git: 7ca599aa6139 - stable/14 - OpenSSH: Update to 10.0p2
Date: Tue, 20 Jan 2026 19:43:36 UTC
The branch stable/14 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=7ca599aa613955a939284292f0993b59b0d9fef3
commit 7ca599aa613955a939284292f0993b59b0d9fef3
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-08-01 15:56:45 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-01-20 19:41:59 +0000
OpenSSH: Update to 10.0p2
Full release notes are available at
https://www.openssh.com/txt/release-10.0
Selected highlights from the release notes:
Potentially-incompatible changes
- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]
- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.
- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.
Security
- sshd(8): fix the DisableForwarding directive, which was failing to
disable X11 forwarding and agent forwarding as documented.
[This change was previously merged to FreeBSD main.]
New features
- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
used by default for key agreement.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
(cherry picked from commit 8e28d84935f2f0ee081d44f9803f3052b960e50b)
(cherry picked from commit e600fc7295a7082041388113a5d677f6c4cf7ce7)
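
The version-matching caveat in the release notes above, as an added example that is not part of the commit or of OpenSSH: it compares the naive glob "OpenSSH_1*" with a numeric parse of the identification string. The function names and the sample banners are constructed for illustration.

```python
import fnmatch
import re

# The kind of pattern the release notes warn about: intended to catch
# OpenSSH 1.x, but a glob has no notion of where the major number ends.
NAIVE_PATTERN = "OpenSSH_1*"

# Constructed sample identification strings ("SSH-protoversion-softwareversion
# SP comments"); the comment suffix and the non-OpenSSH entry are made up.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_1.2.3",
    "SSH-2.0-OpenSSH_9.9p2",
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_10.0p2 FreeBSD-20250801",
    "SSH-2.0-dropbear_2024.86",
]

# major.minor[.micro][pN][ comments]
_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?(?:\s.*)?")


def software_version(banner):
    """Return the softwareversion (plus comments) field, or "" if malformed."""
    parts = banner.rstrip("\r\n").split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return ""
    return parts[2]


def naive_is_1x(banner):
    """Glob match as a naive scanner or inventory rule would do it."""
    return fnmatch.fnmatchcase(software_version(banner), NAIVE_PATTERN)


def parse_openssh_version(banner):
    """Return (major, minor, micro) as integers, or None if not OpenSSH."""
    m = _OPENSSH_RE.fullmatch(software_version(banner))
    if m is None:
        return None
    major, minor, micro = m.groups()
    return (int(major), int(minor), int(micro or 0))


def is_1x(banner):
    """Numeric check: the major version really is 1."""
    version = parse_openssh_version(banner)
    return version is not None and version[0] == 1


def misclassified(banners):
    """Banners on which the glob and the numeric comparison disagree."""
    return [b for b in banners if naive_is_1x(b) != is_1x(b)]


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: glob={naive_is_1x(banner)} "
              f"parsed={parse_openssh_version(banner)}")
    print("misclassified by the glob:", misclassified(SAMPLE_BANNERS))
```

Any inventory, compliance or detection rule that keys on the banner should compare the parsed tuple, not a string prefix.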
---
crypto/openssh/.depend | 16 +-
crypto/openssh/.git_allowed_signers | 6 +-
crypto/openssh/.github/ci-status.md | 8 +
crypto/openssh/.github/configs | 31 +-
crypto/openssh/.github/run_test.sh | 22 +-
crypto/openssh/.github/setup_ci.sh | 13 +
crypto/openssh/.github/workflows/c-cpp.yml | 88 +-
crypto/openssh/.github/workflows/selfhosted.yml | 63 +-
crypto/openssh/.github/workflows/upstream.yml | 21 +-
crypto/openssh/.gitignore | 8 +-
crypto/openssh/.skipped-commit-ids | 2 +
crypto/openssh/ChangeLog | 9510 +++++++++++---------
crypto/openssh/FREEBSD-upgrade | 3 -
crypto/openssh/INSTALL | 12 +-
crypto/openssh/Makefile.in | 65 +-
crypto/openssh/PROTOCOL.agent | 4 +-
crypto/openssh/PROTOCOL.certkeys | 15 +-
crypto/openssh/README | 20 +-
crypto/openssh/README.md | 4 +-
crypto/openssh/addr.c | 22 +-
crypto/openssh/addr.h | 11 -
crypto/openssh/auth2-pubkey.c | 91 +-
crypto/openssh/auth2.c | 4 +-
crypto/openssh/authfile.c | 4 +-
crypto/openssh/buildpkg.sh.in | 20 +-
crypto/openssh/channels.c | 40 +-
crypto/openssh/channels.h | 3 +-
crypto/openssh/cipher.c | 28 +-
crypto/openssh/clientloop.c | 7 +-
crypto/openssh/config.h | 27 +-
crypto/openssh/configure.ac | 145 +-
crypto/openssh/contrib/cygwin/ssh-user-config | 2 +-
crypto/openssh/contrib/redhat/openssh.spec | 30 +-
crypto/openssh/contrib/suse/openssh.spec | 2 +-
crypto/openssh/defines.h | 30 +-
crypto/openssh/dh.c | 8 +-
crypto/openssh/groupaccess.c | 2 +-
crypto/openssh/includes.h | 3 +
crypto/openssh/libcrux_mlkem768_sha3.h | 8 +-
crypto/openssh/log.c | 174 +-
crypto/openssh/log.h | 26 +-
crypto/openssh/loginrec.c | 76 +-
crypto/openssh/loginrec.h | 3 +
crypto/openssh/mdoc2man.awk | 4 +-
crypto/openssh/misc.c | 5 +-
crypto/openssh/mlkem768.sh | 10 +-
crypto/openssh/moduli | 844 +-
crypto/openssh/monitor.c | 111 +-
crypto/openssh/monitor.h | 3 +
crypto/openssh/monitor_wrap.c | 84 +-
crypto/openssh/monitor_wrap.h | 6 +
crypto/openssh/mux.c | 3 +-
crypto/openssh/myproposal.h | 14 +-
crypto/openssh/openbsd-compat/bsd-pselect.c | 106 +-
crypto/openssh/openbsd-compat/openssl-compat.h | 4 +-
crypto/openssh/openbsd-compat/port-linux.c | 13 +
crypto/openssh/openbsd-compat/port-linux.h | 4 +
crypto/openssh/pathnames.h | 3 +
crypto/openssh/platform-listen.c | 17 +
crypto/openssh/platform.h | 1 +
crypto/openssh/progressmeter.c | 3 +-
crypto/openssh/readconf.c | 125 +-
crypto/openssh/readconf.h | 9 +-
crypto/openssh/regress/Makefile | 3 +-
crypto/openssh/regress/agent-restrict.sh | 6 +-
crypto/openssh/regress/agent.sh | 27 +-
crypto/openssh/regress/cert-userkey.sh | 62 +-
crypto/openssh/regress/cfginclude.sh | 14 +-
crypto/openssh/regress/cfgmatch.sh | 70 +-
crypto/openssh/regress/dropbear-ciphers.sh | 4 +-
crypto/openssh/regress/dropbear-kex.sh | 17 +-
crypto/openssh/regress/hostkey-agent.sh | 28 +-
crypto/openssh/regress/key-options.sh | 7 +-
.../regress/misc/fuzz-harness/agent_fuzz_helper.c | 1 +
crypto/openssh/regress/misc/sk-dummy/Makefile | 66 +
.../regress/misc/ssh-verify-attestation/Makefile | 79 +
.../ssh-verify-attestation.c | 433 +
crypto/openssh/regress/percent.sh | 42 +-
crypto/openssh/regress/servcfginclude.sh | 14 +-
crypto/openssh/regress/sftp-resume.sh | 43 +
crypto/openssh/regress/sshfp-connect.sh | 8 +-
crypto/openssh/regress/test-exec.sh | 27 +-
crypto/openssh/regress/unittests/authopt/Makefile | 27 +
crypto/openssh/regress/unittests/misc/Makefile | 33 +
crypto/openssh/sandbox-capsicum.c | 30 +-
crypto/openssh/sandbox-darwin.c | 17 +-
crypto/openssh/sandbox-null.c | 12 -
crypto/openssh/sandbox-pledge.c | 77 -
crypto/openssh/sandbox-rlimit.c | 17 +-
crypto/openssh/sandbox-seccomp-filter.c | 17 +-
crypto/openssh/sandbox-solaris.c | 14 -
crypto/openssh/sandbox-systrace.c | 218 -
crypto/openssh/scp.1 | 59 +-
crypto/openssh/scp.c | 5 +-
crypto/openssh/servconf.c | 69 +-
crypto/openssh/servconf.h | 1 +
crypto/openssh/serverloop.c | 5 +-
crypto/openssh/session.c | 11 +-
crypto/openssh/sftp-client.c | 3 +-
crypto/openssh/sftp.1 | 59 +-
crypto/openssh/sftp.c | 3 +-
crypto/openssh/sk-usbhid.c | 9 +-
crypto/openssh/srclimit.c | 2 +-
crypto/openssh/ssh-agent.1 | 62 +-
crypto/openssh/ssh-agent.c | 136 +-
crypto/openssh/ssh-ecdsa-sk.c | 2 +-
crypto/openssh/ssh-keygen.1 | 8 +-
crypto/openssh/ssh-keygen.c | 12 +-
crypto/openssh/ssh-keyscan.c | 19 +-
crypto/openssh/ssh-keysign.c | 4 +-
crypto/openssh/ssh-pkcs11.c | 6 +-
crypto/openssh/ssh-sandbox.h | 2 -
crypto/openssh/ssh.1 | 34 +-
crypto/openssh/ssh.c | 93 +-
crypto/openssh/ssh.h | 17 +-
crypto/openssh/ssh_api.c | 25 +-
crypto/openssh/ssh_config.5 | 105 +-
crypto/openssh/ssh_namespace.h | 11 +-
crypto/openssh/sshconnect.c | 5 +-
crypto/openssh/sshconnect.h | 14 +-
crypto/openssh/sshconnect2.c | 8 +-
crypto/openssh/sshd-auth.c | 888 ++
crypto/openssh/sshd-debug.sh | 52 +
crypto/openssh/sshd-session.c | 334 +-
crypto/openssh/sshd.c | 402 +-
crypto/openssh/sshd_config | 4 +-
crypto/openssh/sshd_config.5 | 40 +-
crypto/openssh/sshkey.c | 18 +-
crypto/openssh/sshkey.h | 4 +-
crypto/openssh/sshsig.c | 13 +-
crypto/openssh/version.h | 6 +-
secure/libexec/Makefile | 1 +
secure/libexec/sshd-auth/Makefile | 49 +
secure/libexec/sshd-session/Makefile | 4 +-
134 files changed, 9724 insertions(+), 6339 deletions(-)
diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index 45fc6b9afea1..152905fb7b78 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -26,8 +26,8 @@ auth2-kbdint.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-
auth2-methods.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h misc.h servconf.h openbsd-compat/sys-queue.h xmalloc.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
auth2-none.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h misc.h servconf.h ssh2.h monitor_wrap.h
auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h packet.h openbsd-compat/sys-queue.h dispatch.h ssherr.h log.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h monitor_wrap.h misc.h servconf.h
-auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
-auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h
+auth2-pubkey.o: audit.h loginrec.h pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h
+auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h
auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h
auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h dig
est.h kex.h
auth2.o: mac.h crypto_api.h
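Review bot: The auth2-pubkey.o entry mixes pure reordering with one real change, which makes the hunk harder to audit than it needs to be. The two dependency lines swap places and audit.h and loginrec.h move from the long line to the short one, while openbsd-compat/glob.h is the only header that is actually new. Since .depend is generated output, please confirm it was regenerated with make depend rather than edited by hand, so that only the glob.h addition needs checking against the auth2-pubkey.c changes listed in the diffstat.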
@@ -99,20 +99,18 @@ platform.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-comp
poly1305.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h poly1305.h
progressmeter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h progressmeter.h atomicio.h misc.h utf8.h
readconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h ssherr.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h pathnames.h log.h sshkey.h misc.h readconf.h match.h kex.h mac.h crypto_api.h uidswap.h
-readconf.o: myproposal.h digest.h
+readconf.o: myproposal.h digest.h version.h
readpass.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h misc.h pathnames.h log.h ssherr.h ssh.h uidswap.h
rijndael.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h rijndael.h
sandbox-capsicum.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sandbox-darwin.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sandbox-null.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-sandbox-pledge.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sandbox-rlimit.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sandbox-seccomp-filter.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
sandbox-solaris.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
-sandbox-systrace.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
scp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h xmalloc.h ssh.h atomicio.h pathnames.h log.h ssherr.h misc.h progressmeter.h utf8.h sftp.h sftp-common.h sftp-client.h
servconf.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/glob.h openbsd-compat/sys-queue.h xmalloc.h ssh.h log.h ssherr.h sshbuf.h misc.h servconf.h pathnames.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h
-servconf.o: mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h
+servconf.o: mac.h crypto_api.h match.h channels.h groupaccess.h canohost.h packet.h dispatch.h hostfile.h auth.h auth-pam.h audit.h loginrec.h myproposal.h digest.h version.h
serverloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h packet.h dispatch.h sshbuf.h log.h ssherr.h misc.h servconf.h canohost.h sshpty.h channels.h ssh2.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h ciph
er-aesctr.h
serverloop.o: rijndael.h kex.h mac.h crypto_api.h hostfile.h auth.h auth-pam.h audit.h loginrec.h session.h auth-options.h serverloop.h
session.o: hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfd.h pathnames.h log.h misc.h servconf.h sshlogin.h serverloop.h canohost.h session.h kex.h mac.h crypto_api.h monitor_wrap.h sftp.h atomicio.h
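Review bot: The sandbox-pledge.o and sandbox-systrace.o entries are removed here, matching the deletions of sandbox-pledge.c (77 lines) and sandbox-systrace.c (218 lines) in the diffstat, but the only FreeBSD-side build files the diffstat shows as touched are the three Makefiles under secure/libexec. Please check that no other build glue still lists those two sources. Separately, readconf.o and servconf.o now depend on version.h; a short note on which configuration feature pulls the version string into both config parsers would help reviewers of the readconf.c and servconf.c changes.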
@@ -161,9 +159,11 @@ sshconnect.o: authfd.h kex.h mac.h crypto_api.h
sshconnect.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h hostfile.h ssh.h sshbuf.h packet.h openbsd-compat/sys-queue.h dispatch.h sshkey.h sshconnect.h log.h ssherr.h match.h misc.h readconf.h atomicio.h dns.h monitor_fdpass.h ssh2.h version.h authfile.h
sshconnect2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h packet.h dispatch.h compat.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h sshkey.h kex.h mac.h crypto_api.h
sshconnect2.o: sshconnect.h authfile.h dh.h authfd.h log.h ssherr.h misc.h readconf.h match.h canohost.h msg.h pathnames.h uidswap.h hostfile.h utf8.h ssh-sk.h sk-api.h
-sshd-session.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h ssh-sandbox.h auth-options.h version.h sk-api.h srclimit.h dh.h
+sshd-auth.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h srclimit.h ssh-sandbox.h dh.h
+sshd-auth.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h
+sshd-session.o: chacha.h poly1305.h cipher-aesctr.h rijndael.h digest.h sshkey.h kex.h mac.h crypto_api.h authfile.h pathnames.h atomicio.h canohost.h hostfile.h auth.h auth-pam.h audit.h loginrec.h authfd.h msg.h channels.h session.h monitor.h monitor_wrap.h auth-options.h version.h sk-api.h srclimit.h dh.h
sshd-session.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshpty.h packet.h dispatch.h log.h ssherr.h sshbuf.h misc.h match.h servconf.h uidswap.h compat.h cipher.h cipher-chachapoly.h
-sshd.o: audit.h loginrec.h authfd.h msg.h version.h sk-api.h addr.h srclimit.h
+sshd.o: audit.h loginrec.h authfd.h msg.h version.h sk-api.h addr.h srclimit.h atomicio.h
sshd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshpty.h log.h ssherr.h sshbuf.h misc.h servconf.h compat.h digest.h sshkey.h authfile.h pathnames.h canohost.h hostfile.h auth.h auth-pam.h
ssherr.o: ssherr.h
sshkey-xmss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
diff --git a/crypto/openssh/.git_allowed_signers b/crypto/openssh/.git_allowed_signers
index 2a5fdc67c6ed..04fe425ab891 100644
--- a/crypto/openssh/.git_allowed_signers
+++ b/crypto/openssh/.git_allowed_signers
@@ -1,7 +1,11 @@
-dtucker@dtucker.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
+dtucker@dtucker.net valid-before="20241206" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecyjh9aNmD4rb8WblA8v91JjRb0Cd2JtkzqxcggGeG
dtucker@dtucker.net sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDV81zWQ1+XVfWH5z4L4klDQ/z/6l2GLphfSTX/Rmq6kL5H8mkfzUlryxLlkN8cD9srtVJBAmwJWfJBNsCo958YAAAAEc3NoOg==
+dtucker@dtucker.net sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIElSYahCw60CGct39Eg9EY8OLV9Ppr7tsudvSiMyNHOhAAAABHNzaDo=
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLnJo3ZVDENYZGXm5uO9lU7b0iDFq5gHpTu1MaHPWTEfPdvw+AjFQQ/q5YizuMJkXGsMdYmblJEJZYHpm9IS7ZkAAAAEc3NoOg==
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJoAXBTQalfg+kC5wy1vE7HkIHtVnmV6AUuuIo9KQ1P+70juHwvsFKpsGaqQbrHJkTVgYDGVP02XHj8+Fb18yBIAAAAEc3NoOg==
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBH+z1I48s6ydOhP5SJmI02zVCLf0K15B+UMHgoTIKVfUIv5oDoVX7e9f+7QiRmTeEOdZfQydiaVqsfi7qPSve+0AAAAEc3NoOg==
djm@mindrot.org sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPM4BmUg/fMnsl42JwktTekk/mB8Be3M+yK2ayg6lqYsqEri8yhRx84gey51OHKVk1TwlGbJjcMHI4URreDBEMQAAAAEc3NoOg==
+
+tim@multitalents.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/L8E1DfiZ9cHzygqx0IzRCSAlmh4tXH7mZPwWZEY1L
+
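Review bot: the retired dtucker ssh-ed25519 key is bounded with valid-before="20241206", but the added sk-ssh-ed25519 key and the tim@multitalents.net key carry no valid-after, so they are accepted for signatures of any date. Consider adding valid-after to the new entries so the validity windows do not overlap with history the keys never signed. Also note that tim@multitalents.net is the only active signer with a plain ssh-ed25519 key; every other active entry is an sk- (hardware-backed) key. The two added blank lines around that entry are noise.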
diff --git a/crypto/openssh/.github/ci-status.md b/crypto/openssh/.github/ci-status.md
index 17fa97bdc309..68275715dfb1 100644
--- a/crypto/openssh/.github/ci-status.md
+++ b/crypto/openssh/.github/ci-status.md
@@ -9,3 +9,11 @@ master :
9.9 :
[](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_9)
[](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_9)
+
+9.8 :
+[](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
+[](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
+
+9.7 :
+[](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
+[](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index 4f47f820b506..2526e3ef4812 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -129,6 +129,7 @@ case "$config" in
kitchensink)
CONFIGFLAGS="--with-kerberos5 --with-libedit --with-pam"
CONFIGFLAGS="${CONFIGFLAGS} --with-security-key-builtin --with-selinux"
+ CONFIGFLAGS="${CONFIGFLAGS} --with-linux-memlock-onfault"
CFLAGS="-DSK_DEBUG -DSANDBOX_SECCOMP_FILTER_DEBUG"
;;
hardenedmalloc)
@@ -136,6 +137,13 @@ case "$config" in
;;
tcmalloc)
CONFIGFLAGS="--with-ldflags=-ltcmalloc"
+ # tcmalloc may, depending on the stacktrace generator it uses, create
+ # pipe(2) fds during shared library initialisation. These will later
+ # get clobbered by ssh/sshd calling closefrom() and chaos will ensue.
+ # Tell tcmalloc to use an unwinder that doesn't pull this stuff.
+ TCMALLOC_STACKTRACE_METHOD=generic_fp
+ TEST_SSH_SSHD_ENV="TCMALLOC_STACKTRACE_METHOD=generic_fp"
+ export TCMALLOC_STACKTRACE_METHOD TEST_SSH_SSHD_ENV
;;
krb5|heimdal)
CONFIGFLAGS="--with-kerberos5"
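Review bot: the literal generic_fp is written twice in the tcmalloc arm, once for TCMALLOC_STACKTRACE_METHOD and once inside TEST_SSH_SSHD_ENV, so the two can drift apart. Suggest deriving the second from the first, e.g. TEST_SSH_SSHD_ENV="TCMALLOC_STACKTRACE_METHOD=${TCMALLOC_STACKTRACE_METHOD}". The assignment also overwrites TEST_SSH_SSHD_ENV rather than appending to it, which is worth a word in the comment if the variable is expected to carry other settings later.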
@@ -161,6 +169,9 @@ case "$config" in
CONFIGFLAGS="--disable-pkcs11"
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/boringssl --with-rpath=-Wl,-rpath,"
;;
+ aws-lc)
+ LIBCRYPTOFLAGS="--with-ssl-dir=/opt/aws-lc --with-rpath=-Wl,-rpath,"
+ ;;
libressl-*)
LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
;;
@@ -181,7 +192,7 @@ case "$config" in
CONFIGFLAGS="--with-selinux"
;;
sk)
- CONFIGFLAGS="--with-security-key-builtin"
+ CONFIGFLAGS="--with-security-key-builtin --with-security-key-standalone"
;;
without-openssl)
LIBCRYPTOFLAGS="--without-openssl"
@@ -266,6 +277,10 @@ case "${TARGET_HOST}" in
# Native linker is not great with PIC so OpenSSL is built w/out.
CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
;;
+ fbsd14-ppc64)
+ # Disable security key tests for bigendian interop test.
+ CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+ ;;
hurd)
SKIP_LTESTS="forwarding multiplex proxy-connect hostkey-agent agent-ptrace"
;;
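Review bot: the comment in the fbsd14-ppc64 arm says security key tests are disabled, but --disable-security-key removes security key support from the build, not only the tests. Suggest rewording the comment to say that, and stating why the bigendian interop run needs it, as the neighbouring arm does for its linker problem.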
@@ -296,8 +311,20 @@ case "${TARGET_HOST}" in
# SHA256 functions in sha2.h conflict with OpenSSL's breaking sk-dummy
CONFIGFLAGS="${CONFIGFLAGS} --without-hardening --disable-security-key"
;;
+ openwrt-mipsel)
+ # Test most of the flags that OpenWRT sets for their package build.
+ # We only do this on one OpenWRT target for better coverage.
+ # The installed shared libraries installed by default are stripped and
+ # can't be linked to on the target systems.
+ OPENWRT_FLAGS="--disable-strip --disable-lastlog
+ --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx
+ --with-stackprotect --with-cflags-after=-fzero-call-used-regs=skip"
+ CONFIGFLAGS="${CONFIGFLAGS} $(echo ${OPENWRT_FLAGS}) --without-zlib --disable-security-key"
+ LIBCRYPTOFLAGS="--without-openssl"
+ TEST_TARGET="t-exec"
+ ;;
openwrt-*)
- CONFIGFLAGS="${CONFIGFLAGS} --without-zlib"
+ CONFIGFLAGS="${CONFIGFLAGS} --without-zlib --disable-security-key"
LIBCRYPTOFLAGS="--without-openssl"
TEST_TARGET="t-exec"
;;
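Review bot: the openwrt-mipsel) arm only takes effect because it sits before the openwrt-*) glob; a later reorder would silently route mipsel back to the generic arm. Add a short comment saying the order matters. Two smaller points in the same arm: $(echo ${OPENWRT_FLAGS}) relies on unquoted word splitting to flatten the multi-line value, which deserves a comment or a single-line assignment, and the comment text "The installed shared libraries installed by default" repeats "installed". The generic openwrt-*) arm gains --disable-security-key with no explanation.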
diff --git a/crypto/openssh/.github/run_test.sh b/crypto/openssh/.github/run_test.sh
index 17c1731ff860..74ab2423c0d8 100755
--- a/crypto/openssh/.github/run_test.sh
+++ b/crypto/openssh/.github/run_test.sh
@@ -33,17 +33,31 @@ output_failed_logs() {
}
trap output_failed_logs 0
+env=""
+if [ ! -z "${SUDO}" ]; then
+ env="${env} SUDO=${SUDO}"
+fi
+if [ ! -z "${TCMALLOC_STACKTRACE_METHOD}" ]; then
+ env="${env} TCMALLOC_STACKTRACE_METHOD=${TCMALLOC_STACKTRACE_METHOD}"
+fi
+if [ ! -z "${TEST_SSH_SSHD_ENV}" ]; then
+ env="${env} TEST_SSH_SSHD_ENV=${TEST_SSH_SSHD_ENV}"
+fi
+if [ ! -z "${env}" ]; then
+ env="env${env}"
+fi
+
if [ -z "${LTESTS}" ]; then
- make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
+ ${env} make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}"
else
- make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
+ ${env} make ${TEST_TARGET} SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}"
fi
if [ ! -z "${SSHD_CONFOPTS}" ]; then
echo "rerunning t-exec with TEST_SSH_SSHD_CONFOPTS='${SSHD_CONFOPTS}'"
if [ -z "${LTESTS}" ]; then
- make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+ ${env} make t-exec SKIP_LTESTS="${SKIP_LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
else
- make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
+ ${env} make t-exec SKIP_LTESTS="${SKIP_LTESTS}" LTESTS="${LTESTS}" TEST_SSH_SSHD_CONFOPTS="${SSHD_CONFOPTS}"
fi
fi
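Review bot: the env prefix is assembled as one flat string and then expanded unquoted as ${env}, so any forwarded value that contains whitespace is split into separate words. A TEST_SSH_SSHD_ENV holding two assignments, or a SUDO value with arguments, would hand env a stray operand instead of a single NAME=value. It works today only because the one value set in .github/configs has no spaces. Suggest building the prefix in the positional parameters (set -- env "SUDO=${SUDO}" ... and then "$@" make ...) so each assignment stays one word. Style: [ ! -z "$x" ] can be written [ -n "$x" ].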
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 7e1becaac2df..f6c4a5c84fb5 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -142,6 +142,10 @@ for TARGET in $TARGETS; do
INSTALL_BORINGSSL=1
PACKAGES="${PACKAGES} cmake ninja-build"
;;
+ aws-lc)
+ INSTALL_AWSLC=1
+ PACKAGES="${PACKAGES} cmake ninja-build"
+ ;;
putty-*)
INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
PACKAGES="${PACKAGES} cmake"
@@ -240,6 +244,15 @@ if [ ! -z "${INSTALL_BORINGSSL}" ]; then
cp -r ${HOME}/boringssl/include /opt/boringssl)
fi
+if [ ! -z "${INSTALL_AWSLC}" ]; then
+ (cd ${HOME} && git clone --depth 1 --branch v1.46.1 https://github.com/aws/aws-lc.git &&
+ cd ${HOME}/aws-lc && mkdir build && cd build &&
+ cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF .. && ninja &&
+ mkdir -p /opt/aws-lc/lib &&
+ cp ${HOME}/aws-lc/build/crypto/libcrypto.a /opt/aws-lc/lib &&
+ cp -r ${HOME}/aws-lc/include /opt/aws-lc)
+fi
+
if [ ! -z "${INSTALL_ZLIB}" ]; then
(cd ${HOME} && git clone https://github.com/madler/zlib.git &&
cd ${HOME}/zlib && ./configure && make &&
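Review bot: the aws-lc clone is pinned with --branch v1.46.1, which fixes a tag name but not the content behind it; a moved or re-created tag would change what CI builds and links into the test binaries. Suggest recording the expected commit hash next to the tag and comparing it with git rev-parse HEAD after the clone, failing the setup if it differs. The version string would also be easier to bump if it lived in a variable at the top of the block.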
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index c179f73d16e0..424c193fb207 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -2,9 +2,9 @@ name: C/C++ CI
on:
push:
- paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
pull_request:
- paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yaml' ]
+ paths: [ '**.c', '**.h', '**.m4', '**.sh', '**/Makefile.in', 'configure.ac', '.github/configs', '.github/workflows/c-cpp.yml' ]
jobs:
ci:
@@ -15,11 +15,13 @@ jobs:
matrix:
# First we test all OSes in the default configuration.
target:
- - ubuntu-20.04
- ubuntu-22.04
- - macos-12
+ - ubuntu-latest
+ - ubuntu-22.04-arm
+ - ubuntu-24.04-arm
- macos-13
- macos-14
+ - macos-15
- windows-2019
- windows-2022
config: [default]
@@ -28,33 +30,36 @@ jobs:
include:
- { target: windows-2019, config: cygwin-release }
- { target: windows-2022, config: cygwin-release }
- - { target: ubuntu-20.04, config: valgrind-1 }
- - { target: ubuntu-20.04, config: valgrind-2 }
- - { target: ubuntu-20.04, config: valgrind-3 }
- - { target: ubuntu-20.04, config: valgrind-4 }
- - { target: ubuntu-20.04, config: valgrind-unit }
- - { target: ubuntu-20.04, config: c89 }
- - { target: ubuntu-20.04, config: clang-6.0 }
- - { target: ubuntu-20.04, config: clang-8 }
- - { target: ubuntu-20.04, config: clang-9 }
- - { target: ubuntu-20.04, config: clang-10 }
- - { target: ubuntu-20.04, config: clang-11 }
- - { target: ubuntu-20.04, config: clang-12-Werror }
- - { target: ubuntu-20.04, config: clang-sanitize-address }
- - { target: ubuntu-20.04, config: clang-sanitize-undefined }
- - { target: ubuntu-20.04, config: gcc-sanitize-address }
- - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
- - { target: ubuntu-20.04, config: gcc-7 }
- - { target: ubuntu-20.04, config: gcc-8 }
- - { target: ubuntu-20.04, config: gcc-10 }
+ - { target: ubuntu-22.04, config: c89 }
+ - { target: ubuntu-22.04, config: clang-11 }
+ - { target: ubuntu-22.04, config: clang-12-Werror }
+ - { target: ubuntu-22.04, config: clang-14 }
+ - { target: ubuntu-22.04, config: clang-sanitize-address }
+ - { target: ubuntu-22.04, config: clang-sanitize-undefined }
+ - { target: ubuntu-22.04, config: gcc-9 }
- { target: ubuntu-22.04, config: gcc-11-Werror }
- { target: ubuntu-22.04, config: gcc-12-Werror }
- - { target: ubuntu-20.04, config: pam }
- - { target: ubuntu-20.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: gcc-sanitize-address }
+ - { target: ubuntu-22.04, config: gcc-sanitize-undefined }
- { target: ubuntu-22.04, config: hardenedmalloc }
- - { target: ubuntu-20.04, config: tcmalloc }
- - { target: ubuntu-20.04, config: musl }
+ - { target: ubuntu-22.04, config: heimdal }
+ - { target: ubuntu-22.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: krb5 }
+ - { target: ubuntu-22.04, config: libedit }
+ - { target: ubuntu-22.04, config: pam }
+ - { target: ubuntu-22.04, config: selinux }
+ - { target: ubuntu-22.04, config: sk }
+ - { target: ubuntu-22.04, config: valgrind-1 }
+ - { target: ubuntu-22.04, config: valgrind-2 }
+ - { target: ubuntu-22.04, config: valgrind-3 }
+ - { target: ubuntu-22.04, config: valgrind-4 }
+ - { target: ubuntu-22.04, config: valgrind-unit }
+ - { target: ubuntu-22.04, config: without-openssl }
+ - { target: ubuntu-latest, config: gcc-14 }
+ - { target: ubuntu-latest, config: clang-15 }
+ - { target: ubuntu-latest, config: clang-19 }
- { target: ubuntu-latest, config: boringssl }
+ - { target: ubuntu-latest, config: aws-lc }
- { target: ubuntu-latest, config: libressl-master }
- { target: ubuntu-latest, config: libressl-3.2.6 }
- { target: ubuntu-latest, config: libressl-3.3.6 }
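Review bot: removing the ubuntu-20.04 rows from the include list drops the clang-6.0, clang-8, clang-9, clang-10, gcc-7, gcc-8 and gcc-10 configurations without replacement, so the oldest compilers still exercised in this hunk are clang-11 and gcc-9. If that reduction in old-toolchain coverage is intended, say so in the change description; otherwise some of those configs need a new home on a runner that still packages them.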
@@ -63,18 +68,20 @@ jobs:
- { target: ubuntu-latest, config: libressl-3.6.1 }
- { target: ubuntu-latest, config: libressl-3.7.2 }
- { target: ubuntu-latest, config: libressl-3.8.4 }
- - { target: ubuntu-latest, config: libressl-3.9.1 }
+ - { target: ubuntu-latest, config: libressl-3.9.2 }
+ - { target: ubuntu-latest, config: libressl-4.0.0 }
- { target: ubuntu-latest, config: openssl-master }
- { target: ubuntu-latest, config: openssl-noec }
- { target: ubuntu-latest, config: openssl-1.1.1 }
- { target: ubuntu-latest, config: openssl-1.1.1t }
- { target: ubuntu-latest, config: openssl-1.1.1w }
- { target: ubuntu-latest, config: openssl-3.0.0 }
- - { target: ubuntu-latest, config: openssl-3.0.13 }
+ - { target: ubuntu-latest, config: openssl-3.0.15 }
- { target: ubuntu-latest, config: openssl-3.1.0 }
- - { target: ubuntu-latest, config: openssl-3.1.5 }
- - { target: ubuntu-latest, config: openssl-3.2.1 }
- - { target: ubuntu-latest, config: openssl-3.3.0 }
+ - { target: ubuntu-latest, config: openssl-3.1.7 }
+ - { target: ubuntu-latest, config: openssl-3.2.3 }
+ - { target: ubuntu-latest, config: openssl-3.3.2 }
+ - { target: ubuntu-latest, config: openssl-3.4.0 }
- { target: ubuntu-latest, config: openssl-1.1.1_stable }
- { target: ubuntu-latest, config: openssl-3.0 } # stable branch
- { target: ubuntu-latest, config: openssl-3.1 } # stable branch
@@ -90,19 +97,18 @@ jobs:
- { target: ubuntu-latest, config: putty-0.78 }
- { target: ubuntu-latest, config: putty-0.79 }
- { target: ubuntu-latest, config: putty-0.80 }
+ - { target: ubuntu-latest, config: putty-0.81 }
+ - { target: ubuntu-latest, config: putty-0.82 }
+ - { target: ubuntu-latest, config: putty-0.83 }
- { target: ubuntu-latest, config: putty-snapshot }
- { target: ubuntu-latest, config: zlib-develop }
- - { target: ubuntu-22.04, config: pam }
- - { target: ubuntu-22.04, config: krb5 }
- - { target: ubuntu-22.04, config: heimdal }
- - { target: ubuntu-22.04, config: libedit }
- - { target: ubuntu-22.04, config: sk }
- - { target: ubuntu-22.04, config: selinux }
- - { target: ubuntu-22.04, config: kitchensink }
- - { target: ubuntu-22.04, config: without-openssl }
- - { target: macos-12, config: pam }
+ - { target: ubuntu-latest, config: tcmalloc }
+ - { target: ubuntu-latest, config: musl }
+ - { target: ubuntu-22.04-arm, config: kitchensink }
+ - { target: ubuntu-24.04-arm, config: kitchensink }
- { target: macos-13, config: pam }
- { target: macos-14, config: pam }
+ - { target: macos-15, config: pam }
runs-on: ${{ matrix.target }}
steps:
- name: set cygwin git params
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index 755bb0cacb69..d892a28c3eb6 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -21,6 +21,7 @@ jobs:
REMOTE: ${{ startsWith(matrix.host, 'remote') }}
VM: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') }}
SSHFS: ${{ startsWith(matrix.host, 'libvirt') || startsWith(matrix.host, 'persist') || startsWith(matrix.host, 'remote') }}
+ BIGENDIAN: ${{ matrix.target == 'aix51' || matrix.target == 'fbsd14-ppc64' || matrix.target == 'openwrt-mips' }}
strategy:
fail-fast: false
# We use a matrix in two parts: firstly all of the VMs are tested with the
@@ -40,11 +41,11 @@ jobs:
- fbsd12
- fbsd13
- fbsd14
- - minix3
- nbsd3
- nbsd4
- nbsd8
- nbsd9
+ - nbsd10
- obsd51
- obsd67
- obsd72
@@ -62,6 +63,7 @@ jobs:
include:
# Long-running/slow tests have access to high priority runners.
- { target: aix51, config: default, host: libvirt-hipri }
+ - { target: fbsd14-ppc64, config: default, host: libvirt-hipri }
- { target: openindiana, config: pam, host: libvirt-hipri }
- { target: sol10, config: default, host: libvirt-hipri }
- { target: sol10, config: pam, host: libvirt-hipri }
@@ -96,14 +98,9 @@ jobs:
- { target: ARM64, config: pam, host: ARM64 }
# Physical hosts with remote runners.
- { target: debian-riscv64, config: default, host: remote-debian-riscv64 }
-
- { target: openwrt-mips, config: default, host: remote-openwrt-mips }
- { target: openwrt-mipsel, config: default, host: remote-openwrt-mipsel }
steps:
- - name: unmount stale workspace
- if: env.SSHFS == 'true'
- run: fusermount -u ${GITHUB_WORKSPACE} || true
- working-directory: ${{ runner.temp }}
- name: shutdown VM if running
if: env.VM == 'true'
run: vmshutdown
@@ -147,6 +144,60 @@ jobs:
if: always() && env.SSHFS == 'true'
run: fusermount -u ${GITHUB_WORKSPACE} || true
working-directory: ${{ runner.temp }}
+
+ - name: bigendian interop - mount regress
+ if: env.SSHFS == 'true' && env.BIGENDIAN == 'true'
+ run: |
+ set -x
+ vmrun sudo chown -R $LOGNAME ~/$(basename ${GITHUB_WORKSPACE}) || true
+ vmrun "cd $(basename ${GITHUB_WORKSPACE}/regress) && sudo make clean"
+ sshfs_mount regress
+ vmrun "sudo mkdir -p $(dirname ${GITHUB_WORKSPACE})"
+ vmrun "sudo ln -s ~/$(basename ${GITHUB_WORKSPACE}) ${GITHUB_WORKSPACE}"
+ working-directory: ${{ runner.temp }}
+
+ - name: bigendian interop - host build
+ if: env.SSHFS == 'true' && env.BIGENDIAN == 'true'
+ run: |
+ set -x
+ ./.github/configure.sh ${{ matrix.config }}
+ pwd
+ ls -ld regress || true
+ ls -l regress/check-perm || true
+ make clean
+ make
+
+ - name: bigendian interop - test
+ if: env.SSHFS == 'true' && env.BIGENDIAN == 'true'
+ env:
+ TEST_SSH_UNSAFE_PERMISSIONS: 1
+ run: |
+ set -x
+ echo "#!/bin/sh" >remote_sshd
+ echo "exec /usr/bin/ssh ${TARGET_DOMAIN} exec /home/builder/$(basename ${GITHUB_WORKSPACE})/sshd "'$@' >>remote_sshd
+ chmod 755 remote_sshd
+ make t-exec TEST_SSH_SSHD=`pwd`/remote_sshd LTESTS="try-ciphers kextype keytype"
+
+ - name: bigendian interop - save logs
+ if: failure() && env.BIGENDIAN == 'true'
+ uses: actions/upload-artifact@main
+ with:
+ name: ${{ matrix.target }}-${{ matrix.config }}-interop-logs
+ path: |
+ config.h
+ config.log
+ regress/*.log
+ regress/log/*
+
+ - name: bigendian interop - unmount regress
+ if: always() && env.SSHFS == 'true' && env.BIGENDIAN == 'true'
+ run: fusermount -z -u ${GITHUB_WORKSPACE}/regress || true
+ working-directory: ${{ runner.temp }}
+
+ - name: lazily unmount workspace
+ if: always() && env.SSHFS == 'true'
+ run: fusermount -z -u ${GITHUB_WORKSPACE} || true
+ working-directory: ${{ runner.temp }}
- name: shutdown VM
if: always() && env.VM == 'true'
run: vmshutdown
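Review bot: the new "bigendian interop - save logs" step uses actions/upload-artifact@main, which tracks a moving branch, so the code that handles the uploaded logs can change without any change to this workflow. Pin it to a release tag or a full commit SHA. In the test step, TEST_SSH_UNSAFE_PERMISSIONS: 1 is set with no comment explaining why the permission checks must be relaxed for the sshfs-mounted regress directory; add one so it is not copied elsewhere. The generated remote_sshd wrapper also expands $@ unquoted and hard-codes /home/builder, both of which are worth a comment or a variable.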
diff --git a/crypto/openssh/.github/workflows/upstream.yml b/crypto/openssh/.github/workflows/upstream.yml
index e25adb423917..615a7763fb9b 100644
--- a/crypto/openssh/.github/workflows/upstream.yml
+++ b/crypto/openssh/.github/workflows/upstream.yml
@@ -9,19 +9,25 @@ jobs:
selfhosted:
name: "upstream ${{ matrix.target }} ${{ matrix.config }}"
if: github.repository == 'openssh/openssh-portable-selfhosted'
- runs-on: 'libvirt'
+ runs-on: ${{ matrix.host }}
env:
DEBUG_ACTIONS: true
EPHEMERAL: true
- HOST: 'libvirt'
+ HOST: ${{ matrix.host }}
TARGET_HOST: ${{ matrix.target }}
TARGET_CONFIG: ${{ matrix.config }}
TARGET_DOMAIN: ${{ format('{0}-{1}-{2}', matrix.target, matrix.config, github.run_id) || matrix.target }}
strategy:
fail-fast: false
matrix:
+ host:
+ - libvirt
target: [ obsdsnap, obsdsnap-i386 ]
config: [ default, without-openssl, ubsan ]
+ include:
+ - { host: libvirt-arm64, target: obsdsnap-arm64, config: default }
+ - { host: libvirt-arm64, target: obsdsnap-arm64, config: without-openssl }
+ - { host: libvirt-arm64, target: obsdsnap-arm64, config: ubsan }
steps:
- name: unmount stale workspace
run: fusermount -u ${GITHUB_WORKSPACE} || true
@@ -49,17 +55,22 @@ jobs:
env:
SUDO: sudo
timeout-minutes: 300
+ - name: show logs
+ if: failure()
+ run: vmrun 'for i in /usr/src/regress/usr.bin/ssh/obj/*.log; do echo ====; echo logfile $i; echo =====; cat $i; done'
- name: save logs
if: failure()
uses: actions/upload-artifact@main
with:
name: ${{ matrix.target }}-${{ matrix.config }}-logs
path: |
- /usr/obj/regress/usr.bin/ssh/obj/*.log
- /usr/obj/regress/usr.bin/ssh/obj/log/*
+ /usr/src/regress/usr.bin/ssh/obj/*.log
+ /usr/src/regress/usr.bin/ssh/obj/log/*
- name: unmount workspace
if: always()
- run: fusermount -u ${GITHUB_WORKSPACE} || true
+ run: |
+ fusermount -u ${GITHUB_WORKSPACE} || true
+ fusermount -z -u ${GITHUB_WORKSPACE} || true
working-directory: ${{ runner.temp }}
- name: shutdown VM
if: always()
diff --git a/crypto/openssh/.gitignore b/crypto/openssh/.gitignore
index 41d505c46dde..c419d0fd662b 100644
--- a/crypto/openssh/.gitignore
+++ b/crypto/openssh/.gitignore
@@ -12,6 +12,8 @@ survey.sh
**/*.o
**/*.lo
**/*.so
+**/*.dylib
+**/*.dll
**/*.out
**/*.a
**/*.un~
@@ -29,7 +31,9 @@ ssh-keysign
ssh-pkcs11-helper
ssh-sk-helper
sshd
-!regress/misc/fuzz-harness/Makefile
-!regress/unittests/sshsig/Makefile
+sshd-session
+sshd-auth
+!regress/misc/**/Makefile
+!regress/unittests/**/Makefile
tags
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index ec7831e5ff53..7988e25006f4 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -37,6 +37,8 @@ ef9341d5a50f0d33e3a6fbe995e92964bc7ef2d3 Makefile relinking changes
fb39324748824cb0387e9d67c41d1bef945c54ea Makefile change
5f378c38ad8976d507786dc4db9283a879ec8cd0 Makefile change
112aacedd3b61cc5c34b1fa6d9fb759214179172 Makefile change
+a959fc45ea3431b36f52eda04faefc58bcde00db groupaccess.c changes
+6d07e4606997e36b860621a14dd41975f2902f8f Makefile.inc
Old upstream tree:
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 2ef1164e6cfb..60a06386e42d 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,6764 +1,7464 @@
-commit 6ebc4dd77a479892d5ca0cd2a567a651f70aad82
+commit 8725dbc5b5fcc3e326fc71189ef8dba4333362cc
Author: Damien Miller <djm@mindrot.org>
-Date: Tue Feb 18 19:03:42 2025 +1100
+Date: Wed Apr 9 17:02:17 2025 +1000
- openssh-9.9p2
+ update version numbers
-commit 38df39ecf278a7ab5794fb03c01286f2cfe82c0d
+commit cc7feb9458ad3b893b53dc9c7500d1affd208bde
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 18 08:02:48 2025 +0000
+Date: Wed Apr 9 07:00:21 2025 +0000
- upstream: Fix cases where error codes were not correctly set
-
- Reported by the Qualys Security Advisory team. ok markus@
+ upstream: openssh-10.0
- OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+ OpenBSD-Commit-ID: db5b4a1f1c9e988f8f166b56dc5643606294b403
-commit 5e07dee272c34e193362fba8eda0e3c453f3c773
+commit fc86875e6acb36401dfc1dfb6b628a9d1460f367
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Tue Feb 18 08:02:12 2025 +0000
+Date: Wed Apr 9 07:00:03 2025 +0000
- upstream: Don't reply to PING in preauth phase or during KEX
+ upstream: Fix logic error in DisableForwarding option. This option
- Reported by the Qualys Security Advisory team. ok markus@
+ was documented as disabling X11 and agent forwarding but it failed to do so.
+ Spotted by Tim Rice.
- OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+ OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
-commit fb071011fb843142282b8b8a69cbb15e9b0b9485
+commit dd73459e351b0a2908aed90910c8ff9b0b381c6d
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Mon Feb 10 23:00:29 2025 +0000
+Date: Wed Apr 9 01:24:40 2025 +0000
- upstream: fix "Match invalid-user" from incorrectly being activated
-
- in initial configuration pass when no other predicates were present on the
- match line
+ upstream: oops, I accidentally backed out the typo fix
- OpenBSD-Commit-ID: 02703b4bd207fafd03788bc4e7774bf80be6c9a8
+ OpenBSD-Commit-ID: f485f79bf3e9ebbe1de13ac96150cf458956cfd8
-commit 729a26a978dd39db60d4625bdfb5405baa629e59
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Oct 30 14:25:14 2024 +1100
+commit 0cb945891944bada5850e85d60afa3c807cf1af6
+Author: djm@openbsd.org <djm@openbsd.org>
+Date: Wed Apr 9 01:23:47 2025 +0000
- fix uint64_t types; reported by Tom G. Christensen
+ upstream: typo
+
+ OpenBSD-Commit-ID: f912725c7d303720706b3ccfb2cb846d46296d13
-commit 33c5f384ae03a5d1a0bd46ca0fac3c62e4eaf784
+commit cd4a6bd50b658d707867caa1f5aa40b35c2b6c19
Author: Damien Miller <djm@mindrot.org>
-Date: Sun Oct 27 13:28:11 2024 +1100
+Date: Wed Apr 9 09:49:55 2025 +1000
- htole64() etc for systems without endian.h
+ initialise websafe_allowlist in agent fuzzer
-commit fe8d28a7ebbaa35cfc04a21263627f05c237e460
+commit 55b7cb48af96c1102ef8ab5a73bb329cbed30945
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Oct 27 02:06:59 2024 +0000
+Date: Tue Apr 8 23:10:46 2025 +0000
- upstream: explicitly include endian.h
+ upstream: typo
- OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
+ OpenBSD-Regress-ID: 08477b936d1d0c1e8a98aa1c0e1bdde8871894c9
-commit 11f348196b3fb51c3d8d1f4f36db9d73f03149ed
+commit 985d8cbcd3438cc36b4e709476f1783e358ddfb1
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Sun Oct 27 02:06:01 2024 +0000
+Date: Tue Apr 8 23:10:08 2025 +0000
- upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by
+ upstream: typo
- jsg@ feedback/ok deraadt@
+ OpenBSD-Commit-ID: 6e683e13e72bf1e43bbd3bbc6a8332d5a98bdc99
+
+commit 000c3d14e94d8f7597087c457260ea9417045b65
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Mon Apr 7 08:12:22 2025 +0000
+
+ upstream: Include time.h for time().
- OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
+ Fixes warning on some platforms when building without openssl.
+
+ OpenBSD-Commit-ID: 04ca29b8eaae1860c7adde3e770baa1866e30a54
-commit 19bcb2d90c6caf14abf386b644fb24eb7afab889
-Author: djm@openbsd.org <djm@openbsd.org>
-Date: Thu Sep 26 23:55:08 2024 +0000
+commit 49b8b9bf829e08af22366530614a5e59ac341ca9
+Author: tb@openbsd.org <tb@openbsd.org>
+Date: Wed Apr 2 04:28:03 2025 +0000
- upstream: fix previous change to ssh_config Match, which broken on
+ upstream: Wrap #include <openssl/dsa.h> in #ifdef WITH_DSA
- negated Matches; spotted by phessler@ ok deraadt@
+ ok djm
- OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
+ OpenBSD-Commit-ID: ed01a7c102243f84e4a317aefb431916d98aab15
+
+commit f80fb819e5521e13f167edbcc3eed66e22ad0c2a
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Apr 3 09:10:19 2025 +1100
+
+ remove all instances of -pie from LDFLAGS
+
+ Previously only the first instance of this flag was removed.
+ Unbreaks build on OpenSUSE Tumbleweed. Patch from Antonio Larrosa
-commit 66878e12a207fa9746dee3e2bdcca29b704cf035
+commit 6c9872faa1c297a84c6d3e3b95a927be99eadbf6
Author: djm@openbsd.org <djm@openbsd.org>
-Date: Wed Sep 25 01:24:04 2024 +0000
+Date: Tue Apr 1 23:23:20 2025 +0000
- upstream: fix regression introduced when I switched the "Match"
+ upstream: remove ability to enable DSA support. Actual code will be
- criteria tokeniser to a more shell-like one. Apparently the old tokeniser
- (accidentally?) allowed "Match criteria=argument" as well as the "Match
- criteria argument" syntax that we tested for.
+ g/c'd separately. ok deraadt@
- People were using this syntax so this adds back support for
- "Match criteria=argument"
+ OpenBSD-Commit-ID: 2a032b75156c4d922e8343fa97ff6bc227f09819
+
+commit 8460aaa4e1f8680f03cc5334556b9440b401f010
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 28 21:45:55 2025 +0000
+
+ upstream: Add TEST_SSH_SSHD_ENV to sshd lines here too.
- bz3739 ok dtucker
+ OpenBSD-Regress-ID: 045f2c88b42d694b404db51c5de5eca20d748ff1
+
+commit 5e60f5937b9c33190b9d7614f72d85d4a9b38d3d
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 28 06:04:07 2025 +0000
+
+ upstream: Pass "ControlMaster no" to ssh when invoked by scp & sftp.
- OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
+ If you have ControlMaster auto (or yes) in your config, and the
+ first connection you make is via scp or sftp, then you may get a
+ few unexpected options applied to it (eg ForwardX11 no), since sftp
+ and sftp explicitly disable those for reasons. These effects will
+ persist beyond the initial scp or sftp command.
+
+ This explicitly disables persistent session *creation* by scp and sftp.
+ It will not prevent them from using an existing session if one has
+ already been created.
+
+ From Github PR#557, ok djm@ kn@
+
+ OpenBSD-Commit-ID: 9dad7c737466837e0150c4318920f46d844770c4
-commit ff2cd1dd5711ff88efdf26662d6189d980439a1f
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Sep 25 11:15:45 2024 +1000
+commit bbd36869dfb4b770cc9e6a345c04a585a0955aec
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 28 05:41:15 2025 +0000
- gss-serv.c needs sys/param.h
+ upstream: Set sshd environment variables during sshd test run too.
- From Void Linux
+ OpenBSD-Regress-ID: 50cb325d92c390a2909662c901f6ac5d80b6f74d
-commit 2c12ae8cf9b0b7549ae097c4123abeda0ee63e5b
-Author: Damien Miller <djm@mindrot.org>
-Date: Wed Sep 25 11:13:05 2024 +1000
+commit 98f05b1484daddef2f56b79e24540523b5016143
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date: Fri Mar 28 05:36:24 2025 +0000
- build construct_utmp() when USE_BTMP is set
+ upstream: Add TEST_SSH_SSHD_ENV variable which is added to sshd's
- Fixes compile error on Void Linux/Musl
+ environment. Will be used in Portable to tweak behaviour of tcmalloc's
+ debugging.
+
+ OpenBSD-Regress-ID: 67e38c3c4517ddb72c8a3549a3325a166d7bb6d6
-commit c7fda601186ff28128cfe3eab9c9c0622de096e1
-Author: Christoph Ostarek <christoph@zededa.com>
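Review bot: typo in the added entry for commit 5e60f5937b9c, where "since sftp and sftp explicitly disable those for reasons" should read "scp and sftp". ChangeLog comes from the upstream release, so this is better reported there than patched in the imported copy.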
*** 22191 LINES SKIPPED ***