History log of /freebsd-current/crypto/openssh/FREEBSD-upgrade
Revision Date Author Comments
# e600fc72 18-Mar-2024 Ed Maste <emaste@FreeBSD.org>

ssh: remove deprecated client VersionAddendum

Support for a client VersionAddendum was removed in bffe60ead024, but
the option was retained (as oDeprecated) as a transition aid.
Sufficient time has passed that it can be removed.

Sponsored by: The FreeBSD Foundation


# 14e78a36 15-Aug-2023 Ed Maste <emaste@FreeBSD.org>

ssh: Remove note about memory leak now resolved upstream

OpenSSH 9.4p1 (updated in commit 535af610a4fd) includes the memory leak
fix that we originally applied in 69c72a57af84 ("sftp: avoid leaking
path arg in calls to make_absolute_pwd_glob.").

Sponsored by: The FreeBSD Foundation


# 348bea10 02-Aug-2023 Ed Maste <emaste@FreeBSD.org>

openssh: retire HPN option handling

The HPN patch set was removed from base system SSH in January 2016, in
commit 60c59fad8806. We retained the option parsing (using OpenSSH's
support for deprecated options) to avoid breaking existing installations
upon upgrade, but sufficient time has now passed that we can remove this
special case.

Approved by: des
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41291


# d5e2d0f1 17-Jul-2023 Ed Maste <emaste@FreeBSD.org>

openssh: document a locally-applied workaround

We have a local hacky workaround for an issue caused by a hacky
upstream autoconf test. Reported upstream on the OpenSSH mailing list:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

PR: 209441
Sponsored by: The FreeBSD Foundation


# 9faa27f2 29-Mar-2023 Ed Maste <emaste@FreeBSD.org>

ssh: update FREEBSD-upgrade for upstream CheckHostIP default change

We changed the CheckHostIP default to "no" years ago. Upstream has now
made the same change, so do not list it as a local change any longer.

I did not just remove the "Modified client-side defaults" section to
avoid having to renumber everything, and we may add a new local change
in the future.

Sponsored by: The FreeBSD Foundation


# c888b3b2 21-Mar-2023 Ed Maste <emaste@FreeBSD.org>

sftp: add description of memory leak fix


# 6834ca8a 23-Feb-2022 Ed Maste <emaste@FreeBSD.org>

ssh: update FREEBSD-upgrade instructions

Make it clear that the 'freebsd-configure.sh' and 'freebsd-namespace.sh'
scripts are run from the crypto/openssh directory.

Sponsored by: The FreeBSD Foundation


# 41ff5ea2 16-Feb-2023 Ed Maste <emaste@FreeBSD.org>

ssh: default VerifyHostKeyDNS to no, following upstream

Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.

This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.

Reported by: David Leadbeater, G-Research
Reviewed by: gordon
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38648


# 232b4f33 07-Feb-2023 Ed Maste <emaste@FreeBSD.org>

ssh: add information on hostname canonicalization patch

We introduced hostname canonicalization in 2002, while upstream OpenSSH
added similar support in 2014.

It would be good to review our handling of CNAMEs in hostname
canonicalization.

Sponsored by: The FreeBSD Foundation


# 77934b7a 14-Nov-2022 Ed Maste <emaste@FreeBSD.org>

ssh: default X11Forwarding to no, following upstream

Administrators can enable it if required.

Reviewed by: bz, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37411


# c755a7cc 05-Feb-2023 Ed Maste <emaste@FreeBSD.org>

ssh: remove old reference from update instructions

ssh_config and ssh_config.5 no longer contain the VersionAddendum,
so remove instructions to update these files.

Fixes: bffe60ead024 ("ssh: retire client VersionAddendum")
Sponsored By: The FreeBSD Foundation


# 9b7eddfe 16-Jan-2023 Ed Maste <emaste@FreeBSD.org>

openssh: remove mention of now-unused svn:keywords

Reported by: gshapiro


# 8974fa45 13-Dec-2022 Ed Maste <emaste@FreeBSD.org>

ssh: describe two additional changes present in base system ssh

Sponsored by: The FreeBSD Foundation


# a752e011 12-Dec-2022 Ed Maste <emaste@FreeBSD.org>

ssh: remove note about local change to [Use]PrivilegeSeparation

We documented "[Use]PrivilegeSeparation defaults to sandbox" as one of
our modifications to ssh's server-side defaults, but this is not (any
longer) a difference from upstream.

Sponsored by: The FreeBSD Foundation


# c72f2597 14-Nov-2022 Ed Maste <emaste@FreeBSD.org>

ssh: remove VersionAddendum from list of client side config changes

Fixes: bffe60ead024 ("ssh: retire client VersionAddendum")
Sponsored by: The FreeBSD Foundation


# fca7ac55 06-Oct-2022 Ed Maste <emaste@FreeBSD.org>

ssh: remove pre- and post-merge update steps

We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.

While here renumber the steps in the update documentation using a more
conventional scheme.

Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36904


# a1e39f96 10-Oct-2022 Ed Maste <emaste@FreeBSD.org>

nanobsd: remove unmodified copies of ssh config files

Nanobsd included copies of ssh_config and sshd_config. The former is
identical to the one provided by the base system, and the latter is
identical except for PermitRootLogin, which is updated by nanobsd's
cust_allow_ssh_root anyhow. Remove nanobsd's copies and use the
existing base system ones.

Reported by: Jose Luis Duran <jlduran@gmail.com> in D34937
Reviewed by: Jose Luis Duran <jlduran@gmail.com>, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36933


# 6f7bc8e7 19-Aug-2022 Ed Maste <emaste@FreeBSD.org>

ssh: describe deprecated options in general in update doc

Rename "HPN" to more general "Retired patches." We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.

Sponsored by: The FreeBSD Foundation


# 97be6fce 19-Aug-2022 Ed Maste <emaste@FreeBSD.org>

openssh: Remove description of VersionAddendum in upgrade doc


# 835ee05f 22-Apr-2022 Ed Maste <emaste@FreeBSD.org>

ssh: drop $FreeBSD$ from crypto/openssh

After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose. Remove them from OpenSSH to reduce diffs against upstream.

Sponsored by: The FreeBSD Foundation


# 9340d69e 01-Mar-2022 Mark Johnston <markj@FreeBSD.org>

openssh: Add a note to check for deprecated and removed config options

Suggested by: emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation


# ab7d0959 23-Feb-2022 Ed Maste <emaste@FreeBSD.org>

ssh: add command to push tag to FREEBSD-upgrade instructions

Because it appears `git push --follow-tags` may push extra, undesired
tags, document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).

Discussed with: imp, lwhsu
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33605


# 2e6ec1e4 23-Feb-2022 Ed Maste <emaste@FreeBSD.org>

ssh: remove 11.x from FREEBSD-upgrade instructions

11.x is no longer supported.


# 438fd19d 20-Nov-2021 Ed Maste <emaste@FreeBSD.org>

ssh: mention nanobsd config files in upgrade instructions

Sponsored by: The FreeBSD Foundation


# b645ee18 09-Sep-2021 Ed Maste <emaste@FreeBSD.org>

openssh: remove update notes about upstreamed changes

Two local changes were committed upstream and are present in OpenSSH
8.7p1. Remove references from FREEBSD-upgrade now that we have updated
to that version.


# f3fd8850 01-Sep-2021 Ed Maste <emaste@FreeBSD.org>

openssh: update note about class-based login restrictions


# 35a03425 30-Aug-2021 Ed Maste <emaste@FreeBSD.org>

openssh: add information about a local change


# 576b477b 23-Apr-2021 Ed Maste <emaste@FreeBSD.org>

openssh: add a note about pushing vendor updates

Sponsored by: The FreeBSD Foundation


# 519496a5 22-Feb-2021 Ed Maste <emaste@FreeBSD.org>

openssh: document two changes that are now upstream

These patches can be removed once we update to 8.5p1 or later.


# 74c59ab7 09-Feb-2021 Ed Maste <emaste@FreeBSD.org>

openssh: port upgrade doc and script to git

Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D28564


# 952d18a2 27-Jul-2020 Ed Maste <emaste@FreeBSD.org>

ssh: Remove AES-CBC ciphers from default server and client lists

A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses. This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.

When upstream removed these ciphers from the default server list, they
moved them to the client-only default list. They were subsequently
removed from the client default, in OpenSSH 7.9p1.

The change has persisted long enough. Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.

Reviewed by: markm, rgrimes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25833


# 99b201c3 25-Feb-2020 Ed Maste <emaste@FreeBSD.org>

Add a note about deleted files in OpenSSH upgrade instructions


# 9fcda2f4 14-Feb-2020 Ed Maste <emaste@FreeBSD.org>

Update OpenSSH upgrade instructions to use https, not ftp

ftp://ftp.openbsd.org/ does not work.


# e491358c 14-Feb-2020 Ed Maste <emaste@FreeBSD.org>

sshd: add upgrade process note about TCP wrappers

We need to add user-facing deprecation notices for TCP wrappers; start
with a note in the upgrade process documentation.

Sponsored by: The FreeBSD Foundation


# 4c3ccd96 14-Feb-2020 Ed Maste <emaste@FreeBSD.org>

openssh: add a note about libwrap in config.h

LIBWRAP is defined by the Makefile based on MK_TCP_WRAPPERS and should
not be defined in config.h.

PR: 210141
Sponsored by: The FreeBSD Foundation


# b23ddc58 06-May-2018 Dag-Erling Smørgrav <des@FreeBSD.org>

Update the repository URLs.


# 9ded3306 03-Aug-2016 Dag-Erling Smørgrav <des@FreeBSD.org>

Remove DSA from default cipher list and disable SSH1.

Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA. Now is a good time to catch up.

MFC after: 3 days
Relnotes: yes


# c3c6c935 10-Mar-2016 Dag-Erling Smørgrav <des@FreeBSD.org>

Re-add AES-CBC ciphers to the default cipher list on the server.

PR: 207679


# c4cd1fa4 27-Jan-2016 Dag-Erling Smørgrav <des@FreeBSD.org>

Switch UseDNS back on


# 0591b689 20-Jan-2016 Dag-Erling Smørgrav <des@FreeBSD.org>

Update the instructions and the list of major local modifications.


# cf783db1 24-Mar-2014 Dag-Erling Smørgrav <des@FreeBSD.org>

Add a pre-merge script which reverts mechanical changes such as added
$FreeBSD$ tags and man page dates.

Add a post-merge script which reapplies these changes.

Run both scripts to normalize the existing code base. As a result, many
files which should have had $FreeBSD$ tags but didn't now have them.

Partly rewrite the upgrade instructions and remove the now outdated
list of tricks.


# 0085282b 23-Sep-2013 Dag-Erling Smørgrav <des@FreeBSD.org>

Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.

Approved by: re (marius)


# 009fd5a7 23-Mar-2013 Dag-Erling Smørgrav <des@FreeBSD.org>

Revert r247892 now that this has been fixed upstream.


# d9bb67e8 06-Mar-2013 Dag-Erling Smørgrav <des@FreeBSD.org>

Explicitly disable lastlog, utmp and wtmp.


# a7d5f7eb 19-Oct-2010 Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.


# fe0506d7 09-Mar-2010 Marcel Moolenaar <marcel@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# cb7b8027 31-Jul-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Catch up with reality.


# 1c71974b 06-Feb-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Fix the Xlist so it actually works with 'tar -X', and update the upgrade
instructions accordingly.


# e66498cd 01-Oct-2006 Dag-Erling Smørgrav <des@FreeBSD.org>

Update configure options and add some missing steps.
The section about our local changes needs reviewing, and some of those
changes should probably be reconsidered (such as preferring DSA over RSA,
which made sense when RSA was encumbered but probably doesn't any more)


# e1fe3dba 17-Mar-2006 Ruslan Ermilov <ru@FreeBSD.org>

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)


# 6dbd30e7 05-Jun-2005 Dag-Erling Smørgrav <des@FreeBSD.org>

Update for 4.1p1.


# d49dad04 28-Oct-2004 Dag-Erling Smørgrav <des@FreeBSD.org>

Better Xlist command line.


# 3ee07a3a 26-Feb-2004 Dag-Erling Smørgrav <des@FreeBSD.org>

Document recently changed configuration defaults.


# c880b043 25-Jan-2004 Dag-Erling Smørgrav <des@FreeBSD.org>

Update the "overview of FreeBSD changes to OpenSSH-portable" to reflect
reality.


# e2fb0b2a 07-Jan-2004 Dag-Erling Smørgrav <des@FreeBSD.org>

Update to reflect changes since the last version.


# 2d61bc67 23-Apr-2003 Dag-Erling Smørgrav <des@FreeBSD.org>

Nit.


# d73be2d9 29-Oct-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Correct shell code to expand globs in FREEBSD-Xlist


# b8110726 08-Sep-2002 Jun Kuriyama <kuriyama@FreeBSD.org>

Fix typo (s@src/crypto/openssh-portable@src/crypto/openssh@).


# 21f19a0c 05-Jul-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

(forgot to commit) We don't need --with-opie since PAM takes care of it.


# ba11afcc 29-Jun-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Document the upgrade process.