FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.4 2025-04-03T04:33:21Z 2025-04-03T04:33:21Z Jose Luis Duran jlduran@FreeBSD.org 2025-03-27T00:19:14Z urn:sha1:bebe2fea194624ce2116eadb48e5b99f29f48a14 Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL 1.1.0), in order to avoid warnings about deprecated functions. Do the same here, to avoid getting those warnings. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49517 (cherry picked from commit d4f438357e90ee1cb12819d092913fdbce813626) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-04-12T13:18:20Z urn:sha1:74776eba28d86b9384faa7fce5a699a73afced99 Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896 (cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-03-02T14:45:23Z urn:sha1:be7b176511003be3d47ae463fd6bea5659446c70 Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409 (cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03) 2025-02-19T14:58:47Z Ed Maste emaste@FreeBSD.org 2025-02-09T20:37:24Z urn:sha1:73dd56ffcd7b2c46de58980ac888c0421e3ec0b6 XAUTH_PATH is normally set (in the upstream build infrastructure) in config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE is set, and over time have sometimes also defined it in config.h. Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so that it will be set when building all ssh libraries and programs but still be set by LOCALBASE. Reviewed by: jlduran Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48907 (cherry picked from commit a63701848fe5462c4e8bbff0131bb42979e603ec) 2022-03-02T14:35:12Z Ed Maste emaste@FreeBSD.org 2022-03-01T21:42:13Z urn:sha1:92ef98b8fa9273049af3cf2fcb4f5e13a6775ff8 An upcoming OpenSSH update has multiple config.h settings that change depending on whether builtin security key support is enabled. Prepare for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header (similar to the approach used for optional krb5 support) and optionally including that, instead of defining the macro directly from CFLAGS. Reviewed by: kevans MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34407 2021-11-04T17:01:44Z Ed Maste emaste@FreeBSD.org 2021-10-07T03:31:17Z urn:sha1:e9a994639b2af232f994ba2ad23ca45a17718d2b Description of FIDO/U2F support (from OpenSSH 8.2 release notes, https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509 2021-11-03T23:38:05Z Ed Maste emaste@FreeBSD.org 2021-11-02T18:48:33Z urn:sha1:9d63429fa16352f58037ac2aa6ddc734b25e8331 This moves SSHDIR and ssh_namespace.h handling to a common location, and will simplify future work such as adding U2F support (D32509). Reviewed by: kevans MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32808