Bug#856816: unblock: openssh/1:7.4p1-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock openssh, which I've just uploaded. This fixes two RC
bugs, and nothing else.
diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm 2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm 2017-03-05 02:11:08.000000000 +0000
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
+e18d2ba71e6bf009c53e65509da84b712c300471
971a7653746a6972b907dfe0ce139c06e4a6f482
971a7653746a6972b907dfe0ce139c06e4a6f482
openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS
--- openssh-7.4p1/debian/NEWS 2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/NEWS 2017-03-05 02:12:42.000000000 +0000
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+ This version restores the default for AuthorizedKeysFile to search both
+ ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+ Debian configurations before 1:7.4p1-1. Upstream intends to phase out
+ searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+ you are only using ~/.ssh/authorized_keys, at least for critical
+ administrative access; do not assume that the current default will remain
+ in place forever.
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
+
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
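Review bot: The new 1:7.4p1-7 NEWS entry covers only the AuthorizedKeysFile default and is silent on the PermitRootLogin regression that the changelog for this same upload says was introduced in 1:7.4p1-1. Administrators who did a fresh installation of a version from 1:7.4p1-1 up to this fix get no prompt here to check their sshd_config for "PermitRootLogin yes", and nothing in this diff shows that an upgrade corrects a file that was already written that way. Consider adding a paragraph asking them to review that setting.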
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog 2017-01-16 15:11:10.000000000 +0000
+++ openssh-7.4p1/debian/changelog 2017-03-05 02:12:42.000000000 +0000
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+ * Don't set "PermitRootLogin yes" on fresh installations (regression
+ introduced in 1:7.4p1-1; closes: #852781).
+ * Restore reading authorized_keys2 by default. Upstream seems to intend
+ to gradually phase this out, so don't assume that this will remain the
+ default forever. However, we were late in adopting the upstream
+ sshd_config changes, so it makes sense to extend the grace period
+ (closes: #852320).
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
+
openssh (1:7.4p1-6) unstable; urgency=medium
* Remove temporary file on exit from postinst (closes: #850275).
diff -Nru openssh-7.4p1/debian/openssh-server.templates openssh-7.4p1/debian/openssh-server.templates
--- openssh-7.4p1/debian/openssh-server.templates 2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.templates 2017-03-05 02:11:08.000000000 +0000
@@ -1,6 +1,6 @@
Template: openssh-server/permit-root-login
Type: boolean
-Default: false
+Default: true
_Description: Disable SSH password authentication for root?
Previous versions of openssh-server permitted logging in as root over SSH
using password authentication. The default for new installations is now
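Review bot: On the changed Default line, the template is named openssh-server/permit-root-login but its description asks "Disable SSH password authentication for root?", so "true" means root password login is disabled, the opposite of what the template name suggests. This is the only change in the diff that matches the changelog's "PermitRootLogin yes" entry, so the inverted sense is easy to get wrong again. A short packaging comment stating what true and false mean here, or a test that a fresh installation does not end up with "PermitRootLogin yes", would guard against the default being flipped back.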
diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch openssh-7.4p1/debian/patches/restore-authorized_keys2.patch
--- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 2017-03-05 02:11:09.000000000 +0000
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 5 Mar 2017 02:02:11 +0000
+Subject: Restore reading authorized_keys2 by default
+
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever. However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+
+Patch-Name: restore-authorized_keys2.patch
+---
+ sshd_config | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -36,9 +36,8 @@
+
+ #PubkeyAuthentication yes
+
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile .ssh/authorized_keys
++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+ #AuthorizedPrincipalsFile none
+
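Review bot: In the sshd_config hunk, the replacement comment "Expect .ssh/authorized_keys2 to be disregarded by default in future." drops the removed comment's statement that both files are checked by default and gives no hint of how to opt out now. Because the AuthorizedKeysFile line is left commented out, sshd uses its built-in default and will accept keys from .ssh/authorized_keys2, a file that administrators may not be auditing. Suggest keeping a sentence saying that both files are currently read, and that uncommenting the line with only .ssh/authorized_keys restricts lookups to that one file, which matches the advice in the NEWS entry.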
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.000000000 +0000
@@ -29,3 +29,4 @@
regress-mktemp.patch
sandbox-x32-workaround.patch
no-dsa-host-key-by-default.patch
+restore-authorized_keys2.patch
unblock openssh/1:7.4p1-7
Thanks,
--
Colin Watson [cjwatson@debian.org]