- Oct 27, 2024
-
-
Colin Watson authored
-
Colin Watson authored
This is no longer needed since a95fc5ee.
-
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?h=V_9_9&id=fe8d28a7ebbaa35cfc04a21263627f05c237e460
Last-Update: 2024-10-27
Patch-Name: mlkem768x25519-big-endian-2.patch
-
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?h=V_9_9&id=11f348196b3fb51c3d8d1f4f36db9d73f03149ed
Last-Update: 2024-10-27
Patch-Name: mlkem768x25519-big-endian-1.patch
-
When using sshd's -i option with stdio that is not an AF_INET/AF_INET6 socket, auth_get_canonical_hostname() returns "UNKNOWN", which is then set as the value of PAM_RHOST, causing PAM to try to do a reverse DNS query of "UNKNOWN", which times out multiple times, causing a substantial slowdown when logging in. To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
Author: Daan De Meyer <daan.j.demeyer@gmail.com>
Last-Update: 2024-04-03
Patch-Name: pam-avoid-unknown-host.patch
-
Colin Watson authored
This allows overriding them on configure's command line in case the automatic checks go wrong somehow. bz#3673
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3
Last-Update: 2024-04-03
Patch-Name: configure-cache-vars.patch
-
Colin Watson authored
This is more convenient than requiring a controlling terminal.
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3676
Last-Update: 2024-03-31
Patch-Name: regress-conch-dev-zero.patch
-
Colin Watson authored
On ZFS (which may be used by e.g. `autopkgtest-virt-incus`), `utimensat` seems to leave the access time set to 0. It's not clear why.
Forwarded: no
Last-Update: 2024-03-11
Patch-Name: skip-utimensat-test-on-zfs.patch
-
Unlike inetd socket activation, with systemd socket activation the supervisor passes the listened-on socket to the child process and lets the child process handle the accept(). This lets us do delayed start of the sshd daemon without becoming incompatible with config options like ClientAliveCountMax.
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2024-08-02
Patch-Name: systemd-socket-activation.patch
-
Colin Watson authored
-
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?h=V_9_9&id=fe8d28a7ebbaa35cfc04a21263627f05c237e460
Last-Update: 2024-10-27
Patch-Name: mlkem768x25519-big-endian-2.patch
-
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?h=V_9_9&id=11f348196b3fb51c3d8d1f4f36db9d73f03149ed
Last-Update: 2024-10-27
Patch-Name: mlkem768x25519-big-endian-1.patch
-
- Oct 21, 2024
-
-
Colin Watson authored
-
- Oct 18, 2024
-
-
Colin Watson authored
This avoids a dependency. The main `regress` autopkgtest still needs `sudo` though.
-
- Oct 15, 2024
-
-
Colin Watson authored
-
- Oct 14, 2024
-
-
Colin Watson authored
Don't prefer host-bound public key signatures if there was no initial host key, as is the case when using GSS-API key exchange. Closes: #1041521
-
When using sshd's -i option with stdio that is not an AF_INET/AF_INET6 socket, auth_get_canonical_hostname() returns "UNKNOWN", which is then set as the value of PAM_RHOST, causing PAM to try to do a reverse DNS query of "UNKNOWN", which times out multiple times, causing a substantial slowdown when logging in. To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
Author: Daan De Meyer <daan.j.demeyer@gmail.com>
Last-Update: 2024-04-03
Patch-Name: pam-avoid-unknown-host.patch
-
Colin Watson authored
This allows overriding them on configure's command line in case the automatic checks go wrong somehow. bz#3673
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3
Last-Update: 2024-04-03
Patch-Name: configure-cache-vars.patch
-
Colin Watson authored
This is more convenient than requiring a controlling terminal.
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3676
Last-Update: 2024-03-31
Patch-Name: regress-conch-dev-zero.patch
-
Colin Watson authored
This reverts commit 5ee8448a. The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
-
Colin Watson authored
On ZFS (which may be used by e.g. `autopkgtest-virt-incus`), `utimensat` seems to leave the access time set to 0. It's not clear why.
Forwarded: no
Last-Update: 2024-03-11
Patch-Name: skip-utimensat-test-on-zfs.patch
-
Colin Watson authored
Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
-
Unlike inetd socket activation, with systemd socket activation the supervisor passes the listened-on socket to the child process and lets the child process handle the accept(). This lets us do delayed start of the sshd daemon without becoming incompatible with config options like ClientAliveCountMax.
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2024-08-02
Patch-Name: systemd-socket-activation.patch
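The two hand-off models in that patch description (inetd hands the daemon an already-accepted connection on fd 0; systemd hands it the listening socket and lets it accept()), together with the AF_INET/AF_INET6 test that the PAM_RHOST "UNKNOWN" note earlier in this list hinges on, as an added C example. This is not OpenSSH or Debian code: the LISTEN_PID/LISTEN_FDS variables and fd 3 are the convention documented in sd_listen_fds(3), and demo_systemd_handoff() stands in for the supervisor by publishing those variables for a loopback listener it creates itself (it does not dup the listener to fd 3).

```c
/* Added example (not OpenSSH or Debian code): distinguishing systemd socket
 * activation (listening socket inherited at fd 3, announced by LISTEN_PID/
 * LISTEN_FDS, daemon stays resident and accept()s) from inetd-style activation
 * (fd 0 already is the accepted connection). Conventions per sd_listen_fds(3). */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define SD_LISTEN_FDS_START 3
enum activation { ACT_STANDALONE, ACT_INETD, ACT_SYSTEMD };

/* Number of inherited listening fds, or 0 if the variables are absent,
 * malformed, or addressed to another pid (children inherit them too). */
int parse_listen_fds(const char *listen_pid, const char *listen_fds, pid_t self)
{
    char *end;
    long v;
    if (!listen_pid || !listen_fds || !*listen_pid || !*listen_fds)
        return 0;
    errno = 0;
    v = strtol(listen_pid, &end, 10);
    if (errno || *end || v != (long)self)
        return 0;
    errno = 0;
    v = strtol(listen_fds, &end, 10);
    if (errno || *end || v <= 0 || v > INT_MAX - SD_LISTEN_FDS_START)
        return 0;
    return (int)v;
}

/* Read and then scrub the variables so sessions we spawn do not see them. */
int listen_fds_from_env(void)
{
    int n = parse_listen_fds(getenv("LISTEN_PID"), getenv("LISTEN_FDS"), getpid());
    unsetenv("LISTEN_PID"); unsetenv("LISTEN_FDS"); unsetenv("LISTEN_FDNAMES");
    return n;
}

/* 1 if fd is an AF_INET/AF_INET6 socket; the same test decides whether a peer
 * hostname (PAM_RHOST) can be derived from fd 0 at all. */
int is_inet_socket(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return 0;                                  /* ENOTSOCK: file, pipe, tty */
    return ss.ss_family == AF_INET || ss.ss_family == AF_INET6;
}

enum activation activation_mode(int n_inherited, int stdin_fd)
{
    if (n_inherited > 0)
        return ACT_SYSTEMD;        /* we accept() on the inherited listener(s) */
    if (is_inet_socket(stdin_fd))
        return ACT_INETD;          /* sshd -i: fd 0 is the connection itself */
    return ACT_STANDALONE;         /* bind()/listen() ourselves */
}

/* Loopback listener on an ephemeral port, standing in for the socket systemd would pass. */
int make_loopback_listener(int *port)
{
    struct sockaddr_in sin = { 0 };
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sin.sin_family = AF_INET; sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0 ||
        listen(fd, 8) != 0 || getsockname(fd, (struct sockaddr *)&sin, &len) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return fd;
}

/* Constructed hand-off: publish LISTEN_PID/LISTEN_FDS for our own listener (a real
 * supervisor would also place it at fd 3), then run the daemon-side logic.
 * Returns 1 if the systemd path accepted a client connection. */
int demo_systemd_handoff(void)
{
    struct sockaddr_in sin = { 0 };
    char pidbuf[32];
    int port, lfd, cfd, afd, ok = 0;
    if ((lfd = make_loopback_listener(&port)) < 0)
        return 0;
    snprintf(pidbuf, sizeof(pidbuf), "%ld", (long)getpid());
    setenv("LISTEN_PID", pidbuf, 1);
    setenv("LISTEN_FDS", "1", 1);
    if (activation_mode(listen_fds_from_env(), STDIN_FILENO) == ACT_SYSTEMD && is_inet_socket(lfd)) {
        sin.sin_family = AF_INET; sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sin.sin_port = htons((unsigned short)port);
        cfd = socket(AF_INET, SOCK_STREAM, 0);     /* stand-in for an ssh client */
        if (cfd >= 0 && connect(cfd, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
            (afd = accept(lfd, NULL, NULL)) >= 0) {
            ok = is_inet_socket(afd);              /* per-connection fd, as inetd would hand over */
            close(afd);
        }
        if (cfd >= 0) close(cfd);
    }
    close(lfd);
    return ok;
}
```

The scrubbing in listen_fds_from_env() matters for a daemon like sshd that forks user sessions: a child that still sees LISTEN_PID set to the parent's pid ignores the variables (the pid check), but a child that re-executes the daemon itself would otherwise see a stale LISTEN_FDS count.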
-
Colin Watson authored
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms.
ssh: Enable GSSAPIAuthentication by default.
ssh: Include /etc/ssh/ssh_config.d/*.conf.
sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
sshd: Document Debian's default for SshdSessionPath.
regress: Run tests with 'UsePAM yes', to match sshd_config.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2024-07-03
Patch-Name: debian-config.patch
-
Bug-Debian: https://bugs.debian.org/997030
Last-Update: 2021-11-05
Patch-Name: maxhostnamelen.patch
-
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
-
There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2023-09-02
Patch-Name: no-openssl-version-status.patch
-
Colin Watson authored
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21
Patch-Name: ssh-agent-setgid.patch
-
Colin Watson authored
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2021-11-05
Patch-Name: doc-hash-tab-completion.patch
-
Colin Watson authored
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
-
Colin Watson authored
No single bug reference for this patch, but history includes:
https://bugs.debian.org/154434 (login.conf(5))
https://bugs.debian.org/513417 (/etc/rc)
https://bugs.debian.org/998069 (rdomain(4))
Forwarded: not-needed
Last-Update: 2024-07-03
Patch-Name: openbsd-docs.patch
-
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
-
Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2024-09-22
Patch-Name: debian-banner.patch
-
This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2023-12-18
Patch-Name: package-versioning.patch
-
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2023-12-11
Patch-Name: mention-ssh-keygen-on-keychange.patch
-
Colin Watson authored
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2023-06-19
Patch-Name: dnssec-sshfp.patch
-
Colin Watson authored
There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21
Patch-Name: shell-path.patch
-
Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27
Patch-Name: scp-quoting.patch
-
Colin Watson authored
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2022-02-23
Patch-Name: user-group-modes.patch
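The rule in that patch description, group-writable only if the group contains nobody but the file's owner, worked through as an added C example that is not the Debian patch itself. A constructed passwd/group directory (alice, bob, carol, dave, erin, frank and their groups) stands in for getpwent()/getgrgid(), and naive_gr_mem_check() is included to show why looking at gr_mem alone is not enough: gr_mem lists supplementary members only, so users whose primary group is the file's group never appear in it.

```c
/* Added example (not the Debian patch's code): a group-writable ~/.ssh file is
 * acceptable only when its group contains nobody but the owner. The directory
 * below is constructed; a real check would walk getpwent()/getgrgid(). */
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

struct demo_user  { const char *name; uid_t uid; gid_t gid; };               /* passwd row */
struct demo_group { const char *name; gid_t gid; const char *const *mem; };  /* group row */

static const char *const none[] = { NULL };
static const char *const devs_mem[] = { "carol", NULL };
/* alice/bob/carol have Debian-style per-user groups; dave's primary group is
 * "devs" (carol is a supplementary member); erin and frank share "staff",
 * whose gr_mem is empty because it is the primary group of both. */
static const struct demo_user users[] = {
    { "alice", 1000, 1000 }, { "bob", 1001, 1001 }, { "carol", 1002, 1002 },
    { "dave", 1003, 2000 }, { "erin", 1004, 3000 }, { "frank", 1005, 3000 },
};
static const struct demo_group groups[] = {
    { "alice", 1000, none }, { "bob", 1001, none }, { "carol", 1002, none },
    { "devs", 2000, devs_mem }, { "staff", 3000, none },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

static const struct demo_group *find_group(gid_t gid)
{
    for (size_t i = 0; i < N(groups); i++)
        if (groups[i].gid == gid) return &groups[i];
    return NULL;
}
static const struct demo_user *find_user(uid_t uid)
{
    for (size_t i = 0; i < N(users); i++)
        if (users[i].uid == uid) return &users[i];
    return NULL;
}
static const struct demo_user *find_user_by_name(const char *name)
{
    for (size_t i = 0; i < N(users); i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}

/* The tempting shortcut: trust gr_mem alone. Returns 1 if gr_mem is empty or
 * lists only the owner. Wrong, because gr_mem holds supplementary members only;
 * users whose primary gid is st_gid never appear in it. */
int naive_gr_mem_check(uid_t st_uid, gid_t st_gid)
{
    const struct demo_group *g = find_group(st_gid);
    const struct demo_user *owner = find_user(st_uid);
    if (!g || !owner) return 0;
    for (size_t i = 0; g->mem[i]; i++)
        if (strcmp(g->mem[i], owner->name) != 0) return 0;
    return 1;
}

/* Everyone who can act with gid: primary-group users plus supplementary members
 * not already counted. -1 if the group does not exist. */
int group_member_count(gid_t gid)
{
    const struct demo_group *g = find_group(gid);
    int count = 0;
    if (!g) return -1;
    for (size_t i = 0; i < N(users); i++)
        if (users[i].gid == gid) count++;
    for (size_t i = 0; g->mem[i]; i++) {
        const struct demo_user *u = find_user_by_name(g->mem[i]);
        if (u && u->gid != gid) count++;
    }
    return count;
}

/* 1 if a file with these stat fields is safe to trust for user `uid`: owned by
 * uid or root, never world-writable, and group-writable only when the group is
 * the owner's own and has exactly that one member. */
int secure_permissions(mode_t mode, uid_t st_uid, gid_t st_gid, uid_t uid)
{
    const struct demo_user *owner;
    if (st_uid != 0 && st_uid != uid) return 0;
    if (mode & S_IWOTH) return 0;
    if (mode & S_IWGRP) {
        owner = find_user(st_uid);
        if (!owner || owner->gid != st_gid) return 0;   /* writable by a group that is not the owner's */
        if (group_member_count(st_gid) != 1) return 0;  /* someone other than the owner is in it */
    }
    return 1;
}
```

With this directory, alice's 0664 authorized_keys in group "alice" passes, while erin's 0664 file in "staff" is rejected even though the naive gr_mem check accepts it, because frank shares that primary group and could write to it.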
-
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch.
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14
Patch-Name: syslog-level-silent.patch
-