Age | Commit message (Collapse) | Author |
|
remove compat20/compat13/compat15 variables
ok markus@
Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
|
|
remove options.protocol and client Protocol
configuration knob
ok markus@
Upstream-ID: 5a967f5d06e2d004b0235457b6de3a9a314e9366
|
|
unifdef WITH_SSH1 ok markus@
Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
|
|
tweak previous;
Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
|
|
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@
Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
|
|
sort;
Upstream-ID: 7e6b56e52b039cf44d0418e9de9aca20a2d2d15a
|
|
Upstream-Regress-ID: 1e6b51ddf767cbad0a4e63eb08026c127e654308
|
|
Upstream-Regress-ID: 30c20180c87cbc99fa1020489fe7fd8245b6420c
Upstream-Regress-ID: 1e6b51ddf767cbad0a4e63eb08026c127e654308
|
|
Merge missing bits from Colin Watson's patch in bz#2658 which make integrity
tests more robust against timeouts. ok djm@
|
|
|
|
Change COMPILER_VERSION tests which limited additional
warnings to gcc4 to instead skip them on gcc3 as clang can handle
-Wpointer-sign and -Wold-style-definition.
Upstream-Regress-ID: e48d7dc13e48d9334b8195ef884dfbc51316012f
|
|
include key fingerprint in "Offering public key" debug
message
Upstream-ID: 964749f820c2ed4cf6a866268b1a05e907315c52
|
|
Avoid relying on implementation-specific behavior when
detecting whether the timestamp or file size overflowed. If time_t and off_t
are not either 32-bit or 64-bit scp will exit with an error. OK djm@
Upstream-ID: f31caae73ddab6df496b7bbbf7da431e267ad135
|
|
Add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8). bz#2705, patch from erahn at arista.com, ok
djm@
Upstream-ID: d5115c2c0193ceb056ed857813b2a7222abda9ed
|
|
remove a static array unused since rev 1.306 spotted by
clang ok djm@
Upstream-ID: 249b3eed2446f6074ba2219ccc46919dd235a7b8
|
|
Avoid potential signed int overflow when parsing the file
size. Use strtoul() instead of parsing manually. OK djm@
Upstream-ID: 1f82640861c7d905bbb05e7d935d46b0419ced02
|
|
Pointed out by jjelen at redhat.com.
|
|
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in privsep child. The socket() syscall is already denied in the seccomp
filter, but in ppc64le kernel, it is implemented using socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.
Patch from jjelen at redhat.com.
|
|
(LP: #1685022).
|
|
|
|
Recognize nl_langinfo(CODESET) return values "646" and ""
as aliases for "US-ASCII", useful for different versions of NetBSD and
Solaris. Found by dtucker@ and by Tom G. Christensen <tgc at jupiterrise dot
com>. OK dtucker@ deraadt@
Upstream-ID: 38c2133817cbcae75c88c63599ac54228f0fa384
|
|
Change COMPILER_VERSION tests which limited additional
warnings to gcc4 to instead skip them on gcc3 as clang can handle
-Wpointer-sign and -Wold-style-definition.
Upstream-ID: 5cbe348aa76dc1adf55be6c0e388fafaa945439a
|
|
|
|
|
|
disallow creation (of empty files) in read-only mode;
reported by Michal Zalewski, feedback & ok deraadt@
Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
|
|
incorrect renditions of this quote bother me
Upstream-ID: 1662be3ebb7a71d543da088119c31d4d463a9e49
|
|
|
|
|
|
Patch from Mike Frysinger
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=6b853c6f8ba5eecc50f3b57af8e63f8184eb0fa6
Last-Update: 2017-04-02
Patch-Name: x32-syntax-error.patch
|
|
|
|
Patch from Jakub Jelen
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=58b8cfa2a062b72139d7229ae8de567f55776f24
Last-Update: 2017-04-02
Patch-Name: s390-missing-header.patch
|
|
|
|
|
|
Speeds up configure and build by a couple of percent. ok djm@
|
|
|
|
|
|
unbreak Unix domain socket forwarding for root; ok
markus@
Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
Bug-Debian: https://bugs.debian.org/858252
Last-Update: 2017-03-30
Patch-Name: unbreak-unix-forwarding-for-root.patch
|
|
(closes: #760422, #856825).
|
|
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
|
|
The client no longer accepts DSA host keys, and servers using the
default HostKey setting should have better host keys available.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
Bug-Debian: https://bugs.debian.org/850614
Last-Update: 2017-01-16
Patch-Name: no-dsa-host-key-by-default.patch
|
|
Fix overly-conservative overflow checks on mulitplications and add checks
on additions. This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN
will still be flagged as a range error). ok millert@
|
|
Collapse underflow and overflow checks into a single block.
ok djm@ millert@
|
|
Catch integer underflow in scan_scaled reported by Nicolas Iooss.
ok deraadt@ djm@
|
|
If running with privsep (mandatory now) as a non-privileged user, we
don't chroot or change to an unprivileged user however we still checked
the existence of the user and directory. Don't do those checks if we're
not going to use them. Based in part on a patch from Lionel Fourquaux
via Corinna Vinschen, ok djm@
|
|
If the first test in a series for a given MAC happens to modify the low
bytes of a packet length, then ssh will time out and this will be
interpreted as a test failure. Handle this failure mode.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
Patch-Name: regress-integrity-robust.patch
Last-Update: 2017-01-01
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2016-12-26
Patch-Name: debian-config.patch
|
|
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2016-01-04
Patch-Name: systemd-readiness.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
|
|
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2014-04-14
Patch-Name: sigstop.patch
|
|
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
|