|
Revision tags: release/14.0.0 |
|
| #
535af610 |
| 11-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was expicitly set to
"none". bz3567
Full release notes at https://www.openssh.com/txt/release-9.4
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
show more ...
|
|
Revision tags: release/13.2.0 |
|
| #
41ff5ea2 |
| 17-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: default VerifyHostKeyDNS to no, following upstream
Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.
This reverts commit 83c6a5242c8016
ssh: default VerifyHostKeyDNS to no, following upstream
Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.
This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.
Reported by: David Leadbeater, G-Research
Reviewed by: gordon
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38648
show more ...
|
|
Revision tags: release/12.4.0, release/13.1.0 |
|
| #
bffe60ea |
| 23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: retire client VersionAddendum
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f88 and later extended it to the client in
commit 9e2cbe04ff4f.
In
ssh: retire client VersionAddendum
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f88 and later extended it to the client in
commit 9e2cbe04ff4f.
In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10. They do not support it for the client.
The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set. This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.
Reviewed by: gordon, glebius
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32930
show more ...
|
| #
835ee05f |
| 23-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: drop $FreeBSD$ from crypto/openssh
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose. Remove them from OpenSSH to reduce diffs against upstream.
Sponsored by: The Fr
ssh: drop $FreeBSD$ from crypto/openssh
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose. Remove them from OpenSSH to reduce diffs against upstream.
Sponsored by: The FreeBSD Foundation
show more ...
|
| #
87c1498d |
| 15-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0
Some highlights:
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exch
ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0
Some highlights:
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange
(the previous default) as a backstop against any weaknesses in
NTRU Prime that may be discovered in the future. The combination
ensures that the hybrid exchange offers at least as good security
as the status quo.
* sftp-server(8): support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
show more ...
|
| #
1323ec57 |
| 13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
show more ...
|
| #
e9e8876a |
| 19-Dec-2021 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.
The security update was already
ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.
The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
show more ...
|
|
Revision tags: release/12.3.0 |
|
| #
19261079 |
| 08-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new ho
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
show more ...
|
|
Revision tags: release/13.0.0, release/12.2.0, release/11.4.0 |
|
| #
ef1c128c |
| 14-Feb-2020 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r357921 through r357930.
|
| #
2f513db7 |
| 14-Feb-2020 |
Ed Maste <emaste@FreeBSD.org> |
Upgrade to OpenSSH 7.9p1.
MFC after: 2 months
Sponsored by: The FreeBSD Foundation
|
|
Revision tags: release/12.1.0, release/11.3.0, release/12.0.0 |
|
| #
3af64f03 |
| 11-Sep-2018 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r338392 through r338594.
|
| #
190cef3d |
| 10-Sep-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.8p1.
Approved by: re (kib@)
|
|
Revision tags: release/11.2.0 |
|
| #
47dd1d1b |
| 11-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.7p1.
|
| #
4f52dfbb |
| 09-May-2018 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. F
Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
show more ...
|
|
Revision tags: release/10.4.0 |
|
| #
083c8ded |
| 13-Aug-2017 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r322451
|
| #
0275f9db |
| 11-Aug-2017 |
Hans Petter Selasky <hselasky@FreeBSD.org> |
Merge ^/head r321383 through r322397.
|
| #
79210755 |
| 04-Aug-2017 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r322057
|
| #
d93a896e |
| 04-Aug-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.5p1.
|
|
Revision tags: release/11.1.0 |
|
| #
ca86bcf2 |
| 06-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.4p1.
|
| #
6d6e8a4a |
| 03-Mar-2017 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Forgot to bump the version addendum date.
|
| #
8a6fe8ce |
| 11-Jan-2017 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r311812 through r311939.
|
| #
9ea45e75 |
| 11-Jan-2017 |
Xin LI <delphij@FreeBSD.org> |
MFV r311913:
Fix multiple OpenSSH vulnerabilities.
Submitted by: des
Approved by: so
|
|
Revision tags: release/11.0.1, release/11.0.0, release/10.3.0 |
|
| #
53835448 |
| 14-Mar-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: The FreeBSD Foundation
|
| #
acc1a9ef |
| 11-Mar-2016 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Upgrade to OpenSSH 7.2p2.
|
| #
f9421853 |
| 25-Jan-2016 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: The FreeBSD Foundation
|