Age | Commit message | Author |
|
(LP: #1685022).
|
|
(closes: #760422, #856825).
|
|
|
|
* Start handling /etc/ssh/sshd_config using ucf. The immediate motivation
for this is to deal with deprecations of options related to protocol 1,
but something like this has been needed for a long time (closes:
#419574, #848089):
- sshd_config is now a slightly-patched version of upstream's, and only
contains non-default settings (closes: #147201).
- I've included as many historical md5sums of default versions of
sshd_config as I could reconstruct from version control, but I'm sure
I've missed some.
- Explicitly synchronise the debconf database with the current
configuration file state in openssh-server.config, to ensure that the
PermitRootLogin setting is properly preserved.
- UsePrivilegeSeparation now defaults to the stronger "sandbox" rather
than "yes", per upstream.
|
|
|
|
on new installations.
|
|
#823827).
|
|
#811265).
|
|
|
|
"PermitRootLogin prohibit-password" in sshd_config, and update documentation to reflect the new upstream default.
|
|
* openssh-server.postinst: Quiesce "Unable to connect to Upstart" error
message from initctl if upstart is installed, but not the current init
system. (LP: #1440070)
* openssh-server.postinst: Fix version comparisons of upgrade adjustments
to not apply to fresh installs.
|
|
|
|
(closes: #765633).
|
|
compatibility path.
|
|
#762128).
|
|
LaMont Jones).
|
|
Also ask a debconf question when upgrading systems with "PermitRootLogin
yes" from previous versions.
Closes: #298138
|
|
no longer supported.
|
|
|
|
have got it wrong before, and it's fairly harmless to repeat it.
|
|
We need to cope with still-running sysvinit jobs being considered active by
systemd (thanks, Uoti Urpala and Michael Biebl).
|
|
Thanks to Michael Biebl for spotting this.
|
|
|
|
Upgraders who wish to add such host keys should manually add 'HostKey
/etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen
-q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
|
|
(closes: #727622, LP: #1244272).
|
|
ssh-argv0.
|
|
(closes: #687436).
|
|
this version, check whether sysvinit is still managing sshd; if so,
manually stop it so that it can be restarted under upstart. We do this
near the end of the postinst, so it shouldn't result in any appreciable
extra window where sshd is not running during upgrade.
|
|
years ago, and everyone should have upgraded through a version that
applied these checks by now. The ssh-vulnkey tool and the blacklisting
support in sshd are still here, at least for the moment.
* This removes the last of our uses of debconf (closes: #221531).
|
|
https://wiki.ubuntu.com/UpstartCompatibleInitScripts: the init script
checks for a running Upstart, and we now let dh_installinit handle most
of the heavy lifting in maintainer scripts. Ubuntu users should be
essentially unaffected except that sshd may no longer start
automatically in chroots if the running Upstart predates 0.9.0; but the
main goal is simply not to break when openssh-server is installed in a
chroot.
|
|
being primary there.
|
|
|
|
installations or if you manually add 'HostKey
/etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
|
|
which is intentionally no longer shipped in the openssh-server package
due to /var/run often being a temporary directory, is not removed on
upgrade (closes: #575582).
|
|
textual changes in error output, it's only relevant for direct upgrades
from truly ancient versions, and it breaks upgrades if
/etc/ssh/ssh_host_key can't be loaded (closes: #579570).
|
|
introduced to match the behaviour of non-free SSH, in which -q does not
suppress fatal errors, but matching the behaviour of OpenSSH upstream is
much more important nowadays. We no longer document that -q does not
suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to
"LogLevel QUIET" in sshd_config on upgrade.
|
|
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
configuration file (closes: #415008, although unfortunately this will
only be conveniently visible on new installations).
|
|
|
|
|
|
are no longer particularly feasible anyway (closes: #420682).
|
|
|
|
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
|
|
configurations (LP: #211400).
|
|
SSHD_PAM_SERVICE (closes: #255870).
|
|
|
|
|
|
(closes: #122188).
|
|
|
|
GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
away from them on upgrade.
|
|
any unchanged conffiles from the pre-split ssh package to work around a
bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
|