* New upstream release (http://www.openssh.org/txt/release-5.9).

- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
author: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
committer: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
commit: 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree: 89400a44e42d84937deba7864e4964d6c7734da5 /debian/patches/debian-banner.patch
parent: 87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent: 3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
1 files changed, 8 insertions, 8 deletions
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 32251397d..57ca35e87 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -10,7 +10,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -143,6 +143,7 @@
+@@ -142,6 +142,7 @@
        options->authorized_principals_file = NULL;
        options->ip_qos_interactive = -1;
        options->ip_qos_bulk = -1;
@@ -18,7 +18,7 @@ Index: b/servconf.c
 }
 
 void
-@@ -293,6 +294,8 @@
+@@ -289,6 +290,8 @@
                options->ip_qos_interactive = IPTOS_LOWDELAY;
        if (options->ip_qos_bulk == -1)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
@@ -27,7 +27,7 @@ Index: b/servconf.c
 
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
-@@ -342,6 +345,7 @@
+@@ -338,6 +341,7 @@
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
        sKexAlgorithms, sIPQoS,
@@ -35,7 +35,7 @@ Index: b/servconf.c
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -477,6 +481,7 @@
+@@ -473,6 +477,7 @@
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
        { "ipqos", sIPQoS, SSHCFG_ALL },
@@ -43,7 +43,7 @@ Index: b/servconf.c
        { NULL, sBadOption, 0 }
 };
 
-@@ -1439,6 +1444,10 @@
+@@ -1436,6 +1441,10 @@
                }
                break;
 
@@ -58,7 +58,7 @@ Index: b/servconf.h
 ===================================================================
 --- a/servconf.h
 +++ b/servconf.h
-@@ -160,6 +160,8 @@
+@@ -166,6 +166,8 @@
 
        int     num_permitted_opens;
 
@@ -71,7 +71,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -422,7 +422,8 @@
+@@ -423,7 +423,8 @@
                minor = PROTOCOL_MINOR_1;
        }
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -339,6 +339,11 @@
+@@ -340,6 +340,11 @@
 .Dq no .
 The default is
 .Dq delayed .
author	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
committer	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
commit	978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree	89400a44e42d84937deba7864e4964d6c7734da5 /debian/patches/debian-banner.patch
parent	87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent	3a7e89697ca363de0f64e0d5704c57219294e41c (diff)

diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 32251397d..57ca35e87 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch
@@ -10,7 +10,7 @@ Index: b/servconf.c
10	===================================================================	10	===================================================================
11	--- a/servconf.c	11	--- a/servconf.c
12	+++ b/servconf.c	12	+++ b/servconf.c
13	@@ -143,6 +143,7 @@	13	@@ -142,6 +142,7 @@
14	options->authorized_principals_file = NULL;	14	options->authorized_principals_file = NULL;
15	options->ip_qos_interactive = -1;	15	options->ip_qos_interactive = -1;
16	options->ip_qos_bulk = -1;	16	options->ip_qos_bulk = -1;
@@ -18,7 +18,7 @@ Index: b/servconf.c
18	}	18	}
19		19
20	void	20	void
21	@@ -293,6 +294,8 @@	21	@@ -289,6 +290,8 @@
22	options->ip_qos_interactive = IPTOS_LOWDELAY;	22	options->ip_qos_interactive = IPTOS_LOWDELAY;
23	if (options->ip_qos_bulk == -1)	23	if (options->ip_qos_bulk == -1)
24	options->ip_qos_bulk = IPTOS_THROUGHPUT;	24	options->ip_qos_bulk = IPTOS_THROUGHPUT;
@@ -27,7 +27,7 @@ Index: b/servconf.c
27		27
28	/* Turn privilege separation on by default */	28	/* Turn privilege separation on by default */
29	if (use_privsep == -1)	29	if (use_privsep == -1)
30	@@ -342,6 +345,7 @@	30	@@ -338,6 +341,7 @@
31	sZeroKnowledgePasswordAuthentication, sHostCertificate,	31	sZeroKnowledgePasswordAuthentication, sHostCertificate,
32	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	32	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
33	sKexAlgorithms, sIPQoS,	33	sKexAlgorithms, sIPQoS,
@@ -35,7 +35,7 @@ Index: b/servconf.c
35	sDeprecated, sUnsupported	35	sDeprecated, sUnsupported
36	} ServerOpCodes;	36	} ServerOpCodes;
37		37
38	@@ -477,6 +481,7 @@	38	@@ -473,6 +477,7 @@
39	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },	39	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
40	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },	40	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
41	{ "ipqos", sIPQoS, SSHCFG_ALL },	41	{ "ipqos", sIPQoS, SSHCFG_ALL },
@@ -43,7 +43,7 @@ Index: b/servconf.c
43	{ NULL, sBadOption, 0 }	43	{ NULL, sBadOption, 0 }
44	};	44	};
45		45
46	@@ -1439,6 +1444,10 @@	46	@@ -1436,6 +1441,10 @@
47	}	47	}
48	break;	48	break;
49		49
@@ -58,7 +58,7 @@ Index: b/servconf.h
58	===================================================================	58	===================================================================
59	--- a/servconf.h	59	--- a/servconf.h
60	+++ b/servconf.h	60	+++ b/servconf.h
61	@@ -160,6 +160,8 @@	61	@@ -166,6 +166,8 @@
62		62
63	int num_permitted_opens;	63	int num_permitted_opens;
64		64
@@ -71,7 +71,7 @@ Index: b/sshd.c
71	===================================================================	71	===================================================================
72	--- a/sshd.c	72	--- a/sshd.c
73	+++ b/sshd.c	73	+++ b/sshd.c
74	@@ -422,7 +422,8 @@	74	@@ -423,7 +423,8 @@
75	minor = PROTOCOL_MINOR_1;	75	minor = PROTOCOL_MINOR_1;
76	}	76	}
77	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,	77	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
@@ -85,7 +85,7 @@ Index: b/sshd_config.5
85	===================================================================	85	===================================================================
86	--- a/sshd_config.5	86	--- a/sshd_config.5
87	+++ b/sshd_config.5	87	+++ b/sshd_config.5
88	@@ -339,6 +339,11 @@	88	@@ -340,6 +340,11 @@
89	.Dq no .	89	.Dq no .
90	The default is	90	The default is
91	.Dq delayed .	91	.Dq delayed .