Bug#852320: openssh-server: install script silently override config
Control: severity -1 serious
On Mon, Jan 23, 2017 at 06:15:02PM +0300, Andrey Jr. Melnikov wrote:
> Package: openssh-server
> Version: 1:7.4p1-6
> Severity: grave
> Justification: renders package unusable
This is a problem for some upgraded systems, but it doesn't render the
package unusable.
> Upgrading openssh-server from jessie (1:6.7p1-5+deb8u3 -> 1:7.3p1-5 -> 1:7.4p1-6) silently overwrites the unmodified config,
> which leads to an unintended change of the commented ``AuthorizedKeysFile'' option.
>
> -- cut--
> -#AuthorizedKeysFile %h/.ssh/authorized_keys
> +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> +# but this is overridden so installations will only check .ssh/authorized_keys
> +AuthorizedKeysFile .ssh/authorized_keys
> -- cut --
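Review bot: the added active `AuthorizedKeysFile .ssh/authorized_keys` line replaces a line that was only a comment, so a config the admin never edited changes which key files are read, and nothing in the file says how to keep the old behaviour. The new comment already states that the default checks both files; it should also say that listing both paths, as in `AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2`, restores that lookup, so an admin who finds the change after an upgrade has the fix in front of them.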
>
> This disallows reading ~/.ssh/authorized_keys2 and breaks remote login without any notice.
It appears to be upstream's intent to gradually phase out this file:
https://anongit.mindrot.org/openssh.git/commit/?id=d8478b6a9b32760d47c2419279c4a73f5f88fdb6
... so I'm somewhat reluctant to deviate from the upstream default and
just re-enable this, as it will probably go away eventually. Would it
be acceptable to add a NEWS file entry documenting this change, and
perhaps a release notes entry? That would give you a chance to make
adjustments before upgrading.
--
Colin Watson [cjwatson@debian.org]
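
One way to make the adjustments mentioned above before upgrading, as an added example that is not part of the original thread or of the Debian package: it lists keys that exist only in `~/.ssh/authorized_keys2` and would stop being honoured once `AuthorizedKeysFile` names `.ssh/authorized_keys` alone. The function names and the sample homes and key strings are constructed for illustration; entries are compared as whole lines, so the same key with a different comment counts as a different entry.

```python
import os
import tempfile

def key_entries(path):
    """Return the non-blank, non-comment lines of an authorized_keys-style file."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return {ln.strip() for ln in fh
                    if ln.strip() and not ln.lstrip().startswith("#")}
    except OSError:
        return set()  # a missing or unreadable file contributes no keys

def stranded_keys(home):
    """Entries present only in ~/.ssh/authorized_keys2 for this home directory."""
    ssh_dir = os.path.join(home, ".ssh")
    primary = key_entries(os.path.join(ssh_dir, "authorized_keys"))
    legacy = key_entries(os.path.join(ssh_dir, "authorized_keys2"))
    return sorted(legacy - primary)

def audit(homes):
    """Map each home directory to its stranded entries; clean homes are omitted."""
    report = {}
    for home in homes:
        keys = stranded_keys(home)
        if keys:
            report[home] = keys
    return report

def build_sample(root):
    """Constructed sample: two fake homes with placeholder key strings."""
    layout = {
        "alice": {"authorized_keys": "ssh-ed25519 AAAA-constructed-1 alice@laptop\n",
                  "authorized_keys2": "ssh-ed25519 AAAA-constructed-1 alice@laptop\n"},
        "bob": {"authorized_keys2": "# old key\nssh-rsa AAAA-constructed-2 bob@desktop\n"},
    }
    homes = []
    for user, files in layout.items():
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        for name, body in files.items():
            with open(os.path.join(ssh_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        homes.append(os.path.join(root, user))
    return homes

if __name__ == "__main__":
    # On a real host, pass the home directories from pwd.getpwall() instead.
    with tempfile.TemporaryDirectory() as root:
        for home, keys in audit(build_sample(root)).items():
            print(f"{home}: {len(keys)} key(s) only in authorized_keys2")
```

Entries it reports can be appended to the user's `authorized_keys` before the upgrade.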