--- Begin Message ---
Package: openssh-server
Version: 1:5.5p1-3
Severity: important
Hi,
Base-files package just switched to umask 002 by default for new install
(see #248140 and discussion in d-devel). However, with this setup,
openssh-server behaves badly. It is similar to #314347 that was opened
for openssh-client and permission checks for $HOME/.ssh/config.
The fix for this bug should probably be similar.
Here is an example of the problem:
On 15/05/2010 03:12, Joey Hess wrote:
> Vincent Danjean wrote:
>> I'm happy with this move. However, there is still an interaction with ssh
>> to deal with:
>> vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
>> vdanjean@eyak:~$ ssh localhost
>> vdanjean@localhost's password:
>> And, in /var/log/auth.log:
>> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys
>>
>> vdanjean@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
>> le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
>> vdanjean@eyak:~$ ssh localhost
>> You have mail.
>> Last login: Tue May 11 17:10:30 2010
>> vdanjean@eyak:~$
>>
>> My system is in UPG but I was using default umask 022
>
> FWIW, for openssh this is supposed to be fixed in version 1:4.1p1-3.
> See #314347. It was changed to allow group-writable files if
> the owner is the only member in the group.
Something is wrong here. Should 314347 be reopened?
vdanjean@eyak:~$ LC_ALL=C apt-cache policy openssh-server
openssh-server:
Installed: 1:5.5p1-3
Candidate: 1:5.5p1-3
Version table:
*** 1:5.5p1-3 0
500 http://ftp.fr.debian.org unstable/main Packages
500 http://ftp.fr.debian.org testing/main Packages
100 /var/lib/dpkg/status
1:5.1p1-5 0
500 http://ftp.fr.debian.org stable/main Packages
1:4.3p2-9etch3 0
500 http://ftp.fr.debian.org oldstable/main Packages
vdanjean@eyak:~$ cat /etc/group /etc/passwd | grep '^vdanjean'
vdanjean:x:1000:
vdanjean:x:1000:1000:Vincent Danjean,,,:/home/vdanjean:/bin/bash
vdanjean@eyak:~$
Regards,
Vincent
-- System Information:
Debian Release: squeeze/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii dpkg 1.15.7.1 Debian package management system
ii libc6 2.11-0exp6 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.11-1 common error description library
ii libgssapi-krb5-2 1.8.1+dfsg-2 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.1+dfsg-2 MIT Kerberos runtime libraries
ii libpam-modules 1.1.1-3 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-3 Runtime support for the PAM librar
ii libpam0g 1.1.1-3 Pluggable Authentication Modules l
ii libselinux1 2.0.94-1 SELinux runtime shared libraries
ii libssl0.9.8 0.9.8n-1 SSL shared libraries
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.1 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.5p1-3 secure shell (SSH) client, for sec
ii procps 1:3.2.8-9 /proc file system utilities
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.4-1 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
ii ssh-askpass 1:1.2.4.1-9 under X, asks user for a passphras
pn ufw <none> (no description available)
-- debconf information:
ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.5p1-4
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_5.5p1-4_i386.udeb
to main/o/openssh/openssh-client-udeb_5.5p1-4_i386.udeb
openssh-client_5.5p1-4_i386.deb
to main/o/openssh/openssh-client_5.5p1-4_i386.deb
openssh-server-udeb_5.5p1-4_i386.udeb
to main/o/openssh/openssh-server-udeb_5.5p1-4_i386.udeb
openssh-server_5.5p1-4_i386.deb
to main/o/openssh/openssh-server_5.5p1-4_i386.deb
openssh_5.5p1-4.debian.tar.gz
to main/o/openssh/openssh_5.5p1-4.debian.tar.gz
openssh_5.5p1-4.dsc
to main/o/openssh/openssh_5.5p1-4.dsc
ssh-askpass-gnome_5.5p1-4_i386.deb
to main/o/openssh/ssh-askpass-gnome_5.5p1-4_i386.deb
ssh-krb5_5.5p1-4_all.deb
to main/o/openssh/ssh-krb5_5.5p1-4_all.deb
ssh_5.5p1-4_all.deb
to main/o/openssh/ssh_5.5p1-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 581919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 22 May 2010 23:37:20 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.5p1-4
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell (SSH) client, for secure access to remote machines
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell (SSH) server, for secure access from remote machines
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 579843 581697 581919
Changes:
openssh (1:5.5p1-4) unstable; urgency=low
.
[ Sebastian Andrzej Siewior ]
* Add powerpcspe to architecture list for libselinux1-dev build-dependency
(closes: #579843).
.
[ Colin Watson ]
* Allow ~/.ssh/authorized_keys and other secure files to be
group-writable, provided that the group in question contains only the
file's owner; this extends a patch previously applied to ~/.ssh/config
(closes: #581919).
* Check primary group memberships as well as supplementary group
memberships, and only allow group-writability by groups with exactly one
member, as zero-member groups are typically used by setgid binaries
rather than being user-private groups (closes: #581697).
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iD8DBQFL+F2e9t0zAhD6TNERAn1TAJ9rwlavocxyM1cYSgA4B5hQMWtnhgCdE5fR
nI9MxJLBX8mqHsaY/pvhXeg=
=m9C4
-----END PGP SIGNATURE-----
--- End Message ---
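The group-writability rule described in the 1:5.5p1-4 changelog above, as an added example (this is not the Debian patch and not code from either message). The function `secure_modes`, the helper `in_group`, and the `USERS`/`GROUPS` tables are hypothetical names with constructed data standing in for the passwd and group databases; the owner and world-writable checks are assumptions about the surrounding permission test.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed stand-ins for /etc/passwd and /etc/group rows (not real data). */
struct user  { const char *name; uid_t uid; gid_t gid; };
struct group { gid_t gid; const char *members[4]; };  /* NULL-terminated */

static const struct user USERS[] = {
    { "vdanjean", 1000, 1000 },   /* user-private group, as in the report */
    { "alice",    1001, 100  },
    { "bob",      1002, 100  },   /* alice and bob share a primary group */
    { "carol",    1003, 1003 },
};
static const struct group GROUPS[] = {
    { 1000, { NULL } },           /* vdanjean is a member via primary gid only */
    { 100,  { NULL } },
    { 1003, { "alice", NULL } },  /* carol's group also lists alice */
    { 50,   { NULL } },           /* zero-member group (setgid-binary style) */
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* 1 if user u belongs to g through primary or supplementary membership. */
static int in_group(const struct user *u, const struct group *g)
{
    if (u->gid == g->gid) return 1;
    for (size_t i = 0; i < 4 && g->members[i]; i++)
        if (strcmp(g->members[i], u->name) == 0) return 1;
    return 0;
}

/* 1 = modes acceptable for a file that only `uid` may be able to write. */
int secure_modes(mode_t mode, uid_t file_uid, gid_t file_gid, uid_t uid)
{
    if (file_uid != 0 && file_uid != uid) return 0;  /* assumed owner rule */
    if (mode & S_IWOTH) return 0;                    /* world-writable */
    if (!(mode & S_IWGRP)) return 1;                 /* e.g. 0644 or 0600 */
    for (size_t gi = 0; gi < N(GROUPS); gi++) {
        if (GROUPS[gi].gid != file_gid) continue;
        int members = 0, owner_in = 0;
        for (size_t ui = 0; ui < N(USERS); ui++)     /* each user counted once */
            if (in_group(&USERS[ui], &GROUPS[gi])) {
                members++;
                if (USERS[ui].uid == uid) owner_in = 1;
            }
        return members == 1 && owner_in;  /* exactly one member: the owner */
    }
    return 0;                             /* unknown group: refuse */
}
```

Counting both primary and supplementary membership is what makes the shared-group and zero-member cases fail while the user-private group from the report passes.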