summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-10-04Install authorized_keys(5) as a symlink to sshd(8)Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2017-10-04Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: debian-banner.patch
2017-10-04Include the Debian version in our identificationMatthew Vernon
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: package-versioning.patch
2017-10-04Mention ssh-keygen in ssh fingerprint changed warningScott Moser
Author: Chris Lamb <lamby@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2017-08-22 Patch-Name: mention-ssh-keygen-on-keychange.patch
2017-10-04Quieten logs when multiple from= restrictions are usedColin Watson
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2017-10-04 Patch-Name: auth-log-verbosity.patch
2017-10-04Force use of DNSSEC even if "options edns0" isn't in resolv.confColin Watson
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2017-10-04Look for $SHELL on the path for ProxyCommand/LocalCommandColin Watson
There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch
2017-10-04Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2017-10-04Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2017-10-04 Patch-Name: user-group-modes.patch
2017-10-04"LogLevel SILENT" compatibilityJonathan David Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2017-10-04Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2017-10-04 Patch-Name: keepalive-extensions.patch
2017-10-04Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2017-10-04Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2017-10-04 Patch-Name: selinux-role.patch
2017-10-04Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2017-10-04GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-10-04 Patch-Name: gssapi.patch
2017-10-04Import openssh_7.6p1.orig.tar.gzColin Watson
2017-10-03upstream commitdjm@openbsd.org
Fix PermitOpen crash; spotted by benno@, ok dtucker@ deraadt@ Upstream-ID: c2cc84ffac070d2e1ff76182c70ca230a387983c
2017-10-01update URL againDamien Miller
I spotted a typo in the draft so uploaded a new version...
2017-10-01sync release notes URLDamien Miller
2017-10-01sync contrib/ssh-copy-id with upstreamDamien Miller
2017-10-01update version in RPM spec filesDamien Miller
2017-10-01update agent draft URLDamien Miller
2017-10-01upstream commitdjm@openbsd.org
openssh-7.6; ok deraadt@ Upstream-ID: a39c3a5b63a1baae109ae1ae4c7c34c2a59acde0
2017-10-01upstream commitjmc@openbsd.org
tweak EposeAuthinfo; diff from lars nooden tweaked by sthen; ok djm dtucker Upstream-ID: 8f2ea5d2065184363e8be7a0ba24d98a3b259748
2017-09-28don't fatal ./configure for LibreSSLDamien Miller
2017-09-28abort in configure when only openssl-1.1.x foundDamien Miller
We don't support openssl-1.1.x yet (see multiple threads on the openssh-unix-dev@ mailing list for the reason), but previously ./configure would accept it and the compilation would subsequently fail. This makes ./configure display an explicit error message and abort. ok dtucker@
2017-09-27Check for and handle calloc(p, 0) = NULL.Darren Tucker
On some platforms (AIX, maybe others) allocating zero bytes of memory via the various *alloc functions returns NULL, which is permitted by the standards. Autoconf has some macros for detecting this (with the exception of calloc for some reason) so use these and if necessary activate shims for them. ok djm@
2017-09-26upstream commitmarkus@openbsd.org
test reverse dynamic forwarding with SOCKS Upstream-Regress-ID: 95cf290470f7e5e2f691e4bc6ba19b91eced2f79
2017-09-26sync missing changes in dynamic-forward.shDamien Miller
2017-09-25Add minimal strsignal for platforms without it.Darren Tucker
2017-09-24upstream commitdjm@openbsd.org
fix inverted test on channel open failure path that "upgraded" a transient failure into a fatal error; reported by sthen and also seen by benno@; ok sthen@ Upstream-ID: b58b3fbb79ba224599c6cd6b60c934fc46c68472
2017-09-24upstream commitdjm@openbsd.org
write the correct buffer when tunnel forwarding; doesn't matter on OpenBSD (they are the same) but does matter on portable where we use an output filter to translate os-specific tun/tap headers Upstream-ID: f1ca94eff48404827b12e1d12f6139ee99a72284
2017-09-24upstream commitdjm@openbsd.org
fix tunnel forwarding problem introduced in refactor; reported by stsp@ ok markus@ Upstream-ID: 81a731cdae1122c8522134095d1a8b60fa9dcd04
2017-09-22upstream commitmarkus@openbsd.org
Add 'reverse' dynamic forwarding which combines dynamic forwarding (-D) with remote forwarding (-R) where the remote-forwarded port expects SOCKS-requests. The SSH server code is unchanged and the parsing happens at the SSH clients side. Thus the full SOCKS-request is sent over the forwarded channel and the client parses c->output. Parsing happens in channel_before_prepare_select(), _before_ the select bitmask is computed in the pre[] handlers, but after network input processing in the post[] handlers. help and ok djm@ Upstream-ID: aa25a6a3851064f34fe719e0bf15656ad5a64b89
2017-09-22upstream commitdtucker@openbsd.org
Use strsignal in debug message instead of casting for the benefit of portable where sig_atomic_t might not be int. "much nicer" deraadt@ Upstream-ID: 2dac6c1e40511c700bd90664cd263ed2299dcf79
2017-09-22upstream commitmillert@openbsd.org
Use explicit_bzero() instead of bzero() before free() to prevent the compiler from optimizing away the bzero() call. OK djm@ Upstream-ID: cdc6197e64c9684c7250e23d60863ee1b53cef1d
2017-09-19upstream commitdjm@openbsd.org
fix use-after-free in ~^Z escape handler path, introduced in channels.c refactor; spotted by millert@ "makes sense" deraadt@ Upstream-ID: 8fa2cdc65c23ad6420c1e59444b0c955b0589b22
2017-09-19upstream commitdtucker@openbsd.org
Prevent type mismatch warning in debug on platforms where sig_atomic_t != int. ok djm@ Upstream-ID: 306e2375eb0364a4c68e48f091739bea4f4892ed
2017-09-19upstream commitdtucker@openbsd.org
Add braces missing after channels refactor. ok markus@ Upstream-ID: 72ab325c84e010680dbc88f226e2aa96b11a3980
2017-09-19add freezero(3) replacementDamien Miller
ok dtucker@
2017-09-19move FORTIFY_SOURCE into hardening options groupDamien Miller
It's still on by default, but now it's possible to turn it off using --without-hardening. This is useful since it's known to cause problems with some -fsanitize options. ok dtucker@
2017-09-18upstream commitbluhm@openbsd.org
Print SKIPPED if sudo and doas configuration is missing. Prevents that running the regression test with wrong environment is reported as failure. Keep the fatal there to avoid interfering with other setups for portable ssh. OK dtucker@ Upstream-Regress-ID: f0dc60023caef496ded341ac5aade2a606fa234e
2017-09-18upstream commitdtucker@openbsd.org
Remove obsolete privsep=no fallback test. Upstream-Regress-ID: 7d6e1baa1678ac6be50c2a1555662eb1047638df
2017-09-18upstream commitdtucker@openbsd.org
Remove non-privsep test since disabling privsep is now deprecated. Upstream-Regress-ID: 77ad3f3d8d52e87f514a80f285c6c1229b108ce8
2017-09-18upstream commitdtucker@openbsd.org
Don't call fatal from stop_sshd since it calls cleanup which calls stop_sshd which will probably fail in the same way. Instead, just bail. Differentiate between sshd dying without cleanup and not shutting down. Upstream-Regress-ID: f97315f538618b349e2b0bea02d6b0c9196c6bc4
2017-09-14upstream commitdjm@openbsd.org
Revert commitid: gJtIN6rRTS3CHy9b. ------------- identify the case where SSHFP records are missing but other DNS RR types are present and display a more useful error message for this case; patch by Thordur Bjornsson; bz#2501; ok dtucker@ ------------- This caused unexpected failures when VerifyHostKeyDNS=yes, SSHFP results are missing but the user already has the key in known_hosts Spotted by dtucker@ Upstream-ID: 97e31742fddaf72046f6ffef091ec0d823299920
2017-09-12adapt portable to channels API changesDamien Miller
2017-09-12upstream commitdjm@openbsd.org
unused variable Upstream-ID: 2f9ba09f2708993d35eac5aa71df910dcc52bac1
2017-09-12upstream commitdjm@openbsd.org
fix tun/tap forwarding case in previous Upstream-ID: 43ebe37a930320e24bca6900dccc39857840bc53
2017-09-12upstream commitdjm@openbsd.org
Make remote channel ID a u_int Previously we tracked the remote channel IDs in an int, but this is strictly incorrect: the wire protocol uses uint32 and there is nothing in-principle stopping a SSH implementation from sending, say, 0xffff0000. In practice everyone numbers their channels sequentially, so this has never been a problem. ok markus@ Upstream-ID: b9f4cd3dc53155b4a5c995c0adba7da760d03e73