diff options
author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
tree | 89400a44e42d84937deba7864e4964d6c7734da5 /debian/patches/user-group-modes.patch | |
parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'debian/patches/user-group-modes.patch')
-rw-r--r-- | debian/patches/user-group-modes.patch | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index fe2d99be0..01ba05526 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -24,7 +24,7 @@ Index: b/readconf.c | |||
24 | 24 | ||
25 | #include "xmalloc.h" | 25 | #include "xmalloc.h" |
26 | #include "ssh.h" | 26 | #include "ssh.h" |
27 | @@ -1085,8 +1087,7 @@ | 27 | @@ -1131,8 +1133,7 @@ |
28 | 28 | ||
29 | if (fstat(fileno(f), &sb) == -1) | 29 | if (fstat(fileno(f), &sb) == -1) |
30 | fatal("fstat %s: %s", filename, strerror(errno)); | 30 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -38,7 +38,7 @@ Index: b/ssh.1 | |||
38 | =================================================================== | 38 | =================================================================== |
39 | --- a/ssh.1 | 39 | --- a/ssh.1 |
40 | +++ b/ssh.1 | 40 | +++ b/ssh.1 |
41 | @@ -1293,6 +1293,8 @@ | 41 | @@ -1298,6 +1298,8 @@ |
42 | .Xr ssh_config 5 . | 42 | .Xr ssh_config 5 . |
43 | Because of the potential for abuse, this file must have strict permissions: | 43 | Because of the potential for abuse, this file must have strict permissions: |
44 | read/write for the user, and not accessible by others. | 44 | read/write for the user, and not accessible by others. |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1299,6 +1299,8 @@ | 54 | @@ -1343,6 +1343,8 @@ |
55 | This file is used by the SSH client. | 55 | This file is used by the SSH client. |
56 | Because of the potential for abuse, this file must have strict permissions: | 56 | Because of the potential for abuse, this file must have strict permissions: |
57 | read/write for the user, and not accessible by others. | 57 | read/write for the user, and not accessible by others. |
@@ -64,7 +64,7 @@ Index: b/auth.c | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/auth.c | 65 | --- a/auth.c |
66 | +++ b/auth.c | 66 | +++ b/auth.c |
67 | @@ -392,8 +392,7 @@ | 67 | @@ -380,8 +380,7 @@ |
68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
69 | if (options.strict_modes && | 69 | if (options.strict_modes && |
70 | (stat(user_hostfile, &st) == 0) && | 70 | (stat(user_hostfile, &st) == 0) && |
@@ -74,7 +74,7 @@ Index: b/auth.c | |||
74 | logit("Authentication refused for %.100s: " | 74 | logit("Authentication refused for %.100s: " |
75 | "bad owner or modes for %.200s", | 75 | "bad owner or modes for %.200s", |
76 | pw->pw_name, user_hostfile); | 76 | pw->pw_name, user_hostfile); |
77 | @@ -454,8 +453,7 @@ | 77 | @@ -442,8 +441,7 @@ |
78 | 78 | ||
79 | /* check the open file to avoid races */ | 79 | /* check the open file to avoid races */ |
80 | if (fstat(fileno(f), &st) < 0 || | 80 | if (fstat(fileno(f), &st) < 0 || |
@@ -84,9 +84,9 @@ Index: b/auth.c | |||
84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 84 | snprintf(err, errlen, "bad ownership or modes for file %s", |
85 | buf); | 85 | buf); |
86 | return -1; | 86 | return -1; |
87 | @@ -471,8 +469,7 @@ | 87 | @@ -458,8 +456,7 @@ |
88 | strlcpy(buf, cp, sizeof(buf)); | ||
88 | 89 | ||
89 | debug3("secure_filename: checking '%s'", buf); | ||
90 | if (stat(buf, &st) < 0 || | 90 | if (stat(buf, &st) < 0 || |
91 | - (st.st_uid != 0 && st.st_uid != uid) || | 91 | - (st.st_uid != 0 && st.st_uid != uid) || |
92 | - (st.st_mode & 022) != 0) { | 92 | - (st.st_mode & 022) != 0) { |
@@ -169,7 +169,7 @@ Index: b/misc.h | |||
169 | =================================================================== | 169 | =================================================================== |
170 | --- a/misc.h | 170 | --- a/misc.h |
171 | +++ b/misc.h | 171 | +++ b/misc.h |
172 | @@ -102,4 +102,6 @@ | 172 | @@ -103,4 +103,6 @@ |
173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
175 | 175 | ||