From: Cy Schubert
To: Ed Maste
cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 0fdf8fae8b56 - main - openssh: Update to 9.8p1
Date: Wed, 19 Feb 2025 12:19:38 -0800
Message-Id: <20250219201938.18A35A8@slippy.cwsent.com>
In-reply-to: <202502191721.51JHL9CT090248@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

In message <202502191721.51JHL9CT090248@gitrepo.freebsd.org>, Ed Maste writes:
> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e
>
> commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e
> Merge: fdccf0336197 d565364dadeb
> Author:     Ed Maste
> AuthorDate: 2025-02-19 17:20:44 +0000
> Commit:     Ed Maste
> CommitDate: 2025-02-19 17:20:44 +0000
>
>     openssh: Update to 9.8p1
>
>     Highlights from the release notes are reproduced below.  Some security
>     and bug fixes were previously merged into FreeBSD and have been elided.
>     See the upstream release notes for full details
>     (https://www.openssh.com/releasenotes.html).
>
>     ---
>
>     Future deprecation notice
>     =========================
>
>     OpenSSH plans to remove support for the DSA signature algorithm in
>     early 2025.
>
>     Potentially-incompatible changes
>     --------------------------------
>
>      * sshd(8): the server will now block client addresses that
>        repeatedly fail authentication, repeatedly connect without ever
>        completing authentication or that crash the server.  See the
>        discussion of PerSourcePenalties below for more information.
>        Operators of servers that accept connections from many users, or
>        servers that accept connections from addresses behind NAT or
>        proxies may need to consider these settings.
>
>      * sshd(8): the server has been split into a listener binary, sshd(8),
>        and a per-session binary "sshd-session".  This allows for a much
>        smaller listener binary, as it no longer needs to support the SSH
>        protocol.  As part of this work, support for disabling privilege
>        separation (which previously required code changes to disable) and
>        disabling re-execution of sshd(8) has been removed.  Further
>        separation of sshd-session into additional, minimal binaries is
>        planned for the future.
>
>      * sshd(8): several log messages have changed.  In particular, some
>        log messages will be tagged as originating from a process
>        named "sshd-session" rather than "sshd".
>
>      * ssh-keyscan(1): this tool previously emitted comment lines
>        containing the hostname and SSH protocol banner to standard error.
>        This release now emits them to standard output, but adds a new
>        "-q" flag to silence them altogether.
>
>      * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
>        as the PAM service name.  A new "PAMServiceName" sshd_config(5)
>        directive allows selecting the service name at runtime.  This
>        defaults to "sshd".  bz2101
>
>     New features
>     ------------
>
>      * sshd(8): sshd(8) will now penalise client addresses that, for various
>        reasons, do not successfully complete authentication.  This feature is
>        controlled by a new sshd_config(5) PerSourcePenalties option and is
>        on by default.
>
>      * ssh(8): allow the HostkeyAlgorithms directive to disable the
>        implicit fallback from certificate host key to plain host keys.
>
>     Portability
>     -----------
>
>      * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
>        unconditionally.  The previous behaviour was to expose it only when
>        particular authentication methods were in use.
>
>      * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
>        environment variable to enable SSH_ASKPASS, similarly to the X11
>        DISPLAY environment variable.  GHPR479
>
>     ---
>
>     Sponsored by:   The FreeBSD Foundation
>     Differential Revision: https://reviews.freebsd.org/D48914

I think it was this commit but could have been a later commit. I'm seeing
the following error:

cwsys# service sshd restart
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
Stopping sshd.
Waiting for PIDS: 3432.
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
Starting sshd.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
cwsys#

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  https://FreeBSD.org
NTP:  Web:  https://nwtime.org

			e^(i*pi)+1=0
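
In the restart output above, the sanity check prints the "Unsupported option" warnings and the restart carries on. The script below is an added example, not part of the original message or of FreeBSD's rc script: it turns that same text into a check a deploy script can fail on. The function names and the sample text (constructed from the lines quoted above) are assumptions; `sshd -t` is sshd's configuration test mode.

```shell
#!/bin/sh
# Constructed sample: the sanity-check text quoted in the message above,
# with two warnings repeated the way the restart output repeats them.
SAMPLE_OUTPUT='Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 128: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 129: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 132: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 133: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 70: Unsupported option KerberosAuthentication
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication'

# stdin: sshd -t output. stdout: "<line> <option>", one per distinct warning.
unsupported_options() {
    awk '/ line [0-9]+: Unsupported option / {
        line = $(NF - 3); sub(/:$/, "", line)
        if (!seen[line " " $NF]++) print line, $NF
    }'
}

# Group the warnings by directive: "<option>: <line> <line> ...".
summarise() {
    unsupported_options | awk '{
        if (!($2 in lines)) name[++n] = $2
        lines[$2] = lines[$2] " " $1
    } END { for (i = 1; i <= n; i++) print name[i] ":" lines[name[i]] }'
}

# Return 1 (and report on stderr) when any directive was flagged, so a
# deploy script can stop before restarting the daemon.
check_sshd_output() {
    report=$(summarise)
    [ -z "$report" ] && return 0
    printf 'directives flagged as unsupported (option: lines)\n%s\n' "$report" >&2
    return 1
}

# Real use (hypothetical wiring): sshd -t 2>&1 | check_sshd_output || exit 1
printf '%s\n' "$SAMPLE_OUTPUT" | summarise
```

Grouping by directive shows at a glance which authentication settings in the file are not being applied, including any that sit inside later blocks of the config.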