Last commit made on 2011-06-17
Get this branch:
git clone -b ubuntu/maverick-updates https://git.launchpad.net/ubuntu/+source/openssh

Recent commits

5837046... by Clint Byrum on 2011-06-11

Import patches-unapplied version 1:5.5p1-4ubuntu6 to ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: d1eae4b6ff15a0514a73f1cbdd8ddcf9baf565bb

New changelog entries:
  [ Clint Byrum ]
  * debian/openssh-server.ssh.init: Adding upstart awareness that will
    call /lib/init/upstart-job when script is run outside of a chroot.
    While this fixes LP: #531912, the change should be reverted when
    upstart gains chroot session support.
  [ Colin Watson ]
  * Only do the above if /etc/init/ssh.conf still exists, since apparently
    some people have been removing it.

d1eae4b... by Imre Gergely on 2011-01-07

Import patches-unapplied version 1:5.5p1-4ubuntu5 to ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: 7e00e91f9d3c168d9d109607d048fd2f98db0cec

New changelog entries:
  * debian/openssh-server.ssh.upstart: drop 'expect fork' and run sshd
    with -D to avoid losing track on reload (LP: #687535)

7e00e91... by Colin Watson on 2010-09-14

Import patches-unapplied version 1:5.5p1-4ubuntu4 to ubuntu/maverick

Imported using git-ubuntu import.

Changelog parent: b4dce181fd26df4cd944e8c9e3e864b5ac350afe

New changelog entries:
  * Fix stray hyphen in the title of ssh-import-id(1).

b4dce18... by Colin Watson on 2010-07-22

Import patches-unapplied version 1:5.5p1-4ubuntu3 to ubuntu/maverick

Imported using git-ubuntu import.

Changelog parent: f19383a235ff84e55ac4d629615ccd5690a11a42

New changelog entries:
  [ Colin Watson ]
  * Use 'dh $@ --options' rather than 'dh --options $@', for
    forward-compatibility with debhelper v8.
  [ Dustin Kirkland ]
  * debian/openssh-server.install, debian/ssh-import-id:
    - move the ssh-import-lp-id utility from the ssh-import
      package to openssh-server (which is the logical destination
      for this tool)
    - rename it from ssh-import-lp-id (clumsy) to ssh-import-id (nicer,
      more like 'ssh-copy-id')
  * debian/openssh-server.links:
    - add a symlink from ssh-import-lp-id (old name) to ssh-import-id
      (new name) to maintain compatibility with existing user scripts;
      link the manpage too
  * debian/control:
    - ensure that openssh-server replaces and conflicts ssh-import (which
      will be removed from the archive)
  * debian/ssh-import-id.1, debian/openssh-server.manpages:
    - add/install a manpage

f19383a... by Colin Watson on 2010-07-09

Import patches-unapplied version 1:5.5p1-4ubuntu2 to ubuntu/maverick

Imported using git-ubuntu import.

Changelog parent: 1f9835b6372d5f9222831e161206ca516f200eab

New changelog entries:
  * Stop Upstart job on runlevel [!2345] rather than just S, since
    /etc/init.d/sendsigs no longer kills jobs under Upstart's control
    (thanks, Rob Donovan; LP: #603363).

1f9835b... by Colin Watson on 2010-05-26

Import patches-unapplied version 1:5.5p1-4ubuntu1 to ubuntu/maverick

Imported using git-ubuntu import.

Changelog parent: 9adc09845b0da7943da87a1557d1de606b9ceefd

New changelog entries:
  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.
    - Convert to Upstart. The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.

9adc098... by Colin Watson on 2010-05-22

Import patches-unapplied version 1:5.5p1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e4497c171d8bdc103b97f975f46ca5b3fbf997c3

New changelog entries:
  [ Sebastian Andrzej Siewior ]
  * Add powerpcspe to architecture list for libselinux1-dev build-dependency
    (closes: #579843).
  [ Colin Watson ]
  * Allow ~/.ssh/authorized_keys and other secure files to be
    group-writable, provided that the group in question contains only the
    file's owner; this extends a patch previously applied to ~/.ssh/config
    (closes: #581919).
  * Check primary group memberships as well as supplementary group
    memberships, and only allow group-writability by groups with exactly one
    member, as zero-member groups are typically used by setgid binaries
    rather than being user-private groups (closes: #581697).

e4497c1... by Colin Watson on 2010-04-28

Import patches-unapplied version 1:5.5p1-3 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 7bdadd4fa071e0dfca1a4ec4512a30da8f2961ea

New changelog entries:
  * Discard error messages while checking whether rsh, rlogin, and rcp
    alternatives exist (closes: #579285).
  * Drop IDEA key check; I don't think it works properly any more due to
    textual changes in error output, it's only relevant for direct upgrades
    from truly ancient versions, and it breaks upgrades if
    /etc/ssh/ssh_host_key can't be loaded (closes: #579570).
  * Use dh_installinit -n, since our maintainer scripts already handle this
    more carefully (thanks, Julien Cristau).
  * New upstream release:
    - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
    - Include a language tag when sending a protocol 2 disconnection
    - Make logging of certificates used for user authentication more clear
      and consistent between CAs specified using TrustedUserCAKeys and

7bdadd4... by Colin Watson on 2010-04-10

Import patches-unapplied version 1:5.4p1-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 59671bbcf5c2c40a1dd11fa17d96f46702ae8c50

New changelog entries:
  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
    installed, the host key is published in an SSHFP RR secured with DNSSEC,
    and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
    verification (closes: #572049).
  * Convert to dh(1), and use dh_installdocs --link-doc.
  * Drop lpia support, since Ubuntu no longer supports this architecture.
  * Use dh_install more effectively.
  * Add a NEWS.Debian entry about changes in smartcard support relative to
    previous unofficial builds (closes: #231472).

59671bb... by Colin Watson on 2010-04-06

Import patches-unapplied version 1:5.4p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 400193166240ece3210e4f4481eba7d18eff2f52

New changelog entries:
  * New upstream release (LP: #535029).
    - After a transition period of about 10 years, this release disables SSH
      protocol 1 by default. Clients and servers that need to use the
      legacy protocol must explicitly enable it in ssh_config / sshd_config
      or on the command-line.
    - Remove the libsectok/OpenSC-based smartcard code and add support for
      PKCS#11 tokens. This support is enabled by default in the Debian
      packaging, since it now doesn't involve additional library
      dependencies (closes: #231472, LP: #16918).
    - Add support for certificate authentication of users and hosts using a
      new, minimal OpenSSH certificate format (closes: #482806).
    - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
    - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
      package, this overlaps with the key blacklisting facility added in
      openssh 1:4.7p1-9, but with different file formats and slightly
      different scopes; for the moment, I've roughly merged the two.)
    - Various multiplexing improvements, including support for requesting
      port-forwardings via the multiplex protocol (closes: #360151).
    - Allow setting an explicit umask on the sftp-server(8) commandline to
      override whatever default the user has (closes: #496843).
    - Many sftp client improvements, including tab-completion, more options,
      and recursive transfer support for get/put (LP: #33378). The old
      mget/mput commands never worked properly and have been removed
      (closes: #270399, #428082).
    - Do not prompt for a passphrase if we fail to open a keyfile, and log
      the reason why the open failed to debug (closes: #431538).
    - Prevent sftp from crashing when given a "-" without a command. Also,
      allow whitespace to follow a "-" (closes: #531561).
  * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
    patches apply with offsets.
  * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
    we're using a source format that permits this, rather than messing
    around with uudecode.
  * Drop compatibility with the old gssapi mechanism used in ssh-krb5 <<
    3.8.1p1-1. Simon Wilkinson refused this patch since the old gssapi
    mechanism was removed due to a serious security hole, and since these
    versions of ssh-krb5 are no longer security-supported by Debian I don't
    think there's any point keeping client compatibility for them.
  * Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
  * Hardcode the location of xauth to /usr/bin/xauth rather than
    /usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440).
    xauth no longer depends on x11-common, so we're no longer guaranteed to
    have the /usr/bin/X11 symlink available. I was taking advantage of the
    /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far
    enough in the past now that it's probably safe to just use /usr/bin.
  * Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes
    itself non-OOM-killable, and doesn't require configuration to avoid log
    spam in virtualisation containers (closes: #555625).
  * Drop Debian-specific removal of OpenSSL version check. Upstream ignores
    the two patchlevel nybbles now, which is sufficient to address the
    original reason this change was introduced, and it appears that any
    change in the major/minor/fix nybbles would involve a new libssl package
    name. (We'd still lose if the status nybble were ever changed, but that
    would mean somebody had packaged a development/beta version rather than
    a proper release, which doesn't appear to be normal practice.)
  * Drop most of our "LogLevel SILENT" (-qq) patch. This was originally
    introduced to match the behaviour of non-free SSH, in which -q does not
    suppress fatal errors, but matching the behaviour of OpenSSH upstream is
    much more important nowadays. We no longer document that -q does not
    suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to
    "LogLevel QUIET" in sshd_config on upgrade.
  * Policy version 3.8.4:
    - Add a Homepage field.