Last commit made on 2017-04-06
Get this branch:
git clone -b ubuntu/yakkety-updates https://git.launchpad.net/ubuntu/+source/openssh
Members of Ubuntu Server Dev import team can upload to this branch.

Recent commits

d5b4bbd... by Christian Ehrhardt on 2017-03-15

Import patches-unapplied version 1:7.3p1-1ubuntu0.1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 226f77ba212482d0ed31bfd38da81801fcd7ca87

New changelog entries:
  * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
    already-hashed entries (LP: #1668093).
  * Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).

226f77b... by Colin Watson on 2016-08-07

Import patches-unapplied version 1:7.3p1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 500332226cc5dd797169826a715b044d77b16fc8

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.3):
    - SECURITY: sshd(8): Mitigate a potential denial-of-service attack
      against the system's crypt(3) function via sshd(8). An attacker could
      send very long passwords that would cause excessive CPU use in
      crypt(3). sshd(8) now refuses to accept password authentication
      requests of length greater than 1024 characters.
    - SECURITY: ssh(1), sshd(8): Fix observable timing weakness in the CBC
      padding oracle countermeasures. Note that CBC ciphers are disabled by
      default and only included for legacy compatibility.
    - SECURITY: ssh(1), sshd(8): Improve operation ordering of MAC
      verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms
      to verify the MAC before decrypting any ciphertext. This removes the
      possibility of timing differences leaking facts about the plaintext,
      though no such leakage has been observed.
    - ssh(1): Add a ProxyJump option and corresponding -J command-line flag
      to allow simplified indirection through one or more SSH bastions or
      "jump hosts".
    - ssh(1): Add an IdentityAgent option to allow specifying specific agent
      sockets instead of accepting one from the environment.
    - ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
      optionally overridden when using ssh -W.
    - ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per
      draft-sgtatham-secsh-iutf8-00 (closes: #337041, LP: #394570).
    - ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K,
      4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
    - ssh-keygen(1), ssh(1), sshd(8): Support SHA256 and SHA512 RSA
      signatures in certificates.
    - ssh(1): Add an Include directive for ssh_config(5) files (closes:
    - ssh(1): Permit UTF-8 characters in pre-authentication banners sent
      from the server.
    - ssh(1), sshd(8): Reduce the syslog level of some relatively common
      protocol events from LOG_CRIT.
    - sshd(8): Refuse AuthenticationMethods="" in configurations and accept
      AuthenticationMethods=any for the default behaviour of not requiring
      multiple authentication.
    - sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!"
      message when forward and reverse DNS don't match.
    - ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
      failures when both ExitOnForwardFailure and hostname canonicalisation
      are enabled.
    - sshd(8): Remove fallback from moduli to obsolete "primes" file that
      was deprecated in 2001 (LP: #1528251).
    - sshd_config(5): Correct description of UseDNS: it affects ssh hostname
      processing for authorized_keys, not known_hosts.
    - sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit
      is set; previously keepalive packets were not being sent.
    - sshd(8): Whitelist more architectures to enable the seccomp-bpf
    - scp(1): Respect the local user's LC_CTYPE locale (closes: #396295).
    - Take character display widths into account for the progressmeter
      (closes: #407088).

5003322... by Colin Watson on 2016-07-29

Import patches-unapplied version 1:7.2p2-8 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 56a113ebd301e4bde02fa26b4b074947d056125a

New changelog entries:
  [ Colin Watson ]
  * Stop enabling ssh-session-cleanup.service by default; instead, ship it
    as an example and add a section to README.Debian. libpam-systemd >= 230
    and "UsePAM yes" should take care of the original problem for most
    systemd users (thanks, Michael Biebl; closes: #832155).
  [ Martin Pitt ]
  * Add debian/agent-launch: Helper script for conditionally starting the SSH
    agent in the user session. Use it in ssh-agent.user-session.upstart.
  * Add systemd user unit for graphical sessions that use systemd. Override
    the corresponding upstart job in that case (closes: #832445).
  * debian/openssh-server.if-up: Don't block on a finished reload of
    openssh.service, to avoid deadlocking with restarting networking.
    (closes: #832557, LP: #1584393)

56a113e... by Colin Watson on 2016-07-23

Import patches-unapplied version 1:7.2p2-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5c038bd8c8aa920739a2c182c5a3e87c4b094b87

New changelog entries:
  * Don't stop the ssh-session-cleanup service on upgrade (closes: #832155).
    This may cause SSH sessions to be killed on upgrade to *this* version if
    you had previously installed 1:7.2p2-6. Sorry! If your session is
    killed, you can recover using "dpkg --unpack" on this openssh-server
    .deb, followed by "dpkg --configure -a".
  * Recommend libpam-systemd from openssh-server. It's a much better
    solution than the above for systemd users, but I'm wary of depending on
    it in case I cause an assortment of exciting dependency problems on
    upgrade for non-systemd users.

5c038bd... by Colin Watson on 2016-07-22

Import patches-unapplied version 1:7.2p2-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9714e5bb80cfec6e068c6ede4498be0e12739b84

New changelog entries:
  * debian/watch: Switch to HTTP (thanks, Nicholas Luedtke; closes:
  * Copy summary of supported SFTP protocol versions from upstream's
    PROTOCOL file into the openssh-sftp-server package description (closes:
  * Set SSH_PROGRAM=/usr/bin/ssh1 when building openssh-client-ssh1 so that
    scp1 works (reported by Olivier MATZ).
  * Retroactively add a NEWS.Debian entry for the UseDNS change in 6.9 (see
    LP #1588457).
  * CVE-2016-6210: Mitigate user enumeration via covert timing channel
    (closes: #831902).
  * Backport upstream patch to close ControlPersist background process
    stderr when not in debug mode or when logging to a file or syslog
    (closes: #714526).
  * Add a session cleanup script and a systemd unit file to trigger it,
    which serves to terminate SSH sessions cleanly if systemd doesn't do
    that itself, often because libpam-systemd is not installed (thanks,
    Vivek Das Mohapatra, Tom Hutter, and others; closes: #751636).
  * Stop generating DSA host keys by default (thanks, Santiago Vila; closes:

9714e5b... by Colin Watson on 2016-04-28

Import patches-unapplied version 1:7.2p2-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c898ad9d904eaccd57b2881cd517a8e586e118c1

New changelog entries:
  * Backport upstream patch to unbreak authentication using lone certificate
    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
    separate private key is found among the keys then try with the
    certificate key itself (thanks, Paul Querna; LP: #1575961).

c898ad9... by Colin Watson on 2016-04-15

Import patches-unapplied version 1:7.2p2-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f1922cb23326618db9ab52158d24fd1a07db52de

New changelog entries:
  * Drop dependency on libnss-files-udeb (closes: #819686).
  * Policy version 3.9.7: no changes required.

f1922cb... by Colin Watson on 2016-04-13

Import patches-unapplied version 1:7.2p2-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c2103d45711713728b0043c9acefc3031e8875be

New changelog entries:
  * Change all openssh.org references to openssh.com (closes: #819213).
  * CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.

c2103d4... by Colin Watson on 2016-03-21

Import patches-unapplied version 1:7.2p2-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a7348ee9c66b86c9a50a50bb47a0a62368c2e33c

New changelog entries:
  * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
    the server end than the client (thanks, Damien Miller; closes: #817870,
    LP: #1558576).

a7348ee... by Colin Watson on 2016-03-10

Import patches-unapplied version 1:7.2p2-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7ee188cc5aac92f13be290ec4177f345a6fd5aa9

New changelog entries:
  * New upstream release (http://www.openssh.com/txt/release-7.2p2):
    - SECURITY: sshd(8): Sanitise X11 authentication credentials to avoid
      xauth command injection when X11Forwarding is enabled