e8b9919265
- Fix preauth seccomp separation on mainframes (bsc#1016709) [openssh-7.2p2-s390_hw_crypto_syscalls.patch] [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch] - enable case-insensitive hostname matching (bsc#1017099) [openssh-7.2p2-ssh_case_insensitive_host_matching.patch] - add CAVS tests [openssh-7.2p2-cavstest-ctr.patch] [openssh-7.2p2-cavstest-kdf.patch] - Adding missing pieces for user matching (bsc#1021626) - Properly verify CIDR masks in configuration (bsc#1005893) [openssh-7.2p2-verify_CIDR_address_ranges.patch] - Remove pre-auth compression support from the server to prevent possible cryptographic attacks. (CVE-2016-10012, bsc#1016370) [openssh-7.2p2-disable_preauth_compression.patch] - limit directories for loading PKCS11 modules (CVE-2016-10009, bsc#1016366) [openssh-7.2p2-restrict_pkcs11-modules.patch] - Prevent possible leaks of host private keys to low-privilege process handling authentication (CVE-2016-10011, bsc#1016369) [openssh-7.2p2-prevent_private_key_leakage.patch] - Do not allow unix socket forwarding when running without privilege separation (CVE-2016-10010, bsc#1016368) [openssh-7.2p2-secure_unix_sockets_forwarding.patch] - prevent resource depletion during key exchange (bsc#1005480, CVE-2016-8858) [openssh-7.2p2-kex_resource_depletion.patch] OBS-URL: https://build.opensuse.org/request/show/500279 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
30 lines
1.2 KiB
Plaintext
30 lines
1.2 KiB
Plaintext
This is OpenSSH version 7.2p2 for SLE12
|
|
|
|
There are following changes in default settings of ssh client and server:
|
|
|
|
* Accepting and sending of locale environment variables in protocol 2 is
|
|
enabled.
|
|
|
|
* PAM authentication is enabled.
|
|
|
|
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
|
NOTE: this has security implications and is only done in order to not change
|
|
behaviour of the server in an update. We strongly suggest setting this option
|
|
either "prohibit-password" or even better to "no" (which disables direct
|
|
remote root login entirely).
|
|
|
|
* SSH protocol version 1 is enabled for maximum compatibility.
|
|
NOTE: do not use protocol version 1. It is less secure then v2 and should
|
|
generally be phased out.
|
|
|
|
* DSA authentication is enabled by default for maximum compatibility.
|
|
NOTE: do not use DSA authentication since it is being phased out for a reason
|
|
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
|
be considered safe any more.
|
|
|
|
* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
|
|
ssh_config and sshd_config manual pages.
|
|
|
|
For more information on differences in SUSE OpenSSH package see README.FIPS
|
|
|