summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-02-21ssh(1): Refer to ssh-argv0(1)Colin Watson
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2020-02-21Adjust various OpenBSD-specific references in manual pagesColin Watson
No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2020-02-21Install authorized_keys(5) as a symlink to sshd(8)Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2020-02-21Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-banner.patch
2020-02-21Include the Debian version in our identificationMatthew Vernon
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: package-versioning.patch
2020-02-21Mention ssh-keygen in ssh fingerprint changed warningScott Moser
Author: Chris Lamb <lamby@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2017-08-22 Patch-Name: mention-ssh-keygen-on-keychange.patch
2020-02-21Force use of DNSSEC even if "options edns0" isn't in resolv.confColin Watson
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2020-02-21Look for $SHELL on the path for ProxyCommand/LocalCommandColin Watson
There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2020-02-21 Patch-Name: shell-path.patch
2020-02-21Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2020-02-21Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2019-10-09 Patch-Name: user-group-modes.patch
2020-02-21"LogLevel SILENT" compatibilityNatalie Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2020-02-21Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2020-02-21 Patch-Name: keepalive-extensions.patch
2020-02-21Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2020-02-21Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2020-02-21 Patch-Name: selinux-role.patch
2020-02-21Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
2020-02-21GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2020-02-21 Patch-Name: gssapi.patch
2020-02-21Import openssh_8.2p1.orig.tar.gzColin Watson
2020-02-14upstream: openssh-8.2djm@openbsd.org
OpenBSD-Commit-ID: 0a1340ff65fad0d84b997ac58dd1b393dec7c19b
2020-02-12crank version numbersDamien Miller
2020-02-11Minor documentation update:Darren Tucker
- remove duplication of dependency information (it's all in INSTALL). - SSHFP is now an RFC.
2020-02-09Check if UINT32_MAX is defined before redefining.Darren Tucker
2020-02-07typo; reported by Phil PennockDamien Miller
2020-02-07upstream: sync the description of the $SSH_SK_PROVIDER environmentdjm@openbsd.org
variable with that of the SecurityKeyProvider ssh/sshd_config(5) directive, as the latter was more descriptive. OpenBSD-Commit-ID: 0488f09530524a7e53afca6b6e1780598022552f
2020-02-07upstream: Add ssh -Q key-sig for all key and signature types.dtucker@openbsd.org
Teach ssh -Q to accept ssh_config(5) and sshd_config(5) algorithm keywords as an alias for the corresponding query. Man page help jmc@, ok djm@. OpenBSD-Commit-ID: 1e110aee3db2fc4bc5bee2d893b7128fd622e0f8
2020-02-07upstream: fix two PIN entry bugs on FIDO keygen: 1) it would allow moredjm@openbsd.org
than the intended number of prompts (3) and 2) it would SEGV too many incorrect PINs were entered; based on patch by Gabriel Kihlman OpenBSD-Commit-ID: 9c0011f28ba8bd8adf2014424b64960333da1718
2020-02-07upstream: When using HostkeyAlgorithms to merely append or removedjm@openbsd.org
algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the default behaviour of preferring those algorithms that have existing keys in known_hosts; ok markus OpenBSD-Commit-ID: 040e7fcc38ea00146b5d224ce31ce7a1795ee6ed
2020-02-07upstream: expand HostkeyAlgorithms prior to config dump, matchingdjm@openbsd.org
other algorithm lists; ok markus@ OpenBSD-Commit-ID: a66f0fca8cc5ce30405a2867bc115fff600671d0
2020-02-07upstream: Add Include to the list of permitted keywords after anaddy@openbsd.org
Match keyword. ok markus@ OpenBSD-Commit-ID: 342e940538b13dd41e0fa167dc9ab192b9f6e2eb
2020-02-07upstream: Replace "security key" with "authenticator" in programnaddy@openbsd.org
messages. This replaces "security key" in error/usage/verbose messages and distinguishes between "authenticator" and "authenticator-hosted key". ok djm@ OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
2020-02-06Don't look for UINT32_MAX in inttypes.hDarren Tucker
... unless we are actually going to use it. Fixes build on HP-UX without the potential impact to other platforms of a header change shortly before release.
2020-02-06dependDamien Miller
2020-02-06Fix sha2 MAKE_CLONE no-op definitionMichael Forney
The point of the dummy declaration is so that MAKE_CLONE(...) can have a trailing semicolon without introducing an empty declaration. So, the macro replacement text should *not* have a trailing semicolon, just like DEF_WEAK.
2020-02-04upstream: require FIDO application strings to start with "ssh:"; okdjm@openbsd.org
markus@ OpenBSD-Commit-ID: 94e9c1c066d42b76f035a3d58250a32b14000afb
2020-02-04upstream: revert enabling UpdateHostKeys by default - there are stilldjm@openbsd.org
corner cases we need to address; ok markus OpenBSD-Commit-ID: ff7ad941bfdc49fb1d8baa95fd0717a61adcad57
2020-02-04upstream: use better markup for challenge and write-attestation, andjmc@openbsd.org
rejig the challenge text a little; ok djm OpenBSD-Commit-ID: 9f351e6da9edfdc907d5c3fdaf2e9ff3ab0a7a6f
2020-02-03mention libfido2 in dependencies sectionDamien Miller
2020-02-03add clock_gettime64(2) to sandbox allowed syscallsDamien Miller
bz3093
2020-02-02upstream: Output (none) in debug in the case in the CheckHostIP=no casedtucker@openbsd.org
as suggested by markus@ OpenBSD-Commit-ID: 4ab9117ee5261cbbd1868717fcc3142eea6385cf
2020-02-02upstream: Prevent possible null pointer deref of ip_str in debug.dtucker@openbsd.org
OpenBSD-Commit-ID: 37b252e2e6f690efed6682437ef75734dbc8addf
2020-02-02upstream: shuffle the challenge keyword to keep the -O list sorted;jmc@openbsd.org
OpenBSD-Commit-ID: 08efad608b790949a9a048d65578fae9ed5845fe
2020-02-02upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: 0c42851cdc88583402b4ab2b110a6348563626d3
2020-02-01Use sys-queue.h from compat library.Darren Tucker
Fixes build on platforms that don't have sys/queue.h (eg MUSL).
2020-02-01upstream: regress test for sshd_config Include directive; from Jakubdjm@openbsd.org
Jelen OpenBSD-Regress-ID: 0d9224de3297c7a5f51ba68d6e3725a2a9345fa4
2020-02-01upstream: whitespacedjm@openbsd.org
OpenBSD-Commit-ID: 564cf7a5407ecf5da2d94ec15474e07427986772
2020-02-01upstream: force early logging to stderr if debug_flag (-d) is set;djm@openbsd.org
avoids missing messages from re-exec config passing OpenBSD-Commit-ID: 02484b8241c1f49010e7a543a7098e6910a8c9ff
2020-02-01upstream: mistake in previous: filling the incorrect bufferdjm@openbsd.org
OpenBSD-Commit-ID: 862ee84bd4b97b529f64aec5d800c3dcde952e3a
2020-02-01upstream: Add a sshd_config "Include" directive to allow inclusiondjm@openbsd.org
of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@ OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff
2020-02-01upstream: spelling fix;jmc@openbsd.org
OpenBSD-Commit-ID: 3c079523c4b161725a4b15dd06348186da912402
2020-01-31upstream: document changed default for UpdateHostKeysdjm@openbsd.org
OpenBSD-Commit-ID: 25c390b21d142f78ac0106241d13441c4265fd2c
2020-01-31upstream: enable UpdateKnownHosts=yes if the configurationdjm@openbsd.org
specifies only the default known_hosts files, otherwise select UpdateKnownHosts=ask; ok markus@ OpenBSD-Commit-ID: ab401a5ec4a33d2e1a9449eae6202e4b6d427df7