FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=stable%2F13 2025-02-20T13:21:02Z 2025-02-20T13:21:02Z Ed Maste emaste@FreeBSD.org 2025-02-09T20:37:24Z urn:sha1:10e9add50f9358b6b74e1d481b270ba32f3e85da XAUTH_PATH is normally set (in the upstream build infrastructure) in config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE is set, and over time have sometimes also defined it in config.h. Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so that it will be set when building all ssh libraries and programs but still be set by LOCALBASE. Reviewed by: jlduran Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48907 (cherry picked from commit a63701848fe5462c4e8bbff0131bb42979e603ec) (cherry picked from commit 73dd56ffcd7b2c46de58980ac888c0421e3ec0b6) 2024-01-08T13:57:12Z Ed Maste emaste@FreeBSD.org 2024-01-05T03:16:30Z urn:sha1:2cd20d9bc80743d6562cb6165dc07b8391dddc27 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d) (cherry picked from commit a25789646d7130f5be166cac63d5c8b2b07c4706) 2023-09-11T17:16:21Z Jung-uk Kim jkim@FreeBSD.org 2023-09-11T17:16:21Z urn:sha1:ab5435791cc727316bb504b15fa019fcd134a007 2023-08-23T17:43:30Z Warner Losh imp@FreeBSD.org 2023-08-22T01:32:01Z urn:sha1:023fc80ee38a117fa65b2ccb2abf8bdc7dbd6fd9 Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ Similar commit in main: (cherry picked from commit d0b2dbfa0ecf) 2023-08-01T16:48:23Z Jung-uk Kim jkim@FreeBSD.org 2023-08-01T16:48:23Z urn:sha1:ad5cea201d5dc5417fbae5bb8cb797729641a2c8 2023-05-30T16:52:04Z Jung-uk Kim jkim@FreeBSD.org 2023-05-30T15:03:10Z urn:sha1:cf3a76018cadf9bb39c90badb13e779415bafe37 (cherry picked from commit 5b1268252c56d96d3858969108a8cd6add9d5776) 2023-02-07T22:40:12Z Jung-uk Kim jkim@FreeBSD.org 2023-02-07T19:01:15Z urn:sha1:4f0087aa7c0d7a57c39f7ca8f6c6784ebd5e0b85 (cherry picked from commit eb9b98fb5aea1b20d71b0be948454f472b024da7) 2022-11-18T02:43:54Z Jung-uk Kim jkim@FreeBSD.org 2022-11-01T23:38:40Z urn:sha1:f529bc93a4be0a64ae1d8065300fc8cbe97c7124 (cherry picked from commit 93381ae06bb043a85d6b26459b511ccacc2045e2) 2022-10-26T16:42:37Z Ed Maste emaste@FreeBSD.org 2022-10-19T14:27:11Z urn:sha1:75f9d5c7e36b452f4f76356dfeb8bba51d64e51b Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3) 2022-07-05T16:27:33Z Jung-uk Kim jkim@FreeBSD.org 2022-07-05T16:01:07Z urn:sha1:7b456c97430589df5ebc742a78ecd58e781628bc (cherry picked from commit 25fb2515923796b329329b5c1c17d200ff416e84)