Age | Commit message (Collapse) | Author |
|
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2016-03-21
Patch-Name: gssapi.patch
|
|
When DISABLE_LASTLOG is set, do not try to include PrintLastLog in the
config dump since it'll be reported as UNKNOWN.
|
|
make sandboxed privilege separation the default, not just
for new installs; "absolutely" deraadt@
Upstream-ID: 5221ef3b927d2df044e9aa3f5db74ae91743f69b
|
|
Allow RekeyLimits in excess of 4G up to 2**63 bits
(limited by the return type of scan_scaled). Part of bz#2521, ok djm.
Upstream-ID: 13bea82be566b9704821b1ea05bf7804335c7979
|
|
Support "none" as an argument for sshd_config
ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
global default. bz#2486 ok dtucker@
Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
|
|
Fix "PubkeyAcceptedKeyTypes +..." inside a Match block;
ok dtucker@
Upstream-ID: 853662c4036730b966aab77684390c47b9738c69
|
|
bz#2278 from Brent Paulson
|
|
Fix expansion of HostkeyAlgorithms=+...
Reported by Bryan Drewery
Upstream-ID: 70ca1deea39d758ba36d36428ae832e28566f78d
|
|
add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
|
|
Allow PermitRootLogin to be overridden by config
ok markus@ deeradt@
Upstream-ID: 5cf3e26ed702888de84e2dc9d0054ccf4d9125b4
|
|
change default: PermitRootLogin without-password matching
install script changes coming as well ok djm markus
Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
|
|
Allow ssh_config and sshd_config kex parameters options be
prefixed by a '+' to indicate that the specified items be appended to the
default rather than replacing it.
approach suggested by dtucker@, feedback dlg@, ok markus@
Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
|
|
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
|
|
twiddle PermitRootLogin back
Upstream-ID: 2bd23976305d0512e9f84d054e1fc23cd70b89f2
|
|
twiddle; (this commit marks the openssh-6.9 release)
Upstream-ID: 78500582819f61dd8adee36ec5cc9b9ac9351234
|
|
put back default PermitRootLogin=no
Upstream-ID: 7bdedd5cead99c57ed5571f3b6b7840922d5f728
|
|
reset default PermitRootLogin to 'yes' (momentarily, for
release)
Upstream-ID: cad8513527066e65dd7a1c16363d6903e8cefa24
|
|
add knob to relax GSSAPI host credential check for
multihomed hosts bz#928, patch by Simon Wilkinson; ok dtucker
(kerberos/GSSAPI is not compiled by default on OpenBSD)
Upstream-ID: 15ddf1c6f7fd9d98eea9962f480079ae3637285d
|
|
add AuthorizedPrincipalsCommand that allows getting
authorized_principals from a subprocess rather than a file, which is quite
useful in deployments with large userbases
feedback and ok markus@
Upstream-ID: aa1bdac7b16fc6d2fa3524ef08f04c7258d247f6
|
|
Remove pattern length argument from match_pattern_list(), we
only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.
ok markus@
|
|
a couple of parse targets were missing activep checks,
causing them to be misapplied in match context; bz#2272 diagnosis and
original patch from Sami Hartikainen ok dtucker@
|
|
make handling of AuthorizedPrincipalsFile=none more
consistent with other =none options; bz#2288 from Jakub Jelen; ok dtucker@
|
|
Remove pattern length argument from match_pattern_list(), we
only ever use it for strlen(pattern).
Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.
ok markus@
|
|
Allow ListenAddress, Port and AddressFamily in any
order. bz#68, ok djm@, jmc@ (for the man page bit).
|
|
Make sshd default to PermitRootLogin=no; ok deraadt@
rpe@
|
|
rename xrealloc() to xreallocarray() since it follows
that form. ok djm
|
|
Two small fixes for sshd -T: ListenAddress'es are added
to a list head so reverse the order when printing them to ensure the
behaviour remains the same, and print StreamLocalBindMask as octal with
leading zero. ok deraadt@
|
|
Check for and reject missing arguments for
VersionAddendum and ForceCommand. bz#2281, patch from plautrba at redhat com,
ok djm@
|
|
Add some missing options to sshd -T and fix the output
of VersionAddendum HostCertificate. bz#2346, patch from jjelen at redhat
com, ok djm.
|
|
Part of bz#2346, patch from jjelen at redhat com.
|
|
increasing encounters with difficult DNS setups in
darknets has convinced me UseDNS off by default is better ok djm
|
|
Replace <sys/param.h> with <limits.h> and other less
dirty headers where possible. Annotate <sys/param.h> lines with their
current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of
MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
These are the files confirmed through binary verification. ok guenther,
millert, doug (helped with the verification protocol)
|
|
add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
will be accepted. Currently defaults to all. Feedback & ok markus@
|
|
make internal handling of filename arguments of "none"
more consistent with ssh. "none" arguments are now replaced with NULL when
the configuration is finalised.
Simplifies checking later on (just need to test not-NULL rather than
that + strcmp) and cleans up some inconsistencies. ok markus@
|
|
Add FingerprintHash option to control algorithm used for
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
base64.
Feedback and ok naddy@ markus@
|
|
Fix crashes in the handling of the sshd config file found
with the afl fuzzer.
ok deraadt@ djm@
|
|
Remove unnecessary include: netinet/in_systm.h is not needed
by these programs.
NB. skipped for portable
ok deraadt@ millert@
|
|
whitespace
|
|
When dumping the server configuration (sshd -T), print
correct KEX, MAC and cipher defaults. Spotted by Iain Morgan
|
|
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
|
|
[servconf.c servconf.h session.c sshd.8 sshd_config.5]
Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
executed, mirroring the no-user-rc authorized_keys option;
bz#2160; ok markus@
|
|
[Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
[monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
[schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
remove experimental, never-enabled JPAKE code; ok markus@
|
|
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
[servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
[ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
[sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
[fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
support ed25519 keys (hostkeys and user identities) using the public
domain ed25519 reference code from SUPERCOP, see
http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
|
|
[servconf.c servconf.h]
bz#2161 - fix AuthorizedKeysCommand inside a Match block and
rearrange things so the same error is harder to make next time;
with and ok dtucker@
|
|
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
|
|
[cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
Output the effective values of Ciphers, MACs and KexAlgorithms when
the default has not been overridden. ok markus@
|
|
[servconf.c servconf.h session.c sshd_config sshd_config.5]
shd_config PermitTTY to disallow TTY allocation, mirroring the
longstanding no-pty authorized_keys option;
bz#2070, patch from Teran McKinney; ok markus@
|
|
[readconf.c servconf.c ssh_config.5 sshd_config.5]
Disallow empty Match statements and add "Match all" which matches
everything. ok djm, man page help jmc@
|
|
[servconf.c]
fix comment
|