11 files changed, 167 insertions, 199 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 5452ac780..f530b3269 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-2103d3e5566c54e08a59be750579a249e46747d7
+af54c22db774b37a15df5e599d08a83d4bbe5079
-2103d3e5566c54e08a59be750579a249e46747d7
+af54c22db774b37a15df5e599d08a83d4bbe5079
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff --git a/debian/NEWS b/debian/NEWS
index 3a331e1fd..590aa664b 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -27,6 +27,12 @@ openssh (1:7.4p1-1) UNRELEASED; urgency=medium
   * sshd(8): Remove the UseLogin configuration directive and support for
     having /bin/login manage login sessions.
+  The unprivileged sshd process that deals with pre-authentication network
+  traffic is now subject to additional sandboxing restrictions by default:
+  that is, the default sshd_config now sets UsePrivilegeSeparation to
+  "sandbox" rather than "yes".  This has been the case upstream for a while,
+  but until now the Debian configuration diverged unnecessarily.
 -- Colin Watson <cjwatson@debian.org>  Tue, 20 Dec 2016 22:21:15 +0000
 openssh (1:7.2p1-1) unstable; urgency=medium
diff --git a/debian/changelog b/debian/changelog
index c24cdc60b..80e03947f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -118,6 +118,20 @@ openssh (1:7.4p1-1) UNRELEASED; urgency=medium
  * Remove entries related to protocol 1 from the default sshd_config
    generated on new installations.
  * Remove some advice related to protocol 1 from README.Debian.
+  * Start handling /etc/ssh/sshd_config using ucf.  The immediate motivation
+    for this is to deal with deprecations of options related to protocol 1,
+    but something like this has been needed for a long time (closes:
+    #419574, #848089):
+    - sshd_config is now a slightly-patched version of upstream's, and only
+      contains non-default settings (closes: #147201).
+    - I've included as many historical md5sums of default versions of
+      sshd_config as I could reconstruct from version control, but I'm sure
+      I've missed some.
+    - Explicitly synchronise the debconf database with the current
+      configuration file state in openssh-server.config, to ensure that the
+      PermitRootLogin setting is properly preserved.
+    - UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
+      than "yes", per upstream.
 -- Colin Watson <cjwatson@debian.org>  Mon, 05 Dec 2016 19:31:33 +0000
diff --git a/debian/control b/debian/control
index 98361086f..828d36269 100644
--- a/debian/control
+++ b/debian/control
@@ -109,6 +109,7 @@ Depends: adduser (>= 3.9),
         openssh-client (= ${binary:Version}),
         openssh-sftp-server,
         procps,
+         ucf (>= 0.28),
         ${misc:Depends},
         ${shlibs:Depends},
 Recommends: libpam-systemd,
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
index dbde2cbb0..67a074ec2 100644
--- a/debian/openssh-server.config
+++ b/debian/openssh-server.config
@@ -16,8 +16,19 @@ get_config_option() {
           /etc/ssh/sshd_config 2>/dev/null
 }
+permit_root_login="$(get_config_option PermitRootLogin)"
+if [ -f /etc/ssh/sshd_config ]; then
+        # Make sure the debconf database is in sync with the current state
+        # of the system.
+        if [ "$permit_root_login" = yes ]; then
+                db_set openssh-server/permit-root-login false
+        else
+                db_set openssh-server/permit-root-login true
+        fi
+fi
 if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
-   [ "$(get_config_option PermitRootLogin)" = yes ]; then
+   [ "$permit_root_login" = yes ]; then
        if [ "$(getent shadow root | cut -d: -f2)" = "!" ]; then
                db_set openssh-server/permit-root-login true
        else
diff --git a/debian/openssh-server.examples b/debian/openssh-server.examples
index ef6eb5468..9f15e1fa7 100644
--- a/debian/openssh-server.examples
+++ b/debian/openssh-server.examples
@@ -1,2 +1 @@
-sshd_config
 debian/systemd/ssh-session-cleanup.service
diff --git a/debian/openssh-server.install b/debian/openssh-server.install
index f696de231..7fdf609a7 100755
--- a/debian/openssh-server.install
+++ b/debian/openssh-server.install
@@ -5,6 +5,9 @@ usr/share/man/man5/authorized_keys.5
 usr/share/man/man5/sshd_config.5
 usr/share/man/man8/sshd.8
+sshd_config => usr/share/openssh/sshd_config
+debian/openssh-server.ucf-md5sum => usr/share/openssh/sshd_config.md5sum
 debian/openssh-server.if-up => etc/network/if-up.d/openssh-server
 debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
 debian/systemd/ssh.socket lib/systemd/system
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 5635a60a6..391efc43b 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -23,56 +23,6 @@ get_config_option() {
 }
-set_config_option() {
-        option="$1"
-        value="$2"
-        perl -le '
-                $option = $ARGV[0]; $value = $ARGV[1]; $done = 0;
-                while (<STDIN>) {
-                        chomp;
-                        (my $match = $_) =~ s/\s+/ /g;
-                        if ($match =~ s/^\s*\Q$option\E\s+.*/$option $value/) {
-                                $_ = $match;
-                                $done = 1;
-                        }
-                        print;
-                }
-                print "$option $value" unless $done;' \
-                "$option" "$value" \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
-rename_config_option() {
-        oldoption="$1"
-        newoption="$2"
-        value="$(get_config_option "$oldoption")"
-        [ "$value" ] || return 0
-        perl -le '
-                $oldoption = $ARGV[0]; $newoption = $ARGV[1];
-                while (<STDIN>) {
-                        chomp;
-                        (my $match = $_) =~ s/\s+/ /g;
-                        # TODO: actually only one "=" allowed after option
-                        if ($match =~ s/^(\s*)\Q$oldoption\E([[:space:]=]+)/$1$newoption$2/i) {
-                                $_ = $match;
-                        }
-                        print;
-                }' \
-                "$oldoption" "$newoption" \
-                < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
-        chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new
-        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
-}
 host_keys_required() {
        hostkeys="$(get_config_option HostKey)"
        if [ "$hostkeys" ]; then
@@ -122,137 +72,24 @@ create_keys() {
 }
-fix_loglevel_silent() {
-        if [ "$(get_config_option LogLevel)" = SILENT ]; then
-                set_config_option LogLevel QUIET
-        fi
-}
-update_server_key_bits() {
-        if [ "$(get_config_option ServerKeyBits)" = 768 ]; then
-                set_config_option ServerKeyBits 1024
-        fi
-}
 create_sshdconfig() {
-        if [ -e /etc/ssh/sshd_config ] ; then
+        # XXX cjwatson 2016-12-24: This debconf template is very confusingly
-            # Upgrade an existing sshd configuration.
+        # named; its description is "Disable SSH password authentication for
+        # root?", so true -> prohibit-password (the upstream default),
-            # This option was renamed in 3.8p1, but we never took care
+        # false -> yes.
-            # of adjusting the configuration file until now.
+        db_get openssh-server/permit-root-login
-            if dpkg --compare-versions "$oldversion" lt 1:4.7p1-8; then
+        permit_root_login="$RET"
-                rename_config_option KeepAlive TCPKeepAlive
-            fi
+        new_config="$(tempfile)"
+        cp -a /usr/share/openssh/sshd_config "$new_config"
-            # 'LogLevel SILENT' is now equivalent to QUIET.
+        if [ "$permit_root_login" != true ]; then
-            if dpkg --compare-versions "$oldversion" lt 1:5.4p1-1; then
+                sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
-                fix_loglevel_silent
+                        "$new_config"
-            fi
-            # Changed upstream in 5.1p1, but we forgot to update the
-            # package-generated configuration file until now.
-            if dpkg --compare-versions "$oldversion" lt 1:6.4p1-2; then
-                update_server_key_bits
-            fi
-            if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
-               [ "$(get_config_option PermitRootLogin)" = yes ] &&
-               db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
-                set_config_option PermitRootLogin prohibit-password
-            fi
-            if dpkg --compare-versions "$2" lt-nl 1:7.1p1-1 && \
-               [ "$(get_config_option PermitRootLogin)" = without-password ]; then
-                set_config_option PermitRootLogin prohibit-password
-            fi
-            return 0
        fi
+        ucf --three-way --debconf-ok \
-        cat <<EOF > /etc/ssh/sshd_config
+                --sum-file /usr/share/openssh/sshd_config.md5sum \
-# Package generated configuration file
+                "$new_config" /etc/ssh/sshd_config
-# See the sshd_config(5) manpage for details
+        ucfr openssh-server /etc/ssh/sshd_config
-# What ports, IPs and protocols we listen for
-Port 22
-# Use these options to restrict which interfaces/protocols sshd will bind to
-#ListenAddress ::
-#ListenAddress 0.0.0.0
-Protocol 2
-# HostKeys for protocol version 2
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-#Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
-# Logging
-SyslogFacility AUTH
-LogLevel INFO
-# Authentication:
-LoginGraceTime 120
-PermitRootLogin prohibit-password
-StrictModes yes
-PubkeyAuthentication yes
-#AuthorizedKeysFile     %h/.ssh/authorized_keys
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
-HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
-#IgnoreUserKnownHosts yes
-# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-# Change to no to disable tunnelled clear text passwords
-#PasswordAuthentication yes
-# Kerberos options
-#KerberosAuthentication no
-#KerberosGetAFSToken no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-X11Forwarding yes
-X11DisplayOffset 10
-PrintMotd no
-PrintLastLog yes
-TCPKeepAlive yes
-#UseLogin no
-#MaxStartups 10:30:60
-#Banner /etc/issue.net
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-Subsystem sftp /usr/lib/openssh/sftp-server
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-EOF
 }
 fix_statoverride() {
diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm
index 88e28a91e..ff16e5619 100644
--- a/debian/openssh-server.postrm
+++ b/debian/openssh-server.postrm
@@ -14,7 +14,15 @@ case $1 in
                rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
                rm -f /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub
                rm -f /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub
-                rm -f /etc/ssh/sshd_config
+                for ext in .ucf-new .ucf-old .ucf-dist ""; do
+                        rm -f "/etc/ssh/sshd_config$ext"
+                done
+                if which ucf >/dev/null 2>&1; then
+                        ucf --purge /etc/ssh/sshd_config
+                fi
+                if which ucfr >/dev/null 2>&1; then
+                        ucfr --purge openssh-server /etc/ssh/sshd_config
+                fi
                rm -f /etc/ssh/sshd_not_to_be_run
                rmdir --ignore-fail-on-non-empty /etc/ssh
diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum
new file mode 100644
index 000000000..c9c89d429
--- /dev/null
+++ b/debian/openssh-server.ucf-md5sum
@@ -0,0 +1,48 @@
+# Historical md5sums of the default /etc/ssh/sshd_config up to and including
+# 1:7.3p1-5.
+0d06fc337cee10609d4833dc88df740f
+10dc68360f6658910a98a051273de22c
+11f9e107b4d13bbcabe7f8e8da734371
+16c827adcff44efaca05ec5eea6383d7
+2eeff28468576c3f2e538314e177687b
+386c8b9079625b78f6d624ae506958ae
+38fc7b31b3e3078848f0eec457d3e050
+395c5e13801f9b4f17c2cb54aa634fbd
+423d5796cee663af2d0f24c4d520b578
+42be2cb5b64bc91443b2e46969d2d539
+42cd8b7c5ea9e440d3efa50b9a1bb444
+4f56ca8d0b5dfdaeb732becd3292ce5d
+54998a682a97af8449e9de0316eacf1d
+5c0bdc1735accbdc062381149937ec4a
+6357b54acf8e089c57544e06d1bbec53
+6a621d8bc448987e5a8a613c40307a4c
+702a79962e60aa17c6d3df742e8ec670
+7a69eff91ec92b4e065b8dd8846366b2
+7c60e22f183b6219c684f15ce24153fd
+8304e780c43d4a606f695c8965f48299
+8b9e70ee87f4b822714e2ed7af5b70dc
+8caefdd9e251b7cc1baa37874149a870
+90baeb1c778464d2da610f8268939719
+962a382e51f43f80109131838ca326ba
+96eaf22faba705a37905282f6ad69d64
+9cb6cd83be1c21f73476be629b163c01
+a07a9865cd33b85a1426cd67954c6fa0
+ae1e844b43986e2a964cf84f46b50c5b
+b516afa5a1e298f4cd00952b36dd623f
+b69fc974ee9b5a111bd473ef54cdd232
+ba9c3f808c811d6f944ad10a508c4767
+bccf9af9c7027afd0895d8ff8e02761a
+bd3a2b95f8b4b180eed707794ad81e4d
+c34586b56496f81a10615c002685fc74
+c47555a21189a6b703d2c5d37d2c50ed
+cac079e87c0ae0d77eafc9b285e36348
+d224f92823483333432974f63cb6dc66
+d50ef9ef2aa51cb9f808f6a776260c0a
+e0029e1e9871d4d2b673ee6d70a38614
+e086e7eb521ccc5776371b2e198f0702
+e101f74dc7381527e9aefa1f78b01a7f
+e24f749808133a27d94fda84a89bb27b
+ec16c3dd0203f13885d74ce529719fda
+efcff5380823d4e3f5039620c2e08459
+f58056370a64dbd2017d7486421c281d
+fe396d52df77f1fbf710591d4dbf3311
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 8129c1e58..65175d589 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 2103d3e5566c54e08a59be750579a249e46747d7 Mon Sep 17 00:00:00 2001
+From af54c22db774b37a15df5e599d08a83d4bbe5079 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -14,12 +14,20 @@ worms.
 ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
 default.
-Document all of this, along with several sshd defaults set in
+sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
-debian/openssh-server.postinst.
+PrintMotd.
+sshd: Enable X11Forwarding.
+sshd: Set 'AcceptEnv LANG LC_*' by default.
+sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
+Document all of this.
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2015-12-07
+Last-Update: 2016-12-24
 Patch-Name: debian-config.patch
 ---
@@ -27,9 +35,9 @@ Patch-Name: debian-config.patch
 ssh.1         | 21 +++++++++++++++++++++
 ssh_config    |  7 ++++++-
 ssh_config.5  | 19 ++++++++++++++++++-
- sshd_config   |  2 +-
+ sshd_config   | 16 ++++++++++------
- sshd_config.5 | 25 +++++++++++++++++++++++++
+ sshd_config.5 | 22 ++++++++++++++++++++++
- 6 files changed, 72 insertions(+), 4 deletions(-)
+ 6 files changed, 78 insertions(+), 9 deletions(-)
 diff --git a/readconf.c b/readconf.c
 index c02cdf63..d1091cbd 100644
@@ -149,12 +157,48 @@ index 40617be4..8dce757e 100644
 from stealing or tampering with data belonging to trusted X11
 clients.
 diff --git a/sshd_config b/sshd_config
-index 00e5a728..c0b84f8e 100644
+index 00e5a728..13cbe2c6 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -111,7 +111,7 @@ AuthorizedKeysFile  .ssh/authorized_keys
+@@ -58,8 +58,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
+ #PasswordAuthentication yes
+ #PermitEmptyPasswords no
+ 
+-# Change to no to disable s/key passwords
+-#ChallengeResponseAuthentication yes
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+ 
+ # Kerberos options
+ #KerberosAuthentication no
+@@ -82,16 +83,16 @@ AuthorizedKeysFile  .ssh/authorized_keys
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
+UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
+X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PermitTTY yes
+-#PrintMotd yes
+PrintMotd no
+ #PrintLastLog yes
+ #TCPKeepAlive yes
+ #UseLogin no
+@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # no default banner path
 #Banner none
 
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
 # override default of no subsystems
 -Subsystem      sftp    /usr/libexec/sftp-server
 +Subsystem      sftp    /usr/lib/openssh/sftp-server
@@ -162,10 +206,10 @@ index 00e5a728..c0b84f8e 100644
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index e45a8937..d6911a98 100644
+index e45a8937..703a9cdd 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
+@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
@@ -174,10 +218,7 @@ index e45a8937..d6911a98 100644
 +package sets several options as standard in
 +.Pa /etc/ssh/sshd_config
 +which are not the default in
-+.Xr sshd 8 .
+.Xr sshd 8 :
-+The exact list depends on whether the package was installed fresh or
-+upgraded from various possible previous versions, but includes at least the
-+following:
 +.Pp
 +.Bl -bullet -offset indent -compact
 +.It