Diffstat (limited to 'debian')
-rw-r--r-- debian/README.Debian 153
-rw-r--r-- debian/changelog 944
-rw-r--r-- debian/conffiles 4
-rw-r--r-- debian/config 86
-rw-r--r-- debian/control 43
-rw-r--r-- debian/copyright.head 36
-rw-r--r-- debian/dirs 7
-rw-r--r-- debian/init 60
-rw-r--r-- debian/postinst 330
-rw-r--r-- debian/postinst.old 269
-rw-r--r-- debian/postrm 16
-rw-r--r-- debian/preinst 79
-rw-r--r-- debian/prerm 44
-rwxr-xr-x debian/rules 106
-rw-r--r-- debian/ssh-askpass-gnome.copyright 44
-rw-r--r-- debian/ssh-askpass-gnome.dirs 1
-rw-r--r-- debian/ssh-askpass-gnome.postinst 49
-rw-r--r-- debian/ssh-askpass-gnome.prerm 41
-rw-r--r-- debian/ssh.pam 22
-rw-r--r-- debian/templates 229
20 files changed, 2563 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..c2858d2f9
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,153 @@
1OpenSSH for Debian
2------------------
3
4Although this package is widely referred to as OpenSSH, it is actually
5a branch of an early version of ssh which has been tidied up by the
6OpenBSD folks.
7
8It has been decided that this version should have the privilege of
9carrying the ``ssh'' name in Debian, since it is the only version of
10ssh that is going to make it into Debian proper, being the only one
11that complies with the Debian Free Software Guidelines.
12
13If you were expecting to get the non-free version of ssh (1.2.27 or
14whatever) when you installed this package, please install ssh-nonfree
15instead, which is what we're now calling the non-free version.
16
17=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
18
19PermitRootLogin set to yes
20--------------------------
21
22This is now the default setting (in line with upstream), and people
23who asked for an automatically-generated configuration file when
24upgrading from potato (or on a new install) will have this setting in
25their /etc/ssh/sshd_config file.
26
27Should you wish to change this setting, edit /etc/ssh/sshd_config, and
28change:
29PermitRootLogin yes
30to:
31PermitRootLogin no
32
33Having PermitRootLogin set to yes means that an attacker that knows
34the root password can ssh in directly (without having to go via a user
35account). If you set it to no, then they must compromise a normal user
36account. In the vast majority of cases, this does not give added
37security; remember that any account you su to root from is equivalent
38to root - compromising this account gives an attacker access to root
39easily. If you only ever log in as root from the physical console,
40then you probably want to set this value to no.
41
42As an aside, PermitRootLogin can also be set to "without-password" or
43"forced-commands-only" - see sshd(8) for more details.
44
45DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
46
47The argument above is somewhat condensed; I have had this discussion
48at great length with many people. If you think the default is
49incorrect, and feel strongly enough to want to argue with me about it,
50then send me email to matthew@debian.org. I will close bug reports
51claiming the default is incorrect.
52
53SSH now uses protocol 2 by default
54----------------------------------
55
56This means all your keyfiles you used for protocol version 1 need to
57be re-generated. The server keys are done automatically, but for RSA
58authentication, please read the ssh-keygen manpage.
59
60If you have an automatically generated configuration file, and decide
61at a later stage that you do want to support protocol version 1 (not
62recommended, but note that the ssh client shipped with Debian potato
63only supported protocol version 1), then you need to do the following:
64
65Change /etc/ssh/sshd_config such that:
66Protocol 2
67becomes:
68Protocol 2,1
69Also add the line:
70HostKey /etc/ssh/ssh_host_key
71
72(you may need to generate a host key if you do not already have one)
73
74/usr/bin/ssh not SUID:
75----------------------
76If you have not installed debconf, you'll have missed the chance to
77install ssh SUID, which means you won't be able to do Rhosts
78authentication. If that upsets you, use:
79
80 dpkg-statoverride
81
82or if that's also missing, use this:
83
84 chown root.root /usr/bin/ssh
85 chmod 04755 /usr/bin/ssh
86
87X11 Forwarding:
88---------------
89ssh's default for ForwardX11 has been changed to ``no'' because it has
90been pointed out that logging into remote systems administered by
91untrusted people is likely to open you up to X11 attacks, so you
92should have to actively decide that you trust the remote machine's
93root, before enabling X11. I strongly recommend that you do this on a
94machine-by-machine basis, rather than just enabling it in the default
95host settings.
96
97Authorization Forwarding:
98-------------------------
99Similarly, root on a remote server could make use of your ssh-agent
100(while you're logged into their machine) to obtain access to machines
101which trust your keys. This feature is therefore disabled by default.
102You should only re-enable it for those hosts (in your ~/.ssh/config or
103/etc/ssh/ssh_config) where you are confident that the remote machine
104is not a threat.
105
106Fallback to RSH:
107----------------
108The default for this setting has been changed from Yes to No, for
109security reasons, and to stop the delay attempting to rsh to machines
110that don't offer the service. Simply switch it back on in either
111/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
112it for.
113
114Problems logging in with RSA authentication:
115--------------------------------------------
116If you have trouble logging in with RSA authentication then the
117problem is probably caused by the fact that you have your home
118directory writable by group, as well as user (this is the default on
119Debian systems).
120
121Depending upon other settings on your system (i.e. other users being
122in your group) this could open a security hole, so you will need to
123make your home directory writable only by yourself. Run this command,
124as yourself:
125
126 chmod g-w ~/
127
128to remove group write permissions. If you use ssh-copy-id to install your
129keys, it does this for you.
130
131-L option of ssh nonfree:
132-------------------------
133non-free ssh supported the usage of the option -L to use a non privileged
134port for scp. This option will not be supported by scp from openssh.
135
136Please use instead scp -o "UsePrivilegedPort=no" as documented in the
137manpage to scp itself.
138
139Problem logging in because of TCP-Wrappers:
140-------------------------------------------
141ssh is compiled with support for tcp-wrappers. So if you can no longer
142log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
143are configured so that ssh is not blocked.
144
145Kerberos Authentication:
146------------------------
147ssh is compiled without support for kerberos authentication, and there are
148no current plans to support this. Thus the KerberosAuthentication and
149KerberosTgtPassing options will not be recognised.
150
151--
152Matthew Vernon
153<matthew@debian.org>
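Review bot: The "/usr/bin/ssh not SUID" section (README lines 74-85) looks stale against the changelog added in this same commit: 1:3.3p1-0.0woody1 says "Support setuid ssh-keysign binary instead of setuid ssh client" and 1:3.4p1-1 says it removes the package's previous statoverride on /usr/bin/ssh, yet the README still tells users to make /usr/bin/ssh mode 04755 to get Rhosts authentication. Either drop the section or rewrite it to describe the ssh-keysign arrangement. If it stays, the bare "dpkg-statoverride" line at README line 80 should show the arguments the user is expected to pass, and "chown root.root" at line 84 would be better written as "chown root:root". Separately, the 1:3.4p1-1 entry says the package now asks the user about privilege separation, and 1:3.3p1-0.0woody1 enables it by default, but the README has no section explaining that setting alongside the PermitRootLogin and Protocol 2 notes; a short section would help people upgrading.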
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 000000000..32f541a0f
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,944 @@
1openssh (1:3.4p1-1) testing; urgency=high
2
3 * Extend my tendrils back into this package (Closes: #150915, #151098)
4 * thanks to the security team for their work
5 * no thanks to ISS/Theo de Raadt for their handling of these bugs
6 * save old sshd_configs to sshd_config.dpkg-old when auto-generating a
7 new one
8 * tell/ask the user about PriviledgeSeparation
9 * /etc/init.d/ssh run will now create the chroot empty dir if necessary
10 * Remove our previous statoverride on /usr/bin/ssh (only for people
11 upgrading from a version where we'd put one in ourselves!)
12 * Stop slandering Russia, since someone asked so nicely (Closes: #148951)
13 * Reduce the sleep time in /etc/init.d/ssh during a restart
14
15 -- Matthew Vernon <matthew@debian.org> Fri, 28 Jun 2002 15:52:10 +0100
16
17openssh (1:3.4p1-0.0woody1) testing-security; urgency=high
18
19 * NMU by the security team.
20 * New upstream version
21
22 -- Michael Stone <mstone@debian.org> Wed, 26 Jun 2002 15:40:38 -0400
23
24openssh (1:3.3p1-0.0woody4) testing-security; urgency=high
25
26 * NMU by the security team.
27 * fix error when /etc/ssh/sshd_config exists on new install
28 * check that user doesn't exist before running adduser
29 * use openssl internal random unconditionally
30
31 -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 19:44:39 -0400
32
33openssh (1:3.3p1-0.0woody3) testing-security; urgency=high
34
35 * NMU by the security team.
36 * use correct home directory when sshd user is created
37
38 -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400
39
40openssh (1:3.3p1-0.0woody2) testing-security; urgency=high
41
42 * NMU by the security team.
43 * Fix rsa1 key creation (Closes: #150949)
44 * don't fail if sshd user removal fails
45 * depends: on adduser (Closes: #150907)
46
47 -- Michael Stone <mstone@debian.org> Tue, 25 Jun 2002 08:59:50 -0400
48
49openssh (1:3.3p1-0.0woody1) testing-security; urgency=high
50
51 * NMU by the security team.
52 * New upstream version.
53 - Enable privilege separation by default.
54 * Include patch from Solar Designer for privilege separation and
55 compression on 2.2.x kernels.
56 * Remove --disable-suid-ssh from configure.
57 * Support setuid ssh-keysign binary instead of setuid ssh client.
58 * Check sshd configuration before restarting.
59
60 -- Daniel Jacobowitz <dan@debian.org> Mon, 24 Jun 2002 13:43:44 -0400
61
62openssh (1:3.0.2p1-9) unstable; urgency=high
63
64 * Thanks to those who NMUd
65 * The only change in this version is to debian/control - I've removed
66 the bit that says you can't export it from the US - it would look
67 pretty daft to say this about a package in main! Also, it's now OK
68 to use crypto in France, so I've edited that comment slightly
69 * Correct a path in README.Debian too (Closes: #138634)
70
71 -- Matthew Vernon <matthew@debian.org> Sun, 4 Apr 2002 09:52:59 +0100
72
73openssh (1:3.0.2p1-8.3) unstable; urgency=medium
74
75 * NMU
76 * Really set urgency to medium this time (oops)
77 * Fix priority to standard per override while I'm at it
78
79 -- Aaron M. Ucko <ucko@debian.org> Sun, 24 Mar 2002 09:00:08 -0500
80
81openssh (1:3.0.2p1-8.2) unstable; urgency=low
82
83 * NMU with maintainer's permission
84 * Prepare for upcoming ssh-nonfree transitional packages per
85 <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html>
86 * Urgency medium because it would really be good to get this into woody
87 before it releases
88 * Fix sections to match override file
89 * Reissued due to clash with non-US -> main move
90
91 -- Aaron M. Ucko <ucko@debian.org> Sat, 23 Mar 2002 21:21:52 -0500
92
93openssh (1:3.0.2p1-8.1) unstable; urgency=low
94
95 * NMU
96 * Move from non-US to mani
97
98 -- LaMont Jones <lamont@debian.org> Thu, 21 Mar 2002 09:33:50 -0700
99
100openssh (1:3.0.2p1-8) unstable; urgency=critical
101
102 * Security fix - patch from upstream (Closes: #137209, #137210)
103 * Undo the changes in the unreleased -7, since they appear to break
104 things here. Accordingly, the code change is minimal, and I'm
105 happy to get it into testing ASAP
106
107 -- Matthew Vernon <matthew@debian.org> Thu, 7 Mar 2002 14:25:23 +0000
108
109openssh (1:3.0.2p1-7) unstable; urgency=high
110
111 * Build to support IPv6 and IPv4 by default again
112
113 -- Matthew Vernon <matthew@debian.org> Sat, 2 Mar 2002 00:25:05 +0000
114
115openssh (1:3.0.2p1-6) unstable; urgency=high
116
117 * Correct error in the clean target (Closes: #130868)
118
119 -- Matthew Vernon <matthew@debian.org> Sat, 26 Jan 2002 00:32:00 +0000
120
121openssh (1:3.0.2p1-5) unstable; urgency=medium
122
123 * Include the Debian version in our identification, to make it easier to
124 audit networks for patched versions in future
125
126 -- Matthew Vernon <matthew@debian.org> Mon, 21 Jan 2002 17:16:10 +0000
127
128openssh (1:3.0.2p1-4) unstable; urgency=medium
129
130 * If we're asked to not run sshd, stop any running sshd's first
131 (Closes: #129327)
132
133 -- Matthew Vernon <matthew@debian.org> Wed, 16 Jan 2002 21:24:16 +0000
134
135openssh (1:3.0.2p1-3) unstable; urgency=high
136
137 * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913)
138 * Remove extra debconf suggestion (Closes: #128094)
139 * Mmm. speedy bug-fixing :-)
140
141 -- Matthew Vernon <matthew@debian.org> Sat, 12 Jan 2002 17:23:58 +0000
142
143openssh (1:3.0.2p1-2) unstable; urgency=high
144
145 * Fix postinst to not automatically overwrite sshd_config (!)
146 (Closes: #127842, #127867)
147 * Add section in README.Debian about the PermitRootLogin setting
148
149 -- Matthew Vernon <matthew@debian.org> Sat, 5 Jan 2003 05:26:30 +0000
150
151openssh (1:3.0.2p1-1) unstable; urgency=high
152
153 * Incorporate fix from Colin's NMU
154 * New upstream version (fixes the bug Wichert fixed) (Closes: #124035)
155 * Capitalise IETF (Closes: #125379)
156 * Refer to the correct sftp-server location (Closes: #126854, #126224)
157 * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247)
158 * Ask people upgrading from potato if they want a new conffile
159 (Closes: #125642)
160 * Fix a typo in postinst (Closes: #122192, #122410, #123440)
161 * Frob the default config a little (Closes: #122284, #125827, #125696,
162 #123854)
163 * Make /etc/init.d/ssh be more clear about ssh not running (Closes:
164 #123552)
165 * Fix typo in templates file (Closes: #123411)
166
167 -- Matthew Vernon <matthew@debian.org> Fri, 4 Jan 2002 16:01:52 +0000
168
169openssh (1:3.0.1p1-1.2) unstable; urgency=high
170
171 * Non-maintainer upload
172 * Prevent local users from passing environment variables to the login
173 process when UseLogin is enabled
174
175 -- Wichert Akkerman <wakkerma@debian.org> Mon, 3 Dec 2001 19:34:45 +0100
176
177openssh (1:3.0.1p1-1.1) unstable; urgency=low
178
179 * Non-maintainer upload, at Matthew's request.
180 * Remove sa_restorer assignment to fix compilation on alpha, hppa, and
181 ia64 (closes: #122086).
182
183 -- Colin Watson <cjwatson@debian.org> Sun, 2 Dec 2001 18:54:16 +0000
184
185openssh (1:3.0.1p1-1) unstable; urgency=high
186
187 * New upstream version (Closes: #113646, #113513, #114707, #118564)
188 * Building with a libc that works (!) (Closes: #115228)
189 * Patches forward-ported are -1/-2 options for scp, the improvement to
190 'waiting for forwarded connections to terminate...'
191 * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228)
192 * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst
193 * Remove suidregister leftover from postrm
194 * Mention key we are making in the postinst
195 * Default to not enable SSH protocol 1 support, since protocol 2 is
196 much safer anyway.
197 * New version of the vpn-fixes patch, from Ian Jackson
198 * New handling of -q, and added new -qq option; thanks to Jon Amery
199 * Experimental smartcard support not enabled, since I have no way of
200 testing it.
201
202 -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
203
204openssh (1:2.9p2-6) unstable; urgency=low
205
206 * check for correct file in /etc/init.d/ssh (Closes: #110876)
207 * correct location of version 2 keys in ssh.1 (Closes: #110439)
208 * call update-alternatives --quiet (Closes: #103314)
209 * hack ssh-copy-id to chmod go-w (Closes: #95551)
210 * TEMPORARY fix to provide largefile support using a -D in the cflags
211 line. long-term, upstream will patch the autoconf stuff
212 (Closes: #106809, #111849)
213 * remove /etc/rc references in ssh-keygen.1 (Closes: #68350)
214 * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054)
215 * Check for files containing a newline character (Closes: #111692)
216
217 -- Matthew Vernon <matthew@debian.org> Thu, 13 Sep 2001 16:47:36 +0100
218
219openssh (1:2.9p2-5) unstable; urgency=high
220
221 * Thanks to all the bug-fixers who helped!
222 * remove sa_restorer assignment (Closes: #102837)
223 * patch from Peter Benie to DTRT wrt X forwarding if the server refuses
224 us access (Closes: #48297)
225 * patch from upstream CVS to fix port forwarding (Closes: #107132)
226 * patch from Jonathan Amery to document ssh-keygen behaviour
227 (Closes:#106643, #107512)
228 * patch to postinst from Jonathan Amery (Closes: #106411)
229 * patch to manpage from Jonathan Amery (Closes: #107364)
230 * patch from Matthew Vernon to make -q emit fatal errors as that is the
231 documented behaviour (Closes: #64347)
232 * patch from Ian Jackson to cause us to destroy a file when we scp it
233 onto itself, rather than dumping bits of our memory into it, which was
234 a security hole (see #51955)
235 * patch from Jonathan Amery to document lack of Kerberos support
236 (Closes: #103726)
237 * patch from Matthew Vernon to make the 'waiting for connections to
238 terminate' message more helpful (Closes: #50308)
239
240 -- Matthew Vernon <matthew@debian.org> Thu, 23 Aug 2001 02:14:09 +0100
241
242openssh (1:2.9p2-4) unstable; urgency=high
243
244 * Today's build of ssh is strawberry flavoured
245 * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176)
246 * Tidy up debconf template (Closes: #106152)
247 * If called non-setuid, then setgid()'s failure should not be fatal (see
248 #105854)
249
250 -- Matthew Vernon <matthew@debian.org> Sun, 22 Jul 2001 14:19:43 +0100
251
252openssh (1:2.9p2-3) unstable; urgency=low
253
254 * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061)
255 * Improve the IdentityFile section in the man page (Closes: #106038)
256
257 -- Matthew Vernon <matthew@debian.org> Sat, 21 Jul 2001 14:47:27 +0100
258
259openssh (1:2.9p2-2) unstable; urgency=low
260
261 * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868)
262 * Make PrintLastLog 'no' by default (Closes: #105893)
263
264 -- Matthew Vernon <matthew@debian.org> Thu, 19 Jul 2001 18:36:41 +0100
265
266openssh (1:2.9p2-1) unstable; urgency=low
267
268 * new (several..) upstream version (Closes: #96726, #81856, #96335)
269 * Hopefully, this will close some other bugs too
270
271 -- Matthew Vernon <matthew@debian.org> Tue, 17 Jul 2001 19:41:58 +0100
272
273openssh (1:2.5.2p2-3) unstable; urgency=low
274
275 * Taking Over this package
276 * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991)
277 * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274)
278 * Don't fiddle with conf-files any more (Closes: #69501)
279
280 -- Matthew Vernon <matthew@debian.org> Tue, 03 Jul 2001 02:58:13 +0100
281
282openssh (1:2.5.2p2-2.2) unstable; urgency=low
283
284 * NMU
285 * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033)
286 * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273)
287 * Patch from Matthew Vernon for BannerTimeOut, batchmode, and
288 documentation for protocolkeepalives. Makes ssh more generally useful
289 for scripting uses (Closes: #82877, #99275)
290 * Set a umask, so ourpidfile isn't world-writable (closes: #100012,
291 #98286, #97391)
292
293 -- Matthew Vernon <matthew@debian.org> Thu, 28 Jun 2001 23:15:42 +0100
294
295openssh (1:2.5.2p2-2.1) unstable; urgency=low
296
297 * NMU
298 * Remove duplicate Build-Depends for libssl096-dev and change it to
299 depend on libssl-dev instaed. Also adding in virtual | real package
300 style build-deps. (Closes: #93793, #75228)
301 * Removing add-log entry (Closes: #79266)
302 * This was a pam bug from a while back (Closes: #86908, #88457, #86843)
303 * pam build-dep already exists (Closes: #93683)
304 * libgnome-dev build-dep already exists (Closes: #93694)
305 * No longer in non-free (Closes: #85401)
306 * Adding in fr debconf translations (Closes: #83783)
307 * Already suggests xbase-clients (Closes: #79741)
308 * No need to suggest libpam-pwdb anymore (Closes: #81658)
309 * Providing rsh-client (Closes: #79437)
310 * hurd patch was already applied (Closes: #76033)
311 * default set to no (Closes: #73682)
312 * Adding in a suggests for dnsutils (Closes: #93265)
313 * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612)
314 (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465)
315 * Adding in debconf dependency
316
317 -- Ivan E. Moore II <rkrusty@debian.org> Mon, 16 Apr 2001 14:11:04 +0100
318
319openssh (1:2.5.2p2-2) unstable; urgency=high
320
321 * disable the OpenSSL version check in entropy.c
322 (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648)
323
324 -- Philip Hands <phil@uk.alcove.com> Wed, 11 Apr 2001 20:30:04 +0100
325
326openssh (1:2.5.2p2-1) unstable; urgency=low
327
328 * New upstream release
329 * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748)
330 * fix double space indent in german templates (closes: #89493)
331 * make postinst check for ssh_host_rsa_key
332 * get rid of the last of the misguided debian/rules NMU debris :-/
333
334 -- Philip Hands <phil@hands.com> Sat, 24 Mar 2001 20:59:33 +0000
335
336openssh (1:2.5.1p2-2) unstable; urgency=low
337
338 * rebuild with new debhelper (closes: #89558, #89536, #90225)
339 * fix broken dpkg-statoverride test in postinst
340 (closes: #89612, #90474, #90460, #89605)
341 * NMU bug fixed but not closed in last upload (closes: #88206)
342
343 -- Philip Hands <phil@hands.com> Fri, 23 Mar 2001 16:11:33 +0000
344
345openssh (1:2.5.1p2-1) unstable; urgency=high
346
347 * New upstream release
348 * fix typo in postinst (closes: #88110)
349 * revert to setting PAM service name in debian/rules, backing out last
350 NMU, which also (closes: #88101)
351 * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config
352 * restore printlastlog option patch
353 * revert to using debhelper, which had been partially disabled in NMUs
354
355 -- Philip Hands <phil@hands.com> Tue, 13 Mar 2001 01:41:34 +0000
356
357openssh (1:2.5.1p1-1.8) unstable; urgency=high
358
359 * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed
360
361 -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 19:48:01 +0100
362
363openssh (1:2.5.1p1-1.7) unstable; urgency=high
364
365 * And now we mark the correct binary as setuid, when a user requested
366 to install it setuid.
367
368 -- Christian Kurz <shorty@debian.org> Thu, 1 Mar 2001 07:19:56 +0100
369
370openssh (1:2.5.1p1-1.6) unstable; urgency=high
371
372 * Fixes postinst to handle overrides that are already there. Damn, I
373 should have noticed the bug earlier.
374
375 -- Christian Kurz <shorty@debian.org> Wed, 28 Feb 2001 22:35:00 +0100
376
377openssh (1:2.5.1p1-1.5) unstable; urgency=high
378
379 * Rebuild ssh with pam-support.
380
381 -- Christian Kurz <shorty@debian.org> Mon, 26 Feb 2001 21:55:51 +0100
382
383openssh (1:2.5.1p1-1.4) unstable; urgency=low
384
385 * Added Build-Depends on libssl096-dev.
386 * Fixed sshd_config file to disallow root logins again.
387
388 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 20:03:55 +0100
389
390openssh (1:2.5.1p1-1.3) unstable; urgency=low
391
392 * Fixed missing manpages for sftp.1 and ssh-keyscan.1
393 * Made package policy 3.5.2 compliant.
394
395 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 15:46:26 +0100
396
397openssh (1:2.5.1p1-1.2) unstable; urgency=low
398
399 * Added Conflict with sftp, since we now provide our own sftp-client.
400 * Added a fix for our broken dpkg-statoverride call in the
401 2.3.0p1-13.
402 * Fixed some config pathes in the comments of sshd_config.
403 * Removed ssh-key-exchange-vulnerability-patch since it's not needed
404 anymore because upstream included the fix.
405
406 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 13:46:58 +0100
407
408openssh (1:2.5.1p1-1.1) unstable; urgency=high
409
410 * Another NMU to get the new upstream version 2.5.1p1 into
411 unstable. (Closes: #87123)
412 * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766)
413 * Key Exchange patch is already included by upstream. (Closes: #86015)
414 * Upgrading should be possible now. (Closes: #85525, #85523)
415 * Added --disable-suid-ssh as compile option, so ssh won't get installed
416 suid per default.
417 * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride
418 is available and the mode of the binary should be 4755. And also added
419 suggestion for a newer dpkg.
420 (Closes: #85734, #85741, #86876)
421 * sftp and ssh-keyscan will also be included from now on. (Closes: #79994)
422 * scp now understands spaces in filenames (Closes: #53783, #58958,
423 #66723)
424 * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623)
425 * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035)
426 * ssh supports the usage of other dsa keys via the ssh command line
427 options. (Closes: #81250)
428 * Documentation in sshd_config fixed. (Closes: #81088)
429 * primes file included by upstream and included now. (Closes: #82101)
430 * scp now allows dots in the username. (Closes: #82477)
431 * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124)
432
433 -- Christian Kurz <shorty@debian.org> Sun, 25 Feb 2001 10:06:08 +0100
434
435openssh (1:2.3.0p1-1.13) unstable; urgency=low
436
437 * Config should now also be fixed with this hopefully last NMU.
438
439 -- Christian Kurz <shorty@debian.org> Sat, 10 Feb 2001 22:56:36 +0100
440
441openssh (1:2.3.0p1-1.12) unstable; urgency=high
442
443 * Added suggest for xbase-clients to control-file. (Closes #85227)
444 * Applied patch from Markus Friedl to fix a vulnerability in
445 the rsa keyexchange.
446 * Fixed position of horizontal line. (Closes: #83613)
447 * Fixed hopefully the grep problem in the config-file. (Closes: #78802)
448 * Converted package from suidregister to dpkg-statoverride.
449
450 -- Christian Kurz <shorty@debian.org> Fri, 9 Feb 2001 19:43:55 +0100
451
452openssh (1:2.3.0p1-1.11) unstable; urgency=medium
453
454 * Fixed some typos in the german translation of the debconf
455 template.
456
457 -- Christian Kurz <shorty@debian.org> Wed, 24 Jan 2001 18:22:38 +0100
458
459openssh (1:2.3.0p1-1.10) unstable; urgency=medium
460
461 * Fixed double printing of motd. (Closes: #82618)
462
463 -- Christian Kurz <shorty@debian.org> Tue, 23 Jan 2001 21:03:43 +0100
464
465openssh (1:2.3.0p1-1.9) unstable; urgency=high
466
467 * And the next NMU which includes the patch from Andrew Bartlett
468 and Markus Friedl to fix the root privileges handling of openssh.
469 (Closes: #82657)
470
471 -- Christian Kurz <shorty@debian.org> Wed, 17 Jan 2001 22:20:54 +0100
472
473openssh (1:2.3.0p1-1.8) unstable; urgency=high
474
475 * Applied fix from Ryan Murray to allow building on other architectures
476 since the hurd patch was wrong. (Closes: #82471)
477
478 -- Christian Kurz <shorty@debian.org> Tue, 16 Jan 2001 22:45:51 +0100
479
480openssh (1:2.3.0p1-1.7) unstable; urgency=medium
481
482 * Fixed another typo on sshd_config
483
484 -- Christian Kurz <shorty@debian.org> Sun, 14 Jan 2001 19:01:31 +0100
485
486openssh (1:2.3.0p1-1.6) unstable; urgency=high
487
488 * Added Build-Dependency on groff (Closes: #81886)
489 * Added Build-Depencency on debhelper (Closes: #82072)
490 * Fixed entry for known_hosts in sshd_config (Closes: #82096)
491
492 -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 23:08:16 +0100
493
494openssh (1:2.3.0p1-1.5) unstable; urgency=high
495
496 * Fixed now also the problem with sshd used as default ipv4 and
497 didn't use IPv6. This should be now fixed.
498
499 -- Christian Kurz <shorty@debian.org> Thu, 11 Jan 2001 21:25:55 +0100
500
501openssh (1:2.3.0p1-1.4) unstable; urgency=high
502
503 * Fixed buggy entry in postinst.
504
505 -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 23:12:16 +0100
506
507openssh (1:2.3.0p1-1.3) unstable; urgency=high
508
509 * After finishing the rewrite of the rules-file I had to notice that
510 the manpage installation was broken. This should now work again.
511
512 -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 22:11:59 +0100
513
514openssh (1:2.3.0p1-1.2) unstable; urgency=high
515
516 * Fixed the screwed up build-dependency.
517 * Removed --with-ipv4-default to support ipv6.
518 * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd.
519 * Fixed location to sftp-server in config.
520 * Since debian still relies on /etc/pam.d/ssh instead of moving to
521 /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name.
522 * Fixed path to host key in sshd_config.
523
524 -- Christian Kurz <shorty@debian.org> Wed, 10 Jan 2001 08:23:47 +0100
525
526openssh (1:2.3.0p1-1.1) unstable; urgency=medium
527
528 * NMU with permission of Phil Hands.
529 * New upstream release
530 * Update Build-Depends to point to new libssl096.
531 * This upstream release doesn't leak any information depending
532 on the setting of PermitRootLogin (Closes: #59933)
533 * New upstream release contains fix against forcing a client to
534 do X/agent forwarding (Closes: #76788)
535 * Changed template to contain correct path to the documentation
536 (Closes: #67245)
537 * Added --with-4in6 switch as compile option into debian/rules.
538 * Added --with-ipv4-default as compile option into debian/rules.
539 (Closes: #75037)
540 * Changed default path to also contain /usr/local/bin and
541 /usr/X11R6/bin (Closes: #62472,#54567,#62810)
542 * Changed path to sftp-server in sshd_config to match the
543 our package (Closes: #68347)
544 * Replaced OpenBSDh with OpenBSD in the init-script.
545 * Changed location to original source in copyright.head
546 * Changed behaviour of init-script when invoked with the option
547 restart (Closes: #68706,#72560)
548 * Added a note about -L option of scp to README.Debian
549 * ssh won't print now the motd if invoked with -t option
550 (Closes: #59933)
551 * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867)
552 * Added a note about tcp-wrapper support to README.Debian
553 (Closes: #72807,#22190)
554 * Removed two unneeded options from building process.
555 * Added sshd.pam into debian dir and install it.
556 * Commented out unnecessary call to dh_installinfo.
557 * Added a line to sshd.pam so that limits will be paid attention
558 to (Closes: #66904)
559 * Restart Option has a Timeout of 10 seconds (Closes: 51264)
560 * scp won't override files anymore (Closes: 51955)
561 * Removed pam_lastlog module, so that the lastlog is now printed
562 only once (Closes: #71742, #68335, #69592, #71495, #77781)
563 * If password is expired, openssh now forces the user to change it.
564 (Closes: #51747)
565 * scp should now have no more problems with shell-init-files that
566 produces ouput (Closes: #56280,#59873)
567 * ssh now prints the motd correctly (Closes: #66926)
568 * ssh upgrade should disable ssh daemon only if users has choosen
569 to do so (Closes: #67478)
570 * ssh can now be installed suid (Closes: #70879)
571 * Modified debian/rules to support hurd.
572
573 -- Christian Kurz <shorty@debian.org> Wed, 27 Dec 2000 20:06:57 +0100
574
575openssh (1:2.2.0p1-1.1) unstable; urgency=medium
576
577 * Non-Maintainer Upload
578 * Check for new returns in the new libc
579 (closes: #72803, #74393, #72797, #71307, #71702)
580 * Link against libssl095a (closes: #66304)
581 * Correct check for PermitRootLogin (closes: #69448)
582
583 -- Ryan Murray <rmurray@debian.org> Wed, 18 Oct 2000 00:48:18 -0700
584
585openssh (1:2.2.0p1-1) unstable; urgency=low
586
587 * New upstream release
588
589 -- Philip Hands <phil@hands.com> Mon, 11 Sep 2000 14:49:43 +0100
590
591openssh (1:2.1.1p4-3) unstable; urgency=low
592
593 * add rsh alternatives
594 * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097)
595 * do the IPV4_DEFAULT thing properly this time
596
597 -- Philip Hands <phil@hands.com> Fri, 11 Aug 2000 18:14:37 +0100
598
599openssh (1:2.1.1p4-2) unstable; urgency=low
600
601 * reinstate manpage .out patch from 1:1.2.3
602 * fix typo in postinst
603 * only compile ssh with IPV4_DEFAULT
604 * apply James Troup's patch to add a -o option to scp and updated manpage
605
606 -- Philip Hands <phil@hands.com> Sun, 30 Jul 2000 00:12:49 +0100
607
608openssh (1:2.1.1p4-1) unstable; urgency=low
609
610 * New upstream release
611
612 -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 14:46:16 +0100
613
614openssh (1:1.2.3-10) unstable; urgency=low
615
616 * add version to libpam-modules dependency, because old versions of
617 pam_motd make it impossible to log in.
618
619 -- Philip Hands <phil@hands.com> Sat, 29 Jul 2000 13:28:22 +0100
620
621openssh (1:1.2.3-9) frozen unstable; urgency=low
622
623 * force location of /usr/bin/X11/xauth
624 (closes: #64424, #66437, #66859) *RC*
625 * typos in config (closes: #66779, #66780)
626 * sshd_not_to_be_run could be assumed to be true, in error, if the config
627 script died in an unusual way --- I've reversed this (closes: #66335)
628 * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk
629 (closes: #65981)
630 * change default for PermitRootLogin to "no" (closes: #66406)
631
632 -- Philip Hands <phil@hands.com> Tue, 11 Jul 2000 20:51:18 +0100
633
634openssh (1:1.2.3-8) frozen unstable; urgency=low
635
636 * get rid of Provides: rsh-server (this will mean that rstartd
637 will need to change it's depends to deal with #63948, which I'm
638 reopening) (closes: #66257)
639 Given that this is also a trivial change, and is a reversal of a
640 change that was mistakenly made after the freeze, I think this should
641 also go into frozen.
642
643 -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:26:30 +0100
644
645openssh (1:1.2.3-7) frozen unstable; urgency=low
646
647 * check if debconf is installed before calling db_stop in postinst.
648 This is required to allow ssh to be installed when debconf is not
649 wanted, which probably makes it an RC upload (hopefully the last of
650 too many).
651
652 -- Philip Hands <phil@hands.com> Wed, 28 Jun 2000 03:19:47 +0100
653
654openssh (1:1.2.3-6) frozen unstable; urgency=low
655
656 * fixed depressing little bug involving a line wrap looking like
657 a blank line in the templates file *RC*
658 (closes: #66090, #66078, #66083, #66182)
659
660 -- Philip Hands <phil@hands.com> Mon, 26 Jun 2000 00:45:05 +0100
661
662openssh (1:1.2.3-5) frozen unstable; urgency=low
663
664 * add code to prevent UseLogin exploit, although I think our PAM
665 conditional code breaks UseLogin in a way that protects us from this
666 exploit anyway. ;-) (closes: #65495) *RC*
667 * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard
668 grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC*
669 * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3)
670 and use db_stop in the postinst to solve that problem instead
671 (closes: #65104)
672 * add Provides: rsh-server to ssh (closes: #63948)
673 * provide config option not to run sshd
674
675 -- Philip Hands <phil@hands.com> Mon, 12 Jun 2000 23:05:11 +0100
676
677openssh (1:1.2.3-4) frozen unstable; urgency=low
678
679 * fixes #63436 which is *RC*
680 * add 10 second pause in init.d restart (closes: #63844)
681 * get rid of noenv in PAM mail line (closes: #63856)
682 * fix host key path in make-ssh-known-hosts (closes: #63713)
683 * change wording of SUID template (closes: #62788, #63436)
684
685 -- Philip Hands <phil@hands.com> Sat, 27 May 2000 11:18:06 +0100
686
687openssh (1:1.2.3-3) frozen unstable; urgency=low
688
689 * redirect sshd's file descriptors to /dev/null in init to
690 prevent debconf from locking up during installation
691 ** grave bug just submited by me **
692
693 -- Philip Hands <phil@hands.com> Thu, 20 Apr 2000 17:10:59 +0100
694
695openssh (1:1.2.3-2) frozen unstable; urgency=low
696
697 * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC **
698 * suggest debconf
699 * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst
700
701 -- Philip Hands <phil@hands.com> Wed, 19 Apr 2000 17:49:15 +0100
702
703openssh (1:1.2.3-1) frozen unstable; urgency=low
704
705 * New upstream release
706 * patch sshd to create extra xauth key required for localhost
707 (closes: #49944) *** RC ***
708 * FallbacktoRsh now defaults to ``no'' to match impression
709 given in sshd_config
710 * stop setting suid bit on ssh (closes: #58711, #58558)
711 This breaks Rhosts authentication (which nobody uses) and allows
712 the LD_PRELOAD trick to get socks working, so seems like a net benefit.
713
714 -- Philip Hands <phil@hands.com> Thu, 13 Apr 2000 20:01:54 +0100
715
716openssh (1:1.2.2-1.4) frozen unstable; urgency=low
717
718 * Recompile for frozen, contains fix for RC bug.
719
720 -- Tommi Virtanen <tv@debian.org> Tue, 29 Feb 2000 22:14:58 +0200
721
722openssh (1:1.2.2-1.3) unstable; urgency=low
723
724 * Integrated man page addition for PrintLastLog.
725 This bug was filed on "openssh", and I ended up
726 creating my own patch for this (closes: #59054)
727 * Improved error message when ssh_exchange_identification
728 gets EOF (closes: #58904)
729 * Fixed typo (your -> you're) in debian/preinst.
730 * Added else-clauses to config to make this upgradepath possible:
731 oldssh -> openssh preinst fails due to upgrade_to_openssh=false
732 -> ssh-nonfree -> openssh. Without these, debconf remembered
733 the old answer, config didn't force asking it, and preinst always
734 aborted (closes: #56596, #57782)
735 * Moved setting upgrade_to_openssh isdefault flag to the place
736 where preinst would abort. This means no double question to most
737 users, people who currently suffer from "can't upgrade" may need
738 to run apt-get install ssh twice. Did not do the same for
739 use_old_init_script, as the situation is a bit different, and
740 less common (closes: #54010, #56224)
741 * Check for existance of ssh-keygen before attempting to use it in
742 preinst, added warning for non-existant ssh-keygen in config. This
743 happens when the old ssh is removed (say, due to ssh-nonfree getting
744 installed).
745
746 -- Tommi Virtanen <tv@debian.org> Sun, 27 Feb 2000 21:36:43 +0200
747
748openssh (1:1.2.2-1.2) frozen unstable; urgency=low
749
750 * Non-maintainer upload.
751 * Added configuration option PrintLastLog, default off due to PAM
752 (closes: #54007, #55042)
753 * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's
754 Suggests: line more accurate. Also closing related bugs fixed
755 earlier, when default ssh-askpass moved to /usr/bin.
756 (closes: #52403, #54741, #50607, #52298, #50967, #51661)
757 * Patched to call vhangup, with autoconf detection and all
758 (closes: #55379)
759 * Added --with-ipv4-default workaround to a glibc bug causing
760 slow DNS lookups, as per UPGRADING. Use -6 to really use
761 IPv6 addresses. (closes: #57891, #58744, #58713, #57970)
762 * Added noenv to PAM pam_mail line. Thanks to Ben Collins.
763 (closes: #58429)
764 * Added the UPGRADING file to the package.
765 * Added frozen to the changelog line and recompiled before
766 package was installed into the archive.
767
768 -- Tommi Virtanen <tv@debian.org> Fri, 25 Feb 2000 22:08:57 +0200
769
770openssh (1:1.2.2-1.1) frozen unstable; urgency=low
771
772 * Non-maintainer upload.
773 * Integrated scp pipe buffer patch from Ben Collins
774 <benc@debian.org>, should now work even if reading
775 a pipe gives less than fstat st_blksize bytes.
776 Should now work on Alpha and Sparc Linux (closes: #53697, #52071)
777 * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393)
778 * Integrated patch from Ben Collins <benc@debian.org>
779 to do full shadow account locking and expiration
780 checking (closes: #58165, #51747)
781
782 -- Tommi Virtanen <tv@debian.org> Tue, 22 Feb 2000 20:46:12 +0200
783
784openssh (1:1.2.2-1) frozen unstable; urgency=medium
785
786 * New upstream release (closes: #56870, #56346)
787 * built against new libesd (closes: #56805)
788 * add Colin Watson <cjw44@cam.ac.uk> =NULL patch
789 (closes: #49902, #54894)
790 * use socketpairs as suggested by Andrew Tridgell to eliminate rsync
791 (and other) lockups
792 * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/
793 (closes: #49902, #55872, #56959)
794 * uncoment the * line in ssh_config (closes: #56444)
795
796 * #54894 & #49902 are release critical, so this should go in frozen
797
798 -- Philip Hands <phil@hands.com> Wed, 9 Feb 2000 04:52:04 +0000
799
800openssh (1:1.2.1pre24-1) unstable; urgency=low
801
802 * New upstream release
803
804 -- Philip Hands <phil@hands.com> Fri, 31 Dec 1999 02:47:24 +0000
805
806openssh (1:1.2.1pre23-1) unstable; urgency=low
807
808 * New upstream release
809 * excape ? in /etc/init.d/ssh (closes: #53269)
810
811 -- Philip Hands <phil@hands.com> Wed, 29 Dec 1999 16:50:46 +0000
812
813openssh (1:1.2pre17-1) unstable; urgency=low
814
815 * New upstream release
816
817 -- Philip Hands <phil@hands.com> Thu, 9 Dec 1999 16:50:40 +0000
818
819openssh (1:1.2pre16-1) unstable; urgency=low
820
821 * New upstream release
822 * upstream release (1.2pre14) (closes: #50299)
823 * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776)
824 * dispose of grep -q broken pipe message in config script (closes: #50855)
825 * add make-ssh-known-hosts (closes: #50660)
826 * add -i option to ssh-copy-id (closes: #50657)
827 * add check for *LK* in password, indicating a locked account
828
829 -- Philip Hands <phil@hands.com> Wed, 8 Dec 1999 22:59:38 +0000
830
831openssh (1:1.2pre13-1) unstable; urgency=low
832
833 * New upstream release
834 * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules
835 * remove duplicate line in /etc/pam.d/ssh (closes: #50310)
836 * mention ssh -A option in ssh.1 & ssh_config
837 * enable forwarding to localhost in default ssh_config (closes: #50373)
838 * tweak preinst to deal with debconf being `unpacked'
839 * use --with-tcp-wrappers (closes: #49545)
840
841 -- Philip Hands <phil@hands.com> Sat, 20 Nov 1999 14:20:04 +0000
842
843openssh (1:1.2pre11-2) unstable; urgency=low
844
845 * oops, just realised that I forgot to strip out the unpleasant
846 fiddling mentioned below (which turned not to be a fix anyway)
847
848 -- Philip Hands <phil@hands.com> Mon, 15 Nov 1999 01:35:23 +0000
849
850openssh (1:1.2pre11-1) unstable; urgency=low
851
852 * New upstream release (closes: #49722)
853 * add 2>/dev/null to dispose of spurious message casused by grep -q
854 (closes: #49876, #49604)
855 * fix typo in debian/control (closes: #49841)
856 * Do some unpleasant fiddling with upgraded keys in the preinst, which
857 should make the keylength problem go away. (closes: #49676)
858 * make pam_start in sshd use ``ssh'' as the service name (closes: #49956)
859 * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107)
860 * apply Ben Collins <bcollins@debian.org>'s shadow patch
861 * disable lastlogin and motd printing if using pam (closes: #49957)
862 * add ssh-copy-id script and manpage
863
864 -- Philip Hands <phil@hands.com> Fri, 12 Nov 1999 01:03:38 +0000
865
866openssh (1:1.2pre9-1) unstable; urgency=low
867
868 * New upstream release
869 * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch
870 to channels.c, to make forwarded ports instantly reusable
871 * replace Pre-Depend: debconf with some check code in preinst
872 * make the ssh-add ssh-askpass failure message more helpful
873 * fix the ssh-agent getopts bug (closes: #49426)
874 * fixed typo on Suggests: line (closes: #49704, #49571)
875 * tidy up ssh package description (closes: #49642)
876 * make ssh suid (closes: #49635)
877 * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606)
878 * disable agent forwarding by default, for the similar reasons as
879 X forwarding (closes: #49586)
880
881 -- Philip Hands <phil@hands.com> Tue, 9 Nov 1999 09:57:47 +0000
882
883openssh (1:1.2pre7-4) unstable; urgency=low
884
885 * predepend on debconf (>= 0.2.17) should now allow preinst questions
886
887 -- Philip Hands <phil@hands.com> Sat, 6 Nov 1999 10:31:06 +0000
888
889openssh (1:1.2pre7-3) unstable; urgency=low
890
891 * add ssh-askpass package using Tommi Virtanen's perl-tk script
892 * add ssh-preconfig package cludge
893 * add usage hints to ssh-agent.1
894
895 -- Philip Hands <phil@hands.com> Fri, 5 Nov 1999 00:38:33 +0000
896
897openssh (1:1.2pre7-2) unstable; urgency=low
898
899 * use pam patch from Ben Collins <bcollins@debian.org>
900 * add slogin symlink to Makefile.in
901 * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login
902 * sort out debconf usage
903 * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass
904
905 -- Philip Hands <phil@hands.com> Thu, 4 Nov 1999 11:08:54 +0000
906
907openssh (1:1.2pre7-1) unstable; urgency=low
908
909 * New upstream release
910
911 -- Philip Hands <phil@hands.com> Tue, 2 Nov 1999 21:02:37 +0000
912
913openssh (1:1.2.0.pre6db1-2) unstable; urgency=low
914
915 * change the binary package name to ssh (the non-free branch of ssh has
916 been renamed to ssh-nonfree)
917 * make pam file comply with Debian standards
918 * use an epoch to make sure openssh supercedes ssh-nonfree
919
920 -- Philip Hands <phil@hands.com> Sat, 30 Oct 1999 16:26:05 +0100
921
922openssh (1.2pre6db1-1) unstable; urgency=low
923
924 * New upstream source
925 * sshd accepts logins now!
926
927 -- Dan Brosemer <odin@linuxfreak.com> Fri, 29 Oct 1999 11:13:38 -0500
928
929openssh (1.2.0.19991028-1) unstable; urgency=low
930
931 * New upstream source
932 * Added test for -lnsl to configure script
933
934 -- Dan Brosemer <odin@linuxfreak.com> Thu, 28 Oct 1999 18:52:09 -0500
935
936openssh (1.2.0.19991027-3) unstable; urgency=low
937
938 * Initial release
939
940 -- Dan Brosemer <odin@linuxfreak.com> Wed, 27 Oct 1999 19:39:46 -0500
941
942Local variables:
943mode: debian-changelog
944End:
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 000000000..fbc2e8444
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1,4 @@
1/etc/ssh/ssh_config
2/etc/ssh/moduli
3/etc/init.d/ssh
4/etc/pam.d/ssh
diff --git a/debian/config b/debian/config
new file mode 100644
index 000000000..0a5f42b2e
--- /dev/null
+++ b/debian/config
@@ -0,0 +1,86 @@
1#!/bin/sh
2
3action=$1
4version=$2
5
6if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
7 version=1.2.27
8 cp -a /etc/ssh-nonfree /etc/ssh
9fi
10
11# Source debconf library.
12. /usr/share/debconf/confmodule
13db_version 2.0
14
15if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
16then
17 db_text medium ssh/ssh2_keys_merged
18fi
19
20if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
21then
22 db_fset ssh/use_old_init_script isdefault true
23 db_input medium ssh/use_old_init_script || true
24 db_go
25
26 db_get ssh/use_old_init_script
27 [ "$RET" = "false" ] && exit 0
28else
29 db_set ssh/use_old_init_script true
30 db_fset ssh/use_old_init_script isdefault false
31fi
32
33if [ -z "$version" -a ! -e /etc/ssh/sshd_config ]
34then
35 db_input medium ssh/protocol2_only || true
36fi
37
38if [ -e /etc/ssh/sshd_config ]
39then
40 if dpkg --compare-versions "$version" lt-nl 1:1.3 ;
41 then db_input medium ssh/new_config || true
42 db_get ssh/new_config
43 if [ "$RET" = "true" ];
44 then db_input medium ssh/protocol2_only ||true
45 db_input high ssh/privsep_ask ||true
46 else db_text high ssh/privsep_tell ||true
47 fi
48 else db_text high ssh/privsep_tell ||true
49 fi
50else db_text high ssh/privsep_tell ||true
51fi
52
53db_input medium ssh/SUID_client || true
54
55db_input medium ssh/run_sshd || true
56
57if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf
58then
59 if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null
60 then
61 db_input low ssh/insecure_telnetd || true
62 fi
63fi
64
65key=/etc/ssh/ssh_host_key
66export key
67if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] &&
68 dpkg --compare-versions "$version" lt 1.2.28
69then
70 # make sure that keys get updated to get rid of IDEA; preinst
71 # actually does the work, but if the old ssh-keygen is not found,
72 # it can't do that -- thus, we tell the user that he must create
73 # a new host key.
74 echo -en '\0\0' | 3<&0 sh -c \
75 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
76 # this means that bytes 32&33 of the key were not both zero, in which
77 # case the key is encrypted, which we need to fix
78 db_input high ssh/encrypted_host_key_but_no_keygen || true
79 }
80fi
81
82
83db_text low ssh/forward_warning || true
84db_go
85
86exit 0
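Review bot: In the branch for an existing sshd_config (lines 41-43), db_get ssh/new_config runs straight after db_input with no db_go in between, so the question has not been displayed yet and the test on $RET sees the stored or default answer rather than what the user is about to choose. Add a db_go before the db_get, as the ssh/use_old_init_script block at lines 22-26 already does. Two smaller points: the -? passed to in.telnetd at line 59 is unquoted and open to pathname expansion (debian/init escapes it as -\?), and echo -en at line 74 is not portable under #!/bin/sh.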
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000..7063438ad
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,43 @@
1Source: openssh
2Section: net
3Priority: standard
4Maintainer: Matthew Vernon <matthew@debian.org>
5Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnome-dev, groff, debhelper (>=1.1.17)
6Standards-Version: 3.5.2
7
8Package: ssh
9Architecture: any
10Depends: ${shlibs:Depends}, ${pam-depend}, debconf, adduser
11Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, debconf (<<0.2.17), debconf-tiny (<<0.2.17), sftp, rsh-client (<<0.16.1-1)
12Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils
13Provides: rsh-client
14Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
15 This is the portable version of OpenSSH, a free implementation of
16 the Secure Shell protocol as specified by the IETF secsh working
17 group.
18 .
19 Ssh (Secure Shell) is a program for logging into a remote machine
20 and for executing commands on a remote machine.
21 It provides secure encrypted communications between two untrusted
22 hosts over an insecure network. X11 connections and arbitrary TCP/IP
23 ports can also be forwarded over the secure channel.
24 It is intended as a replacement for rlogin, rsh and rcp, and can be
25 used to provide applications with a secure communication channel.
26 .
27 --------------------------------------------------------------------
28 .
29 In some countries, particularly Iraq, and Pakistan, it may be illegal
30 to use any encryption at all without a special permit.
31
32Package: ssh-askpass-gnome
33Section: x11
34Architecture: any
35Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4)
36Provides: ssh-askpass
37Description: under X, asks user for a passphrase for ssh-add
38 This has been split out of the main ssh package, so that the ssh will
39 not need to depend upon the Gnome libraries.
40 .
41 You probably want the ssh-askpass package instead, but this is
42 provided to add to your choice and/or confusion.
43
diff --git a/debian/copyright.head b/debian/copyright.head
new file mode 100644
index 000000000..cd4d45b24
--- /dev/null
+++ b/debian/copyright.head
@@ -0,0 +1,36 @@
1This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999
2(with help from Dan Brosemer <odin@linuxfreak.com>)
3
4It was downloaded from here:
5 ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz
6
7worldwide mirrors are listed here:
8 http://www.openssh.com/ftp.html
9
10The Debian specific parts of the package are mostly taken from the
11original ssh package, which has since been renamed as ssh-nonfree.
12
13The Debian patch is distributed under the terms of the GPL.
14
15The upstream source for this package is a combination of the ssh
16branch that is being maintained by the OpenBSD team (starting from
17the last version of SSH that was distributed under a free license),
18and porting work by Damien Miller <damien@ibs.com.au> to get it
19working on Linux. Other people also contributed to this, and are
20credited in README.openssh.
21
22Copyright:
23
24Code in helper.[ch] is Copyright Internet Business Solutions and is
25released under a X11-style license (see source file for details).
26
27(A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a
28X11-style license (see source file for details).
29
30make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>,
31and is distributed under the GPL (see source file for details).
32
33The copyright for the orignal SSH version follows. It has been
34modified with [comments] to reflect the changes that the OpenBSD folks
35have made:
36
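Review bot: The download location at line 5 still names openssh-2.3.0p1.tar.gz, while debian/config and debian/postinst in this same commit compare against 1:3.0p1-1 and 1:3.4p1-1, so the packaged upstream is newer than the tarball the copyright file points to. Update the URL, or drop the version from it, so the provenance statement matches what is shipped, and confirm that the helper.[ch] and rc4.[ch] entries at lines 24-28 still correspond to files in the current source. Line 33 has a typo, "orignal".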
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 000000000..00a019411
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,7 @@
1usr/bin
2usr/sbin
3usr/lib
4etc/ssh
5etc/init.d
6usr/share/man/man1
7usr/share/man/man8
diff --git a/debian/init b/debian/init
new file mode 100644
index 000000000..fe59584e6
--- /dev/null
+++ b/debian/init
@@ -0,0 +1,60 @@
1#! /bin/sh
2
3# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
4
5test -x /usr/sbin/sshd || exit 0
6( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
7
8# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
9if [ -e /etc/ssh/sshd_not_to_be_run ]; then
10 echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
11 exit 0
12fi
13
14check_config() {
15 /usr/sbin/sshd -t || exit 1
16}
17
18# Configurable options:
19
20case "$1" in
21 start)
22 test -f /etc/ssh/sshd_not_to_be_run && exit 0
23#Create the PrivSep empty dir if necessary
24 if [ ! -d /var/run/sshd ]; then
25 mkdir /var/run/sshd; chmod 0755 /var/run/sshd
26 fi
27 echo -n "Starting OpenBSD Secure Shell server: sshd"
28 start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
29 echo "."
30 ;;
31 stop)
32 echo -n "Stopping OpenBSD Secure Shell server: sshd"
33 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
34 echo "."
35 ;;
36
37 reload|force-reload)
38 test -f /etc/ssh/sshd_not_to_be_run && exit 0
39 check_config
40 echo -n "Reloading OpenBSD Secure Shell server's configuration"
41 start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
42 echo "."
43 ;;
44
45 restart)
46 test -f /etc/ssh/sshd_not_to_be_run && exit 0
47 check_config
48 echo -n "Restarting OpenBSD Secure Shell server: sshd"
49 start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
50 sleep 2
51 start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
52 echo "."
53 ;;
54
55 *)
56 echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
57 exit 1
58esac
59
60exit 0
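Review bot: The restart branch (lines 45-52) starts sshd without the /var/run/sshd check that start performs at lines 24-26, and setup_init in debian/postinst calls restart, not start. debian/dirs does not list var/run/sshd, so unless something outside these hunks creates it, a fresh install whose generated config has UsePrivilegeSeparation yes launches sshd with no PrivSep directory. Move the mkdir and chmod into a helper called from both start and restart. Separately, the sshd_not_to_be_run test at lines 9-12 runs before the case statement, so it applies to every action, contrary to its comment: with the flag file present, stop can no longer stop a running daemon, and the per-action tests at lines 22, 38 and 46 are redundant.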
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..34fee95d8
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,330 @@
1#!/bin/sh -e
2
3action="$1"
4oldversion="$2"
5
6test -e /usr/share/debconf/confmodule && {
7 . /usr/share/debconf/confmodule
8 db_version 2.0
9}
10
11umask 022
12
13if [ "$action" != configure ]
14 then
15 exit 0
16fi
17
18
19
20check_idea_key() {
21 #check for old host_key files using IDEA, which openssh does not support
22 if [ -f /etc/ssh/ssh_host_key ] ; then
23 if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
24 grep -q 'unknown cipher' 2>/dev/null ; then
25 mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
26 mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
27 fi
28 fi
29}
30
31
32create_key() {
33 local msg="$1"
34 shift
35 local file="$1"
36 shift
37
38 if [ ! -f "$file" ] ; then
39 echo -n $msg
40 ssh-keygen -f "$file" -N '' "$@" > /dev/null
41 echo
42 fi
43}
44
45
46create_keys() {
47 RET=true
48 test -e /usr/share/debconf/confmodule && {
49 db_get ssh/protocol2_only
50 }
51
52 if [ "$RET" = "false" ] ; then
53 create_key "Creating SSH1 key" /etc/ssh/ssh_host_key -t rsa1
54 fi
55
56 create_key "Creating SSH2 RSA key" /etc/ssh/ssh_host_rsa_key -t rsa
57 create_key "Creating SSH2 DSA key" /etc/ssh/ssh_host_dsa_key -t dsa
58}
59
60
61create_sshdconfig() {
62 if [ -e /etc/ssh/sshd_config ] ; then
63 if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
64 RET=true
65 test -e /usr/share/debconf/confmodule && {
66 db_get ssh/new_config
67 }
68 if [ "$RET" = "false" ] ; then return 0; fi
69 else return 0
70 fi
71 fi
72 RET=true
73 test -e /usr/share/debconf/confmodule && {
74 db_get ssh/protocol2_only
75 }
76
77 #Preserve old sshd_config before generating a new on
78 if [ -e /etc/ssh/sshd_config ] ; then
79 mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
80 fi
81
82 cat <<EOF > /etc/ssh/sshd_config
83# Package generated configuration file
84# See the sshd(8) manpage for defails
85
86# What ports, IPs and protocols we listen for
87Port 22
88# Use these options to restrict which interfaces/protocols sshd will bind to
89#ListenAddress ::
90#ListenAddress 0.0.0.0
91EOF
92if [ "$RET" = "false" ]; then
93 cat <<EOF >> /etc/ssh/sshd_config
94Protocol 2,1
95# HostKeys for protocol version 1
96HostKey /etc/ssh/ssh_host_key
97# HostKeys for protocol version 2
98HostKey /etc/ssh/ssh_host_rsa_key
99HostKey /etc/ssh/ssh_host_dsa_key
100EOF
101else
102 cat <<EOF >> /etc/ssh/sshd_config
103Protocol 2
104# HostKeys for protocol version 2
105HostKey /etc/ssh/ssh_host_rsa_key
106HostKey /etc/ssh/ssh_host_dsa_key
107EOF
108fi
109
110test -e /usr/share/debconf/confmodule && {
111 db_get ssh/privsep_ask
112}
113if [ "$RET" = "false" ]; then
114 cat <<EOF >> /etc/ssh/sshd_config
115#Explicitly set PrivSep off, as requested
116UsePrivilegeSeparation no
117
118# Use PAM authentication via keyboard-interactive so PAM modules can
119# properly interface with the user
120PAMAuthenticationViaKbdInt yes
121EOF
122else
123 cat <<EOF >> /etc/ssh/sshd_config
124#Privilege Separation is turned on for security
125UsePrivilegeSeparation yes
126
127# ...but breaks Pam auth via kbdint, so we have to turn it off
128# Use PAM authentication via keyboard-interactive so PAM modules can
129# properly interface with the user (off due to PrivSep)
130PAMAuthenticationViaKbdInt no
131EOF
132fi
133
134 cat <<EOF >> /etc/ssh/sshd_config
135# Lifetime and size of ephemeral version 1 server key
136KeyRegenerationInterval 3600
137ServerKeyBits 768
138
139# Logging
140SyslogFacility AUTH
141LogLevel INFO
142
143# Authentication:
144LoginGraceTime 600
145PermitRootLogin yes
146StrictModes yes
147
148RSAAuthentication yes
149PubkeyAuthentication yes
150#AuthorizedKeysFile %h/.ssh/authorized_keys
151
152# rhosts authentication should not be used
153RhostsAuthentication no
154# Don't read the user's ~/.rhosts and ~/.shosts files
155IgnoreRhosts yes
156# For this to work you will also need host keys in /etc/ssh_known_hosts
157RhostsRSAAuthentication no
158# similar for protocol version 2
159HostbasedAuthentication no
160# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
161#IgnoreUserKnownHosts yes
162
163# To enable empty passwords, change to yes (NOT RECOMMENDED)
164PermitEmptyPasswords no
165
166# Uncomment to disable s/key passwords
167#ChallengeResponseAuthentication no
168
169# To disable tunneled clear text passwords, change to no here!
170PasswordAuthentication yes
171
172
173# To change Kerberos options
174#KerberosAuthentication no
175#KerberosOrLocalPasswd yes
176#AFSTokenPassing no
177#KerberosTicketCleanup no
178
179# Kerberos TGT Passing does only work with the AFS kaserver
180#KerberosTgtPassing yes
181
182X11Forwarding no
183X11DisplayOffset 10
184PrintMotd no
185#PrintLastLog no
186KeepAlive yes
187#UseLogin no
188
189#MaxStartups 10:30:60
190#Banner /etc/issue.net
191#ReverseMappingCheck yes
192
193Subsystem sftp /usr/lib/sftp-server
194
195EOF
196}
197
198
199fix_rsh_diversion() {
200# get rid of mistaken rsh diversion (circa 1.2.27-1)
201
202 if [ -L /usr/bin/rsh ] &&
203 dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
204 for cmd in rlogin rsh rcp ; do
205 [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
206 dpkg-divert --package ssh --remove --rename \
207 --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
208
209 [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
210 dpkg-divert --package ssh --remove --rename \
211 --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
212 done
213
214 rmdir /usr/bin/rsh.real
215 fi
216}
217
218
219fix_statoverride() {
220# Remove an erronous override for sshd (we should have overridden ssh)
221 if [ -x /usr/sbin/dpkg-statoverride ]; then
222 if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
223 dpkg-statoverride --remove /usr/sbin/sshd
224 fi
225 fi
226}
227
228
229create_alternatives() {
230# Create alternatives for the various r* tools
231# Make sure we don't change existing alternatives that a user might have
232# changed
233 for cmd in rsh rlogin rcp ; do
234 if ! update-alternatives --display $cmd | \
235 grep -q ssh ; then
236 update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
237 --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
238 fi
239 done
240
241}
242
243setup_sshd_user() {
244 if ! id sshd > /dev/null 2>&1 ; then
245 adduser --quiet --system --no-create-home --home /var/run/sshd sshd
246 fi
247}
248
249set_sshd_permissions() {
250 suid=false
251
252 if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
253 if [ -x /usr/sbin/dpkg-statoverride ] ; then
254 if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
255 dpkg-statoverride --remove /usr/bin/ssh >/dev/null
256 fi
257 fi
258 fi
259
260 [ -e /usr/share/debconf/confmodule ] && {
261 db_get ssh/SUID_client
262 suid="$RET"
263 }
264 if [ -x /usr/sbin/dpkg-statoverride ] ; then
265 if ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
266 if [ "$suid" = "false" ] ; then
267 chmod 0755 /usr/lib/ssh-keysign
268 elif [ "$suid" = "true" ] ; then
269 chmod 4755 /usr/lib/ssh-keysign
270 fi
271 fi
272 else
273 if [ "$suid" = "false" ] ; then
274 chmod 0755 /usr/lib/ssh-keysign
275 elif [ "$suid" = "true" ] ; then
276 chmod 4755 /usr/lib/ssh-keysign
277 fi
278
279 fi
280}
281
282
283setup_startup() {
284 start=yes
285 [ -e /usr/share/debconf/confmodule ] && {
286 db_get ssh/run_sshd
287 start="$RET"
288 }
289
290 if [ "$start" != "true" ] ; then
291 /etc/init.d/ssh stop 2>&1 >/dev/null
292 touch /etc/ssh/sshd_not_to_be_run
293 else
294 rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
295 fi
296}
297
298
299setup_init() {
300 if [ -e /etc/init.d/ssh ]; then
301 update-rc.d ssh defaults >/dev/null
302 /etc/init.d/ssh restart
303 fi
304}
305
306check_idea_key
307create_keys
308create_sshdconfig
309fix_rsh_diversion
310fix_statoverride
311create_alternatives
312setup_sshd_user
313set_sshd_permissions
314setup_startup
315setup_init
316
317
318# Automatically added by dh_installdocs
319if [ "$1" = "configure" ]; then
320 if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
321 ln -sf ../share/doc/ssh /usr/doc/ssh
322 fi
323fi
324# End automatically added section
325
326
327[ -e /usr/share/debconf/confmodule ] && db_stop
328
329exit 0
330
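Review bot: setup_startup initialises start=yes at line 284, but line 290 tests [ "$start" != "true" ], so whenever /usr/share/debconf/confmodule is absent the fallback value takes the stop branch: sshd is stopped and /etc/ssh/sshd_not_to_be_run is created. Initialise it to true so the default matches the comparison. Line 209 has a doubled dollar sign, rm /usr/man/man1/$$cmd.1.gz, which expands to the shell's PID followed by "cmd.1.gz" rather than the symlink just tested with -L; it should read $cmd, and as written the failing rm aborts the script under sh -e. At line 291, 2>&1 >/dev/null leaves stderr on the terminal; >/dev/null 2>&1 is presumably what was meant.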
diff --git a/debian/postinst.old b/debian/postinst.old
new file mode 100644
index 000000000..586da1cc6
--- /dev/null
+++ b/debian/postinst.old
@@ -0,0 +1,269 @@
1#!/bin/sh -e
2
3action="$1"
4oldversion="$2"
5
6test -e /usr/share/debconf/confmodule && {
7 . /usr/share/debconf/confmodule
8 db_version 2.0
9}
10
11
12if [ "$action" != configure ]
13 then
14 exit 0
15fi
16
17
18
19check_idea_key() {
20 #check for old host_key files using IDEA, which openssh does not support
21 if [ -f /etc/ssh/ssh_host_key ] ; then
22 if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
23 grep -q 'unknown cipher' 2>/dev/null ; then
24 mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
25 mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
26 fi
27 fi
28}
29
30
31create_key() {
32 local file="$1"
33 shift
34
35 if [ ! -f "$file" ] ; then
36 ( umask 022 ; \
37 ssh-keygen -f "$file" -N '' "$@" > /dev/null )
38 fi
39}
40
41
42create_keys() {
43 RET=true
44test -e /usr/share/debconf/confmodule && {
45 db_get ssh/protocol2_only
46}
47
48 if [ "$RET" = "false" ] ; then
49 echo "Creating SSH1 key"
50 create_key /etc/ssh/ssh_host_key
51fi
52
53 echo "Creating SSH2 RSA key"
54 create_key /etc/ssh/ssh_host_rsa_key -t rsa
55 echo "Creating SSH2 DSA key"
56 create_key /etc/ssh/ssh_host_dsa_key -t dsa
57}
58
59
60create_sshdconfig() {
61 [ -e /etc/ssh/sshd_config ] && return
62
63RET=true
64test -e /usr/share/debconf/confmodule && {
65 db_get ssh/protocol2_only
66}
67
68 cat <<EOF > /etc/ssh/sshd_config
69# Package generated configuration file
70# See the sshd(8) manpage for defails
71
72# What ports, IPs and protocols we listen for
73Port 22
74# Uncomment the next entry to accept IPv6 traffic.
75#ListenAddress ::
76#ListenAddress 0.0.0.0
77EOF
78if [ "$RET" = "false" ]; then
79 cat <<EOF >> /etc/ssh/sshd_config
80Protocol 2,1
81# HostKeys for protocol version 1
82HostKey /etc/ssh/ssh_host_key
83# HostKeys for protocol version 2
84HostKey /etc/ssh/ssh_host_rsa_key
85HostKey /etc/ssh/ssh_host_dsa_key
86EOF
87else
88 cat <<EOF >> /etc/ssh/sshd_config
89Protocol 2
90# HostKeys for protocol version 2
91HostKey /etc/ssh/ssh_host_rsa_key
92HostKey /etc/ssh/ssh_host_dsa_key
93EOF
94fi
95
96
97 cat <<EOF >> /etc/ssh/sshd_config
98# Lifetime and size of ephemeral version 1 server key
99KeyRegenerationInterval 3600
100ServerKeyBits 768
101
102# Logging
103SyslogFacility AUTH
104LogLevel INFO
105
106# Authentication:
107LoginGraceTime 600
108PermitRootLogin no
109StrictModes yes
110
111RSAAuthentication yes
112PubkeyAuthentication yes
113#AuthorizedKeysFile %h/.ssh/authorized_keys
114
115# rhosts authentication should not be used
116RhostsAuthentication no
117# Don't read the user's ~/.rhosts and ~/.shosts files
118IgnoreRhosts yes
119# For this to work you will also need host keys in /etc/ssh_known_hosts
120RhostsRSAAuthentication no
121# similar for protocol version 2
122HostbasedAuthentication no
123# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
124#IgnoreUserKnownHosts yes
125
126# To disable tunneled clear text passwords, change to no here!
127PermitEmptyPasswords no
128
129# Uncomment to disable s/key passwords
130#ChallengeResponseAuthentication no
131
132# Use PAM authentication via keyboard-interactive so PAM modules can
133# properly interface with the user
134PasswordAuthentication no
135PAMAuthenticationViaKbdInt yes
136
137# To change Kerberos options
138#KerberosAuthentication no
139#KerberosOrLocalPasswd yes
140#AFSTokenPassing no
141#KerberosTicketCleanup no
142
143# Kerberos TGT Passing does only work with the AFS kaserver
144#KerberosTgtPassing yes
145
146X11Forwarding no
147X11DisplayOffset 10
148PrintMotd no
149#PrintLastLog no
150KeepAlive yes
151#UseLogin no
152
153#MaxStartups 10:30:60
154#Banner /etc/issue.net
155#ReverseMappingCheck yes
156
157Subsystem sftp /usr/libexec/sftp-server
158EOF
159}
160
161
162fix_rsh_diversion() {
163# get rid of mistaken rsh diversion (circa 1.2.27-1)
164
165 if [ -L /usr/bin/rsh ] &&
166 dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
167 for cmd in rlogin rsh rcp ; do
168 [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
169 dpkg-divert --package ssh --remove --rename \
170 --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
171
172 [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
173 dpkg-divert --package ssh --remove --rename \
174 --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
175 done
176
177 rmdir /usr/bin/rsh.real
178 fi
179}
180
181
182fix_statoverride() {
183# Remove an erronous override for sshd (we should have overridden ssh)
184if [ -x /usr/sbin/dpkg-statoverride ]; then
185 if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
186 dpkg-statoverride --remote /usr/sbin/sshd
187 fi
188 fi
189}
190
191
192create_alternatives() {
193# Create alternatives for the various r* tools
194# Make sure we don't change existing alternatives that a user might have
195# changed
196 for cmd in rsh rlogin rcp ; do
197 if ! update-alternatives --display $cmd | \
198 grep -q ssh ; then
199 update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
200 --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
201 fi
202 done
203
204}
205
206
207set_sshd_permissions() {
208 suid=no
209
210 [ -e /usr/share/debconf/confmodule ] && {
211 db_get ssh/SUID_client
212 suid="$RET"
213 }
214
215 if [ "$suid" = "yes" ] ; then
216 if [ -x /usr/sbin/dpkg-statoverride ] && \
217 ! dpkg-statoverride /usr/bin/ssh ; then
218 dpkg-statoverride --add root root 04755 /usr/bin/ssh
219fi
220 fi
221}
222
223
224setup_startup() {
225 start=yes
226 [ -e /usr/share/debconf/confmodule ] && {
227 db_get ssh/run_sshd
228 start="$RET"
229 }
230
231 if [ "$start" != "true" ] ; then
232 touch /etc/ssh/sshd_not_to_be_run
233 else
234 rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
235 fi
236}
237
238
239setup_init() {
240if [ -e /etc/init.d/ssh ]; then
241 update-rc.d ssh defaults >/dev/null
242 /etc/init.d/ssh restart
243fi
244}
245
246check_idea_key
247create_keys
248create_sshdconfig
249fix_rsh_diversion
250fix_statoverride
251create_alternatives
252set_sshd_permissions
253setup_startup
254setup_init
255
256
257# Automatically added by dh_installdocs
258if [ "$1" = "configure" ]; then
259 if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
260 ln -sf ../share/doc/ssh /usr/doc/ssh
261 fi
262fi
263# End automatically added section
264
265
266[ -e /usr/share/debconf/confmodule ] && db_stop
267
268exit 0
269
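Review bot: fix_statoverride (line 186) calls `dpkg-statoverride --remote /usr/sbin/sshd`, which looks like a typo for `--remove`. Because the script runs under `sh -e` (line 1), a rejected option there aborts the whole configure step. Two similar slips are in the same file: line 172 uses `$$cmd`, which expands to the shell's PID followed by the literal text "cmd", so the stale man page symlink is never the file being removed; and line 217 runs `dpkg-statoverride /usr/bin/ssh` with no action, where `--list` was presumably intended as on line 185. If this file is kept only for reference, a header comment saying it is not installed would help.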
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 000000000..bd0bbee38
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,16 @@
1#!/bin/sh -e
2
3if [ "$1" = "purge" ]
4then
5 rm -rf /etc/ssh
6fi
7
8if [ "$1" = "purge" ] ; then
9 update-rc.d ssh remove >/dev/null
10fi
11
12if [ "$1" = "purge" ] ; then
13 deluser --quiet sshd > /dev/null || true
14fi
15
16#DEBHELPER#
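Review bot: on purge, `update-rc.d ssh remove` (line 9) is not guarded, while `deluser` on line 13 is followed by `|| true`. Under `sh -e` a failure of update-rc.d stops the script before the sshd user is removed and before the #DEBHELPER# section runs. Either guard both commands the same way or let both fail loudly. The three identical `if [ "$1" = "purge" ]` blocks could also be merged into one, which makes the ordering (delete /etc/ssh, drop rc links, delete user) easier to read.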
diff --git a/debian/preinst b/debian/preinst
new file mode 100644
index 000000000..320d4df2a
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,79 @@
1#!/bin/sh -e
2
3action=$1
4version=$2
5
6if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
7 version=1.2.27
8fi
9
10if [ "$action" = upgrade -o "$action" = install ]
11then
12 # check if debconf is missing
13 if ! test -f /usr/share/debconf/confmodule
14 then
15 cat <<EOF
16
17WARNING: ssh's pre-configuration script relies on debconf to tell you
18about some problems that might prevent you from logging in if you are
19upgrading from the old, Non-free version of ssh.
20
21If this is a new installation, you don't need to worry about this.
22Just go ahead and install ssh (make sure to read .../ssh/README.Debian).
23
24If you are upgrading, but you have alternative ways of logging into
25the machine (i.e. you're sitting in front of it, or you have telnetd
26running), then you also don't need to worry too much, because you can
27fix it up afterwards if there's a problem.
28
29If you're upgrading from an older (non-free) version of ssh, and ssh
30is the only way you have to access this machine, then you should
31probably abort the installation of ssh, install debconf, and then
32retry the installation of ssh.
33
34EOF
35 echo -n "Do you want to install SSH anyway [yN]: "
36 read input
37 expr "$input" : '[Yy]' >/dev/null || exit 1
38
39 # work around for missing debconf
40 db_get() { : ; }
41 RET=true
42 if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
43 cp -a /etc/ssh-nonfree /etc/ssh
44 fi
45 else
46 # Source debconf library.
47 . /usr/share/debconf/confmodule
48 db_version 2.0
49 fi
50
51 db_get ssh/use_old_init_script
52 if [ "$RET" = "false" ]; then
53 echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2
54 exit 1
55 fi
56
57 # deal with upgrading from pre-OpenSSH versions
58 key=/etc/ssh/ssh_host_key
59 export key
60 if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] &&
61 dpkg --compare-versions "$version" lt 1.2.28
62 then
63 # make sure that keys get updated to get rid of IDEA
64 #
65 # N.B. this only works because we've still got the old
66 # nonfree ssh-keygen at this point
67 #
68 # First, check if we need to bother
69 echo -en '\0\0' | 3<&0 sh -c \
70 'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
71 # this means that bytes 32&33 of the key were not both zero, in which
72 # case the key is encrypted, which we need to fix
73 chmod 600 $key
74 ssh-keygen -u -f $key >/dev/null
75 }
76 fi
77fi
78
79#DEBHELPER#
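Review bot: the IDEA check on line 69 relies on `echo -en '\0\0'`, which is not defined behaviour for a `#!/bin/sh` script (line 1); a shell whose echo does not accept `-e`/`-n` would feed the literal option text into `cmp`, the comparison would fail, and `ssh-keygen -u` would run against a key that did not need it. `printf '\0\0'` is the portable form. Also note that the prompt on lines 35-37 uses `read` with `-e` in effect, so an install with no terminal on stdin aborts at line 36 rather than reaching the `exit 1` on line 37; a short comment stating that this is the intended behaviour would help.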
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 000000000..17aa45e1f
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,44 @@
1#! /bin/sh
2# prerm script for ssh
3#
4# see: dh_installdeb(1)
5
6set -e
7
8# summary of how this script can be called:
9# * <prerm> `remove'
10# * <old-prerm> `upgrade' <new-version>
11# * <new-prerm> `failed-upgrade' <old-version>
12# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
13# * <deconfigured's-prerm> `deconfigure' `in-favour'
14# <package-being-installed> <version> `removing'
15# <conflicting-package> <version>
16# for details, see /usr/share/doc/packaging-manual/
17
18case "$1" in
19 remove|deconfigure)
20 update-alternatives --quiet --remove ssh /usr/bin/ssh
21 update-alternatives --quiet --remove ssh /usr/bin/slogin
22 update-alternatives --quiet --remove ssh /usr/bin/scp
23 if [ -e /etc/init.d/ssh ]; then
24 /etc/init.d/ssh stop
25 fi
26# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
27 ;;
28 upgrade)
29# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
30 ;;
31 failed-upgrade)
32 ;;
33 *)
34 echo "prerm called with unknown argument \`$1'" >&2
35 exit 0
36 ;;
37esac
38
39# dh_installdeb will replace this with shell code automatically
40# generated by other debhelper scripts.
41
42#DEBHELPER#
43
44exit 0
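Review bot: lines 20-22 remove alternatives from a group named `ssh` with the paths /usr/bin/ssh, /usr/bin/slogin and /usr/bin/scp, but create_alternatives in postinst.old in this same commit registers the groups `rsh`, `rlogin` and `rcp`, each pointing at /usr/bin/ssh. As written, the removal does not match what was installed, so the r* alternatives are left behind when the package is removed. Looping over `rsh rlogin rcp` with `update-alternatives --quiet --remove $cmd /usr/bin/ssh` would mirror the install side. With `set -e` on line 6, it is also worth deciding whether a failed removal should abort the prerm.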
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000..365872d3d
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,106 @@
1#!/usr/bin/make -f
2
3# Uncomment this to turn on verbose mode.
4# export DH_VERBOSE=1
5
6# This is the debhelper compatability version to use.
7export DH_COMPAT=1
8
9# This has to be exported to make some magic below work.
10export DH_OPTIONS
11
12#PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog)
13
14DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
15
16build: build-stamp
17build-stamp:
18 dh_testdir
19#Change the version string to include the Debian Version
20 if <version.h sed -e "/define/s/\"\(.*\)\"/\"\1 Debian `dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p'`\"/" >version.h.new; \
21 then mv version.h version.h.upstream; mv version.h.new version.h; \
22 else echo "Version number change failed"; exit 1; \
23 fi
24 ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-ipv4-default \
25 --with-privsep-path=/var/run/sshd --without-rand-helper
26 $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
27 SSH_KEYSIGN='/usr/lib/ssh-keysign'
28 gcc -O2 `gnome-config --cflags gnome gnomeui` \
29 contrib/gnome-ssh-askpass.c -o contrib/gnome-ssh-askpass \
30 `gnome-config --libs gnome gnomeui`
31
32 touch build-stamp
33
34clean:
35 dh_testdir
36 rm -f build-stamp
37 -$(MAKE) -i distclean
38 rm -f contrib/gnome-ssh-askpass config.log
39 if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \
40 fi
41 dh_clean
42
43install: DH_OPTIONS=
44install: build
45 dh_testdir
46 dh_testroot
47 dh_clean -k
48 dh_installdirs
49
50 # Add here commands to install the package into debian/tmp.
51 $(MAKE) DESTDIR=`pwd`/debian/tmp install
52
53 rm -f debian/tmp/etc/ssh/ssh_host_*key*
54 rm -f debian/tmp/etc/ssh/sshd_config
55 #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
56 rm -f debian/tmp/usr/share/Ssh.bin
57
58 install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
59 install -m644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
60
61 install -s -o root -g root -m 755 contrib/gnome-ssh-askpass debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
62
63 install -o root -g root debian/init debian/tmp/etc/init.d/ssh
64
65 install -o root -g root -m 755 -d debian/tmp/var/run/sshd
66
67 dh_movefiles
68
69# Build architecture-independent files here.
70binary-indep: build install
71 # nothing to do
72
73# Build architecture-dependent files here.
74binary-arch: build install
75 dh_testdir
76 dh_testroot
77 dh_installdebconf
78 dh_installdocs OVERVIEW README
79 cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright
80 dh_installexamples
81 dh_installmenu
82 nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
83 gzip -9 debian/tmp/usr/share/doc/ssh/RFC
84 rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
85 dh_installpam
86 dh_installcron
87 dh_installchangelogs ChangeLog
88 dh_strip
89 dh_link
90 dh_compress
91 dh_fixperms
92 dh_installdeb
93 test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \
94 || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles
95 dh_shlibdeps
96ifeq ($(DEB_HOST_ARCH),hurd-i386)
97 echo "pam-depend=" >> debian/substvars
98else
99 echo "pam-depend=libpam-modules (>= 0.72-9), " >> debian/substvars
100endif
101 dh_gencontrol
102 dh_md5sums
103 dh_builddeb
104
105binary: binary-indep binary-arch
106.PHONY: build clean binary-indep binary-arch binary install
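Review bot: the CFLAGS on line 26 pass `-D__FILE_OFFSET_BITS=64` with two leading underscores. The feature-test macro that glibc reads for large-file support is `_FILE_OFFSET_BITS`, so this definition has no effect and the build silently keeps the default offset size. A second point for the same target: line 24 configures `--libexecdir=/usr/lib`, while the sshd_config generated by postinst.old in this commit writes `Subsystem sftp /usr/libexec/sftp-server`, so the generated config would point at a path the package does not install. The version.h rewrite on lines 20-23 would benefit from a comment noting that `clean` (lines 39-40) restores the upstream file.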
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright
new file mode 100644
index 000000000..4a71dda00
--- /dev/null
+++ b/debian/ssh-askpass-gnome.copyright
@@ -0,0 +1,44 @@
1This package contains a Gnome based implementation of ssh-askpass
2written by Damien Miller.
3
4It is split out from the main package to isolate the dependency on the
5Gnome and X11 libraries.
6
7It was packaged for Debian by Philip Hands <phil@hands.com>.
8
9Copyright:
10
11/*
12**
13** GNOME ssh passphrase requestor
14**
15** Damien Miller <djm@ibs.com.au>
16**
17** Copyright 1999 Internet Business Solutions
18**
19** Permission is hereby granted, free of charge, to any person
20** obtaining a copy of this software and associated documentation
21** files (the "Software"), to deal in the Software without
22** restriction, including without limitation the rights to use, copy,
23** modify, merge, publish, distribute, sublicense, and/or sell copies
24** of the Software, and to permit persons to whom the Software is
25** furnished to do so, subject to the following conditions:
26**
27** The above copyright notice and this permission notice shall be
28** included in all copies or substantial portions of the Software.
29**
30** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
31** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
32** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
33** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET
34** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
36** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
37** OR OTHER DEALINGS IN THE SOFTWARE.
38**
39** Except as contained in this notice, the name of Internet Business
40** Solutions shall not be used in advertising or otherwise to promote
41** the sale, use or other dealings in this Software without prior
42** written authorization from Internet Business Solutions.
43**
44*/
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs
new file mode 100644
index 000000000..6c255ea63
--- /dev/null
+++ b/debian/ssh-askpass-gnome.dirs
@@ -0,0 +1 @@
usr/lib/ssh/
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst
new file mode 100644
index 000000000..3a52d3005
--- /dev/null
+++ b/debian/ssh-askpass-gnome.postinst
@@ -0,0 +1,49 @@
1#! /bin/sh
2# postinst script for ssh-askpass-gnome
3#
4# see: dh_installdeb(1)
5
6set -e
7
8# summary of how this script can be called:
9# * <postinst> `configure' <most-recently-configured-version>
10# * <old-postinst> `abort-upgrade' <new version>
11# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
12# <new-version>
13# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
14# <failed-install-package> <version> `removing'
15# <conflicting-package> <version>
16# for details, see /usr/share/doc/packaging-manual/
17#
18# quoting from the policy:
19# Any necessary prompting should almost always be confined to the
20# post-installation script, and should be protected with a conditional
21# so that unnecessary prompting doesn't happen if a package's
22# installation fails and the `postinst' is called with `abort-upgrade',
23# `abort-remove' or `abort-deconfigure'.
24
25case "$1" in
26 configure)
27 update-alternatives --quiet --install /usr/bin/ssh-askpass ssh-askpass /usr/lib/ssh/gnome-ssh-askpass 30
28
29
30 ;;
31
32 abort-upgrade|abort-remove|abort-deconfigure)
33
34 ;;
35
36 *)
37 echo "postinst called with unknown argument \`$1'" >&2
38 exit 0
39 ;;
40esac
41
42# dh_installdeb will replace this with shell code automatically
43# generated by other debhelper scripts.
44
45#DEBHELPER#
46
47exit 0
48
49
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm
new file mode 100644
index 000000000..6f3f5756d
--- /dev/null
+++ b/debian/ssh-askpass-gnome.prerm
@@ -0,0 +1,41 @@
1#! /bin/sh
2# prerm script for ssh-askpass-gnome
3#
4# see: dh_installdeb(1)
5
6set -e
7
8# summary of how this script can be called:
9# * <prerm> `remove'
10# * <old-prerm> `upgrade' <new-version>
11# * <new-prerm> `failed-upgrade' <old-version>
12# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
13# * <deconfigured's-prerm> `deconfigure' `in-favour'
14# <package-being-installed> <version> `removing'
15# <conflicting-package> <version>
16# for details, see /usr/share/doc/packaging-manual/
17
18case "$1" in
19 remove|deconfigure)
20 update-alternatives --quiet --remove ssh-askpass /usr/lib/ssh/gnome-ssh-askpass
21# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
22 ;;
23 upgrade)
24# install-info --quiet --remove /usr/info/ssh-askpass.info.gz
25 ;;
26 failed-upgrade)
27 ;;
28 *)
29 echo "prerm called with unknown argument \`$1'" >&2
30 exit 0
31 ;;
32esac
33
34# dh_installdeb will replace this with shell code automatically
35# generated by other debhelper scripts.
36
37#DEBHELPER#
38
39exit 0
40
41
diff --git a/debian/ssh.pam b/debian/ssh.pam
new file mode 100644
index 000000000..a4478cf4a
--- /dev/null
+++ b/debian/ssh.pam
@@ -0,0 +1,22 @@
1#%PAM-1.0
2auth required pam_nologin.so
3auth required pam_unix.so
4auth required pam_env.so # [1]
5
6account required pam_unix.so
7
8session required pam_unix.so
9session optional pam_lastlog.so # [1]
10session optional pam_motd.so # [1]
11session optional pam_mail.so standard noenv # [1]
12session required pam_limits.so
13
14password required pam_unix.so
15
16# Alternate strength checking for password. Note that this
17# requires the libpam-cracklib package to be installed.
18# You will need to comment out the password line above and
19# uncomment the next two in order to use this.
20#
21# password required pam_cracklib.so retry=3 minlen=6 difok=3
22# password required pam_unix.so use_authtok nullok md5
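Review bot: the `# [1]` markers on lines 4 and 9-11 refer to a footnote that is not defined anywhere in this file. Please add a comment block explaining what [1] means for pam_env, pam_lastlog, pam_motd and pam_mail, since an administrator editing /etc/pam.d/ssh will only see this file. The commented-out alternative on lines 21-22 also adds `nullok` and `md5` to pam_unix, which changes more than strength checking; the comment on lines 16-19 should say so.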
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 000000000..a9b4394d4
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,229 @@
1Template: ssh/privsep_tell
2Type: note
3Description: Privilege separation
4 This version of OpenSSH contains the new privilege separation
5 option. This significantly reduces the quantity of code that runs as
6 root, and therefore reduces the impact of security holes in sshd.
7 .
8 Unfortunately, privilege separation interacts badly with PAM. Any
9 PAM session modules that need to run as root (pam_mkhomedir, for
10 example) will fail, and PAM keyboard-interactive authentication
11 won't work.
12 .
13 Privilege separation is turned on by default, so if you decide you
14 want it turned off, you need to add "UsePrivilegeSeparation no" to
15 /etc/ssh/sshd_config
16 .
17 NB! If you are running a 2.0 series Linux kernel, then privilege
18 separation will not work at all, and your sshd will fail to start
19 unless you explicity turn privilege separation off.
20
21Template: ssh/privsep_ask
22Type: boolean
23Default: true
24Description: Enable Privilege separation
25 This version of OpenSSH contains the new privilege separation
26 option. This significantly reduces the quantity of code that runs as
27 root, and therefore reduces the impact of security holes in sshd.
28 .
29 Unfortunately, privilege separation interacts badly with PAM. Any
30 PAM session modules that need to run as root (pam_mkhomedir, for
31 example) will fail, and PAM keyboard-interactive authentication
32 won't work.
33 .
34 Since you've opted to have me generate an sshd_config file for you,
35 you can choose whether or not to have Privilege Separation turned on
36 or not. Unless you are running 2.0 (in which case you *must* say no
37 here or your sshd won't start at all) or know you need to use PAM
38 features that won't work with this option, you should say yes here.
39
40Template: ssh/new_config
41Type: boolean
42Default: true
43Description: Generate new configuration file
44 This version of OpenSSH has a considerably changed configuration file from
45 the version shipped in Debian 'Potato', which you appear to be upgrading from.
46 I can now generate you a new configuration file (/etc/ssh/sshd.config), which
47 will work with the new server version, but will not contain any customisations
48 you made with the old version.
49 .
50 Please note that this new configuration file will set the value of
51 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
52 ssh directly in as root). It is the opinion of the maintainer that this is
53 the correct default (see README.Debian for more details), but you can always
54 edit sshd_config and set it to no if you wish.
55 .
56 It is strongly recommended that you let me generate a new configuration file
57 for you
58
59Template: ssh/protocol2_only
60Type: boolean
61Default: true
62Description: Allow SSH protocol 2 only
63 This version of OpenSSH supports version 2 of the ssh protocol, which
64 is much more secure. Disabling ssh 1 is encouraged, however this
65 will slow things down on low end machines and might prevent older
66 clients from connecting (the ssh client shipped with "potato" is affected).
67 .
68 Also please note that keys used for protocol 1 are different so you will
69 not be able to use them if you only allow protocol 2 connections.
70 .
71 If you later change your mind about this setting, README.Debian has
72 instructions on what to do to your sshd_config file.
73
74Template: ssh/ssh2_keys_merged
75Type: note
76Description: ssh2 keys merged in configuration files
77 As of version 3 OpenSSH no longer uses separate files for ssh1 and
78 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
79 are no longer needed. They will still be read in order to maintain
80 backwards compatibility
81
82Template: ssh/use_old_init_script
83Type: boolean
84Default: false
85Description: Do you want to continue (and risk killing active ssh sessions) ?
86 The version of /etc/init.d/ssh that you have installed, is likely to kill
87 all running sshd instances. If you are doing this upgrade via an ssh
88 session, that would be a Bad Thing(tm).
89 .
90 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
91 start-stop-daemon line in the stop section of the file.
92Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)?
93 Die Version von /etc/init.d/ssh, die sie installiert haben, wird
94 vermutlich ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade
95 via ssh erledigen, dann ist das ein Problem.
96 .
97 Sie koennen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid"
98 an die start-stop-daemon Zeile in dem Bereich stop der Datei
99 /etc/init.d/ssh ergaenzen.
100Description-fr: Voulez vous continuer (et risquer de rompre les sessions ssh actives) ?
101 Il est probable que la version de /etc/init.d/ssh install=E9e en ce moment
102 tue toutes les instances de sshd lanc=E9es en ce moment. Si vous faite une
103 mise =E0 jour via ssh, ca serait une Mauvaise Chose(tm).
104 .
105 Vous pouvez corriger /etc/init.d/ssh en ajoutant '--pidfile /var/run/sshd.pid'
106 a la ligne 'start-stop-daemon' dans la section 'stop' du fichier.
107
108Template: ssh/forward_warning
109Type: note
110Description: NOTE: Forwarding of X11 and Authorization disabled by default.
111 For security reasons, the Debian version of ssh has ForwardX11 and
112 ForwardAgent set to ``off'' by default.
113 .
114 You can enable it for servers you trust, either
115 in one of the configuration files, or with the -X command line option.
116 .
117 More details can be found in /usr/share/doc/ssh/README.Debian
118Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet.
119 Aus Sicherheitsgruenden haben die Debian Pakete von ssh ForwardX11 und
120 ForwardAgent auf "off" gesetzt.
121 .
122 Sie koenne dies fuer Server denen Sie trauen, entweder per Eintrag im
123 den Konfigurations Dateien oder per -X Kommando-Zeilen Option aendern.
124 .
125 Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden.
126Description-fr: NOTE: Suivi de session X11 et d'agent d'autorisation d=E9sactiv=E9s par d=E9faut.
127 Pour des raisons de s=E9curit=E9, la version Debian de ssh positionne les
128 options ForwardX11 et ForwardAgent a ``Off'' par d=E9faut.
129 .
130 Vous pouvez activer ces options pour les serveurs en lesquels vous avez
131 confiance, soit dans un des fichiers de configuration, soit avec l'option
132 -X de la ligne de commande.
133 .
134 Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian.
135
136Template: ssh/insecure_rshd
137Type: note
138Description: Warning: rsh-server is installed --- probably not a good idea
139 having rsh-server installed undermines the security that you were probably
140 wanting to obtain by installing ssh. I'd advise you to remove that package.
141Description-de: Warnung: rsh-server ist installiert --- moeglicherweise
142 ist es eine schlechte Idee den rsh-server installiert zu haben, da er
143 die Sicherheit untergraebt. Wir empfehlen das Paket zu entfernen.
144Description-fr: Attention: le paquet rsh-server est install=E9 --- ce n'estprobablement pas une bonne id=E9e
145 Avoir un serveur rsh install=E9 affaibli la s=E9curit=E9 que vous vouliez
146 probablement obtenir en installant ssh. Je vous conseillerais de
147 d=E9installer ce paquet.
148
149Template: ssh/insecure_telnetd
150Type: note
151Description: Warning: telnetd is installed --- probably not a good idea
152 I'd advise you to either remove the telnetd package (if you don't actually
153 need to offer telnet access) or install telnetd-ssl so that there is at
154 least some chance that telnet sessions will not be sending unencrypted
155 login/password and session information over the network.
156Description-de: Warnung: telnetd ist installiert --- schlechte Idee
157 Wir empfehlen das telnetd Paket zu entfernen (wenn sie keine telnet Zugang
158 anbieten) oder telnetd-ssl zu installieren, so dass die Moeglichkeit besteht
159 dass das Login und Password nicht unverschluesselt durch das Netz gesendet
160 werden.
161Description-fr: Attention: le paquet telnetd est install=E9 --- ce n'est probablement pas une bonne id=E9e
162 Je vous conseillerais de, soit enlever le paquet telnetd (si ce service
163 n'est pas n=E9cessaire), soit de le remplacer par le paquet telnetd-ssl
164 pour qu'il y ait au moins une chance que les sessions telnet soient
165 encrypt=E9es et que les mot de passes et logins ne passent pas en clair sur
166 le r=E9seau.
167
168Template: ssh/encrypted_host_key_but_no_keygen
169Type: note
170Description: Warning: you must create a new host key
171 There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
172 OpenSSH can not handle this host key file, and I can't find the
173 ssh-keygen utility from the old (non-free) SSH installation.
174 .
175 You will need to generate a new host key.
176Description-de: Warnung: Sie muessen einen neuen Host Key erzeugen
177 Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche
178 per IDEA verschluesselt ist. OpenSSH kann eine solche Host Key Datei
179 nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation
180 kann nicht gefunden werden.
181Description-fr: Attention: vous devez cr=E9er une nouvelle cl=E9 d'h=F4te
182 Il existe un vieux /etc/ssh/ssh_host_key qui est encrypt=E9 avec IDEA.
183 OpenSSH ne peut utiliser ce fichier de cl=E9, et je ne peux trouver
184 l'utilitaire ssh-keygen de l'installation pr=E9c=E9dente (non libre) de SSH.
185
186Template: ssh/SUID_client
187Type: boolean
188Default: true
189Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
190 You have the option of installing the ssh-keysign helper with the SUID
191 bit set.
192 .
193 If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
194 host-based authentication.
195 .
196 If in doubt, I suggest you install it with SUID. If it causes
197 problems you can change your mind later by running: dpkg-reconfigure ssh
198
199Template: ssh/run_sshd
200Type: boolean
201Default: true
202Description: Do you want to run the sshd server ?
203 This package contains both the ssh client, and the sshd server.
204 .
205 Normally the sshd Secure Shell Server will be run to allow remote
206 logins via ssh.
207 .
208 If you are only interested in using the ssh client for outbound
209 connections on this machine, and don't want to log into it at all
210 using ssh, then you can disable sshd here.
211Description-de: Wollen Sie den sshd Server starten?
212 Das Paket enthaelt sowohl den client als auch den sshd server.
213 .
214 Normal wird der sshd Secure Shell Server fuer Remote Logins per ssh
215 gestartet.
216 .
217 Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechner
218 zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen,
219 dann koennen Sie hier den sshd abschalten.
220Description-fr: Voulez vous utiliser le serveur sshd ?
221 Ce paquet contient a la fois le client ssh et le serveur sshd.
222 .
223 Normalement le serveur sshd sera lanc=E9 pour permettre les logins distants
224 via ssh.
225 .
226 Si vous d=E9sirez seulement utiliser le client ssh pour vous connecter a
227 distance sur d'autres machines a partir de celle-ci, et que vous ne
228 voulez pas vous logguer sur cette machine a distance via ssh, alors vous
229 pouvez d=E9sactiver sshd maintenant.
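Review bot: the ssh/new_config description (line 46) names the file as /etc/ssh/sshd.config, while line 54 and the rest of the packaging use sshd_config; the prompt should give the real path. Other points in this file: ssh/SUID_client (line 189) asks about /usr/lib/ssh-keysign, but set_sshd_permissions in postinst.old in this commit applies the 04755 override to /usr/bin/ssh, so the question and that action do not agree; the Description-fr blocks contain raw quoted-printable sequences such as `=E9` and `=E0` that will be shown to users verbatim and should be decoded to the file's character set; line 19 has "explicity" for "explicitly"; and the Description-de and Description-fr entries for ssh/encrypted_host_key_but_no_keygen omit the final "You will need to generate a new host key" paragraph.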