Package: openssh-server
Version: 1:4.6p1-1
Severity: grave
Justification: renders package unusable
After upgrading to 1:4.6p1-1 from 1:4.3p2-11, I can no longer login to my
machine using password-based authentication. I've experienced this on two
different machines now, leading me to file this report. I've compared
the new
versions of /etc/ssh/sshd_config and /etc/pam.d/ssh to the versions prior to
the upgrade, but they're completely identical. Private key
authentication still
appears to work.
I've also noticed (on both machines) that following the upgrade, I see
this in
my auth.log when sshd starts up:
Jun 15 01:41:09 localhost sshd[11004]: Received signal 15; terminating.
Jun 15 01:41:09 localhost sshd[23456]: Server listening on :: port 22.
Jun 15 01:41:09 localhost sshd[23456]: error: Bind to port 22 on 0.0.0.0
failed:
Address already in use.
The error is new to this version. This may be a red herring, though.
Here are the contents of my sshd_config file:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.20-1-k7 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf 1.5.13 Debian configuration
management sy
ii dpkg 1.14.4 package maintenance system
for Deb
ii libc6 2.5-11 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description
library
ii libkrb53 1.6.dfsg.1-4 MIT Kerberos runtime libraries
ii libpam-m 0.79-4 Pluggable Authentication
Modules f
ii libpam-r 0.79-4 Runtime support for the PAM
librar
ii libpam0g 0.79-4 Pluggable Authentication
Modules l
ii libselin 2.0.15-2 SELinux shared libraries
ii libssl0. 0.9.8e-5 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP
wrappers libra
ii lsb-base 3.1-23.1 Linux Standard Base 3.1
init scrip
ii openssh- 1:4.6p1-1 secure shell client, an
rlogin/rsh
ii zlib1g 1:1.2.3-15 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
