Import Debian changes 1:8.2p1-ok1

openssh (1:8.2p1-ok1) yangtze; urgency=medium

  * Build for openKylin.
openKylinBot 2022-04-25 22:03:04 +08:00 committed by Lu zhiping
parent 1968fef375
commit 619b31ff1d
120 changed files with 11332 additions and 0 deletions

debian/.git-dpm vendored Normal file

@ -0,0 +1,12 @@
# see git-dpm(1) from git-dpm package
86fe78ef4686485394b464cf9d3393ce27b33979
86fe78ef4686485394b464cf9d3393ce27b33979
f0de78bd4f29fa688c5df116f3f9cd43543a76d0
f0de78bd4f29fa688c5df116f3f9cd43543a76d0
openssh_8.2p1.orig.tar.gz
d1ab35a93507321c5db885e02d41ce1414f0507c
1701197
debianTag="debian/%e%%%V"
patchedTag="patched/%e%%%V"
upstreamTag="upstream/%U"
signature:d3814ab57572c13bdee2037ad1477e2f7c51e1b0:683:openssh_8.2p1.orig.tar.gz.asc

debian/.gitlab-ci.yml vendored Normal file

@ -0,0 +1,12 @@
image: registry.gitlab.com/eighthave/ci-image-git-buildpackage:latest
build:
artifacts:
paths:
- "*.deb"
expire_in: 1 day
script:
- gitlab-ci-git-buildpackage-all
except:
variables:
- $CI_COMMIT_TAG != null
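Review bot: the `image:` line pins `registry.gitlab.com/eighthave/ci-image-git-buildpackage:latest`, a mutable tag, so the environment that builds the published `*.deb` artifacts can change between runs without any change to this repository; pin a specific tag or an `@sha256:` digest and bump it deliberately. The `except:` block skipping pipelines when `$CI_COMMIT_TAG != null` is not self-explanatory either; a one-line comment stating why tag builds are excluded would help the next reader.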

debian/NEWS vendored Normal file

@ -0,0 +1,321 @@
openssh (1:8.2p1-1) unstable; urgency=medium
OpenSSH 8.2 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will use
the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
CA signs new certificates.
Certificates are at special risk to SHA1 collision vulnerabilities as
an attacker has effectively unlimited time in which to craft a
collision that yields them a valid certificate, far more than the
relatively brief LoginGraceTime window that they have to forge a host
key signature.
The OpenSSH certificate format includes a CA-specified (typically
random) nonce value near the start of the certificate that should make
exploitation of chosen-prefix collisions in this context challenging,
as the attacker does not have full control over the prefix that
actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
algorithm and further improvements in attacks are highly likely.
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
algorithms and will refuse to accept certificates signed by an OpenSSH
8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
selected during signing ("ssh-keygen -t ssh-rsa"). Older
clients/servers may use another CA key type such as ssh-ed25519
(supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
* ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
key exchange proposal for both the client and server.
* ssh-keygen(1): The command-line options related to the generation and
screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have changed.
Most options have been folded under the -O flag.
* sshd(8): The sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured by
MaxStartups.
-- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 16:36:37 +0000
openssh (1:8.1p1-1) unstable; urgency=medium
OpenSSH 8.1 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible with
OpenSSH versions prior to 7.2 unless the default is overridden (using
"ssh-keygen -t ssh-rsa -s ...").
-- Colin Watson <cjwatson@debian.org> Thu, 10 Oct 2019 10:23:19 +0100
openssh (1:8.0p1-1) experimental; urgency=medium
OpenSSH 8.0 includes a number of changes that may affect existing
configurations:
* sshd(8): Remove support for obsolete "host/port" syntax.
Slash-separated host/port was added in 2001 as an alternative to
host:port syntax for the benefit of IPv6 users. These days there are
established standards for this like [::1]:22 and the slash syntax is
easily mistaken for CIDR notation, which OpenSSH supports for some
things. Remove the slash notation from ListenAddress and PermitOpen.
-- Colin Watson <cjwatson@debian.org> Sun, 09 Jun 2019 22:47:27 +0100
openssh (1:7.9p1-1) unstable; urgency=medium
OpenSSH 7.9 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
bans the use of DSA keys as certificate authorities.
* sshd(8): the authentication success/failure log message has changed
format slightly. It now includes the certificate fingerprint
(previously it included only key ID and CA key fingerprint).
-- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100
openssh (1:7.8p1-1) unstable; urgency=medium
OpenSSH 7.8 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
releases since 2014 and described in the PROTOCOL.key file in the
source distribution, offers substantially better protection against
offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m
PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for these
options).
* sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
-- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100
openssh (1:7.6p1-1) unstable; urgency=medium
OpenSSH 7.6 includes a number of changes that may affect existing
configurations:
* ssh(1): Delete SSH protocol version 1 support, associated configuration
options and documentation.
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): Do not offer CBC ciphers by default.
-- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100
openssh (1:7.5p1-1) experimental; urgency=medium
OpenSSH 7.5 includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and their
authentication state. Software that monitors ssh/sshd logs may need to
account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
-- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100
openssh (1:7.4p1-7) unstable; urgency=medium
This version restores the default for AuthorizedKeysFile to search both
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
you are only using ~/.ssh/authorized_keys, at least for critical
administrative access; do not assume that the current default will remain
in place forever.
-- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
configurations:
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting to
older devices using the default configuration, but it's highly likely
that such devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the
1990s, but today it's clearly a bad idea in terms of both cryptography
(cf. multiple compression oracle attacks in TLS) and attack surface.
Pre-auth compression support has been disabled by default for >10
years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
trusted paths by default. The path whitelist may be specified at
run-time.
* sshd(8): When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, sshd will now refuse
to accept the certificate unless they are identical. The previous
(documented) behaviour of having the certificate forced-command
override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for
having /bin/login manage login sessions.
The unprivileged sshd process that deals with pre-authentication network
traffic is now subject to additional sandboxing restrictions by default:
that is, the default sshd_config now sets UsePrivilegeSeparation to
"sandbox" rather than "yes". This has been the case upstream for a while,
but until now the Debian configuration diverged unnecessarily.
-- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
openssh (1:6.7p1-5) unstable; urgency=medium
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
a number of specific LC_FOO variables rather than the wildcard LC_*. I
have since been persuaded that this was a bad idea and have reverted it,
but it is difficult to automatically undo the change to
/etc/ssh/sshd_config without compounding the problem (that of modifying
configuration that some users did not want to be modified) further. Most
users who upgraded via version 1:6.7p1-4 should restore the previous value
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
-- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
openssh (1:5.4p1-2) unstable; urgency=low
Smartcard support is now available using PKCS#11 tokens. If you were
previously using an unofficial build of Debian's OpenSSH package with
OpenSC-based smartcard support added, then note that commands like
'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
/usr/lib/opensc-pkcs11.so' instead.
-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
openssh (1:3.8.1p1-9) experimental; urgency=low
The ssh package has been split into openssh-client and openssh-server. If
you had previously requested that the sshd server should not be run, then
that request will still be honoured. However, the recommended approach is
now to remove the openssh-server package if you do not want to run sshd.
You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
that.
-- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
openssh (1:3.5p1-1) unstable; urgency=low
This version of OpenSSH disables the environment option for public keys by
default, in order to avoid certain attacks (for example, LD_PRELOAD). If
you are using this option in an authorized_keys file, beware that the keys
in question will no longer work until the option is removed.
To re-enable this option, set "PermitUserEnvironment yes" in
/etc/ssh/sshd_config after the upgrade is complete, taking note of the
warning in the sshd_config(5) manual page.
-- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
openssh (1:3.0.1p1-1) unstable; urgency=high
As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
keys. This means the authorized_keys2 and known_hosts2 files are no longer
needed. They will still be read in order to maintain backward
compatibility.
-- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
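Review bot: the 1:7.8p1-1 entry states that the default IPQoS has changed to DSCP AF21/CS1, but README.Debian in this same commit has a section "IPQoS defaults reverted to pre-7.8 values" saying the Debian package reverts exactly that change; add a sentence to the 7.8 entry pointing at the revert so the two shipped documents do not contradict each other. Minor: the two `http://www.openssh.com/legacy.html` links in the 1:7.1p1-2 entry could use https.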

debian/README.Debian vendored Normal file

@ -0,0 +1,295 @@
OpenSSH for Debian
------------------
UPGRADE ISSUES
==============
PermitRootLogin
---------------
As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
without-password" (or the synonymous "PermitRootLogin prohibit-password" as
of 1:7.1p1-1). This disables password authentication for root, foiling
password dictionary attacks on the root user. Some sites may wish to use
the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
but note that "PermitRootLogin no" will break setups that SSH to root with a
forced command to take full-system backups. You can use PermitRootLogin in
a Match block if you want finer-grained control here.
For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
line with upstream. To avoid breaking local setups, this is still true for
installations upgraded from before 1:6.6p1-1. If you wish to change this,
you should edit /etc/ssh/sshd_config, change it manually, and run "service
ssh restart" as root.
Disabling PermitRootLogin means that an attacker possessing credentials for
the root account (any credentials in the case of "yes", or private key
material in the case of "prohibit-password") must compromise a normal user
account rather than being able to SSH directly to root. Be careful to avoid
a false illusion of security if you change this setting; any account you
escalate to root from should be considered equivalent to root for the
purposes of security against external attack. You might for example disable
it if you know you will only ever log in as root from the physical console.
Since the root account does not generally have non-password credentials
unless you explicitly install an SSH public key in its
~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
it, "prohibit-password" should be a reasonable default for most sites.
As of OpenSSH 7.0, this is the upstream default.
For further discussion, see:
https://bugs.debian.org/298138
https://bugzilla.mindrot.org/show_bug.cgi?id=2164
X11 Forwarding
--------------
ssh's default for ForwardX11 has been changed to ``no'' because it has
been pointed out that logging into remote systems administered by
untrusted people is likely to open you up to X11 attacks, so you
should have to actively decide that you trust the remote machine's
root, before enabling X11. I strongly recommend that you do this on a
machine-by-machine basis, rather than just enabling it in the default
host settings.
In order for X11 forwarding to work, you need to install xauth on the
server. In Debian this is in the xbase-clients package.
As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce
the security risks of X11 forwarding. Look up X11UseLocalhost in
sshd_config(8) if this is a problem.
OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the
ssh client to create an untrusted X cookie so that attacks on the
forwarded X11 connection can't become attacks on X clients on the remote
machine. However, this has some problems in implementation - notably a
very short timeout of the untrusted cookie - breaks large numbers of
existing setups, and generally seems immature. The Debian package
therefore sets the default for this option to "yes" (in ssh itself,
rather than in ssh_config).
Fallback to RSH
---------------
The default for this setting has been changed from Yes to No, for
security reasons, and to stop the delay attempting to rsh to machines
that don't offer the service. Simply switch it back on in either
/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
it for.
Setgid ssh-agent and environment variables
------------------------------------------
As of version 1:3.5p1-1, ssh-agent is installed setgid to prevent ptrace()
attacks retrieving private key material. This has the side-effect of causing
glibc to remove certain environment variables which might have security
implications for set-id programs, including LD_PRELOAD, LD_LIBRARY_PATH, and
TMPDIR.
If you need to set any of these environment variables, you will need to do
so in the program exec()ed by ssh-agent. This may involve creating a small
wrapper script.
Symlink Hostname invocation
---------------------------
This version of ssh no longer includes support for invoking ssh with the
hostname as the name of the file run. People wanting this support should
use the ssh-argv0 script.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
OTHER ISSUES
============
Authorization Forwarding
------------------------
Similarly, root on a remote server could make use of your ssh-agent
(while you're logged into their machine) to obtain access to machines
which trust your keys. This feature is therefore disabled by default.
You should only re-enable it for those hosts (in your ~/.ssh/config or
/etc/ssh/ssh_config) where you are confident that the remote machine
is not a threat.
Problems logging in with RSA authentication
-------------------------------------------
If you have trouble logging in with RSA authentication then the
problem is probably caused by the fact that you have your home
directory writable by group, as well as user (this is the default on
Debian systems).
Depending upon other settings on your system (i.e. other users being
in your group) this could open a security hole, so you will need to
make your home directory writable only by yourself. Run this command,
as yourself:
chmod g-w ~/
to remove group write permissions. If you use ssh-copy-id to install your
keys, it does this for you.
-L option of ssh nonfree
------------------------
non-free ssh supported the usage of the option -L to use a non privileged
port for scp. This option will not be supported by scp from openssh.
Please use instead scp -o "UsePrivilegedPort=no" as documented in the
manpage to scp itself.
Problem logging in because of TCP-Wrappers
------------------------------------------
ssh is compiled with support for tcp-wrappers. So if you can no longer
log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
are configured so that ssh is not blocked.
Kerberos support
----------------
ssh is now compiled with Kerberos support. Unfortunately, privilege
separation is incompatible with parts of Kerberos support for protocol 2;
you may need to run kinit after logging in.
Interoperability between scp and the ssh.com SSH server
-------------------------------------------------------
In version 2 and greater of the commercial SSH server produced by SSH
Communications Security, scp was changed to use SFTP (SSH2's file transfer
protocol) instead of the traditional rcp-over-ssh, thereby breaking
compatibility. The OpenSSH developers regard this as a bug in the ssh.com
server, and do not currently intend to change OpenSSH's scp to match.
Workarounds for this problem are to install scp1 on the server (scp2 will
fall back to it), to use sftp, or to use some other transfer mechanism such
as rsync-over-ssh or tar-over-ssh.
Running sshd from inittab
-------------------------
Some people find it useful to run the sshd server from inittab, to make sure
that it always stays running. To do this, stop sshd ('service ssh stop'),
add the following line to /etc/inittab, and run 'telinit q':
ss:2345:respawn:/usr/sbin/sshd -D
If you do this, note that you will need to stop sshd being started in the
normal way ('update-rc.d ssh disable') and that you will need to restart
this sshd manually on upgrades.
Per-connection sshd instances with systemd
------------------------------------------
If you want to reconfigure systemd to listen on port 22 itself and launch an
instance of sshd for each connection (inetd-style socket activation), then
you can run:
systemctl stop ssh.service
systemctl start ssh.socket
To make this permanent:
systemctl disable ssh.service
systemctl enable ssh.socket
This may be appropriate in environments where minimal footprint is critical
(e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
MaxConnections cannot quite replace this as it cannot distinguish between
authenticated and unauthenticated connections; see
https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.
The provided ssh.socket unit file sets ListenStream=22. If you need to have
it listen on a different address or port, then you will need to do this as
follows (modifying ListenStream to match your requirements):
mkdir -p /etc/systemd/system/ssh.socket.d
cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
[Socket]
ListenStream=2222
EOF
systemctl daemon-reload
See systemd.socket(5) for details.
Terminating SSH sessions cleanly on shutdown/reboot with systemd
----------------------------------------------------------------
If you have libpam-systemd >= 230 installed (following openssh-server's
Recommends) and "UsePAM yes" in sshd_config (the default configuration
shipped by this package), then SSH sessions will be terminated cleanly when
the server is shut down or rebooted.
If either of these conditions does not hold, then you may find that SSH
sessions hang silently when the server is shut down or rebooted. If you do
not want to use PAM or configure it properly for whatever reason, then you
can instead copy
/usr/share/doc/openssh-server/examples/ssh-session-cleanup.service to
/etc/systemd/system/ and run "systemctl enable ssh-session-cleanup.service".
Non-systemd users may find /usr/lib/openssh/ssh-session-cleanup helpful if
they have a similar problem, although at present there is no system
integration for this for anything other than systemd.
SSH protocol 1 server support removed
-------------------------------------
sshd(8) no longer supports the old SSH protocol 1, so all the configuration
options related to it are now deprecated and should be removed from
/etc/ssh/sshd_config. These are:
KeyRegenerationInterval
RSAAuthentication
RhostsRSAAuthentication
ServerKeyBits
The Protocol option is also no longer needed, although it is silently
ignored rather than deprecated.
if-up hook removed
------------------
openssh-server previously shipped an if-up hook that restarted sshd when a
network interface came up. This generally caused more problems than it
solved: for instance, it means that sshd stops listening briefly while being
restarted, which can cause problems in some environments, particularly
automated tests.
The only known situation where the if-up hook was useful was when
sshd_config was changed to add ListenAddress entries for particular IP
addresses, overriding the default of listening on all addresses, and the
system is one that often roams between networks. In such a situation, it is
better to remove ListenAddress entries from sshd_config (restoring it to the
default behaviour) and instead use firewall rules to restrict incoming SSH
connections to only the desired interfaces or addresses.
For further discussion, see:
https://bugs.launchpad.net/bugs/1674330
IPQoS defaults reverted to pre-7.8 values
-----------------------------------------
OpenSSH 7.8 changed the default IPQoS settings to use DSCP AF21 for
interactive traffic and CS1 for bulk. This caused some problems with other
software ("iptables -m tos" and VMware), so Debian's OpenSSH reverts this
change for the time being.
This is *temporary*, and we expect to come back into sync with upstream
OpenSSH once those other issues have been fixed. If you want to restore the
upstream default, add this to ssh_config and sshd_config:
IPQoS af21 cs1
For further discussion, see:
https://bugs.debian.org/923879
https://bugs.debian.org/926229
https://bugs.launchpad.net/1822370
--
Matthew Vernon <matthew@debian.org>
Colin Watson <cjwatson@debian.org>
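Review bot: several sections under OTHER ISSUES describe state that the rest of this packaging has already moved past. "Kerberos support" says privilege separation is incompatible with parts of Kerberos support "for protocol 2", yet the NEWS file in this commit records that protocol 1 support is gone and that privilege separation became mandatory in 7.5, so the caveat as worded no longer makes sense; and "Authorization Forwarding" opens with "Similarly," although nothing precedes it under that heading to compare against. Reword those two, and check whether "Fallback to RSH" and "-L option of ssh nonfree" still describe options that an 8.2 ssh_config(5) documents, pruning them if not, so the upgrade notes only mention settings a reader can actually find.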

debian/adjust-openssl-dependencies vendored Executable file

@ -0,0 +1,36 @@
#! /bin/sh
# Attempt to tighten libssl dependencies to match the check in entropy.c.
# Must be run after dpkg-shlibdeps.
client=debian/openssh-client.substvars
server=debian/openssh-server.substvars
libssl_version="$(dpkg-query -W libssl-dev 2>/dev/null | cut -f2)"
if [ -z "$libssl_version" ]; then
echo "Can't find libssl-dev version; leaving dependencies alone."
exit 0
fi
libssl_version="$(echo "$libssl_version" | sed 's/[a-z-].*//')"
libssl_package="$(sed -n 's/.*[= ]\(libssl[0-9][a-z0-9+.-]*\).*/\1/p' "$client")"
if [ "$libssl_package" ]; then
new_dep="$libssl_package (>= $libssl_version)"
sed -i "/^shlibs:Depends=/s/\$/, $new_dep/" "$client"
sed -i "/^shlibs:Depends=/s/\$/, $new_dep/" "$server"
fi
client_udeb=debian/openssh-client-udeb.substvars
server_udeb=debian/openssh-server-udeb.substvars
libcrypto_package="$(sed -n 's/.*[= ]\(libcrypto[0-9][a-z0-9+.-]*\).*/\1/p' "$client_udeb")"
if [ "$libcrypto_package" ]; then
new_dep="$libcrypto_package (>= $libssl_version)"
if [ -e "$client_udeb" ]; then
sed -i "/^shlibs:Depends=/s/\$/, $new_dep/" "$client_udeb"
fi
if [ -e "$server_udeb" ]; then
sed -i "/^shlibs:Depends=/s/\$/, $new_dep/" "$server_udeb"
fi
fi
exit 0
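Review bot: the client/server branch runs `sed -i` on `$server` (debian/openssh-server.substvars) without the `[ -e ... ]` guard that the udeb branch applies to `$client_udeb` and `$server_udeb`, so a build that does not produce the server substvars fails here with a sed error on a missing file; apply the same guard to `$client` and `$server` for consistency. In addition, `libssl_package` is parsed only from the client substvars and then appended to both files; if the server binary ever links a different libssl package than the client, the server dependency is silently wrong. Parsing each substvars file separately, or at least asserting that both contain the same `libssl*` package name, would make the tightening robust.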

debian/agent-launch vendored Executable file

@ -0,0 +1,23 @@
#!/bin/sh
# helper script for launching ssh-agent, used by systemd unit
set -e
if [ ! -d "$XDG_RUNTIME_DIR" ]; then
echo 'This needs $XDG_RUNTIME_DIR to be set' >&2
exit 1
fi
if [ "$1" = start ]; then
if [ -z "$SSH_AUTH_SOCK" ] && grep -s -q '^use-ssh-agent$' /etc/X11/Xsession.options; then
S="$XDG_RUNTIME_DIR/openssh_agent"
dbus-update-activation-environment --verbose --systemd SSH_AUTH_SOCK=$S SSH_AGENT_LAUNCHER=openssh
exec ssh-agent -D -a $S
fi
elif [ "$1" = stop ]; then
if [ "$SSH_AGENT_LAUNCHER" = openssh ]; then
dbus-update-activation-environment --systemd SSH_AUTH_SOCK=
fi
else
echo "Unknown command $1" >&2
exit 1
fi
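Review bot: `$S` is expanded unquoted in both `SSH_AUTH_SOCK=$S` and `exec ssh-agent -D -a $S`, so an `XDG_RUNTIME_DIR` containing whitespace or glob characters is word-split and the agent binds to the wrong path; quote both as `"$S"`, matching the quoting already used for `"$XDG_RUNTIME_DIR"` on the `-d` test. The `stop` branch also only clears `SSH_AUTH_SOCK` in the activation environment and never touches `$XDG_RUNTIME_DIR/openssh_agent`, so a socket left behind by an unclean agent exit stays on disk; either document that this is intentional (ssh-agent removes it itself on a normal exit) or remove it explicitly so the next `start` cannot collide with a stale file.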

debian/changelog vendored Normal file

@ -0,0 +1,5 @@
openssh (1:8.2p1-ok1) yangtze; urgency=medium
* Build for openKylin.
-- openKylinBot <openKylinBot@openkylin.com> Mon, 25 Apr 2022 22:03:04 +0800

debian/clean vendored Normal file

@ -0,0 +1,2 @@
config.log
debian/openssh-server.sshd.pam

debian/control vendored Normal file

@ -0,0 +1,240 @@
Source: openssh
Section: net
Priority: standard
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Build-Depends: autotools-dev,
debhelper (>= 9.20160709~),
debhelper-compat (= 9),
dh-autoreconf,
dh-exec,
dh-runit (>= 2.8.8),
dpkg-dev (>= 1.16.1~),
libaudit-dev [linux-any],
libedit-dev,
libfido2-dev [linux-any],
libgtk-3-dev <!pkg.openssh.nognome>,
libkrb5-dev | heimdal-dev,
libpam0g-dev | libpam-dev,
libselinux1-dev [linux-any],
libssl-dev (>= 1.1.0g),
libsystemd-dev [linux-any],
libwrap0-dev | libwrap-dev,
pkg-config,
zlib1g-dev (>= 1:1.2.3),
Standards-Version: 4.1.0
Uploaders: Colin Watson <cjwatson@debian.org>,
Matthew Vernon <matthew@debian.org>,
Homepage: http://www.openssh.com/
Vcs-Git: https://salsa.debian.org/ssh-team/openssh.git
Vcs-Browser: https://salsa.debian.org/ssh-team/openssh
Package: openssh-client
Architecture: any
Depends: adduser (>= 3.10),
dpkg (>= 1.7.0),
passwd,
${misc:Depends},
${shlibs:Depends},
Recommends: xauth,
Conflicts: sftp,
Breaks: openssh-sk-helper
Replaces: openssh-sk-helper,
ssh,
ssh-krb5,
Suggests: keychain,
libpam-ssh,
monkeysphere,
ssh-askpass,
Provides: rsh-client,
ssh-client,
Multi-Arch: foreign
Description: secure shell (SSH) client, for secure access to remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the ssh, scp and sftp clients, the ssh-agent
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
ssh replaces the insecure rsh, rcp and rlogin programs, which are
obsolete for most purposes.
Package: openssh-server
Priority: optional
Architecture: any
Pre-Depends: ${misc:Pre-Depends},
Depends: adduser (>= 3.9),
dpkg (>= 1.9.0),
libpam-modules (>= 0.72-0),
libpam-runtime (>= 0.76-0),
lsb-base (>= 4.1+Debian3),
openssh-client (= ${binary:Version}),
openssh-sftp-server,
procps,
ucf (>= 0.28),
${misc:Depends},
${shlibs:Depends},
Recommends: default-logind | logind | libpam-systemd,
ncurses-term,
xauth,
${openssh-server:Recommends},
Conflicts: sftp,
ssh-socks,
ssh2,
Replaces: openssh-client (<< 1:7.9p1-0),
ssh,
ssh-krb5,
Breaks: ${runit:Breaks},
Suggests: molly-guard,
monkeysphere,
ssh-askpass,
ufw,
Provides: ssh-server,
Multi-Arch: foreign
Description: secure shell (SSH) server, for secure access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the sshd server.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
sshd replaces the insecure rshd program, which is obsolete for most
purposes.
Package: openssh-sftp-server
Priority: optional
Architecture: any
Depends: ${misc:Depends},
${shlibs:Depends},
Recommends: openssh-server | ssh-server,
Breaks: openssh-server (<< 1:6.5p1-0),
Replaces: openssh-server (<< 1:6.5p1-0),
Enhances: openssh-server,
ssh-server,
Multi-Arch: foreign
Description: secure shell (SSH) sftp server module, for SFTP access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the SFTP server module for the SSH server. It
is needed if you want to access your SSH server with SFTP. The SFTP
server module also works with other SSH daemons like dropbear.
.
OpenSSH's sftp and sftp-server implement revision 3 of the SSH filexfer
protocol described in:
.
http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
.
Newer versions of the draft will not be supported, though some features
are individually implemented as extensions.
Package: openssh-tests
Priority: optional
Architecture: any
Depends: openssh-client (= ${binary:Version}),
openssh-server (= ${binary:Version}),
openssh-sftp-server (= ${binary:Version}),
openssl,
putty-tools (>= 0.67-0),
python3-twisted,
${misc:Depends},
${shlibs:Depends},
Multi-Arch: foreign
Description: OpenSSH regression tests
This package provides OpenSSH's regression test suite. It is mainly
intended for use with the autopkgtest system, though can also be run
directly using /usr/lib/openssh/regress/run-tests.
Package: ssh
Priority: optional
Architecture: all
Pre-Depends: dpkg (>= 1.17.5),
Depends: openssh-client (>= ${binary:Version}),
openssh-server (>= ${binary:Version}),
${misc:Depends},
Multi-Arch: foreign
Description: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
and the OpenSSH server. It provides nothing in and of itself, so you
may remove it if nothing depends on it.
Package: ssh-askpass-gnome
Build-Profiles: <!pkg.openssh.nognome>
Section: gnome
Priority: optional
Architecture: any
Depends: openssh-client | ssh (>= 1:1.2pre7-0),
${misc:Depends},
${shlibs:Depends},
Replaces: ssh (<< 1:3.5p1-0),
Provides: ssh-askpass,
Multi-Arch: foreign
Description: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main openssh-client package so that
openssh-client does not need to depend on GTK+.
.
You probably want the ssh-askpass package instead, but this is
provided to add to your choice and/or confusion.
Package: openssh-client-udeb
Build-Profiles: <!noudeb>
Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
Depends: ${shlibs:Depends},
XB-Installer-Menu-Item: 99999
Description: secure shell client for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the ssh client for use in debian-installer.
Package: openssh-server-udeb
Build-Profiles: <!noudeb>
Package-Type: udeb
Section: debian-installer
Priority: optional
Architecture: any
Depends: ${shlibs:Depends},
Description: secure shell server for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the sshd server for use in debian-installer.
Since it is expected to be used in specialized situations (e.g. S/390
installs with no console), it does not provide any configuration.
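Review bot: the `Homepage: http://www.openssh.com/` field and the `http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt` link in the openssh-sftp-server description both point at plain-http URLs; switch them to https so readers following them are not served the page over an unauthenticated connection. Separately, `Build-Depends` lists both `autotools-dev` and `dh-autoreconf`; once `dh-autoreconf` is in use, `autotools-dev` is typically redundant and can be dropped.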

247
debian/copyright vendored Normal file
@ -0,0 +1,247 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: OpenSSH
Upstream-Contact: openssh-unix-dev@mindrot.org
Source: http://www.openssh.com/portable.html
Comment:
The overall licence of the OpenSSH upstream code amounts to BSD-3-clause or
various less restrictive licences, with the additional restrictions that
derived versions must be clearly marked as such and that if derived works
are incompatible with the RFC-specified protocol then they must be called
by a name other than "ssh" or "Secure Shell".
Files: *
Copyright:
1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Ben Lindstrom
Tim Rice
Andre Lucas
Chris Adams
Corinna Vinschen
Cray Inc.
Denis Parker
Gert Doering
Jakob Schlyter
Jason Downs
Juha Yrjölä
Michael Stone
Networks Associates Technology, Inc.
Solar Designer
Todd C. Miller
Wayne Schroeder
William Jones
Darren Tucker
Sun Microsystems
The SCO Group
Daniel Walsh
Red Hat, Inc
Simon Vallet / Genoscope
Internet Software Consortium
Reyk Floeter
Chad Mynhier
License: OpenSSH
Tatu Ylonen's original licence is as follows (excluding some terms about
third-party code which are no longer relevant; see the LICENCE file for
details):
.
As far as I am concerned, the code I have written for this software
can be used freely for any purpose. Any derived versions of this
software must be clearly marked as such, and if the derived work is
incompatible with the protocol description in the RFC file, it must be
called by a name other than "ssh" or "Secure Shell".
.
Note that any information and cryptographic algorithms used in this
software are publicly available on the Internet and at any major
bookstore, scientific library, and patent office worldwide. More
information can be found e.g. at "http://www.cs.hut.fi/crypto".
.
The legal status of this program is some combination of all these
permissions and restrictions. Use only at your own responsibility.
You will be responsible for any legal consequences yourself; I am not
making any claims whether possessing or using this is legal or not in
your country, and I am not taking any responsibility on your behalf.
.
Most remaining components of the software are provided under a standard
2-term BSD licence:
.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.
Some code is licensed under an ISC-style license, to the following
copyright holders:
.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
.
THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Files: ssh-keyscan.*
Copyright: 1995, 1996 David Mazieres <dm@lcs.mit.edu>
License: Mazieres-BSD-style
Modification and redistribution in source and binary forms is
permitted provided that due credit is given to the author and the
OpenBSD project by leaving this copyright notice intact.
Files: rijndael.*
License: public-domain
This code is from a reference implementation of the Rijndael cipher which
has been dedicated to the public domain.
.
@version 3.0 (December 2000)
.
Optimised ANSI C code for the Rijndael cipher (now AES)
.
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
.
This code is hereby placed in the public domain.
.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Files: loginrec.c openbsd-compat/* scp.c
Copyright:
1983, 1995-1997 Eric P. Allman
1999 Aaron Campbell
1993 by Digital Equipment Corporation
2000 Andre Lucas
1999-2010 Damien Miller
1997-2010 Todd C. Miller
1995, 1996, 1998, 1999, 2008 Theo de Raadt
2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
1980, 1983, 1987, 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995 The Regents of the University of California
License: BSD-3-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Files: md5crypt.*
Copyright: Poul-Henning Kamp
License: Beer-ware
"THE BEER-WARE LICENSE" (Revision 42):
<phk@login.dknet.dk> wrote this file. As long as you retain this
notice you can do whatever you want with this stuff. If we meet
some day, and you think this stuff is worth it, you can buy me a
beer in return. Poul-Henning Kamp
Files: openbsd-compat/bsd-snprintf.c
Copyright: 1995 Patrick Powell
License: Powell-BSD-style
This code is based on code written by Patrick Powell
(papowell@astart.com) It may be used for any purpose as long as this
notice remains intact on all source code distributions
Files: openbsd-compat/sigact.*
Copyright: 1998, 2000 Free Software Foundation, Inc.
License: Expat-with-advertising-restriction
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, distribute with modifications, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
.
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE.
.
Except as contained in this notice, the name(s) of the above copyright
holders shall not be used in advertising or otherwise to promote the
sale, use or other dealings in this Software without prior written
authorization.
Files: debian/*
Copyright: Matthew Vernon, Colin Watson
License: BSD-2-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
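Review bot: the `Files: rijndael.*` paragraph has no `Copyright:` field (DEP-5 requires one in every Files paragraph), and the `License: OpenSSH` text says "Some code is licensed under an ISC-style license, to the following copyright holders:" but no holders follow before the licence text. Add the authors already named in the paragraph (Vincent Rijmen, Antoon Bosselaers, Paulo Barreto) as the `Copyright:` holders for rijndael.*, and either list the ISC-style holders or reword the sentence so it does not promise a list.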

1187
debian/faq.html vendored Normal file

File diff suppressed because it is too large

51
debian/gnome-ssh-askpass.1 vendored Normal file
@ -0,0 +1,51 @@
.TH GNOME-SSH-ASKPASS 1
.SH NAME
gnome\-ssh\-askpass \- prompts a user for a passphrase using GNOME
.SH SYNOPSIS
.B gnome\-ssh\-askpass
.SH DESCRIPTION
.B gnome\-ssh\-askpass
is a GNOME-based passphrase dialog for use with OpenSSH.
It is intended to be called by the
.BR ssh\-add (1)
program and not invoked directly.
It allows
.BR ssh\-add (1)
to obtain a passphrase from a user, even if not connected to a terminal
(assuming that an X display is available).
This happens automatically in the case where
.B ssh\-add
is invoked from one's
.B ~/.xsession
or as one of the GNOME startup programs, for example.
.PP
In order to be called automatically by
.BR ssh\-add ,
.B gnome\-ssh\-askpass
should be installed as
.IR /usr/bin/ssh\-askpass .
.SH "ENVIRONMENT VARIABLES"
The following environment variables are recognized:
.TP
.I GNOME_SSH_ASKPASS_GRAB_SERVER
Causes
.B gnome\-ssh\-askpass
to grab the X server before asking for a passphrase.
.TP
.I GNOME_SSH_ASKPASS_GRAB_POINTER
Causes
.B gnome\-ssh\-askpass
to grab the mouse pointer using
.IR gdk_pointer_grab ()
before asking for a passphrase.
.PP
Regardless of whether either of these environment variables is set,
.B gnome\-ssh\-askpass
will grab the keyboard using
.IR gdk_keyboard_grab ().
.SH AUTHOR
This manual page was written by Colin Watson <cjwatson@debian.org>
for the Debian system (but may be used by others).
It was based on that for
.B x11\-ssh\-askpass
by Philip Hands.
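Review bot: the ENVIRONMENT VARIABLES section does not say what value `GNOME_SSH_ASKPASS_GRAB_SERVER` and `GNOME_SSH_ASKPASS_GRAB_POINTER` must hold (merely being set, or a specific value), and there is no SEE ALSO section for `ssh-add(1)` and `ssh-askpass` even though the DESCRIPTION refers to both. State the expected value for each variable and add a `.SH "SEE ALSO"` entry pointing at `.BR ssh\-add (1)`.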

12
debian/keygen-test/Makefile vendored Normal file
@ -0,0 +1,12 @@
test: getpid.so
chmod +x keygen-test
./keygen-test
getpid.o: getpid.c
gcc -fPIC -c $< -o $@
getpid.so: getpid.o
gcc -shared -o $@ $<
clean:
rm -f getpid.o getpid.so key1 key1.pub key2 key2.pub
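Review bot: `test` and `clean` are not declared phony, so a file named `test` or `clean` in the directory would make `make test` silently do nothing; add `.PHONY: test clean`. The recipes also hard-code `gcc` rather than `$(CC)` and pass no `$(CFLAGS)`, which makes the shared object harder to build with the packaging's hardening flags.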

39
debian/keygen-test/getpid.c vendored Normal file
@ -0,0 +1,39 @@
/*
* Compile:
gcc -fPIC -c getpid.c -o getpid.o
gcc -shared -o getpid.so getpid.o
* Use:
FORCE_PID=1234 LD_PRELOAD=./getpid.so bash
#
# Copyright (C) 2001-2008 Kees Cook
# kees@outflux.net, http://outflux.net/
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# http://www.gnu.org/copyleft/gpl.html
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
pid_t getpid(void)
{
return atoi(getenv("FORCE_PID"));
}
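Review bot: `return atoi(getenv("FORCE_PID"));` dereferences a NULL pointer when FORCE_PID is unset, so any process that picks up this LD_PRELOAD without the variable crashes inside getpid(). Check the result of getenv() and fall back to the real getpid() (via dlsym(RTLD_NEXT, "getpid")) or a fixed value when it is absent.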

12
debian/keygen-test/keygen-test vendored Executable file
@ -0,0 +1,12 @@
#! /bin/sh
rm -f key1 key1.pub key2 key2.pub
LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
../build-deb/ssh-keygen -N '' -f key1 >/dev/null
LD_PRELOAD="$(pwd)/getpid.so" FORCE_PID=1234 \
../build-deb/ssh-keygen -N '' -f key2 >/dev/null
if cmp -s key1 key2; then
echo "Generated two identical keys!" >&2
exit 1
fi
exit 0
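Review bot: the test passes vacuously if ssh-keygen fails: there is no `set -e`, and when `../build-deb/ssh-keygen` is missing or errors out, neither key1 nor key2 exists, so `cmp -s key1 key2` returns non-zero and the script exits 0 as though the keys differed. Add `set -e` after the shebang and check that both key files exist before comparing; the purpose of the test (two runs under the same forced PID must not yield identical keys) also deserves a comment at the top.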

3
debian/openssh-client-udeb.install vendored Normal file
@ -0,0 +1,3 @@
scp usr/bin
sftp usr/bin
ssh usr/bin

35
debian/openssh-client.apport vendored Normal file
@ -0,0 +1,35 @@
'''apport hook for openssh-client
(c) 2010 Canonical Ltd.
Author: Chuck Short <chuck.short@canonical.com>
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See http://www.gnu.org/copyleft/gpl.html for
the full text of the license.
'''
from apport.hookutils import (
attach_conffiles,
attach_related_packages,
command_output,
)
def add_info(report, ui):
response = ui.yesno("The contents of your /etc/ssh/ssh_config file "
"may help developers diagnose your bug more "
"quickly. However, it may contain sensitive "
"information. Do you want to include it in your "
"bug report?")
if response == None: # user cancelled
raise StopIteration
elif response:
attach_conffiles(report, 'openssh-client')
attach_related_packages(report,
['ssh-askpass', 'libpam-ssh', 'keychain', 'ssh-askpass-gnome'])
report['SSHClientVersion'] = command_output(['/usr/bin/ssh', '-V'])
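Review bot: `if response == None:` should be `if response is None:`; `None` is a singleton and identity comparison is the idiomatic (and PEP 8 mandated) form. The same pattern appears in the openssh-server apport hook below.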

1
debian/openssh-client.dirs vendored Normal file
@ -0,0 +1 @@
etc/ssh/ssh_config.d

5
debian/openssh-client.docs vendored Normal file
@ -0,0 +1,5 @@
OVERVIEW
README
README.dns
README.tun
debian/faq.html

36
debian/openssh-client.install vendored Executable file
@ -0,0 +1,36 @@
#! /usr/bin/dh-exec
etc/ssh/ssh_config
usr/bin/scp
usr/bin/sftp
usr/bin/ssh
usr/bin/ssh-add
usr/bin/ssh-agent
usr/bin/ssh-keygen
usr/bin/ssh-keyscan
usr/lib/openssh/ssh-keysign
usr/lib/openssh/ssh-pkcs11-helper
usr/lib/openssh/ssh-sk-helper
usr/share/man/man1/scp.1
usr/share/man/man1/sftp.1
usr/share/man/man1/ssh-add.1
usr/share/man/man1/ssh-agent.1
usr/share/man/man1/ssh-keygen.1
usr/share/man/man1/ssh-keyscan.1
usr/share/man/man1/ssh.1
usr/share/man/man5/ssh_config.5
usr/share/man/man8/ssh-keysign.8
usr/share/man/man8/ssh-pkcs11-helper.8
usr/share/man/man8/ssh-sk-helper.8
contrib/ssh-copy-id usr/bin
debian/ssh-argv0 usr/bin
debian/agent-launch usr/lib/openssh
# dh_apport would be neater, but at the time of writing it isn't in unstable
# yet.
debian/openssh-client.apport => usr/share/apport/package-hooks/openssh-client.py
# systemd user unit (only used under sessions)
debian/systemd/ssh-agent.service usr/lib/systemd/user

4
debian/openssh-client.links vendored Normal file
@ -0,0 +1,4 @@
usr/bin/ssh usr/bin/slogin
usr/share/man/man1/ssh.1 usr/share/man/man1/slogin.1
# enable systemd user unit for graphical sessions that use systemd
usr/lib/systemd/user/ssh-agent.service usr/lib/systemd/user/graphical-session-pre.target.wants/ssh-agent.service

@ -0,0 +1 @@
openssh-client: setuid-binary usr/lib/openssh/ssh-keysign 4755 root/root
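Review bot: the override for `usr/lib/openssh/ssh-keysign 4755 root/root` carries no comment explaining why the setuid bit is required; lintian override files accept `#` comment lines above an override, so add one stating that ssh-keysign must read the host private keys to sign host-based authentication challenges and therefore has to run as root.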

1
debian/openssh-client.maintscript vendored Normal file
@ -0,0 +1 @@
rm_conffile /etc/ssh/moduli 1:7.9p1-8~

2
debian/openssh-client.manpages vendored Normal file
@ -0,0 +1,2 @@
contrib/ssh-copy-id.1
debian/ssh-argv0.1

45
debian/openssh-client.postinst vendored Normal file
@ -0,0 +1,45 @@
#!/bin/sh
set -e
action="$1"
oldversion="$2"
umask 022
create_alternatives() {
# Create alternatives for the various r* tools.
# Make sure we don't change existing alternatives that a user might have
# changed, but clean up after some old alternatives that mistakenly pointed
# rlogin and rcp to ssh.
update-alternatives --quiet --remove rlogin /usr/bin/ssh
update-alternatives --quiet --remove rcp /usr/bin/ssh
for cmd in rsh rlogin rcp; do
scmd="s${cmd#r}"
if ! update-alternatives --display "$cmd" 2>/dev/null | \
grep -q "$scmd"; then
update-alternatives --quiet --install "/usr/bin/$cmd" "$cmd" "/usr/bin/$scmd" 20 \
--slave "/usr/share/man/man1/$cmd.1.gz" "$cmd.1.gz" "/usr/share/man/man1/$scmd.1.gz"
fi
done
}
set_ssh_agent_permissions() {
if ! getent group ssh >/dev/null; then
addgroup --system --quiet ssh
fi
if ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null; then
chgrp ssh /usr/bin/ssh-agent
chmod 2755 /usr/bin/ssh-agent
fi
}
if [ "$action" = configure ]; then
create_alternatives
set_ssh_agent_permissions
fi
#DEBHELPER#
exit 0
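Review bot: `set_ssh_agent_permissions` makes `/usr/bin/ssh-agent` setgid to a freshly created `ssh` group (`chmod 2755`) with no comment on why; the intent (a setgid binary is not ptrace-attachable by the user's other processes, which protects the keys held in the agent) should be stated next to the chmod so a later maintainer does not "fix" it away. `oldversion="$2"` is also assigned and never used.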

22
debian/openssh-client.postrm vendored Normal file
@ -0,0 +1,22 @@
#!/bin/sh
set -e
#DEBHELPER#
case $1 in
purge)
# Remove all non-conffiles that ssh might create, so that we
# can smoothly remove /etc/ssh if and only if the user
# hasn't dropped some other files in there. Conffiles have
# already been removed at this point.
rm -f /etc/ssh/moduli /etc/ssh/primes
rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
if which delgroup >/dev/null 2>&1; then
delgroup --quiet ssh > /dev/null || true
fi
;;
esac
exit 0
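Review bot: `if which delgroup >/dev/null 2>&1` relies on `which`, which is not POSIX and is not guaranteed to be present for a `/bin/sh` maintainer script; `command -v delgroup >/dev/null 2>&1` is the portable check (the same applies to `which restorecon` in openssh-server.postinst). The comment "non-conffiles that ssh might create" also undersells what is deleted: `/etc/ssh/ssh_known_hosts` is normally maintained by the administrator rather than created by ssh, so say explicitly that purge removes it.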

39
debian/openssh-client.prerm vendored Normal file
@ -0,0 +1,39 @@
#! /bin/sh
# prerm script for ssh
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <prerm> `remove'
# * <old-prerm> `upgrade' <new-version>
# * <new-prerm> `failed-upgrade' <old-version>
# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
# * <deconfigured's-prerm> `deconfigure' `in-favour'
# <package-being-installed> <version> `removing'
# <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
case "$1" in
remove|deconfigure)
update-alternatives --quiet --remove rsh /usr/bin/ssh
update-alternatives --quiet --remove rlogin /usr/bin/slogin
update-alternatives --quiet --remove rcp /usr/bin/scp
;;
upgrade)
;;
failed-upgrade)
;;
*)
echo "prerm called with unknown argument \`$1'" >&2
exit 0
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0
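Review bot: the header comment `# prerm script for ssh` and the pointer `# for details, see /usr/share/doc/packaging-manual/` are stale; this is openssh-client's prerm, and the packaging manual it references is no longer shipped (its content lives in the Debian Policy Manual under /usr/share/doc/debian-policy/). Update both so the script's own documentation matches what it does.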

1
debian/openssh-server-udeb.dirs vendored Normal file
@ -0,0 +1 @@
run/sshd

2
debian/openssh-server-udeb.install vendored Normal file
@ -0,0 +1,2 @@
sshd usr/sbin
ssh-keygen usr/bin

27
debian/openssh-server.apport vendored Normal file
@ -0,0 +1,27 @@
'''apport hook for openssh-server
(c) 2010 Canonical Ltd.
Author: Chuck Short <chuck.short@canonical.com>
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See http://www.gnu.org/copyleft/gpl.html for
the full text of the license.
'''
from apport.hookutils import root_command_output
def add_info(report, ui):
response = ui.yesno("The contents of your /etc/ssh/sshd_config file "
"may help developers diagnose your bug more "
"quickly. However, it may contain sensitive "
"information. Do you want to include it in your "
"bug report?")
if response == None: # user cancelled
raise StopIteration
elif response:
report['SSHDConfig'] = root_command_output(['/usr/sbin/sshd', '-T'])

46
debian/openssh-server.config vendored Normal file
@ -0,0 +1,46 @@
#! /bin/sh
set -e
. /usr/share/debconf/confmodule
db_version 2.0
get_config_option() {
option="$1"
[ -f /etc/ssh/sshd_config ] || return
# TODO: actually only one '=' allowed after option
perl -lne '
s/[[:space:]]+/ /g; s/[[:space:]]+$//;
print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
/etc/ssh/sshd_config 2>/dev/null
}
permit_root_login="$(get_config_option PermitRootLogin)" || true
password_authentication="$(get_config_option PasswordAuthentication)" || true
if [ -f /etc/ssh/sshd_config ]; then
# Make sure the debconf database is in sync with the current state
# of the system.
if [ "$permit_root_login" = yes ]; then
db_set openssh-server/permit-root-login false
else
db_set openssh-server/permit-root-login true
fi
if [ "$password_authentication" = no ]; then
db_set openssh-server/password-authentication false
else
db_set openssh-server/password-authentication true
fi
fi
if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
[ "$permit_root_login" = yes ]; then
if [ "$(getent shadow root | cut -d: -f2)" = "!" ]; then
db_set openssh-server/permit-root-login true
else
db_input high openssh-server/permit-root-login || true
db_go
fi
fi
exit 0
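Review bot: `get_config_option` prints every matching line of `/etc/ssh/sshd_config`, including directives inside `Match` blocks, so a `PermitRootLogin yes` that applies only to one user or address is read as the global setting, and `permit_root_login` may even hold several lines. Either stop scanning at the first `Match` line (for example `last if /^\s*Match\b/i;` before the `print`) or take the effective value from `sshd -T`, as the openssh-server apport hook already does. The same helper is duplicated in openssh-server.postinst with a different `2>/dev/null` treatment; keep one copy.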

1
debian/openssh-server.dirs vendored Normal file
@ -0,0 +1 @@
etc/ssh/sshd_config.d

1
debian/openssh-server.examples vendored Normal file
@ -0,0 +1 @@
debian/systemd/ssh-session-cleanup.service

21
debian/openssh-server.install vendored Executable file
@ -0,0 +1,21 @@
#! /usr/bin/dh-exec
etc/ssh/moduli
usr/sbin/sshd
usr/share/man/man5/authorized_keys.5
usr/share/man/man5/moduli.5
usr/share/man/man5/sshd_config.5
usr/share/man/man8/sshd.8
sshd_config => usr/share/openssh/sshd_config
debian/openssh-server.ucf-md5sum => usr/share/openssh/sshd_config.md5sum
debian/openssh-server.ufw.profile => etc/ufw/applications.d/openssh-server
debian/systemd/ssh.socket lib/systemd/system
debian/systemd/rescue-ssh.target lib/systemd/system
debian/systemd/ssh@.service lib/systemd/system
debian/systemd/ssh-session-cleanup usr/lib/openssh
# dh_apport would be neater, but at the time of writing it isn't in unstable
# yet.
debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py

0
debian/openssh-server.links vendored Normal file
3
debian/openssh-server.maintscript vendored Normal file
@ -0,0 +1,3 @@
mv_conffile /etc/pam.d/ssh /etc/pam.d/sshd 1:4.7p1-4~
rm_conffile /etc/init/ssh.conf 1:7.5p1-6~
rm_conffile /etc/network/if-up.d/openssh-server 1:7.9p1-1~

167
debian/openssh-server.postinst vendored Normal file
@ -0,0 +1,167 @@
#!/bin/sh
set -e
. /usr/share/debconf/confmodule
db_version 2.0
action="$1"
oldversion="$2"
umask 022
get_config_option() {
option="$1"
[ -f /etc/ssh/sshd_config ] || return
# TODO: actually only one '=' allowed after option
perl -lne '
s/[[:space:]]+/ /g; s/[[:space:]]+$//;
print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
/etc/ssh/sshd_config
}
host_keys_required() {
hostkeys="$(get_config_option HostKey)"
if [ "$hostkeys" ]; then
echo "$hostkeys"
else
# No HostKey directives at all, so the server picks some
# defaults.
echo /etc/ssh/ssh_host_rsa_key
echo /etc/ssh/ssh_host_ecdsa_key
echo /etc/ssh/ssh_host_ed25519_key
fi
}
create_key() {
msg="$1"
shift
hostkeys="$1"
shift
file="$1"
shift
if echo "$hostkeys" | grep -x "$file" >/dev/null && \
[ ! -f "$file" ] ; then
echo -n $msg
ssh-keygen -q -f "$file" -N '' "$@"
echo
if which restorecon >/dev/null 2>&1; then
restorecon "$file" "$file.pub"
fi
ssh-keygen -l -f "$file.pub"
fi
}
create_keys() {
hostkeys="$(host_keys_required)"
create_key "Creating SSH2 RSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
create_key "Creating SSH2 DSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
create_key "Creating SSH2 ECDSA key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa
create_key "Creating SSH2 ED25519 key; this may take some time ..." \
"$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519
}
new_config=
cleanup() {
if [ "$new_config" ]; then
rm -f "$new_config"
fi
}
create_sshdconfig() {
# XXX cjwatson 2016-12-24: This debconf template is very confusingly
# named; its description is "Disable SSH password authentication for
# root?", so true -> prohibit-password (the upstream default),
# false -> yes.
db_get openssh-server/permit-root-login
permit_root_login="$RET"
db_get openssh-server/password-authentication
password_authentication="$RET"
trap cleanup EXIT
new_config="$(tempfile)"
cp -a /usr/share/openssh/sshd_config "$new_config"
if [ "$permit_root_login" != true ]; then
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin yes/' \
"$new_config"
fi
if [ "$password_authentication" != true ]; then
sed -i 's/^#PasswordAuthentication .*/PasswordAuthentication no/' \
"$new_config"
fi
mkdir -p /etc/ssh
ucf --three-way --debconf-ok \
--sum-file /usr/share/openssh/sshd_config.md5sum \
"$new_config" /etc/ssh/sshd_config
ucfr openssh-server /etc/ssh/sshd_config
}
fix_statoverride() {
# Remove an erronous override for sshd (we should have overridden ssh)
if dpkg-statoverride --list /usr/sbin/sshd >/dev/null; then
dpkg-statoverride --remove /usr/sbin/sshd
fi
}
setup_sshd_user() {
if ! getent passwd sshd >/dev/null; then
adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
fi
}
if [ "$action" = configure ]; then
create_sshdconfig
create_keys
fix_statoverride
setup_sshd_user
# Renamed to /etc/ssh/moduli in 2.9.9 (!)
if dpkg --compare-versions "$2" lt-nl 1:4.7p1-1; then
rm -f /etc/ssh/primes
fi
if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
rm -f /run/sshd/.placeholder
fi
if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
deb-systemd-helper debian-installed ssh.socket && \
deb-systemd-helper --quiet was-enabled ssh.service && \
deb-systemd-helper --quiet was-enabled ssh.socket; then
# 1:6.5p1-1 mistakenly left both ssh.service and ssh.socket
# enabled.
deb-systemd-helper disable ssh.socket >/dev/null || true
fi
if dpkg --compare-versions "$2" lt-nl 1:6.5p1-3 && \
[ -d /run/systemd/system ]; then
# We must stop the sysvinit-controlled sshd before we can
# restart it under systemd.
start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true
fi
if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \
[ -f /etc/ssh/moduli.dpkg-bak ]; then
# Handle /etc/ssh/moduli being moved from openssh-client to
# openssh-server. If there were no user modifications, then we
# don't need to do anything special here; but if there were,
# then the dpkg-maintscript-helper calls from openssh-client's
# maintainer scripts will have saved the old file as .dpkg-bak,
# which we now move back into place.
mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
fi
fi
#DEBHELPER#
db_stop
exit 0
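Review bot: host_keys_required only greps /etc/ssh/sshd_config, but debian-config.patch in this same commit puts `Include /etc/ssh/sshd_config.d/*.conf` at the top of that file, so a HostKey directive an admin has moved into a drop-in is invisible here and the else branch falls through to generating all three default keys. Either extend get_config_option to read /etc/ssh/sshd_config.d/*.conf as well, or say so in the comment at "No HostKey directives at all" so the behaviour is at least documented. A smaller point on create_sshdconfig: the two sed expressions (`^#*PermitRootLogin .*` versus `^#PasswordAuthentication .*`) are what openssh-server.ucf-md5sum enumerates, so any change to either regex must be mirrored there or ucf will start prompting on every upgrade.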

debian/openssh-server.postrm vendored Normal file
@ -0,0 +1,35 @@
#!/bin/sh
set -e
#DEBHELPER#
case $1 in
purge)
# Remove all non-conffiles that ssh might create, so that we
# can smoothly remove /etc/ssh if and only if the user
# hasn't dropped some other files in there. Conffiles have
# already been removed at this point.
rm -f /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub
rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
rm -f /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
rm -f /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub
rm -f /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub
for ext in .ucf-new .ucf-old .ucf-dist ""; do
rm -f "/etc/ssh/sshd_config$ext"
done
if which ucf >/dev/null 2>&1; then
ucf --purge /etc/ssh/sshd_config
fi
if which ucfr >/dev/null 2>&1; then
ucfr --purge openssh-server /etc/ssh/sshd_config
fi
rm -f /etc/ssh/sshd_not_to_be_run
[ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
if which deluser >/dev/null 2>&1; then
deluser --quiet sshd > /dev/null || true
fi
;;
esac
exit 0

debian/openssh-server.preinst vendored Normal file
@ -0,0 +1,18 @@
#!/bin/sh
set -e
action=$1
version=$2
if [ "$action" = upgrade ] || [ "$action" = install ]
then
if dpkg --compare-versions "$version" lt 1:5.5p1-6 && \
[ -d /run/sshd ]; then
# make sure /run/sshd is not removed on upgrades
touch /run/sshd/.placeholder
fi
fi
#DEBHELPER#
exit 0

debian/openssh-server.runit vendored Normal file
@ -0,0 +1 @@
debian/openssh-server.ssh.runscript logscript,name=ssh,since=1:8.0p1-5

debian/openssh-server.ssh.default vendored Normal file
@ -0,0 +1,5 @@
# Default settings for openssh-server. This file is sourced by /bin/sh from
# /etc/init.d/ssh.
# Options to pass to sshd
SSHD_OPTS=

debian/openssh-server.ssh.init vendored Executable file
@ -0,0 +1,162 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: OpenBSD Secure Shell server
### END INIT INFO
set -e
# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
test -x /usr/sbin/sshd || exit 0
( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
umask 022
if test -f /etc/default/ssh; then
. /etc/default/ssh
fi
. /lib/lsb/init-functions
if [ -n "$2" ]; then
SSHD_OPTS="$SSHD_OPTS $2"
fi
# Are we running from init?
run_by_init() {
([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ]
}
check_for_no_start() {
# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
if [ -e /etc/ssh/sshd_not_to_be_run ]; then
if [ "$1" = log_end_msg ]; then
log_end_msg 0 || true
fi
if ! run_by_init; then
log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" || true
fi
exit 0
fi
}
check_dev_null() {
if [ ! -c /dev/null ]; then
if [ "$1" = log_end_msg ]; then
log_end_msg 1 || true
fi
if ! run_by_init; then
log_action_msg "/dev/null is not a character device!" || true
fi
exit 1
fi
}
check_privsep_dir() {
# Create the PrivSep empty dir if necessary
if [ ! -d /run/sshd ]; then
mkdir /run/sshd
chmod 0755 /run/sshd
fi
}
check_config() {
if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
/usr/sbin/sshd $SSHD_OPTS -t || exit 1
fi
}
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
case "$1" in
start)
check_privsep_dir
check_for_no_start
check_dev_null
log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
stop)
log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
reload|force-reload)
check_for_no_start
check_config
log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true
if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
restart)
check_privsep_dir
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd
check_for_no_start log_end_msg
check_dev_null log_end_msg
if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
try-restart)
check_privsep_dir
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
RET=0
start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd || RET="$?"
case $RET in
0)
# old daemon stopped
check_for_no_start log_end_msg
check_dev_null log_end_msg
if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
fi
;;
1)
# daemon not running
log_progress_msg "(not running)" || true
log_end_msg 0 || true
;;
*)
# failed to stop
log_progress_msg "(failed to stop)" || true
log_end_msg 1 || true
;;
esac
;;
status)
status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
;;
*)
log_action_msg "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}" || true
exit 1
esac
exit 0
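Review bot: the `stop` branch calls start-stop-daemon without `--retry`, so it returns as soon as SIGTERM has been delivered and reports success while the listener may still be shutting down; `restart` and `try-restart` use `--retry 30` precisely to avoid that. Without it a `stop; start` sequence can find the old master still alive and, because `--start --oknodo --pidfile` treats a live pidfile as "already running", silently skip the start. Use `--retry 30` in `stop` as well.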

@ -0,0 +1,16 @@
#!/bin/sh
set -e
NAME=ssh
[ $1 = -1 ] && echo "runsv: ERROR in $NAME: unexpected error or wrong sh syntax"
# no need to stop the service here, runsv will stop trying after the first attempt
[ $1 = 161 ] && echo "runsv: ERROR $1 in $NAME: disabled by local settings" \
&& sv d $(dirname $0) && exit 0
[ $1 = 162 ] && echo "runsv: ERROR $1 in $NAME: configtest or early setup failed" \
&& sv d $(dirname $0) && exit 0
echo "$NAME Stopped"
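Review bot: `$1` is unquoted in all three `[ $1 = ... ]` tests. runsv always supplies an exit code, but if the finish script is run by hand with no argument the test degenerates to `[ = -1 ]`, which is a usage error from test(1) rather than a false result. Quote it (`[ "$1" = -1 ]`) so the script fails closed in that case.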

debian/openssh-server.ssh.runscript/run vendored Normal file
@ -0,0 +1,20 @@
#!/usr/bin/env /lib/runit/invoke-run
set -e
NAME="ssh"
sv start auditd || sv check auditd || true
# don't start if 'sshd_not_to_be_run' exists
test -e /etc/ssh/sshd_not_to_be_run && exit 161
#Create /run/sshd
test -d /run/sshd || mkdir /run/sshd && chmod 0755 /run/sshd
exec 2>&1
#Config test
/usr/sbin/sshd -t || exit 162
echo "Starting $NAME..."
exec /usr/sbin/sshd -D -e $SSHD_OPTS
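Review bot: `$SSHD_OPTS` on the exec line is never set. openssh-server.ssh.default says /etc/default/ssh "is sourced by /bin/sh from /etc/init.d/ssh", and nothing in this run script sources it, so options an admin put there (including hardening flags) are silently dropped under runit while being honoured under sysvinit. Add `test -f /etc/default/ssh && . /etc/default/ssh` before the `sshd -t` config test so the same options are validated and then passed. Also, `test -d /run/sshd || mkdir /run/sshd && chmod 0755 /run/sshd` parses as `(test || mkdir) && chmod`; it behaves correctly, but parenthesising it makes the intent obvious.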

debian/openssh-server.ssh.service vendored Symbolic link
@ -0,0 +1 @@
systemd/ssh.service

debian/openssh-server.sshd.pam.in vendored Normal file
@ -0,0 +1,55 @@
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
@IF_KEYINIT@# Create a new session keyring.
@IF_KEYINIT@session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
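Review bot: `pam_env.so user_readenv=1` reads ~/.pam_environment, a file the authenticating user fully controls, so it lets an SSH user inject arbitrary variables into the session environment that sshd's default `PermitUserEnvironment no` is meant to prevent (anything a login script or a setuid helper trusts from the environment is in scope). If that trade-off is intentional, the comment above the line should say so; otherwise drop `user_readenv=1` and keep only the `envfile=/etc/default/locale` read, which is what the comment actually describes.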

debian/openssh-server.templates vendored Normal file
@ -0,0 +1,23 @@
Template: openssh-server/permit-root-login
Type: boolean
Default: true
_Description: Disable SSH password authentication for root?
Previous versions of openssh-server permitted logging in as root over SSH
using password authentication. The default for new installations is now
"PermitRootLogin prohibit-password", which disables password authentication
for root without breaking systems that have explicitly configured SSH
public key authentication for root.
.
This change makes systems more secure against brute-force password
dictionary attacks on the root user (a very common target for such
attacks). However, it may break systems that are set up with the
expectation of being able to SSH as root using password authentication. You
should only make this change if you do not need to do that.
Template: openssh-server/password-authentication
Type: boolean
Default: true
Description: Allow password authentication?
By default, the SSH server will allow authenticating using a password.
You may want to change this if all users on this system authenticate using
a stronger authentication method, such as public keys.

debian/openssh-server.ucf-md5sum vendored Normal file
@ -0,0 +1,98 @@
# Historical md5sums of the default /etc/ssh/sshd_config up to and including
# 1:7.3p1-5.
0d06fc337cee10609d4833dc88df740f
10dc68360f6658910a98a051273de22c
11f9e107b4d13bbcabe7f8e8da734371
16c827adcff44efaca05ec5eea6383d7
2eeff28468576c3f2e538314e177687b
386c8b9079625b78f6d624ae506958ae
38fc7b31b3e3078848f0eec457d3e050
395c5e13801f9b4f17c2cb54aa634fbd
423d5796cee663af2d0f24c4d520b578
42be2cb5b64bc91443b2e46969d2d539
42cd8b7c5ea9e440d3efa50b9a1bb444
4f56ca8d0b5dfdaeb732becd3292ce5d
54998a682a97af8449e9de0316eacf1d
5c0bdc1735accbdc062381149937ec4a
6357b54acf8e089c57544e06d1bbec53
6a621d8bc448987e5a8a613c40307a4c
702a79962e60aa17c6d3df742e8ec670
7a69eff91ec92b4e065b8dd8846366b2
7c60e22f183b6219c684f15ce24153fd
8304e780c43d4a606f695c8965f48299
8b9e70ee87f4b822714e2ed7af5b70dc
8caefdd9e251b7cc1baa37874149a870
90baeb1c778464d2da610f8268939719
962a382e51f43f80109131838ca326ba
96eaf22faba705a37905282f6ad69d64
9cb6cd83be1c21f73476be629b163c01
a07a9865cd33b85a1426cd67954c6fa0
ae1e844b43986e2a964cf84f46b50c5b
b516afa5a1e298f4cd00952b36dd623f
b69fc974ee9b5a111bd473ef54cdd232
ba9c3f808c811d6f944ad10a508c4767
bccf9af9c7027afd0895d8ff8e02761a
bd3a2b95f8b4b180eed707794ad81e4d
c34586b56496f81a10615c002685fc74
c47555a21189a6b703d2c5d37d2c50ed
cac079e87c0ae0d77eafc9b285e36348
d224f92823483333432974f63cb6dc66
d50ef9ef2aa51cb9f808f6a776260c0a
e0029e1e9871d4d2b673ee6d70a38614
e086e7eb521ccc5776371b2e198f0702
e101f74dc7381527e9aefa1f78b01a7f
e24f749808133a27d94fda84a89bb27b
ec16c3dd0203f13885d74ce529719fda
efcff5380823d4e3f5039620c2e08459
f58056370a64dbd2017d7486421c281d
fe396d52df77f1fbf710591d4dbf3311
# From this point on, we have four md5sums for each released version of
# sshd_config, depending on the state of openssh-server/permit-root-login
# and openssh-server/password-authentication; the plain copy plus the result
# of running through either or both of the following:
#
# sed 's/^#*PermitRootLogin .*/PermitRootLogin yes/'
# sed 's/^#PasswordAuthentication .*/PasswordAuthentication no/'
#
# This obviously leaves something to be desired in terms of maintainability.
#
# The following covers up to 1:7.8p1-1, including everything except the
# latest version of sshd_config. It should be extended any time sshd_config
# changes.
# From 1:7.4p1-1:
f8ecd8f588749a0e39a5b1d3ff261cb2
0f923c50ef1b00e1e88e02736727f03e
abc2568a7ec0cb54c584ea03c7a4f854
17851b145a2515fce2e8d0b9020d5cd4
# From 1:7.4p1-6:
bbcdf7b77777d40996e287495bb96e47
55dd47f61a4af5d1a8884ec590ce33ef
e1375e853a36f9bcd5faeb4b8c570dd1
fa6d314c0ab05933ab970fd362ab2800
# From 1:7.4p1-7:
bbad7ed242a834e831c7066901cee49e
df8447ce600dd3d6bc4048ccc2faa536
87adc8952a7f06efdda8473fd772997f
14301f8b9e39c72b3f929dc70e41ebf6
# From 1:7.5p1-1:
739d6887c8f3dd71a9168c614c07175c
cc463c55b512da68e807784f675a1301
203e9b92fe3623aeba277ee44297f7dd
1d29cac6b0dd5c0004cf7d80b823715c
# From 1:7.7p1-1:
cc873ab3ccc9cf3a3830c3c0728c0d0b
2d0b1d2719c01b15457401fd97d607ed
8ce930e15835a8f46285315ed0da7f4a
8a71a3620605f21ac3ef16fd5d23f76a
# From 1:7.8p1-1:
55570f990ec9c3b8d19c19ab4d0b8eb8
0b8a28dca5cdbace0cd85fcd7794cba8
18df1377273c4d51d4c03c9adc31021f
63284e767f6ccf2375ef80507c564797

debian/openssh-server.ufw.profile vendored Normal file
@ -0,0 +1,4 @@
[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

debian/openssh-sftp-server.install vendored Normal file
@ -0,0 +1,2 @@
usr/lib/openssh/sftp-server
usr/share/man/man8/sftp-server.8

debian/openssh-sftp-server.links vendored Normal file
@ -0,0 +1 @@
usr/lib/openssh/sftp-server usr/lib/sftp-server

debian/openssh-tests.install vendored Normal file
@ -0,0 +1,11 @@
regress /usr/lib/openssh
debian/build-deb/regress/check-perm /usr/lib/openssh/regress
debian/build-deb/regress/misc /usr/lib/openssh/regress
debian/build-deb/regress/mkdtemp /usr/lib/openssh/regress
debian/build-deb/regress/modpipe /usr/lib/openssh/regress
debian/build-deb/regress/netcat /usr/lib/openssh/regress
debian/build-deb/regress/setuid-allowed /usr/lib/openssh/regress
debian/build-deb/regress/unittests /usr/lib/openssh/regress
debian/build-deb/config.h /usr/lib/openssh/regress
debian/run-tests /usr/lib/openssh/regress

@ -0,0 +1,26 @@
From b0cb3badf4d423f8ea7bf950e55ca72878cc224b Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
---
Makefile.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.in b/Makefile.in
index b68c1710f..bff1db49b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -402,6 +402,7 @@ install-files:
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
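Review bot: `ln -s` without `-f` fails with EEXIST when authorized_keys.5 already exists in the target man directory (a second `make install` into the same DESTDIR, or an upgrade over a tree that already has the link), and since make stops on the first failing recipe line that aborts install-files halfway through. The surrounding `$(INSTALL)` lines overwrite silently; use `ln -sf` so the new line behaves the same way.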

@ -0,0 +1,68 @@
From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 30 Aug 2018 00:58:56 +0100
Subject: Work around conch interoperability failure
Twisted Conch fails to read private keys in the new format
(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
can be fixed in Twisted.
Forwarded: not-needed
Last-Update: 2019-10-09
Patch-Name: conch-old-privkey-format.patch
---
regress/Makefile | 2 +-
regress/conch-ciphers.sh | 2 +-
regress/test-exec.sh | 12 ++++++++++++
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/regress/Makefile b/regress/Makefile
index 774c10d41..01e257a94 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
- ssh-rsa_oldfmt \
+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 6678813a2..6ff5da20b 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
rm -f ${COPY}
# XXX the 2nd "cat" seems to be needed because of buggy FD handling
# in conch
- ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
+ ${CONCH} --identity $OBJ/ssh-rsa_oldfmt --port $PORT --user $USER -e none \
--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
if [ $? -ne 0 ]; then
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index f5e3ee6f5..a3a40719f 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no
if test -x "$CONCH" ; then
REGRESS_INTEROP_CONCH=yes
fi
+case "$SCRIPT" in
+*conch*) ;;
+*) REGRESS_INTEROP_CONCH=no
+esac
+
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
+ # Convert rsa key to old format to work around
+ # https://twistedmatrix.com/trac/ticket/9515
+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
+ cp $OBJ/ssh-rsa.pub $OBJ/ssh-rsa_oldfmt.pub
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
+fi
# If PuTTY is present and we are running a PuTTY test, prepare keys and
# configuration
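Review bot: `${SSHKEYGEN} -p -N '' -m PEM` only works non-interactively because the regress `ssh-rsa` key is generated with an empty passphrase; if that ever changes, ssh-keygen will prompt for the old passphrase and the test hangs. Passing `-P ''` alongside `-N ''` makes that assumption explicit and keeps the conversion non-interactive. Minor style point: the final `*)` branch of the `case "$SCRIPT"` block has no `;;`; POSIX allows omitting it on the last pattern, but the rest of test-exec.sh terminates every branch, so add it for consistency.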

debian/patches/debian-banner.patch vendored Normal file
@ -0,0 +1,163 @@
From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2020-02-21
Patch-Name: debian-banner.patch
---
kex.c | 5 +++--
kex.h | 2 +-
servconf.c | 9 +++++++++
servconf.h | 2 ++
sshconnect.c | 2 +-
sshd.c | 3 ++-
sshd_config.5 | 5 +++++
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index f638942d3..2abfbb95a 100644
--- a/kex.c
+++ b/kex.c
@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
{
int remote_major, remote_minor, mismatch;
size_t len, i, n;
@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
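Review bot: `SSH_RELEASE_MINIMUM` is not defined by this patch; the header only says the option exists "for those scared by package-versioning.patch", which is where that macro comes from. This hunk therefore fails to compile if package-versioning.patch is dropped or ordered after it in debian/patches/series. State the dependency explicitly in the patch header so the ordering constraint survives the next refresh.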
diff --git a/kex.h b/kex.h
index fe7141414..938dca03b 100644
--- a/kex.h
+++ b/kex.h
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
int kex_gss_names_valid(const char *);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index bf3cd84a4..7bbc25c2e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
options->expose_userauth_info = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
@@ -556,6 +559,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -719,6 +723,7 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
*charptr = xstrdup(arg);
break;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
diff --git a/servconf.h b/servconf.h
index 3f47ea25e..3fa05fcac 100644
--- a/servconf.h
+++ b/servconf.h
@@ -221,6 +221,8 @@ typedef struct {
int expose_userauth_info;
u_int64_t timing_secret;
char *sk_provider;
+
+ int debian_banner;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index b796d3c8a..9f2412e0d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
cleanup_exit(255); /* error already logged */
/* Put the connection into non-blocking mode. */
diff --git a/sshd.c b/sshd.c
index 65916fc6d..da876a900 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2187,7 +2187,8 @@ main(int ac, char **av)
if (!debug_flag)
alarm(options.login_grace_time);
- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+ if (kex_exchange_identification(ssh, -1, options.debian_banner,
+ options.version_addendum) != 0)
cleanup_exit(255); /* error already logged */
ssh_packet_set_nonblocking(ssh);
diff --git a/sshd_config.5 b/sshd_config.5
index ebd09f891..c926f584c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -542,6 +542,11 @@ or
.Cm no .
The default is
.Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
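Review bot: the new sshd_config.5 text should say what "distribution-specified extra version suffix" means in practice: `DebianBanner no` only drops the Debian package revision from the identification string, and the upstream OpenSSH version is still sent, so it is banner tidiness rather than a control against version-based scanning. Spelling that out avoids admins treating it as a hardening setting.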

debian/patches/debian-config.patch vendored Normal file
@ -0,0 +1,270 @@
From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
ssh: Include /etc/ssh/ssh_config.d/*.conf.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-02-21
Patch-Name: debian-config.patch
---
readconf.c | 2 +-
ssh.1 | 24 ++++++++++++++++++++++++
ssh_config | 8 +++++++-
ssh_config.5 | 26 +++++++++++++++++++++++++-
sshd_config | 18 ++++++++++++------
sshd_config.5 | 29 +++++++++++++++++++++++++++++
6 files changed, 98 insertions(+), 9 deletions(-)
diff --git a/readconf.c b/readconf.c
index 7f251dd4a..e82024678 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2087,7 +2087,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
- options->forward_x11_trusted = 0;
+ options->forward_x11_trusted = 1;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
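Review bot: flipping the compiled-in default of forward_x11_trusted to 1 means every `ssh -X` / `ForwardX11 yes` session hands the remote host full access to the local X display (the SECURITY extension is what normally stops untrusted clients from reading other windows' input and contents), and the exposure is on the client side against every server the user connects to. If the package has to ship this behaviour, put an uncommented `ForwardX11Trusted yes` in the shipped ssh_config instead of changing readconf.c: a config default is visible to anyone auditing /etc/ssh/ssh_config and trivially reverted per host, whereas a code default is only discoverable through `ssh -G`, the patched ssh.1 text, or this patch. The ssh_config hunk below already carries the line commented out, so this would be a one-character change there plus a revert here.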
diff --git a/ssh.1 b/ssh.1
index b33a8049f..a8967c2f8 100644
--- a/ssh.1
+++ b/ssh.1
@@ -809,6 +809,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl x
Disables X11 forwarding.
.Pp
@@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl y
Send log information using the
.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 1ff999b68..8a55237b9 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,12 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
# ForwardAgent no
# ForwardX11 no
+# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -45,3 +48,6 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index c6eaa63e7..34dc2d51b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/ssh_config.d/*.conf
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+.Pa /etc/ssh/ssh_config.d/*.conf
+files are included at the start of the system-wide configuration file, so
+options set there will override those in
+.Pa /etc/ssh/ssh_config.
+.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
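Review bot: "options set there will override those in /etc/ssh/ssh_config" is true but easy to over-read. ssh(1) consults the command line and ~/.ssh/config before the system-wide file, so a drop-in in /etc/ssh/ssh_config.d cannot enforce anything against a user's own configuration; it only overrides the rest of /etc/ssh/ssh_config. One sentence saying so would stop admins from using drop-ins as a policy mechanism.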
@@ -729,11 +752,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
+(the Debian-specific default),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
-(the default),
+(the upstream default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
diff --git a/sshd_config b/sshd_config
index 2c48105f8..459c1b230 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+Include /etc/ssh/sshd_config.d/*.conf
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
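Review bot: placing `Include` at the very top combined with sshd's first-value-wins rule means anything in /etc/ssh/sshd_config.d/*.conf silently overrides the rest of this file, including the `PermitRootLogin yes` / `PasswordAuthentication no` lines that openssh-server.postinst writes here from the debconf answers. The sshd_config.5 hunk documents it, but an admin editing only this file sees no hint; add a one-line comment above the Include saying that drop-ins take precedence over everything below.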
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-#PrintMotd yes
+PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index 25f4b8117..e8271be74 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
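Review bot: in the closing `.Pa /etc/ssh/sshd_config.` the full stop is part of the macro argument and renders as if it belonged to the path; mdoc convention is `.Pa /etc/ssh/sshd_config .` with the punctuation as a separate argument. The precedence sentence would also be clearer with the reason attached: sshd keeps the first value it reads for each keyword, which is why a drop-in included at the top overrides the same keyword later in the file.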

debian/patches/dnssec-sshfp.patch

@ -0,0 +1,94 @@
From 74c1c0ef7689ea68dc8263f73c00ff8675f9f0fe Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
---
dns.c | 14 +++++++++++++-
openbsd-compat/getrrsetbyname.c | 10 +++++-----
openbsd-compat/getrrsetbyname.h | 3 +++
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/dns.c b/dns.c
index e4f9bf830..9c9fe6413 100644
--- a/dns.c
+++ b/dns.c
@@ -210,6 +210,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
{
u_int counter;
int result;
+ unsigned int rrset_flags = 0;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
@@ -233,8 +234,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
return -1;
}
+ /*
+ * Original getrrsetbyname function, found on OpenBSD for example,
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
+ * DNS response is set by "options edns0" in resolv.conf.
+ *
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+ */
+#ifndef HAVE_GETRRSETBYNAME
+ rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
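Review bot: the `#ifndef HAVE_GETRRSETBYNAME` guard means `RRSET_FORCE_EDNS0` is only requested when the bundled openbsd-compat getrrsetbyname() is compiled in; on a system with a native getrrsetbyname() `rrset_flags` stays 0 and SSHFP validation still depends on `options edns0` in resolv.conf, which the new comment should state explicitly instead of only describing "our version". The comment also needs a grammar pass ("uses", not "use"; "does not accept any flags"). Forcing the EDNS0/DNSSEC request only asks the resolver to validate; the caller must still check `RRSET_VALIDATED` on the returned set before treating a fingerprint as trusted, so a one-line reminder of that here would help.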
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index dc6fe0533..e061a290a 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
goto fail;
}
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
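Review bot: the new check `if ((flags & !RRSET_FORCE_EDNS0) != 0)` does not do what its comment says. `!RRSET_FORCE_EDNS0` is the logical negation of 0x0001, i.e. 0, so `flags & 0` is always 0 and every flags value is accepted, including the unimplemented ones the old code rejected. The intent is the bitwise complement: `if ((flags & ~RRSET_FORCE_EDNS0) != 0)`. As written, all flag validation is lost.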
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
- /* turn on DNSSEC if EDNS0 is configured */
- if (_resp->options & RES_USE_EDNS0)
- _resp->options |= RES_USE_DNSSEC;
+ /* turn on DNSSEC if required */
+ if (flags & RRSET_FORCE_EDNS0)
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
#endif /* RES_USE_DNSEC */
/* make query */
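Review bot: the replacement drops the previous behaviour of enabling DNSSEC whenever the resolver already had `RES_USE_EDNS0` set and makes it depend solely on the new flag, so a caller that does not pass `RRSET_FORCE_EDNS0` now gets no DNSSEC even on a system with `options edns0` configured. Unless that is intended, keep both conditions: `if ((flags & RRSET_FORCE_EDNS0) || (_resp->options & RES_USE_EDNS0))`. The unchanged context line `#endif /* RES_USE_DNSEC */` has a typo (DNSSEC) that could be corrected in passing.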
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
#endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
/*
* Return codes for getrrsetbyname()
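Review bot: `RRSET_FORCE_EDNS0` is defined as 0x0001, numerically identical to `RRSET_VALIDATED` just above it. They belong to different namespaces (one is a bit in the `flags` argument to getrrsetbyname(), the other a bit in the returned `rri_flags`), but a short comment saying so, or choosing a distinct value, would stop a future reader from treating them as interchangeable.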


@ -0,0 +1,28 @@
From a14ddfc3f607b0bf29046bfb4b26a6d827fa58c7 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
---
ssh_config.5 | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
index e61a0fd43..c6eaa63e7 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
.It Cm HostbasedAuthentication
Specifies whether to try rhosts based authentication with public key
authentication.


@ -0,0 +1,26 @@
From 63da84c3570afb4fa6bab38fdac3e9af45d0ec54 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
---
contrib/gnome-ssh-askpass2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
index bc83a2d67..88cdfaeff 100644
--- a/contrib/gnome-ssh-askpass2.c
+++ b/contrib/gnome-ssh-askpass2.c
@@ -233,6 +233,8 @@ main(int argc, char **argv)
gtk_init(&argc, &argv);
+ gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL);
+
if (argc > 1) {
message = g_strjoinv(" ", argv + 1);
} else {
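Review bot: the icon path `/usr/share/pixmaps/ssh-askpass-gnome.png` is hardcoded, and passing `NULL` as the GError means a missing or unreadable file fails silently (acceptable for an icon, but worth a comment). GTK's gtk_window_set_default_icon_name() takes a themed icon name and avoids the absolute path altogether; the stray space before `(` also departs from the call style used elsewhere in this file.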

debian/patches/gssapi.patch

File diff suppressed because it is too large.


@ -0,0 +1,135 @@
From 3558be2914c0127489faae40ce2eae66142c3287 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2020-02-21
Patch-Name: keepalive-extensions.patch
---
readconf.c | 14 ++++++++++++--
ssh_config.5 | 21 +++++++++++++++++++--
sshd_config.5 | 3 +++
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
index 0fc996871..2399208f8 100644
--- a/readconf.c
+++ b/readconf.c
@@ -176,6 +176,7 @@ typedef enum {
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
oSecurityKeyProvider,
+ oProtocolKeepAlives, oSetupTimeOut,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -326,6 +327,8 @@ static struct {
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
+ { "protocolkeepalives", oProtocolKeepAlives },
+ { "setuptimeout", oSetupTimeOut },
{ NULL, oBadOption }
};
@@ -1495,6 +1498,8 @@ parse_keytypes:
goto parse_flag;
case oServerAliveInterval:
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+ case oSetupTimeOut: /* Debian-specific compatibility alias */
intptr = &options->server_alive_interval;
goto parse_time;
@@ -2198,8 +2203,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
+ if (options->server_alive_interval == -1) {
+ /* in batch mode, default is 5mins */
+ if (options->batch_mode == 1)
+ options->server_alive_interval = 300;
+ else
+ options->server_alive_interval = 0;
+ }
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
if (options->control_master == -1)
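Review bot: with `server_alive_interval` defaulting to 300 in batch mode and the unchanged `server_alive_count_max` default of 3 a few lines below, a dead peer is only noticed after roughly 15 minutes (300 s times 3 unanswered requests); the ssh_config.5 text in this patch should state the resulting timeout rather than only the interval, since scripts that expect "swift" detection of a broken network will otherwise be surprised. The `options->batch_mode == 1` test would also read better as a plain truth test, matching the neighbouring option checks.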
diff --git a/ssh_config.5 b/ssh_config.5
index 3f4906972..3079db19b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -266,9 +266,13 @@ If set to
.Cm yes ,
user interaction such as password prompts and host key confirmation requests
will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default (Debian-specific).
This option is useful in scripts and other batch jobs where no user
is present to interact with
-.Xr ssh 1 .
+.Xr ssh 1 ,
+and where it is desirable to detect a broken network swiftly.
The argument must be
.Cm yes
or
@@ -1593,7 +1597,14 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
.It Cm SetEnv
Directly specify one or more environment variables and their contents to
be sent to the server.
@@ -1673,6 +1684,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
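Review bot: the inserted sentences sit between "If they are sent, death of the connection ... will be properly noticed." and the original "However, this means that connections will die if the route is down temporarily", so "this" now reads as referring to `ServerAliveInterval` rather than to TCP keepalives. Move the new text after the "However ..." sentence, or separate it with `.Pp`, so the original flow is preserved.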
diff --git a/sshd_config.5 b/sshd_config.5
index f6b41a2f8..ebd09f891 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1668,6 +1668,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication, or


@ -0,0 +1,44 @@
From c18e3c8125fc4553951705a1da8c86395d219bb1 Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2017-08-22
Patch-Name: mention-ssh-keygen-on-keychange.patch
---
sshconnect.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
index 4a5d4a003..b796d3c8a 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
error("%s. This could either mean that", key_msg);
error("DNS SPOOFING is happening or the IP address for the host");
error("and its host key have changed at the same time.");
- if (ip_status != HOST_NEW)
+ if (ip_status != HOST_NEW) {
error("Offending key for IP in %s:%lu",
ip_found->file, ip_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
+ ip_found->file, ip);
+ }
}
/* The host key has changed. */
warn_changed_key(host_key);
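Review bot: printing a ready-to-paste `ssh-keygen -f ... -R ...` command inside the DNS-spoofing warning makes it very easy to clear the offending entry reflexively, which is exactly what this warning exists to prevent; the new lines should be preceded by wording that the command is only appropriate once the new key has been verified out of band. The braces added around the `if (ip_status != HOST_NEW)` block are correct and required for the extra error() calls.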
@@ -1002,6 +1006,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
+ host_found->file, host);
/*
* If strict host key checking is in use, the user will have
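Review bot: the same caveat applies to this second "remove with:" hint for the hostname entry. In addition, `host` and `host_found->file` are interpolated inside double quotes without escaping, so a name or path containing `"` or `$` yields a command that does not do what it appears to; either escape those characters or word the hint as illustrative rather than as a command to paste.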


@ -0,0 +1,62 @@
From ba0377ab3e6b68f7ab747f500991a0445c7f4086 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
---
openbsd-compat/openssl-compat.c | 6 +++---
openbsd-compat/regress/opensslvertest.c | 1 +
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index a37ca61bf..c1749210d 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -34,7 +34,7 @@
/*
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
* We match major, minor, fix and status (not patch) for <1.0.0.
- * After that, we acceptable compatible fix versions (so we
+ * After that, we accept compatible fix and status versions (so we
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
* within a patch series.
*/
@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver)
}
/*
- * For versions >= 1.0.0, major,minor,status must match and library
+ * For versions >= 1.0.0, major,minor must match and library
* fix version must be equal to or newer than the header.
*/
- mask = 0xfff0000fL; /* major,minor,status */
+ mask = 0xfff00000L; /* major,minor */
hfix = (headerver & 0x000ff000) >> 12;
lfix = (libver & 0x000ff000) >> 12;
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
index 5d019b598..58474873d 100644
--- a/openbsd-compat/regress/opensslvertest.c
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -35,6 +35,7 @@ struct version_test {
/* built with 1.0.1b release headers */
{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
+ { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
{ 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
{ 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
{ 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
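Review bot: the new test only covers a library status nibble lower than the header's (0x...1f against 0x...10); add the mirror case `{ 0x10001010L, 0x1000101fL, 1 }, /* different status, other direction: ok */` so both directions of the relaxed status comparison are exercised, and ideally a case confirming that a differing minor still fails under the new `0xfff00000L` mask.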

debian/patches/openbsd-docs.patch

@ -0,0 +1,148 @@
From 39fe318a4b572deeb3f7d03e55d319c0ab112a28 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: openbsd-docs.patch
---
moduli.5 | 4 ++--
ssh-keygen.1 | 12 ++++--------
ssh.1 | 4 ++++
sshd.8 | 5 ++---
sshd_config.5 | 3 +--
5 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
.Nd Diffie-Hellman moduli
.Sh DESCRIPTION
The
-.Pa /etc/moduli
+.Pa /etc/ssh/moduli
file contains prime numbers and generators for use by
.Xr sshd 8
in the Diffie-Hellman Group Exchange key exchange method.
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
Diffie-Hellman output to sufficiently key the selected symmetric cipher.
.Xr sshd 8
then randomly selects a modulus from
-.Fa /etc/moduli
+.Fa /etc/ssh/moduli
that best meets the size requirement.
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 7af564297..d6a7870e0 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -196,9 +196,7 @@ key in
.Pa ~/.ssh/id_ed25519_sk
or
.Pa ~/.ssh/id_rsa .
-Additionally, the system administrator may use this to generate host keys,
-as seen in
-.Pa /etc/rc .
+Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
@@ -261,9 +259,7 @@ If
.Fl f
has also been specified, its argument is used as a prefix to the
default path for the resulting host key files.
-This is used by
-.Pa /etc/rc
-to generate new host keys.
+This is used by system administration scripts to generate new host keys.
.It Fl a Ar rounds
When saving a private key, this option specifies the number of KDF
(key derivation function) rounds used.
@@ -783,7 +779,7 @@ option.
Valid generator values are 2, 3, and 5.
.Pp
Screened DH groups may be installed in
-.Pa /etc/moduli .
+.Pa /etc/ssh/moduli .
It is important that this file contains moduli of a range of bit lengths and
that both ends of a connection share common moduli.
.Pp
@@ -1154,7 +1150,7 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index cf991e4ee..17b0e984f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -887,6 +887,10 @@ implements public key authentication protocol automatically,
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
The HISTORY section of
.Xr ssl 8
+(on non-OpenBSD systems, see
+.nh
+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
+.hy
contains a brief discussion of the DSA and RSA algorithms.
.Pp
The file
diff --git a/sshd.8 b/sshd.8
index 730520231..5ce0ea4fa 100644
--- a/sshd.8
+++ b/sshd.8
@@ -65,7 +65,7 @@ over an insecure network.
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/init.d/ssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
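Review bot: `.Pa /etc/init.d/ssh` is only accurate under sysvinit; on systemd-based Debian installs sshd is started by the ssh.service unit. Wording such as "started at boot by the init system" would stay correct across init systems and avoid another edit when the default changes.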
@@ -904,7 +904,7 @@ This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
key exchange method.
The file format is described in
@@ -1002,7 +1002,6 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index c926f584c..25f4b8117 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or through authentication styles supported in
-.Xr login.conf 5 )
+PAM).
The default is
.Cm yes .
.It Cm ChrootDirectory

debian/patches/package-versioning.patch

@ -0,0 +1,47 @@
From a4f868858c3395cacb59c58786b501317b9a3d03 Mon Sep 17 00:00:00 2001
From: Matthew Vernon <matthew@debian.org>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: package-versioning.patch
---
kex.c | 2 +-
version.h | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/kex.c b/kex.c
index 574c76093..f638942d3 100644
--- a/kex.c
+++ b/kex.c
@@ -1244,7 +1244,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
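Review bot: `SSH_RELEASE` can now contain a space (the version.h hunk below builds it as `SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION`), and RFC 4253 section 4.2 treats the first space of the identification line as the separator between softwareversion and comments. That is what keeps the scheme interoperable, but it means the Debian suffix is not part of the version string a peer compares against, and together with `version_addendum` the line now carries two space-separated comment fields subject to the `%.100s` truncation; a comment here explaining that would save the next reader a trip to the RFC.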
diff --git a/version.h b/version.h
index c2affcb2a..d79126cc3 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
#define SSH_VERSION "OpenSSH_8.2"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
+#ifdef SSH_EXTRAVERSION
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
+#else
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
+#endif


@ -0,0 +1,35 @@
From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
---
sshd_config | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sshd_config b/sshd_config
index 459c1b230..dc0db5706 100644
--- a/sshd_config
+++ b/sshd_config
@@ -38,9 +38,8 @@ Include /etc/ssh/sshd_config.d/*.conf
#PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
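Review bot: commenting out `AuthorizedKeysFile` hands the decision back to the compiled-in default, so the shipped file no longer states which files are consulted; the replacement comment should name the effective value (`.ssh/authorized_keys .ssh/authorized_keys2`) and mention that `sshd -T` reports it, because an administrator auditing where keys can be planted needs to know that both paths are live.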


@ -0,0 +1,172 @@
From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: restore-tcp-wrappers.patch
---
configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
sshd.8 | 7 +++++++
sshd.c | 25 +++++++++++++++++++++++
3 files changed, 89 insertions(+)
diff --git a/configure.ac b/configure.ac
index efafb6bd8..cee7cbc51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1556,6 +1556,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
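Review bot: `saved_LDFLAGS` and `saved_CPPFLAGS` are captured at the top of the new block but never restored (only `LIBS="$saved_LIBS"` is); either restore them after the link test or drop the two dead assignments so readers do not assume the flag changes are temporary. `AC_MSG_ERROR([*** libwrap missing])` making `--with-tcp-wrappers` hard-fail without libwrap is reasonable, but the empty line before the closing `])` looks accidental.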
@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index c5f8987d2..730520231 100644
--- a/sshd.8
+++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index d92f03aaf..62dc55cf2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
#include "ssherr.h"
#include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
rdomain = ssh_packet_rdomain_in(ssh);
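Review bot: the hosts_access() check runs in the privileged daemon before privilege separation and before any authentication, so libwrap's parsing of hosts.allow/hosts.deny and the reverse lookups performed by fromhost() are exposed to every unauthenticated client; that is the pre-auth attack surface the patch header acknowledges and it belongs in a code comment here as well. A smaller point: the refusal is only recorded on the sshd side via `debug()`, leaving the audit trail to libwrap's own syslog at `deny_severity`; a `logit()` or `verbose()` including the remote address would make refused connections visible in sshd's normal logging for detection purposes.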


@ -0,0 +1,93 @@
From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
AF21 for"
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
---
readconf.c | 4 ++--
servconf.c | 4 ++--
ssh_config.5 | 6 ++----
sshd_config.5 | 6 ++----
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
index e82024678..1b9494d7c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2230,9 +2230,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
if (options->proxy_use_fdpass == -1)
diff --git a/servconf.c b/servconf.c
index 7bbc25c2e..470ad3619 100644
--- a/servconf.c
+++ b/servconf.c
@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
index 34dc2d51b..91beb6f50 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
index e8271be74..d25b2f3d5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
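Review bot: both manual-page hunks now document `lowdelay`/`throughput` as the defaults without marking them as a Debian deviation from upstream's `af21`/`cs1`, unlike the keepalive patch, which tags its changes "(Debian-specific)"; add the same tag so readers comparing against upstream documentation are not confused, and note that these are the legacy IP TOS values rather than DSCP classes.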

debian/patches/scp-quoting.patch

@ -0,0 +1,41 @@
From 5166a6af68da4778c7e2c2d117bb56361c7aa361 Mon Sep 17 00:00:00 2001
From: Nicolas Valcárcel <nvalcarcel@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.
This should be revised to mimic real shell quoting.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27
Patch-Name: scp-quoting.patch
---
scp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 6901e0c94..9b64aa5f4 100644
--- a/scp.c
+++ b/scp.c
@@ -201,8 +201,16 @@ do_local_cmd(arglist *a)
if (verbose_mode) {
fprintf(stderr, "Executing:");
- for (i = 0; i < a->num; i++)
- fmprintf(stderr, " %s", a->list[i]);
+ for (i = 0; i < a->num; i++) {
+ if (i == 0)
+ fmprintf(stderr, " %s", a->list[i]);
+ else
+ /*
+ * TODO: misbehaves if a->list[i] contains a
+ * single quote
+ */
+ fmprintf(stderr, " '%s'", a->list[i]);
+ }
fprintf(stderr, "\n");
}
if ((pid = fork()) == -1)
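Review bot: the quoting is cosmetic and, as the TODO admits, wrong for an argument containing `'`: the `" '%s'"` format then prints a line that looks like a valid command but is not. Since this only affects verbose diagnostics, either escape embedded single quotes as `'\''` (POSIX) or print the arguments unquoted with a clear delimiter, rather than shipping output that invites copy-and-paste.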

debian/patches/selinux-role.patch

@ -0,0 +1,472 @@
From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2020-02-21
Patch-Name: selinux-role.patch
---
auth.h | 1 +
auth2.c | 10 ++++++++--
monitor.c | 37 +++++++++++++++++++++++++++++++++----
monitor.h | 2 ++
monitor_wrap.c | 27 ++++++++++++++++++++++++---
monitor_wrap.h | 3 ++-
openbsd-compat/port-linux.c | 21 ++++++++++++++-------
openbsd-compat/port-linux.h | 4 ++--
platform.c | 4 ++--
platform.h | 2 +-
session.c | 10 +++++-----
session.h | 2 +-
sshd.c | 2 +-
sshpty.c | 4 ++--
sshpty.h | 2 +-
15 files changed, 99 insertions(+), 32 deletions(-)
diff --git a/auth.h b/auth.h
index becc672b5..5da9fe75f 100644
--- a/auth.h
+++ b/auth.h
@@ -63,6 +63,7 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+ char *role;
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff --git a/auth2.c b/auth2.c
index 1c217268c..92a6bcaf4 100644
--- a/auth2.c
+++ b/auth2.c
@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
- char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
@@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
+ else if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
if (authctxt->attempt++ == 0) {
/* setup auth context */
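Review bot: the role is split out of the client-supplied username before any authentication has happened and is only recorded inside the `attempt++ == 0` block below, so a later userauth request carrying a different `/role` suffix is silently ignored instead of being rejected; compare later requests against the stored value and treat a mismatch as a protocol error. The two split lines also write the terminator inconsistently (`*role++ = 0;` versus `*style++ = '\0';`); pick one. Because `role` can now be any string the client chose, everything downstream has to treat it as untrusted input.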
@@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
+ authctxt->role = role ? xstrdup(role) : NULL;
if (use_privsep)
- mm_inform_authserv(service, style);
+ mm_inform_authserv(service, style, role);
userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0)
ssh_packet_disconnect(ssh,
diff --git a/monitor.c b/monitor.c
index ebf76c7f9..947fdfadc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -198,6 +199,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -820,6 +822,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
@@ -853,16 +856,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit_authentications(1);
if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
+ (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- debug3("%s: service=%s, style=%s",
- __func__, authctxt->service, authctxt->style);
+ debug3("%s: service=%s, style=%s, role=%s",
+ __func__, authctxt->service, authctxt->style, authctxt->role);
if (strlen(authctxt->style) == 0) {
free(authctxt->style);
authctxt->style = NULL;
}
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+
+int
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+{
+ int r;
+
+ monitor_permit_authentications(1);
+
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
return (0);
}
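Review bot: `mm_answer_authrole` stores into `&authctxt->role` without freeing the value that `mm_answer_authserv` already put there (the hunk above now reads the role from the AUTHSERV message as well), which leaks the old string and lets the role be replaced after service and style were fixed. Either free the previous value first or, better, drop one of the two paths, since the role already travels in AUTHSERV. The `monitor_permit_authentications(1)` copied into the new handler is also questionable: enabling authentication requests is the job of the AUTHSERV handler, and a second handler that does it widens what a compromised unprivileged child can ask the monitor for.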
@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
if (res == 0)
goto error;
- pty_setowner(authctxt->pw, s->tty);
+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
if ((r = sshbuf_put_u32(m, 1)) != 0 ||
(r = sshbuf_put_cstring(m, s->tty)) != 0)
diff --git a/monitor.h b/monitor.h
index 2b1a2d590..4d87284aa 100644
--- a/monitor.h
+++ b/monitor.h
@@ -65,6 +65,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
+
+ MONITOR_REQ_AUTHROLE = 154,
};
struct ssh;
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 6edb509a3..b49c268d3 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
return (banner);
}
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
{
struct sshbuf *m;
int r;
@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_put_cstring(m, service)) != 0 ||
- (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
+ (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
+ (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
sshbuf_free(m);
}
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+ struct sshbuf *m;
+ int r;
+
+ debug3("%s entering", __func__);
+
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+
+ sshbuf_free(m);
+}
+
/* Do the password authentication */
int
mm_auth_password(struct ssh *ssh, char *password)
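Review bot: nothing in this patch calls `mm_inform_authrole`; auth2.c passes the role through the extended `mm_inform_authserv(service, style, role)` instead. Dead code in the privsep wire protocol should go (together with `MONITOR_REQ_AUTHROLE` in monitor.h and `mm_answer_authrole` in monitor.c), because every reachable monitor request is attack surface for a compromised pre-auth child. Style nit: the blank line between the comment and `void` differs from the neighbouring functions.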
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 485590c18..370b08e17 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
#endif
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
const u_char *, size_t, const char *, const char *, u_int compat);
-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 622988822..3e6e07670 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
/* Return the default security context for the given username */
static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
{
security_context_t sc = NULL;
char *sename = NULL, *lvl = NULL;
@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
#endif
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+ &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
#endif
if (r != 0) {
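Review bot: `role` here comes straight from the client-supplied username (split in auth2.c above) with no length or character-set check before it is handed to `get_default_context_with_rolelevel` / `get_default_context_with_role`; the only thing between an arbitrary client string and a wrongly chosen context is libselinux returning non-zero. The `if (r != 0)` branch therefore has to fail closed in enforcing mode, and its log message should include the requested role, not just the user, so that a rejected role request shows up in the audit trail.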
@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
/* Set the execution context to the default for the specified user */
void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
{
security_context_t user_ctx = NULL;
@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
debug3("%s: setting execution context", __func__);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
if (setexeccon(user_ctx) != 0) {
switch (security_getenforce()) {
case -1:
@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
/* Set the TTY context for the specified user */
void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
{
security_context_t new_tty_ctx = NULL;
security_context_t user_ctx = NULL;
@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3c22a854d..c88129428 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/platform.c b/platform.c
index 44ba71dc5..2defe9425 100644
--- a/platform.c
+++ b/platform.c
@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
* called if sshd is running as root.
*/
void
-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
{
#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
/*
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
+ ssh_selinux_setup_exec_context(pw->pw_name, role);
#endif
}
diff --git a/platform.h b/platform.h
index ea4f9c584..60d72ffe7 100644
--- a/platform.h
+++ b/platform.h
@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
void platform_post_fork_child(void);
int platform_privileged_uidswap(void);
void platform_setusercontext(struct passwd *);
-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
int platform_sys_dir_uid(uid_t);
diff --git a/session.c b/session.c
index 06a33442a..871799590 100644
--- a/session.c
+++ b/session.c
@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
/* Set login name, uid, gid, and groups. */
void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
{
char uidstr[32], *chroot_path, *tmp;
@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
endgrent();
#endif
- platform_setusercontext_post_groups(pw);
+ platform_setusercontext_post_groups(pw, role);
if (!in_chroot && options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* Force a password change */
if (s->authctxt->force_pwchange) {
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
child_close_fds(ssh);
do_pwchange(s);
exit(1);
@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam)
do_nologin(pw);
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this in an interactive
@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
if (!use_privsep)
- pty_setowner(s->pw, s->tty);
+ pty_setowner(s->pw, s->tty, s->authctxt->role);
/* Set window size from the packet. */
pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
diff --git a/session.h b/session.h
index ce59dabd9..675c91146 100644
--- a/session.h
+++ b/session.h
@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
Session *session_new(void);
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
-void do_setusercontext(struct passwd *);
+void do_setusercontext(struct passwd *, const char *);
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
diff --git a/sshd.c b/sshd.c
index 62dc55cf2..65916fc6d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
reseed_prngs();
/* Drop privileges */
- do_setusercontext(authctxt->pw);
+ do_setusercontext(authctxt->pw, authctxt->role);
skip:
/* It is safe now to apply the key state */
diff --git a/sshpty.c b/sshpty.c
index bce09e255..308449b37 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
}
void
-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
{
struct group *grp;
gid_t gid;
@@ -186,7 +186,7 @@ pty_setowner(struct passwd *pw, const char *tty)
strerror(errno));
#ifdef WITH_SELINUX
- ssh_selinux_setup_pty(pw->pw_name, tty);
+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
#endif
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
diff --git a/sshpty.h b/sshpty.h
index 9ec7e9a15..de7e000ae 100644
--- a/sshpty.h
+++ b/sshpty.h
@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
void pty_release(const char *);
void pty_make_controlling_tty(int *, const char *);
void pty_change_window_size(int, u_int, u_int, u_int, u_int);
-void pty_setowner(struct passwd *, const char *);
+void pty_setowner(struct passwd *, const char *, const char *);
void disconnect_controlling_tty(void);

debian/patches/series vendored Normal file

@ -0,0 +1,25 @@
gssapi.patch
restore-tcp-wrappers.patch
selinux-role.patch
ssh-vulnkey-compat.patch
keepalive-extensions.patch
syslog-level-silent.patch
user-group-modes.patch
scp-quoting.patch
shell-path.patch
dnssec-sshfp.patch
mention-ssh-keygen-on-keychange.patch
package-versioning.patch
debian-banner.patch
authorized-keys-man-symlink.patch
openbsd-docs.patch
ssh-argv0.patch
doc-hash-tab-completion.patch
ssh-agent-setgid.patch
no-openssl-version-status.patch
gnome-ssh-askpass2-icon.patch
systemd-readiness.patch
debian-config.patch
restore-authorized_keys2.patch
conch-old-privkey-format.patch
revert-ipqos-defaults.patch

debian/patches/shell-path.patch vendored Normal file

@ -0,0 +1,39 @@
From c19bcc02b07b450d585d0fd10ccd96174aeb3b7c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21
Patch-Name: shell-path.patch
---
sshconnect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index 4711af782..4a5d4a003 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
/* Execute the proxy command. Note that we gave up any
extra privileges above. */
ssh_signal(SIGPIPE, SIG_DFL);
- execv(argv[0], argv);
+ execvp(argv[0], argv);
perror(argv[0]);
exit(1);
}
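Review bot: `execvp` only consults PATH when `argv[0]` contains no slash, so this changes behaviour exactly for a bare `$SHELL` such as `bash`; that is acceptable only because of the context comment above ("we gave up any extra privileges"), since with any retained privilege a PATH lookup of a user-controlled name would be an injection vector. Record that dependency in a comment next to the call so a future privilege change does not silently reintroduce it; the same applies to the `execlp` change in the next hunk.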
@@ -1388,7 +1388,7 @@ ssh_local_cmd(const char *args)
if (pid == 0) {
ssh_signal(SIGPIPE, SIG_DFL);
debug3("Executing %s -c \"%s\"", shell, args);
- execl(shell, shell, "-c", args, (char *)NULL);
+ execlp(shell, shell, "-c", args, (char *)NULL);
error("Couldn't execute %s -c \"%s\": %s",
shell, args, strerror(errno));
_exit(1);

debian/patches/ssh-agent-setgid.patch vendored Normal file

@ -0,0 +1,40 @@
From ad09303388f0172ab6e028aaf27d87cf873d123d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21
Patch-Name: ssh-agent-setgid.patch
---
ssh-agent.1 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/ssh-agent.1 b/ssh-agent.1
index fff0db6bc..99e4f6d2e 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -201,6 +201,21 @@ socket and stores its pathname in this variable.
It is accessible only to the current user,
but is easily abused by root or another instance of the same user.
.El
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
.Sh FILES
.Bl -tag -width Ds
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
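Review bot: the new paragraph states that `TMPDIR` is removed from the environment of the set-group-id binary, but the FILES entry directly below still documents the socket as `$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>`; on the Debian build that path ends up under /tmp whatever the caller set, and the entry should say so or the two statements contradict each other. It would also help to give the mechanism rather than only the goal: a set-id process starts out non-dumpable, which is what makes the kernel refuse a same-user ptrace attach.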

debian/patches/ssh-argv0.patch vendored Normal file

@ -0,0 +1,31 @@
From 4b1e0000a099f988553ccc4b274e1790b5114c12 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
---
ssh.1 | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssh.1 b/ssh.1
index 17b0e984f..b33a8049f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1610,6 +1610,7 @@ if an error occurred.
.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
+.Xr ssh-argv0 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr tun 4 ,

debian/patches/ssh-vulnkey-compat.patch vendored Normal file

@ -0,0 +1,42 @@
From 11d571f137c76d8c2e38b1c1a537b04cc279f8e3 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
---
readconf.c | 1 +
servconf.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/readconf.c b/readconf.c
index da8022dd0..0fc996871 100644
--- a/readconf.c
+++ b/readconf.c
@@ -191,6 +191,7 @@ static struct {
{ "fallbacktorsh", oDeprecated },
{ "globalknownhostsfile2", oDeprecated },
{ "rhostsauthentication", oDeprecated },
+ { "useblacklistedkeys", oDeprecated },
{ "userknownhostsfile2", oDeprecated },
{ "useroaming", oDeprecated },
{ "usersh", oDeprecated },
diff --git a/servconf.c b/servconf.c
index 191575a16..bf3cd84a4 100644
--- a/servconf.c
+++ b/servconf.c
@@ -656,6 +656,7 @@ static struct {
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
{ "uselogin", sDeprecated, SSHCFG_GLOBAL },


@ -0,0 +1,47 @@
From 387c2c1954773733bae9fca21a92db62c31180bd Mon Sep 17 00:00:00 2001
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it. The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14
Patch-Name: syslog-level-silent.patch
---
log.c | 1 +
ssh.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/log.c b/log.c
index d9c2d136c..1749af6d1 100644
--- a/log.c
+++ b/log.c
@@ -93,6 +93,7 @@ static struct {
LogLevel val;
} log_levels[] =
{
+ { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */
{ "QUIET", SYSLOG_LEVEL_QUIET },
{ "FATAL", SYSLOG_LEVEL_FATAL },
{ "ERROR", SYSLOG_LEVEL_ERROR },
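Review bot: placing the `SILENT` alias before `QUIET` means any code that maps a level back to its name by scanning this table in order (for instance when printing the effective configuration) now reports `SILENT` for a user who configured `QUIET`; put the compatibility entry after `QUIET` so the canonical name wins on reverse lookup.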
diff --git a/ssh.c b/ssh.c
index 110cf9c19..6138fd4d3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1305,7 +1305,7 @@ main(int ac, char **av)
/* Do not allocate a tty if stdin is not a tty. */
if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
options.request_tty != REQUEST_TTY_FORCE) {
- if (tty_flag)
+ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
logit("Pseudo-terminal will not be allocated because "
"stdin is not a terminal.");
tty_flag = 0;

debian/patches/systemd-readiness.patch vendored Normal file

@ -0,0 +1,84 @@
From a208834b2d1811dac7054d7fdcdd04672f8b19f6 Mon Sep 17 00:00:00 2001
From: Michael Biebl <biebl@debian.org>
Date: Mon, 21 Dec 2015 16:08:47 +0000
Subject: Add systemd readiness notification support
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22
Patch-Name: systemd-readiness.patch
---
configure.ac | 24 ++++++++++++++++++++++++
sshd.c | 9 +++++++++
2 files changed, 33 insertions(+)
diff --git a/configure.ac b/configure.ac
index cee7cbc51..5db3013de 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4664,6 +4664,29 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
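Review bot: an explicit `--with-systemd` that cannot find libsystemd (no pkg-config, or `$PKGCONFIG --exists libsystemd` failing) silently degrades to `SYSTEMD_MSG="no"` and a build without `HAVE_SYSTEMD`; a packager who asked for it then ships an sshd that never sends `READY=1` and a `Type=notify` unit that times out. Fail with `AC_MSG_ERROR` when the option was requested and the library is missing. Also `SYSTEMD_CFLAGS` is appended to the global `CPPFLAGS` while the libraries only go into `SSHDLIBS`; scoping the flags the same way as the libs would be cleaner.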
@@ -5476,6 +5499,7 @@ echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/sshd.c b/sshd.c
index da876a900..c069505a0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -2027,6 +2031,11 @@ main(int ac, char **av)
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
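Review bot: the call sits immediately before `server_accept_loop`, so `READY=1` is sent once the listeners exist, which is the right point. The first argument `0` keeps `NOTIFY_SOCKET` in sshd's environment; that is deliberate, because sshd re-executes itself on SIGHUP and the new listener must reach this line and notify again, so a comment saying so would stop someone "fixing" it to `1`. Consider also sending `RELOADING=1` in the SIGHUP path so the reload is visible to systemd.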

debian/patches/user-group-modes.patch vendored Normal file

@ -0,0 +1,210 @@
From 3309e464e5ae6c940ddd584eed4d2d403f4c168c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2019-10-09
Patch-Name: user-group-modes.patch
---
auth-rhosts.c | 6 ++----
auth.c | 3 +--
misc.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-----
misc.h | 2 ++
readconf.c | 3 +--
ssh.1 | 2 ++
ssh_config.5 | 2 ++
7 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 7a10210b6..587f53721 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
return 0;
}
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -287,8 +286,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
pw->pw_name, buf);
auth_debug_add("Bad file modes for %.200s", buf);
diff --git a/auth.c b/auth.c
index 687c57b42..aed3c13ac 100644
--- a/auth.c
+++ b/auth.c
@@ -474,8 +474,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
pw->pw_name, user_hostfile);
diff --git a/misc.c b/misc.c
index 3a31d5c18..073d3be19 100644
--- a/misc.c
+++ b/misc.c
@@ -61,8 +61,9 @@
#include <netdb.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
-#include <pwd.h>
#endif
+#include <pwd.h>
+#include <grp.h>
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
#endif
@@ -1124,6 +1125,55 @@ percent_expand(const char *string, ...)
#undef EXPAND_MAX_KEYS
}
+int
+secure_permissions(struct stat *st, uid_t uid)
+{
+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
+ return 0;
+ if ((st->st_mode & 002) != 0)
+ return 0;
+ if ((st->st_mode & 020) != 0) {
+ /* If the file is group-writable, the group in question must
+ * have exactly one member, namely the file's owner.
+ * (Zero-member groups are typically used by setgid
+ * binaries, and are unlikely to be suitable.)
+ */
+ struct passwd *pw;
+ struct group *gr;
+ int members = 0;
+
+ gr = getgrgid(st->st_gid);
+ if (!gr)
+ return 0;
+
+ /* Check primary group memberships. */
+ while ((pw = getpwent()) != NULL) {
+ if (pw->pw_gid == gr->gr_gid) {
+ ++members;
+ if (pw->pw_uid != uid)
+ return 0;
+ }
+ }
+ endpwent();
+
+ pw = getpwuid(st->st_uid);
+ if (!pw)
+ return 0;
+
+ /* Check supplementary group memberships. */
+ if (gr->gr_mem[0]) {
+ ++members;
+ if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+ gr->gr_mem[1])
+ return 0;
+ }
+
+ if (!members)
+ return 0;
+ }
+ return 1;
+}
+
int
tun_open(int tun, int mode, char **ifname)
{
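Review bot: the primary-group loop rejects on `pw->pw_uid != uid` (the user being checked) while the supplementary-group check compares against the file's owner (`getpwuid(st->st_uid)`); when a root-owned file is admitted via `platform_sys_dir_uid` the two tests disagree about whose group this must be, and the documented rule ("the group contains only the file's owner") says both should use `st->st_uid`. Two more points: the loop calls `getpwent()` without a preceding `setpwent()`, so it starts wherever an earlier enumeration stopped, and it walks the entire passwd database on every `safe_path` / `check_key_in_hostfiles` call, which on an NSS or LDAP-backed host is a full directory enumeration per authentication attempt, triggerable by unauthenticated clients. Cache the result per gid or bound the enumeration.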
@@ -1909,8 +1959,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
snprintf(err, errlen, "%s is not a regular file", buf);
return -1;
}
- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
- (stp->st_mode & 022) != 0) {
+ if (!secure_permissions(stp, uid)) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
return -1;
@@ -1925,8 +1974,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
strlcpy(buf, cp, sizeof(buf));
if (stat(buf, &st) == -1 ||
- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
- (st.st_mode & 022) != 0) {
+ !secure_permissions(&st, uid)) {
snprintf(err, errlen,
"bad ownership or modes for directory %s", buf);
return -1;
diff --git a/misc.h b/misc.h
index 4a05db2da..5db594b91 100644
--- a/misc.h
+++ b/misc.h
@@ -188,6 +188,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
__attribute__((format(printf, 2, 3)));
void notify_complete(struct notifier_ctx *);
+int secure_permissions(struct stat *st, uid_t uid);
+
#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/readconf.c b/readconf.c
index 2399208f8..7f251dd4a 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1902,8 +1902,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
if (fstat(fileno(f), &sb) == -1)
fatal("fstat %s: %s", filename, strerror(errno));
- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
- (sb.st_mode & 022) != 0))
+ if (!secure_permissions(&sb, getuid()))
fatal("Bad owner or permissions on %s", filename);
}
diff --git a/ssh.1 b/ssh.1
index db5c65bc7..cf991e4ee 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1506,6 +1506,8 @@ The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
.Pp
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
index 3079db19b..e61a0fd43 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1952,6 +1952,8 @@ The format of this file is described above.
This file is used by the SSH client.
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
.It Pa /etc/ssh/ssh_config
Systemwide configuration file.
This file provides defaults for those

debian/po/POTFILES.in vendored Normal file

@ -0,0 +1 @@
[type: gettext/rfc822deb] openssh-server.templates

debian/po/cs.po vendored Normal file

@ -0,0 +1,55 @@
# Czech PO debconf template translation of openssh.
# Copyright (C) 2014 Michal Simunek <michal.simunek@gmail.com>
# This file is distributed under the same license as the openssh package.
# Michal Simunek <michal.simunek@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh 1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-06-12 12:25+0200\n"
"Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
"Language: cs\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Zakázat ověřování heslem pro uživatele root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Předchozí verze openssh-server dovolovala přihlašovat se přes SSH jako root "
"pomocí ověřování heslem. Výchozí volba pro nové instalace je nyní "
"\"PermitRootLogin prohibit-password\", která zakazuje ověřování heslem pro "
"uživatele root, aniž by to omezilo systémy, které mají explicitně nastaveno "
"ověřování veřejným SSH klíčem pro uživatele root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Tato změna činí systémy zabezpečenějšími proti útokům hrubou silou na heslo "
"uživatele root pomocí slovníku (velmi častý cíl útoků). Nicméně, to může "
"poškodit systémy, které jsou nastaveny s předpokladem, že bude možné se "
"přihlašovat přes SSH jako root pomocí ověřování heslem. Změnu této volby "
"byste měli provést pouze pokud ověřování heslem potřebujete."

55
debian/po/da.po vendored Normal file

@ -0,0 +1,55 @@
# Danish translation openssh.
# Copyright (C) 2014 openssh og nedenstående oversættere.
# This file is distributed under the same license as the openssh package.
# Joe Hansen <joedalton2@yahoo.dk>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-21 23:51+0200\n"
"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
"Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
"Language: da\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Deaktiver SSH-adgangskodegodkendelse for root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Tidligere versioner af openssh-server tillod indlogning som root over SSH "
"med brug af adgangskodegodkendelse. Standarden for nye installationer er nu "
"»PermitRootLogin prohibit-password«, som deaktiverer adgangskodegodkendelse "
"for root uden at ødelægge systemer, som eksplicit har konfigureret SSH-"
"offentlig nøglegodkendelse for root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Denne ændring gør systemer mere sikre mod brute-force angreb vis ordlister "
"med adgangskoder på root-brugeren (et meget ofte mål for sådanne angreb). "
"Det kan dog ødelægge systemer, som er opsat med forventning om at kunne SSH "
"som root via brug af adgangskodegodkendelse. Du skal kun lave denne ændring, "
"hvis du ikke har brug for dette."

61
debian/po/de.po vendored Normal file

@ -0,0 +1,61 @@
# openssh.
# Copyright (C) 2014 Colin Watson
# Copyright (C) 2014 Stephan Beck
# This file is distributed under the same license as the openssh package.
# Stephan Beck <sbeck@mailbox.org>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh_1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-24 22:21+0100\n"
"Last-Translator: Stephan Beck <sbeck@mailbox.org>\n"
"Language-Team: Debian German translation team <debian-l10n-german@lists."
"debian.org>\n"
"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "SSH Passwort-Authentifizierung für »root« deaktivieren?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Vorherige Versionen von openssh-server erlaubten das Anmelden als »root« "
"über SSH unter Verwendung von Passwort-Authentifizierung. Die "
"Standardeinstellung für Neuinstallationen lautet nun »PermitRootLogin "
"prohibit-password«, wodurch die Passwort-Authentifizierung für »root« "
"deaktiviert wird, und Systeme dennoch funktionsfähig bleiben, bei denen "
"ausdrücklich die Authentifizierung als »root« mittels öffentlichem SSH-"
"Schlüssel konfiguriert ist."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Diese Änderung sichert Systeme besser gegen jene Angriffe auf den Benutzer "
"»root« (ein verbreitetes Ziel solcher Angriffe) ab, die das Passwort durch "
"simples Ausprobieren aller Einträge von Wörterbüchern zu erraten versuchen. "
"Sie kann allerdings dazu führen, dass Systeme nicht mehr funktionieren, die "
"in der Absicht konfiguriert wurden, die Anmeldung als »root« über SSH unter "
"Verwendung von Passwort-Authentifizierung zuzulassen. Sie sollten diese "
"Änderung nur vornehmen, wenn Sie auf Letzteres verzichten können."

80
debian/po/es.po vendored Normal file

@ -0,0 +1,80 @@
# openssh po-debconf translation to Spanish
# Copyright (C) 2014 Software in the Public Interest
# This file is distributed under the same license as the openssh package.
#
# Changes:
# - Initial translation
# Matías A. Bellone <matiasbellone+debian@gmail.com>, 2014
#
# Traductores, si no conocen el formato PO, merece la pena leer la
# de gettext, especialmente las secciones dedicadas a este
# formato, por ejemplo ejecutando:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Equipo de traducción al español, por favor, lean antes de traducir
# los siguientes documentos:
#
# - El proyecto de traducción de Debian al español
# http://www.debian.org/intl/spanish/
# especialmente las notas de traducción en
# http://www.debian.org/intl/spanish/notas
#
# - La guía de traducción de po's de debconf:
# /usr/share/doc/po-debconf/README-trans
# o http://www.debian.org/intl/l10n/po-debconf/README-trans
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-23 20:43-0300\n"
"Last-Translator: Matías Bellone <matiasbellone+debian@gmail.com>\n"
"Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
"Language: es\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"¿Desea desactivar la autenticación SSH mediante contraseña para el usuario "
"root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Las versiones anteriores de openssh-server permitían iniciar sesión como "
"usuario root utilizando autenticación con contraseña. La configuración "
"predeterminada para las nuevas instalaciones ahora incluye «PermitRootLogin "
"prohibit-password», lo que desactiva la autenticación con contraseña para el "
"usuario root sin romper los sistemas que tienen configurado explícitamente "
"la autenticación SSH utilizando claves públicas para el usuario root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Este cambio hace que los sistemas sean más resistentes contra ataques de "
"fuerza bruta basados en diccionarios sobre el usuario root (un objetivo muy "
"común para este tipo de ataques). Sin embargo, podría romper sistemas cuya "
"configuración permite que el usuario root inicie sesión a través de SSH "
"utilizando una contraseña. Sólo debería realizar este cambio si no necesita "
"este comportamiento."

59
debian/po/fr.po vendored Normal file

@ -0,0 +1,59 @@
# Translation of openssh debconf template to French
# Copyright (C) 2014
# This file is distributed under the same license as the openssh package.
# Étienne Gilli <etienne.gilli@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh_1:6.5p1-6\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-22 08:26+0100\n"
"Last-Translator: Étienne Gilli <etienne.gilli@gmail.com>\n"
"Language-Team: French <debian-l10n-french@lists.debian.org>\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"Désactiver lauthentification SSH par mot de passe pour le superutilisateur ?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Les versions précédentes du paquet openssh-server autorisaient la connexion "
"par SSH du superutilisateur (root) en utilisant lauthentification par mot "
"de passe. Par défaut, les nouvelles installations ont maintenant loption "
 PermitRootLogin prohibit-password », qui désactive lauthentification par "
"mot de passe pour le compte « root », sans casser les systèmes qui ont "
"configuré explicitement lauthentification SSH par clé publique pour ce "
"compte."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Cette modification rend les systèmes plus robustes face aux attaques par "
"force brute et par dictionnaire contre le superutilisateur (très souvent "
"pris pour cible par ce type dattaque). Cependant, cela peut rendre "
"inutilisables les systèmes reposant sur la possibilité de se connecter au "
"compte « root » par SSH avec authentification par mot de passe. Vous ne "
"devriez appliquer cette modification que si ce nest pas votre cas."

58
debian/po/it.po vendored Normal file

@ -0,0 +1,58 @@
# Italian translation of openssh debconf messages.
# Copyright (C) 2014, openssh package copyright holder
# This file is distributed under the same license as the openssh package.
# Beatrice Torracca <beatricet@libero.it>, 2014.
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-28 11:12+0200\n"
"Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
"Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
"Language: it\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: Virtaal 0.7.1\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Disabilitare l'autenticazione SSH con password per root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Le versioni precedenti di openssh-server permettevano il login come root via "
"SSH, usando l'autenticazione con password. Il comportamento predefinito "
"delle nuove installazioni è «PermitRootLogin prohibit-password» che "
"disabilita l'autenticazione con password per root, senza rendere non "
"funzionanti sistemi che hanno esplicitamente configurato l'autenticazione "
"SSH con chiave pubblica per root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Questo cambiamento rende i sistemi più al sicuro da attacchi di forza bruta "
"a dizionario sulle password per l'utente root (un obiettivo molto comune per "
"tali attacchi). Tuttavia, può rendere non funzionanti sistemi che sono "
"impostati facendo affidamento sulla possibilità di autenticazione SSH come "
"root usando la password. Si dovrebbe fare questo cambiamento solo se non si "
"ha bisogno di tale comportamento."

55
debian/po/ja.po vendored Normal file

@ -0,0 +1,55 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# victory <victory.deb@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-20 11:06+0900\n"
"Last-Translator: victory <victory.deb@gmail.com>\n"
"Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
"Language: ja\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "root での SSH パスワード認証を無効にしますか?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"openssh-server の以前のバージョンではパスワード認証を利用した SSH 経由の "
"root のログインを許可していました。新しくインストールした場合のデフォルト値が"
"現在は「PermitRootLogin prohibit-password」になり、root のパスワード認証を無"
"効化しますが SSH の公開鍵認証を root 用に明示的に設定しているシステムでは特に"
"問題はありません。"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"この変更によりシステムは root ユーザ (こういった攻撃ではとても一般的な攻撃対"
"象です) へのブルートフォースによるパスワード辞書攻撃に対してはより安全になり"
"ます。しかしパスワード認証により root で SSH 接続できることを前提として構成し"
"たシステムでは問題が発生する可能性があります。そういった必要のない場合にのみ"
"この変更を行うようにしてください。"

60
debian/po/nl.po vendored Normal file

@ -0,0 +1,60 @@
# Dutch translation of openssh debconf templates.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# Frans Spiesschaert <Frans.Spiesschaert@yucom.be>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-10-03 23:54+0200\n"
"Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
"Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
"Language: nl\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
"Wachtwoordauthenticatie over SSH voor de systeembeheerder uitschakelen?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Eerdere versies van de openssh-server lieten de systeembeheerder toe om zich "
"over SSH te authenticeren met een wachtwoord. Voor nieuwe installaties is de "
"standaard nu \"PermitRootLogin prohibit-password\". Deze standaardinstelling "
"maakt het voor de systeembeheerder onmogelijk om zich via een wachtwoord te "
"authenticeren. Deze instelling heeft geen impact op systemen waarbij de SSH-"
"configuratie expliciet vereist dat de systeembeheerder zich authenticeert "
"via een publieke sleutel."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Deze wijziging maakt systemen veiliger tegenover aanvallen met brute kracht "
"(met een wachtwoordenwoordenboek) op de systeembeheerder, een zeer courant "
"doelwit voor zulke aanvallen. Maar het kan systemen onbruikbaar maken die "
"ingesteld werden vanuit de verwachting dat de systeembeheerder SSH kan "
"gebruiken met authenticatie via wachtwoord. Enkel wanneer u dit laatste niet "
"nodig heeft, zou u deze wijziging kunnen doorvoeren."

59
debian/po/pt.po vendored Normal file

@ -0,0 +1,59 @@
# Translation of openssh's debconf messages to European Portuguese
# Copyright (C) 2014 YEAR THE openssh'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
#
# Américo Monteiro <a_monteiro@gmx.com>, 2014.
msgid ""
msgstr ""
"Project-Id-Version: openssh 1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-21 21:13+0000\n"
"Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n"
"Language-Team: Portuguese <traduz@debianpt.org>\n"
"Language: pt\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
"X-Generator: Lokalize 1.4\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Desactivar a autenticação SSH por palavra passe para o root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"As versões anteriores do servidor openssh permitiam iniciar sessão como root "
"sobre SSH usando autenticação por palavra-passe. A predefinição para novas "
"instalações é agora \"PermitRootLogin prohibit-password\", a qual desactiva "
"a autenticação por palavra-passe para o root sem danificar os sistemas que "
"têm configurados explicitamente autenticação SSH por chave pública para o "
"root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Esta alteração torna os sistemas mais seguros contra ataques em que se "
"forçam dicionários de palavras-passe no utilizador root (um alvo muito comum "
"para tais ataques). No entanto, pode danificar sistemas que estão "
"configurados com a expectativa de serem capazes de SSH como root usando "
"autenticação por palavra-passe. Apenas deverá fazer esta alteração se não "
"precisa de tal método de autenticação."

57
debian/po/pt_BR.po vendored Normal file

@ -0,0 +1,57 @@
# Debconf translations for openssh.
# Copyright (C) 2014 THE openssh'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# José de Figueiredo <deb.gnulinux@gmail.com>, 2014.
#
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-11-23 23:49-0200\n"
"Last-Translator: José de Figueiredo <deb.gnulinux@gmail.com>\n"
"Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
"org>\n"
"Language: pt_BR\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Desabilitar autenticação por senha do SSH para root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Versões anteriores do openssh-server permitiam login como root sobre SSH "
"usando autenticação por senha. O padrão para as novas instalações agora é "
"\"PermitRootLogin prohibit-password\", que desabilita a autenticação por "
"senha para root sem quebrar sistemas que tenham configurado explicitamente o "
"SSH para autenticação por chave pública para root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Esta alteração torna sistemas mais seguros contra ataques de força bruta por "
"dicionário de senhas no usuário root (um alvo muito comum destes ataques). "
"Entretanto, ela pode quebrar sistemas que foram configurados com a "
"expectativa de acesso SSH com root usando autenticação por senha. Você deve "
"fazer esta mudança somente se você não precisa fazer isso."

57
debian/po/ru.po vendored Normal file

@ -0,0 +1,57 @@
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
#
# Yuri Kozlov <yuray@komyakino.ru>, 2014.
msgid ""
msgstr ""
"Project-Id-Version: openssh 1:6.6p1-1\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-22 10:04+0400\n"
"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
"Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
"X-Generator: Lokalize 1.4\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Выключить в SSH аутентификацию по паролю для root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"В предыдущих версиях openssh-server разрешён вход с правами пользователя "
"root через SSH с помощью аутентификации по паролю. При новых установках по "
"умолчанию теперь используется настройка «PermitRootLogin prohibit-password», "
"которая отключает аутентификацию по паролю для root, что не вредит системам, "
"у которых в SSH для root настроена аутентификация по открытому ключу."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Это изменение делает системы более стойкими к атакам методом перебора "
"словарных паролей для пользователя root (самая распространённая цель таких "
"атак). Однако, это вредит системам, в которых специально настроен вход для "
"root по SSH с парольной аутентификацией. Если это не ваш случай, то ответьте "
"утвердительно."

58
debian/po/sv.po vendored Normal file

@ -0,0 +1,58 @@
# Swedish translations for openssh package
# Svenska översättningar för paket openssh.
# Copyright (C) 2014 THE openssh'S COPYRIGHT HOLDER
# This file is distributed under the same license as the openssh package.
# Andreas Rönnquist <gusnan@gusnan.se>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-03-21 21:36+0100\n"
"Last-Translator: Andreas Rönnquist <gusnan@gusnan.se>\n"
"Language-Team: Swedish\n"
"Language: sv\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "Inaktivera SSH-lösenordsautentisering för root?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"Tidigare versioner av openssh-server tillät inloggning som root över SSH med "
"hjälp av lösenordsautentisering. Standardinställningen för nya "
"installationer är nu \"PermitRootLogin prohibit-password\", vilket "
"inaktiverar lösenordsautentisering för root utan att förstöra system som "
"explicit har konfigurerat nyckelautentisering med hjälp av publika nycklar "
"för root."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Denna förändring gör system säkrare mot brute-force-angrepp med hjälp av "
"ordlistor med lösenord på root-användaren (ett väldigt vanligt mål för "
"sådana angrepp). Dock så kan detta förstöra system som förväntas kunna "
"använda SSH som root med hjälp av lösenordsautentisering. Du skall endast "
"göra denna förändring om du inte har ett behov av att kunna göra detta."

46
debian/po/templates.pot vendored Normal file

@ -0,0 +1,46 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: openssh\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr ""
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""

58
debian/po/tr.po vendored Normal file

@ -0,0 +1,58 @@
# Turkish translation of openssh package
# Copyright (C) 2014 Mert Dirik
# This file is distributed under the same license as the openssh package.
# Mert Dirik <mertdirik@gmail.com>, 2014.
#
msgid ""
msgstr ""
"Project-Id-Version: openssh-server\n"
"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
"POT-Creation-Date: 2014-03-20 02:06+0000\n"
"PO-Revision-Date: 2014-08-01 14:44+0200\n"
"Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
"Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Poedit 1.5.4\n"
"Language: tr\n"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid "Disable SSH password authentication for root?"
msgstr "root kullanıcısının parola ile kimlik doğrulaması engellensin mi?"
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"Previous versions of openssh-server permitted logging in as root over SSH "
"using password authentication. The default for new installations is now "
"\"PermitRootLogin prohibit-password\", which disables password "
"authentication for root without breaking systems that have explicitly "
"configured SSH public key authentication for root."
msgstr ""
"openssh-server'ın önceki sürümleri parola ile kimlik doğrulama kullanılarak "
"root kullanıcısının SSH üzerinden oturum açmasına izin veriyordu. Artık yeni "
"kurulumların öntanımlı ayarı \"PermitRootLogin prohibit-password\" "
"şeklindedir. Bu ayar root kullanıcısının parola kullanarak oturum açmasını "
"yasaklar. SSH genel anahtar doğrulama yöntemine ayrıca izin veren mevcut "
"sistemler bu ayardan etkilenmez."
#. Type: boolean
#. Description
#: ../openssh-server.templates:1001
msgid ""
"This change makes systems more secure against brute-force password "
"dictionary attacks on the root user (a very common target for such attacks). "
"However, it may break systems that are set up with the expectation of being "
"able to SSH as root using password authentication. You should only make this "
"change if you do not need to do that."
msgstr ""
"Bu ayar sistemleri kaba kuvvet sözlükten parola saldırılarına karşı güvenli "
"hale getirir (root kullanıcısı bu tarz saldırıların en büyük "
"hedeflerindendir). Fakat bu ayarın etkinleştirilmesi, root kullanıcısına "
"parola doğrulama yöntemiyle oturum açılabileceği varsayımıyla hareket eden "
"sistemlerde eskiden çalışan düzenin bozulmasına sebep olacaktır. Bu "
"değişikliği yalnızca sorun çıkarmayacağından eminseniz yapın."
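Review bot: the last msgstr in this hunk drifts from its msgid: the Turkish says, in effect, "only make this change if you are sure it will not cause problems", whereas the English condition is "only if you do not need to SSH as root using password authentication". The debconf question is asked precisely on systems where the administrator may still depend on root password logins, so the translated advice should state that condition rather than a general "if you are sure it is safe"; please align the sentence with the msgid.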

229
debian/rules vendored Executable file

@ -0,0 +1,229 @@
#!/usr/bin/make -f
export DEB_BUILD_MAINT_OPTIONS := hardening=+all
include /usr/share/dpkg/default.mk
# Uncomment this to turn on verbose mode.
# export DH_VERBOSE=1
# This has to be exported to make some magic below work.
export DH_OPTIONS
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
RUN_TESTS := yes
else
RUN_TESTS :=
endif
ifeq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
PARALLEL :=
else
PARALLEL := \
-j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
endif
ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
CC := gcc
PKG_CONFIG = pkg-config
else
CC := $(DEB_HOST_GNU_TYPE)-gcc
PKG_CONFIG = $(DEB_HOST_GNU_TYPE)-pkg-config
RUN_TESTS :=
endif
# Change the version string to reflect distribution
SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//')
UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu))
ifeq ($(UBUNTU),yes)
DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
else
DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/games
endif
SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ifeq ($(UBUNTU),yes)
server_recommends := ssh-import-id
else
server_recommends :=
endif
# Common path configuration.
confflags += --sysconfdir=/etc/ssh
confflags += --libexecdir=\$${prefix}/lib/openssh
# Common build options.
confflags += --disable-strip
confflags += --with-mantype=doc
confflags += --with-4in6
confflags += --with-privsep-path=/run/sshd
confflags += --with-pid-dir=/run
# The Hurd needs libcrypt for res_query et al.
ifeq ($(DEB_HOST_ARCH_OS),hurd)
confflags += --with-libs=-lcrypt
endif
# Everything above here is common to the deb and udeb builds.
confflags_udeb := $(confflags)
# Options specific to the deb build.
confflags += --with-tcp-wrappers
confflags += --with-pam
confflags += --with-libedit
confflags += --with-kerberos5=/usr
confflags += --with-ssl-engine
ifeq ($(DEB_HOST_ARCH_OS),linux)
confflags += --with-selinux
confflags += --with-audit=linux
confflags += --with-systemd
confflags += --with-security-key-builtin
endif
# The deb build wants xauth; the udeb build doesn't.
confflags += --with-xauth=/usr/bin/xauth
confflags_udeb += --without-xauth
# Default paths. The udeb build has /usr/games removed.
confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH)
confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Compiler flags.
cflags := $(CPPFLAGS) $(CFLAGS)
cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
cflags_udeb := -Os
cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
confflags += --with-cflags='$(cflags)'
confflags_udeb += --with-cflags='$(cflags_udeb)'
# Linker flags.
confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))'
confflags_udeb += --with-ldflags='-Wl,--as-needed'
ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes) $(DEB_HOST_ARCH), yes i386)
BUILD_PACKAGES += -Nopenssh-tests
endif
%:
dh $@ --with=autoreconf,systemd,runit $(BUILD_PACKAGES)
autoreconf:
autoreconf -f -i
cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./
override_dh_autoreconf-arch:
dh_autoreconf debian/rules -- autoreconf
override_dh_autoreconf-indep:
override_dh_auto_configure-arch:
dh_auto_configure -Bdebian/build-deb -- $(confflags)
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
dh_auto_configure -Bdebian/build-udeb -- $(confflags_udeb)
# Avoid libnsl linkage. Ugh.
perl -pi -e 's/ +-lnsl//' debian/build-udeb/config.status
cd debian/build-udeb && ./config.status
endif
override_dh_auto_configure-indep:
override_dh_auto_build-arch:
$(MAKE) -C debian/build-deb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass'
$(MAKE) -C debian/build-deb regress-prep
$(MAKE) -C debian/build-deb $(PARALLEL) regress-binaries
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
$(MAKE) -C debian/build-udeb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen
endif
ifeq ($(filter pkg.openssh.nognome,$(DEB_BUILD_PROFILES)),)
$(MAKE) -C contrib gnome-ssh-askpass3 CC='$(CC) $(CPPFLAGS) $(CFLAGS) -Wall -Wl,--as-needed $(LDFLAGS)' PKG_CONFIG=$(PKG_CONFIG)
endif
override_dh_auto_build-indep:
override_dh_auto_test-arch:
ifeq ($(RUN_TESTS),yes)
$(MAKE) -C debian/build-deb unit compat-tests
$(MAKE) -C debian/keygen-test
endif
override_dh_auto_test-indep:
override_dh_auto_clean:
rm -rf debian/build-deb debian/build-udeb
ifeq ($(RUN_TESTS),yes)
$(MAKE) -C debian/keygen-test clean
endif
$(MAKE) -C contrib clean
override_dh_auto_install-arch:
$(MAKE) -C debian/build-deb DESTDIR=`pwd`/debian/tmp install-nokeys
override_dh_auto_install-indep:
override_dh_install-arch:
rm -f debian/tmp/etc/ssh/sshd_config
dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing
ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),)
dh_install -popenssh-client-udeb -popenssh-server-udeb \
--sourcedir=debian/build-udeb
endif
# Remove version control tags to avoid unnecessary conffile
# resolution steps for administrators.
sed -i '/\$$OpenBSD:/d' \
debian/openssh-server/etc/ssh/moduli \
debian/openssh-client/etc/ssh/ssh_config
# We'd like to use dh_install --fail-missing here, but that doesn't work
# well in combination with dh-exec: it complains that files generated by
# dh-exec for architecture-dependent packages aren't installed.
override_dh_install-indep:
rm -f debian/tmp/etc/ssh/sshd_config
dh_install
override_dh_installdocs:
dh_installdocs -Nopenssh-server -Nopenssh-sftp-server
dh_installdocs -popenssh-server -popenssh-sftp-server \
--link-doc=openssh-client
# Avoid breaking dh_installexamples later.
mkdir -p debian/openssh-server/usr/share/doc/openssh-client
override_dh_systemd_enable:
dh_systemd_enable -popenssh-server --name ssh ssh.service
dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket
override_dh_installinit:
dh_installinit -R --name ssh
debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in
ifeq ($(DEB_HOST_ARCH_OS),linux)
sed 's/^@IF_KEYINIT@//' $< > $@
else
sed '/^@IF_KEYINIT@/d' $< > $@
endif
override_dh_installpam: debian/openssh-server.sshd.pam
dh_installpam --name sshd
override_dh_runit:
dh_runit -popenssh-server
override_dh_fixperms-arch:
dh_fixperms
chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign
# Tighten libssl dependencies to match the check in entropy.c.
override_dh_shlibdeps:
dh_shlibdeps
debian/adjust-openssl-dependencies
override_dh_gencontrol:
dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)'
debian/faq.html:
wget -O - http://www.openssh.com/faq.html | \
sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.com/\2,g' \
> debian/faq.html
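Review bot: the udeb flags at `cflags_udeb := -Os` and `confflags_udeb += --with-ldflags='-Wl,--as-needed'` pass none of the hardening flags that `export DEB_BUILD_MAINT_OPTIONS := hardening=+all` at the top of the file turns on; the deb build hands `$(CPPFLAGS) $(CFLAGS)` and `$(LDFLAGS)` to configure explicitly, while the udeb build relies only on whatever dh_auto_configure happens to export into the environment, so the installer's ssh/sshd/sftp may end up without PIE, RELRO/bindnow, stack protector or FORTIFY. Either append `$(CPPFLAGS) $(CFLAGS)` and `$(LDFLAGS)` to the udeb variables as well, or add a comment saying the omission is deliberate and check the udeb binaries with `hardening-check` before upload. Two smaller points in the same hunk: `chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign` ships a setuid-root helper that exists only for HostbasedAuthentication (it needs root to read the host private keys) and is inert until `EnableSSHKeysign yes` is set in ssh_config, which deserves a comment beside the chmod so that admins know they can `dpkg-statoverride` it away when host-based auth is unused; and the `debian/faq.html` target downloads `http://www.openssh.com/faq.html` over plain HTTP with no integrity check before the result is shipped as package documentation, so it should at least fetch over https.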

39
debian/run-tests vendored Executable file

@ -0,0 +1,39 @@
#! /bin/sh
# Run installed OpenSSH regression tests.
tmp="$1"
if [ -z "$tmp" ]; then
tmp="$(mktemp -d)"
cleanup () {
rm -rf "$tmp"
}
trap cleanup EXIT
fi
# Copy the regression tests to a fresh directory; this is easier than trying
# to pick apart which ones need write access.
cp -a /usr/lib/openssh/regress "$tmp/regress"
ret=0
make -C "$tmp/regress" \
.OBJDIR="$tmp/regress" \
.CURDIR="$tmp/regress" \
BUILDDIR="$tmp/regress" \
OBJ="$tmp/regress" \
SUDO=sudo \
TEST_SHELL=sh \
TEST_SSH_SFTPSERVER=/usr/lib/openssh/sftp-server \
TEST_SSH_PLINK=plink \
TEST_SSH_PUTTYGEN=puttygen \
TEST_SSH_CONCH=conch3 \
TEST_SSH_IPV6=yes \
TEST_SSH_ECC=yes \
tests interop-tests </dev/zero || ret="$?"
if [ "$ret" -ne 0 ]; then
for log in failed-regress.log failed-ssh.log failed-sshd.log; do
if [ -e "$tmp/regress/$log" ]; then
tail -v -n+0 "$tmp/regress/$log"
fi
done
fi
exit "$ret"
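Review bot: the header comment should say what `SUDO=sudo` implies: parts of the regression suite run as root and start listening sshd instances on the host, so the script needs passwordless sudo and belongs on a disposable machine, not an administrator's workstation. Separately, when a directory is passed as `$1` it is never checked to exist and no `cleanup` trap is installed (the latter is presumably intended, so the caller keeps the logs), but because there is no `set -e` a mistyped path makes `cp -a` fail quietly and the run ends with make's "No such file or directory" instead of a clear message; a `[ -d "$tmp" ] || { echo "$tmp: not a directory" >&2; exit 1; }` after the `fi` would fix that.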

1
debian/source/format vendored Normal file

@ -0,0 +1 @@
3.0 (quilt)

1
debian/source/include-binaries vendored Normal file

@ -0,0 +1 @@
debian/ssh-askpass-gnome.png

2
debian/source/lintian-overrides vendored Normal file

@ -0,0 +1,2 @@
# openssh-server/password-authentication is preseeding-only, at least for now.
openssh source: untranslatable-debconf-templates openssh-server.templates: 20

31
debian/ssh-argv0 vendored Normal file

@ -0,0 +1,31 @@
#! /bin/sh
set -e
# Copyright (c) 2001 Natalie Amery.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
if [ "${0##*/}" = "ssh-argv0" ]
then
echo 'ssh-argv0: This script should not be run like this, see ssh-argv0(1) for details' 1>&2
exit 1
fi
exec ssh "${0##*/}" "$@"
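Review bot: `exec ssh "${0##*/}" "$@"` hands the link's basename to ssh as its first argument, so a link whose name begins with `-` is parsed by ssh as an option rather than as a hostname. Inserting `--` is not a fix here, because ssh stops option parsing after `--` and the `hostname [-l login_name] [command]` form documented in ssh-argv0(1) depends on options being accepted after the host. Either reject such names up front, e.g. `case "${0##*/}" in -*) echo 'ssh-argv0: link name must not start with -' 1>&2; exit 1;; esac`, or state the restriction in the man page.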

64
debian/ssh-argv0.1 vendored Normal file

@ -0,0 +1,64 @@
.Dd September 7, 2001
.Dt SSH-ARGV0 1
.Os Debian Project
.Sh NAME
.Nm ssh-argv0
.Nd replaces the old ssh command-name as hostname handling
.Sh SYNOPSIS
.Ar hostname | user@hostname
.Op Fl l Ar login_name
.Op Ar command
.Pp
.Ar hostname | user@hostname
.Op Fl afgknqstvxACNTX1246
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
.Op Fl l Ar login_name
.Op Fl m Ar mac_spec
.Op Fl o Ar option
.Op Fl p Ar port
.Op Fl F Ar configfile
.Oo Fl L Xo
.Sm off
.Ar port :
.Ar host :
.Ar hostport
.Sm on
.Xc
.Oc
.Oo Fl R Xo
.Sm off
.Ar port :
.Ar host :
.Ar hostport
.Sm on
.Xc
.Oc
.Op Fl D Ar port
.Op Ar command
.Sh DESCRIPTION
.Nm
replaces the old ssh command-name as hostname handling.
If you link to this script with a hostname then executing the link is
equivalent to having executed ssh with that hostname as an argument.
All other arguments are passed to ssh and will be processed normally.
.Sh OPTIONS
See
.Xr ssh 1 .
.Sh FILES
See
.Xr ssh 1 .
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
Natalie Amery wrote this ssh-argv0 script and the associated documentation.
.Sh SEE ALSO
.Xr ssh 1
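Review bot: the expanded SYNOPSIS (`.Op Fl afgknqstvxACNTX1246` through `.Op Fl D Ar port`) is a 2001 copy of ssh(1)'s option list and no longer matches the ssh shipped with 8.2p1: `-1` refers to protocol 1, which ssh stopped supporting in 7.6, and newer options such as `-J`, `-W`, `-Q`, `-G` and `-E` are absent, so readers get a list that is both stale and incomplete. Since OPTIONS and FILES already defer to ssh(1), the synopsis should be cut down to `hostname | user@hostname [ssh options] [command]` with a cross-reference, and `.Dd September 7, 2001` should be bumped when that is done.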

Some files were not shown because too many files have changed in this diff