2017-01-24 14:54 GMT+03:00 Colin Watson <cjwat...@debian.org>:
> Control: severity -1 serious
>
> On Mon, Jan 23, 2017 at 06:15:02PM +0300, Andrey Jr. Melnikov wrote:
>> Package: openssh-server
>> Version: 1:7.4p1-6
>> Severity: grave
>> Justification: renders package unusable
>
> This is a problem for some upgraded systems, but it doesn't render the
> package unusable.

This renders the server unusable. Do you want to travel 2500km to the server to rename ONE file? I don't.

>> upgrade openssh-server from jessie (1:6.7p1-5+deb8u3 -> 1:7.3p1-5 ->
>> 1:7.4p1-6) silently overwrites unmodified config,
>> that leads to an unintended change of the commented ``AuthorizedKeysFile'' option.
>>
>> -- cut--
>> -#AuthorizedKeysFile %h/.ssh/authorized_keys
>> +# The default is to check both .ssh/authorized_keys and
>> .ssh/authorized_keys2
>> +# but this is overridden so installations will only check
>> .ssh/authorized_keys
>> +AuthorizedKeysFile .ssh/authorized_keys
>> -- cut --
>>
>> This disallows reading ~/.ssh/authorized_keys2 and breaks remote login without
>> any notice.
>
> It appears to be upstream's intent to gradually phase out this file:
>
> https://anongit.mindrot.org/openssh.git/commit/?id=d8478b6a9b32760d47c2419279c4a73f5f88fdb6
>
> ... so I'm somewhat reluctant to deviate from the upstream default and
> just re-enable this, as it will probably go away eventually. Would it
> be acceptable to add a NEWS file entry documenting this change, and
> perhaps a release notes entry? That would give you a chance to make
> adjustments before upgrading.

From my point of view, it would be better to:
a) discard upstream changes in config.
b) notify admin about renaming ~/.ssh/authorized_keys2 to ~/.ssh/authorized_keys
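
Review bot: in the quoted config hunk, the added `AuthorizedKeysFile .ssh/authorized_keys` line turns a commented-out setting into an active override that no longer names `.ssh/authorized_keys2`, and the only explanation is the two comment lines above it, which an admin sees inside the config file after the upgrade has already been applied. If the override stays, it needs an upgrade-time notice such as the NEWS entry discussed in this thread. Alternatively, naming both files on that line, `AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2`, keeps existing logins working.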
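
A pre-upgrade check for the breakage described in this thread, as an added example that is not part of the original message or of the Debian package: it lists accounts with a non-empty `~/.ssh/authorized_keys2` when the active `AuthorizedKeysFile` line no longer names that file. The function name `keys2_at_risk` and its two path parameters are assumptions of this example, and `Match` blocks and `%h`/`%u` token expansion are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts that have a non-empty
# ~/.ssh/authorized_keys2 while sshd_config no longer tells sshd to read it.
# Usage: keys2_at_risk PASSWD_FILE SSHD_CONFIG
#   e.g. keys2_at_risk /etc/passwd /etc/ssh/sshd_config
# Both paths are parameters so the check can be run against copies.
# Simplification: only the global section is inspected, Match blocks are ignored.
keys2_at_risk() {
    passwd_file=$1
    sshd_config=$2

    # First active (uncommented) AuthorizedKeysFile line.
    # sshd_config keywords are case-insensitive, hence grep -i.
    directive=$(grep -Ei '^[[:space:]]*AuthorizedKeysFile[[:space:]]' \
        "$sshd_config" | head -n 1)

    # No active directive: the built-in default applies, which (per the
    # comment in the shipped config) checks both files. Nothing to report.
    [ -n "$directive" ] || return 0

    # The directive still names authorized_keys2. Nothing to report.
    case $directive in
        *authorized_keys2*) return 0 ;;
    esac

    # Otherwise print "user<TAB>path" for every account whose home directory
    # holds a non-empty authorized_keys2 that sshd would stop reading.
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$home" ] || continue
        if [ -s "$home/.ssh/authorized_keys2" ]; then
            printf '%s\t%s\n' "$user" "$home/.ssh/authorized_keys2"
        fi
    done < "$passwd_file"
}
```

Empty output means no account depends on `authorized_keys2` under the inspected configuration.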