Jakub Jelen
84d3989ec8
Coverity -> FIPS patch
2016-06-03 12:54:03 +02:00
Jakub Jelen
31536c7ac6
Move linux_seed() header from coverity to entropy patch
2016-06-03 12:54:03 +02:00
Jakub Jelen
f2868287aa
rebase x11 patch to clean up coverity patch
2016-06-03 10:44:32 +02:00
Jakub Jelen
ea9421342e
Coverity: dereference in pam_ssh_agent_auth
...
Upstream: https://sourceforge.net/p/pamsshagentauth/bugs/22/
2016-06-03 09:49:44 +02:00
Jakub Jelen
d78d347c11
Check for real location of .k5login file ( #1328243 )
2016-06-03 09:29:58 +02:00
Jakub Jelen
8dd0608e77
Regression in certificate-based authentication ( #1333498 )
2016-05-06 09:25:20 +02:00
Jakub Jelen
991b66246f
openssh-7.2p2-6 + 0.10.2-3
2016-04-29 13:57:45 +02:00
Jakub Jelen
0b5300a59c
Add legacy sshd-keygen for anaconda ( #1331077 )
2016-04-29 13:41:38 +02:00
Jakub Jelen
1380564732
openssh-7.2p2-5 + 0.10.2-3
2016-04-22 14:52:57 +02:00
Jakub Jelen
b7de610db3
Fix typo about sshd-keygen in sysconfig ( #1325535 )
2016-04-22 14:50:30 +02:00
Jakub Jelen
cf4e3a1844
Fix for CVE-2015-8325 ( #1328013 )
2016-04-18 12:39:11 +02:00
Jakub Jelen
58d2868dfe
openssh-7.2p2-4 + 0.10.2-3
2016-04-15 17:56:43 +02:00
Jakub Jelen
5489ace8dc
Add sshd-keygen.target to abstract key creation from sshd.service and sshd@.service ( #1325535 )
...
* PartOf is needed to trigger sshd-keygen checks for sshd.service restarts
* sshd-keygen.target makes a level of abstraction to eliminate dupplicate
dependencies on both sshd and sshd@ services
2016-04-15 17:05:32 +02:00
Jakub Jelen
461b3af818
Remove unused sshd init script
2016-04-15 17:04:59 +02:00
Jakub Jelen
32a74888d5
openssh-7.2p2-3 + 0.10.2-3
2016-04-13 13:44:58 +02:00
Jakub Jelen
00c7b75439
Make sshd-keygen comply with packaging guidelines ( #1325535 )
2016-04-13 13:42:12 +02:00
Jakub Jelen
3d2c14680b
Soft-deny socket() syscall in seccomp sandbox ( #1324493 )
...
* Used for ecdh-sha2-nistp* key exchange methods in FIPS mode
2016-04-11 16:14:25 +02:00
Jakub Jelen
0509c6c977
Remove *sha1 Kex in FIPS mode ( #1324493 )
2016-04-11 13:16:52 +02:00
Jakub Jelen
117a730ded
Remove *gcm ciphers in FIPS mode ( #1324493 )
2016-04-11 13:16:44 +02:00
Jakub Jelen
f7e56a52db
openssh-7.2p2-2 + 0.10.2-3
2016-04-06 13:01:29 +02:00
Jakub Jelen
fc0cf7f8d5
Fix GSSAPI Key Exchange for older clients ( #1323622 )
...
Failed with older clients, because server was doing signature over
different data than the verifying client. It was caused by bump of
minimal DH groups offered by server and a bug in code, which was
using max(client_min, server_min) instead of client_min as proposed
by RFC4462.
2016-04-06 12:53:37 +02:00
Jakub Jelen
bda184b249
pam_ssh_agent_auth: prevent using MD5 in Fips mode
2016-03-16 09:40:35 +01:00
Jakub Jelen
53c9992786
Drop init scripts dependency from sshd-keygen ( #1317722 )
2016-03-15 09:06:10 +01:00
Jakub Jelen
9163ba11f1
openssh-7.2p2-1 + 0.10.2-3
2016-03-10 13:36:41 +01:00
Jakub Jelen
28ce052525
Audit: Cleanup for upstream proposal
...
* whitespace cleanup
* use constants instead of magic numbers
* get rid of backup_state from old API
* proper conditionalization of audit code
* remove ancient fingerprint_prefix() function
2016-03-04 17:36:08 +01:00
Jakub Jelen
0bdae3b8df
openssh-7.2p1-1 + 0.10.2-2
2016-03-03 17:59:53 +01:00
Jakub Jelen
e762f7265e
Restore slogin symlinks
2016-03-03 17:48:20 +01:00
Jakub Jelen
13bf5bef36
Forgotten rebased FIPS patch
2016-02-29 15:16:45 +01:00
Jakub Jelen
13073f8d9c
openssh-7.2p1-1 ( #1312870 )
2016-02-29 15:01:33 +01:00
Jakub Jelen
46445f1c7a
openssh-7.1p2-4 + 0.10.2-1
2016-02-25 10:38:09 +01:00
Jakub Jelen
44fc97266b
Audit race condition resolved ( #1308295 )
2016-02-25 10:37:22 +01:00
Jakub Jelen
7b15444065
Fix X11 forwarding CVE according to upstream
2016-02-24 09:51:43 +01:00
Jakub Jelen
4fdc3c59c4
Fix problem when running without privsep ( #1303910 )
2016-02-24 09:51:43 +01:00
Jakub Jelen
700da17374
Remove hard glob limit since the CVE introducing this one is unrelated.
2016-02-24 09:51:43 +01:00
Fedora Release Engineering
b2b837ad97
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
2016-02-04 11:34:23 +00:00
Jakub Jelen
8ddd3edcd8
openssh-7.1p2-3 + 0.10.2-1
2016-01-30 01:18:26 +01:00
Jakub Jelen
ca79709ade
Silently disable X11 forwarding
...
Based on feedback on previous update:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-47ac27532d
2016-01-30 01:18:12 +01:00
Jakub Jelen
c08255b7b1
Fix pam_ssh_agent_auth segfaults with non-accepted keys ( #1303036 )
2016-01-30 01:18:06 +01:00
Jakub Jelen
d1b43a2865
Update sshd service file to forking (as #1291172 )
2016-01-26 13:54:53 +01:00
Jakub Jelen
7adf5f4c63
Missing pam_ssh_agent_auth sources
2016-01-26 09:10:27 +01:00
Jakub Jelen
6c2eb5e22d
openssh-7.1p2-2 + 0.10.2-1
2016-01-26 09:00:28 +01:00
Jakub Jelen
38c7737421
Remove defattr from spec file
...
Mailing list thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KEO7AX3JXR2TY6OVL4M7HDISZ6YIJNKU/
2016-01-26 09:00:28 +01:00
Jakub Jelen
733cea720e
CVE-2016-1908: Prevent possible fallback from untrusted to trusted X11 forwarding
...
Upstream commits:
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
2016-01-26 09:00:23 +01:00
Jakub Jelen
87ab5fc4af
Reabse to latest release of pam_ssh_agent_auth with preserving current functionality
...
* Rebase to latest upstream version
* Clean up older patches for pam_ssh_agent_auth
* Remove prefixes from upstream release so we can build it against current
openssh library
* Remove copied files and headers so we make sure we build against current openssh
2016-01-25 13:32:42 +01:00
Jakub Jelen
7bc64374b0
openssh-7.1p2-1 + 0.9.2-9
2016-01-14 16:11:06 +01:00
Jakub Jelen
b2191db92e
openssh-7.1p1-7 + 0.9.2-8
2016-01-12 13:15:33 +01:00
Jakub Jelen
af94f46861
Fix condition to run sshd-keygen
...
When the first boot fails for some reason and the host keys files
are created, but the content not synced into the disk, during the
second boot, the keygen is not run, but the sshd will not start.
Changing condition mitigates this case.
2016-01-12 13:14:58 +01:00
Jakub Jelen
06b1d5330a
Make ssh-keysign world readable ( #1296724 )
2016-01-08 13:22:09 +01:00
Jakub Jelen
f26cd8d6ee
Update ssh-agent permissions ( #1296724 )
...
* It is no longer required to have ssh-agent with suid bit, because
the ptrace attach is prevented using PR_SET_DUMPABLE 0 [1]
[1] https://anongit.mindrot.org/openssh.git/commit/?id=6c4914afccb0c188a2c412d12dfb1b73e362e07e
2016-01-08 11:27:02 +01:00
Jakub Jelen
7c5d0a686c
Make sure the semantics of %global macro stays the same as before a0e252571b
2016-01-08 09:15:52 +01:00