Petr Cerny d83100ae13 Accepting request 539322 from home:pcerny:factory
- upgrade to 7.6p1
  see main package changelog for details

- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of support for arcfour, blowfish and CAST ciphers
    and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits
  Distilled upstream log:
- OpenSSH 7.3
  ---- Security
  * sshd(8): Mitigate a potential denial-of-service attack
    against the system's crypt(3) function via sshd(8). An
    attacker could send very long passwords that would cause
    excessive CPU use in crypt(3). sshd(8) now refuses to accept
    password authentication requests of length greater than 1024
    characters. Independently reported by Tomas Kuthan (Oracle),
    Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password
    authentication that could be used to discern valid from
    invalid account names when long passwords were sent and
    particular password hashing algorithms are in use on the
    server. CVE-2016-6210, reported by EddieEzra.Harari at
    verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC
    padding oracle countermeasures. Reported by Jean Paul
    Degabriele, Kenny Paterson, Torben Hansen and Martin
    Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
2017-11-06 14:50:53 +00:00
.gitattributes OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 16:26:05 +00:00
.gitignore OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 16:26:05 +00:00
cavs_driver-ssh.pl Accepting request 398802 from home:pcerny:factory 2016-05-30 01:36:18 +00:00
openssh-7.6p1-allow_root_password_login.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-blocksigalrm.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-disable_short_DH_parameters.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-eal3.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-enable_PAM_by_default.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-hostname_changes_when_forwarding_X.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-lastlog.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-pam_check_locks.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-pts_names_formatting.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-remove_xauth_cookies_on_exit.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-seccomp_geteuid.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-seccomp_getuid.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-seccomp_stat.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-send_locale.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1-X11_trusted_forwarding.patch Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1.tar.gz Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-7.6p1.tar.gz.asc Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-askpass-gnome.changes Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh-askpass-gnome.spec Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh.changes Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
openssh.spec Accepting request 539322 from home:pcerny:factory 2017-11-06 14:50:53 +00:00
README.FIPS Accepting request 432093 from home:pcerny:factory 2016-09-30 20:34:19 +00:00
README.kerberos Accepting request 500279 from home:pcerny:factory 2017-05-31 23:09:14 +00:00
README.SUSE Accepting request 500279 from home:pcerny:factory 2017-05-31 23:09:14 +00:00
ssh-askpass Accepting request 398802 from home:pcerny:factory 2016-05-30 01:36:18 +00:00
ssh.reg OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=1 2007-01-07 16:26:05 +00:00
sshd-gen-keys-start Accepting request 199679 from home:pcerny:factory 2013-09-19 04:09:33 +00:00
sshd.fw OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=7 2007-07-27 00:01:43 +00:00
sshd.init Accepting request 398802 from home:pcerny:factory 2016-05-30 01:36:18 +00:00
sshd.pamd Accepting request 199679 from home:pcerny:factory 2013-09-19 04:09:33 +00:00
sshd.service Accepting request 459897 from home:elvigia:branches:network 2017-03-01 11:01:26 +00:00
sysconfig.ssh Accepting request 88642 from home:pcerny:factory 2011-10-19 02:18:13 +00:00

This is OpenSSH version 7.2p2 for SLE12

The default settings of the ssh client and server differ from upstream as follows:

* Accepting and sending of locale environment variables in protocol 2 is
  enabled.

* PAM authentication is enabled.

* root authentication with password is enabled by default (PermitRootLogin yes).
  NOTE: this has security implications and is only done in order to not change
  behaviour of the server in an update. We strongly suggest setting this option
  to either "prohibit-password" or, even better, to "no" (which disables direct
  remote root login entirely).

* SSH protocol version 1 is enabled for maximum compatibility.
  NOTE: do not use protocol version 1. It is less secure than v2 and should
  generally be phased out.

* DSA authentication is enabled by default for maximum compatibility.
  NOTE: do not use DSA authentication since it is being phased out for a reason
  - the size of DSA keys is limited by the standard to 1024 bits which cannot
  be considered safe any more.

* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
  ssh_config and sshd_config manual pages.

For more information on differences in the SUSE OpenSSH package, see README.FIPS.
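
An added example (not part of the SUSE package or this README): a shell function that audits the global section of an sshd_config for three of the compatibility defaults listed above. It assumes, per the README, that an unset option falls back to the permissive package default, and that DSA user authentication is governed by the upstream `PubkeyAcceptedKeyTypes` option; the function name and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the permissive defaults described in README.SUSE.
# Reads an sshd_config from the file(s) given as arguments, or from stdin.
# Assumes whitespace-separated "Keyword value" lines and audits only the
# global section (it stops at the first Match block).

audit_sshd_config() {
    awk '
    function setting(k) { return (k in val) ? val[k] : "unset" }
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    { key = tolower($1) }                    # keywords are case-insensitive
    key == "match" { exit }                  # END still runs after exit
    !(key in val) { val[key] = tolower($2) } # sshd uses the first value seen
    END {
        v = setting("permitrootlogin")
        if (v == "unset" || v == "yes")
            print "WARN PermitRootLogin=" v ": direct root password login is allowed"
        v = setting("protocol")
        if (v == "unset" || v ~ /1/)
            print "WARN Protocol=" v ": SSH protocol version 1 is enabled"
        v = setting("pubkeyacceptedkeytypes")
        if (v == "unset" || v ~ /ssh-dss/)
            print "WARN PubkeyAcceptedKeyTypes=" v ": DSA user keys are accepted"
    }' "$@"
}

# Constructed sample: a config that leaves the package defaults in place.
sample_shipped() {
    printf '%s\n' \
        '# constructed sample, not the file shipped in the package' \
        'UsePAM yes' \
        'AcceptEnv LANG LC_*' \
        'PermitRootLogin yes'
}

# Constructed sample: the same server with the README advice applied.
sample_hardened() {
    printf '%s\n' \
        'Protocol 2' \
        'PermitRootLogin no' \
        'PubkeyAcceptedKeyTypes ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa'
}

sample_shipped | audit_sshd_config
```

On a real host, run `audit_sshd_config /etc/ssh/sshd_config`; settings inside Match blocks are not examined and need a separate review.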