summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-01-16Rekeying patch fixes LP: #1608965 tooColin Watson
2017-01-16Fix rekeying failure with GSSAPI key exchange (thanks, Harald Barth; closes: ↵Colin Watson
#819361).
2017-01-16Remove ssh_host_dsa_key from HostKey defaultColin Watson
The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 Bug-Debian: https://bugs.debian.org/850614 Last-Update: 2017-01-16 Patch-Name: no-dsa-host-key-by-default.patch
2017-01-16Work around clock_gettime kernel bug on Linux x32Colin Watson
On Linux x32, the clock_gettime VDSO currently falls back to the x86-64 syscall, so allow that as well as its x32 sibling. Bug-Debian: https://bugs.debian.org/849923 Forwarded: no Last-Update: 2017-01-03 Patch-Name: sandbox-x32-workaround.patch
2017-01-16Create mux socket for regress in temp directoryColin Watson
In some setups, creating the socket under OBJ may result in a path that is too long for a Unix domain socket. Add a helper to let us portably create a temporary directory instead. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2660 Last-Update: 2017-01-03 Patch-Name: regress-mktemp.patch
2017-01-16Fix race conditions in forwarding testsColin Watson
The forwarding tests sometimes seem to fail in a way that suggests ports are in use even though they shouldn't be. Convert more of them to use a mux socket rather than relying on sleeps in the hope that that makes behaviour more consistent. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2659 Patch-Name: regress-forwarding-race.patch Last-Update: 2017-01-02
2017-01-16Make integrity tests more robust against timeoutsColin Watson
If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Handle this failure mode. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Patch-Name: regress-integrity-robust.patch Last-Update: 2017-01-01
2017-01-16Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2016-12-26 Patch-Name: debian-config.patch
2017-01-16Add systemd readiness notification supportMichael Biebl
Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2016-01-04 Patch-Name: systemd-readiness.patch
2017-01-16Support synchronisation with service supervisor using SIGSTOPColin Watson
Author: Robie Basak <robie.basak@ubuntu.com> Forwarded: no Last-Update: 2014-04-14 Patch-Name: sigstop.patch
2017-01-16Give the ssh-askpass-gnome window a default iconVincent Untz
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2017-01-16Don't check the status field of the OpenSSL versionKurt Roeckx
There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch
2017-01-16Document consequences of ssh-agent being setgid in ssh-agent(1)Colin Watson
Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2017-01-16Refer to ssh's Upstart job as well as its init scriptColin Watson
Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: doc-upstart.patch
2017-01-16Document that HashKnownHosts may break tab-completionColin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2017-01-16ssh(1): Refer to ssh-argv0(1)Colin Watson
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2017-01-16Adjust various OpenBSD-specific references in manual pagesColin Watson
No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: openbsd-docs.patch
2017-01-16Install authorized_keys(5) as a symlink to sshd(8)Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2017-01-16Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-11-29 Patch-Name: debian-banner.patch
2017-01-16Include the Debian version in our identificationMatthew Vernon
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: package-versioning.patch
2017-01-16Mention ssh-keygen in ssh fingerprint changed warningScott Moser
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2015-09-08 Patch-Name: mention-ssh-keygen-on-keychange.patch
2017-01-16Quieten logs when multiple from= restrictions are usedColin Watson
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
2017-01-16Force use of DNSSEC even if "options edns0" isn't in resolv.confColin Watson
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2017-01-16Look for $SHELL on the path for ProxyCommand/LocalCommandColin Watson
There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch
2017-01-16Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2017-01-16Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
2017-01-16Reduce severity of "Killed by signal %d"Peter Samuelson
This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. Author: Colin Watson <cjwatson@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 Bug-Debian: http://bugs.debian.org/313371 Last-Update: 2013-09-14 Patch-Name: quieter-signals.patch
2017-01-16"LogLevel SILENT" compatibilityJonathan David Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2017-01-16Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2016-12-26 Patch-Name: keepalive-extensions.patch
2017-01-16Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2017-01-16Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
2017-01-16Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2017-01-16GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2017-01-16 Patch-Name: gssapi.patch
2017-01-16Remove ssh_host_dsa_key from HostKey default (closes: #850614).Colin Watson
2017-01-16Remove ssh_host_dsa_key from HostKey defaultColin Watson
The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 Bug-Debian: https://bugs.debian.org/850614 Last-Update: 2017-01-16 Patch-Name: no-dsa-host-key-by-default.patch
2017-01-16Document sshd_config changes that may be needed following the removal of ↵Colin Watson
protocol 1 support from sshd (closes: #851573).
2017-01-15Remove LOGIN_PROGRAM and LOGIN_NO_ENDOPT definitions, since UseLogin is gone.Colin Watson
2017-01-06Remove temporary file on exit from postinst (closes: #850275).Colin Watson
2017-01-03releasing package openssh version 1:7.4p1-5Colin Watson
2017-01-03Work around clock_gettime kernel bug on Linux x32 (closes: #849923).Colin Watson
2017-01-03Work around clock_gettime kernel bug on Linux x32Colin Watson
On Linux x32, the clock_gettime VDSO currently falls back to the x86-64 syscall, so allow that as well as its x32 sibling. Bug-Debian: https://bugs.debian.org/849923 Forwarded: no Last-Update: 2017-01-03 Patch-Name: sandbox-x32-workaround.patch
2017-01-03Create mux socket for regression tests in a temporary directory.Colin Watson
2017-01-03Create mux socket for regress in temp directoryColin Watson
In some setups, creating the socket under OBJ may result in a path that is too long for a Unix domain socket. Add a helper to let us portably create a temporary directory instead. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2660 Last-Update: 2017-01-03 Patch-Name: regress-mktemp.patch
2017-01-02releasing package openssh version 1:7.4p1-4Colin Watson
2017-01-02merge patched into masterColin Watson
2017-01-02Fix race conditions in forwarding testsColin Watson
The forwarding tests sometimes seem to fail in a way that suggests ports are in use even though they shouldn't be. Convert more of them to use a mux socket rather than relying on sleeps in the hope that that makes behaviour more consistent. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2659 Patch-Name: regress-forwarding-race.patch Last-Update: 2017-01-02
2017-01-01Make integrity tests more robust against timeouts in the case where the ↵Colin Watson
first test in a series for a given MAC happens to modify the low bytes of a packet length.
2017-01-01Make integrity tests more robust against timeoutsColin Watson
If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Handle this failure mode. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Patch-Name: regress-integrity-robust.patch Last-Update: 2017-01-01
2017-01-01Run regression tests inside annotate-output to try to diagnose timeout issues.Colin Watson
2016-12-31releasing package openssh version 1:7.4p1-3Colin Watson