ssh: Update to OpenSSH 9.7p1

This release contains mostly bugfixes.

It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.

Full release notes at https://www.openssh.com/txt/release-9.7

Relnotes: Yes
Sponsored by: The FreeBSD Foundation

ssh-keysign: fix double free in error path

From OpenSSH-portable commit 141535b904b6, OpenBSD commit 3d21aa127b1f.

MFC after: 3 days

ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)

* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.

* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985

Upgrade to OpenSSH 7.8p1.

Approved by: re (kib@)

Upgrade to OpenSSH 7.7p1.

Upgrade to OpenSSH 7.2p2.

Upgrade to OpenSSH 7.0p1.

Upgrade to OpenSSH 6.9p1.

Upgrade to OpenSSH 6.8p1.

Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after: 1 week

Upgrade to OpenSSH 6.5p1.

Upgrade to 6.3p1.

Approved by: re (gjb)

Upgrade to OpenSSH 5.9p1.

MFC after: 3 months

Upgrade to OpenSSH 5.8p2.

Upgrade to OpenSSH 5.6p1.

Upgrade to OpenSSH 5.4p1.

MFC after: 1 month

Properly flatten openssh/dist.

Vendor import of OpenSSH 4.4p1.

Vendor import of OpenSSH 4.3p1.

Vendor import of OpenSSH 4.0p1.

Vendor import of OpenSSH 3.9p1.

Vendor import of OpenSSH 3.8p1.

Vendor import of OpenSSH 3.7.1p2.

Vendor import of OpenSSH-portable 3.6.1p1.

Vendor import of OpenSSH-portable 3.5p1.

Vendor import of OpenSSH 3.3p1.

Vendor import of OpenSSH 3.3.

ssh-keysign: fix double free in error path

From OpenSSH-portable commit 141535b904b6, OpenBSD commit 3d21aa127b1f.

MFC after: 3 days

ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)

* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.

* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985

Upgrade to OpenSSH 7.8p1.

Approved by: re (kib@)

Upgrade to OpenSSH 7.7p1.

Upgrade to OpenSSH 7.2p2.

Upgrade to OpenSSH 7.0p1.

Upgrade to OpenSSH 6.9p1.

Upgrade to OpenSSH 6.8p1.

Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after: 1 week

Upgrade to OpenSSH 6.5p1.

Upgrade to 6.3p1.

Approved by: re (gjb)

Upgrade to OpenSSH 5.9p1.

MFC after: 3 months

Upgrade to OpenSSH 5.8p2.

Upgrade to OpenSSH 5.6p1.

Upgrade to OpenSSH 5.4p1.

MFC after: 1 month

Properly flatten openssh/dist.

Vendor import of OpenSSH 4.4p1.

Vendor import of OpenSSH 4.3p1.

Vendor import of OpenSSH 4.0p1.

Vendor import of OpenSSH 3.9p1.

Vendor import of OpenSSH 3.8p1.

Vendor import of OpenSSH 3.7.1p2.

Vendor import of OpenSSH-portable 3.6.1p1.

Vendor import of OpenSSH-portable 3.5p1.

Vendor import of OpenSSH 3.3p1.

Vendor import of OpenSSH 3.3.

openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985

Upgrade to OpenSSH 7.8p1.

Approved by: re (kib@)

Upgrade to OpenSSH 7.7p1.

Upgrade to OpenSSH 7.2p2.

Upgrade to OpenSSH 7.0p1.

Upgrade to OpenSSH 6.9p1.

Upgrade to OpenSSH 6.8p1.

Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after: 1 week

Upgrade to OpenSSH 6.5p1.

Upgrade to 6.3p1.

Approved by: re (gjb)

Upgrade to OpenSSH 5.9p1.

MFC after: 3 months

Upgrade to OpenSSH 5.8p2.

Upgrade to OpenSSH 5.6p1.

Upgrade to OpenSSH 5.4p1.

MFC after: 1 month

Properly flatten openssh/dist.

Vendor import of OpenSSH 4.4p1.

Vendor import of OpenSSH 4.3p1.

Vendor import of OpenSSH 4.0p1.

Vendor import of OpenSSH 3.9p1.

Vendor import of OpenSSH 3.8p1.

Vendor import of OpenSSH 3.7.1p2.

Vendor import of OpenSSH-portable 3.6.1p1.

Vendor import of OpenSSH-portable 3.5p1.

Vendor import of OpenSSH 3.3p1.

Vendor import of OpenSSH 3.3.

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

MFH OpenSSH 5.4p1

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

- Import the HEAD csup code which is the basis for the cvsmode work.

Vendor import of OpenSSH 4.4p1.

Vendor import of OpenSSH 4.3p1.

Vendor import of OpenSSH 4.0p1.

Vendor import of OpenSSH 3.9p1.

Vendor import of OpenSSH 3.8p1.

Vendor import of OpenSSH 3.7.1p2.

Vendor import of OpenSSH-portable 3.6.1p1.

Vendor import of OpenSSH-portable 3.5p1.

Vendor import of OpenSSH 3.3p1.

Vendor import of OpenSSH 3.3.