#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
ba91e31f |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: remove login class restrictions leftovers MFC after: 2 weeks Fixes: 27ceebbc2402 ("openssh: simplify login class...") Sponsored by: The FreeBSD Foundation |
#
6eac665c |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: diff reduction against upstream 7.9p1 Clean up whitespace and nonfunctional differences, and unused functions. |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
8d8b2923 |
|
25-Jun-2020 |
Xin LI <delphij@FreeBSD.org> |
Don't log normal login_getpwclass(3) result. The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997 |
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
9be00009 |
|
14-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a missing #include "canohost.h". |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
5b400a39 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
2735cfee |
|
25-Mar-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
a681ab0a |
|
16-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Diff reduction. Sponsored by: DARPA, NAI Labs |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
e4fe1ca6 |
|
14-Mar-2001 |
Brian Feldman <green@FreeBSD.org> |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name. |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
03e72be8 |
|
13-Nov-2000 |
Brian Feldman <green@FreeBSD.org> |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
21deafa3 |
|
27-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
ba91e31f |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: remove login class restrictions leftovers MFC after: 2 weeks Fixes: 27ceebbc2402 ("openssh: simplify login class...") Sponsored by: The FreeBSD Foundation |
#
6eac665c |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: diff reduction against upstream 7.9p1 Clean up whitespace and nonfunctional differences, and unused functions. |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
8d8b2923 |
|
25-Jun-2020 |
Xin LI <delphij@FreeBSD.org> |
Don't log normal login_getpwclass(3) result. The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997 |
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
9be00009 |
|
14-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a missing #include "canohost.h". |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
5b400a39 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
2735cfee |
|
25-Mar-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
a681ab0a |
|
16-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Diff reduction. Sponsored by: DARPA, NAI Labs |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
e4fe1ca6 |
|
14-Mar-2001 |
Brian Feldman <green@FreeBSD.org> |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name. |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
03e72be8 |
|
13-Nov-2000 |
Brian Feldman <green@FreeBSD.org> |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
21deafa3 |
|
27-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
ba91e31f |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: remove login class restrictions leftovers MFC after: 2 weeks Fixes: 27ceebbc2402 ("openssh: simplify login class...") Sponsored by: The FreeBSD Foundation |
#
6eac665c |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: diff reduction against upstream 7.9p1 Clean up whitespace and nonfunctional differences, and unused functions. |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
8d8b2923 |
|
25-Jun-2020 |
Xin LI <delphij@FreeBSD.org> |
Don't log normal login_getpwclass(3) result. The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997 |
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
9be00009 |
|
14-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a missing #include "canohost.h". |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
5b400a39 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
2735cfee |
|
25-Mar-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
a681ab0a |
|
16-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Diff reduction. Sponsored by: DARPA, NAI Labs |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
e4fe1ca6 |
|
14-Mar-2001 |
Brian Feldman <green@FreeBSD.org> |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name. |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
03e72be8 |
|
13-Nov-2000 |
Brian Feldman <green@FreeBSD.org> |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
21deafa3 |
|
27-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
ba91e31f |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: remove login class restrictions leftovers MFC after: 2 weeks Fixes: 27ceebbc2402 ("openssh: simplify login class...") Sponsored by: The FreeBSD Foundation |
#
6eac665c |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: diff reduction against upstream 7.9p1 Clean up whitespace and nonfunctional differences, and unused functions. |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
8d8b2923 |
|
25-Jun-2020 |
Xin LI <delphij@FreeBSD.org> |
Don't log normal login_getpwclass(3) result. The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997 |
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
9be00009 |
|
14-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a missing #include "canohost.h". |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
5b400a39 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
2735cfee |
|
25-Mar-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
a681ab0a |
|
16-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Diff reduction. Sponsored by: DARPA, NAI Labs |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
e4fe1ca6 |
|
14-Mar-2001 |
Brian Feldman <green@FreeBSD.org> |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name. |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
03e72be8 |
|
13-Nov-2000 |
Brian Feldman <green@FreeBSD.org> |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
21deafa3 |
|
27-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
ba91e31f |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: remove login class restrictions leftovers MFC after: 2 weeks Fixes: 27ceebbc2402 ("openssh: simplify login class...") Sponsored by: The FreeBSD Foundation |
#
6eac665c |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: diff reduction against upstream 7.9p1 Clean up whitespace and nonfunctional differences, and unused functions. |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
8d8b2923 |
|
25-Jun-2020 |
Xin LI <delphij@FreeBSD.org> |
Don't log normal login_getpwclass(3) result. The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997 |
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
9be00009 |
|
14-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a missing #include "canohost.h". |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
5b400a39 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
2735cfee |
|
25-Mar-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
a681ab0a |
|
16-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Diff reduction. Sponsored by: DARPA, NAI Labs |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
e4fe1ca6 |
|
14-Mar-2001 |
Brian Feldman <green@FreeBSD.org> |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name. |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
03e72be8 |
|
13-Nov-2000 |
Brian Feldman <green@FreeBSD.org> |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
21deafa3 |
|
27-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
ba91e31f |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: remove login class restrictions leftovers MFC after: 2 weeks Fixes: 27ceebbc2402 ("openssh: simplify login class...") Sponsored by: The FreeBSD Foundation
|
#
6eac665c |
|
02-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: diff reduction against upstream 7.9p1 Clean up whitespace and nonfunctional differences, and unused functions.
|
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760
|
#
8d8b2923 |
|
25-Jun-2020 |
Xin LI <delphij@FreeBSD.org> |
Don't log normal login_getpwclass(3) result. The logging was introduced in r314527 but doesn't appear to be useful for regular operation, and as the result, for users with no class set (very common) the administrator would see a message like this in their auth.log: sshd[44251]: user root login class [preauth] (note that the class was "" because that's what's typically configured for most users; we would get 'default' if lc->lc_class is chosen) Remove this log as it can be annoying as the lookup happen before authentication and repeats, and our code is not acting upon lc_class or pw_class directly anyways. Reviewed by: cem, imp MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D24997
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128
|
#
3e058dbd |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Sponsored by: The FreeBSD Foundation
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051
|
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation
|
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$").
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks.
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
124981e1 |
|
21-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
MFH OpenSSH 5.4p1
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week
|
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1.
|
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts.
|
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1.
|
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1.
|
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1.
|
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts
|
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1.
|
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1.
|
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1.
|
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no
|
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2.
|
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1.
|
#
9be00009 |
|
14-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a missing #include "canohost.h".
|
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1.
|
#
5b400a39 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply class-imposed login restrictions. Sponsored by: DARPA, NAI Labs
|
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline.
|
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1.
|
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs
|
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3.
|
#
2735cfee |
|
25-Mar-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Switch over to using pam_login_access(8) module in sshd(8). (Fixes static compilation. Reduces diffs to OpenSSH.) Reviewed by: bde
|
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts.
|
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1
|
#
a681ab0a |
|
16-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Diff reduction. Sponsored by: DARPA, NAI Labs
|
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9.
|
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson
|
#
e4fe1ca6 |
|
14-Mar-2001 |
Brian Feldman <green@FreeBSD.org> |
Don't dump core when an attempt is made to login using protocol 2 with an invalid user name.
|
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504
|
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org>
|
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release).
|
#
03e72be8 |
|
13-Nov-2000 |
Brian Feldman <green@FreeBSD.org> |
Add login_cap and login_access support. Previously, these FreeBSD-local checks were only made when using the 1.x protocol.
|
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green
|
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09
|
#
21deafa3 |
|
27-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
So /this/ is what has made OpenSSH's SSHv2 support never work right! In some cases, limits did not get set to the proper class, but instead always to "default", because not all passwd copies were done to completion.
|
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD.
|
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1.
|