[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#599240: marked as done (openssh-server: error message snot logged unless PrivilegeSeparation off)

Your message dated Thu, 08 Sep 2011 00:03:24 +0000
with message-id <E1R1S5U-00086B-0p@franck.debian.org>
and subject line Bug#599240: fixed in openssh 1:5.9p1-1
has caused the Debian Bug report #599240,
regarding openssh-server: error message snot logged unless PrivilegeSeparation off
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

599240: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599240
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.5p1-4
Severity: normal

When PrivilegeSeparation is on (the default), errors from pam modules are
not logged anywhere (apparently, pam tries to open /dev/log in a chroot).

this is somewhat serious as no message whatsoever gets logged for
semi-successfull log-ins.

example message that is only logged when priv. sep is off:

Oct  6 04:20:28 rain sshd[24468]: fatal: Access denied for user sf-grunt by PAM account configuration

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                 3.112            add and remove users and groups
ii  debconf [debconf-2.0]   1.5.35           Debian configuration management sy
ii  dpkg                   Debian package management system
hi  libc6                   2.11.2-6         Embedded GNU C Library: Shared lib
ii  libcomerr2              1.41.12-2        common error description library
ii  libgssapi-krb5-2        1.8.3+dfsg-1     MIT Kerberos runtime libraries - k
ii  libkrb5-3               1.8.3+dfsg-1     MIT Kerberos runtime libraries
ii  libpam-modules          1.1.1-6          Pluggable Authentication Modules f
ii  libpam-runtime          1.1.1-6          Runtime support for the PAM librar
ii  libpam0g                1.1.1-6          Pluggable Authentication Modules l
ii  libselinux1             2.0.96-1         SELinux runtime shared libraries
ii  libssl0.9.8             0.9.8o-2         SSL shared libraries
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.1         Linux Standard Base 3.2 init scrip
ii  openssh-blacklist       0.4.1            list of default blacklisted OpenSS
ii  openssh-client          1:5.5p1-4        secure shell (SSH) client, for sec
ii  procps                  1:3.2.8-9        /proc file system utilities
ii  zlib1g                  1: compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.4-1  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1: under X, asks user for a passphras
pn  ufw                          <none>      (no description available)

-- Configuration Files:
/etc/pam.d/sshd changed [not included]

-- debconf information:
* ssh/use_old_init_script: true
  ssh/new_config: true
  ssh/disable_cr_auth: false

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.9p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

  to main/o/openssh/openssh-client-udeb_5.9p1-1_i386.udeb
  to main/o/openssh/openssh-client_5.9p1-1_i386.deb
  to main/o/openssh/openssh-server-udeb_5.9p1-1_i386.udeb
  to main/o/openssh/openssh-server_5.9p1-1_i386.deb
  to main/o/openssh/openssh_5.9p1-1.debian.tar.gz
  to main/o/openssh/openssh_5.9p1-1.dsc
  to main/o/openssh/openssh_5.9p1.orig.tar.gz
  to main/o/openssh/ssh-askpass-gnome_5.9p1-1_i386.deb
  to main/o/openssh/ssh-krb5_5.9p1-1_all.deb
  to main/o/openssh/ssh_5.9p1-1_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599240@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA256

Format: 1.8
Date: Wed, 07 Sep 2011 23:46:00 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source i386 all
Version: 1:5.9p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 75043 76312 229124 429243 444691 498297 504757 560156 599240
 openssh (1:5.9p1-1) unstable; urgency=low
   * New upstream release (http://www.openssh.org/txt/release-5.9).
     - Introduce sandboxing of the pre-auth privsep child using an optional
       sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
       mandatory restrictions on the syscalls the privsep child can perform.
     - Add new SHA256-based HMAC transport integrity modes from
     - The pre-authentication sshd(8) privilege separation slave process now
       logs via a socket shared with the master process, avoiding the need to
       maintain /dev/log inside the chroot (closes: #75043, #429243,
     - ssh(1) now warns when a server refuses X11 forwarding (closes:
     - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
       separated by whitespace (closes: #76312).  The authorized_keys2
       fallback is deprecated but documented (closes: #560156).
     - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
       ToS/DSCP (closes: #498297).
     - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
       - < /path/to/key" (closes: #229124).
     - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
     - Say "required" rather than "recommended" in unprotected-private-key
       warning (LP: #663455).
   * Update OpenSSH FAQ to revision 1.112.
 0ba9f1a9edfa3382d0bb8d46662171d3d69f3899 2262 openssh_5.9p1-1.dsc
 ac4e0055421e9543f0af5da607a72cf5922dcc56 1110014 openssh_5.9p1.orig.tar.gz
 97168246fc1a9b3377de171f14909bd6d78a672d 237065 openssh_5.9p1-1.debian.tar.gz
 fc55a383f87b5c4d8340424516e6cd32c50eeb7e 1037764 openssh-client_5.9p1-1_i386.deb
 a2c769a195a70fefb281d5f8499d83e641f0603d 339636 openssh-server_5.9p1-1_i386.deb
 55337e28e302f6a20f77ff2b9dadc906a26d84d4 1248 ssh_5.9p1-1_all.deb
 5f1c19ea1c8c4d87f33a28ffd1d550ddc48d6723 83452 ssh-krb5_5.9p1-1_all.deb
 dfda1d639fd38b0a2034c0edeef722196f0e1e4d 90930 ssh-askpass-gnome_5.9p1-1_i386.deb
 3f518a8c2e8170cbb05095427f361dfbe21b22fa 258686 openssh-client-udeb_5.9p1-1_i386.udeb
 9cb16057d691947ec282ad7590d56da6eaa12ca2 291406 openssh-server-udeb_5.9p1-1_i386.udeb
 ea680e24ff1dd762b6cbfb5435a8a72516dd7723aecd1d88c8de5a1d4461847b 2262 openssh_5.9p1-1.dsc
 8d3e8b6b6ff04b525a6dfa6fdeb6a99043ccf6c3310cc32eba84c939b07777d5 1110014 openssh_5.9p1.orig.tar.gz
 b49c3539c20815557338dc4a20d44b4aa3a2b2c6a1c84af4fcae6670ed24d753 237065 openssh_5.9p1-1.debian.tar.gz
 453af7f76ad8e7ab72b2dac158cab923513c061fad0cac6342f11d894bdc20f3 1037764 openssh-client_5.9p1-1_i386.deb
 401a3d25c0611763bf43cefee2eaa52cfe56ef3093b4287eb40097e6f8a532d7 339636 openssh-server_5.9p1-1_i386.deb
 1d421348d13e33abe2f0a1a8cbd5056ffc198ca513429334295fc6cd4e4dc09d 1248 ssh_5.9p1-1_all.deb
 4d43ef9be6b94af2c2b79939d5d0e69b0486442790cc4e71781479b47d009141 83452 ssh-krb5_5.9p1-1_all.deb
 0483699f810a8f75ab5aca6e12cf1de45ed5d6cc4a27bc079fb14607f0ec84b0 90930 ssh-askpass-gnome_5.9p1-1_i386.deb
 6253bdc1f1311292eb8189733b2c2549ffe3748b40935c00bb9d8c3a55c3d6e2 258686 openssh-client-udeb_5.9p1-1_i386.udeb
 612bc799c4bf8d5110c3ab38ad944a95209a72528b2334ecedcdf4c41d0d9102 291406 openssh-server-udeb_5.9p1-1_i386.udeb
 1eeb747651ca43d84013d4ed19fa6673 2262 net standard openssh_5.9p1-1.dsc
 afe17eee7e98d3b8550cc349834a85d0 1110014 net standard openssh_5.9p1.orig.tar.gz
 ae82efba18958ccd27ae0cb176291360 237065 net standard openssh_5.9p1-1.debian.tar.gz
 d901c07e5a89146b229503d4e2a7ecd9 1037764 net standard openssh-client_5.9p1-1_i386.deb
 f483c10831cc6ad016f328d2d9bbfdfb 339636 net optional openssh-server_5.9p1-1_i386.deb
 b83d4d08aebef3f4d4893dff49e1f6b4 1248 net extra ssh_5.9p1-1_all.deb
 16a6817cc68764309d961e54dda85b31 83452 net extra ssh-krb5_5.9p1-1_all.deb
 71d5db3e60bb2c5909b2951908d26f73 90930 gnome optional ssh-askpass-gnome_5.9p1-1_i386.deb
 a7a4fa8017a653f710179e404d082bf6 258686 debian-installer optional openssh-client-udeb_5.9p1-1_i386.udeb
 7a3384769372b751843da6843d8f82d6 291406 debian-installer optional openssh-server-udeb_5.9p1-1_i386.udeb
Package-Type: udeb

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer


--- End Message ---

Reply to: