mirror of
https://abf.rosa.ru/djam/openssh.git
synced 2025-02-25 18:53:02 +00:00
33 lines
1.3 KiB
Text
Openssh changes upgrading from <= 3.6p2 to 3.8p1
Jun-9-2004 Stew Benedict <sbenedict@mandrakesoft.com>

Some changes in the behavior of the openssh-server have
taken place in the 3.8p1 upgrade. UsePAM is now "no" by
default, and recommendations are not to enable it lightly.

That said, some changes have been made to /etc/pam.d/ssh to
preserve expected behavior if UsePAM is enabled:

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers

This line and the entry "root" in the referenced /etc/ssh/denyusers
allow "PermitRootLogin without-password" to behave as expected,
using keys. Otherwise, it's still possible to get a password prompt
and log in without keys.

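A check for the condition described above, as an added example that is not part of the original README or the package: given the text of sshd_config, /etc/pam.d/ssh and /etc/ssh/denyusers, it reports when UsePAM is on with "PermitRootLogin without-password" but the pam_listfile guard is missing. The function names and sample file contents are constructed for illustration; Match blocks and Include directives are not handled.

```python
import re

DENY_FILE = "/etc/ssh/denyusers"  # path used by the pam_listfile line in the README

def effective_option(sshd_config, key, default):
    """First value set for key wins, as in sshd; accepts 'Key value' and 'Key=value'."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().strip('"').lower()
    return default

def pam_has_deny_guard(pam_ssh, deny_file=DENY_FILE):
    """True if an 'auth required pam_listfile.so' line denies users listed in deny_file."""
    wanted = {"item=user", "sense=deny", "file=" + deny_file}
    for raw in pam_ssh.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[:2] == ["auth", "required"] and f[2].endswith("pam_listfile.so"):
            if wanted <= set(f[3:]):
                return True
    return False

def audit(sshd_config, pam_ssh, denyusers):
    """Return findings for the root password-prompt case the README describes."""
    use_pam = effective_option(sshd_config, "UsePAM", "no")  # 3.8p1 default per the README
    root = effective_option(sshd_config, "PermitRootLogin", "yes")  # assumed default
    if use_pam != "yes" or root != "without-password":
        return []  # the README's guard only matters for this combination
    if not pam_has_deny_guard(pam_ssh):
        return ["pam_listfile deny line missing from the PAM auth stack"]
    if "root" not in {u.strip() for u in denyusers.splitlines()}:
        return ["root is not listed in " + DENY_FILE]
    return []

# Constructed sample inputs (not taken from a real host).
SSHD = "Protocol 2\nUsePAM yes\nPermitRootLogin without-password\n"
PAM_GUARDED = ("auth required pam_listfile.so item=user sense=deny "
               "file=/etc/ssh/denyusers\nauth required pam_unix.so\n")
PAM_BARE = "auth required pam_unix.so\n"

if __name__ == "__main__":
    print(audit(SSHD, PAM_GUARDED, "root\n"))
    print(audit(SSHD, PAM_BARE, "root\n"))
    print(audit(SSHD, PAM_GUARDED, "guest\n"))
```
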
The package has a trigger that attempts to detect alternative auth methods
(ldap, mysql, winbind) and changes UsePAM to yes if one of these is
detected. If you update and suddenly your users can't log in via ssh,
you may need to review and correct the configuration. Please consult
"man sshd_config" for details of the configuration choices.

You may also find you need to set:

ChallengeResponseAuthentication=no

for things like pam_mkhomedir to work.

In addition, for X11 forwarding to work in 3.8p1, the option
"ForwardX11Trusted yes" must be enabled in /etc/ssh/ssh_config.
This is enabled by default.