efb05e6527
- Update of the underlying OpenSSH to 6.6p1
- update to 6.6p1
Security:
* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any enviornment variable that
contains the characters before the wildcard character.
Features since 6.5p1:
* ssh(1), sshd(8): removal of the J-PAKE authentication code,
which was experimental, never enabled and has been
unmaintained for some time.
* ssh(1): skip 'exec' clauses other clauses predicates failed
to match while processing Match blocks.
* ssh(1): if hostname canonicalisation is enabled and results
in the destination hostname being changed, then re-parse
ssh_config(5) files using the new destination hostname. This
gives 'Host' and 'Match' directives that use the expanded
hostname a chance to be applied.
Bugfixes:
* ssh(1): avoid spurious "getsockname failed: Bad file
descriptor" in ssh -W. bz#2200, debian#738692
* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
systrace sandbox modes, as it is reachable if the connection
is terminated during the pre-auth phase.
* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
bignum parsing. Minimum key length checks render this bug
unexploitable to compromise SSH 1 sessions.
* sshd_config(5): clarify behaviour of a keyword that appears
in multiple matching Match blocks. bz#2184
OBS-URL: https://build.opensuse.org/request/show/230097
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76
62 lines
2.1 KiB
Diff
62 lines
2.1 KiB
Diff
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
|
|
# configuration
|
|
# bnc#50836 (was suse #35836)
|
|
|
|
diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
|
|
--- a/openssh-6.6p1/ssh_config
|
|
+++ b/openssh-6.6p1/ssh_config
|
|
@@ -12,19 +12,30 @@
|
|
# Any configuration value is only changed the first time it is set.
|
|
# Thus, host-specific definitions should be at the beginning of the
|
|
# configuration file, and defaults at the end.
|
|
|
|
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
# list of available options, their meanings and defaults, please see the
|
|
# ssh_config(5) man page.
|
|
|
|
-# Host *
|
|
+Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
+
|
|
+# If you do not trust your remote host (or its administrator), you
|
|
+# should not forward X11 connections to your local X11-display for
|
|
+# security reasons: Someone stealing the authentification data on the
|
|
+# remote side (the "spoofed" X-server by the remote sshd) can read your
|
|
+# keystrokes as you type, just like any other X11 client could do.
|
|
+# Set this to "no" here for global effect or in your own ~/.ssh/config
|
|
+# file if you want to have the remote X11 authentification data to
|
|
+# expire after two minutes after remote login.
|
|
+ForwardX11Trusted yes
|
|
+
|
|
# RhostsRSAAuthentication no
|
|
# RSAAuthentication yes
|
|
# PasswordAuthentication yes
|
|
# HostbasedAuthentication no
|
|
# GSSAPIAuthentication no
|
|
# GSSAPIDelegateCredentials no
|
|
# BatchMode no
|
|
# CheckHostIP yes
|
|
diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config
|
|
--- a/openssh-6.6p1/sshd_config
|
|
+++ b/openssh-6.6p1/sshd_config
|
|
@@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
#UsePAM no
|
|
|
|
#AllowAgentForwarding yes
|
|
#AllowTcpForwarding yes
|
|
#GatewayPorts no
|
|
-#X11Forwarding no
|
|
+X11Forwarding yes
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|
|
#PrintMotd yes
|
|
#PrintLastLog yes
|
|
#TCPKeepAlive yes
|
|
#UseLogin no
|
|
UsePrivilegeSeparation sandbox # Default for new installations.
|