Bug#856816: unblock: openssh/1:7.4p1-7
Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock openssh, which I've just uploaded. This fixes two RC
> bugs, and nothing else.
>
Hi,
Looks good to me. - CC'ing KiBi for a d-i ack. Quote in full for his sake.
> diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
> --- openssh-7.4p1/debian/.git-dpm 2017-01-16 15:08:11.000000000 +0000
> +++ openssh-7.4p1/debian/.git-dpm 2017-03-05 02:11:08.000000000 +0000
> @@ -1,6 +1,6 @@
> # see git-dpm(1) from git-dpm package
> -3f1016b4535faf6e48aa71e21569aa714a25193f
> -3f1016b4535faf6e48aa71e21569aa714a25193f
> +e18d2ba71e6bf009c53e65509da84b712c300471
> +e18d2ba71e6bf009c53e65509da84b712c300471
> 971a7653746a6972b907dfe0ce139c06e4a6f482
> 971a7653746a6972b907dfe0ce139c06e4a6f482
> openssh_7.4p1.orig.tar.gz
> diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS
> --- openssh-7.4p1/debian/NEWS 2017-01-16 15:08:11.000000000 +0000
> +++ openssh-7.4p1/debian/NEWS 2017-03-05 02:12:42.000000000 +0000
> @@ -1,3 +1,15 @@
> +openssh (1:7.4p1-7) unstable; urgency=medium
> +
> + This version restores the default for AuthorizedKeysFile to search both
> + ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
> + Debian configurations before 1:7.4p1-1. Upstream intends to phase out
> + searching ~/.ssh/authorized_keys2 by default, so you should ensure that
> + you are only using ~/.ssh/authorized_keys, at least for critical
> + administrative access; do not assume that the current default will remain
> + in place forever.
> +
> + -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
> +
> openssh (1:7.4p1-1) unstable; urgency=medium
>
> OpenSSH 7.4 includes a number of changes that may affect existing
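Review bot: the new NEWS entry covers only the authorized_keys2 default and says nothing about the other fix in this upload, the "PermitRootLogin yes" regression on fresh installations that debian/changelog lists as introduced in 1:7.4p1-1. Nothing in the visible diff rewrites an sshd_config already written by an affected version, so a paragraph here asking administrators who installed fresh since 1:7.4p1-1 to check their PermitRootLogin setting would let the fix reach those systems too.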
> diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
> --- openssh-7.4p1/debian/changelog 2017-01-16 15:11:10.000000000 +0000
> +++ openssh-7.4p1/debian/changelog 2017-03-05 02:12:42.000000000 +0000
> @@ -1,3 +1,15 @@
> +openssh (1:7.4p1-7) unstable; urgency=medium
> +
> + * Don't set "PermitRootLogin yes" on fresh installations (regression
> + introduced in 1:7.4p1-1; closes: #852781).
> + * Restore reading authorized_keys2 by default. Upstream seems to intend
> + to gradually phase this out, so don't assume that this will remain the
> + default forever. However, we were late in adopting the upstream
> + sshd_config changes, so it makes sense to extend the grace period
> + (closes: #852320).
> +
> + -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
> +
> openssh (1:7.4p1-6) unstable; urgency=medium
>
> * Remove temporary file on exit from postinst (closes: #850275).
> diff -Nru openssh-7.4p1/debian/openssh-server.templates openssh-7.4p1/debian/openssh-server.templates
> --- openssh-7.4p1/debian/openssh-server.templates 2017-01-16 15:08:11.000000000 +0000
> +++ openssh-7.4p1/debian/openssh-server.templates 2017-03-05 02:11:08.000000000 +0000
> @@ -1,6 +1,6 @@
> Template: openssh-server/permit-root-login
> Type: boolean
> -Default: false
> +Default: true
> _Description: Disable SSH password authentication for root?
> Previous versions of openssh-server permitted logging in as root over SSH
> using password authentication. The default for new installations is now
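Review bot: the template is named openssh-server/permit-root-login but its question is "Disable SSH password authentication for root?", so on the changed Default: line "true" selects the restrictive setting, the opposite of what the name suggests. A note spelling out that polarity wherever this answer is consumed would make a repeat of the false/true mix-up less likely, since the name cannot easily be changed.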
> diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch openssh-7.4p1/debian/patches/restore-authorized_keys2.patch
> --- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 1970-01-01 01:00:00.000000000 +0100
> +++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 2017-03-05 02:11:09.000000000 +0000
> @@ -0,0 +1,35 @@
> +From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
> +From: Colin Watson <cjwatson@debian.org>
> +Date: Sun, 5 Mar 2017 02:02:11 +0000
> +Subject: Restore reading authorized_keys2 by default
> +
> +Upstream seems to intend to gradually phase this out, so don't assume
> +that this will remain the default forever. However, we were late in
> +adopting the upstream sshd_config changes, so it makes sense to extend
> +the grace period.
> +
> +Bug-Debian: https://bugs.debian.org/852320
> +Forwarded: not-needed
> +Last-Update: 2017-03-05
> +
> +Patch-Name: restore-authorized_keys2.patch
> +---
> + sshd_config | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +diff --git a/sshd_config b/sshd_config
> +index 4aea6c72..bcf3ac17 100644
> +--- a/sshd_config
> ++++ b/sshd_config
> +@@ -36,9 +36,8 @@
> +
> + #PubkeyAuthentication yes
> +
> +-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> +-# but this is overridden so installations will only check .ssh/authorized_keys
> +-AuthorizedKeysFile .ssh/authorized_keys
> ++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
> ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
> +
> + #AuthorizedPrincipalsFile none
> +
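Review bot: the replacement comment above the AuthorizedKeysFile line says only that authorized_keys2 will be disregarded in future and no longer states that both files are searched now, which the removed comment did say. Consider making the current behaviour explicit, for example by noting that the commented-out line shows the present default and that setting "AuthorizedKeysFile .ssh/authorized_keys" restricts lookups to the single file for administrators who want the stricter behaviour today.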
> diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
> --- openssh-7.4p1/debian/patches/series 2017-01-16 15:08:11.000000000 +0000
> +++ openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.000000000 +0000
> @@ -29,3 +29,4 @@
> regress-mktemp.patch
> sandbox-x32-workaround.patch
> no-dsa-host-key-by-default.patch
> +restore-authorized_keys2.patch
>
> unblock openssh/1:7.4p1-7
>
> Thanks,
>
Thanks,
~Niels