Revisions of openssh
Stephan Kulow (coolo)
accepted
request 234675
from
Petr Cerny (pcerny)
(revision 97)
- Remove tcpwrappers support now. This feature was removed in upstream code at the end of April and the underlying libraries are abandonware. See: http://comments.gmane.org/gmane.linux.suse.general/348119 (forwarded request 234473 from elvigia)
Stephan Kulow (coolo)
accepted
request 231428
from
Petr Cerny (pcerny)
(revision 96)
- curve25519 key exchange fix (-curve25519-6.6.1p1.patch)
- patch re-ordering (-audit3-key_auth_usage-fips.patch, -audit4-kex_results-fips.patch)
(forwarded request 231427 from pcerny)
Tomáš Chvátal (scarabeus_factory)
accepted
request 230190
from
Petr Cerny (pcerny)
(revision 95)
- Update of the underlying OpenSSH to 6.6p1
- Remove unneeded dependency on the OpenLDAP server (openldap2) from openssh-helpers. openssh-helpers just depends on the openldap client libraries, which will be auto-generated by rpm.
- update to 6.6p1
  Security:
  * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6 could be tricked into accepting any environment variable that contains the characters before the wildcard character.
  Features since 6.5p1:
  * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time.
  * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks.
  * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.
  Bugfixes:
  * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692
  * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase.
  * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
Stephan Kulow (coolo)
accepted
request 227709
from
Marcus Meissner (msmeissn)
(revision 94)
- Update openssh-6.5p1-audit4-kex_results.patch to ensure that we don't pass a NULL string to buffer_put_cstring. This happens when you have "Ciphers chacha20-poly1305@openssh.com" directive. (forwarded request 227423 from namtrac)
Stephan Kulow (coolo)
accepted
request 226335
from
Petr Cerny (pcerny)
(revision 93)
- re-enabling the GSSAPI Key Exchange patch !!! currently breaks anything else than Factory (forwarded request 226334 from pcerny)
Stephan Kulow (coolo)
accepted
request 224303
from
Petr Cerny (pcerny)
(revision 92)
- re-enabling FIPS-enablement patch
- enable X11 forwarding when IPv6 is present but disabled on server (bnc#712683, FATE#31503; -X_forward_with_disabled_ipv6.patch)
(forwarded request 224302 from pcerny)
Stephan Kulow (coolo)
accepted
request 223064
from
Marcus Meissner (msmeissn)
(revision 91)
- openssh-6.5p1-seccomp_getuid.patch: re-enabling the seccomp sandbox (allowing use of the getuid syscall) (bnc#864171)
Stephan Kulow (coolo)
accepted
request 222366
from
Petr Cerny (pcerny)
(revision 90)
- Update of the underlying OpenSSH to 6.5p1
- Update to 6.5p1
  Features since 6.4p1:
  * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it.
  * ssh(1), sshd(8): support for Ed25519 as a public key type for both server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance.
  * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key.
  * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented in PROTOCOL.chacha20poly1305.
  * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release.
  * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation.
  * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by
(forwarded request 222365 from pcerny)
Adrian Schröter (adrianSuSE)
committed
(revision 89)
Split 13.1 from Factory
Stephan Kulow (coolo)
accepted
request 198435
from
Sascha Peilicke (saschpe)
(revision 88)
- fix the logic in openssh-nodaemon-nopid.patch which is broken and pid_file therefore still being created. (forwarded request 198380 from elvigia)
Stephan Kulow (coolo)
accepted
request 185890
from
Marcus Meissner (msmeissn)
(revision 87)
- Update for 6.2p2
- Update to version 6.2p2
  * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption
  * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
  * ssh(1)/sshd(8): Added support for the UMAC-128 MAC
  * sshd(8): Added support for multiple required authentication
  * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
  * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1) now immediately sends its SSH protocol banner to the server without waiting to receive the server's banner, saving time when connecting.
  * dozens of other changes, see http://www.openssh.org/txt/release-6.2
(forwarded request 185789 from elvigia)
Stephan Kulow (coolo)
accepted
request 181731
from
Marcus Meissner (msmeissn)
(revision 86)
- avoid the build cycle between curl, krb5, libssh2_org and openssh by using krb5-mini-devel (forwarded request 181706 from coolo)
Stephan Kulow (coolo)
accepted
request 180225
from
Marcus Meissner (msmeissn)
(revision 85)
- Recommend xauth, X11-forwarding won't work if it is not installed
- sshd.service: Do not order after syslog.target, it is not required or recommended and that target does not even exist anymore.
Adrian Schröter (adrianSuSE)
committed
(revision 84)
Split 12.3 from Factory
Stephan Kulow (coolo)
accepted
request 147498
from
Petr Cerny (pcerny)
(revision 83)
- use ssh-keygen(1) default keylengths in generating the host key instead of hardcoding it (forwarded request 147497 from dirkmueller)
Stephan Kulow (coolo)
accepted
request 141129
from
Marcus Meissner (msmeissn)
(revision 82)
- Updated to 6.1p1, a bugfix release
  Features:
  * sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
  * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel
  * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
  * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
  * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
  * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
  * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
  * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
  * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
  * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
  Bugfixes:
  * ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
  * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023,
  * sshd(8): Handle long comments in config files better. bz#2025
  * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
  * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
Stephan Kulow (coolo)
accepted
request 139516
from
Marcus Meissner (msmeissn)
(revision 81)
- explicit buildrequire groff, needed for man pages (forwarded request 139460 from coolo)
Stephan Kulow (coolo)
accepted
request 139103
from
Factory Maintainer (factory-maintainer)
(revision 80)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo)
accepted
request 134088
from
Factory Maintainer (factory-maintainer)
(revision 79)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo)
accepted
request 126287
from
Marcus Meissner (msmeissn)
(revision 78)
- the gnome askpass does not require the x11 askpass - especially not in the version of openssh (it's at 1.X) (forwarded request 126286 from coolo)
Displaying revisions 81 - 100 of 177