Re: (forw) Debconf abuse by several packages
Scripsit Joey Hess <joeyh@debian.org>
> Christian Perrier wrote:
> > s=number of screens shown (aka how many times to press Enter!)
> > d=number of questions with reasonable defaults which IMHO shouldn't have
> > been asked (guess what "d" is for...)
> > u=number of untranslated questions
> > n=number of useless notes
> > - ssh : 1s 0d 0u 1n
> ssh's question could be avoided by the long-standing idea of splitting
> it into a server and a client package.
As far as I read the table it's not even a question but a "useless
note". And lo: when I do dpkg-reconfigure ssh, the only thing that
happens with priority "high" is the *note* ssh/privsep_tell:
    Privilege separation

    This version of OpenSSH contains the new privilege separation
    option. This significantly reduces the quantity of code that runs
    as root, and therefore reduces the impact of security holes in
    sshd.

    Unfortunately, privilege separation interacts badly with PAM. Any
    PAM session modules that need to run as root (pam_mkhomedir, for
    example) will fail, and PAM keyboard-interactive authentication
    won't work.

    Privilege separation is turned on by default, so if you decide you
    want it turned off, you need to add "UsePrivilegeSeparation no" to
    /etc/ssh/sshd_config.
This looks like a clear candidate for README.Debian rather than a
debconf note.
It just *might* be reasonable to warn the user if
1. the sshd daemon is indeed to be started,
2. one is upgrading from a version of ssh where privilege separation
was not default (which is not likely for sarge anyway, since this
was introduced before woody released), and
3. a scan of the existing sshd_conf or /etc/pam.d/ssh indicates that no
privilege-separated-capable authentication methods are defined,
since then users upgrading remotely might end up with an unresponsive
system. But the config script makes no attempt to establish any of
these conditions before slamming a note in the face of the
(presumably) puzzled user.
--
Henning Makholm "I ... I have to return some videos."
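The precondition check the message asks for, as an added shell example that is not the Debian ssh package's own config script: it establishes conditions 1 and 3 (condition 2 needs the previously installed version and is not modelled) before deciding whether the privsep note is relevant. The ChallengeResponseAuthentication keyword and the /etc/ssh/sshd_not_to_be_run flag-file convention are assumptions, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not the Debian ssh package's own config script): establish
# the preconditions the message lists before deciding whether the privsep
# note is worth showing. Paths are passed as arguments; the keyword
# ChallengeResponseAuthentication and the sshd_not_to_be_run flag file are
# assumptions used for illustration.

# sshd_will_start FLAGFILE: condition 1, true unless the "do not run" flag exists.
sshd_will_start() {
    [ ! -e "$1" ]
}

# privsep_enabled SSHD_CONFIG: true unless "UsePrivilegeSeparation no" is set
# (the note says the default is on).
privsep_enabled() {
    ! grep -Eiq '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+no([[:space:]]|$)' "$1"
}

# kbdint_auth_enabled SSHD_CONFIG: condition 3a, keyboard-interactive auth is on,
# which the note says does not work under privsep with PAM.
kbdint_auth_enabled() {
    grep -Eiq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes([[:space:]]|$)' "$1"
}

# pam_session_needs_root PAMFILE: condition 3b, a session module that must run
# as root (pam_mkhomedir is the note's example) is configured.
pam_session_needs_root() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir' "$1"
}

# privsep_warning_needed FLAGFILE SSHD_CONFIG PAMFILE: true only when the note
# is actually relevant to this system.
privsep_warning_needed() {
    sshd_will_start "$1" && privsep_enabled "$2" &&
        { kbdint_auth_enabled "$2" || pam_session_needs_root "$3"; }
}

# Constructed sample configs in a temp dir, so the script runs offline.
EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
printf 'UsePrivilegeSeparation yes\nChallengeResponseAuthentication no\n' > "$EXAMPLE_DIR/sshd_config.plain"
printf '# comment line\nchallengeresponseauthentication YES\n' > "$EXAMPLE_DIR/sshd_config.kbdint"
printf 'UsePrivilegeSeparation no\n' > "$EXAMPLE_DIR/sshd_config.nopriv"
printf 'session required pam_unix.so\n' > "$EXAMPLE_DIR/pam.plain"
printf 'session optional pam_mkhomedir.so\n' > "$EXAMPLE_DIR/pam.mkhomedir"
: > "$EXAMPLE_DIR/sshd_not_to_be_run"

if privsep_warning_needed "$EXAMPLE_DIR/absent_flag" "$EXAMPLE_DIR/sshd_config.plain" "$EXAMPLE_DIR/pam.mkhomedir"; then
    echo "warn: privsep on and pam_mkhomedir in the session stack"
fi
```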