FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3 2025-04-03T04:33:21Z 2025-04-03T04:33:21Z Jose Luis Duran jlduran@FreeBSD.org 2025-03-27T00:19:14Z urn:sha1:bebe2fea194624ce2116eadb48e5b99f29f48a14 Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL 1.1.0), in order to avoid warnings about deprecated functions. Do the same here, to avoid getting those warnings. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49517 (cherry picked from commit d4f438357e90ee1cb12819d092913fdbce813626) 2025-03-25T21:07:59Z Enji Cooper ngie@FreeBSD.org 2025-03-06T18:07:54Z urn:sha1:0d61082e3c64a43f52ec5f1bf3d85671d97d9514 MFC after: 1 week MFC with: 0d0c8621fd181e507f0fb50ffcca606faf66a8c2 Differential Revision: https://reviews.freebsd.org/D49297 (cherry picked from commit d2a55e6a9348bb55038dbc6b727ab041085f22db) 2025-03-20T10:18:27Z Michael Osipov michaelo@FreeBSD.org 2025-03-07T18:58:55Z urn:sha1:7577dae4d67216c602dc11e2388d190a2c9dc9ff Summary: - Seven (7) new roots - Four (4) distrusted roots - Fifteen (15) removed (expired) roots Reviewed by: kevans MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49294 (cherry picked from commit 0100da4deb96e15acf72d7655127c6faafa4148f) 2025-03-15T13:51:24Z Michael Osipov michaelo@FreeBSD.org 2025-02-20T09:48:48Z urn:sha1:4fd560bc94f0f6f070aeab9183c680a796450f22 Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that a CA certificate will be distrusted in the future before its NotAfter time. This means that the CA stops issuing new certificates, but previous ones are still valid, but at most for 398 days after the distrust date. See also: * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 * https://github.com/Lukasa/mkcert/issues/19 * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16 * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c Tested by: michaelo Reviewed by: emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49075 (cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-04-12T13:18:20Z urn:sha1:74776eba28d86b9384faa7fce5a699a73afced99 Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896 (cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-03-02T14:45:23Z urn:sha1:be7b176511003be3d47ae463fd6bea5659446c70 Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409 (cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03) 2025-02-27T19:45:40Z Isaac Freund ifreund@freebsdfoundation.org 2024-12-23T21:54:29Z urn:sha1:f183965bb8f5cf68edbd60a7c39e20ad211d6bd5 Currently, files that belong in the tests package are included in the ssh, bsnmp, and clibs-dev packages: ssh.plist 24:@dir(root,wheel,0755,) /usr/tests/secure/libexec 25:@(root,wheel,0444,) /usr/tests/secure/libexec/Kyuafile bsnmp.plist 82:@dir(root,wheel,0755,) /usr/tests/lib/libbsnmp 83:@(root,wheel,0444,) /usr/tests/lib/libbsnmp/Kyuafile 84:@(root,wheel,0555,) /usr/tests/lib/libbsnmp/bsnmpd_test clibs-dev.plist 2518:@dir(root,wheel,0755,) /usr/tests/lib/csu 2519:@(root,wheel,0444,) /usr/tests/lib/csu/Kyuafile This is caused by the PACKAGE=foo assignment in foo/Makefile.inc which overrides the default PACKAGE?=tests in bsd.test.mk. To fix this, instead use PACKAGE?=foo in foo/Makefile.inc and set PACKAGE=tests in foo/tests/Makefile. PR: 249144 Reviewed by: bapt, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47025 (cherry picked from commit 3a56015a2f5d630910177fa79a522bb95511ccf7) 2025-02-20T17:50:31Z Ed Maste emaste@FreeBSD.org 2025-02-19T19:08:59Z urn:sha1:802386cd37f638eec9606cb10d3dd03c8f1d6c17 Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. New features ------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. Bugfixes -------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505 --- Reviewed by: jlduran (build infrastructure) Reviewed by: cy (build infrastructure) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48947 (cherry picked from commit 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a) Approved by: re (accelerated MFC) 2025-02-20T17:50:11Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:ff2fd01609cc10bcdc87ebe4de42efaf7ffe2ee9 Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC) 2025-02-20T02:31:22Z Ed Maste emaste@FreeBSD.org 2025-02-06T19:21:12Z urn:sha1:8a02eb2c1e4f3847fccf3eb1e7ff914871e35be4 It is used only by scp and sftp, and already included directly in their Makefiles. It does not belong in libssh. Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48871 (cherry picked from commit c0af32952564099fe30a34aeb335f95a6dc811ba)