diff options
Diffstat (limited to 'debian/README.Debian')
-rw-r--r-- | debian/README.Debian | 229 |
1 files changed, 229 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..4d16eb4d8 --- /dev/null +++ b/debian/README.Debian | |||
@@ -0,0 +1,229 @@ | |||
1 | OpenSSH for Debian | ||
2 | ------------------ | ||
3 | |||
4 | UPGRADE ISSUES | ||
5 | ============== | ||
6 | |||
7 | Privilege Separation | ||
8 | -------------------- | ||
9 | |||
10 | As of 3.3, openssh has employed privilege separation to reduce the | ||
11 | quantity of code that runs as root, thereby reducing the impact of | ||
12 | some security holes in sshd. This now also works properly with PAM. | ||
13 | |||
14 | Privilege separation is turned on by default, so, if you decide you | ||
15 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
16 | /etc/ssh/sshd_config. | ||
17 | |||
18 | PermitRootLogin | ||
19 | --------------- | ||
20 | |||
21 | As of 1:6.6p1-1, new installations will be set to "PermitRootLogin | ||
22 | without-password". This disables password authentication for root, foiling | ||
23 | password dictionary attacks on the root user. Some sites may wish to use | ||
24 | the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no", | ||
25 | but note that "PermitRootLogin no" will break setups that SSH to root with a | ||
26 | forced command to take full-system backups. You can use PermitRootLogin in | ||
27 | a Match block if you want finer-grained control here. | ||
28 | |||
29 | For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in | ||
30 | line with upstream. To avoid breaking local setups, this is still true for | ||
31 | installations upgraded from before 1:6.6p1-1. If you wish to change this, | ||
32 | you should edit /etc/ssh/sshd_config, change it manually, and run "service | ||
33 | ssh restart" as root. | ||
34 | |||
35 | Disabling PermitRootLogin means that an attacker possessing credentials for | ||
36 | the root account (any credentials in the case of "yes", or private key | ||
37 | material in the case of "without-password") must compromise a normal user | ||
38 | account rather than being able to SSH directly to root. Be careful to avoid | ||
39 | a false illusion of security if you change this setting; any account you | ||
40 | escalate to root from should be considered equivalent to root for the | ||
41 | purposes of security against external attack. You might for example disable | ||
42 | it if you know you will only ever log in as root from the physical console. | ||
43 | |||
44 | Since the root account does not generally have non-password credentials | ||
45 | unless you explicitly install an SSH public key in its | ||
46 | ~/.ssh/authorized_keys, which you presumably only do if you want to SSH to | ||
47 | it, "without-password" should be a reasonable default for most sites. | ||
48 | |||
49 | For further discussion, see: | ||
50 | |||
51 | https://bugs.debian.org/298138 | ||
52 | https://bugzilla.mindrot.org/show_bug.cgi?id=2164 | ||
53 | |||
54 | X11 Forwarding | ||
55 | -------------- | ||
56 | |||
57 | ssh's default for ForwardX11 has been changed to ``no'' because it has | ||
58 | been pointed out that logging into remote systems administered by | ||
59 | untrusted people is likely to open you up to X11 attacks, so you | ||
60 | should have to actively decide that you trust the remote machine's | ||
61 | root, before enabling X11. I strongly recommend that you do this on a | ||
62 | machine-by-machine basis, rather than just enabling it in the default | ||
63 | host settings. | ||
64 | |||
65 | In order for X11 forwarding to work, you need to install xauth on the | ||
66 | server. In Debian this is in the xbase-clients package. | ||
67 | |||
68 | As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce | ||
69 | the security risks of X11 forwarding. Look up X11UseLocalhost in | ||
70 | sshd_config(8) if this is a problem. | ||
71 | |||
72 | OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the | ||
73 | ssh client to create an untrusted X cookie so that attacks on the | ||
74 | forwarded X11 connection can't become attacks on X clients on the remote | ||
75 | machine. However, this has some problems in implementation - notably a | ||
76 | very short timeout of the untrusted cookie - breaks large numbers of | ||
77 | existing setups, and generally seems immature. The Debian package | ||
78 | therefore sets the default for this option to "yes" (in ssh itself, | ||
79 | rather than in ssh_config). | ||
80 | |||
81 | Fallback to RSH | ||
82 | --------------- | ||
83 | |||
84 | The default for this setting has been changed from Yes to No, for | ||
85 | security reasons, and to stop the delay attempting to rsh to machines | ||
86 | that don't offer the service. Simply switch it back on in either | ||
87 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
88 | it for. | ||
89 | |||
90 | Setgid ssh-agent and environment variables | ||
91 | ------------------------------------------ | ||
92 | |||
93 | As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace() | ||
94 | attacks retrieving private key material. This has the side-effect of causing | ||
95 | glibc to remove certain environment variables which might have security | ||
96 | implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and | ||
97 | TMPDIR. | ||
98 | |||
99 | If you need to set any of these environment variables, you will need to do | ||
100 | so in the program exec()ed by ssh-agent. This may involve creating a small | ||
101 | wrapper script. | ||
102 | |||
103 | Symlink Hostname invocation | ||
104 | --------------------------- | ||
105 | |||
106 | This version of ssh no longer includes support for invoking ssh with the | ||
107 | hostname as the name of the file run. People wanting this support should | ||
108 | use the ssh-argv0 script. | ||
109 | |||
110 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
111 | |||
112 | OTHER ISSUES | ||
113 | ============ | ||
114 | |||
115 | /usr/bin/ssh not SUID | ||
116 | --------------------- | ||
117 | |||
118 | Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh | ||
119 | is SUID. Until this is fixed, if that is a problem, use: | ||
120 | |||
121 | dpkg-statoverride | ||
122 | |||
123 | or if that's also missing, use this: | ||
124 | |||
125 | chown root.root /usr/bin/ssh | ||
126 | chmod 04755 /usr/bin/ssh | ||
127 | |||
128 | Authorization Forwarding | ||
129 | ------------------------ | ||
130 | |||
131 | Similarly, root on a remote server could make use of your ssh-agent | ||
132 | (while you're logged into their machine) to obtain access to machines | ||
133 | which trust your keys. This feature is therefore disabled by default. | ||
134 | You should only re-enable it for those hosts (in your ~/.ssh/config or | ||
135 | /etc/ssh/ssh_config) where you are confident that the remote machine | ||
136 | is not a threat. | ||
137 | |||
138 | Problems logging in with RSA authentication | ||
139 | ------------------------------------------- | ||
140 | |||
141 | If you have trouble logging in with RSA authentication then the | ||
142 | problem is probably caused by the fact that you have your home | ||
143 | directory writable by group, as well as user (this is the default on | ||
144 | Debian systems). | ||
145 | |||
146 | Depending upon other settings on your system (i.e. other users being | ||
147 | in your group) this could open a security hole, so you will need to | ||
148 | make your home directory writable only by yourself. Run this command, | ||
149 | as yourself: | ||
150 | |||
151 | chmod g-w ~/ | ||
152 | |||
153 | to remove group write permissions. If you use ssh-copy-id to install your | ||
154 | keys, it does this for you. | ||
155 | |||
156 | -L option of ssh nonfree | ||
157 | ------------------------ | ||
158 | |||
159 | non-free ssh supported the usage of the option -L to use a non privileged | ||
160 | port for scp. This option will not be supported by scp from openssh. | ||
161 | |||
162 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the | ||
163 | manpage to scp itself. | ||
164 | |||
165 | Problem logging in because of TCP-Wrappers | ||
166 | ------------------------------------------ | ||
167 | |||
168 | ssh is compiled with support for tcp-wrappers. So if you can no longer | ||
169 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny | ||
170 | are configured so that ssh is not blocked. | ||
171 | |||
172 | Kerberos support | ||
173 | ---------------- | ||
174 | |||
175 | ssh is now compiled with Kerberos support. Unfortunately, privilege | ||
176 | separation is incompatible with Kerberos support for SSH protocol 1 and | ||
177 | parts of the support for protocol 2; you may need to run kinit after logging | ||
178 | in. | ||
179 | |||
180 | Interoperability between scp and the ssh.com SSH server | ||
181 | ------------------------------------------------------- | ||
182 | |||
183 | In version 2 and greater of the commercial SSH server produced by SSH | ||
184 | Communications Security, scp was changed to use SFTP (SSH2's file transfer | ||
185 | protocol) instead of the traditional rcp-over-ssh, thereby breaking | ||
186 | compatibility. The OpenSSH developers regard this as a bug in the ssh.com | ||
187 | server, and do not currently intend to change OpenSSH's scp to match. | ||
188 | |||
189 | Workarounds for this problem are to install scp1 on the server (scp2 will | ||
190 | fall back to it), to use sftp, or to use some other transfer mechanism such | ||
191 | as rsync-over-ssh or tar-over-ssh. | ||
192 | |||
193 | Running sshd from inittab | ||
194 | ------------------------- | ||
195 | |||
196 | Some people find it useful to run the sshd server from inittab, to make sure | ||
197 | that it always stays running. To do this, stop sshd ('/etc/init.d/ssh | ||
198 | stop'), add the following line to /etc/inittab, and run 'telinit q': | ||
199 | |||
200 | ss:2345:respawn:/usr/sbin/sshd -D | ||
201 | |||
202 | If you do this, note that you will need to stop sshd being started in the | ||
203 | normal way ('update-rc.d ssh disable') and that you will need to restart | ||
204 | this sshd manually on upgrades. | ||
205 | |||
206 | Per-connection sshd instances with systemd | ||
207 | ------------------------------------------ | ||
208 | |||
209 | If you want to reconfigure systemd to listen on port 22 itself and launch an | ||
210 | instance of sshd for each connection (inetd-style socket activation), then | ||
211 | you can run: | ||
212 | |||
213 | systemctl stop ssh.service | ||
214 | systemctl start ssh.socket | ||
215 | |||
216 | To make this permanent: | ||
217 | |||
218 | systemctl disable ssh.service | ||
219 | systemctl enable ssh.socket | ||
220 | |||
221 | This may be appropriate in environments where minimal footprint is critical | ||
222 | (e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's | ||
223 | MaxConnections cannot quite replace this as it cannot distinguish between | ||
224 | authenticated and unauthenticated connections; see | ||
225 | https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion. | ||
226 | |||
227 | -- | ||
228 | Matthew Vernon <matthew@debian.org> | ||
229 | Colin Watson <cjwatson@debian.org> | ||