Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock openssh, which I've just uploaded. This fixes two RC bugs, and nothing else. diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm --- openssh-7.4p1/debian/.git-dpm 2017-01-16 15:08:11.000000000 +0000 +++ openssh-7.4p1/debian/.git-dpm 2017-03-05 02:11:08.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -3f1016b4535faf6e48aa71e21569aa714a25193f -3f1016b4535faf6e48aa71e21569aa714a25193f +e18d2ba71e6bf009c53e65509da84b712c300471 +e18d2ba71e6bf009c53e65509da84b712c300471 971a7653746a6972b907dfe0ce139c06e4a6f482 971a7653746a6972b907dfe0ce139c06e4a6f482 openssh_7.4p1.orig.tar.gz diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS --- openssh-7.4p1/debian/NEWS 2017-01-16 15:08:11.000000000 +0000 +++ openssh-7.4p1/debian/NEWS 2017-03-05 02:12:42.000000000 +0000 @@ -1,3 +1,15 @@ +openssh (1:7.4p1-7) unstable; urgency=medium + + This version restores the default for AuthorizedKeysFile to search both + ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in + Debian configurations before 1:7.4p1-1. Upstream intends to phase out + searching ~/.ssh/authorized_keys2 by default, so you should ensure that + you are only using ~/.ssh/authorized_keys, at least for critical + administrative access; do not assume that the current default will remain + in place forever. + + -- Colin Watson <cjwat...@debian.org> Sun, 05 Mar 2017 02:12:42 +0000 + openssh (1:7.4p1-1) unstable; urgency=medium OpenSSH 7.4 includes a number of changes that may affect existing diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog --- openssh-7.4p1/debian/changelog 2017-01-16 15:11:10.000000000 +0000 +++ openssh-7.4p1/debian/changelog 2017-03-05 02:12:42.000000000 +0000 
@@ -1,3 +1,15 @@ +openssh (1:7.4p1-7) unstable; urgency=medium + + * Don't set "PermitRootLogin yes" on fresh installations (regression + introduced in 1:7.4p1-1; closes: #852781). + * Restore reading authorized_keys2 by default. Upstream seems to intend + to gradually phase this out, so don't assume that this will remain the + default forever. However, we were late in adopting the upstream + sshd_config changes, so it makes sense to extend the grace period + (closes: #852320). + + -- Colin Watson <cjwat...@debian.org> Sun, 05 Mar 2017 02:12:42 +0000 + openssh (1:7.4p1-6) unstable; urgency=medium * Remove temporary file on exit from postinst (closes: #850275). diff -Nru openssh-7.4p1/debian/openssh-server.templates openssh-7.4p1/debian/openssh-server.templates --- openssh-7.4p1/debian/openssh-server.templates 2017-01-16 15:08:11.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server.templates 2017-03-05 02:11:08.000000000 +0000 @@ -1,6 +1,6 @@ Template: openssh-server/permit-root-login Type: boolean -Default: false +Default: true _Description: Disable SSH password authentication for root? Previous versions of openssh-server permitted logging in as root over SSH using password authentication. The default for new installations is now diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch openssh-7.4p1/debian/patches/restore-authorized_keys2.patch --- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch 2017-03-05 02:11:09.000000000 +0000 
@@ -0,0 +1,35 @@ +From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001 +From: Colin Watson <cjwat...@debian.org> +Date: Sun, 5 Mar 2017 02:02:11 +0000 +Subject: Restore reading authorized_keys2 by default + +Upstream seems to intend to gradually phase this out, so don't assume +that this will remain the default forever. However, we were late in +adopting the upstream sshd_config changes, so it makes sense to extend +the grace period. + +Bug-Debian: https://bugs.debian.org/852320 +Forwarded: not-needed +Last-Update: 2017-03-05 + +Patch-Name: restore-authorized_keys2.patch +--- + sshd_config | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sshd_config b/sshd_config +index 4aea6c72..bcf3ac17 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -36,9 +36,8 @@ + + #PubkeyAuthentication yes + +-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++# Expect .ssh/authorized_keys2 to be disregarded by default in future. ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + + #AuthorizedPrincipalsFile none + diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series --- openssh-7.4p1/debian/patches/series 2017-01-16 15:08:11.000000000 +0000 +++ openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.000000000 +0000 @@ -29,3 +29,4 @@ regress-mktemp.patch sandbox-x32-workaround.patch no-dsa-host-key-by-default.patch +restore-authorized_keys2.patch unblock openssh/1:7.4p1-7 Thanks, -- Colin Watson [cjwat...@debian.org]
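Review bot: In debian/openssh-server.templates the template is named openssh-server/permit-root-login while its question reads "Disable SSH password authentication for root?", so the flipped "Default: true" means the opposite of what the name suggests. The diff does not show the maintainer-script code that consumes this value, so the link between this default and the changelog's "Don't set "PermitRootLogin yes" on fresh installations" cannot be checked from the patch alone. A short remark in the changelog entry that true here means "disable" would make the fix easier to verify.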
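Review bot: In the sshd_config hunk of restore-authorized_keys2.patch, the replacement comment "Expect .ssh/authorized_keys2 to be disregarded by default in future." no longer states what the current default is, and the AuthorizedKeysFile line is now commented out, so a reader of the shipped file has to infer that both files are searched. Suggest keeping a sentence such as "The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2" ahead of the deprecation warning, since keys left in authorized_keys2 still grant access and are easy to miss when auditing accounts.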
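Review bot: The debian/NEWS entry for 1:7.4p1-7 tells administrators to ensure they only use ~/.ssh/authorized_keys but does not say how to stop sshd searching ~/.ssh/authorized_keys2 in the meantime. Suggest adding that setting "AuthorizedKeysFile .ssh/authorized_keys" explicitly in sshd_config keeps the single-file behaviour, which is the line the sshd_config hunk in this upload removes.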