Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
gssapi.patch | GSSAPI key exchange support This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. |
Jakub Jelen <jjelen@redhat.com> | yes | upstream | other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23 | 2014-02-09 |
restore-tcp-wrappers.patch | Restore TCP wrappers support Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. |
Colin Watson <cjwatson@debian.org> | not-needed | 2022-02-23 | ||
selinux-role.patch | Handle SELinux authorisation roles Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. |
Manoj Srivastava <srivasta@debian.org> | yes | debian upstream | 2021-11-05 | |
ssh-vulnkey-compat.patch | Accept obsolete ssh-vulnkey configuration options These options were used as part of Debian's response to CVE-2008-0166. Nearly six years later, we no longer need to continue carrying the bulk of that patch, but we do need to avoid failing when the associated configuration options are still present. |
Colin Watson <cjwatson@ubuntu.com> | no | 2014-02-09 | ||
keepalive-extensions.patch | Various keepalive extensions Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported in previous versions of Debian's OpenSSH package but since superseded by ServerAliveInterval. (We're probably stuck with this bit for compatibility.) In batch mode, default ServerAliveInterval to five minutes. Adjust documentation to match and to give some more advice on use of keepalives. |
Colin Watson <cjwatson@debian.org> | no | 2023-01-02 | ||
syslog-level-silent.patch | "LogLevel SILENT" compatibility "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to match the behaviour of non-free SSH, in which -q does not suppress fatal errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody complained, so we've dropped most of it. The parts that remain are basic configuration file compatibility, and an adjustment to "Pseudo-terminal will not be allocated ..." which should be split out into a separate patch. |
Colin Watson <cjwatson@debian.org> | no | 2013-09-14 | ||
user-group-modes.patch | Allow harmless group-writability Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be group-writable, provided that the group in question contains only the file's owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding about the contents of gr->gr_mem). Given that per-user groups and umask 002 are the default setup in Debian (for good reasons - this makes operating in setgid directories with other groups much easier), we need to permit this by default. |
Colin Watson <cjwatson@debian.org> | yes | debian upstream | 2022-02-23 | |
scp-quoting.patch | Adjust scp quoting in verbose mode Tweak scp's reporting of filenames in verbose mode to be a bit less confusing with spaces. This should be revised to mimic real shell quoting. |
=?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | no | 2010-02-27 | ||
shell-path.patch | Look for $SHELL on the path for ProxyCommand/LocalCommand There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. |
Colin Watson <cjwatson@debian.org> | yes | debian upstream | 2020-02-21 | |
dnssec-sshfp.patch | Force use of DNSSEC even if "options edns0" isn't in resolv.conf This allows SSHFP DNS records to be verified if glibc 2.11 is installed. |
Colin Watson <cjwatson@debian.org> | invalid | debian upstream | vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup | 2010-04-06 |
mention-ssh-keygen-on-keychange.patch | Mention ssh-keygen in ssh fingerprint changed warning | Chris Lamb <lamby@debian.org> | yes | upstream | 2017-08-22 | |
package-versioning.patch | Include the Debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) |
Matthew Vernon <matthew@debian.org> | not-needed | 2021-11-05 | ||
debian-banner.patch | Add DebianBanner server configuration option Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. |
Kees Cook <kees@debian.org> | not-needed | debian | 2023-01-02 | |
authorized-keys-man-symlink.patch | Install authorized_keys(5) as a symlink to sshd(8) | Tomas Pospisek <tpo_deb@sourcepole.ch> | yes | debian upstream | 2013-09-14 | |
openbsd-docs.patch | Adjust various OpenBSD-specific references in manual pages No single bug reference for this patch, but history includes: https://bugs.debian.org/154434 (login.conf(5)) https://bugs.debian.org/513417 (/etc/rc) https://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) https://bugs.debian.org/998069 (rdomain(4)) |
Colin Watson <cjwatson@debian.org> | not-needed | 2021-11-05 | ||
ssh-argv0.patch | ssh(1): Refer to ssh-argv0(1) Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). |
Colin Watson <cjwatson@debian.org> | not-needed | debian | 2013-09-14 | |
doc-hash-tab-completion.patch | Document that HashKnownHosts may break tab-completion | Colin Watson <cjwatson@debian.org> | yes | debian upstream | 2021-11-05 | |
ssh-agent-setgid.patch | Document consequences of ssh-agent being setgid in ssh-agent(1) | Colin Watson <cjwatson@debian.org> | no | debian | 2020-02-21 | |
no-openssl-version-status.patch | Don't check the status field of the OpenSSL version There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. |
Colin Watson <cjwatson@debian.org> | not-needed | debian | 2014-10-07 | |
gnome-ssh-askpass2-icon.patch | Give the ssh-askpass-gnome window a default icon | Vincent Untz <vuntz@ubuntu.com> | no | 2010-02-28 | ||
systemd-readiness.patch | Add systemd readiness notification support | Michael Biebl <biebl@debian.org> | no | debian | 2017-08-22 | |
debian-config.patch | Various Debian-specific configuration changes fewer problems with existing setups (http://bugs.debian.org/237021). worms. PrintMotd. Document all of this. |
Russ Allbery <rra@debian.org> | not-needed | 2023-01-03 | ||
restore-authorized_keys2.patch | Restore reading authorized_keys2 by default Upstream seems to intend to gradually phase this out, so don't assume that this will remain the default forever. However, we were late in adopting the upstream sshd_config changes, so it makes sense to extend the grace period. |
Colin Watson <cjwatson@debian.org> | not-needed | debian | 2017-03-05 | |
revert-ipqos-defaults.patch | Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for" This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379. The IPQoS default changes have some unfortunate interactions with iptables (see https://bugs.debian.org/923880) and VMware, so I'm temporarily reverting them until those have been fixed. |
Colin Watson <cjwatson@debian.org> | no | debian | 2019-04-08 | |
maxhostnamelen.patch | Define MAXHOSTNAMELEN on GNU/Hurd | Svante Signell <svante.signell@gmail.com> | no | debian | 2021-11-05 | |
conch-ssh-rsa.patch | Work around RSA SHA-2 signature issues in conch This was supposed to be fixed in Twisted upstream (https://twistedmatrix.com/trac/ticket/9765), and that fix is in Debian now. However, regression tests still seem to fail in GitLab CI but not locally (see e.g. https://salsa.debian.org/ssh-team/openssh/-/jobs/3513178). Leave this in place for now until we figure out what's wrong. |
Colin Watson <cjwatson@debian.org> | not-needed | 2022-11-14 | ||
systemd-socket-activation.patch | Support systemd socket activation Unlike inetd socket activation, with systemd socket activation the supervisor passes the listened-on socket to the child process and lets the child process handle the accept(). This lets us do delayed start of the sshd daemon without becoming incompatible with config options like ClientAliveCountMax. |
Steve Langasek <steve.langasek@ubuntu.com> | no | 2022-09-01 | ||
remove-spurious-ssh-agent-options.patch | Remove spurious ssh-agent options These cause regress/agent-getpeereid.sh to leave a stray ssh-agent process lying around. |
Colin Watson <cjwatson@debian.org> | yes | upstream | 2023-02-07 | |
CVE-2023-38408-1.patch | terminate pkcs11 process for bad libraries | Damien Miller <djm@mindrot.org> | no | upstream, https://anongit.mindrot.org/openssh.git/commit/?id=b23fe83f06ee7e721033769cfa03ae840476d280 | 2023-09-17 | |
CVE-2023-38408-2.patch | disallow remote addition of FIDO/PKCS11 keys Depends on the local client performing the session-bind@openssh.com operation, so non-OpenSSH local client may circumvent this. |
Damien Miller <djm@mindrot.org> | no | upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d7790cdce72a1b6982795baa2b4d6f0bdbb0100d | 2023-09-17 | |
CVE-2023-38408-3.patch | upstream: Ensure FIDO/PKCS11 libraries contain expected symbols This checks via nlist(3) that candidate provider libraries contain one of the symbols that we will require prior to dlopen(), which can cause a number of side effects, including execution of constructors. Feedback deraadt; ok markus |
"djm@openbsd.org" <djm@openbsd.org> | no | upstream, https://anongit.mindrot.org/openssh.git/commit/?id=29ef8a04866ca14688d5b7fed7b8b9deab851f77 | 2023-09-17 | |
CVE-2023-28531.patch | upstream: include destination constraints for smartcard keys too. Spotted by Luci Stanescu; ok deraadt@ markus@ |
"djm@openbsd.org" <djm@openbsd.org> | no | debian | backport, https://anongit.mindrot.org/openssh.git/commit/?id=54ac4ab2b53ce9fcb66b8250dee91c070e4167ed | 2023-12-19 |
CVE-2023-48795.patch | upstream: implement "strict key exchange" in ssh and sshd This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange (KEX) phase. Full details of the extension are in the PROTOCOL file. with markus@ |
"djm@openbsd.org" <djm@openbsd.org> | no | backport, https://anongit.mindrot.org/openssh.git/commit/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 | 2023-12-19 | |
CVE-2023-51384.patch | upstream: apply destination constraints to all p11 keys Previously applied only to the first key returned from each token. ok markus@ |
"djm@openbsd.org" <djm@openbsd.org> | no | backport, https://anongit.mindrot.org/openssh.git/commit/?id=881d9c6af9da4257c69c327c4e2f1508b2fa754b | 2023-12-19 | |
CVE-2023-51385.patch | upstream: ban user/hostnames with most shell metacharacters This makes ssh(1) refuse user or host names provided on the commandline that contain most shell metacharacters. Some programs that invoke ssh(1) using untrusted data do not filter metacharacters in arguments they supply. This could create interactions with user-specified ProxyCommand and other directives that allow shell injection attacks to occur. It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, but getting this stuff right can be tricky, so this should prevent most obvious ways of creating risky situations. It however is not and cannot be perfect: ssh(1) has no practical way of interpreting what shell quoting rules are in use and how they interact with the user's specified ProxyCommand. To allow configurations that use strange user or hostnames to continue to work, this strictness is applied only to names coming from the commandline. Names specified using User or Hostname directives in ssh_config(5) are not affected. feedback/ok millert@ markus@ dtucker@ deraadt@ |
"djm@openbsd.org" <djm@openbsd.org> | no | backport, https://anongit.mindrot.org/openssh.git/commit/?id=7ef3787c84b6b524501211b11a26c742f829af1a | 2023-12-19 | |
Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch | Disable async-signal-unsafe code from the sshsigdie() function Address signal handler race condition: if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This is a regression from CVE-2006-5051 ("Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code") |
Salvatore Bonaccorso <carnil@debian.org> | no | 2024-06-22 | ||
sntrup761x25519-sha512.patch | upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned, so we can make the algorithm available without the @openssh.com suffix too. ok markus@ deraadt@ |
"djm@openbsd.org" <djm@openbsd.org> | no | backport, https://anongit.mindrot.org/openssh.git/commit/?id=aee54878255d71bf93aa6e91bbd4eb1825c0d1b9 | 2024-12-03 |