
Bug#856816: unblock: openssh/1:7.4p1-7



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock openssh, which I've just uploaded.  This fixes two RC
bugs, and nothing else.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm	2017-03-05 02:11:08.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
+e18d2ba71e6bf009c53e65509da84b712c300471
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS
--- openssh-7.4p1/debian/NEWS	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/NEWS	2017-03-05 02:12:42.000000000 +0000
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+  This version restores the default for AuthorizedKeysFile to search both
+  ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+  Debian configurations before 1:7.4p1-1.  Upstream intends to phase out
+  searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+  you are only using ~/.ssh/authorized_keys, at least for critical
+  administrative access; do not assume that the current default will remain
+  in place forever.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 05 Mar 2017 02:12:42 +0000
+
 openssh (1:7.4p1-1) unstable; urgency=medium
 
   OpenSSH 7.4 includes a number of changes that may affect existing
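
Review bot: the new 1:7.4p1-7 NEWS entry tells admins to "ensure that you are only using ~/.ssh/authorized_keys" but gives no way to opt out of the restored default today. Suggest adding a sentence saying that an explicit "AuthorizedKeysFile .ssh/authorized_keys" line in sshd_config keeps the single-file behaviour. Anyone who reviews only authorized_keys for critical administrative access will otherwise miss keys that are accepted from authorized_keys2.
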
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2017-01-16 15:11:10.000000000 +0000
+++ openssh-7.4p1/debian/changelog	2017-03-05 02:12:42.000000000 +0000
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+  * Don't set "PermitRootLogin yes" on fresh installations (regression
+    introduced in 1:7.4p1-1; closes: #852781).
+  * Restore reading authorized_keys2 by default.  Upstream seems to intend
+    to gradually phase this out, so don't assume that this will remain the
+    default forever.  However, we were late in adopting the upstream
+    sshd_config changes, so it makes sense to extend the grace period
+    (closes: #852320).
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 05 Mar 2017 02:12:42 +0000
+
 openssh (1:7.4p1-6) unstable; urgency=medium
 
   * Remove temporary file on exit from postinst (closes: #850275).
diff -Nru openssh-7.4p1/debian/openssh-server.templates openssh-7.4p1/debian/openssh-server.templates
--- openssh-7.4p1/debian/openssh-server.templates	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.templates	2017-03-05 02:11:08.000000000 +0000
@@ -1,6 +1,6 @@
 Template: openssh-server/permit-root-login
 Type: boolean
-Default: false
+Default: true
 _Description: Disable SSH password authentication for root?
  Previous versions of openssh-server permitted logging in as root over SSH
  using password authentication. The default for new installations is now
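
Review bot: the flipped "Default: true" is easy to misread because the template is named openssh-server/permit-root-login while its question is "Disable SSH password authentication for root?", so true here means the restrictive choice. The diff does not include the maintainer script that consumes this answer, so these lines alone do not show that a fresh installation now avoids "PermitRootLogin yes". Please reference that code path in the request, or state in the changelog entry that the debconf default was the cause of the regression.
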
diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch openssh-7.4p1/debian/patches/restore-authorized_keys2.patch
--- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch	2017-03-05 02:11:09.000000000 +0000
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 5 Mar 2017 02:02:11 +0000
+Subject: Restore reading authorized_keys2 by default
+
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever.  However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+
+Patch-Name: restore-authorized_keys2.patch
+---
+ sshd_config | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -36,9 +36,8 @@
+ 
+ #PubkeyAuthentication yes
+ 
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile	.ssh/authorized_keys
++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
++#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+ 
+ #AuthorizedPrincipalsFile none
+ 
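
Review bot: in the sshd_config hunk, the replacement comment "Expect .ssh/authorized_keys2 to be disregarded by default in future." drops the old statement that both files are checked, so the shipped file no longer says that authorized_keys2 is honoured right now. Suggest a comment that states both paths are currently searched and that setting AuthorizedKeysFile to .ssh/authorized_keys alone restricts it, since the directive is now commented out and an admin reading the file has only that comment to go on.
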
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/patches/series	2017-03-05 02:11:08.000000000 +0000
@@ -29,3 +29,4 @@
 regress-mktemp.patch
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
+restore-authorized_keys2.patch

unblock openssh/1:7.4p1-7

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

