#
a91a2465 |
|
18-Mar-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.7p1 This release contains mostly bugfixes. It also makes support for the DSA signature algorithm a compile-time option, with plans to disable it upstream later this year and remove support entirely in 2025. Full release notes at https://www.openssh.com/txt/release-9.7 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
33a23ef2 |
|
15-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: correct VersionAddendum date Reported by: Herbert J. Skuhra <herbert@gojira.at> Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1") Sponsored by: The FreeBSD Foundation |
#
535af610 |
|
10-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1 Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
66fd12cf |
|
19-Jul-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p2 From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
33a23ef2 |
|
15-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: correct VersionAddendum date Reported by: Herbert J. Skuhra <herbert@gojira.at> Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1") Sponsored by: The FreeBSD Foundation |
#
535af610 |
|
10-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1 Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
66fd12cf |
|
19-Jul-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p2 From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
33a23ef2 |
|
15-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: correct VersionAddendum date Reported by: Herbert J. Skuhra <herbert@gojira.at> Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1") Sponsored by: The FreeBSD Foundation |
#
535af610 |
|
10-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1 Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
66fd12cf |
|
19-Jul-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p2 From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
33a23ef2 |
|
15-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: correct VersionAddendum date Reported by: Herbert J. Skuhra <herbert@gojira.at> Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1") Sponsored by: The FreeBSD Foundation
|
#
535af610 |
|
10-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1 Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
66fd12cf |
|
19-Jul-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p2 From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
66fd12cf |
|
19-Jul-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p2 From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411 |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
77934b7a |
|
14-Nov-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default X11Forwarding to no, following upstream Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272 |
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
9f009e06 |
|
25-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
sshd_config: clarify password authentication options Passwords may be accepted by both the PasswordAuthentication and KbdInteractiveAuthentication authentication schemes. Add a reference to the latter in the description/comment for PasswordAuthentication, as it otherwise may seem that "PasswordAuthentication no" implies passwords will be disallowed. This situation should be clarified with more extensive documentation on the authentication schemes and configuration options, but that should be done in coordination with upstream OpenSSH. This is a minimal change that will hopefully clarify the situation without requiring an extensive local patch set. PR: 263045 Reviewed by: manu (earlier version) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35272
|
#
0e12eb7b |
|
10-May-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update sshd_config for prohibit-password option The PermitRootLogin option "prohibit-password" was added as a synonym for "without-password" in 2015. Then in 2017 these were swapped: "prohibit-password" became the canonical option and "without-password" became a deprecated synonym (in OpenSSH commit 071325f458). The UsePAM description in sshd_config still mentioned "without-password." Update it to match the new canonical option. Sponsored by: The FreeBSD Foundation MFC after: 1 week
|
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation
|
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
e9e8876a |
|
19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1 OpenSSH v8.8p1 was motivated primarily by a security update and deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes. The security update was already applied to FreeBSD as an independent change, and the RSA/SHA1 deprecation is excluded from this commit but will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date. |
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
9ea45e75 |
|
10-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913: Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin. |
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on |
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option. |
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default. |
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0a37d4a3 |
|
11-Nov-2013 |
Xin LI <delphij@FreeBSD.org> |
MFV r257952: Upgrade to OpenSSH 6.4p1. Bump VersionAddendum. Approved by: des
|
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match. |
#
420bce64 |
|
17-May-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched the issues that affected us.
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP |
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
8ad9b54a |
|
28-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.5p1.
|
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe. |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum. |
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM. |
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default. |
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string. |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum. |
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum. |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des |
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs |
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files. |
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs. |
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit. |
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net> |
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16. |
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc. |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter |
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson |
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default |
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de> |
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it. |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key |
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
6d6e8a4a |
|
02-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051
|
#
b4245df0 |
|
02-Feb-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document our modified default value for PermitRootLogin.
|
#
c4cd1fa4 |
|
27-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Switch UseDNS back on
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH.
|
#
db83e542 |
|
24-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove description of the now-defunct NoneEnabled option.
|
#
4b0b2f2d |
|
20-May-2014 |
Steven Hartland <smh@FreeBSD.org> |
Change comment about HPNDisabled to match the style of other options to avoid confusion. Sponsored by: Multiplay
|
#
2b1970f3 |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn sandboxing on by default.
|
#
aa0dd44b |
|
28-Jun-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
r251088 reverted the default value for UsePrivilegeSeparation from "sandbox" to "yes", but did not update the documentation to match.
|
#
c5c0dc91 |
|
18-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Keep the default AuthorizedKeysFile setting. Although authorized_keys2 has been deprecated for a while, some people still use it and were unpleasantly surprised by this change. I may revert this commit at a later date if I can come up with a way to give users who still have authorized_keys2 files sufficient advance warning. MFC after: ASAP
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer)
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
124981e1 |
|
21-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
MFH OpenSSH 5.4p1
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
5972f81b |
|
11-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove dupe.
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
3c492e28 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Bump version addendum. MFC after: 1 week
|
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week
|
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1.
|
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts.
|
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1.
|
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1.
|
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1.
|
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts
|
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1.
|
#
562de5d9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Adjust version number and addendum.
|
#
d2b1b4f3 |
|
15-Mar-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Correctly document the default value of UsePAM.
|
#
eea81d70 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update VersionAddendum in config files and man pages.
|
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1.
|
#
028c324a |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Pull asbesthos underpants on and disable protocol version 1 by default.
|
#
b909c84b |
|
19-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Turn non-PAM password authentication off by default when USE_PAM is defined. Too many users are getting bitten by it.
|
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no
|
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2.
|
#
44172b70 |
|
24-Sep-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Update version string.
|
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
9794bba8 |
|
10-Feb-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
document the current default value for VersionAddendum.
|
#
00617102 |
|
05-Nov-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document the current default value for VersionAddendum.
|
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1.
|
#
a02377d3 |
|
26-Jul-2002 |
Tony Finch <fanf@FreeBSD.org> |
FreeBSD doesn't use the host RSA key by default. Reviewed by: des
|
#
53282320 |
|
02-Jul-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Two FreeBSD-specific nits in comments: - ChallengeResponseAuthentication controls PAM, not S/Key - We don't honor PAMAuthenticationViaKbdInt, because the code path it controls doesn't make sense for us, so don't mention it. Sponsored by: DARPA, NAI Labs
|
#
9a979375 |
|
30-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to update the addendum in the config files.
|
#
1f334c7b |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Document FreeBSD defaults. Sponsored by: DARPA, NAI Labs
|
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline.
|
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1.
|
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs
|
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3.
|
#
259bbc73 |
|
01-May-2002 |
David E. O'Brien <obrien@FreeBSD.org> |
Usual after-import fixup of SCM IDs.
|
#
80241871 |
|
25-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Back out previous commit.
|
#
44493e08 |
|
24-Apr-2002 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Change default challenge/response behavior of sshd by popular demand. This brings us into sync with the behavior of sshd on other Unix platforms. Submitted by: Joshua Goodall <joshua@roughtrade.net>
|
#
43e73ba0 |
|
02-Apr-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens the version string to 28 characters, which is below the 40-character limit specified in the proposed SECSH standard. Some servers, however (like the one built into the Foundry BigIron line of switches) will hang when confronted with a version string longer than 24 characters, so some users may need to shorten it further. Sponsored by: DARPA, NAI Labs
|
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts.
|
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1
|
#
d3ebe37c |
|
18-May-2001 |
David E. O'Brien <obrien@FreeBSD.org> |
Restore the RSA host key to /etc/ssh/ssh_host_key. Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16.
|
#
3817a12c |
|
05-May-2001 |
Brian Feldman <green@FreeBSD.org> |
sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc.
|
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9.
|
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson
|
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users.
|
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org>
|
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release).
|
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green
|
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09
|
#
1610cd7f |
|
01-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Turn on X11Forwarding by default on the server. Any risk is to the client, where it is already disabled by default. Reminded by: peter
|
#
b87db7ce |
|
23-Aug-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Increase the default value of LoginGraceTime from 60 seconds to 120 seconds. PR: 20488 Submitted by: rwatson
|
#
a4bc7676 |
|
23-May-2000 |
Andrey A. Chernov <ache@FreeBSD.org> |
Turn on CheckMail to be more login-compatible by default
|
#
ba0c6b08 |
|
18-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Correct two stupid typos in the DSA key location. Submitted by: Udo Schweigert <ust@cert.siemens.de>
|
#
0c11f6e1 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Create a DSA host key if one does not already exist, and teach sshd_config about it.
|
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD.
|
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1.
|
#
4d3289a8 |
|
25-Feb-2000 |
Peter Wemm <peter@FreeBSD.org> |
oops, update path to /etc/ssh/ssh_host_key
|
#
6ecb0507 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
remove ports junk
|
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*)
|
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH.
|