openkylin
/
openssh
mirror of https://gitee.com/openkylin/openssh.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
45 Commits 6 Branches 12 Tags 5.9 MiB
Commit Graph

6 Commits

Author SHA1 Message Date
Colin Watson d194c5bf3b Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for" 
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.

The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.

Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08

Patch-Name: revert-ipqos-defaults.patch

Gbp-Pq: Name revert-ipqos-defaults.patch
 2024-04-10 14:39:11 +08:00
Kees Cook 83f02f00a0 Add DebianBanner server configuration option 
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.

Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2023-12-18

Patch-Name: debian-banner.patch

Gbp-Pq: Name debian-banner.patch
 2024-04-10 14:39:11 +08:00
Colin Watson 8c38607866 Accept obsolete ssh-vulnkey configuration options 
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.

Last-Update: 2014-02-09

Patch-Name: ssh-vulnkey-compat.patch

Gbp-Pq: Name ssh-vulnkey-compat.patch
 2024-04-10 14:39:10 +08:00
Simon Wilkinson e657c8997e GSSAPI key exchange support 
This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years.  This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface.  This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."

However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have).  It seems to have a generally good
security history.

2024-03-13 update:
Upstream commit dbb339f015c33d63484261d140c84ad875a9e548 ("prepare for
multiple names for authmethods") changed the Authmethod structure to
incorporate a new element "synonym", and also changed the signature of the
userauth_gssapi function to have an extra method parameter. These changes need
to be replicated to the gsskeyex patch.
This fixes LP: #2053146

Author: Simon Wilkinson <simon@sxw.org.uk>
Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2024-03-13

Patch-Name: gssapi.patch

Gbp-Pq: Name gssapi.patch
 2024-04-10 14:39:10 +08:00
lixiuwen 71cc35751a Import Upstream version 9.6p1 2024-04-10 14:39:05 +08:00
Lu zhiping 1968fef375 Import Upstream version 8.2p1 2022-06-16 16:57:06 +08:00