Debian Bug report logs - #242119
ssh - password authentication never uses pam

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Bastian Blank <waldi@debian.org>

To: submit@bugs.debian.org

Subject: ssh - password authentication never uses pam

Date: Sun, 4 Apr 2004 23:21:08 +0200

[Message part 1 (text/plain, inline)]

Package: ssh
Version: 1:3.8p1-2
Severity: grave

password authentication always tries to read /etc/shadow and fails with 
| error: Could not get shadow information for $user
This breaks logins on system which uses pam for authentication.

Bastian

-- 
Death, when unnecessary, is a tragic thing.
		-- Flint, "Requiem for Methuselah", stardate 5843.7

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 242119@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Bastian Blank <waldi@debian.org>, 242119@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#242119: ssh - password authentication never uses pam

Date: Mon, 5 Apr 2004 10:37:57 +0100

severity 242119 normal
tags 242119 moreinfo
thanks

On Sun, Apr 04, 2004 at 11:21:08PM +0200, Bastian Blank wrote:
> Package: ssh
> Version: 1:3.8p1-2
> Severity: grave
> 
> password authentication always tries to read /etc/shadow and fails with 
> | error: Could not get shadow information for $user
> This breaks logins on system which uses pam for authentication.

Clearly not, since I use the default configuration and it works here, so
it's not broken for everyone. Please provide more information,
especially when trying to file grave bugs: relevant lines from
/var/log/auth.log and 'sshd -ddd' would be a good start.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Message #19 received at 242119@bugs.debian.org (full text, mbox, reply):

From: Chaskiel M Grundman <cg2v@andrew.cmu.edu>

To: 242119@bugs.debian.org

Subject: Re: Bug#242119: ssh - password authentication never uses pam

Date: Thu, 08 Apr 2004 00:22:39 -0400

I'm having the same problem.

there's no output from this process in auth.log (since I'm using -ddd, I
guess)

debug1: PAM: initializing for "cg2v"
debug3: Trying to reverse map address 205.201.7.143.
debug1: PAM: setting PAM_RHOST to "dhcp-7-143.dsl.telerama.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for cg2v from 205.201.7.143 port 54343 ssh2
debug1: userauth-request for user cg2v service ssh-connection method
password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
debug3: auth_shadow_pwexpired: today 12516 sp_lstchg 11439 sp_max 99999
Failed password for cg2v from 205.201.7.143 port 54343 ssh2
debug1: userauth-request for user cg2v service ssh-connection method
password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Failed password for cg2v from 205.201.7.143 port 54343 ssh2
debug1: userauth-request for user cg2v service ssh-connection method
password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
Failed password for cg2v from 205.201.7.143 port 54343 ssh2
Connection closed by 205.201.7.143
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering


Here's strace output from one password verification attempt (this is a
sparc, so some of the syscall names are wrong...):

Process 6897 attached - interrupt to quit
select(5, [4], NULL, NULL, NULL)        = 1 (in [4])
read(4, "\327\2102\363\303F\202\342\37\344\375\266\1771\0Q\222\206"...,
8192) = 144
write(2, "debug1: userauth-request for use"..., 79) = 79
write(2, "debug1: attempt 1 failures 1\r\n", 30) = 30
write(2, "debug2: input_userauth_request: "..., 53) = 53
open("/etc/shadow", O_RDONLY)           = 3
nfssvc(0x3)                             = 0
nfssvc(0x3)                             = 0
_llseek(3, 0, [0], SEEK_CUR)            = 0
fstat64(3, {st_mode=S_IFREG|0640, st_size=4621, ...}) = 0
SYS_56(0, 0x120d, 0x1)                  = 1879162880
_llseek(3, 4621, [4621], SEEK_SET)      = 0
munmap(0x7001c000, 4621)                = 0
close(3)                                = 0
time(NULL)                              = 1081396889
write(2, "debug3: auth_shadow_pwexpired: t"..., 73) = 73
open("/etc/shadow", O_RDONLY)           = 3
nfssvc(0x3)                             = 0
nfssvc(0x3)                             = 0
_llseek(3, 0, [0], SEEK_CUR)            = 0
fstat64(3, {st_mode=S_IFREG|0640, st_size=4621, ...}) = 0
SYS_56(0, 0x120d, 0x1)                  = 1879162880
_llseek(3, 4621, [4621], SEEK_SET)      = 0
munmap(0x7001c000, 4621)                = 0
close(3)                                = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(54343),
sin_addr=inet_addr("205.201.7.143")}, [16]) = 0
write(2, "Failed password for cg2v from 20"..., 61) = 61
write(4, "\216\3764i`\17{\306,i~\1\322\344\357\3725\245\n\n\t\364"..., 80)
= 80
select(5, [4], NULL, NULL, NULL



I do have UsePAM turned on, and lsof does indicate that the modules that
are specified by /etc/pam.d/ssh are being loaded. This configuration does
work with the sshd in ssh-krb5.  (I only installed this version because I
encountered a variant of bug 240953 and didn't remember if 3.6 had the bug
or if it had been fixed upstream in time for 3.8. since 3.6 (and thus
ssh-krb5) isn't supposed to have that problem, I guess I'm going to switch
back before this machine goes back into production)

Message #24 received at 242119@bugs.debian.org (full text, mbox, reply):

From: Zed Pobre <zed@debian.org>

To: Debian Bug Tracking System <242119@bugs.debian.org>

Subject: ssh: Related to 240506?

Date: Mon, 19 Apr 2004 11:55:52 -0500

Package: ssh
Version: 1:3.8p1-3
Followup-For: Bug #242119

I'm also having the same problems.  Authentication is handled through
LDAP, which makes me wonder if there's something related to 240506.
I'll try to get you a debug log shortly, but I wanted to note this
relationship first.

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux julia 2.4.25.julia #1 SMP Tue Feb 24 14:48:31 CST 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US (ignored: LC_ALL set to en_US)

Versions of packages ssh depends on:
ii  adduser                     3.47         Add and remove users and groups
ii  debconf                     1.3.14       Debian configuration management sy
ii  dpkg                        1.10.15      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-14      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-19      Runtime support for the PAM librar
ii  libpam0g                    0.76-14      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7c-1     SSL shared libraries
ii  libwrap0                    7.6-9        Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1-3    compression library - runtime

-- debconf information excluded

Message #29 received at 242119@bugs.debian.org (full text, mbox, reply):

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>

To: 242119@bugs.debian.org, 242119-submitter@bugs.debian.org, control@bugs.debian.org

Subject: What seems to be going on with sshd

Date: Thu, 13 May 2004 14:17:58 +0400

severity 242119 important
thanks

Hello,

I've spent two hours trying to find out why ssh 3.8 breaks logins to our 
terminal that use ldap auth. This is what I found.

In ssh 3.6, "password" auth method used PAM.

In ssh 3.8, "password" auth method does not use PAM, regardless of "UsePAM" 
setting. "man sshd_config" states the following about "UsePAM":
 
    UsePAM  Enables PAM authentication (via challenge-response) and session
             set up.  If you enable this, you should probably disable
             PasswordAuthentication.

UsaPAM affects another auth method, namely "keyboard-interactive"
When logging using openssh client, after "password" method fails for LDAP 
user, "keyboard-interactive" method is also tried, and succeeds.
This is logged:

May 13 14:08:33 pride sshd[9502]: debug1: Client protocol version 2.0; 
client software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-12
May 13 14:08:33 pride sshd[9502]: debug1: match: OpenSSH_3.6.1p2 Debian 
1:3.6.1p2-12 pat OpenSSH*
May 13 14:08:33 pride sshd[9502]: debug1: Enabling compatibility mode for 
protocol 2.0
May 13 14:08:33 pride sshd[9502]: debug1: Local version string 
SSH-1.99-OpenSSH_3.8p1 Debian 1:3.8p1-3
May 13 14:08:33 pride sshd[9502]: debug1: PAM: initializing for "test"
May 13 14:08:33 pride sshd[9502]: debug1: PAM: setting PAM_RHOST to 
"zigzag.lvk.cs.msu.su"
May 13 14:08:33 pride sshd[9502]: debug1: PAM: setting PAM_TTY to "ssh"
May 13 14:08:33 pride sshd[9502]: Failed none for test from 158.250.17.23 
port 43327 ssh2

At this point, "password" auth failed, and other methods are being tried.

May 13 14:08:33 pride sshd[9502]: debug1: temporarily_use_uid: 3801/100 
(e=0/0)
May 13 14:08:33 pride sshd[9502]: debug1: trying public key 
file /home/test/.ssh/authorized_keys
May 13 14:08:33 pride sshd[9502]: debug1: restore_uid: 0/0
May 13 14:08:33 pride sshd[9502]: debug1: temporarily_use_uid: 3801/100 
(e=0/0)
May 13 14:08:33 pride sshd[9502]: debug1: trying public key 
file /home/test/.ssh/authorized_keys2
May 13 14:08:33 pride sshd[9502]: debug1: restore_uid: 0/0
May 13 14:08:35 pride sshd[9504]: (pam_unix) check pass; user unknown
May 13 14:08:35 pride sshd[9504]: (pam_unix) authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=zigzag.lvk.c
s.msu.su
May 13 14:08:35 pride sshd[9502]: debug1: PAM: num PAM env strings 0
May 13 14:08:35 pride sshd[9502]: Accepted keyboard-interactive/pam for 
test from 158.250.17.23 port 43327 ssh2

At this point, "keyboard-interactive" method succeeds.

However, other ssh clients don't know anything about "keyboard-interactive" 
method. E.g. when trying to ssh from a Solaris box with ssh2, "password" 
method failes and login is disallowed.
Similar problems happens with different ssh clients running under Windows.

So the breaking change is that PAM is no longer used for "password" auth. 
This really breaks networks where different operating systems are used.
That's why I am upgrading this bug's severity to "important".

Message #39 received at 242119@bugs.debian.org (full text, mbox, reply):

From: Darren Tucker <dtucker@zip.com.au>

To: 242119@bugs.debian.org, Bastian Blank <waldi@debian.org>, Chaskiel M Grundman <cg2v@andrew.cmu.edu>, Zed Pobre <zed@debian.org>

Subject: Debian bug#242119: upstream enhancement request

Date: Fri, 28 May 2004 23:18:15 +1000

Hi.
	This Debian bug ("ssh - password authentication never uses pam") has a 
corresponding upstream enhancement request (with patch):
http://bugzilla.mindrot.org/show_bug.cgi?id=874

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Message #44 received at 242119@bugs.debian.org (full text, mbox, reply):

From: Darren Tucker <dtucker@zip.com.au>

To: 242119@bugs.debian.org, Bastian Blank <waldi@debian.org>, 238699@bugs.debian.org, Giacomo Mulas <gmulas@ca.astro.it>, 247521@bugs.debian.org, Daniel Whelan <merlin@ophelan.com>, 250369@bugs.debian.org, Marc Haber <mh+debian-bugs@zugschlus.de>

Subject: Debian bugs: sshd - PAM and password auth: fixed upstream

Date: Thu, 01 Jul 2004 09:29:20 +1000

Hi.
	Please excuse the multi-update, these bugs are somewhat related.

	The upstream bug [1] for Debian bugs #242119, #238699, #247521, #250369 
is now fixed in upstream's CVS.

	The patch attached to the bug re-adds PasswordAuthentication via PAM. 
Note that this uses a "blind" conversation that will fail if you have 
anything beyond simple password authentication; however this is the best 
that can be done within SSH's password authentication method.  If you 
need more comprehensive PAM support, set PasswordAuthentication=no and 
use ChallengeResponse/keyboard-interactive.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=874
(If you're going to backport the patch, there's a couple of other 
related patches in CVS that are not attached to the bug).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Message #51 received at 242119-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 242119-close@bugs.debian.org

Subject: Bug#242119: fixed in openssh 1:4.1p1-3

Date: Mon, 06 Jun 2005 18:17:18 -0400

Source: openssh
Source-Version: 1:4.1p1-3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.1p1-3_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.1p1-3_powerpc.udeb
openssh-client_4.1p1-3_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.1p1-3_powerpc.deb
openssh-server-udeb_4.1p1-3_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.1p1-3_powerpc.udeb
openssh-server_4.1p1-3_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.1p1-3_powerpc.deb
openssh_4.1p1-3.diff.gz
  to pool/main/o/openssh/openssh_4.1p1-3.diff.gz
openssh_4.1p1-3.dsc
  to pool/main/o/openssh/openssh_4.1p1-3.dsc
ssh-askpass-gnome_4.1p1-3_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.1p1-3_powerpc.deb
ssh_4.1p1-3_all.deb
  to pool/main/o/openssh/ssh_4.1p1-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 242119@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  6 Jun 2005 22:28:33 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.1p1-3
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - Secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server - Secure shell server, an rshd replacement
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure shell client and server (transitional package)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 39741 87253 87900 141979 147212 147360 151321 162996 163933 192206 192234 220726 228828 233012 238699 242119 242462 247521 248747 250369 257130 264024 265339 265627 273831 275731 275895 276703 276754 277438 278394 278715 280190 281595 287013 289573 295757 296487 298536 298744 301852 303452 303787 307069 308868
Changes: 
 openssh (1:4.1p1-3) unstable; urgency=low
 .
   * Upload to unstable.
 .
 openssh (1:4.1p1-2) experimental; urgency=low
 .
   * Drop debconf support for allowing SSH protocol 1, which is discouraged
     and has not been the default since openssh 1:3.0.1p1-1. Users who need
     this should edit sshd_config instead (closes: #147212).
   * Since ssh-keysign isn't used by default (you need to set
     EnableSSHKeysign to "yes" in /etc/ssh/ssh_config), having a debconf
     question to ask whether it should be setuid is overkill, and the
     question text had got out of date anyway. Remove this question, ship
     ssh-keysign setuid in openssh-client.deb, and set a statoverride if the
     debconf question was previously set to false.
   * Add lintian overrides for the above (setuid-binary,
     no-debconf-templates).
   * Fix picky lintian errors about slogin symlinks.
   * Fix DEB_HOST_ARCH_OS/DEB_HOST_GNU_SYSTEM compatibility handling.
   * Apply Linux 2.2 workaround (see #239999) only on Linux.
 .
 openssh (1:4.1p1-1) experimental; urgency=low
 .
   * New upstream release.
     - Normalise socket addresses returned by get_remote_hostname(), fixing
       4-in-6 mapping issues with AllowUsers et al (closes: #192234).
   * Take upstream's hint and disable the unsupported USE_POSIX_THREADS
     (closes: #295757, #308868, and possibly others; may open other bugs).
     Use PAM password authentication to avoid #278394. In future I may
     provide two sets of binaries built with and without this option, since
     it seems I can't win.
   * Disable ChallengeResponseAuthentication in new installations, returning
     to PasswordAuthentication by default, since it now supports PAM and
     apparently works better with a non-threaded sshd (closes: #247521).
   * openssh-server Suggests: rssh (closes: #233012).
   * Change libexecdir to /usr/lib/openssh, and fix up various alternatives
     and configuration files to match (closes: #87900, #151321).
   * Fix up very old sshd_config files that refer to /usr/libexec/sftp-server
     (closes: #141979).
 .
 openssh (1:4.0p1-1) experimental; urgency=low
 .
   * New upstream release.
     - Port-forwarding specifications now take optional bind addresses, and
       the server allows client-specified bind addresses for remote port
       forwardings when configured with "GatewayPorts clientspecified"
       (closes: #87253, #192206).
     - ssh and ssh-keyscan now support hashing of known_hosts files for
       improved privacy. ssh-keygen has new options for managing known_hosts
       files, which understand hashing.
     - sftp supports command history and editing support using libedit
       (closes: #287013).
     - Have scp and sftp wait for the spawned ssh to exit before they exit
       themselves, allowing ssh to restore terminal modes (closes: #257130).
     - Improved the handling of bad data in authorized_keys files,
       eliminating fatal errors on corrupt or very large keys; e.g. linefeeds
       in keys only produce errors in auth.log now (closes: #220726).
     - Add "command mode" to ssh connection multiplexing (closes: #303452).
     - Mention $HOME/.hushlogin in sshd(8) FILES section (closes: #163933).
   * Make gnome-ssh-askpass stay above other windows (thanks, Liyang HU;
     closes: #296487).
   * Remove obsolete and unnecessary ssh/forward_warning debconf note.
   * Hurd build fixes (although sshd still doesn't work):
     - Restore X forwarding fix from #102991, lost somewhere along the way.
     - Link with -lcrypt.
     - Link with -lpthread rather than -pthread.
     - Don't build ssh-askpass-gnome on the Hurd, until GNOME is available to
       satisfy build-dependencies.
   * Drop workaround for #242462 on amd64; it's been fixed properly upstream.
   * Enable HashKnownHosts by default. This only affects new entries; use
     'ssh-keygen -H' to convert an entire known_hosts file to hashed format.
   * Note in ssh_config(5) that the SetupTimeOut option is Debian-specific
     (closes: #307069).
   * debconf template translations:
     - Update Czech (thanks, Miroslav Kure; closes: #298744).
     - Update Finnish (thanks, Matti Pöllä; closes: #303787).
     - Synchronise Spanish with sarge branch (thanks, Javier
       Fernández-Sanguino Peña; closes: #298536).
     - Add Ukrainian (thanks, Eugeniy Meshcheryakov; closes: #301852).
 .
 openssh (1:3.9p1-3) experimental; urgency=low
 .
   * Explain how to run sshd from inittab in README.Debian (closes: #147360).
   * Add debian/watch file.
 .
 openssh (1:3.9p1-2) experimental; urgency=low
 .
   * Remove pam_nologin from /etc/pam.d/ssh, as sshd's built-in support
     appears to be sufficient and more useful (closes: #162996).
   * Depend on debconf | debconf-2.0.
   * Drop LoginGraceTime back to the upstream default of two minutes on new
     installs (closes: #289573).
   * debconf template translations from Ubuntu bug #1232:
     - Update Greek (thanks, Logiotatidis George).
     - Update Spanish (thanks, Santiago Erquicia).
 .
 openssh (1:3.9p1-1) experimental; urgency=low
 .
   * New upstream release.
     - PAM password authentication implemented again (closes: #238699,
       #242119).
     - Implemented the ability to pass selected environment variables between
       the client and the server.
     - Fix ssh-keyscan breakage when remote server doesn't speak SSH protocol
       (closes: #228828).
     - Fix res_query detection (closes: #242462).
     - 'ssh -c' documentation improved (closes: #265627).
   * Pass LANG and LC_* environment variables from the client by default, and
     accept them to the server by default in new installs, although not on
     upgrade (closes: #264024).
   * Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones).
   * Expand on openssh-client package description (closes: #273831).
 .
 openssh (1:3.8.1p1-14) experimental; urgency=low
 .
   * We use DH_COMPAT=2, so build-depend on debhelper (>= 2).
   * Fix timing information leak allowing discovery of invalid usernames in
     PAM keyboard-interactive authentication (backported from a patch by
     Darren Tucker; closes: #281595).
   * Make sure that there's a delay in PAM keyboard-interactive
     authentication when PermitRootLogin is not set to yes and the correct
     root password is entered (closes: #248747).
 .
 openssh (1:3.8.1p1-13) experimental; urgency=low
 .
   * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
   * debconf template translations:
     - Update Dutch (thanks, cobaco; closes: #278715).
   * Correct README.Debian's ForwardX11Trusted description (closes: #280190).
 .
 openssh (1:3.8.1p1-12) experimental; urgency=low
 .
   * Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754).
   * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian
     1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH
     implementations apparently have problems with the long version string.
     This is of course a bug in those implementations, but since the extent
     of the problem is unknown it's best to play safe (closes: #275731).
   * debconf template translations:
     - Add Finnish (thanks, Matti Pöllä; closes: #265339).
     - Update Danish (thanks, Morten Brix Pedersen; closes: #275895).
     - Update French (thanks, Denis Barbier; closes: #276703).
     - Update Japanese (thanks, Kenshi Muto; closes: #277438).
 .
 openssh (1:3.8.1p1-11) experimental; urgency=high
 .
   * Move sshd_config(5) to openssh-server, where it belongs.
   * If PasswordAuthentication is disabled, then offer to disable
     ChallengeResponseAuthentication too. The current PAM code will attempt
     password-style authentication if ChallengeResponseAuthentication is
     enabled (closes: #250369).
   * This will ask a question of anyone who installed fresh with 1:3.8p1-2 or
     later and then upgraded. Sorry about that ... for this reason, the
     default answer is to leave ChallengeResponseAuthentication enabled.
 .
 openssh (1:3.8.1p1-10) experimental; urgency=low
 .
   * Don't install the ssh-askpass-gnome .desktop file by default; I've had
     too many GNOME people tell me it's the wrong thing to be doing. I've
     left it in /usr/share/doc/ssh-askpass-gnome/examples/ for now.
 .
 openssh (1:3.8.1p1-9) experimental; urgency=low
 .
   * Split the ssh binary package into openssh-client and openssh-server
     (closes: #39741). openssh-server depends on openssh-client for some
     common functionality; it didn't seem worth creating yet another package
     for this. openssh-client is priority standard, openssh-server optional.
   * New transitional ssh package, priority optional, depending on
     openssh-client and openssh-server. May be removed once nothing depends
     on it.
   * When upgrading from ssh to openssh-{client,server}, it's very difficult
     for the maintainer scripts to find out what version we're upgrading from
     without dodgy dpkg hackery. I've therefore taken the opportunity to move
     a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged
     and ssh/user_environment_tell.
   * Add a heuristic to try to make sure the sshd_config upgrade to >= 3.7
     happens even though we don't know what version we're upgrading from.
   * Remove /etc/ssh/sshd_not_to_be_run on purge of openssh-server. For now
     (until sarge+2) it's still honoured to avoid breaking existing
     configurations, but the right approach is now to remove the
     openssh-server package if you don't want to run the server. Add a NEWS
     item to that effect.
Files: 
 84f2dff9c56e901f345d56fc61df0d0b 900 net standard openssh_4.1p1-3.dsc
 7ab61ab3f06d6f82054c1abe06c07d06 138002 net standard openssh_4.1p1-3.diff.gz
 02c181ac3c4d6a0548d111c59e74db82 31940 net optional ssh_4.1p1-3_all.deb
 fded10b71291844267bf4582d67e1f49 570468 net standard openssh-client_4.1p1-3_powerpc.deb
 b5d53eb227d444b63861dc93266b06d3 284250 net optional openssh-server_4.1p1-3_powerpc.deb
 712214657225f22add427e6e8af78d8e 76508 gnome optional ssh-askpass-gnome_4.1p1-3_powerpc.deb
 8a08610010a9b18697df9dcaad793d47 163160 debian-installer optional openssh-client-udeb_4.1p1-3_powerpc.udeb
 c3e34795848cfa1ddf1be4365c9450cd 171832 debian-installer optional openssh-server-udeb_4.1p1-3_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCpMU09t0zAhD6TNERAkGpAKCDpLdoo2ILdb02EPN28FV4HuSsgQCcD7K2
QlEr7wrH8P5uw4bssmCGNzU=
=mvqt
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.