From 18a9bd1867ee6fb9d913515773b322a279759b5d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 29 Nov 2015 17:34:13 +0000 Subject: Change "PermitRootLogin without-password" to the new preferred spelling of "PermitRootLogin prohibit-password" in sshd_config, and update documentation to reflect the new upstream default. --- debian/README.Debian | 9 ++++++--- debian/changelog | 3 +++ debian/openssh-server.postinst | 8 ++++++-- debian/openssh-server.templates | 2 +- debian/po/cs.po | 8 ++++---- debian/po/da.po | 8 ++++---- debian/po/de.po | 8 ++++---- debian/po/es.po | 8 ++++---- debian/po/fr.po | 8 ++++---- debian/po/it.po | 8 ++++---- debian/po/ja.po | 12 ++++++------ debian/po/nl.po | 8 ++++---- debian/po/pt.po | 13 +++++++------ debian/po/pt_BR.po | 8 ++++---- debian/po/ru.po | 8 ++++---- debian/po/sv.po | 8 ++++---- debian/po/templates.pot | 6 +++--- debian/po/tr.po | 8 ++++---- 18 files changed, 76 insertions(+), 65 deletions(-) diff --git a/debian/README.Debian b/debian/README.Debian index dee9ddb21..9d029585c 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -19,7 +19,8 @@ PermitRootLogin --------------- As of 1:6.6p1-1, new installations will be set to "PermitRootLogin -without-password". This disables password authentication for root, foiling +without-password" (or the synonymous "PermitRootLogin prohibit-password" as +of 1:7.0p1-1). This disables password authentication for root, foiling password dictionary attacks on the root user. Some sites may wish to use the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no", but note that "PermitRootLogin no" will break setups that SSH to root with a @@ -34,7 +35,7 @@ ssh restart" as root. Disabling PermitRootLogin means that an attacker possessing credentials for the root account (any credentials in the case of "yes", or private key -material in the case of "without-password") must compromise a normal user +material in the case of "prohibit-password") must compromise a normal user account rather than being able to SSH directly to root. Be careful to avoid a false illusion of security if you change this setting; any account you escalate to root from should be considered equivalent to root for the @@ -44,7 +45,9 @@ it if you know you will only ever log in as root from the physical console. Since the root account does not generally have non-password credentials unless you explicitly install an SSH public key in its ~/.ssh/authorized_keys, which you presumably only do if you want to SSH to -it, "without-password" should be a reasonable default for most sites. +it, "prohibit-password" should be a reasonable default for most sites. + +As of OpenSSH 7.0, this is the upstream default. For further discussion, see: diff --git a/debian/changelog b/debian/changelog index 42450d4d3..262b74285 100644 --- a/debian/changelog +++ b/debian/changelog @@ -43,6 +43,9 @@ openssh (1:7.0p1-1) UNRELEASED; urgency=medium - sshd(8): Clarify documentation for UseDNS option. - Check realpath(3) behaviour matches what sftp-server requires and use a replacement if necessary. + * Change "PermitRootLogin without-password" to the new preferred spelling + of "PermitRootLogin prohibit-password" in sshd_config, and update + documentation to reflect the new upstream default. -- Colin Watson Sun, 29 Nov 2015 17:32:44 +0000 diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 9e8516ca7..72e993d0a 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst @@ -199,7 +199,7 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin without-password +PermitRootLogin prohibit-password StrictModes yes RSAAuthentication yes @@ -312,7 +312,11 @@ if [ "$action" = configure ]; then if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \ [ "$(get_config_option PermitRootLogin)" = yes ] && db_get openssh-server/permit-root-login && [ "$RET" = true ]; then - set_config_option PermitRootLogin without-password + set_config_option PermitRootLogin prohibit-password + fi + if dpkg --compare-versions "$2" lt-nl 1:7.0p1-1 && \ + [ "$(get_config_option PermitRootLogin)" = without-password ]; then + set_config_option PermitRootLogin prohibit-password fi fi diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates index a7ee70701..1bc8a3308 100644 --- a/debian/openssh-server.templates +++ b/debian/openssh-server.templates @@ -4,7 +4,7 @@ Default: false _Description: Disable SSH password authentication for root? Previous versions of openssh-server permitted logging in as root over SSH using password authentication. The default for new installations is now - "PermitRootLogin without-password", which disables password authentication + "PermitRootLogin prohibit-password", which disables password authentication for root without breaking systems that have explicitly configured SSH public key authentication for root. . diff --git a/debian/po/cs.po b/debian/po/cs.po index 2e0eae079..d01e0ffdc 100644 --- a/debian/po/cs.po +++ b/debian/po/cs.po @@ -28,13 +28,13 @@ msgstr "Zakázat ověřování heslem pro uživatele root?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Předchozí verze openssh-server dovolovala přihlašovat se přes SSH jako root " "pomocí ověřování heslem. Výchozí volba pro nové instalace je nyní " -"\"PermitRootLogin without-password\", která zakazuje ověřování heslem pro " +"\"PermitRootLogin prohibit-password\", která zakazuje ověřování heslem pro " "uživatele root, aniž by to omezilo systémy, které mají explicitně nastaveno " "ověřování veřejným SSH klíčem pro uživatele root." diff --git a/debian/po/da.po b/debian/po/da.po index 403a7077d..70d576d7b 100644 --- a/debian/po/da.po +++ b/debian/po/da.po @@ -28,13 +28,13 @@ msgstr "Deaktiver SSH-adgangskodegodkendelse for root?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Tidligere versioner af openssh-server tillod indlogning som root over SSH " "med brug af adgangskodegodkendelse. Standarden for nye installationer er nu " -"»PermitRootLogin without-password«, som deaktiverer adgangskodegodkendelse " +"»PermitRootLogin prohibit-password«, som deaktiverer adgangskodegodkendelse " "for root uden at ødelægge systemer, som eksplicit har konfigureret SSH-" "offentlig nøglegodkendelse for root." diff --git a/debian/po/de.po b/debian/po/de.po index 0f0fd2e2f..ecba54b6c 100644 --- a/debian/po/de.po +++ b/debian/po/de.po @@ -30,14 +30,14 @@ msgstr "SSH Passwort-Authentifizierung für »root« deaktivieren?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Vorherige Versionen von openssh-server erlaubten das Anmelden als »root« " "über SSH unter Verwendung von Passwort-Authentifizierung. Die " "Standardeinstellung für Neuinstallationen lautet nun »PermitRootLogin " -"without-password«, wodurch die Passwort-Authentifizierung für »root« " +"prohibit-password«, wodurch die Passwort-Authentifizierung für »root« " "deaktiviert wird, und Systeme dennoch funktionsfähig bleiben, bei denen " "ausdrücklich die Authentifizierung als »root« mittels öffentlichem SSH-" "Schlüssel konfiguriert ist." diff --git a/debian/po/es.po b/debian/po/es.po index 47493e406..de8a67ace 100644 --- a/debian/po/es.po +++ b/debian/po/es.po @@ -51,14 +51,14 @@ msgstr "" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Las versiones anteriores de openssh-server permitían iniciar sesión como " "usuario root utilizando autenticación con contraseña. La configuración " "predeterminada para las nuevas instalaciones ahora incluye «PermitRootLogin " -"without-password», lo que desactiva la autenticación con contraseña para el " +"prohibit-password», lo que desactiva la autenticación con contraseña para el " "usuario root sin romper los sistemas que tienen configurado explícitamente " "la autenticación SSH utilizando claves públicas para el usuario root." diff --git a/debian/po/fr.po b/debian/po/fr.po index 3a6db02d0..f7125e9a3 100644 --- a/debian/po/fr.po +++ b/debian/po/fr.po @@ -29,14 +29,14 @@ msgstr "" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Les versions précédentes du paquet openssh-server autorisaient la connexion " "par SSH du superutilisateur (root) en utilisant l’authentification par mot " "de passe. Par défaut, les nouvelles installations ont maintenant l’option " -"« PermitRootLogin without-password », qui désactive l’authentification par " +"« PermitRootLogin prohibit-password », qui désactive l’authentification par " "mot de passe pour le compte « root », sans casser les systèmes qui ont " "configuré explicitement l’authentification SSH par clé publique pour ce " "compte." diff --git a/debian/po/it.po b/debian/po/it.po index 2fa12cede..dd7106090 100644 --- a/debian/po/it.po +++ b/debian/po/it.po @@ -29,13 +29,13 @@ msgstr "Disabilitare l'autenticazione SSH con password per root?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Le versioni precedenti di openssh-server permettevano il login come root via " "SSH, usando l'autenticazione con password. Il comportamento predefinito " -"delle nuove installazioni è «PermitRootLogin without-password» che " +"delle nuove installazioni è «PermitRootLogin prohibit-password» che " "disabilita l'autenticazione con password per root, senza rendere non " "funzionanti sistemi che hanno esplicitamente configurato l'autenticazione " "SSH con chiave pubblica per root." diff --git a/debian/po/ja.po b/debian/po/ja.po index 4e6c41e4b..db382f19a 100644 --- a/debian/po/ja.po +++ b/debian/po/ja.po @@ -28,15 +28,15 @@ msgstr "root での SSH パスワード認証を無効にしますか?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "openssh-server の以前のバージョンではパスワード認証を利用した SSH 経由の " "root のログインを許可していました。新しくインストールした場合のデフォルト値が" -"現在は「PermitRootLogin without-password」になり、root のパスワード認証を無効" -"化しますが SSH の公開鍵認証を root 用に明示的に設定しているシステムでは特に問" -"題はありません。" +"現在は「PermitRootLogin prohibit-password」になり、root のパスワード認証を無" +"効化しますが SSH の公開鍵認証を root 用に明示的に設定しているシステムでは特に" +"問題はありません。" #. Type: boolean #. Description diff --git a/debian/po/nl.po b/debian/po/nl.po index 1cb5cdf48..3afd6171e 100644 --- a/debian/po/nl.po +++ b/debian/po/nl.po @@ -30,13 +30,13 @@ msgstr "" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Eerdere versies van de openssh-server lieten de systeembeheerder toe om zich " "over SSH te authenticeren met een wachtwoord. Voor nieuwe installaties is de " -"standaard nu \"PermitRootLogin without-password\". Deze standaardinstelling " +"standaard nu \"PermitRootLogin prohibit-password\". Deze standaardinstelling " "maakt het voor de systeembeheerder onmogelijk om zich via een wachtwoord te " "authenticeren. Deze instelling heeft geen impact op systemen waarbij de SSH-" "configuratie expliciet vereist dat de systeembeheerder zich authenticeert " diff --git a/debian/po/pt.po b/debian/po/pt.po index 282ac8dde..2dab84ccf 100644 --- a/debian/po/pt.po +++ b/debian/po/pt.po @@ -30,15 +30,16 @@ msgstr "Desactivar a autenticação SSH por palavra passe para o root?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "As versões anteriores do servidor openssh permitiam iniciar sessão como root " "sobre SSH usando autenticação por palavra-passe. A predefinição para novas " -"instalações é agora \"PermitRootLogin without-password\", a qual desactiva a " -"autenticação por palavra-passe para o root sem danificar os sistemas que têm " -"configurados explicitamente autenticação SSH por chave pública para o root." +"instalações é agora \"PermitRootLogin prohibit-password\", a qual desactiva " +"a autenticação por palavra-passe para o root sem danificar os sistemas que " +"têm configurados explicitamente autenticação SSH por chave pública para o " +"root." #. Type: boolean #. Description diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po index d7252fb99..99b1182f1 100644 --- a/debian/po/pt_BR.po +++ b/debian/po/pt_BR.po @@ -30,13 +30,13 @@ msgstr "Desabilitar autenticação por senha do SSH para root?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Versões anteriores do openssh-server permitiam login como root sobre SSH " "usando autenticação por senha. O padrão para as novas instalações agora é " -"\"PermitRootLogin without-password\", que desabilita a autenticação por " +"\"PermitRootLogin prohibit-password\", que desabilita a autenticação por " "senha para root sem quebrar sistemas que tenham configurado explicitamente o " "SSH para autenticação por chave pública para root." diff --git a/debian/po/ru.po b/debian/po/ru.po index 42375e6e5..f2e1dafc4 100644 --- a/debian/po/ru.po +++ b/debian/po/ru.po @@ -30,13 +30,13 @@ msgstr "Выключить в SSH аутентификацию по паролю msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "В предыдущих версиях openssh-server разрешён вход с правами пользователя " "root через SSH с помощью аутентификации по паролю. При новых установках по " -"умолчанию теперь используется настройка «PermitRootLogin without-password», " +"умолчанию теперь используется настройка «PermitRootLogin prohibit-password», " "которая отключает аутентификацию по паролю для root, что не вредит системам, " "у которых в SSH для root настроена аутентификация по открытому ключу." diff --git a/debian/po/sv.po b/debian/po/sv.po index a0cca7ba9..278b0ccbf 100644 --- a/debian/po/sv.po +++ b/debian/po/sv.po @@ -30,13 +30,13 @@ msgstr "Inaktivera SSH-lösenordsautentisering för root?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "Tidigare versioner av openssh-server tillät inloggning som root över SSH med " "hjälp av lösenordsautentisering. Standardinställningen för nya " -"installationer är nu \"PermitRootLogin without-password\", vilket " +"installationer är nu \"PermitRootLogin prohibit-password\", vilket " "inaktiverar lösenordsautentisering för root utan att förstöra system som " "explicit har konfigurerat nyckelautentisering med hjälp av publika nycklar " "för root." diff --git a/debian/po/templates.pot b/debian/po/templates.pot index 70e64acad..47c9e3686 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot @@ -29,9 +29,9 @@ msgstr "" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" #. Type: boolean diff --git a/debian/po/tr.po b/debian/po/tr.po index 095ac14fc..1ada04101 100644 --- a/debian/po/tr.po +++ b/debian/po/tr.po @@ -29,13 +29,13 @@ msgstr "root kullanıcısının parola ile kimlik doğrulaması engellensin mi?" msgid "" "Previous versions of openssh-server permitted logging in as root over SSH " "using password authentication. The default for new installations is now " -"\"PermitRootLogin without-password\", which disables password authentication " -"for root without breaking systems that have explicitly configured SSH public " -"key authentication for root." +"\"PermitRootLogin prohibit-password\", which disables password " +"authentication for root without breaking systems that have explicitly " +"configured SSH public key authentication for root." msgstr "" "openssh-server'ın önceki sürümleri parola ile kimlik doğrulama kullanılarak " "root kullanıcısının SSH üzerinden oturum açmasına izin veriyordu. Artık yeni " -"kurulumların öntanımlı ayarı \"PermitRootLogin without-password\" " +"kurulumların öntanımlı ayarı \"PermitRootLogin prohibit-password\" " "şeklindedir. Bu ayar root kullanıcısının parola kullanarak oturum açmasını " "yasaklar. SSH genel anahtar doğrulama yöntemine ayrıca izin veren mevcut " "sistemler bu ayardan etkilenmez." -- cgit v1.2.3