Date:      Thu, 9 Sep 2021 19:26:42 +0200
From:      FreeBSD User <freebsd@walstatt-de.de>
To:        Ed Maste <emaste@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 19261079b743 - main - openssh: update to OpenSSH v8.7p1
Message-ID:  <20210909192709.173d0bb6@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <202109080107.18817pdj030849@gitrepo.freebsd.org>
References:  <202109080107.18817pdj030849@gitrepo.freebsd.org>

On Wed, 8 Sep 2021 01:07:51 GMT
Ed Maste <emaste@FreeBSD.org> wrote:

> The branch main has been updated by emaste:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72
> 
> commit 19261079b74319502c6ffa1249920079f0f69a72
> Merge: c5128c48df3c 66719ee573ac
> Author:     Ed Maste <emaste@FreeBSD.org>
> AuthorDate: 2021-09-08 01:05:51 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2021-09-08 01:05:51 +0000
> 
>     openssh: update to OpenSSH v8.7p1
>     
>     Some notable changes, from upstream's release notes:
>     
>     - sshd(8): Remove support for obsolete "host/port" syntax.
>     - ssh(1): When prompting whether to record a new host key, accept the key
>       fingerprint as a synonym for "yes".
>     - ssh-keygen(1): when acting as a CA and signing certificates with an RSA
>       key, default to using the rsa-sha2-512 signature algorithm.
>     - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
>       (RSA/SHA1) algorithm from those accepted for certificate signatures.
>     - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
>       support to provide address-space isolation for token middleware
>       libraries (including the internal one).
>     - ssh(1): this release enables UpdateHostkeys by default subject to some
>       conservative preconditions.
>     - scp(1): this release changes the behaviour of remote to remote copies
>       (e.g. "scp host-a:/path host-b:") to transfer through the local host
>       by default.
>     - scp(1): experimental support for transfers using the SFTP protocol as
>       a replacement for the venerable SCP/RCP protocol that it has
>       traditionally used.
>     
>     Additional integration work is needed to support FIDO/U2F in the base
>     system.
>     
>     Deprecation Notice
>     ------------------
>     
>     OpenSSH will disable the ssh-rsa signature scheme by default in the
>     next release.
>     
>     Reviewed by:    imp
>     MFC after:      1 month
>     Relnotes:       Yes
>     Sponsored by:   The FreeBSD Foundation
>     Differential Revision:  https://reviews.freebsd.org/D29985
> 
>  crypto/openssh/.depend                             |   354 +-
>  crypto/openssh/.github/ci-status.md                |     4 +
>  crypto/openssh/.github/configs                     |   170 +
>  crypto/openssh/.github/configure.sh                |     6 +
>  crypto/openssh/.github/run_test.sh                 |    34 +
>  crypto/openssh/.github/setup_ci.sh                 |   115 +
>  crypto/openssh/.github/workflows/c-cpp.yml         |    76 +
>  crypto/openssh/.github/workflows/selfhosted.yml    |    93 +
>  crypto/openssh/.github/workflows/upstream.yml      |    43 +
>  crypto/openssh/.gitignore                          |     8 +
>  crypto/openssh/.skipped-commit-ids                 |    18 +
>  crypto/openssh/CREDITS                             |     2 +-
>  crypto/openssh/ChangeLog                           | 16777 ++++++++++++-------
>  crypto/openssh/FREEBSD-vendor                      |     4 +-
>  crypto/openssh/INSTALL                             |    79 +-
>  crypto/openssh/LICENCE                             |    64 +-
>  crypto/openssh/Makefile.in                         |   328 +-
>  crypto/openssh/OVERVIEW                            |     7 +-
>  crypto/openssh/PROTOCOL                            |    89 +-
>  crypto/openssh/PROTOCOL.agent                      |     6 +-
>  crypto/openssh/PROTOCOL.certkeys                   |    35 +-
>  crypto/openssh/PROTOCOL.chacha20poly1305           |     4 +-
>  crypto/openssh/PROTOCOL.key                        |     9 +-
>  crypto/openssh/PROTOCOL.mux                        |     4 +-
>  crypto/openssh/PROTOCOL.sshsig                     |   100 +
>  crypto/openssh/PROTOCOL.u2f                        |   309 +
>  crypto/openssh/README                              |    36 +-
>  crypto/openssh/README.dns                          |     8 +-
>  crypto/openssh/README.md                           |    84 +
>  crypto/openssh/README.platform                     |    16 +-
>  crypto/openssh/README.privsep                      |    11 +-
>  crypto/openssh/aclocal.m4                          |   193 +-
>  crypto/openssh/addr.c                              |   423 +
>  crypto/openssh/addr.h                              |    60 +
>  crypto/openssh/addrmatch.c                         |   351 +-
>  crypto/openssh/atomicio.c                          |    32 +-
>  crypto/openssh/atomicio.h                          |     4 +-
>  crypto/openssh/audit-bsm.c                         |    41 +-
>  crypto/openssh/audit-linux.c                       |     4 +-
>  crypto/openssh/audit.c                             |     2 +-
>  crypto/openssh/audit.h                             |     4 +-
>  crypto/openssh/auth-bsdauth.c                      |     2 -
>  crypto/openssh/auth-krb5.c                         |    19 +-
>  crypto/openssh/auth-options.c                      |   194 +-
>  crypto/openssh/auth-options.h                      |    13 +-
>  crypto/openssh/auth-pam.c                          |   119 +-
>  crypto/openssh/auth-pam.h                          |     2 +-
>  crypto/openssh/auth-passwd.c                       |     6 +-
>  crypto/openssh/auth-rhosts.c                       |    19 +-
>  crypto/openssh/auth-skey.c                         |   107 -
>  crypto/openssh/auth.c                              |   303 +-
>  crypto/openssh/auth.h                              |    36 +-
>  crypto/openssh/auth2-chall.c                       |    43 +-
>  crypto/openssh/auth2-gss.c                         |    29 +-
>  crypto/openssh/auth2-hostbased.c                   |    71 +-
>  crypto/openssh/auth2-kbdint.c                      |     8 +-
>  crypto/openssh/auth2-none.c                        |     4 +-
>  crypto/openssh/auth2-passwd.c                      |     9 +-
>  crypto/openssh/auth2-pubkey.c                      |   264 +-
>  crypto/openssh/auth2.c                             |   209 +-
>  crypto/openssh/authfd.c                            |   178 +-
>  crypto/openssh/authfd.h                            |    12 +-
>  crypto/openssh/authfile.c                          |   265 +-
>  crypto/openssh/authfile.h                          |    10 +-
>  crypto/openssh/blacklist.c                         |     6 +-
>  crypto/openssh/buildpkg.sh.in                      |     8 +-
>  crypto/openssh/canohost.c                          |    12 +-
>  crypto/openssh/chacha.h                            |     4 +-
>  crypto/openssh/channels.c                          |   761 +-
>  crypto/openssh/channels.h                          |    38 +-
>  crypto/openssh/cipher-chachapoly-libcrypto.c       |   166 +
>  crypto/openssh/cipher-chachapoly.c                 |    32 +-
>  crypto/openssh/cipher-chachapoly.h                 |    13 +-
>  crypto/openssh/cipher.c                            |    48 +-
>  crypto/openssh/cipher.h                            |     5 +-
>  crypto/openssh/clientloop.c                        |  1074 +-
>  crypto/openssh/clientloop.h                        |     5 +-
>  crypto/openssh/compat.c                            |    92 +-
>  crypto/openssh/compat.h                            |    20 +-
>  crypto/openssh/config.guess                        |   882 +-
>  crypto/openssh/config.h                            |   241 +-
>  crypto/openssh/config.sub                          |  2528 ++-
>  crypto/openssh/configure.ac                        |   970 +-
>  crypto/openssh/contrib/Makefile                    |     6 +-
>  crypto/openssh/contrib/cygwin/README               |     4 +-
>  crypto/openssh/contrib/cygwin/ssh-host-config      |    59 +-
>  crypto/openssh/contrib/findssl.sh                  |     0
>  crypto/openssh/contrib/gnome-ssh-askpass1.c        |     7 +-
>  crypto/openssh/contrib/gnome-ssh-askpass2.c        |   210 +-
>  crypto/openssh/contrib/gnome-ssh-askpass3.c        |   305 +
>  crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh |     0
>  crypto/openssh/contrib/redhat/openssh.spec         |    55 +-
>  crypto/openssh/contrib/solaris/README              |     0
>  crypto/openssh/contrib/ssh-copy-id                 |   303 +-
>  crypto/openssh/contrib/ssh-copy-id.1               |    11 +-
>  crypto/openssh/contrib/suse/openssh.spec           |     6 +-
>  crypto/openssh/crc32.c                             |   105 -
>  crypto/openssh/crc32.h                             |    30 -
>  crypto/openssh/crypto_api.h                        |    20 +-
>  crypto/openssh/defines.h                           |    54 +-
>  crypto/openssh/dh.c                                |    39 +-
>  crypto/openssh/dh.h                                |    10 +-
>  crypto/openssh/digest-libc.c                       |    33 +-
>  crypto/openssh/digest-openssl.c                    |    19 +-
>  crypto/openssh/dispatch.c                          |     6 +-
>  crypto/openssh/dispatch.h                          |     9 +-
>  crypto/openssh/dns.c                               |    72 +-
>  crypto/openssh/dns.h                               |     3 +-
>  crypto/openssh/entropy.c                           |   175 +-
>  crypto/openssh/fatal.c                             |     7 +-
>  crypto/openssh/groupaccess.c                       |     5 +-
>  crypto/openssh/gss-genr.c                          |    19 +-
>  crypto/openssh/gss-serv.c                          |     4 +-
>  crypto/openssh/hash.c                              |    36 +-
>  crypto/openssh/hmac.c                              |     7 +-
>  crypto/openssh/hostfile.c                          |   269 +-
>  crypto/openssh/hostfile.h                          |    27 +-
>  crypto/openssh/int32_minmax.inc                    |     0
>  crypto/openssh/kex.c                               |   490 +-
>  crypto/openssh/kex.h                               |    92 +-
>  crypto/openssh/kexc25519.c                         |   182 +-
>  crypto/openssh/kexc25519c.c                        |   169 -
>  crypto/openssh/kexc25519s.c                        |   158 -
>  crypto/openssh/kexdh.c                             |   205 +-
>  crypto/openssh/kexdhc.c                            |   224 -
>  crypto/openssh/kexdhs.c                            |   222 -
>  crypto/openssh/kexecdh.c                           |   239 +-
>  crypto/openssh/kexecdhc.c                          |   222 -
>  crypto/openssh/kexecdhs.c                          |   203 -
>  crypto/openssh/kexgen.c                            |   346 +
>  crypto/openssh/kexgex.c                            |    30 +-
>  crypto/openssh/kexgexc.c                           |   123 +-
>  crypto/openssh/kexgexs.c                           |   119 +-
>  crypto/openssh/kexsntrup761x25519.c                |   251 +
>  crypto/openssh/krl.c                               |   223 +-
>  crypto/openssh/krl.h                               |     5 +-
>  crypto/openssh/log.c                               |   219 +-
>  crypto/openssh/log.h                               |    93 +-
>  crypto/openssh/loginrec.c                          |    13 +-
>  crypto/openssh/loginrec.h                          |     7 +-
>  crypto/openssh/logintest.c                         |    60 +-
>  crypto/openssh/m4/openssh.m4                       |   200 +
>  crypto/openssh/mac.c                               |     7 +-
>  crypto/openssh/match.c                             |    34 +-
>  crypto/openssh/match.h                             |     7 +-
>  crypto/openssh/misc.c                              |   962 +-
>  crypto/openssh/misc.h                              |    75 +-
>  crypto/openssh/moduli                              |   876 +-
>  crypto/openssh/moduli.c                            |    29 +-
>  crypto/openssh/monitor.c                           |   708 +-
>  crypto/openssh/monitor.h                           |    13 +-
>  crypto/openssh/monitor_fdpass.c                    |    24 +-
>  crypto/openssh/monitor_wrap.c                      |   305 +-
>  crypto/openssh/monitor_wrap.h                      |    26 +-
>  crypto/openssh/msg.c                               |    18 +-
>  crypto/openssh/mux.c                               |   640 +-
>  crypto/openssh/myproposal.h                        |   144 +-
>  crypto/openssh/nchan.c                             |    77 +-
>  crypto/openssh/opacket.c                           |   320 -
>  crypto/openssh/opacket.h                           |   154 -
>  crypto/openssh/openbsd-compat/Makefile.in          |    11 +-
>  crypto/openssh/openbsd-compat/arc4random.c         |    12 +-
>  crypto/openssh/openbsd-compat/base64.c             |     2 +-
>  crypto/openssh/openbsd-compat/bcrypt_pbkdf.c       |     4 +-
>  crypto/openssh/openbsd-compat/bsd-closefrom.c      |    88 +-
>  crypto/openssh/openbsd-compat/bsd-cygwin_util.c    |   149 +
>  crypto/openssh/openbsd-compat/bsd-cygwin_util.h    |     1 +
>  crypto/openssh/openbsd-compat/bsd-misc.c           |   113 +
>  crypto/openssh/openbsd-compat/bsd-misc.h           |    41 +-
>  crypto/openssh/openbsd-compat/bsd-openpty.c        |    17 +-
>  crypto/openssh/openbsd-compat/bsd-poll.h           |     2 +-
>  crypto/openssh/openbsd-compat/bsd-pselect.c        |   205 +
>  crypto/openssh/openbsd-compat/bsd-setres_id.c      |    12 +-
>  crypto/openssh/openbsd-compat/bsd-signal.c         |    29 +-
>  crypto/openssh/openbsd-compat/bsd-signal.h         |     7 +-
>  crypto/openssh/openbsd-compat/bsd-snprintf.c       |    18 +-
>  crypto/openssh/openbsd-compat/bsd-statvfs.c        |    10 +-
>  crypto/openssh/openbsd-compat/bsd-waitpid.h        |     2 +-
>  crypto/openssh/openbsd-compat/explicit_bzero.c     |    10 +-
>  crypto/openssh/openbsd-compat/fnmatch.c            |   495 +
>  crypto/openssh/openbsd-compat/fnmatch.h            |    66 +
>  crypto/openssh/openbsd-compat/getopt_long.c        |     2 +-
>  crypto/openssh/openbsd-compat/glob.c               |   157 +-
>  crypto/openssh/openbsd-compat/glob.h               |     9 +-
>  .../openssh/openbsd-compat/libressl-api-compat.c   |     6 +-
>  crypto/openssh/openbsd-compat/memmem.c             |   196 +
>  crypto/openssh/openbsd-compat/mktemp.c             |     4 +-
>  crypto/openssh/openbsd-compat/openbsd-compat.h     |    42 +-
>  crypto/openssh/openbsd-compat/openssl-compat.c     |    22 +-
>  crypto/openssh/openbsd-compat/openssl-compat.h     |    59 +-
>  crypto/openssh/openbsd-compat/port-aix.c           |    25 +-
>  crypto/openssh/openbsd-compat/port-aix.h           |     7 +-
>  crypto/openssh/openbsd-compat/port-irix.c          |     2 +
>  crypto/openssh/openbsd-compat/port-linux.c         |    25 +-
>  crypto/openssh/openbsd-compat/port-net.c           |    18 +-
>  crypto/openssh/openbsd-compat/port-prngd.c         |   164 +
>  crypto/openssh/openbsd-compat/port-solaris.c       |    14 +-
>  crypto/openssh/openbsd-compat/port-uw.c            |     2 +-
>  crypto/openssh/openbsd-compat/pwcache.c            |     4 +-
>  crypto/openssh/openbsd-compat/regress/Makefile.in  |     4 +-
>  .../openssh/openbsd-compat/regress/closefromtest.c |     4 +-
>  .../openbsd-compat/regress/opensslvertest.c        |     2 +
>  .../openssh/openbsd-compat/regress/snprintftest.c  |     5 +-
>  crypto/openssh/openbsd-compat/regress/strduptest.c |     2 +
>  .../openssh/openbsd-compat/regress/strtonumtest.c  |     2 +
>  .../openssh/openbsd-compat/regress/utimensattest.c |   120 +
>  crypto/openssh/openbsd-compat/rmd160.c             |   378 -
>  crypto/openssh/openbsd-compat/rmd160.h             |    61 -
>  crypto/openssh/openbsd-compat/setenv.c             |     2 +
>  crypto/openssh/openbsd-compat/setproctitle.c       |     1 +
>  crypto/openssh/openbsd-compat/sha1.c               |    13 +-
>  crypto/openssh/openbsd-compat/sha2.c               |   336 +-
>  crypto/openssh/openbsd-compat/sha2.h               |   138 +-
>  crypto/openssh/openbsd-compat/strtonum.c           |     6 +-
>  crypto/openssh/openbsd-compat/sys-queue.h          |   376 +-
>  crypto/openssh/packet.c                            |   264 +-
>  crypto/openssh/packet.h                            |    14 +-
>  crypto/openssh/pathnames.h                         |     9 +-
>  crypto/openssh/platform.c                          |     1 +
>  crypto/openssh/progressmeter.c                     |    60 +-
>  crypto/openssh/progressmeter.h                     |     3 +-
>  crypto/openssh/readconf.c                          |  1338 +-
>  crypto/openssh/readconf.h                          |    37 +-
>  crypto/openssh/readpass.c                          |   191 +-
>  crypto/openssh/regress/Makefile                    |    75 +-
>  crypto/openssh/regress/README.regress              |    80 +-
>  crypto/openssh/regress/addrmatch.sh                |    16 +-
>  crypto/openssh/regress/agent-getpeereid.sh         |     6 +-
>  crypto/openssh/regress/agent-pkcs11.sh             |    99 +-
>  crypto/openssh/regress/agent-ptrace.sh             |     2 +-
>  crypto/openssh/regress/agent-subprocess.sh         |    22 +
>  crypto/openssh/regress/agent-timeout.sh            |    12 +-
>  crypto/openssh/regress/agent.sh                    |   124 +-
>  crypto/openssh/regress/allow-deny-users.sh         |     8 +-
>  crypto/openssh/regress/banner.sh                   |     6 +-
>  crypto/openssh/regress/cert-file.sh                |     4 +-
>  crypto/openssh/regress/cert-hostkey.sh             |    36 +-
>  crypto/openssh/regress/cert-userkey.sh             |    53 +-
>  crypto/openssh/regress/cfginclude.sh               |    24 +-
>  crypto/openssh/regress/cfgmatch.sh                 |    55 +-
>  crypto/openssh/regress/cfgparse.sh                 |     0
>  crypto/openssh/regress/conch-ciphers.sh            |     4 +-
>  crypto/openssh/regress/connect-privsep.sh          |     5 +-
>  crypto/openssh/regress/connect.sh                  |    11 +-
>  crypto/openssh/regress/dhgex.sh                    |    14 +-
>  crypto/openssh/regress/ed25519_openssh.prv         |     7 +
>  crypto/openssh/regress/ed25519_openssh.pub         |     1 +
>  crypto/openssh/regress/forward-control.sh          |     6 +-
>  crypto/openssh/regress/forwarding.sh               |    44 +-
>  crypto/openssh/regress/host-expand.sh              |     0
>  crypto/openssh/regress/hostkey-agent.sh            |    10 +-
>  crypto/openssh/regress/hostkey-rotate.sh           |    80 +-
>  crypto/openssh/regress/integrity.sh                |     8 +-
>  crypto/openssh/regress/kextype.sh                  |     0
>  crypto/openssh/regress/key-options.sh              |    10 +-
>  crypto/openssh/regress/keygen-change.sh            |     7 +-
>  crypto/openssh/regress/keygen-comment.sh           |    52 +
>  crypto/openssh/regress/keygen-convert.sh           |    54 +-
>  crypto/openssh/regress/keygen-knownhosts.sh        |     0
>  crypto/openssh/regress/keygen-moduli.sh            |    17 +-
>  crypto/openssh/regress/keygen-sshfp.sh             |    29 +
>  crypto/openssh/regress/keys-command.sh             |    11 +-
>  crypto/openssh/regress/keyscan.sh                  |    17 +-
>  crypto/openssh/regress/keytype.sh                  |    57 +-
>  crypto/openssh/regress/knownhosts-command.sh       |    53 +
>  crypto/openssh/regress/krl.sh                      |    41 +-
>  crypto/openssh/regress/limit-keytype.sh            |    69 +-
>  crypto/openssh/regress/localcommand.sh             |     0
>  crypto/openssh/regress/misc/Makefile               |     2 +-
>  crypto/openssh/regress/misc/fuzz-harness/Makefile  |    51 +-
>  .../regress/misc/fuzz-harness/agent_fuzz.cc        |    15 +
>  .../regress/misc/fuzz-harness/agent_fuzz_helper.c  |   177 +
>  .../openssh/regress/misc/fuzz-harness/fixed-keys.h |   119 +
>  .../openssh/regress/misc/fuzz-harness/kex_fuzz.cc  |   461 +
>  .../regress/misc/fuzz-harness/privkey_fuzz.cc      |    21 +
>  .../openssh/regress/misc/fuzz-harness/sig_fuzz.cc  |    24 +-
>  .../regress/misc/fuzz-harness/ssh-sk-null.cc       |    51 +
>  .../regress/misc/fuzz-harness/sshsig_fuzz.cc       |    37 +
>  .../regress/misc/fuzz-harness/sshsigopt_fuzz.cc    |    29 +
>  .../regress/misc/fuzz-harness/testdata/README      |     4 +
>  .../fuzz-harness/testdata/create-agent-corpus.sh   |    44 +
>  .../regress/misc/fuzz-harness/testdata/id_dsa      |    21 +
>  .../misc/fuzz-harness/testdata/id_dsa-cert.pub     |     1 +
>  .../regress/misc/fuzz-harness/testdata/id_dsa.pub  |     1 +
>  .../regress/misc/fuzz-harness/testdata/id_ecdsa    |     8 +
>  .../misc/fuzz-harness/testdata/id_ecdsa-cert.pub   |     1 +
>  .../misc/fuzz-harness/testdata/id_ecdsa.pub        |     1 +
>  .../regress/misc/fuzz-harness/testdata/id_ecdsa_sk |    14 +
>  .../fuzz-harness/testdata/id_ecdsa_sk-cert.pub     |     1 +
>  .../misc/fuzz-harness/testdata/id_ecdsa_sk.pub     |     1 +
>  .../regress/misc/fuzz-harness/testdata/id_ed25519  |     7 +
>  .../misc/fuzz-harness/testdata/id_ed25519-cert.pub |     1 +
>  .../misc/fuzz-harness/testdata/id_ed25519.pub      |     2 +
>  .../misc/fuzz-harness/testdata/id_ed25519_sk       |     8 +
>  .../fuzz-harness/testdata/id_ed25519_sk-cert.pub   |     1 +
>  .../misc/fuzz-harness/testdata/id_ed25519_sk.pub   |     1 +
>  .../regress/misc/fuzz-harness/testdata/id_rsa      |    27 +
>  .../misc/fuzz-harness/testdata/id_rsa-cert.pub     |     1 +
>  .../regress/misc/fuzz-harness/testdata/id_rsa.pub  |     1 +
>  crypto/openssh/regress/misc/kexfuzz/Makefile       |    88 -
>  crypto/openssh/regress/misc/kexfuzz/README         |    34 -
>  crypto/openssh/regress/misc/kexfuzz/kexfuzz.c      |   459 -
>  crypto/openssh/regress/misc/sk-dummy/fatal.c       |    27 +
>  crypto/openssh/regress/misc/sk-dummy/sk-dummy.c    |   539 +
>  crypto/openssh/regress/modpipe.c                   |     0
>  crypto/openssh/regress/multiplex.sh                |    32 +-
>  crypto/openssh/regress/multipubkey.sh              |    19 +-
>  crypto/openssh/regress/netcat.c                    |    46 +-
>  crypto/openssh/regress/percent.sh                  |   119 +
>  crypto/openssh/regress/portnum.sh                  |     0
>  crypto/openssh/regress/principals-command.sh       |    16 +-
>  crypto/openssh/regress/proxy-connect.sh            |    10 +-
>  crypto/openssh/regress/putty-ciphers.sh            |     4 +-
>  crypto/openssh/regress/putty-kex.sh                |     4 +-
>  crypto/openssh/regress/putty-transfer.sh           |    10 +-
>  crypto/openssh/regress/reconfigure.sh              |    24 +-
>  crypto/openssh/regress/reexec.sh                   |     5 +-
>  crypto/openssh/regress/rekey.sh                    |     8 +-
>  crypto/openssh/regress/scp-ssh-wrapper.sh          |    14 +-
>  crypto/openssh/regress/scp-uri.sh                  |    81 +-
>  crypto/openssh/regress/scp.sh                      |   183 +-
>  crypto/openssh/regress/scp3.sh                     |    60 +
>  crypto/openssh/regress/servcfginclude.sh           |   188 +
>  crypto/openssh/regress/sftp-badcmds.sh             |     4 +-
>  crypto/openssh/regress/sftp-chroot.sh              |     7 +-
>  crypto/openssh/regress/sftp-cmds.sh                |     4 -
>  crypto/openssh/regress/sftp-perm.sh                |    18 +-
>  crypto/openssh/regress/ssh2putty.sh                |     8 +-
>  crypto/openssh/regress/sshcfgparse.sh              |    68 +-
>  crypto/openssh/regress/sshfp-connect.sh            |    66 +
>  crypto/openssh/regress/sshsig.sh                   |   236 +
>  crypto/openssh/regress/test-exec.sh                |   280 +-
>  crypto/openssh/regress/unittests/Makefile          |     4 +-
>  crypto/openssh/regress/unittests/Makefile.inc      |    38 +-
>  crypto/openssh/regress/unittests/authopt/tests.c   |    10 +-
>  crypto/openssh/regress/unittests/bitmap/tests.c    |     4 +
>  .../openssh/regress/unittests/conversion/Makefile  |     3 +-
>  .../openssh/regress/unittests/conversion/tests.c   |    32 +-
>  crypto/openssh/regress/unittests/hostkeys/Makefile |    12 +-
>  .../regress/unittests/hostkeys/mktestdata.sh       |     0
>  .../regress/unittests/hostkeys/test_iterate.c      |   119 +-
>  crypto/openssh/regress/unittests/kex/Makefile      |    31 +-
>  crypto/openssh/regress/unittests/kex/test_kex.c    |    29 +-
>  crypto/openssh/regress/unittests/match/Makefile    |     4 +-
>  crypto/openssh/regress/unittests/match/tests.c     |     4 +-
>  crypto/openssh/regress/unittests/misc/test_argv.c  |   187 +
>  .../openssh/regress/unittests/misc/test_convtime.c |    59 +
>  .../openssh/regress/unittests/misc/test_expand.c   |    90 +
>  crypto/openssh/regress/unittests/misc/test_parse.c |    86 +
>  .../openssh/regress/unittests/misc/test_strdelim.c |   202 +
>  crypto/openssh/regress/unittests/misc/tests.c      |    38 +
>  crypto/openssh/regress/unittests/sshbuf/Makefile   |    10 +-
>  .../regress/unittests/sshbuf/test_sshbuf_fuzz.c    |     9 +-
>  .../unittests/sshbuf/test_sshbuf_getput_basic.c    |   231 +-
>  .../unittests/sshbuf/test_sshbuf_getput_crypto.c   |   160 +-
>  .../unittests/sshbuf/test_sshbuf_getput_fuzz.c     |    31 +-
>  .../regress/unittests/sshbuf/test_sshbuf_misc.c    |    71 +-
>  crypto/openssh/regress/unittests/sshbuf/tests.c    |     2 +
>  crypto/openssh/regress/unittests/sshkey/Makefile   |    14 +-
>  crypto/openssh/regress/unittests/sshkey/common.c   |    17 +-
>  .../openssh/regress/unittests/sshkey/mktestdata.sh |    85 +-
>  .../openssh/regress/unittests/sshkey/test_file.c   |   141 +-
>  .../openssh/regress/unittests/sshkey/test_fuzz.c   |    78 +-
>  .../openssh/regress/unittests/sshkey/test_sshkey.c |    55 +-
>  .../regress/unittests/sshkey/testdata/dsa_n        |    33 +-
>  .../regress/unittests/sshkey/testdata/ecdsa_n      |    13 +-
>  .../regress/unittests/sshkey/testdata/ecdsa_sk1    |    13 +
>  .../unittests/sshkey/testdata/ecdsa_sk1-cert.fp    |     1 +
>  .../unittests/sshkey/testdata/ecdsa_sk1-cert.pub   |     1 +
>  .../regress/unittests/sshkey/testdata/ecdsa_sk1.fp |     1 +
>  .../unittests/sshkey/testdata/ecdsa_sk1.fp.bb      |     1 +
>  .../unittests/sshkey/testdata/ecdsa_sk1.pub        |     1 +
>  .../regress/unittests/sshkey/testdata/ecdsa_sk1_pw |    14 +
>  .../regress/unittests/sshkey/testdata/ecdsa_sk2    |    13 +
>  .../regress/unittests/sshkey/testdata/ecdsa_sk2.fp |     1 +
>  .../unittests/sshkey/testdata/ecdsa_sk2.fp.bb      |     1 +
>  .../unittests/sshkey/testdata/ecdsa_sk2.pub        |     1 +
>  .../regress/unittests/sshkey/testdata/ed25519_1_pw |    12 +-
>  .../regress/unittests/sshkey/testdata/ed25519_sk1  |     8 +
>  .../unittests/sshkey/testdata/ed25519_sk1-cert.fp  |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk1-cert.pub |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk1.fp       |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk1.fp.bb    |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk1.pub      |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk1_pw       |     9 +
>  .../regress/unittests/sshkey/testdata/ed25519_sk2  |     8 +
>  .../unittests/sshkey/testdata/ed25519_sk2.fp       |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk2.fp.bb    |     1 +
>  .../unittests/sshkey/testdata/ed25519_sk2.pub      |     1 +
>  .../regress/unittests/sshkey/testdata/rsa1_1       |   Bin 533 -> 0 bytes
>  .../regress/unittests/sshkey/testdata/rsa1_1.fp    |     1 -
>  .../regress/unittests/sshkey/testdata/rsa1_1.fp.bb |     1 -
>  .../unittests/sshkey/testdata/rsa1_1.param.n       |     1 -
>  .../regress/unittests/sshkey/testdata/rsa1_1.pub   |     1 -
>  .../regress/unittests/sshkey/testdata/rsa1_1_pw    |   Bin 533 -> 0 bytes
>  .../regress/unittests/sshkey/testdata/rsa1_2       |   Bin 981 -> 0 bytes
>  .../regress/unittests/sshkey/testdata/rsa1_2.fp    |     1 -
>  .../regress/unittests/sshkey/testdata/rsa1_2.fp.bb |     1 -
>  .../unittests/sshkey/testdata/rsa1_2.param.n       |     1 -
>  .../regress/unittests/sshkey/testdata/rsa1_2.pub   |     1 -
>  .../regress/unittests/sshkey/testdata/rsa_n        |    31 +-
>  crypto/openssh/regress/unittests/sshkey/tests.c    |     5 -
>  crypto/openssh/regress/unittests/sshsig/Makefile   |    25 +
>  .../openssh/regress/unittests/sshsig/mktestdata.sh |    42 +
>  .../openssh/regress/unittests/sshsig/testdata/dsa  |    12 +
>  .../regress/unittests/sshsig/testdata/dsa.pub      |     1 +
>  .../regress/unittests/sshsig/testdata/dsa.sig      |    13 +
>  .../regress/unittests/sshsig/testdata/ecdsa        |     5 +
>  .../regress/unittests/sshsig/testdata/ecdsa.pub    |     1 +
>  .../regress/unittests/sshsig/testdata/ecdsa.sig    |     7 +
>  .../regress/unittests/sshsig/testdata/ecdsa_sk     |    13 +
>  .../regress/unittests/sshsig/testdata/ecdsa_sk.pub |     1 +
>  .../regress/unittests/sshsig/testdata/ecdsa_sk.sig |     8 +
>  .../sshsig/testdata/ecdsa_sk_webauthn.pub          |     1 +
>  .../sshsig/testdata/ecdsa_sk_webauthn.sig          |    13 +
>  .../regress/unittests/sshsig/testdata/ed25519      |     7 +
>  .../regress/unittests/sshsig/testdata/ed25519.pub  |     1 +
>  .../regress/unittests/sshsig/testdata/ed25519.sig  |     6 +
>  .../regress/unittests/sshsig/testdata/ed25519_sk   |     8 +
>  .../unittests/sshsig/testdata/ed25519_sk.pub       |     1 +
>  .../unittests/sshsig/testdata/ed25519_sk.sig       |     7 +
>  .../regress/unittests/sshsig/testdata/namespace    |     1 +
>  .../openssh/regress/unittests/sshsig/testdata/rsa  |    39 +
>  .../regress/unittests/sshsig/testdata/rsa.pub      |     1 +
>  .../regress/unittests/sshsig/testdata/rsa.sig      |    19 +
>  .../regress/unittests/sshsig/testdata/signed-data  |     1 +
>  crypto/openssh/regress/unittests/sshsig/tests.c    |   139 +
>  .../openssh/regress/unittests/sshsig/webauthn.html |   766 +
>  .../regress/unittests/test_helper/test_helper.c    |    60 +-
>  .../regress/unittests/test_helper/test_helper.h    |     8 +-
>  crypto/openssh/regress/unittests/utf8/tests.c      |     2 +
>  crypto/openssh/regress/valgrind-unit.sh            |     2 +
>  crypto/openssh/sandbox-darwin.c                    |     2 +-
>  crypto/openssh/sandbox-pledge.c                    |     8 +-
>  crypto/openssh/sandbox-rlimit.c                    |    18 +-
>  crypto/openssh/sandbox-seccomp-filter.c            |    76 +-
>  crypto/openssh/sandbox-systrace.c                  |     7 +-
>  crypto/openssh/scp.1                               |    87 +-
>  crypto/openssh/scp.c                               |   679 +-
>  crypto/openssh/servconf.c                          |  1165 +-
>  crypto/openssh/servconf.h                          |    63 +-
>  crypto/openssh/serverloop.c                        |   566 +-
>  crypto/openssh/session.c                           |   461 +-
>  crypto/openssh/sftp-client.c                       |  1162 +-
>  crypto/openssh/sftp-client.h                       |    64 +-
>  crypto/openssh/sftp-common.c                       |     5 +-
>  crypto/openssh/sftp-glob.c                         |     4 +-
>  .../{openbsd-compat/realpath.c => sftp-realpath.c} |    13 +-
>  crypto/openssh/sftp-server-main.c                  |     5 +-
>  crypto/openssh/sftp-server.8                       |    32 +-
>  crypto/openssh/sftp-server.c                       |   491 +-
>  crypto/openssh/sftp.1                              |   126 +-
>  crypto/openssh/sftp.c                              |   304 +-
>  crypto/openssh/sk-api.h                            |    98 +
>  crypto/openssh/sk-usbhid.c                         |  1267 ++
>  crypto/openssh/sntrup761.c                         |  1273 ++
>  crypto/openssh/sntrup761.sh                        |    85 +
>  crypto/openssh/srclimit.c                          |   140 +
>  crypto/openssh/srclimit.h                          |    18 +
>  crypto/openssh/ssh-add.1                           |    81 +-
>  crypto/openssh/ssh-add.c                           |   315 +-
>  crypto/openssh/ssh-agent.1                         |   178 +-
>  crypto/openssh/ssh-agent.c                         |   697 +-
>  crypto/openssh/ssh-dss.c                           |     8 +-
>  crypto/openssh/ssh-ecdsa-sk.c                      |   324 +
>  crypto/openssh/ssh-ecdsa.c                         |    14 +-
>  crypto/openssh/ssh-ed25519-sk.c                    |   163 +
>  crypto/openssh/ssh-ed25519.c                       |    23 +-
>  crypto/openssh/ssh-gss.h                           |     4 +-
>  crypto/openssh/ssh-keygen.1                        |   717 +-
>  crypto/openssh/ssh-keygen.c                        |  2111 ++-
>  crypto/openssh/ssh-keyscan.1                       |     6 +-
>  crypto/openssh/ssh-keyscan.c                       |   105 +-
>  crypto/openssh/ssh-keysign.8                       |     6 +-
>  crypto/openssh/ssh-keysign.c                       |    77 +-
>  crypto/openssh/ssh-pkcs11-client.c                 |   212 +-
>  crypto/openssh/ssh-pkcs11-helper.8                 |    29 +-
>  crypto/openssh/ssh-pkcs11-helper.c                 |   210 +-
>  crypto/openssh/ssh-pkcs11.c                        |  1774 +-
>  crypto/openssh/ssh-pkcs11.h                        |    20 +-
>  crypto/openssh/ssh-sk-client.c                     |   448 +
>  crypto/openssh/ssh-sk-helper.8                     |    66 +
>  crypto/openssh/ssh-sk-helper.c                     |   364 +
>  crypto/openssh/ssh-sk.c                            |   826 +
>  crypto/openssh/ssh-sk.h                            |    69 +
>  crypto/openssh/ssh-xmss.c                          |    27 +-
>  crypto/openssh/ssh.1                               |   166 +-
>  crypto/openssh/ssh.c                               |   925 +-
>  crypto/openssh/ssh.h                               |    11 +-
>  crypto/openssh/ssh2.h                              |     4 +-
>  crypto/openssh/ssh_api.c                           |   234 +-
>  crypto/openssh/ssh_config                          |     6 +-
>  crypto/openssh/ssh_config.5                        |   651 +-
>  crypto/openssh/ssh_namespace.h                     |   223 +-
>  crypto/openssh/sshbuf-getput-basic.c               |   171 +-
>  crypto/openssh/sshbuf-getput-crypto.c              |    76 +-
>  crypto/openssh/sshbuf-io.c                         |   117 +
>  crypto/openssh/sshbuf-misc.c                       |   152 +-
>  crypto/openssh/sshbuf.c                            |    22 +-
>  crypto/openssh/sshbuf.h                            |    79 +-
>  crypto/openssh/sshconnect.c                        |   882 +-
>  crypto/openssh/sshconnect.h                        |    63 +-
>  crypto/openssh/sshconnect2.c                       |   942 +-
>  crypto/openssh/sshd.8                              |   115 +-
>  crypto/openssh/sshd.c                              |   975 +-
>  crypto/openssh/sshd_config                         |    12 +-
>  crypto/openssh/sshd_config.5                       |   351 +-
>  crypto/openssh/ssherr.c                            |     6 +-
>  crypto/openssh/ssherr.h                            |     4 +-
>  crypto/openssh/sshkey-xmss.c                       |   160 +-
>  crypto/openssh/sshkey-xmss.h                       |    16 +-
>  crypto/openssh/sshkey.c                            |  1516 +-
>  crypto/openssh/sshkey.h                            |   103 +-
>  crypto/openssh/sshlogin.c                          |     9 +-
>  crypto/openssh/sshpty.c                            |    23 +-
>  crypto/openssh/sshsig.c                            |  1098 ++
>  crypto/openssh/sshsig.h                            |   107 +
>  crypto/openssh/ttymodes.c                          |    44 +-
>  crypto/openssh/uidswap.c                           |    40 +-
>  crypto/openssh/umac.c                              |    10 +-
>  crypto/openssh/umac.h                              |     6 +-
>  crypto/openssh/utf8.c                              |    27 +-
>  crypto/openssh/utf8.h                              |    11 +-
>  crypto/openssh/uuencode.c                          |    95 -
>  crypto/openssh/uuencode.h                          |    29 -
>  crypto/openssh/version.h                           |     6 +-
>  crypto/openssh/xmalloc.c                           |    31 +-
>  crypto/openssh/xmalloc.h                           |     8 +-
>  crypto/openssh/xmss_commons.c                      |     2 +-
>  crypto/openssh/xmss_fast.c                         |     2 +-
>  crypto/openssh/xmss_hash.c                         |     2 +-
>  crypto/openssh/xmss_hash_address.c                 |     2 +-
>  crypto/openssh/xmss_wots.c                         |     2 +-
>  lib/libpam/modules/pam_ssh/pam_ssh.c               |     2 +-
>  secure/lib/libssh/Makefile                         |    19 +-
>  secure/usr.bin/scp/Makefile                        |     2 +-
>  secure/usr.bin/ssh-add/Makefile                    |     2 +-
>  secure/usr.bin/ssh-keygen/Makefile                 |     3 +-
>  secure/usr.sbin/sshd/Makefile                      |     2 +-
>  539 files changed, 54039 insertions(+), 25574 deletions(-)
> 
> diff --cc crypto/openssh/.github/ci-status.md
> index 000000000000,0ad8bf5aaf44..0ad8bf5aaf44
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/ci-status.md
> +++ b/crypto/openssh/.github/ci-status.md
> diff --cc crypto/openssh/.github/configs
> index 000000000000,12578c067348..12578c067348
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/configs
> +++ b/crypto/openssh/.github/configs
> diff --cc crypto/openssh/.github/configure.sh
> index 000000000000,e098730f02d6..e098730f02d6
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/configure.sh
> +++ b/crypto/openssh/.github/configure.sh
> diff --cc crypto/openssh/.github/run_test.sh
> index 000000000000,adf2568ad1e2..adf2568ad1e2
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/run_test.sh
> +++ b/crypto/openssh/.github/run_test.sh
> diff --cc crypto/openssh/.github/setup_ci.sh
> index 000000000000,70a444e4eff4..70a444e4eff4
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/setup_ci.sh
> +++ b/crypto/openssh/.github/setup_ci.sh
> diff --cc crypto/openssh/.github/workflows/c-cpp.yml
> index 000000000000,289b18b7f621..289b18b7f621
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/workflows/c-cpp.yml
> +++ b/crypto/openssh/.github/workflows/c-cpp.yml
> diff --cc crypto/openssh/.github/workflows/selfhosted.yml
> index 000000000000,df6eca714fb5..df6eca714fb5
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/workflows/selfhosted.yml
> +++ b/crypto/openssh/.github/workflows/selfhosted.yml
> diff --cc crypto/openssh/.github/workflows/upstream.yml
> index 000000000000,f0493c12d7d5..f0493c12d7d5
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/workflows/upstream.yml
> +++ b/crypto/openssh/.github/workflows/upstream.yml
> diff --cc crypto/openssh/.gitignore
> index 650eb3c3c90c,000000000000..5e4ae5a60d06
> mode 100644,000000..100644
> --- a/crypto/openssh/.gitignore
> +++ b/crypto/openssh/.gitignore
> @@@ -1,28 -1,0 +1,36 @@@
>  +Makefile
>  +buildpkg.sh
>  +config.h
>  +config.h.in
> ++config.h.in~
> ++config.log
>  +config.status
>  +configure
> ++aclocal.m4
>  +openbsd-compat/Makefile
>  +openbsd-compat/regress/Makefile
>  +openssh.xml
>  +opensshd.init
>  +survey.sh
>  +**/*.0
>  +**/*.o
> ++**/*.lo
> ++**/*.so
>  +**/*.out
>  +**/*.a
>  +autom4te.cache/
>  +scp
>  +sftp
>  +sftp-server
>  +ssh
>  +ssh-add
>  +ssh-agent
>  +ssh-keygen
>  +ssh-keyscan
>  +ssh-keysign
>  +ssh-pkcs11-helper
> ++ssh-sk-helper
>  +sshd
>  +!regress/misc/fuzz-harness/Makefile
> ++!regress/unittests/sshsig/Makefile
> ++tags
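
Review bot: The new `tags` entry at the end of this hunk is unanchored, so it ignores any file or directory named tags at any depth below crypto/openssh, and the added `ssh-sk-helper` entry behaves the same way as the existing bare binary names. If only the top-level build products are meant, `/tags` and `/ssh-sk-helper` would be tighter.
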
> diff --cc crypto/openssh/FREEBSD-vendor
> index f48cbb6c3079,000000000000..c7f6462985a2
> mode 100644,000000..100644
> --- a/crypto/openssh/FREEBSD-vendor
> +++ b/crypto/openssh/FREEBSD-vendor
> @@@ -1,6 -1,0 +1,6 @@@
>  +# $FreeBSD$
>  +Project:	Portable OpenSSH
>  +ProjectURL:	http://www.openssh.com/portable.html
> - Version:	7.9p1
> ++Version:	8.7p1
>  +License:	BSD
> - Maintainer:	des
> ++Maintainer:	emaste
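
Review bot: The unchanged ProjectURL line still points at http://www.openssh.com/portable.html while Version and Maintainer are refreshed around it. Switching it to https in the same edit would match the https links that the INSTALL changes in this commit adopt for LibreSSL and OpenSSL.
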
> diff --cc crypto/openssh/INSTALL
> index 775eb6c05342,000000000000..8ab8a403a4e2
> mode 100644,000000..100644
> --- a/crypto/openssh/INSTALL
> +++ b/crypto/openssh/INSTALL
> @@@ -1,276 -1,0 +1,301 @@@
>  +1. Prerequisites
>  +----------------
>  +
>  +A C compiler.  Any C89 or better compiler should work.  Where supported,
>  +configure will attempt to enable the compiler's run-time integrity checking
>  +options.  Some notes about specific compilers:
>  + - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
>  +  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
>  +
> - You will need working installations of Zlib and libcrypto (LibreSSL /
> - OpenSSL)
> ++To support Privilege Separation (which is now required) you will need
> ++to create the user, group and directory used by sshd for privilege
> ++separation.  See README.privsep for details.
>  +
> ++
> ++The remaining items are optional.
> ++
> ++A working installation of zlib:
>  +Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
>  +http://www.gzip.org/zlib/
>  +
> - libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
> - LibreSSL http://www.libressl.org/ ; or
> - OpenSSL http://www.openssl.org/
> ++libcrypto from either of LibreSSL or OpenSSL.  Building without libcrypto
> ++is supported but severely restricts the available ciphers and algorithms.
> ++ - LibreSSL (https://www.libressl.org/)
> ++ - OpenSSL (https://www.openssl.org) with any of the following versions:
> ++   - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
> ++
> ++Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
> ++1.1.0g can't be used.
>  +
>  +LibreSSL/OpenSSL should be compiled as a position-independent library
> - (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
> - If you must use a non-position-independent libcrypto, then you may need
> - to configure OpenSSH --without-pie.  Note that because of API changes,
> - OpenSSL 1.1.x is not currently supported.
> ++(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
> ++or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not
> ++be able to link with it.  If you must use a non-position-independent
> ++libcrypto, then you may need to configure OpenSSH --without-pie.
>  +
> - The remaining items are optional.
> ++If you build either from source, running the OpenSSL self-test ("make
> ++tests") or the LibreSSL equivalent ("make check") and ensuring that all
> ++tests pass is strongly recommended.
>  +
>  +NB. If you operating system supports /dev/random, you should configure
>  +libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
> - direct support of /dev/random, or failing that, either prngd or egd
> ++direct support of /dev/random, or failing that, either prngd or egd.
>  +
>  +PRNGD:
>  +
>  +If your system lacks kernel-based random collection, the use of Lutz
> - Jaenicke's PRNGd is recommended.
> ++Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
> ++to support it.
>  +
>  +http://prngd.sourceforge.net/
>  +
>  +EGD:
>  +
> - If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
> - supported only if libcrypto supports it.
> ++The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
> ++It also supported only if libcrypto is configured to support it.
>  +
>  +http://egd.sourceforge.net/
>  +
>  +PAM:
>  +
>  +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
>  +system supports it. PAM is standard most Linux distributions, Solaris,
> - HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
> ++HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.
>  +
>  +Information about the various PAM implementations are available:
>  +
>  +Solaris PAM:	http://www.sun.com/software/solaris/pam/
>  +Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
>  +OpenPAM:	http://www.openpam.org/
>  +
>  +If you wish to build the GNOME passphrase requester, you will need the GNOME
>  +libraries and headers.
>  +
>  +GNOME:
>  +http://www.gnome.org/
>  +
>  +Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
>  +passphrase requester. This is maintained separately at:
>  +
>  +http://www.jmknoble.net/software/x11-ssh-askpass/
>  +
>  +TCP Wrappers:
>  +
>  +If you wish to use the TCP wrappers functionality you will need at least
>  +tcpd.h and libwrap.a, either in the standard include and library paths,
>  +or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
>  +known to work.
>  +
>  +http://ftp.porcupine.org/pub/security/index.html
>  +
>  +LibEdit:
>  +
>  +sftp supports command-line editing via NetBSD's libedit.  If your platform
>  +has it available natively you can use that, alternatively you might try
>  +these multi-platform ports:
>  +
>  +http://www.thrysoee.dk/editline/
>  +http://sourceforge.net/projects/libedit/
>  +
>  +LDNS:
>  +
>  +LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
>  +
>  +http://nlnetlabs.nl/projects/ldns/
>  +
>  +Autoconf:
>  +
>  +If you modify configure.ac or configure doesn't exist (eg if you checked
> - the code out of git yourself) then you will need autoconf-2.69 to rebuild
> - the automatically generated files by running "autoreconf".  Earlier
> - versions may also work but this is not guaranteed.
> ++the code out of git yourself) then you will need autoconf-2.69 and
> ++automake-1.16.1 to rebuild the automatically generated files by running
> ++"autoreconf".  Earlier versions may also work but this is not guaranteed.
>  +
>  +http://www.gnu.org/software/autoconf/
> ++http://www.gnu.org/software/automake/
>  +
>  +Basic Security Module (BSM):
>  +
>  +Native BSM support is known to exist in Solaris from at least 2.5.1,
>  +FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
>  +implementation (http://www.openbsm.org).
>  +
>  +makedepend:
>  +
>  +https://www.x.org/archive/individual/util/
>  +
>  +If you are making significant changes to the code you may need to rebuild
>  +the dependency (.depend) file using "make depend", which requires the
>  +"makedepend" tool from the X11 distribution.
>  +
> ++libfido2:
> ++
> ++libfido2 allows the use of hardware security keys over USB.  libfido2
> ++in turn depends on libcbor.  libfido2 >= 1.5.0 is strongly recommended.
> ++Limited functionality is possible with earlier libfido2 versions.
> ++
> ++https://github.com/Yubico/libfido2
> ++https://github.com/pjk/libcbor
> ++
> ++
>  +2. Building / Installation
>  +--------------------------
>  +
>  +To install OpenSSH with default options:
>  +
>  +./configure
>  +make
>  +make install
>  +
>  +This will install the OpenSSH binaries in /usr/local/bin, configuration files
>  +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
>  +installation prefix, use the --prefix option to configure:
>  +
>  +./configure --prefix=/opt
>  +make
>  +make install
>  +
>  +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
>  +specific paths, for example:
>  +
>  +./configure --prefix=/opt --sysconfdir=/etc/ssh
>  +make
>  +make install
>  +
>  +This will install the binaries in /opt/{bin,lib,sbin}, but will place the
>  +configuration files in /etc/ssh.
>  +
> - If you are using Privilege Separation (which is enabled by default)
> - then you will also need to create the user, group and directory used by
> - sshd for privilege separation.  See README.privsep for details.
> - 
>  +If you are using PAM, you may need to manually install a PAM control
>  +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
>  +them).  Note that the service name used to start PAM is __progname,
>  +which is the basename of the path of your sshd (e.g., the service name
>  +for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
>  +executable, your PAM configuration may need to be modified.
>  +
>  +A generic PAM configuration is included as "contrib/sshd.pam.generic",
>  +you may need to edit it before using it on your system. If you are
>  +using a recent version of Red Hat Linux, the config file in
>  +contrib/redhat/sshd.pam should be more useful.  Failure to install a
>  +valid PAM file may result in an inability to use password
>  +authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
>  +configuration will work with sshd (sshd will match the other service
>  +name).
>  +
>  +There are a few other options to the configure script:
>  +
>  +--with-audit=[module] enable additional auditing via the specified module.
>  +Currently, drivers for "debug" (additional info via syslog) and "bsm"
>  +(Sun's Basic Security Module) are supported.
>  +
>  +--with-pam enables PAM support. If PAM support is compiled in, it must
>  +also be enabled in sshd_config (refer to the UsePAM directive).
>  +
>  +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
>  +support and to specify a PRNGd socket. Use this if your Unix lacks
>  +/dev/random.
>  +
>  +--with-prngd-port=portnum allows you to enable EGD or PRNGD support
>  +and to specify a EGD localhost TCP port. Use this if your Unix lacks
>  +/dev/random.
>  +
>  +--with-lastlog=FILE will specify the location of the lastlog file.
>  +./configure searches a few locations for lastlog, but may not find
>  +it if lastlog is installed in a different place.
>  +
>  +--without-lastlog will disable lastlog support entirely.
>  +
>  +--with-osfsia, --without-osfsia will enable or disable OSF1's Security
>  +Integration Architecture.  The default for OSF1 machines is enable.
>  +
>  +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
>  +support.
>  +
>  +--with-md5-passwords will enable the use of MD5 passwords. Enable this
>  +if your operating system uses MD5 passwords and the system crypt() does
>  +not support them directly (see the crypt(3/3c) man page). If enabled, the
>  +resulting binary will support both MD5 and traditional crypt passwords.
>  +
>  +--with-utmpx enables utmpx support. utmpx support is automatic for
>  +some platforms.
>  +
>  +--without-shadow disables shadow password support.
>  +
>  +--with-ipaddr-display forces the use of a numeric IP address in the
>  +$DISPLAY environment variable. Some broken systems need this.
>  +
>  +--with-default-path=PATH allows you to specify a default $PATH for sessions
>  +started by sshd. This replaces the standard path entirely.
>  +
>  +--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
>  +created.
>  +
>  +--with-xauth=PATH specifies the location of the xauth binary
>  +
>  +--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
>  +libraries are installed.
>  +
>  +--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
>  +
> ++--without-openssl builds without using OpenSSL.  Only a subset of ciphers
> ++and algorithms are supported in this configuration.
> ++
> ++--without-zlib builds without zlib.  This disables the Compression option.
> ++
>  +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
>  +real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
>  +
>  +If you need to pass special options to the compiler or linker, you
>  +can specify these as environment variables before running ./configure.
>  +For example:
>  +
>  +CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
>  +
>  +3. Configuration
>  +----------------
>  +
>  +The runtime configuration files are installed by in ${prefix}/etc or
>  +whatever you specified as your --sysconfdir (/usr/local/etc by default).
>  +
>  +The default configuration should be instantly usable, though you should
>  +review it to ensure that it matches your security requirements.
>  +
>  +To generate a host key, run "make host-key". Alternately you can do so
>  +manually using the following commands:
>  +
>  +    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
>  +
>  +for each of the types you wish to generate (rsa, dsa or ecdsa) or
>  +
>  +    ssh-keygen -A
>  +
>  +to generate keys for all supported types.
>  +
>  +Replacing /etc/ssh with the correct path to the configuration directory.
>  +(${prefix}/etc or whatever you specified with --sysconfdir during
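
Review bot: In the EGD paragraph the added sentence "It also supported only if libcrypto is configured to support it." is missing its verb and should read "It is also supported only if ...". In the same hunk the added automake link uses http:// although the LibreSSL and OpenSSL links were moved to https://, and the unchanged clang note still names -sanitize=integer where the compiler flag is -fsanitize=integer. The host key instructions near the end of the visible text also still list only "rsa, dsa or ecdsa" as types. As this is imported text, these are best raised against the upstream INSTALL.
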
> *** 20555 LINES SKIPPED ***

After upgrading 14-CURRENT to this commit, we are unable to use "scp" from certain FreeBSD
13-STABLE hosts as well as from Linux Xubuntu 20.04 clients with the latest updates. scp from
14-CURRENT to 14-CURRENT works with public key authentication; if password/built-in-password or
PAM is used, we receive the password prompter, but then the connection is refused: Permission
denied or, taken from /var/log/auth.log:

Sep  9 17:19:10 <4.6> thor sshd[1450]: Failed password for ohartmann from 192.168.0.1 port 24332 ssh2

I do not see essential changes so scp works now exclusively/only with publickey. What is
wrong? Is this a bug? How to return to normal/expected behaviour?

 

It is also confusing that the manpage for sshd_config states for "UsePAM" as a regular config
tag:

"...UsePAM  Enables the Pluggable Authentication Module interface.  If set to yes this will
enable PAM  ... blablabla ... The default is yes ..."

If "UsePAM yes" is used explicitly in /etc/ssh/sshd_config and sshd is restarted, i.e. "service
sshd restart", then one receives this error message in /var/log/auth.log:

Sep  9 17:22:44 <4.6> thor sshd[1480]: rexec line 89: Unsupported option UsePAM

and on the console, this weird message appears:

# service sshd restart
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Stopping sshd.
Waiting for PIDS: 1423, 1423.
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Starting sshd.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM

Kind regards,

O. Hartmann

-- 
O. Hartmann
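
The console output quoted in the message shows the restart carrying on after sshd prints "Unsupported option", which is the message portable OpenSSH emits for a keyword whose support was not compiled in, so the condition has to be looked for explicitly. The following is an added example, not part of the original message and not FreeBSD or OpenSSH code; the function names, the AUTH_KEYWORDS list and the sample input are assumptions of the example.

```shell
#!/bin/sh
# Added example: report sshd_config keywords that sshd rejects as
# "Unsupported option", from console output and syslog lines alike.

# Constructed sample input, modelled on the log and console lines quoted above.
sample_lines() {
    cat <<'EOF'
Sep  9 17:19:10 <4.6> thor sshd[1450]: Failed password for ohartmann from 192.168.0.1 port 24332 ssh2
Sep  9 17:22:44 <4.6> thor sshd[1480]: rexec line 89: Unsupported option UsePAM
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Stopping sshd.
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Starting sshd.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
EOF
}

# Keywords whose loss changes how users authenticate. This list is an
# assumption of the example; extend it to match local policy.
AUTH_KEYWORDS="UsePAM KerberosAuthentication GSSAPIAuthentication"

# Read text on stdin and print "config-line option occurrences" once per
# distinct pair, in order of first appearance. The source label in front of
# "line" (a file path on the console, "rexec" in syslog) is ignored so that
# both report formats collapse onto the same config line.
unsupported_options() {
    awk '
    {
        for (i = 1; i + 4 <= NF; i++) {
            if ($i != "line" || $(i + 2) != "Unsupported" || $(i + 3) != "option")
                continue
            num = $(i + 1)
            sub(/:$/, "", num)
            if (num !~ /^[0-9]+$/)
                continue
            key = num " " $(i + 4)
            if (!(key in seen))
                order[++n] = key
            seen[key]++
        }
    }
    END { for (j = 1; j <= n; j++) print order[j] " " seen[order[j]] }'
}

# Print one finding per rejected keyword. Returns 1 if any of them is listed
# in AUTH_KEYWORDS, 0 otherwise.
check_sshd_output() {
    findings=$(unsupported_options)
    rc=0
    # Here-document instead of a pipe so that rc survives the loop.
    while read -r cfgline opt count; do
        if [ -z "$opt" ]; then
            continue
        fi
        sev=warning
        for kw in $AUTH_KEYWORDS; do
            if [ "$kw" = "$opt" ]; then
                sev=auth
                rc=1
            fi
        done
        printf '%s: sshd_config line %s: option %s is not supported by this sshd build (seen %s time(s))\n' \
            "$sev" "$cfgline" "$opt" "$count"
    done <<EOF
$findings
EOF
    return $rc
}

if ! sample_lines | check_sshd_output; then
    echo "authentication-related keyword rejected: check how sshd was built" >&2
fi
```

On a live system the same function can be fed the output of `sshd -t 2>&1` or the relevant part of /var/log/auth.log after an upgrade.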


