| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
This doesn't actually do anything useful, since getifaddrs() will only
return supported addresses. The root cause of the issue described in
the PR lies earlier in the connection timeline, around the start of the
ssh_create_socket() function.
This reverts commit e5ff8e7977434b150a66bb3e472c6d0e0f644cfa.
PR: 195231
|
| |
|
|
|
|
|
|
|
|
|
| |
When selecting an address to bind to, skip IPv4 addresses if the kernel
does not support the inet feature, and IPv6 addresses if the kernel does
not support the inet6 feature.
PR: 195231
MFC after: 1 week
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D53561
|
| |
|
|
|
|
|
|
|
| |
Apply openssh-portable commit 8b6c1f402feb by deraadt@openbsd.org
Obtained from: openssh-portable
PR: 288773
Reported by: wosch
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
|
|
| |
BLOCKLIST_NOTIFY() is called within a signal handler for the alarm after
the grace period has expired that may only take async-signal safe
actions.
Reviewed by: emaste
Fixes: e02003bce726 ("openssh: blocklist: Use NetBSD probes")
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D53109
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Follow up upstream rename from blacklist to blocklist.
- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
warning
- Old MK_BLACKLIST* knobs are wired to the new ones
Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code. If issues arise, it
will be swiftly reverted.
Reviewed by: ivy (pkgbase)
Approved by: emaste (mentor)
MFC after: 2 days
Relnotes: yes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use NetBSD probe locations for consistency. We have submitted all
improved or missing probes, keeping them synchronized with NetBSD (our
blocklist upstream) should simplify upgrades and maintenance, as the
locations of these probes are a moving target, depending on upstream
OpenSSH changes.
Additionally, use BLACKLIST_AUTH_FAIL exclusively for now. At the time
of this commit BLACKLIST_BAD_USER, is a no-op. However, it will change
in a future upgrade.
Also, enhance blacklist notification messages for better debugging by
making them more descriptive.
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52749
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f88 and later extended it to the client in
commit 9e2cbe04ff4f.
In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10. They did not add client support.
We removed the client support in commit bffe60ead024 ("ssh: retire
client VersionAddendum").
As of the 10.0p2 release upstream has added client-side VersionAddendum.
Make note of this in FREEBSD-upgrade's patches section.
Sponsored by: The FreeBSD Foundation
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Full release notes are available at
https://www.openssh.com/txt/release-10.0
Selected highlights from the release notes:
Potentially-incompatible changes
- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]
- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.
- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.
Security
- sshd(8): fix the DisableForwarding directive, which was failing to
disable X11 forwarding and agent forwarding as documented.
[This change was previously merged to FreeBSD main.]
New features
- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
used by default for key agreement.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
|
| | |
| |
| |
| |
| |
| | |
This reverts commit 239e8c98636a7578cc67a6f9d54d14c71b095e36.
Fixes: 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) [...]")
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Current and traditional FreeBSD behavior means that getegid() here is
the first element in the prior setgroups() call, if any, so we may
inadvertently wipe out our rgid with the unprivileged gid. This is
rendered somewhat harmless by the fact that we're losing the privileged
gid -- we'll still regain it as the egid in restore_uid() later by way
of restoring saved_egroups, rather than by intentionally restoring it
from getgid().
This will be promptly reverted if we can get setgroups(2)/getgroups(2)
changed in FreeBSD 15.0, but it seemed wise to get this technically
correct for previous branches.
Reviewed by: jlduran
Differential Revision: https://reviews.freebsd.org/D51753
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This stub isn't actually used on modern versions of OpenSSL for which
OpenSSH uses EVP_CIPHER_CTX_get_updated_iv instead via a wrapper macro.
However, the wrapper macro conflicted with the existing namespace
macro triggering an error on GCC:
In file included from crypto/openssh/sshd-session.c:65:
crypto/openssh/openbsd-compat/openssl-compat.h:71:11: error: "EVP_CIPHER_CTX_get_iv" redefined [-Werror]
71 | # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
| ^~~~~~~~~~~~~~~~~~~~~
In file included from <command-line>:
crypto/openssh/ssh_namespace.h:12:9: note: this is the location of the previous definition
12 | #define EVP_CIPHER_CTX_get_iv Fssh_EVP_CIPHER_CTX_get_iv
| ^~~~~~~~~~~~~~~~~~~~~
The error was masked on clang due to MIT krb5 adding a blanket
-Wno-macro-redefined. Building sshd-session without Kerberos support
was sufficient to trigger a warning from clang.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51810
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This was previously included due to nested includes in Heimdal's
headers. Without this, the build fails with an error due to redefining
AT_FDCWD.
clang:
In file included from crypto/openssh/sshd-session.c:46:
/usr/obj/.../tmp/usr/include/fcntl.h:232:9: error: 'AT_FDCWD' macro redefined [-Werror,-Wmacro-redefined]
232 | #define AT_FDCWD -100
| ^
crypto/openssh/openbsd-compat/bsd-misc.h:69:10: note: previous definition is here
69 | # define AT_FDCWD (-2)
| ^
GCC (can't be disabled):
In file included from crypto/openssh/sshd-session.c:46:
sys/sys/fcntl.h:232:9: error: "AT_FDCWD" redefined [-Werror]
232 | #define AT_FDCWD -100
| ^~~~~~~~
In file included from crypto/openssh/openbsd-compat/openbsd-compat.h:218,
from crypto/openssh/includes.h:173,
from crypto/openssh/sshd-session.c:30:
openssh/openbsd-compat/bsd-misc.h:69:10: note: this is the location of the previous definition
69 | # define AT_FDCWD (-2)
| ^~~~~~~~
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51809
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Upstream had a poor description for KbdInteractiveAuthentication prior
to the 10.0p2 release. We use KbdInteractiveAuthentication for PAM
authentication, and we replaced the poor description with a note about
use by PAM.
In 10.0p2 the upstream description has been fixed. Incorporate that
text now as it is an improvement and avoids a conflict in the upcoming
10.0p2 import.
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.
Add MIT KRB5 LIBS and INCLUDES to the openssh build.
Sponsored by: The FreeBSD Foundation
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D50782
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The net result of this change is the removal of a few comments from
config.h; it has no direct user-facing impact as DSA was already
disabled as of commit 0b707d5fe8b6 ("ssh: Disable support for DSA
keys").
Reviewed by: jlduran, philip
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D49739
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
DSA is deprecated and upstream OpenSSH is in the process of removing it.
From OpenSSH-portable 10.0, cherry-pick the configure change so that we
can independently decide what to merge to stable branches.
This change has no direct user-facing impact, as the upstream configure
script is not used in the FreeBSD build process. It is worth noting as
part of OpenSSH's full removal of DSA support.
Reviewed by: jlduran, philip
Relnotes: Yes
Obtained from: OpenSSH-portable 6c9872faa1c2
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This option was documented as disabling X11 and agent forwarding but it
failed to do so. Spotted by Tim Rice.
Obtained from: OpenBSD d31ec64016fc
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In version 9.8, the server was split into a listener binary, sshd(8),
and a per-session binary "sshd-session".
Our blacklistd changes also have to be moved from sshd.c to
sshd-session.c.
Reviewed by: emaste
Approved by: emaste (mentor)
Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D49116
|
| | |
| |
| |
| |
| |
| |
| | |
Our class-based login restrictions patch was merged upstream in commit
c276672fc0e9 ("Class-imposed login restrictions").
Sponsored by: The FreeBSD Foundation
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This release exists primarily to fix two security bugs. The fixes have
been independently imported into FreeBSD. This import serves to update
the ssh and sshd version number.
A few minor bug fixes are also included; see the upstream release notes
for full details of the 9.9p2 release
(https://www.openssh.com/releasenotes.html).
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| | |
We use the source mdoc man pages (i.e., ssh-sk-helper.8) not the
rendered ones included in the OpenSSH releases.
Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")
Sponsored by: The FreeBSD Foundation
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.
See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* ssh(1): remove support for pre-authentication compression.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters.
New features
------------
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
Bugfixes
--------
* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733
* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503
* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.
* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725
* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505
---
Reviewed by: jlduran (build infrastructure)
Reviewed by: cy (build infrastructure)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
New features
------------
* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479
---
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In 2000 (commit a95c1225217b) we changed the CheckHostIP default to
"no". We added text to ssh_config(5) documenting FreeBSD's default.
In 2021 OpenSSH made the same change, released with OpenSSH 8.5p1.
When we imported the update the added text remained, resulting in:
If the option is set to no (the default), the check will not be
executed. The default is no.
Remove the now-redundant text.
Fixes: 206be79acbde ("Vendor import of OpenSSH 8.5p1")
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| | |
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| | |
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| | |
Obtained from: OpenSSH 5e07dee272c3
Security: CVE-2025-26466
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSH-portable had a configure bug that prevented it from detecting
OpenSSL ED25519 support, fixed in 8d0e46c1ddb5 ("Fix OpenSSL ED25519
support detection"). This will come in with the OpenSSH 9.8p1 update,
but fix the error in config.h now.
Reported by: jlduran
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48942
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is the upstream default -- from the 9.8p1 release notes:
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.
DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.
This release, and its deactivation of DSA by default at compile-time,
marks the second step in our timeline to finally deprecate DSA. The
final step of removing DSA support entirely is planned for the first
OpenSSH release of 2025.
---
The config.h comment /* DSA keys explicitly enabled */ is somewhat
confusing, but this is what upstream's ./configure generates.
Reviewed by: jlduran
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48910
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.
Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907
|
| | |
| |
| |
| |
| | |
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| | |
Reported by: markj
Fixes: 2739a6845031 ("sshd: remove blacklist call from grace_alarm_...")
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Under certain circumstances it may call log(3), which is not async-
signal-safe.
For now just remove the blacklist integration from this path, which
means that blacklistd will not detect and firewall hosts that establish
a connection but do nothing further.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46203
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@
OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
Obtained from: openssh-portable 146c420d29d0
Reviewed by: gordon
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Autoconf 2.72 uses '' rather tha `' in comments in config.h, from
autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead
of `like this'").
Switch quoting style now to minimize diffs on the next OpenSSH update
and config.h regen.
Reviewed by: gordon, philip
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45840
|
| | |
| |
| |
| |
| |
| |
| | |
Reported by: Qualys Threat Research Unit (TRU)
Approved by: so
Security: FreeBSD-SA-24:04.openssh
Security: CVE-2024-6387
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Support for a client VersionAddendum was removed in bffe60ead024, but
the option was retained (as oDeprecated) as a transition aid.
Sufficient time has passed that it can be removed.
Sponsored by: The FreeBSD Foundation
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This release contains mostly bugfixes.
It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.
Full release notes at https://www.openssh.com/txt/release-9.7
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
Approved by: so (implicit)
Obtained from: https://anongit.mindrot.org/openssh.git/patch/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Security: CVE-2023-48795
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Excerpts from the release notes:
Potentially incompatible changes
--------------------------------
* ssh-keygen(1): generate Ed25519 keys by default.
[NOTE: This change was already merged into FreeBSD.]
* sshd(8): the Subsystem directive now accurately preserves quoting of
subsystem commands and arguments.
New features
------------
* ssh(1): add keystroke timing obfuscation to the client.
* ssh(1), sshd(8): Introduce a transport-level ping facility.
* sshd(8): allow override of Sybsystem directives in sshd Match blocks.
Full release notes at https://www.openssh.com/txt/release-9.5
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Ed25519 keys are convenient because they're much smaller, and the next
OpenSSH release (9.5) will switch to them by default. Apply the change
to FreeBSD main now, to help identify issues as early as possible.
Reviewed by: kevans, karels, des
Relnotes: Yes
Obtained from: OpenBSD 9de458a24986
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41773
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Upstream commit message:
upstream: fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
multiplexed sessions to ignore SIGINT under some circumstances.
Reported by / feedback naddy@, ok dtucker@
OpenBSD-Commit-ID: 4d5c6c894664f50149153fd4764f21f43e7d7e5a
Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1")
Obtained from: OpenSSH 803e22eabd3b
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| | |
OpenSSH 9.4p1 (updated in commit 535af610a4fd) includes the memory leak
fix that we originally applied in 69c72a57af84 ("sftp: avoid leaking
path arg in calls to make_absolute_pwd_glob.").
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| | |
Reported by: Herbert J. Skuhra <herbert@gojira.at>
Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1")
Sponsored by: The FreeBSD Foundation
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was expicitly set to
"none". bz3567
Full release notes at https://www.openssh.com/txt/release-9.4
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The HPN patch set was removed from base system SSH in January 2016, in
commit 60c59fad8806. We retained the option parsing (using OpenSSH's
support for deprecated options) to avoid breaking existing installations
upon upgrade, but sufficient time has now passed that we can remove this
special case.
Approved by: des
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41291
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Older versions of FreeBSD included the HPN patch set and provided
client-side VersionAddendum. Both of these changes have been retired
but we've retained the option parsing for backwards compatibility to
avoid breaking upgrades. Add comment references to the relevant
commits.
Sponsored by: The FreeBSD Foundation
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a compromise between POLA and practical reasoning. We don't
want to block the main server loop in an attempt to resolve. But we
need to keep the format of the logged message as is, for sake of
sshguard and other scripts. So let's print just the IP address twice,
this is what libwrap's refuse() would do if it failed to resolve.
Reviewed by: philip
PR: 269456
Differential revision: https://reviews.freebsd.org/D40069
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This part of ca573c9a177 proved to be unnecessary. As the removed
comment says, we set them merely for logging syntax errors, as we log
refusals ourselves. However, inside the libwrap the parser logs any
syntax errors with tcpd_warn() which has hardcoded LOG_WARNING inside.
Reviewed by: philip, emaste
Differential revision: https://reviews.freebsd.org/D40068
|
