summaryrefslogtreecommitdiff
path: root/debian/changelog
AgeCommit message (Collapse)Author
2010-04-06Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 isColin Watson
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
2010-04-06releasing version 1:5.4p1-1Colin Watson
2010-04-03* Policy version 3.8.4:Colin Watson
- Add a Homepage field.
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-03-31Drop Debian-specific removal of OpenSSL version check. Upstream ignoresColin Watson
the two patchlevel nybbles now, which is sufficient to address the original reason this change was introduced, and it appears that any change in the major/minor/fix nybbles would involve a new libssl package name. (We'd still lose if the status nybble were ever changed, but that would mean somebody had packaged a development/beta version rather than a proper release, which doesn't appear to be normal practice.)
2010-03-31Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makesColin Watson
itself non-OOM-killable, and doesn't require configuration to avoid log spam in virtualisation containers (closes: #555625).
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-29Hardcode the location of xauth to /usr/bin/xauth rather thanColin Watson
/usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440). xauth no longer depends on x11-common, so we're no longer guaranteed to have the /usr/bin/X11 symlink available. I was taking advantage of the /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far enough in the past now that it's probably safe to just use /usr/bin.
2010-03-17Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.Colin Watson
2010-03-08Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<Colin Watson
3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi mechanism was removed due to a serious security hole, and since these versions of ssh-krb5 are no longer security-supported by Debian I don't think there's any point keeping client compatibility for them.
2010-03-01Include debian/ssh-askpass-gnome.png in the Debian tarball now thatColin Watson
we're using a source format that permits this, rather than messing around with uudecode.
2010-03-01Fix 'debian/rules quilt-setup' to avoid writing .orig files if someColin Watson
patches apply with offsets.
2010-02-28releasing version 1:5.3p1-3Colin Watson
2010-02-28Update copyright years for GSSAPI patch.Colin Watson
2010-02-28Remove obsolete header from README.Debian dating from when peopleColin Watson
expected non-free SSH.
2010-02-28Remove documentation of building for Debian 3.0 in README.Debian.Colin Watson
Support for this was removed in 1:4.7p1-2.
2010-02-28Add GSSAPIStoreCredentialsOnRekey to 'sshd -T' configuration dump.Colin Watson
2010-02-28* Update README.source to match, and add a 'quilt-setup' target toColin Watson
debian/rules for the benefit of those checking out the package from revision control. * All patches are now maintained separately and tagged according to DEP-3.
2010-02-27Convert to source format 3.0 (quilt).Colin Watson
2010-02-22releasing version 1:5.3p1-2Colin Watson
2010-01-31Honour DEB_BUILD_OPTIONS=nocheck.Colin Watson
2010-01-31Use dh_lintian.Colin Watson
2010-01-31Install upstream sshd_config as an example (closes: #415008).Colin Watson
2010-01-31fix typo in 1:5.3p1-1 changelogColin Watson
2010-01-31Link with -Wl,--as-needed (closes: #560155).Colin Watson
2010-01-26releasing version 1:5.3p1-1Colin Watson
2010-01-25Drop change from 1:3.8p1-3 to avoid setresuid() and setresgid() systemColin Watson
calls. This only applied to Linux 2.2, which it's no longer feasible to run anyway (see 1:5.2p1-2 changelog).
2010-01-25* Backport from upstream:Colin Watson
- Do not fall back to adding keys without contraints (ssh-add -c / -t ...) when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now (LP: #209447).
2010-01-24* New upstream release.Colin Watson
* Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch.
2010-01-16releasing version 1:5.2p1-2Colin Watson
2010-01-16Output a debug if we can't open an existing keyfile (LP: #505301).Colin Watson
2010-01-16Implement DebianBanner server configuration flag that can be set to "no"Colin Watson
to allow sshd to run without the Debian-specific extra version in the initial protocol handshake (closes: #562048).
2010-01-15spacingColin Watson
2010-01-15Drop change from 1:3.6.1p2-5 to disable cmsg_type check for fileColin Watson
descriptor passing when running on Linux 2.0. The previous stable release of Debian dropped support for Linux 2.4, let alone 2.0, so this very likely has no remaining users depending on it.
2010-01-12Don't run tests when cross-compiling.Colin Watson
2010-01-12Use host compiler for ssh-askpass-gnome when cross-compiling.Colin Watson
2010-01-10* Backport from upstream:Colin Watson
- After sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs itself. Prevents two HUPs in quick succession from resulting in sshd dying (LP: #497781).
2010-01-04releasing version 1:5.2p1-1Colin Watson
2010-01-04LP bug closure tooColin Watson
2010-01-04reasoningColin Watson
2010-01-04Include URL to OpenBSD's ssl(8) in ssh(1) (closes: #530692).Colin Watson
2010-01-04Refer to sshd_config(5) rather than sshd(8) in postinst-writtenColin Watson
/etc/ssh/sshd_config, and add UsePAM commentary from upstream-shipped configuration file (closes: #415008, although unfortunately this will only be conveniently visible on new installations).
2010-01-04Remove/adjust manual page references to BSD-specific /etc/rc (closes:Colin Watson
#513417).
2010-01-04Remove manual page references to login.conf, which aren't applicable onColin Watson
non-BSD systems (closes: #154434).
2010-01-04Adjust short descriptions to avoid relying on previous experience withColin Watson
rsh, based on suggestions from Reuben Thomas (closes: #512198).
2010-01-02Remove init script stop link in rc1, as killprocs handles it already.Colin Watson
2010-01-02Cope with insserv reordering of init script links.Colin Watson
2010-01-02Remove ssh/new_config, only needed for direct upgrades from potato whichColin Watson
are no longer particularly feasible anyway (closes: #420682).
2010-01-02Update OpenSSH FAQ to revision 1.110.Colin Watson
2010-01-02yet another report of thisColin Watson