FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.4 2026-01-20T19:41:59Z 2026-01-20T19:41:59Z Ed Maste emaste@FreeBSD.org 2025-08-01T15:56:45Z urn:sha1:7ca599aa613955a939284292f0993b59b0d9fef3 Full release notes are available at https://www.openssh.com/txt/release-10.0 Selected highlights from the release notes: Potentially-incompatible changes - This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.] - This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this. - sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Security - sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.] New features - ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D51630 (cherry picked from commit 8e28d84935f2f0ee081d44f9803f3052b960e50b) (cherry picked from commit e600fc7295a7082041388113a5d677f6c4cf7ce7) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-04-12T13:18:20Z urn:sha1:74776eba28d86b9384faa7fce5a699a73afced99 Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896 (cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-03-02T14:45:23Z urn:sha1:be7b176511003be3d47ae463fd6bea5659446c70 Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409 (cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03) 2025-02-27T19:45:40Z Isaac Freund ifreund@freebsdfoundation.org 2024-12-23T21:54:29Z urn:sha1:f183965bb8f5cf68edbd60a7c39e20ad211d6bd5 Currently, files that belong in the tests package are included in the ssh, bsnmp, and clibs-dev packages: ssh.plist 24:@dir(root,wheel,0755,) /usr/tests/secure/libexec 25:@(root,wheel,0444,) /usr/tests/secure/libexec/Kyuafile bsnmp.plist 82:@dir(root,wheel,0755,) /usr/tests/lib/libbsnmp 83:@(root,wheel,0444,) /usr/tests/lib/libbsnmp/Kyuafile 84:@(root,wheel,0555,) /usr/tests/lib/libbsnmp/bsnmpd_test clibs-dev.plist 2518:@dir(root,wheel,0755,) /usr/tests/lib/csu 2519:@(root,wheel,0444,) /usr/tests/lib/csu/Kyuafile This is caused by the PACKAGE=foo assignment in foo/Makefile.inc which overrides the default PACKAGE?=tests in bsd.test.mk. To fix this, instead use PACKAGE?=foo in foo/Makefile.inc and set PACKAGE=tests in foo/tests/Makefile. PR: 249144 Reviewed by: bapt, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47025 (cherry picked from commit 3a56015a2f5d630910177fa79a522bb95511ccf7) 2025-02-20T17:50:11Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:ff2fd01609cc10bcdc87ebe4de42efaf7ffe2ee9 Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC) 2023-08-16T17:55:03Z Warner Losh imp@FreeBSD.org 2023-08-16T17:55:03Z urn:sha1:d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ 2023-04-19T00:14:23Z Simon J. Gerraty sjg@FreeBSD.org 2023-04-19T00:14:23Z urn:sha1:d9a42747950146bf03cda7f6e25d219253f8a57a 2021-11-04T17:01:44Z Ed Maste emaste@FreeBSD.org 2021-10-07T03:31:17Z urn:sha1:e9a994639b2af232f994ba2ad23ca45a17718d2b Description of FIDO/U2F support (from OpenSSH 8.2 release notes, https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509 2021-11-03T23:38:05Z Ed Maste emaste@FreeBSD.org 2021-11-02T18:48:33Z urn:sha1:9d63429fa16352f58037ac2aa6ddc734b25e8331 This moves SSHDIR and ssh_namespace.h handling to a common location, and will simplify future work such as adding U2F support (D32509). Reviewed by: kevans MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32808 2018-09-10T16:20:12Z Dag-Erling Smørgrav des@FreeBSD.org 2018-09-10T16:20:12Z urn:sha1:190cef3d52236565eb22e18b33e9e865ec634aa3 Approved by: re (kib@)