#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
fb5aabcb |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
scp: switch to using the SFTP protocol by default From upstream release notes https://www.openssh.com/txt/release-9.0 This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag. Relnotes: Yes Sponsored by: The FreeBSD Foundation |
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
afde5170 |
|
21-Feb-2019 |
Ed Maste <emaste@FreeBSD.org> |
scp: validate filenames provided by server against wildcard in client OpenSSH-portable commits: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda Minor patch conflict (getopt) resolved. Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc scp: add -T to usage(); OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 PR: 234965 Approved by: des MFC after: 3 days Obtained from: OpenSSH-portable 391ffc4b9d, 2c21b75a7b Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19076
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5b71b2eb |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format. |
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
afee23fe |
|
01-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
a29f9ec5 |
|
29-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates. MFC after: 3 days |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
fb5aabcb |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
scp: switch to using the SFTP protocol by default From upstream release notes https://www.openssh.com/txt/release-9.0 This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag. Relnotes: Yes Sponsored by: The FreeBSD Foundation |
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
afde5170 |
|
21-Feb-2019 |
Ed Maste <emaste@FreeBSD.org> |
scp: validate filenames provided by server against wildcard in client OpenSSH-portable commits: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda Minor patch conflict (getopt) resolved. Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc scp: add -T to usage(); OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 PR: 234965 Approved by: des MFC after: 3 days Obtained from: OpenSSH-portable 391ffc4b9d, 2c21b75a7b Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19076
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5b71b2eb |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format. |
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
afee23fe |
|
01-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
a29f9ec5 |
|
29-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates. MFC after: 3 days |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
fb5aabcb |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
scp: switch to using the SFTP protocol by default From upstream release notes https://www.openssh.com/txt/release-9.0 This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag. Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
afde5170 |
|
21-Feb-2019 |
Ed Maste <emaste@FreeBSD.org> |
scp: validate filenames provided by server against wildcard in client OpenSSH-portable commits: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda Minor patch conflict (getopt) resolved. Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc scp: add -T to usage(); OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 PR: 234965 Approved by: des MFC after: 3 days Obtained from: OpenSSH-portable 391ffc4b9d, 2c21b75a7b Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19076
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5b71b2eb |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format. |
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
afee23fe |
|
01-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
a29f9ec5 |
|
29-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates. MFC after: 3 days |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
afde5170 |
|
21-Feb-2019 |
Ed Maste <emaste@FreeBSD.org> |
scp: validate filenames provided by server against wildcard in client OpenSSH-portable commits: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda Minor patch conflict (getopt) resolved. Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc scp: add -T to usage(); OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 PR: 234965 Approved by: des MFC after: 3 days Obtained from: OpenSSH-portable 391ffc4b9d, 2c21b75a7b Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19076
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5b71b2eb |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format. |
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
afee23fe |
|
01-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
a29f9ec5 |
|
29-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates. MFC after: 3 days |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
afde5170 |
|
21-Feb-2019 |
Ed Maste <emaste@FreeBSD.org> |
scp: validate filenames provided by server against wildcard in client OpenSSH-portable commits: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda Minor patch conflict (getopt) resolved. Obtained from: OpenSSH-portable 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc scp: add -T to usage(); OpenBSD-Commit-ID: a7ae14d9436c64e1bd05022329187ea3a0ce1899 Obtained from: OpenSSH-portable 2c21b75a7be6ebdcbceaebb43157c48dbb36f3d8 PR: 234965 Approved by: des MFC after: 3 days Obtained from: OpenSSH-portable 391ffc4b9d, 2c21b75a7b Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19076
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
5b71b2eb |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format. |
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
afee23fe |
|
01-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
a29f9ec5 |
|
29-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates. MFC after: 3 days |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
5b71b2eb |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format.
|
#
cf783db1 |
|
24-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a pre-merge script which reverts mechanical changes such as added $FreeBSD$ tags and man page dates. Add a post-merge script which reapplies these changes. Run both scripts to normalize the existing code base. As a result, many files which should have had $FreeBSD$ tags but didn't now have them. Partly rewrite the upgrade instructions and remove the now outdated list of tricks.
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
d2997dab |
|
02-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas in Dd Approved by: re (kib@)
|
#
afee23fe |
|
01-Jun-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Missing commas
|
#
124981e1 |
|
21-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
MFH OpenSSH 5.4p1
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
a29f9ec5 |
|
29-Sep-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Our groff doesn't understand $Mdocdate$, so replace them with bare dates. MFC after: 3 days
|
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1.
|
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1.
|
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1.
|
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1.
|
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1.
|
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1.
|
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2.
|
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1.
|
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1.
|
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3.
|
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1
|
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson
|
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release).
|
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09
|
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1.
|
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25
|
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH.
|