||
463 | targets). | ||
464 | * Merge from Ubuntu: | ||
465 | - Add 'status' action to openssh-server init script, requiring lsb-base | ||
466 | (>= 3.2-13) (thanks, Dustin Kirkland). | ||
467 | * debconf template translations: | ||
468 | - Update Korean (thanks, Sunjae Park; closes: #484821). | ||
469 | |||
470 | -- Colin Watson <cjwatson@debian.org> Fri, 25 Jul 2008 10:45:08 +0100 | ||
471 | |||
472 | openssh (1:4.7p1-13) unstable; urgency=low | ||
473 | |||
474 | * Add some helpful advice to the end of ssh-vulnkey's output if there are | ||
475 | unknown or compromised keys (thanks, Dan Jacobson; closes: #483756). | ||
476 | * Check compromised key blacklist in ssh or ssh-add, as well as in the | ||
477 | server (LP: #232391). To override the blacklist check in ssh | ||
478 | temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override | ||
479 | for the blacklist check in ssh-add. | ||
480 | * Add cross-references to ssh-vulnkey(1) to ssh(1), ssh-add(1), | ||
481 | ssh-keygen(1), and sshd(8) (closes: #484451). | ||
482 | * Change openssh-client-udeb's Installer-Menu-Item from 99900 to 99999 | ||
483 | (thanks, Frans Pop). | ||
484 | * Drop openssh-client-udeb isinstallable hack, as main-menu (>= 1.26) now | ||
485 | takes care of that (thanks, Frans Pop; closes: #484404). | ||
486 | * Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0. | ||
487 | * Add documentation on removing openssh-blacklist locally (see #484269). | ||
488 | * Clarify documentation of SSHD_OOM_ADJUST, and make setting it to the | ||
489 | empty string actually skip adjustment as intended (closes: #487325). | ||
490 | * Remove empty /usr/share/applications directory in ssh-askpass-gnome. | ||
491 | * debconf template translations: | ||
492 | - Update Romanian (thanks, Cătălin Feștilă; closes: #485415). | ||
493 | |||
494 | -- Colin Watson <cjwatson@debian.org> Mon, 21 Jul 2008 12:18:28 +0100 | ||
495 | |||
496 | openssh (1:4.7p1-12) unstable; urgency=low | ||
497 | |||
498 | * Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10. | ||
499 | * Refactor rejection of blacklisted user keys into a single | ||
500 | reject_blacklisted_key function in auth.c (thanks, Dmitry V. Levin). | ||
501 | * Fix memory leak of blacklisted host keys (thanks, Dmitry V. Levin). | ||
502 | * debconf template translations: | ||
503 | - Update Dutch (thanks, Bart Cornelis; closes: #483004). | ||
504 | - Update Brazilian Portuguese (thanks, Eder L. Marques; closes: | ||
505 | #483142). | ||
506 | - Update Slovak (thanks, Ivan Masár; closes: #483517). | ||
507 | |||
508 | -- Colin Watson <cjwatson@debian.org> Thu, 29 May 2008 21:41:29 +0100 | ||
509 | |||
510 | openssh (1:4.7p1-11) unstable; urgency=low | ||
511 | |||
512 | * Make init script depend on $syslog, and fix some other dependency | ||
513 | glitches (thanks, Petter Reinholdtsen; closes: #481018). | ||
514 | * Remove 0 and 6 from Default-Stop in init script (thanks, Kel Modderman; | ||
515 | closes: #481151). | ||
516 | * Restore OOM killer adjustment for child processes (thanks, Vaclav Ovsik; | ||
517 | closes: #480020). | ||
518 | * Allow building with heimdal-dev (LP: #125805). | ||
519 | |||
520 | * Check RSA1 keys without the need for a separate blacklist. Thanks to | ||
521 | Simon Tatham for the idea. | ||
522 | * Generate two keys with the PID forced to the same value and test that | ||
523 | they differ, to defend against recurrences of the recent Debian OpenSSL | ||
524 | vulnerability. | ||
525 | * Recommend openssh-blacklist from openssh-client (closes: #481187). | ||
526 | * Recommend openssh-blacklist-extra from openssh-client and | ||
527 | openssh-server. | ||
528 | * Make ssh-vulnkey report the file name and line number for each key | ||
529 | (thanks, Heiko Schlittermann and Christopher Perry; closes: #481398). | ||
530 | * Check for blacklists in /usr/share/ssh/ as well as /etc/ssh/ (see | ||
531 | #481283). | ||
532 | * Log IP addresses of hosts attempting to use blacklisted keys (closes: | ||
533 | #481721). | ||
534 | * Incorporate various ssh-vulnkey suggestions from Hugh Daniel: | ||
535 | - Add -v (verbose) option, and don't print output for keys that have a | ||
536 | blacklist file but that are not listed unless in verbose mode. | ||
537 | - Move exit status documentation to a separate section. | ||
538 | - Document key status descriptions. | ||
539 | - Add key type to output. | ||
540 | - Fix error output if ssh-vulnkey fails to read key files, with the | ||
541 | exception of host keys unless -a was given. | ||
542 | - In verbose mode, output the name of each file examined. | ||
543 | * Handle leading IP addresses in ssh-vulnkey input (LP: #230497). | ||
544 | * Fix various ssh-vulnkey problems pointed out by Solar Designer: | ||
545 | - Fix some buffer handling inconsistencies. | ||
546 | - Use xasprintf to build user key file names, avoiding truncation | ||
547 | problems. | ||
548 | - Drop to the user's UID when reading user keys with -a. | ||
549 | - Use EUID rather than UID when run with no file names and without -a. | ||
550 | - Reword "Unknown (no blacklist information)" to "Unknown (blacklist | ||
551 | file not installed)". | ||
552 | |||
553 | * Fix typo in ssh/vulnerable_host_keys message (thanks, Esko Arajärvi). | ||
554 | * debconf template translations: | ||
555 | - Update Finnish (thanks, Esko Arajärvi; closes: #481530). | ||
556 | - Update French (thanks, Christian Perrier; closes: #481576). | ||
557 | - Update Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #481591). | ||
558 | - Update Galician (thanks, Jacobo Tarrio; closes: #481596). | ||
559 | - Update Japanese (thanks, Kenshi Muto; closes: #481621). | ||
560 | - Update Czech (thanks, Miroslav Kure; closes: #481624). | ||
561 | - Update German (thanks, Helge Kreutzmann; closes: #481676). | ||
562 | - Update Portuguese (thanks, Ricardo Silva; closes: #481781). | ||
563 | - Update Basque (thanks, Piarres Beobide; closes: #481836). | ||
564 | - Update Bulgarian (thanks, Damyan Ivanov; closes: #481870). | ||
565 | - Update Vietnamese (thanks, Clytie Siddall; closes: #481876). | ||
566 | - Update Spanish (thanks, Javier Fernandez-Sanguino Peña; closes: | ||
567 | #482341). | ||
568 | - Update Turkish (thanks, Mert Dirik; closes: #482548). | ||
569 | - Update Russian (thanks, Yuri Kozlov; closes: #482887). | ||
570 | - Update Swedish (thanks, Martin Bagge; closes: #482464). | ||
571 | - Update Italian (thanks, Luca Monducci; closes: #482808). | ||
572 | |||
573 | -- Colin Watson <cjwatson@debian.org> Mon, 26 May 2008 12:21:39 +0100 | ||
574 | |||
575 | openssh (1:4.7p1-10) unstable; urgency=low | ||
576 | |||
577 | * Add a FILES section to ssh-vulnkey(1) (thanks, Hugh Daniel). | ||
578 | * CVE-2008-2285: ssh-vulnkey handles options in authorized_keys | ||
579 | (LP: #230029), and treats # as introducing a comment even if it is | ||
580 | preceded by whitespace. | ||
581 | |||
582 | -- Colin Watson <cjwatson@debian.org> Wed, 14 May 2008 12:35:05 +0100 | ||
583 | |||
584 | openssh (1:4.7p1-9) unstable; urgency=critical | ||
585 | |||
586 | * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-8. | ||
587 | * Mitigate OpenSSL security vulnerability (CVE-2008-0166): | ||
588 | - Add key blacklisting support. Keys listed in | ||
589 | /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by | ||
590 | sshd, unless "PermitBlacklistedKeys yes" is set in | ||
591 | /etc/ssh/sshd_config. | ||
592 | - Add a new program, ssh-vulnkey, which can be used to check keys | ||
593 | against these blacklists. | ||
594 | - Depend on openssh-blacklist. | ||
595 | - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least | ||
596 | 0.9.8g-9. | ||
597 | - Automatically regenerate known-compromised host keys, with a | ||
598 | critical-priority debconf note. (I regret that there was no time to | ||
599 | gather translations.) | ||
600 | |||
601 | -- Colin Watson <cjwatson@debian.org> Tue, 13 May 2008 12:33:38 +0100 | ||
602 | |||
603 | openssh (1:4.7p1-8) unstable; urgency=high | ||
604 | |||
605 | * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5. | ||
606 | * Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from old | ||
607 | configurations (LP: #211400). | ||
608 | * Tweak scp's reporting of filenames in verbose mode to be a bit less | ||
609 | confusing with spaces (thanks, Nicolas Valcárcel; LP: #89945). | ||
610 | * Backport from 4.9p1: | ||
611 | - CVE-2008-1657: Ignore ~/.ssh/rc if a sshd_config ForceCommand is | ||
612 | specified. | ||
613 | - Add no-user-rc authorized_keys option to disable execution of | ||
614 | ~/.ssh/rc. | ||
615 | * Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1: | ||
616 | - Add code to actually implement GSSAPIStrictAcceptorCheck, which had | ||
617 | somehow been omitted from a previous version of this patch (closes: | ||
618 | #474246). | ||
619 | |||
620 | -- Colin Watson <cjwatson@debian.org> Sun, 06 Apr 2008 12:34:19 +0100 | ||
621 | |||
622 | openssh (1:4.7p1-7) unstable; urgency=low | ||
623 | |||
624 | * Ignore errors writing to oom_adj (closes: #473573). | ||
625 | |||
626 | -- Colin Watson <cjwatson@debian.org> Mon, 31 Mar 2008 16:24:44 +0100 | ||
627 | |||
628 | openssh (1:4.7p1-6) unstable; urgency=low | ||
629 | |||
630 | * Disable the Linux kernel's OOM-killer for the sshd parent; tweak | ||
631 | SSHD_OOM_ADJUST in /etc/default/ssh to change this (closes: #341767). | ||
632 | |||
633 | -- Colin Watson <cjwatson@debian.org> Sun, 30 Mar 2008 21:14:12 +0100 | ||
634 | |||
635 | openssh (1:4.7p1-5) unstable; urgency=low | ||
636 | |||
637 | * Recommends: xauth rather than Suggests: xbase-clients. | ||
638 | * Document in ssh(1) that '-S none' disables connection sharing | ||
639 | (closes: #471437). | ||
640 | * Patch from Red Hat / Fedora: | ||
641 | - CVE-2008-1483: Don't use X11 forwarding port which can't be bound on | ||
642 | all address families, preventing hijacking of X11 forwarding by | ||
643 | unprivileged users when both IPv4 and IPv6 are configured (closes: | ||
644 | #463011). | ||
645 | * Use printf rather than echo -en (a bashism) in openssh-server.config and | ||
646 | openssh-server.preinst. | ||
647 | * debconf template translations: | ||
648 | - Update Finnish (thanks, Esko Arajärvi; closes: #468563). | ||
649 | |||
650 | -- Colin Watson <cjwatson@debian.org> Sat, 22 Mar 2008 12:37:00 +0000 | ||
651 | |||
652 | openssh (1:4.7p1-4) unstable; urgency=low | ||
653 | |||
654 | [ Caleb Case ] | ||
655 | * Fix configure detection of getseuserbyname and | ||
656 | get_default_context_with_level (closes: #465614, LP: #188136). | ||
657 | |||
658 | [ Colin Watson ] | ||
659 | * Include the autogenerated debian/copyright in the source package. | ||
660 | * Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop defining | ||
661 | SSHD_PAM_SERVICE (closes: #255870). | ||
662 | |||
663 | -- Colin Watson <cjwatson@debian.org> Wed, 13 Feb 2008 18:18:52 +0000 | ||
664 | |||
665 | openssh (1:4.7p1-3) unstable; urgency=low | ||
666 | |||
667 | * Improve grammar of ssh-askpass-gnome description. | ||
668 | * Backport from upstream: | ||
669 | - Use the correct packet maximum sizes for remote port and agent | ||
670 | forwarding. Prevents the server from killing the connection if too | ||
671 | much data is queued and an excessively large packet gets sent | ||
672 | (https://bugzilla.mindrot.org/show_bug.cgi?id=1360). | ||
673 | * Allow passing temporary daemon parameters on the init script's command | ||
674 | line, e.g. '/etc/init.d/ssh start "-o PermitRootLogin=yes"' (thanks, | ||
675 | Marc Haber; closes: #458547). | ||
676 | |||
677 | -- Colin Watson <cjwatson@debian.org> Fri, 01 Feb 2008 21:59:59 +0000 | ||
678 | |||
679 | openssh (1:4.7p1-2) unstable; urgency=low | ||
680 | |||
681 | * Adjust many relative links in faq.html to point to | ||
682 | http://www.openssh.org/ (thanks, Dan Jacobson; mentioned in #459807). | ||
683 | * Pass --with-mantype=doc to configure rather than build-depending on | ||
684 | groff (closes: #460121). | ||
685 | * Add armel to architecture list for libselinux1-dev build-dependency | ||
686 | (closes: #460136). | ||
687 | * Drop source-compatibility with Debian 3.0: | ||
688 | - Remove support for building with GNOME 1. This allows simplification | ||
689 | of our GNOME build-dependencies (see #460136). | ||
690 | - Remove hacks to support the old PAM configuration scheme. | ||
691 | - Remove compatibility for building without po-debconf. | ||
692 | * Build-depend on libgtk2.0-dev rather than libgnomeui-dev. As far as I | ||
693 | can see, the GTK2 version of ssh-askpass-gnome has never required | ||
694 | libgnomeui-dev. | ||
695 | |||
696 | -- Colin Watson <cjwatson@debian.org> Fri, 11 Jan 2008 00:14:10 +0000 | ||
697 | |||
698 | openssh (1:4.7p1-1) unstable; urgency=low | ||
699 | |||
700 | * New upstream release (closes: #453367). | ||
701 | - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if | ||
702 | creation of an untrusted cookie fails; found and fixed by Jan Pechanec | ||
703 | (closes: #444738). | ||
704 | - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing | ||
705 | installations are unchanged. | ||
706 | - The SSH channel window size has been increased, and both ssh(1) | ||
707 | sshd(8) now send window updates more aggressively. These improves | ||
708 | performance on high-BDP (Bandwidth Delay Product) networks. | ||
709 | - ssh(1) and sshd(8) now preserve MAC contexts between packets, which | ||
710 | saves 2 hash calls per packet and results in 12-16% speedup for | ||
711 | arcfour256/hmac-md5. | ||
712 | - A new MAC algorithm has been added, UMAC-64 (RFC4418) as | ||
713 | "umac-64@openssh.com". UMAC-64 has been measured to be approximately | ||
714 | 20% faster than HMAC-MD5. | ||
715 | - Failure to establish a ssh(1) TunnelForward is now treated as a fatal | ||
716 | error when the ExitOnForwardFailure option is set. | ||
717 | - ssh(1) returns a sensible exit status if the control master goes away | ||
718 | without passing the full exit status. | ||
719 | - When using a ProxyCommand in ssh(1), set the outgoing hostname with | ||
720 | gethostname(2), allowing hostbased authentication to work. | ||
721 | - Make scp(1) skip FIFOs rather than hanging (closes: #246774). | ||
722 | - Encode non-printing characters in scp(1) filenames. These could cause | ||
723 | copies to be aborted with a "protocol error". | ||
724 | - Handle SIGINT in sshd(8) privilege separation child process to ensure | ||
725 | that wtmp and lastlog records are correctly updated. | ||
726 | - Report GSSAPI mechanism in errors, for libraries that support multiple | ||
727 | mechanisms. | ||
728 | - Improve documentation for ssh-add(1)'s -d option. | ||
729 | - Rearrange and tidy GSSAPI code, removing server-only code being linked | ||
730 | into the client. | ||
731 | - Delay execution of ssh(1)'s LocalCommand until after all forwardings | ||
732 | have been established. | ||
733 | - In scp(1), do not truncate non-regular files. | ||
734 | - Improve exit message from ControlMaster clients. | ||
735 | - Prevent sftp-server(8) from reading until it runs out of buffer space, | ||
736 | whereupon it would exit with a fatal error (closes: #365541). | ||
737 | - pam_end() was not being called if authentication failed | ||
738 | (closes: #405041). | ||
739 | - Manual page datestamps updated (closes: #433181). | ||
740 | * Install the OpenSSH FAQ in /usr/share/doc/openssh-client. | ||
741 | - Includes documentation on copying files with colons using scp | ||
742 | (closes: #303453). | ||
743 | * Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists | ||
744 | (closes: #453285). | ||
745 | * Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699). | ||
746 | * Refactor debian/rules configure and make invocations to make development | ||
747 | easier. | ||
748 | * Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013). | ||
749 | * Update moduli(5) to revision 1.11 from OpenBSD CVS. | ||
750 | * Document the non-default options we set as standard in ssh_config(5) and | ||
751 | sshd_config(5) (closes: #327886, #345628). | ||
752 | * Recode LICENCE to UTF-8 when concatenating it to debian/copyright. | ||
753 | * Override desktop-file-but-no-dh_desktop-call lintian warning; the | ||
754 | .desktop file is intentionally not installed (see 1:3.8.1p1-10). | ||
755 | * Update copyright dates for Kerberos patch in debian/copyright.head. | ||
756 | * Policy version 3.7.3: no changes required. | ||
757 | |||
758 | -- Colin Watson <cjwatson@debian.org> Mon, 24 Dec 2007 16:43:02 +0000 | ||
759 | |||
760 | openssh (1:4.6p1-7) unstable; urgency=low | ||
761 | |||
762 | * Don't build PIE executables on m68k (closes: #451192). | ||
763 | * Use autotools-dev's recommended configure --build and --host options. | ||
764 | * Adjust README.Debian to suggest mailing debian-ssh@lists.debian.org | ||
765 | rather than Matthew. | ||
766 | * Check whether deluser exists in postrm (closes: #454085). | ||
767 | |||
768 | -- Colin Watson <cjwatson@debian.org> Mon, 03 Dec 2007 11:11:02 +0000 | ||
769 | |||
770 | openssh (1:4.6p1-6) unstable; urgency=low | ||
771 | |||
772 | * Remove blank line between head comment and first template in | ||
773 | debian/openssh-server.templates.master; apparently it confuses some | ||
774 | versions of debconf. | ||
775 | * Install authorized_keys(5) as a symlink to sshd(8) (thanks, Tomas | ||
776 | Pospisek; closes: #441817). | ||
777 | * Discard error output from dpkg-query in preinsts, in case the ssh | ||
778 | metapackage is not installed. | ||
779 | * Fix sshd/inittab advice in README.Debian to account for rc.d movement | ||
780 | (closes: #450632). | ||
781 | * Suppress error from debian/rules if lsb-release is not installed. | ||
782 | * Don't ignore errors from 'make -C contrib clean'. | ||
783 | * Adjust categories in ssh-askpass-gnome.desktop to comply with the | ||
784 | Desktop Menu Specification. | ||
785 | * debconf template translations: | ||
786 | - Add Slovak (thanks, Ivan Masár; closes: #441690). | ||
787 | - Update Brazilian Portuguese (thanks, Eder L. Marques; | ||
788 | closes: #447145). | ||
789 | |||
790 | -- Colin Watson <cjwatson@debian.org> Mon, 12 Nov 2007 11:47:28 +0000 | ||
791 | |||
792 | openssh (1:4.6p1-5) unstable; urgency=low | ||
793 | |||
794 | * Identify ssh as a metapackage rather than a transitional package. It's | ||
795 | still useful as a quick way to install both the client and the server. | ||
796 | * ssh-copy-id now checks the exit status of ssh-add -L (thanks, Adeodato | ||
797 | Simó; closes: #221675). | ||
798 | * ssh-copy-id no longer prints the output of expr (thanks, Peter | ||
799 | Eisentraut; closes: #291534). | ||
800 | * ssh-copy-id defaults to ~/.ssh/id_rsa.pub rather than | ||
801 | ~/.ssh/identity.pub, in line with ssh-keygen (thanks, Greg Norris; | ||
802 | closes: #234627). | ||
803 | * Build-depend on libselinux1-dev on lpia. | ||
804 | * openssh-client Suggests: keychain. | ||
805 | * debconf template translations: | ||
806 | - Update Catalan (thanks, Jordà Polo; closes: #431970). | ||
807 | |||
808 | -- Colin Watson <cjwatson@debian.org> Mon, 30 Jul 2007 09:34:38 +0100 | ||
809 | |||
810 | openssh (1:4.6p1-4) unstable; urgency=low | ||
811 | |||
812 | * Don't build PIE executables on hppa, as they crash. | ||
813 | |||
814 | -- Colin Watson <cjwatson@debian.org> Thu, 05 Jul 2007 11:06:54 +0100 | ||
815 | |||
816 | openssh (1:4.6p1-3) unstable; urgency=low | ||
817 | |||
818 | * Only build PIE executables on Linux and NetBSD (closes: #430455). | ||
819 | * Fix broken switch fallthrough when SELinux is running in permissive mode | ||
820 | (closes: #430838). | ||
821 | * Document that HashKnownHosts may break tab-completion (closes: #430154). | ||
822 | |||
823 | -- Colin Watson <cjwatson@debian.org> Fri, 29 Jun 2007 07:15:38 +0100 | ||
824 | |||
825 | openssh (1:4.6p1-2) unstable; urgency=low | ||
826 | |||
827 | * Fix ordering of SYSLOG_LEVEL_QUIET and SYSLOG_LEVEL_FATAL. | ||
828 | * Clarify that 'ssh -q -q' still prints errors caused by bad arguments | ||
829 | (i.e. before the logging system is initialised). | ||
830 | * Suppress "Connection to <host> closed" and "Connection to master closed" | ||
831 | messages at loglevel SILENT (thanks, Jaap Eldering; closes: #409788). | ||
832 | * Suppress "Pseudo-terminal will not be allocated because stdin is not a | ||
833 | terminal" message at loglevels QUIET and SILENT (closes: #366814). | ||
834 | * Document the SILENT loglevel in sftp-server(8), ssh_config(5), and | ||
835 | sshd_config(5). | ||
836 | * Add try-restart action to init script. | ||
837 | * Add /etc/network/if-up.d/openssh-server to restart sshd when new | ||
838 | interfaces appear (LP: #103436). | ||
839 | * Backport from upstream: | ||
840 | - Move C/R -> kbdint special case to after the defaults have been | ||
841 | loaded, which makes ChallengeResponse default to yes again. This was | ||
842 | broken by the Match changes and not fixed properly subsequently | ||
843 | (closes: #428968). | ||
844 | - Silence spurious error messages from hang-on-exit fix | ||
845 | (http://bugzilla.mindrot.org/show_bug.cgi?id=1306, closes: #429531). | ||
846 | |||
847 | -- Colin Watson <cjwatson@debian.org> Wed, 20 Jun 2007 11:52:44 +0100 | ||
848 | |||
849 | openssh (1:4.6p1-1) unstable; urgency=low | ||
850 | |||
851 | * New upstream release (closes: #395507, #397961, #420035). Important | ||
852 | changes not previously backported to 4.3p2: | ||
853 | - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): | ||
854 | + On portable OpenSSH, fix a GSSAPI authentication abort that could be | ||
855 | used to determine the validity of usernames on some platforms. | ||
856 | + Implemented conditional configuration in sshd_config(5) using the | ||
857 | "Match" directive. This allows some configuration options to be | ||
858 | selectively overridden if specific criteria (based on user, group, | ||
859 | hostname and/or address) are met. So far a useful subset of | ||
860 | post-authentication options are supported and more are expected to | ||
861 | be added in future releases. | ||
862 | + Add support for Diffie-Hellman group exchange key agreement with a | ||
863 | final hash of SHA256. | ||
864 | + Added a "ForceCommand" directive to sshd_config(5). Similar to the | ||
865 | command="..." option accepted in ~/.ssh/authorized_keys, this forces | ||
866 | the execution of the specified command regardless of what the user | ||
867 | requested. This is very useful in conjunction with the new "Match" | ||
868 | option. | ||
869 | + Add a "PermitOpen" directive to sshd_config(5). This mirrors the | ||
870 | permitopen="..." authorized_keys option, allowing fine-grained | ||
871 | control over the port-forwardings that a user is allowed to | ||
872 | establish. | ||
873 | + Add optional logging of transactions to sftp-server(8). | ||
874 | + ssh(1) will now record port numbers for hosts stored in | ||
875 | ~/.ssh/known_hosts when a non-standard port has been requested | ||
876 | (closes: #50612). | ||
877 | + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a | ||
878 | non-zero exit code) when requested port forwardings could not be | ||
879 | established. | ||
880 | + Extend sshd_config(5) "SubSystem" declarations to allow the | ||
881 | specification of command-line arguments. | ||
882 | + Replacement of all integer overflow susceptible invocations of | ||
883 | malloc(3) and realloc(3) with overflow-checking equivalents. | ||
884 | + Many manpage fixes and improvements. | ||
885 | + Add optional support for OpenSSL hardware accelerators (engines), | ||
886 | enabled using the --with-ssl-engine configure option. | ||
887 | + Tokens in configuration files may be double-quoted in order to | ||
888 | contain spaces (closes: #319639). | ||
889 | + Move a debug() call out of a SIGCHLD handler, fixing a hang when the | ||
890 | session exits very quickly (closes: #307890). | ||
891 | + Fix some incorrect buffer allocation calculations (closes: #410599). | ||
892 | + ssh-add doesn't ask for a passphrase if key file permissions are too | ||
893 | liberal (closes: #103677). | ||
894 | + Likewise, ssh doesn't ask either (closes: #99675). | ||
895 | - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): | ||
896 | + sshd now allows the enabling and disabling of authentication methods | ||
897 | on a per user, group, host and network basis via the Match directive | ||
898 | in sshd_config. | ||
899 | + Fixed an inconsistent check for a terminal when displaying scp | ||
900 | progress meter (closes: #257524). | ||
901 | + Fix "hang on exit" when background processes are running at the time | ||
902 | of exit on a ttyful/login session (closes: #88337). | ||
903 | * Update to current GSSAPI patch from | ||
904 | http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; | ||
905 | install ChangeLog.gssapi. | ||
906 | * Build the .deb --with-ssl-engine (closes: #408027, LP: #119295). | ||
907 | * Use LSB functions in init scripts, and add an LSB-style header (partly | ||
908 | from Ubuntu and partly thanks to Christian Perrier; closes: #389038). | ||
909 | * Move init script start links to S16, move rc1 stop link to K84, and | ||
910 | remove rc0 and rc6 stop links altogether (the last part from Ubuntu; | ||
911 | closes: #122188). | ||
912 | * Emit a slightly more informative message from the init script if | ||
913 | /dev/null has somehow become not a character device (closes: #369964). | ||
914 | * Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447). | ||
915 | * Merge from Ubuntu: | ||
916 | - Build position-independent executables (only for debs, not for udebs) | ||
917 | to take advantage of address space layout randomisation. | ||
918 | - If building on Ubuntu, add /sbin, /usr/sbin, and /usr/local/sbin to | ||
919 | the default path. | ||
920 | * Use ${binary:Version} rather than ${Source-Version} in openssh-server -> | ||
921 | openssh-client dependency. | ||
922 | |||
923 | -- Colin Watson <cjwatson@debian.org> Wed, 13 Jun 2007 00:28:26 +0100 | ||
924 | |||
925 | openssh (1:4.3p2-11) unstable; urgency=low | ||
926 | |||
927 | * It's been four and a half years now since I took over as "temporary" | ||
928 | maintainer, so the Maintainer field is getting a bit inaccurate. Set | ||
929 | Maintainer to debian-ssh@lists.debian.org and leave Matthew and myself | ||
930 | as Uploaders. | ||
931 | * Use dpkg-query to fetch conffile md5sums rather than parsing | ||
932 | /var/lib/dpkg/status directly. | ||
933 | * openssh-client Suggests: libpam-ssh (closes: #427840). | ||
934 | * Use 'start-stop-daemon --oknodo' so that openssh-server's init script | ||
935 | exits successfully if sshd is already running (closes: #426858). | ||
936 | |||
937 | * Apply results of debconf templates and package descriptions review by | ||
938 | debian-l10n-english (closes: #420107, #420742). | ||
939 | * debconf template translations: | ||
940 | - Update Dutch (thanks, Machteld de Kok; closes: #419260). | ||
941 | - Update Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #420630). | ||
942 | - Update Galician (thanks, Jacobo Tarrio; closes: #420635). | ||
943 | - Update Spanish (thanks, Javier Fernández-Sanguino Peña; | ||
944 | closes: #420651). | ||
945 | - Update Swedish (thanks, Daniel Nylander; closes: #420663). | ||
946 | - Add Bulgarian (thanks, Damyan Ivanov; closes: #420703). | ||
947 | - Add Tamil (thanks, Tirumurti Vasudevan; closes: #420739). | ||
948 | - Update German (thanks, Helge Kreutzmann; closes: #420743). | ||
949 | - Update Japanese (thanks, Kenshi Muto; closes: #420946). | ||
950 | - Add Basque (thanks, Piarres Beobide; closes: #421238). | ||
951 | - Update Italian (thanks, Luca Monducci; closes: #421348). | ||
952 | - Update Czech (thanks, Miroslav Kure; closes: #421484). | ||
953 | - Update Romanian (thanks, Igor Stirbu; closes: #421760). | ||
954 | - Update Russian (thanks, Yuriy Talakan' and Sergey Alyoshin; | ||
955 | closes: #420862). | ||
956 | - Update Dutch (thanks, Bart Cornelis; closes: #422767). | ||
957 | - Update Portuguese (thanks, Ricardo Silva; closes: #423112). | ||
958 | - Update French (thanks, Christian Perrier). | ||
959 | - Add Korean (thanks, Sunjae Park; closes: #424008). | ||
960 | - Update Vietnamese (thanks, Clytie Siddall; closes: #426991). | ||
961 | |||
962 | -- Colin Watson <cjwatson@debian.org> Sun, 10 Jun 2007 08:59:42 +0100 | ||
963 | |||
964 | openssh (1:4.3p2-10) unstable; urgency=low | ||
965 | |||
966 | * Multiply openssh-client-udeb's Installer-Menu-Item by 100. | ||
967 | * Increase MAX_SESSIONS to 64. | ||
968 | |||
969 | -- Colin Watson <cjwatson@debian.org> Tue, 10 Apr 2007 19:17:20 +0100 | ||
970 | |||
971 | openssh (1:4.3p2-9) unstable; urgency=high | ||
972 | |||
973 | [ Russ Allbery ] | ||
974 | * Fix GSSAPIKeyExchange configuration file handling logic in ssh-krb5 | ||
975 | (closes: #404863). | ||
976 | * Fix uncommenting of GSSAPI options by ssh-krb5 (closes: #407766). | ||
977 | |||
978 | [ Colin Watson ] | ||
979 | * debconf template translations: | ||
980 | - Add Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #412330). | ||
981 | |||
982 | -- Colin Watson <cjwatson@debian.org> Mon, 5 Mar 2007 16:13:50 +0000 | ||
983 | |||
984 | openssh (1:4.3p2-8) unstable; urgency=medium | ||
985 | |||
986 | [ Vincent Untz ] | ||
987 | * Give the ssh-askpass-gnome window a default icon; remove unnecessary | ||
988 | icon extension from .desktop file (closes: | ||
989 | https://launchpad.net/bugs/27152). | ||
990 | |||
991 | [ Colin Watson ] | ||
992 | * Drop versioning on ssh/ssh-krb5 Replaces, as otherwise it isn't | ||
993 | sufficient to replace conffiles (closes: #402804). | ||
994 | * Make GSSAPICleanupCreds a compatibility alias for | ||
995 | GSSAPICleanupCredentials. Mark GSSUseSessionCCache and | ||
996 | GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate | ||
997 | away from them on upgrade. | ||
998 | * It turns out that the people who told me that removing a conffile in the | ||
999 | preinst was sufficient to have dpkg replace it without prompting when | ||
1000 | moving a conffile between packages were very much mistaken. As far as I | ||
1001 | can tell, the only way to do this reliably is to write out the desired | ||
1002 | new text of the conffile in the preinst. This is gross, and requires | ||
1003 | shipping the text of all conffiles in the preinst too, but there's | ||
1004 | nothing for it. Fortunately this nonsense is only required for smooth | ||
1005 | upgrades from sarge. | ||
1006 | * debconf template translations: | ||
1007 | - Add Romanian (thanks, Stan Ioan-Eugen; closes: #403528). | ||
1008 | |||
1009 | -- Colin Watson <cjwatson@debian.org> Sat, 23 Dec 2006 18:38:33 +0000 | ||
1010 | |||
1011 | openssh (1:4.3p2-7) unstable; urgency=medium | ||
1012 | |||
1013 | [ Colin Watson ] | ||
1014 | * Ignore errors from usermod when changing sshd's shell, since it will | ||
1015 | fail if the sshd user is not local (closes: #398436). | ||
1016 | * Remove version control tags from /etc/ssh/moduli and /etc/ssh/ssh_config | ||
1017 | to avoid unnecessary conffile resolution steps for administrators | ||
1018 | (thanks, Jari Aalto; closes: #335259). | ||
1019 | * Fix quoting error in configure.ac and regenerate configure (thanks, Ben | ||
1020 | Pfaff; closes: #391248). | ||
1021 | * When installing openssh-client or openssh-server from scratch, remove | ||
1022 | any unchanged conffiles from the pre-split ssh package to work around a | ||
1023 | bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276). | ||
1024 | |||
1025 | [ Russ Allbery ] | ||
1026 | * Create transitional ssh-krb5 package which enables GSSAPI configuration | ||
1027 | in sshd_config (closes: #390986). | ||
1028 | * Default client to attempting GSSAPI authentication. | ||
1029 | * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's | ||
1030 | found. | ||
1031 | * Add ssh -K option, the converse of -k, to enable GSSAPI credential | ||
1032 | delegation (closes: #401483). | ||
1033 | |||
1034 | -- Colin Watson <cjwatson@debian.org> Wed, 6 Dec 2006 23:00:49 +0000 | ||
1035 | |||
1036 | openssh (1:4.3p2-6) unstable; urgency=low | ||
1037 | |||
1038 | * Acknowledge NMU (thanks, Manoj; closes: #394795). | ||
1039 | * Backport from 4.5p1: | ||
1040 | - Fix a bug in the sshd privilege separation monitor that weakened its | ||
1041 | verification of successful authentication. This bug is not known to be | ||
1042 | exploitable in the absence of additional vulnerabilities. | ||
1043 | * openssh-server Suggests: molly-guard (closes: #395473). | ||
1044 | * debconf template translations: | ||
1045 | - Update German (thanks, Helge Kreutzmann; closes: #395947). | ||
1046 | |||
1047 | -- Colin Watson <cjwatson@debian.org> Wed, 15 Nov 2006 00:07:32 +0000 | ||
1048 | |||
1049 | openssh (1:4.3p2-5.1) unstable; urgency=low | ||
1050 | |||
1051 | * NMU to update SELinux patch, bringing it in line with current selinux | ||
1052 | releases. The patch for this NMU is simply the Bug#394795 patch, | ||
1053 | and no other changes. (closes: #394795) | ||
1054 | |||
1055 | -- Manoj Srivastava <srivasta@debian.org> Mon, 23 Oct 2006 14:11:24 -0500 | ||
1056 | |||
1057 | openssh (1:4.3p2-5) unstable; urgency=low | ||
1058 | |||
1059 | * Remove ssh/insecure_telnetd check altogether (closes: #391081). | ||
1060 | * debconf template translations: | ||
1061 | - Update Danish (thanks, Claus Hindsgaul; closes: #390612). | ||
1062 | |||
1063 | -- Colin Watson <cjwatson@debian.org> Thu, 5 Oct 2006 09:04:19 +0100 | ||
1064 | |||
1065 | openssh (1:4.3p2-4) unstable; urgency=high | ||
1066 | |||
1067 | * Backport from 4.4p1 (since I don't have an updated version of the GSSAPI | ||
1068 | patch yet): | ||
1069 | - CVE-2006-4924: Fix a pre-authentication denial of service found by | ||
1070 | Tavis Ormandy, that would cause sshd(8) to spin until the login grace | ||
1071 | time expired (closes: #389995). | ||
1072 | - CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The | ||
1073 | signal handler was vulnerable to a race condition that could be | ||
1074 | exploited to perform a pre-authentication denial of service. On | ||
1075 | portable OpenSSH, this vulnerability could theoretically lead to | ||
1076 | pre-authentication remote code execution if GSSAPI authentication is | ||
1077 | enabled, but the likelihood of successful exploitation appears remote. | ||
1078 | |||
1079 | * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël | ||
1080 | Hertzog; closes: #369395). | ||
1081 | * Remove no-longer-used ssh/insecure_rshd debconf template. | ||
1082 | * Make ssh/insecure_telnetd Type: error (closes: #388946). | ||
1083 | |||
1084 | * debconf template translations: | ||
1085 | - Update Portuguese (thanks, Rui Branco; closes: #381942). | ||
1086 | - Update Spanish (thanks, Javier Fernández-Sanguino Peña; | ||
1087 | closes: #382966). | ||
1088 | |||
1089 | -- Colin Watson <cjwatson@debian.org> Fri, 29 Sep 2006 16:28:24 +0100 | ||
1090 | |||
1091 | openssh (1:4.3p2-3) unstable; urgency=low | ||
1092 | |||
1093 | * Document KeepAlive->TCPKeepAlive renaming in sshd_config(5) (closes: | ||
1094 | https://launchpad.net/bugs/50702). | ||
1095 | * Change sshd user's shell to /usr/sbin/nologin (closes: #366541). | ||
1096 | Introduces dependency on passwd for usermod. | ||
1097 | * debconf template translations: | ||
1098 | - Update French (thanks, Denis Barbier; closes: #368503). | ||
1099 | - Update Dutch (thanks, Bart Cornelis; closes: #375100). | ||
1100 | - Update Japanese (thanks, Kenshi Muto; closes: #379950). | ||
1101 | |||
1102 | -- Colin Watson <cjwatson@debian.org> Thu, 27 Jul 2006 00:12:36 +0100 | ||
1103 | |||
1104 | openssh (1:4.3p2-2) unstable; urgency=low | ||
1105 | |||
1106 | * Include commented-out pam_access example in /etc/pam.d/ssh. | ||
1107 | * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the | ||
1108 | server configuration, as otherwise 'sshd -t' will complain about the | ||
1109 | lack of /var/run/sshd (closes: https://launchpad.net/bugs/45234). | ||
1110 | * debconf template translations: | ||
1111 | - Update Russian (thanks, Yuriy Talakan'; closes: #367143). | ||
1112 | - Update Czech (thanks, Miroslav Kure; closes: #367161). | ||
1113 | - Update Italian (thanks, Luca Monducci; closes: #367186). | ||
1114 | - Update Galician (thanks, Jacobo Tarrio; closes: #367318). | ||
1115 | - Update Swedish (thanks, Daniel Nylander; closes: #367971). | ||
1116 | |||
1117 | -- Colin Watson <cjwatson@debian.org> Fri, 19 May 2006 09:14:27 +0100 | ||
1118 | |||
1119 | openssh (1:4.3p2-1) unstable; urgency=low | ||
1120 | |||
1121 | * New upstream release (closes: #361032). | ||
1122 | - CVE-2006-0225: scp (as does rcp, on which it is based) invoked a | ||
1123 | subshell to perform local to local, and remote to remote copy | ||
1124 | operations. This subshell exposed filenames to shell expansion twice; | ||
1125 | allowing a local attacker to create filenames containing shell | ||
1126 | metacharacters that, if matched by a wildcard, could lead to execution | ||
1127 | of attacker-specified commands with the privilege of the user running | ||
1128 | scp (closes: #349645). | ||
1129 | - Add support for tunneling arbitrary network packets over a connection | ||
1130 | between an OpenSSH client and server via tun(4) virtual network | ||
1131 | interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN | ||
1132 | between the client and server providing real network connectivity at | ||
1133 | layer 2 or 3. This feature is experimental. | ||
1134 | - Reduce default key length for new DSA keys generated by ssh-keygen | ||
1135 | back to 1024 bits. DSA is not specified for longer lengths and does | ||
1136 | not fully benefit from simply making keys longer. As per FIPS 186-2 | ||
1137 | Change Notice 1, ssh-keygen will refuse to generate a new DSA key | ||
1138 | smaller or larger than 1024 bits. | ||
1139 | - Fixed X forwarding failing to start when the X11 client is executed in | ||
1140 | background at the time of session exit. | ||
1141 | - Change ssh-keygen to generate a protocol 2 RSA key when invoked | ||
1142 | without arguments (closes: #114894). | ||
1143 | - Fix timing variance for valid vs. invalid accounts when attempting | ||
1144 | Kerberos authentication. | ||
1145 | - Ensure that ssh always returns code 255 on internal error | ||
1146 | (closes: #259865). | ||
1147 | - Cleanup wtmp files on SIGTERM when not using privsep. | ||
1148 | - Set SO_REUSEADDR on X11 listeners to avoid problems caused by | ||
1149 | lingering sockets from previous session (X11 applications can | ||
1150 | sometimes not connect to 127.0.0.1:60xx) (closes: | ||
1151 | https://launchpad.net/bugs/25528). | ||
1152 | - Ensure that fds 0, 1 and 2 are always attached in all programs, by | ||
1153 | duping /dev/null to them if necessary. | ||
1154 | - Xauth list invocation had bogus "." argument. | ||
1155 | - Remove internal assumptions on key exchange hash algorithm and output | ||
1156 | length, preparing OpenSSH for KEX methods with alternate hashes. | ||
1157 | - Ignore junk sent by a server before it sends the "SSH-" banner. | ||
1158 | - Many manual page improvements. | ||
1159 | - Lots of cleanups, including fixes to memory leaks on error paths and | ||
1160 | possible crashes. | ||
1161 | * Update to current GSSAPI patch from | ||
1162 | http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch | ||
1163 | (closes: #352042). | ||
1164 | * debian/rules: Resynchronise CFLAGS with that generated by configure. | ||
1165 | * Restore pam_nologin to /etc/pam.d/ssh; sshd no longer checks this itself | ||
1166 | when PAM is enabled, but relies on PAM to do it. | ||
1167 | * Rename KeepAlive to TCPKeepAlive in default sshd_config | ||
1168 | (closes: #349896). | ||
1169 | * Rephrase ssh/new_config and ssh/encrypted_host_key_but_no_keygen debconf | ||
1170 | templates to make boolean short descriptions end with a question mark | ||
1171 | and to avoid use of the first person. | ||
1172 | * Ship README.tun. | ||
1173 | * Policy version 3.7.2: no changes required. | ||
1174 | * debconf template translations: | ||
1175 | - Update Italian (thanks, Luca Monducci; closes: #360348). | ||
1176 | - Add Galician (thanks, Jacobo Tarrio; closes: #361220). | ||
1177 | |||
1178 | -- Colin Watson <cjwatson@debian.org> Fri, 12 May 2006 12:48:24 +0100 | ||
1179 | |||
1180 | openssh (1:4.2p1-8) unstable; urgency=low | ||
1181 | |||
1182 | [ Frans Pop ] | ||
1183 | * Use udeb support introduced in debhelper 4.2.0 (available in sarge) | ||
1184 | rather than constructing udebs by steam. | ||
1185 | * Require debhelper 5.0.22, which generates correct shared library | ||
1186 | dependencies for udebs (closes: #360068). This build-dependency can be | ||
1187 | ignored if building on sarge. | ||
1188 | |||
1189 | [ Colin Watson ] | ||
1190 | * Switch to debhelper compatibility level 4, since we now require | ||
1191 | debhelper 4 even on sarge anyway for udeb support. | ||
1192 | |||
1193 | -- Colin Watson <cjwatson@debian.org> Fri, 31 Mar 2006 09:44:55 +0100 | ||
1194 | |||
1195 | openssh (1:4.2p1-7) unstable; urgency=low | ||
1196 | |||
1197 | * I accidentally applied the default $PATH change in 1:4.2p1-6 to the udeb | ||
1198 | rather than the deb. Fixed. | ||
1199 | |||
1200 | -- Colin Watson <cjwatson@debian.org> Wed, 1 Mar 2006 16:19:00 +0000 | ||
1201 | |||
1202 | openssh (1:4.2p1-6) unstable; urgency=low | ||
1203 | |||
1204 | * Sync default values of $PATH from shadow 1:4.0.12-6, adding /usr/bin/X11 | ||
1205 | to the normal and superuser paths and /usr/games to the normal path. | ||
1206 | * When the client receives a signal, don't fatal() with "Killed by signal | ||
1207 | %d." (which produces unhelpful noise on stderr and causes confusion for | ||
1208 | users of some applications that wrap ssh); instead, generate a debug | ||
1209 | message and exit with the traditional status (closes: #313371). | ||
1210 | * debconf template translations: | ||
1211 | - Add Swedish (thanks, Daniel Nylander; closes: #333133). | ||
1212 | - Update Spanish (thanks, Javier Fernández-Sanguino Peña; | ||
1213 | closes: #341371). | ||
1214 | - Correct erroneously-changed Last-Translator headers in Greek and | ||
1215 | Spanish translations. | ||
1216 | |||
1217 | -- Colin Watson <cjwatson@debian.org> Mon, 20 Feb 2006 16:50:55 +0000 | ||
1218 | |||
1219 | openssh (1:4.2p1-5) unstable; urgency=low | ||
1220 | |||
1221 | * Add a CVE name to the 1:4.0p1-1 changelog entry. | ||
1222 | * Build-depend on libselinux1-dev on armeb. | ||
1223 | * Only send GSSAPI proposal if GSSAPIAuthentication is enabled. | ||
1224 | * Build-depend on libssl-dev (>= 0.9.8-1) to cope with surprise OpenSSL | ||
1225 | transition, since otherwise who knows what the buildds will do. If | ||
1226 | you're building openssh yourself, you can safely ignore this and use an | ||
1227 | older libssl-dev. | ||
1228 | |||
1229 | -- Colin Watson <cjwatson@debian.org> Fri, 7 Oct 2005 12:23:42 +0100 | ||
1230 | |||
1231 | openssh (1:4.2p1-4) unstable; urgency=low | ||
1232 | |||
1233 | * Initialise token to GSS_C_EMPTY_BUFFER in ssh_gssapi_check_mechanism | ||
1234 | (closes: #328606). | ||
1235 | |||
1236 | -- Colin Watson <cjwatson@debian.org> Fri, 16 Sep 2005 12:50:16 +0100 | ||
1237 | |||
1238 | openssh (1:4.2p1-3) unstable; urgency=low | ||
1239 | |||
1240 | * Add prototype for ssh_gssapi_server_mechanisms (closes: #328372). | ||
1241 | * Interoperate with ssh-krb5 << 3.8.1p1-1 servers, which used a slightly | ||
1242 | different version of the gssapi authentication method (thanks, Aaron M. | ||
1243 | Ucko; closes: #328388). | ||
1244 | * Explicitly tell po2debconf to use the 'popular' output encoding, so that | ||
1245 | the woody-compatibility hack works even with po-debconf 0.9.0. | ||
1246 | |||
1247 | -- Colin Watson <cjwatson@debian.org> Thu, 15 Sep 2005 09:28:21 +0100 | ||
1248 | |||
1249 | openssh (1:4.2p1-2) unstable; urgency=low | ||
1250 | |||
1251 | * Annotate 1:4.2p1-1 changelog with CVE references. | ||
1252 | * Add remaining pieces of Kerberos support (closes: #152657, #275472): | ||
1253 | - Add GSSAPI key exchange support from | ||
1254 | http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen | ||
1255 | Frost). | ||
1256 | - Build-depend on libkrb5-dev and configure --with-kerberos5=/usr. | ||
1257 | - openssh-client and openssh-server replace ssh-krb5. | ||
1258 | - Update commented-out Kerberos/GSSAPI options in default sshd_config. | ||
1259 | - Fix HAVE_GSSAPI_KRB5_H/HAVE_GSSAPI_GSSAPI_KRB5_H typos in | ||
1260 | gss-serv-krb5.c. | ||
1261 | |||
1262 | -- Colin Watson <cjwatson@debian.org> Wed, 14 Sep 2005 18:28:49 +0100 | ||
1263 | |||
1264 | openssh (1:4.2p1-1) unstable; urgency=low | ||
1265 | |||
1266 | * New upstream release. | ||
1267 | - SECURITY (CAN-2005-2797): Fix a bug introduced in OpenSSH 4.0 that | ||
1268 | caused GatewayPorts to be incorrectly activated for dynamic ("-D") | ||
1269 | port forwardings when no listen address was explicitly specified | ||
1270 | (closes: #326065). | ||
1271 | - SECURITY (CAN-2005-2798): Fix improper delegation of GSSAPI | ||
1272 | credentials. This code is only built in openssh-krb5, not openssh, but | ||
1273 | I mention the CVE reference here anyway for completeness. | ||
1274 | - Add a new compression method ("Compression delayed") that delays zlib | ||
1275 | compression until after authentication, eliminating the risk of zlib | ||
1276 | vulnerabilities being exploited by unauthenticated users. Note that | ||
1277 | users of OpenSSH versions earlier than 3.5 will need to disable | ||
1278 | compression on the client or set "Compression yes" (losing this | ||
1279 | security benefit) on the server. | ||
1280 | - Increase the default size of new RSA/DSA keys generated by ssh-keygen | ||
1281 | from 1024 to 2048 bits (closes: #181162). | ||
1282 | - Many bugfixes and improvements to connection multiplexing. | ||
1283 | - Don't pretend to accept $HOME (closes: #208648). | ||
1284 | * debian/rules: Resynchronise CFLAGS with that generated by configure. | ||
1285 | * openssh-client and openssh-server conflict with pre-split ssh to avoid | ||
1286 | problems when ssh is left un-upgraded (closes: #324695). | ||
1287 | * Set X11Forwarding to yes in the default sshd_config (new installs only). | ||
1288 | At least when X11UseLocalhost is turned on, which is the default, the | ||
1289 | security risks of using X11 forwarding are risks to the client, not to | ||
1290 | the server (closes: #320104). | ||
1291 | |||
1292 | -- Colin Watson <cjwatson@debian.org> Wed, 14 Sep 2005 15:16:14 +0100 | ||
1293 | |||
1294 | openssh (1:4.1p1-7) unstable; urgency=low | ||
1295 | |||
1296 | * Do the IDEA host key check on a temporary file to avoid altering | ||
1297 | /etc/ssh/ssh_host_key itself (closes: #312312). | ||
1298 | * Work around the ssh-askpass alternative somehow ending up in manual mode | ||
1299 | pointing to the obsolete /usr/lib/ssh/gnome-ssh-askpass. | ||
1300 | * Add GNU/kFreeBSD support (thanks, Aurelien Jarno; closes: #318113). | ||
1301 | * Fix XSIish uses of 'test' in openssh-server.preinst. | ||
1302 | * Policy version 3.6.2: no changes required. | ||
1303 | |||
1304 | -- Colin Watson <cjwatson@debian.org> Fri, 2 Sep 2005 16:18:11 +0100 | ||
1305 | |||
1306 | openssh (1:4.1p1-6) unstable; urgency=low | ||
1307 | |||
1308 | * Fix one-character typo that meant the binaries in openssh-client and | ||
1309 | openssh-server got recompiled with the wrong options during | ||
1310 | 'debian/rules install' (closes: #317088, #317238, #317241). | ||
1311 | |||
1312 | -- Colin Watson <cjwatson@debian.org> Thu, 7 Jul 2005 10:56:16 +0100 | ||
1313 | |||
1314 | openssh (1:4.1p1-5) unstable; urgency=low | ||
1315 | |||
1316 | * Build-depend on libselinux1-dev on ppc64 too (closes: #314625). | ||
1317 | * Drop priority of ssh to extra to match the override file. | ||
1318 | * Make /usr/share/doc/openssh-server and /usr/share/doc/ssh symlinks to | ||
1319 | /usr/share/doc/openssh-client (closes: #314745). | ||
1320 | * Ship README.dns (closes: #284874). | ||
1321 | * Disable btmp logging, since Debian's /var/log/btmp has inappropriate | ||
1322 | permissions (closes: #314956). | ||
1323 | * Allow ~/.ssh/config to be group-writable, provided that the group in | ||
1324 | question contains only the file's owner (closes: #314347). | ||
1325 | * debconf template translations: | ||
1326 | - Update Brazilian Portuguese (thanks, André LuÃs Lopes; | ||
1327 | closes: #315477). | ||
1328 | - Add Vietnamese (thanks, Clytie Siddall; closes: #316636). | ||
1329 | |||
1330 | -- Colin Watson <cjwatson@debian.org> Sun, 3 Jul 2005 17:08:08 +0100 | ||
1331 | |||
1332 | openssh (1:4.1p1-4) unstable; urgency=low | ||
1333 | |||
1334 | * openssh-client and openssh-server conflict with ssh-krb5, as ssh-krb5 | ||
1335 | only conflicts with ssh (closes: #312475). | ||
1336 | * SELinux support (thanks, Manoj Srivastava; closes: #308555): | ||
1337 | - Added SELinux capability, and turned it on be default. Added | ||
1338 | restorecon calls in preinst and postinst (should not matter if the | ||
1339 | machine is not SELinux aware). By and large, the changes made should | ||
1340 | have no effect unless the rules file calls --with-selinux; and even | ||
1341 | then there should be no performance hit for machines not actively | ||
1342 | running SELinux. | ||
1343 | - Modified the preinst and postinst to call restorecon to set the | ||
1344 | security context for the generated public key files. | ||
1345 | - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system | ||
1346 | may want to also include pam_selinux.so. | ||
1347 | * Re-enable ssh-askpass-gnome on the Hurd, now that its build-dependencies | ||
1348 | are available. | ||
1349 | * Restore /usr/lib/sftp-server temporarily, as a symlink to | ||
1350 | /usr/lib/openssh/sftp-server (closes: #312891). | ||
1351 | * Switch to debhelper compatibility level 3, since 2 is deprecated. | ||
1352 | * debconf template translations: | ||
1353 | - Update German (thanks, Jens Seidel; closes: #313949). | ||
1354 | |||
1355 | -- Colin Watson <cjwatson@debian.org> Fri, 17 Jun 2005 14:20:20 +0100 | ||
1356 | |||
1357 | openssh (1:4.1p1-3) unstable; urgency=low | ||
1358 | |||
1359 | * Upload to unstable. | ||
1360 | |||
1361 | -- Colin Watson <cjwatson@debian.org> Mon, 6 Jun 2005 22:28:33 +0100 | ||
1362 | |||
1363 | openssh (1:4.1p1-2) experimental; urgency=low | ||
1364 | |||
1365 | * Drop debconf support for allowing SSH protocol 1, which is discouraged | ||
1366 | and has not been the default since openssh 1:3.0.1p1-1. Users who need | ||
1367 | this should edit sshd_config instead (closes: #147212). | ||
1368 | * Since ssh-keysign isn't used by default (you need to set | ||
1369 | EnableSSHKeysign to "yes" in /etc/ssh/ssh_config), having a debconf | ||
1370 | question to ask whether it should be setuid is overkill, and the | ||
1371 | question text had got out of date anyway. Remove this question, ship | ||
1372 | ssh-keysign setuid in openssh-client.deb, and set a statoverride if the | ||
1373 | debconf question was previously set to false. | ||
1374 | * Add lintian overrides for the above (setuid-binary, | ||
1375 | no-debconf-templates). | ||
1376 | * Fix picky lintian errors about slogin symlinks. | ||
1377 | * Fix DEB_HOST_ARCH_OS/DEB_HOST_GNU_SYSTEM compatibility handling. | ||
1378 | * Apply Linux 2.2 workaround (see #239999) only on Linux. | ||
1379 | |||
1380 | -- Colin Watson <cjwatson@debian.org> Thu, 2 Jun 2005 00:55:58 +0100 | ||
1381 | |||
1382 | openssh (1:4.1p1-1) experimental; urgency=low | ||
1383 | |||
1384 | * New upstream release. | ||
1385 | - Normalise socket addresses returned by get_remote_hostname(), fixing | ||
1386 | 4-in-6 mapping issues with AllowUsers et al (closes: #192234). | ||
1387 | * Take upstream's hint and disable the unsupported USE_POSIX_THREADS | ||
1388 | (closes: #295757, #308868, and possibly others; may open other bugs). | ||
1389 | Use PAM password authentication to avoid #278394. In future I may | ||
1390 | provide two sets of binaries built with and without this option, since | ||
1391 | it seems I can't win. | ||
1392 | * Disable ChallengeResponseAuthentication in new installations, returning | ||
1393 | to PasswordAuthentication by default, since it now supports PAM and | ||
1394 | apparently works better with a non-threaded sshd (closes: #247521). | ||
1395 | * openssh-server Suggests: rssh (closes: #233012). | ||
1396 | * Change libexecdir to /usr/lib/openssh, and fix up various alternatives | ||
1397 | and configuration files to match (closes: #87900, #151321). | ||
1398 | * Fix up very old sshd_config files that refer to /usr/libexec/sftp-server | ||
1399 | (closes: #141979). | ||
1400 | |||
1401 | -- Colin Watson <cjwatson@debian.org> Tue, 31 May 2005 01:33:33 +0100 | ||
1402 | |||
1403 | openssh (1:4.0p1-1) experimental; urgency=low | ||
1404 | |||
1405 | * New upstream release. | ||
1406 | - Port-forwarding specifications now take optional bind addresses, and | ||
1407 | the server allows client-specified bind addresses for remote port | ||
1408 | forwardings when configured with "GatewayPorts clientspecified" | ||
1409 | (closes: #87253, #192206). | ||
1410 | - ssh and ssh-keyscan now support hashing of known_hosts files for | ||
1411 | improved privacy (CAN-2005-2666). ssh-keygen has new options for | ||
1412 | managing known_hosts files, which understand hashing. | ||
1413 | - sftp supports command history and editing support using libedit | ||
1414 | (closes: #287013). | ||
1415 | - Have scp and sftp wait for the spawned ssh to exit before they exit | ||
1416 | themselves, allowing ssh to restore terminal modes (closes: #257130). | ||
1417 | - Improved the handling of bad data in authorized_keys files, | ||
1418 | eliminating fatal errors on corrupt or very large keys; e.g. linefeeds | ||
1419 | in keys only produce errors in auth.log now (closes: #220726). | ||
1420 | - Add "command mode" to ssh connection multiplexing (closes: #303452). | ||
1421 | - Mention $HOME/.hushlogin in sshd(8) FILES section (closes: #163933). | ||
1422 | * Make gnome-ssh-askpass stay above other windows (thanks, Liyang HU; | ||
1423 | closes: #296487). | ||
1424 | * Remove obsolete and unnecessary ssh/forward_warning debconf note. | ||
1425 | * Hurd build fixes (although sshd still doesn't work): | ||
1426 | - Restore X forwarding fix from #102991, lost somewhere along the way. | ||
1427 | - Link with -lcrypt. | ||
1428 | - Link with -lpthread rather than -pthread. | ||
1429 | - Don't build ssh-askpass-gnome on the Hurd, until GNOME is available to | ||
1430 | satisfy build-dependencies. | ||
1431 | * Drop workaround for #242462 on amd64; it's been fixed properly upstream. | ||
1432 | * Enable HashKnownHosts by default. This only affects new entries; use | ||
1433 | 'ssh-keygen -H' to convert an entire known_hosts file to hashed format. | ||
1434 | * Note in ssh_config(5) that the SetupTimeOut option is Debian-specific | ||
1435 | (closes: #307069). | ||
1436 | * debconf template translations: | ||
1437 | - Update Czech (thanks, Miroslav Kure; closes: #298744). | ||
1438 | - Update Finnish (thanks, Matti Pöllä; closes: #303787). | ||
1439 | - Synchronise Spanish with sarge branch (thanks, Javier | ||
1440 | Fernández-Sanguino Peña; closes: #298536). | ||
1441 | - Add Ukrainian (thanks, Eugeniy Meshcheryakov; closes: #301852). | ||
1442 | |||
1443 | -- Colin Watson <cjwatson@debian.org> Thu, 26 May 2005 11:23:18 +0100 | ||
1444 | |||
1445 | openssh (1:3.9p1-3) experimental; urgency=low | ||
1446 | |||
1447 | * Explain how to run sshd from inittab in README.Debian (closes: #147360). | ||
1448 | * Add debian/watch file. | ||
1449 | |||
1450 | -- Colin Watson <cjwatson@debian.org> Fri, 18 Feb 2005 00:20:16 +0000 | ||
1451 | |||
1452 | openssh (1:3.9p1-2) experimental; urgency=low | ||
1453 | |||
1454 | * Remove pam_nologin from /etc/pam.d/ssh, as sshd's built-in support | ||
1455 | appears to be sufficient and more useful (closes: #162996). | ||
1456 | * Depend on debconf | debconf-2.0. | ||
1457 | * Drop LoginGraceTime back to the upstream default of two minutes on new | ||
1458 | installs (closes: #289573). | ||
1459 | * debconf template translations from Ubuntu bug #1232: | ||
1460 | - Update Greek (thanks, Logiotatidis George). | ||
1461 | - Update Spanish (thanks, Santiago Erquicia). | ||
1462 | |||
1463 | -- Colin Watson <cjwatson@debian.org> Sat, 15 Jan 2005 12:37:54 +0000 | ||
1464 | |||
1465 | openssh (1:3.9p1-1) experimental; urgency=low | ||
1466 | |||
1467 | * New upstream release. | ||
1468 | - PAM password authentication implemented again (closes: #238699, | ||
1469 | #242119). | ||
1470 | - Implemented the ability to pass selected environment variables between | ||
1471 | the client and the server. | ||
1472 | - Fix ssh-keyscan breakage when remote server doesn't speak SSH protocol | ||
1473 | (closes: #228828). | ||
1474 | - Fix res_query detection (closes: #242462). | ||
1475 | - 'ssh -c' documentation improved (closes: #265627). | ||
1476 | * Pass LANG and LC_* environment variables from the client by default, and | ||
1477 | accept them to the server by default in new installs, although not on | ||
1478 | upgrade (closes: #264024). | ||
1479 | * Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones). | ||
1480 | * Expand on openssh-client package description (closes: #273831). | ||
1481 | |||
1482 | -- Colin Watson <cjwatson@debian.org> Tue, 4 Jan 2005 14:18:31 +0000 | ||
1483 | |||
1484 | openssh (1:3.8.1p1-14) experimental; urgency=low | ||
1485 | |||
1486 | * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). | ||
1487 | * Fix timing information leak allowing discovery of invalid usernames in | ||
1488 | PAM keyboard-interactive authentication (backported from a patch by | ||
1489 | Darren Tucker; closes: #281595). | ||
1490 | * Make sure that there's a delay in PAM keyboard-interactive | ||
1491 | authentication when PermitRootLogin is not set to yes and the correct | ||
1492 | root password is entered (closes: #248747). | ||
1493 | |||
1494 | -- Colin Watson <cjwatson@debian.org> Sun, 28 Nov 2004 18:09:37 +0000 | ||
1495 | |||
1496 | openssh (1:3.8.1p1-13) experimental; urgency=low | ||
1497 | |||
1498 | * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). | ||
1499 | * debconf template translations: | ||
1500 | - Update Dutch (thanks, cobaco; closes: #278715). | ||
1501 | * Correct README.Debian's ForwardX11Trusted description (closes: #280190). | ||
1502 | |||
1503 | -- Colin Watson <cjwatson@debian.org> Fri, 12 Nov 2004 12:03:13 +0000 | ||
1504 | |||
1505 | openssh (1:3.8.1p1-12) experimental; urgency=low | ||
1506 | |||
1507 | * Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754). | ||
1508 | * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian | ||
1509 | 1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH | ||
1510 | implementations apparently have problems with the long version string. | ||
1511 | This is of course a bug in those implementations, but since the extent | ||
1512 | of the problem is unknown it's best to play safe (closes: #275731). | ||
1513 | * debconf template translations: | ||
1514 | - Add Finnish (thanks, Matti Pöllä; closes: #265339). | ||
1515 | - Update Danish (thanks, Morten Brix Pedersen; closes: #275895). | ||
1516 | - Update French (thanks, Denis Barbier; closes: #276703). | ||
1517 | - Update Japanese (thanks, Kenshi Muto; closes: #277438). | ||
1518 | |||
1519 | -- Colin Watson <cjwatson@debian.org> Sun, 24 Oct 2004 19:21:17 +0100 | ||
1520 | |||
1521 | openssh (1:3.8.1p1-11) experimental; urgency=high | ||
1522 | |||
1523 | * Move sshd_config(5) to openssh-server, where it belongs. | ||
1524 | * If PasswordAuthentication is disabled, then offer to disable | ||
1525 | ChallengeResponseAuthentication too. The current PAM code will attempt | ||
1526 | password-style authentication if ChallengeResponseAuthentication is | ||
1527 | enabled (closes: #250369). | ||
1528 | * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or | ||
1529 | later and then upgraded. Sorry about that ... for this reason, the | ||
1530 | default answer is to leave ChallengeResponseAuthentication enabled. | ||
1531 | |||
1532 | -- Colin Watson <cjwatson@debian.org> Wed, 6 Oct 2004 14:28:20 +0100 | ||
1533 | |||
1534 | openssh (1:3.8.1p1-10) experimental; urgency=low | ||
1535 | |||
1536 | * Don't install the ssh-askpass-gnome .desktop file by default; I've had | ||
1537 | too many GNOME people tell me it's the wrong thing to be doing. I've | ||
1538 | left it in /usr/share/doc/ssh-askpass-gnome/examples/ for now. | ||
1539 | |||
1540 | -- Colin Watson <cjwatson@debian.org> Wed, 25 Aug 2004 18:18:14 +0100 | ||
1541 | |||
1542 | openssh (1:3.8.1p1-9) experimental; urgency=low | ||
1543 | |||
1544 | * Split the ssh binary package into openssh-client and openssh-server | ||
1545 | (closes: #39741). openssh-server depends on openssh-client for some | ||
1546 | common functionality; it didn't seem worth creating yet another package | ||
1547 | for this. openssh-client is priority standard, openssh-server optional. | ||
1548 | * New transitional ssh package, priority optional, depending on | ||
1549 | openssh-client and openssh-server. May be removed once nothing depends | ||
1550 | on it. | ||
1551 | * When upgrading from ssh to openssh-{client,server}, it's very difficult | ||
1552 | for the maintainer scripts to find out what version we're upgrading from | ||
1553 | without dodgy dpkg hackery. I've therefore taken the opportunity to move | ||
1554 | a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged | ||
1555 | and ssh/user_environment_tell. | ||
1556 | * Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7 | ||
1557 | happens even though we don't know what version we're upgrading from. | ||
1558 | * Remove /etc/ssh/sshd_not_to_be_run on purge of openssh-server. For now | ||
1559 | (until sarge+2) it's still honoured to avoid breaking existing | ||
1560 | configurations, but the right approach is now to remove the | ||
1561 | openssh-server package if you don't want to run the server. Add a NEWS | ||
1562 | item to that effect. | ||
1563 | |||
1564 | -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100 | ||
1565 | |||
1566 | openssh (1:3.8.1p1-8.sarge.4) unstable; urgency=high | ||
1567 | |||
1568 | * Fix timing information leak allowing discovery of invalid usernames in | ||
1569 | PAM keyboard-interactive authentication (backported from a patch by | ||
1570 | Darren Tucker; closes: #281595). | ||
1571 | * Make sure that there's a delay in PAM keyboard-interactive | ||
1572 | authentication when PermitRootLogin is not set to yes and the correct | ||
1573 | root password is entered (closes: #248747). | ||
1574 | |||
1575 | -- Colin Watson <cjwatson@debian.org> Sun, 28 Nov 2004 12:37:16 +0000 | ||
1576 | |||
1577 | openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low | ||
1578 | |||
1579 | * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). | ||
1580 | * debconf template translations: | ||
1581 | - Update Dutch (thanks, cobaco; closes: #278715). | ||
1582 | * Correct README.Debian's ForwardX11Trusted description (closes: #280190). | ||
1583 | |||
1584 | -- Colin Watson <cjwatson@debian.org> Fri, 12 Nov 2004 10:31:12 +0000 | ||
1585 | |||
1586 | openssh (1:3.8.1p1-8.sarge.2) unstable; urgency=low | ||
1587 | |||
1588 | * Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754). | ||
1589 | * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian | ||
1590 | 1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH | ||
1591 | implementations apparently have problems with the long version string. | ||
1592 | This is of course a bug in those implementations, but since the extent | ||
1593 | of the problem is unknown it's best to play safe (closes: #275731). | ||
1594 | * debconf template translations: | ||
1595 | - Add Finnish (thanks, Matti Pöllä; closes: #265339). | ||
1596 | - Update Danish (thanks, Morten Brix Pedersen; closes: #275895). | ||
1597 | - Update French (thanks, Denis Barbier; closes: #276703). | ||
1598 | - Update Japanese (thanks, Kenshi Muto; closes: #277438). | ||
1599 | |||
1600 | -- Colin Watson <cjwatson@debian.org> Sun, 24 Oct 2004 17:57:14 +0100 | ||
1601 | |||
1602 | openssh (1:3.8.1p1-8.sarge.1) unstable; urgency=high | ||
1603 | |||
1604 | * If PasswordAuthentication is disabled, then offer to disable | ||
1605 | ChallengeResponseAuthentication too. The current PAM code will attempt | ||
1606 | password-style authentication if ChallengeResponseAuthentication is | ||
1607 | enabled (closes: #250369). | ||
1608 | * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or | ||
1609 | later and then upgraded. Sorry about that ... for this reason, the | ||
1610 | default answer is to leave ChallengeResponseAuthentication enabled. | ||
1611 | |||
1612 | -- Colin Watson <cjwatson@debian.org> Wed, 6 Oct 2004 14:21:55 +0100 | ||
1613 | |||
1614 | openssh (1:3.8.1p1-8) unstable; urgency=high | ||
1615 | |||
1616 | * Matthew Vernon: | ||
1617 | - Add a GPL exception to the licensing terms of the Debian patch | ||
1618 | (closes: #211644). | ||
1619 | |||
1620 | -- Colin Watson <cjwatson@debian.org> Thu, 29 Jul 2004 13:28:47 +0100 | ||
1621 | |||
1622 | openssh (1:3.8.1p1-7) unstable; urgency=low | ||
1623 | |||
1624 | * Re-enable shadow password support in openssh-server-udeb, at Bastian | ||
1625 | Blank's request (closes: #260800). | ||
1626 | |||
1627 | -- Colin Watson <cjwatson@debian.org> Thu, 22 Jul 2004 10:56:06 +0100 | ||
1628 | |||
1629 | openssh (1:3.8.1p1-6) unstable; urgency=low | ||
1630 | |||
1631 | * Implement hack in | ||
1632 | http://lists.debian.org/debian-boot/2004/07/msg01207.html to get | ||
1633 | openssh-client-udeb to show up as a retrievable debian-installer | ||
1634 | component. | ||
1635 | * Generate host keys in postinst only if the relevant HostKey directives | ||
1636 | are found in sshd_config (closes: #87946). | ||
1637 | |||
1638 | -- Colin Watson <cjwatson@debian.org> Wed, 21 Jul 2004 15:14:46 +0100 | ||
1639 | |||
1640 | openssh (1:3.8.1p1-5) unstable; urgency=medium | ||
1641 | |||
1642 | * Update German debconf template translation (thanks, Helge Kreutzmann; | ||
1643 | closes: #252226). | ||
1644 | * Remove Suggests: dnsutils, as it was only needed for | ||
1645 | make-ssh-known-hosts (#93265), which has been replaced by ssh-keyscan. | ||
1646 | * Disable shadow password support in openssh-server-udeb. | ||
1647 | * Fix non-portable shell constructs in maintainer scripts, Makefile, and | ||
1648 | ssh-copy-id (thanks, David Weinehall; closes: #258517). | ||
1649 | * Apply patch from Darren Tucker to make the PAM authentication SIGCHLD | ||
1650 | handler kill the PAM thread if its waitpid() call returns 0, as well as | ||
1651 | the previous check for -1 (closes: #252676). | ||
1652 | * Add scp and sftp to openssh-client-udeb. It might not be very 'u' any | ||
1653 | more; oh well. | ||
1654 | |||
1655 | -- Colin Watson <cjwatson@debian.org> Sat, 10 Jul 2004 13:57:27 +0100 | ||
1656 | |||
1657 | openssh (1:3.8.1p1-4) unstable; urgency=medium | ||
1658 | |||
1659 | * Kill off PAM thread if privsep slave dies (closes: #248125). | ||
1660 | |||
1661 | -- Colin Watson <cjwatson@debian.org> Fri, 28 May 2004 17:58:45 -0300 | ||
1662 | |||
1663 | openssh (1:3.8.1p1-3) unstable; urgency=low | ||
1664 | |||
1665 | * Add ssh-keygen to openssh-server-udeb. | ||
1666 | |||
1667 | -- Colin Watson <cjwatson@debian.org> Thu, 20 May 2004 16:31:52 +0100 | ||
1668 | |||
1669 | openssh (1:3.8.1p1-2) unstable; urgency=low | ||
1670 | |||
1671 | * Add Catalan debconf template translation (thanks, Aleix Badia i Bosch; | ||
1672 | closes: #248748). | ||
1673 | * openssh-client-udeb and openssh-server-udeb depend on libnss-files-udeb | ||
1674 | (not yet uploaded). | ||
1675 | * Restore ssh-askpass-gnome binary, lost by mistake. | ||
1676 | * Don't link against libnsl in udeb builds. | ||
1677 | |||
1678 | -- Colin Watson <cjwatson@debian.org> Thu, 20 May 2004 11:15:58 +0100 | ||
1679 | |||
1680 | openssh (1:3.8.1p1-1) unstable; urgency=low | ||
1681 | |||
1682 | * New upstream release. | ||
1683 | - Use a longer buffer for tty names in utmp (closes: #247538). | ||
1684 | * Make sure there's a newline at the end of sshd_config before adding | ||
1685 | 'UsePAM yes' (closes: #244829). | ||
1686 | * Generate a new .orig.tar.gz without RFC.nroff, and remove | ||
1687 | /usr/share/doc/ssh/RFC.gz (closes: #211640). It isn't DFSG-free and only | ||
1688 | documents the obsolete SSH1 protocol, not to mention that it was never a | ||
1689 | real RFC but only an Internet-Draft. It's available from | ||
1690 | http://www.free.lp.se/bamse/draft-ylonen-ssh-protocol-00.txt if you want | ||
1691 | it for some reason. | ||
1692 | * Add openssh-client-udeb and openssh-server-udeb binary packages for use | ||
1693 | in debian-installer. They still need libnss_files to be supplied in udeb | ||
1694 | form by glibc. | ||
1695 | * Work around lack of res_query weak alias in libresolv on amd64 (see | ||
1696 | #242462, awaiting real fix upstream). | ||
1697 | * Fix grammar in sshd(8) (closes: #238753). | ||
1698 | * Add .desktop file and icon for ssh-askpass-gnome (closes: #232333). | ||
1699 | * Update Polish debconf template translation (thanks, Emil Nowak; | ||
1700 | closes: #242808). | ||
1701 | * Add Turkish debconf template translation (thanks, Recai OktaÅŸ; | ||
1702 | closes: #246068). | ||
1703 | |||
1704 | -- Colin Watson <cjwatson@debian.org> Tue, 11 May 2004 23:38:10 +0100 | ||
1705 | |||
1706 | openssh (1:3.8p1-3) unstable; urgency=low | ||
1707 | |||
1708 | * Remove deprecated ReverseMappingCheck option from newly generated | ||
1709 | sshd_config files (closes: #239987). | ||
1710 | * Build everything apart from contrib in a subdirectory, to allow for | ||
1711 | multiple builds. | ||
1712 | * Some older kernels are missing setresuid() and setresgid(), so don't try | ||
1713 | to use them. setreuid() and setregid() will do well enough for our | ||
1714 | purposes (closes: #239999). | ||
1715 | |||
1716 | -- Colin Watson <cjwatson@debian.org> Mon, 5 Apr 2004 21:23:43 +0100 | ||
1717 | |||
1718 | openssh (1:3.8p1-2) unstable; urgency=medium | ||
1719 | |||
1720 | * Disable PasswordAuthentication for new installations (closes: #236810). | ||
1721 | * Turn off the new ForwardX11Trusted by default, returning to the | ||
1722 | semantics of 3.7 and earlier, since it seems immature and causes far too | ||
1723 | many problems with existing setups. See README.Debian for details | ||
1724 | (closes: #237021). | ||
1725 | |||
1726 | -- Colin Watson <cjwatson@debian.org> Wed, 10 Mar 2004 10:33:07 +0000 | ||
1727 | |||
1728 | openssh (1:3.8p1-1) unstable; urgency=low | ||
1729 | |||
1730 | * New upstream release (closes: #232281): | ||
1731 | - New PAM implementation based on that in FreeBSD. This runs PAM session | ||
1732 | modules before dropping privileges (closes: #132681, #150968). | ||
1733 | - Since PAM session modules are run as root, we can turn pam_limits back | ||
1734 | on by default, and it no longer spits out "Operation not permitted" to | ||
1735 | syslog (closes: #171673). | ||
1736 | - Password expiry works again (closes: #153235). | ||
1737 | - 'ssh -q' suppresses login banner (closes: #134589). | ||
1738 | - sshd doesn't lie to PAM about invalid usernames (closes: #157078). | ||
1739 | - ssh-add prints key comment on each prompt (closes: #181869). | ||
1740 | - Punctuation formatting fixed in man pages (closes: #191131). | ||
1741 | - EnableSSHKeysign documented in ssh_config(5) (closes: #224457). | ||
1742 | * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older | ||
1743 | than this, to maintain the standard Debian sshd configuration. | ||
1744 | * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in | ||
1745 | sshd_config on upgrade. Neither option is supported any more. | ||
1746 | * Privilege separation and PAM are now properly supported together, so | ||
1747 | remove both debconf questions related to them and simply set it | ||
1748 | unconditionally in newly generated sshd_config files (closes: #228838). | ||
1749 | * ServerAliveInterval implemented upstream, so ProtocolKeepAlives is now a | ||
1750 | compatibility alias. The semantics differ slightly, though; see | ||
1751 | ssh_config(5) for details. | ||
1752 | * Implement SSH1 support for ServerAliveInterval using SSH_MSG_IGNORE. As | ||
1753 | documented in ssh_config(5), it's not as good as the SSH2 version. | ||
1754 | * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and | ||
1755 | -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary. | ||
1756 | * Update config.guess and config.sub from autotools-dev 20040105.1. | ||
1757 | * Darren Tucker: | ||
1758 | - Reset signal status when starting pam auth thread, prevent hanging | ||
1759 | during PAM keyboard-interactive authentications. | ||
1760 | - Fix a non-security-critical segfault in PAM authentication. | ||
1761 | * Add debconf template translations: | ||
1762 | - Greek (thanks, Konstantinos Margaritis; closes: #232843). | ||
1763 | - Italian (thanks, Renato Gini; closes: #234777). | ||
1764 | |||
1765 | -- Colin Watson <cjwatson@debian.org> Sat, 6 Mar 2004 18:43:44 +0000 | ||
1766 | |||
1767 | openssh (1:3.6.1p2-12) unstable; urgency=low | ||
1768 | |||
1769 | * Update Spanish debconf template translation (thanks, Javier | ||
1770 | Fernández-Sanguino Peña; closes: #228242). | ||
1771 | * Add debconf template translations: | ||
1772 | - Czech (thanks, Miroslav Kure; closes: #230110). | ||
1773 | - Simplified Chinese (thanks, Hiei Xu; closes: #230726). | ||
1774 | |||
1775 | -- Colin Watson <cjwatson@debian.org> Wed, 11 Feb 2004 09:37:57 +0000 | ||
1776 | |||
1777 | openssh (1:3.6.1p2-11) unstable; urgency=low | ||
1778 | |||
1779 | * Comment out pam_limits in default configuration, for now at least | ||
1780 | (closes: #198254). | ||
1781 | * Use invoke-rc.d (if it exists) to run the init script. | ||
1782 | * Backport format string bug fix in sshconnect.c (closes: #225238). | ||
1783 | * ssh-copy-id exits if ssh fails (closes: #215252). | ||
1784 | |||
1785 | -- Colin Watson <cjwatson@debian.org> Sun, 4 Jan 2004 18:59:21 +0000 | ||
1786 | |||
1787 | openssh (1:3.6.1p2-10) unstable; urgency=low | ||
1788 | |||
1789 | * Use --retry in init script when restarting rather than sleeping, to make | ||
1790 | sure the old process is dead (thanks, Herbert Xu; closes: #212117). | ||
1791 | Depend on dpkg (>= 1.9.0) for start-stop-daemon's --retry option. | ||
1792 | * Update debconf template translations: | ||
1793 | - Brazilian Portuguese (thanks, Andre Luis Lopes; closes: #219844). | ||
1794 | - Danish (thanks, Morten Brix Pedersen; closes: #217964). | ||
1795 | - Japanese (thanks, Kenshi Muto; closes: #212497). | ||
1796 | - Russian (thanks, Ilgiz Kalmetev). | ||
1797 | - Spanish (thanks, Carlos Valdivia Yagüe; closes: #211832). | ||
1798 | * Add Dutch debconf template translation (thanks, cobaco; | ||
1799 | closes: #215372). | ||
1800 | * Update config.guess and config.sub from autotools-dev 20031007.1 | ||
1801 | (closes: #217696). | ||
1802 | * Implement New World Order for PAM configuration, including | ||
1803 | /etc/pam.d/common-* from /etc/pam.d/ssh (closes: #212959). | ||
1804 | - To backport this release to woody, you need to set DEB_BUILD_SSH_WOODY | ||
1805 | in your environment. See README.Debian. | ||
1806 | * Add more commentary to /etc/pam.d/ssh. | ||
1807 | |||
1808 | -- Colin Watson <cjwatson@debian.org> Sun, 16 Nov 2003 01:14:16 +0000 | ||
1809 | |||
1810 | openssh (1:3.6.1p2-9) unstable; urgency=high | ||
1811 | |||
1812 | * Merge even more buffer allocation fixes from upstream (CAN-2003-0682; | ||
1813 | closes: #211434). | ||
1814 | |||
1815 | -- Colin Watson <cjwatson@debian.org> Fri, 19 Sep 2003 10:25:25 +0100 | ||
1816 | |||
1817 | openssh (1:3.6.1p2-8) unstable; urgency=high | ||
1818 | |||
1819 | * Merge more buffer allocation fixes from new upstream version 3.7.1p1 | ||
1820 | (closes: #211324). | ||
1821 | |||
1822 | -- Colin Watson <cjwatson@debian.org> Wed, 17 Sep 2003 03:07:19 +0100 | ||
1823 | |||
1824 | openssh (1:3.6.1p2-7) unstable; urgency=high | ||
1825 | |||
1826 | * Update debconf template translations: | ||
1827 | - French (thanks, Christian Perrier; closes: #208801). | ||
1828 | - Japanese (thanks, Kenshi Muto; closes: #210380). | ||
1829 | * Some small improvements to the English templates courtesy of Christian | ||
1830 | Perrier. I've manually unfuzzied a few translations where it was | ||
1831 | obvious, on Christian's advice, but the others will have to be updated. | ||
1832 | * Document how to generate an RSA1 host key (closes: #141703). | ||
1833 | * Incorporate NMU fix for early buffer expansion vulnerability, | ||
1834 | CAN-2003-0693 (closes: #211205). Thanks to Michael Stone. | ||
1835 | |||
1836 | -- Colin Watson <cjwatson@debian.org> Tue, 16 Sep 2003 14:32:28 +0100 | ||
1837 | |||
1838 | openssh (1:3.6.1p2-6.0) unstable; urgency=high | ||
1839 | |||
1840 | * SECURITY: fix for CAN-2003-0693, buffer allocation error | ||
1841 | |||
1842 | -- Michael Stone <mstone@debian.org> Tue, 16 Sep 2003 08:27:07 -0400 | ||
1843 | |||
1844 | openssh (1:3.6.1p2-6) unstable; urgency=medium | ||
1845 | |||
1846 | * Use a more CVS-friendly means of setting SSH_VERSION. | ||
1847 | * Update Brazilian Portuguese debconf template translation (thanks, Andre | ||
1848 | Luis Lopes; closes: #208036). | ||
1849 | * Don't run 'sshd -t' in init script if the server isn't to be run | ||
1850 | (closes: #197576). | ||
1851 | * Fix login delay, spurious auth.log entry, and PermitRootLogin | ||
1852 | information leakage due to PAM issues with upstream's recent security | ||
1853 | update (thanks, Darren Tucker; closes: #99168, #192207, #193546). | ||
1854 | * Policy version 3.6.1: recode this changelog to UTF-8. | ||
1855 | |||
1856 | -- Colin Watson <cjwatson@debian.org> Wed, 3 Sep 2003 19:14:02 +0100 | ||
1857 | |||
1858 | openssh (1:3.6.1p2-5) unstable; urgency=low | ||
1859 | |||
1860 | * Disable cmsg_type check for file descriptor passing when running on | ||
1861 | Linux 2.0 (closes: #150976). Remove comments about non-functional | ||
1862 | privilege separation on 2.0 from ssh/privsep_ask and ssh/privsep_tell | ||
1863 | debconf questions and from README.Debian, since it should all now work. | ||
1864 | * Fix "defails" typo in generated sshd_config (closes: #206484). | ||
1865 | * Backport upstream patch to strip trailing whitespace (including | ||
1866 | newlines) from configuration directives (closes: #192079). | ||
1867 | |||
1868 | -- Colin Watson <cjwatson@debian.org> Wed, 27 Aug 2003 02:19:57 +0100 | ||
1869 | |||
1870 | openssh (1:3.6.1p2-4) unstable; urgency=low | ||
1871 | |||
1872 | * getent can get just one key; no need to use grep (thanks, James Troup). | ||
1873 | * Move /usr/local/bin to the front of the default path, following | ||
1874 | /etc/login.defs (closes: #201150). | ||
1875 | * Remove specifics of problematic countries from package description | ||
1876 | (closes: #197040). | ||
1877 | * Update Spanish debconf template translation (thanks, Carlos Valdivia | ||
1878 | Yagüe; closes: #198456). | ||
1879 | * Backport upstream patch to pass monitor signals through to child | ||
1880 | (closes: #164797). | ||
1881 | |||
1882 | -- Colin Watson <cjwatson@debian.org> Sun, 27 Jul 2003 17:31:15 +0100 | ||
1883 | |||
1884 | openssh (1:3.6.1p2-3) unstable; urgency=low | ||
1885 | |||
1886 | * Update French debconf template translation (thanks, Christian Perrier; | ||
1887 | closes: #194323). | ||
1888 | * Version the adduser dependency for --no-create-home (closes: #195756). | ||
1889 | * Add a version of moduli(5), namely revision 1.7 of | ||
1890 | http://www.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/moduli.5 with | ||
1891 | '/etc/moduli' changed to '/etc/ssh/moduli' throughout (closes: #196061). | ||
1892 | |||
1893 | -- Colin Watson <cjwatson@debian.org> Mon, 9 Jun 2003 02:51:35 +0100 | ||
1894 | |||
1895 | openssh (1:3.6.1p2-2) unstable; urgency=low | ||
1896 | |||
1897 | * Force /etc/default/ssh to be non-executable, since dpkg apparently | ||
1898 | doesn't deal with permissions changes on conffiles (closes: #192966). | ||
1899 | * Use debconf 0.5's seen flag rather than the deprecated isdefault. | ||
1900 | * Add GPL location to copyright file. | ||
1901 | * Remove debian/postinst.old. | ||
1902 | * Switch to po-debconf, with some careful manual use of po2debconf to | ||
1903 | ensure that the source package continues to build smoothly on woody | ||
1904 | (closes: #183986). | ||
1905 | * Update debconf template translations: | ||
1906 | - Brazilian Portugese (thanks, Andre Luis Lopes; see #183986). | ||
1907 | - Japanese (thanks, Tomohiro KUBOTA; closes: #192429). | ||
1908 | * Compile with -fno-builtin-log for now, otherwise gcc-3.3 complains | ||
1909 | "log.h:59: warning: conflicting types for built-in function `log'". The | ||
1910 | OpenSSH log() function has been renamed in upstream CVS. | ||
1911 | |||
1912 | -- Colin Watson <cjwatson@debian.org> Mon, 19 May 2003 01:52:38 +0100 | ||
1913 | |||
1914 | openssh (1:3.6.1p2-1) unstable; urgency=medium | ||
1915 | |||
1916 | * New upstream release, including fix for PAM user-discovery security hole | ||
1917 | (closes: #191681). | ||
1918 | * Fix ChallengeResponseAuthentication default in generated sshd_config | ||
1919 | (closes: #106037). | ||
1920 | * Put newlines after full stops in man page documentation for | ||
1921 | ProtocolKeepAlives and SetupTimeOut. | ||
1922 | * Policy version 3.5.9: support DEB_BUILD_OPTIONS=noopt, build | ||
1923 | gnome-ssh-askpass with -g and -Wall flags. | ||
1924 | * Really ask ssh/new_config debconf question before trying to fetch its | ||
1925 | value (closes: #188721). | ||
1926 | * On purge, remove only the files we know about in /etc/ssh rather than | ||
1927 | the whole thing, and remove the directory if that leaves it empty | ||
1928 | (closes: #176679). | ||
1929 | * ssh has depended on debconf for some time now with no complaints, so: | ||
1930 | - Simplify the postinst by relying on debconf being present. (The absent | ||
1931 | case was buggy anyway.) | ||
1932 | - Get rid of "if you have not installed debconf" text in README.Debian, | ||
1933 | and generally update the "/usr/bin/ssh not SUID" entry. | ||
1934 | * More README.Debian work: | ||
1935 | - Reorganize into "UPGRADE ISSUES" and "OTHER ISSUES", in an effort to | ||
1936 | make it easier for people to find the former. The upgrade issues | ||
1937 | should probably be sorted by version somehow. | ||
1938 | - Document X11UseLocalhost under "X11 Forwarding" (closes: #150913). | ||
1939 | * Fix setting of IP flags for interactive sessions (upstream bug #541). | ||
1940 | |||
1941 | -- Colin Watson <cjwatson@debian.org> Mon, 5 May 2003 17:47:40 +0100 | ||
1942 | |||
1943 | openssh (1:3.6.1p1-1) unstable; urgency=low | ||
1944 | |||
1945 | * New upstream release (thanks, Laurence J. Lane). | ||
1946 | * debian/control: ssh-askpass-gnome is now Section: gnome, following the | ||
1947 | override file. | ||
1948 | |||
1949 | -- Colin Watson <cjwatson@debian.org> Wed, 2 Apr 2003 00:51:02 +0100 | ||
1950 | |||
1951 | openssh (1:3.6p1-1) unstable; urgency=low | ||
1952 | |||
1953 | * New upstream release. | ||
1954 | - Workaround applied upstream for a bug in the interaction of glibc's | ||
1955 | getaddrinfo() with the Linux 2.2 kernel (closes: #155814). | ||
1956 | - As such, it should now be safe to remove --with-ipv4-default, so | ||
1957 | starting sshd with -6 is no longer necessary (closes: #79861 and lots | ||
1958 | of other merged bugs). | ||
1959 | - ssh-copy-id prints usage when run without arguments (closes: #71376). | ||
1960 | - scp exits 1 if ssh fails (closes: #138400). | ||
1961 | - sshd writes to utmp's ut_addr_v6 field in IPv6 mode (closes: #167867). | ||
1962 | - 'ssh-add -c' causes ssh-agent to ask the user each time a key is used | ||
1963 | (closes: #109795). | ||
1964 | * Install /etc/default/ssh non-executable (closes: #185537). | ||
1965 | |||
1966 | -- Colin Watson <cjwatson@debian.org> Mon, 31 Mar 2003 23:00:59 +0100 | ||
1967 | |||
1968 | openssh (1:3.5p1-5) unstable; urgency=low | ||
1969 | |||
1970 | * Add /etc/default/ssh (closes: #161049). | ||
1971 | * Run the init script under 'set -e' (closes: #175010). | ||
1972 | * Change the default superuser path to include /sbin, /usr/sbin, and | ||
1973 | /usr/local/sbin (closes: #128235, #151267). Using login.defs would be | ||
1974 | nice, but that belongs to another package. Without a defined API to | ||
1975 | retrieve its settings, parsing it is off-limits. | ||
1976 | * Build ssh-askpass-gnome with GNOME 2. The source package should still | ||
1977 | support building on stable with GNOME 1, using the alternate | ||
1978 | libgnome-dev build-dependency (thanks, Colin Walters; closes: #167582). | ||
1979 | |||
1980 | -- Colin Watson <cjwatson@debian.org> Sun, 9 Mar 2003 20:12:10 +0000 | ||
1981 | |||
1982 | openssh (1:3.5p1-4) unstable; urgency=low | ||
1983 | |||
1984 | * Point rlogin and rcp alternatives at slogin and scp respectively rather | ||
1985 | than ssh (closes: #121103, #151666). Fix alternative removal to match; | ||
1986 | previously it was completely wrong anyway. | ||
1987 | * Find out whether /etc/ssh/sshd_not_to_be_run exists and set the debconf | ||
1988 | question's default using that information, rather than using debconf as | ||
1989 | a registry. Other solutions may be better in the long run, but this is | ||
1990 | at least correct (thanks, Matthew Woodcraft; closes: #84725). | ||
1991 | * Stop using pam_lastlog, as it doesn't currently work well as a session | ||
1992 | module when privilege separation is enabled; it can usually read | ||
1993 | /var/log/lastlog but can't write to it. Instead, just use sshd's | ||
1994 | built-in support, already enabled by default (closes: #151297, #169938). | ||
1995 | * Use 'ssh-keygen -q' rather than redirecting output to /dev/null. | ||
1996 | * Add a "this may take some time" warning when creating host keys on | ||
1997 | installation (part of #110094). | ||
1998 | * When restarting via the init script, check for sshd_not_to_be_run after | ||
1999 | stopping sshd (idea from Tomas Pospisek; closes: #149850). | ||
2000 | * Append /usr/sbin:/sbin to the init script's $PATH, just in case of | ||
2001 | strangeness (closes: #115138). | ||
2002 | * Fix a dpkg-statoverride call to redirect stdout to /dev/null, not | ||
2003 | stderr. | ||
2004 | * Correct copyright file typo: "orignal" -> "original" (closes: #176490). | ||
2005 | * Rebuild with libssl0.9.7 (closes: #176983). | ||
2006 | * We're up to policy version 3.5.6. DEB_BUILD_OPTIONS stuff still needs to | ||
2007 | be looked at. | ||
2008 | |||
2009 | -- Colin Watson <cjwatson@debian.org> Sat, 18 Jan 2003 01:37:23 +0000 | ||
2010 | |||
2011 | openssh (1:3.5p1-3) unstable; urgency=low | ||
2012 | |||
2013 | * Happy new year! | ||
2014 | * Use getent rather than id to find out whether the sshd user exists | ||
2015 | (closes: #150974). | ||
2016 | * Remove some duplication from the postinst's ssh-keysign setuid code. | ||
2017 | * Replace db_text with db_input throughout debian/config. (db_text has | ||
2018 | been a compatibility wrapper since debconf 0.1.5.) | ||
2019 | * Warn about PermitUserEnvironment on upgrade (closes: #167895). | ||
2020 | * Use 'make install-nokeys', and disable unused debhelper commands, | ||
2021 | thereby forward-porting the last pieces of Zack Weinberg's patch | ||
2022 | (closes: #68341). | ||
2023 | * Move the man page for gnome-ssh-askpass from the ssh package to | ||
2024 | ssh-askpass-gnome (closes: #174449). | ||
2025 | * Build with -DLOGIN_NO_ENDOPT, since Debian's /bin/login doesn't accept | ||
2026 | '--' to terminate the list of options (closes: #171554). | ||
2027 | * Add Jonathan Amery's ssh-argv0 script (closes: #111341). | ||
2028 | * Update Danish debconf template (thanks, Morten Brix Pedersen; | ||
2029 | closes: #174757). | ||
2030 | * Document setgid ssh-agent's effect on certain environment variables in | ||
2031 | README.Debian (closes: #167974). | ||
2032 | * Document interoperability problems between scp and ssh.com's server in | ||
2033 | README.Debian, and suggest some workarounds (closes: #174662). | ||
2034 | |||
2035 | -- Colin Watson <cjwatson@debian.org> Wed, 1 Jan 2003 14:18:30 +0000 | ||
2036 | |||
2037 | openssh (1:3.5p1-2) unstable; urgency=low | ||
2038 | |||
2039 | * Mention in the ssh package description that it provides both ssh and | ||
2040 | sshd (closes: #99680). | ||
2041 | * Create a system group for ssh-agent, not a user group (closes: #167669). | ||
2042 | |||
2043 | -- Colin Watson <cjwatson@debian.org> Mon, 4 Nov 2002 13:43:53 +0000 | ||
2044 | |||
2045 | openssh (1:3.5p1-1) unstable; urgency=low | ||
2046 | |||
2047 | * New upstream release. | ||
2048 | - Fixes typo in ssh-add usage (closes: #152239). | ||
2049 | - Fixes 'PermitRootLogin forced-commands-only' (closes: #166184). | ||
2050 | - ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys | ||
2051 | are deprecated for security reasons and will eventually go away. For | ||
2052 | now they can be re-enabled by setting 'PermitUserEnvironment yes' in | ||
2053 | sshd_config. | ||
2054 | - ssh-agent is installed setgid to prevent ptrace() attacks. The group | ||
2055 | actually doesn't matter, as it drops privileges immediately, but to | ||
2056 | avoid confusion the postinst creates a new 'ssh' group for it. | ||
2057 | * Obsolete patches: | ||
2058 | - Solar Designer's privsep+compression patch for Linux 2.2 (see | ||
2059 | 1:3.3p1-0.0woody1). | ||
2060 | - Hostbased auth ssh-keysign backport (see 1:3.4p1-4). | ||
2061 | |||
2062 | * Remove duplicated phrase in ssh_config(5) (closes: #152404). | ||
2063 | * Source the debconf confmodule at the top of the postrm rather than at | ||
2064 | the bottom, to avoid making future non-idempotency problems worse (see | ||
2065 | #151035). | ||
2066 | * Debconf templates: | ||
2067 | - Add Polish (thanks, Grzegorz Kusnierz). | ||
2068 | - Update French (thanks, Denis Barbier; closes: #132509). | ||
2069 | - Update Spanish (thanks, Carlos Valdivia Yagüe; closes: #164716). | ||
2070 | * Write a man page for gnome-ssh-askpass, and link it to ssh-askpass.1 if | ||
2071 | this is the selected ssh-askpass alternative (closes: #67775). | ||
2072 | |||
2073 | -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100 | ||
2074 | |||
2075 | openssh (1:3.4p1-4) unstable; urgency=low | ||
2076 | |||
2077 | * Allow ssh-krb5 in ssh-askpass-gnome's dependencies (closes: #129532). | ||
2078 | * Restore Russia to list of countries where encryption is problematic (see | ||
2079 | #148951 and http://www.average.org/freecrypto/). | ||
2080 | * Drop ssh-askpass-gnome's priority to optional, per the override file. | ||
2081 | * Drop the PAM special case for hurd-i386 (closes: #99157). | ||
2082 | * s/dile/idle/ in ssh_config(5) (closes: #118331). | ||
2083 | * Note in README.Debian that you need xauth from xbase-clients on the | ||
2084 | server for X11 forwarding (closes: #140269). | ||
2085 | * Use correct path to upstream README in copyright file (closes: #146037). | ||
2086 | * Document the units for ProtocolKeepAlives (closes: #159479). | ||
2087 | * Backport upstream patch to fix hostbased auth (closes: #117114). | ||
2088 | * Add -g to CFLAGS. | ||
2089 | |||
2090 | -- Colin Watson <cjwatson@debian.org> Sun, 13 Oct 2002 18:58:53 +0100 | ||
2091 | |||
2092 | openssh (1:3.4p1-3) unstable; urgency=low | ||
2093 | |||
2094 | * Add myself to Uploaders: and begin acting as temporary maintainer, at | ||
2095 | Matthew's request. (Normal service will resume in some months' time.) | ||
2096 | * Add sharutils to Build-Depends (closes: #138465). | ||
2097 | * Stop creating the /usr/doc/ssh symlink. | ||
2098 | |||
2099 | * Fix some debconf template typos (closes: #160358). | ||
2100 | * Split debconf templates into one file per language. | ||
2101 | * Add debconf template translations: | ||
2102 | - Brazilian Portuguese (thanks, Andre Luis Lopes; closes: #106173). | ||
2103 | - Danish (thanks, Claus Hindsgaul; closes: #126607). | ||
2104 | - Japanese (thanks, Tomohiro KUBOTA; closes: #137427). | ||
2105 | - Russian (thanks, Ilgiz Kalmetev; closes: #136610). | ||
2106 | - Spanish (thanks, Carlos Valdivia Yagüe; closes: #129041). | ||
2107 | * Update debconf template translations: | ||
2108 | - French (thanks, Igor Genibel; closes: #151361). | ||
2109 | - German (thanks, Axel Noetzold; closes: #147069). | ||
2110 | * Some of these translations are fuzzy. Please send updates. | ||
2111 | |||
2112 | -- Colin Watson <cjwatson@debian.org> Sun, 13 Oct 2002 14:09:57 +0100 | ||
2113 | |||
2114 | openssh (1:3.4p1-2) unstable; urgency=high | ||
2115 | |||
2116 | * Get a security-fixed version into unstable | ||
2117 | * Also tidy README.Debian up a little | ||
2118 | |||
2119 | -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 17:20:59 +0100 | ||
2120 | |||
2121 | openssh (1:3.4p1-1) testing; urgency=high | ||
2122 | |||
2123 | * Extend my tendrils back into this package (Closes: #150915, #151098) | ||
2124 | * thanks to the security team for their work | ||
2125 | * no thanks to ISS/Theo de Raadt for their handling of these bugs | ||
2126 | * save old sshd_configs to sshd_config.dpkg-old when auto-generating a | ||
2127 | new one | ||
2128 | * tell/ask the user about PriviledgeSeparation | ||
2129 | * /etc/init.d/ssh run will now create the chroot empty dir if necessary | ||
2130 | * Remove our previous statoverride on /usr/bin/ssh (only for people | ||
2131 | upgrading from a version where we'd put one in ourselves!) | ||
2132 | * Stop slandering Russia, since someone asked so nicely (Closes: #148951) | ||
2133 | * Reduce the sleep time in /etc/init.d/ssh during a restart | ||
2134 | |||
2135 | -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 15:52:10 +0100 | ||
2136 | |||
2137 | openssh (1:3.4p1-0.0woody1) testing-security; urgency=high | ||
2138 | |||
2139 | * NMU by the security team. | ||
2140 | * New upstream version | ||
2141 | |||
2142 | -- Michael Stone <mstone@debian.org> Wed, 26 Jun 2002 15:40:38 -0400 | ||
2143 | |||
2144 | openssh (1:3.3p1-0.0woody4) testing-security; urgency=high | ||
2145 | |||
2146 | * NMU by the security team. | ||
2147 | * fix error when /etc/ssh/sshd_config exists on new install | ||
2148 | * check that user doesn't exist before running adduser | ||
2149 | * use openssl internal random unconditionally | ||
2150 | |||
2151 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 19:44:39 -0400 | ||
2152 | |||
2153 | openssh (1:3.3p1-0.0woody3) testing-security; urgency=high | ||
2154 | |||
2155 | * NMU by the security team. | ||
2156 | * use correct home directory when sshd user is created | ||
2157 | |||
2158 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400 | ||
2159 | |||
2160 | openssh (1:3.3p1-0.0woody2) testing-security; urgency=high | ||
2161 | |||
2162 | * NMU by the security team. | ||
2163 | * Fix rsa1 key creation (Closes: #150949) | ||
2164 | * don't fail if sshd user removal fails | ||
2165 | * depends: on adduser (Closes: #150907) | ||
2166 | |||
2167 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400 | ||
2168 | |||
2169 | openssh (1:3.3p1-0.0woody1) testing-security; urgency=high | ||
2170 | |||
2171 | * NMU by the security team. | ||
2172 | * New upstream version. | ||
2173 | - Enable privilege separation by default. | ||
2174 | * Include patch from Solar Designer for privilege separation and | ||
2175 | compression on 2.2.x kernels. | ||
2176 | * Remove --disable-suid-ssh from configure. | ||
2177 | * Support setuid ssh-keysign binary instead of setuid ssh client. | ||
2178 | * Check sshd configuration before restarting. | ||
2179 | |||
2180 | -- Daniel Jacobowitz <dan@debian.org> Mon, 24 Jun 2002 13:43:44 -0400 | ||
2181 | |||
2182 | openssh (1:3.0.2p1-9) unstable; urgency=high | ||
2183 | |||
2184 | * Thanks to those who NMUd | ||
2185 | * The only change in this version is to debian/control - I've removed | ||
2186 | the bit that says you can't export it from the US - it would look | ||
2187 | pretty daft to say this about a package in main! Also, it's now OK | ||
2188 | to use crypto in France, so I've edited that comment slightly | ||
2189 | * Correct a path in README.Debian too (Closes: #138634) | ||
2190 | |||
2191 | -- Matthew Vernon <matthew@debian.org> Sun, 4 Apr 2002 09:52:59 +0100 | ||
2192 | |||
2193 | openssh (1:3.0.2p1-8.3) unstable; urgency=medium | ||
2194 | |||
2195 | * NMU | ||
2196 | * Really set urgency to medium this time (oops) | ||
2197 | * Fix priority to standard per override while I'm at it | ||
2198 | |||
2199 | -- Aaron M. Ucko <ucko@debian.org> Sun, 24 Mar 2002 09:00:08 -0500 | ||
2200 | |||
2201 | openssh (1:3.0.2p1-8.2) unstable; urgency=low | ||
2202 | |||
2203 | * NMU with maintainer's permission | ||
2204 | * Prepare for upcoming ssh-nonfree transitional packages per | ||
2205 | <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html> | ||
2206 | * Urgency medium because it would really be good to get this into woody | ||
2207 | before it releases | ||
2208 | * Fix sections to match override file | ||
2209 | * Reissued due to clash with non-US -> main move | ||
2210 | |||
2211 | -- Aaron M. Ucko <ucko@debian.org> Sat, 23 Mar 2002 21:21:52 -0500 | ||
2212 | |||
2213 | openssh (1:3.0.2p1-8.1) unstable; urgency=low | ||
2214 | |||
2215 | * NMU | ||
2216 | * Move from non-US to mani | ||
2217 | |||
2218 | -- LaMont Jones <lamont@debian.org> Thu, 21 Mar 2002 09:33:50 -0700 | ||
2219 | |||
2220 | openssh (1:3.0.2p1-8) unstable; urgency=critical | ||
2221 | |||
2222 | * Security fix - patch from upstream (Closes: #137209, #137210) | ||
2223 | * Undo the changes in the unreleased -7, since they appear to break | ||
2224 | things here. Accordingly, the code change is minimal, and I'm | ||
2225 | happy to get it into testing ASAP | ||
2226 | |||
2227 | -- Matthew Vernon <matthew@debian.org> Thu, 7 Mar 2002 14:25:23 +0000 | ||
2228 | |||
2229 | openssh (1:3.0.2p1-7) unstable; urgency=high | ||
2230 | |||
2231 | * Build to support IPv6 and IPv4 by default again | ||
2232 | |||
2233 | -- Matthew Vernon <matthew@debian.org> Sat, 2 Mar 2002 00:25:05 +0000 | ||
2234 | |||
2235 | openssh (1:3.0.2p1-6) unstable; urgency=high | ||
2236 | |||
2237 | * Correct error in the clean target (Closes: #130868) | ||
2238 | |||
2239 | -- Matthew Vernon <matthew@debian.org> Sat, 26 Jan 2002 00:32:00 +0000 | ||
2240 | |||
2241 | openssh (1:3.0.2p1-5) unstable; urgency=medium | ||
2242 | |||
2243 | * Include the Debian version in our identification, to make it easier to | ||
2244 | audit networks for patched versions in future | ||
2245 | |||
2246 | -- Matthew Vernon <matthew@debian.org> Mon, 21 Jan 2002 17:16:10 +0000 | ||
2247 | |||
2248 | openssh (1:3.0.2p1-4) unstable; urgency=medium | ||
2249 | |||
2250 | * If we're asked to not run sshd, stop any running sshd's first | ||
2251 | (Closes: #129327) | ||
2252 | |||
2253 | -- Matthew Vernon <matthew@debian.org> Wed, 16 Jan 2002 21:24:16 +0000 | ||
2254 | |||
2255 | openssh (1:3.0.2p1-3) unstable; urgency=high | ||
2256 | |||
2257 | * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913) | ||
2258 | * Remove extra debconf suggestion (Closes: #128094) | ||
2259 | * Mmm. speedy bug-fixing :-) | ||
2260 | |||
2261 | -- Matthew Vernon <matthew@debian.org> Sat, 12 Jan 2002 17:23:58 +0000 | ||
2262 | |||
2263 | openssh (1:3.0.2p1-2) unstable; urgency=high | ||
2264 | |||
2265 | * Fix postinst to not automatically overwrite sshd_config (!) | ||
2266 | (Closes: #127842, #127867) | ||
2267 | * Add section in README.Debian about the PermitRootLogin setting | ||
2268 | |||
2269 | -- Matthew Vernon <matthew@debian.org> Sat, 5 Jan 2003 05:26:30 +0000 | ||
2270 | |||
2271 | openssh (1:3.0.2p1-1) unstable; urgency=high | ||
2272 | |||
2273 | * Incorporate fix from Colin's NMU | ||
2274 | * New upstream version (fixes the bug Wichert fixed) (Closes: #124035) | ||
2275 | * Capitalise IETF (Closes: #125379) | ||
2276 | * Refer to the correct sftp-server location (Closes: #126854, #126224) | ||
2277 | * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247) | ||
2278 | * Ask people upgrading from potato if they want a new conffile | ||
2279 | (Closes: #125642) | ||
2280 | * Fix a typo in postinst (Closes: #122192, #122410, #123440) | ||
2281 | * Frob the default config a little (Closes: #122284, #125827, #125696, | ||
2282 | #123854) | ||
2283 | * Make /etc/init.d/ssh be more clear about ssh not running (Closes: | ||
2284 | #123552) | ||
2285 | * Fix typo in templates file (Closes: #123411) | ||
2286 | |||
2287 | -- Matthew Vernon <matthew@debian.org> Fri, 4 Jan 2002 16:01:52 +0000 | ||
2288 | |||
2289 | openssh (1:3.0.1p1-1.2) unstable; urgency=high | ||
2290 | |||
2291 | * Non-maintainer upload | ||
2292 | * Prevent local users from passing environment variables to the login | ||
2293 | process when UseLogin is enabled | ||
2294 | |||
2295 | -- Wichert Akkerman <wakkerma@debian.org> Mon, 3 Dec 2001 19:34:45 +0100 | ||
2296 | |||
2297 | openssh (1:3.0.1p1-1.1) unstable; urgency=low | ||
2298 | |||
2299 | * Non-maintainer upload, at Matthew's request. | ||
2300 | * Remove sa_restorer assignment to fix compilation on alpha, hppa, and | ||
2301 | ia64 (closes: #122086). | ||
2302 | |||
2303 | -- Colin Watson <cjwatson@debian.org> Sun, 2 Dec 2001 18:54:16 +0000 | ||
2304 | |||
2305 | openssh (1:3.0.1p1-1) unstable; urgency=high | ||
2306 | |||
2307 | * New upstream version (Closes: #113646, #113513, #114707, #118564) | ||
2308 | * Building with a libc that works (!) (Closes: #115228) | ||
2309 | * Patches forward-ported are -1/-2 options for scp, the improvement to | ||
2310 | 'waiting for forwarded connections to terminate...' | ||
2311 | * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228) | ||
2312 | * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst | ||
2313 | * Remove suidregister leftover from postrm | ||
2314 | * Mention key we are making in the postinst | ||
2315 | * Default to not enable SSH protocol 1 support, since protocol 2 is | ||
2316 | much safer anyway. | ||
2317 | * New version of the vpn-fixes patch, from Ian Jackson | ||
2318 | * New handling of -q, and added new -qq option; thanks to Jon Amery | ||
2319 | * Experimental smartcard support not enabled, since I have no way of | ||
2320 | testing it. | ||
2321 | |||
2322 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 | ||
2323 | |||
2324 | openssh (1:2.9p2-6) unstable; urgency=low | ||
2325 | |||
2326 | * check for correct file in /etc/init.d/ssh (Closes: #110876) | ||
2327 | * correct location of version 2 keys in ssh.1 (Closes: #110439) | ||
2328 | * call update-alternatives --quiet (Closes: #103314) | ||
2329 | * hack ssh-copy-id to chmod go-w (Closes: #95551) | ||
2330 | * TEMPORARY fix to provide largefile support using a -D in the cflags | ||
2331 | line. long-term, upstream will patch the autoconf stuff | ||
2332 | (Closes: #106809, #111849) | ||
2333 | * remove /etc/rc references in ssh-keygen.1 (Closes: #68350) | ||
2334 | * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054) | ||
2335 | * Check for files containing a newline character (Closes: #111692) | ||
2336 | |||
2337 | -- Matthew Vernon <matthew@debian.org> Thu, 13 Sep 2001 16:47:36 +0100 | ||
2338 | |||
2339 | openssh (1:2.9p2-5) unstable; urgency=high | ||
2340 | |||
2341 | * Thanks to all the bug-fixers who helped! | ||
2342 | * remove sa_restorer assignment (Closes: #102837) | ||
2343 | * patch from Peter Benie to DTRT wrt X forwarding if the server refuses | ||
2344 | us access (Closes: #48297) | ||
2345 | * patch from upstream CVS to fix port forwarding (Closes: #107132) | ||
2346 | * patch from Jonathan Amery to document ssh-keygen behaviour | ||
2347 | (Closes:#106643, #107512) | ||
2348 | * patch to postinst from Jonathan Amery (Closes: #106411) | ||
2349 | * patch to manpage from Jonathan Amery (Closes: #107364) | ||
2350 | * patch from Matthew Vernon to make -q emit fatal errors as that is the | ||
2351 | documented behaviour (Closes: #64347) | ||
2352 | * patch from Ian Jackson to cause us to destroy a file when we scp it | ||
2353 | onto itself, rather than dumping bits of our memory into it, which was | ||
2354 | a security hole (see #51955) | ||
2355 | * patch from Jonathan Amery to document lack of Kerberos support | ||
2356 | (Closes: #103726) | ||
2357 | * patch from Matthew Vernon to make the 'waiting for connections to | ||
2358 | terminate' message more helpful (Closes: #50308) | ||
2359 | |||
2360 | -- Matthew Vernon <matthew@debian.org> Thu, 23 Aug 2001 02:14:09 +0100 | ||
2361 | |||
2362 | openssh (1:2.9p2-4) unstable; urgency=high | ||
2363 | |||
2364 | * Today's build of ssh is strawberry flavoured | ||
2365 | * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176) | ||
2366 | * Tidy up debconf template (Closes: #106152) | ||
2367 | * If called non-setuid, then setgid()'s failure should not be fatal (see | ||
2368 | #105854) | ||
2369 | |||
2370 | -- Matthew Vernon <matthew@debian.org> Sun, 22 Jul 2001 14:19:43 +0100 | ||
2371 | |||
2372 | openssh (1:2.9p2-3) unstable; urgency=low | ||
2373 | |||
2374 | * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061) | ||
2375 | * Improve the IdentityFile section in the man page (Closes: #106038) | ||
2376 | |||
2377 | -- Matthew Vernon <matthew@debian.org> Sat, 21 Jul 2001 14:47:27 +0100 | ||
2378 | |||
2379 | openssh (1:2.9p2-2) unstable; urgency=low | ||
2380 | |||
2381 | * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868) | ||
2382 | * Make PrintLastLog 'no' by default (Closes: #105893) | ||
2383 | |||
2384 | -- Matthew Vernon <matthew@debian.org> Thu, 19 Jul 2001 18:36:41 +0100 | ||
2385 | |||
2386 | openssh (1:2.9p2-1) unstable; urgency=low | ||
2387 | |||
2388 | * new (several..) upstream version (Closes: #96726, #81856, #96335) | ||
2389 | * Hopefully, this will close some other bugs too | ||
2390 | |||
2391 | -- Matthew Vernon <matthew@debian.org> Tue, 17 Jul 2001 19:41:58 +0100 | ||
2392 | |||
2393 | openssh (1:2.5.2p2-3) unstable; urgency=low | ||
2394 | |||
2395 | * Taking Over this package | ||
2396 | * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991) | ||
2397 | * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274) | ||
2398 | * Don't fiddle with conf-files any more (Closes: #69501) | ||
2399 | |||
2400 | -- Matthew Vernon <matthew@debian.org> Tue, 03 Jul 2001 02:58:13 +0100 | ||
2401 | |||
2402 | openssh (1:2.5.2p2-2.2) unstable; urgency=low | ||
2403 | |||
2404 | * NMU | ||
2405 | * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033) | ||
2406 | * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273) | ||
2407 | * Patch from Matthew Vernon for BannerTimeOut, batchmode, and | ||
2408 | documentation for protocolkeepalives. Makes ssh more generally useful | ||
2409 | for scripting uses (Closes: #82877, #99275) | ||
2410 | * Set a umask, so ourpidfile isn't world-writable (closes: #100012, | ||
2411 | #98286, #97391) | ||
2412 | |||
2413 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Jun 2001 23:15:42 +0100 | ||
2414 | |||
2415 | openssh (1:2.5.2p2-2.1) unstable; urgency=low | ||
2416 | |||
2417 | * NMU | ||
2418 | * Remove duplicate Build-Depends for libssl096-dev and change it to | ||
2419 | depend on libssl-dev instaed. Also adding in virtual | real package | ||
2420 | style build-deps. (Closes: #93793, #75228) | ||
2421 | * Removing add-log entry (Closes: #79266) | ||
2422 | * This was a pam bug from a while back (Closes: #86908, #88457, #86843) | ||
2423 | * pam build-dep already exists (Closes: #93683) | ||
2424 | * libgnome-dev build-dep already exists (Closes: #93694) | ||
2425 | * No longer in non-free (Closes: #85401) | ||
2426 | * Adding in fr debconf translations (Closes: #83783) | ||
2427 | * Already suggests xbase-clients (Closes: #79741) | ||
2428 | * No need to suggest libpam-pwdb anymore (Closes: #81658) | ||
2429 | * Providing rsh-client (Closes: #79437) | ||
2430 | * hurd patch was already applied (Closes: #76033) | ||
2431 | * default set to no (Closes: #73682) | ||
2432 | * Adding in a suggests for dnsutils (Closes: #93265) | ||
2433 | * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612) | ||
2434 | (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465) | ||
2435 | * Adding in debconf dependency | ||
2436 | |||
2437 | -- Ivan E. Moore II <rkrusty@debian.org> Mon, 16 Apr 2001 14:11:04 +0100 | ||
2438 | |||
2439 | openssh (1:2.5.2p2-2) unstable; urgency=high | ||
2440 | |||
2441 | * disable the OpenSSL version check in entropy.c | ||
2442 | (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648) | ||
2443 | |||
2444 | -- Philip Hands <phil@uk.alcove.com> Wed, 11 Apr 2001 20:30:04 +0100 | ||
2445 | |||
2446 | openssh (1:2.5.2p2-1) unstable; urgency=low | ||
2447 | |||
2448 | * New upstream release | ||
2449 | * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748) | ||
2450 | * fix double space indent in german templates (closes: #89493) | ||
2451 | * make postinst check for ssh_host_rsa_key | ||
2452 | * get rid of the last of the misguided debian/rules NMU debris :-/ | ||
2453 | |||
2454 | -- Philip Hands <phil@hands.com> Sat, 24 Mar 2001 20:59:33 +0000 | ||
2455 | |||
2456 | openssh (1:2.5.1p2-2) unstable; urgency=low | ||
2457 | |||
2458 | * rebuild with new debhelper (closes: #89558, #89536, #90225) | ||
2459 | * fix broken dpkg-statoverride test in postinst | ||
2460 | (closes: #89612, #90474, #90460, #89605) | ||
2461 | * NMU bug fixed but not closed in last upload (closes: #88206) | ||
2462 | |||
2463 | -- Philip Hands <phil@hands.com> Fri, 23 Mar 2001 16:11:33 +0000 | ||
2464 | |||
2465 | openssh (1:2.5.1p2-1) unstable; urgency=high | ||
2466 | |||
2467 | * New upstream release | ||
2468 | * fix typo in postinst (closes: #88110) | ||
2469 | * revert to setting PAM service name in debian/rules, backing out last | ||
2470 | NMU, which also (closes: #88101) | ||
2471 | * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config | ||
2472 | * restore printlastlog option patch | ||
2473 | * revert to using debhelper, which had been partially disabled in NMUs | ||
2474 | |||
2475 | -- Philip Hands <phil@hands.com> Tue, 13 Mar 2001 01:41:34 +0000 | ||
2476 | |||
2477 | openssh (1:2.5.1p1-1.8) unstable; urgency=high | ||
2478 | |||
2479 | * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed | ||
2480 | |||
2481 | -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 19:48:01 +0100 | ||
2482 | |||
2483 | openssh (1:2.5.1p1-1.7) unstable; urgency=high | ||
2484 | |||
2485 | * And now we mark the correct binary as setuid, when a user requested | ||
2486 | to install it setuid. | ||
2487 | |||
2488 | -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 07:19:56 +0100 | ||
2489 | |||
2490 | openssh (1:2.5.1p1-1.6) unstable; urgency=high | ||
2491 | |||
2492 | * Fixes postinst to handle overrides that are already there. Damn, I | ||
2493 | should have noticed the bug earlier. | ||
2494 | |||
2495 | -- Christian Kurz <shorty@debian.org> Wed, 28 Feb 2001 22:35:00 +0100 | ||
2496 | |||
2497 | openssh (1:2.5.1p1-1.5) unstable; urgency=high | ||
2498 | |||
2499 | * Rebuild ssh with pam-support. | ||
2500 | |||
2501 | -- Christian Kurz <shorty@debian.org> Mon, 26 Feb 2001 21:55:51 +0100 | ||
2502 | |||
2503 | openssh (1:2.5.1p1-1.4) unstable; urgency=low | ||
2504 | |||
2505 | * Added Build-Depends on libssl096-dev. | ||
2506 | * Fixed sshd_config file to disallow root logins again. | ||
2507 | |||
2508 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 20:03:55 +0100 | ||
2509 | |||
2510 | openssh (1:2.5.1p1-1.3) unstable; urgency=low | ||
2511 | |||
2512 | * Fixed missing manpages for sftp.1 and ssh-keyscan.1 | ||
2513 | * Made package policy 3.5.2 compliant. | ||
2514 | |||
2515 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 15:46:26 +0100 | ||
2516 | |||
2517 | openssh (1:2.5.1p1-1.2) unstable; urgency=low | ||
2518 | |||
2519 | * Added Conflict with sftp, since we now provide our own sftp-client. | ||
2520 | * Added a fix for our broken dpkg-statoverride call in the | ||
2521 | 2.3.0p1-13. | ||
2522 | * Fixed some config pathes in the comments of sshd_config. | ||
2523 | * Removed ssh-key-exchange-vulnerability-patch since it's not needed | ||
2524 | anymore because upstream included the fix. | ||
2525 | |||
2526 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 13:46:58 +0100 | ||
2527 | |||
2528 | openssh (1:2.5.1p1-1.1) unstable; urgency=high | ||
2529 | |||
2530 | * Another NMU to get the new upstream version 2.5.1p1 into | ||
2531 | unstable. (Closes: #87123) | ||
2532 | * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766) | ||
2533 | * Key Exchange patch is already included by upstream. (Closes: #86015) | ||
2534 | * Upgrading should be possible now. (Closes: #85525, #85523) | ||
2535 | * Added --disable-suid-ssh as compile option, so ssh won't get installed | ||
2536 | suid per default. | ||
2537 | * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride | ||
2538 | is available and the mode of the binary should be 4755. And also added | ||
2539 | suggestion for a newer dpkg. | ||
2540 | (Closes: #85734, #85741, #86876) | ||
2541 | * sftp and ssh-keyscan will also be included from now on. (Closes: #79994) | ||
2542 | * scp now understands spaces in filenames (Closes: #53783, #58958, | ||
2543 | #66723) | ||
2544 | * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623) | ||
2545 | * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035) | ||
2546 | * ssh supports the usage of other dsa keys via the ssh command line | ||
2547 | options. (Closes: #81250) | ||
2548 | * Documentation in sshd_config fixed. (Closes: #81088) | ||
2549 | * primes file included by upstream and included now. (Closes: #82101) | ||
2550 | * scp now allows dots in the username. (Closes: #82477) | ||
2551 | * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124) | ||
2552 | |||
2553 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 10:06:08 +0100 | ||
2554 | |||
2555 | openssh (1:2.3.0p1-1.13) unstable; urgency=low | ||
2556 | |||
2557 | * Config should now also be fixed with this hopefully last NMU. | ||
2558 | |||
2559 | -- Christian Kurz <shorty@debian.org> Sat, 10 Feb 2001 22:56:36 +0100 | ||
2560 | |||
2561 | openssh (1:2.3.0p1-1.12) unstable; urgency=high | ||
2562 | |||
2563 | * Added suggest for xbase-clients to control-file. (Closes #85227) | ||
2564 | * Applied patch from Markus Friedl to fix a vulnerability in | ||
2565 | the rsa keyexchange. | ||
2566 | * Fixed position of horizontal line. (Closes: #83613) | ||
2567 | * Fixed hopefully the grep problem in the config-file. (Closes: #78802) | ||
2568 | * Converted package from suidregister to dpkg-statoverride. | ||
2569 | |||
2570 | -- Christian Kurz <shorty@debian.org> Fri, 9 Feb 2001 19:43:55 +0100 | ||
2571 | |||
2572 | openssh (1:2.3.0p1-1.11) unstable; urgency=medium | ||
2573 | |||
2574 | * Fixed some typos in the german translation of the debconf | ||
2575 | template. | ||
2576 | |||
2577 | -- Christian Kurz <shorty@debian.org> Wed, 24 Jan 2001 18:22:38 +0100 | ||
2578 | |||
2579 | openssh (1:2.3.0p1-1.10) unstable; urgency=medium | ||
2580 | |||
2581 | * Fixed double printing of motd. (Closes: #82618) | ||
2582 | |||
2583 | -- Christian Kurz <shorty@debian.org> Tue, 23 Jan 2001 21:03:43 +0100 | ||
2584 | |||
2585 | openssh (1:2.3.0p1-1.9) unstable; urgency=high | ||
2586 | |||
2587 | * And the next NMU which includes the patch from Andrew Bartlett | ||
2588 | and Markus Friedl to fix the root privileges handling of openssh. | ||
2589 | (Closes: #82657) | ||
2590 | |||
2591 | -- Christian Kurz <shorty@debian.org> Wed, 17 Jan 2001 22:20:54 +0100 | ||
2592 | |||
2593 | openssh (1:2.3.0p1-1.8) unstable; urgency=high | ||
2594 | |||
2595 | * Applied fix from Ryan Murray to allow building on other architectures | ||
2596 | since the hurd patch was wrong. (Closes: #82471) | ||
2597 | |||
2598 | -- Christian Kurz <shorty@debian.org> Tue, 16 Jan 2001 22:45:51 +0100 | ||
2599 | |||
2600 | openssh (1:2.3.0p1-1.7) unstable; urgency=medium | ||
2601 | |||
2602 | * Fixed another typo on sshd_config | ||
2603 | |||
2604 | -- Christian Kurz <shorty@debian.org> Sun, 14 Jan 2001 19:01:31 +0100 | ||
2605 | |||
2606 | openssh (1:2.3.0p1-1.6) unstable; urgency=high | ||
2607 | |||
2608 | * Added Build-Dependency on groff (Closes: #81886) | ||
2609 | * Added Build-Depencency on debhelper (Closes: #82072) | ||
2610 | * Fixed entry for known_hosts in sshd_config (Closes: #82096) | ||
2611 | |||
2612 | -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 23:08:16 +0100 | ||
2613 | |||
2614 | openssh (1:2.3.0p1-1.5) unstable; urgency=high | ||
2615 | |||
2616 | * Fixed now also the problem with sshd used as default ipv4 and | ||
2617 | didn't use IPv6. This should be now fixed. | ||
2618 | |||
2619 | -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 21:25:55 +0100 | ||
2620 | |||
2621 | openssh (1:2.3.0p1-1.4) unstable; urgency=high | ||
2622 | |||
2623 | * Fixed buggy entry in postinst. | ||
2624 | |||
2625 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 23:12:16 +0100 | ||
2626 | |||
2627 | openssh (1:2.3.0p1-1.3) unstable; urgency=high | ||
2628 | |||
2629 | * After finishing the rewrite of the rules-file I had to notice that | ||
2630 | the manpage installation was broken. This should now work again. | ||
2631 | |||
2632 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 22:11:59 +0100 | ||
2633 | |||
2634 | openssh (1:2.3.0p1-1.2) unstable; urgency=high | ||
2635 | |||
2636 | * Fixed the screwed up build-dependency. | ||
2637 | * Removed --with-ipv4-default to support ipv6. | ||
2638 | * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd. | ||
2639 | * Fixed location to sftp-server in config. | ||
2640 | * Since debian still relies on /etc/pam.d/ssh instead of moving to | ||
2641 | /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name. | ||
2642 | * Fixed path to host key in sshd_config. | ||
2643 | |||
2644 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 08:23:47 +0100 | ||
2645 | |||
2646 | openssh (1:2.3.0p1-1.1) unstable; urgency=medium | ||
2647 | |||
2648 | * NMU with permission of Phil Hands. | ||
2649 | * New upstream release | ||
2650 | * Update Build-Depends to point to new libssl096. | ||
2651 | * This upstream release doesn't leak any information depending | ||
2652 | on the setting of PermitRootLogin (Closes: #59933) | ||
2653 | * New upstream release contains fix against forcing a client to | ||
2654 | do X/agent forwarding (Closes: #76788) | ||
2655 | * Changed template to contain correct path to the documentation | ||
2656 | (Closes: #67245) | ||
2657 | * Added --with-4in6 switch as compile option into debian/rules. | ||
2658 | * Added --with-ipv4-default as compile option into debian/rules. | ||
2659 | (Closes: #75037) | ||
2660 | * Changed default path to also contain /usr/local/bin and | ||
2661 | /usr/X11R6/bin (Closes: #62472,#54567,#62810) | ||
2662 | * Changed path to sftp-server in sshd_config to match the | ||
2663 | our package (Closes: #68347) | ||
2664 | * Replaced OpenBSDh with OpenBSD in the init-script. | ||
2665 | * Changed location to original source in copyright.head | ||
2666 | * Changed behaviour of init-script when invoked with the option | ||
2667 | restart (Closes: #68706,#72560) | ||
2668 | * Added a note about -L option of scp to README.Debian | ||
2669 | * ssh won't print now the motd if invoked with -t option | ||
2670 | (Closes: #59933) | ||
2671 | * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867) | ||
2672 | * Added a note about tcp-wrapper support to README.Debian | ||
2673 | (Closes: #72807,#22190) | ||
2674 | * Removed two unneeded options from building process. | ||
2675 | * Added sshd.pam into debian dir and install it. | ||
2676 | * Commented out unnecessary call to dh_installinfo. | ||
2677 | * Added a line to sshd.pam so that limits will be paid attention | ||
2678 | to (Closes: #66904) | ||
2679 | * Restart Option has a Timeout of 10 seconds (Closes: 51264) | ||
2680 | * scp won't override files anymore (Closes: 51955) | ||
2681 | * Removed pam_lastlog module, so that the lastlog is now printed | ||
2682 | only once (Closes: #71742, #68335, #69592, #71495, #77781) | ||
2683 | * If password is expired, openssh now forces the user to change it. | ||
2684 | (Closes: #51747) | ||
2685 | * scp should now have no more problems with shell-init-files that | ||
2686 | produces ouput (Closes: #56280,#59873) | ||
2687 | * ssh now prints the motd correctly (Closes: #66926) | ||
2688 | * ssh upgrade should disable ssh daemon only if users has choosen | ||
2689 | to do so (Closes: #67478) | ||
2690 | * ssh can now be installed suid (Closes: #70879) | ||
2691 | * Modified debian/rules to support hurd. | ||
2692 | |||
2693 | -- Christian Kurz <shorty@debian.org> Wed, 27 Dec 2000 20:06:57 +0100 | ||
2694 | |||
2695 | openssh (1:2.2.0p1-1.1) unstable; urgency=medium | ||
2696 | |||
2697 | * Non-Maintainer Upload | ||
2698 | * Check for new returns in the new libc | ||
2699 | (closes: #72803, #74393, #72797, #71307, #71702) | ||
2700 | * Link against libssl095a (closes: #66304) | ||
2701 | * Correct check for PermitRootLogin (closes: #69448) | ||
2702 | |||
2703 | -- Ryan Murray <rmurray@debian.org> Wed, 18 Oct 2000 00:48:18 -0700 | ||
2704 | |||
2705 | openssh (1:2.2.0p1-1) unstable; urgency=low | ||
2706 | |||
2707 | * New upstream release | ||
2708 | |||
2709 | -- Philip Hands <phil@hands.com> Mon, 11 Sep 2000 14:49:43 +0100 | ||
2710 | |||
2711 | openssh (1:2.1.1p4-3) unstable; urgency=low | ||
2712 | |||
2713 | * add rsh alternatives | ||
2714 | * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097) | ||
2715 | * do the IPV4_DEFAULT thing properly this time | ||
2716 | |||
2717 | -- Philip Hands <phil@hands.com> Fri, 11 Aug 2000 18:14:37 +0100 | ||
2718 | |||
2719 | openssh (1:2.1.1p4-2) unstable; urgency=low | ||
2720 | |||
2721 | * reinstate manpage .out patch from 1:1.2.3 | ||
2722 | * fix typo in postinst | ||
2723 | * only compile ssh with IPV4_DEFAULT | ||
2724 | * apply James Troup's patch to add a -o option to scp and updated manpage | ||
2725 | |||
2726 | -- Philip Hands <phil@hands.com> Sun, 30 Jul 2000 00:12:49 +0100 | ||
2727 | |||
2728 | openssh (1:2.1.1p4-1) unstable; urgency=low | ||
2729 | |||
2730 | * New upstream release | ||
2731 | |||
2732 | -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 14:46:16 +0100 | ||
2733 | |||
2734 | openssh (1:1.2.3-10) unstable; urgency=low | ||
2735 | |||
2736 | * add version to libpam-modules dependency, because old versions of | ||
2737 | pam_motd make it impossible to log in. | ||
2738 | |||
2739 | -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 13:28:22 +0100 | ||
2740 | |||
2741 | openssh (1:1.2.3-9) frozen unstable; urgency=low | ||
2742 | |||
2743 | * force location of /usr/bin/X11/xauth | ||
2744 | (closes: #64424, #66437, #66859) *RC* | ||
2745 | * typos in config (closes: #66779, #66780) | ||
2746 | * sshd_not_to_be_run could be assumed to be true, in error, if the config | ||
2747 | script died in an unusual way --- I've reversed this (closes: #66335) | ||
2748 | * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk | ||
2749 | (closes: #65981) | ||
2750 | * change default for PermitRootLogin to "no" (closes: #66406) | ||
2751 | |||
2752 | -- Philip Hands <phil@hands.com> Tue, 11 Jul 2000 20:51:18 +0100 | ||
2753 | |||
2754 | openssh (1:1.2.3-8) frozen unstable; urgency=low | ||
2755 | |||
2756 | * get rid of Provides: rsh-server (this will mean that rstartd | ||
2757 | will need to change it's depends to deal with #63948, which I'm | ||
2758 | reopening) (closes: #66257) | ||
2759 | Given that this is also a trivial change, and is a reversal of a | ||
2760 | change that was mistakenly made after the freeze, I think this should | ||
2761 | also go into frozen. | ||
2762 | |||
2763 | -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:26:30 +0100 | ||
2764 | |||
2765 | openssh (1:1.2.3-7) frozen unstable; urgency=low | ||
2766 | |||
2767 | * check if debconf is installed before calling db_stop in postinst. | ||
2768 | This is required to allow ssh to be installed when debconf is not | ||
2769 | wanted, which probably makes it an RC upload (hopefully the last of | ||
2770 | too many). | ||
2771 | |||
2772 | -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:19:47 +0100 | ||
2773 | |||
2774 | openssh (1:1.2.3-6) frozen unstable; urgency=low | ||
2775 | |||
2776 | * fixed depressing little bug involving a line wrap looking like | ||
2777 | a blank line in the templates file *RC* | ||
2778 | (closes: #66090, #66078, #66083, #66182) | ||
2779 | |||
2780 | -- Philip Hands <phil@hands.com> Mon, 26 Jun 2000 00:45:05 +0100 | ||
2781 | |||
2782 | openssh (1:1.2.3-5) frozen unstable; urgency=low | ||
2783 | |||
2784 | * add code to prevent UseLogin exploit, although I think our PAM | ||
2785 | conditional code breaks UseLogin in a way that protects us from this | ||
2786 | exploit anyway. ;-) (closes: #65495) *RC* | ||
2787 | * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard | ||
2788 | grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC* | ||
2789 | * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3) | ||
2790 | and use db_stop in the postinst to solve that problem instead | ||
2791 | (closes: #65104) | ||
2792 | * add Provides: rsh-server to ssh (closes: #63948) | ||
2793 | * provide config option not to run sshd | ||
2794 | |||
2795 | -- Philip Hands <phil@hands.com> Mon, 12 Jun 2000 23:05:11 +0100 | ||
2796 | |||
2797 | openssh (1:1.2.3-4) frozen unstable; urgency=low | ||
2798 | |||
2799 | * fixes #63436 which is *RC* | ||
2800 | * add 10 second pause in init.d restart (closes: #63844) | ||
2801 | * get rid of noenv in PAM mail line (closes: #63856) | ||
2802 | * fix host key path in make-ssh-known-hosts (closes: #63713) | ||
2803 | * change wording of SUID template (closes: #62788, #63436) | ||
2804 | |||
2805 | -- Philip Hands <phil@hands.com> Sat, 27 May 2000 11:18:06 +0100 | ||
2806 | |||
2807 | openssh (1:1.2.3-3) frozen unstable; urgency=low | ||
2808 | |||
2809 | * redirect sshd's file descriptors to /dev/null in init to | ||
2810 | prevent debconf from locking up during installation | ||
2811 | ** grave bug just submited by me ** | ||
2812 | |||
2813 | -- Philip Hands <phil@hands.com> Thu, 20 Apr 2000 17:10:59 +0100 | ||
2814 | |||
2815 | openssh (1:1.2.3-2) frozen unstable; urgency=low | ||
2816 | |||
2817 | * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC ** | ||
2818 | * suggest debconf | ||
2819 | * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst | ||
2820 | |||
2821 | -- Philip Hands <phil@hands.com> Wed, 19 Apr 2000 17:49:15 +0100 | ||
2822 | |||
2823 | openssh (1:1.2.3-1) frozen unstable; urgency=low | ||
2824 | |||
2825 | * New upstream release | ||
2826 | * patch sshd to create extra xauth key required for localhost | ||
2827 | (closes: #49944) *** RC *** | ||
2828 | * FallbacktoRsh now defaults to ``no'' to match impression | ||
2829 | given in sshd_config | ||
2830 | * stop setting suid bit on ssh (closes: #58711, #58558) | ||
2831 | This breaks Rhosts authentication (which nobody uses) and allows | ||
2832 | the LD_PRELOAD trick to get socks working, so seems like a net benefit. | ||
2833 | |||
2834 | -- Philip Hands <phil@hands.com> Thu, 13 Apr 2000 20:01:54 +0100 | ||
2835 | |||
2836 | openssh (1:1.2.2-1.4) frozen unstable; urgency=low | ||
2837 | |||
2838 | * Recompile for frozen, contains fix for RC bug. | ||
2839 | |||
2840 | -- Tommi Virtanen <tv@debian.org> Tue, 29 Feb 2000 22:14:58 +0200 | ||
2841 | |||
2842 | openssh (1:1.2.2-1.3) unstable; urgency=low | ||
2843 | |||
2844 | * Integrated man page addition for PrintLastLog. | ||
2845 | This bug was filed on "openssh", and I ended up | ||
2846 | creating my own patch for this (closes: #59054) | ||
2847 | * Improved error message when ssh_exchange_identification | ||
2848 | gets EOF (closes: #58904) | ||
2849 | * Fixed typo (your -> you're) in debian/preinst. | ||
2850 | * Added else-clauses to config to make this upgradepath possible: | ||
2851 | oldssh -> openssh preinst fails due to upgrade_to_openssh=false | ||
2852 | -> ssh-nonfree -> openssh. Without these, debconf remembered | ||
2853 | the old answer, config didn't force asking it, and preinst always | ||
2854 | aborted (closes: #56596, #57782) | ||
2855 | * Moved setting upgrade_to_openssh isdefault flag to the place | ||
2856 | where preinst would abort. This means no double question to most | ||
2857 | users, people who currently suffer from "can't upgrade" may need | ||
2858 | to run apt-get install ssh twice. Did not do the same for | ||
2859 | use_old_init_script, as the situation is a bit different, and | ||
2860 | less common (closes: #54010, #56224) | ||
2861 | * Check for existance of ssh-keygen before attempting to use it in | ||
2862 | preinst, added warning for non-existant ssh-keygen in config. This | ||
2863 | happens when the old ssh is removed (say, due to ssh-nonfree getting | ||
2864 | installed). | ||
2865 | |||
2866 | -- Tommi Virtanen <tv@debian.org> Sun, 27 Feb 2000 21:36:43 +0200 | ||
2867 | |||
2868 | openssh (1:1.2.2-1.2) frozen unstable; urgency=low | ||
2869 | |||
2870 | * Non-maintainer upload. | ||
2871 | * Added configuration option PrintLastLog, default off due to PAM | ||
2872 | (closes: #54007, #55042) | ||
2873 | * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's | ||
2874 | Suggests: line more accurate. Also closing related bugs fixed | ||
2875 | earlier, when default ssh-askpass moved to /usr/bin. | ||
2876 | (closes: #52403, #54741, #50607, #52298, #50967, #51661) | ||
2877 | * Patched to call vhangup, with autoconf detection and all | ||
2878 | (closes: #55379) | ||
2879 | * Added --with-ipv4-default workaround to a glibc bug causing | ||
2880 | slow DNS lookups, as per UPGRADING. Use -6 to really use | ||
2881 | IPv6 addresses. (closes: #57891, #58744, #58713, #57970) | ||
2882 | * Added noenv to PAM pam_mail line. Thanks to Ben Collins. | ||
2883 | (closes: #58429) | ||
2884 | * Added the UPGRADING file to the package. | ||
2885 | * Added frozen to the changelog line and recompiled before | ||
2886 | package was installed into the archive. | ||
2887 | |||
2888 | -- Tommi Virtanen <tv@debian.org> Fri, 25 Feb 2000 22:08:57 +0200 | ||
2889 | |||
2890 | openssh (1:1.2.2-1.1) frozen unstable; urgency=low | ||
2891 | |||
2892 | * Non-maintainer upload. | ||
2893 | * Integrated scp pipe buffer patch from Ben Collins | ||
2894 | <benc@debian.org>, should now work even if reading | ||
2895 | a pipe gives less than fstat st_blksize bytes. | ||
2896 | Should now work on Alpha and Sparc Linux (closes: #53697, #52071) | ||
2897 | * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393) | ||
2898 | * Integrated patch from Ben Collins <benc@debian.org> | ||
2899 | to do full shadow account locking and expiration | ||
2900 | checking (closes: #58165, #51747) | ||
2901 | |||
2902 | -- Tommi Virtanen <tv@debian.org> Tue, 22 Feb 2000 20:46:12 +0200 | ||
2903 | |||
2904 | openssh (1:1.2.2-1) frozen unstable; urgency=medium | ||
2905 | |||
2906 | * New upstream release (closes: #56870, #56346) | ||
2907 | * built against new libesd (closes: #56805) | ||
2908 | * add Colin Watson <cjw44@cam.ac.uk> =NULL patch | ||
2909 | (closes: #49902, #54894) | ||
2910 | * use socketpairs as suggested by Andrew Tridgell to eliminate rsync | ||
2911 | (and other) lockups | ||
2912 | * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/ | ||
2913 | (closes: #49902, #55872, #56959) | ||
2914 | * uncoment the * line in ssh_config (closes: #56444) | ||
2915 | |||
2916 | * #54894 & #49902 are release critical, so this should go in frozen | ||
2917 | |||
2918 | -- Philip Hands <phil@hands.com> Wed, 9 Feb 2000 04:52:04 +0000 | ||
2919 | |||
2920 | openssh (1:1.2.1pre24-1) unstable; urgency=low | ||
2921 | |||
2922 | * New upstream release | ||
2923 | |||
2924 | -- Philip Hands <phil@hands.com> Fri, 31 Dec 1999 02:47:24 +0000 | ||
2925 | |||
2926 | openssh (1:1.2.1pre23-1) unstable; urgency=low | ||
2927 | |||
2928 | * New upstream release | ||
2929 | * excape ? in /etc/init.d/ssh (closes: #53269) | ||
2930 | |||
2931 | -- Philip Hands <phil@hands.com> Wed, 29 Dec 1999 16:50:46 +0000 | ||
2932 | |||
2933 | openssh (1:1.2pre17-1) unstable; urgency=low | ||
2934 | |||
2935 | * New upstream release | ||
2936 | |||
2937 | -- Philip Hands <phil@hands.com> Thu, 9 Dec 1999 16:50:40 +0000 | ||
2938 | |||
2939 | openssh (1:1.2pre16-1) unstable; urgency=low | ||
2940 | |||
2941 | * New upstream release | ||
2942 | * upstream release (1.2pre14) (closes: #50299) | ||
2943 | * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776) | ||
2944 | * dispose of grep -q broken pipe message in config script (closes: #50855) | ||
2945 | * add make-ssh-known-hosts (closes: #50660) | ||
2946 | * add -i option to ssh-copy-id (closes: #50657) | ||
2947 | * add check for *LK* in password, indicating a locked account | ||
2948 | |||
2949 | -- Philip Hands <phil@hands.com> Wed, 8 Dec 1999 22:59:38 +0000 | ||
2950 | |||
2951 | openssh (1:1.2pre13-1) unstable; urgency=low | ||
2952 | |||
2953 | * New upstream release | ||
2954 | * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules | ||
2955 | * remove duplicate line in /etc/pam.d/ssh (closes: #50310) | ||
2956 | * mention ssh -A option in ssh.1 & ssh_config | ||
2957 | * enable forwarding to localhost in default ssh_config (closes: #50373) | ||
2958 | * tweak preinst to deal with debconf being `unpacked' | ||
2959 | * use --with-tcp-wrappers (closes: #49545) | ||
2960 | |||
2961 | -- Philip Hands <phil@hands.com> Sat, 20 Nov 1999 14:20:04 +0000 | ||
2962 | |||
2963 | openssh (1:1.2pre11-2) unstable; urgency=low | ||
2964 | |||
2965 | * oops, just realised that I forgot to strip out the unpleasant | ||
2966 | fiddling mentioned below (which turned not to be a fix anyway) | ||
2967 | |||
2968 | -- Philip Hands <phil@hands.com> Mon, 15 Nov 1999 01:35:23 +0000 | ||
2969 | |||
2970 | openssh (1:1.2pre11-1) unstable; urgency=low | ||
2971 | |||
2972 | * New upstream release (closes: #49722) | ||
2973 | * add 2>/dev/null to dispose of spurious message casused by grep -q | ||
2974 | (closes: #49876, #49604) | ||
2975 | * fix typo in debian/control (closes: #49841) | ||
2976 | * Do some unpleasant fiddling with upgraded keys in the preinst, which | ||
2977 | should make the keylength problem go away. (closes: #49676) | ||
2978 | * make pam_start in sshd use ``ssh'' as the service name (closes: #49956) | ||
2979 | * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107) | ||
2980 | * apply Ben Collins <bcollins@debian.org>'s shadow patch | ||
2981 | * disable lastlogin and motd printing if using pam (closes: #49957) | ||
2982 | * add ssh-copy-id script and manpage | ||
2983 | |||
2984 | -- Philip Hands <phil@hands.com> Fri, 12 Nov 1999 01:03:38 +0000 | ||
2985 | |||
2986 | openssh (1:1.2pre9-1) unstable; urgency=low | ||
2987 | |||
2988 | * New upstream release | ||
2989 | * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch | ||
2990 | to channels.c, to make forwarded ports instantly reusable | ||
2991 | * replace Pre-Depend: debconf with some check code in preinst | ||
2992 | * make the ssh-add ssh-askpass failure message more helpful | ||
2993 | * fix the ssh-agent getopts bug (closes: #49426) | ||
2994 | * fixed typo on Suggests: line (closes: #49704, #49571) | ||
2995 | * tidy up ssh package description (closes: #49642) | ||
2996 | * make ssh suid (closes: #49635) | ||
2997 | * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606) | ||
2998 | * disable agent forwarding by default, for the similar reasons as | ||
2999 | X forwarding (closes: #49586) | ||
3000 | |||
3001 | -- Philip Hands <phil@hands.com> Tue, 9 Nov 1999 09:57:47 +0000 | ||
3002 | |||
3003 | openssh (1:1.2pre7-4) unstable; urgency=low | ||
3004 | |||
3005 | * predepend on debconf (>= 0.2.17) should now allow preinst questions | ||
3006 | |||
3007 | -- Philip Hands <phil@hands.com> Sat, 6 Nov 1999 10:31:06 +0000 | ||
3008 | |||
3009 | openssh (1:1.2pre7-3) unstable; urgency=low | ||
3010 | |||
3011 | * add ssh-askpass package using Tommi Virtanen's perl-tk script | ||
3012 | * add ssh-preconfig package cludge | ||
3013 | * add usage hints to ssh-agent.1 | ||
3014 | |||
3015 | -- Philip Hands <phil@hands.com> Fri, 5 Nov 1999 00:38:33 +0000 | ||
3016 | |||
3017 | openssh (1:1.2pre7-2) unstable; urgency=low | ||
3018 | |||
3019 | * use pam patch from Ben Collins <bcollins@debian.org> | ||
3020 | * add slogin symlink to Makefile.in | ||
3021 | * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login | ||
3022 | * sort out debconf usage | ||
3023 | * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass | ||
3024 | |||
3025 | -- Philip Hands <phil@hands.com> Thu, 4 Nov 1999 11:08:54 +0000 | ||
3026 | |||
3027 | openssh (1:1.2pre7-1) unstable; urgency=low | ||
3028 | |||
3029 | * New upstream release | ||
3030 | |||
3031 | -- Philip Hands <phil@hands.com> Tue, 2 Nov 1999 21:02:37 +0000 | ||
3032 | |||
3033 | openssh (1:1.2.0.pre6db1-2) unstable; urgency=low | ||
3034 | |||
3035 | * change the binary package name to ssh (the non-free branch of ssh has | ||
3036 | been renamed to ssh-nonfree) | ||
3037 | * make pam file comply with Debian standards | ||
3038 | * use an epoch to make sure openssh supercedes ssh-nonfree | ||
3039 | |||
3040 | -- Philip Hands <phil@hands.com> Sat, 30 Oct 1999 16:26:05 +0100 | ||
3041 | |||
3042 | openssh (1.2pre6db1-1) unstable; urgency=low | ||
3043 | |||
3044 | * New upstream source | ||
3045 | * sshd accepts logins now! | ||
3046 | |||
3047 | -- Dan Brosemer <odin@linuxfreak.com> Fri, 29 Oct 1999 11:13:38 -0500 | ||
3048 | |||
3049 | openssh (1.2.0.19991028-1) unstable; urgency=low | ||
3050 | |||
3051 | * New upstream source | ||
3052 | * Added test for -lnsl to configure script | ||
3053 | |||
3054 | -- Dan Brosemer <odin@linuxfreak.com> Thu, 28 Oct 1999 18:52:09 -0500 | ||
3055 | |||
3056 | openssh (1.2.0.19991027-3) unstable; urgency=low | ||
3057 | |||
3058 | * Initial release | ||
3059 | |||
3060 | -- Dan Brosemer <odin@linuxfreak.com> Wed, 27 Oct 1999 19:39:46 -0500 | ||
diff --git a/debian/clean b/debian/clean new file mode 100644 index 000000000..5da17f8eb --- /dev/null +++ b/debian/clean | |||
@@ -0,0 +1 @@ | |||
config.log | |||
diff --git a/debian/compat b/debian/compat new file mode 100644 index 000000000..7f8f011eb --- /dev/null +++ b/debian/compat | |||
@@ -0,0 +1 @@ | |||
7 | |||
diff --git a/debian/control b/debian/control new file mode 100644 index 000000000..176272b9a --- /dev/null +++ b/debian/control | |||
@@ -0,0 +1,133 @@ | |||
1 | Source: openssh | ||
2 | Section: net | ||
3 | Priority: standard | ||
4 | Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> | ||
5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.4.2~), libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 m68k mips mipsel powerpc ppc64 s390 sh4 sparc], libkrb5-dev | heimdal-dev, hardening-includes | ||
6 | Standards-Version: 3.8.4 | ||
7 | Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org> | ||
8 | Homepage: http://www.openssh.org/ | ||
9 | Vcs-Bzr: http://bzr.debian.org/pkg-ssh/openssh/trunk | ||
10 | Vcs-Browser: http://bzr.debian.org/loggerhead/pkg-ssh/openssh/trunk | ||
11 | |||
12 | Package: openssh-client | ||
13 | Architecture: any | ||
14 | Depends: ${shlibs:Depends}, ${misc:Depends}, debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd, libssl0.9.8 (>= 0.9.8g-9) | ||
15 | Recommends: xauth, openssh-blacklist, openssh-blacklist-extra | ||
16 | Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) | ||
17 | Replaces: ssh, ssh-krb5 | ||
18 | Suggests: ssh-askpass, libpam-ssh, keychain | ||
19 | Provides: rsh-client, ssh-client | ||
20 | Description: secure shell (SSH) client, for secure access to remote machines | ||
21 | This is the portable version of OpenSSH, a free implementation of | ||
22 | the Secure Shell protocol as specified by the IETF secsh working | ||
23 | group. | ||
24 | . | ||
25 | Ssh (Secure Shell) is a program for logging into a remote machine | ||
26 | and for executing commands on a remote machine. | ||
27 | It provides secure encrypted communications between two untrusted | ||
28 | hosts over an insecure network. X11 connections and arbitrary TCP/IP | ||
29 | ports can also be forwarded over the secure channel. | ||
30 | It can be used to provide applications with a secure communication | ||
31 | channel. | ||
32 | . | ||
33 | This package provides the ssh, scp and sftp clients, the ssh-agent | ||
34 | and ssh-add programs to make public key authentication more convenient, | ||
35 | and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities. | ||
36 | . | ||
37 | In some countries it may be illegal to use any encryption at all | ||
38 | without a special permit. | ||
39 | . | ||
40 | ssh replaces the insecure rsh, rcp and rlogin programs, which are | ||
41 | obsolete for most purposes. | ||
42 | |||
43 | Package: openssh-server | ||
44 | Priority: optional | ||
45 | Architecture: any | ||
46 | Depends: ${shlibs:Depends}, ${misc:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.2-13), libssl0.9.8 (>= 0.9.8g-9), openssh-blacklist, procps | ||
47 | Recommends: xauth, openssh-blacklist-extra | ||
48 | Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) | ||
49 | Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5 | ||
50 | Suggests: ssh-askpass, rssh, molly-guard, ufw | ||
51 | Provides: ssh-server | ||
52 | Description: secure shell (SSH) server, for secure access from remote machines | ||
53 | This is the portable version of OpenSSH, a free implementation of | ||
54 | the Secure Shell protocol as specified by the IETF secsh working | ||
55 | group. | ||
56 | . | ||
57 | Ssh (Secure Shell) is a program for logging into a remote machine | ||
58 | and for executing commands on a remote machine. | ||
59 | It provides secure encrypted communications between two untrusted | ||
60 | hosts over an insecure network. X11 connections and arbitrary TCP/IP | ||
61 | ports can also be forwarded over the secure channel. | ||
62 | It can be used to provide applications with a secure communication | ||
63 | channel. | ||
64 | . | ||
65 | This package provides the sshd server. | ||
66 | . | ||
67 | In some countries it may be illegal to use any encryption at all | ||
68 | without a special permit. | ||
69 | . | ||
70 | sshd replaces the insecure rshd program, which is obsolete for most | ||
71 | purposes. | ||
72 | |||
73 | Package: ssh | ||
74 | Priority: extra | ||
75 | Architecture: all | ||
76 | Depends: ${misc:Depends}, openssh-client, openssh-server | ||
77 | Description: secure shell client and server (metapackage) | ||
78 | This metapackage is a convenient way to install both the OpenSSH client | ||
79 | and the OpenSSH server. It provides nothing in and of itself, so you | ||
80 | may remove it if nothing depends on it. | ||
81 | |||
82 | Package: ssh-krb5 | ||
83 | Priority: extra | ||
84 | Architecture: all | ||
85 | Depends: ${misc:Depends}, openssh-client, openssh-server | ||
86 | Description: secure shell client and server (transitional package) | ||
87 | This is a transitional package depending on the regular Debian OpenSSH | ||
88 | client and server, which now support GSSAPI natively. It will add the | ||
89 | necessary GSSAPI options to the server configuration file. You can | ||
90 | remove it once the upgrade is complete and nothing depends on it. | ||
91 | |||
92 | Package: ssh-askpass-gnome | ||
93 | Section: gnome | ||
94 | Priority: optional | ||
95 | Architecture: any | ||
96 | Depends: ${shlibs:Depends}, ${misc:Depends}, openssh-client | ssh (>= 1:1.2pre7-4) | ssh-krb5 | ||
97 | Replaces: ssh (<< 1:3.5p1-3) | ||
98 | Provides: ssh-askpass | ||
99 | Description: interactive X program to prompt users for a passphrase for ssh-add | ||
100 | This has been split out of the main openssh-client package so that | ||
101 | openssh-client does not need to depend on GTK+. | ||
102 | . | ||
103 | You probably want the ssh-askpass package instead, but this is | ||
104 | provided to add to your choice and/or confusion. | ||
105 | |||
106 | Package: openssh-client-udeb | ||
107 | XC-Package-Type: udeb | ||
108 | Section: debian-installer | ||
109 | Priority: optional | ||
110 | Architecture: any | ||
111 | Depends: ${shlibs:Depends}, libnss-files-udeb, libcrypto0.9.8-udeb (>= 0.9.8g-9) | ||
112 | XB-Installer-Menu-Item: 99999 | ||
113 | Description: secure shell client for the Debian installer | ||
114 | This is the portable version of OpenSSH, a free implementation of | ||
115 | the Secure Shell protocol as specified by the IETF secsh working | ||
116 | group. | ||
117 | . | ||
118 | This package provides the ssh client for use in debian-installer. | ||
119 | |||
120 | Package: openssh-server-udeb | ||
121 | XC-Package-Type: udeb | ||
122 | Section: debian-installer | ||
123 | Priority: optional | ||
124 | Architecture: any | ||
125 | Depends: ${shlibs:Depends}, libnss-files-udeb, libcrypto0.9.8-udeb (>= 0.9.8g-9) | ||
126 | Description: secure shell server for the Debian installer | ||
127 | This is the portable version of OpenSSH, a free implementation of | ||
128 | the Secure Shell protocol as specified by the IETF secsh working | ||
129 | group. | ||
130 | . | ||
131 | This package provides the sshd server for use in debian-installer. | ||
132 | Since it is expected to be used in specialized situations (e.g. S/390 | ||
133 | installs with no console), it does not provide any configuration. | ||
diff --git a/debian/copyright.head b/debian/copyright.head new file mode 100644 index 000000000..311a06a7e --- /dev/null +++ b/debian/copyright.head | |||
@@ -0,0 +1,52 @@ | |||
1 | This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999 | ||
2 | (with help from Dan Brosemer <odin@linuxfreak.com>) | ||
3 | |||
4 | It was downloaded from here: | ||
5 | ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz | ||
6 | |||
7 | worldwide mirrors are listed here: | ||
8 | http://www.openssh.com/ftp.html | ||
9 | |||
10 | The Debian specific parts of the package are mostly taken from the | ||
11 | original ssh package, which has since been renamed as ssh-nonfree. | ||
12 | |||
13 | The Debian patch is distributed under the terms of the GPL, which you | ||
14 | can find in /usr/share/common-licenses/GPL. | ||
15 | |||
16 | In addition, as a special exception, Matthew Vernon gives permission | ||
17 | to link the code of the Debian patch with any version of the OpenSSH | ||
18 | code which is distributed under a license identical to that listed in | ||
19 | the included Copyright file, and distribute linked combinations | ||
20 | including the two. You must obey the GNU General Public License in | ||
21 | all respects for all of the code used other than OpenSSH. If you | ||
22 | modify this file, you may extend this exception to your version of the | ||
23 | file, but you are not obligated to do so. If you do not wish to do | ||
24 | so, delete this exception statement from your version. | ||
25 | |||
26 | The upstream source for this package is a combination of the ssh | ||
27 | branch that is being maintained by the OpenBSD team (starting from | ||
28 | the last version of SSH that was distributed under a free license), | ||
29 | and porting work by Damien Miller <damien@ibs.com.au> to get it | ||
30 | working on Linux. Other people also contributed to this, and are | ||
31 | credited in /usr/share/doc/ssh/README. | ||
32 | |||
33 | This package contains Kerberos version 5 patches from | ||
34 | http://www.sxw.org.uk/computing/patches/openssh.html; this is Copyright | ||
35 | (c) 2001-2009 Simon Wilkinson and provided under the standard 2-term BSD | ||
36 | licence used elsewhere in OpenSSH. | ||
37 | |||
38 | Copyright: | ||
39 | |||
40 | Code in helper.[ch] is Copyright Internet Business Solutions and is | ||
41 | released under a X11-style license (see source file for details). | ||
42 | |||
43 | (A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a | ||
44 | X11-style license (see source file for details). | ||
45 | |||
46 | make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>, | ||
47 | and is distributed under the GPL (see source file for details). | ||
48 | |||
49 | The copyright for the original SSH version follows. It has been | ||
50 | modified with [comments] to reflect the changes that the OpenBSD folks | ||
51 | have made: | ||
52 | |||
diff --git a/debian/faq.html b/debian/faq.html new file mode 100644 index 000000000..812234d2f --- /dev/null +++ b/debian/faq.html | |||
@@ -0,0 +1,1182 @@ | |||
1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> | ||
2 | <html> | ||
3 | <head> | ||
4 | <title>OpenSSH FAQ</title> | ||
5 | <link rev= "made" href= "mailto:www@openbsd.org"> | ||
6 | <meta name= "resource-type" content= "document"> | ||
7 | <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> | ||
8 | <meta name= "description" content= "the OpenSSH FAQ page"> | ||
9 | <meta name= "keywords" content= "OpenSSH,SSH,Secure Shell,faq"> | ||
10 | <meta name= "distribution" content= "global"> | ||
11 | <meta name= "copyright" content= "This document copyright 1999-2005 OpenBSD."> | ||
12 | </head> | ||
13 | |||
14 | <body bgcolor= "#ffffff" text= "#000000" link= "#23238E"> | ||
15 | <a href="http://www.openssh.org/index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a> | ||
16 | <p> | ||
17 | |||
18 | <h1>OpenSSH FAQ (Frequently asked questions)</h1> | ||
19 | |||
20 | <strong>Date: 2005/09/20</strong> | ||
21 | |||
22 | <hr> | ||
23 | |||
24 | <blockquote> | ||
25 | <h3><a href= "#1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></h3> | ||
26 | <ul> | ||
27 | <li><a href= "#1.1">1.1 - What is OpenSSH and where can I download it?</a> | ||
28 | <li><a href= "#1.2">1.2 - Why should it be used?</a> | ||
29 | <li><a href= "#1.3">1.3 - What Operating Systems are supported?</a> | ||
30 | <li><a href= "#1.4">1.4 - What about copyright, usage and patents?</a> | ||
31 | <li><a href= "#1.5">1.5 - Where should I ask for help?</a> | ||
32 | <li><a href= "#1.6">1.6 - I have found a bug. Where do I report it?</a> | ||
33 | </ul> | ||
34 | |||
35 | <h3><a href= "#2.0">2.0 - General Questions</a></h3> | ||
36 | <ul> | ||
37 | <li><a href= "#2.1">2.1 - Why does ssh/scp make connections from low-numbered ports. My firewall blocks these.</a> | ||
38 | <li><a href= "#2.2">2.2 - Why is the ssh client setuid root?</a> | ||
39 | <li><a href= "#2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a> | ||
40 | <li><a href= "#2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a> | ||
41 | <li><a href= "#2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a> | ||
42 | <li><a href= "#2.6">2.6 - What are these warning messages about key lengths?</a> | ||
43 | <li><a href= "#2.7">2.7 - X11 and/or agent forwarding does not work.</a> | ||
44 | <li><a href= "#2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a> | ||
45 | <li><a href= "#2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a> | ||
46 | <li><a href= "#2.10">2.10 - Will you add [foo] to scp?</a> | ||
47 | <li><a href= "#2.11">2.11 - How do I use port forwarding?</a> | ||
48 | <li><a href= "#2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a> | ||
49 | <li><a href= "#2.13">2.13 - How do I use scp to copy a file with a colon in it?</a> | ||
50 | <li><a href= "#2.14">2.14 - Why does OpenSSH report its version to clients?</a> | ||
51 | </ul> | ||
52 | |||
53 | <h3><a href= "#3.0">3.0 - Portable OpenSSH Questions</a></h3> | ||
54 | <ul> | ||
55 | <li><a href= "#3.1">3.1 - Spurious PAM authentication messages in logfiles.</a> | ||
56 | <li><a href= "#3.2">3.2 - Empty passwords not allowed with PAM authentication.</a> | ||
57 | <li><a href= "#3.3">3.3 - ssh(1) takes a long time to connect or log in</a> | ||
58 | <li><a href= "#3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a> | ||
59 | <li><a href= "#3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat Linux 6.x)</a> | ||
60 | <li><a href= "#3.6">3.6 - Configure or sshd(8) complain about lack of RSA support</a> | ||
61 | <li><a href= "#3.7">3.7 - "scp: command not found" errors</a> | ||
62 | <li><a href= "#3.8">3.8 - Unable to read passphrase</a> | ||
63 | <li><a href= "#3.9">3.9 - 'configure' missing or make fails</a> | ||
64 | <li><a href= "#3.10">3.10 - Hangs when exiting ssh</a> | ||
65 | <li><a href= "#3.11">3.11 - Why does ssh hang on exit?</a> | ||
66 | <li><a href= "#3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 forwarding stopped working.</a> | ||
67 | <li><a href= "#3.13">3.13 - I upgraded to OpenSSH 3.8 and some X11 programs stopped working.</a> | ||
68 | <li><a href= "#3.14">3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.</a> | ||
69 | <li><a href= "#3.15">3.15 - OpenSSH versions and PAM behaviour.</a> | ||
70 | <li><a href= "#3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users logged in via ssh?</a> | ||
71 | </ul> | ||
72 | |||
73 | </blockquote> | ||
74 | |||
75 | <hr> | ||
76 | |||
77 | <h2><u><a name= "1.0">1.0 - What Is OpenSSH and Where Can I Get It?</a></u></h2> | ||
78 | |||
79 | <h2><a name= "1.1">1.1 - What is OpenSSH and where can I download it?</a></h2> | ||
80 | |||
81 | <p> | ||
82 | OpenSSH is a <b>FREE</b> version of the SSH suite of network connectivity | ||
83 | tools that increasing numbers of people on the Internet are coming to | ||
84 | rely on. Many users of telnet, rlogin, ftp, and other such programs might | ||
85 | not realize that their password is transmitted across the Internet | ||
86 | unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) | ||
87 | to effectively eliminate eavesdropping, connection hijacking, | ||
88 | and other network-level attacks. | ||
89 | |||
90 | <p> | ||
91 | The OpenSSH suite includes the | ||
92 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> | ||
93 | program which replaces rlogin and telnet, and | ||
94 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> | ||
95 | which replaces | ||
96 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rcp&sektion=1">rcp(1)</a> and | ||
97 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp&sektion=1">ftp(1)</a>. | ||
98 | OpenSSH has also added | ||
99 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> and | ||
100 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> | ||
101 | which implement an easier solution for file-transfer. This is based upon the | ||
102 | <a href="http://www.openssh.org/txt/draft-ietf-secsh-filexfer-02.txt">secsh-filexfer</a> IETF draft. | ||
103 | |||
104 | |||
105 | <p><strong>OpenSSH consists of a number of programs.</strong> | ||
106 | |||
107 | <ul> | ||
108 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> - Server program run on the server machine. This listens for connections from client machines, and whenever it receives a connection, it performs authentication and starts serving the client. | ||
109 | Its behaviour is controlled by the config file <i><a | ||
110 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5"> | ||
111 | sshd_config(5)</a></i>. | ||
112 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> - This is the client program used to log into another machine or to execute commands on the other machine. <i>slogin</i> is another name for this program. | ||
113 | Its behaviour is controlled by the global config file <i><a | ||
114 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5"> | ||
115 | ssh_config(5)</a></i> and individual users' <i>$HOME/.ssh/config</i> files. | ||
116 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> - Securely copies files from one machine to another. | ||
117 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> - Used to create Pubkey Authentication (RSA or DSA) keys (host keys and user authentication keys). | ||
118 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> - Authentication agent. This can be used to hold RSA keys for authentication. | ||
119 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a> - Used to register new keys with the agent. | ||
120 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> - SFTP server subsystem. | ||
121 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> - Secure file transfer program. | ||
122 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> - gather ssh public keys. | ||
123 | <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a> - ssh helper program for hostbased authentication. | ||
124 | </ul> | ||
125 | |||
126 | <h3>Downloading</h3> | ||
127 | |||
128 | <p> | ||
129 | OpenSSH comes in two downloadable distributions: the native <a | ||
130 | href="http://www.openssh.org/openbsd.html">OpenBSD</a> distribution and the multi-platform | ||
131 | <a href="http://www.openssh.org/portable.html">Portable</a> distribution. If you want | ||
132 | OpenSSH for a recent OpenBSD or integration into a product, you | ||
133 | probably want the <a href="http://www.openssh.org/openbsd.html">OpenBSD</a> distribution. | ||
134 | If you want OpenSSH for another platform, or an older OpenBSD, you | ||
135 | probably want the <a href="http://www.openssh.org/portable.html">Portable</a> distribution. | ||
136 | |||
137 | <p> | ||
138 | When downloading, please use a <a href="http://www.openssh.org/portable.html#mirrors">mirror</a> | ||
139 | near you. | ||
140 | |||
141 | <h2><a name= "1.2">1.2 - Why should it be used?</a></h2> | ||
142 | |||
143 | <p> | ||
144 | OpenSSH is a suite of tools to help secure your network | ||
145 | connections. Here is a list of features: | ||
146 | |||
147 | |||
148 | <ul> | ||
149 | <li>Strong authentication. Closes several security holes (e.g., IP, routing, and DNS spoofing). | ||
150 | <li>Improved privacy. All communications are automatically and transparently encrypted. | ||
151 | <li>Secure X11 sessions. The program automatically sets DISPLAY on the server machine, and forwards any X11 connections over the secure channel. | ||
152 | <li>Arbitrary TCP/IP ports can be redirected through the encrypted channel in both directions (e.g., for e-cash transactions). | ||
153 | <li>No retraining needed for normal users. | ||
154 | <li>Never trusts the network. Minimal trust on the remote side of the connection. Minimal trust on domain name servers. Pure RSA authentication never trusts anything but the private key. | ||
155 | <li>Client RSA-authenticates the server machine in the beginning of every connection to prevent trojan horses (by routing or DNS spoofing) and man-in-the-middle attacks, and the server RSA-authenticates the client machine before accepting <i>.rhosts</i> or <i>/etc/hosts.equiv</i> authentication (to prevent DNS, routing, or IP-spoofing). | ||
156 | <li>Host authentication key distribution can be centrally by the administration, automatically when the first connection is made to a machine. | ||
157 | <li>Any user can create any number of user authentication RSA keys for his/her own use. | ||
158 | <li>The server program has its own server RSA key which is automatically regenerated every hour. | ||
159 | <li>An authentication agent, running in the user's laptop or local workstation, can be used to hold the user's RSA authentication keys. | ||
160 | <li>The software can be installed and used (with restricted functionality) even without root privileges. | ||
161 | <li>The client is customizable in system-wide and per-user configuration files. | ||
162 | <li>Optional compression of all data with gzip (including forwarded X11 and TCP/IP port data), which may result in significant speedups on slow connections. | ||
163 | <li>Complete replacement for rlogin, rsh, and rcp. | ||
164 | </ul> | ||
165 | |||
166 | <p> | ||
167 | Currently, almost all communications in computer networks are done | ||
168 | without encryption. As a consequence, anyone who has access to any | ||
169 | machine connected to the network can listen in on any communication. | ||
170 | This is being done by hackers, curious administrators, employers, | ||
171 | criminals, industrial spies, and governments. Some networks leak off | ||
172 | enough electromagnetic radiation that data may be captured even from a | ||
173 | distance. | ||
174 | |||
175 | |||
176 | <p> | ||
177 | When you log in, your password goes in the network in plain | ||
178 | text. Thus, any listener can then use your account to do any evil he | ||
179 | likes. Many incidents have been encountered worldwide where crackers | ||
180 | have started programs on workstations without the owner's knowledge | ||
181 | just to listen to the network and collect passwords. Programs for | ||
182 | doing this are available on the Internet, or can be built by a | ||
183 | competent programmer in a few hours. | ||
184 | |||
185 | |||
186 | <p> | ||
187 | Businesses have trade secrets, patent applications in preparation, | ||
188 | pricing information, subcontractor information, client data, personnel | ||
189 | data, financial information, etc. Currently, anyone with access to | ||
190 | the network (any machine on the network) can listen to anything that | ||
191 | goes in the network, without any regard to normal access restrictions. | ||
192 | |||
193 | |||
194 | <p> | ||
195 | Many companies are not aware that information can so easily be | ||
196 | recovered from the network. They trust that their data is safe | ||
197 | since nobody is supposed to know that there is sensitive information | ||
198 | in the network, or because so much other data is transferred in the | ||
199 | network. This is not a safe policy. | ||
200 | |||
201 | |||
202 | <h2><a name= "1.3">1.3 - What operating systems are supported?</a></h2> | ||
203 | |||
204 | <p> | ||
205 | Even though OpenSSH is developed on | ||
206 | <a href="http://www.openbsd.org/">OpenBSD</a> a wide variety of | ||
207 | ports to other operating systems exist. The portable version of OpenSSH | ||
208 | is headed by <a href="mailto:djm@openbsd.org">Damien Miller</a>. | ||
209 | For a quick overview of the portable version of OpenSSH see | ||
210 | <a href="http://www.openssh.org/portable.html">OpenSSH Portable Release</a>. | ||
211 | Currently, the supported operating systems are: | ||
212 | |||
213 | |||
214 | <ul> | ||
215 | <li>OpenBSD | ||
216 | <li>NetBSD | ||
217 | <li>FreeBSD | ||
218 | <li>AIX | ||
219 | <li>HP-UX | ||
220 | <li>IRIX | ||
221 | <li>Linux | ||
222 | <li>NeXT | ||
223 | <li>SCO | ||
224 | <li>SNI/Reliant Unix | ||
225 | <li>Solaris | ||
226 | <li>Digital Unix/Tru64/OSF | ||
227 | <li>Mac OS X | ||
228 | <li>Cygwin | ||
229 | </ul> | ||
230 | |||
231 | <p> | ||
232 | A list of vendors that include OpenSSH in their distributions | ||
233 | is located in the <a href="http://www.openssh.org/users.html">OpenSSH Users page</a>. | ||
234 | |||
235 | <h2><a name= "1.4">1.4 - What about copyrights, usage and patents?</a></h2> | ||
236 | <p> | ||
237 | The OpenSSH developers have tried very hard to keep OpenSSH free of any | ||
238 | patent or copyright problems. To do this, some options had to be | ||
239 | stripped from OpenSSH. Namely support for patented algorithms. | ||
240 | |||
241 | <p> | ||
242 | OpenSSH does not support any patented transport algorithms. In SSH1 mode, | ||
243 | only 3DES and Blowfish are available options. In SSH2 mode, only 3DES, | ||
244 | Blowfish, CAST128, Arcfour and AES can be selected. | ||
245 | The patented IDEA algorithm is not supported. | ||
246 | |||
247 | <p> | ||
248 | OpenSSH provides support for both SSH1 and SSH2 protocols. | ||
249 | |||
250 | <p> | ||
251 | Since the RSA patent has expired, there are no restrictions on the use | ||
252 | of RSA algorithm using software, including OpenBSD. | ||
253 | |||
254 | <h2><a name= "1.5">1.5 - Where should I ask for help?</a></h2> | ||
255 | <p> | ||
256 | There are many places to turn to for help. In addition to the main | ||
257 | <a href="http://www.openssh.org/index.html">OpenSSH website</a>, | ||
258 | there are many mailing lists to try. Before trying any mailing lists, | ||
259 | please search through all mailing list archives to see if your question | ||
260 | has already been answered. The OpenSSH Mailing List has been archived and | ||
261 | put in searchable form and can be found at | ||
262 | <a href="http://marc.info/?l=openssh-unix-dev&r=1&w=2">marc.info</a>. | ||
263 | |||
264 | <p> | ||
265 | For more information on subscribing to OpenSSH related mailing lists, | ||
266 | please see <a href="http://www.openssh.org/list.html">OpenSSH Mailing lists</a>. | ||
267 | |||
268 | <h2><a name= "1.6">1.6 - I have found a bug. Where do I report it?</a></h2> | ||
269 | <p> | ||
270 | Information about submitting bug reports can be found at the OpenSSH | ||
271 | <a href="http://www.openssh.org/report.html">Reporting bugs</a> page. | ||
272 | <p> | ||
273 | If you wish to report a security bug, please contact the private developers | ||
274 | list <<a href="mailto:openssh@openssh.com">openssh@openssh.com</a>>. | ||
275 | |||
276 | <h2><u><a name= "2.0">2.0 - General Questions</a></u></h2> | ||
277 | |||
278 | <h2><a name= "2.1">2.1 - Why does ssh/scp make connections from low-numbered ports.</a></h2> | ||
279 | <p> | ||
280 | The OpenSSH client uses low numbered ports for rhosts and rhosts-rsa | ||
281 | authentication because the server needs to trust the username provided by | ||
282 | the client. To get around this, you can add the below example to your | ||
283 | <i>ssh_config</i> or <i>~/.ssh/config</i> file. | ||
284 | |||
285 | |||
286 | <blockquote> | ||
287 | <table border=0 width="800"> | ||
288 | <tr> | ||
289 | <td nowrap bgcolor="#EEEEEE"> | ||
290 | <b>UsePrivilegedPort no</b> | ||
291 | </td> | ||
292 | </tr> | ||
293 | </table> | ||
294 | </blockquote> | ||
295 | |||
296 | <p> | ||
297 | Or you can specify this option on the command line, using the <b>-o</b> | ||
298 | option to | ||
299 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> command. | ||
300 | |||
301 | <blockquote> | ||
302 | <table border=0 width="800"> | ||
303 | <tr> | ||
304 | <td nowrap bgcolor="#EEEEEE"> | ||
305 | $ <b>ssh -o "UsePrivilegedPort no" host.com</b> | ||
306 | </td> | ||
307 | </tr> | ||
308 | </table> | ||
309 | </blockquote> | ||
310 | |||
311 | <h2><a name= "2.2">2.2 - Why is the ssh client setuid root?</a></h2> | ||
312 | |||
313 | <p> | ||
314 | In conjunction with the previous question, (<a href="#2.1">2.1</a>) | ||
315 | OpenSSH needs root authority to be able to bind to low-numbered ports to | ||
316 | facilitate <i>rhosts authentication</i>. | ||
317 | A privileged port is also required for rhosts-rsa authentication to older | ||
318 | SSH releases. | ||
319 | |||
320 | <p> | ||
321 | Additionally, for both <i>rhosts-rsa authentication</i> (in protocol | ||
322 | version 1) and <i>hostbased authentication</i> (in protocol version 2) | ||
323 | the ssh client needs to access the <i>private host key</i> in order to | ||
324 | authenticate the client machine to the server. | ||
325 | OpenSSH versions prior to 3.3 required the <code>ssh</code> binary to be | ||
326 | setuid root to enable this, and you may safely remove it if you don't | ||
327 | want to use these authentication methods. | ||
328 | |||
329 | <p> | ||
330 | Starting in OpenSSH 3.3, <code>ssh</code> is not setuid by default. <a | ||
331 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign">ssh-keysign</a>, | ||
332 | is used for access to the private hosts keys, and ssh does not use privileged | ||
333 | source ports by default. If you wish to use a privileged source port, you must | ||
334 | manually set the setuid bit on <code>ssh</code>. | ||
335 | |||
336 | <h2><a name= "2.3">2.3 - Why does SSH 2.3 have problems interoperating with OpenSSH 2.1.1?</a></h2> | ||
337 | |||
338 | <p> | ||
339 | SSH 2.3 and earlier versions contain a flaw in their HMAC implementation. | ||
340 | Their code was not supplying the full data block output from the digest, | ||
341 | and instead always provided 128 bits. For longer digests, this caused | ||
342 | SSH 2.3 to not interoperate with OpenSSH. | ||
343 | |||
344 | <p> | ||
345 | OpenSSH 2.2.0 detects that SSH 2.3 has this flaw. Recent versions of SSH | ||
346 | will have this bug fixed. Or you can add the following to | ||
347 | SSH 2.3 <i>sshd2_config</i>. | ||
348 | |||
349 | |||
350 | <blockquote> | ||
351 | <table border=0 width="800"> | ||
352 | <tr> | ||
353 | <td nowrap bgcolor="#EEEEEE"> | ||
354 | <b>Mac hmac-md5</b> | ||
355 | </td> | ||
356 | </tr> | ||
357 | </table> | ||
358 | </blockquote> | ||
359 | |||
360 | <h2><a name= "2.4">2.4 - Why does OpenSSH print: Dispatch protocol error: type 20</a></h2> | ||
361 | |||
362 | <p> | ||
363 | Problems in interoperation have been seen because older versions of | ||
364 | OpenSSH did not support session rekeying. However the commercial SSH 2.3 | ||
365 | tries to negotiate this feature, and you might experience connection | ||
366 | freezes or see the error message "<b>Dispatch protocol error: | ||
367 | type 20 </b>". | ||
368 | To solve this problem, either upgrade to a recent OpenSSH release or | ||
369 | disable rekeying by adding the following to your commercial SSH 2.3's | ||
370 | <i>ssh2_config</i> or <i>sshd2_config</i>. | ||
371 | |||
372 | |||
373 | <blockquote> | ||
374 | <table border=0 width="800"> | ||
375 | <tr> | ||
376 | <td nowrap bgcolor="#EEEEEE"> | ||
377 | <b>RekeyIntervalSeconds 0</b> | ||
378 | </td> | ||
379 | </tr> | ||
380 | </table> | ||
381 | </blockquote> | ||
382 | |||
383 | <h2><a name= "2.5">2.5 - Old versions of commercial SSH encrypt host keys with IDEA.</a></h2> | ||
384 | |||
385 | <p> | ||
386 | The old versions of SSH used a patented algorithm to encrypt their | ||
387 | <i>/etc/ssh/ssh_host_key</i>. This problem will manifest as | ||
388 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | ||
389 | not being able to read its host key. To solve this, use the command below | ||
390 | to convert your ssh_host_key to use 3DES. | ||
391 | <b>NOTE:</b> Use the | ||
392 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> | ||
393 | program from the Commercial SSH product, *NOT* OpenSSH for the example | ||
394 | below. | ||
395 | |||
396 | |||
397 | <blockquote> | ||
398 | <table border=0 width="800"> | ||
399 | <tr> | ||
400 | <td nowrap bgcolor="#EEEEEE"> | ||
401 | # <b>ssh-keygen -u -f /etc/ssh/ssh_host_key</b> | ||
402 | </td> | ||
403 | </tr> | ||
404 | </table> | ||
405 | </blockquote> | ||
406 | |||
407 | <h2><a name= "2.6">2.6 - What are these warning messages about key lengths</a></h2> | ||
408 | |||
409 | <p> | ||
410 | Commercial SSH's | ||
411 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> | ||
412 | program contained a bug which caused it to occasionally generate Pubkey | ||
413 | Authentication (RSA or DSA) keys which had their Most Significant Bit | ||
414 | (MSB) unset. Such keys were advertised as being full-length, but are | ||
415 | actually, half the time, smaller than advertised. | ||
416 | |||
417 | <p> | ||
418 | OpenSSH will print warning messages when it encounters such keys. To rid | ||
419 | yourself of these message, edit your <i>known_hosts</i> files and replace the | ||
420 | incorrect key length (usually "1024") with the correct key length | ||
421 | (usually "1023"). | ||
422 | |||
423 | <h2><a name= "2.7">2.7 - X11 and/or agent forwarding does not work.</a></h2> | ||
424 | |||
425 | <p> | ||
426 | Check your <i>ssh_config</i> and <i>sshd_config</i>. The default | ||
427 | configuration files disable authentication agent and X11 forwarding. To | ||
428 | enable it, put the line below in <i>sshd_config</i>: | ||
429 | |||
430 | <blockquote> | ||
431 | <table border=0 width="800"> | ||
432 | <tr> | ||
433 | <td nowrap bgcolor="#EEEEEE"> | ||
434 | <b>X11Forwarding yes</b> | ||
435 | </td> | ||
436 | </tr> | ||
437 | </table> | ||
438 | </blockquote> | ||
439 | |||
440 | <p> | ||
441 | and put the following lines in <i>ssh_config</i>: | ||
442 | |||
443 | <blockquote> | ||
444 | <table border=0 width="800"> | ||
445 | <tr> | ||
446 | <td nowrap bgcolor="#EEEEEE"> | ||
447 | <b>ForwardAgent yes</b><br> | ||
448 | <b>ForwardX11 yes</b> | ||
449 | </td> | ||
450 | </tr> | ||
451 | </table> | ||
452 | </blockquote> | ||
453 | |||
454 | <p> | ||
455 | X11 forwarding requires a working <a | ||
456 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=xauth&sektion=1" | ||
457 | >xauth(1)</a> binary. On OpenBSD this is in the <i>xbase</i> file | ||
458 | set but will probably be different on other platforms. For OpenSSH | ||
459 | Portable, xauth must be either found at configure time or specified | ||
460 | via <b>XAuthLocation</b> in sshd_config(5) and ssh_config(5). | ||
461 | |||
462 | <p> | ||
463 | Note on agent interoperability: There are two different and | ||
464 | incompatible agent forwarding mechanisms within the SSH2 protocol. | ||
465 | OpenSSH has always used an extension of the original SSH1 agent | ||
466 | requests, however some commercial products use a different, non-free | ||
467 | agent forwarding protocol. This means that agent forwarding cannot | ||
468 | be used between OpenSSH and those products. | ||
469 | |||
470 | <p> | ||
471 | <b>NOTE:</b> For users of Linux Mandrake 7.2, Mandrake modifies the | ||
472 | <i>XAUTHORITY</i> environment variable in <i>/etc/skel/.bashrc</i>, | ||
473 | and thus any bash user's home directory. This variable is set by OpenSSH | ||
474 | and for either of the above options to work, you need to comment out | ||
475 | the line: | ||
476 | |||
477 | |||
478 | <blockquote> | ||
479 | <table border=0 width="800"> | ||
480 | <tr> | ||
481 | <td nowrap bgcolor="#EEEEEE"> | ||
482 | <b># export XAUTHORITY=$HOME/.Xauthority</b> | ||
483 | </td> | ||
484 | </tr> | ||
485 | </table> | ||
486 | </blockquote> | ||
487 | |||
488 | <h2><a name= "2.8">2.8 - After upgrading OpenSSH I lost SSH2 support.</a></h2> | ||
489 | |||
490 | <p> | ||
491 | Between versions changes can be made to <i>sshd_config</i> or | ||
492 | <i>ssh_config</i>. You should always check on these changes when upgrading | ||
493 | versions of OpenSSH. After OpenSSH Version 2.3.0 you need to add the | ||
494 | following to your <i>sshd_config</i>: | ||
495 | |||
496 | |||
497 | <blockquote> | ||
498 | <table border=0 width="800"> | ||
499 | <tr> | ||
500 | <td nowrap bgcolor="#EEEEEE"> | ||
501 | <b>HostKey /etc/ssh_host_dsa_key</b><br> | ||
502 | <b>HostKey /etc/ssh_host_rsa_key</b> | ||
503 | </td> | ||
504 | </tr> | ||
505 | </table> | ||
506 | </blockquote> | ||
507 | |||
508 | <h2><a name= "2.9">2.9 - sftp/scp fails at connection, but ssh is OK.</a></h2> | ||
509 | |||
510 | <p> | ||
511 | sftp and/or scp may fail at connection time if you have shell | ||
512 | initialization (.profile, .bashrc, .cshrc, etc) which produces output | ||
513 | for non-interactive sessions. This output confuses the sftp/scp client. | ||
514 | You can verify if your shell is doing this by executing: | ||
515 | |||
516 | <blockquote> | ||
517 | <table border=0 width="800"> | ||
518 | <tr> | ||
519 | <td nowrap bgcolor="#EEEEEE"> | ||
520 | <b>ssh yourhost /usr/bin/true</b> | ||
521 | </td> | ||
522 | </tr> | ||
523 | </table> | ||
524 | </blockquote> | ||
525 | |||
526 | <p> | ||
527 | If the above command produces any output, then you need to modify your | ||
528 | shell initialization. | ||
529 | |||
530 | <h2><a name= "2.10">2.10 - Will you add [foo] to scp?</a></h2> | ||
531 | |||
532 | <p> | ||
533 | Short Answer: no. | ||
534 | |||
535 | <p> | ||
536 | Long Answer: scp is not standardized. The closest thing it has to a | ||
537 | specification is "what rcp does". Since the same command is used on both ends | ||
538 | of the connection, adding features or options risks breaking interoperability with other | ||
539 | implementations. | ||
540 | |||
541 | <p> | ||
542 | New features are more likely in sftp, since the protocol is standardized | ||
543 | (well, a <a href="http://www.ietf.org/html.charters/OLD/secsh-charter.html"> | ||
544 | draft standard</a>), extensible, and the client and server are decoupled. | ||
545 | |||
546 | <h2><a name= "2.11">2.11 - How do I use port forwarding?</a></h2> | ||
547 | |||
548 | <p> | ||
549 | If the remote server is running sshd(8), it may be possible to | ||
550 | ``tunnel'' certain services via ssh. This may be desirable, for | ||
551 | example, to encrypt POP or SMTP connections, even though the software | ||
552 | does not directly support encrypted communications. Tunnelling uses | ||
553 | port forwarding to create a connection between the client and server. | ||
554 | The client software must be able to specify a non-standard port to | ||
555 | connect to for this to work. | ||
556 | |||
557 | <p> | ||
558 | The idea is that the user connects to the remote host using ssh, | ||
559 | and specifies which port on the client's machine should be used to | ||
560 | forward connections to the remote server. After that it is possible | ||
561 | to start the service which is to be encrypted (e.g. fetchmail, irc) | ||
562 | on the client machine, specifying the same local port passed to | ||
563 | ssh, and the connection will be tunnelled through ssh. By default, | ||
564 | the system running the forward will only accept connections from | ||
565 | itself. | ||
566 | |||
567 | <p> | ||
568 | The options most relevant to tunnelling are the -L and -R options, | ||
569 | which allow the user to forward connections, the -D option, which | ||
570 | permits dynamic port forwarding, the -g option, which permits other | ||
571 | hosts to use port forwards, and the -f option, which instructs ssh | ||
572 | to put itself in the background after authentication. See the <a | ||
573 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1" | ||
574 | >ssh(1)</a> man page for further details. | ||
575 | |||
576 | <p> | ||
577 | This is an example of tunnelling an IRC session from client machine | ||
578 | ``127.0.0.1'' (localhost) to remote server ``server.example.com'': | ||
579 | |||
580 | <blockquote> | ||
581 | <table border=0 width="800"> | ||
582 | <tr> | ||
583 | <td nowrap bgcolor="#EEEEEE"> | ||
584 | <b>ssh -f -L 1234:server.example.com:6667 server.example.com sleep 10<br> | ||
585 | irc -c '#users' -p 1234 pinky 127.0.0.1</b> | ||
586 | </td> | ||
587 | </tr> | ||
588 | </table> | ||
589 | </blockquote> | ||
590 | |||
591 | <p> | ||
592 | This tunnels a connection to IRC server server.example.com, joining | ||
593 | channel ``#users'', using the nickname ``pinky''. The local port used | ||
594 | in this example is 1234. It does not matter which port is used, as | ||
595 | long as it's greater than 1023 (remember, only root can open sockets on | ||
596 | privileged ports) and doesn't conflict with any ports already in use. | ||
597 | The connection is forwarded to port 6667 on the remote server, since | ||
598 | that's the standard port for IRC services. | ||
599 | |||
600 | <p> | ||
601 | The remote command ``sleep 10'' was specified to allow an amount | ||
602 | of time (10 seconds, in the example) to start the service which is to | ||
603 | be tunnelled. If no connections are made within the time specified, | ||
604 | ssh will exit. If more time is required, the sleep(1) value can be | ||
605 | increased appropriately or, alternatively, the example above could | ||
606 | be added as a function to the user's shell. See ksh(1) and csh(1) | ||
607 | for more details about user-defined functions. | ||
608 | |||
609 | <p> | ||
610 | ssh also has an -N option, convenient for use with port forwarding: | ||
611 | if -N is specified, it is not necessary to specify a remote command | ||
612 | (``sleep 10'' in the example above). However, use of this option | ||
613 | causes ssh to wait around for ever (as opposed to exiting after a | ||
614 | remote command has completed), and the user must take care to manually | ||
615 | kill(1) the process afterwards. | ||
616 | |||
617 | <h2><a name= "2.12">2.12 - My ssh connection freezes or drops out after N minutes of inactivity.</a></h2> | ||
618 | |||
619 | <p> | ||
620 | This is usually the result of a packet filter or NAT device | ||
621 | timing out your TCP connection due to inactivity. You can enable | ||
622 | <b>ClientAliveInterval</b> in the server's <i><a | ||
623 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5"> | ||
624 | sshd_config</a></i>, or enable <b>ServerAliveInterval</b> in the | ||
625 | client's <i><a | ||
626 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5"> | ||
627 | ssh_config</a></i> (the latter is available in OpenSSH 3.8 and newer). | ||
628 | |||
629 | <p> | ||
630 | Enabling either option and setting the interval for less than the time | ||
631 | it takes to time out your session will ensure that the connection is | ||
632 | kept "fresh" in the device's connection table. | ||
633 | |||
634 | <h2><a name= "2.13">2.13 - How do I use scp to copy a file with a colon in it?</a></h2> | ||
635 | |||
636 | <b><a | ||
637 | href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1"> | ||
638 | scp</a></b> will interpret the component before the colon to be a remote | ||
639 | server name and attempt to connect to it. To prevent this, refer to | ||
640 | the file by a relative or absolute path, eg: | ||
641 | |||
642 | <blockquote> | ||
643 | <table border=0 width="800"> | ||
644 | <tr> | ||
645 | <td nowrap bgcolor="#EEEEEE"> | ||
646 | $ scp ./source:file sshserver: | ||
647 | </td> | ||
648 | </tr> | ||
649 | </table> | ||
650 | </blockquote> | ||
651 | |||
652 | <h2><a name= "2.14">2.14 - Why does OpenSSH report its version to clients?</a></h2> | ||
653 | |||
654 | <p> | ||
655 | OpenSSH, like most SSH implementations, reports its name and version to clients | ||
656 | when they connect, e.g. | ||
657 | </p> | ||
658 | |||
659 | <blockquote> | ||
660 | SSH-2.0-OpenSSH_3.9 | ||
661 | </blockquote> | ||
662 | |||
663 | <p> | ||
664 | This information is used by clients and servers to enable protocol | ||
665 | compatibility tweaks to work around changed, buggy or missing features in | ||
666 | the implementation they are talking to. This protocol feature checking is | ||
667 | still required at present because versions with incompatibilities are still | ||
668 | in wide use. | ||
669 | </p> | ||
670 | |||
671 | <h2><u><a name= "3.0">3.0 - Portable OpenSSH Questions</a></u></h2> | ||
672 | |||
673 | <h2><a name= "3.1">3.1 - Spurious PAM authentication messages in logfiles.</a></h2> | ||
674 | |||
675 | <p> | ||
676 | The portable version of OpenSSH will generate spurious authentication | ||
677 | failures at every login, similar to: | ||
678 | |||
679 | |||
680 | <blockquote> | ||
681 | <table border=0 width="800"> | ||
682 | <tr> | ||
683 | <td nowrap bgcolor="#EEEEEE"> | ||
684 | "<b>authentication failure; (uid=0) -> root for sshd service</b>" | ||
685 | </td> | ||
686 | </tr> | ||
687 | </table> | ||
688 | </blockquote> | ||
689 | |||
690 | <p> | ||
691 | These are generated because OpenSSH first tries to determine whether a | ||
692 | user needs authentication to login (e.g. empty password). Unfortunately | ||
693 | PAM likes to log all authentication events, this one included. | ||
694 | |||
695 | <p> | ||
696 | If it annoys you too much, set "<b>PermitEmptyPasswords no</b>" | ||
697 | in <i>sshd_config</i>. This will quiet the error message at the expense | ||
698 | of disabling logins to accounts with no password set. | ||
699 | This is the default if you use the supplied <i>sshd_config</i> file. | ||
700 | |||
701 | <h2><a name= "3.2">3.2 - Empty passwords not allowed with PAM authentication.</a></h2> | ||
702 | |||
703 | <p> | ||
704 | To enable empty passwords with a version of OpenSSH built with PAM you | ||
705 | must add the flag nullok to the end of the password checking module | ||
706 | in the <i>/etc/pam.d/sshd</i> file. For example: | ||
707 | |||
708 | <blockquote> | ||
709 | <table border=0 width="800"> | ||
710 | <tr> | ||
711 | <td nowrap bgcolor="#EEEEEE"> | ||
712 | auth required/lib/security/pam_unix.so shadow nodelay nullok | ||
713 | </td> | ||
714 | </tr> | ||
715 | </table> | ||
716 | </blockquote> | ||
717 | |||
718 | <p> | ||
719 | This must be done in addition to setting "<b>PermitEmptyPasswords | ||
720 | yes</b>" in the <i>sshd_config</i> file. | ||
721 | |||
722 | <p> | ||
723 | There is one caveat when using empty passwords with PAM authentication: | ||
724 | PAM will allow any password when authenticating an account with an empty | ||
725 | password. This breaks the check that | ||
726 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | ||
727 | uses to determine whether an account has no password set and grant | ||
728 | users access to the account regardless of the policy specified by | ||
729 | <b>PermitEmptyPasswords</b>. For this reason, it is recommended that you | ||
730 | do not add the <b>nullok</b> directive to your PAM configuration file | ||
731 | unless you specifically wish to allow empty passwords. | ||
732 | |||
733 | |||
734 | <h2><a name= "3.3">3.3 - ssh(1) takes a long time to connect or log | ||
735 | in</a></h2> | ||
736 | |||
737 | <p> | ||
738 | Large delays (more that 10 seconds) are typically caused a problem with | ||
739 | name resolution: | ||
740 | <ul> | ||
741 | <li>Some versions of glibc (notably glibc 2.1 shipped with Red Hat 6.1) | ||
742 | can take a long time to resolve "IPv6 or IPv4" addresses from domain | ||
743 | names. This can be worked around with by specifying <b>AddressFamily | ||
744 | inet</b> option in <i>ssh_config</i>.</li> | ||
745 | |||
746 | <li>There may be a DNS lookup problem, either at the client or server. | ||
747 | You can use the <code>nslookup</code> command to check this on both client | ||
748 | and server by looking up the other end's name and IP address. In | ||
749 | addition, on the server look up the name returned by the client's | ||
750 | IP-name lookup. You can disable most of the server-side lookups by | ||
751 | setting <b>UseDNS no</b> in <i>sshd_config</i>.</li> | ||
752 | </ul> | ||
753 | |||
754 | <p> | ||
755 | Delays less than 10 seconds can have other causes. | ||
756 | |||
757 | <ul> | ||
758 | |||
759 | <li>OpenSSH releases prior to 3.8 had an <i>moduli</i> file with | ||
760 | moduli that were just smaller than what sshd would look for, and | ||
761 | as a result, sshd would end up using moduli significantly larger | ||
762 | than requested, which resulted in a speed penalty. Replacing the | ||
763 | <i>moduli</i> file will resolve this (note that in most cases this | ||
764 | file will not be replaced during an upgrade and must be replaced | ||
765 | manually).</li> | ||
766 | |||
767 | <li>OpenSSH releases prior to 3.8 had a flaw in <code>ssh</code> that | ||
768 | would cause it to request moduli larger than intended (which when | ||
769 | combined with the above resulted in significant slowdowns). | ||
770 | Upgrading the client to 3.8 or higher will resolve this issue.</li> | ||
771 | |||
772 | <li>If either the client or server lack a kernel-based random number | ||
773 | device (eg Solaris < 9, AIX < 5.2, HP-UX < 11.11) and no | ||
774 | substitute is available (eg <a href= | ||
775 | "ftp://ftp.ayamura.org/pub/prngd/">prngd</a>) it's possible that | ||
776 | one of the programs called by <code>ssh-rand-helper</code> to | ||
777 | generate entropy is hanging. This can be investigated by running | ||
778 | it in debug mode: | ||
779 | |||
780 | <blockquote> | ||
781 | <table border=0 width="800"> | ||
782 | <tr> | ||
783 | <td nowrap bgcolor="#EEEEEE"> | ||
784 | /usr/local/libexec/ssh-rand-helper -vvv | ||
785 | </td> | ||
786 | </tr> | ||
787 | </table> | ||
788 | </blockquote> | ||
789 | |||
790 | Any significant delays should be investigated and rectified, or the | ||
791 | corresponding commands should be removed from <i>ssh_prng_cmds</i>. | ||
792 | </li> | ||
793 | |||
794 | </ul> | ||
795 | |||
796 | <h3>How slow is "slow"?</h3> | ||
797 | Under normal conditions, the speed of SSH logins is dependant on | ||
798 | CPU speed of client and server. For comparison the following are | ||
799 | typical connect times for <code>time ssh localhost true</code> | ||
800 | with a 1024-bit RSA key on otherwise unloaded hosts. OpenSSH and | ||
801 | OpenSSL were compiled with gcc 3.3.x. | ||
802 | |||
803 | <p> | ||
804 | <table> | ||
805 | <tr><th>CPU</th><th>Time (SSHv1)<a href="#3.3fn1">[1]</a></th> | ||
806 | <th>Time (SSHv2)</th></tr> | ||
807 | <tr><td>170MHz SPARC/sun4m</td><td>0.74 sec</td><td>1.25 sec</td></tr> | ||
808 | <tr><td>236MHz HPPA/8200<a href="#3.3fn2">[2]</a></td><td>0.44 sec</td> | ||
809 | <td>0.79 sec</td></tr> | ||
810 | <tr><td>375MHz PowerPC/604e</td><td>0.38 sec</td><td>0.51 sec</td></tr> | ||
811 | <tr><td>933MHz VIA Ezra</td><td>0.34 sec</td><td>0.44 sec</td></tr> | ||
812 | <tr><td>2.1GHz Athlon XP 2600+</td><td>0.14 sec</td><td>0.22 sec</td></tr> | ||
813 | </table> | ||
814 | |||
815 | <br> | ||
816 | |||
817 | <a name="3.3fn1">[1]</a> The SSHv1 protocol is faster but is | ||
818 | cryptographically weaker than SSHv2.<br> | ||
819 | |||
820 | <a name="3.3fn2">[2]</a> At the time of writing, gcc generates | ||
821 | relatively slow code on HPPA for RSA and Diffie-Hellman operations | ||
822 | (see <a href= "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=7625">gcc | ||
823 | bug #7625</a> and <a | ||
824 | href="http://marc.info/?l=openssh-unix-dev&m=102646106016694"> | ||
825 | discussion on openssh-unix-dev</a>). | ||
826 | |||
827 | <h2><a name= "3.4">3.4 - "Can't locate module net-pf-10" messages in log under Linux.</a></h2> | ||
828 | |||
829 | <p> | ||
830 | The Linux kernel is looking (via modprobe) for protocol family 10 (IPv6). | ||
831 | Either load the appropriate kernel module, enter the correct alias in | ||
832 | <i>/etc/modules.conf</i> or disable IPv6 in <i>/etc/modules.conf</i>. | ||
833 | |||
834 | |||
835 | <p> | ||
836 | For some silly reason <i>/etc/modules.conf</i> may also be named | ||
837 | <i>/etc/conf.modules</i>. | ||
838 | |||
839 | |||
840 | <h2><a name= "3.5">3.5 - Password authentication doesn't work (eg on Slackware 7.0 or Red Hat 6.x)</a></h2> | ||
841 | |||
842 | <p> | ||
843 | If the password is correct password the login is still denied, the | ||
844 | usual cause is that the system is configured to use MD5-type passwords | ||
845 | but the | ||
846 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3" | ||
847 | >crypt(3)</a> function used by sshd doesn't understand them. | ||
848 | |||
849 | <p> | ||
850 | Affected accounts will have password strings in <i>/etc/passwd</i> | ||
851 | or <i>/etc/shadow</i> that start with <b>$1$</b>. | ||
852 | If password authentication fails for new accounts or accounts with | ||
853 | recently changed passwords, but works for old accounts, this is the | ||
854 | likely culprit. | ||
855 | |||
856 | <p> | ||
857 | The underlying cause is that some versions of OpenSSL have a crypt(3) | ||
858 | function that does not understand MD5 passwords, and the link order of | ||
859 | sshd means that OpenSSL's crypt(3) is used instead of the system's. | ||
860 | OpensSSH's configure attempts to correct for this but is not always | ||
861 | successful. | ||
862 | |||
863 | <p> | ||
864 | There are several possible solutions: | ||
865 | |||
866 | <ul> | ||
867 | <li> | ||
868 | <p> | ||
869 | Enable sshd's built-in support for MD5 passwords at build time. | ||
870 | |||
871 | <blockquote> | ||
872 | <table border=0 width="800"> | ||
873 | <tr> | ||
874 | <td nowrap bgcolor="#EEEEEE"> | ||
875 | ./configure --with-md5-passwords [options] | ||
876 | </td> | ||
877 | </tr> | ||
878 | </table> | ||
879 | </blockquote> | ||
880 | |||
881 | This is safe even if you have both types of encryption as sshd will | ||
882 | select the correct algorithm for each account automatically. | ||
883 | |||
884 | <li> | ||
885 | <p> | ||
886 | If your system has a separate libcrypt library (eg Slackware 7) then you | ||
887 | can manually add -lcrypt to the LIBS list so it's used instead of | ||
888 | OpenSSL's: | ||
889 | |||
890 | <blockquote> | ||
891 | <table border=0 width="800"> | ||
892 | <tr> | ||
893 | <td nowrap bgcolor="#EEEEEE"> | ||
894 | LIBS=-lcrypt ./configure [options] | ||
895 | </td> | ||
896 | </tr> | ||
897 | </table> | ||
898 | </blockquote> | ||
899 | |||
900 | <li> | ||
901 | <p> | ||
902 | If your platforms supports PAM, you may configure sshd to use it | ||
903 | (see <a href= "#3.15" >section 3.15</a>). This will mean that sshd will | ||
904 | not verify passwords itself but will defer to the configured PAM modules. | ||
905 | </ul> | ||
906 | |||
907 | <h2><a name= "3.6">3.6 - Configure or sshd(8) complain about lack of RSA or DSA support</a></h2> | ||
908 | |||
909 | <p> | ||
910 | Ensure that your OpenSSL libraries have been built to include RSA or DSA | ||
911 | support either internally or through RSAref. | ||
912 | |||
913 | |||
914 | <h2><a name= "3.7">3.7 - "scp: command not found" errors</a></h2> | ||
915 | |||
916 | <p> | ||
917 | <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> | ||
918 | must be in the default PATH on both the client and the server. You may | ||
919 | need to use the <b>--with-default-path</b> option to specify a custom | ||
920 | path to search on the server. This option replaces the default path, | ||
921 | so you need to specify all the current directories on your path as well | ||
922 | as where you have installed scp. For example: | ||
923 | |||
924 | <blockquote> | ||
925 | <table border=0 width="800"> | ||
926 | <tr> | ||
927 | <td nowrap bgcolor="#EEEEEE"> | ||
928 | $ <b>./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp</b> | ||
929 | </td> | ||
930 | </tr> | ||
931 | </table> | ||
932 | </blockquote> | ||
933 | |||
934 | <p> | ||
935 | Note that configuration by the server's admin will take precedence over the | ||
936 | setting of <b>--with-default-path</b>. This includes resetting PATH in | ||
937 | <i>/etc/profile</i>, PATH in <i>/etc/environment</i> on AIX, or (for 3.7p1 and | ||
938 | above) setting PATH or SUPATH in <i>/etc/default/login</i> on Solaris or | ||
939 | Reliant Unix. | ||
940 | |||
941 | <h2><a name= "3.8">3.8 - Unable to read passphrase</a></h2> | ||
942 | |||
943 | <p> | ||
944 | Some operating systems set <i>/dev/tty</i> with incorrect modes, causing | ||
945 | the reading of passwords to fail with the following error: | ||
946 | |||
947 | <blockquote> | ||
948 | <table border=0 width="800"> | ||
949 | <tr> | ||
950 | <td nowrap bgcolor="#EEEEEE"> | ||
951 | You have no controlling tty. Cannot read passphrase. | ||
952 | </td> | ||
953 | </tr> | ||
954 | </table> | ||
955 | </blockquote> | ||
956 | |||
957 | <p> | ||
958 | The solution to this is to reset the permissions on <i>/dev/tty</i> | ||
959 | to mode 0666 and report the error as a bug to your OS vendor. | ||
960 | |||
961 | |||
962 | <h2><a name= "3.9">3.9 - 'configure' missing or make fails</a></h2> | ||
963 | |||
964 | <p> | ||
965 | If there is no 'configure' file in the tar.gz file that you downloaded | ||
966 | or make fails with "missing separator" errors, you have probably | ||
967 | downloaded the OpenBSD distribution of OpenSSH and are attempting to | ||
968 | compile it on another platform. Please refer to the information on the | ||
969 | <a href="http://www.openssh.org/portable.html">portable version</a>. | ||
970 | |||
971 | |||
972 | <h2><a name= "3.10">3.10 - Hangs when exiting ssh</a></h2> | ||
973 | |||
974 | <p> | ||
975 | OpenSSH may hang when exiting. This can occur when there is an active | ||
976 | background process. This is known to occur on Linux and HP-UX. | ||
977 | The problem can be verified by doing the following: | ||
978 | |||
979 | <blockquote> | ||
980 | <table border=0 width="800"> | ||
981 | <tr> | ||
982 | <td nowrap bgcolor="#EEEEEE"> | ||
983 | $ <b>sleep 20 & exit</b> | ||
984 | </td> | ||
985 | </tr> | ||
986 | </table> | ||
987 | </blockquote> | ||
988 | |||
989 | Try to use this instead: | ||
990 | <blockquote> | ||
991 | <table border=0 width="800"> | ||
992 | <tr> | ||
993 | <td nowrap bgcolor="#EEEEEE"> | ||
994 | $ <b>sleep 20 < /dev/null > /dev/null 2>&1 &</b> | ||
995 | </td> | ||
996 | </tr> | ||
997 | </table> | ||
998 | </blockquote> | ||
999 | |||
1000 | <p> | ||
1001 | A work around for bash users is to place <b>"shopt -s huponexit"</b> | ||
1002 | in either /etc/bashrc or ~/.bashrc. Otherwise, consult your shell's | ||
1003 | man page for an option to enable it to send a HUP signal to active | ||
1004 | jobs when exiting. See <a | ||
1005 | href="http://bugzilla.mindrot.org/show_bug.cgi?id=52">bug #52</a> | ||
1006 | for other workarounds. | ||
1007 | |||
1008 | <h2><a name= "3.11">3.11 - Why does ssh hang on exit?</a></h2> | ||
1009 | |||
1010 | <p> | ||
1011 | When executing | ||
1012 | <blockquote> | ||
1013 | <table border=0 width="800"> | ||
1014 | <tr> | ||
1015 | <td nowrap bgcolor="#EEEEEE"> | ||
1016 | $ <b>ssh host command</b> | ||
1017 | </td> | ||
1018 | </tr> | ||
1019 | </table> | ||
1020 | </blockquote> | ||
1021 | ssh <b>needs</b> to hang, because it needs to wait: | ||
1022 | <ul> | ||
1023 | <li> | ||
1024 | until it can be sure that <code>command</code> does not need | ||
1025 | more input. | ||
1026 | <li> | ||
1027 | until it can be sure that <code>command</code> does not produce | ||
1028 | more output. | ||
1029 | <li> | ||
1030 | until <code>command</code> exits because sshd needs to tell | ||
1031 | the exit status from <code>command</code> to ssh. | ||
1032 | </ul> | ||
1033 | <p> | ||
1034 | |||
1035 | <h2><a name= "3.12">3.12 - I upgraded to OpenSSH 3.1 and X11 | ||
1036 | forwarding stopped working.</a></h2> | ||
1037 | |||
1038 | Starting with OpenSSH 3.1, the sshd x11 forwarding server listens on | ||
1039 | localhost by default; see the sshd <b>X11UseLocalhost</b> option to | ||
1040 | revert to prior behaviour if your older X11 clients do not function | ||
1041 | with this configuration.<p> | ||
1042 | |||
1043 | In general, X11 clients using X11 R6 should work with the default | ||
1044 | setting. Some vendors, including HP, ship X11 clients with R6 | ||
1045 | and R5 libs, so some clients will work, and others will not work. | ||
1046 | This is true for HP-UX 11.X.<p> | ||
1047 | |||
1048 | <h2><a name= "3.13">3.13 - I upgraded to OpenSSH 3.8 and some | ||
1049 | X11 programs stopped working.</a></h2> | ||
1050 | |||
1051 | <p> | ||
1052 | As documented in the <a href="http://www.openssh.org/txt/release-3.8">3.8 release notes</a>, | ||
1053 | <code>ssh</code> will now use untrusted X11 cookies by | ||
1054 | default. The previous behaviour can be restored by setting | ||
1055 | <b>ForwardX11Trusted yes</b> in <i>ssh_config</i>. | ||
1056 | |||
1057 | <p> | ||
1058 | Possible symptoms include:<br> | ||
1059 | <code>BadWindow (invalid Window parameter)<br> | ||
1060 | BadAccess (attempt to access private resource denied)<br> | ||
1061 | X Error of failed request: BadAtom (invalid Atom parameter)<br> | ||
1062 | Major opcode of failed request: 20 (X_GetProperty)<br></code> | ||
1063 | |||
1064 | <h2><a name= "3.14">3.14 - I copied my public key to authorized_keys | ||
1065 | but public-key authentication still doesn't work.</a></h2> | ||
1066 | |||
1067 | <p> | ||
1068 | Typically this is caused by the file permissions on $HOME, $HOME/.ssh or | ||
1069 | $HOME/.ssh/authorized_keys being more permissive than sshd allows by default. | ||
1070 | |||
1071 | <p> | ||
1072 | In this case, it can be solved by executing the following on the server. | ||
1073 | <blockquote> | ||
1074 | <table border=0 width="800"> | ||
1075 | <tr> | ||
1076 | <td nowrap bgcolor="#EEEEEE"> | ||
1077 | $ <b>chmod go-w $HOME $HOME/.ssh</b><br> | ||
1078 | $ <b>chmod 600 $HOME/.ssh/authorized_keys</b> | ||
1079 | $ <b>chown `whoami` $HOME/.ssh/authorized_keys</b><br> | ||
1080 | </td> | ||
1081 | </tr> | ||
1082 | </table> | ||
1083 | </blockquote> | ||
1084 | |||
1085 | <p> | ||
1086 | If this is not possible for some reason, an alternative is to set | ||
1087 | <b>StrictModes no</b> in <i>sshd_config</i>, however this is not | ||
1088 | recommended. | ||
1089 | |||
1090 | <h2><a name= "3.15">3.15 - OpenSSH versions and PAM behaviour.</a></h2> | ||
1091 | |||
1092 | Portable OpenSSH has a configure-time option to enable sshd's use of the | ||
1093 | <a href="http://www.opengroup.org/onlinepubs/008329799/">PAM</a> | ||
1094 | (Pluggable Authentication Modules) interface. | ||
1095 | |||
1096 | <blockquote> | ||
1097 | <table border=0 width="800"> | ||
1098 | <tr> | ||
1099 | <td nowrap bgcolor="#EEEEEE"> | ||
1100 | ./configure --with-pam [options] | ||
1101 | </td> | ||
1102 | </tr> | ||
1103 | </table> | ||
1104 | </blockquote> | ||
1105 | |||
1106 | To use PAM at all, this option must be provided at build time. | ||
1107 | The run-time behaviour when PAM is built in varies with the version of | ||
1108 | Portable OpenSSH, and on later versions it must also be enabled by setting | ||
1109 | <b>UsePAM</b> to <b>yes</b> in <i>sshd_config</i>. | ||
1110 | |||
1111 | <p> | ||
1112 | The behaviour of the relevant authentications options when PAM support is built | ||
1113 | in is summarised by the following table. | ||
1114 | |||
1115 | <p> | ||
1116 | <table border="1"> | ||
1117 | <tr> <th>Version</th> <th>UsePAM</th> <th>PasswordAuthentication</th> <th>ChallengeResponseAuthentication</th> </tr> | ||
1118 | <tr> | ||
1119 | <td><=3.6.1p2</td> | ||
1120 | <td>Not applicable</td> | ||
1121 | <td>Uses PAM</td> | ||
1122 | <td>Uses PAM if <b>PAMAuthenticationViaKbdInt</b> is enabled</td> | ||
1123 | </tr> | ||
1124 | <tr> | ||
1125 | <td>3.7p1 - 3.7.1p1</td> | ||
1126 | <td>Defaults to <b>yes</b></td> | ||
1127 | <td>Does not use PAM</td> | ||
1128 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1129 | </tr> | ||
1130 | <tr> | ||
1131 | <td>3.7.1p2 - 3.8.1p1</td> | ||
1132 | <td>Defaults to <b>no</b></td> | ||
1133 | <td>Does not use PAM <a href="#3.15fn1">[1]</a></td> | ||
1134 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1135 | </tr> | ||
1136 | <tr> | ||
1137 | <td>3.9p1</td> | ||
1138 | <td>Defaults to <b>no</b></td> | ||
1139 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1140 | <td>Uses PAM if <b>UsePAM</b> is enabled</td> | ||
1141 | </tr> | ||
1142 | </table> | ||
1143 | <p> | ||
1144 | |||
1145 | <a name= "3.15fn1">[1]</a> Some vendors, notably Redhat/Fedora, have | ||
1146 | backported the PasswordAuthentication from 3.9p1 to their 3.8x based | ||
1147 | packages. If you're using a vendor-supplied package then consult their | ||
1148 | documentation. | ||
1149 | |||
1150 | <p> | ||
1151 | OpenSSH Portable's PAM interface still has problems with a few modules, | ||
1152 | however we hope that this number will reduce in the future. As at the | ||
1153 | 3.9p1 release, the known problems are: | ||
1154 | |||
1155 | <ul> | ||
1156 | <li>Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS) | ||
1157 | may fail to correctly establish credentials (bug <a | ||
1158 | href="http://bugzilla.mindrot.org/show_bug.cgi?id=688">#688</a>) when | ||
1159 | authenticating via <b>ChallengeResponseAuthentication</b>. | ||
1160 | <b>PasswordAuthentication</b> with 3.9p1 and above should work. | ||
1161 | </ul> | ||
1162 | |||
1163 | You can also check <a | ||
1164 | href="http://bugzilla.mindrot.org/buglist.cgi?product=Portable+OpenSSH&bug_status=RESOLVED&bug_status=NEW&bug_status=ACCEPTED&component=PAM+support" | ||
1165 | >bugzilla for current PAM issues</a>. | ||
1166 | |||
1167 | <h2><a name= "3.16">3.16 - Why doesn't "w" or "who" on AIX 5.x show users | ||
1168 | logged in via ssh?</a></h2> | ||
1169 | |||
1170 | Between AIX 4.3.3 and AIX 5.x, the format of the wtmp struct changed. This | ||
1171 | means that sshd binaries built on AIX 4.x will not correctly write wtmp | ||
1172 | entries when run on AIX 5.x. This can be fixed by simply recompiling | ||
1173 | sshd on an AIX 5.x system and using that. | ||
1174 | |||
1175 | <hr> | ||
1176 | <a href="http://www.openssh.org/index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a> | ||
1177 | <a href="mailto:www@openbsd.org">www@openbsd.org</a> | ||
1178 | <br> | ||
1179 | <small>$OpenBSD: faq.html,v 1.110 2009/11/23 23:38:17 dtucker Exp $</small> | ||
1180 | |||
1181 | </body> | ||
1182 | </html> | ||
diff --git a/debian/gnome-ssh-askpass.1 b/debian/gnome-ssh-askpass.1 new file mode 100644 index 000000000..b74c410a8 --- /dev/null +++ b/debian/gnome-ssh-askpass.1 | |||
@@ -0,0 +1,51 @@ | |||
1 | .TH GNOME-SSH-ASKPASS 1 | ||
2 | .SH NAME | ||
3 | gnome\-ssh\-askpass \- prompts a user for a passphrase using GNOME | ||
4 | .SH SYNOPSIS | ||
5 | .B gnome\-ssh\-askpass | ||
6 | .SH DESCRIPTION | ||
7 | .B gnome\-ssh\-askpass | ||
8 | is a GNOME-based passphrase dialog for use with OpenSSH. | ||
9 | It is intended to be called by the | ||
10 | .BR ssh\-add (1) | ||
11 | program and not invoked directly. | ||
12 | It allows | ||
13 | .BR ssh\-add (1) | ||
14 | to obtain a passphrase from a user, even if not connected to a terminal | ||
15 | (assuming that an X display is available). | ||
16 | This happens automatically in the case where | ||
17 | .B ssh\-add | ||
18 | is invoked from one's | ||
19 | .B ~/.xsession | ||
20 | or as one of the GNOME startup programs, for example. | ||
21 | .PP | ||
22 | In order to be called automatically by | ||
23 | .BR ssh\-add , | ||
24 | .B gnome\-ssh\-askpass | ||
25 | should be installed as | ||
26 | .IR /usr/bin/ssh\-askpass . | ||
27 | .SH "ENVIRONMENT VARIABLES" | ||
28 | The following environment variables are recognized: | ||
29 | .TP | ||
30 | .I GNOME_SSH_ASKPASS_GRAB_SERVER | ||
31 | Causes | ||
32 | .B gnome\-ssh\-askpass | ||
33 | to grab the X server before asking for a passphrase. | ||
34 | .TP | ||
35 | .I GNOME_SSH_ASKPASS_GRAB_POINTER | ||
36 | Causes | ||
37 | .B gnome\-ssh\-askpass | ||
38 | to grab the mouse pointer using | ||
39 | .IR gdk_pointer_grab () | ||
40 | before asking for a passphrase. | ||
41 | .PP | ||
42 | Regardless of whether either of these environment variables is set, | ||
43 | .B gnome\-ssh\-askpass | ||
44 | will grab the keyboard using | ||
45 | .IR gdk_keyboard_grab (). | ||
46 | .SH AUTHOR | ||
47 | This manual page was written by Colin Watson <cjwatson@debian.org> | ||
48 | for the Debian system (but may be used by others). | ||
49 | It was based on that for | ||
50 | .B x11\-ssh\-askpass | ||
51 | by Philip Hands. | ||
diff --git a/debian/openssh-client-udeb.dirs b/debian/openssh-client-udeb.dirs new file mode 100644 index 000000000..e77248175 --- /dev/null +++ b/debian/openssh-client-udeb.dirs | |||
@@ -0,0 +1 @@ | |||
usr/bin | |||
diff --git a/debian/openssh-client-udeb.install b/debian/openssh-client-udeb.install new file mode 100644 index 000000000..b3891f02d --- /dev/null +++ b/debian/openssh-client-udeb.install | |||
@@ -0,0 +1,3 @@ | |||
1 | scp usr/bin | ||
2 | sftp usr/bin | ||
3 | ssh usr/bin | ||
diff --git a/debian/openssh-client.config b/debian/openssh-client.config new file mode 100644 index 000000000..736e464ed --- /dev/null +++ b/debian/openssh-client.config | |||
@@ -0,0 +1,26 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | # Source debconf library. | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | |||
10 | if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then | ||
11 | version=1.2.27 | ||
12 | cp -a /etc/ssh-nonfree /etc/ssh | ||
13 | fi | ||
14 | |||
15 | # Was ssh-keysign's setuid bit turned off using the obsolete debconf | ||
16 | # question? If so, turn this into a statoverride. (Ugh.) | ||
17 | if dpkg --compare-versions "$2" lt 1:4.1p1-2 && \ | ||
18 | db_get ssh/SUID_client && [ "$RET" = false ] && | ||
19 | [ -x /usr/sbin/dpkg-statoverride ] && \ | ||
20 | ! dpkg-statoverride --list /usr/lib/ssh-keysign && \ | ||
21 | ! dpkg-statoverride --list /usr/lib/openssh/ssh-keysign; then | ||
22 | dpkg-statoverride --update --add root root 0755 \ | ||
23 | /usr/lib/openssh/ssh-keysign | ||
24 | fi | ||
25 | |||
26 | exit 0 | ||
diff --git a/debian/openssh-client.dirs b/debian/openssh-client.dirs new file mode 100644 index 000000000..1da8fba83 --- /dev/null +++ b/debian/openssh-client.dirs | |||
@@ -0,0 +1 @@ | |||
usr/share/lintian/overrides | |||
diff --git a/debian/openssh-client.docs b/debian/openssh-client.docs new file mode 100644 index 000000000..00fd691c4 --- /dev/null +++ b/debian/openssh-client.docs | |||
@@ -0,0 +1,7 @@ | |||
1 | ChangeLog.gssapi | ||
2 | OVERVIEW | ||
3 | README | ||
4 | README.dns | ||
5 | README.tun | ||
6 | debian/faq.html | ||
7 | debian/README.compromised-keys | ||
diff --git a/debian/openssh-client.install b/debian/openssh-client.install new file mode 100644 index 000000000..fd9e8feab --- /dev/null +++ b/debian/openssh-client.install | |||
@@ -0,0 +1,29 @@ | |||
1 | etc/ssh/moduli | ||
2 | etc/ssh/ssh_config | ||
3 | usr/bin/scp | ||
4 | usr/bin/sftp | ||
5 | usr/bin/slogin | ||
6 | usr/bin/ssh | ||
7 | usr/bin/ssh-add | ||
8 | usr/bin/ssh-agent | ||
9 | usr/bin/ssh-keygen | ||
10 | usr/bin/ssh-keyscan | ||
11 | usr/bin/ssh-vulnkey | ||
12 | usr/lib/openssh/ssh-keysign | ||
13 | usr/lib/openssh/ssh-pkcs11-helper | ||
14 | usr/share/man/man1/scp.1 | ||
15 | usr/share/man/man1/sftp.1 | ||
16 | usr/share/man/man1/slogin.1 | ||
17 | usr/share/man/man1/ssh-add.1 | ||
18 | usr/share/man/man1/ssh-agent.1 | ||
19 | usr/share/man/man1/ssh-keygen.1 | ||
20 | usr/share/man/man1/ssh-keyscan.1 | ||
21 | usr/share/man/man1/ssh-vulnkey.1 | ||
22 | usr/share/man/man1/ssh.1 | ||
23 | usr/share/man/man5/moduli.5 | ||
24 | usr/share/man/man5/ssh_config.5 | ||
25 | usr/share/man/man8/ssh-keysign.8 | ||
26 | usr/share/man/man8/ssh-pkcs11-helper.8 | ||
27 | |||
28 | contrib/ssh-copy-id usr/bin | ||
29 | debian/ssh-argv0 usr/bin | ||
diff --git a/debian/openssh-client.lintian-overrides b/debian/openssh-client.lintian-overrides new file mode 100644 index 000000000..8c4bd1751 --- /dev/null +++ b/debian/openssh-client.lintian-overrides | |||
@@ -0,0 +1,2 @@ | |||
1 | openssh-client: setuid-binary usr/lib/openssh/ssh-keysign 4755 root/root | ||
2 | openssh-client: no-debconf-templates | ||
diff --git a/debian/openssh-client.manpages b/debian/openssh-client.manpages new file mode 100644 index 000000000..690bd8a22 --- /dev/null +++ b/debian/openssh-client.manpages | |||
@@ -0,0 +1,2 @@ | |||
1 | contrib/ssh-copy-id.1 | ||
2 | debian/ssh-argv0.1 | ||
diff --git a/debian/openssh-client.postinst b/debian/openssh-client.postinst new file mode 100644 index 000000000..3e33aeb82 --- /dev/null +++ b/debian/openssh-client.postinst | |||
@@ -0,0 +1,115 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | . /usr/share/debconf/confmodule | ||
7 | db_version 2.0 | ||
8 | |||
9 | umask 022 | ||
10 | |||
11 | if [ "$action" != configure ] | ||
12 | then | ||
13 | exit 0 | ||
14 | fi | ||
15 | |||
16 | |||
17 | fix_rsh_diversion() { | ||
18 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
19 | |||
20 | if [ -L /usr/bin/rsh ] && | ||
21 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
22 | for cmd in rlogin rsh rcp ; do | ||
23 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
24 | dpkg-divert --package ssh --remove --rename \ | ||
25 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
26 | |||
27 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
28 | dpkg-divert --package ssh --remove --rename \ | ||
29 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
30 | done | ||
31 | |||
32 | rmdir /usr/bin/rsh.real | ||
33 | fi | ||
34 | } | ||
35 | |||
36 | create_alternatives() { | ||
37 | # Create alternatives for the various r* tools. | ||
38 | # Make sure we don't change existing alternatives that a user might have | ||
39 | # changed, but clean up after some old alternatives that mistakenly pointed | ||
40 | # rlogin and rcp to ssh. | ||
41 | update-alternatives --quiet --remove rlogin /usr/bin/ssh | ||
42 | update-alternatives --quiet --remove rcp /usr/bin/ssh | ||
43 | for cmd in rsh rlogin rcp; do | ||
44 | scmd="s${cmd#r}" | ||
45 | if ! update-alternatives --display "$cmd" | \ | ||
46 | grep -q "$scmd"; then | ||
47 | update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \ | ||
48 | --slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz" | ||
49 | fi | ||
50 | done | ||
51 | } | ||
52 | |||
53 | set_ssh_permissions() { | ||
54 | if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then | ||
55 | if [ -x /usr/sbin/dpkg-statoverride ] ; then | ||
56 | if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then | ||
57 | dpkg-statoverride --remove /usr/bin/ssh >/dev/null | ||
58 | fi | ||
59 | fi | ||
60 | fi | ||
61 | |||
62 | # libexecdir changed, so migrate old statoverrides. | ||
63 | if [ -x /usr/sbin/dpkg-statoverride ] && | ||
64 | override="$(dpkg-statoverride --list /usr/lib/ssh-keysign)"; then | ||
65 | override_user="${override%% *}" | ||
66 | override="${override#* }" | ||
67 | override_group="${override%% *}" | ||
68 | override="${override#* }" | ||
69 | override_mode="${override%% *}" | ||
70 | if dpkg-statoverride --update --add \ | ||
71 | "$override_user" "$override_group" "$override_mode" \ | ||
72 | /usr/lib/openssh/ssh-keysign; then | ||
73 | dpkg-statoverride --remove /usr/lib/ssh-keysign || true | ||
74 | fi | ||
75 | fi | ||
76 | } | ||
77 | |||
78 | fix_ssh_group() { | ||
79 | # Try to remove non-system group mistakenly created by 1:3.5p1-1. | ||
80 | # set_ssh_agent_permissions() below will re-create it properly. | ||
81 | if getent group ssh >/dev/null; then | ||
82 | delgroup --quiet ssh || true | ||
83 | fi | ||
84 | } | ||
85 | |||
86 | set_ssh_agent_permissions() { | ||
87 | if ! getent group ssh >/dev/null; then | ||
88 | addgroup --system --quiet ssh | ||
89 | fi | ||
90 | if ! [ -x /usr/sbin/dpkg-statoverride ] || \ | ||
91 | ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then | ||
92 | chgrp ssh /usr/bin/ssh-agent | ||
93 | chmod 2755 /usr/bin/ssh-agent | ||
94 | fi | ||
95 | } | ||
96 | |||
97 | commit_transfer_conffile () { | ||
98 | CONFFILE="$1" | ||
99 | if [ -e "$CONFFILE.moved-by-preinst" ]; then | ||
100 | rm -f "$CONFFILE.moved-by-preinst" | ||
101 | fi | ||
102 | } | ||
103 | |||
104 | |||
105 | fix_rsh_diversion | ||
106 | create_alternatives | ||
107 | set_ssh_permissions | ||
108 | if [ "$2" = "1:3.5p1-1" ]; then | ||
109 | fix_ssh_group | ||
110 | fi | ||
111 | set_ssh_agent_permissions | ||
112 | commit_transfer_conffile /etc/ssh/moduli | ||
113 | commit_transfer_conffile /etc/ssh/ssh_config | ||
114 | |||
115 | exit 0 | ||
diff --git a/debian/openssh-client.postrm b/debian/openssh-client.postrm new file mode 100644 index 000000000..eb6fde06b --- /dev/null +++ b/debian/openssh-client.postrm | |||
@@ -0,0 +1,34 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | #DEBHELPER# | ||
4 | |||
5 | abort_transfer_conffile () { | ||
6 | CONFFILE="$1" | ||
7 | if [ -e "$CONFFILE.moved-by-preinst" ]; then | ||
8 | echo >&2 "Aborting ownership transfer of conffile $CONFFILE ..." | ||
9 | mv -f "$CONFFILE.moved-by-preinst" "$CONFFILE" | ||
10 | return 0 | ||
11 | fi | ||
12 | } | ||
13 | |||
14 | case $1 in | ||
15 | abort-install|abort-upgrade) | ||
16 | abort_transfer_conffile /etc/ssh/moduli | ||
17 | abort_transfer_conffile /etc/ssh/ssh_config | ||
18 | ;; | ||
19 | purge) | ||
20 | # Remove all non-conffiles that ssh might create, so that we | ||
21 | # can smoothly remove /etc/ssh if and only if the user | ||
22 | # hasn't dropped some other files in there. Conffiles have | ||
23 | # already been removed at this point. | ||
24 | rm -f /etc/ssh/moduli /etc/ssh/primes | ||
25 | rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 | ||
26 | rmdir --ignore-fail-on-non-empty /etc/ssh | ||
27 | |||
28 | if which delgroup; then | ||
29 | delgroup --quiet ssh > /dev/null || true | ||
30 | fi | ||
31 | ;; | ||
32 | esac | ||
33 | |||
34 | exit 0 | ||
diff --git a/debian/openssh-client.preinst b/debian/openssh-client.preinst new file mode 100644 index 000000000..0b29c051d --- /dev/null +++ b/debian/openssh-client.preinst | |||
@@ -0,0 +1,49 @@ | |||
1 | #! /bin/sh -e | ||
2 | |||
3 | ETC_SSH_MODULI=@ETC_SSH_MODULI@ | ||
4 | |||
5 | ETC_SSH_SSH_CONFIG=@ETC_SSH_SSH_CONFIG@ | ||
6 | |||
7 | action="$1" | ||
8 | version="$2" | ||
9 | |||
10 | prepare_transfer_conffile () { | ||
11 | CONFFILE="$1" | ||
12 | TEXT="$2" | ||
13 | MODE="$3" | ||
14 | [ "$CONFFILES" ] || return 0 | ||
15 | [ -e "$CONFFILE" ] || return 0 | ||
16 | |||
17 | md5sum="$(md5sum "$CONFFILE" |sed -e 's/ .*//')" | ||
18 | old_md5sum="$(echo "$CONFFILES" | awk '$1 == "'"$CONFFILE"'" { print $2 }')" | ||
19 | if [ "$md5sum" = "$old_md5sum" ]; then | ||
20 | echo >&2 "Transferring ownership of conffile $CONFFILE ..." | ||
21 | # We have to write out the desired new text of the conffile, | ||
22 | # which is tricky in the preinst, hence the nasty way we | ||
23 | # have to hardcode the text here. Fortunately, this is only | ||
24 | # necessary with sarge's dpkg and older. | ||
25 | if echo "$TEXT" | head -n1 | grep -q '^@.*@$'; then | ||
26 | echo >&2 'Unsubstituted conffile text! Please report this bug.' | ||
27 | exit 1 | ||
28 | fi | ||
29 | printf '%s' "$TEXT" >"$CONFFILE.dpkg-new" | ||
30 | chmod "$MODE" "$CONFFILE.dpkg-new" | ||
31 | mv -f "$CONFFILE" "$CONFFILE.moved-by-preinst" | ||
32 | mv -f "$CONFFILE.dpkg-new" "$CONFFILE" | ||
33 | return 0 | ||
34 | fi | ||
35 | } | ||
36 | |||
37 | case $action in | ||
38 | install|upgrade) | ||
39 | if dpkg --compare-versions "$version" lt 0; then | ||
40 | CONFFILES="$(dpkg-query -W -f '${Conffiles}\n' ssh 2>/dev/null | sed 's/^ *//')" | ||
41 | prepare_transfer_conffile /etc/ssh/moduli "$ETC_SSH_MODULI" 0644 | ||
42 | prepare_transfer_conffile /etc/ssh/ssh_config "$ETC_SSH_SSH_CONFIG" 0644 | ||
43 | fi | ||
44 | ;; | ||
45 | esac | ||
46 | |||
47 | #DEBHELPER# | ||
48 | |||
49 | exit 0 | ||
diff --git a/debian/openssh-client.prerm b/debian/openssh-client.prerm new file mode 100644 index 000000000..2d631cb9c --- /dev/null +++ b/debian/openssh-client.prerm | |||
@@ -0,0 +1,39 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | update-alternatives --quiet --remove rsh /usr/bin/ssh | ||
21 | update-alternatives --quiet --remove rlogin /usr/bin/slogin | ||
22 | update-alternatives --quiet --remove rcp /usr/bin/scp | ||
23 | ;; | ||
24 | upgrade) | ||
25 | ;; | ||
26 | failed-upgrade) | ||
27 | ;; | ||
28 | *) | ||
29 | echo "prerm called with unknown argument \`$1'" >&2 | ||
30 | exit 0 | ||
31 | ;; | ||
32 | esac | ||
33 | |||
34 | # dh_installdeb will replace this with shell code automatically | ||
35 | # generated by other debhelper scripts. | ||
36 | |||
37 | #DEBHELPER# | ||
38 | |||
39 | exit 0 | ||
diff --git a/debian/openssh-server-udeb.dirs b/debian/openssh-server-udeb.dirs new file mode 100644 index 000000000..f2b0bd9da --- /dev/null +++ b/debian/openssh-server-udeb.dirs | |||
@@ -0,0 +1,3 @@ | |||
1 | usr/bin | ||
2 | usr/sbin | ||
3 | var/run/sshd | ||
diff --git a/debian/openssh-server-udeb.install b/debian/openssh-server-udeb.install new file mode 100644 index 000000000..05ccbf7af --- /dev/null +++ b/debian/openssh-server-udeb.install | |||
@@ -0,0 +1,2 @@ | |||
1 | sshd usr/sbin | ||
2 | ssh-keygen usr/bin | ||
diff --git a/debian/openssh-server.config b/debian/openssh-server.config new file mode 100644 index 000000000..2a01aa806 --- /dev/null +++ b/debian/openssh-server.config | |||
@@ -0,0 +1,71 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | # Source debconf library. | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | |||
10 | |||
11 | get_config_option() { | ||
12 | option="$1" | ||
13 | |||
14 | [ -f /etc/ssh/sshd_config ] || return | ||
15 | |||
16 | # TODO: actually only one '=' allowed after option | ||
17 | perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ | ||
18 | /etc/ssh/sshd_config 2>/dev/null | ||
19 | } | ||
20 | |||
21 | |||
22 | if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh | ||
23 | then | ||
24 | db_fset ssh/use_old_init_script seen false | ||
25 | db_input medium ssh/use_old_init_script || true | ||
26 | db_go | ||
27 | |||
28 | db_get ssh/use_old_init_script | ||
29 | [ "$RET" = "false" ] && exit 0 | ||
30 | else | ||
31 | db_set ssh/use_old_init_script true | ||
32 | db_fset ssh/use_old_init_script seen true | ||
33 | fi | ||
34 | |||
35 | if [ -e /etc/ssh/sshd_config ] | ||
36 | then | ||
37 | # An empty version means we're upgrading from before the package split, | ||
38 | # so check. | ||
39 | if dpkg --compare-versions "$version" lt 1:3.8.1p1-11 | ||
40 | then | ||
41 | passwordauth="$(get_config_option PasswordAuthentication)" | ||
42 | crauth="$(get_config_option ChallengeResponseAuthentication)" | ||
43 | if [ "$passwordauth" = no ] && \ | ||
44 | ([ -z "$crauth" ] || [ "$crauth" = yes ]) | ||
45 | then | ||
46 | db_input critical ssh/disable_cr_auth || true | ||
47 | fi | ||
48 | fi | ||
49 | fi | ||
50 | |||
51 | key=/etc/ssh/ssh_host_key | ||
52 | export key | ||
53 | if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] && | ||
54 | dpkg --compare-versions "$version" lt 1.2.28 | ||
55 | then | ||
56 | # make sure that keys get updated to get rid of IDEA; preinst | ||
57 | # actually does the work, but if the old ssh-keygen is not found, | ||
58 | # it can't do that -- thus, we tell the user that he must create | ||
59 | # a new host key. | ||
60 | printf '\0\0' | 3<&0 sh -c \ | ||
61 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
62 | # this means that bytes 32&33 of the key were not both zero, in which | ||
63 | # case the key is encrypted, which we need to fix | ||
64 | db_input high ssh/encrypted_host_key_but_no_keygen || true | ||
65 | } | ||
66 | fi | ||
67 | |||
68 | |||
69 | db_go | ||
70 | |||
71 | exit 0 | ||
diff --git a/debian/openssh-server.dirs b/debian/openssh-server.dirs new file mode 100644 index 000000000..b008fbf2c --- /dev/null +++ b/debian/openssh-server.dirs | |||
@@ -0,0 +1,9 @@ | |||
1 | etc/init.d | ||
2 | etc/default | ||
3 | etc/network/if-up.d | ||
4 | etc/ufw/applications.d | ||
5 | usr/lib/openssh | ||
6 | usr/sbin | ||
7 | usr/share/lintian/overrides | ||
8 | usr/share/man/man5 | ||
9 | usr/share/man/man8 | ||
diff --git a/debian/openssh-server.examples b/debian/openssh-server.examples new file mode 100644 index 000000000..0d0e55a7a --- /dev/null +++ b/debian/openssh-server.examples | |||
@@ -0,0 +1 @@ | |||
sshd_config | |||
diff --git a/debian/openssh-server.if-up b/debian/openssh-server.if-up new file mode 100644 index 000000000..ce5d4dd17 --- /dev/null +++ b/debian/openssh-server.if-up | |||
@@ -0,0 +1,40 @@ | |||
1 | #! /bin/sh | ||
2 | # Reload the OpenSSH server when an interface comes up, to allow it to start | ||
3 | # listening on new addresses. | ||
4 | |||
5 | set -e | ||
6 | |||
7 | # Don't bother to restart sshd when lo is configured. | ||
8 | if [ "$IFACE" = lo ]; then | ||
9 | exit 0 | ||
10 | fi | ||
11 | |||
12 | # Only run from ifup. | ||
13 | if [ "$MODE" != start ]; then | ||
14 | exit 0 | ||
15 | fi | ||
16 | |||
17 | # OpenSSH only cares about inet and inet6. Get ye gone, strange people | ||
18 | # still using ipx. | ||
19 | if [ "$ADDRFAM" != inet ] && [ "$ADDRFAM" != inet6 ]; then | ||
20 | exit 0 | ||
21 | fi | ||
22 | |||
23 | # Is /usr mounted? | ||
24 | if [ ! -e /usr/sbin/sshd ]; then | ||
25 | exit 0 | ||
26 | fi | ||
27 | |||
28 | if [ ! -f /var/run/sshd.pid ] || \ | ||
29 | [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then | ||
30 | exit 0 | ||
31 | fi | ||
32 | |||
33 | # We'd like to use 'reload' here, but it has some problems; see #502444. | ||
34 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
35 | invoke-rc.d ssh restart >/dev/null 2>&1 || true | ||
36 | else | ||
37 | /etc/init.d/ssh restart >/dev/null 2>&1 || true | ||
38 | fi | ||
39 | |||
40 | exit 0 | ||
diff --git a/debian/openssh-server.install b/debian/openssh-server.install new file mode 100644 index 000000000..8e04c4170 --- /dev/null +++ b/debian/openssh-server.install | |||
@@ -0,0 +1,6 @@ | |||
1 | usr/lib/openssh/sftp-server | ||
2 | usr/sbin/sshd | ||
3 | usr/share/man/man5/authorized_keys.5 | ||
4 | usr/share/man/man5/sshd_config.5 | ||
5 | usr/share/man/man8/sftp-server.8 | ||
6 | usr/share/man/man8/sshd.8 | ||
diff --git a/debian/openssh-server.links b/debian/openssh-server.links new file mode 100644 index 000000000..2d98b1dcb --- /dev/null +++ b/debian/openssh-server.links | |||
@@ -0,0 +1 @@ | |||
usr/lib/openssh/sftp-server usr/lib/sftp-server | |||
diff --git a/debian/openssh-server.lintian-overrides b/debian/openssh-server.lintian-overrides new file mode 100644 index 000000000..17d912cb0 --- /dev/null +++ b/debian/openssh-server.lintian-overrides | |||
@@ -0,0 +1 @@ | |||
openssh-server: package-contains-empty-directory usr/share/doc/openssh-client/ | |||
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst new file mode 100644 index 000000000..d415f3f0d --- /dev/null +++ b/debian/openssh-server.postinst | |||
@@ -0,0 +1,495 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | . /usr/share/debconf/confmodule | ||
7 | db_version 2.0 | ||
8 | |||
9 | umask 022 | ||
10 | |||
11 | if [ "$action" != configure ] | ||
12 | then | ||
13 | exit 0 | ||
14 | fi | ||
15 | |||
16 | |||
17 | fix_doc_symlink() { | ||
18 | if [ ! -L /usr/share/doc/openssh-server ] && \ | ||
19 | dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then | ||
20 | rm -rf /usr/share/doc/openssh-server | ||
21 | ln -s openssh-client /usr/share/doc/openssh-server | ||
22 | fi | ||
23 | } | ||
24 | |||
25 | check_idea_key() { | ||
26 | # check for old host_key files using IDEA, which openssh does not | ||
27 | # support | ||
28 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
29 | cp -a /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.check_idea | ||
30 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key.check_idea 2>&1 | \ | ||
31 | grep -q 'unknown cipher' 2>/dev/null; then | ||
32 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
33 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
34 | fi | ||
35 | rm -f /etc/ssh/ssh_host_key.check_idea | ||
36 | fi | ||
37 | } | ||
38 | |||
39 | |||
40 | get_config_option() { | ||
41 | option="$1" | ||
42 | |||
43 | [ -f /etc/ssh/sshd_config ] || return | ||
44 | |||
45 | # TODO: actually only one '=' allowed after option | ||
46 | perl -lne 's/\s+/ /g; print if s/^\s*'"$option"'[[:space:]=]+//i' \ | ||
47 | /etc/ssh/sshd_config | ||
48 | } | ||
49 | |||
50 | |||
51 | set_config_option() { | ||
52 | option="$1" | ||
53 | value="$2" | ||
54 | |||
55 | perl -le ' | ||
56 | $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; | ||
57 | while (<STDIN>) { | ||
58 | chomp; | ||
59 | (my $match = $_) =~ s/\s+/ /g; | ||
60 | if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) { | ||
61 | $_ = $match; | ||
62 | $done = 1; | ||
63 | } | ||
64 | print; | ||
65 | } | ||
66 | print "$option $value" unless $done;' \ | ||
67 | "$option" "$value" \ | ||
68 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
69 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
70 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
71 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
72 | } | ||
73 | |||
74 | |||
75 | disable_config_option() { | ||
76 | option="$1" | ||
77 | |||
78 | value="$(get_config_option "$option")" | ||
79 | [ "$value" ] || return 0 | ||
80 | |||
81 | perl -le ' | ||
82 | $option = $ARGV[0]; | ||
83 | while (<STDIN>) { | ||
84 | chomp; | ||
85 | (my $match = $_) =~ s/\s+/ /g; | ||
86 | # TODO: actually only one "=" allowed after option | ||
87 | if ($match =~ s/^(\s*\Q$option\E[[:space:]=]+.*)/#$1/i) { | ||
88 | $_ = $match; | ||
89 | } | ||
90 | print; | ||
91 | }' \ | ||
92 | "$option" \ | ||
93 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
94 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
95 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
96 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
97 | } | ||
98 | |||
99 | |||
100 | rename_config_option() { | ||
101 | oldoption="$1" | ||
102 | newoption="$2" | ||
103 | |||
104 | value="$(get_config_option "$oldoption")" | ||
105 | [ "$value" ] || return 0 | ||
106 | |||
107 | perl -le ' | ||
108 | $oldoption = $ARGV[0]; $newoption = $ARGV[1]; | ||
109 | while (<STDIN>) { | ||
110 | chomp; | ||
111 | (my $match = $_) =~ s/\s+/ /g; | ||
112 | # TODO: actually only one "=" allowed after option | ||
113 | if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) { | ||
114 | $_ = $match; | ||
115 | } | ||
116 | print; | ||
117 | }' \ | ||
118 | "$oldoption" "$newoption" \ | ||
119 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
120 | chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
121 | chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new | ||
122 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
123 | } | ||
124 | |||
125 | |||
126 | remove_obsolete_gssapi() { | ||
127 | disable_config_option GSSAPINoMICAuthentication | ||
128 | disable_config_option GSSUseSessionCCache | ||
129 | disable_config_option GSSAPIUseSessionCredCache | ||
130 | } | ||
131 | |||
132 | |||
133 | host_keys_required() { | ||
134 | hostkeys="$(get_config_option HostKey)" | ||
135 | if [ "$hostkeys" ]; then | ||
136 | echo "$hostkeys" | ||
137 | else | ||
138 | # No HostKey directives at all, so the server picks some | ||
139 | # defaults depending on the setting of Protocol. | ||
140 | protocol="$(get_config_option Protocol)" | ||
141 | [ "$protocol" ] || protocol=1,2 | ||
142 | if echo "$protocol" | grep 1 >/dev/null; then | ||
143 | echo /etc/ssh/ssh_host_key | ||
144 | fi | ||
145 | if echo "$protocol" | grep 2 >/dev/null; then | ||
146 | echo /etc/ssh/ssh_host_rsa_key | ||
147 | echo /etc/ssh/ssh_host_dsa_key | ||
148 | fi | ||
149 | fi | ||
150 | } | ||
151 | |||
152 | |||
153 | create_key() { | ||
154 | msg="$1" | ||
155 | shift | ||
156 | hostkeys="$1" | ||
157 | shift | ||
158 | file="$1" | ||
159 | shift | ||
160 | |||
161 | if echo "$hostkeys" | grep -x "$file" >/dev/null && \ | ||
162 | [ ! -f "$file" ] ; then | ||
163 | echo -n $msg | ||
164 | ssh-keygen -q -f "$file" -N '' "$@" | ||
165 | echo | ||
166 | if which restorecon >/dev/null 2>&1; then | ||
167 | restorecon "$file.pub" | ||
168 | fi | ||
169 | fi | ||
170 | } | ||
171 | |||
172 | |||
173 | create_keys() { | ||
174 | hostkeys="$(host_keys_required)" | ||
175 | |||
176 | create_key "Creating SSH1 key; this may take some time ..." \ | ||
177 | "$hostkeys" /etc/ssh/ssh_host_key -t rsa1 | ||
178 | |||
179 | create_key "Creating SSH2 RSA key; this may take some time ..." \ | ||
180 | "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa | ||
181 | create_key "Creating SSH2 DSA key; this may take some time ..." \ | ||
182 | "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa | ||
183 | } | ||
184 | |||
185 | |||
186 | vulnerable_host_keys() { | ||
187 | # If the admin has explicitly put the vulnerable keys back, we | ||
188 | # assume they can look after themselves. | ||
189 | db_fget ssh/vulnerable_host_keys seen | ||
190 | if [ "$RET" = true ]; then | ||
191 | return 0 | ||
192 | fi | ||
193 | |||
194 | hostkeys="$(host_keys_required)" | ||
195 | vulnerable= | ||
196 | for hostkey in $hostkeys; do | ||
197 | [ -f "$hostkey" ] || continue | ||
198 | if ssh-vulnkey -q "$hostkey"; then | ||
199 | vulnerable="${vulnerable:+$vulnerable }$hostkey" | ||
200 | fi | ||
201 | done | ||
202 | if [ "$vulnerable" ]; then | ||
203 | db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable" | ||
204 | db_input critical ssh/vulnerable_host_keys || true | ||
205 | db_go | ||
206 | for hostkey in $vulnerable; do | ||
207 | mv "$hostkey" "$hostkey.broken" || true | ||
208 | mv "$hostkey.pub" "$hostkey.pub.broken" || true | ||
209 | done | ||
210 | create_keys | ||
211 | fi | ||
212 | } | ||
213 | |||
214 | |||
215 | check_password_auth() { | ||
216 | passwordauth="$(get_config_option PasswordAuthentication)" | ||
217 | crauth="$(get_config_option ChallengeResponseAuthentication)" | ||
218 | if [ "$passwordauth" = no ] && \ | ||
219 | ([ -z "$crauth" ] || [ "$crauth" = yes ]); then | ||
220 | db_get ssh/disable_cr_auth | ||
221 | if [ "$RET" = true ]; then | ||
222 | set_config_option ChallengeResponseAuthentication no | ||
223 | fi | ||
224 | fi | ||
225 | } | ||
226 | |||
227 | |||
228 | move_subsystem_sftp() { | ||
229 | subsystem_sftp="$(get_config_option 'Subsystem sftp')" | ||
230 | if [ "$subsystem_sftp" = /usr/lib/sftp-server ] || \ | ||
231 | [ "$subsystem_sftp" = /usr/libexec/sftp-server ]; then | ||
232 | set_config_option 'Subsystem sftp' /usr/lib/openssh/sftp-server | ||
233 | fi | ||
234 | } | ||
235 | |||
236 | |||
237 | fix_loglevel_silent() { | ||
238 | if [ "$(get_config_option LogLevel)" = SILENT ]; then | ||
239 | set_config_option LogLevel QUIET | ||
240 | fi | ||
241 | } | ||
242 | |||
243 | |||
244 | create_sshdconfig() { | ||
245 | if [ -e /etc/ssh/sshd_config ] ; then | ||
246 | # Upgrade an existing sshd configuration. | ||
247 | |||
248 | if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ | ||
249 | ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ | ||
250 | grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ | ||
251 | /etc/ssh/sshd_config ; then | ||
252 | # Upgrade from pre-3.7: UsePAM needed to maintain standard | ||
253 | # Debian configuration. | ||
254 | # Note that --compare-versions is sadly not reliable enough | ||
255 | # here due to the package split of ssh into openssh-client | ||
256 | # and openssh-server. The extra grep for some deprecated | ||
257 | # options should with any luck be a good enough heuristic. | ||
258 | echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' | ||
259 | cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
260 | perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ | ||
261 | /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
262 | echo >> /etc/ssh/sshd_config.dpkg-new | ||
263 | echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new | ||
264 | chown --reference /etc/ssh/sshd_config \ | ||
265 | /etc/ssh/sshd_config.dpkg-new | ||
266 | chmod --reference /etc/ssh/sshd_config \ | ||
267 | /etc/ssh/sshd_config.dpkg-new | ||
268 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
269 | echo | ||
270 | fi | ||
271 | |||
272 | # An empty version means we're upgrading from before the | ||
273 | # package split, so check. | ||
274 | if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then | ||
275 | check_password_auth | ||
276 | fi | ||
277 | |||
278 | # libexecdir changed, so fix up 'Subsystem sftp'. | ||
279 | if dpkg --compare-versions "$oldversion" lt 1:4.1p1-1; then | ||
280 | move_subsystem_sftp | ||
281 | fi | ||
282 | |||
283 | # Remove obsolete GSSAPI options. | ||
284 | if dpkg --compare-versions "$oldversion" lt 1:4.3p2-8; then | ||
285 | remove_obsolete_gssapi | ||
286 | fi | ||
287 | |||
288 | # This option was renamed in 3.8p1, but we never took care | ||
289 | # of adjusting the configuration file until now. | ||
290 | if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then | ||
291 | rename_config_option KeepAlive TCPKeepAlive | ||
292 | fi | ||
293 | |||
294 | # 'LogLevel SILENT' is now equivalent to QUIET. | ||
295 | if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then | ||
296 | fix_loglevel_silent | ||
297 | fi | ||
298 | |||
299 | return 0 | ||
300 | fi | ||
301 | |||
302 | #Preserve old sshd_config before generating a new one | ||
303 | if [ -e /etc/ssh/sshd_config ] ; then | ||
304 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
305 | fi | ||
306 | |||
307 | cat <<EOF > /etc/ssh/sshd_config | ||
308 | # Package generated configuration file | ||
309 | # See the sshd_config(5) manpage for details | ||
310 | |||
311 | # What ports, IPs and protocols we listen for | ||
312 | Port 22 | ||
313 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
314 | #ListenAddress :: | ||
315 | #ListenAddress 0.0.0.0 | ||
316 | Protocol 2 | ||
317 | # HostKeys for protocol version 2 | ||
318 | HostKey /etc/ssh/ssh_host_rsa_key | ||
319 | HostKey /etc/ssh/ssh_host_dsa_key | ||
320 | #Privilege Separation is turned on for security | ||
321 | UsePrivilegeSeparation yes | ||
322 | |||
323 | # Lifetime and size of ephemeral version 1 server key | ||
324 | KeyRegenerationInterval 3600 | ||
325 | ServerKeyBits 768 | ||
326 | |||
327 | # Logging | ||
328 | SyslogFacility AUTH | ||
329 | LogLevel INFO | ||
330 | |||
331 | # Authentication: | ||
332 | LoginGraceTime 120 | ||
333 | PermitRootLogin yes | ||
334 | StrictModes yes | ||
335 | |||
336 | RSAAuthentication yes | ||
337 | PubkeyAuthentication yes | ||
338 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
339 | |||
340 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
341 | IgnoreRhosts yes | ||
342 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
343 | RhostsRSAAuthentication no | ||
344 | # similar for protocol version 2 | ||
345 | HostbasedAuthentication no | ||
346 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
347 | #IgnoreUserKnownHosts yes | ||
348 | |||
349 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
350 | PermitEmptyPasswords no | ||
351 | |||
352 | # Change to yes to enable challenge-response passwords (beware issues with | ||
353 | # some PAM modules and threads) | ||
354 | ChallengeResponseAuthentication no | ||
355 | |||
356 | # Change to no to disable tunnelled clear text passwords | ||
357 | #PasswordAuthentication yes | ||
358 | |||
359 | # Kerberos options | ||
360 | #KerberosAuthentication no | ||
361 | #KerberosGetAFSToken no | ||
362 | #KerberosOrLocalPasswd yes | ||
363 | #KerberosTicketCleanup yes | ||
364 | |||
365 | # GSSAPI options | ||
366 | #GSSAPIAuthentication no | ||
367 | #GSSAPICleanupCredentials yes | ||
368 | |||
369 | X11Forwarding yes | ||
370 | X11DisplayOffset 10 | ||
371 | PrintMotd no | ||
372 | PrintLastLog yes | ||
373 | TCPKeepAlive yes | ||
374 | #UseLogin no | ||
375 | |||
376 | #MaxStartups 10:30:60 | ||
377 | #Banner /etc/issue.net | ||
378 | |||
379 | # Allow client to pass locale environment variables | ||
380 | AcceptEnv LANG LC_* | ||
381 | |||
382 | Subsystem sftp /usr/lib/openssh/sftp-server | ||
383 | |||
384 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
385 | # and session processing. If this is enabled, PAM authentication will | ||
386 | # be allowed through the ChallengeResponseAuthentication and | ||
387 | # PasswordAuthentication. Depending on your PAM configuration, | ||
388 | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
389 | # the setting of "PermitRootLogin without-password". | ||
390 | # If you just want the PAM account and session checks to run without | ||
391 | # PAM authentication, then enable this but set PasswordAuthentication | ||
392 | # and ChallengeResponseAuthentication to 'no'. | ||
393 | UsePAM yes | ||
394 | EOF | ||
395 | } | ||
396 | |||
397 | fix_statoverride() { | ||
398 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
399 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
400 | if dpkg-statoverride --list /usr/sbin/sshd >/dev/null ; then | ||
401 | dpkg-statoverride --remove /usr/sbin/sshd | ||
402 | fi | ||
403 | fi | ||
404 | } | ||
405 | |||
406 | fix_sshd_shell() { | ||
407 | if getent passwd sshd | grep -q ':/bin/false$'; then | ||
408 | usermod -s /usr/sbin/nologin sshd || true | ||
409 | fi | ||
410 | } | ||
411 | |||
412 | setup_sshd_user() { | ||
413 | if ! getent passwd sshd >/dev/null; then | ||
414 | adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd | ||
415 | fi | ||
416 | } | ||
417 | |||
418 | fix_conffile_permissions() { | ||
419 | # Clean up after executable /etc/default/ssh in 1:3.5p1-5. dpkg | ||
420 | # doesn't do this for us; see bug #192981. | ||
421 | chmod 644 /etc/default/ssh | ||
422 | } | ||
423 | |||
424 | remove_old_init_links() { | ||
425 | # Yes, this only works with the SysV init script layout. I know. | ||
426 | # The important thing is that it doesn't actually *break* with | ||
427 | # file-rc ... | ||
428 | if [ -e /etc/rc2.d/S20ssh ]; then | ||
429 | update-rc.d -f ssh remove >/dev/null 2>&1 | ||
430 | fi | ||
431 | rm -f /etc/rc0.d/K??ssh /etc/rc1.d/K??ssh /etc/rc6.d/K??ssh | ||
432 | } | ||
433 | |||
434 | setup_init() { | ||
435 | if [ -x /etc/init.d/ssh ]; then | ||
436 | update-rc.d ssh start 16 2 3 4 5 . >/dev/null | ||
437 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
438 | invoke-rc.d ssh restart | ||
439 | else | ||
440 | /etc/init.d/ssh restart | ||
441 | fi | ||
442 | fi | ||
443 | } | ||
444 | |||
445 | commit_transfer_conffile () { | ||
446 | CONFFILE="$1" | ||
447 | if [ -e "$CONFFILE.moved-by-preinst" ]; then | ||
448 | rm -f "$CONFFILE.moved-by-preinst" | ||
449 | fi | ||
450 | } | ||
451 | |||
452 | commit_mv_conffile () { | ||
453 | OLDCONFFILE="$1" | ||
454 | NEWCONFFILE="$2" | ||
455 | |||
456 | if [ -e "$OLDCONFFILE.moving" ]; then | ||
457 | echo "Preserving user changes to $NEWCONFFILE ..." | ||
458 | mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new" | ||
459 | mv -f "$OLDCONFFILE.moving" "$NEWCONFFILE" | ||
460 | elif [ -e "$OLDCONFFILE.dpkg-old" ]; then | ||
461 | rm -f "$OLDCONFFILE.dpkg-old" | ||
462 | fi | ||
463 | } | ||
464 | |||
465 | |||
466 | fix_doc_symlink | ||
467 | create_sshdconfig | ||
468 | check_idea_key | ||
469 | create_keys | ||
470 | vulnerable_host_keys | ||
471 | fix_statoverride | ||
472 | if dpkg --compare-versions "$2" lt 1:4.3p2-3; then | ||
473 | fix_sshd_shell | ||
474 | fi | ||
475 | setup_sshd_user | ||
476 | if dpkg --compare-versions "$2" lt 1:3.6.1p2-2; then | ||
477 | fix_conffile_permissions | ||
478 | fi | ||
479 | if dpkg --compare-versions "$2" lt 1:5.2p1-1; then | ||
480 | remove_old_init_links | ||
481 | fi | ||
482 | setup_init | ||
483 | commit_transfer_conffile /etc/default/ssh | ||
484 | commit_transfer_conffile /etc/init.d/ssh | ||
485 | commit_transfer_conffile /etc/pam.d/ssh | ||
486 | commit_mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd | ||
487 | # Renamed to /etc/ssh/moduli in 2.9.9 (!) | ||
488 | if dpkg --compare-versions "$2" lt 1:4.7p1-1; then | ||
489 | rm -f /etc/ssh/primes | ||
490 | fi | ||
491 | |||
492 | |||
493 | db_stop | ||
494 | |||
495 | exit 0 | ||
diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm new file mode 100644 index 000000000..7258d5f99 --- /dev/null +++ b/debian/openssh-server.postrm | |||
@@ -0,0 +1,65 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | #DEBHELPER# | ||
4 | |||
5 | abort_mv_conffile () { | ||
6 | CONFFILE="$1" | ||
7 | |||
8 | if [ ! -e "$CONFFILE" ]; then | ||
9 | if [ -e "$CONFFILE.dpkg-old" ]; then | ||
10 | mv -f "$CONFFILE.dpkg-old" "$CONFFILE" | ||
11 | elif [ -e "$CONFFILE.moving" ]; then | ||
12 | mv -f "$CONFFILE.moving" "$CONFFILE" | ||
13 | fi | ||
14 | fi | ||
15 | } | ||
16 | |||
17 | finish_mv_conffile () { | ||
18 | CONFFILE="$1" | ||
19 | |||
20 | if [ -e "$CONFFILE.dpkg-old" ]; then | ||
21 | rm -f "$CONFFILE.dpkg-old" | ||
22 | fi | ||
23 | } | ||
24 | |||
25 | abort_transfer_conffile () { | ||
26 | CONFFILE="$1" | ||
27 | if [ -e "$CONFFILE.moved-by-preinst" ]; then | ||
28 | echo >&2 "Aborting ownership transfer of conffile $CONFFILE ..." | ||
29 | mv -f "$CONFFILE.moved-by-preinst" "$CONFFILE" | ||
30 | return 0 | ||
31 | fi | ||
32 | } | ||
33 | |||
34 | case $1 in | ||
35 | abort-install|abort-upgrade) | ||
36 | if dpkg --compare-versions "$2" lt 1:4.7p1-4; then | ||
37 | abort_mv_conffile /etc/pam.d/ssh | ||
38 | fi | ||
39 | abort_transfer_conffile /etc/default/ssh | ||
40 | abort_transfer_conffile /etc/init.d/ssh | ||
41 | abort_transfer_conffile /etc/pam.d/ssh | ||
42 | ;; | ||
43 | purge) | ||
44 | # Remove all non-conffiles that ssh might create, so that we | ||
45 | # can smoothly remove /etc/ssh if and only if the user | ||
46 | # hasn't dropped some other files in there. Conffiles have | ||
47 | # already been removed at this point. | ||
48 | rm -f /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub | ||
49 | rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub | ||
50 | rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub | ||
51 | rm -f /etc/ssh/sshd_config | ||
52 | rm -f /etc/ssh/sshd_not_to_be_run | ||
53 | rmdir --ignore-fail-on-non-empty /etc/ssh | ||
54 | |||
55 | update-rc.d ssh remove >/dev/null | ||
56 | |||
57 | if which deluser >/dev/null 2>&1; then | ||
58 | deluser --quiet sshd > /dev/null || true | ||
59 | fi | ||
60 | |||
61 | finish_mv_conffile /etc/pam.d/ssh | ||
62 | ;; | ||
63 | esac | ||
64 | |||
65 | exit 0 | ||
diff --git a/debian/openssh-server.preinst b/debian/openssh-server.preinst new file mode 100644 index 000000000..43c4b57f9 --- /dev/null +++ b/debian/openssh-server.preinst | |||
@@ -0,0 +1,139 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | ETC_DEFAULT_SSH=@ETC_DEFAULT_SSH@ | ||
4 | |||
5 | ETC_INIT_D_SSH=@ETC_INIT_D_SSH@ | ||
6 | |||
7 | ETC_PAM_D_SSH=@ETC_PAM_D_SSH@ | ||
8 | |||
9 | action=$1 | ||
10 | version=$2 | ||
11 | |||
12 | prepare_transfer_conffile () { | ||
13 | CONFFILE="$1" | ||
14 | TEXT="$2" | ||
15 | MODE="$3" | ||
16 | [ "$CONFFILES" ] || return 0 | ||
17 | [ -e "$CONFFILE" ] || return 0 | ||
18 | |||
19 | md5sum="$(md5sum "$CONFFILE" |sed -e 's/ .*//')" | ||
20 | old_md5sum="$(echo "$CONFFILES" | awk '$1 == "'"$CONFFILE"'" { print $2 }')" | ||
21 | if [ "$md5sum" = "$old_md5sum" ]; then | ||
22 | echo >&2 "Transferring ownership of conffile $CONFFILE ..." | ||
23 | # We have to write out the desired new text of the conffile, | ||
24 | # which is tricky in the preinst, hence the nasty way we | ||
25 | # have to hardcode the text here. Fortunately, this is only | ||
26 | # necessary with sarge's dpkg and older. | ||
27 | if echo "$TEXT" | head -n1 | grep -q '^@.*@$'; then | ||
28 | echo >&2 'Unsubstituted conffile text! Please report this bug.' | ||
29 | exit 1 | ||
30 | fi | ||
31 | printf '%s' "$TEXT" >"$CONFFILE.dpkg-new" | ||
32 | chmod "$MODE" "$CONFFILE.dpkg-new" | ||
33 | mv -f "$CONFFILE" "$CONFFILE.moved-by-preinst" | ||
34 | mv -f "$CONFFILE.dpkg-new" "$CONFFILE" | ||
35 | return 0 | ||
36 | fi | ||
37 | } | ||
38 | |||
39 | prepare_mv_conffile () { | ||
40 | CONFFILE="$1" | ||
41 | [ -e "$CONFFILE" ] || return 0 | ||
42 | |||
43 | md5sum="$(md5sum "$CONFFILE" | sed -e 's/ .*//')" | ||
44 | old_md5sum="$(dpkg-query -W -f '${Conffiles}\n' openssh-server 2>/dev/null | sed 's/^ *//' | awk '$1 == "'"$CONFFILE"'" { print $2 }')" | ||
45 | if [ "$md5sum" = "$old_md5sum" ]; then | ||
46 | mv -f "$CONFFILE" "$CONFFILE.dpkg-old" | ||
47 | else | ||
48 | mv -f "$CONFFILE" "$CONFFILE.moving" | ||
49 | fi | ||
50 | } | ||
51 | |||
52 | if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then | ||
53 | version=1.2.27 | ||
54 | fi | ||
55 | |||
56 | if [ "$action" = upgrade ] || [ "$action" = install ] | ||
57 | then | ||
58 | # check if debconf is missing | ||
59 | if ! test -f /usr/share/debconf/confmodule | ||
60 | then | ||
61 | cat <<EOF | ||
62 | |||
63 | WARNING: ssh's pre-configuration script relies on debconf to tell you | ||
64 | about some problems that might prevent you from logging in if you are | ||
65 | upgrading from the old, Non-free version of ssh. | ||
66 | |||
67 | If this is a new installation, you don't need to worry about this. | ||
68 | Just go ahead and install ssh (make sure to read .../ssh/README.Debian). | ||
69 | |||
70 | If you are upgrading, but you have alternative ways of logging into | ||
71 | the machine (i.e. you're sitting in front of it, or you have telnetd | ||
72 | running), then you also don't need to worry too much, because you can | ||
73 | fix it up afterwards if there's a problem. | ||
74 | |||
75 | If you're upgrading from an older (non-free) version of ssh, and ssh | ||
76 | is the only way you have to access this machine, then you should | ||
77 | probably abort the installation of ssh, install debconf, and then | ||
78 | retry the installation of ssh. | ||
79 | |||
80 | EOF | ||
81 | echo -n "Do you want to install SSH anyway [yN]: " | ||
82 | read input | ||
83 | expr "$input" : '[Yy]' >/dev/null || exit 1 | ||
84 | |||
85 | # work around for missing debconf | ||
86 | db_get() { : ; } | ||
87 | RET=true | ||
88 | if [ -d /etc/ssh-nonfree ] && [ ! -d /etc/ssh ]; then | ||
89 | cp -a /etc/ssh-nonfree /etc/ssh | ||
90 | fi | ||
91 | else | ||
92 | # Source debconf library. | ||
93 | . /usr/share/debconf/confmodule | ||
94 | db_version 2.0 | ||
95 | fi | ||
96 | |||
97 | db_get ssh/use_old_init_script | ||
98 | if [ "$RET" = "false" ]; then | ||
99 | echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2 | ||
100 | exit 1 | ||
101 | fi | ||
102 | |||
103 | # deal with upgrading from pre-OpenSSH versions | ||
104 | key=/etc/ssh/ssh_host_key | ||
105 | export key | ||
106 | if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] && | ||
107 | dpkg --compare-versions "$version" lt 1.2.28 | ||
108 | then | ||
109 | # make sure that keys get updated to get rid of IDEA | ||
110 | # | ||
111 | # N.B. this only works because we've still got the old | ||
112 | # nonfree ssh-keygen at this point | ||
113 | # | ||
114 | # First, check if we need to bother | ||
115 | printf '\0\0' | 3<&0 sh -c \ | ||
116 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
117 | # this means that bytes 32&33 of the key were not both zero, in which | ||
118 | # case the key is encrypted, which we need to fix | ||
119 | chmod 600 $key | ||
120 | ssh-keygen -u -f $key >/dev/null | ||
121 | if which restorecon >/dev/null 2>&1; then | ||
122 | restorecon "$key.pub" | ||
123 | fi | ||
124 | } | ||
125 | fi | ||
126 | |||
127 | if dpkg --compare-versions "$version" lt 0; then | ||
128 | CONFFILES="$(dpkg-query -W -f '${Conffiles}\n' ssh 2>/dev/null | sed 's/^ *//')" | ||
129 | prepare_transfer_conffile /etc/default/ssh "$ETC_DEFAULT_SSH" 0644 | ||
130 | prepare_transfer_conffile /etc/init.d/ssh "$ETC_INIT_D_SSH" 0755 | ||
131 | prepare_transfer_conffile /etc/pam.d/ssh "$ETC_PAM_D_SSH" 0644 | ||
132 | fi | ||
133 | |||
134 | if dpkg --compare-versions "$version" lt 1:4.7p1-4; then | ||
135 | prepare_mv_conffile /etc/pam.d/ssh | ||
136 | fi | ||
137 | fi | ||
138 | |||
139 | #DEBHELPER# | ||
diff --git a/debian/openssh-server.prerm b/debian/openssh-server.prerm new file mode 100644 index 000000000..9c3313aac --- /dev/null +++ b/debian/openssh-server.prerm | |||
@@ -0,0 +1,48 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | if [ -x /etc/init.d/ssh ]; then | ||
21 | if [ -x /usr/sbin/invoke-rc.d ]; then | ||
22 | invoke-rc.d ssh stop | ||
23 | else | ||
24 | /etc/init.d/ssh stop | ||
25 | fi | ||
26 | fi | ||
27 | ;; | ||
28 | upgrade) | ||
29 | # remove symlink on downgrade to when it was a directory | ||
30 | if [ -L /usr/share/doc/openssh-server ] && \ | ||
31 | dpkg --compare-versions "$2" lt-nl 1:4.1p1-5; then | ||
32 | rm -f /usr/share/doc/openssh-server | ||
33 | fi | ||
34 | ;; | ||
35 | failed-upgrade) | ||
36 | ;; | ||
37 | *) | ||
38 | echo "prerm called with unknown argument \`$1'" >&2 | ||
39 | exit 0 | ||
40 | ;; | ||
41 | esac | ||
42 | |||
43 | # dh_installdeb will replace this with shell code automatically | ||
44 | # generated by other debhelper scripts. | ||
45 | |||
46 | #DEBHELPER# | ||
47 | |||
48 | exit 0 | ||
diff --git a/debian/openssh-server.ssh.default b/debian/openssh-server.ssh.default new file mode 100644 index 000000000..304042224 --- /dev/null +++ b/debian/openssh-server.ssh.default | |||
@@ -0,0 +1,5 @@ | |||
1 | # Default settings for openssh-server. This file is sourced by /bin/sh from | ||
2 | # /etc/init.d/ssh. | ||
3 | |||
4 | # Options to pass to sshd | ||
5 | SSHD_OPTS= | ||
diff --git a/debian/openssh-server.ssh.init b/debian/openssh-server.ssh.init new file mode 100644 index 000000000..62bcc21d4 --- /dev/null +++ b/debian/openssh-server.ssh.init | |||
@@ -0,0 +1,164 @@ | |||
1 | #! /bin/sh | ||
2 | |||
3 | ### BEGIN INIT INFO | ||
4 | # Provides: sshd | ||
5 | # Required-Start: $remote_fs $syslog | ||
6 | # Required-Stop: $remote_fs $syslog | ||
7 | # Default-Start: 2 3 4 5 | ||
8 | # Default-Stop: | ||
9 | # Short-Description: OpenBSD Secure Shell server | ||
10 | ### END INIT INFO | ||
11 | |||
12 | set -e | ||
13 | |||
14 | # /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon | ||
15 | |||
16 | test -x /usr/sbin/sshd || exit 0 | ||
17 | ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 | ||
18 | |||
19 | umask 022 | ||
20 | |||
21 | if test -f /etc/default/ssh; then | ||
22 | . /etc/default/ssh | ||
23 | fi | ||
24 | |||
25 | . /lib/lsb/init-functions | ||
26 | |||
27 | if [ -n "$2" ]; then | ||
28 | SSHD_OPTS="$SSHD_OPTS $2" | ||
29 | fi | ||
30 | |||
31 | # Are we running from init? | ||
32 | run_by_init() { | ||
33 | ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ] | ||
34 | } | ||
35 | |||
36 | check_for_no_start() { | ||
37 | # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists | ||
38 | if [ -e /etc/ssh/sshd_not_to_be_run ]; then | ||
39 | if [ "$1" = log_end_msg ]; then | ||
40 | log_end_msg 0 | ||
41 | fi | ||
42 | if ! run_by_init; then | ||
43 | log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" | ||
44 | fi | ||
45 | exit 0 | ||
46 | fi | ||
47 | } | ||
48 | |||
49 | check_dev_null() { | ||
50 | if [ ! -c /dev/null ]; then | ||
51 | if [ "$1" = log_end_msg ]; then | ||
52 | log_end_msg 1 || true | ||
53 | fi | ||
54 | if ! run_by_init; then | ||
55 | log_action_msg "/dev/null is not a character device!" | ||
56 | fi | ||
57 | exit 1 | ||
58 | fi | ||
59 | } | ||
60 | |||
61 | check_privsep_dir() { | ||
62 | # Create the PrivSep empty dir if necessary | ||
63 | if [ ! -d /var/run/sshd ]; then | ||
64 | mkdir /var/run/sshd | ||
65 | chmod 0755 /var/run/sshd | ||
66 | fi | ||
67 | } | ||
68 | |||
69 | check_config() { | ||
70 | if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then | ||
71 | /usr/sbin/sshd $SSHD_OPTS -t || exit 1 | ||
72 | fi | ||
73 | } | ||
74 | |||
75 | export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" | ||
76 | |||
77 | case "$1" in | ||
78 | start) | ||
79 | check_privsep_dir | ||
80 | check_for_no_start | ||
81 | check_dev_null | ||
82 | log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" | ||
83 | if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then | ||
84 | log_end_msg 0 | ||
85 | else | ||
86 | log_end_msg 1 | ||
87 | fi | ||
88 | ;; | ||
89 | stop) | ||
90 | log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" | ||
91 | if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then | ||
92 | log_end_msg 0 | ||
93 | else | ||
94 | log_end_msg 1 | ||
95 | fi | ||
96 | ;; | ||
97 | |||
98 | reload|force-reload) | ||
99 | check_for_no_start | ||
100 | check_config | ||
101 | log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" | ||
102 | if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then | ||
103 | log_end_msg 0 | ||
104 | else | ||
105 | log_end_msg 1 | ||
106 | fi | ||
107 | ;; | ||
108 | |||
109 | restart) | ||
110 | check_privsep_dir | ||
111 | check_config | ||
112 | log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" | ||
113 | start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid | ||
114 | check_for_no_start log_end_msg | ||
115 | check_dev_null log_end_msg | ||
116 | if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then | ||
117 | log_end_msg 0 | ||
118 | else | ||
119 | log_end_msg 1 | ||
120 | fi | ||
121 | ;; | ||
122 | |||
123 | try-restart) | ||
124 | check_privsep_dir | ||
125 | check_config | ||
126 | log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" | ||
127 | set +e | ||
128 | start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid | ||
129 | RET="$?" | ||
130 | set -e | ||
131 | case $RET in | ||
132 | 0) | ||
133 | # old daemon stopped | ||
134 | check_for_no_start log_end_msg | ||
135 | check_dev_null log_end_msg | ||
136 | if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then | ||
137 | log_end_msg 0 | ||
138 | else | ||
139 | log_end_msg 1 | ||
140 | fi | ||
141 | ;; | ||
142 | 1) | ||
143 | # daemon not running | ||
144 | log_progress_msg "(not running)" | ||
145 | log_end_msg 0 | ||
146 | ;; | ||
147 | *) | ||
148 | # failed to stop | ||
149 | log_progress_msg "(failed to stop)" | ||
150 | log_end_msg 1 | ||
151 | ;; | ||
152 | esac | ||
153 | ;; | ||
154 | |||
155 | status) | ||
156 | status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $? | ||
157 | ;; | ||
158 | |||
159 | *) | ||
160 | log_action_msg "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}" | ||
161 | exit 1 | ||
162 | esac | ||
163 | |||
164 | exit 0 | ||
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam new file mode 100644 index 000000000..9b7695184 --- /dev/null +++ b/debian/openssh-server.sshd.pam | |||
@@ -0,0 +1,39 @@ | |||
1 | # PAM configuration for the Secure Shell service | ||
2 | |||
3 | # Read environment variables from /etc/environment and | ||
4 | # /etc/security/pam_env.conf. | ||
5 | auth required pam_env.so # [1] | ||
6 | # In Debian 4.0 (etch), locale-related environment variables were moved to | ||
7 | # /etc/default/locale, so read that as well. | ||
8 | auth required pam_env.so envfile=/etc/default/locale | ||
9 | |||
10 | # Standard Un*x authentication. | ||
11 | @include common-auth | ||
12 | |||
13 | # Disallow non-root logins when /etc/nologin exists. | ||
14 | account required pam_nologin.so | ||
15 | |||
16 | # Uncomment and edit /etc/security/access.conf if you need to set complex | ||
17 | # access limits that are hard to express in sshd_config. | ||
18 | # account required pam_access.so | ||
19 | |||
20 | # Standard Un*x authorization. | ||
21 | @include common-account | ||
22 | |||
23 | # Standard Un*x session setup and teardown. | ||
24 | @include common-session | ||
25 | |||
26 | # Print the message of the day upon successful login. | ||
27 | session optional pam_motd.so # [1] | ||
28 | |||
29 | # Print the status of the user's mailbox upon successful login. | ||
30 | session optional pam_mail.so standard noenv # [1] | ||
31 | |||
32 | # Set up user limits from /etc/security/limits.conf. | ||
33 | session required pam_limits.so | ||
34 | |||
35 | # Set up SELinux capabilities (need modified pam) | ||
36 | # session required pam_selinux.so multiple | ||
37 | |||
38 | # Standard Un*x password updating. | ||
39 | @include common-password | ||
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates new file mode 100644 index 000000000..6c7d3999d --- /dev/null +++ b/debian/openssh-server.templates | |||
@@ -0,0 +1,68 @@ | |||
1 | # These templates have been reviewed by the debian-l10n-english | ||
2 | # team | ||
3 | # | ||
4 | # If modifications/additions/rewording are needed, please ask | ||
5 | # for an advice to debian-l10n-english@lists.debian.org | ||
6 | # | ||
7 | # Even minor modifications require translation updates and such | ||
8 | # changes should be coordinated with translators and reviewers. | ||
9 | # | ||
10 | Template: ssh/use_old_init_script | ||
11 | Type: boolean | ||
12 | Default: false | ||
13 | _Description: Do you want to risk killing active SSH sessions? | ||
14 | The currently installed version of /etc/init.d/ssh is likely to kill | ||
15 | all running sshd instances. If you are doing this upgrade via an SSH | ||
16 | session, you're likely to be disconnected and leave the upgrade | ||
17 | procedure unfinished. | ||
18 | . | ||
19 | This can be fixed by manually adding "--pidfile /var/run/sshd.pid" to | ||
20 | the start-stop-daemon line in the stop section of the file. | ||
21 | |||
22 | Template: ssh/encrypted_host_key_but_no_keygen | ||
23 | Type: note | ||
24 | _Description: New host key mandatory | ||
25 | The current host key, in /etc/ssh/ssh_host_key, is encrypted with the | ||
26 | IDEA algorithm. OpenSSH can not handle this host key file, and the | ||
27 | ssh-keygen utility from the old (non-free) SSH installation does not | ||
28 | appear to be available. | ||
29 | . | ||
30 | You need to manually generate a new host key. | ||
31 | |||
32 | Template: ssh/disable_cr_auth | ||
33 | Type: boolean | ||
34 | Default: false | ||
35 | _Description: Disable challenge-response authentication? | ||
36 | Password authentication appears to be disabled in the current OpenSSH | ||
37 | server configuration. In order to prevent users from logging in using | ||
38 | passwords (perhaps using only public key authentication instead) with | ||
39 | recent versions of OpenSSH, you must disable challenge-response | ||
40 | authentication, or else ensure that your PAM configuration does not allow | ||
41 | Unix password file authentication. | ||
42 | . | ||
43 | If you disable challenge-response authentication, then users will not be | ||
44 | able to log in using passwords. If you leave it enabled (the default | ||
45 | answer), then the 'PasswordAuthentication no' option will have no useful | ||
46 | effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. | ||
47 | |||
48 | Template: ssh/vulnerable_host_keys | ||
49 | Type: note | ||
50 | #flag:translate!:5 | ||
51 | _Description: Vulnerable host keys will be regenerated | ||
52 | Some of the OpenSSH server host keys on this system were generated with a | ||
53 | version of OpenSSL that had a broken random number generator. As a result, | ||
54 | these host keys are from a well-known set, are subject to brute-force | ||
55 | attacks, and must be regenerated. | ||
56 | . | ||
57 | Users of this system should be informed of this change, as they will be | ||
58 | prompted about the host key change the next time they log in. Use | ||
59 | 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade to print the | ||
60 | fingerprints of the new host keys. | ||
61 | . | ||
62 | The affected host keys are: | ||
63 | . | ||
64 | ${HOST_KEYS} | ||
65 | . | ||
66 | User keys may also be affected by this problem. The 'ssh-vulnkey' command | ||
67 | may be used as a partial test for this. See | ||
68 | /usr/share/doc/openssh-server/README.compromised-keys.gz for more details. | ||
diff --git a/debian/openssh-server.ufw.profile b/debian/openssh-server.ufw.profile new file mode 100644 index 000000000..9bbe906bc --- /dev/null +++ b/debian/openssh-server.ufw.profile | |||
@@ -0,0 +1,4 @@ | |||
1 | [OpenSSH] | ||
2 | title=Secure shell server, an rshd replacement | ||
3 | description=OpenSSH is a free implementation of the Secure Shell protocol. | ||
4 | ports=22/tcp | ||
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch new file mode 100644 index 000000000..34535f001 --- /dev/null +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -0,0 +1,18 @@ | |||
1 | Description: Install authorized_keys(5) as a symlink to sshd(8) | ||
2 | Author: Tomas Pospisek <tpo_deb@sourcepole.ch> | ||
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 | ||
4 | Bug-Debian: http://bugs.debian.org/441817 | ||
5 | Last-Update: 2010-03-01 | ||
6 | |||
7 | Index: b/Makefile.in | ||
8 | =================================================================== | ||
9 | --- a/Makefile.in | ||
10 | +++ b/Makefile.in | ||
11 | @@ -284,6 +284,7 @@ | ||
12 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | ||
13 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | ||
14 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | ||
15 | + ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 | ||
16 | if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ | ||
17 | $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ | ||
18 | fi | ||
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 000000000..e608bd20d --- /dev/null +++ b/debian/patches/debian-banner.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | Description: Add DebianBanner server configuration option | ||
2 | Setting this to "no" causes sshd to omit the Debian revision from its | ||
3 | initial protocol handshake, for those scared by package-versioning.patch. | ||
4 | Author: Kees Cook <kees@debian.org> | ||
5 | Bug-Debian: http://bugs.debian.org/562048 | ||
6 | Forwarded: not-needed | ||
7 | Last-Update: 2010-02-28 | ||
8 | |||
9 | Index: b/servconf.c | ||
10 | =================================================================== | ||
11 | --- a/servconf.c | ||
12 | +++ b/servconf.c | ||
13 | @@ -135,6 +135,7 @@ | ||
14 | options->zero_knowledge_password_authentication = -1; | ||
15 | options->revoked_keys_file = NULL; | ||
16 | options->trusted_user_ca_keys = NULL; | ||
17 | + options->debian_banner = -1; | ||
18 | } | ||
19 | |||
20 | void | ||
21 | @@ -277,6 +278,8 @@ | ||
22 | options->permit_tun = SSH_TUNMODE_NO; | ||
23 | if (options->zero_knowledge_password_authentication == -1) | ||
24 | options->zero_knowledge_password_authentication = 0; | ||
25 | + if (options->debian_banner == -1) | ||
26 | + options->debian_banner = 1; | ||
27 | |||
28 | /* Turn privilege separation on by default */ | ||
29 | if (use_privsep == -1) | ||
30 | @@ -325,6 +328,7 @@ | ||
31 | sUsePrivilegeSeparation, sAllowAgentForwarding, | ||
32 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | ||
33 | sRevokedKeys, sTrustedUserCAKeys, | ||
34 | + sDebianBanner, | ||
35 | sDeprecated, sUnsupported | ||
36 | } ServerOpCodes; | ||
37 | |||
38 | @@ -457,6 +461,7 @@ | ||
39 | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, | ||
40 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | ||
41 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | ||
42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | ||
43 | { NULL, sBadOption, 0 } | ||
44 | }; | ||
45 | |||
46 | @@ -1386,6 +1391,10 @@ | ||
47 | charptr = &options->revoked_keys_file; | ||
48 | goto parse_filename; | ||
49 | |||
50 | + case sDebianBanner: | ||
51 | + intptr = &options->debian_banner; | ||
52 | + goto parse_int; | ||
53 | + | ||
54 | case sDeprecated: | ||
55 | logit("%s line %d: Deprecated option %s", | ||
56 | filename, linenum, arg); | ||
57 | Index: b/servconf.h | ||
58 | =================================================================== | ||
59 | --- a/servconf.h | ||
60 | +++ b/servconf.h | ||
61 | @@ -157,6 +157,8 @@ | ||
62 | |||
63 | int num_permitted_opens; | ||
64 | |||
65 | + int debian_banner; | ||
66 | + | ||
67 | char *chroot_directory; | ||
68 | char *revoked_keys_file; | ||
69 | char *trusted_user_ca_keys; | ||
70 | Index: b/sshd.c | ||
71 | =================================================================== | ||
72 | --- a/sshd.c | ||
73 | +++ b/sshd.c | ||
74 | @@ -422,7 +422,8 @@ | ||
75 | minor = PROTOCOL_MINOR_1; | ||
76 | } | ||
77 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | ||
78 | - SSH_RELEASE, newline); | ||
79 | + options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, | ||
80 | + newline); | ||
81 | server_version_string = xstrdup(buf); | ||
82 | |||
83 | /* Send our protocol version identification. */ | ||
84 | Index: b/sshd_config.5 | ||
85 | =================================================================== | ||
86 | --- a/sshd_config.5 | ||
87 | +++ b/sshd_config.5 | ||
88 | @@ -295,6 +295,11 @@ | ||
89 | .Dq no . | ||
90 | The default is | ||
91 | .Dq delayed . | ||
92 | +.It Cm DebianBanner | ||
93 | +Specifies whether the distribution-specified extra version suffix is | ||
94 | +included during initial protocol handshake. | ||
95 | +The default is | ||
96 | +.Dq yes . | ||
97 | .It Cm DenyGroups | ||
98 | This keyword can be followed by a list of group name patterns, separated | ||
99 | by spaces. | ||
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 000000000..a395d43a0 --- /dev/null +++ b/debian/patches/debian-config.patch | |||
@@ -0,0 +1,146 @@ | |||
1 | Description: Various Debian-specific configuration changes | ||
2 | ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause | ||
3 | fewer problems with existing setups (http://bugs.debian.org/237021). | ||
4 | . | ||
5 | ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). | ||
6 | . | ||
7 | ssh: Enable HashKnownHosts by default to try to limit the spread of ssh | ||
8 | worms. | ||
9 | . | ||
10 | ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by | ||
11 | default. | ||
12 | . | ||
13 | sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside | ||
14 | PermitRootLogin default. | ||
15 | . | ||
16 | Document all of this, along with several sshd defaults set in | ||
17 | debian/openssh-server.postinst. | ||
18 | Author: Colin Watson <cjwatson@debian.org> | ||
19 | Author: Russ Allbery <rra@debian.org> | ||
20 | Forwarded: not-needed | ||
21 | Last-Update: 2010-02-28 | ||
22 | |||
23 | Index: b/readconf.c | ||
24 | =================================================================== | ||
25 | --- a/readconf.c | ||
26 | +++ b/readconf.c | ||
27 | @@ -1152,7 +1152,7 @@ | ||
28 | if (options->forward_x11 == -1) | ||
29 | options->forward_x11 = 0; | ||
30 | if (options->forward_x11_trusted == -1) | ||
31 | - options->forward_x11_trusted = 0; | ||
32 | + options->forward_x11_trusted = 1; | ||
33 | if (options->exit_on_forward_failure == -1) | ||
34 | options->exit_on_forward_failure = 0; | ||
35 | if (options->xauth_location == NULL) | ||
36 | Index: b/ssh_config | ||
37 | =================================================================== | ||
38 | --- a/ssh_config | ||
39 | +++ b/ssh_config | ||
40 | @@ -17,9 +17,10 @@ | ||
41 | # list of available options, their meanings and defaults, please see the | ||
42 | # ssh_config(5) man page. | ||
43 | |||
44 | -# Host * | ||
45 | +Host * | ||
46 | # ForwardAgent no | ||
47 | # ForwardX11 no | ||
48 | +# ForwardX11Trusted yes | ||
49 | # RhostsRSAAuthentication no | ||
50 | # RSAAuthentication yes | ||
51 | # PasswordAuthentication yes | ||
52 | @@ -47,3 +48,7 @@ | ||
53 | # PermitLocalCommand no | ||
54 | # VisualHostKey no | ||
55 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | ||
56 | + SendEnv LANG LC_* | ||
57 | + HashKnownHosts yes | ||
58 | + GSSAPIAuthentication yes | ||
59 | + GSSAPIDelegateCredentials no | ||
60 | Index: b/ssh_config.5 | ||
61 | =================================================================== | ||
62 | --- a/ssh_config.5 | ||
63 | +++ b/ssh_config.5 | ||
64 | @@ -72,6 +72,22 @@ | ||
65 | host-specific declarations should be given near the beginning of the | ||
66 | file, and general defaults at the end. | ||
67 | .Pp | ||
68 | +Note that the Debian | ||
69 | +.Ic openssh-client | ||
70 | +package sets several options as standard in | ||
71 | +.Pa /etc/ssh/ssh_config | ||
72 | +which are not the default in | ||
73 | +.Xr ssh 1 : | ||
74 | +.Pp | ||
75 | +.Bl -bullet -offset indent -compact | ||
76 | +.It | ||
77 | +.Cm SendEnv No LANG LC_* | ||
78 | +.It | ||
79 | +.Cm HashKnownHosts No yes | ||
80 | +.It | ||
81 | +.Cm GSSAPIAuthentication No yes | ||
82 | +.El | ||
83 | +.Pp | ||
84 | The configuration file has the following format: | ||
85 | .Pp | ||
86 | Empty lines and lines starting with | ||
87 | @@ -452,7 +468,8 @@ | ||
88 | Remote clients will be refused access after this time. | ||
89 | .Pp | ||
90 | The default is | ||
91 | -.Dq no . | ||
92 | +.Dq yes | ||
93 | +(Debian-specific). | ||
94 | .Pp | ||
95 | See the X11 SECURITY extension specification for full details on | ||
96 | the restrictions imposed on untrusted clients. | ||
97 | Index: b/sshd_config | ||
98 | =================================================================== | ||
99 | --- a/sshd_config | ||
100 | +++ b/sshd_config | ||
101 | @@ -36,6 +36,7 @@ | ||
102 | # Authentication: | ||
103 | |||
104 | #LoginGraceTime 2m | ||
105 | +# See /usr/share/doc/openssh-server/README.Debian.gz. | ||
106 | #PermitRootLogin yes | ||
107 | #StrictModes yes | ||
108 | #MaxAuthTries 6 | ||
109 | Index: b/sshd_config.5 | ||
110 | =================================================================== | ||
111 | --- a/sshd_config.5 | ||
112 | +++ b/sshd_config.5 | ||
113 | @@ -58,6 +58,33 @@ | ||
114 | .Pq \&" | ||
115 | in order to represent arguments containing spaces. | ||
116 | .Pp | ||
117 | +Note that the Debian | ||
118 | +.Ic openssh-server | ||
119 | +package sets several options as standard in | ||
120 | +.Pa /etc/ssh/sshd_config | ||
121 | +which are not the default in | ||
122 | +.Xr sshd 8 . | ||
123 | +The exact list depends on whether the package was installed fresh or | ||
124 | +upgraded from various possible previous versions, but includes at least the | ||
125 | +following: | ||
126 | +.Pp | ||
127 | +.Bl -bullet -offset indent -compact | ||
128 | +.It | ||
129 | +.Cm Protocol No 2 | ||
130 | +.It | ||
131 | +.Cm ChallengeResponseAuthentication No no | ||
132 | +.It | ||
133 | +.Cm X11Forwarding No yes | ||
134 | +.It | ||
135 | +.Cm PrintMotd No no | ||
136 | +.It | ||
137 | +.Cm AcceptEnv No LANG LC_* | ||
138 | +.It | ||
139 | +.Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
140 | +.It | ||
141 | +.Cm UsePAM No yes | ||
142 | +.El | ||
143 | +.Pp | ||
144 | The possible | ||
145 | keywords and their meanings are as follows (note that | ||
146 | keywords are case-insensitive and arguments are case-sensitive): | ||
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch new file mode 100644 index 000000000..a71b42f0f --- /dev/null +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -0,0 +1,82 @@ | |||
1 | Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | ||
2 | This allows SSHFP DNS records to be verified if glibc 2.11 is installed. | ||
3 | Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup | ||
4 | Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 | ||
5 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 | ||
6 | Last-Update: 2010-04-06 | ||
7 | |||
8 | Index: b/dns.c | ||
9 | =================================================================== | ||
10 | --- a/dns.c | ||
11 | +++ b/dns.c | ||
12 | @@ -176,6 +176,7 @@ | ||
13 | { | ||
14 | u_int counter; | ||
15 | int result; | ||
16 | + unsigned int rrset_flags = 0; | ||
17 | struct rrsetinfo *fingerprints = NULL; | ||
18 | |||
19 | u_int8_t hostkey_algorithm; | ||
20 | @@ -199,8 +200,19 @@ | ||
21 | return -1; | ||
22 | } | ||
23 | |||
24 | + /* | ||
25 | + * Original getrrsetbyname function, found on OpenBSD for example, | ||
26 | + * doesn't accept any flag and prerequisite for obtaining AD bit in | ||
27 | + * DNS response is set by "options edns0" in resolv.conf. | ||
28 | + * | ||
29 | + * Our version is more clever and use RRSET_FORCE_EDNS0 flag. | ||
30 | + */ | ||
31 | +#ifndef HAVE_GETRRSETBYNAME | ||
32 | + rrset_flags |= RRSET_FORCE_EDNS0; | ||
33 | +#endif | ||
34 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, | ||
35 | - DNS_RDATATYPE_SSHFP, 0, &fingerprints); | ||
36 | + DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); | ||
37 | + | ||
38 | if (result) { | ||
39 | verbose("DNS lookup error: %s", dns_result_totext(result)); | ||
40 | return -1; | ||
41 | Index: b/openbsd-compat/getrrsetbyname.c | ||
42 | =================================================================== | ||
43 | --- a/openbsd-compat/getrrsetbyname.c | ||
44 | +++ b/openbsd-compat/getrrsetbyname.c | ||
45 | @@ -209,8 +209,8 @@ | ||
46 | goto fail; | ||
47 | } | ||
48 | |||
49 | - /* don't allow flags yet, unimplemented */ | ||
50 | - if (flags) { | ||
51 | + /* Allow RRSET_FORCE_EDNS0 flag only. */ | ||
52 | + if ((flags & !RRSET_FORCE_EDNS0) != 0) { | ||
53 | result = ERRSET_INVAL; | ||
54 | goto fail; | ||
55 | } | ||
56 | @@ -226,9 +226,9 @@ | ||
57 | #endif /* DEBUG */ | ||
58 | |||
59 | #ifdef RES_USE_DNSSEC | ||
60 | - /* turn on DNSSEC if EDNS0 is configured */ | ||
61 | - if (_resp->options & RES_USE_EDNS0) | ||
62 | - _resp->options |= RES_USE_DNSSEC; | ||
63 | + /* turn on DNSSEC if required */ | ||
64 | + if (flags & RRSET_FORCE_EDNS0) | ||
65 | + _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); | ||
66 | #endif /* RES_USE_DNSEC */ | ||
67 | |||
68 | /* make query */ | ||
69 | Index: b/openbsd-compat/getrrsetbyname.h | ||
70 | =================================================================== | ||
71 | --- a/openbsd-compat/getrrsetbyname.h | ||
72 | +++ b/openbsd-compat/getrrsetbyname.h | ||
73 | @@ -72,6 +72,9 @@ | ||
74 | #ifndef RRSET_VALIDATED | ||
75 | # define RRSET_VALIDATED 1 | ||
76 | #endif | ||
77 | +#ifndef RRSET_FORCE_EDNS0 | ||
78 | +# define RRSET_FORCE_EDNS0 0x0001 | ||
79 | +#endif | ||
80 | |||
81 | /* | ||
82 | * Return codes for getrrsetbyname() | ||
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch new file mode 100644 index 000000000..4c555799f --- /dev/null +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -0,0 +1,20 @@ | |||
1 | Description: Document that HashKnownHosts may break tab-completion | ||
2 | Author: Colin Watson <cjwatson@debian.org> | ||
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 | ||
4 | Bug-Debian: http://bugs.debian.org/430154 | ||
5 | Last-Update: 2010-03-01 | ||
6 | |||
7 | Index: b/ssh_config.5 | ||
8 | =================================================================== | ||
9 | --- a/ssh_config.5 | ||
10 | +++ b/ssh_config.5 | ||
11 | @@ -531,6 +531,9 @@ | ||
12 | will not be converted automatically, | ||
13 | but may be manually hashed using | ||
14 | .Xr ssh-keygen 1 . | ||
15 | +Use of this option may break facilities such as tab-completion that rely | ||
16 | +on being able to read unhashed host names from | ||
17 | +.Pa ~/.ssh/known_hosts . | ||
18 | .It Cm HostbasedAuthentication | ||
19 | Specifies whether to try rhosts based authentication with public key | ||
20 | authentication. | ||
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch new file mode 100644 index 000000000..96bbf3a09 --- /dev/null +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -0,0 +1,18 @@ | |||
1 | Description: Give the ssh-askpass-gnome window a default icon | ||
2 | Author: Vincent Untz <vuntz@ubuntu.com> | ||
3 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 | ||
4 | Last-Update: 2010-02-28 | ||
5 | |||
6 | Index: b/contrib/gnome-ssh-askpass2.c | ||
7 | =================================================================== | ||
8 | --- a/contrib/gnome-ssh-askpass2.c | ||
9 | +++ b/contrib/gnome-ssh-askpass2.c | ||
10 | @@ -209,6 +209,8 @@ | ||
11 | |||
12 | gtk_init(&argc, &argv); | ||
13 | |||
14 | + gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL); | ||
15 | + | ||
16 | if (argc > 1) { | ||
17 | message = g_strjoinv(" ", argv + 1); | ||
18 | } else { | ||
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch new file mode 100644 index 000000000..3ea221834 --- /dev/null +++ b/debian/patches/gssapi-autoconf.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | Description: Update config.h.in following GSSAPI patch | ||
2 | Author: Colin Watson <cjwatson@debian.org> | ||
3 | Forwarded: not-needed | ||
4 | Last-Updated: 2010-02-27 | ||
5 | |||
6 | Index: b/config.h.in | ||
7 | =================================================================== | ||
8 | --- a/config.h.in | ||
9 | +++ b/config.h.in | ||
10 | @@ -1384,6 +1384,9 @@ | ||
11 | /* Use btmp to log bad logins */ | ||
12 | #undef USE_BTMP | ||
13 | |||
14 | +/* platform uses an in-memory credentials cache */ | ||
15 | +#undef USE_CCAPI | ||
16 | + | ||
17 | /* Use libedit for sftp */ | ||
18 | #undef USE_LIBEDIT | ||
19 | |||
20 | @@ -1396,6 +1399,9 @@ | ||
21 | /* Use PIPES instead of a socketpair() */ | ||
22 | #undef USE_PIPES | ||
23 | |||
24 | +/* platform has the Security Authorization Session API */ | ||
25 | +#undef USE_SECURITY_SESSION_API | ||
26 | + | ||
27 | /* Define if you have Solaris process contracts */ | ||
28 | #undef USE_SOLARIS_PROCESS_CONTRACTS | ||
29 | |||
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch new file mode 100644 index 000000000..369a23360 --- /dev/null +++ b/debian/patches/gssapi-compat.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | Description: Compatibility with old GSSAPI option names | ||
2 | These options were supported by the old ssh-krb5 package in Debian. | ||
3 | . | ||
4 | Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch. | ||
5 | Author: Colin Watson <cjwatson@debian.org> | ||
6 | Forwarded: yes | ||
7 | Last-Updated: 2010-03-01 | ||
8 | |||
9 | Index: b/servconf.c | ||
10 | =================================================================== | ||
11 | --- a/servconf.c | ||
12 | +++ b/servconf.c | ||
13 | @@ -380,16 +380,20 @@ | ||
14 | #ifdef GSSAPI | ||
15 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | ||
16 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
17 | + { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
18 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | ||
19 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | ||
20 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | ||
21 | #else | ||
22 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | ||
23 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | ||
24 | + { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
25 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | ||
26 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | ||
27 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | ||
28 | #endif | ||
29 | + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
30 | + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
31 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | ||
32 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | ||
33 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | ||
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch new file mode 100644 index 000000000..6e09df484 --- /dev/null +++ b/debian/patches/gssapi-dump.patch | |||
@@ -0,0 +1,24 @@ | |||
1 | Description: GSSAPI configuration dump fixes | ||
2 | Add GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck, and | ||
3 | GSSAPIStoreCredentialsOnRekey to sshd -T configuration dump. | ||
4 | . | ||
5 | Forwarded to Simon Wilkinson for inclusion in the GSSAPI patch. | ||
6 | Author: Colin Watson <cjwatson@debian.org> | ||
7 | Forwarded: yes | ||
8 | Last-Updated: 2010-02-27 | ||
9 | |||
10 | Index: b/servconf.c | ||
11 | =================================================================== | ||
12 | --- a/servconf.c | ||
13 | +++ b/servconf.c | ||
14 | @@ -1677,7 +1677,10 @@ | ||
15 | #endif | ||
16 | #ifdef GSSAPI | ||
17 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | ||
18 | + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
19 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | ||
20 | + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
21 | + dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); | ||
22 | #endif | ||
23 | #ifdef JPAKE | ||
24 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | ||
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch new file mode 100644 index 000000000..e39239fbd --- /dev/null +++ b/debian/patches/gssapi.patch | |||
@@ -0,0 +1,2991 @@ | |||
1 | Description: GSSAPI key exchange support | ||
2 | This patch has been rejected upstream: "None of the OpenSSH developers are | ||
3 | in favour of adding this, and this situation has not changed for several | ||
4 | years. This is not a slight on Simon's patch, which is of fine quality, | ||
5 | but just that a) we don't trust GSSAPI implementations that much and b) we | ||
6 | don't like adding new KEX since they are pre-auth attack surface. This one | ||
7 | is particularly scary, since it requires hooks out to typically root-owned | ||
8 | system resources." | ||
9 | . | ||
10 | However, quite a lot of people rely on this in Debian, and it's better to | ||
11 | have it merged into the main openssh package rather than having separate | ||
12 | -krb5 packages (as we used to have). It seems to have a generally good | ||
13 | security history. | ||
14 | Author: Simon Wilkinson <simon@sxw.org.uk> | ||
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | ||
16 | Last-Updated: 2010-02-27 | ||
17 | |||
18 | Index: b/ChangeLog.gssapi | ||
19 | =================================================================== | ||
20 | --- /dev/null | ||
21 | +++ b/ChangeLog.gssapi | ||
22 | @@ -0,0 +1,103 @@ | ||
23 | +20100124 | ||
24 | + - [ sshconnect2.c ] | ||
25 | + Adapt to deal with additional element in Authmethod structure. Thanks to | ||
26 | + Colin Wilson | ||
27 | + - [ clientloop.c ] | ||
28 | + Protect credentials updated code with suitable #ifdefs. Thanks to Colin | ||
29 | + Wilson | ||
30 | + | ||
31 | +20090615 | ||
32 | + - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c | ||
33 | + sshd.c ] | ||
34 | + Fix issues identified by Greg Hudson following a code review | ||
35 | + Check return value of gss_indicate_mechs | ||
36 | + Protect GSSAPI calls in monitor, so they can only be used if enabled | ||
37 | + Check return values of bignum functions in key exchange | ||
38 | + Use BN_clear_free to clear other side's DH value | ||
39 | + Make ssh_gssapi_id_kex more robust | ||
40 | + Only configure kex table pointers if GSSAPI is enabled | ||
41 | + Don't leak mechanism list, or gss mechanism list | ||
42 | + Cast data.length before printing | ||
43 | + If serverkey isn't provided, use an empty string, rather than NULL | ||
44 | + | ||
45 | +20090201 | ||
46 | + - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h | ||
47 | + ssh_config.5 sshconnet2.c ] | ||
48 | + Add support for the GSSAPIClientIdentity option, which allows the user | ||
49 | + to specify which GSSAPI identity to use to contact a given server | ||
50 | + | ||
51 | +20080404 | ||
52 | + - [ gss-serv.c ] | ||
53 | + Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow | ||
54 | + been omitted from a previous version of this patch. Reported by Borislav | ||
55 | + Stoichkov | ||
56 | + | ||
57 | +20070317 | ||
58 | + - [ gss-serv-krb5.c ] | ||
59 | + Remove C99ism, where new_ccname was being declared in the middle of a | ||
60 | + function | ||
61 | + | ||
62 | +20061220 | ||
63 | + - [ servconf.c ] | ||
64 | + Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and | ||
65 | + documented, behaviour. Reported by Dan Watson. | ||
66 | + | ||
67 | +20060910 | ||
68 | + - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c | ||
69 | + ssh-gss.h ] | ||
70 | + add support for gss-group14-sha1 key exchange mechanisms | ||
71 | + - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] | ||
72 | + Add GSSAPIStrictAcceptorCheck option to allow the disabling of | ||
73 | + acceptor principal checking on multi-homed machines. | ||
74 | + <Bugzilla #928> | ||
75 | + - [ sshd_config ssh_config ] | ||
76 | + Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample | ||
77 | + configuration files | ||
78 | + - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] | ||
79 | + Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf() | ||
80 | + Limit length of error messages displayed by client | ||
81 | + | ||
82 | +20060909 | ||
83 | + - [ gss-genr.c gss-serv.c ] | ||
84 | + move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server | ||
85 | + only, where they belong | ||
86 | + <Bugzilla #1225> | ||
87 | + | ||
88 | +20060829 | ||
89 | + - [ gss-serv-krb5.c ] | ||
90 | + Fix CCAPI credentials cache name when creating KRB5CCNAME environment | ||
91 | + variable | ||
92 | + | ||
93 | +20060828 | ||
94 | + - [ gss-genr.c ] | ||
95 | + Avoid Heimdal context freeing problem | ||
96 | + <Fixed upstream 20060829> | ||
97 | + | ||
98 | +20060818 | ||
99 | + - [ gss-genr.c ssh-gss.h sshconnect2.c ] | ||
100 | + Make sure that SPENGO is disabled | ||
101 | + <Bugzilla #1218 - Fixed upstream 20060818> | ||
102 | + | ||
103 | +20060421 | ||
104 | + - [ gssgenr.c, sshconnect2.c ] | ||
105 | + a few type changes (signed versus unsigned, int versus size_t) to | ||
106 | + fix compiler errors/warnings | ||
107 | + (from jbasney AT ncsa.uiuc.edu) | ||
108 | + - [ kexgssc.c, sshconnect2.c ] | ||
109 | + fix uninitialized variable warnings | ||
110 | + (from jbasney AT ncsa.uiuc.edu) | ||
111 | + - [ gssgenr.c ] | ||
112 | + pass oid to gss_display_status (helpful when using GSSAPI mechglue) | ||
113 | + (from jbasney AT ncsa.uiuc.edu) | ||
114 | + <Bugzilla #1220 > | ||
115 | + - [ gss-serv-krb5.c ] | ||
116 | + #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H | ||
117 | + (from jbasney AT ncsa.uiuc.edu) | ||
118 | + <Fixed upstream 20060304> | ||
119 | + - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c | ||
120 | + add client-side GssapiKeyExchange option | ||
121 | + (from jbasney AT ncsa.uiuc.edu) | ||
122 | + - [ sshconnect2.c ] | ||
123 | + add support for GssapiTrustDns option for gssapi-with-mic | ||
124 | + (from jbasney AT ncsa.uiuc.edu) | ||
125 | + <gssapi-with-mic support is Bugzilla #1008> | ||
126 | Index: b/Makefile.in | ||
127 | =================================================================== | ||
128 | --- a/Makefile.in | ||
129 | +++ b/Makefile.in | ||
130 | @@ -74,7 +74,7 @@ | ||
131 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ | ||
132 | kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ | ||
133 | entropy.o gss-genr.o umac.o jpake.o schnorr.o \ | ||
134 | - ssh-pkcs11.o | ||
135 | + ssh-pkcs11.o kexgssc.o | ||
136 | |||
137 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | ||
138 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | ||
139 | @@ -88,7 +88,7 @@ | ||
140 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | ||
141 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ | ||
142 | auth-krb5.o \ | ||
143 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | ||
144 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ | ||
145 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | ||
146 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | ||
147 | roaming_common.o roaming_serv.o | ||
148 | Index: b/auth-krb5.c | ||
149 | =================================================================== | ||
150 | --- a/auth-krb5.c | ||
151 | +++ b/auth-krb5.c | ||
152 | @@ -170,8 +170,13 @@ | ||
153 | |||
154 | len = strlen(authctxt->krb5_ticket_file) + 6; | ||
155 | authctxt->krb5_ccname = xmalloc(len); | ||
156 | +#ifdef USE_CCAPI | ||
157 | + snprintf(authctxt->krb5_ccname, len, "API:%s", | ||
158 | + authctxt->krb5_ticket_file); | ||
159 | +#else | ||
160 | snprintf(authctxt->krb5_ccname, len, "FILE:%s", | ||
161 | authctxt->krb5_ticket_file); | ||
162 | +#endif | ||
163 | |||
164 | #ifdef USE_PAM | ||
165 | if (options.use_pam) | ||
166 | @@ -226,15 +231,22 @@ | ||
167 | #ifndef HEIMDAL | ||
168 | krb5_error_code | ||
169 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | ||
170 | - int tmpfd, ret; | ||
171 | + int ret; | ||
172 | char ccname[40]; | ||
173 | mode_t old_umask; | ||
174 | +#ifdef USE_CCAPI | ||
175 | + char cctemplate[] = "API:krb5cc_%d"; | ||
176 | +#else | ||
177 | + char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX"; | ||
178 | + int tmpfd; | ||
179 | +#endif | ||
180 | |||
181 | ret = snprintf(ccname, sizeof(ccname), | ||
182 | - "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); | ||
183 | + cctemplate, geteuid()); | ||
184 | if (ret < 0 || (size_t)ret >= sizeof(ccname)) | ||
185 | return ENOMEM; | ||
186 | |||
187 | +#ifndef USE_CCAPI | ||
188 | old_umask = umask(0177); | ||
189 | tmpfd = mkstemp(ccname + strlen("FILE:")); | ||
190 | umask(old_umask); | ||
191 | @@ -249,6 +261,7 @@ | ||
192 | return errno; | ||
193 | } | ||
194 | close(tmpfd); | ||
195 | +#endif | ||
196 | |||
197 | return (krb5_cc_resolve(ctx, ccname, ccache)); | ||
198 | } | ||
199 | Index: b/auth.h | ||
200 | =================================================================== | ||
201 | --- a/auth.h | ||
202 | +++ b/auth.h | ||
203 | @@ -53,6 +53,7 @@ | ||
204 | int valid; /* user exists and is allowed to login */ | ||
205 | int attempt; | ||
206 | int failures; | ||
207 | + int server_caused_failure; | ||
208 | int force_pwchange; | ||
209 | char *user; /* username sent by the client */ | ||
210 | char *service; | ||
211 | Index: b/auth2-gss.c | ||
212 | =================================================================== | ||
213 | --- a/auth2-gss.c | ||
214 | +++ b/auth2-gss.c | ||
215 | @@ -1,7 +1,7 @@ | ||
216 | /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ | ||
217 | |||
218 | /* | ||
219 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | ||
220 | + * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | ||
221 | * | ||
222 | * Redistribution and use in source and binary forms, with or without | ||
223 | * modification, are permitted provided that the following conditions | ||
224 | @@ -52,6 +52,40 @@ | ||
225 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | ||
226 | static void input_gssapi_errtok(int, u_int32_t, void *); | ||
227 | |||
228 | +/* | ||
229 | + * The 'gssapi_keyex' userauth mechanism. | ||
230 | + */ | ||
231 | +static int | ||
232 | +userauth_gsskeyex(Authctxt *authctxt) | ||
233 | +{ | ||
234 | + int authenticated = 0; | ||
235 | + Buffer b; | ||
236 | + gss_buffer_desc mic, gssbuf; | ||
237 | + u_int len; | ||
238 | + | ||
239 | + mic.value = packet_get_string(&len); | ||
240 | + mic.length = len; | ||
241 | + | ||
242 | + packet_check_eom(); | ||
243 | + | ||
244 | + ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, | ||
245 | + "gssapi-keyex"); | ||
246 | + | ||
247 | + gssbuf.value = buffer_ptr(&b); | ||
248 | + gssbuf.length = buffer_len(&b); | ||
249 | + | ||
250 | + /* gss_kex_context is NULL with privsep, so we can't check it here */ | ||
251 | + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, | ||
252 | + &gssbuf, &mic)))) | ||
253 | + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, | ||
254 | + authctxt->pw)); | ||
255 | + | ||
256 | + buffer_free(&b); | ||
257 | + xfree(mic.value); | ||
258 | + | ||
259 | + return (authenticated); | ||
260 | +} | ||
261 | + | ||
262 | /* | ||
263 | * We only support those mechanisms that we know about (ie ones that we know | ||
264 | * how to check local user kuserok and the like) | ||
265 | @@ -102,6 +136,7 @@ | ||
266 | |||
267 | if (!present) { | ||
268 | xfree(doid); | ||
269 | + authctxt->server_caused_failure = 1; | ||
270 | return (0); | ||
271 | } | ||
272 | |||
273 | @@ -109,6 +144,7 @@ | ||
274 | if (ctxt != NULL) | ||
275 | ssh_gssapi_delete_ctx(&ctxt); | ||
276 | xfree(doid); | ||
277 | + authctxt->server_caused_failure = 1; | ||
278 | return (0); | ||
279 | } | ||
280 | |||
281 | @@ -242,7 +278,8 @@ | ||
282 | |||
283 | packet_check_eom(); | ||
284 | |||
285 | - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); | ||
286 | + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, | ||
287 | + authctxt->pw)); | ||
288 | |||
289 | authctxt->postponed = 0; | ||
290 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | ||
291 | @@ -277,7 +314,8 @@ | ||
292 | gssbuf.length = buffer_len(&b); | ||
293 | |||
294 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | ||
295 | - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); | ||
296 | + authenticated = | ||
297 | + PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); | ||
298 | else | ||
299 | logit("GSSAPI MIC check failed"); | ||
300 | |||
301 | @@ -292,6 +330,12 @@ | ||
302 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | ||
303 | } | ||
304 | |||
305 | +Authmethod method_gsskeyex = { | ||
306 | + "gssapi-keyex", | ||
307 | + userauth_gsskeyex, | ||
308 | + &options.gss_authentication | ||
309 | +}; | ||
310 | + | ||
311 | Authmethod method_gssapi = { | ||
312 | "gssapi-with-mic", | ||
313 | userauth_gssapi, | ||
314 | Index: b/auth2.c | ||
315 | =================================================================== | ||
316 | --- a/auth2.c | ||
317 | +++ b/auth2.c | ||
318 | @@ -69,6 +69,7 @@ | ||
319 | extern Authmethod method_kbdint; | ||
320 | extern Authmethod method_hostbased; | ||
321 | #ifdef GSSAPI | ||
322 | +extern Authmethod method_gsskeyex; | ||
323 | extern Authmethod method_gssapi; | ||
324 | #endif | ||
325 | #ifdef JPAKE | ||
326 | @@ -79,6 +80,7 @@ | ||
327 | &method_none, | ||
328 | &method_pubkey, | ||
329 | #ifdef GSSAPI | ||
330 | + &method_gsskeyex, | ||
331 | &method_gssapi, | ||
332 | #endif | ||
333 | #ifdef JPAKE | ||
334 | @@ -274,6 +276,7 @@ | ||
335 | #endif | ||
336 | |||
337 | authctxt->postponed = 0; | ||
338 | + authctxt->server_caused_failure = 0; | ||
339 | |||
340 | /* try to authenticate user */ | ||
341 | m = authmethod_lookup(method); | ||
342 | @@ -346,7 +349,8 @@ | ||
343 | } else { | ||
344 | |||
345 | /* Allow initial try of "none" auth without failure penalty */ | ||
346 | - if (authctxt->attempt > 1 || strcmp(method, "none") != 0) | ||
347 | + if (!authctxt->server_caused_failure && | ||
348 | + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) | ||
349 | authctxt->failures++; | ||
350 | if (authctxt->failures >= options.max_authtries) { | ||
351 | #ifdef SSH_AUDIT_EVENTS | ||
352 | Index: b/clientloop.c | ||
353 | =================================================================== | ||
354 | --- a/clientloop.c | ||
355 | +++ b/clientloop.c | ||
356 | @@ -111,6 +111,10 @@ | ||
357 | #include "msg.h" | ||
358 | #include "roaming.h" | ||
359 | |||
360 | +#ifdef GSSAPI | ||
361 | +#include "ssh-gss.h" | ||
362 | +#endif | ||
363 | + | ||
364 | /* import options */ | ||
365 | extern Options options; | ||
366 | |||
367 | @@ -1431,6 +1435,15 @@ | ||
368 | /* Do channel operations unless rekeying in progress. */ | ||
369 | if (!rekeying) { | ||
370 | channel_after_select(readset, writeset); | ||
371 | + | ||
372 | +#ifdef GSSAPI | ||
373 | + if (options.gss_renewal_rekey && | ||
374 | + ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { | ||
375 | + debug("credentials updated - forcing rekey"); | ||
376 | + need_rekeying = 1; | ||
377 | + } | ||
378 | +#endif | ||
379 | + | ||
380 | if (need_rekeying || packet_need_rekeying()) { | ||
381 | debug("need rekeying"); | ||
382 | xxx_kex->done = 0; | ||
383 | Index: b/configure.ac | ||
384 | =================================================================== | ||
385 | --- a/configure.ac | ||
386 | +++ b/configure.ac | ||
387 | @@ -477,6 +477,30 @@ | ||
388 | [Use tunnel device compatibility to OpenBSD]) | ||
389 | AC_DEFINE(SSH_TUN_PREPEND_AF, 1, | ||
390 | [Prepend the address family to IP tunnel traffic]) | ||
391 | + AC_MSG_CHECKING(if we have the Security Authorization Session API) | ||
392 | + AC_TRY_COMPILE([#include <Security/AuthSession.h>], | ||
393 | + [SessionCreate(0, 0);], | ||
394 | + [ac_cv_use_security_session_api="yes" | ||
395 | + AC_DEFINE(USE_SECURITY_SESSION_API, 1, | ||
396 | + [platform has the Security Authorization Session API]) | ||
397 | + LIBS="$LIBS -framework Security" | ||
398 | + AC_MSG_RESULT(yes)], | ||
399 | + [ac_cv_use_security_session_api="no" | ||
400 | + AC_MSG_RESULT(no)]) | ||
401 | + AC_MSG_CHECKING(if we have an in-memory credentials cache) | ||
402 | + AC_TRY_COMPILE( | ||
403 | + [#include <Kerberos/Kerberos.h>], | ||
404 | + [cc_context_t c; | ||
405 | + (void) cc_initialize (&c, 0, NULL, NULL);], | ||
406 | + [AC_DEFINE(USE_CCAPI, 1, | ||
407 | + [platform uses an in-memory credentials cache]) | ||
408 | + LIBS="$LIBS -framework Security" | ||
409 | + AC_MSG_RESULT(yes) | ||
410 | + if test "x$ac_cv_use_security_session_api" = "xno"; then | ||
411 | + AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***) | ||
412 | + fi], | ||
413 | + [AC_MSG_RESULT(no)] | ||
414 | + ) | ||
415 | m4_pattern_allow(AU_IPv) | ||
416 | AC_CHECK_DECL(AU_IPv4, [], | ||
417 | AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) | ||
418 | Index: b/gss-genr.c | ||
419 | =================================================================== | ||
420 | --- a/gss-genr.c | ||
421 | +++ b/gss-genr.c | ||
422 | @@ -1,7 +1,7 @@ | ||
423 | /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ | ||
424 | |||
425 | /* | ||
426 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | ||
427 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | ||
428 | * | ||
429 | * Redistribution and use in source and binary forms, with or without | ||
430 | * modification, are permitted provided that the following conditions | ||
431 | @@ -39,12 +39,167 @@ | ||
432 | #include "buffer.h" | ||
433 | #include "log.h" | ||
434 | #include "ssh2.h" | ||
435 | +#include "cipher.h" | ||
436 | +#include "key.h" | ||
437 | +#include "kex.h" | ||
438 | +#include <openssl/evp.h> | ||
439 | |||
440 | #include "ssh-gss.h" | ||
441 | |||
442 | extern u_char *session_id2; | ||
443 | extern u_int session_id2_len; | ||
444 | |||
445 | +typedef struct { | ||
446 | + char *encoded; | ||
447 | + gss_OID oid; | ||
448 | +} ssh_gss_kex_mapping; | ||
449 | + | ||
450 | +/* | ||
451 | + * XXX - It would be nice to find a more elegant way of handling the | ||
452 | + * XXX passing of the key exchange context to the userauth routines | ||
453 | + */ | ||
454 | + | ||
455 | +Gssctxt *gss_kex_context = NULL; | ||
456 | + | ||
457 | +static ssh_gss_kex_mapping *gss_enc2oid = NULL; | ||
458 | + | ||
459 | +int | ||
460 | +ssh_gssapi_oid_table_ok() { | ||
461 | + return (gss_enc2oid != NULL); | ||
462 | +} | ||
463 | + | ||
464 | +/* | ||
465 | + * Return a list of the gss-group1-sha1 mechanisms supported by this program | ||
466 | + * | ||
467 | + * We test mechanisms to ensure that we can use them, to avoid starting | ||
468 | + * a key exchange with a bad mechanism | ||
469 | + */ | ||
470 | + | ||
471 | +char * | ||
472 | +ssh_gssapi_client_mechanisms(const char *host, const char *client) { | ||
473 | + gss_OID_set gss_supported; | ||
474 | + OM_uint32 min_status; | ||
475 | + | ||
476 | + if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported))) | ||
477 | + return NULL; | ||
478 | + | ||
479 | + return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism, | ||
480 | + host, client)); | ||
481 | +} | ||
482 | + | ||
483 | +char * | ||
484 | +ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, | ||
485 | + const char *host, const char *client) { | ||
486 | + Buffer buf; | ||
487 | + size_t i; | ||
488 | + int oidpos, enclen; | ||
489 | + char *mechs, *encoded; | ||
490 | + u_char digest[EVP_MAX_MD_SIZE]; | ||
491 | + char deroid[2]; | ||
492 | + const EVP_MD *evp_md = EVP_md5(); | ||
493 | + EVP_MD_CTX md; | ||
494 | + | ||
495 | + if (gss_enc2oid != NULL) { | ||
496 | + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) | ||
497 | + xfree(gss_enc2oid[i].encoded); | ||
498 | + xfree(gss_enc2oid); | ||
499 | + } | ||
500 | + | ||
501 | + gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * | ||
502 | + (gss_supported->count + 1)); | ||
503 | + | ||
504 | + buffer_init(&buf); | ||
505 | + | ||
506 | + oidpos = 0; | ||
507 | + for (i = 0; i < gss_supported->count; i++) { | ||
508 | + if (gss_supported->elements[i].length < 128 && | ||
509 | + (*check)(NULL, &(gss_supported->elements[i]), host, client)) { | ||
510 | + | ||
511 | + deroid[0] = SSH_GSS_OIDTYPE; | ||
512 | + deroid[1] = gss_supported->elements[i].length; | ||
513 | + | ||
514 | + EVP_DigestInit(&md, evp_md); | ||
515 | + EVP_DigestUpdate(&md, deroid, 2); | ||
516 | + EVP_DigestUpdate(&md, | ||
517 | + gss_supported->elements[i].elements, | ||
518 | + gss_supported->elements[i].length); | ||
519 | + EVP_DigestFinal(&md, digest, NULL); | ||
520 | + | ||
521 | + encoded = xmalloc(EVP_MD_size(evp_md) * 2); | ||
522 | + enclen = __b64_ntop(digest, EVP_MD_size(evp_md), | ||
523 | + encoded, EVP_MD_size(evp_md) * 2); | ||
524 | + | ||
525 | + if (oidpos != 0) | ||
526 | + buffer_put_char(&buf, ','); | ||
527 | + | ||
528 | + buffer_append(&buf, KEX_GSS_GEX_SHA1_ID, | ||
529 | + sizeof(KEX_GSS_GEX_SHA1_ID) - 1); | ||
530 | + buffer_append(&buf, encoded, enclen); | ||
531 | + buffer_put_char(&buf, ','); | ||
532 | + buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, | ||
533 | + sizeof(KEX_GSS_GRP1_SHA1_ID) - 1); | ||
534 | + buffer_append(&buf, encoded, enclen); | ||
535 | + buffer_put_char(&buf, ','); | ||
536 | + buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID, | ||
537 | + sizeof(KEX_GSS_GRP14_SHA1_ID) - 1); | ||
538 | + buffer_append(&buf, encoded, enclen); | ||
539 | + | ||
540 | + gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); | ||
541 | + gss_enc2oid[oidpos].encoded = encoded; | ||
542 | + oidpos++; | ||
543 | + } | ||
544 | + } | ||
545 | + gss_enc2oid[oidpos].oid = NULL; | ||
546 | + gss_enc2oid[oidpos].encoded = NULL; | ||
547 | + | ||
548 | + buffer_put_char(&buf, '\0'); | ||
549 | + | ||
550 | + mechs = xmalloc(buffer_len(&buf)); | ||
551 | + buffer_get(&buf, mechs, buffer_len(&buf)); | ||
552 | + buffer_free(&buf); | ||
553 | + | ||
554 | + if (strlen(mechs) == 0) { | ||
555 | + xfree(mechs); | ||
556 | + mechs = NULL; | ||
557 | + } | ||
558 | + | ||
559 | + return (mechs); | ||
560 | +} | ||
561 | + | ||
562 | +gss_OID | ||
563 | +ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) { | ||
564 | + int i = 0; | ||
565 | + | ||
566 | + switch (kex_type) { | ||
567 | + case KEX_GSS_GRP1_SHA1: | ||
568 | + if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID)) | ||
569 | + return GSS_C_NO_OID; | ||
570 | + name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1; | ||
571 | + break; | ||
572 | + case KEX_GSS_GRP14_SHA1: | ||
573 | + if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID)) | ||
574 | + return GSS_C_NO_OID; | ||
575 | + name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1; | ||
576 | + break; | ||
577 | + case KEX_GSS_GEX_SHA1: | ||
578 | + if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID)) | ||
579 | + return GSS_C_NO_OID; | ||
580 | + name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1; | ||
581 | + break; | ||
582 | + default: | ||
583 | + return GSS_C_NO_OID; | ||
584 | + } | ||
585 | + | ||
586 | + while (gss_enc2oid[i].encoded != NULL && | ||
587 | + strcmp(name, gss_enc2oid[i].encoded) != 0) | ||
588 | + i++; | ||
589 | + | ||
590 | + if (gss_enc2oid[i].oid != NULL && ctx != NULL) | ||
591 | + ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid); | ||
592 | + | ||
593 | + return gss_enc2oid[i].oid; | ||
594 | +} | ||
595 | + | ||
596 | /* Check that the OID in a data stream matches that in the context */ | ||
597 | int | ||
598 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | ||
599 | @@ -197,7 +352,7 @@ | ||
600 | } | ||
601 | |||
602 | ctx->major = gss_init_sec_context(&ctx->minor, | ||
603 | - GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, | ||
604 | + ctx->client_creds, &ctx->context, ctx->name, ctx->oid, | ||
605 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | ||
606 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | ||
607 | |||
608 | @@ -227,8 +382,42 @@ | ||
609 | } | ||
610 | |||
611 | OM_uint32 | ||
612 | +ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) | ||
613 | +{ | ||
614 | + gss_buffer_desc gssbuf; | ||
615 | + gss_name_t gssname; | ||
616 | + OM_uint32 status; | ||
617 | + gss_OID_set oidset; | ||
618 | + | ||
619 | + gssbuf.value = (void *) name; | ||
620 | + gssbuf.length = strlen(gssbuf.value); | ||
621 | + | ||
622 | + gss_create_empty_oid_set(&status, &oidset); | ||
623 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
624 | + | ||
625 | + ctx->major = gss_import_name(&ctx->minor, &gssbuf, | ||
626 | + GSS_C_NT_USER_NAME, &gssname); | ||
627 | + | ||
628 | + if (!ctx->major) | ||
629 | + ctx->major = gss_acquire_cred(&ctx->minor, | ||
630 | + gssname, 0, oidset, GSS_C_INITIATE, | ||
631 | + &ctx->client_creds, NULL, NULL); | ||
632 | + | ||
633 | + gss_release_name(&status, &gssname); | ||
634 | + gss_release_oid_set(&status, &oidset); | ||
635 | + | ||
636 | + if (ctx->major) | ||
637 | + ssh_gssapi_error(ctx); | ||
638 | + | ||
639 | + return(ctx->major); | ||
640 | +} | ||
641 | + | ||
642 | +OM_uint32 | ||
643 | ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | ||
644 | { | ||
645 | + if (ctx == NULL) | ||
646 | + return -1; | ||
647 | + | ||
648 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | ||
649 | GSS_C_QOP_DEFAULT, buffer, hash))) | ||
650 | ssh_gssapi_error(ctx); | ||
651 | @@ -236,6 +425,19 @@ | ||
652 | return (ctx->major); | ||
653 | } | ||
654 | |||
655 | +/* Priviledged when used by server */ | ||
656 | +OM_uint32 | ||
657 | +ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | ||
658 | +{ | ||
659 | + if (ctx == NULL) | ||
660 | + return -1; | ||
661 | + | ||
662 | + ctx->major = gss_verify_mic(&ctx->minor, ctx->context, | ||
663 | + gssbuf, gssmic, NULL); | ||
664 | + | ||
665 | + return (ctx->major); | ||
666 | +} | ||
667 | + | ||
668 | void | ||
669 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | ||
670 | const char *context) | ||
671 | @@ -249,11 +451,16 @@ | ||
672 | } | ||
673 | |||
674 | int | ||
675 | -ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | ||
676 | +ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, | ||
677 | + const char *client) | ||
678 | { | ||
679 | gss_buffer_desc token = GSS_C_EMPTY_BUFFER; | ||
680 | OM_uint32 major, minor; | ||
681 | gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; | ||
682 | + Gssctxt *intctx = NULL; | ||
683 | + | ||
684 | + if (ctx == NULL) | ||
685 | + ctx = &intctx; | ||
686 | |||
687 | /* RFC 4462 says we MUST NOT do SPNEGO */ | ||
688 | if (oid->length == spnego_oid.length && | ||
689 | @@ -263,6 +470,10 @@ | ||
690 | ssh_gssapi_build_ctx(ctx); | ||
691 | ssh_gssapi_set_oid(*ctx, oid); | ||
692 | major = ssh_gssapi_import_name(*ctx, host); | ||
693 | + | ||
694 | + if (!GSS_ERROR(major) && client) | ||
695 | + major = ssh_gssapi_client_identity(*ctx, client); | ||
696 | + | ||
697 | if (!GSS_ERROR(major)) { | ||
698 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | ||
699 | NULL); | ||
700 | @@ -272,10 +483,67 @@ | ||
701 | GSS_C_NO_BUFFER); | ||
702 | } | ||
703 | |||
704 | - if (GSS_ERROR(major)) | ||
705 | + if (GSS_ERROR(major) || intctx != NULL) | ||
706 | ssh_gssapi_delete_ctx(ctx); | ||
707 | |||
708 | return (!GSS_ERROR(major)); | ||
709 | } | ||
710 | |||
711 | +int | ||
712 | +ssh_gssapi_credentials_updated(Gssctxt *ctxt) { | ||
713 | + static gss_name_t saved_name = GSS_C_NO_NAME; | ||
714 | + static OM_uint32 saved_lifetime = 0; | ||
715 | + static gss_OID saved_mech = GSS_C_NO_OID; | ||
716 | + static gss_name_t name; | ||
717 | + static OM_uint32 last_call = 0; | ||
718 | + OM_uint32 lifetime, now, major, minor; | ||
719 | + int equal; | ||
720 | + gss_cred_usage_t usage = GSS_C_INITIATE; | ||
721 | + | ||
722 | + now = time(NULL); | ||
723 | + | ||
724 | + if (ctxt) { | ||
725 | + debug("Rekey has happened - updating saved versions"); | ||
726 | + | ||
727 | + if (saved_name != GSS_C_NO_NAME) | ||
728 | + gss_release_name(&minor, &saved_name); | ||
729 | + | ||
730 | + major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, | ||
731 | + &saved_name, &saved_lifetime, NULL, NULL); | ||
732 | + | ||
733 | + if (!GSS_ERROR(major)) { | ||
734 | + saved_mech = ctxt->oid; | ||
735 | + saved_lifetime+= now; | ||
736 | + } else { | ||
737 | + /* Handle the error */ | ||
738 | + } | ||
739 | + return 0; | ||
740 | + } | ||
741 | + | ||
742 | + if (now - last_call < 10) | ||
743 | + return 0; | ||
744 | + | ||
745 | + last_call = now; | ||
746 | + | ||
747 | + if (saved_mech == GSS_C_NO_OID) | ||
748 | + return 0; | ||
749 | + | ||
750 | + major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, | ||
751 | + &name, &lifetime, NULL, NULL); | ||
752 | + if (major == GSS_S_CREDENTIALS_EXPIRED) | ||
753 | + return 0; | ||
754 | + else if (GSS_ERROR(major)) | ||
755 | + return 0; | ||
756 | + | ||
757 | + major = gss_compare_name(&minor, saved_name, name, &equal); | ||
758 | + gss_release_name(&minor, &name); | ||
759 | + if (GSS_ERROR(major)) | ||
760 | + return 0; | ||
761 | + | ||
762 | + if (equal && (saved_lifetime < lifetime + now - 10)) | ||
763 | + return 1; | ||
764 | + | ||
765 | + return 0; | ||
766 | +} | ||
767 | + | ||
768 | #endif /* GSSAPI */ | ||
769 | Index: b/gss-serv-krb5.c | ||
770 | =================================================================== | ||
771 | --- a/gss-serv-krb5.c | ||
772 | +++ b/gss-serv-krb5.c | ||
773 | @@ -1,7 +1,7 @@ | ||
774 | /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ | ||
775 | |||
776 | /* | ||
777 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | ||
778 | + * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | ||
779 | * | ||
780 | * Redistribution and use in source and binary forms, with or without | ||
781 | * modification, are permitted provided that the following conditions | ||
782 | @@ -120,6 +120,7 @@ | ||
783 | krb5_principal princ; | ||
784 | OM_uint32 maj_status, min_status; | ||
785 | int len; | ||
786 | + const char *new_ccname; | ||
787 | |||
788 | if (client->creds == NULL) { | ||
789 | debug("No credentials stored"); | ||
790 | @@ -168,11 +169,16 @@ | ||
791 | return; | ||
792 | } | ||
793 | |||
794 | - client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); | ||
795 | + new_ccname = krb5_cc_get_name(krb_context, ccache); | ||
796 | + | ||
797 | client->store.envvar = "KRB5CCNAME"; | ||
798 | - len = strlen(client->store.filename) + 6; | ||
799 | - client->store.envval = xmalloc(len); | ||
800 | - snprintf(client->store.envval, len, "FILE:%s", client->store.filename); | ||
801 | +#ifdef USE_CCAPI | ||
802 | + xasprintf(&client->store.envval, "API:%s", new_ccname); | ||
803 | + client->store.filename = NULL; | ||
804 | +#else | ||
805 | + xasprintf(&client->store.envval, "FILE:%s", new_ccname); | ||
806 | + client->store.filename = xstrdup(new_ccname); | ||
807 | +#endif | ||
808 | |||
809 | #ifdef USE_PAM | ||
810 | if (options.use_pam) | ||
811 | @@ -184,6 +190,71 @@ | ||
812 | return; | ||
813 | } | ||
814 | |||
815 | +int | ||
816 | +ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, | ||
817 | + ssh_gssapi_client *client) | ||
818 | +{ | ||
819 | + krb5_ccache ccache = NULL; | ||
820 | + krb5_principal principal = NULL; | ||
821 | + char *name = NULL; | ||
822 | + krb5_error_code problem; | ||
823 | + OM_uint32 maj_status, min_status; | ||
824 | + | ||
825 | + if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { | ||
826 | + logit("krb5_cc_resolve(): %.100s", | ||
827 | + krb5_get_err_text(krb_context, problem)); | ||
828 | + return 0; | ||
829 | + } | ||
830 | + | ||
831 | + /* Find out who the principal in this cache is */ | ||
832 | + if ((problem = krb5_cc_get_principal(krb_context, ccache, | ||
833 | + &principal))) { | ||
834 | + logit("krb5_cc_get_principal(): %.100s", | ||
835 | + krb5_get_err_text(krb_context, problem)); | ||
836 | + krb5_cc_close(krb_context, ccache); | ||
837 | + return 0; | ||
838 | + } | ||
839 | + | ||
840 | + if ((problem = krb5_unparse_name(krb_context, principal, &name))) { | ||
841 | + logit("krb5_unparse_name(): %.100s", | ||
842 | + krb5_get_err_text(krb_context, problem)); | ||
843 | + krb5_free_principal(krb_context, principal); | ||
844 | + krb5_cc_close(krb_context, ccache); | ||
845 | + return 0; | ||
846 | + } | ||
847 | + | ||
848 | + | ||
849 | + if (strcmp(name,client->exportedname.value)!=0) { | ||
850 | + debug("Name in local credentials cache differs. Not storing"); | ||
851 | + krb5_free_principal(krb_context, principal); | ||
852 | + krb5_cc_close(krb_context, ccache); | ||
853 | + krb5_free_unparsed_name(krb_context, name); | ||
854 | + return 0; | ||
855 | + } | ||
856 | + krb5_free_unparsed_name(krb_context, name); | ||
857 | + | ||
858 | + /* Name matches, so lets get on with it! */ | ||
859 | + | ||
860 | + if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { | ||
861 | + logit("krb5_cc_initialize(): %.100s", | ||
862 | + krb5_get_err_text(krb_context, problem)); | ||
863 | + krb5_free_principal(krb_context, principal); | ||
864 | + krb5_cc_close(krb_context, ccache); | ||
865 | + return 0; | ||
866 | + } | ||
867 | + | ||
868 | + krb5_free_principal(krb_context, principal); | ||
869 | + | ||
870 | + if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, | ||
871 | + ccache))) { | ||
872 | + logit("gss_krb5_copy_ccache() failed. Sorry!"); | ||
873 | + krb5_cc_close(krb_context, ccache); | ||
874 | + return 0; | ||
875 | + } | ||
876 | + | ||
877 | + return 1; | ||
878 | +} | ||
879 | + | ||
880 | ssh_gssapi_mech gssapi_kerberos_mech = { | ||
881 | "toWM5Slw5Ew8Mqkay+al2g==", | ||
882 | "Kerberos", | ||
883 | @@ -191,7 +262,8 @@ | ||
884 | NULL, | ||
885 | &ssh_gssapi_krb5_userok, | ||
886 | NULL, | ||
887 | - &ssh_gssapi_krb5_storecreds | ||
888 | + &ssh_gssapi_krb5_storecreds, | ||
889 | + &ssh_gssapi_krb5_updatecreds | ||
890 | }; | ||
891 | |||
892 | #endif /* KRB5 */ | ||
893 | Index: b/gss-serv.c | ||
894 | =================================================================== | ||
895 | --- a/gss-serv.c | ||
896 | +++ b/gss-serv.c | ||
897 | @@ -1,7 +1,7 @@ | ||
898 | /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ | ||
899 | |||
900 | /* | ||
901 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | ||
902 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | ||
903 | * | ||
904 | * Redistribution and use in source and binary forms, with or without | ||
905 | * modification, are permitted provided that the following conditions | ||
906 | @@ -45,15 +45,20 @@ | ||
907 | #include "channels.h" | ||
908 | #include "session.h" | ||
909 | #include "misc.h" | ||
910 | +#include "servconf.h" | ||
911 | +#include "uidswap.h" | ||
912 | |||
913 | #include "ssh-gss.h" | ||
914 | +#include "monitor_wrap.h" | ||
915 | + | ||
916 | +extern ServerOptions options; | ||
917 | |||
918 | static ssh_gssapi_client gssapi_client = | ||
919 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, | ||
920 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; | ||
921 | + GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; | ||
922 | |||
923 | ssh_gssapi_mech gssapi_null_mech = | ||
924 | - { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; | ||
925 | + { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL}; | ||
926 | |||
927 | #ifdef KRB5 | ||
928 | extern ssh_gssapi_mech gssapi_kerberos_mech; | ||
929 | @@ -81,25 +86,32 @@ | ||
930 | char lname[MAXHOSTNAMELEN]; | ||
931 | gss_OID_set oidset; | ||
932 | |||
933 | - gss_create_empty_oid_set(&status, &oidset); | ||
934 | - gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
935 | + if (options.gss_strict_acceptor) { | ||
936 | + gss_create_empty_oid_set(&status, &oidset); | ||
937 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
938 | + | ||
939 | + if (gethostname(lname, MAXHOSTNAMELEN)) { | ||
940 | + gss_release_oid_set(&status, &oidset); | ||
941 | + return (-1); | ||
942 | + } | ||
943 | |||
944 | - if (gethostname(lname, MAXHOSTNAMELEN)) { | ||
945 | - gss_release_oid_set(&status, &oidset); | ||
946 | - return (-1); | ||
947 | - } | ||
948 | + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
949 | + gss_release_oid_set(&status, &oidset); | ||
950 | + return (ctx->major); | ||
951 | + } | ||
952 | + | ||
953 | + if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
954 | + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
955 | + NULL, NULL))) | ||
956 | + ssh_gssapi_error(ctx); | ||
957 | |||
958 | - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
959 | gss_release_oid_set(&status, &oidset); | ||
960 | return (ctx->major); | ||
961 | + } else { | ||
962 | + ctx->name = GSS_C_NO_NAME; | ||
963 | + ctx->creds = GSS_C_NO_CREDENTIAL; | ||
964 | } | ||
965 | - | ||
966 | - if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
967 | - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
968 | - ssh_gssapi_error(ctx); | ||
969 | - | ||
970 | - gss_release_oid_set(&status, &oidset); | ||
971 | - return (ctx->major); | ||
972 | + return GSS_S_COMPLETE; | ||
973 | } | ||
974 | |||
975 | /* Privileged */ | ||
976 | @@ -114,6 +126,29 @@ | ||
977 | } | ||
978 | |||
979 | /* Unprivileged */ | ||
980 | +char * | ||
981 | +ssh_gssapi_server_mechanisms() { | ||
982 | + gss_OID_set supported; | ||
983 | + | ||
984 | + ssh_gssapi_supported_oids(&supported); | ||
985 | + return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, | ||
986 | + NULL, NULL)); | ||
987 | +} | ||
988 | + | ||
989 | +/* Unprivileged */ | ||
990 | +int | ||
991 | +ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data, | ||
992 | + const char *dummy) { | ||
993 | + Gssctxt *ctx = NULL; | ||
994 | + int res; | ||
995 | + | ||
996 | + res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))); | ||
997 | + ssh_gssapi_delete_ctx(&ctx); | ||
998 | + | ||
999 | + return (res); | ||
1000 | +} | ||
1001 | + | ||
1002 | +/* Unprivileged */ | ||
1003 | void | ||
1004 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | ||
1005 | { | ||
1006 | @@ -123,7 +158,9 @@ | ||
1007 | gss_OID_set supported; | ||
1008 | |||
1009 | gss_create_empty_oid_set(&min_status, oidset); | ||
1010 | - gss_indicate_mechs(&min_status, &supported); | ||
1011 | + | ||
1012 | + if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported))) | ||
1013 | + return; | ||
1014 | |||
1015 | while (supported_mechs[i]->name != NULL) { | ||
1016 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | ||
1017 | @@ -247,8 +284,48 @@ | ||
1018 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | ||
1019 | { | ||
1020 | int i = 0; | ||
1021 | + int equal = 0; | ||
1022 | + gss_name_t new_name = GSS_C_NO_NAME; | ||
1023 | + gss_buffer_desc ename = GSS_C_EMPTY_BUFFER; | ||
1024 | + | ||
1025 | + if (options.gss_store_rekey && client->used && ctx->client_creds) { | ||
1026 | + if (client->mech->oid.length != ctx->oid->length || | ||
1027 | + (memcmp(client->mech->oid.elements, | ||
1028 | + ctx->oid->elements, ctx->oid->length) !=0)) { | ||
1029 | + debug("Rekeyed credentials have different mechanism"); | ||
1030 | + return GSS_S_COMPLETE; | ||
1031 | + } | ||
1032 | + | ||
1033 | + if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, | ||
1034 | + ctx->client_creds, ctx->oid, &new_name, | ||
1035 | + NULL, NULL, NULL))) { | ||
1036 | + ssh_gssapi_error(ctx); | ||
1037 | + return (ctx->major); | ||
1038 | + } | ||
1039 | + | ||
1040 | + ctx->major = gss_compare_name(&ctx->minor, client->name, | ||
1041 | + new_name, &equal); | ||
1042 | |||
1043 | - gss_buffer_desc ename; | ||
1044 | + if (GSS_ERROR(ctx->major)) { | ||
1045 | + ssh_gssapi_error(ctx); | ||
1046 | + return (ctx->major); | ||
1047 | + } | ||
1048 | + | ||
1049 | + if (!equal) { | ||
1050 | + debug("Rekeyed credentials have different name"); | ||
1051 | + return GSS_S_COMPLETE; | ||
1052 | + } | ||
1053 | + | ||
1054 | + debug("Marking rekeyed credentials for export"); | ||
1055 | + | ||
1056 | + gss_release_name(&ctx->minor, &client->name); | ||
1057 | + gss_release_cred(&ctx->minor, &client->creds); | ||
1058 | + client->name = new_name; | ||
1059 | + client->creds = ctx->client_creds; | ||
1060 | + ctx->client_creds = GSS_C_NO_CREDENTIAL; | ||
1061 | + client->updated = 1; | ||
1062 | + return GSS_S_COMPLETE; | ||
1063 | + } | ||
1064 | |||
1065 | client->mech = NULL; | ||
1066 | |||
1067 | @@ -263,6 +340,13 @@ | ||
1068 | if (client->mech == NULL) | ||
1069 | return GSS_S_FAILURE; | ||
1070 | |||
1071 | + if (ctx->client_creds && | ||
1072 | + (ctx->major = gss_inquire_cred_by_mech(&ctx->minor, | ||
1073 | + ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) { | ||
1074 | + ssh_gssapi_error(ctx); | ||
1075 | + return (ctx->major); | ||
1076 | + } | ||
1077 | + | ||
1078 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | ||
1079 | &client->displayname, NULL))) { | ||
1080 | ssh_gssapi_error(ctx); | ||
1081 | @@ -280,6 +364,8 @@ | ||
1082 | return (ctx->major); | ||
1083 | } | ||
1084 | |||
1085 | + gss_release_buffer(&ctx->minor, &ename); | ||
1086 | + | ||
1087 | /* We can't copy this structure, so we just move the pointer to it */ | ||
1088 | client->creds = ctx->client_creds; | ||
1089 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | ||
1090 | @@ -327,7 +413,7 @@ | ||
1091 | |||
1092 | /* Privileged */ | ||
1093 | int | ||
1094 | -ssh_gssapi_userok(char *user) | ||
1095 | +ssh_gssapi_userok(char *user, struct passwd *pw) | ||
1096 | { | ||
1097 | OM_uint32 lmin; | ||
1098 | |||
1099 | @@ -337,9 +423,11 @@ | ||
1100 | return 0; | ||
1101 | } | ||
1102 | if (gssapi_client.mech && gssapi_client.mech->userok) | ||
1103 | - if ((*gssapi_client.mech->userok)(&gssapi_client, user)) | ||
1104 | + if ((*gssapi_client.mech->userok)(&gssapi_client, user)) { | ||
1105 | + gssapi_client.used = 1; | ||
1106 | + gssapi_client.store.owner = pw; | ||
1107 | return 1; | ||
1108 | - else { | ||
1109 | + } else { | ||
1110 | /* Destroy delegated credentials if userok fails */ | ||
1111 | gss_release_buffer(&lmin, &gssapi_client.displayname); | ||
1112 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | ||
1113 | @@ -352,14 +440,90 @@ | ||
1114 | return (0); | ||
1115 | } | ||
1116 | |||
1117 | -/* Privileged */ | ||
1118 | -OM_uint32 | ||
1119 | -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | ||
1120 | +/* These bits are only used for rekeying. The unpriviledged child is running | ||
1121 | + * as the user, the monitor is root. | ||
1122 | + * | ||
1123 | + * In the child, we want to : | ||
1124 | + * *) Ask the monitor to store our credentials into the store we specify | ||
1125 | + * *) If it succeeds, maybe do a PAM update | ||
1126 | + */ | ||
1127 | + | ||
1128 | +/* Stuff for PAM */ | ||
1129 | + | ||
1130 | +#ifdef USE_PAM | ||
1131 | +static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, | ||
1132 | + struct pam_response **resp, void *data) | ||
1133 | { | ||
1134 | - ctx->major = gss_verify_mic(&ctx->minor, ctx->context, | ||
1135 | - gssbuf, gssmic, NULL); | ||
1136 | + return (PAM_CONV_ERR); | ||
1137 | +} | ||
1138 | +#endif | ||
1139 | |||
1140 | - return (ctx->major); | ||
1141 | +void | ||
1142 | +ssh_gssapi_rekey_creds() { | ||
1143 | + int ok; | ||
1144 | + int ret; | ||
1145 | +#ifdef USE_PAM | ||
1146 | + pam_handle_t *pamh = NULL; | ||
1147 | + struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; | ||
1148 | + char *envstr; | ||
1149 | +#endif | ||
1150 | + | ||
1151 | + if (gssapi_client.store.filename == NULL && | ||
1152 | + gssapi_client.store.envval == NULL && | ||
1153 | + gssapi_client.store.envvar == NULL) | ||
1154 | + return; | ||
1155 | + | ||
1156 | + ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); | ||
1157 | + | ||
1158 | + if (!ok) | ||
1159 | + return; | ||
1160 | + | ||
1161 | + debug("Rekeyed credentials stored successfully"); | ||
1162 | + | ||
1163 | + /* Actually managing to play with the ssh pam stack from here will | ||
1164 | + * be next to impossible. In any case, we may want different options | ||
1165 | + * for rekeying. So, use our own :) | ||
1166 | + */ | ||
1167 | +#ifdef USE_PAM | ||
1168 | + if (!use_privsep) { | ||
1169 | + debug("Not even going to try and do PAM with privsep disabled"); | ||
1170 | + return; | ||
1171 | + } | ||
1172 | + | ||
1173 | + ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, | ||
1174 | + &pamconv, &pamh); | ||
1175 | + if (ret) | ||
1176 | + return; | ||
1177 | + | ||
1178 | + xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, | ||
1179 | + gssapi_client.store.envval); | ||
1180 | + | ||
1181 | + ret = pam_putenv(pamh, envstr); | ||
1182 | + if (!ret) | ||
1183 | + pam_setcred(pamh, PAM_REINITIALIZE_CRED); | ||
1184 | + pam_end(pamh, PAM_SUCCESS); | ||
1185 | +#endif | ||
1186 | +} | ||
1187 | + | ||
1188 | +int | ||
1189 | +ssh_gssapi_update_creds(ssh_gssapi_ccache *store) { | ||
1190 | + int ok = 0; | ||
1191 | + | ||
1192 | + /* Check we've got credentials to store */ | ||
1193 | + if (!gssapi_client.updated) | ||
1194 | + return 0; | ||
1195 | + | ||
1196 | + gssapi_client.updated = 0; | ||
1197 | + | ||
1198 | + temporarily_use_uid(gssapi_client.store.owner); | ||
1199 | + if (gssapi_client.mech && gssapi_client.mech->updatecreds) | ||
1200 | + ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client); | ||
1201 | + else | ||
1202 | + debug("No update function for this mechanism"); | ||
1203 | + | ||
1204 | + restore_uid(); | ||
1205 | + | ||
1206 | + return ok; | ||
1207 | } | ||
1208 | |||
1209 | #endif | ||
1210 | Index: b/kex.c | ||
1211 | =================================================================== | ||
1212 | --- a/kex.c | ||
1213 | +++ b/kex.c | ||
1214 | @@ -50,6 +50,10 @@ | ||
1215 | #include "monitor.h" | ||
1216 | #include "roaming.h" | ||
1217 | |||
1218 | +#ifdef GSSAPI | ||
1219 | +#include "ssh-gss.h" | ||
1220 | +#endif | ||
1221 | + | ||
1222 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | ||
1223 | # if defined(HAVE_EVP_SHA256) | ||
1224 | # define evp_ssh_sha256 EVP_sha256 | ||
1225 | @@ -326,6 +330,20 @@ | ||
1226 | k->kex_type = KEX_DH_GEX_SHA256; | ||
1227 | k->evp_md = evp_ssh_sha256(); | ||
1228 | #endif | ||
1229 | +#ifdef GSSAPI | ||
1230 | + } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, | ||
1231 | + sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { | ||
1232 | + k->kex_type = KEX_GSS_GEX_SHA1; | ||
1233 | + k->evp_md = EVP_sha1(); | ||
1234 | + } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID, | ||
1235 | + sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) { | ||
1236 | + k->kex_type = KEX_GSS_GRP1_SHA1; | ||
1237 | + k->evp_md = EVP_sha1(); | ||
1238 | + } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID, | ||
1239 | + sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) { | ||
1240 | + k->kex_type = KEX_GSS_GRP14_SHA1; | ||
1241 | + k->evp_md = EVP_sha1(); | ||
1242 | +#endif | ||
1243 | } else | ||
1244 | fatal("bad kex alg %s", k->name); | ||
1245 | } | ||
1246 | Index: b/kex.h | ||
1247 | =================================================================== | ||
1248 | --- a/kex.h | ||
1249 | +++ b/kex.h | ||
1250 | @@ -67,6 +67,9 @@ | ||
1251 | KEX_DH_GRP14_SHA1, | ||
1252 | KEX_DH_GEX_SHA1, | ||
1253 | KEX_DH_GEX_SHA256, | ||
1254 | + KEX_GSS_GRP1_SHA1, | ||
1255 | + KEX_GSS_GRP14_SHA1, | ||
1256 | + KEX_GSS_GEX_SHA1, | ||
1257 | KEX_MAX | ||
1258 | }; | ||
1259 | |||
1260 | @@ -123,6 +126,12 @@ | ||
1261 | sig_atomic_t done; | ||
1262 | int flags; | ||
1263 | const EVP_MD *evp_md; | ||
1264 | +#ifdef GSSAPI | ||
1265 | + int gss_deleg_creds; | ||
1266 | + int gss_trust_dns; | ||
1267 | + char *gss_host; | ||
1268 | + char *gss_client; | ||
1269 | +#endif | ||
1270 | char *client_version_string; | ||
1271 | char *server_version_string; | ||
1272 | int (*verify_host_key)(Key *); | ||
1273 | @@ -146,6 +155,11 @@ | ||
1274 | void kexgex_client(Kex *); | ||
1275 | void kexgex_server(Kex *); | ||
1276 | |||
1277 | +#ifdef GSSAPI | ||
1278 | +void kexgss_client(Kex *); | ||
1279 | +void kexgss_server(Kex *); | ||
1280 | +#endif | ||
1281 | + | ||
1282 | void | ||
1283 | kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, | ||
1284 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); | ||
1285 | Index: b/kexgssc.c | ||
1286 | =================================================================== | ||
1287 | --- /dev/null | ||
1288 | +++ b/kexgssc.c | ||
1289 | @@ -0,0 +1,334 @@ | ||
1290 | +/* | ||
1291 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | ||
1292 | + * | ||
1293 | + * Redistribution and use in source and binary forms, with or without | ||
1294 | + * modification, are permitted provided that the following conditions | ||
1295 | + * are met: | ||
1296 | + * 1. Redistributions of source code must retain the above copyright | ||
1297 | + * notice, this list of conditions and the following disclaimer. | ||
1298 | + * 2. Redistributions in binary form must reproduce the above copyright | ||
1299 | + * notice, this list of conditions and the following disclaimer in the | ||
1300 | + * documentation and/or other materials provided with the distribution. | ||
1301 | + * | ||
1302 | + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | ||
1303 | + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
1304 | + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
1305 | + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
1306 | + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
1307 | + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
1308 | + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
1309 | + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
1310 | + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
1311 | + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
1312 | + */ | ||
1313 | + | ||
1314 | +#include "includes.h" | ||
1315 | + | ||
1316 | +#ifdef GSSAPI | ||
1317 | + | ||
1318 | +#include "includes.h" | ||
1319 | + | ||
1320 | +#include <openssl/crypto.h> | ||
1321 | +#include <openssl/bn.h> | ||
1322 | + | ||
1323 | +#include <string.h> | ||
1324 | + | ||
1325 | +#include "xmalloc.h" | ||
1326 | +#include "buffer.h" | ||
1327 | +#include "ssh2.h" | ||
1328 | +#include "key.h" | ||
1329 | +#include "cipher.h" | ||
1330 | +#include "kex.h" | ||
1331 | +#include "log.h" | ||
1332 | +#include "packet.h" | ||
1333 | +#include "dh.h" | ||
1334 | + | ||
1335 | +#include "ssh-gss.h" | ||
1336 | + | ||
1337 | +void | ||
1338 | +kexgss_client(Kex *kex) { | ||
1339 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | ||
1340 | + gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; | ||
1341 | + Gssctxt *ctxt; | ||
1342 | + OM_uint32 maj_status, min_status, ret_flags; | ||
1343 | + u_int klen, kout, slen = 0, hashlen, strlen; | ||
1344 | + DH *dh; | ||
1345 | + BIGNUM *dh_server_pub = NULL; | ||
1346 | + BIGNUM *shared_secret = NULL; | ||
1347 | + BIGNUM *p = NULL; | ||
1348 | + BIGNUM *g = NULL; | ||
1349 | + u_char *kbuf, *hash; | ||
1350 | + u_char *serverhostkey = NULL; | ||
1351 | + u_char *empty = ""; | ||
1352 | + char *msg; | ||
1353 | + char *lang; | ||
1354 | + int type = 0; | ||
1355 | + int first = 1; | ||
1356 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; | ||
1357 | + | ||
1358 | + /* Initialise our GSSAPI world */ | ||
1359 | + ssh_gssapi_build_ctx(&ctxt); | ||
1360 | + if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) | ||
1361 | + == GSS_C_NO_OID) | ||
1362 | + fatal("Couldn't identify host exchange"); | ||
1363 | + | ||
1364 | + if (ssh_gssapi_import_name(ctxt, kex->gss_host)) | ||
1365 | + fatal("Couldn't import hostname"); | ||
1366 | + | ||
1367 | + if (kex->gss_client && | ||
1368 | + ssh_gssapi_client_identity(ctxt, kex->gss_client)) | ||
1369 | + fatal("Couldn't acquire client credentials"); | ||
1370 | + | ||
1371 | + switch (kex->kex_type) { | ||
1372 | + case KEX_GSS_GRP1_SHA1: | ||
1373 | + dh = dh_new_group1(); | ||
1374 | + break; | ||
1375 | + case KEX_GSS_GRP14_SHA1: | ||
1376 | + dh = dh_new_group14(); | ||
1377 | + break; | ||
1378 | + case KEX_GSS_GEX_SHA1: | ||
1379 | + debug("Doing group exchange\n"); | ||
1380 | + nbits = dh_estimate(kex->we_need * 8); | ||
1381 | + packet_start(SSH2_MSG_KEXGSS_GROUPREQ); | ||
1382 | + packet_put_int(min); | ||
1383 | + packet_put_int(nbits); | ||
1384 | + packet_put_int(max); | ||
1385 | + | ||
1386 | + packet_send(); | ||
1387 | + | ||
1388 | + packet_read_expect(SSH2_MSG_KEXGSS_GROUP); | ||
1389 | + | ||
1390 | + if ((p = BN_new()) == NULL) | ||
1391 | + fatal("BN_new() failed"); | ||
1392 | + packet_get_bignum2(p); | ||
1393 | + if ((g = BN_new()) == NULL) | ||
1394 | + fatal("BN_new() failed"); | ||
1395 | + packet_get_bignum2(g); | ||
1396 | + packet_check_eom(); | ||
1397 | + | ||
1398 | + if (BN_num_bits(p) < min || BN_num_bits(p) > max) | ||
1399 | + fatal("GSSGRP_GEX group out of range: %d !< %d !< %d", | ||
1400 | + min, BN_num_bits(p), max); | ||
1401 | + | ||
1402 | + dh = dh_new_group(g, p); | ||
1403 | + break; | ||
1404 | + default: | ||
1405 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | ||
1406 | + } | ||
1407 | + | ||
1408 | + /* Step 1 - e is dh->pub_key */ | ||
1409 | + dh_gen_key(dh, kex->we_need * 8); | ||
1410 | + | ||
1411 | + /* This is f, we initialise it now to make life easier */ | ||
1412 | + dh_server_pub = BN_new(); | ||
1413 | + if (dh_server_pub == NULL) | ||
1414 | + fatal("dh_server_pub == NULL"); | ||
1415 | + | ||
1416 | + token_ptr = GSS_C_NO_BUFFER; | ||
1417 | + | ||
1418 | + do { | ||
1419 | + debug("Calling gss_init_sec_context"); | ||
1420 | + | ||
1421 | + maj_status = ssh_gssapi_init_ctx(ctxt, | ||
1422 | + kex->gss_deleg_creds, token_ptr, &send_tok, | ||
1423 | + &ret_flags); | ||
1424 | + | ||
1425 | + if (GSS_ERROR(maj_status)) { | ||
1426 | + if (send_tok.length != 0) { | ||
1427 | + packet_start(SSH2_MSG_KEXGSS_CONTINUE); | ||
1428 | + packet_put_string(send_tok.value, | ||
1429 | + send_tok.length); | ||
1430 | + } | ||
1431 | + fatal("gss_init_context failed"); | ||
1432 | + } | ||
1433 | + | ||
1434 | + /* If we've got an old receive buffer get rid of it */ | ||
1435 | + if (token_ptr != GSS_C_NO_BUFFER) | ||
1436 | + xfree(recv_tok.value); | ||
1437 | + | ||
1438 | + if (maj_status == GSS_S_COMPLETE) { | ||
1439 | + /* If mutual state flag is not true, kex fails */ | ||
1440 | + if (!(ret_flags & GSS_C_MUTUAL_FLAG)) | ||
1441 | + fatal("Mutual authentication failed"); | ||
1442 | + | ||
1443 | + /* If integ avail flag is not true kex fails */ | ||
1444 | + if (!(ret_flags & GSS_C_INTEG_FLAG)) | ||
1445 | + fatal("Integrity check failed"); | ||
1446 | + } | ||
1447 | + | ||
1448 | + /* | ||
1449 | + * If we have data to send, then the last message that we | ||
1450 | + * received cannot have been a 'complete'. | ||
1451 | + */ | ||
1452 | + if (send_tok.length != 0) { | ||
1453 | + if (first) { | ||
1454 | + packet_start(SSH2_MSG_KEXGSS_INIT); | ||
1455 | + packet_put_string(send_tok.value, | ||
1456 | + send_tok.length); | ||
1457 | + packet_put_bignum2(dh->pub_key); | ||
1458 | + first = 0; | ||
1459 | + } else { | ||
1460 | + packet_start(SSH2_MSG_KEXGSS_CONTINUE); | ||
1461 | + packet_put_string(send_tok.value, | ||
1462 | + send_tok.length); | ||
1463 | + } | ||
1464 | + packet_send(); | ||
1465 | + gss_release_buffer(&min_status, &send_tok); | ||
1466 | + | ||
1467 | + /* If we've sent them data, they should reply */ | ||
1468 | + do { | ||
1469 | + type = packet_read(); | ||
1470 | + if (type == SSH2_MSG_KEXGSS_HOSTKEY) { | ||
1471 | + debug("Received KEXGSS_HOSTKEY"); | ||
1472 | + if (serverhostkey) | ||
1473 | + fatal("Server host key received more than once"); | ||
1474 | + serverhostkey = | ||
1475 | + packet_get_string(&slen); | ||
1476 | + } | ||
1477 | + } while (type == SSH2_MSG_KEXGSS_HOSTKEY); | ||
1478 | + | ||
1479 | + switch (type) { | ||
1480 | + case SSH2_MSG_KEXGSS_CONTINUE: | ||
1481 | + debug("Received GSSAPI_CONTINUE"); | ||
1482 | + if (maj_status == GSS_S_COMPLETE) | ||
1483 | + fatal("GSSAPI Continue received from server when complete"); | ||
1484 | + recv_tok.value = packet_get_string(&strlen); | ||
1485 | + recv_tok.length = strlen; | ||
1486 | + break; | ||
1487 | + case SSH2_MSG_KEXGSS_COMPLETE: | ||
1488 | + debug("Received GSSAPI_COMPLETE"); | ||
1489 | + packet_get_bignum2(dh_server_pub); | ||
1490 | + msg_tok.value = packet_get_string(&strlen); | ||
1491 | + msg_tok.length = strlen; | ||
1492 | + | ||
1493 | + /* Is there a token included? */ | ||
1494 | + if (packet_get_char()) { | ||
1495 | + recv_tok.value= | ||
1496 | + packet_get_string(&strlen); | ||
1497 | + recv_tok.length = strlen; | ||
1498 | + /* If we're already complete - protocol error */ | ||
1499 | + if (maj_status == GSS_S_COMPLETE) | ||
1500 | + packet_disconnect("Protocol error: received token when complete"); | ||
1501 | + } else { | ||
1502 | + /* No token included */ | ||
1503 | + if (maj_status != GSS_S_COMPLETE) | ||
1504 | + packet_disconnect("Protocol error: did not receive final token"); | ||
1505 | + } | ||
1506 | + break; | ||
1507 | + case SSH2_MSG_KEXGSS_ERROR: | ||
1508 | + debug("Received Error"); | ||
1509 | + maj_status = packet_get_int(); | ||
1510 | + min_status = packet_get_int(); | ||
1511 | + msg = packet_get_string(NULL); | ||
1512 | + lang = packet_get_string(NULL); | ||
1513 | + fatal("GSSAPI Error: \n%.400s",msg); | ||
1514 | + default: | ||
1515 | + packet_disconnect("Protocol error: didn't expect packet type %d", | ||
1516 | + type); | ||
1517 | + } | ||
1518 | + token_ptr = &recv_tok; | ||
1519 | + } else { | ||
1520 | + /* No data, and not complete */ | ||
1521 | + if (maj_status != GSS_S_COMPLETE) | ||
1522 | + fatal("Not complete, and no token output"); | ||
1523 | + } | ||
1524 | + } while (maj_status & GSS_S_CONTINUE_NEEDED); | ||
1525 | + | ||
1526 | + /* | ||
1527 | + * We _must_ have received a COMPLETE message in reply from the | ||
1528 | + * server, which will have set dh_server_pub and msg_tok | ||
1529 | + */ | ||
1530 | + | ||
1531 | + if (type != SSH2_MSG_KEXGSS_COMPLETE) | ||
1532 | + fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it"); | ||
1533 | + | ||
1534 | + /* Check f in range [1, p-1] */ | ||
1535 | + if (!dh_pub_is_valid(dh, dh_server_pub)) | ||
1536 | + packet_disconnect("bad server public DH value"); | ||
1537 | + | ||
1538 | + /* compute K=f^x mod p */ | ||
1539 | + klen = DH_size(dh); | ||
1540 | + kbuf = xmalloc(klen); | ||
1541 | + kout = DH_compute_key(kbuf, dh_server_pub, dh); | ||
1542 | + if (kout < 0) | ||
1543 | + fatal("DH_compute_key: failed"); | ||
1544 | + | ||
1545 | + shared_secret = BN_new(); | ||
1546 | + if (shared_secret == NULL) | ||
1547 | + fatal("kexgss_client: BN_new failed"); | ||
1548 | + | ||
1549 | + if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) | ||
1550 | + fatal("kexdh_client: BN_bin2bn failed"); | ||
1551 | + | ||
1552 | + memset(kbuf, 0, klen); | ||
1553 | + xfree(kbuf); | ||
1554 | + | ||
1555 | + switch (kex->kex_type) { | ||
1556 | + case KEX_GSS_GRP1_SHA1: | ||
1557 | + case KEX_GSS_GRP14_SHA1: | ||
1558 | + kex_dh_hash( kex->client_version_string, | ||
1559 | + kex->server_version_string, | ||
1560 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | ||
1561 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | ||
1562 | + (serverhostkey ? serverhostkey : empty), slen, | ||
1563 | + dh->pub_key, /* e */ | ||
1564 | + dh_server_pub, /* f */ | ||
1565 | + shared_secret, /* K */ | ||
1566 | + &hash, &hashlen | ||
1567 | + ); | ||
1568 | + break; | ||
1569 | + case KEX_GSS_GEX_SHA1: | ||
1570 | + kexgex_hash( | ||
1571 | + kex->evp_md, | ||
1572 | + kex->client_version_string, | ||
1573 | + kex->server_version_string, | ||
1574 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | ||
1575 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | ||
1576 | + (serverhostkey ? serverhostkey : empty), slen, | ||
1577 | + min, nbits, max, | ||
1578 | + dh->p, dh->g, | ||
1579 | + dh->pub_key, | ||
1580 | + dh_server_pub, | ||
1581 | + shared_secret, | ||
1582 | + &hash, &hashlen | ||
1583 | + ); | ||
1584 | + break; | ||
1585 | + default: | ||
1586 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | ||
1587 | + } | ||
1588 | + | ||
1589 | + gssbuf.value = hash; | ||
1590 | + gssbuf.length = hashlen; | ||
1591 | + | ||
1592 | + /* Verify that the hash matches the MIC we just got. */ | ||
1593 | + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) | ||
1594 | + packet_disconnect("Hash's MIC didn't verify"); | ||
1595 | + | ||
1596 | + xfree(msg_tok.value); | ||
1597 | + | ||
1598 | + DH_free(dh); | ||
1599 | + if (serverhostkey) | ||
1600 | + xfree(serverhostkey); | ||
1601 | + BN_clear_free(dh_server_pub); | ||
1602 | + | ||
1603 | + /* save session id */ | ||
1604 | + if (kex->session_id == NULL) { | ||
1605 | + kex->session_id_len = hashlen; | ||
1606 | + kex->session_id = xmalloc(kex->session_id_len); | ||
1607 | + memcpy(kex->session_id, hash, kex->session_id_len); | ||
1608 | + } | ||
1609 | + | ||
1610 | + if (kex->gss_deleg_creds) | ||
1611 | + ssh_gssapi_credentials_updated(ctxt); | ||
1612 | + | ||
1613 | + if (gss_kex_context == NULL) | ||
1614 | + gss_kex_context = ctxt; | ||
1615 | + else | ||
1616 | + ssh_gssapi_delete_ctx(&ctxt); | ||
1617 | + | ||
1618 | + kex_derive_keys(kex, hash, hashlen, shared_secret); | ||
1619 | + BN_clear_free(shared_secret); | ||
1620 | + kex_finish(kex); | ||
1621 | +} | ||
1622 | + | ||
1623 | +#endif /* GSSAPI */ | ||
1624 | Index: b/kexgsss.c | ||
1625 | =================================================================== | ||
1626 | --- /dev/null | ||
1627 | +++ b/kexgsss.c | ||
1628 | @@ -0,0 +1,288 @@ | ||
1629 | +/* | ||
1630 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | ||
1631 | + * | ||
1632 | + * Redistribution and use in source and binary forms, with or without | ||
1633 | + * modification, are permitted provided that the following conditions | ||
1634 | + * are met: | ||
1635 | + * 1. Redistributions of source code must retain the above copyright | ||
1636 | + * notice, this list of conditions and the following disclaimer. | ||
1637 | + * 2. Redistributions in binary form must reproduce the above copyright | ||
1638 | + * notice, this list of conditions and the following disclaimer in the | ||
1639 | + * documentation and/or other materials provided with the distribution. | ||
1640 | + * | ||
1641 | + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | ||
1642 | + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
1643 | + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
1644 | + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
1645 | + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
1646 | + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
1647 | + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
1648 | + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
1649 | + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
1650 | + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
1651 | + */ | ||
1652 | + | ||
1653 | +#include "includes.h" | ||
1654 | + | ||
1655 | +#ifdef GSSAPI | ||
1656 | + | ||
1657 | +#include <string.h> | ||
1658 | + | ||
1659 | +#include <openssl/crypto.h> | ||
1660 | +#include <openssl/bn.h> | ||
1661 | + | ||
1662 | +#include "xmalloc.h" | ||
1663 | +#include "buffer.h" | ||
1664 | +#include "ssh2.h" | ||
1665 | +#include "key.h" | ||
1666 | +#include "cipher.h" | ||
1667 | +#include "kex.h" | ||
1668 | +#include "log.h" | ||
1669 | +#include "packet.h" | ||
1670 | +#include "dh.h" | ||
1671 | +#include "ssh-gss.h" | ||
1672 | +#include "monitor_wrap.h" | ||
1673 | +#include "servconf.h" | ||
1674 | + | ||
1675 | +extern ServerOptions options; | ||
1676 | + | ||
1677 | +void | ||
1678 | +kexgss_server(Kex *kex) | ||
1679 | +{ | ||
1680 | + OM_uint32 maj_status, min_status; | ||
1681 | + | ||
1682 | + /* | ||
1683 | + * Some GSSAPI implementations use the input value of ret_flags (an | ||
1684 | + * output variable) as a means of triggering mechanism specific | ||
1685 | + * features. Initializing it to zero avoids inadvertently | ||
1686 | + * activating this non-standard behaviour. | ||
1687 | + */ | ||
1688 | + | ||
1689 | + OM_uint32 ret_flags = 0; | ||
1690 | + gss_buffer_desc gssbuf, recv_tok, msg_tok; | ||
1691 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | ||
1692 | + Gssctxt *ctxt = NULL; | ||
1693 | + u_int slen, klen, kout, hashlen; | ||
1694 | + u_char *kbuf, *hash; | ||
1695 | + DH *dh; | ||
1696 | + int min = -1, max = -1, nbits = -1; | ||
1697 | + BIGNUM *shared_secret = NULL; | ||
1698 | + BIGNUM *dh_client_pub = NULL; | ||
1699 | + int type = 0; | ||
1700 | + gss_OID oid; | ||
1701 | + char *mechs; | ||
1702 | + | ||
1703 | + /* Initialise GSSAPI */ | ||
1704 | + | ||
1705 | + /* If we're rekeying, privsep means that some of the private structures | ||
1706 | + * in the GSSAPI code are no longer available. This kludges them back | ||
1707 | + * into life | ||
1708 | + */ | ||
1709 | + if (!ssh_gssapi_oid_table_ok()) | ||
1710 | + if ((mechs = ssh_gssapi_server_mechanisms())) | ||
1711 | + xfree(mechs); | ||
1712 | + | ||
1713 | + debug2("%s: Identifying %s", __func__, kex->name); | ||
1714 | + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); | ||
1715 | + if (oid == GSS_C_NO_OID) | ||
1716 | + fatal("Unknown gssapi mechanism"); | ||
1717 | + | ||
1718 | + debug2("%s: Acquiring credentials", __func__); | ||
1719 | + | ||
1720 | + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) | ||
1721 | + fatal("Unable to acquire credentials for the server"); | ||
1722 | + | ||
1723 | + switch (kex->kex_type) { | ||
1724 | + case KEX_GSS_GRP1_SHA1: | ||
1725 | + dh = dh_new_group1(); | ||
1726 | + break; | ||
1727 | + case KEX_GSS_GRP14_SHA1: | ||
1728 | + dh = dh_new_group14(); | ||
1729 | + break; | ||
1730 | + case KEX_GSS_GEX_SHA1: | ||
1731 | + debug("Doing group exchange"); | ||
1732 | + packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); | ||
1733 | + min = packet_get_int(); | ||
1734 | + nbits = packet_get_int(); | ||
1735 | + max = packet_get_int(); | ||
1736 | + min = MAX(DH_GRP_MIN, min); | ||
1737 | + max = MIN(DH_GRP_MAX, max); | ||
1738 | + packet_check_eom(); | ||
1739 | + if (max < min || nbits < min || max < nbits) | ||
1740 | + fatal("GSS_GEX, bad parameters: %d !< %d !< %d", | ||
1741 | + min, nbits, max); | ||
1742 | + dh = PRIVSEP(choose_dh(min, nbits, max)); | ||
1743 | + if (dh == NULL) | ||
1744 | + packet_disconnect("Protocol error: no matching group found"); | ||
1745 | + | ||
1746 | + packet_start(SSH2_MSG_KEXGSS_GROUP); | ||
1747 | + packet_put_bignum2(dh->p); | ||
1748 | + packet_put_bignum2(dh->g); | ||
1749 | + packet_send(); | ||
1750 | + | ||
1751 | + packet_write_wait(); | ||
1752 | + break; | ||
1753 | + default: | ||
1754 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | ||
1755 | + } | ||
1756 | + | ||
1757 | + dh_gen_key(dh, kex->we_need * 8); | ||
1758 | + | ||
1759 | + do { | ||
1760 | + debug("Wait SSH2_MSG_GSSAPI_INIT"); | ||
1761 | + type = packet_read(); | ||
1762 | + switch(type) { | ||
1763 | + case SSH2_MSG_KEXGSS_INIT: | ||
1764 | + if (dh_client_pub != NULL) | ||
1765 | + fatal("Received KEXGSS_INIT after initialising"); | ||
1766 | + recv_tok.value = packet_get_string(&slen); | ||
1767 | + recv_tok.length = slen; | ||
1768 | + | ||
1769 | + if ((dh_client_pub = BN_new()) == NULL) | ||
1770 | + fatal("dh_client_pub == NULL"); | ||
1771 | + | ||
1772 | + packet_get_bignum2(dh_client_pub); | ||
1773 | + | ||
1774 | + /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ | ||
1775 | + break; | ||
1776 | + case SSH2_MSG_KEXGSS_CONTINUE: | ||
1777 | + recv_tok.value = packet_get_string(&slen); | ||
1778 | + recv_tok.length = slen; | ||
1779 | + break; | ||
1780 | + default: | ||
1781 | + packet_disconnect( | ||
1782 | + "Protocol error: didn't expect packet type %d", | ||
1783 | + type); | ||
1784 | + } | ||
1785 | + | ||
1786 | + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, | ||
1787 | + &send_tok, &ret_flags)); | ||
1788 | + | ||
1789 | + xfree(recv_tok.value); | ||
1790 | + | ||
1791 | + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) | ||
1792 | + fatal("Zero length token output when incomplete"); | ||
1793 | + | ||
1794 | + if (dh_client_pub == NULL) | ||
1795 | + fatal("No client public key"); | ||
1796 | + | ||
1797 | + if (maj_status & GSS_S_CONTINUE_NEEDED) { | ||
1798 | + debug("Sending GSSAPI_CONTINUE"); | ||
1799 | + packet_start(SSH2_MSG_KEXGSS_CONTINUE); | ||
1800 | + packet_put_string(send_tok.value, send_tok.length); | ||
1801 | + packet_send(); | ||
1802 | + gss_release_buffer(&min_status, &send_tok); | ||
1803 | + } | ||
1804 | + } while (maj_status & GSS_S_CONTINUE_NEEDED); | ||
1805 | + | ||
1806 | + if (GSS_ERROR(maj_status)) { | ||
1807 | + if (send_tok.length > 0) { | ||
1808 | + packet_start(SSH2_MSG_KEXGSS_CONTINUE); | ||
1809 | + packet_put_string(send_tok.value, send_tok.length); | ||
1810 | + packet_send(); | ||
1811 | + } | ||
1812 | + fatal("accept_ctx died"); | ||
1813 | + } | ||
1814 | + | ||
1815 | + if (!(ret_flags & GSS_C_MUTUAL_FLAG)) | ||
1816 | + fatal("Mutual Authentication flag wasn't set"); | ||
1817 | + | ||
1818 | + if (!(ret_flags & GSS_C_INTEG_FLAG)) | ||
1819 | + fatal("Integrity flag wasn't set"); | ||
1820 | + | ||
1821 | + if (!dh_pub_is_valid(dh, dh_client_pub)) | ||
1822 | + packet_disconnect("bad client public DH value"); | ||
1823 | + | ||
1824 | + klen = DH_size(dh); | ||
1825 | + kbuf = xmalloc(klen); | ||
1826 | + kout = DH_compute_key(kbuf, dh_client_pub, dh); | ||
1827 | + if (kout < 0) | ||
1828 | + fatal("DH_compute_key: failed"); | ||
1829 | + | ||
1830 | + shared_secret = BN_new(); | ||
1831 | + if (shared_secret == NULL) | ||
1832 | + fatal("kexgss_server: BN_new failed"); | ||
1833 | + | ||
1834 | + if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) | ||
1835 | + fatal("kexgss_server: BN_bin2bn failed"); | ||
1836 | + | ||
1837 | + memset(kbuf, 0, klen); | ||
1838 | + xfree(kbuf); | ||
1839 | + | ||
1840 | + switch (kex->kex_type) { | ||
1841 | + case KEX_GSS_GRP1_SHA1: | ||
1842 | + case KEX_GSS_GRP14_SHA1: | ||
1843 | + kex_dh_hash( | ||
1844 | + kex->client_version_string, kex->server_version_string, | ||
1845 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | ||
1846 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | ||
1847 | + NULL, 0, /* Change this if we start sending host keys */ | ||
1848 | + dh_client_pub, dh->pub_key, shared_secret, | ||
1849 | + &hash, &hashlen | ||
1850 | + ); | ||
1851 | + break; | ||
1852 | + case KEX_GSS_GEX_SHA1: | ||
1853 | + kexgex_hash( | ||
1854 | + kex->evp_md, | ||
1855 | + kex->client_version_string, kex->server_version_string, | ||
1856 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | ||
1857 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | ||
1858 | + NULL, 0, | ||
1859 | + min, nbits, max, | ||
1860 | + dh->p, dh->g, | ||
1861 | + dh_client_pub, | ||
1862 | + dh->pub_key, | ||
1863 | + shared_secret, | ||
1864 | + &hash, &hashlen | ||
1865 | + ); | ||
1866 | + break; | ||
1867 | + default: | ||
1868 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | ||
1869 | + } | ||
1870 | + | ||
1871 | + BN_clear_free(dh_client_pub); | ||
1872 | + | ||
1873 | + if (kex->session_id == NULL) { | ||
1874 | + kex->session_id_len = hashlen; | ||
1875 | + kex->session_id = xmalloc(kex->session_id_len); | ||
1876 | + memcpy(kex->session_id, hash, kex->session_id_len); | ||
1877 | + } | ||
1878 | + | ||
1879 | + gssbuf.value = hash; | ||
1880 | + gssbuf.length = hashlen; | ||
1881 | + | ||
1882 | + if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok)))) | ||
1883 | + fatal("Couldn't get MIC"); | ||
1884 | + | ||
1885 | + packet_start(SSH2_MSG_KEXGSS_COMPLETE); | ||
1886 | + packet_put_bignum2(dh->pub_key); | ||
1887 | + packet_put_string(msg_tok.value,msg_tok.length); | ||
1888 | + | ||
1889 | + if (send_tok.length != 0) { | ||
1890 | + packet_put_char(1); /* true */ | ||
1891 | + packet_put_string(send_tok.value, send_tok.length); | ||
1892 | + } else { | ||
1893 | + packet_put_char(0); /* false */ | ||
1894 | + } | ||
1895 | + packet_send(); | ||
1896 | + | ||
1897 | + gss_release_buffer(&min_status, &send_tok); | ||
1898 | + gss_release_buffer(&min_status, &msg_tok); | ||
1899 | + | ||
1900 | + if (gss_kex_context == NULL) | ||
1901 | + gss_kex_context = ctxt; | ||
1902 | + else | ||
1903 | + ssh_gssapi_delete_ctx(&ctxt); | ||
1904 | + | ||
1905 | + DH_free(dh); | ||
1906 | + | ||
1907 | + kex_derive_keys(kex, hash, hashlen, shared_secret); | ||
1908 | + BN_clear_free(shared_secret); | ||
1909 | + kex_finish(kex); | ||
1910 | + | ||
1911 | + /* If this was a rekey, then save out any delegated credentials we | ||
1912 | + * just exchanged. */ | ||
1913 | + if (options.gss_store_rekey) | ||
1914 | + ssh_gssapi_rekey_creds(); | ||
1915 | +} | ||
1916 | +#endif /* GSSAPI */ | ||
1917 | Index: b/key.c | ||
1918 | =================================================================== | ||
1919 | --- a/key.c | ||
1920 | +++ b/key.c | ||
1921 | @@ -982,6 +982,8 @@ | ||
1922 | return KEY_RSA_CERT; | ||
1923 | } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { | ||
1924 | return KEY_DSA_CERT; | ||
1925 | + } else if (strcmp(name, "null") == 0) { | ||
1926 | + return KEY_NULL; | ||
1927 | } | ||
1928 | debug2("key_type_from_name: unknown key type '%s'", name); | ||
1929 | return KEY_UNSPEC; | ||
1930 | Index: b/key.h | ||
1931 | =================================================================== | ||
1932 | --- a/key.h | ||
1933 | +++ b/key.h | ||
1934 | @@ -37,6 +37,7 @@ | ||
1935 | KEY_DSA, | ||
1936 | KEY_RSA_CERT, | ||
1937 | KEY_DSA_CERT, | ||
1938 | + KEY_NULL, | ||
1939 | KEY_UNSPEC | ||
1940 | }; | ||
1941 | enum fp_type { | ||
1942 | Index: b/monitor.c | ||
1943 | =================================================================== | ||
1944 | --- a/monitor.c | ||
1945 | +++ b/monitor.c | ||
1946 | @@ -172,6 +172,8 @@ | ||
1947 | int mm_answer_gss_accept_ctx(int, Buffer *); | ||
1948 | int mm_answer_gss_userok(int, Buffer *); | ||
1949 | int mm_answer_gss_checkmic(int, Buffer *); | ||
1950 | +int mm_answer_gss_sign(int, Buffer *); | ||
1951 | +int mm_answer_gss_updatecreds(int, Buffer *); | ||
1952 | #endif | ||
1953 | |||
1954 | #ifdef SSH_AUDIT_EVENTS | ||
1955 | @@ -241,6 +243,7 @@ | ||
1956 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | ||
1957 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | ||
1958 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | ||
1959 | + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, | ||
1960 | #endif | ||
1961 | #ifdef JPAKE | ||
1962 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | ||
1963 | @@ -253,6 +256,12 @@ | ||
1964 | }; | ||
1965 | |||
1966 | struct mon_table mon_dispatch_postauth20[] = { | ||
1967 | +#ifdef GSSAPI | ||
1968 | + {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, | ||
1969 | + {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, | ||
1970 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, | ||
1971 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, | ||
1972 | +#endif | ||
1973 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | ||
1974 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | ||
1975 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | ||
1976 | @@ -357,6 +366,10 @@ | ||
1977 | /* Permit requests for moduli and signatures */ | ||
1978 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | ||
1979 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | ||
1980 | +#ifdef GSSAPI | ||
1981 | + /* and for the GSSAPI key exchange */ | ||
1982 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | ||
1983 | +#endif | ||
1984 | } else { | ||
1985 | mon_dispatch = mon_dispatch_proto15; | ||
1986 | |||
1987 | @@ -443,6 +456,10 @@ | ||
1988 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | ||
1989 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | ||
1990 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | ||
1991 | +#ifdef GSSAPI | ||
1992 | + /* and for the GSSAPI key exchange */ | ||
1993 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); | ||
1994 | +#endif | ||
1995 | } else { | ||
1996 | mon_dispatch = mon_dispatch_postauth15; | ||
1997 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | ||
1998 | @@ -1691,6 +1708,13 @@ | ||
1999 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | ||
2000 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | ||
2001 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
2002 | +#ifdef GSSAPI | ||
2003 | + if (options.gss_keyex) { | ||
2004 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | ||
2005 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; | ||
2006 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; | ||
2007 | + } | ||
2008 | +#endif | ||
2009 | kex->server = 1; | ||
2010 | kex->hostkey_type = buffer_get_int(m); | ||
2011 | kex->kex_type = buffer_get_int(m); | ||
2012 | @@ -1897,6 +1921,9 @@ | ||
2013 | OM_uint32 major; | ||
2014 | u_int len; | ||
2015 | |||
2016 | + if (!options.gss_authentication && !options.gss_keyex) | ||
2017 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | ||
2018 | + | ||
2019 | goid.elements = buffer_get_string(m, &len); | ||
2020 | goid.length = len; | ||
2021 | |||
2022 | @@ -1924,6 +1951,9 @@ | ||
2023 | OM_uint32 flags = 0; /* GSI needs this */ | ||
2024 | u_int len; | ||
2025 | |||
2026 | + if (!options.gss_authentication && !options.gss_keyex) | ||
2027 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | ||
2028 | + | ||
2029 | in.value = buffer_get_string(m, &len); | ||
2030 | in.length = len; | ||
2031 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | ||
2032 | @@ -1941,6 +1971,7 @@ | ||
2033 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | ||
2034 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | ||
2035 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | ||
2036 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); | ||
2037 | } | ||
2038 | return (0); | ||
2039 | } | ||
2040 | @@ -1952,6 +1983,9 @@ | ||
2041 | OM_uint32 ret; | ||
2042 | u_int len; | ||
2043 | |||
2044 | + if (!options.gss_authentication && !options.gss_keyex) | ||
2045 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | ||
2046 | + | ||
2047 | gssbuf.value = buffer_get_string(m, &len); | ||
2048 | gssbuf.length = len; | ||
2049 | mic.value = buffer_get_string(m, &len); | ||
2050 | @@ -1978,7 +2012,11 @@ | ||
2051 | { | ||
2052 | int authenticated; | ||
2053 | |||
2054 | - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); | ||
2055 | + if (!options.gss_authentication && !options.gss_keyex) | ||
2056 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | ||
2057 | + | ||
2058 | + authenticated = authctxt->valid && | ||
2059 | + ssh_gssapi_userok(authctxt->user, authctxt->pw); | ||
2060 | |||
2061 | buffer_clear(m); | ||
2062 | buffer_put_int(m, authenticated); | ||
2063 | @@ -1991,6 +2029,74 @@ | ||
2064 | /* Monitor loop will terminate if authenticated */ | ||
2065 | return (authenticated); | ||
2066 | } | ||
2067 | + | ||
2068 | +int | ||
2069 | +mm_answer_gss_sign(int socket, Buffer *m) | ||
2070 | +{ | ||
2071 | + gss_buffer_desc data; | ||
2072 | + gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; | ||
2073 | + OM_uint32 major, minor; | ||
2074 | + u_int len; | ||
2075 | + | ||
2076 | + if (!options.gss_authentication && !options.gss_keyex) | ||
2077 | + fatal("In GSSAPI monitor when GSSAPI is disabled"); | ||
2078 | + | ||
2079 | + data.value = buffer_get_string(m, &len); | ||
2080 | + data.length = len; | ||
2081 | + if (data.length != 20) | ||
2082 | + fatal("%s: data length incorrect: %d", __func__, | ||
2083 | + (int) data.length); | ||
2084 | + | ||
2085 | + /* Save the session ID on the first time around */ | ||
2086 | + if (session_id2_len == 0) { | ||
2087 | + session_id2_len = data.length; | ||
2088 | + session_id2 = xmalloc(session_id2_len); | ||
2089 | + memcpy(session_id2, data.value, session_id2_len); | ||
2090 | + } | ||
2091 | + major = ssh_gssapi_sign(gsscontext, &data, &hash); | ||
2092 | + | ||
2093 | + xfree(data.value); | ||
2094 | + | ||
2095 | + buffer_clear(m); | ||
2096 | + buffer_put_int(m, major); | ||
2097 | + buffer_put_string(m, hash.value, hash.length); | ||
2098 | + | ||
2099 | + mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); | ||
2100 | + | ||
2101 | + gss_release_buffer(&minor, &hash); | ||
2102 | + | ||
2103 | + /* Turn on getpwnam permissions */ | ||
2104 | + monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); | ||
2105 | + | ||
2106 | + /* And credential updating, for when rekeying */ | ||
2107 | + monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1); | ||
2108 | + | ||
2109 | + return (0); | ||
2110 | +} | ||
2111 | + | ||
2112 | +int | ||
2113 | +mm_answer_gss_updatecreds(int socket, Buffer *m) { | ||
2114 | + ssh_gssapi_ccache store; | ||
2115 | + int ok; | ||
2116 | + | ||
2117 | + store.filename = buffer_get_string(m, NULL); | ||
2118 | + store.envvar = buffer_get_string(m, NULL); | ||
2119 | + store.envval = buffer_get_string(m, NULL); | ||
2120 | + | ||
2121 | + ok = ssh_gssapi_update_creds(&store); | ||
2122 | + | ||
2123 | + xfree(store.filename); | ||
2124 | + xfree(store.envvar); | ||
2125 | + xfree(store.envval); | ||
2126 | + | ||
2127 | + buffer_clear(m); | ||
2128 | + buffer_put_int(m, ok); | ||
2129 | + | ||
2130 | + mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); | ||
2131 | + | ||
2132 | + return(0); | ||
2133 | +} | ||
2134 | + | ||
2135 | #endif /* GSSAPI */ | ||
2136 | |||
2137 | #ifdef JPAKE | ||
2138 | Index: b/monitor.h | ||
2139 | =================================================================== | ||
2140 | --- a/monitor.h | ||
2141 | +++ b/monitor.h | ||
2142 | @@ -53,6 +53,8 @@ | ||
2143 | MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, | ||
2144 | MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, | ||
2145 | MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, | ||
2146 | + MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN, | ||
2147 | + MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS, | ||
2148 | MONITOR_REQ_PAM_START, | ||
2149 | MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, | ||
2150 | MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, | ||
2151 | Index: b/monitor_wrap.c | ||
2152 | =================================================================== | ||
2153 | --- a/monitor_wrap.c | ||
2154 | +++ b/monitor_wrap.c | ||
2155 | @@ -1231,7 +1231,7 @@ | ||
2156 | } | ||
2157 | |||
2158 | int | ||
2159 | -mm_ssh_gssapi_userok(char *user) | ||
2160 | +mm_ssh_gssapi_userok(char *user, struct passwd *pw) | ||
2161 | { | ||
2162 | Buffer m; | ||
2163 | int authenticated = 0; | ||
2164 | @@ -1248,6 +1248,51 @@ | ||
2165 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | ||
2166 | return (authenticated); | ||
2167 | } | ||
2168 | + | ||
2169 | +OM_uint32 | ||
2170 | +mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) | ||
2171 | +{ | ||
2172 | + Buffer m; | ||
2173 | + OM_uint32 major; | ||
2174 | + u_int len; | ||
2175 | + | ||
2176 | + buffer_init(&m); | ||
2177 | + buffer_put_string(&m, data->value, data->length); | ||
2178 | + | ||
2179 | + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m); | ||
2180 | + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m); | ||
2181 | + | ||
2182 | + major = buffer_get_int(&m); | ||
2183 | + hash->value = buffer_get_string(&m, &len); | ||
2184 | + hash->length = len; | ||
2185 | + | ||
2186 | + buffer_free(&m); | ||
2187 | + | ||
2188 | + return(major); | ||
2189 | +} | ||
2190 | + | ||
2191 | +int | ||
2192 | +mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) | ||
2193 | +{ | ||
2194 | + Buffer m; | ||
2195 | + int ok; | ||
2196 | + | ||
2197 | + buffer_init(&m); | ||
2198 | + | ||
2199 | + buffer_put_cstring(&m, store->filename ? store->filename : ""); | ||
2200 | + buffer_put_cstring(&m, store->envvar ? store->envvar : ""); | ||
2201 | + buffer_put_cstring(&m, store->envval ? store->envval : ""); | ||
2202 | + | ||
2203 | + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m); | ||
2204 | + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m); | ||
2205 | + | ||
2206 | + ok = buffer_get_int(&m); | ||
2207 | + | ||
2208 | + buffer_free(&m); | ||
2209 | + | ||
2210 | + return (ok); | ||
2211 | +} | ||
2212 | + | ||
2213 | #endif /* GSSAPI */ | ||
2214 | |||
2215 | #ifdef JPAKE | ||
2216 | Index: b/monitor_wrap.h | ||
2217 | =================================================================== | ||
2218 | --- a/monitor_wrap.h | ||
2219 | +++ b/monitor_wrap.h | ||
2220 | @@ -57,8 +57,10 @@ | ||
2221 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | ||
2222 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | ||
2223 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | ||
2224 | -int mm_ssh_gssapi_userok(char *user); | ||
2225 | +int mm_ssh_gssapi_userok(char *user, struct passwd *); | ||
2226 | OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); | ||
2227 | +OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | ||
2228 | +int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *); | ||
2229 | #endif | ||
2230 | |||
2231 | #ifdef USE_PAM | ||
2232 | Index: b/readconf.c | ||
2233 | =================================================================== | ||
2234 | --- a/readconf.c | ||
2235 | +++ b/readconf.c | ||
2236 | @@ -127,6 +127,7 @@ | ||
2237 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | ||
2238 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | ||
2239 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | ||
2240 | + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, | ||
2241 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | ||
2242 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | ||
2243 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | ||
2244 | @@ -164,10 +165,18 @@ | ||
2245 | { "afstokenpassing", oUnsupported }, | ||
2246 | #if defined(GSSAPI) | ||
2247 | { "gssapiauthentication", oGssAuthentication }, | ||
2248 | + { "gssapikeyexchange", oGssKeyEx }, | ||
2249 | { "gssapidelegatecredentials", oGssDelegateCreds }, | ||
2250 | + { "gssapitrustdns", oGssTrustDns }, | ||
2251 | + { "gssapiclientidentity", oGssClientIdentity }, | ||
2252 | + { "gssapirenewalforcesrekey", oGssRenewalRekey }, | ||
2253 | #else | ||
2254 | { "gssapiauthentication", oUnsupported }, | ||
2255 | + { "gssapikeyexchange", oUnsupported }, | ||
2256 | { "gssapidelegatecredentials", oUnsupported }, | ||
2257 | + { "gssapitrustdns", oUnsupported }, | ||
2258 | + { "gssapiclientidentity", oUnsupported }, | ||
2259 | + { "gssapirenewalforcesrekey", oUnsupported }, | ||
2260 | #endif | ||
2261 | { "fallbacktorsh", oDeprecated }, | ||
2262 | { "usersh", oDeprecated }, | ||
2263 | @@ -456,10 +465,26 @@ | ||
2264 | intptr = &options->gss_authentication; | ||
2265 | goto parse_flag; | ||
2266 | |||
2267 | + case oGssKeyEx: | ||
2268 | + intptr = &options->gss_keyex; | ||
2269 | + goto parse_flag; | ||
2270 | + | ||
2271 | case oGssDelegateCreds: | ||
2272 | intptr = &options->gss_deleg_creds; | ||
2273 | goto parse_flag; | ||
2274 | |||
2275 | + case oGssTrustDns: | ||
2276 | + intptr = &options->gss_trust_dns; | ||
2277 | + goto parse_flag; | ||
2278 | + | ||
2279 | + case oGssClientIdentity: | ||
2280 | + charptr = &options->gss_client_identity; | ||
2281 | + goto parse_string; | ||
2282 | + | ||
2283 | + case oGssRenewalRekey: | ||
2284 | + intptr = &options->gss_renewal_rekey; | ||
2285 | + goto parse_flag; | ||
2286 | + | ||
2287 | case oBatchMode: | ||
2288 | intptr = &options->batch_mode; | ||
2289 | goto parse_flag; | ||
2290 | @@ -1015,7 +1040,11 @@ | ||
2291 | options->pubkey_authentication = -1; | ||
2292 | options->challenge_response_authentication = -1; | ||
2293 | options->gss_authentication = -1; | ||
2294 | + options->gss_keyex = -1; | ||
2295 | options->gss_deleg_creds = -1; | ||
2296 | + options->gss_trust_dns = -1; | ||
2297 | + options->gss_renewal_rekey = -1; | ||
2298 | + options->gss_client_identity = NULL; | ||
2299 | options->password_authentication = -1; | ||
2300 | options->kbd_interactive_authentication = -1; | ||
2301 | options->kbd_interactive_devices = NULL; | ||
2302 | @@ -1107,8 +1136,14 @@ | ||
2303 | options->challenge_response_authentication = 1; | ||
2304 | if (options->gss_authentication == -1) | ||
2305 | options->gss_authentication = 0; | ||
2306 | + if (options->gss_keyex == -1) | ||
2307 | + options->gss_keyex = 0; | ||
2308 | if (options->gss_deleg_creds == -1) | ||
2309 | options->gss_deleg_creds = 0; | ||
2310 | + if (options->gss_trust_dns == -1) | ||
2311 | + options->gss_trust_dns = 0; | ||
2312 | + if (options->gss_renewal_rekey == -1) | ||
2313 | + options->gss_renewal_rekey = 0; | ||
2314 | if (options->password_authentication == -1) | ||
2315 | options->password_authentication = 1; | ||
2316 | if (options->kbd_interactive_authentication == -1) | ||
2317 | Index: b/readconf.h | ||
2318 | =================================================================== | ||
2319 | --- a/readconf.h | ||
2320 | +++ b/readconf.h | ||
2321 | @@ -44,7 +44,11 @@ | ||
2322 | int challenge_response_authentication; | ||
2323 | /* Try S/Key or TIS, authentication. */ | ||
2324 | int gss_authentication; /* Try GSS authentication */ | ||
2325 | + int gss_keyex; /* Try GSS key exchange */ | ||
2326 | int gss_deleg_creds; /* Delegate GSS credentials */ | ||
2327 | + int gss_trust_dns; /* Trust DNS for GSS canonicalization */ | ||
2328 | + int gss_renewal_rekey; /* Credential renewal forces rekey */ | ||
2329 | + char *gss_client_identity; /* Principal to initiate GSSAPI with */ | ||
2330 | int password_authentication; /* Try password | ||
2331 | * authentication. */ | ||
2332 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | ||
2333 | Index: b/servconf.c | ||
2334 | =================================================================== | ||
2335 | --- a/servconf.c | ||
2336 | +++ b/servconf.c | ||
2337 | @@ -93,7 +93,10 @@ | ||
2338 | options->kerberos_ticket_cleanup = -1; | ||
2339 | options->kerberos_get_afs_token = -1; | ||
2340 | options->gss_authentication=-1; | ||
2341 | + options->gss_keyex = -1; | ||
2342 | options->gss_cleanup_creds = -1; | ||
2343 | + options->gss_strict_acceptor = -1; | ||
2344 | + options->gss_store_rekey = -1; | ||
2345 | options->password_authentication = -1; | ||
2346 | options->kbd_interactive_authentication = -1; | ||
2347 | options->challenge_response_authentication = -1; | ||
2348 | @@ -214,8 +217,14 @@ | ||
2349 | options->kerberos_get_afs_token = 0; | ||
2350 | if (options->gss_authentication == -1) | ||
2351 | options->gss_authentication = 0; | ||
2352 | + if (options->gss_keyex == -1) | ||
2353 | + options->gss_keyex = 0; | ||
2354 | if (options->gss_cleanup_creds == -1) | ||
2355 | options->gss_cleanup_creds = 1; | ||
2356 | + if (options->gss_strict_acceptor == -1) | ||
2357 | + options->gss_strict_acceptor = 1; | ||
2358 | + if (options->gss_store_rekey == -1) | ||
2359 | + options->gss_store_rekey = 0; | ||
2360 | if (options->password_authentication == -1) | ||
2361 | options->password_authentication = 1; | ||
2362 | if (options->kbd_interactive_authentication == -1) | ||
2363 | @@ -306,7 +315,9 @@ | ||
2364 | sBanner, sUseDNS, sHostbasedAuthentication, | ||
2365 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | ||
2366 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | ||
2367 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | ||
2368 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | ||
2369 | + sGssKeyEx, sGssStoreRekey, | ||
2370 | + sAcceptEnv, sPermitTunnel, | ||
2371 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | ||
2372 | sUsePrivilegeSeparation, sAllowAgentForwarding, | ||
2373 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | ||
2374 | @@ -369,9 +380,15 @@ | ||
2375 | #ifdef GSSAPI | ||
2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | ||
2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
2378 | + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | ||
2379 | + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | ||
2380 | + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | ||
2381 | #else | ||
2382 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | ||
2383 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | ||
2384 | + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | ||
2385 | + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | ||
2386 | + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | ||
2387 | #endif | ||
2388 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | ||
2389 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | ||
2390 | @@ -924,10 +941,22 @@ | ||
2391 | intptr = &options->gss_authentication; | ||
2392 | goto parse_flag; | ||
2393 | |||
2394 | + case sGssKeyEx: | ||
2395 | + intptr = &options->gss_keyex; | ||
2396 | + goto parse_flag; | ||
2397 | + | ||
2398 | case sGssCleanupCreds: | ||
2399 | intptr = &options->gss_cleanup_creds; | ||
2400 | goto parse_flag; | ||
2401 | |||
2402 | + case sGssStrictAcceptor: | ||
2403 | + intptr = &options->gss_strict_acceptor; | ||
2404 | + goto parse_flag; | ||
2405 | + | ||
2406 | + case sGssStoreRekey: | ||
2407 | + intptr = &options->gss_store_rekey; | ||
2408 | + goto parse_flag; | ||
2409 | + | ||
2410 | case sPasswordAuthentication: | ||
2411 | intptr = &options->password_authentication; | ||
2412 | goto parse_flag; | ||
2413 | Index: b/servconf.h | ||
2414 | =================================================================== | ||
2415 | --- a/servconf.h | ||
2416 | +++ b/servconf.h | ||
2417 | @@ -94,7 +94,10 @@ | ||
2418 | int kerberos_get_afs_token; /* If true, try to get AFS token if | ||
2419 | * authenticated with Kerberos. */ | ||
2420 | int gss_authentication; /* If true, permit GSSAPI authentication */ | ||
2421 | + int gss_keyex; /* If true, permit GSSAPI key exchange */ | ||
2422 | int gss_cleanup_creds; /* If true, destroy cred cache on logout */ | ||
2423 | + int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ | ||
2424 | + int gss_store_rekey; | ||
2425 | int password_authentication; /* If true, permit password | ||
2426 | * authentication. */ | ||
2427 | int kbd_interactive_authentication; /* If true, permit */ | ||
2428 | Index: b/ssh-gss.h | ||
2429 | =================================================================== | ||
2430 | --- a/ssh-gss.h | ||
2431 | +++ b/ssh-gss.h | ||
2432 | @@ -1,6 +1,6 @@ | ||
2433 | /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ | ||
2434 | /* | ||
2435 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | ||
2436 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | ||
2437 | * | ||
2438 | * Redistribution and use in source and binary forms, with or without | ||
2439 | * modification, are permitted provided that the following conditions | ||
2440 | @@ -60,10 +60,22 @@ | ||
2441 | |||
2442 | #define SSH_GSS_OIDTYPE 0x06 | ||
2443 | |||
2444 | +#define SSH2_MSG_KEXGSS_INIT 30 | ||
2445 | +#define SSH2_MSG_KEXGSS_CONTINUE 31 | ||
2446 | +#define SSH2_MSG_KEXGSS_COMPLETE 32 | ||
2447 | +#define SSH2_MSG_KEXGSS_HOSTKEY 33 | ||
2448 | +#define SSH2_MSG_KEXGSS_ERROR 34 | ||
2449 | +#define SSH2_MSG_KEXGSS_GROUPREQ 40 | ||
2450 | +#define SSH2_MSG_KEXGSS_GROUP 41 | ||
2451 | +#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" | ||
2452 | +#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" | ||
2453 | +#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" | ||
2454 | + | ||
2455 | typedef struct { | ||
2456 | char *filename; | ||
2457 | char *envvar; | ||
2458 | char *envval; | ||
2459 | + struct passwd *owner; | ||
2460 | void *data; | ||
2461 | } ssh_gssapi_ccache; | ||
2462 | |||
2463 | @@ -71,8 +83,11 @@ | ||
2464 | gss_buffer_desc displayname; | ||
2465 | gss_buffer_desc exportedname; | ||
2466 | gss_cred_id_t creds; | ||
2467 | + gss_name_t name; | ||
2468 | struct ssh_gssapi_mech_struct *mech; | ||
2469 | ssh_gssapi_ccache store; | ||
2470 | + int used; | ||
2471 | + int updated; | ||
2472 | } ssh_gssapi_client; | ||
2473 | |||
2474 | typedef struct ssh_gssapi_mech_struct { | ||
2475 | @@ -83,6 +98,7 @@ | ||
2476 | int (*userok) (ssh_gssapi_client *, char *); | ||
2477 | int (*localname) (ssh_gssapi_client *, char **); | ||
2478 | void (*storecreds) (ssh_gssapi_client *); | ||
2479 | + int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *); | ||
2480 | } ssh_gssapi_mech; | ||
2481 | |||
2482 | typedef struct { | ||
2483 | @@ -93,10 +109,11 @@ | ||
2484 | gss_OID oid; /* client */ | ||
2485 | gss_cred_id_t creds; /* server */ | ||
2486 | gss_name_t client; /* server */ | ||
2487 | - gss_cred_id_t client_creds; /* server */ | ||
2488 | + gss_cred_id_t client_creds; /* both */ | ||
2489 | } Gssctxt; | ||
2490 | |||
2491 | extern ssh_gssapi_mech *supported_mechs[]; | ||
2492 | +extern Gssctxt *gss_kex_context; | ||
2493 | |||
2494 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | ||
2495 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | ||
2496 | @@ -116,16 +133,30 @@ | ||
2497 | void ssh_gssapi_delete_ctx(Gssctxt **); | ||
2498 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | ||
2499 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | ||
2500 | -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); | ||
2501 | +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); | ||
2502 | +OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); | ||
2503 | +int ssh_gssapi_credentials_updated(Gssctxt *); | ||
2504 | |||
2505 | /* In the server */ | ||
2506 | +typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, | ||
2507 | + const char *); | ||
2508 | +char *ssh_gssapi_client_mechanisms(const char *, const char *); | ||
2509 | +char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, | ||
2510 | + const char *); | ||
2511 | +gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); | ||
2512 | +int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, | ||
2513 | + const char *); | ||
2514 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | ||
2515 | -int ssh_gssapi_userok(char *name); | ||
2516 | +int ssh_gssapi_userok(char *name, struct passwd *); | ||
2517 | OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); | ||
2518 | void ssh_gssapi_do_child(char ***, u_int *); | ||
2519 | void ssh_gssapi_cleanup_creds(void); | ||
2520 | void ssh_gssapi_storecreds(void); | ||
2521 | |||
2522 | +char *ssh_gssapi_server_mechanisms(void); | ||
2523 | +int ssh_gssapi_oid_table_ok(); | ||
2524 | + | ||
2525 | +int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); | ||
2526 | #endif /* GSSAPI */ | ||
2527 | |||
2528 | #endif /* _SSH_GSS_H */ | ||
2529 | Index: b/ssh_config | ||
2530 | =================================================================== | ||
2531 | --- a/ssh_config | ||
2532 | +++ b/ssh_config | ||
2533 | @@ -26,6 +26,8 @@ | ||
2534 | # HostbasedAuthentication no | ||
2535 | # GSSAPIAuthentication no | ||
2536 | # GSSAPIDelegateCredentials no | ||
2537 | +# GSSAPIKeyExchange no | ||
2538 | +# GSSAPITrustDNS no | ||
2539 | # BatchMode no | ||
2540 | # CheckHostIP yes | ||
2541 | # AddressFamily any | ||
2542 | Index: b/ssh_config.5 | ||
2543 | =================================================================== | ||
2544 | --- a/ssh_config.5 | ||
2545 | +++ b/ssh_config.5 | ||
2546 | @@ -478,11 +478,38 @@ | ||
2547 | The default is | ||
2548 | .Dq no . | ||
2549 | Note that this option applies to protocol version 2 only. | ||
2550 | +.It Cm GSSAPIKeyExchange | ||
2551 | +Specifies whether key exchange based on GSSAPI may be used. When using | ||
2552 | +GSSAPI key exchange the server need not have a host key. | ||
2553 | +The default is | ||
2554 | +.Dq no . | ||
2555 | +Note that this option applies to protocol version 2 only. | ||
2556 | +.It Cm GSSAPIClientIdentity | ||
2557 | +If set, specifies the GSSAPI client identity that ssh should use when | ||
2558 | +connecting to the server. The default is unset, which means that the default | ||
2559 | +identity will be used. | ||
2560 | .It Cm GSSAPIDelegateCredentials | ||
2561 | Forward (delegate) credentials to the server. | ||
2562 | The default is | ||
2563 | .Dq no . | ||
2564 | -Note that this option applies to protocol version 2 only. | ||
2565 | +Note that this option applies to protocol version 2 connections using GSSAPI. | ||
2566 | +.It Cm GSSAPIRenewalForcesRekey | ||
2567 | +If set to | ||
2568 | +.Dq yes | ||
2569 | +then renewal of the client's GSSAPI credentials will force the rekeying of the | ||
2570 | +ssh connection. With a compatible server, this can delegate the renewed | ||
2571 | +credentials to a session on the server. | ||
2572 | +The default is | ||
2573 | +.Dq no . | ||
2574 | +.It Cm GSSAPITrustDns | ||
2575 | +Set to | ||
2576 | +.Dq yes to indicate that the DNS is trusted to securely canonicalize | ||
2577 | +the name of the host being connected to. If | ||
2578 | +.Dq no, the hostname entered on the | ||
2579 | +command line will be passed untouched to the GSSAPI library. | ||
2580 | +The default is | ||
2581 | +.Dq no . | ||
2582 | +This option only applies to protocol version 2 connections using GSSAPI. | ||
2583 | .It Cm HashKnownHosts | ||
2584 | Indicates that | ||
2585 | .Xr ssh 1 | ||
2586 | Index: b/sshconnect2.c | ||
2587 | =================================================================== | ||
2588 | --- a/sshconnect2.c | ||
2589 | +++ b/sshconnect2.c | ||
2590 | @@ -106,9 +106,34 @@ | ||
2591 | { | ||
2592 | Kex *kex; | ||
2593 | |||
2594 | +#ifdef GSSAPI | ||
2595 | + char *orig = NULL, *gss = NULL; | ||
2596 | + char *gss_host = NULL; | ||
2597 | +#endif | ||
2598 | + | ||
2599 | xxx_host = host; | ||
2600 | xxx_hostaddr = hostaddr; | ||
2601 | |||
2602 | +#ifdef GSSAPI | ||
2603 | + if (options.gss_keyex) { | ||
2604 | + /* Add the GSSAPI mechanisms currently supported on this | ||
2605 | + * client to the key exchange algorithm proposal */ | ||
2606 | + orig = myproposal[PROPOSAL_KEX_ALGS]; | ||
2607 | + | ||
2608 | + if (options.gss_trust_dns) | ||
2609 | + gss_host = (char *)get_canonical_hostname(1); | ||
2610 | + else | ||
2611 | + gss_host = host; | ||
2612 | + | ||
2613 | + gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); | ||
2614 | + if (gss) { | ||
2615 | + debug("Offering GSSAPI proposal: %s", gss); | ||
2616 | + xasprintf(&myproposal[PROPOSAL_KEX_ALGS], | ||
2617 | + "%s,%s", gss, orig); | ||
2618 | + } | ||
2619 | + } | ||
2620 | +#endif | ||
2621 | + | ||
2622 | if (options.ciphers == (char *)-1) { | ||
2623 | logit("No valid ciphers for protocol version 2 given, using defaults."); | ||
2624 | options.ciphers = NULL; | ||
2625 | @@ -136,6 +161,17 @@ | ||
2626 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | ||
2627 | options.hostkeyalgorithms; | ||
2628 | |||
2629 | +#ifdef GSSAPI | ||
2630 | + /* If we've got GSSAPI algorithms, then we also support the | ||
2631 | + * 'null' hostkey, as a last resort */ | ||
2632 | + if (options.gss_keyex && gss) { | ||
2633 | + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; | ||
2634 | + xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], | ||
2635 | + "%s,null", orig); | ||
2636 | + xfree(gss); | ||
2637 | + } | ||
2638 | +#endif | ||
2639 | + | ||
2640 | if (options.rekey_limit) | ||
2641 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | ||
2642 | |||
2643 | @@ -145,10 +181,26 @@ | ||
2644 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client; | ||
2645 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | ||
2646 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | ||
2647 | +#ifdef GSSAPI | ||
2648 | + if (options.gss_keyex) { | ||
2649 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | ||
2650 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; | ||
2651 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; | ||
2652 | + } | ||
2653 | +#endif | ||
2654 | kex->client_version_string=client_version_string; | ||
2655 | kex->server_version_string=server_version_string; | ||
2656 | kex->verify_host_key=&verify_host_key_callback; | ||
2657 | |||
2658 | +#ifdef GSSAPI | ||
2659 | + if (options.gss_keyex) { | ||
2660 | + kex->gss_deleg_creds = options.gss_deleg_creds; | ||
2661 | + kex->gss_trust_dns = options.gss_trust_dns; | ||
2662 | + kex->gss_client = options.gss_client_identity; | ||
2663 | + kex->gss_host = gss_host; | ||
2664 | + } | ||
2665 | +#endif | ||
2666 | + | ||
2667 | xxx_kex = kex; | ||
2668 | |||
2669 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | ||
2670 | @@ -243,6 +295,7 @@ | ||
2671 | void input_gssapi_hash(int type, u_int32_t, void *); | ||
2672 | void input_gssapi_error(int, u_int32_t, void *); | ||
2673 | void input_gssapi_errtok(int, u_int32_t, void *); | ||
2674 | +int userauth_gsskeyex(Authctxt *authctxt); | ||
2675 | #endif | ||
2676 | |||
2677 | void userauth(Authctxt *, char *); | ||
2678 | @@ -258,6 +311,11 @@ | ||
2679 | |||
2680 | Authmethod authmethods[] = { | ||
2681 | #ifdef GSSAPI | ||
2682 | + {"gssapi-keyex", | ||
2683 | + userauth_gsskeyex, | ||
2684 | + NULL, | ||
2685 | + &options.gss_authentication, | ||
2686 | + NULL}, | ||
2687 | {"gssapi-with-mic", | ||
2688 | userauth_gssapi, | ||
2689 | NULL, | ||
2690 | @@ -564,19 +622,29 @@ | ||
2691 | static u_int mech = 0; | ||
2692 | OM_uint32 min; | ||
2693 | int ok = 0; | ||
2694 | + const char *gss_host; | ||
2695 | + | ||
2696 | + if (options.gss_trust_dns) | ||
2697 | + gss_host = get_canonical_hostname(1); | ||
2698 | + else | ||
2699 | + gss_host = authctxt->host; | ||
2700 | |||
2701 | /* Try one GSSAPI method at a time, rather than sending them all at | ||
2702 | * once. */ | ||
2703 | |||
2704 | if (gss_supported == NULL) | ||
2705 | - gss_indicate_mechs(&min, &gss_supported); | ||
2706 | + if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { | ||
2707 | + gss_supported = NULL; | ||
2708 | + return 0; | ||
2709 | + } | ||
2710 | |||
2711 | /* Check to see if the mechanism is usable before we offer it */ | ||
2712 | while (mech < gss_supported->count && !ok) { | ||
2713 | /* My DER encoding requires length<128 */ | ||
2714 | if (gss_supported->elements[mech].length < 128 && | ||
2715 | ssh_gssapi_check_mechanism(&gssctxt, | ||
2716 | - &gss_supported->elements[mech], authctxt->host)) { | ||
2717 | + &gss_supported->elements[mech], gss_host, | ||
2718 | + options.gss_client_identity)) { | ||
2719 | ok = 1; /* Mechanism works */ | ||
2720 | } else { | ||
2721 | mech++; | ||
2722 | @@ -673,8 +741,8 @@ | ||
2723 | { | ||
2724 | Authctxt *authctxt = ctxt; | ||
2725 | Gssctxt *gssctxt; | ||
2726 | - int oidlen; | ||
2727 | - char *oidv; | ||
2728 | + u_int oidlen; | ||
2729 | + u_char *oidv; | ||
2730 | |||
2731 | if (authctxt == NULL) | ||
2732 | fatal("input_gssapi_response: no authentication context"); | ||
2733 | @@ -784,6 +852,48 @@ | ||
2734 | xfree(msg); | ||
2735 | xfree(lang); | ||
2736 | } | ||
2737 | + | ||
2738 | +int | ||
2739 | +userauth_gsskeyex(Authctxt *authctxt) | ||
2740 | +{ | ||
2741 | + Buffer b; | ||
2742 | + gss_buffer_desc gssbuf; | ||
2743 | + gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; | ||
2744 | + OM_uint32 ms; | ||
2745 | + | ||
2746 | + static int attempt = 0; | ||
2747 | + if (attempt++ >= 1) | ||
2748 | + return (0); | ||
2749 | + | ||
2750 | + if (gss_kex_context == NULL) { | ||
2751 | + debug("No valid Key exchange context"); | ||
2752 | + return (0); | ||
2753 | + } | ||
2754 | + | ||
2755 | + ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service, | ||
2756 | + "gssapi-keyex"); | ||
2757 | + | ||
2758 | + gssbuf.value = buffer_ptr(&b); | ||
2759 | + gssbuf.length = buffer_len(&b); | ||
2760 | + | ||
2761 | + if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { | ||
2762 | + buffer_free(&b); | ||
2763 | + return (0); | ||
2764 | + } | ||
2765 | + | ||
2766 | + packet_start(SSH2_MSG_USERAUTH_REQUEST); | ||
2767 | + packet_put_cstring(authctxt->server_user); | ||
2768 | + packet_put_cstring(authctxt->service); | ||
2769 | + packet_put_cstring(authctxt->method->name); | ||
2770 | + packet_put_string(mic.value, mic.length); | ||
2771 | + packet_send(); | ||
2772 | + | ||
2773 | + buffer_free(&b); | ||
2774 | + gss_release_buffer(&ms, &mic); | ||
2775 | + | ||
2776 | + return (1); | ||
2777 | +} | ||
2778 | + | ||
2779 | #endif /* GSSAPI */ | ||
2780 | |||
2781 | int | ||
2782 | Index: b/sshd.c | ||
2783 | =================================================================== | ||
2784 | --- a/sshd.c | ||
2785 | +++ b/sshd.c | ||
2786 | @@ -120,6 +120,10 @@ | ||
2787 | #include "roaming.h" | ||
2788 | #include "version.h" | ||
2789 | |||
2790 | +#ifdef USE_SECURITY_SESSION_API | ||
2791 | +#include <Security/AuthSession.h> | ||
2792 | +#endif | ||
2793 | + | ||
2794 | #ifdef LIBWRAP | ||
2795 | #include <tcpd.h> | ||
2796 | #include <syslog.h> | ||
2797 | @@ -1577,10 +1581,13 @@ | ||
2798 | logit("Disabling protocol version 1. Could not load host key"); | ||
2799 | options.protocol &= ~SSH_PROTO_1; | ||
2800 | } | ||
2801 | +#ifndef GSSAPI | ||
2802 | + /* The GSSAPI key exchange can run without a host key */ | ||
2803 | if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { | ||
2804 | logit("Disabling protocol version 2. Could not load host key"); | ||
2805 | options.protocol &= ~SSH_PROTO_2; | ||
2806 | } | ||
2807 | +#endif | ||
2808 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | ||
2809 | logit("sshd: no hostkeys available -- exiting."); | ||
2810 | exit(1); | ||
2811 | @@ -1909,6 +1916,60 @@ | ||
2812 | /* Log the connection. */ | ||
2813 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | ||
2814 | |||
2815 | +#ifdef USE_SECURITY_SESSION_API | ||
2816 | + /* | ||
2817 | + * Create a new security session for use by the new user login if | ||
2818 | + * the current session is the root session or we are not launched | ||
2819 | + * by inetd (eg: debugging mode or server mode). We do not | ||
2820 | + * necessarily need to create a session if we are launched from | ||
2821 | + * inetd because Panther xinetd will create a session for us. | ||
2822 | + * | ||
2823 | + * The only case where this logic will fail is if there is an | ||
2824 | + * inetd running in a non-root session which is not creating | ||
2825 | + * new sessions for us. Then all the users will end up in the | ||
2826 | + * same session (bad). | ||
2827 | + * | ||
2828 | + * When the client exits, the session will be destroyed for us | ||
2829 | + * automatically. | ||
2830 | + * | ||
2831 | + * We must create the session before any credentials are stored | ||
2832 | + * (including AFS pags, which happens a few lines below). | ||
2833 | + */ | ||
2834 | + { | ||
2835 | + OSStatus err = 0; | ||
2836 | + SecuritySessionId sid = 0; | ||
2837 | + SessionAttributeBits sattrs = 0; | ||
2838 | + | ||
2839 | + err = SessionGetInfo(callerSecuritySession, &sid, &sattrs); | ||
2840 | + if (err) | ||
2841 | + error("SessionGetInfo() failed with error %.8X", | ||
2842 | + (unsigned) err); | ||
2843 | + else | ||
2844 | + debug("Current Session ID is %.8X / Session Attributes are %.8X", | ||
2845 | + (unsigned) sid, (unsigned) sattrs); | ||
2846 | + | ||
2847 | + if (inetd_flag && !(sattrs & sessionIsRoot)) | ||
2848 | + debug("Running in inetd mode in a non-root session... " | ||
2849 | + "assuming inetd created the session for us."); | ||
2850 | + else { | ||
2851 | + debug("Creating new security session..."); | ||
2852 | + err = SessionCreate(0, sessionHasTTY | sessionIsRemote); | ||
2853 | + if (err) | ||
2854 | + error("SessionCreate() failed with error %.8X", | ||
2855 | + (unsigned) err); | ||
2856 | + | ||
2857 | + err = SessionGetInfo(callerSecuritySession, &sid, | ||
2858 | + &sattrs); | ||
2859 | + if (err) | ||
2860 | + error("SessionGetInfo() failed with error %.8X", | ||
2861 | + (unsigned) err); | ||
2862 | + else | ||
2863 | + debug("New Session ID is %.8X / Session Attributes are %.8X", | ||
2864 | + (unsigned) sid, (unsigned) sattrs); | ||
2865 | + } | ||
2866 | + } | ||
2867 | +#endif | ||
2868 | + | ||
2869 | /* | ||
2870 | * We don't want to listen forever unless the other side | ||
2871 | * successfully authenticates itself. So we set up an alarm which is | ||
2872 | @@ -2287,12 +2348,61 @@ | ||
2873 | |||
2874 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | ||
2875 | |||
2876 | +#ifdef GSSAPI | ||
2877 | + { | ||
2878 | + char *orig; | ||
2879 | + char *gss = NULL; | ||
2880 | + char *newstr = NULL; | ||
2881 | + orig = myproposal[PROPOSAL_KEX_ALGS]; | ||
2882 | + | ||
2883 | + /* | ||
2884 | + * If we don't have a host key, then there's no point advertising | ||
2885 | + * the other key exchange algorithms | ||
2886 | + */ | ||
2887 | + | ||
2888 | + if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) | ||
2889 | + orig = NULL; | ||
2890 | + | ||
2891 | + if (options.gss_keyex) | ||
2892 | + gss = ssh_gssapi_server_mechanisms(); | ||
2893 | + else | ||
2894 | + gss = NULL; | ||
2895 | + | ||
2896 | + if (gss && orig) | ||
2897 | + xasprintf(&newstr, "%s,%s", gss, orig); | ||
2898 | + else if (gss) | ||
2899 | + newstr = gss; | ||
2900 | + else if (orig) | ||
2901 | + newstr = orig; | ||
2902 | + | ||
2903 | + /* | ||
2904 | + * If we've got GSSAPI mechanisms, then we've got the 'null' host | ||
2905 | + * key alg, but we can't tell people about it unless its the only | ||
2906 | + * host key algorithm we support | ||
2907 | + */ | ||
2908 | + if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) | ||
2909 | + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"; | ||
2910 | + | ||
2911 | + if (newstr) | ||
2912 | + myproposal[PROPOSAL_KEX_ALGS] = newstr; | ||
2913 | + else | ||
2914 | + fatal("No supported key exchange algorithms"); | ||
2915 | + } | ||
2916 | +#endif | ||
2917 | + | ||
2918 | /* start key exchange */ | ||
2919 | kex = kex_setup(myproposal); | ||
2920 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | ||
2921 | kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | ||
2922 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | ||
2923 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
2924 | +#ifdef GSSAPI | ||
2925 | + if (options.gss_keyex) { | ||
2926 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | ||
2927 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; | ||
2928 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; | ||
2929 | + } | ||
2930 | +#endif | ||
2931 | kex->server = 1; | ||
2932 | kex->client_version_string=client_version_string; | ||
2933 | kex->server_version_string=server_version_string; | ||
2934 | Index: b/sshd_config | ||
2935 | =================================================================== | ||
2936 | --- a/sshd_config | ||
2937 | +++ b/sshd_config | ||
2938 | @@ -71,6 +71,8 @@ | ||
2939 | # GSSAPI options | ||
2940 | #GSSAPIAuthentication no | ||
2941 | #GSSAPICleanupCredentials yes | ||
2942 | +#GSSAPIStrictAcceptorCheck yes | ||
2943 | +#GSSAPIKeyExchange no | ||
2944 | |||
2945 | # Set this to 'yes' to enable PAM authentication, account processing, | ||
2946 | # and session processing. If this is enabled, PAM authentication will | ||
2947 | Index: b/sshd_config.5 | ||
2948 | =================================================================== | ||
2949 | --- a/sshd_config.5 | ||
2950 | +++ b/sshd_config.5 | ||
2951 | @@ -379,12 +379,40 @@ | ||
2952 | The default is | ||
2953 | .Dq no . | ||
2954 | Note that this option applies to protocol version 2 only. | ||
2955 | +.It Cm GSSAPIKeyExchange | ||
2956 | +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange | ||
2957 | +doesn't rely on ssh keys to verify host identity. | ||
2958 | +The default is | ||
2959 | +.Dq no . | ||
2960 | +Note that this option applies to protocol version 2 only. | ||
2961 | .It Cm GSSAPICleanupCredentials | ||
2962 | Specifies whether to automatically destroy the user's credentials cache | ||
2963 | on logout. | ||
2964 | The default is | ||
2965 | .Dq yes . | ||
2966 | Note that this option applies to protocol version 2 only. | ||
2967 | +.It Cm GSSAPIStrictAcceptorCheck | ||
2968 | +Determines whether to be strict about the identity of the GSSAPI acceptor | ||
2969 | +a client authenticates against. If | ||
2970 | +.Dq yes | ||
2971 | +then the client must authenticate against the | ||
2972 | +.Pa host | ||
2973 | +service on the current hostname. If | ||
2974 | +.Dq no | ||
2975 | +then the client may authenticate against any service key stored in the | ||
2976 | +machine's default store. This facility is provided to assist with operation | ||
2977 | +on multi homed machines. | ||
2978 | +The default is | ||
2979 | +.Dq yes . | ||
2980 | +Note that this option applies only to protocol version 2 GSSAPI connections, | ||
2981 | +and setting it to | ||
2982 | +.Dq no | ||
2983 | +may only work with recent Kerberos GSSAPI libraries. | ||
2984 | +.It Cm GSSAPIStoreCredentialsOnRekey | ||
2985 | +Controls whether the user's GSSAPI credentials should be updated following a | ||
2986 | +successful connection rekeying. This option can be used to accepted renewed | ||
2987 | +or updated credentials from a compatible client. The default is | ||
2988 | +.Dq no . | ||
2989 | .It Cm HostbasedAuthentication | ||
2990 | Specifies whether rhosts or /etc/hosts.equiv authentication together | ||
2991 | with successful public key client host authentication is allowed | ||
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch new file mode 100644 index 000000000..857f86456 --- /dev/null +++ b/debian/patches/helpful-wait-terminate.patch | |||
@@ -0,0 +1,18 @@ | |||
1 | Description: Mention ~& when waiting for forwarded connections to terminate | ||
2 | Author: Matthew Vernon <matthew@debian.org> | ||
3 | Bug-Debian: http://bugs.debian.org/50308 | ||
4 | Last-Update: 2010-02-27 | ||
5 | |||
6 | Index: b/serverloop.c | ||
7 | =================================================================== | ||
8 | --- a/serverloop.c | ||
9 | +++ b/serverloop.c | ||
10 | @@ -680,7 +680,7 @@ | ||
11 | if (!channel_still_open()) | ||
12 | break; | ||
13 | if (!waiting_termination) { | ||
14 | - const char *s = "Waiting for forwarded connections to terminate...\r\n"; | ||
15 | + const char *s = "Waiting for forwarded connections to terminate... (press ~& to background)\r\n"; | ||
16 | char *cp; | ||
17 | waiting_termination = 1; | ||
18 | buffer_append(&stderr_buffer, s, strlen(s)); | ||
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch new file mode 100644 index 000000000..36335f475 --- /dev/null +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -0,0 +1,124 @@ | |||
1 | Description: Various keepalive extensions | ||
2 | Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, | ||
3 | supported in previous versions of Debian's OpenSSH package but since | ||
4 | superseded by ServerAliveInterval. (We're probably stuck with this bit for | ||
5 | compatibility.) | ||
6 | . | ||
7 | In batch mode, default ServerAliveInterval to five minutes. | ||
8 | . | ||
9 | Adjust documentation to match and to give some more advice on use of | ||
10 | keepalives. | ||
11 | Author: Richard Kettlewell <rjk@greenend.org.uk> | ||
12 | Author: Ian Jackson <ian@chiark.greenend.org.uk> | ||
13 | Author: Matthew Vernon <matthew@debian.org> | ||
14 | Author: Colin Watson <cjwatson@debian.org> | ||
15 | Last-Update: 2010-02-27 | ||
16 | |||
17 | Index: b/readconf.c | ||
18 | =================================================================== | ||
19 | --- a/readconf.c | ||
20 | +++ b/readconf.c | ||
21 | @@ -133,6 +133,7 @@ | ||
22 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | ||
23 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | ||
24 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, | ||
25 | + oProtocolKeepAlives, oSetupTimeOut, | ||
26 | oDeprecated, oUnsupported | ||
27 | } OpCodes; | ||
28 | |||
29 | @@ -248,6 +249,8 @@ | ||
30 | #else | ||
31 | { "zeroknowledgepasswordauthentication", oUnsupported }, | ||
32 | #endif | ||
33 | + { "protocolkeepalives", oProtocolKeepAlives }, | ||
34 | + { "setuptimeout", oSetupTimeOut }, | ||
35 | |||
36 | { NULL, oBadOption } | ||
37 | }; | ||
38 | @@ -847,6 +850,8 @@ | ||
39 | goto parse_flag; | ||
40 | |||
41 | case oServerAliveInterval: | ||
42 | + case oProtocolKeepAlives: /* Debian-specific compatibility alias */ | ||
43 | + case oSetupTimeOut: /* Debian-specific compatibility alias */ | ||
44 | intptr = &options->server_alive_interval; | ||
45 | goto parse_time; | ||
46 | |||
47 | @@ -1235,8 +1240,13 @@ | ||
48 | options->rekey_limit = 0; | ||
49 | if (options->verify_host_key_dns == -1) | ||
50 | options->verify_host_key_dns = 0; | ||
51 | - if (options->server_alive_interval == -1) | ||
52 | - options->server_alive_interval = 0; | ||
53 | + if (options->server_alive_interval == -1) { | ||
54 | + /* in batch mode, default is 5mins */ | ||
55 | + if (options->batch_mode == 1) | ||
56 | + options->server_alive_interval = 300; | ||
57 | + else | ||
58 | + options->server_alive_interval = 0; | ||
59 | + } | ||
60 | if (options->server_alive_count_max == -1) | ||
61 | options->server_alive_count_max = 3; | ||
62 | if (options->control_master == -1) | ||
63 | Index: b/ssh_config.5 | ||
64 | =================================================================== | ||
65 | --- a/ssh_config.5 | ||
66 | +++ b/ssh_config.5 | ||
67 | @@ -128,8 +128,12 @@ | ||
68 | If set to | ||
69 | .Dq yes , | ||
70 | passphrase/password querying will be disabled. | ||
71 | +In addition, the | ||
72 | +.Cm ServerAliveInterval | ||
73 | +option will be set to 300 seconds by default. | ||
74 | This option is useful in scripts and other batch jobs where no user | ||
75 | -is present to supply the password. | ||
76 | +is present to supply the password, | ||
77 | +and where it is desirable to detect a broken network swiftly. | ||
78 | The argument must be | ||
79 | .Dq yes | ||
80 | or | ||
81 | @@ -963,8 +967,15 @@ | ||
82 | will send a message through the encrypted | ||
83 | channel to request a response from the server. | ||
84 | The default | ||
85 | -is 0, indicating that these messages will not be sent to the server. | ||
86 | +is 0, indicating that these messages will not be sent to the server, | ||
87 | +or 300 if the | ||
88 | +.Cm BatchMode | ||
89 | +option is set. | ||
90 | This option applies to protocol version 2 only. | ||
91 | +.Cm ProtocolKeepAlives | ||
92 | +and | ||
93 | +.Cm SetupTimeOut | ||
94 | +are Debian-specific compatibility aliases for this option. | ||
95 | .It Cm StrictHostKeyChecking | ||
96 | If this flag is set to | ||
97 | .Dq yes , | ||
98 | @@ -1003,6 +1014,12 @@ | ||
99 | other side. | ||
100 | If they are sent, death of the connection or crash of one | ||
101 | of the machines will be properly noticed. | ||
102 | +This option only uses TCP keepalives (as opposed to using ssh level | ||
103 | +keepalives), so takes a long time to notice when the connection dies. | ||
104 | +As such, you probably want | ||
105 | +the | ||
106 | +.Cm ServerAliveInterval | ||
107 | +option as well. | ||
108 | However, this means that | ||
109 | connections will die if the route is down temporarily, and some people | ||
110 | find it annoying. | ||
111 | Index: b/sshd_config.5 | ||
112 | =================================================================== | ||
113 | --- a/sshd_config.5 | ||
114 | +++ b/sshd_config.5 | ||
115 | @@ -936,6 +936,9 @@ | ||
116 | .Pp | ||
117 | To disable TCP keepalive messages, the value should be set to | ||
118 | .Dq no . | ||
119 | +.Pp | ||
120 | +This option was formerly called | ||
121 | +.Cm KeepAlive . | ||
122 | .It Cm TrustedUserCAKeys | ||
123 | Specifies a file containing public keys of certificate authorities that are | ||
124 | trusted to sign user certificates for authentication. | ||
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch new file mode 100644 index 000000000..955d38b50 --- /dev/null +++ b/debian/patches/lintian-symlink-pickiness.patch | |||
@@ -0,0 +1,23 @@ | |||
1 | Description: Fix picky lintian errors about slogin symlinks | ||
2 | Apparently this breaks some SVR4 packaging systems, so upstream can't win | ||
3 | either way and opted to keep the status quo. We need this patch anyway. | ||
4 | Author: Colin Watson <cjwatson@debian.org> | ||
5 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 | ||
6 | Last-Update: 2010-04-10 | ||
7 | |||
8 | Index: b/Makefile.in | ||
9 | =================================================================== | ||
10 | --- a/Makefile.in | ||
11 | +++ b/Makefile.in | ||
12 | @@ -294,9 +294,9 @@ | ||
13 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | ||
14 | $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | ||
15 | -rm -f $(DESTDIR)$(bindir)/slogin | ||
16 | - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | ||
17 | + ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | ||
18 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | ||
19 | - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | ||
20 | + ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | ||
21 | |||
22 | install-sysconf: | ||
23 | if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ | ||
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch new file mode 100644 index 000000000..dea370a1b --- /dev/null +++ b/debian/patches/openbsd-docs.patch | |||
@@ -0,0 +1,117 @@ | |||
1 | Description: Adjust various OpenBSD-specific references in manual pages | ||
2 | No single bug reference for this patch, but history includes: | ||
3 | http://bugs.debian.org/154434 (login.conf(5)) | ||
4 | http://bugs.debian.org/513417 (/etc/rc) | ||
5 | http://bugs.debian.org/530692 (ssl(8)) | ||
6 | https://bugs.launchpad.net/bugs/456660 (ssl(8)) | ||
7 | Author: Colin Watson <cjwatson@debian.org> | ||
8 | Forwarded: not-needed | ||
9 | Last-Update: 2010-02-28 | ||
10 | |||
11 | Index: b/moduli.5 | ||
12 | =================================================================== | ||
13 | --- a/moduli.5 | ||
14 | +++ b/moduli.5 | ||
15 | @@ -21,7 +21,7 @@ | ||
16 | .Nd Diffie Hellman moduli | ||
17 | .Sh DESCRIPTION | ||
18 | The | ||
19 | -.Pa /etc/moduli | ||
20 | +.Pa /etc/ssh/moduli | ||
21 | file contains prime numbers and generators for use by | ||
22 | .Xr sshd 8 | ||
23 | in the Diffie-Hellman Group Exchange key exchange method. | ||
24 | @@ -111,7 +111,7 @@ | ||
25 | Diffie Hellman output to sufficiently key the selected symmetric cipher. | ||
26 | .Xr sshd 8 | ||
27 | then randomly selects a modulus from | ||
28 | -.Fa /etc/moduli | ||
29 | +.Fa /etc/ssh/moduli | ||
30 | that best meets the size requirement. | ||
31 | .Pp | ||
32 | .Sh SEE ALSO | ||
33 | Index: b/ssh-keygen.1 | ||
34 | =================================================================== | ||
35 | --- a/ssh-keygen.1 | ||
36 | +++ b/ssh-keygen.1 | ||
37 | @@ -145,9 +145,7 @@ | ||
38 | .Pa ~/.ssh/id_dsa | ||
39 | or | ||
40 | .Pa ~/.ssh/id_rsa . | ||
41 | -Additionally, the system administrator may use this to generate host keys, | ||
42 | -as seen in | ||
43 | -.Pa /etc/rc . | ||
44 | +Additionally, the system administrator may use this to generate host keys. | ||
45 | .Pp | ||
46 | Normally this program generates the key and asks for a file in which | ||
47 | to store the private key. | ||
48 | @@ -367,9 +365,7 @@ | ||
49 | .It Fl q | ||
50 | Silence | ||
51 | .Nm ssh-keygen . | ||
52 | -Used by | ||
53 | -.Pa /etc/rc | ||
54 | -when creating a new key. | ||
55 | +Used by system administration scripts when creating a new key. | ||
56 | .It Fl R Ar hostname | ||
57 | Removes all keys belonging to | ||
58 | .Ar hostname | ||
59 | Index: b/ssh.1 | ||
60 | =================================================================== | ||
61 | --- a/ssh.1 | ||
62 | +++ b/ssh.1 | ||
63 | @@ -762,6 +762,10 @@ | ||
64 | .Sx HISTORY | ||
65 | section of | ||
66 | .Xr ssl 8 | ||
67 | +(on non-OpenBSD systems, see | ||
68 | +.nh | ||
69 | +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) | ||
70 | +.hy | ||
71 | contains a brief discussion of the two algorithms. | ||
72 | .Pp | ||
73 | The file | ||
74 | Index: b/sshd.8 | ||
75 | =================================================================== | ||
76 | --- a/sshd.8 | ||
77 | +++ b/sshd.8 | ||
78 | @@ -70,7 +70,7 @@ | ||
79 | .Nm | ||
80 | listens for connections from clients. | ||
81 | It is normally started at boot from | ||
82 | -.Pa /etc/rc . | ||
83 | +.Pa /etc/init.d/ssh . | ||
84 | It forks a new | ||
85 | daemon for each incoming connection. | ||
86 | The forked daemons handle | ||
87 | @@ -835,7 +835,7 @@ | ||
88 | .Xr ssh 1 ) . | ||
89 | It should only be writable by root. | ||
90 | .Pp | ||
91 | -.It /etc/moduli | ||
92 | +.It /etc/ssh/moduli | ||
93 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | ||
94 | The file format is described in | ||
95 | .Xr moduli 5 . | ||
96 | @@ -931,7 +931,6 @@ | ||
97 | .Xr ssh-vulnkey 1 , | ||
98 | .Xr chroot 2 , | ||
99 | .Xr hosts_access 5 , | ||
100 | -.Xr login.conf 5 , | ||
101 | .Xr moduli 5 , | ||
102 | .Xr sshd_config 5 , | ||
103 | .Xr inetd 8 , | ||
104 | Index: b/sshd_config.5 | ||
105 | =================================================================== | ||
106 | --- a/sshd_config.5 | ||
107 | +++ b/sshd_config.5 | ||
108 | @@ -177,8 +177,7 @@ | ||
109 | By default, no banner is displayed. | ||
110 | .It Cm ChallengeResponseAuthentication | ||
111 | Specifies whether challenge-response authentication is allowed (e.g. via | ||
112 | -PAM or though authentication styles supported in | ||
113 | -.Xr login.conf 5 ) | ||
114 | +PAM). | ||
115 | The default is | ||
116 | .Dq yes . | ||
117 | .It Cm ChrootDirectory | ||
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch new file mode 100644 index 000000000..f45cc6968 --- /dev/null +++ b/debian/patches/package-versioning.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | Description: Include the Debian version in our identification | ||
2 | This makes it easier to audit networks for versions patched against | ||
3 | security vulnerabilities. It has little detrimental effect, as attackers | ||
4 | will generally just try attacks rather than bothering to scan for | ||
5 | vulnerable-looking version strings. (However, see debian-banner.patch.) | ||
6 | Author: Matthew Vernon <matthew@debian.org> | ||
7 | Forwarded: not-needed | ||
8 | Last-Update: 2010-02-28 | ||
9 | |||
10 | Index: b/sshconnect.c | ||
11 | =================================================================== | ||
12 | --- a/sshconnect.c | ||
13 | +++ b/sshconnect.c | ||
14 | @@ -542,7 +542,7 @@ | ||
15 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", | ||
16 | compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, | ||
17 | compat20 ? PROTOCOL_MINOR_2 : minor1, | ||
18 | - SSH_VERSION, compat20 ? "\r\n" : "\n"); | ||
19 | + SSH_RELEASE, compat20 ? "\r\n" : "\n"); | ||
20 | if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) | ||
21 | != strlen(buf)) | ||
22 | fatal("write: %.100s", strerror(errno)); | ||
23 | Index: b/sshd.c | ||
24 | =================================================================== | ||
25 | --- a/sshd.c | ||
26 | +++ b/sshd.c | ||
27 | @@ -422,7 +422,7 @@ | ||
28 | minor = PROTOCOL_MINOR_1; | ||
29 | } | ||
30 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | ||
31 | - SSH_VERSION, newline); | ||
32 | + SSH_RELEASE, newline); | ||
33 | server_version_string = xstrdup(buf); | ||
34 | |||
35 | /* Send our protocol version identification. */ | ||
36 | Index: b/version.h | ||
37 | =================================================================== | ||
38 | --- a/version.h | ||
39 | +++ b/version.h | ||
40 | @@ -3,4 +3,9 @@ | ||
41 | #define SSH_VERSION "OpenSSH_5.5" | ||
42 | |||
43 | #define SSH_PORTABLE "p1" | ||
44 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | ||
45 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | ||
46 | +#ifdef SSH_EXTRAVERSION | ||
47 | +#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION | ||
48 | +#else | ||
49 | +#define SSH_RELEASE SSH_RELEASE_MINIMUM | ||
50 | +#endif | ||
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch new file mode 100644 index 000000000..96a26cf7e --- /dev/null +++ b/debian/patches/quieter-signals.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | Description: Reduce severity of "Killed by signal %d" | ||
2 | This produces irritating messages when using ProxyCommand or other programs | ||
3 | that use ssh under the covers (e.g. Subversion). These messages are more | ||
4 | normally printed by the calling program, such as the shell. | ||
5 | . | ||
6 | According to the upstream bug, the right way to avoid this is to use the -q | ||
7 | option, so we may drop this patch after further investigation into whether | ||
8 | any software in Debian is still relying on it. | ||
9 | Author: Peter Samuelson <peter@p12n.org> | ||
10 | Author: Colin Watson <cjwatson@debian.org> | ||
11 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 | ||
12 | Bug-Debian: http://bugs.debian.org/313371 | ||
13 | Last-Update: 2010-02-27 | ||
14 | |||
15 | Index: b/clientloop.c | ||
16 | =================================================================== | ||
17 | --- a/clientloop.c | ||
18 | +++ b/clientloop.c | ||
19 | @@ -1530,8 +1530,10 @@ | ||
20 | exit_status = 0; | ||
21 | } | ||
22 | |||
23 | - if (received_signal) | ||
24 | - fatal("Killed by signal %d.", (int) received_signal); | ||
25 | + if (received_signal) { | ||
26 | + debug("Killed by signal %d.", (int) received_signal); | ||
27 | + cleanup_exit((int) received_signal + 128); | ||
28 | + } | ||
29 | |||
30 | /* | ||
31 | * In interactive mode (with pseudo tty) display a message indicating | ||
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch new file mode 100644 index 000000000..99702c317 --- /dev/null +++ b/debian/patches/scp-quoting.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | Description: Adjust scp quoting in verbose mode | ||
2 | Tweak scp's reporting of filenames in verbose mode to be a bit less | ||
3 | confusing with spaces. | ||
4 | . | ||
5 | This should be revised to mimic real shell quoting. | ||
6 | Author: Nicolas Valcárcel <nvalcarcel@ubuntu.com> | ||
7 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 | ||
8 | Last-Update: 2010-02-27 | ||
9 | |||
10 | Index: b/scp.c | ||
11 | =================================================================== | ||
12 | --- a/scp.c | ||
13 | +++ b/scp.c | ||
14 | @@ -168,8 +168,16 @@ | ||
15 | |||
16 | if (verbose_mode) { | ||
17 | fprintf(stderr, "Executing:"); | ||
18 | - for (i = 0; i < a->num; i++) | ||
19 | - fprintf(stderr, " %s", a->list[i]); | ||
20 | + for (i = 0; i < a->num; i++) { | ||
21 | + if (i == 0) | ||
22 | + fprintf(stderr, " %s", a->list[i]); | ||
23 | + else | ||
24 | + /* | ||
25 | + * TODO: misbehaves if a->list[i] contains a | ||
26 | + * single quote | ||
27 | + */ | ||
28 | + fprintf(stderr, " '%s'", a->list[i]); | ||
29 | + } | ||
30 | fprintf(stderr, "\n"); | ||
31 | } | ||
32 | if ((pid = fork()) == -1) | ||
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..8a7e7c687 --- /dev/null +++ b/debian/patches/selinux-role.patch | |||
@@ -0,0 +1,293 @@ | |||
1 | Description: Handle SELinux authorisation roles | ||
2 | Rejected upstream due to discomfort with magic usernames; a better approach | ||
3 | will need an SSH protocol change. In the meantime, this came from Debian's | ||
4 | SELinux maintainer, so we'll keep it until we have something better. | ||
5 | Author: Manoj Srivastava <srivasta@debian.org> | ||
6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 | ||
7 | Bug-Debian: http://bugs.debian.org/394795 | ||
8 | Last-Update: 2010-02-27 | ||
9 | |||
10 | Index: b/auth.h | ||
11 | =================================================================== | ||
12 | --- a/auth.h | ||
13 | +++ b/auth.h | ||
14 | @@ -59,6 +59,7 @@ | ||
15 | char *service; | ||
16 | struct passwd *pw; /* set if 'valid' */ | ||
17 | char *style; | ||
18 | + char *role; | ||
19 | void *kbdintctxt; | ||
20 | void *jpake_ctx; | ||
21 | #ifdef BSD_AUTH | ||
22 | Index: b/auth1.c | ||
23 | =================================================================== | ||
24 | --- a/auth1.c | ||
25 | +++ b/auth1.c | ||
26 | @@ -383,7 +383,7 @@ | ||
27 | do_authentication(Authctxt *authctxt) | ||
28 | { | ||
29 | u_int ulen; | ||
30 | - char *user, *style = NULL; | ||
31 | + char *user, *style = NULL, *role = NULL; | ||
32 | |||
33 | /* Get the name of the user that we wish to log in as. */ | ||
34 | packet_read_expect(SSH_CMSG_USER); | ||
35 | @@ -392,11 +392,17 @@ | ||
36 | user = packet_get_string(&ulen); | ||
37 | packet_check_eom(); | ||
38 | |||
39 | + if ((role = strchr(user, '/')) != NULL) | ||
40 | + *role++ = '\0'; | ||
41 | + | ||
42 | if ((style = strchr(user, ':')) != NULL) | ||
43 | *style++ = '\0'; | ||
44 | + else if (role && (style = strchr(role, ':')) != NULL) | ||
45 | + *style++ = '\0'; | ||
46 | |||
47 | authctxt->user = user; | ||
48 | authctxt->style = style; | ||
49 | + authctxt->role = role; | ||
50 | |||
51 | /* Verify that the user is a valid user. */ | ||
52 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | ||
53 | Index: b/auth2.c | ||
54 | =================================================================== | ||
55 | --- a/auth2.c | ||
56 | +++ b/auth2.c | ||
57 | @@ -217,7 +217,7 @@ | ||
58 | { | ||
59 | Authctxt *authctxt = ctxt; | ||
60 | Authmethod *m = NULL; | ||
61 | - char *user, *service, *method, *style = NULL; | ||
62 | + char *user, *service, *method, *style = NULL, *role = NULL; | ||
63 | int authenticated = 0; | ||
64 | |||
65 | if (authctxt == NULL) | ||
66 | @@ -229,8 +229,13 @@ | ||
67 | debug("userauth-request for user %s service %s method %s", user, service, method); | ||
68 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | ||
69 | |||
70 | + if ((role = strchr(user, '/')) != NULL) | ||
71 | + *role++ = 0; | ||
72 | + | ||
73 | if ((style = strchr(user, ':')) != NULL) | ||
74 | *style++ = 0; | ||
75 | + else if (role && (style = strchr(role, ':')) != NULL) | ||
76 | + *style++ = '\0'; | ||
77 | |||
78 | if (authctxt->attempt++ == 0) { | ||
79 | /* setup auth context */ | ||
80 | @@ -254,8 +259,9 @@ | ||
81 | use_privsep ? " [net]" : ""); | ||
82 | authctxt->service = xstrdup(service); | ||
83 | authctxt->style = style ? xstrdup(style) : NULL; | ||
84 | + authctxt->role = role ? xstrdup(role) : NULL; | ||
85 | if (use_privsep) | ||
86 | - mm_inform_authserv(service, style); | ||
87 | + mm_inform_authserv(service, style, role); | ||
88 | userauth_banner(); | ||
89 | } else if (strcmp(user, authctxt->user) != 0 || | ||
90 | strcmp(service, authctxt->service) != 0) { | ||
91 | Index: b/monitor.c | ||
92 | =================================================================== | ||
93 | --- a/monitor.c | ||
94 | +++ b/monitor.c | ||
95 | @@ -137,6 +137,7 @@ | ||
96 | int mm_answer_pwnamallow(int, Buffer *); | ||
97 | int mm_answer_auth2_read_banner(int, Buffer *); | ||
98 | int mm_answer_authserv(int, Buffer *); | ||
99 | +int mm_answer_authrole(int, Buffer *); | ||
100 | int mm_answer_authpassword(int, Buffer *); | ||
101 | int mm_answer_bsdauthquery(int, Buffer *); | ||
102 | int mm_answer_bsdauthrespond(int, Buffer *); | ||
103 | @@ -215,6 +216,7 @@ | ||
104 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | ||
105 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | ||
106 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | ||
107 | + {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, | ||
108 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | ||
109 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | ||
110 | #ifdef USE_PAM | ||
111 | @@ -699,6 +701,7 @@ | ||
112 | else { | ||
113 | /* Allow service/style information on the auth context */ | ||
114 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | ||
115 | + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); | ||
116 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | ||
117 | } | ||
118 | |||
119 | @@ -732,14 +735,37 @@ | ||
120 | |||
121 | authctxt->service = buffer_get_string(m, NULL); | ||
122 | authctxt->style = buffer_get_string(m, NULL); | ||
123 | - debug3("%s: service=%s, style=%s", | ||
124 | - __func__, authctxt->service, authctxt->style); | ||
125 | + authctxt->role = buffer_get_string(m, NULL); | ||
126 | + debug3("%s: service=%s, style=%s, role=%s", | ||
127 | + __func__, authctxt->service, authctxt->style, authctxt->role); | ||
128 | |||
129 | if (strlen(authctxt->style) == 0) { | ||
130 | xfree(authctxt->style); | ||
131 | authctxt->style = NULL; | ||
132 | } | ||
133 | |||
134 | + if (strlen(authctxt->role) == 0) { | ||
135 | + xfree(authctxt->role); | ||
136 | + authctxt->role = NULL; | ||
137 | + } | ||
138 | + | ||
139 | + return (0); | ||
140 | +} | ||
141 | + | ||
142 | +int | ||
143 | +mm_answer_authrole(int sock, Buffer *m) | ||
144 | +{ | ||
145 | + monitor_permit_authentications(1); | ||
146 | + | ||
147 | + authctxt->role = buffer_get_string(m, NULL); | ||
148 | + debug3("%s: role=%s", | ||
149 | + __func__, authctxt->role); | ||
150 | + | ||
151 | + if (strlen(authctxt->role) == 0) { | ||
152 | + xfree(authctxt->role); | ||
153 | + authctxt->role = NULL; | ||
154 | + } | ||
155 | + | ||
156 | return (0); | ||
157 | } | ||
158 | |||
159 | Index: b/monitor.h | ||
160 | =================================================================== | ||
161 | --- a/monitor.h | ||
162 | +++ b/monitor.h | ||
163 | @@ -30,7 +30,7 @@ | ||
164 | |||
165 | enum monitor_reqtype { | ||
166 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, | ||
167 | - MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, | ||
168 | + MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, | ||
169 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, | ||
170 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, | ||
171 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, | ||
172 | Index: b/monitor_wrap.c | ||
173 | =================================================================== | ||
174 | --- a/monitor_wrap.c | ||
175 | +++ b/monitor_wrap.c | ||
176 | @@ -279,10 +279,10 @@ | ||
177 | return (banner); | ||
178 | } | ||
179 | |||
180 | -/* Inform the privileged process about service and style */ | ||
181 | +/* Inform the privileged process about service, style, and role */ | ||
182 | |||
183 | void | ||
184 | -mm_inform_authserv(char *service, char *style) | ||
185 | +mm_inform_authserv(char *service, char *style, char *role) | ||
186 | { | ||
187 | Buffer m; | ||
188 | |||
189 | @@ -291,12 +291,30 @@ | ||
190 | buffer_init(&m); | ||
191 | buffer_put_cstring(&m, service); | ||
192 | buffer_put_cstring(&m, style ? style : ""); | ||
193 | + buffer_put_cstring(&m, role ? role : ""); | ||
194 | |||
195 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); | ||
196 | |||
197 | buffer_free(&m); | ||
198 | } | ||
199 | |||
200 | +/* Inform the privileged process about role */ | ||
201 | + | ||
202 | +void | ||
203 | +mm_inform_authrole(char *role) | ||
204 | +{ | ||
205 | + Buffer m; | ||
206 | + | ||
207 | + debug3("%s entering", __func__); | ||
208 | + | ||
209 | + buffer_init(&m); | ||
210 | + buffer_put_cstring(&m, role ? role : ""); | ||
211 | + | ||
212 | + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); | ||
213 | + | ||
214 | + buffer_free(&m); | ||
215 | +} | ||
216 | + | ||
217 | /* Do the password authentication */ | ||
218 | int | ||
219 | mm_auth_password(Authctxt *authctxt, char *password) | ||
220 | Index: b/monitor_wrap.h | ||
221 | =================================================================== | ||
222 | --- a/monitor_wrap.h | ||
223 | +++ b/monitor_wrap.h | ||
224 | @@ -40,7 +40,8 @@ | ||
225 | int mm_is_monitor(void); | ||
226 | DH *mm_choose_dh(int, int, int); | ||
227 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); | ||
228 | -void mm_inform_authserv(char *, char *); | ||
229 | +void mm_inform_authserv(char *, char *, char *); | ||
230 | +void mm_inform_authrole(char *); | ||
231 | struct passwd *mm_getpwnamallow(const char *); | ||
232 | char *mm_auth2_read_banner(void); | ||
233 | int mm_auth_password(struct Authctxt *, char *); | ||
234 | Index: b/openbsd-compat/port-linux.c | ||
235 | =================================================================== | ||
236 | --- a/openbsd-compat/port-linux.c | ||
237 | +++ b/openbsd-compat/port-linux.c | ||
238 | @@ -29,6 +29,12 @@ | ||
239 | #include <string.h> | ||
240 | #include <stdio.h> | ||
241 | |||
242 | +#ifdef WITH_SELINUX | ||
243 | +#include "key.h" | ||
244 | +#include "hostfile.h" | ||
245 | +#include "auth.h" | ||
246 | +#endif | ||
247 | + | ||
248 | #include "log.h" | ||
249 | #include "xmalloc.h" | ||
250 | #include "port-linux.h" | ||
251 | @@ -38,6 +44,8 @@ | ||
252 | #include <selinux/flask.h> | ||
253 | #include <selinux/get_context_list.h> | ||
254 | |||
255 | +extern Authctxt *the_authctxt; | ||
256 | + | ||
257 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | ||
258 | int | ||
259 | ssh_selinux_enabled(void) | ||
260 | @@ -56,8 +64,8 @@ | ||
261 | static security_context_t | ||
262 | ssh_selinux_getctxbyname(char *pwname) | ||
263 | { | ||
264 | - security_context_t sc; | ||
265 | - char *sename = NULL, *lvl = NULL; | ||
266 | + security_context_t sc = NULL; | ||
267 | + char *sename = NULL, *role = NULL, *lvl = NULL; | ||
268 | int r; | ||
269 | |||
270 | #ifdef HAVE_GETSEUSERBYNAME | ||
271 | @@ -67,11 +75,20 @@ | ||
272 | sename = pwname; | ||
273 | lvl = NULL; | ||
274 | #endif | ||
275 | + if (the_authctxt) | ||
276 | + role = the_authctxt->role; | ||
277 | |||
278 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | ||
279 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
280 | + if (role != NULL && role[0]) | ||
281 | + r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
282 | + &sc); | ||
283 | + else | ||
284 | + r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
285 | #else | ||
286 | - r = get_default_context(sename, NULL, &sc); | ||
287 | + if (role != NULL && role[0]) | ||
288 | + r = get_default_context_with_role(sename, role, NULL, &sc); | ||
289 | + else | ||
290 | + r = get_default_context(sename, NULL, &sc); | ||
291 | #endif | ||
292 | |||
293 | if (r != 0) { | ||
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000000000..699dbaa98 --- /dev/null +++ b/debian/patches/series | |||
@@ -0,0 +1,44 @@ | |||
1 | # GSSAPI | ||
2 | gssapi.patch | ||
3 | gssapi-autoconf.patch | ||
4 | gssapi-compat.patch | ||
5 | gssapi-dump.patch | ||
6 | |||
7 | # SELinux | ||
8 | selinux-role.patch | ||
9 | |||
10 | # Key blacklisting | ||
11 | ssh-vulnkey.patch | ||
12 | |||
13 | # Keepalive handling | ||
14 | ssh1-keepalive.patch | ||
15 | keepalive-extensions.patch | ||
16 | |||
17 | # Message adjustments | ||
18 | syslog-level-silent.patch | ||
19 | quieter-signals.patch | ||
20 | helpful-wait-terminate.patch | ||
21 | |||
22 | # Miscellaneous bug fixes | ||
23 | user-group-modes.patch | ||
24 | scp-quoting.patch | ||
25 | shell-path.patch | ||
26 | ssh-copy-id-trailing-colons.patch | ||
27 | dnssec-sshfp.patch | ||
28 | |||
29 | # Versioning | ||
30 | package-versioning.patch | ||
31 | debian-banner.patch | ||
32 | |||
33 | # File system layout | ||
34 | authorized-keys-man-symlink.patch | ||
35 | lintian-symlink-pickiness.patch | ||
36 | |||
37 | # Documentation | ||
38 | openbsd-docs.patch | ||
39 | ssh-argv0.patch | ||
40 | doc-hash-tab-completion.patch | ||
41 | |||
42 | # Debian-specific configuration | ||
43 | gnome-ssh-askpass2-icon.patch | ||
44 | debian-config.patch | ||
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch new file mode 100644 index 000000000..ddae43a45 --- /dev/null +++ b/debian/patches/shell-path.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | Description: Look for $SHELL on the path for ProxyCommand/LocalCommand | ||
2 | There's some debate on the upstream bug about whether POSIX requires this. | ||
3 | I (Colin Watson) agree with Vincent and think it does. | ||
4 | Author: Colin Watson <cjwatson@debian.org> | ||
5 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 | ||
6 | Bug-Debian: http://bugs.debian.org/492728 | ||
7 | Last-Update: 2010-02-27 | ||
8 | |||
9 | Index: b/sshconnect.c | ||
10 | =================================================================== | ||
11 | --- a/sshconnect.c | ||
12 | +++ b/sshconnect.c | ||
13 | @@ -141,7 +141,7 @@ | ||
14 | |||
15 | /* Execute the proxy command. Note that we gave up any | ||
16 | extra privileges above. */ | ||
17 | - execv(argv[0], argv); | ||
18 | + execvp(argv[0], argv); | ||
19 | perror(argv[0]); | ||
20 | exit(1); | ||
21 | } | ||
22 | @@ -1243,7 +1243,7 @@ | ||
23 | pid = fork(); | ||
24 | if (pid == 0) { | ||
25 | debug3("Executing %s -c \"%s\"", shell, args); | ||
26 | - execl(shell, shell, "-c", args, (char *)NULL); | ||
27 | + execlp(shell, shell, "-c", args, (char *)NULL); | ||
28 | error("Couldn't execute %s -c \"%s\": %s", | ||
29 | shell, args, strerror(errno)); | ||
30 | _exit(1); | ||
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch new file mode 100644 index 000000000..851687dfd --- /dev/null +++ b/debian/patches/ssh-argv0.patch | |||
@@ -0,0 +1,21 @@ | |||
1 | Description: ssh(1): Refer to ssh-argv0(1) | ||
2 | Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating | ||
3 | symlinks to ssh with the name of the host you want to connect to. Debian | ||
4 | ships an ssh-argv0 script restoring this feature; this patch refers to its | ||
5 | manual page from ssh(1). | ||
6 | Bug-Debian: http://bugs.debian.org/111341 | ||
7 | Forwarded: not-needed | ||
8 | Last-Update: 2010-02-28 | ||
9 | |||
10 | Index: b/ssh.1 | ||
11 | =================================================================== | ||
12 | --- a/ssh.1 | ||
13 | +++ b/ssh.1 | ||
14 | @@ -1430,6 +1430,7 @@ | ||
15 | .Xr sftp 1 , | ||
16 | .Xr ssh-add 1 , | ||
17 | .Xr ssh-agent 1 , | ||
18 | +.Xr ssh-argv0 1 , | ||
19 | .Xr ssh-keygen 1 , | ||
20 | .Xr ssh-keyscan 1 , | ||
21 | .Xr ssh-vulnkey 1 , | ||
diff --git a/debian/patches/ssh-copy-id-trailing-colons.patch b/debian/patches/ssh-copy-id-trailing-colons.patch new file mode 100644 index 000000000..1063fc6bb --- /dev/null +++ b/debian/patches/ssh-copy-id-trailing-colons.patch | |||
@@ -0,0 +1,25 @@ | |||
1 | Description: ssh-copy-id: Strip trailing colons from hostname | ||
2 | Author: Karl Goetz <karl@kgoetz.id.au> | ||
3 | Author: Colin Watson <cjwatson@debian.org> | ||
4 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1530 | ||
5 | Bug-Debian: http://bugs.debian.org/226172 | ||
6 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/249706 | ||
7 | Last-Update: 2010-02-27 | ||
8 | |||
9 | Index: b/contrib/ssh-copy-id | ||
10 | =================================================================== | ||
11 | --- a/contrib/ssh-copy-id | ||
12 | +++ b/contrib/ssh-copy-id | ||
13 | @@ -38,10 +38,10 @@ | ||
14 | exit 1 | ||
15 | fi | ||
16 | |||
17 | -{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 | ||
18 | +{ eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 | ||
19 | |||
20 | cat <<EOF | ||
21 | -Now try logging into the machine, with "ssh '$1'", and check in: | ||
22 | +Now try logging into the machine, with "ssh '${1%:}'", and check in: | ||
23 | |||
24 | .ssh/authorized_keys | ||
25 | |||
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch new file mode 100644 index 000000000..af56dc031 --- /dev/null +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -0,0 +1,1385 @@ | |||
1 | Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw | ||
2 | In 2008, Debian (and derived distributions such as Ubuntu) shipped an | ||
3 | OpenSSL package with a flawed random number generator, causing OpenSSH to | ||
4 | generate only a very limited set of keys which were subject to private half | ||
5 | precomputation. To mitigate this, this patch checks key authentications | ||
6 | against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey | ||
7 | program which can be used to explicitly check keys against that blacklist. | ||
8 | See CVE-2008-0166. | ||
9 | Author: Colin Watson <cjwatson@ubuntu.com> | ||
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 | ||
11 | Last-Update: 2010-02-27 | ||
12 | |||
13 | Index: b/Makefile.in | ||
14 | =================================================================== | ||
15 | --- a/Makefile.in | ||
16 | +++ b/Makefile.in | ||
17 | @@ -27,6 +27,7 @@ | ||
18 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | ||
19 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | ||
20 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
21 | +SSH_DATADIR=$(datadir)/ssh | ||
22 | PRIVSEP_PATH=@PRIVSEP_PATH@ | ||
23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | ||
24 | STRIP_OPT=@STRIP_OPT@ | ||
25 | @@ -39,7 +40,8 @@ | ||
26 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ | ||
27 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ | ||
28 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ | ||
29 | - -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" | ||
30 | + -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \ | ||
31 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" | ||
32 | |||
33 | CC=@CC@ | ||
34 | LD=@LD@ | ||
35 | @@ -62,7 +64,7 @@ | ||
36 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | ||
37 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ | ||
38 | |||
39 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) | ||
40 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) | ||
41 | |||
42 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | ||
43 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | ||
44 | @@ -93,8 +95,8 @@ | ||
45 | audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ | ||
46 | roaming_common.o roaming_serv.o | ||
47 | |||
48 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | ||
49 | -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | ||
50 | +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out | ||
51 | +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 | ||
52 | MANTYPE = @MANTYPE@ | ||
53 | |||
54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | ||
55 | @@ -174,6 +176,9 @@ | ||
56 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o | ||
57 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | ||
58 | |||
59 | +ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o | ||
60 | + $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | ||
61 | + | ||
62 | # test driver for the loginrec code - not built by default | ||
63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | ||
64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | ||
65 | @@ -268,6 +273,7 @@ | ||
66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | ||
67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | ||
68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | ||
69 | + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey$(EXEEXT) $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT) | ||
70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | ||
71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | ||
72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | ||
73 | @@ -285,6 +291,7 @@ | ||
74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | ||
75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | ||
76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | ||
77 | + $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | ||
78 | -rm -f $(DESTDIR)$(bindir)/slogin | ||
79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | ||
80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | ||
81 | @@ -366,6 +373,7 @@ | ||
82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | ||
83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | ||
84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | ||
85 | + -rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT) | ||
86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | ||
87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | ||
88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | ||
89 | @@ -379,6 +387,7 @@ | ||
90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | ||
91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | ||
92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | ||
93 | + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | ||
94 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | ||
95 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 | ||
96 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | ||
97 | Index: b/auth-rh-rsa.c | ||
98 | =================================================================== | ||
99 | --- a/auth-rh-rsa.c | ||
100 | +++ b/auth-rh-rsa.c | ||
101 | @@ -44,7 +44,7 @@ | ||
102 | { | ||
103 | HostStatus host_status; | ||
104 | |||
105 | - if (auth_key_is_revoked(client_host_key)) | ||
106 | + if (auth_key_is_revoked(client_host_key, 0)) | ||
107 | return 0; | ||
108 | |||
109 | /* Check if we would accept it using rhosts authentication. */ | ||
110 | Index: b/auth-rsa.c | ||
111 | =================================================================== | ||
112 | --- a/auth-rsa.c | ||
113 | +++ b/auth-rsa.c | ||
114 | @@ -94,7 +94,7 @@ | ||
115 | MD5_CTX md; | ||
116 | int len; | ||
117 | |||
118 | - if (auth_key_is_revoked(key)) | ||
119 | + if (auth_key_is_revoked(key, 0)) | ||
120 | return 0; | ||
121 | |||
122 | /* don't allow short keys */ | ||
123 | Index: b/auth.c | ||
124 | =================================================================== | ||
125 | --- a/auth.c | ||
126 | +++ b/auth.c | ||
127 | @@ -59,6 +59,7 @@ | ||
128 | #include "servconf.h" | ||
129 | #include "key.h" | ||
130 | #include "hostfile.h" | ||
131 | +#include "authfile.h" | ||
132 | #include "auth.h" | ||
133 | #include "auth-options.h" | ||
134 | #include "canohost.h" | ||
135 | @@ -593,10 +594,34 @@ | ||
136 | |||
137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | ||
138 | int | ||
139 | -auth_key_is_revoked(Key *key) | ||
140 | +auth_key_is_revoked(Key *key, int hostkey) | ||
141 | { | ||
142 | char *key_fp; | ||
143 | |||
144 | + if (blacklisted_key(key, &key_fp) == 1) { | ||
145 | + if (options.permit_blacklisted_keys) { | ||
146 | + if (hostkey) | ||
147 | + error("Host key %s blacklisted (see " | ||
148 | + "ssh-vulnkey(1)); continuing anyway", | ||
149 | + key_fp); | ||
150 | + else | ||
151 | + logit("Public key %s from %s blacklisted (see " | ||
152 | + "ssh-vulnkey(1)); continuing anyway", | ||
153 | + key_fp, get_remote_ipaddr()); | ||
154 | + xfree(key_fp); | ||
155 | + } else { | ||
156 | + if (hostkey) | ||
157 | + error("Host key %s blacklisted (see " | ||
158 | + "ssh-vulnkey(1))", key_fp); | ||
159 | + else | ||
160 | + logit("Public key %s from %s blacklisted (see " | ||
161 | + "ssh-vulnkey(1))", | ||
162 | + key_fp, get_remote_ipaddr()); | ||
163 | + xfree(key_fp); | ||
164 | + return 1; | ||
165 | + } | ||
166 | + } | ||
167 | + | ||
168 | if (options.revoked_keys_file == NULL) | ||
169 | return 0; | ||
170 | |||
171 | Index: b/auth.h | ||
172 | =================================================================== | ||
173 | --- a/auth.h | ||
174 | +++ b/auth.h | ||
175 | @@ -173,7 +173,7 @@ | ||
176 | char *authorized_keys_file2(struct passwd *); | ||
177 | |||
178 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | ||
179 | -int auth_key_is_revoked(Key *); | ||
180 | +int auth_key_is_revoked(Key *, int); | ||
181 | |||
182 | HostStatus | ||
183 | check_key_in_hostfiles(struct passwd *, Key *, const char *, | ||
184 | Index: b/auth2-hostbased.c | ||
185 | =================================================================== | ||
186 | --- a/auth2-hostbased.c | ||
187 | +++ b/auth2-hostbased.c | ||
188 | @@ -145,7 +145,7 @@ | ||
189 | HostStatus host_status; | ||
190 | int len; | ||
191 | |||
192 | - if (auth_key_is_revoked(key)) | ||
193 | + if (auth_key_is_revoked(key, 0)) | ||
194 | return 0; | ||
195 | |||
196 | resolvedname = get_canonical_hostname(options.use_dns); | ||
197 | Index: b/auth2-pubkey.c | ||
198 | =================================================================== | ||
199 | --- a/auth2-pubkey.c | ||
200 | +++ b/auth2-pubkey.c | ||
201 | @@ -328,9 +328,10 @@ | ||
202 | int success; | ||
203 | char *file; | ||
204 | |||
205 | - if (auth_key_is_revoked(key)) | ||
206 | + if (auth_key_is_revoked(key, 0)) | ||
207 | return 0; | ||
208 | - if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) | ||
209 | + if (key_is_cert(key) && | ||
210 | + auth_key_is_revoked(key->cert->signature_key, 0)) | ||
211 | return 0; | ||
212 | |||
213 | success = user_cert_trusted_ca(pw, key); | ||
214 | Index: b/authfile.c | ||
215 | =================================================================== | ||
216 | --- a/authfile.c | ||
217 | +++ b/authfile.c | ||
218 | @@ -68,6 +68,7 @@ | ||
219 | #include "rsa.h" | ||
220 | #include "misc.h" | ||
221 | #include "atomicio.h" | ||
222 | +#include "pathnames.h" | ||
223 | |||
224 | /* Version identification string for SSH v1 identity files. */ | ||
225 | static const char authfile_id_string[] = | ||
226 | @@ -754,3 +755,140 @@ | ||
227 | return ret; | ||
228 | } | ||
229 | |||
230 | +/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ | ||
231 | +static int | ||
232 | +blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp) | ||
233 | +{ | ||
234 | + int fd = -1; | ||
235 | + char *dgst_hex = NULL; | ||
236 | + char *dgst_packed = NULL, *p; | ||
237 | + int i; | ||
238 | + size_t line_len; | ||
239 | + struct stat st; | ||
240 | + char buf[256]; | ||
241 | + off_t start, lower, upper; | ||
242 | + int ret = 0; | ||
243 | + | ||
244 | + debug("Checking blacklist file %s", blacklist_file); | ||
245 | + fd = open(blacklist_file, O_RDONLY); | ||
246 | + if (fd < 0) { | ||
247 | + ret = -1; | ||
248 | + goto out; | ||
249 | + } | ||
250 | + | ||
251 | + dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
252 | + /* Remove all colons */ | ||
253 | + dgst_packed = xcalloc(1, strlen(dgst_hex) + 1); | ||
254 | + for (i = 0, p = dgst_packed; dgst_hex[i]; i++) | ||
255 | + if (dgst_hex[i] != ':') | ||
256 | + *p++ = dgst_hex[i]; | ||
257 | + /* Only compare least-significant 80 bits (to keep the blacklist | ||
258 | + * size down) | ||
259 | + */ | ||
260 | + line_len = strlen(dgst_packed + 12); | ||
261 | + if (line_len > 32) | ||
262 | + goto out; | ||
263 | + | ||
264 | + /* Skip leading comments */ | ||
265 | + start = 0; | ||
266 | + for (;;) { | ||
267 | + ssize_t r; | ||
268 | + char *newline; | ||
269 | + | ||
270 | + r = atomicio(read, fd, buf, sizeof(buf)); | ||
271 | + if (r <= 0) | ||
272 | + goto out; | ||
273 | + if (buf[0] != '#') | ||
274 | + break; | ||
275 | + | ||
276 | + newline = memchr(buf, '\n', sizeof(buf)); | ||
277 | + if (!newline) | ||
278 | + goto out; | ||
279 | + start += newline + 1 - buf; | ||
280 | + if (lseek(fd, start, SEEK_SET) < 0) | ||
281 | + goto out; | ||
282 | + } | ||
283 | + | ||
284 | + /* Initialise binary search record numbers */ | ||
285 | + if (fstat(fd, &st) < 0) | ||
286 | + goto out; | ||
287 | + lower = 0; | ||
288 | + upper = (st.st_size - start) / (line_len + 1); | ||
289 | + | ||
290 | + while (lower != upper) { | ||
291 | + off_t cur; | ||
292 | + int cmp; | ||
293 | + | ||
294 | + cur = lower + (upper - lower) / 2; | ||
295 | + | ||
296 | + /* Read this line and compare to digest; this is | ||
297 | + * overflow-safe since cur < max(off_t) / (line_len + 1) */ | ||
298 | + if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0) | ||
299 | + break; | ||
300 | + if (atomicio(read, fd, buf, line_len) != line_len) | ||
301 | + break; | ||
302 | + cmp = memcmp(buf, dgst_packed + 12, line_len); | ||
303 | + if (cmp < 0) { | ||
304 | + if (cur == lower) | ||
305 | + break; | ||
306 | + lower = cur; | ||
307 | + } else if (cmp > 0) { | ||
308 | + if (cur == upper) | ||
309 | + break; | ||
310 | + upper = cur; | ||
311 | + } else { | ||
312 | + debug("Found %s in blacklist", dgst_hex); | ||
313 | + ret = 1; | ||
314 | + break; | ||
315 | + } | ||
316 | + } | ||
317 | + | ||
318 | +out: | ||
319 | + if (dgst_packed) | ||
320 | + xfree(dgst_packed); | ||
321 | + if (ret != 1 && dgst_hex) { | ||
322 | + xfree(dgst_hex); | ||
323 | + dgst_hex = NULL; | ||
324 | + } | ||
325 | + if (fp) | ||
326 | + *fp = dgst_hex; | ||
327 | + if (fd >= 0) | ||
328 | + close(fd); | ||
329 | + return ret; | ||
330 | +} | ||
331 | + | ||
332 | +/* | ||
333 | + * Scan blacklists of known-vulnerable keys. If a vulnerable key is found, | ||
334 | + * its fingerprint is returned in *fp, unless fp is NULL. | ||
335 | + */ | ||
336 | +int | ||
337 | +blacklisted_key(const Key *key, char **fp) | ||
338 | +{ | ||
339 | + Key *public; | ||
340 | + char *blacklist_file; | ||
341 | + int ret, ret2; | ||
342 | + | ||
343 | + public = key_demote(key); | ||
344 | + if (public->type == KEY_RSA1) | ||
345 | + public->type = KEY_RSA; | ||
346 | + | ||
347 | + xasprintf(&blacklist_file, "%s.%s-%u", | ||
348 | + _PATH_BLACKLIST, key_type(public), key_size(public)); | ||
349 | + ret = blacklisted_key_in_file(public, blacklist_file, fp); | ||
350 | + xfree(blacklist_file); | ||
351 | + if (ret > 0) { | ||
352 | + key_free(public); | ||
353 | + return ret; | ||
354 | + } | ||
355 | + | ||
356 | + xasprintf(&blacklist_file, "%s.%s-%u", | ||
357 | + _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); | ||
358 | + ret2 = blacklisted_key_in_file(public, blacklist_file, fp); | ||
359 | + xfree(blacklist_file); | ||
360 | + if (ret2 > ret) | ||
361 | + ret = ret2; | ||
362 | + | ||
363 | + key_free(public); | ||
364 | + return ret; | ||
365 | +} | ||
366 | + | ||
367 | Index: b/authfile.h | ||
368 | =================================================================== | ||
369 | --- a/authfile.h | ||
370 | +++ b/authfile.h | ||
371 | @@ -24,4 +24,6 @@ | ||
372 | int key_perm_ok(int, const char *); | ||
373 | int key_in_file(Key *, const char *, int); | ||
374 | |||
375 | +int blacklisted_key(const Key *key, char **fp); | ||
376 | + | ||
377 | #endif | ||
378 | Index: b/pathnames.h | ||
379 | =================================================================== | ||
380 | --- a/pathnames.h | ||
381 | +++ b/pathnames.h | ||
382 | @@ -18,6 +18,10 @@ | ||
383 | #define SSHDIR ETCDIR "/ssh" | ||
384 | #endif | ||
385 | |||
386 | +#ifndef _PATH_SSH_DATADIR | ||
387 | +#define _PATH_SSH_DATADIR "/usr/share/ssh" | ||
388 | +#endif | ||
389 | + | ||
390 | #ifndef _PATH_SSH_PIDDIR | ||
391 | #define _PATH_SSH_PIDDIR "/var/run" | ||
392 | #endif | ||
393 | @@ -43,6 +47,9 @@ | ||
394 | /* Backwards compatibility */ | ||
395 | #define _PATH_DH_PRIMES SSHDIR "/primes" | ||
396 | |||
397 | +#define _PATH_BLACKLIST _PATH_SSH_DATADIR "/blacklist" | ||
398 | +#define _PATH_BLACKLIST_CONFIG SSHDIR "/blacklist" | ||
399 | + | ||
400 | #ifndef _PATH_SSH_PROGRAM | ||
401 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" | ||
402 | #endif | ||
403 | Index: b/readconf.c | ||
404 | =================================================================== | ||
405 | --- a/readconf.c | ||
406 | +++ b/readconf.c | ||
407 | @@ -123,6 +123,7 @@ | ||
408 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | ||
409 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | ||
410 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | ||
411 | + oUseBlacklistedKeys, | ||
412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | ||
413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | ||
414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | ||
415 | @@ -152,6 +153,7 @@ | ||
416 | { "passwordauthentication", oPasswordAuthentication }, | ||
417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | ||
418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | ||
419 | + { "useblacklistedkeys", oUseBlacklistedKeys }, | ||
420 | { "rsaauthentication", oRSAAuthentication }, | ||
421 | { "pubkeyauthentication", oPubkeyAuthentication }, | ||
422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | ||
423 | @@ -461,6 +463,10 @@ | ||
424 | intptr = &options->challenge_response_authentication; | ||
425 | goto parse_flag; | ||
426 | |||
427 | + case oUseBlacklistedKeys: | ||
428 | + intptr = &options->use_blacklisted_keys; | ||
429 | + goto parse_flag; | ||
430 | + | ||
431 | case oGssAuthentication: | ||
432 | intptr = &options->gss_authentication; | ||
433 | goto parse_flag; | ||
434 | @@ -1050,6 +1056,7 @@ | ||
435 | options->kbd_interactive_devices = NULL; | ||
436 | options->rhosts_rsa_authentication = -1; | ||
437 | options->hostbased_authentication = -1; | ||
438 | + options->use_blacklisted_keys = -1; | ||
439 | options->batch_mode = -1; | ||
440 | options->check_host_ip = -1; | ||
441 | options->strict_host_key_checking = -1; | ||
442 | @@ -1152,6 +1159,8 @@ | ||
443 | options->rhosts_rsa_authentication = 0; | ||
444 | if (options->hostbased_authentication == -1) | ||
445 | options->hostbased_authentication = 0; | ||
446 | + if (options->use_blacklisted_keys == -1) | ||
447 | + options->use_blacklisted_keys = 0; | ||
448 | if (options->batch_mode == -1) | ||
449 | options->batch_mode = 0; | ||
450 | if (options->check_host_ip == -1) | ||
451 | Index: b/readconf.h | ||
452 | =================================================================== | ||
453 | --- a/readconf.h | ||
454 | +++ b/readconf.h | ||
455 | @@ -54,6 +54,7 @@ | ||
456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | ||
457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | ||
458 | int zero_knowledge_password_authentication; /* Try jpake */ | ||
459 | + int use_blacklisted_keys; /* If true, send */ | ||
460 | int batch_mode; /* Batch mode: do not ask for passwords. */ | ||
461 | int check_host_ip; /* Also keep track of keys for IP address */ | ||
462 | int strict_host_key_checking; /* Strict host key checking. */ | ||
463 | Index: b/servconf.c | ||
464 | =================================================================== | ||
465 | --- a/servconf.c | ||
466 | +++ b/servconf.c | ||
467 | @@ -100,6 +100,7 @@ | ||
468 | options->password_authentication = -1; | ||
469 | options->kbd_interactive_authentication = -1; | ||
470 | options->challenge_response_authentication = -1; | ||
471 | + options->permit_blacklisted_keys = -1; | ||
472 | options->permit_empty_passwd = -1; | ||
473 | options->permit_user_env = -1; | ||
474 | options->use_login = -1; | ||
475 | @@ -231,6 +232,8 @@ | ||
476 | options->kbd_interactive_authentication = 0; | ||
477 | if (options->challenge_response_authentication == -1) | ||
478 | options->challenge_response_authentication = 1; | ||
479 | + if (options->permit_blacklisted_keys == -1) | ||
480 | + options->permit_blacklisted_keys = 0; | ||
481 | if (options->permit_empty_passwd == -1) | ||
482 | options->permit_empty_passwd = 0; | ||
483 | if (options->permit_user_env == -1) | ||
484 | @@ -306,7 +309,7 @@ | ||
485 | sListenAddress, sAddressFamily, | ||
486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | ||
487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | ||
488 | - sStrictModes, sEmptyPasswd, sTCPKeepAlive, | ||
489 | + sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, | ||
490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | ||
491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | ||
492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | ||
493 | @@ -415,6 +418,7 @@ | ||
494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | ||
495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | ||
496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | ||
497 | + { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }, | ||
498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | ||
499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | ||
500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | ||
501 | @@ -1009,6 +1013,10 @@ | ||
502 | intptr = &options->tcp_keep_alive; | ||
503 | goto parse_flag; | ||
504 | |||
505 | + case sPermitBlacklistedKeys: | ||
506 | + intptr = &options->permit_blacklisted_keys; | ||
507 | + goto parse_flag; | ||
508 | + | ||
509 | case sEmptyPasswd: | ||
510 | intptr = &options->permit_empty_passwd; | ||
511 | goto parse_flag; | ||
512 | @@ -1697,6 +1705,7 @@ | ||
513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | ||
514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | ||
515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | ||
516 | + dump_cfg_fmtint(sPermitBlacklistedKeys, o->permit_blacklisted_keys); | ||
517 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | ||
518 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | ||
519 | dump_cfg_fmtint(sUseLogin, o->use_login); | ||
520 | Index: b/servconf.h | ||
521 | =================================================================== | ||
522 | --- a/servconf.h | ||
523 | +++ b/servconf.h | ||
524 | @@ -104,6 +104,7 @@ | ||
525 | int challenge_response_authentication; | ||
526 | int zero_knowledge_password_authentication; | ||
527 | /* If true, permit jpake auth */ | ||
528 | + int permit_blacklisted_keys; /* If true, permit */ | ||
529 | int permit_empty_passwd; /* If false, do not permit empty | ||
530 | * passwords. */ | ||
531 | int permit_user_env; /* If true, read ~/.ssh/environment */ | ||
532 | Index: b/ssh-add.1 | ||
533 | =================================================================== | ||
534 | --- a/ssh-add.1 | ||
535 | +++ b/ssh-add.1 | ||
536 | @@ -82,6 +82,10 @@ | ||
537 | .Nm | ||
538 | to work. | ||
539 | .Pp | ||
540 | +Any keys recorded in the blacklist of known-compromised keys (see | ||
541 | +.Xr ssh-vulnkey 1 ) | ||
542 | +will be refused. | ||
543 | +.Pp | ||
544 | The options are as follows: | ||
545 | .Bl -tag -width Ds | ||
546 | .It Fl c | ||
547 | @@ -182,6 +186,7 @@ | ||
548 | .Xr ssh 1 , | ||
549 | .Xr ssh-agent 1 , | ||
550 | .Xr ssh-keygen 1 , | ||
551 | +.Xr ssh-vulnkey 1 , | ||
552 | .Xr sshd 8 | ||
553 | .Sh AUTHORS | ||
554 | OpenSSH is a derivative of the original and free | ||
555 | Index: b/ssh-add.c | ||
556 | =================================================================== | ||
557 | --- a/ssh-add.c | ||
558 | +++ b/ssh-add.c | ||
559 | @@ -139,7 +139,7 @@ | ||
560 | add_file(AuthenticationConnection *ac, const char *filename) | ||
561 | { | ||
562 | Key *private, *cert; | ||
563 | - char *comment = NULL; | ||
564 | + char *comment = NULL, *fp; | ||
565 | char msg[1024], *certpath; | ||
566 | int fd, perms_ok, ret = -1; | ||
567 | |||
568 | @@ -184,6 +184,14 @@ | ||
569 | "Bad passphrase, try again for %.200s: ", comment); | ||
570 | } | ||
571 | } | ||
572 | + if (blacklisted_key(private, &fp) == 1) { | ||
573 | + fprintf(stderr, "Public key %s blacklisted (see " | ||
574 | + "ssh-vulnkey(1)); refusing to add it\n", fp); | ||
575 | + xfree(fp); | ||
576 | + key_free(private); | ||
577 | + xfree(comment); | ||
578 | + return -1; | ||
579 | + } | ||
580 | |||
581 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, | ||
582 | confirm)) { | ||
583 | Index: b/ssh-keygen.1 | ||
584 | =================================================================== | ||
585 | --- a/ssh-keygen.1 | ||
586 | +++ b/ssh-keygen.1 | ||
587 | @@ -628,6 +628,7 @@ | ||
588 | .Xr ssh 1 , | ||
589 | .Xr ssh-add 1 , | ||
590 | .Xr ssh-agent 1 , | ||
591 | +.Xr ssh-vulnkey 1 , | ||
592 | .Xr moduli 5 , | ||
593 | .Xr sshd 8 | ||
594 | .Rs | ||
595 | Index: b/ssh-vulnkey.1 | ||
596 | =================================================================== | ||
597 | --- /dev/null | ||
598 | +++ b/ssh-vulnkey.1 | ||
599 | @@ -0,0 +1,242 @@ | ||
600 | +.\" Copyright (c) 2008 Canonical Ltd. All rights reserved. | ||
601 | +.\" | ||
602 | +.\" Redistribution and use in source and binary forms, with or without | ||
603 | +.\" modification, are permitted provided that the following conditions | ||
604 | +.\" are met: | ||
605 | +.\" 1. Redistributions of source code must retain the above copyright | ||
606 | +.\" notice, this list of conditions and the following disclaimer. | ||
607 | +.\" 2. Redistributions in binary form must reproduce the above copyright | ||
608 | +.\" notice, this list of conditions and the following disclaimer in the | ||
609 | +.\" documentation and/or other materials provided with the distribution. | ||
610 | +.\" | ||
611 | +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
612 | +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
613 | +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
614 | +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
615 | +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
616 | +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
617 | +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
618 | +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
619 | +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
620 | +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
621 | +.\" | ||
622 | +.Dd $Mdocdate: May 12 2008 $ | ||
623 | +.Dt SSH-VULNKEY 1 | ||
624 | +.Os | ||
625 | +.Sh NAME | ||
626 | +.Nm ssh-vulnkey | ||
627 | +.Nd check blacklist of compromised keys | ||
628 | +.Sh SYNOPSIS | ||
629 | +.Nm | ||
630 | +.Op Fl q | Fl v | ||
631 | +.Ar file ... | ||
632 | +.Nm | ||
633 | +.Fl a | ||
634 | +.Sh DESCRIPTION | ||
635 | +.Nm | ||
636 | +checks a key against a blacklist of compromised keys. | ||
637 | +.Pp | ||
638 | +A substantial number of keys are known to have been generated using a broken | ||
639 | +version of OpenSSL distributed by Debian which failed to seed its random | ||
640 | +number generator correctly. | ||
641 | +Keys generated using these OpenSSL versions should be assumed to be | ||
642 | +compromised. | ||
643 | +This tool may be useful in checking for such keys. | ||
644 | +.Pp | ||
645 | +Keys that are compromised cannot be repaired; replacements must be generated | ||
646 | +using | ||
647 | +.Xr ssh-keygen 1 . | ||
648 | +Make sure to update | ||
649 | +.Pa authorized_keys | ||
650 | +files on all systems where compromised keys were permitted to authenticate. | ||
651 | +.Pp | ||
652 | +The argument list will be interpreted as a list of paths to public key files | ||
653 | +or | ||
654 | +.Pa authorized_keys | ||
655 | +files. | ||
656 | +If no suitable file is found at a given path, | ||
657 | +.Nm | ||
658 | +will append | ||
659 | +.Pa .pub | ||
660 | +and retry, in case it was given a private key file. | ||
661 | +If no files are given as arguments, | ||
662 | +.Nm | ||
663 | +will check | ||
664 | +.Pa ~/.ssh/id_rsa , | ||
665 | +.Pa ~/.ssh/id_dsa , | ||
666 | +.Pa ~/.ssh/identity , | ||
667 | +.Pa ~/.ssh/authorized_keys | ||
668 | +and | ||
669 | +.Pa ~/.ssh/authorized_keys2 , | ||
670 | +as well as the system's host keys if readable. | ||
671 | +.Pp | ||
672 | +If | ||
673 | +.Dq - | ||
674 | +is given as an argument, | ||
675 | +.Nm | ||
676 | +will read from standard input. | ||
677 | +This can be used to process output from | ||
678 | +.Xr ssh-keyscan 1 , | ||
679 | +for example: | ||
680 | +.Pp | ||
681 | +.Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey - | ||
682 | +.Pp | ||
683 | +Unless the | ||
684 | +.Cm PermitBlacklistedKeys | ||
685 | +option is used, | ||
686 | +.Xr sshd 8 | ||
687 | +will reject attempts to authenticate with keys in the compromised list. | ||
688 | +.Pp | ||
689 | +The output from | ||
690 | +.Nm | ||
691 | +looks like this: | ||
692 | +.Pp | ||
693 | +.Bd -literal -offset indent | ||
694 | +/etc/ssh/ssh_host_key:1: COMPROMISED: RSA1 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host | ||
695 | +/home/user/.ssh/id_dsa:1: Not blacklisted: DSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub | ||
696 | +/home/user/.ssh/authorized_keys:3: Unknown (blacklist file not installed): RSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host | ||
697 | +.Ed | ||
698 | +.Pp | ||
699 | +Each line is of the following format (any lines beginning with | ||
700 | +.Dq # | ||
701 | +should be ignored by scripts): | ||
702 | +.Pp | ||
703 | +.Dl Ar filename : Ns Ar line : Ar status : Ar type Ar size Ar fingerprint Ar comment | ||
704 | +.Pp | ||
705 | +It is important to distinguish between the possible values of | ||
706 | +.Ar status : | ||
707 | +.Pp | ||
708 | +.Bl -tag -width Ds | ||
709 | +.It COMPROMISED | ||
710 | +These keys are listed in a blacklist file, normally because their | ||
711 | +corresponding private keys are well-known. | ||
712 | +Replacements must be generated using | ||
713 | +.Xr ssh-keygen 1 . | ||
714 | +.It Not blacklisted | ||
715 | +A blacklist file exists for this key type and size, but this key is not | ||
716 | +listed in it. | ||
717 | +Unless there is some particular reason to believe otherwise, this key | ||
718 | +may be used safely. | ||
719 | +(Note that DSA keys used with the broken version of OpenSSL distributed | ||
720 | +by Debian may be compromised in the event that anyone captured a network | ||
721 | +trace, even if they were generated with a secure version of OpenSSL.) | ||
722 | +.It Unknown (blacklist file not installed) | ||
723 | +No blacklist file exists for this key type and size. | ||
724 | +You should find a suitable published blacklist and install it before | ||
725 | +deciding whether this key is safe to use. | ||
726 | +.El | ||
727 | +.Pp | ||
728 | +The options are as follows: | ||
729 | +.Bl -tag -width Ds | ||
730 | +.It Fl a | ||
731 | +Check keys of all users on the system. | ||
732 | +You will typically need to run | ||
733 | +.Nm | ||
734 | +as root to use this option. | ||
735 | +For each user, | ||
736 | +.Nm | ||
737 | +will check | ||
738 | +.Pa ~/.ssh/id_rsa , | ||
739 | +.Pa ~/.ssh/id_dsa , | ||
740 | +.Pa ~/.ssh/identity , | ||
741 | +.Pa ~/.ssh/authorized_keys | ||
742 | +and | ||
743 | +.Pa ~/.ssh/authorized_keys2 . | ||
744 | +It will also check the system's host keys. | ||
745 | +.It Fl q | ||
746 | +Quiet mode. | ||
747 | +Normally, | ||
748 | +.Nm | ||
749 | +outputs the fingerprint of each key scanned, with a description of its | ||
750 | +status. | ||
751 | +This option suppresses that output. | ||
752 | +.It Fl v | ||
753 | +Verbose mode. | ||
754 | +Normally, | ||
755 | +.Nm | ||
756 | +does not output anything for keys that are not listed in their corresponding | ||
757 | +blacklist file (although it still produces output for keys for which there | ||
758 | +is no blacklist file, since their status is unknown). | ||
759 | +This option causes | ||
760 | +.Nm | ||
761 | +to produce output for all keys. | ||
762 | +.El | ||
763 | +.Sh EXIT STATUS | ||
764 | +.Nm | ||
765 | +will exit zero if any of the given keys were in the compromised list, | ||
766 | +otherwise non-zero. | ||
767 | +.Sh BLACKLIST FILE FORMAT | ||
768 | +The blacklist file may start with comments, on lines starting with | ||
769 | +.Dq # . | ||
770 | +After these initial comments, it must follow a strict format: | ||
771 | +.Pp | ||
772 | +.Bl -bullet -offset indent -compact | ||
773 | +.It | ||
774 | +All the lines must be exactly the same length (20 characters followed by a | ||
775 | +newline) and must be in sorted order. | ||
776 | +.It | ||
777 | +Each line must consist of the lower-case hexadecimal MD5 key fingerprint, | ||
778 | +without colons, and with the first 12 characters removed (that is, the least | ||
779 | +significant 80 bits of the fingerprint). | ||
780 | +.El | ||
781 | +.Pp | ||
782 | +The key fingerprint may be generated using | ||
783 | +.Xr ssh-keygen 1 : | ||
784 | +.Pp | ||
785 | +.Dl $ ssh-keygen -l -f /path/to/key | ||
786 | +.Pp | ||
787 | +This strict format is necessary to allow the blacklist file to be checked | ||
788 | +quickly, using a binary-search algorithm. | ||
789 | +.Sh FILES | ||
790 | +.Bl -tag -width Ds | ||
791 | +.It Pa ~/.ssh/id_rsa | ||
792 | +If present, contains the protocol version 2 RSA authentication identity of | ||
793 | +the user. | ||
794 | +.It Pa ~/.ssh/id_dsa | ||
795 | +If present, contains the protocol version 2 DSA authentication identity of | ||
796 | +the user. | ||
797 | +.It Pa ~/.ssh/identity | ||
798 | +If present, contains the protocol version 1 RSA authentication identity of | ||
799 | +the user. | ||
800 | +.It Pa ~/.ssh/authorized_keys | ||
801 | +If present, lists the public keys (RSA/DSA) that can be used for logging in | ||
802 | +as this user. | ||
803 | +.It Pa ~/.ssh/authorized_keys2 | ||
804 | +Obsolete name for | ||
805 | +.Pa ~/.ssh/authorized_keys . | ||
806 | +This file may still be present on some old systems, but should not be | ||
807 | +created if it is missing. | ||
808 | +.It Pa /etc/ssh/ssh_host_rsa_key | ||
809 | +If present, contains the protocol version 2 RSA identity of the system. | ||
810 | +.It Pa /etc/ssh/ssh_host_dsa_key | ||
811 | +If present, contains the protocol version 2 DSA identity of the system. | ||
812 | +.It Pa /etc/ssh/ssh_host_key | ||
813 | +If present, contains the protocol version 1 RSA identity of the system. | ||
814 | +.It Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH | ||
815 | +If present, lists the blacklisted keys of type | ||
816 | +.Ar TYPE | ||
817 | +.Pf ( Dq RSA | ||
818 | +or | ||
819 | +.Dq DSA ) | ||
820 | +and bit length | ||
821 | +.Ar LENGTH . | ||
822 | +The format of this file is described above. | ||
823 | +RSA1 keys are converted to RSA before being checked in the blacklist. | ||
824 | +Note that the fingerprints of RSA1 keys are computed differently, so you | ||
825 | +will not be able to find them in the blacklist by hand. | ||
826 | +.It Pa /etc/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH | ||
827 | +Same as | ||
828 | +.Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH , | ||
829 | +but may be edited by the system administrator to add new blacklist entries. | ||
830 | +.El | ||
831 | +.Sh SEE ALSO | ||
832 | +.Xr ssh-keygen 1 , | ||
833 | +.Xr sshd 8 | ||
834 | +.Sh AUTHORS | ||
835 | +.An -nosplit | ||
836 | +.An Colin Watson Aq cjwatson@ubuntu.com | ||
837 | +.Pp | ||
838 | +Florian Weimer suggested the option to check keys of all users, and the idea | ||
839 | +of processing | ||
840 | +.Xr ssh-keyscan 1 | ||
841 | +output. | ||
842 | Index: b/ssh-vulnkey.c | ||
843 | =================================================================== | ||
844 | --- /dev/null | ||
845 | +++ b/ssh-vulnkey.c | ||
846 | @@ -0,0 +1,388 @@ | ||
847 | +/* | ||
848 | + * Copyright (c) 2008 Canonical Ltd. All rights reserved. | ||
849 | + * | ||
850 | + * Redistribution and use in source and binary forms, with or without | ||
851 | + * modification, are permitted provided that the following conditions | ||
852 | + * are met: | ||
853 | + * 1. Redistributions of source code must retain the above copyright | ||
854 | + * notice, this list of conditions and the following disclaimer. | ||
855 | + * 2. Redistributions in binary form must reproduce the above copyright | ||
856 | + * notice, this list of conditions and the following disclaimer in the | ||
857 | + * documentation and/or other materials provided with the distribution. | ||
858 | + * | ||
859 | + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
860 | + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
861 | + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
862 | + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
863 | + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
864 | + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
865 | + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
866 | + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
867 | + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
868 | + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
869 | + */ | ||
870 | + | ||
871 | +#include "includes.h" | ||
872 | + | ||
873 | +#include <sys/types.h> | ||
874 | +#include <sys/stat.h> | ||
875 | + | ||
876 | +#include <errno.h> | ||
877 | +#include <string.h> | ||
878 | +#include <stdio.h> | ||
879 | +#include <fcntl.h> | ||
880 | +#include <unistd.h> | ||
881 | + | ||
882 | +#include <openssl/evp.h> | ||
883 | + | ||
884 | +#include "xmalloc.h" | ||
885 | +#include "ssh.h" | ||
886 | +#include "log.h" | ||
887 | +#include "key.h" | ||
888 | +#include "authfile.h" | ||
889 | +#include "pathnames.h" | ||
890 | +#include "uidswap.h" | ||
891 | +#include "misc.h" | ||
892 | + | ||
893 | +extern char *__progname; | ||
894 | + | ||
895 | +/* Default files to check */ | ||
896 | +static char *default_host_files[] = { | ||
897 | + _PATH_HOST_RSA_KEY_FILE, | ||
898 | + _PATH_HOST_DSA_KEY_FILE, | ||
899 | + _PATH_HOST_KEY_FILE, | ||
900 | + NULL | ||
901 | +}; | ||
902 | +static char *default_files[] = { | ||
903 | + _PATH_SSH_CLIENT_ID_RSA, | ||
904 | + _PATH_SSH_CLIENT_ID_DSA, | ||
905 | + _PATH_SSH_CLIENT_IDENTITY, | ||
906 | + _PATH_SSH_USER_PERMITTED_KEYS, | ||
907 | + _PATH_SSH_USER_PERMITTED_KEYS2, | ||
908 | + NULL | ||
909 | +}; | ||
910 | + | ||
911 | +static int verbosity = 0; | ||
912 | + | ||
913 | +static int some_keys = 0; | ||
914 | +static int some_unknown = 0; | ||
915 | +static int some_compromised = 0; | ||
916 | + | ||
917 | +static void | ||
918 | +usage(void) | ||
919 | +{ | ||
920 | + fprintf(stderr, "usage: %s [-aqv] [file ...]\n", __progname); | ||
921 | + fprintf(stderr, "Options:\n"); | ||
922 | + fprintf(stderr, " -a Check keys of all users.\n"); | ||
923 | + fprintf(stderr, " -q Quiet mode.\n"); | ||
924 | + fprintf(stderr, " -v Verbose mode.\n"); | ||
925 | + exit(1); | ||
926 | +} | ||
927 | + | ||
928 | +void | ||
929 | +describe_key(const char *filename, u_long linenum, const char *msg, | ||
930 | + const Key *key, const char *comment, int min_verbosity) | ||
931 | +{ | ||
932 | + char *fp; | ||
933 | + | ||
934 | + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
935 | + if (verbosity >= min_verbosity) { | ||
936 | + if (strchr(filename, ':')) | ||
937 | + printf("\"%s\"", filename); | ||
938 | + else | ||
939 | + printf("%s", filename); | ||
940 | + printf(":%lu: %s: %s %u %s %s\n", linenum, msg, | ||
941 | + key_type(key), key_size(key), fp, comment); | ||
942 | + } | ||
943 | + xfree(fp); | ||
944 | +} | ||
945 | + | ||
946 | +int | ||
947 | +do_key(const char *filename, u_long linenum, | ||
948 | + const Key *key, const char *comment) | ||
949 | +{ | ||
950 | + Key *public; | ||
951 | + int blacklist_status; | ||
952 | + int ret = 1; | ||
953 | + | ||
954 | + some_keys = 1; | ||
955 | + | ||
956 | + public = key_demote(key); | ||
957 | + if (public->type == KEY_RSA1) | ||
958 | + public->type = KEY_RSA; | ||
959 | + | ||
960 | + blacklist_status = blacklisted_key(public, NULL); | ||
961 | + if (blacklist_status == -1) { | ||
962 | + describe_key(filename, linenum, | ||
963 | + "Unknown (blacklist file not installed)", key, comment, 0); | ||
964 | + some_unknown = 1; | ||
965 | + } else if (blacklist_status == 1) { | ||
966 | + describe_key(filename, linenum, | ||
967 | + "COMPROMISED", key, comment, 0); | ||
968 | + some_compromised = 1; | ||
969 | + ret = 0; | ||
970 | + } else | ||
971 | + describe_key(filename, linenum, | ||
972 | + "Not blacklisted", key, comment, 1); | ||
973 | + | ||
974 | + key_free(public); | ||
975 | + | ||
976 | + return ret; | ||
977 | +} | ||
978 | + | ||
979 | +int | ||
980 | +do_filename(const char *filename, int quiet_open) | ||
981 | +{ | ||
982 | + FILE *f; | ||
983 | + char line[SSH_MAX_PUBKEY_BYTES]; | ||
984 | + char *cp; | ||
985 | + u_long linenum = 0; | ||
986 | + Key *key; | ||
987 | + char *comment = NULL; | ||
988 | + int found = 0, ret = 1; | ||
989 | + | ||
990 | + /* Copy much of key_load_public's logic here so that we can read | ||
991 | + * several keys from a single file (e.g. authorized_keys). | ||
992 | + */ | ||
993 | + | ||
994 | + if (strcmp(filename, "-") != 0) { | ||
995 | + int save_errno; | ||
996 | + f = fopen(filename, "r"); | ||
997 | + save_errno = errno; | ||
998 | + if (!f) { | ||
999 | + char pubfile[MAXPATHLEN]; | ||
1000 | + if (strlcpy(pubfile, filename, sizeof pubfile) < | ||
1001 | + sizeof(pubfile) && | ||
1002 | + strlcat(pubfile, ".pub", sizeof pubfile) < | ||
1003 | + sizeof(pubfile)) | ||
1004 | + f = fopen(pubfile, "r"); | ||
1005 | + } | ||
1006 | + errno = save_errno; /* earlier errno is more useful */ | ||
1007 | + if (!f) { | ||
1008 | + if (!quiet_open) | ||
1009 | + perror(filename); | ||
1010 | + return -1; | ||
1011 | + } | ||
1012 | + if (verbosity > 0) | ||
1013 | + printf("# %s\n", filename); | ||
1014 | + } else | ||
1015 | + f = stdin; | ||
1016 | + while (read_keyfile_line(f, filename, line, sizeof(line), | ||
1017 | + &linenum) != -1) { | ||
1018 | + int i; | ||
1019 | + char *space; | ||
1020 | + int type; | ||
1021 | + char *end; | ||
1022 | + | ||
1023 | + /* Chop trailing newline. */ | ||
1024 | + i = strlen(line) - 1; | ||
1025 | + if (line[i] == '\n') | ||
1026 | + line[i] = '\0'; | ||
1027 | + | ||
1028 | + /* Skip leading whitespace, empty and comment lines. */ | ||
1029 | + for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | ||
1030 | + ; | ||
1031 | + if (!*cp || *cp == '\n' || *cp == '#') | ||
1032 | + continue; | ||
1033 | + | ||
1034 | + /* Cope with ssh-keyscan output and options in | ||
1035 | + * authorized_keys files. | ||
1036 | + */ | ||
1037 | + space = strchr(cp, ' '); | ||
1038 | + if (!space) | ||
1039 | + continue; | ||
1040 | + *space = '\0'; | ||
1041 | + type = key_type_from_name(cp); | ||
1042 | + *space = ' '; | ||
1043 | + /* Leading number (RSA1) or valid type (RSA/DSA) indicates | ||
1044 | + * that we have no host name or options to skip. | ||
1045 | + */ | ||
1046 | + if ((strtol(cp, &end, 10) == 0 || *end != ' ') && | ||
1047 | + type == KEY_UNSPEC) { | ||
1048 | + int quoted = 0; | ||
1049 | + | ||
1050 | + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { | ||
1051 | + if (*cp == '\\' && cp[1] == '"') | ||
1052 | + cp++; /* Skip both */ | ||
1053 | + else if (*cp == '"') | ||
1054 | + quoted = !quoted; | ||
1055 | + } | ||
1056 | + /* Skip remaining whitespace. */ | ||
1057 | + for (; *cp == ' ' || *cp == '\t'; cp++) | ||
1058 | + ; | ||
1059 | + if (!*cp) | ||
1060 | + continue; | ||
1061 | + } | ||
1062 | + | ||
1063 | + /* Read and process the key itself. */ | ||
1064 | + key = key_new(KEY_RSA1); | ||
1065 | + if (key_read(key, &cp) == 1) { | ||
1066 | + while (*cp == ' ' || *cp == '\t') | ||
1067 | + cp++; | ||
1068 | + if (!do_key(filename, linenum, | ||
1069 | + key, *cp ? cp : filename)) | ||
1070 | + ret = 0; | ||
1071 | + found = 1; | ||
1072 | + } else { | ||
1073 | + key_free(key); | ||
1074 | + key = key_new(KEY_UNSPEC); | ||
1075 | + if (key_read(key, &cp) == 1) { | ||
1076 | + while (*cp == ' ' || *cp == '\t') | ||
1077 | + cp++; | ||
1078 | + if (!do_key(filename, linenum, | ||
1079 | + key, *cp ? cp : filename)) | ||
1080 | + ret = 0; | ||
1081 | + found = 1; | ||
1082 | + } | ||
1083 | + } | ||
1084 | + key_free(key); | ||
1085 | + } | ||
1086 | + if (f != stdin) | ||
1087 | + fclose(f); | ||
1088 | + | ||
1089 | + if (!found && filename) { | ||
1090 | + key = key_load_public(filename, &comment); | ||
1091 | + if (key) { | ||
1092 | + if (!do_key(filename, 1, key, comment)) | ||
1093 | + ret = 0; | ||
1094 | + found = 1; | ||
1095 | + } | ||
1096 | + if (comment) | ||
1097 | + xfree(comment); | ||
1098 | + } | ||
1099 | + | ||
1100 | + return ret; | ||
1101 | +} | ||
1102 | + | ||
1103 | +int | ||
1104 | +do_host(int quiet_open) | ||
1105 | +{ | ||
1106 | + int i; | ||
1107 | + struct stat st; | ||
1108 | + int ret = 1; | ||
1109 | + | ||
1110 | + for (i = 0; default_host_files[i]; i++) { | ||
1111 | + if (stat(default_host_files[i], &st) < 0 && errno == ENOENT) | ||
1112 | + continue; | ||
1113 | + if (!do_filename(default_host_files[i], quiet_open)) | ||
1114 | + ret = 0; | ||
1115 | + } | ||
1116 | + | ||
1117 | + return ret; | ||
1118 | +} | ||
1119 | + | ||
1120 | +int | ||
1121 | +do_user(const char *dir) | ||
1122 | +{ | ||
1123 | + int i; | ||
1124 | + char *file; | ||
1125 | + struct stat st; | ||
1126 | + int ret = 1; | ||
1127 | + | ||
1128 | + for (i = 0; default_files[i]; i++) { | ||
1129 | + xasprintf(&file, "%s/%s", dir, default_files[i]); | ||
1130 | + if (stat(file, &st) < 0 && errno == ENOENT) { | ||
1131 | + xfree(file); | ||
1132 | + continue; | ||
1133 | + } | ||
1134 | + if (!do_filename(file, 0)) | ||
1135 | + ret = 0; | ||
1136 | + xfree(file); | ||
1137 | + } | ||
1138 | + | ||
1139 | + return ret; | ||
1140 | +} | ||
1141 | + | ||
1142 | +int | ||
1143 | +main(int argc, char **argv) | ||
1144 | +{ | ||
1145 | + int opt, all_users = 0; | ||
1146 | + int ret = 1; | ||
1147 | + extern int optind; | ||
1148 | + | ||
1149 | + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | ||
1150 | + sanitise_stdfd(); | ||
1151 | + | ||
1152 | + __progname = ssh_get_progname(argv[0]); | ||
1153 | + | ||
1154 | + SSLeay_add_all_algorithms(); | ||
1155 | + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | ||
1156 | + | ||
1157 | + /* We don't need the RNG ourselves, but symbol references here allow | ||
1158 | + * ld to link us properly. | ||
1159 | + */ | ||
1160 | + init_rng(); | ||
1161 | + seed_rng(); | ||
1162 | + | ||
1163 | + while ((opt = getopt(argc, argv, "ahqv")) != -1) { | ||
1164 | + switch (opt) { | ||
1165 | + case 'a': | ||
1166 | + all_users = 1; | ||
1167 | + break; | ||
1168 | + case 'q': | ||
1169 | + verbosity--; | ||
1170 | + break; | ||
1171 | + case 'v': | ||
1172 | + verbosity++; | ||
1173 | + break; | ||
1174 | + case 'h': | ||
1175 | + default: | ||
1176 | + usage(); | ||
1177 | + } | ||
1178 | + } | ||
1179 | + | ||
1180 | + if (all_users) { | ||
1181 | + struct passwd *pw; | ||
1182 | + | ||
1183 | + if (!do_host(0)) | ||
1184 | + ret = 0; | ||
1185 | + | ||
1186 | + while ((pw = getpwent()) != NULL) { | ||
1187 | + if (pw->pw_dir) { | ||
1188 | + temporarily_use_uid(pw); | ||
1189 | + if (!do_user(pw->pw_dir)) | ||
1190 | + ret = 0; | ||
1191 | + restore_uid(); | ||
1192 | + } | ||
1193 | + } | ||
1194 | + } else if (optind == argc) { | ||
1195 | + struct passwd *pw; | ||
1196 | + | ||
1197 | + if (!do_host(1)) | ||
1198 | + ret = 0; | ||
1199 | + | ||
1200 | + if ((pw = getpwuid(geteuid())) == NULL) | ||
1201 | + fprintf(stderr, "No user found with uid %u\n", | ||
1202 | + (u_int)geteuid()); | ||
1203 | + else { | ||
1204 | + if (!do_user(pw->pw_dir)) | ||
1205 | + ret = 0; | ||
1206 | + } | ||
1207 | + } else { | ||
1208 | + while (optind < argc) | ||
1209 | + if (!do_filename(argv[optind++], 0)) | ||
1210 | + ret = 0; | ||
1211 | + } | ||
1212 | + | ||
1213 | + if (verbosity >= 0) { | ||
1214 | + if (some_unknown) { | ||
1215 | + printf("#\n"); | ||
1216 | + printf("# The status of some keys on your system is unknown.\n"); | ||
1217 | + printf("# You may need to install additional blacklist files.\n"); | ||
1218 | + } | ||
1219 | + if (some_compromised) { | ||
1220 | + printf("#\n"); | ||
1221 | + printf("# Some keys on your system have been compromised!\n"); | ||
1222 | + printf("# You must replace them using ssh-keygen(1).\n"); | ||
1223 | + } | ||
1224 | + if (some_unknown || some_compromised) { | ||
1225 | + printf("#\n"); | ||
1226 | + printf("# See the ssh-vulnkey(1) manual page for further advice.\n"); | ||
1227 | + } else if (some_keys && verbosity > 0) { | ||
1228 | + printf("#\n"); | ||
1229 | + printf("# No blacklisted keys!\n"); | ||
1230 | + } | ||
1231 | + } | ||
1232 | + | ||
1233 | + return ret; | ||
1234 | +} | ||
1235 | Index: b/ssh.1 | ||
1236 | =================================================================== | ||
1237 | --- a/ssh.1 | ||
1238 | +++ b/ssh.1 | ||
1239 | @@ -1426,6 +1426,7 @@ | ||
1240 | .Xr ssh-agent 1 , | ||
1241 | .Xr ssh-keygen 1 , | ||
1242 | .Xr ssh-keyscan 1 , | ||
1243 | +.Xr ssh-vulnkey 1 , | ||
1244 | .Xr tun 4 , | ||
1245 | .Xr hosts.equiv 5 , | ||
1246 | .Xr ssh_config 5 , | ||
1247 | Index: b/ssh.c | ||
1248 | =================================================================== | ||
1249 | --- a/ssh.c | ||
1250 | +++ b/ssh.c | ||
1251 | @@ -1301,7 +1301,7 @@ | ||
1252 | static void | ||
1253 | load_public_identity_files(void) | ||
1254 | { | ||
1255 | - char *filename, *cp, thishost[NI_MAXHOST]; | ||
1256 | + char *filename, *cp, thishost[NI_MAXHOST], *fp; | ||
1257 | char *pwdir = NULL, *pwname = NULL; | ||
1258 | int i = 0; | ||
1259 | Key *public; | ||
1260 | @@ -1358,6 +1358,22 @@ | ||
1261 | public = key_load_public(filename, NULL); | ||
1262 | debug("identity file %s type %d", filename, | ||
1263 | public ? public->type : -1); | ||
1264 | + if (public && blacklisted_key(public, &fp) == 1) { | ||
1265 | + if (options.use_blacklisted_keys) | ||
1266 | + logit("Public key %s blacklisted (see " | ||
1267 | + "ssh-vulnkey(1)); continuing anyway", fp); | ||
1268 | + else | ||
1269 | + logit("Public key %s blacklisted (see " | ||
1270 | + "ssh-vulnkey(1)); refusing to send it", | ||
1271 | + fp); | ||
1272 | + xfree(fp); | ||
1273 | + if (!options.use_blacklisted_keys) { | ||
1274 | + key_free(public); | ||
1275 | + xfree(filename); | ||
1276 | + filename = NULL; | ||
1277 | + public = NULL; | ||
1278 | + } | ||
1279 | + } | ||
1280 | xfree(options.identity_files[i]); | ||
1281 | identity_files[n_ids] = filename; | ||
1282 | identity_keys[n_ids] = public; | ||
1283 | Index: b/ssh_config.5 | ||
1284 | =================================================================== | ||
1285 | --- a/ssh_config.5 | ||
1286 | +++ b/ssh_config.5 | ||
1287 | @@ -1051,6 +1051,23 @@ | ||
1288 | .Dq any . | ||
1289 | The default is | ||
1290 | .Dq any:any . | ||
1291 | +.It Cm UseBlacklistedKeys | ||
1292 | +Specifies whether | ||
1293 | +.Xr ssh 1 | ||
1294 | +should use keys recorded in its blacklist of known-compromised keys (see | ||
1295 | +.Xr ssh-vulnkey 1 ) | ||
1296 | +for authentication. | ||
1297 | +If | ||
1298 | +.Dq yes , | ||
1299 | +then attempts to use compromised keys for authentication will be logged but | ||
1300 | +accepted. | ||
1301 | +It is strongly recommended that this be used only to install new authorized | ||
1302 | +keys on the remote system, and even then only with the utmost care. | ||
1303 | +If | ||
1304 | +.Dq no , | ||
1305 | +then attempts to use compromised keys for authentication will be prevented. | ||
1306 | +The default is | ||
1307 | +.Dq no . | ||
1308 | .It Cm UsePrivilegedPort | ||
1309 | Specifies whether to use a privileged port for outgoing connections. | ||
1310 | The argument must be | ||
1311 | Index: b/sshconnect2.c | ||
1312 | =================================================================== | ||
1313 | --- a/sshconnect2.c | ||
1314 | +++ b/sshconnect2.c | ||
1315 | @@ -1418,6 +1418,8 @@ | ||
1316 | |||
1317 | /* list of keys stored in the filesystem */ | ||
1318 | for (i = 0; i < options.num_identity_files; i++) { | ||
1319 | + if (options.identity_files[i] == NULL) | ||
1320 | + continue; | ||
1321 | key = options.identity_keys[i]; | ||
1322 | if (key && key->type == KEY_RSA1) | ||
1323 | continue; | ||
1324 | @@ -1510,7 +1512,7 @@ | ||
1325 | if (id->key && id->key->type != KEY_RSA1) { | ||
1326 | debug("Offering public key: %s", id->filename); | ||
1327 | sent = send_pubkey_test(authctxt, id); | ||
1328 | - } else if (id->key == NULL) { | ||
1329 | + } else if (id->key == NULL && id->filename) { | ||
1330 | debug("Trying private key: %s", id->filename); | ||
1331 | id->key = load_identity_file(id->filename); | ||
1332 | if (id->key != NULL) { | ||
1333 | Index: b/sshd.8 | ||
1334 | =================================================================== | ||
1335 | --- a/sshd.8 | ||
1336 | +++ b/sshd.8 | ||
1337 | @@ -928,6 +928,7 @@ | ||
1338 | .Xr ssh-agent 1 , | ||
1339 | .Xr ssh-keygen 1 , | ||
1340 | .Xr ssh-keyscan 1 , | ||
1341 | +.Xr ssh-vulnkey 1 , | ||
1342 | .Xr chroot 2 , | ||
1343 | .Xr hosts_access 5 , | ||
1344 | .Xr login.conf 5 , | ||
1345 | Index: b/sshd.c | ||
1346 | =================================================================== | ||
1347 | --- a/sshd.c | ||
1348 | +++ b/sshd.c | ||
1349 | @@ -1564,6 +1564,11 @@ | ||
1350 | sensitive_data.host_keys[i] = NULL; | ||
1351 | continue; | ||
1352 | } | ||
1353 | + if (auth_key_is_revoked(key, 1)) { | ||
1354 | + key_free(key); | ||
1355 | + sensitive_data.host_keys[i] = NULL; | ||
1356 | + continue; | ||
1357 | + } | ||
1358 | switch (key->type) { | ||
1359 | case KEY_RSA1: | ||
1360 | sensitive_data.ssh1_host_key = key; | ||
1361 | Index: b/sshd_config.5 | ||
1362 | =================================================================== | ||
1363 | --- a/sshd_config.5 | ||
1364 | +++ b/sshd_config.5 | ||
1365 | @@ -694,6 +694,20 @@ | ||
1366 | Specifies whether password authentication is allowed. | ||
1367 | The default is | ||
1368 | .Dq yes . | ||
1369 | +.It Cm PermitBlacklistedKeys | ||
1370 | +Specifies whether | ||
1371 | +.Xr sshd 8 | ||
1372 | +should allow keys recorded in its blacklist of known-compromised keys (see | ||
1373 | +.Xr ssh-vulnkey 1 ) . | ||
1374 | +If | ||
1375 | +.Dq yes , | ||
1376 | +then attempts to authenticate with compromised keys will be logged but | ||
1377 | +accepted. | ||
1378 | +If | ||
1379 | +.Dq no , | ||
1380 | +then attempts to authenticate with compromised keys will be rejected. | ||
1381 | +The default is | ||
1382 | +.Dq no . | ||
1383 | .It Cm PermitEmptyPasswords | ||
1384 | When password authentication is allowed, it specifies whether the | ||
1385 | server allows login to accounts with empty password strings. | ||
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch new file mode 100644 index 000000000..7682c0761 --- /dev/null +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | Description: Partial server keep-alive implementation for SSH1 | ||
2 | Author: Colin Watson <cjwatson@debian.org> | ||
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 | ||
4 | Last-Update: 2010-02-27 | ||
5 | |||
6 | Index: b/clientloop.c | ||
7 | =================================================================== | ||
8 | --- a/clientloop.c | ||
9 | +++ b/clientloop.c | ||
10 | @@ -507,16 +507,21 @@ | ||
11 | static void | ||
12 | server_alive_check(void) | ||
13 | { | ||
14 | - if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | ||
15 | - logit("Timeout, server not responding."); | ||
16 | - cleanup_exit(255); | ||
17 | - } | ||
18 | - packet_start(SSH2_MSG_GLOBAL_REQUEST); | ||
19 | - packet_put_cstring("keepalive@openssh.com"); | ||
20 | - packet_put_char(1); /* boolean: want reply */ | ||
21 | - packet_send(); | ||
22 | - /* Insert an empty placeholder to maintain ordering */ | ||
23 | - client_register_global_confirm(NULL, NULL); | ||
24 | + if (compat20) { | ||
25 | + if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | ||
26 | + logit("Timeout, server not responding."); | ||
27 | + cleanup_exit(255); | ||
28 | + } | ||
29 | + packet_start(SSH2_MSG_GLOBAL_REQUEST); | ||
30 | + packet_put_cstring("keepalive@openssh.com"); | ||
31 | + packet_put_char(1); /* boolean: want reply */ | ||
32 | + packet_send(); | ||
33 | + /* Insert an empty placeholder to maintain ordering */ | ||
34 | + client_register_global_confirm(NULL, NULL); | ||
35 | + } else { | ||
36 | + packet_send_ignore(0); | ||
37 | + packet_send(); | ||
38 | + } | ||
39 | } | ||
40 | |||
41 | /* | ||
42 | @@ -574,7 +579,7 @@ | ||
43 | * event pending. | ||
44 | */ | ||
45 | |||
46 | - if (options.server_alive_interval == 0 || !compat20) | ||
47 | + if (options.server_alive_interval == 0) | ||
48 | tvp = NULL; | ||
49 | else { | ||
50 | tv.tv_sec = options.server_alive_interval; | ||
51 | Index: b/ssh_config.5 | ||
52 | =================================================================== | ||
53 | --- a/ssh_config.5 | ||
54 | +++ b/ssh_config.5 | ||
55 | @@ -952,7 +952,10 @@ | ||
56 | .Cm ServerAliveCountMax | ||
57 | is left at the default, if the server becomes unresponsive, | ||
58 | ssh will disconnect after approximately 45 seconds. | ||
59 | -This option applies to protocol version 2 only. | ||
60 | +This option applies to protocol version 2 only; in protocol version | ||
61 | +1 there is no mechanism to request a response from the server to the | ||
62 | +server alive messages, so disconnection is the responsibility of the TCP | ||
63 | +stack. | ||
64 | .It Cm ServerAliveInterval | ||
65 | Sets a timeout interval in seconds after which if no data has been received | ||
66 | from the server, | ||
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch new file mode 100644 index 000000000..2dc912b8e --- /dev/null +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | Description: "LogLevel SILENT" compatibility | ||
2 | "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to | ||
3 | match the behaviour of non-free SSH, in which -q does not suppress fatal | ||
4 | errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody | ||
5 | complained, so we've dropped most of it. The parts that remain are basic | ||
6 | configuration file compatibility, and an adjustment to "Pseudo-terminal | ||
7 | will not be allocated ..." which should be split out into a separate patch. | ||
8 | Author: Jonathan David Amery <jdamery@ysolde.ucam.org> | ||
9 | Author: Matthew Vernon <matthew@debian.org> | ||
10 | Author: Colin Watson <cjwatson@debian.org> | ||
11 | Last-Update: 2010-03-31 | ||
12 | |||
13 | Index: b/log.c | ||
14 | =================================================================== | ||
15 | --- a/log.c | ||
16 | +++ b/log.c | ||
17 | @@ -90,6 +90,7 @@ | ||
18 | LogLevel val; | ||
19 | } log_levels[] = | ||
20 | { | ||
21 | + { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */ | ||
22 | { "QUIET", SYSLOG_LEVEL_QUIET }, | ||
23 | { "FATAL", SYSLOG_LEVEL_FATAL }, | ||
24 | { "ERROR", SYSLOG_LEVEL_ERROR }, | ||
25 | Index: b/ssh.c | ||
26 | =================================================================== | ||
27 | --- a/ssh.c | ||
28 | +++ b/ssh.c | ||
29 | @@ -624,7 +624,7 @@ | ||
30 | tty_flag = 0; | ||
31 | /* Do not allocate a tty if stdin is not a tty. */ | ||
32 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { | ||
33 | - if (tty_flag) | ||
34 | + if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) | ||
35 | logit("Pseudo-terminal will not be allocated because " | ||
36 | "stdin is not a terminal."); | ||
37 | tty_flag = 0; | ||
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch new file mode 100644 index 000000000..4d7ebe566 --- /dev/null +++ b/debian/patches/user-group-modes.patch | |||
@@ -0,0 +1,84 @@ | |||
1 | Description: Allow harmless group-writability | ||
2 | Allow ~/.ssh/config to be group-writable, provided that the group in | ||
3 | question contains only the file's owner. Rejected upstream for IMO | ||
4 | incorrect reasons (e.g. a misunderstanding about the contents of | ||
5 | gr->gr_mem). Given that per-user groups and umask 002 are the default | ||
6 | setup in Debian (for good reasons - this makes operating in setgid | ||
7 | directories with other groups much easier), we need to permit this. | ||
8 | Author: Colin Watson <cjwatson@debian.org> | ||
9 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 | ||
10 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 | ||
11 | Last-Update: 2010-02-27 | ||
12 | |||
13 | Index: b/readconf.c | ||
14 | =================================================================== | ||
15 | --- a/readconf.c | ||
16 | +++ b/readconf.c | ||
17 | @@ -28,6 +28,8 @@ | ||
18 | #include <stdio.h> | ||
19 | #include <string.h> | ||
20 | #include <unistd.h> | ||
21 | +#include <pwd.h> | ||
22 | +#include <grp.h> | ||
23 | |||
24 | #include "xmalloc.h" | ||
25 | #include "ssh.h" | ||
26 | @@ -1000,11 +1002,30 @@ | ||
27 | |||
28 | if (checkperm) { | ||
29 | struct stat sb; | ||
30 | + int bad_modes = 0; | ||
31 | |||
32 | if (fstat(fileno(f), &sb) == -1) | ||
33 | fatal("fstat %s: %s", filename, strerror(errno)); | ||
34 | - if (((sb.st_uid != 0 && sb.st_uid != getuid()) || | ||
35 | - (sb.st_mode & 022) != 0)) | ||
36 | + if (sb.st_uid != 0 && sb.st_uid != getuid()) | ||
37 | + bad_modes = 1; | ||
38 | + if ((sb.st_mode & 020) != 0) { | ||
39 | + /* If the file is group-writable, the group in | ||
40 | + * question must have at most one member, namely the | ||
41 | + * file's owner. | ||
42 | + */ | ||
43 | + struct passwd *pw = getpwuid(sb.st_uid); | ||
44 | + struct group *gr = getgrgid(sb.st_gid); | ||
45 | + if (!pw || !gr) | ||
46 | + bad_modes = 1; | ||
47 | + else if (gr->gr_mem[0]) { | ||
48 | + if (strcmp(pw->pw_name, gr->gr_mem[0]) || | ||
49 | + gr->gr_mem[1]) | ||
50 | + bad_modes = 1; | ||
51 | + } | ||
52 | + } | ||
53 | + if ((sb.st_mode & 002) != 0) | ||
54 | + bad_modes = 1; | ||
55 | + if (bad_modes) | ||
56 | fatal("Bad owner or permissions on %s", filename); | ||
57 | } | ||
58 | |||
59 | Index: b/ssh.1 | ||
60 | =================================================================== | ||
61 | --- a/ssh.1 | ||
62 | +++ b/ssh.1 | ||
63 | @@ -1324,6 +1324,8 @@ | ||
64 | .Xr ssh_config 5 . | ||
65 | Because of the potential for abuse, this file must have strict permissions: | ||
66 | read/write for the user, and not accessible by others. | ||
67 | +It may be group-writable provided that the group in question contains only | ||
68 | +the user. | ||
69 | .Pp | ||
70 | .It ~/.ssh/environment | ||
71 | Contains additional definitions for environment variables; see | ||
72 | Index: b/ssh_config.5 | ||
73 | =================================================================== | ||
74 | --- a/ssh_config.5 | ||
75 | +++ b/ssh_config.5 | ||
76 | @@ -1204,6 +1204,8 @@ | ||
77 | This file is used by the SSH client. | ||
78 | Because of the potential for abuse, this file must have strict permissions: | ||
79 | read/write for the user, and not accessible by others. | ||
80 | +It may be group-writable provided that the group in question contains only | ||
81 | +the user. | ||
82 | .It Pa /etc/ssh/ssh_config | ||
83 | Systemwide configuration file. | ||
84 | This file provides defaults for those | ||
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 000000000..c619f3451 --- /dev/null +++ b/debian/po/POTFILES.in | |||
@@ -0,0 +1 @@ | |||
[type: gettext/rfc822deb] openssh-server.templates | |||
diff --git a/debian/po/bg.po b/debian/po/bg.po new file mode 100644 index 000000000..6b2bc0e8b --- /dev/null +++ b/debian/po/bg.po | |||
@@ -0,0 +1,193 @@ | |||
1 | # translation of bg.po to Bulgarian | ||
2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the PACKAGE package. | ||
4 | # | ||
5 | # Damyan Ivanov <dmn@debian.org>, 2007, 2008. | ||
6 | msgid "" | ||
7 | msgstr "" | ||
8 | "Project-Id-Version: openssh\n" | ||
9 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
10 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
11 | "PO-Revision-Date: 2008-05-19 09:27+0300\n" | ||
12 | "Last-Translator: Damyan Ivanov <dmn@debian.org>\n" | ||
13 | "Language-Team: Bulgarian <dict@fsa-bg.org>\n" | ||
14 | "MIME-Version: 1.0\n" | ||
15 | "Content-Type: text/plain; charset=UTF-8\n" | ||
16 | "Content-Transfer-Encoding: 8bit\n" | ||
17 | "X-Generator: KBabel 1.11.4\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "Да Ñе прекъÑнат ли текущите връзки по SSH?" | ||
24 | |||
25 | #. Type: boolean | ||
26 | #. Description | ||
27 | #: ../openssh-server.templates:1001 | ||
28 | msgid "" | ||
29 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
30 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
31 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
32 | msgstr "" | ||
33 | "Много е вероÑтно верÑиÑта на /etc/init.d/ssh, коÑто е инÑталирана в момента " | ||
34 | "да прекъÑне активните връзки. Ðко извършвате обновÑването отдалечено има " | ||
35 | "опаÑноÑÑ‚ връзката да Ñе разпадне и процеÑÑŠÑ‚ да не завърши нормално." | ||
36 | |||
37 | #. Type: boolean | ||
38 | #. Description | ||
39 | #: ../openssh-server.templates:1001 | ||
40 | msgid "" | ||
41 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
42 | "start-stop-daemon line in the stop section of the file." | ||
43 | msgstr "" | ||
44 | "Това може да бъде поправено ръчно Ñ Ð´Ð¾Ð±Ð°Ð²Ñнето на „--pidfile /var/run/sshd." | ||
45 | "pid“ към командата start-stop-daemon в раздела „stop“ на файла." | ||
46 | |||
47 | #. Type: note | ||
48 | #. Description | ||
49 | #: ../openssh-server.templates:2001 | ||
50 | msgid "New host key mandatory" | ||
51 | msgstr "Ðеобходим е нов ключ за хоÑта" | ||
52 | |||
53 | #. Type: note | ||
54 | #. Description | ||
55 | #: ../openssh-server.templates:2001 | ||
56 | msgid "" | ||
57 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
58 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
59 | "utility from the old (non-free) SSH installation does not appear to be " | ||
60 | "available." | ||
61 | msgstr "" | ||
62 | "Ð’ момента ключа на хоÑта в /etc/ssh/ssh_host_key е шифриран Ñ Ð°Ð»Ð³Ð¾Ñ€Ð¸Ñ‚ÑŠÐ¼Ð° " | ||
63 | "IDEA. OpenSSH не може да работи Ñ Ñ‚Ð¾Ð·Ð¸ файл, а програмата ssh-keygen от " | ||
64 | "Ñтарата инÑÑ‚Ð°Ð»Ð°Ñ†Ð¸Ñ Ð½Ðµ е налична." | ||
65 | |||
66 | #. Type: note | ||
67 | #. Description | ||
68 | #: ../openssh-server.templates:2001 | ||
69 | msgid "You need to manually generate a new host key." | ||
70 | msgstr "Ðеобходимо е да Ñе генерира ръчно нов ключ за хоÑта." | ||
71 | |||
72 | #. Type: boolean | ||
73 | #. Description | ||
74 | #: ../openssh-server.templates:3001 | ||
75 | msgid "Disable challenge-response authentication?" | ||
76 | msgstr "Забрана на удоÑтоверÑването challenge-response?" | ||
77 | |||
78 | #. Type: boolean | ||
79 | #. Description | ||
80 | #: ../openssh-server.templates:3001 | ||
81 | msgid "" | ||
82 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
83 | "configuration. In order to prevent users from logging in using passwords " | ||
84 | "(perhaps using only public key authentication instead) with recent versions " | ||
85 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
86 | "ensure that your PAM configuration does not allow Unix password file " | ||
87 | "authentication." | ||
88 | msgstr "" | ||
89 | "Изглежда че удоÑтоверÑването Ñ Ð¿Ð°Ñ€Ð¾Ð»Ð° е забранено в наÑтройката на OpenSSH " | ||
90 | "Ñървъра. За пълна забрана на използването на пароли за удоÑтоверÑване " | ||
91 | "(вероÑтно оÑтавÑйки Ñамо удоÑтоверÑването Ñ Ð¿ÑƒÐ±Ð»Ð¸Ñ‡ÐµÐ½ ключ) е необходимо да " | ||
92 | "бъде забранено удоÑтоверÑването „challenge-response“. Ð’ противен Ñлучай е " | ||
93 | "нужно да Ñе наÑтрои PAM да не позволÑва удоÑтоверÑване чрез файловете Ñ " | ||
94 | "пароли Ñтил Unix." | ||
95 | |||
96 | #. Type: boolean | ||
97 | #. Description | ||
98 | #: ../openssh-server.templates:3001 | ||
99 | msgid "" | ||
100 | "If you disable challenge-response authentication, then users will not be " | ||
101 | "able to log in using passwords. If you leave it enabled (the default " | ||
102 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
103 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
104 | msgstr "" | ||
105 | "Ðко удоÑтоверÑването chalenge-response е забрането, потребителите нÑма да " | ||
106 | "могат да използват пароли за удоÑтоверÑване. Ðко е разрешено (по " | ||
107 | "подразбиране), наÑтройката 'PasswordAuthentication no' нÑма да има ефект, " | ||
108 | "оÑвен ако не промените наÑтройките за PAM в /etc/pam.d/ssh." | ||
109 | |||
110 | #. Type: note | ||
111 | #. Description | ||
112 | #: ../openssh-server.templates:4001 | ||
113 | msgid "Vulnerable host keys will be regenerated" | ||
114 | msgstr "УÑзвимите ключове на хоÑта ще бъдат Ñъздадени наново" | ||
115 | |||
116 | #. Type: note | ||
117 | #. Description | ||
118 | #: ../openssh-server.templates:4001 | ||
119 | msgid "" | ||
120 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
121 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
122 | "these host keys are from a well-known set, are subject to brute-force " | ||
123 | "attacks, and must be regenerated." | ||
124 | msgstr "" | ||
125 | "ÐÑкои от ключовете за уÑлугата OpenSSH на хоÑта Ñа Ñъздадени Ñ Ð²ÐµÑ€ÑÐ¸Ñ Ð½Ð° " | ||
126 | "OpenSSL, коÑто използва повреден генератор на Ñлучайни чиÑла. Тези ключове " | ||
127 | "Ñа широко извеÑтни, уÑзвими Ñа към атаки и Ñ‚Ñ€Ñбва да бъдат Ñменени." | ||
128 | |||
129 | #. Type: note | ||
130 | #. Description | ||
131 | #: ../openssh-server.templates:4001 | ||
132 | msgid "" | ||
133 | "Users of this system should be informed of this change, as they will be " | ||
134 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
135 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
136 | "the new host keys." | ||
137 | msgstr "" | ||
138 | "Потребителите на ÑиÑтемата Ñ‚Ñ€Ñбва да бъдат извеÑтени за промÑната, понеже " | ||
139 | "при ÑледващиÑÑ‚ им опит за връзка чрез SSH ще получат предупреждение за " | ||
140 | "промÑна в ключовете на хоÑта. За да получите отпечатъците на новите ключове " | ||
141 | "използвайте „ssh-keygen -l -f файл-Ñ-ключ“." | ||
142 | |||
143 | #. Type: note | ||
144 | #. Description | ||
145 | #: ../openssh-server.templates:4001 | ||
146 | msgid "The affected host keys are:" | ||
147 | msgstr "ЗаÑегнатите ключове на хоÑта Ñа:" | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "" | ||
153 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
154 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
155 | "README.compromised-keys.gz for more details." | ||
156 | msgstr "" | ||
157 | "Възможно е потребителÑките ключове Ñъщо да Ñа заÑегнати от проблема. Можете " | ||
158 | "да използвате програмата „ssh-vulnkey“ за да ги проверите. За повече " | ||
159 | "Ð¸Ð½Ñ„Ð¾Ñ€Ð¼Ð°Ñ†Ð¸Ñ Ð¿Ð¾Ð³Ð»ÐµÐ´Ð½ÐµÑ‚Ðµ /usr/share/doc/openssh-server/README.compromised-keys." | ||
160 | "gz." | ||
161 | |||
162 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
163 | #~ msgstr "Създаване на нов файл Ñ Ð½Ð°Ñтройки за OpenSSH?" | ||
164 | |||
165 | #~ msgid "" | ||
166 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
167 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
168 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
169 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
170 | #~ "will not contain any customizations you made with the old version." | ||
171 | #~ msgstr "" | ||
172 | #~ "Файлът Ñ Ð½Ð°Ñтройки в тази верÑÐ¸Ñ Ð½Ð° OpenSSH е Ñилно променен в Ñравнение " | ||
173 | #~ "Ñ Ð²ÐµÑ€ÑиÑта в Debian 'Potato', коÑто изглежда Ñе обновÑва. Може да бъде " | ||
174 | #~ "Ñъздаден нов файл Ñ Ð½Ð°Ñтройки (/etc/ssh/sshd.config), който ще работи Ñ " | ||
175 | #~ "новата верÑиÑ, но нÑма да Ñъдържа евентуални промени от ÑÑ‚Ð°Ñ€Ð¸Ñ Ñ„Ð°Ð¹Ð»." | ||
176 | |||
177 | #~ msgid "" | ||
178 | #~ "Please note that this new configuration file will set the value of " | ||
179 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
180 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
181 | #~ "details about this design choice." | ||
182 | #~ msgstr "" | ||
183 | #~ "ÐовиÑÑ‚ файл ще Ñъдържа 'PermitRootLogin yes' (разрешавайки отдалечен " | ||
184 | #~ "доÑтъп през ssh за админиÑÑ‚Ñ€Ð°Ñ‚Ð¸Ð²Ð½Ð¸Ñ Ð¿Ð¾Ñ‚Ñ€ÐµÐ±Ð¸Ñ‚ÐµÐ» root). ПодробноÑти за " | ||
185 | #~ "причините за тази наÑтройка има във файла README.Debian." | ||
186 | |||
187 | #~ msgid "" | ||
188 | #~ "It is strongly recommended that you choose to generate a new " | ||
189 | #~ "configuration file now." | ||
190 | #~ msgstr "Препоръчва Ñе да изберете Ñъздаването на нов файл Ñ Ð½Ð°Ñтройки." | ||
191 | |||
192 | #~ msgid "${HOST_KEYS}" | ||
193 | #~ msgstr "${HOST_KEYS}" | ||
diff --git a/debian/po/ca.po b/debian/po/ca.po new file mode 100644 index 000000000..04bcdea8f --- /dev/null +++ b/debian/po/ca.po | |||
@@ -0,0 +1,352 @@ | |||
1 | # | ||
2 | # Catalan translation for openssh package. | ||
3 | # Copyright (C) 2007 Matthew Vernon. | ||
4 | # This file is distributed under the same license as the openssh package. | ||
5 | # | ||
6 | # Aleix Badia i Bosch <abadia@ica.es>, 2004 | ||
7 | # Jordà Polo <jorda@ettin.org>, 2007. | ||
8 | # | ||
9 | msgid "" | ||
10 | msgstr "" | ||
11 | "Project-Id-Version: 1:4.6p1-2\n" | ||
12 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
13 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
14 | "PO-Revision-Date: 2007-06-30 01:13+0200\n" | ||
15 | "Last-Translator: Jordà Polo <jorda@ettin.org>\n" | ||
16 | "Language-Team: Català <debian-l10n-catalan@lists.debian.org>\n" | ||
17 | "MIME-Version: 1.0\n" | ||
18 | "Content-Type: text/plain; charset=UTF-8\n" | ||
19 | "Content-Transfer-Encoding: 8bit\n" | ||
20 | |||
21 | #. Type: boolean | ||
22 | #. Description | ||
23 | #: ../openssh-server.templates:1001 | ||
24 | msgid "Do you want to risk killing active SSH sessions?" | ||
25 | msgstr "Voleu arriscar-vos a aturar les sessions SSH actives?" | ||
26 | |||
27 | #. Type: boolean | ||
28 | #. Description | ||
29 | #: ../openssh-server.templates:1001 | ||
30 | msgid "" | ||
31 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
32 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
33 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
34 | msgstr "" | ||
35 | "És possible que la versió de «/etc/init.d/ssh» que teniu instal·lada " | ||
36 | "actualment aturi les instà ncies de l'sshd que s'estan executant. Si esteu " | ||
37 | "actualitzant des d'una sessió SSH, és possible que es talli la connexió i " | ||
38 | "quedi el procés d'actualització a mitges." | ||
39 | |||
40 | #. Type: boolean | ||
41 | #. Description | ||
42 | #: ../openssh-server.templates:1001 | ||
43 | msgid "" | ||
44 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
45 | "start-stop-daemon line in the stop section of the file." | ||
46 | msgstr "" | ||
47 | "Ho podeu arreglar afegint «--pidfile /var/run/sshd.pid» a la lÃnia «start-stop-" | ||
48 | "daemon» de la secció «stop» del mateix fitxer." | ||
49 | |||
50 | #. Type: note | ||
51 | #. Description | ||
52 | #: ../openssh-server.templates:2001 | ||
53 | msgid "New host key mandatory" | ||
54 | msgstr "Nova clau obligatòria" | ||
55 | |||
56 | #. Type: note | ||
57 | #. Description | ||
58 | #: ../openssh-server.templates:2001 | ||
59 | msgid "" | ||
60 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
61 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
62 | "utility from the old (non-free) SSH installation does not appear to be " | ||
63 | "available." | ||
64 | msgstr "" | ||
65 | "L'actual clau de la mà quina, a /etc/ssh/ssh_host_key, està xifrada amb " | ||
66 | "l'algorisme IDEA. OpenSSH no pot gestionar aquest fitxer de clau, i no es " | ||
67 | "pot trobar l'eina ssh-keygen de la instal·lació d'SSH anterior (non-free)." | ||
68 | |||
69 | #. Type: note | ||
70 | #. Description | ||
71 | #: ../openssh-server.templates:2001 | ||
72 | msgid "You need to manually generate a new host key." | ||
73 | msgstr "Haureu de generar manualment una nova clau per a la mà quina." | ||
74 | |||
75 | #. Type: boolean | ||
76 | #. Description | ||
77 | #: ../openssh-server.templates:3001 | ||
78 | msgid "Disable challenge-response authentication?" | ||
79 | msgstr "Voleu desactivar l'autenticació «challenge-response»?" | ||
80 | |||
81 | #. Type: boolean | ||
82 | #. Description | ||
83 | #: ../openssh-server.templates:3001 | ||
84 | msgid "" | ||
85 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
86 | "configuration. In order to prevent users from logging in using passwords " | ||
87 | "(perhaps using only public key authentication instead) with recent versions " | ||
88 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
89 | "ensure that your PAM configuration does not allow Unix password file " | ||
90 | "authentication." | ||
91 | msgstr "" | ||
92 | "Sembla que l'autenticació per contrasenya està desactivada en l'actual " | ||
93 | "configuració del servidor OpenSSH. Per tal d'evitar que els usuaris entrin " | ||
94 | "al sistema utilitzant contrasenyes (i utilitzin només autenticació basada en " | ||
95 | "clau pública), en les darreres versions d'OpenSSH heu de desactivar " | ||
96 | "l'autenticació «challenge-response», o altrament assegurar-vos que la " | ||
97 | "configuració de PAM no permet autenticar mitjançant el fitxer de " | ||
98 | "contrasenyes de Unix." | ||
99 | |||
100 | #. Type: boolean | ||
101 | #. Description | ||
102 | #: ../openssh-server.templates:3001 | ||
103 | msgid "" | ||
104 | "If you disable challenge-response authentication, then users will not be " | ||
105 | "able to log in using passwords. If you leave it enabled (the default " | ||
106 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
107 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
108 | msgstr "" | ||
109 | "Si desactiveu l'autenticació «challenge-response», aleshores els usuaris no " | ||
110 | "podran entrar utilitzant contrasenyes. Si la deixeu activada (que és l'opció " | ||
111 | "predeterminada), aleshores «PasswordAuthentication no» no tindrà cap valor a " | ||
112 | "menys que ajusteu la configuració de PAM a /etc/pam.d/ssh." | ||
113 | |||
114 | #. Type: note | ||
115 | #. Description | ||
116 | #: ../openssh-server.templates:4001 | ||
117 | msgid "Vulnerable host keys will be regenerated" | ||
118 | msgstr "" | ||
119 | |||
120 | #. Type: note | ||
121 | #. Description | ||
122 | #: ../openssh-server.templates:4001 | ||
123 | msgid "" | ||
124 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
125 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
126 | "these host keys are from a well-known set, are subject to brute-force " | ||
127 | "attacks, and must be regenerated." | ||
128 | msgstr "" | ||
129 | |||
130 | #. Type: note | ||
131 | #. Description | ||
132 | #: ../openssh-server.templates:4001 | ||
133 | msgid "" | ||
134 | "Users of this system should be informed of this change, as they will be " | ||
135 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
136 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
137 | "the new host keys." | ||
138 | msgstr "" | ||
139 | |||
140 | #. Type: note | ||
141 | #. Description | ||
142 | #: ../openssh-server.templates:4001 | ||
143 | msgid "The affected host keys are:" | ||
144 | msgstr "" | ||
145 | |||
146 | #. Type: note | ||
147 | #. Description | ||
148 | #: ../openssh-server.templates:4001 | ||
149 | msgid "" | ||
150 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
151 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
152 | "README.compromised-keys.gz for more details." | ||
153 | msgstr "" | ||
154 | |||
155 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
156 | #~ msgstr "Voleu generar un nou fitxer de configuració per a l'OpenSSH?" | ||
157 | |||
158 | #~ msgid "" | ||
159 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
160 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
161 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
162 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
163 | #~ "will not contain any customizations you made with the old version." | ||
164 | #~ msgstr "" | ||
165 | #~ "Els fitxers de configuració de l'OpenSSH s'han modificat considerablement " | ||
166 | #~ "respecte als de Debian «Potato», versió des de la qual sembla que esteu " | ||
167 | #~ "actualitzant. Aquest paquet pot generar ara un nou fitxer de configuració " | ||
168 | #~ "(/etc/sshd/sshd.config), que funcionarà amb la nova versió del servidor " | ||
169 | #~ "però no contindrà els parà metres de configuració personalitzats de la " | ||
170 | #~ "versió anterior." | ||
171 | |||
172 | #~ msgid "" | ||
173 | #~ "Please note that this new configuration file will set the value of " | ||
174 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
175 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
176 | #~ "details about this design choice." | ||
177 | #~ msgstr "" | ||
178 | #~ "Tingueu en compte que el nou fitxer de configuració establirà el valor de " | ||
179 | #~ "«PermitRootLogin» a «yes» (és a dir, qualsevol que conegui la contrasenya " | ||
180 | #~ "de root podrà connectar-se directament mitjançant ssh). Si us plau, " | ||
181 | #~ "llegiu el fitxer README.Debian per a més detalls sobre aquesta opció." | ||
182 | |||
183 | #~ msgid "" | ||
184 | #~ "It is strongly recommended that you choose to generate a new " | ||
185 | #~ "configuration file now." | ||
186 | #~ msgstr "" | ||
187 | #~ "És molt recomanable que trieu generar el nou fitxer de configuració ara." | ||
188 | |||
189 | #~ msgid "Warning: you must create a new host key" | ||
190 | #~ msgstr "AvÃs: heu de crear una nova clau del servidor central" | ||
191 | |||
192 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
193 | #~ msgstr "" | ||
194 | #~ "AvÃs: el telnetd està instal·lat --- probablement no sigui una bona idea" | ||
195 | |||
196 | #~ msgid "" | ||
197 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
198 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
199 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
200 | #~ "unencrypted login/password and session information over the network." | ||
201 | #~ msgstr "" | ||
202 | #~ "Es aconsellable suprimir el paquet telnetd (si no heu d'oferir accés a " | ||
203 | #~ "telnet) o torneu a instal·lar el paquet telnetd-ssl si més no per " | ||
204 | #~ "assegurar que les sessions de telnet no enviaran les informació del nom " | ||
205 | #~ "d'usuari i contrasenya sense xifrar a través de la xarxa." | ||
206 | |||
207 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
208 | #~ msgstr "" | ||
209 | #~ "AvÃs: el servidor rsh-server està instal·lat --- probablement no sigui " | ||
210 | #~ "una bona idea" | ||
211 | |||
212 | #~ msgid "" | ||
213 | #~ "having rsh-server installed undermines the security that you were " | ||
214 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
215 | #~ "that package." | ||
216 | #~ msgstr "" | ||
217 | #~ "si teniu instal·lat l'rsh-server perdreu la seguretat que esperà veu " | ||
218 | #~ "obtenir instal·lant l'ssh. És aconsellable suprimir el paquet." | ||
219 | |||
220 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
221 | #~ msgstr "Voleu que el fitxer ssh-keysign s'instal·li SUID root?" | ||
222 | |||
223 | #~ msgid "" | ||
224 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
225 | #~ "bit set." | ||
226 | #~ msgstr "Podeu instal·lar l'ajudant del ssh-keysign amb el bit SUID definit." | ||
227 | |||
228 | #~ msgid "" | ||
229 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
230 | #~ "host-based authentication." | ||
231 | #~ msgstr "" | ||
232 | #~ "Si definiu l'ssh-keysign SUID podreu utilitzat l'autenticació basada en " | ||
233 | #~ "l'ordinador central del Protocol 2 de l'SSH." | ||
234 | |||
235 | #~ msgid "" | ||
236 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
237 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
238 | #~ msgstr "" | ||
239 | #~ "Si dubteu instal·leu-lo amb el SUID. Si us causa algun problema ho podeu " | ||
240 | #~ "modificar posteriorment executant l'ordre: dpkg-reconfigure ssh" | ||
241 | |||
242 | #~ msgid "Allow SSH protocol 2 only" | ||
243 | #~ msgstr "Permet únicament la versió 2 del protocol d'SSH" | ||
244 | |||
245 | #~ msgid "" | ||
246 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
247 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
248 | #~ "things down on low end machines and might prevent older clients from " | ||
249 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
250 | #~ msgstr "" | ||
251 | #~ "Aquesta versió de l'OpenSSH suporta la versió 2 del protocol d'ssh, " | ||
252 | #~ "aquesta versió és molt més segura. És recomanable inhabilitar la versió 1 " | ||
253 | #~ "del protocol, tot i que això alentirà el funcionament dels ordinadors més " | ||
254 | #~ "antics i no permetrà les connexions als clients antics (afectarà al " | ||
255 | #~ "client proporcionat per la \"potato\")." | ||
256 | |||
257 | #~ msgid "" | ||
258 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
259 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
260 | #~ msgstr "" | ||
261 | #~ "Recordeu que les claus que utilitza la versió 1 del protocol són " | ||
262 | #~ "diferents i no les podreu utilitzar si habiliteu únicament les connexions " | ||
263 | #~ "de la versió 2 del protocol." | ||
264 | |||
265 | #~ msgid "" | ||
266 | #~ "If you later change your mind about this setting, README.Debian has " | ||
267 | #~ "instructions on what to do to your sshd_config file." | ||
268 | #~ msgstr "" | ||
269 | #~ "Si posteriorment canvieu d'opinió respecte a la configuració, podeu " | ||
270 | #~ "trobar les instruccions per modificar el fitxer sshd_config a README." | ||
271 | #~ "Debian." | ||
272 | |||
273 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
274 | #~ msgstr "" | ||
275 | #~ "Nota: les opcions de reenviament de les X11 i autorització estan " | ||
276 | #~ "inhabilitades per defecte." | ||
277 | |||
278 | #~ msgid "" | ||
279 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
280 | #~ "ForwardAgent set to ``off'' by default." | ||
281 | #~ msgstr "" | ||
282 | #~ "Per raons de seguretat i de forma predeterminada la versió d'ssh de " | ||
283 | #~ "Debian té les opcions ForwardX11 i ForwardAgent definides a \"off\"." | ||
284 | |||
285 | #~ msgid "" | ||
286 | #~ "You can enable it for servers you trust, either in one of the " | ||
287 | #~ "configuration files, or with the -X command line option." | ||
288 | #~ msgstr "" | ||
289 | #~ "Ho podeu habilitar pels servidors de confiança, ja sigui en un dels " | ||
290 | #~ "fitxers de configuració o a través de l'opció de la lÃnia d'ordre -X." | ||
291 | |||
292 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
293 | #~ msgstr "" | ||
294 | #~ "Podeu trobar més informació al fitxer /usr/share/doc/ssh/README.Debian" | ||
295 | |||
296 | #~ msgid "ssh2 keys merged in configuration files" | ||
297 | #~ msgstr "S'han combinat les claus de l'ssh2 als fitxers de configuració" | ||
298 | |||
299 | #~ msgid "" | ||
300 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
301 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
302 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
303 | #~ "compatibility" | ||
304 | #~ msgstr "" | ||
305 | #~ "Des de la versió 3 de l'OpenSSH ja no s'utilitzaran fitxers separats per " | ||
306 | #~ "les claus de l'ssh1 i ssg2. Ja no caldran els fitxer authorized_keys2 i " | ||
307 | #~ "known_hosts2. Es continuaran llegint per mantenir la compatibilitat amb " | ||
308 | #~ "les versions anteriors." | ||
309 | |||
310 | #~ msgid "Do you want to run the sshd server?" | ||
311 | #~ msgstr "Voleu executar el servidor d'sshd?" | ||
312 | |||
313 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
314 | #~ msgstr "El paquet conté el client i el servidor d'ssh." | ||
315 | |||
316 | #~ msgid "" | ||
317 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
318 | #~ "via ssh." | ||
319 | #~ msgstr "" | ||
320 | #~ "L'sshd (servidor de l'intèrpret d'ordres segur) s'executarà , normalment, " | ||
321 | #~ "per permetre l'entrada remota a través de l'ssh." | ||
322 | |||
323 | #~ msgid "" | ||
324 | #~ "If you are only interested in using the ssh client for outbound " | ||
325 | #~ "connections on this machine, and don't want to log into it at all using " | ||
326 | #~ "ssh, then you can disable sshd here." | ||
327 | #~ msgstr "" | ||
328 | #~ "Podeu inhabilitar l'sshd si voleu utilitzar el client d'ssh únicament per " | ||
329 | #~ "connexions a l'exterior i no per acceptar connexions remotes." | ||
330 | |||
331 | #~ msgid "Environment options on keys have been deprecated" | ||
332 | #~ msgstr "S'ha prohibit les opcions d'entorn a les claus." | ||
333 | |||
334 | #~ msgid "" | ||
335 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
336 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
337 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
338 | #~ "keys in question will no longer work until the option is removed." | ||
339 | #~ msgstr "" | ||
340 | #~ "L'OpenSSH inhabilita, per defecte i per evitar diversos atacs (per " | ||
341 | #~ "exemple LD_PRELOAD), les opcions d'entorn per les claus públiques. Si " | ||
342 | #~ "utilitzeu aquesta opció al fitxer authorized_keys recordeu que les claus " | ||
343 | #~ "de la qüestió no funcionaran fins que no se suprimeixi l'opció." | ||
344 | |||
345 | #~ msgid "" | ||
346 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
347 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
348 | #~ "the sshd_config(5) manual page." | ||
349 | #~ msgstr "" | ||
350 | #~ "Per tornar a habilitar l'opció definiu \"PermitUserEnvironment yes\" al " | ||
351 | #~ "fitxer /etc/ssh/sshd_config al finalitzar l'actualització (recordeu la " | ||
352 | #~ "nota d'avÃs de la pà gina del manual sshd_config(5)). " | ||
diff --git a/debian/po/cs.po b/debian/po/cs.po new file mode 100644 index 000000000..5e023da5f --- /dev/null +++ b/debian/po/cs.po | |||
@@ -0,0 +1,357 @@ | |||
1 | # | ||
2 | # Translators, if you are not familiar with the PO format, gettext | ||
3 | # documentation is worth reading, especially sections dedicated to | ||
4 | # this format, e.g. by running: | ||
5 | # info -n '(gettext)PO Files' | ||
6 | # info -n '(gettext)Header Entry' | ||
7 | # | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
11 | # | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | msgid "" | ||
15 | msgstr "" | ||
16 | "Project-Id-Version: openssh\n" | ||
17 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
18 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
19 | "PO-Revision-Date: 2008-05-17 14:49+0200\n" | ||
20 | "Last-Translator: Miroslav Kure <kurem@debian.cz>\n" | ||
21 | "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n" | ||
22 | "MIME-Version: 1.0\n" | ||
23 | "Content-Type: text/plain; charset=UTF-8\n" | ||
24 | "Content-Transfer-Encoding: 8bit\n" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | msgid "Do you want to risk killing active SSH sessions?" | ||
30 | msgstr "Chcete riskovat ukonÄenà aktivnÃch SSH spojenÃ?" | ||
31 | |||
32 | #. Type: boolean | ||
33 | #. Description | ||
34 | #: ../openssh-server.templates:1001 | ||
35 | msgid "" | ||
36 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
37 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
38 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
39 | msgstr "" | ||
40 | "StávajÃcà verze /etc/init.d/ssh pravdÄ›podobnÄ› pozabÃjà vÅ¡echny běžÃcà " | ||
41 | "instance sshd. Pokud tuto aktualizaci provádÃte pÅ™es SSH, budete nejspÃÅ¡e " | ||
42 | "odpojeni a aktualizace skonÄà na půli cesty." | ||
43 | |||
44 | #. Type: boolean | ||
45 | #. Description | ||
46 | #: ../openssh-server.templates:1001 | ||
47 | msgid "" | ||
48 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
49 | "start-stop-daemon line in the stop section of the file." | ||
50 | msgstr "" | ||
51 | "Můžete to spravit ruÄnÃm pÅ™idánÃm „--pidfile /var/run/sshd.pid“ na řádek " | ||
52 | "start-stop-daemon v sekci stop." | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "New host key mandatory" | ||
58 | msgstr "Nutný nový serverový klÃÄ" | ||
59 | |||
60 | #. Type: note | ||
61 | #. Description | ||
62 | #: ../openssh-server.templates:2001 | ||
63 | msgid "" | ||
64 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
65 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
66 | "utility from the old (non-free) SSH installation does not appear to be " | ||
67 | "available." | ||
68 | msgstr "" | ||
69 | "Aktuálnà serverový klÃÄ v /etc/ssh/ssh_host_key je Å¡ifrovaný algoritmem " | ||
70 | "IDEA. OpenSSH neumà tento soubor zpracovat a zdá se, že utilita ssh-keygen " | ||
71 | "ze staré (nesvobodné) instalace SSH nenà k dispozici." | ||
72 | |||
73 | #. Type: note | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:2001 | ||
76 | msgid "You need to manually generate a new host key." | ||
77 | msgstr "MusÃte ruÄnÄ› vygenerovat nový serverový klÃÄ" | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "Disable challenge-response authentication?" | ||
83 | msgstr "Zakázat autentizaci challenge-response?" | ||
84 | |||
85 | #. Type: boolean | ||
86 | #. Description | ||
87 | #: ../openssh-server.templates:3001 | ||
88 | msgid "" | ||
89 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
90 | "configuration. In order to prevent users from logging in using passwords " | ||
91 | "(perhaps using only public key authentication instead) with recent versions " | ||
92 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
93 | "ensure that your PAM configuration does not allow Unix password file " | ||
94 | "authentication." | ||
95 | msgstr "" | ||
96 | "Zdá se, že autentizace pomocà hesel je ve vaÅ¡Ã stávajÃcà konfiguraci OpenSSH " | ||
97 | "serveru zakázána. Abyste zabránili uživatelům v přihlášenà pouze pomocà " | ||
98 | "hesla, musÃte v poslednÃch verzÃch OpenSSH zakázat autentizaci challenge-" | ||
99 | "response, nebo jinak zajistit, aby PAM nepovolilo autentizaci vůÄi unixovému " | ||
100 | "souboru hesel." | ||
101 | |||
102 | #. Type: boolean | ||
103 | #. Description | ||
104 | #: ../openssh-server.templates:3001 | ||
105 | msgid "" | ||
106 | "If you disable challenge-response authentication, then users will not be " | ||
107 | "able to log in using passwords. If you leave it enabled (the default " | ||
108 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
109 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
110 | msgstr "" | ||
111 | "Zakážete-li autentizaci challenge-response, uživatelé se nebudou moci " | ||
112 | "pÅ™ihlásit pomocà hesel. Necháte-li ji povolenu (pÅ™ednastavená odpovÄ›Ä), pak " | ||
113 | "nebude mÃt volba „PasswordAuthentication no“ žádný efekt, pokud ovÅ¡em " | ||
114 | "neupravÃte nastavenà PAM v /etc/pam.d/ssh." | ||
115 | |||
116 | #. Type: note | ||
117 | #. Description | ||
118 | #: ../openssh-server.templates:4001 | ||
119 | msgid "Vulnerable host keys will be regenerated" | ||
120 | msgstr "Zranitelné serverové klÃÄe budou pÅ™egenerovány" | ||
121 | |||
122 | #. Type: note | ||
123 | #. Description | ||
124 | #: ../openssh-server.templates:4001 | ||
125 | msgid "" | ||
126 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
127 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
128 | "these host keys are from a well-known set, are subject to brute-force " | ||
129 | "attacks, and must be regenerated." | ||
130 | msgstr "" | ||
131 | "NÄ›které serverové klÃÄe OpenSSH na tomto systému byly vytvoÅ™eny verzà " | ||
132 | "OpenSSL, která mÄ›la naruÅ¡ený generátor náhodných ÄÃsel. Ve výsledku jsou " | ||
133 | "tyto dobÅ™e známé klÃÄe pÅ™edmÄ›tem útoků hrubou silou a musà být pÅ™egenerovány." | ||
134 | |||
135 | #. Type: note | ||
136 | #. Description | ||
137 | #: ../openssh-server.templates:4001 | ||
138 | msgid "" | ||
139 | "Users of this system should be informed of this change, as they will be " | ||
140 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
141 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
142 | "the new host keys." | ||
143 | msgstr "" | ||
144 | "Uživatelé tohoto systému by měli být informováni o změně, protože budou při " | ||
145 | "pÅ™ÃÅ¡tÃm pÅ™ihlášenà varováni o zmÄ›nÄ› serverového klÃÄe. Po aktualizaci můžete " | ||
146 | "zjistit nové otisky serverových klÃÄů pÅ™Ãkazem „ssh-keygen -l -f " | ||
147 | "SOUBOR_SE_SERVEROVÃM_KLÃÄŒEM“." | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "The affected host keys are:" | ||
153 | msgstr "Postižené serverové klÃÄe:" | ||
154 | |||
155 | #. Type: note | ||
156 | #. Description | ||
157 | #: ../openssh-server.templates:4001 | ||
158 | msgid "" | ||
159 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
160 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
161 | "README.compromised-keys.gz for more details." | ||
162 | msgstr "" | ||
163 | "TÃmto problémem mohou být postiženy také uživatelské klÃÄe. Pro ÄásteÄnou " | ||
164 | "kontrolu můžete použÃt pÅ™Ãkaz „ssh-vulnkey“. VÃce informacà naleznete v " | ||
165 | "souboru /usr/share/doc/openssh-server/README.compromised-keys.gz." | ||
166 | |||
167 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
168 | #~ msgstr "VytvoÅ™it nový konfiguraÄnà soubor OpenSSH?" | ||
169 | |||
170 | #~ msgid "" | ||
171 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
172 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
173 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
174 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
175 | #~ "will not contain any customizations you made with the old version." | ||
176 | #~ msgstr "" | ||
177 | #~ "Tato verze OpenSSH má oproti verzi dodávané s Debianem 2.2, kterou nynà " | ||
178 | #~ "pravdÄ›podobnÄ› aktualizujete, znaÄnÄ› odliÅ¡ný konfiguraÄnà soubor. BalÃk " | ||
179 | #~ "nynà může vytvoÅ™it nový konfiguraÄnà soubor (/etc/ssh/sshd.config), který " | ||
180 | #~ "bude fungovat s novou verzà serveru, ale nebude obsahovat žádné úpravy, " | ||
181 | #~ "které jste provedli ve staré verzi." | ||
182 | |||
183 | #~ msgid "" | ||
184 | #~ "Please note that this new configuration file will set the value of " | ||
185 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
186 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
187 | #~ "details about this design choice." | ||
188 | #~ msgstr "" | ||
189 | #~ "V novém konfiguraÄnÃm souboru bude parametr PermitRootLogin nastaven na " | ||
190 | #~ "hodnotu „yes“. To znamená, že se kdokoliv se znalostà rootova hesla může " | ||
191 | #~ "pÅ™ihlásit rovnou jako root. VÃce o tomto rozhodnutà se dozvÃte v souboru " | ||
192 | #~ "README.Debian." | ||
193 | |||
194 | #~ msgid "" | ||
195 | #~ "It is strongly recommended that you choose to generate a new " | ||
196 | #~ "configuration file now." | ||
197 | #~ msgstr "" | ||
198 | #~ "Je vÅ™ele doporuÄeno nechat si nynà vytvoÅ™it nový konfiguraÄnà soubor." | ||
199 | |||
200 | #~ msgid "Warning: you must create a new host key" | ||
201 | #~ msgstr "VarovánÃ: musÃte vytvoÅ™it nový serverový klÃÄ" | ||
202 | |||
203 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
204 | #~ msgstr "VarovánÃ: je nainstalován telnetd --- to nenà dobrý nápad" | ||
205 | |||
206 | #~ msgid "" | ||
207 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
208 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
209 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
210 | #~ "unencrypted login/password and session information over the network." | ||
211 | #~ msgstr "" | ||
212 | #~ "DoporuÄujeme buÄ odstranit balÃk telnetd (pokud telnet pÅ™Ãstup " | ||
213 | #~ "nepotřebujete), nebo nainstalovat telnetd-ssl, kde je alespoň nějaká " | ||
214 | #~ "Å¡ance, že spojenà nebudou po sÃti zasÃlat nezaÅ¡ifrovaná jména/hesla/" | ||
215 | #~ "informace." | ||
216 | |||
217 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
218 | #~ msgstr "VarovánÃ: je nainstalován rsh-server --- to nenà dobrý nápad" | ||
219 | |||
220 | #~ msgid "" | ||
221 | #~ "having rsh-server installed undermines the security that you were " | ||
222 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
223 | #~ "that package." | ||
224 | #~ msgstr "" | ||
225 | #~ "nainstalovánÃm rsh-server si bouráte bezpeÄnost, kterou jste " | ||
226 | #~ "pravdÄ›podobnÄ› chtÄ›li dosáhnout instalacà ssh. DoporuÄujeme tento balÃk " | ||
227 | #~ "odstranit." | ||
228 | |||
229 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
230 | #~ msgstr "Chcete ssh-keysign nainstalovat jako SUID root?" | ||
231 | |||
232 | #~ msgid "" | ||
233 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
234 | #~ "bit set." | ||
235 | #~ msgstr "" | ||
236 | #~ "Můžete si vybrat, zda chcete nainstalovat ssh-keysign s nastaveným SUID " | ||
237 | #~ "bitem." | ||
238 | |||
239 | #~ msgid "" | ||
240 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
241 | #~ "host-based authentication." | ||
242 | #~ msgstr "" | ||
243 | #~ "Pokud nastavÃte ssh-keysign SUID, můžete použÃvat „host-based“ " | ||
244 | #~ "autentizaci protokolu verze 2." | ||
245 | |||
246 | #~ msgid "" | ||
247 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
248 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
249 | #~ msgstr "" | ||
250 | #~ "Pokud jste na pochybách, doporuÄujeme SUID bit povolit. Pokud zaznamenáte " | ||
251 | #~ "problémy, můžete nastavenà zmÄ›nit spuÅ¡tÄ›nÃm: dpkg-reconfigure ssh" | ||
252 | |||
253 | #~ msgid "Allow SSH protocol 2 only" | ||
254 | #~ msgstr "Povolit pouze SSH protokol verze 2" | ||
255 | |||
256 | #~ msgid "" | ||
257 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
258 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
259 | #~ "things down on low end machines and might prevent older clients from " | ||
260 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
261 | #~ msgstr "" | ||
262 | #~ "Tato verze OpenSSH podporuje ssh protokol ve verzi 2, který je mnohem " | ||
263 | #~ "bezpeÄnÄ›jÅ¡Ã. Je dobré ssh verze 1 zakázat, nicménÄ› na slabÅ¡Ãch poÄÃtaÄÃch " | ||
264 | #~ "se projevà zpomalenà a také tÃm znemožnÃte pÅ™ihlášenà starÅ¡Ãch klientů " | ||
265 | #~ "(napÅ™Ãklad tÄ›ch z Debianu 2.2)." | ||
266 | |||
267 | #~ msgid "" | ||
268 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
269 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
270 | #~ msgstr "" | ||
271 | #~ "Také si vÅ¡imnÄ›te, že klÃÄe protokolu verze 1 jsou odliÅ¡né a pokud " | ||
272 | #~ "povolÃte pouze protokol verze 2, nebudete je moci použÃt. " | ||
273 | |||
274 | #~ msgid "" | ||
275 | #~ "If you later change your mind about this setting, README.Debian has " | ||
276 | #~ "instructions on what to do to your sshd_config file." | ||
277 | #~ msgstr "" | ||
278 | #~ "Pokud se později rozhodnete jinak, v README.Debian se nacházà přesný " | ||
279 | #~ "návod, jak upravit soubor sshd_config." | ||
280 | |||
281 | #~ msgid "ssh2 keys merged in configuration files" | ||
282 | #~ msgstr "KlÃÄe ssh2 v konfiguraÄnÃch souborech byly spojeny" | ||
283 | |||
284 | #~ msgid "" | ||
285 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
286 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
287 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
288 | #~ "compatibility" | ||
289 | #~ msgstr "" | ||
290 | #~ "OpenSSH verze 3 již nepoužÃvá oddÄ›lené soubory pro klÃÄe verze ssh1 a " | ||
291 | #~ "ssh2. To znamená, že soubory authorized_keys2 a known_hosts2 již nejsou " | ||
292 | #~ "potřeba, ovšem z důvodů zachovánà zpětné kompatibility jsou stále " | ||
293 | #~ "naÄÃtány." | ||
294 | |||
295 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
296 | #~ msgstr "POZNÃMKA: Autorizace a pÅ™esmÄ›rovánà X11 je standardnÄ› vypnuto." | ||
297 | |||
298 | #~ msgid "" | ||
299 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
300 | #~ "ForwardAgent set to ``off'' by default." | ||
301 | #~ msgstr "" | ||
302 | #~ "Z bezpeÄnostnÃch důvodů má verze ssh v Debianu standardnÄ› nastavené " | ||
303 | #~ "ForwardX11 a ForwardAgent na hodnotu „off“." | ||
304 | |||
305 | #~ msgid "" | ||
306 | #~ "You can enable it for servers you trust, either in one of the " | ||
307 | #~ "configuration files, or with the -X command line option." | ||
308 | #~ msgstr "" | ||
309 | #~ "Pro servery, kterým důvěřujete, můžete tyto parametry povolit v jednom z " | ||
310 | #~ "konfiguraÄnÃch souborů, nebo z pÅ™Ãkazové řádky parametrem -X." | ||
311 | |||
312 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
313 | #~ msgstr "VÃce naleznete v /usr/share/doc/ssh/README.Debian" | ||
314 | |||
315 | #~ msgid "Do you want to run the sshd server?" | ||
316 | #~ msgstr "Chcete spustit sshd server?" | ||
317 | |||
318 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
319 | #~ msgstr "Tento balÃk obsahuje jak klienta ssh, tak server sshd." | ||
320 | |||
321 | #~ msgid "" | ||
322 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
323 | #~ "via ssh." | ||
324 | #~ msgstr "" | ||
325 | #~ "Obvykle se sshd (Secure Shell Server) spouÅ¡tÃ, aby se vzdálenà uživatelé " | ||
326 | #~ "mohli přihlašovat přes ssh." | ||
327 | |||
328 | #~ msgid "" | ||
329 | #~ "If you are only interested in using the ssh client for outbound " | ||
330 | #~ "connections on this machine, and don't want to log into it at all using " | ||
331 | #~ "ssh, then you can disable sshd here." | ||
332 | #~ msgstr "" | ||
333 | #~ "Pokud na tomto poÄÃtaÄi chcete využÃvat pouze ssh klienta pro odchozà " | ||
334 | #~ "spojenÃ, můžete zde sshd zakázat." | ||
335 | |||
336 | #~ msgid "Environment options on keys have been deprecated" | ||
337 | #~ msgstr "Volby prostÅ™edà spojené s klÃÄi jsou zakázány" | ||
338 | |||
339 | #~ msgid "" | ||
340 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
341 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
342 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
343 | #~ "keys in question will no longer work until the option is removed." | ||
344 | #~ msgstr "" | ||
345 | #~ "Pro zamezenà urÄitých typů útoků (napÅ™. LD_PRELOAD), tato verze OpenSSH " | ||
346 | #~ "standardnÄ› zabraňuje použÃvat volbu prostÅ™edà u veÅ™ejných klÃÄů. Pokud " | ||
347 | #~ "tuto volbu použÃváte v souboru authorized_keys, tak postižené klÃÄe " | ||
348 | #~ "nebudou fungovat, dokud jim tuto volbu nesmažete." | ||
349 | |||
350 | #~ msgid "" | ||
351 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
352 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
353 | #~ "the sshd_config(5) manual page." | ||
354 | #~ msgstr "" | ||
355 | #~ "Pro znovupovolenà této volby si po aktualizaci pÅ™eÄtÄ›te varovánà v " | ||
356 | #~ "manuálové stránce sshd_config(5) a v souboru /etc/ssh/sshd_config zadejte " | ||
357 | #~ "„PermitUserEnvironment yes“." | ||
diff --git a/debian/po/da.po b/debian/po/da.po new file mode 100644 index 000000000..f025f8751 --- /dev/null +++ b/debian/po/da.po | |||
@@ -0,0 +1,344 @@ | |||
1 | # | ||
2 | # Translators, if you are not familiar with the PO format, gettext | ||
3 | # documentation is worth reading, especially sections dedicated to | ||
4 | # this format, e.g. by running: | ||
5 | # info -n '(gettext)PO Files' | ||
6 | # info -n '(gettext)Header Entry' | ||
7 | # | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
11 | # | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | # Claus Hindsgaul <claus.hindsgaul@gmail.com>, 2006. | ||
15 | msgid "" | ||
16 | msgstr "" | ||
17 | "Project-Id-Version: openssh 3.8.1p1\n" | ||
18 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
19 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
20 | "PO-Revision-Date: 2006-10-02 08:53+0200\n" | ||
21 | "Last-Translator: Claus Hindsgaul <claus.hindsgaul@gmail.com>\n" | ||
22 | "Language-Team: Danish\n" | ||
23 | "MIME-Version: 1.0\n" | ||
24 | "Content-Type: text/plain; charset=ISO-8859-1\n" | ||
25 | "Content-Transfer-Encoding: 8bit\n" | ||
26 | "X-Generator: KBabel 1.11.4\n" | ||
27 | |||
28 | #. Type: boolean | ||
29 | #. Description | ||
30 | #: ../openssh-server.templates:1001 | ||
31 | #, fuzzy | ||
32 | #| msgid "Do you want to continue (and risk killing active ssh sessions)?" | ||
33 | msgid "Do you want to risk killing active SSH sessions?" | ||
34 | msgstr "Vil du fortsætte (og risikere at afbryde aktive ssh-forbindelser)?" | ||
35 | |||
36 | #. Type: boolean | ||
37 | #. Description | ||
38 | #: ../openssh-server.templates:1001 | ||
39 | #, fuzzy | ||
40 | #| msgid "" | ||
41 | #| "The version of /etc/init.d/ssh that you have installed, is likely to kill " | ||
42 | #| "all running sshd instances. If you are doing this upgrade via an ssh " | ||
43 | #| "session, that would be a Bad Thing(tm)." | ||
44 | msgid "" | ||
45 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
46 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
47 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
48 | msgstr "" | ||
49 | "Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis afbryde " | ||
50 | "alle sshd-dæmoner. Det vil være en rigtigt dårlig idé, hvis du er ved at " | ||
51 | "opgradere via en ssh-forbindelse." | ||
52 | |||
53 | #. Type: boolean | ||
54 | #. Description | ||
55 | #: ../openssh-server.templates:1001 | ||
56 | #, fuzzy | ||
57 | #| msgid "" | ||
58 | #| "You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start-" | ||
59 | #| "stop-daemon line in the stop section of the file." | ||
60 | msgid "" | ||
61 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
62 | "start-stop-daemon line in the stop section of the file." | ||
63 | msgstr "" | ||
64 | "Du kan afhjælpe dette ved at tilføje \"--pidfile /var/run/sshd.pid\" til " | ||
65 | "'start-stop-daemon'-linjen i stop-afsnittet af filen." | ||
66 | |||
67 | #. Type: note | ||
68 | #. Description | ||
69 | #: ../openssh-server.templates:2001 | ||
70 | msgid "New host key mandatory" | ||
71 | msgstr "" | ||
72 | |||
73 | #. Type: note | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:2001 | ||
76 | #, fuzzy | ||
77 | #| msgid "" | ||
78 | #| "There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH " | ||
79 | #| "can not handle this host key file, and the ssh-keygen utility from the " | ||
80 | #| "old (non-free) SSH installation does not appear to be available." | ||
81 | msgid "" | ||
82 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
83 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
84 | "utility from the old (non-free) SSH installation does not appear to be " | ||
85 | "available." | ||
86 | msgstr "" | ||
87 | "Der er en gammel, IDEA-krypteret /etc/ssh/ssh_host_key. OpenSSH kan ikke " | ||
88 | "håndtere en sådan værtsnøglefil, og værktøjet ssh-keygen fra den gamle (ikke-" | ||
89 | "frie, 'non-free') SSH-installation lader ikke til at være tilgængeligt." | ||
90 | |||
91 | #. Type: note | ||
92 | #. Description | ||
93 | #: ../openssh-server.templates:2001 | ||
94 | #, fuzzy | ||
95 | #| msgid "You will need to generate a new host key." | ||
96 | msgid "You need to manually generate a new host key." | ||
97 | msgstr "Du skal oprette en ny værtsnøgle." | ||
98 | |||
99 | #. Type: boolean | ||
100 | #. Description | ||
101 | #: ../openssh-server.templates:3001 | ||
102 | msgid "Disable challenge-response authentication?" | ||
103 | msgstr "Slå udfordrings-svar godkendelse fra?" | ||
104 | |||
105 | #. Type: boolean | ||
106 | #. Description | ||
107 | #: ../openssh-server.templates:3001 | ||
108 | #, fuzzy | ||
109 | #| msgid "" | ||
110 | #| "Password authentication appears to be disabled in your current OpenSSH " | ||
111 | #| "server configuration. In order to prevent users from logging in using " | ||
112 | #| "passwords (perhaps using only public key authentication instead) with " | ||
113 | #| "recent versions of OpenSSH, you must disable challenge-response " | ||
114 | #| "authentication, or else ensure that your PAM configuration does not allow " | ||
115 | #| "Unix password file authentication." | ||
116 | msgid "" | ||
117 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
118 | "configuration. In order to prevent users from logging in using passwords " | ||
119 | "(perhaps using only public key authentication instead) with recent versions " | ||
120 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
121 | "ensure that your PAM configuration does not allow Unix password file " | ||
122 | "authentication." | ||
123 | msgstr "" | ||
124 | "Adgangskodegodkendelse ser ud til at være deaktiveret i din nuværende " | ||
125 | "OpenSSH-serveropsætning. For at forhindre brugere i at logge ind med " | ||
126 | "adgangskoder (f.eks. kun offentlig nøgle godkendelse) med nyere versioner af " | ||
127 | "OpenSSH, skal du deaktivere udfordrings-svar godkendelse, eller sikre at din " | ||
128 | "PAM opsætning ikke itllader Unix adgangskodefil godkendelse." | ||
129 | |||
130 | #. Type: boolean | ||
131 | #. Description | ||
132 | #: ../openssh-server.templates:3001 | ||
133 | msgid "" | ||
134 | "If you disable challenge-response authentication, then users will not be " | ||
135 | "able to log in using passwords. If you leave it enabled (the default " | ||
136 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
137 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
138 | msgstr "" | ||
139 | "Hvis du deaktiverer udfordrings-svar godkendelse, vil brugere ikke være i " | ||
140 | "stand til at logge ind med adgangskoder. Hvis du lader det være slået til " | ||
141 | "(standard svaret), så vil 'PasswordAuthentication no' indstillingen ikke " | ||
142 | "have nogen effekt, medmindre du også redigerer din PAM-opsætning i /etc/pam." | ||
143 | "d/ssh." | ||
144 | |||
145 | #. Type: note | ||
146 | #. Description | ||
147 | #: ../openssh-server.templates:4001 | ||
148 | msgid "Vulnerable host keys will be regenerated" | ||
149 | msgstr "" | ||
150 | |||
151 | #. Type: note | ||
152 | #. Description | ||
153 | #: ../openssh-server.templates:4001 | ||
154 | msgid "" | ||
155 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
156 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
157 | "these host keys are from a well-known set, are subject to brute-force " | ||
158 | "attacks, and must be regenerated." | ||
159 | msgstr "" | ||
160 | |||
161 | #. Type: note | ||
162 | #. Description | ||
163 | #: ../openssh-server.templates:4001 | ||
164 | msgid "" | ||
165 | "Users of this system should be informed of this change, as they will be " | ||
166 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
167 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
168 | "the new host keys." | ||
169 | msgstr "" | ||
170 | |||
171 | #. Type: note | ||
172 | #. Description | ||
173 | #: ../openssh-server.templates:4001 | ||
174 | msgid "The affected host keys are:" | ||
175 | msgstr "" | ||
176 | |||
177 | #. Type: note | ||
178 | #. Description | ||
179 | #: ../openssh-server.templates:4001 | ||
180 | msgid "" | ||
181 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
182 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
183 | "README.compromised-keys.gz for more details." | ||
184 | msgstr "" | ||
185 | |||
186 | #, fuzzy | ||
187 | #~| msgid "Generate new configuration file?" | ||
188 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
189 | #~ msgstr "Generér ny opsætningsfil?" | ||
190 | |||
191 | #, fuzzy | ||
192 | #~| msgid "" | ||
193 | #~| "This version of OpenSSH has a considerably changed configuration file " | ||
194 | #~| "from the version shipped in Debian 'Potato', which you appear to be " | ||
195 | #~| "upgrading from. This package can now generate a new configuration file (/" | ||
196 | #~| "etc/ssh/sshd.config), which will work with the new server version, but " | ||
197 | #~| "will not contain any customisations you made with the old version." | ||
198 | #~ msgid "" | ||
199 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
200 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
201 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
202 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
203 | #~ "will not contain any customizations you made with the old version." | ||
204 | #~ msgstr "" | ||
205 | #~ "Opsætningsfilen i denne version af OpenSSH er ændret betydeligt i forhold " | ||
206 | #~ "til den, der fulgte med Debian Potato, som det ser ud til, at du " | ||
207 | #~ "opgraderer fra. Denne pakke kan nu generere en ny opsætningsfil (/etc/ssh/" | ||
208 | #~ "sshd.config), som vil fungere med den nye serverversion, men den vil ikke " | ||
209 | #~ "indeholde eventuelle justeringer, du måtte have indført i den gamle " | ||
210 | #~ "version." | ||
211 | |||
212 | #, fuzzy | ||
213 | #~| msgid "" | ||
214 | #~| "Please note that this new configuration file will set the value of " | ||
215 | #~| "'PermitRootLogin' to yes (meaning that anyone knowing the root password " | ||
216 | #~| "can ssh directly in as root). It is the opinion of the maintainer that " | ||
217 | #~| "this is the correct default (see README.Debian for more details), but " | ||
218 | #~| "you can always edit sshd_config and set it to no if you wish." | ||
219 | #~ msgid "" | ||
220 | #~ "Please note that this new configuration file will set the value of " | ||
221 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
222 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
223 | #~ "details about this design choice." | ||
224 | #~ msgstr "" | ||
225 | #~ "Bemærk at den nye opsætningsfil vil sætte værdien af 'PermitRootLogin' " | ||
226 | #~ "til ja (som betyder at alle der kender roots adgangskode, kan tilgå " | ||
227 | #~ "maskinen via ssh direkte). Det er vedligeholderens mening, at dette er " | ||
228 | #~ "den korrekte standardværdi (se README.Debian for flere detaljer), men du " | ||
229 | #~ "kan altid redigere sshd_config og slå det fra, hvis du ønsker det." | ||
230 | |||
231 | #, fuzzy | ||
232 | #~| msgid "" | ||
233 | #~| "It is strongly recommended that you let this package generate a new " | ||
234 | #~| "configuration file now." | ||
235 | #~ msgid "" | ||
236 | #~ "It is strongly recommended that you choose to generate a new " | ||
237 | #~ "configuration file now." | ||
238 | #~ msgstr "" | ||
239 | #~ "Du anbefales stærkt at lade mig oprette en ny opsætningsfil for dig nu." | ||
240 | |||
241 | #~ msgid "Warning: you must create a new host key" | ||
242 | #~ msgstr "Advarsel: du skal oprette en ny værtsnøgle" | ||
243 | |||
244 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
245 | #~ msgstr "Advarsel: telnetd er installeret --- sikkert ikke en god idé" | ||
246 | |||
247 | #~ msgid "" | ||
248 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
249 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
250 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
251 | #~ "unencrypted login/password and session information over the network." | ||
252 | #~ msgstr "" | ||
253 | #~ "Jeg vil råde dig til enten at fjerne pakken telnetd (hvis du i " | ||
254 | #~ "virkeligheden ikke har brug for at tilbyde telnet-adgang) eller " | ||
255 | #~ "installere telnetd-ssl, så der i det mindste er en mulighed for, at " | ||
256 | #~ "telnet-sessioner ikke sender adgangskoder og sessions-oplysninger " | ||
257 | #~ "ukrypteret over netværket." | ||
258 | |||
259 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
260 | #~ msgstr "Advarsel: rsh-serveren er installeret --- sikkert ikke en god idé" | ||
261 | |||
262 | #~ msgid "" | ||
263 | #~ "having rsh-server installed undermines the security that you were " | ||
264 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
265 | #~ "that package." | ||
266 | #~ msgstr "" | ||
267 | #~ "Den sikkerhed, du nok ønskede at opnå ved at installere ssh undermineres " | ||
268 | #~ "ved, at du har rsh-server installeret. Jeg vil råde dig til at fjerne " | ||
269 | #~ "pakken rsh-server." | ||
270 | |||
271 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
272 | #~ msgstr "Vil du have, at ssh-keysign bliver installeret 'SUID root'?" | ||
273 | |||
274 | #~ msgid "" | ||
275 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
276 | #~ "bit set." | ||
277 | #~ msgstr "" | ||
278 | #~ "Du har mulighed for at installere ssh-keysign hjælperen med SUID-flaget " | ||
279 | #~ "sat." | ||
280 | |||
281 | #~ msgid "" | ||
282 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
283 | #~ "host-based authentication." | ||
284 | #~ msgstr "" | ||
285 | #~ "Hvis du gør ssh-keysign SUID, vil du blive i stand til at benytte SSH " | ||
286 | #~ "protokol 2's værtsnavn-baserede autentifikation." | ||
287 | |||
288 | #~ msgid "" | ||
289 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
290 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
291 | #~ msgstr "" | ||
292 | #~ "Hvis du er i tvivl, vil jeg råde dig til at installere den med SUID. Hvis " | ||
293 | #~ "det skaber problemer, kan du ændre det tilbage igen ved at køre: dpkg-" | ||
294 | #~ "reconfigure ssh" | ||
295 | |||
296 | #~ msgid "Allow SSH protocol 2 only" | ||
297 | #~ msgstr "Tillad kun SSH protokol 2" | ||
298 | |||
299 | #~ msgid "" | ||
300 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
301 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
302 | #~ "things down on low end machines and might prevent older clients from " | ||
303 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
304 | #~ msgstr "" | ||
305 | #~ "Denne udgave af OpenSSH understøtter version 2 af ssh-protokollen, som er " | ||
306 | #~ "betydeligt mere sikker. Det anbefales at deaktivere version 1. Dog kan " | ||
307 | #~ "det sløve langsomme maskiner ned, og forhindre ældre klienter i at opnå " | ||
308 | #~ "forbindelse (ssh klienten der kommer med \"potato\" er en af dem)." | ||
309 | |||
310 | #~ msgid "" | ||
311 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
312 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
313 | #~ msgstr "" | ||
314 | #~ "Du skal også bemærke at de nøgler som bliver anvendt til protokol 1 er " | ||
315 | #~ "forskellige, så du vil ikke være i stand til at bruge dem, hvis du kun " | ||
316 | #~ "tillader protokol 2 forbindelser." | ||
317 | |||
318 | #~ msgid "" | ||
319 | #~ "If you later change your mind about this setting, README.Debian has " | ||
320 | #~ "instructions on what to do to your sshd_config file." | ||
321 | #~ msgstr "" | ||
322 | #~ "Hvis du senere ændrer din mening om denne indstilling, har README.Debian " | ||
323 | #~ "instruktioner på hvad du skal gøre ved din sshd_config fil." | ||
324 | |||
325 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
326 | #~ msgstr "" | ||
327 | #~ "BEMÆRK: Videregivelse af X11 og adgangkontrol er som standard deaktiveret." | ||
328 | |||
329 | #~ msgid "" | ||
330 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
331 | #~ "ForwardAgent set to ``off'' by default." | ||
332 | #~ msgstr "" | ||
333 | #~ "Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og " | ||
334 | #~ "ForwardAgent til 'off' som standard." | ||
335 | |||
336 | #~ msgid "" | ||
337 | #~ "You can enable it for servers you trust, either in one of the " | ||
338 | #~ "configuration files, or with the -X command line option." | ||
339 | #~ msgstr "" | ||
340 | #~ "Du kan aktivere dem for servere du stoler på, enten i en af " | ||
341 | #~ "opsætningsfilerne eller med kommandolinjetilvalget '-X'." | ||
342 | |||
343 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
344 | #~ msgstr "Flere detaljer kan findes i /usr/share/doc/ssh/README.Debian" | ||
diff --git a/debian/po/de.po b/debian/po/de.po new file mode 100644 index 000000000..55b363a67 --- /dev/null +++ b/debian/po/de.po | |||
@@ -0,0 +1,369 @@ | |||
1 | # Translation of openssh debconf templates to German | ||
2 | # Copyright (C) Helge Kreutzmann <debian@helgefjell.de>, 2006-2008. | ||
3 | # This file is distributed under the same license as the openssh package. | ||
4 | # | ||
5 | msgid "" | ||
6 | msgstr "" | ||
7 | "Project-Id-Version: openssh 1:4.7p1-9\n" | ||
8 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
9 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
10 | "PO-Revision-Date: 2008-05-17 23:09+0200\n" | ||
11 | "Last-Translator: Helge Kreutzmann <debian@helgefjell.de>\n" | ||
12 | "Language-Team: de <debian-l10n-german@lists.debian.org>\n" | ||
13 | "MIME-Version: 1.0\n" | ||
14 | "Content-Type: text/plain; charset=ISO-8859-15\n" | ||
15 | "Content-Transfer-Encoding: 8bit\n" | ||
16 | |||
17 | #. Type: boolean | ||
18 | #. Description | ||
19 | #: ../openssh-server.templates:1001 | ||
20 | msgid "Do you want to risk killing active SSH sessions?" | ||
21 | msgstr "Wollen Sie das Beenden aktiver SSH-Sitzungen riskieren?" | ||
22 | |||
23 | #. Type: boolean | ||
24 | #. Description | ||
25 | #: ../openssh-server.templates:1001 | ||
26 | msgid "" | ||
27 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
28 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
29 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
30 | msgstr "" | ||
31 | "Die derzeit installierte Version von /etc/init.d/ssh wird vermutlich Ihre " | ||
32 | "aktiven ssh-Instanzen beenden. Falls Sie dieses Upgrade über eine SSH-" | ||
33 | "Sitzung durchführen, dann wird die Verbindung wahrscheinlich getrennt und " | ||
34 | "der Upgrade-Vorgang nicht beendet." | ||
35 | |||
36 | #. Type: boolean | ||
37 | #. Description | ||
38 | #: ../openssh-server.templates:1001 | ||
39 | msgid "" | ||
40 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
41 | "start-stop-daemon line in the stop section of the file." | ||
42 | msgstr "" | ||
43 | "Dieses Problem kann behoben werden, indem »--pidfile /var/run/sshd.pid« an " | ||
44 | "die start-stop-daemon-Zeile in dem Abschnitt »stop« der Datei /etc/init.d/ssh " | ||
45 | "manuell hinzugefügt wird." | ||
46 | |||
47 | #. Type: note | ||
48 | #. Description | ||
49 | #: ../openssh-server.templates:2001 | ||
50 | msgid "New host key mandatory" | ||
51 | msgstr "Neuer Host-Schlüssel verpflichtend" | ||
52 | |||
53 | #. Type: note | ||
54 | #. Description | ||
55 | #: ../openssh-server.templates:2001 | ||
56 | msgid "" | ||
57 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
58 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
59 | "utility from the old (non-free) SSH installation does not appear to be " | ||
60 | "available." | ||
61 | msgstr "" | ||
62 | "Der aktuelle Host-Schlüssel in /etc/ssh/ssh_host_key ist mit dem IDEA-" | ||
63 | "Algorithmus verschlüsselt. OpenSSH kann diese Host-Schlüssel-Datei nicht " | ||
64 | "verarbeiten und das ssh-keygen-Hilfswerkzeug von der alten (nicht-freien) " | ||
65 | "SSH-Installation scheint nicht verfügbar zu sein." | ||
66 | |||
67 | #. Type: note | ||
68 | #. Description | ||
69 | #: ../openssh-server.templates:2001 | ||
70 | msgid "You need to manually generate a new host key." | ||
71 | msgstr "Sie müssen manuell einen neuen Host-Schlüssel erzeugen." | ||
72 | |||
73 | #. Type: boolean | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:3001 | ||
76 | msgid "Disable challenge-response authentication?" | ||
77 | msgstr "Challenge-response-Authentifizierung deaktivieren?" | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "" | ||
83 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
84 | "configuration. In order to prevent users from logging in using passwords " | ||
85 | "(perhaps using only public key authentication instead) with recent versions " | ||
86 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
87 | "ensure that your PAM configuration does not allow Unix password file " | ||
88 | "authentication." | ||
89 | msgstr "" | ||
90 | "Passwort-Authentifizierung scheint in der aktuellen OpenSSH-Server-" | ||
91 | "Konfiguration deaktiviert zu sein. Um in neueren Versionen von OpenSSH zu " | ||
92 | "verhindern, dass Benutzer sich unter Verwendung von Passwörtern anmelden " | ||
93 | "(möglicherweise stattdessen nur unter Verwendung von Public-Key-" | ||
94 | "Authentifizierung), müssen Sie Challenge-response-Authentifizierung " | ||
95 | "deaktivieren oder ansonsten sicherstellen, dass Ihre PAM-Konfiguration keine " | ||
96 | "Authentifizierung über Unix-Password-Dateien erlaubt." | ||
97 | |||
98 | #. Type: boolean | ||
99 | #. Description | ||
100 | #: ../openssh-server.templates:3001 | ||
101 | msgid "" | ||
102 | "If you disable challenge-response authentication, then users will not be " | ||
103 | "able to log in using passwords. If you leave it enabled (the default " | ||
104 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
105 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
106 | msgstr "" | ||
107 | "Falls Sie Challenge-response-Authentifizierung deaktivieren, werden Benutzer " | ||
108 | "nicht in der Lage sein, sich mit Passwörtern anzumelden. Falls Sie es " | ||
109 | "aktiviert lassen (die Standard-Antwort) wird die »PasswordAuthentication no«-" | ||
110 | "Einstellung keinen nützlichen Effekt haben, es sei denn, sie passen auch " | ||
111 | "Ihre PAM-Konfiguration in /etc/pam.d/ssh an." | ||
112 | |||
113 | #. Type: note | ||
114 | #. Description | ||
115 | #: ../openssh-server.templates:4001 | ||
116 | msgid "Vulnerable host keys will be regenerated" | ||
117 | msgstr "Verwundbare Host-Schlüssel werden neu erzeugt" | ||
118 | |||
119 | #. Type: note | ||
120 | #. Description | ||
121 | #: ../openssh-server.templates:4001 | ||
122 | msgid "" | ||
123 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
124 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
125 | "these host keys are from a well-known set, are subject to brute-force " | ||
126 | "attacks, and must be regenerated." | ||
127 | msgstr "" | ||
128 | "Einige der OpenSSH-Server-Host-Schlüssel auf diesem System wurden mit einer " | ||
129 | "Version von OpenSSL erzeugt, die einen defekten Zufallszahlengenerator " | ||
130 | "hatte. Als Ergebnis stammen diese Host-Schlüssel aus einer wohlbekannten " | ||
131 | "Menge, unterliegen Rechen- (»brute-force«)-angriffen und müssen neu erstellt " | ||
132 | "werden." | ||
133 | |||
134 | #. Type: note | ||
135 | #. Description | ||
136 | #: ../openssh-server.templates:4001 | ||
137 | msgid "" | ||
138 | "Users of this system should be informed of this change, as they will be " | ||
139 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
140 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
141 | "the new host keys." | ||
142 | msgstr "" | ||
143 | "Die Benutzer dieses Systems sollten über diese Änderung informiert werden, " | ||
144 | "da sie über die Änderung des Host-Schlüssels bei der nächsten Anmeldung " | ||
145 | "befragt werden. Führen Sie nach dem Upgrade »ssh-keygen -l -f " | ||
146 | "HOST_SCHLÜSSEL_DATEI« aus, um die Fingerabdrücke es neuen Host-Schlüssels " | ||
147 | "anzuzeigen." | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "The affected host keys are:" | ||
153 | msgstr "Die betroffenen Host-Schlüssel sind:" | ||
154 | |||
155 | #. Type: note | ||
156 | #. Description | ||
157 | #: ../openssh-server.templates:4001 | ||
158 | msgid "" | ||
159 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
160 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
161 | "README.compromised-keys.gz for more details." | ||
162 | msgstr "" | ||
163 | "Die Schüssel der Benutzer könnten auch von diesem Problem betroffen sein. " | ||
164 | "Der Befehl »ssh-vulnkey« kann dazu verwandt werden, dieses Problem teilweise " | ||
165 | "zu ermitteln. Lesen Sie /usr/share/doc/openssh-server/README.compromised-" | ||
166 | "keys.gz für weitere Details." | ||
167 | |||
168 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
169 | #~ msgstr "Eine neue Konfigurationsdatei für OpenSSH erzeugen?" | ||
170 | |||
171 | #~ msgid "" | ||
172 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
173 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
174 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
175 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
176 | #~ "will not contain any customizations you made with the old version." | ||
177 | #~ msgstr "" | ||
178 | #~ "Diese Version von OpenSSH hat eine deutlich geänderte Konfigurationsdatei " | ||
179 | #~ "gegenüber der in »Potato« ausgelieferten Version, von der Sie anscheinend " | ||
180 | #~ "ein Upgrade durchführen. Dieses Paket kann jetzt eine neue " | ||
181 | #~ "Konfigurationsdatei (/etc/ssh/sshd.config) erzeugen, die mit der neuen " | ||
182 | #~ "Server-Version zusammenarbeitet, aber keine Anpassungen aus der alten " | ||
183 | #~ "Version enthält." | ||
184 | |||
185 | #~ msgid "" | ||
186 | #~ "Please note that this new configuration file will set the value of " | ||
187 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
188 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
189 | #~ "details about this design choice." | ||
190 | #~ msgstr "" | ||
191 | #~ "Bitte beachten Sie, dass die neue Konfigurationsdatei »PermitRootLogin« " | ||
192 | #~ "auf »yes« setzt (was bedeutet, dass jeder, der das Root-Passwort kennt, " | ||
193 | #~ "sich direkt via ssh als root anmelden kann). Bitte lesen Sie die Datei " | ||
194 | #~ "README.Debian für weitergehende Informationen über diese Design-" | ||
195 | #~ "Entscheidung." | ||
196 | |||
197 | #~ msgid "" | ||
198 | #~ "It is strongly recommended that you choose to generate a new " | ||
199 | #~ "configuration file now." | ||
200 | #~ msgstr "" | ||
201 | #~ "Es wird nachdrücklich empfohlen, dass Sie jetzt eine neue " | ||
202 | #~ "Konfigurationsdatei erzeugen." | ||
203 | |||
204 | #~ msgid "Warning: you must create a new host key" | ||
205 | #~ msgstr "Warnung: Sie müssen einen neuen Host-Schlüssel erzeugen" | ||
206 | |||
207 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
208 | #~ msgstr "Warnung: telnetd ist installiert --- wahrscheinlich keine gute Idee" | ||
209 | |||
210 | #~ msgid "" | ||
211 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
212 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
213 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
214 | #~ "unencrypted login/password and session information over the network." | ||
215 | #~ msgstr "" | ||
216 | #~ "Wir empfehlen das telnetd Paket zu entfernen (falls Sie keinen telnet " | ||
217 | #~ "Zugang anbieten) oder telnetd-ssl zu installieren, so daß Sie verhindern " | ||
218 | #~ "können, daß Login und Passwort unverschlüsselt durch das Netz gesendet " | ||
219 | #~ "werden." | ||
220 | |||
221 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
222 | #~ msgstr "" | ||
223 | #~ "Warnung: rsh-server ist installiert --- wahrscheinlich keine gute Idee" | ||
224 | |||
225 | #~ msgid "" | ||
226 | #~ "having rsh-server installed undermines the security that you were " | ||
227 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
228 | #~ "that package." | ||
229 | #~ msgstr "" | ||
230 | #~ "ist es eine schlechte Idee, den rsh-server installiert zu haben, da er " | ||
231 | #~ "die Sicherheit untergräbt. Wir empfehlen, das Paket zu entfernen." | ||
232 | |||
233 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
234 | #~ msgstr "Möchten Sie ssh-keysign SUID-Root installieren?" | ||
235 | |||
236 | #~ msgid "" | ||
237 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
238 | #~ "bit set." | ||
239 | #~ msgstr "" | ||
240 | #~ "Sie haben die Möglichkeit, den ssh-keysign-Helfer mit gesetzten SUID-Bit " | ||
241 | #~ "zu installieren." | ||
242 | |||
243 | #~ msgid "" | ||
244 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
245 | #~ "host-based authentication." | ||
246 | #~ msgstr "" | ||
247 | #~ "Falls Sie ssh-keysign SUID installieren, können Sie die Host-basierende " | ||
248 | #~ "Authentisierung von SSH-Protokoll Version 2 verwenden." | ||
249 | |||
250 | #~ msgid "" | ||
251 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
252 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
253 | #~ msgstr "" | ||
254 | #~ "Falls Sie unsicher sind, empfehle ich, mit SUID zu installieren. Falls es " | ||
255 | #~ "Probleme gibt, können Sie später Ihre Meinung ändern, indem Sie dpkg-" | ||
256 | #~ "reconfigure ssh aufrufen." | ||
257 | |||
258 | #~ msgid "Allow SSH protocol 2 only" | ||
259 | #~ msgstr "Nur SSH-Protokoll Version 2 erlauben" | ||
260 | |||
261 | #~ msgid "" | ||
262 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
263 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
264 | #~ "things down on low end machines and might prevent older clients from " | ||
265 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
266 | #~ msgstr "" | ||
267 | #~ "Diese Version von OpenSSH unterstützt Version 2 des SSH-Protokolls, die " | ||
268 | #~ "sicherer ist. Es wird empfohlen, Version 1 zu deaktivieren, allerdings " | ||
269 | #~ "kann dies Vorgänge auf langsamen Maschinen verzögern und alte Clients an " | ||
270 | #~ "der Verbindungsaufnahme hindern (der ssh-Client von »potato« ist davon " | ||
271 | #~ "betroffen)." | ||
272 | |||
273 | #~ msgid "" | ||
274 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
275 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
276 | #~ msgstr "" | ||
277 | #~ "Bitte beachten Sie auch, daß sich die für Protokoll 1 verwendeten " | ||
278 | #~ "Schlüssel unterscheiden und Sie diese daher nicht verwenden können, wenn " | ||
279 | #~ "Sie nur Protokoll Version 2-Verbindungen erlauben." | ||
280 | |||
281 | #~ msgid "" | ||
282 | #~ "If you later change your mind about this setting, README.Debian has " | ||
283 | #~ "instructions on what to do to your sshd_config file." | ||
284 | #~ msgstr "" | ||
285 | #~ "Falls Sie später Ihre Meinung über diese Einstellung ändern, finden Sie " | ||
286 | #~ "in README.Debian eine Anleitung was Sie mit der sshd_config-Datei machen " | ||
287 | #~ "müssen." | ||
288 | |||
289 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
290 | #~ msgstr "HINWEIS: Weiterleiten von X11 und Berechtigungen ist abgeschaltet." | ||
291 | |||
292 | #~ msgid "" | ||
293 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
294 | #~ "ForwardAgent set to ``off'' by default." | ||
295 | #~ msgstr "" | ||
296 | #~ "Aus Sicherheitsgründen ist bei der Debian-Version von ssh ForwardX11 und " | ||
297 | #~ "ForwardAgent auf »off« gesetzt." | ||
298 | |||
299 | #~ msgid "" | ||
300 | #~ "You can enable it for servers you trust, either in one of the " | ||
301 | #~ "configuration files, or with the -X command line option." | ||
302 | #~ msgstr "" | ||
303 | #~ "Sie können dies für Server, denen Sie trauen, entweder per Eintrag in die " | ||
304 | #~ "Konfigurations-Dateien oder per Kommando-Zeilen Option -X ändern." | ||
305 | |||
306 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
307 | #~ msgstr "" | ||
308 | #~ "Weitere Details können Sie in /usr/share/doc/ssh/README.Debian finden." | ||
309 | |||
310 | #~ msgid "ssh2 keys merged in configuration files" | ||
311 | #~ msgstr "ssh2-Schlüssel in die Konfigurationsdateien eingefügt" | ||
312 | |||
313 | #~ msgid "" | ||
314 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
315 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
316 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
317 | #~ "compatibility" | ||
318 | #~ msgstr "" | ||
319 | #~ "Mit Version 3 verwendet OpenSSH nicht mehr separate Dateien für ssh1 und " | ||
320 | #~ "ssh2 Schlüssel. Dies bedeutet, daß authorized_keys2 und known_hosts2 " | ||
321 | #~ "nicht mehr benötigt werden. Sie werden noch eingelesen, um " | ||
322 | #~ "Abwärtskompatibilität zu gewähren." | ||
323 | |||
324 | #~ msgid "Do you want to run the sshd server?" | ||
325 | #~ msgstr "Möchten Sie den sshd Server starten?" | ||
326 | |||
327 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
328 | #~ msgstr "Das Paket enthält sowohl den Client als auch den sshd Server." | ||
329 | |||
330 | #~ msgid "" | ||
331 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
332 | #~ "via ssh." | ||
333 | #~ msgstr "" | ||
334 | #~ "Normalerweise wird der sshd Secure Shell Server für Remote Logins per " | ||
335 | #~ "sshgestartet." | ||
336 | |||
337 | #~ msgid "" | ||
338 | #~ "If you are only interested in using the ssh client for outbound " | ||
339 | #~ "connections on this machine, and don't want to log into it at all using " | ||
340 | #~ "ssh, then you can disable sshd here." | ||
341 | #~ msgstr "" | ||
342 | #~ "Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechnern " | ||
343 | #~ "zu verbinden, und sich nicht per ssh in diesen Computer einloggen wollen, " | ||
344 | #~ "dann können Sie hier den sshd abschalten." | ||
345 | |||
346 | #~ msgid "Environment options on keys have been deprecated" | ||
347 | #~ msgstr "Umgebungs-Optionen für Schlüssel wurden missbilligt" | ||
348 | |||
349 | #~ msgid "" | ||
350 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
351 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
352 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
353 | #~ "keys in question will no longer work until the option is removed." | ||
354 | #~ msgstr "" | ||
355 | #~ "Diese Version von OpenSSH deaktiviert standardmäßig die Umgebungsoption " | ||
356 | #~ "füröffentliche Schlüssel um bestimmte Angriffe (zum Beispiel über " | ||
357 | #~ "LD_PRELOAD) zu vermeiden. Falls Sie diese Option in einer authorized_keys-" | ||
358 | #~ "Datei verwenden, beachten Sie, daß die in Frage kommenden Schlüssel nicht " | ||
359 | #~ "funktionieren werden bis diese Option entfernt wurde." | ||
360 | |||
361 | #~ msgid "" | ||
362 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
363 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
364 | #~ "the sshd_config(5) manual page." | ||
365 | #~ msgstr "" | ||
366 | #~ "Um diese Option wieder zu reaktivieren, setzen Sie, unter " | ||
367 | #~ "Berücksichtigung der Warnung in der sshd_config(5)-Handbuchseite, " | ||
368 | #~ "»PermitUserEnvironment yes« in /etc/ssh/sshd_config nachdem das Upgrade " | ||
369 | #~ "erfolgt ist." | ||
diff --git a/debian/po/el.po b/debian/po/el.po new file mode 100644 index 000000000..4ca56384e --- /dev/null +++ b/debian/po/el.po | |||
@@ -0,0 +1,451 @@ | |||
1 | # translation of el.po to Greek | ||
2 | # translation of templates.po to Greek | ||
3 | # | ||
4 | # Translators, if you are not familiar with the PO format, gettext | ||
5 | # documentation is worth reading, especially sections dedicated to | ||
6 | # this format, e.g. by running: | ||
7 | # info -n '(gettext)PO Files' | ||
8 | # info -n '(gettext)Header Entry' | ||
9 | # Some information specific to po-debconf are available at | ||
10 | # /usr/share/doc/po-debconf/README-trans | ||
11 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans# | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # Konstantinos Margaritis <markos@debian.org>, 2004. | ||
14 | # | ||
15 | msgid "" | ||
16 | msgstr "" | ||
17 | "Project-Id-Version: el\n" | ||
18 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
19 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
20 | "PO-Revision-Date: 2004-10-14 21:34+0300\n" | ||
21 | "Last-Translator: Konstantinos Margaritis <markos@debian.org>\n" | ||
22 | "Language-Team: Greek <debian-l10n-greek@lists.debian.org>\n" | ||
23 | "MIME-Version: 1.0\n" | ||
24 | "Content-Type: text/plain; charset=UTF-8\n" | ||
25 | "Content-Transfer-Encoding: 8bit\n" | ||
26 | "X-Generator: KBabel 1.0.2\n" | ||
27 | |||
28 | #. Type: boolean | ||
29 | #. Description | ||
30 | #: ../openssh-server.templates:1001 | ||
31 | #, fuzzy | ||
32 | #| msgid "Do you want to continue (and risk killing active ssh sessions)?" | ||
33 | msgid "Do you want to risk killing active SSH sessions?" | ||
34 | msgstr "" | ||
35 | "ΘÎλετε να συνεχίσετε (με κίνδυνο τεÏÎ¼Î±Ï„Î¹ÏƒÎ¼Î¿Ï Ï„Ï‰Î½ ενεÏγών συνεδÏιών ssh);" | ||
36 | |||
37 | #. Type: boolean | ||
38 | #. Description | ||
39 | #: ../openssh-server.templates:1001 | ||
40 | #, fuzzy | ||
41 | #| msgid "" | ||
42 | #| "The version of /etc/init.d/ssh that you have installed, is likely to kill " | ||
43 | #| "all running sshd instances. If you are doing this upgrade via an ssh " | ||
44 | #| "session, that would be a Bad Thing(tm)." | ||
45 | msgid "" | ||
46 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
47 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
48 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
49 | msgstr "" | ||
50 | "Η Ï„ÏÎχουσα Îκδοση του /etc/init.d/ssh που είναι εγκατεστημÎνη, πιθανότατα θα " | ||
51 | "τεÏματίσει όλες τις συνεδÏίες του sshd. Αν κάνετε αυτήν την αναβάθμιση μÎσω " | ||
52 | "μιας συνεδÏίας ssh, αυτό είναι μάλλον κακή ιδÎα..." | ||
53 | |||
54 | #. Type: boolean | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:1001 | ||
57 | #, fuzzy | ||
58 | #| msgid "" | ||
59 | #| "You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start-" | ||
60 | #| "stop-daemon line in the stop section of the file." | ||
61 | msgid "" | ||
62 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
63 | "start-stop-daemon line in the stop section of the file." | ||
64 | msgstr "" | ||
65 | "ΜποÏείτε να το διοÏθώσετε αυτό Ï€ÏοσθÎτοντας \"--pidfile /var/run/sshd.pid\" " | ||
66 | "στη γÏαμμή start-stop-daemon στο τμήμα \"stop\" του αÏχείου." | ||
67 | |||
68 | #. Type: note | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:2001 | ||
71 | msgid "New host key mandatory" | ||
72 | msgstr "" | ||
73 | |||
74 | #. Type: note | ||
75 | #. Description | ||
76 | #: ../openssh-server.templates:2001 | ||
77 | #, fuzzy | ||
78 | msgid "" | ||
79 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
80 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
81 | "utility from the old (non-free) SSH installation does not appear to be " | ||
82 | "available." | ||
83 | msgstr "" | ||
84 | "ΥπάÏχει Îνα παλαιότεÏο κλειδί /etc/ssh/ssh_host_key, που είναι " | ||
85 | "κÏυπτογÏαφημÎνο με τον αλγόÏιθμο IDEA. Το OpenSSH δε μποÏεί να χειÏιστεί " | ||
86 | "αυτό το κλειδί και δεν Îχει βÏεθεί το εÏγαλείο ssh-keygen από την παλιά (μη " | ||
87 | "ελεÏθεÏη) εγκατάσταση του SSH." | ||
88 | |||
89 | #. Type: note | ||
90 | #. Description | ||
91 | #: ../openssh-server.templates:2001 | ||
92 | #, fuzzy | ||
93 | #| msgid "You will need to generate a new host key." | ||
94 | msgid "You need to manually generate a new host key." | ||
95 | msgstr "Î ÏÎπει να δημιουÏγήσετε Îνα νÎο κλειδί για τον υπολογιστή (host key)." | ||
96 | |||
97 | #. Type: boolean | ||
98 | #. Description | ||
99 | #: ../openssh-server.templates:3001 | ||
100 | msgid "Disable challenge-response authentication?" | ||
101 | msgstr "Îα απενεÏγοποιηθεί η πιστοποίηση challenge-response;" | ||
102 | |||
103 | #. Type: boolean | ||
104 | #. Description | ||
105 | #: ../openssh-server.templates:3001 | ||
106 | #, fuzzy | ||
107 | #| msgid "" | ||
108 | #| "Password authentication appears to be disabled in your current OpenSSH " | ||
109 | #| "server configuration. In order to prevent users from logging in using " | ||
110 | #| "passwords (perhaps using only public key authentication instead) with " | ||
111 | #| "recent versions of OpenSSH, you must disable challenge-response " | ||
112 | #| "authentication, or else ensure that your PAM configuration does not allow " | ||
113 | #| "Unix password file authentication." | ||
114 | msgid "" | ||
115 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
116 | "configuration. In order to prevent users from logging in using passwords " | ||
117 | "(perhaps using only public key authentication instead) with recent versions " | ||
118 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
119 | "ensure that your PAM configuration does not allow Unix password file " | ||
120 | "authentication." | ||
121 | msgstr "" | ||
122 | "Η πιστοποίηση με κωδικό είναι απενεÏγοποιημÎνη στο τωÏινό OpenSSH " | ||
123 | "εξυπηÏετητή. Για να αποτÏÎψετε την είσοδο τον χÏηστών με χÏήση ÎºÏ‰Î´Î¹ÎºÎ¿Ï (για " | ||
124 | "παÏάδειγμα να γίνεται χÏήση μόνο του δημοσίου κλειδιοÏ) με την Ï€Ïόσφατες " | ||
125 | "εκδόσεις του OpenSSH, θα Ï€ÏÎπει να απενεÏγοποιήσετε την πιστοποίηση " | ||
126 | "challenge-response ή να επιβεβαιώσετε ότι η διαμόÏφωση του PAM δεν επιτÏÎπει " | ||
127 | "την πιστοποίηση με αÏχείο κωδικών." | ||
128 | |||
129 | #. Type: boolean | ||
130 | #. Description | ||
131 | #: ../openssh-server.templates:3001 | ||
132 | msgid "" | ||
133 | "If you disable challenge-response authentication, then users will not be " | ||
134 | "able to log in using passwords. If you leave it enabled (the default " | ||
135 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
136 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
137 | msgstr "" | ||
138 | "Εάν απενεÏγοποιήσετε την πιστοποίηση challenge-response, οι χÏήστες δεν θα " | ||
139 | "μποÏοÏν να εισÎλθουν χÏησιμοποιώντας τον κωδικό τους. Εάν το αφήσετε " | ||
140 | "ενεÏγοποιημÎνο (Ï€Ïοεπιλογή), τότε η επιλογή 'PasswordAuthetication no' δεν " | ||
141 | "θα επιδÏά εκτός και εάν Ïυθμίσετε και το PAM στο αÏχείο /etc/pam.d/ssh." | ||
142 | |||
143 | #. Type: note | ||
144 | #. Description | ||
145 | #: ../openssh-server.templates:4001 | ||
146 | msgid "Vulnerable host keys will be regenerated" | ||
147 | msgstr "" | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "" | ||
153 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
154 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
155 | "these host keys are from a well-known set, are subject to brute-force " | ||
156 | "attacks, and must be regenerated." | ||
157 | msgstr "" | ||
158 | |||
159 | #. Type: note | ||
160 | #. Description | ||
161 | #: ../openssh-server.templates:4001 | ||
162 | msgid "" | ||
163 | "Users of this system should be informed of this change, as they will be " | ||
164 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
165 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
166 | "the new host keys." | ||
167 | msgstr "" | ||
168 | |||
169 | #. Type: note | ||
170 | #. Description | ||
171 | #: ../openssh-server.templates:4001 | ||
172 | msgid "The affected host keys are:" | ||
173 | msgstr "" | ||
174 | |||
175 | #. Type: note | ||
176 | #. Description | ||
177 | #: ../openssh-server.templates:4001 | ||
178 | msgid "" | ||
179 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
180 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
181 | "README.compromised-keys.gz for more details." | ||
182 | msgstr "" | ||
183 | |||
184 | #, fuzzy | ||
185 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
186 | #~ msgstr "ΔημιουÏγία νÎου αÏχείου Ïυθμίσεων" | ||
187 | |||
188 | #, fuzzy | ||
189 | #~ msgid "" | ||
190 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
191 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
192 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
193 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
194 | #~ "will not contain any customizations you made with the old version." | ||
195 | #~ msgstr "" | ||
196 | #~ "Αυτή η Îκδοση του OpenSSH Îχει σημαντικά διαφοÏοποιημÎνο αÏχείο Ïυθμίσεων " | ||
197 | #~ "από την Îκδοση που πεÏιλαμβάνεται στη διανομή 'Potato' του Debian, από " | ||
198 | #~ "την οποία φαίνεται ότι Ï€Ïαγματοποιείτε την αναβάθμιση. Στο σημείο αυτό, " | ||
199 | #~ "σας δίνεται η δυνατότητα να δημιουÏγήσετε Îνα νÎο αÏχείο Ïυθμίσεων (/etc/" | ||
200 | #~ "ssh/sshd_config), το οποίο χÏησιμοποιείται από τη νÎα Îκδοση του δαίμονα, " | ||
201 | #~ "αλλά δεν θα πεÏιÎχει οποιαδήποτε παÏαμετÏοποίηση Îχετε ήδη κάνει στην " | ||
202 | #~ "παλιά Îκδοση." | ||
203 | |||
204 | #, fuzzy | ||
205 | #~| msgid "" | ||
206 | #~| "Please note that this new configuration file will set the value of " | ||
207 | #~| "'PermitRootLogin' to yes (meaning that anyone knowing the root password " | ||
208 | #~| "can ssh directly in as root). It is the opinion of the maintainer that " | ||
209 | #~| "this is the correct default (see README.Debian for more details), but " | ||
210 | #~| "you can always edit sshd_config and set it to no if you wish." | ||
211 | #~ msgid "" | ||
212 | #~ "Please note that this new configuration file will set the value of " | ||
213 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
214 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
215 | #~ "details about this design choice." | ||
216 | #~ msgstr "" | ||
217 | #~ "Σημειώστε ότι το νÎο αÏχείο Ïυθμίσεων θα καθοÏίσει την τιμή της επιλογής " | ||
218 | #~ "'PermitRootLogin' σε yes (εννοώντας ότι οποιοσδήποτε γνωÏίζει τον κωδικό " | ||
219 | #~ "Ï€Ïόσβασης του root μποÏεί να συνδεθεί ως χÏήστης root). Κατά τον " | ||
220 | #~ "συντηÏητή αυτή είναι και η σωστή Ï€ÏοκαθοÏισμÎνη ÏÏθμιση (δείτε το README." | ||
221 | #~ "Debian για πεÏισσότεÏες λεπτομÎÏειες), αλλά μποÏείτε οποιαδήποτε στιγμή " | ||
222 | #~ "να αλλάξετε την τιμή σε no στο αÏχείο sshd_config." | ||
223 | |||
224 | #, fuzzy | ||
225 | #~ msgid "" | ||
226 | #~ "It is strongly recommended that you choose to generate a new " | ||
227 | #~ "configuration file now." | ||
228 | #~ msgstr "Συνιστάται να επιλÎξετε την δημιουÏγία του νÎου αÏχείου Ïυθμίσεων." | ||
229 | |||
230 | #~ msgid "Warning: you must create a new host key" | ||
231 | #~ msgstr "" | ||
232 | #~ "Î Ïοσοχή: Ï€ÏÎπει να δημιουÏγήσετε Îνα νÎο κλειδί για τον υπολογιστή (host " | ||
233 | #~ "key)" | ||
234 | |||
235 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
236 | #~ msgstr "" | ||
237 | #~ "Î Ïοσοχή: είναι ήδη εγκατεστημÎνος ο telnetd --- όχι και τοσο καλή ιδÎα" | ||
238 | |||
239 | #~ msgid "" | ||
240 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
241 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
242 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
243 | #~ "unencrypted login/password and session information over the network." | ||
244 | #~ msgstr "" | ||
245 | #~ "Συνιστάται είτε να αφαιÏÎσετε το πακÎτο telnetd (αν δεν είναι Ï€Ïαγματικά " | ||
246 | #~ "απαÏαίτητη η Ï€Ïόσβαση μÎσω telnet) ή να εγκαταστήσετε το πακÎτο telnetd-" | ||
247 | #~ "ssl, ώστε να υπάÏχει τουλάχιστον μια πιθανότητα οι συνδÎσεις telnet να " | ||
248 | #~ "μην αποστÎλλουν μη κÏυπτογÏαφημÎνες πληÏοφοÏίες κωδικών Ï€Ïόσβασης και " | ||
249 | #~ "συνεδÏιών μÎσω δικτÏου." | ||
250 | |||
251 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
252 | #~ msgstr "" | ||
253 | #~ "Î Ïοσοχή: είναι ήδη εγκατεστημÎνος ο rsh-server --- όχι και τοσο καλή ιδÎα" | ||
254 | |||
255 | #~ msgid "" | ||
256 | #~ "having rsh-server installed undermines the security that you were " | ||
257 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
258 | #~ "that package." | ||
259 | #~ msgstr "" | ||
260 | #~ "Η παÏουσία του rsh-server υπονομεÏει την ασφάλεια του συστήματος, την " | ||
261 | #~ "οποία θÎλετε να εξασφαλίσετε με την εγκατάσταση του ssh. Συνιστάται η " | ||
262 | #~ "αφαίÏεση Î±Ï…Ï„Î¿Ï Ï„Î¿Ï… πακÎτου." | ||
263 | |||
264 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
265 | #~ msgstr "ΘÎλετε να εγκαταστήσετε το ssh-keysign ως SUID;" | ||
266 | |||
267 | #~ msgid "" | ||
268 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
269 | #~ "bit set." | ||
270 | #~ msgstr "" | ||
271 | #~ "Έχετε την επιλογή της εγκατάστασης του εÏγαλείου ssh-keysign με το bit " | ||
272 | #~ "SUID ενεÏγοποιημÎνο." | ||
273 | |||
274 | #~ msgid "" | ||
275 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
276 | #~ "host-based authentication." | ||
277 | #~ msgstr "" | ||
278 | #~ "Αν εγκαταστήσετε το ssh-keysign SUID, θα μποÏείτε να χÏησιμοποιήσετε την " | ||
279 | #~ "πιστοποίηση υπολογιστή (host-based authentication) του Ï€Ïωτοκόλου SSH 2." | ||
280 | |||
281 | #~ msgid "" | ||
282 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
283 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
284 | #~ msgstr "" | ||
285 | #~ "Αν Îχετε αμφιβολίες, συνιστάται να το εγκαταστήσετε SUID. Αν " | ||
286 | #~ "διαπιστώσετε Ï€Ïοβλήματα μποÏείτε να αλλάξετε τη ÏÏθμιση αυτή εκτελώντας: " | ||
287 | #~ "dpkg-reconfigure ssh" | ||
288 | |||
289 | #~ msgid "Allow SSH protocol 2 only" | ||
290 | #~ msgstr "Îα επιτÏÎπεται μόνο η χÏήση του Ï€Ïωτοκόλλου SSH 2" | ||
291 | |||
292 | #~ msgid "" | ||
293 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
294 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
295 | #~ "things down on low end machines and might prevent older clients from " | ||
296 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
297 | #~ msgstr "" | ||
298 | #~ "Αυτή η Îκδοση του OpenSSH υποστηÏίζει την Îκδοση 2 του Ï€Ïωτοκόλλου ssh, " | ||
299 | #~ "που είναι Ï€Î¿Î»Ï Ï€Î¹Î¿ ασφαλής. Συνιστάται η απενεÏγοποίηση της Îκδοσης 1, " | ||
300 | #~ "ωστόσο αυτό θα γίνει εις βάÏος της ταχÏτητας σε χαμηλότεÏων επιδόσεων " | ||
301 | #~ "συστήματα και θα απαγοÏÎψει τη σÏνδεση σε παλαιότεÏα Ï€ÏογÏάμματα-πελάτες " | ||
302 | #~ "(Ï€.χ. ο πελάτης ssh που διανÎμεται με την Îκδοση \"potato\")." | ||
303 | |||
304 | #~ msgid "" | ||
305 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
306 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
307 | #~ msgstr "" | ||
308 | #~ "Επίσης, σημειώστε ότι τα κλειδιά που χÏησιμοποιοÏνταν στο Ï€Ïωτόκολλο 1 " | ||
309 | #~ "είναι διαφοÏετικά και δε θα είναι δυνατή η χÏήση τους αν επιτÏÎψετε μόνο " | ||
310 | #~ "τις συνδÎσεις με το Ï€Ïωτόκολλο 2." | ||
311 | |||
312 | #~ msgid "" | ||
313 | #~ "If you later change your mind about this setting, README.Debian has " | ||
314 | #~ "instructions on what to do to your sshd_config file." | ||
315 | #~ msgstr "" | ||
316 | #~ "Αν αποφασίσετε διαφοÏετικά αÏγότεÏα για αυτή τη ÏÏθμιση, το αÏχείο README." | ||
317 | #~ "Debian Îχει οδηγίες για την κατάλληλη Ï„Ïοποποίηση του αÏχείου sshd_config." | ||
318 | |||
319 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
320 | #~ msgstr "" | ||
321 | #~ "ΣΗΜΕΙΩΣΗ: Η Ï€Ïοώθηση των πακÎτων X11 και πιστοποίησης είναι " | ||
322 | #~ "απενεÏγοποιημÎνηεξ οÏισμοÏ." | ||
323 | |||
324 | #~ msgid "" | ||
325 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
326 | #~ "ForwardAgent set to ``off'' by default." | ||
327 | #~ msgstr "" | ||
328 | #~ "Για λόγους ασφαλείας, η Îκδοση του ssh στο Debian Îχει τις επιλογÎÏ‚ " | ||
329 | #~ "ForwardX11 και ForwardAgent οÏισμÎνες σε ``off'' εξ οÏισμοÏ." | ||
330 | |||
331 | #~ msgid "" | ||
332 | #~ "You can enable it for servers you trust, either in one of the " | ||
333 | #~ "configuration files, or with the -X command line option." | ||
334 | #~ msgstr "" | ||
335 | #~ "ΜποÏείτε να τα ενεÏγοποιήσετε για διακομιστÎÏ‚ που εμπιστεÏεστε, είτε σε " | ||
336 | #~ "Îνα από τα αÏχεία Ïυθμίσεων, είτε μÎσω της επιλογής -X στη γÏαμμή εντολών." | ||
337 | |||
338 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
339 | #~ msgstr "" | ||
340 | #~ "ΠεÏισσότεÏες λεπτομÎÏειες μποÏείτε να βÏείτε στο αÏχείο /usr/share/doc/" | ||
341 | #~ "ssh/README.Debian" | ||
342 | |||
343 | #~ msgid "ssh2 keys merged in configuration files" | ||
344 | #~ msgstr "Τα κλειδιά ssh2 συγχωνεÏτηκαν στα αÏχεία Ïυθμίσεων" | ||
345 | |||
346 | #~ msgid "" | ||
347 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
348 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
349 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
350 | #~ "compatibility" | ||
351 | #~ msgstr "" | ||
352 | #~ "Από την Îκδοση 3 και Îπειτα, το OpenSSH δεν χÏησιμοποιεί πλÎον ξεχωÏιστά " | ||
353 | #~ "αÏχεία για τα κλειδιά των ssh1 και ssh2. Αυτό σημαίνει ότι τα αÏχεία " | ||
354 | #~ "authorized_keys2 και known_hosts2 δεν είναι πλÎον απαÏαίτητα. Θα " | ||
355 | #~ "χÏησιμοποιοÏνται μόνο για λόγους συμβατότητας." | ||
356 | |||
357 | #~ msgid "Do you want to run the sshd server?" | ||
358 | #~ msgstr "ΘÎλετε να εκτελÎσετε τον δαίμονα sshd;" | ||
359 | |||
360 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
361 | #~ msgstr "Το πακÎτο αυτό πεÏιÎχει το πελάτη ssh και το δαίμονα sshd." | ||
362 | |||
363 | #~ msgid "" | ||
364 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
365 | #~ "via ssh." | ||
366 | #~ msgstr "" | ||
367 | #~ "Κανονικά ο δαίμονας sshd (Δαίμονας ΑσφαλοÏÏ‚ ΚελÏφους) θα εκτελείται για " | ||
368 | #~ "απομακÏυσμÎνες συνδÎσεις μÎσω ssh." | ||
369 | |||
370 | #~ msgid "" | ||
371 | #~ "If you are only interested in using the ssh client for outbound " | ||
372 | #~ "connections on this machine, and don't want to log into it at all using " | ||
373 | #~ "ssh, then you can disable sshd here." | ||
374 | #~ msgstr "" | ||
375 | #~ "Αν ενδιαφÎÏεστε μόνο για τη χÏήση του πελάτη ssh για εξεÏχόμενες " | ||
376 | #~ "συνδÎσεις από αυτόν τον υπολογιστή και δεν επιθυμείτε να συνδÎεστε σε " | ||
377 | #~ "αυτόν μÎσω ssh, τότε μποÏείτε να απενεÏγοποιήσετε τον sshd στο σημείο " | ||
378 | #~ "αυτό." | ||
379 | |||
380 | #~ msgid "Environment options on keys have been deprecated" | ||
381 | #~ msgstr "" | ||
382 | #~ "Οι επιλογÎÏ‚ πεÏιβάλλοντος κελÏφους για τα κλειδιά είναι πλÎον παÏωχημÎνες." | ||
383 | |||
384 | #~ msgid "" | ||
385 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
386 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
387 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
388 | #~ "keys in question will no longer work until the option is removed." | ||
389 | #~ msgstr "" | ||
390 | #~ "Αυτή η Îκδοση του OpenSSH απενεÏγοποιεί τις επιλογÎÏ‚ πεÏιβάλλοντος " | ||
391 | #~ "κελÏφους για δημόσια κλειδιά εξ οÏισμοÏ, ώστε να αποφευχθοÏν οÏισμÎνου " | ||
392 | #~ "Ï„Ïπου επιθÎσεις (για παÏάδειγμα, LD_PRELOAD). Αν χÏησιμοποιείτε αυτήν την " | ||
393 | #~ "επιλογή σε Îνα αÏχείο authorized_keys, Îχετε υπόψιν σας ότι τα " | ||
394 | #~ "συγκεκÏιμÎνα κλειδιά δεν θα χÏησιμοποιοÏνται Îως ότου αφαιÏεθεί η επιλογή " | ||
395 | #~ "αυτή." | ||
396 | |||
397 | #~ msgid "" | ||
398 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
399 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
400 | #~ "the sshd_config(5) manual page." | ||
401 | #~ msgstr "" | ||
402 | #~ "Για να επανενεÏγοποιήσετε αυτήν την επιλογή, οÏίστε " | ||
403 | #~ "\"PermitUserEnvironment yes\" στο αÏχείο /etc/ssh/sshd_config μετά το " | ||
404 | #~ "Ï„Îλος της αναβάθμισης, Îχοντας υπόψιν την Ï€Ïοειδοποίηση στη σελίδα " | ||
405 | #~ "οδηγιών του sshd_config(5)." | ||
406 | |||
407 | #~ msgid "Privilege separation" | ||
408 | #~ msgstr "ΔιαχωÏισμός Î Ïονομίων" | ||
409 | |||
410 | #~ msgid "" | ||
411 | #~ "Privilege separation is turned on by default, so if you decide you want " | ||
412 | #~ "it turned off, you need to add \"UsePrivilegeSeparation no\" to /etc/ssh/" | ||
413 | #~ "sshd_config." | ||
414 | #~ msgstr "" | ||
415 | #~ "Ο διαχωÏισμός Ï€Ïονομίων είναι ενεÏγοποιημÎνος εξ οÏισμοÏ, οπότε αν " | ||
416 | #~ "αποφασίσετε ότι θÎλετε να τον απενεÏγοποιήσετε, Ï€ÏÎπει να Ï€ÏοσθÎσετε την " | ||
417 | #~ "ÏÏθμιση \"UsePrivilegeSeparation no\" στο αÏχείο sshd_config." | ||
418 | |||
419 | #~ msgid "Enable Privilege separation" | ||
420 | #~ msgstr "ΕνεÏγοποίηση ΔιαχωÏÎ¹ÏƒÎ¼Î¿Ï Î Ïονομίων" | ||
421 | |||
422 | #~ msgid "" | ||
423 | #~ "This version of OpenSSH contains the new privilege separation option. " | ||
424 | #~ "This significantly reduces the quantity of code that runs as root, and " | ||
425 | #~ "therefore reduces the impact of security holes in sshd." | ||
426 | #~ msgstr "" | ||
427 | #~ "Αυτή η Îκδοση του OpenSSH πεÏιλαμβάνει τη νÎα επιλογή διαχωÏÎ¹ÏƒÎ¼Î¿Ï " | ||
428 | #~ "Ï€Ïονομίων. Αυτό μειώνει δÏαστικά το ποσοστό των Ï€ÏογÏαμμάτων που " | ||
429 | #~ "εκτελοÏνται ως root, και κατά συνÎπεια και τις Ï„ÏÏπες ασφαλείας του sshd." | ||
430 | |||
431 | #~ msgid "" | ||
432 | #~ "Unfortunately, privilege separation interacts badly with PAM. Any PAM " | ||
433 | #~ "session modules that need to run as root (pam_mkhomedir, for example) " | ||
434 | #~ "will fail, and PAM keyboard-interactive authentication won't work." | ||
435 | #~ msgstr "" | ||
436 | #~ "Δυστυχώς, ο διαχωÏισμός Ï€Ïονομίων δεν συνεÏγάζεται σωστά με το PAM. " | ||
437 | #~ "Οποιεσδήποτε μονάδες συνεδÏίας (session modules) του PAM που Ï€ÏÎπει να " | ||
438 | #~ "εκτελεστοÏν ως root (pam_mkhomedir, για παÏάδειγμα) θα αποτÏχουν, και η " | ||
439 | #~ "πιστοποίηση μÎσω πληκτÏολογίου στο PAM δεν θα λειτουÏγεί." | ||
440 | |||
441 | #~ msgid "" | ||
442 | #~ "Since you've opted to have me generate an sshd_config file for you, you " | ||
443 | #~ "can choose whether or not to have privilege separation turned on or not. " | ||
444 | #~ "Unless you know you need to use PAM features that won't work with this " | ||
445 | #~ "option, you should enable it." | ||
446 | #~ msgstr "" | ||
447 | #~ "Εφόσον Îχετε επιλÎξει να δημιουÏγήθεί αυτόματα το αÏχείο sshd_config, " | ||
448 | #~ "μποÏείτε να επιλÎξετε επίσης αν θÎλετε να ενεÏγοποιήσετε το διαχωÏισμό " | ||
449 | #~ "Ï€Ïονομίων ή όχι. Εκτός αν γνωÏίζετε ότι χÏειάζεστε να χÏησιμοποιήσετε " | ||
450 | #~ "χαÏακτηÏιστικά του PAM που δε συνεÏγάζονται με αυτή την επιλογή, " | ||
451 | #~ "συνιστάται να την ενεÏγοποιήσετε." | ||
diff --git a/debian/po/es.po b/debian/po/es.po new file mode 100644 index 000000000..94667d7af --- /dev/null +++ b/debian/po/es.po | |||
@@ -0,0 +1,448 @@ | |||
1 | # | ||
2 | # openssh debconf translation to spanish | ||
3 | # Copyright (C) 2003-2007 Software in the Public Interest | ||
4 | # This file is distributed under the same license as the XXXX package. | ||
5 | # | ||
6 | # Changes: | ||
7 | # - Initial translation | ||
8 | # Carlos Valdivia Yagüe <valyag@dat,etsit.upm.es>, 2003 | ||
9 | # - Revision | ||
10 | # Javier Fernandez-Sanguino Peña <jfs@computer.org>, 2004 | ||
11 | # - Translation updates | ||
12 | # Javier Fernandez-Sanguino Peña <jfs@computer.org>, 2006-2008 | ||
13 | # | ||
14 | # Traductores, si no conoce el formato PO, merece la pena leer la | ||
15 | # documentación de gettext, especialmente las secciones dedicadas a este | ||
16 | # formato, por ejemplo ejecutando: | ||
17 | # info -n '(gettext)PO Files' | ||
18 | # info -n '(gettext)Header Entry' | ||
19 | # | ||
20 | # Equipo de traducción al español, por favor lean antes de traducir | ||
21 | # los siguientes documentos: | ||
22 | # | ||
23 | # - El proyecto de traducción de Debian al español | ||
24 | # http://www.debian.org/intl/spanish/coordinacion | ||
25 | # especialmente las notas de traducción en | ||
26 | # http://www.debian.org/intl/spanish/notas | ||
27 | # | ||
28 | # - La guía de traducción de po's de debconf: | ||
29 | # /usr/share/doc/po-debconf/README-trans | ||
30 | # o http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
31 | # | ||
32 | msgid "" | ||
33 | msgstr "" | ||
34 | "Project-Id-Version: openssh 3.6.1p2-11\n" | ||
35 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
36 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
37 | "PO-Revision-Date: 2008-05-22 00:56+0200\n" | ||
38 | "Last-Translator: Javier Fernandez-Sanguino Peña <jfs@debian.org>\n" | ||
39 | "Language-Team: Debian L10n Spanish <debian-l10n-spanish@lists.debian.org>\n" | ||
40 | "MIME-Version: 1.0\n" | ||
41 | "Content-Type: text/plain; charset=ISO-8859-15\n" | ||
42 | "Content-Transfer-Encoding: 8bit\n" | ||
43 | "X-POFile-SpellExtra: usr pid PasswordAuthentication PermitRootLogin server\n" | ||
44 | "X-POFile-SpellExtra: PAM start OpenSSH OpenSSL init sshhostkey daemon var\n" | ||
45 | "X-POFile-SpellExtra: config pam pidfile vulnkey run Potato keys share stop\n" | ||
46 | "X-POFile-SpellExtra: gz README ssh sshd doc keygen ARCHIVOCLAVESISTEMA SSH\n" | ||
47 | "X-POFile-SpellExtra: openssh root compromised\n" | ||
48 | |||
49 | #. Type: boolean | ||
50 | #. Description | ||
51 | #: ../openssh-server.templates:1001 | ||
52 | msgid "Do you want to risk killing active SSH sessions?" | ||
53 | msgstr "¿Desea correr el riesgo de matar las sesiones SSH activas?" | ||
54 | |||
55 | #. Type: boolean | ||
56 | #. Description | ||
57 | #: ../openssh-server.templates:1001 | ||
58 | msgid "" | ||
59 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
60 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
61 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
62 | msgstr "" | ||
63 | "La versión de /etc/init.d/ssh que tiene instalada es muy probable que mate " | ||
64 | "todas las estancias que están ejecutándose de sshd. Es muy probable que se " | ||
65 | "le desconecte y el procedimiento de actualización quede a medidas si " | ||
66 | "continúa y está realizando esta actualizando." | ||
67 | |||
68 | #. Type: boolean | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:1001 | ||
71 | msgid "" | ||
72 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
73 | "start-stop-daemon line in the stop section of the file." | ||
74 | msgstr "" | ||
75 | "Puede arreglarlo añadiendo manualmente «--pidfile /var/run/sshd.pid» a la " | ||
76 | "línea «start-stop-daemon», en la sección «stop» del fichero." | ||
77 | |||
78 | #. Type: note | ||
79 | #. Description | ||
80 | #: ../openssh-server.templates:2001 | ||
81 | msgid "New host key mandatory" | ||
82 | msgstr "Nueva clave de sistema obligatoria" | ||
83 | |||
84 | #. Type: note | ||
85 | #. Description | ||
86 | #: ../openssh-server.templates:2001 | ||
87 | msgid "" | ||
88 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
89 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
90 | "utility from the old (non-free) SSH installation does not appear to be " | ||
91 | "available." | ||
92 | msgstr "" | ||
93 | "La clave actual de su sistema, en /etc/ssh/ssh_host_key, está cifrada con el " | ||
94 | "algoritmo IDEA. OpenSSH no puede manejar este fichero de clave y tampoco " | ||
95 | "parece estar disponible la utilidad «ssh-keygen» de la instalación antigua de " | ||
96 | "SSH (no libre)." | ||
97 | |||
98 | #. Type: note | ||
99 | #. Description | ||
100 | #: ../openssh-server.templates:2001 | ||
101 | msgid "You need to manually generate a new host key." | ||
102 | msgstr "Debe generar manualmente una nueva clave de sistema." | ||
103 | |||
104 | #. Type: boolean | ||
105 | #. Description | ||
106 | #: ../openssh-server.templates:3001 | ||
107 | msgid "Disable challenge-response authentication?" | ||
108 | msgstr "¿Desea deshabilitar la autenticación basada en desafío-respuesta?" | ||
109 | |||
110 | #. Type: boolean | ||
111 | #. Description | ||
112 | #: ../openssh-server.templates:3001 | ||
113 | msgid "" | ||
114 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
115 | "configuration. In order to prevent users from logging in using passwords " | ||
116 | "(perhaps using only public key authentication instead) with recent versions " | ||
117 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
118 | "ensure that your PAM configuration does not allow Unix password file " | ||
119 | "authentication." | ||
120 | msgstr "" | ||
121 | "Parece que la configuración actual de su servidor de OpenSSH tiene " | ||
122 | "deshabilitada la autenticación mediante contraseñas. En las versiones " | ||
123 | "recientes de OpenSSH para impedir que los usuarios se puedan conectar con " | ||
124 | "contraseñas (y obligar la utilización de sistemas de autenticación con clave " | ||
125 | "pública) debe deshabilitar la autenticación basada en desafío-respuesta o " | ||
126 | "asegurarse de que su configuración PAM no permite autenticación basada en el " | ||
127 | "fichero de contraseñas Unix." | ||
128 | |||
129 | #. Type: boolean | ||
130 | #. Description | ||
131 | #: ../openssh-server.templates:3001 | ||
132 | msgid "" | ||
133 | "If you disable challenge-response authentication, then users will not be " | ||
134 | "able to log in using passwords. If you leave it enabled (the default " | ||
135 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
136 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
137 | msgstr "" | ||
138 | "Si deshabilita la autenticación mediante desafío-respuesta los usuarios no " | ||
139 | "podrán acceder con contraseñas. Si la deja habilitada (respuesta por " | ||
140 | "omisión) entonces la opción «PasswordAuthentication no» no tendrá ninguna " | ||
141 | "utilidad a menos que ajuste su configuración de PAM en «/etc/pam.d/ssh»." | ||
142 | |||
143 | #. Type: note | ||
144 | #. Description | ||
145 | #: ../openssh-server.templates:4001 | ||
146 | msgid "Vulnerable host keys will be regenerated" | ||
147 | msgstr "Se regenerarán las claves vulnerables del sistema" | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "" | ||
153 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
154 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
155 | "these host keys are from a well-known set, are subject to brute-force " | ||
156 | "attacks, and must be regenerated." | ||
157 | msgstr "" | ||
158 | "Algunas de las claves de sistema del servidor OpenSSH en este equipo se " | ||
159 | "generaron con una versión de OpenSSL que tenía un generador de números " | ||
160 | "aleatorios defectuoso. Consecuentemente, estas claves de sistema son de un " | ||
161 | "conjunto de claves conocidas y están sujetas a ataques de fuerza bruta por " | ||
162 | "lo que conviene regenerarlas." | ||
163 | |||
164 | #. Type: note | ||
165 | #. Description | ||
166 | #: ../openssh-server.templates:4001 | ||
167 | msgid "" | ||
168 | "Users of this system should be informed of this change, as they will be " | ||
169 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
170 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
171 | "the new host keys." | ||
172 | msgstr "" | ||
173 | "Se informará a los usuarios de este sistema ya que se les informará del " | ||
174 | "cambio de clave la siguiente vez que se conecten. Utilice «ssh-keygen -l -f " | ||
175 | "ARCHIVO_CLAVE_SISTEMA» después de la actualización para obtener la huella " | ||
176 | "digital de las nuevas claves del sistema." | ||
177 | |||
178 | #. Type: note | ||
179 | #. Description | ||
180 | #: ../openssh-server.templates:4001 | ||
181 | msgid "The affected host keys are:" | ||
182 | msgstr "Las claves del sistema afectadas son:" | ||
183 | |||
184 | #. Type: note | ||
185 | #. Description | ||
186 | #: ../openssh-server.templates:4001 | ||
187 | msgid "" | ||
188 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
189 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
190 | "README.compromised-keys.gz for more details." | ||
191 | msgstr "" | ||
192 | "Las claves de los usuarios también pueden estar afectadas por este problema. " | ||
193 | "Se puede utilizar el programa «ssh-vulnkey» como un test parcial para " | ||
194 | "detectar el problema. Consulte la información en «/usr/share/doc/openssh-" | ||
195 | "server/README.compromised-keys.gz» para conocer los detalles." | ||
196 | |||
197 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
198 | #~ msgstr "¿Desea generar un nuevo fichero de configuración para OpenSSH?" | ||
199 | |||
200 | #~ msgid "" | ||
201 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
202 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
203 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
204 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
205 | #~ "will not contain any customizations you made with the old version." | ||
206 | #~ msgstr "" | ||
207 | #~ "Esta versión de OpenSSH ha cambiado considerablemente el fichero de " | ||
208 | #~ "configuración del incluido en Debian 'Potato', que es la versión desde la " | ||
209 | #~ "que parece estar actualizando. Puede crear automáticamente un nuevo " | ||
210 | #~ "fichero de configuración (/etc/ssh/sshd.config), que funcionará con la " | ||
211 | #~ "nueva versión del servidor, pero no incluirá las modificaciones que " | ||
212 | #~ "hiciera en la versión antigua." | ||
213 | |||
214 | #~ msgid "" | ||
215 | #~ "Please note that this new configuration file will set the value of " | ||
216 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
217 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
218 | #~ "details about this design choice." | ||
219 | #~ msgstr "" | ||
220 | #~ "Además, recuerde que este nuevo fichero de configuración dirá sí en la " | ||
221 | #~ "opción «PermitRootLogin», por lo que cualquiera que conozca la contraseña " | ||
222 | #~ "de root podrá entrar mediante ssh directamente como root. Puede leer " | ||
223 | #~ "README.Debian si quiere conocer más información sobre esta elección de " | ||
224 | #~ "diseño." | ||
225 | |||
226 | #~ msgid "" | ||
227 | #~ "It is strongly recommended that you choose to generate a new " | ||
228 | #~ "configuration file now." | ||
229 | #~ msgstr "" | ||
230 | #~ "Es muy recomendable que elija generar un nuevo fichero de configuración " | ||
231 | #~ "ahora." | ||
232 | |||
233 | #~ msgid "Warning: you must create a new host key" | ||
234 | #~ msgstr "Aviso: debe crear una nueva clave para su servidor" | ||
235 | |||
236 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
237 | #~ msgstr "Aviso: tiene telnetd instalado (posiblemente no es una buena idea)" | ||
238 | |||
239 | #~ msgid "" | ||
240 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
241 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
242 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
243 | #~ "unencrypted login/password and session information over the network." | ||
244 | #~ msgstr "" | ||
245 | #~ "Es muy aconsejable que borre el paquete telnetd si no necesita realmente " | ||
246 | #~ "ofrecer acceso mediante telnet o instalar telnetd-ssl para que las " | ||
247 | #~ "contraseñas, nombres de usuario y demás información de las sesiones " | ||
248 | #~ "telnet no viajen sin cifrar por la red." | ||
249 | |||
250 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
251 | #~ msgstr "" | ||
252 | #~ "Aviso: tiene rsh-server instalado (seguramente, esto no es una buena idea)" | ||
253 | |||
254 | #~ msgid "" | ||
255 | #~ "having rsh-server installed undermines the security that you were " | ||
256 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
257 | #~ "that package." | ||
258 | #~ msgstr "" | ||
259 | #~ "Tener rsh-server instalado representa un menoscabo de la seguridad que " | ||
260 | #~ "probablemente desea obtener instalando ssh. Es muy aconsejable que borre " | ||
261 | #~ "ese paquete." | ||
262 | |||
263 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
264 | #~ msgstr "¿Quiere instalar ssh-keysign SUID root?" | ||
265 | |||
266 | #~ msgid "" | ||
267 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
268 | #~ "bit set." | ||
269 | #~ msgstr "" | ||
270 | #~ "Puede instalar ssh-keysign con el bit SUID (se ejecutará con privilegios " | ||
271 | #~ "de root)." | ||
272 | |||
273 | #~ msgid "" | ||
274 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
275 | #~ "host-based authentication." | ||
276 | #~ msgstr "" | ||
277 | #~ "Si hace ssh-keysign SUID, podrá usar la autenticación basada en servidor " | ||
278 | #~ "de la versión 2 del protocolo SSH." | ||
279 | |||
280 | #~ msgid "" | ||
281 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
282 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
283 | #~ msgstr "" | ||
284 | #~ "Si duda, se recomienda que lo instale SUID. Si le causa problemas puede " | ||
285 | #~ "cambiar de opinión posteriormente ejecutando «dpkg-reconfigure ssh»." | ||
286 | |||
287 | #~ msgid "Allow SSH protocol 2 only" | ||
288 | #~ msgstr "Permitir sólo la versión 2 del protocolo SSH" | ||
289 | |||
290 | #~ msgid "" | ||
291 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
292 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
293 | #~ "things down on low end machines and might prevent older clients from " | ||
294 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
295 | #~ msgstr "" | ||
296 | #~ "Esta versión de OpenSSH soporta la versión 2 del protocolo ssh, que es " | ||
297 | #~ "mucho más segura que la anterior. Se recomienda desactivar la versión 1, " | ||
298 | #~ "aunque funcionará más lento en máquinas modestas y puede impedir que se " | ||
299 | #~ "conecten clientes antiguos, como, por ejemplo, el incluido en «potato»." | ||
300 | |||
301 | #~ msgid "" | ||
302 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
303 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
304 | #~ msgstr "" | ||
305 | #~ "También tenga en cuenta que las claves utilizadas para el protocolo 1 son " | ||
306 | #~ "diferentes, por lo que no podrá usarlas si únicamente permite conexiones " | ||
307 | #~ "mediante la versión 2 del protocolo." | ||
308 | |||
309 | #~ msgid "" | ||
310 | #~ "If you later change your mind about this setting, README.Debian has " | ||
311 | #~ "instructions on what to do to your sshd_config file." | ||
312 | #~ msgstr "" | ||
313 | #~ "Si más tarde cambia de opinión, el fichero README.Debian contiene " | ||
314 | #~ "instrucciones sobre cómo modificar en el fichero sshd_config." | ||
315 | |||
316 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
317 | #~ msgstr "NOTA: Reenvío de X11 y Autorización desactivadas por defecto." | ||
318 | |||
319 | #~ msgid "" | ||
320 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
321 | #~ "ForwardAgent set to ``off'' by default." | ||
322 | #~ msgstr "" | ||
323 | #~ "Por razones de seguridad, la versión de ssh de Debian tiene por defecto " | ||
324 | #~ "ForwardX11 y ForwardAgent desactivadas." | ||
325 | |||
326 | #~ msgid "" | ||
327 | #~ "You can enable it for servers you trust, either in one of the " | ||
328 | #~ "configuration files, or with the -X command line option." | ||
329 | #~ msgstr "" | ||
330 | #~ "Puede activar estas opciones para los servidores en los que confíe, en " | ||
331 | #~ "los ficheros de configuración o con la opción -X en línea de comandos." | ||
332 | |||
333 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
334 | #~ msgstr "Puede encontrar más detalles en /usr/share/doc/ssh/README.Debian." | ||
335 | |||
336 | #~ msgid "ssh2 keys merged in configuration files" | ||
337 | #~ msgstr "Las claves ssh2 ya se incluyen en los ficheros de configuración" | ||
338 | |||
339 | #~ msgid "" | ||
340 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
341 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
342 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
343 | #~ "compatibility" | ||
344 | #~ msgstr "" | ||
345 | #~ "A partir de la versión 3, OpenSSH ya no utiliza ficheros diferentes para " | ||
346 | #~ "las claves ssh1 y ssh2. Esto quiere decir que ya no son necesarios los " | ||
347 | #~ "ficheros authorized_keys2 y known_hosts2, aunque aún se seguirán leyendo " | ||
348 | #~ "para mantener compatibilidad hacia atrás." | ||
349 | |||
350 | #~ msgid "Do you want to run the sshd server?" | ||
351 | #~ msgstr "¿Quiere ejecutar el servidor sshd?" | ||
352 | |||
353 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
354 | #~ msgstr "Este paquete contiene el cliente ssh y el servidor sshd." | ||
355 | |||
356 | #~ msgid "" | ||
357 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
358 | #~ "via ssh." | ||
359 | #~ msgstr "" | ||
360 | #~ "Generalmente, el servidor de ssh (Secure Shell Server) se ejecuta para " | ||
361 | #~ "permitir el acceso remoto mediante ssh." | ||
362 | |||
363 | #~ msgid "" | ||
364 | #~ "If you are only interested in using the ssh client for outbound " | ||
365 | #~ "connections on this machine, and don't want to log into it at all using " | ||
366 | #~ "ssh, then you can disable sshd here." | ||
367 | #~ msgstr "" | ||
368 | #~ "Si sólo está interesado en usar el cliente ssh en conexiones salientes " | ||
369 | #~ "del sistema y no quiere acceder a él mediante ssh, entonces puede " | ||
370 | #~ "desactivar sshd." | ||
371 | |||
372 | #~ msgid "Environment options on keys have been deprecated" | ||
373 | #~ msgstr "Las opciones de entorno para las claves, en desuso" | ||
374 | |||
375 | #~ msgid "" | ||
376 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
377 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
378 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
379 | #~ "keys in question will no longer work until the option is removed." | ||
380 | #~ msgstr "" | ||
381 | #~ "Esta versión de OpenSSH tiene desactivada por defecto la opción de " | ||
382 | #~ "entorno para las claves públicas, para evitar ciertos ataques (por " | ||
383 | #~ "ejemplo, basados en LD_PRELOAD). Si utiliza esta opción en un fichero " | ||
384 | #~ "authorized_keys, las claves implicadas no funcionarán hasta que borre la " | ||
385 | #~ "opción." | ||
386 | |||
387 | #~ msgid "" | ||
388 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
389 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
390 | #~ "the sshd_config(5) manual page." | ||
391 | #~ msgstr "" | ||
392 | #~ "Para volver a activar esta opción, escriba «PermitUserEnvironment yes» en /" | ||
393 | #~ "etc/ssh/sshd_config al terminar la actualización, teniendo en cuenta el " | ||
394 | #~ "aviso de la página de manual de sshd_config(5)." | ||
395 | |||
396 | #~ msgid "Privilege separation" | ||
397 | #~ msgstr "Separación de privilegios" | ||
398 | |||
399 | #~ msgid "" | ||
400 | #~ "Privilege separation is turned on by default, so if you decide you want " | ||
401 | #~ "it turned off, you need to add \"UsePrivilegeSeparation no\" to /etc/ssh/" | ||
402 | #~ "sshd_config." | ||
403 | #~ msgstr "" | ||
404 | #~ "La separación de privilegios está activa por defecto, por lo que si " | ||
405 | #~ "decide desactivarla, tiene que añadir «UsePrivilegeSeparation no» al " | ||
406 | #~ "fichero /etc/ssh/sshd_config." | ||
407 | |||
408 | #~ msgid "Enable Privilege separation" | ||
409 | #~ msgstr "Activar separación de privilegios" | ||
410 | |||
411 | #~ msgid "" | ||
412 | #~ "This version of OpenSSH contains the new privilege separation option. " | ||
413 | #~ "This significantly reduces the quantity of code that runs as root, and " | ||
414 | #~ "therefore reduces the impact of security holes in sshd." | ||
415 | #~ msgstr "" | ||
416 | #~ "Esta versión de OpenSSH incluye una nueva opción de separación de " | ||
417 | #~ "privilegios que reduce significativamente la cantidad de código que se " | ||
418 | #~ "ejecuta como root, por lo que reduce el impacto de posibles agujeros de " | ||
419 | #~ "seguridad en sshd." | ||
420 | |||
421 | #~ msgid "" | ||
422 | #~ "Unfortunately, privilege separation interacts badly with PAM. Any PAM " | ||
423 | #~ "session modules that need to run as root (pam_mkhomedir, for example) " | ||
424 | #~ "will fail, and PAM keyboard-interactive authentication won't work." | ||
425 | #~ msgstr "" | ||
426 | #~ "Desafortunadamente, la separación de privilegios no funciona " | ||
427 | #~ "correctamente con PAM. Cualquier módulo PAM que necesite ejecutarse como " | ||
428 | #~ "root (como, por ejemplo, pam_mkhomedir) y la autenticación interactiva " | ||
429 | #~ "PAM con teclado no funcionarán." | ||
430 | |||
431 | #~ msgid "" | ||
432 | #~ "Since you've opted to have me generate an sshd_config file for you, you " | ||
433 | #~ "can choose whether or not to have privilege separation turned on or not. " | ||
434 | #~ "Unless you know you need to use PAM features that won't work with this " | ||
435 | #~ "option, you should enable it." | ||
436 | #~ msgstr "" | ||
437 | #~ "Puesto que ha elegido crear automáticamente el fichero sshd_config, puede " | ||
438 | #~ "decidir ahora si quiere activar la opción de separación de privilegios. A " | ||
439 | #~ "menos que necesite usar ciertas características de PAM que no funcionan " | ||
440 | #~ "con esta opción, debería responder sí a esta pregunta." | ||
441 | |||
442 | #~ msgid "" | ||
443 | #~ "NB! If you are running a 2.0 series Linux kernel, then privilege " | ||
444 | #~ "separation will not work at all, and your sshd will fail to start unless " | ||
445 | #~ "you explicitly turn privilege separation off." | ||
446 | #~ msgstr "" | ||
447 | #~ "Nota: Si utiliza un núcleo Linux 2.0, la separación de privilegios " | ||
448 | #~ "fallará estrepitosamente y sshd no funcionará a no ser que la desactive." | ||
diff --git a/debian/po/eu.po b/debian/po/eu.po new file mode 100644 index 000000000..efa16fa81 --- /dev/null +++ b/debian/po/eu.po | |||
@@ -0,0 +1,197 @@ | |||
1 | # translation of openssh-templates.po to basque | ||
2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the PACKAGE package. | ||
4 | # | ||
5 | # Piarres Beobide <pi@beobide.net>, 2007, 2008. | ||
6 | msgid "" | ||
7 | msgstr "" | ||
8 | "Project-Id-Version: openssh-templates\n" | ||
9 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
10 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
11 | "PO-Revision-Date: 2007-04-27 12:10+0200\n" | ||
12 | "Last-Translator: Piarres Beobide <pi@beobide.net>\n" | ||
13 | "Language-Team: librezale <librezale@librezale.org>\n" | ||
14 | "MIME-Version: 1.0\n" | ||
15 | "Content-Type: text/plain; charset=UTF-8\n" | ||
16 | "Content-Transfer-Encoding: 8bit\n" | ||
17 | "X-Generator: Pootle 0.11\n" | ||
18 | "Plural-Forms: nplurals=2; plural=(n != 1);\n" | ||
19 | |||
20 | #. Type: boolean | ||
21 | #. Description | ||
22 | #: ../openssh-server.templates:1001 | ||
23 | msgid "Do you want to risk killing active SSH sessions?" | ||
24 | msgstr "Irekirik dauden SSH saioak ixteko arriskua hartu nahi duzu?" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | msgid "" | ||
30 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
31 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
32 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
33 | msgstr "" | ||
34 | "Instalaturik dagoen /etc/init.d/ssh bertsioak martxan dauden sshd " | ||
35 | "instantziak hilko ditu. Bertsio berritze hau SSH bidez egiten ari bazara, " | ||
36 | "ziurrenik deskonektatu egingo zara eta bertsio berritze prozedura ez da " | ||
37 | "behar bezala amaituko." | ||
38 | |||
39 | #. Type: boolean | ||
40 | #. Description | ||
41 | #: ../openssh-server.templates:1001 | ||
42 | msgid "" | ||
43 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
44 | "start-stop-daemon line in the stop section of the file." | ||
45 | msgstr "" | ||
46 | "Hau eskuz konpondu daiteke \"--pidfile /var/run/sshd.pid\" gehituaz start-" | ||
47 | "stop-daemon lerroan fitxategiaren \"stop\" atalean." | ||
48 | |||
49 | #. Type: note | ||
50 | #. Description | ||
51 | #: ../openssh-server.templates:2001 | ||
52 | msgid "New host key mandatory" | ||
53 | msgstr "Ostalari gako berria beharrezkoa" | ||
54 | |||
55 | #. Type: note | ||
56 | #. Description | ||
57 | #: ../openssh-server.templates:2001 | ||
58 | msgid "" | ||
59 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
60 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
61 | "utility from the old (non-free) SSH installation does not appear to be " | ||
62 | "available." | ||
63 | msgstr "" | ||
64 | "/etc/ssh/ssh_host_key-ko ostalari gakoa IDEA algoritmoaren bidez " | ||
65 | "enkriptaturik dago. OpenSSH ez da ostalari gako mota hau kudeatzeko gai eta " | ||
66 | "SSH instalazio zaharreko (ez-librea) ssh-keygen lanabesa dirudienez ez dago " | ||
67 | "erabilgarri." | ||
68 | |||
69 | #. Type: note | ||
70 | #. Description | ||
71 | #: ../openssh-server.templates:2001 | ||
72 | msgid "You need to manually generate a new host key." | ||
73 | msgstr "Ostalari gako berri bat eskuz sortu behar duzu." | ||
74 | |||
75 | #. Type: boolean | ||
76 | #. Description | ||
77 | #: ../openssh-server.templates:3001 | ||
78 | msgid "Disable challenge-response authentication?" | ||
79 | msgstr "erronka-erantzun autentifikazioa desgaitu?" | ||
80 | |||
81 | #. Type: boolean | ||
82 | #. Description | ||
83 | #: ../openssh-server.templates:3001 | ||
84 | msgid "" | ||
85 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
86 | "configuration. In order to prevent users from logging in using passwords " | ||
87 | "(perhaps using only public key authentication instead) with recent versions " | ||
88 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
89 | "ensure that your PAM configuration does not allow Unix password file " | ||
90 | "authentication." | ||
91 | msgstr "" | ||
92 | "Pasahitz egiaztapena dirudienez desgaiturik dago instalaturik dagoen OpenSSH " | ||
93 | "konfigurazioan. Pasahitzak erabiliaz OpenSSH bertsio berrietan saio hastea " | ||
94 | "ezintzeko (agian gako publiko autentifikazioa bakarrik erabiliaz), erronka-" | ||
95 | "erantzun (challenge-response) autentifikazioa desgaitu edo zure PAM " | ||
96 | "konfigurazioak UNIX pasahitz fitxategi autentifikazioa onartzen ez duela " | ||
97 | "ziurtatu beharko duzu." | ||
98 | |||
99 | #. Type: boolean | ||
100 | #. Description | ||
101 | #: ../openssh-server.templates:3001 | ||
102 | msgid "" | ||
103 | "If you disable challenge-response authentication, then users will not be " | ||
104 | "able to log in using passwords. If you leave it enabled (the default " | ||
105 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
106 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
107 | msgstr "" | ||
108 | "Erronka-erantzun autentifikazioa des\tgaituaz gero erabiltzaileak ez dira " | ||
109 | "pasahitza erabiliaz saio hasteko gai izango. Berau gaiturik utziaz gero " | ||
110 | "(lehenetsiriko erantzuna), 'PasswordAuthentication no' aukerak ez du " | ||
111 | "ondoriorik izango /etc/pam.d/ssh-eko PAM konfigurazioa doitzen ez baduzu." | ||
112 | |||
113 | #. Type: note | ||
114 | #. Description | ||
115 | #: ../openssh-server.templates:4001 | ||
116 | msgid "Vulnerable host keys will be regenerated" | ||
117 | msgstr "Ostalari gako ahulak birsortu egingo dira" | ||
118 | |||
119 | #. Type: note | ||
120 | #. Description | ||
121 | #: ../openssh-server.templates:4001 | ||
122 | msgid "" | ||
123 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
124 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
125 | "these host keys are from a well-known set, are subject to brute-force " | ||
126 | "attacks, and must be regenerated." | ||
127 | msgstr "" | ||
128 | "Sistema honetako zenbait OpenSSH ostalari gako hondaturiko ausazko zenbasi " | ||
129 | "sortzaile bat zuen OpenSSL bertsio batez sortuak izan ziren. Hau dela eta, " | ||
130 | "ostalari gako horiek ezagutza handiko pertsona batek indarrezko erasoei " | ||
131 | "ahulak dira eta birsortuak izango dira." | ||
132 | |||
133 | #. Type: note | ||
134 | #. Description | ||
135 | #: ../openssh-server.templates:4001 | ||
136 | msgid "" | ||
137 | "Users of this system should be informed of this change, as they will be " | ||
138 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
139 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
140 | "the new host keys." | ||
141 | msgstr "" | ||
142 | "Sistema honetako erabiltzaileak aldaketa honetaz ohartu beharko ziren, saio " | ||
143 | "hasten duten hurrengoan ostalari gako aldaketaz galdetuko zaie eta. 'ssh-" | ||
144 | "keygen -l -f OSTALARI_GAKO_FITX' erabili bertsio-berritzearen ondoren " | ||
145 | "ostalari gako berrien hatzmarkak inprimatzeko." | ||
146 | |||
147 | #. Type: note | ||
148 | #. Description | ||
149 | #: ../openssh-server.templates:4001 | ||
150 | msgid "The affected host keys are:" | ||
151 | msgstr "Ostalari gako hauei eragingo die:" | ||
152 | |||
153 | #. Type: note | ||
154 | #. Description | ||
155 | #: ../openssh-server.templates:4001 | ||
156 | msgid "" | ||
157 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
158 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
159 | "README.compromised-keys.gz for more details." | ||
160 | msgstr "" | ||
161 | "Erabiltzaile gakoak ere arazo honengatik eragindak egon daitezke. 'ssh-" | ||
162 | "vulnkey' komandoak honetarako proba bezala erdi-ziur erabili daiteke. Ikusi /" | ||
163 | "usr/share/doc/openssh-server/README.compromised-keys.gz xehetasun " | ||
164 | "gehiagorako." | ||
165 | |||
166 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
167 | #~ msgstr "OpenSSH-rentzat konfigurazio fitxategi berri bat sortu?" | ||
168 | |||
169 | #~ msgid "" | ||
170 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
171 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
172 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
173 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
174 | #~ "will not contain any customizations you made with the old version." | ||
175 | #~ msgstr "" | ||
176 | #~ "OpenSSH bertsio honek konfigurazio fitxategia nahiko aldatu du Debian " | ||
177 | #~ "'Potato' bertsioak banatu zuenetik, dirudienez zu bertsio horretatik " | ||
178 | #~ "eguneratzen ari zara. Pakete honek konfigurazio fitxategi berri bat sortu " | ||
179 | #~ "dezake (/etc/ssh/sshd.config) bertsio honetarako funtziona dezan baina ez " | ||
180 | #~ "ditu zuk bertsio zaharrari egin ahal izan diezazkiokezun " | ||
181 | #~ "pertsonalizazioak edukiko." | ||
182 | |||
183 | #~ msgid "" | ||
184 | #~ "Please note that this new configuration file will set the value of " | ||
185 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
186 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
187 | #~ "details about this design choice." | ||
188 | #~ msgstr "" | ||
189 | #~ "Kontutan izan konfigurazio fitxategi berri honek 'PermitRootLogin' " | ||
190 | #~ "parametroan balioa 'yes' bezala ezarriko duela (honek root erabiltzaileak " | ||
191 | #~ "ssh bidez sartzeko aukera emango du). Mesedez irakurri README.Debian " | ||
192 | #~ "fitxategia ezarpen honen xehetasun gehiagorako." | ||
193 | |||
194 | #~ msgid "" | ||
195 | #~ "It is strongly recommended that you choose to generate a new " | ||
196 | #~ "configuration file now." | ||
197 | #~ msgstr "Gomendagarria da konfigurazio fitxategi berri bat orain sortzea." | ||
diff --git a/debian/po/fi.po b/debian/po/fi.po new file mode 100644 index 000000000..b5e192db3 --- /dev/null +++ b/debian/po/fi.po | |||
@@ -0,0 +1,202 @@ | |||
1 | # translation of fi.po to Finnish | ||
2 | # openssh translation | ||
3 | # | ||
4 | # Translators, if you are not familiar with the PO format, gettext | ||
5 | # documentation is worth reading, especially sections dedicated to | ||
6 | # this format, e.g. by running: | ||
7 | # info -n '(gettext)PO Files' | ||
8 | # info -n '(gettext)Header Entry' | ||
9 | # | ||
10 | # Some information specific to po-debconf are available at | ||
11 | # /usr/share/doc/po-debconf/README-trans | ||
12 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
13 | # | ||
14 | # Developers do not need to manually edit POT or PO files. | ||
15 | # | ||
16 | # Matti Pöllä <mpo@iki.fi>, 2004-2005. | ||
17 | msgid "" | ||
18 | msgstr "" | ||
19 | "Project-Id-Version: openssh\n" | ||
20 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
21 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
22 | "PO-Revision-Date: 2008-05-17 16:38+0200\n" | ||
23 | "Last-Translator: Esko Arajärvi <edu@iki.fi>\n" | ||
24 | "Language-Team: Finnish <debian-l10n-finnish@lists.debian.org>\n" | ||
25 | "MIME-Version: 1.0\n" | ||
26 | "Content-Type: text/plain; charset=UTF-8\n" | ||
27 | "Content-Transfer-Encoding: 8bit\n" | ||
28 | |||
29 | #. Type: boolean | ||
30 | #. Description | ||
31 | #: ../openssh-server.templates:1001 | ||
32 | msgid "Do you want to risk killing active SSH sessions?" | ||
33 | msgstr "Haluatko ottaa riskin, että aktiiviset SSH-istunnot tapetaan?" | ||
34 | |||
35 | #. Type: boolean | ||
36 | #. Description | ||
37 | #: ../openssh-server.templates:1001 | ||
38 | msgid "" | ||
39 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
40 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
41 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
42 | msgstr "" | ||
43 | "Tiedoston /etc/init.d/ssh asennettuna oleva versio tappaa todennäköisesti " | ||
44 | "kaikki käynnissä olevat sshd-prosessit. Jos teet tätä päivitystä ssh-" | ||
45 | "yhteyden yli, yhteytesi luultavasti katkeaa ja päivitysprosessi keskeytyy." | ||
46 | |||
47 | #. Type: boolean | ||
48 | #. Description | ||
49 | #: ../openssh-server.templates:1001 | ||
50 | msgid "" | ||
51 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
52 | "start-stop-daemon line in the stop section of the file." | ||
53 | msgstr "" | ||
54 | "Tämä voidaan korjata lisäämällä merkkijono â€--pidfile /var/run/sshd.pid†" | ||
55 | "kyseisen tiedoston stop-osion start-stop-daemon-riville." | ||
56 | |||
57 | #. Type: note | ||
58 | #. Description | ||
59 | #: ../openssh-server.templates:2001 | ||
60 | msgid "New host key mandatory" | ||
61 | msgstr "Uusi järjestelmäavain pakollinen" | ||
62 | |||
63 | #. Type: note | ||
64 | #. Description | ||
65 | #: ../openssh-server.templates:2001 | ||
66 | msgid "" | ||
67 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
68 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
69 | "utility from the old (non-free) SSH installation does not appear to be " | ||
70 | "available." | ||
71 | msgstr "" | ||
72 | "Olemassa oleva järjestelmäavain /etc/ssh/ssh_host_key on salattu IDEA-" | ||
73 | "algoritmilla. OpenSSH ei voi käsitellä tätä järjestelmäavaintiedostoa, eikä " | ||
74 | "vanhan (ei-vapaan) SSH-asennuksen ssh-keygen-ohjelmaa löydy." | ||
75 | |||
76 | #. Type: note | ||
77 | #. Description | ||
78 | #: ../openssh-server.templates:2001 | ||
79 | msgid "You need to manually generate a new host key." | ||
80 | msgstr "Uuden järjestelmäavaimen (host key) luominen on tarpeen." | ||
81 | |||
82 | #. Type: boolean | ||
83 | #. Description | ||
84 | #: ../openssh-server.templates:3001 | ||
85 | msgid "Disable challenge-response authentication?" | ||
86 | msgstr "Poistetaanko haaste-vaste-autentikointi käytöstä?" | ||
87 | |||
88 | #. Type: boolean | ||
89 | #. Description | ||
90 | #: ../openssh-server.templates:3001 | ||
91 | msgid "" | ||
92 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
93 | "configuration. In order to prevent users from logging in using passwords " | ||
94 | "(perhaps using only public key authentication instead) with recent versions " | ||
95 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
96 | "ensure that your PAM configuration does not allow Unix password file " | ||
97 | "authentication." | ||
98 | msgstr "" | ||
99 | "OpenSSH-palvelimen nykyisissä asetuksissa salasana-autentikointi näyttää " | ||
100 | "olevan poissa käytöstä. Estääksesi kirjautumiset salasanaa käyttäen (esim. " | ||
101 | "salliaksesi kirjautumisen vain julkista avainta käyttäen), OpenSSH:n uusissa " | ||
102 | "versioissa haaste-vaste-autentikointi tulee poistaa käytöstä tai muutoin " | ||
103 | "varmistaa, että PAM-asetukset eivät salli Unixin salasanatiedostoon " | ||
104 | "perustuvaa autentikointia." | ||
105 | |||
106 | #. Type: boolean | ||
107 | #. Description | ||
108 | #: ../openssh-server.templates:3001 | ||
109 | msgid "" | ||
110 | "If you disable challenge-response authentication, then users will not be " | ||
111 | "able to log in using passwords. If you leave it enabled (the default " | ||
112 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
113 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
114 | msgstr "" | ||
115 | "Jos poistat haaste-vaste-autentikoinnin käytöstä, käyttäjät eivät voi " | ||
116 | "kirjautua käyttäen salasanaa. Jos jätät sen päälle (oletus), asetuksella " | ||
117 | "â€PasswordAuthentication no†ei ole vaikutusta, ellet muuta myös PAM-" | ||
118 | "asetuksia tiedostossa /etc/pam.d/ssh." | ||
119 | |||
120 | #. Type: note | ||
121 | #. Description | ||
122 | #: ../openssh-server.templates:4001 | ||
123 | msgid "Vulnerable host keys will be regenerated" | ||
124 | msgstr "Haavoittuvaiset järjestelmäavaimet luodaan uudelleen" | ||
125 | |||
126 | #. Type: note | ||
127 | #. Description | ||
128 | #: ../openssh-server.templates:4001 | ||
129 | msgid "" | ||
130 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
131 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
132 | "these host keys are from a well-known set, are subject to brute-force " | ||
133 | "attacks, and must be regenerated." | ||
134 | msgstr "" | ||
135 | "Jotkin tämän järjestelmän OpenSSH-palvelimen järjestelmäavaimista on luotu " | ||
136 | "OpenSSL:n versiolla, jossa oli rikkinäinen satunnaislukugeneraattori. Tämän " | ||
137 | "tuloksena nämä avaimet voidaan murtaa järjestelmällisellä läpikäynnillä ja " | ||
138 | "ne tulee vaihtaa." | ||
139 | |||
140 | #. Type: note | ||
141 | #. Description | ||
142 | #: ../openssh-server.templates:4001 | ||
143 | msgid "" | ||
144 | "Users of this system should be informed of this change, as they will be " | ||
145 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
146 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
147 | "the new host keys." | ||
148 | msgstr "" | ||
149 | "Järjestelmän käyttäjille tulisi tiedottaa tästä muutoksesta, koska heitä " | ||
150 | "pyydetään hyväksymään muuttunut järjestelmäavain, kun he seuraavan kerran " | ||
151 | "kirjautuvat järjestelmään. Komennolla â€ssh-keygen -l -f HOST_KEY_FILE†" | ||
152 | "voidaan tulostaa uusien järjestelmäavainten sormenjäljet päivityksen jälkeen." | ||
153 | |||
154 | #. Type: note | ||
155 | #. Description | ||
156 | #: ../openssh-server.templates:4001 | ||
157 | msgid "The affected host keys are:" | ||
158 | msgstr "Järjestelmäavaimet, joihin tämä vaikuttaa:" | ||
159 | |||
160 | #. Type: note | ||
161 | #. Description | ||
162 | #: ../openssh-server.templates:4001 | ||
163 | msgid "" | ||
164 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
165 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
166 | "README.compromised-keys.gz for more details." | ||
167 | msgstr "" | ||
168 | "Tämä ongelma saattaa vaikuttaa myös käyttäjien avaimiin. Komennolla â€ssh-" | ||
169 | "vulnkey†voidaan osittain testata tätä. Tiedostossa /usr/share/doc/openssh-" | ||
170 | "server/README.compromised-keys.gz on lisätietoja." | ||
171 | |||
172 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
173 | #~ msgstr "Luodaanko OpenSSH:lle uusi asetustiedosto?" | ||
174 | |||
175 | #~ msgid "" | ||
176 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
177 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
178 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
179 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
180 | #~ "will not contain any customizations you made with the old version." | ||
181 | #~ msgstr "" | ||
182 | #~ "Tämän OpenSSH:n version käyttämän asetustiedoston muoto poikkeaa " | ||
183 | #~ "huomattavasti Debianin â€Potatoâ€-julkaisun mukana toimitetusta versiosta, " | ||
184 | #~ "jota olet päivittämässä. Uusi asetustiedosto (/etc/ssh/sshd.config) " | ||
185 | #~ "voidaan luoda nyt. Uudet asetukset toimivat uuden palvelinversion kanssa, " | ||
186 | #~ "mutta vanhaan versioon itse tehdyt muokkaukset menetetään." | ||
187 | |||
188 | #~ msgid "" | ||
189 | #~ "Please note that this new configuration file will set the value of " | ||
190 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
191 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
192 | #~ "details about this design choice." | ||
193 | #~ msgstr "" | ||
194 | #~ "Uudessa asetustiedostossa muuttujan â€PermitRootLogin†arvo on " | ||
195 | #~ "â€yes†(tarkoittaen, että kuka tahansa pääkäyttäjän salasanan tietävä voi " | ||
196 | #~ "kirjautua suoraan ssh:n avulla pääkäyttäjänä). Lisätietoja tästä " | ||
197 | #~ "valinnasta löytyy (englanniksi) tiedostosta README.Debian." | ||
198 | |||
199 | #~ msgid "" | ||
200 | #~ "It is strongly recommended that you choose to generate a new " | ||
201 | #~ "configuration file now." | ||
202 | #~ msgstr "Uuden asetustiedoston luominen nyt on erittäin suositeltavaa." | ||
diff --git a/debian/po/fr.po b/debian/po/fr.po new file mode 100644 index 000000000..a8856906d --- /dev/null +++ b/debian/po/fr.po | |||
@@ -0,0 +1,211 @@ | |||
1 | # translation of fr.po to French | ||
2 | # | ||
3 | # Translators, if you are not familiar with the PO format, gettext | ||
4 | # documentation is worth reading, especially sections dedicated to | ||
5 | # this format, e.g. by running: | ||
6 | # info -n '(gettext)PO Files' | ||
7 | # info -n '(gettext)Header Entry' | ||
8 | # | ||
9 | # Some information specific to po-debconf are available at | ||
10 | # /usr/share/doc/po-debconf/README-trans | ||
11 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
12 | # | ||
13 | # Developers do not need to manually edit POT or PO files. | ||
14 | # | ||
15 | # Christian Perrier <bubulle@debian.org>, 2007, 2008. | ||
16 | msgid "" | ||
17 | msgstr "" | ||
18 | "Project-Id-Version: \n" | ||
19 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
20 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
21 | "PO-Revision-Date: 2008-05-15 10:23+0200\n" | ||
22 | "Last-Translator: Christian Perrier <bubulle@debian.org>\n" | ||
23 | "Language-Team: French <debian-l10n-french@lists.debian.org>\n" | ||
24 | "MIME-Version: 1.0\n" | ||
25 | "Content-Type: text/plain; charset=UTF-8\n" | ||
26 | "Content-Transfer-Encoding: 8bit\n" | ||
27 | "X-Generator: KBabel 1.11.4\n" | ||
28 | |||
29 | #. Type: boolean | ||
30 | #. Description | ||
31 | #: ../openssh-server.templates:1001 | ||
32 | msgid "Do you want to risk killing active SSH sessions?" | ||
33 | msgstr "Voulez-vous risquer de rompre les sessions SSH actives ?" | ||
34 | |||
35 | #. Type: boolean | ||
36 | #. Description | ||
37 | #: ../openssh-server.templates:1001 | ||
38 | msgid "" | ||
39 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
40 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
41 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
42 | msgstr "" | ||
43 | "La version de /etc/init.d/ssh actuellement installée va vraisemblablement " | ||
44 | "interrompre toutes les instances de sshd en cours. Si vous êtes en train de " | ||
45 | "faire cette mise à niveau à l'aide de SSH, la connexion sera probablement " | ||
46 | "coupée et la mise à jour sera interrompue." | ||
47 | |||
48 | #. Type: boolean | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:1001 | ||
51 | msgid "" | ||
52 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
53 | "start-stop-daemon line in the stop section of the file." | ||
54 | msgstr "" | ||
55 | "Cela peut être corrigé en ajoutant « --pidfile /var/run/sshd.pid » à la ligne " | ||
56 | "« start-stop-daemon » dans /etc/init.d/ssh, dans la section « stop » du " | ||
57 | "fichier." | ||
58 | |||
59 | #. Type: note | ||
60 | #. Description | ||
61 | #: ../openssh-server.templates:2001 | ||
62 | msgid "New host key mandatory" | ||
63 | msgstr "Nouvelle clé d'hôte obligatoire" | ||
64 | |||
65 | #. Type: note | ||
66 | #. Description | ||
67 | #: ../openssh-server.templates:2001 | ||
68 | msgid "" | ||
69 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
70 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
71 | "utility from the old (non-free) SSH installation does not appear to be " | ||
72 | "available." | ||
73 | msgstr "" | ||
74 | "La clé d'hôte actuelle, /etc/ssh/ssh_host_key, est chiffrée avec IDEA. " | ||
75 | "OpenSSH ne peut utiliser ce fichier de clé, et l'utilitaire ssh-keygen de " | ||
76 | "l'installation précédente (non libre) de SSH n'a pas été trouvé." | ||
77 | |||
78 | #. Type: note | ||
79 | #. Description | ||
80 | #: ../openssh-server.templates:2001 | ||
81 | msgid "You need to manually generate a new host key." | ||
82 | msgstr "Vous devez générer une nouvelle clé d'hôte vous-même." | ||
83 | |||
84 | #. Type: boolean | ||
85 | #. Description | ||
86 | #: ../openssh-server.templates:3001 | ||
87 | msgid "Disable challenge-response authentication?" | ||
88 | msgstr "Faut-il désactiver l'authentification par défi-réponse ?" | ||
89 | |||
90 | #. Type: boolean | ||
91 | #. Description | ||
92 | #: ../openssh-server.templates:3001 | ||
93 | msgid "" | ||
94 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
95 | "configuration. In order to prevent users from logging in using passwords " | ||
96 | "(perhaps using only public key authentication instead) with recent versions " | ||
97 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
98 | "ensure that your PAM configuration does not allow Unix password file " | ||
99 | "authentication." | ||
100 | msgstr "" | ||
101 | "L'authentification par mots de passe semble être désactivée dans la " | ||
102 | "configuration actuelle du serveur OpenSSH. Afin d'empêcher les utilisateurs " | ||
103 | "de se connecter avec un mot de passe (pour, par exemple n'autoriser que " | ||
104 | "l'authentification par clé publique) avec les versions récentes d'OpenSSH, " | ||
105 | "vous devez aussi désactiver l'authentification par défi-réponse, ou alors " | ||
106 | "vous assurer que votre configuration de PAM n'autorise pas " | ||
107 | "l'authentification avec le fichier de mots de passe Unix." | ||
108 | |||
109 | #. Type: boolean | ||
110 | #. Description | ||
111 | #: ../openssh-server.templates:3001 | ||
112 | msgid "" | ||
113 | "If you disable challenge-response authentication, then users will not be " | ||
114 | "able to log in using passwords. If you leave it enabled (the default " | ||
115 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
116 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
117 | msgstr "" | ||
118 | "Si vous désactivez l'authentification par défi-réponse, alors les " | ||
119 | "utilisateurs ne pourront pas se connecter en entrant un mot de passe. Si " | ||
120 | "vous la laissez active (ce qui est la valeur par défaut), alors l'option " | ||
121 | "« PasswordAuthentication no » n'aura d'effet que si vous ajustez aussi la " | ||
122 | "configuration de PAM dans /etc/pam.d/ssh." | ||
123 | |||
124 | #. Type: note | ||
125 | #. Description | ||
126 | #: ../openssh-server.templates:4001 | ||
127 | msgid "Vulnerable host keys will be regenerated" | ||
128 | msgstr "Recréation des clés d'hôte vulnérables" | ||
129 | |||
130 | #. Type: note | ||
131 | #. Description | ||
132 | #: ../openssh-server.templates:4001 | ||
133 | msgid "" | ||
134 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
135 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
136 | "these host keys are from a well-known set, are subject to brute-force " | ||
137 | "attacks, and must be regenerated." | ||
138 | msgstr "" | ||
139 | "Certaines clés d'hôte OpenSSH de ce serveur ont été créées avec une version " | ||
140 | "d'OpenSSL affligée d'un défaut dans le générateur de nombres aléatoires. En " | ||
141 | "conséquence, ces clés ont un contenu prévisible et peuvent être vulnérables " | ||
142 | "à des attaques par force brute. Elles doivent être recréées." | ||
143 | |||
144 | #. Type: note | ||
145 | #. Description | ||
146 | #: ../openssh-server.templates:4001 | ||
147 | msgid "" | ||
148 | "Users of this system should be informed of this change, as they will be " | ||
149 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
150 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
151 | "the new host keys." | ||
152 | msgstr "" | ||
153 | "Les utilisateurs de ce système devraient être informés de cette modification " | ||
154 | "car le système leur signalera le changement de clé d'hôte à leur prochaine " | ||
155 | "connexion. Vous pouvez utiliser la commande « ssh-keygen -l -f " | ||
156 | "HOST_KEY_FILE » après la mise à jour pour afficher l'empreinte des nouvelles " | ||
157 | "clés d'hôte." | ||
158 | |||
159 | #. Type: note | ||
160 | #. Description | ||
161 | #: ../openssh-server.templates:4001 | ||
162 | msgid "The affected host keys are:" | ||
163 | msgstr "Les clés concernées sont les suivantes :" | ||
164 | |||
165 | #. Type: note | ||
166 | #. Description | ||
167 | #: ../openssh-server.templates:4001 | ||
168 | msgid "" | ||
169 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
170 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
171 | "README.compromised-keys.gz for more details." | ||
172 | msgstr "" | ||
173 | "Les clés OpenSSH des utilisateurs sont aussi potentiellement affectées par " | ||
174 | "ce problème. La commande « ssh-vulnkey » offre un test partiel pour cette " | ||
175 | "vulnérabilité. Veuillez consulter le fichier /usr/share/doc/openssh-server/" | ||
176 | "README.compromised-keys.gz pour plus d'informations." | ||
177 | |||
178 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
179 | #~ msgstr "Faut-il créer un nouveau fichier de configuration pour OpenSSH ?" | ||
180 | |||
181 | #~ msgid "" | ||
182 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
183 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
184 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
185 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
186 | #~ "will not contain any customizations you made with the old version." | ||
187 | #~ msgstr "" | ||
188 | #~ "Cette version d'OpenSSH utilise un fichier de configuration qui a " | ||
189 | #~ "fortement changé depuis la version contenue dans la distribution Debian " | ||
190 | #~ "« Potato », depuis laquelle vous semblez faire une mise à jour. Un nouveau " | ||
191 | #~ "fichier de configuration (/etc/ssh/sshd.config) qui fonctionnera avec la " | ||
192 | #~ "nouvelle version du serveur peut être créé, mais ne contiendra aucun des " | ||
193 | #~ "réglages que vous aviez faits avec la version précédente." | ||
194 | |||
195 | #~ msgid "" | ||
196 | #~ "Please note that this new configuration file will set the value of " | ||
197 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
198 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
199 | #~ "details about this design choice." | ||
200 | #~ msgstr "" | ||
201 | #~ "Veuillez noter que ce nouveau fichier de configuration positionnera la " | ||
202 | #~ "valeur de « PermitRootLogin » à « yes » (ce qui signifie que quiconque " | ||
203 | #~ "connaissant le mot de passe du superutilisateur peut se connecter en tant " | ||
204 | #~ "que tel sur la machine). Veuillez consulter le fichier README.Debian pour " | ||
205 | #~ "plus d'informations à propos de ce choix." | ||
206 | |||
207 | #~ msgid "" | ||
208 | #~ "It is strongly recommended that you choose to generate a new " | ||
209 | #~ "configuration file now." | ||
210 | #~ msgstr "" | ||
211 | #~ "Il est fortement recommandé de créer un nouveau fichier de configuration." | ||
diff --git a/debian/po/gl.po b/debian/po/gl.po new file mode 100644 index 000000000..acbb341b2 --- /dev/null +++ b/debian/po/gl.po | |||
@@ -0,0 +1,236 @@ | |||
1 | # Galician translation of openssh's debconf templates. | ||
2 | # This file is distributed under the same license as the openssh package. | ||
3 | # | ||
4 | # 2006, 2007, 2008 Jacobo Tarrio <jtarrio@debian.org> | ||
5 | # | ||
6 | msgid "" | ||
7 | msgstr "" | ||
8 | "Project-Id-Version: openssh\n" | ||
9 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
10 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
11 | "PO-Revision-Date: 2008-05-17 10:29+0100\n" | ||
12 | "Last-Translator: Jacobo Tarrio <jtarrio@debian.org>\n" | ||
13 | "Language-Team: Galician <proxecto@trasno.net>\n" | ||
14 | "MIME-Version: 1.0\n" | ||
15 | "Content-Type: text/plain; charset=UTF-8\n" | ||
16 | "Content-Transfer-Encoding: 8bit\n" | ||
17 | |||
18 | #. Type: boolean | ||
19 | #. Description | ||
20 | #: ../openssh-server.templates:1001 | ||
21 | msgid "Do you want to risk killing active SSH sessions?" | ||
22 | msgstr "¿Quere arriscarse a matar as sesións de SSH activas?" | ||
23 | |||
24 | #. Type: boolean | ||
25 | #. Description | ||
26 | #: ../openssh-server.templates:1001 | ||
27 | msgid "" | ||
28 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
29 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
30 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
31 | msgstr "" | ||
32 | "É posible que a versión de /etc/init.d/ssh que instalou vaia matar tódalas " | ||
33 | "instancias de sshd en execución. Se está a facer esta actualización mediante " | ||
34 | "unha sesión SSH, é probable que se desconecte e este procedemento de " | ||
35 | "actualización quede sen rematar." | ||
36 | |||
37 | #. Type: boolean | ||
38 | #. Description | ||
39 | #: ../openssh-server.templates:1001 | ||
40 | msgid "" | ||
41 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
42 | "start-stop-daemon line in the stop section of the file." | ||
43 | msgstr "" | ||
44 | "Isto pode arranxarse engadindo \"--pidfile /var/run/sshd.pid\" á liña start-" | ||
45 | "stop-daemon da sección stop do ficheiro." | ||
46 | |||
47 | #. Type: note | ||
48 | #. Description | ||
49 | #: ../openssh-server.templates:2001 | ||
50 | msgid "New host key mandatory" | ||
51 | msgstr "É obrigatorio ter unha nova clave de servidor" | ||
52 | |||
53 | #. Type: note | ||
54 | #. Description | ||
55 | #: ../openssh-server.templates:2001 | ||
56 | msgid "" | ||
57 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
58 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
59 | "utility from the old (non-free) SSH installation does not appear to be " | ||
60 | "available." | ||
61 | msgstr "" | ||
62 | "A clave de servidor actual, armacenada en /etc/ssh/ssh_host_key, está " | ||
63 | "cifrada mediante o algoritmo IDEA. OpenSSH non pode xestionar este ficheiro " | ||
64 | "de clave de servidor, e non semella que estea dispoñible a utilidade ssh-" | ||
65 | "keygen da anterior instalación de SSH (non libre)." | ||
66 | |||
67 | #. Type: note | ||
68 | #. Description | ||
69 | #: ../openssh-server.templates:2001 | ||
70 | msgid "You need to manually generate a new host key." | ||
71 | msgstr "Ten que xerar unha nova clave de servidor." | ||
72 | |||
73 | #. Type: boolean | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:3001 | ||
76 | msgid "Disable challenge-response authentication?" | ||
77 | msgstr "¿Desactivar a autenticación por desafÃo-resposta?" | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "" | ||
83 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
84 | "configuration. In order to prevent users from logging in using passwords " | ||
85 | "(perhaps using only public key authentication instead) with recent versions " | ||
86 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
87 | "ensure that your PAM configuration does not allow Unix password file " | ||
88 | "authentication." | ||
89 | msgstr "" | ||
90 | "Semella que a autenticación por contrasinal está desactivada na " | ||
91 | "configuración actual do servidor de OpenSSH. Para impedir que os usuarios se " | ||
92 | "conecten empregando contrasinais (empregando no seu canto, por exemplo, " | ||
93 | "autenticación mediante clave pública), nas versións recentes de OpenSSH ten " | ||
94 | "que desactivar a autenticación por desafÃo-resposta ou asegurarse de que a " | ||
95 | "súa configuración de PAM non permita a autenticación por ficheiro de " | ||
96 | "contrasinais de Unix." | ||
97 | |||
98 | #. Type: boolean | ||
99 | #. Description | ||
100 | #: ../openssh-server.templates:3001 | ||
101 | msgid "" | ||
102 | "If you disable challenge-response authentication, then users will not be " | ||
103 | "able to log in using passwords. If you leave it enabled (the default " | ||
104 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
105 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
106 | msgstr "" | ||
107 | "Se desactiva a autenticación por desafÃo-resposta, os usuarios non han poder " | ||
108 | "conectarse empregando contrasinais. Se a deixa activada (a resposta por " | ||
109 | "defecto) a opción \"PasswordAuthentication no\" non ha ter ningún efecto " | ||
110 | "útil a menos que tamén axuste a súa configuración de PAM en /etc/pam.d/ssh." | ||
111 | |||
112 | #. Type: note | ||
113 | #. Description | ||
114 | #: ../openssh-server.templates:4001 | ||
115 | msgid "Vulnerable host keys will be regenerated" | ||
116 | msgstr "Hanse rexenerar as claves de servidor vulnerables" | ||
117 | |||
118 | #. Type: note | ||
119 | #. Description | ||
120 | #: ../openssh-server.templates:4001 | ||
121 | msgid "" | ||
122 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
123 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
124 | "these host keys are from a well-known set, are subject to brute-force " | ||
125 | "attacks, and must be regenerated." | ||
126 | msgstr "" | ||
127 | "Algunhas das claves de servidor de OpenSSH deste sistema xeráronse cunha " | ||
128 | "versión de OpenSSL que tiña un xerador de números aleatorios que non " | ||
129 | "funcionaba correctamente. Coma resultado, esas claves de servidor pertencen " | ||
130 | "a un conxunto coñecido, son vulnerables a ataques por forza bruta, e teñen " | ||
131 | "que se rexenerar." | ||
132 | |||
133 | #. Type: note | ||
134 | #. Description | ||
135 | #: ../openssh-server.templates:4001 | ||
136 | msgid "" | ||
137 | "Users of this system should be informed of this change, as they will be " | ||
138 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
139 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
140 | "the new host keys." | ||
141 | msgstr "" | ||
142 | "É preciso informar deste cambio aos usuarios deste sistema, xa que se lles " | ||
143 | "ha avisar do cambio de clave de servidor a próxima vez que se conecten. " | ||
144 | "Empregue a orde \"ssh-keygen -l -f FICHEIRO_DE_CLAVE\" trala actualización " | ||
145 | "para amosar as pegadas dactilares das novas claves de servidor." | ||
146 | |||
147 | #. Type: note | ||
148 | #. Description | ||
149 | #: ../openssh-server.templates:4001 | ||
150 | msgid "The affected host keys are:" | ||
151 | msgstr "As claves de servidor afectadas son:" | ||
152 | |||
153 | #. Type: note | ||
154 | #. Description | ||
155 | #: ../openssh-server.templates:4001 | ||
156 | msgid "" | ||
157 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
158 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
159 | "README.compromised-keys.gz for more details." | ||
160 | msgstr "" | ||
161 | "As claves dos usuarios tamén poden estar afectadas por este problema. Pódese " | ||
162 | "empregar a orde \"ssh-vulnkey\" para facer unha comprobación parcial disto. " | ||
163 | "Consulte /usr/share/doc/openssh-server/README.compromised-keys.gz para máis " | ||
164 | "detalles." | ||
165 | |||
166 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
167 | #~ msgstr "¿Xerar un novo ficheiro de configuración para OpenSSH?" | ||
168 | |||
169 | #~ msgid "" | ||
170 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
171 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
172 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
173 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
174 | #~ "will not contain any customizations you made with the old version." | ||
175 | #~ msgstr "" | ||
176 | #~ "Esta versión de OpenSSH ten un ficheiro de configuración que cambiou " | ||
177 | #~ "moito con respecto á versión que se subministrou con Debian \"Potato\", " | ||
178 | #~ "desde a que semella que se está a actualizar. Este paquete pode xerar " | ||
179 | #~ "agora un novo ficheiro de configuración (/etc/ssh/sshd.config) que ha " | ||
180 | #~ "funcionar coa nova versión do servidor, pero que non ha conter ningunha " | ||
181 | #~ "personalización que teña feito na versión antiga." | ||
182 | |||
183 | # | msgid "" | ||
184 | # | "Please note that this new configuration file will set the value of " | ||
185 | # | "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
186 | # | "can ssh directly in as root). Please read the README.Debian file for more " | ||
187 | # | "details about this design choice." | ||
188 | #~ msgid "" | ||
189 | #~ "Please note that this new configuration file will set the value of " | ||
190 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
191 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
192 | #~ "details about this design choice." | ||
193 | #~ msgstr "" | ||
194 | #~ "Teña en conta que este novo ficheiro de configuración ha establecer o " | ||
195 | #~ "valor de de \"PermitRootLogin\" a \"yes\" (o que significa que calquera " | ||
196 | #~ "que coñeza o contrasinal do administrador ha poder conectarse " | ||
197 | #~ "directamente coma \"root\" mediante ssh). Consulte o ficheiro README." | ||
198 | #~ "Debian para ter máis detalles sobre esta decisión de deseño." | ||
199 | |||
200 | #~ msgid "" | ||
201 | #~ "It is strongly recommended that you choose to generate a new " | ||
202 | #~ "configuration file now." | ||
203 | #~ msgstr "" | ||
204 | #~ "Recoméndase encarecidamente que xere agora un novo ficheiro de " | ||
205 | #~ "configuración." | ||
206 | |||
207 | #~ msgid "Warning: you must create a new host key" | ||
208 | #~ msgstr "Aviso: ten que crear unha nove chave de servidor" | ||
209 | |||
210 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
211 | #~ msgstr "" | ||
212 | #~ "Aviso: telnetd está instalado --- seguramente non sexa unha boa idea" | ||
213 | |||
214 | #~ msgid "" | ||
215 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
216 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
217 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
218 | #~ "unencrypted login/password and session information over the network." | ||
219 | #~ msgstr "" | ||
220 | #~ "Recoméndase que elimine o paquete telnetd (se non precisa de fornecer " | ||
221 | #~ "acceso por telnet) ou instale telnetd-ssl para que exista alomenos " | ||
222 | #~ "algunha posibilidade de que as sesións telnet non envÃen información de " | ||
223 | #~ "usuario/contrasinal e das sesións sen cifrar pola rede." | ||
224 | |||
225 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
226 | #~ msgstr "" | ||
227 | #~ "Aviso: rsh-server está instalado --- seguramente non sexa unha boa idea" | ||
228 | |||
229 | #~ msgid "" | ||
230 | #~ "having rsh-server installed undermines the security that you were " | ||
231 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
232 | #~ "that package." | ||
233 | #~ msgstr "" | ||
234 | #~ "ao ter rsh-server instalado pérdese a seguridade que probablemente " | ||
235 | #~ "pretendÃa obter ao instalar ssh. Recoméndase que se desinstale ese " | ||
236 | #~ "paquete." | ||
diff --git a/debian/po/it.po b/debian/po/it.po new file mode 100644 index 000000000..047dd3f34 --- /dev/null +++ b/debian/po/it.po | |||
@@ -0,0 +1,202 @@ | |||
1 | # Italian (it) translation of debconf templates for openssh | ||
2 | # Copyright (C) 2006 Software in the Public Interest | ||
3 | # This file is distributed under the same license as the openssh package. | ||
4 | # Renato Gini <rgini@openlabs.it>, 2003 - 2005 | ||
5 | # Luca Monducci <luca.mo@tiscali.it>, 2006, 2007. | ||
6 | # | ||
7 | msgid "" | ||
8 | msgstr "" | ||
9 | "Project-Id-Version: openssh 4.7p1 italian debconf templates\n" | ||
10 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
11 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
12 | "PO-Revision-Date: 2008-05-18 12:08+0200\n" | ||
13 | "Last-Translator: Luca Monducci <luca.mo@tiscali.it>\n" | ||
14 | "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n" | ||
15 | "MIME-Version: 1.0\n" | ||
16 | "Content-Type: text/plain; charset=UTF-8\n" | ||
17 | "Content-Transfer-Encoding: 8bit\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "Si vuole rischiare di terminare le sessioni SSH attive?" | ||
24 | |||
25 | #. Type: boolean | ||
26 | #. Description | ||
27 | #: ../openssh-server.templates:1001 | ||
28 | msgid "" | ||
29 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
30 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
31 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
32 | msgstr "" | ||
33 | "È probabile che la versione di /etc/init.d/ssh attualmente installata " | ||
34 | "termini tutte le istanze di sshd attive. Se si sta effettuando questo " | ||
35 | "aggiornamento tramite una sessione SSH, è possibile che la sessione venga " | ||
36 | "chiusa e che la procedura di aggiornamento rimanga incompleta." | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | msgid "" | ||
42 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
43 | "start-stop-daemon line in the stop section of the file." | ||
44 | msgstr "" | ||
45 | "È possibile evitare ciò aggiungendo manualmente «--pidfile /var/run/sshd.pid» " | ||
46 | "alla riga start-stop-daemon nella sezione stop del file." | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "New host key mandatory" | ||
52 | msgstr "Necessaria una nuova chiave host" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "" | ||
58 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
59 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
60 | "utility from the old (non-free) SSH installation does not appear to be " | ||
61 | "available." | ||
62 | msgstr "" | ||
63 | "L'attuale chiave host, contenuta in /etc/ssh/ssh_host_key, è cifrata con " | ||
64 | "l'algoritmo IDEA. OpenSSH non è in grado di gestire questa chiave host e non " | ||
65 | "è disponibile il programma (non-free) ssh-keygen dalla precedente " | ||
66 | "installazione di SSH." | ||
67 | |||
68 | #. Type: note | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:2001 | ||
71 | msgid "You need to manually generate a new host key." | ||
72 | msgstr "È necessario generare manualmente una nuova chiave host." | ||
73 | |||
74 | #. Type: boolean | ||
75 | #. Description | ||
76 | #: ../openssh-server.templates:3001 | ||
77 | msgid "Disable challenge-response authentication?" | ||
78 | msgstr "Disabilitare l'autenticazione interattiva?" | ||
79 | |||
80 | #. Type: boolean | ||
81 | #. Description | ||
82 | #: ../openssh-server.templates:3001 | ||
83 | msgid "" | ||
84 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
85 | "configuration. In order to prevent users from logging in using passwords " | ||
86 | "(perhaps using only public key authentication instead) with recent versions " | ||
87 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
88 | "ensure that your PAM configuration does not allow Unix password file " | ||
89 | "authentication." | ||
90 | msgstr "" | ||
91 | "Nell'attuale configurazione del server OpenSSH è disabilitata " | ||
92 | "l'autenticazione tramite password. Con le versioni più recenti di OpenSSH " | ||
93 | "per impedire l'accesso degli utenti al sistema con la password (per esempio " | ||
94 | "l'accesso deve essere possibile solo tramite chiavi pubbliche) si deve " | ||
95 | "disabilitare l'autenticazione interattiva oppure si deve verificare che PAM " | ||
96 | "sia configurato in modo da non consentire l'autenticazione tramite il file " | ||
97 | "delle password Unix." | ||
98 | |||
99 | #. Type: boolean | ||
100 | #. Description | ||
101 | #: ../openssh-server.templates:3001 | ||
102 | msgid "" | ||
103 | "If you disable challenge-response authentication, then users will not be " | ||
104 | "able to log in using passwords. If you leave it enabled (the default " | ||
105 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
106 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
107 | msgstr "" | ||
108 | "Se l'autenticazione interattiva è disabilitata gli utenti non possono " | ||
109 | "effettuare l'accesso al sistema con la password. Invece se, come previsto " | ||
110 | "dalla configurazione predefinita, è abilitata allora l'opzione " | ||
111 | "«PasswordAuthentication no» non ha effetto fino a quando non si interviene " | ||
112 | "anche sulla configurazione di PAM in /etc/pam.d/ssh." | ||
113 | |||
114 | #. Type: note | ||
115 | #. Description | ||
116 | #: ../openssh-server.templates:4001 | ||
117 | msgid "Vulnerable host keys will be regenerated" | ||
118 | msgstr "Le chiavi host vulnerabili devono essere rigenerate" | ||
119 | |||
120 | #. Type: note | ||
121 | #. Description | ||
122 | #: ../openssh-server.templates:4001 | ||
123 | msgid "" | ||
124 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
125 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
126 | "these host keys are from a well-known set, are subject to brute-force " | ||
127 | "attacks, and must be regenerated." | ||
128 | msgstr "" | ||
129 | "Alcune delle chiavi host OpenSSH per server presenti su questo sistema sono " | ||
130 | "state create con una versione di OpenSSL afflitta da un problema al " | ||
131 | "generatore di numeri casuali. Di conseguenza queste chiavi host appartengono " | ||
132 | "a un insieme noto, quindi sono vulnerabili ad attacchi di tipo forza bruta e " | ||
133 | "devono essere rigenerate." | ||
134 | |||
135 | #. Type: note | ||
136 | #. Description | ||
137 | #: ../openssh-server.templates:4001 | ||
138 | msgid "" | ||
139 | "Users of this system should be informed of this change, as they will be " | ||
140 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
141 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
142 | "the new host keys." | ||
143 | msgstr "" | ||
144 | "Gli utenti del sistema dovrebbero essere informati di questo cambiamento " | ||
145 | "poiché al prossimo accesso al sistema verrà loro mostrato un avvertimento " | ||
146 | "relativo al cambiamento della chiave host. Dopo l'aggiornamento usare \"ssh-" | ||
147 | "keygen -l -f FILE_CHIAVE_HOST\" per stampare i fingerprint delle nuove " | ||
148 | "chiavi host." | ||
149 | |||
150 | #. Type: note | ||
151 | #. Description | ||
152 | #: ../openssh-server.templates:4001 | ||
153 | msgid "The affected host keys are:" | ||
154 | msgstr "Le chiavi host vulnerabili sono:" | ||
155 | |||
156 | #. Type: note | ||
157 | #. Description | ||
158 | #: ../openssh-server.templates:4001 | ||
159 | msgid "" | ||
160 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
161 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
162 | "README.compromised-keys.gz for more details." | ||
163 | msgstr "" | ||
164 | "Anche le chiavi utente potrebbero essere afflitte dallo stesso problema. È " | ||
165 | "possibile usare il comando \"ssh-vulnkey\" per fare un test parziale sulla " | ||
166 | "loro vulnerabilità . Si veda /usr/share/doc/openssh-server/README.compromised-" | ||
167 | "keys.gz per ulteriori informazioni." | ||
168 | |||
169 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
170 | #~ msgstr "Generare un nuovo file di configurazione per OpenSSH?" | ||
171 | |||
172 | #~ msgid "" | ||
173 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
174 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
175 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
176 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
177 | #~ "will not contain any customizations you made with the old version." | ||
178 | #~ msgstr "" | ||
179 | #~ "Questa versione di OpenSSH contiene un file di configurazione decisamente " | ||
180 | #~ "diverso da quello distribuito in Debian \"Potato\", che sembra essere " | ||
181 | #~ "quello che si sta aggiornando. Questo pacchetto è in grado di generare " | ||
182 | #~ "automaticamente un nuovo file di configurazione (/etc/ssh/sshd.config) " | ||
183 | #~ "adatto alla nuova versione del server, ma che non contiene nessuna delle " | ||
184 | #~ "personalizzazioni apportate nella precedente versione." | ||
185 | |||
186 | #~ msgid "" | ||
187 | #~ "Please note that this new configuration file will set the value of " | ||
188 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
189 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
190 | #~ "details about this design choice." | ||
191 | #~ msgstr "" | ||
192 | #~ "Notare che nel nuovo file di configurazione il valore di «PermitRootLogin» " | ||
193 | #~ "è impostato a «yes» (quindi chiunque conosca la password di root può " | ||
194 | #~ "collegarsi tramite ssh direttamente come root). Per ulteriori dettagli su " | ||
195 | #~ "questa scelta si veda il file README.Debian." | ||
196 | |||
197 | #~ msgid "" | ||
198 | #~ "It is strongly recommended that you choose to generate a new " | ||
199 | #~ "configuration file now." | ||
200 | #~ msgstr "" | ||
201 | #~ "È vivamente raccomandata la scelta di far generare automaticamente un " | ||
202 | #~ "nuovo file di configurazione." | ||
diff --git a/debian/po/ja.po b/debian/po/ja.po new file mode 100644 index 000000000..b011ddc0a --- /dev/null +++ b/debian/po/ja.po | |||
@@ -0,0 +1,197 @@ | |||
1 | # | ||
2 | # Translators, if you are not familiar with the PO format, gettext | ||
3 | # documentation is worth reading, especially sections dedicated to | ||
4 | # this format, e.g. by running: | ||
5 | # info -n '(gettext)PO Files' | ||
6 | # info -n '(gettext)Header Entry' | ||
7 | # | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
11 | # | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | msgid "" | ||
15 | msgstr "" | ||
16 | "Project-Id-Version: openssh\n" | ||
17 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
18 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
19 | "PO-Revision-Date: 2008-05-17 21:28+0900\n" | ||
20 | "Last-Translator: Kenshi Muto <kmuto@debian.org>\n" | ||
21 | "Language-Team: Japanese <debian-japanese@lists.debian.org>\n" | ||
22 | "MIME-Version: 1.0\n" | ||
23 | "Content-Type: text/plain; charset=UTF-8\n" | ||
24 | "Content-Transfer-Encoding: 8bit\n" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | msgid "Do you want to risk killing active SSH sessions?" | ||
30 | msgstr "接続ä¸ã® SSH セッションãŒåˆ‡ã‚Œã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒã‚ˆã„ã§ã™ã‹?" | ||
31 | |||
32 | #. Type: boolean | ||
33 | #. Description | ||
34 | #: ../openssh-server.templates:1001 | ||
35 | msgid "" | ||
36 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
37 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
38 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
39 | msgstr "" | ||
40 | "ç¾åœ¨ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã•ã‚ŒãŸãƒãƒ¼ã‚¸ãƒ§ãƒ³ã® /etc/init.d/ssh ã¯ã€ãŠãらã実行ä¸ã® sshd " | ||
41 | "インスタンスをã™ã¹ã¦æ®ºã—ã¾ã™ã€‚ã“ã®ã‚¢ãƒƒãƒ—グレードを SSH セッション経由ã§è¡Œã£ã¦" | ||
42 | "ã„ã‚‹å ´åˆã€ã‚ãªãŸã¯åˆ‡æ–ã•ã‚Œã€ã‚¢ãƒƒãƒ—グレード処ç†ã¯ä¸å®Œå…¨ãªã¾ã¾ã«ãªã‚‹ã§ã—ょã†ã€‚" | ||
43 | |||
44 | #. Type: boolean | ||
45 | #. Description | ||
46 | #: ../openssh-server.templates:1001 | ||
47 | msgid "" | ||
48 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
49 | "start-stop-daemon line in the stop section of the file." | ||
50 | msgstr "" | ||
51 | "ã“ã®çŠ¶æ³ã‚’ä¿®æ£ã™ã‚‹ã«ã¯ã€ãƒ•ã‚¡ã‚¤ãƒ«ã® stop セクション㮠start-stop-daemon ã®è¡Œã«" | ||
52 | "「--pidfile /var/run/sshd.pidã€ã¨æ‰‹å‹•ã§è¿½åŠ ã—ã¾ã™ã€‚" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "New host key mandatory" | ||
58 | msgstr "æ–°ã—ã„ホストã‚ーãŒå¿…è¦ã§ã™" | ||
59 | |||
60 | #. Type: note | ||
61 | #. Description | ||
62 | #: ../openssh-server.templates:2001 | ||
63 | msgid "" | ||
64 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
65 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
66 | "utility from the old (non-free) SSH installation does not appear to be " | ||
67 | "available." | ||
68 | msgstr "" | ||
69 | "/etc/ssh/ssh_host_key ã«ã‚ã‚‹ç¾åœ¨ã®ãƒ›ã‚¹ãƒˆã‚ー㯠IDEA ã§æš—å·åŒ–ã•ã‚Œã¦ã„ã‚ã™ã€‚" | ||
70 | "OpenSSH ã¯ã“ã®ãƒ›ã‚¹ãƒˆã‚ーファイルを扱ãˆãšã€å¤ã„ (フリーã§ã¯ãªã„) SSH ã® ssh-" | ||
71 | "keygen ユーティリティã¯ã‚‚ã†åˆ©ç”¨ã§ãã¾ã›ã‚“。" | ||
72 | |||
73 | #. Type: note | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:2001 | ||
76 | msgid "You need to manually generate a new host key." | ||
77 | msgstr "æ–°ã—ã„ホストã‚ーを手動ã§ç”Ÿæˆã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚" | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "Disable challenge-response authentication?" | ||
83 | msgstr "ãƒãƒ£ãƒ¬ãƒ³ã‚¸-レスãƒãƒ³ã‚¹èªè¨¼ã‚’無効ã«ã—ã¾ã™ã‹?" | ||
84 | |||
85 | #. Type: boolean | ||
86 | #. Description | ||
87 | #: ../openssh-server.templates:3001 | ||
88 | msgid "" | ||
89 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
90 | "configuration. In order to prevent users from logging in using passwords " | ||
91 | "(perhaps using only public key authentication instead) with recent versions " | ||
92 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
93 | "ensure that your PAM configuration does not allow Unix password file " | ||
94 | "authentication." | ||
95 | msgstr "" | ||
96 | "ç¾åœ¨ã® OpenSSH サーãƒã®è¨å®šã§ã¯ãƒ‘スワードèªè¨¼ãŒç„¡åŠ¹ã«ãªã£ã¦ã„るよã†ã§ã™ã€‚" | ||
97 | "OpenSSH ã®æœ€è¿‘ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã§ãƒ‘スワードを使ã£ã¦ãƒ¦ãƒ¼ã‚¶ãŒãƒã‚°ã‚¤ãƒ³ã™ã‚‹ã®ã‚’防ã " | ||
98 | "(多分公開éµèªè¨¼ã ã‘を代ã‚ã‚Šã«ä½¿ã†) ãŸã‚ã«ã¯ã€ãƒãƒ£ãƒ¬ãƒ³ã‚¸-レスãƒãƒ³ã‚¹èªè¨¼ã‚’無効" | ||
99 | "ã«ã™ã‚‹ã‹ã€PAM è¨å®šã§ Unix パスワードファイルèªè¨¼ã‚’絶対ã«è¨±å¯ã—ãªã„よã†ã«ã™ã‚‹" | ||
100 | "å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚" | ||
101 | |||
102 | #. Type: boolean | ||
103 | #. Description | ||
104 | #: ../openssh-server.templates:3001 | ||
105 | msgid "" | ||
106 | "If you disable challenge-response authentication, then users will not be " | ||
107 | "able to log in using passwords. If you leave it enabled (the default " | ||
108 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
109 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
110 | msgstr "" | ||
111 | "ãƒãƒ£ãƒ¬ãƒ³ã‚¸-レスãƒãƒ³ã‚¹èªè¨¼ã‚’無効ã«ã™ã‚‹å ´åˆã€ãƒ¦ãƒ¼ã‚¶ã¯ãƒ‘スワードを使ã£ã¦ãƒã‚°ã‚¤ãƒ³" | ||
112 | "ã§ããªããªã‚Šã¾ã™ã€‚有効 (デフォルト) ã®ã¾ã¾ã«ã—ã¦ãŠãã¨ã€/etc/pam.d/ssh ã«ã‚" | ||
113 | "ã‚‹ PAM è¨å®šã‚’調節ã—ãªã„é™ã‚Šã€'PasswordAuthentication no' オプションã¯åŠ¹æžœã‚’æŒ" | ||
114 | "ãŸãªããªã‚Šã¾ã™ã€‚" | ||
115 | |||
116 | #. Type: note | ||
117 | #. Description | ||
118 | #: ../openssh-server.templates:4001 | ||
119 | msgid "Vulnerable host keys will be regenerated" | ||
120 | msgstr "脆弱ãªãƒ›ã‚¹ãƒˆã‚ーã¯å†ç”Ÿæˆã•ã‚Œã¾ã™" | ||
121 | |||
122 | #. Type: note | ||
123 | #. Description | ||
124 | #: ../openssh-server.templates:4001 | ||
125 | msgid "" | ||
126 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
127 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
128 | "these host keys are from a well-known set, are subject to brute-force " | ||
129 | "attacks, and must be regenerated." | ||
130 | msgstr "" | ||
131 | "ã“ã®ã‚·ã‚¹ãƒ†ãƒ ã® OpenSSH サーãƒã®ãƒ›ã‚¹ãƒˆã‚ーã®ã„ãã¤ã‹ãŒã€å£Šã‚ŒãŸä¹±æ•°ç”Ÿæˆå™¨ã‚’æŒ" | ||
132 | "㤠OpenSSL ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã§ç”Ÿæˆã•ã‚Œã¦ã„ã¾ã—ãŸã€‚çµæžœã¨ã—ã¦ã€ã“れらã®ãƒ›ã‚¹ãƒˆã‚ーã¯æ—¢" | ||
133 | "知ã®çµ„ã¿åˆã‚ã›ã‹ã‚‰æˆã‚Šã€ãƒ–ルートフォース攻撃をå—ã‘ã‚„ã™ã„ã‚‚ã®ã«ãªã£ã¦ã„ã‚‹ãŸ" | ||
134 | "ã‚ã€å†ç”Ÿæˆã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚" | ||
135 | |||
136 | #. Type: note | ||
137 | #. Description | ||
138 | #: ../openssh-server.templates:4001 | ||
139 | msgid "" | ||
140 | "Users of this system should be informed of this change, as they will be " | ||
141 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
142 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
143 | "the new host keys." | ||
144 | msgstr "" | ||
145 | "次回ã®ãƒã‚°ã‚¤ãƒ³æ™‚ã«ãƒ›ã‚¹ãƒˆã‚ーã®å¤‰æ›´ãŒç¤ºã•ã‚Œã‚‹ã“ã¨ã§ã€ã“ã®ã‚·ã‚¹ãƒ†ãƒ ã®ãƒ¦ãƒ¼ã‚¶ã¯ã€" | ||
146 | "ã“ã®å¤‰æ›´ã®é€šçŸ¥ã‚’å—ã‘å–ã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã€‚更新後ã«æ–°ã—ã„ホストã‚ーã®æŒ‡ç´‹ã‚’表示" | ||
147 | "ã™ã‚‹ã«ã¯ã€'ssh-keygen -l -f HOST_KEY_FILE' を使ã„ã¾ã™ã€‚" | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "The affected host keys are:" | ||
153 | msgstr "影響をå—ã‘るホストã‚ーã¯æ¬¡ã®ã¨ãŠã‚Šã§ã™:" | ||
154 | |||
155 | #. Type: note | ||
156 | #. Description | ||
157 | #: ../openssh-server.templates:4001 | ||
158 | msgid "" | ||
159 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
160 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
161 | "README.compromised-keys.gz for more details." | ||
162 | msgstr "" | ||
163 | "ユーザã‚ーもã“ã®å•é¡Œã®å½±éŸ¿ã‚’å—ã‘ã¦ã„ã‚‹æã‚ŒãŒã‚ã‚Šã¾ã™ã€‚ã“ã®éƒ¨åˆ†çš„ãªãƒ†ã‚¹ãƒˆã¨ã—" | ||
164 | "ã¦ã€'ssh-vulnkey' コマンドを利用ã§ãã¾ã™ã€‚詳細ã«ã¤ã„ã¦ã¯ /usr/share/doc/" | ||
165 | "openssh-server/README.compromised-keys.gz ã‚’å‚ç…§ã—ã¦ãã ã•ã„。" | ||
166 | |||
167 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
168 | #~ msgstr "OpenSSH ã®æ–°ã—ã„è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã‚’作りã¾ã™ã‹?" | ||
169 | |||
170 | #~ msgid "" | ||
171 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
172 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
173 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
174 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
175 | #~ "will not contain any customizations you made with the old version." | ||
176 | #~ msgstr "" | ||
177 | #~ "OpenSSH ã®ã“ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã¯ã€Debian 'Potato' ã§æä¾›ã—ã¦ã„ãŸãƒãƒ¼ã‚¸ãƒ§ãƒ³ (ã„" | ||
178 | #~ "ã¾ã€ãã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‹ã‚‰ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚¢ãƒƒãƒ—を試ã¿ã¦ã„ã‚‹ã¨ã“ã‚) ã‹ã‚‰ã€è¨å®šãƒ•ã‚¡" | ||
179 | #~ "イルãŒå¤§å¹…ã«å¤‰åŒ–ã—ã¦ã„ã¾ã™ã€‚ã“ã®ãƒ‘ッケージã¯ã€æ–°ã—ã„ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã®ã‚µãƒ¼ãƒã§ä½¿" | ||
180 | #~ "ã†ã“ã¨ãŒã§ãã‚‹æ–°ã—ã„è¨å®šãƒ•ã‚¡ã‚¤ãƒ« (/etc/ssh/sshd.config) を今生æˆã™ã‚‹ã“ã¨ãŒ" | ||
181 | #~ "ã§ãã¾ã™ãŒã€å¤ã„ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã®è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã«åŠ ãˆã¦ã„ãŸã‚«ã‚¹ã‚¿ãƒžã‚¤ã‚ºã¯ã„ãšã‚Œã‚‚" | ||
182 | #~ "å«ã¾ã‚Œã¾ã›ã‚“。" | ||
183 | |||
184 | #~ msgid "" | ||
185 | #~ "Please note that this new configuration file will set the value of " | ||
186 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
187 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
188 | #~ "details about this design choice." | ||
189 | #~ msgstr "" | ||
190 | #~ "ã“ã®æ–°ã—ã„è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã¯ã€ã€ŒPermitRootLoginã€ã‚’「yesã€ã«è¨å®šã—ã¾ã™ (ã¤ã¾" | ||
191 | #~ "ã‚Šã€root ã®ãƒ‘スワードを知ã£ã¦ã„る人ãªã‚‰èª°ã§ã‚‚直接ãƒã‚°ã‚¤ãƒ³ã§ãã¾ã™)。ã“ã®ã‚ˆ" | ||
192 | #~ "ã†ãªè¨è¨ˆã‚’é¸ã‚“ã§ã„ã‚‹ç†ç”±ã®è©³ç´°ã«ã¤ã„ã¦ã¯ã€README.Debian ã‚’èªã‚“ã§ãã ã•ã„。" | ||
193 | |||
194 | #~ msgid "" | ||
195 | #~ "It is strongly recommended that you choose to generate a new " | ||
196 | #~ "configuration file now." | ||
197 | #~ msgstr "æ–°ã—ã„è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã‚’今生æˆã™ã‚‹ã“ã¨ã‚’å¼·ããŠå‹§ã‚ã—ã¾ã™ã€‚" | ||
diff --git a/debian/po/ko.po b/debian/po/ko.po new file mode 100644 index 000000000..7cbf4c13c --- /dev/null +++ b/debian/po/ko.po | |||
@@ -0,0 +1,189 @@ | |||
1 | # Korean translations for openssh package | ||
2 | # openssh íŒ¨í‚¤ì§€ì— ëŒ€í•œ í•œêµì–´ 번ì—문. | ||
3 | # Copyright (C) 2007 THE openssh'S COPYRIGHT HOLDER | ||
4 | # This file is distributed under the same license as the openssh package. | ||
5 | # Sunjae Park <darehanl@gmail.com>, 2007. | ||
6 | # | ||
7 | msgid "" | ||
8 | msgstr "" | ||
9 | "Project-Id-Version: openssh\n" | ||
10 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
11 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
12 | "PO-Revision-Date: 2008-06-06 16:06-0400\n" | ||
13 | "Last-Translator: Sunjae Park <darehanl@gmail.com>\n" | ||
14 | "Language-Team: Korean <debian-l10n-korean@lists.debian.org>\n" | ||
15 | "MIME-Version: 1.0\n" | ||
16 | "Content-Type: text/plain; charset=UTF-8\n" | ||
17 | "Content-Transfer-Encoding: 8bit\n" | ||
18 | "Plural-Forms: nplurals=1; plural=0;\n" | ||
19 | |||
20 | #. Type: boolean | ||
21 | #. Description | ||
22 | #: ../openssh-server.templates:1001 | ||
23 | msgid "Do you want to risk killing active SSH sessions?" | ||
24 | msgstr "현재 ì‚¬ìš©ì¤‘ì¸ SSH ì„¸ì…˜ì„ ì£½ì—¬ë„ ê´œì°®ìŠµë‹ˆê¹Œ?" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | msgid "" | ||
30 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
31 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
32 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
33 | msgstr "" | ||
34 | "현재 ì„¤ì¹˜ëœ /etc/init.d/ssh ë²„ì „ì€ ì‚¬ìš©ì¤‘ì¸ sshd ì¸ìŠ¤í„´ìŠ¤ë¥¼ ëª¨ë‘ ì£½ì¼ ê²ƒìž…ë‹ˆ" | ||
35 | "다. 만약 SSH ì„¸ì…˜ì„ í†µí•´ ì´ ì—…ê·¸ë ˆì´ë“œë¥¼ í•˜ê³ ìžˆë‹¤ë©´ ë„ì¤‘ì— ì—°ê²°ì´ í•´ì œë˜ì–´ " | ||
36 | "ì—…ê·¸ë ˆì´ë“œ ìž‘ì—…ì´ ë„ì¤‘ì— ì¤‘ë‹¨ë 수 있습니다." | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | msgid "" | ||
42 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
43 | "start-stop-daemon line in the stop section of the file." | ||
44 | msgstr "" | ||
45 | "파ì¼ì˜ stop 구ì—ì— ìžˆëŠ” start-stop-daemonì— \"--pidfile /var/run/sshd.pid" | ||
46 | "\"ì„ ì¶”ê°€í•˜ì‹œë©´ ì´ ë¬¸ì œë¥¼ í•´ê²°í• ìˆ˜ 있습니다." | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "New host key mandatory" | ||
52 | msgstr "호스트키 새로 만들어야 함" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "" | ||
58 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
59 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
60 | "utility from the old (non-free) SSH installation does not appear to be " | ||
61 | "available." | ||
62 | msgstr "" | ||
63 | "/etc/ssh/ssh_host_keyì— ìžˆëŠ” 현재 호스트키늘 IDEA ì•Œê³ ë¦¬ì¦˜ìœ¼ë¡œ 암호화ë˜ì–´ìžˆìŠµ" | ||
64 | "니다. OpenSSH는 ì´ í˜¸ìŠ¤íŠ¸í‚¤ 파ì¼ì„ 다루지 못하며, ì´ì „ì— ì„¤ì¹˜ë˜ì—ˆë˜ (비ìžìœ ) " | ||
65 | "SSH í”„ë¡œê·¸ëž¨ì˜ ssh-keygen ì‘ìš©í”„ë¡œê·¸ëž¨ì´ ì—†ëŠ” 것 같습니다." | ||
66 | |||
67 | #. Type: note | ||
68 | #. Description | ||
69 | #: ../openssh-server.templates:2001 | ||
70 | msgid "You need to manually generate a new host key." | ||
71 | msgstr "호스트키를 ì§ì ‘ 새로 ìƒì„±í•˜ì…”야 합니다." | ||
72 | |||
73 | #. Type: boolean | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:3001 | ||
76 | msgid "Disable challenge-response authentication?" | ||
77 | msgstr "ì œê¸°-ì‘답 ì¸ì¦ë°©ì‹ì„ í•´ì œí•˜ë„ë¡ í• ê¹Œìš”?" | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "" | ||
83 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
84 | "configuration. In order to prevent users from logging in using passwords " | ||
85 | "(perhaps using only public key authentication instead) with recent versions " | ||
86 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
87 | "ensure that your PAM configuration does not allow Unix password file " | ||
88 | "authentication." | ||
89 | msgstr "" | ||
90 | "í˜„ìž¬ì˜ OpenSSH 서버 ì„¤ì •ì— ë¹„ë°€ë²ˆí˜¸ ì¸ì¦ë°©ì‹ì´ í•´ì œë˜ì–´ 있습니다. 최근 ë²„ì „" | ||
91 | "ì˜ OpenSSHì—ì„œ 사용ìžë“¤ì´ (공개키 ë°©ì‹ë§Œ 허용하기 위해서 ë“±ì˜ ì´ìœ ë¡œ) 비밀번" | ||
92 | "호로 로그ì¸í•˜ì§€ 못하ë„ë¡ í•˜ì‹œë ¤ë©´ ì œê¸°-ì‘답 ì¸ì¦ë°©ì‹ì„ í•´ì œí•˜ì‹œë“ ì§€ ìœ ë‹‰ìŠ¤ " | ||
93 | "password íŒŒì¼ ì¸ì¦ë°©ì‹ì„ 사용하지 못하ë„ë¡ PAM ì„¤ì •ì„ í•˜ì…”ì•¼ 합니다." | ||
94 | |||
95 | #. Type: boolean | ||
96 | #. Description | ||
97 | #: ../openssh-server.templates:3001 | ||
98 | msgid "" | ||
99 | "If you disable challenge-response authentication, then users will not be " | ||
100 | "able to log in using passwords. If you leave it enabled (the default " | ||
101 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
102 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
103 | msgstr "" | ||
104 | "ì œê¸°-ì‘답 ì¸ì¦ë°©ì‹ì„ í•´ì œí•˜ë©´ 사용ìžë“¤ì€ 비밀번호를 ì´ìš©í•˜ì—¬ 로그ì¸í•˜ì§€ 못하" | ||
105 | "게 ë©ë‹ˆë‹¤. (기본 ì„¤ì •ëŒ€ë¡œ) í•´ì œí•˜ì§€ 않으시면 /etc/pam.d/sshì— ìžˆëŠ” PAM ì„¤ì •" | ||
106 | "ì„ ë³€ê²½í•˜ì§€ 않으실 경우 'PasswordAuthentication no' ì˜µì…˜ì€ ì•„ë¬´ëŸ° ì˜í–¥ì„ 주" | ||
107 | "지 못합니다." | ||
108 | |||
109 | #. Type: note | ||
110 | #. Description | ||
111 | #: ../openssh-server.templates:4001 | ||
112 | msgid "Vulnerable host keys will be regenerated" | ||
113 | msgstr "취약한 호스트키를 다시 ìƒì„±í•©ë‹ˆë‹¤" | ||
114 | |||
115 | #. Type: note | ||
116 | #. Description | ||
117 | #: ../openssh-server.templates:4001 | ||
118 | msgid "" | ||
119 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
120 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
121 | "these host keys are from a well-known set, are subject to brute-force " | ||
122 | "attacks, and must be regenerated." | ||
123 | msgstr "" | ||
124 | "ì´ ì‹œìŠ¤í…œì— ìžˆëŠ” OpenSSH ì„œë²„ì˜ í˜¸ìŠ¤íŠ¸í‚¤ëŠ” ìž˜ëª»ëœ ë‚œìˆ˜ìƒì„±ê¸°ë¥¼ 사용한 ë²„ì „ì˜ " | ||
125 | "OpenSSL를 통해 만들어졌습니다. ì´ëŸ¬í•œ í˜¸ìŠ¤íŠ¸í‚¤ë“¤ì€ ìž˜ ì•Œë ¤ì§„ 범위 ë‚´ì— ìžˆê²Œ " | ||
126 | "ë˜ë¯€ë¡œ brute-force ê³µê²©ì— ì•½í• ìˆ˜ 있으며, ë”°ë¼ì„œ 다시 만들어야 합니다." | ||
127 | |||
128 | #. Type: note | ||
129 | #. Description | ||
130 | #: ../openssh-server.templates:4001 | ||
131 | msgid "" | ||
132 | "Users of this system should be informed of this change, as they will be " | ||
133 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
134 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
135 | "the new host keys." | ||
136 | msgstr "" | ||
137 | "ì´ ì‹œìŠ¤í…œì„ ì‚¬ìš©í•œ ì‚¬ëžŒë“¤ì€ ë‹¤ìŒì— 로그ì¸í• ë•Œ 호스트키가 변경ë˜ì—ˆë‹¤ëŠ” 사실" | ||
138 | "ì„ ê°ì§€í•˜ê²Œ ë˜ê¸° ë•Œë¬¸ì— ì‚¬ìš©ìžë“¤ì—게 ì´ ì‚¬í•ì„ ì•Œë ¤ì£¼ì…”ì•¼ 합니다. ì—…ê·¸ë ˆì´ë“œ " | ||
139 | "후 'ssh-keygen -l -f 호스트키 파ì¼ëª…'ì„ ì‚¬ìš©í•˜ì—¬ 새로운 í˜¸ìŠ¤íŠ¸í‚¤ì˜ í•‘ê±°í”„ë¦°íŠ¸" | ||
140 | "를 ì¶œë ¥ë°›ì„ ìˆ˜ 있습니다." | ||
141 | |||
142 | #. Type: note | ||
143 | #. Description | ||
144 | #: ../openssh-server.templates:4001 | ||
145 | msgid "The affected host keys are:" | ||
146 | msgstr "ê´€ë ¨ëœ í˜¸ìŠ¤íŠ¸í‚¤ì˜ ëª©ë¡ì€:" | ||
147 | |||
148 | #. Type: note | ||
149 | #. Description | ||
150 | #: ../openssh-server.templates:4001 | ||
151 | msgid "" | ||
152 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
153 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
154 | "README.compromised-keys.gz for more details." | ||
155 | msgstr "" | ||
156 | "ì‚¬ìš©ìž í‚¤ ì—ì‹œ ì´ ë¬¸ì œì— ì˜í–¥ì„ ë°›ì„ ìˆ˜ 있습니다. 'ssh-vulnkey' ëª…ë ¹ì„ ì‚¬ìš©í•˜" | ||
157 | "ì—¬ 부분ì 으로나마 ê·¸ë ‡í•œì§€ë¥¼ ê²€ì‚¬í• ìˆ˜ 있습니다. ìžì„¸í•œ ì •ë³´ëŠ” /usr/share/" | ||
158 | "doc/openssh-server/README.compromised-keys.gz를 참조하ì‹ì‹œì˜¤." | ||
159 | |||
160 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
161 | #~ msgstr "OpenSSH ì„¤ì • 파ì¼ì„ 새로 만들까요?" | ||
162 | |||
163 | #~ msgid "" | ||
164 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
165 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
166 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
167 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
168 | #~ "will not contain any customizations you made with the old version." | ||
169 | #~ msgstr "" | ||
170 | #~ "ì´ë²ˆ OpenSSH ë²„ì „ì€ ì§€ê¸ˆ ì‚¬ìš©í•˜ê³ ê³„ì‹œëŠ” 듯한 ë°ë¹„안 'Potato'ì˜ OpenSSH 버" | ||
171 | #~ "ì „ê³¼ëŠ” í¬ê²Œ 다른 ì„¤ì • 파ì¼ì„ 사용합니다. ì´ ê¾¸ëŸ¬ë¯¸ëŠ” 새로 설치ë˜ëŠ” 서버 버" | ||
172 | #~ "ì „ì— ë§žëŠ” ì„¤ì • 파ì¼(/etc/ssh/sshd.config)ì„ ìƒˆë¡œ 만들 수 있습니다만, ì´ì „ " | ||
173 | #~ "ë²„ì „ì—ì„œ 변경한 ë‚´ì—ì€ ì ìš©ë˜ì§€ 않습니다." | ||
174 | |||
175 | #~ msgid "" | ||
176 | #~ "Please note that this new configuration file will set the value of " | ||
177 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
178 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
179 | #~ "details about this design choice." | ||
180 | #~ msgstr "" | ||
181 | #~ "ì°¸ê³ ë¡œ 새로 설치ë˜ëŠ” ì„¤ì •íŒŒì¼ì€ 'PermitRootLogin'ì˜ ê°’ì„ 'yes'ë¡œ ì„¤ì •í•©ë‹ˆ" | ||
182 | #~ "다(ë”°ë¼ì„œ root 비밀번호를 ì•Œê³ ìžˆëŠ” ì‚¬ëžŒì€ ëˆ„êµ¬ë‚˜ rootë¡œ ì§ì ‘ ssh 로그ì¸" | ||
183 | #~ "í• ìˆ˜ 있습니다). ì´ë ‡ê²Œ ê²°ì •í•œ ì´ìœ ì— ëŒ€í•´ì„œ ìžì„¸ížˆ ì•Œê³ ìž í•˜ì‹ ë‹¤ë©´ " | ||
184 | #~ "README.Debian 파ì¼ì„ 참조하시기 ë°”ëžë‹ˆë‹¤." | ||
185 | |||
186 | #~ msgid "" | ||
187 | #~ "It is strongly recommended that you choose to generate a new " | ||
188 | #~ "configuration file now." | ||
189 | #~ msgstr "ì„¤ì • 파ì¼ì„ 지금 새로 만드시길 ê°•ë ¥ížˆ 권장합니다." | ||
diff --git a/debian/po/nb.po b/debian/po/nb.po new file mode 100644 index 000000000..415d5faf2 --- /dev/null +++ b/debian/po/nb.po | |||
@@ -0,0 +1,196 @@ | |||
1 | # translation of nb.po to Norwegian Bokmål | ||
2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the PACKAGE package. | ||
4 | # | ||
5 | # Bjørn Steensrud <bjornst@powertech.no>, 2007. | ||
6 | # Bjørn Steensrud <bjornst@skogkatt.homelinux.org>, 2008. | ||
7 | msgid "" | ||
8 | msgstr "" | ||
9 | "Project-Id-Version: nb\n" | ||
10 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
11 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
12 | "PO-Revision-Date: 2008-05-17 11:04+0200\n" | ||
13 | "Last-Translator: Bjørn Steensrud <bjornst@skogkatt.homelinux.org>\n" | ||
14 | "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n" | ||
15 | "MIME-Version: 1.0\n" | ||
16 | "Content-Type: text/plain; charset=UTF-8\n" | ||
17 | "Content-Transfer-Encoding: 8bit\n" | ||
18 | "X-Generator: KBabel 1.11.4\n" | ||
19 | |||
20 | #. Type: boolean | ||
21 | #. Description | ||
22 | #: ../openssh-server.templates:1001 | ||
23 | msgid "Do you want to risk killing active SSH sessions?" | ||
24 | msgstr "Vil du risikere å avbryte aktive SSH-økter?" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | msgid "" | ||
30 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
31 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
32 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
33 | msgstr "" | ||
34 | "Den versjonen av /etc/init.d/ssh som nå er installert vil antakelig stoppe " | ||
35 | "alle sshd-instanser som kjører. Hvis denne oppgraderingen gjøres over en SSH-" | ||
36 | "økt, så risikerer du å bli frakoblet og oppgraderingen blir ikke fullført." | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | msgid "" | ||
42 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
43 | "start-stop-daemon line in the stop section of the file." | ||
44 | msgstr "" | ||
45 | "Dette kan rettes på ved å legge til manuelt «--pidfile /var/run/sshd.pid» til " | ||
46 | "start-stop-daemon linja i stopp-delen av fila." | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "New host key mandatory" | ||
52 | msgstr "Ny vertsnøkkel obligatorisk" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "" | ||
58 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
59 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
60 | "utility from the old (non-free) SSH installation does not appear to be " | ||
61 | "available." | ||
62 | msgstr "" | ||
63 | "Den gjeldende vertsnøkkelen, i /etc/ssh/ssh_host_key, er kryptert med IDEA-" | ||
64 | "algoritmen. OpenSSH kan ikke håndtere denne vertsnøkkelfila, og det ser ikke " | ||
65 | "ut til at verktøyet ssh-keygen fra den gamle (ikke-frie) SSH-installasjonen " | ||
66 | "er tilgjengelig." | ||
67 | |||
68 | #. Type: note | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:2001 | ||
71 | msgid "You need to manually generate a new host key." | ||
72 | msgstr "En ny vertsnøkkel må lages manuelt." | ||
73 | |||
74 | #. Type: boolean | ||
75 | #. Description | ||
76 | #: ../openssh-server.templates:3001 | ||
77 | msgid "Disable challenge-response authentication?" | ||
78 | msgstr "Skal autentisering med utfordring/svar slås av?" | ||
79 | |||
80 | #. Type: boolean | ||
81 | #. Description | ||
82 | #: ../openssh-server.templates:3001 | ||
83 | msgid "" | ||
84 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
85 | "configuration. In order to prevent users from logging in using passwords " | ||
86 | "(perhaps using only public key authentication instead) with recent versions " | ||
87 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
88 | "ensure that your PAM configuration does not allow Unix password file " | ||
89 | "authentication." | ||
90 | msgstr "" | ||
91 | "Det ser ut til at passord-autentisering er slått av i det gjeldende " | ||
92 | "tjeneroppsettet for OpenSSH. For å hindre brukere i å logge inn med passord " | ||
93 | "med nyere versjoner av OpenSSH (kanskje med autentisering med kryptonøkler i " | ||
94 | "stedet), så må autentisering med utfordring-svar slås av, eller det må " | ||
95 | "sjekkes at PAM-oppsettet er satt til ikke å tillate autentisering mot Unix " | ||
96 | "passord-fila." | ||
97 | |||
98 | #. Type: boolean | ||
99 | #. Description | ||
100 | #: ../openssh-server.templates:3001 | ||
101 | msgid "" | ||
102 | "If you disable challenge-response authentication, then users will not be " | ||
103 | "able to log in using passwords. If you leave it enabled (the default " | ||
104 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
105 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
106 | msgstr "" | ||
107 | "Hvis autentisering med utfordring-svar er slått av, så kan brukere ikke " | ||
108 | "logge inn med passord. Hvis det står på (som er standard), så har det ingen " | ||
109 | "virkning å sette «PasswordAuthentication no» med mindre PAM-oppsettet i /etc/" | ||
110 | "pam.d/ssh også justeres." | ||
111 | |||
112 | #. Type: note | ||
113 | #. Description | ||
114 | #: ../openssh-server.templates:4001 | ||
115 | msgid "Vulnerable host keys will be regenerated" | ||
116 | msgstr "Sårbare vertsnøkler vil bli laget på nytt" | ||
117 | |||
118 | #. Type: note | ||
119 | #. Description | ||
120 | #: ../openssh-server.templates:4001 | ||
121 | msgid "" | ||
122 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
123 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
124 | "these host keys are from a well-known set, are subject to brute-force " | ||
125 | "attacks, and must be regenerated." | ||
126 | msgstr "" | ||
127 | "Noen av OpenSSHs vertsnøkler på dette systemet ble opprettet med versjon av " | ||
128 | "OpenSSH som hadde en feil på slumptallsgeneratoren. Derfor tilhører disse " | ||
129 | "nøklene et velkjent sett nøkler, kan knekkes med «rå kraft»-metoden og må " | ||
130 | "lages på nytt." | ||
131 | |||
132 | #. Type: note | ||
133 | #. Description | ||
134 | #: ../openssh-server.templates:4001 | ||
135 | msgid "" | ||
136 | "Users of this system should be informed of this change, as they will be " | ||
137 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
138 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
139 | "the new host keys." | ||
140 | msgstr "" | ||
141 | "De som bruker dette systemet bør få opplysning om denne endringen, siden de " | ||
142 | "vkil få spørsmål om vertsnøkkelendringen neste gang de logger inn. Etter " | ||
143 | "oppgraderingen kan fingeravtrykkene for de nye vertsnøklene skrives ut med " | ||
144 | "kommandoen «keygen -l -f VERTSNØKKELFIL»." | ||
145 | |||
146 | #. Type: note | ||
147 | #. Description | ||
148 | #: ../openssh-server.templates:4001 | ||
149 | msgid "The affected host keys are:" | ||
150 | msgstr "De vertsnøklene dette gjelder er:" | ||
151 | |||
152 | #. Type: note | ||
153 | #. Description | ||
154 | #: ../openssh-server.templates:4001 | ||
155 | msgid "" | ||
156 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
157 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
158 | "README.compromised-keys.gz for more details." | ||
159 | msgstr "" | ||
160 | "Det kan være at brukernøkler også har dette problemet. En delvis test på " | ||
161 | "dette kan gjøres med kommandoen «ssh-vulnkey». Mer detaljer finnes i /usr/" | ||
162 | "share/doc/openssh-server/README.compromised-keys.gz." | ||
163 | |||
164 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
165 | #~ msgstr "Skal ny oppsettsfil for OpenSSH lages?" | ||
166 | |||
167 | #~ msgid "" | ||
168 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
169 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
170 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
171 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
172 | #~ "will not contain any customizations you made with the old version." | ||
173 | #~ msgstr "" | ||
174 | #~ "Det ser ut til at du oppgraderer fra Debian «Potato», og denne versjonen " | ||
175 | #~ "av OpenSSH har ganske store endringer i oppsettsfila. Denne pakka kan nå " | ||
176 | #~ "lage en ny oppsettsfil (/etc/ssh/sshd.config) som fungerer med den nye " | ||
177 | #~ "tjenerversjonen, men ikke inneholder noen tilpasninger som kan være gjort " | ||
178 | #~ "lokalt i den gamle versjonen." | ||
179 | |||
180 | #~ msgid "" | ||
181 | #~ "Please note that this new configuration file will set the value of " | ||
182 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
183 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
184 | #~ "details about this design choice." | ||
185 | #~ msgstr "" | ||
186 | #~ "Merk at denne nye oppsettsfila setter verdien av «PermitRootLogin» til " | ||
187 | #~ "«yes» (slik at alle som kjenner root-passordet kan logge inn direkte med " | ||
188 | #~ "ssh som root). Les README.Debian-fila for å finne ut mer om dette " | ||
189 | #~ "oppsettsvalget." | ||
190 | |||
191 | #~ msgid "" | ||
192 | #~ "It is strongly recommended that you choose to generate a new " | ||
193 | #~ "configuration file now." | ||
194 | #~ msgstr "" | ||
195 | #~ "Det anbefales sterkt at denne pakka får lov til å lage en ny oppsettsfil " | ||
196 | #~ "nå." | ||
diff --git a/debian/po/nl.po b/debian/po/nl.po new file mode 100644 index 000000000..b88ca8276 --- /dev/null +++ b/debian/po/nl.po | |||
@@ -0,0 +1,208 @@ | |||
1 | # | ||
2 | # Translators, if you are not familiar with the PO format, gettext | ||
3 | # documentation is worth reading, especially sections dedicated to | ||
4 | # this format, e.g. by running: | ||
5 | # info -n '(gettext)PO Files' | ||
6 | # info -n '(gettext)Header Entry' | ||
7 | # | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
11 | # | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | msgid "" | ||
15 | msgstr "" | ||
16 | "Project-Id-Version: openssh 3.6.1p2-9\n" | ||
17 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
18 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
19 | "PO-Revision-Date: 2008-05-26 15:19+0200\n" | ||
20 | "Last-Translator: Bart Cornelis <cobaco@skolelinux.no>\n" | ||
21 | "Language-Team: debian-l10n-dutch <debian-l10n-dutch@lists.debian.org>\n" | ||
22 | "MIME-Version: 1.0\n" | ||
23 | "Content-Type: text/plain; charset=utf-8\n" | ||
24 | "Content-Transfer-Encoding: 8bit\n" | ||
25 | "X-Poedit-Language: Dutch\n" | ||
26 | |||
27 | #. Type: boolean | ||
28 | #. Description | ||
29 | #: ../openssh-server.templates:1001 | ||
30 | msgid "Do you want to risk killing active SSH sessions?" | ||
31 | msgstr "Wilt u het afsluiten van actieve SSH-sessies riskeren?" | ||
32 | |||
33 | #. Type: boolean | ||
34 | #. Description | ||
35 | #: ../openssh-server.templates:1001 | ||
36 | msgid "" | ||
37 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
38 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
39 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
40 | msgstr "" | ||
41 | "De /etc/init.d/ssh versie die u geïnstalleerd hebt sluit waarschijnlijk alle " | ||
42 | "lopende sshd-instanties af. Als u deze opwaardering via een SSH-sessie " | ||
43 | "uitvoert verliest u waarschijnlijk de verbinding waardoor de " | ||
44 | "opwaarderingsprocedure onafgemaakt blijft." | ||
45 | |||
46 | #. Type: boolean | ||
47 | #. Description | ||
48 | #: ../openssh-server.templates:1001 | ||
49 | msgid "" | ||
50 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
51 | "start-stop-daemon line in the stop section of the file." | ||
52 | msgstr "" | ||
53 | "U kunt dit handmatig repareren door \"--pidfile /var/run/sshd.pid\" toe te " | ||
54 | "voegen aan de start-stop-daemon regel in de stop-sectie van het bestand." | ||
55 | |||
56 | #. Type: note | ||
57 | #. Description | ||
58 | #: ../openssh-server.templates:2001 | ||
59 | msgid "New host key mandatory" | ||
60 | msgstr "Een nieuwe computersleutel is verplicht" | ||
61 | |||
62 | #. Type: note | ||
63 | #. Description | ||
64 | #: ../openssh-server.templates:2001 | ||
65 | msgid "" | ||
66 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
67 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
68 | "utility from the old (non-free) SSH installation does not appear to be " | ||
69 | "available." | ||
70 | msgstr "" | ||
71 | "De huidige computersleutel in /etc/ssh/ssh_host_key is versleuteld met het " | ||
72 | "IDEA-algoritme. OpenSSH kan dit computer-sleutelbestand niet aan, en het ssh-" | ||
73 | "keygen programma van de oude (niet-vrije) SSH-installatie is niet " | ||
74 | "beschikbaar." | ||
75 | |||
76 | #. Type: note | ||
77 | #. Description | ||
78 | #: ../openssh-server.templates:2001 | ||
79 | msgid "You need to manually generate a new host key." | ||
80 | msgstr "U dient bijgevolg handmatig een nieuwe computersleutel te genereren." | ||
81 | |||
82 | #. Type: boolean | ||
83 | #. Description | ||
84 | #: ../openssh-server.templates:3001 | ||
85 | msgid "Disable challenge-response authentication?" | ||
86 | msgstr "Challenge-response-authenticatie deactiveren?" | ||
87 | |||
88 | #. Type: boolean | ||
89 | #. Description | ||
90 | #: ../openssh-server.templates:3001 | ||
91 | msgid "" | ||
92 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
93 | "configuration. In order to prevent users from logging in using passwords " | ||
94 | "(perhaps using only public key authentication instead) with recent versions " | ||
95 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
96 | "ensure that your PAM configuration does not allow Unix password file " | ||
97 | "authentication." | ||
98 | msgstr "" | ||
99 | "Zo te zien is wachtwoord-authenticatie momenteel gedeactiveerd in uw OpenSSH-" | ||
100 | "serverconfiguratie. Om te voorkomen dat gebruikers van recente OpenSSH-" | ||
101 | "versies inloggen met behulp van wachtwoorden (en in plaats daarvan enkel " | ||
102 | "publieke-sleutel authenticatie te gebruiken), dient challenge-response-" | ||
103 | "authenticatie gedeactiveerd te worden, of dient u ervoor te zorgen dat uw " | ||
104 | "PAM-configuratie geen Unix 'password'-bestand-authenticatie toe laat." | ||
105 | |||
106 | #. Type: boolean | ||
107 | #. Description | ||
108 | #: ../openssh-server.templates:3001 | ||
109 | msgid "" | ||
110 | "If you disable challenge-response authentication, then users will not be " | ||
111 | "able to log in using passwords. If you leave it enabled (the default " | ||
112 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
113 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
114 | msgstr "" | ||
115 | "Wanneer u challenge-response-authenticatie deactiveert kunnen gebruikers " | ||
116 | "niet meer inloggen met behulp van wachtwoorden. Als u het geactiveerd laat " | ||
117 | "(de standaarwaarde) zal de 'PasswordAuthentication no' optie geen (nuttig) " | ||
118 | "effect hebben tenzij u ook de PAM-configuratie aanpast in /etc/pam.d/ssh." | ||
119 | |||
120 | #. Type: note | ||
121 | #. Description | ||
122 | #: ../openssh-server.templates:4001 | ||
123 | msgid "Vulnerable host keys will be regenerated" | ||
124 | msgstr "Kwetsbare computersleutels worden opnieuw aangemaakt" | ||
125 | |||
126 | #. Type: note | ||
127 | #. Description | ||
128 | #: ../openssh-server.templates:4001 | ||
129 | msgid "" | ||
130 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
131 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
132 | "these host keys are from a well-known set, are subject to brute-force " | ||
133 | "attacks, and must be regenerated." | ||
134 | msgstr "" | ||
135 | "Er zijn op dit systeem OpenSSH-computersleutels aangetroffen die aangemaakt " | ||
136 | "zijn door een versie van OpenSSL met een onjuiste random-nummer-generator. " | ||
137 | "Hierdoor zijn deze computersleutels kwetsbaar voor 'brute-force'-aanvallen " | ||
138 | "en moeten ze opnieuw aangemaakt worden." | ||
139 | |||
140 | #. Type: note | ||
141 | #. Description | ||
142 | #: ../openssh-server.templates:4001 | ||
143 | msgid "" | ||
144 | "Users of this system should be informed of this change, as they will be " | ||
145 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
146 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
147 | "the new host keys." | ||
148 | msgstr "" | ||
149 | "Gebruikers van dit systeem krijgen een melding omtrent de " | ||
150 | "computersleutelverandering op hun scherm de volgende keer dat ze inloggen " | ||
151 | "via ssh. U dient hun hierover dus te berichten. De vingerafdrukken van de " | ||
152 | "nieuwe computersleutels kunt na de opwaardering opvragen via het commando " | ||
153 | "'ssh-keygen -l -f HOST_KEY_FILE'." | ||
154 | |||
155 | #. Type: note | ||
156 | #. Description | ||
157 | #: ../openssh-server.templates:4001 | ||
158 | msgid "The affected host keys are:" | ||
159 | msgstr "De getroffen computersleutels zijn:" | ||
160 | |||
161 | #. Type: note | ||
162 | #. Description | ||
163 | #: ../openssh-server.templates:4001 | ||
164 | msgid "" | ||
165 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
166 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
167 | "README.compromised-keys.gz for more details." | ||
168 | msgstr "" | ||
169 | "Sleutels van gebruikers kunnen ook getroffen zijn door dit probleem. Het " | ||
170 | "'ssh-vulnkey' commando kan gebruikt worden als een gedeeltelijke test, meer " | ||
171 | "details vindt u in /usr/share/doc/openssh-server/README.compromised-keys." | ||
172 | "gz . " | ||
173 | |||
174 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
175 | #~ msgstr "" | ||
176 | #~ "Wilt u dat er een nieuw configuratiebestand aangemaakt wordt voor OpenSSH?" | ||
177 | |||
178 | #~ msgid "" | ||
179 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
180 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
181 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
182 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
183 | #~ "will not contain any customizations you made with the old version." | ||
184 | #~ msgstr "" | ||
185 | #~ "Deze versie van OpenSSH gebruikt een configuratiebestand dat sterk " | ||
186 | #~ "veranderd is ten opzichte van dat in Debian 'Potato' (waarvan u lijkt op " | ||
187 | #~ "te waarderen). Het pakket kan nu een nieuw configuratiebestand (/etc/ssh/" | ||
188 | #~ "sshd.config) genereren dat met de nieuwe versie werkt. Dit gegenereerde " | ||
189 | #~ "bestand zal echter de door u gemaakte aanpassingen in het oude " | ||
190 | #~ "configuratiebestand niet overnemen." | ||
191 | |||
192 | #~ msgid "" | ||
193 | #~ "Please note that this new configuration file will set the value of " | ||
194 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
195 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
196 | #~ "details about this design choice." | ||
197 | #~ msgstr "" | ||
198 | #~ "Merk op dat dit nieuwe configuratiebestand de waarde van " | ||
199 | #~ "'PermitRootLogin' op 'yes' zet (wat betekent dat iedereen die het root-" | ||
200 | #~ "wachtwoord kent via ssh rechtstreeks als root kan aanmelden). Meer " | ||
201 | #~ "informatie over deze ontwerpkeuze vindt u in het bestand README.Debian." | ||
202 | |||
203 | #~ msgid "" | ||
204 | #~ "It is strongly recommended that you choose to generate a new " | ||
205 | #~ "configuration file now." | ||
206 | #~ msgstr "" | ||
207 | #~ "Het wordt ten sterkste aangeraden om nu het nieuwe configuratiebestand te " | ||
208 | #~ "laten genereren." | ||
diff --git a/debian/po/pl.po b/debian/po/pl.po new file mode 100644 index 000000000..e70ee26ac --- /dev/null +++ b/debian/po/pl.po | |||
@@ -0,0 +1,432 @@ | |||
1 | # | ||
2 | # Translators, if you are not familiar with the PO format, gettext | ||
3 | # documentation is worth reading, especially sections dedicated to | ||
4 | # this format, e.g. by running: | ||
5 | # info -n '(gettext)PO Files' | ||
6 | # info -n '(gettext)Header Entry' | ||
7 | # | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
11 | # | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | msgid "" | ||
15 | msgstr "" | ||
16 | "Project-Id-Version: PACKAGE VERSION\n" | ||
17 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
18 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
19 | "PO-Revision-Date: 2004-04-08 18:28+0200\n" | ||
20 | "Last-Translator: Emil Nowak <emil5@go2.pl>\n" | ||
21 | "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n" | ||
22 | "MIME-Version: 1.0\n" | ||
23 | "Content-Type: text/plain; charset=ISO-8859-2\n" | ||
24 | "Content-Transfer-Encoding: 8bit\n" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | #, fuzzy | ||
30 | #| msgid "Do you want to continue (and risk killing active ssh sessions)?" | ||
31 | msgid "Do you want to risk killing active SSH sessions?" | ||
32 | msgstr "Czy chcesz kontynuowaæ (i ryzykowaæ przerwaniem aktywnych sesji ssh) ?" | ||
33 | |||
34 | #. Type: boolean | ||
35 | #. Description | ||
36 | #: ../openssh-server.templates:1001 | ||
37 | #, fuzzy | ||
38 | #| msgid "" | ||
39 | #| "The version of /etc/init.d/ssh that you have installed, is likely to kill " | ||
40 | #| "all running sshd instances. If you are doing this upgrade via an ssh " | ||
41 | #| "session, that would be a Bad Thing(tm)." | ||
42 | msgid "" | ||
43 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
44 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
45 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
46 | msgstr "" | ||
47 | "Zainstalowana w³a¶nie wersja /etc/init.d/ssh mo¿e zabiæ wszystkie dzia³aj±ce " | ||
48 | "obecnie kopie sshd. Je¶li wykonujesz t± aktualizacjê przez ssh, to by³aby " | ||
49 | "Z³a Rzecz(tm)." | ||
50 | |||
51 | #. Type: boolean | ||
52 | #. Description | ||
53 | #: ../openssh-server.templates:1001 | ||
54 | #, fuzzy | ||
55 | #| msgid "" | ||
56 | #| "You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start-" | ||
57 | #| "stop-daemon line in the stop section of the file." | ||
58 | msgid "" | ||
59 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
60 | "start-stop-daemon line in the stop section of the file." | ||
61 | msgstr "" | ||
62 | "Mo¿esz to naprawiæ dodaj±c \"--pidfile /var/run/sshd.pid\" do linijki start-" | ||
63 | "stop-daemon w sekcji stop tego pliku." | ||
64 | |||
65 | #. Type: note | ||
66 | #. Description | ||
67 | #: ../openssh-server.templates:2001 | ||
68 | msgid "New host key mandatory" | ||
69 | msgstr "" | ||
70 | |||
71 | #. Type: note | ||
72 | #. Description | ||
73 | #: ../openssh-server.templates:2001 | ||
74 | #, fuzzy | ||
75 | msgid "" | ||
76 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
77 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
78 | "utility from the old (non-free) SSH installation does not appear to be " | ||
79 | "available." | ||
80 | msgstr "" | ||
81 | "Istnieje stary /etc/ssh/ssh_host_key, który jest zaszyfrowany przez IDEA. " | ||
82 | "OpenSSH nie umie korzystaæ z tak zaszyfrowanego klucza, a nie mo¿e znale¼æ " | ||
83 | "polecenia ssh-keygen ze starego SSH (non-free)." | ||
84 | |||
85 | #. Type: note | ||
86 | #. Description | ||
87 | #: ../openssh-server.templates:2001 | ||
88 | #, fuzzy | ||
89 | #| msgid "You will need to generate a new host key." | ||
90 | msgid "You need to manually generate a new host key." | ||
91 | msgstr "Bêdziesz musia³ wygenerowaæ nowy klucz hosta." | ||
92 | |||
93 | #. Type: boolean | ||
94 | #. Description | ||
95 | #: ../openssh-server.templates:3001 | ||
96 | msgid "Disable challenge-response authentication?" | ||
97 | msgstr "" | ||
98 | |||
99 | #. Type: boolean | ||
100 | #. Description | ||
101 | #: ../openssh-server.templates:3001 | ||
102 | msgid "" | ||
103 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
104 | "configuration. In order to prevent users from logging in using passwords " | ||
105 | "(perhaps using only public key authentication instead) with recent versions " | ||
106 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
107 | "ensure that your PAM configuration does not allow Unix password file " | ||
108 | "authentication." | ||
109 | msgstr "" | ||
110 | |||
111 | #. Type: boolean | ||
112 | #. Description | ||
113 | #: ../openssh-server.templates:3001 | ||
114 | msgid "" | ||
115 | "If you disable challenge-response authentication, then users will not be " | ||
116 | "able to log in using passwords. If you leave it enabled (the default " | ||
117 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
118 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
119 | msgstr "" | ||
120 | |||
121 | #. Type: note | ||
122 | #. Description | ||
123 | #: ../openssh-server.templates:4001 | ||
124 | msgid "Vulnerable host keys will be regenerated" | ||
125 | msgstr "" | ||
126 | |||
127 | #. Type: note | ||
128 | #. Description | ||
129 | #: ../openssh-server.templates:4001 | ||
130 | msgid "" | ||
131 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
132 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
133 | "these host keys are from a well-known set, are subject to brute-force " | ||
134 | "attacks, and must be regenerated." | ||
135 | msgstr "" | ||
136 | |||
137 | #. Type: note | ||
138 | #. Description | ||
139 | #: ../openssh-server.templates:4001 | ||
140 | msgid "" | ||
141 | "Users of this system should be informed of this change, as they will be " | ||
142 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
143 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
144 | "the new host keys." | ||
145 | msgstr "" | ||
146 | |||
147 | #. Type: note | ||
148 | #. Description | ||
149 | #: ../openssh-server.templates:4001 | ||
150 | msgid "The affected host keys are:" | ||
151 | msgstr "" | ||
152 | |||
153 | #. Type: note | ||
154 | #. Description | ||
155 | #: ../openssh-server.templates:4001 | ||
156 | msgid "" | ||
157 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
158 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
159 | "README.compromised-keys.gz for more details." | ||
160 | msgstr "" | ||
161 | |||
162 | #, fuzzy | ||
163 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
164 | #~ msgstr "Wygeneruj nowy plik konfiguracyjny" | ||
165 | |||
166 | #, fuzzy | ||
167 | #~ msgid "" | ||
168 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
169 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
170 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
171 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
172 | #~ "will not contain any customizations you made with the old version." | ||
173 | #~ msgstr "" | ||
174 | #~ "W tej wersji OpenSSH zmieni³ siê plik konfiguracyjny w stosunku do wersji " | ||
175 | #~ "dostarczanej z Debianem 'Potato', któr± zdajesz siê aktualizowaæ. Mogê " | ||
176 | #~ "teraz wygenerowaæ nowy plik konfiguracyjny (/etc/ssh/sshd.config), który " | ||
177 | #~ "bêdzie dzia³a³ z now± wersj± serwera, ale nie bêdzie zawiera³ ¿adnych " | ||
178 | #~ "dokonanych przez ciebie w starej wersji zmian." | ||
179 | |||
180 | #, fuzzy | ||
181 | #~| msgid "" | ||
182 | #~| "Please note that this new configuration file will set the value of " | ||
183 | #~| "'PermitRootLogin' to yes (meaning that anyone knowing the root password " | ||
184 | #~| "can ssh directly in as root). It is the opinion of the maintainer that " | ||
185 | #~| "this is the correct default (see README.Debian for more details), but " | ||
186 | #~| "you can always edit sshd_config and set it to no if you wish." | ||
187 | #~ msgid "" | ||
188 | #~ "Please note that this new configuration file will set the value of " | ||
189 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
190 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
191 | #~ "details about this design choice." | ||
192 | #~ msgstr "" | ||
193 | #~ "Zauwa¿ proszê, ¿e nowy plik konfiguracyjny bêdzie ustawia³ warto¶æ opcji " | ||
194 | #~ "'PermitRootLogin' na 'tak' (co oznacza, ¿e ka¿dy kto zna has³o root'a " | ||
195 | #~ "mo¿e zdalnie zalogowaæ siê przez ssh jako root). W opinii opiekuna " | ||
196 | #~ "pakietu to jest poprawna warto¶æ domy¶lna (szczegó³y w README.Debian), " | ||
197 | #~ "ale mo¿esz sobie wyedytowaæ sshd_config i ustawiæ tê opcjê na 'nie' je¶li " | ||
198 | #~ "siê z t± opini± nie zgadzasz." | ||
199 | |||
200 | #, fuzzy | ||
201 | #~ msgid "" | ||
202 | #~ "It is strongly recommended that you choose to generate a new " | ||
203 | #~ "configuration file now." | ||
204 | #~ msgstr "" | ||
205 | #~ "Jest bardzo wskazane aby¶ pozwoli³ mi wygenerowaæ nowy plik " | ||
206 | #~ "konfiguracyjny." | ||
207 | |||
208 | #~ msgid "Warning: you must create a new host key" | ||
209 | #~ msgstr "Uwaga: musisz utworzyæ nowy klucz hosta" | ||
210 | |||
211 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
212 | #~ msgstr "" | ||
213 | #~ "Uwaga: telnetd jest zainstalowany --- prawdopodobnie nienajlepszy pomys³" | ||
214 | |||
215 | #~ msgid "" | ||
216 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
217 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
218 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
219 | #~ "unencrypted login/password and session information over the network." | ||
220 | #~ msgstr "" | ||
221 | #~ "Radzi³bym albo usun±æ pakiet telnetd (je¶li nie potrzebujesz koniecznie " | ||
222 | #~ "udostêpniaæ telnet'a) albo zainstalowaæ telnetd-ssl aby by³a choæ " | ||
223 | #~ "szansza, ¿e sesje telnet nie bêd± przesy³aæ niezaszyfrowanego loginu/" | ||
224 | #~ "has³a oraz danych sesji przez sieæ." | ||
225 | |||
226 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
227 | #~ msgstr "" | ||
228 | #~ "Uwaga: serwer rsh jest zainstalowany --- prawdopodobnie nienajlepszy " | ||
229 | #~ "pomys³" | ||
230 | |||
231 | #~ msgid "" | ||
232 | #~ "having rsh-server installed undermines the security that you were " | ||
233 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
234 | #~ "that package." | ||
235 | #~ msgstr "" | ||
236 | #~ "Posiadanie zainstalowanego serwera rsh podminowuje zabezpieczenia, które " | ||
237 | #~ "prawdopodobnie starasz siê uzyskaæ instaluj±c ssh. Radzi³bym usun±æ ten " | ||
238 | #~ "pakiet." | ||
239 | |||
240 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
241 | #~ msgstr "Czy chcesz aby ssh-keysign by³ zainstalowany jako SUID root?" | ||
242 | |||
243 | #~ msgid "" | ||
244 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
245 | #~ "bit set." | ||
246 | #~ msgstr "" | ||
247 | #~ "Masz mo¿liwo¶æ zainstalowania pomocniczego programu ssh-keysign z " | ||
248 | #~ "w³±czonym bitem SETUID." | ||
249 | |||
250 | #~ msgid "" | ||
251 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
252 | #~ "host-based authentication." | ||
253 | #~ msgstr "" | ||
254 | #~ "Je¶li uczynisz ssh-keysign SUIDowym, bêdziesz móg³ u¿ywaæ opartej na " | ||
255 | #~ "hostach autoryzacji drugiej wersji protoko³u SSH." | ||
256 | |||
257 | #~ msgid "" | ||
258 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
259 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
260 | #~ msgstr "" | ||
261 | #~ "Je¶li masz w±tpliwo¶ci, radzê zainstalowaæ go z SUIDem. Je¶li to sprawia " | ||
262 | #~ "problemy, mo¿esz zmieniæ swoje zdanie uruchamiaj±c pó¼niej polecenie: " | ||
263 | #~ "dpkg-reconfigure ssh" | ||
264 | |||
265 | #~ msgid "Allow SSH protocol 2 only" | ||
266 | #~ msgstr "Zezwalaj wy³±cznie na wersjê 2 protoko³u SSH" | ||
267 | |||
268 | #~ msgid "" | ||
269 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
270 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
271 | #~ "things down on low end machines and might prevent older clients from " | ||
272 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
273 | #~ msgstr "" | ||
274 | #~ "Ta wersja OpenSSH wspiera drug± wersjê protoko³u ssh, która jest znacznie " | ||
275 | #~ "bardziej bezpieczna. Wy³±czenie ssh 1 jest zalecane, choæ spowalnia to " | ||
276 | #~ "dzia³anie na starych maszynach i mo¿e uniemo¿liwiæ po³±czenie starszym " | ||
277 | #~ "wersjom klientów (dotyczy to np. klienta ssh do³±czanego do \"potato\")." | ||
278 | |||
279 | #~ msgid "" | ||
280 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
281 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
282 | #~ msgstr "" | ||
283 | #~ "Ponadto, zauwa¿ proszê, ¿e klucze u¿ywane przez protokó³ 1 s± inne, wiêc " | ||
284 | #~ "nie bêdziesz móg³ ich u¿ywaæ je¶li zezwolisz na korzystanie wy³±cznie z " | ||
285 | #~ "wersji 2 protoko³u." | ||
286 | |||
287 | #~ msgid "" | ||
288 | #~ "If you later change your mind about this setting, README.Debian has " | ||
289 | #~ "instructions on what to do to your sshd_config file." | ||
290 | #~ msgstr "" | ||
291 | #~ "Je¶li pó¼niej zmienisz zdanie co do tego ustawienia, to instrukcje co " | ||
292 | #~ "zmieniæ w sshd_config znajduj± siê w README.Debian." | ||
293 | |||
294 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
295 | #~ msgstr "" | ||
296 | #~ "UWAGA: Przekazywanie (forwarding) X11 i Autoryzacji jest domy¶lnie " | ||
297 | #~ "wy³±czone." | ||
298 | |||
299 | #~ msgid "" | ||
300 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
301 | #~ "ForwardAgent set to ``off'' by default." | ||
302 | #~ msgstr "" | ||
303 | #~ "Ze wzglêdów bezpieczeñstwa Debianowa wersja ssh ma ForwardX11 i " | ||
304 | #~ "ForwardAgent ustawione domy¶lnie na 'off'." | ||
305 | |||
306 | #~ msgid "" | ||
307 | #~ "You can enable it for servers you trust, either in one of the " | ||
308 | #~ "configuration files, or with the -X command line option." | ||
309 | #~ msgstr "" | ||
310 | #~ "Dla zaufanych serwerów mo¿esz w³±czyæ te opcje w pliku konfiguracyjnym " | ||
311 | #~ "lub przy pomocy opcji -X z linii komend." | ||
312 | |||
313 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
314 | #~ msgstr "Wiêcej szczegó³ów znajdziesz w /usr/share/doc/ssh/README.Debian." | ||
315 | |||
316 | #~ msgid "ssh2 keys merged in configuration files" | ||
317 | #~ msgstr "klucze ssh2 w³±czone do plików konfiguracyjnych" | ||
318 | |||
319 | #~ msgid "" | ||
320 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
321 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
322 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
323 | #~ "compatibility" | ||
324 | #~ msgstr "" | ||
325 | #~ "Pocz±wszy od wersji 3 OpenSSH nie u¿ywa ju¿ osobnych plików dla kluczy " | ||
326 | #~ "ssh1 i ssh2. Oznacza to, ¿e pliki authorized_keys2 i known_hosts2 nie s± " | ||
327 | #~ "ju¿ potrzebne. Bêd± one jednak odczytywane aby zachowaæ wsteczn± " | ||
328 | #~ "kompatybilno¶æ." | ||
329 | |||
330 | #~ msgid "Do you want to run the sshd server?" | ||
331 | #~ msgstr "Czy chcesz uruchamiaæ serwer sshd ?" | ||
332 | |||
333 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
334 | #~ msgstr "Ten pakiet zawiera zarówno klienta ssh, jak i serwer sshd." | ||
335 | |||
336 | #~ msgid "" | ||
337 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
338 | #~ "via ssh." | ||
339 | #~ msgstr "" | ||
340 | #~ "Normalnie serwer sshd (Secure Shell Server) bêdzie uruchomiony aby " | ||
341 | #~ "umo¿liwiæ zdalny dostêp przez ssh." | ||
342 | |||
343 | #~ msgid "" | ||
344 | #~ "If you are only interested in using the ssh client for outbound " | ||
345 | #~ "connections on this machine, and don't want to log into it at all using " | ||
346 | #~ "ssh, then you can disable sshd here." | ||
347 | #~ msgstr "" | ||
348 | #~ "Je¶li jeste¶ zainteresowany u¿ywaniem wy³±cznie klienta ssh dla po³±czeñ " | ||
349 | #~ "wychodz±cych z tej maszyny, i nie chcesz siê na ni± logowaæ przy pomocy " | ||
350 | #~ "ssh, to mo¿esz teraz wy³±czyæ serwer sshd." | ||
351 | |||
352 | #~ msgid "Environment options on keys have been deprecated" | ||
353 | #~ msgstr "Odradzamy stosowanie ustawieñ ¶rodowiskowych dla kluczy." | ||
354 | |||
355 | #~ msgid "" | ||
356 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
357 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
358 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
359 | #~ "keys in question will no longer work until the option is removed." | ||
360 | #~ msgstr "" | ||
361 | #~ "Ta wersja OpenSSH ma wy³±czon± opcjê wykorzystywania ustawieñ " | ||
362 | #~ "¶rodowiskowych dla kluczy publicznych. Mo¿na dziêki temu unikn±æ pewnych " | ||
363 | #~ "ataków (jak np.: LD_PRELOAD). Je¿eli u¿ywasz tej opcji w pliku " | ||
364 | #~ "authorized_keys, to zawarte w nim klucze nie bêd± dzia³aæ dopóki ta opcja " | ||
365 | #~ "nie zostanie usuniêta." | ||
366 | |||
367 | #~ msgid "" | ||
368 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
369 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
370 | #~ "the sshd_config(5) manual page." | ||
371 | #~ msgstr "" | ||
372 | #~ "Aby ponownie w³±czyæ tê opcjê, nale¿y dodaæ wpis \"PermitUserEnvironment " | ||
373 | #~ "yes\" do pliku /etc/ssh/sshd_config po ukoñczeniu aktualizacji. Przy " | ||
374 | #~ "zmianie konfiguracji nale¿y zapoznaæ siê z informacjami zawartymi na " | ||
375 | #~ "stronie podrêcznika systemowego sshd_config(5)." | ||
376 | |||
377 | #~ msgid "Privilege separation" | ||
378 | #~ msgstr "Separacja uprawnieñ" | ||
379 | |||
380 | #~ msgid "" | ||
381 | #~ "Privilege separation is turned on by default, so if you decide you want " | ||
382 | #~ "it turned off, you need to add \"UsePrivilegeSeparation no\" to /etc/ssh/" | ||
383 | #~ "sshd_config." | ||
384 | #~ msgstr "" | ||
385 | #~ "Separacja uprawnieñ jest domy¶lnie w³±czona, wiêc je¶li zdecydujesz siê " | ||
386 | #~ "j± wy³±czyæ, musisz dodaæ \"UsePrivilegeSeparation no\" do pliku /etc/ssh/" | ||
387 | #~ "sshd_config." | ||
388 | |||
389 | #~ msgid "Enable Privilege separation" | ||
390 | #~ msgstr "W³±czenie separacji uprawnieñ" | ||
391 | |||
392 | #~ msgid "" | ||
393 | #~ "This version of OpenSSH contains the new privilege separation option. " | ||
394 | #~ "This significantly reduces the quantity of code that runs as root, and " | ||
395 | #~ "therefore reduces the impact of security holes in sshd." | ||
396 | #~ msgstr "" | ||
397 | #~ "Ta wersja OpenSSH zawiera now± opcjê separacji uprawnieñ. Znacz±co " | ||
398 | #~ "zmniejsza ona ilo¶æ kodu, który jest uruchamiany jako root i co za tym " | ||
399 | #~ "idzie redukuje efekty luk bezpieczeñstwa w sshd." | ||
400 | |||
401 | #~ msgid "" | ||
402 | #~ "Unfortunately, privilege separation interacts badly with PAM. Any PAM " | ||
403 | #~ "session modules that need to run as root (pam_mkhomedir, for example) " | ||
404 | #~ "will fail, and PAM keyboard-interactive authentication won't work." | ||
405 | #~ msgstr "" | ||
406 | #~ "Niestety separacja uprawnieñ ¼le reaguje z PAMem. Jakikolwiek modu³ sesji " | ||
407 | #~ "PAM, który musi byæ uruchamiany jako root (pam_mkhomedir, na przyk³ad) " | ||
408 | #~ "zawiedzie. Nie bêdzie dzia³aæ równie¿ interaktywna autentykacja z " | ||
409 | #~ "klawiatury (keyboard-interactive authentication)." | ||
410 | |||
411 | #, fuzzy | ||
412 | #~ msgid "" | ||
413 | #~ "Since you've opted to have me generate an sshd_config file for you, you " | ||
414 | #~ "can choose whether or not to have privilege separation turned on or not. " | ||
415 | #~ "Unless you know you need to use PAM features that won't work with this " | ||
416 | #~ "option, you should enable it." | ||
417 | #~ msgstr "" | ||
418 | #~ "Zdecydowa³e¶ siê na to abym wygenerowa³ dla ciebie plik sshd_config, i " | ||
419 | #~ "mo¿esz wybraæ czy chcesz w³±czyæ Separacjê Uprawnieñ, czy te¿ nie. Je¶li " | ||
420 | #~ "nie u¿ywasz j±dra z serii 2.0 (w którym to przypadku *musisz* " | ||
421 | #~ "odpowiedzieæ tutaj 'nie' albo sshd w ogóle nie ruszy) i je¶li nie musisz " | ||
422 | #~ "korzystaæ z mo¿liwo¶ci PAMa, które nie bêd± dzia³a³y z t± opcj±, " | ||
423 | #~ "powiniene¶ odpowiedzieæ tutaj 'tak'." | ||
424 | |||
425 | #~ msgid "" | ||
426 | #~ "NB! If you are running a 2.0 series Linux kernel, then privilege " | ||
427 | #~ "separation will not work at all, and your sshd will fail to start unless " | ||
428 | #~ "you explicitly turn privilege separation off." | ||
429 | #~ msgstr "" | ||
430 | #~ "UWAGA! Je¿eli u¿ywasz j±dra Linux'a z serii 2.0, to separacja uprawnieñ w " | ||
431 | #~ "ogóle nie bêdzie dzia³aæ i sshd nie wystartuje dopóki w³asnorêcznie nie " | ||
432 | #~ "wy³±czysz separacji uprawnieñ w /etc/ssh/sshd_config." | ||
diff --git a/debian/po/pt.po b/debian/po/pt.po new file mode 100644 index 000000000..7fe576feb --- /dev/null +++ b/debian/po/pt.po | |||
@@ -0,0 +1,195 @@ | |||
1 | # Portuguese translation of openssh debconf messages. | ||
2 | # This file is distributed under the same license as the openssh package. | ||
3 | # Ricardo Silva <ardoric@gmail.com>, 2007. | ||
4 | # | ||
5 | msgid "" | ||
6 | msgstr "" | ||
7 | "Project-Id-Version: openssh 4.7p1-9\n" | ||
8 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
9 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
10 | "PO-Revision-Date: 2008-05-18 14:48+0100\n" | ||
11 | "Last-Translator: Ricardo Silva <ardoric@gmail.com>\n" | ||
12 | "Language-Team: Native Portuguese <traduz@debianpt.org>\n" | ||
13 | "MIME-Version: 1.0\n" | ||
14 | "Content-Type: text/plain; charset=UTF-8\n" | ||
15 | "Content-Transfer-Encoding: 8bit\n" | ||
16 | |||
17 | #. Type: boolean | ||
18 | #. Description | ||
19 | #: ../openssh-server.templates:1001 | ||
20 | msgid "Do you want to risk killing active SSH sessions?" | ||
21 | msgstr "Quer arriscar matar sessões activas de SSH?" | ||
22 | |||
23 | #. Type: boolean | ||
24 | #. Description | ||
25 | #: ../openssh-server.templates:1001 | ||
26 | msgid "" | ||
27 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
28 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
29 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
30 | msgstr "" | ||
31 | "A versão do /etc/init.d/ssh que tem instalado provavelmente terminará todas " | ||
32 | "as instâncias de sshd. Se vai actualizar através de uma sessão ssh, é " | ||
33 | "possÃvel que a sua sessão seja terminada e que deixe o procedimento de " | ||
34 | "actualização por terminar." | ||
35 | |||
36 | #. Type: boolean | ||
37 | #. Description | ||
38 | #: ../openssh-server.templates:1001 | ||
39 | msgid "" | ||
40 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
41 | "start-stop-daemon line in the stop section of the file." | ||
42 | msgstr "" | ||
43 | "Isto pode ser arranjado adicionando \"--pidfile /var/run/sshd.pid\" Ã linha " | ||
44 | "start-stop-daemon na secção stop do ficheiro." | ||
45 | |||
46 | #. Type: note | ||
47 | #. Description | ||
48 | #: ../openssh-server.templates:2001 | ||
49 | msgid "New host key mandatory" | ||
50 | msgstr "Uma nova chave de anfitrião é obrigatória" | ||
51 | |||
52 | #. Type: note | ||
53 | #. Description | ||
54 | #: ../openssh-server.templates:2001 | ||
55 | msgid "" | ||
56 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
57 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
58 | "utility from the old (non-free) SSH installation does not appear to be " | ||
59 | "available." | ||
60 | msgstr "" | ||
61 | "A chave actual, em /etc/ssh/ssh_host_key, está cifrada com o algoritmo IDEA. " | ||
62 | "O OpenSSH não consegue usar este ficheiro, e o utilitário ssh-keygen da " | ||
63 | "antiga (e não livre) instalação do SSH não parece estar disponÃvel." | ||
64 | |||
65 | #. Type: note | ||
66 | #. Description | ||
67 | #: ../openssh-server.templates:2001 | ||
68 | msgid "You need to manually generate a new host key." | ||
69 | msgstr "Terá de gerar manualmente uma nova chave para o host." | ||
70 | |||
71 | #. Type: boolean | ||
72 | #. Description | ||
73 | #: ../openssh-server.templates:3001 | ||
74 | msgid "Disable challenge-response authentication?" | ||
75 | msgstr "Desactivar autenticação por desafio-resposta?" | ||
76 | |||
77 | #. Type: boolean | ||
78 | #. Description | ||
79 | #: ../openssh-server.templates:3001 | ||
80 | msgid "" | ||
81 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
82 | "configuration. In order to prevent users from logging in using passwords " | ||
83 | "(perhaps using only public key authentication instead) with recent versions " | ||
84 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
85 | "ensure that your PAM configuration does not allow Unix password file " | ||
86 | "authentication." | ||
87 | msgstr "" | ||
88 | "Autenticação por palavra-chave aparenta estar desactivada na sua " | ||
89 | "configuração actual do servidor OpenSSH. De forma a impedir que os " | ||
90 | "utilizadores se liguem usando palavras-chave (talvez usando apenas " | ||
91 | "autenticação por chave pública) com versões recentes do OpenSSH, tem de " | ||
92 | "desactivar a autenticação por desafio-resposta, ou assegurar-se que a sua " | ||
93 | "configuração do PAM não permite autenticação pelo ficheiro password de Unix." | ||
94 | |||
95 | #. Type: boolean | ||
96 | #. Description | ||
97 | #: ../openssh-server.templates:3001 | ||
98 | msgid "" | ||
99 | "If you disable challenge-response authentication, then users will not be " | ||
100 | "able to log in using passwords. If you leave it enabled (the default " | ||
101 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
102 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
103 | msgstr "" | ||
104 | "Se desactivar autenticação por pedido-resposta, os utilizadores não serão " | ||
105 | "capazes de se ligar usando palavras-chave. Se deixar activado (a resposta " | ||
106 | "por omissão), então a opção 'PasswordAuthentication no' não terá efeito a " | ||
107 | "não ser que também ajuste a configuração do PAM em /etc/pam.d/ssh." | ||
108 | |||
109 | #. Type: note | ||
110 | #. Description | ||
111 | #: ../openssh-server.templates:4001 | ||
112 | msgid "Vulnerable host keys will be regenerated" | ||
113 | msgstr "Chaves do anfitrião vulneráveis serão regeneradas" | ||
114 | |||
115 | #. Type: note | ||
116 | #. Description | ||
117 | #: ../openssh-server.templates:4001 | ||
118 | msgid "" | ||
119 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
120 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
121 | "these host keys are from a well-known set, are subject to brute-force " | ||
122 | "attacks, and must be regenerated." | ||
123 | msgstr "" | ||
124 | "Algumas das chaves do servidor OpenSSH neste sistema foram criadas com uma " | ||
125 | "versão do OpenSSL que tem um gerador de números aleatórios com problemas. " | ||
126 | "Como resultado estas chaves, que fazem parte de um conjunto bem conhecido, " | ||
127 | "estão sujeitas a ataques por força bruta, e têm de ser geradas de novo." | ||
128 | |||
129 | #. Type: note | ||
130 | #. Description | ||
131 | #: ../openssh-server.templates:4001 | ||
132 | msgid "" | ||
133 | "Users of this system should be informed of this change, as they will be " | ||
134 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
135 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
136 | "the new host keys." | ||
137 | msgstr "" | ||
138 | "Os utilizadores deste sistema devem ser informados desta mudança, uma vez " | ||
139 | "que vão ser avisados da mudança de chave da próxima vez que se ligarem. " | ||
140 | "Utilize o comando 'ssh-keygen -l -f FICHEIRO_DA_CHAVE' depois da " | ||
141 | "actualização para imprimir as impressões das novas chaves." | ||
142 | |||
143 | #. Type: note | ||
144 | #. Description | ||
145 | #: ../openssh-server.templates:4001 | ||
146 | msgid "The affected host keys are:" | ||
147 | msgstr "As chaves afectadas são:" | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "" | ||
153 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
154 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
155 | "README.compromised-keys.gz for more details." | ||
156 | msgstr "" | ||
157 | "As chaves de utilizador também podem ser afectadas por este problema. O " | ||
158 | "comando 'ssh-vulnkey' pode ser usado como um teste parcial para este caso. " | ||
159 | "Veja o ficheiro /usr/share/doc/openssh-server/README.compromised-keys.gz " | ||
160 | "para mais detalhes." | ||
161 | |||
162 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
163 | #~ msgstr "Gerar um ficheiro de configuração novo para o OpenSSH?" | ||
164 | |||
165 | #~ msgid "" | ||
166 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
167 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
168 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
169 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
170 | #~ "will not contain any customizations you made with the old version." | ||
171 | #~ msgstr "" | ||
172 | #~ "Esta versão do OpenSSH tem um ficheiro de configuração bastante diferente " | ||
173 | #~ "da versão que vinha com o Debian 'Potato', que parece ser de onde está a " | ||
174 | #~ "actualizar. Este pacote pode agora gerar um novo ficheiro de configuração " | ||
175 | #~ "(/etc/ssh/sshd.config), que irá funcionar com a nova versão do servidor, " | ||
176 | #~ "mas não conterá nenhuma alteração que tenha feito à versão antiga." | ||
177 | |||
178 | #~ msgid "" | ||
179 | #~ "Please note that this new configuration file will set the value of " | ||
180 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
181 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
182 | #~ "details about this design choice." | ||
183 | #~ msgstr "" | ||
184 | #~ "Por favor note que este novo ficheiro de configuração terá " | ||
185 | #~ "'PermitRootLogin' definido para 'yes' (o que significa que qualquer " | ||
186 | #~ "pessoa que saiba a palavra-chave de root pode ligar-se directamente como " | ||
187 | #~ "root a partir do ssh). Por favor leia o ficheiro README.Debian para mais " | ||
188 | #~ "detalhes sobre esta escolha." | ||
189 | |||
190 | #~ msgid "" | ||
191 | #~ "It is strongly recommended that you choose to generate a new " | ||
192 | #~ "configuration file now." | ||
193 | #~ msgstr "" | ||
194 | #~ "É fortemente recomendado que escolha gerar um novo ficheiro de " | ||
195 | #~ "configuração agora." | ||
diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po new file mode 100644 index 000000000..fe2227190 --- /dev/null +++ b/debian/po/pt_BR.po | |||
@@ -0,0 +1,203 @@ | |||
1 | # openssh Brazilian Portuguese translation | ||
2 | # Copyright (C) 2007, André LuÃs Lopes | ||
3 | # This file is distributed under the same license as the openssh package. | ||
4 | # André LuÃs Lopes <andrelop@debian.org>, 2007. | ||
5 | # Eder L. Marques (frolic) <frolic@debian-ce.org>, 2008. | ||
6 | # | ||
7 | msgid "" | ||
8 | msgstr "" | ||
9 | "Project-Id-Version: openssh 1:4.7p1-9\n" | ||
10 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
11 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
12 | "PO-Revision-Date: 2008-05-27 10:10-0300\n" | ||
13 | "Last-Translator: Eder L. Marques (frolic) <frolic@debian-ce.org>\n" | ||
14 | "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian." | ||
15 | "org>\n" | ||
16 | "MIME-Version: 1.0\n" | ||
17 | "Content-Type: text/plain; charset=UTF-8\n" | ||
18 | "Content-Transfer-Encoding: 8bit\n" | ||
19 | "pt_BR utf-8\n" | ||
20 | |||
21 | #. Type: boolean | ||
22 | #. Description | ||
23 | #: ../openssh-server.templates:1001 | ||
24 | msgid "Do you want to risk killing active SSH sessions?" | ||
25 | msgstr "Você deseja arriscar matar (\"kill\") as sessões SSH ativas?" | ||
26 | |||
27 | #. Type: boolean | ||
28 | #. Description | ||
29 | #: ../openssh-server.templates:1001 | ||
30 | msgid "" | ||
31 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
32 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
33 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
34 | msgstr "" | ||
35 | "A versão instalada atualmente de /etc/init.d/ssh está prestes a derrubar " | ||
36 | "todas as instâncias sshd em execução. Se você estiver fazendo esta " | ||
37 | "atualização através de uma sessão SSH, você provavelmente será desconectado " | ||
38 | "e deixará este processo de atualização incompleto." | ||
39 | |||
40 | #. Type: boolean | ||
41 | #. Description | ||
42 | #: ../openssh-server.templates:1001 | ||
43 | msgid "" | ||
44 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
45 | "start-stop-daemon line in the stop section of the file." | ||
46 | msgstr "" | ||
47 | "Você pode corrigir isto adicionando \"--pidfile /var/run/sshd.pid\" na linha " | ||
48 | "start-stop-daemon na seção stop deste arquivo." | ||
49 | |||
50 | #. Type: note | ||
51 | #. Description | ||
52 | #: ../openssh-server.templates:2001 | ||
53 | msgid "New host key mandatory" | ||
54 | msgstr "Nova chave de máquina obrigatória" | ||
55 | |||
56 | #. Type: note | ||
57 | #. Description | ||
58 | #: ../openssh-server.templates:2001 | ||
59 | msgid "" | ||
60 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
61 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
62 | "utility from the old (non-free) SSH installation does not appear to be " | ||
63 | "available." | ||
64 | msgstr "" | ||
65 | "A chave de máquina atual, em /etc/ssh/ssh_host_key, é criptografada " | ||
66 | "utilizando o algoritmo IDEA. O OpenSSH não pode gerenciar esse arquivo de " | ||
67 | "chave de máquina, e o utilitário ssh-keygen da antiga (e não livre) " | ||
68 | "instalação SSH não parece estar disponÃvel." | ||
69 | |||
70 | #. Type: note | ||
71 | #. Description | ||
72 | #: ../openssh-server.templates:2001 | ||
73 | msgid "You need to manually generate a new host key." | ||
74 | msgstr "Você precisa gerar manualmente uma chave de máquina." | ||
75 | |||
76 | #. Type: boolean | ||
77 | #. Description | ||
78 | #: ../openssh-server.templates:3001 | ||
79 | msgid "Disable challenge-response authentication?" | ||
80 | msgstr "Desabilitar autenticação desafio-resposta (\"challenge-response\")?" | ||
81 | |||
82 | #. Type: boolean | ||
83 | #. Description | ||
84 | #: ../openssh-server.templates:3001 | ||
85 | msgid "" | ||
86 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
87 | "configuration. In order to prevent users from logging in using passwords " | ||
88 | "(perhaps using only public key authentication instead) with recent versions " | ||
89 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
90 | "ensure that your PAM configuration does not allow Unix password file " | ||
91 | "authentication." | ||
92 | msgstr "" | ||
93 | "A autenticação através de senha parece estar desabilitada em sua " | ||
94 | "configuração atual do servidor OpenSSH. Para que seja possÃvel evitar que " | ||
95 | "usuários se autentiquem utilizando senhas (talvez utilizando somente " | ||
96 | "autenticação através de chaves públicas) em versões recentes do OpenSSH você " | ||
97 | "deve desabilitar a autenticação desafio-resposta (\"challenge-response\") ou " | ||
98 | "então se certificar que sua configuração PAM não permita autenticação " | ||
99 | "através do arquivos de senhas Unix (\"password\")." | ||
100 | |||
101 | #. Type: boolean | ||
102 | #. Description | ||
103 | #: ../openssh-server.templates:3001 | ||
104 | msgid "" | ||
105 | "If you disable challenge-response authentication, then users will not be " | ||
106 | "able to log in using passwords. If you leave it enabled (the default " | ||
107 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
108 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
109 | msgstr "" | ||
110 | "Caso você desabilite a autenticação desafio-resposta (\"challenge-response" | ||
111 | "\"), os usuários não poderão se autenticar utilizando suas senhas. Se você " | ||
112 | "deixá-la habilitada (a resposta padrão), então a opção " | ||
113 | "'PasswordAuthentication no' não terá efeito útil a menos que você também " | ||
114 | "ajuste sua configuração PAM em /etc/pam.d/ssh." | ||
115 | |||
116 | #. Type: note | ||
117 | #. Description | ||
118 | #: ../openssh-server.templates:4001 | ||
119 | msgid "Vulnerable host keys will be regenerated" | ||
120 | msgstr "Chaves de host vulneráveis serão regeradas" | ||
121 | |||
122 | #. Type: note | ||
123 | #. Description | ||
124 | #: ../openssh-server.templates:4001 | ||
125 | msgid "" | ||
126 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
127 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
128 | "these host keys are from a well-known set, are subject to brute-force " | ||
129 | "attacks, and must be regenerated." | ||
130 | msgstr "" | ||
131 | "Algumas das chaves de host do servidor OpenSSH neste sistema foram geradas " | ||
132 | "com uma versão do OpenSSL que tem um gerador de números aleatórios quebrado. " | ||
133 | "Como resultado, estas chaves de host são originárias de um conjunto bem " | ||
134 | "conhecido, ficando sujeitas a ataques de força bruta, e devem ser regeradas." | ||
135 | |||
136 | #. Type: note | ||
137 | #. Description | ||
138 | #: ../openssh-server.templates:4001 | ||
139 | msgid "" | ||
140 | "Users of this system should be informed of this change, as they will be " | ||
141 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
142 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
143 | "the new host keys." | ||
144 | msgstr "" | ||
145 | "Usuários deste sistema deverão ser informados desta mudança, pois eles serão " | ||
146 | "alertados sobre a mudança de chave de host na próxima vez que logarem. Use " | ||
147 | "'ssh-keygen -l -f ARQUIVO_COM_A_CHAVE_DE_HOST' após a atualização para " | ||
148 | "exibir as impressões digitais (\"fingerprints\") das novas chaves de host." | ||
149 | |||
150 | #. Type: note | ||
151 | #. Description | ||
152 | #: ../openssh-server.templates:4001 | ||
153 | msgid "The affected host keys are:" | ||
154 | msgstr "As chaves de host afetadas são:" | ||
155 | |||
156 | #. Type: note | ||
157 | #. Description | ||
158 | #: ../openssh-server.templates:4001 | ||
159 | msgid "" | ||
160 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
161 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
162 | "README.compromised-keys.gz for more details." | ||
163 | msgstr "" | ||
164 | "Chaves de usuários também podem ser afetadas por este problema. O comando " | ||
165 | "'ssh-vulnkey' pode ser usado como um teste parcial para isso. Veja /usr/" | ||
166 | "share/doc/openssh-server/README.compromised-keys.gz para mais detalhes." | ||
167 | |||
168 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
169 | #~ msgstr "Gerar um novo arquivo de configuração para o OpenSSH?" | ||
170 | |||
171 | #~ msgid "" | ||
172 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
173 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
174 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
175 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
176 | #~ "will not contain any customizations you made with the old version." | ||
177 | #~ msgstr "" | ||
178 | #~ "Esta versão do OpenSSH possui um arquivo de configuração " | ||
179 | #~ "consideravelmente diferente da versão fornecida com o Debian 'Potato', a " | ||
180 | #~ "versão do Debian a partir da qual você parece estar atualizando. Este " | ||
181 | #~ "pacote pode agora gerar um novo arquivo de configuração (/etc/ssh/" | ||
182 | #~ "sshd_config), o qual irá funcionar com a nova versão do servidor sshd mas " | ||
183 | #~ "não irá conter nenhuma personalização que você possa ter feito na versão " | ||
184 | #~ "anterior." | ||
185 | |||
186 | #~ msgid "" | ||
187 | #~ "Please note that this new configuration file will set the value of " | ||
188 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
189 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
190 | #~ "details about this design choice." | ||
191 | #~ msgstr "" | ||
192 | #~ "Por favor, note que este novo arquivo de configuração irá definir o valor " | ||
193 | #~ "da opção 'PermitRootLogin' para 'yes' (o que significa que qualquer " | ||
194 | #~ "pessoa que conheça a senha do root poderá conectar via ssh diretamente " | ||
195 | #~ "como root). Por favor, leia os arquivos README.Debian para maiores " | ||
196 | #~ "detalhes sobre essa escolha de projeto." | ||
197 | |||
198 | #~ msgid "" | ||
199 | #~ "It is strongly recommended that you choose to generate a new " | ||
200 | #~ "configuration file now." | ||
201 | #~ msgstr "" | ||
202 | #~ "É fortemente recomendado que você escolha gerar um novo arquivo de " | ||
203 | #~ "configuração agora." | ||
diff --git a/debian/po/ro.po b/debian/po/ro.po new file mode 100644 index 000000000..87480db23 --- /dev/null +++ b/debian/po/ro.po | |||
@@ -0,0 +1,224 @@ | |||
1 | # Romanian translation of openssh. | ||
2 | # Copyright (C) 2006 THE openssh'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the openssh package. | ||
4 | # | ||
5 | # Stan Ioan-Eugen <stan.ieugen@gmail.com>, 2006. | ||
6 | # Igor Stirbu <igor.stirbu@gmail.com>, 2007. | ||
7 | # Cătălin Feștilă <catalinfest@gmail.com>,2008 | ||
8 | msgid "" | ||
9 | msgstr "" | ||
10 | "Project-Id-Version: openssh 1.4\n" | ||
11 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
12 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
13 | "PO-Revision-Date: 2008-05-28 17:54+0200\n" | ||
14 | "Last-Translator: Cătălin Feștilă <catalinfest@gmail.com>\n" | ||
15 | "Language-Team: Romanian <debian-l10n-romanian@lists.debian.org>\n" | ||
16 | "MIME-Version: 1.0\n" | ||
17 | "Content-Type: text/plain; charset=UTF-8\n" | ||
18 | "Content-Transfer-Encoding: 8bit\n" | ||
19 | "X-Generator: KBabel 1.11.4\n" | ||
20 | "Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < " | ||
21 | "20)) ? 1 : 2;\n" | ||
22 | |||
23 | #. Type: boolean | ||
24 | #. Description | ||
25 | #: ../openssh-server.templates:1001 | ||
26 | msgid "Do you want to risk killing active SSH sessions?" | ||
27 | msgstr "Doriți să riscați întreruperea sesiunilor ssh active?" | ||
28 | |||
29 | #. Type: boolean | ||
30 | #. Description | ||
31 | #: ../openssh-server.templates:1001 | ||
32 | msgid "" | ||
33 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
34 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
35 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
36 | msgstr "" | ||
37 | "Este foarte probabil ca această versiune de /etc/init.d/ssh pe care o aveți " | ||
38 | "instalată să omoare toate instanțele sshd care rulează. Dacă faceți această " | ||
39 | "actualizare printr-o sesiune ssh, atunci este posibil să fiți deconectați și " | ||
40 | "actualizarea să rămână neterminată." | ||
41 | |||
42 | #. Type: boolean | ||
43 | #. Description | ||
44 | #: ../openssh-server.templates:1001 | ||
45 | msgid "" | ||
46 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
47 | "start-stop-daemon line in the stop section of the file." | ||
48 | msgstr "" | ||
49 | "Puteți repară manual acest lucru adăugând „--pidfile /var/run/sshd.pid†la " | ||
50 | "linia start-stop-daemon în secțiunea stop a fișierului." | ||
51 | |||
52 | #. Type: note | ||
53 | #. Description | ||
54 | #: ../openssh-server.templates:2001 | ||
55 | msgid "New host key mandatory" | ||
56 | msgstr "O cheie nouă este obligatorie" | ||
57 | |||
58 | #. Type: note | ||
59 | #. Description | ||
60 | #: ../openssh-server.templates:2001 | ||
61 | msgid "" | ||
62 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
63 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
64 | "utility from the old (non-free) SSH installation does not appear to be " | ||
65 | "available." | ||
66 | msgstr "" | ||
67 | "Cheia curentă în /etc/ssh/ssh_host_key este criptată cu algoritmul IDEA. " | ||
68 | "OpenSSH nu suportă acest tip de cheie, iar utilitarul ssh-keygen din " | ||
69 | "versiunea SSH (non-liberă) anterior instalată nu pare să fie disponibil." | ||
70 | |||
71 | #. Type: note | ||
72 | #. Description | ||
73 | #: ../openssh-server.templates:2001 | ||
74 | msgid "You need to manually generate a new host key." | ||
75 | msgstr "Va trebui să generați manual o nouă cheie pentru sistem." | ||
76 | |||
77 | #. Type: boolean | ||
78 | #. Description | ||
79 | #: ../openssh-server.templates:3001 | ||
80 | msgid "Disable challenge-response authentication?" | ||
81 | msgstr "Dezactivează modul de autentificare provocare-răspuns?" | ||
82 | |||
83 | #. Type: boolean | ||
84 | #. Description | ||
85 | #: ../openssh-server.templates:3001 | ||
86 | msgid "" | ||
87 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
88 | "configuration. In order to prevent users from logging in using passwords " | ||
89 | "(perhaps using only public key authentication instead) with recent versions " | ||
90 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
91 | "ensure that your PAM configuration does not allow Unix password file " | ||
92 | "authentication." | ||
93 | msgstr "" | ||
94 | "Autentificarea pe bază de parole pare dezactivată în configurația curentă a " | ||
95 | "serverului OpenSSH. Pentru a împiedica utilizatorii să se autentifice " | ||
96 | "folosind parole (probabil folosind doar autentificarea cu chei publice) în " | ||
97 | "versiunile recente OpenSSH trebuie să dezactivați autentificarea tip " | ||
98 | "provocare-răspuns, sau asigurați-vă că configurația PAM nu permite " | ||
99 | "autentificarea cu fișierul de parole Unix." | ||
100 | |||
101 | #. Type: boolean | ||
102 | #. Description | ||
103 | #: ../openssh-server.templates:3001 | ||
104 | msgid "" | ||
105 | "If you disable challenge-response authentication, then users will not be " | ||
106 | "able to log in using passwords. If you leave it enabled (the default " | ||
107 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
108 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
109 | msgstr "" | ||
110 | "Dacă dezactivați autentificarea pe bază de provocare-răspuns, utilizatorii " | ||
111 | "nu vor mai putea să se autentifice folosind parolele. Dacă nu o dezactivați " | ||
112 | "(răspunsul implicit), atunci opțiunea 'PasswordAuthentification no' va fi " | ||
113 | "utilizabilă doar dacă modificați și configurația PAM din /etc/pam.d/ssh." | ||
114 | |||
115 | #. Type: note | ||
116 | #. Description | ||
117 | #: ../openssh-server.templates:4001 | ||
118 | msgid "Vulnerable host keys will be regenerated" | ||
119 | msgstr "Cheile vulnerabile vor fi regenerate" | ||
120 | |||
121 | #. Type: note | ||
122 | #. Description | ||
123 | #: ../openssh-server.templates:4001 | ||
124 | msgid "" | ||
125 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
126 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
127 | "these host keys are from a well-known set, are subject to brute-force " | ||
128 | "attacks, and must be regenerated." | ||
129 | msgstr "" | ||
130 | "Unele dintre cheile serverului OpenSSH gazdă de pe acest sistem au fost " | ||
131 | "generate cu o versiune de OpenSSL, care a avut un generator de numere " | ||
132 | "aleatorii stricat. Ca rezultat, aceste chei gazda sunt un set binecunoscut, " | ||
133 | "sunt supuse la atacuri brute-force și trebuie să fie regenerate." | ||
134 | |||
135 | #. Type: note | ||
136 | #. Description | ||
137 | #: ../openssh-server.templates:4001 | ||
138 | msgid "" | ||
139 | "Users of this system should be informed of this change, as they will be " | ||
140 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
141 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
142 | "the new host keys." | ||
143 | msgstr "" | ||
144 | "Utilizatorii acestui sistem ar trebui să fie informați ce se schimbă, " | ||
145 | "deoarece se va solicita cheia gazdă ce se schimba data viitoare când se " | ||
146 | "autentifică. Folosiți 'ssh-keygen -l -f HOST_KEY_FILE' după ce faceți " | ||
147 | "actualizare pentru a imprima amprentele digitale ale noilor chei gazdă." | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "The affected host keys are:" | ||
153 | msgstr "Cheile gazdă afectate sunt:" | ||
154 | |||
155 | #. Type: note | ||
156 | #. Description | ||
157 | #: ../openssh-server.templates:4001 | ||
158 | msgid "" | ||
159 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
160 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
161 | "README.compromised-keys.gz for more details." | ||
162 | msgstr "" | ||
163 | "Cheile utilizatorului de asemenea, pot fi afectate de această problemă. " | ||
164 | "Comanda 'ssh-vulnkey' poate fi folosită ca un test parțial pentru acestea. A " | ||
165 | "se vedea /usr/share/doc/openssh-server/README.compromised-keys.gz pentru mai " | ||
166 | "multe detalii." | ||
167 | |||
168 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
169 | #~ msgstr "Să se genereze un fișier nou de configurare pentru OpenSSH?" | ||
170 | |||
171 | #~ msgid "" | ||
172 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
173 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
174 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
175 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
176 | #~ "will not contain any customizations you made with the old version." | ||
177 | #~ msgstr "" | ||
178 | #~ "Această versiune de OpenSSH are un fișier de configurare considerabil " | ||
179 | #~ "modificat față de versiunea care vine cu Debian 'Potato', pe care se pare " | ||
180 | #~ "că o actualizați. Acest pachet poate genera acum un nou fișier de " | ||
181 | #~ "configurare (/etc/ssh/sshd.config), care va funcționa cu noua versiune de " | ||
182 | #~ "server, dar nu va conține nici o personalizare făcută pentru versiunea " | ||
183 | #~ "anterioară." | ||
184 | |||
185 | #~ msgid "" | ||
186 | #~ "Please note that this new configuration file will set the value of " | ||
187 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
188 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
189 | #~ "details about this design choice." | ||
190 | #~ msgstr "" | ||
191 | #~ "A se reține că acest fișier nou de configurare va stabili valoarea " | ||
192 | #~ "opțiunii 'PermitRootLogin' la „yes†(ceea ce înseamnă că cine știe parola " | ||
193 | #~ "de root se poate autentifica prin ssh direct ca root). Părerea " | ||
194 | #~ "responsabilului de pachet este că aceasta trebuie să fie valoarea " | ||
195 | #~ "implicită (a se vedea fișierul README.Debian pentru detalii " | ||
196 | #~ "suplimentare), dar, dacă doriți, puteți edita oricând fișierul " | ||
197 | #~ "sshd_config pentru a stabili valoarea opÈ›iunii la „noâ€." | ||
198 | |||
199 | #~ msgid "" | ||
200 | #~ "It is strongly recommended that you choose to generate a new " | ||
201 | #~ "configuration file now." | ||
202 | #~ msgstr "" | ||
203 | #~ "Este indicat să alegeți acum generarea un nou fișier de configurare." | ||
204 | |||
205 | #~ msgid "Warning: you must create a new host key" | ||
206 | #~ msgstr "Avertizare: trebuie să creați o nouă cheie pentru sistem" | ||
207 | |||
208 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
209 | #~ msgstr "" | ||
210 | #~ "Avertizare: telnetd este instalat --- probabil că nu este o idee bună" | ||
211 | |||
212 | #~ msgid "" | ||
213 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
214 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
215 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
216 | #~ "unencrypted login/password and session information over the network." | ||
217 | #~ msgstr "" | ||
218 | #~ "Un sfat bun este fie să ștergeți pachetul telnetd (dacă întradevăr nu-l " | ||
219 | #~ "utilizați) fie să instalați telnetd-ssl astfel încât să existe " | ||
220 | #~ "posibilitatea ca sesiunile telnet să nu trimită informații necriptate de " | ||
221 | #~ "autentificare/parole prin rețea." | ||
222 | |||
223 | #~ msgid "${HOST_KEYS}" | ||
224 | #~ msgstr "${HOST_KEYS}" | ||
diff --git a/debian/po/ru.po b/debian/po/ru.po new file mode 100644 index 000000000..23b8c0348 --- /dev/null +++ b/debian/po/ru.po | |||
@@ -0,0 +1,209 @@ | |||
1 | # translation of ru.po to Russian | ||
2 | # translation of openssh to Russian | ||
3 | # | ||
4 | # Translators, if you are not familiar with the PO format, gettext | ||
5 | # documentation is worth reading, especially sections dedicated to | ||
6 | # this format, e.g. by running: | ||
7 | # info -n '(gettext)PO Files' | ||
8 | # info -n '(gettext)Header Entry' | ||
9 | # Some information specific to po-debconf are available at | ||
10 | # /usr/share/doc/po-debconf/README-trans | ||
11 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans# | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | # Yuriy Talakan' <yt@drsk.ru>, 2007. | ||
15 | # Yuri Kozlov <kozlov.y@gmail.com>, 2008. | ||
16 | msgid "" | ||
17 | msgstr "" | ||
18 | "Project-Id-Version: openssh 1:4.7p1-9\n" | ||
19 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
20 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
21 | "PO-Revision-Date: 2008-05-18 08:55+0400\n" | ||
22 | "Last-Translator: Yuri Kozlov <kozlov.y@gmail.com>\n" | ||
23 | "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n" | ||
24 | "MIME-Version: 1.0\n" | ||
25 | "Content-Type: text/plain; charset=UTF-8\n" | ||
26 | "Content-Transfer-Encoding: 8bit\n" | ||
27 | "X-Generator: KBabel 1.11.4\n" | ||
28 | "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" | ||
29 | "10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" | ||
30 | |||
31 | #. Type: boolean | ||
32 | #. Description | ||
33 | #: ../openssh-server.templates:1001 | ||
34 | msgid "Do you want to risk killing active SSH sessions?" | ||
35 | msgstr "Ð’Ñ‹ хотите пойти на риÑк потерÑÑ‚ÑŒ активные SSH ÑоединениÑ?" | ||
36 | |||
37 | #. Type: boolean | ||
38 | #. Description | ||
39 | #: ../openssh-server.templates:1001 | ||
40 | msgid "" | ||
41 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
42 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
43 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
44 | msgstr "" | ||
45 | "УÑÑ‚Ð°Ð½Ð¾Ð²Ð»ÐµÐ½Ð½Ð°Ñ Ð² наÑтоÑщее Ð²Ñ€ÐµÐ¼Ñ Ð²ÐµÑ€ÑÐ¸Ñ /etc/init.d/ssh, вероÑтно, уничтожит " | ||
46 | "вÑе запущенные ÑкземплÑры sshd. ЕÑли вы выполнÑете Ñто обновление через SSH " | ||
47 | "Ñоединение, то Ñкорее вÑего вы будете отключены и процедура Ð¾Ð±Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ñ " | ||
48 | "оÑтанетÑÑ Ð½Ðµ завершенной." | ||
49 | |||
50 | #. Type: boolean | ||
51 | #. Description | ||
52 | #: ../openssh-server.templates:1001 | ||
53 | msgid "" | ||
54 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
55 | "start-stop-daemon line in the stop section of the file." | ||
56 | msgstr "" | ||
57 | "Ðто может быть иÑправлено вручную добавлением \"--pidfile /var/run/sshd.pid" | ||
58 | "\" в Ñтроку start-stop-daemon в разделе stop Ñтого файла." | ||
59 | |||
60 | #. Type: note | ||
61 | #. Description | ||
62 | #: ../openssh-server.templates:2001 | ||
63 | msgid "New host key mandatory" | ||
64 | msgstr "Ðеобходим новый ключ хоÑта" | ||
65 | |||
66 | #. Type: note | ||
67 | #. Description | ||
68 | #: ../openssh-server.templates:2001 | ||
69 | msgid "" | ||
70 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
71 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
72 | "utility from the old (non-free) SSH installation does not appear to be " | ||
73 | "available." | ||
74 | msgstr "" | ||
75 | "Текущий ключ хоÑта, /etc/ssh/ssh_host_key, зашифрован алгоритмом IDEA. " | ||
76 | "OpenSSH не может работать Ñ Ñ‚Ð°ÐºÐ¸Ð¼ файлом ключа хоÑта, а утилита ÑÐ¾Ð·Ð´Ð°Ð½Ð¸Ñ ssh-" | ||
77 | "ключа (ssh-keygen) из прежней (не Ñвободной) уÑтановки SSH, кажетÑÑ, " | ||
78 | "недоÑтупна." | ||
79 | |||
80 | #. Type: note | ||
81 | #. Description | ||
82 | #: ../openssh-server.templates:2001 | ||
83 | msgid "You need to manually generate a new host key." | ||
84 | msgstr "Вам нужно вручную Ñоздать новый ключ хоÑта." | ||
85 | |||
86 | #. Type: boolean | ||
87 | #. Description | ||
88 | #: ../openssh-server.templates:3001 | ||
89 | msgid "Disable challenge-response authentication?" | ||
90 | msgstr "Отключить аутентификацию запроÑ-ответ?" | ||
91 | |||
92 | #. Type: boolean | ||
93 | #. Description | ||
94 | #: ../openssh-server.templates:3001 | ||
95 | msgid "" | ||
96 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
97 | "configuration. In order to prevent users from logging in using passwords " | ||
98 | "(perhaps using only public key authentication instead) with recent versions " | ||
99 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
100 | "ensure that your PAM configuration does not allow Unix password file " | ||
101 | "authentication." | ||
102 | msgstr "" | ||
103 | "КажетÑÑ, что Ð¿Ð°Ñ€Ð¾Ð»ÑŒÐ½Ð°Ñ Ð°ÑƒÑ‚ÐµÐ½Ñ‚Ð¸Ñ„Ð¸ÐºÐ°Ñ†Ð¸Ñ Ð¾Ñ‚ÐºÐ»ÑŽÑ‡ÐµÐ½Ð° в текущей наÑтройке Ñервера " | ||
104 | "OpenSSH. Чтобы запретить пользователÑм вход Ñ Ð¸Ñпользованием паролей " | ||
105 | "(возможно, иÑпользовав вмеÑто Ñтого только аутентификацию по публичному " | ||
106 | "ключу) в новых верÑиÑÑ… OpenSSH, вы должны отключить аутентификацию запроÑ-" | ||
107 | "ответ, либо убедитьÑÑ, что ваша наÑтройка PAM не разрешает аутентификацию по " | ||
108 | "файлу паролей Unix." | ||
109 | |||
110 | #. Type: boolean | ||
111 | #. Description | ||
112 | #: ../openssh-server.templates:3001 | ||
113 | msgid "" | ||
114 | "If you disable challenge-response authentication, then users will not be " | ||
115 | "able to log in using passwords. If you leave it enabled (the default " | ||
116 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
117 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
118 | msgstr "" | ||
119 | "ЕÑли вы запретите аутентификацию запроÑ-ответ, пользователи не Ñмогут войти " | ||
120 | "Ñ Ð¸Ñпользованием паролей. ЕÑли вы оÑтавите её разрешенной (ответ по " | ||
121 | "умолчанию), то параметр 'PasswordAuthentication no' не будет иметь Ñилы до " | ||
122 | "тех пор, пока вы также не откорректируете наÑтройки PAM в /etc/pam.d/ssh." | ||
123 | |||
124 | #. Type: note | ||
125 | #. Description | ||
126 | #: ../openssh-server.templates:4001 | ||
127 | msgid "Vulnerable host keys will be regenerated" | ||
128 | msgstr "УÑзвимые ключи хоÑта будут Ñозданы заново" | ||
129 | |||
130 | #. Type: note | ||
131 | #. Description | ||
132 | #: ../openssh-server.templates:4001 | ||
133 | msgid "" | ||
134 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
135 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
136 | "these host keys are from a well-known set, are subject to brute-force " | ||
137 | "attacks, and must be regenerated." | ||
138 | msgstr "" | ||
139 | "Ðекоторые ключи хоÑта Ñервера OpenSSH в Ñтой ÑиÑтеме были Ñозданы Ñ Ð¿Ð¾Ð¼Ð¾Ñ‰ÑŒÑŽ " | ||
140 | "верÑии OpenSSL, в которой был иÑпорченный генератор Ñлучайных чиÑел. Ð’ " | ||
141 | "результате, такие ключи хоÑта входили во вÑем извеÑтный ÑпиÑок, что " | ||
142 | "позволÑло применÑÑ‚ÑŒ атаку поÑледовательного подбора ключей. Ключи должны " | ||
143 | "быть Ñозданы заново." | ||
144 | |||
145 | #. Type: note | ||
146 | #. Description | ||
147 | #: ../openssh-server.templates:4001 | ||
148 | msgid "" | ||
149 | "Users of this system should be informed of this change, as they will be " | ||
150 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
151 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
152 | "the new host keys." | ||
153 | msgstr "" | ||
154 | "Пользователи Ñтой ÑиÑтемы будут проинформированы об Ñтом изменении, так как " | ||
155 | "им будет выведено Ñообщение о Ñмене ключа хоÑта при Ñледующем подключении. " | ||
156 | "ИÑпользуйте команду 'ssh-keygen -l -f HOST_KEY_FILE' поÑле Ð¾Ð±Ð½Ð¾Ð²Ð»ÐµÐ½Ð¸Ñ Ð´Ð»Ñ " | ||
157 | "раÑпечатки отпечатков новых ключей хоÑта." | ||
158 | |||
159 | #. Type: note | ||
160 | #. Description | ||
161 | #: ../openssh-server.templates:4001 | ||
162 | msgid "The affected host keys are:" | ||
163 | msgstr "Ключи хоÑта, которые будут заменены:" | ||
164 | |||
165 | #. Type: note | ||
166 | #. Description | ||
167 | #: ../openssh-server.templates:4001 | ||
168 | msgid "" | ||
169 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
170 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
171 | "README.compromised-keys.gz for more details." | ||
172 | msgstr "" | ||
173 | "ПользовательÑкие ключи также имеют данную проблему. Ð”Ð»Ñ Ñ‡Ð°Ñтичной проверки " | ||
174 | "можно воÑпользоватьÑÑ ÐºÐ¾Ð¼Ð°Ð½Ð´Ð¾Ð¹ 'ssh-vulnkey'. Ð’ файле /usr/share/doc/openssh-" | ||
175 | "server/README.compromised-keys.gz дано более подробное опиÑание." | ||
176 | |||
177 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
178 | #~ msgstr "Создать новый файл наÑтроек Ð´Ð»Ñ OpenSSH?" | ||
179 | |||
180 | #~ msgid "" | ||
181 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
182 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
183 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
184 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
185 | #~ "will not contain any customizations you made with the old version." | ||
186 | #~ msgstr "" | ||
187 | #~ "Файл наÑтроек Ñтой верÑии OpenSSH значительно отличаетÑÑ Ð¾Ñ‚ файла верÑии, " | ||
188 | #~ "ÐºÐ¾Ñ‚Ð¾Ñ€Ð°Ñ Ð¿Ð¾ÑтавлÑлаÑÑŒ Ñ Debian 'Potato', и которую вы, кажетÑÑ, " | ||
189 | #~ "обновлÑете. Ðтот пакет может ÑÐµÐ¹Ñ‡Ð°Ñ Ñоздать новый файл наÑтроек (/etc/ssh/" | ||
190 | #~ "sshd.config), который будет работать Ñ Ñервером новой верÑии, но не будет " | ||
191 | #~ "Ñодержать наÑтроек, которые вы Ñделали в Ñтарой верÑии." | ||
192 | |||
193 | #~ msgid "" | ||
194 | #~ "Please note that this new configuration file will set the value of " | ||
195 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
196 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
197 | #~ "details about this design choice." | ||
198 | #~ msgstr "" | ||
199 | #~ "Обратите внимание, что Ñтот новый файл наÑтроек уÑтановит значение " | ||
200 | #~ "параметра 'PermitRootLogin' в 'yes' (Ñто означает, что каждый знающий " | ||
201 | #~ "пароль ÑÑƒÐ¿ÐµÑ€Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð¼Ð¾Ð¶ÐµÑ‚ войти в ÑиÑтему по ssh как " | ||
202 | #~ "Ñуперпользователь). ПожалуйÑта, прочтите файл README.Debian Ð´Ð»Ñ " | ||
203 | #~ "разъÑÑÐ½ÐµÐ½Ð¸Ñ Ð´ÐµÑ‚Ð°Ð»ÐµÐ¹ Ñтого выбора." | ||
204 | |||
205 | #~ msgid "" | ||
206 | #~ "It is strongly recommended that you choose to generate a new " | ||
207 | #~ "configuration file now." | ||
208 | #~ msgstr "" | ||
209 | #~ "ÐаÑтоÑтельно рекомендуетÑÑ Ð²Ñ‹Ð±Ñ€Ð°Ñ‚ÑŒ ÑÐµÐ¹Ñ‡Ð°Ñ Ñоздание нового файла наÑтроек." | ||
diff --git a/debian/po/sk.po b/debian/po/sk.po new file mode 100644 index 000000000..a10e09b6c --- /dev/null +++ b/debian/po/sk.po | |||
@@ -0,0 +1,188 @@ | |||
1 | msgid "" | ||
2 | msgstr "" | ||
3 | "Project-Id-Version: openssh 1_4.6p1-5\n" | ||
4 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
5 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
6 | "PO-Revision-Date: 2008-05-29 08:51+0100\n" | ||
7 | "Last-Translator: Ivan Masár <helix84@centrum.sk>\n" | ||
8 | "Language-Team: Slovak <sk-i18n@lists.linux.sk>\n" | ||
9 | "MIME-Version: 1.0\n" | ||
10 | "Content-Type: text/plain; charset=utf-8\n" | ||
11 | "Content-Transfer-Encoding: 8bit\n" | ||
12 | |||
13 | #. Type: boolean | ||
14 | #. Description | ||
15 | #: ../openssh-server.templates:1001 | ||
16 | msgid "Do you want to risk killing active SSH sessions?" | ||
17 | msgstr "Chcete riskovaÅ¥ zruÅ¡enie aktÃvnych SSH reláciÃ?" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "" | ||
23 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
24 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
25 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
26 | msgstr "" | ||
27 | "Momentálne nainÅ¡talovaná verzia /etc/init.d/ssh pravdepodobne ukonÄà vÅ¡etky " | ||
28 | "prebiehajúce inštancie sshd. Ak túto aktualizáciu vykonávate cez reláciu SSH " | ||
29 | "pravdepodobne budete odpojený a aktualizácia zostane nedokonÄená." | ||
30 | |||
31 | #. Type: boolean | ||
32 | #. Description | ||
33 | #: ../openssh-server.templates:1001 | ||
34 | msgid "" | ||
35 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
36 | "start-stop-daemon line in the stop section of the file." | ||
37 | msgstr "" | ||
38 | "Toto je možné manuálne napraviť tým, že pridáte „--pidfile /var/run/sshd." | ||
39 | "pid“ do stop sekcie súboru start-stop-daemon." | ||
40 | |||
41 | #. Type: note | ||
42 | #. Description | ||
43 | #: ../openssh-server.templates:2001 | ||
44 | msgid "New host key mandatory" | ||
45 | msgstr "Nový kÄ¾ÃºÄ hostiteľa je povinný" | ||
46 | |||
47 | #. Type: note | ||
48 | #. Description | ||
49 | #: ../openssh-server.templates:2001 | ||
50 | msgid "" | ||
51 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
52 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
53 | "utility from the old (non-free) SSH installation does not appear to be " | ||
54 | "available." | ||
55 | msgstr "" | ||
56 | "Aktuálny kÄ¾ÃºÄ hostiteľa v /etc/ssh/ssh_host_key je kryptovaný algoritmom " | ||
57 | "IDEA. OpenSSH nemôže pracovaÅ¥ s týmto súborom s kľúÄom hostiteľa a nástroj " | ||
58 | "ssh-keygen zo starej (neslobodnej) inštalácie SSH nie je dostupný." | ||
59 | |||
60 | #. Type: note | ||
61 | #. Description | ||
62 | #: ../openssh-server.templates:2001 | ||
63 | msgid "You need to manually generate a new host key." | ||
64 | msgstr "MusÃte ruÄne vygenerovaÅ¥ nový kÄ¾ÃºÄ hostiteľa." | ||
65 | |||
66 | #. Type: boolean | ||
67 | #. Description | ||
68 | #: ../openssh-server.templates:3001 | ||
69 | msgid "Disable challenge-response authentication?" | ||
70 | msgstr "Vypnúť autentifikáciu výzva-odpoveÄ?" | ||
71 | |||
72 | #. Type: boolean | ||
73 | #. Description | ||
74 | #: ../openssh-server.templates:3001 | ||
75 | msgid "" | ||
76 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
77 | "configuration. In order to prevent users from logging in using passwords " | ||
78 | "(perhaps using only public key authentication instead) with recent versions " | ||
79 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
80 | "ensure that your PAM configuration does not allow Unix password file " | ||
81 | "authentication." | ||
82 | msgstr "" | ||
83 | "Zdá sa, že autentifikácia pomocou hesla je v aktuálnej konfigurácii OpenSSH " | ||
84 | "servera vypnutá. Aby ste zabránili použÃvateľom prihlasovaÅ¥ sa pomocou " | ||
85 | "hesiel (snÃ¡Ä iba použitÃm autentifikácie svojÃm verejným kľúÄom) pri novÅ¡Ãch " | ||
86 | "verziách OpenSSH musÃte vypnúť autentifikáciu výzva-odpoveÄ alebo sa inak " | ||
87 | "uistiť, že vaša konfigurácia PAM neumožňuje autentifikáciu pomocu unixového " | ||
88 | "súboru s heslami." | ||
89 | |||
90 | #. Type: boolean | ||
91 | #. Description | ||
92 | #: ../openssh-server.templates:3001 | ||
93 | msgid "" | ||
94 | "If you disable challenge-response authentication, then users will not be " | ||
95 | "able to log in using passwords. If you leave it enabled (the default " | ||
96 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
97 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
98 | msgstr "" | ||
99 | "Ak vypnete autentifikáciu výzva-odpoveÄ, použÃvatelia sa nebudú môcÅ¥ " | ||
100 | "prihlasovaÅ¥ pomocou hesiel. Ak ju necháte zapnutú (Å¡tandardná odpoveÄ), " | ||
101 | "potom nebude maÅ¥ voľba „PasswordAuthentication no“ žiadny úÄinok v prÃpade, " | ||
102 | "že tiež vhodne nenastavÃte vaÅ¡u konfiguráciu PAM v /etc/pam.d/ssh." | ||
103 | |||
104 | #. Type: note | ||
105 | #. Description | ||
106 | #: ../openssh-server.templates:4001 | ||
107 | msgid "Vulnerable host keys will be regenerated" | ||
108 | msgstr "Namiesto zneužiteľných kľúÄov hostiteľa sa vytvoria nové" | ||
109 | |||
110 | #. Type: note | ||
111 | #. Description | ||
112 | #: ../openssh-server.templates:4001 | ||
113 | msgid "" | ||
114 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
115 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
116 | "these host keys are from a well-known set, are subject to brute-force " | ||
117 | "attacks, and must be regenerated." | ||
118 | msgstr "" | ||
119 | "Niektoré z OpenSSH klúÄov hostiteľa na tomto systéme boli vytvorené verziou " | ||
120 | "OpenSSL, ktorá mala chybný generátor náhodných ÄÃsel. Dôsledkom je, že tieto " | ||
121 | "klúÄe hostiteľa sú z vopred známej množiny, je možné ich prelomiÅ¥ hrubou " | ||
122 | "silou a je potrebné vytvoriť namiesto nich nové." | ||
123 | |||
124 | #. Type: note | ||
125 | #. Description | ||
126 | #: ../openssh-server.templates:4001 | ||
127 | msgid "" | ||
128 | "Users of this system should be informed of this change, as they will be " | ||
129 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
130 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
131 | "the new host keys." | ||
132 | msgstr "" | ||
133 | "PoužÃvateľov tohoto systému by ste mali informovaÅ¥ o tejto zmene, pretože " | ||
134 | "pri najbližšom prihlásenà sa im zobrazà výzva o zmenenom kľúÄi hostiteľa. Po " | ||
135 | "aktualizácii vypÃÅ¡ete odtlaÄky nových kľúÄov hostiteľa prÃkazom „ssh-keygen -" | ||
136 | "l -f HOST_KEY_FILE“." | ||
137 | |||
138 | #. Type: note | ||
139 | #. Description | ||
140 | #: ../openssh-server.templates:4001 | ||
141 | msgid "The affected host keys are:" | ||
142 | msgstr "Postihnuté kľúÄe sú:" | ||
143 | |||
144 | #. Type: note | ||
145 | #. Description | ||
146 | #: ../openssh-server.templates:4001 | ||
147 | msgid "" | ||
148 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
149 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
150 | "README.compromised-keys.gz for more details." | ||
151 | msgstr "" | ||
152 | "PoužÃvateľské kľúÄe tiež mohol ovplyvniÅ¥ tento problém. Na ÄiastoÄný test " | ||
153 | "zraniteľnosti je možné použiÅ¥ prÃkaz „ssh-vulnkey“. Podrobnosti nájdete v /" | ||
154 | "usr/share/doc/openssh-server/README.compromised-keys.gz" | ||
155 | |||
156 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
157 | #~ msgstr "VytvoriÅ¥ nový konfiguraÄný súbor pre OpenSSH?" | ||
158 | |||
159 | #~ msgid "" | ||
160 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
161 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
162 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
163 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
164 | #~ "will not contain any customizations you made with the old version." | ||
165 | #~ msgstr "" | ||
166 | #~ "Táto verzia OpenSSH má podstatne zmenený konfiguraÄný súbor v porovnanà s " | ||
167 | #~ "versiou, ktorá sa dodávala s Debian „Potato“, z ktorej, zdá sa, " | ||
168 | #~ "aktualizujete. Tento balÃk teraz môže vytvoriÅ¥ nový konfiguraÄný súbor (/" | ||
169 | #~ "etc/ssh/sshd.config), ktorý bude fungovať s novou verziou servera, ale " | ||
170 | #~ "nebude obsahovať akékoľvek zmeny, ktoré ste urobili v starej verzii." | ||
171 | |||
172 | #~ msgid "" | ||
173 | #~ "Please note that this new configuration file will set the value of " | ||
174 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
175 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
176 | #~ "details about this design choice." | ||
177 | #~ msgstr "" | ||
178 | #~ "ProsÃm, majte na pamäti, že tento nový konfiguraÄný súbor nastavà hodnotu " | ||
179 | #~ "„'PermitRootLogin“ na „áno“ (Äo znamená, že každý, kto pozná heslo úÄtu " | ||
180 | #~ "root, sa bude môcÅ¥ pomocou ssh prihlásiÅ¥ priamo ako root). ProsÃm, " | ||
181 | #~ "preÄÃtajte si podrobnosti o tejto voľbe pri návrhu v súbore README.Debian." | ||
182 | |||
183 | #~ msgid "" | ||
184 | #~ "It is strongly recommended that you choose to generate a new " | ||
185 | #~ "configuration file now." | ||
186 | #~ msgstr "" | ||
187 | #~ "Silne sa odporúÄa, aby ste teraz zvolili vytvorenie nového konfiguraÄného " | ||
188 | #~ "súboru." | ||
diff --git a/debian/po/sv.po b/debian/po/sv.po new file mode 100644 index 000000000..cd28386d0 --- /dev/null +++ b/debian/po/sv.po | |||
@@ -0,0 +1,197 @@ | |||
1 | # translation of openssh.po to swedish | ||
2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the PACKAGE package. | ||
4 | # | ||
5 | # Martin Bagge <martin.bagge@bthstudent.se>, 2008. | ||
6 | msgid "" | ||
7 | msgstr "" | ||
8 | "Project-Id-Version: openssh\n" | ||
9 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
10 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
11 | "PO-Revision-Date: 2008-05-25 23:32+0200\n" | ||
12 | "Last-Translator: Martin Bagge <martin.bagge@bthstudent.se>\n" | ||
13 | "Language-Team: swedish <sv@li.org>\n" | ||
14 | "MIME-Version: 1.0\n" | ||
15 | "Content-Type: text/plain; charset=UTF-8\n" | ||
16 | "Content-Transfer-Encoding: 8bit\n" | ||
17 | "X-Generator: KBabel 1.11.4\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "Vill du riskera att döda aktiva SSH-sessioner?" | ||
24 | |||
25 | #. Type: boolean | ||
26 | #. Description | ||
27 | #: ../openssh-server.templates:1001 | ||
28 | msgid "" | ||
29 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
30 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
31 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
32 | msgstr "" | ||
33 | "Den för närvarande installerade versionen av /etc/init.d/ssh kommer " | ||
34 | "antagligen döda alla körande instanser av sshd. Om du gör denna " | ||
35 | "uppgradering via en SSH-session kommer du sannolikt att kopplas ner och " | ||
36 | "uppgraderingsprocessen lämnas ofärdig." | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | msgid "" | ||
42 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
43 | "start-stop-daemon line in the stop section of the file." | ||
44 | msgstr "" | ||
45 | "Det här kan rättas till genom att manuellt lägga till \"--pidfile /var/run/" | ||
46 | "sshd.pid\" till raden \"start-stop-daemon\" i sektionen \"stop\" i filen." | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "New host key mandatory" | ||
52 | msgstr "Ny värdnyckel är obligatorisk" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "" | ||
58 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
59 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
60 | "utility from the old (non-free) SSH installation does not appear to be " | ||
61 | "available." | ||
62 | msgstr "" | ||
63 | "Den aktuella värdnyckeln i /etc/ssh/ssh_host_key är krypterad med IDEA-" | ||
64 | "algoritmen. OpenSSH kan inte hantera den här värdnyckelfilen och verktyget " | ||
65 | "ssh-keygen från den gamla (ickefria) SSH-installationen verkar inte finnas " | ||
66 | "tillgänglig." | ||
67 | |||
68 | #. Type: note | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:2001 | ||
71 | msgid "You need to manually generate a new host key." | ||
72 | msgstr "Du behöver manuellt generera en ny värdnyckel." | ||
73 | |||
74 | #. Type: boolean | ||
75 | #. Description | ||
76 | #: ../openssh-server.templates:3001 | ||
77 | msgid "Disable challenge-response authentication?" | ||
78 | msgstr "Inaktivera challenge-response-autentisering?" | ||
79 | |||
80 | #. Type: boolean | ||
81 | #. Description | ||
82 | #: ../openssh-server.templates:3001 | ||
83 | msgid "" | ||
84 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
85 | "configuration. In order to prevent users from logging in using passwords " | ||
86 | "(perhaps using only public key authentication instead) with recent versions " | ||
87 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
88 | "ensure that your PAM configuration does not allow Unix password file " | ||
89 | "authentication." | ||
90 | msgstr "" | ||
91 | "Lösenordsautentisering verkar vara inaktiverat i din aktuella konfiguration " | ||
92 | "av OpenSSH-servern. För att förhindra att användare loggar in med lösenord " | ||
93 | "(istället kanske endast använder publik nyckelautentisering) med senare " | ||
94 | "versioner av OpenSSH, måste du inaktivera challenge-response-autentisering " | ||
95 | "eller försäkra dig om att din PAM-konfiguration inte tillåter autentisering " | ||
96 | "via Unix lösenordsfil." | ||
97 | |||
98 | #. Type: boolean | ||
99 | #. Description | ||
100 | #: ../openssh-server.templates:3001 | ||
101 | msgid "" | ||
102 | "If you disable challenge-response authentication, then users will not be " | ||
103 | "able to log in using passwords. If you leave it enabled (the default " | ||
104 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
105 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
106 | msgstr "" | ||
107 | "Om du inaktiverar challenge-response-autentisering så kan användarna inte " | ||
108 | "logga in med lösenord. Om du lämnar det aktiverat (som är standard) så " | ||
109 | "kommer \"PasswordAuthentication no\" inte att ha någon effekt om du inte " | ||
110 | "justerar din PAM-konfiguration i /etc/pam.d/ssh." | ||
111 | |||
112 | #. Type: note | ||
113 | #. Description | ||
114 | #: ../openssh-server.templates:4001 | ||
115 | msgid "Vulnerable host keys will be regenerated" | ||
116 | msgstr "Sårbara värdnycklar kommer att omskapas" | ||
117 | |||
118 | #. Type: note | ||
119 | #. Description | ||
120 | #: ../openssh-server.templates:4001 | ||
121 | msgid "" | ||
122 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
123 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
124 | "these host keys are from a well-known set, are subject to brute-force " | ||
125 | "attacks, and must be regenerated." | ||
126 | msgstr "" | ||
127 | "Några av värdnycklarna för OpenSSH skapades med en version av OpenSSL som " | ||
128 | "innehöll ett fel i slumptalsgeneratorn. På grund av detta är värden sårbar " | ||
129 | "för en så kallad brute force-attack då nycklarna kommer från ett litet och " | ||
130 | "välkänt spektra." | ||
131 | |||
132 | #. Type: note | ||
133 | #. Description | ||
134 | #: ../openssh-server.templates:4001 | ||
135 | msgid "" | ||
136 | "Users of this system should be informed of this change, as they will be " | ||
137 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
138 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
139 | "the new host keys." | ||
140 | msgstr "" | ||
141 | "Användarna på det här systemet borde informeras om den här förändringen då " | ||
142 | "de kommer att bli varse bytet av värdnyckel nästa gång de loggar in. Använd " | ||
143 | "'ssh-keygen -l -f HOST_KEY_FILE' efter uppgraderingen har slutförst för att " | ||
144 | "skriva ut fingeravtrycken för de nya värdnycklarna" | ||
145 | |||
146 | #. Type: note | ||
147 | #. Description | ||
148 | #: ../openssh-server.templates:4001 | ||
149 | msgid "The affected host keys are:" | ||
150 | msgstr "De drabbade värdnycklarna är:" | ||
151 | |||
152 | #. Type: note | ||
153 | #. Description | ||
154 | #: ../openssh-server.templates:4001 | ||
155 | msgid "" | ||
156 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
157 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
158 | "README.compromised-keys.gz for more details." | ||
159 | msgstr "" | ||
160 | "Användarnycklar kan också vara drabbade av detta fel. Kommandot 'ssh-" | ||
161 | "vulnkey' kan användas som ett deltest. Läs /usr/share/doc/openssh-server/" | ||
162 | "README.compromised-keys.gz för mer ingående detaljer." | ||
163 | |||
164 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
165 | #~ msgstr "Generera en ny konfigurationsfil för OpenSSH?" | ||
166 | |||
167 | #~ msgid "" | ||
168 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
169 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
170 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
171 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
172 | #~ "will not contain any customizations you made with the old version." | ||
173 | #~ msgstr "" | ||
174 | #~ "Denna version av OpenSSH har ändrat konfigurationsfilen ansenligt från " | ||
175 | #~ "den version som skickades med i Debians \"Potato\"-utgåva som du verkar " | ||
176 | #~ "uppgradera från. Detta paket kan nu generera en ny konfigurationsfil (/" | ||
177 | #~ "etc/ssh/sshd.config) som kommer att fungera med den nya serverversionen " | ||
178 | #~ "men kommer inte att innehålla några anpassningar som du gjorde med den " | ||
179 | #~ "gamla versionen." | ||
180 | |||
181 | #~ msgid "" | ||
182 | #~ "Please note that this new configuration file will set the value of " | ||
183 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
184 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
185 | #~ "details about this design choice." | ||
186 | #~ msgstr "" | ||
187 | #~ "Observera att den nya konfigurationsfilen kommer att ställa in värdet för " | ||
188 | #~ "\"PermitRootLogin\" till \"yes\" (vilket betyder att vem som helst som " | ||
189 | #~ "kan root-lösenordet kan logga in direkt som root). Läs filen README." | ||
190 | #~ "Debian för mer information om det här designvalet." | ||
191 | |||
192 | #~ msgid "" | ||
193 | #~ "It is strongly recommended that you choose to generate a new " | ||
194 | #~ "configuration file now." | ||
195 | #~ msgstr "" | ||
196 | #~ "Det rekommenderas starkt att du väljer att generera en ny " | ||
197 | #~ "konfigurationsfil nu." | ||
diff --git a/debian/po/ta.po b/debian/po/ta.po new file mode 100644 index 000000000..cab323a83 --- /dev/null +++ b/debian/po/ta.po | |||
@@ -0,0 +1,181 @@ | |||
1 | # translation of openssh.po to TAMIL | ||
2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the PACKAGE package. | ||
4 | # | ||
5 | # Dr.T.Vasudevan <agnihot3@gmail.com>, 2007. | ||
6 | msgid "" | ||
7 | msgstr "" | ||
8 | "Project-Id-Version: openssh\n" | ||
9 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
10 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
11 | "PO-Revision-Date: 2007-04-24 20:52+0530\n" | ||
12 | "Last-Translator: Dr.T.Vasudevan <agnihot3@gmail.com>\n" | ||
13 | "Language-Team: TAMIL <ubuntu-l10n-tam@lists.ubuntu.com>\n" | ||
14 | "MIME-Version: 1.0\n" | ||
15 | "Content-Type: text/plain; charset=UTF-8\n" | ||
16 | "Content-Transfer-Encoding: 8bit\n" | ||
17 | "X-Generator: KBabel 1.11.4\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "" | ||
24 | "செயலில௠இரà¯à®•à¯à®•à¯à®®à¯ எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ அமரà¯à®µà¯à®•à®³à¯ˆ செயல௠நீகà¯à®•à®®à¯ செயà¯à®µà®¤à¯ˆ அனà¯à®®à®¤à®¿à®•à¯à®• விரà¯à®®à¯à®ªà¯à®•à®¿à®±à¯€à®•à®³à®¾?" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | msgid "" | ||
30 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
31 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
32 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
33 | msgstr "" | ||
34 | "இபà¯à®ªà¯‹à®¤à¯ நிறà¯à®µà®¿à®¯à¯à®³à¯à®³ /etc/init.d/ssh பதிபà¯à®ªà¯ எலà¯à®²à®¾ செயலில௠இரà¯à®•à¯à®•à¯à®®à¯ எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ " | ||
35 | "அமரà¯à®µà¯à®•à®³à¯ˆ செயல௠நீகà¯à®•à®®à¯ செயà¯à®¯à¯à®®à¯. நீஙà¯à®•à®³à¯ இநà¯à®¤ மேமà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ˆ எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ அமரà¯à®µà¯ வழியாக செயà¯à®¤à¯ " | ||
36 | "கொணà¯à®Ÿà®¿à®°à¯à®¨à¯à®¤à®¾à®²à¯ வலை இணபà¯à®ªà¯ தà¯à®£à¯à®Ÿà®¿à®•à¯à®•à®ªà¯à®ªà®Ÿà¯à®Ÿà¯ மேமà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ நிறைவà¯à®±à®¾à®¤à¯." | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | msgid "" | ||
42 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
43 | "start-stop-daemon line in the stop section of the file." | ||
44 | msgstr "" | ||
45 | "இத௠கைமà¯à®±à¯ˆà®¯à®¾à®• கோபà¯à®ªà®¿à®©à¯ நிறà¯à®¤à¯à®¤à¯ பகà¯à®¤à®¿à®¯à®¿à®²à¯ ஆரமà¯à®ªà®¿-நிறà¯à®¤à¯à®¤à¯-கிஙà¯à®•à®°à®©à¯ வரியில௠\"--" | ||
46 | "pidfile /var/run/sshd.pid\" என சேரà¯à®ªà¯à®ªà®¤à®¾à®²à¯ சரி செயà¯à®¯à®ªà¯à®ªà®Ÿà¯à®®à¯." | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "New host key mandatory" | ||
52 | msgstr "பà¯à®¤à®¿à®¯ பà¯à®°à®µà®²à®©à¯ விசை கடà¯à®Ÿà®¾à®¯à®®à®¾à®•à¯à®®à¯" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "" | ||
58 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
59 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
60 | "utility from the old (non-free) SSH installation does not appear to be " | ||
61 | "available." | ||
62 | msgstr "" | ||
63 | "இபà¯à®ªà¯‹à®¤à¯ˆà®¯ /etc/ssh/ssh_host_key இல௠உளà¯à®³ பà¯à®°à®µà®²à®©à¯ விசை IDEA அலà¯à®•à®¾à®°à®¿à®¤à®¤à¯à®¤à®¿à®²à¯ கà¯à®±à®¿à®¯à¯€à®Ÿà¯ " | ||
64 | "செயà¯à®¯à®ªà¯à®ªà®Ÿà¯à®Ÿà®¤à¯. இநà¯à®¤ பà¯à®°à®µà®²à®©à¯ விசையை ஓபன௠எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ கையாள இயலாதà¯. பழைய பதிபà¯à®ªà®¿à®²à®¿à®°à¯à®¨à¯à®¤à¯ " | ||
65 | "ssh-keygen பயனà¯à®ªà®¾à®Ÿà¯ இரà¯à®ªà¯à®ªà®¿à®²à¯ இலà¯à®²à¯ˆ." | ||
66 | |||
67 | #. Type: note | ||
68 | #. Description | ||
69 | #: ../openssh-server.templates:2001 | ||
70 | msgid "You need to manually generate a new host key." | ||
71 | msgstr "நீஙà¯à®•à®³à¯ கைமà¯à®±à¯ˆà®¯à®¾à®• பà¯à®¤à®¿à®¯ பà¯à®°à®µà®²à®©à¯ விசையை உரà¯à®µà®¾à®•à¯à®• வேணà¯à®Ÿà¯à®®à¯." | ||
72 | |||
73 | #. Type: boolean | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:3001 | ||
76 | msgid "Disable challenge-response authentication?" | ||
77 | msgstr "கேளà¯à®µà®¿ பதில௠உறà¯à®¤à®¿à®ªà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ˆ செயலிழகà¯à®• செயà¯à®¯à®µà®¾?" | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "" | ||
83 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
84 | "configuration. In order to prevent users from logging in using passwords " | ||
85 | "(perhaps using only public key authentication instead) with recent versions " | ||
86 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
87 | "ensure that your PAM configuration does not allow Unix password file " | ||
88 | "authentication." | ||
89 | msgstr "" | ||
90 | "இபà¯à®ªà¯‹à®¤à¯ˆà®¯ ஓபன௠எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ சேவையக வடிவமைபà¯à®ªà®¿à®²à¯ கடவà¯à®šà¯à®šà¯Šà®²à¯ உறà¯à®¤à®¿à®ªà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ˆ செயலிழகà¯à®• " | ||
91 | "செயà¯à®¤à¯à®³à¯à®³à®¤à¯. (திறநà¯à®¤ விசையை பயனà¯à®ªà®Ÿà¯à®¤à¯à®¤à®¿) பயனரà¯à®•à®³à¯ உளà¯à®¨à¯à®´à¯ˆà®µà®¤à¯ˆ தடà¯à®•à¯à®• சமீபதà¯à®¤à®¿à®¯ ஓபன௠" | ||
92 | "எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ பதிபà¯à®ªà¯à®•à®³à®¿à®²à¯ நீஙà¯à®•à®³à¯ கேளà¯à®µà®¿ பதில௠உறà¯à®¤à®¿à®ªà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ˆ செயலிழகà¯à®• செயà¯à®¯ வேணà¯à®Ÿà¯à®®à¯. அலà¯à®²à®¤à¯ " | ||
93 | "உஙà¯à®•à®³à¯ பாம௠வடிவமைபà¯à®ªà¯ யூனிகà¯à®¸à¯ கடவà¯à®šà¯à®šà¯Šà®²à¯ கோபà¯à®ªà¯ உறà¯à®¤à®¿à®ªà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ˆ à®à®±à¯à®•à®¾à®¤à®µà®¾à®±à¯ அமைகà¯à®• " | ||
94 | "வேணà¯à®Ÿà¯à®®à¯." | ||
95 | |||
96 | #. Type: boolean | ||
97 | #. Description | ||
98 | #: ../openssh-server.templates:3001 | ||
99 | msgid "" | ||
100 | "If you disable challenge-response authentication, then users will not be " | ||
101 | "able to log in using passwords. If you leave it enabled (the default " | ||
102 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
103 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
104 | msgstr "" | ||
105 | "நீஙà¯à®•à®³à¯ கேளà¯à®µà®¿ பதில௠உறà¯à®¤à®¿à®ªà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ˆ செயலிழகà¯à®• செயà¯à®¤à®¾à®²à¯ பயனரà¯à®•à®³à¯ கடவà¯à®šà¯à®šà¯Šà®±à¯à®•à®³à¯ˆ பயன௠படà¯à®¤à¯à®¤à®¿ " | ||
106 | "உள௠நà¯à®´à¯ˆà®¯ இயலாதà¯. அதை செயல௠படசà¯à®šà¯†à®¯à¯à®¤à®¾à®²à¯ (கடவà¯à®šà¯à®šà¯Šà®²à¯ உறà¯à®¤à®¿à®ªà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ தேரà¯à®µà¯ இலà¯à®²à¯ˆ) " | ||
107 | "'PasswordAuthentication no' தேரà¯à®µà¯ /etc/pam.d/ssh இல௠பாம௠வடிவமைபà¯à®ªà¯ˆ சரி " | ||
108 | "செயà¯à®¤à®¾à®²à¯ ஒழிய பயன௠தராதà¯." | ||
109 | |||
110 | #. Type: note | ||
111 | #. Description | ||
112 | #: ../openssh-server.templates:4001 | ||
113 | msgid "Vulnerable host keys will be regenerated" | ||
114 | msgstr "" | ||
115 | |||
116 | #. Type: note | ||
117 | #. Description | ||
118 | #: ../openssh-server.templates:4001 | ||
119 | msgid "" | ||
120 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
121 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
122 | "these host keys are from a well-known set, are subject to brute-force " | ||
123 | "attacks, and must be regenerated." | ||
124 | msgstr "" | ||
125 | |||
126 | #. Type: note | ||
127 | #. Description | ||
128 | #: ../openssh-server.templates:4001 | ||
129 | msgid "" | ||
130 | "Users of this system should be informed of this change, as they will be " | ||
131 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
132 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
133 | "the new host keys." | ||
134 | msgstr "" | ||
135 | |||
136 | #. Type: note | ||
137 | #. Description | ||
138 | #: ../openssh-server.templates:4001 | ||
139 | msgid "The affected host keys are:" | ||
140 | msgstr "" | ||
141 | |||
142 | #. Type: note | ||
143 | #. Description | ||
144 | #: ../openssh-server.templates:4001 | ||
145 | msgid "" | ||
146 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
147 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
148 | "README.compromised-keys.gz for more details." | ||
149 | msgstr "" | ||
150 | |||
151 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
152 | #~ msgstr "ஓபன௠எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ கà¯à®•à¯ பà¯à®¤à®¿à®¯ வடிவமைபà¯à®ªà¯ கோபà¯à®ªà¯ˆ உரà¯à®µà®¾à®•à¯à®•à®µà®¾?" | ||
153 | |||
154 | #~ msgid "" | ||
155 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
156 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
157 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
158 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
159 | #~ "will not contain any customizations you made with the old version." | ||
160 | #~ msgstr "" | ||
161 | #~ "இநà¯à®¤ பதிபà¯à®ªà¯ ஓபன௠எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ நீஙà¯à®•à®³à¯ மேமà¯à®ªà®Ÿà¯à®¤à¯à®¤à¯à®®à¯ டெபியன௠பொடாடோவில௠அமைநà¯à®¤ பதிபà¯à®ªà¯ˆ " | ||
162 | #~ "காடà¯à®Ÿà®¿à®²à¯à®®à¯ மிக மாறிய வடிவம௠உடையதà¯. இநà¯à®¤ பொதி இபà¯à®ªà¯‹à®¤à¯ பà¯à®¤à®¿à®¯ வடிவமைபà¯à®ªà¯ கோபà¯à®ªà¯ˆ " | ||
163 | #~ "உரà¯à®µà®¾à®•à¯à®•à¯à®®à¯. (/etc/ssh/sshd.config). இத௠பà¯à®¤à®¿à®¯ சேவையக பதிபà¯à®ªà®¿à®²à¯ வேலை செயà¯à®¯à¯à®®à¯. " | ||
164 | #~ "ஆனால௠நீஙà¯à®•à®³à¯ பழைய பதிபà¯à®ªà®¿à®²à¯ செயà¯à®¤ தனிபà¯à®ªà®Ÿà¯à®¤à¯à®¤à®²à¯ இயலாதà¯." | ||
165 | |||
166 | #~ msgid "" | ||
167 | #~ "Please note that this new configuration file will set the value of " | ||
168 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
169 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
170 | #~ "details about this design choice." | ||
171 | #~ msgstr "" | ||
172 | #~ "இநà¯à®¤ பà¯à®¤à®¿à®¯ வடிவமைபà¯à®ªà¯ கோபà¯à®ªà¯ 'PermitRootLogin மதிபà¯à®ªà¯ˆ ஆம௠என அமைகà¯à®•à¯à®®à¯ என " | ||
173 | #~ "அறியவà¯à®®à¯. அதாவத௠ரூட௠கடவà¯à®šà¯à®šà¯Šà®²à¯ அறிநà¯à®¤ யாரà¯à®®à¯ ரூடà¯à®Ÿà®¾à®• ஓபன௠எஸà¯à®Žà®¸à¯à®¹à¯†à®šà¯ வழியே " | ||
174 | #~ "உளà¯à®¨à¯à®´à¯ˆà®¯à®²à®¾à®®à¯. இநà¯à®¤ வடிவமைபà¯à®ªà¯ கà¯à®±à®¿à®¤à¯à®¤à¯ மேலà¯à®®à¯ README.Debian கோபà¯à®ªà®¿à®²à¯ காணவà¯à®®à¯." | ||
175 | |||
176 | #~ msgid "" | ||
177 | #~ "It is strongly recommended that you choose to generate a new " | ||
178 | #~ "configuration file now." | ||
179 | #~ msgstr "" | ||
180 | #~ "நீஙà¯à®•à®³à¯ இபà¯à®ªà¯‹à®¤à¯ பà¯à®¤à®¿à®¯ வடிவமைபà¯à®ªà¯ கோபà¯à®ªà¯ˆ உரà¯à®µà®¾à®•à¯à®• தேரà¯à®µà¯ செயà¯à®¯ பலமாக " | ||
181 | #~ "பரிநà¯à®¤à¯à®°à¯ˆà®•à¯à®•à®ªà¯à®ªà®Ÿà¯à®•à®¿à®±à®¤à¯." | ||
diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 000000000..de8023b07 --- /dev/null +++ b/debian/po/templates.pot | |||
@@ -0,0 +1,131 @@ | |||
1 | # SOME DESCRIPTIVE TITLE. | ||
2 | # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER | ||
3 | # This file is distributed under the same license as the PACKAGE package. | ||
4 | # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. | ||
5 | # | ||
6 | #, fuzzy | ||
7 | msgid "" | ||
8 | msgstr "" | ||
9 | "Project-Id-Version: PACKAGE VERSION\n" | ||
10 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
11 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
12 | "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" | ||
13 | "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" | ||
14 | "Language-Team: LANGUAGE <LL@li.org>\n" | ||
15 | "MIME-Version: 1.0\n" | ||
16 | "Content-Type: text/plain; charset=CHARSET\n" | ||
17 | "Content-Transfer-Encoding: 8bit\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "" | ||
24 | |||
25 | #. Type: boolean | ||
26 | #. Description | ||
27 | #: ../openssh-server.templates:1001 | ||
28 | msgid "" | ||
29 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
30 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
31 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
32 | msgstr "" | ||
33 | |||
34 | #. Type: boolean | ||
35 | #. Description | ||
36 | #: ../openssh-server.templates:1001 | ||
37 | msgid "" | ||
38 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
39 | "start-stop-daemon line in the stop section of the file." | ||
40 | msgstr "" | ||
41 | |||
42 | #. Type: note | ||
43 | #. Description | ||
44 | #: ../openssh-server.templates:2001 | ||
45 | msgid "New host key mandatory" | ||
46 | msgstr "" | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "" | ||
52 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
53 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
54 | "utility from the old (non-free) SSH installation does not appear to be " | ||
55 | "available." | ||
56 | msgstr "" | ||
57 | |||
58 | #. Type: note | ||
59 | #. Description | ||
60 | #: ../openssh-server.templates:2001 | ||
61 | msgid "You need to manually generate a new host key." | ||
62 | msgstr "" | ||
63 | |||
64 | #. Type: boolean | ||
65 | #. Description | ||
66 | #: ../openssh-server.templates:3001 | ||
67 | msgid "Disable challenge-response authentication?" | ||
68 | msgstr "" | ||
69 | |||
70 | #. Type: boolean | ||
71 | #. Description | ||
72 | #: ../openssh-server.templates:3001 | ||
73 | msgid "" | ||
74 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
75 | "configuration. In order to prevent users from logging in using passwords " | ||
76 | "(perhaps using only public key authentication instead) with recent versions " | ||
77 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
78 | "ensure that your PAM configuration does not allow Unix password file " | ||
79 | "authentication." | ||
80 | msgstr "" | ||
81 | |||
82 | #. Type: boolean | ||
83 | #. Description | ||
84 | #: ../openssh-server.templates:3001 | ||
85 | msgid "" | ||
86 | "If you disable challenge-response authentication, then users will not be " | ||
87 | "able to log in using passwords. If you leave it enabled (the default " | ||
88 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
89 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
90 | msgstr "" | ||
91 | |||
92 | #. Type: note | ||
93 | #. Description | ||
94 | #: ../openssh-server.templates:4001 | ||
95 | msgid "Vulnerable host keys will be regenerated" | ||
96 | msgstr "" | ||
97 | |||
98 | #. Type: note | ||
99 | #. Description | ||
100 | #: ../openssh-server.templates:4001 | ||
101 | msgid "" | ||
102 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
103 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
104 | "these host keys are from a well-known set, are subject to brute-force " | ||
105 | "attacks, and must be regenerated." | ||
106 | msgstr "" | ||
107 | |||
108 | #. Type: note | ||
109 | #. Description | ||
110 | #: ../openssh-server.templates:4001 | ||
111 | msgid "" | ||
112 | "Users of this system should be informed of this change, as they will be " | ||
113 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
114 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
115 | "the new host keys." | ||
116 | msgstr "" | ||
117 | |||
118 | #. Type: note | ||
119 | #. Description | ||
120 | #: ../openssh-server.templates:4001 | ||
121 | msgid "The affected host keys are:" | ||
122 | msgstr "" | ||
123 | |||
124 | #. Type: note | ||
125 | #. Description | ||
126 | #: ../openssh-server.templates:4001 | ||
127 | msgid "" | ||
128 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
129 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
130 | "README.compromised-keys.gz for more details." | ||
131 | msgstr "" | ||
diff --git a/debian/po/tr.po b/debian/po/tr.po new file mode 100644 index 000000000..cff4ffae9 --- /dev/null +++ b/debian/po/tr.po | |||
@@ -0,0 +1,377 @@ | |||
1 | # Turkish translation of ssh. | ||
2 | # This file is distributed under the same license as the ssh package. | ||
3 | # Mert Dirik <mertdirik@gmail.com>, 2008. | ||
4 | # Recai OktaÅŸ <roktas@omu.edu.tr>, 2004. | ||
5 | # | ||
6 | msgid "" | ||
7 | msgstr "" | ||
8 | "Project-Id-Version: ssh\n" | ||
9 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
10 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
11 | "PO-Revision-Date: 2008-05-23 16:24+0200\n" | ||
12 | "Last-Translator: Mert Dirik <mertdirik@gmail.com>\n" | ||
13 | "Language-Team: Turkish <debian-l10n-turkish@lists.debian.org>\n" | ||
14 | "MIME-Version: 1.0\n" | ||
15 | "Content-Type: text/plain; charset=UTF-8\n" | ||
16 | "Content-Transfer-Encoding: 8bit\n" | ||
17 | "Plural-Forms: nplurals=1; plural=0;\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "Etkin SSH oturumlarının öldürülmesi riskini göze alıyor musunuz?" | ||
24 | |||
25 | #. Type: boolean | ||
26 | #. Description | ||
27 | #: ../openssh-server.templates:1001 | ||
28 | msgid "" | ||
29 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
30 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
31 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
32 | msgstr "" | ||
33 | "Kurmuş olduğunuz /etc/init.d/ssh sürümü büyük olasılıkla, çalışıyor olan tüm " | ||
34 | "sshd süreçlerini öldürecek. Bu yükseltmeyi bir ssh oturumu üzerinden " | ||
35 | "yapıyorsanız büyük olasılıkla bağlantınız kopacak ve yükseltme işlemi yarım " | ||
36 | "kalacak." | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | msgid "" | ||
42 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
43 | "start-stop-daemon line in the stop section of the file." | ||
44 | msgstr "" | ||
45 | "Bu sorunu dosyanın (/etc/init.d/ssh) stop bölümündeki start-stop-daemon " | ||
46 | "satırına \"--pidfile /var/run/sshd.pid\" ekleyerek düzeltebilirsiniz." | ||
47 | |||
48 | #. Type: note | ||
49 | #. Description | ||
50 | #: ../openssh-server.templates:2001 | ||
51 | msgid "New host key mandatory" | ||
52 | msgstr "Yeni makine anahtarı zorunlu" | ||
53 | |||
54 | #. Type: note | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:2001 | ||
57 | msgid "" | ||
58 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
59 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
60 | "utility from the old (non-free) SSH installation does not appear to be " | ||
61 | "available." | ||
62 | msgstr "" | ||
63 | "Şu anda kullandığınız makine anahtarı, /etc/ssh/ssh_host_key, IDEA " | ||
64 | "algoritmasıyla şifrelenmiş. OpenSSH bu anahtar dosyasını yönetemez; ayrıca " | ||
65 | "eski (özgür olmayan) SSH kurulumuna ait ssh-keygen aracı da ulaşılabilir " | ||
66 | "deÄŸil." | ||
67 | |||
68 | #. Type: note | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:2001 | ||
71 | msgid "You need to manually generate a new host key." | ||
72 | msgstr "Yeni bir makine anahtarı oluşturmanız gerekiyor." | ||
73 | |||
74 | #. Type: boolean | ||
75 | #. Description | ||
76 | #: ../openssh-server.templates:3001 | ||
77 | msgid "Disable challenge-response authentication?" | ||
78 | msgstr "Sorgula-yanıtla yöntemiyle kimlik doğrulama devre dışı bırakılsın mı?" | ||
79 | |||
80 | #. Type: boolean | ||
81 | #. Description | ||
82 | #: ../openssh-server.templates:3001 | ||
83 | msgid "" | ||
84 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
85 | "configuration. In order to prevent users from logging in using passwords " | ||
86 | "(perhaps using only public key authentication instead) with recent versions " | ||
87 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
88 | "ensure that your PAM configuration does not allow Unix password file " | ||
89 | "authentication." | ||
90 | msgstr "" | ||
91 | "Şu anda kullanılan OpenSSH yapılandırmasında parola ile kimlik doğrulama " | ||
92 | "devre dışı gibi görünüyor. OpenSSH'ın yeni versiyonlarında kullanıcıların " | ||
93 | "parola kullanarak oturum açmalarını engellemek için (belki bunun yerine " | ||
94 | "açık anahtar yöntemiyle kimlik doğrulamayı kullanabilirsiniz) sorgula-" | ||
95 | "yanıtla yöntemiyle kimlik doğrulamayı devre dışı bırakmalı ya da PAM " | ||
96 | "yapılandırmanızın Unix parola dosyası yöntemiyle kimlik doğrulamaya izin " | ||
97 | "vermediğinden emin olmalısınız." | ||
98 | |||
99 | #. Type: boolean | ||
100 | #. Description | ||
101 | #: ../openssh-server.templates:3001 | ||
102 | msgid "" | ||
103 | "If you disable challenge-response authentication, then users will not be " | ||
104 | "able to log in using passwords. If you leave it enabled (the default " | ||
105 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
106 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
107 | msgstr "" | ||
108 | "Sorgula-yanıtla kimlik doğrulamayı devre dışı bırakırsanız, kullanıcılar " | ||
109 | "parola kullanarak oturum açamayacaklar. Eğer sorgula-yanıtla kimlik " | ||
110 | "doğrulamayı etkin halde bırakırsanız (öntanımlı yanıt); /etc/pam.d/ssh'daki " | ||
111 | "PAM yapılandırmasını ayarlamadığınız sürece 'PasswordAuthentication no' " | ||
112 | "seçeneği bir işe yaramayacak." | ||
113 | |||
114 | #. Type: note | ||
115 | #. Description | ||
116 | #: ../openssh-server.templates:4001 | ||
117 | msgid "Vulnerable host keys will be regenerated" | ||
118 | msgstr "Saldırıya açık makine anahtarları yeniden yaratılacak" | ||
119 | |||
120 | #. Type: note | ||
121 | #. Description | ||
122 | #: ../openssh-server.templates:4001 | ||
123 | msgid "" | ||
124 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
125 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
126 | "these host keys are from a well-known set, are subject to brute-force " | ||
127 | "attacks, and must be regenerated." | ||
128 | msgstr "" | ||
129 | "Bu sistemdeki OpenSSH sunucusu makine anahtarlarından bazıları OpenSSL'in " | ||
130 | "rastgele sayı üreticisi bozuk olan bir versiyonuyla oluşturulmuş. Sonuç " | ||
131 | "olarak, bu makine anahtarları iyi bilinen bir gruptan ve kaba kuvvet " | ||
132 | "saldırılarına açık. Bu anahtarlar yeniden oluşturulmalı." | ||
133 | |||
134 | #. Type: note | ||
135 | #. Description | ||
136 | #: ../openssh-server.templates:4001 | ||
137 | msgid "" | ||
138 | "Users of this system should be informed of this change, as they will be " | ||
139 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
140 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
141 | "the new host keys." | ||
142 | msgstr "" | ||
143 | "Bu sistemin kullanıcılarını makine anahtarı değişikliğinden haberdar " | ||
144 | "etmelisiniz, çünkü kullanıcılar sisteme ilk oturum açışlarında uyarılacak " | ||
145 | "ve kullanıcılara oturum açmaya devam etmek isteyip istemedikleri sorulacak. " | ||
146 | "Yeni makine anahtarlarının parmak izlerini görmek için yükseltmeden sonra " | ||
147 | "'ssh-keygen -l -f MAKİNE_ANAHTARI_DOSYASI' komutunu kullanın." | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "The affected host keys are:" | ||
153 | msgstr "Etkilenmiş makine anahtarları:" | ||
154 | |||
155 | #. Type: note | ||
156 | #. Description | ||
157 | #: ../openssh-server.templates:4001 | ||
158 | msgid "" | ||
159 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
160 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
161 | "README.compromised-keys.gz for more details." | ||
162 | msgstr "" | ||
163 | "Kullanıcı anahtarları da bu sorundan etkilenebilir. 'ssh-vulnkey' komutu bu " | ||
164 | "sorun için kısmi bir test olarak kullanılabilir. Ayrıntılar için /usr/share/" | ||
165 | "doc/openssh-server/README.compromised-keys.gz belgesine bakın." | ||
166 | |||
167 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
168 | #~ msgstr "OpenSSH için yeni yapılandırma dosyası oluşturulsun mu?" | ||
169 | |||
170 | #~ msgid "" | ||
171 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
172 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
173 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
174 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
175 | #~ "will not contain any customizations you made with the old version." | ||
176 | #~ msgstr "" | ||
177 | #~ "Debian 'Potato' dağıtımından yükseltme yapmış gibi görünüyorsunuz. " | ||
178 | #~ "OpenSSH'ın bu sürümü Debian 'Potato' ile birlikte gelen sürümden çok " | ||
179 | #~ "farklı bir yapılandırma dosyası kullanmakta. Bu paket şimdi sizin için " | ||
180 | #~ "yeni bir yapılandırma dosyası (/etc/ssh/sshd.config) üretebilir. Bu dosya " | ||
181 | #~ "yeni sunucu sürümüyle çalışacak, fakat eski sürümde yaptığınız " | ||
182 | #~ "özelleştirmeleri içermeyecek." | ||
183 | |||
184 | #~| msgid "" | ||
185 | #~| "Please note that this new configuration file will set the value of " | ||
186 | #~| "'PermitRootLogin' to yes (meaning that anyone knowing the root password " | ||
187 | #~| "can ssh directly in as root). It is the opinion of the maintainer that " | ||
188 | #~| "this is the correct default (see README.Debian for more details), but " | ||
189 | #~| "you can always edit sshd_config and set it to no if you wish." | ||
190 | #~ msgid "" | ||
191 | #~ "Please note that this new configuration file will set the value of " | ||
192 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
193 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
194 | #~ "details about this design choice." | ||
195 | #~ msgstr "" | ||
196 | #~ "Yeni yapılandırma dosyasının 'PermitRootLogin' seçeneğini 'yes' olarak " | ||
197 | #~ "ayarlayacağını (yani root parolasını bilen herhangi birisinin ssh ile " | ||
198 | #~ "doğrudan sisteme girebileceğini) unutmayın. Öntanımlı ayarın böyle olması " | ||
199 | #~ "gerektiği paket geliştiricisinin kanaatidir (ayrıntılar için README." | ||
200 | #~ "Debian dosyasını okuyun)." | ||
201 | |||
202 | #~ msgid "" | ||
203 | #~ "It is strongly recommended that you choose to generate a new " | ||
204 | #~ "configuration file now." | ||
205 | #~ msgstr "" | ||
206 | #~ "Şimdi yeni bir yapılandırma dosyası üretmeyi seçmeniz kuvvetle tavsiye " | ||
207 | #~ "edilir." | ||
208 | |||
209 | #~ msgid "Warning: you must create a new host key" | ||
210 | #~ msgstr "Uyarı: yeni bir makine anahtarı oluşturmalısınız" | ||
211 | |||
212 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
213 | #~ msgstr "Uyarı: telnetd kurulmuş --- bu muhtemelen iyi bir fikir değil" | ||
214 | |||
215 | #~ msgid "" | ||
216 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
217 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
218 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
219 | #~ "unencrypted login/password and session information over the network." | ||
220 | #~ msgstr "" | ||
221 | #~ "Telnetd paketini (eğer gerçekten telnet erişimi sunmak gibi bir " | ||
222 | #~ "zorunluluğunuz yoksa) kaldırmanızı veya en azından, telnet oturumlarında " | ||
223 | #~ "şifrelenmemiş giriş/parola ve oturum bilgilerinin ağ üzerinden " | ||
224 | #~ "gönderilmemesi olanağını sunan telnetd-ssl paketini kurmanızı öneririm." | ||
225 | |||
226 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
227 | #~ msgstr "Uyarı: rsh-server kurulmuş --- bu muhtemelen iyi bir fikir değil" | ||
228 | |||
229 | #~ msgid "" | ||
230 | #~ "having rsh-server installed undermines the security that you were " | ||
231 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
232 | #~ "that package." | ||
233 | #~ msgstr "" | ||
234 | #~ "rsh-server'ın kurulu durumda olması muhtemelen ssh'ı kurmakla elde " | ||
235 | #~ "edilmesini istediğiniz güvenliği gölgeliyor. Bu paketi kaldırmanızı " | ||
236 | #~ "öneririm." | ||
237 | |||
238 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
239 | #~ msgstr "" | ||
240 | #~ "ssh-keysign'ın root haklarıyla kurulmasını (SUID root) ister misiniz?" | ||
241 | |||
242 | #~ msgid "" | ||
243 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
244 | #~ "bit set." | ||
245 | #~ msgstr "" | ||
246 | #~ "ssh-keysign yardımcı aracının SUID bit'i etkinleştirilerek kurulması " | ||
247 | #~ "seçeneğine sahipsiniz." | ||
248 | |||
249 | #~ msgid "" | ||
250 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
251 | #~ "host-based authentication." | ||
252 | #~ msgstr "" | ||
253 | #~ "Eğer ssh-keysign'ı SUID yaparsanız, SSH'ın makine tabanlı Protokol 2 " | ||
254 | #~ "yetkilendirmesini kullanabileceksiniz." | ||
255 | |||
256 | #~ msgid "" | ||
257 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
258 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
259 | #~ msgstr "" | ||
260 | #~ "Bu konuda şüpheliyseniz, size SUID'li kurulumu öneririm. Eğer bu " | ||
261 | #~ "sorunlara yol açarsa ileride fikrinizi değiştirmek için şu komutu " | ||
262 | #~ "çalıştırabilirsiniz: dpkg-reconfigure ssh" | ||
263 | |||
264 | #~ msgid "Allow SSH protocol 2 only" | ||
265 | #~ msgstr "Sadece SSH protokol 2'ye izin ver" | ||
266 | |||
267 | #~ msgid "" | ||
268 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
269 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
270 | #~ "things down on low end machines and might prevent older clients from " | ||
271 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
272 | #~ msgstr "" | ||
273 | #~ "OpenSSH'ın bu sürümü ssh'ın çok daha güvenli olan sürüm 2 protokolünü " | ||
274 | #~ "destekler. Sürüm 1 protokolünün etkisizleştirilmesini teşvik ediyoruz, " | ||
275 | #~ "bununla beraber böyle yapılması halinde düşük düzeyli makinelerde " | ||
276 | #~ "işlemler yavaşlayacak ve eski sürüm ssh istemcilerinden (\"potato\" ile " | ||
277 | #~ "birlikte gelen ssh istemcisi gibi) bağlantı kurulamayacaktır." | ||
278 | |||
279 | #~ msgid "" | ||
280 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
281 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
282 | #~ msgstr "" | ||
283 | #~ "Protokol 1 anahtarları çok farklı olduğundan, sadece protokol 2 " | ||
284 | #~ "bağlantılarına izin vermeniz halinde bu anahtarları kullanamayacağınızı " | ||
285 | #~ "da lütfen not edin." | ||
286 | |||
287 | #~ msgid "" | ||
288 | #~ "If you later change your mind about this setting, README.Debian has " | ||
289 | #~ "instructions on what to do to your sshd_config file." | ||
290 | #~ msgstr "" | ||
291 | #~ "Bu ayar hakkındaki fikriniz ileride değişirse, sshd_config dosyasında " | ||
292 | #~ "yapacağınız işlemlerle ilgili talimatları README.Debian dosyasında " | ||
293 | #~ "bulabilirsiniz." | ||
294 | |||
295 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
296 | #~ msgstr "" | ||
297 | #~ "NOT: X11 yönlendirme ve yetkilendirmesi öntanımlı olarak " | ||
298 | #~ "etkisizleÅŸtirilmiÅŸtir." | ||
299 | |||
300 | #~ msgid "" | ||
301 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
302 | #~ "ForwardAgent set to ``off'' by default." | ||
303 | #~ msgstr "" | ||
304 | #~ "Güvenlik gerekçeleriyle ssh'ın Debian sürümünde ForwardX11 ve " | ||
305 | #~ "ForwardAgent seçenekleri öntanımlı ``off'' değerine ayarlıdır." | ||
306 | |||
307 | #~ msgid "" | ||
308 | #~ "You can enable it for servers you trust, either in one of the " | ||
309 | #~ "configuration files, or with the -X command line option." | ||
310 | #~ msgstr "" | ||
311 | #~ "Güvendiğiniz sunucular için bu seçeneği yapılandırma dosyalarından " | ||
312 | #~ "birinde veya -X komut satırı seçeneğiyle etkinleştirebilirsiniz." | ||
313 | |||
314 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
315 | #~ msgstr "" | ||
316 | #~ "Daha ayrıntılı bilgi /usr/share/doc/ssh/README.Debian dosyasında " | ||
317 | #~ "bulunabilir." | ||
318 | |||
319 | #~ msgid "ssh2 keys merged in configuration files" | ||
320 | #~ msgstr "yapılandırma dosyalarındaki ssh2 anahtarları birleştirildi" | ||
321 | |||
322 | #~ msgid "" | ||
323 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
324 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
325 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
326 | #~ "compatibility" | ||
327 | #~ msgstr "" | ||
328 | #~ "Sürüm 3 itibarıyla OpenSSH artık, ssh1 ve ssh2 için ayrı yapılandırma " | ||
329 | #~ "dosyaları kullanmamaktadır. Bu, authorized_keys2 ve known_hosts2 " | ||
330 | #~ "dosyalarının artık gerekmediği anlamına gelir. Geriye doğru uyumluluğu " | ||
331 | #~ "korumak için bu dosyalar yine de okunacaktır." | ||
332 | |||
333 | #~ msgid "Do you want to run the sshd server?" | ||
334 | #~ msgstr "SSH sunucusu sshd'yi çalıştırmak istiyor musunuz?" | ||
335 | |||
336 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
337 | #~ msgstr "Bu paket hem ssh istemcisini hem de sshd sunucusunu içeriyor." | ||
338 | |||
339 | #~ msgid "" | ||
340 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
341 | #~ "via ssh." | ||
342 | #~ msgstr "" | ||
343 | #~ "Güvenli Kabuk Sunucusu sshd, normalde ssh ile uzaktan girişlere izin " | ||
344 | #~ "vermek için çalıştırılacaktır." | ||
345 | |||
346 | #~ msgid "" | ||
347 | #~ "If you are only interested in using the ssh client for outbound " | ||
348 | #~ "connections on this machine, and don't want to log into it at all using " | ||
349 | #~ "ssh, then you can disable sshd here." | ||
350 | #~ msgstr "" | ||
351 | #~ "Eğer amacınız sadece bu makinedeki dış bağlantılar için ssh istemcisini " | ||
352 | #~ "kullanmak ise ve bu makineye ssh'la girmek gibi bir ÅŸeyi de " | ||
353 | #~ "istemiyorsanız, sshd sunucusunu bu adımda etkisizleştirebilirsiniz." | ||
354 | |||
355 | #~ msgid "Environment options on keys have been deprecated" | ||
356 | #~ msgstr "Anahtarlara ilişkin ortam seçenekleri geçerliliğini kaybetmiştir" | ||
357 | |||
358 | #~ msgid "" | ||
359 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
360 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
361 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
362 | #~ "keys in question will no longer work until the option is removed." | ||
363 | #~ msgstr "" | ||
364 | #~ "OpenSSH'ın bu sürümü belirli atakları önlemek için (ör. LD_PRELOAD) ortak " | ||
365 | #~ "anahtarlara ait ortam seçeneklerini öntanımlı olarak etkisizleştirir. " | ||
366 | #~ "Eğer bu seçeneği bir authorized_keys dosyasında kullanıyorsanız, ilgili " | ||
367 | #~ "seçenek silininceye kadar bu anahtarın artık çalışmayacağını unutmayın." | ||
368 | |||
369 | #~ msgid "" | ||
370 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
371 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
372 | #~ "the sshd_config(5) manual page." | ||
373 | #~ msgstr "" | ||
374 | #~ "Bu seçeneği tekrar etkinleştirmek için, sshd_config(5) kılavuz " | ||
375 | #~ "sayfasındaki uyarı notunu dikkate alarak, sshd yükseltmesi " | ||
376 | #~ "tamamlandığında /etc/ssh/ssh_config dosyasında \"PermitUserEnvironment yes" | ||
377 | #~ "\" satırını kullanın." | ||
diff --git a/debian/po/uk.po b/debian/po/uk.po new file mode 100644 index 000000000..7663a96c0 --- /dev/null +++ b/debian/po/uk.po | |||
@@ -0,0 +1,387 @@ | |||
1 | # translation of openssh to Ukrainian | ||
2 | # | ||
3 | # Translators, if you are not familiar with the PO format, gettext | ||
4 | # documentation is worth reading, especially sections dedicated to | ||
5 | # this format, e.g. by running: | ||
6 | # info -n '(gettext)PO Files' | ||
7 | # info -n '(gettext)Header Entry' | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans# | ||
11 | # Developers do not need to manually edit POT or PO files. | ||
12 | # Eugeniy Meshcheryakov <eugen@univ.kiev.ua>, 2005. | ||
13 | # | ||
14 | msgid "" | ||
15 | msgstr "" | ||
16 | "Project-Id-Version: openssh-uk\n" | ||
17 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
18 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
19 | "PO-Revision-Date: 2005-03-28 22:28+0300\n" | ||
20 | "Last-Translator: Eugeniy Meshcheryakov <eugen@univ.kiev.ua>\n" | ||
21 | "Language-Team: Ukrainian\n" | ||
22 | "MIME-Version: 1.0\n" | ||
23 | "Content-Type: text/plain; charset=UTF-8\n" | ||
24 | "Content-Transfer-Encoding: 8bit\n" | ||
25 | "X-Generator: KBabel 1.9.1\n" | ||
26 | "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%" | ||
27 | "10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" | ||
28 | |||
29 | #. Type: boolean | ||
30 | #. Description | ||
31 | #: ../openssh-server.templates:1001 | ||
32 | #, fuzzy | ||
33 | #| msgid "Do you want to continue (and risk killing active ssh sessions)?" | ||
34 | msgid "Do you want to risk killing active SSH sessions?" | ||
35 | msgstr "" | ||
36 | "Чи бажаєте ви продовжувати (та ризикувати втратити активні ÑеанÑи ssh)?" | ||
37 | |||
38 | #. Type: boolean | ||
39 | #. Description | ||
40 | #: ../openssh-server.templates:1001 | ||
41 | #, fuzzy | ||
42 | #| msgid "" | ||
43 | #| "The version of /etc/init.d/ssh that you have installed, is likely to kill " | ||
44 | #| "all running sshd instances. If you are doing this upgrade via an ssh " | ||
45 | #| "session, that would be a Bad Thing(tm)." | ||
46 | msgid "" | ||
47 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
48 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
49 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
50 | msgstr "" | ||
51 | "ВерÑÑ–Ñ /etc/init.d/ssh, Ñку ви вÑтановили, імовірно зупинить вÑÑ– запущені " | ||
52 | "процеÑи sshd. Якщо ви оновлюєтеÑÑ Ñ‡ÐµÑ€ÐµÐ· ssh, це буде Погана річ (tm)." | ||
53 | |||
54 | #. Type: boolean | ||
55 | #. Description | ||
56 | #: ../openssh-server.templates:1001 | ||
57 | #, fuzzy | ||
58 | #| msgid "" | ||
59 | #| "You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start-" | ||
60 | #| "stop-daemon line in the stop section of the file." | ||
61 | msgid "" | ||
62 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
63 | "start-stop-daemon line in the stop section of the file." | ||
64 | msgstr "" | ||
65 | "Ви можете виправити це, додавши \"--pidfile /var/run/sshd.pid\" до Ñ€Ñдка з " | ||
66 | "викликом start-stop-daemon в чаÑтині зупинки цього файла." | ||
67 | |||
68 | #. Type: note | ||
69 | #. Description | ||
70 | #: ../openssh-server.templates:2001 | ||
71 | msgid "New host key mandatory" | ||
72 | msgstr "" | ||
73 | |||
74 | #. Type: note | ||
75 | #. Description | ||
76 | #: ../openssh-server.templates:2001 | ||
77 | #, fuzzy | ||
78 | msgid "" | ||
79 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
80 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
81 | "utility from the old (non-free) SSH installation does not appear to be " | ||
82 | "available." | ||
83 | msgstr "" | ||
84 | "Старий ключ в /etc/ssh/ssh_host_key зашифрований за допомогою IDEA. OpenSSH " | ||
85 | "не може оброблÑти такий файл ключа вузла, також неможливо знайти програму " | ||
86 | "ssh-keygen зі Ñтарої (невільної) верÑÑ–Ñ— SSH." | ||
87 | |||
88 | #. Type: note | ||
89 | #. Description | ||
90 | #: ../openssh-server.templates:2001 | ||
91 | #, fuzzy | ||
92 | #| msgid "You will need to generate a new host key." | ||
93 | msgid "You need to manually generate a new host key." | ||
94 | msgstr "Вам потрібно Ñтворити новий ключ вузла." | ||
95 | |||
96 | #. Type: boolean | ||
97 | #. Description | ||
98 | #: ../openssh-server.templates:3001 | ||
99 | msgid "Disable challenge-response authentication?" | ||
100 | msgstr "Заборонити автентифікацію запит-відповідь?" | ||
101 | |||
102 | #. Type: boolean | ||
103 | #. Description | ||
104 | #: ../openssh-server.templates:3001 | ||
105 | #, fuzzy | ||
106 | #| msgid "" | ||
107 | #| "Password authentication appears to be disabled in your current OpenSSH " | ||
108 | #| "server configuration. In order to prevent users from logging in using " | ||
109 | #| "passwords (perhaps using only public key authentication instead) with " | ||
110 | #| "recent versions of OpenSSH, you must disable challenge-response " | ||
111 | #| "authentication, or else ensure that your PAM configuration does not allow " | ||
112 | #| "Unix password file authentication." | ||
113 | msgid "" | ||
114 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
115 | "configuration. In order to prevent users from logging in using passwords " | ||
116 | "(perhaps using only public key authentication instead) with recent versions " | ||
117 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
118 | "ensure that your PAM configuration does not allow Unix password file " | ||
119 | "authentication." | ||
120 | msgstr "" | ||
121 | "Схоже, що Ð°Ð²Ñ‚ÐµÐ½Ñ‚Ð¸Ñ„Ñ–ÐºÐ°Ñ†Ñ–Ñ Ð· викориÑтаннÑм паролів заборонена у поточній " | ||
122 | "конфігурації Ñервера OpenSSH. Щоб перешкодити кориÑтувачам реєÑтруватиÑÑ Ð· " | ||
123 | "викориÑтаннÑм паролів (можливо, Ð´Ð»Ñ Ð°Ð²Ñ‚ÐµÐ½Ñ‚Ð¸Ñ„Ñ–ÐºÐ°Ñ†Ñ–Ñ— тільки за допомогою " | ||
124 | "відкритих ключів) з оÑтанніми верÑÑ–Ñми OpenSSH, необхідно заборонити " | ||
125 | "автентифікацію виклик-відгук або впевнитиÑÑ, що Ð½Ð°Ð»Ð°ÑˆÑ‚ÑƒÐ²Ð°Ð½Ð½Ñ PAM не " | ||
126 | "дозволÑÑŽÑ‚ÑŒ автентифікацію за допомогою файла паролів Unix." | ||
127 | |||
128 | #. Type: boolean | ||
129 | #. Description | ||
130 | #: ../openssh-server.templates:3001 | ||
131 | msgid "" | ||
132 | "If you disable challenge-response authentication, then users will not be " | ||
133 | "able to log in using passwords. If you leave it enabled (the default " | ||
134 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
135 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
136 | msgstr "" | ||
137 | "Якщо ви забороните автентифікацію виклик-відгук, то ваші кориÑтувачі не " | ||
138 | "зможуть реєÑтруватиÑÑ Ð²Ð¸ÐºÐ¾Ñ€Ð¸Ñтовуючи паролі. Якщо ви залишите Ñ—Ñ— дозволеною " | ||
139 | "(відповідь за замовчаннÑм), то Ð¾Ð¿Ñ†Ñ–Ñ 'PasswordAuthentication no' не буде " | ||
140 | "мати кориÑного ефекту доки ви не приÑтоÑуєте також Ð½Ð°Ð»Ð°ÑˆÑ‚ÑƒÐ²Ð°Ð½Ð½Ñ PAM в /etc/" | ||
141 | "pam.d/ssh." | ||
142 | |||
143 | #. Type: note | ||
144 | #. Description | ||
145 | #: ../openssh-server.templates:4001 | ||
146 | msgid "Vulnerable host keys will be regenerated" | ||
147 | msgstr "" | ||
148 | |||
149 | #. Type: note | ||
150 | #. Description | ||
151 | #: ../openssh-server.templates:4001 | ||
152 | msgid "" | ||
153 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
154 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
155 | "these host keys are from a well-known set, are subject to brute-force " | ||
156 | "attacks, and must be regenerated." | ||
157 | msgstr "" | ||
158 | |||
159 | #. Type: note | ||
160 | #. Description | ||
161 | #: ../openssh-server.templates:4001 | ||
162 | msgid "" | ||
163 | "Users of this system should be informed of this change, as they will be " | ||
164 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
165 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
166 | "the new host keys." | ||
167 | msgstr "" | ||
168 | |||
169 | #. Type: note | ||
170 | #. Description | ||
171 | #: ../openssh-server.templates:4001 | ||
172 | msgid "The affected host keys are:" | ||
173 | msgstr "" | ||
174 | |||
175 | #. Type: note | ||
176 | #. Description | ||
177 | #: ../openssh-server.templates:4001 | ||
178 | msgid "" | ||
179 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
180 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
181 | "README.compromised-keys.gz for more details." | ||
182 | msgstr "" | ||
183 | |||
184 | #, fuzzy | ||
185 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
186 | #~ msgstr "Створити новий файл налаштувань" | ||
187 | |||
188 | #, fuzzy | ||
189 | #~ msgid "" | ||
190 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
191 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
192 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
193 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
194 | #~ "will not contain any customizations you made with the old version." | ||
195 | #~ msgstr "" | ||
196 | #~ "Ð’ цій верÑÑ–Ñ— OpenSSH значно змінений файл налаштувань, в порівнÑнні з " | ||
197 | #~ "верÑією, що входила в Debian 'Potato', Ñ– Ñку ви, Ñхоже, оновлюєте. Зараз " | ||
198 | #~ "можна Ñтворити новий файл налаштувань (/etc/ssh/sshd.config), що буде " | ||
199 | #~ "працювати з новою верÑією Ñервера, але не буде міÑтити будь-Ñкі зміни, " | ||
200 | #~ "Ñкі ви внеÑли у Ñтару верÑÑ–ÑŽ." | ||
201 | |||
202 | #, fuzzy | ||
203 | #~| msgid "" | ||
204 | #~| "Please note that this new configuration file will set the value of " | ||
205 | #~| "'PermitRootLogin' to yes (meaning that anyone knowing the root password " | ||
206 | #~| "can ssh directly in as root). It is the opinion of the maintainer that " | ||
207 | #~| "this is the correct default (see README.Debian for more details), but " | ||
208 | #~| "you can always edit sshd_config and set it to no if you wish." | ||
209 | #~ msgid "" | ||
210 | #~ "Please note that this new configuration file will set the value of " | ||
211 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
212 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
213 | #~ "details about this design choice." | ||
214 | #~ msgstr "" | ||
215 | #~ "Зауважте, що в новій верÑÑ–Ñ— файла налаштувань змінна 'PermitRootLogin' " | ||
216 | #~ "буде мати Ð·Ð½Ð°Ñ‡ÐµÐ½Ð½Ñ yes (що означає, що будь-Ñка людина, котра знає пароль " | ||
217 | #~ "кориÑтувача root, зможе увійти в ÑиÑтему через ssh). Ðа думку " | ||
218 | #~ "Ñупроводжуючого пакунку - це вірне Ð·Ð½Ð°Ñ‡ÐµÐ½Ð½Ñ Ð·Ð° замовчаннÑм (дивітьÑÑ " | ||
219 | #~ "також README.Debian), але ви завжди можете змінити Ð·Ð½Ð°Ñ‡ÐµÐ½Ð½Ñ Ñ†ÑŒÐ¾Ð³Ð¾ " | ||
220 | #~ "параметра у файлі sshd_config." | ||
221 | |||
222 | #, fuzzy | ||
223 | #~ msgid "" | ||
224 | #~ "It is strongly recommended that you choose to generate a new " | ||
225 | #~ "configuration file now." | ||
226 | #~ msgstr "РекомендуєтьÑÑ Ð´Ð¾Ð·Ð²Ð¾Ð»Ð¸Ñ‚Ð¸ Ñтворити новий файл налаштувань." | ||
227 | |||
228 | #~ msgid "Warning: you must create a new host key" | ||
229 | #~ msgstr "ПопередженнÑ: ви повинні Ñтворити новий ключ вузла" | ||
230 | |||
231 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
232 | #~ msgstr "ПопередженнÑ: telnetd вÑтановлений - це погана ідеÑ" | ||
233 | |||
234 | #~ msgid "" | ||
235 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
236 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
237 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
238 | #~ "unencrypted login/password and session information over the network." | ||
239 | #~ msgstr "" | ||
240 | #~ "РекомендуєтьÑÑ Ð°Ð±Ð¾ видалити пакунок telnetd (Ñкщо вам не потрібно " | ||
241 | #~ "надавати доÑтуп через telnet), або вÑтановити telnetd-ssl, щоб мати " | ||
242 | #~ "можливіÑÑ‚ÑŒ не передавати незашифровані логін/пароль та іншу інформацію " | ||
243 | #~ "через мережу." | ||
244 | |||
245 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
246 | #~ msgstr "ПопередженнÑ: rsh-server вÑтановлений - це погана ідеÑ" | ||
247 | |||
248 | #~ msgid "" | ||
249 | #~ "having rsh-server installed undermines the security that you were " | ||
250 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
251 | #~ "that package." | ||
252 | #~ msgstr "" | ||
253 | #~ "Ð’Ñтановлений rsh-server знижує рівень безпеки, Ñкий ви, можливо, хотіли " | ||
254 | #~ "отримати вÑтановивши ssh. РекомендуєтьÑÑ Ð²Ð¸Ð´Ð°Ð»Ð¸Ñ‚Ð¸ цей пакунок." | ||
255 | |||
256 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
257 | #~ msgstr "Чи бажаєте ви, щоб ssh-keysign мав вÑтановлений біт SUID?" | ||
258 | |||
259 | #~ msgid "" | ||
260 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
261 | #~ "bit set." | ||
262 | #~ msgstr "Ви маєте можливіÑÑ‚ÑŒ вÑтановити біт SUID Ð´Ð»Ñ Ð¿Ñ€Ð¾Ð³Ñ€Ð°Ð¼Ð¸ ssh-keysign." | ||
263 | |||
264 | #~ msgid "" | ||
265 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
266 | #~ "host-based authentication." | ||
267 | #~ msgstr "" | ||
268 | #~ "Якщо ви вÑтановите біт SUID Ð´Ð»Ñ ssh-keysign, ви зможете викориÑтовувати " | ||
269 | #~ "вузлову автентифікацію протоколу SSH верÑÑ–Ñ— 2." | ||
270 | |||
271 | #~ msgid "" | ||
272 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
273 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
274 | #~ msgstr "" | ||
275 | #~ "Якщо ÑумніваєтеÑÑŒ, то рекомендуєтьÑÑ Ð´Ð¾Ð·Ð²Ð¾Ð»Ð¸Ñ‚Ð¸ вÑтановити біт SUID. Якщо " | ||
276 | #~ "це викликатиме проблеми, ви зможете вÑе змінити запуÑтивши dpkg-" | ||
277 | #~ "reconfigure ssh" | ||
278 | |||
279 | #~ msgid "Allow SSH protocol 2 only" | ||
280 | #~ msgstr "Дозволити тільки SSH-протокол верÑÑ–Ñ— 2" | ||
281 | |||
282 | #~ msgid "" | ||
283 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
284 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
285 | #~ "things down on low end machines and might prevent older clients from " | ||
286 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
287 | #~ msgstr "" | ||
288 | #~ "Ð¦Ñ Ð²ÐµÑ€ÑÑ–Ñ OpenSSH підтримує верÑÑ–ÑŽ 2 протоколу SSH, Ñка Ñ” більш " | ||
289 | #~ "безпечною. РекомендуєтьÑÑ Ð·Ð°Ð±Ð¾Ñ€Ð¾Ð½Ð¸Ñ‚Ð¸ верÑÑ–ÑŽ 1, однак це може уповільнити " | ||
290 | #~ "роботу на Ñлабких ÑиÑтемах та зробити неможливим з'Ñ”Ð´Ð½Ð°Ð½Ð½Ñ Ð· " | ||
291 | #~ "викориÑтаннÑм Ñтарих клієнтів (включно з клієнтом ssh з \"potato\")." | ||
292 | |||
293 | #~ msgid "" | ||
294 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
295 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
296 | #~ msgstr "" | ||
297 | #~ "Також зверніть увагу, що ключі Ð´Ð»Ñ Ð²ÐµÑ€ÑÑ–Ñ— 1 відрізнÑÑŽÑ‚ÑŒÑÑ Ð²Ñ–Ð´ ключів Ð´Ð»Ñ " | ||
298 | #~ "верÑÑ–Ñ— 2, тому ви не зможете викориÑтовувати Ñ—Ñ…, Ñкщо дозволите з'Ñ”Ð´Ð½Ð°Ð½Ð½Ñ " | ||
299 | #~ "тільки по протоколу верÑÑ–Ñ— 2." | ||
300 | |||
301 | #~ msgid "" | ||
302 | #~ "If you later change your mind about this setting, README.Debian has " | ||
303 | #~ "instructions on what to do to your sshd_config file." | ||
304 | #~ msgstr "" | ||
305 | #~ "Якщо ви пізніше передумаєте щодо цього параметра, файл README.Debian " | ||
306 | #~ "міÑтить інÑтрукції щодо внеÑÐµÐ½Ð½Ñ Ð·Ð¼Ñ–Ð½ до файла sshd_config." | ||
307 | |||
308 | #~ msgid "ssh2 keys merged in configuration files" | ||
309 | #~ msgstr "ssh2-ключі злиті у файлах налаштувань" | ||
310 | |||
311 | #~ msgid "" | ||
312 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
313 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
314 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
315 | #~ "compatibility" | ||
316 | #~ msgstr "" | ||
317 | #~ "У верÑÑ–Ñ— 3 OpenSSH більше не викориÑтовує окремі файли Ð´Ð»Ñ ÐºÐ»ÑŽÑ‡Ñ–Ð² ssh1 та " | ||
318 | #~ "ssh2. Це означає, що файли authorized_keys2 та known_hosts2 більше " | ||
319 | #~ "непотрібні. Вони будуть читатиÑÑ Ð· метою Ð·Ð°Ð±ÐµÐ·Ð¿ÐµÑ‡ÐµÐ½Ð½Ñ Ð·Ð²Ð¾Ñ€Ð¾Ñ‚Ð½Ð¾Ñ— " | ||
320 | #~ "ÑуміÑноÑÑ‚Ñ–." | ||
321 | |||
322 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
323 | #~ msgstr "" | ||
324 | #~ "ЗÐУВÐЖЕÐÐЯ: Форвардинг X11 та Authorization заборонені за замовчаннÑм." | ||
325 | |||
326 | #~ msgid "" | ||
327 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
328 | #~ "ForwardAgent set to ``off'' by default." | ||
329 | #~ msgstr "" | ||
330 | #~ "З міркувань безпеки в Debian-верÑÑ–Ñ— ssh параметри ForwardX11 та " | ||
331 | #~ "ForwardAgent за замовчаннÑм мають Ð·Ð½Ð°Ñ‡ÐµÐ½Ð½Ñ \"off\"." | ||
332 | |||
333 | #~ msgid "" | ||
334 | #~ "You can enable it for servers you trust, either in one of the " | ||
335 | #~ "configuration files, or with the -X command line option." | ||
336 | #~ msgstr "" | ||
337 | #~ "Ви можете дозволити Ñ—Ñ… Ð´Ð»Ñ Ñерверів, Ñким довірÑєте, або у одному з " | ||
338 | #~ "файлів налаштувань, або за допомогою параметра командного Ñ€Ñдка -X." | ||
339 | |||
340 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
341 | #~ msgstr "Подробиці можна прочитати у файлі /usr/share/doc/ssh/README.Debian" | ||
342 | |||
343 | #~ msgid "Do you want to run the sshd server?" | ||
344 | #~ msgstr "Чи бажаєте ви запуÑтити Ñервер sshd?" | ||
345 | |||
346 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
347 | #~ msgstr "Цей пакунок міÑтить Ñк клієнт ssh, так Ñ– Ñервер sshd." | ||
348 | |||
349 | #~ msgid "" | ||
350 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
351 | #~ "via ssh." | ||
352 | #~ msgstr "" | ||
353 | #~ "Звичайно sshd (Secure Shell Server) запуÑкаєтьÑÑ Ñ‰Ð¾Ð± зробити можливим " | ||
354 | #~ "віддалену реєÑтрацію в ÑиÑтемі за допомогою ssh." | ||
355 | |||
356 | #~ msgid "" | ||
357 | #~ "If you are only interested in using the ssh client for outbound " | ||
358 | #~ "connections on this machine, and don't want to log into it at all using " | ||
359 | #~ "ssh, then you can disable sshd here." | ||
360 | #~ msgstr "" | ||
361 | #~ "Якщо Ð²Ð°Ñ Ñ†Ñ–ÐºÐ°Ð²Ð¸Ñ‚ÑŒ викориÑÑ‚Ð°Ð½Ð½Ñ Ñ‚Ñ–Ð»ÑŒÐºÐ¸ клієнта ssh на цій машині Ñ– ви не " | ||
362 | #~ "бажаєте реєÑтруватиÑÑ Ð½Ð° ній викориÑтовуючи ssh, тоді ви можете " | ||
363 | #~ "заборонити sshd." | ||
364 | |||
365 | #~ msgid "Environment options on keys have been deprecated" | ||
366 | #~ msgstr "Опції Ð¾Ñ‚Ð¾Ñ‡ÐµÐ½Ð½Ñ Ð´Ð»Ñ ÐºÐ»ÑŽÑ‡Ñ–Ð² не повинні викориÑтовуватиÑÑ" | ||
367 | |||
368 | #~ msgid "" | ||
369 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
370 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
371 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
372 | #~ "keys in question will no longer work until the option is removed." | ||
373 | #~ msgstr "" | ||
374 | #~ "Ð’ цій верÑÑ–Ñ— OpenSSH, з метою ÑƒÐ½Ð¸ÐºÐ½ÐµÐ½Ð½Ñ Ð´ÐµÑких атак (наприклад " | ||
375 | #~ "LD_PRELOAD), за замовчаннÑм заборонені опції Ð¾Ñ‚Ð¾Ñ‡ÐµÐ½Ð½Ñ Ð´Ð»Ñ Ð²Ñ–Ð´ÐºÑ€Ð¸Ñ‚Ð¸Ñ… " | ||
376 | #~ "ключів. Якщо ви викориÑтовуєте цю опцію у файлі authorized_keys, майте на " | ||
377 | #~ "увазі, що ключі з такими опціÑми не будуть працювати, доки Ð¾Ð¿Ñ†Ñ–Ñ Ð½Ðµ буде " | ||
378 | #~ "видалена." | ||
379 | |||
380 | #~ msgid "" | ||
381 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
382 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
383 | #~ "the sshd_config(5) manual page." | ||
384 | #~ msgstr "" | ||
385 | #~ "Щоб дозволити цю опцію, вÑтановіть \"PermitUserEnvironment yes\" в /etc/" | ||
386 | #~ "ssh/sshd_config піÑÐ»Ñ Ð·Ð°Ð²ÐµÑ€ÑˆÐµÐ½Ð½Ñ Ð¾Ð½Ð¾Ð²Ð»ÐµÐ½Ð½Ñ; зверніть увагу на " | ||
387 | #~ "Ð¿Ð¾Ð¿ÐµÑ€ÐµÐ´Ð¶ÐµÐ½Ð½Ñ Ð½Ð° Ñторінці підручника sshd_config(5)." | ||
diff --git a/debian/po/vi.po b/debian/po/vi.po new file mode 100644 index 000000000..a94514c22 --- /dev/null +++ b/debian/po/vi.po | |||
@@ -0,0 +1,212 @@ | |||
1 | # Vietnamese translation for OpenSSH. | ||
2 | # Copyright © 2008 Free Software Foundation, Inc. | ||
3 | # Clytie Siddall <clytie@riverland.net.au>, 2007-2008. | ||
4 | # | ||
5 | msgid "" | ||
6 | msgstr "" | ||
7 | "Project-Id-Version: openssh 1:4.7p1-9\n" | ||
8 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
9 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
10 | "PO-Revision-Date: 2008-05-19 16:49+0930\n" | ||
11 | "Last-Translator: Clytie Siddall <clytie@riverland.net.au>\n" | ||
12 | "Language-Team: Vietnamese <vi-VN@googlegroups.com>\n" | ||
13 | "MIME-Version: 1.0\n" | ||
14 | "Content-Type: text/plain; charset=UTF-8\n" | ||
15 | "Content-Transfer-Encoding: 8bit\n" | ||
16 | "Plural-Forms: nplurals=1; plural=0;\n" | ||
17 | "X-Generator: LocFactoryEditor 1.7b3\n" | ||
18 | |||
19 | #. Type: boolean | ||
20 | #. Description | ||
21 | #: ../openssh-server.templates:1001 | ||
22 | msgid "Do you want to risk killing active SSH sessions?" | ||
23 | msgstr "Bạn có muốn rủi ro giết phiên bản SSH đang chạy không?" | ||
24 | |||
25 | # The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
26 | # all running sshd instances. If you are doing this upgrade via an ssh | ||
27 | # session, that would be a Bad Thing(tm). | ||
28 | #. Type: boolean | ||
29 | #. Description | ||
30 | #: ../openssh-server.templates:1001 | ||
31 | msgid "" | ||
32 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
33 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
34 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
35 | msgstr "" | ||
36 | "Phiên bản « /etc/init.d/ssh » được cà i đặt hiện thá»i rất có thể giết má»i tiến " | ||
37 | "trình sshd đang chạy. Nếu bạn có nâng cấp qua phiên chạy SSH, rất có thể bạn " | ||
38 | "bị ngắt kết nối, để lại tiến trình nâng cấp chưa hoà n tất." | ||
39 | |||
40 | # You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start- | ||
41 | # stop-daemon line in the stop section of the file. | ||
42 | #. Type: boolean | ||
43 | #. Description | ||
44 | #: ../openssh-server.templates:1001 | ||
45 | msgid "" | ||
46 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
47 | "start-stop-daemon line in the stop section of the file." | ||
48 | msgstr "" | ||
49 | "Bạn vẫn còn có thể sá»a chữa vấn Ä‘á» nà y bằng cách tá»± thêm chuá»—i « --pidfile /" | ||
50 | "var/run/sshd.pid » và o dòng « start-stop-daemon » (khởi/ngừng chạy trình ná»n) " | ||
51 | "trong phần « stop » (ngừng chạy) của táºp tin đó." | ||
52 | |||
53 | #. Type: note | ||
54 | #. Description | ||
55 | #: ../openssh-server.templates:2001 | ||
56 | msgid "New host key mandatory" | ||
57 | msgstr "Bắt buộc phải có khoá máy mới" | ||
58 | |||
59 | #. Type: note | ||
60 | #. Description | ||
61 | #: ../openssh-server.templates:2001 | ||
62 | msgid "" | ||
63 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
64 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
65 | "utility from the old (non-free) SSH installation does not appear to be " | ||
66 | "available." | ||
67 | msgstr "" | ||
68 | "Khoá máy hiện thá»i, trong « /etc/ssh/ssh_host_key », được mặt mã bằng thuáºt " | ||
69 | "toán IDEA. Phần má»m OpenSSH không thể xá» lý táºp tin khoá máy kiểu nà y; cÅ©ng " | ||
70 | "có vẻ là tiện Ãch « ssh-keygen » (tạo khoá SSH) thuá»™c vá» bản cà i đặt SSH cÅ© " | ||
71 | "(khác tự do) không sẵn sà ng." | ||
72 | |||
73 | #. Type: note | ||
74 | #. Description | ||
75 | #: ../openssh-server.templates:2001 | ||
76 | msgid "You need to manually generate a new host key." | ||
77 | msgstr "Váºy bạn cần phải tá»± tạo má»™t khoá máy má»›i." | ||
78 | |||
79 | #. Type: boolean | ||
80 | #. Description | ||
81 | #: ../openssh-server.templates:3001 | ||
82 | msgid "Disable challenge-response authentication?" | ||
83 | msgstr "Tắt chức năng xác thực kiểu yêu cầu/đáp ứng không?" | ||
84 | |||
85 | # Password authentication appears to be disabled in your current OpenSSH | ||
86 | # server configuration. In order to prevent users from logging in using | ||
87 | # passwords (perhaps using only public key authentication instead) with | ||
88 | # recent versions of OpenSSH, you must disable challenge-response | ||
89 | # authentication, or else ensure that your PAM configuration does not allow | ||
90 | # Unix password file authentication. | ||
91 | #. Type: boolean | ||
92 | #. Description | ||
93 | #: ../openssh-server.templates:3001 | ||
94 | msgid "" | ||
95 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
96 | "configuration. In order to prevent users from logging in using passwords " | ||
97 | "(perhaps using only public key authentication instead) with recent versions " | ||
98 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
99 | "ensure that your PAM configuration does not allow Unix password file " | ||
100 | "authentication." | ||
101 | msgstr "" | ||
102 | "Có vẻ là chức năng xác thá»±c bằng máºt khẩu bị tắt trong cấu hình trình phục " | ||
103 | "vụ OpenSSH hiện thá»i. Äể ngăn cản ngÆ°á»i dùng đăng nháºp bằng máºt khẩu (có lẽ " | ||
104 | "chỉ xác thực bằng khoá công) với phiên bản OpenSSH gần đây, bạn cần phải " | ||
105 | "tắt khả năng xác thực kiểu yêu cầu/đáp ứng (challenge-response " | ||
106 | "authentication), không thì đảm bảo cấu hình PAM không cho phép xác thực bằng " | ||
107 | "táºp tin máºt khẩu UNIX." | ||
108 | |||
109 | #. Type: boolean | ||
110 | #. Description | ||
111 | #: ../openssh-server.templates:3001 | ||
112 | msgid "" | ||
113 | "If you disable challenge-response authentication, then users will not be " | ||
114 | "able to log in using passwords. If you leave it enabled (the default " | ||
115 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
116 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
117 | msgstr "" | ||
118 | "Nếu bạn tắt khả năng xác thá»±c kiểu yêu cầu/đáp ứng, ngÆ°á»i dùng sẽ không thể " | ||
119 | "đăng nháºp bằng máºt khẩu. Äể lại hoạt Ä‘á»™ng (trả lá»i mặc định) thì tùy chá»n « " | ||
120 | "PasswordAuthentication no » (xác thá»±c bằng máºt khẩu : không) sẽ không có tác " | ||
121 | "Ä‘á»™ng tháºt, nếu bạn không Ä‘iá»u chỉnh cấu hình PAM trong « /etc/pam.d/ssh »" | ||
122 | |||
123 | #. Type: note | ||
124 | #. Description | ||
125 | #: ../openssh-server.templates:4001 | ||
126 | msgid "Vulnerable host keys will be regenerated" | ||
127 | msgstr "Má»i khoá máy dá»… bị tấn công Ä‘á»u sẽ được tạo lại" | ||
128 | |||
129 | #. Type: note | ||
130 | #. Description | ||
131 | #: ../openssh-server.templates:4001 | ||
132 | msgid "" | ||
133 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
134 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
135 | "these host keys are from a well-known set, are subject to brute-force " | ||
136 | "attacks, and must be regenerated." | ||
137 | msgstr "" | ||
138 | "Một số khoá máy kiểu trình phục vụ OpenSSH trên hệ thống nà y đã được tạo " | ||
139 | "bằng má»™t phiên bản OpenSSL có má»™t cÆ¡ chế tạo số ngẫu nhiên mà bị há»ng. Kết " | ||
140 | "quả là những khoá máy nà y thuá»™c vá» má»™t táºp hợp ai cÅ©ng biết, có thể bị tấn " | ||
141 | "công dùng sức mạnh vũ phu, và phải được tạo lại." | ||
142 | |||
143 | #. Type: note | ||
144 | #. Description | ||
145 | #: ../openssh-server.templates:4001 | ||
146 | msgid "" | ||
147 | "Users of this system should be informed of this change, as they will be " | ||
148 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
149 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
150 | "the new host keys." | ||
151 | msgstr "" | ||
152 | "Các ngÆ°á»i dùng của hệ thống nà y nên được thông báo vá» thay đổi nà y, vì há» sẽ " | ||
153 | "được nhắc cho thay đổi khoá máy nà y lần kế tiếp đăng nháºp. Hãy dùng câu lệnh " | ||
154 | "« ssh-keygen -l -f TẬP_TIN_KHOÃ_MÃY » sau khi nâng cấp, để in ra các vân tay " | ||
155 | "của những khoá máy mới." | ||
156 | |||
157 | #. Type: note | ||
158 | #. Description | ||
159 | #: ../openssh-server.templates:4001 | ||
160 | msgid "The affected host keys are:" | ||
161 | msgstr "Những máy khoá bị ảnh hưởng:" | ||
162 | |||
163 | #. Type: note | ||
164 | #. Description | ||
165 | #: ../openssh-server.templates:4001 | ||
166 | msgid "" | ||
167 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
168 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
169 | "README.compromised-keys.gz for more details." | ||
170 | msgstr "" | ||
171 | "Các khoá kiểu ngÆ°á»i dùng cÅ©ng có thể bị vấn Ä‘á» nà y ảnh hưởng. Câu lệnh « ssh-" | ||
172 | "vulnkey » có thể được sá» dụng là m thá» bá»™ pháºn để phát hiện các khoá vẫn còn " | ||
173 | "dá»… tấn công. Xem tà i liệu Äá»c Äi « /usr/share/doc/openssh-server/README." | ||
174 | "compromised-keys.gz » để tìm thêm chi tiết." | ||
175 | |||
176 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
177 | #~ msgstr "Tao ra táºp tin cấu hình má»›i cho OpenSSH không?" | ||
178 | |||
179 | #~ msgid "" | ||
180 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
181 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
182 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
183 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
184 | #~ "will not contain any customizations you made with the old version." | ||
185 | #~ msgstr "" | ||
186 | #~ "Phiên bản OpenSSH nà y có má»™t táºp tin cấu hình đã thay đổi nhiá»u so vá»›i " | ||
187 | #~ "phiên bản có sẵn trong bản phát hà nh « Potato » của Debian, trong đó có vẻ " | ||
188 | #~ "là bạn Ä‘ang cáºp nháºt. Gói hiện thá»i có khả năng tạo ra má»™t táºp tin cấu " | ||
189 | #~ "hình mới (/etc/ssh/sshd.config), mà sẽ hoạt động được với phiên bản trình " | ||
190 | #~ "phục vụ má»›i, nhÆ°ng không còn chứa lại mục sá»a đổi nà o bạn đã tạo trong " | ||
191 | #~ "phiên bản cũ." | ||
192 | |||
193 | # Please note that this new configuration file will set the value of | ||
194 | # 'PermitRootLogin' to yes (meaning that anyone knowing the root password | ||
195 | # can ssh directly in as root). It is the opinion of the maintainer that | ||
196 | # this is the correct default (see README.Debian for more details), but you | ||
197 | # can always edit sshd_config and set it to no if you wish. | ||
198 | #~ msgid "" | ||
199 | #~ "Please note that this new configuration file will set the value of " | ||
200 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
201 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
202 | #~ "details about this design choice." | ||
203 | #~ msgstr "" | ||
204 | #~ "Ghi chú rằng táºp tin cấu hình má»›i nà y sẽ đặt giá trị của « PermitRootLogin " | ||
205 | #~ "» thà nh « yes » (có : nghÄ©a là ai đó biết máºt khẩu ngÆ°á»i chủ thì có khả " | ||
206 | #~ "năng truy cáºp trá»±c tiếp qua ssh vá»›i tÆ° cách là ngÆ°á»i chủ). Xem táºp tin " | ||
207 | #~ "Äá»c Äi « README.Debian » để tìm thêm chi tiết vá» sá»± chá»n thiết kế nà y." | ||
208 | |||
209 | #~ msgid "" | ||
210 | #~ "It is strongly recommended that you choose to generate a new " | ||
211 | #~ "configuration file now." | ||
212 | #~ msgstr "Rất khuyên bạn chá»n tạo ra táºp tin cấu hình má»›i ngay bây giá»." | ||
diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po new file mode 100644 index 000000000..9eee59af9 --- /dev/null +++ b/debian/po/zh_CN.po | |||
@@ -0,0 +1,389 @@ | |||
1 | # | ||
2 | # Translators, if you are not familiar with the PO format, gettext | ||
3 | # documentation is worth reading, especially sections dedicated to | ||
4 | # this format, e.g. by running: | ||
5 | # info -n '(gettext)PO Files' | ||
6 | # info -n '(gettext)Header Entry' | ||
7 | # | ||
8 | # Some information specific to po-debconf are available at | ||
9 | # /usr/share/doc/po-debconf/README-trans | ||
10 | # or http://www.debian.org/intl/l10n/po-debconf/README-trans | ||
11 | # | ||
12 | # Developers do not need to manually edit POT or PO files. | ||
13 | # | ||
14 | msgid "" | ||
15 | msgstr "" | ||
16 | "Project-Id-Version: openssh 3.6.1p2-11\n" | ||
17 | "Report-Msgid-Bugs-To: openssh@packages.debian.org\n" | ||
18 | "POT-Creation-Date: 2010-01-02 08:55+0000\n" | ||
19 | "PO-Revision-Date: 2004-02-02 18:48+1300\n" | ||
20 | "Last-Translator: Hiei Xu <nicky@mail.edu.cn>\n" | ||
21 | "Language-Team: Chinese/Simplified <i18n-translation@lists.linux.net.cn>\n" | ||
22 | "MIME-Version: 1.0\n" | ||
23 | "Content-Type: text/plain; charset=UTF-8\n" | ||
24 | "Content-Transfer-Encoding: 8bit\n" | ||
25 | |||
26 | #. Type: boolean | ||
27 | #. Description | ||
28 | #: ../openssh-server.templates:1001 | ||
29 | #, fuzzy | ||
30 | #| msgid "Do you want to continue (and risk killing active ssh sessions)?" | ||
31 | msgid "Do you want to risk killing active SSH sessions?" | ||
32 | msgstr "您è¦ç»§ç»å—(会有æ€æ»æ´»åŠ¨çš„ ssh 会è¯çš„å±é™©)?" | ||
33 | |||
34 | #. Type: boolean | ||
35 | #. Description | ||
36 | #: ../openssh-server.templates:1001 | ||
37 | #, fuzzy | ||
38 | #| msgid "" | ||
39 | #| "The version of /etc/init.d/ssh that you have installed, is likely to kill " | ||
40 | #| "all running sshd instances. If you are doing this upgrade via an ssh " | ||
41 | #| "session, that would be a Bad Thing(tm)." | ||
42 | msgid "" | ||
43 | "The currently installed version of /etc/init.d/ssh is likely to kill all " | ||
44 | "running sshd instances. If you are doing this upgrade via an SSH session, " | ||
45 | "you're likely to be disconnected and leave the upgrade procedure unfinished." | ||
46 | msgstr "" | ||
47 | "您安装的 /etc/init.d/ssh 版本很å¯èƒ½ä¼šæ€æ»æ‰€æœ‰è¿è¡Œä¸çš„ sshd 例程。如果您是在通" | ||
48 | "过 ssh 会è¯è¿›è¡Œè¿™é¡¹å‡çº§ï¼Œé‚£å¯çœŸæ˜¯ä»¶ç³Ÿç³•çš„事情(tm)。" | ||
49 | |||
50 | #. Type: boolean | ||
51 | #. Description | ||
52 | #: ../openssh-server.templates:1001 | ||
53 | #, fuzzy | ||
54 | #| msgid "" | ||
55 | #| "You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start-" | ||
56 | #| "stop-daemon line in the stop section of the file." | ||
57 | msgid "" | ||
58 | "This can be fixed by manually adding \"--pidfile /var/run/sshd.pid\" to the " | ||
59 | "start-stop-daemon line in the stop section of the file." | ||
60 | msgstr "" | ||
61 | "您å¯ä»¥é€šè¿‡æ·»åŠ “--pidfile /var/run/sshd.pidâ€åˆ°è¿™ä¸ªæ–‡ä»¶çš„ stop 部分的 start-" | ||
62 | "stop-daemon è¡Œæ¥ä¿®æ£è¿™ä¸ªé—®é¢˜ã€‚" | ||
63 | |||
64 | #. Type: note | ||
65 | #. Description | ||
66 | #: ../openssh-server.templates:2001 | ||
67 | msgid "New host key mandatory" | ||
68 | msgstr "" | ||
69 | |||
70 | #. Type: note | ||
71 | #. Description | ||
72 | #: ../openssh-server.templates:2001 | ||
73 | #, fuzzy | ||
74 | msgid "" | ||
75 | "The current host key, in /etc/ssh/ssh_host_key, is encrypted with the IDEA " | ||
76 | "algorithm. OpenSSH can not handle this host key file, and the ssh-keygen " | ||
77 | "utility from the old (non-free) SSH installation does not appear to be " | ||
78 | "available." | ||
79 | msgstr "" | ||
80 | "/etc/ssh/ssh_host_key 是由 IDEA åŠ å¯†çš„æ—§å¯†é’¥æ–‡ä»¶ã€‚OpenSSH ä¸èƒ½å¤„ç†è¿™ç§å¯†é’¥æ–‡" | ||
81 | "ä»¶ï¼Œæˆ‘ä¹Ÿæ— æ³•æ‰¾åˆ°æ—§çš„(éžè‡ªç”±çš„) SSH 安装所带的 ssh-keygen 密钥生æˆå·¥å…·ã€‚" | ||
82 | |||
83 | #. Type: note | ||
84 | #. Description | ||
85 | #: ../openssh-server.templates:2001 | ||
86 | #, fuzzy | ||
87 | #| msgid "You will need to generate a new host key." | ||
88 | msgid "You need to manually generate a new host key." | ||
89 | msgstr "您需è¦åˆ›å»ºä¸€ä¸ªæ–°çš„主机密钥。" | ||
90 | |||
91 | #. Type: boolean | ||
92 | #. Description | ||
93 | #: ../openssh-server.templates:3001 | ||
94 | msgid "Disable challenge-response authentication?" | ||
95 | msgstr "" | ||
96 | |||
97 | #. Type: boolean | ||
98 | #. Description | ||
99 | #: ../openssh-server.templates:3001 | ||
100 | msgid "" | ||
101 | "Password authentication appears to be disabled in the current OpenSSH server " | ||
102 | "configuration. In order to prevent users from logging in using passwords " | ||
103 | "(perhaps using only public key authentication instead) with recent versions " | ||
104 | "of OpenSSH, you must disable challenge-response authentication, or else " | ||
105 | "ensure that your PAM configuration does not allow Unix password file " | ||
106 | "authentication." | ||
107 | msgstr "" | ||
108 | |||
109 | #. Type: boolean | ||
110 | #. Description | ||
111 | #: ../openssh-server.templates:3001 | ||
112 | msgid "" | ||
113 | "If you disable challenge-response authentication, then users will not be " | ||
114 | "able to log in using passwords. If you leave it enabled (the default " | ||
115 | "answer), then the 'PasswordAuthentication no' option will have no useful " | ||
116 | "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." | ||
117 | msgstr "" | ||
118 | |||
119 | #. Type: note | ||
120 | #. Description | ||
121 | #: ../openssh-server.templates:4001 | ||
122 | msgid "Vulnerable host keys will be regenerated" | ||
123 | msgstr "" | ||
124 | |||
125 | #. Type: note | ||
126 | #. Description | ||
127 | #: ../openssh-server.templates:4001 | ||
128 | msgid "" | ||
129 | "Some of the OpenSSH server host keys on this system were generated with a " | ||
130 | "version of OpenSSL that had a broken random number generator. As a result, " | ||
131 | "these host keys are from a well-known set, are subject to brute-force " | ||
132 | "attacks, and must be regenerated." | ||
133 | msgstr "" | ||
134 | |||
135 | #. Type: note | ||
136 | #. Description | ||
137 | #: ../openssh-server.templates:4001 | ||
138 | msgid "" | ||
139 | "Users of this system should be informed of this change, as they will be " | ||
140 | "prompted about the host key change the next time they log in. Use 'ssh-" | ||
141 | "keygen -l -f HOST_KEY_FILE' after the upgrade to print the fingerprints of " | ||
142 | "the new host keys." | ||
143 | msgstr "" | ||
144 | |||
145 | #. Type: note | ||
146 | #. Description | ||
147 | #: ../openssh-server.templates:4001 | ||
148 | msgid "The affected host keys are:" | ||
149 | msgstr "" | ||
150 | |||
151 | #. Type: note | ||
152 | #. Description | ||
153 | #: ../openssh-server.templates:4001 | ||
154 | msgid "" | ||
155 | "User keys may also be affected by this problem. The 'ssh-vulnkey' command " | ||
156 | "may be used as a partial test for this. See /usr/share/doc/openssh-server/" | ||
157 | "README.compromised-keys.gz for more details." | ||
158 | msgstr "" | ||
159 | |||
160 | #, fuzzy | ||
161 | #~ msgid "Generate a new configuration file for OpenSSH?" | ||
162 | #~ msgstr "生æˆæ–°çš„é…置文件" | ||
163 | |||
164 | #, fuzzy | ||
165 | #~ msgid "" | ||
166 | #~ "This version of OpenSSH has a considerably changed configuration file " | ||
167 | #~ "from the version shipped in Debian 'Potato', which you appear to be " | ||
168 | #~ "upgrading from. This package can now generate a new configuration file (/" | ||
169 | #~ "etc/ssh/sshd.config), which will work with the new server version, but " | ||
170 | #~ "will not contain any customizations you made with the old version." | ||
171 | #~ msgstr "" | ||
172 | #~ "看æ¥æ‚¨æ£åœ¨ä»Ž Debian “Potatoâ€å‡çº§ï¼Œå½“å‰ç‰ˆæœ¬å’Œ Debian “Potatoâ€æ‰€å¸¦çš„ " | ||
173 | #~ "OpenSSH 版本的é…置文件对比有了相当多的改å˜ã€‚我现在å¯ä»¥ç”Ÿæˆé€‚用于新æœåŠ¡å™¨ç‰ˆ" | ||
174 | #~ "本的新é…置文件 (/etc/ssh/sshd_config),但是它ä¸ä¼šä¿ç•™æ‚¨ä¸ºæ—§ç‰ˆæœ¬å®šåˆ¶çš„任何" | ||
175 | #~ "é…置。" | ||
176 | |||
177 | #, fuzzy | ||
178 | #~| msgid "" | ||
179 | #~| "Please note that this new configuration file will set the value of " | ||
180 | #~| "'PermitRootLogin' to yes (meaning that anyone knowing the root password " | ||
181 | #~| "can ssh directly in as root). It is the opinion of the maintainer that " | ||
182 | #~| "this is the correct default (see README.Debian for more details), but " | ||
183 | #~| "you can always edit sshd_config and set it to no if you wish." | ||
184 | #~ msgid "" | ||
185 | #~ "Please note that this new configuration file will set the value of " | ||
186 | #~ "'PermitRootLogin' to 'yes' (meaning that anyone knowing the root password " | ||
187 | #~ "can ssh directly in as root). Please read the README.Debian file for more " | ||
188 | #~ "details about this design choice." | ||
189 | #~ msgstr "" | ||
190 | #~ "请注æ„æ–°çš„é…置文件将会把“PermitRootLoginâ€çš„值设置为 yes,(è¿™æ„味ç€ä»»ä½•ä¸€ä¸ª" | ||
191 | #~ "çŸ¥é“ root 密ç 的人都å¯ä»¥ç›´æŽ¥ä»¥ root 登录)。维护者认为这是一个æ£ç¡®çš„默认值 " | ||
192 | #~ "(详情请阅读 README.Debian),但如果您希望,也å¯ä»¥ç¼–辑 sshd_config 文件将其" | ||
193 | #~ "设置为 no。" | ||
194 | |||
195 | #, fuzzy | ||
196 | #~ msgid "" | ||
197 | #~ "It is strongly recommended that you choose to generate a new " | ||
198 | #~ "configuration file now." | ||
199 | #~ msgstr "强烈建议让我为您生æˆä¸€ä»½æ–°çš„é…置文件。" | ||
200 | |||
201 | #~ msgid "Warning: you must create a new host key" | ||
202 | #~ msgstr "è¦å‘Šï¼šæ‚¨å¿…须创建一个新的主机密钥" | ||
203 | |||
204 | #~ msgid "Warning: telnetd is installed --- probably not a good idea" | ||
205 | #~ msgstr "è¦å‘Šï¼šå·²ç»å®‰è£…了 telnetd æœåŠ¡å™¨ --- å¯èƒ½ä¸æ˜¯ä¸ªå¥½ä¸»æ„" | ||
206 | |||
207 | #~ msgid "" | ||
208 | #~ "I'd advise you to either remove the telnetd package (if you don't " | ||
209 | #~ "actually need to offer telnet access) or install telnetd-ssl so that " | ||
210 | #~ "there is at least some chance that telnet sessions will not be sending " | ||
211 | #~ "unencrypted login/password and session information over the network." | ||
212 | #~ msgstr "" | ||
213 | #~ "æˆ‘å»ºè®®æ‚¨åˆ é™¤ telnetd 包(如果您ä¸æ˜¯çœŸçš„需è¦æä¾› telnet 访问),或者安装 " | ||
214 | #~ "telnetd-sslï¼Œè¿™æ ·è‡³å°‘æœ‰æ—¶å€™ telnet 会è¯ä¸ä¼šå°†æœªåŠ 密的 登录å/密ç 和会è¯ä¿¡" | ||
215 | #~ "æ¯é€šè¿‡ç½‘络å‘é€ã€‚" | ||
216 | |||
217 | #~ msgid "Warning: rsh-server is installed --- probably not a good idea" | ||
218 | #~ msgstr "è¦å‘Šï¼šå·²ç»å®‰è£…了 rsh æœåŠ¡å™¨ --- å¯èƒ½ä¸æ˜¯ä¸ªå¥½ä¸»æ„" | ||
219 | |||
220 | #~ msgid "" | ||
221 | #~ "having rsh-server installed undermines the security that you were " | ||
222 | #~ "probably wanting to obtain by installing ssh. I'd advise you to remove " | ||
223 | #~ "that package." | ||
224 | #~ msgstr "" | ||
225 | #~ "安装 rsh æœåŠ¡å™¨å¾ˆå¯èƒ½ä¼šé™ä½Žæ‚¨æƒ³è¦é€šè¿‡å®‰è£… ssh å¾—åˆ°çš„å®‰å…¨æ€§ã€‚æˆ‘å»ºè®®æ‚¨åˆ é™¤è¿™" | ||
226 | #~ "个包。" | ||
227 | |||
228 | #~ msgid "Do you want ssh-keysign to be installed SUID root?" | ||
229 | #~ msgstr "您è¦å°† ssh-keysign 安装为 SUID root 程åºå—?" | ||
230 | |||
231 | #~ msgid "" | ||
232 | #~ "You have the option of installing the ssh-keysign helper with the SUID " | ||
233 | #~ "bit set." | ||
234 | #~ msgstr "您使用为 ssh-keysign 帮助者程åºè®¾ç½® SUID ä½çš„选项。" | ||
235 | |||
236 | #~ msgid "" | ||
237 | #~ "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 " | ||
238 | #~ "host-based authentication." | ||
239 | #~ msgstr "" | ||
240 | #~ "如果您为 ssh-keysign 设置了 SUID,您将å¯ä»¥ä½¿ç”¨ SSH åè®® 2 的基于主机的认è¯" | ||
241 | #~ "æ–¹å¼ã€‚" | ||
242 | |||
243 | #~ msgid "" | ||
244 | #~ "If in doubt, I suggest you install it with SUID. If it causes problems " | ||
245 | #~ "you can change your mind later by running: dpkg-reconfigure ssh" | ||
246 | #~ msgstr "" | ||
247 | #~ "如果有疑问,我建议您将它安装为 SUID。如果它带æ¥éº»çƒ¦ï¼Œæ‚¨å¯ä»¥é€šè¿‡è¿è¡Œï¼šdpkg-" | ||
248 | #~ "reconfigure ssh æ¥æ”¹å˜ä¸»æ„" | ||
249 | |||
250 | #~ msgid "Allow SSH protocol 2 only" | ||
251 | #~ msgstr "åªå…许 SSH åè®® 2 (ssh2)。" | ||
252 | |||
253 | #~ msgid "" | ||
254 | #~ "This version of OpenSSH supports version 2 of the ssh protocol, which is " | ||
255 | #~ "much more secure. Disabling ssh 1 is encouraged, however this will slow " | ||
256 | #~ "things down on low end machines and might prevent older clients from " | ||
257 | #~ "connecting (the ssh client shipped with \"potato\" is affected)." | ||
258 | #~ msgstr "" | ||
259 | #~ "这个版本的 OpenSSH 支æŒæ›´åŠ 安全的第二版本 ssh å议。我们鼓励您ç¦ç”¨ ssh 1," | ||
260 | #~ "然而这会é™ä½Žä½Žç«¯æœºå™¨é€Ÿåº¦ï¼Œå¹¶ä¸”会阻æ¢è€ç‰ˆå®¢æˆ·ç«¯çš„连接(“potatoâ€æ‰€å¸¦çš„ ssh 客" | ||
261 | #~ "户端会å—到影å“)。" | ||
262 | |||
263 | #~ msgid "" | ||
264 | #~ "Also please note that keys used for protocol 1 are different so you will " | ||
265 | #~ "not be able to use them if you only allow protocol 2 connections." | ||
266 | #~ msgstr "" | ||
267 | #~ "也请注æ„åè®® 1 所用的密钥是ä¸åŒçš„ï¼Œå› æ¤å¦‚果您åªå…许åè®® 2 连接将会导致ä¸èƒ½" | ||
268 | #~ "使用它们。" | ||
269 | |||
270 | #~ msgid "" | ||
271 | #~ "If you later change your mind about this setting, README.Debian has " | ||
272 | #~ "instructions on what to do to your sshd_config file." | ||
273 | #~ msgstr "" | ||
274 | #~ "如果您ç¨åŽæƒ³æ”¹å˜è¿™ä¸ªè®¾ç½®ï¼ŒREADME.Debian 上有说明告诉您如何修改 " | ||
275 | #~ "sshd_Config 文件。" | ||
276 | |||
277 | #~ msgid "NOTE: Forwarding of X11 and Authorization disabled by default." | ||
278 | #~ msgstr "注æ„:X11 转å‘和认è¯é»˜è®¤è¢«ç¦æ¢ã€‚" | ||
279 | |||
280 | #~ msgid "" | ||
281 | #~ "For security reasons, the Debian version of ssh has ForwardX11 and " | ||
282 | #~ "ForwardAgent set to ``off'' by default." | ||
283 | #~ msgstr "" | ||
284 | #~ "å› ä¸ºå®‰å…¨æ€§åŽŸå› ï¼Œé»˜è®¤æƒ…å†µä¸‹ Debian 版本的 ssh å°† ForwardX11 å’Œ " | ||
285 | #~ "ForwardAgent 设置为 off。" | ||
286 | |||
287 | #~ msgid "" | ||
288 | #~ "You can enable it for servers you trust, either in one of the " | ||
289 | #~ "configuration files, or with the -X command line option." | ||
290 | #~ msgstr "" | ||
291 | #~ "您å¯ä»¥ä¸ºä¿¡èµ–çš„æœåŠ¡å™¨å¯ç”¨è¿™ä¸ªé€‰é¡¹ï¼Œå¯ä»¥é€šè¿‡å…¶ä¸ä¹‹ä¸€çš„é…置文件或者使用 -X 命" | ||
292 | #~ "令行选项æ¥å®žçŽ°ã€‚" | ||
293 | |||
294 | #~ msgid "More details can be found in /usr/share/doc/ssh/README.Debian" | ||
295 | #~ msgstr "更多细节å¯ä»¥åœ¨ /usr/share/doc/ssh/README.Debian 找到" | ||
296 | |||
297 | #~ msgid "ssh2 keys merged in configuration files" | ||
298 | #~ msgstr "ssh2 密钥被åˆå¹¶åˆ°é…置文件" | ||
299 | |||
300 | #~ msgid "" | ||
301 | #~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " | ||
302 | #~ "keys. This means the authorized_keys2 and known_hosts2 files are no " | ||
303 | #~ "longer needed. They will still be read in order to maintain backwards " | ||
304 | #~ "compatibility" | ||
305 | #~ msgstr "" | ||
306 | #~ "在 OpenSSH 第 3 版ä¸å†ä¸º ssh1 å’Œ ssh2 的密钥使用ä¸åŒçš„文件。这æ„å‘³ç€ " | ||
307 | #~ "authorized_keys2 å’Œ known_hosts2 文件将ä¸å†éœ€è¦ã€‚但为了ä¿æŒå‘åŽå…¼å®¹æ€§ï¼Œå®ƒ" | ||
308 | #~ "们ä»ä¼šè¢«è¯»å–。" | ||
309 | |||
310 | #~ msgid "Do you want to run the sshd server?" | ||
311 | #~ msgstr "您è¦è¿è¡Œ sshd æœåŠ¡å™¨å—?" | ||
312 | |||
313 | #~ msgid "This package contains both the ssh client, and the sshd server." | ||
314 | #~ msgstr "è¿™ä¸ªè½¯ä»¶åŒ…å†…å« ssh 客户端和 sshd æœåŠ¡å™¨ã€‚" | ||
315 | |||
316 | #~ msgid "" | ||
317 | #~ "Normally the sshd Secure Shell Server will be run to allow remote logins " | ||
318 | #~ "via ssh." | ||
319 | #~ msgstr "通常 sshd 安全 Shell æœåŠ¡å™¨éƒ½ä¼šè¿è¡Œä»¥ä¾¿å…许通过 ssh 进行远程登录。" | ||
320 | |||
321 | #~ msgid "" | ||
322 | #~ "If you are only interested in using the ssh client for outbound " | ||
323 | #~ "connections on this machine, and don't want to log into it at all using " | ||
324 | #~ "ssh, then you can disable sshd here." | ||
325 | #~ msgstr "" | ||
326 | #~ "如果您åªè¦åœ¨è¿™å°æœºå™¨ä¸Šä½¿ç”¨ ssh 客户端对外连接,完全ä¸æƒ³é€šè¿‡ ssh 登录到本" | ||
327 | #~ "机,那么您å¯ä»¥åœ¨è¿™é‡Œç¦ç”¨ sshd æœåŠ¡å™¨ã€‚" | ||
328 | |||
329 | #~ msgid "Environment options on keys have been deprecated" | ||
330 | #~ msgstr "密钥的环境选项已被废弃" | ||
331 | |||
332 | #~ msgid "" | ||
333 | #~ "This version of OpenSSH disables the environment option for public keys " | ||
334 | #~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " | ||
335 | #~ "If you are using this option in an authorized_keys file, beware that the " | ||
336 | #~ "keys in question will no longer work until the option is removed." | ||
337 | #~ msgstr "" | ||
338 | #~ "为了é¿å…一些攻击(如 LD_PRELOAD),这个版本的 OpenSSH 默认ç¦ç”¨äº†å…¬é’¥ä¸Šçš„环境" | ||
339 | #~ "选项。如果您在æŸä¸ªæŽˆæƒå¯†é’¥(authorized_keys)文件ä¸ç”¨äº†è¿™ä¸ªå‚数,请注æ„除éž" | ||
340 | #~ "åˆ é™¤äº†æ¤é€‰é¡¹ï¼Œå¦åˆ™è¿™ä¸ªå¯ç–‘的密钥将ä¸å†èµ·ä½œç”¨ã€‚" | ||
341 | |||
342 | #~ msgid "" | ||
343 | #~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" | ||
344 | #~ "sshd_config after the upgrade is complete, taking note of the warning in " | ||
345 | #~ "the sshd_config(5) manual page." | ||
346 | #~ msgstr "" | ||
347 | #~ "è¦é‡æ–°å¯ç”¨è¿™ä¸ªé€‰é¡¹ï¼Œå‡çº§å®ŒæˆåŽè¯·åœ¨ /etc/ssh/sshd_config ä¸åŠ 入一" | ||
348 | #~ "行:“PermitUserEnvironment yesâ€ã€‚è¯·æ³¨æ„ sshd_config(5) 手册页ä¸æ到的è¦" | ||
349 | #~ "告。" | ||
350 | |||
351 | #~ msgid "Privilege separation" | ||
352 | #~ msgstr "æƒé™åˆ†ç¦»" | ||
353 | |||
354 | #~ msgid "" | ||
355 | #~ "Privilege separation is turned on by default, so if you decide you want " | ||
356 | #~ "it turned off, you need to add \"UsePrivilegeSeparation no\" to /etc/ssh/" | ||
357 | #~ "sshd_config." | ||
358 | #~ msgstr "" | ||
359 | #~ "æƒé™åˆ†ç¦»é€‰é¡¹æ˜¯é»˜è®¤æ‰“开的。如果想è¦å…³é—æ¤é€‰é¡¹ï¼Œæ‚¨éœ€è¦åœ¨ /etc/ssh/" | ||
360 | #~ "sshd_config 文件ä¸æ·»åŠ 一行“UsePrivilegeSeparation noâ€ã€‚" | ||
361 | |||
362 | #~ msgid "Enable Privilege separation" | ||
363 | #~ msgstr "å¯ç”¨æƒé™åˆ†ç¦»" | ||
364 | |||
365 | #~ msgid "" | ||
366 | #~ "This version of OpenSSH contains the new privilege separation option. " | ||
367 | #~ "This significantly reduces the quantity of code that runs as root, and " | ||
368 | #~ "therefore reduces the impact of security holes in sshd." | ||
369 | #~ msgstr "" | ||
370 | #~ "这个版本的 OpenSSH 包å«äº†ä¸€ä¸ªæ–°çš„æƒé™åˆ†ç¦»çš„选项,目的是为了å‡å°‘以 root è¿" | ||
371 | #~ "行的代ç 数目,进而å‡å°‘了 sshd 被安全æ¼æ´žå½±å“的机会。" | ||
372 | |||
373 | #~ msgid "" | ||
374 | #~ "Unfortunately, privilege separation interacts badly with PAM. Any PAM " | ||
375 | #~ "session modules that need to run as root (pam_mkhomedir, for example) " | ||
376 | #~ "will fail, and PAM keyboard-interactive authentication won't work." | ||
377 | #~ msgstr "" | ||
378 | #~ "ä¸å¹¸çš„是,æƒé™åˆ†ç¦»å’Œ PAM åŒæ—¶ä½¿ç”¨ä¼šå¾ˆç³Ÿç³•ã€‚任何需è¦ä»¥ root è¿è¡Œçš„ PAM 会è¯" | ||
379 | #~ "æ¨¡å— (如 pam_mkhomedir) 都会失败,而且 PAM 键盘交互å¼è®¤è¯éƒ½ä¸èµ·ä½œç”¨ã€‚" | ||
380 | |||
381 | #~ msgid "" | ||
382 | #~ "Since you've opted to have me generate an sshd_config file for you, you " | ||
383 | #~ "can choose whether or not to have privilege separation turned on or not. " | ||
384 | #~ "Unless you know you need to use PAM features that won't work with this " | ||
385 | #~ "option, you should enable it." | ||
386 | #~ msgstr "" | ||
387 | #~ "å› ä¸ºæ‚¨é€‰æ‹©äº†è®©æˆ‘ä¸ºæ‚¨ç”Ÿæˆ sshd_config 文件,您å¯ä»¥é€‰æ‹©æ˜¯å¦æ‰“å¼€æƒé™åˆ†ç¦»é€‰" | ||
388 | #~ "项。除éžæ‚¨çŸ¥é“需è¦ä½¿ç”¨ PAM 这个ä¸èƒ½å’Œæƒé™åˆ†ç¦»åŒæ—¶å·¥ä½œçš„功能,å¦åˆ™å°±åº”该å¯" | ||
389 | #~ "用它。" | ||
diff --git a/debian/rules b/debian/rules new file mode 100755 index 000000000..85b916bd4 --- /dev/null +++ b/debian/rules | |||
@@ -0,0 +1,218 @@ | |||
1 | #!/usr/bin/make -f | ||
2 | |||
3 | # Uncomment this to turn on verbose mode. | ||
4 | # export DH_VERBOSE=1 | ||
5 | |||
6 | include /usr/share/hardening-includes/hardening.make | ||
7 | |||
8 | # This has to be exported to make some magic below work. | ||
9 | export DH_OPTIONS | ||
10 | |||
11 | ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) | ||
12 | OPTFLAGS := -O2 | ||
13 | else | ||
14 | OPTFLAGS := -O0 | ||
15 | endif | ||
16 | |||
17 | ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) | ||
18 | RUN_TESTS := yes | ||
19 | else | ||
20 | RUN_TESTS := | ||
21 | endif | ||
22 | |||
23 | DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) | ||
24 | DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) | ||
25 | |||
26 | ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) | ||
27 | CC := gcc | ||
28 | else | ||
29 | CC := $(DEB_HOST_GNU_TYPE)-gcc | ||
30 | RUN_TESTS := | ||
31 | endif | ||
32 | |||
33 | DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) | ||
34 | DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null) | ||
35 | |||
36 | # Take account of old dpkg-architecture output. | ||
37 | ifeq ($(DEB_HOST_ARCH_OS),) | ||
38 | DEB_HOST_ARCH_OS := $(subst -gnu,,$(shell dpkg-architecture -qDEB_HOST_GNU_SYSTEM)) | ||
39 | ifeq ($(DEB_HOST_ARCH_OS),gnu) | ||
40 | DEB_HOST_ARCH_OS := hurd | ||
41 | endif | ||
42 | endif | ||
43 | ifeq ($(DEB_HOST_ARCH_CPU),) | ||
44 | DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU) | ||
45 | ifeq ($(DEB_HOST_ARCH_CPU),x86_64) | ||
46 | DEB_HOST_ARCH_CPU := amd64 | ||
47 | endif | ||
48 | endif | ||
49 | |||
50 | ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:)) | ||
51 | ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:mips:mipsel:)) | ||
52 | # Apparently this is not implied by -fPIE, at least on the mipsen. | ||
53 | PIC_CFLAGS := -fPIC | ||
54 | PIC_LDFLAGS := -fPIC | ||
55 | endif | ||
56 | endif | ||
57 | |||
58 | # Change the version string to include the Debian version | ||
59 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') | ||
60 | |||
61 | DISTRIBUTOR := $(shell lsb_release -is 2>/dev/null || echo Debian) | ||
62 | ifeq ($(DISTRIBUTOR),Ubuntu) | ||
63 | DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games | ||
64 | else | ||
65 | DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games | ||
66 | endif | ||
67 | SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 | ||
68 | |||
69 | # Common path configuration. | ||
70 | confflags += --sysconfdir=/etc/ssh | ||
71 | |||
72 | # Common build options. | ||
73 | confflags += --disable-strip | ||
74 | confflags += --with-mantype=doc | ||
75 | confflags += --with-4in6 | ||
76 | confflags += --with-privsep-path=/var/run/sshd | ||
77 | confflags += --without-rand-helper | ||
78 | |||
79 | # The Hurd needs libcrypt for res_query et al. | ||
80 | ifeq ($(DEB_HOST_ARCH_OS),hurd) | ||
81 | confflags += --with-libs=-lcrypt | ||
82 | endif | ||
83 | |||
84 | # Everything above here is common to the deb and udeb builds. | ||
85 | confflags_udeb := $(confflags) | ||
86 | |||
87 | # Options specific to the deb build. | ||
88 | confflags += --with-tcp-wrappers | ||
89 | confflags += --with-pam | ||
90 | confflags += --with-libedit | ||
91 | confflags += --with-kerberos5=/usr | ||
92 | confflags += --with-ssl-engine | ||
93 | ifeq ($(DEB_HOST_ARCH_OS),linux) | ||
94 | confflags += --with-selinux | ||
95 | endif | ||
96 | |||
97 | # The deb build wants xauth; the udeb build doesn't. | ||
98 | confflags += --with-xauth=/usr/bin/xauth | ||
99 | confflags_udeb += --without-xauth | ||
100 | |||
101 | # Default paths. The udeb build has /usr/bin/X11 and /usr/games removed. | ||
102 | confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH) | ||
103 | confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | ||
104 | |||
105 | # Compiler flags. | ||
106 | cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS) | ||
107 | cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT | ||
108 | cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" | ||
109 | cflags_udeb := -Os | ||
110 | cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" | ||
111 | confflags += --with-cflags='$(cflags)' | ||
112 | confflags_udeb += --with-cflags='$(cflags_udeb)' | ||
113 | |||
114 | # Linker flags. | ||
115 | confflags += --with-ldflags='$(strip -Wl,--as-needed $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))' | ||
116 | confflags_udeb += --with-ldflags='-Wl,--as-needed' | ||
117 | |||
118 | %: | ||
119 | dh $@ | ||
120 | |||
121 | override_dh_auto_configure: | ||
122 | dh_auto_configure -Bbuild-deb -- $(confflags) | ||
123 | dh_auto_configure -Bbuild-udeb -- $(confflags_udeb) | ||
124 | |||
125 | override_dh_auto_build: | ||
126 | # Debian's /var/log/btmp has inappropriate permissions. | ||
127 | perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h | ||
128 | perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-udeb/config.h | ||
129 | |||
130 | # Avoid libnsl linkage. Ugh. | ||
131 | perl -pi -e 's/ +-lnsl//' build-udeb/config.status | ||
132 | cd build-udeb && ./config.status | ||
133 | |||
134 | $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' | ||
135 | $(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen | ||
136 | |||
137 | $(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(OPTFLAGS) -g -Wall -Wl,--as-needed' | ||
138 | |||
139 | override_dh_auto_test: | ||
140 | ifeq ($(RUN_TESTS),yes) | ||
141 | $(MAKE) -C debian/tests | ||
142 | endif | ||
143 | |||
144 | override_dh_auto_clean: | ||
145 | rm -rf build-deb build-udeb | ||
146 | ifeq ($(RUN_TESTS),yes) | ||
147 | $(MAKE) -C debian/tests clean | ||
148 | endif | ||
149 | $(MAKE) -C contrib clean | ||
150 | (cat debian/copyright.head; iconv -f ISO-8859-1 -t UTF-8 LICENCE) \ | ||
151 | > debian/copyright | ||
152 | |||
153 | override_dh_auto_install: | ||
154 | $(MAKE) -C build-deb DESTDIR=`pwd`/debian/tmp install-nokeys | ||
155 | |||
156 | override_dh_install: | ||
157 | rm -f debian/tmp/etc/ssh/sshd_config | ||
158 | |||
159 | dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing | ||
160 | dh_install -popenssh-client-udeb -popenssh-server-udeb \ | ||
161 | --sourcedir=build-udeb | ||
162 | |||
163 | install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass | ||
164 | |||
165 | install -o root -g root debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server | ||
166 | install -o root -g root -m 644 debian/openssh-server.ufw.profile debian/openssh-server/etc/ufw/applications.d/openssh-server | ||
167 | |||
168 | # Remove version control tags to avoid unnecessary conffile | ||
169 | # resolution steps for administrators. | ||
170 | sed -i '/\$$OpenBSD:/d' \ | ||
171 | debian/openssh-client/etc/ssh/moduli \ | ||
172 | debian/openssh-client/etc/ssh/ssh_config | ||
173 | |||
174 | override_dh_installdocs: | ||
175 | dh_installdocs -Nopenssh-server -Nssh | ||
176 | dh_installdocs -popenssh-server -pssh --link-doc=openssh-client | ||
177 | # Avoid breaking dh_installexamples later. | ||
178 | mkdir -p debian/openssh-server/usr/share/doc/openssh-client | ||
179 | |||
180 | override_dh_installinit: | ||
181 | dh_installinit --name ssh | ||
182 | |||
183 | override_dh_installpam: | ||
184 | dh_installpam --name sshd | ||
185 | |||
186 | override_dh_fixperms: | ||
187 | dh_fixperms | ||
188 | chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign | ||
189 | |||
190 | override_dh_installdeb: | ||
191 | dh_installdeb | ||
192 | perl -i debian/substitute-conffile.pl \ | ||
193 | ETC_SSH_MODULI debian/openssh-client/etc/ssh/moduli \ | ||
194 | ETC_SSH_SSH_CONFIG debian/openssh-client/etc/ssh/ssh_config \ | ||
195 | debian/openssh-client/DEBIAN/preinst | ||
196 | # Yes, ETC_PAM_D_SSH is meant to be spelled that way, to match the | ||
197 | # old configuration file name we need to transfer. | ||
198 | perl -i debian/substitute-conffile.pl \ | ||
199 | ETC_DEFAULT_SSH debian/openssh-server/etc/default/ssh \ | ||
200 | ETC_INIT_D_SSH debian/openssh-server/etc/init.d/ssh \ | ||
201 | ETC_PAM_D_SSH debian/openssh-server/etc/pam.d/sshd \ | ||
202 | debian/openssh-server/DEBIAN/preinst | ||
203 | |||
204 | debian/faq.html: | ||
205 | wget -O - http://www.openssh.org/faq.html | \ | ||
206 | sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.org/\2,g' \ | ||
207 | > debian/faq.html | ||
208 | |||
209 | # You only need to run this immediately after checking out the package from | ||
210 | # revision control. | ||
211 | quilt-setup: | ||
212 | [ ! -d .pc ] | ||
213 | set -e; for patch in $$(quilt series | tac); do \ | ||
214 | patch -p1 -R --no-backup-if-mismatch <"debian/patches/$$patch"; \ | ||
215 | done | ||
216 | quilt push -a | ||
217 | |||
218 | .PHONY: quilt-setup | ||
diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides new file mode 100644 index 000000000..5ddb25600 --- /dev/null +++ b/debian/source.lintian-overrides | |||
@@ -0,0 +1,2 @@ | |||
1 | # .desktop file intentionally not installed | ||
2 | openssh source: desktop-file-but-no-dh_desktop-call | ||
diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 000000000..163aaf8d8 --- /dev/null +++ b/debian/source/format | |||
@@ -0,0 +1 @@ | |||
3.0 (quilt) | |||
diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 000000000..df5790e2e --- /dev/null +++ b/debian/source/include-binaries | |||
@@ -0,0 +1 @@ | |||
debian/ssh-askpass-gnome.png | |||
diff --git a/debian/ssh-argv0 b/debian/ssh-argv0 new file mode 100644 index 000000000..67599aec2 --- /dev/null +++ b/debian/ssh-argv0 | |||
@@ -0,0 +1,30 @@ | |||
1 | #! /bin/sh -e | ||
2 | |||
3 | # Copyright (c) 2001 Jonathan Amery. | ||
4 | # | ||
5 | # Redistribution and use in source and binary forms, with or without | ||
6 | # modification, are permitted provided that the following conditions | ||
7 | # are met: | ||
8 | # 1. Redistributions of source code must retain the above copyright | ||
9 | # notice, this list of conditions and the following disclaimer. | ||
10 | # 2. Redistributions in binary form must reproduce the above copyright | ||
11 | # notice, this list of conditions and the following disclaimer in the | ||
12 | # documentation and/or other materials provided with the distribution. | ||
13 | # | ||
14 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
15 | # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
16 | # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
17 | # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
18 | # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
19 | # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
20 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
21 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
22 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
23 | # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
24 | |||
25 | if [ "${0##*/}" = "ssh-argv0" ] | ||
26 | then | ||
27 | echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2 | ||
28 | exit 1 | ||
29 | fi | ||
30 | exec ssh "${0##*/}" "$@" | ||
diff --git a/debian/ssh-argv0.1 b/debian/ssh-argv0.1 new file mode 100644 index 000000000..a36a63d40 --- /dev/null +++ b/debian/ssh-argv0.1 | |||
@@ -0,0 +1,64 @@ | |||
1 | .Dd September 7, 2001 | ||
2 | .Dt SSH-ARGV0 1 | ||
3 | .Os Debian Project | ||
4 | .Sh NAME | ||
5 | .Nm ssh-argv0 | ||
6 | .Nd replaces the old ssh command-name as hostname handling | ||
7 | .Sh SYNOPSIS | ||
8 | .Ar hostname | user@hostname | ||
9 | .Op Fl l Ar login_name | ||
10 | .Op Ar command | ||
11 | .Pp | ||
12 | .Ar hostname | user@hostname | ||
13 | .Op Fl afgknqstvxACNTX1246 | ||
14 | .Op Fl b Ar bind_address | ||
15 | .Op Fl c Ar cipher_spec | ||
16 | .Op Fl e Ar escape_char | ||
17 | .Op Fl i Ar identity_file | ||
18 | .Op Fl l Ar login_name | ||
19 | .Op Fl m Ar mac_spec | ||
20 | .Op Fl o Ar option | ||
21 | .Op Fl p Ar port | ||
22 | .Op Fl F Ar configfile | ||
23 | .Oo Fl L Xo | ||
24 | .Sm off | ||
25 | .Ar port : | ||
26 | .Ar host : | ||
27 | .Ar hostport | ||
28 | .Sm on | ||
29 | .Xc | ||
30 | .Oc | ||
31 | .Oo Fl R Xo | ||
32 | .Sm off | ||
33 | .Ar port : | ||
34 | .Ar host : | ||
35 | .Ar hostport | ||
36 | .Sm on | ||
37 | .Xc | ||
38 | .Oc | ||
39 | .Op Fl D Ar port | ||
40 | .Op Ar command | ||
41 | .Sh DESCRIPTION | ||
42 | .Nm | ||
43 | replaces the old ssh command-name as hostname handling. | ||
44 | If you link to this script with a hostname then executing the link is | ||
45 | equivalent to having executed ssh with that hostname as an argument. | ||
46 | All other arguments are passed to ssh and will be processed normally. | ||
47 | .Sh OPTIONS | ||
48 | See | ||
49 | .Xr ssh 1 . | ||
50 | .Sh FILES | ||
51 | See | ||
52 | .Xr ssh 1 . | ||
53 | .Sh AUTHORS | ||
54 | OpenSSH is a derivative of the original and free | ||
55 | ssh 1.2.12 release by Tatu Ylonen. | ||
56 | Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, | ||
57 | Theo de Raadt and Dug Song | ||
58 | removed many bugs, re-added newer features and | ||
59 | created OpenSSH. | ||
60 | Markus Friedl contributed the support for SSH | ||
61 | protocol versions 1.5 and 2.0. | ||
62 | Jonathan Amery wrote this ssh-argv0 script and the associated documentation. | ||
63 | .Sh SEE ALSO | ||
64 | .Xr ssh 1 | ||
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright new file mode 100644 index 000000000..4a71dda00 --- /dev/null +++ b/debian/ssh-askpass-gnome.copyright | |||
@@ -0,0 +1,44 @@ | |||
1 | This package contains a Gnome based implementation of ssh-askpass | ||
2 | written by Damien Miller. | ||
3 | |||
4 | It is split out from the main package to isolate the dependency on the | ||
5 | Gnome and X11 libraries. | ||
6 | |||
7 | It was packaged for Debian by Philip Hands <phil@hands.com>. | ||
8 | |||
9 | Copyright: | ||
10 | |||
11 | /* | ||
12 | ** | ||
13 | ** GNOME ssh passphrase requestor | ||
14 | ** | ||
15 | ** Damien Miller <djm@ibs.com.au> | ||
16 | ** | ||
17 | ** Copyright 1999 Internet Business Solutions | ||
18 | ** | ||
19 | ** Permission is hereby granted, free of charge, to any person | ||
20 | ** obtaining a copy of this software and associated documentation | ||
21 | ** files (the "Software"), to deal in the Software without | ||
22 | ** restriction, including without limitation the rights to use, copy, | ||
23 | ** modify, merge, publish, distribute, sublicense, and/or sell copies | ||
24 | ** of the Software, and to permit persons to whom the Software is | ||
25 | ** furnished to do so, subject to the following conditions: | ||
26 | ** | ||
27 | ** The above copyright notice and this permission notice shall be | ||
28 | ** included in all copies or substantial portions of the Software. | ||
29 | ** | ||
30 | ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY | ||
31 | ** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE | ||
32 | ** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE | ||
33 | ** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET | ||
34 | ** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
35 | ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | ||
36 | ** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE | ||
37 | ** OR OTHER DEALINGS IN THE SOFTWARE. | ||
38 | ** | ||
39 | ** Except as contained in this notice, the name of Internet Business | ||
40 | ** Solutions shall not be used in advertising or otherwise to promote | ||
41 | ** the sale, use or other dealings in this Software without prior | ||
42 | ** written authorization from Internet Business Solutions. | ||
43 | ** | ||
44 | */ | ||
diff --git a/debian/ssh-askpass-gnome.desktop b/debian/ssh-askpass-gnome.desktop new file mode 100644 index 000000000..eba7a67d1 --- /dev/null +++ b/debian/ssh-askpass-gnome.desktop | |||
@@ -0,0 +1,12 @@ | |||
1 | [Desktop Entry] | ||
2 | Version=1.0 | ||
3 | Encoding=UTF-8 | ||
4 | Name=SSH AskPass | ||
5 | GenericName=ssh-add | ||
6 | Comment=Enter passphrase to authenticate to the ssh agent | ||
7 | Exec=/usr/bin/ssh-add | ||
8 | TryExec=ssh-add | ||
9 | Terminal=false | ||
10 | Type=Application | ||
11 | Icon=ssh-askpass-gnome | ||
12 | Categories=Network;Security; | ||
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs new file mode 100644 index 000000000..0ffa45024 --- /dev/null +++ b/debian/ssh-askpass-gnome.dirs | |||
@@ -0,0 +1,3 @@ | |||
1 | usr/lib/openssh | ||
2 | usr/share/man/man1 | ||
3 | usr/share/pixmaps | ||
diff --git a/debian/ssh-askpass-gnome.examples b/debian/ssh-askpass-gnome.examples new file mode 100644 index 000000000..66fd8c0e4 --- /dev/null +++ b/debian/ssh-askpass-gnome.examples | |||
@@ -0,0 +1 @@ | |||
debian/ssh-askpass-gnome.desktop | |||
diff --git a/debian/ssh-askpass-gnome.install b/debian/ssh-askpass-gnome.install new file mode 100644 index 000000000..8b6b5f045 --- /dev/null +++ b/debian/ssh-askpass-gnome.install | |||
@@ -0,0 +1 @@ | |||
debian/ssh-askpass-gnome.png usr/share/pixmaps | |||
diff --git a/debian/ssh-askpass-gnome.manpages b/debian/ssh-askpass-gnome.manpages new file mode 100644 index 000000000..7749f13bb --- /dev/null +++ b/debian/ssh-askpass-gnome.manpages | |||
@@ -0,0 +1 @@ | |||
debian/gnome-ssh-askpass.1 | |||
diff --git a/debian/ssh-askpass-gnome.png b/debian/ssh-askpass-gnome.png new file mode 100644 index 000000000..06f75764e --- /dev/null +++ b/debian/ssh-askpass-gnome.png | |||
Binary files differ | |||
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst new file mode 100644 index 000000000..b6c56d4e7 --- /dev/null +++ b/debian/ssh-askpass-gnome.postinst | |||
@@ -0,0 +1,65 @@ | |||
1 | #! /bin/sh | ||
2 | # postinst script for ssh-askpass-gnome | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <postinst> `configure' <most-recently-configured-version> | ||
10 | # * <old-postinst> `abort-upgrade' <new version> | ||
11 | # * <conflictor's-postinst> `abort-remove' `in-favour' <package> | ||
12 | # <new-version> | ||
13 | # * <deconfigured's-postinst> `abort-deconfigure' `in-favour' | ||
14 | # <failed-install-package> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | # | ||
18 | # quoting from the policy: | ||
19 | # Any necessary prompting should almost always be confined to the | ||
20 | # post-installation script, and should be protected with a conditional | ||
21 | # so that unnecessary prompting doesn't happen if a package's | ||
22 | # installation fails and the `postinst' is called with `abort-upgrade', | ||
23 | # `abort-remove' or `abort-deconfigure'. | ||
24 | |||
25 | case "$1" in | ||
26 | configure) | ||
27 | if dpkg --compare-versions "$2" lt-nl 1:4.1p1-1; then | ||
28 | # libexecdir changed, so remove the obsolete alternative. | ||
29 | update-alternatives --quiet --remove ssh-askpass \ | ||
30 | /usr/lib/ssh/gnome-ssh-askpass | ||
31 | fi | ||
32 | if dpkg --compare-versions "$2" lt-nl 1:4.1p1-7 && \ | ||
33 | [ -h /etc/alternatives/ssh-askpass ] && \ | ||
34 | [ "$(readlink /etc/alternatives/ssh-askpass)" = /usr/lib/ssh/gnome-ssh-askpass ]; then | ||
35 | # Work around the ssh-askpass alternative somehow ending up in | ||
36 | # manual mode. | ||
37 | update-alternatives --auto ssh-askpass | ||
38 | fi | ||
39 | update-alternatives --quiet \ | ||
40 | --install /usr/bin/ssh-askpass ssh-askpass \ | ||
41 | /usr/lib/openssh/gnome-ssh-askpass 30 \ | ||
42 | --slave /usr/share/man/man1/ssh-askpass.1.gz \ | ||
43 | ssh-askpass.1.gz /usr/share/man/man1/gnome-ssh-askpass.1.gz | ||
44 | |||
45 | |||
46 | ;; | ||
47 | |||
48 | abort-upgrade|abort-remove|abort-deconfigure) | ||
49 | |||
50 | ;; | ||
51 | |||
52 | *) | ||
53 | echo "postinst called with unknown argument \`$1'" >&2 | ||
54 | exit 0 | ||
55 | ;; | ||
56 | esac | ||
57 | |||
58 | # dh_installdeb will replace this with shell code automatically | ||
59 | # generated by other debhelper scripts. | ||
60 | |||
61 | #DEBHELPER# | ||
62 | |||
63 | exit 0 | ||
64 | |||
65 | |||
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm new file mode 100644 index 000000000..e85f2d4a7 --- /dev/null +++ b/debian/ssh-askpass-gnome.prerm | |||
@@ -0,0 +1,41 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh-askpass-gnome | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | update-alternatives --quiet --remove ssh-askpass /usr/lib/openssh/gnome-ssh-askpass | ||
21 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
22 | ;; | ||
23 | upgrade) | ||
24 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
25 | ;; | ||
26 | failed-upgrade) | ||
27 | ;; | ||
28 | *) | ||
29 | echo "prerm called with unknown argument \`$1'" >&2 | ||
30 | exit 0 | ||
31 | ;; | ||
32 | esac | ||
33 | |||
34 | # dh_installdeb will replace this with shell code automatically | ||
35 | # generated by other debhelper scripts. | ||
36 | |||
37 | #DEBHELPER# | ||
38 | |||
39 | exit 0 | ||
40 | |||
41 | |||
diff --git a/debian/ssh-krb5.NEWS b/debian/ssh-krb5.NEWS new file mode 100644 index 000000000..5a6433ab2 --- /dev/null +++ b/debian/ssh-krb5.NEWS | |||
@@ -0,0 +1,18 @@ | |||
1 | ssh-krb5 (1:4.3p2-7) unstable; urgency=low | ||
2 | |||
3 | The normal openssh-server and openssh-client packages in Debian now | ||
4 | include full GSSAPI support, including key exchange. This package is | ||
5 | now only a transitional package that depends on openssh-server and | ||
6 | openssh-client and configures openssh-server for GSSAPI authentication | ||
7 | if it wasn't already. | ||
8 | |||
9 | You can now simply install openssh-server and openssh-client directly | ||
10 | and remove this package. Just make sure that /etc/ssh/sshd_config | ||
11 | contains: | ||
12 | |||
13 | GSSAPIAuthentication yes | ||
14 | GSSAPIKeyExchange yes | ||
15 | |||
16 | if you want to support GSSAPI authentication to your ssh server. | ||
17 | |||
18 | -- Russ Allbery <rra@debian.org> Tue, 03 Oct 2006 22:27:27 -0700 | ||
diff --git a/debian/ssh-krb5.postinst b/debian/ssh-krb5.postinst new file mode 100644 index 000000000..4d943d861 --- /dev/null +++ b/debian/ssh-krb5.postinst | |||
@@ -0,0 +1,73 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | set -e | ||
4 | |||
5 | action="$1" | ||
6 | oldversion="$2" | ||
7 | |||
8 | if [ "$action" = configure ] ; then | ||
9 | if dpkg --compare-versions "$oldversion" lt-nl 1:4.3p2-7; then | ||
10 | # Replaced by /etc/init.d/ssh. | ||
11 | if [ -f /etc/init.d/ssh-krb5 ]; then | ||
12 | mv /etc/init.d/ssh-krb5 /etc/init.d/ssh-krb5.dpkg-old | ||
13 | update-rc.d ssh-krb5 remove || true | ||
14 | fi | ||
15 | fi | ||
16 | |||
17 | # Make sure that GSSAPI is enabled. If there is no uncommented GSSAPI | ||
18 | # configuration, uncomment any commented-out configuration if present | ||
19 | # (this will catch the case of a fresh install of openssh-server). | ||
20 | # Otherwise, add configuration turning on GSSAPIAuthentication and | ||
21 | # GSSAPIKeyExchange. | ||
22 | # | ||
23 | # If there is some configuration, we may be upgrading from ssh-krb5. It | ||
24 | # enabled GSSAPIKeyExchange without any configuration option. Therefore, | ||
25 | # if it isn't explicitly set, always enable it for compatible behavior | ||
26 | # with ssh-krb5. | ||
27 | if dpkg --compare-versions "$oldversion" ge 1:4.3p2-9; then | ||
28 | : | ||
29 | else | ||
30 | changed= | ||
31 | if grep -qi '^[ ]*GSSAPI' /etc/ssh/sshd_config ; then | ||
32 | if grep -qi '^[ ]*GSSAPIKeyExchange' /etc/ssh/sshd_config ; then | ||
33 | : | ||
34 | else | ||
35 | changed=true | ||
36 | cat >> /etc/ssh/sshd_config <<EOF | ||
37 | |||
38 | # GSSAPI key exchange (added by ssh-krb5 transitional package) | ||
39 | GSSAPIKeyExchange yes | ||
40 | EOF | ||
41 | fi | ||
42 | else | ||
43 | changed=true | ||
44 | if grep -qi '^#GSSAPI' /etc/ssh/sshd_config ; then | ||
45 | perl -pe 's/^\#(GSSAPI(Authentication|KeyExchange))\b.*/$1 yes/i' \ | ||
46 | < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new | ||
47 | chown --reference /etc/ssh/sshd_config \ | ||
48 | /etc/ssh/sshd_config.dpkg-new | ||
49 | chmod --reference /etc/ssh/sshd_config \ | ||
50 | /etc/ssh/sshd_config.dpkg-new | ||
51 | mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config | ||
52 | else | ||
53 | cat >> /etc/ssh/sshd_config <<EOF | ||
54 | |||
55 | # GSSAPI authentication (added by ssh-krb5 transitional package) | ||
56 | GSSAPIAuthentication yes | ||
57 | GSSAPIKeyExchange yes | ||
58 | EOF | ||
59 | fi | ||
60 | fi | ||
61 | if [ -n "$changed" ] && [ -x /etc/init.d/ssh ] ; then | ||
62 | if [ -x /usr/sbin/invoke-rc.d ] ; then | ||
63 | invoke-rc.d ssh restart | ||
64 | else | ||
65 | /etc/init.d/ssh restart | ||
66 | fi | ||
67 | fi | ||
68 | fi | ||
69 | fi | ||
70 | |||
71 | #DEBHELPER# | ||
72 | |||
73 | exit 0 | ||
diff --git a/debian/ssh.dirs b/debian/ssh.dirs new file mode 100644 index 000000000..1da8fba83 --- /dev/null +++ b/debian/ssh.dirs | |||
@@ -0,0 +1 @@ | |||
usr/share/lintian/overrides | |||
diff --git a/debian/ssh.lintian-overrides b/debian/ssh.lintian-overrides new file mode 100644 index 000000000..b9bf7ea08 --- /dev/null +++ b/debian/ssh.lintian-overrides | |||
@@ -0,0 +1 @@ | |||
ssh: package-contains-empty-directory usr/share/doc/openssh-client/ | |||
diff --git a/debian/ssh.postinst b/debian/ssh.postinst new file mode 100644 index 000000000..cb1278033 --- /dev/null +++ b/debian/ssh.postinst | |||
@@ -0,0 +1,18 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | if [ "$action" != configure ]; then | ||
7 | exit 0 | ||
8 | fi | ||
9 | |||
10 | if [ ! -L /usr/share/doc/ssh ] && \ | ||
11 | dpkg --compare-versions "$oldversion" lt-nl 1:4.1p1-5; then | ||
12 | rm -rf /usr/share/doc/ssh | ||
13 | ln -s openssh-client /usr/share/doc/ssh | ||
14 | fi | ||
15 | |||
16 | #DEBHELPER# | ||
17 | |||
18 | exit 0 | ||
diff --git a/debian/ssh.prerm b/debian/ssh.prerm new file mode 100644 index 000000000..400c92bed --- /dev/null +++ b/debian/ssh.prerm | |||
@@ -0,0 +1,14 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | case $1 in | ||
4 | upgrade) | ||
5 | if [ -L /usr/share/doc/ssh ] && \ | ||
6 | dpkg --compare-versions "$2" lt-nl 1:4.1p1-5; then | ||
7 | rm -f /usr/share/doc/ssh | ||
8 | fi | ||
9 | ;; | ||
10 | esac | ||
11 | |||
12 | #DEBHELPER# | ||
13 | |||
14 | exit 0 | ||
diff --git a/debian/substitute-conffile.pl b/debian/substitute-conffile.pl new file mode 100644 index 000000000..7dd23363e --- /dev/null +++ b/debian/substitute-conffile.pl | |||
@@ -0,0 +1,26 @@ | |||
1 | #! /usr/bin/perl -p | ||
2 | |||
3 | # This is needed for a nasty preinst hack to work around a bug in sarge's | ||
4 | # version of dpkg. It substitutes the literal text of conffiles into preinst | ||
5 | # scripts so that they can be used when moving conffiles between packages. | ||
6 | |||
7 | BEGIN { | ||
8 | %texts = (); | ||
9 | while (@ARGV > 1) { | ||
10 | my $name = $ARGV[0]; | ||
11 | shift; | ||
12 | local *FILE; | ||
13 | open FILE, '<', $ARGV[0]; | ||
14 | local $/ = undef; | ||
15 | my $text = <FILE>; | ||
16 | close FILE; | ||
17 | # Quote for the shell. | ||
18 | $text =~ s/'/'\\''/g; | ||
19 | shift; | ||
20 | $texts{$name} = $text; | ||
21 | } | ||
22 | } | ||
23 | |||
24 | for my $name (keys %texts) { | ||
25 | s/\@$name\@/'$texts{$name}'/g; | ||
26 | } | ||
diff --git a/debian/tests/Makefile b/debian/tests/Makefile new file mode 100644 index 000000000..666ed8227 --- /dev/null +++ b/debian/tests/Makefile | |||
@@ -0,0 +1,12 @@ | |||
1 | test: getpid.so | ||
2 | chmod +x keygen-test | ||
3 | ./keygen-test | ||
4 | |||
5 | getpid.o: getpid.c | ||
6 | gcc -fPIC -c $< -o $@ | ||
7 | |||
8 | getpid.so: getpid.o | ||
9 | gcc -shared -o $@ $< | ||
10 | |||
11 | clean: | ||
12 | rm -f getpid.o getpid.so key1 key1.pub key2 key2.pub | ||
diff --git a/debian/tests/getpid.c b/debian/tests/getpid.c new file mode 100644 index 000000000..c9e35b87e --- /dev/null +++ b/debian/tests/getpid.c | |||
@@ -0,0 +1,39 @@ | |||
1 | /* | ||
2 | * Compile: | ||
3 | |||
4 | gcc -fPIC -c getpid.c -o getpid.o | ||
5 | gcc -shared -o getpid.so getpid.o | ||
6 | |||
7 | * Use: | ||
8 | |||
9 | FORCE_PID=1234 LD_PRELOAD=./getpid.so bash | ||
10 | |||
11 | # | ||
12 | # Copyright (C) 2001-2008 Kees Cook | ||
13 | # kees@outflux.net, http://outflux.net/ | ||
14 | # | ||
15 | # This program is free software; you can redistribute it and/or | ||
16 | # modify it under the terms of the GNU General Public License | ||
17 | # as published by the Free Software Foundation; either version 2 | ||
18 | # of the License, or (at your option) any later version. | ||
19 | # | ||
20 | # This program is distributed in the hope that it will be useful, | ||
21 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
22 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
23 | # GNU General Public License for more details. | ||
24 | # | ||
25 | # You should have received a copy of the GNU General Public License | ||
26 | # along with this program; if not, write to the Free Software | ||
27 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | ||
28 | # http://www.gnu.org/copyleft/gpl.html | ||
29 | |||
30 | */ | ||
31 | |||
32 | #include <sys/types.h> | ||
33 | #include <unistd.h> | ||
34 | #include <stdlib.h> | ||
35 | |||
36 | pid_t getpid(void) | ||
37 | { | ||
38 | return atoi(getenv("FORCE_PID")); | ||
39 | } | ||
diff --git a/debian/tests/keygen-test b/debian/tests/keygen-test new file mode 100755 index 000000000..02b7c761a --- /dev/null +++ b/debian/tests/keygen-test | |||
@@ -0,0 +1,12 @@ | |||
1 | #! /bin/sh | ||
2 | |||
3 | rm -f key1 key1.pub key2 key2.pub | ||
4 | LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \ | ||
5 | ../../build-deb/ssh-keygen -N '' -f key1 >/dev/null | ||
6 | LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \ | ||
7 | ../../build-deb/ssh-keygen -N '' -f key2 >/dev/null | ||
8 | if cmp -s key1 key2; then | ||
9 | echo "Generated two identical keys!" >&2 | ||
10 | exit 1 | ||
11 | fi | ||
12 | exit 0 | ||
diff --git a/debian/watch b/debian/watch new file mode 100644 index 000000000..6ffdc3708 --- /dev/null +++ b/debian/watch | |||
@@ -0,0 +1,3 @@ | |||
1 | version=2 | ||
2 | ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-(.*)\.tar\.gz \ | ||
3 | debian uupdate | ||
@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
176 | { | 176 | { |
177 | u_int counter; | 177 | u_int counter; |
178 | int result; | 178 | int result; |
179 | unsigned int rrset_flags = 0; | ||
179 | struct rrsetinfo *fingerprints = NULL; | 180 | struct rrsetinfo *fingerprints = NULL; |
180 | 181 | ||
181 | u_int8_t hostkey_algorithm; | 182 | u_int8_t hostkey_algorithm; |
@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | |||
199 | return -1; | 200 | return -1; |
200 | } | 201 | } |
201 | 202 | ||
203 | /* | ||
204 | * Original getrrsetbyname function, found on OpenBSD for example, | ||
205 | * doesn't accept any flag and prerequisite for obtaining AD bit in | ||
206 | * DNS response is set by "options edns0" in resolv.conf. | ||
207 | * | ||
208 | * Our version is more clever and use RRSET_FORCE_EDNS0 flag. | ||
209 | */ | ||
210 | #ifndef HAVE_GETRRSETBYNAME | ||
211 | rrset_flags |= RRSET_FORCE_EDNS0; | ||
212 | #endif | ||
202 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, | 213 | result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, |
203 | DNS_RDATATYPE_SSHFP, 0, &fingerprints); | 214 | DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); |
215 | |||
204 | if (result) { | 216 | if (result) { |
205 | verbose("DNS lookup error: %s", dns_result_totext(result)); | 217 | verbose("DNS lookup error: %s", dns_result_totext(result)); |
206 | return -1; | 218 | return -1; |
@@ -90,6 +90,7 @@ static struct { | |||
90 | LogLevel val; | 90 | LogLevel val; |
91 | } log_levels[] = | 91 | } log_levels[] = |
92 | { | 92 | { |
93 | { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */ | ||
93 | { "QUIET", SYSLOG_LEVEL_QUIET }, | 94 | { "QUIET", SYSLOG_LEVEL_QUIET }, |
94 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 95 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
95 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 96 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
@@ -21,7 +21,7 @@ | |||
21 | .Nd Diffie Hellman moduli | 21 | .Nd Diffie Hellman moduli |
22 | .Sh DESCRIPTION | 22 | .Sh DESCRIPTION |
23 | The | 23 | The |
24 | .Pa /etc/moduli | 24 | .Pa /etc/ssh/moduli |
25 | file contains prime numbers and generators for use by | 25 | file contains prime numbers and generators for use by |
26 | .Xr sshd 8 | 26 | .Xr sshd 8 |
27 | in the Diffie-Hellman Group Exchange key exchange method. | 27 | in the Diffie-Hellman Group Exchange key exchange method. |
@@ -111,7 +111,7 @@ first estimates the size of the modulus required to produce enough | |||
111 | Diffie Hellman output to sufficiently key the selected symmetric cipher. | 111 | Diffie Hellman output to sufficiently key the selected symmetric cipher. |
112 | .Xr sshd 8 | 112 | .Xr sshd 8 |
113 | then randomly selects a modulus from | 113 | then randomly selects a modulus from |
114 | .Fa /etc/moduli | 114 | .Fa /etc/ssh/moduli |
115 | that best meets the size requirement. | 115 | that best meets the size requirement. |
116 | .Pp | 116 | .Pp |
117 | .Sh SEE ALSO | 117 | .Sh SEE ALSO |
@@ -137,6 +137,7 @@ int mm_answer_sign(int, Buffer *); | |||
137 | int mm_answer_pwnamallow(int, Buffer *); | 137 | int mm_answer_pwnamallow(int, Buffer *); |
138 | int mm_answer_auth2_read_banner(int, Buffer *); | 138 | int mm_answer_auth2_read_banner(int, Buffer *); |
139 | int mm_answer_authserv(int, Buffer *); | 139 | int mm_answer_authserv(int, Buffer *); |
140 | int mm_answer_authrole(int, Buffer *); | ||
140 | int mm_answer_authpassword(int, Buffer *); | 141 | int mm_answer_authpassword(int, Buffer *); |
141 | int mm_answer_bsdauthquery(int, Buffer *); | 142 | int mm_answer_bsdauthquery(int, Buffer *); |
142 | int mm_answer_bsdauthrespond(int, Buffer *); | 143 | int mm_answer_bsdauthrespond(int, Buffer *); |
@@ -215,6 +216,7 @@ struct mon_table mon_dispatch_proto20[] = { | |||
215 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 216 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
216 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 217 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
217 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 218 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
219 | {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, | ||
218 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 220 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
219 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 221 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
220 | #ifdef USE_PAM | 222 | #ifdef USE_PAM |
@@ -699,6 +701,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | |||
699 | else { | 701 | else { |
700 | /* Allow service/style information on the auth context */ | 702 | /* Allow service/style information on the auth context */ |
701 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 703 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
704 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); | ||
702 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 705 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
703 | } | 706 | } |
704 | 707 | ||
@@ -732,14 +735,37 @@ mm_answer_authserv(int sock, Buffer *m) | |||
732 | 735 | ||
733 | authctxt->service = buffer_get_string(m, NULL); | 736 | authctxt->service = buffer_get_string(m, NULL); |
734 | authctxt->style = buffer_get_string(m, NULL); | 737 | authctxt->style = buffer_get_string(m, NULL); |
735 | debug3("%s: service=%s, style=%s", | 738 | authctxt->role = buffer_get_string(m, NULL); |
736 | __func__, authctxt->service, authctxt->style); | 739 | debug3("%s: service=%s, style=%s, role=%s", |
740 | __func__, authctxt->service, authctxt->style, authctxt->role); | ||
737 | 741 | ||
738 | if (strlen(authctxt->style) == 0) { | 742 | if (strlen(authctxt->style) == 0) { |
739 | xfree(authctxt->style); | 743 | xfree(authctxt->style); |
740 | authctxt->style = NULL; | 744 | authctxt->style = NULL; |
741 | } | 745 | } |
742 | 746 | ||
747 | if (strlen(authctxt->role) == 0) { | ||
748 | xfree(authctxt->role); | ||
749 | authctxt->role = NULL; | ||
750 | } | ||
751 | |||
752 | return (0); | ||
753 | } | ||
754 | |||
755 | int | ||
756 | mm_answer_authrole(int sock, Buffer *m) | ||
757 | { | ||
758 | monitor_permit_authentications(1); | ||
759 | |||
760 | authctxt->role = buffer_get_string(m, NULL); | ||
761 | debug3("%s: role=%s", | ||
762 | __func__, authctxt->role); | ||
763 | |||
764 | if (strlen(authctxt->role) == 0) { | ||
765 | xfree(authctxt->role); | ||
766 | authctxt->role = NULL; | ||
767 | } | ||
768 | |||
743 | return (0); | 769 | return (0); |
744 | } | 770 | } |
745 | 771 | ||
@@ -30,7 +30,7 @@ | |||
30 | 30 | ||
31 | enum monitor_reqtype { | 31 | enum monitor_reqtype { |
32 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, | 32 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, |
33 | MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, | 33 | MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, |
34 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, | 34 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, |
35 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, | 35 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, |
36 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, | 36 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, |
diff --git a/monitor_wrap.c b/monitor_wrap.c index a01500c81..24b54e4a4 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -279,10 +279,10 @@ mm_auth2_read_banner(void) | |||
279 | return (banner); | 279 | return (banner); |
280 | } | 280 | } |
281 | 281 | ||
282 | /* Inform the privileged process about service and style */ | 282 | /* Inform the privileged process about service, style, and role */ |
283 | 283 | ||
284 | void | 284 | void |
285 | mm_inform_authserv(char *service, char *style) | 285 | mm_inform_authserv(char *service, char *style, char *role) |
286 | { | 286 | { |
287 | Buffer m; | 287 | Buffer m; |
288 | 288 | ||
@@ -291,12 +291,30 @@ mm_inform_authserv(char *service, char *style) | |||
291 | buffer_init(&m); | 291 | buffer_init(&m); |
292 | buffer_put_cstring(&m, service); | 292 | buffer_put_cstring(&m, service); |
293 | buffer_put_cstring(&m, style ? style : ""); | 293 | buffer_put_cstring(&m, style ? style : ""); |
294 | buffer_put_cstring(&m, role ? role : ""); | ||
294 | 295 | ||
295 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); | 296 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); |
296 | 297 | ||
297 | buffer_free(&m); | 298 | buffer_free(&m); |
298 | } | 299 | } |
299 | 300 | ||
301 | /* Inform the privileged process about role */ | ||
302 | |||
303 | void | ||
304 | mm_inform_authrole(char *role) | ||
305 | { | ||
306 | Buffer m; | ||
307 | |||
308 | debug3("%s entering", __func__); | ||
309 | |||
310 | buffer_init(&m); | ||
311 | buffer_put_cstring(&m, role ? role : ""); | ||
312 | |||
313 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); | ||
314 | |||
315 | buffer_free(&m); | ||
316 | } | ||
317 | |||
300 | /* Do the password authentication */ | 318 | /* Do the password authentication */ |
301 | int | 319 | int |
302 | mm_auth_password(Authctxt *authctxt, char *password) | 320 | mm_auth_password(Authctxt *authctxt, char *password) |
diff --git a/monitor_wrap.h b/monitor_wrap.h index 432953fbf..d2dad84aa 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h | |||
@@ -40,7 +40,8 @@ struct Authctxt; | |||
40 | int mm_is_monitor(void); | 40 | int mm_is_monitor(void); |
41 | DH *mm_choose_dh(int, int, int); | 41 | DH *mm_choose_dh(int, int, int); |
42 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); | 42 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
43 | void mm_inform_authserv(char *, char *); | 43 | void mm_inform_authserv(char *, char *, char *); |
44 | void mm_inform_authrole(char *); | ||
44 | struct passwd *mm_getpwnamallow(const char *); | 45 | struct passwd *mm_getpwnamallow(const char *); |
45 | char *mm_auth2_read_banner(void); | 46 | char *mm_auth2_read_banner(void); |
46 | int mm_auth_password(struct Authctxt *, char *); | 47 | int mm_auth_password(struct Authctxt *, char *); |
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 98876673d..011821198 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c | |||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
209 | goto fail; | 209 | goto fail; |
210 | } | 210 | } |
211 | 211 | ||
212 | /* don't allow flags yet, unimplemented */ | 212 | /* Allow RRSET_FORCE_EDNS0 flag only. */ |
213 | if (flags) { | 213 | if ((flags & !RRSET_FORCE_EDNS0) != 0) { |
214 | result = ERRSET_INVAL; | 214 | result = ERRSET_INVAL; |
215 | goto fail; | 215 | goto fail; |
216 | } | 216 | } |
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
226 | #endif /* DEBUG */ | 226 | #endif /* DEBUG */ |
227 | 227 | ||
228 | #ifdef RES_USE_DNSSEC | 228 | #ifdef RES_USE_DNSSEC |
229 | /* turn on DNSSEC if EDNS0 is configured */ | 229 | /* turn on DNSSEC if required */ |
230 | if (_resp->options & RES_USE_EDNS0) | 230 | if (flags & RRSET_FORCE_EDNS0) |
231 | _resp->options |= RES_USE_DNSSEC; | 231 | _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); |
232 | #endif /* RES_USE_DNSEC */ | 232 | #endif /* RES_USE_DNSEC */ |
233 | 233 | ||
234 | /* make query */ | 234 | /* make query */ |
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h | |||
@@ -72,6 +72,9 @@ | |||
72 | #ifndef RRSET_VALIDATED | 72 | #ifndef RRSET_VALIDATED |
73 | # define RRSET_VALIDATED 1 | 73 | # define RRSET_VALIDATED 1 |
74 | #endif | 74 | #endif |
75 | #ifndef RRSET_FORCE_EDNS0 | ||
76 | # define RRSET_FORCE_EDNS0 0x0001 | ||
77 | #endif | ||
75 | 78 | ||
76 | /* | 79 | /* |
77 | * Return codes for getrrsetbyname() | 80 | * Return codes for getrrsetbyname() |
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 89b9a7340..c0ac9065e 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
@@ -29,6 +29,12 @@ | |||
29 | #include <string.h> | 29 | #include <string.h> |
30 | #include <stdio.h> | 30 | #include <stdio.h> |
31 | 31 | ||
32 | #ifdef WITH_SELINUX | ||
33 | #include "key.h" | ||
34 | #include "hostfile.h" | ||
35 | #include "auth.h" | ||
36 | #endif | ||
37 | |||
32 | #include "log.h" | 38 | #include "log.h" |
33 | #include "xmalloc.h" | 39 | #include "xmalloc.h" |
34 | #include "port-linux.h" | 40 | #include "port-linux.h" |
@@ -38,6 +44,8 @@ | |||
38 | #include <selinux/flask.h> | 44 | #include <selinux/flask.h> |
39 | #include <selinux/get_context_list.h> | 45 | #include <selinux/get_context_list.h> |
40 | 46 | ||
47 | extern Authctxt *the_authctxt; | ||
48 | |||
41 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | 49 | /* Wrapper around is_selinux_enabled() to log its return value once only */ |
42 | int | 50 | int |
43 | ssh_selinux_enabled(void) | 51 | ssh_selinux_enabled(void) |
@@ -56,8 +64,8 @@ ssh_selinux_enabled(void) | |||
56 | static security_context_t | 64 | static security_context_t |
57 | ssh_selinux_getctxbyname(char *pwname) | 65 | ssh_selinux_getctxbyname(char *pwname) |
58 | { | 66 | { |
59 | security_context_t sc; | 67 | security_context_t sc = NULL; |
60 | char *sename = NULL, *lvl = NULL; | 68 | char *sename = NULL, *role = NULL, *lvl = NULL; |
61 | int r; | 69 | int r; |
62 | 70 | ||
63 | #ifdef HAVE_GETSEUSERBYNAME | 71 | #ifdef HAVE_GETSEUSERBYNAME |
@@ -67,11 +75,20 @@ ssh_selinux_getctxbyname(char *pwname) | |||
67 | sename = pwname; | 75 | sename = pwname; |
68 | lvl = NULL; | 76 | lvl = NULL; |
69 | #endif | 77 | #endif |
78 | if (the_authctxt) | ||
79 | role = the_authctxt->role; | ||
70 | 80 | ||
71 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 81 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
72 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | 82 | if (role != NULL && role[0]) |
83 | r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
84 | &sc); | ||
85 | else | ||
86 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
73 | #else | 87 | #else |
74 | r = get_default_context(sename, NULL, &sc); | 88 | if (role != NULL && role[0]) |
89 | r = get_default_context_with_role(sename, role, NULL, &sc); | ||
90 | else | ||
91 | r = get_default_context(sename, NULL, &sc); | ||
75 | #endif | 92 | #endif |
76 | 93 | ||
77 | if (r != 0) { | 94 | if (r != 0) { |
diff --git a/pathnames.h b/pathnames.h index 9e50950fe..9cef1299f 100644 --- a/pathnames.h +++ b/pathnames.h | |||
@@ -18,6 +18,10 @@ | |||
18 | #define SSHDIR ETCDIR "/ssh" | 18 | #define SSHDIR ETCDIR "/ssh" |
19 | #endif | 19 | #endif |
20 | 20 | ||
21 | #ifndef _PATH_SSH_DATADIR | ||
22 | #define _PATH_SSH_DATADIR "/usr/share/ssh" | ||
23 | #endif | ||
24 | |||
21 | #ifndef _PATH_SSH_PIDDIR | 25 | #ifndef _PATH_SSH_PIDDIR |
22 | #define _PATH_SSH_PIDDIR "/var/run" | 26 | #define _PATH_SSH_PIDDIR "/var/run" |
23 | #endif | 27 | #endif |
@@ -43,6 +47,9 @@ | |||
43 | /* Backwards compatibility */ | 47 | /* Backwards compatibility */ |
44 | #define _PATH_DH_PRIMES SSHDIR "/primes" | 48 | #define _PATH_DH_PRIMES SSHDIR "/primes" |
45 | 49 | ||
50 | #define _PATH_BLACKLIST _PATH_SSH_DATADIR "/blacklist" | ||
51 | #define _PATH_BLACKLIST_CONFIG SSHDIR "/blacklist" | ||
52 | |||
46 | #ifndef _PATH_SSH_PROGRAM | 53 | #ifndef _PATH_SSH_PROGRAM |
47 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" | 54 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" |
48 | #endif | 55 | #endif |
diff --git a/readconf.c b/readconf.c index 9d1ee55fa..487c3399b 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -28,6 +28,8 @@ | |||
28 | #include <stdio.h> | 28 | #include <stdio.h> |
29 | #include <string.h> | 29 | #include <string.h> |
30 | #include <unistd.h> | 30 | #include <unistd.h> |
31 | #include <pwd.h> | ||
32 | #include <grp.h> | ||
31 | 33 | ||
32 | #include "xmalloc.h" | 34 | #include "xmalloc.h" |
33 | #include "ssh.h" | 35 | #include "ssh.h" |
@@ -123,6 +125,7 @@ typedef enum { | |||
123 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | 125 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, |
124 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | 126 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, |
125 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | 127 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, |
128 | oUseBlacklistedKeys, | ||
126 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | 129 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, |
127 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 130 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
128 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 131 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
@@ -132,6 +135,7 @@ typedef enum { | |||
132 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | 135 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, |
133 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | 136 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, |
134 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, | 137 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, |
138 | oProtocolKeepAlives, oSetupTimeOut, | ||
135 | oDeprecated, oUnsupported | 139 | oDeprecated, oUnsupported |
136 | } OpCodes; | 140 | } OpCodes; |
137 | 141 | ||
@@ -152,6 +156,7 @@ static struct { | |||
152 | { "passwordauthentication", oPasswordAuthentication }, | 156 | { "passwordauthentication", oPasswordAuthentication }, |
153 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 157 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
154 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 158 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
159 | { "useblacklistedkeys", oUseBlacklistedKeys }, | ||
155 | { "rsaauthentication", oRSAAuthentication }, | 160 | { "rsaauthentication", oRSAAuthentication }, |
156 | { "pubkeyauthentication", oPubkeyAuthentication }, | 161 | { "pubkeyauthentication", oPubkeyAuthentication }, |
157 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 162 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
@@ -246,6 +251,8 @@ static struct { | |||
246 | #else | 251 | #else |
247 | { "zeroknowledgepasswordauthentication", oUnsupported }, | 252 | { "zeroknowledgepasswordauthentication", oUnsupported }, |
248 | #endif | 253 | #endif |
254 | { "protocolkeepalives", oProtocolKeepAlives }, | ||
255 | { "setuptimeout", oSetupTimeOut }, | ||
249 | 256 | ||
250 | { NULL, oBadOption } | 257 | { NULL, oBadOption } |
251 | }; | 258 | }; |
@@ -461,6 +468,10 @@ parse_flag: | |||
461 | intptr = &options->challenge_response_authentication; | 468 | intptr = &options->challenge_response_authentication; |
462 | goto parse_flag; | 469 | goto parse_flag; |
463 | 470 | ||
471 | case oUseBlacklistedKeys: | ||
472 | intptr = &options->use_blacklisted_keys; | ||
473 | goto parse_flag; | ||
474 | |||
464 | case oGssAuthentication: | 475 | case oGssAuthentication: |
465 | intptr = &options->gss_authentication; | 476 | intptr = &options->gss_authentication; |
466 | goto parse_flag; | 477 | goto parse_flag; |
@@ -841,6 +852,8 @@ parse_int: | |||
841 | goto parse_flag; | 852 | goto parse_flag; |
842 | 853 | ||
843 | case oServerAliveInterval: | 854 | case oServerAliveInterval: |
855 | case oProtocolKeepAlives: /* Debian-specific compatibility alias */ | ||
856 | case oSetupTimeOut: /* Debian-specific compatibility alias */ | ||
844 | intptr = &options->server_alive_interval; | 857 | intptr = &options->server_alive_interval; |
845 | goto parse_time; | 858 | goto parse_time; |
846 | 859 | ||
@@ -989,11 +1002,30 @@ read_config_file(const char *filename, const char *host, Options *options, | |||
989 | 1002 | ||
990 | if (checkperm) { | 1003 | if (checkperm) { |
991 | struct stat sb; | 1004 | struct stat sb; |
1005 | int bad_modes = 0; | ||
992 | 1006 | ||
993 | if (fstat(fileno(f), &sb) == -1) | 1007 | if (fstat(fileno(f), &sb) == -1) |
994 | fatal("fstat %s: %s", filename, strerror(errno)); | 1008 | fatal("fstat %s: %s", filename, strerror(errno)); |
995 | if (((sb.st_uid != 0 && sb.st_uid != getuid()) || | 1009 | if (sb.st_uid != 0 && sb.st_uid != getuid()) |
996 | (sb.st_mode & 022) != 0)) | 1010 | bad_modes = 1; |
1011 | if ((sb.st_mode & 020) != 0) { | ||
1012 | /* If the file is group-writable, the group in | ||
1013 | * question must have at most one member, namely the | ||
1014 | * file's owner. | ||
1015 | */ | ||
1016 | struct passwd *pw = getpwuid(sb.st_uid); | ||
1017 | struct group *gr = getgrgid(sb.st_gid); | ||
1018 | if (!pw || !gr) | ||
1019 | bad_modes = 1; | ||
1020 | else if (gr->gr_mem[0]) { | ||
1021 | if (strcmp(pw->pw_name, gr->gr_mem[0]) || | ||
1022 | gr->gr_mem[1]) | ||
1023 | bad_modes = 1; | ||
1024 | } | ||
1025 | } | ||
1026 | if ((sb.st_mode & 002) != 0) | ||
1027 | bad_modes = 1; | ||
1028 | if (bad_modes) | ||
997 | fatal("Bad owner or permissions on %s", filename); | 1029 | fatal("Bad owner or permissions on %s", filename); |
998 | } | 1030 | } |
999 | 1031 | ||
@@ -1050,6 +1082,7 @@ initialize_options(Options * options) | |||
1050 | options->kbd_interactive_devices = NULL; | 1082 | options->kbd_interactive_devices = NULL; |
1051 | options->rhosts_rsa_authentication = -1; | 1083 | options->rhosts_rsa_authentication = -1; |
1052 | options->hostbased_authentication = -1; | 1084 | options->hostbased_authentication = -1; |
1085 | options->use_blacklisted_keys = -1; | ||
1053 | options->batch_mode = -1; | 1086 | options->batch_mode = -1; |
1054 | options->check_host_ip = -1; | 1087 | options->check_host_ip = -1; |
1055 | options->strict_host_key_checking = -1; | 1088 | options->strict_host_key_checking = -1; |
@@ -1119,7 +1152,7 @@ fill_default_options(Options * options) | |||
1119 | if (options->forward_x11 == -1) | 1152 | if (options->forward_x11 == -1) |
1120 | options->forward_x11 = 0; | 1153 | options->forward_x11 = 0; |
1121 | if (options->forward_x11_trusted == -1) | 1154 | if (options->forward_x11_trusted == -1) |
1122 | options->forward_x11_trusted = 0; | 1155 | options->forward_x11_trusted = 1; |
1123 | if (options->exit_on_forward_failure == -1) | 1156 | if (options->exit_on_forward_failure == -1) |
1124 | options->exit_on_forward_failure = 0; | 1157 | options->exit_on_forward_failure = 0; |
1125 | if (options->xauth_location == NULL) | 1158 | if (options->xauth_location == NULL) |
@@ -1152,6 +1185,8 @@ fill_default_options(Options * options) | |||
1152 | options->rhosts_rsa_authentication = 0; | 1185 | options->rhosts_rsa_authentication = 0; |
1153 | if (options->hostbased_authentication == -1) | 1186 | if (options->hostbased_authentication == -1) |
1154 | options->hostbased_authentication = 0; | 1187 | options->hostbased_authentication = 0; |
1188 | if (options->use_blacklisted_keys == -1) | ||
1189 | options->use_blacklisted_keys = 0; | ||
1155 | if (options->batch_mode == -1) | 1190 | if (options->batch_mode == -1) |
1156 | options->batch_mode = 0; | 1191 | options->batch_mode = 0; |
1157 | if (options->check_host_ip == -1) | 1192 | if (options->check_host_ip == -1) |
@@ -1226,8 +1261,13 @@ fill_default_options(Options * options) | |||
1226 | options->rekey_limit = 0; | 1261 | options->rekey_limit = 0; |
1227 | if (options->verify_host_key_dns == -1) | 1262 | if (options->verify_host_key_dns == -1) |
1228 | options->verify_host_key_dns = 0; | 1263 | options->verify_host_key_dns = 0; |
1229 | if (options->server_alive_interval == -1) | 1264 | if (options->server_alive_interval == -1) { |
1230 | options->server_alive_interval = 0; | 1265 | /* in batch mode, default is 5mins */ |
1266 | if (options->batch_mode == 1) | ||
1267 | options->server_alive_interval = 300; | ||
1268 | else | ||
1269 | options->server_alive_interval = 0; | ||
1270 | } | ||
1231 | if (options->server_alive_count_max == -1) | 1271 | if (options->server_alive_count_max == -1) |
1232 | options->server_alive_count_max = 3; | 1272 | options->server_alive_count_max = 3; |
1233 | if (options->control_master == -1) | 1273 | if (options->control_master == -1) |
diff --git a/readconf.h b/readconf.h index fd31bd40f..24762e71c 100644 --- a/readconf.h +++ b/readconf.h | |||
@@ -54,6 +54,7 @@ typedef struct { | |||
54 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 54 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
55 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 55 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
56 | int zero_knowledge_password_authentication; /* Try jpake */ | 56 | int zero_knowledge_password_authentication; /* Try jpake */ |
57 | int use_blacklisted_keys; /* If true, send */ | ||
57 | int batch_mode; /* Batch mode: do not ask for passwords. */ | 58 | int batch_mode; /* Batch mode: do not ask for passwords. */ |
58 | int check_host_ip; /* Also keep track of keys for IP address */ | 59 | int check_host_ip; /* Also keep track of keys for IP address */ |
59 | int strict_host_key_checking; /* Strict host key checking. */ | 60 | int strict_host_key_checking; /* Strict host key checking. */ |
@@ -168,8 +168,16 @@ do_local_cmd(arglist *a) | |||
168 | 168 | ||
169 | if (verbose_mode) { | 169 | if (verbose_mode) { |
170 | fprintf(stderr, "Executing:"); | 170 | fprintf(stderr, "Executing:"); |
171 | for (i = 0; i < a->num; i++) | 171 | for (i = 0; i < a->num; i++) { |
172 | fprintf(stderr, " %s", a->list[i]); | 172 | if (i == 0) |
173 | fprintf(stderr, " %s", a->list[i]); | ||
174 | else | ||
175 | /* | ||
176 | * TODO: misbehaves if a->list[i] contains a | ||
177 | * single quote | ||
178 | */ | ||
179 | fprintf(stderr, " '%s'", a->list[i]); | ||
180 | } | ||
173 | fprintf(stderr, "\n"); | 181 | fprintf(stderr, "\n"); |
174 | } | 182 | } |
175 | if ((pid = fork()) == -1) | 183 | if ((pid = fork()) == -1) |
diff --git a/servconf.c b/servconf.c index 73e47eacf..d42dd527b 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -100,6 +100,7 @@ initialize_server_options(ServerOptions *options) | |||
100 | options->password_authentication = -1; | 100 | options->password_authentication = -1; |
101 | options->kbd_interactive_authentication = -1; | 101 | options->kbd_interactive_authentication = -1; |
102 | options->challenge_response_authentication = -1; | 102 | options->challenge_response_authentication = -1; |
103 | options->permit_blacklisted_keys = -1; | ||
103 | options->permit_empty_passwd = -1; | 104 | options->permit_empty_passwd = -1; |
104 | options->permit_user_env = -1; | 105 | options->permit_user_env = -1; |
105 | options->use_login = -1; | 106 | options->use_login = -1; |
@@ -134,6 +135,7 @@ initialize_server_options(ServerOptions *options) | |||
134 | options->zero_knowledge_password_authentication = -1; | 135 | options->zero_knowledge_password_authentication = -1; |
135 | options->revoked_keys_file = NULL; | 136 | options->revoked_keys_file = NULL; |
136 | options->trusted_user_ca_keys = NULL; | 137 | options->trusted_user_ca_keys = NULL; |
138 | options->debian_banner = -1; | ||
137 | } | 139 | } |
138 | 140 | ||
139 | void | 141 | void |
@@ -231,6 +233,8 @@ fill_default_server_options(ServerOptions *options) | |||
231 | options->kbd_interactive_authentication = 0; | 233 | options->kbd_interactive_authentication = 0; |
232 | if (options->challenge_response_authentication == -1) | 234 | if (options->challenge_response_authentication == -1) |
233 | options->challenge_response_authentication = 1; | 235 | options->challenge_response_authentication = 1; |
236 | if (options->permit_blacklisted_keys == -1) | ||
237 | options->permit_blacklisted_keys = 0; | ||
234 | if (options->permit_empty_passwd == -1) | 238 | if (options->permit_empty_passwd == -1) |
235 | options->permit_empty_passwd = 0; | 239 | options->permit_empty_passwd = 0; |
236 | if (options->permit_user_env == -1) | 240 | if (options->permit_user_env == -1) |
@@ -274,6 +278,8 @@ fill_default_server_options(ServerOptions *options) | |||
274 | options->permit_tun = SSH_TUNMODE_NO; | 278 | options->permit_tun = SSH_TUNMODE_NO; |
275 | if (options->zero_knowledge_password_authentication == -1) | 279 | if (options->zero_knowledge_password_authentication == -1) |
276 | options->zero_knowledge_password_authentication = 0; | 280 | options->zero_knowledge_password_authentication = 0; |
281 | if (options->debian_banner == -1) | ||
282 | options->debian_banner = 1; | ||
277 | 283 | ||
278 | /* Turn privilege separation on by default */ | 284 | /* Turn privilege separation on by default */ |
279 | if (use_privsep == -1) | 285 | if (use_privsep == -1) |
@@ -306,7 +312,7 @@ typedef enum { | |||
306 | sListenAddress, sAddressFamily, | 312 | sListenAddress, sAddressFamily, |
307 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 313 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
308 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 314 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
309 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 315 | sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, |
310 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 316 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
311 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 317 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
312 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 318 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
@@ -322,6 +328,7 @@ typedef enum { | |||
322 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 328 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
323 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 329 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
324 | sRevokedKeys, sTrustedUserCAKeys, | 330 | sRevokedKeys, sTrustedUserCAKeys, |
331 | sDebianBanner, | ||
325 | sDeprecated, sUnsupported | 332 | sDeprecated, sUnsupported |
326 | } ServerOpCodes; | 333 | } ServerOpCodes; |
327 | 334 | ||
@@ -380,16 +387,20 @@ static struct { | |||
380 | #ifdef GSSAPI | 387 | #ifdef GSSAPI |
381 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 388 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
382 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 389 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
390 | { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, | ||
383 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, | 391 | { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, |
384 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, | 392 | { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, |
385 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, | 393 | { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, |
386 | #else | 394 | #else |
387 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, | 395 | { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, |
388 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, | 396 | { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, |
397 | { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, | ||
389 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, | 398 | { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, |
390 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, | 399 | { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, |
391 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, | 400 | { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, |
392 | #endif | 401 | #endif |
402 | { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, | ||
403 | { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, | ||
393 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 404 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
394 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 405 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
395 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 406 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
@@ -411,6 +422,7 @@ static struct { | |||
411 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 422 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
412 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 423 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
413 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 424 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
425 | { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }, | ||
414 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 426 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
415 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 427 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
416 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 428 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
@@ -449,6 +461,7 @@ static struct { | |||
449 | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, | 461 | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, |
450 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | 462 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
451 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | 463 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
464 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | ||
452 | { NULL, sBadOption, 0 } | 465 | { NULL, sBadOption, 0 } |
453 | }; | 466 | }; |
454 | 467 | ||
@@ -1005,6 +1018,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1005 | intptr = &options->tcp_keep_alive; | 1018 | intptr = &options->tcp_keep_alive; |
1006 | goto parse_flag; | 1019 | goto parse_flag; |
1007 | 1020 | ||
1021 | case sPermitBlacklistedKeys: | ||
1022 | intptr = &options->permit_blacklisted_keys; | ||
1023 | goto parse_flag; | ||
1024 | |||
1008 | case sEmptyPasswd: | 1025 | case sEmptyPasswd: |
1009 | intptr = &options->permit_empty_passwd; | 1026 | intptr = &options->permit_empty_passwd; |
1010 | goto parse_flag; | 1027 | goto parse_flag; |
@@ -1374,6 +1391,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1374 | charptr = &options->revoked_keys_file; | 1391 | charptr = &options->revoked_keys_file; |
1375 | goto parse_filename; | 1392 | goto parse_filename; |
1376 | 1393 | ||
1394 | case sDebianBanner: | ||
1395 | intptr = &options->debian_banner; | ||
1396 | goto parse_int; | ||
1397 | |||
1377 | case sDeprecated: | 1398 | case sDeprecated: |
1378 | logit("%s line %d: Deprecated option %s", | 1399 | logit("%s line %d: Deprecated option %s", |
1379 | filename, linenum, arg); | 1400 | filename, linenum, arg); |
@@ -1673,7 +1694,10 @@ dump_config(ServerOptions *o) | |||
1673 | #endif | 1694 | #endif |
1674 | #ifdef GSSAPI | 1695 | #ifdef GSSAPI |
1675 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 1696 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
1697 | dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); | ||
1676 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | 1698 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
1699 | dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); | ||
1700 | dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); | ||
1677 | #endif | 1701 | #endif |
1678 | #ifdef JPAKE | 1702 | #ifdef JPAKE |
1679 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, | 1703 | dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, |
@@ -1690,6 +1714,7 @@ dump_config(ServerOptions *o) | |||
1690 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 1714 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
1691 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 1715 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
1692 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 1716 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
1717 | dump_cfg_fmtint(sPermitBlacklistedKeys, o->permit_blacklisted_keys); | ||
1693 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | 1718 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); |
1694 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | 1719 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); |
1695 | dump_cfg_fmtint(sUseLogin, o->use_login); | 1720 | dump_cfg_fmtint(sUseLogin, o->use_login); |
diff --git a/servconf.h b/servconf.h index 083789334..4f20ad595 100644 --- a/servconf.h +++ b/servconf.h | |||
@@ -104,6 +104,7 @@ typedef struct { | |||
104 | int challenge_response_authentication; | 104 | int challenge_response_authentication; |
105 | int zero_knowledge_password_authentication; | 105 | int zero_knowledge_password_authentication; |
106 | /* If true, permit jpake auth */ | 106 | /* If true, permit jpake auth */ |
107 | int permit_blacklisted_keys; /* If true, permit */ | ||
107 | int permit_empty_passwd; /* If false, do not permit empty | 108 | int permit_empty_passwd; /* If false, do not permit empty |
108 | * passwords. */ | 109 | * passwords. */ |
109 | int permit_user_env; /* If true, read ~/.ssh/environment */ | 110 | int permit_user_env; /* If true, read ~/.ssh/environment */ |
@@ -156,6 +157,8 @@ typedef struct { | |||
156 | 157 | ||
157 | int num_permitted_opens; | 158 | int num_permitted_opens; |
158 | 159 | ||
160 | int debian_banner; | ||
161 | |||
159 | char *chroot_directory; | 162 | char *chroot_directory; |
160 | char *revoked_keys_file; | 163 | char *revoked_keys_file; |
161 | char *trusted_user_ca_keys; | 164 | char *trusted_user_ca_keys; |
diff --git a/serverloop.c b/serverloop.c index 8be01c5c3..db3c2514f 100644 --- a/serverloop.c +++ b/serverloop.c | |||
@@ -680,7 +680,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) | |||
680 | if (!channel_still_open()) | 680 | if (!channel_still_open()) |
681 | break; | 681 | break; |
682 | if (!waiting_termination) { | 682 | if (!waiting_termination) { |
683 | const char *s = "Waiting for forwarded connections to terminate...\r\n"; | 683 | const char *s = "Waiting for forwarded connections to terminate... (press ~& to background)\r\n"; |
684 | char *cp; | 684 | char *cp; |
685 | waiting_termination = 1; | 685 | waiting_termination = 1; |
686 | buffer_append(&stderr_buffer, s, strlen(s)); | 686 | buffer_append(&stderr_buffer, s, strlen(s)); |
@@ -82,6 +82,10 @@ environment variable must contain the name of its socket for | |||
82 | .Nm | 82 | .Nm |
83 | to work. | 83 | to work. |
84 | .Pp | 84 | .Pp |
85 | Any keys recorded in the blacklist of known-compromised keys (see | ||
86 | .Xr ssh-vulnkey 1 ) | ||
87 | will be refused. | ||
88 | .Pp | ||
85 | The options are as follows: | 89 | The options are as follows: |
86 | .Bl -tag -width Ds | 90 | .Bl -tag -width Ds |
87 | .It Fl c | 91 | .It Fl c |
@@ -182,6 +186,7 @@ is unable to contact the authentication agent. | |||
182 | .Xr ssh 1 , | 186 | .Xr ssh 1 , |
183 | .Xr ssh-agent 1 , | 187 | .Xr ssh-agent 1 , |
184 | .Xr ssh-keygen 1 , | 188 | .Xr ssh-keygen 1 , |
189 | .Xr ssh-vulnkey 1 , | ||
185 | .Xr sshd 8 | 190 | .Xr sshd 8 |
186 | .Sh AUTHORS | 191 | .Sh AUTHORS |
187 | OpenSSH is a derivative of the original and free | 192 | OpenSSH is a derivative of the original and free |
@@ -139,7 +139,7 @@ static int | |||
139 | add_file(AuthenticationConnection *ac, const char *filename) | 139 | add_file(AuthenticationConnection *ac, const char *filename) |
140 | { | 140 | { |
141 | Key *private, *cert; | 141 | Key *private, *cert; |
142 | char *comment = NULL; | 142 | char *comment = NULL, *fp; |
143 | char msg[1024], *certpath; | 143 | char msg[1024], *certpath; |
144 | int fd, perms_ok, ret = -1; | 144 | int fd, perms_ok, ret = -1; |
145 | 145 | ||
@@ -184,6 +184,14 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
184 | "Bad passphrase, try again for %.200s: ", comment); | 184 | "Bad passphrase, try again for %.200s: ", comment); |
185 | } | 185 | } |
186 | } | 186 | } |
187 | if (blacklisted_key(private, &fp) == 1) { | ||
188 | fprintf(stderr, "Public key %s blacklisted (see " | ||
189 | "ssh-vulnkey(1)); refusing to add it\n", fp); | ||
190 | xfree(fp); | ||
191 | key_free(private); | ||
192 | xfree(comment); | ||
193 | return -1; | ||
194 | } | ||
187 | 195 | ||
188 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, | 196 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, |
189 | confirm)) { | 197 | confirm)) { |
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3e03a9bd0..64638aa9c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -145,9 +145,7 @@ key in | |||
145 | .Pa ~/.ssh/id_dsa | 145 | .Pa ~/.ssh/id_dsa |
146 | or | 146 | or |
147 | .Pa ~/.ssh/id_rsa . | 147 | .Pa ~/.ssh/id_rsa . |
148 | Additionally, the system administrator may use this to generate host keys, | 148 | Additionally, the system administrator may use this to generate host keys. |
149 | as seen in | ||
150 | .Pa /etc/rc . | ||
151 | .Pp | 149 | .Pp |
152 | Normally this program generates the key and asks for a file in which | 150 | Normally this program generates the key and asks for a file in which |
153 | to store the private key. | 151 | to store the private key. |
@@ -367,9 +365,7 @@ new passphrase. | |||
367 | .It Fl q | 365 | .It Fl q |
368 | Silence | 366 | Silence |
369 | .Nm ssh-keygen . | 367 | .Nm ssh-keygen . |
370 | Used by | 368 | Used by system administration scripts when creating a new key. |
371 | .Pa /etc/rc | ||
372 | when creating a new key. | ||
373 | .It Fl R Ar hostname | 369 | .It Fl R Ar hostname |
374 | Removes all keys belonging to | 370 | Removes all keys belonging to |
375 | .Ar hostname | 371 | .Ar hostname |
@@ -628,6 +624,7 @@ The file format is described in | |||
628 | .Xr ssh 1 , | 624 | .Xr ssh 1 , |
629 | .Xr ssh-add 1 , | 625 | .Xr ssh-add 1 , |
630 | .Xr ssh-agent 1 , | 626 | .Xr ssh-agent 1 , |
627 | .Xr ssh-vulnkey 1 , | ||
631 | .Xr moduli 5 , | 628 | .Xr moduli 5 , |
632 | .Xr sshd 8 | 629 | .Xr sshd 8 |
633 | .Rs | 630 | .Rs |
diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1 new file mode 100644 index 000000000..bcb9d31c6 --- /dev/null +++ b/ssh-vulnkey.1 | |||
@@ -0,0 +1,242 @@ | |||
1 | .\" Copyright (c) 2008 Canonical Ltd. All rights reserved. | ||
2 | .\" | ||
3 | .\" Redistribution and use in source and binary forms, with or without | ||
4 | .\" modification, are permitted provided that the following conditions | ||
5 | .\" are met: | ||
6 | .\" 1. Redistributions of source code must retain the above copyright | ||
7 | .\" notice, this list of conditions and the following disclaimer. | ||
8 | .\" 2. Redistributions in binary form must reproduce the above copyright | ||
9 | .\" notice, this list of conditions and the following disclaimer in the | ||
10 | .\" documentation and/or other materials provided with the distribution. | ||
11 | .\" | ||
12 | .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
13 | .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
14 | .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
15 | .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
16 | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
17 | .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
18 | .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
19 | .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
20 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
21 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
22 | .\" | ||
23 | .Dd $Mdocdate: May 12 2008 $ | ||
24 | .Dt SSH-VULNKEY 1 | ||
25 | .Os | ||
26 | .Sh NAME | ||
27 | .Nm ssh-vulnkey | ||
28 | .Nd check blacklist of compromised keys | ||
29 | .Sh SYNOPSIS | ||
30 | .Nm | ||
31 | .Op Fl q | Fl v | ||
32 | .Ar file ... | ||
33 | .Nm | ||
34 | .Fl a | ||
35 | .Sh DESCRIPTION | ||
36 | .Nm | ||
37 | checks a key against a blacklist of compromised keys. | ||
38 | .Pp | ||
39 | A substantial number of keys are known to have been generated using a broken | ||
40 | version of OpenSSL distributed by Debian which failed to seed its random | ||
41 | number generator correctly. | ||
42 | Keys generated using these OpenSSL versions should be assumed to be | ||
43 | compromised. | ||
44 | This tool may be useful in checking for such keys. | ||
45 | .Pp | ||
46 | Keys that are compromised cannot be repaired; replacements must be generated | ||
47 | using | ||
48 | .Xr ssh-keygen 1 . | ||
49 | Make sure to update | ||
50 | .Pa authorized_keys | ||
51 | files on all systems where compromised keys were permitted to authenticate. | ||
52 | .Pp | ||
53 | The argument list will be interpreted as a list of paths to public key files | ||
54 | or | ||
55 | .Pa authorized_keys | ||
56 | files. | ||
57 | If no suitable file is found at a given path, | ||
58 | .Nm | ||
59 | will append | ||
60 | .Pa .pub | ||
61 | and retry, in case it was given a private key file. | ||
62 | If no files are given as arguments, | ||
63 | .Nm | ||
64 | will check | ||
65 | .Pa ~/.ssh/id_rsa , | ||
66 | .Pa ~/.ssh/id_dsa , | ||
67 | .Pa ~/.ssh/identity , | ||
68 | .Pa ~/.ssh/authorized_keys | ||
69 | and | ||
70 | .Pa ~/.ssh/authorized_keys2 , | ||
71 | as well as the system's host keys if readable. | ||
72 | .Pp | ||
73 | If | ||
74 | .Dq - | ||
75 | is given as an argument, | ||
76 | .Nm | ||
77 | will read from standard input. | ||
78 | This can be used to process output from | ||
79 | .Xr ssh-keyscan 1 , | ||
80 | for example: | ||
81 | .Pp | ||
82 | .Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey - | ||
83 | .Pp | ||
84 | Unless the | ||
85 | .Cm PermitBlacklistedKeys | ||
86 | option is used, | ||
87 | .Xr sshd 8 | ||
88 | will reject attempts to authenticate with keys in the compromised list. | ||
89 | .Pp | ||
90 | The output from | ||
91 | .Nm | ||
92 | looks like this: | ||
93 | .Pp | ||
94 | .Bd -literal -offset indent | ||
95 | /etc/ssh/ssh_host_key:1: COMPROMISED: RSA1 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host | ||
96 | /home/user/.ssh/id_dsa:1: Not blacklisted: DSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub | ||
97 | /home/user/.ssh/authorized_keys:3: Unknown (blacklist file not installed): RSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host | ||
98 | .Ed | ||
99 | .Pp | ||
100 | Each line is of the following format (any lines beginning with | ||
101 | .Dq # | ||
102 | should be ignored by scripts): | ||
103 | .Pp | ||
104 | .Dl Ar filename : Ns Ar line : Ar status : Ar type Ar size Ar fingerprint Ar comment | ||
105 | .Pp | ||
106 | It is important to distinguish between the possible values of | ||
107 | .Ar status : | ||
108 | .Pp | ||
109 | .Bl -tag -width Ds | ||
110 | .It COMPROMISED | ||
111 | These keys are listed in a blacklist file, normally because their | ||
112 | corresponding private keys are well-known. | ||
113 | Replacements must be generated using | ||
114 | .Xr ssh-keygen 1 . | ||
115 | .It Not blacklisted | ||
116 | A blacklist file exists for this key type and size, but this key is not | ||
117 | listed in it. | ||
118 | Unless there is some particular reason to believe otherwise, this key | ||
119 | may be used safely. | ||
120 | (Note that DSA keys used with the broken version of OpenSSL distributed | ||
121 | by Debian may be compromised in the event that anyone captured a network | ||
122 | trace, even if they were generated with a secure version of OpenSSL.) | ||
123 | .It Unknown (blacklist file not installed) | ||
124 | No blacklist file exists for this key type and size. | ||
125 | You should find a suitable published blacklist and install it before | ||
126 | deciding whether this key is safe to use. | ||
127 | .El | ||
128 | .Pp | ||
129 | The options are as follows: | ||
130 | .Bl -tag -width Ds | ||
131 | .It Fl a | ||
132 | Check keys of all users on the system. | ||
133 | You will typically need to run | ||
134 | .Nm | ||
135 | as root to use this option. | ||
136 | For each user, | ||
137 | .Nm | ||
138 | will check | ||
139 | .Pa ~/.ssh/id_rsa , | ||
140 | .Pa ~/.ssh/id_dsa , | ||
141 | .Pa ~/.ssh/identity , | ||
142 | .Pa ~/.ssh/authorized_keys | ||
143 | and | ||
144 | .Pa ~/.ssh/authorized_keys2 . | ||
145 | It will also check the system's host keys. | ||
146 | .It Fl q | ||
147 | Quiet mode. | ||
148 | Normally, | ||
149 | .Nm | ||
150 | outputs the fingerprint of each key scanned, with a description of its | ||
151 | status. | ||
152 | This option suppresses that output. | ||
153 | .It Fl v | ||
154 | Verbose mode. | ||
155 | Normally, | ||
156 | .Nm | ||
157 | does not output anything for keys that are not listed in their corresponding | ||
158 | blacklist file (although it still produces output for keys for which there | ||
159 | is no blacklist file, since their status is unknown). | ||
160 | This option causes | ||
161 | .Nm | ||
162 | to produce output for all keys. | ||
163 | .El | ||
164 | .Sh EXIT STATUS | ||
165 | .Nm | ||
166 | will exit zero if any of the given keys were in the compromised list, | ||
167 | otherwise non-zero. | ||
168 | .Sh BLACKLIST FILE FORMAT | ||
169 | The blacklist file may start with comments, on lines starting with | ||
170 | .Dq # . | ||
171 | After these initial comments, it must follow a strict format: | ||
172 | .Pp | ||
173 | .Bl -bullet -offset indent -compact | ||
174 | .It | ||
175 | All the lines must be exactly the same length (20 characters followed by a | ||
176 | newline) and must be in sorted order. | ||
177 | .It | ||
178 | Each line must consist of the lower-case hexadecimal MD5 key fingerprint, | ||
179 | without colons, and with the first 12 characters removed (that is, the least | ||
180 | significant 80 bits of the fingerprint). | ||
181 | .El | ||
182 | .Pp | ||
183 | The key fingerprint may be generated using | ||
184 | .Xr ssh-keygen 1 : | ||
185 | .Pp | ||
186 | .Dl $ ssh-keygen -l -f /path/to/key | ||
187 | .Pp | ||
188 | This strict format is necessary to allow the blacklist file to be checked | ||
189 | quickly, using a binary-search algorithm. | ||
190 | .Sh FILES | ||
191 | .Bl -tag -width Ds | ||
192 | .It Pa ~/.ssh/id_rsa | ||
193 | If present, contains the protocol version 2 RSA authentication identity of | ||
194 | the user. | ||
195 | .It Pa ~/.ssh/id_dsa | ||
196 | If present, contains the protocol version 2 DSA authentication identity of | ||
197 | the user. | ||
198 | .It Pa ~/.ssh/identity | ||
199 | If present, contains the protocol version 1 RSA authentication identity of | ||
200 | the user. | ||
201 | .It Pa ~/.ssh/authorized_keys | ||
202 | If present, lists the public keys (RSA/DSA) that can be used for logging in | ||
203 | as this user. | ||
204 | .It Pa ~/.ssh/authorized_keys2 | ||
205 | Obsolete name for | ||
206 | .Pa ~/.ssh/authorized_keys . | ||
207 | This file may still be present on some old systems, but should not be | ||
208 | created if it is missing. | ||
209 | .It Pa /etc/ssh/ssh_host_rsa_key | ||
210 | If present, contains the protocol version 2 RSA identity of the system. | ||
211 | .It Pa /etc/ssh/ssh_host_dsa_key | ||
212 | If present, contains the protocol version 2 DSA identity of the system. | ||
213 | .It Pa /etc/ssh/ssh_host_key | ||
214 | If present, contains the protocol version 1 RSA identity of the system. | ||
215 | .It Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH | ||
216 | If present, lists the blacklisted keys of type | ||
217 | .Ar TYPE | ||
218 | .Pf ( Dq RSA | ||
219 | or | ||
220 | .Dq DSA ) | ||
221 | and bit length | ||
222 | .Ar LENGTH . | ||
223 | The format of this file is described above. | ||
224 | RSA1 keys are converted to RSA before being checked in the blacklist. | ||
225 | Note that the fingerprints of RSA1 keys are computed differently, so you | ||
226 | will not be able to find them in the blacklist by hand. | ||
227 | .It Pa /etc/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH | ||
228 | Same as | ||
229 | .Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH , | ||
230 | but may be edited by the system administrator to add new blacklist entries. | ||
231 | .El | ||
232 | .Sh SEE ALSO | ||
233 | .Xr ssh-keygen 1 , | ||
234 | .Xr sshd 8 | ||
235 | .Sh AUTHORS | ||
236 | .An -nosplit | ||
237 | .An Colin Watson Aq cjwatson@ubuntu.com | ||
238 | .Pp | ||
239 | Florian Weimer suggested the option to check keys of all users, and the idea | ||
240 | of processing | ||
241 | .Xr ssh-keyscan 1 | ||
242 | output. | ||
diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c new file mode 100644 index 000000000..4a5780488 --- /dev/null +++ b/ssh-vulnkey.c | |||
@@ -0,0 +1,388 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2008 Canonical Ltd. All rights reserved. | ||
3 | * | ||
4 | * Redistribution and use in source and binary forms, with or without | ||
5 | * modification, are permitted provided that the following conditions | ||
6 | * are met: | ||
7 | * 1. Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * 2. Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * | ||
13 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
14 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
15 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
16 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
17 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
18 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
19 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
20 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
23 | */ | ||
24 | |||
25 | #include "includes.h" | ||
26 | |||
27 | #include <sys/types.h> | ||
28 | #include <sys/stat.h> | ||
29 | |||
30 | #include <errno.h> | ||
31 | #include <string.h> | ||
32 | #include <stdio.h> | ||
33 | #include <fcntl.h> | ||
34 | #include <unistd.h> | ||
35 | |||
36 | #include <openssl/evp.h> | ||
37 | |||
38 | #include "xmalloc.h" | ||
39 | #include "ssh.h" | ||
40 | #include "log.h" | ||
41 | #include "key.h" | ||
42 | #include "authfile.h" | ||
43 | #include "pathnames.h" | ||
44 | #include "uidswap.h" | ||
45 | #include "misc.h" | ||
46 | |||
47 | extern char *__progname; | ||
48 | |||
49 | /* Default files to check */ | ||
50 | static char *default_host_files[] = { | ||
51 | _PATH_HOST_RSA_KEY_FILE, | ||
52 | _PATH_HOST_DSA_KEY_FILE, | ||
53 | _PATH_HOST_KEY_FILE, | ||
54 | NULL | ||
55 | }; | ||
56 | static char *default_files[] = { | ||
57 | _PATH_SSH_CLIENT_ID_RSA, | ||
58 | _PATH_SSH_CLIENT_ID_DSA, | ||
59 | _PATH_SSH_CLIENT_IDENTITY, | ||
60 | _PATH_SSH_USER_PERMITTED_KEYS, | ||
61 | _PATH_SSH_USER_PERMITTED_KEYS2, | ||
62 | NULL | ||
63 | }; | ||
64 | |||
65 | static int verbosity = 0; | ||
66 | |||
67 | static int some_keys = 0; | ||
68 | static int some_unknown = 0; | ||
69 | static int some_compromised = 0; | ||
70 | |||
71 | static void | ||
72 | usage(void) | ||
73 | { | ||
74 | fprintf(stderr, "usage: %s [-aqv] [file ...]\n", __progname); | ||
75 | fprintf(stderr, "Options:\n"); | ||
76 | fprintf(stderr, " -a Check keys of all users.\n"); | ||
77 | fprintf(stderr, " -q Quiet mode.\n"); | ||
78 | fprintf(stderr, " -v Verbose mode.\n"); | ||
79 | exit(1); | ||
80 | } | ||
81 | |||
82 | void | ||
83 | describe_key(const char *filename, u_long linenum, const char *msg, | ||
84 | const Key *key, const char *comment, int min_verbosity) | ||
85 | { | ||
86 | char *fp; | ||
87 | |||
88 | fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | ||
89 | if (verbosity >= min_verbosity) { | ||
90 | if (strchr(filename, ':')) | ||
91 | printf("\"%s\"", filename); | ||
92 | else | ||
93 | printf("%s", filename); | ||
94 | printf(":%lu: %s: %s %u %s %s\n", linenum, msg, | ||
95 | key_type(key), key_size(key), fp, comment); | ||
96 | } | ||
97 | xfree(fp); | ||
98 | } | ||
99 | |||
100 | int | ||
101 | do_key(const char *filename, u_long linenum, | ||
102 | const Key *key, const char *comment) | ||
103 | { | ||
104 | Key *public; | ||
105 | int blacklist_status; | ||
106 | int ret = 1; | ||
107 | |||
108 | some_keys = 1; | ||
109 | |||
110 | public = key_demote(key); | ||
111 | if (public->type == KEY_RSA1) | ||
112 | public->type = KEY_RSA; | ||
113 | |||
114 | blacklist_status = blacklisted_key(public, NULL); | ||
115 | if (blacklist_status == -1) { | ||
116 | describe_key(filename, linenum, | ||
117 | "Unknown (blacklist file not installed)", key, comment, 0); | ||
118 | some_unknown = 1; | ||
119 | } else if (blacklist_status == 1) { | ||
120 | describe_key(filename, linenum, | ||
121 | "COMPROMISED", key, comment, 0); | ||
122 | some_compromised = 1; | ||
123 | ret = 0; | ||
124 | } else | ||
125 | describe_key(filename, linenum, | ||
126 | "Not blacklisted", key, comment, 1); | ||
127 | |||
128 | key_free(public); | ||
129 | |||
130 | return ret; | ||
131 | } | ||
132 | |||
133 | int | ||
134 | do_filename(const char *filename, int quiet_open) | ||
135 | { | ||
136 | FILE *f; | ||
137 | char line[SSH_MAX_PUBKEY_BYTES]; | ||
138 | char *cp; | ||
139 | u_long linenum = 0; | ||
140 | Key *key; | ||
141 | char *comment = NULL; | ||
142 | int found = 0, ret = 1; | ||
143 | |||
144 | /* Copy much of key_load_public's logic here so that we can read | ||
145 | * several keys from a single file (e.g. authorized_keys). | ||
146 | */ | ||
147 | |||
148 | if (strcmp(filename, "-") != 0) { | ||
149 | int save_errno; | ||
150 | f = fopen(filename, "r"); | ||
151 | save_errno = errno; | ||
152 | if (!f) { | ||
153 | char pubfile[MAXPATHLEN]; | ||
154 | if (strlcpy(pubfile, filename, sizeof pubfile) < | ||
155 | sizeof(pubfile) && | ||
156 | strlcat(pubfile, ".pub", sizeof pubfile) < | ||
157 | sizeof(pubfile)) | ||
158 | f = fopen(pubfile, "r"); | ||
159 | } | ||
160 | errno = save_errno; /* earlier errno is more useful */ | ||
161 | if (!f) { | ||
162 | if (!quiet_open) | ||
163 | perror(filename); | ||
164 | return -1; | ||
165 | } | ||
166 | if (verbosity > 0) | ||
167 | printf("# %s\n", filename); | ||
168 | } else | ||
169 | f = stdin; | ||
170 | while (read_keyfile_line(f, filename, line, sizeof(line), | ||
171 | &linenum) != -1) { | ||
172 | int i; | ||
173 | char *space; | ||
174 | int type; | ||
175 | char *end; | ||
176 | |||
177 | /* Chop trailing newline. */ | ||
178 | i = strlen(line) - 1; | ||
179 | if (line[i] == '\n') | ||
180 | line[i] = '\0'; | ||
181 | |||
182 | /* Skip leading whitespace, empty and comment lines. */ | ||
183 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | ||
184 | ; | ||
185 | if (!*cp || *cp == '\n' || *cp == '#') | ||
186 | continue; | ||
187 | |||
188 | /* Cope with ssh-keyscan output and options in | ||
189 | * authorized_keys files. | ||
190 | */ | ||
191 | space = strchr(cp, ' '); | ||
192 | if (!space) | ||
193 | continue; | ||
194 | *space = '\0'; | ||
195 | type = key_type_from_name(cp); | ||
196 | *space = ' '; | ||
197 | /* Leading number (RSA1) or valid type (RSA/DSA) indicates | ||
198 | * that we have no host name or options to skip. | ||
199 | */ | ||
200 | if ((strtol(cp, &end, 10) == 0 || *end != ' ') && | ||
201 | type == KEY_UNSPEC) { | ||
202 | int quoted = 0; | ||
203 | |||
204 | for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { | ||
205 | if (*cp == '\\' && cp[1] == '"') | ||
206 | cp++; /* Skip both */ | ||
207 | else if (*cp == '"') | ||
208 | quoted = !quoted; | ||
209 | } | ||
210 | /* Skip remaining whitespace. */ | ||
211 | for (; *cp == ' ' || *cp == '\t'; cp++) | ||
212 | ; | ||
213 | if (!*cp) | ||
214 | continue; | ||
215 | } | ||
216 | |||
217 | /* Read and process the key itself. */ | ||
218 | key = key_new(KEY_RSA1); | ||
219 | if (key_read(key, &cp) == 1) { | ||
220 | while (*cp == ' ' || *cp == '\t') | ||
221 | cp++; | ||
222 | if (!do_key(filename, linenum, | ||
223 | key, *cp ? cp : filename)) | ||
224 | ret = 0; | ||
225 | found = 1; | ||
226 | } else { | ||
227 | key_free(key); | ||
228 | key = key_new(KEY_UNSPEC); | ||
229 | if (key_read(key, &cp) == 1) { | ||
230 | while (*cp == ' ' || *cp == '\t') | ||
231 | cp++; | ||
232 | if (!do_key(filename, linenum, | ||
233 | key, *cp ? cp : filename)) | ||
234 | ret = 0; | ||
235 | found = 1; | ||
236 | } | ||
237 | } | ||
238 | key_free(key); | ||
239 | } | ||
240 | if (f != stdin) | ||
241 | fclose(f); | ||
242 | |||
243 | if (!found && filename) { | ||
244 | key = key_load_public(filename, &comment); | ||
245 | if (key) { | ||
246 | if (!do_key(filename, 1, key, comment)) | ||
247 | ret = 0; | ||
248 | found = 1; | ||
249 | } | ||
250 | if (comment) | ||
251 | xfree(comment); | ||
252 | } | ||
253 | |||
254 | return ret; | ||
255 | } | ||
256 | |||
257 | int | ||
258 | do_host(int quiet_open) | ||
259 | { | ||
260 | int i; | ||
261 | struct stat st; | ||
262 | int ret = 1; | ||
263 | |||
264 | for (i = 0; default_host_files[i]; i++) { | ||
265 | if (stat(default_host_files[i], &st) < 0 && errno == ENOENT) | ||
266 | continue; | ||
267 | if (!do_filename(default_host_files[i], quiet_open)) | ||
268 | ret = 0; | ||
269 | } | ||
270 | |||
271 | return ret; | ||
272 | } | ||
273 | |||
274 | int | ||
275 | do_user(const char *dir) | ||
276 | { | ||
277 | int i; | ||
278 | char *file; | ||
279 | struct stat st; | ||
280 | int ret = 1; | ||
281 | |||
282 | for (i = 0; default_files[i]; i++) { | ||
283 | xasprintf(&file, "%s/%s", dir, default_files[i]); | ||
284 | if (stat(file, &st) < 0 && errno == ENOENT) { | ||
285 | xfree(file); | ||
286 | continue; | ||
287 | } | ||
288 | if (!do_filename(file, 0)) | ||
289 | ret = 0; | ||
290 | xfree(file); | ||
291 | } | ||
292 | |||
293 | return ret; | ||
294 | } | ||
295 | |||
296 | int | ||
297 | main(int argc, char **argv) | ||
298 | { | ||
299 | int opt, all_users = 0; | ||
300 | int ret = 1; | ||
301 | extern int optind; | ||
302 | |||
303 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | ||
304 | sanitise_stdfd(); | ||
305 | |||
306 | __progname = ssh_get_progname(argv[0]); | ||
307 | |||
308 | SSLeay_add_all_algorithms(); | ||
309 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | ||
310 | |||
311 | /* We don't need the RNG ourselves, but symbol references here allow | ||
312 | * ld to link us properly. | ||
313 | */ | ||
314 | init_rng(); | ||
315 | seed_rng(); | ||
316 | |||
317 | while ((opt = getopt(argc, argv, "ahqv")) != -1) { | ||
318 | switch (opt) { | ||
319 | case 'a': | ||
320 | all_users = 1; | ||
321 | break; | ||
322 | case 'q': | ||
323 | verbosity--; | ||
324 | break; | ||
325 | case 'v': | ||
326 | verbosity++; | ||
327 | break; | ||
328 | case 'h': | ||
329 | default: | ||
330 | usage(); | ||
331 | } | ||
332 | } | ||
333 | |||
334 | if (all_users) { | ||
335 | struct passwd *pw; | ||
336 | |||
337 | if (!do_host(0)) | ||
338 | ret = 0; | ||
339 | |||
340 | while ((pw = getpwent()) != NULL) { | ||
341 | if (pw->pw_dir) { | ||
342 | temporarily_use_uid(pw); | ||
343 | if (!do_user(pw->pw_dir)) | ||
344 | ret = 0; | ||
345 | restore_uid(); | ||
346 | } | ||
347 | } | ||
348 | } else if (optind == argc) { | ||
349 | struct passwd *pw; | ||
350 | |||
351 | if (!do_host(1)) | ||
352 | ret = 0; | ||
353 | |||
354 | if ((pw = getpwuid(geteuid())) == NULL) | ||
355 | fprintf(stderr, "No user found with uid %u\n", | ||
356 | (u_int)geteuid()); | ||
357 | else { | ||
358 | if (!do_user(pw->pw_dir)) | ||
359 | ret = 0; | ||
360 | } | ||
361 | } else { | ||
362 | while (optind < argc) | ||
363 | if (!do_filename(argv[optind++], 0)) | ||
364 | ret = 0; | ||
365 | } | ||
366 | |||
367 | if (verbosity >= 0) { | ||
368 | if (some_unknown) { | ||
369 | printf("#\n"); | ||
370 | printf("# The status of some keys on your system is unknown.\n"); | ||
371 | printf("# You may need to install additional blacklist files.\n"); | ||
372 | } | ||
373 | if (some_compromised) { | ||
374 | printf("#\n"); | ||
375 | printf("# Some keys on your system have been compromised!\n"); | ||
376 | printf("# You must replace them using ssh-keygen(1).\n"); | ||
377 | } | ||
378 | if (some_unknown || some_compromised) { | ||
379 | printf("#\n"); | ||
380 | printf("# See the ssh-vulnkey(1) manual page for further advice.\n"); | ||
381 | } else if (some_keys && verbosity > 0) { | ||
382 | printf("#\n"); | ||
383 | printf("# No blacklisted keys!\n"); | ||
384 | } | ||
385 | } | ||
386 | |||
387 | return ret; | ||
388 | } | ||
@@ -762,6 +762,10 @@ The | |||
762 | .Sx HISTORY | 762 | .Sx HISTORY |
763 | section of | 763 | section of |
764 | .Xr ssl 8 | 764 | .Xr ssl 8 |
765 | (on non-OpenBSD systems, see | ||
766 | .nh | ||
767 | http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) | ||
768 | .hy | ||
765 | contains a brief discussion of the two algorithms. | 769 | contains a brief discussion of the two algorithms. |
766 | .Pp | 770 | .Pp |
767 | The file | 771 | The file |
@@ -1324,6 +1328,8 @@ The file format and configuration options are described in | |||
1324 | .Xr ssh_config 5 . | 1328 | .Xr ssh_config 5 . |
1325 | Because of the potential for abuse, this file must have strict permissions: | 1329 | Because of the potential for abuse, this file must have strict permissions: |
1326 | read/write for the user, and not accessible by others. | 1330 | read/write for the user, and not accessible by others. |
1331 | It may be group-writable provided that the group in question contains only | ||
1332 | the user. | ||
1327 | .Pp | 1333 | .Pp |
1328 | .It ~/.ssh/environment | 1334 | .It ~/.ssh/environment |
1329 | Contains additional definitions for environment variables; see | 1335 | Contains additional definitions for environment variables; see |
@@ -1424,8 +1430,10 @@ manual page for more information. | |||
1424 | .Xr sftp 1 , | 1430 | .Xr sftp 1 , |
1425 | .Xr ssh-add 1 , | 1431 | .Xr ssh-add 1 , |
1426 | .Xr ssh-agent 1 , | 1432 | .Xr ssh-agent 1 , |
1433 | .Xr ssh-argv0 1 , | ||
1427 | .Xr ssh-keygen 1 , | 1434 | .Xr ssh-keygen 1 , |
1428 | .Xr ssh-keyscan 1 , | 1435 | .Xr ssh-keyscan 1 , |
1436 | .Xr ssh-vulnkey 1 , | ||
1429 | .Xr tun 4 , | 1437 | .Xr tun 4 , |
1430 | .Xr hosts.equiv 5 , | 1438 | .Xr hosts.equiv 5 , |
1431 | .Xr ssh_config 5 , | 1439 | .Xr ssh_config 5 , |
@@ -624,7 +624,7 @@ main(int ac, char **av) | |||
624 | tty_flag = 0; | 624 | tty_flag = 0; |
625 | /* Do not allocate a tty if stdin is not a tty. */ | 625 | /* Do not allocate a tty if stdin is not a tty. */ |
626 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { | 626 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { |
627 | if (tty_flag) | 627 | if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) |
628 | logit("Pseudo-terminal will not be allocated because " | 628 | logit("Pseudo-terminal will not be allocated because " |
629 | "stdin is not a terminal."); | 629 | "stdin is not a terminal."); |
630 | tty_flag = 0; | 630 | tty_flag = 0; |
@@ -1301,7 +1301,7 @@ ssh_session2(void) | |||
1301 | static void | 1301 | static void |
1302 | load_public_identity_files(void) | 1302 | load_public_identity_files(void) |
1303 | { | 1303 | { |
1304 | char *filename, *cp, thishost[NI_MAXHOST]; | 1304 | char *filename, *cp, thishost[NI_MAXHOST], *fp; |
1305 | char *pwdir = NULL, *pwname = NULL; | 1305 | char *pwdir = NULL, *pwname = NULL; |
1306 | int i = 0; | 1306 | int i = 0; |
1307 | Key *public; | 1307 | Key *public; |
@@ -1358,6 +1358,22 @@ load_public_identity_files(void) | |||
1358 | public = key_load_public(filename, NULL); | 1358 | public = key_load_public(filename, NULL); |
1359 | debug("identity file %s type %d", filename, | 1359 | debug("identity file %s type %d", filename, |
1360 | public ? public->type : -1); | 1360 | public ? public->type : -1); |
1361 | if (public && blacklisted_key(public, &fp) == 1) { | ||
1362 | if (options.use_blacklisted_keys) | ||
1363 | logit("Public key %s blacklisted (see " | ||
1364 | "ssh-vulnkey(1)); continuing anyway", fp); | ||
1365 | else | ||
1366 | logit("Public key %s blacklisted (see " | ||
1367 | "ssh-vulnkey(1)); refusing to send it", | ||
1368 | fp); | ||
1369 | xfree(fp); | ||
1370 | if (!options.use_blacklisted_keys) { | ||
1371 | key_free(public); | ||
1372 | xfree(filename); | ||
1373 | filename = NULL; | ||
1374 | public = NULL; | ||
1375 | } | ||
1376 | } | ||
1361 | xfree(options.identity_files[i]); | 1377 | xfree(options.identity_files[i]); |
1362 | identity_files[n_ids] = filename; | 1378 | identity_files[n_ids] = filename; |
1363 | identity_keys[n_ids] = public; | 1379 | identity_keys[n_ids] = public; |
diff --git a/ssh_config b/ssh_config index 2c06ba707..4281e7317 100644 --- a/ssh_config +++ b/ssh_config | |||
@@ -17,9 +17,10 @@ | |||
17 | # list of available options, their meanings and defaults, please see the | 17 | # list of available options, their meanings and defaults, please see the |
18 | # ssh_config(5) man page. | 18 | # ssh_config(5) man page. |
19 | 19 | ||
20 | # Host * | 20 | Host * |
21 | # ForwardAgent no | 21 | # ForwardAgent no |
22 | # ForwardX11 no | 22 | # ForwardX11 no |
23 | # ForwardX11Trusted yes | ||
23 | # RhostsRSAAuthentication no | 24 | # RhostsRSAAuthentication no |
24 | # RSAAuthentication yes | 25 | # RSAAuthentication yes |
25 | # PasswordAuthentication yes | 26 | # PasswordAuthentication yes |
@@ -47,3 +48,7 @@ | |||
47 | # PermitLocalCommand no | 48 | # PermitLocalCommand no |
48 | # VisualHostKey no | 49 | # VisualHostKey no |
49 | # ProxyCommand ssh -q -W %h:%p gateway.example.com | 50 | # ProxyCommand ssh -q -W %h:%p gateway.example.com |
51 | SendEnv LANG LC_* | ||
52 | HashKnownHosts yes | ||
53 | GSSAPIAuthentication yes | ||
54 | GSSAPIDelegateCredentials no | ||
diff --git a/ssh_config.5 b/ssh_config.5 index 19d13f5c7..45496cfbc 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -72,6 +72,22 @@ Since the first obtained value for each parameter is used, more | |||
72 | host-specific declarations should be given near the beginning of the | 72 | host-specific declarations should be given near the beginning of the |
73 | file, and general defaults at the end. | 73 | file, and general defaults at the end. |
74 | .Pp | 74 | .Pp |
75 | Note that the Debian | ||
76 | .Ic openssh-client | ||
77 | package sets several options as standard in | ||
78 | .Pa /etc/ssh/ssh_config | ||
79 | which are not the default in | ||
80 | .Xr ssh 1 : | ||
81 | .Pp | ||
82 | .Bl -bullet -offset indent -compact | ||
83 | .It | ||
84 | .Cm SendEnv No LANG LC_* | ||
85 | .It | ||
86 | .Cm HashKnownHosts No yes | ||
87 | .It | ||
88 | .Cm GSSAPIAuthentication No yes | ||
89 | .El | ||
90 | .Pp | ||
75 | The configuration file has the following format: | 91 | The configuration file has the following format: |
76 | .Pp | 92 | .Pp |
77 | Empty lines and lines starting with | 93 | Empty lines and lines starting with |
@@ -128,8 +144,12 @@ Valid arguments are | |||
128 | If set to | 144 | If set to |
129 | .Dq yes , | 145 | .Dq yes , |
130 | passphrase/password querying will be disabled. | 146 | passphrase/password querying will be disabled. |
147 | In addition, the | ||
148 | .Cm ServerAliveInterval | ||
149 | option will be set to 300 seconds by default. | ||
131 | This option is useful in scripts and other batch jobs where no user | 150 | This option is useful in scripts and other batch jobs where no user |
132 | is present to supply the password. | 151 | is present to supply the password, |
152 | and where it is desirable to detect a broken network swiftly. | ||
133 | The argument must be | 153 | The argument must be |
134 | .Dq yes | 154 | .Dq yes |
135 | or | 155 | or |
@@ -448,7 +468,8 @@ token used for the session will be set to expire after 20 minutes. | |||
448 | Remote clients will be refused access after this time. | 468 | Remote clients will be refused access after this time. |
449 | .Pp | 469 | .Pp |
450 | The default is | 470 | The default is |
451 | .Dq no . | 471 | .Dq yes |
472 | (Debian-specific). | ||
452 | .Pp | 473 | .Pp |
453 | See the X11 SECURITY extension specification for full details on | 474 | See the X11 SECURITY extension specification for full details on |
454 | the restrictions imposed on untrusted clients. | 475 | the restrictions imposed on untrusted clients. |
@@ -527,6 +548,9 @@ Note that existing names and addresses in known hosts files | |||
527 | will not be converted automatically, | 548 | will not be converted automatically, |
528 | but may be manually hashed using | 549 | but may be manually hashed using |
529 | .Xr ssh-keygen 1 . | 550 | .Xr ssh-keygen 1 . |
551 | Use of this option may break facilities such as tab-completion that rely | ||
552 | on being able to read unhashed host names from | ||
553 | .Pa ~/.ssh/known_hosts . | ||
530 | .It Cm HostbasedAuthentication | 554 | .It Cm HostbasedAuthentication |
531 | Specifies whether to try rhosts based authentication with public key | 555 | Specifies whether to try rhosts based authentication with public key |
532 | authentication. | 556 | authentication. |
@@ -952,7 +976,10 @@ If, for example, | |||
952 | .Cm ServerAliveCountMax | 976 | .Cm ServerAliveCountMax |
953 | is left at the default, if the server becomes unresponsive, | 977 | is left at the default, if the server becomes unresponsive, |
954 | ssh will disconnect after approximately 45 seconds. | 978 | ssh will disconnect after approximately 45 seconds. |
955 | This option applies to protocol version 2 only. | 979 | This option applies to protocol version 2 only; in protocol version |
980 | 1 there is no mechanism to request a response from the server to the | ||
981 | server alive messages, so disconnection is the responsibility of the TCP | ||
982 | stack. | ||
956 | .It Cm ServerAliveInterval | 983 | .It Cm ServerAliveInterval |
957 | Sets a timeout interval in seconds after which if no data has been received | 984 | Sets a timeout interval in seconds after which if no data has been received |
958 | from the server, | 985 | from the server, |
@@ -960,8 +987,15 @@ from the server, | |||
960 | will send a message through the encrypted | 987 | will send a message through the encrypted |
961 | channel to request a response from the server. | 988 | channel to request a response from the server. |
962 | The default | 989 | The default |
963 | is 0, indicating that these messages will not be sent to the server. | 990 | is 0, indicating that these messages will not be sent to the server, |
991 | or 300 if the | ||
992 | .Cm BatchMode | ||
993 | option is set. | ||
964 | This option applies to protocol version 2 only. | 994 | This option applies to protocol version 2 only. |
995 | .Cm ProtocolKeepAlives | ||
996 | and | ||
997 | .Cm SetupTimeOut | ||
998 | are Debian-specific compatibility aliases for this option. | ||
965 | .It Cm StrictHostKeyChecking | 999 | .It Cm StrictHostKeyChecking |
966 | If this flag is set to | 1000 | If this flag is set to |
967 | .Dq yes , | 1001 | .Dq yes , |
@@ -1000,6 +1034,12 @@ Specifies whether the system should send TCP keepalive messages to the | |||
1000 | other side. | 1034 | other side. |
1001 | If they are sent, death of the connection or crash of one | 1035 | If they are sent, death of the connection or crash of one |
1002 | of the machines will be properly noticed. | 1036 | of the machines will be properly noticed. |
1037 | This option only uses TCP keepalives (as opposed to using ssh level | ||
1038 | keepalives), so takes a long time to notice when the connection dies. | ||
1039 | As such, you probably want | ||
1040 | the | ||
1041 | .Cm ServerAliveInterval | ||
1042 | option as well. | ||
1003 | However, this means that | 1043 | However, this means that |
1004 | connections will die if the route is down temporarily, and some people | 1044 | connections will die if the route is down temporarily, and some people |
1005 | find it annoying. | 1045 | find it annoying. |
@@ -1051,6 +1091,23 @@ is not specified, it defaults to | |||
1051 | .Dq any . | 1091 | .Dq any . |
1052 | The default is | 1092 | The default is |
1053 | .Dq any:any . | 1093 | .Dq any:any . |
1094 | .It Cm UseBlacklistedKeys | ||
1095 | Specifies whether | ||
1096 | .Xr ssh 1 | ||
1097 | should use keys recorded in its blacklist of known-compromised keys (see | ||
1098 | .Xr ssh-vulnkey 1 ) | ||
1099 | for authentication. | ||
1100 | If | ||
1101 | .Dq yes , | ||
1102 | then attempts to use compromised keys for authentication will be logged but | ||
1103 | accepted. | ||
1104 | It is strongly recommended that this be used only to install new authorized | ||
1105 | keys on the remote system, and even then only with the utmost care. | ||
1106 | If | ||
1107 | .Dq no , | ||
1108 | then attempts to use compromised keys for authentication will be prevented. | ||
1109 | The default is | ||
1110 | .Dq no . | ||
1054 | .It Cm UsePrivilegedPort | 1111 | .It Cm UsePrivilegedPort |
1055 | Specifies whether to use a privileged port for outgoing connections. | 1112 | Specifies whether to use a privileged port for outgoing connections. |
1056 | The argument must be | 1113 | The argument must be |
@@ -1167,6 +1224,8 @@ The format of this file is described above. | |||
1167 | This file is used by the SSH client. | 1224 | This file is used by the SSH client. |
1168 | Because of the potential for abuse, this file must have strict permissions: | 1225 | Because of the potential for abuse, this file must have strict permissions: |
1169 | read/write for the user, and not accessible by others. | 1226 | read/write for the user, and not accessible by others. |
1227 | It may be group-writable provided that the group in question contains only | ||
1228 | the user. | ||
1170 | .It Pa /etc/ssh/ssh_config | 1229 | .It Pa /etc/ssh/ssh_config |
1171 | Systemwide configuration file. | 1230 | Systemwide configuration file. |
1172 | This file provides defaults for those | 1231 | This file provides defaults for those |
diff --git a/sshconnect.c b/sshconnect.c index 9de52224d..b6fea4d7e 100644 --- a/sshconnect.c +++ b/sshconnect.c | |||
@@ -141,7 +141,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) | |||
141 | 141 | ||
142 | /* Execute the proxy command. Note that we gave up any | 142 | /* Execute the proxy command. Note that we gave up any |
143 | extra privileges above. */ | 143 | extra privileges above. */ |
144 | execv(argv[0], argv); | 144 | execvp(argv[0], argv); |
145 | perror(argv[0]); | 145 | perror(argv[0]); |
146 | exit(1); | 146 | exit(1); |
147 | } | 147 | } |
@@ -542,7 +542,7 @@ ssh_exchange_identification(int timeout_ms) | |||
542 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", | 542 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", |
543 | compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, | 543 | compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, |
544 | compat20 ? PROTOCOL_MINOR_2 : minor1, | 544 | compat20 ? PROTOCOL_MINOR_2 : minor1, |
545 | SSH_VERSION, compat20 ? "\r\n" : "\n"); | 545 | SSH_RELEASE, compat20 ? "\r\n" : "\n"); |
546 | if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) | 546 | if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf)) |
547 | != strlen(buf)) | 547 | != strlen(buf)) |
548 | fatal("write: %.100s", strerror(errno)); | 548 | fatal("write: %.100s", strerror(errno)); |
@@ -1243,7 +1243,7 @@ ssh_local_cmd(const char *args) | |||
1243 | pid = fork(); | 1243 | pid = fork(); |
1244 | if (pid == 0) { | 1244 | if (pid == 0) { |
1245 | debug3("Executing %s -c \"%s\"", shell, args); | 1245 | debug3("Executing %s -c \"%s\"", shell, args); |
1246 | execl(shell, shell, "-c", args, (char *)NULL); | 1246 | execlp(shell, shell, "-c", args, (char *)NULL); |
1247 | error("Couldn't execute %s -c \"%s\": %s", | 1247 | error("Couldn't execute %s -c \"%s\": %s", |
1248 | shell, args, strerror(errno)); | 1248 | shell, args, strerror(errno)); |
1249 | _exit(1); | 1249 | _exit(1); |
diff --git a/sshconnect2.c b/sshconnect2.c index 5bf11c085..f10f6bf8c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
@@ -1418,6 +1418,8 @@ pubkey_prepare(Authctxt *authctxt) | |||
1418 | 1418 | ||
1419 | /* list of keys stored in the filesystem */ | 1419 | /* list of keys stored in the filesystem */ |
1420 | for (i = 0; i < options.num_identity_files; i++) { | 1420 | for (i = 0; i < options.num_identity_files; i++) { |
1421 | if (options.identity_files[i] == NULL) | ||
1422 | continue; | ||
1421 | key = options.identity_keys[i]; | 1423 | key = options.identity_keys[i]; |
1422 | if (key && key->type == KEY_RSA1) | 1424 | if (key && key->type == KEY_RSA1) |
1423 | continue; | 1425 | continue; |
@@ -1510,7 +1512,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
1510 | if (id->key && id->key->type != KEY_RSA1) { | 1512 | if (id->key && id->key->type != KEY_RSA1) { |
1511 | debug("Offering public key: %s", id->filename); | 1513 | debug("Offering public key: %s", id->filename); |
1512 | sent = send_pubkey_test(authctxt, id); | 1514 | sent = send_pubkey_test(authctxt, id); |
1513 | } else if (id->key == NULL) { | 1515 | } else if (id->key == NULL && id->filename) { |
1514 | debug("Trying private key: %s", id->filename); | 1516 | debug("Trying private key: %s", id->filename); |
1515 | id->key = load_identity_file(id->filename); | 1517 | id->key = load_identity_file(id->filename); |
1516 | if (id->key != NULL) { | 1518 | if (id->key != NULL) { |
@@ -70,7 +70,7 @@ over an insecure network. | |||
70 | .Nm | 70 | .Nm |
71 | listens for connections from clients. | 71 | listens for connections from clients. |
72 | It is normally started at boot from | 72 | It is normally started at boot from |
73 | .Pa /etc/rc . | 73 | .Pa /etc/init.d/ssh . |
74 | It forks a new | 74 | It forks a new |
75 | daemon for each incoming connection. | 75 | daemon for each incoming connection. |
76 | The forked daemons handle | 76 | The forked daemons handle |
@@ -835,7 +835,7 @@ This file is for host-based authentication (see | |||
835 | .Xr ssh 1 ) . | 835 | .Xr ssh 1 ) . |
836 | It should only be writable by root. | 836 | It should only be writable by root. |
837 | .Pp | 837 | .Pp |
838 | .It /etc/moduli | 838 | .It /etc/ssh/moduli |
839 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 839 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
840 | The file format is described in | 840 | The file format is described in |
841 | .Xr moduli 5 . | 841 | .Xr moduli 5 . |
@@ -928,9 +928,9 @@ The content of this file is not sensitive; it can be world-readable. | |||
928 | .Xr ssh-agent 1 , | 928 | .Xr ssh-agent 1 , |
929 | .Xr ssh-keygen 1 , | 929 | .Xr ssh-keygen 1 , |
930 | .Xr ssh-keyscan 1 , | 930 | .Xr ssh-keyscan 1 , |
931 | .Xr ssh-vulnkey 1 , | ||
931 | .Xr chroot 2 , | 932 | .Xr chroot 2 , |
932 | .Xr hosts_access 5 , | 933 | .Xr hosts_access 5 , |
933 | .Xr login.conf 5 , | ||
934 | .Xr moduli 5 , | 934 | .Xr moduli 5 , |
935 | .Xr sshd_config 5 , | 935 | .Xr sshd_config 5 , |
936 | .Xr inetd 8 , | 936 | .Xr inetd 8 , |
@@ -422,7 +422,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
422 | minor = PROTOCOL_MINOR_1; | 422 | minor = PROTOCOL_MINOR_1; |
423 | } | 423 | } |
424 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | 424 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, |
425 | SSH_VERSION, newline); | 425 | options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, |
426 | newline); | ||
426 | server_version_string = xstrdup(buf); | 427 | server_version_string = xstrdup(buf); |
427 | 428 | ||
428 | /* Send our protocol version identification. */ | 429 | /* Send our protocol version identification. */ |
@@ -1564,6 +1565,11 @@ main(int ac, char **av) | |||
1564 | sensitive_data.host_keys[i] = NULL; | 1565 | sensitive_data.host_keys[i] = NULL; |
1565 | continue; | 1566 | continue; |
1566 | } | 1567 | } |
1568 | if (auth_key_is_revoked(key, 1)) { | ||
1569 | key_free(key); | ||
1570 | sensitive_data.host_keys[i] = NULL; | ||
1571 | continue; | ||
1572 | } | ||
1567 | switch (key->type) { | 1573 | switch (key->type) { |
1568 | case KEY_RSA1: | 1574 | case KEY_RSA1: |
1569 | sensitive_data.ssh1_host_key = key; | 1575 | sensitive_data.ssh1_host_key = key; |
diff --git a/sshd_config b/sshd_config index 69ff6b600..56965d93b 100644 --- a/sshd_config +++ b/sshd_config | |||
@@ -36,6 +36,7 @@ | |||
36 | # Authentication: | 36 | # Authentication: |
37 | 37 | ||
38 | #LoginGraceTime 2m | 38 | #LoginGraceTime 2m |
39 | # See /usr/share/doc/openssh-server/README.Debian.gz. | ||
39 | #PermitRootLogin yes | 40 | #PermitRootLogin yes |
40 | #StrictModes yes | 41 | #StrictModes yes |
41 | #MaxAuthTries 6 | 42 | #MaxAuthTries 6 |
diff --git a/sshd_config.5 b/sshd_config.5 index 6e3c69d05..de447bce5 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -58,6 +58,33 @@ Arguments may optionally be enclosed in double quotes | |||
58 | .Pq \&" | 58 | .Pq \&" |
59 | in order to represent arguments containing spaces. | 59 | in order to represent arguments containing spaces. |
60 | .Pp | 60 | .Pp |
61 | Note that the Debian | ||
62 | .Ic openssh-server | ||
63 | package sets several options as standard in | ||
64 | .Pa /etc/ssh/sshd_config | ||
65 | which are not the default in | ||
66 | .Xr sshd 8 . | ||
67 | The exact list depends on whether the package was installed fresh or | ||
68 | upgraded from various possible previous versions, but includes at least the | ||
69 | following: | ||
70 | .Pp | ||
71 | .Bl -bullet -offset indent -compact | ||
72 | .It | ||
73 | .Cm Protocol No 2 | ||
74 | .It | ||
75 | .Cm ChallengeResponseAuthentication No no | ||
76 | .It | ||
77 | .Cm X11Forwarding No yes | ||
78 | .It | ||
79 | .Cm PrintMotd No no | ||
80 | .It | ||
81 | .Cm AcceptEnv No LANG LC_* | ||
82 | .It | ||
83 | .Cm Subsystem No sftp /usr/lib/openssh/sftp-server | ||
84 | .It | ||
85 | .Cm UsePAM No yes | ||
86 | .El | ||
87 | .Pp | ||
61 | The possible | 88 | The possible |
62 | keywords and their meanings are as follows (note that | 89 | keywords and their meanings are as follows (note that |
63 | keywords are case-insensitive and arguments are case-sensitive): | 90 | keywords are case-insensitive and arguments are case-sensitive): |
@@ -177,8 +204,7 @@ This option is only available for protocol version 2. | |||
177 | By default, no banner is displayed. | 204 | By default, no banner is displayed. |
178 | .It Cm ChallengeResponseAuthentication | 205 | .It Cm ChallengeResponseAuthentication |
179 | Specifies whether challenge-response authentication is allowed (e.g. via | 206 | Specifies whether challenge-response authentication is allowed (e.g. via |
180 | PAM or though authentication styles supported in | 207 | PAM). |
181 | .Xr login.conf 5 ) | ||
182 | The default is | 208 | The default is |
183 | .Dq yes . | 209 | .Dq yes . |
184 | .It Cm ChrootDirectory | 210 | .It Cm ChrootDirectory |
@@ -295,6 +321,11 @@ or | |||
295 | .Dq no . | 321 | .Dq no . |
296 | The default is | 322 | The default is |
297 | .Dq delayed . | 323 | .Dq delayed . |
324 | .It Cm DebianBanner | ||
325 | Specifies whether the distribution-specified extra version suffix is | ||
326 | included during initial protocol handshake. | ||
327 | The default is | ||
328 | .Dq yes . | ||
298 | .It Cm DenyGroups | 329 | .It Cm DenyGroups |
299 | This keyword can be followed by a list of group name patterns, separated | 330 | This keyword can be followed by a list of group name patterns, separated |
300 | by spaces. | 331 | by spaces. |
@@ -694,6 +725,20 @@ are refused if the number of unauthenticated connections reaches | |||
694 | Specifies whether password authentication is allowed. | 725 | Specifies whether password authentication is allowed. |
695 | The default is | 726 | The default is |
696 | .Dq yes . | 727 | .Dq yes . |
728 | .It Cm PermitBlacklistedKeys | ||
729 | Specifies whether | ||
730 | .Xr sshd 8 | ||
731 | should allow keys recorded in its blacklist of known-compromised keys (see | ||
732 | .Xr ssh-vulnkey 1 ) . | ||
733 | If | ||
734 | .Dq yes , | ||
735 | then attempts to authenticate with compromised keys will be logged but | ||
736 | accepted. | ||
737 | If | ||
738 | .Dq no , | ||
739 | then attempts to authenticate with compromised keys will be rejected. | ||
740 | The default is | ||
741 | .Dq no . | ||
697 | .It Cm PermitEmptyPasswords | 742 | .It Cm PermitEmptyPasswords |
698 | When password authentication is allowed, it specifies whether the | 743 | When password authentication is allowed, it specifies whether the |
699 | server allows login to accounts with empty password strings. | 744 | server allows login to accounts with empty password strings. |
@@ -922,6 +967,9 @@ This avoids infinitely hanging sessions. | |||
922 | .Pp | 967 | .Pp |
923 | To disable TCP keepalive messages, the value should be set to | 968 | To disable TCP keepalive messages, the value should be set to |
924 | .Dq no . | 969 | .Dq no . |
970 | .Pp | ||
971 | This option was formerly called | ||
972 | .Cm KeepAlive . | ||
925 | .It Cm TrustedUserCAKeys | 973 | .It Cm TrustedUserCAKeys |
926 | Specifies a file containing public keys of certificate authorities that are | 974 | Specifies a file containing public keys of certificate authorities that are |
927 | trusted to sign user certificates for authentication. | 975 | trusted to sign user certificates for authentication. |
@@ -3,4 +3,9 @@ | |||
3 | #define SSH_VERSION "OpenSSH_5.5" | 3 | #define SSH_VERSION "OpenSSH_5.5" |
4 | 4 | ||
5 | #define SSH_PORTABLE "p1" | 5 | #define SSH_PORTABLE "p1" |
6 | #define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 6 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |
7 | #ifdef SSH_EXTRAVERSION | ||
8 | #define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION | ||
9 | #else | ||
10 | #define SSH_RELEASE SSH_RELEASE_MINIMUM | ||
11 | #endif | ||