| Commit message (Collapse) | Author | Age | Files | Lines |
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
already been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.
New features
------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.
* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path@openssh.com", but some other
clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private keys are hosted in an agent; bz3429
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3)
(cherry picked from commit ac5c465b9fdff74d1a73f63d157820887ff1787f)
(cherry picked from commit 4aee71578a60981de9296451b7a995b180ae23db)
Approved by: re (gjb)
|
(cherry picked from commit 25fb2515923796b329329b5c1c17d200ff416e84)
|
(cherry picked from commit 5ac766ab8ec23e780f108b7903d46e553d5e39d1)
(cherry picked from commit 97fe61d5bfdee2adc4d6ffb9b65a0cfb5bc5d317)
|
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
(cherry picked from commit 19261079b74319502c6ffa1249920079f0f69a72)
(cherry picked from commit f448c3ed4ae1281861913a56377f9d93d49f8e8e)
(cherry picked from commit 1f290c707a19d1695c303e6c8ead9cc414ccc6dc)
(cherry picked from commit 0f9bafdfc325779e4ecc5154d5bb06c752297138)
(cherry picked from commit adb56e58e8db84d8087ebe3d3e7def0074cb5a90)
(cherry picked from commit 576b58108c1723c85e4dd00355e29bfe301dab11)
(cherry picked from commit 1c99af1ebe61cbaf633792941640dcd254acf921)
(cherry picked from commit 87152f34054921632016bc5eb4ab9f836fbaa522)
(cherry picked from commit 172fa4aa7577915bf5ace5783251821d3774dc05)
(cherry picked from commit 317a38ab65334cbd24bd020b20b11041423d142f)
|
This reverts commit 77c2fe20df6a9a7c1a353e1a4ab2ba80fefab881.
The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.
[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470
PR: 234426
Discussed with: yuripv
Approved by: des
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
(cherry picked from commit d55bf492f8f587e4a99f4dcb39a96159b4431782)
(cherry picked from commit 6fd4891545c2a6d06dbc1927b2e0b375cd2b0b17)
|
This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).
Reviewed by: kevans
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32808
(cherry picked from commit 9d63429fa16352f58037ac2aa6ddc734b25e8331)
|
(cherry picked from commit 7595394130a163b7ff53d9ef3f28fcb87f629d17)
|
Note this is a direct commit because assembly code was moved to a new place
on head.
Notes:
svn path=/stable/12/; revision=368639
|
Merge OpenSSL 1.1.1h.
Notes:
svn path=/stable/12/; revision=366176
|
Merge OpenSSL 1.1.1g.
Notes:
svn path=/stable/12/; revision=360278
|
Merge OpenSSL 1.1.1f.
PR: 245073
Notes:
svn path=/stable/12/; revision=359607
|
Merge OpenSSL 1.1.1e.
Notes:
svn path=/stable/12/; revision=359186
|
Submitted by: yuripv
Notes:
svn path=/stable/12/; revision=358773
|
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend
DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options
See share/mk/dirdeps-options.mk
Also update affected Makefile.depend files.
MFC of r355616 and r355617
Reviewed by: bdrewery
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D22469
Notes:
svn path=/stable/12/; revision=355906
|
Merge OpenSSL 1.1.1d.
Notes:
svn path=/stable/12/; revision=352192
|
Merge OpenSSL 1.1.1c.
Notes:
svn path=/stable/12/; revision=348341
|
Merge OpenSSL 1.1.1b.
Notes:
svn path=/stable/12/; revision=344603
|
Merge OpenSSL 1.1.1a.
Notes:
svn path=/stable/12/; revision=340705
|
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/projects/openssl111/; revision=339201
|
This leverages CONFS to do the install
Approved by: re (pkgbase, blanket), bapt (mentor)
Differential Revision: https://reviews.freebsd.org/D17245
Notes:
svn path=/head/; revision=338825
|
It can't be right. :-(
Notes:
svn path=/projects/openssl111/; revision=338936
|
Notes:
svn path=/projects/openssl111/; revision=338933
|
libcrypto is linked with pthread since r338816.
Notes:
svn path=/projects/openssl111/; revision=338848
|
Notes:
svn path=/projects/openssl111/; revision=338768
|
Note the manual pages are not automatically generated for now.
Notes:
svn path=/projects/openssl111/; revision=338671
|
This helps with pkgbase by using CONFS and tagging these as config files.
Approved by: allanjude (mentor), des
Differential Revision: https://reviews.freebsd.org/D16678
Notes:
svn path=/head/; revision=337852
|
Notes:
svn path=/head/; revision=337791
|
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
Notes:
svn path=/head/; revision=333389
|
Notes:
svn path=/head/; revision=331627
|
MFC after: 3 days
Notes:
svn path=/head/; revision=329024
|
Notes:
svn path=/head/; revision=326662
|
Notes:
svn path=/head/; revision=325328
|
Sponsored by: Dell EMC Isilon
Notes:
svn path=/head/; revision=325188
|
directories to SUBDIR.${MK_TESTS} idiom
This is being done to pave the way for future work (and homogeneity) in
^/projects/make-check-sandbox .
No functional change intended.
MFC after: 1 week
Notes:
svn path=/head/; revision=321912
|
Notes:
svn path=/head/; revision=318899
|
The use of DES for anything is discouraged, especially with a static IV of 0.
If you still need bdes(1) to decrypt Kirk's video lectures, see
security/bdes in ports.
This commit brought to you by the FOSDEM DevSummit and the
"remove unneeded dependencies on openssl in base" working group
Reviewed by: bapt, brnrd
Relnotes: yes
Sponsored by: FOSDEM DevSummit
Differential Revision: https://reviews.freebsd.org/D9424
Notes:
svn path=/head/; revision=313329
|
Notes:
svn path=/head/; revision=312825
|
MK_KERBEROS_SUPPORT != no
This fixes the odd case where someone specified MK_GSSAPI=no and
MK_KERBEROS_SUPPORT=yes (which admittedly, probably doesn't make sense,
but the build system doesn't prevent this case today, and it didn't when
I filed the bug back in 2011 either).
MFC after: 2 weeks
PR: 159745
Notes:
svn path=/head/; revision=311140
|
Notes:
svn path=/head/; revision=306342
|
Notes:
svn path=/head/; revision=306193
|
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=305146
|
after r298107
Summary of changes:
- Replace all instances of FILES/TESTS with ${PACKAGE}FILES. This ensures that
namespacing is kept with FILES appropriately, and that this shouldn't need
to be repeated if the namespace changes -- only the definition of PACKAGE
needs to be changed
- Allow PACKAGE to be overridden by callers instead of forcing it to always be
`tests`. In the event we get to the point where things can be split up
enough in the base system, it would make more sense to group the tests
with the blocks they're a part of, e.g. byacc with byacc-tests, etc
- Remove PACKAGE definitions where possible, i.e. where FILES wasn't used
previously.
- Remove unnecessary TESTSPACKAGE definitions; this has been elided into
bsd.tests.mk
- Remove unnecessary BINDIRs used previously with ${PACKAGE}FILES;
${PACKAGE}FILESDIR is now automatically defined in bsd.test.mk.
- Fix installation of files under data/ subdirectories in lib/libc/tests/hash
and lib/libc/tests/net/getaddrinfo
- Remove unnecessary .include <bsd.own.mk>s (some opportunistic cleanup)
Document the proposed changes in share/examples/tests/tests/... via examples
so it's clear that ${PACKAGES}FILES is the suggested way forward in terms of
replacing FILES. share/mk/bsd.README didn't seem like the appropriate method
of communicating that info.
MFC after: never probably
X-MFC with: r298107
PR: 209114
Relnotes: yes
Tested with: buildworld, installworld, checkworld; buildworld, packageworld
Sponsored by: EMC / Isilon Storage Division
Notes:
svn path=/head/; revision=299094
|
Relnotes: yes
Notes:
svn path=/head/; revision=298998
|
Fix a related typo while here.
Note, this change results in the Kyuafile inclusion in the runtime
package, which needs to be fixed, however addresses the PR as far
as I can tell in my tests.
PR: 209114
Submitted by: ngie
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/head/; revision=298768
|
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/projects/release-pkg/; revision=296869
|