From 0bb3622af79c6402a15e88ce1290cbc776392403 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 1 Sep 2003 18:21:02 +0000
Subject: Debian release 3.5p1-3.
---
 debian/README.Debian | 33 ++++++++
 debian/changelog | 26 ++++++
 debian/config | 15 ++--
 debian/control | 1 +
 debian/postinst | 14 +---
 debian/rules | 16 ++--
 debian/ssh-argv0 | 30 +++++++
 debian/ssh-argv0.1 | 64 +++++++++++++++
 debian/ssh-askpass-gnome.dirs | 3 +-
 debian/templates | 12 +++
 debian/templates.da | 178 ++++++++++++++++++++++++++++++++----------
 11 files changed, 324 insertions(+), 68 deletions(-)
 create mode 100644 debian/ssh-argv0
 create mode 100644 debian/ssh-argv0.1
(limited to 'debian')
diff --git a/debian/README.Debian b/debian/README.Debian
index 614dd08f6..13d005ac0 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -171,6 +171,39 @@ ssh is compiled without support for kerberos authentication, and there are no current plans to support this. Thus the KerberosAuthentication and KerberosTgtPassing options will not be recognised. +Setgid ssh-agent and environment variables: +------------------------------------------- +ssh-agent is installed setgid as of version 1:3.5p1-1 to prevent ptrace() +attacks retrieving private key material. This has the side-effect of causing +glibc to remove certain environment variables which might have security +implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and +TMPDIR. + +If you need to set any of these environment variables, you will need to do +so in the program exec()ed by ssh-agent. This may involve creating a small +wrapper script. + +Symlink Hostname invocation: +---------------------------- +This version of ssh no longer includes support for invoking ssh with the +hostname as the name of the file run. People wanting this support should +use the ssh-argv0 script. + +Interoperability between scp and the ssh.com SSH server: +-------------------------------------------------------- +In version 2 and greater of the commercial SSH server produced by SSH +Communications Security, scp was changed to use SFTP (SSH2's file transfer +protocol) instead of the traditional rcp-over-ssh, thereby breaking +compatibility. The OpenSSH developers regard this as a bug in the ssh.com +server, and do not currently intend to change OpenSSH's scp to match. + +Workarounds for this problem are to install scp1 on the server (scp2 will +fall back to it), to use sftp, or to use some other transfer mechanism such +as rsync-over-ssh or tar-over-ssh. + -- Matthew Vernon +and +Colin Watson + diff --git a/debian/changelog b/debian/changelog index 7f7fc33eb..7fb8079be 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,29 @@
+openssh (1:3.5p1-3) unstable; urgency=low
+
+ * Happy new year!
+ * Use getent rather than id to find out whether the sshd user exists
+ (closes: #150974).
+ * Remove some duplication from the postinst's ssh-keysign setuid code.
+ * Replace db_text with db_input throughout debian/config. (db_text has
+ been a compatibility wrapper since debconf 0.1.5.)
+ * Warn about PermitUserEnvironment on upgrade (closes: #167895).
+ * Use 'make install-nokeys', and disable unused debhelper commands,
+ thereby forward-porting the last pieces of Zack Weinberg's patch
+ (closes: #68341).
+ * Move the man page for gnome-ssh-askpass from the ssh package to
+ ssh-askpass-gnome (closes: #174449).
+ * Build with -DLOGIN_NO_ENDOPT, since Debian's /bin/login doesn't accept
+ '--' to terminate the list of options (closes: #171554).
+ * Add Jonathan Amery's ssh-argv0 script (closes: #111341).
+ * Update Danish debconf template (thanks, Morten Brix Pedersen;
+ closes: #174757).
+ * Document setgid ssh-agent's effect on certain environment variables in
+ README.Debian (closes: #167974).
+ * Document interoperability problems between scp and ssh.com's server in
+ README.Debian, and suggest some workarounds (closes: #174662).
+
+ -- Colin Watson Wed, 1 Jan 2003 14:18:30 +0000
+
 openssh (1:3.5p1-2) unstable; urgency=low
 
 * Mention in the ssh package description that it provides both ssh and
diff --git a/debian/config b/debian/config
index 0a5f42b2e..b794276fa 100644
--- a/debian/config
+++ b/debian/config
@@ -14,7 +14,7 @@ db_version 2.0
 
 if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
 then
- db_text medium ssh/ssh2_keys_merged
+ db_input medium ssh/ssh2_keys_merged
 fi
 
 if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
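Review bot: `db_input medium ssh/ssh2_keys_merged` is the only db_input call in debian/config without a trailing `|| true`; every call in the following hunks has one. db_input exits non-zero when the question is not going to be shown (for example because its priority is below the frontend's threshold), so if this script runs under `set -e` — its preamble is outside this hunk and I cannot confirm it — the upgrade-from-pre-3.0 path would abort before `db_go`. Suggest `db_input medium ssh/ssh2_keys_merged || true` to match the rest of the file.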
@@ -43,11 +43,11 @@ then
 if [ "$RET" = "true" ]; then
 db_input medium ssh/protocol2_only ||true
 db_input high ssh/privsep_ask ||true
- else db_text high ssh/privsep_tell ||true
+ else db_input high ssh/privsep_tell ||true
 fi
- else db_text high ssh/privsep_tell ||true
+ else db_input high ssh/privsep_tell ||true
 fi
-else db_text high ssh/privsep_tell ||true
+else db_input high ssh/privsep_tell ||true
 fi
 
 db_input medium ssh/SUID_client || true
@@ -80,7 +80,12 @@ then
 fi
-db_text low ssh/forward_warning || true
+db_input low ssh/forward_warning || true
+
+if dpkg --compare-versions "$version" lt-nl 1:3.5p1-3; then
+ db_input high ssh/user_environment_tell || true
+fi
+
 db_go
 exit 0
diff --git a/debian/control b/debian/control
index cb25d58ba..d10c59857 100644
--- a/debian/control
+++ b/debian/control
@@ -37,6 +37,7 @@ Section: x11
 Priority: optional
 Architecture: any
 Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4) | ssh-krb5
+Replaces: ssh (<< 1:3.5p1-3)
 Provides: ssh-askpass
 Description: under X, asks user for a passphrase for ssh-add
 This has been split out of the main ssh package, so that the ssh will
diff --git a/debian/postinst b/debian/postinst
index 41221b9d6..bd9ebd3aa 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -241,7 +241,7 @@ create_alternatives() {
 }
 
 setup_sshd_user() {
- if ! id sshd > /dev/null 2>&1 ; then
+ if ! getent passwd | grep -q '^sshd:'; then
 adduser --quiet --system --no-create-home --home /var/run/sshd sshd
 fi
 }
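Review bot: The new `lt-nl` comparison in the ssh/user_environment_tell hunk relies on dpkg treating an empty `$version` as newer than anything, so a fresh install skips the note; the ssh/ssh2_keys_merged check earlier in this file spells the same guard as `[ -n "$version" ] && dpkg --compare-versions "$version" lt ...`, and using one form throughout would make the upgrade-only intent easier to audit. The block also has no comment saying what the note is for, which matters because the threshold is tied to a security default change that a later maintainer may want to retire; suggest one line above the `if`: `# 1:3.5p1-3 turned PermitUserEnvironment off; tell admins upgrading from earlier versions that environment= options in authorized_keys stop working.`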
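Review bot: `getent passwd | grep -q '^sshd:'` enumerates the whole passwd database to find a single user; `getent passwd sshd` performs one NSS lookup instead, which is cheaper and does not depend on the configured NSS backends supporting full enumeration (where enumeration is unavailable or truncated, the piped form may wrongly conclude the user is missing and re-run adduser). Suggested replacement for the new line in setup_sshd_user: `if ! getent passwd sshd >/dev/null 2>&1; then`. The whole function is inside this hunk, so no other lines need to change.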
@@ -261,21 +261,13 @@ set_sshd_permissions() {
 db_get ssh/SUID_client
 suid="$RET"
 }
- if [ -x /usr/sbin/dpkg-statoverride ] ; then
- if ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
- if [ "$suid" = "false" ] ; then
- chmod 0755 /usr/lib/ssh-keysign
- elif [ "$suid" = "true" ] ; then
- chmod 4755 /usr/lib/ssh-keysign
- fi
- fi
- else
+ if [ ! -x /usr/sbin/dpkg-statoverride ] || \
+ ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
 if [ "$suid" = "false" ] ; then
 chmod 0755 /usr/lib/ssh-keysign
 elif [ "$suid" = "true" ] ; then
 chmod 4755 /usr/lib/ssh-keysign
 fi
- fi
 }
diff --git a/debian/rules b/debian/rules
index fb60b2270..42ecea8ef 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,7 +21,7 @@ build-stamp:
 fi
 ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-ipv4-default \
 --with-privsep-path=/var/run/sshd --without-rand-helper
- $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
+ $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
 SSH_KEYSIGN='/usr/lib/ssh-keysign'
 $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'
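Review bot: The merged condition in set_sshd_permissions carries no comment explaining why a registered dpkg-statoverride suppresses the chmod, and that rule is the security-relevant part of the function: it is what lets a local decision about /usr/lib/ssh-keysign's mode win over the debconf answer, so an admin who deliberately cleared the setuid bit does not get 4755 re-applied on every upgrade. Suggest a comment above the `if`: `# A dpkg-statoverride entry for ssh-keysign records a local decision about its mode and takes precedence over the debconf answer; apply the answer only when no override is registered (or the tool is absent).` It is also worth a word in the same comment that when `$suid` is neither "true" nor "false" (db_get failed or RET is empty) neither branch runs and the mode dpkg unpacked is kept. set_sshd_permissions begins before this hunk.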
@@ -45,25 +45,25 @@ install: build
 dh_installdirs
 # Add here commands to install the package into debian/tmp.
- $(MAKE) DESTDIR=`pwd`/debian/tmp install
+ $(MAKE) DESTDIR=`pwd`/debian/tmp install-nokeys
- rm -f debian/tmp/etc/ssh/ssh_host_*key*
 rm -f debian/tmp/etc/ssh/sshd_config
 #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
 rm -f debian/tmp/usr/share/Ssh.bin
 install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
 install -m 644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
- install -m 644 debian/gnome-ssh-askpass.1 debian/tmp/usr/share/man/man1/gnome-ssh-askpass.1
 install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
+ install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1
+
+ install -m 755 debian/ssh-argv0 debian/tmp/usr/bin/ssh-argv0
+ install -m 644 debian/ssh-argv0.1 debian/tmp/usr/share/man/man1/ssh-argv0.1
 install -o root -g root debian/init debian/tmp/etc/init.d/ssh
 install -o root -g root -m 755 -d debian/tmp/var/run/sshd
- dh_movefiles
-
 # Build architecture-independent files here.
 binary-indep: build install
 # nothing to do
@@ -75,16 +75,12 @@ binary-arch: build install
 dh_installdebconf
 dh_installdocs OVERVIEW README
 cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright
- dh_installexamples
- dh_installmenu
 nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
 gzip -9 debian/tmp/usr/share/doc/ssh/RFC
 rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
 dh_installpam
- dh_installcron
 dh_installchangelogs ChangeLog
 dh_strip
- dh_link
 dh_compress
 dh_fixperms
 dh_installdeb
diff --git a/debian/ssh-argv0 b/debian/ssh-argv0
new file mode 100644
index 000000000..67599aec2
--- /dev/null
+++ b/debian/ssh-argv0
@@ -0,0 +1,30 @@
+#! /bin/sh -e
+
+# Copyright (c) 2001 Jonathan Amery.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+if [ "${0##*/}" = "ssh-argv0" ]
+then
+ echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2
+ exit 1
+fi
+exec ssh "${0##*/}" "$@"
diff --git a/debian/ssh-argv0.1 b/debian/ssh-argv0.1
new file mode 100644
index 000000000..a36a63d40
--- /dev/null
+++ b/debian/ssh-argv0.1
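Review bot: The script never states the mechanism it depends on — that it is meant to be reached through a symlink and takes the remote host from the link's basename via `${0##*/}` — so a reader of the file sees only licence text, an error message and one exec line. Suggest a comment before the `if`: `# Invoked through a symlink named after a host (or user@host): the directory part of $0 is stripped and the remainder is passed to ssh as the host argument; all other arguments go through unchanged.` The self-check only rejects the name `ssh-argv0` itself; a link whose name begins with `-` would presumably be parsed by ssh as an option rather than a host, which is worth a sentence in that comment so nobody creates such a link expecting it to work.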
@@ -0,0 +1,64 @@
+.Dd September 7, 2001
+.Dt SSH-ARGV0 1
+.Os Debian Project
+.Sh NAME
+.Nm ssh-argv0
+.Nd replaces the old ssh command-name as hostname handling
+.Sh SYNOPSIS
+.Ar hostname | user@hostname
+.Op Fl l Ar login_name
+.Op Ar command
+.Pp
+.Ar hostname | user@hostname
+.Op Fl afgknqstvxACNTX1246
+.Op Fl b Ar bind_address
+.Op Fl c Ar cipher_spec
+.Op Fl e Ar escape_char
+.Op Fl i Ar identity_file
+.Op Fl l Ar login_name
+.Op Fl m Ar mac_spec
+.Op Fl o Ar option
+.Op Fl p Ar port
+.Op Fl F Ar configfile
+.Oo Fl L Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Oo Fl R Xo
+.Sm off
+.Ar port :
+.Ar host :
+.Ar hostport
+.Sm on
+.Xc
+.Oc
+.Op Fl D Ar port
+.Op Ar command
+.Sh DESCRIPTION
+.Nm
+replaces the old ssh command-name as hostname handling.
+If you link to this script with a hostname then executing the link is
+equivalent to having executed ssh with that hostname as an argument.
+All other arguments are passed to ssh and will be processed normally.
+.Sh OPTIONS
+See
+.Xr ssh 1 .
+.Sh FILES
+See
+.Xr ssh 1 .
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Jonathan Amery wrote this ssh-argv0 script and the associated documentation.
+.Sh SEE ALSO
+.Xr ssh 1
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs
index 6c255ea63..4d0ee7a32 100644
--- a/debian/ssh-askpass-gnome.dirs
+++ b/debian/ssh-askpass-gnome.dirs
@@ -1 +1,2 @@
-usr/lib/ssh/
+usr/lib/ssh
+usr/share/man/man1
diff --git a/debian/templates b/debian/templates
index b56f8a5ec..ea8565d29 100644
--- a/debian/templates
+++ b/debian/templates
@@ -149,3 +149,15 @@ Description: Do you want to run the sshd server ? If you are only interested in using the ssh client for outbound connections on this machine, and don't want to log into it at all using ssh, then you can disable sshd here. + +Template: ssh/user_environment_tell +Type: note +Description: Environment options on keys have been deprecated + This version of OpenSSH disables the environment option for public keys by + default, in order to avoid certain attacks (for example, LD_PRELOAD). If + you are using this option in an authorized_keys file, beware that the keys + in question will no longer work until the option is removed. + . + To re-enable this option, set "PermitUserEnvironment yes" in + /etc/ssh/sshd_config after the upgrade is complete, taking note of the + warning in the sshd_config(5) manual page. diff --git a/debian/templates.da b/debian/templates.da index c17c60039..b8fc9be18 100644 --- a/debian/templates.da +++ b/debian/templates.da 
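Review bot: The new template's title says environment options "have been deprecated", while its body describes an option that is merely disabled by default and can be switched back on with `PermitUserEnvironment yes`; "deprecated" implies the feature is going away, which is not what the text below says, and admins who read only the title will take away the wrong message. Suggest `Description: Environment options on keys are now disabled by default`. Since the body ties the default to avoiding LD_PRELOAD-style attacks, the second paragraph could also say outright that re-enabling the option restores that exposure for every key carrying an environment= option, rather than only pointing at the sshd_config(5) warning.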
@@ -1,3 +1,99 @@ +Template: ssh/privsep_tell +Type: note +Description: Privilege separation + This version of OpenSSH contains the new privilege separation option. This + significantly reduces the quantity of code that runs as root, and + therefore reduces the impact of security holes in sshd. + . + Unfortunately, privilege separation interacts badly with PAM. Any PAM + session modules that need to run as root (pam_mkhomedir, for example) will + fail, and PAM keyboard-interactive authentication won't work. + . + Privilege separation is turned on by default, so if you decide you want it + turned off, you need to add "UsePrivilegeSeparation no" to + /etc/ssh/sshd_config. + . + NB! If you are running a 2.0 series Linux kernel, then privilege + separation will not work at all, and your sshd will fail to start unless + you explicitly turn privilege separation off. +Description-da: Privilegie adskillelse + Denne version af OpenSSH indeholder den nye privilegie adskillelses + mulighed. Det reducerer markant mængden af kode der kører som root, og + derfor reducerer det impakten på sikkerheds huller i sshd. + . + Desværre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul + der skal køres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM + tastatur-interaktive autentifikationer vil ikke virke. + . + Privilegie adskillelse er slået til som standard, så hvis du beslutter at + slå det fra, skal du bruge "UsePrivilegeSeparation no" i + /etc/ssh/sshd_config. + +Template: ssh/privsep_ask +Type: boolean +Default: true +Description: Enable Privilege separation + This version of OpenSSH contains the new privilege separation option. This + significantly reduces the quantity of code that runs as root, and + therefore reduces the impact of security holes in sshd. + . + Unfortunately, privilege separation interacts badly with PAM. 
Any PAM + session modules that need to run as root (pam_mkhomedir, for example) will + fail, and PAM keyboard-interactive authentication won't work. + . + Since you've opted to have me generate an sshd_config file for you, you + can choose whether or not to have Privilege Separation turned on or not. + Unless you are running 2.0 (in which case you *must* say no here or your + sshd won't start at all) or know you need to use PAM features that won't + work with this option, you should say yes here. +Description-da: Aktiver Privilegie adskillelse + Denne version af OpenSSH indeholder den nye privilegie adskillelses + mulighed. Det reducerer markant mængden af kode der kører som root, og + derfor reducerer det impakten på sikkerheds huller i sshd. + . + Desværre, arbejder det ikke godt sammen med PAM. Ethvert PAM session modul + der skal køres som root (pam_mkhomedir, f.eks.) vil fejle, og PAM + tastatur-interaktive autentifikationer vil ikke virke. + . + Siden du har bedt mig om at lave en sshd_config fil til dig, kan du vælge + om du vil have privilegie adskillelse slået til eller ej. Medmindre du + kører 2.0 (i hvilket tilfælde du *skal* sige nej her, ellers vil din sshd + slet ikke starte) eller ved at du skal bruge PAM funktioner som ikke vil + virke med dette tilvalg, skal du sige ja her. + +Template: ssh/new_config +Type: boolean +Default: true +Description: Generate new configuration file + This version of OpenSSH has a considerably changed configuration file from + the version shipped in Debian 'Potato', which you appear to be upgrading + from. I can now generate you a new configuration file + (/etc/ssh/sshd.config), which will work with the new server version, but + will not contain any customisations you made with the old version. + . + Please note that this new configuration file will set the value of + 'PermitRootLogin' to yes (meaning that anyone knowing the root password + can ssh directly in as root). 
It is the opinion of the maintainer that + this is the correct default (see README.Debian for more details), but you + can always edit sshd_config and set it to no if you wish. + . + It is strongly recommended that you let me generate a new configuration + file for you. +Description-da: Opret ny konfigurations fil + Denne version af OpenSSH har en betydeligt ændret konfigurations fil fra + den version der kom med Debian 'Potato', som du ser ud til at opgradere fra. + Jeg kan nu oprette en ny konfigurations fil (//etc/ssh/sshd.config), som + vil virke med den nye server version, men det vil ikke beholde eventuelle + ændringer du lavede med den gamle version. + . + Venligst bemærk at den nye konfigurations fil vil sætte værdien af + 'PermitRootLogin' til ja (som betyder at alle der kender roots password, + kan tilgå maskinen via ssh direkte). Det er vedligeholderens mening, at det + er den korrekte standard-værdi (se README.Debian for flere detaljer), men + du kan altid redigere sshd_config og slå det fra, hvis du ønsker. + . + Du rådes stærkt til at lade mig genere en ny konfigurations fil for dig. + Template: ssh/protocol2_only Type: boolean Default: true 
@@ -5,19 +101,30 @@ Description: Allow SSH protocol 2 only This version of OpenSSH supports version 2 of the ssh protocol, which is much more secure. Disabling ssh 1 is encouraged, however this will slow things down on low end machines and might prevent older clients from - connecting. + connecting (the ssh client shipped with "potato" is affected). . Also please note that keys used for protocol 1 are different so you will not be able to use them if you only allow protocol 2 connections. + . + If you later change your mind about this setting, README.Debian has + instructions on what to do to your sshd_config file. Description-da: Tillad kun SSH protokol 2 Denne udgave af OpenSSH understøtter version 2 af ssh-protokollen, som er betydeligt mere sikker. Det anbefales af deaktivere version 1. Dog kan det - sløve langsomme maskiner, og forhindre ældre klienter i at opnå forbindelse. + sløve langsomme maskiner, og forhindre ældre klienter i at opnå + forbindelse (ssh klienten der kommer med "potato" er en af dem). + . + Du skal også bemærke at de nøgler som bliver anvendt til protokol 1 er + forskellige, så du vil ikke ævre i stand til at bruge dem, hvis du kun + tillader protokol 2 forbindelser. + . + Hvis du senere ændrer din mening om denne indstilling, har README.Debian + instruktioner på hvad du skal gøre ved din sshd_config fil. Template: ssh/ssh2_keys_merged Type: note Description: ssh2 keys merged in configuration files - As of version 3 OpenSSH no longer uses seperate files for ssh1 and ssh2 + As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2 keys. This means the authorized_keys2 and known_hosts2 files are no longer needed. They will still be read in order to maintain backwards compatibility 
@@ -38,14 +145,13 @@ Description: Do you want to continue (and risk killing active ssh sessions) ? You can fix this by adding "--pidfile /var/run/sshd.pid" to the start-stop-daemon line in the stop section of the file. Description-da: Vil du fortsætte (og risikere at afbryde aktive ssh-forbindelser)? - Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis afbryde - alle sshd-dæmoner. Det vil være en rigtigt dårlig idé, hvis du er ved at - opgradering via en ssh-forbindelse. + Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis + afbryde alle sshd-dæmoner. Det vil være en rigtigt dårlig idé, hvis du er + ved at opgradering via en ssh-forbindelse. . Du kan afhjælpe dette ved at tilføje "--pidfile /var/run/sshd.pid" til 'start-stop-daemon'-linjen i stop-afsnittet af filen. - Template: ssh/forward_warning Type: note Description: NOTE: Forwarding of X11 and Authorization disabled by default. @@ -57,8 +163,8 @@ Description: NOTE: Forwarding of X11 and Authorization disabled by default. . More details can be found in /usr/share/doc/ssh/README.Debian Description-da: BEMÆRK: Videregivelse af X11 og adgangkontrol er som standard deaktiveret. - Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og ForwardAgent - til 'off' som standard. + Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og + ForwardAgent til 'off' som standard. . Du kan aktivere dem for servere, du stoler på i en af opsætningsfilerne eller med kommandolinjetilvalget '-X'. 
@@ -82,10 +188,11 @@ Description: Warning: telnetd is installed --- probably not a good idea least some chance that telnet sessions will not be sending unencrypted login/password and session information over the network. Description-da: Advarsel: telnetd er installeret --- sikkert ikke en god idé - Jeg vil råde dig til enten at fjerne pakken telnetd (hvis du i virkeligheden - ikke har brug for at tilbyde telnet-adgang) eller installere telnetd-ssl, så - der i det mindste er en mulighed for, at telnet-sessioner ikke sender - adgangskoder og sessions-oplysninger ukrypteret over netværket. + Jeg vil råde dig til enten at fjerne pakken telnetd (hvis du i + virkeligheden ikke har brug for at tilbyde telnet-adgang) eller installere + telnetd-ssl, så der i det mindste er en mulighed for, at telnet-sessioner + ikke sender adgangskoder og sessions-oplysninger ukrypteret over + netværket. Template: ssh/encrypted_host_key_but_no_keygen Type: note 
@@ -102,37 +209,26 @@ Description-da: Advarsel: du skal oprette en ny v Template: ssh/SUID_client Type: boolean -Default: false -Description: Do you want /usr/bin/ssh to be installed SUID root? - You have the option of installing the ssh client with the SUID bit set. - . - If you make ssh SUID, you will be able to use Rhosts/RhostsRSA - authentication, but will not be able to use socks via the LD_PRELOAD - trick. This is the traditional approach. +Default: true +Description: Do you want /usr/lib/ssh-keysign to be installed SUID root? + You have the option of installing the ssh-keysign helper with the SUID bit + set. . - If you do not make ssh SUID, you will be able to use socks, but - Rhosts/RhostsRSA authentication will stop working, which may stop you - logging in to remote systems. It will also mean that the source port will - be above 1024, which may confound firewall rules you've set up. + If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2 + host-based authentication. . If in doubt, I suggest you install it with SUID. If it causes problems - you can change your mind later by running: dpkg-reconfigure ssh -Description-da: Vil du have, at /usr/bin/ssh bliver installeret 'SUID root'? - Du har mulighed for at installere ssh-klienten med SUID-flaget sat. - . - Hvis du gør ssh SUID, vil du kunne bruge adgangskontrollen - Rhosts/RhostsRSA, men vil ikke kunne bruge socks med LD_PRELOAD-tricket. - Det vil være den almindelige fremgangsmåde. - . - Hvis du ikke gør ssh SUID, vil du kunne bruge socks, men adgangskontrol - med Rhosts/RhostRSA vil holde op med at virke, hvilket kan forhindre dig - i at logge ind på fjerne systemer. Det vil også betyde, at kildeporten - vil ligge over 1024, hvilket kan kollidere med eventuelle brandmure, du - har sat op. - . - Hvis du er i tvivl, foreslår jeg, at du installerer den med SUID. Hvis det - giver problemer, kan du senere ombestemme dig ved at køre: - 'dpkg-reconfigure ssh'. 
+ you can change your mind later by running: dpkg-reconfigure ssh +Description-da: Vil du have, at /usr/bin/ssh-keysign bliver installeret 'SUID root'? + Du har mulighed for at installere ssh-keysign hjælperen med SUID-flaget + sat. + . + Hvis du gør ssh-keysign SUID, vil du blive i stand til at benytte SSH + protokol 2's værtsnavn-baserede autentifikation. + . + Hvis du er i tvivl, vil jeg råde dig til at installere den med SUID. Hvis + det skaber problemer, kan du ændre det tilbage igen ved at køre: + dpkg-reconfigure ssh Template: ssh/run_sshd Type: boolean -- cgit v1.2.3