Age | Commit message (Collapse) | Author |
|
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
|
|
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: debian-config.patch
|
|
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
|
|
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2019-10-09
Patch-Name: user-group-modes.patch
|
|
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2018-10-19
Patch-Name: keepalive-extensions.patch
|
|
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years. This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface. This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."
However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have). It seems to have a generally good
security history.
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2019-10-09
Patch-Name: gssapi.patch
|
|
~/.ssh/id_* keys; bz#3062
OpenBSD-Commit-ID: 604be570e04646f0f4a17026f8b2aada6a585dfa
|
|
From Zachary Harmany via github.com/openssh/openssh-portable/pull/118
ok dtucker@
OpenBSD-Commit-ID: 7eebf1b7695f50c66d42053d352a4db9e8fb84b6
|
|
connection and to the protocol handshake/KEX. From Jean-Charles Longuet via
Github PR140
OpenBSD-Commit-ID: ce1766abc6da080f0d88c09c2c5585a32b2256bf
|
|
by starting the list with the '^' character, e.g.
HostKeyAlgorithms ^ssh-ed25519
Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com
ok djm@ dtucker@
OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
|
|
Options such as Ciphers take values that may be a list of ciphers; the
complete list, not indiviual elements, may be prefixed with a dash or plus
character to remove from or append to the default list, respectively.
Users might read the current text as if each elment took an optional prefix,
so tweak the wording from "values" to "list" to prevent such ambiguity for
all options supporting these semantics.
Fix instances missed in first commit. ok jmc@ kn@
OpenBSD-Commit-ID: 7112522430a54fb9f15a7a26d26190ed84d5e417
|
|
Options such as Ciphers take values that may be a list of ciphers; the
complete list, not indiviual elements, may be prefixed with a dash or plus
character to remove from or append to the default list respectively.
Users might read the current text as if each elment took an optional prefix,
so tweak the wording from "values" to "list" to prevent such ambiguity for
all options supporting this semantics (those that provide a list of
available elements via "ssh -Q ...").
Input and OK jmc
OpenBSD-Commit-ID: 4fdd175b0e5f5cb10ab3f26ccc38a93bb6515d57
|
|
"unresponsive" to clarify what it checks for. Patch from jblaine at
kickflop.net via github pr#129, ok djm@.
OpenBSD-Commit-ID: 3682f8ec7227f5697945daa25d11ce2d933899e9
|
|
OpenBSD-Commit-ID: 82f6de7438ea7ee5a14f44fdf5058ed57688fdc3
|
|
dtucker
OpenBSD-Commit-ID: 4ade73629ede63b691f36f9a929f943d4e7a44e4
|
|
the "Hostname" and "X11UseLocalhost" keywords; this makes things consistent
(effectively reversing my commit of yesterday);
ok deraadt markus djm
OpenBSD-Commit-ID: 255c02adb29186ac91dcf47dfad7adb1b1e54667
|
|
tirkkonen
OpenBSD-Commit-ID: 0c267a1257ed7482b13ef550837b6496e657d563
|
|
Part of a patch from Stephen Gregoratto <dev at sgregoratto dot me>.
OpenBSD-Commit-ID: 15501ed13c595f135e7610b1a5d8345ccdb513b7
|
|
mention of RSA keys only (since we support ECDSA now and might support others
in the future). Inspired by Jakub Jelen via bz#2974
OpenBSD-Commit-ID: a92e3686561bf624ccc64ab320c96c9e9a263aa5
|
|
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical
between the client and server, but the error accidentially disabled the
diffie-hellman-group-exchange-sha1 KEX method.
This fixes the client code to use the correct method list, but
because nobody complained, it also disables the
diffie-hellman-group-exchange-sha1 KEX method.
Reported by nuxi AT vault24.org via bz#2697; ok dtucker
OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
|
|
description in ssh.1; issue pointed out by andreas kahari
ok dtucker djm
OpenBSD-Commit-ID: 1b01ef0ae2c6328165150badae317ec92e52b01c
|
|
not applied to any ProxyJump/-J hosts. This has confused a few people...
OpenBSD-Commit-ID: 03f4f641df6ca236c1bfc69836a256b873db868b
|
|
OpenBSD-Commit-ID: 08f096922eb00c98251501c193ff9e83fbb5de4f
|
|
Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus
OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
|
|
environment variable names as well as explicit paths. ok dtucker@
OpenBSD-Commit-ID: 2f0996e103876c53d8c9dd51dcce9889d700767b
|
|
timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@
OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
|
|
with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't
try to canonicalise the hostname unless CanonicalizeHostname is set to
'always').
Patch from Sven Wegener via bz#2896
OpenBSD-Commit-ID: 527ff501cf98bf65fb4b29ed0cb847dda10f4d37
|
|
various -o lists; ok djm
OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
|
|
it to specify which signature algorithms may be used by CAs when signing
certificates. Useful if you want to ban RSA/SHA1; ok markus@
OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
|
|
Most people will 1) be using modern multi-factor authentication methods
like TOTP/OATH etc and 2) be getting support for multi-factor
authentication via PAM or BSD Auth.
|
|
characters instead the C API in section 3.
OK millert jmc nicm, "the right idea" deraadt
OpenBSD-Commit-ID: a74fd215488c382809e4d041613aeba4a4b1ffc6
|
|
ssh(1) setuid has been removed, remove supporting code and clean up
references to it in the man pages
We have not shipped ssh(1) the setuid bit since 2002. If ayone
really needs to make connections from a low port number this can
be implemented via a small setuid ProxyCommand.
ok markus@ jmc@ djm@
OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
|
|
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
|
|
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
|
|
OpenBSD-Commit-ID: 27d80d8b8ca99bc33971dee905e8ffd0053ec411
|
|
environment variables for the remote session (subject to the server accepting
them)
refactor SendEnv to remove the arbitrary limit of variable names.
ok markus@
OpenBSD-Commit-ID: cfbb00d9b0e10c1ffff1d83424351fd961d1f2be
|
|
make the grammatical format in sshd_config.5 match that in ssh_config.5;
OpenBSD-Commit-ID: e325663b9342f3d556e223e5306e0d5fa1a74fa0
|
|
username is available currently. In the client this is via %i, in the server
%U (since %i was already used in the client in some places for this, but used
for something different in the server); bz#2870, ok dtucker@
OpenBSD-Commit-ID: c7e912b0213713316cb55db194b3a6415b3d4b95
|
|
after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)
OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528
|
|
OpenBSD-Commit-ID: 38e347b6f8e888f5e0700d01abb1eba7caa154f9
|
|
previously labeled for sendind. bz#1285 ok dtucker@
OpenBSD-Commit-ID: f6fec9e3d0f366f15903094fbe1754cb359a0df9
|
|
Renaud Allard (via otto@)
OpenBSD-Commit-ID: a559b1eef741557dd959ae378b665a2977d92dca
|
|
interactive and CS1 for bulk
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
|
|
OpenBSD-Commit-ID: 1a719ebeae22a166adf05bea5009add7075acc8c
|
|
command-line argument to ssh(1) that directs it to bind its outgoing
connection to the address of the specified network interface.
BindInterface prefers to use addresses that aren't loopback or link-
local, but will fall back to those if no other addresses of the
required family are available on that interface.
Based on patch by Mike Manning in bz#2820, ok dtucker@
OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
|
|
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
From Jakub Jelen via bz#2826
OpenBSD-Commit-ID: 51bf769f06e55447f4bfa7306949e62d2401907a
|
|
Mention ServerAliveTimeout in context of TCPKeepAlives;
prompted by Christoph Anton Mitterer via github
OpenBSD-Commit-ID: f0cf1b5bd3f1fbf41d71c88d75d93afc1c880ca2
|
|
Shorter, more accurate explanation of
NoHostAuthenticationForLocalhost without the confusing example. Prompted by
Christoph Anton Mitterer via github and bz#2293.
OpenBSD-Commit-ID: 19dc96bea25b80d78d416b581fb8506f1e7b76df
|
|
Replace "trojan horse" with the correct term (MITM).
From maikel at predikkta.com via bz#2822, ok markus@
OpenBSD-Commit-ID: e86ac64c512057c89edfadb43302ac0aa81a6c53
|
|
tweak previous; ok djm
Upstream-ID: 7d913981ab315296be1f759c67b6e17aea38fca9
|