Age | Commit message (Collapse) | Author |
|
|
|
"PermitRootLogin prohibit-password" in sshd_config, and update documentation to reflect the new upstream default.
|
|
* openssh-server.postinst: Quiesce "Unable to connect to Upstart" error
message from initctl if upstart is installed, but not the current init
system. (LP: #1440070)
* openssh-server.postinst: Fix version comparisons of upgrade adjustments
to not apply to fresh installs.
|
|
|
|
(closes: #765633).
|
|
compatibility path.
|
|
#762128).
|
|
LaMont Jones).
|
|
Also ask a debconf question when upgrading systems with "PermitRootLogin
yes" from previous versions.
Closes: #298138
|
|
no longer supported.
|
|
|
|
have got it wrong before, and it's fairly harmless to repeat it.
|
|
We need to cope with still-running sysvinit jobs being considered active by
systemd (thanks, Uoti Urpala and Michael Biebl).
|
|
Thanks to Michael Biebl for spotting this.
|
|
|
|
Upgraders who wish to add such host keys should manually add 'HostKey
/etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen
-q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
|
|
(closes: #727622, LP: #1244272).
|
|
ssh-argv0.
|
|
(closes: #687436).
|
|
this version, check whether sysvinit is still managing sshd; if so,
manually stop it so that it can be restarted under upstart. We do this
near the end of the postinst, so it shouldn't result in any appreciable
extra window where sshd is not running during upgrade.
|
|
years ago, and everyone should have upgraded through a version that
applied these checks by now. The ssh-vulnkey tool and the blacklisting
support in sshd are still here, at least for the moment.
* This removes the last of our uses of debconf (closes: #221531).
|
|
https://wiki.ubuntu.com/UpstartCompatibleInitScripts: the init script
checks for a running Upstart, and we now let dh_installinit handle most
of the heavy lifting in maintainer scripts. Ubuntu users should be
essentially unaffected except that sshd may no longer start
automatically in chroots if the running Upstart predates 0.9.0; but the
main goal is simply not to break when openssh-server is installed in a
chroot.
|
|
being primary there.
|
|
|
|
installations or if you manually add 'HostKey
/etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
|
|
which is intentionally no longer shipped in the openssh-server package
due to /var/run often being a temporary directory, is not removed on
upgrade (closes: #575582).
|
|
textual changes in error output, it's only relevant for direct upgrades
from truly ancient versions, and it breaks upgrades if
/etc/ssh/ssh_host_key can't be loaded (closes: #579570).
|
|
introduced to match the behaviour of non-free SSH, in which -q does not
suppress fatal errors, but matching the behaviour of OpenSSH upstream is
much more important nowadays. We no longer document that -q does not
suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to
"LogLevel QUIET" in sshd_config on upgrade.
|
|
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped
configuration file (closes: #415008, although unfortunately this will
only be conveniently visible on new installations).
|
|
|
|
|
|
are no longer particularly feasible anyway (closes: #420682).
|
|
|
|
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
|
|
configurations (LP: #211400).
|
|
SSHD_PAM_SERVICE (closes: #255870).
|
|
|
|
|
|
(closes: #122188).
|
|
|
|
GSSAPICleanupCredentials. Mark GSSUseSessionCCache and
GSSAPIUseSessionCredCache as known-but-unsupported options, and migrate
away from them on upgrade.
|
|
any unchanged conffiles from the pre-split ssh package to work around a
bug in sarge's dpkg (thanks, Justin Pryzby and others; closes: #335276).
|
|
in sshd_config.
* Default client to attempting GSSAPI authentication.
* Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's
found.
|
|
fail if the sshd user is not local (closes: #398436).
|
|
|
|
Introduces dependency on passwd for usermod.
|
|
(closes: #349896).
|
|
|
|
At least when X11UseLocalhost is turned on, which is the default, the
security risks of using X11 forwarding are risks to the client, not to
the server (closes: #320104).
|
|
/etc/ssh/ssh_host_key itself (closes: #312312).
|