d83100ae13
- upgrade to 7.6p1
  see main package changelog for details
- Update to vanilla 7.6p1
  Most important changes (more details below):
  * complete removal of the ancient SSHv1 protocol
  * sshd(8) cannot run without privilege separation
  * removal of support for arcfour, blowfish and CAST ciphers and RIPE-MD160 HMAC
  * refuse RSA keys shorter than 1024 bits

  Distilled upstream log:

  - OpenSSH 7.3
  ----
  Security
  * sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
  * sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com
  * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and

OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
Files in this revision:

  .gitattributes
  .gitignore
  cavs_driver-ssh.pl
  openssh-7.6p1-allow_root_password_login.patch
  openssh-7.6p1-blocksigalrm.patch
  openssh-7.6p1-disable_short_DH_parameters.patch
  openssh-7.6p1-eal3.patch
  openssh-7.6p1-enable_PAM_by_default.patch
  openssh-7.6p1-hostname_changes_when_forwarding_X.patch
  openssh-7.6p1-lastlog.patch
  openssh-7.6p1-pam_check_locks.patch
  openssh-7.6p1-pts_names_formatting.patch
  openssh-7.6p1-remove_xauth_cookies_on_exit.patch
  openssh-7.6p1-seccomp_geteuid.patch
  openssh-7.6p1-seccomp_getuid.patch
  openssh-7.6p1-seccomp_stat.patch
  openssh-7.6p1-send_locale.patch
  openssh-7.6p1-X11_trusted_forwarding.patch
  openssh-7.6p1.tar.gz
  openssh-7.6p1.tar.gz.asc
  openssh-askpass-gnome.changes
  openssh-askpass-gnome.spec
  openssh.changes
  openssh.spec
  README.FIPS
  README.kerberos
  README.SUSE
  ssh-askpass
  ssh.reg
  sshd-gen-keys-start
  sshd.fw
  sshd.init
  sshd.pamd
  sshd.service
  sysconfig.ssh
This is OpenSSH version 7.2p2 for SLE12. The following changes to the default settings of the ssh client and server apply:

* Accepting and sending of locale environment variables in protocol 2 is enabled.

* PAM authentication is enabled.

* root authentication with password is enabled by default (PermitRootLogin yes).
  NOTE: this has security implications and is only done in order not to change the behaviour of the server in an update. We strongly suggest setting this option to either "prohibit-password" or, even better, "no" (which disables direct remote root login entirely).

* SSH protocol version 1 is enabled for maximum compatibility.
  NOTE: do not use protocol version 1. It is less secure than v2 and should generally be phased out.

* DSA authentication is enabled by default for maximum compatibility.
  NOTE: do not use DSA authentication, since it is being phased out for a reason: the size of DSA keys is limited by the standard to 1024 bits, which cannot be considered safe any more.

* All RFC 4419 specified DH group parameters are accepted. See KexDHMin in the ssh_config and sshd_config manual pages.

For more information on differences in the SUSE OpenSSH package see README.FIPS
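The following audit script is an added example and is not part of the openSUSE openssh package or its README.SUSE. It checks an sshd_config for the compatibility defaults the README warns about (PermitRootLogin yes, protocol 1, DSA host keys, no KexDHMin floor) and, from the 7.6p1 changelog above, for cipher and MAC names that the update removed (arcfour, blowfish, CAST, RIPE-MD160). Both configs it runs against are constructed samples embedded in the script; the 2048-bit KexDHMin threshold and the hardened Ciphers/MACs lists are this example's own choices, not values taken from the package, and the parser only looks at directives before the first Match block, with the first occurrence of a keyword winning, as sshd(8) does.

```shell
#!/bin/sh
# Added example (not the package's code): audit an sshd_config for the
# README.SUSE compatibility defaults and the algorithms removed in 7.6p1.
# Assumptions: global directives only (stop at the first Match block), first
# occurrence of a keyword wins; the KexDHMin 2048 threshold is ours.

# get_directive FILE KEYWORD: value of the first matching global directive
# ("Key value" or "Key=value", keyword case-insensitive), empty if absent.
get_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            if (!match(line, /[[:space:]=]+/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", val)
            if (key == "match") exit            # per-connection overrides: stop
            if (key == want) { print val; exit }
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE: prints one finding per line.
audit_sshd_config() {
    f="$1"
    v=$(lower "$(get_directive "$f" PermitRootLogin)")
    # README.SUSE: this package patches the default to "yes", so absent means yes.
    case "$v" in
        ""|yes) echo "PermitRootLogin: '${v:-unset, package default yes}' -> set prohibit-password or no" ;;
    esac
    case "$(get_directive "$f" Protocol)" in
        *1*) echo "Protocol: version 1 enabled -> use 'Protocol 2' (v1 is removed entirely in 7.6p1)" ;;
    esac
    if grep -iE '^[[:space:]]*HostKey[[:space:]=]+.*dsa' "$f" >/dev/null; then
        echo "HostKey: DSA host key configured -> DSA is limited to 1024 bits, drop it"
    fi
    case "$(lower "$(get_directive "$f" Ciphers)")" in
        *arcfour*|*blowfish*|*cast128*) echo "Ciphers: arcfour/blowfish/CAST listed -> removed in 7.6p1, clean up the list" ;;
    esac
    case "$(lower "$(get_directive "$f" MACs)")" in
        *ripemd160*) echo "MACs: hmac-ripemd160 listed -> removed in 7.6p1, clean up the list" ;;
    esac
    kex=$(get_directive "$f" KexDHMin)
    if [ -z "$kex" ] || [ "$kex" -lt 2048 ]; then
        echo "KexDHMin: '${kex:-unset, all RFC 4419 groups accepted}' -> set KexDHMin 2048 (example's threshold)"
    fi
}

# count_findings FILE: number of findings, for scripting.
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample: the compatibility defaults README.SUSE describes, plus
# algorithm lists that 7.6p1 no longer understands.
write_weak_config() {
    cat > "$1" <<'EOF'
Protocol 2,1
PermitRootLogin yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Ciphers aes256-ctr,aes128-ctr,arcfour,blowfish-cbc
MACs hmac-sha2-256,hmac-ripemd160
UsePAM yes
Match User backup
    PermitRootLogin no
EOF
}

# Constructed sample: the same file with the settings README.SUSE recommends
# (algorithm lists and the KexDHMin value are this example's choices).
write_hardened_config() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
KexDHMin 2048
UsePAM yes
EOF
}

# Demo: run both constructed samples through the audit.
tmp=$(mktemp)
for w in write_weak_config write_hardened_config; do
    "$w" "$tmp"
    echo "== $w: $(count_findings "$tmp") finding(s)"
    audit_sshd_config "$tmp"
done
rm -f "$tmp"
```

To audit a live system, call `audit_sshd_config /etc/ssh/sshd_config`; note that it reads the file as written and does not expand Include files or Match blocks, so the authoritative view remains `sshd -T`.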