Message-ID: <20040922004245.GE22822@cerberus>
Date: Tue, 21 Sep 2004 18:42:46 -0600
From: "Jamin W. Collins" <email address hidden>
To: <email address hidden>
Cc: Matthew Vernon <email address hidden>
Subject: Bug #250369 - silent SSH config changes
severity 250369 serious
thanks
The following section of ssh's postinst appears to be responsible for
the rather shocking change to ssh's configuration.
    elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
         ! grep -iq ^UsePAM /etc/ssh/sshd_config ; then
        # Upgrade from pre-3.7: UsePAM needed to maintain standard
        # Debian configuration.
        echo -n 'Upgrading sshd_config (old version in .dpkg-old) ...'
        cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
        perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \
            /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new
        echo >> /etc/ssh/sshd_config.dpkg-new
        echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new
        mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config
        echo
        return 0
    else
        return 0
I had disabled password authentication on all of my systems immediately
after installation. Today, I noticed and confirmed that password
authentication was once again working for ssh on most of them.
This forced a reduction in each of the affected systems' security and
completely reversed my configuration as administrator of those machines.
I would expect changes of this nature to prompt the administrator to
accept them.
Due to the potential impact of this change (effective reversal of admin
configuration, a violation of Policy 10.7.3) I'm upgrading the severity
of this bug report to an RC level of "serious".
--
Jamin W. Collins
To be nobody but yourself when the whole world is trying its best night
and day to make you everybody else is to fight the hardest battle any
human being will fight. -- E.E. Cummings
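As an added example (not code from the bug report, from the Debian openssh package or from Matthew Vernon), the script below replays the quoted postinst edit on a constructed sshd_config and then audits the result for the condition that brings password logins back: "UsePAM yes" together with ChallengeResponseAuthentication left at its OpenSSH default of "yes" lets sshd accept a password through PAM keyboard-interactive even when PasswordAuthentication is "no". The function names, the sample config and the awk stand-in for the perl one-liner are my own; the audit assumes sshd's first-match rule for keywords, the "Keyword value" spelling, and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not the Debian postinst and not part of the bug report.
# Replays the upgrade step on a constructed sshd_config, then checks whether
# the result still lets PAM keyboard-interactive authenticate passwords.
# Assumptions: first matching keyword wins (sshd semantics), keywords are
# case-insensitive, "Keyword value" form without "=", no Match blocks.

# Same edits as the postinst: comment out the two obsolete keywords and
# append "UsePAM yes". awk replaces the perl one-liner so only POSIX tools
# are needed; the keyword match is case-insensitive like the original /i.
upgrade_sshd_config() {   # $1 = input config, $2 = output config
    awk '{ k = tolower($1)
           if (k == "pamauthenticationviakbdint" || k == "rhostsauthentication")
               print "#" $0
           else
               print }' "$1" > "$2"
    echo >> "$2"
    echo 'UsePAM yes' >> "$2"
}

# Effective value of one keyword (lower-cased), or the default when absent.
sshd_option() {           # $1 = config, $2 = keyword (lower-case), $3 = default
    opt_val=$(awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1")
    printf '%s\n' "${opt_val:-$3}"
}

# True when PAM keyboard-interactive can still authenticate with a password.
# OpenSSH defaults: UsePAM no, ChallengeResponseAuthentication yes.
pam_password_path_open() {   # $1 = config
    [ "$(sshd_option "$1" usepam no)" = yes ] &&
    [ "$(sshd_option "$1" challengeresponseauthentication yes)" = yes ]
}

# One-line verdict for a config; exit status 1 on the bad combination, so it
# can be dropped into a post-upgrade check.
audit_sshd_config() {     # $1 = config
    if pam_password_path_open "$1"; then
        echo "WARNING: $1: PAM keyboard-interactive accepts passwords" \
             "(PasswordAuthentication is $(sshd_option "$1" passwordauthentication yes))"
        return 1
    fi
    echo "OK: $1: no PAM keyboard-interactive password path"
}

# --- demonstration on a constructed config (not a real system file) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample: the administrator disabled password logins after install
Protocol 2
PasswordAuthentication no
PAMAuthenticationViaKbdInt no
RhostsAuthentication no
EOF

audit_sshd_config "$demo_dir/sshd_config"                # OK before the upgrade
upgrade_sshd_config "$demo_dir/sshd_config" "$demo_dir/sshd_config.new"
audit_sshd_config "$demo_dir/sshd_config.new" || true    # WARNING after it

# Mitigation: state the challenge-response setting explicitly so the PAM path
# stays closed whatever UsePAM says (no earlier occurrence exists to win).
cp "$demo_dir/sshd_config.new" "$demo_dir/sshd_config.fixed"
echo 'ChallengeResponseAuthentication no' >> "$demo_dir/sshd_config.fixed"
audit_sshd_config "$demo_dir/sshd_config.fixed"          # OK again
rm -rf "$demo_dir"
```

Run it against a copy of /etc/ssh/sshd_config (audit_sshd_config alone, without the upgrade step) to see whether a given host is in the state the report describes; the fix the audit points at is an explicit ChallengeResponseAuthentication line rather than relying on the default.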