summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-08-07Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2016-08-07Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
2016-08-07Mention ~& when waiting for forwarded connections to terminateMatthew Vernon
Bug-Debian: http://bugs.debian.org/50308 Last-Update: 2010-02-27 Patch-Name: helpful-wait-terminate.patch
2016-08-07Reduce severity of "Killed by signal %d"Peter Samuelson
This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. Author: Colin Watson <cjwatson@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 Bug-Debian: http://bugs.debian.org/313371 Last-Update: 2013-09-14 Patch-Name: quieter-signals.patch
2016-08-07"LogLevel SILENT" compatibilityJonathan David Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2016-08-07Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2015-11-29 Patch-Name: keepalive-extensions.patch
2016-08-07Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2016-08-07Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
2016-08-07Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2016-08-07GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-08-07 Patch-Name: gssapi.patch
2016-08-06Import openssh_7.3p1.orig.tar.gzColin Watson
2016-07-28define _OPENBSD_SOURCE for reallocarray on NetBSDDamien Miller
Report by and debugged with Hisashi T Fujinaka, dtucker nailed the problem (lack of prototype causing return type confusion).
2016-07-27KNFDamien Miller
2016-07-27Linux auditing also needs packet.hDamien Miller
2016-07-27fix auditing on LinuxDamien Miller
get_remote_ipaddr() was replaced with ssh_remote_ipaddr()
2016-07-24crank version numbersDamien Miller
2016-07-24upstream commitdjm@openbsd.org
openssh-7.3 Upstream-ID: af106a7eb665f642648cf1993e162c899f358718
2016-07-23Move Cygwin IPPORT_RESERVED overrride to defines.hDarren Tucker
Patch from vinschen at redhat.com.
2016-07-23upstream commitdjm@openbsd.org
fix pledge violation with ssh -f; reported by Valentin Kozamernik ok dtucker@ Upstream-ID: a61db7988db88d9dac3c4dd70e18876a8edf84aa
2016-07-23upstream commitdjm@openbsd.org
improve wording; suggested by jmc@ Upstream-ID: 55cb0a24c8e0618b3ceec80998dc82c85db2d2f8
2016-07-23upstream commitdtucker@openbsd.org
Lower loglevel for "Authenticated with partial success" message similar to other similar level. bz#2599, patch from cgallek at gmail.com, ok markus@ Upstream-ID: 3faab814e947dc7b2e292edede23e94c608cb4dd
2016-07-22retry waitpid on EINTR failureDamien Miller
patch from Jakub Jelen on bz#2581; ok dtucker@
2016-07-22upstream commitdjm@openbsd.org
constify a few functions' arguments; patch from Jakub Jelen bz#2581 Upstream-ID: f2043f51454ea37830ff6ad60c8b32b4220f448d
2016-07-22upstream commitdjm@openbsd.org
move debug("%p", key) to before key is free'd; probable undefined behaviour on strict compilers; reported by Jakub Jelen bz#2581 Upstream-ID: 767f323e1f5819508a0e35e388ec241bac2f953a
2016-07-22upstream commitdjm@openbsd.org
reverse the order in which -J/JumpHost proxies are visited to be more intuitive and document reported by and manpage bits naddy@ Upstream-ID: 3a68fd6a841fd6cf8cedf6552a9607ba99df179a
2016-07-22upstream commitdtucker@openbsd.org
Skip passwords longer than 1k in length so clients can't easily DoS sshd by sending very long passwords, causing it to spend CPU hashing them. feedback djm@, ok markus@. Brought to our attention by tomas.kuthan at oracle.com, shilei-c at 360.cn and coredump at autistici.org Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
2016-07-22upstream commitnaddy@openbsd.org
Do not clobber the global jump_host variables when parsing an inactive configuration. ok djm@ Upstream-ID: 5362210944d91417d5976346d41ac0b244350d31
2016-07-22upstream commitjmc@openbsd.org
tweak previous; Upstream-ID: f3c1a5b3f05dff366f60c028728a2b43f15ff534
2016-07-22upstream commitdtucker@openbsd.org
Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@ Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
2016-07-22upstream commitmarkus@openbsd.org
Reduce timing attack against obsolete CBC modes by always computing the MAC over a fixed size of data. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. ok djm@ Upstream-ID: f20a13279b00ba0afbacbcc1f04e62e9d41c2912
2016-07-21Search users for one with a valid salt.Darren Tucker
If the root account is locked (eg password "!!" or "*LK*") keep looking until we find a user with a valid salt to use for crypting passwords of invalid users. ok djm@
2016-07-18Explicitly specify source files for regress tools.Darren Tucker
Since adding $(REGRESSLIBS), $? is wrong because it includes only the changed source files. $< seems like it'd be right however it doesn't seem to work on some non-GNU makes, so do what works everywhere.
2016-07-18Conditionally include err.h.Darren Tucker
2016-07-18Remove local implementation of err, errx.Darren Tucker
We now have a shared implementation in libopenbsd-compat.
2016-07-18upstream commitdjm@openbsd.org
Add some unsigned overflow checks for extra_pad. None of these are reachable with the amount of padding that we use internally. bz#2566, pointed out by Torben Hansen. ok markus@ Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
2016-07-18Add dependency on libs for unit tests.Darren Tucker
Makes "./configure && make tests" work again. ok djm@
2016-07-18Correct location for kexfuzz in clean target.Darren Tucker
2016-07-18Handle PAM_MAXTRIES from modules.Darren Tucker
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer password and keyboard-interative authentication methods. Should prevent "sshd ignoring max retries" warnings in the log. ok djm@ It probably won't trigger with keyboard-interactive in the default configuration because the retry counter is stored in module-private storage which goes away with the sshd PAM process (see bz#688). On the other hand, those cases probably won't log a warning either.
2016-07-17upstream commitdjm@openbsd.org
support UTF-8 characters in ssh(1) banners using schwarze@'s safe fmprintf printer; bz#2058 feedback schwarze@ ok dtucker@ Upstream-ID: a72ce4e3644c957643c9524eea2959e41b91eea7
2016-07-17upstream commitjmc@openbsd.org
- add proxyjump to the options list - formatting fixes - update usage() ok djm Upstream-ID: 43d318e14ce677a2eec8f21ef5ba2f9f68a59457
2016-07-15upstream commitdtucker@openbsd.org
Reduce the syslog level of some relatively common protocol events from LOG_CRIT by replacing fatal() calls with logdie(). Part of bz#2585, ok djm@ Upstream-ID: 9005805227c94edf6ac02a160f0e199638d288e5
2016-07-15missing openssl/dh.hDamien Miller
2016-07-15cast to avoid type warning in error messageDamien Miller
2016-07-15Move VA_COPY macro into compat header.Darren Tucker
Some AIX compilers unconditionally undefine va_copy but don't set it back to an internal function, causing link errors. In some compat code we already use VA_COPY instead so move the two existing instances into the shared header and use for sshbuf-getput-basic.c too. Should fix building with at lease some versions of AIX's compiler. bz#2589, ok djm@
2016-07-15disable ciphers not supported by OpenSSLDamien Miller
bz#2466 ok dtucker@
2016-07-15add a --disable-pkcs11 knobDamien Miller
2016-07-15fix newline escaping for unsupported_algorithmsDamien Miller
The hmac-ripemd160 was incorrect and could lead to broken Makefiles on systems that lacked support for it, but I made all the others consistent too.
2016-07-15upstream commitdjm@openbsd.org
Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host". These options construct a proxy command that connects to the specified jump host(s) (more than one may be specified) and uses port-forwarding to establish a connection to the next destination. This codifies the safest way of indirecting connections through SSH servers and makes it easy to use. ok markus@ Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
2016-07-15Map umac_ctx struct name too.Darren Tucker
Prevents size mismatch linker warnings on Solaris 11.
2016-07-15Mitigate timing of disallowed users PAM logins.Darren Tucker
When sshd decides to not allow a login (eg PermitRootLogin=no) and it's using PAM, it sends a fake password to PAM so that the timing for the failure is not noticeably different whether or not the password is correct. This behaviour can be detected by sending a very long password string which is slower to hash than the fake password. Mitigate by constructing an invalid password that is the same length as the one from the client and thus takes the same time to hash. Diff from djm@