1. 20 Oct, 2018 2 commits
    • Various Debian-specific configuration changes · a433d9ba
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2017-10-04
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 72b1d308
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2018-10-20
      
      Patch-Name: gssapi.patch
  2. 24 Aug, 2018 2 commits
    • Various Debian-specific configuration changes · 15727837
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2017-10-04
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · e6c7c11a
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2018-08-24
      
      Patch-Name: gssapi.patch
  3. 03 Apr, 2018 3 commits
    • Various Debian-specific configuration changes · e8e09061
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2017-10-04
      
      Patch-Name: debian-config.patch
    • Various Debian-specific configuration changes · 279cd9cd
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2017-10-04
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · cb427e23
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-10-04
      
      Patch-Name: gssapi.patch
  4. 04 Oct, 2017 2 commits
    • Various Debian-specific configuration changes · 4847e512
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2017-10-04
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 4e704909
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-10-04
      
      Patch-Name: gssapi.patch
  5. 22 Aug, 2017 2 commits
    • Various Debian-specific configuration changes · cf60afd3
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-26
      
      Patch-Name: debian-config.patch
    • Various Debian-specific configuration changes · 2a56febe
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-26
      
      Patch-Name: debian-config.patch
  6. 07 May, 2017 2 commits
    • upstream commit · acaf34fd
      djm@openbsd.org authored
      As promised in last release announcement: remove
      support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
      
      Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
    • upstream commit · 1a1b24f8
      jmc@openbsd.org authored
      more protocol 1 bits removed; ok djm
      
      Upstream-ID: b5b977eaf756915acb56aef3604a650e27f7c2b9
  7. 01 May, 2017 1 commit
    • upstream commit · 788ac799
      djm@openbsd.org authored
      remove SSHv1 configuration options and man pages bits
      
      ok markus@
      
      Upstream-ID: 84638c23546c056727b7a7d653c72574e0f19424
  8. 29 Mar, 2017 2 commits
    • Various Debian-specific configuration changes · 78fc8282
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-26
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · d51c7ac3
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-01-16
      
      Patch-Name: gssapi.patch
  9. 16 Jan, 2017 2 commits
    • Various Debian-specific configuration changes · 2b53482a
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-26
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 48fbb156
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2017-01-16
      
      Patch-Name: gssapi.patch
  10. 28 Dec, 2016 2 commits
    • Various Debian-specific configuration changes · 624433c4
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-26
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 40ab38b3
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-12-28
      
      Patch-Name: gssapi.patch
  11. 26 Dec, 2016 1 commit
    • Various Debian-specific configuration changes · 41265d4f
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication by default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-26
      
      Patch-Name: debian-config.patch
  12. 24 Dec, 2016 1 commit
    • Various Debian-specific configuration changes · af54c22d
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
      PrintMotd.
      
      sshd: Enable X11Forwarding.
      
      sshd: Set 'AcceptEnv LANG LC_*' by default.
      
      sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
      
      Document all of this.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2016-12-24
      
      Patch-Name: debian-config.patch
  13. 23 Dec, 2016 2 commits
    • Various Debian-specific configuration changes · 2103d3e5
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 9f717de1
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-08-07
      
      Patch-Name: gssapi.patch
  14. 07 Aug, 2016 2 commits
    • Various Debian-specific configuration changes · 4c914ccd
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · eecddf8b
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-08-07
      
      Patch-Name: gssapi.patch
  15. 21 Mar, 2016 2 commits
    • Various Debian-specific configuration changes · d888c963
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 8c27af53
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-03-21
      
      Patch-Name: gssapi.patch
  16. 10 Mar, 2016 2 commits
    • Various Debian-specific configuration changes · 27a3937b
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 6dfd41bb
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-01-04
      
      Patch-Name: gssapi.patch
  17. 29 Feb, 2016 2 commits
    • Various Debian-specific configuration changes · 85e40e87
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 374db175
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-01-04
      
      Patch-Name: gssapi.patch
  18. 23 Feb, 2016 2 commits
    • upstream commit · 09d87d79
      sobrado@openbsd.org authored
      set ssh(1) protocol version to 2 only.
      
      ok djm@
      
      Upstream-ID: e168daf9d27d7e392e3c9923826bd8e87b2b3a10
    • upstream commit · 9262e078
      sobrado@openbsd.org authored
      add missing ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 to
       IdentityFile.
      
      ok djm@
      
      Upstream-ID: 6ce99466312e4ae7708017c3665e3edb976f70cf
  19. 14 Jan, 2016 2 commits
    • Various Debian-specific configuration changes · 003a875a
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 6a0a4b2f
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-01-04
      
      Patch-Name: gssapi.patch
  20. 04 Jan, 2016 4 commits
    • Various Debian-specific configuration changes · 966fde29
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · 48424483
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-01-04
      
      Patch-Name: gssapi.patch
    • Various Debian-specific configuration changes · 382ac29b
      Colin Watson authored
      ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
      fewer problems with existing setups (http://bugs.debian.org/237021).
      
      ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
      
      ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
      worms.
      
      ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
      default.
      
      Document all of this, along with several sshd defaults set in
      debian/openssh-server.postinst.
      
      Author: Russ Allbery <rra@debian.org>
      Forwarded: not-needed
      Last-Update: 2015-12-07
      
      Patch-Name: debian-config.patch
    • GSSAPI key exchange support · d6cfd64e
      Simon Wilkinson authored
      This patch has been rejected upstream: "None of the OpenSSH developers are
      in favour of adding this, and this situation has not changed for several
      years.  This is not a slight on Simon's patch, which is of fine quality, but
      just that a) we don't trust GSSAPI implementations that much and b) we don't
      like adding new KEX since they are pre-auth attack surface.  This one is
      particularly scary, since it requires hooks out to typically root-owned
      system resources."
      
      However, quite a lot of people rely on this in Debian, and it's better to
      have it merged into the main openssh package rather than having separate
      -krb5 packages (as we used to have).  It seems to have a generally good
      security history.
      
      Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
      Last-Updated: 2016-01-04
      
      Patch-Name: gssapi.patch