Age | Commit message (Collapse) | Author |
|
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: restore-tcp-wrappers.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2016-08-07
Patch-Name: gssapi.patch
|
|
|
|
|
|
openssh-7.4
Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
|
|
remove testcase that depends on exact output and
behaviour of snprintf(..., "%s", NULL)
Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
|
|
Use LOGNAME to get current user and fall back to whoami if
not set. Mainly to benefit -portable since some platforms don't have whoami.
Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
|
|
Add regression test for AllowUsers and DenyUsers. Patch from
Zev Weiss <zev at bewilderbeest.net>
Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
|
|
Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
|
|
revert to rev1.2; the new bits in this test depend on changes
to ssh that aren't yet committed
Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
|
|
Move the "stop sshd" code into its own helper function.
Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@
Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
|
|
regression test for certificates along with private key
with no public half. bz#2617, mostly from Adam Eijdenberg
Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
|
|
Use $SUDO to read pidfile in case root's umask is
restricted. From portable.
Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
|
|
Add missing braces in DenyUsers code. Patch from zev at
bewilderbeest.net, ok deraadt@
Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
|
|
Fix text in error message. Patch from zev at
bewilderbeest.net.
Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
|
|
disable Unix-domain socket forwarding when privsep is
disabled
Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
|
|
log connections dropped in excess of MaxStartups at
verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@
Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
|
|
|
|
These commented-out includes have "Still needed?" comments. Since
they've been commented out for ~13 years I assert that they're not.
|
|
|
|
Fixes build on (at least) Solaris 10.
|
|
Turkish locales are unique in their handling of the letters 'i' and
'I' (yes, they are different letters) and OpenSSH isn't remotely
prepared to deal with that. For now, the best we can do is to force
OpenSSH to use the C/POSIX locale and try to preserve the UTF-8
encoding if possible.
ok dtucker@
|
|
|
|
|
|
Check for utf8 local support and if not found, do not attempt to run the
utf8 tests. Suggested by djm@
|
|
This will use the host-prefixed version when cross compiling; patch from
david.michael at coreos.com.
|
|
make IdentityFile successfully load and use certificates that
have no corresponding bare public key. E.g. just a private id_rsa and
certificate id_rsa-cert.pub (and no id_rsa.pub).
bz#2617 ok dtucker@
Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
|
|
Based on patch from Colin Watson via bz#2640
|
|
Patch from Colin Watson via bz#2640
|
|
Fix public key authentication when multiple
authentication is in use. Instead of deleting and re-preparing the entire
keys list, just reset the 'used' flags; the keys list is already in a good
order (with already- tried keys at the back)
Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@
Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
|
|
Unlink PidFile on SIGHUP and always recreate it when the
new sshd starts. Regression tests (and possibly other things) depend on the
pidfile being recreated after SIGHUP, and unlinking it means it won't contain
a stale pid if sshd fails to restart. ok djm@ markus@
Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
|
|
test new behaviour of cert force-command restriction vs.
authorized_key/ principals
Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
|
|
tweak previous; while here fix up FILES and AUTHORS;
Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
|
|
add a whitelist of paths from which ssh-agent will load
(via ssh-pkcs11-helper) a PKCS#11 module; ok markus@
Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
|
|
Add a sshd_config DisableForwaring option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as
anything else we might implement in the future.
This, like the 'restrict' authorized_keys flag, is intended to be a
simple and future-proof way of restricting an account. Suggested as
a complement to 'restrict' by Jann Horn; ok markus@
Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
|
|
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.
The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.
Pointed out by Jann Horn of Project Zero; ok dtucker@
Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
|
|
On startup, check to see if sshd is already daemonized
and if so, skip the call to daemon() and do not rewrite the PidFile. This
means that when sshd re-execs itself on SIGHUP the process ID will no longer
change. Should address bz#2641. ok djm@ markus@.
Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
|
|
Add a call to RAND_poll() to ensure than more than pid+time gets
stirred into child processes states. Prompted by analysis from Jann
Horn at Project Zero. ok dtucker@
|
|
Allow PuTTY interop tests to run unattended. bz#2639,
patch from cjwatson at debian.org.
Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
|
|
Reverse args to sshd-log-wrapper. Matches change in
portable, where it allows sshd do be optionally run under Valgrind.
Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
|
|
Fix typo in trace message; from portable.
Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
|
|
Clean up MALLOC_OPTIONS. For the unittests, move
MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc.
ok otto
Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
|
|
Remove the obsolete A and P flags from MALLOC_OPTIONS.
ok dtucker
Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59
|
|
Factor out code to disconnect from controlling terminal
into its own function. ok djm@
Upstream-ID: 39fd9e8ebd7222615a837312face5cc7ae962885
|
|
use sshbuf_allocate() to pre-allocate the buffer used for
loading keys. This avoids implicit realloc inside the buffer code, which
might theoretically leave fragments of the key on the heap. This doesn't
appear to happen in practice for normal sized keys, but was observed for
novelty oversize ones.
Pointed out by Jann Horn of Project Zero; ok markus@
Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
|
|
split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@
Upstream-ID: 11b8a2795afeeb1418d508a2c8095b3355577ec2
|
|
allow ClientAlive{Interval,CountMax} in Match; ok dtucker,
djm
Upstream-ID: 8beb4c1eadd588f1080b58932281983864979f55
|
|
unbreak DenyUsers; reported by henning@
Upstream-ID: 1c67d4148f5e953c35acdb62e7c08ae8e33f7cb2
|
|
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
|
|
Improve pkcs11_add_provider() logging: demote some
excessively verbose error()s to debug()s, include PKCS#11 provider name and
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
|