
Bug#856816: marked as done (unblock: openssh/1:7.4p1-7)



Your message dated Sun, 05 Mar 2017 08:11:00 +0000
with message-id <e0f65fd7-542d-cf95-d732-634f44bcf34b@thykier.net>
and subject line Re: Bug#856816: unblock: openssh/1:7.4p1-7
has caused the Debian Bug report #856816,
regarding unblock: openssh/1:7.4p1-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856816
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock openssh, which I've just uploaded.  This fixes two RC
bugs, and nothing else.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm	2017-03-05 02:11:08.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
+e18d2ba71e6bf009c53e65509da84b712c300471
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS
--- openssh-7.4p1/debian/NEWS	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/NEWS	2017-03-05 02:12:42.000000000 +0000
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+  This version restores the default for AuthorizedKeysFile to search both
+  ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+  Debian configurations before 1:7.4p1-1.  Upstream intends to phase out
+  searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+  you are only using ~/.ssh/authorized_keys, at least for critical
+  administrative access; do not assume that the current default will remain
+  in place forever.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 05 Mar 2017 02:12:42 +0000
+
 openssh (1:7.4p1-1) unstable; urgency=medium
 
   OpenSSH 7.4 includes a number of changes that may affect existing
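
Review bot: the new 1:7.4p1-7 NEWS entry covers only the AuthorizedKeysFile default and says nothing about the other fix in this upload, which the changelog describes as "PermitRootLogin yes" being set on fresh installations since 1:7.4p1-1. No maintainer script is changed in this debdiff, so systems installed fresh with 1:7.4p1-1 through 1:7.4p1-6 are not visibly corrected by the upgrade. Consider adding a sentence to this entry asking administrators of such systems to check PermitRootLogin in their sshd_config.
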
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2017-01-16 15:11:10.000000000 +0000
+++ openssh-7.4p1/debian/changelog	2017-03-05 02:12:42.000000000 +0000
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+  * Don't set "PermitRootLogin yes" on fresh installations (regression
+    introduced in 1:7.4p1-1; closes: #852781).
+  * Restore reading authorized_keys2 by default.  Upstream seems to intend
+    to gradually phase this out, so don't assume that this will remain the
+    default forever.  However, we were late in adopting the upstream
+    sshd_config changes, so it makes sense to extend the grace period
+    (closes: #852320).
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 05 Mar 2017 02:12:42 +0000
+
 openssh (1:7.4p1-6) unstable; urgency=medium
 
   * Remove temporary file on exit from postinst (closes: #850275).
diff -Nru openssh-7.4p1/debian/openssh-server.templates openssh-7.4p1/debian/openssh-server.templates
--- openssh-7.4p1/debian/openssh-server.templates	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.templates	2017-03-05 02:11:08.000000000 +0000
@@ -1,6 +1,6 @@
 Template: openssh-server/permit-root-login
 Type: boolean
-Default: false
+Default: true
 _Description: Disable SSH password authentication for root?
  Previous versions of openssh-server permitted logging in as root over SSH
  using password authentication. The default for new installations is now
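
Review bot: the polarity of the "Default:" line is easy to misread, because the template is named openssh-server/permit-root-login while the question is "Disable SSH password authentication for root?", so "Default: true" looks like it permits root login when it actually selects the restrictive answer. The one-word flip is the whole fix for the regression, so it deserves a guard against the same slip recurring: document the polarity where this answer is consumed, or state it in the changelog entry (for example "true = password authentication for root disabled").
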
diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch openssh-7.4p1/debian/patches/restore-authorized_keys2.patch
--- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch	2017-03-05 02:11:09.000000000 +0000
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 5 Mar 2017 02:02:11 +0000
+Subject: Restore reading authorized_keys2 by default
+
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever.  However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+
+Patch-Name: restore-authorized_keys2.patch
+---
+ sshd_config | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -36,9 +36,8 @@
+ 
+ #PubkeyAuthentication yes
+ 
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile	.ssh/authorized_keys
++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
++#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+ 
+ #AuthorizedPrincipalsFile none
+ 
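
Review bot: the replacement comment in the sshd_config hunk ("Expect .ssh/authorized_keys2 to be disregarded by default in future.") drops the statement from the removed comment that the default checks both files, which is the fact an administrator auditing access needs today. With the AuthorizedKeysFile line commented out, a key in either ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 grants login. Suggest keeping both halves, for example "# Both .ssh/authorized_keys and .ssh/authorized_keys2 are read by default; expect .ssh/authorized_keys2 to be disregarded by default in future."
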
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2017-01-16 15:08:11.000000000 +0000
+++ openssh-7.4p1/debian/patches/series	2017-03-05 02:11:08.000000000 +0000
@@ -29,3 +29,4 @@
 regress-mktemp.patch
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
+restore-authorized_keys2.patch

unblock openssh/1:7.4p1-7

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Niels Thykier <niels@thykier.net> (2017-03-05):
>> Looks good to me. - CC'ing KiBi for a d-i ack.  Quote in full for his sake.
> 
> Sure, go ahead.
> 
> 
> KiBi.
> 

Excellent, openssh has been unblocked.

Thanks,
~Niels

--- End Message ---
