Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock openssh, which I've just uploaded. This fixes two RC
> bugs, and nothing else.
>
Hi, Looks good to me. - CC'ing KiBi for a d-i ack. Quote in full for his sake. > diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm > --- openssh-7.4p1/debian/.git-dpm 2017-01-16 15:08:11.000000000 +0000 > +++ openssh-7.4p1/debian/.git-dpm 2017-03-05 02:11:08.000000000 +0000 > @@ -1,6 +1,6 @@ > # see git-dpm(1) from git-dpm package > -3f1016b4535faf6e48aa71e21569aa714a25193f > -3f1016b4535faf6e48aa71e21569aa714a25193f > +e18d2ba71e6bf009c53e65509da84b712c300471 > +e18d2ba71e6bf009c53e65509da84b712c300471 > 971a7653746a6972b907dfe0ce139c06e4a6f482 > 971a7653746a6972b907dfe0ce139c06e4a6f482 > openssh_7.4p1.orig.tar.gz > diff -Nru openssh-7.4p1/debian/NEWS openssh-7.4p1/debian/NEWS > --- openssh-7.4p1/debian/NEWS 2017-01-16 15:08:11.000000000 +0000 > +++ openssh-7.4p1/debian/NEWS 2017-03-05 02:12:42.000000000 +0000 > @@ -1,3 +1,15 @@ > +openssh (1:7.4p1-7) unstable; urgency=medium > + > + This version restores the default for AuthorizedKeysFile to search both > + ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in > + Debian configurations before 1:7.4p1-1. Upstream intends to phase out > + searching ~/.ssh/authorized_keys2 by default, so you should ensure that > + you are only using ~/.ssh/authorized_keys, at least for critical > + administrative access; do not assume that the current default will remain > + in place forever. > + > + -- Colin Watson <cjwat...@debian.org> Sun, 05 Mar 2017 02:12:42 +0000 > + > openssh (1:7.4p1-1) unstable; urgency=medium > > OpenSSH 7.4 includes a number of changes that may affect existing > diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog > --- openssh-7.4p1/debian/changelog 2017-01-16 15:11:10.000000000 +0000 > +++ openssh-7.4p1/debian/changelog 2017-03-05 02:12:42.000000000 +0000 
> @@ -1,3 +1,15 @@ > +openssh (1:7.4p1-7) unstable; urgency=medium > + > + * Don't set "PermitRootLogin yes" on fresh installations (regression > + introduced in 1:7.4p1-1; closes: #852781). > + * Restore reading authorized_keys2 by default. Upstream seems to intend > + to gradually phase this out, so don't assume that this will remain the > + default forever. However, we were late in adopting the upstream > + sshd_config changes, so it makes sense to extend the grace period > + (closes: #852320). > + > + -- Colin Watson <cjwat...@debian.org> Sun, 05 Mar 2017 02:12:42 +0000 > + > openssh (1:7.4p1-6) unstable; urgency=medium > > * Remove temporary file on exit from postinst (closes: #850275). > diff -Nru openssh-7.4p1/debian/openssh-server.templates > openssh-7.4p1/debian/openssh-server.templates > --- openssh-7.4p1/debian/openssh-server.templates 2017-01-16 > 15:08:11.000000000 +0000 > +++ openssh-7.4p1/debian/openssh-server.templates 2017-03-05 > 02:11:08.000000000 +0000 > @@ -1,6 +1,6 @@ > Template: openssh-server/permit-root-login > Type: boolean > -Default: false > +Default: true > _Description: Disable SSH password authentication for root? > Previous versions of openssh-server permitted logging in as root over SSH > using password authentication. The default for new installations is now > diff -Nru openssh-7.4p1/debian/patches/restore-authorized_keys2.patch > openssh-7.4p1/debian/patches/restore-authorized_keys2.patch > --- openssh-7.4p1/debian/patches/restore-authorized_keys2.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ openssh-7.4p1/debian/patches/restore-authorized_keys2.patch > 2017-03-05 02:11:09.000000000 +0000 
> @@ -0,0 +1,35 @@ > +From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001 > +From: Colin Watson <cjwat...@debian.org> > +Date: Sun, 5 Mar 2017 02:02:11 +0000 > +Subject: Restore reading authorized_keys2 by default > + > +Upstream seems to intend to gradually phase this out, so don't assume > +that this will remain the default forever. However, we were late in > +adopting the upstream sshd_config changes, so it makes sense to extend > +the grace period. > + > +Bug-Debian: https://bugs.debian.org/852320 > +Forwarded: not-needed > +Last-Update: 2017-03-05 > + > +Patch-Name: restore-authorized_keys2.patch > +--- > + sshd_config | 5 ++--- > + 1 file changed, 2 insertions(+), 3 deletions(-) > + > +diff --git a/sshd_config b/sshd_config > +index 4aea6c72..bcf3ac17 100644 > +--- a/sshd_config > ++++ b/sshd_config > +@@ -36,9 +36,8 @@ > + > + #PubkeyAuthentication yes > + > +-# The default is to check both .ssh/authorized_keys and > .ssh/authorized_keys2 > +-# but this is overridden so installations will only check > .ssh/authorized_keys > +-AuthorizedKeysFile .ssh/authorized_keys > ++# Expect .ssh/authorized_keys2 to be disregarded by default in future. > ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 > + > + #AuthorizedPrincipalsFile none > + > diff -Nru openssh-7.4p1/debian/patches/series > openssh-7.4p1/debian/patches/series > --- openssh-7.4p1/debian/patches/series 2017-01-16 15:08:11.000000000 > +0000 > +++ openssh-7.4p1/debian/patches/series 2017-03-05 02:11:08.000000000 > +0000 > @@ -29,3 +29,4 @@ > regress-mktemp.patch > sandbox-x32-workaround.patch > no-dsa-host-key-by-default.patch > +restore-authorized_keys2.patch > > unblock openssh/1:7.4p1-7 > > Thanks, > Thanks, ~Niels
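Review bot: In debian/openssh-server.templates, the template is named openssh-server/permit-root-login but its question reads "Disable SSH password authentication for root?", so the new "Default: true" means "disable", the opposite of what the template name suggests. That reading matches the changelog entry for #852781 (don't set "PermitRootLogin yes" on fresh installations), but the maintainer-script code that turns this answer into a PermitRootLogin value is not part of this diff. Please confirm there that an install where the question is never shown now ends up without "PermitRootLogin yes", and consider recording the inverted sense of the answer in the changelog entry so the next reader of this template does not flip it back.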
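Review bot: In the sshd_config hunk of restore-authorized_keys2.patch, the new comment "Expect .ssh/authorized_keys2 to be disregarded by default in future." tells the administrator what will change but not how to get that behaviour today. Since the directive is now shipped commented out, the set of key files that grant access comes from the compiled-in default and includes .ssh/authorized_keys2 again. A second comment line saying that uncommenting the directive with only .ssh/authorized_keys stops sshd from reading .ssh/authorized_keys2 would give people auditing key-based access an obvious way to opt out now.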
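Review bot: The debian/NEWS entry for 1:7.4p1-7 says the AuthorizedKeysFile default is restored, but it does not say that this only takes effect where sshd_config leaves the directive unset. A system whose sshd_config still carries the uncommented "AuthorizedKeysFile .ssh/authorized_keys" line (the one removed in restore-authorized_keys2.patch) would keep ignoring ~/.ssh/authorized_keys2, and nothing in this diff shows such a file being changed on upgrade. One more sentence stating that an explicit AuthorizedKeysFile setting overrides the restored default would cover both groups: users expecting authorized_keys2 to work again, and administrators who want it to stay disabled.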