Revisions of openssh

Hans Petter Jansson (hpjansson) committed (revision 227)
Add openssh-whitelist-syscalls.patch
Hans Petter Jansson (hpjansson) accepted request 867202 from Thorsten Kukuk (kukuk) (revision 226)
- Add support for /etc/ssh/ssh_config.d and /etc/ssh/sshd_config.d
  (openssh-8.4p1-ssh_config_d.patch)

If the user changes are separated from the distribution changes, updating will be much easier, especially for MicroOS/SLE Micro. I implemented it like other distributions, especially Fedora, have already been doing for a long time.
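As an added illustration of why the placement of the Include directive matters for a drop-in directory like /etc/ssh/sshd_config.d (this is example code, not code from the patch, the package or OpenSSH): a small model of how sshd resolves a keyword under the two rules stated in sshd_config(5), that the first obtained value for a keyword wins and that an Include glob is expanded in lexical order. The FILES dictionary, its file names and their contents are constructed for the example and stand in for /etc/ssh; Match blocks are not modelled.

```python
"""Model of sshd(8) keyword resolution with an Include'd drop-in directory.

Added illustration only, not OpenSSH or openSUSE package code.  Two rules
from sshd_config(5) are modelled: for each keyword the first obtained value
is used, and an Include glob is expanded in lexical order.  Match blocks are
not modelled.  FILES is a constructed stand-in for /etc/ssh."""
import fnmatch
import shlex

FILES = {
    # Distribution-managed file with the drop-in directory included FIRST,
    # so anything an admin puts in sshd_config.d overrides the defaults.
    "/etc/ssh/sshd_config": """
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin prohibit-password
""",
    # Same directives but with the Include at the END: the distribution's
    # values are obtained first and the drop-ins silently lose.
    "/etc/ssh/sshd_config.include-last": """
PasswordAuthentication yes
PermitRootLogin prohibit-password
Include /etc/ssh/sshd_config.d/*.conf
""",
    "/etc/ssh/sshd_config.d/10-hardening.conf": "PasswordAuthentication no\n",
    "/etc/ssh/sshd_config.d/99-site.conf": (
        "PasswordAuthentication yes   # loses to 10-hardening.conf (sorted later)\n"
        "PermitRootLogin no\n"
    ),
}


def expand_include(pattern):
    """Paths matching an Include glob, in lexical order like sshd processes them."""
    return sorted(p for p in FILES if fnmatch.fnmatch(p, pattern))


def directives(path):
    """Yield (keyword, value) pairs in the order sshd would obtain them."""
    for raw in FILES[path].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        keyword, *args = shlex.split(line)
        if keyword.lower() == "include":
            for included in expand_include(" ".join(args)):
                yield from directives(included)
        else:
            yield keyword.lower(), " ".join(args)


def effective(keyword, main="/etc/ssh/sshd_config"):
    """The value sshd would use for keyword: the first occurrence wins."""
    for k, v in directives(main):
        if k == keyword.lower():
            return v
    return None


if __name__ == "__main__":
    for main in ("/etc/ssh/sshd_config", "/etc/ssh/sshd_config.include-last"):
        print(main,
              "PasswordAuthentication =", effective("PasswordAuthentication", main),
              "PermitRootLogin =", effective("PermitRootLogin", main))
```

On a real host the equivalent check is `sshd -T | grep -i passwordauthentication`, which prints the effective value after all Includes have been processed, so a drop-in that lost to an earlier distribution default shows up immediately.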
Dirk Mueller (dirkmueller) accepted request 866259 from Hans Petter Jansson (hpjansson) (revision 225)
- Add openssh-fix-ssh-copy-id.patch, which fixes breakage
  introduced in 8.4p1 (bsc#1181311).

- sysusers-sshd.conf: use sysusers.d configuration file to create
  sshd user (avoid hard dependency on shadow).
Dirk Mueller (dirkmueller) accepted request 866139 from Hans Petter Jansson (hpjansson) (revision 224)
- Improve robustness of sshd init detection when upgrading from
  a pre-systemd distribution.

- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
  diffie-hellman-group14-sha1 key exchange back to the default
  list (bsc#1180958). This is needed for backwards compatibility
  with older platforms.
Hans Petter Jansson (hpjansson) accepted request 865536 from Hans Petter Jansson (hpjansson) (revision 223)
- Make sure sshd is enabled correctly when upgrading from a
  pre-systemd distribution (bsc#1180083).
Hans Petter Jansson (hpjansson) accepted request 863944 from Dirk Mueller (dirkmueller) (revision 222)
- update to 8.4p1:
  Security
  ========
 * ssh-agent(1): restrict ssh-agent from signing web challenges for
   FIDO/U2F keys.
 * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
   a FIDO resident key.
 * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
   each use. These keys may be generated using ssh-keygen using a new
   "verify-required" option. When a PIN-required key is used, the user
   will be prompted for a PIN to complete the signature operation.
  New Features
  ------------
 * sshd(8): authorized_keys now supports a new "verify-required"
   option to require FIDO signatures assert that the token verified
   that the user was present before making the signature. The FIDO
   protocol supports multiple methods for user-verification, but
   currently OpenSSH only supports PIN verification.
 * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
   signatures. Webauthn is a standard for using FIDO keys in web
   browsers. These signatures are a slightly different format to plain
   FIDO signatures and thus require explicit support.
 * ssh(1): allow some keywords to expand shell-style ${ENV}
   environment variables. The supported keywords are CertificateFile,
   ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
   RemoteForward when used for Unix domain socket paths. bz#3140
 * ssh(1), ssh-agent(1): allow some additional control over the use of
   ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
   including forcibly enabling and disabling its use. bz#69
 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
Hans Petter Jansson (hpjansson) accepted request 861491 from Hans Petter Jansson (hpjansson) (revision 221)
- Update openssh-8.1p1-audit.patch (bsc#1180501). This fixes
  occasional crashes on connection termination caused by accessing
  freed memory.
Hans Petter Jansson (hpjansson) accepted request 851366 from Thorsten Kukuk (kukuk) (revision 220)
- Support /usr/etc/pam.d
Hans Petter Jansson (hpjansson) accepted request 849311 from Hans Petter Jansson (hpjansson) (revision 219)
- Fix build breakage caused by missing security key objects:
  + Modify openssh-7.7p1-cavstest-ctr.patch.
  + Modify openssh-7.7p1-cavstest-kdf.patch.
  + Add openssh-link-with-sk.patch.

- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939).
  This ensures only approved DH parameters are used in FIPS mode.

- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799).
  This uses OpenSSL's RAND_bytes() directly instead of the internal
  ChaCha20-based implementation to obtain random bytes for Ed25519
  curve computations. This is required for FIPS compliance.
Hans Petter Jansson (hpjansson) accepted request 840337 from Hans Petter Jansson (hpjansson) (revision 218)
- Work around %service_add_post disabling sshd on upgrade with
  package name change (bsc#1177039).

- Use of DISABLE_RESTART_ON_UPDATE is deprecated.
  Replace it with %service_del_postun_without_restart
buildservice-autocommit accepted request 837828 from Hans Petter Jansson (hpjansson) (revision 216)
baserev update by copy to link target
Hans Petter Jansson (hpjansson) accepted request 837497 from Dominique Leuenberger (dimstar) (revision 215)
- Fix fillup-template usage:
  + %post server needs to reference ssh (not sshd), which matches
    the sysconfig.ssh file name the package ships.
  + %post client does not need any fillup_ calls, as there is no
    client-relevant sysconfig file present. The naming of the
    sysconfig file (ssh instead of sshd) is unfortunate.
Hans Petter Jansson (hpjansson) accepted request 835301 from Jan Engelhardt (jengelh) (revision 214)
(re)based onto//includes 835039

- Move some Requires to the right subpackage.
Marcus Meissner (msmeissn) accepted request 833579 from Hans Petter Jansson (hpjansson) (revision 213)
- Split openssh package into openssh, openssh-server and
  openssh-clients. This allows for the ssh clients to be installed
  without the server component (bsc#1176434).

- Supplement openssh-clients instead of openssh (bsc#1176434).
buildservice-autocommit accepted request 812018 from Marcus Meissner (msmeissn) (revision 212)
baserev update by copy to link target
Marcus Meissner (msmeissn) accepted request 811897 from Hans Petter Jansson (hpjansson) (revision 211)
- Version update to 8.3p1:
  = Potentially-incompatible changes
  * sftp(1): reject an argument of "-1" in the same way as ssh(1) and
    scp(1) do instead of accepting and silently ignoring it.
  = New features
  * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
    rhosts/shosts, "no" to allow rhosts/shosts or (new) "shosts-only"
    to allow .shosts files but not .rhosts.
  * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
    sshd_config, not just before any Match blocks.
  * ssh(1): add %TOKEN percent expansion for the LocalForward and
    RemoteForward keywords when used for Unix domain socket forwarding.
  * all: allow loading public keys from the unencrypted envelope of a
    private key file if no corresponding public key file is present.
  * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
    possible instead of the (slower) portable C implementation included
    in OpenSSH.
  * ssh-keygen(1): add ability to dump the contents of a binary key
    revocation list via "ssh-keygen -lQf /path".
- Additional changes from 8.2p1 release:
  = Potentially-incompatible changes
  * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
    (RSA/SHA1) algorithm from those accepted for certificate signatures
    (i.e. the client and server CASignatureAlgorithms option) and will
    use the rsa-sha2-512 signature algorithm by default when the
    ssh-keygen(1) CA signs new certificates.
  * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
    from the default key exchange proposal for both the client and
    server.
  * ssh-keygen(1): the command-line options related to the generation
buildservice-autocommit accepted request 811148 from Vítězslav Čížek (vitezslav_cizek) (revision 210)
baserev update by copy to link target
Vítězslav Čížek (vitezslav_cizek) accepted request 810465 from Andreas Stieger (AndreasStieger) (revision 209)
- add upstream signing key to actually verify source signature
buildservice-autocommit accepted request 780476 from Tomáš Chvátal (scarabeus_iv) (revision 208)
baserev update by copy to link target
Displaying revisions 41 - 60 of 267