Date: Thu, 9 Sep 2021 13:24:08 +0200 From: Guido Falsi <madpilot@FreeBSD.org> To: Ed Maste <emaste@FreeBSD.org>, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: Re: git: 19261079b743 - main - openssh: update to OpenSSH v8.7p1 Message-ID: <8309c83d-9dc2-d0bc-3985-b5d7a5c853f1@FreeBSD.org> In-Reply-To: <202109080107.18817pdj030849@gitrepo.freebsd.org> References: <202109080107.18817pdj030849@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 08/09/21 03:07, Ed Maste wrote: > The branch main has been updated by emaste: > > URL: https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72 > > commit 19261079b74319502c6ffa1249920079f0f69a72 > Merge: c5128c48df3c 66719ee573ac > Author: Ed Maste <emaste@FreeBSD.org> > AuthorDate: 2021-09-08 01:05:51 +0000 > Commit: Ed Maste <emaste@FreeBSD.org> > CommitDate: 2021-09-08 01:05:51 +0000 > > openssh: update to OpenSSH v8.7p1 > > Some notable changes, from upstream's release notes: > > - sshd(8): Remove support for obsolete "host/port" syntax. > - ssh(1): When prompting whether to record a new host key, accept the key > fingerprint as a synonym for "yes". > - ssh-keygen(1): when acting as a CA and signing certificates with an RSA > key, default to using the rsa-sha2-512 signature algorithm. > - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" > (RSA/SHA1) algorithm from those accepted for certificate signatures. > - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F > support to provide address-space isolation for token middleware > libraries (including the internal one). > - ssh(1): this release enables UpdateHostkeys by default subject to some > conservative preconditions. > - scp(1): this release changes the behaviour of remote to remote copies > (e.g. "scp host-a:/path host-b:") to transfer through the local host > by default. > - scp(1): experimental support for transfers using the SFTP protocol as > a replacement for the venerable SCP/RCP protocol that it has > traditionally used. > > Additional integration work is needed to support FIDO/U2F in the base > system. > > Deprecation Notice > ------------------ > > OpenSSH will disable the ssh-rsa signature scheme by default in the > next release. > > Reviewed by: imp > MFC after: 1 month > Relnotes: Yes > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D29985 > While upgrading my current machines I encountered an issue with pam_ssh which seems to be caused by this update. I filed a bug report with all the details: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384 Could you take a look? Seems to be caused by the ssh code trying to call a function available only when FIDO/U2F support is enabled, which is not the case in our source base. I tried a quick fix by adding some ifdefs, but it failed to make it work, I'm still trying to find a solution myself. -- Guido Falsi <madpilot@FreeBSD.org>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8309c83d-9dc2-d0bc-3985-b5d7a5c853f1>