
Adding debian version 1:10.0p1-5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Daniel Baumann 2025-06-21 09:50:02 +02:00
parent f4a1000be6
commit 31f6d7a384
Signed by: daniel.baumann
GPG key ID: BCC918A2ABD66424
128 changed files with 19142 additions and 0 deletions

debian/.git-dpm vendored Normal file

@ -0,0 +1,12 @@
# see git-dpm(1) from git-dpm package
f5c89caec93130da905a95602cf36a4e25f2303e
f5c89caec93130da905a95602cf36a4e25f2303e
860fa104f07024318a40065f07708daa5753f55d
860fa104f07024318a40065f07708daa5753f55d
openssh_10.0p1.orig.tar.gz
ac4205e827aea383bf316a33a0e2d5b66b85fcf8
1972675
debianTag="debian/%e%%%V"
patchedTag="patched/%e%%%V"
upstreamTag="upstream/%U"
signature:9623202a5dd2cee22dc5bdbe73144d15730b1f97:833:openssh_10.0p1.orig.tar.gz.asc
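Review bot: the upstream tarball is pinned here only by a SHA-1 digest and a byte count (`ac4205e827aea383bf316a33a0e2d5b66b85fcf8` / `1972675`), which is all the git-dpm format records; since SHA-1 is no longer collision resistant, the integrity of openssh_10.0p1.orig.tar.gz should be established from the detached signature referenced on the `signature:` line (openssh_10.0p1.orig.tar.gz.asc) checked against the upstream release key in debian/upstream/signing-key.asc, with this digest treated as a consistency check rather than the trust anchor.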

debian/.gitignore vendored Normal file

@ -0,0 +1,17 @@
/*.debhelper*
/*substvars
/build-deb
/build-udeb
/files
/keygen-test/key1
/keygen-test/key1.pub
/keygen-test/key2
/keygen-test/key2.pub
/openssh-client
/openssh-client-udeb
/openssh-server
/openssh-server-udeb
/ssh
/ssh-askpass-gnome
/ssh-krb5
/tmp
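Review bot: the four `/keygen-test/key*` entries keep the private keys generated by the build-time keygen test out of the repository, which is the right default; because every pattern is anchored at the directory root, any new test that writes key material outside /keygen-test will need its own entry, so it is worth a comment above that group saying the keys are build artefacts and must never be committed.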

debian/NEWS vendored Normal file

@ -0,0 +1,700 @@
openssh (1:10.0p1-1) unstable; urgency=medium
OpenSSH 10.0p1 includes a number of changes that may affect existing
configurations:
* This release removes support for the weak DSA signature algorithm,
completing the deprecation process that began in 2015 (when DSA was
disabled by default) and repeatedly warned over the last 12 months.
* scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by scp &
sftp. This disables implicit session creation by these tools when
ControlMaster was set to yes/auto by configuration, which some users
found surprising. This change will not prevent scp/sftp from using an
existing multiplexing session if one had already been created.
* sshd(8): this release disables finite field (a.k.a modp) Diffie-Hellman
key exchange in sshd by default. Specifically, this removes the
"diffie-hellman-group*" and "diffie-hellman-group-exchange-*" methods
from the default KEXAlgorithms list. The client is unchanged and
continues to support these methods by default.
* sshd(8): this release removes the implicit fallback to compiled-in
groups for Diffie-Hellman Group Exchange KEX when the moduli file
exists but does not contain moduli within the client-requested range.
The fallback behaviour remains for the case where the moduli file does
not exist at all. This allows administrators more explicit control over
which DH groups will be selected, but can lead to connection failures
if the moduli file is edited incorrectly.
-- Colin Watson <cjwatson@debian.org> Fri, 11 Apr 2025 11:16:19 +0100
openssh (1:9.9p1-1) unstable; urgency=medium
OpenSSH 9.9p1 includes a number of changes that may affect existing
configurations:
* ssh(1): remove support for pre-authentication compression. OpenSSH has
only supported post-authentication compression in the server for some
years. Compression before authentication significantly increases the
attack surface of SSH servers and risks creating oracles that reveal
information about information sent during authentication.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for quoted
strings, including allowing nested quotes and \-escaped characters. If
configurations contained workarounds for the previous simplistic quote
handling then they may need to be adjusted. If this is the case, it's
most likely to be in the arguments to a "Match exec" condition. In this
case, moving the command to be evaluated from the Match line to an
external shell script is the easiest way to preserve compatibility with
both the old and new versions.
-- Colin Watson <cjwatson@debian.org> Mon, 23 Sep 2024 21:09:59 -0700
openssh (1:9.8p1-5) unstable; urgency=medium
Future Debian releases will remove GSS-API authentication and key exchange
support from openssh-client and openssh-server; this adds
pre-authentication attack surface and should only be used where
specifically needed. Users of GSS-API authentication or key exchange
should install the new openssh-client-gssapi or openssh-server-gssapi
package now; these currently just depend on openssh-client and
openssh-server respectively, but this will change in the future.
-- Colin Watson <cjwatson@debian.org> Thu, 29 Aug 2024 12:13:32 +0100
openssh (1:9.8p1-1) unstable; urgency=medium
OpenSSH 9.8p1 includes a number of changes that may affect existing
configurations:
* DSA keys, as specified in the SSH protocol, are inherently weak: they
are limited to 160-bit private keys and the SHA-1 digest. The SSH
implementation provided by the openssh-client and openssh-server
packages has disabled support for DSA keys by default since OpenSSH
7.0p1 in 2015, released with Debian 9 ("stretch"), although it could
still be enabled using the HostKeyAlgorithms and
PubkeyAcceptedAlgorithms configuration options for host and user keys
respectively.
The only remaining uses of DSA at this point should be connecting to
some very old devices. For all other purposes, the other key types
supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.
As of OpenSSH 9.8p1, DSA keys are no longer supported even with the
above configuration options. If you have a device that you can only
connect to using DSA, then you can use the ssh1 command provided by the
openssh-client-ssh1 package to do so.
In the unlikely event that you are still using DSA keys to connect to a
Debian server (if you are unsure, you can check by adding the -v option
to the ssh command line you use to connect to that server and looking
for the "Server accepts key:" line), then you must generate replacement
keys before upgrading.
* sshd(8): the server will now block client addresses that repeatedly
fail authentication, repeatedly connect without ever completing
authentication or that crash the server. Operators of servers that
accept connections from many users, or servers that accept connections
from addresses behind NAT or proxies may need to consider these
settings.
* sshd(8): several log messages have changed. In particular, some log
messages will be tagged with as originating from a process named
"sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines containing
the hostname and SSH protocol banner to standard error. This release
now emits them to standard output, but adds a new "-q" flag to silence
them altogether.
* sshd(8): sshd will no longer use argv[0] as the PAM service name. A
new "PAMServiceName" sshd_config(5) directive allows selecting the
service name at runtime. This defaults to "sshd".
-- Colin Watson <cjwatson@debian.org> Wed, 31 Jul 2024 17:16:04 +0100
openssh (1:9.7p1-6) unstable; urgency=medium
Debian's PAM configuration for OpenSSH no longer reads the
~/.pam_environment file. The implementation of this in pam_env has a
history of security problems and has been deprecated by the upstream
Linux-PAM maintainers due to the possibility that "user supplied
environment variables in the PAM environment could affect behavior of
subsequent modules in the stack without the consent of the system
administrator".
Instead, environment variables need to be set somewhere that will be
handled by the session process; for most users, this will be shell
initialization files such as ~/.bash_profile or ~/.bashrc.
-- Colin Watson <cjwatson@debian.org> Tue, 25 Jun 2024 14:20:44 +0100
openssh (1:9.5p1-1) experimental; urgency=medium
OpenSSH 9.5p1 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
are very convenient due to their small size. Ed25519 keys are specified
in RFC 8709 and OpenSSH has supported them since version 6.5 (January
2014).
* sshd(8): the Subsystem directive now accurately preserves quoting of
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
-- Colin Watson <cjwatson@debian.org> Thu, 23 Nov 2023 17:38:07 +0000
openssh (1:9.4p1-1) unstable; urgency=medium
OpenSSH 9.4p1 includes a number of changes that may affect existing
configurations:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system library
directories.
-- Colin Watson <cjwatson@debian.org> Sat, 02 Sep 2023 21:02:53 +0100
openssh (1:9.3p2-1) unstable; urgency=high
OpenSSH 9.3p2 includes a number of changes that may affect existing
configurations:
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added to
restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify requests
that are remote. The OpenSSH >=8.9 ssh(1) client does this, but
forwarding access to an agent socket using other tools may circumvent
this restriction.
-- Colin Watson <cjwatson@debian.org> Wed, 19 Jul 2023 21:57:53 +0100
openssh (1:9.2p1-1) unstable; urgency=medium
OpenSSH 9.2 includes a number of changes that may affect existing
configurations:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
This option defaults to "no", disabling the ~C command-line that was
previously enabled by default. Turning off the command-line allows
platforms that support sandboxing of the ssh(1) client (currently only
OpenBSD) to use a stricter default sandbox policy.
-- Colin Watson <cjwatson@debian.org> Wed, 08 Feb 2023 10:36:06 +0000
openssh (1:9.1p1-1) unstable; urgency=medium
OpenSSH 9.1 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
now first-match-wins to match other directives. Previously if an
environment variable was multiply specified the last set value would
have been used.
* ssh-keygen(8): ssh-keygen -A (generate all default host key types) will
no longer generate DSA keys, as these are insecure and have not been
used by default for some years.
-- Colin Watson <cjwatson@debian.org> Mon, 14 Nov 2022 16:35:59 +0000
openssh (1:9.0p1-1) unstable; urgency=medium
OpenSSH 9.0 includes a number of changes that may affect existing
configurations:
* This release switches scp(1) from using the legacy scp/rcp protocol to
using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example - "scp
host:~user/file /tmp". The SFTP protocol has no native way to expand a
~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a
protocol extension "expand-path@openssh.com" to support this.
In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
-- Colin Watson <cjwatson@debian.org> Sat, 09 Apr 2022 14:14:10 +0100
openssh (1:8.8p1-1) unstable; urgency=medium
OpenSSH 8.8 includes a number of changes that may affect existing
configurations:
* This release disables RSA signatures using the SHA-1 hash algorithm by
default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K.
For most users, this change should be invisible and there is no need to
replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512
signatures since release 7.2 and existing ssh-rsa keys will
automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination
host:
Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
-- Colin Watson <cjwatson@debian.org> Tue, 15 Feb 2022 19:20:21 +0000
openssh (1:8.7p1-1) unstable; urgency=medium
OpenSSH 8.7 includes a number of changes that may affect existing
configurations:
* scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host by
default. This was previously available via the -3 flag. This mode
avoids the need to expose credentials on the origin hop, avoids
triplicate interpretation of filenames by the shell (by the local
system, the copy origin and the destination) and, in conjunction with
the SFTP support for scp(1) mentioned below, allows use of all
authentication methods to the remote hosts (previously, only
non-interactive methods could be used). A -R flag has been added to
select the old behaviour.
* ssh(1)/sshd(8): both the client and server are now using a stricter
configuration file parser. The new parser uses more shell-like rules
for quotes, space and escape characters. It is also more strict in
rejecting configurations that include options lacking arguments.
Previously some options (e.g. DenyUsers) could appear on a line with no
subsequent arguments. This release will reject such configurations. The
new parser will also reject configurations with unterminated quotes and
multiple '=' characters after the option name.
* ssh(1): when using SSHFP DNS records for host key verification, ssh(1)
will verify all matching records instead of just those with the
specific signature type requested. This may cause host key verification
problems if stale SSHFP records of a different or legacy signature type
exist alongside other records for a particular host. bz#3322
* ssh-keygen(1): when generating a FIDO key and specifying an explicit
attestation challenge (using -Ochallenge), the challenge will now be
hashed by the builtin security key middleware. This removes the
(undocumented) requirement that challenges be exactly 32 bytes in
length and matches the expectations of libfido2.
* sshd(8): environment="..." directives in authorized_keys files are now
first-match-wins and limited to 1024 discrete environment variable
names.
OpenSSH 8.5 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): this release changes the first-preference signature
algorithm from ECDSA to ED25519.
* ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for
interactive use prior to TCP connect. The connection phase of the SSH
session is time-sensitive and often explicitly interactive. The
ultimate interactive/bulk TOS/DSCP will be set after authentication
completes.
* ssh(1), sshd(8): remove the pre-standardization cipher
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it
was standardized in RFC4253 (2006), has been deprecated and disabled by
default since OpenSSH 7.2 (2016) and was only briefly documented in
ssh.1 in 2001.
* ssh(1), sshd(8): update/replace the experimental post-quantum hybrid
key exchange method based on Streamlined NTRU Prime coupled with
X25519.
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced
with sntrup761x25519-sha512@openssh.com. Per its designers, the
sntrup4591761 algorithm was superseded almost two years ago by
sntrup761.
(note this both the updated method and the one that it replaced are
disabled by default)
* ssh(1): disable CheckHostIP by default. It provides insignificant
benefits while making key rotation significantly more difficult,
especially for hosts behind IP-based load-balancers.
-- Colin Watson <cjwatson@debian.org> Sat, 06 Nov 2021 12:23:47 +0000
openssh (1:8.4p1-1) unstable; urgency=medium
OpenSSH 8.4 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is generated has changed. It now includes the
authenticator data needed to validate attestation signatures.
* The API between OpenSSH and the FIDO token middleware has changed and
the SSH_SK_VERSION_MAJOR version has been incremented as a result.
Third-party middleware libraries must support the current API version
(7) to work with OpenSSH 8.4.
-- Colin Watson <cjwatson@debian.org> Sun, 18 Oct 2020 12:07:48 +0100
openssh (1:8.3p1-1) unstable; urgency=medium
OpenSSH 8.3 includes a number of changes that may affect existing
configurations:
* sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1)
do instead of accepting and silently ignoring it.
-- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 13:44:04 +0100
openssh (1:8.2p1-1) unstable; urgency=medium
OpenSSH 8.2 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will use
the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
CA signs new certificates.
Certificates are at special risk to SHA1 collision vulnerabilities as
an attacker has effectively unlimited time in which to craft a
collision that yields them a valid certificate, far more than the
relatively brief LoginGraceTime window that they have to forge a host
key signature.
The OpenSSH certificate format includes a CA-specified (typically
random) nonce value near the start of the certificate that should make
exploitation of chosen-prefix collisions in this context challenging,
as the attacker does not have full control over the prefix that
actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
algorithm and further improvements in attacks are highly likely.
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
algorithms and will refuse to accept certificates signed by an OpenSSH
8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
selected during signing ("ssh-keygen -t ssh-rsa"). Older
clients/servers may use another CA key type such as ssh-ed25519
(supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
* ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
key exchange proposal for both the client and server.
* ssh-keygen(1): The command-line options related to the generation and
screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have changed.
Most options have been folded under the -O flag.
* sshd(8): The sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured by
MaxStartups.
-- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 16:36:37 +0000
openssh (1:8.1p1-1) unstable; urgency=medium
OpenSSH 8.1 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible with
OpenSSH versions prior to 7.2 unless the default is overridden (using
"ssh-keygen -t ssh-rsa -s ...").
-- Colin Watson <cjwatson@debian.org> Thu, 10 Oct 2019 10:23:19 +0100
openssh (1:8.0p1-1) experimental; urgency=medium
OpenSSH 8.0 includes a number of changes that may affect existing
configurations:
* sshd(8): Remove support for obsolete "host/port" syntax.
Slash-separated host/port was added in 2001 as an alternative to
host:port syntax for the benefit of IPv6 users. These days there are
established standards for this like [::1]:22 and the slash syntax is
easily mistaken for CIDR notation, which OpenSSH supports for some
things. Remove the slash notation from ListenAddress and PermitOpen.
-- Colin Watson <cjwatson@debian.org> Sun, 09 Jun 2019 22:47:27 +0100
openssh (1:7.9p1-1) unstable; urgency=medium
OpenSSH 7.9 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
bans the use of DSA keys as certificate authorities.
* sshd(8): the authentication success/failure log message has changed
format slightly. It now includes the certificate fingerprint
(previously it included only key ID and CA key fingerprint).
-- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100
openssh (1:7.8p1-1) unstable; urgency=medium
OpenSSH 7.8 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
releases since 2014 and described in the PROTOCOL.key file in the
source distribution, offers substantially better protection against
offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m
PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for these
options).
* sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
-- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100
openssh (1:7.6p1-1) unstable; urgency=medium
OpenSSH 7.6 includes a number of changes that may affect existing
configurations:
* ssh(1): Delete SSH protocol version 1 support, associated configuration
options and documentation.
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): Do not offer CBC ciphers by default.
-- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100
openssh (1:7.5p1-1) experimental; urgency=medium
OpenSSH 7.5 includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and their
authentication state. Software that monitors ssh/sshd logs may need to
account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
-- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100
openssh (1:7.4p1-7) unstable; urgency=medium
This version restores the default for AuthorizedKeysFile to search both
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
you are only using ~/.ssh/authorized_keys, at least for critical
administrative access; do not assume that the current default will remain
in place forever.
-- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
configurations:
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting to
older devices using the default configuration, but it's highly likely
that such devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the
1990s, but today it's clearly a bad idea in terms of both cryptography
(cf. multiple compression oracle attacks in TLS) and attack surface.
Pre-auth compression support has been disabled by default for >10
years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
trusted paths by default. The path whitelist may be specified at
run-time.
* sshd(8): When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, sshd will now refuse
to accept the certificate unless they are identical. The previous
(documented) behaviour of having the certificate forced-command
override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for
having /bin/login manage login sessions.
The unprivileged sshd process that deals with pre-authentication network
traffic is now subject to additional sandboxing restrictions by default:
that is, the default sshd_config now sets UsePrivilegeSeparation to
"sandbox" rather than "yes". This has been the case upstream for a while,
but until now the Debian configuration diverged unnecessarily.
-- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
openssh (1:6.7p1-5) unstable; urgency=medium
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
a number of specific LC_FOO variables rather than the wildcard LC_*. I
have since been persuaded that this was a bad idea and have reverted it,
but it is difficult to automatically undo the change to
/etc/ssh/sshd_config without compounding the problem (that of modifying
configuration that some users did not want to be modified) further. Most
users who upgraded via version 1:6.7p1-4 should restore the previous value
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
-- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
openssh (1:5.4p1-2) unstable; urgency=low
Smartcard support is now available using PKCS#11 tokens. If you were
previously using an unofficial build of Debian's OpenSSH package with
OpenSC-based smartcard support added, then note that commands like
'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
/usr/lib/opensc-pkcs11.so' instead.
-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
openssh (1:3.8.1p1-9) experimental; urgency=low
The ssh package has been split into openssh-client and openssh-server. If
you had previously requested that the sshd server should not be run, then
that request will still be honoured. However, the recommended approach is
now to remove the openssh-server package if you do not want to run sshd.
You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
that.
-- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
openssh (1:3.5p1-1) unstable; urgency=low
This version of OpenSSH disables the environment option for public keys by
default, in order to avoid certain attacks (for example, LD_PRELOAD). If
you are using this option in an authorized_keys file, beware that the keys
in question will no longer work until the option is removed.
To re-enable this option, set "PermitUserEnvironment yes" in
/etc/ssh/sshd_config after the upgrade is complete, taking note of the
warning in the sshd_config(5) manual page.
-- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
openssh (1:3.0.1p1-1) unstable; urgency=high
As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
keys. This means the authorized_keys2 and known_hosts2 files are no longer
needed. They will still be read in order to maintain backward
compatibility.
-- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000

debian/README.Debian vendored Normal file
@ -0,0 +1,297 @@
OpenSSH for Debian
------------------
UPGRADE ISSUES
==============
PermitRootLogin
---------------
As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
without-password" (or the synonymous "PermitRootLogin prohibit-password" as
of 1:7.1p1-1). This disables password authentication for root, foiling
password dictionary attacks on the root user. Some sites may wish to use
the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
but note that "PermitRootLogin no" will break setups that SSH to root with a
forced command to take full-system backups. You can use PermitRootLogin in
a Match block if you want finer-grained control here.
For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
line with upstream. To avoid breaking local setups, this is still true for
installations upgraded from before 1:6.6p1-1. If you wish to change this,
you should edit /etc/ssh/sshd_config, change it manually, and run "service
ssh restart" as root.
Disabling PermitRootLogin means that an attacker possessing credentials for
the root account (any credentials in the case of "yes", or private key
material in the case of "prohibit-password") must compromise a normal user
account rather than being able to SSH directly to root. Be careful to avoid
a false illusion of security if you change this setting; any account you
escalate to root from should be considered equivalent to root for the
purposes of security against external attack. You might for example disable
it if you know you will only ever log in as root from the physical console.
Since the root account does not generally have non-password credentials
unless you explicitly install an SSH public key in its
~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
it, "prohibit-password" should be a reasonable default for most sites.
As of OpenSSH 7.0, this is the upstream default.
For further discussion, see:
https://bugs.debian.org/298138
https://bugzilla.mindrot.org/show_bug.cgi?id=2164
X11 Forwarding
--------------
ssh's default for ForwardX11 has been changed to ``no'' because it has
been pointed out that logging into remote systems administered by
untrusted people is likely to open you up to X11 attacks, so you
should have to actively decide that you trust the remote machine's
root, before enabling X11. I strongly recommend that you do this on a
machine-by-machine basis, rather than just enabling it in the default
host settings.
In order for X11 forwarding to work, you need to install xauth on the
server. In Debian this is in the xbase-clients package.
As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
the security risks of X11 forwarding. Look up X11UseLocalhost in
sshd_config(8) if this is a problem.
OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
ssh client to create an untrusted X cookie so that attacks on the
forwarded X11 connection can't become attacks on X clients on the remote
machine. However, this has some problems in implementation - notably a
very short timeout of the untrusted cookie - breaks large numbers of
existing setups, and generally seems immature. The Debian package
therefore sets the default for this option to "yes" (in ssh itself,
rather than in ssh_config).
Fallback to RSH
---------------
The default for this setting has been changed from Yes to No, for
security reasons, and to stop the delay attempting to rsh to machines
that don't offer the service. Simply switch it back on in either
/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
it for.
Setgid ssh-agent and environment variables
------------------------------------------
As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
attacks retrieving private key material. This has the side-effect of causing
glibc to remove certain environment variables which might have security
implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
TMPDIR.
If you need to set any of these environment variables, you will need to do
so in the program exec()ed by ssh-agent. This may involve creating a small
wrapper script.
Symlink Hostname invocation
---------------------------
This version of ssh no longer includes support for invoking ssh with the
hostname as the name of the file run. People wanting this support should
use the ssh-argv0 script.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
OTHER ISSUES
============
Authorization Forwarding
------------------------
Similarly, root on a remote server could make use of your ssh-agent
(while you're logged into their machine) to obtain access to machines
which trust your keys. This feature is therefore disabled by default.
You should only re-enable it for those hosts (in your ~/.ssh/config or
/etc/ssh/ssh_config) where you are confident that the remote machine
is not a threat.
Problems logging in with RSA authentication
-------------------------------------------
If you have trouble logging in with RSA authentication then the
problem is probably caused by the fact that you have your home
directory writable by group, as well as user (this is the default on
Debian systems).
Depending upon other settings on your system (i.e. other users being
in your group) this could open a security hole, so you will need to
make your home directory writable only by yourself. Run this command,
as yourself:
chmod g-w ~/
to remove group write permissions. If you use ssh-copy-id to install your
keys, it does this for you.
-L option of ssh nonfree
------------------------
non-free ssh supported the usage of the option -L to use a non privileged
port for scp. This option will not be supported by scp from openssh.
Please use instead scp -o "UsePrivilegedPort=no" as documented in the
manpage to scp itself.
Problem logging in because of TCP-Wrappers
------------------------------------------
ssh is compiled with support for tcp-wrappers. So if you can no longer
log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
are configured so that ssh is not blocked.
Kerberos support
----------------
ssh is now compiled with Kerberos support. Unfortunately, privilege
separation is incompatible with parts of Kerberos support for protocol 2;
you may need to run kinit after logging in.
Interoperability between scp and the ssh.com SSH server
-------------------------------------------------------
In version 2 and greater of the commercial SSH server produced by SSH
Communications Security, scp was changed to use SFTP (SSH2's file transfer
protocol) instead of the traditional rcp-over-ssh, thereby breaking
compatibility. The OpenSSH developers regard this as a bug in the ssh.com
server, and do not currently intend to change OpenSSH's scp to match.
Workarounds for this problem are to install scp1 on the server (scp2 will
fall back to it), to use sftp, or to use some other transfer mechanism such
as rsync-over-ssh or tar-over-ssh.
Running sshd from inittab
-------------------------
Some people find it useful to run the sshd server from inittab, to make sure
that it always stays running. To do this, stop sshd ('service ssh stop'),
add the following line to /etc/inittab, and run 'telinit q':
ss:2345:respawn:/usr/sbin/sshd -D
If you do this, note that you will need to stop sshd being started in the
normal way ('update-rc.d ssh disable') and that you will need to restart
this sshd manually on upgrades.
Socket-based activation with systemd
------------------------------------
If you want to reconfigure systemd to listen on port 22 itself and launch
sshd on connection (systemd-style socket activation), then you can run:
systemctl disable --now ssh.service
systemctl start ssh.socket
To roll back this change, run:
systemctl stop ssh.socket
systemctl enable --now ssh.service
Or if you want to make this change permanent:
systemctl enable ssh.socket
This may be appropriate in environments where minimal footprint is critical
(e.g. cloud guests).
The provided ssh.socket unit file sets ListenStream=22. If you need to have
it listen on a different address or port, then you will need to do this as
follows (modifying ListenStream to match your requirements):
mkdir -p /etc/systemd/system/ssh.socket.d
cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
[Socket]
ListenStream=
ListenStream=2222
EOF
systemctl daemon-reload
systemctl restart ssh.socket
See systemd.socket(5) for details.
Terminating SSH sessions cleanly on shutdown/reboot with systemd
----------------------------------------------------------------
If you have libpam-systemd >= 230 installed (following openssh-server's
Recommends) and "UsePAM yes" in sshd_config (the default configuration
shipped by this package), then SSH sessions will be terminated cleanly when
the server is shut down or rebooted.
If either of these conditions does not hold, then you may find that SSH
sessions hang silently when the server is shut down or rebooted. If you do
not want to use PAM or configure it properly for whatever reason, then you
can instead copy
/usr/share/doc/openssh-server/examples/ssh-session-cleanup.service to
/etc/systemd/system/ and run "systemctl enable ssh-session-cleanup.service".
Non-systemd users may find /usr/lib/openssh/ssh-session-cleanup helpful if
they have a similar problem, although at present there is no system
integration for this for anything other than systemd.
SSH protocol 1 server support removed
-------------------------------------
sshd(8) no longer supports the old SSH protocol 1, so all the configuration
options related to it are now deprecated and should be removed from
/etc/ssh/sshd_config. These are:
KeyRegenerationInterval
RSAAuthentication
RhostsRSAAuthentication
ServerKeyBits
The Protocol option is also no longer needed, although it is silently
ignored rather than deprecated.
if-up hook removed
------------------
openssh-server previously shipped an if-up hook that restarted sshd when a
network interface came up. This generally caused more problems than it
solved: for instance, it means that sshd stops listening briefly while being
restarted, which can cause problems in some environments, particularly
automated tests.
The only known situation where the if-up hook was useful was when
sshd_config was changed to add ListenAddress entries for particular IP
addresses, overriding the default of listening on all addresses, and the
system is one that often roams between networks. In such a situation, it is
better to remove ListenAddress entries from sshd_config (restoring it to the
default behaviour) and instead use firewall rules to restrict incoming SSH
connections to only the desired interfaces or addresses.
For further discussion, see:
https://bugs.launchpad.net/bugs/1674330
IPQoS defaults reverted to pre-7.8 values
-----------------------------------------
OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
interactive traffic and CS1 for bulk. This caused some problems with other
software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
change for the time being.
This is *temporary*, and we expect to come back into sync with upstream
OpenSSH once those other issues have been fixed. If you want to restore the
upstream default, add this to ssh_config and sshd_config:
IPQoS af21 cs1
For further discussion, see:
https://bugs.debian.org/923879
https://bugs.debian.org/926229
https://bugs.launchpad.net/1822370
--
Matthew Vernon <matthew@debian.org>
Colin Watson <cjwatson@debian.org>
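Review bot: several statements in this README have drifted from what the rest of this commit ships and should be brought into line. `In Debian this is in the xbase-clients package.` (X11 Forwarding) contradicts debian/control in the same commit, where openssh-client and openssh-server carry `Recommends: xauth`; name the xauth package instead. `Look up X11UseLocalhost in sshd_config(8)` points at the wrong manual section: the PermitRootLogin section of this same file correctly cites `sshd_config(5)`. The "-L option of ssh nonfree" section tells users to run `scp -o "UsePrivilegedPort=no"`, but ssh_config(5) in the 10.0p1 client packaged here no longer accepts a UsePrivilegedPort option, so that invocation fails; that section, like "Fallback to RSH" (the rsh fallback option likewise no longer exists in ssh_config), describes behaviour that is long gone and should either be dropped or marked explicitly as historical.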

debian/changelog vendored Normal file
File diff suppressed because it is too large

debian/check-ucf-md5sums vendored Executable file
@ -0,0 +1,31 @@
#! /bin/sh
# Check whether debian/openssh-server.ucf-md5sum is up to date.
set -e
contains_md5sum () {
# shellcheck disable=SC3043
local md5sum
md5sum="$(md5sum | sed 's/ -$//')"
if grep -qx "$md5sum" debian/openssh-server.ucf-md5sum; then
return 0
else
echo "Missing from debian/openssh-server.ucf-md5sum: $md5sum" >&2
return 1
fi
}
ret=0
<sshd_config contains_md5sum || ret=1
<sshd_config \
sed 's/^#*PermitRootLogin .*/PermitRootLogin yes/' | \
contains_md5sum || ret=1
<sshd_config \
sed 's/^#PasswordAuthentication .*/PasswordAuthentication no/' | \
contains_md5sum || ret=1
<sshd_config \
sed 's/^#*PermitRootLogin .*/PermitRootLogin yes/' | \
sed 's/^#PasswordAuthentication .*/PasswordAuthentication no/' | \
contains_md5sum || ret=1
exit "$ret"
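Review bot: the two sed substitutions anchor differently, `s/^#*PermitRootLogin .*/` (zero or more `#`) versus `s/^#PasswordAuthentication .*/` (exactly one `#`), so an uncommented `PasswordAuthentication` line in the shipped sshd_config would never be rewritten and the script would quietly compute the hash of the wrong variant. Either use `#*` for both or add a comment stating that the shipped file is expected to carry `#PasswordAuthentication yes`. Two smaller points: `grep -qx "$md5sum"` treats the hash as a regular expression, and `grep -qxF` would make the fixed-string intent explicit; and naming the local variable `md5sum` after the command it invokes on the line `md5sum="$(md5sum | sed 's/ -$//')"` is legal in sh but easy to misread.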

debian/clean vendored Normal file
@ -0,0 +1,2 @@
config.log
debian/openssh-server.sshd.pam

debian/control vendored Normal file
@ -0,0 +1,322 @@
Source: openssh
Section: net
Priority: standard
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Build-Depends:
debhelper (>= 13.1~),
debhelper-compat (= 13),
dh-exec,
dh-runit (>= 2.8.8),
dh-sequence-movetousr,
libaudit-dev [linux-any],
libedit-dev,
libfido2-dev (>= 1.5.0) [linux-any],
libgtk-3-dev <!pkg.openssh.nognome>,
libkrb5-dev | heimdal-dev,
libpam0g-dev | libpam-dev,
libselinux1-dev [linux-any],
libssl-dev (>= 1.1.1),
libwrap0-dev | libwrap-dev,
libwtmpdb-dev,
pkgconf,
zlib1g-dev,
Standards-Version: 4.6.2
Uploaders:
Colin Watson <cjwatson@debian.org>,
Matthew Vernon <matthew@debian.org>,
Homepage: https://www.openssh.com/
Vcs-Git: https://salsa.debian.org/ssh-team/openssh.git
Vcs-Browser: https://salsa.debian.org/ssh-team/openssh
Rules-Requires-Root: no
X-Style: black
Package: openssh-client
Architecture: any
Depends:
adduser,
init-system-helpers (>= 1.66~),
passwd,
${misc:Depends},
${shlibs:Depends},
Recommends:
xauth,
Conflicts:
sftp,
Breaks:
openssh-sk-helper,
Replaces:
openssh-sk-helper,
ssh,
ssh-krb5,
Suggests:
keychain,
libpam-ssh,
monkeysphere,
ssh-askpass,
Provides:
ssh-client,
Multi-Arch: foreign
Description: secure shell (SSH) client, for secure access to remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the ssh, scp and sftp clients, the ssh-agent
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
ssh replaces the insecure rsh, rcp and rlogin programs, which are
obsolete for most purposes.
Package: openssh-client-gssapi
Priority: optional
Architecture: all
Depends:
openssh-client (>= ${binary:Version}),
${misc:Depends},
Multi-Arch: foreign
Description: secure shell (SSH) client, with GSS-API support
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides versions of the ssh client and related programs
built with support for GSS-API authentication and key exchange, which
can be used with systems such as Kerberos.
It is currently an empty package depending on openssh-client, but
future releases will remove GSS-API support from openssh-client, so
users who need it should install this package.
Package: openssh-server
Priority: optional
Architecture: any
Pre-Depends:
${misc:Pre-Depends},
Depends:
libpam-modules,
libpam-runtime,
lsb-base,
openssh-client (= ${binary:Version}),
openssh-sftp-server,
procps,
ucf,
${misc:Depends},
${shlibs:Depends},
Recommends:
default-logind | logind | libpam-systemd,
ncurses-term,
xauth,
${openssh-server:Recommends},
Conflicts:
sftp,
ssh-socks,
ssh2,
Replaces:
openssh-client (<< 1:7.9p1-8),
ssh,
ssh-krb5,
Breaks:
${runit:Breaks},
Suggests:
molly-guard,
monkeysphere,
ssh-askpass,
ufw,
Provides:
ssh-server,
Multi-Arch: foreign
Description: secure shell (SSH) server, for secure access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the sshd server.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
sshd replaces the insecure rshd program, which is obsolete for most
purposes.
Package: openssh-server-gssapi
Priority: optional
Architecture: all
Depends:
openssh-client-gssapi (>= ${binary:Version}),
openssh-server (>= ${binary:Version}),
${misc:Depends},
Multi-Arch: foreign
Description: secure shell (SSH) server, with GSS-API key exchange
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides a version of the sshd server built with support
for GSS-API authentication and key exchange, which can be used with
systems such as Kerberos.
It is currently an empty package depending on openssh-server, but
future releases will remove GSS-API support from openssh-server, so
users who need it should install this package.
Package: openssh-sftp-server
Priority: optional
Architecture: any
Depends:
${misc:Depends},
${shlibs:Depends},
Recommends:
openssh-server | ssh-server,
Breaks:
openssh-server (<< 1:6.5p1-5),
Replaces:
openssh-server (<< 1:6.5p1-5),
Enhances:
openssh-server,
ssh-server,
Multi-Arch: foreign
Description: secure shell (SSH) sftp server module, for SFTP access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the SFTP server module for the SSH server. It
is needed if you want to access your SSH server with SFTP. The SFTP
server module also works with other SSH daemons like dropbear.
.
OpenSSH's sftp and sftp-server implement revision 3 of the SSH filexfer
protocol described in:
.
http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
.
Newer versions of the draft will not be supported, though some features
are individually implemented as extensions.
Package: openssh-tests
Priority: optional
Architecture: any
Depends:
openssh-client (= ${binary:Version}),
openssh-server (= ${binary:Version}),
openssh-sftp-server (= ${binary:Version}),
openssl,
putty-tools (>= 0.67-2),
python3-twisted,
${misc:Depends},
${shlibs:Depends},
Multi-Arch: foreign
Description: OpenSSH regression tests
This package provides OpenSSH's regression test suite. It is mainly
intended for use with the autopkgtest system, though can also be run
directly using /usr/lib/openssh/regress/run-tests.
Package: ssh
Priority: optional
Architecture: all
Depends:
openssh-client (>= ${binary:Version}),
openssh-server (>= ${binary:Version}),
${misc:Depends},
Multi-Arch: foreign
Description: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
and the OpenSSH server. It provides nothing in and of itself, so you
may remove it if nothing depends on it.
Package: ssh-askpass-gnome
Build-Profiles: <!pkg.openssh.nognome>
Section: gnome
Priority: optional
Architecture: any
Depends:
openssh-client | ssh (>= 1:1.2pre7-4),
${misc:Depends},
${shlibs:Depends},
Replaces:
ssh (<< 1:3.5p1-3),
Provides:
ssh-askpass,
Multi-Arch: foreign
Description: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main openssh-client package so that
openssh-client does not need to depend on GTK+.
.
You probably want the ssh-askpass package instead, but this is
provided to add to your choice and/or confusion.
Package: openssh-client-udeb
Build-Profiles: <!noudeb>
Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
Depends:
${misc:Depends},
${shlibs:Depends},
XB-Installer-Menu-Item: 99999
Description: secure shell client for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the ssh client for use in debian-installer.
Package: openssh-server-udeb
Build-Profiles: <!noudeb>
Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
Depends:
${misc:Depends},
${shlibs:Depends},
Description: secure shell server for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the sshd server for use in debian-installer.
Since it is expected to be used in specialized situations (e.g. S/390
installs with no console), it does not provide any configuration.
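Review bot: several versioned relationships refer to package versions many years older than the 1:10.0p1 being added by this commit and no longer describe any upgrade path a user could still be on: `openssh-client (<< 1:7.9p1-8)` in openssh-server's Replaces, `openssh-server (<< 1:6.5p1-5)` in openssh-sftp-server's Breaks/Replaces, `ssh (<< 1:3.5p1-3)` in ssh-askpass-gnome's Replaces, and the `ssh (>= 1:1.2pre7-4)` alternative in its Depends; consider dropping them to keep the relationships readable. Minor: the filexfer draft URL in openssh-sftp-server's description is plain `http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt` while Homepage and the Vcs-* fields use https.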

debian/copyright vendored Normal file
@ -0,0 +1,239 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: OpenSSH
Upstream-Contact: openssh-unix-dev@mindrot.org
Source: https://www.openssh.com/portable.html
Comment:
The overall licence of the OpenSSH upstream code amounts to BSD-3-clause or
various less restrictive licences, with the additional restrictions that
derived versions must be clearly marked as such and that if derived works
are incompatible with the RFC-specified protocol then they must be called
by a name other than "ssh" or "Secure Shell".
Files: *
Copyright:
1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Ben Lindstrom
Tim Rice
Andre Lucas
Chris Adams
Corinna Vinschen
Cray Inc.
Denis Parker
Gert Doering
Jakob Schlyter
Jason Downs
Juha Yrjölä
Michael Stone
Networks Associates Technology, Inc.
Solar Designer
Todd C. Miller
Wayne Schroeder
William Jones
Darren Tucker
Sun Microsystems
The SCO Group
Daniel Walsh
Red Hat, Inc
Simon Vallet / Genoscope
Internet Software Consortium
Reyk Floeter
Chad Mynhier
License: OpenSSH
Tatu Ylonen's original licence is as follows (excluding some terms about
third-party code which are no longer relevant; see the LICENCE file for
details):
.
As far as I am concerned, the code I have written for this software
can be used freely for any purpose. Any derived versions of this
software must be clearly marked as such, and if the derived work is
incompatible with the protocol description in the RFC file, it must be
called by a name other than "ssh" or "Secure Shell".
.
Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, and patent office worldwide. More
information can be found e.g. at "http://www.cs.hut.fi/crypto".
.
The legal status of this program is some combination of all these
permissions and restrictions. Use only at your own responsibility.
You will be responsible for any legal consequences yourself; I am not
making any claims whether possessing or using this is legal or not in
your country, and I am not taking any responsibility on your behalf.
.
Most remaining components of the software are provided under a standard
2-term BSD licence:
.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.
Some code is licensed under an ISC-style license, to the following
copyright holders:
.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
.
THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Files: ssh-keyscan.*
Copyright: 1995, 1996 David Mazieres <dm@lcs.mit.edu>
License: Mazieres-BSD-style
Modification and redistribution in source and binary forms is
permitted provided that due credit is given to the author and the
OpenBSD project by leaving this copyright notice intact.
Files: rijndael.*
Copyright: none (public domain)
License: public-domain
This code is from a reference implementation of the Rijndael cipher which
has been dedicated to the public domain.
.
@version 3.0 (December 2000)
.
Optimised ANSI C code for the Rijndael cipher (now AES)
.
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
.
This code is hereby placed in the public domain.
.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Files: loginrec.c openbsd-compat/* scp.c
Copyright:
1983, 1995-1997 Eric P. Allman
1999 Aaron Campbell
1993 by Digital Equipment Corporation
2000 Andre Lucas
1999-2010 Damien Miller
1997-2010 Todd C. Miller
1995, 1996, 1998, 1999, 2008 Theo de Raadt
2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
1980, 1983, 1987, 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995 The Regents of the University of California
License: BSD-3-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Files: openbsd-compat/bsd-snprintf.c
Copyright: 1995 Patrick Powell
License: Powell-BSD-style
This code is based on code written by Patrick Powell
(papowell@astart.com) It may be used for any purpose as long as this
notice remains intact on all source code distributions
Files: openbsd-compat/sigact.*
Copyright: 1998, 2000 Free Software Foundation, Inc.
License: Expat-with-advertising-restriction
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, distribute with modifications, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
.
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE.
.
Except as contained in this notice, the name(s) of the above copyright
holders shall not be used in advertising or otherwise to promote the
sale, use or other dealings in this Software without prior written
authorization.
Files: debian/*
Copyright: Matthew Vernon, Colin Watson
License: BSD-2-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

91
debian/gnome-ssh-askpass.1 vendored Normal file

@ -0,0 +1,91 @@
.\" Copyright (c) 2003-2022 Colin Watson <cjwatson@debian.org>
.\" Based on a manual page by Philip Hands for x11-ssh-askpass(1).
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd $Mdocdate: November 14 2022 $
.Dt GNOME-SSH-ASKPASS 1
.Os
.Sh NAME
.Nm gnome-ssh-askpass
.Nd prompts a user for a passphrase using GNOME
.Sh SYNOPSIS
.Nm Op Ar message ...
.Sh DESCRIPTION
.Nm
is a GNOME-based passphrase dialog for use with OpenSSH.
It is intended to be called by the
.Xr ssh-add 1
program and not invoked directly.
It allows
.Xr ssh-add 1
to obtain a passphrase from a user, even if not connected to a terminal
(assuming that an X display is available).
This happens automatically in the case where
.Xr ssh-add 1
is invoked from one's
.Pa ~/.xsession
or as one of the GNOME startup programs, for example.
.Pp
In order to be called automatically by
.Xr ssh-add 1 ,
the
.Ev SSH_ASKPASS
environment variable should be set to point to the location of
.Nm ,
or
.Nm
should be installed as
.Pa /usr/bin/ssh-askpass .
.Sh ENVIRONMENT
The following environment variables are recognized:
.Bl -tag -width "GNOME_SSH_ASKPASS_GRAB_POINTER"
.It Ev GNOME_SSH_ASKPASS_BG_COLOR
Text area background color, specified as hexadecimal RGB or RRGGBB,
optionally prefixed by
.Dq #
or
.Dq 0x .
.It Ev GNOME_SSH_ASKPASS_FG_COLOR
Text area foreground color, specified as hexadecimal RGB or RRGGBB,
optionally prefixed by
.Dq #
or
.Dq 0x .
.It Ev GNOME_SSH_ASKPASS_GRAB_POINTER
If set, causes
.Nm
to grab the mouse pointer before asking for a passphrase.
.It Ev GNOME_SSH_ASKPASS_GRAB_SERVER
If set, causes
.Nm
to grab the X server before asking for a passphrase.
.It Ev SSH_ASKPASS_PROMPT
If set to
.Li confirm ,
show a yes-or-no prompt, defaulting to yes.
If set to
.Li none ,
show a prompt with only a close button.
Otherwise, show an OK-or-cancel prompt, defaulting to OK.
This environment variable is typically set by
.Xr ssh-add 1 ,
and should not normally be set manually.
.El
.Pp
Regardless of whether either
.Ev GNOME_SSH_ASKPASS_GRAB_POINTER
or
.Ev GNOME_SSH_ASKPASS_GRAB_SERVER
is set,
.Nm
will grab the keyboard.
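Review bot: the `message ...` operand in the SYNOPSIS is never described anywhere in the page; the DESCRIPTION should say that it is the prompt text ssh-add(1) passes on the command line and that it is displayed in the dialog, since it is the only input the program takes from its caller and an admin reading this page cannot otherwise tell what the arguments are for.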

12
debian/keygen-test/Makefile vendored Normal file

@ -0,0 +1,12 @@
test: getpid.so
chmod +x keygen-test
./keygen-test
getpid.o: getpid.c
gcc $(CPPFLAGS) $(CFLAGS) -fPIC -c $< -o $@
getpid.so: getpid.o
gcc $(LDFLAGS) -shared -o $@ $<
clean:
rm -f getpid.o getpid.so key1 key1.pub key2 key2.pub
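Review bot: `test` and `clean` are not declared `.PHONY`, so a stray file named `test` or `clean` in this directory silently turns the target into a no-op and the RNG check never runs; add `.PHONY: test clean`. The compile rules also hardcode `gcc` rather than `$(CC)`, which bypasses whatever compiler (and hardening wrapper) the package build exports; `$(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -c $< -o $@` keeps the existing flag handling and respects the build environment.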

39
debian/keygen-test/getpid.c vendored Normal file

@ -0,0 +1,39 @@
/*
* Compile:
gcc -fPIC -c getpid.c -o getpid.o
gcc -shared -o getpid.so getpid.o
* Use:
FORCE_PID=1234 LD_PRELOAD=./getpid.so bash
#
# Copyright (C) 2001-2008 Kees Cook
# kees@outflux.net, http://outflux.net/
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# http://www.gnu.org/copyleft/gpl.html
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
pid_t getpid(void)
{
return atoi(getenv("FORCE_PID"));
}
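Review bot: `getpid()` passes the result of `getenv("FORCE_PID")` straight to `atoi()` with no NULL check, so any process that inherits LD_PRELOAD but not FORCE_PID (a child started with a scrubbed environment, or a manual run as in the "Use:" comment with the variable forgotten) crashes inside the override. Fall back to the real `getpid` via `dlsym(RTLD_NEXT, "getpid")` when the variable is unset, or at least return a fixed value; a preload shim that can crash its host is hard to debug from the outside. Cosmetic: the header mixes `*` and `#` prefixes inside one C comment, which the compiler accepts but reads as if a shell script had been pasted in.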

12
debian/keygen-test/keygen-test vendored Executable file

@ -0,0 +1,12 @@
#! /bin/sh
rm -f key1 key1.pub key2 key2.pub
LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
../build-deb/ssh-keygen -N '' -f key1 >/dev/null
LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
../build-deb/ssh-keygen -N '' -f key2 >/dev/null
if cmp -s key1 key2; then
echo "Generated two identical keys!" >&2
exit 1
fi
exit 0
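Review bot: the script passes vacuously when key generation fails: there is no `set -e`, and if `../build-deb/ssh-keygen` is missing or exits non-zero, `cmp -s` on two absent files returns non-zero and the test reports success. Add `set -e` (or check that `key1` and `key2` both exist and are non-empty before comparing) so that a broken build cannot masquerade as a passing RNG test. Comparing `key1.pub` with `key2.pub` as well would test the key material directly, since the private key file also carries random check bytes, so the public-key comparison is the one that says whether two runs with the same PID produced the same key.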

3
debian/openssh-client-udeb.install vendored Normal file

@ -0,0 +1,3 @@
scp usr/bin
sftp usr/bin
ssh usr/bin

35
debian/openssh-client.apport vendored Normal file

@ -0,0 +1,35 @@
'''apport hook for openssh-client
(c) 2010 Canonical Ltd.
Author: Chuck Short <chuck.short@canonical.com>
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See http://www.gnu.org/copyleft/gpl.html for
the full text of the license.
'''
from apport.hookutils import (
attach_conffiles,
attach_related_packages,
command_output,
)
def add_info(report, ui):
response = ui.yesno("The contents of your /etc/ssh/ssh_config file "
"may help developers diagnose your bug more "
"quickly. However, it may contain sensitive "
"information. Do you want to include it in your "
"bug report?")
if response == None: # user cancelled
raise StopIteration
elif response:
attach_conffiles(report, 'openssh-client')
attach_related_packages(report,
['ssh-askpass', 'libpam-ssh', 'keychain', 'ssh-askpass-gnome'])
report['SSHClientVersion'] = command_output(['/usr/bin/ssh', '-V'])
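Review bot: `response == None` should be `response is None` (`None` is a singleton and `==` can be overridden; this is the standard PEP 8 point). Also worth a one-line comment on the last line: `ssh -V` prints its version to stderr, so this hook relies on `command_output` capturing stderr along with stdout; anyone replacing the helper with a plain `subprocess.check_output` would get an empty field.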

1
debian/openssh-client.dirs vendored Normal file

@ -0,0 +1 @@
etc/ssh/ssh_config.d

4
debian/openssh-client.docs vendored Normal file

@ -0,0 +1,4 @@
OVERVIEW
README
README.dns
README.tun

35
debian/openssh-client.install vendored Executable file

@ -0,0 +1,35 @@
#! /usr/bin/dh-exec
etc/ssh/ssh_config
usr/bin/scp
usr/bin/sftp
usr/bin/ssh
usr/bin/ssh-add
usr/bin/ssh-agent
usr/bin/ssh-keygen
usr/bin/ssh-keyscan
usr/lib/openssh/ssh-keysign
usr/lib/openssh/ssh-pkcs11-helper
usr/lib/openssh/ssh-sk-helper
usr/share/man/man1/scp.1
usr/share/man/man1/sftp.1
usr/share/man/man1/ssh-add.1
usr/share/man/man1/ssh-agent.1
usr/share/man/man1/ssh-keygen.1
usr/share/man/man1/ssh-keyscan.1
usr/share/man/man1/ssh.1
usr/share/man/man5/ssh_config.5
usr/share/man/man8/ssh-keysign.8
usr/share/man/man8/ssh-pkcs11-helper.8
usr/share/man/man8/ssh-sk-helper.8
contrib/ssh-copy-id usr/bin
debian/ssh-argv0 usr/bin
# dh_apport would be neater, but at the time of writing it isn't in unstable
# yet.
debian/openssh-client.apport => usr/share/apport/package-hooks/openssh-client.py
# systemd user unit (only used under sessions)
debian/systemd/ssh-agent.service usr/lib/systemd/user
debian/systemd/ssh-agent.socket usr/lib/systemd/user

2
debian/openssh-client.links vendored Normal file

@ -0,0 +1,2 @@
# enable systemd user unit for graphical sessions that use systemd
usr/lib/systemd/user/ssh-agent.service usr/lib/systemd/user/graphical-session-pre.target.wants/ssh-agent.service


@ -0,0 +1 @@
openssh-client: elevated-privileges 4755 root/root [usr/lib/openssh/ssh-keysign]
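Review bot: the override has no comment saying why the setuid bit is intended; lintian overrides are much easier to audit when they carry the justification next to the tag. One line such as "ssh-keysign must be setuid root to read the host private keys for host-based authentication" records the reason for the 4755 mode and makes it obvious to a later reviewer that the binary has to stay privileged rather than having been overlooked.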

1
debian/openssh-client.maintscript vendored Normal file

@ -0,0 +1 @@
rm_conffile /etc/ssh/moduli 1:7.9p1-8~

2
debian/openssh-client.manpages vendored Normal file

@ -0,0 +1,2 @@
contrib/ssh-copy-id.1
debian/ssh-argv0.1

55
debian/openssh-client.postinst vendored Normal file

@ -0,0 +1,55 @@
#!/bin/sh
set -e
action="$1"
umask 022
update_ssh_group_name() {
# The _ssh group used to be called ssh, but that could clash with
# locally-created user accounts. Since this only exists as an
# otherwise-empty group to which ssh-agent is installed setgid, it's
# easy to rename.
if getent group ssh >/dev/null && ! getent group _ssh >/dev/null; then
groupmod -n _ssh ssh
fi
}
set_ssh_agent_permissions() {
if ! getent group _ssh >/dev/null; then
addgroup --system --quiet --force-badname _ssh
fi
if ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null; then
chgrp _ssh /usr/bin/ssh-agent
chmod 2755 /usr/bin/ssh-agent
fi
}
remove_obsolete_alternatives() {
update-alternatives --remove rcp /usr/bin/scp
update-alternatives --remove rlogin /usr/bin/slogin
update-alternatives --remove rsh /usr/bin/ssh
}
if [ "$action" = configure ]; then
if dpkg --compare-versions "$2" lt-nl 1:8.4p1-6~; then
update_ssh_group_name
fi
set_ssh_agent_permissions
if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~; then
remove_obsolete_alternatives
fi
# debhelper compatibility level 14 may supersede this with something
# more complete; in the meantime, just reload systemd's state so
# that it at least has the current ssh-agent.* unit files.
if [ -z "$DPKG_ROOT" ] && [ -d /run/systemd/system ]; then
deb-systemd-invoke --user daemon-reload >/dev/null || true
fi
fi
#DEBHELPER#
exit 0
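Review bot: `addgroup --force-badname` in set_ssh_agent_permissions uses an option that current adduser documents as a deprecated alias of `--allow-bad-names`; switch to the new spelling (with a versioned dependency on adduser if older releases must still be supported) before the alias is removed and the postinst starts failing under `set -e`. A short comment saying why the flag is passed at all (the leading underscore in `_ssh` is what the default name check rejects) would help the next person who has to touch this.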

22
debian/openssh-client.postrm vendored Normal file

@ -0,0 +1,22 @@
#!/bin/sh
set -e
#DEBHELPER#
case $1 in
purge)
# Remove all non-conffiles that ssh might create, so that we
# can smoothly remove /etc/ssh if and only if the user
# hasn't dropped some other files in there. Conffiles have
# already been removed at this point.
rm -f /etc/ssh/moduli /etc/ssh/primes
rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
if command -v delgroup >/dev/null 2>&1; then
delgroup --quiet ssh > /dev/null || true
fi
;;
esac
exit 0
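Review bot: on purge this runs `delgroup --quiet ssh`, but the group this package creates (and renames the old one to) is `_ssh`, per update_ssh_group_name and set_ssh_agent_permissions in the postinst. The result is that purge leaves `_ssh` behind and, worse, would delete an unrelated locally-created `ssh` group, which is precisely the clash the rename was introduced to avoid. Change it to `delgroup --system --quiet _ssh` (`--system` makes delgroup refuse to touch a non-system group of that name, and it already refuses to remove a group that is still some user's primary group, so the `|| true` can stay).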

1
debian/openssh-client.tmpfiles vendored Normal file

@ -0,0 +1 @@
x /tmp/ssh-*

1
debian/openssh-server-udeb.dirs vendored Normal file

@ -0,0 +1 @@
run/sshd

4
debian/openssh-server-udeb.install vendored Normal file

@ -0,0 +1,4 @@
sshd usr/sbin
sshd-auth usr/lib/openssh
sshd-session usr/lib/openssh
ssh-keygen usr/bin

27
debian/openssh-server.apport vendored Normal file

@ -0,0 +1,27 @@
'''apport hook for openssh-server
(c) 2010 Canonical Ltd.
Author: Chuck Short <chuck.short@canonical.com>
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See http://www.gnu.org/copyleft/gpl.html for
the full text of the license.
'''
from apport.hookutils import root_command_output
def add_info(report, ui):
response = ui.yesno("The contents of your /etc/ssh/sshd_config file "
"may help developers diagnose your bug more "
"quickly. However, it may contain sensitive "
"information. Do you want to include it in your "
"bug report?")
if response == None: # user cancelled
raise StopIteration
elif response:
report['SSHDConfig'] = root_command_output(['/usr/sbin/sshd', '-T'])
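Review bot: the prompt asks for consent to include the contents of /etc/ssh/sshd_config, but what is attached is `sshd -T`, the fully resolved effective configuration: every default, everything pulled in through Include, and nothing of the file's comments or layout. That discloses more than the user agreed to and still hides what they actually edited. Either reword the prompt to say the effective configuration is attached, or attach the file (and the sshd_config.d fragments) as well. Note that `sshd -T` exits non-zero when the config does not parse, which is the common "sshd will not start" case, so for those reports the field will hold the parse error rather than a configuration. Same nit as the client hook: `response is None`.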

36
debian/openssh-server.config vendored Normal file

@ -0,0 +1,36 @@
#! /bin/sh
set -e
. /usr/share/debconf/confmodule
db_version 2.0
get_config_option() {
option="$1"
[ -f /etc/ssh/sshd_config ] || return
# TODO: actually only one '=' allowed after option
sed -E -n -e 's/[[:space:]]+/ /g' -e 's/[[:space:]]+$//' \
-e 's/^[[:space:]]*'"$option"'[[:space:]=]+//Ip' \
/etc/ssh/sshd_config 2>/dev/null
}
permit_root_login="$(get_config_option PermitRootLogin)" || true
password_authentication="$(get_config_option PasswordAuthentication)" || true
if [ -f /etc/ssh/sshd_config ]; then
# Make sure the debconf database is in sync with the current state
# of the system.
if [ "$permit_root_login" = yes ]; then
db_set openssh-server/permit-root-login false
else
db_set openssh-server/permit-root-login true
fi
if [ "$password_authentication" = no ]; then
db_set openssh-server/password-authentication false
else
db_set openssh-server/password-authentication true
fi
fi
exit 0
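Review bot: get_config_option reimplements sshd's parser with a sed one-liner that diverges from sshd in ways that affect the debconf sync below: it prints every matching directive (sshd honours only the first, so with two `PermitRootLogin` lines `$permit_root_login` becomes a multi-line string and the `= yes` test fails), it ignores files pulled in by Include (the sshd_config.d directory this package ships), and it matches directives inside Match blocks. The postinst uses `sshd -G` for the same job; if this script cannot, because the binary is not unpacked yet when a config script runs, say so in a comment, and at least stop at the first match and at the first `Match` line so the answer mirrors what sshd would apply. The TODO about a single `=` is the least of the differences.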

1
debian/openssh-server.dirs vendored Normal file

@ -0,0 +1 @@
etc/ssh/sshd_config.d

1
debian/openssh-server.examples vendored Normal file

@ -0,0 +1 @@
debian/systemd/ssh-session-cleanup.service

25
debian/openssh-server.install vendored Executable file

@ -0,0 +1,25 @@
#! /usr/bin/dh-exec
etc/ssh/moduli
usr/lib/openssh/sshd-auth
usr/lib/openssh/sshd-session
usr/sbin/sshd
usr/share/man/man5/authorized_keys.5
usr/share/man/man5/moduli.5
usr/share/man/man5/sshd_config.5
usr/share/man/man8/sshd.8
debian/tmp/etc/ssh/sshd_config => usr/share/openssh/sshd_config
debian/openssh-server.ucf-md5sum => usr/share/openssh/sshd_config.md5sum
debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
debian/systemd/ssh.service lib/systemd/system
debian/systemd/ssh.socket lib/systemd/system
debian/systemd/rescue-ssh.target lib/systemd/system
debian/systemd/sshd@.service lib/systemd/system
debian/systemd/sshd-keygen.service lib/systemd/system
debian/systemd/ssh-session-cleanup usr/lib/openssh
# dh_apport would be neater, but at the time of writing it isn't in unstable
# yet.
debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py

0
debian/openssh-server.links vendored Normal file

10
debian/openssh-server.lintian-overrides vendored Normal file

@ -0,0 +1,10 @@
# Ignoring until after the release of bookworm to avoid problems with
# partial upgrades on non-default init systems. See
# https://lists.debian.org/debian-devel/2023/01/msg00158.html and thread.
openssh-server: depends-on-obsolete-package Depends: lsb-base
# Deliberate special cases for a helper service.
openssh-server: systemd-service-file-refers-to-unusual-wantedby-target ssh.service [usr/lib/systemd/system/sshd-keygen.service]
openssh-server: systemd-service-file-refers-to-unusual-wantedby-target ssh.socket [usr/lib/systemd/system/sshd-keygen.service]
openssh-server: systemd-service-file-refers-to-unusual-wantedby-target sshd.service [usr/lib/systemd/system/sshd-keygen.service]
openssh-server: systemd-service-file-refers-to-unusual-wantedby-target sshd@.service [usr/lib/systemd/system/sshd-keygen.service]
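Review bot: the first override is justified as temporary "until after the release of bookworm", but this package targets a post-bookworm suite, so either drop the lsb-base dependency and the override now or update the comment with the current reason for keeping it. The four sshd-keygen.service overrides name `usr/lib/systemd/system/...` while openssh-server.install places the units under `lib/systemd/system`; that only lines up if the build moves them to /usr afterwards (dh_movetousr or equivalent), so confirm that is the case, otherwise lintian will flag these as unused overrides and the real tags will come back.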

1
debian/openssh-server.maintscript vendored Normal file

@ -0,0 +1 @@
rm_conffile /etc/network/if-up.d/openssh-server 1:7.9p1-1~

118
debian/openssh-server.postinst vendored Normal file

@ -0,0 +1,118 @@
#!/bin/sh
set -e
. /usr/share/debconf/confmodule
db_version 2.0
action="$1"
umask 022
get_config_option() {
option="$1"
[ -f /etc/ssh/sshd_config ] || return
/usr/sbin/sshd -G | sed -n "s/^$option //Ip"
}
create_key() {
msg="$1"
shift
hostkeys="$1"
shift
file="$1"
shift
if echo "$hostkeys" | grep -x "$file" >/dev/null && \
[ ! -f "$file" ] ; then
printf %s "$msg"
ssh-keygen -q -f "$file" -N '' "$@"
echo
if command -v restorecon >/dev/null 2>&1; then
restorecon "$file" "$file.pub"
fi
ssh-keygen -l -f "$file.pub"
fi
}
create_keys() {
hostkeys="$(get_config_option HostKey)"
create_key "Creating SSH2 RSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
create_key "Creating SSH2 ECDSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
create_key "Creating SSH2 ED25519 key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
}
new_config=
cleanup() {
if [ "$new_config" ]; then
rm -f "$new_config"
fi
}
create_sshdconfig() {
# XXX cjwatson 2016-12-24: This debconf template is very confusingly
# named; its description is "Disable SSH password authentication for
# root?", so true -> prohibit-password (the upstream default),
# false -> yes.
db_get openssh-server/permit-root-login
permit_root_login="$RET"
db_get openssh-server/password-authentication
password_authentication="$RET"
trap cleanup EXIT
new_config="$(mktemp)"
cp -aZ /usr/share/openssh/sshd_config "$new_config"
if [ "$permit_root_login" != true ]; then
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
"$new_config"
fi
if [ "$password_authentication" != true ]; then
sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
"$new_config"
fi
mkdir -pZ /etc/ssh
ucf --three-way --debconf-ok \
--sum-file /usr/share/openssh/sshd_config.md5sum \
"$new_config" /etc/ssh/sshd_config
ucfr openssh-server /etc/ssh/sshd_config
}
if [ "$action" = configure ]; then
create_sshdconfig
create_keys
if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
[ -f /etc/ssh/moduli.dpkg-bak ]; then
# Handle /etc/ssh/moduli being moved from openssh-client to
# openssh-server. If there were no user modifications, then we
# don't need to do anything special here; but if there were,
# then the dpkg-maintscript-helper calls from openssh-client's
# maintainer scripts will have saved the old file as .dpkg-bak,
# which we now move back into place.
mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
fi
if dpkg --compare-versions "$2" lt-nl 1:9.1p1-1~ && \
deb-systemd-helper --quiet was-enabled ssh.socket && \
[ -d /run/systemd/system ]
then
# migrate to systemd socket activation.
systemctl unmask ssh.service
systemctl disable ssh.service
fi
fi
#DEBHELPER#
db_stop
exit 0
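Review bot: the two `sed -i` substitutions in create_sshdconfig must stay byte-for-byte identical to the expressions listed in openssh-server.ucf-md5sum, because the md5sums of the generated variants are precomputed from them; put a comment on each pointing at the other file so nobody "tidies" one without the other. Note also that the PermitRootLogin pattern `^#*PermitRootLogin .*` is looser than the PasswordAuthentication one (`^#PasswordAuthentication .*`): it rewrites commented-out and active lines alike, anywhere in the template, so an active `PermitRootLogin` inside a future upstream Match block would be forced to `yes` rather than left alone. Anchoring both patterns the same way, and restricting them to the top-level section, would make the template edit predictable.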

35
debian/openssh-server.postrm vendored Normal file

@ -0,0 +1,35 @@
#!/bin/sh
set -e
#DEBHELPER#
case $1 in
purge)
# Remove all non-conffiles that ssh might create, so that we
# can smoothly remove /etc/ssh if and only if the user
# hasn't dropped some other files in there. Conffiles have
# already been removed at this point.
rm -f /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub
rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
rm -f /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub
rm -f /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub
for ext in .ucf-new .ucf-old .ucf-dist ""; do
rm -f "/etc/ssh/sshd_config$ext"
done
if command -v ucf >/dev/null 2>&1; then
ucf --purge /etc/ssh/sshd_config
fi
if command -v ucfr >/dev/null 2>&1; then
ucfr --purge openssh-server /etc/ssh/sshd_config
fi
rm -f /etc/ssh/sshd_not_to_be_run
[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
if command -v deluser >/dev/null 2>&1; then
deluser --quiet sshd > /dev/null || true
fi
;;
esac
exit 0

1
debian/openssh-server.runit vendored Normal file

@ -0,0 +1 @@
debian/openssh-server.ssh.runscript logscript,name=ssh,since=1:8.0p1-5

5
debian/openssh-server.ssh.default vendored Normal file

@ -0,0 +1,5 @@
# Default settings for openssh-server. This file is sourced by /bin/sh from
# /etc/init.d/ssh.
# Options to pass to sshd
SSHD_OPTS=

166
debian/openssh-server.ssh.init vendored Executable file

@ -0,0 +1,166 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: ssh sshd
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: OpenBSD Secure Shell server
### END INIT INFO
set -e
# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
test -x /usr/sbin/sshd || exit 0
( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
umask 022
if test -f /etc/default/ssh; then
. /etc/default/ssh
fi
. /lib/lsb/init-functions
if [ -n "$2" ]; then
SSHD_OPTS="$SSHD_OPTS $2"
fi
# Are we running from init?
run_by_init() {
([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ]
}
check_for_no_start() {
# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
if [ -e /etc/ssh/sshd_not_to_be_run ]; then
if [ "$1" = log_end_msg ]; then
log_end_msg 0 || true
fi
if ! run_by_init; then
log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" || true
fi
exit 0
fi
}
check_dev_null() {
if [ ! -c /dev/null ]; then
if [ "$1" = log_end_msg ]; then
log_end_msg 1 || true
fi
if ! run_by_init; then
log_action_msg "/dev/null is not a character device!" || true
fi
exit 1
fi
}
check_privsep_dir() {
# Create the PrivSep empty dir if necessary
if [ ! -d /run/sshd ]; then
mkdir /run/sshd
chmod 0755 /run/sshd
fi
}
check_config() {
if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
# shellcheck disable=SC2086
/usr/sbin/sshd $SSHD_OPTS -t || exit 1
fi
}
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
case "$1" in
start)
check_privsep_dir
check_for_no_start
check_dev_null
log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
# shellcheck disable=SC2086
if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
stop)
log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
reload|force-reload)
check_for_no_start
check_config
log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true
if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
restart)
check_privsep_dir
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd
check_for_no_start log_end_msg
check_dev_null log_end_msg
# shellcheck disable=SC2086
if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
try-restart)
check_privsep_dir
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
RET=0
start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd || RET="$?"
case $RET in
0)
# old daemon stopped
check_for_no_start log_end_msg
check_dev_null log_end_msg
# shellcheck disable=SC2086
if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
1)
# daemon not running
log_progress_msg "(not running)" || true
log_end_msg 0 || true
;;
*)
# failed to stop
log_progress_msg "(failed to stop)" || true
log_end_msg 1 || true
;;
esac
;;
status)
status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
;;
*)
log_action_msg "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}" || true
exit 1
esac
exit 0
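Review bot: `start` is the only action that does not call check_config, so a syntax error in sshd_config surfaces at boot as a bare failure from start-stop-daemon, while `reload`, `restart` and `try-restart` all run `sshd -t` first and print the parse error; add check_config to `start` (after check_for_no_start; check_config already skips when sshd_not_to_be_run exists) so the diagnostics are the same whichever way sshd is brought up. Minor: check_privsep_dir does mkdir then chmod, where `install -d -m 0755 /run/sshd` creates the directory with the right mode in one step and does not depend on the `umask 022` above.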


@ -0,0 +1,16 @@
#!/bin/sh
set -e
NAME=ssh
[ "$1" = -1 ] && echo "runsv: ERROR in $NAME: unexpected error or wrong sh syntax"
# no need to stop the service here, runsv will stop trying after the first attempt
[ "$1" = 161 ] && echo "runsv: ERROR $1 in $NAME: disabled by local settings" \
&& sv d "$(dirname "$0")" && exit 0
[ "$1" = 162 ] && echo "runsv: ERROR $1 in $NAME: configtest or early setup failed" \
&& sv d "$(dirname "$0")" && exit 0
echo "$NAME Stopped"

20
debian/openssh-server.ssh.runscript/run vendored Normal file

@ -0,0 +1,20 @@
#!/usr/bin/env /lib/runit/invoke-run
set -e
NAME="ssh"
sv start auditd || sv check auditd || true
# don't start if 'sshd_not_to_be_run' exists
test -e /etc/ssh/sshd_not_to_be_run && exit 161
#Create /run/sshd
test -d /run/sshd || mkdir /run/sshd && chmod 0755 /run/sshd
exec 2>&1
#Config test
/usr/sbin/sshd -t || exit 162
echo "Starting $NAME..."
exec /usr/sbin/sshd -D -e $SSHD_OPTS
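Review bot: `$SSHD_OPTS` on the exec line is never assigned in this script: unlike the sysvinit script it does not source /etc/default/ssh, which openssh-server.ssh.default says exists for exactly this purpose, so under runit the administrator's options are silently ignored. Either add `[ -f /etc/default/ssh ] && . /etc/default/ssh` before the exec or drop the variable and document that runit does not honour it. The mkdir line relies on `||` and `&&` binding left to right, i.e. `(test -d || mkdir) && chmod`, which happens to work but reads as though chmod were conditional on the mkdir; `install -d -m 0755 /run/sshd` says what is meant.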

55
debian/openssh-server.sshd.pam.in vendored Normal file

@ -0,0 +1,55 @@
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
@IF_KEYINIT@# Create a new session keyring.
@IF_KEYINIT@session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
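Review bot: the `# [1]` markers on the pam_mail and pam_env lines point at a footnote that does not exist in this file; either restore the note they refer to or drop the markers, since as written they send the reader looking for an explanation that is not there. Everything else matches the usual Debian layout (pam_selinux close first, loginuid, keyinit, common-session, motd/mail/limits/env, pam_selinux open last), so the stray references are the only thing a reader will stumble over.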

1
debian/openssh-server.sysusers vendored Normal file

@ -0,0 +1 @@
u sshd -:nogroup "sshd user" /run/sshd

23
debian/openssh-server.templates vendored Normal file

@ -0,0 +1,23 @@
Template: openssh-server/permit-root-login
Type: boolean
Default: true
_Description: Disable SSH password authentication for root?
Previous versions of openssh-server permitted logging in as root over SSH
using password authentication. The default for new installations is now
"PermitRootLogin prohibit-password", which disables password authentication
for root without breaking systems that have explicitly configured SSH
public key authentication for root.
.
This change makes systems more secure against brute-force password
dictionary attacks on the root user (a very common target for such
attacks). However, it may break systems that are set up with the
expectation of being able to SSH as root using password authentication. You
should only make this change if you do not need to do that.
Template: openssh-server/password-authentication
Type: boolean
Default: true
Description: Allow password authentication?
By default, the SSH server will allow authenticating using a password.
You may want to change this if all users on this system authenticate using
a stronger authentication method, such as public keys.
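Review bot: the second template uses `Description:` where the first uses `_Description:`, so openssh-server/password-authentication is not marked for translation by po-debconf and will be shown in English to every user while the neighbouring question is translated; change it to `_Description:` and regenerate the debian/po templates. On the first template, the comment in the postinst already admits the name permit-root-login is backwards relative to its meaning (true disables root password login); since renaming a debconf key is painful, at least the template text could say which answer maps to which `PermitRootLogin` value so the admin preseeding it does not have to read the postinst.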

1
debian/openssh-server.tmpfiles vendored Normal file

@ -0,0 +1 @@
x /tmp/sshauth.*

128
debian/openssh-server.ucf-md5sum vendored Normal file

@ -0,0 +1,128 @@
# Historical md5sums of the default /etc/ssh/sshd_config up to and including
# 1:7.3p1-5.
0d06fc337cee10609d4833dc88df740f
10dc68360f6658910a98a051273de22c
11f9e107b4d13bbcabe7f8e8da734371
16c827adcff44efaca05ec5eea6383d7
2eeff28468576c3f2e538314e177687b
386c8b9079625b78f6d624ae506958ae
38fc7b31b3e3078848f0eec457d3e050
395c5e13801f9b4f17c2cb54aa634fbd
423d5796cee663af2d0f24c4d520b578
42be2cb5b64bc91443b2e46969d2d539
42cd8b7c5ea9e440d3efa50b9a1bb444
4f56ca8d0b5dfdaeb732becd3292ce5d
54998a682a97af8449e9de0316eacf1d
5c0bdc1735accbdc062381149937ec4a
6357b54acf8e089c57544e06d1bbec53
6a621d8bc448987e5a8a613c40307a4c
702a79962e60aa17c6d3df742e8ec670
7a69eff91ec92b4e065b8dd8846366b2
7c60e22f183b6219c684f15ce24153fd
8304e780c43d4a606f695c8965f48299
8b9e70ee87f4b822714e2ed7af5b70dc
8caefdd9e251b7cc1baa37874149a870
90baeb1c778464d2da610f8268939719
962a382e51f43f80109131838ca326ba
96eaf22faba705a37905282f6ad69d64
9cb6cd83be1c21f73476be629b163c01
a07a9865cd33b85a1426cd67954c6fa0
ae1e844b43986e2a964cf84f46b50c5b
b516afa5a1e298f4cd00952b36dd623f
b69fc974ee9b5a111bd473ef54cdd232
ba9c3f808c811d6f944ad10a508c4767
bccf9af9c7027afd0895d8ff8e02761a
bd3a2b95f8b4b180eed707794ad81e4d
c34586b56496f81a10615c002685fc74
c47555a21189a6b703d2c5d37d2c50ed
cac079e87c0ae0d77eafc9b285e36348
d224f92823483333432974f63cb6dc66
d50ef9ef2aa51cb9f808f6a776260c0a
e0029e1e9871d4d2b673ee6d70a38614
e086e7eb521ccc5776371b2e198f0702
e101f74dc7381527e9aefa1f78b01a7f
e24f749808133a27d94fda84a89bb27b
ec16c3dd0203f13885d74ce529719fda
efcff5380823d4e3f5039620c2e08459
f58056370a64dbd2017d7486421c281d
fe396d52df77f1fbf710591d4dbf3311
# From this point on, we have four md5sums for each released version of
# sshd_config, depending on the state of openssh-server/permit-root-login
# and openssh-server/password-authentication; the plain copy plus the result
# of running through either or both of the following:
#
# sed 's/^#*PermitRootLogin .*/PermitRootLogin yes/'
# sed 's/^#PasswordAuthentication .*/PasswordAuthentication no/'
#
# This obviously leaves something to be desired in terms of maintainability.
#
# The following covers up to 1:7.8p1-1, including everything except the
# latest version of sshd_config. It should be extended any time sshd_config
# changes.
# From 1:7.4p1-1:
f8ecd8f588749a0e39a5b1d3ff261cb2
0f923c50ef1b00e1e88e02736727f03e
abc2568a7ec0cb54c584ea03c7a4f854
17851b145a2515fce2e8d0b9020d5cd4
# From 1:7.4p1-6:
bbcdf7b77777d40996e287495bb96e47
55dd47f61a4af5d1a8884ec590ce33ef
e1375e853a36f9bcd5faeb4b8c570dd1
fa6d314c0ab05933ab970fd362ab2800
# From 1:7.4p1-7:
bbad7ed242a834e831c7066901cee49e
df8447ce600dd3d6bc4048ccc2faa536
87adc8952a7f06efdda8473fd772997f
14301f8b9e39c72b3f929dc70e41ebf6
# From 1:7.5p1-1:
739d6887c8f3dd71a9168c614c07175c
cc463c55b512da68e807784f675a1301
203e9b92fe3623aeba277ee44297f7dd
1d29cac6b0dd5c0004cf7d80b823715c
# From 1:7.7p1-1:
cc873ab3ccc9cf3a3830c3c0728c0d0b
2d0b1d2719c01b15457401fd97d607ed
8ce930e15835a8f46285315ed0da7f4a
8a71a3620605f21ac3ef16fd5d23f76a
# From 1:7.8p1-1:
55570f990ec9c3b8d19c19ab4d0b8eb8
0b8a28dca5cdbace0cd85fcd7794cba8
18df1377273c4d51d4c03c9adc31021f
63284e767f6ccf2375ef80507c564797
# From 1:8.2p1-1:
6dbdc3a27e1953d209f929df7aff0c57
0ef8c8fe6a3afd12382dbb93cd7bbb4e
9f1bec115595c0f76282d80abe5d9bcc
ae1a449c8adb31cb603e28fda5342696
# From 1:8.7p1-1:
fe83fd23553510bb632dc8e6e35ab41a
d96ecd9064ea650c44372a5a33d3e497
7fdb195ac56e0bf1992e18ac656811af
4e03b4df60cd00c651777ec14ff76aef
# From 1:9.2p1-1:
b8e751f62cf86a18bc30cdaae494b03f
b89c8626d43128cdb233536439e00566
5f589fb3658df8cb7cce8505cf821e40
8d7588b06f81ef23bea8d84442af8e68
# From 1:9.9p2-3:
a28c3e7d6c8f1293d5dacd70157872f6
08c279b9cb7685877107ac781fd166bd
abf26bfd692dada3111bea33dc4cc268
509c39a0ee41efa32c76a96c525b183e
# From 1:10.0p1-1:
b3d7f2a64f6ad1fc763321167a3435d5
29f3b6afc6b7b84e9e084fe10d27ede3
16d925db19c47346e642578c8a68fae9
98d17cfbc85c1ced1fa458699ffc1ee1
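The comment block above describes how the packaging recognises an unmodified sshd_config: four md5sums per shipped version, one for the plain file and one for each combination of the two sed edits driven by the permit-root-login and password-authentication debconf answers. The shell below is an added example, not code from the openssh packaging, that computes those four sums for a given file and checks whether a sum belongs to the set; the function names and the sample config are constructed for the example, and it assumes sed, md5sum and cut are available.

```shell
#!/bin/sh
# Added example (not part of the openssh packaging): derive the four md5sums
# the maintainer scripts compare a shipped sshd_config against, one per
# combination of the PermitRootLogin and PasswordAuthentication edits.
# Assumes sed, md5sum and cut (coreutils) are on PATH.

# The two edits exactly as the packaging comment lists them; both read stdin.
root_login_yes()   { sed 's/^#*PermitRootLogin .*/PermitRootLogin yes/'; }
password_auth_no() { sed 's/^#PasswordAuthentication .*/PasswordAuthentication no/'; }

# md5 of stdin, hash only (md5sum prints "hash  -" for stdin).
md5_of() { md5sum | cut -d' ' -f1; }

# Print the four checksums of the config file named by $1, one per line, in
# the order: plain copy, root-login edit, password edit, both edits.
sshd_config_md5sums() {
    f="$1"
    md5_of < "$f"
    root_login_yes < "$f" | md5_of
    password_auth_no < "$f" | md5_of
    root_login_yes < "$f" | password_auth_no | md5_of
}

# Exit 0 when the checksum in $1 is one of the four variants of file $2,
# i.e. the installed file is still a known shipped configuration.
is_known_variant() {
    sshd_config_md5sums "$2" | grep -qx "$1"
}

# Constructed sample config (hypothetical, not the real shipped file);
# it carries both commented directives so all four variants differ.
make_sample() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample "$tmp"
    sshd_config_md5sums "$tmp"
    rm -f "$tmp"
fi
```

The ordering matters only for reading the output; for the membership check the four sums are treated as a set, which is all the maintainer scripts need to decide whether a locally edited file may be overwritten.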

debian/openssh-server.ufw.profile vendored Normal file
@ -0,0 +1,4 @@
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

debian/openssh-sftp-server.install vendored Normal file
@ -0,0 +1,2 @@
usr/lib/openssh/sftp-server
usr/share/man/man8/sftp-server.8

debian/openssh-sftp-server.links vendored Normal file
@ -0,0 +1 @@
usr/lib/openssh/sftp-server usr/lib/sftp-server

debian/openssh-tests.install vendored Normal file
@ -0,0 +1,12 @@
regress /usr/lib/openssh
debian/build-deb/regress/check-perm /usr/lib/openssh/regress
debian/build-deb/regress/misc /usr/lib/openssh/regress
debian/build-deb/regress/mkdtemp /usr/lib/openssh/regress
debian/build-deb/regress/modpipe /usr/lib/openssh/regress
debian/build-deb/regress/netcat /usr/lib/openssh/regress
debian/build-deb/regress/setuid-allowed /usr/lib/openssh/regress
debian/build-deb/regress/timestamp /usr/lib/openssh/regress
debian/build-deb/regress/unittests /usr/lib/openssh/regress
debian/build-deb/config.h /usr/lib/openssh/regress
debian/run-tests /usr/lib/openssh/regress

@ -0,0 +1,26 @@
From d8aca11c6d61adb619a8aea6f2f3a7a3365babda Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
---
Makefile.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.in b/Makefile.in
index 63c0e8d51..f85e312c6 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -459,6 +459,7 @@ install-files:
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
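Review bot: the added `ln -s` in install-files has no `-f`, so unlike the neighbouring `$(INSTALL)` lines it fails when `authorized_keys.5` already exists under `$(DESTDIR)$(mandir)/$(mansubdir)5` (a second `make install` into the same prefix). Consider `ln -sf ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5`, or `rm -f` the old link first.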

@ -0,0 +1,137 @@
From 009c6b987ef180ee0ef58b5c06dfdbf0097e18a9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Wed, 3 Apr 2024 11:52:04 +0100
Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
This allows overriding them on configure's command line in case the
automatic checks go wrong somehow. bz#3673
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3
Last-Update: 2024-04-03
Patch-Name: configure-cache-vars.patch
---
m4/openssh.m4 | 42 ++++++++++++++++++++++++------------------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/m4/openssh.m4 b/m4/openssh.m4
index 176a8d1c9..f420146f1 100644
--- a/m4/openssh.m4
+++ b/m4/openssh.m4
@@ -62,7 +62,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
- AC_MSG_CHECKING([if $CC supports compile flag $1])
+ ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
+ AC_CACHE_CHECK([if $CC supports compile flag $1], [$ossh_cache_var], [
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $WERROR $1"
_define_flag="$2"
@@ -71,22 +72,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
[
if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
then
- AC_MSG_RESULT([no])
+ eval "$ossh_cache_var=no"
CFLAGS="$saved_CFLAGS"
else
dnl If we are compiling natively, try running the program.
AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
- [ AC_MSG_RESULT([yes])
+ [ eval "$ossh_cache_var=yes"
CFLAGS="$saved_CFLAGS $_define_flag" ],
- [ AC_MSG_RESULT([no, fails at run time])
+ [ eval "$ossh_cache_var='no, fails at run time'"
CFLAGS="$saved_CFLAGS" ],
- [ AC_MSG_RESULT([yes])
+ [ eval "$ossh_cache_var=yes"
CFLAGS="$saved_CFLAGS $_define_flag" ],
)
fi],
- [ AC_MSG_RESULT([no])
+ [ eval "$ossh_cache_var=no"
CFLAGS="$saved_CFLAGS" ]
)
+ ])
}])
dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
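Review bot: moving the whole probe into the AC_CACHE_CHECK body means the `CFLAGS="$saved_CFLAGS $_define_flag"` assignments run only on a cache miss; when `ossh_cv_cflag_<flag>=yes` is supplied on the configure command line (the override case the patch description is about) or read back from config.cache, the body is skipped and the flag is never appended to CFLAGS. The usual shape is to let the body set only the cache variable and then, after the added `])`, act on its value, e.g. `if eval test \"\$$ossh_cache_var\" = yes; then CFLAGS="$CFLAGS $_define_flag"; fi`, with `_define_flag` (and its fallback to `$1` that the dnl comment describes) computed outside the cached block.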
@@ -94,7 +96,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
- AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
+ ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
+ AC_CACHE_CHECK([if $CC supports compile flag $1 and linking succeeds], [$ossh_cache_var], [
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $WERROR $1"
_define_flag="$2"
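Review bot: the cache id `AS_TR_SH([ossh_cv_cflag_$1])` here is the same one OSSH_CHECK_CFLAG_COMPILE uses for the same flag, so a flag probed by both macros shares one cache entry and the second probe reuses the first's answer even though this check, per its message, also requires linking to succeed. Use a distinct prefix such as `ossh_cv_cflag_link_$1`, in the way OSSH_CHECK_LDFLAG_LINK below already separates itself with `ossh_cv_ldflag_`.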
@@ -103,22 +106,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
[
if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
then
- AC_MSG_RESULT([no])
+ eval "$ossh_cache_var=no"
CFLAGS="$saved_CFLAGS"
else
dnl If we are compiling natively, try running the program.
AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
- [ AC_MSG_RESULT([yes])
+ [ eval "$ossh_cache_var=yes"
CFLAGS="$saved_CFLAGS $_define_flag" ],
- [ AC_MSG_RESULT([no, fails at run time])
+ [ eval "$ossh_cache_var='no, fails at run time'"
CFLAGS="$saved_CFLAGS" ],
- [ AC_MSG_RESULT([yes])
+ [ eval "$ossh_cache_var=yes"
CFLAGS="$saved_CFLAGS $_define_flag" ],
)
fi],
- [ AC_MSG_RESULT([no])
+ [ eval "$ossh_cache_var=no"
CFLAGS="$saved_CFLAGS" ]
)
+ ])
}])
dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])
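Review bot: as in OSSH_CHECK_CFLAG_COMPILE, the `CFLAGS="$saved_CFLAGS $_define_flag"` updates sit inside the AC_CACHE_CHECK body closed by the added `])`, so a cache hit (config.cache or a command-line `ossh_cv_cflag_*=yes`) skips them and the flag is not applied. Set only the cache variable in the body and append to CFLAGS afterwards when it reads `yes`.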
@@ -126,7 +130,8 @@ dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
- AC_MSG_CHECKING([if $LD supports link flag $1])
+ ossh_cache_var=AS_TR_SH([ossh_cv_ldflag_$1])
+ AC_CACHE_CHECK([if $LD supports link flag $1], [$ossh_cache_var], [
saved_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS $WERROR $1"
_define_flag="$2"
@@ -135,22 +140,23 @@ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
[
if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
then
- AC_MSG_RESULT([no])
+ eval "$ossh_cache_var=no"
LDFLAGS="$saved_LDFLAGS"
else
dnl If we are compiling natively, try running the program.
AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
- [ AC_MSG_RESULT([yes])
+ [ eval "$ossh_cache_var=yes"
LDFLAGS="$saved_LDFLAGS $_define_flag" ],
- [ AC_MSG_RESULT([no, fails at run time])
+ [ eval "$ossh_cache_var='no, fails at run time'"
LDFLAGS="$saved_LDFLAGS" ],
- [ AC_MSG_RESULT([yes])
+ [ eval "$ossh_cache_var=yes"
LDFLAGS="$saved_LDFLAGS $_define_flag" ]
)
fi ],
- [ AC_MSG_RESULT([no])
+ [ eval "$ossh_cache_var=no"
LDFLAGS="$saved_LDFLAGS" ]
)
+ ])
}])
dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
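Review bot: the same cache-hit problem applies to LDFLAGS here: `LDFLAGS="$saved_LDFLAGS $_define_flag"` runs only inside the AC_CACHE_CHECK body, so a cached or overridden `ossh_cv_ldflag_*=yes` never adds the flag. Record the answer in the body and apply it to LDFLAGS after the closing `])`.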

debian/patches/debian-banner.patch vendored Normal file
@ -0,0 +1,170 @@
From 8f693762755211b20d50f7e0b963bd1c3955c4b7 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2025-04-11
Patch-Name: debian-banner.patch
---
kex.c | 5 +++--
kex.h | 2 +-
servconf.c | 10 ++++++++++
servconf.h | 2 ++
sshconnect.c | 2 +-
sshd-session.c | 2 +-
sshd_config.5 | 5 +++++
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index 19b1fcaa8..ca6d5b53d 100644
--- a/kex.c
+++ b/kex.c
@@ -1237,7 +1237,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
{
int remote_major, remote_minor, mismatch, oerrno = 0;
size_t len, n;
@@ -1255,7 +1255,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
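Review bot: `SSH_RELEASE_MINIMUM` is not defined anywhere in this patch; it presumably comes from package-versioning.patch, which the description only mentions in passing. State that dependency explicitly in the patch header so that reordering or dropping the other patch does not leave kex.c failing to compile, and note in the same place that the flag only chooses between the two release strings, so the upstream version part of the banner is sent either way.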
diff --git a/kex.h b/kex.h
index cd6a40333..6a08023d0 100644
--- a/kex.h
+++ b/kex.h
@@ -215,7 +215,7 @@ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
const char *, const char *, const char *, const char *, const char *);
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index d2025592a..4891a43d6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -221,6 +221,7 @@ initialize_server_options(ServerOptions *options)
options->sshd_session_path = NULL;
options->sshd_auth_path = NULL;
options->refuse_connection = -1;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -511,6 +512,8 @@ fill_default_server_options(ServerOptions *options)
options->sshd_auth_path = xstrdup(_PATH_SSHD_AUTH);
if (options->refuse_connection == -1)
options->refuse_connection = 0;
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
@@ -595,6 +598,7 @@ typedef enum {
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
sSshdSessionPath, sSshdAuthPath, sRefuseConnection,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -775,6 +779,7 @@ static struct {
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
{ "sshdauthpath", sSshdAuthPath, SSHCFG_GLOBAL },
{ "refuseconnection", sRefuseConnection, SSHCFG_ALL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -2773,6 +2778,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
multistate_ptr = multistate_flag;
goto parse_multistate;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -3328,6 +3337,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
dump_cfg_fmtint(sRefuseConnection, o->refuse_connection);
+ dump_cfg_fmtint(sDebianBanner, o->debian_banner);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
index c3f501400..b510992e3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -255,6 +255,8 @@ typedef struct {
char *sshd_auth_path;
int refuse_connection;
+
+ int debian_banner;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index 54de157db..59f66c534 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1611,7 +1611,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
- if ((r = kex_exchange_identification(ssh, timeout_ms,
+ if ((r = kex_exchange_identification(ssh, timeout_ms, 1,
options.version_addendum)) != 0)
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd-session.c b/sshd-session.c
index 372a610b3..2b6d2a98b 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1295,7 +1295,7 @@ main(int ac, char **av)
fatal("login grace time setitimer failed");
}
- if ((r = kex_exchange_identification(ssh, -1,
+ if ((r = kex_exchange_identification(ssh, -1, options.debian_banner,
options.version_addendum)) != 0)
sshpkt_fatal(ssh, r, "banner exchange");
diff --git a/sshd_config.5 b/sshd_config.5
index b79e8a3ee..677567908 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -629,6 +629,11 @@ or
.Cm no .
The default is
.Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
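Review bot: in the added DebianBanner entry, "included during initial protocol handshake" is missing an article ("during the initial protocol handshake"); it would also help to name the suffix concretely (the Debian package revision the patch description refers to) so administrators know what setting this to `no` actually withholds.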

debian/patches/debian-config.patch vendored Normal file
@ -0,0 +1,308 @@
From 5fbe366def6557d221b9d955b7ab9bfbe88fd2b3 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_* COLORTERM NO_COLOR' by default
(http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
ssh: Include /etc/ssh/ssh_config.d/*.conf.
sshd: Enable PAM, disable KbdInteractiveAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_* COLORTERM NO_COLOR' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
sshd: Document Debian's defaults for SshdAuthPath and SshdSessionPath.
regress: Run tests with 'UsePAM yes', to match sshd_config.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Author: Luca Boccassi <bluca@debian.org>
Forwarded: not-needed
Last-Update: 2025-04-11
Patch-Name: debian-config.patch
---
readconf.c | 2 +-
regress/test-exec.sh | 1 +
ssh.1 | 24 ++++++++++++++++++++++++
ssh_config | 8 +++++++-
ssh_config.5 | 26 +++++++++++++++++++++++++-
sshd_config | 18 ++++++++++++------
sshd_config.5 | 33 +++++++++++++++++++++++++++++++--
7 files changed, 101 insertions(+), 11 deletions(-)
diff --git a/readconf.c b/readconf.c
index 8419b5451..fc625a00c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2860,7 +2860,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
- options->forward_x11_trusted = 0;
+ options->forward_x11_trusted = 1;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
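Review bot: flipping `forward_x11_trusted` to 1 changes a security default rather than a convenience one: the ssh_config.5 hunk in this same patch describes untrusted mode as what stops remote X11 clients "from stealing or tampering with data belonging to trusted X11 clients", so with this default a compromised or malicious server gets full access to the local display whenever `-X` is used. The risk is documented in the ssh.1 and ssh_config.5 hunks, which is good; consider also surfacing it in the shipped ssh_config next to the added `# ForwardX11Trusted yes` comment, where users who never read the man page will see it.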
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 8a00c729c..486826928 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -634,6 +634,7 @@ cat << EOF > $OBJ/sshd_config
SshdSessionPath $SSHD_SESSION
SshdAuthPath $SSHD_AUTH
PerSourcePenalties no
+ UsePAM yes
EOF
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
diff --git a/ssh.1 b/ssh.1
index 3d849f02c..56bdfa3d9 100644
--- a/ssh.1
+++ b/ssh.1
@@ -873,6 +873,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl x
Disables X11 forwarding.
.Pp
@@ -881,6 +891,20 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl y
Send log information using the
.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 16197d15d..fc7930bfc 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,12 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
# ForwardAgent no
# ForwardX11 no
+# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -46,3 +49,6 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+ SendEnv LANG LC_* COLORTERM NO_COLOR
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index 0356de8b0..d8452237d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/ssh_config.d/*.conf
+.It
+.Cm SendEnv No LANG LC_* COLORTERM NO_COLOR
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+.Pa /etc/ssh/ssh_config.d/*.conf
+files are included at the start of the system-wide configuration file, so
+options set there will override those in
+.Pa /etc/ssh/ssh_config.
+.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
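Review bot: `.Pa /etc/ssh/ssh_config.` at the end of the added paragraph puts the sentence's full stop inside the .Pa argument, so it renders as part of the path name; mdoc convention is a separate trailing argument, `.Pa /etc/ssh/ssh_config .` The matching paragraph added to sshd_config.5 in this patch (`.Pa /etc/ssh/sshd_config.`) has the same issue.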
@@ -941,11 +964,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
+(the Debian-specific default),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
-(the default),
+(the upstream default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
diff --git a/sshd_config b/sshd_config
index 6ddae0370..01e8d9098 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+Include /etc/ssh/sshd_config.d/*.conf
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -57,10 +59,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to "no" to disable keyboard-interactive authentication. Depending on
+# Change to "yes" to enable keyboard-interactive authentication. Depending on
# the system's configuration, this may involve passwords, challenge-response,
# one-time passwords or some combination of these and other methods.
-#KbdInteractiveAuthentication yes
+# Beware issues with some PAM modules and threads.
+KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -83,16 +86,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-#PrintMotd yes
+PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
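Review bot: `X11Forwarding yes` widens the client-side exposure that the upstream default leaves off, and the shipped comment above it does not say why it is on. Since this package also defaults clients to ForwardX11Trusted (the readconf.c hunk), a user's `-X` against a Debian server yields fully trusted display access; a one-line comment recommending `X11Forwarding no` on hosts that do not need it would match the warning sshd_config(5) already gives for this option. Likewise, with `UsePAM yes` and `#PasswordAuthentication yes` left at its default, password logins remain enabled via PAM; that is the setting the maintainer scripts' md5sum variants adjust, so it is intentional, but a comment here saying so would spare administrators a surprise.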
@@ -109,8 +112,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
+# Allow client to pass locale and color environment variables
+AcceptEnv LANG LC_* COLORTERM NO_COLOR
+
# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index 80a75fbb7..a5594102f 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
+.Cm KbdInteractiveAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_* COLORTERM NO_COLOR
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
@@ -1889,14 +1918,14 @@ Overrides the default path to the
.Cm sshd-auth
binary that is invoked to complete user authentication.
The default is
-.Pa /usr/libexec/sshd-auth .
+.Pa /usr/lib/openssh/sshd-auth .
This option is intended for use by tests.
.It Cm SshdSessionPath
Overrides the default path to the
.Cm sshd-session
binary that is invoked to handle each connection.
The default is
-.Pa /usr/libexec/sshd-session .
+.Pa /usr/lib/openssh/sshd-session .
This option is intended for use by tests.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask

debian/patches/dnssec-sshfp.patch vendored Normal file
@ -0,0 +1,94 @@
From 4b42694c1823a9eb69a972c53cf79ce289b2c810 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2023-06-19
Patch-Name: dnssec-sshfp.patch
---
dns.c | 14 +++++++++++++-
openbsd-compat/getrrsetbyname.c | 10 +++++-----
openbsd-compat/getrrsetbyname.h | 3 +++
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/dns.c b/dns.c
index 939241440..bf47a079f 100644
--- a/dns.c
+++ b/dns.c
@@ -198,6 +198,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
{
u_int counter;
int result;
+ unsigned int rrset_flags = 0;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
@@ -220,8 +221,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
return -1;
}
+ /*
+ * Original getrrsetbyname function, found on OpenBSD for example,
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
+ * DNS response is set by "options edns0" in resolv.conf.
+ *
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+ */
+#ifndef HAVE_GETRRSETBYNAME
+ rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
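Review bot: the added comment has grammar slips ("doesn't accept any flag and prerequisite for obtaining AD bit", "is more clever and use"); suggest "does not accept any flags, and the prerequisite for obtaining the AD bit in the DNS response is `options edns0` in resolv.conf. Our version instead takes the RRSET_FORCE_EDNS0 flag." It would also help to say that forcing EDNS0/DNSSEC only asks the configured resolver to validate; the AD bit the comment mentions is still only as trustworthy as the resolver and the path to it, which is what an SSHFP verification ultimately rests on.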
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index ad35148c9..add519441 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -214,8 +214,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
goto fail;
}
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
@@ -231,9 +231,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
- /* turn on DNSSEC if EDNS0 is configured */
- if (_resp->options & RES_USE_EDNS0)
- _resp->options |= RES_USE_DNSSEC;
+ /* turn on DNSSEC if required */
+ if (flags & RRSET_FORCE_EDNS0)
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
#endif /* RES_USE_DNSEC */
/* make query */
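Review bot: the replaced condition drops the old `_resp->options & RES_USE_EDNS0` trigger, so a caller that passes `flags == 0` on a system with `options edns0` in resolv.conf no longer gets RES_USE_DNSSEC set. dns.c in this patch always passes RRSET_FORCE_EDNS0 to this compat implementation, so ssh itself is unaffected, but keeping both triggers, `if ((flags & RRSET_FORCE_EDNS0) || (_resp->options & RES_USE_EDNS0))`, preserves the previous behaviour for any other caller. While touching this block, the pre-existing `/* RES_USE_DNSEC */` comment on the `#endif` is misspelled.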
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
#endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
/*
* Return codes for getrrsetbyname()

@ -0,0 +1,28 @@
From c3c79bbb6ba940f4587dddaf8e85b8f36e4a895e Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2021-11-05
Patch-Name: doc-hash-tab-completion.patch
---
ssh_config.5 | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
index dd0084c82..0356de8b0 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1060,6 +1060,9 @@ Note that existing names and addresses in known hosts files
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be used for hostbased
authentication as a comma-separated list of patterns.

@ -0,0 +1,26 @@
From 53cb8cc4c931b81db8a924be43e09ad6edca9808 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
---
contrib/gnome-ssh-askpass2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
index a62f98152..304569802 100644
--- a/contrib/gnome-ssh-askpass2.c
+++ b/contrib/gnome-ssh-askpass2.c
@@ -320,6 +320,8 @@ main(int argc, char **argv)
gtk_init(&argc, &argv);
+ gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL);
+
if (argc > 1) {
message = g_strjoinv(" ", argv + 1);
} else {
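Review bot: `gtk_window_set_default_icon_from_file(..., NULL)` discards the GError, so a missing or unreadable /usr/share/pixmaps/ssh-askpass-gnome.png is silently ignored; that is acceptable for a cosmetic icon, but a `g_warning` on failure would make packaging mistakes (icon not shipped, or moved) visible instead of invisible. The space before the opening parenthesis also differs from the surrounding `gtk_init(&argc, &argv)` style.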

debian/patches/gssapi.patch vendored Normal file
File diff suppressed because it is too large

@ -0,0 +1,149 @@
From d3fc1f4d6bf0c2a857af1d5f90e7a0b061cdb490 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2025-04-10
Patch-Name: keepalive-extensions.patch
---
readconf.c | 14 ++++++++++++--
ssh_config.5 | 21 +++++++++++++++++++--
sshd_config.5 | 3 +++
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
index 2b6f2c1e3..5a38016eb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -184,6 +184,7 @@ typedef enum {
oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
oVersionAddendum,
+ oProtocolKeepAlives, oSetupTimeOut,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -348,6 +349,8 @@ static struct {
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
{ "versionaddendum", oVersionAddendum },
+ { "protocolkeepalives", oProtocolKeepAlives },
+ { "setuptimeout", oSetupTimeOut },
{ NULL, oBadOption }
};
@@ -1230,6 +1233,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
argv_consume(&ac);
break;
case oConnectTimeout:
+ case oSetupTimeOut: /* Debian-specific compatibility alias */
intptr = &options->connection_timeout;
parse_time:
arg = argv_next(&ac, &av);
@@ -1972,6 +1976,7 @@ parse_pubkey_algos:
goto parse_flag;
case oServerAliveInterval:
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
intptr = &options->server_alive_interval;
goto parse_time;
@@ -2980,8 +2985,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
+ if (options->server_alive_interval == -1) {
+ /* in batch mode, default is 5mins */
+ if (options->batch_mode == 1)
+ options->server_alive_interval = 300;
+ else
+ options->server_alive_interval = 0;
+ }
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
if (options->control_master == -1)
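Review bot: the batch-mode default in fill_default_options is 300 but the comment abbreviates it as `5mins`; write `300 seconds (5 minutes)`. Since `server_alive_count_max` defaults to 3 just below, a dead connection in batch mode is only noticed after roughly 15 minutes, which is worth stating in the ssh_config.5 text this patch adds ("detect a broken network swiftly") so script authors know what to expect.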
diff --git a/ssh_config.5 b/ssh_config.5
index cb65089f6..a82ea54db 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -335,9 +335,13 @@ If set to
.Cm yes ,
user interaction such as password prompts and host key confirmation requests
will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default (Debian-specific).
This option is useful in scripts and other batch jobs where no user
is present to interact with
-.Xr ssh 1 .
+.Xr ssh 1 ,
+and where it is desirable to detect a broken network swiftly.
The argument must be
.Cm yes
or
@@ -658,6 +662,8 @@ Specifies the timeout (in seconds) used when connecting to the
SSH server, instead of using the default system TCP timeout.
This timeout is applied both to establishing the connection and to performing
the initial SSH protocol handshake and key exchange.
+.Cm SetupTimeOut
+is a Debian-specific compatibility alias for this option.
.It Cm ControlMaster
Enables the sharing of multiple sessions over a single network connection.
When set to
@@ -1982,7 +1988,12 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
+is a Debian-specific compatibility alias for this option.
.It Cm SessionType
May be used to either request invocation of a subsystem on the remote system,
or to prevent the execution of a remote command at all.
@@ -2105,6 +2116,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
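Review bot: inserting the new sentences between "will be properly noticed." and "However, this means that connections will die if the route is down temporarily" breaks the paragraph: "this" now refers to adding ServerAliveInterval rather than to TCP keepalives. Move the Debian addition after the "However ..." sentence, and bring "you probably want" into the man page's register (for example "consider setting ... as well").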
diff --git a/sshd_config.5 b/sshd_config.5
index c36484972..b79e8a3ee 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1996,6 +1996,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication, or
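Review bot: "This option was formerly called KeepAlive" leaves open whether sshd_config still accepts KeepAlive. State it either way, using the same "compatibility alias" wording the ssh_config.5 hunks use for SetupTimeOut and ProtocolKeepAlives, so an administrator with an old configuration knows whether it still parses.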
@ -0,0 +1,44 @@
From 4bf6a2acf9290928d4393c3d3f219074c9c7eb3c Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2023-12-11
Patch-Name: mention-ssh-keygen-on-keychange.patch
---
sshconnect.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
index 43b75dcf7..54de157db 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1307,9 +1307,13 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
error("%s. This could either mean that", key_msg);
error("DNS SPOOFING is happening or the IP address for the host");
error("and its host key have changed at the same time.");
- if (ip_status != HOST_NEW)
+ if (ip_status != HOST_NEW) {
error("Offending key for IP in %s:%lu",
ip_found->file, ip_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f '%s' -R '%s'",
+ ip_found->file, ip);
+ }
}
/* The host key has changed. */
warn_changed_key(host_key);
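Review bot: the displayed `ssh-keygen -f '%s' -R '%s'` wraps unescaped values in single quotes, so a known_hosts path or address containing a quote prints a command that does not do what it appears to; escape with the '\'' idiom or leave the quotes off when the values contain no shell metacharacters. Also worth a word in the message: -R removes every entry for that address, not only the offending line, so unchanged keys of other types go with it.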
@@ -1321,6 +1325,9 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f '%s' -R '%s'",
+ host_found->file, host);
/*
* If strict host key checking is in use, the user will have
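Review bot: printing a ready-to-paste removal command directly under the changed-key warning trains users to clear the entry reflexively, which is exactly what the warning exists to prevent in a man-in-the-middle situation. Keep the hint, but precede it with a line telling the user to confirm the new fingerprint out of band before running it, so the copy-and-paste path still passes through verification.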


@ -0,0 +1,71 @@
From bcb6fbcb58e6256516d5a63e6c27c3dd880373c3 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2023-09-02
Patch-Name: no-openssl-version-status.patch
---
openbsd-compat/openssl-compat.c | 8 ++++----
openbsd-compat/regress/opensslvertest.c | 2 ++
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 14865077e..0cea08c03 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -49,18 +49,18 @@ ssh_compatible_openssl(long headerver, long libver)
return 1;
/*
- * For versions >= 3.0, only the major and status must match.
+ * For versions >= 3.0, only the major must match.
*/
if (headerver >= 0x3000000f) {
- mask = 0xf000000fL; /* major,status */
+ mask = 0xf0000000L; /* major */
return (headerver & mask) == (libver & mask);
}
/*
- * For versions >= 1.0.0, but <3, major,minor,status must match and
+ * For versions >= 1.0.0, but <3, major,minor must match and
* library fix version must be equal to or newer than the header.
*/
- mask = 0xfff0000fL; /* major,minor,status */
+ mask = 0xfff00000L; /* major,minor */
hfix = (headerver & 0x000ff000) >> 12;
lfix = (libver & 0x000ff000) >> 12;
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
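Review bot: the masks drop the status nibble, but the branch selector two lines above, `if (headerver >= 0x3000000f)`, still compares it, so a 3.x header with status 0 (a 0x30000000-style pre-release number) falls through to the 1.x branch and is then required to match on minor as well. Mask before comparing, e.g. `(headerver & 0xfffffff0) >= 0x30000000`, so the threshold agrees with the new "only the major must match" comment.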
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
index 99c894418..351df4374 100644
--- a/openbsd-compat/regress/opensslvertest.c
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -28,6 +28,7 @@ struct version_test {
} version_tests[] = {
/* built with 1.0.1b release headers */
{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
+ { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
{ 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
{ 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
{ 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
@@ -48,6 +49,7 @@ struct version_test {
/* built with 3.0.1 release headers */
{ 0x3010101fL, 0x3010101fL, 1},/* exact match */
+ { 0x3010101fL, 0x30101010L, 1}, /* different status: ok */
{ 0x3010101fL, 0x3010102fL, 1}, /* newer library patch version: ok */
{ 0x3010101fL, 0x3010100fL, 1}, /* older library patch version: ok */
{ 0x3010101fL, 0x3010201fL, 1}, /* newer library fix version: ok */
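Review bot: both new cases only vary the library's status nibble; add the mirror case with the header's status cleared, e.g. `{ 0x30101010L, 0x3010101fL, 1}`, because that is the input that exercises the `headerver >= 0x3000000f` branch selector in ssh_compatible_openssl(), which this patch leaves comparing status bits.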

debian/patches/openbsd-docs.patch vendored Normal file

@ -0,0 +1,190 @@
From f44687fdc6dcf48a38f32693d7e28034d4961d0d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
https://bugs.debian.org/154434 (login.conf(5))
https://bugs.debian.org/513417 (/etc/rc)
https://bugs.debian.org/998069, https://bugs.debian.org/1095686 (rdomain(4))
Forwarded: not-needed
Last-Update: 2025-04-15
Patch-Name: openbsd-docs.patch
---
moduli.5 | 4 ++--
ssh-keygen.1 | 12 ++++--------
sshd.8 | 5 ++---
sshd_config.5 | 27 ++++++---------------------
4 files changed, 14 insertions(+), 34 deletions(-)
diff --git a/moduli.5 b/moduli.5
index 5086a6d42..6dffdc7e6 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
.Nd Diffie-Hellman moduli
.Sh DESCRIPTION
The
-.Pa /etc/moduli
+.Pa /etc/ssh/moduli
file contains prime numbers and generators for use by
.Xr sshd 8
in the Diffie-Hellman Group Exchange key exchange method.
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
Diffie-Hellman output to sufficiently key the selected symmetric cipher.
.Xr sshd 8
then randomly selects a modulus from
-.Fa /etc/moduli
+.Fa /etc/ssh/moduli
that best meets the size requirement.
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 00246a861..9c1514951 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -211,9 +211,7 @@ key in
.Pa ~/.ssh/id_ed25519_sk
or
.Pa ~/.ssh/id_rsa .
-Additionally, the system administrator may use this to generate host keys,
-as seen in
-.Pa /etc/rc .
+Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
@@ -278,9 +276,7 @@ If
.Fl f
has also been specified, its argument is used as a prefix to the
default path for the resulting host key files.
-This is used by
-.Pa /etc/rc
-to generate new host keys.
+This is used by system administration scripts to generate new host keys.
.It Fl a Ar rounds
When saving a private key, this option specifies the number of KDF
(key derivation function, currently
@@ -860,7 +856,7 @@ option.
Valid generator values are 2, 3, and 5.
.Pp
Screened DH groups may be installed in
-.Pa /etc/moduli .
+.Pa /etc/ssh/moduli .
It is important that this file contains moduli of a range of bit lengths.
.Pp
A number of options are available for moduli generation and screening via the
@@ -1314,7 +1310,7 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
diff --git a/sshd.8 b/sshd.8
index 464d402f6..bd1117bfe 100644
--- a/sshd.8
+++ b/sshd.8
@@ -64,7 +64,7 @@ over an insecure network.
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/init.d/ssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
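Review bot: /etc/init.d/ssh is only the sysvinit compatibility script; on a systemd-booted Debian system sshd is started from the ssh.service unit (or socket-activated), so the replacement text should name the unit first and the init script as the fallback, otherwise readers look in the wrong place for startup and restart behaviour.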
@@ -936,7 +936,7 @@ This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
key exchange method.
The file format is described in
@@ -1034,7 +1034,6 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index 677567908..80a75fbb7 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1001,9 +1001,6 @@ for interactive sessions and
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
-All authentication styles from
-.Xr login.conf 5
-are supported.
The default is
.Cm yes .
The argument to this keyword must be
@@ -1151,8 +1148,10 @@ routing domain.
Multiple
.Cm ListenAddress
options are permitted.
-For more information on routing domains, see
-.Xr rdomain 4 .
+.Pp
+On Linux, routing domains are implemented using Virtual Routing and
+Forwarding domains (VRFs); for more information, see
+.Xr ip-vrf 8 .
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
@@ -1286,9 +1285,8 @@ and
.Cm Address
(with
.Cm RDomain
-representing the
-.Xr rdomain 4
-on which the connection was received).
+representing the routing domain on which the connection was received; see
+.Xr ip-vrf 8 ) .
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
@@ -1369,7 +1367,6 @@ Available keywords are
.Cm RefuseConnection ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
-.Cm RDomain ,
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
@@ -1868,15 +1865,6 @@ an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
-.It Cm RDomain
-Specifies an explicit routing domain that is applied after authentication
-has completed.
-The user session, as well as any forwarded or listening IP sockets,
-will be bound to this
-.Xr rdomain 4 .
-If the routing domain is set to
-.Cm \&%D ,
-then the domain in which the incoming connection was received will be applied.
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading
FIDO authenticator-hosted keys, overriding the default of using
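Review bot: removing the RDomain entry (and the keyword from the Match list earlier in this file) makes the keyword undocumented rather than unavailable. The ListenAddress hunk above keeps the rdomain syntax and explains it via ip-vrf(8); if sshd on Debian still parses RDomain, the same treatment belongs here, and if it really is unsupported the entry should say so explicitly, so that an administrator pasting an OpenBSD configuration knows why it fails.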
@@ -2257,9 +2245,6 @@ accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, %U, and %u.
-.Pp
-.Cm RoutingDomain
-accepts the token %D.
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config

debian/patches/package-versioning.patch vendored Normal file

@ -0,0 +1,47 @@
From fc17470467826ef2bf50c930a45f6db43c2b5ba3 Mon Sep 17 00:00:00 2001
From: Matthew Vernon <matthew@debian.org>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2025-02-18
Patch-Name: package-versioning.patch
---
kex.c | 2 +-
version.h | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/kex.c b/kex.c
index f09e79e6b..19b1fcaa8 100644
--- a/kex.c
+++ b/kex.c
@@ -1255,7 +1255,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
diff --git a/version.h b/version.h
index 1b417bfce..7acb6231e 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
#define SSH_VERSION "OpenSSH_10.0"
#define SSH_PORTABLE "p2"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
+#ifdef SSH_EXTRAVERSION
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
+#else
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
+#endif
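Review bot: SSH_EXTRAVERSION is concatenated verbatim into the identification string that kex_exchange_identification() writes, so add a comment (or a build-time check) that it must not contain CR, LF or further spaces: RFC 4253 allows one space-separated comments field after the software-version token and stops at CR LF, so a stray newline truncates the banner that remote compatibility matching and scanners see.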


@ -0,0 +1,34 @@
From f5c89caec93130da905a95602cf36a4e25f2303e Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
When using sshd's -i option with stdio that is not an AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.
To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
Author: Daan De Meyer <daan.j.demeyer@gmail.com>
Last-Update: 2024-04-03
Patch-Name: pam-avoid-unknown-host.patch
---
auth-pam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth-pam.c b/auth-pam.c
index 13c0a792e..b22883b95 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
sshpam_laddr = get_local_ipaddr(
ssh_packet_get_connection_in(ssh));
}
- if (sshpam_rhost != NULL) {
+ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
sshpam_rhost);
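Review bot: comparing against the literal "UNKNOWN" duplicates the sentinel that auth_get_canonical_hostname() returns, so a change there silently disables this check; export the sentinel as a shared #define and use it in both places. Also worth a line in the commit message: PAM modules that key on PAM_RHOST (pam_access rhost rules, for instance) now see the item unset instead of "UNKNOWN" for -i/stdio sessions, which can change their decision.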


@ -0,0 +1,39 @@
From 93b2730229d7385fe79d2136c5269e5a7fd49795 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 31 Mar 2024 00:24:11 +0000
Subject: regress: Redirect conch stdin from /dev/zero
This is more convenient than requiring a controlling terminal.
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3676
Last-Update: 2024-03-31
Patch-Name: regress-conch-dev-zero.patch
---
regress/conch-ciphers.sh | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 26b606d65..22168570c 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -7,10 +7,6 @@ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
skip "conch interop tests not enabled"
fi
-if ! [ -t 0 ]; then
- skip "conch interop tests requires a controlling terminal"
-fi
-
start_sshd
for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
@@ -21,7 +17,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
# in conch
${CONCH} --identity $OBJ/ssh-ed25519 --port $PORT --user $USER -e none \
--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
- 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
+ 127.0.0.1 "cat ${DATA}" </dev/zero 2>/dev/null | cat > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
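Review bot: the `$?` tested after the pipeline is the exit status of `cat > ${COPY}`, not of ${CONCH}, so a conch failure (including one caused by the stdin change in this hunk) still reports success as long as cat runs; check the conch status instead, e.g. by writing conch's output to the file directly, or with `set -o pipefail` where the regress shell supports it.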


@ -0,0 +1,35 @@
From 379b97fb24160f38bcd5f3be5737eac848a04af9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
---
sshd_config | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sshd_config b/sshd_config
index 01e8d9098..481dc4137 100644
--- a/sshd_config
+++ b/sshd_config
@@ -38,9 +38,8 @@ Include /etc/ssh/sshd_config.d/*.conf
#PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
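Review bot: keeping .ssh/authorized_keys2 as a second authorisation source means an audit of authorized_keys alone misses keys that still grant access, and because the commented-out line is the built-in default, an administrator who sets `AuthorizedKeysFile .ssh/authorized_keys` in sshd_config.d turns it off without noticing (or notices only when a legacy user breaks). The comment should say plainly that both files are consulted on Debian and that upstream's shipped sshd_config no longer reads authorized_keys2, rather than only "expect ... in future"; with a Last-Update of 2017 the grace period has outlived its stated purpose.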


@ -0,0 +1,172 @@
From 5f13fe22c2a9771dbcd12e2e9a1b2f905bcad22a Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2024-08-02
Patch-Name: restore-tcp-wrappers.patch
---
configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++
sshd-session.c | 25 ++++++++++++++++++++++
sshd.8 | 7 +++++++
3 files changed, 89 insertions(+)
diff --git a/configure.ac b/configure.ac
index e334ad2ec..06ad5c78a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1727,6 +1727,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
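Review bot: saved_LDFLAGS and saved_CPPFLAGS are assigned at the top of the --with-tcp-wrappers block but never restored, while saved_LIBS is; either restore them after the link test if leaking the -L/-I paths into the global flags is unintended, or drop the two dead assignments so the next reader does not assume the flags are scoped to this check.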
@@ -5806,6 +5862,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff --git a/sshd-session.c b/sshd-session.c
index 7d8498a88..c171c8923 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -109,6 +109,13 @@
#include "srclimit.h"
#include "dh.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2)
@@ -1237,6 +1244,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, "sshd", RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
rdomain = ssh_packet_rdomain_in(ssh);
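Review bot: fromhost() performs reverse and forward DNS lookups for every accepted connection before any SSH data is exchanged, and this code runs in the per-connection process as root, ahead of privilege separation; that is the pre-authentication surface the patch header acknowledges, and it also makes a slow or failing resolver delay the banner for every client, not only denied ones. Say so in the patch header and in sshd.8, and recommend address-based rather than hostname-based rules in hosts.allow/hosts.deny.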
diff --git a/sshd.8 b/sshd.8
index 08ebf53a1..464d402f6 100644
--- a/sshd.8
+++ b/sshd.8
@@ -925,6 +925,12 @@ the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
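Review bot: the new /etc/hosts.allow and /etc/hosts.deny entries should state that they are only consulted when sshd was built with --with-tcp-wrappers (the LIBWRAP block in sshd-session.c is compiled out otherwise) and that the feature is Debian-specific; as written, a reader of sshd.8 would expect the files to be honoured by any OpenSSH 10.0 build.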
@@ -1027,6 +1033,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,


@ -0,0 +1,93 @@
From c0165ba64a76bf4d962d6d9a500299c2696e150d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
AF21 for"
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
---
readconf.c | 4 ++--
servconf.c | 4 ++--
ssh_config.5 | 6 ++----
sshd_config.5 | 6 ++----
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
index fc625a00c..09b8ca33c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -3012,9 +3012,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
if (options->session_type == -1)
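Review bot: the header calls this a temporary revert pending fixes to the iptables and VMware interactions, yet the patch is still carried against OpenSSH 10.0 with a Last-Update of 2019-04-08; either record that those interactions still exist, or drop the revert, since keeping IPTOS_LOWDELAY/IPTOS_THROUGHPUT means Debian clients and servers mark packets with legacy ToS values that differ from every other OpenSSH build and from what upstream's ssh_config.5 and sshd_config.5 document.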
diff --git a/servconf.c b/servconf.c
index 4891a43d6..a51370a6d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -485,9 +485,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
index d8452237d..df12ef118 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1367,11 +1367,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
index a5594102f..998837edf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1022,11 +1022,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.

debian/patches/scp-quoting.patch vendored Normal file

@ -0,0 +1,41 @@
From 999eab9bf1499834341de56a71d5457ae2938840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.
This should be revised to mimic real shell quoting.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27
Patch-Name: scp-quoting.patch
---
scp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 57c242ffc..ec2040a6c 100644
--- a/scp.c
+++ b/scp.c
@@ -241,8 +241,16 @@ do_local_cmd(arglist *a)
if (verbose_mode) {
fprintf(stderr, "Executing:");
- for (i = 0; i < a->num; i++)
- fmprintf(stderr, " %s", a->list[i]);
+ for (i = 0; i < a->num; i++) {
+ if (i == 0)
+ fmprintf(stderr, " %s", a->list[i]);
+ else
+ /*
+ * TODO: misbehaves if a->list[i] contains a
+ * single quote
+ */
+ fmprintf(stderr, " '%s'", a->list[i]);
+ }
fprintf(stderr, "\n");
}
if ((pid = fork()) == -1)
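Review bot: the TODO at the top of the loop is the defect to fix rather than to note: wrapping in '...' without escaping means an argument containing a single quote is displayed as a command that would run differently from the one actually executed, and this output exists precisely so users can reproduce the command. Use the '\'' idiom (close the quote, emit an escaped quote, reopen) and apply it to a->list[0] as well, so the displayed line is shell-safe end to end.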

debian/patches/selinux-role.patch vendored Normal file

@ -0,0 +1,461 @@
From ad6e66e766ecc3a76c62c6daf81ebf19432713cb Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2024-07-03
Patch-Name: selinux-role.patch
---
auth.h | 1 +
auth2.c | 10 ++++++++--
monitor.c | 36 +++++++++++++++++++++++++++++++++---
monitor.h | 2 ++
monitor_wrap.c | 27 ++++++++++++++++++++++++---
monitor_wrap.h | 3 ++-
openbsd-compat/port-linux.c | 21 ++++++++++++++-------
openbsd-compat/port-linux.h | 4 ++--
platform.c | 4 ++--
platform.h | 2 +-
session.c | 8 ++++----
session.h | 2 +-
sshd-session.c | 2 +-
sshpty.c | 4 ++--
sshpty.h | 2 +-
15 files changed, 98 insertions(+), 30 deletions(-)
diff --git a/auth.h b/auth.h
index 98bb23d4c..59799a812 100644
--- a/auth.h
+++ b/auth.h
@@ -65,6 +65,7 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+ char *role;
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff --git a/auth2.c b/auth2.c
index 4fff5a5f7..7ca8a96f8 100644
--- a/auth2.c
+++ b/auth2.c
@@ -272,7 +272,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
- char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
@@ -286,8 +286,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
+ else if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
if (authctxt->attempt >= 1024)
auth_maxtries_exceeded(ssh);
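Review bot: the role is carved out of the username supplied by the still-unauthenticated client, so an attacker chooses the role string freely; nothing in this hunk or in mm_answer_authserv() below validates it against the roles SELinux permits for the user, so that check must exist in the port-linux.c part of this patch before pty_setowner() consumes it, and the commit message should point at it. Two smaller points: a legitimate username containing '/' can no longer authenticate, and since the split happens after the debug() on the previous lines but before setproctitle() and the authctxt fields are set, logs and the session will disagree about the name the client sent.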
@@ -315,7 +320,8 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- mm_inform_authserv(service, style);
+ authctxt->role = role ? xstrdup(role) : NULL;
+ mm_inform_authserv(service, style, role);
userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
diff --git a/monitor.c b/monitor.c
index 1aa81094e..180c6dbbc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -120,6 +120,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -196,6 +197,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -929,6 +931,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
@@ -962,15 +965,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit_authentications(1);
if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
+ (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
fatal_fr(r, "parse");
- debug3_f("service=%s, style=%s", authctxt->service, authctxt->style);
+ debug3_f("service=%s, style=%s, role=%s",
+ authctxt->service, authctxt->style, authctxt->role);
if (strlen(authctxt->style) == 0) {
free(authctxt->style);
authctxt->style = NULL;
}
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+
+int
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+{
+ int r;
+
+ monitor_permit_authentications(1);
+
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
return (0);
}
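Review bot: mm_answer_authrole() assigns authctxt->role without freeing the value mm_answer_authserv() may already have stored from the same request, so the role can be set twice (whichever message the unprivileged child sends last wins) and the first string leaks; since the role already travels in MONITOR_REQ_AUTHSERV, either drop the separate AUTHROLE request or make it refuse to overwrite a role that is already set. Style: the new function uses fatal()/debug3() with __func__ where the surrounding code uses fatal_fr()/debug3_f().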
@@ -1691,7 +1721,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
if (res == 0)
goto error;
- pty_setowner(authctxt->pw, s->tty);
+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
if ((r = sshbuf_put_u32(m, 1)) != 0 ||
(r = sshbuf_put_cstring(m, s->tty)) != 0)
diff --git a/monitor.h b/monitor.h
index 4076f71ea..1eda94540 100644
--- a/monitor.h
+++ b/monitor.h
@@ -66,6 +66,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
+
+ MONITOR_REQ_AUTHROLE = 154,
};
struct ssh;
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 8a6b4442f..9bf62aac2 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -421,10 +421,10 @@ mm_auth2_read_banner(void)
return (banner);
}
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
{
struct sshbuf *m;
int r;
@@ -434,7 +434,8 @@ mm_inform_authserv(char *service, char *style)
if ((m = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
if ((r = sshbuf_put_cstring(m, service)) != 0 ||
- (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
+ (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
+ (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
fatal_fr(r, "assemble");
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -442,6 +443,26 @@ mm_inform_authserv(char *service, char *style)
sshbuf_free(m);
}
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+ struct sshbuf *m;
+ int r;
+
+ debug3("%s entering", __func__);
+
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+
+ sshbuf_free(m);
+}
+
/* Do the password authentication */
int
mm_auth_password(struct ssh *ssh, char *password)
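Review bot: mm_inform_authrole() uses `fatal("%s: sshbuf_new failed", __func__)` and `fatal("%s: buffer error: %s", __func__, ssh_err(r))`, whereas mm_inform_authserv() directly above uses `fatal_f("sshbuf_new failed")` and `fatal_fr(r, "assemble")`; the blank line between the comment and `void` is also out of step with the neighbouring functions. Converting to the _f/_fr helpers keeps the log output uniform across the file.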
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 01251cf1b..fb6d7e15b 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -45,7 +45,8 @@ DH *mm_choose_dh(int, int, int);
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
const u_char *, size_t, const char *, const char *,
const char *, u_int compat);
-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index c1d54f38d..1fd3bfa81 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -65,7 +65,7 @@ ssh_selinux_enabled(void)
/* Return the default security context for the given username */
static char *
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
{
char *sc = NULL, *sename = NULL, *lvl = NULL;
int r;
@@ -79,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
#endif
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+ &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
#endif
if (r != 0) {
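Review bot: the role branches call get_default_context_with_rolelevel() and get_default_context_with_role() with no configure-time check, while the level variant is guarded by HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL; either add a matching HAVE_ test or state the minimum libselinux the patch requires. Failing closed when a requested role is not valid for the SELinux user is the right outcome, but the error path that follows (`if (r != 0)`) does not mention the role that was asked for, which makes a rejected role request hard to diagnose from the log.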
@@ -111,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
/* Set the execution context to the default for the specified user */
void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
{
char *user_ctx = NULL;
@@ -120,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
debug3("%s: setting execution context", __func__);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
if (setexeccon(user_ctx) != 0) {
switch (security_getenforce()) {
case -1:
@@ -142,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
/* Set the TTY context for the specified user */
void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
{
char *new_tty_ctx = NULL, *user_ctx = NULL, *old_tty_ctx = NULL;
security_class_t chrclass;
@@ -152,7 +159,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 959430de1..7f9a7c195 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/platform.c b/platform.c
index 4c4fe57ea..f3dc7c3a8 100644
--- a/platform.c
+++ b/platform.c
@@ -99,7 +99,7 @@ platform_setusercontext(struct passwd *pw)
* called if sshd is running as root.
*/
void
-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
{
#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
/*
@@ -140,7 +140,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
+ ssh_selinux_setup_exec_context(pw->pw_name, role);
#endif
}
diff --git a/platform.h b/platform.h
index 08cbd225d..2a7364578 100644
--- a/platform.h
+++ b/platform.h
@@ -27,7 +27,7 @@ void platform_post_fork_child(void);
void platform_pre_session_start(void);
int platform_privileged_uidswap(void);
void platform_setusercontext(struct passwd *);
-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
int platform_locked_account(struct passwd *);
diff --git a/session.c b/session.c
index b3833e44c..6614d8560 100644
--- a/session.c
+++ b/session.c
@@ -1344,7 +1344,7 @@ safely_chroot(const char *path, uid_t uid)
/* Set login name, uid, gid, and groups. */
void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
{
char uidstr[32], *chroot_path, *tmp;
@@ -1372,7 +1372,7 @@ do_setusercontext(struct passwd *pw)
endgrent();
#endif
- platform_setusercontext_post_groups(pw);
+ platform_setusercontext_post_groups(pw, role);
if (!in_chroot && options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1515,7 +1515,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* Force a password change */
if (s->authctxt->force_pwchange) {
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
child_close_fds(ssh);
do_pwchange(s);
exit(1);
@@ -1533,7 +1533,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam)
do_nologin(pw);
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this in an interactive
diff --git a/session.h b/session.h
index 344a1ddf9..20ea822a7 100644
--- a/session.h
+++ b/session.h
@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
Session *session_new(void);
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
-void do_setusercontext(struct passwd *);
+void do_setusercontext(struct passwd *, const char *);
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
diff --git a/sshd-session.c b/sshd-session.c
index c171c8923..372a610b3 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -471,7 +471,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
/* Drop privileges */
if (!skip_privdrop)
- do_setusercontext(authctxt->pw);
+ do_setusercontext(authctxt->pw, authctxt->role);
/* It is safe now to apply the key state */
monitor_apply_keystate(ssh, pmonitor);
diff --git a/sshpty.c b/sshpty.c
index cae0b977a..7870c6482 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -163,7 +163,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
}
void
-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
{
struct group *grp;
gid_t gid;
@@ -187,7 +187,7 @@ pty_setowner(struct passwd *pw, const char *tty)
strerror(errno));
#ifdef WITH_SELINUX
- ssh_selinux_setup_pty(pw->pw_name, tty);
+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
#endif
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
diff --git a/sshpty.h b/sshpty.h
index 9ec7e9a15..de7e000ae 100644
--- a/sshpty.h
+++ b/sshpty.h
@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
void pty_release(const char *);
void pty_make_controlling_tty(int *, const char *);
void pty_change_window_size(int, u_int, u_int, u_int, u_int);
-void pty_setowner(struct passwd *, const char *);
+void pty_setowner(struct passwd *, const char *, const char *);
void disconnect_controlling_tty(void);

debian/patches/series vendored Normal file

@ -0,0 +1,28 @@
gssapi.patch
restore-tcp-wrappers.patch
selinux-role.patch
ssh-vulnkey-compat.patch
keepalive-extensions.patch
syslog-level-silent.patch
user-group-modes.patch
scp-quoting.patch
shell-path.patch
dnssec-sshfp.patch
mention-ssh-keygen-on-keychange.patch
package-versioning.patch
debian-banner.patch
authorized-keys-man-symlink.patch
openbsd-docs.patch
ssh-argv0.patch
doc-hash-tab-completion.patch
ssh-agent-setgid.patch
no-openssl-version-status.patch
gnome-ssh-askpass2-icon.patch
debian-config.patch
restore-authorized_keys2.patch
revert-ipqos-defaults.patch
systemd-socket-activation.patch
skip-utimensat-test-on-zfs.patch
regress-conch-dev-zero.patch
configure-cache-vars.patch
pam-avoid-unknown-host.patch

debian/patches/shell-path.patch vendored Normal file

@ -0,0 +1,39 @@
From aff1a94c2716097f669efd7d59b257f50232c01e Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21
Patch-Name: shell-path.patch
---
sshconnect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index c86182d13..43b75dcf7 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -248,7 +248,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
* extra privileges above.
*/
ssh_signal(SIGPIPE, SIG_DFL);
- execv(argv[0], argv);
+ execvp(argv[0], argv);
perror(argv[0]);
exit(1);
}
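Review bot: with execvp() the argv[0] of a ProxyCommand is resolved through the caller's PATH whenever it contains no slash, and execvp() may fall back to an implementation default search path when PATH is unset; the retained comment about having dropped extra privileges is what makes this acceptable, so that dependency is worth stating in the patch description. ProxyCommand values given as absolute paths are unaffected.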
@@ -1711,7 +1711,7 @@ ssh_local_cmd(const char *args)
if (pid == 0) {
ssh_signal(SIGPIPE, SIG_DFL);
debug3("Executing %s -c \"%s\"", shell, args);
- execl(shell, shell, "-c", args, (char *)NULL);
+ execlp(shell, shell, "-c", args, (char *)NULL);
error("Couldn't execute %s -c \"%s\": %s",
shell, args, strerror(errno));
_exit(1);


@ -0,0 +1,55 @@
From 44616edf6f926b9fec6a322c755fb1bb8c90e7fe Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 11 Mar 2024 16:24:49 +0000
Subject: Skip utimensat test on ZFS
On ZFS (which may be used by e.g. `autopkgtest-virt-incus`), `utimensat`
seems to leave the access time set to 0. It's not clear why.
Forwarded: no
Last-Update: 2024-03-11
Patch-Name: skip-utimensat-test-on-zfs.patch
---
openbsd-compat/regress/utimensattest.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
index bbc66c485..662d58146 100644
--- a/openbsd-compat/regress/utimensattest.c
+++ b/openbsd-compat/regress/utimensattest.c
@@ -33,6 +33,12 @@
# define AT_SYMLINK_NOFOLLOW 0x80000000
#endif
+#if defined(HAVE_SYS_VFS_H) && defined(HAVE_STATFS) && defined(HAVE_STRUCT_STATFS_F_FILES)
+# include <sys/vfs.h>
+# define ZFS_SUPER_MAGIC 0x2fc12fc1
+# define HAVE_ZFS_CHECK
+#endif
+
int utimensat(int, const char *, const struct timespec[2], int);
static void
@@ -60,10 +66,21 @@ fail(char *msg, long expect, long got)
int
main(void)
{
+#ifdef HAVE_ZFS_CHECK
+ struct statfs sfsb;
+#endif
int fd;
struct stat sb;
struct timespec ts[2];
+#ifdef HAVE_ZFS_CHECK
+ /* On ZFS, utimensat seems to leave the atime set to 0. */
+ if (statfs(".", &sfsb) == 0 && sfsb.f_type == ZFS_SUPER_MAGIC) {
+ fprintf(stderr, "utimensat: skipping test on ZFS\n");
+ exit(0);
+ }
+#endif
+
cleanup();
if ((fd = open(TMPFILE, O_CREAT, 0600)) == -1)
fail("open", 0, 0);
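Review bot: the ZFS check is compiled under HAVE_STRUCT_STATFS_F_FILES but reads sfsb.f_type, a different member, so the guard does not test what the code uses; check for f_type instead. ZFS_SUPER_MAGIC is hardcoded here rather than taken from a system header, which is fine for a regress test but deserves a comment saying so. Exiting 0 on the skip path makes a skip indistinguishable from a pass in the test summary; if the harness supports a skip status, prefer that.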

debian/patches/ssh-agent-setgid.patch vendored Normal file

@ -0,0 +1,40 @@
From 8b13bba78cbebca9f74c89f6d35c716b871f9598 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21
Patch-Name: ssh-agent-setgid.patch
---
ssh-agent.1 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/ssh-agent.1 b/ssh-agent.1
index 533ad6d3a..43f9cf7aa 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -284,6 +284,21 @@ socket and stores its pathname in this variable.
It is accessible only to the current user,
but is easily abused by root or another instance of the same user.
.El
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
.Sh FILES
.Bl -tag -width Ds
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
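Review bot: the new paragraph says TMPDIR is dropped for the set-group-id ssh-agent, but the FILES entry that immediately follows still documents the socket as `$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>`; on Debian the socket will therefore be created under the default temporary directory unless an explicit path is given, and the FILES section should say so. Also, "to prevent ptrace attacks" reads stronger than what the bit delivers: a set-group-id process is only protected from ptrace by processes of the same user, and the preceding sentence already concedes that root can abuse the socket.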

debian/patches/ssh-argv0.patch vendored Normal file

@ -0,0 +1,31 @@
From fbda96f6f98870a8445019875f8783243e53ed01 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
---
ssh.1 | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssh.1 b/ssh.1
index 62bb40a50..3d849f02c 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1678,6 +1678,7 @@ if an error occurred.
.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
+.Xr ssh-argv0 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr tun 4 ,

debian/patches/ssh-vulnkey-compat.patch vendored Normal file

@ -0,0 +1,42 @@
From d0cbcbf53d5f0d4457b47a09af06aac1f483e712 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
---
readconf.c | 1 +
servconf.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/readconf.c b/readconf.c
index ac94e58b5..2b6f2c1e3 100644
--- a/readconf.c
+++ b/readconf.c
@@ -199,6 +199,7 @@ static struct {
{ "fallbacktorsh", oDeprecated },
{ "globalknownhostsfile2", oDeprecated },
{ "rhostsauthentication", oDeprecated },
+ { "useblacklistedkeys", oDeprecated },
{ "userknownhostsfile2", oDeprecated },
{ "useroaming", oDeprecated },
{ "usersh", oDeprecated },
diff --git a/servconf.c b/servconf.c
index 03b4960e0..d2025592a 100644
--- a/servconf.c
+++ b/servconf.c
@@ -702,6 +702,7 @@ static struct {
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
{ "uselogin", sDeprecated, SSHCFG_GLOBAL },


@ -0,0 +1,47 @@
From 098e60e62af180a1e2e2a7b0587da696cc34b92b Mon Sep 17 00:00:00 2001
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it. The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14
Patch-Name: syslog-level-silent.patch
---
log.c | 1 +
ssh.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/log.c b/log.c
index 6617f2672..f6645ce10 100644
--- a/log.c
+++ b/log.c
@@ -98,6 +98,7 @@ static struct {
LogLevel val;
} log_levels[] =
{
+ { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */
{ "QUIET", SYSLOG_LEVEL_QUIET },
{ "FATAL", SYSLOG_LEVEL_FATAL },
{ "ERROR", SYSLOG_LEVEL_ERROR },
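Review bot: the SILENT alias is inserted before QUIET with the same value, so any lookup that walks log_levels[] and returns the first entry matching SYSLOG_LEVEL_QUIET, as log_level_name() does when printing the effective configuration, will now report "SILENT" to a user who configured QUIET. Placing the compatibility entry after `{ "QUIET", SYSLOG_LEVEL_QUIET }` keeps name-to-level parsing working while leaving level-to-name output unchanged.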
diff --git a/ssh.c b/ssh.c
index c23d3b9e3..55463e5ad 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1425,7 +1425,7 @@ main(int ac, char **av)
/* Do not allocate a tty if stdin is not a tty. */
if ((!isatty(fileno(stdin)) || options.stdin_null) &&
options.request_tty != REQUEST_TTY_FORCE) {
- if (tty_flag)
+ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
logit("Pseudo-terminal will not be allocated because "
"stdin is not a terminal.");
tty_flag = 0;


@ -0,0 +1,203 @@
From aa7d7ffcefa83f6a524da54a10cd9026b6012695 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
Unlike inetd socket activation, with systemd socket activation the
supervisor passes the listened-on socket to the child process and lets
the child process handle the accept(). This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2025-04-11
Patch-Name: systemd-socket-activation.patch
---
configure.ac | 1 +
sshd.c | 131 +++++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 118 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index 06ad5c78a..75e50acf3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -974,6 +974,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
)
AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+ AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation])
inet6_default_4in6=yes
case `uname -r` in
1.*|2.0.*)
diff --git a/sshd.c b/sshd.c
index c9ea8e385..802cbe760 100644
--- a/sshd.c
+++ b/sshd.c
@@ -96,9 +96,17 @@
#include "atomicio.h"
/* Re-exec fds */
-#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
-#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2)
-#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 3)
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+static int get_systemd_listen_fds(void);
+#define SYSTEMD_OFFSET get_systemd_listen_fds()
+#define SYSTEMD_LISTEN_FDS_START 3
+#else
+#define SYSTEMD_OFFSET 0
+#endif
+
+#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1 + SYSTEMD_OFFSET)
+#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2 + SYSTEMD_OFFSET)
+#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 3 + SYSTEMD_OFFSET)
extern char *__progname;
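Review bot: SYSTEMD_OFFSET expands to a call to get_systemd_listen_fds(), so every use of REEXEC_DEVCRYPTO_RESERVED_FD, REEXEC_CONFIG_PASS_FD and REEXEC_MIN_FREE_FD, plus the closefrom() call later in the patch, re-reads LISTEN_PID/LISTEN_FDS and re-issues fcntl(F_SETFD) on each passed socket. Compute the count once (a static cached on first call) and have the macro return the cached value; that also removes the window in which the environment could change between evaluations. The comment about returning 0 on error is good, but after a failed fcntl() the earlier sockets in the loop have already been marked close-on-exec while the function reports none.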
@@ -802,6 +810,88 @@ send_rexec_state(int fd)
exit(0);
}
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+/*
+ * Get file descriptors passed by systemd; this implements the protocol
+ * described in the NOTES section of sd_listen_fds(3).
+ *
+ * We deliberately return 0 on error, so that the return value can safely be
+ * added as part of the REEXEC_*_FD macros without extra checks.
+ */
+static int
+get_systemd_listen_fds(void)
+{
+ const char *listen_pid_str, *listen_fds_str;
+ pid_t listen_pid;
+ int listen_fds;
+ const char *errstr = NULL;
+ int fd;
+
+ listen_pid_str = getenv("LISTEN_PID");
+ if (listen_pid_str == NULL)
+ return 0;
+ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
+ if (errstr != NULL || getpid() != listen_pid)
+ return 0;
+
+ listen_fds_str = getenv("LISTEN_FDS");
+ if (listen_fds_str == NULL)
+ return 0;
+ listen_fds = (int)strtonum(listen_fds_str, 1,
+ INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
+ if (errstr != NULL)
+ return 0;
+
+ for (fd = SYSTEMD_LISTEN_FDS_START;
+ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
+ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
+ return 0;
+ }
+
+ return listen_fds;
+}
+
+/*
+ * Configure our socket fds that were passed from systemd
+ */
+static void
+setup_systemd_socket(int listen_sock)
+{
+ int ret;
+ struct sockaddr_storage addr;
+ socklen_t len = sizeof(addr);
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+
+ if (getsockname(listen_sock, (struct sockaddr *)&addr, &len) != 0)
+ return;
+
+ if (((struct sockaddr *)&addr)->sa_family != AF_INET
+ && ((struct sockaddr *)&addr)->sa_family != AF_INET6)
+ return;
+ if (num_listen_socks >= MAX_LISTEN_SOCKS)
+ fatal("Too many listen sockets. "
+ "Enlarge MAX_LISTEN_SOCKS");
+ if ((ret = getnameinfo((struct sockaddr *)&addr, len, ntop,
+ sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
+ error("getnameinfo failed: %.100s",
+ ssh_gai_strerror(ret));
+ return;
+ }
+ if (set_nonblock(listen_sock) == -1) {
+ close(listen_sock);
+ return;
+ }
+ /* Socket options */
+ set_reuseaddr(listen_sock);
+
+ listen_socks[num_listen_socks] = listen_sock;
+ num_listen_socks++;
+
+ logit("Server listening on %s port %s.", ntop, strport);
+}
+#endif
+
/*
* Listen for TCP connections
*/
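Review bot: setup_systemd_socket() returns silently when getsockname() fails or the socket is not AF_INET/AF_INET6, and on the getnameinfo() failure path it leaves the descriptor open but unregistered; a debug() or error() line on each of those returns would make a misconfigured .socket unit (for example a socket of another family) visible in the log instead of surfacing only as "Cannot bind any address." In the set_nonblock() failure branch the socket is closed, which is inconsistent with the other early returns; pick one behaviour for all of them.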
@@ -881,6 +971,9 @@ static void
server_listen(void)
{
u_int i;
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+ int systemd_socket_count;
+#endif
/* Initialise per-source limit tracking. */
srclimit_init(options.max_startups,
@@ -890,17 +983,27 @@ server_listen(void)
&options.per_source_penalty,
options.per_source_penalty_exempt);
- for (i = 0; i < options.num_listen_addrs; i++) {
- listen_on_addrs(&options.listen_addrs[i]);
- freeaddrinfo(options.listen_addrs[i].addrs);
- free(options.listen_addrs[i].rdomain);
- memset(&options.listen_addrs[i], 0,
- sizeof(options.listen_addrs[i]));
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+ systemd_socket_count = get_systemd_listen_fds();
+ if (systemd_socket_count > 0)
+ {
+ int i;
+ for (i = 0; i < systemd_socket_count; i++)
+ setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
+ } else
+#endif
+ {
+ for (i = 0; i < options.num_listen_addrs; i++) {
+ listen_on_addrs(&options.listen_addrs[i]);
+ freeaddrinfo(options.listen_addrs[i].addrs);
+ free(options.listen_addrs[i].rdomain);
+ memset(&options.listen_addrs[i], 0,
+ sizeof(options.listen_addrs[i]));
+ }
+ free(options.listen_addrs);
+ options.listen_addrs = NULL;
+ options.num_listen_addrs = 0;
}
- free(options.listen_addrs);
- options.listen_addrs = NULL;
- options.num_listen_addrs = 0;
-
if (!num_listen_socks)
fatal("Cannot bind any address.");
}
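Review bot: the `int i;` declared inside the systemd branch shadows the function's `u_int i;` from the hunk above and will trip -Wshadow; reuse the outer variable. When systemd sockets are in use the else branch never runs, so options.listen_addrs (and each entry's addrinfo and rdomain) is neither freed nor reset, and any ListenAddress directives in sshd_config are silently ignored; a logit() noting that the passed sockets take precedence would save an administrator some confusion.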
@@ -1461,7 +1564,7 @@ main(int ac, char **av)
if (!test_flag && !inetd_flag && !do_dump_cfg && !path_absolute(av[0]))
fatal("sshd requires execution with an absolute path");
- closefrom(STDERR_FILENO + 1);
+ closefrom(STDERR_FILENO + 1 + SYSTEMD_OFFSET);
/* Reserve fds we'll need later for reexec things */
if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)

debian/patches/user-group-modes.patch vendored Normal file

@ -0,0 +1,210 @@
From 69d17a6efb4ca9c28fdc700154affb67d696a4ee Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2022-02-23
Patch-Name: user-group-modes.patch
---
auth-rhosts.c | 6 ++----
auth.c | 3 +--
misc.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++-----
misc.h | 2 ++
readconf.c | 3 +--
ssh.1 | 2 ++
ssh_config.5 | 2 ++
7 files changed, 62 insertions(+), 13 deletions(-)
diff --git a/auth-rhosts.c b/auth-rhosts.c
index d5d2c7a12..13c3c201b 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -265,8 +265,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
return 0;
}
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -295,8 +294,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Rhosts authentication refused for %.100s: "
"bad modes for %.200s", pw->pw_name, path);
auth_debug_add("Bad file modes for %.200s", path);
diff --git a/auth.c b/auth.c
index e4578169b..4b878865f 100644
--- a/auth.c
+++ b/auth.c
@@ -430,8 +430,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
pw->pw_name, user_hostfile);
diff --git a/misc.c b/misc.c
index dd0bd032a..081d07993 100644
--- a/misc.c
+++ b/misc.c
@@ -62,9 +62,9 @@
#include <netdb.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
+#endif
#include <pwd.h>
#include <grp.h>
-#endif
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
#endif
@@ -1449,6 +1449,55 @@ percent_dollar_expand(const char *string, ...)
return ret;
}
+int
+secure_permissions(struct stat *st, uid_t uid)
+{
+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
+ return 0;
+ if ((st->st_mode & 002) != 0)
+ return 0;
+ if ((st->st_mode & 020) != 0) {
+ /* If the file is group-writable, the group in question must
+ * have exactly one member, namely the file's owner.
+ * (Zero-member groups are typically used by setgid
+ * binaries, and are unlikely to be suitable.)
+ */
+ struct passwd *pw;
+ struct group *gr;
+ int members = 0;
+
+ gr = getgrgid(st->st_gid);
+ if (!gr)
+ return 0;
+
+ /* Check primary group memberships. */
+ while ((pw = getpwent()) != NULL) {
+ if (pw->pw_gid == gr->gr_gid) {
+ ++members;
+ if (pw->pw_uid != uid)
+ return 0;
+ }
+ }
+ endpwent();
+
+ pw = getpwuid(st->st_uid);
+ if (!pw)
+ return 0;
+
+ /* Check supplementary group memberships. */
+ if (gr->gr_mem[0]) {
+ ++members;
+ if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+ gr->gr_mem[1])
+ return 0;
+ }
+
+ if (!members)
+ return 0;
+ }
+ return 1;
+}
+
int
tun_open(int tun, int mode, char **ifname)
{
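Review bot: secure_permissions() calls getpwent() without a preceding setpwent(), so the enumeration starts wherever a previous caller left the passwd stream, and the early `return 0` inside the loop skips endpwent(); add setpwent() before the loop and endpwent() on every exit path. Enumerating the whole user database on each check is also costly on NSS backends such as LDAP, and some backends do not support enumeration at all, in which case `members` stays 0 and every group-writable file is rejected; that fails closed, which is acceptable, but the patch description should say so.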
@@ -2271,8 +2320,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
snprintf(err, errlen, "%s is not a regular file", buf);
return -1;
}
- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
- (stp->st_mode & 022) != 0) {
+ if (!secure_permissions(stp, uid)) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
return -1;
@@ -2287,8 +2335,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
strlcpy(buf, cp, sizeof(buf));
if (stat(buf, &st) == -1 ||
- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
- (st.st_mode & 022) != 0) {
+ !secure_permissions(&st, uid)) {
snprintf(err, errlen,
"bad ownership or modes for directory %s", buf);
return -1;
diff --git a/misc.h b/misc.h
index efecdf1ad..9ea1128ac 100644
--- a/misc.h
+++ b/misc.h
@@ -247,6 +247,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
void notify_complete(struct notifier_ctx *, const char *, ...)
__attribute__((format(printf, 2, 3)));
+int secure_permissions(struct stat *st, uid_t uid);
+
#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/readconf.c b/readconf.c
index 5a38016eb..8419b5451 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2638,8 +2638,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
if (fstat(fileno(f), &sb) == -1)
fatal("fstat %s: %s", filename, strerror(errno));
- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
- (sb.st_mode & 022) != 0))
+ if (!secure_permissions(&sb, getuid()))
fatal("Bad owner or permissions on %s", filename);
}
diff --git a/ssh.1 b/ssh.1
index f83514c8f..62bb40a50 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1582,6 +1582,8 @@ The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
.Pp
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
index a82ea54db..dd0084c82 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -2490,6 +2490,8 @@ The format of this file is described above.
This file is used by the SSH client.
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
.It Pa /etc/ssh/ssh_config
Systemwide configuration file.
This file provides defaults for those

debian/po/POTFILES.in vendored Normal file

@ -0,0 +1 @@
[type: gettext/rfc822deb] openssh-server.templates

debian/po/ca.po vendored Normal file

@ -0,0 +1,58 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# Pablo Huguet, 2023.
# <https://linktr.ee/VoodooPablo>
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2023-08-18 03:20+0200\n"
"Last-Translator: Pablo Huguet <https://linktr.ee/VoodooPablo>\n"
"Language-Team: Catalan <debian-l10n-catalan@lists.debian.org>\n"
"Language: ca\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Desactivar l'autenticació de contrasenya SSH per a root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Les versions anteriors d'openssh-server permetien iniciar sessió com a root "
"a través de SSH utilitzant l'autenticació de contrasenya. El valor "
"predeterminat per a instal·lacions noves és ara \"PermitRootLogin prohibit-"
"password\", que desactiva la contrasenya d'autenticació per a root sense "
"trencar sistemes que tenen explícitament autenticació de clau pública SSH "
"configurada per a root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Aquest canvi fa que els sistemes siguin més segurs contra contrasenyes de "
"força bruta atacs de diccionari a l'usuari root (un objectiu molt comú per a "
"aquests atacs). Tanmateix, pot trencar els sistemes configurats amb "
"l'expectativa de poder fer SSH com a root mitjançant l'autenticació de "
"contrasenya. Només hauríeu de fer aquest canvi si no ho necessiteu."
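Review bot: the header entry still carries the `#, fuzzy` flag and the template placeholders (`# SOME DESCRIPTIVE TITLE.`, `# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER`, `PACKAGE package`) are not filled in; gettext tooling treats a fuzzy header as untranslated, so drop the flag and fill in the placeholders. In the second msgstr, `desactiva la contrasenya d'autenticació` reads as "disables the authentication password" rather than "disables password authentication" (something like `desactiva l'autenticació per contrasenya`), and the third msgstr's `contra contrasenyes de força bruta atacs de diccionari` has the same word-order problem.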

55
debian/po/cs.po vendored Normal file

@ -0,0 +1,55 @@
# Czech PO debconf template translation of openssh.
# Copyright (C) 2014 Michal Simunek <michal.simunek@gmail.com>
# This file is distributed under the same license as the openssh package.
# Michal Simunek <michal.simunek@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh 1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-06-12 12:25+0200\n"
"Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
"Language: cs\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Zakázat ověřování heslem pro uživatele root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Předchozí verze openssh-server dovolovala přihlašovat se přes SSH jako root "
"pomocí ověřování heslem. Výchozí volba pro nové instalace je nyní "
"\"PermitRootLogin prohibit-password\", která zakazuje ověřování heslem pro "
"uživatele root, aniž by to omezilo systémy, které mají explicitně nastaveno "
"ověřování veřejným SSH klíčem pro uživatele root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Tato změna činí systémy zabezpečenějšími proti útokům hrubou silou na heslo "
"uživatele root pomocí slovníku (velmi častý cíl útoků). Nicméně, to může "
"poškodit systémy, které jsou nastaveny s předpokladem, že bude možné se "
"přihlašovat přes SSH jako root pomocí ověřování heslem. Změnu této volby "
"byste měli provést pouze pokud ověřování heslem potřebujete."
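Review bot: the last msgstr inverts the msgid. `Změnu této volby byste měli provést pouze pokud ověřování heslem potřebujete` tells the user to make the change only if they do need password authentication, whereas the English says to make it only if you do not need it; it should read `... pouze pokud ověřování heslem nepotřebujete`. This string is the debconf prompt that decides whether root password logins stay enabled, so the inverted advice matters.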

55
debian/po/da.po vendored Normal file

@ -0,0 +1,55 @@
# Danish translation openssh.
# Copyright (C) 2014 openssh og nedenstående oversættere.
# This file is distributed under the same license as the openssh package.
# Joe Hansen <joedalton2@yahoo.dk>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-21 23:51+0200\n"
"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
"Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
"Language: da\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Deaktiver SSH-adgangskodegodkendelse for root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Tidligere versioner af openssh-server tillod indlogning som root over SSH "
"med brug af adgangskodegodkendelse. Standarden for nye installationer er nu "
"»PermitRootLogin prohibit-password«, som deaktiverer adgangskodegodkendelse "
"for root uden at ødelægge systemer, som eksplicit har konfigureret SSH-"
"offentlig nøglegodkendelse for root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Denne ændring gør systemer mere sikre mod brute-force angreb vis ordlister "
"med adgangskoder på root-brugeren (et meget ofte mål for sådanne angreb). "
"Det kan dog ødelægge systemer, som er opsat med forventning om at kunne SSH "
"som root via brug af adgangskodegodkendelse. Du skal kun lave denne ændring, "
"hvis du ikke har brug for dette."
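Review bot: typo in the last msgstr: `brute-force angreb vis ordlister` should be `brute-force angreb via ordlister`.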

61
debian/po/de.po vendored Normal file

@ -0,0 +1,61 @@
# openssh.
# Copyright (C) 2014 Colin Watson
# Copyright (C) 2014 Stephan Beck
# This file is distributed under the same license as the openssh package.
# Stephan Beck <sbeck@mailbox.org>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh_1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-24 22:21+0100\n"
"Last-Translator: Stephan Beck <sbeck@mailbox.org>\n"
"Language-Team: Debian German translation team <debian-l10n-german@lists."
"debian.org>\n"
"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "SSH Passwort-Authentifizierung für »root« deaktivieren?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Vorherige Versionen von openssh-server erlaubten das Anmelden als »root« "
"über SSH unter Verwendung von Passwort-Authentifizierung. Die "
"Standardeinstellung für Neuinstallationen lautet nun »PermitRootLogin "
"prohibit-password«, wodurch die Passwort-Authentifizierung für »root« "
"deaktiviert wird, und Systeme dennoch funktionsfähig bleiben, bei denen "
"ausdrücklich die Authentifizierung als »root« mittels öffentlichem SSH-"
"Schlüssel konfiguriert ist."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Diese Änderung sichert Systeme besser gegen jene Angriffe auf den Benutzer "
"»root« (ein verbreitetes Ziel solcher Angriffe) ab, die das Passwort durch "
"simples Ausprobieren aller Einträge von Wörterbüchern zu erraten versuchen. "
"Sie kann allerdings dazu führen, dass Systeme nicht mehr funktionieren, die "
"in der Absicht konfiguriert wurden, die Anmeldung als »root« über SSH unter "
"Verwendung von Passwort-Authentifizierung zuzulassen. Sie sollten diese "
"Änderung nur vornehmen, wenn Sie auf Letzteres verzichten können."

80
debian/po/es.po vendored Normal file

@ -0,0 +1,80 @@
# openssh po-debconf translation to Spanish
# Copyright (C) 2014 Software in the Public Interest
# This file is distributed under the same license as the openssh package.
#
# Changes:
# - Initial translation
# Matías A. Bellone <matiasbellone+debian@gmail.com>, 2014
#
# Traductores, si no conocen el formato PO, merece la pena leer la
# de gettext, especialmente las secciones dedicadas a este
# formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor, lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
# http://www.debian.org/intl/spanish/
# especialmente las notas de traducción en
# http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
# /usr/share/doc/po-debconf/README-trans
# o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-23 20:43-0300\n"
"Last-Translator: Matías Bellone <matiasbellone+debian@gmail.com>\n"
"Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
"Language: es\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"¿Desea desactivar la autenticación SSH mediante contraseña para el usuario "
"root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Las versiones anteriores de openssh-server permitían iniciar sesión como "
"usuario root utilizando autenticación con contraseña. La configuración "
"predeterminada para las nuevas instalaciones ahora incluye «PermitRootLogin "
"prohibit-password», lo que desactiva la autenticación con contraseña para el "
"usuario root sin romper los sistemas que tienen configurado explícitamente "
"la autenticación SSH utilizando claves públicas para el usuario root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Este cambio hace que los sistemas sean más resistentes contra ataques de "
"fuerza bruta basados en diccionarios sobre el usuario root (un objetivo muy "
"común para este tipo de ataques). Sin embargo, podría romper sistemas cuya "
"configuración permite que el usuario root inicie sesión a través de SSH "
"utilizando una contraseña. Sólo debería realizar este cambio si no necesita "
"este comportamiento."

59
debian/po/fr.po vendored Normal file

@ -0,0 +1,59 @@
# Translation of openssh debconf template to French
# Copyright (C) 2014
# This file is distributed under the same license as the openssh package.
# Étienne Gilli <etienne.gilli@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh_1:6.5p1-6\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-22 08:26+0100\n"
"Last-Translator: Étienne Gilli <etienne.gilli@gmail.com>\n"
"Language-Team: French <debian-l10n-french@lists.debian.org>\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"Désactiver lauthentification SSH par mot de passe pour le superutilisateur ?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Les versions précédentes du paquet openssh-server autorisaient la connexion "
"par SSH du superutilisateur (root) en utilisant lauthentification par mot "
"de passe. Par défaut, les nouvelles installations ont maintenant loption "
 PermitRootLogin prohibit-password », qui désactive lauthentification par "
"mot de passe pour le compte « root », sans casser les systèmes qui ont "
"configuré explicitement lauthentification SSH par clé publique pour ce "
"compte."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Cette modification rend les systèmes plus robustes face aux attaques par "
"force brute et par dictionnaire contre le superutilisateur (très souvent "
"pris pour cible par ce type dattaque). Cependant, cela peut rendre "
"inutilisables les systèmes reposant sur la possibilité de se connecter au "
"compte « root » par SSH avec authentification par mot de passe. Vous ne "
"devriez appliquer cette modification que si ce nest pas votre cas."
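Review bot: the continuation line ` PermitRootLogin prohibit-password », qui désactive ...` in the second msgstr is missing its opening `"` (and the `«` that should pair with the closing `»`), unlike every other continuation line; if that is what is in the file rather than a rendering artifact, msgfmt will reject it. The apostrophes in `lauthentification`, `loption` and `dattaque` look like they lost their `’` character the same way; run `msgfmt -c` on the file before merging.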

58
debian/po/it.po vendored Normal file

@ -0,0 +1,58 @@
# Italian translation of openssh debconf messages.
# Copyright (C) 2014, openssh package copyright holder
# This file is distributed under the same license as the openssh package.
# Beatrice Torracca <beatricet@libero.it>, 2014.
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-28 11:12+0200\n"
"Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
"Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
"Language: it\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: Virtaal 0.7.1\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Disabilitare l'autenticazione SSH con password per root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Le versioni precedenti di openssh-server permettevano il login come root via "
"SSH, usando l'autenticazione con password. Il comportamento predefinito "
"delle nuove installazioni è «PermitRootLogin prohibit-password» che "
"disabilita l'autenticazione con password per root, senza rendere non "
"funzionanti sistemi che hanno esplicitamente configurato l'autenticazione "
"SSH con chiave pubblica per root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Questo cambiamento rende i sistemi più al sicuro da attacchi di forza bruta "
"a dizionario sulle password per l'utente root (un obiettivo molto comune per "
"tali attacchi). Tuttavia, può rendere non funzionanti sistemi che sono "
"impostati facendo affidamento sulla possibilità di autenticazione SSH come "
"root usando la password. Si dovrebbe fare questo cambiamento solo se non si "
"ha bisogno di tale comportamento."

55
debian/po/ja.po vendored Normal file

@ -0,0 +1,55 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# victory <victory.deb@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-20 11:06+0900\n"
"Last-Translator: victory <victory.deb@gmail.com>\n"
"Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
"Language: ja\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "root での SSH パスワード認証を無効にしますか?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"openssh-server の以前のバージョンではパスワード認証を利用した SSH 経由の "
"root のログインを許可していました。新しくインストールした場合のデフォルト値が"
"現在は「PermitRootLogin prohibit-password」になり、root のパスワード認証を無"
"効化しますが SSH の公開鍵認証を root 用に明示的に設定しているシステムでは特に"
"問題はありません。"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"この変更によりシステムは root ユーザ (こういった攻撃ではとても一般的な攻撃対"
"象です) へのブルートフォースによるパスワード辞書攻撃に対してはより安全になり"
"ます。しかしパスワード認証により root で SSH 接続できることを前提として構成し"
"たシステムでは問題が発生する可能性があります。そういった必要のない場合にのみ"
"この変更を行うようにしてください。"
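Review bot: the template placeholders `# SOME DESCRIPTIVE TITLE.` and `# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER` at the top of the file were never filled in; replace them with the package name and the copyright year/holder as the other translations do.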

60
debian/po/nl.po vendored Normal file

@ -0,0 +1,60 @@
# Dutch translation of openssh debconf templates.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-10-03 23:54+0200\n"
"Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
"Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
"Language: nl\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"Wachtwoordauthenticatie over SSH voor de systeembeheerder uitschakelen?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Eerdere versies van de openssh-server lieten de systeembeheerder toe om zich "
"over SSH te authenticeren met een wachtwoord. Voor nieuwe installaties is de "
"standaard nu \"PermitRootLogin prohibit-password\". Deze standaardinstelling "
"maakt het voor de systeembeheerder onmogelijk om zich via een wachtwoord te "
"authenticeren. Deze instelling heeft geen impact op systemen waarbij de SSH-"
"configuratie expliciet vereist dat de systeembeheerder zich authenticeert "
"via een publieke sleutel."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Deze wijziging maakt systemen veiliger tegenover aanvallen met brute kracht "
"(met een wachtwoordenwoordenboek) op de systeembeheerder, een zeer courant "
"doelwit voor zulke aanvallen. Maar het kan systemen onbruikbaar maken die "
"ingesteld werden vanuit de verwachting dat de systeembeheerder SSH kan "
"gebruiken met authenticatie via wachtwoord. Enkel wanneer u dit laatste niet "
"nodig heeft, zou u deze wijziging kunnen doorvoeren."

59
debian/po/pt.po vendored Normal file

@ -0,0 +1,59 @@
# Translation of openssh's debconf messages to European Portuguese
# Copyright (C) 2014 YEAR THE openssh'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
#
# Américo Monteiro <a_monteiro@gmx.com>, 2014.
msgid ""
msgstr ""
"Project-Id-Version: openssh 1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-21 21:13+0000\n"
"Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n"
"Language-Team: Portuguese <traduz@debianpt.org>\n"
"Language: pt\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: Lokalize 1.4\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Desactivar a autenticação SSH por palavra passe para o root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"As versões anteriores do servidor openssh permitiam iniciar sessão como root "
"sobre SSH usando autenticação por palavra-passe. A predefinição para novas "
"instalações é agora \"PermitRootLogin prohibit-password\", a qual desactiva "
"a autenticação por palavra-passe para o root sem danificar os sistemas que "
"têm configurados explicitamente autenticação SSH por chave pública para o "
"root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Esta alteração torna os sistemas mais seguros contra ataques em que se "
"forçam dicionários de palavras-passe no utilizador root (um alvo muito comum "
"para tais ataques). No entanto, pode danificar sistemas que estão "
"configurados com a expectativa de serem capazes de SSH como root usando "
"autenticação por palavra-passe. Apenas deverá fazer esta alteração se não "
"precisa de tal método de autenticação."
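Review bot: the copyright line `# Copyright (C) 2014 YEAR THE openssh'S COPYRIGHT HOLDER` mixes a real year with the template placeholder; drop `YEAR THE ... COPYRIGHT HOLDER` or name the actual holder.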

57
debian/po/pt_BR.po vendored Normal file

@ -0,0 +1,57 @@
# Debconf translations for openssh.
# Copyright (C) 2014 THE openssh'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# José de Figueiredo <deb.gnulinux@gmail.com>, 2014.
#
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-11-23 23:49-0200\n"
"Last-Translator: José de Figueiredo <deb.gnulinux@gmail.com>\n"
"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
"org>\n"
"Language: pt_BR\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Desabilitar autenticação por senha do SSH para root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Versões anteriores do openssh-server permitiam login como root sobre SSH "
"usando autenticação por senha. O padrão para as novas instalações agora é "
"\"PermitRootLogin prohibit-password\", que desabilita a autenticação por "
"senha para root sem quebrar sistemas que tenham configurado explicitamente o "
"SSH para autenticação por chave pública para root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Esta alteração torna sistemas mais seguros contra ataques de força bruta por "
"dicionário de senhas no usuário root (um alvo muito comum destes ataques). "
"Entretanto, ela pode quebrar sistemas que foram configurados com a "
"expectativa de acesso SSH com root usando autenticação por senha. Você deve "
"fazer esta mudança somente se você não precisa fazer isso."

69
debian/po/ro.po vendored Normal file

@ -0,0 +1,69 @@
# Mesajele în limba română pentru pachetul openssh.
# Romanian translation of openssh.
# Copyright © 2023 THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
#
# Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>, 2023.
#
# Cronologia traducerii fișierului „openssh”:
# Traducerea inițială, făcută de R-GC, pentru versiunea openssh 1 9.2p1-2(2014-03-20).
# Actualizare a traducerii pentru versiunea Y, făcută de X, Y(anul).
#
msgid ""
msgstr ""
"Project-Id-Version: openssh 1 9.2p1-2\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2023-03-11 12:17+0100\n"
"Last-Translator: Remus-Gabriel Chelu <remusgabriel.chelu@disroot.org>\n"
"Language-Team: Romanian <debian-l10n-romanian@lists.debian.org>\n"
"Language: ro\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n==0 || (n!=1 && n%100>=1 && "
"n%100<=19) ? 1 : 2);\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
"X-Generator: Poedit 3.2.2\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"Doriți să dezactivați autentificarea SSH prin parolă pentru utilizatorul „root”?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH using "
"password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password authentication "
"for root without breaking systems that have explicitly configured SSH public "
"key authentication for root."
msgstr ""
"Versiunile anterioare ale «openssh-server» permiteau conectarea ca utilizator "
"„root” prin SSH folosind autentificarea prin parolă. Valoarea implicită pentru "
"noile instalări este acum „PermitRootLogin prohibit-password”, care "
"dezactivează autentificarea parolei pentru „root” fără să deterioreze sistemele "
"care au configurat în mod explicit autentificarea cu cheie publică SSH pentru "
"„root”."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password dictionary "
"attacks on the root user (a very common target for such attacks). However, it "
"may break systems that are set up with the expectation of being able to SSH as "
"root using password authentication. You should only make this change if you do "
"not need to do that."
msgstr ""
"Această modificare face sistemele mai sigure împotriva atacurilor de forță "
"brută bazate pe dicționar de parole asupra utilizatorului „root” (o țintă "
"foarte comună pentru astfel de atacuri). Cu toate acestea, poate distruge "
"sistemele care sunt configurate pentru a permite utilizatorului „root” să se "
"conecteze prin SSH folosind o parolă. Ar trebui să faceți această modificare "
"doar dacă nu este necesar să utilizați acest tip de autentificare pentru "
"utilizatorul „root”."
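Review bot: the version string is malformed in two places: `Project-Id-Version: openssh 1 9.2p1-2` and the history comment `openssh 1 9.2p1-2(2014-03-20)` have lost the epoch colon and should read `openssh 1:9.2p1-2` (the other files use the `1:6.6p1-1` form). The history line also pairs a 2023 translation with the 2014 template date, which is confusing; state the translation date instead.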

57
debian/po/ru.po vendored Normal file

@ -0,0 +1,57 @@
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
#
# Yuri Kozlov <yuray@komyakino.ru>, 2014.
msgid ""
msgstr ""
"Project-Id-Version: openssh 1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-22 10:04+0400\n"
"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
"X-Generator: Lokalize 1.4\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Выключить в SSH аутентификацию по паролю для root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"В предыдущих версиях openssh-server разрешён вход с правами пользователя "
"root через SSH с помощью аутентификации по паролю. При новых установках по "
"умолчанию теперь используется настройка «PermitRootLogin prohibit-password», "
"которая отключает аутентификацию по паролю для root, что не вредит системам, "
"у которых в SSH для root настроена аутентификация по открытому ключу."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Это изменение делает системы более стойкими к атакам методом перебора "
"словарных паролей для пользователя root (самая распространённая цель таких "
"атак). Однако, это вредит системам, в которых специально настроен вход для "
"root по SSH с парольной аутентификацией. Если это не ваш случай, то ответьте "
"утвердительно."
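Review bot: the msgstr for the second paragraph drops the hedge that is in the msgid: "Однако, это вредит системам" states that the change harms systems, while the source says "it may break systems"; "Однако это может нарушить работу систем" keeps the meaning (and the comma after "Однако" is not needed there). In the first paragraph "разрешён вход" reads as present tense; "был разрешён вход" matches "permitted".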

58
debian/po/sv.po vendored Normal file

@ -0,0 +1,58 @@
# Swedish translations for openssh package
# Svenska översättningar för paket openssh.
# Copyright (C) 2014 THE openssh'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# Andreas Rönnquist <gusnan@gusnan.se>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-21 21:36+0100\n"
"Last-Translator: Andreas Rönnquist <gusnan@gusnan.se>\n"
"Language-Team: Swedish\n"
"Language: sv\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Inaktivera SSH-lösenordsautentisering för root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Tidigare versioner av openssh-server tillät inloggning som root över SSH med "
"hjälp av lösenordsautentisering. Standardinställningen för nya "
"installationer är nu \"PermitRootLogin prohibit-password\", vilket "
"inaktiverar lösenordsautentisering för root utan att förstöra system som "
"explicit har konfigurerat nyckelautentisering med hjälp av publika nycklar "
"för root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Denna förändring gör system säkrare mot brute-force-angrepp med hjälp av "
"ordlistor med lösenord på root-användaren (ett väldigt vanligt mål för "
"sådana angrepp). Dock så kan detta förstöra system som förväntas kunna "
"använda SSH som root med hjälp av lösenordsautentisering. Du skall endast "
"göra denna förändring om du inte har ett behov av att kunna göra detta."

46
debian/po/templates.pot vendored Normal file

@ -0,0 +1,46 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""

58
debian/po/tr.po vendored Normal file

@ -0,0 +1,58 @@
# Turkish translation of openssh package
# Copyright (C) 2014 Mert Dirik
# This file is distributed under the same license as the openssh package.
# Mert Dirik <mertdirik@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh-server\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-08-01 14:44+0200\n"
"Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
"Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Poedit 1.5.4\n"
"Language: tr\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "root kullanıcısının parola ile kimlik doğrulaması engellensin mi?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"openssh-server'ın önceki sürümleri parola ile kimlik doğrulama kullanılarak "
"root kullanıcısının SSH üzerinden oturum açmasına izin veriyordu. Artık yeni "
"kurulumların öntanımlı ayarı \"PermitRootLogin prohibit-password\" "
"şeklindedir. Bu ayar root kullanıcısının parola kullanarak oturum açmasını "
"yasaklar. SSH genel anahtar doğrulama yöntemine ayrıca izin veren mevcut "
"sistemler bu ayardan etkilenmez."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Bu ayar sistemleri kaba kuvvet sözlükten parola saldırılarına karşı güvenli "
"hale getirir (root kullanıcısı bu tarz saldırıların en büyük "
"hedeflerindendir). Fakat bu ayarın etkinleştirilmesi, root kullanıcısına "
"parola doğrulama yöntemiyle oturum açılabileceği varsayımıyla hareket eden "
"sistemlerde eskiden çalışan düzenin bozulmasına sebep olacaktır. Bu "
"değişikliği yalnızca sorun çıkarmayacağından eminseniz yapın."
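Review bot: the last sentence of the second msgstr changes the condition: "yalnızca sorun çıkarmayacağından eminseniz yapın" tells the administrator to enable this only when sure it will cause no problems, whereas the msgid says to make the change only if password logins as root are not needed; "Bu değişikliği yalnızca root olarak parola ile oturum açmanız gerekmiyorsa yapın" follows the source. The same paragraph also turns "may break" into "bozulmasına sebep olacaktır" (will break); "sebep olabilir" keeps the hedge.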

236
debian/rules vendored Executable file

@ -0,0 +1,236 @@
#!/usr/bin/make -f
export DEB_BUILD_MAINT_OPTIONS := hardening=+all
include /usr/share/dpkg/default.mk
# Uncomment this to turn on verbose mode.
# export DH_VERBOSE=1
# This has to be exported to make some magic below work.
export DH_OPTIONS
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
RUN_TESTS := yes
else
RUN_TESTS :=
endif
ifeq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
PARALLEL :=
else
PARALLEL := \
-j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
endif
ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
CC := gcc
PKG_CONFIG = pkg-config
else
CC := $(DEB_HOST_GNU_TYPE)-gcc
PKG_CONFIG = $(DEB_HOST_GNU_TYPE)-pkg-config
RUN_TESTS :=
endif
# Change the version string to reflect distribution
SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//; s/+salsaci+.*/+salsaci/')
UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu))
ifeq ($(UBUNTU),yes)
DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
else
DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/games
endif
SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ifeq ($(UBUNTU),yes)
server_recommends := ssh-import-id
else
server_recommends :=
endif
# Common path configuration.
confflags += --sysconfdir=/etc/ssh
confflags += --libexecdir=\$${prefix}/lib/openssh
# Common build options.
confflags += --disable-strip
confflags += --with-mantype=doc
confflags += --with-4in6
confflags += --with-privsep-path=/run/sshd
confflags += --with-pid-dir=/run
# The Hurd needs libcrypt for res_query et al.
ifeq ($(DEB_HOST_ARCH_OS),hurd)
confflags += --with-libs=-lcrypt
endif
# Always use the internal mkdtemp; see https://bugs.debian.org/1001186.
confflags += ac_cv_func_mkdtemp=no
# ppc64el doesn't support -fzero-call-used-regs=used, but configure fails to
# detect that.
ifeq ($(DEB_HOST_ARCH),ppc64el)
confflags += ossh_cv_cflag__fzero_call_used_regs_used=no
endif
# passwd isn't otherwise needed and may not be installed at build time.
# Ensure that sshd knows its path.
confflags += PATH_PASSWD_PROG=/usr/bin/passwd
# Everything above here is common to the deb and udeb builds.
confflags_udeb := $(confflags)
# Options specific to the deb build.
confflags += --with-tcp-wrappers
confflags += --with-pam
confflags += --with-libedit
confflags += --with-kerberos5=/usr
confflags += --with-ssl-engine
confflags += --with-wtmpdb
ifeq ($(DEB_HOST_ARCH_OS),linux)
confflags += --with-selinux
confflags += --with-audit=linux
confflags += --with-security-key-builtin
endif
# The deb build wants xauth; the udeb build doesn't.
confflags += --with-xauth=/usr/bin/xauth
confflags_udeb += --without-xauth
# Default paths. The udeb build has /usr/games removed.
confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH)
confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Compiler flags.
cflags := $(CPPFLAGS) $(CFLAGS)
cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
cflags_udeb := -Os
cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
confflags += --with-cflags='$(cflags)'
confflags_udeb += --with-cflags='$(cflags_udeb)'
# Linker flags.
confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))'
confflags_udeb += --with-ldflags='-Wl,--as-needed'
ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes) $(DEB_HOST_ARCH), yes i386)
BUILD_PACKAGES += -Nopenssh-tests
endif
%:
dh $@ --with=runit $(BUILD_PACKAGES)
override_dh_autoreconf-indep:
override_dh_auto_configure-arch:
dh_auto_configure -Bdebian/build-deb -- $(confflags)
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
dh_auto_configure -Bdebian/build-udeb -- $(confflags_udeb)
# Avoid libnsl linkage. Ugh.
perl -pi -e 's/ +-lnsl//' debian/build-udeb/config.status
cd debian/build-udeb && ./config.status
endif
# Nothing reads /var/log/btmp any more (see
# https://bugs.debian.org/1072184).
perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' debian/build-deb/config.h
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' debian/build-udeb/config.h
endif
override_dh_auto_configure-indep:
override_dh_auto_build-arch:
$(MAKE) -C debian/build-deb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
$(MAKE) -C debian/build-deb regress-prep
$(MAKE) -C debian/build-deb $(PARALLEL) regress-binaries regress-unit-binaries
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
$(MAKE) -C debian/build-udeb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen sshd-auth sshd-session
endif
ifeq ($(filter pkg.openssh.nognome,$(DEB_BUILD_PROFILES)),)
$(MAKE) -C contrib gnome-ssh-askpass3 CC='$(CC) $(CPPFLAGS) $(CFLAGS) -Wall -Wl,--as-needed $(LDFLAGS)' PKG_CONFIG=$(PKG_CONFIG)
endif
override_dh_auto_build-indep:
override_dh_auto_test-arch:
ifeq ($(RUN_TESTS),yes)
$(MAKE) -C debian/build-deb unit compat-tests
$(MAKE) -C debian/keygen-test
debian/check-ucf-md5sums
endif
override_dh_auto_test-indep:
override_dh_auto_clean:
rm -rf debian/build-deb debian/build-udeb
ifeq ($(RUN_TESTS),yes)
$(MAKE) -C debian/keygen-test clean
endif
$(MAKE) -C contrib clean
override_dh_auto_install-arch:
$(MAKE) -C debian/build-deb DESTDIR=`pwd`/debian/tmp install-nokeys
override_dh_auto_install-indep:
override_dh_install-arch:
# Remove version control tags to avoid unnecessary conffile
# resolution steps for administrators.
sed -i '/\$$OpenBSD:/d' \
debian/tmp/etc/ssh/moduli \
debian/tmp/etc/ssh/ssh_config \
debian/tmp/etc/ssh/sshd_config
dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
dh_install -popenssh-client-udeb -popenssh-server-udeb \
--sourcedir=debian/build-udeb
endif
rm -f debian/openssh-tests/usr/lib/openssh/regress/misc/sk-dummy/*.lo
override_dh_installdocs:
dh_installdocs -Nopenssh-server -Nopenssh-sftp-server
dh_installdocs -popenssh-server -popenssh-sftp-server \
--link-doc=openssh-client
# Avoid breaking dh_installexamples later.
mkdir -p debian/openssh-server/usr/share/doc/openssh-client
override_dh_installinit:
dh_installinit -R --name ssh
# Can be dropped in compat level 14
execute_after_dh_installinit:
dh_installsysusers
override_dh_installsystemd:
dh_installsystemd -popenssh-server ssh.service
dh_installsystemd -popenssh-server --no-enable ssh.socket
dh_installsystemd -popenssh-server --no-start rescue-ssh.target
dh_installsystemd -popenssh-server sshd-keygen.service
debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
ifeq ($(DEB_HOST_ARCH_OS),linux)
sed 's/^@IF_KEYINIT@//' $< > $@
else
sed '/^@IF_KEYINIT@/d' $< > $@
endif
override_dh_installpam: debian/openssh-server.sshd.pam
dh_installpam --name sshd
override_dh_runit:
dh_runit -popenssh-server
execute_after_dh_fixperms-arch:
chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
# Work around debhelper/dh-exec bug #1017023.
override_dh_missing:
dh_missing --list-missing
override_dh_gencontrol:
dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)'
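Review bot: the udeb build does not receive the hardening flags that `export DEB_BUILD_MAINT_OPTIONS := hardening=+all` together with `include /usr/share/dpkg/default.mk` provides for the deb build: `cflags_udeb := -Os` omits $(CPPFLAGS) and $(CFLAGS) (so no stack protector or _FORTIFY_SOURCE from dpkg-buildflags), and `confflags_udeb += --with-ldflags='-Wl,--as-needed'` omits $(LDFLAGS) (so no -z relro / -z now). Since the udeb targets include sshd, sshd-auth and sshd-session, either append the dpkg-buildflags values to the udeb flags as well, or add a comment stating that dropping them is deliberate for size. Separately, the unconditional `chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign` deserves a comment explaining that the setuid bit is needed so ssh-keysign can read the host private keys for HostbasedAuthentication.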

51
debian/run-tests vendored Executable file

@ -0,0 +1,51 @@
#! /bin/sh
# Run installed OpenSSH regression tests.
tmp="$1"
if [ -z "$tmp" ]; then
tmp="$(mktemp -d)"
cleanup () {
rm -rf "$tmp"
}
trap cleanup EXIT
fi
shift
if [ -z "$1" ]; then
set -- tests interop-tests
fi
# Copy the regression tests to a fresh directory; this is easier than trying
# to pick apart which ones need write access.
cp -a /usr/lib/openssh/regress "$tmp/regress"
ret=0
make -C "$tmp/regress" \
.OBJDIR="$tmp/regress" \
.CURDIR="$tmp/regress" \
BUILDDIR="$tmp/regress" \
OBJ="$tmp/regress" \
SUDO=sudo \
TEST_SHELL=/bin/sh \
TEST_SSH_SSH=/usr/bin/ssh \
TEST_SSH_SSHD_AUTH=/usr/lib/openssh/sshd-auth \
TEST_SSH_SSHD_SESSION=/usr/lib/openssh/sshd-session \
TEST_SSH_SFTPSERVER=/usr/lib/openssh/sftp-server \
TEST_SSH_PLINK=/usr/bin/plink \
TEST_SSH_PUTTYGEN=/usr/bin/puttygen \
TEST_SSH_CONCH=/usr/bin/conch3 \
TEST_SSH_DROPBEAR=/usr/bin/dropbear \
TEST_SSH_DROPBEARKEY=/usr/bin/dropbearkey \
TEST_SSH_DROPBEARCONVERT=/usr/bin/dropbearconvert \
TEST_SSH_DBCLIENT=/usr/bin/dbclient \
TEST_SSH_IPV6=yes \
TEST_SSH_ECC=yes \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
"$@" || ret="$?"
if [ "$ret" -ne 0 ]; then
for log in failed-regress.log failed-ssh.log failed-sshd.log; do
if [ -e "$tmp/regress/$log" ]; then
tail -v -n+0 "$tmp/regress/$log"
fi
done
fi
exit "$ret"
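Review bot: `shift` runs unconditionally after the `if [ -z "$tmp" ]` block, so invoking the script with no arguments leaves $# at 0 when it executes; in dash (Debian's /bin/sh) shifting past the end is an error in a special built-in and the non-interactive shell exits, so no tests run (the EXIT trap still removes the temp dir). Guard it with `if [ "$#" -gt 0 ]; then shift; fi`, or state in the header comment that the first argument (the temp directory) is required.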

13
debian/salsa-ci.yml vendored Normal file

@ -0,0 +1,13 @@
---
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
variables:
SALSA_CI_ENABLE_BUILD_PACKAGE_PROFILES: 1
test-build-profiles:
extends: .test-build-package-profiles
parallel:
matrix:
- BUILD_PROFILES: noudeb
- BUILD_PROFILES: pkg.openssh.nognome

Some files were not shown because too many files have changed in this diff.