ssh: Update to OpenSSH 9.3p2

From the release notes:

Changes since OpenSSH 9.3
=========================

This release fixes a security bug.

Security
========

Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:

* Exploitation requires the presence of specific libraries on
  the victim system.
* Remote exploitation requires that the agent was forwarded
  to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.

This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.

In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).

Potentially-incompatible changes
--------------------------------

 * ssh-agent(8): the agent will now refuse requests to load PKCS#11
   modules issued by remote clients by default. A flag has been added
   to restore the previous behaviour "-Oallow-remote-pkcs11".

   Note that ssh-agent(8) depends on the SSH client to identify
   requests that are remote. The OpenSSH >=8.9 ssh(1) client does
   this, but forwarding access to an agent socket using other tools
   may circumvent this restriction.

Security:	CVE-2023-38408
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 66fd12cf4896eb08ad8e7a2627537f84ead84dd3)

10 files changed, 82 insertions, 1848 deletions

diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index f1d1b37d583c..40ca976a61b3 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,3 +1,36 @@
+commit 9795c4016ae35162072144df032c8b262433b462
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Jul 19 16:27:12 2023 +1000
+
+    OpenSSH 9.3p2
+
+commit bde3635f3c9324bad132cf9ed917813d6abb599e
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Jul 19 16:31:09 2023 +1000
+
+    update version in README
+
+commit f673f2f3e5f67099018fc281a6b5fb918142472e
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Jul 19 16:31:00 2023 +1000
+
+    update RPM spec versions
+
+commit d7790cdce72a1b6982795baa2b4d6f0bdbb0100d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 7 13:30:15 2023 +1000
+
+    disallow remote addition of FIDO/PKCS11 keys
+    
+    Depends on the local client performing the session-bind@openssh.com
+    operation, so non-OpenSSH local client may circumvent this.
+
+commit b23fe83f06ee7e721033769cfa03ae840476d280
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Jul 13 12:09:34 2023 +1000
+
+    terminate pkcs11 process for bad libraries
+
 commit cb30fbdbee869f1ce11f06aa97e1cb8717a0b645
 Author: Damien Miller <djm@mindrot.org>
 Date:   Thu Mar 16 08:28:19 2023 +1100
@@ -9402,1837 +9435,3 @@ Date:   Mon Jul 19 05:08:54 2021 +0000
     reliability on very heavily loaded hosts.
     
     OpenBSD-Regress-ID: 4c28a0fce3ea89ebde441d7091464176e9730533
-
-commit 7953e1bfce9e76bec41c1331a29bc6cff9d416b8
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Jul 19 13:47:51 2021 +1000
-
-    Add sshfp-connect.sh file missed in previous.
-
-commit b75a80fa8369864916d4c93a50576155cad4df03
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 19 03:13:28 2021 +0000
-
-    upstream: Ensure that all returned SSHFP records for the specified host
-    
-    name and hostkey type match instead of only one.  While there, simplify the
-    code somewhat and add some debugging.  Based on discussion in bz#3322, ok
-    djm@.
-    
-    OpenBSD-Commit-ID: 0a6a0a476eb7f9dfe8fe2c05a1a395e3e9b22ee4
-
-commit 1cc1fd095393663cd72ddac927d82c6384c622ba
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 19 02:21:50 2021 +0000
-
-    upstream: Id sync only, -portable already has this.
-    
-    Put dh_set_moduli_file call inside ifdef WITH_OPENSSL. Fixes
-    build with OPENSSL=no.
-    
-    OpenBSD-Commit-ID: af54abbebfb12bcde6219a44d544e18204defb15
-
-commit 33abbe2f4153f5ca5c874582f6a7cc91ae167485
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 19 02:46:34 2021 +0000
-
-    upstream: Add test for host key verification via SSHFP records. This
-    
-    requires some external setup to operate so is disabled by default (see
-    comments in sshfp-connect.sh).
-    
-    OpenBSD-Regress-ID: c52c461bd1df3a803d17498917d156ef64512fd9
-
-commit f0cd000d8e3afeb0416dce1c711c3d7c28d89bdd
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 19 02:29:28 2021 +0000
-
-    upstream: Add ed25519 key and test SSHFP export of it. Only test
-    
-    RSA SSHFP export if we have RSA functionality compiled in.
-    
-    OpenBSD-Regress-ID: b4ff5181b8c9a5862e7f0ecdd96108622333a9af
-
-commit 0075511e27e5394faa28edca02bfbf13b9a6693e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 19 00:16:26 2021 +0000
-
-    upstream: Group keygen tests together.
-    
-    OpenBSD-Regress-ID: 07e2d25c527bb44f03b7c329d893a1f2d6c5c40c
-
-commit 034828820c7e62652e7c48f9ee6b67fb7ba6fa26
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Sun Jul 18 23:10:10 2021 +0000
-
-    upstream: Add test for ssh-keygen printing of SSHFP records.
-    
-    OpenBSD-Regress-ID: fde9566b56eeb980e149bbe157a884838507c46b
-
-commit 52c3b6985ef1d5dadb4c4fe212f8b3a78ca96812
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 17 00:38:11 2021 +0000
-
-    upstream: wrap some long lines
-    
-    OpenBSD-Commit-ID: 4f5186b1466656762dae37d3e569438d900c350d
-
-commit 43ec991a782791d0b3f42898cd789f99a07bfaa4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Jul 17 00:36:53 2021 +0000
-
-    upstream: fix sftp on ControlPersist connections, broken by recent
-    
-    SessionType change; spotted by sthen@
-    
-    OpenBSD-Commit-ID: 4c5ddc5698790ae6ff50d2a4f8f832f0eeeaa234
-
-commit 073f45c236550f158c9a94003e4611c07dea5279
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 16 09:00:23 2021 +0000
-
-    upstream: Explicitly check for and start time-based rekeying in the
-    
-    client and server mainloops.
-    
-    Previously the rekey timeout could expire but rekeying would not start
-    until a packet was sent or received. This could cause us to spin in
-    select() on the rekey timeout if the connection was quiet.
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: 4356cf50d7900f3df0a8f2117d9e07c91b9ff987
-
-commit ef7c4e52d5d840607f9ca3a302a4cbb81053eccf
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Wed Jul 14 06:46:38 2021 +0000
-
-    upstream: reorder SessionType; ok djm
-    
-    OpenBSD-Commit-ID: c7dd0b39e942b1caf4976a0b1cf0fed33d05418c
-
-commit 8aa2f9aeb56506dca996d68ab90ab9c0bebd7ec3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 14 11:26:50 2021 +1000
-
-    Make whitespace consistent.
-
-commit 4f4297ee9b8a39f4dfd243a74c5f51f9e7a05723
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jul 14 11:26:12 2021 +1000
-
-    Add ARM64 Linux self-hosted runner.
-
-commit eda8909d1b0a85b9c3804a04d03ec6738fd9dc7f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jul 13 23:48:36 2021 +0000
-
-    upstream: add a SessionType directive to ssh_config, allowing the
-    
-    configuration file to offer equivalent control to the -N (no session) and -s
-    (subsystem) command-line flags.
-    
-    Part of GHPR#231 by Volker Diels-Grabsch with some minor tweaks;
-    feedback and ok dtucker@
-    
-    OpenBSD-Commit-ID: 726ee931dd4c5cc7f1d7a187b26f41257f9a2d12
-
-commit 7ae69f2628e338ba6e0eae7ee8a63bcf8fea7538
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 12 02:12:22 2021 +0000
-
-    upstream: fix some broken tests; clean up output
-    
-    OpenBSD-Regress-ID: 1d5038edb511dc4ce1622344c1e724626a253566
-
-commit f5fc6a4c3404bbf65c21ca6361853b33d78aa87e
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Jul 12 18:00:05 2021 +1000
-
-    Add configure-time detection for SSH_TIME_T_MAX.
-    
-    Should fix printing cert times exceeding INT_MAX (bz#3329) on platforms
-    were time_t is a long long.  The limit used is for the signed type, so if
-    some system has a 32bit unsigned time_t then the lower limit will still
-    be imposed and we would need to add some way to detect this.  Anyone using
-    an unsigned 64bit can let us know when it starts being a problem.
-
-commit fd2d06ae4442820429d634c0a8bae11c8e40c174
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 12 06:22:57 2021 +0000
-
-    upstream: Make limit for time_t test unconditional in the
-    
-    format_absolute_time fix for bz#3329 that allows printing of timestamps past
-    INT_MAX. This was incorrectly included with the previous commit.   Based on
-    discussion with djm@.
-    
-    OpenBSD-Commit-ID: 835936f6837c86504b07cabb596b613600cf0f6e
-
-commit 6c29b387cd64a57b0ec8ae7d2c8d02789d88fcc3
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 12 06:08:57 2021 +0000
-
-    upstream: Use existing format_absolute_time() function when
-    
-    printing cert validity instead of doing it inline.  Part of bz#3329.
-    
-    OpenBSD-Commit-ID: a13d4e3c4f59644c23745eb02a09b2a4e717c00c
-
-commit 99981d5f8bfa383791afea03f6bce8454e96e323
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jul 9 09:55:56 2021 +0000
-
-    upstream: silence redundant error message; reported by Fabian Stelzer
-    
-    OpenBSD-Commit-ID: 9349a703016579a60557dafd03af2fe1d44e6aa2
-
-commit e86097813419b49d5bff5c4b51d1c3a5d4d2d804
-Author: John Ericson <John.Ericson@Obsidian.Systems>
-Date:   Sat Dec 26 11:40:49 2020 -0500
-
-    Re-indent krb5 section after pkg-config addition.
-
-commit 32dd2daa56c294e40ff7efea482c9eac536d8cbb
-Author: John Ericson <John.Ericson@Obsidian.Systems>
-Date:   Sat Dec 26 11:40:49 2020 -0500
-
-    Support finding Kerberos via pkg-config
-    
-    This makes cross compilation easier.
-
-commit def7a72234d7e4f684d72d33a0f7229f9eee0aa4
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 9 14:34:06 2021 +1000
-
-    Update comments about EGD to include prngd.
-
-commit b5d23150b4e3368f4983fd169d432c07afeee45a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 5 01:21:07 2021 +0000
-
-    upstream: Fix a couple of whitespace things. Portable already has
-    
-    these so this removes two diffs between the two.
-    
-    OpenBSD-Commit-ID: 769f017ebafd8e741e337b3e9e89eb5ac73c9c56
-
-commit 8f57be9f279b8e905f9883066aa633c7e67b31cf
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 5 01:16:46 2021 +0000
-
-    upstream: Order includes as per style(9). Portable already has
-    
-    these so this removes a handful of diffs between the two.
-    
-    OpenBSD-Commit-ID: 8bd7452d809b199c19bfc49511a798f414eb4a77
-
-commit b75624f8733b3ed9e240f86cac5d4a39dae11848
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon Jul 5 00:50:25 2021 +0000
-
-    upstream: Remove comment referencing now-removed
-    
-    RhostsRSAAuthentication.  ok djm@
-    
-    OpenBSD-Commit-ID: 3d864bfbd99a1d4429a58e301688f3be464827a9
-
-commit b67eb12f013c5441bb4f0893a97533582ad4eb13
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jul 5 00:25:42 2021 +0000
-
-    upstream: allow spaces to appear in usernames for local to remote,
-    
-    and scp -3 remote to remote copies. with & ok dtucker bz#1164
-    
-    OpenBSD-Commit-ID: e9b550f3a85ffbb079b6720833da31317901d6dd
-
-commit 8c4ef0943e574f614fc7c6c7e427fd81ee64ab87
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jul 2 07:20:44 2021 +0000
-
-    upstream: Remove obsolete comments about SSHv1 auth methods. ok
-    
-    djm@
-    
-    OpenBSD-Commit-ID: 6060f70966f362d8eb4bec3da2f6c4712fbfb98f
-
-commit 88908c9b61bcb99f16e8d398fc41e2b3b4be2003
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 23:00:19 2021 +1000
-
-    Remove reference to ChallengeResponse.
-    
-    challenge_response_authentication was removed from the struct, keeping
-    kbd_interactive_authentication.
-
-commit 321874416d610ad2158ce6112f094a4862c2e37f
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 20:38:09 2021 +1000
-
-    Move signal.h up include order to match upstream.
-
-commit 4fa83e2d0e32c2dd758653e0359984bbf1334f32
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 20:36:06 2021 +1000
-
-    Remove old OpenBSD version marker.
-    
-    Looks like an accidental leftover from a sync.
-
-commit 9d5e31f55d5f3899b72645bac41a932d298ad73b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 20:34:19 2021 +1000
-
-    Remove duplicate error on error path.
-    
-    There's an extra error() call on the listen error path, it looks like
-    its removal was missed during an upstream sync.
-
-commit 888c459925c7478ce22ff206c9ac1fb812a40caf
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 20:32:46 2021 +1000
-
-    Remove some whitespace not in upstream.
-    
-    Reduces diff vs OpenBSD by a small amount.
-
-commit 4d2d4d47a18d93f3e0a91a241a6fdb545bbf7dc2
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 19:27:43 2021 +1000
-
-    Replace remaining references to ChallengeResponse.
-    
-    Portable had a few additional references to ChallengeResponse related to
-    UsePAM, replaces these with equivalent keyboard-interactive ones.
-
-commit 53237ac789183946dac6dcb8838bc3b6b9b43be1
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 19:23:28 2021 +1000
-
-    Sync remaining ChallengeResponse removal.
-    
-    These were omitted from commit 88868fd131.
-
-commit 2c9e4b319f7e98744b188b0f58859d431def343b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Jul 3 19:17:31 2021 +1000
-
-    Disable rocky84 to figure out why agent test fails
-
-commit bfe19197a92b7916f64a121fbd3c179abf15e218
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 2 15:43:28 2021 +1000
-
-    Remove now-unused SSHv1 enums.
-    
-    sRhostsRSAAuthentication and sRSAAuthentication are protocol 1 options
-    and are no longer used.
-
-commit c73b02d92d72458a5312bd098f32ce88868fd131
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jul 2 05:11:20 2021 +0000
-
-    upstream: Remove references to ChallengeResponseAuthentication in
-    
-    favour of KbdInteractiveAuthentication.  The former is what was in SSHv1, the
-    latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
-    not entirely equivalent.  We retain the old name as deprecated alias so
-    config files continue to work and a reference in the man page for people
-    looking for it.
-    
-    Prompted by bz#3303 which pointed out the discrepancy between the two
-    when used with Match.  Man page help & ok jmc@, with & ok djm@
-    
-    OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
-
-commit f841fc9c8c7568a3b5d84a4cc0cefacb7dbc16b9
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jul 2 15:20:32 2021 +1000
-
-    Fix ifdefs around get_random_bytes_prngd.
-    
-    get_random_bytes_prngd() is used if either of PRNGD_PORT or PRNGD_SOCKET
-    are defined, so adjust ifdef accordingly.
-
-commit 0767627cf66574484b9c0834500b42ea04fe528a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Jul 2 14:30:23 2021 +1000
-
-    wrap get_random_bytes_prngd() in ifdef
-    
-    avoid unused static function warning
-
-commit f93fdc4de158386efe1116bd44c5b3f4a7a82c25
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Jun 28 13:06:37 2021 +1000
-
-    Add rocky84 test target.
-
-commit d443006c0ddfa7f6a5bd9c0ae92036f3d5f2fa3b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 25 06:30:22 2021 +0000
-
-    upstream: fix decoding of X.509 subject name; from Leif Thuresson
-    
-    via bz3327 ok markus@
-    
-    OpenBSD-Commit-ID: 0ea2e28f39750dd388b7e317bc43dd997a217ae8
-
-commit 2a5704ec142202d387fda2d6872fd4715ab81347
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jun 25 06:20:39 2021 +0000
-
-    upstream: Use better language to refer to the user. From l1ving
-    
-    via github PR#250, ok jmc@
-    
-    OpenBSD-Commit-ID: 07ca3526626996613e128aeddf7748c93c4d6bbf
-
-commit 4bdf7a04797a0ea1c431a9d54588417c29177d19
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jun 25 03:38:17 2021 +0000
-
-    upstream: Replace SIGCHLD/notify_pipe kludge with pselect.
-    
-    Previously sshd's SIGCHLD handler would wake up select() by writing a
-    byte to notify_pipe.  We can remove this by blocking SIGCHLD, checking
-    for child terminations then passing the original signal mask through
-    to pselect.  This ensures that the pselect will immediately wake up if
-    a child terminates between wait()ing on them and the pselect.
-    
-    In -portable, for platforms that do not have pselect the kludge is still
-    there but is hidden behind a pselect interface.
-    
-    Based on other changes for bz#2158, ok djm@
-    
-    OpenBSD-Commit-ID: 202c85de0b3bdf1744fe53529a05404c5480d813
-
-commit c9f7bba2e6f70b7ac1f5ea190d890cb5162ce127
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 25 15:08:18 2021 +1000
-
-    Move closefrom() to before first malloc.
-    
-    When built against tcmalloc, tcmalloc allocates a descriptor for its
-    internal use, so calling closefrom() afterward causes the descriptor
-    number to be reused resulting in a corrupted connection.  Moving the
-    closefrom a little earlier should resolve this.  From kircherlike at
-    outlook.com via bz#3321, ok djm@
-
-commit 7ebfe4e439853b88997c9cfc2ff703408a1cca92
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 18 20:41:45 2021 +1000
-
-    Put second -lssh in link line for sftp-server.
-    
-    When building --without-openssl the recent port-prngd.c change adds
-    a dependency on atomicio, but since nothing else in sftp-server uses
-    it, the linker may not find it.  Add a second -lssh similar to other
-    binaries.
-
-commit e409d7966785cfd9f5970e66a820685c42169717
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 18 18:34:08 2021 +1000
-
-    Try EGD/PRNGD if random device fails.
-    
-    When built --without-openssl, try EGD/PRGGD (if configured) as a last
-    resort before failing.
-
-commit e43a898043faa3a965dbaa1193cc60e0b479033d
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 18 18:32:51 2021 +1000
-
-    Split EGD/PRNGD interface into its own file.
-    
-    This will allow us to use it when building --without-openssl.
-
-commit acb2887a769a1b1912cfd7067f3ce04fad240260
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Jun 17 21:03:19 2021 +1000
-
-    Handle GIDs > 2^31 in getgrouplist.
-    
-    When compiled in 32bit mode, the getgrouplist implementation may fail
-    for GIDs greater than LONG_MAX.  Analysis and change from ralf.winkel
-    at tui.com.
-
-commit 31fac20c941126281b527605b73bff30a8f02edd
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jun 10 09:46:28 2021 +0000
-
-    upstream: Use $SUDO when reading sshd's pidfile here too.
-    
-    OpenBSD-Regress-ID: 6bfb0d455d493f24839034a629c5306f84dbd409
-
-commit a3a58acffc8cc527f8fc6729486d34e4c3d27643
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jun 10 09:43:51 2021 +0000
-
-    upstream: Use $SUDO when reading sshd's pidfile in case it was
-    
-    created with a very restrictive umask.  This resyncs with -portable.
-    
-    OpenBSD-Regress-ID: 07fd2af06df759d4f64b82c59094accca1076a5d
-
-commit 249ad4ae51cd3bc235e75a4846eccdf8b1416611
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jun 10 09:37:59 2021 +0000
-
-    upstream: Set umask when creating hostkeys to prevent excessive
-    
-    permissions warning.
-    
-    OpenBSD-Regress-ID: 382841db0ee28dfef7f7bffbd511803e1b8ab0ef
-
-commit 9d0892153c005cc65897e9372b01fa66fcbe2842
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jun 10 03:45:31 2021 +0000
-
-    upstream: Add regress test for SIGHUP restart
-    
-    while handling active and unauthenticated clients.  Should catch anything
-    similar to the pselect bug just fixed in sshd.c.
-    
-    OpenBSD-Regress-ID: 3b3c19b5e75e43af1ebcb9586875b3ae3a4cac73
-
-commit 73f6f191f44440ca3049b9d3c8e5401d10b55097
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Jun 10 03:14:14 2021 +0000
-
-    upstream: Continue accept loop when pselect
-    
-    returns -1, eg if it was interrupted by a signal.  This should prevent
-    the hang discovered by sthen@ wherein sshd receives a SIGHUP while it has
-    an unauthenticated child and goes on to a blocking read on a notify_pipe.
-    feedback deraadt@, ok djm@
-    
-    OpenBSD-Commit-ID: 0243c1c5544fca0974dae92cd4079543a3fceaa0
-
-commit c785c0ae134a8e8b5c82b2193f64c632a98159e4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 22:30:27 2021 +0000
-
-    upstream: test that UserKnownHostsFile correctly accepts multiple
-    
-    arguments; would have caught readconf.c r1.356 regression
-    
-    OpenBSD-Regress-ID: 71ca54e66c2a0211b04999263e56390b1f323a6a
-
-commit 1a6f6b08e62c78906a3032e8d9a83e721c84574e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 22:06:12 2021 +0000
-
-    upstream: fix regression in r1.356: for ssh_config options that
-    
-    accepted multiple string arguments, ssh was only recording the first.
-    Reported by Lucas via bugs@
-    
-    OpenBSD-Commit-ID: 7cbf182f7449bf1cb7c5b4452667dc2b41170d6d
-
-commit 78e30af3e2b2dd540a341cc827c6b98dd8b0a6de
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 07:40:12 2021 +0000
-
-    upstream: test argv_split() optional termination on comments
-    
-    OpenBSD-Regress-ID: 9fd1c4a27a409897437c010cfd79c54b639a059c
-
-commit a023138957ea2becf1c7f93fcc42b0aaac6f2b03
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Jun 8 07:05:27 2021 +0000
-
-    upstream: Add testcases from bz#3319 for IPQoS and TunnelDevice
-    
-    being overridden on the command line.
-    
-    OpenBSD-Regress-ID: 801674d5d2d02abd58274a78cab2711f11de14a8
-
-commit 660cea10b2cdc11f13ba99c89b1bbb368a4d9ff2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 06:52:43 2021 +0000
-
-    upstream: sprinkle some "# comment" at end of configuration lines
-    
-    to test comment handling
-    
-    OpenBSD-Regress-ID: cb82fbf40bda5c257a9f742c63b1798e5a8fdda7
-
-commit acc9c32dcb6def6c7d3688bceb4c0e59bd26b411
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 06:51:47 2021 +0000
-
-    upstream: more descriptive failure message
-    
-    OpenBSD-Regress-ID: 5300f6faf1d9e99c0cd10827b51756c5510e3509
-
-commit ce04dd4eae23d1c9cf7c424a702f48ee78573bc1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 7 01:16:34 2021 +0000
-
-    upstream: test AuthenticationMethods inside a Match block as well
-    
-    as in the main config section
-    
-    OpenBSD-Regress-ID: ebe0a686621b7cb8bb003ac520975279c28747f7
-
-commit 9018bd821fca17e26e92f7a7e51d9b24cd62f2db
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 7 00:00:50 2021 +0000
-
-    upstream: prepare for stricter sshd_config parsing that will refuse
-    
-    a config that has {Allow,Deny}{Users,Groups} on a line with no subsequent
-    arguments. Such lines are permitted but are nonsensical noops ATM
-    
-    OpenBSD-Regress-ID: ef65463fcbc0bd044e27f3fe400ea56eb4b8f650
-
-commit a10f929d1ce80640129fc5b6bc1acd9bf689169e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 07:09:42 2021 +0000
-
-    upstream: switch sshd_config parsing to argv_split()
-    
-    similar to the previous commit, this switches sshd_config parsing to
-    the newer tokeniser. Config parsing will be a little stricter wrt
-    quote correctness and directives appearing without arguments.
-    
-    feedback and ok markus@
-    
-    tested in snaps for the last five or so days - thanks Theo and those who
-    caught bugs
-    
-    OpenBSD-Commit-ID: 9c4305631d20c2d194661504ce11e1f68b20d93e
-
-commit ea9e45c89a4822d74a9d97fef8480707d584da4d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 07:07:15 2021 +0000
-
-    upstream: Switch ssh_config parsing to use argv_split()
-    
-    This fixes a couple of problems with the previous tokeniser,
-    strdelim()
-    
-    1. strdelim() is permissive wrt accepting '=' characters. This is
-      intended to allow it to tokenise "Option=value" but because it
-      cannot keep state, it will incorrectly split "Opt=val=val2".
-    2. strdelim() has rudimentry handling of quoted strings, but it
-      is incomplete and inconsistent. E.g. it doesn't handle escaped
-      quotes inside a quoted string.
-    3. It has no support for stopping on a (unquoted) comment. Because
-      of this readconf.c r1.343 added chopping of lines at '#', but
-      this caused a regression because these characters may legitimately
-      appear inside quoted strings.
-    
-    The new tokeniser is stricter is a number of cases, including #1 above
-    but previously it was also possible for some directives to appear
-    without arguments. AFAIK these were nonsensical in all cases, and the
-    new tokeniser refuses to accept them.
-    
-    The new code handles quotes much better, permitting quoted space as
-    well as escaped closing quotes. Finally, comment handling should be
-    fixed - the tokeniser will terminate only on unquoted # characters.
-    
-    feedback & ok markus@
-    
-    tested in snaps for the last five or so days - thanks Theo and those who
-    caught bugs
-    
-    OpenBSD-Commit-ID: dc72fd12af9d5398f4d9e159d671f9269c5b14d5
-
-commit d786424986c04d1d375f231fda177c8408e05c3e
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Jun 8 07:02:46 2021 +0000
-
-    upstream: Check if IPQoS or TunnelDevice are already set before
-    
-    overriding. Prevents values in config files from overriding values supplied
-    on the command line.  bz#3319, ok markus.
-    
-    OpenBSD-Commit-ID: f3b08b898c324debb9195e6865d8999406938f74
-
-commit aae4b4d3585b9f944d7dbd3c9e5ba0006c55e457
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Jun 8 06:54:40 2021 +0000
-
-    upstream: Allow argv_split() to optionally terminate tokenisation
-    
-    when it encounters an unquoted comment.
-    
-    Add some additional utility function for working with argument
-    vectors, since we'll be switching to using them to parse
-    ssh/sshd_config shortly.
-    
-    ok markus@ as part of a larger diff; tested in snaps
-    
-    OpenBSD-Commit-ID: fd9c108cef2f713f24e3bc5848861d221bb3a1ac
-
-commit da9f9acaac5bab95dca642b48e0c8182b246ab69
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Jun 7 19:19:23 2021 +1000
-
-    Save logs on failure for upstream test
-
-commit 76883c60161e5f3808787085a27a8c37f8cc4e08
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Jun 7 14:36:32 2021 +1000
-
-    Add obsdsnap-i386 upstream test target.
-
-commit d45b9c63f947ec5ec314696e70281f6afddc0ac3
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Jun 7 03:38:38 2021 +0000
-
-    upstream: fix debug message when finding a private key to match a
-    
-    certificate being attempted for user authentication. Previously it would
-    print the certificate's path, whereas it was supposed to be showing the
-    private key's path. Patch from Alex Sherwin via GHPR247
-    
-    OpenBSD-Commit-ID: d5af3be66d0f22c371dc1fe6195e774a18b2327b
-
-commit 530739d42f6102668aecd699be0ce59815c1eceb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Jun 6 11:34:16 2021 +0000
-
-    upstream: Match host certificates against host public keys, not private
-    
-    keys. Allows use of certificates with private keys held in a ssh-agent.
-    Reported by Miles Zhou in bz3524; ok dtucker@
-    
-    OpenBSD-Commit-ID: 25f5bf70003126d19162862d9eb380bf34bac22a
-
-commit 4265215d7300901fd7097061c7517688ade82f8e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Jun 6 03:40:39 2021 +0000
-
-    upstream: Client-side workaround for a bug in OpenSSH 7.4: this release
-    
-    allows RSA/SHA2 signatures for public key authentication but fails to
-    advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these
-    server to incorrectly match PubkeyAcceptedAlgorithms and potentially refuse
-    to offer valid keys.
-    
-    Reported by and based on patch from Gordon Messmer via bz3213, thanks
-    also for additional analysis by Jakub Jelen. ok dtucker
-    
-    OpenBSD-Commit-ID: d6d0b7351d5d44c45f3daaa26efac65847a564f7
-
-commit bda270d7fb8522d43c21a79a4b02a052d7c64de8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Jun 6 03:17:02 2021 +0000
-
-    upstream: degrade gracefully if a sftp-server offers the
-    
-    limits@openssh.com extension but fails when the client tries to invoke it.
-    Reported by Hector Martin via bz3318
-    
-    OpenBSD-Commit-ID: bd9d1839c41811616ede4da467e25746fcd9b967
-
-commit d345d5811afdc2d6923019b653cdd93c4cc95f76
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Jun 6 03:15:39 2021 +0000
-
-    upstream: the limits@openssh.com extension was incorrectly marked
-    
-    as an operation that writes to the filesystem, which made it unavailable in
-    sftp-server read-only mode. Spotted by Hector Martin via bz3318
-    
-    OpenBSD-Commit-ID: f054465230787e37516c4b57098fc7975e00f067
-
-commit 2b71010d9b43d7b8c9ec1bf010beb00d98fa765a
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Sat Jun 5 13:47:00 2021 +0000
-
-    upstream: PROTOCOL.certkeys: update reference from IETF draft to
-    
-    RFC
-    
-    Also fix some typos.
-    ok djm@
-    
-    OpenBSD-Commit-ID: 5e855b6c5a22b5b13f8ffa3897a868e40d349b44
-
-commit aa99b2d9a3e45b943196914e8d8bf086646fdb54
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 4 23:41:29 2021 +1000
-
-    Clear notify_pipe from readset if present.
-    
-    Prevents leaking an implementation detail to the caller.
-
-commit 6de8dadf6b4d0627d35bca0667ca44b1d61c2c6b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 4 23:24:25 2021 +1000
-
-    space->tabs.
-
-commit c8677065070ee34c05c7582a9c2f58d8642e552d
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Jun 4 18:39:48 2021 +1000
-
-    Add pselect implementation for platforms without.
-    
-    This is basically the existing notify_pipe kludge from serverloop.c
-    moved behind a pselect interface.  It works by installing a signal
-    handler that writes to a pipe that the select is watching, then calls
-    the original handler.
-    
-    The select call in serverloop will become pselect soon, at which point the
-    kludge will be removed from thereand will only exist in the compat layer.
-    Original code by markus, help from djm.
-
-commit 7cd7f302d3a072748299f362f9e241d81fcecd26
-Author: Vincent Brillault <vincent.brillault@cern.ch>
-Date:   Sun May 24 09:15:06 2020 +0200
-
-    auth_log: dont log partial successes as failures
-    
-    By design, 'partial' logins are successful logins, so initially with
-    authenticated set to 1, for which another authentication is required. As
-    a result, authenticated is always reset to 0 when partial is set to 1.
-    However, even if authenticated is 0, those are not failed login
-    attempts, similarly to attempts with authctxt->postponed set to 1.
-
-commit e7606919180661edc7f698e6a1b4ef2cfb363ebf
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 4 06:19:07 2021 +0000
-
-    upstream: The RB_GENERATE_STATIC(3) macro expands to a series of
-    
-    function definitions and not a statement, so there should be no semicolon
-    following them. Patch from Michael Forney
-    
-    OpenBSD-Commit-ID: c975dd180580f0bdc0a4d5b7d41ab1f5e9b7bedd
-
-commit c298c4da574ab92df2f051561aeb3e106b0ec954
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 4 05:59:18 2021 +0000
-
-    upstream: rework authorized_keys example section, removing irrelevant
-    
-    stuff, de-wrapping the example lines and better aligning the examples with
-    common usage and FAQs; ok jmc
-    
-    OpenBSD-Commit-ID: d59f1c9281f828148e2a2e49eb9629266803b75c
-
-commit d9cb35bbec5f623589d7c58fc094817b33030f35
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 4 05:10:03 2021 +0000
-
-    upstream: adjust SetEnv description to clarify $TERM handling
-    
-    OpenBSD-Commit-ID: 8b8cc0124856bc1094949d55615e5c44390bcb22
-
-commit 771f57a8626709f2ad207058efd68fbf30d31553
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Jun 4 05:09:08 2021 +0000
-
-    upstream: Switch the listening select loop from select() to
-    
-    pselect() and mask signals while checking signal flags, umasking for pselect
-    and restoring afterwards. Also restore signals before sighup_restart so they
-    don't remain blocked after restart.
-    
-    This prevents a race where a SIGTERM or SIGHUP can arrive between
-    checking the flag and calling select (eg if sshd is processing a
-    new connection) resulting in sshd not shutting down until the next
-    time it receives a new connection.  bz#2158, with & ok djm@
-    
-    OpenBSD-Commit-ID: bf85bf880fd78e00d7478657644fcda97b9a936f
-
-commit f64f8c00d158acc1359b8a096835849b23aa2e86
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 4 05:02:40 2021 +0000
-
-    upstream: allow ssh_config SetEnv to override $TERM, which is otherwise
-    
-    handled specially by the protocol. Useful in ~/.ssh/config to set TERM to
-    something generic (e.g. "xterm" instead of "xterm-256color") for destinations
-    that lack terminfo entries. feedback and ok dtucker@
-    
-    OpenBSD-Commit-ID: 38b1ef4d5bc159c7d9d589d05e3017433e2d5758
-
-commit 60107677dc0ce1e93c61f23c433ad54687fcd9f5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Jun 4 04:02:21 2021 +0000
-
-    upstream: correct extension name "no-presence-required" =>
-    
-    "no-touch-required"
-    
-    document "verify-required" option
-    
-    OpenBSD-Commit-ID: 1879ff4062cf61d79b515e433aff0bf49a6c55c5
-
-commit ecc186e46e3e30f27539b4311366dfda502f0a08
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jun 2 13:54:11 2021 +1000
-
-    Retire fbsd7 test target.
-    
-    It's the slowest of the selfhosted targets (since it's 32bit but has
-    most of the crypto algos). We still have coverage for 32bit i386.
-
-commit 5de0867b822ec48b5eec9abde0f5f95d1d646546
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jun 2 11:21:40 2021 +1000
-
-    Check for $OPENSSL in md5 fallback too.
-
-commit 1db69d1b6542f8419c04cee7fd523a4a11004be2
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Jun 2 11:17:54 2021 +1000
-
-    Add dfly60 target.
-
-commit a3f2dd955f1c19cad387a139f0e719af346ca6ef
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Jun 2 00:17:45 2021 +0000
-
-    upstream: Merge back shell portability changes
-    
-    bringing it back in sync with -portable.
-    
-    OpenBSD-Regress-ID: c07905ba931e66ad7d849b87b7d19648007175d1
-
-commit 9d482295c9f073e84d75af46b720a1c0f7ec2867
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Jun 1 23:56:20 2021 +0000
-
-    upstream: Use a default value for $OPENSSL,
-    
-    allowing it to be overridden. Do the same in the PuTTY tests since it's
-    needed there and not exported by test-exec.sh.
-    
-    OpenBSD-Regress-ID: c49dcd6aa7602a8606b7afa192196ca1fa65de16
-
-commit 07660b3c99f8ea74ddf4a440e55c16c9f7fb3dd1
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon May 24 10:25:18 2021 +0000
-
-    upstream: Find openssl binary via environment variable. This
-    
-    allows overriding if necessary (eg in -portable where we're testing against a
-    specific version of OpenSSL).
-    
-    OpenBSD-Regress-ID: 491f39cae9e762c71aa4bf045803d077139815c5
-
-commit 1a4d1da9188d7c88f646b61f0d6a3b34f47c5439
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 21 04:03:47 2021 +0000
-
-    upstream: fix memleak in test
-    
-    OpenBSD-Regress-ID: 5e529d0982aa04666604936df43242e97a7a6f81
-
-commit 60455a5d98065a73ec9a1f303345856bbd49aecc
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 21 03:59:01 2021 +0000
-
-    upstream: also check contents of remaining string
-    
-    OpenBSD-Regress-ID: d526fa07253f4eebbc7d6205a0ab3d491ec71a28
-
-commit 39f6cd207851d7b67ca46903bfce4a9f615b5b1c
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 21 03:48:07 2021 +0000
-
-    upstream: unit test for misc.c:strdelim() that mostly servces to
-    
-    highlight its inconsistencies
-    
-    OpenBSD-Regress-ID: 8d2bf970fcc01ccc6e36a5065f89b9c7fa934195
-
-commit 7a3a1dd2c7d4461962acbcc0ebee9445ba892be0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu May 27 21:23:15 2021 +1000
-
-    Put minix3 config in the host-specific block.
-
-commit 59a194825f12fff8a7f75d91bf751ea17645711b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon May 31 06:48:42 2021 +0000
-
-    upstream: Hash challenge supplied by client during FIDO key enrollment
-    
-    prior to passing it to libfido2, which does expect a hash.
-    
-    There is no effect for users who are simply generating FIDO keys using
-    ssh-keygen - by default we generate a random 256 bit challenge, but
-    people building attestation workflows around our tools should now have
-    a more consistent experience (esp. fewer failures when they fail to
-    guess the magic 32-byte challenge length requirement).
-    
-    ok markus@
-    
-    OpenBSD-Commit-ID: b8d5363a6a7ca3b23dc28f3ca69470472959f2b5
-
-commit eb68e669bc8ab968d4cca5bf1357baca7136a826
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu May 27 21:14:15 2021 +1000
-
-    Include login_cap.h for login_getpwclass override.
-    
-    On minix3, login_getpwclass is __RENAME'ed to __login_getpwclass50 so
-    without this the include overriding login_getpwclass causes a compile
-    error.
-
-commit 2063af71422501b65c7a92a5e14c0e6a3799ed89
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu May 27 21:13:38 2021 +1000
-
-    Add minix3 test target.
-
-commit 2e1efcfd9f94352ca5f4b6958af8a454f8cf48cd
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed May 26 01:47:24 2021 +0000
-
-    upstream: fix SEGV in UpdateHostkeys debug() message, triggered
-    
-    when the update removed more host keys than remain present. Fix tested by
-    reporter James Cook, via bugs@
-    
-    OpenBSD-Commit-ID: 44f641f6ee02bb957f0c1d150495b60cf7b869d3
-
-commit 9acd76e6e4d2b519773e7119c33cf77f09534909
-Author: naddy@openbsd.org <naddy@openbsd.org>
-Date:   Sun May 23 18:22:57 2021 +0000
-
-    upstream: ssh: The client configuration keyword is
-    
-    "hostbasedacceptedalgorithms"
-    
-    This fixes a mistake that slipped in when "HostbasedKeyTypes" was
-    renamed to "HostbasedAcceptedAlgorithms".
-    
-    Bug report by zack@philomathiclife.com
-    
-    OpenBSD-Commit-ID: d745a7e8e50b2589fc56877f322ea204bc784f38
-
-commit 078a0e60c92700da4c536c93c007257828ccd05b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue May 25 11:40:47 2021 +1000
-
-    Rename README.md to ci-status.md.
-    
-    The original intent was to provide a status page for the CIs configured
-    in that directory, but it had the side effect of replacing the top-level
-    README.md.
-
-commit 7be4ac813662f68e89f23c50de058a49aa32f7e4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed May 19 01:24:05 2021 +0000
-
-    upstream: restore blocking status on stdio fds before close
-    
-    ssh(1) needs to set file descriptors to non-blocking mode to operate
-    but it was not restoring the original state on exit. This could cause
-    problems with fds shared with other programs via the shell, e.g.
-    
-    > $ cat > test.sh << _EOF
-    > #!/bin/sh
-    > {
-    >         ssh -Fnone -oLogLevel=verbose ::1 hostname
-    >         cat /usr/share/dict/words
-    > } | sleep 10
-    > _EOF
-    > $ ./test.sh
-    > Authenticated to ::1 ([::1]:22).
-    > Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
-    > Bytes per second: sent 44338.9, received 55197.4
-    > cat: stdout: Resource temporarily unavailable
-    
-    This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
-    abandons/closes them.
-    
-    This was reported as bz3280 and GHPR246; ok dtucker@
-    
-    OpenBSD-Commit-ID: 8cc67346f05aa85a598bddf2383fcfcc3aae61ce
-
-commit c4902e1a653c67fea850ec99c7537f358904c0af
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon May 17 11:43:16 2021 +0000
-
-    upstream: fix breakage of -W forwaring introduced in 1.554; reported by
-    
-    naddy@ and sthen@, ok sthen@
-    
-    OpenBSD-Commit-ID: f72558e643a26dc4150cff6e5097b5502f6c85fd
-
-commit afea01381ad1fcea1543b133040f75f7542257e6
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Mon May 17 07:22:45 2021 +0000
-
-    upstream: Regenerate moduli.
-    
-    OpenBSD-Commit-ID: 83c93a2a07c584c347ac6114d6329b18ce515557
-
-commit be2866d6207b090615ff083c9ef212b603816a56
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon May 17 09:40:23 2021 +1000
-
-    Handle Android libc returning NULL pw->pw_passwd
-    
-    Reported by Luke Dashjr
-
-commit 5953c143008259d87342fb5155bd0b8835ba88e5
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 14 05:20:32 2021 +0000
-
-    upstream: fix previous: test saved no_shell_flag, not the one that just
-    
-    got clobbered
-    
-    OpenBSD-Commit-ID: b8deace085d9d941b2d02f810243b9c302e5355d
-
-commit 1e9fa55f4dc4b334651d569d3448aaa3841f736f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 14 03:09:48 2021 +0000
-
-    upstream: Fix ssh started with ControlPersist incorrectly executing a
-    
-    shell when the -N (no shell) option was specified. bz3290 reported by Richard
-    Schwab; patch from markus@ ok me
-    
-    OpenBSD-Commit-ID: ea1ea4af16a95687302f7690bdbe36a6aabf87e1
-
-commit d1320c492f655d8f5baef8c93899d79dded217a5
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed May 12 11:34:30 2021 +0000
-
-    upstream: Clarify language about moduli. While both ends of the
-    
-    connection do need to use the same parameters (ie groups), the DH-GEX
-    protocol takes care of that and both ends do not need the same contents in
-    the moduli file, which is what the previous text suggested.  ok djm@ jmc@
-    
-    OpenBSD-Commit-ID: f0c18cc8e79c2fbf537a432a9070ed94e96a622a
-
-commit d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 7 04:11:51 2021 +0000
-
-    upstream: include pid in LogVerbose spam
-    
-    OpenBSD-Commit-ID: aacb86f96ee90c7cb84ec27452374285f89a7f00
-
-commit e3c032333be5fdbbaf2751f6f478e044922b4ec4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 7 03:09:38 2021 +0000
-
-    upstream: don't sigdie() in signal handler in privsep child process;
-    
-    this can end up causing sandbox violations per bz3286; ok dtucker@
-    
-    OpenBSD-Commit-ID: a7f40b2141dca4287920da68ede812bff7ccfdda
-
-commit a4039724a3f2abac810735fc95cf9114a3856049
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri May 7 09:23:40 2021 +0000
-
-    upstream: Increase ConnectionAttempts from 4 to 10 as the tests
-    
-    occasionally time out on heavily loaded hosts.
-    
-    OpenBSD-Regress-ID: 29a8cdef354fc9da471a301f7f65184770434f3a
-
-commit c0d7e36e979fa3cdb60f5dcb6ac9ad3fd018543b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 7 02:26:55 2021 +0000
-
-    upstream: dump out a usable private key string too; inspired by Tyson
-    
-    Whitehead
-    
-    OpenBSD-Regress-ID: 65572d5333801cb2f650ebc778cbdc955e372058
-
-commit 24fee8973abdf1c521cd2c0047d89e86d9c3fc38
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri May 7 02:29:40 2021 +0000
-
-    upstream: correct mistake in spec - the private key blobs are encoded
-    
-    verbatim and not as strings (i.e. no 4-byte length header)
-    
-    OpenBSD-Commit-ID: 3606b5d443d72118c5b76c4af6dd87a5d5a4f837
-
-commit f43859159cc62396ad5d080f0b1f2635a67dac02
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue May 4 22:53:52 2021 +0000
-
-    upstream: Don't pass NULL as a string in debugging as it does not work
-    
-    on some platforms in -portable.  ok djm@
-    
-    OpenBSD-Commit-ID: 937c892c99aa3c9c272a8ed78fa7c2aba3a44fc9
-
-commit ac31aa3c6341905935e75f0539cf4a61bbe99779
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon May 3 00:16:45 2021 +0000
-
-    upstream: more debugging for UpdateHostKeys signature failures
-    
-    OpenBSD-Commit-ID: 1ee95f03875e1725df15d5e4bea3e73493d57d36
-
-commit 8e32e97e788e0676ce83018a742203614df6a2b3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat May 1 20:07:47 2021 +1000
-
-    Add obsd69 test target.
-
-commit f06893063597c5bb9d9e93f851c4070e77d2fba9
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 30 04:29:53 2021 +0000
-
-    upstream: a little debugging in the main mux process for status
-    
-    confirmation failures in multiplexed sessions
-    
-    OpenBSD-Commit-ID: 6e27b87c95176107597035424e1439c3232bcb49
-
-commit e65cf00da6bc31e5f54603b7feb7252dc018c033
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Apr 30 04:02:52 2021 +0000
-
-    upstream: Remove now-unused skey function prototypes leftover from
-    
-    skey removal.
-    
-    OpenBSD-Commit-ID: 2fc36d519fd37c6f10ce74854c628561555a94c3
-
-commit ae5f9b0d5c8126214244ee6b35aae29c21028133
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 29 13:01:50 2021 +1000
-
-    Wrap sntrup761x25519 inside ifdef.
-    
-    From balu.gajjala at gmail.com via bz#3306.
-
-commit 70a8dc138a6480f85065cdb239915ad4b7f928cf
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 28 14:44:07 2021 +1000
-
-    Add status badges for Actions-based tests.
-
-commit 40b59024cc3365815381474cdf4fe423102e391b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 28 12:22:11 2021 +1000
-
-    Add obsdsnap (OpenBSD snapshot) test target.
-
-commit e627067ec8ef9ae8e7a638f4dbac91d52dee3e6d
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 28 11:35:28 2021 +1000
-
-    Add test building upstream OpenBSD source.
-
-commit 1b8108ebd12fc4ed0fb39ef94c5ba122558ac373
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Apr 27 14:22:20 2021 +1000
-
-    Test against OpenSSL 1.1.0h instead of 1.1.0g.
-    
-    1.1.0g requires a perl glob module that's not installed by default.
-
-commit 9bc20efd39ce8525be33df3ee009f5a4564224f1
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Apr 27 12:37:59 2021 +1000
-
-    Use the default VM type for libcrypto ver tests.
-
-commit 9f79e80dc40965c2e73164531250b83b176c1eea
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Apr 27 12:24:10 2021 +1000
-
-    Always build OpenSSL shared.
-    
-    This is the default for current versions but we need it to test against
-    earlier versions.
-
-commit b3cc9fbdff2782eca79e33e02ac22450dc63bce9
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Apr 27 09:18:02 2021 +1000
-
-    Fix custom OpenSSL tests.
-    
-    Check out specified OpenSSL version.  Install custom libcrypto where
-    configure expects to find it.  Remove unneeded OpenSSL config time
-    options.  Older OpenSSL versions were not make -j safe so remove it.
-
-commit 77532609874a99a19e3e2eb2d1b7fa93aef963bb
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 17:18:25 2021 +1000
-
-    Export CC and CFLAGS for c89 test.
-
-commit 33f62dfbe865f4de77980ab88774bf1eb5e4e040
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 17:13:44 2021 +1000
-
-    Add c89 here too.
-
-commit da9d59f526fce58e11cba49cd8eb011dc0bf5677
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 15:34:23 2021 +1000
-
-    Add test against OpenSSL w/out ECC.
-
-commit 29e194a752359ebf85bf7fce100f23a0477fc4de
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 14:49:59 2021 +1000
-
-    Ensure we can still build with C89.
-
-commit a38016d369d21df5d35f761f2b67e175e132ba22
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 14:29:03 2021 +1000
-
-    Interop test agains PuTTY.
-
-commit 095b0307a77be8803768857cc6c0963fa52ed85b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 14:02:03 2021 +1000
-
-    Support testing against arbitary libcrytpo vers.
-    
-    Add tests against various LibreSSL and OpenSSL versions.
-
-commit b16082aa110fa7128ece2a9037ff420c4a285317
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 26 13:35:44 2021 +1000
-
-    Add fbsd10 test target.
-
-commit 2c805f16b24ea37cc051c6018fcb05defab6e57a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sun Apr 25 14:15:02 2021 +1000
-
-    Disable compiler hardening on nbsd4.
-    
-    The system compiler supports -fstack-protector-all, but using it will
-    result in an internal compiler error on some files.
-
-commit 6a5d39305649da5dff1934ee54292ee0cebd579d
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sun Apr 25 13:01:34 2021 +1000
-
-    Add nbsd3, nbsd4 and nbsd9 test targets.
-
-commit d1aed05bd2e4ae70f359a394dc60a2d96b88f78c
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Apr 24 22:03:46 2021 +1000
-
-    Comment out nbsd2 test target for now.
-
-commit a6b4ec94e5bd5a8a18cd2c9942d829d2e5698837
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Apr 24 17:52:24 2021 +1000
-
-    Add OPENBSD ORIGINAL marker.
-
-commit 3737c9f66ee590255546c4b637b6d2be669a11eb
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 19:49:46 2021 +1000
-
-    Replace "==" (a bashism) with "=".
-
-commit a116b6f5be17a1dd345b7d54bf8aa3779a28a0df
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 16:34:48 2021 +1000
-
-    Add nbsd2 test target.
-
-commit 196bf2a9bb771f45d9b0429cee7d325962233c44
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 14:54:10 2021 +1000
-
-    Add obsd68 test target.
-
-commit e3ba6574ed69e8b7af725cf5e8a9edaac04ff077
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 14:53:32 2021 +1000
-
-    Remove dependency on bash.
-
-commit db1f9ab8feb838aee9f5b99c6fd3f211355dfdcf
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 14:41:13 2021 +1000
-
-    Add obsd67 test target.
-
-commit c039a6bf79192fe1daa9ddcc7c87dd98e258ae7c
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 11:08:23 2021 +1000
-
-    Re-add macos-11.0 test target.
-
-commit a6db3a47b56adb76870d59225ffb90a65bc4daf2
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 10:28:28 2021 +1000
-
-    Add openindiana test target.
-
-commit 3fe7e73b025c07eda46d78049f1da8ed7dfc0c69
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 23 10:26:35 2021 +1000
-
-    Test krb5 on Solaris 11 too.
-
-commit f57fbfe5eb02df1a91f1a237c4d27165afd87c13
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 22 22:27:26 2021 +1000
-
-    Don't always set SUDO.
-    
-    Rely on sourcing configs to set as appropriate.
-
-commit e428f29402fb6ac140b52f8f12e06ece7bb104a0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 22 22:26:08 2021 +1000
-
-    Remove now-unused 2nd arg to configs.
-
-commit cb4ff640d79b3c736879582139778f016bbb2cd7
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 21 01:08:04 2021 +1000
-
-    Add win10 test target.
-
-commit 4457837238072836b2fa3107d603aac809624983
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Apr 20 23:31:29 2021 +1000
-
-    Add nbsd8 test target.
-
-commit bd4fba22e14da2fa196009010aabec5a8ba9dd42
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Apr 17 09:55:47 2021 +1000
-
-    Add obsd51 target.
-
-commit 9403d0e805c77a5741ea8c3281bbe92558c2f125
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Fri Apr 16 18:14:25 2021 +1000
-
-    Add fbsd13 target.
-
-commit e86968280e358e62649d268d41f698d64d0dc9fa
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Apr 16 13:55:25 2021 +1000
-
-    depend
-
-commit 2fb25ca11e8b281363a2a2a4dec4c497a1475d9a
-Author: Damien Miller <djm@mindrot.org>
-Date:   Fri Apr 16 13:53:02 2021 +1000
-
-    crank version in README and RPM spec files
-
-commit b2b60ebab0cb77b5bc02d364d72e13db882f33ae
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Apr 16 03:42:00 2021 +0000
-
-    upstream: openssh-8.6
-    
-    OpenBSD-Commit-ID: b5f3e133c846127ec114812248bc17eff07c3e19
-
-commit faf2b86a46c9281d237bcdec18c99e94a4eb820a
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Thu Apr 15 16:24:31 2021 +0000
-
-    upstream: do not pass file/func to monitor; noted by Ilja van Sprundel;
-    
-    ok djm@
-    
-    OpenBSD-Commit-ID: 85ae5c063845c410283cbdce685515dcd19479fa
-
-commit 2dc328023f60212cd29504fc05d849133ae47355
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Apr 14 11:42:55 2021 +1000
-
-    sshd don't exit on transient read errors
-    
-    openssh-8.5 introduced a regression that would cause sshd to exit
-    because of transient read errors on the network socket (e.g. EINTR,
-    EAGAIN). Reported by balu.gajjala AT gmail.com via bz3297
-
-commit d5d6b7d76d171a2e6861609dcd92e714ee62ad88
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Apr 10 18:45:00 2021 +1000
-
-    perform report_failed_grab() inline
-
-commit ea996ce2d023aa3c6d31125e2c3ebda1cb42db8c
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Apr 10 18:22:57 2021 +1000
-
-    dedicated gnome-ssk-askpass3 source
-    
-    Compatibility with Wayland requires that we use the gdk_seat_grab()
-    API for grabbing mouse/keyboard, however these API don't exist in
-    Gtk+2.
-    
-    This branches gnome-ssk-askpass2.c => gnome-ssk-askpass3.c and
-    makes the changes to use the gdk_seat_grab() instead of grabbing
-    mouse/focus separately via GDK.
-    
-    In the future, we can also use the branched file to avoid some
-    API that has been soft-deprecated in GTK+3, e.g. gtk_widget_modify_fg
-
-commit bfa5405da05d906ffd58216eb77c4375b62d64c2
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 8 15:18:15 2021 +1000
-
-    Ensure valgrind-out exists.
-    
-    Normally the regress tests would create it, but running the unit tests
-    on their own would fail because the directory did not exist.
-
-commit 1f189181f3ea09a9b08aa866f78843fec800874f
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 8 15:17:19 2021 +1000
-
-    Pass OBJ to unit test make invocation.
-    
-    At least the Valgrind unit tests uses $OBJ.
-
-commit f42b550c281d28bd19e9dd6ce65069164f3482b0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 8 14:20:12 2021 +1000
-
-    Add pattern for valgrind-unit.
-
-commit 19e534462710e98737478fd9c44768b50c27c4c6
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 8 13:31:08 2021 +1000
-
-    Run unit tests under valgrind.
-    
-    Run a separate build for the unit tests under Valgrind.  They take long
-    enough that running in parallel with the other Valgrind tests helps.
-
-commit 80032102d05e866dc2a48a5caf760cf42c2e090e
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Apr 8 13:25:57 2021 +1000
-
-    ifdef out MIN and MAX.
-    
-    In -portable, defines.h ensures that these are defined, so redefining
-    potentially causes a warning.  We don't just delete it to make any
-    future code syncs a little but easier.  bz#3293.
-
-commit d1bd184046bc310c405f45da3614a1dc5b3e521a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 7 10:23:51 2021 +1000
-
-    Remove only use of warn().
-    
-    The warn() function is only used in one place in portable and does not
-    exist upstream.  Upgrade the only instance it's used to fail()
-    (the privsep/sandbox+proxyconnect, from back when that was new) and
-    remove the now-unused function.
-
-commit fea8f4b1aa85026ad5aee5ad8e1599a8d5141fe0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 7 10:18:32 2021 +1000
-
-    Move make_tmpdir() into portable-specific area.
-    
-    Reduces diff vs OpenBSD and makes it more likely diffs will apply
-    cleanly.
-
-commit 13e5fa2acffd26e754c6ee1d070d0afd035d4cb7
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Apr 6 23:57:56 2021 +0000
-
-    upstream: Add TEST_SSH_ELAPSED_TIMES environment variable to print the
-    
-    elapsed time in seconds of each test.  This depends on "date +%s" which is
-    not specified by POSIX but is commonly implemented.
-    
-    OpenBSD-Regress-ID: ec3c8c19ff49b2192116a0a646ee7c9b944e8a9c
-
-commit ef4f46ab4387bb863b471bad124d46e8d911a79a
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 7 09:59:15 2021 +1000
-
-    Move the TEST_SSH_PORT section down a bit.
-    
-    This groups the portable-specific changes together and makes it a
-    little more likely that patches will apply cleanly.
-
-commit 3674e33fa70dfa1fe69b345bf576113af7b7be11
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Apr 7 10:05:10 2021 +1000
-
-    Further split Valgrind tests.
-    
-    Even split in two, the Valgrind tests take by far the longest to run,
-    so split them four ways to further increase parallelism.
-
-commit 961af266b861e30fce1e26170ee0dbb5bf591f29
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Apr 6 23:24:30 2021 +0000
-
-    upstream: include "ssherr.h" not <ssherr.h>; from Balu Gajjala via
-    
-    bz#3292
-    
-    OpenBSD-Commit-ID: e9535cd9966eb2e69e73d1ede1f44905c30310bd
-
-commit e7d0a285dbdd65d8df16123ad90f15e91862f959
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Apr 7 08:50:38 2021 +1000
-
-    wrap struct rlimit in HAVE_GETRLIMIT too
-
-commit f283a6c2e0a9bd9369e18462acd00be56fbe5b0d
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Apr 7 08:20:35 2021 +1000
-
-    wrap getrlimit call in HAVE_GETRLIMIT; bz3291
-
-commit 679bdc4a5c9244f427a7aee9c14b0a0ed086da1f
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Apr 6 09:07:33 2021 +0000
-
-    upstream: Don't check return value of unsetenv(). It's part of the
-    
-    environment setup and not part of the actual test, and some platforms
-    -portable runs on declare it as returning void, which prevents the test from
-    compiling.
-    
-    OpenBSD-Regress-ID: 24f08543ee3cdebc404f2951f3e388cc82b844a1
-
-commit 320af2f3de6333aa123f1b088eca146a245e968a
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Sun Apr 4 11:36:56 2021 +0000
-
-    upstream: remove stray inserts; from matthias schmidt
-    
-    OpenBSD-Commit-ID: 2c36ebdc54e14bbf1daad70c6a05479a073d5c63
-
-commit 801f710953b24dd2f21939171c622eac77c7484d
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Sun Apr 4 06:11:24 2021 +0000
-
-    upstream: missing comma; from kawashima james
-    
-    OpenBSD-Commit-ID: 31cec6bf26c6db4ffefc8a070715ebef274e68ea
-
-commit b3ca08cb174266884d44ec710a84cd64c12414ea
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Apr 5 23:46:42 2021 +1000
-
-    Install libcbor with libfido2.
-
-commit f3ca8af87a4c32ada660da12ae95cf03d190c083
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Apr 3 18:21:08 2021 +1100
-
-    enable authopt and misc unit tests
-    
-    Neither were wired into the build, both required some build
-    adaptations for -portable
-
-commit dc1b45841fb97e3d7f655ddbcfef3839735cae5f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 06:58:30 2021 +0000
-
-    upstream: typos in comments; GHPR#180 from Vill
-    
-    =?UTF-8?q?e=20Skytt=C3=A4?=
-    MIME-Version: 1.0
-    Content-Type: text/plain; charset=UTF-8
-    Content-Transfer-Encoding: 8bit
-    
-    OpenBSD-Commit-ID: 93c732381ae0e2b680c79e67c40c1814b7ceed2c
-
-commit 53ea05e09b04fd7b6dea66b42b34d65fe61b9636
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 06:55:52 2021 +0000
-
-    upstream: sync CASignatureAlgorithms lists with reality. GHPR#174 from
-    
-    Matt Hazinski
-    
-    OpenBSD-Commit-ID: f05e4ca54d7e67b90fe58fe1bdb1d2a37e0e2696
-
-commit 57ed647ee07bb883a2f2264231bcd1df6a5b9392
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Apr 3 17:47:37 2021 +1100
-
-    polish whitespace for portable files
-
-commit 31d8d231eb9377df474746a822d380c5d68d7ad6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 06:18:40 2021 +0000
-
-    upstream: highly polished whitespace, mostly fixing spaces-for-tab
-    
-    and bad indentation on continuation lines. Prompted by GHPR#185
-    
-    OpenBSD-Commit-ID: e5c81f0cbdcc6144df1ce468ec1bac366d8ad6e9
-
-commit 34afde5c73b5570d6f8cce9b49993b23b77bfb86
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 05:54:14 2021 +0000
-
-    upstream: whitespace (tab after space)
-    
-    OpenBSD-Commit-ID: 0e2b3f7674e985d3f7c27ff5028e690ba1c2efd4
-
-commit 7cd262c1c5a08cc7f4f30e3cab108ef089d0a57b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Apr 3 16:59:10 2021 +1100
-
-    Save config.h and config.log on failure too.
-
-commit 460aee9298f365357e9fd26851c22e0dca51fd6a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 05:46:41 2021 +0000
-
-    upstream: fix incorrect plural; from Ville Skyt
-    
-    =?UTF-8?q?t=C3=A4=20via=20GHPR#181?=
-    MIME-Version: 1.0
-    Content-Type: text/plain; charset=UTF-8
-    Content-Transfer-Encoding: 8bit
-    
-    OpenBSD-Commit-ID: 92f31754c6296d8f403d7c293e09dc27292d22c9
-
-commit 082804c14e548cada75c81003a3c68ee098138ee
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 05:40:39 2021 +0000
-
-    upstream: ensure that pkcs11_del_provider() is called before exit -
-    
-    some PKCS#11 providers get upset if C_Initialize is not matched with
-    C_Finalize.
-    
-    From Adithya Baglody via GHPR#234; ok markus
-    
-    OpenBSD-Commit-ID: f8e770e03b416ee9a58f9762e162add900f832b6
-
-commit 464ebc82aa926dd132ec75a0b064574ef375675e
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 05:28:43 2021 +0000
-
-    upstream: unused variable
-    
-    OpenBSD-Commit-ID: 85f6a394c8e0f60d15ecddda75176f112007b205
-
-commit dc3c0be8208c488e64a8bcb7d9efad98514e0ffb
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sat Apr 3 05:21:46 2021 +0000
-
-    upstream: Fix two problems in string->argv conversion: 1) multiple
-    
-    backslashes were not being dequoted correctly and 2) quoted space in the
-    middle of a string was being incorrectly split.
-    MIME-Version: 1.0
-    Content-Type: text/plain; charset=UTF-8
-    Content-Transfer-Encoding: 8bit
-    
-    A unit test for these cases has already been committed
-    
-    prompted by and based on GHPR#223 by Eero Häkkinen; ok markus@
-    
-    OpenBSD-Commit-ID: d7ef27abb4eeeaf6e167e9312e4abe9e89faf1e4
-
-commit f75bcbba58a08c670727ece5e3f8812125969799
-Author: Damien Miller <djm@mindrot.org>
-Date:   Sat Apr 3 16:22:48 2021 +1100
-
-    missing bits from 259d648e
-
-commit 4cbc4a722873d9b68cb5496304dc050d7168df78
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Mar 31 21:59:26 2021 +0000
-
-    upstream: cannot effectively test posix-rename extension after
-    
-    changes in feature advertisment.
-    
-    OpenBSD-Regress-ID: 5e390bf88d379162aaa81b60ed86b34cb0c54d29
-
-commit 259d648e63e82ade4fe2c2c73c8b67fe57d9d049
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Mar 19 04:23:50 2021 +0000
-
-    upstream: add a test for misc.c:argv_split(), currently fails
-    
-    OpenBSD-Regress-ID: ad6b96d6ebeb9643b698b3575bdd6f78bb144200
-
-commit 473ddfc2d6b602cb2d1d897e0e5c204de145cd9a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Mar 19 03:25:01 2021 +0000
-
-    upstream: split
-    
-    OpenBSD-Regress-ID: f6c03c0e4c58b3b9e04b161757b8c10dc8378c34
-
-commit 1339800fef8d0dfbfeabff71b34670105bcfddd2
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Mar 31 22:16:34 2021 +0000
-
-    upstream: Use new limits@openssh.com protocol extension to let the
-    
-    client select good limits based on what the server supports. Split the
-    download and upload buffer sizes to allow them to be chosen independently.
-    
-    In practice (and assuming upgraded sftp/sftp-server at each end), this
-    increases the download buffer 32->64KiB and the upload buffer
-    32->255KiB.
-    
-    Patches from Mike Frysinger; ok dtucker@
-    
-    OpenBSD-Commit-ID: ebd61c80d85b951b794164acc4b2f2fd8e88606c
-
-commit 6653c61202d104e59c8e741329fcc567f7bc36b8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Mar 31 21:58:07 2021 +0000
-
-    upstream: do not advertise protocol extensions that have been
-    
-    disallowed by the command-line options (e.g. -p/-P/-R); ok dtucker@
-    
-    OpenBSD-Commit-ID: 3a8a76b3f5131741aca4b41bfab8d101c9926205
-
-commit 71241fc05db4bbb11bb29340b44b92e2575373d8
-Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Mar 29 15:14:25 2021 +1100
-
-    gnome-ssh-askpass3 is a valid target here
-
-commit 8a9520836e71830f4fccca066dba73fea3d16bda
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Mar 19 02:22:34 2021 +0000
-
-    upstream: return non-zero exit status when killed by signal; bz#3281 ok
-    
-    dtucker@
-    
-    OpenBSD-Commit-ID: 117b31cf3c807993077b596bd730c24da9e9b816
-
-commit 1269b8a686bf1254b03cd38af78167a04aa6ec88
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Mar 19 02:18:28 2021 +0000
-
-    upstream: increase maximum SSH2_FXP_READ to match the maximum
-    
-    packet size. Also handle zero-length reads that are borderline nonsensical
-    but not explicitly banned by the spec. Based on patch from Mike Frysinger,
-    feedback deraadt@ ok dtucker@
-    
-    OpenBSD-Commit-ID: 4e67d60d81bde7b84a742b4ee5a34001bdf80d9c
-
-commit 860b67604416640e8db14f365adc3f840aebcb1f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Mar 16 06:15:43 2021 +0000
-
-    upstream: don't let logging clobber errno before use
-    
-    OpenBSD-Commit-ID: ce6cca370005c270c277c51c111bb6911e1680ec
diff --git a/crypto/openssh/README b/crypto/openssh/README
index 796101c7abef..fc73a2f2e872 100644
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#9.3p1 for the release
+See https://www.openssh.com/releasenotes.html#9.3p2 for the release
 notes.
 
 Please read https://www.openssh.com/report.html for bug reporting
diff --git a/crypto/openssh/contrib/redhat/openssh.spec b/crypto/openssh/contrib/redhat/openssh.spec
index a665aa20bc1f..de60b5c4fb60 100644
--- a/crypto/openssh/contrib/redhat/openssh.spec
+++ b/crypto/openssh/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%global ver 9.3p1
+%global ver 9.3p2
 %global rel 1%{?dist}
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/crypto/openssh/contrib/suse/openssh.spec b/crypto/openssh/contrib/suse/openssh.spec
index 406b7c0b8606..c68c85da0348 100644
--- a/crypto/openssh/contrib/suse/openssh.spec
+++ b/crypto/openssh/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	9.3p1
+Version:	9.3p2
 URL:		https://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index e1fe387ebaf5..666c8b32253f 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -107,9 +107,27 @@ environment variable).
 .It Fl O Ar option
 Specify an option when starting
 .Nm .
-Currently only one option is supported:
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
 .Cm no-restrict-websafe .
-This instructs
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
 .Nm
 to permit signatures using FIDO keys that might be web authentication
 requests.
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index fa85e204f28d..14650396a1e4 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
 /* Pattern-list of allowed PKCS#11/Security key paths */
 static char *allowed_providers;
 
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by session-bind@openssh.com).
+ */
+static int remote_add_provider;
+
 /* locking */
 #define LOCK_SIZE	32
 #define LOCK_SALT_SIZE	16
@@ -1246,6 +1252,12 @@ process_add_identity(SocketEntry *e)
 		if (strcasecmp(sk_provider, "internal") == 0) {
 			debug_f("internal provider");
 		} else {
+			if (e->nsession_ids != 0 && !remote_add_provider) {
+				verbose("failed add of SK provider \"%.100s\": "
+				    "remote addition of providers is disabled",
+				    sk_provider);
+				goto out;
+			}
 			if (realpath(sk_provider, canonical_provider) == NULL) {
 				verbose("failed provider \"%.100s\": "
 				    "realpath: %s", sk_provider,
@@ -1409,6 +1421,11 @@ process_add_smartcard_key(SocketEntry *e)
 		error_f("failed to parse constraints");
 		goto send;
 	}
+	if (e->nsession_ids != 0 && !remote_add_provider) {
+		verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+		    "providers is disabled", provider);
+		goto send;
+	}
 	if (realpath(provider, canonical_provider) == NULL) {
 		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
 		    provider, strerror(errno));
@@ -2073,7 +2090,9 @@ main(int ac, char **av)
 			break;
 		case 'O':
 			if (strcmp(optarg, "no-restrict-websafe") == 0)
-				restrict_websafe  = 0;
+				restrict_websafe = 0;
+			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+				remote_add_provider = 1;
 			else
 				fatal("Unknown -O option");
 			break;
diff --git a/crypto/openssh/ssh-pkcs11.c b/crypto/openssh/ssh-pkcs11.c
index 6be647ec443c..ebddf6c3a250 100644
--- a/crypto/openssh/ssh-pkcs11.c
+++ b/crypto/openssh/ssh-pkcs11.c
@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
 		error("dlopen %s failed: %s", provider_id, dlerror());
 		goto fail;
 	}
-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
-		goto fail;
-	}
+	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
 	p = xcalloc(1, sizeof(*p));
 	p->name = xstrdup(provider_id);
 	p->handle = handle;
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 3540210daaee..30655ee03582 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -105,7 +105,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20230316
+#VersionAddendum FreeBSD-20230719
 
 # no default banner path
 #Banner none
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index bbddec50a2e9..aae830c08a83 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1930,7 +1930,7 @@ The default is
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
-.Qq FreeBSD-20230316 .
+.Qq FreeBSD-20230719 .
 The value
 .Cm none
 may be used to disable this.
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 24c778283020..7132fd7b0780 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -2,7 +2,7 @@
 
 #define SSH_VERSION	"OpenSSH_9.3"
 
-#define SSH_PORTABLE	"p1"
+#define SSH_PORTABLE	"p2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 
-#define SSH_VERSION_FREEBSD	"FreeBSD-20230316"
+#define SSH_VERSION_FREEBSD	"FreeBSD-20230719"