summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-12-26Adjust scp quoting in verbose modeNicolas Valcárcel
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2016-12-26Allow harmless group-writabilityColin Watson
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
2016-12-26Reduce severity of "Killed by signal %d"Peter Samuelson
This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. Author: Colin Watson <cjwatson@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 Bug-Debian: http://bugs.debian.org/313371 Last-Update: 2013-09-14 Patch-Name: quieter-signals.patch
2016-12-26"LogLevel SILENT" compatibilityJonathan David Amery
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2016-12-26Various keepalive extensionsRichard Kettlewell
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2016-12-26 Patch-Name: keepalive-extensions.patch
2016-12-23Accept obsolete ssh-vulnkey configuration optionsColin Watson
These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch
2016-12-23Handle SELinux authorisation rolesManoj Srivastava
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
2016-12-23Restore TCP wrappers supportColin Watson
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: restore-tcp-wrappers.patch
2016-12-23GSSAPI key exchange supportSimon Wilkinson
This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2016-08-07 Patch-Name: gssapi.patch
2016-12-20Import openssh_7.4p1.orig.tar.gzColin Watson
2016-12-19crank version numbers for releaseDamien Miller
2016-12-19upstream commitdjm@openbsd.org
openssh-7.4 Upstream-ID: 1ee404adba6bbe10ae9277cbae3a94abe2867b79
2016-12-19upstream commitdjm@openbsd.org
remove testcase that depends on exact output and behaviour of snprintf(..., "%s", NULL) Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f
2016-12-19upstream commitdtucker@openbsd.org
Use LOGNAME to get current user and fall back to whoami if not set. Mainly to benefit -portable since some platforms don't have whoami. Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa
2016-12-17upstream commitdtucker@openbsd.org
Add regression test for AllowUsers and DenyUsers. Patch from Zev Weiss <zev at bewilderbeest.net> Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9
2016-12-16Add missing monitor.h include.Darren Tucker
Fixes warning pointed out by Zev Weiss <zev at bewilderbeest.net>
2016-12-16upstream commitdjm@openbsd.org
revert to rev1.2; the new bits in this test depend on changes to ssh that aren't yet committed Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123
2016-12-16upstream commitdtucker@openbsd.org
Move the "stop sshd" code into its own helper function. Patch from Zev Weiss <zev at bewilderbeest.net>, ok djm@ Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329
2016-12-16upstream commitdjm@openbsd.org
regression test for certificates along with private key with no public half. bz#2617, mostly from Adam Eijdenberg Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115
2016-12-16upstream commitdtucker@openbsd.org
Use $SUDO to read pidfile in case root's umask is restricted. From portable. Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98
2016-12-16upstream commitdtucker@openbsd.org
Add missing braces in DenyUsers code. Patch from zev at bewilderbeest.net, ok deraadt@ Upstream-ID: d747ace338dcf943b077925f90f85f789714b54e
2016-12-16upstream commitdtucker@openbsd.org
Fix text in error message. Patch from zev at bewilderbeest.net. Upstream-ID: deb0486e175e7282f98f9a15035d76c55c84f7f6
2016-12-14upstream commitdjm@openbsd.org
disable Unix-domain socket forwarding when privsep is disabled Upstream-ID: ab61516ae0faadad407857808517efa900a0d6d0
2016-12-14upstream commitdjm@openbsd.org
log connections dropped in excess of MaxStartups at verbose LogLevel; bz#2613 based on diff from Tomas Kuthan; ok dtucker@ Upstream-ID: 703ae690dbf9b56620a6018f8a3b2389ce76d92b
2016-12-13Get default of TEST_SSH_UTF8 from environment.Darren Tucker
2016-12-13Remove commented-out includes.Darren Tucker
These commented-out includes have "Still needed?" comments. Since they've been commented out for ~13 years I assert that they're not.
2016-12-13Add prototype for strcasestr in compat library.Darren Tucker
2016-12-13Add strcasestr to compat library.Darren Tucker
Fixes build on (at least) Solaris 10.
2016-12-12Force Turkish locales back to C/POSIX; bz#2643Damien Miller
Turkish locales are unique in their handling of the letters 'i' and 'I' (yes, they are different letters) and OpenSSH isn't remotely prepared to deal with that. For now, the best we can do is to force OpenSSH to use the C/POSIX locale and try to preserve the UTF-8 encoding if possible. ok dtucker@
2016-12-09exit is in stdlib.h not unistd.h (that's _exit).Darren Tucker
2016-12-09Include <unistd.h> for exit in utf8 locale test.Darren Tucker
2016-12-08Check for utf8 local support before testing it.Darren Tucker
Check for utf8 local support and if not found, do not attempt to run the utf8 tests. Suggested by djm@
2016-12-08Use AC_PATH_TOOL for krb5-config.Darren Tucker
This will use the host-prefixed version when cross compiling; patch from david.michael at coreos.com.
2016-12-06upstream commitdjm@openbsd.org
make IdentityFile successfully load and use certificates that have no corresponding bare public key. E.g. just a private id_rsa and certificate id_rsa-cert.pub (and no id_rsa.pub). bz#2617 ok dtucker@ Upstream-ID: c1e9699b8c0e3b63cc4189e6972e3522b6292604
2016-12-06Add a gnome-ssh-askpass3 target for GTK+3 versionDamien Miller
Based on patch from Colin Watson via bz#2640
2016-12-06Make gnome-ssh-askpass2.c GTK+3-friendlyDamien Miller
Patch from Colin Watson via bz#2640
2016-12-05upstream commitdjm@openbsd.org
Fix public key authentication when multiple authentication is in use. Instead of deleting and re-preparing the entire keys list, just reset the 'used' flags; the keys list is already in a good order (with already- tried keys at the back) Analysis and patch from Vincent Brillault on bz#2642; ok dtucker@ Upstream-ID: 7123f12dc2f3bcaae715853035a97923d7300176
2016-12-05upstream commitdtucker@openbsd.org
Unlink PidFile on SIGHUP and always recreate it when the new sshd starts. Regression tests (and possibly other things) depend on the pidfile being recreated after SIGHUP, and unlinking it means it won't contain a stale pid if sshd fails to restart. ok djm@ markus@ Upstream-ID: 132dd6dda0c77dd49d2f15b2573b5794f6160870
2016-11-30upstream commitdjm@openbsd.org
test new behaviour of cert force-command restriction vs. authorized_key/ principals Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c
2016-11-30upstream commitjmc@openbsd.org
tweak previous; while here fix up FILES and AUTHORS; Upstream-ID: 93f6e54086145a75df8d8ec7d8689bdadbbac8fa
2016-11-30upstream commitdjm@openbsd.org
add a whitelist of paths from which ssh-agent will load (via ssh-pkcs11-helper) a PKCS#11 module; ok markus@ Upstream-ID: fe79769469d9cd6d26fe0dc15751b83ef2a06e8f
2016-11-30upstream commitdjm@openbsd.org
Add a sshd_config DisableForwaring option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. This, like the 'restrict' authorized_keys flag, is intended to be a simple and future-proof way of restricting an account. Suggested as a complement to 'restrict' by Jann Horn; ok markus@ Upstream-ID: 203803f66e533a474086b38a59ceb4cf2410fcf7
2016-11-30upstream commitdjm@openbsd.org
When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced- command override the other could be a bit confused and more error-prone. Pointed out by Jann Horn of Project Zero; ok dtucker@ Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
2016-11-30upstream commitdtucker@openbsd.org
On startup, check to see if sshd is already daemonized and if so, skip the call to daemon() and do not rewrite the PidFile. This means that when sshd re-execs itself on SIGHUP the process ID will no longer change. Should address bz#2641. ok djm@ markus@. Upstream-ID: 5ea0355580056fb3b25c1fd6364307d9638a37b9
2016-11-30factor out common PRNG reseed before privdropDamien Miller
Add a call to RAND_poll() to ensure than more than pid+time gets stirred into child processes states. Prompted by analysis from Jann Horn at Project Zero. ok dtucker@
2016-11-29upstream commitdtucker@openbsd.org
Allow PuTTY interop tests to run unattended. bz#2639, patch from cjwatson at debian.org. Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0
2016-11-29upstream commitdtucker@openbsd.org
Reverse args to sshd-log-wrapper. Matches change in portable, where it allows sshd do be optionally run under Valgrind. Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
2016-11-29upstream commitdtucker@openbsd.org
Fix typo in trace message; from portable. Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a
2016-11-29upstream committb@openbsd.org
Clean up MALLOC_OPTIONS. For the unittests, move MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc. ok otto Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12
2016-11-29upstream committb@openbsd.org
Remove the obsolete A and P flags from MALLOC_OPTIONS. ok dtucker Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59