git: 6ac1039d047a - stable/13 - ssh: update to OpenSSH v8.9p1
Date: Fri, 07 Oct 2022 01:39:38 UTC
The branch stable/13 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=6ac1039d047aafcaae5fec13504ece8fdc764c5a
commit 6ac1039d047aafcaae5fec13504ece8fdc764c5a
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-04-13 20:00:56 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-07 01:39:00 +0000
ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
  restricting forwarding and use of keys added to ssh-agent(1)

* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
  ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
  default KEXAlgorithms list (after the ECDH methods but before the
  prime-group DH ones). The next release of OpenSSH is likely to
  make this key exchange the default method.

* sshd(8), portable OpenSSH only: this release removes in-built
  support for MD5-hashed passwords. If you require these on your
  system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 1323ec571215a77ddd21294f0871979d5ad6b992)
(cherry picked from commit 58def461e256e3a05c3ff15a87ed702fe0c3662c)
---
crypto/openssh/.depend | 11 +-
crypto/openssh/.github/configs | 76 +-
crypto/openssh/.github/configure.sh | 17 +-
crypto/openssh/.github/setup_ci.sh | 41 +-
crypto/openssh/.github/workflows/c-cpp.yml | 24 +-
crypto/openssh/.github/workflows/selfhosted.yml | 14 +-
crypto/openssh/.github/workflows/upstream.yml | 3 +-
crypto/openssh/.skipped-commit-ids | 1 +
crypto/openssh/ChangeLog | 17378 +++++++++----------
crypto/openssh/INSTALL | 5 -
crypto/openssh/LICENCE | 21 +-
crypto/openssh/Makefile.in | 55 +-
crypto/openssh/PROTOCOL | 69 +-
crypto/openssh/PROTOCOL.agent | 85 +-
crypto/openssh/PROTOCOL.mux | 6 +-
crypto/openssh/README | 2 +-
crypto/openssh/SECURITY.md | 5 +
crypto/openssh/addr.c | 30 +-
crypto/openssh/atomicio.c | 1 -
crypto/openssh/auth-options.c | 4 +-
crypto/openssh/auth-rhosts.c | 41 +-
crypto/openssh/auth.c | 16 +-
crypto/openssh/auth.h | 5 +-
crypto/openssh/auth2-gss.c | 5 +-
crypto/openssh/auth2-hostbased.c | 11 +-
crypto/openssh/auth2-kbdint.c | 5 +-
crypto/openssh/auth2-none.c | 5 +-
crypto/openssh/auth2-passwd.c | 5 +-
crypto/openssh/auth2-pubkey.c | 49 +-
crypto/openssh/auth2.c | 70 +-
crypto/openssh/authfd.c | 116 +-
crypto/openssh/authfd.h | 35 +-
crypto/openssh/authfile.c | 4 +-
crypto/openssh/channels.c | 554 +-
crypto/openssh/channels.h | 31 +-
crypto/openssh/clientloop.c | 236 +-
crypto/openssh/config.h | 36 +-
crypto/openssh/configure.ac | 126 +-
crypto/openssh/contrib/redhat/openssh.spec | 10 +-
crypto/openssh/contrib/suse/openssh.spec | 2 +-
crypto/openssh/defines.h | 39 +-
crypto/openssh/digest-libc.c | 10 +
crypto/openssh/dns.c | 4 +-
crypto/openssh/gss-genr.c | 1 +
crypto/openssh/hostfile.c | 22 +-
crypto/openssh/includes.h | 1 -
crypto/openssh/kex.c | 48 +-
crypto/openssh/kex.h | 13 +-
crypto/openssh/kexgen.c | 35 +-
crypto/openssh/kexgexc.c | 24 +-
crypto/openssh/kexgexs.c | 14 +-
crypto/openssh/kexsntrup761x25519.c | 4 +-
crypto/openssh/loginrec.c | 3 +-
crypto/openssh/md5crypt.c | 165 -
crypto/openssh/md5crypt.h | 22 -
crypto/openssh/misc.c | 90 +-
crypto/openssh/misc.h | 4 +-
crypto/openssh/moduli | 831 +-
crypto/openssh/monitor.c | 31 +-
crypto/openssh/mux.c | 4 +-
crypto/openssh/myproposal.h | 3 +-
crypto/openssh/nchan.c | 10 +-
crypto/openssh/openbsd-compat/arc4random.c | 8 +-
crypto/openssh/openbsd-compat/base64.c | 1 -
crypto/openssh/openbsd-compat/bcrypt_pbkdf.c | 41 +-
crypto/openssh/openbsd-compat/bindresvport.c | 1 +
crypto/openssh/openbsd-compat/blf.h | 7 +-
crypto/openssh/openbsd-compat/blowfish.c | 7 +-
crypto/openssh/openbsd-compat/bsd-closefrom.c | 8 +-
crypto/openssh/openbsd-compat/bsd-cygwin_util.c | 4 +-
crypto/openssh/openbsd-compat/bsd-getline.c | 2 +-
crypto/openssh/openbsd-compat/bsd-openpty.c | 76 +-
crypto/openssh/openbsd-compat/bsd-poll.c | 68 +-
crypto/openssh/openbsd-compat/bsd-poll.h | 26 +-
crypto/openssh/openbsd-compat/bsd-statvfs.c | 1 -
crypto/openssh/openbsd-compat/dirname.c | 1 -
crypto/openssh/openbsd-compat/fmt_scaled.c | 32 +-
crypto/openssh/openbsd-compat/getcwd.c | 1 -
crypto/openssh/openbsd-compat/inet_aton.c | 1 -
crypto/openssh/openbsd-compat/inet_ntop.c | 1 -
crypto/openssh/openbsd-compat/openbsd-compat.h | 4 +-
crypto/openssh/openbsd-compat/port-solaris.c | 1 -
crypto/openssh/openbsd-compat/xcrypt.c | 17 +-
crypto/openssh/packet.c | 103 +-
crypto/openssh/packet.h | 3 +-
crypto/openssh/platform-tracing.c | 13 +-
crypto/openssh/readconf.c | 27 +-
crypto/openssh/readconf.h | 7 +-
crypto/openssh/regress/Makefile | 14 +-
crypto/openssh/regress/agent-getpeereid.sh | 3 +
crypto/openssh/regress/agent-restrict.sh | 495 +
crypto/openssh/regress/cert-hostkey.sh | 86 +-
crypto/openssh/regress/cert-userkey.sh | 326 +-
crypto/openssh/regress/cipher-speed.sh | 10 +
crypto/openssh/regress/hostbased.sh | 66 +
crypto/openssh/regress/hostkey-agent.sh | 84 +-
crypto/openssh/regress/hostkey-rotate.sh | 17 +-
crypto/openssh/regress/keys-command.sh | 6 +-
crypto/openssh/regress/knownhosts.sh | 17 +
crypto/openssh/regress/login-timeout.sh | 4 +-
crypto/openssh/regress/misc/fuzz-harness/Makefile | 2 +-
.../openssh/regress/misc/fuzz-harness/kex_fuzz.cc | 3 +-
.../regress/misc/fuzz-harness/ssh-sk-null.cc | 3 +-
crypto/openssh/regress/misc/sk-dummy/sk-dummy.c | 55 +-
crypto/openssh/regress/percent.sh | 5 +-
crypto/openssh/regress/principals-command.sh | 220 +-
crypto/openssh/regress/sshd-log-wrapper.sh | 3 +-
crypto/openssh/regress/sshsig.sh | 256 +-
crypto/openssh/regress/test-exec.sh | 30 +-
crypto/openssh/regress/unittests/authopt/tests.c | 3 +-
crypto/openssh/regress/unittests/bitmap/tests.c | 3 +-
.../openssh/regress/unittests/conversion/tests.c | 3 +-
.../regress/unittests/hostkeys/test_iterate.c | 3 +-
crypto/openssh/regress/unittests/kex/test_kex.c | 3 +-
crypto/openssh/regress/unittests/match/tests.c | 3 +-
crypto/openssh/regress/unittests/misc/test_argv.c | 3 +-
.../openssh/regress/unittests/misc/test_convtime.c | 4 +-
.../openssh/regress/unittests/misc/test_expand.c | 3 +-
.../openssh/regress/unittests/misc/test_hpdelim.c | 82 +
crypto/openssh/regress/unittests/misc/test_parse.c | 3 +-
.../openssh/regress/unittests/misc/test_strdelim.c | 3 +-
crypto/openssh/regress/unittests/misc/tests.c | 5 +-
.../openssh/regress/unittests/sshbuf/test_sshbuf.c | 7 +-
.../regress/unittests/sshbuf/test_sshbuf_fixed.c | 3 +-
.../regress/unittests/sshbuf/test_sshbuf_fuzz.c | 5 +-
.../unittests/sshbuf/test_sshbuf_getput_basic.c | 3 +-
.../unittests/sshbuf/test_sshbuf_getput_crypto.c | 3 +-
.../unittests/sshbuf/test_sshbuf_getput_fuzz.c | 5 +-
.../regress/unittests/sshbuf/test_sshbuf_misc.c | 3 +-
crypto/openssh/regress/unittests/sshkey/common.c | 3 +-
.../openssh/regress/unittests/sshkey/test_file.c | 5 +-
.../openssh/regress/unittests/sshkey/test_fuzz.c | 5 +-
.../openssh/regress/unittests/sshkey/test_sshkey.c | 5 +-
crypto/openssh/regress/unittests/sshsig/tests.c | 7 +-
.../openssh/regress/unittests/sshsig/webauthn.html | 6 +-
.../regress/unittests/test_helper/test_helper.c | 11 +-
crypto/openssh/rijndael.h | 5 +-
crypto/openssh/sandbox-capsicum.c | 1 -
crypto/openssh/sandbox-seccomp-filter.c | 17 +-
crypto/openssh/scp.1 | 4 +-
crypto/openssh/scp.c | 85 +-
crypto/openssh/servconf.c | 21 +-
crypto/openssh/serverloop.c | 157 +-
crypto/openssh/session.c | 5 +-
crypto/openssh/sftp-client.c | 200 +-
crypto/openssh/sftp-client.h | 4 +-
crypto/openssh/sftp-server.c | 85 +-
crypto/openssh/sftp.c | 1 -
crypto/openssh/sk-api.h | 7 +-
crypto/openssh/sk-usbhid.c | 225 +-
crypto/openssh/sk_config.h | 2 +
crypto/openssh/ssh-add.1 | 88 +-
crypto/openssh/ssh-add.c | 218 +-
crypto/openssh/ssh-agent.c | 716 +-
crypto/openssh/ssh-keygen.1 | 37 +-
crypto/openssh/ssh-keygen.c | 246 +-
crypto/openssh/ssh-keyscan.c | 70 +-
crypto/openssh/ssh-keysign.c | 42 +-
crypto/openssh/ssh-pkcs11-client.c | 16 +-
crypto/openssh/ssh-pkcs11-helper.c | 4 +-
crypto/openssh/ssh-pkcs11.c | 35 +-
crypto/openssh/ssh-sk-client.c | 98 +-
crypto/openssh/ssh-sk-helper.c | 33 +-
crypto/openssh/ssh-sk.c | 106 +-
crypto/openssh/ssh-sk.h | 14 +-
crypto/openssh/ssh.1 | 10 +-
crypto/openssh/ssh.c | 20 +-
crypto/openssh/ssh_config | 2 +-
crypto/openssh/ssh_config.5 | 22 +-
crypto/openssh/ssh_namespace.h | 40 +-
crypto/openssh/sshbuf-misc.c | 39 +-
crypto/openssh/sshbuf.h | 8 +-
crypto/openssh/sshconnect.c | 4 +-
crypto/openssh/sshconnect2.c | 79 +-
crypto/openssh/sshd.c | 91 +-
crypto/openssh/sshd_config | 2 +-
crypto/openssh/sshd_config.5 | 8 +-
crypto/openssh/sshkey.c | 31 +-
crypto/openssh/sshkey.h | 6 +-
crypto/openssh/sshsig.c | 284 +-
crypto/openssh/sshsig.h | 6 +-
crypto/openssh/umac.c | 4 +-
crypto/openssh/umac.h | 4 +-
crypto/openssh/version.h | 6 +-
lib/libpam/modules/pam_ssh/pam_ssh.c | 2 +-
secure/usr.sbin/sshd/Makefile | 2 +-
186 files changed, 13912 insertions(+), 12246 deletions(-)
diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index a94a82d0e6f7..945a01dcc05d 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -13,7 +13,7 @@ auth-krb5.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-com
auth-options.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssherr.h log.h sshbuf.h misc.h sshkey.h match.h ssh2.h auth-options.h
auth-pam.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
auth-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h sshbuf.h ssherr.h log.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h
-auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h ssherr.h misc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
+auth-rhosts.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h uidswap.h pathnames.h log.h ssherr.h misc.h xmalloc.h sshbuf.h sshkey.h servconf.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth-shadow.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
auth-sia.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
auth.o: authfile.h monitor_wrap.h compat.h channels.h
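Review bot: the `xmalloc.h` added between `misc.h` and `sshbuf.h` on the `auth-rhosts.o` line cannot be checked against the source from what is shown, because the auth-rhosts.c hunk is not visible here. The diffstat lists crypto/openssh/auth-rhosts.c with 41 changed lines, so please confirm it now includes xmalloc.h and that this entry came from regenerating .depend rather than a hand edit; a dependency list that drifts from the real includes leads to missed rebuilds.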
@@ -74,11 +74,10 @@ kexgexs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compa
kexsntrup761x25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssherr.h
krl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h sshbuf.h ssherr.h sshkey.h authfile.h misc.h log.h digest.h bitmap.h utf8.h krl.h
log.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h match.h
-loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h ssherr.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h canohost.h auth.h auth-pam.h audit.h sshbuf.h
+loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h ssherr.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h canohost.h auth.h auth-pam.h audit.h sshbuf.h misc.h
logintest.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h loginrec.h
mac.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h digest.h hmac.h umac.h mac.h misc.h ssherr.h sshbuf.h openbsd-compat/openssl-compat.h
match.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h match.h misc.h
-md5crypt.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
misc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h misc.h log.h ssherr.h ssh.h sshbuf.h
moduli.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
monitor.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h dh.h packet.h dispatch.h auth-options.h sshpty.h channels.h session.h sshlogin.h canohost.h log.h ssherr.h misc.h servconf.h monitor.h monitor_wrap.h monitor_fdpass.h compat.h ssh2.h authfd.h match.h sk-api.h
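Review bot: with the `md5crypt.o` rule removed in this hunk, check that no object list still names md5crypt.o. The diffstat shows md5crypt.c and md5crypt.h deleted and both crypto/openssh/Makefile.in and secure/usr.sbin/sshd/Makefile modified, and a leftover reference in either would only surface as a build failure. The `misc.h` appended to the `loginrec.o` line should likewise be matched by a new include in loginrec.c, which the diffstat lists as changed.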
@@ -110,7 +109,7 @@ sandbox-seccomp-filter.o: includes.h config.h defines.h platform.h openbsd-compa
sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sc25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sc25519.h crypto_api.h
-scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp-common.h sftp-client.h
+scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp.h sftp-common.h sftp-client.h
servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey
.h
servconf.o: kex.h mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
serverloop.o: cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h
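Review bot: the first `servconf.o` context line is split after `sshkey`, leaving `.h` alone on the next line. If that break exists in the committed .depend rather than only in this mail's line wrapping, the rule is malformed and should be rejoined as `sshkey.h`. On the `scp.o` line, the new `sftp.h` placed before `sftp-common.h sftp-client.h` should be checked against the includes in scp.c, which changes in this commit (85 lines in the diffstat).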
@@ -127,8 +126,8 @@ sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h
sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
srclimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h addr.h canohost.h log.h ssherr.h misc.h srclimit.h xmalloc.h
-ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h
-ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h
+ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h hostfile.h
+ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h myproposal.h
ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/openssl-compat.h sshbuf.h ssherr.h digest.h sshkey.h
ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 12578c067348..853da58a51e3 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -15,6 +15,8 @@ LTESTS=""
SKIP_LTESTS=""
SUDO=sudo # run with sudo by default
TEST_SSH_UNSAFE_PERMISSIONS=1
+# Stop on first test failure to minimize logs
+TEST_SSH_FAIL_FATAL=yes
CONFIGFLAGS=""
LIBCRYPTOFLAGS=""
@@ -25,9 +27,29 @@ case "$config" in
c89)
CC="gcc"
CFLAGS="-Wall -std=c89 -pedantic -Werror=vla"
- CONFIGFLAGS="--without-openssl --without-zlib"
+ CONFIGFLAGS="--without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET=t-exec
;;
+ cygwin-release)
+ CONFIGFLAGS="--with-libedit --with-xauth=/usr/bin/xauth --disable-strip --with-security-key-builtin"
+ ;;
+ clang-12-Werror)
+ CC="clang-12"
+ # clang's implicit-fallthrough requires that the code be annotated with
+ # __attribute__((fallthrough)) and does not understand /* FALLTHROUGH */
+ CFLAGS="-Wall -Wextra -O2 -Wno-error=implicit-fallthrough"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ gcc-11-Werror)
+ CC="gcc"
+ # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+ CFLAGS="-Wall -Wextra -Wno-format-truncation -O2 -Wimplicit-fallthrough=4"
+ CONFIGFLAGS="--with-pam --with-Werror"
+ ;;
+ clang*|gcc*)
+ CC="$config"
+ ;;
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
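Review bot: in the gcc-11-Werror case, CC="gcc" selects whatever gcc the runner defaults to rather than gcc 11, while the clang-12-Werror case just above sets the versioned CC="clang-12". Set CC="gcc-11" so the job name matches the compiler actually under test. The comment above that CFLAGS line also spells the flag -Wnoformat-truncation, whereas the flag passed is -Wno-format-truncation. Because clang*|gcc*) is a catch-all, it has to stay below the two -Werror arms; a one-line comment saying so would keep a later reorder from shadowing them.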
@@ -36,12 +58,21 @@ case "$config" in
hardenedmalloc)
CONFIGFLAGS="--with-ldflags=-lhardened_malloc"
;;
- kerberos5)
+ tcmalloc)
+ CONFIGFLAGS="--with-ldflags=-ltcmalloc"
+ ;;
+ krb5|heimdal)
CONFIGFLAGS="--with-kerberos5"
;;
libedit)
CONFIGFLAGS="--with-libedit"
;;
+ musl)
+ CC="musl-gcc"
+ CONFIGFLAGS="--without-zlib"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET="t-exec"
+ ;;
pam-krb5)
CONFIGFLAGS="--with-pam --with-kerberos5"
SSHD_CONFOPTS="UsePam yes"
@@ -76,9 +107,9 @@ case "$config" in
# Valgrind slows things down enough that the agent timeout test
# won't reliably pass, and the unit tests run longer than allowed
# by github so split into three separate tests.
- tests2="rekey integrity"
- tests3="krl forward-control sshsig"
- tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment"
+ tests2="rekey integrity try-ciphers sftp"
+ tests3="krl forward-control sshsig agent-restrict kextype"
+ tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
case "$config" in
valgrind-1)
# All tests except agent-timeout (which is flaky under valgrind)
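Review bot: kextype now appears in both tests3 and tests4, so every valgrind split that consumes those two lists runs it twice. The comment above says the lists were split because the runs exceed the time GitHub allows, so drop kextype from one of them.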
@@ -122,22 +153,25 @@ case "${TARGET_HOST}" in
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
minix3)
- CC="clang"
- LIBCRYPTOFLAGS="--without-openssl"
+ LIBCRYPTOFLAGS="--without-openssl --disable-security-key"
# Minix does not have a loopback interface so we have to skip any
- # test that relies on it.
+ # test that relies on one.
+ # Also, Minix seems to be very limited in the number of select()
+ # calls that can be operating concurrently, so prune additional tests for that.
+ T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse connect
+ connect-uri exit-status forward-control forwarding hostkey-agent
+ key-options keyscan knownhosts-command login-timeout multiplex
+ reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
+ sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
+ transfer"
+ SKIP_LTESTS="$(echo $T)"
TEST_TARGET=t-exec
- SKIP_LTESTS="addrmatch cfgparse key-options reexec agent connect"
- SKIP_LTESTS="$SKIP_LTESTS keyscan rekey allow-deny-users connect-uri"
- SKIP_LTESTS="$SKIP_LTESTS knownhosts-command sftp-uri brokenkeys"
- SKIP_LTESTS="$SKIP_LTESTS exit-status login-timeout stderr-data"
- SKIP_LTESTS="$SKIP_LTESTS cfgmatch forward-control multiplex transfer"
- SKIP_LTESTS="$SKIP_LTESTS cfgmatchlisten forwarding reconfigure"
SUDO=""
;;
nbsd4)
# System compiler will ICE on some files with fstack-protector
- CONFIGFLAGS="${CONFIGFLAGS} --without-hardening"
+ # SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
+ CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
;;
sol10|sol11)
# sol10 VM is 32bit and the unit tests are slow.
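Review bot: the rewritten minix3 skip list no longer contains agent or allow-deny-users, both of which were in the removed SKIP_LTESTS lines, and the new comment does not say they were re-enabled on purpose. If that is intended, say so in the comment; if not, add them back to T. Two smaller points in the same hunk: --disable-security-key goes into LIBCRYPTOFLAGS for minix3 but into CONFIGFLAGS for nbsd4, and it is not a libcrypto option, so CONFIGFLAGS is the consistent place for both; and T is a very generic name to leave set in a file that other scripts source, so unset it after SKIP_LTESTS="$(echo $T)".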
@@ -150,6 +184,15 @@ case "${TARGET_HOST}" in
;;
esac
+# Unless specified otherwise, build without OpenSSL on Mac OS since
+# modern versions don't ship with libcrypto.
+case "`./config.guess`" in
+*-darwin*)
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET=t-exec
+ ;;
+esac
+
# If we have a local openssl/libressl, use that.
if [ -z "${LIBCRYPTOFLAGS}" ]; then
# last-match
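Review bot: the comment says "Unless specified otherwise", but the *-darwin*) arm assigns LIBCRYPTOFLAGS and TEST_TARGET unconditionally, overwriting anything the config cases above have already set. Guard the assignment with the same [ -z "${LIBCRYPTOFLAGS}" ] test the following block uses, or reword the comment to say the Darwin setting always wins.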
@@ -167,4 +210,5 @@ if [ -x "$(which plink 2>/dev/null)" ]; then
export REGRESS_INTEROP_PUTTY
fi
-export CC CFLAGS LTESTS SUDO TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS
+export CC CFLAGS LTESTS SUDO
+export TEST_TARGET TEST_SSH_UNSAFE_PERMISSIONS TEST_SSH_FAIL_FATAL
diff --git a/crypto/openssh/.github/configure.sh b/crypto/openssh/.github/configure.sh
index e098730f02d6..502bf5f0d407 100755
--- a/crypto/openssh/.github/configure.sh
+++ b/crypto/openssh/.github/configure.sh
@@ -2,5 +2,20 @@
. .github/configs $1
-set -x
+printf "$ "
+
+if [ "x$CC" != "x" ]; then
+ printf "CC='$CC' "
+fi
+if [ "x$CFLAGS" != "x" ]; then
+ printf "CFLAGS='$CFLAGS' "
+fi
+if [ "x$CPPFLAGS" != "x" ]; then
+ printf "CPPFLAGS='$CPPFLAGS' "
+fi
+if [ "x$LDFLAGS" != "x" ]; then
+ printf "LDFLAGS='$LDFLAGS' "
+fi
+
+echo ./configure ${CONFIGFLAGS}
./configure ${CONFIGFLAGS}
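Review bot: each new printf places the variable inside the format string (printf "CFLAGS='$CFLAGS' "), so a % or backslash in CC, CFLAGS, CPPFLAGS or LDFLAGS is interpreted as a format directive and the logged command line no longer matches what was run. Pass the value as an argument instead, for example printf "CFLAGS='%s' " "$CFLAGS". With set -x removed this printed line is the only record of the invocation in the CI log, so it is worth making it exact.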
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 107c049c4175..ca37f8c5512f 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -1,6 +1,8 @@
#!/bin/sh
-case $(./config.guess) in
+ . .github/configs $@
+
+case "`./config.guess`" in
*-darwin*)
brew install automake
exit 0
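Review bot: in the added line . .github/configs $@ the expansion is unquoted, so the arguments are word-split and glob-expanded before configs sees them; use "$@". configure.sh sources the same file with $1 only, so when more than one config is passed the two scripts evaluate different argument lists. It is worth settling on one convention for both.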
@@ -20,23 +22,30 @@ set -ex
lsb_release -a
if [ "${TARGETS}" = "kitchensink" ]; then
- TARGETS="kerberos5 libedit pam sk selinux"
+ TARGETS="krb5 libedit pam sk selinux"
fi
+for flag in $CONFIGFLAGS; do
+ case "$flag" in
+ --with-pam) PACKAGES="${PACKAGES} libpam0g-dev" ;;
+ --with-libedit) PACKAGES="${PACKAGES} libedit-dev" ;;
+ esac
+done
+
for TARGET in $TARGETS; do
case $TARGET in
- default|without-openssl|without-zlib|c89)
+ default|without-openssl|without-zlib|c89|libedit|*pam)
# nothing to do
;;
- kerberos5)
- PACKAGES="$PACKAGES heimdal-dev"
- #PACKAGES="$PACKAGES libkrb5-dev"
- ;;
- libedit)
- PACKAGES="$PACKAGES libedit-dev"
+ clang-*|gcc-*)
+ compiler=$(echo $TARGET | sed 's/-Werror//')
+ PACKAGES="$PACKAGES $compiler"
;;
- *pam)
- PACKAGES="$PACKAGES libpam0g-dev"
+ krb5)
+ PACKAGES="$PACKAGES libkrb5-dev"
+ ;;
+ heimdal)
+ PACKAGES="$PACKAGES heimdal-dev"
;;
sk)
INSTALL_FIDO_PPA="yes"
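Review bot: compiler=$(echo $TARGET | sed 's/-Werror//') leaves $TARGET unquoted and removes the first -Werror found anywhere in the name; ${TARGET%-Werror} strips only the suffix and needs no subshell. Package selection is also now split between the new CONFIGFLAGS loop (pam, libedit) and this TARGET case (krb5, heimdal, compilers), so the "nothing to do" arm for libedit|*pam is only correct while .github/configs has been sourced first. A comment stating that dependency would help the next person who touches either script.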
@@ -47,7 +56,13 @@ for TARGET in $TARGETS; do
;;
hardenedmalloc)
INSTALL_HARDENED_MALLOC=yes
- ;;
+ ;;
+ musl)
+ PACKAGES="$PACKAGES musl-tools"
+ ;;
+ tcmalloc)
+ PACKAGES="$PACKAGES libgoogle-perftools-dev"
+ ;;
openssl-noec)
INSTALL_OPENSSL=OpenSSL_1_1_1k
SSLCONFOPTS="no-ec"
@@ -93,7 +108,7 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
(cd ${HOME} &&
git clone https://github.com/GrapheneOS/hardened_malloc.git &&
cd ${HOME}/hardened_malloc &&
- make -j2 && sudo cp libhardened_malloc.so /usr/lib/)
+ make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
fi
if [ ! -z "${INSTALL_OPENSSL}" ]; then
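Review bot: the git clone of hardened_malloc takes whatever is at the head of the default branch, and the built library is then copied into /usr/lib with sudo. The need to change the path to out/libhardened_malloc.so shows the upstream layout has already moved under this script once. Check out a fixed tag or commit after cloning so the CI result is reproducible and an upstream change cannot silently alter what gets installed on the runner.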
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index 152ddaa4fba6..5ee896308478 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -24,16 +24,28 @@ jobs:
- { os: ubuntu-20.04, configs: valgrind-4 }
- { os: ubuntu-20.04, configs: valgrind-unit }
- { os: ubuntu-20.04, configs: c89 }
+ - { os: ubuntu-20.04, configs: clang-6.0 }
+ - { os: ubuntu-20.04, configs: clang-8 }
+ - { os: ubuntu-20.04, configs: clang-9 }
+ - { os: ubuntu-20.04, configs: clang-10 }
+ - { os: ubuntu-20.04, configs: clang-11 }
+ - { os: ubuntu-20.04, configs: clang-12-Werror }
+ - { os: ubuntu-20.04, configs: gcc-7 }
+ - { os: ubuntu-20.04, configs: gcc-8 }
+ - { os: ubuntu-20.04, configs: gcc-10 }
+ - { os: ubuntu-20.04, configs: gcc-11-Werror }
- { os: ubuntu-20.04, configs: pam }
- { os: ubuntu-20.04, configs: kitchensink }
- { os: ubuntu-20.04, configs: hardenedmalloc }
+ - { os: ubuntu-20.04, configs: tcmalloc }
+ - { os: ubuntu-20.04, configs: musl }
- { os: ubuntu-latest, configs: libressl-master }
- { os: ubuntu-latest, configs: libressl-2.2.9 }
- { os: ubuntu-latest, configs: libressl-2.8.3 }
- { os: ubuntu-latest, configs: libressl-3.0.2 }
- { os: ubuntu-latest, configs: libressl-3.2.6 }
- { os: ubuntu-latest, configs: libressl-3.3.4 }
- - { os: ubuntu-latest, configs: libressl-3.4.0 }
+ - { os: ubuntu-latest, configs: libressl-3.4.1 }
- { os: ubuntu-latest, configs: openssl-master }
- { os: ubuntu-latest, configs: openssl-noec }
- { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -46,7 +58,8 @@ jobs:
- { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
- { os: ubuntu-latest, configs: openssl-3.0 } # stable branch
- { os: ubuntu-18.04, configs: pam }
- - { os: ubuntu-18.04, configs: kerberos5 }
+ - { os: ubuntu-18.04, configs: krb5 }
+ - { os: ubuntu-18.04, configs: heimdal }
- { os: ubuntu-18.04, configs: libedit }
- { os: ubuntu-18.04, configs: sk }
- { os: ubuntu-18.04, configs: selinux }
@@ -63,6 +76,13 @@ jobs:
run: autoreconf
- name: configure
run: ./.github/configure.sh ${{ matrix.configs }}
+ - name: save config
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ matrix.os }}-${{ matrix.configs }}-config
+ path: config.h
+ - name: make clean
+ run: make clean
- name: make
run: make -j2
- name: make tests
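Review bot: the new "save config" step references actions/upload-artifact@v2, a tag that can be moved to different code by whoever controls the action's repository; pin it to a full commit SHA. The step also runs unconditionally, unlike the existing "save logs" step, so every matrix entry now stores a config.h artifact. If the file is only needed for debugging failed builds, a retention limit or an if: condition would keep artifact storage down.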
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index df6eca714fb5..09f7af939912 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -17,6 +17,7 @@ jobs:
matrix:
os:
- ARM64
+ - alpine
- bbone
- dfly30
- dfly48
@@ -26,7 +27,7 @@ jobs:
- fbsd10
- fbsd12
- fbsd13
- - hurd
+ # - hurd
- minix3
# - nbsd2
- nbsd3
@@ -35,8 +36,8 @@ jobs:
- nbsd9
- obsd51
- obsd67
- - obsd68
- obsd69
+ - obsd70
- obsdsnap
- openindiana
# - rocky84
@@ -64,6 +65,7 @@ jobs:
- { os: sol11, configs: pam-krb5 }
- { os: sol11, configs: sol64 }
# - { os: sol11, configs: sol64-pam }
+ - { os: win10, configs: cygwin-release }
steps:
- uses: actions/checkout@v2
- name: autoreconf
@@ -74,10 +76,18 @@ jobs:
run: vmstartup
- name: configure
run: vmrun ./.github/configure.sh ${{ matrix.configs }}
+ - name: save config
+ uses: actions/upload-artifact@v2
+ with:
+ name: ${{ matrix.os }}-${{ matrix.configs }}-config
+ path: config.h
+ - name: make clean
+ run: vmrun make clean
- name: make
run: vmrun make
- name: make tests
run: vmrun ./.github/run_test.sh ${{ matrix.configs }}
+ timeout-minutes: 300
- name: save logs
if: failure()
uses: actions/upload-artifact@v2
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index f0493c12d7d5..b91083c65184 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -13,7 +13,7 @@ jobs:
strategy:
fail-fast: false
matrix:
- os: [ obsdsnap, obsdsnap-i386, obsd69, obsd68 ]
+ os: [ obsdsnap, obsdsnap-i386 ]
configs: [ default, without-openssl ]
steps:
- uses: actions/checkout@v2
@@ -31,6 +31,7 @@ jobs:
run: vmrun "cd /usr/src/usr.bin/ssh && sudo make install"
- name: make tests
run: vmrun "cd /usr/src/regress/usr.bin/ssh && make obj && make clean && if test '${{ matrix.configs }}' = 'without-openssl'; then make SUDO=sudo OPENSSL=no; else make SUDO=sudo; fi"
+ timeout-minutes: 300
- name: save logs
if: failure()
uses: actions/upload-artifact@v2
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index 1de78172232a..c606eaee6c51 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -23,6 +23,7 @@ d9b910e412d139141b072a905e66714870c38ac0 Makefile.inc
07b5031e9f49f2b69ac5e85b8da4fc9e393992a0 Makefile.inc
cc12a9029833d222043aecd252d654965c351a69 moduli-gen Makefile
7ac6c252d2a5be8fbad4c66d9d35db507c9dac5b moduli update
+6b52cd2b637f3d29ef543f0ce532a2bce6d86af5 makefile change
Old upstream tree:
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 9e660ec37ef3..c225b94dfd3e 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,13611 +1,11979 @@
-commit bf944e3794eff5413f2df1ef37cddf96918c6bde
+commit 166456cedad3962b83b848b1e9caf80794831f0f
Author: Damien Miller <djm@mindrot.org>
-Date: Mon Sep 27 00:03:19 2021 +1000
+Date: Wed Feb 23 22:31:11 2022 +1100
- initgroups needs grp.h
+ makedepend
-commit 8c5b5655149bd76ea21026d7fe73ab387dbc3bc7
+commit 32ebaa0dbca5d0bb86e384e72bebc153f48413e4
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 26 14:01:11 2021 +0000
+Date: Wed Feb 23 11:18:13 2022 +0000
- upstream: openssh-8.8
+ upstream: avoid integer overflow of auth attempts (harmless, caught
- OpenBSD-Commit-ID: 12357794602ac979eb7312a1fb190c453f492ec4
+ by monitor)
+
+ OpenBSD-Commit-ID: 488ad570b003b21e0cd9e7a00349cfc1003b4d86
-commit f3cbe43e28fe71427d41cfe3a17125b972710455
+commit 6e0258c64c901753df695e06498b26f9f4812ea6
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Sep 26 14:01:03 2021 +0000
+Date: Wed Feb 23 11:17:10 2022 +0000
- upstream: need initgroups() before setresgid(); reported by anton@,
+ upstream: randomise the password used in fakepw
- ok deraadt@
+ OpenBSD-Commit-ID: 34e159f73b1fbf0a924a9c042d8d61edde293947
+
+commit bf114d6f0a9df0b8369823d9a0daa6c72b0c4cc9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 23 11:15:57 2022 +0000
+
+ upstream: use asprintf to construct .rhosts paths
- OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+ OpenBSD-Commit-ID: 8286e8d3d2c6ff916ff13d041d1713073f738a8b
-commit 8acaff41f7518be40774c626334157b1b1c5583c
-Author: Damien Miller <djm@mindrot.org>
-Date: Sun Sep 26 22:16:36 2021 +1000
+commit c07e154fbdc7285e9ec54e78d8a31f7325d43537
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Feb 23 11:07:09 2022 +0000
- update version numbers for release
+ upstream: openssh-8.9
+
+ OpenBSD-Commit-ID: 5c5f791c87c483cdab6d9266b43acdd9ca7bde0e
-commit d39039ddc0010baa91c70a0fa0753a2699bbf435
-Author: kn@openbsd.org <kn@openbsd.org>
-Date: Sat Sep 25 09:40:33 2021 +0000
+commit bc16667b4a1c3cad7029304853c143a32ae04bd4
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 22 15:29:22 2022 +1100
- upstream: RSA/SHA-1 is not used by default anymore
+ Extend select+rlimit sanbox test to include poll.
- OK dtucker deraadt djm
+ POSIX specifies that poll() shall fail if "nfds argument is greater
+ than {OPEN_MAX}". The setrlimit sandbox sets this to effectively zero
+ so this causes poll() to fail in the preauth privsep process.
- OpenBSD-Commit-ID: 055c51a221c3f099dd75c95362f902da1b8678c6
+ This is likely the underlying cause for the previously observed similar
+ behaviour of select() on plaforms where it is implement in userspace on
+ top of poll().
-commit 9b2ee74e3aa8c461eb5552a6ebf260449bb06f7e
+commit 6520c488de95366be031d49287ed243620399e23
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Sep 24 11:08:03 2021 +1000
+Date: Tue Feb 22 13:08:59 2022 +1100
- Move the fgrep replacement to hostkey-rotate.sh.
-
- The fgrep replacement for buggy greps doesn't work in the sftp-glob test
- so move it to just where we know it's needed.
+ Add Alpine Linux test VM.
-commit f7039541570d4b66d76e6f574544db176d8d5c02
+commit a4b325a3fc82d11e0f5d61f62e7fde29415f7afb
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Sep 24 08:04:14 2021 +1000
+Date: Tue Feb 22 12:27:07 2022 +1100
- Replacement function for buggy fgrep.
+ Include sys/param.h if present.
- GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will
- occasionally fail to find ssh host keys in the hostkey-rotate test.
- If we have those versions, use awk instead.
+ Needed for howmany() on MUSL systems such as Alpine.
-commit f6a660e5bf28a01962af87568e118a2d2e79eaa0
-Author: David Manouchehri <david.manouchehri@riseup.net>
-Date: Thu Sep 23 17:03:18 2021 -0400
+commit 5a102e9cb287a43bd7dfe594b775a89a8e94697c
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Tue Feb 22 12:25:52 2022 +1100
- Don't prompt for yes/no questions.
+ Only include sys/poll.h if we don't have poll.h.
+
+ Prevents warnings on MUSL based systems such as Alpine.
-commit 7ed1a3117c09f8c3f1add35aad77d3ebe1b85b4d
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 20 06:53:56 2021 +0000
+commit 7c0d4ce911d5c58b6166b2db754a4e91f352adf5
+Author: Damien Miller <djm@mindrot.org>
+Date: Tue Feb 22 11:14:51 2022 +1100
- upstream: fix missing -s in SYNOPSYS and usage() as well as a
+ disable agent-restrict test on minix3
- capitalisation mistake; spotted by jmc@
+ Minix seems to have a platform-wide limit on the number of
+ select(2) syscalls that can be concurrently issued. This test
+ seems to exceed this limit.
- OpenBSD-Commit-ID: 0ed8ee085c7503c60578941d8b45f3a61d4c9710
+ Refer to:
+
+ https://github.com/Stichting-MINIX-Research-Foundation/minix/blob/R3.3.0/minix/servers/vfs/select.c#L114
+ https://github.com/Stichting-MINIX-Research-Foundation/minix/blob/R3.3.0/minix/servers/vfs/select.c#L30-L31
-commit 8c07170135dde82a26886b600a8bf6fb290b633d
+commit 81d33d8e3cf7ea5ce3a5653c6102b623e019428a
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 21 21:27:20 2022 +1100
+
+ Skip agent-getpeereid when running as root.
+
+commit fbd772570a25436a33924d91c164d2b24021f010
Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date: Mon Sep 20 04:02:13 2021 +0000
+Date: Sun Feb 20 03:47:26 2022 +0000
- upstream: Fix "Allocated port" debug message
+ upstream: Aproximate realpath on the expected output by deduping
- for unix domain sockets. From peder.stray at gmail.com via github PR#272,
- ok deraadt@
+ leading slashes. Fixes test failure when user's home dir is / which is
+ possible in some portable configurations.
- OpenBSD-Commit-ID: 8d5ef3fbdcdd29ebb0792b5022a4942db03f017e
+ OpenBSD-Regress-ID: 53b8c53734f8893806961475c7106397f98d9f63
-commit 277d3c6adfb128b4129db08e3d65195d94b55fe7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Sep 20 01:55:42 2021 +0000
+commit 336685d223a59f893faeedf0a562e053fd84058e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Sun Feb 20 13:30:52 2022 +1100
- upstream: Switch scp back to use the old protocol by default, ahead of
-
- release. We'll wait a little longer for people to pick up sftp-server(8) that
- supports the extension that scp needs for ~user paths to continue working in
- SFTP protocol mode. Discussed with deraadt@
+ Really move DSA to end of list.
- OpenBSD-Commit-ID: f281f603a705fba317ff076e7b11bcf2df941871
+ In commit ad16a84e syncing from OpenBSD, RSA was accidentally moved to
+ the end of the list instead of DSA. Spotted by andrew at fyfe.gb.net.
-commit ace19b34cc15bea3482be90450c1ed0cd0dd0669
+commit 63bf4f49ed2fdf2da6f97136c9df0c8168546eb3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Feb 18 12:12:21 2022 +1100
+
+ Add test configs for MUSL C library.
+
+commit f7fc6a43f1173e8b2c38770bf6cee485a562d03b
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Feb 17 22:54:19 2022 +1100
+
+ minix needs BROKEN_POLL too; chokes on /dev/null
+
+commit 667fec5d4fe4406745750a32f69b5d2e1a75e94b
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sat Sep 18 02:03:25 2021 +0000
+Date: Thu Feb 17 10:58:27 2022 +0000
- upstream: better error message for ~user failures when the
+ upstream: check for EINTR/EAGAIN failures in the rfd fast-path; caught
- sftp-server lacks the expand-path extension; ok deraadt@
+ by dtucker's minix3 vm :) ok dtucker@
- OpenBSD-Commit-ID: 9c1d965d389411f7e86f0a445158bf09b8f9e4bc
+ OpenBSD-Commit-ID: 2e2c895a3e82ef347aa6694394a76a438be91361
-commit 6b1238ba971ee722a310d95037b498ede5539c03
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 16 15:22:22 2021 +0000
+commit 41417dbda9fb55a0af49a8236e3ef9d50d862644
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Thu Feb 17 22:05:29 2022 +1100
- upstream: make some more scp-in-SFTP mode better match Unix idioms
-
- suggested by deraadt@
+ Comment hurd test, the VM is currently broken.
+
+commit b2aee35a1f0dc798339b3fcf96136da71b7e3f6d
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Feb 17 21:15:16 2022 +1100
+
+ find sk-dummy.so when build_dir != src_dir
- OpenBSD-Commit-ID: 0f2439404ed4cf0b0be8bf49a1ee734836e1ac87
+ spotted by Corinna Vinschen; feedback & ok dtucker@
-commit e694f8ac4409931e67d08ac44ed251b20b10a957
+commit 62a2d4e50b2e89f2ef04576931895d5139a5d037
+Author: Damien Miller <djm@mindrot.org>
+Date: Wed Feb 16 16:26:17 2022 +1100
+
+ update versions in preparation for 8.9 release
+
+commit dd6d3dded721ac653ea73c017325e5bfeeec837f
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 16 15:11:19 2021 +0000
+Date: Tue Feb 15 05:13:36 2022 +0000
- upstream: allow log_stderr==2 to prefix log messages with argv[0]
+ upstream: document the unbound/host-bound options to
- use this to make scp's SFTP mode error messages more scp-like
+ PubkeyAuthentication; spotted by HARUYAMA Seigo
- prompted by and ok deraadt@
+ OpenBSD-Commit-ID: 298f681b66a9ecd498f0700082c7a6c46e948981
+
+commit df93529dd727fdf2fb290700cd4f1adb0c3c084b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Mon Feb 14 14:19:40 2022 +1100
+
+ Test if sshd accidentally acquires controlling tty
- OpenBSD-Commit-ID: 0e821dbde423fc2280e47414bdc22aaa5b4e0733
+ When SSHD_ACQUIRES_CTTY is defined, test for the problematic behaviour
+ in the STREAMS code before activating the workaround. ok djm@
-commit 8a7a06ee505cb833e613f74a07392e9296286c30
+commit 766176cfdbfd7ec38bb6118dde6e4daa0df34888
Author: Darren Tucker <dtucker@dtucker.net>
-Date: Fri Sep 17 13:03:31 2021 +1000
+Date: Sat Feb 12 10:24:56 2022 +1100
- Test against LibreSSL 3.2.6, 3.3.4, 3.4.0.
+ Add cygwin-release test config.
+
+ This tests the flags used to build the cygwin release binaries.
-commit c25c84074a47f700dd6534995b4af4b456927150
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 16 05:36:03 2021 +0000
+commit b30698662b862f5397116d23688aac0764e0886e
+Author: Darren Tucker <dtucker@dtucker.net>
+Date: Fri Feb 11 21:00:35 2022 +1100
- upstream: missing space character in ssh -G output broke the
+ Move SSHD_ACQUIRES_CTTY workaround into compat.
- t-sshcfgparse regression test; spotted by anton@
+ On some (most? all?) SysV based systems with STREAMS based ptys,
+ sshd could acquire a controlling terminal during pty setup when
+ it pushed the "ptem" module, due to what is probably a bug in
+ the STREAMS driver that's old enough to vote. Because it was the
+ privileged sshd's controlling terminal, it was not available for
+ the user's session, which ended up without one. This is known to
+ affect at least Solaris <=10, derivatives such as OpenIndiana and
+ several other SysV systems. See bz#245 for the backstory.
- OpenBSD-Commit-ID: bcc36fae2f233caac4baa8e58482da4aa350eed0
+ In the we past worked around that by not calling setsid in the
+ privileged sshd child, which meant it was not a session or process
+ group leader. This solved controlling terminal problem because sshd
+ was not eligble to acquire one, but had other side effects such as
+ not cleaning up helper subprocesses in the SIGALRM handler since it
+ was not PG leader. Recent cleanups in the signal handler uncovered
+ this, resulting in the LoginGraceTime timer not cleaning up privsep
+ unprivileged processes.
+
+ This change moves the workaround into the STREAMS pty allocation code,
+ by allocating a sacrificial pty to act as sshd's controlling terminal
+ before allocating user ptys, so those are still available for users'
+ sessions.
+
+ On the down side:
+ - this will waste a pty per ssh connection on affected platforms.
+
+ On the up side:
+ - it makes the process group behaviour consistent between platforms.
+
*** 37455 LINES SKIPPED ***