From 79cf0b3654d7b597de323153eb57015cdfbd90a4 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 1 Sep 2003 00:51:03 +0000
Subject: Debian release 3.4p1-1.

---
 debian/README.Debian | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100644 debian/README.Debian

diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..c2858d2f9
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,153 @@ +OpenSSH for Debian +------------------ + +Although this package is widely referred to as OpenSSH, it is actually +a branch of an early version of ssh which has been tidied up by the +OpenBSD folks. + +It has been decided that this version should have the privilege of +carrying the ``ssh'' name in Debian, since it is the only version of +ssh that is going to make it into Debian proper, being the only one +that complies with the Debian Free Software Guidelines. + +If you were expecting to get the non-free version of ssh (1.2.27 or +whatever) when you installed this package, please install ssh-nonfree +instead, which is what we're now calling the non-free version. + +=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +PermitRootLogin set to yes +-------------------------- + +This is now the default setting (in line with upstream), and people +who asked for an automatically-generated configuration file when +upgrading from potato (or on a new install) will have this setting in +their /etc/ssh/sshd_config file. + +Should you wish to change this setting, edit /etc/ssh/sshd_config, and +change: +PermitRootLogin yes +to: +PermitRootLogin no + +Having PermitRootLogin set to yes means that an attacker that knows +the root password can ssh in directly (without having to go via a user +account). If you set it to no, then they must compromise a normal user +account. In the vast majority of cases, this does not give added +security; remember that any account you su to root from is equivalent +to root - compromising this account gives an attacker access to root +easily. If you only ever log in as root from the physical console, +then you probably want to set this value to no. + +As an aside, PermitRootLogin can also be set to "without-password" or +"forced-commands-only" - see sshd(8) for more details. + +DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT! 
+ +The argument above is somewhat condensed; I have had this discussion +at great length with many people. If you think the default is +incorrect, and feel strongly enough to want to argue with me about it, +then send me email to matthew@debian.org. I will close bug reports +claiming the default is incorrect. + +SSH now uses protocol 2 by default +---------------------------------- + +This means all your keyfiles you used for protocol version 1 need to +be re-generated. The server keys are done automatically, but for RSA +authentication, please read the ssh-keygen manpage. + +If you have an automatically generated configuration file, and decide +at a later stage that you do want to support protocol version 1 (not +recommended, but note that the ssh client shipped with Debian potato +only supported protocol version 1), then you need to do the following: + +Change /etc/ssh/sshd_config such that: +Protocol 2 +becomes: +Protocol 2,1 +Also add the line: +HostKey /etc/ssh/ssh_host_key + +(you may need to generate a host key if you do not already have one) + +/usr/bin/ssh not SUID: +---------------------- +If you have not installed debconf, you'll have missed the chance to +install ssh SUID, which means you won't be able to do Rhosts +authentication. If that upsets you, use: + + dpkg-statoverride + +or if that's also missing, use this: + + chown root.root /usr/bin/ssh + chmod 04755 /usr/bin/ssh + +X11 Forwarding: +--------------- +ssh's default for ForwardX11 has been changed to ``no'' because it has +been pointed out that logging into remote systems administered by +untrusted people is likely to open you up to X11 attacks, so you +should have to actively decide that you trust the remote machine's +root, before enabling X11. I strongly recommend that you do this on a +machine-by-machine basis, rather than just enabling it in the default +host settings. 
+ +Authorization Forwarding: +------------------------- +Similarly, root on a remote server could make use of your ssh-agent +(while you're logged into their machine) to obtain access to machines +which trust your keys. This feature is therefore disabled by default. +You should only re-enable it for those hosts (in your ~/.ssh/config or +/etc/ssh/ssh_config) where you are confident that the remote machine +is not a threat. + +Fallback to RSH: +---------------- +The default for this setting has been changed from Yes to No, for +security reasons, and to stop the delay attempting to rsh to machines +that don't offer the service. Simply switch it back on in either +/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need +it for. + +Problems logging in with RSA authentication: +-------------------------------------------- +If you have trouble logging in with RSA authentication then the +problem is probably caused by the fact that you have your home +directory writable by group, as well as user (this is the default on +Debian systems). + +Depending upon other settings on your system (i.e. other users being +in your group) this could open a security hole, so you will need to +make your home directory writable only by yourself. Run this command, +as yourself: + + chmod g-w ~/ + +to remove group write permissions. If you use ssh-copy-id to install your +keys, it does this for you. + +-L option of ssh nonfree: +------------------------- +non-free ssh supported the usage of the option -L to use a non privileged +port for scp. This option will not be supported by scp from openssh. + +Please use instead scp -o "UsePrivilegedPort=no" as documented in the +manpage to scp itself. + +Problem logging in because of TCP-Wrappers: +------------------------------------------- +ssh is compiled with support for tcp-wrappers. So if you can no longer +log into your system, please check that /etc/hosts.allow and /etc/hosts.deny +are configured so that ssh is not blocked. 
+ +Kerberos Authentication: +------------------------ +ssh is compiled without support for kerberos authentication, and there are +no current plans to support this. Thus the KerberosAuthentication and +KerberosTgtPassing options will not be recognised. + +-- +Matthew Vernon + -- cgit v1.2.3
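Review bot: the PermitRootLogin section's argument that `yes` adds no exposure only covers an attacker who already knows the root password; with `yes` and password authentication enabled, the root account is also directly reachable for remote password guessing, which the `without-password` value (mentioned only as an aside at the end of the section) closes while still permitting key-based root logins. Suggest moving `without-password` out of the aside and presenting it as the recommended middle ground rather than a plain `yes`/`no` choice. Minor: the "Protocol 2,1" steps say "you may need to generate a host key if you do not already have one" but give no command, whereas the SUID section spells out the exact `chown`/`chmod` fallback; pointing the reader at the ssh-keygen manpage at that step would make the two sections consistent.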