summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-03-25Attempt SSHFP lookup even if server presents a certificateMatthew Vernon
If an ssh server presents a certificate to the client, then the client does not check the DNS for SSHFP records. This means that a malicious server can essentially disable DNS-host-key-checking, which means the client will fall back to asking the user (who will just say "yes" to the fingerprint, sadly). This patch means that the ssh client will, if necessary, extract the server key from the proffered certificate, and attempt to verify it against the DNS. The patch was written by Mark Wooding <mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed it, and tested it. Signed-off-by: Matthew Vernon <matthew@debian.org> Bug-Debian: http://bugs.debian.org/742513 Patch-Name: sshfp_with_server_cert
2014-03-20Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2014-02-12 Patch-Name: debian-config.patch
2014-03-20Support synchronisation with service supervisor using SIGSTOPColin Watson
Forwarded: no Last-Update: 2013-09-14 Patch-Name: sigstop.patch
2014-03-20Give the ssh-askpass-gnome window a default iconVincent Untz
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2014-03-20Disable OpenSSL version checkPhilip Hands
OpenSSL's SONAME is sufficient nowadays. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: http://bugs.debian.org/93581 Bug-Debian: http://bugs.debian.org/664383 Forwarded: not-needed Last-Update: 2013-12-23 Patch-Name: no-openssl-version-check.patch
2014-03-20Document consequences of ssh-agent being setgid in ssh-agent(1)Colin Watson
Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2014-03-20Refer to ssh's Upstart job as well as its init scriptColin Watson
Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: doc-upstart.patch
2014-03-20Document that HashKnownHosts may break tab-completionColin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2014-03-20ssh(1): Refer to ssh-argv0(1)Colin Watson
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2014-03-20Adjust various OpenBSD-specific references in manual pagesColin Watson
No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: openbsd-docs.patch
2014-03-20Fix picky lintian errors about slogin symlinksColin Watson
Apparently this breaks some SVR4 packaging systems, so upstream can't win either way and opted to keep the status quo. We need this patch anyway. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 Last-Update: 2013-09-14 Patch-Name: lintian-symlink-pickiness.patch
2014-03-20Install authorized_keys(5) as a symlink to sshd(8)Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2014-03-20Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-banner.patch
2014-03-20Include the Debian version in our identificationMatthew Vernon
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: package-versioning.patch
2014-03-20Mention ssh-keygen in ssh fingerprint changed warningScott Moser
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2013-09-14 Patch-Name: mention-ssh-keygen-on-keychange.patch
2014-03-20Quieten logs when multiple from= restrictions are usedColin Watson
Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
2014-03-20Force use of DNSSEC even if "options edns0" isn't in resolv.confColin Watson
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2014-03-20Look for $SHELL on the path for ProxyCommand/LocalCommandColin Watson
There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch
2014-03-20Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2014-03-20Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
2014-03-20Add support for registering ConsoleKit sessions on loginColin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 Last-Updated: 2014-03-20 Patch-Name: consolekit.patch
2014-03-20Mention ~& when waiting for forwarded connections to terminateMatthew Vernon
Bug-Debian: http://bugs.debian.org/50308 Last-Update: 2010-02-27 Patch-Name: helpful-wait-terminate.patch
2014-03-20Reduce severity of "Killed by signal %d"Peter Samuelson
This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. Author: Colin Watson <cjwatson@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 Bug-Debian: http://bugs.debian.org/313371 Last-Update: 2013-09-14 Patch-Name: quieter-signals.patch
2014-03-20"LogLevel SILENT" compatibilityJonathan David Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2014-03-20Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: keepalive-extensions.patch
2014-03-20Partial server keep-alive implementation for SSH1Colin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 Last-Update: 2013-09-14 Patch-Name: ssh1-keepalive.patch
2014-03-20Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2014-03-20Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2013-09-14 Patch-Name: selinux-role.patch
2014-03-20GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-03-19 Patch-Name: gssapi.patch
2014-03-20Import openssh_6.6p1.orig.tar.gzColin Watson
2014-03-13 - (djm) Release OpenSSH 6.6Damien Miller
2014-03-04 - djm@cvs.openbsd.org 2014/03/03 22:22:30Damien Miller
[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@
2014-03-02 - (djm) [regress/Makefile] Disable dhgex regress test; it breaks whenDamien Miller
no moduli file exists at the expected location.
2014-02-28 - (djm) [regress/host-expand.sh] Add RCS IdDamien Miller
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 21:21:25Damien Miller
[agent-ptrace.sh agent.sh] keep return values that are printed in error messages; from portable (Id sync only)
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 20:04:16Damien Miller
[login-timeout.sh] remove any existing LoginGraceTime from sshd_config before adding a specific one for the test back in
2014-02-28 - djm@cvs.openbsd.org 2014/01/26 10:49:17Damien Miller
[scp-ssh-wrapper.sh scp.sh] make sure $SCP is tested on the remote end rather than whichever one happens to be in $PATH; from portable (Id sync only)
2014-02-28 - djm@cvs.openbsd.org 2014/01/26 10:22:10Damien Miller
[regress/cert-hostkey.sh] automatically generate revoked keys from listed keys rather than manually specifying each type; from portable (Id sync only)
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/25 04:35:32Damien Miller
[regress/Makefile regress/dhgex.sh] Add a test for DH GEX sizes
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/20 00:00:30Damien Miller
[sftp-chroot.sh] append to rather than truncating the log file
2014-02-28 - dtucker@cvs.openbsd.org 2014/01/19 23:43:02Damien Miller
[regress/sftp-chroot.sh] Don't use -q on sftp as it suppresses logging, instead redirect the output to the regress logfile.
2014-02-28 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 22:57:40Damien Miller
[version.h] openssh-6.6
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 22:47:07Damien Miller
[sshd_config.5] bz#2184 clarify behaviour of a keyword that appears in multiple matching Match blocks; ok dtucker@
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 08:25:09Damien Miller
[bufbn.c] off by one in range check
2014-02-28 - djm@cvs.openbsd.org 2014/02/27 00:41:49Damien Miller
[bufbn.c] fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@
2014-02-27 - markus@cvs.openbsd.org 2014/02/26 21:53:37Damien Miller
[sshd.c] ssh_gssapi_prepare_supported_oids needs GSSAPI
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:29:29Damien Miller
[channels.c] don't assume that the socks4 username is \0 terminated; spotted by Ben Hawkes; ok markus@
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:28:44Damien Miller
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c] bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep sandboxing, as running this code in the sandbox can cause violations; ok markus@
2014-02-27 - djm@cvs.openbsd.org 2014/02/26 20:18:37Damien Miller
[ssh.c] bz#2205: avoid early hostname lookups unless canonicalisation is enabled; ok dtucker@ markus@