1 files changed, 226 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..ca928f9f0
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,226 @@
+OpenSSH for Debian
+------------------
+Although this package is widely referred to as OpenSSH, it is actually
+a branch of an early version of ssh which has been tidied up by the
+OpenBSD folks.
+It has been decided that this version should have the privilege of
+carrying the ``ssh'' name in Debian, since it is the only version of
+ssh that is going to make it into Debian proper, being the only one 
+that complies with the Debian Free Software Guidelines.
+If you were expecting to get the non-free version of ssh (1.2.27 or
+whatever) when you installed this package, then you're out of luck, as
+Debian don't ship it.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+UPGRADE ISSUES
+==============
+Privilege Separation
+--------------------
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd.
+Unfortunately, privilege separation interacts badly with PAM. Any PAM
+session modules that need to run as root (pam_mkhomedir, for example)
+will fail, and PAM keyboard-interactive authentication won't work.
+Privilege separation is turned on by default, so if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config
+PermitRootLogin set to yes
+--------------------------
+This is now the default setting (in line with upstream), and people
+who asked for an automatically-generated configuration file when
+upgrading from potato (or on a new install) will have this setting in
+their /etc/ssh/sshd_config file. 
+Should you wish to change this setting, edit /etc/ssh/sshd_config, and
+change:
+PermitRootLogin yes
+to:
+PermitRootLogin no
+Having PermitRootLogin set to yes means that an attacker that knows
+the root password can ssh in directly (without having to go via a user
+account). If you set it to no, then they must compromise a normal user
+account. In the vast majority of cases, this does not give added
+security; remember that any account you su to root from is equivalent
+to root - compromising this account gives an attacker access to root
+easily. If you only ever log in as root from the physical console,
+then you probably want to set this value to no.
+As an aside, PermitRootLogin can also be set to "without-password" or
+"forced-commands-only" - see sshd(8) for more details.
+DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
+The argument above is somewhat condensed; I have had this discussion
+at great length with many people. If you think the default is
+incorrect, and feel strongly enough to want to argue with me about it,
+then send me email to matthew@debian.org. I will close bug reports
+claiming the default is incorrect.
+SSH now uses protocol 2 by default
+----------------------------------
+This means all your keyfiles you used for protocol version 1 need to
+be re-generated. The server keys are done automatically, but for RSA
+authentication, please read the ssh-keygen manpage.
+If you have an automatically generated configuration file, and decide
+at a later stage that you do want to support protocol version 1 (not
+recommended, but note that the ssh client shipped with Debian potato
+only supported protocol version 1), then you need to do the following:
+Change /etc/ssh/sshd_config such that:
+Protocol 2
+becomes:
+Protocol 2,1
+Also add the line:
+HostKey /etc/ssh/ssh_host_key
+(you may need to generate a host key if you do not already have one)
+X11 Forwarding
+--------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+In order for X11 forwarding to work, you need to install xauth on the
+server. In Debian this is in the xbase-clients package.
+As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
+the security risks of X11 forwarding. Look up X11UseLocalhost in
+sshd_config(8) if this is a problem.
+Fallback to RSH
+---------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+Setgid ssh-agent and environment variables
+------------------------------------------
+As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
+attacks retrieving private key material. This has the side-effect of causing
+glibc to remove certain environment variables which might have security
+implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
+TMPDIR.
+If you need to set any of these environment variables, you will need to do
+so in the program exec()ed by ssh-agent. This may involve creating a small
+wrapper script.
+Symlink Hostname invocation
+---------------------------
+This version of ssh no longer includes support for invoking ssh with the
+hostname as the name of the file run.  People wanting this support should
+use the ssh-argv0 script.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+OTHER ISSUES
+============
+/usr/bin/ssh not SUID
+---------------------
+Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
+is SUID.  Until this is fixed, if that is a problem, use:
+   dpkg-statoverride 
+or if that's also missing, use this:
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+Authorization Forwarding
+------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+Problems logging in with RSA authentication
+-------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+  chmod g-w ~/
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+-L option of ssh nonfree
+------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh. 
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the 
+manpage to scp itself. 
+Problem logging in because of TCP-Wrappers
+------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked. 
+Kerberos Authentication
+-----------------------
+ssh is compiled without support for kerberos authentication, and there are
+no current plans to support this.  Thus the KerberosAuthentication and 
+KerberosTgtPassing options will not be recognised.
+Interoperability between scp and the ssh.com SSH server
+-------------------------------------------------------
+In version 2 and greater of the commercial SSH server produced by SSH
+Communications Security, scp was changed to use SFTP (SSH2's file transfer
+protocol) instead of the traditional rcp-over-ssh, thereby breaking
+compatibility. The OpenSSH developers regard this as a bug in the ssh.com
+server, and do not currently intend to change OpenSSH's scp to match.
+Workarounds for this problem are to install scp1 on the server (scp2 will
+fall back to it), to use sftp, or to use some other transfer mechanism such
+as rsync-over-ssh or tar-over-ssh.
+--
+Matthew Vernon
+<matthew@debian.org>
+and
+Colin Watson
+<cjwatson@debian.org>

diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..ca928f9f0 --- /dev/null +++ b/debian/README.Debian
@@ -0,0 +1,226 @@
	1	OpenSSH for Debian
	2	------------------
	3
	4	Although this package is widely referred to as OpenSSH, it is actually
	5	a branch of an early version of ssh which has been tidied up by the
	6	OpenBSD folks.
	7
	8	It has been decided that this version should have the privilege of
	9	carrying the ``ssh'' name in Debian, since it is the only version of
	10	ssh that is going to make it into Debian proper, being the only one
	11	that complies with the Debian Free Software Guidelines.
	12
	13	If you were expecting to get the non-free version of ssh (1.2.27 or
	14	whatever) when you installed this package, then you're out of luck, as
	15	Debian don't ship it.
	16
	17	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	18
	19	UPGRADE ISSUES
	20	==============
	21
	22	Privilege Separation
	23	--------------------
	24
	25	As of 3.3, openssh has employed privilege separation to reduce the
	26	quantity of code that runs as root, thereby reducing the impact of
	27	some security holes in sshd.
	28
	29	Unfortunately, privilege separation interacts badly with PAM. Any PAM
	30	session modules that need to run as root (pam_mkhomedir, for example)
	31	will fail, and PAM keyboard-interactive authentication won't work.
	32
	33	Privilege separation is turned on by default, so if you decide you
	34	want it turned off, you need to add "UsePrivilegeSeparation no" to
	35	/etc/ssh/sshd_config
	36
	37	PermitRootLogin set to yes
	38	--------------------------
	39
	40	This is now the default setting (in line with upstream), and people
	41	who asked for an automatically-generated configuration file when
	42	upgrading from potato (or on a new install) will have this setting in
	43	their /etc/ssh/sshd_config file.
	44
	45	Should you wish to change this setting, edit /etc/ssh/sshd_config, and
	46	change:
	47	PermitRootLogin yes
	48	to:
	49	PermitRootLogin no
	50
	51	Having PermitRootLogin set to yes means that an attacker that knows
	52	the root password can ssh in directly (without having to go via a user
	53	account). If you set it to no, then they must compromise a normal user
	54	account. In the vast majority of cases, this does not give added
	55	security; remember that any account you su to root from is equivalent
	56	to root - compromising this account gives an attacker access to root
	57	easily. If you only ever log in as root from the physical console,
	58	then you probably want to set this value to no.
	59
	60	As an aside, PermitRootLogin can also be set to "without-password" or
	61	"forced-commands-only" - see sshd(8) for more details.
	62
	63	DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
	64
	65	The argument above is somewhat condensed; I have had this discussion
	66	at great length with many people. If you think the default is
	67	incorrect, and feel strongly enough to want to argue with me about it,
	68	then send me email to matthew@debian.org. I will close bug reports
	69	claiming the default is incorrect.
	70
	71	SSH now uses protocol 2 by default
	72	----------------------------------
	73
	74	This means all your keyfiles you used for protocol version 1 need to
	75	be re-generated. The server keys are done automatically, but for RSA
	76	authentication, please read the ssh-keygen manpage.
	77
	78	If you have an automatically generated configuration file, and decide
	79	at a later stage that you do want to support protocol version 1 (not
	80	recommended, but note that the ssh client shipped with Debian potato
	81	only supported protocol version 1), then you need to do the following:
	82
	83	Change /etc/ssh/sshd_config such that:
	84	Protocol 2
	85	becomes:
	86	Protocol 2,1
	87	Also add the line:
	88	HostKey /etc/ssh/ssh_host_key
	89
	90	(you may need to generate a host key if you do not already have one)
	91
	92	X11 Forwarding
	93	--------------
	94
	95	ssh's default for ForwardX11 has been changed to ``no'' because it has
	96	been pointed out that logging into remote systems administered by
	97	untrusted people is likely to open you up to X11 attacks, so you
	98	should have to actively decide that you trust the remote machine's
	99	root, before enabling X11. I strongly recommend that you do this on a
	100	machine-by-machine basis, rather than just enabling it in the default
	101	host settings.
	102
	103	In order for X11 forwarding to work, you need to install xauth on the
	104	server. In Debian this is in the xbase-clients package.
	105
	106	As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
	107	the security risks of X11 forwarding. Look up X11UseLocalhost in
	108	sshd_config(8) if this is a problem.
	109
	110	Fallback to RSH
	111	---------------
	112
	113	The default for this setting has been changed from Yes to No, for
	114	security reasons, and to stop the delay attempting to rsh to machines
	115	that don't offer the service. Simply switch it back on in either
	116	/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
	117	it for.
	118
	119	Setgid ssh-agent and environment variables
	120	------------------------------------------
	121
	122	As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
	123	attacks retrieving private key material. This has the side-effect of causing
	124	glibc to remove certain environment variables which might have security
	125	implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
	126	TMPDIR.
	127
	128	If you need to set any of these environment variables, you will need to do
	129	so in the program exec()ed by ssh-agent. This may involve creating a small
	130	wrapper script.
	131
	132	Symlink Hostname invocation
	133	---------------------------
	134
	135	This version of ssh no longer includes support for invoking ssh with the
	136	hostname as the name of the file run. People wanting this support should
	137	use the ssh-argv0 script.
	138
	139	=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	140
	141	OTHER ISSUES
	142	============
	143
	144	/usr/bin/ssh not SUID
	145	---------------------
	146
	147	Due to Debian bug #164325, RhostsRSAAuthentication can only be used if ssh
	148	is SUID. Until this is fixed, if that is a problem, use:
	149
	150	dpkg-statoverride
	151
	152	or if that's also missing, use this:
	153
	154	chown root.root /usr/bin/ssh
	155	chmod 04755 /usr/bin/ssh
	156
	157	Authorization Forwarding
	158	------------------------
	159
	160	Similarly, root on a remote server could make use of your ssh-agent
	161	(while you're logged into their machine) to obtain access to machines
	162	which trust your keys. This feature is therefore disabled by default.
	163	You should only re-enable it for those hosts (in your ~/.ssh/config or
	164	/etc/ssh/ssh_config) where you are confident that the remote machine
	165	is not a threat.
	166
	167	Problems logging in with RSA authentication
	168	-------------------------------------------
	169
	170	If you have trouble logging in with RSA authentication then the
	171	problem is probably caused by the fact that you have your home
	172	directory writable by group, as well as user (this is the default on
	173	Debian systems).
	174
	175	Depending upon other settings on your system (i.e. other users being
	176	in your group) this could open a security hole, so you will need to
	177	make your home directory writable only by yourself. Run this command,
	178	as yourself:
	179
	180	chmod g-w ~/
	181
	182	to remove group write permissions. If you use ssh-copy-id to install your
	183	keys, it does this for you.
	184
	185	-L option of ssh nonfree
	186	------------------------
	187
	188	non-free ssh supported the usage of the option -L to use a non privileged
	189	port for scp. This option will not be supported by scp from openssh.
	190
	191	Please use instead scp -o "UsePrivilegedPort=no" as documented in the
	192	manpage to scp itself.
	193
	194	Problem logging in because of TCP-Wrappers
	195	------------------------------------------
	196
	197	ssh is compiled with support for tcp-wrappers. So if you can no longer
	198	log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
	199	are configured so that ssh is not blocked.
	200
	201	Kerberos Authentication
	202	-----------------------
	203
	204	ssh is compiled without support for kerberos authentication, and there are
	205	no current plans to support this. Thus the KerberosAuthentication and
	206	KerberosTgtPassing options will not be recognised.
	207
	208	Interoperability between scp and the ssh.com SSH server
	209	-------------------------------------------------------
	210
	211	In version 2 and greater of the commercial SSH server produced by SSH
	212	Communications Security, scp was changed to use SFTP (SSH2's file transfer
	213	protocol) instead of the traditional rcp-over-ssh, thereby breaking
	214	compatibility. The OpenSSH developers regard this as a bug in the ssh.com
	215	server, and do not currently intend to change OpenSSH's scp to match.
	216
	217	Workarounds for this problem are to install scp1 on the server (scp2 will
	218	fall back to it), to use sftp, or to use some other transfer mechanism such
	219	as rsync-over-ssh or tar-over-ssh.
	220
	221	--
	222	Matthew Vernon
	223	<matthew@debian.org>
	224	and
	225	Colin Watson
	226	<cjwatson@debian.org>