Age | Commit message (Collapse) | Author |
|
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
|
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2017-10-04
Patch-Name: selinux-role.patch
|
|
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: restore-tcp-wrappers.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2017-10-04
Patch-Name: gssapi.patch
|
|
|
|
|
|
|
|
On at least some revisions of AIX, strndup returns unterminated strings
under some conditions, apparently because strnlen returns incorrect
values in those cases. Disable both on AIX and use the replacements
from openbsd-compat. Fixes problem with ECDSA keys there, ok djm.
|
|
struct ssh is needed by implementations of sys_auth_passwd() that were
converted in commit bba02a50. Needed to fix build on AIX, I assume for
the other platforms too (although it should be harmless if not needed).
|
|
Fixes compile error on AIX.
|
|
OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
|
|
Some platforms lack printenv in the default $PATH.
Reported by Tom G. Christensen
|
|
|
|
modified: openbsd-compat/port-aix.c
modified: openbsd-compat/port-uw.c
propogate changes to auth-passwd.c in commit
7c856857607112a3dfe6414696bf4c7ab7fb0cb3 to other providers
of sys_auth_passwd()
|
|
OpenBSD-Commit-ID: 274e614352460b9802c905f38fb5ea7ed5db3d41
|
|
from djm; ok deraadt dtucker
OpenBSD-Commit-ID: 12e50836ba2040042383a8b71e12d7ea06e9633d
|
|
For some reason sftp -b doesn't work with /dev/stdin on Cygwin, as noted
and suggested by vinschen at redhat.com.
|
|
|
|
OpenBSD they are both non-blocking, but on many other -portable platforms it
blocks, stalling tests.
OpenBSD-Regress-ID: 397d0d4c719c353f24d79f5b14775e0cfdf0e1cc
|
|
OpenBSD-Commit-ID: c9374ca41d4497f1c673ab681cc33f6e7c5dd186
|
|
OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
|
|
In some shells (FreeBSD 9, ash) the case statement resets $?, so save
for later testing.
|
|
"expiry-time" as the former is confusing wrt similar terminology in X.509;
pointed out by jsing@
OpenBSD-Regress-ID: ac8b41dbfd90cffd525d58350c327195b0937793
|
|
OpenBSD-Regress-ID: 7e1e4a84f7f099a290e5a4cbf4196f90ff2d7e11
|
|
OpenBSD-Regress-ID: 74d7b24e8c72c27af6b481198344eb077e993a62
|
|
PubkeyAcceptedKeyTypes here
OpenBSD-Regress-ID: 954d19e0032a74e31697fb1dc7e7d3d1b2d65fe9
|
|
OpenBSD-Commit-ID: 8c7d82ee1e63e26ceb2b3d3a16514019f984f6bf
|
|
"expiry-time" as the former is confusing wrt similar terminology in X.509;
pointed out by jsing@
OpenBSD-Commit-ID: 376939466a1f562f3950a22314bc6505733aaae6
|
|
simple way of giving a key an expiry date. ok markus@
OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
|
|
The recently added MIPS ABI tests need AC_LANG_PROGRAM to prevent
warnings from autoconf. Pointed out by klausz at haus-gisela.de.
|
|
some configs.
revision 1.124
date: 2018/03/02 03:02:11; author: djm; state: Exp; lines: +19 -8; commitid: nNRsCijZiGG6SUTT;
Allow escaped quotes \" and \' in ssh_config and sshd_config quotes
option strings. bz#1596 ok markus@
OpenBSD-Commit-ID: 59c40b1b81206d713c06b49d8477402c86babda5
|
|
format details and point to sshd(8), where it is documented;
ok dtucker
OpenBSD-Commit-ID: 95f17e47dae02a6ac7329708c8c893d4cad0004a
|
|
Currently seccomp_audit_arch is set to AUDIT_ARCH_MIPS64 or
AUDIT_ARCH_MIPSEL64 (depending on the endinness) when openssh is built
for MIPS64. However, that's only valid for n64 ABI. The right macros for
n32 ABI defined in seccomp.h are AUDIT_ARCH_MIPS64N32 and
AUDIT_ARCH_MIPSEL64N32, for big and little endian respectively.
Because of that an sshd built for MIPS64 n32 rejects connection attempts
and the output of strace reveals that the problem is related to seccomp
audit:
[pid 194] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57,
filter=0x555d5da0}) = 0
[pid 194] write(7, "\0\0\0]\0\0\0\5\0\0\0Ulist_hostkey_types: "..., 97) = ?
[pid 193] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP},
{fd=6, revents=POLLHUP}])
[pid 194] +++ killed by SIGSYS +++
This patch fixes that problem by setting the right value to
seccomp_audit_arch taking into account the MIPS64 ABI.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
|
|
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
|
|
|
|
|
|
Some really old platforms (eg SunOS4) segfault on fflush(NULL) so check
for and work around. With klausz at haus-gisela.de.
|
|
Extra #endif breaks compile with -DWITH_XMSS. Pointed out by Jack
Schmidt via github.
|
|
bumped the minimum from 768 to 1024, update man page accordingly.
OpenBSD-Commit-ID: 27563ab4e866cd2aac40a5247876f6787c08a338
|
|
points to something in /dev (rather than checking the device node itself);
makes life easier for portable, where systems with dynamic ptys can delete
nodes before we get around to testing their existence.
OpenBSD-Regress-ID: b1e455b821e62572bccd98102f8dd9d09bb94994
|
|
|
|
Some platforms don't have strndup, which includes Solaris 10, NetBSD 3
and FreeBSD 6.
|
|
This will make maintenance and changes easier. "no objection" tim@
|
|
OpenBSD-Regress-ID: 820f9ec9c6301f6ca330ad4052d85f0e67d0bdc1
|
|
testing of restrict keyword
OpenBSD-Regress-ID: 4268f27c2706a0a95e725d9518c5bcbec9814c6d
|
|
authorized_keys
OpenBSD-Regress-ID: ee771df8955f2735df54746872c6228aff381daa
|
|
remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.
feedback and ok markus@
OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
|
|
This API parses options to a dedicated structure rather than the old API's
approach of setting global state. It also includes support for merging
options, e.g. from authorized_keys, authorized_principals and/or
certificates.
feedback and ok markus@
OpenBSD-Commit-ID: 98badda102cd575210d7802943e93a34232c80a2
|
|
different to what was requested. This might happen when an old/non-OpenSSH
agent is asked to make a rsa-sha2-256/512 signature but only supports
ssh-rsa. bz#2799 feedback and ok markus@
OpenBSD-Commit-ID: 760c0f9438c5c58abc16b5f98008ff2d95cb13ce
|
|
OpenBSD-Commit-ID: 518a6736338045e0037f503c21027d958d05e703
|