openssh - Debian Package Tracker (original) (raw)

vcswatch reports that this package seems to have a new changelog entry (version 1:9.9p1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 5a0643ced1d587c8be0aa01cd3fafa4aa6ac2454 Author: Colin Watson cjwatson@debian.org Date: Tue Oct 15 16:45:52 2024 +0100

ssh-gssapi autopkgtest needs sudo now

commit 7d291bb6319611a01dfa0f56fd161db11547320f Merge: a4ca8f9 38f95ea Author: Colin Watson cjwatson@debian.org Date: Mon Oct 14 19:06:08 2024 +0100

Fix interaction between gssapi-keyex and pubkey auth

Don't prefer host-bound public key signatures if there was no initial
host key, as is the case when using GSS-API key exchange.

Closes: #1041521

commit 38f95eae479c70eacf56572b83a0b4c0d7f39be0 Author: Daan De Meyer daan.j.demeyer@gmail.com Date: Mon Mar 20 20:22:14 2023 +0100

Only set PAM_RHOST if the remote host is not "UNKNOWN"

When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.

To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".

Author: Daan De Meyer <daan.j.demeyer@gmail.com>
Last-Update: 2024-04-03

Patch-Name: pam-avoid-unknown-host.patch

commit 74ebdfdde5a42dfa03964b0ca4016ccb57e19df2 Author: Colin Watson cjwatson@debian.org Date: Wed Apr 3 11:52:04 2024 +0100

Add Autoconf cache variables for OSSH_CHECK_*FLAG_*

This allows overriding them on configure's command line in case the
automatic checks go wrong somehow.  bz#3673

Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3
Last-Update: 2024-04-03

Patch-Name: configure-cache-vars.patch

commit fe68bfdd54c1608023711f63439924a6d466efe1 Author: Colin Watson cjwatson@debian.org Date: Sun Mar 31 00:24:11 2024 +0000

regress: Redirect conch stdin from /dev/zero

This is more convenient than requiring a controlling terminal.

Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3676
Last-Update: 2024-03-31

Patch-Name: regress-conch-dev-zero.patch

commit e0fdc43cf9fd94f71f357156b49b3296f16234c5 Author: Colin Watson cjwatson@debian.org Date: Mon Mar 11 16:24:49 2024 +0000

Skip utimensat test on ZFS

On ZFS (which may be used by e.g. `autopkgtest-virt-incus`), `utimensat`
seems to leave the access time set to 0.  It's not clear why.

Forwarded: no
Last-Update: 2024-03-11

Patch-Name: skip-utimensat-test-on-zfs.patch

commit 903d99f29389be5c768ef576ed5af43cb8a908de Author: Steve Langasek steve.langasek@ubuntu.com Date: Thu Sep 1 16:03:37 2022 +0100

Support systemd socket activation

Unlike inetd socket activation, with systemd socket activation the
supervisor passes the listened-on socket to the child process and lets
the child process handle the accept().  This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.

Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2024-08-02

Patch-Name: systemd-socket-activation.patch

commit 31d56e41b85d19099df261dc6258564019ba0218 Author: Svante Signell svante.signell@gmail.com Date: Fri Nov 5 23:22:53 2021 +0000

Define MAXHOSTNAMELEN on GNU/Hurd

Bug-Debian: https://bugs.debian.org/997030
Last-Update: 2021-11-05

Patch-Name: maxhostnamelen.patch

commit bef41555f2e735bffe89e91d4e9f5b4b157d7663 Author: Colin Watson cjwatson@debian.org Date: Mon Apr 8 10:46:29 2019 +0100

Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for"

This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.

The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.

Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08

Patch-Name: revert-ipqos-defaults.patch

commit d6bfcde360768009d66ecc052fa5d3e1a89fa5ce Author: Colin Watson cjwatson@debian.org Date: Sun Mar 5 02:02:11 2017 +0000

Restore reading authorized_keys2 by default

Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever.  However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.

Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05

Patch-Name: restore-authorized_keys2.patch

commit bcafde3235b00794b6d7ee62b8687a786aa08d4f Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:18 2014 +0000

Various Debian-specific configuration changes

ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).

ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).

ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.

ssh: Enable GSSAPIAuthentication by default.

ssh: Include /etc/ssh/ssh_config.d/*.conf.

sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
PrintMotd.

sshd: Enable X11Forwarding.

sshd: Set 'AcceptEnv LANG LC_*' by default.

sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.

sshd: Include /etc/ssh/sshd_config.d/*.conf.

sshd: Document Debian's default for SshdSessionPath.

regress: Run tests with 'UsePAM yes', to match sshd_config.

Document all of this.

Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2024-07-03

Patch-Name: debian-config.patch

commit 8542c03bc3d4325d9e8b03c7fb0340ff743e70e1 Author: Vincent Untz vuntz@ubuntu.com Date: Sun Feb 9 16:10:16 2014 +0000

Give the ssh-askpass-gnome window a default icon

Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28

Patch-Name: gnome-ssh-askpass2-icon.patch

commit 30154cd7eb49b9a5dafbdfd2d730fde5d2a9ea16 Author: Kurt Roeckx kurt@roeckx.be Date: Sun Feb 9 16:10:14 2014 +0000

Don't check the status field of the OpenSSL version

There is no reason to check the version of OpenSSL (in Debian).  If it's
not compatible the soname will change.  OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same.  Remove that check on the status since
it doesn't tell you anything about how compatible that version is.

Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2023-09-02

Patch-Name: no-openssl-version-status.patch

commit da7a6ece81d3c8ed572e9b8188975c0f787ee57a Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:13 2014 +0000

Document consequences of ssh-agent being setgid in ssh-agent(1)

Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21

Patch-Name: ssh-agent-setgid.patch

commit e0f5ef4ccd951f2c8dc30639019c2e45451389c3 Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:11 2014 +0000

Document that HashKnownHosts may break tab-completion

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2021-11-05

Patch-Name: doc-hash-tab-completion.patch

commit 9c28130b8475e321fb7f5d83f54de7725e53238e Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:10 2014 +0000

ssh(1): Refer to ssh-argv0(1)

Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to.  Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).

Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14

Patch-Name: ssh-argv0.patch

commit e868160317622303dd192460a186162dfa4b6c2e Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:09 2014 +0000

Adjust various OpenBSD-specific references in manual pages

No single bug reference for this patch, but history includes:
 https://bugs.debian.org/154434 (login.conf(5))
 https://bugs.debian.org/513417 (/etc/rc)
 https://bugs.debian.org/998069 (rdomain(4))

Forwarded: not-needed
Last-Update: 2024-07-03

Patch-Name: openbsd-docs.patch

commit a9fcf8497c9a34523f834e0982fee41daad78bc4 Author: Tomas Pospisek tpo_deb@sourcepole.ch Date: Sun Feb 9 16:10:07 2014 +0000

Install authorized_keys(5) as a symlink to sshd(8)

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14

Patch-Name: authorized-keys-man-symlink.patch

commit acf273b1eb60544826e13ffbd9967772c4f13e13 Author: Kees Cook kees@debian.org Date: Sun Feb 9 16:10:06 2014 +0000

Add DebianBanner server configuration option

Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2024-09-22

Patch-Name: debian-banner.patch

commit 5aeb7a317738bafded850091cb310274388d498f Author: Matthew Vernon matthew@debian.org Date: Sun Feb 9 16:10:05 2014 +0000

Include the Debian version in our identification

This makes it easier to audit networks for versions patched against security
vulnerabilities.  It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings.  (However, see debian-banner.patch.)

Forwarded: not-needed
Last-Update: 2023-12-18

Patch-Name: package-versioning.patch

commit 32e848548c722c9db2bf3ae50b1f13f1fd45619c Author: Scott Moser smoser@ubuntu.com Date: Sun Feb 9 16:10:03 2014 +0000

Mention ssh-keygen in ssh fingerprint changed warning

Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2023-12-11

Patch-Name: mention-ssh-keygen-on-keychange.patch

commit d4727dbc1b6618e4087fd35f15adee1a971cc92c Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:01 2014 +0000

Force use of DNSSEC even if "options edns0" isn't in resolv.conf

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2023-06-19

Patch-Name: dnssec-sshfp.patch

commit db03f4eab3e6e03b8568629aee068e7221d03c51 Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:10:00 2014 +0000

Look for $SHELL on the path for ProxyCommand/LocalCommand

There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21

Patch-Name: shell-path.patch

commit 7df75a1b544e1ac75377d4968b1171e005a3625e Author: Nicolas Valcárcel nvalcarcel@ubuntu.com Date: Sun Feb 9 16:09:59 2014 +0000

Adjust scp quoting in verbose mode

Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.

This should be revised to mimic real shell quoting.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27

Patch-Name: scp-quoting.patch

commit a3be0a7259302fe037d63546c78c5d3ca7fe3609 Author: Colin Watson cjwatson@debian.org Date: Sun Feb 9 16:09:58 2014 +0000

Allow harmless group-writability

Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner.  Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem).  Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2022-02-23

Patch-Name: user-group-modes.patch

commit fd1b38447970e7a0d5d567571f3bad35db4da90d Author: Natalie Amery nmamery@chiark.greenend.org.uk Date: Sun Feb 9 16:09:54 2014 +0000

"LogLevel SILENT" compatibility

"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors.  However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it.  The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.

Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14

Patch-Name: syslog-level-silent.patch

commit d927628a5a54212ba64b7a703a25d63aab0fb3a3 Author: Richard Kettlewell rjk@greenend.org.uk Date: Sun Feb 9 16:09:52 2014 +0000

Various keepalive extensions

Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval.  (We're probably stuck with this bit for
compatibility.)

In batch mode, default ServerAliveInterval to five minutes.

Adjust documentation to match and to give some more advice on use of
keepalives.

Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2024-09-13

Patch-Name: keepalive-extensions.patch

commit 9082cd8deab422393c5eee898a77f7dd2b505711 Author: Colin Watson cjwatson@ubuntu.com Date: Sun Feb 9 16:09:50 2014 +0000

Accept obsolete ssh-vulnkey configuration options

These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.

Last-Update: 2014-02-09

Patch-Name: ssh-vulnkey-compat.patch

commit c787621f9bfda401c9a289a8e0cfd00f242aad86 Author: Manoj Srivastava srivasta@debian.org Date: Sun Feb 9 16:09:49 2014 +0000

Handle SELinux authorisation roles

Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2024-07-03

Patch-Name: selinux-role.patch

commit c4f6a4d2c7ce9dcd29df3d447e7bc8ddf1b5c592 Author: Colin Watson cjwatson@debian.org Date: Tue Oct 7 13:22:41 2014 +0100

Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
and thread:

  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

It is true that this reduces preauth attack surface in sshd.  On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.

It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.

Forwarded: not-needed
Last-Update: 2024-08-02

Patch-Name: restore-tcp-wrappers.patch

commit 160d97105023e620b623f2f337327aa820bd0e5a Author: Simon Wilkinson simon@sxw.org.uk Date: Sun Feb 9 16:09:48 2014 +0000

GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years.  This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface.  This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."

However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have).  It seems to have a generally good
security history.

Author: Simon Wilkinson <simon@sxw.org.uk>
Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2024-10-14

Patch-Name: gssapi.patch