d1b43a2865
Update sshd service file to forking (as #1291172 )
2016-01-26 13:54:53 +01:00
7adf5f4c63
Missing pam_ssh_agent_auth sources
2016-01-26 09:10:27 +01:00
6c2eb5e22d
openssh-7.1p2-2 + 0.10.2-1
2016-01-26 09:00:28 +01:00
38c7737421
Remove defattr from spec file
...
Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/
2016-01-26 09:00:28 +01:00
733cea720e
CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding
...
Upstream commits:
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
2016-01-26 09:00:23 +01:00
87ab5fc4af
Reabse to latest release of pam_ssh_agent_auth with preserving current functionality
...
* Rebase to latest upstream version
* Clean up older patches for pam_ssh_agent_auth
* Remove prefixes from upstream release so we can build it against current
openssh library
* Remove copied files and headers so we make sure we build against current openssh
2016-01-25 13:32:42 +01:00
7bc64374b0
openssh-7.1p2-1 + 0.9.2-9
2016-01-14 16:11:06 +01:00
b2191db92e
openssh-7.1p1-7 + 0.9.2-8
2016-01-12 13:15:33 +01:00
af94f46861
Fix condition to run sshd-keygen
...
When the first boot fails for some reason and the host keys files
are created, but the content not synced into the disk, during the
second boot, the keygen is not run, but the sshd will not start.
Changing condition mitigates this case.
2016-01-12 13:14:58 +01:00
06b1d5330a
Make ssh-keysign world readable ( #1296724 )
2016-01-08 13:22:09 +01:00
f26cd8d6ee
Update ssh-agent permissions ( #1296724 )
...
* It is no longer required to have ssh-agent with suid bit, because
the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]
[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
2016-01-08 11:27:02 +01:00
7c5d0a686c
Make sure the semantics of %global macro stays the same as before a0e252571b
2016-01-08 09:15:52 +01:00
da62b78673
Do not check for openssl based keys if built without openssl
2016-01-05 12:48:00 +01:00
62897e51d6
Do not set default values for GSSAPI when building without GSSAPI
2016-01-05 12:41:38 +01:00
e1b19de52a
Fix wrong handling of LEGACY environment variable
2016-01-05 12:39:40 +01:00
a0e252571b
Change %define to %global according to packaging guidelines
...
Based on discussion started on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/AS35NKZSAWRIKY77IUYOVNFAT6AJQVAU/
2016-01-04 10:41:27 +01:00
c45d147a86
openssh-7.1p1-6 + 0.9.2-8
2015-12-18 14:36:00 +01:00
f6bd29aaca
Preserve IUTF8 tty mode flag over ssh connections ( #1270248 )
2015-12-18 14:36:00 +01:00
c9e7e79685
Compatibility SSH_COPY_ID_LEGACY for ssh-copy-id
2015-12-18 14:36:00 +01:00
86f52d4e69
Rebase downstream patches of ssh-copy-id into one from upstream
...
Source:
http://git.hands.com/ssh-copy-id
2015-12-16 15:40:10 +01:00
d9d9575f00
GSSAPI Key Exchange documentation improvements
...
from Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
2015-12-10 15:37:52 +01:00
f33aef5318
Remove unused patches
2015-12-08 14:22:44 +01:00
5410d2d3a7
Do not require sysconfig file to start service ( #1279521 )
2015-11-09 17:10:15 +01:00
ef86a312db
openssh-7.1p1-5 + 0.9.2-8
2015-11-04 10:18:50 +01:00
b6d4dc0a6f
Do not set user context too many times for root logins ( #1269072 )
2015-11-04 10:17:32 +01:00
fa54d5472d
openssh-7.1p1-4 + 0.9.2-8
2015-10-22 14:55:07 +02:00
aa9a7754ed
Audit implicit mac, if mac is covered in cipher ( #1271694 )
...
For example chacha20-poly1305@openssh.com is AEAD (Authenticated Encryption with Associated Data) cipher and thus there is no separate MAC when it is used.
2015-10-22 14:53:36 +02:00
0ebe96b604
Handle root logins the same way as other users ( #1269072 )
...
root users are unconfined by definition, but they can be limited by SELinux so having privilege separation still makes sense. As a consequence we can remove hunk that handled this condition if we skipped forking.
2015-10-22 14:52:55 +02:00
22a08c3da4
Review SELinux user context handling after authentication ( #1269072 )
...
The previous required to have for all SELInux user contexts with setexec capability. Otherwise user would not be able to change password if it is expired. This patch sets correct context and cleans up the exec context.
When doing chroot, copy_selinux_context is called twice
2015-10-15 16:21:33 +02:00
8395bb78d0
Increase size limit of glob structures in sftp
2015-09-30 15:27:08 +02:00
a80c277795
openssh-7.1p1-3 + 0.9.2-8
2015-09-25 14:10:39 +02:00
a01bd486f0
Fix obsolete usage of SELinux constants ( #1261496 )
2015-09-25 14:10:25 +02:00
bf69b47630
Allow gss-keyex root login when without-password is set ( #2456 )
...
Reported upstream, but applicable also for our gss-keyex patch:
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
2015-09-24 15:57:11 +02:00
6bf47e3d35
Having no keys is not fatal in gssapi key exchange ( #1261414 )
2015-09-24 15:57:11 +02:00
9a804fa266
Apply GSSAPI key exchange methods in client offered list ( #1261414 )
2015-09-24 15:57:11 +02:00
c6ba7b1e09
Return back forgotten patch which prevent connection using GSSAPI key exchange ( #1261414 )
2015-09-24 15:57:11 +02:00
812f08d95e
Provide full RELRO and PIE form askpass helper ( #1264036 )
2015-09-24 15:57:11 +02:00
3e5d955bcb
Fix FIPS mode for DH kex ( #1260253 )
2015-09-11 11:32:37 +02:00
98262158d8
openssh-7.1p1-2 + 0.9.2-8
2015-09-09 14:29:31 +02:00
c4c52b0667
Fix warnings produced by gcc
...
related to
* ssh-keysign and fingerprint algorithms
* ssh and GSSAPI algorithms validation
2015-09-09 10:59:19 +02:00
757fec581b
openssh-7.1p1-1 + 0.9.3-8
2015-08-22 22:22:48 +02:00
ccd186847a
Add corresponding options for ssh1 configure
2015-08-22 22:22:48 +02:00
c98f559725
HostKeyAlgorithms option on server is broken when using + sign
2015-08-22 22:22:48 +02:00
ebdae84225
openssh-7.0p1-2 + 0.9.3-7
2015-08-19 13:49:45 +02:00
18e54994fa
Fix typo in version string
2015-08-19 13:47:28 +02:00
4df30a2a72
Possibility to validate legacy systems by more fingerprints ( #1249626 )
2015-08-19 13:43:36 +02:00
bc4ef0f373
Add GSSAPIKexAlgorithms option for server and client application
2015-08-19 13:18:07 +02:00
459bd27529
Fix problem with DSA keys using pam_ssh_agent_auth ( #1251777 )
2015-08-17 16:27:38 +02:00
d0337fc530
Forgotten sources :(
2015-08-13 18:03:38 +02:00
3f55133c24
openssh-7.0p1-1 + 6.9.3-7
...
New upstream release (#1252639 )
- allow root login in default config
Security: Use-after-free bug related to PAM support (#1252853 )
Security: Privilege separation weakness related to PAM support (#1252854 )
Security: Incorrectly set TTYs to be world-writable (#1252862 )
2015-08-13 17:44:41 +02:00
Jakub Jelen