blocklist: Rename blacklist to blocklist

Follow up upstream rename from blacklist to blocklist.

- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anc

blocklist: Rename blacklist to blocklist

Follow up upstream rename from blacklist to blocklist.

- Old names and rc scripts are still valid, but emitting an ugly warning
- Old firewall rules and anchor names should work, but emitting an ugly
warning
- Old MK_BLACKLIST* knobs are wired to the new ones

Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code. If issues arise, it
will be swiftly reverted.

Reviewed by: ivy (pkgbase)
Approved by: emaste (mentor)
MFC after: 2 days
Relnotes: yes

show more ...

OpenSSH: Update to 10.0p2

Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release

OpenSSH: Update to 10.0p2

Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]

- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.

- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.

Security

- sshd(8): fix the DisableForwarding directive, which was failing to
disable X11 forwarding and agent forwarding as documented.
[This change was previously merged to FreeBSD main.]

New features

- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
used by default for key agreement.

Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630

show more ...

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859

show more ...

gssapi,krb5: Replace libgssapi with the MIT version

lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed

gssapi,krb5: Replace libgssapi with the MIT version

lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. With both gssapi libraries and header files
installed results in broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patchs to the tree.

This should have been implmented with 7e35117eb07f.

Fixes: 7e35117eb07f, 73ed0c7992fd
Differential Revision: https://reviews.freebsd.org/D51661

show more ...

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by: The FreeBSD Foundation
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D50782

show more ...

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: e

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795

show more ...

ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk

Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling

ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk

Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.

Reviewed by: kevans
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31896

show more ...

ssh: tidy include handling

Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by: imp, jlduran, kev

ssh: tidy include handling

Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by: imp, jlduran, kevans (all earlier)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34409

show more ...

ssh: Remove unintended XAUTH_PATH setting

This crept in while rebasing the OpenSSH 9.8p1 update across
a63701848fe5 ("ssh: Move XAUTH_PATH setting to ssh.mk").

Fixes: 0fdf8fae8b56 ("openssh: Update

ssh: Remove unintended XAUTH_PATH setting

This crept in while rebasing the OpenSSH 9.8p1 update across
a63701848fe5 ("ssh: Move XAUTH_PATH setting to ssh.mk").

Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")
Sponsored by: The FreeBSD Foundation

show more ...

openssh: Update to 9.8p1

Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes

openssh: Update to 9.8p1

Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).

---

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.

Potentially-incompatible changes
--------------------------------

* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.

* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.

* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".

* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.

* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101

New features
------------

* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.

* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.

Portability
-----------

* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.

* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479

---

Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914

show more ...