summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-04-07Convert to dh(1), and use dh_installdocs --link-doc.Colin Watson
2010-04-06Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 isColin Watson
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
2010-04-06lintian-symlink-pickiness.patch rejected upstream, but we need to keep itColin Watson
2010-04-06releasing version 1:5.4p1-1Colin Watson
2010-04-03* Policy version 3.8.4:Colin Watson
- Add a Homepage field.
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-03-31Drop Debian-specific removal of OpenSSL version check. Upstream ignoresColin Watson
the two patchlevel nybbles now, which is sufficient to address the original reason this change was introduced, and it appears that any change in the major/minor/fix nybbles would involve a new libssl package name. (We'd still lose if the status nybble were ever changed, but that would mean somebody had packaged a development/beta version rather than a proper release, which doesn't appear to be normal practice.)
2010-03-31Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makesColin Watson
itself non-OOM-killable, and doesn't require configuration to avoid log spam in virtualisation containers (closes: #555625).
2010-03-31ssh-vulnkey.patch: update another call to auth_key_is_revokedColin Watson
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-31merge 5.4p1Colin Watson
2010-03-31Import 5.4p1 tarballColin Watson
2010-03-31handle merge history from previous tarball branchColin Watson
2010-03-29Hardcode the location of xauth to /usr/bin/xauth rather thanColin Watson
/usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440). xauth no longer depends on x11-common, so we're no longer guaranteed to have the /usr/bin/X11 symlink available. I was taking advantage of the /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far enough in the past now that it's probably safe to just use /usr/bin.
2010-03-17Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.Colin Watson
2010-03-08Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<Colin Watson
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
2010-03-08 - djm@cvs.openbsd.org 2010/03/08 00:28:55Damien Miller
[ssh-keygen.1] document permit-agent-forwarding certificate constraint; patch from stevesk@
2010-03-08 - djm@cvs.openbsd.org 2010/03/08 00:28:55Damien Miller
[ssh-keygen.1] document permit-agent-forwarding certificate constraint; patch from stevesk@
2010-03-08 - (djm) Release OpenSSH-5.4p1Damien Miller
2010-03-08 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
crank version numbers
2010-03-08 - djm@cvs.openbsd.org 2010/03/07 22:16:01Damien Miller
[ssh-keygen.c] make internal strptime string match strftime format; suggested by vinschen AT redhat.com and markus@
2010-03-08 - (djm) OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/03/07 22:01:32 [version.h] openssh-5.4
2010-03-07 - dtucker@cvs.openbsd.org 2010/03/07 11:57:13Darren Tucker
[auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c] Hold authentication debug messages until after successful authentication. Fixes an info leak of environment variables specified in authorized_keys, reported by Jacob Appelbaum. ok djm@
2010-03-07 - (dtucker) [session.c] Also initialize creds to NULL for handing toDarren Tucker
setpcred.
2010-03-07 - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot andDarren Tucker
do not set real uid, since that's needed for the chroot, and will be set by permanently_set_uid.
2010-03-07 - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so thatDarren Tucker
it gets the passwd struct from the LAM that knows about the user which is not necessarily the default. Patch from Alexandre Letourneau.
2010-03-05 - djm@cvs.openbsd.org 2010/03/05 10:28:21Damien Miller
[ssh-add.1 ssh.1 ssh_config.5] mention loading of certificate files from [private]-cert.pub when they are present; feedback and ok jmc@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/05 08:31:20Damien Miller
[ssh.1] document certificate authentication; help/ok djm
2010-03-05 - jmc@cvs.openbsd.org 2010/03/05 06:50:35Damien Miller
[ssh.1 sshd.8] tweak previous;
2010-03-05 - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@Damien Miller
2010-03-05 - djm@cvs.openbsd.org 2010/03/05 02:58:11Damien Miller
[auth.c] make the warning for a revoked key louder and more noticable
2010-03-05 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failureDamien Miller
on some platforms
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:27:25Damien Miller
[auth-options.c ssh-keygen.c] "force-command" is not spelled "forced-command"; spotted by imorgan AT nas.nasa.gov
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:19:29Damien Miller
[ssh.1 sshd.8] move section on CA and revoked keys from ssh.1 to sshd.8's known hosts format section and rework it a bit; requested by jmc@
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:17:25Damien Miller
[sshd_config.5] missing word; spotted by jmc@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/04 22:52:40Damien Miller
[ssh-keygen.1] fix Bk/Ek;
2010-03-04 - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in olderTim Rice
compilers. OK djm@
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 20:35:08Damien Miller
[ssh-keygen.1 ssh-keygen.c] Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 - jmc@cvs.openbsd.org 2010/03/04 12:51:25Damien Miller
[ssh.1 sshd_config.5] tweak previous;
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:38:23Damien Miller
[regress/cert-hostkey.sh regress/cert-userkey.sh] additional regression tests for revoked keys and TrustedUserCAKeys
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 00:47:23Damien Miller
[regress/cert-hostkey.sh regress/cert-userkey.sh] add an extra test to ensure that authentication with the wrong certificate fails as it should (and it does)
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 01:44:57Damien Miller
[key.c] use buffer_get_string_ptr_ret() where we are checking the return value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 22:50:40Damien Miller
[PROTOCOL.certkeys] s/similar same/similar/; from imorgan AT nas.nasa.gov
2010-03-04 - djm@cvs.openbsd.org 2010/03/03 22:49:50Damien Miller
[sshd.8] the authorized_keys option for CA keys is "cert-authority", not "from=cert-authority". spotted by imorgan AT nas.nasa.gov
2010-03-04 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/03/03 01:44:36 [auth-options.c key.c] reject strings with embedded ASCII nul chars in certificate key IDs, principal names and constraints
2010-03-04 - (djm) [regress/Makefile] Cleanup sshd_proxy_origDamien Miller
2010-03-04 - (djm) [.cvsignore] Ignore ssh-pkcs11-helperDamien Miller
2010-03-04 - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReqDamien Miller
on XFree86-devel with neutral /usr/include/X11/Xlib.h; imorgan AT nas.nasa.gov in bz#1731
2010-03-04 - (djm) [ssh-keygen.c] Use correct local variable, instead ofDamien Miller
maybe-undefined global "optarg"