-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/NEWS | 12 | ||||
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/patches/restore-authorized_keys2.patch | 35 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | sshd_config | 5 |
6 files changed, 57 insertions, 5 deletions
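--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
+e18d2ba71e6bf009c53e65509da84b712c300471
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz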
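--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) UNRELEASED; urgency=medium
+
+This version restores the default for AuthorizedKeysFile to search both
+~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+Debian configurations before 1:7.4p1-1. Upstream intends to phase out
+searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+you are only using ~/.ssh/authorized_keys, at least for critical
+administrative access; do not assume that the current default will remain
+in place forever.
+
+-- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000
+
 openssh (1:7.4p1-1) unstable; urgency=medium
 
 OpenSSH 7.4 includes a number of changes that may affect existing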
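--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,11 @@ openssh (1:7.4p1-7) UNRELEASED; urgency=medium
 
 * Don't set "PermitRootLogin yes" on fresh installations (regression
 introduced in 1:7.4p1-1; closes: #852781).
+* Restore reading authorized_keys2 by default. Upstream seems to intend
+to gradually phase this out, so don't assume that this will remain the
+default forever. However, we were late in adopting the upstream
+sshd_config changes, so it makes sense to extend the grace period
+(closes: #852320).
 
 -- Colin Watson <cjwatson@debian.org> Sun, 29 Jan 2017 11:39:05 +0000
 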
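--- /dev/null
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 5 Mar 2017 02:02:11 +0000
+Subject: Restore reading authorized_keys2 by default
+
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever. However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+
+Patch-Name: restore-authorized_keys2.patch
+---
+sshd_config | 5 ++---
+1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -36,9 +36,8 @@
+
+#PubkeyAuthentication yes
+
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile .ssh/authorized_keys
++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+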
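--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@ regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
+restore-authorized_keys2.patch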
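--- a/sshd_config
+++ b/sshd_config
@@ -36,9 +36,8 @@
 
 #PubkeyAuthentication yes
 
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
 
 #AuthorizedPrincipalsFile none
 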
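Review bot: The replacement comment at new line 39 only says that authorized_keys2 may be dropped later; it no longer states that, with the directive commented out, sshd falls back to its built-in default and accepts keys from both files today. An administrator auditing login access needs that fact, because a key left in ~/.ssh/authorized_keys2 keeps working and is easy to miss when only authorized_keys is reviewed. I would word the comment as `# With this line commented out, sshd checks both .ssh/authorized_keys and .ssh/authorized_keys2.` followed by `# Set AuthorizedKeysFile to .ssh/authorized_keys alone to stop honouring authorized_keys2.` The same text is carried in debian/patches/restore-authorized_keys2.patch, so both copies would need the change. The built-in default itself is defined outside this diff and is assumed here from the wording of the removed comment.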