- Only for SLE15, restore the patch file removed in
Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
from SP5 of having root password login allowed by default
(fixes bsc#1223486, related to bsc#1173067):
* openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to
permit root to use password logins in SLE15, the
openssh-server-config-rootlogin subpackage isn't useful there so
we now create an openssh-server-config-disallow-rootlogin
subpackage that sets the configuration the other way around
than openssh-server-config-rootlogin.
OBS-URL: https://build.opensuse.org/request/show/1173783
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=266
* There is no reason to set less secure default value, if
users need the behaviour they can still set it up themselves
- Drop patch openssh-7.7p1-blocksigalrm.patch
* We had a bug way in past about this but it was never reproduced
or even confirmed in the ticket, thus rather drop the patch
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=155
- Update to 7.8p1:
* no actual changes for the askpass
- Format with spec-cleaner
- Respect cflags
- Use gtk3 rather than gtk2 which is being phased out
- Remove the mention of the SLE12 in the README.SUSE
- Install firewall rules only when really needed (<SLE15)
- Version update to 7.8p1:
* For most details see release notes file
* ssh-keygen(1): write OpenSSH format private keys by default
instead of using OpenSSL's PEM format
- Rebase patches to apply on 7.8p1 release:
* openssh-7.7p1-fips.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-audit.patch
* openssh-7.7p1-openssl_1.1.0.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-IPv6_X_forwarding.patch
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
* openssh-7.7p1-disable_short_DH_parameters.patch
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
* openssh-7.7p1-pam_check_locks.patch
* openssh-7.7p1-seed-prng.patch
* openssh-7.7p1-systemd-notify.patch
* openssh-7.7p1-X11_trusted_forwarding.patch
- Dropped patches:
OBS-URL: https://build.opensuse.org/request/show/642573
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
- enable support for SSHv1 protocol and discourage its usage
(bsc#983307)
- enable DSA by default for backward compatibility and discourage
its usage (bsc#983784)
[openssh-7.2p2-allow_DSS_by_default.patch]
- upgrade to 7.2p2
upstream package without any SUSE patches
Distilled upstream log:
- OpenSSH 6.7
Potentially-incompatible changes:
* sshd(8): The default set of ciphers and MACs has been
altered to remove unsafe algorithms. In particular, CBC
ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
* sshd(8): Support for tcpwrappers/libwrap has been removed.
* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of
connections using the curve25519-sha256@libssh.org KEX
exchange method to fail when connecting with something that
implements the specification correctly. OpenSSH 6.7 disables
this KEX method when speaking to one of the affected
versions.
New Features:
* ssh(1), sshd(8): Add support for Unix domain socket
forwarding. A remote TCP port may be forwarded to a local
Unix domain socket and vice versa or both ends may be a Unix
domain socket.
* ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
ED25519 key types.
OBS-URL: https://build.opensuse.org/request/show/407066
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
- upgrade to 7.2p2
- changing license to 2-clause BSD to match source
- enable trusted X11 forwarding by default
[-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
[-send_locale]
- handle hostnames changes during X forwarding
[-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
[-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
[-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
surprises on updates from older versions.
See README.SUSE for details
[-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
lowering the limit back to the RFC 4419 specified minimum
through an option (bsc#932483, bsc#948902)
[-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter
OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103
- Cleanup with spec-cleaner
- Update of the master OpenSSH to 7.1p2
- Take refreshed and updated audit patch from redhat
* Remove our old patches:
+ openssh-6.6p1-audit1-remove_duplicit_audit.patch
+ openssh-6.6p1-audit2-better_audit_of_user_actions.patch
+ openssh-6.6p1-audit3-key_auth_usage-fips.patch
+ openssh-6.6p1-audit3-key_auth_usage.patch
+ openssh-6.6p1-audit4-kex_results-fips.patch
+ openssh-6.6p1-audit4-kex_results.patch
+ openssh-6.6p1-audit5-session_key_destruction.patch
+ openssh-6.6p1-audit6-server_key_destruction.patch
+ openssh-6.6p1-audit7-libaudit_compat.patch
+ openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
* add openssh-6.7p1-audit.patch
- Reenable the openssh-6.6p1-ldap.patch
- Update the fips patch from RH build openssh-6.6p1-fips.patch
- Update and refresh openssh-6.6p1-gssapi_key_exchange.patch
- Remove fips-check patch as it is merged to fips patch
* openssh-6.6p1-fips-checks.patch
- Rebase and enable chroot patch:
* openssh-6.6p1-sftp_homechroot.patch
- Reenable rebased patch for linux seed:
* openssh-6.6p1-seed-prng.patch
- Reenable key converting patch:
* openssh-6.6p1-key-converter.patch
- Version update to 7.1p2:
* various upstream bugfixes and cleanups
OBS-URL: https://build.opensuse.org/request/show/354941
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95