openssh.git -

Age	Commit message (Collapse)	Author
2017-09-01	Tell haveged to create the pid file we expect.	Colin Watson

2017-08-31	releasing package openssh version 1:7.5p1-9	Colin Watson

2017-08-31	Run haveged without "-w 1024", as setting the low water mark doesn't seem ↵	Colin Watson
	possible in all autopkgtest virtualisation environments.
2017-08-31	Run debian/tests/regress with "set -x".	Colin Watson

2017-08-28	releasing package openssh version 1:7.5p1-8	Colin Watson

2017-08-28	Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to ↵	Colin Watson
	allow some extra syscalls for crypto cards on s390x (LP: #1686618).
2017-08-28	Enable specific ioctl call for EP11 crypto card (s390)	Eduardo Barretto
	The EP11 crypto card needs to make an ioctl call, which receives an specific argument. This crypto card is for s390 only. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
2017-08-28	Allow getuid and geteuid calls	Eduardo Barretto
	getuid and geteuid are needed when using an openssl engine that calls a crypto card, e.g. ICA (libica). Those syscalls are also needed by the distros for audit code. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-getuid-geteuid.patch
2017-08-28	Allow flock and ipc syscall for s390 architecture	Eduardo Barretto
	In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 implementation) which calls the libraries that will communicate with the crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, this is only need on s390 architecture. Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-flock-ipc.patch
2017-08-28	Run haveged during autopkgtests to ensure that they have enough entropy for ↵	Colin Watson
	key generation (LP: #1712921).
2017-08-27	Drop openssh-client-ssh1, now built by a separate source package.	Colin Watson

2017-08-23	releasing package openssh version 1:7.5p1-7	Colin Watson

2017-08-23	Add RuntimeDirectory and RuntimeDirectoryMode to ssh@.service as well as ↵	Colin Watson
	ssh.service (closes: #872978).
2017-08-23	Fix spelling of RuntimeDirectoryMode (closes: #872976).	Colin Watson

2017-08-23	releasing package openssh version 1:7.5p1-6	Colin Watson

2017-08-22	Remove unnecessary package name from rm_conffile	Colin Watson

2017-08-22	Quote IP address in suggested "ssh-keygen -f" calls (closes: #872643).	Colin Watson

2017-08-22	Fix incoming compression statistics	Russell Coker
	Bug-Debian: https://bugs.debian.org/797964 Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html Last-Update: 2017-06-06 Patch-Name: fix-incoming-compression-statistics.patch
2017-08-22	Fix syntax error on Linux/X32	Damien Miller
	Patch from Mike Frysinger Origin: https://anongit.mindrot.org/openssh.git/commit/?id=6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6 Last-Update: 2017-04-02 Patch-Name: x32-syntax-error.patch
2017-08-22	Missing header on Linux/s390	Damien Miller
	Patch from Jakub Jelen Origin: https://anongit.mindrot.org/openssh.git/commit/?id=58b8cfa2a062b72139d7229ae8de567f55776f24 Last-Update: 2017-04-02 Patch-Name: s390-missing-header.patch
2017-08-22	Restore reading authorized_keys2 by default	Colin Watson
	Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 Forwarded: not-needed Last-Update: 2017-03-05 Patch-Name: restore-authorized_keys2.patch
2017-08-22	Remove ssh_host_dsa_key from HostKey default	Colin Watson
	The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 Bug-Debian: https://bugs.debian.org/850614 Last-Update: 2017-01-16 Patch-Name: no-dsa-host-key-by-default.patch
2017-08-22	Make integrity tests more robust against timeouts	Colin Watson
	If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Handle this failure mode. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Patch-Name: regress-integrity-robust.patch Last-Update: 2017-01-01
2017-08-22	Various Debian-specific configuration changes	Colin Watson
	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2016-12-26 Patch-Name: debian-config.patch
2017-08-22	Add systemd readiness notification support	Michael Biebl
	Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2017-08-22	Give the ssh-askpass-gnome window a default icon	Vincent Untz
	Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2017-08-22	Don't check the status field of the OpenSSL version	Kurt Roeckx
	There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch
2017-08-22	Document consequences of ssh-agent being setgid in ssh-agent(1)	Colin Watson
	Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2017-08-22	Document that HashKnownHosts may break tab-completion	Colin Watson
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2017-08-22	ssh(1): Refer to ssh-argv0(1)	Colin Watson
	Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2017-08-22	Adjust various OpenBSD-specific references in manual pages	Colin Watson
	No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: openbsd-docs.patch
2017-08-22	Install authorized_keys(5) as a symlink to sshd(8)	Tomas Pospisek
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2017-08-22	Add DebianBanner server configuration option	Kees Cook
	Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-11-29 Patch-Name: debian-banner.patch
2017-08-22	Include the Debian version in our identification	Matthew Vernon
	This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: package-versioning.patch
2017-08-22	Mention ssh-keygen in ssh fingerprint changed warning	Scott Moser
	Author: Chris Lamb <lamby@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2017-08-22 Patch-Name: mention-ssh-keygen-on-keychange.patch
2017-08-22	Add bug number for dropping Upstart support	Colin Watson

2017-08-22	Drop Upstart-specific patches	Colin Watson

2017-08-22	Fix incoming compression statistics	Russell Coker
	Bug-Debian: https://bugs.debian.org/797964 Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html Last-Update: 2017-06-06 Patch-Name: fix-incoming-compression-statistics.patch
2017-08-22	Fix syntax error on Linux/X32	Damien Miller
	Patch from Mike Frysinger Origin: https://anongit.mindrot.org/openssh.git/commit/?id=6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6 Last-Update: 2017-04-02 Patch-Name: x32-syntax-error.patch
2017-08-22	Missing header on Linux/s390	Damien Miller
	Patch from Jakub Jelen Origin: https://anongit.mindrot.org/openssh.git/commit/?id=58b8cfa2a062b72139d7229ae8de567f55776f24 Last-Update: 2017-04-02 Patch-Name: s390-missing-header.patch
2017-08-22	Restore reading authorized_keys2 by default	Colin Watson
	Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 Forwarded: not-needed Last-Update: 2017-03-05 Patch-Name: restore-authorized_keys2.patch
2017-08-22	Remove ssh_host_dsa_key from HostKey default	Colin Watson
	The client no longer accepts DSA host keys, and servers using the default HostKey setting should have better host keys available. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662 Bug-Debian: https://bugs.debian.org/850614 Last-Update: 2017-01-16 Patch-Name: no-dsa-host-key-by-default.patch
2017-08-22	Make integrity tests more robust against timeouts	Colin Watson
	If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Handle this failure mode. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Patch-Name: regress-integrity-robust.patch Last-Update: 2017-01-01
2017-08-22	Various Debian-specific configuration changes	Colin Watson
	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2016-12-26 Patch-Name: debian-config.patch
2017-08-22	Add systemd readiness notification support	Michael Biebl
	Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2017-08-22	Give the ssh-askpass-gnome window a default icon	Vincent Untz
	Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2017-08-22	Don't check the status field of the OpenSSL version	Kurt Roeckx
	There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch
2017-08-22	Document consequences of ssh-agent being setgid in ssh-agent(1)	Colin Watson
	Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2017-08-22	Drop upstart system and user jobs.	Dimitri John Ledkov

2017-08-22	Fix up drop sshd.conf	Dimitri John Ledkov