© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
f33e652
(Get the code!)
Message-ID: <20040922004245
Date: Tue, 21 Sep 2004 18:42:46 -0600
From: "Jamin W. Collins" <email address hidden>
To: <email address hidden>
Cc: Matthew Vernon <email address hidden>
Subject: Bug #250369 - silent SSH config changes
severity 250369 serious
thanks
The following section of ssh's postinst appears to be responsible for
the rather shocking change to ssh's configuration.
elif dpkg --compare-versions "$oldversion" lt-nl 1:3.8p1-1 && \
! grep -iq ^UsePAM /etc/ssh/
# Upgrade from pre-3.7: UsePAM needed to maintain standard
# Debian configuration.
cp -a /etc/ssh/
/#$1/i' \
mv /etc/ssh/
else return 0
I had disabled password authentication on all of my systems immediately
after installation. Today, I noticed and confirmed that password
authentication was once again working for ssh on most of them.
This forced a reduction in each of the effected system's security and
completely reversed my configuration as administrator of those machines.
I would expect changes of this nature to prompt the administrator to
accept them.
Due to the potential impact of this change (effective reversal of admin
configuration, a voilation of Policy 10.7.3) I'm upgrading the severity
of this bug report to an RC level of "serious".
--
Jamin W. Collins
To be nobody but yourself when the whole world is trying it's best night
and day to make you everybody else is to fight the hardest battle any
human being will fight. -- E.E. Cummings