[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: (forw) Debconf abuse by several packages

Scripsit Joey Hess <joeyh@debian.org>
> Christian Perrier wrote:

> >   s=number of screens shown (aka how many times to press Enter!)
> >  d=number of questions with reasonable defaults which IMHO shouldn't have
> >    been asked (guess what "d" is for...)
> >  u=number of untranslated questions
> >  n=number of useless notes

> > - ssh                   : 1s  0d  0u  1n

> ssh's question could be avoided by the long-standing idea of splitting
> it into a server and a client package.

As far as I read the table it's not even a question but an "useless
note". And lo: when I do dpkg-reconfigure ssh, the only thing that
happens with priority "high" is the *note* ssh/privsep_tell:

   Privilege separation

   This version of OpenSSH contains the new privilege separation
   option. This significantly reduces the quantity of code that runs
   as root, and therefore reduces the impact of security holes in

   Unfortunately, privilege separation interacts badly with PAM. Any
   PAM session modules that need to run as root (pam_mkhomedir, for
   example) will fail, and PAM keyboard-interactive authentication
   won't work.

   Privilege separation is turned on by default, so if you decide you
   want it turned off, you need to add "UsePrivilegeSeparation no" to

This looks like a clear candidate for README.Debian rather than a
debconf note.

It just *might* be reasonable to warn the user if

  1. the sshd daemon is indeed to be started,

  2. one is upgrading from a version of ssh where privilege separation
     was not default (which is not likely for sarge anyway, since this
     was introduced before woody released), and

  3. a scan of the existing sshd_conf or /etc/pam.d/ssh indicates that no
     privilege-separated-capable authentification methods are defined.

since then users upgrading remotely might end up with an unresponsive
system. But the config script makes no attempt to establish either of
these conditions before slamming a note in the face of the
(presumably) puzzled user.

Henning Makholm                        "I ... I have to return some videos."

Reply to: