From e7543fec567f746f56936475a7db9cffb947d7e2 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 22 Feb 2004 17:23:06 +0000 Subject: Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older than this, to maintain the standard Debian sshd configuration. Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in sshd_config on upgrade. Neither option is supported any more. --- debian/changelog | 6 ++++++ debian/postinst | 22 +++++++++++----------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/debian/changelog b/debian/changelog index e7ddc918d..2af424687 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,12 @@ openssh (1:3.7.1p2-1) UNRELEASED; urgency=low * New upstream release. + - New PAM implementation based on that in FreeBSD. This runs PAM session + modules before dropping privileges (closes: #150968). + * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older + than this, to maintain the standard Debian sshd configuration. + * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in + sshd_config on upgrade. Neither option is supported any more. * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary. * Darren Tucker: diff --git a/debian/postinst b/debian/postinst index f3d4cf6d5..5d0e32fef 100644 --- a/debian/postinst +++ b/debian/postinst 
@@ -60,6 +60,16 @@ create_sshdconfig() { if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then db_get ssh/new_config if [ "$RET" = "false" ] ; then return 0; fi + elif dpkg --compare-versions "$oldversion" lt-nl 1:3.7.1p2-1 && \ + ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then + # Upgrade from pre-3.7: UsePAM needed to maintain standard + # Debian configuration. + cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old + perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ + /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config + return 0 else return 0 fi fi @@ -103,20 +113,11 @@ if [ "$RET" = "false" ]; then cat <> /etc/ssh/sshd_config #Explicitly set PrivSep off, as requested UsePrivilegeSeparation no - -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user -PAMAuthenticationViaKbdInt yes EOF else cat <> /etc/ssh/sshd_config #Privilege Separation is turned on for security UsePrivilegeSeparation yes - -# ...but breaks Pam auth via kbdint, so we have to turn it off -# Use PAM authentication via keyboard-interactive so PAM modules can -# properly interface with the user (off due to PrivSep) -PAMAuthenticationViaKbdInt no EOF fi @@ -138,8 +139,6 @@ RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys -# rhosts authentication should not be used -RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts @@ -181,6 +180,7 @@ KeepAlive yes Subsystem sftp /usr/lib/sftp-server +UsePAM yes EOF } -- cgit v1.2.3
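Review bot: In the new `elif` branch of create_sshdconfig, nothing checks that the `perl` filter succeeded before `mv` replaces the live /etc/ssh/sshd_config. Unless the script runs under `set -e` (not visible in this hunk), a failed `perl` or an unreadable source file leaves `sshd_config.dpkg-new` holding only `UsePAM yes`, and that file becomes the server configuration, silently dropping any restrictions the administrator had set. Guard the steps explicitly, for example by ending the perl redirection and the `echo` with `|| exit 1` so the `mv` is never reached on failure. The `>` redirect also creates `.dpkg-new` with the umask's mode and root ownership, since only the `.dpkg-old` backup is made with `cp -a`; making `.dpkg-new` with `cp -a` and editing that copy would keep the original mode and owner. Both `grep -iq ^UsePAM` and the perl pattern match only at column 0, so an indented directive is missed; the function body starts and ends outside the hunk.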
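Review bot: The `UsePAM yes` line added at the end of the generated sshd_config here-document has no explanatory comment, although most other directives in this template have one. Enabling PAM changes which authentication paths are live: upstream's sample configuration warns that with UsePAM on, PAM authentication can be reached through challenge-response as well as password authentication, so a host that only sets `PasswordAuthentication no` may still accept password-style logins. I would add a comment above the directive such as `# PAM is enabled; also set ChallengeResponseAuthentication no if password logins must stay disabled`. Whether the template already sets ChallengeResponseAuthentication is not visible in this hunk. The same caveat applies to the `echo 'UsePAM yes'` that the first postinst hunk appends to an existing configuration on upgrade.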