summaryrefslogtreecommitdiff
path: root/debian/openssh-server.postinst
AgeCommit message (Collapse)Author
2010-04-28Drop IDEA key check; I don't think it works properly any more due toColin Watson
textual changes in error output, it's only relevant for direct upgrades from truly ancient versions, and it breaks upgrades if /etc/ssh/ssh_host_key can't be loaded (closes: #579570).
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-01-04Refer to sshd_config(5) rather than sshd(8) in postinst-writtenColin Watson
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped configuration file (closes: #415008, although unfortunately this will only be conveniently visible on new installations).
2010-01-02Remove init script stop link in rc1, as killprocs handles it already.Colin Watson
2010-01-02Cope with insserv reordering of init script links.Colin Watson
2010-01-02Remove ssh/new_config, only needed for direct upgrades from potato whichColin Watson
are no longer particularly feasible anyway (closes: #420682).
2009-07-31Use 'which' rather than 'type' in maintainer scripts.Colin Watson
2008-05-12* Mitigate OpenSSL security vulnerability:Colin Watson
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
2008-04-04Rename KeepAlive to TCPKeepAlive in sshd_config, cleaning up from oldColin Watson
configurations (LP: #211400).
2008-02-08* Move /etc/pam.d/ssh to /etc/pam.d/sshd, allowing us to stop definingColin Watson
SSHD_PAM_SERVICE (closes: #255870).
2007-12-24* Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).Colin Watson
2007-06-12stop link for rc1; fix function callColin Watson
2007-06-12* Move init script start links to S16, and remove stop links altogetherColin Watson
(closes: #122188).
2006-12-23fix disable_config_option to actually workColin Watson
2006-12-23* Make GSSAPICleanupCreds a compatibility alias forColin Watson
GSSAPICleanupCredentials. Mark GSSUseSessionCCache and GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate away from them on upgrade.
2006-12-06* When installing openssh-client or openssh-server from scratch, removeColin Watson
any unchanged conffiles from the pre-split ssh package to work around a bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
2006-12-06* Create transitional ssh-krb5 package which enables GSSAPI configurationColin Watson
in sshd_config. * Default client to attempting GSSAPI authentication. * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's found.
2006-11-20* Ignore errors from usermod when changing sshd'\''s shell, since it willColin Watson
fail if the sshd user is not local (closes: #398436).
2006-07-26silence grep outputColin Watson
2006-07-14* Change sshd user's shell to /usr/sbin/nologin (closes: #366541).Colin Watson
Introduces dependency on passwd for usermod.
2006-04-16* Rename KeepAlive to TCPKeepAlive in default sshd_configColin Watson
(closes: #349896).
2005-09-14 - Update commented-out Kerberos/GSSAPI options in default sshd_config.Colin Watson
2005-09-14* Set X11Forwarding to yes in the default sshd_config (new installs only).Colin Watson
At least when X11UseLocalhost is turned on, which is the default, the security risks of using X11 forwarding are risks to the client, not to the server (closes: #320104).
2005-07-09Do the IDEA host key check on a temporary file to avoid alteringColin Watson
/etc/ssh/ssh_host_key itself (closes: #312312).
2005-07-09fix awful formatting in check_idea_keyColin Watson
2005-07-03Make /usr/share/doc/openssh-server and /usr/share/doc/ssh symlinks toColin Watson
/usr/share/doc/openssh-client.
2005-06-17Manoj Srivastava:Colin Watson
- Added SELinux capability, and turned it on be default. Added restorecon calls in preinst and postinst (should not matter if the machine is not SELinux aware). By and large, the changes made should have no effect unless the rules file calls --with-selinux; and even then there should be no performance hit for machines not actively running SELinux. - Modified the preinst and postinst to call restorecon to set the security context for the generated public key files. - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system may want to also include pam_selinux.so.
2005-05-31Drop debconf support for allowing SSH protocol 1, which is discouraged andColin Watson
has not been the default since openssh 1:3.0.1p1-1. Users who need this should edit sshd_config instead (closes: #147212).
2005-05-31Fix up very old sshd_config files that refer to /usr/libexec/sftp-serverColin Watson
(closes: #141979).
2005-05-31Change libexecdir to /usr/lib/openssh, and fix up various alternatives andColin Watson
configuration files to match (closes: #87900, #151321).
2005-05-30Disable ChallengeResponseAuthentication in new installations, returning toColin Watson
PasswordAuthentication by default, since it now supports PAM and apparently works better with a non-threaded sshd.
2005-01-15Drop LoginGraceTime back to the upstream default of two minutes on newColin Watson
installs (closes: #289573).
2005-01-04Pass LANG and LC_* environment variables from the client by default, andColin Watson
accept them to the server by default in new installs, although not on upgrade (closes: #264024).
2004-10-24Forward-port from HEAD:Colin Watson
* Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754). * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH implementations apparently have problems with the long version string. This is of course a bug in those implementations, but since the extent of the problem is unknown it's best to play safe (closes: #275731). * debconf template translations: - Add Finnish (thanks, Matti Pöllä; closes: #265339). - Update Danish (thanks, Morten Brix Pedersen; closes: #275895). - Update French (thanks, Denis Barbier; closes: #276703). - Update Japanese (thanks, Kenshi Muto; closes: #277438).
2004-10-06Forward-port from HEAD:Colin Watson
* If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled.
2004-08-02Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7Colin Watson
happens even though we don't know what version we're upgrading from.
2004-07-31* Split the ssh binary package into openssh-client and openssh-serverColin Watson
(closes: #39741). openssh-server depends on openssh-client for some common functionality; it didn't seem worth creating yet another package for this. * New transitional ssh package, depending on openssh-client and openssh-server. May be removed once nothing depends on it. * When upgrading from ssh to openssh-{client,server}, it's very difficult for the maintainer scripts to find out what version we're upgrading from without dodgy dpkg hackery. I've therefore taken the opportunity to move a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged and ssh/user_environment_tell. * In general, upgrading to this version directly from woody without first upgrading to the version in sarge is not currently guaranteed to work very smoothly due to the aforementioned version discovery problems.