Bug#856816: unblock: openssh/1:7.4p1-7

2017-03-04 Thread Colin Watson
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock openssh, which I've just uploaded.  This fixes two RC
bugs, and nothing else.

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm   2017-01-16 15:08:11.0 +
+++ openssh-7.4p1/debian/.git-dpm   2017-03-05 02:11:08.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3f1016b4535faf6e48aa71e21569aa714a25193f
-3f1016b4535faf6e48aa71e21569aa714a25193f
+e18d2ba71e6bf009c53e65509da84b712c300471
+e18d2ba71e6bf009c53e65509da84b712c300471
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS
--- openssh-7.4p1/debian/NEWS   2017-01-16 15:08:11.0 +
+++ openssh-7.4p1/debian/NEWS   2017-03-05 02:12:42.0 +
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+  This version restores the default for AuthorizedKeysFile to search both
+  ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+  Debian configurations before 1:7.4p1-1.  Upstream intends to phase out
+  searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+  you are only using ~/.ssh/authorized_keys, at least for critical
+  administrative access; do not assume that the current default will remain
+  in place forever.
+
+ -- Colin Watson   Sun, 05 Mar 2017 02:12:42 +
+
 openssh (1:7.4p1-1) unstable; urgency=medium
 
   OpenSSH 7.4 includes a number of changes that may affect existing
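Review bot: The added NEWS paragraph says the default for AuthorizedKeysFile is restored, but that only holds where sshd_config leaves the directive unset. A configuration that still carries the uncommented "AuthorizedKeysFile .ssh/authorized_keys" line, which restore-authorized_keys2.patch removes from the shipped sshd_config, will keep ignoring ~/.ssh/authorized_keys2 after the upgrade. Suggest adding a sentence asking administrators to check for an explicit AuthorizedKeysFile setting, so that the set of keys they believe grants access matches the files sshd actually reads.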
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog  2017-01-16 15:11:10.0 +
+++ openssh-7.4p1/debian/changelog  2017-03-05 02:12:42.0 +
@@ -1,3 +1,15 @@
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+  * Don't set "PermitRootLogin yes" on fresh installations (regression
+introduced in 1:7.4p1-1; closes: #852781).
+  * Restore reading authorized_keys2 by default.  Upstream seems to intend
+to gradually phase this out, so don't assume that this will remain the
+default forever.  However, we were late in adopting the upstream
+sshd_config changes, so it makes sense to extend the grace period
+(closes: #852320).
+
+ -- Colin Watson   Sun, 05 Mar 2017 02:12:42 +
+
 openssh (1:7.4p1-6) unstable; urgency=medium
 
   * Remove temporary file on exit from postinst (closes: #850275).
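Review bot: The first item of the new changelog entry speaks only of fresh installations and does not say what happens to systems that were freshly installed from 1:7.4p1-1 onwards and may already have "PermitRootLogin yes" in their configuration. Suggest stating whether the upgrade corrects those systems or leaves them untouched, and in the latter case adding a NEWS paragraph asking administrators to review PermitRootLogin, since the NEWS entry in this upload mentions only authorized_keys2.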
diff -Nru openssh-7.4p1/debian/openssh-server.templates 
openssh-7.4p1/debian/openssh-server.templates
--- openssh-7.4p1/debian/openssh-server.templates   2017-01-16 
15:08:11.0 +
+++ openssh-7.4p1/debian/openssh-server.templates   2017-03-05 
02:11:08.0 +
@@ -1,6 +1,6 @@
 Template: openssh-server/permit-root-login
 Type: boolean
-Default: false
+Default: true
 _Description: Disable SSH password authentication for root?
  Previous versions of openssh-server permitted logging in as root over SSH
  using password authentication. The default for new installations is now
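Review bot: The Default line flips from false to true under a template named openssh-server/permit-root-login whose question reads "Disable SSH password authentication for root?", so the template name and the question have opposite polarity and the meaning of "true" is easy to misread. The maintainer-script code that consumes this answer is not part of the diff, so it cannot be confirmed from here that "true" maps to the restrictive setting on a fresh install. Suggest confirming that with a fresh-install test and recording, where the answer is consumed, which PermitRootLogin value each answer produces.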
diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 
openssh-7.4p1/debian/patches/restore-authorized_keys2.patch
--- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 1970-01-01 
01:00:00.0 +0100
+++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 2017-03-05 
02:11:09.0 +
@@ -0,0 +1,35 @@
+From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From: Colin Watson 
+Date: Sun, 5 Mar 2017 02:02:11 +
+Subject: Restore reading authorized_keys2 by default
+
+Upstream seems to intend to gradually phase this out, so don't assume
+that this will remain the default forever.  However, we were late in
+adopting the upstream sshd_config changes, so it makes sense to extend
+the grace period.
+
+Bug-Debian: https://bugs.debian.org/852320
+Forwarded: not-needed
+Last-Update: 2017-03-05
+
+Patch-Name: restore-authorized_keys2.patch
+---
+ sshd_config | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sshd_config b/sshd_config
+index 4aea6c72..bcf3ac17 100644
+--- a/sshd_config
 b/sshd_config
+@@ -36,9 +36,8 @@
+ 
+ #PubkeyAuthentication yes
+ 
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile.ssh/authorized_keys
++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
++#AuthorizedKeysFile   .ssh/authorized_keys .ssh/authorized_keys2
+ 
+ #AuthorizedPrincipalsFile none
+ 
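Review bot: In the sshd_config hunk, the two removed comment lines stated what the default is, while the replacement comment states only what to expect in future, leaving the reader to infer the current behaviour from the commented-out directive. Suggest keeping a statement of the present default in the comment, for example "The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2, but expect .ssh/authorized_keys2 to be disregarded by default in future."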
diff -Nru openssh-7.4p1/debian/patches/series 
openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-01-16 15:08:11.0 +
+++ openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.0 +
@@ -29,3 +29,4 @@
 regress-mktemp.patch
 sandbox-x32-workaroun

Bug#856816: unblock: openssh/1:7.4p1-7

2017-03-04 Thread Niels Thykier
Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock openssh, which I've just uploaded.  This fixes two RC
> bugs, and nothing else.
> 

Hi,

Looks good to me. - CC'ing KiBi for a d-i ack.  Quote in full for his sake.

> diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
> --- openssh-7.4p1/debian/.git-dpm 2017-01-16 15:08:11.0 +
> +++ openssh-7.4p1/debian/.git-dpm 2017-03-05 02:11:08.0 +
> @@ -1,6 +1,6 @@
>  # see git-dpm(1) from git-dpm package
> -3f1016b4535faf6e48aa71e21569aa714a25193f
> -3f1016b4535faf6e48aa71e21569aa714a25193f
> +e18d2ba71e6bf009c53e65509da84b712c300471
> +e18d2ba71e6bf009c53e65509da84b712c300471
>  971a7653746a6972b907dfe0ce139c06e4a6f482
>  971a7653746a6972b907dfe0ce139c06e4a6f482
>  openssh_7.4p1.orig.tar.gz
> diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS
> --- openssh-7.4p1/debian/NEWS 2017-01-16 15:08:11.0 +
> +++ openssh-7.4p1/debian/NEWS 2017-03-05 02:12:42.0 +
> @@ -1,3 +1,15 @@
> +openssh (1:7.4p1-7) unstable; urgency=medium
> +
> +  This version restores the default for AuthorizedKeysFile to search both
> +  ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
> +  Debian configurations before 1:7.4p1-1.  Upstream intends to phase out
> +  searching ~/.ssh/authorized_keys2 by default, so you should ensure that
> +  you are only using ~/.ssh/authorized_keys, at least for critical
> +  administrative access; do not assume that the current default will remain
> +  in place forever.
> +
> + -- Colin Watson   Sun, 05 Mar 2017 02:12:42 +
> +
>  openssh (1:7.4p1-1) unstable; urgency=medium
>  
>OpenSSH 7.4 includes a number of changes that may affect existing
> diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
> --- openssh-7.4p1/debian/changelog2017-01-16 15:11:10.0 +
> +++ openssh-7.4p1/debian/changelog2017-03-05 02:12:42.0 +
> @@ -1,3 +1,15 @@
> +openssh (1:7.4p1-7) unstable; urgency=medium
> +
> +  * Don't set "PermitRootLogin yes" on fresh installations (regression
> +introduced in 1:7.4p1-1; closes: #852781).
> +  * Restore reading authorized_keys2 by default.  Upstream seems to intend
> +to gradually phase this out, so don't assume that this will remain the
> +default forever.  However, we were late in adopting the upstream
> +sshd_config changes, so it makes sense to extend the grace period
> +(closes: #852320).
> +
> + -- Colin Watson   Sun, 05 Mar 2017 02:12:42 +
> +
>  openssh (1:7.4p1-6) unstable; urgency=medium
>  
>* Remove temporary file on exit from postinst (closes: #850275).
> diff -Nru openssh-7.4p1/debian/openssh-server.templates 
> openssh-7.4p1/debian/openssh-server.templates
> --- openssh-7.4p1/debian/openssh-server.templates 2017-01-16 
> 15:08:11.0 +
> +++ openssh-7.4p1/debian/openssh-server.templates 2017-03-05 
> 02:11:08.0 +
> @@ -1,6 +1,6 @@
>  Template: openssh-server/permit-root-login
>  Type: boolean
> -Default: false
> +Default: true
>  _Description: Disable SSH password authentication for root?
>   Previous versions of openssh-server permitted logging in as root over SSH
>   using password authentication. The default for new installations is now
> diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 
> openssh-7.4p1/debian/patches/restore-authorized_keys2.patch
> --- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch   
> 1970-01-01 01:00:00.0 +0100
> +++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch   
> 2017-03-05 02:11:09.0 +
> @@ -0,0 +1,35 @@
> +From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
> +From: Colin Watson 
> +Date: Sun, 5 Mar 2017 02:02:11 +
> +Subject: Restore reading authorized_keys2 by default
> +
> +Upstream seems to intend to gradually phase this out, so don't assume
> +that this will remain the default forever.  However, we were late in
> +adopting the upstream sshd_config changes, so it makes sense to extend
> +the grace period.
> +
> +Bug-Debian: https://bugs.debian.org/852320
> +Forwarded: not-needed
> +Last-Update: 2017-03-05
> +
> +Patch-Name: restore-authorized_keys2.patch
> +---
> + sshd_config | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +diff --git a/sshd_config b/sshd_config
> +index 4aea6c72..bcf3ac17 100644
> +--- a/sshd_config
>  b/sshd_config
> +@@ -36,9 +36,8 @@
> + 
> + #PubkeyAuthentication yes
> + 
> +-# The default is to check both .ssh/authorized_keys and 
> .ssh/authorized_keys2
> +-# but this is overridden so installations will only check 
> .ssh/authorized_keys
> +-AuthorizedKeysFile  .ssh/authorized_keys
> ++# Expect .ssh/authorized_keys2 to be disregarded by default in future.
> ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
> + 
> + #Authorize

Bug#856816: unblock: openssh/1:7.4p1-7

2017-03-05 Thread Cyril Brulebois
Niels Thykier  (2017-03-05):
> Looks good to me. - CC'ing KiBi for a d-i ack.  Quote in full for his sake.

Sure, go ahead.


KiBi.

