Jakub Jelen
7b15444065
Fix X11 forwarding CVE according to upstream
2016-02-24 09:51:43 +01:00
Jakub Jelen
4fdc3c59c4
Fix problem when running without privsep ( #1303910 )
2016-02-24 09:51:43 +01:00
Jakub Jelen
700da17374
Remove hard glob limit since the CVE introducing this one is unrelated.
2016-02-24 09:51:43 +01:00
Fedora Release Engineering
b2b837ad97
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
2016-02-04 11:34:23 +00:00
Jakub Jelen
8ddd3edcd8
openssh-7.1p2-3 + 0.10.2-1
2016-01-30 01:18:26 +01:00
Jakub Jelen
ca79709ade
Silently disable X11 forwarding
...
Based on feedback on previous update:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-47ac27532d
2016-01-30 01:18:12 +01:00
Jakub Jelen
c08255b7b1
Fix pam_ssh_agent_auth segfaults with non-accepted keys ( #1303036 )
2016-01-30 01:18:06 +01:00
Jakub Jelen
d1b43a2865
Update sshd service file to forking (as #1291172 )
2016-01-26 13:54:53 +01:00
Jakub Jelen
7adf5f4c63
Missing pam_ssh_agent_auth sources
2016-01-26 09:10:27 +01:00
Jakub Jelen
6c2eb5e22d
openssh-7.1p2-2 + 0.10.2-1
2016-01-26 09:00:28 +01:00
Jakub Jelen
38c7737421
Remove defattr from spec file
...
Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/
2016-01-26 09:00:28 +01:00
Jakub Jelen
733cea720e
CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding
...
Upstream commits:
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
2016-01-26 09:00:23 +01:00
Jakub Jelen
87ab5fc4af
Rebase to latest release of pam_ssh_agent_auth with preserving current functionality
...
* Rebase to latest upstream version
* Clean up older patches for pam_ssh_agent_auth
* Remove prefixes from upstream release so we can build it against current
openssh library
* Remove copied files and headers so we make sure we build against current openssh
2016-01-25 13:32:42 +01:00
Jakub Jelen
7bc64374b0
openssh-7.1p2-1 + 0.9.2-9
2016-01-14 16:11:06 +01:00
Jakub Jelen
b2191db92e
openssh-7.1p1-7 + 0.9.2-8
2016-01-12 13:15:33 +01:00
Jakub Jelen
af94f46861
Fix condition to run sshd-keygen
...
When the first boot fails for some reason and the host keys files
are created, but the content is not synced into the disk, during the
second boot, the keygen is not run, but the sshd will not start.
Changing condition mitigates this case.
2016-01-12 13:14:58 +01:00
Jakub Jelen
06b1d5330a
Make ssh-keysign world readable ( #1296724 )
2016-01-08 13:22:09 +01:00
Jakub Jelen
f26cd8d6ee
Update ssh-agent permissions ( #1296724 )
...
* It is no longer required to have ssh-agent with suid bit, because
the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]
[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
2016-01-08 11:27:02 +01:00
Jakub Jelen
7c5d0a686c
Make sure the semantics of %global macro stays the same as before a0e252571b
2016-01-08 09:15:52 +01:00
Jakub Jelen
da62b78673
Do not check for openssl based keys if built without openssl
2016-01-05 12:48:00 +01:00
Jakub Jelen
62897e51d6
Do not set default values for GSSAPI when building without GSSAPI
2016-01-05 12:41:38 +01:00
Jakub Jelen
e1b19de52a
Fix wrong handling of LEGACY environment variable
2016-01-05 12:39:40 +01:00
Jakub Jelen
a0e252571b
Change %define to %global according to packaging guidelines
...
Based on discussion started on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/AS35NKZSAWRIKY77IUYOVNFAT6AJQVAU/
2016-01-04 10:41:27 +01:00
Jakub Jelen
c45d147a86
openssh-7.1p1-6 + 0.9.2-8
2015-12-18 14:36:00 +01:00
Jakub Jelen
f6bd29aaca
Preserve IUTF8 tty mode flag over ssh connections ( #1270248 )
2015-12-18 14:36:00 +01:00
Jakub Jelen
c9e7e79685
Compatibility SSH_COPY_ID_LEGACY for ssh-copy-id
2015-12-18 14:36:00 +01:00
Jakub Jelen
86f52d4e69
Rebase downstream patches of ssh-copy-id into one from upstream
...
Source:
http://git.hands.com/ssh-copy-id
2015-12-16 15:40:10 +01:00
Jakub Jelen
d9d9575f00
GSSAPI Key Exchange documentation improvements
...
from Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
2015-12-10 15:37:52 +01:00
Jakub Jelen
f33aef5318
Remove unused patches
2015-12-08 14:22:44 +01:00
Jakub Jelen
5410d2d3a7
Do not require sysconfig file to start service ( #1279521 )
2015-11-09 17:10:15 +01:00
Jakub Jelen
ef86a312db
openssh-7.1p1-5 + 0.9.2-8
2015-11-04 10:18:50 +01:00
Jakub Jelen
b6d4dc0a6f
Do not set user context too many times for root logins ( #1269072 )
2015-11-04 10:17:32 +01:00
Jakub Jelen
fa54d5472d
openssh-7.1p1-4 + 0.9.2-8
2015-10-22 14:55:07 +02:00
Jakub Jelen
aa9a7754ed
Audit implicit mac, if mac is covered in cipher ( #1271694 )
...
For example chacha20-poly1305@openssh.com is AEAD (Authenticated Encryption with Associated Data) cipher and thus there is no separate MAC when it is used.
2015-10-22 14:53:36 +02:00
Jakub Jelen
0ebe96b604
Handle root logins the same way as other users ( #1269072 )
...
root users are unconfined by definition, but they can be limited by SELinux so having privilege separation still makes sense. As a consequence we can remove hunk that handled this condition if we skipped forking.
2015-10-22 14:52:55 +02:00
Jakub Jelen
22a08c3da4
Review SELinux user context handling after authentication ( #1269072 )
...
The previous required to have for all SELinux user contexts with setexec capability. Otherwise user would not be able to change password if it is expired. This patch sets correct context and cleans up the exec context.
When doing chroot, copy_selinux_context is called twice
2015-10-15 16:21:33 +02:00
Jakub Jelen
8395bb78d0
Increase size limit of glob structures in sftp
2015-09-30 15:27:08 +02:00
Jakub Jelen
a80c277795
openssh-7.1p1-3 + 0.9.2-8
2015-09-25 14:10:39 +02:00
Jakub Jelen
a01bd486f0
Fix obsolete usage of SELinux constants ( #1261496 )
2015-09-25 14:10:25 +02:00
Jakub Jelen
bf69b47630
Allow gss-keyex root login when without-password is set ( #2456 )
...
Reported upstream, but applicable also for our gss-keyex patch:
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
2015-09-24 15:57:11 +02:00
Jakub Jelen
6bf47e3d35
Having no keys is not fatal in gssapi key exchange ( #1261414 )
2015-09-24 15:57:11 +02:00
Jakub Jelen
9a804fa266
Apply GSSAPI key exchange methods in client offered list ( #1261414 )
2015-09-24 15:57:11 +02:00
Jakub Jelen
c6ba7b1e09
Return back forgotten patch which prevent connection using GSSAPI key exchange ( #1261414 )
2015-09-24 15:57:11 +02:00
Jakub Jelen
812f08d95e
Provide full RELRO and PIE for askpass helper ( #1264036 )
2015-09-24 15:57:11 +02:00
Jakub Jelen
3e5d955bcb
Fix FIPS mode for DH kex ( #1260253 )
2015-09-11 11:32:37 +02:00
Jakub Jelen
98262158d8
openssh-7.1p1-2 + 0.9.2-8
2015-09-09 14:29:31 +02:00
Jakub Jelen
c4c52b0667
Fix warnings produced by gcc
...
related to
* ssh-keysign and fingerprint algorithms
* ssh and GSSAPI algorithms validation
2015-09-09 10:59:19 +02:00
Jakub Jelen
757fec581b
openssh-7.1p1-1 + 0.9.3-8
2015-08-22 22:22:48 +02:00
Jakub Jelen
ccd186847a
Add corresponding options for ssh1 configure
2015-08-22 22:22:48 +02:00
Jakub Jelen
c98f559725
HostKeyAlgorithms option on server is broken when using + sign
2015-08-22 22:22:48 +02:00