diff options
Diffstat (limited to 'debian')
22 files changed, 211 insertions, 152 deletions
diff --git a/debian/changelog b/debian/changelog index 0697fd5ad..b499cde66 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,35 @@ | |||
1 | openssh (1:5.6p1-3) UNRELEASED; urgency=low | ||
2 | |||
3 | * Drop override for desktop-file-but-no-dh_desktop-call, which Lintian no | ||
4 | longer issues. | ||
5 | * Merge 1:5.5p1-6. | ||
6 | |||
7 | -- Colin Watson <cjwatson@debian.org> Tue, 02 Nov 2010 23:00:07 +0000 | ||
8 | |||
9 | openssh (1:5.6p1-2) experimental; urgency=low | ||
10 | |||
11 | * Backport upstream patch to install a SIGCHLD handler to reap expired ssh | ||
12 | child processes, preventing lots of zombies when using ControlPersist | ||
13 | (closes: #594687). | ||
14 | |||
15 | -- Colin Watson <cjwatson@debian.org> Tue, 26 Oct 2010 14:46:40 +0100 | ||
16 | |||
17 | openssh (1:5.6p1-1) experimental; urgency=low | ||
18 | |||
19 | * New upstream release (http://www.openssh.com/txt/release-5.6): | ||
20 | - Added a ControlPersist option to ssh_config(5) that automatically | ||
21 | starts a background ssh(1) multiplex master when connecting. This | ||
22 | connection can stay alive indefinitely, or can be set to automatically | ||
23 | close after a user-specified duration of inactivity (closes: #335697, | ||
24 | #350898, #454787, #500573, #550262). | ||
25 | - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, | ||
26 | HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) | ||
27 | Match blocks (closes: #549858). | ||
28 | - sftp(1): fix ls in working directories that contain globbing | ||
29 | characters in their pathnames (LP: #530714). | ||
30 | |||
31 | -- Colin Watson <cjwatson@debian.org> Tue, 24 Aug 2010 00:37:54 +0100 | ||
32 | |||
1 | openssh (1:5.5p1-6) unstable; urgency=low | 33 | openssh (1:5.5p1-6) unstable; urgency=low |
2 | 34 | ||
3 | * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd, | 35 | * Touch /var/run/sshd/.placeholder in the preinst so that /var/run/sshd, |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index e608bd20d..b0761420e 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -10,15 +10,15 @@ Index: b/servconf.c | |||
10 | =================================================================== | 10 | =================================================================== |
11 | --- a/servconf.c | 11 | --- a/servconf.c |
12 | +++ b/servconf.c | 12 | +++ b/servconf.c |
13 | @@ -135,6 +135,7 @@ | 13 | @@ -136,6 +136,7 @@ |
14 | options->zero_knowledge_password_authentication = -1; | ||
15 | options->revoked_keys_file = NULL; | 14 | options->revoked_keys_file = NULL; |
16 | options->trusted_user_ca_keys = NULL; | 15 | options->trusted_user_ca_keys = NULL; |
16 | options->authorized_principals_file = NULL; | ||
17 | + options->debian_banner = -1; | 17 | + options->debian_banner = -1; |
18 | } | 18 | } |
19 | 19 | ||
20 | void | 20 | void |
21 | @@ -277,6 +278,8 @@ | 21 | @@ -278,6 +279,8 @@ |
22 | options->permit_tun = SSH_TUNMODE_NO; | 22 | options->permit_tun = SSH_TUNMODE_NO; |
23 | if (options->zero_knowledge_password_authentication == -1) | 23 | if (options->zero_knowledge_password_authentication == -1) |
24 | options->zero_knowledge_password_authentication = 0; | 24 | options->zero_knowledge_password_authentication = 0; |
@@ -27,23 +27,23 @@ Index: b/servconf.c | |||
27 | 27 | ||
28 | /* Turn privilege separation on by default */ | 28 | /* Turn privilege separation on by default */ |
29 | if (use_privsep == -1) | 29 | if (use_privsep == -1) |
30 | @@ -325,6 +328,7 @@ | 30 | @@ -326,6 +329,7 @@ |
31 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 31 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
32 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 32 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
33 | sRevokedKeys, sTrustedUserCAKeys, | 33 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
34 | + sDebianBanner, | 34 | + sDebianBanner, |
35 | sDeprecated, sUnsupported | 35 | sDeprecated, sUnsupported |
36 | } ServerOpCodes; | 36 | } ServerOpCodes; |
37 | 37 | ||
38 | @@ -457,6 +461,7 @@ | 38 | @@ -459,6 +463,7 @@ |
39 | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, | ||
40 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | 39 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
41 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | 40 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
41 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, | ||
42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 42 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
43 | { NULL, sBadOption, 0 } | 43 | { NULL, sBadOption, 0 } |
44 | }; | 44 | }; |
45 | 45 | ||
46 | @@ -1386,6 +1391,10 @@ | 46 | @@ -1392,6 +1397,10 @@ |
47 | charptr = &options->revoked_keys_file; | 47 | charptr = &options->revoked_keys_file; |
48 | goto parse_filename; | 48 | goto parse_filename; |
49 | 49 | ||
@@ -85,7 +85,7 @@ Index: b/sshd_config.5 | |||
85 | =================================================================== | 85 | =================================================================== |
86 | --- a/sshd_config.5 | 86 | --- a/sshd_config.5 |
87 | +++ b/sshd_config.5 | 87 | +++ b/sshd_config.5 |
88 | @@ -295,6 +295,11 @@ | 88 | @@ -340,6 +340,11 @@ |
89 | .Dq no . | 89 | .Dq no . |
90 | The default is | 90 | The default is |
91 | .Dq delayed . | 91 | .Dq delayed . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index ac77919e6..2fe365639 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -24,15 +24,15 @@ Index: b/readconf.c | |||
24 | =================================================================== | 24 | =================================================================== |
25 | --- a/readconf.c | 25 | --- a/readconf.c |
26 | +++ b/readconf.c | 26 | +++ b/readconf.c |
27 | @@ -1132,7 +1132,7 @@ | 27 | @@ -1179,7 +1179,7 @@ |
28 | if (options->forward_x11 == -1) | 28 | if (options->forward_x11 == -1) |
29 | options->forward_x11 = 0; | 29 | options->forward_x11 = 0; |
30 | if (options->forward_x11_trusted == -1) | 30 | if (options->forward_x11_trusted == -1) |
31 | - options->forward_x11_trusted = 0; | 31 | - options->forward_x11_trusted = 0; |
32 | + options->forward_x11_trusted = 1; | 32 | + options->forward_x11_trusted = 1; |
33 | if (options->forward_x11_timeout == -1) | ||
34 | options->forward_x11_timeout = 1200; | ||
33 | if (options->exit_on_forward_failure == -1) | 35 | if (options->exit_on_forward_failure == -1) |
34 | options->exit_on_forward_failure = 0; | ||
35 | if (options->xauth_location == NULL) | ||
36 | Index: b/ssh_config | 36 | Index: b/ssh_config |
37 | =================================================================== | 37 | =================================================================== |
38 | --- a/ssh_config | 38 | --- a/ssh_config |
@@ -84,7 +84,7 @@ Index: b/ssh_config.5 | |||
84 | The configuration file has the following format: | 84 | The configuration file has the following format: |
85 | .Pp | 85 | .Pp |
86 | Empty lines and lines starting with | 86 | Empty lines and lines starting with |
87 | @@ -452,7 +468,8 @@ | 87 | @@ -483,7 +499,8 @@ |
88 | Remote clients will be refused access after this time. | 88 | Remote clients will be refused access after this time. |
89 | .Pp | 89 | .Pp |
90 | The default is | 90 | The default is |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 4c555799f..fb522013c 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -8,7 +8,7 @@ Index: b/ssh_config.5 | |||
8 | =================================================================== | 8 | =================================================================== |
9 | --- a/ssh_config.5 | 9 | --- a/ssh_config.5 |
10 | +++ b/ssh_config.5 | 10 | +++ b/ssh_config.5 |
11 | @@ -531,6 +531,9 @@ | 11 | @@ -562,6 +562,9 @@ |
12 | will not be converted automatically, | 12 | will not be converted automatically, |
13 | but may be manually hashed using | 13 | but may be manually hashed using |
14 | .Xr ssh-keygen 1 . | 14 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch index 3ea221834..d88382dcb 100644 --- a/debian/patches/gssapi-autoconf.patch +++ b/debian/patches/gssapi-autoconf.patch | |||
@@ -7,7 +7,7 @@ Index: b/config.h.in | |||
7 | =================================================================== | 7 | =================================================================== |
8 | --- a/config.h.in | 8 | --- a/config.h.in |
9 | +++ b/config.h.in | 9 | +++ b/config.h.in |
10 | @@ -1384,6 +1384,9 @@ | 10 | @@ -1387,6 +1387,9 @@ |
11 | /* Use btmp to log bad logins */ | 11 | /* Use btmp to log bad logins */ |
12 | #undef USE_BTMP | 12 | #undef USE_BTMP |
13 | 13 | ||
@@ -17,7 +17,7 @@ Index: b/config.h.in | |||
17 | /* Use libedit for sftp */ | 17 | /* Use libedit for sftp */ |
18 | #undef USE_LIBEDIT | 18 | #undef USE_LIBEDIT |
19 | 19 | ||
20 | @@ -1396,6 +1399,9 @@ | 20 | @@ -1399,6 +1402,9 @@ |
21 | /* Use PIPES instead of a socketpair() */ | 21 | /* Use PIPES instead of a socketpair() */ |
22 | #undef USE_PIPES | 22 | #undef USE_PIPES |
23 | 23 | ||
diff --git a/debian/patches/gssapi-compat.patch b/debian/patches/gssapi-compat.patch index 369a23360..b93134933 100644 --- a/debian/patches/gssapi-compat.patch +++ b/debian/patches/gssapi-compat.patch | |||
@@ -10,7 +10,7 @@ Index: b/servconf.c | |||
10 | =================================================================== | 10 | =================================================================== |
11 | --- a/servconf.c | 11 | --- a/servconf.c |
12 | +++ b/servconf.c | 12 | +++ b/servconf.c |
13 | @@ -380,16 +380,20 @@ | 13 | @@ -381,16 +381,20 @@ |
14 | #ifdef GSSAPI | 14 | #ifdef GSSAPI |
15 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 15 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
16 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 16 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch index 6e09df484..0969c59b4 100644 --- a/debian/patches/gssapi-dump.patch +++ b/debian/patches/gssapi-dump.patch | |||
@@ -11,7 +11,7 @@ Index: b/servconf.c | |||
11 | =================================================================== | 11 | =================================================================== |
12 | --- a/servconf.c | 12 | --- a/servconf.c |
13 | +++ b/servconf.c | 13 | +++ b/servconf.c |
14 | @@ -1677,7 +1677,10 @@ | 14 | @@ -1688,7 +1688,10 @@ |
15 | #endif | 15 | #endif |
16 | #ifdef GSSAPI | 16 | #ifdef GSSAPI |
17 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 17 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index e39239fbd..778c23023 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -364,7 +364,7 @@ Index: b/clientloop.c | |||
364 | /* import options */ | 364 | /* import options */ |
365 | extern Options options; | 365 | extern Options options; |
366 | 366 | ||
367 | @@ -1431,6 +1435,15 @@ | 367 | @@ -1483,6 +1487,15 @@ |
368 | /* Do channel operations unless rekeying in progress. */ | 368 | /* Do channel operations unless rekeying in progress. */ |
369 | if (!rekeying) { | 369 | if (!rekeying) { |
370 | channel_after_select(readset, writeset); | 370 | channel_after_select(readset, writeset); |
@@ -1918,9 +1918,9 @@ Index: b/key.c | |||
1918 | =================================================================== | 1918 | =================================================================== |
1919 | --- a/key.c | 1919 | --- a/key.c |
1920 | +++ b/key.c | 1920 | +++ b/key.c |
1921 | @@ -982,6 +982,8 @@ | 1921 | @@ -1020,6 +1020,8 @@ |
1922 | return KEY_RSA_CERT; | 1922 | return KEY_RSA_CERT; |
1923 | } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { | 1923 | } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { |
1924 | return KEY_DSA_CERT; | 1924 | return KEY_DSA_CERT; |
1925 | + } else if (strcmp(name, "null") == 0) { | 1925 | + } else if (strcmp(name, "null") == 0) { |
1926 | + return KEY_NULL; | 1926 | + return KEY_NULL; |
@@ -1931,10 +1931,10 @@ Index: b/key.h | |||
1931 | =================================================================== | 1931 | =================================================================== |
1932 | --- a/key.h | 1932 | --- a/key.h |
1933 | +++ b/key.h | 1933 | +++ b/key.h |
1934 | @@ -37,6 +37,7 @@ | 1934 | @@ -39,6 +39,7 @@ |
1935 | KEY_DSA, | ||
1936 | KEY_RSA_CERT, | ||
1937 | KEY_DSA_CERT, | 1935 | KEY_DSA_CERT, |
1936 | KEY_RSA_CERT_V00, | ||
1937 | KEY_DSA_CERT_V00, | ||
1938 | + KEY_NULL, | 1938 | + KEY_NULL, |
1939 | KEY_UNSPEC | 1939 | KEY_UNSPEC |
1940 | }; | 1940 | }; |
@@ -2239,9 +2239,9 @@ Index: b/readconf.c | |||
2239 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2239 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
2240 | + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, | 2240 | + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, |
2241 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2241 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2242 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | 2242 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2243 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | 2243 | oHashKnownHosts, |
2244 | @@ -164,10 +165,18 @@ | 2244 | @@ -166,10 +167,18 @@ |
2245 | { "afstokenpassing", oUnsupported }, | 2245 | { "afstokenpassing", oUnsupported }, |
2246 | #if defined(GSSAPI) | 2246 | #if defined(GSSAPI) |
2247 | { "gssapiauthentication", oGssAuthentication }, | 2247 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2260,7 +2260,7 @@ Index: b/readconf.c | |||
2260 | #endif | 2260 | #endif |
2261 | { "fallbacktorsh", oDeprecated }, | 2261 | { "fallbacktorsh", oDeprecated }, |
2262 | { "usersh", oDeprecated }, | 2262 | { "usersh", oDeprecated }, |
2263 | @@ -456,10 +465,26 @@ | 2263 | @@ -474,10 +483,26 @@ |
2264 | intptr = &options->gss_authentication; | 2264 | intptr = &options->gss_authentication; |
2265 | goto parse_flag; | 2265 | goto parse_flag; |
2266 | 2266 | ||
@@ -2287,7 +2287,7 @@ Index: b/readconf.c | |||
2287 | case oBatchMode: | 2287 | case oBatchMode: |
2288 | intptr = &options->batch_mode; | 2288 | intptr = &options->batch_mode; |
2289 | goto parse_flag; | 2289 | goto parse_flag; |
2290 | @@ -1015,7 +1040,11 @@ | 2290 | @@ -1058,7 +1083,11 @@ |
2291 | options->pubkey_authentication = -1; | 2291 | options->pubkey_authentication = -1; |
2292 | options->challenge_response_authentication = -1; | 2292 | options->challenge_response_authentication = -1; |
2293 | options->gss_authentication = -1; | 2293 | options->gss_authentication = -1; |
@@ -2299,7 +2299,7 @@ Index: b/readconf.c | |||
2299 | options->password_authentication = -1; | 2299 | options->password_authentication = -1; |
2300 | options->kbd_interactive_authentication = -1; | 2300 | options->kbd_interactive_authentication = -1; |
2301 | options->kbd_interactive_devices = NULL; | 2301 | options->kbd_interactive_devices = NULL; |
2302 | @@ -1107,8 +1136,14 @@ | 2302 | @@ -1156,8 +1185,14 @@ |
2303 | options->challenge_response_authentication = 1; | 2303 | options->challenge_response_authentication = 1; |
2304 | if (options->gss_authentication == -1) | 2304 | if (options->gss_authentication == -1) |
2305 | options->gss_authentication = 0; | 2305 | options->gss_authentication = 0; |
@@ -2318,7 +2318,7 @@ Index: b/readconf.h | |||
2318 | =================================================================== | 2318 | =================================================================== |
2319 | --- a/readconf.h | 2319 | --- a/readconf.h |
2320 | +++ b/readconf.h | 2320 | +++ b/readconf.h |
2321 | @@ -44,7 +44,11 @@ | 2321 | @@ -46,7 +46,11 @@ |
2322 | int challenge_response_authentication; | 2322 | int challenge_response_authentication; |
2323 | /* Try S/Key or TIS, authentication. */ | 2323 | /* Try S/Key or TIS, authentication. */ |
2324 | int gss_authentication; /* Try GSS authentication */ | 2324 | int gss_authentication; /* Try GSS authentication */ |
@@ -2345,7 +2345,7 @@ Index: b/servconf.c | |||
2345 | options->password_authentication = -1; | 2345 | options->password_authentication = -1; |
2346 | options->kbd_interactive_authentication = -1; | 2346 | options->kbd_interactive_authentication = -1; |
2347 | options->challenge_response_authentication = -1; | 2347 | options->challenge_response_authentication = -1; |
2348 | @@ -214,8 +217,14 @@ | 2348 | @@ -215,8 +218,14 @@ |
2349 | options->kerberos_get_afs_token = 0; | 2349 | options->kerberos_get_afs_token = 0; |
2350 | if (options->gss_authentication == -1) | 2350 | if (options->gss_authentication == -1) |
2351 | options->gss_authentication = 0; | 2351 | options->gss_authentication = 0; |
@@ -2360,7 +2360,7 @@ Index: b/servconf.c | |||
2360 | if (options->password_authentication == -1) | 2360 | if (options->password_authentication == -1) |
2361 | options->password_authentication = 1; | 2361 | options->password_authentication = 1; |
2362 | if (options->kbd_interactive_authentication == -1) | 2362 | if (options->kbd_interactive_authentication == -1) |
2363 | @@ -306,7 +315,9 @@ | 2363 | @@ -307,7 +316,9 @@ |
2364 | sBanner, sUseDNS, sHostbasedAuthentication, | 2364 | sBanner, sUseDNS, sHostbasedAuthentication, |
2365 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2365 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2366 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 2366 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
@@ -2371,7 +2371,7 @@ Index: b/servconf.c | |||
2371 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2371 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2372 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2372 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2373 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2373 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2374 | @@ -369,9 +380,15 @@ | 2374 | @@ -370,9 +381,15 @@ |
2375 | #ifdef GSSAPI | 2375 | #ifdef GSSAPI |
2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2376 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2377 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2387,7 +2387,7 @@ Index: b/servconf.c | |||
2387 | #endif | 2387 | #endif |
2388 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2388 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2389 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2389 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2390 | @@ -924,10 +941,22 @@ | 2390 | @@ -926,10 +943,22 @@ |
2391 | intptr = &options->gss_authentication; | 2391 | intptr = &options->gss_authentication; |
2392 | goto parse_flag; | 2392 | goto parse_flag; |
2393 | 2393 | ||
@@ -2543,7 +2543,7 @@ Index: b/ssh_config.5 | |||
2543 | =================================================================== | 2543 | =================================================================== |
2544 | --- a/ssh_config.5 | 2544 | --- a/ssh_config.5 |
2545 | +++ b/ssh_config.5 | 2545 | +++ b/ssh_config.5 |
2546 | @@ -478,11 +478,38 @@ | 2546 | @@ -509,11 +509,38 @@ |
2547 | The default is | 2547 | The default is |
2548 | .Dq no . | 2548 | .Dq no . |
2549 | Note that this option applies to protocol version 2 only. | 2549 | Note that this option applies to protocol version 2 only. |
@@ -2794,7 +2794,7 @@ Index: b/sshd.c | |||
2794 | #ifdef LIBWRAP | 2794 | #ifdef LIBWRAP |
2795 | #include <tcpd.h> | 2795 | #include <tcpd.h> |
2796 | #include <syslog.h> | 2796 | #include <syslog.h> |
2797 | @@ -1577,10 +1581,13 @@ | 2797 | @@ -1586,10 +1590,13 @@ |
2798 | logit("Disabling protocol version 1. Could not load host key"); | 2798 | logit("Disabling protocol version 1. Could not load host key"); |
2799 | options.protocol &= ~SSH_PROTO_1; | 2799 | options.protocol &= ~SSH_PROTO_1; |
2800 | } | 2800 | } |
@@ -2808,7 +2808,7 @@ Index: b/sshd.c | |||
2808 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2808 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2809 | logit("sshd: no hostkeys available -- exiting."); | 2809 | logit("sshd: no hostkeys available -- exiting."); |
2810 | exit(1); | 2810 | exit(1); |
2811 | @@ -1909,6 +1916,60 @@ | 2811 | @@ -1918,6 +1925,60 @@ |
2812 | /* Log the connection. */ | 2812 | /* Log the connection. */ |
2813 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2813 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2814 | 2814 | ||
@@ -2869,7 +2869,7 @@ Index: b/sshd.c | |||
2869 | /* | 2869 | /* |
2870 | * We don't want to listen forever unless the other side | 2870 | * We don't want to listen forever unless the other side |
2871 | * successfully authenticates itself. So we set up an alarm which is | 2871 | * successfully authenticates itself. So we set up an alarm which is |
2872 | @@ -2287,12 +2348,61 @@ | 2872 | @@ -2296,12 +2357,61 @@ |
2873 | 2873 | ||
2874 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2874 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2875 | 2875 | ||
@@ -2948,7 +2948,7 @@ Index: b/sshd_config.5 | |||
2948 | =================================================================== | 2948 | =================================================================== |
2949 | --- a/sshd_config.5 | 2949 | --- a/sshd_config.5 |
2950 | +++ b/sshd_config.5 | 2950 | +++ b/sshd_config.5 |
2951 | @@ -379,12 +379,40 @@ | 2951 | @@ -424,12 +424,40 @@ |
2952 | The default is | 2952 | The default is |
2953 | .Dq no . | 2953 | .Dq no . |
2954 | Note that this option applies to protocol version 2 only. | 2954 | Note that this option applies to protocol version 2 only. |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 36335f475..9e1705719 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -18,15 +18,15 @@ Index: b/readconf.c | |||
18 | =================================================================== | 18 | =================================================================== |
19 | --- a/readconf.c | 19 | --- a/readconf.c |
20 | +++ b/readconf.c | 20 | +++ b/readconf.c |
21 | @@ -133,6 +133,7 @@ | 21 | @@ -134,6 +134,7 @@ |
22 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | 22 | oHashKnownHosts, |
23 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | 23 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, |
24 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, | 24 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, |
25 | + oProtocolKeepAlives, oSetupTimeOut, | 25 | + oProtocolKeepAlives, oSetupTimeOut, |
26 | oDeprecated, oUnsupported | 26 | oDeprecated, oUnsupported |
27 | } OpCodes; | 27 | } OpCodes; |
28 | 28 | ||
29 | @@ -248,6 +249,8 @@ | 29 | @@ -251,6 +252,8 @@ |
30 | #else | 30 | #else |
31 | { "zeroknowledgepasswordauthentication", oUnsupported }, | 31 | { "zeroknowledgepasswordauthentication", oUnsupported }, |
32 | #endif | 32 | #endif |
@@ -35,7 +35,7 @@ Index: b/readconf.c | |||
35 | 35 | ||
36 | { NULL, oBadOption } | 36 | { NULL, oBadOption } |
37 | }; | 37 | }; |
38 | @@ -847,6 +850,8 @@ | 38 | @@ -865,6 +868,8 @@ |
39 | goto parse_flag; | 39 | goto parse_flag; |
40 | 40 | ||
41 | case oServerAliveInterval: | 41 | case oServerAliveInterval: |
@@ -44,7 +44,7 @@ Index: b/readconf.c | |||
44 | intptr = &options->server_alive_interval; | 44 | intptr = &options->server_alive_interval; |
45 | goto parse_time; | 45 | goto parse_time; |
46 | 46 | ||
47 | @@ -1235,8 +1240,13 @@ | 47 | @@ -1284,8 +1289,13 @@ |
48 | options->rekey_limit = 0; | 48 | options->rekey_limit = 0; |
49 | if (options->verify_host_key_dns == -1) | 49 | if (options->verify_host_key_dns == -1) |
50 | options->verify_host_key_dns = 0; | 50 | options->verify_host_key_dns = 0; |
@@ -78,7 +78,7 @@ Index: b/ssh_config.5 | |||
78 | The argument must be | 78 | The argument must be |
79 | .Dq yes | 79 | .Dq yes |
80 | or | 80 | or |
81 | @@ -963,8 +967,15 @@ | 81 | @@ -994,8 +998,15 @@ |
82 | will send a message through the encrypted | 82 | will send a message through the encrypted |
83 | channel to request a response from the server. | 83 | channel to request a response from the server. |
84 | The default | 84 | The default |
@@ -95,7 +95,7 @@ Index: b/ssh_config.5 | |||
95 | .It Cm StrictHostKeyChecking | 95 | .It Cm StrictHostKeyChecking |
96 | If this flag is set to | 96 | If this flag is set to |
97 | .Dq yes , | 97 | .Dq yes , |
98 | @@ -1003,6 +1014,12 @@ | 98 | @@ -1034,6 +1045,12 @@ |
99 | other side. | 99 | other side. |
100 | If they are sent, death of the connection or crash of one | 100 | If they are sent, death of the connection or crash of one |
101 | of the machines will be properly noticed. | 101 | of the machines will be properly noticed. |
@@ -112,7 +112,7 @@ Index: b/sshd_config.5 | |||
112 | =================================================================== | 112 | =================================================================== |
113 | --- a/sshd_config.5 | 113 | --- a/sshd_config.5 |
114 | +++ b/sshd_config.5 | 114 | +++ b/sshd_config.5 |
115 | @@ -936,6 +936,9 @@ | 115 | @@ -985,6 +985,9 @@ |
116 | .Pp | 116 | .Pp |
117 | To disable TCP keepalive messages, the value should be set to | 117 | To disable TCP keepalive messages, the value should be set to |
118 | .Dq no . | 118 | .Dq no . |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index dea370a1b..de63e46f8 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -34,7 +34,7 @@ Index: b/ssh-keygen.1 | |||
34 | =================================================================== | 34 | =================================================================== |
35 | --- a/ssh-keygen.1 | 35 | --- a/ssh-keygen.1 |
36 | +++ b/ssh-keygen.1 | 36 | +++ b/ssh-keygen.1 |
37 | @@ -145,9 +145,7 @@ | 37 | @@ -148,9 +148,7 @@ |
38 | .Pa ~/.ssh/id_dsa | 38 | .Pa ~/.ssh/id_dsa |
39 | or | 39 | or |
40 | .Pa ~/.ssh/id_rsa . | 40 | .Pa ~/.ssh/id_rsa . |
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1 | |||
45 | .Pp | 45 | .Pp |
46 | Normally this program generates the key and asks for a file in which | 46 | Normally this program generates the key and asks for a file in which |
47 | to store the private key. | 47 | to store the private key. |
48 | @@ -367,9 +365,7 @@ | 48 | @@ -394,9 +392,7 @@ |
49 | .It Fl q | 49 | .It Fl q |
50 | Silence | 50 | Silence |
51 | .Nm ssh-keygen . | 51 | .Nm ssh-keygen . |
@@ -60,7 +60,7 @@ Index: b/ssh.1 | |||
60 | =================================================================== | 60 | =================================================================== |
61 | --- a/ssh.1 | 61 | --- a/ssh.1 |
62 | +++ b/ssh.1 | 62 | +++ b/ssh.1 |
63 | @@ -762,6 +762,10 @@ | 63 | @@ -728,6 +728,10 @@ |
64 | .Sx HISTORY | 64 | .Sx HISTORY |
65 | section of | 65 | section of |
66 | .Xr ssl 8 | 66 | .Xr ssl 8 |
@@ -84,7 +84,7 @@ Index: b/sshd.8 | |||
84 | It forks a new | 84 | It forks a new |
85 | daemon for each incoming connection. | 85 | daemon for each incoming connection. |
86 | The forked daemons handle | 86 | The forked daemons handle |
87 | @@ -835,7 +835,7 @@ | 87 | @@ -845,7 +845,7 @@ |
88 | .Xr ssh 1 ) . | 88 | .Xr ssh 1 ) . |
89 | It should only be writable by root. | 89 | It should only be writable by root. |
90 | .Pp | 90 | .Pp |
@@ -93,7 +93,7 @@ Index: b/sshd.8 | |||
93 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 93 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
94 | The file format is described in | 94 | The file format is described in |
95 | .Xr moduli 5 . | 95 | .Xr moduli 5 . |
96 | @@ -931,7 +931,6 @@ | 96 | @@ -941,7 +941,6 @@ |
97 | .Xr ssh-vulnkey 1 , | 97 | .Xr ssh-vulnkey 1 , |
98 | .Xr chroot 2 , | 98 | .Xr chroot 2 , |
99 | .Xr hosts_access 5 , | 99 | .Xr hosts_access 5 , |
@@ -105,7 +105,7 @@ Index: b/sshd_config.5 | |||
105 | =================================================================== | 105 | =================================================================== |
106 | --- a/sshd_config.5 | 106 | --- a/sshd_config.5 |
107 | +++ b/sshd_config.5 | 107 | +++ b/sshd_config.5 |
108 | @@ -177,8 +177,7 @@ | 108 | @@ -222,8 +222,7 @@ |
109 | By default, no banner is displayed. | 109 | By default, no banner is displayed. |
110 | .It Cm ChallengeResponseAuthentication | 110 | .It Cm ChallengeResponseAuthentication |
111 | Specifies whether challenge-response authentication is allowed (e.g. via | 111 | Specifies whether challenge-response authentication is allowed (e.g. via |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index f45cc6968..67e014002 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -38,7 +38,7 @@ Index: b/version.h | |||
38 | --- a/version.h | 38 | --- a/version.h |
39 | +++ b/version.h | 39 | +++ b/version.h |
40 | @@ -3,4 +3,9 @@ | 40 | @@ -3,4 +3,9 @@ |
41 | #define SSH_VERSION "OpenSSH_5.5" | 41 | #define SSH_VERSION "OpenSSH_5.6" |
42 | 42 | ||
43 | #define SSH_PORTABLE "p1" | 43 | #define SSH_PORTABLE "p1" |
44 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 44 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index 96a26cf7e..f8bc5fd4e 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -16,7 +16,7 @@ Index: b/clientloop.c | |||
16 | =================================================================== | 16 | =================================================================== |
17 | --- a/clientloop.c | 17 | --- a/clientloop.c |
18 | +++ b/clientloop.c | 18 | +++ b/clientloop.c |
19 | @@ -1530,8 +1530,10 @@ | 19 | @@ -1594,8 +1594,10 @@ |
20 | exit_status = 0; | 20 | exit_status = 0; |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index 99702c317..3f06225ad 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -11,7 +11,7 @@ Index: b/scp.c | |||
11 | =================================================================== | 11 | =================================================================== |
12 | --- a/scp.c | 12 | --- a/scp.c |
13 | +++ b/scp.c | 13 | +++ b/scp.c |
14 | @@ -168,8 +168,16 @@ | 14 | @@ -182,8 +182,16 @@ |
15 | 15 | ||
16 | if (verbose_mode) { | 16 | if (verbose_mode) { |
17 | fprintf(stderr, "Executing:"); | 17 | fprintf(stderr, "Executing:"); |
diff --git a/debian/patches/series b/debian/patches/series index 699dbaa98..f3c6a87e0 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -23,7 +23,6 @@ helpful-wait-terminate.patch | |||
23 | user-group-modes.patch | 23 | user-group-modes.patch |
24 | scp-quoting.patch | 24 | scp-quoting.patch |
25 | shell-path.patch | 25 | shell-path.patch |
26 | ssh-copy-id-trailing-colons.patch | ||
27 | dnssec-sshfp.patch | 26 | dnssec-sshfp.patch |
28 | 27 | ||
29 | # Versioning | 28 | # Versioning |
@@ -42,3 +41,4 @@ doc-hash-tab-completion.patch | |||
42 | # Debian-specific configuration | 41 | # Debian-specific configuration |
43 | gnome-ssh-askpass2-icon.patch | 42 | gnome-ssh-askpass2-icon.patch |
44 | debian-config.patch | 43 | debian-config.patch |
44 | ssh-sigchld.patch | ||
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 851687dfd..4a651bfa1 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -11,7 +11,7 @@ Index: b/ssh.1 | |||
11 | =================================================================== | 11 | =================================================================== |
12 | --- a/ssh.1 | 12 | --- a/ssh.1 |
13 | +++ b/ssh.1 | 13 | +++ b/ssh.1 |
14 | @@ -1430,6 +1430,7 @@ | 14 | @@ -1396,6 +1396,7 @@ |
15 | .Xr sftp 1 , | 15 | .Xr sftp 1 , |
16 | .Xr ssh-add 1 , | 16 | .Xr ssh-add 1 , |
17 | .Xr ssh-agent 1 , | 17 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-copy-id-trailing-colons.patch b/debian/patches/ssh-copy-id-trailing-colons.patch deleted file mode 100644 index 1063fc6bb..000000000 --- a/debian/patches/ssh-copy-id-trailing-colons.patch +++ /dev/null | |||
@@ -1,25 +0,0 @@ | |||
1 | Description: ssh-copy-id: Strip trailing colons from hostname | ||
2 | Author: Karl Goetz <karl@kgoetz.id.au> | ||
3 | Author: Colin Watson <cjwatson@debian.org> | ||
4 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1530 | ||
5 | Bug-Debian: http://bugs.debian.org/226172 | ||
6 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/249706 | ||
7 | Last-Update: 2010-02-27 | ||
8 | |||
9 | Index: b/contrib/ssh-copy-id | ||
10 | =================================================================== | ||
11 | --- a/contrib/ssh-copy-id | ||
12 | +++ b/contrib/ssh-copy-id | ||
13 | @@ -38,10 +38,10 @@ | ||
14 | exit 1 | ||
15 | fi | ||
16 | |||
17 | -{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 | ||
18 | +{ eval "$GET_ID" ; } | ssh ${1%:} "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 | ||
19 | |||
20 | cat <<EOF | ||
21 | -Now try logging into the machine, with "ssh '$1'", and check in: | ||
22 | +Now try logging into the machine, with "ssh '${1%:}'", and check in: | ||
23 | |||
24 | .ssh/authorized_keys | ||
25 | |||
diff --git a/debian/patches/ssh-sigchld.patch b/debian/patches/ssh-sigchld.patch new file mode 100644 index 000000000..21d286b21 --- /dev/null +++ b/debian/patches/ssh-sigchld.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | Description: Install a SIGCHLD handler to reap expired child processes | ||
2 | Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6166 | ||
3 | Bug-Debian: http://bugs.debian.org/594687 | ||
4 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1812 | ||
5 | Forwarded: not-needed | ||
6 | Last-Update: 2010-10-26 | ||
7 | |||
8 | Index: b/ssh.c | ||
9 | =================================================================== | ||
10 | --- a/ssh.c | ||
11 | +++ b/ssh.c | ||
12 | @@ -50,6 +50,7 @@ | ||
13 | #include <sys/ioctl.h> | ||
14 | #include <sys/param.h> | ||
15 | #include <sys/socket.h> | ||
16 | +#include <sys/wait.h> | ||
17 | |||
18 | #include <ctype.h> | ||
19 | #include <errno.h> | ||
20 | @@ -210,6 +211,7 @@ | ||
21 | static int ssh_session(void); | ||
22 | static int ssh_session2(void); | ||
23 | static void load_public_identity_files(void); | ||
24 | +static void main_sigchld_handler(int); | ||
25 | |||
26 | /* from muxclient.c */ | ||
27 | void muxclient(const char *); | ||
28 | @@ -849,6 +851,7 @@ | ||
29 | tilde_expand_filename(options.user_hostfile2, original_real_uid); | ||
30 | |||
31 | signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ | ||
32 | + signal(SIGCHLD, main_sigchld_handler); | ||
33 | |||
34 | /* Log into the remote system. Never returns if the login fails. */ | ||
35 | ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, | ||
36 | @@ -1532,3 +1535,19 @@ | ||
37 | bzero(pwdir, strlen(pwdir)); | ||
38 | xfree(pwdir); | ||
39 | } | ||
40 | + | ||
41 | +static void | ||
42 | +main_sigchld_handler(int sig) | ||
43 | +{ | ||
44 | + int save_errno = errno; | ||
45 | + pid_t pid; | ||
46 | + int status; | ||
47 | + | ||
48 | + while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || | ||
49 | + (pid < 0 && errno == EINTR)) | ||
50 | + ; | ||
51 | + | ||
52 | + signal(sig, main_sigchld_handler); | ||
53 | + errno = save_errno; | ||
54 | +} | ||
55 | + | ||
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index af56dc031..81c225a7f 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -132,7 +132,7 @@ Index: b/auth.c | |||
132 | #include "auth.h" | 132 | #include "auth.h" |
133 | #include "auth-options.h" | 133 | #include "auth-options.h" |
134 | #include "canohost.h" | 134 | #include "canohost.h" |
135 | @@ -593,10 +594,34 @@ | 135 | @@ -615,10 +616,34 @@ |
136 | 136 | ||
137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
138 | int | 138 | int |
@@ -172,10 +172,10 @@ Index: b/auth.h | |||
172 | =================================================================== | 172 | =================================================================== |
173 | --- a/auth.h | 173 | --- a/auth.h |
174 | +++ b/auth.h | 174 | +++ b/auth.h |
175 | @@ -173,7 +173,7 @@ | 175 | @@ -175,7 +175,7 @@ |
176 | char *authorized_keys_file2(struct passwd *); | ||
177 | 176 | ||
178 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 177 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
178 | FILE *auth_openprincipals(const char *, struct passwd *, int); | ||
179 | -int auth_key_is_revoked(Key *); | 179 | -int auth_key_is_revoked(Key *); |
180 | +int auth_key_is_revoked(Key *, int); | 180 | +int auth_key_is_revoked(Key *, int); |
181 | 181 | ||
@@ -185,9 +185,9 @@ Index: b/auth2-hostbased.c | |||
185 | =================================================================== | 185 | =================================================================== |
186 | --- a/auth2-hostbased.c | 186 | --- a/auth2-hostbased.c |
187 | +++ b/auth2-hostbased.c | 187 | +++ b/auth2-hostbased.c |
188 | @@ -145,7 +145,7 @@ | 188 | @@ -146,7 +146,7 @@ |
189 | HostStatus host_status; | ||
190 | int len; | 189 | int len; |
190 | char *fp; | ||
191 | 191 | ||
192 | - if (auth_key_is_revoked(key)) | 192 | - if (auth_key_is_revoked(key)) |
193 | + if (auth_key_is_revoked(key, 0)) | 193 | + if (auth_key_is_revoked(key, 0)) |
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c | |||
198 | =================================================================== | 198 | =================================================================== |
199 | --- a/auth2-pubkey.c | 199 | --- a/auth2-pubkey.c |
200 | +++ b/auth2-pubkey.c | 200 | +++ b/auth2-pubkey.c |
201 | @@ -328,9 +328,10 @@ | 201 | @@ -439,9 +439,10 @@ |
202 | int success; | 202 | int success; |
203 | char *file; | 203 | char *file; |
204 | 204 | ||
@@ -223,13 +223,13 @@ Index: b/authfile.c | |||
223 | 223 | ||
224 | /* Version identification string for SSH v1 identity files. */ | 224 | /* Version identification string for SSH v1 identity files. */ |
225 | static const char authfile_id_string[] = | 225 | static const char authfile_id_string[] = |
226 | @@ -754,3 +755,140 @@ | 226 | @@ -814,3 +815,140 @@ |
227 | return ret; | 227 | return ret; |
228 | } | 228 | } |
229 | 229 | ||
230 | +/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ | 230 | +/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ |
231 | +static int | 231 | +static int |
232 | +blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp) | 232 | +blacklisted_key_in_file(Key *key, const char *blacklist_file, char **fp) |
233 | +{ | 233 | +{ |
234 | + int fd = -1; | 234 | + int fd = -1; |
235 | + char *dgst_hex = NULL; | 235 | + char *dgst_hex = NULL; |
@@ -334,7 +334,7 @@ Index: b/authfile.c | |||
334 | + * its fingerprint is returned in *fp, unless fp is NULL. | 334 | + * its fingerprint is returned in *fp, unless fp is NULL. |
335 | + */ | 335 | + */ |
336 | +int | 336 | +int |
337 | +blacklisted_key(const Key *key, char **fp) | 337 | +blacklisted_key(Key *key, char **fp) |
338 | +{ | 338 | +{ |
339 | + Key *public; | 339 | + Key *public; |
340 | + char *blacklist_file; | 340 | + char *blacklist_file; |
@@ -368,11 +368,11 @@ Index: b/authfile.h | |||
368 | =================================================================== | 368 | =================================================================== |
369 | --- a/authfile.h | 369 | --- a/authfile.h |
370 | +++ b/authfile.h | 370 | +++ b/authfile.h |
371 | @@ -24,4 +24,6 @@ | 371 | @@ -26,4 +26,6 @@ |
372 | int key_perm_ok(int, const char *); | 372 | int key_perm_ok(int, const char *); |
373 | int key_in_file(Key *, const char *, int); | 373 | int key_in_file(Key *, const char *, int); |
374 | 374 | ||
375 | +int blacklisted_key(const Key *key, char **fp); | 375 | +int blacklisted_key(Key *key, char **fp); |
376 | + | 376 | + |
377 | #endif | 377 | #endif |
378 | Index: b/pathnames.h | 378 | Index: b/pathnames.h |
@@ -412,7 +412,7 @@ Index: b/readconf.c | |||
412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | 412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, |
413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
415 | @@ -152,6 +153,7 @@ | 415 | @@ -154,6 +155,7 @@ |
416 | { "passwordauthentication", oPasswordAuthentication }, | 416 | { "passwordauthentication", oPasswordAuthentication }, |
417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
@@ -420,7 +420,7 @@ Index: b/readconf.c | |||
420 | { "rsaauthentication", oRSAAuthentication }, | 420 | { "rsaauthentication", oRSAAuthentication }, |
421 | { "pubkeyauthentication", oPubkeyAuthentication }, | 421 | { "pubkeyauthentication", oPubkeyAuthentication }, |
422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
423 | @@ -461,6 +463,10 @@ | 423 | @@ -479,6 +481,10 @@ |
424 | intptr = &options->challenge_response_authentication; | 424 | intptr = &options->challenge_response_authentication; |
425 | goto parse_flag; | 425 | goto parse_flag; |
426 | 426 | ||
@@ -431,7 +431,7 @@ Index: b/readconf.c | |||
431 | case oGssAuthentication: | 431 | case oGssAuthentication: |
432 | intptr = &options->gss_authentication; | 432 | intptr = &options->gss_authentication; |
433 | goto parse_flag; | 433 | goto parse_flag; |
434 | @@ -1050,6 +1056,7 @@ | 434 | @@ -1093,6 +1099,7 @@ |
435 | options->kbd_interactive_devices = NULL; | 435 | options->kbd_interactive_devices = NULL; |
436 | options->rhosts_rsa_authentication = -1; | 436 | options->rhosts_rsa_authentication = -1; |
437 | options->hostbased_authentication = -1; | 437 | options->hostbased_authentication = -1; |
@@ -439,7 +439,7 @@ Index: b/readconf.c | |||
439 | options->batch_mode = -1; | 439 | options->batch_mode = -1; |
440 | options->check_host_ip = -1; | 440 | options->check_host_ip = -1; |
441 | options->strict_host_key_checking = -1; | 441 | options->strict_host_key_checking = -1; |
442 | @@ -1152,6 +1159,8 @@ | 442 | @@ -1201,6 +1208,8 @@ |
443 | options->rhosts_rsa_authentication = 0; | 443 | options->rhosts_rsa_authentication = 0; |
444 | if (options->hostbased_authentication == -1) | 444 | if (options->hostbased_authentication == -1) |
445 | options->hostbased_authentication = 0; | 445 | options->hostbased_authentication = 0; |
@@ -452,7 +452,7 @@ Index: b/readconf.h | |||
452 | =================================================================== | 452 | =================================================================== |
453 | --- a/readconf.h | 453 | --- a/readconf.h |
454 | +++ b/readconf.h | 454 | +++ b/readconf.h |
455 | @@ -54,6 +54,7 @@ | 455 | @@ -56,6 +56,7 @@ |
456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
458 | int zero_knowledge_password_authentication; /* Try jpake */ | 458 | int zero_knowledge_password_authentication; /* Try jpake */ |
@@ -472,7 +472,7 @@ Index: b/servconf.c | |||
472 | options->permit_empty_passwd = -1; | 472 | options->permit_empty_passwd = -1; |
473 | options->permit_user_env = -1; | 473 | options->permit_user_env = -1; |
474 | options->use_login = -1; | 474 | options->use_login = -1; |
475 | @@ -231,6 +232,8 @@ | 475 | @@ -232,6 +233,8 @@ |
476 | options->kbd_interactive_authentication = 0; | 476 | options->kbd_interactive_authentication = 0; |
477 | if (options->challenge_response_authentication == -1) | 477 | if (options->challenge_response_authentication == -1) |
478 | options->challenge_response_authentication = 1; | 478 | options->challenge_response_authentication = 1; |
@@ -481,7 +481,7 @@ Index: b/servconf.c | |||
481 | if (options->permit_empty_passwd == -1) | 481 | if (options->permit_empty_passwd == -1) |
482 | options->permit_empty_passwd = 0; | 482 | options->permit_empty_passwd = 0; |
483 | if (options->permit_user_env == -1) | 483 | if (options->permit_user_env == -1) |
484 | @@ -306,7 +309,7 @@ | 484 | @@ -307,7 +310,7 @@ |
485 | sListenAddress, sAddressFamily, | 485 | sListenAddress, sAddressFamily, |
486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -490,7 +490,7 @@ Index: b/servconf.c | |||
490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
493 | @@ -415,6 +418,7 @@ | 493 | @@ -416,6 +419,7 @@ |
494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
@@ -498,7 +498,7 @@ Index: b/servconf.c | |||
498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
501 | @@ -1009,6 +1013,10 @@ | 501 | @@ -1011,6 +1015,10 @@ |
502 | intptr = &options->tcp_keep_alive; | 502 | intptr = &options->tcp_keep_alive; |
503 | goto parse_flag; | 503 | goto parse_flag; |
504 | 504 | ||
@@ -509,7 +509,7 @@ Index: b/servconf.c | |||
509 | case sEmptyPasswd: | 509 | case sEmptyPasswd: |
510 | intptr = &options->permit_empty_passwd; | 510 | intptr = &options->permit_empty_passwd; |
511 | goto parse_flag; | 511 | goto parse_flag; |
512 | @@ -1697,6 +1705,7 @@ | 512 | @@ -1708,6 +1716,7 @@ |
513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1 | |||
584 | =================================================================== | 584 | =================================================================== |
585 | --- a/ssh-keygen.1 | 585 | --- a/ssh-keygen.1 |
586 | +++ b/ssh-keygen.1 | 586 | +++ b/ssh-keygen.1 |
587 | @@ -628,6 +628,7 @@ | 587 | @@ -669,6 +669,7 @@ |
588 | .Xr ssh 1 , | 588 | .Xr ssh 1 , |
589 | .Xr ssh-add 1 , | 589 | .Xr ssh-add 1 , |
590 | .Xr ssh-agent 1 , | 590 | .Xr ssh-agent 1 , |
@@ -925,9 +925,9 @@ Index: b/ssh-vulnkey.c | |||
925 | + exit(1); | 925 | + exit(1); |
926 | +} | 926 | +} |
927 | + | 927 | + |
928 | +void | 928 | +static void |
929 | +describe_key(const char *filename, u_long linenum, const char *msg, | 929 | +describe_key(const char *filename, u_long linenum, const char *msg, |
930 | + const Key *key, const char *comment, int min_verbosity) | 930 | + Key *key, const char *comment, int min_verbosity) |
931 | +{ | 931 | +{ |
932 | + char *fp; | 932 | + char *fp; |
933 | + | 933 | + |
@@ -943,9 +943,9 @@ Index: b/ssh-vulnkey.c | |||
943 | + xfree(fp); | 943 | + xfree(fp); |
944 | +} | 944 | +} |
945 | + | 945 | + |
946 | +int | 946 | +static int |
947 | +do_key(const char *filename, u_long linenum, | 947 | +do_key(const char *filename, u_long linenum, |
948 | + const Key *key, const char *comment) | 948 | + Key *key, const char *comment) |
949 | +{ | 949 | +{ |
950 | + Key *public; | 950 | + Key *public; |
951 | + int blacklist_status; | 951 | + int blacklist_status; |
@@ -976,7 +976,7 @@ Index: b/ssh-vulnkey.c | |||
976 | + return ret; | 976 | + return ret; |
977 | +} | 977 | +} |
978 | + | 978 | + |
979 | +int | 979 | +static int |
980 | +do_filename(const char *filename, int quiet_open) | 980 | +do_filename(const char *filename, int quiet_open) |
981 | +{ | 981 | +{ |
982 | + FILE *f; | 982 | + FILE *f; |
@@ -1100,7 +1100,7 @@ Index: b/ssh-vulnkey.c | |||
1100 | + return ret; | 1100 | + return ret; |
1101 | +} | 1101 | +} |
1102 | + | 1102 | + |
1103 | +int | 1103 | +static int |
1104 | +do_host(int quiet_open) | 1104 | +do_host(int quiet_open) |
1105 | +{ | 1105 | +{ |
1106 | + int i; | 1106 | + int i; |
@@ -1117,7 +1117,7 @@ Index: b/ssh-vulnkey.c | |||
1117 | + return ret; | 1117 | + return ret; |
1118 | +} | 1118 | +} |
1119 | + | 1119 | + |
1120 | +int | 1120 | +static int |
1121 | +do_user(const char *dir) | 1121 | +do_user(const char *dir) |
1122 | +{ | 1122 | +{ |
1123 | + int i; | 1123 | + int i; |
@@ -1236,7 +1236,7 @@ Index: b/ssh.1 | |||
1236 | =================================================================== | 1236 | =================================================================== |
1237 | --- a/ssh.1 | 1237 | --- a/ssh.1 |
1238 | +++ b/ssh.1 | 1238 | +++ b/ssh.1 |
1239 | @@ -1426,6 +1426,7 @@ | 1239 | @@ -1392,6 +1392,7 @@ |
1240 | .Xr ssh-agent 1 , | 1240 | .Xr ssh-agent 1 , |
1241 | .Xr ssh-keygen 1 , | 1241 | .Xr ssh-keygen 1 , |
1242 | .Xr ssh-keyscan 1 , | 1242 | .Xr ssh-keyscan 1 , |
@@ -1248,7 +1248,7 @@ Index: b/ssh.c | |||
1248 | =================================================================== | 1248 | =================================================================== |
1249 | --- a/ssh.c | 1249 | --- a/ssh.c |
1250 | +++ b/ssh.c | 1250 | +++ b/ssh.c |
1251 | @@ -1301,7 +1301,7 @@ | 1251 | @@ -1422,7 +1422,7 @@ |
1252 | static void | 1252 | static void |
1253 | load_public_identity_files(void) | 1253 | load_public_identity_files(void) |
1254 | { | 1254 | { |
@@ -1257,7 +1257,7 @@ Index: b/ssh.c | |||
1257 | char *pwdir = NULL, *pwname = NULL; | 1257 | char *pwdir = NULL, *pwname = NULL; |
1258 | int i = 0; | 1258 | int i = 0; |
1259 | Key *public; | 1259 | Key *public; |
1260 | @@ -1358,6 +1358,22 @@ | 1260 | @@ -1479,6 +1479,22 @@ |
1261 | public = key_load_public(filename, NULL); | 1261 | public = key_load_public(filename, NULL); |
1262 | debug("identity file %s type %d", filename, | 1262 | debug("identity file %s type %d", filename, |
1263 | public ? public->type : -1); | 1263 | public ? public->type : -1); |
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5 | |||
1284 | =================================================================== | 1284 | =================================================================== |
1285 | --- a/ssh_config.5 | 1285 | --- a/ssh_config.5 |
1286 | +++ b/ssh_config.5 | 1286 | +++ b/ssh_config.5 |
1287 | @@ -1051,6 +1051,23 @@ | 1287 | @@ -1082,6 +1082,23 @@ |
1288 | .Dq any . | 1288 | .Dq any . |
1289 | The default is | 1289 | The default is |
1290 | .Dq any:any . | 1290 | .Dq any:any . |
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c | |||
1312 | =================================================================== | 1312 | =================================================================== |
1313 | --- a/sshconnect2.c | 1313 | --- a/sshconnect2.c |
1314 | +++ b/sshconnect2.c | 1314 | +++ b/sshconnect2.c |
1315 | @@ -1418,6 +1418,8 @@ | 1315 | @@ -1421,6 +1421,8 @@ |
1316 | 1316 | ||
1317 | /* list of keys stored in the filesystem */ | 1317 | /* list of keys stored in the filesystem */ |
1318 | for (i = 0; i < options.num_identity_files; i++) { | 1318 | for (i = 0; i < options.num_identity_files; i++) { |
@@ -1321,9 +1321,9 @@ Index: b/sshconnect2.c | |||
1321 | key = options.identity_keys[i]; | 1321 | key = options.identity_keys[i]; |
1322 | if (key && key->type == KEY_RSA1) | 1322 | if (key && key->type == KEY_RSA1) |
1323 | continue; | 1323 | continue; |
1324 | @@ -1510,7 +1512,7 @@ | 1324 | @@ -1514,7 +1516,7 @@ |
1325 | if (id->key && id->key->type != KEY_RSA1) { | 1325 | debug("Offering %s public key: %s", key_type(id->key), |
1326 | debug("Offering public key: %s", id->filename); | 1326 | id->filename); |
1327 | sent = send_pubkey_test(authctxt, id); | 1327 | sent = send_pubkey_test(authctxt, id); |
1328 | - } else if (id->key == NULL) { | 1328 | - } else if (id->key == NULL) { |
1329 | + } else if (id->key == NULL && id->filename) { | 1329 | + } else if (id->key == NULL && id->filename) { |
@@ -1334,7 +1334,7 @@ Index: b/sshd.8 | |||
1334 | =================================================================== | 1334 | =================================================================== |
1335 | --- a/sshd.8 | 1335 | --- a/sshd.8 |
1336 | +++ b/sshd.8 | 1336 | +++ b/sshd.8 |
1337 | @@ -928,6 +928,7 @@ | 1337 | @@ -938,6 +938,7 @@ |
1338 | .Xr ssh-agent 1 , | 1338 | .Xr ssh-agent 1 , |
1339 | .Xr ssh-keygen 1 , | 1339 | .Xr ssh-keygen 1 , |
1340 | .Xr ssh-keyscan 1 , | 1340 | .Xr ssh-keyscan 1 , |
@@ -1346,7 +1346,7 @@ Index: b/sshd.c | |||
1346 | =================================================================== | 1346 | =================================================================== |
1347 | --- a/sshd.c | 1347 | --- a/sshd.c |
1348 | +++ b/sshd.c | 1348 | +++ b/sshd.c |
1349 | @@ -1564,6 +1564,11 @@ | 1349 | @@ -1573,6 +1573,11 @@ |
1350 | sensitive_data.host_keys[i] = NULL; | 1350 | sensitive_data.host_keys[i] = NULL; |
1351 | continue; | 1351 | continue; |
1352 | } | 1352 | } |
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5 | |||
1362 | =================================================================== | 1362 | =================================================================== |
1363 | --- a/sshd_config.5 | 1363 | --- a/sshd_config.5 |
1364 | +++ b/sshd_config.5 | 1364 | +++ b/sshd_config.5 |
1365 | @@ -694,6 +694,20 @@ | 1365 | @@ -743,6 +743,20 @@ |
1366 | Specifies whether password authentication is allowed. | 1366 | Specifies whether password authentication is allowed. |
1367 | The default is | 1367 | The default is |
1368 | .Dq yes . | 1368 | .Dq yes . |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index 7682c0761..dac1ca1cc 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -7,20 +7,13 @@ Index: b/clientloop.c | |||
7 | =================================================================== | 7 | =================================================================== |
8 | --- a/clientloop.c | 8 | --- a/clientloop.c |
9 | +++ b/clientloop.c | 9 | +++ b/clientloop.c |
10 | @@ -507,16 +507,21 @@ | 10 | @@ -547,16 +547,21 @@ |
11 | static void | 11 | static void |
12 | server_alive_check(void) | 12 | server_alive_check(void) |
13 | { | 13 | { |
14 | - if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | 14 | - if (packet_inc_alive_timeouts() > options.server_alive_count_max) { |
15 | - logit("Timeout, server not responding."); | 15 | - logit("Timeout, server not responding."); |
16 | - cleanup_exit(255); | 16 | - cleanup_exit(255); |
17 | - } | ||
18 | - packet_start(SSH2_MSG_GLOBAL_REQUEST); | ||
19 | - packet_put_cstring("keepalive@openssh.com"); | ||
20 | - packet_put_char(1); /* boolean: want reply */ | ||
21 | - packet_send(); | ||
22 | - /* Insert an empty placeholder to maintain ordering */ | ||
23 | - client_register_global_confirm(NULL, NULL); | ||
24 | + if (compat20) { | 17 | + if (compat20) { |
25 | + if (packet_inc_alive_timeouts() > options.server_alive_count_max) { | 18 | + if (packet_inc_alive_timeouts() > options.server_alive_count_max) { |
26 | + logit("Timeout, server not responding."); | 19 | + logit("Timeout, server not responding."); |
@@ -35,24 +28,30 @@ Index: b/clientloop.c | |||
35 | + } else { | 28 | + } else { |
36 | + packet_send_ignore(0); | 29 | + packet_send_ignore(0); |
37 | + packet_send(); | 30 | + packet_send(); |
38 | + } | 31 | } |
32 | - packet_start(SSH2_MSG_GLOBAL_REQUEST); | ||
33 | - packet_put_cstring("keepalive@openssh.com"); | ||
34 | - packet_put_char(1); /* boolean: want reply */ | ||
35 | - packet_send(); | ||
36 | - /* Insert an empty placeholder to maintain ordering */ | ||
37 | - client_register_global_confirm(NULL, NULL); | ||
39 | } | 38 | } |
40 | 39 | ||
41 | /* | 40 | /* |
42 | @@ -574,7 +579,7 @@ | 41 | @@ -616,7 +621,7 @@ |
43 | * event pending. | ||
44 | */ | 42 | */ |
45 | 43 | ||
46 | - if (options.server_alive_interval == 0 || !compat20) | 44 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ |
47 | + if (options.server_alive_interval == 0) | 45 | - if (options.server_alive_interval > 0 && compat20) |
48 | tvp = NULL; | 46 | + if (options.server_alive_interval > 0) |
49 | else { | 47 | timeout_secs = options.server_alive_interval; |
50 | tv.tv_sec = options.server_alive_interval; | 48 | set_control_persist_exit_time(); |
49 | if (control_persist_exit_time > 0) { | ||
51 | Index: b/ssh_config.5 | 50 | Index: b/ssh_config.5 |
52 | =================================================================== | 51 | =================================================================== |
53 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
54 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
55 | @@ -952,7 +952,10 @@ | 54 | @@ -983,7 +983,10 @@ |
56 | .Cm ServerAliveCountMax | 55 | .Cm ServerAliveCountMax |
57 | is left at the default, if the server becomes unresponsive, | 56 | is left at the default, if the server becomes unresponsive, |
58 | ssh will disconnect after approximately 45 seconds. | 57 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 2dc912b8e..3cb9fdc65 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -26,7 +26,7 @@ Index: b/ssh.c | |||
26 | =================================================================== | 26 | =================================================================== |
27 | --- a/ssh.c | 27 | --- a/ssh.c |
28 | +++ b/ssh.c | 28 | +++ b/ssh.c |
29 | @@ -624,7 +624,7 @@ | 29 | @@ -642,7 +642,7 @@ |
30 | tty_flag = 0; | 30 | tty_flag = 0; |
31 | /* Do not allocate a tty if stdin is not a tty. */ | 31 | /* Do not allocate a tty if stdin is not a tty. */ |
32 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { | 32 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 164b8ec81..69700e592 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -24,7 +24,7 @@ Index: b/readconf.c | |||
24 | 24 | ||
25 | #include "xmalloc.h" | 25 | #include "xmalloc.h" |
26 | #include "ssh.h" | 26 | #include "ssh.h" |
27 | @@ -1003,8 +1005,7 @@ | 27 | @@ -1045,8 +1047,7 @@ |
28 | 28 | ||
29 | if (fstat(fileno(f), &sb) == -1) | 29 | if (fstat(fileno(f), &sb) == -1) |
30 | fatal("fstat %s: %s", filename, strerror(errno)); | 30 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -38,7 +38,7 @@ Index: b/ssh.1 | |||
38 | =================================================================== | 38 | =================================================================== |
39 | --- a/ssh.1 | 39 | --- a/ssh.1 |
40 | +++ b/ssh.1 | 40 | +++ b/ssh.1 |
41 | @@ -1324,6 +1324,8 @@ | 41 | @@ -1290,6 +1290,8 @@ |
42 | .Xr ssh_config 5 . | 42 | .Xr ssh_config 5 . |
43 | Because of the potential for abuse, this file must have strict permissions: | 43 | Because of the potential for abuse, this file must have strict permissions: |
44 | read/write for the user, and not accessible by others. | 44 | read/write for the user, and not accessible by others. |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1204,6 +1204,8 @@ | 54 | @@ -1235,6 +1235,8 @@ |
55 | This file is used by the SSH client. | 55 | This file is used by the SSH client. |
56 | Because of the potential for abuse, this file must have strict permissions: | 56 | Because of the potential for abuse, this file must have strict permissions: |
57 | read/write for the user, and not accessible by others. | 57 | read/write for the user, and not accessible by others. |
@@ -64,7 +64,7 @@ Index: b/auth.c | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/auth.c | 65 | --- a/auth.c |
66 | +++ b/auth.c | 66 | +++ b/auth.c |
67 | @@ -385,8 +385,7 @@ | 67 | @@ -393,8 +393,7 @@ |
68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
69 | if (options.strict_modes && | 69 | if (options.strict_modes && |
70 | (stat(user_hostfile, &st) == 0) && | 70 | (stat(user_hostfile, &st) == 0) && |
@@ -74,7 +74,7 @@ Index: b/auth.c | |||
74 | logit("Authentication refused for %.100s: " | 74 | logit("Authentication refused for %.100s: " |
75 | "bad owner or modes for %.200s", | 75 | "bad owner or modes for %.200s", |
76 | pw->pw_name, user_hostfile); | 76 | pw->pw_name, user_hostfile); |
77 | @@ -438,8 +437,7 @@ | 77 | @@ -448,8 +447,7 @@ |
78 | 78 | ||
79 | /* check the open file to avoid races */ | 79 | /* check the open file to avoid races */ |
80 | if (fstat(fileno(f), &st) < 0 || | 80 | if (fstat(fileno(f), &st) < 0 || |
@@ -84,7 +84,7 @@ Index: b/auth.c | |||
84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 84 | snprintf(err, errlen, "bad ownership or modes for file %s", |
85 | buf); | 85 | buf); |
86 | return -1; | 86 | return -1; |
87 | @@ -455,8 +453,7 @@ | 87 | @@ -465,8 +463,7 @@ |
88 | 88 | ||
89 | debug3("secure_filename: checking '%s'", buf); | 89 | debug3("secure_filename: checking '%s'", buf); |
90 | if (stat(buf, &st) < 0 || | 90 | if (stat(buf, &st) < 0 || |
@@ -109,7 +109,7 @@ Index: b/misc.c | |||
109 | #ifdef SSH_TUN_OPENBSD | 109 | #ifdef SSH_TUN_OPENBSD |
110 | #include <net/if.h> | 110 | #include <net/if.h> |
111 | #endif | 111 | #endif |
112 | @@ -638,6 +639,55 @@ | 112 | @@ -639,6 +640,55 @@ |
113 | } | 113 | } |
114 | 114 | ||
115 | int | 115 | int |
@@ -169,7 +169,7 @@ Index: b/misc.h | |||
169 | =================================================================== | 169 | =================================================================== |
170 | --- a/misc.h | 170 | --- a/misc.h |
171 | +++ b/misc.h | 171 | +++ b/misc.h |
172 | @@ -91,4 +91,6 @@ | 172 | @@ -92,4 +92,6 @@ |
173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
175 | 175 | ||
diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides deleted file mode 100644 index 5ddb25600..000000000 --- a/debian/source.lintian-overrides +++ /dev/null | |||
@@ -1,2 +0,0 @@ | |||
1 | # .desktop file intentionally not installed | ||
2 | openssh source: desktop-file-but-no-dh_desktop-call | ||