Norbert Pocs
fb40f0afda
Merge evp related patches
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:57:23 +02:00
Norbert Pocs
141d7b2d4a
Remove deprecated usage of %patchN
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:56:15 +02:00
Dmitry Belyavskiy
d5fd076ab3
Updating specfile
2023-06-07 12:15:31 +02:00
Dmitry Belyavskiy
29083ac442
Remove unused patch
2023-06-02 18:56:58 +02:00
Dmitry Belyavskiy
f561c68bdb
Rebasing OpenSSH from 9.0 to 9.3
2023-06-02 15:38:27 +02:00
Norbert Pocs
b129d6336e
Clarify HostKeyAlgorithms option on man page
...
Clarify HostkeyAlgorithms and crypto-policies relation on the ssh_config
man page
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-29 13:58:15 +02:00
Jakub Jelen
e39f11e77c
pkcs11: Add support for 'serial' in PKCS#11 URI
2023-05-25 09:29:24 +02:00
Norbert Pocs
e8e01dc82e
Fix regression in pkcs11 introduced in the previous patch
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:27:33 +02:00
Dmitry Belyavskiy
6f7c765ed4
Audit logging patch was not applied
...
Resolves: rhbz#2177471
2023-04-14 10:38:37 +02:00
Dmitry Belyavskiy
1506e0825c
If SHA1 signatures are not permitted, try to fallback to SHA2
...
SHA1 is insecure now, and is forbidden in RHEL and will be forbidden in
several crypto-policies in Fedora in some future. This patch adds
detection of SHA1 signatures availability and, if not available,
enforces fallback to SHA2.
2023-04-14 10:32:06 +02:00
Norbert Pocs
b63272d9eb
Make the sign, dh, ecdh processes FIPS compliant
...
FIPS compliancy can be stated by using only compliant crypto
functions. This is achieved by using EVP API from openssl 3.0
version. The solution uses a non-intrusive approach - instead
of rewriting everything to use EVP API it converts the data
to it at the critical places.
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-04-13 19:12:46 +02:00
Dmitry Belyavskiy
745da74ea2
Fix self-DoS
...
Resolves: CVE-2023-25136
Remove too aggressive coverity fix causing native tests failure
2023-04-13 18:14:19 +02:00
Florian Weimer
d5591fb5ab
C99 compatibility fixes
...
Apply upstream patches from the portable OpenSSH project to fix
C99 compatibility issues in the configure script.
For the PAM agent integration, apply a custom downstream fix,
as the proposed upstream changes have not been merged yet.
Related to:
<https://fedoraproject.org/wiki/Changes/PortingToModernC>
<https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
2023-04-12 12:07:21 +02:00
Timothée Ravier
e3597c03f1
Make sshd & sshd@ units want ssh-host-keys-migration.service
...
Enabling the unit via the presets does not enable it on
Silverblue/Kinoite/Sericea & IoT as we don't re-preset all units like
it's done in Fedora CoreOS.
See: https://pagure.io/workstation-ostree-config/pull-request/246
Instead, have the sshd & sshd@ service unit `Wants` the
ssh-host-keys-migration service unit so that it's pulled-in only when
sshd is effectively enabled and in all cases.
See: https://src.fedoraproject.org/rpms/fedora-release/pull-request/253
See: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
See: https://src.fedoraproject.org/rpms/fedora-release/pull-request/252
2023-03-14 17:17:24 +01:00
Zoltan Fridrich
3a98e6f607
Add sk-dummy subpackage for test purposes
...
Resolves: rhbz#2176795
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2023-03-13 13:22:28 +01:00
Dusty Mabe
21fd6bef5b
Make ssh-host key migration less conditional
...
If there is a case where some host keys don't have correct
permissions then they won't get migrated. Let's make the
migration script attempt migration for the rest of the keys
too.
2023-03-06 09:55:13 -05:00
Dusty Mabe
1076e61bfd
Mark /var/lib/.ssh-host-keys-migration as %ghost file
2023-03-06 09:55:13 -05:00
Dusty Mabe
08d842d5e8
Use a service unit to strip ssh_keys group from host keys (rhbz#2172956)
...
Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensures that this migration is done right before
the openssh server startup on all kinds of systems, either RPM or
rpm-ostree based.
Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.
See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555
Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
Co-authored-by: Timothée Ravier <tim@siosm.fr>
2023-03-03 09:56:51 -05:00
Dusty Mabe
937ee4760a
update date in changelog entry
...
This entry is out of chronological order, which means we get a
warning/error every time. I'm just updating here to the commitdate
of the commit, which puts everything back in chronological order.
2023-03-02 11:57:38 -05:00
Dmitry Belyavskiy
45028601a3
We don't install openssh.conf file
2023-01-23 16:01:47 +01:00
Dmitry Belyavskiy
7a21555354
Get rid of ssh_keys group for new installations
2023-01-23 16:01:47 +01:00
Dmitry Belyavskiy
b615362fd0
Restore upstream default host key permissions (rhbz#2141272)
2023-01-23 16:01:47 +01:00
Fedora Release Engineering
cc56e874e8
Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 22:57:59 +00:00
Dmitry Belyavskiy
c9904c7c8a
Fix build against updated OpenSSL
...
Resolves: rhbz#2158966
2023-01-09 12:48:20 +01:00
Norbert Pocs
ebc2a70dee
Add additional audit logging
...
Additional information audited about the SSH key used to log in
Resolves: rhbz#2049947
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2022-10-24 19:22:09 +02:00
Dmitry Belyavskiy
f79c122b0b
Check IP opts length
...
Resolves: rhbz#1960015
2022-10-21 17:53:00 +02:00
Anthony Rabbito
09b309fe0e
bump release after rebase
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 20:01:41 -04:00
Anthony Rabbito
499c2eb7ec
fix: source order
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 19:58:14 -04:00
Anthony Rabbito
9417892cb7
openssh-clients: create a user socket unit for ssh-agent (rhbz#2125576)
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 19:58:11 -04:00
Dmitry Belyavskiy
aa843e85ee
RSAMinSize => RequiredRSASize
2022-09-29 15:42:34 +02:00
Luca BRUNO
26c275d66e
openssh: move users/groups creation logic to sysusers.d fragments
...
See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
2022-09-02 14:47:11 +00:00
Alexander Sosedkin
42b22d9ad2
Mark HostbasedAcceptedAlgorithms as governed by crypto-policies
2022-08-24 13:11:22 +02:00
Dmitry Belyavskiy
483723014e
Port patches from CentOS - RSAMinSize
...
Related: rhbz#2117264
2022-08-17 10:06:13 +02:00
Dmitry Belyavskiy
03150f6281
OpenSSH Rebase to 9.0p1
...
Related: rhbz#2057466
2022-08-15 09:28:25 +02:00
Dmitry Belyavskiy
9fd6981674
Add patches from CentOS/RHEL9.1
...
Related: rhbz#2117264
2022-08-10 19:58:47 +02:00
Luca BRUNO
14d7b86a50
openssh: use allocated static GID for 'ssh_keys' group (rhbz#2104595)
...
This uses the static GID 101 allocated for group `ssh_keys`.
See FPC ticket for discussion/approval.
Ref: https://pagure.io/packaging-committee/issue/1188
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2104595
2022-08-01 15:15:08 +00:00
Fedora Release Engineering
5b072577e1
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-22 02:14:56 +00:00
Dmitry Belyavskiy
ae82569b18
Disable locale forwarding in OpenSSH
...
Resolves: rhbz#2002739
2022-04-29 11:43:53 +02:00
Cedric Staniewski
95d45cee50
Build gnome-ssh-askpass against gtk3
2022-03-02 21:59:26 +01:00
Jay W
bffeef3c12
Update openssh.spec to allow flatpak builds
2022-02-09 16:10:10 +00:00
Fedora Release Engineering
6c5dd84a55
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 22:29:14 +00:00
Dmitry Belyavskiy
7b76af5292
OpenSSH 8.8p1 rebase
...
Related: rhbz#2007967
2021-11-29 14:37:28 +01:00
Dmitry Belyavskiy
c5e4c28ae1
Upstream fix for CVE-2021-41617
...
Resolves: rhbz#2008292
2021-09-29 13:39:26 +02:00
Dmitry Belyavskiy
640f2450c4
fixup! OpenSSH 8.7p1 patches rebase
2021-09-16 16:04:36 +02:00
Sahana Prasad
4d585ee5a4
Rebuilt with OpenSSL 3.0.0
2021-09-14 19:10:22 +02:00
Dmitry Belyavskiy
b8319d7f17
spec and sources updated
2021-09-01 16:35:39 +02:00
Fedora Release Engineering
bdde8987e3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-22 17:20:35 +00:00
Dmitry Belyavskiy
d761d9a626
restore the blocking mode on standard output - upstream
...
Resolves: rhbz#1942901
2021-06-21 13:12:47 +02:00
Timm Bäder
2f2c30932e
Use %set_build_flags to set build flags
...
The previous version of the spec file was trying to append flags to e.g.
LDFLAGS, but those are empty without doing a %set_build_flags first.
Use %set_build_flags to populate all build flags.
2021-05-25 08:10:41 +02:00
Dmitry Belyavskiy
5e2b7dfb9e
Missing version bump
...
Resolves: rhbz#1963059
2021-05-21 18:09:44 +02:00
Dmitry Belyavskiy
fddba54ba2
Hostbased ssh authentication fails if session ID contains a '/'
...
Resolves: rhbz#1963059
2021-05-21 17:57:13 +02:00
Dmitry Belyavskiy
4d4feb650d
restore the blocking mode on standard output
...
Resolves rhbz#1942901
2021-05-10 11:30:58 +02:00
Dmitry Belyavskiy
ac2648baae
pam_auth version bump
2021-04-30 17:06:28 +02:00
Dmitry Belyavskiy
f0f3114095
pam_auth version bump
2021-04-30 16:57:20 +02:00
Dmitry Belyavskiy
df26987d52
Fixes from RHEL 8.5.0
2021-04-29 16:37:35 +02:00
Dmitry Belyavskiy
f32b842272
OpenSSH release update
...
Resolves: rhbz#1950819
8.5p1 => 8.6p1
2021-04-29 16:37:35 +02:00
Rex Dieter
44aae310bd
create userunit dir before installing to it
...
*shrug*, for posterity, consider using
install -D ...
2021-03-09 09:33:17 -06:00
Rex Dieter
9979ff5307
ssh-agent.service is user unit (#1761817#27)
2021-03-09 09:19:14 -06:00
Rex Dieter
5f230a4999
-clients: provide ssh-agent.service ( #1761817 )
2021-03-04 15:10:26 +01:00
Jakub Jelen
25c16c68f5
openssh-8.5p1-1 + 0.10.4-2
2021-03-03 11:08:52 +01:00
Zbigniew Jędrzejewski-Szmek
6e1851c5ba
Rebuilt for updated systemd-rpm-macros
...
See https://pagure.io/fesco/issue/2583 .
2021-03-02 16:13:10 +01:00
Fedora Release Engineering
7347a74385
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 22:36:09 +00:00
Jakub Jelen
ab05c4fa21
8.4p1-5 + 0.10.4-1 (forgotten version bump)
2021-01-22 17:35:02 +01:00
Jakub Jelen
106b283ba5
8.4p1-5 + 0.10.4-1
2021-01-22 12:58:02 +01:00
Timothée Ravier
a886069993
Use /usr/share/empty.ssh instead of /var/empty/sshd
...
This has the following advantages:
* Removes a dependency on a directory stored in /var
* /usr is mounted read only on ostree based systems (CoreOS, Silverblue)
This also removes the tmpfiles config.
Edit Jakub Jelen: Removed the version bump from PR
https://src.fedoraproject.org/rpms/openssh/pull-request/14
2021-01-22 12:57:36 +01:00
Jakub Jelen
1a45c5da8d
Remove openssh-cavs subpackage as it is no longer needed and broken anyway
...
The CAVS drivers were used for FIPS certification when OpenSSH used to
be a FIPS module. This is no longer the case and these leftovers
were left in place until they work. This is no longer the case either
so let's get rid of 1000 lines of patches.
2021-01-22 12:50:51 +01:00
Jakub Jelen
258db094bd
8.4p1-4 + 0.10.4-1
2020-12-01 09:54:21 +01:00
Jakub Jelen
d8a80c8be6
Fix Obsoletes for openssh-ldap ( #1902084 )
2020-12-01 09:53:40 +01:00
Jakub Jelen
b6df6b3e29
List updated RFC
2020-11-26 11:48:54 +01:00
Jakub Jelen
126d278fec
8.4p1-3 + 0.10.4-1
2020-11-19 15:08:05 +01:00
Jakub Jelen
6a07699454
Compatibility with Debian's openssh-7.4p1 ( #1881301 )
...
Only this version incorrectly reports the server_sig_algorithms
extension and in Fedora 33 with disabled SHA1, clients are unable
to connect to Debian servers
2020-11-19 15:08:05 +01:00
Jakub Jelen
bbe3c2e156
Fix missing syscall in sandbox on arm ( #1897712 )
2020-11-19 15:08:02 +01:00
Jakub Jelen
a048fcc3d0
8.4p1-2 + 0.10.4-1
2020-10-06 10:01:41 +02:00
Jakub Jelen
dc5e3131ec
Unbreak ssh-copy-id ( #1884231 )
2020-10-06 10:01:23 +02:00
Jakub Jelen
7b064ea363
Add missing changelog
2020-09-29 16:10:09 +02:00
Jakub Jelen
bd35168662
8.4p1-1 + 0.10.4-1
2020-09-29 14:53:14 +02:00
Jakub Jelen
3783a5da43
Rebase pam_ssh_agent_auth to 0.10.4
2020-09-29 14:53:14 +02:00
Jakub Jelen
7e9d046986
Remove support for building rescue CD
...
This is not used for close to 20 years and is broken at least from Fedora 31
2020-09-07 09:37:58 +02:00
Jakub Jelen
10cdecf4f1
8.3p1-4 + 0.10.3-10
2020-08-28 20:14:42 +02:00
Jakub Jelen
44157573e5
Remove openssh-ldap subpackage
2020-08-21 09:40:42 +02:00
Jakub Jelen
68460c09bb
Use make macros
...
Based on https://src.fedoraproject.org/rpms/openssh/pull-request/11
https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
2020-07-31 15:33:21 +02:00
Jakub Jelen
dfeecfb1e8
Drop loading of anaconda configuration from sysconfig including scriptlet to migrate to include drop-in directory
2020-07-31 15:26:55 +02:00
Fedora Release Engineering
fccd87eb18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-28 12:48:46 +00:00
Jakub Jelen
996e25f2f9
8.3p1-3 + 0.10.3-10
2020-06-10 14:36:49 +02:00
Jakub Jelen
868439f73a
Stop loading crypto policy for command line in service files
2020-06-10 14:35:23 +02:00
Jakub Jelen
8b7ddfb28b
Move included configuration files in order to allow applications to include their defaults
...
See more discussion in
https://src.fedoraproject.org/rpms/openssh/pull-request/9#
https://github.com/coreos/fedora-coreos-docs/pull/80#discussion_r434961161
2020-06-08 21:52:42 +02:00
Jakub Jelen
3bd5ced9ee
8.3p1-2 + 0.10.3-10
2020-06-01 13:51:43 +02:00
Jakub Jelen
5cd9552fc4
8.3p1-1 + 0.10.3-10
2020-05-27 09:57:29 +02:00
Jakub Jelen
efd1b7e5c8
Unbreak corner cases of sshd_config include
2020-05-27 09:53:38 +02:00
Jakub Jelen
4e3553bf2a
openssh-8.2p1-3 + 0.10.3-9
2020-04-08 10:27:07 +02:00
Jakub Jelen
eb546ec1a7
Drop fipscheck dependency and non-standard fips checks
2020-03-30 16:38:36 +02:00
Jakub Jelen
02af5cfa17
Do not break X11 forwarding without IPv6
2020-03-30 16:38:36 +02:00
Jakub Jelen
b2417553a2
openssh-8.2p1-2 + 0.10.3-9
2020-02-20 10:34:01 +01:00
Jakub Jelen
82f9421fb4
Build properly with integrated u2f support ( #1803948 )
2020-02-20 10:32:48 +01:00
Jakub Jelen
51f5c1c99f
openssh-8.2p1-1 + 0.10.3-9
2020-02-17 14:34:41 +01:00
Jakub Jelen
a2cffc6e9b
openssh-8.1p1-4 + 0.10.3-8
2020-02-03 00:51:53 +01:00
Fedora Release Engineering
657d132847
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 20:24:49 +00:00
Jakub Jelen
62361a761c
openssh-8.1p1-3 + 0.10.3-8
2019-11-27 11:16:26 +01:00
Jakub Jelen
c28decf412
Unbreak the seccomp filter also on ARM ( #1777054 )
2019-11-27 11:15:00 +01:00
Jakub Jelen
d26b44fe7f
openssh-8.1p1-2 + 0.10.3-8
2019-11-14 09:24:36 +01:00