FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F13.1.0 2022-05-03T20:36:33Z 2022-05-03T20:36:33Z Jung-uk Kim jkim@FreeBSD.org 2022-05-03T19:12:42Z urn:sha1:2b3d81ba7dfea48c4a76d526027d0907eaf19dae Approved by: re (gjb, implicit, security) (cherry picked from commit 9a3583bfbd1740a158b3916432286190e0f2bf60) (cherry picked from commit 225a1494a5538364cddf9080b57d65277c6bfdf4) 2022-03-18T13:49:32Z Jung-uk Kim jkim@FreeBSD.org 2022-03-15T23:35:22Z urn:sha1:e404b2562b1de8503ea2bfc9a1204b3b4c72511f Approved by: re (delphij) (cherry picked from commit 5ac766ab8ec23e780f108b7903d46e553d5e39d1) (cherry picked from commit 97fe61d5bfdee2adc4d6ffb9b65a0cfb5bc5d317) 2022-02-10T00:03:21Z Ed Maste emaste@FreeBSD.org 2021-10-07T03:31:17Z urn:sha1:a613d68fff9af03730e1c18438f85d80649547e4 Description of FIDO/U2F support (from OpenSSH 8.2 release notes, https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509 (cherry picked from commit e9a994639b2af232f994ba2ad23ca45a17718d2b) 2022-02-09T19:53:11Z Ed Maste emaste@FreeBSD.org 2021-09-08T01:05:51Z urn:sha1:317a38ab65334cbd24bd020b20b11041423d142f Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985 (cherry picked from commit 19261079b74319502c6ffa1249920079f0f69a72) (cherry picked from commit f448c3ed4ae1281861913a56377f9d93d49f8e8e) (cherry picked from commit 1f290c707a19d1695c303e6c8ead9cc414ccc6dc) (cherry picked from commit 0f9bafdfc325779e4ecc5154d5bb06c752297138) (cherry picked from commit adb56e58e8db84d8087ebe3d3e7def0074cb5a90) (cherry picked from commit 576b58108c1723c85e4dd00355e29bfe301dab11) (cherry picked from commit 1c99af1ebe61cbaf633792941640dcd254acf921) (cherry picked from commit 87152f34054921632016bc5eb4ab9f836fbaa522) (cherry picked from commit 172fa4aa7577915bf5ace5783251821d3774dc05) 2021-12-29T13:45:29Z Piotr Kubaj pkubaj@FreeBSD.org 2021-11-22T02:28:46Z urn:sha1:ce35a3bc852d25cb989bc1f3dc4ddb723d7d5117 Summary: 1. https://github.com/openssl/openssl/commit/34ab13b7d8e3e723adb60be8142e38b7c9cd382a needs to be merged for ELFv2 support on big-endian. 2. crypto/openssl/crypto/ppccap.c needs to be patched. Same reason as in https://github.com/openssl/openssl/pull/17082. Approved by: jkim, jhibbits, alfredo (MFC to stable/13) MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D33076 (cherry picked from commit 3a60869237b8b315fe66497cf5299ec08b688533) 2021-12-14T22:43:19Z Jung-uk Kim jkim@FreeBSD.org 2021-12-14T21:01:07Z urn:sha1:aeef12228a4574609c37560c3a89f0bc63bee5b8 (cherry picked from commit 754c4757c9cb225c66eb3297f2a8be198786fcc9) 2021-11-08T21:24:09Z Ed Maste emaste@FreeBSD.org 2021-11-02T18:48:33Z urn:sha1:a0880129a545dbb7ff35b456429b12e55146ef5d This moves SSHDIR and ssh_namespace.h handling to a common location, and will simplify future work such as adding U2F support (D32509). Reviewed by: kevans MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32808 (cherry picked from commit 9d63429fa16352f58037ac2aa6ddc734b25e8331) 2021-09-04T07:39:07Z Kyle Evans kevans@FreeBSD.org 2021-03-30T02:56:40Z urn:sha1:62aaa70143a6e2d5ffc0065fa901c598e6cab9b8 This adds a note in all existing certs that they are explicitly trusted for server auth, and also: - Seven (7) added - Nineteen (19) removed (cherry picked from commit 446169e0b6f04b96960540784539c218f5a14c86) (cherry picked from commit 3016c5c2bf68d8c6ebf303939f20092478e7a4ca) (cherry picked from commit fac832b27105d926d9f8728d7147adb547b937d8) (cherry picked from commit 76461921dac18b300489e326ba3df61d2809f364) 2021-09-04T07:38:53Z Kyle Evans kevans@FreeBSD.org 2021-03-30T03:05:38Z urn:sha1:c8c18ce8dacaa5c250fd11740ea2bf7091c9937f Our current processor was identified as trusting cert not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER. Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot. (cherry picked from commit c3510c941c0dddd09389915a9395e6f059088bab) 2021-09-03T17:10:57Z Jung-uk Kim jkim@FreeBSD.org 2021-09-01T04:10:59Z urn:sha1:f7fe1ce49e7ae131de831e5ed211e0fb36c66014 (cherry picked from commit 649ccdd753790069623e192185d133fd26a03bf9)