Diffstat (limited to 'debian')
-rw-r--r-- | debian/README.Debian | 153 | ||||
-rw-r--r-- | debian/changelog | 944 | ||||
-rw-r--r-- | debian/conffiles | 4 | ||||
-rw-r--r-- | debian/config | 86 | ||||
-rw-r--r-- | debian/control | 43 | ||||
-rw-r--r-- | debian/copyright.head | 36 | ||||
-rw-r--r-- | debian/dirs | 7 | ||||
-rw-r--r-- | debian/init | 60 | ||||
-rw-r--r-- | debian/postinst | 330 | ||||
-rw-r--r-- | debian/postinst.old | 269 | ||||
-rw-r--r-- | debian/postrm | 16 | ||||
-rw-r--r-- | debian/preinst | 79 | ||||
-rw-r--r-- | debian/prerm | 44 | ||||
-rwxr-xr-x | debian/rules | 106 | ||||
-rw-r--r-- | debian/ssh-askpass-gnome.copyright | 44 | ||||
-rw-r--r-- | debian/ssh-askpass-gnome.dirs | 1 | ||||
-rw-r--r-- | debian/ssh-askpass-gnome.postinst | 49 | ||||
-rw-r--r-- | debian/ssh-askpass-gnome.prerm | 41 | ||||
-rw-r--r-- | debian/ssh.pam | 22 | ||||
-rw-r--r-- | debian/templates | 229 |
20 files changed, 2563 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000000000..c2858d2f9 --- /dev/null +++ b/debian/README.Debian | |||
@@ -0,0 +1,153 @@ | |||
1 | OpenSSH for Debian | ||
2 | ------------------ | ||
3 | |||
4 | Although this package is widely referred to as OpenSSH, it is actually | ||
5 | a branch of an early version of ssh which has been tidied up by the | ||
6 | OpenBSD folks. | ||
7 | |||
8 | It has been decided that this version should have the privilege of | ||
9 | carrying the ``ssh'' name in Debian, since it is the only version of | ||
10 | ssh that is going to make it into Debian proper, being the only one | ||
11 | that complies with the Debian Free Software Guidelines. | ||
12 | |||
13 | If you were expecting to get the non-free version of ssh (1.2.27 or | ||
14 | whatever) when you installed this package, please install ssh-nonfree | ||
15 | instead, which is what we're now calling the non-free version. | ||
16 | |||
17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | ||
18 | |||
19 | PermitRootLogin set to yes | ||
20 | -------------------------- | ||
21 | |||
22 | This is now the default setting (in line with upstream), and people | ||
23 | who asked for an automatically-generated configuration file when | ||
24 | upgrading from potato (or on a new install) will have this setting in | ||
25 | their /etc/ssh/sshd_config file. | ||
26 | |||
27 | Should you wish to change this setting, edit /etc/ssh/sshd_config, and | ||
28 | change: | ||
29 | PermitRootLogin yes | ||
30 | to: | ||
31 | PermitRootLogin no | ||
32 | |||
33 | Having PermitRootLogin set to yes means that an attacker that knows | ||
34 | the root password can ssh in directly (without having to go via a user | ||
35 | account). If you set it to no, then they must compromise a normal user | ||
36 | account. In the vast majority of cases, this does not give added | ||
37 | security; remember that any account you su to root from is equivalent | ||
38 | to root - compromising this account gives an attacker access to root | ||
39 | easily. If you only ever log in as root from the physical console, | ||
40 | then you probably want to set this value to no. | ||
41 | |||
42 | As an aside, PermitRootLogin can also be set to "without-password" or | ||
43 | "forced-commands-only" - see sshd(8) for more details. | ||
44 | |||
45 | DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT! | ||
46 | |||
47 | The argument above is somewhat condensed; I have had this discussion | ||
48 | at great length with many people. If you think the default is | ||
49 | incorrect, and feel strongly enough to want to argue with me about it, | ||
50 | then send me email to matthew@debian.org. I will close bug reports | ||
51 | claiming the default is incorrect. | ||
52 | |||
53 | SSH now uses protocol 2 by default | ||
54 | ---------------------------------- | ||
55 | |||
56 | This means all your keyfiles you used for protocol version 1 need to | ||
57 | be re-generated. The server keys are done automatically, but for RSA | ||
58 | authentication, please read the ssh-keygen manpage. | ||
59 | |||
60 | If you have an automatically generated configuration file, and decide | ||
61 | at a later stage that you do want to support protocol version 1 (not | ||
62 | recommended, but note that the ssh client shipped with Debian potato | ||
63 | only supported protocol version 1), then you need to do the following: | ||
64 | |||
65 | Change /etc/ssh/sshd_config such that: | ||
66 | Protocol 2 | ||
67 | becomes: | ||
68 | Protocol 2,1 | ||
69 | Also add the line: | ||
70 | HostKey /etc/ssh/ssh_host_key | ||
71 | |||
72 | (you may need to generate a host key if you do not already have one) | ||
73 | |||
74 | /usr/bin/ssh not SUID: | ||
75 | ---------------------- | ||
76 | If you have not installed debconf, you'll have missed the chance to | ||
77 | install ssh SUID, which means you won't be able to do Rhosts | ||
78 | authentication. If that upsets you, use: | ||
79 | |||
80 | dpkg-statoverride | ||
81 | |||
82 | or if that's also missing, use this: | ||
83 | |||
84 | chown root.root /usr/bin/ssh | ||
85 | chmod 04755 /usr/bin/ssh | ||
86 | |||
87 | X11 Forwarding: | ||
88 | --------------- | ||
89 | ssh's default for ForwardX11 has been changed to ``no'' because it has | ||
90 | been pointed out that logging into remote systems administered by | ||
91 | untrusted people is likely to open you up to X11 attacks, so you | ||
92 | should have to actively decide that you trust the remote machine's | ||
93 | root, before enabling X11. I strongly recommend that you do this on a | ||
94 | machine-by-machine basis, rather than just enabling it in the default | ||
95 | host settings. | ||
96 | |||
97 | Authorization Forwarding: | ||
98 | ------------------------- | ||
99 | Similarly, root on a remote server could make use of your ssh-agent | ||
100 | (while you're logged into their machine) to obtain access to machines | ||
101 | which trust your keys. This feature is therefore disabled by default. | ||
102 | You should only re-enable it for those hosts (in your ~/.ssh/config or | ||
103 | /etc/ssh/ssh_config) where you are confident that the remote machine | ||
104 | is not a threat. | ||
105 | |||
106 | Fallback to RSH: | ||
107 | ---------------- | ||
108 | The default for this setting has been changed from Yes to No, for | ||
109 | security reasons, and to stop the delay attempting to rsh to machines | ||
110 | that don't offer the service. Simply switch it back on in either | ||
111 | /etc/ssh/ssh_config or ~/.ssh/config for those machines that you need | ||
112 | it for. | ||
113 | |||
114 | Problems logging in with RSA authentication: | ||
115 | -------------------------------------------- | ||
116 | If you have trouble logging in with RSA authentication then the | ||
117 | problem is probably caused by the fact that you have your home | ||
118 | directory writable by group, as well as user (this is the default on | ||
119 | Debian systems). | ||
120 | |||
121 | Depending upon other settings on your system (i.e. other users being | ||
122 | in your group) this could open a security hole, so you will need to | ||
123 | make your home directory writable only by yourself. Run this command, | ||
124 | as yourself: | ||
125 | |||
126 | chmod g-w ~/ | ||
127 | |||
128 | to remove group write permissions. If you use ssh-copy-id to install your | ||
129 | keys, it does this for you. | ||
130 | |||
131 | -L option of ssh nonfree: | ||
132 | ------------------------- | ||
133 | non-free ssh supported the usage of the option -L to use a non privileged | ||
134 | port for scp. This option will not be supported by scp from openssh. | ||
135 | |||
136 | Please use instead scp -o "UsePrivilegedPort=no" as documented in the | ||
137 | manpage to scp itself. | ||
138 | |||
139 | Problem logging in because of TCP-Wrappers: | ||
140 | ------------------------------------------- | ||
141 | ssh is compiled with support for tcp-wrappers. So if you can no longer | ||
142 | log into your system, please check that /etc/hosts.allow and /etc/hosts.deny | ||
143 | are configured so that ssh is not blocked. | ||
144 | |||
145 | Kerberos Authentication: | ||
146 | ------------------------ | ||
147 | ssh is compiled without support for kerberos authentication, and there are | ||
148 | no current plans to support this. Thus the KerberosAuthentication and | ||
149 | KerberosTgtPassing options will not be recognised. | ||
150 | |||
151 | -- | ||
152 | Matthew Vernon | ||
153 | <matthew@debian.org> | ||
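Review bot: The "/usr/bin/ssh not SUID" section (README lines 74-85) is out of step with the changelog added in this same commit. The 1:3.3p1-0.0woody1 entry says "Support setuid ssh-keysign binary instead of setuid ssh client", and 1:3.4p1-1 removes the package's own statoverride on /usr/bin/ssh, yet the README still tells users to run "chmod 04755 /usr/bin/ssh". Following that advice puts a setuid-root bit back on the client that the package has just stopped needing. I would drop the section or rewrite it to describe the ssh-keysign arrangement. If it stays, "dpkg-statoverride" is shown with no arguments, so the reader cannot tell what to run, and "chown root.root" would be better written as "chown root:root".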
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 000000000..32f541a0f --- /dev/null +++ b/debian/changelog | |||
@@ -0,0 +1,944 @@ | |||
1 | openssh (1:3.4p1-1) testing; urgency=high | ||
2 | |||
3 | * Extend my tendrils back into this package (Closes: #150915, #151098) | ||
4 | * thanks to the security team for their work | ||
5 | * no thanks to ISS/Theo de Raadt for their handling of these bugs | ||
6 | * save old sshd_configs to sshd_config.dpkg-old when auto-generating a | ||
7 | new one | ||
8 | * tell/ask the user about PriviledgeSeparation | ||
9 | * /etc/init.d/ssh run will now create the chroot empty dir if necessary | ||
10 | * Remove our previous statoverride on /usr/bin/ssh (only for people | ||
11 | upgrading from a version where we'd put one in ourselves!) | ||
12 | * Stop slandering Russia, since someone asked so nicely (Closes: #148951) | ||
13 | * Reduce the sleep time in /etc/init.d/ssh during a restart | ||
14 | |||
15 | -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 15:52:10 +0100 | ||
16 | |||
17 | openssh (1:3.4p1-0.0woody1) testing-security; urgency=high | ||
18 | |||
19 | * NMU by the security team. | ||
20 | * New upstream version | ||
21 | |||
22 | -- Michael Stone <mstone@debian.org> Wed, 26 Jun 2002 15:40:38 -0400 | ||
23 | |||
24 | openssh (1:3.3p1-0.0woody4) testing-security; urgency=high | ||
25 | |||
26 | * NMU by the security team. | ||
27 | * fix error when /etc/ssh/sshd_config exists on new install | ||
28 | * check that user doesn't exist before running adduser | ||
29 | * use openssl internal random unconditionally | ||
30 | |||
31 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 19:44:39 -0400 | ||
32 | |||
33 | openssh (1:3.3p1-0.0woody3) testing-security; urgency=high | ||
34 | |||
35 | * NMU by the security team. | ||
36 | * use correct home directory when sshd user is created | ||
37 | |||
38 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400 | ||
39 | |||
40 | openssh (1:3.3p1-0.0woody2) testing-security; urgency=high | ||
41 | |||
42 | * NMU by the security team. | ||
43 | * Fix rsa1 key creation (Closes: #150949) | ||
44 | * don't fail if sshd user removal fails | ||
45 | * depends: on adduser (Closes: #150907) | ||
46 | |||
47 | -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400 | ||
48 | |||
49 | openssh (1:3.3p1-0.0woody1) testing-security; urgency=high | ||
50 | |||
51 | * NMU by the security team. | ||
52 | * New upstream version. | ||
53 | - Enable privilege separation by default. | ||
54 | * Include patch from Solar Designer for privilege separation and | ||
55 | compression on 2.2.x kernels. | ||
56 | * Remove --disable-suid-ssh from configure. | ||
57 | * Support setuid ssh-keysign binary instead of setuid ssh client. | ||
58 | * Check sshd configuration before restarting. | ||
59 | |||
60 | -- Daniel Jacobowitz <dan@debian.org> Mon, 24 Jun 2002 13:43:44 -0400 | ||
61 | |||
62 | openssh (1:3.0.2p1-9) unstable; urgency=high | ||
63 | |||
64 | * Thanks to those who NMUd | ||
65 | * The only change in this version is to debian/control - I've removed | ||
66 | the bit that says you can't export it from the US - it would look | ||
67 | pretty daft to say this about a package in main! Also, it's now OK | ||
68 | to use crypto in France, so I've edited that comment slightly | ||
69 | * Correct a path in README.Debian too (Closes: #138634) | ||
70 | |||
71 | -- Matthew Vernon <matthew@debian.org> Sun, 4 Apr 2002 09:52:59 +0100 | ||
72 | |||
73 | openssh (1:3.0.2p1-8.3) unstable; urgency=medium | ||
74 | |||
75 | * NMU | ||
76 | * Really set urgency to medium this time (oops) | ||
77 | * Fix priority to standard per override while I'm at it | ||
78 | |||
79 | -- Aaron M. Ucko <ucko@debian.org> Sun, 24 Mar 2002 09:00:08 -0500 | ||
80 | |||
81 | openssh (1:3.0.2p1-8.2) unstable; urgency=low | ||
82 | |||
83 | * NMU with maintainer's permission | ||
84 | * Prepare for upcoming ssh-nonfree transitional packages per | ||
85 | <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html> | ||
86 | * Urgency medium because it would really be good to get this into woody | ||
87 | before it releases | ||
88 | * Fix sections to match override file | ||
89 | * Reissued due to clash with non-US -> main move | ||
90 | |||
91 | -- Aaron M. Ucko <ucko@debian.org> Sat, 23 Mar 2002 21:21:52 -0500 | ||
92 | |||
93 | openssh (1:3.0.2p1-8.1) unstable; urgency=low | ||
94 | |||
95 | * NMU | ||
96 | * Move from non-US to mani | ||
97 | |||
98 | -- LaMont Jones <lamont@debian.org> Thu, 21 Mar 2002 09:33:50 -0700 | ||
99 | |||
100 | openssh (1:3.0.2p1-8) unstable; urgency=critical | ||
101 | |||
102 | * Security fix - patch from upstream (Closes: #137209, #137210) | ||
103 | * Undo the changes in the unreleased -7, since they appear to break | ||
104 | things here. Accordingly, the code change is minimal, and I'm | ||
105 | happy to get it into testing ASAP | ||
106 | |||
107 | -- Matthew Vernon <matthew@debian.org> Thu, 7 Mar 2002 14:25:23 +0000 | ||
108 | |||
109 | openssh (1:3.0.2p1-7) unstable; urgency=high | ||
110 | |||
111 | * Build to support IPv6 and IPv4 by default again | ||
112 | |||
113 | -- Matthew Vernon <matthew@debian.org> Sat, 2 Mar 2002 00:25:05 +0000 | ||
114 | |||
115 | openssh (1:3.0.2p1-6) unstable; urgency=high | ||
116 | |||
117 | * Correct error in the clean target (Closes: #130868) | ||
118 | |||
119 | -- Matthew Vernon <matthew@debian.org> Sat, 26 Jan 2002 00:32:00 +0000 | ||
120 | |||
121 | openssh (1:3.0.2p1-5) unstable; urgency=medium | ||
122 | |||
123 | * Include the Debian version in our identification, to make it easier to | ||
124 | audit networks for patched versions in future | ||
125 | |||
126 | -- Matthew Vernon <matthew@debian.org> Mon, 21 Jan 2002 17:16:10 +0000 | ||
127 | |||
128 | openssh (1:3.0.2p1-4) unstable; urgency=medium | ||
129 | |||
130 | * If we're asked to not run sshd, stop any running sshd's first | ||
131 | (Closes: #129327) | ||
132 | |||
133 | -- Matthew Vernon <matthew@debian.org> Wed, 16 Jan 2002 21:24:16 +0000 | ||
134 | |||
135 | openssh (1:3.0.2p1-3) unstable; urgency=high | ||
136 | |||
137 | * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913) | ||
138 | * Remove extra debconf suggestion (Closes: #128094) | ||
139 | * Mmm. speedy bug-fixing :-) | ||
140 | |||
141 | -- Matthew Vernon <matthew@debian.org> Sat, 12 Jan 2002 17:23:58 +0000 | ||
142 | |||
143 | openssh (1:3.0.2p1-2) unstable; urgency=high | ||
144 | |||
145 | * Fix postinst to not automatically overwrite sshd_config (!) | ||
146 | (Closes: #127842, #127867) | ||
147 | * Add section in README.Debian about the PermitRootLogin setting | ||
148 | |||
149 | -- Matthew Vernon <matthew@debian.org> Sat, 5 Jan 2003 05:26:30 +0000 | ||
150 | |||
151 | openssh (1:3.0.2p1-1) unstable; urgency=high | ||
152 | |||
153 | * Incorporate fix from Colin's NMU | ||
154 | * New upstream version (fixes the bug Wichert fixed) (Closes: #124035) | ||
155 | * Capitalise IETF (Closes: #125379) | ||
156 | * Refer to the correct sftp-server location (Closes: #126854, #126224) | ||
157 | * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247) | ||
158 | * Ask people upgrading from potato if they want a new conffile | ||
159 | (Closes: #125642) | ||
160 | * Fix a typo in postinst (Closes: #122192, #122410, #123440) | ||
161 | * Frob the default config a little (Closes: #122284, #125827, #125696, | ||
162 | #123854) | ||
163 | * Make /etc/init.d/ssh be more clear about ssh not running (Closes: | ||
164 | #123552) | ||
165 | * Fix typo in templates file (Closes: #123411) | ||
166 | |||
167 | -- Matthew Vernon <matthew@debian.org> Fri, 4 Jan 2002 16:01:52 +0000 | ||
168 | |||
169 | openssh (1:3.0.1p1-1.2) unstable; urgency=high | ||
170 | |||
171 | * Non-maintainer upload | ||
172 | * Prevent local users from passing environment variables to the login | ||
173 | process when UseLogin is enabled | ||
174 | |||
175 | -- Wichert Akkerman <wakkerma@debian.org> Mon, 3 Dec 2001 19:34:45 +0100 | ||
176 | |||
177 | openssh (1:3.0.1p1-1.1) unstable; urgency=low | ||
178 | |||
179 | * Non-maintainer upload, at Matthew's request. | ||
180 | * Remove sa_restorer assignment to fix compilation on alpha, hppa, and | ||
181 | ia64 (closes: #122086). | ||
182 | |||
183 | -- Colin Watson <cjwatson@debian.org> Sun, 2 Dec 2001 18:54:16 +0000 | ||
184 | |||
185 | openssh (1:3.0.1p1-1) unstable; urgency=high | ||
186 | |||
187 | * New upstream version (Closes: #113646, #113513, #114707, #118564) | ||
188 | * Building with a libc that works (!) (Closes: #115228) | ||
189 | * Patches forward-ported are -1/-2 options for scp, the improvement to | ||
190 | 'waiting for forwarded connections to terminate...' | ||
191 | * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228) | ||
192 | * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst | ||
193 | * Remove suidregister leftover from postrm | ||
194 | * Mention key we are making in the postinst | ||
195 | * Default to not enable SSH protocol 1 support, since protocol 2 is | ||
196 | much safer anyway. | ||
197 | * New version of the vpn-fixes patch, from Ian Jackson | ||
198 | * New handling of -q, and added new -qq option; thanks to Jon Amery | ||
199 | * Experimental smartcard support not enabled, since I have no way of | ||
200 | testing it. | ||
201 | |||
202 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 | ||
203 | |||
204 | openssh (1:2.9p2-6) unstable; urgency=low | ||
205 | |||
206 | * check for correct file in /etc/init.d/ssh (Closes: #110876) | ||
207 | * correct location of version 2 keys in ssh.1 (Closes: #110439) | ||
208 | * call update-alternatives --quiet (Closes: #103314) | ||
209 | * hack ssh-copy-id to chmod go-w (Closes: #95551) | ||
210 | * TEMPORARY fix to provide largefile support using a -D in the cflags | ||
211 | line. long-term, upstream will patch the autoconf stuff | ||
212 | (Closes: #106809, #111849) | ||
213 | * remove /etc/rc references in ssh-keygen.1 (Closes: #68350) | ||
214 | * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054) | ||
215 | * Check for files containing a newline character (Closes: #111692) | ||
216 | |||
217 | -- Matthew Vernon <matthew@debian.org> Thu, 13 Sep 2001 16:47:36 +0100 | ||
218 | |||
219 | openssh (1:2.9p2-5) unstable; urgency=high | ||
220 | |||
221 | * Thanks to all the bug-fixers who helped! | ||
222 | * remove sa_restorer assignment (Closes: #102837) | ||
223 | * patch from Peter Benie to DTRT wrt X forwarding if the server refuses | ||
224 | us access (Closes: #48297) | ||
225 | * patch from upstream CVS to fix port forwarding (Closes: #107132) | ||
226 | * patch from Jonathan Amery to document ssh-keygen behaviour | ||
227 | (Closes:#106643, #107512) | ||
228 | * patch to postinst from Jonathan Amery (Closes: #106411) | ||
229 | * patch to manpage from Jonathan Amery (Closes: #107364) | ||
230 | * patch from Matthew Vernon to make -q emit fatal errors as that is the | ||
231 | documented behaviour (Closes: #64347) | ||
232 | * patch from Ian Jackson to cause us to destroy a file when we scp it | ||
233 | onto itself, rather than dumping bits of our memory into it, which was | ||
234 | a security hole (see #51955) | ||
235 | * patch from Jonathan Amery to document lack of Kerberos support | ||
236 | (Closes: #103726) | ||
237 | * patch from Matthew Vernon to make the 'waiting for connections to | ||
238 | terminate' message more helpful (Closes: #50308) | ||
239 | |||
240 | -- Matthew Vernon <matthew@debian.org> Thu, 23 Aug 2001 02:14:09 +0100 | ||
241 | |||
242 | openssh (1:2.9p2-4) unstable; urgency=high | ||
243 | |||
244 | * Today's build of ssh is strawberry flavoured | ||
245 | * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176) | ||
246 | * Tidy up debconf template (Closes: #106152) | ||
247 | * If called non-setuid, then setgid()'s failure should not be fatal (see | ||
248 | #105854) | ||
249 | |||
250 | -- Matthew Vernon <matthew@debian.org> Sun, 22 Jul 2001 14:19:43 +0100 | ||
251 | |||
252 | openssh (1:2.9p2-3) unstable; urgency=low | ||
253 | |||
254 | * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061) | ||
255 | * Improve the IdentityFile section in the man page (Closes: #106038) | ||
256 | |||
257 | -- Matthew Vernon <matthew@debian.org> Sat, 21 Jul 2001 14:47:27 +0100 | ||
258 | |||
259 | openssh (1:2.9p2-2) unstable; urgency=low | ||
260 | |||
261 | * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868) | ||
262 | * Make PrintLastLog 'no' by default (Closes: #105893) | ||
263 | |||
264 | -- Matthew Vernon <matthew@debian.org> Thu, 19 Jul 2001 18:36:41 +0100 | ||
265 | |||
266 | openssh (1:2.9p2-1) unstable; urgency=low | ||
267 | |||
268 | * new (several..) upstream version (Closes: #96726, #81856, #96335) | ||
269 | * Hopefully, this will close some other bugs too | ||
270 | |||
271 | -- Matthew Vernon <matthew@debian.org> Tue, 17 Jul 2001 19:41:58 +0100 | ||
272 | |||
273 | openssh (1:2.5.2p2-3) unstable; urgency=low | ||
274 | |||
275 | * Taking Over this package | ||
276 | * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991) | ||
277 | * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274) | ||
278 | * Don't fiddle with conf-files any more (Closes: #69501) | ||
279 | |||
280 | -- Matthew Vernon <matthew@debian.org> Tue, 03 Jul 2001 02:58:13 +0100 | ||
281 | |||
282 | openssh (1:2.5.2p2-2.2) unstable; urgency=low | ||
283 | |||
284 | * NMU | ||
285 | * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033) | ||
286 | * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273) | ||
287 | * Patch from Matthew Vernon for BannerTimeOut, batchmode, and | ||
288 | documentation for protocolkeepalives. Makes ssh more generally useful | ||
289 | for scripting uses (Closes: #82877, #99275) | ||
290 | * Set a umask, so ourpidfile isn't world-writable (closes: #100012, | ||
291 | #98286, #97391) | ||
292 | |||
293 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Jun 2001 23:15:42 +0100 | ||
294 | |||
295 | openssh (1:2.5.2p2-2.1) unstable; urgency=low | ||
296 | |||
297 | * NMU | ||
298 | * Remove duplicate Build-Depends for libssl096-dev and change it to | ||
299 | depend on libssl-dev instaed. Also adding in virtual | real package | ||
300 | style build-deps. (Closes: #93793, #75228) | ||
301 | * Removing add-log entry (Closes: #79266) | ||
302 | * This was a pam bug from a while back (Closes: #86908, #88457, #86843) | ||
303 | * pam build-dep already exists (Closes: #93683) | ||
304 | * libgnome-dev build-dep already exists (Closes: #93694) | ||
305 | * No longer in non-free (Closes: #85401) | ||
306 | * Adding in fr debconf translations (Closes: #83783) | ||
307 | * Already suggests xbase-clients (Closes: #79741) | ||
308 | * No need to suggest libpam-pwdb anymore (Closes: #81658) | ||
309 | * Providing rsh-client (Closes: #79437) | ||
310 | * hurd patch was already applied (Closes: #76033) | ||
311 | * default set to no (Closes: #73682) | ||
312 | * Adding in a suggests for dnsutils (Closes: #93265) | ||
313 | * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612) | ||
314 | (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465) | ||
315 | * Adding in debconf dependency | ||
316 | |||
317 | -- Ivan E. Moore II <rkrusty@debian.org> Mon, 16 Apr 2001 14:11:04 +0100 | ||
318 | |||
319 | openssh (1:2.5.2p2-2) unstable; urgency=high | ||
320 | |||
321 | * disable the OpenSSL version check in entropy.c | ||
322 | (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648) | ||
323 | |||
324 | -- Philip Hands <phil@uk.alcove.com> Wed, 11 Apr 2001 20:30:04 +0100 | ||
325 | |||
326 | openssh (1:2.5.2p2-1) unstable; urgency=low | ||
327 | |||
328 | * New upstream release | ||
329 | * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748) | ||
330 | * fix double space indent in german templates (closes: #89493) | ||
331 | * make postinst check for ssh_host_rsa_key | ||
332 | * get rid of the last of the misguided debian/rules NMU debris :-/ | ||
333 | |||
334 | -- Philip Hands <phil@hands.com> Sat, 24 Mar 2001 20:59:33 +0000 | ||
335 | |||
336 | openssh (1:2.5.1p2-2) unstable; urgency=low | ||
337 | |||
338 | * rebuild with new debhelper (closes: #89558, #89536, #90225) | ||
339 | * fix broken dpkg-statoverride test in postinst | ||
340 | (closes: #89612, #90474, #90460, #89605) | ||
341 | * NMU bug fixed but not closed in last upload (closes: #88206) | ||
342 | |||
343 | -- Philip Hands <phil@hands.com> Fri, 23 Mar 2001 16:11:33 +0000 | ||
344 | |||
345 | openssh (1:2.5.1p2-1) unstable; urgency=high | ||
346 | |||
347 | * New upstream release | ||
348 | * fix typo in postinst (closes: #88110) | ||
349 | * revert to setting PAM service name in debian/rules, backing out last | ||
350 | NMU, which also (closes: #88101) | ||
351 | * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config | ||
352 | * restore printlastlog option patch | ||
353 | * revert to using debhelper, which had been partially disabled in NMUs | ||
354 | |||
355 | -- Philip Hands <phil@hands.com> Tue, 13 Mar 2001 01:41:34 +0000 | ||
356 | |||
357 | openssh (1:2.5.1p1-1.8) unstable; urgency=high | ||
358 | |||
359 | * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed | ||
360 | |||
361 | -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 19:48:01 +0100 | ||
362 | |||
363 | openssh (1:2.5.1p1-1.7) unstable; urgency=high | ||
364 | |||
365 | * And now we mark the correct binary as setuid, when a user requested | ||
366 | to install it setuid. | ||
367 | |||
368 | -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 07:19:56 +0100 | ||
369 | |||
370 | openssh (1:2.5.1p1-1.6) unstable; urgency=high | ||
371 | |||
372 | * Fixes postinst to handle overrides that are already there. Damn, I | ||
373 | should have noticed the bug earlier. | ||
374 | |||
375 | -- Christian Kurz <shorty@debian.org> Wed, 28 Feb 2001 22:35:00 +0100 | ||
376 | |||
377 | openssh (1:2.5.1p1-1.5) unstable; urgency=high | ||
378 | |||
379 | * Rebuild ssh with pam-support. | ||
380 | |||
381 | -- Christian Kurz <shorty@debian.org> Mon, 26 Feb 2001 21:55:51 +0100 | ||
382 | |||
383 | openssh (1:2.5.1p1-1.4) unstable; urgency=low | ||
384 | |||
385 | * Added Build-Depends on libssl096-dev. | ||
386 | * Fixed sshd_config file to disallow root logins again. | ||
387 | |||
388 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 20:03:55 +0100 | ||
389 | |||
390 | openssh (1:2.5.1p1-1.3) unstable; urgency=low | ||
391 | |||
392 | * Fixed missing manpages for sftp.1 and ssh-keyscan.1 | ||
393 | * Made package policy 3.5.2 compliant. | ||
394 | |||
395 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 15:46:26 +0100 | ||
396 | |||
397 | openssh (1:2.5.1p1-1.2) unstable; urgency=low | ||
398 | |||
399 | * Added Conflict with sftp, since we now provide our own sftp-client. | ||
400 | * Added a fix for our broken dpkg-statoverride call in the | ||
401 | 2.3.0p1-13. | ||
402 | * Fixed some config pathes in the comments of sshd_config. | ||
403 | * Removed ssh-key-exchange-vulnerability-patch since it's not needed | ||
404 | anymore because upstream included the fix. | ||
405 | |||
406 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 13:46:58 +0100 | ||
407 | |||
408 | openssh (1:2.5.1p1-1.1) unstable; urgency=high | ||
409 | |||
410 | * Another NMU to get the new upstream version 2.5.1p1 into | ||
411 | unstable. (Closes: #87123) | ||
412 | * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766) | ||
413 | * Key Exchange patch is already included by upstream. (Closes: #86015) | ||
414 | * Upgrading should be possible now. (Closes: #85525, #85523) | ||
415 | * Added --disable-suid-ssh as compile option, so ssh won't get installed | ||
416 | suid per default. | ||
417 | * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride | ||
418 | is available and the mode of the binary should be 4755. And also added | ||
419 | suggestion for a newer dpkg. | ||
420 | (Closes: #85734, #85741, #86876) | ||
421 | * sftp and ssh-keyscan will also be included from now on. (Closes: #79994) | ||
422 | * scp now understands spaces in filenames (Closes: #53783, #58958, | ||
423 | #66723) | ||
424 | * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623) | ||
425 | * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035) | ||
426 | * ssh supports the usage of other dsa keys via the ssh command line | ||
427 | options. (Closes: #81250) | ||
428 | * Documentation in sshd_config fixed. (Closes: #81088) | ||
429 | * primes file included by upstream and included now. (Closes: #82101) | ||
430 | * scp now allows dots in the username. (Closes: #82477) | ||
431 | * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124) | ||
432 | |||
433 | -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 10:06:08 +0100 | ||
434 | |||
435 | openssh (1:2.3.0p1-1.13) unstable; urgency=low | ||
436 | |||
437 | * Config should now also be fixed with this hopefully last NMU. | ||
438 | |||
439 | -- Christian Kurz <shorty@debian.org> Sat, 10 Feb 2001 22:56:36 +0100 | ||
440 | |||
441 | openssh (1:2.3.0p1-1.12) unstable; urgency=high | ||
442 | |||
443 | * Added suggest for xbase-clients to control-file. (Closes #85227) | ||
444 | * Applied patch from Markus Friedl to fix a vulnerability in | ||
445 | the rsa keyexchange. | ||
446 | * Fixed position of horizontal line. (Closes: #83613) | ||
447 | * Fixed hopefully the grep problem in the config-file. (Closes: #78802) | ||
448 | * Converted package from suidregister to dpkg-statoverride. | ||
449 | |||
450 | -- Christian Kurz <shorty@debian.org> Fri, 9 Feb 2001 19:43:55 +0100 | ||
451 | |||
452 | openssh (1:2.3.0p1-1.11) unstable; urgency=medium | ||
453 | |||
454 | * Fixed some typos in the german translation of the debconf | ||
455 | template. | ||
456 | |||
457 | -- Christian Kurz <shorty@debian.org> Wed, 24 Jan 2001 18:22:38 +0100 | ||
458 | |||
459 | openssh (1:2.3.0p1-1.10) unstable; urgency=medium | ||
460 | |||
461 | * Fixed double printing of motd. (Closes: #82618) | ||
462 | |||
463 | -- Christian Kurz <shorty@debian.org> Tue, 23 Jan 2001 21:03:43 +0100 | ||
464 | |||
465 | openssh (1:2.3.0p1-1.9) unstable; urgency=high | ||
466 | |||
467 | * And the next NMU which includes the patch from Andrew Bartlett | ||
468 | and Markus Friedl to fix the root privileges handling of openssh. | ||
469 | (Closes: #82657) | ||
470 | |||
471 | -- Christian Kurz <shorty@debian.org> Wed, 17 Jan 2001 22:20:54 +0100 | ||
472 | |||
473 | openssh (1:2.3.0p1-1.8) unstable; urgency=high | ||
474 | |||
475 | * Applied fix from Ryan Murray to allow building on other architectures | ||
476 | since the hurd patch was wrong. (Closes: #82471) | ||
477 | |||
478 | -- Christian Kurz <shorty@debian.org> Tue, 16 Jan 2001 22:45:51 +0100 | ||
479 | |||
480 | openssh (1:2.3.0p1-1.7) unstable; urgency=medium | ||
481 | |||
482 | * Fixed another typo on sshd_config | ||
483 | |||
484 | -- Christian Kurz <shorty@debian.org> Sun, 14 Jan 2001 19:01:31 +0100 | ||
485 | |||
486 | openssh (1:2.3.0p1-1.6) unstable; urgency=high | ||
487 | |||
488 | * Added Build-Dependency on groff (Closes: #81886) | ||
489 | * Added Build-Depencency on debhelper (Closes: #82072) | ||
490 | * Fixed entry for known_hosts in sshd_config (Closes: #82096) | ||
491 | |||
492 | -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 23:08:16 +0100 | ||
493 | |||
494 | openssh (1:2.3.0p1-1.5) unstable; urgency=high | ||
495 | |||
496 | * Fixed now also the problem with sshd used as default ipv4 and | ||
497 | didn't use IPv6. This should be now fixed. | ||
498 | |||
499 | -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 21:25:55 +0100 | ||
500 | |||
501 | openssh (1:2.3.0p1-1.4) unstable; urgency=high | ||
502 | |||
503 | * Fixed buggy entry in postinst. | ||
504 | |||
505 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 23:12:16 +0100 | ||
506 | |||
507 | openssh (1:2.3.0p1-1.3) unstable; urgency=high | ||
508 | |||
509 | * After finishing the rewrite of the rules-file I had to notice that | ||
510 | the manpage installation was broken. This should now work again. | ||
511 | |||
512 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 22:11:59 +0100 | ||
513 | |||
514 | openssh (1:2.3.0p1-1.2) unstable; urgency=high | ||
515 | |||
516 | * Fixed the screwed up build-dependency. | ||
517 | * Removed --with-ipv4-default to support ipv6. | ||
518 | * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd. | ||
519 | * Fixed location to sftp-server in config. | ||
520 | * Since debian still relies on /etc/pam.d/ssh instead of moving to | ||
521 | /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name. | ||
522 | * Fixed path to host key in sshd_config. | ||
523 | |||
524 | -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 08:23:47 +0100 | ||
525 | |||
526 | openssh (1:2.3.0p1-1.1) unstable; urgency=medium | ||
527 | |||
528 | * NMU with permission of Phil Hands. | ||
529 | * New upstream release | ||
530 | * Update Build-Depends to point to new libssl096. | ||
531 | * This upstream release doesn't leak any information depending | ||
532 | on the setting of PermitRootLogin (Closes: #59933) | ||
533 | * New upstream release contains fix against forcing a client to | ||
534 | do X/agent forwarding (Closes: #76788) | ||
535 | * Changed template to contain correct path to the documentation | ||
536 | (Closes: #67245) | ||
537 | * Added --with-4in6 switch as compile option into debian/rules. | ||
538 | * Added --with-ipv4-default as compile option into debian/rules. | ||
539 | (Closes: #75037) | ||
540 | * Changed default path to also contain /usr/local/bin and | ||
541 | /usr/X11R6/bin (Closes: #62472,#54567,#62810) | ||
542 | * Changed path to sftp-server in sshd_config to match the | ||
543 | our package (Closes: #68347) | ||
544 | * Replaced OpenBSDh with OpenBSD in the init-script. | ||
545 | * Changed location to original source in copyright.head | ||
546 | * Changed behaviour of init-script when invoked with the option | ||
547 | restart (Closes: #68706,#72560) | ||
548 | * Added a note about -L option of scp to README.Debian | ||
549 | * ssh won't print now the motd if invoked with -t option | ||
550 | (Closes: #59933) | ||
551 | * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867) | ||
552 | * Added a note about tcp-wrapper support to README.Debian | ||
553 | (Closes: #72807,#22190) | ||
554 | * Removed two unneeded options from building process. | ||
555 | * Added sshd.pam into debian dir and install it. | ||
556 | * Commented out unnecessary call to dh_installinfo. | ||
557 | * Added a line to sshd.pam so that limits will be paid attention | ||
558 | to (Closes: #66904) | ||
559 | * Restart Option has a Timeout of 10 seconds (Closes: 51264) | ||
560 | * scp won't override files anymore (Closes: 51955) | ||
561 | * Removed pam_lastlog module, so that the lastlog is now printed | ||
562 | only once (Closes: #71742, #68335, #69592, #71495, #77781) | ||
563 | * If password is expired, openssh now forces the user to change it. | ||
564 | (Closes: #51747) | ||
565 | * scp should now have no more problems with shell-init-files that | ||
566 | produces ouput (Closes: #56280,#59873) | ||
567 | * ssh now prints the motd correctly (Closes: #66926) | ||
568 | * ssh upgrade should disable ssh daemon only if users has choosen | ||
569 | to do so (Closes: #67478) | ||
570 | * ssh can now be installed suid (Closes: #70879) | ||
571 | * Modified debian/rules to support hurd. | ||
572 | |||
573 | -- Christian Kurz <shorty@debian.org> Wed, 27 Dec 2000 20:06:57 +0100 | ||
574 | |||
575 | openssh (1:2.2.0p1-1.1) unstable; urgency=medium | ||
576 | |||
577 | * Non-Maintainer Upload | ||
578 | * Check for new returns in the new libc | ||
579 | (closes: #72803, #74393, #72797, #71307, #71702) | ||
580 | * Link against libssl095a (closes: #66304) | ||
581 | * Correct check for PermitRootLogin (closes: #69448) | ||
582 | |||
583 | -- Ryan Murray <rmurray@debian.org> Wed, 18 Oct 2000 00:48:18 -0700 | ||
584 | |||
585 | openssh (1:2.2.0p1-1) unstable; urgency=low | ||
586 | |||
587 | * New upstream release | ||
588 | |||
589 | -- Philip Hands <phil@hands.com> Mon, 11 Sep 2000 14:49:43 +0100 | ||
590 | |||
591 | openssh (1:2.1.1p4-3) unstable; urgency=low | ||
592 | |||
593 | * add rsh alternatives | ||
594 | * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097) | ||
595 | * do the IPV4_DEFAULT thing properly this time | ||
596 | |||
597 | -- Philip Hands <phil@hands.com> Fri, 11 Aug 2000 18:14:37 +0100 | ||
598 | |||
599 | openssh (1:2.1.1p4-2) unstable; urgency=low | ||
600 | |||
601 | * reinstate manpage .out patch from 1:1.2.3 | ||
602 | * fix typo in postinst | ||
603 | * only compile ssh with IPV4_DEFAULT | ||
604 | * apply James Troup's patch to add a -o option to scp and updated manpage | ||
605 | |||
606 | -- Philip Hands <phil@hands.com> Sun, 30 Jul 2000 00:12:49 +0100 | ||
607 | |||
608 | openssh (1:2.1.1p4-1) unstable; urgency=low | ||
609 | |||
610 | * New upstream release | ||
611 | |||
612 | -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 14:46:16 +0100 | ||
613 | |||
614 | openssh (1:1.2.3-10) unstable; urgency=low | ||
615 | |||
616 | * add version to libpam-modules dependency, because old versions of | ||
617 | pam_motd make it impossible to log in. | ||
618 | |||
619 | -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 13:28:22 +0100 | ||
620 | |||
621 | openssh (1:1.2.3-9) frozen unstable; urgency=low | ||
622 | |||
623 | * force location of /usr/bin/X11/xauth | ||
624 | (closes: #64424, #66437, #66859) *RC* | ||
625 | * typos in config (closes: #66779, #66780) | ||
626 | * sshd_not_to_be_run could be assumed to be true, in error, if the config | ||
627 | script died in an unusual way --- I've reversed this (closes: #66335) | ||
628 | * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk | ||
629 | (closes: #65981) | ||
630 | * change default for PermitRootLogin to "no" (closes: #66406) | ||
631 | |||
632 | -- Philip Hands <phil@hands.com> Tue, 11 Jul 2000 20:51:18 +0100 | ||
633 | |||
634 | openssh (1:1.2.3-8) frozen unstable; urgency=low | ||
635 | |||
636 | * get rid of Provides: rsh-server (this will mean that rstartd | ||
637 | will need to change it's depends to deal with #63948, which I'm | ||
638 | reopening) (closes: #66257) | ||
639 | Given that this is also a trivial change, and is a reversal of a | ||
640 | change that was mistakenly made after the freeze, I think this should | ||
641 | also go into frozen. | ||
642 | |||
643 | -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:26:30 +0100 | ||
644 | |||
645 | openssh (1:1.2.3-7) frozen unstable; urgency=low | ||
646 | |||
647 | * check if debconf is installed before calling db_stop in postinst. | ||
648 | This is required to allow ssh to be installed when debconf is not | ||
649 | wanted, which probably makes it an RC upload (hopefully the last of | ||
650 | too many). | ||
651 | |||
652 | -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:19:47 +0100 | ||
653 | |||
654 | openssh (1:1.2.3-6) frozen unstable; urgency=low | ||
655 | |||
656 | * fixed depressing little bug involving a line wrap looking like | ||
657 | a blank line in the templates file *RC* | ||
658 | (closes: #66090, #66078, #66083, #66182) | ||
659 | |||
660 | -- Philip Hands <phil@hands.com> Mon, 26 Jun 2000 00:45:05 +0100 | ||
661 | |||
662 | openssh (1:1.2.3-5) frozen unstable; urgency=low | ||
663 | |||
664 | * add code to prevent UseLogin exploit, although I think our PAM | ||
665 | conditional code breaks UseLogin in a way that protects us from this | ||
666 | exploit anyway. ;-) (closes: #65495) *RC* | ||
667 | * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard | ||
668 | grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC* | ||
669 | * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3) | ||
670 | and use db_stop in the postinst to solve that problem instead | ||
671 | (closes: #65104) | ||
672 | * add Provides: rsh-server to ssh (closes: #63948) | ||
673 | * provide config option not to run sshd | ||
674 | |||
675 | -- Philip Hands <phil@hands.com> Mon, 12 Jun 2000 23:05:11 +0100 | ||
676 | |||
677 | openssh (1:1.2.3-4) frozen unstable; urgency=low | ||
678 | |||
679 | * fixes #63436 which is *RC* | ||
680 | * add 10 second pause in init.d restart (closes: #63844) | ||
681 | * get rid of noenv in PAM mail line (closes: #63856) | ||
682 | * fix host key path in make-ssh-known-hosts (closes: #63713) | ||
683 | * change wording of SUID template (closes: #62788, #63436) | ||
684 | |||
685 | -- Philip Hands <phil@hands.com> Sat, 27 May 2000 11:18:06 +0100 | ||
686 | |||
687 | openssh (1:1.2.3-3) frozen unstable; urgency=low | ||
688 | |||
689 | * redirect sshd's file descriptors to /dev/null in init to | ||
690 | prevent debconf from locking up during installation | ||
691 | ** grave bug just submited by me ** | ||
692 | |||
693 | -- Philip Hands <phil@hands.com> Thu, 20 Apr 2000 17:10:59 +0100 | ||
694 | |||
695 | openssh (1:1.2.3-2) frozen unstable; urgency=low | ||
696 | |||
697 | * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC ** | ||
698 | * suggest debconf | ||
699 | * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst | ||
700 | |||
701 | -- Philip Hands <phil@hands.com> Wed, 19 Apr 2000 17:49:15 +0100 | ||
702 | |||
703 | openssh (1:1.2.3-1) frozen unstable; urgency=low | ||
704 | |||
705 | * New upstream release | ||
706 | * patch sshd to create extra xauth key required for localhost | ||
707 | (closes: #49944) *** RC *** | ||
708 | * FallbacktoRsh now defaults to ``no'' to match impression | ||
709 | given in sshd_config | ||
710 | * stop setting suid bit on ssh (closes: #58711, #58558) | ||
711 | This breaks Rhosts authentication (which nobody uses) and allows | ||
712 | the LD_PRELOAD trick to get socks working, so seems like a net benefit. | ||
713 | |||
714 | -- Philip Hands <phil@hands.com> Thu, 13 Apr 2000 20:01:54 +0100 | ||
715 | |||
716 | openssh (1:1.2.2-1.4) frozen unstable; urgency=low | ||
717 | |||
718 | * Recompile for frozen, contains fix for RC bug. | ||
719 | |||
720 | -- Tommi Virtanen <tv@debian.org> Tue, 29 Feb 2000 22:14:58 +0200 | ||
721 | |||
722 | openssh (1:1.2.2-1.3) unstable; urgency=low | ||
723 | |||
724 | * Integrated man page addition for PrintLastLog. | ||
725 | This bug was filed on "openssh", and I ended up | ||
726 | creating my own patch for this (closes: #59054) | ||
727 | * Improved error message when ssh_exchange_identification | ||
728 | gets EOF (closes: #58904) | ||
729 | * Fixed typo (your -> you're) in debian/preinst. | ||
730 | * Added else-clauses to config to make this upgradepath possible: | ||
731 | oldssh -> openssh preinst fails due to upgrade_to_openssh=false | ||
732 | -> ssh-nonfree -> openssh. Without these, debconf remembered | ||
733 | the old answer, config didn't force asking it, and preinst always | ||
734 | aborted (closes: #56596, #57782) | ||
735 | * Moved setting upgrade_to_openssh isdefault flag to the place | ||
736 | where preinst would abort. This means no double question to most | ||
737 | users, people who currently suffer from "can't upgrade" may need | ||
738 | to run apt-get install ssh twice. Did not do the same for | ||
739 | use_old_init_script, as the situation is a bit different, and | ||
740 | less common (closes: #54010, #56224) | ||
741 | * Check for existance of ssh-keygen before attempting to use it in | ||
742 | preinst, added warning for non-existant ssh-keygen in config. This | ||
743 | happens when the old ssh is removed (say, due to ssh-nonfree getting | ||
744 | installed). | ||
745 | |||
746 | -- Tommi Virtanen <tv@debian.org> Sun, 27 Feb 2000 21:36:43 +0200 | ||
747 | |||
748 | openssh (1:1.2.2-1.2) frozen unstable; urgency=low | ||
749 | |||
750 | * Non-maintainer upload. | ||
751 | * Added configuration option PrintLastLog, default off due to PAM | ||
752 | (closes: #54007, #55042) | ||
753 | * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's | ||
754 | Suggests: line more accurate. Also closing related bugs fixed | ||
755 | earlier, when default ssh-askpass moved to /usr/bin. | ||
756 | (closes: #52403, #54741, #50607, #52298, #50967, #51661) | ||
757 | * Patched to call vhangup, with autoconf detection and all | ||
758 | (closes: #55379) | ||
759 | * Added --with-ipv4-default workaround to a glibc bug causing | ||
760 | slow DNS lookups, as per UPGRADING. Use -6 to really use | ||
761 | IPv6 addresses. (closes: #57891, #58744, #58713, #57970) | ||
762 | * Added noenv to PAM pam_mail line. Thanks to Ben Collins. | ||
763 | (closes: #58429) | ||
764 | * Added the UPGRADING file to the package. | ||
765 | * Added frozen to the changelog line and recompiled before | ||
766 | package was installed into the archive. | ||
767 | |||
768 | -- Tommi Virtanen <tv@debian.org> Fri, 25 Feb 2000 22:08:57 +0200 | ||
769 | |||
770 | openssh (1:1.2.2-1.1) frozen unstable; urgency=low | ||
771 | |||
772 | * Non-maintainer upload. | ||
773 | * Integrated scp pipe buffer patch from Ben Collins | ||
774 | <benc@debian.org>, should now work even if reading | ||
775 | a pipe gives less than fstat st_blksize bytes. | ||
776 | Should now work on Alpha and Sparc Linux (closes: #53697, #52071) | ||
777 | * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393) | ||
778 | * Integrated patch from Ben Collins <benc@debian.org> | ||
779 | to do full shadow account locking and expiration | ||
780 | checking (closes: #58165, #51747) | ||
781 | |||
782 | -- Tommi Virtanen <tv@debian.org> Tue, 22 Feb 2000 20:46:12 +0200 | ||
783 | |||
784 | openssh (1:1.2.2-1) frozen unstable; urgency=medium | ||
785 | |||
786 | * New upstream release (closes: #56870, #56346) | ||
787 | * built against new libesd (closes: #56805) | ||
788 | * add Colin Watson <cjw44@cam.ac.uk> =NULL patch | ||
789 | (closes: #49902, #54894) | ||
790 | * use socketpairs as suggested by Andrew Tridgell to eliminate rsync | ||
791 | (and other) lockups | ||
792 | * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/ | ||
793 | (closes: #49902, #55872, #56959) | ||
794 | * uncoment the * line in ssh_config (closes: #56444) | ||
795 | |||
796 | * #54894 & #49902 are release critical, so this should go in frozen | ||
797 | |||
798 | -- Philip Hands <phil@hands.com> Wed, 9 Feb 2000 04:52:04 +0000 | ||
799 | |||
800 | openssh (1:1.2.1pre24-1) unstable; urgency=low | ||
801 | |||
802 | * New upstream release | ||
803 | |||
804 | -- Philip Hands <phil@hands.com> Fri, 31 Dec 1999 02:47:24 +0000 | ||
805 | |||
806 | openssh (1:1.2.1pre23-1) unstable; urgency=low | ||
807 | |||
808 | * New upstream release | ||
809 | * excape ? in /etc/init.d/ssh (closes: #53269) | ||
810 | |||
811 | -- Philip Hands <phil@hands.com> Wed, 29 Dec 1999 16:50:46 +0000 | ||
812 | |||
813 | openssh (1:1.2pre17-1) unstable; urgency=low | ||
814 | |||
815 | * New upstream release | ||
816 | |||
817 | -- Philip Hands <phil@hands.com> Thu, 9 Dec 1999 16:50:40 +0000 | ||
818 | |||
819 | openssh (1:1.2pre16-1) unstable; urgency=low | ||
820 | |||
821 | * New upstream release | ||
822 | * upstream release (1.2pre14) (closes: #50299) | ||
823 | * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776) | ||
824 | * dispose of grep -q broken pipe message in config script (closes: #50855) | ||
825 | * add make-ssh-known-hosts (closes: #50660) | ||
826 | * add -i option to ssh-copy-id (closes: #50657) | ||
827 | * add check for *LK* in password, indicating a locked account | ||
828 | |||
829 | -- Philip Hands <phil@hands.com> Wed, 8 Dec 1999 22:59:38 +0000 | ||
830 | |||
831 | openssh (1:1.2pre13-1) unstable; urgency=low | ||
832 | |||
833 | * New upstream release | ||
834 | * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules | ||
835 | * remove duplicate line in /etc/pam.d/ssh (closes: #50310) | ||
836 | * mention ssh -A option in ssh.1 & ssh_config | ||
837 | * enable forwarding to localhost in default ssh_config (closes: #50373) | ||
838 | * tweak preinst to deal with debconf being `unpacked' | ||
839 | * use --with-tcp-wrappers (closes: #49545) | ||
840 | |||
841 | -- Philip Hands <phil@hands.com> Sat, 20 Nov 1999 14:20:04 +0000 | ||
842 | |||
843 | openssh (1:1.2pre11-2) unstable; urgency=low | ||
844 | |||
845 | * oops, just realised that I forgot to strip out the unpleasant | ||
846 | fiddling mentioned below (which turned not to be a fix anyway) | ||
847 | |||
848 | -- Philip Hands <phil@hands.com> Mon, 15 Nov 1999 01:35:23 +0000 | ||
849 | |||
850 | openssh (1:1.2pre11-1) unstable; urgency=low | ||
851 | |||
852 | * New upstream release (closes: #49722) | ||
853 | * add 2>/dev/null to dispose of spurious message casused by grep -q | ||
854 | (closes: #49876, #49604) | ||
855 | * fix typo in debian/control (closes: #49841) | ||
856 | * Do some unpleasant fiddling with upgraded keys in the preinst, which | ||
857 | should make the keylength problem go away. (closes: #49676) | ||
858 | * make pam_start in sshd use ``ssh'' as the service name (closes: #49956) | ||
859 | * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107) | ||
860 | * apply Ben Collins <bcollins@debian.org>'s shadow patch | ||
861 | * disable lastlogin and motd printing if using pam (closes: #49957) | ||
862 | * add ssh-copy-id script and manpage | ||
863 | |||
864 | -- Philip Hands <phil@hands.com> Fri, 12 Nov 1999 01:03:38 +0000 | ||
865 | |||
866 | openssh (1:1.2pre9-1) unstable; urgency=low | ||
867 | |||
868 | * New upstream release | ||
869 | * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch | ||
870 | to channels.c, to make forwarded ports instantly reusable | ||
871 | * replace Pre-Depend: debconf with some check code in preinst | ||
872 | * make the ssh-add ssh-askpass failure message more helpful | ||
873 | * fix the ssh-agent getopts bug (closes: #49426) | ||
874 | * fixed typo on Suggests: line (closes: #49704, #49571) | ||
875 | * tidy up ssh package description (closes: #49642) | ||
876 | * make ssh suid (closes: #49635) | ||
877 | * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606) | ||
878 | * disable agent forwarding by default, for the similar reasons as | ||
879 | X forwarding (closes: #49586) | ||
880 | |||
881 | -- Philip Hands <phil@hands.com> Tue, 9 Nov 1999 09:57:47 +0000 | ||
882 | |||
883 | openssh (1:1.2pre7-4) unstable; urgency=low | ||
884 | |||
885 | * predepend on debconf (>= 0.2.17) should now allow preinst questions | ||
886 | |||
887 | -- Philip Hands <phil@hands.com> Sat, 6 Nov 1999 10:31:06 +0000 | ||
888 | |||
889 | openssh (1:1.2pre7-3) unstable; urgency=low | ||
890 | |||
891 | * add ssh-askpass package using Tommi Virtanen's perl-tk script | ||
892 | * add ssh-preconfig package cludge | ||
893 | * add usage hints to ssh-agent.1 | ||
894 | |||
895 | -- Philip Hands <phil@hands.com> Fri, 5 Nov 1999 00:38:33 +0000 | ||
896 | |||
897 | openssh (1:1.2pre7-2) unstable; urgency=low | ||
898 | |||
899 | * use pam patch from Ben Collins <bcollins@debian.org> | ||
900 | * add slogin symlink to Makefile.in | ||
901 | * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login | ||
902 | * sort out debconf usage | ||
903 | * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass | ||
904 | |||
905 | -- Philip Hands <phil@hands.com> Thu, 4 Nov 1999 11:08:54 +0000 | ||
906 | |||
907 | openssh (1:1.2pre7-1) unstable; urgency=low | ||
908 | |||
909 | * New upstream release | ||
910 | |||
911 | -- Philip Hands <phil@hands.com> Tue, 2 Nov 1999 21:02:37 +0000 | ||
912 | |||
913 | openssh (1:1.2.0.pre6db1-2) unstable; urgency=low | ||
914 | |||
915 | * change the binary package name to ssh (the non-free branch of ssh has | ||
916 | been renamed to ssh-nonfree) | ||
917 | * make pam file comply with Debian standards | ||
918 | * use an epoch to make sure openssh supercedes ssh-nonfree | ||
919 | |||
920 | -- Philip Hands <phil@hands.com> Sat, 30 Oct 1999 16:26:05 +0100 | ||
921 | |||
922 | openssh (1.2pre6db1-1) unstable; urgency=low | ||
923 | |||
924 | * New upstream source | ||
925 | * sshd accepts logins now! | ||
926 | |||
927 | -- Dan Brosemer <odin@linuxfreak.com> Fri, 29 Oct 1999 11:13:38 -0500 | ||
928 | |||
929 | openssh (1.2.0.19991028-1) unstable; urgency=low | ||
930 | |||
931 | * New upstream source | ||
932 | * Added test for -lnsl to configure script | ||
933 | |||
934 | -- Dan Brosemer <odin@linuxfreak.com> Thu, 28 Oct 1999 18:52:09 -0500 | ||
935 | |||
936 | openssh (1.2.0.19991027-3) unstable; urgency=low | ||
937 | |||
938 | * Initial release | ||
939 | |||
940 | -- Dan Brosemer <odin@linuxfreak.com> Wed, 27 Oct 1999 19:39:46 -0500 | ||
941 | |||
942 | Local variables: | ||
943 | mode: debian-changelog | ||
944 | End: | ||
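Review bot: the entry at changelog line 443, `(Closes #85227)`, is missing the colon after "Closes", so the bug-closing pattern will not match it and the bug will not be closed automatically on upload; it should read `(Closes: #85227)`. Lines 559, 560 and 697 (`Closes: 51264`, `Closes: 51955`, `closes: 62462`) omit the `#`, which still parses but is inconsistent with the rest of the file. The security entry at lines 444-445 (the rsa keyexchange fix) carries no bug number or other reference, unlike the privilege-handling fix at lines 467-469, which makes it harder to audit which upstream change was applied.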
diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 000000000..fbc2e8444 --- /dev/null +++ b/debian/conffiles | |||
@@ -0,0 +1,4 @@ | |||
1 | /etc/ssh/ssh_config | ||
2 | /etc/ssh/moduli | ||
3 | /etc/init.d/ssh | ||
4 | /etc/pam.d/ssh | ||
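Review bot: /etc/ssh/sshd_config is absent from this list while debian/postinst handles it in `create_sshdconfig`, so dpkg's conffile prompting will not cover local edits to the server configuration. If that is deliberate (the `ssh/new_config` debconf question in debian/config suggests it is), README.Debian should say so, and the postinst path that regenerates the file needs to keep a copy of the administrator's existing sshd_config.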
diff --git a/debian/config b/debian/config new file mode 100644 index 000000000..0a5f42b2e --- /dev/null +++ b/debian/config | |||
@@ -0,0 +1,86 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then | ||
7 | version=1.2.27 | ||
8 | cp -a /etc/ssh-nonfree /etc/ssh | ||
9 | fi | ||
10 | |||
11 | # Source debconf library. | ||
12 | . /usr/share/debconf/confmodule | ||
13 | db_version 2.0 | ||
14 | |||
15 | if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1 | ||
16 | then | ||
17 | db_text medium ssh/ssh2_keys_merged | ||
18 | fi | ||
19 | |||
20 | if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh | ||
21 | then | ||
22 | db_fset ssh/use_old_init_script isdefault true | ||
23 | db_input medium ssh/use_old_init_script || true | ||
24 | db_go | ||
25 | |||
26 | db_get ssh/use_old_init_script | ||
27 | [ "$RET" = "false" ] && exit 0 | ||
28 | else | ||
29 | db_set ssh/use_old_init_script true | ||
30 | db_fset ssh/use_old_init_script isdefault false | ||
31 | fi | ||
32 | |||
33 | if [ -z "$version" -a ! -e /etc/ssh/sshd_config ] | ||
34 | then | ||
35 | db_input medium ssh/protocol2_only || true | ||
36 | fi | ||
37 | |||
38 | if [ -e /etc/ssh/sshd_config ] | ||
39 | then | ||
40 | if dpkg --compare-versions "$version" lt-nl 1:1.3 ; | ||
41 | then db_input medium ssh/new_config || true | ||
42 | db_get ssh/new_config | ||
43 | if [ "$RET" = "true" ]; | ||
44 | then db_input medium ssh/protocol2_only ||true | ||
45 | db_input high ssh/privsep_ask ||true | ||
46 | else db_text high ssh/privsep_tell ||true | ||
47 | fi | ||
48 | else db_text high ssh/privsep_tell ||true | ||
49 | fi | ||
50 | else db_text high ssh/privsep_tell ||true | ||
51 | fi | ||
52 | |||
53 | db_input medium ssh/SUID_client || true | ||
54 | |||
55 | db_input medium ssh/run_sshd || true | ||
56 | |||
57 | if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf | ||
58 | then | ||
59 | if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null | ||
60 | then | ||
61 | db_input low ssh/insecure_telnetd || true | ||
62 | fi | ||
63 | fi | ||
64 | |||
65 | key=/etc/ssh/ssh_host_key | ||
66 | export key | ||
67 | if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] && | ||
68 | dpkg --compare-versions "$version" lt 1.2.28 | ||
69 | then | ||
70 | # make sure that keys get updated to get rid of IDEA; preinst | ||
71 | # actually does the work, but if the old ssh-keygen is not found, | ||
72 | # it can't do that -- thus, we tell the user that he must create | ||
73 | # a new host key. | ||
74 | echo -en '\0\0' | 3<&0 sh -c \ | ||
75 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
76 | # this means that bytes 32&33 of the key were not both zero, in which | ||
77 | # case the key is encrypted, which we need to fix | ||
78 | db_input high ssh/encrypted_host_key_but_no_keygen || true | ||
79 | } | ||
80 | fi | ||
81 | |||
82 | |||
83 | db_text low ssh/forward_warning || true | ||
84 | db_go | ||
85 | |||
86 | exit 0 | ||
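Review bot: at lines 41-42, `db_get ssh/new_config` follows `db_input` with no `db_go` in between, so the question has only been queued and `$RET` holds the stored or default value rather than the answer given in this run; the choice between asking `ssh/protocol2_only` and `ssh/privsep_ask` or showing `ssh/privsep_tell` is made before the user has seen the question. Add a `db_go` between the two calls, as the `ssh/use_old_init_script` block at lines 23-26 already does. Two smaller points: line 74 relies on `echo -en` under `#!/bin/sh`, which not every sh implements (`printf '\0\0'` is portable), and `$key` is unquoted in the test at line 67.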
diff --git a/debian/control b/debian/control new file mode 100644 index 000000000..7063438ad --- /dev/null +++ b/debian/control | |||
@@ -0,0 +1,43 @@ | |||
1 | Source: openssh | ||
2 | Section: net | ||
3 | Priority: standard | ||
4 | Maintainer: Matthew Vernon <matthew@debian.org> | ||
5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnome-dev, groff, debhelper (>=1.1.17) | ||
6 | Standards-Version: 3.5.2 | ||
7 | |||
8 | Package: ssh | ||
9 | Architecture: any | ||
10 | Depends: ${shlibs:Depends}, ${pam-depend}, debconf, adduser | ||
11 | Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, debconf (<<0.2.17), debconf-tiny (<<0.2.17), sftp, rsh-client (<<0.16.1-1) | ||
12 | Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils | ||
13 | Provides: rsh-client | ||
14 | Description: Secure rlogin/rsh/rcp replacement (OpenSSH) | ||
15 | This is the portable version of OpenSSH, a free implementation of | ||
16 | the Secure Shell protocol as specified by the IETF secsh working | ||
17 | group. | ||
18 | . | ||
19 | Ssh (Secure Shell) is a program for logging into a remote machine | ||
20 | and for executing commands on a remote machine. | ||
21 | It provides secure encrypted communications between two untrusted | ||
22 | hosts over an insecure network. X11 connections and arbitrary TCP/IP | ||
23 | ports can also be forwarded over the secure channel. | ||
24 | It is intended as a replacement for rlogin, rsh and rcp, and can be | ||
25 | used to provide applications with a secure communication channel. | ||
26 | . | ||
27 | -------------------------------------------------------------------- | ||
28 | . | ||
29 | In some countries, particularly Iraq, and Pakistan, it may be illegal | ||
30 | to use any encryption at all without a special permit. | ||
31 | |||
32 | Package: ssh-askpass-gnome | ||
33 | Section: x11 | ||
34 | Architecture: any | ||
35 | Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4) | ||
36 | Provides: ssh-askpass | ||
37 | Description: under X, asks user for a passphrase for ssh-add | ||
38 | This has been split out of the main ssh package, so that the ssh will | ||
39 | not need to depend upon the Gnome libraries. | ||
40 | . | ||
41 | You probably want the ssh-askpass package instead, but this is | ||
42 | provided to add to your choice and/or confusion. | ||
43 | |||
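Review bot: line 10 declares an unversioned `Depends: debconf` while line 11 carries `Conflicts: debconf (<<0.2.17)`; with debconf now a hard dependency, the constraint reads more clearly as `debconf (>= 0.2.17)` in Depends, leaving the Conflicts entry only for debconf-tiny. In the Description, line 29 has a stray comma in "particularly Iraq, and Pakistan".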
diff --git a/debian/copyright.head b/debian/copyright.head new file mode 100644 index 000000000..cd4d45b24 --- /dev/null +++ b/debian/copyright.head | |||
@@ -0,0 +1,36 @@ | |||
1 | This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999 | ||
2 | (with help from Dan Brosemer <odin@linuxfreak.com>) | ||
3 | |||
4 | It was downloaded from here: | ||
5 | ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz | ||
6 | |||
7 | worldwide mirrors are listed here: | ||
8 | http://www.openssh.com/ftp.html | ||
9 | |||
10 | The Debian specific parts of the package are mostly taken from the | ||
11 | original ssh package, which has since been renamed as ssh-nonfree. | ||
12 | |||
13 | The Debian patch is distributed under the terms of the GPL. | ||
14 | |||
15 | The upstream source for this package is a combination of the ssh | ||
16 | branch that is being maintained by the OpenBSD team (starting from | ||
17 | the last version of SSH that was distributed under a free license), | ||
18 | and porting work by Damien Miller <damien@ibs.com.au> to get it | ||
19 | working on Linux. Other people also contributed to this, and are | ||
20 | credited in README.openssh. | ||
21 | |||
22 | Copyright: | ||
23 | |||
24 | Code in helper.[ch] is Copyright Internet Business Solutions and is | ||
25 | released under a X11-style license (see source file for details). | ||
26 | |||
27 | (A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a | ||
28 | X11-style license (see source file for details). | ||
29 | |||
30 | make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>, | ||
31 | and is distributed under the GPL (see source file for details). | ||
32 | |||
33 | The copyright for the orignal SSH version follows. It has been | ||
34 | modified with [comments] to reflect the changes that the OpenBSD folks | ||
35 | have made: | ||
36 | |||
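Review bot: the download location at line 5 still names openssh-2.3.0p1.tar.gz, but debian/config in this same change compares against 1:3.0p1-1 and debian/init creates the PrivSep directory, so the packaged upstream version is evidently newer than the tarball cited here. Update the URL to the source actually used, or drop the version from the path so it does not go stale again. Line 33 also has a typo, "orignal".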
diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 000000000..00a019411 --- /dev/null +++ b/debian/dirs | |||
@@ -0,0 +1,7 @@ | |||
1 | usr/bin | ||
2 | usr/sbin | ||
3 | usr/lib | ||
4 | etc/ssh | ||
5 | etc/init.d | ||
6 | usr/share/man/man1 | ||
7 | usr/share/man/man8 | ||
diff --git a/debian/init b/debian/init new file mode 100644 index 000000000..fe59584e6 --- /dev/null +++ b/debian/init | |||
@@ -0,0 +1,60 @@ | |||
1 | #! /bin/sh | ||
2 | |||
3 | # /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon | ||
4 | |||
5 | test -x /usr/sbin/sshd || exit 0 | ||
6 | ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 | ||
7 | |||
8 | # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists | ||
9 | if [ -e /etc/ssh/sshd_not_to_be_run ]; then | ||
10 | echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" | ||
11 | exit 0 | ||
12 | fi | ||
13 | |||
14 | check_config() { | ||
15 | /usr/sbin/sshd -t || exit 1 | ||
16 | } | ||
17 | |||
18 | # Configurable options: | ||
19 | |||
20 | case "$1" in | ||
21 | start) | ||
22 | test -f /etc/ssh/sshd_not_to_be_run && exit 0 | ||
23 | #Create the PrivSep empty dir if necessary | ||
24 | if [ ! -d /var/run/sshd ]; then | ||
25 | mkdir /var/run/sshd; chmod 0755 /var/run/sshd | ||
26 | fi | ||
27 | echo -n "Starting OpenBSD Secure Shell server: sshd" | ||
28 | start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd | ||
29 | echo "." | ||
30 | ;; | ||
31 | stop) | ||
32 | echo -n "Stopping OpenBSD Secure Shell server: sshd" | ||
33 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid | ||
34 | echo "." | ||
35 | ;; | ||
36 | |||
37 | reload|force-reload) | ||
38 | test -f /etc/ssh/sshd_not_to_be_run && exit 0 | ||
39 | check_config | ||
40 | echo -n "Reloading OpenBSD Secure Shell server's configuration" | ||
41 | start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd | ||
42 | echo "." | ||
43 | ;; | ||
44 | |||
45 | restart) | ||
46 | test -f /etc/ssh/sshd_not_to_be_run && exit 0 | ||
47 | check_config | ||
48 | echo -n "Restarting OpenBSD Secure Shell server: sshd" | ||
49 | start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid | ||
50 | sleep 2 | ||
51 | start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd | ||
52 | echo "." | ||
53 | ;; | ||
54 | |||
55 | *) | ||
56 | echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}" | ||
57 | exit 1 | ||
58 | esac | ||
59 | |||
60 | exit 0 | ||
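Review bot: the guard on /etc/ssh/sshd_not_to_be_run (script lines 8-12) sits before the case statement, so it applies to every action and not only to start as its comment says; with the flag file present, `stop` exits 0 without signalling a running sshd. Keep the check in the start, reload and restart branches, which already repeat it as `test -f /etc/ssh/sshd_not_to_be_run && exit 0`, and let stop always run. Separately, start is the only branch that launches sshd without calling check_config first, so a broken sshd_config is caught on restart and reload but not on start.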
diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 000000000..34fee95d8 --- /dev/null +++ b/debian/postinst | |||
@@ -0,0 +1,330 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | test -e /usr/share/debconf/confmodule && { | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | } | ||
10 | |||
11 | umask 022 | ||
12 | |||
13 | if [ "$action" != configure ] | ||
14 | then | ||
15 | exit 0 | ||
16 | fi | ||
17 | |||
18 | |||
19 | |||
20 | check_idea_key() { | ||
21 | #check for old host_key files using IDEA, which openssh does not support | ||
22 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
23 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
24 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
25 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
26 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
27 | fi | ||
28 | fi | ||
29 | } | ||
30 | |||
31 | |||
32 | create_key() { | ||
33 | local msg="$1" | ||
34 | shift | ||
35 | local file="$1" | ||
36 | shift | ||
37 | |||
38 | if [ ! -f "$file" ] ; then | ||
39 | echo -n $msg | ||
40 | ssh-keygen -f "$file" -N '' "$@" > /dev/null | ||
41 | echo | ||
42 | fi | ||
43 | } | ||
44 | |||
45 | |||
46 | create_keys() { | ||
47 | RET=true | ||
48 | test -e /usr/share/debconf/confmodule && { | ||
49 | db_get ssh/protocol2_only | ||
50 | } | ||
51 | |||
52 | if [ "$RET" = "false" ] ; then | ||
53 | create_key "Creating SSH1 key" /etc/ssh/ssh_host_key -t rsa1 | ||
54 | fi | ||
55 | |||
56 | create_key "Creating SSH2 RSA key" /etc/ssh/ssh_host_rsa_key -t rsa | ||
57 | create_key "Creating SSH2 DSA key" /etc/ssh/ssh_host_dsa_key -t dsa | ||
58 | } | ||
59 | |||
60 | |||
61 | create_sshdconfig() { | ||
62 | if [ -e /etc/ssh/sshd_config ] ; then | ||
63 | if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then | ||
64 | RET=true | ||
65 | test -e /usr/share/debconf/confmodule && { | ||
66 | db_get ssh/new_config | ||
67 | } | ||
68 | if [ "$RET" = "false" ] ; then return 0; fi | ||
69 | else return 0 | ||
70 | fi | ||
71 | fi | ||
72 | RET=true | ||
73 | test -e /usr/share/debconf/confmodule && { | ||
74 | db_get ssh/protocol2_only | ||
75 | } | ||
76 | |||
77 | #Preserve old sshd_config before generating a new on | ||
78 | if [ -e /etc/ssh/sshd_config ] ; then | ||
79 | mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old | ||
80 | fi | ||
81 | |||
82 | cat <<EOF > /etc/ssh/sshd_config | ||
83 | # Package generated configuration file | ||
84 | # See the sshd(8) manpage for defails | ||
85 | |||
86 | # What ports, IPs and protocols we listen for | ||
87 | Port 22 | ||
88 | # Use these options to restrict which interfaces/protocols sshd will bind to | ||
89 | #ListenAddress :: | ||
90 | #ListenAddress 0.0.0.0 | ||
91 | EOF | ||
92 | if [ "$RET" = "false" ]; then | ||
93 | cat <<EOF >> /etc/ssh/sshd_config | ||
94 | Protocol 2,1 | ||
95 | # HostKeys for protocol version 1 | ||
96 | HostKey /etc/ssh/ssh_host_key | ||
97 | # HostKeys for protocol version 2 | ||
98 | HostKey /etc/ssh/ssh_host_rsa_key | ||
99 | HostKey /etc/ssh/ssh_host_dsa_key | ||
100 | EOF | ||
101 | else | ||
102 | cat <<EOF >> /etc/ssh/sshd_config | ||
103 | Protocol 2 | ||
104 | # HostKeys for protocol version 2 | ||
105 | HostKey /etc/ssh/ssh_host_rsa_key | ||
106 | HostKey /etc/ssh/ssh_host_dsa_key | ||
107 | EOF | ||
108 | fi | ||
109 | |||
110 | test -e /usr/share/debconf/confmodule && { | ||
111 | db_get ssh/privsep_ask | ||
112 | } | ||
113 | if [ "$RET" = "false" ]; then | ||
114 | cat <<EOF >> /etc/ssh/sshd_config | ||
115 | #Explicitly set PrivSep off, as requested | ||
116 | UsePrivilegeSeparation no | ||
117 | |||
118 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
119 | # properly interface with the user | ||
120 | PAMAuthenticationViaKbdInt yes | ||
121 | EOF | ||
122 | else | ||
123 | cat <<EOF >> /etc/ssh/sshd_config | ||
124 | #Privilege Separation is turned on for security | ||
125 | UsePrivilegeSeparation yes | ||
126 | |||
127 | # ...but breaks Pam auth via kbdint, so we have to turn it off | ||
128 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
129 | # properly interface with the user (off due to PrivSep) | ||
130 | PAMAuthenticationViaKbdInt no | ||
131 | EOF | ||
132 | fi | ||
133 | |||
134 | cat <<EOF >> /etc/ssh/sshd_config | ||
135 | # Lifetime and size of ephemeral version 1 server key | ||
136 | KeyRegenerationInterval 3600 | ||
137 | ServerKeyBits 768 | ||
138 | |||
139 | # Logging | ||
140 | SyslogFacility AUTH | ||
141 | LogLevel INFO | ||
142 | |||
143 | # Authentication: | ||
144 | LoginGraceTime 600 | ||
145 | PermitRootLogin yes | ||
146 | StrictModes yes | ||
147 | |||
148 | RSAAuthentication yes | ||
149 | PubkeyAuthentication yes | ||
150 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
151 | |||
152 | # rhosts authentication should not be used | ||
153 | RhostsAuthentication no | ||
154 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
155 | IgnoreRhosts yes | ||
156 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
157 | RhostsRSAAuthentication no | ||
158 | # similar for protocol version 2 | ||
159 | HostbasedAuthentication no | ||
160 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
161 | #IgnoreUserKnownHosts yes | ||
162 | |||
163 | # To enable empty passwords, change to yes (NOT RECOMMENDED) | ||
164 | PermitEmptyPasswords no | ||
165 | |||
166 | # Uncomment to disable s/key passwords | ||
167 | #ChallengeResponseAuthentication no | ||
168 | |||
169 | # To disable tunneled clear text passwords, change to no here! | ||
170 | PasswordAuthentication yes | ||
171 | |||
172 | |||
173 | # To change Kerberos options | ||
174 | #KerberosAuthentication no | ||
175 | #KerberosOrLocalPasswd yes | ||
176 | #AFSTokenPassing no | ||
177 | #KerberosTicketCleanup no | ||
178 | |||
179 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
180 | #KerberosTgtPassing yes | ||
181 | |||
182 | X11Forwarding no | ||
183 | X11DisplayOffset 10 | ||
184 | PrintMotd no | ||
185 | #PrintLastLog no | ||
186 | KeepAlive yes | ||
187 | #UseLogin no | ||
188 | |||
189 | #MaxStartups 10:30:60 | ||
190 | #Banner /etc/issue.net | ||
191 | #ReverseMappingCheck yes | ||
192 | |||
193 | Subsystem sftp /usr/lib/sftp-server | ||
194 | |||
195 | EOF | ||
196 | } | ||
197 | |||
198 | |||
199 | fix_rsh_diversion() { | ||
200 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
201 | |||
202 | if [ -L /usr/bin/rsh ] && | ||
203 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
204 | for cmd in rlogin rsh rcp ; do | ||
205 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
206 | dpkg-divert --package ssh --remove --rename \ | ||
207 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
208 | |||
209 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
210 | dpkg-divert --package ssh --remove --rename \ | ||
211 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
212 | done | ||
213 | |||
214 | rmdir /usr/bin/rsh.real | ||
215 | fi | ||
216 | } | ||
217 | |||
218 | |||
219 | fix_statoverride() { | ||
220 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
221 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
222 | if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then | ||
223 | dpkg-statoverride --remove /usr/sbin/sshd | ||
224 | fi | ||
225 | fi | ||
226 | } | ||
227 | |||
228 | |||
229 | create_alternatives() { | ||
230 | # Create alternatives for the various r* tools | ||
231 | # Make sure we don't change existing alternatives that a user might have | ||
232 | # changed | ||
233 | for cmd in rsh rlogin rcp ; do | ||
234 | if ! update-alternatives --display $cmd | \ | ||
235 | grep -q ssh ; then | ||
236 | update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \ | ||
237 | --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz | ||
238 | fi | ||
239 | done | ||
240 | |||
241 | } | ||
242 | |||
243 | setup_sshd_user() { | ||
244 | if ! id sshd > /dev/null 2>&1 ; then | ||
245 | adduser --quiet --system --no-create-home --home /var/run/sshd sshd | ||
246 | fi | ||
247 | } | ||
248 | |||
249 | set_sshd_permissions() { | ||
250 | suid=false | ||
251 | |||
252 | if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then | ||
253 | if [ -x /usr/sbin/dpkg-statoverride ] ; then | ||
254 | if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then | ||
255 | dpkg-statoverride --remove /usr/bin/ssh >/dev/null | ||
256 | fi | ||
257 | fi | ||
258 | fi | ||
259 | |||
260 | [ -e /usr/share/debconf/confmodule ] && { | ||
261 | db_get ssh/SUID_client | ||
262 | suid="$RET" | ||
263 | } | ||
264 | if [ -x /usr/sbin/dpkg-statoverride ] ; then | ||
265 | if ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then | ||
266 | if [ "$suid" = "false" ] ; then | ||
267 | chmod 0755 /usr/lib/ssh-keysign | ||
268 | elif [ "$suid" = "true" ] ; then | ||
269 | chmod 4755 /usr/lib/ssh-keysign | ||
270 | fi | ||
271 | fi | ||
272 | else | ||
273 | if [ "$suid" = "false" ] ; then | ||
274 | chmod 0755 /usr/lib/ssh-keysign | ||
275 | elif [ "$suid" = "true" ] ; then | ||
276 | chmod 4755 /usr/lib/ssh-keysign | ||
277 | fi | ||
278 | |||
279 | fi | ||
280 | } | ||
281 | |||
282 | |||
283 | setup_startup() { | ||
284 | start=yes | ||
285 | [ -e /usr/share/debconf/confmodule ] && { | ||
286 | db_get ssh/run_sshd | ||
287 | start="$RET" | ||
288 | } | ||
289 | |||
290 | if [ "$start" != "true" ] ; then | ||
291 | /etc/init.d/ssh stop 2>&1 >/dev/null | ||
292 | touch /etc/ssh/sshd_not_to_be_run | ||
293 | else | ||
294 | rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null | ||
295 | fi | ||
296 | } | ||
297 | |||
298 | |||
299 | setup_init() { | ||
300 | if [ -e /etc/init.d/ssh ]; then | ||
301 | update-rc.d ssh defaults >/dev/null | ||
302 | /etc/init.d/ssh restart | ||
303 | fi | ||
304 | } | ||
305 | |||
306 | check_idea_key | ||
307 | create_keys | ||
308 | create_sshdconfig | ||
309 | fix_rsh_diversion | ||
310 | fix_statoverride | ||
311 | create_alternatives | ||
312 | setup_sshd_user | ||
313 | set_sshd_permissions | ||
314 | setup_startup | ||
315 | setup_init | ||
316 | |||
317 | |||
318 | # Automatically added by dh_installdocs | ||
319 | if [ "$1" = "configure" ]; then | ||
320 | if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then | ||
321 | ln -sf ../share/doc/ssh /usr/doc/ssh | ||
322 | fi | ||
323 | fi | ||
324 | # End automatically added section | ||
325 | |||
326 | |||
327 | [ -e /usr/share/debconf/confmodule ] && db_stop | ||
328 | |||
329 | exit 0 | ||
330 | |||
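Review bot: in fix_rsh_diversion (script line 209) the man-page cleanup runs `rm /usr/man/man1/$$cmd.1.gz`; `$$` expands to the shell's PID, so the symlink just tested with `[ -L /usr/man/man1/$cmd.1.gz ]` is not the file rm is asked to delete, and under `#!/bin/sh -e` the failing rm ends the script. Use `$cmd`. In setup_startup, `/etc/init.d/ssh stop 2>&1 >/dev/null` silences only stdout because redirections are applied left to right; write `>/dev/null 2>&1`. The generated sshd_config also ships `PermitRootLogin yes` together with `PasswordAuthentication yes`, while debian/postinst.old in this same commit writes `PermitRootLogin no` and `PasswordAuthentication no`; a change of default in that direction needs an explicit justification in the commit.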
diff --git a/debian/postinst.old b/debian/postinst.old new file mode 100644 index 000000000..586da1cc6 --- /dev/null +++ b/debian/postinst.old | |||
@@ -0,0 +1,269 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action="$1" | ||
4 | oldversion="$2" | ||
5 | |||
6 | test -e /usr/share/debconf/confmodule && { | ||
7 | . /usr/share/debconf/confmodule | ||
8 | db_version 2.0 | ||
9 | } | ||
10 | |||
11 | |||
12 | if [ "$action" != configure ] | ||
13 | then | ||
14 | exit 0 | ||
15 | fi | ||
16 | |||
17 | |||
18 | |||
19 | check_idea_key() { | ||
20 | #check for old host_key files using IDEA, which openssh does not support | ||
21 | if [ -f /etc/ssh/ssh_host_key ] ; then | ||
22 | if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \ | ||
23 | grep -q 'unknown cipher' 2>/dev/null ; then | ||
24 | mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old | ||
25 | mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old | ||
26 | fi | ||
27 | fi | ||
28 | } | ||
29 | |||
30 | |||
31 | create_key() { | ||
32 | local file="$1" | ||
33 | shift | ||
34 | |||
35 | if [ ! -f "$file" ] ; then | ||
36 | ( umask 022 ; \ | ||
37 | ssh-keygen -f "$file" -N '' "$@" > /dev/null ) | ||
38 | fi | ||
39 | } | ||
40 | |||
41 | |||
42 | create_keys() { | ||
43 | RET=true | ||
44 | test -e /usr/share/debconf/confmodule && { | ||
45 | db_get ssh/protocol2_only | ||
46 | } | ||
47 | |||
48 | if [ "$RET" = "false" ] ; then | ||
49 | echo "Creating SSH1 key" | ||
50 | create_key /etc/ssh/ssh_host_key | ||
51 | fi | ||
52 | |||
53 | echo "Creating SSH2 RSA key" | ||
54 | create_key /etc/ssh/ssh_host_rsa_key -t rsa | ||
55 | echo "Creating SSH2 DSA key" | ||
56 | create_key /etc/ssh/ssh_host_dsa_key -t dsa | ||
57 | } | ||
58 | |||
59 | |||
60 | create_sshdconfig() { | ||
61 | [ -e /etc/ssh/sshd_config ] && return | ||
62 | |||
63 | RET=true | ||
64 | test -e /usr/share/debconf/confmodule && { | ||
65 | db_get ssh/protocol2_only | ||
66 | } | ||
67 | |||
68 | cat <<EOF > /etc/ssh/sshd_config | ||
69 | # Package generated configuration file | ||
70 | # See the sshd(8) manpage for defails | ||
71 | |||
72 | # What ports, IPs and protocols we listen for | ||
73 | Port 22 | ||
74 | # Uncomment the next entry to accept IPv6 traffic. | ||
75 | #ListenAddress :: | ||
76 | #ListenAddress 0.0.0.0 | ||
77 | EOF | ||
78 | if [ "$RET" = "false" ]; then | ||
79 | cat <<EOF >> /etc/ssh/sshd_config | ||
80 | Protocol 2,1 | ||
81 | # HostKeys for protocol version 1 | ||
82 | HostKey /etc/ssh/ssh_host_key | ||
83 | # HostKeys for protocol version 2 | ||
84 | HostKey /etc/ssh/ssh_host_rsa_key | ||
85 | HostKey /etc/ssh/ssh_host_dsa_key | ||
86 | EOF | ||
87 | else | ||
88 | cat <<EOF >> /etc/ssh/sshd_config | ||
89 | Protocol 2 | ||
90 | # HostKeys for protocol version 2 | ||
91 | HostKey /etc/ssh/ssh_host_rsa_key | ||
92 | HostKey /etc/ssh/ssh_host_dsa_key | ||
93 | EOF | ||
94 | fi | ||
95 | |||
96 | |||
97 | cat <<EOF >> /etc/ssh/sshd_config | ||
98 | # Lifetime and size of ephemeral version 1 server key | ||
99 | KeyRegenerationInterval 3600 | ||
100 | ServerKeyBits 768 | ||
101 | |||
102 | # Logging | ||
103 | SyslogFacility AUTH | ||
104 | LogLevel INFO | ||
105 | |||
106 | # Authentication: | ||
107 | LoginGraceTime 600 | ||
108 | PermitRootLogin no | ||
109 | StrictModes yes | ||
110 | |||
111 | RSAAuthentication yes | ||
112 | PubkeyAuthentication yes | ||
113 | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
114 | |||
115 | # rhosts authentication should not be used | ||
116 | RhostsAuthentication no | ||
117 | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
118 | IgnoreRhosts yes | ||
119 | # For this to work you will also need host keys in /etc/ssh_known_hosts | ||
120 | RhostsRSAAuthentication no | ||
121 | # similar for protocol version 2 | ||
122 | HostbasedAuthentication no | ||
123 | # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication | ||
124 | #IgnoreUserKnownHosts yes | ||
125 | |||
126 | # To disable tunneled clear text passwords, change to no here! | ||
127 | PermitEmptyPasswords no | ||
128 | |||
129 | # Uncomment to disable s/key passwords | ||
130 | #ChallengeResponseAuthentication no | ||
131 | |||
132 | # Use PAM authentication via keyboard-interactive so PAM modules can | ||
133 | # properly interface with the user | ||
134 | PasswordAuthentication no | ||
135 | PAMAuthenticationViaKbdInt yes | ||
136 | |||
137 | # To change Kerberos options | ||
138 | #KerberosAuthentication no | ||
139 | #KerberosOrLocalPasswd yes | ||
140 | #AFSTokenPassing no | ||
141 | #KerberosTicketCleanup no | ||
142 | |||
143 | # Kerberos TGT Passing does only work with the AFS kaserver | ||
144 | #KerberosTgtPassing yes | ||
145 | |||
146 | X11Forwarding no | ||
147 | X11DisplayOffset 10 | ||
148 | PrintMotd no | ||
149 | #PrintLastLog no | ||
150 | KeepAlive yes | ||
151 | #UseLogin no | ||
152 | |||
153 | #MaxStartups 10:30:60 | ||
154 | #Banner /etc/issue.net | ||
155 | #ReverseMappingCheck yes | ||
156 | |||
157 | Subsystem sftp /usr/libexec/sftp-server | ||
158 | EOF | ||
159 | } | ||
160 | |||
161 | |||
162 | fix_rsh_diversion() { | ||
163 | # get rid of mistaken rsh diversion (circa 1.2.27-1) | ||
164 | |||
165 | if [ -L /usr/bin/rsh ] && | ||
166 | dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then | ||
167 | for cmd in rlogin rsh rcp ; do | ||
168 | [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd | ||
169 | dpkg-divert --package ssh --remove --rename \ | ||
170 | --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd | ||
171 | |||
172 | [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz | ||
173 | dpkg-divert --package ssh --remove --rename \ | ||
174 | --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz | ||
175 | done | ||
176 | |||
177 | rmdir /usr/bin/rsh.real | ||
178 | fi | ||
179 | } | ||
180 | |||
181 | |||
182 | fix_statoverride() { | ||
183 | # Remove an erronous override for sshd (we should have overridden ssh) | ||
184 | if [ -x /usr/sbin/dpkg-statoverride ]; then | ||
185 | if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then | ||
186 | dpkg-statoverride --remote /usr/sbin/sshd | ||
187 | fi | ||
188 | fi | ||
189 | } | ||
190 | |||
191 | |||
192 | create_alternatives() { | ||
193 | # Create alternatives for the various r* tools | ||
194 | # Make sure we don't change existing alternatives that a user might have | ||
195 | # changed | ||
196 | for cmd in rsh rlogin rcp ; do | ||
197 | if ! update-alternatives --display $cmd | \ | ||
198 | grep -q ssh ; then | ||
199 | update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \ | ||
200 | --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz | ||
201 | fi | ||
202 | done | ||
203 | |||
204 | } | ||
205 | |||
206 | |||
207 | set_sshd_permissions() { | ||
208 | suid=no | ||
209 | |||
210 | [ -e /usr/share/debconf/confmodule ] && { | ||
211 | db_get ssh/SUID_client | ||
212 | suid="$RET" | ||
213 | } | ||
214 | |||
215 | if [ "$suid" = "yes" ] ; then | ||
216 | if [ -x /usr/sbin/dpkg-statoverride ] && \ | ||
217 | ! dpkg-statoverride /usr/bin/ssh ; then | ||
218 | dpkg-statoverride --add root root 04755 /usr/bin/ssh | ||
219 | fi | ||
220 | fi | ||
221 | } | ||
222 | |||
223 | |||
224 | setup_startup() { | ||
225 | start=yes | ||
226 | [ -e /usr/share/debconf/confmodule ] && { | ||
227 | db_get ssh/run_sshd | ||
228 | start="$RET" | ||
229 | } | ||
230 | |||
231 | if [ "$start" != "true" ] ; then | ||
232 | touch /etc/ssh/sshd_not_to_be_run | ||
233 | else | ||
234 | rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null | ||
235 | fi | ||
236 | } | ||
237 | |||
238 | |||
239 | setup_init() { | ||
240 | if [ -e /etc/init.d/ssh ]; then | ||
241 | update-rc.d ssh defaults >/dev/null | ||
242 | /etc/init.d/ssh restart | ||
243 | fi | ||
244 | } | ||
245 | |||
246 | check_idea_key | ||
247 | create_keys | ||
248 | create_sshdconfig | ||
249 | fix_rsh_diversion | ||
250 | fix_statoverride | ||
251 | create_alternatives | ||
252 | set_sshd_permissions | ||
253 | setup_startup | ||
254 | setup_init | ||
255 | |||
256 | |||
257 | # Automatically added by dh_installdocs | ||
258 | if [ "$1" = "configure" ]; then | ||
259 | if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then | ||
260 | ln -sf ../share/doc/ssh /usr/doc/ssh | ||
261 | fi | ||
262 | fi | ||
263 | # End automatically added section | ||
264 | |||
265 | |||
266 | [ -e /usr/share/debconf/confmodule ] && db_stop | ||
267 | |||
268 | exit 0 | ||
269 | |||
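Review bot: fix_statoverride (script line 186) calls `dpkg-statoverride --remote /usr/sbin/sshd`, which looks like a typo for `--remove`, the spelling debian/postinst uses in the same function, so the erroneous override is not dropped. set_sshd_permissions has two more problems: `! dpkg-statoverride /usr/bin/ssh` is missing `--list`, and `suid` is initialised to `no` and compared with `yes` although the other db_get results in this file are compared with `true` and `false`, so the setuid branch does not follow the debconf answer. It is also worth asking whether a superseded postinst.old belongs in the tree at all, since debian/rules in this commit never refers to it.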
diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 000000000..bd0bbee38 --- /dev/null +++ b/debian/postrm | |||
@@ -0,0 +1,16 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | if [ "$1" = "purge" ] | ||
4 | then | ||
5 | rm -rf /etc/ssh | ||
6 | fi | ||
7 | |||
8 | if [ "$1" = "purge" ] ; then | ||
9 | update-rc.d ssh remove >/dev/null | ||
10 | fi | ||
11 | |||
12 | if [ "$1" = "purge" ] ; then | ||
13 | deluser --quiet sshd > /dev/null || true | ||
14 | fi | ||
15 | |||
16 | #DEBHELPER# | ||
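Review bot: the three consecutive `if [ "$1" = "purge" ]` blocks test the same condition and can be folded into one. Order matters under `sh -e`: `update-rc.d ssh remove` has no `|| true`, so if it fails the script stops before `deluser` runs, while `rm -rf /etc/ssh` has already happened. `rm -rf /etc/ssh` also deletes everything in the directory, including the host keys created by postinst and any file the administrator placed there; consider removing only the files the package generated and then an `rmdir` that is allowed to fail.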
diff --git a/debian/preinst b/debian/preinst new file mode 100644 index 000000000..320d4df2a --- /dev/null +++ b/debian/preinst | |||
@@ -0,0 +1,79 @@ | |||
1 | #!/bin/sh -e | ||
2 | |||
3 | action=$1 | ||
4 | version=$2 | ||
5 | |||
6 | if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then | ||
7 | version=1.2.27 | ||
8 | fi | ||
9 | |||
10 | if [ "$action" = upgrade -o "$action" = install ] | ||
11 | then | ||
12 | # check if debconf is missing | ||
13 | if ! test -f /usr/share/debconf/confmodule | ||
14 | then | ||
15 | cat <<EOF | ||
16 | |||
17 | WARNING: ssh's pre-configuration script relies on debconf to tell you | ||
18 | about some problems that might prevent you from logging in if you are | ||
19 | upgrading from the old, Non-free version of ssh. | ||
20 | |||
21 | If this is a new installation, you don't need to worry about this. | ||
22 | Just go ahead and install ssh (make sure to read .../ssh/README.Debian). | ||
23 | |||
24 | If you are upgrading, but you have alternative ways of logging into | ||
25 | the machine (i.e. you're sitting in front of it, or you have telnetd | ||
26 | running), then you also don't need to worry too much, because you can | ||
27 | fix it up afterwards if there's a problem. | ||
28 | |||
29 | If you're upgrading from an older (non-free) version of ssh, and ssh | ||
30 | is the only way you have to access this machine, then you should | ||
31 | probably abort the installation of ssh, install debconf, and then | ||
32 | retry the installation of ssh. | ||
33 | |||
34 | EOF | ||
35 | echo -n "Do you want to install SSH anyway [yN]: " | ||
36 | read input | ||
37 | expr "$input" : '[Yy]' >/dev/null || exit 1 | ||
38 | |||
39 | # work around for missing debconf | ||
40 | db_get() { : ; } | ||
41 | RET=true | ||
42 | if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then | ||
43 | cp -a /etc/ssh-nonfree /etc/ssh | ||
44 | fi | ||
45 | else | ||
46 | # Source debconf library. | ||
47 | . /usr/share/debconf/confmodule | ||
48 | db_version 2.0 | ||
49 | fi | ||
50 | |||
51 | db_get ssh/use_old_init_script | ||
52 | if [ "$RET" = "false" ]; then | ||
53 | echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2 | ||
54 | exit 1 | ||
55 | fi | ||
56 | |||
57 | # deal with upgrading from pre-OpenSSH versions | ||
58 | key=/etc/ssh/ssh_host_key | ||
59 | export key | ||
60 | if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] && | ||
61 | dpkg --compare-versions "$version" lt 1.2.28 | ||
62 | then | ||
63 | # make sure that keys get updated to get rid of IDEA | ||
64 | # | ||
65 | # N.B. this only works because we've still got the old | ||
66 | # nonfree ssh-keygen at this point | ||
67 | # | ||
68 | # First, check if we need to bother | ||
69 | echo -en '\0\0' | 3<&0 sh -c \ | ||
70 | 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || { | ||
71 | # this means that bytes 32&33 of the key were not both zero, in which | ||
72 | # case the key is encrypted, which we need to fix | ||
73 | chmod 600 $key | ||
74 | ssh-keygen -u -f $key >/dev/null | ||
75 | } | ||
76 | fi | ||
77 | fi | ||
78 | |||
79 | #DEBHELPER# | ||
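Review bot: the IDEA check on script line 69 depends on `echo -en '\0\0'` in a `#!/bin/sh` script; `-e` and `-n` are not guaranteed for sh's echo, and where they are not honoured the reference stream is not two NUL bytes, cmp reports a difference and `ssh-keygen -u` is run on a key that did not need converting. `printf '\0\0'` is the portable spelling. The no-debconf path also prompts with `read input`, which an unattended install cannot answer; document that this path aborts the install, or default to abort without prompting when stdin is not a terminal.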
diff --git a/debian/prerm b/debian/prerm new file mode 100644 index 000000000..17aa45e1f --- /dev/null +++ b/debian/prerm | |||
@@ -0,0 +1,44 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | update-alternatives --quiet --remove ssh /usr/bin/ssh | ||
21 | update-alternatives --quiet --remove ssh /usr/bin/slogin | ||
22 | update-alternatives --quiet --remove ssh /usr/bin/scp | ||
23 | if [ -e /etc/init.d/ssh ]; then | ||
24 | /etc/init.d/ssh stop | ||
25 | fi | ||
26 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
27 | ;; | ||
28 | upgrade) | ||
29 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
30 | ;; | ||
31 | failed-upgrade) | ||
32 | ;; | ||
33 | *) | ||
34 | echo "prerm called with unknown argument \`$1'" >&2 | ||
35 | exit 0 | ||
36 | ;; | ||
37 | esac | ||
38 | |||
39 | # dh_installdeb will replace this with shell code automatically | ||
40 | # generated by other debhelper scripts. | ||
41 | |||
42 | #DEBHELPER# | ||
43 | |||
44 | exit 0 | ||
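Review bot: the remove|deconfigure branch removes alternatives under the name `ssh` (paths /usr/bin/ssh, /usr/bin/slogin and /usr/bin/scp), but create_alternatives in debian/postinst registers them under the names rsh, rlogin and rcp, each pointing at /usr/bin/ssh, so these three calls do not undo what the package installed and the r* alternatives outlive it. Loop over rsh rlogin rcp and call `update-alternatives --quiet --remove $cmd /usr/bin/ssh`. Because the script runs under `set -e`, also decide whether a failing update-alternatives should prevent `/etc/init.d/ssh stop` from running; as written it does.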
diff --git a/debian/rules b/debian/rules new file mode 100755 index 000000000..365872d3d --- /dev/null +++ b/debian/rules | |||
@@ -0,0 +1,106 @@ | |||
1 | #!/usr/bin/make -f | ||
2 | |||
3 | # Uncomment this to turn on verbose mode. | ||
4 | # export DH_VERBOSE=1 | ||
5 | |||
6 | # This is the debhelper compatability version to use. | ||
7 | export DH_COMPAT=1 | ||
8 | |||
9 | # This has to be exported to make some magic below work. | ||
10 | export DH_OPTIONS | ||
11 | |||
12 | #PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog) | ||
13 | |||
14 | DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH) | ||
15 | |||
16 | build: build-stamp | ||
17 | build-stamp: | ||
18 | dh_testdir | ||
19 | #Change the version string to include the Debian Version | ||
20 | if <version.h sed -e "/define/s/\"\(.*\)\"/\"\1 Debian `dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p'`\"/" >version.h.new; \ | ||
21 | then mv version.h version.h.upstream; mv version.h.new version.h; \ | ||
22 | else echo "Version number change failed"; exit 1; \ | ||
23 | fi | ||
24 | ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-ipv4-default \ | ||
25 | --with-privsep-path=/var/run/sshd --without-rand-helper | ||
26 | $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \ | ||
27 | SSH_KEYSIGN='/usr/lib/ssh-keysign' | ||
28 | gcc -O2 `gnome-config --cflags gnome gnomeui` \ | ||
29 | contrib/gnome-ssh-askpass.c -o contrib/gnome-ssh-askpass \ | ||
30 | `gnome-config --libs gnome gnomeui` | ||
31 | |||
32 | touch build-stamp | ||
33 | |||
34 | clean: | ||
35 | dh_testdir | ||
36 | rm -f build-stamp | ||
37 | -$(MAKE) -i distclean | ||
38 | rm -f contrib/gnome-ssh-askpass config.log | ||
39 | if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \ | ||
40 | fi | ||
41 | dh_clean | ||
42 | |||
43 | install: DH_OPTIONS= | ||
44 | install: build | ||
45 | dh_testdir | ||
46 | dh_testroot | ||
47 | dh_clean -k | ||
48 | dh_installdirs | ||
49 | |||
50 | # Add here commands to install the package into debian/tmp. | ||
51 | $(MAKE) DESTDIR=`pwd`/debian/tmp install | ||
52 | |||
53 | rm -f debian/tmp/etc/ssh/ssh_host_*key* | ||
54 | rm -f debian/tmp/etc/ssh/sshd_config | ||
55 | #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway. | ||
56 | rm -f debian/tmp/usr/share/Ssh.bin | ||
57 | |||
58 | install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id | ||
59 | install -m644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1 | ||
60 | |||
61 | install -s -o root -g root -m 755 contrib/gnome-ssh-askpass debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass | ||
62 | |||
63 | install -o root -g root debian/init debian/tmp/etc/init.d/ssh | ||
64 | |||
65 | install -o root -g root -m 755 -d debian/tmp/var/run/sshd | ||
66 | |||
67 | dh_movefiles | ||
68 | |||
69 | # Build architecture-independent files here. | ||
70 | binary-indep: build install | ||
71 | # nothing to do | ||
72 | |||
73 | # Build architecture-dependent files here. | ||
74 | binary-arch: build install | ||
75 | dh_testdir | ||
76 | dh_testroot | ||
77 | dh_installdebconf | ||
78 | dh_installdocs OVERVIEW README | ||
79 | cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright | ||
80 | dh_installexamples | ||
81 | dh_installmenu | ||
82 | nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC | ||
83 | gzip -9 debian/tmp/usr/share/doc/ssh/RFC | ||
84 | rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz | ||
85 | dh_installpam | ||
86 | dh_installcron | ||
87 | dh_installchangelogs ChangeLog | ||
88 | dh_strip | ||
89 | dh_link | ||
90 | dh_compress | ||
91 | dh_fixperms | ||
92 | dh_installdeb | ||
93 | test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \ | ||
94 | || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles | ||
95 | dh_shlibdeps | ||
96 | ifeq ($(DEB_HOST_ARCH),hurd-i386) | ||
97 | echo "pam-depend=" >> debian/substvars | ||
98 | else | ||
99 | echo "pam-depend=libpam-modules (>= 0.72-9), " >> debian/substvars | ||
100 | endif | ||
101 | dh_gencontrol | ||
102 | dh_md5sums | ||
103 | dh_builddeb | ||
104 | |||
105 | binary: binary-indep binary-arch | ||
106 | .PHONY: build clean binary-indep binary-arch binary install | ||
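Review bot: the version.h rewrite at the top of build-stamp (rules lines 20-23) is not idempotent: if configure or make fails after the `mv`, build-stamp is never touched, and the next `build` runs sed over the already patched file, appends the Debian suffix a second time and overwrites version.h.upstream with the patched copy, so `clean` can no longer restore the upstream file. Skip the rewrite when version.h.upstream already exists, or always generate version.h from version.h.upstream. In CFLAGS, `-D__FILE_OFFSET_BITS=64` has two leading underscores; the glibc feature-test macro is `_FILE_OFFSET_BITS`, so as written the define has no effect on large-file support. The separate gcc call for contrib/gnome-ssh-askpass also hard-codes `-O2` instead of reusing the flags passed to $(MAKE).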
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright new file mode 100644 index 000000000..4a71dda00 --- /dev/null +++ b/debian/ssh-askpass-gnome.copyright | |||
@@ -0,0 +1,44 @@ | |||
1 | This package contains a Gnome based implementation of ssh-askpass | ||
2 | written by Damien Miller. | ||
3 | |||
4 | It is split out from the main package to isolate the dependency on the | ||
5 | Gnome and X11 libraries. | ||
6 | |||
7 | It was packaged for Debian by Philip Hands <phil@hands.com>. | ||
8 | |||
9 | Copyright: | ||
10 | |||
11 | /* | ||
12 | ** | ||
13 | ** GNOME ssh passphrase requestor | ||
14 | ** | ||
15 | ** Damien Miller <djm@ibs.com.au> | ||
16 | ** | ||
17 | ** Copyright 1999 Internet Business Solutions | ||
18 | ** | ||
19 | ** Permission is hereby granted, free of charge, to any person | ||
20 | ** obtaining a copy of this software and associated documentation | ||
21 | ** files (the "Software"), to deal in the Software without | ||
22 | ** restriction, including without limitation the rights to use, copy, | ||
23 | ** modify, merge, publish, distribute, sublicense, and/or sell copies | ||
24 | ** of the Software, and to permit persons to whom the Software is | ||
25 | ** furnished to do so, subject to the following conditions: | ||
26 | ** | ||
27 | ** The above copyright notice and this permission notice shall be | ||
28 | ** included in all copies or substantial portions of the Software. | ||
29 | ** | ||
30 | ** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY | ||
31 | ** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE | ||
32 | ** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE | ||
33 | ** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET | ||
34 | ** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
35 | ** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | ||
36 | ** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE | ||
37 | ** OR OTHER DEALINGS IN THE SOFTWARE. | ||
38 | ** | ||
39 | ** Except as contained in this notice, the name of Internet Business | ||
40 | ** Solutions shall not be used in advertising or otherwise to promote | ||
41 | ** the sale, use or other dealings in this Software without prior | ||
42 | ** written authorization from Internet Business Solutions. | ||
43 | ** | ||
44 | */ | ||
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs new file mode 100644 index 000000000..6c255ea63 --- /dev/null +++ b/debian/ssh-askpass-gnome.dirs | |||
@@ -0,0 +1 @@ | |||
usr/lib/ssh/ | |||
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst new file mode 100644 index 000000000..3a52d3005 --- /dev/null +++ b/debian/ssh-askpass-gnome.postinst | |||
@@ -0,0 +1,49 @@ | |||
1 | #! /bin/sh | ||
2 | # postinst script for ssh-askpass-gnome | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <postinst> `configure' <most-recently-configured-version> | ||
10 | # * <old-postinst> `abort-upgrade' <new version> | ||
11 | # * <conflictor's-postinst> `abort-remove' `in-favour' <package> | ||
12 | # <new-version> | ||
13 | # * <deconfigured's-postinst> `abort-deconfigure' `in-favour' | ||
14 | # <failed-install-package> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | # | ||
18 | # quoting from the policy: | ||
19 | # Any necessary prompting should almost always be confined to the | ||
20 | # post-installation script, and should be protected with a conditional | ||
21 | # so that unnecessary prompting doesn't happen if a package's | ||
22 | # installation fails and the `postinst' is called with `abort-upgrade', | ||
23 | # `abort-remove' or `abort-deconfigure'. | ||
24 | |||
25 | case "$1" in | ||
26 | configure) | ||
27 | update-alternatives --quiet --install /usr/bin/ssh-askpass ssh-askpass /usr/lib/ssh/gnome-ssh-askpass 30 | ||
28 | |||
29 | |||
30 | ;; | ||
31 | |||
32 | abort-upgrade|abort-remove|abort-deconfigure) | ||
33 | |||
34 | ;; | ||
35 | |||
36 | *) | ||
37 | echo "postinst called with unknown argument \`$1'" >&2 | ||
38 | exit 0 | ||
39 | ;; | ||
40 | esac | ||
41 | |||
42 | # dh_installdeb will replace this with shell code automatically | ||
43 | # generated by other debhelper scripts. | ||
44 | |||
45 | #DEBHELPER# | ||
46 | |||
47 | exit 0 | ||
48 | |||
49 | |||
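Review bot: the `*)` branch (lines 36-39) prints "postinst called with unknown argument" to stderr and then runs `exit 0`, so dpkg records success for an invocation the script did not handle. Exit non-zero there so an unexpected call is visible to the caller. The header comment also says prompting must be guarded by a conditional, but this script never prompts, so that quoted policy paragraph (lines 18-23) can go. The priority `30` passed to `update-alternatives --install` deserves a one-line comment saying how it ranks against other ssh-askpass providers.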
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm new file mode 100644 index 000000000..6f3f5756d --- /dev/null +++ b/debian/ssh-askpass-gnome.prerm | |||
@@ -0,0 +1,41 @@ | |||
1 | #! /bin/sh | ||
2 | # prerm script for ssh-askpass-gnome | ||
3 | # | ||
4 | # see: dh_installdeb(1) | ||
5 | |||
6 | set -e | ||
7 | |||
8 | # summary of how this script can be called: | ||
9 | # * <prerm> `remove' | ||
10 | # * <old-prerm> `upgrade' <new-version> | ||
11 | # * <new-prerm> `failed-upgrade' <old-version> | ||
12 | # * <conflictor's-prerm> `remove' `in-favour' <package> <new-version> | ||
13 | # * <deconfigured's-prerm> `deconfigure' `in-favour' | ||
14 | # <package-being-installed> <version> `removing' | ||
15 | # <conflicting-package> <version> | ||
16 | # for details, see /usr/share/doc/packaging-manual/ | ||
17 | |||
18 | case "$1" in | ||
19 | remove|deconfigure) | ||
20 | update-alternatives --quiet --remove ssh-askpass /usr/lib/ssh/gnome-ssh-askpass | ||
21 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
22 | ;; | ||
23 | upgrade) | ||
24 | # install-info --quiet --remove /usr/info/ssh-askpass.info.gz | ||
25 | ;; | ||
26 | failed-upgrade) | ||
27 | ;; | ||
28 | *) | ||
29 | echo "prerm called with unknown argument \`$1'" >&2 | ||
30 | exit 0 | ||
31 | ;; | ||
32 | esac | ||
33 | |||
34 | # dh_installdeb will replace this with shell code automatically | ||
35 | # generated by other debhelper scripts. | ||
36 | |||
37 | #DEBHELPER# | ||
38 | |||
39 | exit 0 | ||
40 | |||
41 | |||
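Review bot: the commented-out `install-info --quiet --remove /usr/info/ssh-askpass.info.gz` lines (21 and 24) are leftover template text. Nothing in this patch installs an info file for the package, so drop them rather than ship dead code in a maintainer script. With those gone, the `upgrade` and `failed-upgrade` branches are both empty and can be merged into one pattern. As in the postinst, the `*)` branch reports an unknown argument and still exits 0.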
diff --git a/debian/ssh.pam b/debian/ssh.pam new file mode 100644 index 000000000..a4478cf4a --- /dev/null +++ b/debian/ssh.pam | |||
@@ -0,0 +1,22 @@ | |||
1 | #%PAM-1.0 | ||
2 | auth required pam_nologin.so | ||
3 | auth required pam_unix.so | ||
4 | auth required pam_env.so # [1] | ||
5 | |||
6 | account required pam_unix.so | ||
7 | |||
8 | session required pam_unix.so | ||
9 | session optional pam_lastlog.so # [1] | ||
10 | session optional pam_motd.so # [1] | ||
11 | session optional pam_mail.so standard noenv # [1] | ||
12 | session required pam_limits.so | ||
13 | |||
14 | password required pam_unix.so | ||
15 | |||
16 | # Alternate strength checking for password. Note that this | ||
17 | # requires the libpam-cracklib package to be installed. | ||
18 | # You will need to comment out the password line above and | ||
19 | # uncomment the next two in order to use this. | ||
20 | # | ||
21 | # password required pam_cracklib.so retry=3 minlen=6 difok=3 | ||
22 | # password required pam_unix.so use_authtok nullok md5 | ||
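Review bot: the `# [1]` markers on lines 4, 9, 10 and 11 point at a footnote that is not defined anywhere in this file; either add the explanation as a comment here or name the file that carries it. Separately, the active `password required pam_unix.so` on line 14 has no options, while the commented cracklib alternative on line 22 adds `nullok md5`, so an admin who follows the instructions on lines 16-19 also changes the hashing and empty-password handling without being told. Make the two `pam_unix.so` password lines consistent, or spell out the difference in the comment.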
diff --git a/debian/templates b/debian/templates new file mode 100644 index 000000000..a9b4394d4 --- /dev/null +++ b/debian/templates | |||
@@ -0,0 +1,229 @@ | |||
1 | Template: ssh/privsep_tell | ||
2 | Type: note | ||
3 | Description: Privilege separation | ||
4 | This version of OpenSSH contains the new privilege separation | ||
5 | option. This significantly reduces the quantity of code that runs as | ||
6 | root, and therefore reduces the impact of security holes in sshd. | ||
7 | . | ||
8 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
9 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
10 | example) will fail, and PAM keyboard-interactive authentication | ||
11 | won't work. | ||
12 | . | ||
13 | Privilege separation is turned on by default, so if you decide you | ||
14 | want it turned off, you need to add "UsePrivilegeSeparation no" to | ||
15 | /etc/ssh/sshd_config | ||
16 | . | ||
17 | NB! If you are running a 2.0 series Linux kernel, then privilege | ||
18 | separation will not work at all, and your sshd will fail to start | ||
19 | unless you explicity turn privilege separation off. | ||
20 | |||
21 | Template: ssh/privsep_ask | ||
22 | Type: boolean | ||
23 | Default: true | ||
24 | Description: Enable Privilege separation | ||
25 | This version of OpenSSH contains the new privilege separation | ||
26 | option. This significantly reduces the quantity of code that runs as | ||
27 | root, and therefore reduces the impact of security holes in sshd. | ||
28 | . | ||
29 | Unfortunately, privilege separation interacts badly with PAM. Any | ||
30 | PAM session modules that need to run as root (pam_mkhomedir, for | ||
31 | example) will fail, and PAM keyboard-interactive authentication | ||
32 | won't work. | ||
33 | . | ||
34 | Since you've opted to have me generate an sshd_config file for you, | ||
35 | you can choose whether or not to have Privilege Separation turned on | ||
36 | or not. Unless you are running 2.0 (in which case you *must* say no | ||
37 | here or your sshd won't start at all) or know you need to use PAM | ||
38 | features that won't work with this option, you should say yes here. | ||
39 | |||
40 | Template: ssh/new_config | ||
41 | Type: boolean | ||
42 | Default: true | ||
43 | Description: Generate new configuration file | ||
44 | This version of OpenSSH has a considerably changed configuration file from | ||
45 | the version shipped in Debian 'Potato', which you appear to be upgrading from. | ||
46 | I can now generate you a new configuration file (/etc/ssh/sshd.config), which | ||
47 | will work with the new server version, but will not contain any customisations | ||
48 | you made with the old version. | ||
49 | . | ||
50 | Please note that this new configuration file will set the value of | ||
51 | 'PermitRootLogin' to yes (meaning that anyone knowing the root password can | ||
52 | ssh directly in as root). It is the opinion of the maintainer that this is | ||
53 | the correct default (see README.Debian for more details), but you can always | ||
54 | edit sshd_config and set it to no if you wish. | ||
55 | . | ||
56 | It is strongly recommended that you let me generate a new configuration file | ||
57 | for you | ||
58 | |||
59 | Template: ssh/protocol2_only | ||
60 | Type: boolean | ||
61 | Default: true | ||
62 | Description: Allow SSH protocol 2 only | ||
63 | This version of OpenSSH supports version 2 of the ssh protocol, which | ||
64 | is much more secure. Disabling ssh 1 is encouraged, however this | ||
65 | will slow things down on low end machines and might prevent older | ||
66 | clients from connecting (the ssh client shipped with "potato" is affected). | ||
67 | . | ||
68 | Also please note that keys used for protocol 1 are different so you will | ||
69 | not be able to use them if you only allow protocol 2 connections. | ||
70 | . | ||
71 | If you later change your mind about this setting, README.Debian has | ||
72 | instructions on what to do to your sshd_config file. | ||
73 | |||
74 | Template: ssh/ssh2_keys_merged | ||
75 | Type: note | ||
76 | Description: ssh2 keys merged in configuration files | ||
77 | As of version 3 OpenSSH no longer uses separate files for ssh1 and | ||
78 | ssh2 keys. This means the authorized_keys2 and known_hosts2 files | ||
79 | are no longer needed. They will still be read in order to maintain | ||
80 | backwards compatibility | ||
81 | |||
82 | Template: ssh/use_old_init_script | ||
83 | Type: boolean | ||
84 | Default: false | ||
85 | Description: Do you want to continue (and risk killing active ssh sessions) ? | ||
86 | The version of /etc/init.d/ssh that you have installed, is likely to kill | ||
87 | all running sshd instances. If you are doing this upgrade via an ssh | ||
88 | session, that would be a Bad Thing(tm). | ||
89 | . | ||
90 | You can fix this by adding "--pidfile /var/run/sshd.pid" to the | ||
91 | start-stop-daemon line in the stop section of the file. | ||
92 | Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)? | ||
93 | Die Version von /etc/init.d/ssh, die sie installiert haben, wird | ||
94 | vermutlich ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade | ||
95 | via ssh erledigen, dann ist das ein Problem. | ||
96 | . | ||
97 | Sie koennen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid" | ||
98 | an die start-stop-daemon Zeile in dem Bereich stop der Datei | ||
99 | /etc/init.d/ssh ergaenzen. | ||
100 | Description-fr: Voulez vous continuer (et risquer de rompre les sessions ssh actives) ? | ||
101 | Il est probable que la version de /etc/init.d/ssh install=E9e en ce moment | ||
102 | tue toutes les instances de sshd lanc=E9es en ce moment. Si vous faite une | ||
103 | mise =E0 jour via ssh, ca serait une Mauvaise Chose(tm). | ||
104 | . | ||
105 | Vous pouvez corriger /etc/init.d/ssh en ajoutant '--pidfile /var/run/sshd.pid' | ||
106 | a la ligne 'start-stop-daemon' dans la section 'stop' du fichier. | ||
107 | |||
108 | Template: ssh/forward_warning | ||
109 | Type: note | ||
110 | Description: NOTE: Forwarding of X11 and Authorization disabled by default. | ||
111 | For security reasons, the Debian version of ssh has ForwardX11 and | ||
112 | ForwardAgent set to ``off'' by default. | ||
113 | . | ||
114 | You can enable it for servers you trust, either | ||
115 | in one of the configuration files, or with the -X command line option. | ||
116 | . | ||
117 | More details can be found in /usr/share/doc/ssh/README.Debian | ||
118 | Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet. | ||
119 | Aus Sicherheitsgruenden haben die Debian Pakete von ssh ForwardX11 und | ||
120 | ForwardAgent auf "off" gesetzt. | ||
121 | . | ||
122 | Sie koenne dies fuer Server denen Sie trauen, entweder per Eintrag im | ||
123 | den Konfigurations Dateien oder per -X Kommando-Zeilen Option aendern. | ||
124 | . | ||
125 | Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden. | ||
126 | Description-fr: NOTE: Suivi de session X11 et d'agent d'autorisation d=E9sactiv=E9s par d=E9faut. | ||
127 | Pour des raisons de s=E9curit=E9, la version Debian de ssh positionne les | ||
128 | options ForwardX11 et ForwardAgent a ``Off'' par d=E9faut. | ||
129 | . | ||
130 | Vous pouvez activer ces options pour les serveurs en lesquels vous avez | ||
131 | confiance, soit dans un des fichiers de configuration, soit avec l'option | ||
132 | -X de la ligne de commande. | ||
133 | . | ||
134 | Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian. | ||
135 | |||
136 | Template: ssh/insecure_rshd | ||
137 | Type: note | ||
138 | Description: Warning: rsh-server is installed --- probably not a good idea | ||
139 | having rsh-server installed undermines the security that you were probably | ||
140 | wanting to obtain by installing ssh. I'd advise you to remove that package. | ||
141 | Description-de: Warnung: rsh-server ist installiert --- moeglicherweise | ||
142 | ist es eine schlechte Idee den rsh-server installiert zu haben, da er | ||
143 | die Sicherheit untergraebt. Wir empfehlen das Paket zu entfernen. | ||
144 | Description-fr: Attention: le paquet rsh-server est install=E9 --- ce n'estprobablement pas une bonne id=E9e | ||
145 | Avoir un serveur rsh install=E9 affaibli la s=E9curit=E9 que vous vouliez | ||
146 | probablement obtenir en installant ssh. Je vous conseillerais de | ||
147 | d=E9installer ce paquet. | ||
148 | |||
149 | Template: ssh/insecure_telnetd | ||
150 | Type: note | ||
151 | Description: Warning: telnetd is installed --- probably not a good idea | ||
152 | I'd advise you to either remove the telnetd package (if you don't actually | ||
153 | need to offer telnet access) or install telnetd-ssl so that there is at | ||
154 | least some chance that telnet sessions will not be sending unencrypted | ||
155 | login/password and session information over the network. | ||
156 | Description-de: Warnung: telnetd ist installiert --- schlechte Idee | ||
157 | Wir empfehlen das telnetd Paket zu entfernen (wenn sie keine telnet Zugang | ||
158 | anbieten) oder telnetd-ssl zu installieren, so dass die Moeglichkeit besteht | ||
159 | dass das Login und Password nicht unverschluesselt durch das Netz gesendet | ||
160 | werden. | ||
161 | Description-fr: Attention: le paquet telnetd est install=E9 --- ce n'est probablement pas une bonne id=E9e | ||
162 | Je vous conseillerais de, soit enlever le paquet telnetd (si ce service | ||
163 | n'est pas n=E9cessaire), soit de le remplacer par le paquet telnetd-ssl | ||
164 | pour qu'il y ait au moins une chance que les sessions telnet soient | ||
165 | encrypt=E9es et que les mot de passes et logins ne passent pas en clair sur | ||
166 | le r=E9seau. | ||
167 | |||
168 | Template: ssh/encrypted_host_key_but_no_keygen | ||
169 | Type: note | ||
170 | Description: Warning: you must create a new host key | ||
171 | There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. | ||
172 | OpenSSH can not handle this host key file, and I can't find the | ||
173 | ssh-keygen utility from the old (non-free) SSH installation. | ||
174 | . | ||
175 | You will need to generate a new host key. | ||
176 | Description-de: Warnung: Sie muessen einen neuen Host Key erzeugen | ||
177 | Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche | ||
178 | per IDEA verschluesselt ist. OpenSSH kann eine solche Host Key Datei | ||
179 | nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation | ||
180 | kann nicht gefunden werden. | ||
181 | Description-fr: Attention: vous devez cr=E9er une nouvelle cl=E9 d'h=F4te | ||
182 | Il existe un vieux /etc/ssh/ssh_host_key qui est encrypt=E9 avec IDEA. | ||
183 | OpenSSH ne peut utiliser ce fichier de cl=E9, et je ne peux trouver | ||
184 | l'utilitaire ssh-keygen de l'installation pr=E9c=E9dente (non libre) de SSH. | ||
185 | |||
186 | Template: ssh/SUID_client | ||
187 | Type: boolean | ||
188 | Default: true | ||
189 | Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? | ||
190 | You have the option of installing the ssh-keysign helper with the SUID | ||
191 | bit set. | ||
192 | . | ||
193 | If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 | ||
194 | host-based authentication. | ||
195 | . | ||
196 | If in doubt, I suggest you install it with SUID. If it causes | ||
197 | problems you can change your mind later by running: dpkg-reconfigure ssh | ||
198 | |||
199 | Template: ssh/run_sshd | ||
200 | Type: boolean | ||
201 | Default: true | ||
202 | Description: Do you want to run the sshd server ? | ||
203 | This package contains both the ssh client, and the sshd server. | ||
204 | . | ||
205 | Normally the sshd Secure Shell Server will be run to allow remote | ||
206 | logins via ssh. | ||
207 | . | ||
208 | If you are only interested in using the ssh client for outbound | ||
209 | connections on this machine, and don't want to log into it at all | ||
210 | using ssh, then you can disable sshd here. | ||
211 | Description-de: Wollen Sie den sshd Server starten? | ||
212 | Das Paket enthaelt sowohl den client als auch den sshd server. | ||
213 | . | ||
214 | Normal wird der sshd Secure Shell Server fuer Remote Logins per ssh | ||
215 | gestartet. | ||
216 | . | ||
217 | Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechner | ||
218 | zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen, | ||
219 | dann koennen Sie hier den sshd abschalten. | ||
220 | Description-fr: Voulez vous utiliser le serveur sshd ? | ||
221 | Ce paquet contient a la fois le client ssh et le serveur sshd. | ||
222 | . | ||
223 | Normalement le serveur sshd sera lanc=E9 pour permettre les logins distants | ||
224 | via ssh. | ||
225 | . | ||
226 | Si vous d=E9sirez seulement utiliser le client ssh pour vous connecter a | ||
227 | distance sur d'autres machines a partir de celle-ci, et que vous ne | ||
228 | voulez pas vous logguer sur cette machine a distance via ssh, alors vous | ||
229 | pouvez d=E9sactiver sshd maintenant. | ||
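Review bot: ssh/new_config (line 46) names the generated file as `/etc/ssh/sshd.config`, but the same template (line 54) and ssh/privsep_tell (line 15) call it `sshd_config`. Fix the path so users are not sent to a file that does not exist. The Description-fr blocks contain raw quoted-printable sequences (`=E9`, `=E0`, `=F4`) that will be shown literally; decode them, or transliterate as the German text does. The German and French texts for ssh/encrypted_host_key_but_no_keygen omit the closing "You will need to generate a new host key" paragraph. ssh/privsep_ask, ssh/new_config, ssh/protocol2_only and ssh/SUID_client have no translations at all. Smaller points: "explicity" on line 19, the doubled "whether or not ... or not" on lines 35-36, and the missing full stops at the end of lines 57 and 80.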