Diffstat (limited to 'debian/README.Debian')
-rw-r--r--debian/README.Debian238
1 files changed, 238 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..bb1f7cf48
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,238 @@
1OpenSSH for Debian
2------------------
3
4Although this package is widely referred to as OpenSSH, it is actually
5a branch of an early version of ssh which has been tidied up by the
6OpenBSD folks.
7
8It has been decided that this version should have the privilege of
9carrying the ``ssh'' name in Debian, since it is the only version of
10ssh that is going to make it into Debian proper, being the only one
11that complies with the Debian Free Software Guidelines.
12
13If you were expecting to get the non-free version of ssh (1.2.27 or
14whatever) when you installed this package, then you're out of luck, as
15Debian don't ship it.
16
17=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
18
19BUILD ISSUES
20============
21
22To build the openssh package for woody, set DEB_BUILD_SSH_WOODY=1 in
23your environment. This is necessary due to non-backward-compatible
24changes in PAM support.
25
26=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
27
28UPGRADE ISSUES
29==============
30
31Privilege Separation
32--------------------
33
34As of 3.3, openssh has employed privilege separation to reduce the
35quantity of code that runs as root, thereby reducing the impact of
36some security holes in sshd.
37
38Unfortunately, privilege separation interacts badly with PAM. Any PAM
39session modules that need to run as root (pam_mkhomedir, for example)
40will fail, and PAM keyboard-interactive authentication won't work.
41
42Privilege separation is turned on by default, so if you decide you
43want it turned off, you need to add "UsePrivilegeSeparation no" to
44/etc/ssh/sshd_config
45
46PermitRootLogin set to yes
47--------------------------
48
49This is now the default setting (in line with upstream), and people
50who asked for an automatically-generated configuration file when
51upgrading from potato (or on a new install) will have this setting in
52their /etc/ssh/sshd_config file.
53
54Should you wish to change this setting, edit /etc/ssh/sshd_config, and
55change:
56PermitRootLogin yes
57to:
58PermitRootLogin no
59
60Having PermitRootLogin set to yes means that an attacker that knows
61the root password can ssh in directly (without having to go via a user
62account). If you set it to no, then they must compromise a normal user
63account. In the vast majority of cases, this does not give added
64security; remember that any account you su to root from is equivalent
65to root - compromising this account gives an attacker access to root
66easily. If you only ever log in as root from the physical console,
67then you probably want to set this value to no.
68
69As an aside, PermitRootLogin can also be set to "without-password" or
70"forced-commands-only" - see sshd(8) for more details.
71
72DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
73
74The argument above is somewhat condensed; I have had this discussion
75at great length with many people. If you think the default is
76incorrect, and feel strongly enough to want to argue with me about it,
77then send me email to matthew@debian.org. I will close bug reports
78claiming the default is incorrect.
79
80SSH now uses protocol 2 by default
81----------------------------------
82
83This means all your keyfiles you used for protocol version 1 need to
84be re-generated. The server keys are done automatically, but for RSA
85authentication, please read the ssh-keygen manpage.
86
87If you have an automatically generated configuration file, and decide
88at a later stage that you do want to support protocol version 1 (not
89recommended, but note that the ssh client shipped with Debian potato
90only supported protocol version 1), then you need to do the following:
91
92Change /etc/ssh/sshd_config such that:
93Protocol 2
94becomes:
95Protocol 2,1
96Also add the line:
97HostKey /etc/ssh/ssh_host_key
98
99If you do not already have an RSA1 host key in /etc/ssh/ssh_host_key,
100you will need to generate one. To do so, run this command as root:
101
102 ssh-keygen -f /etc/ssh/ssh_host_key -N '' -t rsa1
103
104X11 Forwarding
105--------------
106
107ssh's default for ForwardX11 has been changed to ``no'' because it has
108been pointed out that logging into remote systems administered by
109untrusted people is likely to open you up to X11 attacks, so you
110should have to actively decide that you trust the remote machine's
111root, before enabling X11. I strongly recommend that you do this on a
112machine-by-machine basis, rather than just enabling it in the default
113host settings.
114
115In order for X11 forwarding to work, you need to install xauth on the
116server. In Debian this is in the xbase-clients package.
117
118As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
119the security risks of X11 forwarding. Look up X11UseLocalhost in
120sshd_config(8) if this is a problem.
121
122Fallback to RSH
123---------------
124
125The default for this setting has been changed from Yes to No, for
126security reasons, and to stop the delay attempting to rsh to machines
127that don't offer the service. Simply switch it back on in either
128/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
129it for.
130
131Setgid ssh-agent and environment variables
132------------------------------------------
133
134As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
135attacks retrieving private key material. This has the side-effect of causing
136glibc to remove certain environment variables which might have security
137implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
138TMPDIR.
139
140If you need to set any of these environment variables, you will need to do
141so in the program exec()ed by ssh-agent. This may involve creating a small
142wrapper script.
143
144Symlink Hostname invocation
145---------------------------
146
147This version of ssh no longer includes support for invoking ssh with the
148hostname as the name of the file run. People wanting this support should
149use the ssh-argv0 script.
150
151=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
152
153OTHER ISSUES
154============
155
156/usr/bin/ssh not SUID
157---------------------
158
159Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
160is SUID. Until this is fixed, if that is a problem, use:
161
162 dpkg-statoverride
163
164or if that's also missing, use this:
165
166 chown root.root /usr/bin/ssh
167 chmod 04755 /usr/bin/ssh
168
169Authorization Forwarding
170------------------------
171
172Similarly, root on a remote server could make use of your ssh-agent
173(while you're logged into their machine) to obtain access to machines
174which trust your keys. This feature is therefore disabled by default.
175You should only re-enable it for those hosts (in your ~/.ssh/config or
176/etc/ssh/ssh_config) where you are confident that the remote machine
177is not a threat.
178
179Problems logging in with RSA authentication
180-------------------------------------------
181
182If you have trouble logging in with RSA authentication then the
183problem is probably caused by the fact that you have your home
184directory writable by group, as well as user (this is the default on
185Debian systems).
186
187Depending upon other settings on your system (i.e. other users being
188in your group) this could open a security hole, so you will need to
189make your home directory writable only by yourself. Run this command,
190as yourself:
191
192 chmod g-w ~/
193
194to remove group write permissions. If you use ssh-copy-id to install your
195keys, it does this for you.
196
197-L option of ssh nonfree
198------------------------
199
200non-free ssh supported the usage of the option -L to use a non privileged
201port for scp. This option will not be supported by scp from openssh.
202
203Please use instead scp -o "UsePrivilegedPort=no" as documented in the
204manpage to scp itself.
205
206Problem logging in because of TCP-Wrappers
207------------------------------------------
208
209ssh is compiled with support for tcp-wrappers. So if you can no longer
210log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
211are configured so that ssh is not blocked.
212
213Kerberos Authentication
214-----------------------
215
216ssh is compiled without support for kerberos authentication, and there are
217no current plans to support this. Thus the KerberosAuthentication and
218KerberosTgtPassing options will not be recognised.
219
220Interoperability between scp and the ssh.com SSH server
221-------------------------------------------------------
222
223In version 2 and greater of the commercial SSH server produced by SSH
224Communications Security, scp was changed to use SFTP (SSH2's file transfer
225protocol) instead of the traditional rcp-over-ssh, thereby breaking
226compatibility. The OpenSSH developers regard this as a bug in the ssh.com
227server, and do not currently intend to change OpenSSH's scp to match.
228
229Workarounds for this problem are to install scp1 on the server (scp2 will
230fall back to it), to use sftp, or to use some other transfer mechanism such
231as rsync-over-ssh or tar-over-ssh.
232
233--
234Matthew Vernon
235<matthew@debian.org>
236and
237Colin Watson
238<cjwatson@debian.org>
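Review bot: the "/usr/bin/ssh not SUID" section (README lines 159-167) tells the reader to make the ssh client setuid root without documenting the trade-off, and the `dpkg-statoverride` mention is given with no arguments, so the only usable instruction is the raw `chown`/`chmod` fallback. A setuid-root client widens the local attack surface of every user on the host, which is exactly the reason the package ships it non-setuid; suggest stating that explicitly, saying the override should be removed once bug #164325 is fixed, and giving the complete command so the permission survives package upgrades, e.g. `dpkg-statoverride --update --add root root 4755 /usr/bin/ssh`. The same section uses the legacy `root.root` owner syntax in `chown root.root /usr/bin/ssh`; `root:root` is the documented form. Separately, the privilege separation paragraph (lines 42-44) gives the `UsePrivilegeSeparation no` recipe without reminding the reader that it removes the mitigation described two paragraphs earlier, so a sentence saying that the PAM workaround trades away that protection would help.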