Age | Commit message (Collapse) | Author |
|
[sshconnect.c]
When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
certificate keys to plain keys and attempt SSHFP resolution.
Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
dialog by offering only certificate keys.
Reported by mcv21 AT cam.ac.uk
|
|
[ssh-keysign.c]
include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()
|
|
[ssh-keygen.1]
the text for the -K option was inserted in the wrong place in -r1.108;
fix From: Matthew Clarke
|
|
[ssh_config.5 sshd_config.5]
sync available and default algorithms, improve algorithm list formatting
help from jmc@ and schwarze@, ok deraadt@
|
|
[sshd.8 sshd.c]
remove libwrap support. ok deraadt djm mfriedl
|
|
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
[misc.h poly1305.h ssh-pkcs11.c]
use __bounded(...) attribute recently added to sys/cdefs.h instead of
longform __attribute__(__bounded(...));
for brevity and a warning free compilation with llvm/clang
|
|
repeatedly):
- markus@cvs.openbsd.org 2014/03/25 09:40:03
[myproposal.h]
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
(arcfour), and the broken modes (CBC) from the default configuration
(the patch only changes the default, all the modes are still available
for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
- deraadt@cvs.openbsd.org 2014/03/26 17:16:26
[myproposal.h]
The current sharing of myproposal[] between both client and server code
makes the previous diff highly unpallatable. We want to go in that
direction for the server, but not for the client. Sigh.
Brought up by naddy.
- markus@cvs.openbsd.org 2014/03/27 23:01:27
[myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
disable weak proposals in sshd, but keep them in ssh; ok djm@
|
|
[scp.1]
there is no need for rcp anymore
ok deraadt millert
|
|
[ssh.1]
old descriptions of des and blowfish are old. maybe ok deraadt
|
|
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
Improve usage() and documentation towards the standard form.
In particular, this line saves a lot of man page reading time.
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
[-N new_passphrase] [-C comment] [-f output_keyfile]
ok schwarze jmc
|
|
[ssh-keyscan.1]
scan for Ed25519 keys by default too
|
|
[authfile.c]
correct test that kdf name is not "none" or "bcrypt"
|
|
[auth-bsdauth.c ssh-keygen.c]
don't count on things that accept arguments by reference to clear
things for us on error; most things do, but it's unsafe form.
|
|
[ssh-keyscan.c]
scan for Ed25519 keys by default too
|
|
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
Id sync only - portable already has this.
|
|
|
|
|
|
prevent a hang on re-exec (thanks, Robie Basak; LP: #1306877).
|
|
If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).
This patch is by Damien Miller (of openssh upstream). It's simpler
than the patch by Mark Wooding which I applied yesterday; a copy is
taken of the proffered key/cert, the key extracted from the cert (if
necessary), and then the DNS consulted.
Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2014-02-12
Patch-Name: debian-config.patch
|
|
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2014-04-14
Patch-Name: sigstop.patch
|
|
|
|
version. From des@des.no
|
|
from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
|
|
|
|
without-password" without asking (LP: #1300127).
|
|
|
|
Xsession has already done so (based on work by Bruno Vasselle; LP: #1244736).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also ask a debconf question when upgrading systems with "PermitRootLogin
yes" from previous versions.
Closes: #298138
|
|
response to #370050 (closes: #341883).
|
|
|
|
If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).
This patch is by Damien Miller (of openssh upstream). It's simpler
than the patch by Mark Wooding which I applied yesterday; a copy is
taken of the proffered key/cert, the key extracted from the cert (if
necessary), and then the DNS consulted.
Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr
|
|
[ Matthew Vernon ]
Fix failure to check SSHFP records if server presents a certificate
(bug reported by me, patch largely by Mark Wooding) (Closes: #742513)
|
|
|
|
If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).
This patch means that the ssh client will, if necessary, extract the
server key from the proffered certificate, and attempt to verify it
against the DNS. The patch was written by Mark Wooding
<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
it, and tested it.
Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert
|
|
|
|
* New upstream release (http://www.openssh.com/txt/release-6.6).
|
|
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.
sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.
Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2014-02-12
Patch-Name: debian-config.patch
|
|
OpenSSL's SONAME is sufficient nowadays.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: http://bugs.debian.org/93581
Bug-Debian: http://bugs.debian.org/664383
Forwarded: not-needed
Last-Update: 2013-12-23
Patch-Name: no-openssl-version-check.patch
|