* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
author: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-01-01 23:53:30 +0000
commit: df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree: 1aab079441dff9615274769b19f2d734ddf508dd /contrib/caldera/ssh-host-keygen
parent: 6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent: 99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/contrib/caldera/ssh-host-keygen b/contrib/caldera/ssh-host-keygen
index 3c5c17182..86382ddfb 100755
--- a/contrib/caldera/ssh-host-keygen
+++ b/contrib/caldera/ssh-host-keygen
@@ -1,6 +1,6 @@
 #! /bin/sh
 #
-# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $
+# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
 #
 # This script is normally run only *once* for a given host
 # (in a given period of time) -- on updates/upgrades/recovery
@@ -15,16 +15,16 @@ if [ -f $keydir/ssh_host_key -o \
             -f $keydir/ssh_host_key.pub ]; then
  echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
 else
-  echo "Generating 1024 bit SSH1 RSA host key."
+  echo "Generating SSH1 RSA host key."
-  $keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
+  $keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
 fi
 if [ -f $keydir/ssh_host_rsa_key -o \
             -f $keydir/ssh_host_rsa_key.pub ]; then
  echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
 else
-  echo "Generating 1024 bit SSH2 RSA host key."
+  echo "Generating SSH2 RSA host key."
-  $keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
+  $keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
 fi
 if [ -f $keydir/ssh_host_dsa_key -o \
author	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-01-01 23:53:30 +0000
commit	df03186a4f9e0c2ece398b5c0571cb6263d7a752 (patch)
tree	1aab079441dff9615274769b19f2d734ddf508dd /contrib/caldera/ssh-host-keygen
parent	6ad6994c288662fca6949f42bf91fec2aff00bca (diff)
parent	99b402ea4c8457b0a3cafff37f5b3410a8dc6476 (diff)

diff --git a/contrib/caldera/ssh-host-keygen b/contrib/caldera/ssh-host-keygen index 3c5c17182..86382ddfb 100755 --- a/contrib/caldera/ssh-host-keygen +++ b/contrib/caldera/ssh-host-keygen
@@ -1,6 +1,6 @@
1	#! /bin/sh	1	#! /bin/sh
2	#	2	#
3	# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $	3	# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
4	#	4	#
5	# This script is normally run only once for a given host	5	# This script is normally run only once for a given host
6	# (in a given period of time) -- on updates/upgrades/recovery	6	# (in a given period of time) -- on updates/upgrades/recovery
@@ -15,16 +15,16 @@ if [ -f $keydir/ssh_host_key -o \
15	-f $keydir/ssh_host_key.pub ]; then	15	-f $keydir/ssh_host_key.pub ]; then
16	echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."	16	echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
17	else	17	else
18	echo "Generating 1024 bit SSH1 RSA host key."	18	echo "Generating SSH1 RSA host key."
19	$keygen -b 1024 -t rsa1 -f $keydir/ssh_host_key -C '' -N ''	19	$keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
20	fi	20	fi
21		21
22	if [ -f $keydir/ssh_host_rsa_key -o \	22	if [ -f $keydir/ssh_host_rsa_key -o \
23	-f $keydir/ssh_host_rsa_key.pub ]; then	23	-f $keydir/ssh_host_rsa_key.pub ]; then
24	echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."	24	echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
25	else	25	else
26	echo "Generating 1024 bit SSH2 RSA host key."	26	echo "Generating SSH2 RSA host key."
27	$keygen -b 1024 -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''	27	$keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
28	fi	28	fi
29		29
30	if [ -f $keydir/ssh_host_dsa_key -o \	30	if [ -f $keydir/ssh_host_dsa_key -o \