Your message dated Mon, 8 Apr 2019 22:11:23 +0200
with message-id <[email protected]>
and subject line Re: Bug#926613: openssh-server: Locked out of server after
upgrading to buster.
has caused the Debian Bug report #926613,
regarding openssh-server needs check and update of configuration
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
926613: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926613
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Severity: serious
Justification: Policy 8.2
Dear Maintainer,
Due to a change in how some options are handled in sshd_config, upgrading to
buster can result in the user getting locked out of their system if the config
is not updated.
Probably the most likely cause (and what occurred to me) is if the
PubkeyAcceptedKeyTypes includes ssh-rsa and the admin logs in with an RSA key.
After upgrading, the user will no longer be able to connect to the server.
The solution for this case is to replace ssh-rsa with rsa-sha2-256,rsa-sha2-512.
At the very least this needs to be mentioned in the upgrade instructions in the
release notes for buster.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-47-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_GB:en (charmap=locale: Cannot set LC_MESSAGES to default
locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.6
ii libaudit1 1:2.8.4-2
ii libc6 2.28-8
ii libcom-err2 1.44.5-1
ii libgssapi-krb5-2 1.17-2
ii libkrb5-3 1.17-2
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1b-1
ii libsystemd0 241-1
pn libwrap0 <none>
ii lsb-base 10.2019031300
ii openssh-client 1:7.9p1-9
pn openssh-sftp-server <none>
pn procps <none>
pn ucf <none>
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd 241-1
pn ncurses-term <none>
ii xauth 1:1.0.10-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
--- End Message ---
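A pre-upgrade check for the case the report above describes, as an added example that is not part of the bug report or of any Debian or OpenSSH tooling. The function names and the sample config are constructed for illustration; it assumes a single config file with no Include or Match handling and exact algorithm names.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the sshd_config case in the report.
# Assumptions: one config file, no Include/Match handling, exact algorithm
# names (no wildcard patterns). Function names are hypothetical.

# Print the first PubkeyAcceptedKeyTypes value in the file given as $1.
# Keyword match is case-insensitive; "keyword=value" is handled as well.
pubkey_types() {
    awk '{ sub(/=/, " ") }
         tolower($1) == "pubkeyacceptedkeytypes" { print $2; exit }' "$1"
}

# Print a verdict for the file in $1; return 1 only for "at-risk".
check_sshd_config() {
    types=$(pubkey_types "$1")
    case "$types" in
        "")    echo "unset"; return 0 ;;             # option not set explicitly
        [+-]*) echo "modifies-default"; return 0 ;;  # edits the default set
    esac
    case ",$types," in
        *,rsa-sha2-256,*|*,rsa-sha2-512,*) echo "ok"; return 0 ;;
        *,ssh-rsa,*) echo "at-risk"; return 1 ;;     # ssh-rsa without rsa-sha2-*
    esac
    echo "ok"
}

# Apply the report's fix to a value: ssh-rsa -> rsa-sha2-256,rsa-sha2-512.
suggest_types() {
    printf '%s\n' "$1" | awk -F, '{
        for (i = 1; i <= NF; i++) {
            t = ($i == "ssh-rsa") ? "rsa-sha2-256,rsa-sha2-512" : $i
            out = out (i > 1 ? "," : "") t
        }
        print out
    }'
}

# Constructed sample config (not taken from the bug report).
sample=$(mktemp)
printf '%s\n' '#PubkeyAcceptedKeyTypes ssh-ed25519' \
    'pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa' > "$sample"
verdict=$(check_sshd_config "$sample") || true
echo "$verdict: PubkeyAcceptedKeyTypes $(suggest_types "$(pubkey_types "$sample")")"
rm -f "$sample"
```

After editing the real file, `sshd -t` validates the configuration before the daemon is restarted.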
--- Begin Message ---
Hi,
On Mon, 8 Apr 2019 11:07:56 +0100 Colin Watson <[email protected]> wrote:
> Other than that, for people who don't see or don't fully read the
> NEWS.Debian file I already provided, the best I can do is reassign this
> to the release notes to lift some of these warnings up to there.
Thanks. I pushed this in a commit that mostly copies the NEWS.Debian text:
https://salsa.debian.org/ddp-team/release-notes/commit/bb4b551
Paul
--- End Message ---