Commit Graph

823 Commits

Author SHA1 Message Date
Jakub Jelen
6666c19414 Do not break gssapi-kex authentication method 2018-10-19 11:41:34 +02:00
Jakub Jelen
eaa7af2e41 rebase patches to openssh-7.9p1 2018-10-19 11:41:07 +02:00
Jakub Jelen
6c9d993869 Follow the system-wide PATH settings
https://fedoraproject.org/wiki/Features/SbinSanity
2018-10-03 11:00:12 +02:00
Jakub Jelen
97ee52c0a3 openssh-7.8p1-3 + 0.10.3-5 2018-09-24 15:25:57 +02:00
Jakub Jelen
8ebb9915a3 Cleanup specfile comments 2018-09-24 15:25:40 +02:00
Jakub Jelen
84d3ff9306 Do not let OpenSSH control our hardening flags 2018-09-21 17:22:35 +02:00
Jakub Jelen
8b9448c5ba openssh-7.8p1-2 + 0.10.3-5 2018-08-31 13:32:02 +02:00
Jakub Jelen
9409715f65 Unbreak scp between two IPv6 hosts (#1620333) 2018-08-31 13:26:44 +02:00
Jakub Jelen
afaf23f6c3 Drop unused patch 2018-08-28 10:51:37 +02:00
Jakub Jelen
bbf61daf97 openssh-7.8p1-1 + 0.10.3-5
New upstream release including:
 * Dropping entropy patch
 * Remove default support for MD5 fingerprints
 * Porting all the downstream patches and pam_ssh_agent_auth
   to new sshbuf and sshkey API
 * pam_ssh_agent_auth is no longer using MD5 fingerprints
2018-08-24 23:16:24 +02:00
Jakub Jelen
01ba761e18 7.7p1-6 + 0.10.3-4 2018-08-09 14:14:18 +02:00
Jakub Jelen
44e2032a0a fips: Show real list of kex algoritms in FIPS 2018-08-08 10:18:27 +02:00
Fedora Release Engineering
600d4011b5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 15:11:56 +00:00
Jakub Jelen
e1d855438b 7.7p1-5 + 0.10.3-4 2018-07-03 11:27:15 +02:00
Jakub Jelen
6c68d655b2 Disable manual reading of MOTD by default 2018-07-03 11:26:01 +02:00
Jakub Jelen
62f1736470 7.7p1-4 + 0.10.3-4 2018-06-27 14:09:27 +02:00
Jakub Jelen
1176788778 Improve kerberos credential cache handling (#1566494) 2018-06-27 13:40:48 +02:00
Jakub Jelen
04ca5e7b0b 7.7p1-3 + 0.10.3-4 2018-04-16 11:15:43 +02:00
Jakub Jelen
48cef7a0b8 Opening tun devices fails + other regressions in OpenSSH v7.7 fixed upstream 2018-04-16 11:15:37 +02:00
Jakub Jelen
836590e795 7.7p1-2 + 0.10.3-4 2018-04-12 10:35:14 +02:00
Jakub Jelen
b0815ca514 7.7p1-1 + 0.10.3-4 2018-04-04 16:59:45 +02:00
Jakub Jelen
273086d13a Need a p11-kit to allow default pkcs11 proxy 2018-04-04 16:59:45 +02:00
Jakub Jelen
7e9748a2b5 PKCS#11: Support ECDSA keys and PKCS#11 URIs
Based on the patches in upstream bugzilla:
ECDSA:
  https://bugzilla.mindrot.org/show_bug.cgi?id=2474
PKCS#11 URI:
  https://bugzilla.mindrot.org/show_bug.cgi?id=2817
2018-04-04 16:56:59 +02:00
Jakub Jelen
3cd4899257 Rebase to latest OpenSSH 7.7p1 (#1563223) 2018-04-04 16:50:43 +02:00
Jakub Jelen
cbb6ca5123 openssh-7.6p1-7 + 0.10.3-3 2018-03-06 14:37:01 +01:00
Jakub Jelen
bd5b563008 Require crypto policies 2018-03-06 13:53:02 +01:00
Jakub Jelen
c2a9e41702 Recommend crypto policies also for a server 2018-02-19 12:10:48 +01:00
Jakub Jelen
07c951f665 Require gcc
https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot
2018-02-19 12:10:48 +01:00
Igor Gnatenko
a6b5c2c42d
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 08:27:35 +01:00
Igor Gnatenko
5f6f10859d Remove BuildRoot definition
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-13 23:58:21 +01:00
Fedora Release Engineering
13efdb1d7f - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 17:49:28 +00:00
Jakub Jelen
6a6c2bc3ab We need systemd-devel for sdnotify() 2018-02-01 16:30:07 +01:00
Jakub Jelen
0780f33c5f removal of systemd-units and conforming to packaging guidelines
Per announcement on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/LLG4T53FW2BGVZLGLKNYTKPD5SQNBZ2Y/
2018-01-27 10:57:06 +01:00
Jakub Jelen
bb4b7b77fc openssh-7.6p1-6 + 0.10.3-3 2018-01-26 16:26:50 +01:00
Florian Weimer
f61eaad2bd Rebuild to work around gcc bug leading to sshd miscompilation (#1538648) 2018-01-25 16:48:03 +01:00
Björn Esser
427beb2f9e
Rebuilt for switch to libxcrypt 2018-01-20 23:07:25 +01:00
Jakub Jelen
38b67ad605 Avoid undefined TRUE/FALSE in ldap patch to build in rawhide 2018-01-17 10:50:05 +01:00
Jakub Jelen
4d97279349 openssh-7.6p1-5 + 0.10.3-3 2018-01-17 10:13:18 +01:00
Jakub Jelen
316553ade0 Remove TCP wrappers support (#1530163) 2018-01-16 15:06:23 +01:00
Jakub Jelen
871dc3ed3e openssh-7.6p1-4 + 0.10.3-3 2017-12-14 10:23:37 +01:00
Jakub Jelen
1f2a7f3926 openssh-7.6p1-3 + 0.10.3-3 2017-12-11 11:54:38 +01:00
Jakub Jelen
eef660e534 7.6p1-2 + 0.10.3-3 2017-11-22 08:57:03 +01:00
Jakub Jelen
8fc2fee4e4 7.6p1-1 + 0.10.3-3 2017-11-07 14:58:44 +01:00
Jakub Jelen
c08aa4b8b1 Fix after-release bug in PermitOpen (posted on ML) 2017-11-07 14:58:44 +01:00
Jakub Jelen
5b55d0951d rebase patches to openssh-7.6p1 and make it build 2017-11-07 14:58:44 +01:00
Jakub Jelen
9e46aafab9 openssh-7.5p1-6 + 0.10.3-2 2017-10-19 16:09:53 +02:00
Jakub Jelen
72514f7644 Add newer gssapi kex methods, but leave them disabled out of the box yet 2017-10-19 16:09:53 +02:00
Jakub Jelen
8c9e97e65a Do not export KRBCCNAME if the default path is used (#1199363) 2017-10-19 16:09:53 +02:00
Jakub Jelen
ef66c0c677 openssh-7.5p1-5 + 0.10.3-2 2017-08-14 09:45:09 +02:00
Jakub Jelen
970a418151 Do not talk about SSHv1 in Summary 2017-08-09 16:10:33 +02:00
Jakub Jelen
6a05936971 Revert "server crypto policy"
This reverts commit 1d8ffcfe05.
2017-08-09 14:58:13 +02:00
Jakub Jelen
fffad0579c openssh-7.5p1-4 + 0.10.3-2 2017-08-02 15:46:58 +02:00
Jakub Jelen
722f82b9ab Remove openssh-clients-ssh1 subpackage (#1474942) 2017-08-02 15:46:58 +02:00
Jakub Jelen
1d8ffcfe05 Preprocess the configuration files to include crypto policies.
* The services are using ExecPre to start sshd-pre script
 * The sshd-pre script substitutes token in standard configuration file and writes a new on in /run
 * The services are using a file in /run as a sshd_config
2017-08-02 15:46:57 +02:00
Fedora Release Engineering
be108c2c82 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 01:53:26 +00:00
Petr Písař
64a3610c1f perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:20:53 +02:00
Jakub Jelen
2ea24bb006 openssh-7.5p1-2 + 0.10.3-2 2017-06-30 12:44:10 +02:00
Jakub Jelen
204765aba1 openssh-7.5p1-2 + 0.10.3-2 2017-03-23 14:48:09 +01:00
Jakub Jelen
c2f63ba00b Revert the chroot magic 2017-03-23 14:47:27 +01:00
Jakub Jelen
fb74d1ec96 Add missing header on s390 (#1434341) 2017-03-22 14:35:55 +01:00
Jakub Jelen
09320cf61a Fix typo in sandbox code, that got out after release
http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-March/035879.html
2017-03-21 10:12:44 +01:00
Jakub Jelen
17b491b307 openssh-7.5p1-1 + 0.10.3-2 2017-03-20 16:00:16 +01:00
Jakub Jelen
7b666e5764 openssh-7.4p1-4 + 0.10.3-1 2017-03-03 15:53:31 +01:00
Jakub Jelen
ab7f9474c7 openssh-7.4p1-3 + 0.10.3-1 2017-02-22 14:56:00 +01:00
Jakub Jelen
b92d3c8ae0 Reference upstream bug 2017-02-22 14:56:00 +01:00
Jakub Jelen
4e7cdec7ef Add systemd stuff to keep track of service 2017-02-22 14:56:00 +01:00
Jakub Jelen
140ef5a0f5 Properly report errors from included files (#1408558) 2017-02-22 14:56:00 +01:00
Jakub Jelen
a97eeb671c ppc architecture is gone for years 2017-02-22 14:56:00 +01:00
Jakub Jelen
465b6e6b82 Check seteuid return values in all cases 2017-02-22 14:56:00 +01:00
Jakub Jelen
bdb932c46a new pam_ssh_agent_auth-0.10.3 release 2017-02-22 14:55:59 +01:00
Jakub Jelen
26cec0607f openssh-7.4p1-2 + 0.10.2-5 2017-02-06 09:47:28 +01:00
Jakub Jelen
b19926d292 openssh-7.4p1-1 + 0.10.2-5 2017-01-03 14:31:29 +01:00
Jakub Jelen
58f79a27c3 Whitelist /usr/lib64/ for PKCS#11 modules 2017-01-03 14:31:29 +01:00
Jakub Jelen
6cf9b8e61b rebase to openssh-7.4p1-1
* Drop unaccepted (unapplying) coverity patches
 * Drop server support for SSH1 (server)
 * Workaround #2641 for systemd
 * UseLogin is gone
 * Drop upstream commit 28652bca
 * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288)
2017-01-03 14:31:20 +01:00
Jakub Jelen
d8c2e8dc88 openssh-7.3p1-7 + 0.10.2-4 2016-12-08 14:13:32 +01:00
Jakub Jelen
162941961a Move MAX_DISPLAYS to a configuration option 2016-12-08 14:13:32 +01:00
Jakub Jelen
7bccf7e6e0 openssh-7.3p1-6 + 0.10.2-4 2016-11-16 11:07:41 +01:00
Jakub Jelen
ccf623128a Fix changelog 2016-11-07 09:33:43 +01:00
Jakub Jelen
2a8bce34e4 openssh-7.3p1-5 + 0.10.2-4 2016-10-27 18:26:25 +02:00
Jakub Jelen
aacf0d429a OpenSSL 1.1.0 compat 2016-10-27 17:19:17 +02:00
Jakub Jelen
c9d9fe9b0f Recommend crypto-policies for a client package 2016-10-11 10:29:50 +02:00
Jakub Jelen
d924bc6892 openssh-7.3p1-4 + 0.10.2-4 2016-09-29 14:14:19 +02:00
Jakub Jelen
ae831ab305 Fix NULL derefence (#1380297)
https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
2016-09-29 11:15:13 +02:00
Jakub Jelen
739842b137 Make the code build without SELinux and without Audit 2016-09-15 16:36:04 +02:00
Jakub Jelen
0a605f4d31 openssh-7.3p1-3 + 0.10.2-4 2016-08-15 12:20:15 +02:00
Jakub Jelen
38d533a5e1 Proper content of the included configuration files 2016-08-15 12:18:50 +02:00
Jakub Jelen
73953d29f1 openssh-7.3p1-2 + 0.10.2-4 2016-08-09 10:32:01 +02:00
Jakub Jelen
88f3a752ae openssh-7.3p1-1. + 0.10.2-4 2016-08-09 08:24:35 +02:00
Jakub Jelen
90ffc35e29 Correct permissions on the ssh_config directory (#1365270) 2016-08-09 08:23:44 +02:00
Jakub Jelen
a711d3c82f openssh-7.3p1-1 + 0.10.2-4 2016-08-04 13:57:21 +02:00
Jakub Jelen
6454089e75 Create include directory with example content (redhat modifications) 2016-08-04 13:57:21 +02:00
Jakub Jelen
6da7f4d0ed Drop SCP progressmeter patch because of reworked UTF-8 API (tracked upstream #2434) 2016-08-04 13:57:02 +02:00
Jakub Jelen
70c2ac20bd CVE-2016-6210 is fixed upstream 2016-08-04 10:59:59 +02:00
Jakub Jelen
13a7aaf5e3 CVE-2015-8325 and certificate regression are fixed upstream 2016-08-04 10:59:59 +02:00
Jakub Jelen
38e1dfa80d Upstream bug #2477 applied 2016-08-04 10:59:59 +02:00
Jakub Jelen
4bd77fcccc seccomp for secondary architecures patch already upstream (#2590) 2016-08-04 10:59:59 +02:00
Jakub Jelen
05bc93847e Bug #2281 resolved upstream 2016-08-04 10:59:59 +02:00
Jakub Jelen
178ce15f5a UTF-8 banners resolved by upstream bug #2058 2016-08-04 10:59:59 +02:00
Jakub Jelen
14320ca590 The upstream bug #2257 is fixed 2016-08-04 10:59:59 +02:00
Jakub Jelen
82bfd19e51 openssh-7.2p2-11 + 0.10.2-3 2016-07-26 15:41:29 +02:00
Jakub Jelen
6a7dd92929 Remove legacy sshd-keygen (#1359762)
Revert "Add legacy sshd-keygen for anaconda (#1331077)"

This reverts commit 0b5300a59c.
2016-07-26 15:41:29 +02:00
Jakub Jelen
793bc4b1cc Remove slogin symlinks (#1359762)
Revert "Restore slogin symlinks"

This reverts commit e762f7265e.
2016-07-26 15:41:29 +02:00
Jakub Jelen
b4df5ebb8d Rework SELinux context handling with chroot using libcap-ng (#1357860) 2016-07-26 15:40:30 +02:00
Jakub Jelen
9dc741314f openssh-7.2p2-10 + 0.10.2-3 2016-07-18 13:55:58 +02:00
Jakub Jelen
1057900209 Prevent user enumeration via timing channel (CVE-2016-6210) 2016-07-18 13:30:52 +02:00
Jakub Jelen
209c7a8aea Expose more information to PAM 2016-07-18 13:30:51 +02:00
Jakub Jelen
9864973c69 Make closefrom() ignore softlinks to the /dev/ devices on s390 2016-07-18 12:26:15 +02:00
Jakub Jelen
a49441fa52 openssh-7.2p2-9 + 0.10.2-3 2016-07-01 09:07:18 +02:00
Jakub Jelen
5a67d51d0f openssh-7.2p2-8 + 0.10.2-3 2016-06-24 12:07:22 +02:00
Jakub Jelen
186bf3858e UseLogin yes is not supported in Fedora 2016-06-24 12:07:22 +02:00
Petr Písař
ad928ac7d1 Mandatory Perl build-requires added <https://fedoraproject.org/wiki/Changes/Build_Root_Without_Perl> 2016-06-24 10:03:17 +02:00
Jakub Jelen
ba8f38935c openssh-7.2p2-7 2016-06-06 16:39:35 +02:00
Jakub Jelen
f6a096caf2 Build seccomp filter on ppc64(le) architecture (#1195065) 2016-06-06 16:39:35 +02:00
Jakub Jelen
1144aef1d1 Comments for patches, merge ssh_config from localdomain to redhat patch (ssh_config related) 2016-06-06 16:39:17 +02:00
Jakub Jelen
f2868287aa rebase x11 patch to clean up coverity patch 2016-06-03 10:44:32 +02:00
Jakub Jelen
ea9421342e Coverity: dereference in pam_ssh_agent_auth
Upstream: https://sourceforge.net/p/pamsshagentauth/bugs/22/
2016-06-03 09:49:44 +02:00
Jakub Jelen
d78d347c11 Check for real location of .k5login file (#1328243) 2016-06-03 09:29:58 +02:00
Jakub Jelen
8dd0608e77 Regression in certificate-based authentication (#1333498) 2016-05-06 09:25:20 +02:00
Jakub Jelen
991b66246f openssh-7.2p2-6 + 0.10.2-3 2016-04-29 13:57:45 +02:00
Jakub Jelen
0b5300a59c Add legacy sshd-keygen for anaconda (#1331077) 2016-04-29 13:41:38 +02:00
Jakub Jelen
1380564732 openssh-7.2p2-5 + 0.10.2-3 2016-04-22 14:52:57 +02:00
Jakub Jelen
cf4e3a1844 Fix for CVE-2015-8325 (#1328013) 2016-04-18 12:39:11 +02:00
Jakub Jelen
58d2868dfe openssh-7.2p2-4 + 0.10.2-3 2016-04-15 17:56:43 +02:00
Jakub Jelen
5489ace8dc Add sshd-keygen.target to abstract key creation from sshd.service and sshd@.service (#1325535)
* PartOf  is needed to trigger  sshd-keygen  checks for  sshd.service  restarts
 * sshd-keygen.target  makes a level of abstraction to eliminate dupplicate
   dependencies on both  sshd  and  sshd@  services
2016-04-15 17:05:32 +02:00
Jakub Jelen
461b3af818 Remove unused sshd init script 2016-04-15 17:04:59 +02:00
Jakub Jelen
32a74888d5 openssh-7.2p2-3 + 0.10.2-3 2016-04-13 13:44:58 +02:00
Jakub Jelen
00c7b75439 Make sshd-keygen comply with packaging guidelines (#1325535) 2016-04-13 13:42:12 +02:00
Jakub Jelen
f7e56a52db openssh-7.2p2-2 + 0.10.2-3 2016-04-06 13:01:29 +02:00
Jakub Jelen
9163ba11f1 openssh-7.2p2-1 + 0.10.2-3 2016-03-10 13:36:41 +01:00
Jakub Jelen
0bdae3b8df openssh-7.2p1-1 + 0.10.2-2 2016-03-03 17:59:53 +01:00
Jakub Jelen
e762f7265e Restore slogin symlinks 2016-03-03 17:48:20 +01:00
Jakub Jelen
13073f8d9c openssh-7.2p1-1 (#1312870) 2016-02-29 15:01:33 +01:00
Jakub Jelen
46445f1c7a openssh-7.1p2-4 + 0.10.2-1 2016-02-25 10:38:09 +01:00
Jakub Jelen
44fc97266b Audit race condition resolved (#1308295) 2016-02-25 10:37:22 +01:00
Jakub Jelen
700da17374 Remove hard glob limit since the CVE introducing this one is unrelated. 2016-02-24 09:51:43 +01:00
Fedora Release Engineering
b2b837ad97 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 11:34:23 +00:00
Jakub Jelen
8ddd3edcd8 openssh-7.1p2-3 + 0.10.2-1 2016-01-30 01:18:26 +01:00
Jakub Jelen
6c2eb5e22d openssh-7.1p2-2 + 0.10.2-1 2016-01-26 09:00:28 +01:00
Jakub Jelen
38c7737421 Remove defattr from spec file
Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/
2016-01-26 09:00:28 +01:00
Jakub Jelen
733cea720e CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding
Upstream commits:
  https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
  https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
2016-01-26 09:00:23 +01:00
Jakub Jelen
87ab5fc4af Reabse to latest release of pam_ssh_agent_auth with preserving current functionality
* Rebase to latest upstream version
 * Clean up older patches for pam_ssh_agent_auth
 * Remove prefixes from upstream release so we can build it against current
   openssh library
 * Remove copied files and headers so we make sure we build against current openssh
2016-01-25 13:32:42 +01:00
Jakub Jelen
7bc64374b0 openssh-7.1p2-1 + 0.9.2-9 2016-01-14 16:11:06 +01:00
Jakub Jelen
b2191db92e openssh-7.1p1-7 + 0.9.2-8 2016-01-12 13:15:33 +01:00
Jakub Jelen
06b1d5330a Make ssh-keysign world readable (#1296724) 2016-01-08 13:22:09 +01:00
Jakub Jelen
f26cd8d6ee Update ssh-agent permissions (#1296724)
* It is no longer required to have ssh-agent with suid bit, because
  the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]

[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
2016-01-08 11:27:02 +01:00
Jakub Jelen
7c5d0a686c Make sure the semantics of %global macro stays the same as before a0e252571b 2016-01-08 09:15:52 +01:00
Jakub Jelen
a0e252571b Change %define to %global according to packaging guidelines
Based on discussion started on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/AS35NKZSAWRIKY77IUYOVNFAT6AJQVAU/
2016-01-04 10:41:27 +01:00
Jakub Jelen
c45d147a86 openssh-7.1p1-6 + 0.9.2-8 2015-12-18 14:36:00 +01:00
Jakub Jelen
f6bd29aaca Preserve IUTF8 tty mode flag over ssh connections (#1270248) 2015-12-18 14:36:00 +01:00
Jakub Jelen
86f52d4e69 Rebase downstream patches of ssh-copy-id into one from upstream
Source:
http://git.hands.com/ssh-copy-id
2015-12-16 15:40:10 +01:00