summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-09-08Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-banner.patch
2015-09-08Include the Debian version in our identificationMatthew Vernon
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: package-versioning.patch
2015-09-08Mention ssh-keygen in ssh fingerprint changed warningScott Moser
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2015-09-08 Patch-Name: mention-ssh-keygen-on-keychange.patch
2015-08-19Quieten logs when multiple from= restrictions are usedColin Watson
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
2015-08-19Force use of DNSSEC even if "options edns0" isn't in resolv.confColin Watson
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2015-08-19Look for $SHELL on the path for ProxyCommand/LocalCommandColin Watson
There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch
2015-08-19Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2015-08-19Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
2015-08-19Add support for registering ConsoleKit sessions on loginColin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 Last-Updated: 2015-08-19 Patch-Name: consolekit.patch
2015-08-19Mention ~& when waiting for forwarded connections to terminateMatthew Vernon
Bug-Debian: http://bugs.debian.org/50308 Last-Update: 2010-02-27 Patch-Name: helpful-wait-terminate.patch
2015-08-19Reduce severity of "Killed by signal %d"Peter Samuelson
This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. Author: Colin Watson <cjwatson@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 Bug-Debian: http://bugs.debian.org/313371 Last-Update: 2013-09-14 Patch-Name: quieter-signals.patch
2015-08-19"LogLevel SILENT" compatibilityJonathan David Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2015-08-19Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2015-08-19 Patch-Name: keepalive-extensions.patch
2015-08-19Partial server keep-alive implementation for SSH1Colin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 Last-Update: 2013-09-14 Patch-Name: ssh1-keepalive.patch
2015-08-19Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2015-08-19Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
2015-08-19Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2015-08-19GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-08-19 Patch-Name: gssapi.patch
2015-08-19Import openssh_6.9p1.orig.tar.gzColin Watson
2015-08-19Import openssh_6.8p1.orig.tar.gzColin Watson
2015-07-01upstream commitdjm@openbsd.org
twiddle; (this commit marks the openssh-6.9 release) Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
2015-07-01upstream commitdjm@openbsd.org
better refuse ForwardX11Trusted=no connections attempted after ForwardX11Timeout expires; reported by Jann Horn Upstream-ID: bf0fddadc1b46a0334e26c080038313b4b6dea21
2015-07-01upstream commitdjm@openbsd.org
put back default PermitRootLogin=no Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
2015-07-01upstream commitdjm@openbsd.org
openssh-6.9 Upstream-ID: 6cfe8e1904812531080e6ab6e752d7001b5b2d45
2015-07-01upstream commitdjm@openbsd.org
reset default PermitRootLogin to 'yes' (momentarily, for release) Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
2015-07-01crank version numbers for releaseDamien Miller
2015-07-01s/--with-ssh1/--without-ssh1/Damien Miller
2015-06-30upstream commitdjm@openbsd.org
fatal() when a remote window update causes the window value to overflow. Reported by Georg Wicherski, ok markus@ Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
2015-06-30upstream commitdjm@openbsd.org
Fix math error in remote window calculations that causes eventual stalls for datagram channels. Reported by Georg Wicherski, ok markus@ Upstream-ID: be54059d11bf64e0d85061f7257f53067842e2ab
2015-06-30skip IPv6-related portions on hosts without IPv6Damien Miller
with Tim Rice
2015-06-30upstream commitdjm@openbsd.org
add getpid to sandbox, reachable by grace_alarm_handler reported by Jakub Jelen; bz#2419 Upstream-ID: d0da1117c16d4c223954995d35b0f47c8f684cd8
2015-06-27upstream commitdjm@openbsd.org
Fix \-escaping bug that caused forward path parsing to skip two characters and skip past the end of the string. Based on patch by Salvador Fandino; ok dtucker@ Upstream-ID: 7b879dc446335677cbe4cb549495636a0535f3bd
2015-06-25add missing pselect6Damien Miller
patch from Jakub Jelen
2015-06-25upstream commitdjm@openbsd.org
correct test to sshkey_sign(); spotted by Albert S. Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
2015-06-25upstream commitdtucker@openbsd.org
Revert previous commit. We still want to call setgroups in the case where there are zero groups to remove any that we might otherwise inherit (as pointed out by grawity at gmail.com) and since the 2nd argument to setgroups is always a static global it's always valid to dereference in this case. ok deraadt@ djm@ Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
2015-06-25upstream commitdtucker@openbsd.org
Revert previous commit. We still want to call setgroups in the case where there are zero groups to remove any that we might otherwise inherit (as pointed out by grawity at gmail.com) and since the 2nd argument to setgroups is always a static global it's always valid to dereference in this case. ok deraadt@ djm@ Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
2015-06-23upstream commitdjm@openbsd.org
Don't count successful partial authentication as failures in monitor; this may have caused the monitor to refuse multiple authentications that would otherwise have successfully completed; ok markus@ Upstream-ID: eb74b8e506714d0f649bd5c300f762a527af04a3
2015-06-23upstream commitdtucker@openbsd.org
Don't call setgroups if we have zero groups; there's no guarantee that it won't try to deref the pointer. Based on a patch from mail at quitesimple.org, ok djm deraadt Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
2015-06-18fix syntax errorDamien Miller
2015-06-17upstream commitjsing@openbsd.org
If AuthorizedPrincipalsCommand is specified, however AuthorizedPrincipalsFile is not (or is set to "none"), authentication will potentially fail due to key_cert_check_authority() failing to locate a principal that matches the username, even though an authorized principal has already been matched in the output of the subprocess. Fix this by using the same logic to determine if pw->pw_name should be passed, as is used to determine if a authorized principal must be matched earlier on. ok djm@ Upstream-ID: 43b42302ec846b0ea68aceb40677245391b9409d
2015-06-17upstream commitjsing@openbsd.org
Make the arguments to match_principals_command() similar to match_principals_file(), by changing the last argument a struct sshkey_cert * and dereferencing key->cert in the caller. No functional change. ok djm@ Upstream-ID: 533f99b844b21b47342b32b62e198dfffcf8651c
2015-06-17trivial optimisation for seccomp-bpfDamien Miller
When doing arg inspection and the syscall doesn't match, skip past the instruction that reloads the syscall into the accumulator, since the accumulator hasn't been modified at this point.
2015-06-17aarch64 support for seccomp-bpf sandboxDamien Miller
Also resort and tidy syscall list. Based on patches by Jakub Jelen bz#2361; ok dtucker@
2015-06-15upstream commitdjm@openbsd.org
return failure on RSA signature error; reported by Albert S Upstream-ID: e61bb93dbe0349625807b0810bc213a6822121fa
2015-06-09Fix t12 rules for out of tree builds.Tim Rice
2015-06-07upstream commitmillert@openbsd.org
For "ssh -L 12345:/tmp/sock" don't fail with "No forward host name." (we have a path, not a host name). Based on a diff from Jared Yanovich. OK djm@ Upstream-ID: 2846b0a8c7de037e33657f95afbd282837fc213f
2015-06-05upstream commitdjm@openbsd.org
typo: accidental repetition; bz#2386 Upstream-ID: 45e620d99f6bc301e5949d34a54027374991c88b
2015-06-05Add Linux powerpc64le and powerpcle entries.Darren Tucker
Stopgap to resolve bz#2409 because we are so close to release and will update config.guess and friends shortly after the release. ok djm@
2015-06-03Merge branch 'master' of git.mindrot.org:/var/git/opensshTim Rice
2015-06-03Remove unneeded backslashes. Patch from Ángel GonzálezTim Rice