From 726497d9b38fab2eb9e9f66e73050527d9963712 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 5 Oct 2004 22:30:43 +0000 Subject: If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). --- debian/changelog | 9 +++++++ debian/config | 19 +++++++++++++++ debian/po/ca.po | 30 ++++++++++++++++++++++- debian/po/cs.po | 30 ++++++++++++++++++++++- debian/po/da.po | 30 ++++++++++++++++++++++- debian/po/de.po | 30 ++++++++++++++++++++++- debian/po/el.po | 30 ++++++++++++++++++++++- debian/po/es.po | 30 ++++++++++++++++++++++- debian/po/fr.po | 30 ++++++++++++++++++++++- debian/po/it.po | 30 ++++++++++++++++++++++- debian/po/ja.po | 30 ++++++++++++++++++++++- debian/po/nl.po | 30 ++++++++++++++++++++++- debian/po/pl.po | 30 ++++++++++++++++++++++- debian/po/pt_BR.po | 30 ++++++++++++++++++++++- debian/po/ru.po | 30 ++++++++++++++++++++++- debian/po/templates.pot | 30 ++++++++++++++++++++++- debian/po/tr.po | 30 ++++++++++++++++++++++- debian/po/zh_CN.po | 30 ++++++++++++++++++++++- debian/postinst | 65 +++++++++++++++++++++++++++++++++++++++---------- debian/templates.master | 16 ++++++++++++ 20 files changed, 560 insertions(+), 29 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2c157e7ad..2d527565d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +openssh (1:3.8.1p1-8.sarge.1) UNRELEASED; urgency=high + + * If PasswordAuthentication is disabled, then offer to disable + ChallengeResponseAuthentication too. The current PAM code will attempt + password-style authentication if ChallengeResponseAuthentication is + enabled (closes: #250369). + + -- Colin Watson Tue, 5 Oct 2004 19:05:08 +0100 + openssh (1:3.8.1p1-8) unstable; urgency=high * Matthew Vernon: diff --git a/debian/config b/debian/config index b5cff528c..6d9729e62 100644 --- a/debian/config +++ b/debian/config @@ -12,6 +12,16 @@ fi . /usr/share/debconf/confmodule db_version 2.0 + +get_config_option() { + option="$1" + + # TODO: actually only one '=' allowed after option + perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ + /etc/ssh/sshd_config +} + + if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1 then db_input medium ssh/ssh2_keys_merged @@ -91,6 +101,15 @@ if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then db_input high ssh/user_environment_tell || true fi +if dpkg --compare-versions "$version" lt-nl 1:3.8.1p1-8.sarge.1; then + passwordauth="$(get_config_option PasswordAuthentication)" + crauth="$(get_config_option ChallengeResponseAuthentication)" + if [ "$passwordauth" = no ] && \ + ([ -z "$crauth" ] || [ "$crauth" = yes ]); then + db_input critical ssh/disable_cr_auth || true + fi +fi + db_go exit 0 diff --git a/debian/po/ca.po b/debian/po/ca.po index 412555d19..85a65e9e4 100644 --- a/debian/po/ca.po +++ b/debian/po/ca.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh_1:3.8p1-3_templates\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-03-05 19:46GMT\n" "Last-Translator: Aleix Badia i Bosch \n" "Language-Team: Catalan \n" @@ -348,3 +348,31 @@ msgstr "" "Per tornar a habilitar l'opció definiu \"PermitUserEnvironment yes\" al " "fitxer /etc/ssh/sshd_config al finalitzar l'actualització (recordeu la nota " "d'avís de la pàgina del manual sshd_config(5)). " + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" diff --git a/debian/po/cs.po b/debian/po/cs.po index 071003350..0374e4a9f 100644 --- a/debian/po/cs.po +++ b/debian/po/cs.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-01-28 15:10+0100\n" "Last-Translator: Miroslav Kure \n" "Language-Team: Czech \n" @@ -346,6 +346,34 @@ msgstr "" "strnce sshd_config(5) a v souboru /etc/ssh/sshd_config zadejte " "\"PermitUserEnvironment yes\"." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Oddlen privilegi" diff --git a/debian/po/da.po b/debian/po/da.po index be90f82f3..74f8e266a 100644 --- a/debian/po/da.po +++ b/debian/po/da.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-10-28 14:30+0200\n" "Last-Translator: Morten Brix Pedersen \n" "Language-Team: debian-l10n-danish \n" @@ -353,6 +353,34 @@ msgstr "" "ssh/sshd_config efter opgraderingen er færdig, men bemærk advarslen som står " "skrevet i sshd_config(5) manual-siden." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Privilegie adskillelse" diff --git a/debian/po/de.po b/debian/po/de.po index 85546e7c1..49d13b8c5 100644 --- a/debian/po/de.po +++ b/debian/po/de.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-05-30 09:49-0200\n" "Last-Translator: Helge Kreutzmann \n" "Language-Team: de \n" @@ -359,3 +359,31 @@ msgstr "" "Um diese Option wieder zu reaktivieren, setzen Sie, unter Bercksichtigung " "der Warnung in der sshd_config(5)-Handbuchseite, \"PermitUserEnvironment yes" "\" in /etc/ssh/sshd_config nachdem die Aktualisierung erfolgt ist." + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" diff --git a/debian/po/el.po b/debian/po/el.po index cdc7a21fc..cb1d43cb4 100644 --- a/debian/po/el.po +++ b/debian/po/el.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: el\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-02-15 14:14EEST\n" "Last-Translator: Konstantinos Margaritis \n" "Language-Team: Greek \n" @@ -370,6 +370,34 @@ msgstr "" "yes\" στο αρχείο /etc/ssh/sshd_config μετά το τέλος της αναβάθμισης, έχοντας " "υπόψιν την προειδοποίηση στη σελίδα οδηγιών του sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Διαχωρισμός Προνομίων" diff --git a/debian/po/es.po b/debian/po/es.po index 95a76b09d..06de59528 100644 --- a/debian/po/es.po +++ b/debian/po/es.po @@ -32,7 +32,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-11\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-01-17 17:47+0200\n" "Last-Translator: Javier Fernandez-Sanguino Pea \n" "Language-Team: Debian L10n Spanish \n" @@ -374,6 +374,34 @@ msgstr "" "etc/ssh/sshd_config al terminar la actualizacin, teniendo en cuenta el " "aviso de la pgina de manual de sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Separacin de privilegios" diff --git a/debian/po/fr.po b/debian/po/fr.po index 2d7523e26..0f808b2f0 100644 --- a/debian/po/fr.po +++ b/debian/po/fr.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-5\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-05-22 10:34+0200\n" "Last-Translator: Denis Barbier \n" "Language-Team: French \n" @@ -371,6 +371,34 @@ msgstr "" "ssh/sshd_config lorsque la mise niveau est termine. Veuillez tenir compte " "de l'avertissement donn dans la page de manuel sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Sparation des privilges" diff --git a/debian/po/it.po b/debian/po/it.po index 5e3e738e2..427ce4cb0 100644 --- a/debian/po/it.po +++ b/debian/po/it.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-12-21 12:23+0100\n" "Last-Translator: Renato Gini \n" "Language-Team: Italian \n" @@ -365,6 +365,34 @@ msgstr "" "file /etc/ssh/sshd_config dopo l'aggiornamento, considerando gli " "avvertimenti contenuti nella pagina del manuale sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Separazione dei privilegi" diff --git a/debian/po/ja.po b/debian/po/ja.po index 35527b294..b23859db6 100644 --- a/debian/po/ja.po +++ b/debian/po/ja.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-09-24 09:32+0900\n" "Last-Translator: Kenshi Muto \n" "Language-Team: Japanese \n" @@ -351,6 +351,34 @@ msgstr "" "˥奢ڡηٹɤǡ /etc/ssh/sshd_config ե" "PermitUserEnvironment yesפꤷƤ" +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "øʬΥ" diff --git a/debian/po/nl.po b/debian/po/nl.po index e3fbdfc72..9ec34ca5e 100644 --- a/debian/po/nl.po +++ b/debian/po/nl.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-9\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-09-27 14:43+0100\n" "Last-Translator: Bart Cornelis \n" "Language-Team: debian-l10n-dutch \n" @@ -366,6 +366,34 @@ msgstr "" "in /etc/ssh/sshd_config aan te zetten in nadat de opwaardering compleet is; " "houd hierbij rekening met de waarschuwing in de sshd_config(5) man-pagina." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Rechtenscheiding" diff --git a/debian/po/pl.po b/debian/po/pl.po index 1d218ab8f..6211dd9f9 100644 --- a/debian/po/pl.po +++ b/debian/po/pl.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-04-08 18:28+0200\n" "Last-Translator: Emil Nowak \n" "Language-Team: Polish \n" @@ -358,6 +358,34 @@ msgstr "" "konfiguracji naley zapozna si z informacjami zawartymi na stronie " "podrcznika systemowego sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Separacja uprawnie" diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po index 00973c88d..d705e794a 100644 --- a/debian/po/pt_BR.po +++ b/debian/po/pt_BR.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh_3.6.1p2-9\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-11-09 16:29-0300\n" "Last-Translator: Andr Lus Lopes \n" "Language-Team: Debian-BR Project \n" @@ -365,6 +365,34 @@ msgstr "" "arquivo /et/ssh/sshd_config depois da a atualizao terminar, atentando para " "o aviso na pgina de manual do sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "Separao de Previlgios" diff --git a/debian/po/ru.po b/debian/po/ru.po index f86cca6d2..ed61285d9 100644 --- a/debian/po/ru.po +++ b/debian/po/ru.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2003-10-02 17:20+0500\n" "Last-Translator: Ilgiz Kalmetev \n" "Language-Team: russian \n" @@ -355,6 +355,34 @@ msgstr "" ", " "sshd_config(5)." +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr " " diff --git a/debian/po/templates.pot b/debian/po/templates.pot index e8e8e4cd2..447bf89a4 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -292,3 +292,31 @@ msgid "" "sshd_config after the upgrade is complete, taking note of the warning in the " "sshd_config(5) manual page." msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" diff --git a/debian/po/tr.po b/debian/po/tr.po index b40fcb2b2..af8a0a9a2 100644 --- a/debian/po/tr.po +++ b/debian/po/tr.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: ssh\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-04-27 06:50+0300\n" "Last-Translator: Recai Oktaş \n" "Language-Team: Turkish \n" @@ -353,3 +353,31 @@ msgstr "" "Bu seçeneği tekrar etkinleştirmek için, sshd_config(5) kılavuz sayfasındaki " "uyarı notunu dikkate alarak, sshd yükseltmesi tamamlandığında /etc/ssh/" "ssh_config dosyasında \"PermitUserEnvironment yes\" satırını kullanın." + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po index 342605317..8ced202c0 100644 --- a/debian/po/zh_CN.po +++ b/debian/po/zh_CN.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-11\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-03-06 17:54+0000\n" +"POT-Creation-Date: 2004-10-05 20:41+0100\n" "PO-Revision-Date: 2004-02-02 18:48+1300\n" "Last-Translator: Hiei Xu \n" "Language-Team: Chinese/Simplified \n" @@ -335,6 +335,34 @@ msgstr "" "要重新启用这个选项,升级完成后请在 /etc/ssh/sshd_config 中加入一" "行:“PermitUserEnvironment yes”。请注意 sshd_config(5) 手册页中提到的警告。" +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates.master:130 +msgid "" +"If you disable challenge-response authentication (the default answer), then " +"users will not be able to log in using passwords. If you leave it enabled, " +"then the 'PasswordAuthentication no' option will have no useful effect " +"unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "Privilege separation" #~ msgstr "权限分离" diff --git a/debian/postinst b/debian/postinst index 1baae1677..efd04c3d0 100644 --- a/debian/postinst +++ b/debian/postinst @@ -36,6 +36,25 @@ get_config_option() { } +set_config_option() { + option="$1" + value="$2" + + perl -e ' + $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; + while () { + if (s/^\s*\Q$option\E\s+.*/$option $value/) { + $done = 1; + } + print; + } + print "\n$option $value\n" unless $done;' \ + "$option" "$value" \ + < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config +} + + host_keys_required() { hostkeys="$(get_config_option HostKey)" if [ "$hostkeys" ]; then @@ -86,25 +105,45 @@ create_keys() { } +check_password_auth() { + passwordauth="$(get_config_option PasswordAuthentication)" + crauth="$(get_config_option ChallengeResponseAuthentication)" + if [ "$passwordauth" = no ] && \ + ([ -z "$crauth" ] || [ "$crauth" = yes ]); then + db_get ssh/disable_cr_auth + if [ "$RET" = true ]; then + set_config_option ChallengeResponseAuthentication no + fi + fi +} + create_sshdconfig() { if [ -e /etc/ssh/sshd_config ] ; then if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then db_get ssh/new_config if [ "$RET" = "false" ] ; then return 0; fi - elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ - ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then - # Upgrade from pre-3.7: UsePAM needed to maintain standard - # Debian configuration. - echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' - cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old - perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ - /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new - echo >> /etc/ssh/sshd_config.dpkg-new - echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new - mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config - echo + else + # Upgrade sshd configuration from a sane version. + + if dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ + ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then + # Upgrade from pre-3.7: UsePAM needed to maintain standard + # Debian configuration. + echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' + cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old + perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ + /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + echo >> /etc/ssh/sshd_config.dpkg-new + echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config + echo + fi + + if dpkg --compare-versions "$oldversion" lt-nl 1:3.8.1p1-8.sarge.1; then + check_password_auth + fi + return 0 - else return 0 fi fi diff --git a/debian/templates.master b/debian/templates.master index 07f62b178..55727c933 100644 --- a/debian/templates.master +++ b/debian/templates.master @@ -123,3 +123,19 @@ _Description: Environment options on keys have been deprecated To re-enable this option, set "PermitUserEnvironment yes" in /etc/ssh/sshd_config after the upgrade is complete, taking note of the warning in the sshd_config(5) manual page. + +Template: ssh/disable_cr_auth +Type: boolean +Default: true +_Description: Disable challenge-response authentication? + Password authentication appears to be disabled in your current OpenSSH + server configuration. In order to prevent users from logging in using + passwords (perhaps using only public key authentication instead) with + recent versions of OpenSSH, you must disable challenge-response + authentication, or else ensure that your PAM configuration does not allow + Unix password file authentication. + . + If you disable challenge-response authentication (the default answer), then + users will not be able to log in using passwords. If you leave it enabled, + then the 'PasswordAuthentication no' option will have no useful effect + unless you also adjust your PAM configuration in /etc/pam.d/ssh. -- cgit v1.2.3