Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

After talking with Daniel, we agreed to update the patch for this (non-critical security) bug via spu. This will allow building the next debian-live without the vulnerability.

The problem is the following: Debian-live allows SSH access with default user and password. The patch disables ssh password authentication.

The debdiff is attached.

Thanks!
/luciano

diff -Nru live-config-3.0.23/debian/changelog live-config-3.0.23/debian/changelog
--- live-config-3.0.23/debian/changelog 2013-04-25 19:36:15.000000000 +0200
+++ live-config-3.0.23/debian/changelog 2014-08-26 00:48:24.000000000 +0200
@@ -1,3 +1,10 @@
+live-config (3.0.23-1+deb7u1) wheezy-proposed-updates; urgency=medium
+
+ * Non-maintainer upload.
+ * Disbaling ssh password authentication by default (Closes: #741678)
+
+ -- Luciano Bello <luci...@debian.org> Tue, 26 Aug 2014 00:44:04 +0200
+
live-config (3.0.23-1) unstable; urgency=low
* Loading fglrx module with --ignore-install like the nvidia ones too.
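Review bot: Typo in the new changelog entry: "Disbaling" should read "Disabling" in the line that closes #741678. It would also help readers of the stable update if the entry named the script being changed (scripts/config/1170-openssh-server) and the new patch file, since the entry currently gives only the effect.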
diff -Nru live-config-3.0.23/debian/patches/PasswordAuthentication_no live-config-3.0.23/debian/patches/PasswordAuthentication_no
--- live-config-3.0.23/debian/patches/PasswordAuthentication_no 1970-01-01 01:00:00.000000000 +0100
+++ live-config-3.0.23/debian/patches/PasswordAuthentication_no 2014-08-26 00:43:49.000000000 +0200
@@ -0,0 +1,11 @@
+--- a/scripts/config/1170-openssh-server
++++ b/scripts/config/1170-openssh-server
+@@ -35,6 +35,8 @@
+ fi
+ done
+
++ sed -i -e 's|#\(PasswordAuthentication\) yes|\1 no|' /etc/ssh/sshd_config
++
+ case "${_SSH}" in
+ true)
+ # Creating state file
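Review bot: The sed pattern in the added line matches only the literal commented default "#PasswordAuthentication yes", so an sshd_config where the directive is already uncommented, has a space after the "#", or is missing altogether is left unchanged and password logins stay enabled. Consider matching both the commented and uncommented forms and appending "PasswordAuthentication no" when nothing matched. The substitution is also placed ahead of the case on "${_SSH}", so at this point it is not conditional on that value, and no check that /etc/ssh/sshd_config exists is visible in the context lines. Separately, the new patch file starts directly at the "---" header with no description, author or bug reference.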
diff -Nru live-config-3.0.23/debian/patches/series live-config-3.0.23/debian/patches/series
--- live-config-3.0.23/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ live-config-3.0.23/debian/patches/series 2014-08-26 00:43:09.000000000 +0200
@@ -0,0 +1 @@
+PasswordAuthentication_no
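
An added example, not part of the original message or of live-config: it runs the patch's sed expression and a hypothetical stricter variant (enforce_no) over constructed sshd_config contents and reports the PasswordAuthentication value sshd would end up with. It assumes GNU sed (as on Debian) and a config without Match or Include directives; all function names are illustrative.

```shell
#!/bin/sh
# Added example: the substitution from the patch next to a stricter variant,
# evaluated on constructed one-line sshd_config samples.

# The sed expression exactly as it appears in the patch.
page_sed() {
    sed -i -e 's|#\(PasswordAuthentication\) yes|\1 no|' "$1"
}

# Hypothetical stricter variant: rewrite any existing directive line,
# commented or not and in any letter case, then append the directive
# if the file still does not contain it.
enforce_no() {
    sed -i -e 's|^[[:space:]]*#*[[:space:]]*PasswordAuthentication[[:space:]].*|PasswordAuthentication no|I' "$1"
    grep -q '^PasswordAuthentication no$' "$1" || echo 'PasswordAuthentication no' >> "$1"
}

# Value sshd would use: keywords are case-insensitive, the first uncommented
# occurrence wins, and OpenSSH's built-in default is "yes" when it is absent.
effective() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    echo "${v:-yes}"
}

# try <fixer> <constructed config text>: prints the resulting effective value.
try() {
    f=$(mktemp)
    printf '%s\n' "$2" > "$f"
    "$1" "$f"
    effective "$f"
    rm -f "$f"
}

# Constructed samples: stock commented default, already uncommented,
# space after the '#', lowercase keyword, and directive missing.
for cfg in '#PasswordAuthentication yes' 'PasswordAuthentication yes' \
           '# PasswordAuthentication yes' 'passwordauthentication yes' ''; do
    printf '%-32s patch=%-3s strict=%s\n' "[$cfg]" \
        "$(try page_sed "$cfg")" "$(try enforce_no "$cfg")"
done
```

Only the first sample, the stock commented default, ends up with password authentication disabled by the patch's expression; the stricter variant disables it for every sample.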