#
a91a2465 |
|
18-Mar-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.7p1 This release contains mostly bugfixes. It also makes support for the DSA signature algorithm a compile-time option, with plans to disable it upstream later this year and remove support entirely in 2025. Full release notes at https://www.openssh.com/txt/release-9.7 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9ff45b8e |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: do not resolve refused client hostname This is a compromise between POLA and practical reasoning. We don't want to block the main server loop in an attempt to resolve. But we need to keep the format of the logged message as is, for sake of sshguard and other scripts. So let's print just the IP address twice, this is what libwrap's refuse() would do if it failed to resolve. Reviewed by: philip PR: 269456 Differential revision: https://reviews.freebsd.org/D40069 |
#
90f10db8 |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: remove unneeded initialization of libwrap logging severities This part of ca573c9a177 proved to be unnecessary. As the removed comment says, we set them merely for logging syntax errors, as we log refusals ourselves. However, inside the libwrap the parser logs any syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside. Reviewed by: philip, emaste Differential revision: https://reviews.freebsd.org/D40068 |
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
069ac184 |
|
04-Jan-2024 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9ff45b8e |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: do not resolve refused client hostname This is a compromise between POLA and practical reasoning. We don't want to block the main server loop in an attempt to resolve. But we need to keep the format of the logged message as is, for sake of sshguard and other scripts. So let's print just the IP address twice, this is what libwrap's refuse() would do if it failed to resolve. Reviewed by: philip PR: 269456 Differential revision: https://reviews.freebsd.org/D40069 |
#
90f10db8 |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: remove unneeded initialization of libwrap logging severities This part of ca573c9a177 proved to be unnecessary. As the removed comment says, we set them merely for logging syntax errors, as we log refusals ourselves. However, inside the libwrap the parser logs any syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside. Reviewed by: philip, emaste Differential revision: https://reviews.freebsd.org/D40068 |
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
edf85781 |
|
09-Oct-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.5p1 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
9ff45b8e |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: do not resolve refused client hostname This is a compromise between POLA and practical reasoning. We don't want to block the main server loop in an attempt to resolve. But we need to keep the format of the logged message as is, for sake of sshguard and other scripts. So let's print just the IP address twice, this is what libwrap's refuse() would do if it failed to resolve. Reviewed by: philip PR: 269456 Differential revision: https://reviews.freebsd.org/D40069 |
#
90f10db8 |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: remove unneeded initialization of libwrap logging severities This part of ca573c9a177 proved to be unnecessary. As the removed comment says, we set them merely for logging syntax errors, as we log refusals ourselves. However, inside the libwrap the parser logs any syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside. Reviewed by: philip, emaste Differential revision: https://reviews.freebsd.org/D40068 |
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
9ff45b8e |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: do not resolve refused client hostname This is a compromise between POLA and practical reasoning. We don't want to block the main server loop in an attempt to resolve. But we need to keep the format of the logged message as is, for sake of sshguard and other scripts. So let's print just the IP address twice, this is what libwrap's refuse() would do if it failed to resolve. Reviewed by: philip PR: 269456 Differential revision: https://reviews.freebsd.org/D40069
|
#
90f10db8 |
|
20-Jul-2023 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: remove unneeded initialization of libwrap logging severities This part of ca573c9a177 proved to be unnecessary. As the removed comment says, we set them merely for logging syntax errors, as we log refusals ourselves. However, inside the libwrap the parser logs any syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside. Reviewed by: philip, emaste Differential revision: https://reviews.freebsd.org/D40068
|
#
4d3fc8b0 |
|
16-Mar-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.3p1 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
|
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
f374ba41 |
|
06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1 Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
38a52bd3 |
|
19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation |
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
6e24fe61 |
|
23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: use upstream SSH_OPENSSL_VERSION macro With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636cd we replaced WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it to OPENSSL_VERSION_STRING. A few years later OpenSSH made an equivalent change (with a different macro name), in commit 4d94b031ff88. Switch to the macro name they chose. MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
835ee05f |
|
22-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh After we moved to git $FreeBSD$ is no longer expanded and serves no purpose. Remove them from OpenSSH to reduce diffs against upstream. Sponsored by: The FreeBSD Foundation
|
#
613b4b79 |
|
18-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: apply style(9) to version_addendum Reported by: allanjude (in review D29953) Fixes: 462c32cb8d7a ("Upgrade OpenSSH to 6.1p1.") MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
87c1498d |
|
15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
58def461 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update with post-release V_8_9 branch commits MFC after: 1 month Sponsored by: The FreeBSD Foundation
|
#
1323ec57 |
|
13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1 Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
|
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044 |
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation |
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
ca573c9a |
|
02-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
sshd: update the libwrap patch to drop connections early OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014 (f2719b7c in github.com/openssh/openssh-portable) and we maintain the patch ourselves since 2016 (a0ee8cc636cd). Over the years, the libwrap support has deteriotated and probably that was reason for removal upstream. Original idea of libwrap was to drop illegitimate connection as soon as possible, but over the years the code was pushed further down and down and ended in the forked client connection handler. The negative effects of late dropping is increasing attack surface for hosts that are to be dropped anyway. Apart from hypothetical future vulnerabilities in connection handling, today a malicious host listed in /etc/hosts.allow still can trigger sshd to enter connection throttling mode, which is enabled by default (see MaxStartups in sshd_config(5)), effectively casting DoS attack. Note that on OpenBSD this attack isn't possible, since they enable MaxStartups together with UseBlacklist. A only negative effect from early drop, that I can imagine, is that now main listener parses file in /etc, and if our root filesystems goes bad, it would get stuck. But unlikely you'd be able to login in that case anyway. Implementation details: - For brevity we reuse the same struct request_info. This isn't a documented feature of libwrap, but code review, viewing data in a debugger and real life testing shows that if we clear RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended. - We set SO_LINGER on the socket to force immediate connection reset. - We log message exactly as libwrap's refuse() would do. Differential revision: https://reviews.freebsd.org/D33044
|
#
adb56e58 |
|
16-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: use global state for blacklist in grace_alarm_handler Obtained from: security/openssh-portable Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation
|
#
0f9bafdf |
|
13-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: pass ssh context to BLACKLIST_NOTIFY Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1") Sponsored by: The FreeBSD Foundation
|
#
19261079 |
|
07-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
|
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610 |
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation |
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation |
#
2f513db7 |
|
14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1. MFC after: 2 months Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 |
#
2a01feab |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Compatibility with existing OpenSSL versions is maintained. Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Connect libressl-api-compat.c to the build, and regenerate config.h Reviewed by: des Approved by: re (rgrimes) MFC after: 2 seeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17444
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation |
#
190cef3d |
|
10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1. Approved by: re (kib@)
|
#
47dd1d1b |
|
11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
#
4f52dfbb |
|
08-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1. This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11.
|
#
d93a896e |
|
03-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation |
#
ca86bcf2 |
|
05-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
#
076ad2f8 |
|
01-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.3p1.
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051 |
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation |
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915 |
#
acc1a9ef |
|
10-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
#
fc1ba28a |
|
21-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.1p2.
|
#
eccfee6e |
|
20-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.0p1.
|
#
557f75e5 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.9p1.
|
#
bc5531de |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
#
a0ee8cc6 |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed upstream) and a number of security fixes which we had already backported. MFC after: 1 week
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH. |
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option. |
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). |
#
30a03439 |
|
20-Apr-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Apply upstream patch for EC calculation bug and bump version addendum.
|
#
b83788ff |
|
25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
#
f7167e0e |
|
31-Jan-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.5p1.
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius) |
#
e4a9863f |
|
21-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to 6.3p1. Approved by: re (gjb)
|
#
6888a9be |
|
22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support for a key revocation list and more fine-grained authentication control.
|
#
462c32cb |
|
03-Sep-2012 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade OpenSSH to 6.1p1.
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days |
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month |
#
e146993e |
|
05-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1. MFC after: 3 months
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer) |
#
4a421b63 |
|
04-May-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.8p2.
|
#
e2f6069c |
|
11-Nov-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.6p1.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week |
#
b15c8340 |
|
09-Mar-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.4p1. MFC after: 1 month
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'. |
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month |
#
7aee6ffe |
|
01-Oct-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.3p1.
|
#
cce7d346 |
|
22-May-2009 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.2p1. MFC after: 3 months
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week |
#
d4af9e69 |
|
31-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.1p1. I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
|
#
e3ae3b09 |
|
22-Jul-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Properly flatten openssh/dist. |
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1. |
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility. |
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week |
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1. |
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. |
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1. |
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) |
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1. |
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1. |
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1. |
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts |
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1. |
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1. |
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1. |
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no |
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2. |
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb) |
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1. |
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days |
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. |
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1. |
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs |
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1. |
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline. |
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1. |
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs |
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3. |
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts. |
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1 |
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm |
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org> |
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9. |
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson |
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504 |
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson |
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users. |
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN. |
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org> |
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release). |
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities. |
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff. |
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green |
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09 |
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :) |
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit. |
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org> |
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts |
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD |
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien |
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD. |
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1. |
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts. |
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25 |
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly. |
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh |
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov |
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :( |
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*) |
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH. |
#
a62dc346 |
|
12-Feb-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: remove ssh-hpn leftovers This was introduced in 8998619212f3a, and left behind when the hpn-ssh patches were removed in 60c59fad8806. Although Being able to log SO_RCVBUF in debug mode might have some small value on its own, it's not worth carrying an extra diff against upstream. Reviewed by: kevans MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28610
|
#
ea64ebd0 |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay, part 2 This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. This should have been part of r363225. Obtained from: OpenSSH-portable a65784c9f9c5 MFC with: r363225 Sponsored by: The FreeBSD Foundation
|
#
6471c6bd |
|
15-Jul-2020 |
Ed Maste <emaste@FreeBSD.org> |
openssh: refer to OpenSSL not SSLeay This change was made upstream between 7.9p1 and 8.0p1. We've made local changes in the same places for handling the version_addendum; apply the SSLeay_version to OpenSSL_version change in advance of importing 8.0p1. Obtained from: OpenSSH-portable a65784c9f9c5 Sponsored by: The FreeBSD Foundation
|
#
fc3c19a9 |
|
06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128
|
#
3e058dbd |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: cherry-pick OpenSSL 1.1.1 compatibility Upstream commits: 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x 48f54b9d12 adapt -portable to OpenSSL 1.1x API 86e0a9f3d2 upstream: use only openssl-1.1.x API here too a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl. Trivial conflicts in sshkey.c and test_sshkey.c were resolved. Sponsored by: The FreeBSD Foundation
|
#
c6de6086 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OepnsSL 1.1.1 Reviewed by: des Approved by: re (gjb) MFC after: 1 week Sponsored by: The FreeBSD Foundation
|
#
5d5f8b31 |
|
19-Sep-2018 |
Ed Maste <emaste@FreeBSD.org> |
openssh: rename local macro to avoid OpenSSL 1.1.1 conflict Local changes introduced an OPENSSH_VERSION macro, but this conflicts with a macro of the same name introduced with OpenSSL 1.1.1.
|
#
342b8b88 |
|
12-May-2017 |
Kurt Lidl <lidl@FreeBSD.org> |
Refine and update blacklist support in sshd Adjust notification points slightly to catch all auth failures, rather than just the ones caused by bad usernames. Modify notification point for bad usernames to send new type of BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.) Add guards to allow library headers to expose the enum of action values. Reviewed by: des Approved by: des Sponsored by: The FreeBSD Foundation
|
#
b2af61ec |
|
30-Aug-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add refactored blacklist support to sshd Change the calls to of blacklist_init() and blacklist_notify to be macros defined in the blacklist_client.h file. This avoids the need for #ifdef USE_BLACKLIST / #endif except in the blacklist.c file. Remove redundent initialization attempts from within blacklist_notify - everything always goes through blacklistd_init(). Added UseBlacklist option to sshd, which defaults to off. To enable the functionality, use '-o UseBlacklist=yes' on the command line, or uncomment in the sshd_config file. Reviewed by: des Approved by: des MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D7051
|
#
faebc97a |
|
24-Jun-2016 |
Glen Barber <gjb@FreeBSD.org> |
Revert r301551, which added blacklistd(8) to sshd(8). This change has functional impact, and other concerns raised by the OpenSSH maintainer. Requested by: des PR: 210479 (related) Approved by: re (marius) Sponsored by: The FreeBSD Foundation
|
#
c0cc3641 |
|
07-Jun-2016 |
Kurt Lidl <lidl@FreeBSD.org> |
Add blacklist support to sshd Reviewed by: rpaulo Approved by: rpaulo (earlier version of changes) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5915
|
#
60c59fad |
|
19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
As previously threatened, remove the HPN patch from OpenSSH.
|
#
1765946b |
|
22-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the NONE cipher option.
|
#
5bec830e |
|
11-Nov-2015 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$").
|
#
0085282b |
|
23-Sep-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius)
|
#
8c0260d6 |
|
27-May-2012 |
Eygene Ryabinkin <rea@FreeBSD.org> |
OpenSSH: allow VersionAddendum to be used again Prior to this, setting VersionAddendum will be a no-op: one will always have BASE_VERSION + " " + VERSION_HPN for VersionAddendum set in the config and a bare BASE_VERSION + VERSION_HPN when there is no VersionAddendum is set. HPN patch requires both parties to have the "hpn" inside their advertized versions, so we add VERSION_HPN to the VERSION_BASE if HPN is enabled and omitting it if HPN is disabled. VersionAddendum now uses the following logics: * unset (default value): append " " and VERSION_ADDENDUM; * VersionAddendum is set and isn't empty: append " " and VersionAddendum; * VersionAddendum is set and empty: don't append anything. Approved by: des Reviewed by: bz MFC after: 3 days
|
#
35762f59 |
|
13-Feb-2012 |
Ed Schouten <ed@FreeBSD.org> |
Polish diff against upstream. - Revert unneeded whitespace changes. - Revert modifications to loginrec.c, as the upstream version already does the right thing. - Fix indentation and whitespace of local changes. Approved by: des MFC after: 1 month
|
#
89986192 |
|
03-Aug-2011 |
Brooks Davis <brooks@FreeBSD.org> |
Add support for dynamically adjusted buffers to allow the full use of the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer)
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
124981e1 |
|
21-Apr-2010 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
MFH OpenSSH 5.4p1
|
#
eada7f55 |
|
15-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
MFC r206397: Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd.
|
#
412ea5c6 |
|
07-Apr-2010 |
Konstantin Belousov <kib@FreeBSD.org> |
Enhance r199804 by marking the daemonised child as immune to OOM instead of short-living parent. Only mark the master process that accepts connections, do not protect connection handlers spawned from inetd. Submitted by: Mykola Dzham <i levsha me> Reviewed by: attilio MFC after: 1 week
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
b40cdde6 |
|
13-Jan-2010 |
Ed Schouten <ed@FreeBSD.org> |
Make OpenSSH work with utmpx. - Partially revert r184122 (sshd.c). Our ut_host is now big enough to fit proper hostnames. - Change config.h to match reality. - defines.h requires UTMPX_FILE to be set by <utmpx.h> before it allows the utmpx code to work. This makes no sense to me. I've already mentioned this upstream. - Add our own platform-specific handling of lastlog. The version I will send to the OpenSSH folks will use proper autoconf generated definitions instead of `#if 1'.
|
#
acd3c015 |
|
19-Dec-2009 |
Attilio Rao <attilio@FreeBSD.org> |
MFC r199804: Avoid sshd, crond, inetd and syslogd to be killed in an high-pressure swapping environment. Sponsored by: Sandvine Incorporated
|
#
7a7043c7 |
|
25-Nov-2009 |
Attilio Rao <attilio@FreeBSD.org> |
Avoid sshd, cron, syslogd and inetd to be killed under high-pressure swap environments. Please note that this can't be done while such processes run in jails. Note: in future it would be interesting to find a way to do that selectively for any desired proccess (choosen by user himself), probabilly via a ptrace interface or whatever. Obtained from: Sandvine Incorporated Reviewed by: emaste, arch@ Sponsored by: Sandvine Incorporated MFC: 1 month
|
#
0aeb000d |
|
21-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
At some point, construct_utmp() was changed to use realhostname() to fill in the struct utmp due to concerns about the length of the hostname buffer. However, this breaks the UseDNS option. There is a simpler and better solution: initialize utmp_len to the correct value (UT_HOSTSIZE instead of MAXHOSTNAMELEN) and let get_remote_name_or_ip() worry about the size of the buffer. PR: bin/97499 Submitted by: Bruce Cran <bruce@cran.org.uk> MFC after: 1 week
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
62efe23a |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
92eb0aa1 |
|
10-Nov-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.5p1.
|
#
497e3d52 |
|
03-Oct-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Tweak ifdefs for backward compatibility.
|
#
333ee039 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts. MFC after: 1 week
|
#
761efaa7 |
|
30-Sep-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.4p1.
|
#
b74df5b2 |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Merge conflicts.
|
#
021d409f |
|
22-Mar-2006 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.3p1.
|
#
c0b9f4fe |
|
29-Dec-2005 |
Doug Rabson <dfr@FreeBSD.org> |
Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
|
#
d4ecd108 |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
043840df |
|
03-Sep-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.2p1.
|
#
aa49c926 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
4518870c |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.1p1.
|
#
5e8dbd04 |
|
05-Jun-2005 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 4.0p1.
|
#
21e764df |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts
|
#
d74d50a8 |
|
28-Oct-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.9p1.
|
#
5962c0e9 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
52028650 |
|
20-Apr-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8.1p1.
|
#
1ec0d754 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
efcad6b7 |
|
26-Feb-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.8p1.
|
#
cf2b5f3b |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts and remove obsolete files. Sponsored by: registrar.no
|
#
d95e11bf |
|
07-Jan-2004 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.7.1p2.
|
#
da05574c |
|
28-May-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix off-by-one and initialization errors which prevented sshd from restarting when sent a SIGHUP. Submitted by: tegge Approved by: re (jhb)
|
#
e73e9afa |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
d0c8c0bc |
|
23-Apr-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.6.1p1.
|
#
84860c33 |
|
22-Jan-2003 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Force early initialization of the resolver library, since the resolver configuration files will no longer be available once sshd is chrooted. PR: 39953, 40894 Submitted by: dinoex MFC after: 3 days
|
#
f388f5ef |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts.
|
#
4b17dab0 |
|
29-Oct-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH-portable 3.5p1.
|
#
a82e551f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Sponsored by: DARPA, NAI Labs
|
#
ee21a45f |
|
29-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.4p1.
|
#
989dd127 |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forcibly revert to mainline.
|
#
83d2307d |
|
27-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3p1.
|
#
80628bac |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Resolve conflicts. Known issues: - sshd fails to set TERM correctly. - privilege separation may break PAM and is currently turned off. - man pages have not yet been updated I will have these issues resolved, and privilege separation turned on by default, in time for DP2. Sponsored by: DARPA, NAI Labs
|
#
545d5eca |
|
23-Jun-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.3.
|
#
af12a3e7 |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix conflicts.
|
#
ae1f160d |
|
18-Mar-2002 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Vendor import of OpenSSH 3.1
|
#
fd4ca9e0 |
|
23-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
Make libssh.so useable (undefined reference to IPv4or6). Reviewed by: des, markm Approved by: markm
|
#
1f131ac4 |
|
04-Sep-2001 |
Assar Westerlund <assar@FreeBSD.org> |
fix renamed options in some of the code that was #ifdef AFS also print an error if krb5 ticket passing is disabled Submitted by: Jonathan Chen <jon@spock.org>
|
#
ca3176e7 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix conflicts for OpenSSH 2.9.
|
#
1e8db6e2 |
|
03-May-2001 |
Brian Feldman <green@FreeBSD.org> |
Say "hi" to the latest in the OpenSSH series, version 2.9! Happy birthday to: rwatson
|
#
cb96ab36 |
|
03-Mar-2001 |
Assar Westerlund <assar@FreeBSD.org> |
Add code for being compatible with ssh.com's krb5 authentication. It is done by using the same ssh messages for v4 and v5 authentication (since the ssh.com does not now anything about v4) and looking at the contents after unpacking it to see if it is v4 or v5. Based on code from Björn Grönvall <bg@sics.se> PR: misc/20504
|
#
a09221f8 |
|
11-Feb-2001 |
Kris Kennaway <kris@FreeBSD.org> |
Patches backported from later development version of OpenSSH which prevent (instead of just mitigating through connection limits) the Bleichenbacher attack which can lead to guessing of the server key (not host key) by regenerating it when an RSA failure is detected. Reviewed by: rwatson
|
#
ea018703 |
|
13-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
/Really/ deprecate ConnectionsPerPeriod, ripping out the code for it and giving a dire error to its lingering users.
|
#
39567f8c |
|
06-Jan-2001 |
Brian Feldman <green@FreeBSD.org> |
Fix a long-standing bug that resulted in a dropped session sometimes when an X11-forwarded client was closed. For some reason, sshd didn't disable the SIGPIPE exit handler and died a horrible death (well, okay, a silent death really). Set SIGPIPE's handler to SIG_IGN.
|
#
09958426 |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Update to OpenSSH 2.3.0 with FreeBSD modifications. OpenSSH 2.3.0 new features description elided in favor of checking out their website. Important new FreeBSD-version stuff: PAM support has been worked in, partially from the "Unix" OpenSSH version, and a lot due to the work of Eivind Eklend, too. This requires at least the following in pam.conf: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so Parts by: Eivind Eklend <eivind@FreeBSD.org>
|
#
5b9b2faf |
|
04-Dec-2000 |
Brian Feldman <green@FreeBSD.org> |
Import of OpenSSH 2.3.0 (virgin OpenBSD source release).
|
#
4a950c22 |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a few style oddities.
|
#
dd5f9dff |
|
10-Sep-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a goof in timevaldiff.
|
#
c2d3a559 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for OpenSSH 2.2.0 Reviewed by: gshapiro, peter, green
|
#
b66f2d16 |
|
10-Sep-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09
|
#
c8ef594c |
|
04-Jul-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow restarting on SIGHUP when the full path was not given as argv[0]. We do have /proc/curproc/file :)
|
#
c342fc93 |
|
26-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Also make sure to close the socket that exceeds your rate limit.
|
#
7e03cf33 |
|
25-Jun-2000 |
Brian Feldman <green@FreeBSD.org> |
Make rate limiting work per-listening-socket. Log better messages than before for this, requiring a new function (get_ipaddr()). canohost.c receives a $FreeBSD$ line. Suggested by: Niels Provos <niels@OpenBSD.org>
|
#
c322fe35 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts
|
#
2632b0c8 |
|
03-Jun-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH snapshot from 2000/05/30 Obtained from: OpenBSD
|
#
b787acb5 |
|
17-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Unbreak Kerberos5 compilation. This still remains untested. Noticed by: obrien
|
#
e8aafc91 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts and update for FreeBSD.
|
#
a04a10f8 |
|
14-May-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Initial import of OpenSSH v2.1.
|
#
3c6ae118 |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Resolve conflicts.
|
#
a8f6863a |
|
26-Mar-2000 |
Kris Kennaway <kris@FreeBSD.org> |
Virgin import of OpenSSH sources dated 2000/03/25
|
#
c59bf099 |
|
09-Mar-2000 |
Mark Murray <markm@FreeBSD.org> |
Make LOGIN_CAP work properly.
|
#
e51ec40e |
|
29-Feb-2000 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Enable connection logging. FreeBSD's libwrap is IPv6 ready. OpenSSH is in our source tree, now. It's a time to enable it. Reviewed by: markm, shin Approved by: jkh
|
#
fe5fd017 |
|
28-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
1) Add kerberos5 functionality. by Daniel Kouril <kouril@informatics.muni.cz> 2) Add full LOGIN_CAP capability by Andrey Chernov
|
#
82610343 |
|
24-Feb-2000 |
Brian Feldman <green@FreeBSD.org> |
Fix a bug that crawled in pretty recently (from the port). It made sshd coredump :(
|
#
42f71286 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Add the patches fom ports (QV: ports/security/openssh/patches/patch-*)
|
#
511b41d2 |
|
24-Feb-2000 |
Mark Murray <markm@FreeBSD.org> |
Vendor import of OpenSSH.
|