
Bug#368657: marked as done (a way to force ssh-askpass to be used)



Your message dated Tue, 20 Oct 2020 13:34:23 +0000
with message-id <E1kUrmR-0005ir-F3@fasolo.debian.org>
and subject line Bug#368657: fixed in openssh 1:8.4p1-1
has caused the Debian Bug report #368657,
regarding a way to force ssh-askpass to be used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
368657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=368657
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:4.3p2-2
Severity: wishlist

Hi,

Currently, ssh will run ssh-askpass only if there is no controlling
terminal. While this is a sane default, there are cases where I would
like it to be used regardless of whether there is a controlling terminal,
e.g., when I'm running an 'svn update' in a working copy that makes use
of the svn:externals feature, or in cases where I'm trying to set up a
connection to a slow machine on an overloaded network. In such cases, I
may not be paying attention to the terminal where ssh is running, only
noticing that I need to enter a password when it is too late; had SSH
popped up ssh-askpass at that time, then this wouldn't occur.

Thanks,

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-2-powerpc
Locale: LANG=nl_BE.UTF-8@euro, LC_CTYPE=nl_BE.UTF-8@euro (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  adduser       3.87                       Add and remove users and groups
ii  debconf [debc 1.5.1                      Debian configuration management sy
ii  dpkg          1.13.19                    package maintenance system for Deb
ii  libc6         2.3.6-9                    GNU C Library: Shared libraries
ii  libcomerr2    1.38+1.39-WIP-2006.04.09-2 common error description library
ii  libedit2      2.9.cvs.20050518-2.2       BSD editline and history libraries
ii  libkrb53      1.4.3-7                    MIT Kerberos runtime libraries
ii  libncurses5   5.5-2                      Shared libraries for terminal hand
ii  libselinux1   1.30-1                     SELinux shared libraries
ii  libssl0.9.8   0.9.8b-2                   SSL shared libraries
ii  zlib1g        1:1.2.3-11                 compression library - runtime

openssh-client recommends no packages.

-- no debconf information


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:8.4p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 368657@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Oct 2020 14:15:17 +0100
Source: openssh
Architecture: source
Version: 1:8.4p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 368657 481250
Changes:
 openssh (1:8.4p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.4):
     - [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
       challenges for FIDO/U2F keys.
     - [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
       generating a FIDO resident key.
     - ssh-keygen(1): the format of the attestation information optionally
       recorded when a FIDO key is generated has changed. It now includes the
       authenticator data needed to validate attestation signatures.
     - The API between OpenSSH and the FIDO token middleware has changed and
       the SSH_SK_VERSION_MAJOR version has been incremented as a result.
       Third-party middleware libraries must support the current API version
       (7) to work with OpenSSH 8.4.
     - ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
       each use. These keys may be generated using ssh-keygen using a new
       "verify-required" option. When a PIN-required key is used, the user
       will be prompted for a PIN to complete the signature operation.
     - sshd(8): authorized_keys now supports a new "verify-required" option
       to require FIDO signatures assert that the token verified that the
       user was present before making the signature. The FIDO protocol
       supports multiple methods for user-verification, but currently OpenSSH
       only supports PIN verification.
     - sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
       signatures. Webauthn is a standard for using FIDO keys in web
       browsers. These signatures are a slightly different format to plain
       FIDO signatures and thus require explicit support.
     - ssh(1): allow some keywords to expand shell-style ${ENV} environment
       variables. The supported keywords are CertificateFile, ControlPath,
       IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
       when used for Unix domain socket paths.
     - ssh(1), ssh-agent(1): allow some additional control over the use of
       ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
       including forcibly enabling and disabling its use (closes: #368657).
     - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword to accept a time
       limit for keys in addition to its current flag options. Time-limited
       keys will automatically be removed from ssh-agent after their expiry
       time has passed.
     - scp(1), sftp(1): allow the -A flag to explicitly enable agent
       forwarding in scp and sftp. The default remains to not forward an
       agent, even when ssh_config enables it.
     - ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
       destination. This allows, e.g., keeping host keys in individual files
       using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k" (closes: #481250).
     - ssh(1): add %-TOKEN, environment variable and tilde expansion to the
       UserKnownHostsFile directive, allowing the path to be completed by the
       configuration.
     - ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from
       stdin.
     - sshd(8): improve logging for MaxStartups connection throttling.  sshd
       will now log when it starts and stops throttling and periodically
       while in this state.
     - ssh(1), ssh-keygen(1): better support for multiple attached FIDO
       tokens. In cases where OpenSSH cannot unambiguously determine which
       token to direct a request to, the user is now required to select a
       token by touching it. In cases of operations that require a PIN to be
       verified, this avoids sending the wrong PIN to the wrong token and
       incrementing the token's PIN failure counter (tokens effectively erase
       their keys after too many PIN failures).
     - sshd(8): fix Include before Match in sshd_config (LP: #1885990).
     - ssh(1): close stdin/out/error when forking after authentication
       completes ("ssh -f ...").
     - ssh(1), sshd(8): limit the amount of channel input data buffered,
       avoiding peers that advertise large windows but are slow to read from
       causing high memory consumption.
     - ssh-agent(1): handle multiple requests sent in a single write() to the
       agent.
     - sshd(8): allow sshd_config longer than 256k.
     - sshd(8): avoid spurious "Unable to load host key" message when sshd
       loads a private key but no public counterpart.
     - ssh(1): prefer the default hostkey algorithm list whenever we have a
       hostkey that matches its best-preference algorithm.
     - sshd(1): when ordering the hostkey algorithms to request from a
       server, prefer certificate types if the known_hosts files contain a
       key marked as a @cert-authority.
     - ssh(1): perform host key fingerprint comparisons for the "Are you sure
       you want to continue connecting (yes/no/[fingerprint])?" prompt with
       case sensitivity.
     - sshd(8): ensure that address/masklen mismatches in sshd_config yield
       fatal errors at daemon start time rather than later when they are
       evaluated.
     - ssh-keygen(1): ensure that certificate extensions are lexically
       sorted. Previously if the user specified a custom extension then
       everything would be in order except the custom ones.
     - ssh(1): also compare username when checking for JumpHost loops.
     - ssh-keygen(1): preserve group/world read permission on known_hosts
       files across runs of "ssh-keygen -Rf /path". The old behaviour was to
       remove all rights for group/other.
     - ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual
       page and usage().
     - sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on
       it being relative to the current directory, so that it can still be
       found if the shell startup changes its directory.
     - sshd(8): when redirecting sshd's log output to a file, undo this
       redirection after the session child process is forked(). Fixes missing
       log messages when using this feature under some circumstances.
     - sshd(8): start ClientAliveInterval bookkeeping before first pass
       through select() loop; fixed theoretical case where busy sshd may
       ignore timeouts from client.
     - ssh(1): only reset the ServerAliveInterval check when we receive
       traffic from the server and ignore traffic from a port forwarding
       client, preventing a client from keeping a connection alive when it
       should be terminated.
     - ssh-keygen(1): avoid spurious error message when ssh-keygen creates
       files outside ~/.ssh.
     - sftp-client(1): fix off-by-one error that caused sftp downloads to
       make one more concurrent request than desired. This prevented using
       sftp(1) in unpipelined request/response mode, which is useful when
       debugging.
     - ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
       helpers.
     - ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
       write to it so we don't leave an empty .ssh directory when it's not
       needed.
     - ssh(1), sshd(8): fix multiplier when parsing time specifications when
       handling seconds after other units.
     - sshd(8): always send any PAM account messages. If the PAM account
       stack returns any messages, always send them to the user and not just
       if the check succeeds.
     - gnome-ssh-askpass3: ensure the "close" button is not focused by
       default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter
       accidentally dismissing FIDO touch notifications.
     - gnome-ssh-askpass3: allow some control over textarea colour via
       $GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR
       environment variables.
     - Detect the Frankenstein monster of Linux/X32 and allow the sandbox to
       function there.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
