Control: severity -1 serious

On Mon, Jan 23, 2017 at 06:15:02PM +0300, Andrey Jr. Melnikov wrote:
> Package: openssh-server
> Version: 1:7.4p1-6
> Severity: grave
> Justification: renders package unusable

This is a problem for some upgraded systems, but it doesn't render the package unusable.

> upgrade openssh-server from jessie (1:6.7p1-5+deb8u3 -> 1:7.3p1-5 ->
> 1:7.4p1-6) silently overwrites the unmodified config,
> which leads to an unintended change of the commented ``AuthorizedKeysFile'' option.
>
> -- cut--
> -#AuthorizedKeysFile %h/.ssh/authorized_keys
> +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> +# but this is overridden so installations will only check
> .ssh/authorized_keys
> +AuthorizedKeysFile .ssh/authorized_keys
> -- cut --
>
> This disallows reading ~/.ssh/authorized_keys2 and breaks remote login without
> any notice.

It appears to be upstream's intent to gradually phase out this file:

  https://anongit.mindrot.org/openssh.git/commit/?id=d8478b6a9b32760d47c2419279c4a73f5f88fdb6

... so I'm somewhat reluctant to deviate from the upstream default and just re-enable this, as it will probably go away eventually.

Would it be acceptable to add a NEWS file entry documenting this change, and perhaps a release notes entry? That would give you a chance to make adjustments before upgrading.

-- 
Colin Watson [cjwat...@debian.org]
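Review bot: the `+AuthorizedKeysFile .ssh/authorized_keys` line narrows key lookup from the two-file default that the added comment itself names (`.ssh/authorized_keys` and `.ssh/authorized_keys2`) to a single file, so any account whose keys live only in `authorized_keys2` loses access after the upgrade with nothing logged to explain it. Since `AuthorizedKeysFile` takes a space-separated list, the comment should at least tell administrators who depend on `authorized_keys2` to set `AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2` (or the NEWS/release-notes entry proposed in the reply should say so) before the config replacement reaches them.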
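An added pre-upgrade audit for the situation the report describes (my script, not anything from the bug report or the Debian package): it reads the effective `AuthorizedKeysFile` list from an sshd_config and lists home directories whose `~/.ssh/authorized_keys2` would no longer be consulted. It assumes a global config without Match blocks and without the `Key=value` spelling, and that with no active directive sshd falls back to its compiled-in default of both files.

```shell
#!/bin/sh
# Pre-upgrade audit (added example, not part of the bug report or the package):
# which home directories keep keys only in ~/.ssh/authorized_keys2 that the
# given sshd_config will NOT read?
# Assumptions: plain global config (no Match blocks, no "Key=value" form);
# with no active AuthorizedKeysFile line, sshd's compiled-in default is
# ".ssh/authorized_keys .ssh/authorized_keys2".

# Print the effective AuthorizedKeysFile token list for a config file
# (first active directive wins; "#AuthorizedKeysFile ..." is a comment).
effective_authorized_keys_files() {
    tokens=$(awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1")
    if [ -z "$tokens" ]; then
        echo ".ssh/authorized_keys .ssh/authorized_keys2"
    else
        echo "$tokens"
    fi
}

# Expand one token the way sshd does for a home dir and user name:
# %h -> home, %u -> user, %% -> %; relative paths are relative to home.
expand_token() {
    tok=$1; home=$2; user=$3
    tok=$(printf '%s' "$tok" | sed -e "s|%h|$home|g" -e "s|%u|$user|g" -e 's|%%|%|g')
    case $tok in
        /*) printf '%s\n' "$tok" ;;
        *)  printf '%s/%s\n' "$home" "$tok" ;;
    esac
}

# Usage: keys2_orphans sshd_config HOME...   (user name = basename of HOME)
# Prints each HOME whose .ssh/authorized_keys2 exists but would not be read.
keys2_orphans() {
    cfg=$1; shift
    tokens=$(effective_authorized_keys_files "$cfg")
    for home in "$@"; do
        k2="$home/.ssh/authorized_keys2"
        [ -f "$k2" ] || continue
        user=$(basename "$home")
        consulted=no
        for tok in $tokens; do
            [ "$(expand_token "$tok" "$home" "$user")" = "$k2" ] && consulted=yes
        done
        [ "$consulted" = no ] && echo "$home"
    done
    return 0
}
```

Run it as `keys2_orphans /etc/ssh/sshd_config /home/*` on the new config before letting the upgrade restart sshd; any home it prints needs its keys merged into `authorized_keys` or the directive widened to list both files.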