Age | Commit message (Collapse) | Author |
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
Last-Update: 2013-09-14
Patch-Name: ssh1-keepalive.patch
|
|
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
|
|
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2015-08-19
Patch-Name: selinux-role.patch
|
|
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: restore-tcp-wrappers.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2015-11-29
Patch-Name: gssapi.patch
|
|
|
|
|
|
|
|
add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
|
|
|
|
|
|
Avoids use-after-free in monitor when privsep child is compromised.
Reported by Moritz Jodeit; ok dtucker@
|
|
Pointed out by Moritz Jodeit; ok dtucker@
|
|
|
|
|
|
|
|
adjust for RSA minimum modulus switch; ok deraadt@
Upstream-Regress-ID: 5a72c83431b96224d583c573ca281cd3a3ebfdae
|
|
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
release; problems spotted by sthen@ ok deraadt@ markus@
Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
|
|
openssh 7.0; ok deraadt@
Upstream-ID: c63afdef537f57f28ae84145c5a8e29e9250221f
|
|
Allow PermitRootLogin to be overridden by config
ok markus@ deeradt@
Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
|
|
fix pty permissions; patch from Nikolay Edigaryev; ok
deraadt
Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
|
|
change default: PermitRootLogin without-password matching
install script changes coming as well ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
|
|
|
|
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
|
|
fix bug in previous; was printing incorrect string for
failed host key algorithms negotiation
Upstream-ID: 22c0dc6bc61930513065d92e11f0753adc4c6e6e
|
|
include the peer's offer when logging a failure to
negotiate a mutual set of algorithms (kex, pubkey, ciphers, etc.) ok markus@
Upstream-ID: bbb8caabf5c01790bb845f5ce135565248d7c796
|
|
add Cisco to the list of clients that choke on the
hostkeys update extension. Pointed out by Howard Kash
Upstream-ID: c9eadde28ecec056c73d09ee10ba4570dfba7e84
|
|
Permit kbind(2) use in the sandbox now, to ease testing
of ld.so work using it
reminded by miod@, ok deraadt@
Upstream-ID: 523922e4d1ba7a091e3824e77a8a3c818ee97413
|
|
Move .Pp before .Bl, not after to quiet mandoc -Tlint.
Noticed by jmc@
Upstream-ID: 59fadbf8407cec4e6931e50c53cfa0214a848e23
|
|
Sync usage with SYNOPSIS
Upstream-ID: 7a321a170181a54f6450deabaccb6ef60cf3f0b7
|
|
Better desciption of Unix domain socket forwarding.
bz#2423; ok jmc@
Upstream-ID: 85e28874726897e3f26ae50dfa2e8d2de683805d
|
|
|
|
mention that the default of UseDNS=no implies that
hostnames cannot be used for host matching in sshd_config and
authorized_keys; bz#2045, ok dtucker@
Upstream-ID: 0812705d5f2dfa59aab01f2764ee800b1741c4e1
|
|
don't ignore PKCS#11 hosted keys that return empty
CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
|
|
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
in bz#2427 ok markus@
Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
|
|
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
|
|
remove -u flag to diff (only used for error output) to make
things easier for -portable
Upstream-Regress-ID: a5d6777d2909540d87afec3039d9bb2414ade548
|
|
direct-streamlocal@openssh.com Unix domain foward
messages do not contain a "reserved for future use" field and in fact,
serverloop.c checks that there isn't one. Remove erroneous mention from
PROTOCOL description. bz#2421 from Daniel Black
Upstream-ID: 3d51a19e64f72f764682f1b08f35a8aa810a43ac
|
|
describe magic for setting up Unix domain socket fowards
via the mux channel; bz#2422 patch from Daniel Black
Upstream-ID: 943080fe3864715c423bdeb7c920bb30c4eee861
|
|
On some platforms the native realpath doesn't work with non-existent
files (this is actually specified in some versions of POSIX), however
the sftp spec says its realpath with "canonicalize any given path name".
On those platforms, use realpath from the compat library.
In addition, when compiling with -DFORTIFY_SOURCE, glibc redefines
the realpath symbol to the checked version, so redefine ours to
something else so we pick up the compat version we want.
bz#2428, ok djm@
|
|
fix incorrect test for SSH1 keys when compiled without SSH1
support
Upstream-ID: 6004d720345b8e481c405e8ad05ce2271726e451
|
|
fix NULL-deref when SSH1 reenabled
Upstream-ID: f22fd805288c92b3e9646782d15b48894b2d5295
|
|
regen RSA1 test keys; the last batch was missing their
private parts
Upstream-Regress-ID: 7ccf437305dd63ff0b48dd50c5fd0f4d4230c10a
|
|
Adapt tests, now that DSA if off by default; use
PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA.
Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
|
|
regen test data after mktestdata.sh changes
Upstream-Regress-ID: 3495ecb082b9a7c048a2d7c5c845d3bf181d25a4
|
|
adapt tests to new minimum RSA size and default FP format
Upstream-Regress-ID: a4b30afd174ce82b96df14eb49fb0b81398ffd0e
|
|
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
|
|
don't expect SSH v.1 in unittests
Upstream-Regress-ID: f8812b16668ba78e6a698646b2a652b90b653397
|
|
turn SSH1 back on to match src/usr.bin/ssh being tested
Upstream-Regress-ID: 6c4f763a2f0cc6893bf33983919e9030ae638333
|
|
Add "PuTTY_Local:" to the clients to which we do not
offer DH-GEX. This was the string that was used for development versions
prior to September 2014 and they don't do RFC4419 DH-GEX, but unfortunately
there are some extant products based on those versions. bx2424 from Jay
Rouman, ok markus@ djm@
Upstream-ID: be34d41e18b966832fe09ca243d275b81882e1d5
|