1 files changed, 257 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..73b7cfc89
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,257 @@
+OpenSSH for Debian
+------------------
+UPGRADE ISSUES
+==============
+Privilege Separation
+--------------------
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd. This now also works properly with PAM.
+Privilege separation is turned on by default, so, if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config.
+PermitRootLogin
+---------------
+As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
+without-password" (or the synonymous "PermitRootLogin prohibit-password" as
+of 1:7.1p1-1).  This disables password authentication for root, foiling
+password dictionary attacks on the root user.  Some sites may wish to use
+the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
+but note that "PermitRootLogin no" will break setups that SSH to root with a
+forced command to take full-system backups.  You can use PermitRootLogin in
+a Match block if you want finer-grained control here.
+For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
+line with upstream.  To avoid breaking local setups, this is still true for
+installations upgraded from before 1:6.6p1-1.  If you wish to change this,
+you should edit /etc/ssh/sshd_config, change it manually, and run "service
+ssh restart" as root.
+Disabling PermitRootLogin means that an attacker possessing credentials for
+the root account (any credentials in the case of "yes", or private key
+material in the case of "prohibit-password") must compromise a normal user
+account rather than being able to SSH directly to root.  Be careful to avoid
+a false illusion of security if you change this setting; any account you
+escalate to root from should be considered equivalent to root for the
+purposes of security against external attack.  You might for example disable
+it if you know you will only ever log in as root from the physical console.
+Since the root account does not generally have non-password credentials
+unless you explicitly install an SSH public key in its
+~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
+it, "prohibit-password" should be a reasonable default for most sites.
+As of OpenSSH 7.0, this is the upstream default.
+For further discussion, see:
+  https://bugs.debian.org/298138
+  https://bugzilla.mindrot.org/show_bug.cgi?id=2164
+X11 Forwarding
+--------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+In order for X11 forwarding to work, you need to install xauth on the
+server. In Debian this is in the xbase-clients package.
+As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
+the security risks of X11 forwarding. Look up X11UseLocalhost in
+sshd_config(8) if this is a problem.
+OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
+ssh client to create an untrusted X cookie so that attacks on the
+forwarded X11 connection can't become attacks on X clients on the remote
+machine. However, this has some problems in implementation - notably a
+very short timeout of the untrusted cookie - breaks large numbers of
+existing setups, and generally seems immature. The Debian package
+therefore sets the default for this option to "yes" (in ssh itself,
+rather than in ssh_config).
+Fallback to RSH
+---------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+Setgid ssh-agent and environment variables
+------------------------------------------
+As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
+attacks retrieving private key material. This has the side-effect of causing
+glibc to remove certain environment variables which might have security
+implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
+TMPDIR.
+If you need to set any of these environment variables, you will need to do
+so in the program exec()ed by ssh-agent. This may involve creating a small
+wrapper script.
+Symlink Hostname invocation
+---------------------------
+This version of ssh no longer includes support for invoking ssh with the
+hostname as the name of the file run.  People wanting this support should
+use the ssh-argv0 script.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+OTHER ISSUES
+============
+Authorization Forwarding
+------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+Problems logging in with RSA authentication
+-------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+  chmod g-w ~/
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+-L option of ssh nonfree
+------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh.
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the
+manpage to scp itself.
+Problem logging in because of TCP-Wrappers
+------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked.
+Kerberos support
+----------------
+ssh is now compiled with Kerberos support. Unfortunately, privilege
+separation is incompatible with parts of Kerberos support for protocol 2;
+you may need to run kinit after logging in.
+Interoperability between scp and the ssh.com SSH server
+-------------------------------------------------------
+In version 2 and greater of the commercial SSH server produced by SSH
+Communications Security, scp was changed to use SFTP (SSH2's file transfer
+protocol) instead of the traditional rcp-over-ssh, thereby breaking
+compatibility. The OpenSSH developers regard this as a bug in the ssh.com
+server, and do not currently intend to change OpenSSH's scp to match.
+Workarounds for this problem are to install scp1 on the server (scp2 will
+fall back to it), to use sftp, or to use some other transfer mechanism such
+as rsync-over-ssh or tar-over-ssh.
+Running sshd from inittab
+-------------------------
+Some people find it useful to run the sshd server from inittab, to make sure
+that it always stays running. To do this, stop sshd ('/etc/init.d/ssh
+stop'), add the following line to /etc/inittab, and run 'telinit q':
+  ss:2345:respawn:/usr/sbin/sshd -D
+If you do this, note that you will need to stop sshd being started in the
+normal way ('update-rc.d ssh disable') and that you will need to restart
+this sshd manually on upgrades.
+Per-connection sshd instances with systemd
+------------------------------------------
+If you want to reconfigure systemd to listen on port 22 itself and launch an
+instance of sshd for each connection (inetd-style socket activation), then
+you can run:
+  systemctl stop ssh.service
+  systemctl start ssh.socket
+To make this permanent:
+  systemctl disable ssh.service
+  systemctl enable ssh.socket
+This may be appropriate in environments where minimal footprint is critical
+(e.g. cloud guests).  Be aware that this bypasses MaxStartups, and systemd's
+MaxConnections cannot quite replace this as it cannot distinguish between
+authenticated and unauthenticated connections; see
+https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.
+The provided ssh.socket unit file sets ListenStream=22.  If you need to have
+it listen on a different address or port, then you will need to do this by
+copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
+modifying the ListenStream option.  See systemd.socket(5) for details.
+Terminating SSH sessions cleanly on shutdown/reboot with systemd
+----------------------------------------------------------------
+If you have libpam-systemd >= 230 installed (following openssh-server's
+Recommends) and "UsePAM yes" in sshd_config (the default configuration
+shipped by this package), then SSH sessions will be terminated cleanly when
+the server is shut down or rebooted.
+If either of these conditions does not hold, then you may find that SSH
+sessions hang silently when the server is shut down or rebooted.  If you do
+not want to use PAM or configure it properly for whatever reason, then you
+can instead copy
+/usr/share/doc/openssh-server/examples/ssh-session-cleanup.service to
+/etc/systemd/system/ and run "systemctl enable ssh-session-cleanup.service".
+Non-systemd users may find /usr/lib/openssh/ssh-session-cleanup helpful if
+they have a similar problem, although at present there is no system
+integration for this for anything other than systemd.
+SSH protocol 1 server support removed
+-------------------------------------
+sshd(8) no longer supports the old SSH protocol 1, so all the configuration
+options related to it are now deprecated and should be removed from
+/etc/ssh/sshd_config.  These are:
+  KeyRegenerationInterval
+  RSAAuthentication
+  RhostsRSAAuthentication
+  ServerKeyBits
+The Protocol option is also no longer needed, although it is silently
+ignored rather than deprecated.
+-- 
+Matthew Vernon <matthew@debian.org>
+Colin Watson <cjwatson@debian.org>

diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..73b7cfc89 --- /dev/null +++ b/debian/README.Debian
@@ -0,0 +1,257 @@
	1	OpenSSH for Debian
	2	------------------
	3
	4	UPGRADE ISSUES
	5	==============
	6
	7	Privilege Separation
	8	--------------------
	9
	10	As of 3.3, openssh has employed privilege separation to reduce the
	11	quantity of code that runs as root, thereby reducing the impact of
	12	some security holes in sshd. This now also works properly with PAM.
	13
	14	Privilege separation is turned on by default, so, if you decide you
	15	want it turned off, you need to add "UsePrivilegeSeparation no" to
	16	/etc/ssh/sshd_config.
	17
	18	PermitRootLogin
	19	---------------
	20
	21	As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
	22	without-password" (or the synonymous "PermitRootLogin prohibit-password" as
	23	of 1:7.1p1-1). This disables password authentication for root, foiling
	24	password dictionary attacks on the root user. Some sites may wish to use
	25	the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
	26	but note that "PermitRootLogin no" will break setups that SSH to root with a
	27	forced command to take full-system backups. You can use PermitRootLogin in
	28	a Match block if you want finer-grained control here.
	29
	30	For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
	31	line with upstream. To avoid breaking local setups, this is still true for
	32	installations upgraded from before 1:6.6p1-1. If you wish to change this,
	33	you should edit /etc/ssh/sshd_config, change it manually, and run "service
	34	ssh restart" as root.
	35
	36	Disabling PermitRootLogin means that an attacker possessing credentials for
	37	the root account (any credentials in the case of "yes", or private key
	38	material in the case of "prohibit-password") must compromise a normal user
	39	account rather than being able to SSH directly to root. Be careful to avoid
	40	a false illusion of security if you change this setting; any account you
	41	escalate to root from should be considered equivalent to root for the
	42	purposes of security against external attack. You might for example disable
	43	it if you know you will only ever log in as root from the physical console.
	44
	45	Since the root account does not generally have non-password credentials
	46	unless you explicitly install an SSH public key in its
	47	~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
	48	it, "prohibit-password" should be a reasonable default for most sites.
	49
	50	As of OpenSSH 7.0, this is the upstream default.
	51
	52	For further discussion, see:
	53
	54	https://bugs.debian.org/298138
	55	https://bugzilla.mindrot.org/show_bug.cgi?id=2164
	56
	57	X11 Forwarding
	58	--------------
	59
	60	ssh's default for ForwardX11 has been changed to ``no'' because it has
	61	been pointed out that logging into remote systems administered by
	62	untrusted people is likely to open you up to X11 attacks, so you
	63	should have to actively decide that you trust the remote machine's
	64	root, before enabling X11. I strongly recommend that you do this on a
	65	machine-by-machine basis, rather than just enabling it in the default
	66	host settings.
	67
	68	In order for X11 forwarding to work, you need to install xauth on the
	69	server. In Debian this is in the xbase-clients package.
	70
	71	As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
	72	the security risks of X11 forwarding. Look up X11UseLocalhost in
	73	sshd_config(8) if this is a problem.
	74
	75	OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
	76	ssh client to create an untrusted X cookie so that attacks on the
	77	forwarded X11 connection can't become attacks on X clients on the remote
	78	machine. However, this has some problems in implementation - notably a
	79	very short timeout of the untrusted cookie - breaks large numbers of
	80	existing setups, and generally seems immature. The Debian package
	81	therefore sets the default for this option to "yes" (in ssh itself,
	82	rather than in ssh_config).
	83
	84	Fallback to RSH
	85	---------------
	86
	87	The default for this setting has been changed from Yes to No, for
	88	security reasons, and to stop the delay attempting to rsh to machines
	89	that don't offer the service. Simply switch it back on in either
	90	/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
	91	it for.
	92
	93	Setgid ssh-agent and environment variables
	94	------------------------------------------
	95
	96	As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
	97	attacks retrieving private key material. This has the side-effect of causing
	98	glibc to remove certain environment variables which might have security
	99	implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
	100	TMPDIR.
	101
	102	If you need to set any of these environment variables, you will need to do
	103	so in the program exec()ed by ssh-agent. This may involve creating a small
	104	wrapper script.
	105
	106	Symlink Hostname invocation
	107	---------------------------
	108
	109	This version of ssh no longer includes support for invoking ssh with the
	110	hostname as the name of the file run. People wanting this support should
	111	use the ssh-argv0 script.
	112
	113	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	114
	115	OTHER ISSUES
	116	============
	117
	118	Authorization Forwarding
	119	------------------------
	120
	121	Similarly, root on a remote server could make use of your ssh-agent
	122	(while you're logged into their machine) to obtain access to machines
	123	which trust your keys. This feature is therefore disabled by default.
	124	You should only re-enable it for those hosts (in your ~/.ssh/config or
	125	/etc/ssh/ssh_config) where you are confident that the remote machine
	126	is not a threat.
	127
	128	Problems logging in with RSA authentication
	129	-------------------------------------------
	130
	131	If you have trouble logging in with RSA authentication then the
	132	problem is probably caused by the fact that you have your home
	133	directory writable by group, as well as user (this is the default on
	134	Debian systems).
	135
	136	Depending upon other settings on your system (i.e. other users being
	137	in your group) this could open a security hole, so you will need to
	138	make your home directory writable only by yourself. Run this command,
	139	as yourself:
	140
	141	chmod g-w ~/
	142
	143	to remove group write permissions. If you use ssh-copy-id to install your
	144	keys, it does this for you.
	145
	146	-L option of ssh nonfree
	147	------------------------
	148
	149	non-free ssh supported the usage of the option -L to use a non privileged
	150	port for scp. This option will not be supported by scp from openssh.
	151
	152	Please use instead scp -o "UsePrivilegedPort=no" as documented in the
	153	manpage to scp itself.
	154
	155	Problem logging in because of TCP-Wrappers
	156	------------------------------------------
	157
	158	ssh is compiled with support for tcp-wrappers. So if you can no longer
	159	log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
	160	are configured so that ssh is not blocked.
	161
	162	Kerberos support
	163	----------------
	164
	165	ssh is now compiled with Kerberos support. Unfortunately, privilege
	166	separation is incompatible with parts of Kerberos support for protocol 2;
	167	you may need to run kinit after logging in.
	168
	169	Interoperability between scp and the ssh.com SSH server
	170	-------------------------------------------------------
	171
	172	In version 2 and greater of the commercial SSH server produced by SSH
	173	Communications Security, scp was changed to use SFTP (SSH2's file transfer
	174	protocol) instead of the traditional rcp-over-ssh, thereby breaking
	175	compatibility. The OpenSSH developers regard this as a bug in the ssh.com
	176	server, and do not currently intend to change OpenSSH's scp to match.
	177
	178	Workarounds for this problem are to install scp1 on the server (scp2 will
	179	fall back to it), to use sftp, or to use some other transfer mechanism such
	180	as rsync-over-ssh or tar-over-ssh.
	181
	182	Running sshd from inittab
	183	-------------------------
	184
	185	Some people find it useful to run the sshd server from inittab, to make sure
	186	that it always stays running. To do this, stop sshd ('/etc/init.d/ssh
	187	stop'), add the following line to /etc/inittab, and run 'telinit q':
	188
	189	ss:2345:respawn:/usr/sbin/sshd -D
	190
	191	If you do this, note that you will need to stop sshd being started in the
	192	normal way ('update-rc.d ssh disable') and that you will need to restart
	193	this sshd manually on upgrades.
	194
	195	Per-connection sshd instances with systemd
	196	------------------------------------------
	197
	198	If you want to reconfigure systemd to listen on port 22 itself and launch an
	199	instance of sshd for each connection (inetd-style socket activation), then
	200	you can run:
	201
	202	systemctl stop ssh.service
	203	systemctl start ssh.socket
	204
	205	To make this permanent:
	206
	207	systemctl disable ssh.service
	208	systemctl enable ssh.socket
	209
	210	This may be appropriate in environments where minimal footprint is critical
	211	(e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
	212	MaxConnections cannot quite replace this as it cannot distinguish between
	213	authenticated and unauthenticated connections; see
	214	https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.
	215
	216	The provided ssh.socket unit file sets ListenStream=22. If you need to have
	217	it listen on a different address or port, then you will need to do this by
	218	copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
	219	modifying the ListenStream option. See systemd.socket(5) for details.
	220
	221	Terminating SSH sessions cleanly on shutdown/reboot with systemd
	222	----------------------------------------------------------------
	223
	224	If you have libpam-systemd >= 230 installed (following openssh-server's
	225	Recommends) and "UsePAM yes" in sshd_config (the default configuration
	226	shipped by this package), then SSH sessions will be terminated cleanly when
	227	the server is shut down or rebooted.
	228
	229	If either of these conditions does not hold, then you may find that SSH
	230	sessions hang silently when the server is shut down or rebooted. If you do
	231	not want to use PAM or configure it properly for whatever reason, then you
	232	can instead copy
	233	/usr/share/doc/openssh-server/examples/ssh-session-cleanup.service to
	234	/etc/systemd/system/ and run "systemctl enable ssh-session-cleanup.service".
	235
	236	Non-systemd users may find /usr/lib/openssh/ssh-session-cleanup helpful if
	237	they have a similar problem, although at present there is no system
	238	integration for this for anything other than systemd.
	239
	240	SSH protocol 1 server support removed
	241	-------------------------------------
	242
	243	sshd(8) no longer supports the old SSH protocol 1, so all the configuration
	244	options related to it are now deprecated and should be removed from
	245	/etc/ssh/sshd_config. These are:
	246
	247	KeyRegenerationInterval
	248	RSAAuthentication
	249	RhostsRSAAuthentication
	250	ServerKeyBits
	251
	252	The Protocol option is also no longer needed, although it is silently
	253	ignored rather than deprecated.
	254
	255	--
	256	Matthew Vernon <matthew@debian.org>
	257	Colin Watson <cjwatson@debian.org>