
Bug#852320: openssh-server: install script silently overrides config



2017-01-24 14:54 GMT+03:00 Colin Watson <cjwatson@debian.org>:
> Control: severity -1 serious
>
> On Mon, Jan 23, 2017 at 06:15:02PM +0300, Andrey Jr. Melnikov wrote:
>> Package: openssh-server
>> Version: 1:7.4p1-6
>> Severity: grave
>> Justification: renders package unusable
>
> This is a problem for some upgraded systems, but it doesn't render the
> package unusable.

This renders the server unusable. Do you want to travel 2500 km to the
server to rename ONE file? I don't.

>> Upgrading openssh-server from jessie (1:6.7p1-5+deb8u3 -> 1:7.3p1-5 -> 1:7.4p1-6) silently overwrites the unmodified config,
>> which leads to an unintended change of the commented ``AuthorizedKeysFile'' option.
>>
>> -- cut--
>> -#AuthorizedKeysFile  %h/.ssh/authorized_keys
>> +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
>> +# but this is overridden so installations will only check .ssh/authorized_keys
>> +AuthorizedKeysFile   .ssh/authorized_keys
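
Review bot: The active "AuthorizedKeysFile .ssh/authorized_keys" on the last added line drops .ssh/authorized_keys2 from the lookup with no transition, so an account whose keys are only in that file loses key-based login after the upgrade. The two added comment lines document the override inside the file, but nothing surfaces it to the admin at upgrade time. Consider listing both paths for a transition period ("AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2"), or having the upgrade warn when an authorized_keys2 file is present.
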
>> -- cut --
>>
>> This disallows reading ~/.ssh/authorized_keys2 and breaks remote login without any notice.
>
> It appears to be upstream's intent to gradually phase out this file:
>   https://anongit.mindrot.org/openssh.git/commit/?id=d8478b6a9b32760d47c2419279c4a73f5f88fdb6
>
> ... so I'm somewhat reluctant to deviate from the upstream default and
> just re-enable this, as it will probably go away eventually.  Would it
> be acceptable to add a NEWS file entry documenting this change, and
> perhaps a release notes entry?  That would give you a chance to make
> adjustments before upgrading.

From my point of view, it would be better to:
a) discard upstream changes in config.
b) notify admin about renaming ~/.ssh/authorized_keys2 to ~/.ssh/authorized_keys
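
A pre-upgrade check for the breakage reported in this thread, as an added example that is not part of the original messages or of the Debian package: it lists accounts whose keys exist only in ~/.ssh/authorized_keys2. The function names and the sample home directories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts whose keys live only in
# ~/.ssh/authorized_keys2 and would stop working once sshd_config carries
# "AuthorizedKeysFile .ssh/authorized_keys".

# Print "keytype base64blob" for each key line of FILE, sorted and unique.
# Options before the key and the trailing comment are ignored. Limitation:
# a quoted option value containing a separate "ssh-..." word is misread.
key_blobs() {
    [ -r "$1" ] || return 0
    awk 'NF && $1 !~ /^#/ {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
    }' "$1" | LC_ALL=C sort -u
}

# Print the keys of home dir $1 found in authorized_keys2 but not authorized_keys.
stranded_keys() {
    [ -f "$1/.ssh/authorized_keys2" ] || return 0
    tmp=$(mktemp) || return 1
    key_blobs "$1/.ssh/authorized_keys" > "$tmp"
    key_blobs "$1/.ssh/authorized_keys2" | LC_ALL=C comm -13 "$tmp" -
    rm -f "$tmp"
}

# Report every home directory given as an argument that has stranded keys.
audit_homes() {
    for home in "$@"; do
        keys=$(stranded_keys "$home")
        [ -z "$keys" ] || printf '%s: %s key(s) only in authorized_keys2\n' \
            "$home" "$(printf '%s\n' "$keys" | wc -l | tr -d ' ')"
    done
}

# Constructed sample data: alice is affected, bob has the same key in both files.
make_demo_homes() {
    mkdir -p "$1/alice/.ssh" "$1/bob/.ssh"
    echo 'ssh-ed25519 AAAAC3ConstructedKeyOne alice@laptop' > "$1/alice/.ssh/authorized_keys"
    printf '%s\n' '# old file' 'no-pty ssh-rsa AAAAB3ConstructedKeyTwo alice@old' \
        'ssh-ed25519 AAAAC3ConstructedKeyOne dup' > "$1/alice/.ssh/authorized_keys2"
    echo 'ssh-rsa AAAAB3ConstructedKeyThree bob@pc' > "$1/bob/.ssh/authorized_keys"
    cp "$1/bob/.ssh/authorized_keys" "$1/bob/.ssh/authorized_keys2"
}

demo=$(mktemp -d) && make_demo_homes "$demo" && audit_homes "$demo"/*
rm -rf "$demo"
```

On a real host, pass the actual home directories to audit_homes (for example /home/* and /root) before upgrading.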

