#
a91a2465 |
|
18-Mar-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.7p1 This release contains mostly bugfixes. It also makes support for the DSA signature algorithm a compile-time option, with plans to disable it upstream later this year and remove support entirely in 2025. Full release notes at https://www.openssh.com/txt/release-9.7 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1

From the release notes,

> This release contains a number of security fixes, some small features
> and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
535af610 |
|
10-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1

Excerpts from the release notes:

 * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories.
 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
 * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name.
 * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location.
 * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider.
 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it.
 * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was explicitly set to "none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
43c6b7a6 |
|
19-Apr-2023 |
Ed Maste <emaste@FreeBSD.org> |
openssh: restore PrintLastLog option Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not exist, but PrintLastLog also works with utmpx and other mechanisms. Reported upstream at https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html PR: 209441 Sponsored by: The FreeBSD Foundation |
#
1aa9a35f |
|
08-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: fix SIZEOF_TIME_T #define on i386 Reported by: imp Reviewed by: imp MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38443 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1

Release notes are available at https://www.openssh.com/txt/release-9.2

OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD.

Some other notable items from the release notes:

 * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime.
 * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels.
 * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above.
 * sshd(8): add a -V (version) option to sshd like the ssh client has.
 * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence.
 * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976
 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499

MFC after: 1 week
Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1

Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.

New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.
 * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
 * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
 * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private key is hosted in an agent; bz3429

MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1

Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
 * sftp-server(8): support the "copy-data" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948
 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method.
 * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Reported by: O. Hartmann Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

 - sshd(8): Remove support for obsolete "host/port" syntax.
 - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".
 - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.
 - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.
 - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).
 - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.
 - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.
 - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.

Additional integration work is needed to support FIDO/U2F in the base system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
|
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated. There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH. Sponsored by: The FreeBSD Foundation |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390 |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random().

ObsoleteFiles.inc:
    Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3).

contrib/ntp/lib/isc/random.c:
contrib/ntp/sntp/libevent/evutil_rand.c:
    Eliminate in-tree usage of arc4random_addrandom().

crypto/heimdal/lib/roken/rand.c:
crypto/openssh/config.h:
    Eliminate in-tree usage of arc4random_stir().

include/stdlib.h:
    Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transition period.

lib/libc/gen/Makefile.inc:
    Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links.

lib/libc/gen/arc4random.c:
    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream.

lib/libc/gen/Symbol.map:
    Remove arc4random_stir and arc4random_addrandom interfaces.

lib/libc/gen/arc4random.h:
    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

lib/libc/gen/arc4random.3:
    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247.

lib/libc/gen/arc4random-compat.c:
    Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise.

lib/libc/gen/getentropy.c:
lib/libc/include/libc_private.h:
    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result.

sys/crypto/chacha20/chacha.c:
sys/crypto/chacha20/chacha.h:
    Make it possible to use the kernel implementation in libc.

PR: 182610
Reviewed by: cem, markm
Obtained from: OpenBSD
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16760 |
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. Reported by: ngie |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd

Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after: 2 weeks
PR: 210141
Submitted by: kpect@protonmail.com
Differential Revision: D9049 |
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1. Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up. MFC after: 3 days Relnotes: yes |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
00912a20 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have local modifications in configure.ac and configure, run autoheader and autoconf to avoid having to patch configure manually. |
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
29911fca |
|
07-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects. |
#
d9bb67e8 |
|
06-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Explicitly disable lastlog, utmp and wtmp. |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx.

 - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames.
 - Change config.h to match reality.
 - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream.
 - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des |
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly. |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP. |
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default. |
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision. |
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week |
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache |
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache |
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate |
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H. |
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday. |
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) |
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
 - Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE.
 - We don't have setutent(3) etc., and I have no idea why configure ever thought we did. |
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world. |
#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
535af610 |
|
10-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1 Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
43c6b7a6 |
|
19-Apr-2023 |
Ed Maste <emaste@FreeBSD.org> |
openssh: restore PrintLastLog option Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not exist, but PrintLastLog also works with utmpx and other mechanisms. Reported upstream at https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html PR: 209441 Sponsored by: The FreeBSD Foundation |
#
1aa9a35f |
|
08-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: fix SIZEOF_TIME_T #define on i386 Reported by: imp Reviewed by: imp MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38443 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. 
This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Reported by: O. Hartmann Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.
- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.
Additional integration work is needed to support FIDO/U2F in the base system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
|
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated. There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl, HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH. Sponsored by: The FreeBSD Foundation |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390 |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random().
ObsoleteFiles.inc:
    Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3).
contrib/ntp/lib/isc/random.c:
contrib/ntp/sntp/libevent/evutil_rand.c:
    Eliminate in-tree usage of arc4random_addrandom().
crypto/heimdal/lib/roken/rand.c:
crypto/openssh/config.h:
    Eliminate in-tree usage of arc4random_stir().
include/stdlib.h:
    Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transition period.
lib/libc/gen/Makefile.inc:
    Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links.
lib/libc/gen/arc4random.c:
    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream.
lib/libc/gen/Symbol.map:
    Remove arc4random_stir and arc4random_addrandom interfaces.
lib/libc/gen/arc4random.h:
    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.
lib/libc/gen/arc4random.3:
    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247.
lib/libc/gen/arc4random-compat.c:
    Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise.
lib/libc/gen/getentropy.c:
lib/libc/include/libc_private.h:
    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result.
sys/crypto/chacha20/chacha.c:
sys/crypto/chacha20/chacha.h:
    Make it possible to use the kernel implementation in libc.
PR: 182610
Reviewed by: cem, markm
Obtained from: OpenBSD
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16760 |
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. Reported by: ngie |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no
This will unbreak the build if libwrap has been removed from the system
MFC after: 2 weeks
PR: 210141
Submitted by: kpect@protonmail.com
Differential Revision: D9049 |
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1. Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up. MFC after: 3 days Relnotes: yes |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
00912a20 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have local modifications in configure.ac and configure, run autoheader and autoconf to avoid having to patch configure manually. |
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
29911fca |
|
07-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects. |
#
d9bb67e8 |
|
06-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Explicitly disable lastlog, utmp and wtmp. |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx.
- Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des |
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly. |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP. |
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default. |
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision. |
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week |
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache |
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache |
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate |
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H. |
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday. |
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) |
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE.
- We don't have setutent(3) etc., and I have no idea why configure ever thought we did. |
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world. |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Reported by: O. Hartmann Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated. There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH. Sponsored by: The FreeBSD Foundation |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390 |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random(). ObsoleteFiles.inc: Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3). contrib/ntp/lib/isc/random.c: contrib/ntp/sntp/libevent/evutil_rand.c: Eliminate in-tree usage of arc4random_addrandom(). crypto/heimdal/lib/roken/rand.c: crypto/openssh/config.h: Eliminate in-tree usage of arc4random_stir(). include/stdlib.h: Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transistion period. lib/libc/gen/Makefile.inc: Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links. lib/libc/gen/arc4random.c: Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream. lib/libc/gen/Symbol.map: Remove arc4random_stir and arc4random_addrandom interfaces. lib/libc/gen/arc4random.h: Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own. lib/libc/gen/arc4random.3: Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247. lib/libc/gen/arc4random-compat.c: Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise. lib/libc/gen/getentropy.c: lib/libc/include/libc_private.h: Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result. sys/crypto/chacha20/chacha.c: sys/crypto/chacha20/chacha.h: Make it possible to use the kernel implementation in libc. PR: 182610 Reviewed by: cem, markm Obtained from: OpenBSD Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16760 |
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertantly reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. Reported by: ngie |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd Only build libwrap support into sshd if MK_TCP_WRAPPERS != no This will unbreak the build if libwrap has been removed from the system MFC after: 2 weeks PR: 210141 Submitted by: kpect@protonmail.com Differential Revision: D9049 |
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1. Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up. MFC after: 3 days Relnotes: yes |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
00912a20 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have local modifications in configure.ac and configure, run autoheader and autoconf to avoid having to patch configure manually. |
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
29911fca |
|
07-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects. |
#
d9bb67e8 |
|
06-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Explicitly disable lastlog, utmp and wtmp. |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx.

- Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des |
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly. |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP. |
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default. |
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision. |
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week |
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache |
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache |
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate |
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H. |
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday. |
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) |
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE.
- We don't have setutent(3) etc., and I have no idea why configure ever thought we did. |
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world. |
#
43c6b7a6 |
|
19-Apr-2023 |
Ed Maste <emaste@FreeBSD.org> |
openssh: restore PrintLastLog option

Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not exist, but PrintLastLog also works with utmpx and other mechanisms.

Reported upstream at https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

PR: 209441
Sponsored by: The FreeBSD Foundation
|
#
1aa9a35f |
|
08-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: fix SIZEOF_TIME_T #define on i386

Reported by: imp
Reviewed by: imp
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38443
|
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1

Release notes are available at https://www.openssh.com/txt/release-9.2

OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD.

Some other notable items from the release notes:

* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above.
* sshd(8): add a -V (version) option to sshd like the ssh client has.
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence.
* ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499

MFC after: 1 week
Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1

Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.

New features
------------

* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.
* sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys are hosted in an agent; bz3429

MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1

Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
* sftp-server(8): support the "copy-data" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1

OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h

Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1")
Reported by: O. Hartmann
Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.
- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.

Additional integration work is needed to support FIDO/U2F in the base system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
|
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h

Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH.

Sponsored by: The FreeBSD Foundation |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions

Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926.

During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates.

Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760 |
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390 |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random().

ObsoleteFiles.inc:
    Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3).

contrib/ntp/lib/isc/random.c:
contrib/ntp/sntp/libevent/evutil_rand.c:
    Eliminate in-tree usage of arc4random_addrandom().

crypto/heimdal/lib/roken/rand.c:
crypto/openssh/config.h:
    Eliminate in-tree usage of arc4random_stir().

include/stdlib.h:
    Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transition period.

lib/libc/gen/Makefile.inc:
    Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links.

lib/libc/gen/arc4random.c:
    Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream.

lib/libc/gen/Symbol.map:
    Remove arc4random_stir and arc4random_addrandom interfaces.

lib/libc/gen/arc4random.h:
    Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.

lib/libc/gen/arc4random.3:
    Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247.

lib/libc/gen/arc4random-compat.c:
    Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise.

lib/libc/gen/getentropy.c:
lib/libc/include/libc_private.h:
    Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result.

sys/crypto/chacha20/chacha.c:
sys/crypto/chacha20/chacha.h:
    Make it possible to use the kernel implementation in libc.

PR: 182610
Reviewed by: cem, markm
Obtained from: OpenBSD
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16760 |
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place.

Reported by: ngie |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd

Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after: 2 weeks
PR: 210141
Submitted by: kpect@protonmail.com
Differential Revision: D9049 |
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1.

Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up.

MFC after: 3 days
Relnotes: yes |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. 
This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Reported by: O. Hartmann Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated. There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH. Sponsored by: The FreeBSD Foundation |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390 |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random().
ObsoleteFiles.inc: Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3).
contrib/ntp/lib/isc/random.c: contrib/ntp/sntp/libevent/evutil_rand.c: Eliminate in-tree usage of arc4random_addrandom().
crypto/heimdal/lib/roken/rand.c: crypto/openssh/config.h: Eliminate in-tree usage of arc4random_stir().
include/stdlib.h: Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transition period.
lib/libc/gen/Makefile.inc: Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links.
lib/libc/gen/arc4random.c: Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream.
lib/libc/gen/Symbol.map: Remove arc4random_stir and arc4random_addrandom interfaces.
lib/libc/gen/arc4random.h: Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.
lib/libc/gen/arc4random.3: Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247.
lib/libc/gen/arc4random-compat.c: Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise.
lib/libc/gen/getentropy.c: lib/libc/include/libc_private.h: Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result.
sys/crypto/chacha20/chacha.c: sys/crypto/chacha20/chacha.h: Make it possible to use the kernel implementation in libc.
PR: 182610
Reviewed by: cem, markm
Obtained from: OpenBSD
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16760 |
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. Reported by: ngie |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd Only build libwrap support into sshd if MK_TCP_WRAPPERS != no This will unbreak the build if libwrap has been removed from the system MFC after: 2 weeks PR: 210141 Submitted by: kpect@protonmail.com Differential Revision: D9049 |
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1. Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up. MFC after: 3 days Relnotes: yes |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
00912a20 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have local modifications in configure.ac and configure, run autoheader and autoconf to avoid having to patch configure manually. |
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
29911fca |
|
07-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects. |
#
d9bb67e8 |
|
06-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Explicitly disable lastlog, utmp and wtmp. |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des |
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly. |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP. |
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default. |
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision. |
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week |
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache |
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache |
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate |
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H. |
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday. |
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) |
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE. - We don't have setutent(3) etc., and I have no idea why configure ever thought we did. |
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world. |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0
Some highlights:
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
* sftp-server(8): support the "copy-data" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.
This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Reported by: O. Hartmann Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated. There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH. Sponsored by: The FreeBSD Foundation |
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 |
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390 |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random().

ObsoleteFiles.inc: Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3).
contrib/ntp/lib/isc/random.c: contrib/ntp/sntp/libevent/evutil_rand.c: Eliminate in-tree usage of arc4random_addrandom().
crypto/heimdal/lib/roken/rand.c: crypto/openssh/config.h: Eliminate in-tree usage of arc4random_stir().
include/stdlib.h: Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transition period.
lib/libc/gen/Makefile.inc: Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links.
lib/libc/gen/arc4random.c: Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream.
lib/libc/gen/Symbol.map: Remove arc4random_stir and arc4random_addrandom interfaces.
lib/libc/gen/arc4random.h: Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own.
lib/libc/gen/arc4random.3: Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247.
lib/libc/gen/arc4random-compat.c: Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise.
lib/libc/gen/getentropy.c: lib/libc/include/libc_private.h: Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result.
sys/crypto/chacha20/chacha.c: sys/crypto/chacha20/chacha.h: Make it possible to use the kernel implementation in libc.

PR: 182610
Reviewed by: cem, markm
Obtained from: OpenBSD
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D16760 |
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. Reported by: ngie |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd

Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after: 2 weeks
PR: 210141
Submitted by: kpect@protonmail.com
Differential Revision: D9049 |
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1. Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up. MFC after: 3 days Relnotes: yes |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
00912a20 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have local modifications in configure.ac and configure, run autoheader and autoconf to avoid having to patch configure manually. |
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
29911fca |
|
07-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects. |
#
d9bb67e8 |
|
06-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Explicitly disable lastlog, utmp and wtmp. |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx.

- Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames.
- Change config.h to match reality.
- defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream.
- Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des |
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly. |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP. |
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default. |
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision. |
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week |
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache |
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache |
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate |
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H. |
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday. |
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) |
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE.
- We don't have setutent(3) etc., and I have no idea why configure ever thought we did. |
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world. |
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1f290c70 |
|
09-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regen config.h Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Reported by: O. Hartmann Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.
- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.

Additional integration work is needed to support FIDO/U2F in the base system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des |
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly. |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP. |
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default. |
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision. |
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week |
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache |
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache |
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate |
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H. |
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday. |
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) |
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE. - We don't have setutent(3) etc., and I have no idea why configure ever thought we did. |
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. |
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world. |
#
7b529268 |
|
01-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: regenerate config.h Since config.h was last regenerated FreeBSD has added (a stub) libdl, and has removed sys/dir.h. Regenerate config.h to avoid spurious additional changes when OpenSSH is next updated. There should be no issue if this change is MFC'd, but I don't plan to do so. Although configure checks for libdl HAVE_LIBDL isn't even used, and sys/dir.h was non-functional before being removed. The state of these two config.h settings should make no difference in the built OpenSSH. Sponsored by: The FreeBSD Foundation
|
#
27ceebbc |
|
31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760
|
#
4b6d416b |
|
03-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: connect libressl-api-compat.c and regen config.h Differential Revision: https://reviews.freebsd.org/D17390
|
#
c1e80940 |
|
19-Aug-2018 |
Xin LI <delphij@FreeBSD.org> |
Update userland arc4random() with OpenBSD's Chacha20 based arc4random(). ObsoleteFiles.inc: Remove manual pages for arc4random_addrandom(3) and arc4random_stir(3). contrib/ntp/lib/isc/random.c: contrib/ntp/sntp/libevent/evutil_rand.c: Eliminate in-tree usage of arc4random_addrandom(). crypto/heimdal/lib/roken/rand.c: crypto/openssh/config.h: Eliminate in-tree usage of arc4random_stir(). include/stdlib.h: Remove arc4random_stir() and arc4random_addrandom() prototypes, provide temporary shims for transition period. lib/libc/gen/Makefile.inc: Hook arc4random-compat.c to build, add hint for Chacha20 source for kernel, and remove arc4random_addrandom(3) and arc4random_stir(3) links. lib/libc/gen/arc4random.c: Adopt OpenBSD arc4random.c,v 1.54 with bare minimum changes, use the sys/crypto/chacha20 implementation of keystream. lib/libc/gen/Symbol.map: Remove arc4random_stir and arc4random_addrandom interfaces. lib/libc/gen/arc4random.h: Adopt OpenBSD arc4random.h,v 1.4 but provide _ARC4_LOCK of our own. lib/libc/gen/arc4random.3: Adopt OpenBSD arc4random.3,v 1.35 but keep FreeBSD r114444 and r118247. lib/libc/gen/arc4random-compat.c: Compatibility shims for arc4random_stir and arc4random_addrandom functions to preserve ABI. Log once when called but do nothing otherwise. lib/libc/gen/getentropy.c: lib/libc/include/libc_private.h: Fold __arc4_sysctl into getentropy.c (renamed to arnd_sysctl). Remove from libc_private.h as a result. sys/crypto/chacha20/chacha.c: sys/crypto/chacha20/chacha.h: Make it possible to use the kernel implementation in libc. PR: 182610 Reviewed by: cem, markm Obtained from: OpenBSD Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16760
|
#
0999bc48 |
|
03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Re-apply part of r311585 which was inadvertently reverted in the upgrade to 7.3p1. The other part (which adds -DLIBWRAP to sshd's CFLAGS) is still in place. Reported by: ngie
|
#
233932cc |
|
07-Jan-2017 |
Enji Cooper <ngie@FreeBSD.org> |
Conditionalize building libwrap support into sshd Only build libwrap support into sshd if MK_TCP_WRAPPERS != no This will unbreak the build if libwrap has been removed from the system MFC after: 2 weeks PR: 210141 Submitted by: kpect@protonmail.com Differential Revision: D9049
|
#
9ded3306 |
|
03-Aug-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove DSA from default cipher list and disable SSH1. Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for reasons which boil down to POLA. Now is a good time to catch up. MFC after: 3 days Relnotes: yes
|
#
00912a20 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have local modifications in configure.ac and configure, run autoheader and autoconf to avoid having to patch configure manually.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius)
|
#
29911fca |
|
07-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Partially revert r247892 and r247904 since our strnvis() does not behave the way OpenSSH expects.
|
#
d9bb67e8 |
|
06-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Explicitly disable lastlog, utmp and wtmp.
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
124981e1 |
|
21-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
MFH OpenSSH 5.4p1
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'.
|
#
5d54b264 |
|
16-Jun-2009 |
John Baldwin <jhb@FreeBSD.org> |
Use the closefrom(2) system call. Reviewed by: des
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
d08cd946 |
|
01-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Set SIZEOF_LONG_INT and SIZEOF_LONG_LONG_INT to plausible values. They aren't used for anything, but that's no excuse for being silly.
|
#
7cbfb014 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Revert an old hack I put in to replace S/Key with OPIE. We haven't used that code in ages - we use pam_opie(8) instead - so this is a NOP.
|
#
6c93a5ae |
|
06-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Don't define XAUTH_PATH here, we either pass it in on the compiler command line or rely on the built-in default.
|
#
77ec673a |
|
01-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate; no effect on the code as it doesn't actually use the handful of conditionals that changed in this revision.
|
#
4a20f963 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate. MFC after: 1 week
|
#
567b2a32 |
|
09-Jun-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our glob(3) has all the required features. Submitted by: ache
|
#
998ab761 |
|
23-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix utmp. There is some clever logic in configure.ac which attempts to determine whether struct utmp contains the ut_host and ut_time fields. Unfortunately, it reports a false negative for both on FreeBSD, and I didn't check the resulting config.h closely enough to catch the error. Noticed by: ache
|
#
d8b92da8 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate.
|
#
184ad7d3 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate
|
#
19bccc89 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate.
|
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts
|
#
3c848701 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate.
|
#
98e00621 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Define HAVE_GSSAPI_H.
|
#
7dbb68c4 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate.
|
#
a5ac46fb |
|
08-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate config.h; I don't know why this didn't hit CVS yesterday.
|
#
07a3a290 |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate.
|
#
5d93b6af |
|
03-Dec-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Since OpenSSH drops privileges before calling pam_open_session(3), pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson)
|
#
b770f258 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
- Don't enable OpenSSH's OPIE support, since we let PAM handle OPIE. - We don't have setutent(3) etc., and I have no idea why configure ever thought we did.
|
#
e12c2461 |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Regenerate.
|
#
effdee7c |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Commit config.h so we don't need autoconf to build world.
|