Bug#154788: marked as done (boot-floppies,www.debian.org: release notes give incorrect advice to ssh users, and attempt to subvert the package maintainer)
Your message dated Sun, 13 Apr 2003 21:12:04 +0100
with message-id <20030413201204.GA12943@hades.evilgeniuses.org.uk>
and subject line Fixed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 29 Jul 2002 22:57:41 +0000
>From matthew@pick.ucam.org Mon Jul 29 17:57:41 2002
Return-path: <matthew@pick.ucam.org>
Received: from chiark.greenend.org.uk [212.135.138.206] (mail)
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 17ZJSP-0003P0-00; Mon, 29 Jul 2002 17:57:41 -0500
Received: from (ming.empire.pick.ucam.org) [172.16.22.12] (mail)
by chiark.greenend.org.uk with esmtp (Exim 3.12 #1)
id 17ZJSN-0006Qw-00 (Debian); Mon, 29 Jul 2002 23:57:39 +0100
Received: from matthew by ming.empire.pick.ucam.org with local (Exim 3.35 #1 (Debian))
id 17ZJSN-0007z9-00; Mon, 29 Jul 2002 23:57:39 +0100
From: Matthew Vernon <matthew@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: boot-floppies,www.debian.org: release notes give incorrect advice to ssh users, and attempt to subvert the package maintainer
X-Mailer: reportbug 1.50
Date: Mon, 29 Jul 2002 23:57:39 +0100
Message-Id: <E17ZJSN-0007z9-00@ming.empire.pick.ucam.org>
Sender: Matthew Vernon <matthew@pick.ucam.org>
Delivered-To: submit@bugs.debian.org
Package: boot-floppies,www.debian.org
Version: N/A; reported 2002-07-29
Severity: critical
Tags: security
Justification: breaks unrelated software
Hi,
The paragraph:
"Please note that the ssh package in this release enables root logins
by default. (Disabled in 2.2) If you do not need this feature for
remote access to your system you should ensure that the
PermitRootLogin option in /etc/ssh/sshd_config is set to no after
upgrade for security reasons. To ensure dpkg never updates the file to
match new defaults, you can simply modify the file locally. Adding a
blank line is enough."
(in section 3.2.2) should be removed immediatly for these reasons:
a) installing the new package tells you the useful parts of this
information already (to wit, that the default has changed, and how to
set it back if you so wish)
b) it is factually incorrect (the postinst will offer to auto-generate
a new configuration file for you if you're upgrading from the 1.3
package, and do nothing in this regard otherwise); dpkg will not do
anything to the configuration file on upgrade to woody in any
case. Thus it will confuse people as to what is going on wrt
PermitRootLogin
c) the wording is clearly designed to subvert the package maintainers'
default, and indeed with the security properties of this
setting. Without entering into a debate on the rights and wrongs of
this setting (since this is not the place to do so), it is absurd that
we should ship with a package and release notes that disagree with
each other; the release notes should go along with the packages in
question, so we at least appear to be consistent. If the author of
this section of the release notes (who was not me) disagrees with my
defaults for the ssh package, then there are other fora to air those
disagreements.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux ming 2.2.20 #4 Tue Jun 18 13:51:22 BST 2002 i686
Locale: LANG=C, LC_CTYPE=C
---------------------------------------
Received: (at 154788-done) by bugs.debian.org; 13 Apr 2003 20:12:14 +0000
>From rob@hades.evilgeniuses.org.uk Sun Apr 13 15:12:08 2003
Return-path: <rob@hades.evilgeniuses.org.uk>
Received: from hades.robster.org.uk (hades.evilgeniuses.org.uk) [212.111.35.118]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 194npd-0001Ne-00; Sun, 13 Apr 2003 15:12:05 -0500
Received: by hades.evilgeniuses.org.uk (Postfix, from userid 1000)
id 7CF2E53873; Sun, 13 Apr 2003 21:12:04 +0100 (BST)
Date: Sun, 13 Apr 2003 21:12:04 +0100
From: Rob Bradford <rob@debianplanet.org>
To: 154788-done@bugs.debian.org
Subject: Fixed
Message-ID: <20030413201204.GA12943@hades.evilgeniuses.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Delivered-To: 154788-done@bugs.debian.org
X-Spam-Status: No, hits=-1.2 required=4.0
tests=SIGNATURE_SHORT_DENSE,SPAM_PHRASE_00_01,USER_AGENT,
USER_AGENT_MUTT
version=2.44
X-Spam-Level:
This bug was fixed a couple of months back. Now we dont say anything about
ssh wrt root logins; the onus is completely on debconf.
Cheers,
Rob
--
Rob 'robster' Bradford
http://robster.org.uk
Reply to: