Package: openssh / 1:6.6p1-4~bpo70+1

Metadata

Package Version Patches format
openssh 1:6.6p1-4~bpo70+1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
gssapi.patch | (download)

ChangeLog.gssapi | 113 113 + 0 - 0 !
Makefile.in | 3 2 + 1 - 0 !
auth-krb5.c | 17 15 + 2 - 0 !
auth2-gss.c | 48 45 + 3 - 0 !
auth2.c | 2 2 + 0 - 0 !
clientloop.c | 13 13 + 0 - 0 !
config.h.in | 6 6 + 0 - 0 !
configure | 57 57 + 0 - 0 !
configure.ac | 24 24 + 0 - 0 !
gss-genr.c | 275 271 + 4 - 0 !
gss-serv-krb5.c | 85 78 + 7 - 0 !
gss-serv.c | 221 193 + 28 - 0 !
kex.c | 16 16 + 0 - 0 !
kex.h | 14 14 + 0 - 0 !
kexgssc.c | 332 332 + 0 - 0 !
kexgsss.c | 289 289 + 0 - 0 !
key.c | 3 2 + 1 - 0 !
key.h | 1 1 + 0 - 0 !
monitor.c | 108 107 + 1 - 0 !
monitor.h | 3 3 + 0 - 0 !
monitor_wrap.c | 47 46 + 1 - 0 !
monitor_wrap.h | 4 3 + 1 - 0 !
readconf.c | 42 42 + 0 - 0 !
readconf.h | 5 5 + 0 - 0 !
servconf.c | 38 37 + 1 - 0 !
servconf.h | 3 3 + 0 - 0 !
ssh-gss.h | 41 37 + 4 - 0 !
ssh_config | 2 2 + 0 - 0 !
ssh_config.5 | 34 33 + 1 - 0 !
sshconnect2.c | 124 120 + 4 - 0 !
sshd.c | 110 110 + 0 - 0 !
sshd_config | 2 2 + 0 - 0 !
sshd_config.5 | 28 28 + 0 - 0 !
33 files changed, 2051 insertions(+), 59 deletions(-)

 gssapi key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years.  This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface.  This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."

However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have).  It seems to have a generally good
security history.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2014-03-19

Patch-Name: gssapi.patch

selinux role.patch | (download)

auth.h | 1 1 + 0 - 0 !
auth1.c | 8 7 + 1 - 0 !
auth2.c | 10 8 + 2 - 0 !
monitor.c | 32 29 + 3 - 0 !
monitor.h | 2 2 + 0 - 0 !
monitor_wrap.c | 22 20 + 2 - 0 !
monitor_wrap.h | 3 2 + 1 - 0 !
openbsd-compat/port-linux.c | 27 20 + 7 - 0 !
openbsd-compat/port-linux.h | 4 2 + 2 - 0 !
platform.c | 4 2 + 2 - 0 !
platform.h | 2 1 + 1 - 0 !
session.c | 10 5 + 5 - 0 !
session.h | 2 1 + 1 - 0 !
sshd.c | 2 1 + 1 - 0 !
sshpty.c | 4 2 + 2 - 0 !
sshpty.h | 2 1 + 1 - 0 !
16 files changed, 104 insertions(+), 31 deletions(-)

 handle selinux authorisation roles

Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
ssh vulnkey compat.patch | (download)

readconf.c | 1 1 + 0 - 0 !
servconf.c | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+)

 accept obsolete ssh-vulnkey configuration options

These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.

ssh1 keepalive.patch | (download)

clientloop.c | 25 15 + 10 - 0 !
ssh_config.5 | 5 4 + 1 - 0 !
2 files changed, 19 insertions(+), 11 deletions(-)

 partial server keep-alive implementation for ssh1

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
keepalive extensions.patch | (download)

readconf.c | 14 12 + 2 - 0 !
ssh_config.5 | 21 19 + 2 - 0 !
sshd_config.5 | 3 3 + 0 - 0 !
3 files changed, 34 insertions(+), 4 deletions(-)

 various keepalive extensions

Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval.  (We're probably stuck with this bit for
compatibility.)

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
keepalives.

syslog level silent.patch | (download)

log.c | 1 1 + 0 - 0 !
ssh.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 "loglevel silent" compatibility

"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it.  The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.

quieter signals.patch | (download)

clientloop.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 reduce severity of "killed by signal %d"

This produces irritating messages when using ProxyCommand or other programs
that use ssh under the covers (e.g. Subversion).  These messages are more
normally printed by the calling program, such as the shell.

According to the upstream bug, the right way to avoid this is to use the -q
option, so we may drop this patch after further investigation into whether
any software in Debian is still relying on it.

helpful wait terminate.patch | (download)

serverloop.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 mention ~& when waiting for forwarded connections to terminate

Bug-Debian: http://bugs.debian.org/50308
consolekit.patch | (download)

Makefile.in | 3 2 + 1 - 0 !
configure | 132 132 + 0 - 0 !
configure.ac | 25 25 + 0 - 0 !
consolekit.c | 240 240 + 0 - 0 !
consolekit.h | 24 24 + 0 - 0 !
monitor.c | 42 42 + 0 - 0 !
monitor.h | 2 2 + 0 - 0 !
monitor_wrap.c | 30 30 + 0 - 0 !
monitor_wrap.h | 4 4 + 0 - 0 !
session.c | 13 13 + 0 - 0 !
session.h | 6 6 + 0 - 0 !
11 files changed, 520 insertions(+), 1 deletion(-)

 add support for registering consolekit sessions on login

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
Last-Updated: 2014-03-20

Patch-Name: consolekit.patch

user group modes.patch | (download)

auth-rhosts.c | 6 2 + 4 - 0 !
auth.c | 9 3 + 6 - 0 !
misc.c | 69 68 + 1 - 0 !
misc.h | 2 2 + 0 - 0 !
platform.c | 16 0 + 16 - 0 !
readconf.c | 5 3 + 2 - 0 !
ssh.1 | 2 2 + 0 - 0 !
ssh_config.5 | 2 2 + 0 - 0 !
8 files changed, 82 insertions(+), 29 deletions(-)

 allow harmless group-writability

Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem).  Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
scp quoting.patch | (download)

scp.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 adjust scp quoting in verbose mode

Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.

This should be revised to mimic real shell quoting.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
shell path.patch | (download)

sshconnect.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 look for $shell on the path for proxycommand/localcommand

There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
dnssec sshfp.patch | (download)

dns.c | 14 13 + 1 - 0 !
openbsd-compat/getrrsetbyname.c | 10 5 + 5 - 0 !
openbsd-compat/getrrsetbyname.h | 3 3 + 0 - 0 !
3 files changed, 21 insertions(+), 6 deletions(-)

 force use of dnssec even if "options edns0" isn't in resolv.conf

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

auth log verbosity.patch | (download)

auth-options.c | 35 26 + 9 - 0 !
auth-options.h | 1 1 + 0 - 0 !
auth-rsa.c | 2 2 + 0 - 0 !
auth2-pubkey.c | 3 3 + 0 - 0 !
4 files changed, 32 insertions(+), 9 deletions(-)

 quieten logs when multiple from= restrictions are used

Bug-Debian: http://bugs.debian.org/630606
mention ssh keygen on keychange.patch | (download)

sshconnect.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 mention ssh-keygen in ssh fingerprint changed warning

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
package versioning.patch | (download)

sshconnect.c | 4 2 + 2 - 0 !
sshd.c | 2 1 + 1 - 0 !
version.h | 7 6 + 1 - 0 !
3 files changed, 9 insertions(+), 4 deletions(-)

 include the debian version in our identification

This makes it easier to audit networks for versions patched against security
vulnerabilities.  It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings.  (However, see debian-banner.patch.)

debian banner.patch | (download)

servconf.c | 9 9 + 0 - 0 !
servconf.h | 2 2 + 0 - 0 !
sshd.c | 3 2 + 1 - 0 !
sshd_config.5 | 5 5 + 0 - 0 !
4 files changed, 18 insertions(+), 1 deletion(-)

 add debianbanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
authorized keys man symlink.patch | (download)

Makefile.in | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 install authorized_keys(5) as a symlink to sshd(8)

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
lintian symlink pickiness.patch | (download)

Makefile.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix picky lintian errors about slogin symlinks

Apparently this breaks some SVR4 packaging systems, so upstream can't win
either way and opted to keep the status quo.  We need this patch anyway.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
openbsd docs.patch | (download)

moduli.5 | 4 2 + 2 - 0 !
ssh-keygen.1 | 12 4 + 8 - 0 !
ssh.1 | 4 4 + 0 - 0 !
sshd.8 | 5 2 + 3 - 0 !
sshd_config.5 | 3 1 + 2 - 0 !
5 files changed, 13 insertions(+), 15 deletions(-)

 adjust various openbsd-specific references in manual pages

No single bug reference for this patch, but history includes:
 http://bugs.debian.org/154434 (login.conf(5))
 http://bugs.debian.org/513417 (/etc/rc)
 http://bugs.debian.org/530692 (ssl(8))
 https://bugs.launchpad.net/bugs/456660 (ssl(8))

ssh argv0.patch | (download)

ssh.1 | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 ssh(1): refer to ssh-argv0(1)

Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to.  Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).

Bug-Debian: http://bugs.debian.org/111341
doc hash tab completion.patch | (download)

ssh_config.5 | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 document that hashknownhosts may break tab-completion

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
doc upstart.patch | (download)

sshd.8 | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 refer to ssh's upstart job as well as its init script

ssh agent setgid.patch | (download)

ssh-agent.1 | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 document consequences of ssh-agent being setgid in ssh-agent(1)

Bug-Debian: http://bugs.debian.org/711623
no openssl version check.patch | (download)

entropy.c | 12 0 + 12 - 0 !
1 file changed, 12 deletions(-)

 disable openssl version check

OpenSSL's SONAME is sufficient nowadays.

gnome ssh askpass2 icon.patch | (download)

contrib/gnome-ssh-askpass2.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 give the ssh-askpass-gnome window a default icon

Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
sigstop.patch | (download)

sshd.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 support synchronisation with service supervisor using sigstop

debian config.patch | (download)

readconf.c | 2 1 + 1 - 0 !
ssh_config | 7 6 + 1 - 0 !
ssh_config.5 | 19 18 + 1 - 0 !
sshd_config | 1 1 + 0 - 0 !
sshd_config.5 | 25 25 + 0 - 0 !
5 files changed, 51 insertions(+), 3 deletions(-)

 various debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
default.

sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
PermitRootLogin default.

Document all of this, along with several sshd defaults set in
debian/openssh-server.postinst.

sshfp_with_server_cert_upstr | (download)

sshconnect.c | 42 26 + 16 - 0 !
1 file changed, 26 insertions(+), 16 deletions(-)

 attempt sshfp lookup even if server presents a certificate

If an ssh server presents a certificate to the client, then the client
does not check the DNS for SSHFP records. This means that a malicious
server can essentially disable DNS-host-key-checking, which means the
client will fall back to asking the user (who will just say "yes" to
the fingerprint, sadly).

This patch is by Damien Miller (of openssh upstream). It's simpler
than the patch by Mark Wooding which I applied yesterday; a copy is
taken of the proffered key/cert, the key extracted from the cert (if
necessary), and then the DNS consulted.

Signed-off-by: Matthew Vernon <matthew@debian.org>
Bug-Debian: http://bugs.debian.org/742513
Patch-Name: sshfp_with_server_cert_upstr

curve25519 sha256 bignum encoding.patch | (download)

bufaux.c | 5 4 + 1 - 0 !
compat.c | 17 16 + 1 - 0 !
compat.h | 2 2 + 0 - 0 !
sshconnect2.c | 2 2 + 0 - 0 !
sshd.c | 3 3 + 0 - 0 !
version.h | 2 1 + 1 - 0 !
6 files changed, 28 insertions(+), 3 deletions(-)

 bad bignum encoding for curve25519-sha256@libssh.org

Hi,

So I screwed up when writing the support for the curve25519 KEX method
that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
leading zero bytes where they should have been skipped. The impact of
this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
peer that implements curve25519-sha256@libssh.org properly about 0.2%
of the time (one in every 512ish connections).

We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
key exchange for previous versions, but I'd recommend distributors
of OpenSSH apply this patch so the affected code doesn't become
too entrenched in LTS releases.

The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
to distinguish itself from the incorrect versions so the compatibility
code to disable the affected KEX isn't activated.

I've committed this on the 6.6 branch too.

Apologies for the hassle.

-d