1 files changed, 234 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..f37cce4b0
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,234 @@
+OpenSSH for Debian
+------------------
+UPGRADE ISSUES
+==============
+Privilege Separation
+--------------------
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd. This now also works properly with PAM.
+Privilege separation is turned on by default, so, if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config.
+PermitRootLogin set to yes
+--------------------------
+This is now the default setting (in line with upstream), and people
+who asked for an automatically-generated configuration file when
+upgrading from potato (or on a new install) will have this setting in
+their /etc/ssh/sshd_config file.
+Should you wish to change this setting, edit /etc/ssh/sshd_config, and
+change:
+PermitRootLogin yes
+to:
+PermitRootLogin no
+Having PermitRootLogin set to yes means that an attacker that knows
+the root password can ssh in directly (without having to go via a user
+account). If you set it to no, then they must compromise a normal user
+account. In the vast majority of cases, this does not give added
+security; remember that any account you su to root from is equivalent
+to root - compromising this account gives an attacker access to root
+easily. If you only ever log in as root from the physical console,
+then you probably want to set this value to no.
+As an aside, PermitRootLogin can also be set to "without-password" or
+"forced-commands-only" - see sshd(8) for more details.
+DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
+The argument above is somewhat condensed; I have had this discussion
+at great length with many people. If you think the default is
+incorrect, and feel strongly enough to want to argue about it, then
+send email to debian-ssh@lists.debian.org. I will close bug reports
+claiming the default is incorrect.
+SSH now uses protocol 2 by default
+----------------------------------
+This means all your keyfiles you used for protocol version 1 need to
+be re-generated. The server keys are done automatically, but for RSA
+authentication, please read the ssh-keygen manpage.
+If you have an automatically generated configuration file, and decide
+at a later stage that you do want to support protocol version 1 (not
+recommended, but note that the ssh client shipped with Debian potato
+only supported protocol version 1), then you need to do the following:
+Change /etc/ssh/sshd_config such that:
+Protocol 2
+becomes:
+Protocol 2,1
+Also add the line:
+HostKey /etc/ssh/ssh_host_key
+If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key,
+you will need to generate one. To do so, run this command as root:
+  ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1
+As of openssh-server 1:4.1p1-2, the option to support protocol version 1
+is no longer available via debconf. You must edit the configuration file
+instead.
+X11 Forwarding
+--------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+In order for X11 forwarding to work, you need to install xauth on the
+server. In Debian this is in the xbase-clients package.
+As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
+the security risks of X11 forwarding. Look up X11UseLocalhost in
+sshd_config(8) if this is a problem.
+OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
+ssh client to create an untrusted X cookie so that attacks on the
+forwarded X11 connection can't become attacks on X clients on the remote
+machine. However, this has some problems in implementation - notably a
+very short timeout of the untrusted cookie - breaks large numbers of
+existing setups, and generally seems immature. The Debian package
+therefore sets the default for this option to "yes" (in ssh itself,
+rather than in ssh_config).
+Fallback to RSH
+---------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+Setgid ssh-agent and environment variables
+------------------------------------------
+As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
+attacks retrieving private key material. This has the side-effect of causing
+glibc to remove certain environment variables which might have security
+implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
+TMPDIR.
+If you need to set any of these environment variables, you will need to do
+so in the program exec()ed by ssh-agent. This may involve creating a small
+wrapper script.
+Symlink Hostname invocation
+---------------------------
+This version of ssh no longer includes support for invoking ssh with the
+hostname as the name of the file run.  People wanting this support should
+use the ssh-argv0 script.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+OTHER ISSUES
+============
+/usr/bin/ssh not SUID
+---------------------
+Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
+is SUID.  Until this is fixed, if that is a problem, use:
+   dpkg-statoverride
+or if that's also missing, use this:
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+Authorization Forwarding
+------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+Problems logging in with RSA authentication
+-------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+  chmod g-w ~/
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+-L option of ssh nonfree
+------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh.
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the
+manpage to scp itself.
+Problem logging in because of TCP-Wrappers
+------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked.
+Kerberos support
+----------------
+ssh is now compiled with Kerberos support. Unfortunately, privilege
+separation is incompatible with Kerberos support for SSH protocol 1 and
+parts of the support for protocol 2; you may need to run kinit after logging
+in.
+Interoperability between scp and the ssh.com SSH server
+-------------------------------------------------------
+In version 2 and greater of the commercial SSH server produced by SSH
+Communications Security, scp was changed to use SFTP (SSH2's file transfer
+protocol) instead of the traditional rcp-over-ssh, thereby breaking
+compatibility. The OpenSSH developers regard this as a bug in the ssh.com
+server, and do not currently intend to change OpenSSH's scp to match.
+Workarounds for this problem are to install scp1 on the server (scp2 will
+fall back to it), to use sftp, or to use some other transfer mechanism such
+as rsync-over-ssh or tar-over-ssh.
+Running sshd from inittab
+-------------------------
+Some people find it useful to run the sshd server from inittab, to make sure
+that it always stays running. To do this, stop sshd ('/etc/init.d/ssh
+stop'), add the following line to /etc/inittab, and run 'telinit q':
+  ss:2345:respawn:/usr/sbin/sshd -D
+If you do this, note that you will need to stop sshd being started in the
+normal way ('rm -f /etc/rc[2345].d/S16ssh') and that you will need to
+restart this sshd manually on upgrades.
+-- 
+Matthew Vernon <matthew@debian.org>
+Colin Watson <cjwatson@debian.org>

diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..f37cce4b0 --- /dev/null +++ b/debian/README.Debian
@@ -0,0 +1,234 @@
	1	OpenSSH for Debian
	2	------------------
	3
	4	UPGRADE ISSUES
	5	==============
	6
	7	Privilege Separation
	8	--------------------
	9
	10	As of 3.3, openssh has employed privilege separation to reduce the
	11	quantity of code that runs as root, thereby reducing the impact of
	12	some security holes in sshd. This now also works properly with PAM.
	13
	14	Privilege separation is turned on by default, so, if you decide you
	15	want it turned off, you need to add "UsePrivilegeSeparation no" to
	16	/etc/ssh/sshd_config.
	17
	18	PermitRootLogin set to yes
	19	--------------------------
	20
	21	This is now the default setting (in line with upstream), and people
	22	who asked for an automatically-generated configuration file when
	23	upgrading from potato (or on a new install) will have this setting in
	24	their /etc/ssh/sshd_config file.
	25
	26	Should you wish to change this setting, edit /etc/ssh/sshd_config, and
	27	change:
	28	PermitRootLogin yes
	29	to:
	30	PermitRootLogin no
	31
	32	Having PermitRootLogin set to yes means that an attacker that knows
	33	the root password can ssh in directly (without having to go via a user
	34	account). If you set it to no, then they must compromise a normal user
	35	account. In the vast majority of cases, this does not give added
	36	security; remember that any account you su to root from is equivalent
	37	to root - compromising this account gives an attacker access to root
	38	easily. If you only ever log in as root from the physical console,
	39	then you probably want to set this value to no.
	40
	41	As an aside, PermitRootLogin can also be set to "without-password" or
	42	"forced-commands-only" - see sshd(8) for more details.
	43
	44	DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
	45
	46	The argument above is somewhat condensed; I have had this discussion
	47	at great length with many people. If you think the default is
	48	incorrect, and feel strongly enough to want to argue about it, then
	49	send email to debian-ssh@lists.debian.org. I will close bug reports
	50	claiming the default is incorrect.
	51
	52	SSH now uses protocol 2 by default
	53	----------------------------------
	54
	55	This means all your keyfiles you used for protocol version 1 need to
	56	be re-generated. The server keys are done automatically, but for RSA
	57	authentication, please read the ssh-keygen manpage.
	58
	59	If you have an automatically generated configuration file, and decide
	60	at a later stage that you do want to support protocol version 1 (not
	61	recommended, but note that the ssh client shipped with Debian potato
	62	only supported protocol version 1), then you need to do the following:
	63
	64	Change /etc/ssh/sshd_config such that:
	65	Protocol 2
	66	becomes:
	67	Protocol 2,1
	68	Also add the line:
	69	HostKey /etc/ssh/ssh_host_key
	70
	71	If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key,
	72	you will need to generate one. To do so, run this command as root:
	73
	74	ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1
	75
	76	As of openssh-server 1:4.1p1-2, the option to support protocol version 1
	77	is no longer available via debconf. You must edit the configuration file
	78	instead.
	79
	80	X11 Forwarding
	81	--------------
	82
	83	ssh's default for ForwardX11 has been changed to ``no'' because it has
	84	been pointed out that logging into remote systems administered by
	85	untrusted people is likely to open you up to X11 attacks, so you
	86	should have to actively decide that you trust the remote machine's
	87	root, before enabling X11. I strongly recommend that you do this on a
	88	machine-by-machine basis, rather than just enabling it in the default
	89	host settings.
	90
	91	In order for X11 forwarding to work, you need to install xauth on the
	92	server. In Debian this is in the xbase-clients package.
	93
	94	As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
	95	the security risks of X11 forwarding. Look up X11UseLocalhost in
	96	sshd_config(8) if this is a problem.
	97
	98	OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
	99	ssh client to create an untrusted X cookie so that attacks on the
	100	forwarded X11 connection can't become attacks on X clients on the remote
	101	machine. However, this has some problems in implementation - notably a
	102	very short timeout of the untrusted cookie - breaks large numbers of
	103	existing setups, and generally seems immature. The Debian package
	104	therefore sets the default for this option to "yes" (in ssh itself,
	105	rather than in ssh_config).
	106
	107	Fallback to RSH
	108	---------------
	109
	110	The default for this setting has been changed from Yes to No, for
	111	security reasons, and to stop the delay attempting to rsh to machines
	112	that don't offer the service. Simply switch it back on in either
	113	/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
	114	it for.
	115
	116	Setgid ssh-agent and environment variables
	117	------------------------------------------
	118
	119	As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
	120	attacks retrieving private key material. This has the side-effect of causing
	121	glibc to remove certain environment variables which might have security
	122	implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
	123	TMPDIR.
	124
	125	If you need to set any of these environment variables, you will need to do
	126	so in the program exec()ed by ssh-agent. This may involve creating a small
	127	wrapper script.
	128
	129	Symlink Hostname invocation
	130	---------------------------
	131
	132	This version of ssh no longer includes support for invoking ssh with the
	133	hostname as the name of the file run. People wanting this support should
	134	use the ssh-argv0 script.
	135
	136	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	137
	138	OTHER ISSUES
	139	============
	140
	141	/usr/bin/ssh not SUID
	142	---------------------
	143
	144	Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
	145	is SUID. Until this is fixed, if that is a problem, use:
	146
	147	dpkg-statoverride
	148
	149	or if that's also missing, use this:
	150
	151	chown root.root /usr/bin/ssh
	152	chmod 04755 /usr/bin/ssh
	153
	154	Authorization Forwarding
	155	------------------------
	156
	157	Similarly, root on a remote server could make use of your ssh-agent
	158	(while you're logged into their machine) to obtain access to machines
	159	which trust your keys. This feature is therefore disabled by default.
	160	You should only re-enable it for those hosts (in your ~/.ssh/config or
	161	/etc/ssh/ssh_config) where you are confident that the remote machine
	162	is not a threat.
	163
	164	Problems logging in with RSA authentication
	165	-------------------------------------------
	166
	167	If you have trouble logging in with RSA authentication then the
	168	problem is probably caused by the fact that you have your home
	169	directory writable by group, as well as user (this is the default on
	170	Debian systems).
	171
	172	Depending upon other settings on your system (i.e. other users being
	173	in your group) this could open a security hole, so you will need to
	174	make your home directory writable only by yourself. Run this command,
	175	as yourself:
	176
	177	chmod g-w ~/
	178
	179	to remove group write permissions. If you use ssh-copy-id to install your
	180	keys, it does this for you.
	181
	182	-L option of ssh nonfree
	183	------------------------
	184
	185	non-free ssh supported the usage of the option -L to use a non privileged
	186	port for scp. This option will not be supported by scp from openssh.
	187
	188	Please use instead scp -o "UsePrivilegedPort=no" as documented in the
	189	manpage to scp itself.
	190
	191	Problem logging in because of TCP-Wrappers
	192	------------------------------------------
	193
	194	ssh is compiled with support for tcp-wrappers. So if you can no longer
	195	log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
	196	are configured so that ssh is not blocked.
	197
	198	Kerberos support
	199	----------------
	200
	201	ssh is now compiled with Kerberos support. Unfortunately, privilege
	202	separation is incompatible with Kerberos support for SSH protocol 1 and
	203	parts of the support for protocol 2; you may need to run kinit after logging
	204	in.
	205
	206	Interoperability between scp and the ssh.com SSH server
	207	-------------------------------------------------------
	208
	209	In version 2 and greater of the commercial SSH server produced by SSH
	210	Communications Security, scp was changed to use SFTP (SSH2's file transfer
	211	protocol) instead of the traditional rcp-over-ssh, thereby breaking
	212	compatibility. The OpenSSH developers regard this as a bug in the ssh.com
	213	server, and do not currently intend to change OpenSSH's scp to match.
	214
	215	Workarounds for this problem are to install scp1 on the server (scp2 will
	216	fall back to it), to use sftp, or to use some other transfer mechanism such
	217	as rsync-over-ssh or tar-over-ssh.
	218
	219	Running sshd from inittab
	220	-------------------------
	221
	222	Some people find it useful to run the sshd server from inittab, to make sure
	223	that it always stays running. To do this, stop sshd ('/etc/init.d/ssh
	224	stop'), add the following line to /etc/inittab, and run 'telinit q':
	225
	226	ss:2345:respawn:/usr/sbin/sshd -D
	227
	228	If you do this, note that you will need to stop sshd being started in the
	229	normal way ('rm -f /etc/rc[2345].d/S16ssh') and that you will need to
	230	restart this sshd manually on upgrades.
	231
	232	--
	233	Matthew Vernon <matthew@debian.org>
	234	Colin Watson <cjwatson@debian.org>