<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/crypto, branch upstream/13.1.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=upstream%2F13.1.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=upstream%2F13.1.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2022-05-03T20:34:47Z</updated>
<entry>
<title>OpenSSL: Merge OpenSSL 1.1.1o</title>
<updated>2022-05-03T20:34:47Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-05-03T19:07:06Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=2e121bd7c73932ac52332b53ebd7824965e6a7b4'/>
<id>urn:sha1:2e121bd7c73932ac52332b53ebd7824965e6a7b4</id>
<content type='text'>
Approved by:	re (gjb, implicit, security)

(cherry picked from commit 34252e89a96c8d498d7537ade16d20602bf2106a)
(cherry picked from commit 1b7b799f9ebaa6d558523498005ca0e698051274)
</content>
</entry>
<entry>
<title>OpenSSL: Merge OpenSSL 1.1.1n</title>
<updated>2022-03-18T13:49:32Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2022-03-15T23:35:22Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e404b2562b1de8503ea2bfc9a1204b3b4c72511f'/>
<id>urn:sha1:e404b2562b1de8503ea2bfc9a1204b3b4c72511f</id>
<content type='text'>
Approved by:	re (delphij)

(cherry picked from commit 5ac766ab8ec23e780f108b7903d46e553d5e39d1)
(cherry picked from commit 97fe61d5bfdee2adc4d6ffb9b65a0cfb5bc5d317)
</content>
</entry>
<entry>
<title>Fix a bug in BN_mod_sqrt() that can cause it to loop forever.</title>
<updated>2022-03-15T17:42:48Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2022-03-15T16:48:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=942b5e156d4126dfa370486972669347fc585575'/>
<id>urn:sha1:942b5e156d4126dfa370486972669347fc585575</id>
<content type='text'>
Approved by:	re (implicit)
Obtained from:	OpenSSL Project
Security:	CVE-2022-0778
Security:	FreeBSD-SA-22:03.openssl

(cherry picked from commit fdc418f15e92732a3551832bcb625ba9b47242df)
(cherry picked from commit 5f3d952f6e6bce1151ab4a260c6922ba10d7a7ba)
</content>
</entry>
<entry>
<title>openssh: Add a note to check for deprecated and removed config options</title>
<updated>2022-03-08T00:26:22Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2022-03-01T14:36:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=59269984cc3eb86ad4a01669f4285f13f2c9fdb6'/>
<id>urn:sha1:59269984cc3eb86ad4a01669f4285f13f2c9fdb6</id>
<content type='text'>
Suggested by:	emaste
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 9340d69e57764c6ead568dbf14a859d184c35b8e)
</content>
</entry>
<entry>
<title>ssh: correct configure option name</title>
<updated>2022-03-04T01:23:51Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-03-01T14:35:46Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d9ca85e8daed01e671e0654cfa844d36c9fbf532'/>
<id>urn:sha1:d9ca85e8daed01e671e0654cfa844d36c9fbf532</id>
<content type='text'>
The option is security-key-builtin not security-key-internal.  There is
no change to the generated config.h because the option defaults off
anyway.

MFC after:	3 days
Fixes:		87152f340549 ("ssh: disble internal security key...")
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit f1421a8972a2c8babfacfd1270258492579e0208)
</content>
</entry>
<entry>
<title>OpenSSL: Fix the same BIO_FLAGS macro definition</title>
<updated>2022-02-17T22:51:58Z</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2022-02-17T22:51:58Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e1465e2e1e062324533a9a710783c9ab5c43dc6f'/>
<id>urn:sha1:e1465e2e1e062324533a9a710783c9ab5c43dc6f</id>
<content type='text'>
Also add a comment to the public header to avoid
making another conflict in future.

Reviewed by:	jkim
Obtained from:	OpenSSL commit 5d4975ecd88ac17d0749513a8fac9a7c7befd900
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D34135

(cherry picked from commit aa7208254996a66fb0b363bb696fe65d81335d81)
</content>
</entry>
<entry>
<title>SSL_sendfile: Replace ERR_raise_data with SYSerr.</title>
<updated>2022-02-17T22:51:58Z</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2022-02-17T22:51:58Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=96ec9e3c313d291b87547a557f996e5d9bd16b28'/>
<id>urn:sha1:96ec9e3c313d291b87547a557f996e5d9bd16b28</id>
<content type='text'>
ERR_raise_data is only present in OpenSSL 3.0 and later.

Reviewed by:	jkim
Obtained from:	CheriBSD
Differential Revision:	https://reviews.freebsd.org/D33363

(cherry picked from commit 27bb8830d555621d4292da8a83f3bc09176fd00d)
</content>
</entry>
<entry>
<title>ssh: pass 0 to procctl(2) to operate on self</title>
<updated>2022-02-10T18:09:57Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-01-20T18:41:39Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=860508661c14beb1e449c504ccb0bc5dafca60cc'/>
<id>urn:sha1:860508661c14beb1e449c504ccb0bc5dafca60cc</id>
<content type='text'>
As of f833ab9dd187 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID.  The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself).

At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed.  This should likely be addressed
with a kernel change.

In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.

Reported by:	Shawn Webb
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33970

(cherry picked from commit 0746301c4995d9e4a82b0e5034b62e310694d1ef)
(cherry picked from commit e38610abcadbfeba5f7a32aa8a6bc8981be64908)
</content>
</entry>
<entry>
<title>ssh: update to OpenSSH v8.8p1</title>
<updated>2022-02-10T18:09:57Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2021-12-19T16:02:02Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8464ad72e0874fb70c5eb96fe14225c18d06fb3a'/>
<id>urn:sha1:8464ad72e0874fb70c5eb96fe14225c18d06fb3a</id>
<content type='text'>
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit e9e8876a4d6afc1ad5315faaa191b25121a813d7)
(cherry picked from commit 2ffb13149c8e46cb7d7e891b237255615906dc60)
</content>
</entry>
<entry>
<title>ssh: enable FIDO/U2F keys</title>
<updated>2022-02-10T00:03:21Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2021-10-07T03:31:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a613d68fff9af03730e1c18438f85d80649547e4'/>
<id>urn:sha1:a613d68fff9af03730e1c18438f85d80649547e4</id>
<content type='text'>
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

  This release adds support for FIDO/U2F hardware authenticators to
  OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
  authentication hardware that are widely used for website
  authentication.  In OpenSSH FIDO devices are supported by new public
  key types "ecdsa-sk" and "ed25519-sk", along with corresponding
  certificate types.

  ssh-keygen(1) may be used to generate a FIDO token-backed key, after
  which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware token is attached when the keys are
  used. FIDO tokens also generally require the user explicitly
  authorise operations by touching or tapping them.

  Generating a FIDO key requires the token be attached, and will
  usually require the user tap the token to confirm the operation:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
    Generating public/private ecdsa-sk key pair.
    You may need to touch your security key to authorize key generation.
    Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
    Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

  This will yield a public and private key-pair. The private key file
  should be useless to an attacker who does not have access to the
  physical token. After generation, this key may be used like any
  other supported key in OpenSSH and may be listed in authorized_keys,
  added to ssh-agent(1), etc. The only additional stipulation is that
  the FIDO token that the key belongs to must be attached when the key
  is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system.  In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by:	delphij, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32509

(cherry picked from commit e9a994639b2af232f994ba2ad23ca45a17718d2b)
</content>
</entry>
</feed>
