openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985

Upgrade to OpenSSH 7.9p1.

MFC after: 2 months
Sponsored by: The FreeBSD Foundation

Upgrade to OpenSSH 7.8p1.

Approved by: re (kib@)

Upgrade to OpenSSH 7.7p1.

Upgrade to OpenSSH 7.3p1.

Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after: 1 week

Upgrade OpenSSH to 6.1p1.

Upgrade to OpenSSH 5.3p1.

Upgrade to OpenSSH 5.1p1.

I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.

MFC after: 6 weeks

Another four files without local changes. This is driving me nuts -
every time I think I got them all, another one pops up.

Properly flatten openssh/dist.

Merge conflicts.

MFC after: 1 week

Vendor import of OpenSSH 4.4p1.

Resolve conflicts.

Vendor import of OpenSSH 4.2p1.

Resolve conflicts.

Vendor import of OpenSSH 4.1p1.

Vendor import of OpenSSH 4.0p1.

Resolve conflicts

Vendor import of OpenSSH 3.9p1.

Resolve conflicts.

Vendor import of OpenSSH 3.8.1p1.

Resolve conflicts.

Vendor import of OpenSSH 3.8p1.

Resolve conflicts and remove obsolete files.

Sponsored by: registrar.no

Vendor import of OpenSSH 3.7.1p2.

Resolve conflicts.

Vendor import of OpenSSH-portable 3.6.1p1.

Resolve conflicts.

Vendor import of OpenSSH-portable 3.5p1.

Do not try to use PAM for password authentication, as it is
already (and far better) supported by the challenge/response
authentication mechanism.

Forcibly revert to mainline.

Vendor import of OpenSSH 3.3p1.

Resolve conflicts. Known issues:

- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated

I will have these issues resolved, and privilege separation turned on by
default, in time for DP2.

Sponsored by: DARPA, NAI Labs

Vendor import of OpenSSH 3.3.

Fix conflicts.

Vendor import of OpenSSH 3.1

Fix conflicts for OpenSSH 2.9.

Say "hi" to the latest in the OpenSSH series, version 2.9!

Happy birthday to: rwatson

Add code for being compatible with ssh.com's krb5 authentication.
It is done by using the same ssh messages for v4 and v5 authentication
(since the ssh.com does not now anything about v4) and looking at the
contents after unpacking it to see if it is v4 or v5.
Based on code from Björn Grönvall <bg@sics.se>

PR: misc/20504

Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0
new features description elided in favor of checking out their
website.

Important new FreeBSD-version stuff: PAM support has been worked
in, partially from the "Unix" OpenSSH version, and a lot due to the
work of Eivind Eklend, too.

This requires at least the following in pam.conf:

sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so

Parts by: Eivind Eklend <eivind@FreeBSD.org>

Import of OpenSSH 2.3.0 (virgin OpenBSD source release).

Resolve conflicts and update for OpenSSH 2.2.0

Reviewed by: gshapiro, peter, green

Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09

Resolve conflicts and update for FreeBSD.

Initial import of OpenSSH v2.1.

1) Add kerberos5 functionality.
by Daniel Kouril <kouril@informatics.muni.cz>
2) Add full LOGIN_CAP capability
by Andrey Chernov

Vendor import of OpenSSH.

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

MFH OpenSSH 5.4p1

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

- Import the HEAD csup code which is the basis for the cvsmode work.

Another four files without local changes. This is driving me nuts -
every time I think I got them all, another one pops up.

Merge conflicts.

MFC after: 1 week

Vendor import of OpenSSH 4.4p1.

Resolve conflicts.

Vendor import of OpenSSH 4.2p1.

Resolve conflicts.

Vendor import of OpenSSH 4.1p1.

Vendor import of OpenSSH 4.0p1.

Resolve conflicts

Vendor import of OpenSSH 3.9p1.

Resolve conflicts.

Vendor import of OpenSSH 3.8.1p1.

Resolve conflicts.

Vendor import of OpenSSH 3.8p1.

Resolve conflicts and remove obsolete files.

Sponsored by: registrar.no

Vendor import of OpenSSH 3.7.1p2.

Resolve conflicts.

Vendor import of OpenSSH-portable 3.6.1p1.

Resolve conflicts.

Vendor import of OpenSSH-portable 3.5p1.

Do not try to use PAM for password authentication, as it is
already (and far better) supported by the challenge/response
authentication mechanism.

Forcibly revert to mainline.

Vendor import of OpenSSH 3.3p1.

Resolve conflicts. Known issues:

- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated

I will have these issues resolved, and privilege separation turned on by
default, in time for DP2.

Sponsored by: DARPA, NAI Labs

Vendor import of OpenSSH 3.3.

Fix conflicts.

Vendor import of OpenSSH 3.1

Fix conflicts for OpenSSH 2.9.

Say "hi" to the latest in the OpenSSH series, version 2.9!

Happy birthday to: rwatson

Add code for being compatible with ssh.com's krb5 authentication.
It is done by using the same ssh messages for v4 and v5 authentication
(since the ssh.com does not now anything about v4) and looking at the
contents after unpacking it to see if it is v4 or v5.
Based on code from Björn Grönvall <bg@sics.se>

PR: misc/20504

Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0
new features description elided in favor of checking out their
website.

Important new FreeBSD-version stuff: PAM support has been worked
in, partially from the "Unix" OpenSSH version, and a lot due to the
work of Eivind Eklend, too.

This requires at least the following in pam.conf:

sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so

Parts by: Eivind Eklend <eivind@FreeBSD.org>

Import of OpenSSH 2.3.0 (virgin OpenBSD source release).

Resolve conflicts and update for OpenSSH 2.2.0

Reviewed by: gshapiro, peter, green

Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09

Resolve conflicts and update for FreeBSD.

Initial import of OpenSSH v2.1.

1) Add kerberos5 functionality.
by Daniel Kouril <kouril@informatics.muni.cz>
2) Add full LOGIN_CAP capability
by Andrey Chernov

Vendor import of OpenSSH.