Commits · master · Steve Langasek / openssh

23 Aug, 2022 2 commits
- Typo fix, thanks Simon · f658cfde
  Steve Langasek authored Aug 23, 2022
  
  f658cfde
- Fix README.Debian documentation for socket activation · e75b0292
  Steve Langasek authored Aug 23, 2022
  
  e75b0292
19 Aug, 2022 5 commits

Fix wrong invocation of getsockname() · a1b5b292
Steve Langasek authored Aug 19, 2022
```
The len argument has to be initialized to the size of available memory.
```
a1b5b292

Don't ignore errors from systemctl · 512f9883

Steve Langasek authored Aug 18, 2022

Per Colin's suggestion, wrap these calls in a check that we're on a systemd
system and allow errors to propagate instead of using '|| true'

512f9883

Don't try to set IPV6_V6ONLY on systemd sockets · 055f52b2
Steve Langasek authored Aug 06, 2022
```
Addresses are taken care of by systemd; trying to set this will either fail,
or be wrong.
```
055f52b2

Move the systemd branch into server_listen() · fb52a6d3

Steve Langasek authored Aug 06, 2022

server_listen() includes some initialization code for the MaxStartups option
which we were accidentally skipping, leading to uninitialized variables.
This seems to have worked by accident on jammy and fails with a different
toolchain.

fb52a6d3

Migrate any existing inetd-style socket activation to systemd socket activation · 0dc73888
Steve Langasek authored Aug 05, 2022

0dc73888

12 Aug, 2022 2 commits
- Fix to make reexec protocol work with systemd socket activation · b7b5b185
  Steve Langasek authored Aug 05, 2022
  
  b7b5b185
- Support systemd socket activation · 71f9011b
  Steve Langasek authored May 03, 2022
  
  71f9011b
11 Aug, 2022 1 commit
- Work around apparent dh-exec regressions · dd1e52af
  Colin Watson authored Aug 11, 2022
```
Closes: #1016340
```
  dd1e52af
19 Apr, 2022 3 commits
- Add changelog entry · de790f93
  Colin Watson authored Apr 19, 2022
  
  de790f93
- Merge branch 'flurb-master-patch-38465' into 'master' · 3ebc8161
  Markus Teich authored Apr 19, 2022
```
Delete obsolete upstart configuration override

See merge request !13
```
  3ebc8161
- Delete obsolete upstart configuration override · 1fb0849d
  Markus Teich authored Apr 19, 2022
```
Upstart jobs were deleted with b4fc0d32 4 years ago. This `.override` file apparently was forgotten in that cleanup.
```
  1fb0849d
09 Apr, 2022 2 commits
- releasing package openssh version 1:9.0p1-1 · b26877f4
  Colin Watson authored Apr 09, 2022
  
  b26877f4
- New upstream release (9.0p1) · 3ba036e4
  Colin Watson authored Apr 08, 2022
  
  3ba036e4
08 Apr, 2022 25 commits

Work around missing RSA SHA-2 signature support in conch · 62afaa06

Colin Watson authored Feb 15, 2022

This is fixed in Twisted upstream
(https://twistedmatrix.com/trac/ticket/9765).  Work around this until
the fix is in Debian.

Forwarded: not-needed
Last-Update: 2022-02-16

Patch-Name: conch-ssh-rsa.patch

62afaa06

Define MAXHOSTNAMELEN on GNU/Hurd · 4c3d1502
Svante Signell authored Nov 05, 2021 and Colin Watson committed Apr 08, 2022
```
Bug-Debian: https://bugs.debian.org/997030
Last-Update: 2021-11-05

Patch-Name: maxhostnamelen.patch
```
4c3d1502

Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for" · 13f1477a

Colin Watson authored Apr 08, 2019

This reverts commit 5ee8448a.

The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.

Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08

Patch-Name: revert-ipqos-defaults.patch

13f1477a

Restore reading authorized_keys2 by default · b6e525a3

Colin Watson authored Mar 05, 2017

Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever.  However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.

Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05

Patch-Name: restore-authorized_keys2.patch

b6e525a3

Various Debian-specific configuration changes · 57b17147

Colin Watson authored Feb 09, 2014

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication by default.

ssh: Include /etc/ssh/ssh_config.d/*.conf.

sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

sshd: Include /etc/ssh/sshd_config.d/*.conf.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: debian-config.patch

57b17147

Add systemd readiness notification support · 3f88d663
Michael Biebl authored Dec 21, 2015 and Colin Watson committed Apr 08, 2022
```
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22

Patch-Name: systemd-readiness.patch
```
3f88d663
Give the ssh-askpass-gnome window a default icon · 6efbc1e6
Vincent Untz authored Feb 09, 2014 and Colin Watson committed Apr 08, 2022
```
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28

Patch-Name: gnome-ssh-askpass2-icon.patch
```
6efbc1e6

Don't check the status field of the OpenSSL version · ebdad572

Kurt Roeckx authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

There is no reason to check the version of OpenSSL (in Debian).  If it's
not compatible the soname will change.  OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same.  Remove that check on the status since
it doesn't tell you anything about how compatible that version is.

Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07

Patch-Name: no-openssl-version-status.patch

ebdad572

Document consequences of ssh-agent being setgid in ssh-agent(1) · f4598709

Colin Watson authored Feb 09, 2014

Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21

Patch-Name: ssh-agent-setgid.patch

f4598709

Document that HashKnownHosts may break tab-completion · c09f880f

Colin Watson authored Feb 09, 2014

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2021-11-05

Patch-Name: doc-hash-tab-completion.patch

c09f880f

ssh(1): Refer to ssh-argv0(1) · 06394e02

Colin Watson authored Feb 09, 2014

Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to.  Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).

Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14

Patch-Name: ssh-argv0.patch

06394e02

Adjust various OpenBSD-specific references in manual pages · 10547745

Colin Watson authored Feb 09, 2014

No single bug reference for this patch, but history includes:
 https://bugs.debian.org/154434 (login.conf(5))
 https://bugs.debian.org/513417 (/etc/rc)
 https://bugs.debian.org/530692 (ssl(8))
 https://bugs.launchpad.net/bugs/456660 (ssl(8))
 https://bugs.debian.org/998069 (rdomain(4))

Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: openbsd-docs.patch

10547745

Install authorized_keys(5) as a symlink to sshd(8) · 83732d73

Tomas Pospisek authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14

Patch-Name: authorized-keys-man-symlink.patch

83732d73

Add DebianBanner server configuration option · 6106ce23

Kees Cook authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: debian-banner.patch

6106ce23

Include the Debian version in our identification · 00b2bf85

Matthew Vernon authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

This makes it easier to audit networks for versions patched against security
vulnerabilities.  It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings.  (However, see debian-banner.patch.)

Forwarded: not-needed
Last-Update: 2021-11-05

Patch-Name: package-versioning.patch

00b2bf85

Mention ssh-keygen in ssh fingerprint changed warning · 10effe40

Scott Moser authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2017-08-22

Patch-Name: mention-ssh-keygen-on-keychange.patch

10effe40

Force use of DNSSEC even if "options edns0" isn't in resolv.conf · 93816f47

Colin Watson authored Feb 09, 2014

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06

Patch-Name: dnssec-sshfp.patch

93816f47

Look for $SHELL on the path for ProxyCommand/LocalCommand · 4f7c21ed

Colin Watson authored Feb 09, 2014

There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21

Patch-Name: shell-path.patch

4f7c21ed

Adjust scp quoting in verbose mode · 2d460930

Nicolas Valcárcel authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.

This should be revised to mimic real shell quoting.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27

Patch-Name: scp-quoting.patch

2d460930

Allow harmless group-writability · 2d15f920

Colin Watson authored Feb 09, 2014

Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem).  Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2022-02-23

Patch-Name: user-group-modes.patch

2d15f920

"LogLevel SILENT" compatibility · 5bb1e143

Natalie Amery authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it.  The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.

Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14

Patch-Name: syslog-level-silent.patch

5bb1e143

Various keepalive extensions · 57c7efa6

Richard Kettlewell authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval.  (We're probably stuck with this bit for
compatibility.)

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
keepalives.

Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2021-11-05

Patch-Name: keepalive-extensions.patch

57c7efa6

Accept obsolete ssh-vulnkey configuration options · 3ebfc579

Colin Watson authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.

Last-Update: 2014-02-09

Patch-Name: ssh-vulnkey-compat.patch

3ebfc579

Handle SELinux authorisation roles · 04fd5243

Manoj Srivastava authored Feb 09, 2014 and

Colin Watson committed Apr 08, 2022

Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2021-11-05

Patch-Name: selinux-role.patch

04fd5243

Restore TCP wrappers support · 90dd355b

Colin Watson authored Oct 07, 2014

Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
and thread:

  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

It is true that this reduces preauth attack surface in sshd.  On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.

It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.

Forwarded: not-needed
Last-Update: 2022-02-23

Patch-Name: restore-tcp-wrappers.patch

90dd355b