Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFH (r264691): merge upstream patch for EC calculation bug

MFH (r263712): upgrade openssh to 6.6p1
MFH (r264308): restore p level in debugging output

MFH (r261320): upgrade openssh to 6.5p1
MFH (r261340): enable sandboxing by default

MFH (r257954): upgrade to OpenSSH 6.4p1

Approved by: re (kib)

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Upgrade to 6.3p1.

Approved by: re (gjb)

r251088 reverted the default value for UsePrivilegeSeparation from
"sandbox" to "yes", but did not update the documentation to match.

Upgrade to OpenSSH 6.2p2. Mostly a no-op since I had already patched
the issues that affected us.

Upgrade to OpenSSH 6.2p1. The most important new features are support
for a key revocation list and more fine-grained authentication control.

Keep the default AuthorizedKeysFile setting. Although authorized_keys2
has been deprecated for a while, some people still use it and were
unpleasantly surprised by this change.

I may revert this commit at a later date if I can come up with a way
to give users who still have authorized_keys2 files sufficient advance
warning.

MFC after: ASAP

Upgrade OpenSSH to 6.1p1.

Upgrade to OpenSSH 5.9p1.

MFC after: 3 months

Add support for dynamically adjusted buffers to allow the full use of
the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or
trans-continental links). Bandwidth-delay products up to 64MB are
supported.

Also add support (not compiled by default) for the None cypher. The
None cypher can only be enabled on non-interactive sessions (those
without a pty where -T was not used) and must be enabled in both
the client and server configuration files and on the client command
line. Additionally, the None cypher will only be activated after
authentication is complete. To enable the None cypher you must add
-DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in
/etc/make.conf.

This code is a style(9) compliant version of these features extracted
from the patches published at:

http://www.psc.edu/networking/projects/hpn-ssh/

Merging this patch has been a collaboration between me and Bjoern.

Reviewed by: bz
Approved by: re (kib), des (maintainer)

Upgrade to OpenSSH 5.8p2.

Upgrade to OpenSSH 5.6p1.

Upgrade to OpenSSH 5.5p1.

Upgrade to OpenSSH 5.4p1.

MFC after: 1 month

Remove dupe.

Upgrade to OpenSSH 5.3p1.

Upgrade to OpenSSH 5.2p1.

MFC after: 3 months

Upgrade to OpenSSH 5.1p1.

I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.

MFC after: 6 weeks

Consistently set svn:eol-style.

Resolve conflicts.

Bump version addendum.

MFC after: 1 week

Merge conflicts.

MFC after: 1 week

Merge conflicts.

Resolve conflicts.

Resolve conflicts.

Resolve conflicts

Adjust version number and addendum.

Correctly document the default value of UsePAM.

Update VersionAddendum in config files and man pages.

Resolve conflicts.

Pull asbesthos underpants on and disable protocol version 1 by default.

Turn non-PAM password authentication off by default when USE_PAM is
defined. Too many users are getting bitten by it.

Resolve conflicts and remove obsolete files.

Sponsored by: registrar.no

Update version string.

Resolve conflicts.

document the current default value for VersionAddendum.

Document the current default value for VersionAddendum.

Resolve conflicts.

FreeBSD doesn't use the host RSA key by default.

Reviewed by: des

Two FreeBSD-specific nits in comments:
- ChallengeResponseAuthentication controls PAM, not S/Key
- We don't honor PAMAuthenticationViaKbdInt, because the code path it
controls doesn't make sense for us, so don't mention it.

Sponsored by: DARPA, NAI Labs

Forgot to update the addendum in the config files.

Document FreeBSD defaults.

Sponsored by: DARPA, NAI Labs

Forcibly revert to mainline.

Resolve conflicts. Known issues:

- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated

I will have these issues resolved, and privilege separation turned on by
default, in time for DP2.

Sponsored by: DARPA, NAI Labs

Usual after-import fixup of SCM IDs.

Back out previous commit.

Change default challenge/response behavior of sshd by popular demand.
This brings us into sync with the behavior of sshd on other Unix platforms.

Submitted by: Joshua Goodall <joshua@roughtrade.net>

Change the FreeBSD version addendum to "FreeBSD-20020402". This shortens
the version string to 28 characters, which is below the 40-character limit
specified in the proposed SECSH standard. Some servers, however (like the
one built into the Foundry BigIron line of switches) will hang when
confronted with a version string longer than 24 characters, so some users
may need to shorten it further.

Sponsored by: DARPA, NAI Labs

Fix conflicts.

Restore the RSA host key to /etc/ssh/ssh_host_key.
Also fix $FreeBSD$ spamage in crypto/openssh/sshd_config rev. 1.16.

sshd_config should still be keeping ssh host keys in /etc/ssh, not /etc.

Fix conflicts for OpenSSH 2.9.

/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it
and giving a dire error to its lingering users.

Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0
new features description elided in favor of checking out their
website.

Important new FreeBSD-version stuff: PAM support has been worked
in, partially from the "Unix" OpenSSH version, and a lot due to the
work of Eivind Eklend, too.

This requires at least the following in pam.conf:

sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so

Parts by: Eivind Eklend <eivind@FreeBSD.org>

Resolve conflicts and update for OpenSSH 2.2.0

Reviewed by: gshapiro, peter, green

Turn on X11Forwarding by default on the server. Any risk is to the client,
where it is already disabled by default.

Reminded by: peter

Increase the default value of LoginGraceTime from 60 seconds to 120
seconds.

PR: 20488
Submitted by: rwatson

Forced commit. This is to try and help folks that used the international
crypto repo and have slightly different files but with the same version.
cvsup in 'checkout mode' has no trouble with this, but cvs can get really
silly about it.

Turn on CheckMail to be more login-compatible by default

Correct two stupid typos in the DSA key location.

Submitted by: Udo Schweigert <ust@cert.siemens.de>

Create a DSA host key if one does not already exist, and teach sshd_config
about it.

Resolve conflicts and update for FreeBSD.

oops, update path to /etc/ssh/ssh_host_key

remove ports junk

Add the patches fom ports (QV: ports/security/openssh/patches/patch-*)

This commit was generated by cvs2svn to compensate for changes in r57429,
which included commits to RCS files with non-trunk default branches.

Vendor import of OpenSSH.