b21be4c6b4
- Version update to 7.9p1
* No actual changes for the askpass
* See main package changelog for details
- Version update to 7.9p1
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
option (see below) bans the use of DSA keys as certificate
authorities.
* sshd(8): the authentication success/failure log message has
changed format slightly. It now includes the certificate
fingerprint (previously it included only key ID and CA key
fingerprint).
* ssh(1), sshd(8): allow most port numbers to be specified using
service names from getservbyname(3) (typically /etc/services).
* sshd(8): support signalling sessions via the SSH protocol.
A limited subset of signals is supported and only for login or
command sessions (i.e. not subsystems) that were not subject to
a forced command via authorized_keys or sshd_config. bz#1424
* ssh(1): support "ssh -Q sig" to list supported signature options.
Also "ssh -Q help" to show the full set of supported queries.
* ssh(1), sshd(8): add a CASignatureAlgorithms option for the
client and server configs to allow control over which signature
formats are allowed for CAs to sign certificates. For example,
this allows banning CAs that sign certificates using the RSA-SHA1
signature algorithm.
* sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
revoke keys specified by SHA256 hash.
* ssh-keygen(1): allow creation of key revocation lists directly
from base64-encoded SHA256 fingerprints. This supports revoking
keys using only the information contained in sshd(8)
OBS-URL: https://build.opensuse.org/request/show/643660
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=159
42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
# HG changeset patch
|
|
# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7
|
|
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:
|
|
|
|
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
To: openssh-unix-dev@mindrot.org
|
|
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
|
|
Date: Tue, 9 May 2017 14:27:13 -0300
|
|
|
|
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
|
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
|
implementation) which calls the libraries that will communicate with the
|
|
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
|
this is only need on s390 architecture.
|
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
|
|
Index: openssh-7.9p1/sandbox-seccomp-filter.c
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
|
|
+++ openssh-7.9p1/sandbox-seccomp-filter.c
|
|
@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
|
|
#ifdef __NR_geteuid32
|
|
SC_ALLOW(__NR_geteuid32),
|
|
#endif
|
|
+#if defined(__NR_flock) && defined(__s390__)
|
|
+ SC_ALLOW(__NR_flock),
|
|
+#endif
|
|
#ifdef __NR_getpgid
|
|
SC_ALLOW(__NR_getpgid),
|
|
#endif
|
|
@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
|
|
#ifdef __NR_getuid32
|
|
SC_ALLOW(__NR_getuid32),
|
|
#endif
|
|
+#if defined(__NR_ipc) && defined(__s390__)
|
|
+ SC_ALLOW(__NR_ipc),
|
|
+#endif
|
|
#ifdef __NR_madvise
|
|
SC_ALLOW(__NR_madvise),
|
|
#endif
|