From 9749ef7f9b382d743b186bf06c7c2aeb0b9bebee Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sat, 31 Jul 2004 03:22:20 +0000 Subject: * Split the ssh binary package into openssh-client and openssh-server (closes: #39741). openssh-server depends on openssh-client for some common functionality; it didn't seem worth creating yet another package for this. * New transitional ssh package, depending on openssh-client and openssh-server. May be removed once nothing depends on it. * When upgrading from ssh to openssh-{client,server}, it's very difficult for the maintainer scripts to find out what version we're upgrading from without dodgy dpkg hackery. I've therefore taken the opportunity to move a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged and ssh/user_environment_tell. * In general, upgrading to this version directly from woody without first upgrading to the version in sarge is not currently guaranteed to work very smoothly due to the aforementioned version discovery problems. --- debian/changelog | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 2c157e7ad..671e5b495 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,22 @@ +openssh (1:3.8.1p1-9) UNRELEASED; urgency=low + + * Split the ssh binary package into openssh-client and openssh-server + (closes: #39741). openssh-server depends on openssh-client for some + common functionality; it didn't seem worth creating yet another package + for this. + * New transitional ssh package, depending on openssh-client and + openssh-server. May be removed once nothing depends on it. + * When upgrading from ssh to openssh-{client,server}, it's very difficult + for the maintainer scripts to find out what version we're upgrading from + without dodgy dpkg hackery. I've therefore taken the opportunity to move + a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged + and ssh/user_environment_tell. + * In general, upgrading to this version directly from woody without first + upgrading to the version in sarge is not currently guaranteed to work + very smoothly due to the aforementioned version discovery problems. + + -- Colin Watson Sat, 31 Jul 2004 03:01:19 +0100 + openssh (1:3.8.1p1-8) unstable; urgency=high * Matthew Vernon: -- cgit v1.2.3 From 4e43fff8597edbb2e708ac4df413795f5ca805cb Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 2 Aug 2004 17:29:06 +0000 Subject: Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7 happens even though we don't know what version we're upgrading from. --- debian/changelog | 5 ++--- debian/openssh-server.postinst | 10 ++++++++-- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 671e5b495..38a7c67ae 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -11,9 +11,8 @@ openssh (1:3.8.1p1-9) UNRELEASED; urgency=low without dodgy dpkg hackery. I've therefore taken the opportunity to move a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged and ssh/user_environment_tell. - * In general, upgrading to this version directly from woody without first - upgrading to the version in sarge is not currently guaranteed to work - very smoothly due to the aforementioned version discovery problems. + * Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7 + happens even though we don't know what version we're upgrading from. -- Colin Watson Sat, 31 Jul 2004 03:01:19 +0100 diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 64f9985a8..28af3f490 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst @@ -90,10 +90,16 @@ create_sshdconfig() { if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then db_get ssh/new_config if [ "$RET" = "false" ] ; then return 0; fi - elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ - ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then + elif (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ + ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ + grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ + /etc/ssh/sshd_config ; then # Upgrade from pre-3.7: UsePAM needed to maintain standard # Debian configuration. + # Note that --compare-versions is sadly not reliable enough + # here due to the package split of ssh into openssh-client + # and openssh-server. The extra grep for some deprecated + # options should with any luck be a good enough heuristic. echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ -- cgit v1.2.3 From 4d6e7c45fdc81bcc1076b68d7b10c1dfbfaaa5be Mon Sep 17 00:00:00 2001 
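Review bot: In the new `elif` of create_sshdconfig the `! grep -iq ^UsePAM` guard is bound only to the version comparison, so a config matched by the deprecated-option grep is rewritten even when it already sets UsePAM. The `UsePAM yes` append lies outside this hunk, but if it is unconditional the file ends up with two UsePAM lines, and since sshd keeps the first value it reads for a keyword, an existing `UsePAM no` would still be in effect while the file suggests otherwise. Guarding the append keeps the result unambiguous, e.g. `grep -iq '^[[:space:]]*UsePAM' /etc/ssh/sshd_config.dpkg-new || echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new`. Both greps in the condition also anchor at column 0, so an indented keyword is missed; `^[[:space:]]*`, as get_config_option in the same script uses, would match it.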
From: Colin Watson Date: Mon, 2 Aug 2004 18:21:33 +0000 Subject: Remove /etc/ssh/sshd_not_to_be_run on purge of openssh-server. For now (until sarge+2) it's still honoured to avoid breaking existing configurations, but the right approach is now to remove the openssh-server package if you don't want to run the server. Add a NEWS item to that effect. --- debian/NEWS | 11 +++++++++++ debian/changelog | 5 +++++ debian/openssh-server.postrm | 1 + 3 files changed, 17 insertions(+) (limited to 'debian/changelog') diff --git a/debian/NEWS b/debian/NEWS index 242d719ff..0c645d103 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,14 @@ +openssh (1:3.8.1p1-9) UNRELEASED; urgency=low + + The ssh package has been split into openssh-client and openssh-server. If + you had previously requested that the sshd server should not be run, then + that request will still be honoured. However, the recommended approach is + now to remove the openssh-server package if you do not want to run sshd. + You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing + that. + + -- Colin Watson Sat, 31 Jul 2004 03:01:19 +0100 + openssh (1:3.5p1-1) unstable; urgency=low This version of OpenSSH disables the environment option for public keys by diff --git a/debian/changelog b/debian/changelog index 38a7c67ae..1c81c1387 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,11 @@ openssh (1:3.8.1p1-9) UNRELEASED; urgency=low and ssh/user_environment_tell. * Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7 happens even though we don't know what version we're upgrading from. + * Remove /etc/ssh/sshd_not_to_be_run on purge of openssh-server. For now + (until sarge+2) it's still honoured to avoid breaking existing + configurations, but the right approach is now to remove the + openssh-server package if you don't want to run the server. Add a NEWS + item to that effect. -- Colin Watson Sat, 31 Jul 2004 03:01:19 +0100 
diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm index 862c51520..e7a437260 100644 --- a/debian/openssh-server.postrm +++ b/debian/openssh-server.postrm @@ -12,6 +12,7 @@ then rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub rm -f /etc/ssh/sshd_config + rm -f /etc/ssh/sshd_not_to_be_run rmdir --ignore-fail-on-non-empty /etc/ssh fi -- cgit v1.2.3 From 317ffaa3e6c0081e90e9898128f5397d563f8e98 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 2 Aug 2004 19:28:18 +0000 Subject: Drop priorities of openssh-server and ssh to optional. --- debian/changelog | 7 ++++--- debian/control | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 1c81c1387..b24826766 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,9 +3,10 @@ openssh (1:3.8.1p1-9) UNRELEASED; urgency=low * Split the ssh binary package into openssh-client and openssh-server (closes: #39741). openssh-server depends on openssh-client for some common functionality; it didn't seem worth creating yet another package - for this. - * New transitional ssh package, depending on openssh-client and - openssh-server. May be removed once nothing depends on it. + for this. openssh-client is priority standard, openssh-server optional. + * New transitional ssh package, priority optional, depending on + openssh-client and openssh-server. May be removed once nothing depends + on it. * When upgrading from ssh to openssh-{client,server}, it's very difficult for the maintainer scripts to find out what version we're upgrading from without dodgy dpkg hackery. I've therefore taken the opportunity to move diff --git a/debian/control b/debian/control index d0080e8ec..3fd8b21f9 100644 --- a/debian/control +++ b/debian/control 
@@ -34,6 +34,7 @@ Description: Secure shell client, an rlogin/rsh/rcp replacement without a special permit. Package: openssh-server +Priority: optional Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1) @@ -61,6 +62,7 @@ Description: Secure shell server, an rshd replacement without a special permit. Package: ssh +Priority: optional Architecture: all Depends: openssh-client, openssh-server Description: Secure shell client and server (transitional package) -- cgit v1.2.3 From e2300820fc0f17a3d6702b18648bf836d4028102 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 2 Aug 2004 21:34:06 +0000 Subject: Finish openssh 1:3.8.1p1-9. --- debian/NEWS | 4 ++-- debian/changelog | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'debian/changelog') diff --git a/debian/NEWS b/debian/NEWS index 0c645d103..f2359de35 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,4 +1,4 @@ -openssh (1:3.8.1p1-9) UNRELEASED; urgency=low +openssh (1:3.8.1p1-9) experimental; urgency=low The ssh package has been split into openssh-client and openssh-server. If you had previously requested that the sshd server should not be run, then @@ -7,7 +7,7 @@ openssh (1:3.8.1p1-9) UNRELEASED; urgency=low You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing that. - -- Colin Watson Sat, 31 Jul 2004 03:01:19 +0100 + -- Colin Watson Mon, 2 Aug 2004 20:48:54 +0100 openssh (1:3.5p1-1) unstable; urgency=low diff --git a/debian/changelog b/debian/changelog index b24826766..438046c06 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,4 +1,4 @@ -openssh (1:3.8.1p1-9) UNRELEASED; urgency=low +openssh (1:3.8.1p1-9) experimental; urgency=low * Split the ssh binary package into openssh-client and openssh-server (closes: #39741). openssh-server depends on openssh-client for some @@ -20,7 +20,7 @@ openssh (1:3.8.1p1-9) UNRELEASED; urgency=low openssh-server package if you don't want to run the server. Add a NEWS item to that effect. - -- Colin Watson Sat, 31 Jul 2004 03:01:19 +0100 + -- Colin Watson Mon, 2 Aug 2004 20:48:54 +0100 openssh (1:3.8.1p1-8) unstable; urgency=high -- cgit v1.2.3 From bd2d6776a7ec2052afc6e3f085a1f3025ab072db Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 25 Aug 2004 17:32:25 +0000 Subject: Don't install the ssh-askpass-gnome .desktop file by default; I've had too many GNOME people tell me it's the wrong thing to be doing. I've left it in /usr/share/doc/ssh-askpass-gnome/examples/ for now. --- debian/changelog | 8 ++++++++ debian/rules | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 438046c06..d722516c1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +openssh (1:3.8.1p1-10) experimental; urgency=low + + * Don't install the ssh-askpass-gnome .desktop file by default; I've had + too many GNOME people tell me it's the wrong thing to be doing. I've + left it in /usr/share/doc/ssh-askpass-gnome/examples/ for now. + + -- Colin Watson Wed, 25 Aug 2004 18:18:14 +0100 + openssh (1:3.8.1p1-9) experimental; urgency=low * Split the ssh binary package into openssh-client and openssh-server diff --git a/debian/rules b/debian/rules index 35bd678c7..8295fc05e 100755 --- a/debian/rules +++ b/debian/rules 
@@ -138,7 +138,6 @@ install: build install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass; \ fi install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1 - install -m 644 debian/ssh-askpass-gnome.desktop debian/ssh-askpass-gnome/usr/share/applications/ssh-askpass-gnome.desktop uudecode -o debian/ssh-askpass-gnome/usr/share/pixmaps/ssh-askpass-gnome.png debian/ssh-askpass-gnome.png.uue install -m 755 debian/ssh-argv0 debian/openssh-client/usr/bin/ssh-argv0 @@ -237,6 +236,7 @@ binary-ssh-askpass-gnome: build install dh_testdir dh_testroot dh_installdocs + dh_installexamples debian/ssh-askpass-gnome.desktop dh_installchangelogs ChangeLog dh_strip dh_compress -- cgit v1.2.3 From 77be91fc874d0bdfb00e2da57550ff9c8969a6d4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 31 Aug 2004 03:34:24 +0000 Subject: Move sshd_config(5) to openssh-server, where it belongs. --- debian/changelog | 6 ++++++ debian/control | 2 +- debian/openssh-server.dirs | 1 + debian/rules | 1 + 4 files changed, 9 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index d722516c1..c1aa043f0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openssh (1:3.8.1p1-11) UNRELEASED; urgency=low + + * Move sshd_config(5) to openssh-server, where it belongs. + + -- Colin Watson Tue, 31 Aug 2004 04:30:34 +0100 + openssh (1:3.8.1p1-10) experimental; urgency=low * Don't install the ssh-askpass-gnome .desktop file by default; I've had diff --git a/debian/control b/debian/control index 3fd8b21f9..d604d1015 100644 --- a/debian/control +++ b/debian/control 
@@ -38,7 +38,7 @@ Priority: optional Architecture: any Depends: ${shlibs:Depends}, ${debconf-depends}, ${pam-depends}, libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${Source-Version}) Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1) -Replaces: ssh (<< 1:3.8.1p1-9) +Replaces: ssh (<< 1:3.8.1p1-9), openssh-client (<< 1:3.8.1p1-11) Suggests: ssh-askpass, xbase-clients Provides: ssh-server Description: Secure shell server, an rshd replacement diff --git a/debian/openssh-server.dirs b/debian/openssh-server.dirs index 3d434da75..85ee171be 100644 --- a/debian/openssh-server.dirs +++ b/debian/openssh-server.dirs @@ -2,5 +2,6 @@ etc/init.d etc/default usr/lib usr/sbin +usr/share/man/man5 usr/share/man/man8 var/run/sshd diff --git a/debian/rules b/debian/rules index 8295fc05e..63c438192 100755 --- a/debian/rules +++ b/debian/rules @@ -124,6 +124,7 @@ install: build # Split off the server. mv debian/openssh-client/usr/sbin/sshd debian/openssh-server/usr/sbin/ mv debian/openssh-client/usr/lib/sftp-server debian/openssh-server/usr/lib/ + mv debian/openssh-client/usr/share/man/man5/sshd_config.5 debian/openssh-server/usr/share/man/man5/ mv debian/openssh-client/usr/share/man/man8/sshd.8 debian/openssh-server/usr/share/man/man8/ mv debian/openssh-client/usr/share/man/man8/sftp-server.8 debian/openssh-server/usr/share/man/man8/ rmdir debian/openssh-client/var/run/sshd -- cgit v1.2.3 From 23ad7ca187d4b40b45b18903c6e96b4cc3ea9ec1 Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Wed, 6 Oct 2004 13:22:30 +0000 Subject: Forward-port from HEAD: * If PasswordAuthentication is disabled, then offer to disable ChallengeResponseAuthentication too. The current PAM code will attempt password-style authentication if ChallengeResponseAuthentication is enabled (closes: #250369). * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled. --- debian/changelog | 7 +++ debian/openssh-server.config | 25 +++++++++++ debian/openssh-server.postinst | 82 ++++++++++++++++++++++++++-------- debian/openssh-server.templates.master | 16 +++++++ debian/po/ca.po | 30 ++++++++++++- debian/po/cs.po | 30 ++++++++++++- debian/po/da.po | 30 ++++++++++++- debian/po/de.po | 30 ++++++++++++- debian/po/el.po | 30 ++++++++++++- debian/po/es.po | 30 ++++++++++++- debian/po/fr.po | 30 ++++++++++++- debian/po/it.po | 30 ++++++++++++- debian/po/ja.po | 30 ++++++++++++- debian/po/nl.po | 30 ++++++++++++- debian/po/pl.po | 30 ++++++++++++- debian/po/pt_BR.po | 30 ++++++++++++- debian/po/ru.po | 30 ++++++++++++- debian/po/templates.pot | 30 ++++++++++++- debian/po/tr.po | 30 ++++++++++++- debian/po/zh_CN.po | 30 ++++++++++++- 20 files changed, 575 insertions(+), 35 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index c1aa043f0..e0c41d52d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,6 +1,13 @@ openssh (1:3.8.1p1-11) UNRELEASED; urgency=low * Move sshd_config(5) to openssh-server, where it belongs. + * If PasswordAuthentication is disabled, then offer to disable + ChallengeResponseAuthentication too. The current PAM code will attempt + password-style authentication if ChallengeResponseAuthentication is + enabled (closes: #250369). + * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or + later and then upgraded. Sorry about that ... for this reason, the + default answer is to leave ChallengeResponseAuthentication enabled. -- Colin Watson Tue, 31 Aug 2004 04:30:34 +0100 diff --git a/debian/openssh-server.config b/debian/openssh-server.config index b40e8afd7..0cd0a4b8d 100644 --- a/debian/openssh-server.config +++ b/debian/openssh-server.config @@ -7,6 +7,18 @@ version=$2 . /usr/share/debconf/confmodule db_version 2.0 + +get_config_option() { + option="$1" + + [ -f /etc/ssh/sshd_config ] || return + + # TODO: actually only one '=' allowed after option + perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ + /etc/ssh/sshd_config 2>/dev/null +} + + if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh then db_fset ssh/use_old_init_script seen false @@ -35,6 +47,19 @@ then then db_input medium ssh/protocol2_only ||true fi fi + + # An empty version means we're upgrading from before the package split, + # so check. + if dpkg --compare-versions "$version" lt 1:3.8.1p1-11 + then + passwordauth="$(get_config_option PasswordAuthentication)" + crauth="$(get_config_option ChallengeResponseAuthentication)" + if [ "$passwordauth" = no ] && \ + ([ -z "$crauth" ] || [ "$crauth" = yes ]) + then + db_input critical ssh/disable_cr_auth || true + fi + fi fi if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 28af3f490..dab8c94fd 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst 
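Review bot: The test `[ "$passwordauth" = no ]` in the second debian/openssh-server.config hunk compares against the raw output of get_config_option, which prints the remainder of every matching line. A repeated keyword yields several lines, and trailing whitespace after `no` is kept, so in both cases the comparison fails and the ssh/disable_cr_auth question is silently skipped even though password authentication is disabled. Taking the first match and trimming it would cover this, e.g. `passwordauth="$(get_config_option PasswordAuthentication | sed -e 's/[[:space:]]*$//' -e 1q)"`, and likewise for `crauth`. The identical test appears in check_password_auth in debian/openssh-server.postinst.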
@@ -29,12 +29,33 @@ check_idea_key() { get_config_option() { option="$1" + [ -f /etc/ssh/sshd_config ] || return + # TODO: actually only one '=' allowed after option perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \ /etc/ssh/sshd_config } +set_config_option() { + option="$1" + value="$2" + + perl -e ' + $option = $ARGV[0]; $value = $ARGV[1]; $done = 0; + while () { + if (s/^\s*\Q$option\E\s+.*/$option $value/) { + $done = 1; + } + print; + } + print "\n$option $value\n" unless $done;' \ + "$option" "$value" \ + < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config +} + + host_keys_required() { hostkeys="$(get_config_option HostKey)" if [ "$hostkeys" ]; then 
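Review bot: set_config_option matches the keyword case-sensitively and only when whitespace follows it (`s/^\s*\Q$option\E\s+.*/$option $value/`), while get_config_option just above matches with `/i` and also accepts `=`. For a line such as `challengeresponseauthentication yes` the read side finds the option but the write side does not, so the new value is appended at the end of the file; sshd uses the first value it reads for a keyword, so the earlier line would stay in effect and password-style logins would remain possible after the administrator chose to disable them. Matching the same way on both sides avoids this: `if (s/^\s*\Q$option\E[\s=]+.*/$option $value/i) {`. Separately, the redirect creates sshd_config.dpkg-new with a mode taken from the umask rather than from the original file, and the `mv` is not chained to perl's exit status; whether `set -e` covers that is not visible in this hunk.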
@@ -85,31 +106,54 @@ create_keys() { } +check_password_auth() { + passwordauth="$(get_config_option PasswordAuthentication)" + crauth="$(get_config_option ChallengeResponseAuthentication)" + if [ "$passwordauth" = no ] && \ + ([ -z "$crauth" ] || [ "$crauth" = yes ]); then + db_get ssh/disable_cr_auth + if [ "$RET" = true ]; then + set_config_option ChallengeResponseAuthentication no + fi + fi +} + + create_sshdconfig() { if [ -e /etc/ssh/sshd_config ] ; then if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then db_get ssh/new_config if [ "$RET" = "false" ] ; then return 0; fi - elif (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ - ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ - grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ - /etc/ssh/sshd_config ; then - # Upgrade from pre-3.7: UsePAM needed to maintain standard - # Debian configuration. - # Note that --compare-versions is sadly not reliable enough - # here due to the package split of ssh into openssh-client - # and openssh-server. The extra grep for some deprecated - # options should with any luck be a good enough heuristic. - echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' - cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old - perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ - /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new - echo >> /etc/ssh/sshd_config.dpkg-new - echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new - mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config - echo + else + # Upgrade sshd configuration from a sane version. + + if (dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \ + ! grep -iq ^UsePAM /etc/ssh/sshd_config) || \ + grep -Eiq '^(PAMAuthenticationViaKbdInt|RhostsAuthentication)' \ + /etc/ssh/sshd_config ; then + # Upgrade from pre-3.7: UsePAM needed to maintain standard + # Debian configuration. 
+ # Note that --compare-versions is sadly not reliable enough + # here due to the package split of ssh into openssh-client + # and openssh-server. The extra grep for some deprecated + # options should with any luck be a good enough heuristic. + echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...' + cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old + perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ + /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new + echo >> /etc/ssh/sshd_config.dpkg-new + echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new + mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config + echo + fi + + # An empty version means we're upgrading from before the + # package split, so check. + if dpkg --compare-versions "$oldversion" lt 1:3.8.1p1-11; then + check_password_auth + fi + return 0 - else return 0 fi fi diff --git a/debian/openssh-server.templates.master b/debian/openssh-server.templates.master index e6d355639..af4d4e9f8 100644 --- a/debian/openssh-server.templates.master +++ b/debian/openssh-server.templates.master 
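Review bot: check_password_auth rewrites /etc/ssh/sshd_config through set_config_option without keeping a copy, whereas the pre-3.7 branch in the same hunk saves sshd_config.dpkg-old before editing. On an upgrade that takes only the new branch, the administrator has nothing to compare against after an authentication setting was changed. Saving a copy before the `set_config_option ChallengeResponseAuthentication no` call, when the pre-3.7 branch has not already done so, would fix that: `cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old`. The comment above the final comparison could also say that `lt`, unlike the `lt-nl` used earlier in create_sshdconfig, treats an empty `$oldversion` as older than any version, which is why the check fires on pre-split upgrades.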
@@ -77,3 +77,19 @@ _Description: Warning: you must create a new host key from the old (non-free) SSH installation. . You will need to generate a new host key. + +Template: ssh/disable_cr_auth +Type: boolean +Default: false +_Description: Disable challenge-response authentication? + Password authentication appears to be disabled in your current OpenSSH + server configuration. In order to prevent users from logging in using + passwords (perhaps using only public key authentication instead) with + recent versions of OpenSSH, you must disable challenge-response + authentication, or else ensure that your PAM configuration does not allow + Unix password file authentication. + . + If you disable challenge-response authentication, then users will not be + able to log in using passwords. If you leave it enabled (the default + answer), then the 'PasswordAuthentication no' option will have no useful + effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. diff --git a/debian/po/ca.po b/debian/po/ca.po index 19d590977..633867185 100644 --- a/debian/po/ca.po +++ b/debian/po/ca.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh_1:3.8p1-3_templates\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-03-05 19:46GMT\n" "Last-Translator: Aleix Badia i Bosch \n" "Language-Team: Catalan \n" 
@@ -265,6 +265,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Haureu de generar una nova clau de l'ordinador central." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "S'han combinat les claus de l'ssh2 als fitxers de configuració" diff --git a/debian/po/cs.po b/debian/po/cs.po index 617f7d98d..19cc1762a 100644 --- a/debian/po/cs.po +++ b/debian/po/cs.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-01-28 15:10+0100\n" "Last-Translator: Miroslav Kure \n" "Language-Team: Czech \n" 
@@ -263,6 +263,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Muste vygenerovat nov serverov kl" +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "Kle ssh2 v konfiguranch souborech byly spojeny" diff --git a/debian/po/da.po b/debian/po/da.po index 6eb87ece2..a34023481 100644 --- a/debian/po/da.po +++ b/debian/po/da.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-10-28 14:30+0200\n" "Last-Translator: Morten Brix Pedersen \n" "Language-Team: debian-l10n-danish \n" 
@@ -268,6 +268,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Du skal oprette en ny værtsnøgle." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "ssh2-nøgler flettet i opsætningsfilerne" diff --git a/debian/po/de.po b/debian/po/de.po index 17526f287..0af4ea07f 100644 --- a/debian/po/de.po +++ b/debian/po/de.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-05-30 09:49-0200\n" "Last-Translator: Helge Kreutzmann \n" "Language-Team: de \n" 
@@ -274,6 +274,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Sie mssen einen neuen Host-Schlssel erzeugen." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "ssh2-Schlssel in die Konfigurationsdateien eingefgt" diff --git a/debian/po/el.po b/debian/po/el.po index 4a67e7116..5cb31d755 100644 --- a/debian/po/el.po +++ b/debian/po/el.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: el\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-02-15 14:14EEST\n" "Last-Translator: Konstantinos Margaritis \n" "Language-Team: Greek \n" 
@@ -283,6 +283,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Πρέπει να δημιουργήσετε ένα νέο κλειδί για τον υπολογιστή (host key)." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "Τα κλειδιά ssh2 συγχωνεύτηκαν στα αρχεία ρυθμίσεων" diff --git a/debian/po/es.po b/debian/po/es.po index 84b290e0a..d34d1a9df 100644 --- a/debian/po/es.po +++ b/debian/po/es.po @@ -32,7 +32,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-11\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-01-17 17:47+0200\n" "Last-Translator: Javier Fernandez-Sanguino Pea \n" "Language-Team: Debian L10n Spanish \n" 
@@ -289,6 +289,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Necesitar generar una nueva clave para su servidor." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "Las claves ssh2 ya se incluyen en los ficheros de configuracin" diff --git a/debian/po/fr.po b/debian/po/fr.po index 6c6ecfaab..0ae9bbb24 100644 --- a/debian/po/fr.po +++ b/debian/po/fr.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-5\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-05-22 10:34+0200\n" "Last-Translator: Denis Barbier \n" "Language-Team: French \n" 
@@ -285,6 +285,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Vous aurez besoin de gnrer une nouvelle cl d'hte." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "Cls pour ssh2 fusionnes dans les fichiers de configuration" diff --git a/debian/po/it.po b/debian/po/it.po index b827e9883..303cf5e52 100644 --- a/debian/po/it.po +++ b/debian/po/it.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-12-21 12:23+0100\n" "Last-Translator: Renato Gini \n" "Language-Team: Italian \n" 
@@ -279,6 +279,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Sar necessario generare una nuova chiave host." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "chiavi ssh2 aggiunte nei file di configurazione" diff --git a/debian/po/ja.po b/debian/po/ja.po index 0baefcc8e..5b03d6256 100644 --- a/debian/po/ja.po +++ b/debian/po/ja.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-09-24 09:32+0900\n" "Last-Translator: Kenshi Muto \n" "Language-Team: Japanese \n" 
@@ -267,6 +267,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "ۥȥɬפޤ" +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "ssh2 ե礵ޤ" diff --git a/debian/po/nl.po b/debian/po/nl.po index 40bca6356..059d623da 100644 --- a/debian/po/nl.po +++ b/debian/po/nl.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-9\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-09-27 14:43+0100\n" "Last-Translator: Bart Cornelis \n" "Language-Team: debian-l10n-dutch \n" 
@@ -278,6 +278,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Het zal nodig zijn om een nieuwe computersleutel te genereren" +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "ssh2 sleutels zijn samengevoegd in de configuratiebestanden" diff --git a/debian/po/pl.po b/debian/po/pl.po index f91259960..530f1668f 100644 --- a/debian/po/pl.po +++ b/debian/po/pl.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-04-08 18:28+0200\n" "Last-Translator: Emil Nowak \n" "Language-Team: Polish \n" 
@@ -273,6 +273,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Bdziesz musia wygenerowa nowy klucz hosta." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "klucze ssh2 wczone do plikw konfiguracyjnych" diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po index 4bf9baf82..4df5c2766 100644 --- a/debian/po/pt_BR.po +++ b/debian/po/pt_BR.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh_3.6.1p2-9\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-11-09 16:29-0300\n" "Last-Translator: Andr Lus Lopes \n" "Language-Team: Debian-BR Project \n" 
@@ -279,6 +279,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Voc precisar gerar uma nova host key." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "Chaves ssh2 includas nos arquivos de configurao" diff --git a/debian/po/ru.po b/debian/po/ru.po index 6a46d1ec6..43af92834 100644 --- a/debian/po/ru.po +++ b/debian/po/ru.po @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2003-10-02 17:20+0500\n" "Last-Translator: Ilgiz Kalmetev \n" "Language-Team: russian \n" 
@@ -269,6 +269,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr " ." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr " ssh2 " diff --git a/debian/po/templates.pot b/debian/po/templates.pot index a4224d581..6d43c330f 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot @@ -16,7 +16,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -223,3 +223,31 @@ msgstr "" #: ../openssh-server.templates.master:74 msgid "You will need to generate a new host key." msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" diff --git a/debian/po/tr.po b/debian/po/tr.po index 499041ad2..d3d471d3c 100644 --- a/debian/po/tr.po +++ b/debian/po/tr.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: ssh\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-04-27 06:50+0300\n" "Last-Translator: Recai Oktaş \n" "Language-Team: Turkish \n" 
@@ -269,6 +269,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "Yeni bir makine anahtarı oluşturmanız gerekiyor." +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "yapılandırma dosyalarındaki ssh2 anahtarları birleştirildi" diff --git a/debian/po/zh_CN.po b/debian/po/zh_CN.po index 263aada78..f32d77bcb 100644 --- a/debian/po/zh_CN.po +++ b/debian/po/zh_CN.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: openssh 3.6.1p2-11\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2004-07-31 03:10+0100\n" +"POT-Creation-Date: 2004-10-06 14:06+0100\n" "PO-Revision-Date: 2004-02-02 18:48+1300\n" "Last-Translator: Hiei Xu \n" "Language-Team: Chinese/Simplified \n" 
@@ -256,6 +256,34 @@ msgstr "" msgid "You will need to generate a new host key." msgstr "您需要创建一个新的主机密钥。" +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "Disable challenge-response authentication?" +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"Password authentication appears to be disabled in your current OpenSSH " +"server configuration. In order to prevent users from logging in using " +"passwords (perhaps using only public key authentication instead) with recent " +"versions of OpenSSH, you must disable challenge-response authentication, or " +"else ensure that your PAM configuration does not allow Unix password file " +"authentication." +msgstr "" + +#. Type: boolean +#. Description +#: ../openssh-server.templates.master:84 +msgid "" +"If you disable challenge-response authentication, then users will not be " +"able to log in using passwords. If you leave it enabled (the default " +"answer), then the 'PasswordAuthentication no' option will have no useful " +"effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." +msgstr "" + #~ msgid "ssh2 keys merged in configuration files" #~ msgstr "ssh2 密钥被合并到配置文件" -- cgit v1.2.3 From daad133651fab07894bc1b687df6fbf2c93257d9 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 6 Oct 2004 14:54:44 +0000 Subject: Finish 1:3.8.1p1-11. --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index e0c41d52d..fd71936b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -openssh (1:3.8.1p1-11) UNRELEASED; urgency=low +openssh (1:3.8.1p1-11) experimental; urgency=high * Move sshd_config(5) to openssh-server, where it belongs. * If PasswordAuthentication is disabled, then offer to disable 
@@ -9,7 +9,7 @@ openssh (1:3.8.1p1-11) UNRELEASED; urgency=low later and then upgraded. Sorry about that ... for this reason, the default answer is to leave ChallengeResponseAuthentication enabled. - -- Colin Watson Tue, 31 Aug 2004 04:30:34 +0100 + -- Colin Watson Wed, 6 Oct 2004 14:28:20 +0100 openssh (1:3.8.1p1-10) experimental; urgency=low -- cgit v1.2.3 From ca67136d152c5d14a6303475e445b1213ab59e39 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 1 Nov 2004 18:19:13 +0000 Subject: Update Dutch debconf template translation (thanks, cobaco; closes: #278715). --- debian/changelog | 7 +++ debian/po/nl.po | 153 +++++-------------------------------------------------- 2 files changed, 20 insertions(+), 140 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 4042014e7..0cdcf1215 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openssh (1:3.8.1p1-13) UNRELEASED; urgency=low + + * debconf template translations: + - Update Dutch (thanks, cobaco; closes: #278715). + + -- Colin Watson Mon, 1 Nov 2004 18:09:08 +0000 + openssh (1:3.8.1p1-12) experimental; urgency=low * Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754). diff --git a/debian/po/nl.po b/debian/po/nl.po index 059d623da..8b34c67a4 100644 --- a/debian/po/nl.po +++ b/debian/po/nl.po @@ -16,7 +16,7 @@ msgstr "" "Project-Id-Version: openssh 3.6.1p2-9\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2004-10-06 14:06+0100\n" -"PO-Revision-Date: 2003-09-27 14:43+0100\n" +"PO-Revision-Date: 2004-10-28 23:21+0100\n" "Last-Translator: Bart Cornelis \n" "Language-Team: debian-l10n-dutch \n" "MIME-Version: 1.0\n" 
@@ -24,13 +24,11 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" #. Type: boolean -#. Description #: ../openssh-client.templates.master:4 msgid "Do you want /usr/lib/ssh-keysign to be installed SUID root?" msgstr "Wilt u /usr/lib/ssh-keysign met SUID root installeren?" #. Type: boolean -#. Description #: ../openssh-client.templates.master:4 msgid "" "You have the option of installing the ssh-keysign helper with the SUID bit " @@ -40,7 +38,6 @@ msgstr "" "de SUID-bit aan." #. Type: boolean -#. Description #: ../openssh-client.templates.master:4 msgid "" "If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 host-" @@ -51,7 +48,6 @@ msgstr "" "gebruiken." #. Type: boolean -#. Description #: ../openssh-client.templates.master:4 msgid "" "If in doubt, I suggest you install it with SUID. If it causes problems you " @@ -62,13 +58,11 @@ msgstr "" "ssh\" uit te voeren" #. Type: boolean -#. Description #: ../openssh-server.templates.master:4 msgid "Generate new configuration file" msgstr "Genereer het nieuwe configuratiebestand" #. Type: boolean -#. Description #: ../openssh-server.templates.master:4 msgid "" "This version of OpenSSH has a considerably changed configuration file from " @@ -85,7 +79,6 @@ msgstr "" "niet overnemen." #. Type: boolean -#. Description #: ../openssh-server.templates.master:4 msgid "" "Please note that this new configuration file will set the value of " @@ -102,7 +95,6 @@ msgstr "" "op 'no' zetten." #. Type: boolean -#. Description #: ../openssh-server.templates.master:4 msgid "" "It is strongly recommended that you let me generate a new configuration file " @@ -112,13 +104,11 @@ msgstr "" "u te laten genereren." #. Type: boolean -#. Description #: ../openssh-server.templates.master:23 msgid "Allow SSH protocol 2 only" msgstr "Laat enkel versie 2 van het SSH-protocol toe." #. Type: boolean -#. Description #: ../openssh-server.templates.master:23 msgid "" "This version of OpenSSH supports version 2 of the ssh protocol, which is " 
@@ -132,7 +122,6 @@ msgstr "" "oudere clients (b.v. de ssh-client uit \"potato\") onmogelijk maakt." #. Type: boolean -#. Description #: ../openssh-server.templates.master:23 msgid "" "Also please note that keys used for protocol 1 are different so you will not " @@ -143,7 +132,6 @@ msgstr "" "protocolversie 2 verbindingen toelaat." #. Type: boolean -#. Description #: ../openssh-server.templates.master:23 msgid "" "If you later change your mind about this setting, README.Debian has " @@ -153,13 +141,11 @@ msgstr "" "nog te veranderen, vindt u in /usr/share/doc/ssh/README.Debian.gz." #. Type: boolean -#. Description #: ../openssh-server.templates.master:38 msgid "Do you want to continue (and risk killing active ssh sessions)?" msgstr "Wilt u verder gaan (waarbij u mogelijk actieve ssh sessies afschiet)?" #. Type: boolean -#. Description #: ../openssh-server.templates.master:38 msgid "" "The version of /etc/init.d/ssh that you have installed, is likely to kill " @@ -171,7 +157,6 @@ msgstr "" "opwaardering via een ssh-sessie doet." #. Type: boolean -#. Description #: ../openssh-server.templates.master:38 msgid "" "You can fix this by adding \"--pidfile /var/run/sshd.pid\" to the start-stop-" @@ -181,14 +166,12 @@ msgstr "" "de start-stop-daemon regel in de stop-sectie van het bestand." #. Type: note -#. Description #: ../openssh-server.templates.master:48 msgid "NOTE: Forwarding of X11 and Authorization disabled by default." msgstr "" "OPMERKING: Doorsturen van X11 en Authorisatie is standaard uitgeschakeld." #. Type: note -#. Description #: ../openssh-server.templates.master:48 msgid "" "For security reasons, the Debian version of ssh has ForwardX11 and " @@ -198,7 +181,6 @@ msgstr "" "ForwardAgent standaard uitgeschakeld." #. Type: note -#. Description #: ../openssh-server.templates.master:48 msgid "" "You can enable it for servers you trust, either in one of the configuration " 
@@ -208,13 +190,11 @@ msgstr "" "configuratiebestanden, of met de -X commandoregeloptie." #. Type: note -#. Description #: ../openssh-server.templates.master:48 msgid "More details can be found in /usr/share/doc/ssh/README.Debian" msgstr "Meer details vindt u in /usr/share/doc/ssh/README.Debian.gz" #. Type: note -#. Description #: ../openssh-server.templates.master:59 msgid "Warning: rsh-server is installed --- probably not a good idea" msgstr "" @@ -222,7 +202,6 @@ msgstr "" "idee" #. Type: note -#. Description #: ../openssh-server.templates.master:59 msgid "" "having rsh-server installed undermines the security that you were probably " @@ -233,7 +212,6 @@ msgstr "" "raden u aan om dat pakket te verwijderen." #. Type: note -#. Description #: ../openssh-server.templates.master:66 msgid "Warning: telnetd is installed --- probably not a good idea" msgstr "" @@ -241,7 +219,6 @@ msgstr "" "idee" #. Type: note -#. Description #: ../openssh-server.templates.master:66 msgid "" "I'd advise you to either remove the telnetd package (if you don't actually " @@ -255,13 +232,11 @@ msgstr "" "wachtwoord en sessie informatie over het netwerk versturen." #. Type: note -#. Description #: ../openssh-server.templates.master:74 msgid "Warning: you must create a new host key" msgstr "Waarschuwing: u dient een nieuwe computersleutel aan te maken" #. Type: note -#. Description #: ../openssh-server.templates.master:74 msgid "" "There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH can " 
@@ -273,19 +248,16 @@ msgstr "" "de oude (niet-vrije) SSH installatie niet vinden." #. Type: note -#. Description #: ../openssh-server.templates.master:74 msgid "You will need to generate a new host key." msgstr "Het zal nodig zijn om een nieuwe computersleutel te genereren" #. Type: boolean -#. Description #: ../openssh-server.templates.master:84 msgid "Disable challenge-response authentication?" -msgstr "" +msgstr "Challenge-response-authenticatie deactiveren?" #. Type: boolean -#. Description #: ../openssh-server.templates.master:84 msgid "" "Password authentication appears to be disabled in your current OpenSSH " @@ -295,9 +267,15 @@ msgid "" "else ensure that your PAM configuration does not allow Unix password file " "authentication." msgstr "" +"Zo te zien is wachtwoord-authenticatie momenteel gedeactiveert in uw OpenSSH-" +"serverconfiguratie. Om te voorkomen dat gebruikers met recente versies van " +"OpenSSH inloggen met behulp van wachtwoorden (mogelijk door in plaats " +"daarvan enkel publieke-sleutel authenticatie te gebruiken) dient challenge-" +"response-authenticatie gedeactiveerd te woren. Zoniet dient u ervoor te " +"zorgen dat uw PAM-configuratie geen Unix 'password'-bestand-authenticatie " +"toe laat." #. Type: boolean -#. Description #: ../openssh-server.templates.master:84 msgid "" "If you disable challenge-response authentication, then users will not be " 
@@ -305,112 +283,7 @@ msgid "" "answer), then the 'PasswordAuthentication no' option will have no useful " "effect unless you also adjust your PAM configuration in /etc/pam.d/ssh." msgstr "" - -#~ msgid "ssh2 keys merged in configuration files" -#~ msgstr "ssh2 sleutels zijn samengevoegd in de configuratiebestanden" - -#~ msgid "" -#~ "As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 " -#~ "keys. This means the authorized_keys2 and known_hosts2 files are no " -#~ "longer needed. They will still be read in order to maintain backwards " -#~ "compatibility" -#~ msgstr "" -#~ "Vanaf versie 3 gebruikt OpenSSH niet langer aparte bestanden om ssh1 en " -#~ "ssh2 sleutels bij te houden. Dit betekend dat de authorized_keys2 en " -#~ "known_hosts2 bestanden niet langer nodig zijn. Wel worden ze nog steeds " -#~ "gelezen om achterwaartse compabiliteit te behouden." - -#~ msgid "Do you want to run the sshd server?" -#~ msgstr "Wilt u de sshd server opstarten?" - -#~ msgid "This package contains both the ssh client, and the sshd server." -#~ msgstr "Dit pakket bevat zowel de ssh-client, als de sshd-server." - -#~ msgid "" -#~ "Normally the sshd Secure Shell Server will be run to allow remote logins " -#~ "via ssh." -#~ msgstr "" -#~ "Normaal wordt de sshd-server uitgevoerd om aanmelden vanop een andere " -#~ "computer via ssh toe te laten." - -#~ msgid "" -#~ "If you are only interested in using the ssh client for outbound " -#~ "connections on this machine, and don't want to log into it at all using " -#~ "ssh, then you can disable sshd here." -#~ msgstr "" -#~ "Indien u op deze machine enkel ssh wil gebruiken voor uitgaande " -#~ "verbindingen, en ook lokaal niet wilt inloggen via ssh, kunt u sshd hier " -#~ "uitschakelen." - -#~ msgid "Environment options on keys have been deprecated" -#~ msgstr "" -#~ "Omgevingsopties voor sleutels zullen in de toekomst niet meer ondersteund " -#~ "worden." 
- -#~ msgid "" -#~ "This version of OpenSSH disables the environment option for public keys " -#~ "by default, in order to avoid certain attacks (for example, LD_PRELOAD). " -#~ "If you are using this option in an authorized_keys file, beware that the " -#~ "keys in question will no longer work until the option is removed." -#~ msgstr "" -#~ "Deze versie van OpenSSH schakelt de omgevingsoptie voor publieke sleutels " -#~ "standaard uit om bepaalde aanvallen uit te sluiten (bv. LD_PRELOAD). " -#~ "Indien u deze optie in een authorized_keys-bestand gebruikt, dient u u " -#~ "ervan bewust te zijn dat de betreffende sleutels niet langer zullen " -#~ "werken totdat de optie verwijderd wordt." - -#~ msgid "" -#~ "To re-enable this option, set \"PermitUserEnvironment yes\" in /etc/ssh/" -#~ "sshd_config after the upgrade is complete, taking note of the warning in " -#~ "the sshd_config(5) manual page." -#~ msgstr "" -#~ "Om deze optie opnieuw in te schakelen dient u \"PermitUserEnvironment yes" -#~ "\" in /etc/ssh/sshd_config aan te zetten in nadat de opwaardering " -#~ "compleet is; houd hierbij rekening met de waarschuwing in de sshd_config" -#~ "(5) man-pagina." - -#~ msgid "Privilege separation" -#~ msgstr "Rechtenscheiding" - -#~ msgid "" -#~ "Privilege separation is turned on by default, so if you decide you want " -#~ "it turned off, you need to add \"UsePrivilegeSeparation no\" to /etc/ssh/" -#~ "sshd_config." -#~ msgstr "" -#~ "Rechtenscheiding is standaard ingeschakeld; mocht u dit niet willen, dan " -#~ "dient u \"UsePrivilegeSeparation no\" toe te voegen in /etc/ssh/" -#~ "sshd_config." - -#~ msgid "Enable Privilege separation" -#~ msgstr "Rechtenscheiding inschakelen" - -#~ msgid "" -#~ "This version of OpenSSH contains the new privilege separation option. " -#~ "This significantly reduces the quantity of code that runs as root, and " -#~ "therefore reduces the impact of security holes in sshd." 
-#~ msgstr "" -#~ "Deze OpenSSH-versie bevat de nieuwe rechtenscheidingoptie. Deze " -#~ "vermindert de hoeveelheid code die als root uitgevoerd wordt " -#~ "substantieel, en vermindert op die manier de invloed van " -#~ "veiligheidslekken in sshd." - -#~ msgid "" -#~ "Unfortunately, privilege separation interacts badly with PAM. Any PAM " -#~ "session modules that need to run as root (pam_mkhomedir, for example) " -#~ "will fail, and PAM keyboard-interactive authentication won't work." -#~ msgstr "" -#~ "Spijtig genoeg werkt rechtenscheiding niet goed samen met PAM. Alle PAM-" -#~ "sessiemodules die als root uitgevoerd dienen te worden (b.v. " -#~ "pam_mkhomedir) zullen falen, en de interactieve PAM-toetsenbord-" -#~ "authenticatie zal ook niet werken." - -#~ msgid "" -#~ "Since you've opted to have me generate an sshd_config file for you, you " -#~ "can choose whether or not to have privilege separation turned on or not. " -#~ "Unless you know you need to use PAM features that won't work with this " -#~ "option, you should enable it." -#~ msgstr "" -#~ "Aangezien u ervoor gekozen heeft om mij een ssh_config-bestand voor u te " -#~ "laten genereren, kunt u kiezen of u rechtenscheiding aan of uit wilt " -#~ "hebben. U kunt dit het best activeren, tenzij u PAM-mogelijkheden nodig " -#~ "heeft die niet met rechtenscheiding samenwerken." +"Wanneer u challenge-response-authenticatie deactiveerd kunnen gebruikers " +"niet meer inloggen met behulp van wachtwoorden. Als u het geactiveerd laat " +"(de standaarwaarde) zal de 'PasswordAuthentication no' optie geen (nuttig) " +"effect hebben tenzij u ook de PAM-configuratie aanpast in /etc/pam.d/ssh." -- cgit v1.2.3 From 6c6f586d90208b998f6eff99866d3179ba3fa5c8 Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Fri, 12 Nov 2004 11:37:31 +0000 Subject: Merge from HEAD: Enable threading for PAM, on Sam Hartman's advice (closes: #278394). --- debian/changelog | 1 + debian/rules | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 0cdcf1215..41cddd823 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ openssh (1:3.8.1p1-13) UNRELEASED; urgency=low + * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). * debconf template translations: - Update Dutch (thanks, cobaco; closes: #278715). diff --git a/debian/rules b/debian/rules index dbc08d4c6..351f47785 100755 --- a/debian/rules +++ b/debian/rules 
@@ -59,9 +59,13 @@ build-deb-stamp: dh_testdir mkdir -p build-deb cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper + # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). perl -pi -e 's/.*#undef (BROKEN_SETRES[UG]ID).*/#define $$1 1/' build-deb/config.h - $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign' + # Supply pthread linkage for just those binaries linked to PAM. + perl -pi -e 's/^(LIBPAM=.*)/$$1 -pthread/' build-deb/Makefile + + $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -DUSE_POSIX_THREADS -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_VERSION="\"$(SSH_VERSION)\""' SSH_KEYSIGN='/usr/lib/ssh-keysign' # Support building on Debian 3.0 (with GNOME 1.4) and later. if [ -f /usr/include/libgnomeui-2.0/gnome.h ]; then \ $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc $(OPTFLAGS) -g -Wall'; \ -- cgit v1.2.3 From 4a1259f3240a48fc2dbb0459a7b43d7675ac8ab8 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 12 Nov 2004 11:44:59 +0000 Subject: Merge from HEAD: Correct README.Debian's ForwardX11Trusted description (closes: #280190). --- debian/README.Debian | 2 +- debian/changelog | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/README.Debian b/debian/README.Debian index 4f076f898..db867e186 100644 --- a/debian/README.Debian +++ b/debian/README.Debian 
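Review bot: The added `perl -pi -e 's/^(LIBPAM=.*)/$$1 -pthread/' build-deb/Makefile` step succeeds even when no `LIBPAM=` line matches, so a change in the generated Makefile would drop the pthread linkage without the rule noticing, while `-DUSE_POSIX_THREADS` is still passed to every object through CFLAGS. A check right after the edit, for example `grep -q '^LIBPAM=.* -pthread' build-deb/Makefile`, would make the rule fail at this step instead. The comment above it could also say what the define changes: as far as I can tell from upstream's auth-pam.c, it runs the PAM conversation as a thread inside the sshd process rather than in a separate child, which affects how isolated PAM modules are from the rest of sshd. The build-deb-stamp rule starts before this hunk.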
@@ -121,7 +121,7 @@ forwarded X11 connection can't become attacks on X clients on the remote machine. However, this has some problems in implementation - notably a very short timeout of the untrusted cookie - breaks large numbers of existing setups, and generally seems immature. The Debian package -therefore sets the default for this option to "no" (in ssh itself, +therefore sets the default for this option to "yes" (in ssh itself, rather than in ssh_config). Fallback to RSH diff --git a/debian/changelog b/debian/changelog index 41cddd823..caeeeeff8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ openssh (1:3.8.1p1-13) UNRELEASED; urgency=low * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). * debconf template translations: - Update Dutch (thanks, cobaco; closes: #278715). + * Correct README.Debian's ForwardX11Trusted description (closes: #280190). -- Colin Watson Mon, 1 Nov 2004 18:09:08 +0000 -- cgit v1.2.3 From 4074bbd9da1c04e4ea771fbc3554be78366c062e Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 12 Nov 2004 13:10:04 +0000 Subject: Finish 1:3.8.1p1-13. --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index caeeeeff8..128d2aa18 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,11 @@ -openssh (1:3.8.1p1-13) UNRELEASED; urgency=low +openssh (1:3.8.1p1-13) experimental; urgency=low * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). * debconf template translations: - Update Dutch (thanks, cobaco; closes: #278715). * Correct README.Debian's ForwardX11Trusted description (closes: #280190). - -- Colin Watson Mon, 1 Nov 2004 18:09:08 +0000 + -- Colin Watson Fri, 12 Nov 2004 12:03:13 +0000 openssh (1:3.8.1p1-12) experimental; urgency=low -- cgit v1.2.3 From c4945711e5b64f37ab1f5bb4538fd74595820edf Mon Sep 17 00:00:00 2001 
From: Colin Watson Date: Sun, 28 Nov 2004 17:55:17 +0000 Subject: We use DH_COMPAT=2, so build-depend on debhelper (>= 2). --- debian/changelog | 6 ++++++ debian/control | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 128d2aa18..19840ae9b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openssh (1:3.8.1p1-14) UNRELEASED; urgency=low + + * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). + + -- Colin Watson Sun, 28 Nov 2004 17:52:23 +0000 + openssh (1:3.8.1p1-13) experimental; urgency=low * Enable threading for PAM, on Sam Hartman's advice (closes: #278394). diff --git a/debian/control b/debian/control index d604d1015..9296e079f 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: openssh Section: net Priority: standard Maintainer: Matthew Vernon -Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, groff, debhelper (>=1.1.17), sharutils +Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnomeui-dev (>= 2.0.0) | libgnome-dev, groff, debhelper (>= 2), sharutils Standards-Version: 3.6.1 Uploaders: Colin Watson -- cgit v1.2.3 From 1153b38f4612d93ca7f8dfa6756d6ed64338b281 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 28 Nov 2004 17:59:30 +0000 Subject: Merge from HEAD: Fix timing information leak allowing discovery of invalid usernames in PAM keyboard-interactive authentication (backported from a patch by Darren Tucker; closes: #281595). --- auth-pam.c | 6 +++++- auth2-chall.c | 11 ++++------- debian/changelog | 3 +++ 3 files changed, 12 insertions(+), 8 deletions(-) (limited to 'debian/changelog') diff --git a/auth-pam.c b/auth-pam.c index 701d85b64..ec3b74951 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -169,6 +169,7 @@ static int sshpam_cred_established = 0; static int sshpam_account_status = -1; static char **sshpam_env = NULL; static Authctxt *sshpam_authctxt = NULL; +static char badpw[] = "\b\n\r\177INCORRECT"; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - buffer_put_cstring(&buffer, *resp); + if (sshpam_authctxt->valid) + buffer_put_cstring(&buffer, *resp); + else + buffer_put_cstring(&buffer, badpw); if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { buffer_free(&buffer); return (-1); diff --git a/auth2-chall.c b/auth2-chall.c index aacbf0bcc..0f08b05c6 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -275,12 +275,9 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) } packet_check_eom(); - if (authctxt->valid) { - res = kbdintctxt->device->respond(kbdintctxt->ctxt, - nresp, response); - } else { - res = -1; - } + res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response); + if (!authctxt->valid) + res = 1; /* keep going if login invalid */ for (i = 0; i < nresp; i++) { memset(response[i], 'r', strlen(response[i])); @@ -292,7 +289,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) switch (res) { case 0: /* Success! */ - authenticated = 1; + authenticated = authctxt->valid ? 1 : 0; break; case 1: /* Authentication needs further interaction */ diff --git a/debian/changelog b/debian/changelog index 19840ae9b..81e80f639 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,9 @@ openssh (1:3.8.1p1-14) UNRELEASED; urgency=low * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). + * Fix timing information leak allowing discovery of invalid usernames in + PAM keyboard-interactive authentication (backported from a patch by + Darren Tucker; closes: #281595). -- Colin Watson Sun, 28 Nov 2004 17:52:23 +0000 -- cgit v1.2.3 
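Review bot: The new `badpw` string in the first auth-pam.c hunk has no comment, and its purpose only becomes clear from the `else` branch added to sshpam_respond() in the next hunk, where it replaces the client's response when `sshpam_authctxt->valid` is false. I would document it at the declaration, e.g. `/* Sent to PAM in place of the real response for invalid logins, so the exchange still runs; presumably chosen so it cannot match a real password. */`. A short comment beside the `if (sshpam_authctxt->valid)` test, saying that the substitution keeps invalid users on the same code path as valid ones, would help too. sshpam_respond() starts and ends outside its hunk.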
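Review bot: In the first auth2-chall.c hunk, `if (!authctxt->valid) res = 1;` overrides every return value of respond(), including -1, so for an invalid login a device error is reported as "needs further interaction" while the same error for a valid login presumably takes the failure path of the switch, which is outside the hunk. That is a behavioural difference between valid and invalid logins, which is what this change sets out to remove. If continuing after an error is not intended, limit the override to the success case with `if (!authctxt->valid && res == 0) res = 1;`, which still keeps an invalid login away from `authenticated = 1`. The following hunk's `authenticated = authctxt->valid ? 1 : 0;` guards case 0 a second time, so a comment marking that as a deliberate double check would help. input_userauth_info_response() starts and ends outside both hunks.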
From 0877f5ce7d5a4a6405eb0064a033859e1d679752 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 28 Nov 2004 18:05:12 +0000 Subject: Merge from HEAD: Make sure that there's a delay in PAM keyboard-interactive authentication when PermitRootLogin is not set to yes and the correct root password is entered (closes: #248747). --- auth-pam.c | 4 +++- debian/changelog | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/auth-pam.c b/auth-pam.c index ec3b74951..9be57dacd 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -645,7 +645,9 @@ sshpam_respond(void *ctx, u_int num, char **resp) return (-1); } buffer_init(&buffer); - if (sshpam_authctxt->valid) + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) buffer_put_cstring(&buffer, *resp); else buffer_put_cstring(&buffer, badpw); diff --git a/debian/changelog b/debian/changelog index 81e80f639..b7f9a027c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,9 @@ openssh (1:3.8.1p1-14) UNRELEASED; urgency=low * Fix timing information leak allowing discovery of invalid usernames in PAM keyboard-interactive authentication (backported from a patch by Darren Tucker; closes: #281595). + * Make sure that there's a delay in PAM keyboard-interactive + authentication when PermitRootLogin is not set to yes and the correct + root password is entered (closes: #248747). -- Colin Watson Sun, 28 Nov 2004 17:52:23 +0000 -- cgit v1.2.3 From 53d7864a0531a9ff7fc33863c5802ea16ef71c68 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 28 Nov 2004 18:19:28 +0000 Subject: Finish 1:3.8.1p1-14. --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index b7f9a027c..b48b3bd69 100644 --- a/debian/changelog +++ b/debian/changelog 
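Review bot: The extended condition in sshpam_respond() encodes a root-login policy with no comment: root's real response is forwarded only when `options.permit_root_login == PERMIT_YES`, and every other setting gets `badpw`. A comment such as `/* Root may only authenticate here if PermitRootLogin is yes; otherwise send badpw so a correct root password is delayed and rejected like a wrong one. */` would record why. It is also worth confirming that sending `badpw` for the remaining PermitRootLogin values matches what the rest of sshd allows for keyboard-interactive root logins, because that policy is decided outside this hunk. The test dereferences `sshpam_authctxt->pw`, which relies on `valid` implying a non-NULL `pw`. sshpam_respond() starts and ends outside the hunk.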
@@ -1,4 +1,4 @@ -openssh (1:3.8.1p1-14) UNRELEASED; urgency=low +openssh (1:3.8.1p1-14) experimental; urgency=low * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). * Fix timing information leak allowing discovery of invalid usernames in @@ -8,7 +8,7 @@ openssh (1:3.8.1p1-14) UNRELEASED; urgency=low authentication when PermitRootLogin is not set to yes and the correct root password is entered (closes: #248747). - -- Colin Watson Sun, 28 Nov 2004 17:52:23 +0000 + -- Colin Watson Sun, 28 Nov 2004 18:09:37 +0000 openssh (1:3.8.1p1-13) experimental; urgency=low -- cgit v1.2.3 From ebc4a8cca5c11a314af816af146fe70ed4c7598e Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 1 Dec 2004 16:26:40 +0000 Subject: Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones). --- debian/changelog | 6 ++++++ debian/rules | 5 ++--- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index b48b3bd69..573dc927c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openssh (1:3.8.1p1-15) UNRELEASED; urgency=low + + * Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones). + + -- Colin Watson Wed, 1 Dec 2004 16:23:23 +0000 + openssh (1:3.8.1p1-14) experimental; urgency=low * We use DH_COMPAT=2, so build-depend on debhelper (>= 2). diff --git a/debian/rules b/debian/rules index 351f47785..0d85abbf3 100755 --- a/debian/rules +++ b/debian/rules @@ -158,11 +158,10 @@ install: build install -m 755 build-udeb/ssh-keygen debian/openssh-server-udeb/usr/bin/ssh-keygen # Build architecture-independent files here. -binary-indep: build install - # nothing to do +binary-indep: binary-ssh # Build architecture-dependent files here. -binary-arch: binary-openssh-client binary-openssh-server binary-ssh +binary-arch: binary-openssh-client binary-openssh-server binary-arch: binary-ssh-askpass-gnome binary-arch: binary-openssh-client-udeb binary-openssh-server-udeb -- cgit v1.2.3