FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5 2025-02-20T18:45:36Z 2025-02-20T18:45:36Z Ed Maste emaste@FreeBSD.org 2025-02-19T19:08:59Z urn:sha1:cb8e164fbb1544a82dee9bfbb49dfcd1659f63b1 Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. New features ------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. Bugfixes -------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505 --- Reviewed by: jlduran (build infrastructure) Reviewed by: cy (build infrastructure) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48947 (cherry picked from commit 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a) Approved by: re (accelerated MFC) (cherry picked from commit 802386cd37f638eec9606cb10d3dd03c8f1d6c17) (cherry picked from commit 6e688e6d4f9305441adce78079beaf1030e2881b) Approved by: re (cperciva) 2025-02-20T18:45:19Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:b74bb7f01193eaf1f69735e530e85ac7cb6faa26 Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC) (cherry picked from commit ff2fd01609cc10bcdc87ebe4de42efaf7ffe2ee9) (cherry picked from commit c845ae475579d9b38cd1e3061f3896b44d1cb172) Approved by: re (cperciva) 2025-02-20T18:45:03Z Ed Maste emaste@FreeBSD.org 2025-02-06T19:21:12Z urn:sha1:ef280c2e5fe46241e12d2ddc5a557927eaadf584 It is used only by scp and sftp, and already included directly in their Makefiles. It does not belong in libssh. Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48871 (cherry picked from commit c0af32952564099fe30a34aeb335f95a6dc811ba) (cherry picked from commit 8a02eb2c1e4f3847fccf3eb1e7ff914871e35be4) (cherry picked from commit 63d3c245221d79f16b59771e84467bdd1abf11dd) Approved by: re (cperciva) 2025-01-11T02:48:29Z Kyle Evans kevans@FreeBSD.org 2025-01-01T21:10:27Z urn:sha1:e993a99fd86267a6ea6a7925bf05d3f26730ee9c libecc is not intended to be general use, other applications should really be using openssl. pkg(7) uses libecc to align with the pkg(8) project and its goals. This will be used in the upcoming support for ECC in pkg(7). Reviewed by: emaste (cherry picked from commit 05427f4639bcf2703329a9be9d25ec09bb782742) 2023-09-11T17:16:21Z Jung-uk Kim jkim@FreeBSD.org 2023-09-11T17:16:21Z urn:sha1:ab5435791cc727316bb504b15fa019fcd134a007 2023-08-23T17:43:35Z John Baldwin jhb@FreeBSD.org 2023-08-22T04:01:48Z urn:sha1:8f54a610e00d946472a3c9b7acee6c0bd08e2f39 Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41536 (With ppc assembler stuff removed, since that's no in stable/13 yet) (cherry picked from commit 7a56f5af71851c8b502720ca956629c302821430) 2023-08-23T17:43:30Z Warner Losh imp@FreeBSD.org 2023-08-22T01:32:01Z urn:sha1:023fc80ee38a117fa65b2ccb2abf8bdc7dbd6fd9 Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ Similar commit in main: (cherry picked from commit d0b2dbfa0ecf) 2023-08-23T17:43:26Z Warner Losh imp@FreeBSD.org 2023-08-22T01:31:41Z urn:sha1:3d497e17ebd33fe0f58d773e35ab994d750258d6 Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/ Similar commit in main: (cherry picked from commit 1d386b48a555) 2023-08-23T17:43:23Z Warner Losh imp@FreeBSD.org 2023-08-22T01:31:18Z urn:sha1:8ad303d68cec3ee1133550de37e0009502621e50 Remove /^/[*/]\s*\$FreeBSD\$.*\n/ Similar commit in main: (cherry picked from commit 2a63c3be1582) 2023-08-23T17:43:21Z Warner Losh imp@FreeBSD.org 2023-08-22T01:31:07Z urn:sha1:17da660ad5b3b9cd90e164dd4dbb9beaa7203054 Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/ Similar commit in main: (cherry picked from commit b3e7694832e8)