Date: Wed, 19 Feb 2025 12:19:38 -0800
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Ed Maste <emaste@FreeBSD.org>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 0fdf8fae8b56 - main - openssh: Update to 9.8p1
Message-ID: <20250219201938.18A35A8@slippy.cwsent.com>
In-Reply-To: <202502191721.51JHL9CT090248@gitrepo.freebsd.org>
References: <202502191721.51JHL9CT090248@gitrepo.freebsd.org>

In message <202502191721.51JHL9CT090248@gitrepo.freebsd.org>, Ed Maste writes:
> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e
>
> commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e
> Merge: fdccf0336197 d565364dadeb
> Author:     Ed Maste <emaste@FreeBSD.org>
> AuthorDate: 2025-02-19 17:20:44 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2025-02-19 17:20:44 +0000
>
>     openssh: Update to 9.8p1
>
>     Highlights from the release notes are reproduced below.  Some security
>     and bug fixes were previously merged into FreeBSD and have been elided.
>     See the upstream release notes for full details
>     (https://www.openssh.com/releasenotes.html).
>
>     ---
>
>     Future deprecation notice
>     =========================
>
>     OpenSSH plans to remove support for the DSA signature algorithm in
>     early 2025.
>
>     Potentially-incompatible changes
>     --------------------------------
>
>      * sshd(8): the server will now block client addresses that
>        repeatedly fail authentication, repeatedly connect without ever
>        completing authentication or that crash the server.  See the
>        discussion of PerSourcePenalties below for more information.
>        Operators of servers that accept connections from many users, or
>        servers that accept connections from addresses behind NAT or
>        proxies may need to consider these settings.
>
>      * sshd(8): the server has been split into a listener binary, sshd(8),
>        and a per-session binary "sshd-session".  This allows for a much
>        smaller listener binary, as it no longer needs to support the SSH
>        protocol.  As part of this work, support for disabling privilege
>        separation (which previously required code changes to disable) and
>        disabling re-execution of sshd(8) has been removed.  Further
>        separation of sshd-session into additional, minimal binaries is
>        planned for the future.
>
>      * sshd(8): several log messages have changed.  In particular, some
>        log messages will be tagged as originating from a process
>        named "sshd-session" rather than "sshd".
>
>      * ssh-keyscan(1): this tool previously emitted comment lines
>        containing the hostname and SSH protocol banner to standard error.
>        This release now emits them to standard output, but adds a new
>        "-q" flag to silence them altogether.
>
>      * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
>        as the PAM service name.  A new "PAMServiceName" sshd_config(5)
>        directive allows selecting the service name at runtime.  This
>        defaults to "sshd".  bz2101
>
>     New features
>     ------------
>
>      * sshd(8): sshd(8) will now penalise client addresses that, for various
>        reasons, do not successfully complete authentication.  This feature is
>        controlled by a new sshd_config(5) PerSourcePenalties option and is
>        on by default.
>
>      * ssh(8): allow the HostkeyAlgorithms directive to disable the
>        implicit fallback from certificate host key to plain host keys.
>
>     Portability
>     -----------
>
>      * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
>        unconditionally.  The previous behaviour was to expose it only when
>        particular authentication methods were in use.
>
>      * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
>        environment variable to enable SSH_ASKPASS, similarly to the X11
>        DISPLAY environment variable.  GHPR479
>
>     ---
>
>     Sponsored by:   The FreeBSD Foundation
>     Differential Revision: https://reviews.freebsd.org/D48914

I think it was this commit but could have been a later commit. I'm seeing
the following error:

cwsys# service sshd restart
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
Stopping sshd.
Waiting for PIDS: 3432.
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
Starting sshd.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
cwsys#

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0
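
Added example (not part of the original message, and not FreeBSD or OpenSSH code): the restart output above prints the same six warnings on every configuration check, so this sh/awk function collapses them to one line per unsupported option, listing the config lines that set it. The function names are made up for the example, and the sample input is the warning text from the message with one repeated pass kept.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Real use: sshd -t 2>&1 | summarise_unsupported

# Sample input: warning lines as they appear in the restart output above,
# with one repeated pass kept to exercise de-duplication.
sample_output() {
cat <<'EOF'
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
Stopping sshd.
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
EOF
}

# Reads sshd output on stdin. Prints one line per unsupported option:
#   <Option> <file>:<line> [<file>:<line> ...]
# Returns 1 if any were found, 0 otherwise (usable as a pre-restart gate).
# Assumes the config path contains no whitespace.
summarise_unsupported() {
    awk '
    / line [0-9]+: Unsupported option / {
        file = $1; line = $3; sub(/:$/, "", line); opt = $NF
        loc = file ":" line
        if ((opt, loc) in seen) next      # same warning printed again
        seen[opt, loc] = 1
        if (!(opt in where)) { order[++n] = opt; where[opt] = loc }
        else where[opt] = where[opt] " " loc
    }
    END {
        for (i = 1; i <= n; i++) print order[i], where[order[i]]
        exit (n > 0)
    }'
}

# Stand-alone run: show the summary for the sample.
sample_output | summarise_unsupported || true
```

For a host that relies on Kerberos or GSSAPI logins, each reported line is a setting that the running sshd does not honour.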