1 files changed, 226 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..b9efeb9f5
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,226 @@
+OpenSSH for Debian
+------------------
+UPGRADE ISSUES
+==============
+Privilege Separation
+--------------------
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd. This now also works properly with PAM.
+Privilege separation is turned on by default, so, if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config.
+PermitRootLogin set to yes
+--------------------------
+This is now the default setting (in line with upstream), and people
+who asked for an automatically-generated configuration file when
+upgrading from potato (or on a new install) will have this setting in
+their /etc/ssh/sshd_config file.
+Should you wish to change this setting, edit /etc/ssh/sshd_config, and
+change:
+PermitRootLogin yes
+to:
+PermitRootLogin no
+Having PermitRootLogin set to yes means that an attacker that knows
+the root password can ssh in directly (without having to go via a user
+account). If you set it to no, then they must compromise a normal user
+account. In the vast majority of cases, this does not give added
+security; remember that any account you su to root from is equivalent
+to root - compromising this account gives an attacker access to root
+easily. If you only ever log in as root from the physical console,
+then you probably want to set this value to no.
+As an aside, PermitRootLogin can also be set to "without-password" or
+"forced-commands-only" - see sshd(8) for more details.
+DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
+The argument above is somewhat condensed; I have had this discussion
+at great length with many people. If you think the default is
+incorrect, and feel strongly enough to want to argue about it, then
+send email to debian-ssh@lists.debian.org. I will close bug reports
+claiming the default is incorrect.
+X11 Forwarding
+--------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+In order for X11 forwarding to work, you need to install xauth on the
+server. In Debian this is in the xbase-clients package.
+As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
+the security risks of X11 forwarding. Look up X11UseLocalhost in
+sshd_config(8) if this is a problem.
+OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
+ssh client to create an untrusted X cookie so that attacks on the
+forwarded X11 connection can't become attacks on X clients on the remote
+machine. However, this has some problems in implementation - notably a
+very short timeout of the untrusted cookie - breaks large numbers of
+existing setups, and generally seems immature. The Debian package
+therefore sets the default for this option to "yes" (in ssh itself,
+rather than in ssh_config).
+Fallback to RSH
+---------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+Setgid ssh-agent and environment variables
+------------------------------------------
+As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
+attacks retrieving private key material. This has the side-effect of causing
+glibc to remove certain environment variables which might have security
+implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
+TMPDIR.
+If you need to set any of these environment variables, you will need to do
+so in the program exec()ed by ssh-agent. This may involve creating a small
+wrapper script.
+Symlink Hostname invocation
+---------------------------
+This version of ssh no longer includes support for invoking ssh with the
+hostname as the name of the file run.  People wanting this support should
+use the ssh-argv0 script.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+OTHER ISSUES
+============
+/usr/bin/ssh not SUID
+---------------------
+Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
+is SUID.  Until this is fixed, if that is a problem, use:
+   dpkg-statoverride
+or if that's also missing, use this:
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+Authorization Forwarding
+------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+Problems logging in with RSA authentication
+-------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+  chmod g-w ~/
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+-L option of ssh nonfree
+------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh.
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the
+manpage to scp itself.
+Problem logging in because of TCP-Wrappers
+------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked.
+Kerberos support
+----------------
+ssh is now compiled with Kerberos support. Unfortunately, privilege
+separation is incompatible with Kerberos support for SSH protocol 1 and
+parts of the support for protocol 2; you may need to run kinit after logging
+in.
+Interoperability between scp and the ssh.com SSH server
+-------------------------------------------------------
+In version 2 and greater of the commercial SSH server produced by SSH
+Communications Security, scp was changed to use SFTP (SSH2's file transfer
+protocol) instead of the traditional rcp-over-ssh, thereby breaking
+compatibility. The OpenSSH developers regard this as a bug in the ssh.com
+server, and do not currently intend to change OpenSSH's scp to match.
+Workarounds for this problem are to install scp1 on the server (scp2 will
+fall back to it), to use sftp, or to use some other transfer mechanism such
+as rsync-over-ssh or tar-over-ssh.
+Running sshd from inittab
+-------------------------
+Some people find it useful to run the sshd server from inittab, to make sure
+that it always stays running. To do this, stop sshd ('/etc/init.d/ssh
+stop'), add the following line to /etc/inittab, and run 'telinit q':
+  ss:2345:respawn:/usr/sbin/sshd -D
+If you do this, note that you will need to stop sshd being started in the
+normal way ('rm -f /etc/rc[2345].d/S16ssh') and that you will need to
+restart this sshd manually on upgrades.
+systemd socket activation
+-------------------------
+If you want to reconfigure systemd to launch sshd using socket activation,
+then you can run:
+  systemctl stop ssh.service
+  systemctl start ssh.socket
+To make this permanent:
+  systemctl disable ssh.service
+  systemctl enable ssh.socket
+This may be appropriate in environments where minimal footprint is critical
+(e.g. cloud guests).  Be aware that this bypasses MaxStartups, and systemd's
+MaxConnections cannot quite replace this as it cannot distinguish between
+authenticated and unauthenticated connections; see
+https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.
+-- 
+Matthew Vernon <matthew@debian.org>
+Colin Watson <cjwatson@debian.org>

diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..b9efeb9f5 --- /dev/null +++ b/debian/README.Debian
@@ -0,0 +1,226 @@
	1	OpenSSH for Debian
	2	------------------
	3
	4	UPGRADE ISSUES
	5	==============
	6
	7	Privilege Separation
	8	--------------------
	9
	10	As of 3.3, openssh has employed privilege separation to reduce the
	11	quantity of code that runs as root, thereby reducing the impact of
	12	some security holes in sshd. This now also works properly with PAM.
	13
	14	Privilege separation is turned on by default, so, if you decide you
	15	want it turned off, you need to add "UsePrivilegeSeparation no" to
	16	/etc/ssh/sshd_config.
	17
	18	PermitRootLogin set to yes
	19	--------------------------
	20
	21	This is now the default setting (in line with upstream), and people
	22	who asked for an automatically-generated configuration file when
	23	upgrading from potato (or on a new install) will have this setting in
	24	their /etc/ssh/sshd_config file.
	25
	26	Should you wish to change this setting, edit /etc/ssh/sshd_config, and
	27	change:
	28	PermitRootLogin yes
	29	to:
	30	PermitRootLogin no
	31
	32	Having PermitRootLogin set to yes means that an attacker that knows
	33	the root password can ssh in directly (without having to go via a user
	34	account). If you set it to no, then they must compromise a normal user
	35	account. In the vast majority of cases, this does not give added
	36	security; remember that any account you su to root from is equivalent
	37	to root - compromising this account gives an attacker access to root
	38	easily. If you only ever log in as root from the physical console,
	39	then you probably want to set this value to no.
	40
	41	As an aside, PermitRootLogin can also be set to "without-password" or
	42	"forced-commands-only" - see sshd(8) for more details.
	43
	44	DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
	45
	46	The argument above is somewhat condensed; I have had this discussion
	47	at great length with many people. If you think the default is
	48	incorrect, and feel strongly enough to want to argue about it, then
	49	send email to debian-ssh@lists.debian.org. I will close bug reports
	50	claiming the default is incorrect.
	51
	52	X11 Forwarding
	53	--------------
	54
	55	ssh's default for ForwardX11 has been changed to ``no'' because it has
	56	been pointed out that logging into remote systems administered by
	57	untrusted people is likely to open you up to X11 attacks, so you
	58	should have to actively decide that you trust the remote machine's
	59	root, before enabling X11. I strongly recommend that you do this on a
	60	machine-by-machine basis, rather than just enabling it in the default
	61	host settings.
	62
	63	In order for X11 forwarding to work, you need to install xauth on the
	64	server. In Debian this is in the xbase-clients package.
	65
	66	As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
	67	the security risks of X11 forwarding. Look up X11UseLocalhost in
	68	sshd_config(8) if this is a problem.
	69
	70	OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
	71	ssh client to create an untrusted X cookie so that attacks on the
	72	forwarded X11 connection can't become attacks on X clients on the remote
	73	machine. However, this has some problems in implementation - notably a
	74	very short timeout of the untrusted cookie - breaks large numbers of
	75	existing setups, and generally seems immature. The Debian package
	76	therefore sets the default for this option to "yes" (in ssh itself,
	77	rather than in ssh_config).
	78
	79	Fallback to RSH
	80	---------------
	81
	82	The default for this setting has been changed from Yes to No, for
	83	security reasons, and to stop the delay attempting to rsh to machines
	84	that don't offer the service. Simply switch it back on in either
	85	/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
	86	it for.
	87
	88	Setgid ssh-agent and environment variables
	89	------------------------------------------
	90
	91	As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
	92	attacks retrieving private key material. This has the side-effect of causing
	93	glibc to remove certain environment variables which might have security
	94	implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
	95	TMPDIR.
	96
	97	If you need to set any of these environment variables, you will need to do
	98	so in the program exec()ed by ssh-agent. This may involve creating a small
	99	wrapper script.
	100
	101	Symlink Hostname invocation
	102	---------------------------
	103
	104	This version of ssh no longer includes support for invoking ssh with the
	105	hostname as the name of the file run. People wanting this support should
	106	use the ssh-argv0 script.
	107
	108	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	109
	110	OTHER ISSUES
	111	============
	112
	113	/usr/bin/ssh not SUID
	114	---------------------
	115
	116	Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
	117	is SUID. Until this is fixed, if that is a problem, use:
	118
	119	dpkg-statoverride
	120
	121	or if that's also missing, use this:
	122
	123	chown root.root /usr/bin/ssh
	124	chmod 04755 /usr/bin/ssh
	125
	126	Authorization Forwarding
	127	------------------------
	128
	129	Similarly, root on a remote server could make use of your ssh-agent
	130	(while you're logged into their machine) to obtain access to machines
	131	which trust your keys. This feature is therefore disabled by default.
	132	You should only re-enable it for those hosts (in your ~/.ssh/config or
	133	/etc/ssh/ssh_config) where you are confident that the remote machine
	134	is not a threat.
	135
	136	Problems logging in with RSA authentication
	137	-------------------------------------------
	138
	139	If you have trouble logging in with RSA authentication then the
	140	problem is probably caused by the fact that you have your home
	141	directory writable by group, as well as user (this is the default on
	142	Debian systems).
	143
	144	Depending upon other settings on your system (i.e. other users being
	145	in your group) this could open a security hole, so you will need to
	146	make your home directory writable only by yourself. Run this command,
	147	as yourself:
	148
	149	chmod g-w ~/
	150
	151	to remove group write permissions. If you use ssh-copy-id to install your
	152	keys, it does this for you.
	153
	154	-L option of ssh nonfree
	155	------------------------
	156
	157	non-free ssh supported the usage of the option -L to use a non privileged
	158	port for scp. This option will not be supported by scp from openssh.
	159
	160	Please use instead scp -o "UsePrivilegedPort=no" as documented in the
	161	manpage to scp itself.
	162
	163	Problem logging in because of TCP-Wrappers
	164	------------------------------------------
	165
	166	ssh is compiled with support for tcp-wrappers. So if you can no longer
	167	log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
	168	are configured so that ssh is not blocked.
	169
	170	Kerberos support
	171	----------------
	172
	173	ssh is now compiled with Kerberos support. Unfortunately, privilege
	174	separation is incompatible with Kerberos support for SSH protocol 1 and
	175	parts of the support for protocol 2; you may need to run kinit after logging
	176	in.
	177
	178	Interoperability between scp and the ssh.com SSH server
	179	-------------------------------------------------------
	180
	181	In version 2 and greater of the commercial SSH server produced by SSH
	182	Communications Security, scp was changed to use SFTP (SSH2's file transfer
	183	protocol) instead of the traditional rcp-over-ssh, thereby breaking
	184	compatibility. The OpenSSH developers regard this as a bug in the ssh.com
	185	server, and do not currently intend to change OpenSSH's scp to match.
	186
	187	Workarounds for this problem are to install scp1 on the server (scp2 will
	188	fall back to it), to use sftp, or to use some other transfer mechanism such
	189	as rsync-over-ssh or tar-over-ssh.
	190
	191	Running sshd from inittab
	192	-------------------------
	193
	194	Some people find it useful to run the sshd server from inittab, to make sure
	195	that it always stays running. To do this, stop sshd ('/etc/init.d/ssh
	196	stop'), add the following line to /etc/inittab, and run 'telinit q':
	197
	198	ss:2345:respawn:/usr/sbin/sshd -D
	199
	200	If you do this, note that you will need to stop sshd being started in the
	201	normal way ('rm -f /etc/rc[2345].d/S16ssh') and that you will need to
	202	restart this sshd manually on upgrades.
	203
	204	systemd socket activation
	205	-------------------------
	206
	207	If you want to reconfigure systemd to launch sshd using socket activation,
	208	then you can run:
	209
	210	systemctl stop ssh.service
	211	systemctl start ssh.socket
	212
	213	To make this permanent:
	214
	215	systemctl disable ssh.service
	216	systemctl enable ssh.socket
	217
	218	This may be appropriate in environments where minimal footprint is critical
	219	(e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
	220	MaxConnections cannot quite replace this as it cannot distinguish between
	221	authenticated and unauthenticated connections; see
	222	https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.
	223
	224	--
	225	Matthew Vernon <matthew@debian.org>
	226	Colin Watson <cjwatson@debian.org>