| #
0fdf8fae |
| 19-Feb-2025 |
Ed Maste <emaste@FreeBSD.org> |
openssh: Update to 9.8p1
Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes
openssh: Update to 9.8p1
Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
New features
------------
* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479
---
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914
show more ...
|
|
Revision tags: release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0, release/14.1.0, release/13.3.0, release/14.0.0, release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0 |
|
| #
19261079 |
| 08-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new ho
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
show more ...
|
| #
27ceebbc |
| 31-Aug-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, incl
openssh: simplify login class restrictions
Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fcee, bd393de91cc3, and
e8c56fba2926.
During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.
Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760
show more ...
|
|
Revision tags: release/13.0.0, release/12.2.0, release/11.4.0, release/12.1.0, release/11.3.0, release/12.0.0 |
|
| #
c6879c6c |
| 23-Oct-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r339015 through r339669.
|
| #
fc3f42d8 |
| 08-Oct-2018 |
Glen Barber <gjb@FreeBSD.org> |
MFH r339206-r339212, r339215-r339239
Sponsored by: The FreeBSD Foundation
|
| #
fc3c19a9 |
| 06-Oct-2018 |
Ed Maste <emaste@FreeBSD.org> |
sshd: address capsicum issues
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
capability mode.
* Cache timezone data via caph_cache_tzdata() as we cannot access the
timezone
sshd: address capsicum issues
* Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
capability mode.
* Cache timezone data via caph_cache_tzdata() as we cannot access the
timezone file.
* Reverse resolve hostname before entering capability mode.
PR: 231172
Submitted by: naito.yuichiro@gmail.com
Reviewed by: cem, des
Approved by: re (rgrimes)
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D17128
show more ...
|
| #
3af64f03 |
| 11-Sep-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r338392 through r338594.
|
| #
190cef3d |
| 10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1.
Approved by: re (kib@)
|
|
Revision tags: release/11.2.0, release/10.4.0, release/11.1.0 |
|
| #
ca86bcf2 |
| 06-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
|
Revision tags: release/11.0.1, release/11.0.0, release/10.3.0 |
|
| #
d9b9dae1 |
| 22-Jan-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r294169 through r294598.
|
| #
009e81b1 |
| 22-Jan-2016 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFH @r294567
|
| #
59d43d11 |
| 20-Jan-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: The FreeBSD Foundation
|
| #
bc5531de |
| 19-Jan-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.8p1.
|
|
Revision tags: release/10.2.0, release/10.1.0, release/9.3.0 |
|
| #
6cec9cad |
| 03-Jun-2014 |
Peter Grehan <grehan@FreeBSD.org> |
MFC @ r266724
An SVM update will follow this.
|
| #
3b8f0845 |
| 28-Apr-2014 |
Simon J. Gerraty <sjg@FreeBSD.org> |
Merge head
|
| #
84e51a1b |
| 23-Apr-2014 |
Alan Somers <asomers@FreeBSD.org> |
IFC @264767
|
| #
1709ccf9 |
| 29-Mar-2014 |
Martin Matuska <mm@FreeBSD.org> |
Merge head up to r263906.
|
| #
b83788ff |
| 25-Mar-2014 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.6p1.
|
|
Revision tags: release/10.0.0, release/9.2.0 |
|
| #
552311f4 |
| 17-Jul-2013 |
Xin LI <delphij@FreeBSD.org> |
IFC @253398
|
| #
cfe30d02 |
| 19-Jun-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Merge fresh head.
|
|
Revision tags: release/8.4.0 |
|
| #
69e6d7b7 |
| 12-Apr-2013 |
Simon J. Gerraty <sjg@FreeBSD.org> |
sync from head
|
| #
6888a9be |
| 22-Mar-2013 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 6.2p1. The most important new features are support
for a key revocation list and more fine-grained authentication control.
|
|
Revision tags: release/9.1.0, release/8.3.0_cvs, release/8.3.0 |
|
| #
8fa0b743 |
| 23-Jan-2012 |
Xin LI <delphij@FreeBSD.org> |
IFC @230489 (pending review).
|
|
Revision tags: release/9.0.0 |
|
| #
70d8f36a |
| 27-Oct-2011 |
Peter Grehan <grehan@FreeBSD.org> |
IFC @ r226824
|
| #
e146993e |
| 06-Oct-2011 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 5.9p1.
MFC after: 3 months
|