summaryrefslogtreecommitdiff
path: root/debian/rules
AgeCommit message (Collapse)Author
2007-06-12* Build the .deb --with-ssl-engine (LP: #119295).Colin Watson
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2006-12-23* It turns out that the people who told me that removing a conffile in theColin Watson
preinst was sufficient to have dpkg replace it without prompting when moving a conffile between packages were very much mistaken. As far as I can tell, the only way to do this reliably is to write out the desired new text of the conffile in the preinst. This is gross, and requires shipping the text of all conffiles in the preinst too, but there's nothing for it. Fortunately this nonsense is only required for smooth upgrades from sarge.
2006-12-06ssh-krb5 needs a copyright fileColin Watson
2006-12-06don't symlink /usr/share/doc/ssh-krb5; we have a separate NEWS file to put thereColin Watson
2006-12-06fix sed mistakeColin Watson
2006-12-06* Remove version control tags from /etc/ssh/moduli and /etc/ssh/ssh_configColin Watson
to avoid unnecessary conffile resolution steps for administrators (thanks, Jari Aalto; closes: #335259).
2006-12-06* Create transitional ssh-krb5 package which enables GSSAPI configurationColin Watson
in sshd_config. * Default client to attempting GSSAPI authentication. * Remove obsolete GSSAPINoMICAuthentication from sshd_config if it's found.
2006-05-12* Ship README.tun.Colin Watson
2006-05-12* debian/rules: Resynchronise CFLAGS with that generated by configure.Colin Watson
2006-03-31* Switch to debhelper compatibility level 4, since we now requireColin Watson
debhelper 4 even on sarge anyway for udeb support.
2006-03-31* Use udeb support introduced in debhelper 4.2.0 (available in sarge)Colin Watson
rather than constructing udebs by steam. * Require debhelper 5.0.22, which generates correct shared library dependencies for udebs. This build-dependency can be ignored if building on sarge.
2006-03-01small path reorderings, really sync with /etc/login.defsColin Watson
2006-03-01* I accidentally applied the default $PATH change in 1:4.2p1-6 to the udebColin Watson
rather than the deb. Fixed.
2005-10-10* Sync default values of $PATH from shadow 1:4.0.12-6, adding /usr/bin/X11Colin Watson
to the normal and superuser paths and /usr/games to the normal path.
2005-09-15* Explicitly tell po2debconf to use the 'popular' output encoding, so thatColin Watson
the woody-compatibility hack works even with po-debconf 0.9.0.
2005-09-14 - Build-depend on libkrb5-dev and configure --with-kerberos5=/usr.Colin Watson
2005-09-14* debian/rules: Resynchronise CFLAGS with that generated by configure.Colin Watson
2005-07-07Fix one-character typo that meant the binaries in openssh-client andColin Watson
openssh-server got recompiled with the wrong options during 'debian/rules install' (closes: #317088, #317238, #317241).
2005-07-03Disable btmp logging, since Debian's /var/log/btmp has inappropriateColin Watson
permissions (closes: #314956).
2005-07-03Ship README.dns (closes: #284874).Colin Watson
2005-07-03Make /usr/share/doc/openssh-server and /usr/share/doc/ssh symlinks toColin Watson
/usr/share/doc/openssh-client.
2005-06-17Switch to debhelper compat level 3, since 2 is deprecated.Colin Watson
2005-06-17Restore /usr/lib/sftp-server temporarily, as a symlink toColin Watson
/usr/lib/openssh/sftp-server (closes: #312891).
2005-06-17Re-enable ssh-askpass-gnome on the Hurd, now that its build-dependenciesColin Watson
are available.
2005-06-17Manoj Srivastava:Colin Watson
- Added SELinux capability, and turned it on be default. Added restorecon calls in preinst and postinst (should not matter if the machine is not SELinux aware). By and large, the changes made should have no effect unless the rules file calls --with-selinux; and even then there should be no performance hit for machines not actively running SELinux. - Modified the preinst and postinst to call restorecon to set the security context for the generated public key files. - Added a comment to /etc/pam.d/ssh to indicate that an SELinux system may want to also include pam_selinux.so.
2005-06-01Apply Linux 2.2 workaround (see #239999) only on Linux.Colin Watson
2005-06-01Fix DEB_HOST_ARCH_OS/DEB_HOST_GNU_SYSTEM compatibility handling.Colin Watson
2005-05-31Remove unnecessary SSH_KEYSIGN variable overrides.Colin Watson
2005-05-31Add lintian overrides for the above (setuid-binary, no-debconf-templates).Colin Watson
2005-05-31Since ssh-keysign isn't used by default (you need to set EnableSSHKeysignColin Watson
to "yes" in /etc/ssh/ssh_config), having a debconf question to ask whether it should be setuid is overkill, and the question text had got out of date anyway. Remove this question, ship ssh-keysign setuid in openssh-client.deb, and set a statoverride if the debconf question was previously set to false.
2005-05-31Change libexecdir to /usr/lib/openssh, and fix up various alternatives andColin Watson
configuration files to match (closes: #87900, #151321).
2005-05-30Take upstream's hint and disable the unsupported USE_POSIX_THREADSColin Watson
(closes: #295757, #308868, and possibly others; may open other bugs). Use PAM password authentication to avoid #278394. In future I may provide two sets of binaries built with and without this option, since it seems I can't win.
2005-05-25Don't build ssh-askpass-gnome on the Hurd, until GNOME is available toColin Watson
satisfy build-dependencies.
2005-05-25Hurd fixes:Colin Watson
- Link with -lcrypt. - Link with -lpthread rather than -pthread.
2005-05-25Drop workaround for #242462 on amd64; it's been fixed properly upstream.Colin Watson
2005-05-25Enable libedit support in sftp; build-depend on libedit-dev.Colin Watson
2005-05-25Merge 4.0p1 to the trunk.Colin Watson
2005-01-13Depend on debconf | debconf-2.0.Colin Watson
2005-01-04remove /usr/sbin from openssh-clientColin Watson
2004-12-01Build ssh in binary-indep, not binary-arch (thanks, LaMont Jones).Colin Watson
2004-11-12Merge from HEAD:Colin Watson
Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
2004-10-24Forward-port from HEAD:Colin Watson
* Preserve /etc/ssh/sshd_config ownership/permissions (closes: #276754). * Shorten the version string from the form "OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH implementations apparently have problems with the long version string. This is of course a bug in those implementations, but since the extent of the problem is unknown it's best to play safe (closes: #275731). * debconf template translations: - Add Finnish (thanks, Matti Pöllä; closes: #265339). - Update Danish (thanks, Morten Brix Pedersen; closes: #275895). - Update French (thanks, Denis Barbier; closes: #276703). - Update Japanese (thanks, Kenshi Muto; closes: #277438).
2004-10-24Shorten the version string from the form "OpenSSH_3.8.1p1 DebianColin Watson
1:3.8.1p1-8.sarge.1" to "OpenSSH_3.8.1p1 Debian-8.sarge.1", as some SSH implementations apparently have problems with the long version string. This is of course a bug in those implementations, but since the extent of the problem is unknown it's best to play safe (closes: #275731).
2004-08-31Move sshd_config(5) to openssh-server, where it belongs.Colin Watson
2004-08-25Don't install the ssh-askpass-gnome .desktop file by default; I've had tooColin Watson
many GNOME people tell me it's the wrong thing to be doing. I've left it in /usr/share/doc/ssh-askpass-gnome/examples/ for now.
2004-08-02Add copyright file to transitional ssh package.Colin Watson
2004-07-31* Split the ssh binary package into openssh-client and openssh-serverColin Watson
(closes: #39741). openssh-server depends on openssh-client for some common functionality; it didn't seem worth creating yet another package for this. * New transitional ssh package, depending on openssh-client and openssh-server. May be removed once nothing depends on it. * When upgrading from ssh to openssh-{client,server}, it's very difficult for the maintainer scripts to find out what version we're upgrading from without dodgy dpkg hackery. I've therefore taken the opportunity to move a couple of debconf notes into NEWS files, namely ssh/ssh2_keys_merged and ssh/user_environment_tell. * In general, upgrading to this version directly from woody without first upgrading to the version in sarge is not currently guaranteed to work very smoothly due to the aforementioned version discovery problems.
2004-07-30Merge from MAIN:Colin Watson
cvs up -jV_3_8_1_P1-4 -jV_3_8_1_P1-8
2004-07-22Re-enable shadow password support in openssh-server-udeb, at BastianColin Watson
Blank's request (closes: #260800).