openssh.git -

Age	Commit message (Collapse)	Author
2014-02-12	Remove unnecessary /dev/null tests	Colin Watson
	Remove tests for whether /dev/null is a character device from the Upstart job and the systemd service files; it's there to avoid a confusing failure mode in daemon(), but with modern init systems we use the -D option to suppress daemonisation anyway.
2014-02-12	Reorder transition code by guard version.	Colin Watson

2014-02-12	Bump guard version for sysvinit->systemd transition to 1:6.5p1-3; we may ↵	Colin Watson
	have got it wrong before, and it's fairly harmless to repeat it.
2014-02-12	Fix sysvinit->systemd transition code	Colin Watson
	We need to cope with still-running sysvinit jobs being considered active by systemd (thanks, Uoti Urpala and Michael Biebl).
2014-02-12	Avoid stdout noise from which(1) on purge of openssh-client.	Colin Watson

2014-02-12	Stop claiming that "Protocol 2" is a Debian-specific default	Colin Watson
	This has been upstream's default since 5.4p1.
2014-02-12	Unbreak case-sensitive matching of ssh_config	Damien Miller
	- djm@cvs.openbsd.org 2014/02/04 00:24:29 [ssh.c] delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@ Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=d56b44d2dfa093883a5c4e91be3f72d99946b170 Bug-Debian: http://bugs.debian.org/738619 Forwarded: not-needed Last-Update: 2014-02-11 Patch-Name: fix-case-sensitive-matching.patch
2014-02-12	Various Debian-specific configuration changes	Colin Watson
	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2014-02-12 Patch-Name: debian-config.patch
2014-02-12	Adjust section title too.	Colin Watson

2014-02-11	Clarify socket activation mode in README.Debian, as suggested by Uoti Urpala.	Colin Watson

2014-02-11	releasing package openssh version 1:6.5p1-2	Colin Watson

2014-02-11	Backport upstream patch to unbreak case-sensitive matching of ssh_config ↵	Colin Watson
	(closes: #738619).
2014-02-11	Unbreak case-sensitive matching of ssh_config	Damien Miller
	- djm@cvs.openbsd.org 2014/02/04 00:24:29 [ssh.c] delay lowercasing of hostname until right before hostname canonicalisation to unbreak case-sensitive matching of ssh_config; reported by Ike Devolder; ok markus@ Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=d56b44d2dfa093883a5c4e91be3f72d99946b170 Bug-Debian: http://bugs.debian.org/738619 Forwarded: not-needed Last-Update: 2014-02-11 Patch-Name: fix-case-sensitive-matching.patch
2014-02-11	Only enable ssh.service for systemd, not both ssh.service and ssh.socket. ↵	Colin Watson
	Thanks to Michael Biebl for spotting this.
2014-02-10	releasing package openssh version 1:6.5p1-1	Colin Watson

2014-02-10	Drop After=syslog.target; this is obsolete according to Lintian.	Colin Watson

2014-02-10	Add systemd support (thanks, Sven Joachim; closes: #676830).	Colin Watson

2014-02-10	Stop manually creating /usr/share/lintian/overrides; dh_lintian handles this.	Colin Watson

2014-02-10	Drop long-obsolete "SSH now uses protocol 2 by default" section from ↵	Colin Watson
	README.Debian.
2014-02-10	Generate ED25519 host keys on fresh installations.	Colin Watson
	Upgraders who wish to add such host keys should manually add 'HostKey /etc/ssh/ssh_host_ed25519_key' to /etc/ssh/sshd_config and run 'ssh-keygen -q -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519'.
2014-02-10	Close some bugs related to ssh-vulnkey.	Colin Watson

2014-02-10	Incorporate default path changes from shadow 1:4.0.18.1-8, removing ↵	Colin Watson
	/usr/bin/X11 (closes: #644521).
2014-02-10	Add the pam_keyinit session module, to create a new session keyring on login ↵	Colin Watson
	(closes: #734816).
2014-02-10	Merge 6.5p1.	Colin Watson
	* New upstream release (http://www.openssh.com/txt/release-6.5, LP: #1275068): - ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names (closes: #115286).
2014-02-10	Support synchronisation with service supervisor using SIGSTOP	Colin Watson
	Forwarded: no Last-Update: 2013-09-14 Patch-Name: sigstop.patch
2014-02-10	Various Debian-specific configuration changes	Colin Watson
	ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-config.patch
2014-02-10	Give the ssh-askpass-gnome window a default icon	Vincent Untz
	Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2014-02-10	Disable OpenSSL version check	Philip Hands
	OpenSSL's SONAME is sufficient nowadays. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: http://bugs.debian.org/93581 Bug-Debian: http://bugs.debian.org/664383 Forwarded: not-needed Last-Update: 2013-12-23 Patch-Name: no-openssl-version-check.patch
2014-02-10	Document consequences of ssh-agent being setgid in ssh-agent(1)	Colin Watson
	Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch
2014-02-10	Refer to ssh's Upstart job as well as its init script	Colin Watson
	Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: doc-upstart.patch
2014-02-10	Document that HashKnownHosts may break tab-completion	Colin Watson
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2014-02-10	ssh(1): Refer to ssh-argv0(1)	Colin Watson
	Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2014-02-10	Adjust various OpenBSD-specific references in manual pages	Colin Watson
	No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: openbsd-docs.patch
2014-02-10	Fix picky lintian errors about slogin symlinks	Colin Watson
	Apparently this breaks some SVR4 packaging systems, so upstream can't win either way and opted to keep the status quo. We need this patch anyway. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 Last-Update: 2013-09-14 Patch-Name: lintian-symlink-pickiness.patch
2014-02-10	Install authorized_keys(5) as a symlink to sshd(8)	Tomas Pospisek
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2014-02-10	Add DebianBanner server configuration option	Kees Cook
	Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: debian-banner.patch
2014-02-10	Include the Debian version in our identification	Matthew Vernon
	This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: package-versioning.patch
2014-02-10	Mention ssh-keygen in ssh fingerprint changed warning	Scott Moser
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2013-09-14 Patch-Name: mention-ssh-keygen-on-keychange.patch
2014-02-10	Quieten logs when multiple from= restrictions are used	Colin Watson
	Bug-Debian: http://bugs.debian.org/630606 Forwarded: no Last-Update: 2013-09-14 Patch-Name: auth-log-verbosity.patch
2014-02-10	Force use of DNSSEC even if "options edns0" isn't in resolv.conf	Colin Watson
	This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
2014-02-10	Look for $SHELL on the path for ProxyCommand/LocalCommand	Colin Watson
	There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch
2014-02-10	Adjust scp quoting in verbose mode	Nicolas Valcárcel
	Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 Last-Update: 2010-02-27 Patch-Name: scp-quoting.patch
2014-02-10	Allow harmless group-writability	Colin Watson
	Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 Last-Update: 2013-09-14 Patch-Name: user-group-modes.patch
2014-02-10	Add support for registering ConsoleKit sessions on login	Colin Watson
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 Last-Updated: 2013-09-14 Patch-Name: consolekit.patch
2014-02-10	Mention ~& when waiting for forwarded connections to terminate	Matthew Vernon
	Bug-Debian: http://bugs.debian.org/50308 Last-Update: 2010-02-27 Patch-Name: helpful-wait-terminate.patch
2014-02-10	Reduce severity of "Killed by signal %d"	Peter Samuelson
	This produces irritating messages when using ProxyCommand or other programs that use ssh under the covers (e.g. Subversion). These messages are more normally printed by the calling program, such as the shell. According to the upstream bug, the right way to avoid this is to use the -q option, so we may drop this patch after further investigation into whether any software in Debian is still relying on it. Author: Colin Watson <cjwatson@debian.org> Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 Bug-Debian: http://bugs.debian.org/313371 Last-Update: 2013-09-14 Patch-Name: quieter-signals.patch
2014-02-10	"LogLevel SILENT" compatibility	Jonathan David Amery
	"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: syslog-level-silent.patch
2014-02-10	Various keepalive extensions	Richard Kettlewell
	Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. Author: Ian Jackson <ian@chiark.greenend.org.uk> Author: Matthew Vernon <matthew@debian.org> Author: Colin Watson <cjwatson@debian.org> Last-Update: 2013-09-14 Patch-Name: keepalive-extensions.patch
2014-02-10	Partial server keep-alive implementation for SSH1	Colin Watson
	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 Last-Update: 2013-09-14 Patch-Name: ssh1-keepalive.patch
2014-02-10	Accept obsolete ssh-vulnkey configuration options	Colin Watson
	These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. Last-Update: 2014-02-09 Patch-Name: ssh-vulnkey-compat.patch