src/secure/libexec/sshd-session/Makefile, branch stable/14 FreeBSD source tree OpenSSH: Update to 10.0p2 2026-01-20T19:41:59+00:00 Ed Maste emaste@FreeBSD.org 2025-08-01T15:56:45+00:00 7ca599aa613955a939284292f0993b59b0d9fef3 Full release notes are available at https://www.openssh.com/txt/release-10.0 Selected highlights from the release notes: Potentially-incompatible changes - This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.] - This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this. - sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Security - sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.] New features - ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D51630 (cherry picked from commit 8e28d84935f2f0ee081d44f9803f3052b960e50b) (cherry picked from commit e600fc7295a7082041388113a5d677f6c4cf7ce7) 
Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release removes support for the weak DSA signature algorithm.
  [This change was previously merged to FreeBSD main.]

- This release has the version number 10.0 and announces itself as
  "SSH-2.0-OpenSSH_10.0".  Software that naively matches versions using
  patterns like "OpenSSH_1*" may be confused by this.

- sshd(8): this release removes the code responsible for the user
  authentication phase of the protocol from the per-connection
  sshd-session binary to a new sshd-auth binary.

Security

- sshd(8): fix the DisableForwarding directive, which was failing to
  disable X11 forwarding and agent forwarding as documented.
  [This change was previously merged to FreeBSD main.]

New features

- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
  used by default for key agreement.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630

(cherry picked from commit 8e28d84935f2f0ee081d44f9803f3052b960e50b)
(cherry picked from commit e600fc7295a7082041388113a5d677f6c4cf7ce7)
ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk 2025-03-11T14:39:36+00:00 Ed Maste emaste@FreeBSD.org 2022-04-12T13:18:20+00:00 74776eba28d86b9384faa7fce5a699a73afced99 Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896 (cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e) 
Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F.  Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.

Reviewed by:	kevans
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31896

(cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e)
ssh: tidy include handling 2025-03-11T14:39:36+00:00 Ed Maste emaste@FreeBSD.org 2022-03-02T14:45:23+00:00 be7b176511003be3d47ae463fd6bea5659446c70 Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409 (cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03) 
Centralize optional krb5_config.h handling in ssh.mk.  Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by:	imp, jlduran, kevans (all earlier)
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34409

(cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03)
openssh: Update to 9.8p1 2025-02-20T17:50:11+00:00 Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44+00:00 ff2fd01609cc10bcdc87ebe4de42efaf7ffe2ee9 Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC) 
Highlights from the release notes are reproduced below.  Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).

---

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.

Potentially-incompatible changes
--------------------------------

 * sshd(8): the server will now block client addresses that
   repeatedly fail authentication, repeatedly connect without ever
   completing authentication or that crash the server. See the
   discussion of PerSourcePenalties below for more information.
   Operators of servers that accept connections from many users, or
   servers that accept connections from addresses behind NAT or
   proxies may need to consider these settings.

 * sshd(8): the server has been split into a listener binary, sshd(8),
   and a per-session binary "sshd-session". This allows for a much
   smaller listener binary, as it no longer needs to support the SSH
   protocol. As part of this work, support for disabling privilege
   separation (which previously required code changes to disable) and
   disabling re-execution of sshd(8) has been removed. Further
   separation of sshd-session into additional, minimal binaries is
   planned for the future.

 * sshd(8): several log messages have changed. In particular, some
   log messages will be tagged with as originating from a process
   named "sshd-session" rather than "sshd".

 * ssh-keyscan(1): this tool previously emitted comment lines
   containing the hostname and SSH protocol banner to standard error.
   This release now emits them to standard output, but adds a new
   "-q" flag to silence them altogether.

 * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
   as the PAM service name. A new "PAMServiceName" sshd_config(5)
   directive allows selecting the service name at runtime. This
   defaults to "sshd". bz2101

New features
------------

 * sshd(8): sshd(8) will now penalise client addresses that, for various
   reasons, do not successfully complete authentication. This feature is
   controlled by a new sshd_config(5) PerSourcePenalties option and is
   on by default.

 * ssh(8): allow the HostkeyAlgorithms directive to disable the
   implicit fallback from certificate host key to plain host keys.

Portability
-----------

 * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
   unconditionally. The previous behaviour was to expose it only when
   particular authentication methods were in use.

 * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
   environment variable to enable SSH_ASKPASS, similarly to the X11
   DISPLAY environment variable. GHPR479

---

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914

(cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e)
(cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3)
(cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb)
(cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395)

Approved by:	re (accelerated MFC)