summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-03-13upstream: consistently check packet_timeout_ms against 0; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: e8fb8cb2c96c980f075069302534eaf830929928
2020-03-13upstream: initialize cname in case ai_canonname is NULL or toomarkus@openbsd.org
long; ok djm OpenBSD-Commit-ID: c27984636fdb1035d1642283664193e91aab6e37
2020-03-13upstream: fix uninitialized pointers for forward_cancel; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 612778e6d87ee865d0ba97d0a335f141cee1aa37
2020-03-13upstream: exit on parse failures in input_service_request; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 6a7e1bfded26051d5aa893c030229b1ee6a0d5d2
2020-03-13upstream: fix null-deref on calloc failure; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: a313519579b392076b7831ec022dfdefbec8724a
2020-03-13upstream: exit if ssh_krl_revoke_key_sha256 fails; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 0864ad4fe8bf28ab21fd1df766e0365c11bbc0dc
2020-03-13upstream: pkcs11_register_provider: return < 0 on error; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: cfc8321315b787e4d40da4bdb2cbabd4154b0d97
2020-03-13upstream: sshsig: return correct error, fix null-deref; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1d1af7cd538b8b23e621cf7ab84f11e7a923edcd
2020-03-13upstream: vasnmprintf allocates str and returns -1; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: dae4c9e83d88471bf3b3f89e3da7a107b44df11c
2020-03-13upstream: sshpkt_fatal() does not return; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 7dfe847e28bd78208eb227b37f29f4a2a0929929
2020-02-28upstream: no-touch-required certificate option should be andjm@openbsd.org
extension, not a critical option. OpenBSD-Commit-ID: 626b22c5feb7be8a645e4b9a9bef89893b88600d
2020-02-28upstream: better error message when trying to use a FIDO keydjm@openbsd.org
function and SecurityKeyProvider is empty OpenBSD-Commit-ID: e56602c2ee8c82f835d30e4dc8ee2e4a7896be24
2020-02-28upstream: Drop leading space from line count that was confusingdtucker@openbsd.org
ssh-keygen's screen mode. OpenBSD-Commit-ID: 3bcae7a754db3fc5ad3cab63dd46774edb35b8ae
2020-02-28upstream: change explicit_bzero();free() to freezero()jsg@openbsd.org
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry. ok deraadt@ djm@ OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
2020-02-26upstream: Have sftp reject "-1" in the same way as ssh(1) anddtucker@openbsd.org
scp(1) do instead of accepting and silently ignoring it since protocol 1 support has been removed. Spotted by shivakumar2696 at gmail.com, ok deraadt@ OpenBSD-Commit-ID: b79f95559a1c993214f4ec9ae3c34caa87e9d5de
2020-02-26upstream: Remove obsolete XXX comment. ok deraadt@dtucker@openbsd.org
OpenBSD-Commit-ID: bc462cc843947feea26a2e21c750b3a7469ff01b
2020-02-26releasing package openssh version 1:8.2p1-4Colin Watson
2020-02-26Install ssh-sk-helper even on non-Linux architecturesColin Watson
It will need an external middleware library in those cases.
2020-02-24Add /etc/ssh/sshd_config.d/ to openssh-serverColin Watson
Closes: #952427
2020-02-24Add /etc/ssh/ssh_config.d/ to openssh-clientColin Watson
2020-02-24upstream: Fix typo. Patch from itoama at live.jp via github PR#173.dtucker@openbsd.org
OpenBSD-Commit-ID: 5cdaafab38bbdea0d07e24777d00bfe6f972568a
2020-02-23releasing package openssh version 1:8.2p1-3Colin Watson
2020-02-23Reupload with -saColin Watson
This works around confusion with 1:8.2p1-1 being in NEW: dgit left out the .orig from the .changes, but dak then complains that "openssh_8.2p1.orig.tar.gz is only available in NEW".
2020-02-23releasing package openssh version 1:8.2p1-2Colin Watson
2020-02-23Move ssh-sk-helper into openssh-clientColin Watson
... rather than shipping it in a separate package. The extra library dependencies are pretty small, so it doesn't seem worth bloating the Packages file. Suggested by Bastian Blank.
2020-02-22Switch %define to %global for redhat/openssh.specNico Kadel-Garcia
2020-02-21releasing package openssh version 1:8.2p1-1Colin Watson
2020-02-21Update md5sum threshold in changelogColin Watson
2020-02-21openssh-tests Depends: openssh-sk-helperColin Watson
2020-02-21Fix typoColin Watson
2020-02-21Include /etc/ssh/*_config.d/*.confColin Watson
Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config. Closes: #845315
2020-02-21Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"Colin Watson
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379. The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed. Bug-Debian: https://bugs.debian.org/923879 Bug-Debian: https://bugs.debian.org/926229 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370 Last-Update: 2019-04-08 Patch-Name: revert-ipqos-defaults.patch
2020-02-21Work around conch interoperability failureColin Watson
Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted. Forwarded: not-needed Last-Update: 2019-10-09 Patch-Name: conch-old-privkey-format.patch
2020-02-21Restore reading authorized_keys2 by defaultColin Watson
Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 Forwarded: not-needed Last-Update: 2017-03-05 Patch-Name: restore-authorized_keys2.patch
2020-02-21Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. ssh: Include /etc/ssh/ssh_config.d/*.conf. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. sshd: Include /etc/ssh/sshd_config.d/*.conf. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-config.patch
2020-02-21New upstream release (8.2p1)Colin Watson
2020-02-21Add systemd readiness notification supportMichael Biebl
Bug-Debian: https://bugs.debian.org/778913 Forwarded: no Last-Update: 2017-08-22 Patch-Name: systemd-readiness.patch
2020-02-21Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"Colin Watson
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379. The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed. Bug-Debian: https://bugs.debian.org/923879 Bug-Debian: https://bugs.debian.org/926229 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370 Last-Update: 2019-04-08 Patch-Name: revert-ipqos-defaults.patch
2020-02-21Work around conch interoperability failureColin Watson
Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted. Forwarded: not-needed Last-Update: 2019-10-09 Patch-Name: conch-old-privkey-format.patch
2020-02-21Restore reading authorized_keys2 by defaultColin Watson
Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. Bug-Debian: https://bugs.debian.org/852320 Forwarded: not-needed Last-Update: 2017-03-05 Patch-Name: restore-authorized_keys2.patch
2020-02-21Various Debian-specific configuration changesColin Watson
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication by default. sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable PrintMotd. sshd: Enable X11Forwarding. sshd: Set 'AcceptEnv LANG LC_*' by default. sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. Document all of this. Author: Russ Allbery <rra@debian.org> Forwarded: not-needed Last-Update: 2020-02-19 Patch-Name: debian-config.patch
2020-02-21Give the ssh-askpass-gnome window a default iconVincent Untz
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch
2020-02-21Don't check the status field of the OpenSSL versionKurt Roeckx
There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson <cjwatson@debian.org> Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch
2020-02-21Document consequences of ssh-agent being setgid in ssh-agent(1)Colin Watson
Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2020-02-21 Patch-Name: ssh-agent-setgid.patch
2020-02-21Document that HashKnownHosts may break tab-completionColin Watson
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch
2020-02-21ssh(1): Refer to ssh-argv0(1)Colin Watson
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch
2020-02-21Adjust various OpenBSD-specific references in manual pagesColin Watson
No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2020-02-21Install authorized_keys(5) as a symlink to sshd(8)Tomas Pospisek
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch
2020-02-21Add DebianBanner server configuration optionKees Cook
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2020-02-21 Patch-Name: debian-banner.patch
2020-02-21Include the Debian version in our identificationMatthew Vernon
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: package-versioning.patch
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-30 16:38:59 +0000