author | Colin Watson <cjwatson@debian.org> | 2019-04-08 10:51:24 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-04-08 11:00:13 +0100 |
commit | 3d05afd871dd7b44ae567776f2773acc874a63f8 (patch) | |
tree | 16990d4041e647c9cc0cecf67570c42e45baff80 /debian | |
parent | bccee6b32e5bc84128a483dd0f761f0f30fed175 (diff) | |
parent | 6b56cd57db9061296231f14d537f1ebaf25e8877 (diff) |
Temporarily revert IPQoS defaults to pre-7.8 values
This is just until issues with "iptables -m tos" and VMware have been
fixed.
Closes: #923879, #926229
LP: #1822370
Diffstat (limited to 'debian')
-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/README.Debian | 20 | ||||
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/patches/revert-ipqos-defaults.patch | 93 | ||||
-rw-r--r-- | debian/patches/series | 1 |
5 files changed, 124 insertions, 2 deletions
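--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
-7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab
+6b56cd57db9061296231f14d537f1ebaf25e8877
+6b56cd57db9061296231f14d537f1ebaf25e8877
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 3d246f10429fc9a37b98eabef94fe8dc7c61002b
 openssh_7.9p1.orig.tar.gz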
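--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -270,6 +270,26 @@ For further discussion, see:
 
 https://bugs.launchpad.net/bugs/1674330
 
+IPQoS defaults reverted to pre-7.8 values
+-----------------------------------------
+
+OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
+interactive traffic and CS1 for bulk. This caused some problems with other
+software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
+change for the time being.
+
+This is *temporary*, and we expect to come back into sync with upstream
+OpenSSH once those other issues have been fixed. If you want to restore the
+upstream default, add this to ssh_config and sshd_config:
+
+IPQoS af21 cs1
+
+For further discussion, see:
+
+https://bugs.debian.org/923879
+https://bugs.debian.org/926229
+https://bugs.launchpad.net/1822370
+
 --
 Matthew Vernon <matthew@debian.org>
 Colin Watson <cjwatson@debian.org>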
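--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:7.9p1-10) UNRELEASED; urgency=medium
+
+* Temporarily revert IPQoS defaults to pre-7.8 values until issues with
+"iptables -m tos" and VMware have been fixed (closes: #923879, #926229;
+LP: #1822370).
+
+-- Colin Watson <cjwatson@debian.org> Mon, 08 Apr 2019 10:57:05 +0100
+
 openssh (1:7.9p1-9) unstable; urgency=medium
 
 * Apply upstream patch to make scp handle shell-style brace expansions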
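--- /dev/null
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -0,0 +1,93 @@
+From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 8 Apr 2019 10:46:29 +0100
+Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
+AF21 for"
+
+This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
+
+The IPQoS default changes have some unfortunate interactions with
+iptables (see https://bugs.debian.org/923880) and VMware, so I'm
+temporarily reverting them until those have been fixed.
+
+Bug-Debian: https://bugs.debian.org/923879
+Bug-Debian: https://bugs.debian.org/926229
+Bug-Ubuntu: https://bugs.launchpad.net/1822370
+Last-Update: 2019-04-08
+
+Patch-Name: revert-ipqos-defaults.patch
+---
+readconf.c | 4 ++--
+servconf.c | 4 ++--
+ssh_config.5 | 6 ++----
+sshd_config.5 | 6 ++----
+4 files changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 661b8bf40..6d046f063 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2133,9 +2133,9 @@ fill_default_options(Options * options)
+if (options->visual_host_key == -1)
+options->visual_host_key = 0;
+if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+if (options->request_tty == -1)
+options->request_tty = REQUEST_TTY_AUTO;
+if (options->proxy_use_fdpass == -1)
+diff --git a/servconf.c b/servconf.c
+index c5dd617ef..bf2669147 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options)
+if (options->permit_tun == -1)
+options->permit_tun = SSH_TUNMODE_NO;
+if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+if (options->version_addendum == NULL)
+options->version_addendum = xstrdup("");
+if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+diff --git a/ssh_config.5 b/ssh_config.5
+index 1a8e24bd1..f6c1b3b33 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+If two values are specified, the first is automatically selected for
+interactive sessions and the second for non-interactive sessions.
+The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+for non-interactive sessions.
+.It Cm KbdInteractiveAuthentication
+Specifies whether to use keyboard-interactive authentication.
+diff --git a/sshd_config.5 b/sshd_config.5
+index ba50a30f1..03f813e72 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+If two values are specified, the first is automatically selected for
+interactive sessions and the second for non-interactive sessions.
+The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+for non-interactive sessions.
+.It Cm KbdInteractiveAuthentication
+Specifies whether to allow keyboard-interactive authentication.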
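Review bot: The reverted assignments in `fill_default_options` (readconf.c) and `fill_default_server_options` (servconf.c) carry no in-code marker that they are a temporary Debian divergence from upstream, so a later patch refresh could keep or drop them by accident. A one-line comment above each pair, e.g. `/* Debian: pre-7.8 IPQoS defaults restored temporarily, see README.Debian */`, would make that visible to whoever rebases the series. `IPTOS_LOWDELAY` and `IPTOS_THROUGHPUT` are legacy ToS-style values, so equipment that reads the field as DSCP will presumably classify them differently from AF21/CS1; sites whose firewall or QoS rules match on SSH markings are better served by an explicit `IPQoS` line in both ssh_config and sshd_config than by a default that is expected to change back. Both functions begin and end outside the hunks shown.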
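--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ check-filenames-in-scp-client.patch
 fix-key-type-check.patch
 request-rsa-sha2-cert-signatures.patch
 scp-handle-braces.patch
+revert-ipqos-defaults.patch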