From 0bb3622af79c6402a15e88ce1290cbc776392403 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 1 Sep 2003 18:21:02 +0000 Subject: Debian release 3.5p1-3. --- debian/README.Debian | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'debian/README.Debian') diff --git a/debian/README.Debian b/debian/README.Debian index 614dd08f6..13d005ac0 100644 --- a/debian/README.Debian +++ b/debian/README.Debian 
@@ -171,6 +171,39 @@ ssh is compiled without support for kerberos authentication, and there are no current plans to support this. Thus the KerberosAuthentication and KerberosTgtPassing options will not be recognised. +Setgid ssh-agent and environment variables: +------------------------------------------- +ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace() +attacks retrieving private key material. This has the side-effect of causing +glibc to remove certain environment variables which might have security +implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and +TMPDIR. + +If you need to set any of these environment variables, you will need to do +so in the program exec()ed by ssh-agent. This may involve creating a small +wrapper script. + +Symlink Hostname invocation: +---------------------------- +This version of ssh no longer includes support for invoking ssh with the +hostname as the name of the file run. People wanting this support should +use the ssh-argv0 script. + +Interoperability between scp and the ssh.com SSH server: +-------------------------------------------------------- +In version 2 and greater of the commercial SSH server produced by SSH +Communications Security, scp was changed to use SFTP (SSH2's file transfer +protocol) instead of the traditional rcp-over-ssh, thereby breaking +compatibility. The OpenSSH developers regard this as a bug in the ssh.com +server, and do not currently intend to change OpenSSH's scp to match. + +Workarounds for this problem are to install scp1 on the server (scp2 will +fall back to it), to use sftp, or to use some other transfer mechanism such +as rsync-over-ssh or tar-over-ssh. + -- Matthew Vernon +and +Colin Watson + -- cgit v1.2.3
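Review bot: In the "Symlink Hostname invocation" section, "This version of ssh no longer includes support" names no version, while the setgid section just above it pins its change to 1:3.5p1-1. README.Debian persists across uploads, so "this version" will stop being meaningful; state the package version in which hostname-as-argv[0] invocation was dropped. The same section points readers to "the ssh-argv0 script" without saying where it is installed or how to invoke it, which is worth one more line. In the setgid ssh-agent section, the list of stripped variables is introduced with "including", so readers cannot tell whether their variable is affected; either reference where the full list is defined or say it is determined by glibc. The advice "This may involve creating a small wrapper script" would also be easier to act on with a one-line description of the pattern, namely that the wrapper is what ssh-agent exec()s and it sets the variable before starting the real program.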