From 0b848463a5673dabee2561bd381c679d673d2215 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 9 Jun 2008 11:08:17 +0000 Subject: Add documentation on removing openssh-blacklist locally (see #484269). --- debian/README.compromised-keys | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'debian/README.compromised-keys') diff --git a/debian/README.compromised-keys b/debian/README.compromised-keys index bfffc154a..7a9cb7657 100644 --- a/debian/README.compromised-keys +++ b/debian/README.compromised-keys @@ -138,3 +138,30 @@ OpenSSL: 3. If certificates have been generated for use on other systems, they must be found and replaced as well. + +== Removing openssh-blacklist == + +For the moment, the openssh-server package depends on openssh-blacklist, in +order that the blacklist is deployed to the maximum possible number of +systems to reduce the potential spread of worms exploiting this +vulnerability. We acknowledge that this may be inconvenient for some small +systems, but nevertheless feel that this was the best course of action. + +If you absolutely need to remove the blacklist from your system, then you +can run the following commands to substitute a fake package for +openssh-blacklist: + + sudo apt-get install equivs + equivs-control openssh-blacklist.ctl + sed -i 's/^Package:.*/Package: openssh-blacklist/' openssh-blacklist.ctl + sed -i 's/^# Version:.*/Version: 9:1.0/' openssh-blacklist.ctl + equivs-build openssh-blacklist.ctl + sudo dpkg -i openssh-blacklist_1.0_all.deb + +Be warned: this circumvents a security measure for the sake of disk space. +You should only do this if you have no other option, and if you are certain +that no compromised keys will ever be generated on or copied onto this +system. + +Once a sufficient amount of time and number of releases have passed, the +openssh-blacklist package will be phased out. -- cgit v1.2.3
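Review bot: the new "Removing openssh-blacklist" section documents no way back, and the `Version: 9:1.0` it writes guarantees that apt will prefer the dummy over every future real openssh-blacklist, so a user who later wants the list again (for example after copying keys onto the machine, which the warning itself says they must never do) has no documented path. Suggest adding a revert step such as `sudo dpkg -r openssh-blacklist` followed by `sudo apt-get install openssh-blacklist`. Two smaller points on the same recipe: the `sed -i 's/^# Version:.*/Version: 9:1.0/'` line relies on equivs-control emitting the version as a commented-out `# Version:` line; if that template line is ever uncommented or renamed the substitution silently does nothing, the package builds as 1.0 without epoch, and the next upgrade quietly replaces the dummy with the real blacklist, so a verification line like `dpkg -s openssh-blacklist | grep '^Version: 9:'` after the `dpkg -i` would be worth adding. And the warning should spell out the concrete consequence of removing the package rather than only "circumvents a security measure": without the blacklist files, ssh-vulnkey and sshd's blacklist check cannot recognise the compromised keys this README is about, so the earlier sections' advice to check keys with ssh-vulnkey no longer works on that system.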