Dominique Leuenberger fbdd7af379 Accepting request 1196434 from network
- Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for
    details.

- Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
- Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
- These two changes fix 2 of the 3 issues reported in bsc#1229650.

- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch

- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to

OBS-URL: https://build.opensuse.org/request/show/1196434
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=183
2024-08-29 13:42:55 +00:00
_multibuild - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
.gitattributes - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
.gitignore - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
cavs_driver-ssh.pl - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
fix-audit-fail-attempt.patch - Add patch to fix sshd not logging in the audit failed login 2024-08-23 12:36:12 +00:00
fix-memleak-in-process_server_config_line_depth.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
logind_set_tty.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-6.6.1p1-selinux-contexts.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-6.6p1-keycat.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-6.6p1-privsep-selinux.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.6p1-cleanup-selinux.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-allow_root_password_login.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-cavstest-ctr.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-cavstest-kdf.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-disable_openssl_abi_check.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-eal3.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-enable_PAM_by_default.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-fips_checks.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-fips.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-host_ident.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-hostname_changes_when_forwarding_X.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-IPv6_X_forwarding.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-ldap.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-no_fork-no_pid_file.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-pam_check_locks.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-pts_names_formatting.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-remove_xauth_cookies_on_exit.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-seccomp_ipc_flock.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-seccomp_stat.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-send_locale.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-sftp_force_permissions.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-sftp_print_diagnostic_messages.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-systemd-notify.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.7p1-X11_trusted_forwarding.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.7p1-X_forward_with_disabled_ipv6.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.8p1-role-mls.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-7.9p1-keygen-preserve-perms.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-7.9p1-revert-new-qos-defaults.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.0p1-gssapi-keyex.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-8.1p1-audit.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-8.1p1-ed25519-use-openssl-rng.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.1p1-seccomp-clock_gettime64.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.1p1-seccomp-clock_nanosleep_time64.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.1p1-seccomp-clock_nanosleep.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.1p1-use-openssl-kdf.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.4p1-pam_motd.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.4p1-ssh_config_d.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-8.4p1-vendordir.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-9.6p1-crypto-policies-man.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-9.6p1-crypto-policies.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-9.8p1.tar.gz https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-9.8p1.tar.gz.asc https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-askpass-gnome.changes https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-askpass-gnome.spec https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-do-not-send-empty-message.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-fips-ensure-approved-moduli.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-link-with-sk.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-mitigate-lingering-secrets.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-openssl-3.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh-reenable-dh-group14-sha1-default.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
openssh-whitelist-syscalls.patch - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh.changes - Add patch to fix sshd not logging in the audit failed login 2024-08-23 12:36:12 +00:00
openssh.keyring - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
openssh.spec - Add patch to fix sshd not logging in the audit failed login 2024-08-23 12:36:12 +00:00
README.FIPS - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
README.kerberos - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
README.SUSE - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
ssh-askpass - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
ssh.reg - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sshd-gen-keys-start - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sshd-sle.pamd - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sshd.fw - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sshd.pamd - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sshd.service - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sshd.socket https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
sshd@.service https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00
sysconfig.ssh - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
sysusers-sshd.conf - Update to openssh 9.8p1: 2024-08-12 09:54:46 +00:00
wtmpdb.patch https://bugzilla.opensuse.org/show_bug.cgi?id=1229650 2024-08-22 10:34:42 +00:00

The default settings of the ssh client and server differ from upstream as follows:

* Accepting and sending of locale environment variables in protocol 2 is
  enabled.

* PAM authentication is enabled and mostly even required; do not turn it off.

* In SLE15, root authentication with password is enabled by default
  (PermitRootLogin yes).
  NOTE: this has security implications and is only done in order to not change
  behaviour of the server in an update. We strongly suggest setting this option
  either to "prohibit-password" or, even better, to "no" (which disables direct
  remote root login entirely).

* DSA authentication is enabled by default for maximum compatibility.
  NOTE: do not use DSA authentication since it is being phased out for a reason
  - the size of DSA keys is limited by the standard to 1024 bits which cannot
  be considered safe any more.

* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
  ssh_config and sshd_config manual pages.
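
A check for the settings this README flags, as an added example rather than part of the SUSE package: it parses the lowercase "keyword value" lines that `sshd -T` prints and reports password root login, disabled PAM and any DSA algorithm still accepted. The sample output and the function names are constructed for illustration.

```python
# Added example: audit `sshd -T`-style output against the README's notes.
# SAMPLE is constructed for illustration, not captured from a real host.
SAMPLE = """\
port 22
usepam yes
permitrootlogin yes
acceptenv LANG
acceptenv LC_*
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,ssh-dss
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
"""

ALGO_KEYS = ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes",
             "hostkeyalgorithms")


def parse_effective_config(text):
    """Map each lowercase keyword to the list of values it appears with."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return cfg


def audit(text):
    """Return (keyword, message) findings for the settings the README flags."""
    cfg = parse_effective_config(text)
    findings = []
    root = cfg.get("permitrootlogin", ["unknown"])[-1].lower()
    if root == "yes":
        findings.append(("permitrootlogin",
                         "root password login allowed; use prohibit-password or no"))
    if cfg.get("usepam", ["yes"])[-1].lower() == "no":
        findings.append(("usepam", "PAM is disabled; the README says to keep it on"))
    for key in ALGO_KEYS:
        for value in cfg.get(key, []):
            algos = [a.strip() for a in value.split(",")]
            dsa = [a for a in algos if a.startswith("ssh-dss")]
            if dsa:
                findings.append((key, "DSA still accepted: " + ",".join(dsa)))
    return findings


if __name__ == "__main__":
    for key, msg in audit(SAMPLE):
        print(f"{key}: {msg}")
```

On a live host the input would be the output of `sshd -T` run as root, which prints the effective configuration after defaults and include files are applied.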

For more information on differences in the SUSE OpenSSH package, see README.FIPS