| Age | Commit message (Collapse) | Author |
|---|
|
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
offer better performance than plain DH and DSA at the same equivalent
symmetric key length, as well as much shorter keys.
- sftp(1)/sftp-server(8): add a protocol extension to support a hard
link operation. It is available through the "ln" command in the
client. The old "ln" behaviour of creating a symlink is available
using its "-s" option or through the preexisting "symlink" command.
- scp(1): Add a new -3 option to scp: Copies between two remote hosts
are transferred through the local host (closes: #508613).
- ssh(1): "atomically" create the listening mux socket by binding it on
a temporary name and then linking it into position after listen() has
succeeded. This allows the mux clients to determine that the server
socket is either ready or stale without races (closes: #454784).
Stale server sockets are now automatically removed (closes: #523250).
- ssh(1): install a SIGCHLD handler to reap expired child process
(closes: #594687).
- ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
temporary directories (closes: #357469, although only if you arrange
for ssh-agent to actually see $TMPDIR since the setgid bit will cause
it to be stripped off).
|
|
|
|
[contrib/suse/openssh.spec] update versions in docs and spec files.
|
|
of RPM so build completes. Signatures were changed to .asc since 4.1p1.
|
|
remove. Patch from martynas at venck us.
|
|
- Added a ControlPersist option to ssh_config(5) that automatically
starts a background ssh(1) multiplex master when connecting. This
connection can stay alive indefinitely, or can be set to automatically
close after a user-specified duration of inactivity (closes: #335697,
#350898, #454787, #500573, #550262).
- Support AuthorizedKeysFile, AuthorizedPrincipalsFile,
HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5)
Match blocks (closes: #549858).
- sftp(1): fix ls in working directories that contain globbing
characters in their pathnames (LP: #530714).
|
|
|
|
based in part on a patch from Colin Watson, ok djm@
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
details about its behaviour WRT existing directories. Patch from
asguthrie at gmail com, ok djm.
|
|
(line 77) should have been for no_x11_askpass.
|
|
rather than assuming that $CWD == $HOME. bz#1500, patch from
timothy AT gelter.com
|
|
minires-devel package, and to add the reference to the libedit-devel
package since CYgwin now provides libedit. Patch from Corinna Vinschen.
|
|
file.
|
|
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
paths.
- Include a language tag when sending a protocol 2 disconnection
message.
- Make logging of certificates used for user authentication more clear
and consistent between CAs specified using TrustedUserCAKeys and
authorized_keys.
|
|
|
|
ones. Based on a patch from Roumen Petrov.
|
|
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
|
|
|
|
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
|
|
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
|
|
containing the services file explicitely case-insensitive. This allows to
tweak the Windows services file reliably. Patch from vinschen at redhat.
|
|
[contrib/suse/openssh.spec] Crank version numbers
|
|
on a Cygwin installation. Patch from Corinna Vinschen.
|
|
report by imorgan AT nas.nasa.gov
|
|
crank version numbers
|
|
on XFree86-devel with neutral /usr/include/X11/Xlib.h;
imorgan AT nas.nasa.gov in bz#1731
|
|
contrib/redhat/openssh.spec
contrib/suse/openssh.spec
|
|
* Update to GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch.
|
|
|
|
for a while, but there's no GSSAPI patch available for it yet.
- Change the default cipher order to prefer the AES CTR modes and the
revised "arcfour256" mode to CBC mode ciphers that are susceptible to
CPNI-957037 "Plaintext Recovery Attack Against SSH".
- Add countermeasures to mitigate CPNI-957037-style attacks against the
SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
packet length or Message Authentication Code, ssh/sshd will continue
reading up to the maximum supported packet length rather than
immediately terminating the connection. This eliminates most of the
known differences in behaviour that leaked information about the
plaintext of injected data which formed the basis of this attack
(closes: #506115, LP: #379329).
- ForceCommand directive now accepts commandline arguments for the
internal-sftp server (closes: #524423, LP: #362511).
- Add AllowAgentForwarding to available Match keywords list (closes:
#540623).
- Make ssh(1) send the correct channel number for
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
avoid triggering 'Non-public channel' error messages on sshd(8) in
openssh-5.1.
- Avoid printing 'Non-public channel' warnings in sshd(8), since the
ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
including cascading credentials support (LP: #416958).
|
|
|
|
Gzip all man pages. Patch from Corinna Vinschen.
|
|
|
|
|
|
bz#1645, patch from jchadima AT redhat.com
|
|
|
|
20090926
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Update for release
- (djm) [README] update relnotes URL
- (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
- (djm) Release 5.3p1
|
|
[contrib/suse/openssh.spec] Update for release
|
|
function. Patch from Corinna Vinschen.
|
|
from Corinna Vinschen.
|
|
scripts and fix usage of eval. Patch from Corinna Vinschen.
|
|
exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
has a /dev/random).
|
|
[contrib/suse/openssh.spec] Prepare for 5.2p1
|
|
|
|
If the CYGWIN environment variable is empty, the installer script
should not install the service with an empty CYGWIN variable, but
rather without setting CYGWNI entirely.
|
|
Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x.
The information given for the setting of the CYGWIN environment variable
is wrong for both releases so I just removed it, together with the
unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting.
|
|
ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity"
key). Patch from cjwatson AT debian.org
|
|
and tweak the is-sshd-running check in ssh-host-config. Patch from
vinschen at redhat com.
|
|
[contrib/redhat/sshd.pam] Move pam_nologin to account group from
incorrect auth group in example files;
patch from imorgan AT nas.nasa.gov
|
