# Do we want SELinux & Audit
%if 0%{?!noselinux:1}
%global WITH_SELINUX 1
%else
%global WITH_SELINUX 0
%endif
%global _hardened_build 1
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 0
# Do we want to link against a static libcrypto? (1=yes 0=no)
%global static_libcrypto 0
# Use GTK3 instead of GTK2 in gnome-ssh-askpass
%global gtk3 1
# Build position-independent executables (requires toolchain support)?
%global pie 1
# Do we want kerberos5 support (1=yes 0=no)
%global kerberos5 1
# Do we want libedit support
%global libedit 1
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_gnome_askpass:%global no_gnome_askpass 1}
# Add option to build without GTK2 for older platforms with only GTK+.
# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk3 1'
%{?no_gtk3:%global gtk3 0}
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1}
%global openssh_ver 9.9p1
%global openssh_rel 7
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}.alma.1
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam
Source3: gpgkey-736060BA.gpg
Source6: ssh-keycat.pam
Source7: sshd.sysconfig
Source9: sshd@.service
Source10: sshd.socket
Source11: sshd.service
Source12: sshd-keygen@.service
Source13: sshd-keygen
Source15: sshd-keygen.target
Source16: ssh-agent.service
Source17: ssh-agent.socket
Source19: openssh-server-systemd-sysusers.conf
Source20: ssh-host-keys-migration.sh
Source21: ssh-host-keys-migration.service
Source22: parallel_test.sh
Source23: parallel_test.Makefile
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
Patch100: openssh-6.7p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event
Patch200: openssh-7.6p1-audit.patch
# Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2049947
Patch202: openssh-9.0p1-audit-log.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-7.8p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-6.6p1-privsep-selinux.patch
#?
Patch502: openssh-6.6p1-keycat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-6.6p1-allow-ip-opts.patch
#(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Patch606: openssh-5.9p1-ipv6man.patch
#?
Patch607: openssh-5.8p2-sigpipe.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-7.2p2-x11.patch
#?
Patch700: openssh-7.7p1-fips.patch
#?
Patch702: openssh-5.1p1-askpass-progress.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=198332
Patch703: openssh-4.3p2-askpass-grab-info.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-7.7p1-redhat.patch
# warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-7.8p1-UsePAM-warning.patch
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
# and
# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
# upstream MR:
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
Patch800: openssh-9.6p1-gssapi-keyex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.6p1-force_krb.patch
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
# CVE-2014-9278
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
# Improve ccache handling in openssh (#991186, #1199363, #1566494)
# https://bugzilla.mindrot.org/show_bug.cgi?id=2775
Patch804: openssh-7.7p1-gssapi-new-unique.patch
# Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.6p1-kuserok.patch
# Use tty allocation for a remote scp (#985650)
Patch906: openssh-6.4p1-fromto-remote.patch
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
Patch916: openssh-6.6.1p1-selinux-contexts.patch
# log via monitor in chroots without /dev/log (#2681)
Patch918: openssh-6.6.1p1-log-in-chroot.patch
# scp file into non-existing directory (#1142223)
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
# apply upstream patch and make sshd -T more consistent (#1187521)
Patch922: openssh-6.8p1-sshdT-output.patch
# Add sftp option to force mode of created files (#1191055)
Patch926: openssh-6.7p1-sftp-force-permission.patch
# make s390 use /dev/ crypto devices -- ignore closefrom
Patch939: openssh-7.2p2-s390-closefrom.patch
# Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch
# Pass inetd flags for SELinux down to openbsd compat level
Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit
Patch950: openssh-7.5p1-sandbox.patch
# PKCS#11 URIs (upstream #2817, 2nd iteration)
# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
Patch951: openssh-8.0p1-pkcs11-uri.patch
# Unbreak scp between two IPv6 hosts (#1620333)
Patch953: openssh-7.8p1-scp-ipv6.patch
# Mention crypto-policies in manual pages (#1668325)
# clarify rhbz#2068423 on the man page of ssh_config
Patch962: openssh-8.0p1-crypto-policies.patch
# Use OpenSSL KDF (#1631761)
Patch964: openssh-8.0p1-openssl-kdf.patch
# sk-dummy.so built with -fvisibility=hidden does not work
Patch965: openssh-8.2p1-visibility.patch
# Do not break X11 without IPv6
Patch966: openssh-8.2p1-x11-without-ipv6.patch
# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch
# Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch
# Workaround for lack of sftp_realpath in older versions of RHEL
# https://bugzilla.redhat.com/show_bug.cgi?id=2038854
# https://github.com/openssh/openssh-portable/pull/299
# downstream only
Patch981: openssh-8.7p1-recursive-scp.patch
# https://github.com/djmdjm/openssh-wip/pull/13
Patch982: openssh-8.7p1-minrsabits.patch
# downstream only, IBMCA tentative fix
# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
Patch984: openssh-8.7p1-ibmca.patch
# Add missing options from ssh_config into ssh manpage
# upstream bug:
# https://bugzilla.mindrot.org/show_bug.cgi?id=3455
Patch1002: openssh-8.7p1-ssh-manpage.patch
# Don't propose disallowed algorithms during hostkey negotiation
# upstream MR:
# https://github.com/openssh/openssh-portable/pull/323
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
Patch1012: openssh-9.0p1-evp-fips-kex.patch
Patch1014: openssh-8.7p1-nohostsha1proof.patch
Patch1015: openssh-9.6p1-pam-rhost.patch
Patch1016: openssh-9.9p1-separate-keysign.patch
#Patch1017: openssh-8.7p1-redhat-help.patch
Patch1018: openssh-8.7p1-openssl-log.patch
# upstream cf3e48ee8ba1beeccddd2f203b558fa102be67a2
# upstream 0c3927c45f8a57b511c874c4d51a8c89414f74ef
Patch1019: openssh-9.9p1-mlkembe.patch
# upstream 3f02368e8e9121847727c46b280efc280e5eb615
# upstream 67a115e7a56dbdc3f5a58c64b29231151f3670f5
Patch1020: openssh-9.9p1-match-regression.patch
# upstream 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2
# upstream 0832aac79517611dd4de93ad0a83577994d9c907
Patch1021: openssh-9.9p2-error_processing.patch
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
Requires: /sbin/nologin
%if ! %{no_gnome_askpass}
BuildRequires: libX11-devel
%if %{gtk3}
BuildRequires: gtk3-devel
%else
BuildRequires: gtk2-devel
%endif
%endif
BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
BuildRequires: audit-libs-devel >= 2.0.5
BuildRequires: util-linux, groff
BuildRequires: pam-devel
BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: perl-podlators
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: gcc make
BuildRequires: p11-kit-devel
BuildRequires: libfido2-devel
Recommends: p11-kit
Obsoletes: openssh-ldap < 8.3p1-4
Obsoletes: openssh-cavs < 8.4p1-5
%if %{kerberos5}
BuildRequires: krb5-devel
%endif
%if %{libedit}
BuildRequires: libedit-devel ncurses-devel
%endif
%if %{WITH_SELINUX}
Requires: libselinux >= 2.3-5
BuildRequires: libselinux-devel >= 2.3-5
Requires: audit-libs >= 1.0.8
BuildRequires: audit-libs >= 1.0.8
%endif
BuildRequires: xauth
# for tarball signature verification
BuildRequires: gnupg2
%package clients
Summary: An open source SSH client applications
Requires: openssh = %{version}-%{release}
Requires: crypto-policies >= 20220824-1
%package keysign
Summary: A helper program used for host-based authentication
Requires: openssh = %{version}-%{release}
%package server
Summary: An open source SSH server daemon
Requires: openssh = %{version}-%{release}
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
Requires: crypto-policies >= 20220824-1
%{?systemd_requires}
%package keycat
Summary: A mls keycat backend for openssh
Requires: openssh = %{version}-%{release}
%package askpass
Summary: A passphrase dialog for OpenSSH and X
Requires: openssh = %{version}-%{release}
%package sk-dummy
Summary: OpenSSH SK driver for test purposes
Requires: openssh = %{version}-%{release}
%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
%description keysign
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. ssh-keysign is a
helper program used for host-based authentication disabled by default.
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server.
%description keycat
OpenSSH mls keycat is backend for using the authorized keys in the
openssh in the mls mode.
%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.
%description sk-dummy
This package contains a test SK driver used for OpenSSH test purposes
%prep
gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%setup -q
%patch -P 400 -p1 -b .role-mls
%patch -P 404 -p1 -b .privsep-selinux
%patch -P 502 -p1 -b .keycat
%patch -P 601 -p1 -b .ip-opts
%patch -P 606 -p1 -b .ipv6man
%patch -P 607 -p1 -b .sigpipe
%patch -P 609 -p1 -b .x11
%patch -P 702 -p1 -b .progress
%patch -P 703 -p1 -b .grab-info
%patch -P 707 -p1 -b .redhat
%patch -P 711 -p1 -b .log-usepam-no
#
%patch -P 800 -p1 -b .gsskex
%patch -P 801 -p1 -b .force_krb
%patch -P 804 -p1 -b .ccache_name
%patch -P 805 -p1 -b .k5login
#
%patch -P 901 -p1 -b .kuserok
%patch -P 906 -p1 -b .fromto-remote
%patch -P 916 -p1 -b .contexts
%patch -P 918 -p1 -b .log-in-chroot
%patch -P 919 -p1 -b .scp
%patch -P 802 -p1 -b .GSSAPIEnablek5users
%patch -P 922 -p1 -b .sshdt
%patch -P 926 -p1 -b .sftp-force-mode
%patch -P 939 -p1 -b .s390-dev
%patch -P 944 -p1 -b .x11max
%patch -P 949 -p1 -b .refactor
%patch -P 950 -p1 -b .sandbox
%patch -P 951 -p1 -b .pkcs11-uri
%patch -P 953 -p1 -b .scp-ipv6
%patch -P 962 -p1 -b .crypto-policies
%patch -P 964 -p1 -b .openssl-kdf
%patch -P 965 -p1 -b .visibility
%patch -P 966 -p1 -b .x11-ipv6
%patch -P 974 -p1 -b .keygen-strip-doseol
%patch -P 975 -p1 -b .preserve-pam-errors
%patch -P 977 -p1 -b .kill-scp
%patch -P 981 -p1 -b .scp-sftpdirs
%patch -P 982 -p1 -b .minrsabits
%patch -P 984 -p1 -b .ibmca
%patch -P 200 -p1 -b .audit
%patch -P 201 -p1 -b .audit-race
%patch -P 202 -p1 -b .audit-log
%patch -P 700 -p1 -b .fips
%patch -P 1002 -p1 -b .ssh-manpage
%patch -P 1006 -p1 -b .negotiate-supported-algs
%patch -P 1012 -p1 -b .evp-fips-dh
%patch -P 1014 -p1 -b .nosha1hostproof
%patch -P 1015 -p1 -b .pam-rhost
%patch -P 1016 -p1 -b .sep-keysign
#%patch -P 1017 -p1 -b .help
%patch -P 1018 -p1 -b .openssl-log
%patch -P 1019 -p1 -b .mlkembe
%patch -P 1020 -p1 -b .match
%patch -P 1021 -p1 -b .errcode_set
%patch -P 100 -p1 -b .coverity
autoreconf
%build
%set_build_flags
CFLAGS="$CFLAGS"; export CFLAGS
%if %{pie}
%ifarch s390 s390x sparc sparcv9 sparc64
CFLAGS="$CFLAGS -fPIC"
%else
CFLAGS="$CFLAGS -fpic"
%endif
SAVE_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS -pie -z relro -z now"
export CFLAGS
export LDFLAGS
%endif
%if %{kerberos5}
if test -r /etc/profile.d/krb5-devel.sh ; then
source /etc/profile.d/krb5-devel.sh
fi
krb5_prefix=`krb5-config --prefix`
if test "$krb5_prefix" != "%{_prefix}" ; then
CPPFLAGS="$CPPFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"; export CPPFLAGS
CFLAGS="$CFLAGS -I${krb5_prefix}/include -I${krb5_prefix}/include/gssapi"
LDFLAGS="$LDFLAGS -L${krb5_prefix}/%{_lib}"; export LDFLAGS
else
krb5_prefix=
CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
fi
%endif
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_datadir}/empty.sshd \
--disable-strip \
--without-zlib-version-check \
--with-ipaddr-display \
--with-pie=no \
--without-hardening `# The hardening flags are configured by system` \
--with-systemd \
--with-default-pkcs11-provider=yes \
--with-security-key-builtin=yes \
--with-pam \
%if %{WITH_SELINUX}
--with-selinux --with-audit=linux \
--with-sandbox=seccomp_filter \
%endif
%if %{kerberos5}
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
%else
--without-kerberos5 \
%endif
%if %{libedit}
--with-libedit
%else
--without-libedit
%endif
%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif
%make_build
make regress/misc/sk-dummy/sk-dummy.so
# Define a variable to toggle gtk2/gtk3 building. This is necessary
# because RPM doesn't handle nested %%if statements.
%if %{gtk3}
gtk3=yes
%else
gtk3=no
%endif
%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk3 = yes ] ; then
CFLAGS="$CFLAGS %{?__global_ldflags}" \
make gnome-ssh-askpass3
mv gnome-ssh-askpass3 gnome-ssh-askpass
else
CFLAGS="$CFLAGS %{?__global_ldflags}" \
make gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
fi
popd
%endif
%check
OPENSSL_CONF=/dev/null %{SOURCE22} %{SOURCE23} # ./parallel_tests.sh parallel_tests.Makefile
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
%make_install
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m644 ssh_config_redhat $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
install -m644 sshd_config_redhat_cp $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d/40-redhat-crypto-policies.conf
install -m644 sshd_config_redhat $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m644 %{SOURCE17} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.socket
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/openssh-server.conf
# Migration service/script for Fedora 38 change to remove group ownership for standard host keys
# See https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
install -m744 %{SOURCE20} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/ssh-host-keys-migration.sh
# Pulled-in via a `Wants=` in `sshd.service` & `sshd@.service`
install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%{_unitdir}/ssh-host-keys-migration.service
install -d $RPM_BUILD_ROOT/%{_localstatedir}/lib
touch $RPM_BUILD_ROOT/%{_localstatedir}/lib/.ssh-host-keys-migration
%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%if ! %{no_gnome_askpass}
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif
%if %{no_gnome_askpass}
rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
%endif
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/
install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest
%pre server
%sysusers_create_compat %{SOURCE19}
%post server
if [ $1 -gt 1 ]; then
# In the case of an upgrade (never true on OSTree systems) run the migration
# script for Fedora 38 to remove group ownership for host keys.
%{_libexecdir}/openssh/ssh-host-keys-migration.sh
# Prevent the systemd unit that performs the same service (useful for
# OSTree systems) from running.
touch /var/lib/.ssh-host-keys-migration
fi
%systemd_post sshd.service sshd.socket
# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
# drop-in directory (in F32+).
# Do this only if the file generated by anaconda exists, contains our config
# directive and sshd_config contains include directive as shipped in our package
%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin
test -f %{sysconfig_anaconda} && \
test ! -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf && \
grep -q '^PERMITROOTLOGIN="-oPermitRootLogin=yes"' %{sysconfig_anaconda} && \
grep -q '^Include /etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config && \
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config.d/25-permitrootlogin.conf && \
rm %{sysconfig_anaconda} || :
%preun server
%systemd_preun sshd.service sshd.socket
%postun server
%systemd_postun_with_restart sshd.service
%post clients
%systemd_user_post ssh-agent.service
%systemd_user_post ssh-agent.socket
%preun clients
%systemd_user_preun ssh-agent.service
%systemd_user_preun ssh-agent.socket
%files
%license LICENCE
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%files clients
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
%attr(0644,root,root) %{_userunitdir}/ssh-agent.socket
%files keysign
%attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%files server
%dir %attr(0711,root,root) %{_datadir}/empty.sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-session
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-redhat-crypto-policies.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0644,root,root) %{_sysusersdir}/openssh-server.conf
%attr(0644,root,root) %{_unitdir}/ssh-host-keys-migration.service
%attr(0744,root,root) %{_libexecdir}/openssh/ssh-host-keys-migration.sh
%ghost %attr(0644,root,root) %{_localstatedir}/lib/.ssh-host-keys-migration
%files keycat
%doc HOWTO.ssh-keycat
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
%if ! %{no_gnome_askpass}
%files askpass
%attr(0644,root,root) %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%endif
%files sk-dummy
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog
* Wed Jun 25 2025 Koichiro Iwao - 9.9p1-7.alma.1
- Unpatch Red Hat help message
* Tue Feb 18 2025 Dmitry Belyavskiy - 9.9p1-7
- rebuilt
Related: RHEL-78699
* Thu Feb 13 2025 Dmitry Belyavskiy - 9.9p1-6
- Fix regression of Match directive processing
Related: RHEL-76317
- Fix missing error codes set and invalid error code checks in OpenSSH. It
prevents memory exhaustion attack and a MITM attack when VerifyHostKeyDNS
is on (CVE-2025-26465, CVE-2025-26466).
Resolves: RHEL-78699
Resolves: RHEL-78943
* Mon Jan 27 2025 Dmitry Belyavskiy - 9.9p1-5
- Fix regression of Match directive processing
Resolves: RHEL-76317
- Avoid linking issues for openssl logging
Related: RHEL-63190
* Tue Oct 29 2024 Troy Dawson - 9.9p1-4.1
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Oct 28 2024 Dmitry Belyavskiy - 9.9p1-4
- Fix MLKEM for BE platforms
Related: RHEL-60564
* Fri Oct 18 2024 Dmitry Belyavskiy - 9.9p1-3
- Extra help information should not be printed if stderr is not a TTY
Resolves: RHEL-63061
- Provide details on crypto error instead of "error in libcrypto"
Resolves: RHEL-63190
* Tue Oct 15 2024 Dmitry Belyavskiy - 9.9p1-2
- Resolve memory management issues after rebase
Related: RHEL-60564
- Add extra help information on ssh early failure
Resolves: RHEL-62718
* Thu Oct 10 2024 Dmitry Belyavskiy - 9.9p1-1
- Update to OpenSSH 9.9p1
Resolves: RHEL-60564
- Separate ssh-keysign to a dedicated package
Resolves: RHEL-62112
- Use FIPS KEX defaults in FIPS mode
Resolves: RHEL-58986
* Mon Sep 16 2024 Dmitry Belyavskiy - 9.8p1-6
- rebuilt
Related: RHEL-59024
* Mon Aug 26 2024 Dmitry Belyavskiy - 9.8p1-5
- Restore GSS connectivity when no hostkeys are present
Related: RHEL-42635
- Add missing gsskeyex authentication method
Related: RHEL-42635
- "publickey-hostbound@openssh.com" extension makes no sense with GSS
Related: RHEL-42635
* Fri Aug 16 2024 Dmitry Belyavskiy - 9.8p1-4
- Address SAST scan issues
Resolves: RHEL-36766
- Remove obsoleted patches
Related: RHEL-42635
* Mon Aug 05 2024 Dmitry Belyavskiy - 9.8p1-3
- sshd doesn't propose to enter password again when a non-existing user is specified
Resolves: RHEL-11981
- Reenabling self-test on rpm build
Related: RHEL-42635
* Fri Jul 26 2024 Dmitry Belyavskiy - 9.8p1-2.0
- Temporary disabling self-test
Related: RHEL-42635
- Change ssh-keygen defaults in FIPS mode
Resolves: RHEL-37324
- Use FIPS-compatible API for key derivation RHEL-10
Resolves: RHEL-43592
* Thu Jul 25 2024 Dmitry Belyavskiy - 9.8p1-1.0
- Rebase OpenSSH to 9.8p1
Resolves: RHEL-42635
* Fri Jul 12 2024 Zoltan Fridrich - 9.6p1-1.5
- Build OpenSSH without ENGINE API
Resolves: RHEL-45507
- Remove pam_ssh_agent_auth subpackage
Resolves: RHEL-45002
* Mon Jun 24 2024 Troy Dawson - 9.6p1-1.4
- Bump release for June 2024 mass rebuild
* Thu May 09 2024 Zoltan Fridrich - 9.6p1-1.3
- Correctly audit hostname and IP address (RHEL-22316)
- Make default key sizes configurable in sshd-keygen (RHEL-26454)
* Thu Jan 25 2024 Fedora Release Engineering - 9.6p1-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering - 9.6p1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Dec 26 2023 Daniel Milnes - 9.6p1-1
- Update to OpenSSH 9.6
Original patches from https://src.fedoraproject.org/rpms/openssh/pull-request/63
Tuned by Dmitry Belyavskiy for GSS and PKCS#11 URI processing
* Fri Dec 22 2023 Florian Weimer - 9.3p1-13.1
- Fix type errors in downstream gssapi-keyex patch
* Mon Oct 16 2023 Mattias Ellert - 9.3p1-13
- Fix issue with read-only ssh buffer during gssapi key exchange (rhbz#1938224)
- https://github.com/openssh-gsskex/openssh-gsskex/pull/19
* Sun Oct 15 2023 Mattias Ellert - 9.3p1-12
- Fix FTBFS due to implicit declarations (rhbz#2241211)
* Tue Sep 19 2023 Dmitry Belyavskiy - 9.3p1-11
- migrated to SPDX license
* Fri Sep 15 2023 Timothée Ravier - 9.3p1-10
- Revert "Remove sshd.socket unit (rhbz#2025716)"
* Thu Aug 03 2023 Norbert Pocs - 9.3p1-9
- pkcs11: Add support for 'serial' in PKCS#11 URI
- Apply the upstream MR related to the previous pkcs11 issue
- https://github.com/openssh/openssh-portable/pull/406
* Thu Aug 03 2023 Dmitry Belyavskiy - 9.3p1-8
- Split including crypto-policies to a separate config (rhbz#1970566)
- Disable forking of ssh-agent on startup (rhbz#2148555)
- Remove sshd.socket unit (rhbz#2025716)
- Minor optimization of ssh_krb5_kuserok (rhbz#2112501)
* Tue Aug 01 2023 Dmitry Belyavskiy - 9.3p1-7
- Relax checks of OpenSSL version
* Wed Jul 26 2023 Mattias Ellert - 9.3p1-6
- Update gssapi-keyex patch for OpenSSH 9.0+
* Fri Jul 21 2023 Dmitry Belyavskiy - 9.3p1-5
- Fix remote code execution in ssh-agent PKCS#11 support
Resolves: CVE-2023-38408
* Thu Jul 20 2023 Fedora Release Engineering - 9.3p1-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 08 2023 Norbert Pocs - 9.3p1-4
- Fix deprecated %patchN syntax
- Reduce the number of patches by merging related patches
* Wed Jun 07 2023 Dmitry Belyavskiy - 9.3p1-3
- Fix DSS verification problem
Resolves: rhbz#2212937
* Fri Jun 02 2023 Dmitry Belyavskiy - 9.3p1-2
- Remove unused patch
* Thu Jun 01 2023 Dmitry Belyavskiy - 9.3p1-1 + 0.10.4-9
- Rebase OpenSSH to 9.3p1
* Wed May 24 2023 Norbert Pocs - 9.0p1-18
- Fix pkcs11 issue with the recent changes
- Clarify HostKeyAlgorithms relation with crypto-policies
* Fri Apr 14 2023 Dmitry Belyavskiy - 9.0p1-17
- In case when sha1 signatures are not supported, fallback to sha2 in hostproof
- Audit logging patch was not applied (rhbz#2177471)
* Thu Apr 13 2023 Norbert Pocs - 9.0p1-16
- Make the sign, dh, ecdh processes FIPS compliant by adopting to
openssl 3.0
* Thu Apr 13 2023 Dmitry Belyavskiy - 9.0p1-15
- Fix self-DoS
Resolves: CVE-2023-25136
- Remove too aggressive coverity fix causing native tests failure
* Wed Apr 12 2023 Florian Weimer - 9.0p1-14.2
- C99 compatiblity fixes
* Tue Mar 14 2023 Timothée Ravier - 9.0p1-14
- Make sshd & sshd@ units want ssh-host-keys-migration.service
* Mon Mar 13 2023 Zoltan Fridrich - 9.0p1-13
- Add sk-dummy subpackage for test purposes (rhbz#2176795)
* Mon Mar 06 2023 Dusty Mabe - 9.0p1-12
- Mark /var/lib/.ssh-host-keys-migration as %ghost file
- Make ssh-host key migration less conditional
* Wed Mar 01 2023 Dusty Mabe - 9.0p1-11
- Provide a systemd unit for restoring default host key permissions (rhbz#2172956)
- Co-Authored by Timothée Ravier
* Mon Jan 23 2023 Dmitry Belyavskiy - 9.0p1-10
- Restore upstream behaviour and default host key permissions (rhbz#2141272)
* Thu Jan 19 2023 Fedora Release Engineering - 9.0p1-9.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 09 2023 Dmitry Belyavskiy - 9.0p1-9
- Fix build against updated OpenSSL (rhbz#2158966)
* Mon Oct 24 2022 Norbert Pocs - 9.0p1-8
- Add additional audit logging about ssh key used to login (rhbz#2049947)
* Fri Oct 21 2022 Dmitry Belyavskiy - 9.0p1-7
- Check IP opts length (rhbz#1960015)
* Wed Oct 5 2022 Anthony Rabbito - 9.0p1-6
- Add a socket unit to ssh-agent user unit (rhbz#2125576)
* Thu Sep 29 2022 Dmitry Belyavskiy - 9.0p1-5
- RSAMinSize => RequiredRSASize
* Fri Sep 02 2022 Luca BRUNO - 9.0p1-4
- Move users/groups creation logic to sysusers.d fragments
* Wed Aug 24 2022 Alexander Sosedkin - 9.0p1-3
- State in manpages that HostbasedAcceptedAlgorithms is set by crypto-policies
* Wed Aug 17 2022 Dmitry Belyavskiy - 9.0p1-2
- Port patches from CentOS - RSAMinSize (rhbz#2117264)
* Thu Aug 11 2022 Dmitry Belyavskiy - 9.0p1-1 + 0.10.4-7
- Rebase OpenSSH to 9.0p1 (rhbz#2057466)
* Wed Aug 10 2022 Dmitry Belyavskiy - 8.8p1-4 + 0.10.4-6
- Port patches from CentOS (rhbz#2117264)
* Mon Aug 01 2022 Luca BRUNO - 8.8p1-3
- Use allocated static GID for 'ssh_keys' group (rhbz#2104595)
* Fri Jul 22 2022 Fedora Release Engineering - 8.8p1-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Apr 29 2022 Dmitry Belyavskiy - 8.8p1-2
- Disable locale forwarding in OpenSSH (#2002739)
* Thu Jan 20 2022 Fedora Release Engineering - 8.8p1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Nov 29 2021 Dmitry Belyavskiy - 8.8p1-1 + 0.10.4-5
- New upstream release (#2007967)
* Wed Sep 29 2021 Dmitry Belyavskiy - 8.7p1-3
- CVE-2021-41617 fix (#2008292)
* Thu Sep 16 2021 Dmitry Belyavskiy - 8.7p1-2
- Use SFTP protocol for scp by default (#2004956)
* Tue Sep 14 2021 Sahana Prasad - 8.7p1-1.1
- Rebuilt with OpenSSL 3.0.0
* Wed Sep 01 2021 Dmitry Belyavskiy - 8.7p1-1 + 0.10.4-4
- New upstream release (#1995893)
* Thu Jul 22 2021 Fedora Release Engineering - 8.6p1-5.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 21 2021 Dmitry Belyavskiy - 8.6p1-5
- restore the blocking mode on standard output (#1942901) - upstream
* Tue May 25 2021 Timm Bäder - 8.6p1-4
- Use %%set_build_flags to set all builds flags
* Fri May 21 2021 Dmitry Belyavskiy - 8.6p1-3
- Hostbased ssh authentication fails if session ID contains a '/' (#1963059)
* Mon May 10 2021 Dmitry Belyavskiy - 8.6p1-2
- restore the blocking mode on standard output (#1942901)
* Mon Apr 19 2021 Dmitry Belyavskiy - 8.6p1-1 + 0.10.4-3
- New upstream release (#1950819)
- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
- sshd provides PAM an incorrect error code (#1879503)
* Tue Mar 09 2021 Rex Dieter - 8.5p1-2
- ssh-agent.serivce is user unit (#1761817#27)
* Wed Mar 03 2021 Jakub Jelen - 8.5p1-1 + 0.10.4-2
- New upstream release (#1934336)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 8.4p1-5.2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Jan 26 2021 Fedora Release Engineering - 8.4p1-5.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Jakub Jelen - 8.4p1-5 + 0.10.4-1
- Use /usr/share/empty.sshd instead of /var/empty/sshd
- Allow emptu labels in PKCS#11 tokens (#1919007)
- Drop openssh-cavs subpackage
* Tue Dec 01 2020 Jakub Jelen - 8.4p1-4 + 0.10.4-1
- Remove "PasswordAuthentication yes" from vendor configuration as it is
already default and it might be hard to override.
- Fix broken obsoletes for openssh-ldap (#1902084)
* Thu Nov 19 2020 Jakub Jelen - 8.4p1-3 + 0.10.4-1
- Unbreak seccomp filter on arm (#1897712)
- Add a workaround for Debian's broken OpenSSH (#1881301)
* Tue Oct 06 2020 Jakub Jelen - 8.4p1-2 + 0.10.4-1
- Unbreak ssh-copy-id after a release (#1884231)
- Remove misleading comment from sysconfig
* Tue Sep 29 2020 Jakub Jelen - 8.4p1-1 + 0.10.4-1
- New upstream release of OpenSSH and pam_ssh_agent_auth (#1882995)
* Fri Aug 21 2020 Jakub Jelen - 8.3p1-4 + 0.10.3-10
- Remove openssh-ldap subpackage (#1871025)
- pkcs11: Do not crash with invalid paths in ssh-agent (#1868996)
- Clarify documentation about sftp-server -m (#1862504)
* Tue Jul 28 2020 Fedora Release Engineering - 8.3p1-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 10 2020 Jakub Jelen - 8.3p1-3 + 0.10.3-10
- Do not lose PIN when more slots match PKCS#11 URI (#1843372)
- Update to new crypto-policies version on server (using sshd_config include)
- Move redhat configuraion files to larger number to allow simpler override
- Move sshd_config include before any other definitions (#1824913)
* Mon Jun 01 2020 Jakub Jelen - 8.3p1-2 + 0.10.3-10
- Fix crash on cleanup (#1842281)
* Wed May 27 2020 Jakub Jelen - 8.3p1-1 + 0.10.3-10
- New upstream release (#1840503)
- Unbreak corner cases of sshd_config include
- Fix order of gssapi key exchange algorithms
* Wed Apr 08 2020 Jakub Jelen - 8.2p1-3 + 0.10.3-9
- Simplify reference to crypto policies in configuration files
- Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts
- Correctly print FIPS mode initialized in debug mode
- Enable SHA2-based GSSAPI key exchange methods (#1666781)
- Do not break X11 forwarding when IPv6 is disabled
- Remove fipscheck dependency as OpenSSH is no longer FIPS module
- Improve documentation about crypto policies defaults in manual pages
* Thu Feb 20 2020 Jakub Jelen - 8.2p1-2 + 0.10.3-9
- Build against libfido2 to unbreak internal u2f support
* Mon Feb 17 2020 Jakub Jelen - 8.2p1-1 + 0.10.3-9
- New upstrem reelase (#1803290)
- New /etc/ssh/sshd_config.d drop in directory
- Support for U2F security keys
- Correctly report invalid key permissions (#1801459)
- Do not write bogus information on stderr in FIPS mode (#1778224)
* Mon Feb 03 2020 Jakub Jelen - 8.1p1-4 + 0.10.3-8
- Unbreak seccomp filter on ARM (#1796267)
* Wed Jan 29 2020 Fedora Release Engineering - 8.1p1-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 27 2019 Jakub Jelen - 8.1p1-3 + 0.10.3-8
- Unbreak seccomp filter also on ARM (#1777054)
* Thu Nov 14 2019 Jakub Jelen - 8.1p1-2 + 0.10.3-8
- Unbreak seccomp filter with latest glibc (#1771946)
* Wed Oct 09 2019 Jakub Jelen - 8.1p1-1 + 0.10.3-8
- New upstream release (#1759750)
* Thu Jul 25 2019 Fedora Release Engineering - 8.0p1-8.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jul 23 2019 Jakub Jelen - 8.0p1-8 + 0.10.3-7
- Use the upstream-accepted version of the PKCS#8 PEM support (#1722285)
* Fri Jul 12 2019 Jakub Jelen - 8.0p1-7 + 0.10.3-7
- Use the environment file under /etc/sysconfig for anaconda configuration (#1722928)
* Wed Jul 03 2019 Jakub Jelen - 8.0p1-6 + 0.10.3-7
- Provide the entry point for anaconda configuration in service file (#1722928)
* Wed Jun 26 2019 Jakub Jelen - 8.0p1-5 + 0.10.3-7
- Disable root password logins (#1722928)
- Fix typo in manual pages related to crypto-policies
- Fix the gating test to make sure it removes the test user
- Cleanu up spec file and get rid of some rpmlint warnings
* Mon Jun 17 2019 Jakub Jelen - 8.0p1-4 + 0.10.3-7
- Compatibility with ibmca engine for ECC
- Generate more modern PEM files using new OpenSSL API
- Provide correct signature types for RSA keys using SHA2 from agent
* Mon May 27 2019 Jakub Jelen - 8.0p1-3 + 0.10.3-7
- Remove problematic patch updating cached pw structure
- Do not require the labels on the public objects (#1710832)
* Tue May 14 2019 Jakub Jelen - 8.0p1-2 + 0.10.3-7
- Use OpenSSL KDF
- Use high-level OpenSSL API for signatures handling
- Mention crypto-policies in manual pages instead of hardcoded defaults
- Verify in package testsuite that SCP vulnerabilities are fixed
- Do not fail in FIPS mode, when unsupported algorithm is listed in configuration
* Fri Apr 26 2019 Jakub Jelen - 8.0p1-1 + 0.10.3-7
- New upstream release (#1701072)
- Removed support for VendroPatchLevel configuration option
- Significant rework of GSSAPI Key Exchange
- Significant rework of PKCS#11 URI support
* Mon Mar 11 2019 Jakub Jelen - 7.9p1-5 + 0.10.3.6
- Fix kerberos cleanup procedures with GSSAPI
- Update cached passwd structure after PAM authentication
- Do not fall back to sshd_net_t SELinux context
- Fix corner cases of PKCS#11 URI implementation
- Do not negotiate arbitrary primes with DH GEX in FIPS
* Wed Feb 06 2019 Jakub Jelen - 7.9p1-4 + 0.10.3.6
- Log when a client requests an interactive session and only sftp is allowed
- Fix minor issues in ssh-copy-id
- Enclose redhat specific configuration with Match final block
* Fri Feb 01 2019 Fedora Release Engineering - 7.9p1-3.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser - 7.9p1-3.1
- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Jan 14 2019 Jakub Jelen - 7.9p1-3 + 0.10.3.6
- Backport Match final to unbreak canonicalization with crypto-policies (#1630166)
- gsskex: Dump correct option
- Backport several fixes from 7_9 branch, mostly related to certificate authentication (#1665611)
- Backport patch for CVE-2018-20685 (#1665786)
- Correctly initialize ECDSA key structures from PKCS#11
* Wed Nov 14 2018 Jakub Jelen - 7.9p1-2 + 0.10.3-6
- Fix LDAP configure test (#1642414)
- Avoid segfault on kerberos authentication failure
- Reference correct file in configuration example (#1643274)
- Dump missing GSSAPI configuration options
- Allow to disable RSA signatures with SHA-1
* Fri Oct 19 2018 Jakub Jelen - 7.9p1-1 + 0.10.3-6
- New upstream release OpenSSH 7.9p1 (#1632902, #1630166)
- Honor GSSAPIServerIdentity option for GSSAPI key exchange
- Do not break gsssapi-keyex authentication method when specified in
AuthenticationMethods
- Follow the system-wide PATH settings (#1633756)
- Address some coverity issues
* Mon Sep 24 2018 Jakub Jelen - 7.8p1-3 + 0.10.3-5
- Disable OpenSSH hardening flags and use the ones provided by system
- Ignore unknown parts of PKCS#11 URI
- Do not fail with GSSAPI enabled in match blocks (#1580017)
- Fix the segfaulting cavs test (#1628962)
* Fri Aug 31 2018 Jakub Jelen - 7.8p1-2 + 0.10.3-5
- New upstream release fixing CVE 2018-15473
- Remove unused patches
- Remove reference to unused enviornment variable SSH_USE_STRONG_RNG
- Address coverity issues
- Unbreak scp between two IPv6 hosts
- Unbreak GSSAPI key exchange (#1624344)
- Unbreak rekeying with GSSAPI key exchange (#1624344)
* Thu Aug 09 2018 Jakub Jelen - 7.7p1-6 + 0.10.3-4
- Fix listing of kex algoritms in FIPS mode
- Allow aes-gcm cipher modes in FIPS mode
- Coverity fixes
* Fri Jul 13 2018 Fedora Release Engineering - 7.7p1-5.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 03 2018 Jakub Jelen - 7.7p1-5 + 0.10.3-4
- Disable manual printing of motd by default (#1591381)
* Wed Jun 27 2018 Jakub Jelen - 7.7p1-4 + 0.10.3-4
- Better handling of kerberos tickets storage (#1566494)
- Add pam_motd to pam stack (#1591381)
* Mon Apr 16 2018 Jakub Jelen - 7.7p1-3 + 0.10.3-4
- Fix tun devices and other issues fixed after release upstream (#1567775)
* Thu Apr 12 2018 Jakub Jelen - 7.7p1-2 + 0.10.3-4
- Do not break quotes parsing in configuration file (#1566295)
* Wed Apr 04 2018 Jakub Jelen - 7.7p1-1 + 0.10.3-4
- New upstream release (#1563223)
- Add support for ECDSA keys in PKCS#11 (#1354510)
- Add support for PKCS#11 URIs
* Tue Mar 06 2018 Jakub Jelen - 7.6p1-7 + 0.10.3-3
- Require crypto-policies version and new path
- Remove bogus NSS linking
* Thu Feb 08 2018 Fedora Release Engineering - 7.6p1-6.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Jan 26 2018 Jakub Jelen - 7.6p1-6 + 0.10.3-3
- Rebuild for gcc bug on i386 (#1536555)
* Thu Jan 25 2018 Florian Weimer - 7.6p1-5.2
- Rebuild to work around gcc bug leading to sshd miscompilation (#1538648)
* Sat Jan 20 2018 Björn Esser - 7.6p1-5.1.1
- Rebuilt for switch to libxcrypt
* Wed Jan 17 2018 Jakub Jelen - 7.6p1-5 + 0.10.3-3
- Drop support for TCP wrappers (#1530163)
- Do not pass hostnames to audit -- UseDNS is usually disabled (#1534577)
* Thu Dec 14 2017 Jakub Jelen - 7.6p1-4 + 0.10.3-3
- Whitelist gettid() syscall in seccomp filter (#1524392)
* Mon Dec 11 2017 Jakub Jelen - 7.6p1-3 + 0.10.3-3
- Do not segfault during audit cleanup (#1524233)
- Avoid gcc warnings about uninitialized variables
* Wed Nov 22 2017 Jakub Jelen - 7.6p1-2 + 0.10.3-3
- Do not build everything against libldap
- Do not segfault for ECC keys in PKCS#11
* Thu Oct 19 2017 Jakub Jelen - 7.6p1-1 + 0.10.3-3
- New upstream release OpenSSH 7.6
- Addressing review remarks for OpenSSL 1.1.0 patch
- Fix PermitOpen bug in OpenSSH 7.6
- Drop support for ExposeAuthenticationMethods option
* Mon Sep 11 2017 Jakub Jelen - 7.5p1-6 + 0.10.3-2
- Do not export KRB5CCNAME if the default path is used (#1199363)
- Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1477636)
- Add new GSSAPI kex algorithms with SHA-2, but leave them disabled for now
- Enforce pam_sepermit for all logins in SSH (#1492313)
- Remove pam_reauthorize, since it is not needed by cockpit anymore (#1492313)
* Mon Aug 14 2017 Jakub Jelen - 7.5p1-5 + 0.10.3-2
- Another less-intrusive approach to crypto policy (#1479271)
* Tue Aug 01 2017 Jakub Jelen - 7.5p1-4 + 0.10.3-2
- Remove SSH-1 subpackage for Fedora 27 (#1474942)
- Follow system-wide crypto policy in server (#1479271)
* Thu Jul 27 2017 Fedora Release Engineering - 7.5p1-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Jun 30 2017 Jakub Jelen - 7.5p1-2 + 0.10.3-2
- Sync downstream patches with RHEL (FIPS)
- Resolve potential issues with OpenSSL 1.1.0 patch
* Wed Mar 22 2017 Jakub Jelen - 7.5p1-2 + 0.10.3-2
- Fix various after-release typos including failed build in s390x (#1434341)
- Revert chroot magic with SELinux
* Mon Mar 20 2017 Jakub Jelen - 7.5p1-1 + 0.10.3-2
- New upstream release
* Fri Mar 03 2017 Jakub Jelen - 7.4p1-4 + 0.10.3-1
- Avoid sending the SD_NOTIFY messages from wrong processes (#1427526)
- Address reports by coverity
* Mon Feb 20 2017 Jakub Jelen - 7.4p1-3 + 0.10.3-1
- Properly report errors from included files (#1408558)
- New pam_ssh_agent_auth 0.10.3 release
- Switch to SD_NOTIFY to make systemd happy
* Mon Feb 06 2017 Jakub Jelen - 7.4p1-2 + 0.10.2-5
- Fix ssh-agent cert signing error (#1416584)
- Fix wrong path to crypto policies
- Attempt to resolve issue with systemd
* Tue Jan 03 2017 Jakub Jelen - 7.4p1-1 + 0.10.2-5
- New upstream release (#1406204)
- Cache supported OIDs for GSSAPI key exchange (#1395288)
- Fix typo causing heap corruption (use-after-free) (#1409433)
- Prevent hangs with long MOTD
* Thu Dec 08 2016 Jakub Jelen - 7.3p1-7 + 0.10.2-4
- Properly deserialize received RSA certificates in ssh-agent (#1402029)
- Move MAX_DISPLAYS to a configuration option
* Wed Nov 16 2016 Jakub Jelen - 7.3p1-6 + 0.10.2-4
- GSSAPI requires futex syscall in privsep child (#1395288)
* Thu Oct 27 2016 Jakub Jelen - 7.3p1-5 + 0.10.2-4
- Build against OpenSSL 1.1.0 with compat changes
- Recommend crypto-policies
- Fix chroot dropping capabilities (#1386755)
* Thu Sep 29 2016 Jakub Jelen - 7.3p1-4 + 0.10.2-4
- Fix NULL dereference (#1380297)
- Include client Crypto Policy (#1225752)
* Mon Aug 15 2016 Jakub Jelen - 7.3p1-3 + 0.10.2-4
- Proper content of included configuration file
* Tue Aug 09 2016 Jakub Jelen - 7.3p1-2 + 0.10.2-4
- Fix permissions on the include directory (#1365270)
* Tue Aug 02 2016 Jakub Jelen - 7.3p1-1 + 0.10.2-4
- New upstream release (#1362156)
* Tue Jul 26 2016 Jakub Jelen - 7.2p2-11 + 0.10.2-3
- Remove slogin and sshd-keygen (#1359762)
- Prevent guest_t from running sudo (#1357860)
* Mon Jul 18 2016 Jakub Jelen - 7.2p2-10 + 0.10.2-3
- CVE-2016-6210: User enumeration via covert timing channel (#1357443)
- Expose more information about authentication to PAM
- Make closefrom() ignore softlinks to the /dev/ devices on s390
* Fri Jul 01 2016 Jakub Jelen - 7.2p2-9 + 0.10.2-3
- Fix wrong detection of UseLogin in server configuration (#1350347)
* Fri Jun 24 2016 Jakub Jelen - 7.2p2-8 + 0.10.2-3
- Enable seccomp filter for MIPS architectures
- UseLogin=yes is not supported in Fedora
- SFTP server forced permissions should restore umask
- pam_ssh_agent_auth: Fix conflict bewteen two getpwuid() calls (#1349551)
* Mon Jun 06 2016 Jakub Jelen - 7.2p2-7
- Fix regression in certificate-based authentication (#1333498)
- Check for real location of .k5login file (#1328243)
- Fix unchecked dereference in pam_ssh_agent_auth
- Clean up old patches
- Build with seccomp filter on ppc64(le) (#1195065)
* Fri Apr 29 2016 Jakub Jelen - 7.2p2-6 + 0.10.2-3
- Add legacy sshd-keygen for anaconda (#1331077)
* Fri Apr 22 2016 Jakub Jelen - 7.2p2-5 + 0.10.2-3
- CVE-2015-8325: ignore PAM environment vars when UseLogin=yes (#1328013)
- Fix typo in sysconfig/sshd (#1325535)
* Fri Apr 15 2016 Jakub Jelen - 7.2p2-4 + 0.10.2-3
- Revise socket activation and services dependencies (#1325535)
- Drop unused init script
* Wed Apr 13 2016 Jakub Jelen 7.2p2-3 + 0.10.2-3
- Make sshd-keygen comply with packaging guidelines (#1325535)
- Soft-deny socket() syscall in seccomp sandbox (#1324493)
- Remove *sha1 Kex in FIPS mode (#1324493)
- Remove *gcm ciphers in FIPS mode (#1324493)
* Wed Apr 06 2016 Jakub Jelen 7.2p2-2 + 0.10.2-3
- Fix GSSAPI Key Exchange according to RFC (#1323622)
- Remove init.d/functions dependency from sshd-keygen (#1317722)
- Do not use MD5 in pam_ssh_agent_auth in FIPS mode
* Thu Mar 10 2016 Jakub Jelen 7.2p2-1 + 0.10.2-3
- New upstream (security) release (#1316529)
- Clean up audit patch
* Thu Mar 03 2016 Jakub Jelen 7.2p1-2 + 0.10.2-2
- Restore slogin symlinks to preserve backward compatibility
* Mon Feb 29 2016 Jakub Jelen 7.2p1-1 + 0.10.2-2
- New upstream release (#1312870)
* Wed Feb 24 2016 Jakub Jelen 7.1p2-4.1 + 0.10.2-1
- Fix race condition in auditing events when using multiplexing (#1308295)
- Fix X11 forwarding CVE according to upstream
- Fix problem when running without privsep (#1303910)
- Remove hard glob limit in SFTP
* Thu Feb 04 2016 Fedora Release Engineering - 7.1p2-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Jan 30 2016 Jakub Jelen 7.1p2-3 + 0.10.2-1
- Fix segfaults with pam_ssh_agent_auth (#1303036)
- Silently disable X11 forwarding on problems
- Systemd service should be forking to detect immediate failures
* Mon Jan 25 2016 Jakub Jelen 7.1p2-2 + 0.10.2-1
- Rebased to recent version of pam_ssh_agent_auth
- Upstream fix for CVE-2016-1908
- Remove useless defattr
* Thu Jan 14 2016 Jakub Jelen 7.1p2-1 + 0.9.2-9
- New security upstream release for CVE-2016-0777
* Tue Jan 12 2016 Jakub Jelen 7.1p1-7 + 0.9.2-8
- Change RPM define macros to global according to packaging guidelines
- Fix wrong handling of SSH_COPY_ID_LEGACY environment variable
- Update ssh-agent and ssh-keysign permissions (#1296724)
- Fix few problems with alternative builds without GSSAPI or openSSL
- Fix condition to run sshd-keygen
* Fri Dec 18 2015 Jakub Jelen 7.1p1-6 + 0.9.2-8
- Preserve IUTF8 tty mode flag over ssh connections (#1270248)
- Do not require sysconfig file to start service (#1279521)
- Update ssh-copy-id to upstream version
- GSSAPI Key Exchange documentation improvements
- Remove unused patches
* Wed Nov 04 2015 Jakub Jelen 7.1p1-5 + 0.9.2-8
- Do not set user context too many times for root logins (#1269072)
* Thu Oct 22 2015 Jakub Jelen 7.1p1-4 + 0.9.2-8
- Review SELinux user context handling after authentication (#1269072)
- Handle root logins the same way as other users (#1269072)
- Audit implicit mac, if mac is covered in cipher (#1271694)
- Increase size limit for remote glob over sftp
* Fri Sep 25 2015 Jakub Jelen 7.1p1-3 + 0.9.2-8
- Fix FIPS mode for DH kex (#1260253)
- Provide full RELRO and PIE form askpass helper (#1264036)
- Fix gssapi key exchange on server and client (#1261414)
- Allow gss-keyex root login when without-password is set (upstream #2456)
- Fix obsolete usage of SELinux constants (#1261496)
* Wed Sep 09 2015 Jakub Jelen 7.1p1-2 + 0.9.2-8
- Fix warnings reported by gcc related to keysign and keyAlgorithms
* Sat Aug 22 2015 Jakub Jelen 7.1p1-1 + 0.9.2-8
- New upstream release
* Wed Aug 19 2015 Jakub Jelen 7.0p1-2 + 0.9.3-7
- Fix problem with DSA keys using pam_ssh_agent_auth (#1251777)
- Add GSSAPIKexAlgorithms option for server and client application
- Possibility to validate legacy systems by more fingerprints (#1249626)
* Wed Aug 12 2015 Jakub Jelen 7.0p1-1 + 0.9.3-7
- New upstream release (#1252639)
- Fix pam_ssh_agent_auth package (#1251777)
- Security: Use-after-free bug related to PAM support (#1252853)
- Security: Privilege separation weakness related to PAM support (#1252854)
- Security: Incorrectly set TTYs to be world-writable (#1252862)
* Tue Jul 28 2015 Jakub Jelen 6.9p1-4 + 0.9.3-6
- Handle terminal control characters in scp progressmeter (#1247204)
* Thu Jul 23 2015 Jakub Jelen 6.9p1-3 + 0.9.3-6
- CVE-2015-5600: only query each keyboard-interactive device once (#1245971)
* Wed Jul 15 2015 Jakub Jelen 6.9p1-2 + 0.9.3-6
- Enable SECCOMP filter for s390* architecture (#1195065)
- Fix race condition when multiplexing connection (#1242682)
* Wed Jul 01 2015 Jakub Jelen 6.9p1-1 + 0.9.3-6
- New upstream release (#1238253)
- Increase limitation number of files which can be listed using glob in sftp
- Correctly revert "PermitRootLogin no" option from upstream sources (#89216)
* Wed Jun 24 2015 Jakub Jelen 6.8p1-9 + 0.9.3-5
- Allow socketcall(SYS_SHUTDOWN) for net_child on ix86 architecture
* Thu Jun 18 2015 Fedora Release Engineering - 6.8p1-8.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Jun 08 2015 Jakub Jelen 6.8p1-8 + 0.9.3-5
- Return stat syscall to seccomp filter (#1228323)
* Wed Jun 03 2015 Jakub Jelen 6.8p1-7 + 0.9.3-5
- Handle pam_ssh_agent_auth memory, buffers and variable sizes (#1225106)
* Thu May 28 2015 Jakub Jelen 6.8p1-6 + 0.9.3-5
- Resolve problem with pam_ssh_agent_auth after rebase (#1225106)
- ssh-copy-id: tcsh doesnt work with multiline strings
- Fix upstream memory problems
- Add missing options in testmode output and manual pages
- Provide LDIF version of LPK schema
- Document required selinux boolean for working ssh-ldap-helper
* Mon Apr 20 2015 Jakub Jelen 6.8p1-5 + 0.9.3-5
- Fix segfault on daemon exit caused by API change (#1213423)
* Thu Apr 02 2015 Jakub Jelen 6.8p1-4 + 0.9.3-5
- Fix audit_end_command to restore ControlPersist function (#1203900)
* Tue Mar 31 2015 Jakub Jelen 6.8p1-3 + 0.9.3-5
- Fixed issue with GSSAPI key exchange (#1207719)
- Add pam_namespace to sshd pam stack (based on #1125110)
- Remove krb5-config workaround for #1203900
- Fix handling SELinux context in MLS systems
- Regression: solve sshd segfaults if other instance already running
* Thu Mar 26 2015 Jakub Jelen 6.8p1-2 + 0.9.3-5
- Update audit and gss patches after rebase
- Fix reintroduced upstrem bug #1878
* Tue Mar 24 2015 Jakub Jelen 6.8p1-1 + 0.9.3-5
- new upstream release openssh-6.8p1 (#1203245)
- Resolve segfault with auditing commands (#1203900)
- Workaround krb5-config bug (#1204646)
* Thu Mar 12 2015 Jakub Jelen 6.7p1-11 + 0.9.3-4
- Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper
- Fix auditing when using combination of ForceCommand and PTY
- Add sftp option to force mode of created files (from rhel)
- Fix tmpfiles.d entries to be more consistent (#1196807)
* Mon Mar 02 2015 Jakub Jelen 6.7p1-10 + 0.9.3-4
- Add tmpfiles.d entries (#1196807)
* Fri Feb 27 2015 Jakub Jelen 6.7p1-9 + 0.9.3-4
- Adjust seccomp filter for primary architectures and solve aarch64 issue (#1197051)
- Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
* Tue Feb 24 2015 Jakub Jelen 6.7p1-8 + 0.9.3-4
- Add AArch64 support for seccomp_filter sandbox (#1195065)
* Mon Feb 23 2015 Jakub Jelen 6.7p1-7 + 0.9.3-4
- Fix seccomp filter on architectures without getuid32
* Mon Feb 23 2015 Jakub Jelen 6.7p1-6 + 0.9.3-4
- Update seccomp filter to work on i686 architectures (#1194401)
- Fix previous failing build (#1195065)
* Sun Feb 22 2015 Peter Robinson 6.7p1-5 + 0.9.3-4
- Only use seccomp for sandboxing on supported platforms
* Fri Feb 20 2015 Jakub Jelen 6.7p1-4 + 0.9.3-4
- Move cavs tests into subpackage -cavs (#1194320)
* Wed Feb 18 2015 Jakub Jelen 6.7p1-3 + 0.9.3-4
- update coverity patch
- make output of sshd -T more consistent (#1187521)
- enable seccomp for sandboxing instead of rlimit (#1062953)
- update hardening to compile on gcc5
- Add SSH KDF CAVS test driver (#1193045)
- Fix ssh-copy-id on non-sh remote shells (#1045191)
* Tue Jan 27 2015 Jakub Jelen 6.7p1-2 + 0.9.3-4
- fixed audit patch after rebase
* Tue Jan 20 2015 Petr Lautrbach 6.7p1-1 + 0.9.3-4
- new upstream release openssh-6.7p1
* Thu Jan 15 2015 Jakub Jelen 6.6.1p1-11.1 + 0.9.3-3
- error message if scp when directory doesn't exist (#1142223)
- parsing configuration file values (#1130733)
- documentation in service and socket files for systemd (#1181593)
- updated ldap patch (#981058)
- fixed vendor-patchlevel
- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1170745)
* Fri Dec 19 2014 Petr Lautrbach 6.6.1p1-10 + 0.9.3-3
- log via monitor in chroots without /dev/log
* Wed Dec 03 2014 Petr Lautrbach 6.6.1p1-9 + 0.9.3-3
- the .local domain example should be in ssh_config, not in sshd_config
- use different values for DH for Cisco servers (#1026430)
* Thu Nov 13 2014 Petr Lautrbach 6.6.1p1-8 + 0.9.3-3
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
* Fri Nov 07 2014 Petr Lautrbach 6.6.1p1-7 + 0.9.3-3
- correct the calculation of bytes for authctxt->krb5_ccname (#1161073)
* Tue Nov 04 2014 Petr Lautrbach 6.6.1p1-6 + 0.9.3-3
- privsep_preauth: use SELinux context from selinux-policy (#1008580)
- change audit trail for unknown users (mindrot#2245)
- fix kuserok patch which checked for the existence of .k5login
unconditionally and hence prevented other mechanisms to be used properly
- revert the default of KerberosUseKuserok back to yes (#1153076)
- ignore SIGXFSZ in postauth monitor (mindrot#2263)
- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode
* Mon Sep 08 2014 Petr Lautrbach 6.6.1p1-5 + 0.9.3-3
- set a client's address right after a connection is set (mindrot#2257)
- apply RFC3454 stringprep to banners when possible (mindrot#2058)
- don't consider a partial success as a failure (mindrot#2270)
* Sun Aug 17 2014 Fedora Release Engineering - 6.6.1p1-4.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Jul 18 2014 Tom Callaway 6.6.1p1-4 + 0.9.3-3
- fix license handling (both)
* Fri Jul 18 2014 Petr Lautrbach 6.6.1p1-3 + 0.9.3-2
- standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
* Mon Jul 14 2014 Petr Lautrbach 6.6.1p1-2 + 0.9.3-2
- add pam_reauthorize.so to sshd.pam (#1115977)
- spec file and patches clenup
* Sat Jun 07 2014 Fedora Release Engineering - 6.6.1p1-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Jun 03 2014 Petr Lautrbach 6.6.1p1-1 + 0.9.3-2
- disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
- add support for ED25519 keys to sshd-keygen and sshd.sysconfig
- drop openssh-server-sysvinit subpackage
- slightly change systemd units logic - use sshd-keygen.service (#1066615)
* Tue Jun 03 2014 Petr Lautrbach 6.6p1-1 + 0.9.3-2
- new upstream release openssh-6.6p1
* Thu May 15 2014 Petr Lautrbach 6.4p1-4 + 0.9.3-1
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
- make /etc/ssh/moduli file public (#1043661)
- test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service
- don't clean up gssapi credentials by default (#1055016)
- ssh-agent - try CLOCK_BOOTTIME with fallback (#1091992)
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
- ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532
(#1077843)
* Wed Dec 11 2013 Petr Lautrbach 6.4p1-3 + 0.9.3-1
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
- use only rsa and ecdsa host keys by default
* Tue Nov 26 2013 Petr Lautrbach 6.4p1-2 + 0.9.3-1
- fix fatal() cleanup in the audit patch (#1029074)
- fix parsing logic of ldap.conf file (#1033662)
* Fri Nov 08 2013 Petr Lautrbach 6.4p1-1 + 0.9.3-1
- new upstream release
* Fri Nov 01 2013 Petr Lautrbach 6.3p1-5 + 0.9.3-7
- adjust gss kex mechanism to the upstream changes (#1024004)
- don't use xfree in pam_ssh_agent_auth sources (#1024965)
* Fri Oct 25 2013 Petr Lautrbach 6.3p1-4 + 0.9.3-6
- rebuild with the openssl with the ECC support
* Thu Oct 24 2013 Petr Lautrbach 6.3p1-3 + 0.9.3-6
- don't use SSH_FP_MD5 for fingerprints in FIPS mode
* Wed Oct 23 2013 Petr Lautrbach 6.3p1-2 + 0.9.3-6
- use default_ccache_name from /etc/krb5.conf for a kerberos cache (#991186)
- increase the size of the Diffie-Hellman groups (#1010607)
- sshd-keygen to generate ECDSA keys (#1019222)
* Tue Oct 15 2013 Petr Lautrbach 6.3p1-1.1 + 0.9.3-6
- new upstream release (#1007769)
* Tue Oct 08 2013 Petr Lautrbach 6.2p2-9 + 0.9.3-5
- use dracut-fips package to determine if a FIPS module is installed
- revert -fips subpackages and hmac files suffixes
* Wed Sep 25 2013 Petr Lautrbach 6.2p2-8 + 0.9.3-5
- sshd-keygen: generate only RSA keys by default (#1010092)
- use dist tag in suffixes for hmac checksum files
* Wed Sep 11 2013 Petr Lautrbach 6.2p2-7 + 0.9.3-5
- use hmac_suffix for ssh{,d} hmac checksums
- bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A
- automatically restart sshd.service on-failure after 42s interval
* Thu Aug 29 2013 Petr Lautrbach 6.2p2-6.1 + 0.9.3-5
- add -fips subpackages that contains the FIPS module files
* Wed Jul 31 2013 Petr Lautrbach 6.2p2-5 + 0.9.3-5
- gssapi credentials need to be stored before a pam session opened (#987792)
* Tue Jul 23 2013 Petr Lautrbach 6.2p2-4 + 0.9.3-5
- don't show Success for EAI_SYSTEM (#985964)
- make sftp's libedit interface marginally multibyte aware (#841771)
* Mon Jun 17 2013 Petr Lautrbach 6.2p2-3 + 0.9.3-5
- move default gssapi cache to /run/user/ (#848228)
* Tue May 21 2013 Petr Lautrbach 6.2p2-2 + 0.9.3-5
- add socket activated sshd units to the package (#963268)
- fix the example in the HOWTO.ldap-keys
* Mon May 20 2013 Petr Lautrbach 6.2p2-1 + 0.9.3-5
- new upstream release (#963582)
* Wed Apr 17 2013 Petr Lautrbach 6.2p1-4 + 0.9.3-4
- don't use export in sysconfig file (#953111)
* Tue Apr 16 2013 Petr Lautrbach 6.2p1-3 + 0.9.3-4
- sshd.service: use KillMode=process (#890376)
- add latest config.{sub,guess} to support aarch64 (#926284)
* Tue Apr 09 2013 Petr Lautrbach 6.2p1-2 + 0.9.3-4
- keep track of which IndentityFile options were manually supplied and
which were default options, and don't warn if the latter are missing.
(mindrot#2084)
* Tue Apr 09 2013 Petr Lautrbach 6.2p1-1 + 0.9.3-4
- new upstream release (#924727)
* Wed Mar 06 2013 Petr Lautrbach 6.1p1-7 + 0.9.3-3
- use SELinux type sshd_net_t for [net] childs (#915085)
* Thu Feb 14 2013 Petr Lautrbach 6.1p1-6 + 0.9.3-3
- fix AuthorizedKeysCommand option
* Fri Feb 08 2013 Petr Lautrbach 6.1p1-5 + 0.9.3-3
- change default value of MaxStartups - CVE-2010-5107 (#908707)
* Mon Dec 03 2012 Petr Lautrbach 6.1p1-4 + 0.9.3-3
- fix segfault in openssh-5.8p2-force_krb.patch (#882541)
* Mon Dec 03 2012 Petr Lautrbach 6.1p1-3 + 0.9.3-3
- replace RequiredAuthentications2 with AuthenticationMethods based on upstream
- obsolete RequiredAuthentications[12] options
- fix openssh-6.1p1-privsep-selinux.patch
* Fri Oct 26 2012 Petr Lautrbach 6.1p1-2
- add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400)
- drop required chkconfig (#865498)
- drop openssh-5.9p1-sftp-chroot.patch (#830237)
* Sat Sep 15 2012 Petr Lautrbach 6.1p1-1 + 0.9.3-3
- new upstream release (#852651)
- use DIR: kerberos type cache (#848228)
- don't use chroot_user_t for chrooted users (#830237)
- replace scriptlets with systemd macros (#850249)
- don't use /bin and /sbin paths (#856590)
* Mon Aug 06 2012 Petr Lautrbach 6.0p1-1 + 0.9.3-2
- new upstream release
* Mon Aug 06 2012 Petr Lautrbach 5.9p1-26 + 0.9.3-1
- change SELinux context also for root user (#827109)
* Fri Jul 27 2012 Petr Lautrbach 5.9p1-25 + 0.9.3-1
- fix various issues in openssh-5.9p1-required-authentications.patch
* Tue Jul 17 2012 Tomas Mraz 5.9p1-24 + 0.9.3-1
- allow sha256 and sha512 hmacs in the FIPS mode
* Fri Jun 22 2012 Tomas Mraz 5.9p1-23 + 0.9.3-1
- fix segfault in su when pam_ssh_agent_auth is used and the ssh-agent
is not running, most probably not exploitable
- update pam_ssh_agent_auth to 0.9.3 upstream version
* Fri Apr 06 2012 Petr Lautrbach 5.9p1-22 + 0.9.2-32
- don't create RSA1 key in FIPS mode
- don't install sshd-keygen.service (#810419)
* Fri Mar 30 2012 Petr Lautrbach 5.9p1-21 + 0.9.2-32
- fix various issues in openssh-5.9p1-required-authentications.patch
* Wed Mar 21 2012 Petr Lautrbach 5.9p1-20 + 0.9.2-32
- Fix dependencies in systemd units, don't enable sshd-keygen.service (#805338)
* Wed Feb 22 2012 Petr Lautrbach