Commit Graph

161 Commits

Author SHA256 Message Date
Petr Cerny
4187c8a645 Accepting request 234473 from home:elvigia:branches:network
- Remove tcpwrappers support now, This feature was removed
  in upstream code at the end of April and the underlying
  libraries are abandonware.
  See: http://comments.gmane.org/gmane.linux.suse.general/348119

OBS-URL: https://build.opensuse.org/request/show/234473
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=82
2014-05-19 10:15:21 +00:00
Petr Cerny
9fb40d132b Accepting request 231427 from home:pcerny:factory
- curve25519 key exchange fix (-curve25519-6.6.1p1.patch)
- patch re-ordering (-audit3-key_auth_usage-fips.patch,
    -audit4-kex_results-fips.patch)

OBS-URL: https://build.opensuse.org/request/show/231427
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80
2014-04-25 13:11:58 +00:00
Andrey Karepin
4dd2bec462 Accepting request 230928 from home:namtrac:bugfix
- Add fix-curve25519-kex.patch to fix a key-exchange problem
  with curve25519-sha256@libssh.org, see
  http://marc.info/?l=openssh-unix-dev&m=139797807804698&w=2

OBS-URL: https://build.opensuse.org/request/show/230928
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=79
2014-04-24 10:08:13 +00:00
Petr Cerny
5b66f43acd Accepting request 230167 from home:rhafer:branches:network
OBS-URL: https://build.opensuse.org/request/show/230167
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=77
2014-04-15 11:28:24 +00:00
Petr Cerny
efb05e6527 Accepting request 230097 from home:pcerny:factory
- Update of the underlying OpenSSH to 6.6p1

- update to 6.6p1
  Security:
  * sshd(8): when using environment passing with a sshd_config(5)
    AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
    be tricked into accepting any enviornment variable that
    contains the characters before the wildcard character.
  Features since 6.5p1:
  * ssh(1), sshd(8): removal of the J-PAKE authentication code,
    which was experimental, never enabled and has been
    unmaintained for some time.
  * ssh(1): skip 'exec' clauses other clauses predicates failed
    to match while processing Match blocks.
  * ssh(1): if hostname canonicalisation is enabled and results
    in the destination hostname being changed, then re-parse
    ssh_config(5) files using the new destination hostname. This
    gives 'Host' and 'Match' directives that use the expanded
    hostname a chance to be applied.
  Bugfixes:
  * ssh(1): avoid spurious "getsockname failed: Bad file
    descriptor" in ssh -W. bz#2200, debian#738692
  * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
    systrace sandbox modes, as it is reachable if the connection
    is terminated during the pre-auth phase.
  * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
    bignum parsing. Minimum key length checks render this bug
    unexploitable to compromise SSH 1 sessions.
  * sshd_config(5): clarify behaviour of a keyword that appears
    in multiple matching Match blocks. bz#2184

OBS-URL: https://build.opensuse.org/request/show/230097
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
2014-04-14 21:53:01 +00:00
f722726301 Accepting request 227423 from home:namtrac:bugfix
- Update openssh-6.5p1-audit4-kex_results.patch to ensure that
  we don't pass a NULL string to buffer_put_cstring. This happens
  when you have "Ciphers chacha20-poly1305@openssh.com" directive.

OBS-URL: https://build.opensuse.org/request/show/227423
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=74
2014-03-27 10:02:56 +00:00
Petr Cerny
5d4cc441c8 Accepting request 226334 from home:pcerny:factory
- re-enabling the GSSAPI Key Exchange patch 
!!! currently breaks anythng else than Factory

OBS-URL: https://build.opensuse.org/request/show/226334
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=72
2014-03-17 02:46:40 +00:00
Petr Cerny
25f021b853 Accepting request 224302 from home:pcerny:factory
- re-enabling FIPS-enablement patch
- enable X11 forwarding when IPv6 is present but disabled on server
  (bnc#712683, FATE#31503; -X_forward_with_disabled_ipv6.patch)

OBS-URL: https://build.opensuse.org/request/show/224302
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=70
2014-03-01 00:05:55 +00:00
5f397d839b - openssh-6.5p1-seccomp_getuid.patch: re-enabling the seccomp sandbox
(allowing use of the getuid syscall) (bnc#864171)

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=68
2014-02-19 13:30:54 +00:00
5ada588ef0 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=67 2014-02-19 13:22:51 +00:00
Petr Cerny
f2774839fb Accepting request 222710 from home:pcerny:factory
- re-enabling the seccomp sandbox
  (allowing use of getuid the syscall)

OBS-URL: https://build.opensuse.org/request/show/222710
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=66
2014-02-18 13:04:57 +00:00
Petr Cerny
eedbb4ea75 Accepting request 222560 from home:pcerny:factory
- reverting to rlimit sandbox even for newer distributions, since
  it seems not to work properly (bnc#864171)

OBS-URL: https://build.opensuse.org/request/show/222560
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=65
2014-02-17 11:31:08 +00:00
Petr Cerny
08f9072513 Accepting request 222365 from home:pcerny:factory
- Update of the underlying OpenSSH to 6.5p1

- Update to 6.5p1
  Features since 6.4p1:
  * ssh(1), sshd(8): support for key exchange using ECDH in
    Daniel Bernstein's Curve25519; default when both the client
    and server support it.
  * ssh(1), sshd(8): support for Ed25519 as a public key type fo
    rboth server and client.  Ed25519 is an EC signature offering
    better security than ECDSA and DSA and good performance.
  * Add a new private key format that uses a bcrypt KDF to better
    protect keys at rest. Used unconditionally for Ed25519 keys,
    on demand for other key types via the -o ssh-keygen(1)
    option.  Intended to become default in the near future.
    Details documented in PROTOCOL.key.
  * ssh(1), sshd(8): new transport cipher
    "chacha20-poly1305@openssh.com" combining Daniel Bernstein's
    ChaCha20 stream cipher and Poly1305 MAC to build an
    authenticated encryption mode. Details documented
    PROTOCOL.chacha20poly1305.
  * ssh(1), sshd(8): refuse RSA keys from old proprietary clients
    and servers that use the obsolete RSA+MD5 signature scheme.
    It will still be possible to connect with these
    clients/servers but only DSA keys will be accepted, and
    OpenSSH will refuse connection entirely in a future release.
  * ssh(1), sshd(8): refuse old proprietary clients and servers
    that use a weaker key exchange hash calculation.
  * ssh(1): increase the size of the Diffie-Hellman groups
    requested for each symmetric key size. New values from NIST
    Special Publication 800-57 with the upper limit specified by

OBS-URL: https://build.opensuse.org/request/show/222365
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
2014-02-14 14:54:10 +00:00
b189026b63 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=62 2014-02-11 08:14:49 +00:00
e282a93fa2 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=61 2014-02-11 08:14:43 +00:00
db5db0c1c2 - add a rcsshd symlink to /usr/sbin/service
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=60
2014-02-11 07:43:47 +00:00
7d3e25f02e Accepting request 221224 from home:namtrac:bugfix
- Add openssh-6.2p1-forcepermissions.patch to implement a force
  permissions mode (fate#312774). The patch is based on
  http://marc.info/?l=openssh-unix-dev&m=128896838930893

OBS-URL: https://build.opensuse.org/request/show/221224
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=59
2014-02-08 10:47:01 +00:00
Petr Cerny
712ccf3395 Accepting request 220466 from home:pcerny:factory
- Update of the underlying OpenSSH to 6.4p1

- Update to 6.4p1
  Features since 6.2p2:
  * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or
    hostkeys on smartcards.
  * ssh(1)/sshd(8): allow optional time-based rekeying via a
    second argument to the existing RekeyLimit option. RekeyLimit
    is now supported in sshd_config as well as on the client.
  * sshd(8): standardise logging of information during user
    authentication.
  * The presented key/cert and the remote username (if available)
    is now logged in the authentication success/failure message on
    the same log line as the local username, remote host/port and
    protocol in use.  Certificates contents and the key
    fingerprint of the signing CA are logged too.
  * ssh(1) ability to query what cryptographic algorithms are
    supported in the binary.
  * ssh(1): ProxyCommand=- for cases where stdin and stdout
    already point to the proxy.
  * ssh(1): allow IdentityFile=none
  * ssh(1)/sshd(8): -E option to append debugging logs to a
    specified file instead of stderr or syslog.
  * sftp(1): support resuming partial downloads with the "reget"
    command and on the sftp commandline or on the "get"
    commandline with the "-a" (append) option.
  * ssh(1): "IgnoreUnknown" configuration option to selectively
    suppress errors arising from unknown configuration directives.
  * sshd(8): support for submethods to be appended to required
    authentication methods listed via AuthenticationMethods.

OBS-URL: https://build.opensuse.org/request/show/220466
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58
2014-01-31 12:18:41 +00:00
Petr Cerny
6fccab223a Accepting request 202452 from home:pcerny:factory
- fix server crashes when using AES-GCM
- removed superfluous build dependency on X

OBS-URL: https://build.opensuse.org/request/show/202452
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=57
2013-10-07 08:32:48 +00:00
Petr Cerny
673551b2c9 Accepting request 199729 from home:pcerny:factory
- spec file and patch cleanup
- patches from SLE11
- init script is moved into documentation for openSUSE 12.3+

OBS-URL: https://build.opensuse.org/request/show/199729
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=56
2013-09-19 13:51:33 +00:00
Petr Cerny
6cd875acfc Accepting request 199679 from home:pcerny:factory
- spec file cleanup (don't pointelssly build whole OpenSSH)

- spec file and patch cleanup
  * removing obsoleted auditing patch
    (openssh-%{version}-audit.patch)
- added patches from SLE
  * GSSAPI key exchange
  * FIPS enablement (currently disabled)
  * small bugfixes 
- split the LDAP helper into a separate package: openssh-akc-ldap

OBS-URL: https://build.opensuse.org/request/show/199679
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55
2013-09-19 04:09:33 +00:00
Sascha Peilicke
76e102ad97 Accepting request 198380 from home:elvigia:branches:network
- fix the logic in openssh-nodaemon-nopid.patch which is broken
  and pid_file therefore still being created.

OBS-URL: https://build.opensuse.org/request/show/198380
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=53
2013-09-11 08:27:54 +00:00
616ae5907d Accepting request 185789 from home:elvigia:branches:network
- Update for 6.2p2 

- Update to version 6.2p2 
* ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption
* ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
* ssh(1)/sshd(8): Added support for the UMAC-128 MAC
* sshd(8): Added support for multiple required authentication
* sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
* ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
  now immediately sends its SSH protocol banner to the server without
  waiting to receive the server's banner, saving time when connecting.
* dozens of other changes, see http://www.openssh.org/txt/release-6.2

OBS-URL: https://build.opensuse.org/request/show/185789
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=51
2013-08-05 07:15:19 +00:00
d3a2cdd766 Accepting request 181706 from openSUSE:Factory:Core
- avoid the build cycle between curl, krb5, libssh2_org and openssh
  by using krb5-mini-devel

OBS-URL: https://build.opensuse.org/request/show/181706
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=49
2013-07-02 08:17:10 +00:00
16b13adda2 Accepting request 179643 from home:saschpe:branches:network
- Recommend xauth, X11-forwarding won't work if it is not installed

OBS-URL: https://build.opensuse.org/request/show/179643
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=47
2013-06-19 14:31:43 +00:00
Petr Cerny
91c220ec23 Accepting request 163992 from home:elvigia:branches:network
- sshd.service: Do not order after syslog.target, it is 
 not required or recommended and that target does not even exist
 anymore.

OBS-URL: https://build.opensuse.org/request/show/163992
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=46
2013-04-15 09:19:17 +00:00
Petr Cerny
892194f58f Accepting request 147497 from home:dirkmueller:branches:network
- use ssh-keygen(1) default keylengths in generating the host key
  instead of hardcoding it

OBS-URL: https://build.opensuse.org/request/show/147497
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=44
2013-01-08 10:22:21 +00:00
41221d925c - Updated to 6.1p1, a bugfix release
Features:
 * sshd(8): This release turns on pre-auth sandboxing sshd by default for
   new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
 * ssh-keygen(1): Add options to specify starting line number and number of
   lines to process when screening moduli candidates, allowing processing
   of different parts of a candidate moduli file in parallel
 * sshd(8): The Match directive now supports matching on the local (listen)
   address and port upon which the incoming connection was received via
   LocalAddress and LocalPort clauses.
 * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
   and {Allow,Deny}{Users,Groups}
 * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
   an argument to refuse all port-forwarding requests.
 * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
 * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
   to append some arbitrary text to the server SSH protocol banner.
 Bugfixes:
 * ssh(1)/sshd(8): Don't spin in accept() in situations of file
   descriptor exhaustion. Instead back off for a while.
 * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
   they were removed from the specification. bz#2023,
 * sshd(8): Handle long comments in config files better. bz#2025
 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly
   picked up. bz#1995
 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
   on platforms that use login_cap.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=42
2012-11-13 10:50:53 +00:00
22f435a6cb Accepting request 141090 from home:kukuk:branches:network
- Fix groupadd arguments
- Add LSB tag to sshd init script

OBS-URL: https://build.opensuse.org/request/show/141090
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=41
2012-11-13 10:18:36 +00:00
b4cc1b8406 Accepting request 139460 from home:coolo:branches:openSUSE:Factory
- explicit buildrequire groff, needed for man pages

OBS-URL: https://build.opensuse.org/request/show/139460
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=39
2012-10-26 23:00:00 +00:00
Petr Cerny
8c5df33063 Accepting request 138920 from openSUSE:Factory:Staging:Systemd
buildrequire systemd through pkgconfig to break cycle

OBS-URL: https://build.opensuse.org/request/show/138920
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=37
2012-10-21 21:45:27 +00:00
Petr Cerny
f948d6768b Accepting request 130946 from home:elvigia:branches:network
- When not daemonizing, such is used with systemd, no not
 create a PID file

OBS-URL: https://build.opensuse.org/request/show/130946
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=35
2012-08-16 12:55:50 +00:00
cfb80ff52c Accepting request 126286 from home:coolo:branches:openSUSE:Factory
- the gnome askpass does not require the x11 askpass - especially not
  in the version of openssh (it's at 1.X)

OBS-URL: https://build.opensuse.org/request/show/126286
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=33
2012-06-27 10:11:02 +00:00
c0682a3f4e Accepting request 125376 from home:coolo:branches:openSUSE:Factory
fixup the previous SR

OBS-URL: https://build.opensuse.org/request/show/125376
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=31
2012-06-19 07:08:12 +00:00
7e403aa536 Accepting request 125300 from home:coolo:branches:openSUSE:Factory
- do not buildrequire xorg-x11, the askpass is an extra package
  and should build from a different package

OBS-URL: https://build.opensuse.org/request/show/125300
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=30
2012-06-18 15:59:54 +00:00
517f6527d0 - use correct tarball url
- update to 6.0p1.

- use correct download url and tarball format.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=28
2012-05-29 07:15:29 +00:00
9d7406f5e6 Accepting request 122649 from home:elvigia:branches:network
- Update to version 6.0, large list of changes, seen
  http://www.openssh.org/txt/release-6.0 for detail.

OBS-URL: https://build.opensuse.org/request/show/122649
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=27
2012-05-29 07:11:57 +00:00
0c4ab9d007 Accepting request 120648 from home:elvigia:branches:network
- By default openSSH checks at *runtime* if the openssl 
  API version matches with the running library, that might
  be good if you are compiling SSH yourself but it is a totally
  insane way to check for binary/source compatibility in a distribution.

OBS-URL: https://build.opensuse.org/request/show/120648
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=25
2012-05-16 22:21:36 +00:00
Petr Cerny
b29ae30591 Accepting request 111545 from home:a_jaeger:FactoryFix
Fix build.

OBS-URL: https://build.opensuse.org/request/show/111545
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=23
2012-03-30 14:20:49 +00:00
7385d7e1a1 Accepting request 105960 from home:msmeissn:branches:network
fix build with new x11

OBS-URL: https://build.opensuse.org/request/show/105960
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=21
2012-02-20 15:20:42 +00:00
Stephan Kulow
4095c0743d Accepting request 98019 from home:aljex
Fix building for openSUSE targets back to 10.2

OBS-URL: https://build.opensuse.org/request/show/98019
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=19
2011-12-26 07:09:33 +00:00
Petr Cerny
5a09a92856 Accepting request 97537 from home:coolo:removeautoconf
add autoconf to buildrequires

OBS-URL: https://build.opensuse.org/request/show/97537
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=18
2011-12-21 17:59:28 +00:00
Minh Ngo
2401590e48 Accepting request 94377 from home:elvigia:branches:network
- Add systemd startup units

OBS-URL: https://build.opensuse.org/request/show/94377
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=16
2011-11-29 19:55:10 +00:00
Petr Cerny
e4e9974691 Accepting request 89778 from home:pcerny:factory
- finalising libexecdir change (bnc#726712)

OBS-URL: https://build.opensuse.org/request/show/89778
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=15
2011-11-02 15:44:39 +00:00
Petr Cerny
5a89c49d11 Accepting request 88642 from home:pcerny:factory
- Update to 5.9p1 
  * sandboxing privsep child through rlimit
- spec files and sources cleanup
- removed bogus key size from init script

OBS-URL: https://build.opensuse.org/request/show/88642
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=14
2011-10-19 02:18:13 +00:00
Pavol Rusnak
2f1296c7be Accepting request 86032 from home:jengelh:dev
- Avoid overriding libexecdir with %_lib (bnc#712025)
- Clean up the specfile by request of Minh Ngo, details entail:
* remove norootforbuild comments, redundant %clean section
* run spec-beautifier over it
- Add PIEFLAGS to compilation of askpass; fails otherwise

OBS-URL: https://build.opensuse.org/request/show/86032
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=12
2011-10-05 12:14:43 +00:00
fc3180d72b Accepting request 80152 from home:elvigia:branches:network
-  Update to verison 5.8p2
* Fixed vuln in systems without dev/random, we arenot affected
* Fixes problems building with selinux enabled
- Fix build with as-needed and no-add-needed

- Enable libedit/autocompletion support in sftp

OBS-URL: https://build.opensuse.org/request/show/80152
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=10
2011-09-07 15:50:44 +00:00
Petr Cerny
9810ecd029 Accepting request 69985 from home:msmeissn:branches:network
bump hostkey length to 2048

OBS-URL: https://build.opensuse.org/request/show/69985
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=9
2011-05-10 15:21:03 +00:00
Petr Cerny
ceda754f5a Accepting request 60057 from home:leonardocf:branches:network
reviewed ok.

OBS-URL: https://build.opensuse.org/request/show/60057
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=7
2011-02-04 13:58:22 +00:00
Petr Cerny
5920438cad Accepting request 60035 from home:pcerny:factory
reviewed ok.

OBS-URL: https://build.opensuse.org/request/show/60035
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=6
2011-02-04 10:44:51 +00:00