en Copyright 2015 Java http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#2574974648c68c738aec3ff96644d888d7913a37 OpenSSH: Update to 10.3p1Full release notes are available athttps://www.openssh.com/txt/release-10.3Selected highlights from the release notes: * ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying. * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. * ssh(1): add a ~I escape option that shows information about the current SSH connection. * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired. * Support the ed25519 signature scheme via libcrypto.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D56999 List of files: /freebsd/secure/lib/libssh/Makefile Thu, 14 May 2026 20:59:30 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#644b4646c7acab87dc20d4e5dd53d2d9da152989 OpenSSH: Update to 10.1p1Full release notes are available athttps://www.openssh.com/txt/release-10.1Selected highlights from the release notes:Potentially-incompatible changes * ssh(1): add a warning when the connection negotiates a non-post quantum key agreement algorithm. * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS) keywords in the IPQoS configuration directive. * ssh-add(1): when adding certificates to an agent, set the expiry to the certificate expiry time plus a short (5 min) grace period. * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).Security * ssh(1): disallow control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file, and disallow \0 characters in ssh:// URIs.New features * ssh(1), sshd(8): add SIGINFO handlers to log active channel and session information.Sponsored by: The FreeBSD Foundation List of files: /freebsd/secure/lib/libssh/Makefile Tue, 12 May 2026 22:24:10 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#4757b351ea9d59d71d4a38b82506d2d16fcd560d openssl: Import version 3.5.1Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will beEOL after 2026-09-07.Approved by: philip (mentor)Sponsored by: Alpha-Omega Beach Cleaning ProjectSponsored by: The FreeBSD FoundationDifferential revision: https://reviews.freebsd.org/D51613 List of files: /freebsd/secure/lib/libssh/Makefile Fri, 11 Jul 2025 23:57:10 +0200 Pierre Pronchery <khorben@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#8e35800732573de6c4bc1dd3ac420447fca96231 build: remove the last vestiges of lint supportCommit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure.A bunch of NO_LINT definitions remained (perhaps as a bootstrappingmeasture). Remove them.Reviewed by: emasteDifferential Revision: https://reviews.freebsd.org/D50704 List of files: /freebsd/secure/lib/libssh/Makefile Fri, 06 Jun 2025 01:55:34 +0200 Brooks Davis <brooks@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#ac62b97951c25a33ec0880e574ccff31be7452f7 openssh: Add ${SKSRCS} to libsshsshkey.c references sshsk_sign(), which is defined in ${SKSRCS}.Due to how FreeBSD builds libssh, or put differently, due to upstreamnot building a shared libssh.so, we need to partially revert65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere"), andadd ${SKSRCS} back, to avoid linking problems, especially when buildingwith GCC: /usr/local/bin/ld: /usr/obj/usr/src/amd64.amd64/secure/lib/libssh/libprivatessh.so: undefined reference to `sshsk_sign' collect2: error: ld returned 1 exit status`Put the sources in a separate line, to maintain line-by-linecompatibility with upstream Makefile.inPR: 286580Reviewed by: emasteApproved by: emaste (mentor)Fixes: 65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")Differential Revision: https://reviews.freebsd.org/D50020 List of files: /freebsd/secure/lib/libssh/Makefile Wed, 21 May 2025 00:58:23 +0200 Jose Luis Duran <jlduran@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#65d8491719bbc88ed45637d2381931c2d29cfe87 secure: Adapt Makefile to ssh-sk-client everywhereUpstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")adapted the Makefiles to ssh-sk-client. Do the same here.Reviewed by: emasteApproved by: emaste (mentor)Differential Revision: https://reviews.freebsd.org/D49795 List of files: /freebsd/secure/lib/libssh/Makefile Thu, 17 Apr 2025 21:08:02 +0200 Jose Luis Duran <jlduran@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#9440aad19dca73fdd224b128ac2dc2e78191ff15 secure: Rearrange Makefile SRCS to match upstream Makefile.inSRCS entries are kept in the same order and with the same line breaks asupstream, to make comparison easier.No functional change intended.Reviewed by: emasteApproved by: emaste (mentor)Differential Revision: https://reviews.freebsd.org/D49793 List of files: /freebsd/secure/lib/libssh/Makefile Thu, 17 Apr 2025 20:56:00 +0200 Jose Luis Duran <jlduran@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#d71e7e57fc1472e3ea6d31c44e187c2819d2c71e ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mkCommit 9d63429fa163 ("ssh: move common Makefile boilerplate to a newssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as partof enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERShandling there.Reviewed by: kevansSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D31896 List of files: /freebsd/secure/lib/libssh/Makefile Tue, 12 Apr 2022 15:18:20 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#7f916236044d9a733de8b3c47b5dcbf71988cb03 ssh: tidy include handlingCentralize optional krb5_config.h handling in ssh.mk. Do not addheaders (that are committed to the src tree) to SRCS as there is noneed.Reviewed by: imp, jlduran, kevans (all earlier)MFC after: 1 monthSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D34409 List of files: /freebsd/secure/lib/libssh/Makefile Wed, 02 Mar 2022 15:45:23 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#3d9fd9fcb432750f3716b28f6ccb0104cd9d351a openssh: Update to 9.9p1Highlights from the release notes are reproduced below. Bug fixes andimprovements that were previously merged into FreeBSD have been elided.See the upstream release notes for full details of the 9.9p1 release(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters.New features------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA.Bugfixes-------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505---Reviewed by: jlduran (build infrastructure)Reviewed by: cy (build infrastructure)Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48947 List of files: /freebsd/secure/lib/libssh/Makefile Wed, 19 Feb 2025 20:08:59 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e openssh: Update to 9.8p1Highlights from the release notes are reproduced below. Some securityand bug fixes were previously merged into FreeBSD and have been elided.See the upstream release notes for full details(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101New features------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys.Portability----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479---Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48914 List of files: /freebsd/secure/lib/libssh/Makefile Wed, 19 Feb 2025 18:20:44 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#c0af32952564099fe30a34aeb335f95a6dc811ba libssh: Remove progressmeterIt is used only by scp and sftp, and already included directly in theirMakefiles. It does not belong in libssh.Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.")Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48871 List of files: /freebsd/secure/lib/libssh/Makefile Thu, 06 Feb 2025 20:21:12 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#e9ac41698b2f322d55ccf9da50a3596edb2c1800 Remove residual blank line at start of MakefileThis is a residual of the $FreeBSD$ removal.MFC After: 3 days (though I'll just run the command on the branches)Sponsored by: Netflix List of files: /freebsd/secure/lib/libssh/Makefile Mon, 15 Jul 2024 06:46:32 +0200 Warner Losh <imp@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /freebsd/secure/lib/libssh/Makefile Wed, 16 Aug 2023 19:55:03 +0200 Warner Losh <imp@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4 ssh: Update to OpenSSH 9.3p1This release fixes a number of security bugs and has minor newfeatures and bug fixes. Security fixes, from the release notes(https://www.openssh.com/txt/release-9.3):This release contains fixes for a security problem and a memorysafety problem. The memory safety problem is not believed to beexploitable, but we report most network-reachable memory faults assecurity bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer.Sponsored by: The FreeBSD Foundation List of files: /freebsd/secure/lib/libssh/Makefile Thu, 16 Mar 2023 15:29:55 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#f374ba41f55c1a127303d92d830dd58eef2f5243 ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /freebsd/secure/lib/libssh/Makefile Mon, 06 Feb 2023 22:54:56 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /freebsd/secure/lib/libssh/Makefile Wed, 19 Oct 2022 16:27:11 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#9d63429fa16352f58037ac2aa6ddc734b25e8331 ssh: move common Makefile boilerplate to a new ssh.mkThis moves SSHDIR and ssh_namespace.h handling to a common location,and will simplify future work such as adding U2F support (D32509).Reviewed by: kevansMFC after: 1 weekSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D32808 List of files: /freebsd/secure/lib/libssh/Makefile Tue, 02 Nov 2021 19:48:33 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#1c99af1ebe61cbaf633792941640dcd254acf921 libssh: Rearrange Makefile SRCS to match upstream Makefile.inSRCS entries are kept in the same order and with the same line breaksas upstream, to make comparison easier.Reported by: des List of files: /freebsd/secure/lib/libssh/Makefile Wed, 20 Oct 2021 02:09:46 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/lib/libssh/Makefile#576b58108c1723c85e4dd00355e29bfe301dab11 libssh: correct libssh src file listLink against the ssh-sk-helper client rather than the sk internalimplementation.PR: 258384Tested by: madpilotFixes: f448c3ed4ae1 ("openssh: Add new source files to libssl")Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1")Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D32529 List of files: /freebsd/secure/lib/libssh/Makefile Fri, 15 Oct 2021 18:21:23 +0200 Ed Maste <emaste@FreeBSD.org>