Antonio Larrosa
dd9c4b9bb1
attempts (submitted to upstream in https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if the user sets the crypto-policy mode to LEGACY, where DSA keys should be allowed. The option was added by upstream in 9.7 and set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=273

||
---|---|---|
_multibuild | ||
.gitattributes | ||
.gitignore | ||
0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch | ||
0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch | ||
0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch | ||
cavs_driver-ssh.pl | ||
fix-audit-fail-attempt.patch | ||
fix-CVE-2024-6387.patch | ||
fix-memleak-in-process_server_config_line_depth.patch | ||
fix-missing-lz.patch | ||
logind_set_tty.patch | ||
openssh-6.6.1p1-selinux-contexts.patch | ||
openssh-6.6p1-keycat.patch | ||
openssh-6.6p1-privsep-selinux.patch | ||
openssh-7.6p1-cleanup-selinux.patch | ||
openssh-7.7p1-allow_root_password_login.patch | ||
openssh-7.7p1-cavstest-ctr.patch | ||
openssh-7.7p1-cavstest-kdf.patch | ||
openssh-7.7p1-disable_openssl_abi_check.patch | ||
openssh-7.7p1-eal3.patch | ||
openssh-7.7p1-enable_PAM_by_default.patch | ||
openssh-7.7p1-fips_checks.patch | ||
openssh-7.7p1-fips.patch | ||
openssh-7.7p1-host_ident.patch | ||
openssh-7.7p1-hostname_changes_when_forwarding_X.patch | ||
openssh-7.7p1-IPv6_X_forwarding.patch | ||
openssh-7.7p1-ldap.patch | ||
openssh-7.7p1-no_fork-no_pid_file.patch | ||
openssh-7.7p1-pam_check_locks.patch | ||
openssh-7.7p1-pts_names_formatting.patch | ||
openssh-7.7p1-remove_xauth_cookies_on_exit.patch | ||
openssh-7.7p1-seccomp_ipc_flock.patch | ||
openssh-7.7p1-seccomp_stat.patch | ||
openssh-7.7p1-send_locale.patch | ||
openssh-7.7p1-sftp_force_permissions.patch | ||
openssh-7.7p1-sftp_print_diagnostic_messages.patch | ||
openssh-7.7p1-systemd-notify.patch | ||
openssh-7.7p1-X11_trusted_forwarding.patch | ||
openssh-7.7p1-X_forward_with_disabled_ipv6.patch | ||
openssh-7.8p1-role-mls.patch | ||
openssh-7.9p1-keygen-preserve-perms.patch | ||
openssh-7.9p1-revert-new-qos-defaults.patch | ||
openssh-8.0p1-gssapi-keyex.patch | ||
openssh-8.1p1-audit.patch | ||
openssh-8.1p1-ed25519-use-openssl-rng.patch | ||
openssh-8.1p1-seccomp-clock_gettime64.patch | ||
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch | ||
openssh-8.1p1-seccomp-clock_nanosleep.patch | ||
openssh-8.1p1-use-openssl-kdf.patch | ||
openssh-8.4p1-pam_motd.patch | ||
openssh-8.4p1-ssh_config_d.patch | ||
openssh-8.4p1-vendordir.patch | ||
openssh-9.6p1-crypto-policies-man.patch | ||
openssh-9.6p1-crypto-policies.patch | ||
openssh-9.6p1.tar.gz | ||
openssh-9.6p1.tar.gz.asc | ||
openssh-9.8p1.tar.gz | ||
openssh-9.8p1.tar.gz.asc | ||
openssh-askpass-gnome.changes | ||
openssh-askpass-gnome.spec | ||
openssh-do-not-send-empty-message.patch | ||
openssh-fips-ensure-approved-moduli.patch | ||
openssh-link-with-sk.patch | ||
openssh-mitigate-lingering-secrets.patch | ||
openssh-openssl-3.patch | ||
openssh-reenable-dh-group14-sha1-default.patch | ||
openssh-whitelist-syscalls.patch | ||
openssh.changes | ||
openssh.keyring | ||
openssh.spec | ||
README.FIPS | ||
README.kerberos | ||
README.SUSE | ||
ssh-askpass | ||
ssh.reg | ||
sshd-gen-keys-start | ||
sshd-sle.pamd | ||
sshd.fw | ||
sshd.pamd | ||
sshd.service | ||
sshd.socket | ||
sshd@.service | ||
sysconfig.ssh | ||
sysusers-sshd.conf | ||
wtmpdb.patch |

There are the following changes in the default settings of the ssh client and server:

* Accepting and sending of locale environment variables in protocol 2 is enabled.
* PAM authentication is enabled and mostly even required; do not turn it off.
* In SLE15, root authentication with password is enabled by default (PermitRootLogin yes). NOTE: this has security implications and is only done in order to not change behaviour of the server in an update. We strongly suggest setting this option to either "prohibit-password" or, even better, to "no" (which disables direct remote root login entirely).
* DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot be considered safe any more.
* Accepting all RFC4419 specified DH group parameters. See KexDHMin in ssh_config and sshd_config manual pages.

For more information on differences in the SUSE OpenSSH package, see README.FIPS