en Copyright 2015 Java http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#7238317403b95a8e35cf0bc7cd66fbd78ecbe521 blocklist: Rename blacklist to blocklistFollow up upstream rename from blacklist to blocklist.- Old names and rc scripts are still valid, but emitting an ugly warning- Old firewall rules and anchor names should work, but emitting an ugly warning- Old MK_BLACKLIST* knobs are wired to the new onesAlthough care has been taken not to break current configurations, thisis a large patch containing mostly duplicated code. If issues arise, itwill be swiftly reverted.Reviewed by: ivy (pkgbase)Approved by: emaste (mentor)MFC after: 2 daysRelnotes: yes List of files: /freebsd/secure/libexec/sshd-session/Makefile Sun, 12 Oct 2025 19:14:27 +0200 Jose Luis Duran <jlduran@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#8e28d84935f2f0ee081d44f9803f3052b960e50b OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /freebsd/secure/libexec/sshd-session/Makefile Tue, 26 Aug 2025 21:04:16 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#dc5ba6b8b4f028eb944434be82838d272330f26f Remove MK_GSSAPIFor MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part ofKerberos and is always built if MK_KERBEROS is enabled. Backport thisbehaviour to Heimdal so it works the same way.While here, change Heimdal's libcom_err and compile_et to be selected byMK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberosand third-party users might need it even if Kerberos support is disabledin the base system. This means MK_KERBEROS_SUPPORT installs the samefiles with both MIT and Heimdal.Reviewed by: cyDifferential Revision: https://reviews.freebsd.org/D51859 List of files: /freebsd/secure/libexec/sshd-session/Makefile Wed, 20 Aug 2025 20:42:20 +0200 Lexi Winter <ivy@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#e26259f48afe98022d885f02fbb8abcd7878e41a gssapi,krb5: Replace libgssapi with the MIT versionlib/libgssapi is based on Heimdal. As on Linux systems, the MITlibgssapi_krb5 replaces it. With both gssapi libraries and header filesinstalled results in broken buildworld (gssd) and ports that will notbuild without modifications to support the MIT gssapi in an alternatelocation.73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps usingMIT KRB5 gssapi functions and structures will fail to build without thispatch.This patch includes a temporary patch to usr.sbin/gssd to allow itto build with this patch. rmacklem@ has a patch for this and forkgssapi that uses this patch to resolve kgssapi issues for NFS withKerberos.This patch is an updated version of D51661 to allow it to build followingadditional patchs to the tree.This should have been implmented with 7e35117eb07f.Fixes: 7e35117eb07f, 73ed0c7992fdDifferential Revision: https://reviews.freebsd.org/D51661 List of files: /freebsd/secure/libexec/sshd-session/Makefile Thu, 31 Jul 2025 18:51:20 +0200 Cy Schubert <cy@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#70371c7959df8bcba9b5ee62d976c1e74991e0a9 openssh: Support building with MIT KRB5Remove HEIMDAL=1 from openssh/krb5_config.h and move the definitionto the Makefile in order to control whether we're building underHeimdal or MIT.Add MIT KRB5 LIBS and INCLUDES to the openssh build.Sponsored by: The FreeBSD FoundationReviewed by: markjDifferential revision: https://reviews.freebsd.org/D50782 List of files: /freebsd/secure/libexec/sshd-session/Makefile Tue, 10 Jun 2025 21:46:35 +0200 Cy Schubert <cy@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#65d8491719bbc88ed45637d2381931c2d29cfe87 secure: Adapt Makefile to ssh-sk-client everywhereUpstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")adapted the Makefiles to ssh-sk-client. Do the same here.Reviewed by: emasteApproved by: emaste (mentor)Differential Revision: https://reviews.freebsd.org/D49795 List of files: /freebsd/secure/libexec/sshd-session/Makefile Thu, 17 Apr 2025 21:08:02 +0200 Jose Luis Duran <jlduran@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#d71e7e57fc1472e3ea6d31c44e187c2819d2c71e ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mkCommit 9d63429fa163 ("ssh: move common Makefile boilerplate to a newssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as partof enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERShandling there.Reviewed by: kevansSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D31896 List of files: /freebsd/secure/libexec/sshd-session/Makefile Tue, 12 Apr 2022 15:18:20 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#7f916236044d9a733de8b3c47b5dcbf71988cb03 ssh: tidy include handlingCentralize optional krb5_config.h handling in ssh.mk. Do not addheaders (that are committed to the src tree) to SRCS as there is noneed.Reviewed by: imp, jlduran, kevans (all earlier)MFC after: 1 monthSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D34409 List of files: /freebsd/secure/libexec/sshd-session/Makefile Wed, 02 Mar 2022 15:45:23 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#b4bb480ae9294d7e4b375f0ead9ae57517c79ef3 ssh: Remove unintended XAUTH_PATH settingThis crept in while rebasing the OpenSSH 9.8p1 update acrossa63701848fe5 ("ssh: Move XAUTH_PATH setting to ssh.mk").Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")Sponsored by: The FreeBSD Foundation List of files: /freebsd/secure/libexec/sshd-session/Makefile Wed, 19 Feb 2025 18:37:09 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/secure/libexec/sshd-session/Makefile#0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e openssh: Update to 9.8p1Highlights from the release notes are reproduced below. Some securityand bug fixes were previously merged into FreeBSD and have been elided.See the upstream release notes for full details(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101New features------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys.Portability----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479---Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48914 List of files: /freebsd/secure/libexec/sshd-session/Makefile Wed, 19 Feb 2025 18:20:44 +0100 Ed Maste <emaste@FreeBSD.org>