Age | Commit message (Collapse) | Author |
|
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2017-08-22
Patch-Name: mention-ssh-keygen-on-keychange.patch
|
|
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
|
|
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2013-09-14
Patch-Name: shell-path.patch
|
|
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.
This should be revised to mimic real shell quoting.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27
Patch-Name: scp-quoting.patch
|
|
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2019-10-09
Patch-Name: user-group-modes.patch
|
|
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it. The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14
Patch-Name: syslog-level-silent.patch
|
|
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2018-10-19
Patch-Name: keepalive-extensions.patch
|
|
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
|
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2019-06-05
Patch-Name: selinux-role.patch
|
|
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: restore-tcp-wrappers.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2019-10-09
Patch-Name: gssapi.patch
|
|
|
|
|
|
OpenBSD-Commit-ID: 3356bb34e2aa287f0e6d6773c9ae659dc680147d
|
|
case, and some other NULL dereferences found by fuzzing.
fix with and ok markus@
OpenBSD-Commit-ID: 0f81adbb95ef887ce586953e1cb225fa45c7a47b
|
|
Reported by Adam Zabrocki via SecuriTeam's SSH program.
Note that this code is experimental and not compiled by default.
ok markus@
OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
|
|
warnings on some platforms. ok deraadt.
OpenBSD-Commit-ID: a990dbc2dac25bdfa07e79321349c73fd991efa2
|
|
OpenBSD-Commit-ID: 78bb512d04cfc238adb2c5b7504ac93eecf523b3
|
|
|
|
Similar to the previous change to DEF_WEAK, some compilers don't like
the empty statement, so convert into a no-op function prototype.
|
|
make the indenting a little more consistent too..
Fixes Solaris 2.6; reported by Tom G. Christensen
|
|
spotted by Tim Rice; ok dtucker
|
|
Completely nop-ing out DEF_WEAK leaves an empty statemment which some
compilers don't like. Replace with a no-op function template. ok djm@
|
|
remove them only where it's needed (and confuses test(1) on at least OS X in
portable).
OpenBSD-Regress-ID: a6ab9b4bd1d33770feaf01b2dfb96f9e4189d2d0
|
|
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
krishnaiah.bommu@intel.com, ok dtucker
OpenBSD-Commit-ID: d031853f3ecf47b35a0669588f4d9d8e3b307b3c
|
|
OpenBSD-Commit-ID: 350648bcf00a2454e7ef998b7d88e42552b348ac
|
|
check-novalidate signature test mode and signing keys in ssh-agent.
From Sebastian Kinne (slightly tweaked)
OpenBSD-Regress-ID: b39566f5cec70140674658cdcedf38752a52e2e2
|
|
patch from krishnaiah.bommu@intel.com, ok djm@
OpenBSD-Commit-ID: 4c6a4cde0022188ac83737de08da0e875704eeaa
|
|
usage(); while here, no need for Bk/Ek;
ok dtucker
OpenBSD-Commit-ID: 38715c3f10b166f599a2283eb7bc14860211bb90
|
|
=?UTF-8?q?=20Mikul=C4=97nas?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenBSD-Commit-ID: ffa3f5a45e09752fc47d9041e2203ee2ec15b24d
|
|
=?UTF-8?q?=20as=20a=20string,=20not=20raw=20bytes.=20Spotted=20by=20Manta?=
=?UTF-8?q?s=20Mikul=C4=97nas?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenBSD-Commit-ID: 80fcc6d52893f80c6de2bedd65353cebfebcfa8f
|
|
=?UTF-8?q?shsig;=20spotted=20by=20Mantas=20Mikul=C4=97nas?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenBSD-Commit-ID: 7c5bcf40bed8f4e826230176f4aa353c52aeb698
|
|
|
|
New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
|
|
Prompted by Jakub Jelen
|
|
|
|
OpenBSD-Commit-ID: ed6827ab921eff8027669848ef4f70dc1da4098c
|
|
ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the
token returns no objects and this is less disruptive for users of tokens
directly in ssh (rather than via ssh-agent) and in ssh-keygen
bz3006, patch from Jakub Jelen; ok markus
OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
|
|
OpenBSD-Commit-ID: e1480e760a2b582f79696cdcff70098e23fc603f
|
|
i added a comma to the first part, for balance...
OpenBSD-Commit-ID: 2c3464e9e82a41e8cdfe8f0a16d94266e43dbb58
|
|
number 1024
OpenBSD-Commit-ID: e775f94ad47ce9ab37bd1410d7cf3b7ea98b11b7
|
|
OpenBSD-Commit-ID: c35ca5ec07be460e95e7406af12eee04a77b6698
|
|
Patch from vapier@gentoo.org.
|
|
|
|
as they confuse tools on some platforms. Re-enable the 3des-cbc test.
OpenBSD-Regress-ID: edf536d4f29fc1ba412889b37247a47f1b49d250
|
|
Since we've added larger fallback groups to dh.c this test will pass
even if there is no moduli file installed on the system.
|
|
|
|
|
|
that a signature came from a trusted signer. To discourage accidental or
unintentional use, this is invoked by the deliberately ugly option name
"check-novalidate"
from Sebastian Kinne
OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
|