
Bug#778675: marked as done (openssh-server: conf.d directory for configuration snippets (similar to nginx or apache))



Your message dated Mon, 24 Feb 2020 00:35:31 +0000
with message-id <E1j61id-0005sJ-0H@fasolo.debian.org>
and subject line Bug#631189: fixed in openssh 1:8.2p1-3
has caused the Debian Bug report #631189,
regarding openssh-server: conf.d directory for configuration snippets (similar to nginx or apache)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
631189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631189
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.6p1-2ubuntu2
Severity: wishlist
Tags: upstream

Dear Maintainer,
 It would be nice if openssh-server had a config directory in the same vein as /etc/nginx/conf.d. 
This would allow third party packages to add config blobs without mangling /etc/ssh/sshd_config.
As an example, I would like to add support for sftp-internal iff a specific package is installed
(For sftp only access to a chrooted path). If there was a conf.d directory, the deb package could
have dropped the relevant config block and SIGHUP'd sshd. With the current setup, I'll probably be 
forced to use debian overrides to replace the existing /etc/ssh/sshd_config.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13.0-30-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3ubuntu3
ii  debconf [debconf-2.0]  1.5.51ubuntu2
ii  dpkg                   1.17.5ubuntu5.3
ii  init-system-helpers    1.14
ii  libc6                  2.19-0ubuntu6.3
ii  libck-connector0       0.4.5-3.1ubuntu2
ii  libcomerr2             1.42.9-3ubuntu1
ii  libdbus-1-3            1.6.18-0ubuntu4.1
ii  libgssapi-krb5-2       1.12+dfsg-2ubuntu4.2
ii  libkrb5-3              1.12+dfsg-2ubuntu4.2
ii  libpam-modules         1.1.8-1ubuntu2
ii  libpam-runtime         1.1.8-1ubuntu2
ii  libpam0g               1.1.8-1ubuntu2
ii  libselinux1            2.2.2-1ubuntu0.1
ii  libssl1.0.0            1.0.1f-1ubuntu2.5
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian11ubuntu6
ii  openssh-client         1:6.6p1-2ubuntu2
ii  openssh-sftp-server    1:6.6p1-2ubuntu2
ii  procps                 1:3.3.9-1ubuntu2
ii  sysv-rc                2.88dsf-41ubuntu6
ii  zlib1g                 1:1.2.8.dfsg-1ubuntu1

Versions of packages openssh-server recommends:
ii  ncurses-term   5.9+20140118-1ubuntu1
ii  ssh-import-id  3.21-0ubuntu1
ii  xauth          1:1.0.7-1ubuntu1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
ii  ufw           0.34~rc-0ubuntu2

-- debconf information:
  openssh-server/permit-root-login: false

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:8.2p1-3
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631189@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 23 Feb 2020 13:30:01 +0000
Source: openssh
Architecture: source
Version: 1:8.2p1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 275458 631189 845315 951220 951582 951640
Changes:
 openssh (1:8.2p1-3) unstable; urgency=medium
 .
   * Reupload with -sa to work around confusion with 1:8.2p1-1 being in NEW.
 .
 openssh (1:8.2p1-2) unstable; urgency=medium
 .
   * Move ssh-sk-helper into openssh-client rather than shipping it in a
     separate package.  The extra library dependencies are pretty small, so
     it doesn't seem worth bloating the Packages file.  Suggested by Bastian
     Blank.
 .
 openssh (1:8.2p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.2, closes:
     #951582):
     - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
       (RSA/SHA1) algorithm from those accepted for certificate signatures
       (i.e. the client and server CASignatureAlgorithms option) and will use
       the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
       CA signs new certificates.
     - ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
       key exchange proposal for both the client and server.
     - ssh-keygen(1): The command-line options related to the generation and
       screening of safe prime numbers used by the
       diffie-hellman-group-exchange-* key exchange algorithms have changed.
       Most options have been folded under the -O flag.
     - sshd(8): The sshd listener process title visible to ps(1) has changed
       to include information about the number of connections that are
       currently attempting authentication and the limits configured by
       MaxStartups.
     - Add support for FIDO/U2F hardware authenticators.
     - ssh-keygen(1): Add a "no-touch-required" option when generating
       FIDO-hosted keys, that disables their default behaviour of requiring a
       physical touch/tap on the token during authentication.  Note: not all
       tokens support disabling the touch requirement.
     - sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects
       miscellaneous public key authentication-related options for sshd(8).
       At present it supports only a single option "no-touch-required".  This
       causes sshd to skip its default check for FIDO/U2F keys that the
       signature was authorised by a touch or press event on the token
       hardware.
     - ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for
       authorized_keys and a similar extension for certificates.  This option
       disables the default requirement that FIDO key signatures attest that
       the user touched their key to authorize them, mirroring the similar
       PubkeyAuthOptions sshd_config option.
     - ssh-keygen(1): Add support for writing the FIDO attestation
       information that is returned when new keys are generated via the "-O
       write-attestation=/path" option.  FIDO attestation certificates may be
       used to verify that a FIDO key is hosted in trusted hardware.  OpenSSH
       does not currently make use of this information, beyond optionally
       writing it to disk.
     - Add support for FIDO2 resident keys.
     - sshd(8): Add an Include sshd_config keyword that allows including
       additional configuration files via glob(3) patterns (closes: #631189).
     - ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available via
       the IPQoS directive.
     - ssh(1): When AddKeysToAgent=yes is set and the key contains no
       comment, add the key to the agent with the key's path as the comment.
     - ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509
       subjects as key comments, rather than simply listing the PKCS#11
       provider library path.
     - ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
     - sshd(8): When clients get denied by MaxStartups, send a notification
       prior to the SSH2 protocol banner according to RFC4253 section 4.2
       (closes: #275458).
     - ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program,
       pass a hint to the program to describe the type of desired prompt.
       The possible values are "confirm" (indicating that a yes/no
       confirmation dialog with no text entry should be shown), "none" (to
       indicate an informational message only), or blank for the original
       ssh-askpass behaviour of requesting a password/phrase.
     - ssh(1): Allow forwarding a different agent socket to the path
       specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
       option to accept an explicit path or the name of an environment
       variable in addition to yes/no.
     - ssh-keygen(1): Add a new signature operation "find-principals" to
       look up the principal associated with a signature from an
       allowed-signers file.
     - sshd(8): Expose the number of currently-authenticating connections
       along with the MaxStartups limit in the process title visible to "ps".
     - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
       now disable connection killing entirely rather than the current
       behaviour of instantly killing the connection after the first liveness
       test regardless of success.
     - sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups /
       DenyGroups in the sshd(8) manual page.
     - sshd(8): Better describe HashKnownHosts in the manual page.
     - sshd(8): Clarify that permitopen=/PermitOpen do no name or
       address translation in the manual page.
     - sshd(8): Allow the UpdateHostKeys feature to function when multiple
       known_hosts files are in use.  When updating host keys, ssh will now
       search subsequent known_hosts files, but will add updated host keys to
       the first specified file only.
     - All: Replace all calls to signal(2) with a wrapper around
       sigaction(2).  This wrapper blocks all other signals during the
       handler preventing races between handlers, and sets SA_RESTART which
       should reduce the potential for short read/write operations.
     - sftp(1): Fix a race condition in the SIGCHILD handler that could turn
       into a kill(-1).
     - sshd(8): Fix a case where valid (but extremely large) SSH channel IDs
       were being incorrectly rejected.
     - ssh(1): When checking host key fingerprints as answers to new hostkey
       prompts, ignore whitespace surrounding the fingerprint itself.
     - All: Wait for file descriptors to be readable or writeable during
       non-blocking connect, not just readable.  Prevents a timeout when the
       server doesn't immediately send a banner (e.g. multiplexers like
       sslh).
     - sshd_config(5): Document the sntrup4591761x25519-sha512@tinyssh.org
       key exchange algorithm.
   * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
     and 1:7.8p1-1 inclusive (closes: #951220).
   * ssh(1): Explain that -Y is equivalent to -X in the default configuration
     (closes: #951640).
   * Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
     /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes:
     #845315).


--- End Message ---
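
The changelog above adds an Include keyword to sshd_config and has Debian's sshd_config pull in /etc/ssh/sshd_config.d/*.conf. The following is an added example, not code from the bug report, Debian or OpenSSH: a small resolver showing which file supplies each effective setting once drop-ins exist. It assumes the Include line precedes the other directives in the main file; the file names and contents are constructed, Match blocks are not evaluated, and every keyword is treated as single-valued.

```python
import glob
import os
import shlex
import tempfile


def effective_config(path, base_dir, seen=None):
    """Return {keyword: (value, source_file)} for the global section."""
    seen = {} if seen is None else seen
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # simplification: stop at this file's first Match block
        if keyword == "include":
            for pattern in shlex.split(value):
                if not os.path.isabs(pattern):
                    pattern = os.path.join(base_dir, pattern)
                # sorted so that drop-ins are applied in lexical order
                for included in sorted(glob.glob(pattern)):
                    effective_config(included, base_dir, seen)
            continue
        # sshd uses the first value it obtains for a keyword
        seen.setdefault(keyword, (value, path))
    return seen


def demo():
    """Resolve a constructed config tree (names and contents are made up)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sshd_config.d"))
    files = {
        "sshd_config": "Include sshd_config.d/*.conf\n"
                       "PasswordAuthentication no\nPermitRootLogin no\n",
        "sshd_config.d/10-site.conf": "X11Forwarding no\n",
        "sshd_config.d/50-vendor.conf": "PasswordAuthentication yes\n"
                                        "X11Forwarding yes\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return effective_config(os.path.join(root, "sshd_config"), root)
```

In the constructed tree, the vendor drop-in's `PasswordAuthentication yes` wins over the `no` in the main file because it is read first. On a real host, `sshd -T` prints the effective configuration as sshd itself computes it.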
