Commit Graph

1102 Commits

Author SHA1 Message Date
Jakub Jelen
7b15444065 Fix X11 forwarding CVE according to upstream 2016-02-24 09:51:43 +01:00
Jakub Jelen
4fdc3c59c4 Fix problem when running without privsep (#1303910) 2016-02-24 09:51:43 +01:00
Jakub Jelen
700da17374 Remove hard glob limit since the CVE introducing this one is unrelated. 2016-02-24 09:51:43 +01:00
Fedora Release Engineering
b2b837ad97 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 11:34:23 +00:00
Jakub Jelen
8ddd3edcd8 openssh-7.1p2-3 + 0.10.2-1 2016-01-30 01:18:26 +01:00
Jakub Jelen
ca79709ade Silently disable X11 forwarding
Based on feedback on previous update:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-47ac27532d
2016-01-30 01:18:12 +01:00
Jakub Jelen
c08255b7b1 Fix pam_ssh_agent_auth segfaults with non-accepted keys (#1303036) 2016-01-30 01:18:06 +01:00
Jakub Jelen
d1b43a2865 Update sshd service file to forking (as #1291172) 2016-01-26 13:54:53 +01:00
Jakub Jelen
7adf5f4c63 Missing pam_ssh_agent_auth sources 2016-01-26 09:10:27 +01:00
Jakub Jelen
6c2eb5e22d openssh-7.1p2-2 + 0.10.2-1 2016-01-26 09:00:28 +01:00
Jakub Jelen
38c7737421 Remove defattr from spec file
Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/
2016-01-26 09:00:28 +01:00
Jakub Jelen
733cea720e CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding
Upstream commits:
  https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
  https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
2016-01-26 09:00:23 +01:00
Jakub Jelen
87ab5fc4af Reabse to latest release of pam_ssh_agent_auth with preserving current functionality
* Rebase to latest upstream version
 * Clean up older patches for pam_ssh_agent_auth
 * Remove prefixes from upstream release so we can build it against current
   openssh library
 * Remove copied files and headers so we make sure we build against current openssh
2016-01-25 13:32:42 +01:00
Jakub Jelen
7bc64374b0 openssh-7.1p2-1 + 0.9.2-9 2016-01-14 16:11:06 +01:00
Jakub Jelen
b2191db92e openssh-7.1p1-7 + 0.9.2-8 2016-01-12 13:15:33 +01:00
Jakub Jelen
af94f46861 Fix condition to run sshd-keygen
When the first boot fails for some reason and the host keys files
are created, but the content not synced into the disk, during the
second boot, the keygen is not run, but the sshd will not start.
Changing condition mitigates this case.
2016-01-12 13:14:58 +01:00
Jakub Jelen
06b1d5330a Make ssh-keysign world readable (#1296724) 2016-01-08 13:22:09 +01:00
Jakub Jelen
f26cd8d6ee Update ssh-agent permissions (#1296724)
* It is no longer required to have ssh-agent with suid bit, because
  the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]

[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
2016-01-08 11:27:02 +01:00
Jakub Jelen
7c5d0a686c Make sure the semantics of %global macro stays the same as before a0e252571b 2016-01-08 09:15:52 +01:00
Jakub Jelen
da62b78673 Do not check for openssl based keys if built without openssl 2016-01-05 12:48:00 +01:00
Jakub Jelen
62897e51d6 Do not set default values for GSSAPI when building without GSSAPI 2016-01-05 12:41:38 +01:00
Jakub Jelen
e1b19de52a Fix wrong handling of LEGACY environment variable 2016-01-05 12:39:40 +01:00
Jakub Jelen
a0e252571b Change %define to %global according to packaging guidelines
Based on discussion started on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/AS35NKZSAWRIKY77IUYOVNFAT6AJQVAU/
2016-01-04 10:41:27 +01:00
Jakub Jelen
c45d147a86 openssh-7.1p1-6 + 0.9.2-8 2015-12-18 14:36:00 +01:00
Jakub Jelen
f6bd29aaca Preserve IUTF8 tty mode flag over ssh connections (#1270248) 2015-12-18 14:36:00 +01:00
Jakub Jelen
c9e7e79685 Compatibility SSH_COPY_ID_LEGACY for ssh-copy-id 2015-12-18 14:36:00 +01:00
Jakub Jelen
86f52d4e69 Rebase downstream patches of ssh-copy-id into one from upstream
Source:
http://git.hands.com/ssh-copy-id
2015-12-16 15:40:10 +01:00
Jakub Jelen
d9d9575f00 GSSAPI Key Exchange documentation improvements
from Debian patches:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
2015-12-10 15:37:52 +01:00
Jakub Jelen
f33aef5318 Remove unused patches 2015-12-08 14:22:44 +01:00
Jakub Jelen
5410d2d3a7 Do not require sysconfig file to start service (#1279521) 2015-11-09 17:10:15 +01:00
Jakub Jelen
ef86a312db openssh-7.1p1-5 + 0.9.2-8 2015-11-04 10:18:50 +01:00
Jakub Jelen
b6d4dc0a6f Do not set user context too many times for root logins (#1269072) 2015-11-04 10:17:32 +01:00
Jakub Jelen
fa54d5472d openssh-7.1p1-4 + 0.9.2-8 2015-10-22 14:55:07 +02:00
Jakub Jelen
aa9a7754ed Audit implicit mac, if mac is covered in cipher (#1271694)
For example chacha20-poly1305@openssh.com is AEAD (Authenticated Encryption with Associated Data) cipher and thus there is no separate MAC when it is used.
2015-10-22 14:53:36 +02:00
Jakub Jelen
0ebe96b604 Handle root logins the same way as other users (#1269072)
root users are unconfined by definition, but they can be limited by SELinux so having privilege separation still makes sense. As a consequence we can remove hunk that handled this condition if we skipped forking.
2015-10-22 14:52:55 +02:00
Jakub Jelen
22a08c3da4 Review SELinux user context handling after authentication (#1269072)
The previous required to have for all SELInux user contexts with setexec capability. Otherwise user would not be able to change password if it is expired. This patch sets correct context and cleans up the exec context.

When doing chroot, copy_selinux_context is called twice
2015-10-15 16:21:33 +02:00
Jakub Jelen
8395bb78d0 Increase size limit of glob structures in sftp 2015-09-30 15:27:08 +02:00
Jakub Jelen
a80c277795 openssh-7.1p1-3 + 0.9.2-8 2015-09-25 14:10:39 +02:00
Jakub Jelen
a01bd486f0 Fix obsolete usage of SELinux constants (#1261496) 2015-09-25 14:10:25 +02:00
Jakub Jelen
bf69b47630 Allow gss-keyex root login when without-password is set (#2456)
Reported upstream, but applicable also for our gss-keyex patch:
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
2015-09-24 15:57:11 +02:00
Jakub Jelen
6bf47e3d35 Having no keys is not fatal in gssapi key exchange (#1261414) 2015-09-24 15:57:11 +02:00
Jakub Jelen
9a804fa266 Apply GSSAPI key exchange methods in client offered list (#1261414) 2015-09-24 15:57:11 +02:00
Jakub Jelen
c6ba7b1e09 Return back forgotten patch which prevent connection using GSSAPI key exchange (#1261414) 2015-09-24 15:57:11 +02:00
Jakub Jelen
812f08d95e Provide full RELRO and PIE form askpass helper (#1264036) 2015-09-24 15:57:11 +02:00
Jakub Jelen
3e5d955bcb Fix FIPS mode for DH kex (#1260253) 2015-09-11 11:32:37 +02:00
Jakub Jelen
98262158d8 openssh-7.1p1-2 + 0.9.2-8 2015-09-09 14:29:31 +02:00
Jakub Jelen
c4c52b0667 Fix warnings produced by gcc
related to
 * ssh-keysign and fingerprint algorithms
 * ssh and GSSAPI algorithms validation
2015-09-09 10:59:19 +02:00
Jakub Jelen
757fec581b openssh-7.1p1-1 + 0.9.3-8 2015-08-22 22:22:48 +02:00
Jakub Jelen
ccd186847a Add corresponding options for ssh1 configure 2015-08-22 22:22:48 +02:00
Jakub Jelen
c98f559725 HostKeyAlgorithms option on server is broken when using + sign 2015-08-22 22:22:48 +02:00