Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

openssh-6.6p1-11.1 RPM for x86_64

From OpenSuSE leap updates for 42.1 / oss / x86_64

Name: openssh Distribution: openSUSE Leap 42.1
Version: 6.6p1 Vendor: openSUSE
Release: 11.1 Build date: Mon May 23 18:06:05 2016
Group: Productivity/Networking/SSH Build host: cloud109
Size: 4672620 Source RPM: openssh-6.6p1-11.1.src.rpm
Summary: Secure Shell Client and Server (Remote Login Program)
SSH (Secure Shell) is a program for logging into and executing commands
on a remote machine. It is intended to replace rsh (rlogin and rsh) and
provides openssl (secure encrypted communication) between two untrusted
hosts over an insecure network.

xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can
also be forwarded over the secure channel.




BSD-2-Clause and MIT


* Thu Apr 07 2016
  - Correctly parse GSSAPI KEX algorithms (bsc#961368)
  - Sanitise input for xauth(1) (bsc#970632, CVE-2016-3115)
  - prevent X11 SECURITY circumvention when forwarding X11
    connections (bsc#962313, CVE-2016-1908)
  - more verbose FIPS mode/CC related documentation in README.FIPS
    (bsc#965576, bsc#960414)
  - fix PRNG re-seeding (bsc#960414, bsc#729190)
  - Disable DH parameters under 2048 bits by default and allow
    lowering the limit back to the RFC 4419 specified minimum
    through an option (bsc#932483, bsc#948902)
    [-disable_DH_under_1536b -> -disable_short_DH_parameters]
  - ignore PAM environment when using login
    (bsc#975865, CVE-2015-8325)
* Tue Mar 08 2016
  - fix minor problems (bsc#945493)
  - fix postun script of main package (bsc#945484)
  - fix crashes when /proc is not available (bsc#947458)
  - rename and comment the roaming patch
    (CVE-2016-077-7_8 to -disable_roaming)
* Wed Jan 13 2016
  - CVE-2016-0777, bsc#961642, CVE-2016-0778, bsc#961645
    Added CVE-2016-077-7_8.patch to disable the roaming code to prevent
    information leak and buffer overflow
* Fri Jul 31 2015
  - Maintenance update
    * better timeouting of X11 forwards (CVE-2015-5352/bsc#936695)
      [-X11_forwarding_timeout] and hardening of ssh-agent(1)
      locking (bsc#936695) [-agent_locking_hardening]
    * removing and disabling short DH parameters (bsc#932483)
      [-disable_DH_under_1536b, -remove_moduli_under_1536b]
    * disable accdess to procfs from sftp (bsc#903649)
    * Allow each keyboard authentication method to be used only
      once per login (CVE-2015-5600/bsc#938746)
    * Don't resend username to PAM, it can be misused for privilege
      escalation (CVE-2015-6563/bsc#943010)
    * Prevent possible use-after-free in PAM authentication monitor
* Thu May 14 2015
  - use %restart_on_update in the trigger script
* Fri Apr 10 2015
  - Fix dependencies of the main package and the -fips subpackage
    to include exact build number, so that mismatching hashes are
    removed on upgrade.
* Tue Feb 10 2015
  - CAVS test for KDF (bsc#916905)
  - CAVS related parts now reside in the -cavs subpackage
  - changing license to 2-clause BSD and MIT, since that reflects
    better what the code is licenced under
* Fri Feb 06 2015
  - Change FIPS integrity tests to use HMAC instead of plain hash
* Tue Jan 13 2015
  - Add hmac-sha1-etm to MACs available inthe FIPS 140-2 mode
  - allow stat() syscall pulled in by OpenSSL certification
    (bsc#912436, bsc#855676)
    [-seccomp_stat patch]
  - enable building without auditing support
* Tue Oct 28 2014
  - key exchange modifications for FIPS
* Thu Aug 07 2014
  - change FIPS checksum files and subpackage naming (bnc#856316)
* Fri Jul 25 2014
  - ssh(1) - correct FIPS checks to prevent connection fails when
    protocol version is not explicitly requested (bnc#876704)
  - ssh-keygen(1) - do not create DSA and RSA1 keys in FIPS mode
    when generating all server keys (bnc#886845)
  - fix SUSE spelling (bnc#889014)
* Fri Jul 04 2014
  - Prevent other possible crashes in audit code due to abnormal
    execution paths (generalized previous fix for bnc#832628)
* Fri Jun 13 2014
  - exit sshd normally when port is already in use (bnc#832628)
  - fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  - check SSHFP DNS records even for server certificates
    (bnc#870532, CVE-2014-2653)
  - removing the key converter (which hasn't been built since
    the update to 6.5p1) patch from sources
* Thu Apr 24 2014
  - curve25519 key exchange fix (-curve25519-6.6.1p1.patch)
  - patch re-ordering (-audit3-key_auth_usage-fips.patch,
    - audit4-kex_results-fips.patch)
  - remove uneeded dependency on the OpenLDAP server (openldap2)
    in the helpers subpackage
* Fri Apr 11 2014
  - update to 6.6p1
    * sshd(8): when using environment passing with a sshd_config(5)
      AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
      be tricked into accepting any enviornment variable that
      contains the characters before the wildcard character.
    Features since 6.5p1:
    * ssh(1), sshd(8): removal of the J-PAKE authentication code,
      which was experimental, never enabled and has been
      unmaintained for some time.
    * ssh(1): skip 'exec' clauses other clauses predicates failed
      to match while processing Match blocks.
    * ssh(1): if hostname canonicalisation is enabled and results
      in the destination hostname being changed, then re-parse
      ssh_config(5) files using the new destination hostname. This
      gives 'Host' and 'Match' directives that use the expanded
      hostname a chance to be applied.
    * ssh(1): avoid spurious "getsockname failed: Bad file
      descriptor" in ssh -W. bz#2200, debian#738692
    * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
      systrace sandbox modes, as it is reachable if the connection
      is terminated during the pre-auth phase.
    * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
      bignum parsing. Minimum key length checks render this bug
      unexploitable to compromise SSH 1 sessions.
    * sshd_config(5): clarify behaviour of a keyword that appears
      in multiple matching Match blocks. bz#2184
    * ssh(1): avoid unnecessary hostname lookups when
      canonicalisation is disabled. bz#2205
    * sshd(8): avoid sandbox violation crashes in GSSAPI code by
      caching the supported list of GSSAPI mechanism OIDs before
      entering the sandbox. bz#2107
    * ssh(1): fix possible crashes in SOCKS4 parsing caused by
      assumption that the SOCKS username is nul-terminated.
    * ssh(1): fix regression for UsePrivilegedPort=yes when
      BindAddress is not specified.
    * ssh(1), sshd(8): fix memory leak in ECDSA signature
    * ssh(1): fix matching of 'Host' directives in ssh_config(5)
      files to be case-insensitive again (regression in 6.5).
  - FIPS checks in sftp-server
* Mon Mar 31 2014
  - FIPS checks during ssh client and daemon startup
* Mon Mar 17 2014
  - re-enabling the GSSAPI Key Exchange patch
* Fri Feb 28 2014
  - re-enabling FIPS-enablement patch
  - enable X11 forwarding when IPv6 is present but disabled on server
    (bnc#712683, FATE#315036)
* Tue Feb 18 2014
  - re-enabling the seccomp sandbox
    (allowing use of getuid the syscall)
* Tue Feb 18 2014
  - disabling seccomp sandboxing which doesn't work properly on SLE
* Wed Feb 12 2014
  - Update to 6.5p1
    Features since 6.4p1:
    * ssh(1), sshd(8): support for key exchange using ECDH in
      Daniel Bernstein's Curve25519; default when both the client
      and server support it.
    * ssh(1), sshd(8): support for Ed25519 as a public key type fo
      rboth server and client.  Ed25519 is an EC signature offering
      better security than ECDSA and DSA and good performance.
    * Add a new private key format that uses a bcrypt KDF to better
      protect keys at rest. Used unconditionally for Ed25519 keys,
      on demand for other key types via the -o ssh-keygen(1)
      option.  Intended to become default in the near future.
      Details documented in PROTOCOL.key.
    * ssh(1), sshd(8): new transport cipher
      "" combining Daniel Bernstein's
      ChaCha20 stream cipher and Poly1305 MAC to build an
      authenticated encryption mode. Details documented
    * ssh(1), sshd(8): refuse RSA keys from old proprietary clients
      and servers that use the obsolete RSA+MD5 signature scheme.
      It will still be possible to connect with these
      clients/servers but only DSA keys will be accepted, and
      OpenSSH will refuse connection entirely in a future release.
    * ssh(1), sshd(8): refuse old proprietary clients and servers
      that use a weaker key exchange hash calculation.
    * ssh(1): increase the size of the Diffie-Hellman groups
      requested for each symmetric key size. New values from NIST
      Special Publication 800-57 with the upper limit specified by
    * ssh(1), ssh-agent(1): support pkcs#11 tokens that only
      provide X.509 certs instead of raw public keys (requested as
    * ssh(1): new ssh_config(5) "Match" keyword that allows
      conditional configuration to be applied by matching on
      hostname, user and result of arbitrary commands.
    * ssh(1): support for client-side hostname canonicalisation
      using a set of DNS suffixes and rules in ssh_config(5). This
      allows unqualified names to be canonicalised to
      fully-qualified domain names to eliminate ambiguity when
      looking up keys in known_hosts or checking host certificate
    * sftp-server(8): ability to whitelist and/or blacklist sftp
      protocol requests by name.
    * sftp-server(8): sftp "" to support calling
      fsync(2) on an open file handle.
    * sshd(8): ssh_config(5) PermitTTY to disallow TTY allocation,
      mirroring the longstanding no-pty authorized_keys option.
    * ssh(1): ssh_config ProxyUseFDPass option that supports the
      use of ProxyCommands that establish a connection and then
      pass a connected file descriptor back to ssh(1). This allows
      the ProxyCommand to exit rather than staying around to
      transfer data.
    Bugfixes since 6.4p1:
    * ssh(1), sshd(8): fix potential stack exhaustion caused by
      nested certificates.
    * ssh(1): bz#1211: make BindAddress work with
    * sftp(1): bz#2137: fix the progress meter for resumed
    * ssh-add(1): bz#2187: do not request smartcard PIN when
      removing keys from ssh-agent.
    * sshd(8): bz#2139: fix re-exec fallback when original sshd
      binary cannot be executed.
    * ssh-keygen(1): make relative-specified certificate expiry
      times relative to current time and not the validity start
    * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match
    * sftp(1): bz#2129: symlinking a file would incorrectly
      canonicalise the target path.
    * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11
      agent helper executable.
    * sshd(8): improve logging of sessions to include the user
      name, remote host and port, the session type (shell, command,
      etc.) and allocated TTY (if any).
    * sshd(8): bz#1297: tell the client (via a debug message) when
      their preferred listen address has been overridden by the
      server's GatewayPorts setting.
    * sshd(8): bz#2162: include report port in bad protocol banner
    * sftp(1): bz#2163: fix memory leak in error path in
    * sftp(1): bz#2171: don't leak file descriptor on error.
    * sshd(8): include the local address and port in "Connection
      from ..." message (only shown at loglevel>=verbose).
  - systemd systems
    * create sysconfig file on systemd systems as well, yet do not
      require it at run-time (bnc#862600)
    * symlink rcsshd to /usr/bin/service
  - rename "-forcepermissions" patch to "-sftp_force_permissions"
  - disable key converter - ssh-keygen is able to do the same
* Tue Feb 11 2014
  - Do not fail if sysconfig file isn't installed (bnc#862600)
* Wed Feb 05 2014
  - Add openssh-6.2p1-forcepermissions.patch to implement a force
    permissions mode (fate#312774). The patch is based on
* Fri Jan 24 2014
  - Update to 6.4p1
    Features since 6.2p2:
    * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or
      hostkeys on smartcards.
    * ssh(1)/sshd(8): allow optional time-based rekeying via a
      second argument to the existing RekeyLimit option. RekeyLimit
      is now supported in sshd_config as well as on the client.
    * sshd(8): standardise logging of information during user
    * The presented key/cert and the remote username (if available)
      is now logged in the authentication success/failure message on
      the same log line as the local username, remote host/port and
      protocol in use.  Certificates contents and the key
      fingerprint of the signing CA are logged too.
    * ssh(1) ability to query what cryptographic algorithms are
      supported in the binary.
    * ssh(1): ProxyCommand=- for cases where stdin and stdout
      already point to the proxy.
    * ssh(1): allow IdentityFile=none
    * ssh(1)/sshd(8): -E option to append debugging logs to a
      specified file instead of stderr or syslog.
    * sftp(1): support resuming partial downloads with the "reget"
      command and on the sftp commandline or on the "get"
      commandline with the "-a" (append) option.
    * ssh(1): "IgnoreUnknown" configuration option to selectively
      suppress errors arising from unknown configuration directives.
    * sshd(8): support for submethods to be appended to required
      authentication methods listed via AuthenticationMethods.
    Bugfixes since 6.2p2:
    * sshd(8): fix refusal to accept certificate if a key of a
      different type to the CA key appeared in authorized_keys
      before the CA key.
    * ssh(1)/ssh-agent(1)/sshd(8): Use a monotonic time source for
      timers so that things like keepalives and rekeying will work
      properly over clock steps.
    * sftp(1): update progressmeter when data is acknowledged, not
      when it's sent. bz#2108
    * ssh(1)/ssh-keygen(1): improve error messages when the current
      user does not exist in /etc/passwd; bz#2125
    * ssh(1): reset the order in which public keys are tried after
      partial authentication success.
    * ssh-agent(1): clean up socket files after SIGINT when in debug
      mode; bz#2120
    * ssh(1) and others: avoid confusing error messages in the case
      of broken system resolver configurations; bz#2122
    * ssh(1): set TCP nodelay for connections started with -N;
    * ssh(1): correct manual for permission requirements on
      ~/.ssh/config; bz#2078
    * ssh(1): fix ControlPersist timeout not triggering in cases
      where TCP connections have hung. bz#1917
    * ssh(1): properly deatch a ControlPersist master from its
      controlling terminal.
    * sftp(1): avoid crashes in libedit when it has been compiled
      with multi- byte character support. bz#1990
    * sshd(8): when running sshd -D, close stderr unless we have
      explicitly requested logging to stderr. bz#1976,
    * ssh(1): fix incomplete bzero; bz#2100
    * sshd(8): log and error and exit if ChrootDirectory is
      specified and running without root privileges.
    * Many improvements to the regression test suite. In particular
      log files are now saved from ssh and sshd after failures.
    * Fix a number of memory leaks. bz#1967 bz#2096 and others
    * sshd(8): fix public key authentication when a :style is
      appended to the requested username.
    * ssh(1): do not fatally exit when attempting to cleanup
      multiplexing- created channels that are incompletely opened.
    * sshd(8): fix a memory corruption problem triggered during
      rekeying when an AES-GCM cipher is selected
    * Fix unaligned accesses in umac.c for strict-alignment
      architectures.  bz#2101
    * Fix broken incorrect commandline reporting errors. bz#1448
    * Only include SHA256 and ECC-based key exchange methods if
      libcrypto has the required support.
    * Fix crash in SOCKS5 dynamic forwarding code on
      strict-alignment architectures.
    - FIPS and GSSKEX patched disabled for now
* Fri Oct 04 2013
  - fix server crashes when using AES-GCM
  - removed superfluous build dependency on X
* Thu Sep 19 2013
  - spec file and patch cleanup
    * key converter is now in the -key-converter.patch
    * openssh-nodaemon-nopid.patch is -no_fork-no_pid_file.patch
    * openssh-nocrazyabicheck.patch is
    - disable-openssl-abi-check.patch
    * removing obsolete -engines.diff patch
  - patches from SLE11
    * use auditing infrastructure extending upstream hooks
      (-auditX-*.patch) instead of the single old patch
    * FIPS enablement (currently disabled)
      (-fingerprint_hash.patch, -fips.patch)
    * GSSAPI key exchange
      (bnc#784689, fate#313068, -gssapi_key_exchange.patch)
    * SysV init script update - 'stop' now terminates all sshd
      processes and closes all connections, 'soft-stop' only
      terminates the listener process (keeps active sessions intact)
    * helper application for retrieving users' public keys from
      an LDAP server (bnc#683733, fate#302144, -ldap.patch)
    - subpackage openssh-akc-ldap
    * several bugfixes:
    - login invocation
      (bnc#833605, -login_options.patch)
    - disable locked accounts when using PAM
      (bnc#708678, fate#312033, -pam-check-locks.patch)
    - fix wtmp handling
      (bnc#18024, -lastlog.patch)
  - init script is moved into documentation for openSUSE 12.3+
    (as it confused systemd)
* Tue Sep 10 2013
  - fix the logic in openssh-nodaemon-nopid.patch which is broken
    and pid_file therefore still being created.
* Sat Aug 03 2013
  - Update to version 6.2p2
    * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption
    * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
    * ssh(1)/sshd(8): Added support for the UMAC-128 MAC
    * sshd(8): Added support for multiple required authentication
    * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
    * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
    now immediately sends its SSH protocol banner to the server without
    waiting to receive the server's banner, saving time when connecting.
    * dozens of other changes, see
* Mon Jul 01 2013
  - avoid the build cycle between curl, krb5, libssh2_org and openssh
    by using krb5-mini-devel
* Wed Jun 19 2013
  - Recommend xauth, X11-forwarding won't work if it is not installed
* Sun Apr 14 2013
  - sshd.service: Do not order after, it is
    not required or recommended and that target does not even exist
* Tue Jan 08 2013
  - use ssh-keygen(1) default keylengths in generating the host key
    instead of hardcoding it
* Tue Nov 13 2012
  - Updated to 6.1p1, a bugfix release
    * sshd(8): This release turns on pre-auth sandboxing sshd by default for
    new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
    * ssh-keygen(1): Add options to specify starting line number and number of
    lines to process when screening moduli candidates, allowing processing
    of different parts of a candidate moduli file in parallel
    * sshd(8): The Match directive now supports matching on the local (listen)
    address and port upon which the incoming connection was received via
    LocalAddress and LocalPort clauses.
    * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
    and {Allow,Deny}{Users,Groups}
    * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
    * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
    * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
    an argument to refuse all port-forwarding requests.
    * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
    * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
    * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
    to append some arbitrary text to the server SSH protocol banner.
    * ssh(1)/sshd(8): Don't spin in accept() in situations of file
    descriptor exhaustion. Instead back off for a while.
    * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
    they were removed from the specification. bz#2023,
    * sshd(8): Handle long comments in config files better. bz#2025
    * ssh(1): Delay setting tty_flag so RequestTTY options are correctly
    picked up. bz#1995
    * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
    on platforms that use login_cap.
    Portable OpenSSH:
    * sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
    sandbox from the Linux SECCOMP filter sandbox when the latter is
    not available in the kernel.
    * ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
    retrieve a CNAME SSHFP record.
    * Fix cross-compilation problems related to pkg-config. bz#1996
* Tue Nov 13 2012
  - Fix groupadd arguments
  - Add LSB tag to sshd init script
* Fri Oct 26 2012
  - explicit buildrequire groff, needed for man pages
* Tue Oct 16 2012
  - buildrequire systemd through pkgconfig to break cycle
* Wed Aug 15 2012
  - When not daemonizing, such is used with systemd, no not
    create a PID file
* Mon Jun 18 2012
  - do not buildrequire xorg-x11, the askpass is an extra package
    and should build from a different package
* Tue May 29 2012
  - use correct download url and tarball format.
* Tue May 29 2012
  - Update to version 6.0, large list of changes, seen for detail.
* Thu May 10 2012
  - By default openSSH checks at *runtime* if the openssl
    API version matches with the running library, that might
    be good if you are compiling SSH yourself but it is a totally
    insane way to check for binary/source compatibility in a distribution.
* Mon Feb 20 2012
  - include X11 app default dir
* Fri Dec 23 2011
  - Fix building for OS 11.0, 10.3, 10.2
    * Don't require selinux on OS 11.0 or lower
* Fri Dec 23 2011
  - Fix building for OS 11.2 and 11.1
  - Cleanup remove remaining litteral /etc/init.d 's
* Wed Dec 21 2011
  - add autoconf as buildrequire to avoid implicit dependency
* Tue Nov 29 2011
  - Add systemd startup units
* Sat Oct 29 2011
  - finalising libexecdir change (bnc#726712)
* Wed Oct 19 2011
  - Update to 5.9p1
    * sandboxing privsep child through rlimit
* Fri Sep 16 2011
  - Avoid overriding libexecdir with %_lib (bnc#712025)
  - Clean up the specfile by request of Minh Ngo, details entail:
    * remove norootforbuild comments, redundant %clean section
    * run spec-beautifier over it
  - Add PIEFLAGS to compilation of askpass; fails otherwise
* Mon Aug 29 2011
  -  Update to verison 5.8p2
    * Fixed vuln in systems without dev/random, we arenot affected
    * Fixes problems building with selinux enabled
  - Fix build with as-needed and no-add-needed
* Sat Aug 13 2011
  - Enable libedit/autocompletion support in sftp
* Tue May 10 2011
  - Change default keysizes of rsa and dsa from 1024 to 2048
    to match ssh-keygen manpage recommendations.
* Fri Feb 04 2011
  - Update to 5.8p1
    * Fix vulnerability in legacy certificate signing introduced in
    OpenSSH-5.6 and found by Mateusz Kocielski.
    * Fix compilation failure when enableing SELinux support.
    * Do not attempt to call SELinux functions when SELinux is
  - Remove patch that is now upstream:
    * openssh-5.7p1-selinux.diff
* Thu Feb 03 2011
  - specfile/patches cleanup
* Mon Jan 24 2011
  - Update to 5.7p1
    * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
    and host/user keys (ECDSA) as specified by RFC5656.
    * sftp(1)/sftp-server(8): add a protocol extension to support a hard
    link operation.
    * scp(1): Add a new -3 option to scp: Copies between two remote hosts
    are transferred through the local host.
    * ssh(1): automatically order the hostkeys requested by the client
    based on which hostkeys are already recorded in known_hosts.
    * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
    TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
    * sftp(1): the sftp client is now significantly faster at performing
    directory listings, using OpenBSD glob(3) extensions to preserve
    the results of stat(3) operations performed in the course of its
    execution rather than performing expensive round trips to fetch
    them again afterwards.
    * ssh(1): "atomically" create the listening mux socket by binding it on
    a temporary name and then linking it into position after listen() has
    * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
    configuration to allow selection of which key exchange methods are
    used by ssh(1) and sshd(8) and their order of preference.
    * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
    a generic bandwidth limiter that can be attached using the atomicio
    callback mechanism and use it to add a bandwidth limit option to
    * Support building against openssl-1.0.0a.
    * Bug fixes.
  - Remove patches that are now upstream:
    * openssh-5.6p1-tmpdir.diff
    * openssh-linux-new-oomkill.patch
  - Add upstream patch to fix build with SELinux enabled.
* Wed Jan 12 2011
  - Removed relics of no more implemented opensc support.
* Thu Nov 18 2010
  - add pam_lastlog to show failed login attempts
  - remove permissions handling, no special handling needed
* Tue Nov 16 2010
  - Use upstream oom_adj is deprecated patch
* Tue Nov 02 2010
  - remove the code trying to patch X11 paths - which was broken
    for a very long time and was useless anyway as the Makefiles
    do this correctly themselves
* Sun Oct 31 2010
  - Use %_smp_mflags
* Thu Oct 14 2010
  - Fix warning "oom_adj is deprecated use oom_score_adj instead"
* Mon Sep 13 2010
  - actualize README.SuSE (bnc#638893)
* Tue Aug 24 2010
  - update to 5.6p1
    * Added a ControlPersist option to ssh_config(5) that automatically
    starts a background ssh(1) multiplex master when connecting.
    * Hostbased authentication may now use certificate host keys.
    * ssh-keygen(1) now supports signing certificate using a CA key that
    has been stored in a PKCS#11 token.
    * ssh(1) will now log the hostname and address that we connected to at
    LogLevel=verbose after authentication is successful to mitigate
    "phishing" attacks by servers with trusted keys that accept
    authentication silently and automatically before presenting fake
    password/passphrase prompts.
    * Expand %h to the hostname in ssh_config Hostname options.
    * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
    keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
    * sshd(8) will now queue debug messages for bad ownership or
    permissions on the user's keyfiles encountered during authentication
    and will send them after authentication has successfully completed.
    * ssh(1) connection multiplexing now supports remote forwarding with
    dynamic port allocation and can report the allocated port back to
    the user
    * sshd(8) now supports indirection in matching of principal names
    listed in certificates.
    * sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
    file containing a list of names that may be accepted in place of the
    username when authorizing a certificate trusted via the
    sshd_config(5) TrustedCAKeys option.
    * Additional sshd_config(5) options are now valid inside Match blocks
    * Revised the format of certificate keys.
    * bugfixes
  - removed -forward patch (SSH_MAX_FORWARDS_PER_DIRECTION not hard-coded
    any more), removed memory leak fix (fixed in upstream)
* Fri Aug 20 2010
  - hint user how to remove offending keys (bnc#625552)
* Thu Jul 22 2010
  - update to 5.5p1
* Tue Jul 20 2010
  - update to 5.5p1
    * Allow ChrootDirectory to work in SELinux platforms.
    * bugfixes
* Wed Jun 30 2010
  - Disable visual hostkey support again, after discussion on
    its usefulness.
* Mon May 17 2010
  - Hardware crypto is supported and patched but never
    enabled, need to use --with-ssl-engine explicitely
* Fri May 14 2010
  - fixed memory leak in sftp (bnc#604274)
* Fri Apr 23 2010
  - honour /etc/nologin (bnc#530885)
* Thu Mar 25 2010
  - Enable VisualHostKey (ascii art of the hostkey fingerprint) and
    HashHostKeys (hardening measure to make them unusable for worms/malicious
    users for further host hopping).
* Tue Mar 23 2010
  - update to 5.4p1
    * After a transition period of about 10 years, this release disables
    SSH protocol 1 by default. Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
    * Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens. This support is automatically enabled on all
    platforms that support dlopen(3) and was inspired by patches written
    by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.
    * Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (not X.509). Certificates
    contain a public key, identity information and some validity
    constraints and are signed with a standard SSH public key using
    ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
    or via a TrustedUserCAKeys option in sshd_config(5) (for user
    authentication), or in known_hosts (for host authentication).
    Documentation for certificate support may be found in ssh-keygen(1),
    sshd(8) and ssh(1) and a description of the protocol extensions in
    * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
    stdio on the client to a single port forward on the server. This
    allows, for example, using ssh as a ProxyCommand to route connections
    via intermediate servers. bz#1618
    * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may
    be revoked using a new sshd_config(5) option "RevokedKeys". Host keys
    are revoked through known_hosts (details in the sshd(8) man page).
    Revoked keys cannot be used for user or host authentication and will
    trigger a warning if used.
    * Rewrite the ssh(1) multiplexing support to support non-blocking
    operation of the mux master, improve the resilience of the master to
    malformed messages sent to it by the slave and add support for
    requesting port- forwardings via the multiplex protocol. The new
    stdio-to-local forward mode ("ssh -W host:port ...") is also
    supported. The revised multiplexing protocol is documented in the
    file PROTOCOL.mux in the source distribution.
    * Add a 'read-only' mode to sftp-server(8) that disables open in write
    mode and all other fs-modifying protocol methods. bz#430
    * Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has. bz#1229
    * Many improvements to the sftp(1) client, many of which were
    implemented by Carlos Silva through the Google Summer of Code
    - Support the "-h" (human-readable units) flag for ls
    - Implement tab-completion of commands, local and remote filenames
    - Support most of scp(1)'s commandline arguments in sftp(1), as a
      first step towards making sftp(1) a drop-in replacement for scp(1).
      Note that the rarely-used "-P sftp_server_path" option has been
      moved to "-D sftp_server_path" to make way for "-P port" to match
    - Add recursive transfer support for get/put and on the commandline
    * New RSA keys will be generated with a public exponent of RSA_F4 ==
    (2**16)+1 == 65537 instead of the previous value 35.
    * Passphrase-protected SSH protocol 2 private keys are now protected
    with AES-128 instead of 3DES. This applied to newly-generated keys
    as well as keys that are reencrypted (e.g. by changing their
  - cleanup in patches
* Tue Mar 02 2010
  - do not use paths at all, but prereq packages
* Sat Feb 27 2010
  - Use complete path for groupadd and useradd in pre section.
* Tue Feb 23 2010
  - audit patch: add fix for bnc#545271
* Mon Feb 22 2010
  - do not fix uid/gid anymore (bnc#536564)
* Tue Dec 15 2009
  - select large PIE for SPARC, it is required to avoid
    "relocation truncated to fit: R_SPARC_GOT13 against symbol xyz
    defined in COMMON section in sshd.o"
* Mon Sep 21 2009
  - add new version of homechroot patch (added documentation, added
    check for nodev and nosuid)
  - remove Provides and Obsoletes ssh
* Thu Aug 20 2009
  - make sftp in chroot users life easier (ie. bnc#518238),
    many thanks for a patch
* Sun Jul 12 2009
  - readd $SSHD_BIN so that sshd starts at all
* Tue Jul 07 2009  
  - Added a hook for ksshaskpass
* Sun Jul 05 2009
  - readd -f to startproc and remove -p instead to
    ensure that sshd is started even though old instances
    are still running (e.e. being logged in from remote)
* Fri Jun 19 2009
  - disable as-needed for this package as it fails to build with it
* Tue May 26 2009
  - disable -f in startproc to calm the warning (bnc#506831)
* Thu Apr 23 2009
  - do not enable sshd by default



Generated by rpm2html 1.8.1

Fabrice Bellet, Sat Nov 10 04:30:48 2018