next round of patches
- allow X forwarding over IPv4 when IPv6 sockets is not available
[openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
[openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
[openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from
an LDAP server
[openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
[openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
[openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
[openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
[openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
[openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
[openssh-7.2p2-additional_seccomp_archs.patch]
OBS-URL: https://build.opensuse.org/request/show/432093
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112
- enable support for SSHv1 protocol and discourage its usage
(bsc#983307)
- enable DSA by default for backward compatibility and discourage
its usage (bsc#983784)
[openssh-7.2p2-allow_DSS_by_default.patch]
- upgrade to 7.2p2
upstream package without any SUSE patches
Distilled upstream log:
- OpenSSH 6.7
Potentially-incompatible changes:
* sshd(8): The default set of ciphers and MACs has been
altered to remove unsafe algorithms. In particular, CBC
ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
* sshd(8): Support for tcpwrappers/libwrap has been removed.
* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of
connections using the curve25519-sha256@libssh.org KEX
exchange method to fail when connecting with something that
implements the specification correctly. OpenSSH 6.7 disables
this KEX method when speaking to one of the affected
versions.
New Features:
* ssh(1), sshd(8): Add support for Unix domain socket
forwarding. A remote TCP port may be forwarded to a local
Unix domain socket and vice versa or both ends may be a Unix
domain socket.
* ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
ED25519 key types.
OBS-URL: https://build.opensuse.org/request/show/407066
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
- upgrade to 7.2p2
- changing license to 2-clause BSD to match source
- enable trusted X11 forwarding by default
[-X11_trusted_forwarding]
- set UID for lastlog properly [-lastlog]
- enable use of PAM by default [-enable_PAM_by_default]
- copy command line arguments properly [-saveargv-fix]
- do not use pthreads in PAM code [-dont_use_pthreads_in_PAM]
- fix paths in documentation [-eal3]
- prevent race consitions triggered by SIGALRM [-blocksigalrm]
- do send and accept locale environment variables by default
[-send_locale]
- handle hostnames changes during X forwarding
[-hostname_changes_when_forwarding_X]
- try to remove xauth cookies on exit
[-remove_xauth_cookies_on_exit]
- properly format pts names for ?tmp? log files
[-pts_names_formatting]
- check locked accounts when using PAM [-pam_check_locks]
- chenge default PermitRootLogin to 'yes' to prevent unwanted
surprises on updates from older versions.
See README.SUSE for details
[-allow_root_password_login]
- Disable DH parameters under 2048 bits by default and allow
lowering the limit back to the RFC 4419 specified minimum
through an option (bsc#932483, bsc#948902)
[-disable_short_DH_parameters]
- Add getuid() and stat() syscalls to the seccomp filter
OBS-URL: https://build.opensuse.org/request/show/398802
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=103
