openssh 1:9.6p1-3ubuntu1 source package in Ubuntu
Changelog
openssh (1:9.6p1-3ubuntu1) noble; urgency=medium * Merge with Debian unstable (LP: #2040406). Remaining changes: - debian/rules: modify dh_installsystemd invocations for socket-activated sshd. - debian/openssh-server.postinst: handle migration of sshd_config options to systemd socket options on upgrade. - debian/README.Debian: document systemd socket activation. - debian/patches/socket-activation-documentation.patch: Document in sshd_config(5) that ListenAddress and Port no longer work. - debian/openssh-server.templates: include debconf prompt explaining when migration cannot happen due to multiple ListenAddress values. - debian/.gitignore: drop file. - debian/openssh-server.postrm: remove systemd drop-ins for socket-activated sshd on purge. - debian/openssh-server.ucf-md5sum: update for Ubuntu delta - debian/openssh-server.tmpfile,debian/systemd/ssh.service: Move /run/sshd creation out of the systemd unit to a tmpfile config so that sshd can be run manually if necessary without having to create this directory by hand. - debian/patches/systemd-socket-activation.patch: Fix sshd re-execution behavior when socket activation is used. - debian/tests/systemd-socket-activation: Add autopkgtest for systemd socket activation functionality. - d/p/test-set-UsePAM-no-on-some-tests.patch: set UsePAM=no for some tests. * Dropped changes, fixed upstream: - d/p/fix-ftbfs-with-zlib13.patch: fix ftbfs when using zlib 1.3 (LP #2049552) openssh (1:9.6p1-3) unstable; urgency=medium * Allow passing extra ssh-agent arguments via "/usr/lib/openssh/agent-launch start", making it possible to override things like identity lifetime using a systemd drop-in unit (closes: #1059639). * Don't try to start rescue-ssh.target in postinst (LP: #2047082). openssh (1:9.6p1-2) unstable; urgency=medium * Improve detection of broken -fzero-call-used-regs=used (see https://bugzilla.mindrot.org/show_bug.cgi?id=3645; fixes build on ppc64/ppc64el). openssh (1:9.6p1-1) unstable; urgency=medium * Use single quotes in suggested ssh-keygen commands (closes: #1057835). * Debconf translations: - Catalan (thanks, Pablo Huguet; closes: #1049995). * New upstream release (https://www.openssh.com/releasenotes.html#9.6p1): - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected. - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive. OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. - ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification. - ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. - ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels. - ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported. - ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block. - ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case. - ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active. - ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. - ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. - sftp(1): correct handling of the <email address hidden> option when the server returned an unexpected message. - ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. - ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. - scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode. - ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support. * debian/run-tests: Supply absolute paths to tools. * debian/run-tests: Enable interop tests for Dropbear. openssh (1:9.5p1-2) unstable; urgency=medium * Upload to unstable. openssh (1:9.5p1-1) experimental; urgency=medium * New upstream release (https://www.openssh.com/releasenotes.html#9.5p1): - ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014). - sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. - ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword. - ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "<email address hidden>" ext-info message with a string version number of "0". - sshd(8): allow override of Subsystem directives in sshd Match blocks. - scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. - ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files. - ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty. - sshd(8): make PerSourceMaxStartups first-match-wins. - sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism. - sshd(8): Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal(). - sshd(8): correct math for ClientAliveInterval that caused the probes to be sent less frequently than configured. - ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances. * Build-depend on dh-sequence-movetousr. * Report DebianBanner setting in "sshd -G/-T" output (thanks, Rasmus Villemoes; closes: #1053555). -- Miriam España Acebal <email address hidden> Mon, 29 Jan 2024 11:16:31 +0100
Upload details
- Uploaded by:
- Miriam España Acebal
- Sponsored by:
- Nick Rosbrook
- Uploaded to:
- Noble
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- net
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
openssh_9.6p1.orig.tar.gz | 1.8 MiB | 910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c |
openssh_9.6p1.orig.tar.gz.asc | 833 bytes | 9b1e931cbc811f02e91f7eacd55f8211cc45dade11975462f4b0dcdad29927aa |
openssh_9.6p1-3ubuntu1.debian.tar.xz | 189.9 KiB | 828c80b8f9197431f6e009a3c4c62c28a5f4773721402e6dd31fae2202a65738 |
openssh_9.6p1-3ubuntu1.dsc | 3.3 KiB | 467e8c889cbad2255de36b29b9798ea6ddbc47b2554c8ab9716fa265fa3033e2 |
Available diffs
- diff from 1:9.4p1-1ubuntu1 to 1:9.6p1-3ubuntu1 (181.8 KiB)
- diff from 1:9.4p1-1ubuntu2 to 1:9.6p1-3ubuntu1 (182.1 KiB)
Binary packages built by this source
- openssh-client: secure shell (SSH) client, for secure access to remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the ssh, scp and sftp clients, the ssh-agent
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
ssh replaces the insecure rsh, rcp and rlogin programs, which are
obsolete for most purposes.
- openssh-client-dbgsym: debug symbols for openssh-client
- openssh-server: secure shell (SSH) server, for secure access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the sshd server.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
sshd replaces the insecure rshd program, which is obsolete for most
purposes.
- openssh-server-dbgsym: debug symbols for openssh-server
- openssh-sftp-server: secure shell (SSH) sftp server module, for SFTP access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the SFTP server module for the SSH server. It
is needed if you want to access your SSH server with SFTP. The SFTP
server module also works with other SSH daemons like dropbear.
.
OpenSSH's sftp and sftp-server implement revision 3 of the SSH filexfer
protocol described in:
.
http://www.openssh. com/txt/ draft-ietf- secsh-filexfer- 02.txt
.
Newer versions of the draft will not be supported, though some features
are individually implemented as extensions.
- openssh-sftp-server-dbgsym: debug symbols for openssh-sftp-server
- openssh-tests: OpenSSH regression tests
This package provides OpenSSH's regression test suite. It is mainly
intended for use with the autopkgtest system, though can also be run
directly using /usr/lib/openssh/ regress/ run-tests.
- openssh-tests-dbgsym: debug symbols for openssh-tests
- ssh: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
and the OpenSSH server. It provides nothing in and of itself, so you
may remove it if nothing depends on it.
- ssh-askpass-gnome: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main openssh-client package so that
openssh-client does not need to depend on GTK+.
.
You probably want the ssh-askpass package instead, but this is
provided to add to your choice and/or confusion.
- ssh-askpass-gnome-dbgsym: debug symbols for ssh-askpass-gnome