Commit Graph

974 Commits

Author SHA1 Message Date
Jakub Jelen
b7de610db3 Fix typo about sshd-keygen in sysconfig (#1325535) 2016-04-22 14:50:30 +02:00
Jakub Jelen
cf4e3a1844 Fix for CVE-2015-8325 (#1328013) 2016-04-18 12:39:11 +02:00
Jakub Jelen
58d2868dfe openssh-7.2p2-4 + 0.10.2-3 2016-04-15 17:56:43 +02:00
Jakub Jelen
5489ace8dc Add sshd-keygen.target to abstract key creation from sshd.service and sshd@.service (#1325535)
* PartOf  is needed to trigger  sshd-keygen  checks for  sshd.service  restarts
 * sshd-keygen.target  makes a level of abstraction to eliminate dupplicate
   dependencies on both  sshd  and  sshd@  services
2016-04-15 17:05:32 +02:00
Jakub Jelen
461b3af818 Remove unused sshd init script 2016-04-15 17:04:59 +02:00
Jakub Jelen
32a74888d5 openssh-7.2p2-3 + 0.10.2-3 2016-04-13 13:44:58 +02:00
Jakub Jelen
00c7b75439 Make sshd-keygen comply with packaging guidelines (#1325535) 2016-04-13 13:42:12 +02:00
Jakub Jelen
3d2c14680b Soft-deny socket() syscall in seccomp sandbox (#1324493)
* Used for  ecdh-sha2-nistp*  key exchange methods in FIPS mode
2016-04-11 16:14:25 +02:00
Jakub Jelen
0509c6c977 Remove *sha1 Kex in FIPS mode (#1324493) 2016-04-11 13:16:52 +02:00
Jakub Jelen
117a730ded Remove *gcm ciphers in FIPS mode (#1324493) 2016-04-11 13:16:44 +02:00
Jakub Jelen
f7e56a52db openssh-7.2p2-2 + 0.10.2-3 2016-04-06 13:01:29 +02:00
Jakub Jelen
fc0cf7f8d5 Fix GSSAPI Key Exchange for older clients (#1323622)
Failed with older clients, because server was doing signature over
different data than the verifying client. It was caused by bump of
minimal DH groups offered by server and a bug in code, which was
using max(client_min, server_min) instead of client_min as proposed
by RFC4462.
2016-04-06 12:53:37 +02:00
Jakub Jelen
bda184b249 pam_ssh_agent_auth: prevent using MD5 in Fips mode 2016-03-16 09:40:35 +01:00
Jakub Jelen
53c9992786 Drop init scripts dependency from sshd-keygen (#1317722) 2016-03-15 09:06:10 +01:00
Jakub Jelen
9163ba11f1 openssh-7.2p2-1 + 0.10.2-3 2016-03-10 13:36:41 +01:00
Jakub Jelen
28ce052525 Audit: Cleanup for upstream proposal
* whitespace cleanup
 * use constants instead of magic numbers
 * get rid of backup_state from old API
 * proper conditionalization of audit code
 * remove ancient fingerprint_prefix() function
2016-03-04 17:36:08 +01:00
Jakub Jelen
0bdae3b8df openssh-7.2p1-1 + 0.10.2-2 2016-03-03 17:59:53 +01:00
Jakub Jelen
e762f7265e Restore slogin symlinks 2016-03-03 17:48:20 +01:00
Jakub Jelen
13bf5bef36 Forgotten rebased FIPS patch 2016-02-29 15:16:45 +01:00
Jakub Jelen
13073f8d9c openssh-7.2p1-1 (#1312870) 2016-02-29 15:01:33 +01:00
Jakub Jelen
46445f1c7a openssh-7.1p2-4 + 0.10.2-1 2016-02-25 10:38:09 +01:00
Jakub Jelen
44fc97266b Audit race condition resolved (#1308295) 2016-02-25 10:37:22 +01:00
Jakub Jelen
7b15444065 Fix X11 forwarding CVE according to upstream 2016-02-24 09:51:43 +01:00
Jakub Jelen
4fdc3c59c4 Fix problem when running without privsep (#1303910) 2016-02-24 09:51:43 +01:00
Jakub Jelen
700da17374 Remove hard glob limit since the CVE introducing this one is unrelated. 2016-02-24 09:51:43 +01:00
Fedora Release Engineering
b2b837ad97 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 11:34:23 +00:00
Jakub Jelen
8ddd3edcd8 openssh-7.1p2-3 + 0.10.2-1 2016-01-30 01:18:26 +01:00
Jakub Jelen
ca79709ade Silently disable X11 forwarding
Based on feedback on previous update:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-47ac27532d
2016-01-30 01:18:12 +01:00
Jakub Jelen
c08255b7b1 Fix pam_ssh_agent_auth segfaults with non-accepted keys (#1303036) 2016-01-30 01:18:06 +01:00
Jakub Jelen
d1b43a2865 Update sshd service file to forking (as #1291172) 2016-01-26 13:54:53 +01:00
Jakub Jelen
7adf5f4c63 Missing pam_ssh_agent_auth sources 2016-01-26 09:10:27 +01:00
Jakub Jelen
6c2eb5e22d openssh-7.1p2-2 + 0.10.2-1 2016-01-26 09:00:28 +01:00
Jakub Jelen
38c7737421 Remove defattr from spec file
Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/
2016-01-26 09:00:28 +01:00
Jakub Jelen
733cea720e CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding
Upstream commits:
  https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
  https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
2016-01-26 09:00:23 +01:00
Jakub Jelen
87ab5fc4af Reabse to latest release of pam_ssh_agent_auth with preserving current functionality
* Rebase to latest upstream version
 * Clean up older patches for pam_ssh_agent_auth
 * Remove prefixes from upstream release so we can build it against current
   openssh library
 * Remove copied files and headers so we make sure we build against current openssh
2016-01-25 13:32:42 +01:00
Jakub Jelen
7bc64374b0 openssh-7.1p2-1 + 0.9.2-9 2016-01-14 16:11:06 +01:00
Jakub Jelen
b2191db92e openssh-7.1p1-7 + 0.9.2-8 2016-01-12 13:15:33 +01:00
Jakub Jelen
af94f46861 Fix condition to run sshd-keygen
When the first boot fails for some reason and the host keys files
are created, but the content not synced into the disk, during the
second boot, the keygen is not run, but the sshd will not start.
Changing condition mitigates this case.
2016-01-12 13:14:58 +01:00
Jakub Jelen
06b1d5330a Make ssh-keysign world readable (#1296724) 2016-01-08 13:22:09 +01:00
Jakub Jelen
f26cd8d6ee Update ssh-agent permissions (#1296724)
* It is no longer required to have ssh-agent with suid bit, because
  the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]

[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
2016-01-08 11:27:02 +01:00
Jakub Jelen
7c5d0a686c Make sure the semantics of %global macro stays the same as before a0e252571b 2016-01-08 09:15:52 +01:00
Jakub Jelen
da62b78673 Do not check for openssl based keys if built without openssl 2016-01-05 12:48:00 +01:00
Jakub Jelen
62897e51d6 Do not set default values for GSSAPI when building without GSSAPI 2016-01-05 12:41:38 +01:00
Jakub Jelen
e1b19de52a Fix wrong handling of LEGACY environment variable 2016-01-05 12:39:40 +01:00
Jakub Jelen
a0e252571b Change %define to %global according to packaging guidelines
Based on discussion started on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/AS35NKZSAWRIKY77IUYOVNFAT6AJQVAU/
2016-01-04 10:41:27 +01:00
Jakub Jelen
c45d147a86 openssh-7.1p1-6 + 0.9.2-8 2015-12-18 14:36:00 +01:00
Jakub Jelen
f6bd29aaca Preserve IUTF8 tty mode flag over ssh connections (#1270248) 2015-12-18 14:36:00 +01:00
Jakub Jelen
c9e7e79685 Compatibility SSH_COPY_ID_LEGACY for ssh-copy-id 2015-12-18 14:36:00 +01:00
Jakub Jelen
86f52d4e69 Rebase downstream patches of ssh-copy-id into one from upstream
Source:
http://git.hands.com/ssh-copy-id
2015-12-16 15:40:10 +01:00
Jakub Jelen
d9d9575f00 GSSAPI Key Exchange documentation improvements
from Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
2015-12-10 15:37:52 +01:00