diff options
Diffstat (limited to 'debian/README.Debian')
-rw-r--r-- | debian/README.Debian | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..c2858d2f9 --- /dev/null +++ b/debian/README.Debian | |||
@@ -0,0 +1,153 @@ | |||
1 | OpenSSH for Debian | ||
2 | ------------------ | ||
3 | |||
4 | Although this package is widely referred to as OpenSSH, it is actually | ||
5 | a branch of an early version of ssh which has been tidied up by the | ||
6 | OpenBSD folks. | ||
7 | |||
8 | It has been decided that this version should have the privilege of | ||
9 | carrying the ``ssh'' name in Debian, since it is the only version of | ||
10 | ssh that is going to make it into Debian proper, being the only one | ||
11 | that complies with the Debian Free Software Guidelines. | ||
12 | |||
13 | If you were expecting to get the non-free version of ssh (1.2.27 or | ||
14 | whatever) when you installed this package, please install ssh-nonfree | ||
15 | instead, which is what we're now calling the non-free version. | ||
16 | |||
17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
18 | |||
19 | PermitRootLogin set to yes | ||
20 | -------------------------- | ||
21 | |||
22 | This is now the default setting (in line with upstream), and people | ||
23 | who asked for an automatically-generated configuration file when | ||
24 | upgrading from potato (or on a new install) will have this setting in | ||
25 | their /etc/ssh/sshd_config file. | ||
26 | |||
27 | Should you wish to change this setting, edit /etc/ssh/sshd_config, and | ||
28 | change: | ||
29 | PermitRootLogin yes | ||
30 | to: | ||
31 | PermitRootLogin no | ||
32 | |||
33 | Having PermitRootLogin set to yes means that an attacker that knows | ||
34 | the root password can ssh in directly (without having to go via a user | ||
35 | account). If you set it to no, then they must compromise a normal user | ||
36 | account. In the vast majority of cases, this does not give added | ||
37 | security; remember that any account you su to root from is equivalent | ||
38 | to root - compromising this account gives an attacker access to root | ||
39 | easily. If you only ever log in as root from the physical console, | ||
40 | then you probably want to set this value to no. | ||
41 | |||
42 | As an aside, PermitRootLogin can also be set to "without-password" or | ||
43 | "forced-commands-only" - see sshd(8) for more details. | ||
44 | |||
45 | DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT! | ||
46 | |||
47 | The argument above is somewhat condensed; I have had this discussion | ||
48 | at great length with many people. If you think the default is | ||
49 | incorrect, and feel strongly enough to want to argue with me about it, | ||
50 | then send me email to matthew@debian.org. I will close bug reports | ||
51 | claiming the default is incorrect. | ||
52 | |||
53 | SSH now uses protocol 2 by default | ||
54 | ---------------------------------- | ||
55 | |||
56 | This means all your keyfiles you used for protocol version 1 need to | ||
57 | be re-generated. The server keys are done automatically, but for RSA | ||
58 | authentication, please read the ssh-keygen manpage. | ||
59 | |||
60 | If you have an automatically generated configuration file, and decide | ||
61 | at a later stage that you do want to support protocol version 1 (not | ||
62 | recommended, but note that the ssh client shipped with Debian potato | ||
63 | only supported protocol version 1), then you need to do the following: | ||
64 | |||
65 | Change /etc/ssh/sshd_config such that: | ||
66 | Protocol 2 | ||
67 | becomes: | ||
68 | Protocol 2,1 | ||
69 | Also add the line: | ||
70 | HostKey /etc/ssh/ssh_host_key | ||
71 | |||
72 | (you may need to generate a host key if you do not already have one) | ||
73 | |||
74 | /usr/bin/ssh not SUID: | ||
75 | ---------------------- | ||
76 | If you have not installed debconf, you'll have missed the chance to | ||
77 | install ssh SUID, which means you won't be able to do Rhosts | ||
78 | authentication. If that upsets you, use: | ||
79 | |||
80 | dpkg-statoverride | ||
81 | |||
82 | or if that's also missing, use this: | ||
83 | |||
84 | chown root.root /usr/bin/ssh | ||
85 | chmod 04755 /usr/bin/ssh | ||
86 | |||
87 | X11 Forwarding: | ||
88 | --------------- | ||
89 | ssh's default for ForwardX11 has been changed to ``no'' because it has | ||
90 | been pointed out that logging into remote systems administered by | ||
91 | untrusted people is likely to open you up to X11 attacks, so you | ||
92 | should have to actively decide that you trust the remote machine's | ||
93 | root, before enabling X11. I strongly recommend that you do this on a | ||
94 | machine-by-machine basis, rather than just enabling it in the default | ||
95 | host settings. | ||
96 | |||
97 | Authorization Forwarding: | ||
98 | ------------------------- | ||
99 | Similarly, root on a remote server could make use of your ssh-agent | ||
100 | (while you're logged into their machine) to obtain access to machines | ||
101 | which trust your keys. This feature is therefore disabled by default. | ||
102 | You should only re-enable it for those hosts (in your ~/.ssh/config or | ||
103 | /etc/ssh/ssh_config) where you are confident that the remote machine | ||
104 | is not a threat. | ||
105 | |||
106 | Fallback to RSH: | ||
107 | ---------------- | ||
108 | The default for this setting has been changed from Yes to No, for | ||
109 | security reasons, and to stop the delay attempting to rsh to machines | ||
110 | that don't offer the service. Simply switch it back on in either | ||
111 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
112 | it for. | ||
113 | |||
114 | Problems logging in with RSA authentication: | ||
115 | -------------------------------------------- | ||
116 | If you have trouble logging in with RSA authentication then the | ||
117 | problem is probably caused by the fact that you have your home | ||
118 | directory writable by group, as well as user (this is the default on | ||
119 | Debian systems). | ||
120 | |||
121 | Depending upon other settings on your system (i.e. other users being | ||
122 | in your group) this could open a security hole, so you will need to | ||
123 | make your home directory writable only by yourself. Run this command, | ||
124 | as yourself: | ||
125 | |||
126 | chmod g-w ~/ | ||
127 | |||
128 | to remove group write permissions. If you use ssh-copy-id to install your | ||
129 | keys, it does this for you. | ||
130 | |||
131 | -L option of ssh nonfree: | ||
132 | ------------------------- | ||
133 | non-free ssh supported the usage of the option -L to use a non privileged | ||
134 | port for scp. This option will not be supported by scp from openssh. | ||
135 | |||
136 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the | ||
137 | manpage to scp itself. | ||
138 | |||
139 | Problem logging in because of TCP-Wrappers: | ||
140 | ------------------------------------------- | ||
141 | ssh is compiled with support for tcp-wrappers. So if you can no longer | ||
142 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny | ||
143 | are configured so that ssh is not blocked. | ||
144 | |||
145 | Kerberos Authentication: | ||
146 | ------------------------ | ||
147 | ssh is compiled without support for kerberos authentication, and there are | ||
148 | no current plans to support this. Thus the KerberosAuthentication and | ||
149 | KerberosTgtPassing options will not be recognised. | ||
150 | |||
151 | -- | ||
152 | Matthew Vernon | ||
153 | <matthew@debian.org> | ||