<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/secure/libexec, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>OpenSSH: Update to 10.3p1</title>
<updated>2026-05-14T18:59:30+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-14T18:59:30+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=2574974648c68c738aec3ff96644d888d7913a37'/>
<id>2574974648c68c738aec3ff96644d888d7913a37</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.3

Selected highlights from the release notes:

 * ssh(1), sshd(8): remove bug compatibility for implementations
   that don't support rekeying. If such an implementation tries to
   interoperate with OpenSSH, it will now eventually fail when the
   transport needs rekeying.

 * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
   forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
   names is advertised via the EXT_INFO message. If a server offers
   support for the new names, then they are used preferentially.

 * ssh(1): add a ~I escape option that shows information about the
   current SSH connection.

 * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
   applied to login attempts for usernames that do not match real
   accounts. Defaults to 5s to match 'authfail' but allows
   administrators to block such attempts for longer if desired.

 * Support the ed25519 signature scheme via libcrypto.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56999
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Full release notes are available at
https://www.openssh.com/txt/release-10.3

Selected highlights from the release notes:

 * ssh(1), sshd(8): remove bug compatibility for implementations
   that don't support rekeying. If such an implementation tries to
   interoperate with OpenSSH, it will now eventually fail when the
   transport needs rekeying.

 * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
   forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
   names is advertised via the EXT_INFO message. If a server offers
   support for the new names, then they are used preferentially.

 * ssh(1): add a ~I escape option that shows information about the
   current SSH connection.

 * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
   applied to login attempts for usernames that do not match real
   accounts. Defaults to 5s to match 'authfail' but allows
   administrators to block such attempts for longer if desired.

 * Support the ed25519 signature scheme via libcrypto.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56999
</pre>
</div>
</content>
</entry>
<entry>
<title>blocklist: Rename blacklist to blocklist</title>
<updated>2025-10-12T17:14:27+00:00</updated>
<author>
<name>Jose Luis Duran</name>
<email>jlduran@FreeBSD.org</email>
</author>
<published>2025-10-12T17:14:27+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=7238317403b95a8e35cf0bc7cd66fbd78ecbe521'/>
<id>7238317403b95a8e35cf0bc7cd66fbd78ecbe521</id>
<content type='text'>
Follow up upstream rename from blacklist to blocklist.

- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
  warning
- Old MK_BLACKLIST* knobs are wired to the new ones

Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code.  If issues arise, it
will be swiftly reverted.

Reviewed by:	ivy (pkgbase)
Approved by:	emaste (mentor)
MFC after:	2 days
Relnotes:	yes
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Follow up upstream rename from blacklist to blocklist.

- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
  warning
- Old MK_BLACKLIST* knobs are wired to the new ones

Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code.  If issues arise, it
will be swiftly reverted.

Reviewed by:	ivy (pkgbase)
Approved by:	emaste (mentor)
MFC after:	2 days
Relnotes:	yes
</pre>
</div>
</content>
</entry>
<entry>
<title>sshd-auth: Chase MK_GSSAPI changes</title>
<updated>2025-08-26T19:13:07+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2025-08-18T16:04:06+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=665bf6ffb500f63b58cf971c99bb9d3f1413af9b'/>
<id>665bf6ffb500f63b58cf971c99bb9d3f1413af9b</id>
<content type='text'>
Fixes: 8e28d84935f2 ("OpenSSH: Update to 10.0p2")
Sponsored by: The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixes: 8e28d84935f2 ("OpenSSH: Update to 10.0p2")
Sponsored by: The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>OpenSSH: Update to 10.0p2</title>
<updated>2025-08-26T19:04:16+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2025-08-26T19:04:16+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=8e28d84935f2f0ee081d44f9803f3052b960e50b'/>
<id>8e28d84935f2f0ee081d44f9803f3052b960e50b</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release removes support for the weak DSA signature algorithm.
  [This change was previously merged to FreeBSD main.]

- This release has the version number 10.0 and announces itself as
  "SSH-2.0-OpenSSH_10.0".  Software that naively matches versions using
  patterns like "OpenSSH_1*" may be confused by this.

- sshd(8): this release removes the code responsible for the user
  authentication phase of the protocol from the per-connection
  sshd-session binary to a new sshd-auth binary.

Security

- sshd(8): fix the DisableForwarding directive, which was failing to
  disable X11 forwarding and agent forwarding as documented.
  [This change was previously merged to FreeBSD main.]

New features

- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
  used by default for key agreement.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release removes support for the weak DSA signature algorithm.
  [This change was previously merged to FreeBSD main.]

- This release has the version number 10.0 and announces itself as
  "SSH-2.0-OpenSSH_10.0".  Software that naively matches versions using
  patterns like "OpenSSH_1*" may be confused by this.

- sshd(8): this release removes the code responsible for the user
  authentication phase of the protocol from the per-connection
  sshd-session binary to a new sshd-auth binary.

Security

- sshd(8): fix the DisableForwarding directive, which was failing to
  disable X11 forwarding and agent forwarding as documented.
  [This change was previously merged to FreeBSD main.]

New features

- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
  used by default for key agreement.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove MK_GSSAPI</title>
<updated>2025-08-20T18:42:20+00:00</updated>
<author>
<name>Lexi Winter</name>
<email>ivy@FreeBSD.org</email>
</author>
<published>2025-08-20T18:42:20+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=dc5ba6b8b4f028eb944434be82838d272330f26f'/>
<id>dc5ba6b8b4f028eb944434be82838d272330f26f</id>
<content type='text'>
For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled.  Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system.  This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D51859
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled.  Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system.  This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D51859
</pre>
</div>
</content>
</entry>
<entry>
<title>gssapi,krb5: Replace libgssapi with the MIT version</title>
<updated>2025-08-07T17:17:00+00:00</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2025-07-31T16:51:20+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd7878e41a'/>
<id>e26259f48afe98022d885f02fbb8abcd7878e41a</id>
<content type='text'>
lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patchs to the tree.

This should have been implmented with 7e35117eb07f.

Fixes:			7e35117eb07f, 73ed0c7992fd
Differential Revision:	https://reviews.freebsd.org/D51661
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patchs to the tree.

This should have been implmented with 7e35117eb07f.

Fixes:			7e35117eb07f, 73ed0c7992fd
Differential Revision:	https://reviews.freebsd.org/D51661
</pre>
</div>
</content>
</entry>
<entry>
<title>openssh: Support building with MIT KRB5</title>
<updated>2025-06-16T02:49:36+00:00</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2025-06-10T19:46:35+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=70371c7959df8bcba9b5ee62d976c1e74991e0a9'/>
<id>70371c7959df8bcba9b5ee62d976c1e74991e0a9</id>
<content type='text'>
Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by:		The FreeBSD Foundation
Reviewed by:		markj
Differential revision:	https://reviews.freebsd.org/D50782
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by:		The FreeBSD Foundation
Reviewed by:		markj
Differential revision:	https://reviews.freebsd.org/D50782
</pre>
</div>
</content>
</entry>
<entry>
<title>secure: Add ssh-sk-client to all consumers of libssh</title>
<updated>2025-04-22T02:05:28+00:00</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2025-04-22T02:05:28+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=a098111a28ed59e1ab1101ad09913f0235ebd28f'/>
<id>a098111a28ed59e1ab1101ad09913f0235ebd28f</id>
<content type='text'>
These all failed to link with ld.bfd used by GCC due to
Fssh_sshsk_sign being an unresolved symbol.

Fixes:		65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These all failed to link with ld.bfd used by GCC due to
Fssh_sshsk_sign being an unresolved symbol.

Fixes:		65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")
</pre>
</div>
</content>
</entry>
<entry>
<title>secure: Adapt Makefile to ssh-sk-client everywhere</title>
<updated>2025-04-17T19:12:39+00:00</updated>
<author>
<name>Jose Luis Duran</name>
<email>jlduran@FreeBSD.org</email>
</author>
<published>2025-04-17T19:08:02+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=65d8491719bbc88ed45637d2381931c2d29cfe87'/>
<id>65d8491719bbc88ed45637d2381931c2d29cfe87</id>
<content type='text'>
Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client.  Do the same here.

Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49795
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client.  Do the same here.

Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49795
</pre>
</div>
</content>
</entry>
<entry>
<title>secure: Rearrange Makefile SRCS to match upstream Makefile.in</title>
<updated>2025-04-17T19:12:05+00:00</updated>
<author>
<name>Jose Luis Duran</name>
<email>jlduran@FreeBSD.org</email>
</author>
<published>2025-04-17T18:56:00+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=9440aad19dca73fdd224b128ac2dc2e78191ff15'/>
<id>9440aad19dca73fdd224b128ac2dc2e78191ff15</id>
<content type='text'>
SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change intended.

Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49793
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change intended.

Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49793
</pre>
</div>
</content>
</entry>
</feed>
