Commit Graph

9 Commits

Author SHA256 Message Date
Hans Petter Jansson
6543c1a02b Accepting request 863944 from home:dirkmueller:branches:network
- update to 8.4p1:
  Security
  ========
 * ssh-agent(1): restrict ssh-agent from signing web challenges for
   FIDO/U2F keys.
 * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
   a FIDO resident key.
 * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
   each use. These keys may be generated using ssh-keygen using a new
   "verify-required" option. When a PIN-required key is used, the user
   will be prompted for a PIN to complete the signature operation.
  New Features
  ------------
 * sshd(8): authorized_keys now supports a new "verify-required"
   option to require FIDO signatures assert that the token verified
   that the user was present before making the signature. The FIDO
   protocol supports multiple methods for user-verification, but
   currently OpenSSH only supports PIN verification.
 * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
   signatures. Webauthn is a standard for using FIDO keys in web
   browsers. These signatures are a slightly different format to plain
   FIDO signatures and thus require explicit support.
 * ssh(1): allow some keywords to expand shell-style ${ENV}
   environment variables. The supported keywords are CertificateFile,
   ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
   RemoteForward when used for Unix domain socket paths. bz#3140
 * ssh(1), ssh-agent(1): allow some additional control over the use of
   ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
   including forcibly enabling and disabling its use. bz#69
 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time

OBS-URL: https://build.opensuse.org/request/show/863944
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
2021-01-18 01:12:55 +00:00
dbcbd30908 Accepting request 811897 from home:hpjansson:openssh-8.3
- Version update to 8.3p1:
  = Potentially-incompatible changes
  * sftp(1): reject an argument of "-1" in the same way as ssh(1) and
    scp(1) do instead of accepting and silently ignoring it.
  = New features
  * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
    rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
    to allow .shosts files but not .rhosts.
  * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
    sshd_config, not just before any Match blocks.
  * ssh(1): add %TOKEN percent expansion for the LocalFoward and
    RemoteForward keywords when used for Unix domain socket forwarding.
  * all: allow loading public keys from the unencrypted envelope of a
    private key file if no corresponding public key file is present.
  * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
    possible instead of the (slower) portable C implementation included
    in OpenSSH.
  * ssh-keygen(1): add ability to dump the contents of a binary key
    revocation list via "ssh-keygen -lQf /path".
- Additional changes from 8.2p1 release:
  = Potentially-incompatible changes
  * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
    (RSA/SHA1) algorithm from those accepted for certificate signatures
    (i.e. the client and server CASignatureAlgorithms option) and will
    use the rsa-sha2-512 signature algorithm by default when the
    ssh-keygen(1) CA signs new certificates.
  * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
    from the default key exchange proposal for both the client and
    server.
  * ssh-keygen(1): the command-line options related to the generation

OBS-URL: https://build.opensuse.org/request/show/811897
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=211
2020-06-06 06:49:00 +00:00
Tomáš Chvátal
318211936a Accepting request 737034 from home:hpjansson:branches:network
Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability. Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too.
  * All: support PKCS8 as an optional format for storage of private
    keys to disk.  The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
- Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of
    server file list.
  * sshd(8): Remove support for obsolete "host/port" syntax.

OBS-URL: https://build.opensuse.org/request/show/737034
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
2019-10-10 13:32:50 +00:00
Vítězslav Čížek
8ca4d6f6f4 Accepting request 684353 from home:vitezslav_cizek:branches:network
- Minor clean-up of the fips patches, modified
  openssh-7.7p1-fips.patch
  openssh-7.7p1-fips_checks.patch

OBS-URL: https://build.opensuse.org/request/show/684353
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=185
2019-03-12 15:19:34 +00:00
Tomáš Chvátal
3f73bd9831 Accepting request 680202 from home:vitezslav_cizek:branches:network
- Correctly filter out non-compliant algorithms when in FIPS mode
  (bsc#1126397)
  * A hunk was applied to a wrong place due to a patch fuzz when
    the fips patch was being ported to openssh 7.9p1
- update openssh-7.7p1-fips.patch

OBS-URL: https://build.opensuse.org/request/show/680202
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=182
2019-02-28 20:03:36 +00:00
Tomáš Chvátal
5fcc01190a Accepting request 679869 from home:vitezslav_cizek:branches:network
- Remove the "KexDHMin" config keyword (bsc#1127180)
  It used to allow lowering of the minimal allowed DH group size,
  which was increased to 2048 by upstream in the light of the Logjam
  attack.
  The code was broken since the upgrade to 7.6p1, but nobody noticed.
  As apparently no one needs the functionality any more, let's drop
  the patch.
  It's still possible to use the fixed 1024-bit diffie-hellman-group1-sha1
  key exchange method when working with legacy systems.
- drop openssh-7.7p1-disable_short_DH_parameters.patch
- updated patches:
  openssh-7.7p1-fips.patch
  openssh-7.7p1-fips_checks.patch
  openssh-7.7p1-gssapi_key_exchange.patch

OBS-URL: https://build.opensuse.org/request/show/679869
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=181
2019-02-27 15:39:11 +00:00
Tomáš Chvátal
5f87526504 Accepting request 644397 from home:pmonrealgonzalez:branches:network
* openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-ldap.patch

OBS-URL: https://build.opensuse.org/request/show/644397
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=161
2018-10-24 17:58:38 +00:00
Tomáš Chvátal
b21be4c6b4 Accepting request 643660 from home:pmonrealgonzalez:branches:network
- Version update to 7.9p1
  * No actual changes for the askpass
  * See main package changelog for details

- Version update to 7.9p1
  * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
    option (see below) bans the use of DSA keys as certificate
    authorities.
  * sshd(8): the authentication success/failure log message has
    changed format slightly. It now includes the certificate
    fingerprint (previously it included only key ID and CA key
    fingerprint).
  * ssh(1), sshd(8): allow most port numbers to be specified using
    service names from getservbyname(3) (typically /etc/services).
  * sshd(8): support signalling sessions via the SSH protocol.
    A limited subset of signals is supported and only for login or
    command sessions (i.e. not subsystems) that were not subject to
    a forced command via authorized_keys or sshd_config. bz#1424
  * ssh(1): support "ssh -Q sig" to list supported signature options.
    Also "ssh -Q help" to show the full set of supported queries.
  * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
    client and server configs to allow control over which signature
    formats are allowed for CAs to sign certificates. For example,
    this allows banning CAs that sign certificates using the RSA-SHA1
    signature algorithm.
  * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
    revoke keys specified by SHA256 hash.
  * ssh-keygen(1): allow creation of key revocation lists directly
    from base64-encoded SHA256 fingerprints. This supports revoking
    keys using only the information contained in sshd(8)

OBS-URL: https://build.opensuse.org/request/show/643660
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=159
2018-10-22 09:08:19 +00:00
Tomáš Chvátal
7bccbbd821 Accepting request 642573 from home:scarabeus_iv:branches:network
- Update to 7.8p1:
  * no actual changes for the askpass
- Format with spec-cleaner
- Respect cflags
- Use gtk3 rather than gtk2 which is being phased out

- Remove the mention of the SLE12 in the README.SUSE
- Install firewall rules only when really needed (<SLE15)

- Version update to 7.8p1:
  * For most details see release notes file
  * ssh-keygen(1): write OpenSSH format private keys by default
    instead of using OpenSSL's PEM format
- Rebase patches to apply on 7.8p1 release:
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-gssapi_key_exchange.patch
  * openssh-7.7p1-audit.patch
  * openssh-7.7p1-openssl_1.1.0.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-IPv6_X_forwarding.patch
  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
  * openssh-7.7p1-disable_short_DH_parameters.patch
  * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
  * openssh-7.7p1-pam_check_locks.patch
  * openssh-7.7p1-seed-prng.patch
  * openssh-7.7p1-systemd-notify.patch
  * openssh-7.7p1-X11_trusted_forwarding.patch
- Dropped patches:

OBS-URL: https://build.opensuse.org/request/show/642573
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
2018-10-17 08:57:56 +00:00