Age  Commit message  [Author]
2016-07-29  debian/openssh-server.if-up: Don't block on a finished reload of openssh.service  [Martin Pitt]
    This avoids deadlocking with restarting networking. LP: #1584393
2016-07-29  Add systemd user unit for graphical sessions that use systemd  [Martin Pitt]
    Override the corresponding upstart job in that case.
2016-07-29  Add debian/agent-launch: Helper script for conditionally starting the SSH agent in the user session  [Martin Pitt]
    Use it in ssh-agent.user-session.upstart. This will also be used in a corresponding systemd user unit. This replaces the backgrounded "ssh-agent -s" with a foreground task which works more nicely with modern init systems for logging/debugging and starting/stopping. Also use a fixed socket file name in $XDG_RUNTIME_DIR -- under both upstart and systemd we can assume this, and it allows restarting the service in a running session.
2016-07-29  Stop enabling ssh-session-cleanup.service by default; instead, ship it as an example and add a section to README.Debian. libpam-systemd >= 230 and "UsePAM yes" should take care of the original problem for most systemd users (thanks, Michael Biebl; closes: #832155).  [Colin Watson]
2016-07-23  releasing package openssh version 1:7.2p2-7  [Colin Watson]
2016-07-23  Add note about upgrade problems.  [Colin Watson]
2016-07-23  Recommend libpam-systemd from openssh-server. It's a much better solution than the above for systemd users, but I'm wary of depending on it in case I cause an assortment of exciting dependency problems on upgrade for non-systemd users.  [Colin Watson]
2016-07-23  Don't stop the ssh-session-cleanup service on upgrade (closes: #832155).  [Colin Watson]
2016-07-22  releasing package openssh version 1:7.2p2-6  [Colin Watson]
2016-07-22  Fix typo.  [Colin Watson]
2016-07-22  Stop generating DSA host keys by default (thanks, Santiago Vila; closes: #823827).  [Colin Watson]
2016-07-22  Add a session cleanup script and a systemd unit file to trigger it, which serves to terminate SSH sessions cleanly if systemd doesn't do that itself, often because libpam-systemd is not installed (thanks, Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).  [Colin Watson]
2016-07-22  Backport upstream patch to close ControlPersist background process stderr when not in debug mode or when logging to a file or syslog (closes: #714526).  [Colin Watson]
2016-07-22  upstream commit  [djm@openbsd.org]
    close ControlPersist background process stderr when not in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
    Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d2d6bf864e52af8491a60dd507f85b74361f5da3
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1988
    Bug-Debian: https://bugs.debian.org/714526
    Last-Update: 2016-07-22
    Patch-Name: control-persist-close-stderr.patch
2016-07-22  Close #831902.  [Colin Watson]
2016-07-22  CVE-2016-6210: Mitigate user enumeration via covert timing channel.  [Colin Watson]
2016-07-22  Search users for one with a valid salt.  [Darren Tucker]
    If the root account is locked (eg password "!!" or "*LK*") keep looking until we find a user with a valid salt to use for crypting passwords of invalid users. ok djm@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
    Bug-Debian: https://bugs.debian.org/831902
    Last-Update: 2016-07-22
    Patch-Name: CVE-2016-6210-3.patch
2016-07-22  Mitigate timing of disallowed users PAM logins.  [Darren Tucker]
    When sshd decides to not allow a login (eg PermitRootLogin=no) and it's using PAM, it sends a fake password to PAM so that the timing for the failure is not noticeably different whether or not the password is correct. This behaviour can be detected by sending a very long password string which is slower to hash than the fake password. Mitigate by constructing an invalid password that is the same length as the one from the client and thus takes the same time to hash. Diff from djm@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946
    Bug-Debian: https://bugs.debian.org/831902
    Last-Update: 2016-07-22
    Patch-Name: CVE-2016-6210-2.patch
2016-07-22  Determine appropriate salt for invalid users.  [Darren Tucker]
    When sshd is processing a non-PAM login for a non-existent user it uses the string from the fakepw structure as the salt for crypt(3)ing the password supplied by the client. That string has a Blowfish prefix, so on systems that don't understand that crypt will fail fast due to an invalid salt, and even on those that do it may have significantly different timing from the hash methods used for real accounts (eg sha512). This allows user enumeration by, eg, sending large password strings. This was noted by EddieEzra.Harari at verint.com (CVE-2016-6210). To mitigate, use the same hash algorithm that root uses for hashing passwords for users that do not exist on the system. ok djm@
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc
    Bug-Debian: https://bugs.debian.org/831902
    Last-Update: 2016-07-22
    Patch-Name: CVE-2016-6210-1.patch
2016-06-06  Retroactively add a NEWS.Debian entry for the UseDNS change in 6.9 (see LP #1588457).  [Colin Watson]
2016-05-16  Set SSH_PROGRAM=/usr/bin/ssh1 when building openssh-client-ssh1 so that scp1 works (reported by Olivier MATZ).  [Colin Watson]
2016-05-03  Copy summary of supported SFTP protocol versions from upstream's PROTOCOL file into the openssh-sftp-server package description (closes: #766887).  [Colin Watson]
2016-04-30  debian/watch: Switch to HTTP (thanks, Nicholas Luedtke; closes: #822997).  [Colin Watson]
2016-04-28  releasing package openssh version 1:7.2p2-5  [Colin Watson]
2016-04-28  Backport upstream patch to unbreak authentication using lone certificate keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself (thanks, Paul Querna; LP: #1575961).  [Colin Watson]
2016-04-28  upstream commit  [djm@openbsd.org]
    unbreak authentication using lone certificate keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself. bz#2550 reported by Peter Moody
    Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=c38905ba391434834da86abfc988a2b8b9b62477
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/1575961
    Last-Update: 2016-04-28
    Patch-Name: unbreak-certificate-auth.patch
2016-04-15  releasing package openssh version 1:7.2p2-4  [Colin Watson]
2016-04-15  Policy version 3.9.7: no changes required.  [Colin Watson]
2016-04-15  Drop dependency on libnss-files-udeb (closes: #819686).  [Colin Watson]
2016-04-13  releasing package openssh version 1:7.2p2-3  [Colin Watson]
2016-04-13  CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.  [Colin Watson]
2016-04-13  ignore PAM environment vars when UseLogin=yes  [Damien Miller]
    If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
    Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
    Last-Update: 2016-04-13
    Patch-Name: CVE-2015-8325.patch
2016-04-06  Fill in CVE-2016-3115 identifier.  [Colin Watson]
2016-04-03  Change all openssh.org references to openssh.com (closes: #819213).  [Colin Watson]
2016-03-21  releasing package openssh version 1:7.2p2-2  [Colin Watson]
2016-03-21  Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on the server end than the client (thanks, Damien Miller; closes: #817870, LP: #1558576).  [Colin Watson]
2016-03-21  Various Debian-specific configuration changes  [Colin Watson]
    ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).
    ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
    ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.
    ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default.
    Document all of this, along with several sshd defaults set in debian/openssh-server.postinst.
    Author: Russ Allbery <rra@debian.org>
    Forwarded: not-needed
    Last-Update: 2015-12-07
    Patch-Name: debian-config.patch
2016-03-21  Add systemd readiness notification support  [Michael Biebl]
    Bug-Debian: https://bugs.debian.org/778913
    Forwarded: no
    Last-Update: 2016-01-04
    Patch-Name: systemd-readiness.patch
2016-03-21  Support synchronisation with service supervisor using SIGSTOP  [Colin Watson]
    Author: Robie Basak <robie.basak@ubuntu.com>
    Forwarded: no
    Last-Update: 2014-04-14
    Patch-Name: sigstop.patch
2016-03-21  Give the ssh-askpass-gnome window a default icon  [Vincent Untz]
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
    Last-Update: 2010-02-28
    Patch-Name: gnome-ssh-askpass2-icon.patch
2016-03-21  Don't check the status field of the OpenSSL version  [Kurt Roeckx]
    There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is.
    Author: Colin Watson <cjwatson@debian.org>
    Bug-Debian: https://bugs.debian.org/93581
    Bug-Debian: https://bugs.debian.org/664383
    Bug-Debian: https://bugs.debian.org/732940
    Forwarded: not-needed
    Last-Update: 2014-10-07
    Patch-Name: no-openssl-version-status.patch
2016-03-21  Document consequences of ssh-agent being setgid in ssh-agent(1)  [Colin Watson]
    Bug-Debian: http://bugs.debian.org/711623
    Forwarded: no
    Last-Update: 2013-06-08
    Patch-Name: ssh-agent-setgid.patch
2016-03-21  Refer to ssh's Upstart job as well as its init script  [Colin Watson]
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: doc-upstart.patch
2016-03-21  Document that HashKnownHosts may break tab-completion  [Colin Watson]
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
    Bug-Debian: http://bugs.debian.org/430154
    Last-Update: 2013-09-14
    Patch-Name: doc-hash-tab-completion.patch
2016-03-21  ssh(1): Refer to ssh-argv0(1)  [Colin Watson]
    Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1).
    Bug-Debian: http://bugs.debian.org/111341
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: ssh-argv0.patch
2016-03-21  Adjust various OpenBSD-specific references in manual pages  [Colin Watson]
    No single bug reference for this patch, but history includes:
    http://bugs.debian.org/154434 (login.conf(5))
    http://bugs.debian.org/513417 (/etc/rc)
    http://bugs.debian.org/530692 (ssl(8))
    https://bugs.launchpad.net/bugs/456660 (ssl(8))
    Forwarded: not-needed
    Last-Update: 2014-10-07
    Patch-Name: openbsd-docs.patch
2016-03-21  Install authorized_keys(5) as a symlink to sshd(8)  [Tomas Pospisek]
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
    Bug-Debian: http://bugs.debian.org/441817
    Last-Update: 2013-09-14
    Patch-Name: authorized-keys-man-symlink.patch
2016-03-21  Add DebianBanner server configuration option  [Kees Cook]
    Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch.
    Bug-Debian: http://bugs.debian.org/562048
    Forwarded: not-needed
    Last-Update: 2015-11-29
    Patch-Name: debian-banner.patch
2016-03-21  Include the Debian version in our identification  [Matthew Vernon]
    This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.)
    Forwarded: not-needed
    Last-Update: 2013-09-14
    Patch-Name: package-versioning.patch
2016-03-21  Mention ssh-keygen in ssh fingerprint changed warning  [Scott Moser]
    Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
    Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
    Last-Update: 2015-09-08
    Patch-Name: mention-ssh-keygen-on-keychange.patch