Age | Commit message (Collapse) | Author |
|
|
|
This avoids deadlocking with restarting networking.
LP: #1584393
|
|
Override the corresponding upstart job in that case.
|
|
agent in the user session
Use it in ssh-agent.user-session.upstart. This will also be used in a
corresponding systemd user unit.
This replaces the backgrounded "ssh-agent -s" with a foreground task which
works more nicely with modern init systems for logging/debugging and
starting/stopping.
Also use a fixed socket file name in $XDG_RUNTIME_DIR -- under both upstart and
systemd we can assume this, and it allows restarting the service in a running
session.
|
|
example and add a section to README.Debian. libpam-systemd >= 230 and "UsePAM yes" should take care of the original problem for most systemd users (thanks, Michael Biebl; closes: #832155).
|
|
|
|
|
|
than the above for systemd users, but I'm wary of depending on it in case I cause an assortment of exciting dependency problems on upgrade for non-systemd users.
|
|
|
|
|
|
|
|
#823827).
|
|
serves to terminate SSH sessions cleanly if systemd doesn't do that itself, often because libpam-systemd is not installed (thanks, Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).
|
|
when not in debug mode or when logging to a file or syslog (closes: #714526).
|
|
close ControlPersist background process stderr when not
in debug mode or when logging to a file or syslog. bz#1988 ok dtucker
Upstream-ID: 4fb726f0fdcb155ad419913cea10dc4afd409d24
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d2d6bf864e52af8491a60dd507f85b74361f5da3
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1988
Bug-Debian: https://bugs.debian.org/714526
Last-Update: 2016-07-22
Patch-Name: control-persist-close-stderr.patch
|
|
|
|
|
|
If the root account is locked (eg password "!!" or "*LK*") keep looking
until we find a user with a valid salt to use for crypting passwords of
invalid users. ok djm@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=dbf788b4d9d9490a5fff08a7b09888272bb10fcc
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-3.patch
|
|
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct. This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.
Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=283b97ff33ea2c641161950849931bd578de6946
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-2.patch
|
|
When sshd is processing a non-PAM login for a non-existent user it uses
the string from the fakepw structure as the salt for crypt(3)ing the
password supplied by the client. That string has a Blowfish prefix, so on
systems that don't understand that crypt will fail fast due to an invalid
salt, and even on those that do it may have significantly different timing
from the hash methods used for real accounts (eg sha512). This allows
user enumeration by, eg, sending large password strings. This was noted
by EddieEzra.Harari at verint.com (CVE-2016-6210).
To mitigate, use the same hash algorithm that root uses for hashing
passwords for users that do not exist on the system. ok djm@
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=9286875a73b2de7736b5e50692739d314cd8d9dc
Bug-Debian: https://bugs.debian.org/831902
Last-Update: 2016-07-22
Patch-Name: CVE-2016-6210-1.patch
|
|
#1588457).
|
|
works (reported by Olivier MATZ).
|
|
file into the openssh-sftp-server package description (closes: #766887).
|
|
|
|
|
|
keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself (thanks, Paul Querna; LP: #1575961).
|
|
unbreak authentication using lone certificate keys in
ssh-agent: when attempting pubkey auth with a certificate, if no separate
private key is found among the keys then try with the certificate key itself.
bz#2550 reported by Peter Moody
Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=c38905ba391434834da86abfc988a2b8b9b62477
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1575961
Last-Update: 2016-04-28
Patch-Name: unbreak-certificate-auth.patch
|
|
|
|
|
|
|
|
|
|
|
|
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
Last-Update: 2016-04-13
Patch-Name: CVE-2015-8325.patch
|
|
|
|
|
|
|
|
server end than the client (thanks, Damien Miller; closes: #817870, LP: #1558576).
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2015-12-07
Patch-Name: debian-config.patch
|
|
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2016-01-04
Patch-Name: systemd-readiness.patch
|
|
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2014-04-14
Patch-Name: sigstop.patch
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|
|
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
|
|
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2013-06-08
Patch-Name: ssh-agent-setgid.patch
|
|
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: doc-upstart.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
|
|
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
|
|
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: openbsd-docs.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
|
|
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2015-11-29
Patch-Name: debian-banner.patch
|
|
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: package-versioning.patch
|