d/control: Remove ancent version constraints

See merge request !17

Steve Langasek authored Sep 01, 2022 and Colin Watson committed Sep 01, 2022

Unlike inetd socket activation, with systemd socket activation the
supervisor passes the listened-on socket to the child process and lets
the child process handle the accept().  This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.

Last-Update: 2022-09-01

Patch-Name: systemd-socket-activation.patch

Various version constraints can be removed because they reference
versions that are available since old-old-old-stable (Debian 6 squeeze).

For the record, Debian 6 squeeze has:

* adduser: 3.113+nmu3
* dpkg, dpkg-dev: 1.17.27
* libpam-modules: 1.1.8-3.1+deb8u2+b1
* libpam-runtime: 1.1.8-3.1+deb8u2
* lsb-base: 4.1+Debian13+nmu1
* ucf: 3.0030
* zlib1g-dev: 1:1.2.8.dfsg-2+b1

The len argument has to be initialized to the size of available memory.

Per Colin's suggestion, wrap these calls in a check that we're on a systemd
system and allow errors to propagate instead of using '|| true'

Addresses are taken care of by systemd; trying to set this will either fail,
or be wrong.

server_listen() includes some initialization code for the MaxStartups option
which we were accidentally skipping, leading to uninitialized variables.
This seems to have worked by accident on jammy and fails with a different
toolchain.

Closes: #1016340

Delete obsolete upstart configuration override

See merge request !13

Upstart jobs were deleted with b4fc0d32 4 years ago. This `.override` file apparently was forgotten in that cleanup.

This is fixed in Twisted upstream
(https://twistedmatrix.com/trac/ticket/9765).  Work around this until
the fix is in Debian.

Forwarded: not-needed
Last-Update: 2022-02-16

Patch-Name: conch-ssh-rsa.patch

Svante Signell authored Nov 05, 2021 and Colin Watson committed Apr 08, 2022

Bug-Debian: https://bugs.debian.org/997030
Last-Update: 2021-11-05

Patch-Name: maxhostnamelen.patch

This reverts commit 5ee8448a.

The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.

Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08

Patch-Name: revert-ipqos-defaults.patch

Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever.  However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.

Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05

Patch-Name: restore-authorized_keys2.patch

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication by default.

ssh: Include /etc/ssh/ssh_config.d/*.conf.

sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

sshd: Include /etc/ssh/sshd_config.d/*.conf.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: debian-config.patch

Michael Biebl authored Dec 21, 2015 and Colin Watson committed Apr 08, 2022

Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22

Patch-Name: systemd-readiness.patch

Vincent Untz authored Feb 09, 2014 and Colin Watson committed Apr 08, 2022

Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28

Patch-Name: gnome-ssh-askpass2-icon.patch

Kurt Roeckx authored Feb 09, 2014 and Colin Watson committed Apr 08, 2022

There is no reason to check the version of OpenSSL (in Debian).  If it's
not compatible the soname will change.  OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same.  Remove that check on the status since
it doesn't tell you anything about how compatible that version is.

Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07

Patch-Name: no-openssl-version-status.patch

Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21

Patch-Name: ssh-agent-setgid.patch

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2021-11-05

Patch-Name: doc-hash-tab-completion.patch

Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to.  Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).

Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14

Patch-Name: ssh-argv0.patch

No single bug reference for this patch, but history includes:
 https://bugs.debian.org/154434 (login.conf(5))
 https://bugs.debian.org/513417 (/etc/rc)
 https://bugs.debian.org/530692 (ssl(8))
 https://bugs.launchpad.net/bugs/456660 (ssl(8))
 https://bugs.debian.org/998069 (rdomain(4))

Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: openbsd-docs.patch

Tomas Pospisek authored Feb 09, 2014 and Colin Watson committed Apr 08, 2022

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14

Patch-Name: authorized-keys-man-symlink.patch

Kees Cook authored Feb 09, 2014 and Colin Watson committed Apr 08, 2022

Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: debian-banner.patch