git: 19261079b743 - main - openssh: update to OpenSSH v8.7p1
FreeBSD User
freebsd at walstatt-de.de
Thu Sep 9 17:27:18 UTC 2021
On Wed, 8 Sep 2021 01:07:51 GMT
Ed Maste <emaste at FreeBSD.org> wrote:
> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72
>
> commit 19261079b74319502c6ffa1249920079f0f69a72
> Merge: c5128c48df3c 66719ee573ac
> Author: Ed Maste <emaste at FreeBSD.org>
> AuthorDate: 2021-09-08 01:05:51 +0000
> Commit: Ed Maste <emaste at FreeBSD.org>
> CommitDate: 2021-09-08 01:05:51 +0000
>
> openssh: update to OpenSSH v8.7p1
>
> Some notable changes, from upstream's release notes:
>
> - sshd(8): Remove support for obsolete "host/port" syntax.
> - ssh(1): When prompting whether to record a new host key, accept the key
> fingerprint as a synonym for "yes".
> - ssh-keygen(1): when acting as a CA and signing certificates with an RSA
> key, default to using the rsa-sha2-512 signature algorithm.
> - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
> (RSA/SHA1) algorithm from those accepted for certificate signatures.
> - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
> support to provide address-space isolation for token middleware
> libraries (including the internal one).
> - ssh(1): this release enables UpdateHostkeys by default subject to some
> conservative preconditions.
> - scp(1): this release changes the behaviour of remote to remote copies
> (e.g. "scp host-a:/path host-b:") to transfer through the local host
> by default.
> - scp(1): experimental support for transfers using the SFTP protocol as
> a replacement for the venerable SCP/RCP protocol that it has
> traditionally used.
>
> Additional integration work is needed to support FIDO/U2F in the base
> system.
>
> Deprecation Notice
> ------------------
>
> OpenSSH will disable the ssh-rsa signature scheme by default in the
> next release.
>
> Reviewed by: imp
> MFC after: 1 month
> Relnotes: Yes
> Sponsored by: The FreeBSD Foundation
> Differential Revision: https://reviews.freebsd.org/D29985
>
> crypto/openssh/.depend | 354 +-
> crypto/openssh/.github/ci-status.md | 4 +
> crypto/openssh/.github/configs | 170 +
> crypto/openssh/.github/configure.sh | 6 +
> crypto/openssh/.github/run_test.sh | 34 +
> crypto/openssh/.github/setup_ci.sh | 115 +
> crypto/openssh/.github/workflows/c-cpp.yml | 76 +
> crypto/openssh/.github/workflows/selfhosted.yml | 93 +
> crypto/openssh/.github/workflows/upstream.yml | 43 +
> crypto/openssh/.gitignore | 8 +
> crypto/openssh/.skipped-commit-ids | 18 +
> crypto/openssh/CREDITS | 2 +-
> crypto/openssh/ChangeLog | 16777 ++++++++++++-------
> crypto/openssh/FREEBSD-vendor | 4 +-
> crypto/openssh/INSTALL | 79 +-
> crypto/openssh/LICENCE | 64 +-
> crypto/openssh/Makefile.in | 328 +-
> crypto/openssh/OVERVIEW | 7 +-
> crypto/openssh/PROTOCOL | 89 +-
> crypto/openssh/PROTOCOL.agent | 6 +-
> crypto/openssh/PROTOCOL.certkeys | 35 +-
> crypto/openssh/PROTOCOL.chacha20poly1305 | 4 +-
> crypto/openssh/PROTOCOL.key | 9 +-
> crypto/openssh/PROTOCOL.mux | 4 +-
> crypto/openssh/PROTOCOL.sshsig | 100 +
> crypto/openssh/PROTOCOL.u2f | 309 +
> crypto/openssh/README | 36 +-
> crypto/openssh/README.dns | 8 +-
> crypto/openssh/README.md | 84 +
> crypto/openssh/README.platform | 16 +-
> crypto/openssh/README.privsep | 11 +-
> crypto/openssh/aclocal.m4 | 193 +-
> crypto/openssh/addr.c | 423 +
> crypto/openssh/addr.h | 60 +
> crypto/openssh/addrmatch.c | 351 +-
> crypto/openssh/atomicio.c | 32 +-
> crypto/openssh/atomicio.h | 4 +-
> crypto/openssh/audit-bsm.c | 41 +-
> crypto/openssh/audit-linux.c | 4 +-
> crypto/openssh/audit.c | 2 +-
> crypto/openssh/audit.h | 4 +-
> crypto/openssh/auth-bsdauth.c | 2 -
> crypto/openssh/auth-krb5.c | 19 +-
> crypto/openssh/auth-options.c | 194 +-
> crypto/openssh/auth-options.h | 13 +-
> crypto/openssh/auth-pam.c | 119 +-
> crypto/openssh/auth-pam.h | 2 +-
> crypto/openssh/auth-passwd.c | 6 +-
> crypto/openssh/auth-rhosts.c | 19 +-
> crypto/openssh/auth-skey.c | 107 -
> crypto/openssh/auth.c | 303 +-
> crypto/openssh/auth.h | 36 +-
> crypto/openssh/auth2-chall.c | 43 +-
> crypto/openssh/auth2-gss.c | 29 +-
> crypto/openssh/auth2-hostbased.c | 71 +-
> crypto/openssh/auth2-kbdint.c | 8 +-
> crypto/openssh/auth2-none.c | 4 +-
> crypto/openssh/auth2-passwd.c | 9 +-
> crypto/openssh/auth2-pubkey.c | 264 +-
> crypto/openssh/auth2.c | 209 +-
> crypto/openssh/authfd.c | 178 +-
> crypto/openssh/authfd.h | 12 +-
> crypto/openssh/authfile.c | 265 +-
> crypto/openssh/authfile.h | 10 +-
> crypto/openssh/blacklist.c | 6 +-
> crypto/openssh/buildpkg.sh.in | 8 +-
> crypto/openssh/canohost.c | 12 +-
> crypto/openssh/chacha.h | 4 +-
> crypto/openssh/channels.c | 761 +-
> crypto/openssh/channels.h | 38 +-
> crypto/openssh/cipher-chachapoly-libcrypto.c | 166 +
> crypto/openssh/cipher-chachapoly.c | 32 +-
> crypto/openssh/cipher-chachapoly.h | 13 +-
> crypto/openssh/cipher.c | 48 +-
> crypto/openssh/cipher.h | 5 +-
> crypto/openssh/clientloop.c | 1074 +-
> crypto/openssh/clientloop.h | 5 +-
> crypto/openssh/compat.c | 92 +-
> crypto/openssh/compat.h | 20 +-
> crypto/openssh/config.guess | 882 +-
> crypto/openssh/config.h | 241 +-
> crypto/openssh/config.sub | 2528 ++-
> crypto/openssh/configure.ac | 970 +-
> crypto/openssh/contrib/Makefile | 6 +-
> crypto/openssh/contrib/cygwin/README | 4 +-
> crypto/openssh/contrib/cygwin/ssh-host-config | 59 +-
> crypto/openssh/contrib/findssl.sh | 0
> crypto/openssh/contrib/gnome-ssh-askpass1.c | 7 +-
> crypto/openssh/contrib/gnome-ssh-askpass2.c | 210 +-
> crypto/openssh/contrib/gnome-ssh-askpass3.c | 305 +
> crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh | 0
> crypto/openssh/contrib/redhat/openssh.spec | 55 +-
> crypto/openssh/contrib/solaris/README | 0
> crypto/openssh/contrib/ssh-copy-id | 303 +-
> crypto/openssh/contrib/ssh-copy-id.1 | 11 +-
> crypto/openssh/contrib/suse/openssh.spec | 6 +-
> crypto/openssh/crc32.c | 105 -
> crypto/openssh/crc32.h | 30 -
> crypto/openssh/crypto_api.h | 20 +-
> crypto/openssh/defines.h | 54 +-
> crypto/openssh/dh.c | 39 +-
> crypto/openssh/dh.h | 10 +-
> crypto/openssh/digest-libc.c | 33 +-
> crypto/openssh/digest-openssl.c | 19 +-
> crypto/openssh/dispatch.c | 6 +-
> crypto/openssh/dispatch.h | 9 +-
> crypto/openssh/dns.c | 72 +-
> crypto/openssh/dns.h | 3 +-
> crypto/openssh/entropy.c | 175 +-
> crypto/openssh/fatal.c | 7 +-
> crypto/openssh/groupaccess.c | 5 +-
> crypto/openssh/gss-genr.c | 19 +-
> crypto/openssh/gss-serv.c | 4 +-
> crypto/openssh/hash.c | 36 +-
> crypto/openssh/hmac.c | 7 +-
> crypto/openssh/hostfile.c | 269 +-
> crypto/openssh/hostfile.h | 27 +-
> crypto/openssh/int32_minmax.inc | 0
> crypto/openssh/kex.c | 490 +-
> crypto/openssh/kex.h | 92 +-
> crypto/openssh/kexc25519.c | 182 +-
> crypto/openssh/kexc25519c.c | 169 -
> crypto/openssh/kexc25519s.c | 158 -
> crypto/openssh/kexdh.c | 205 +-
> crypto/openssh/kexdhc.c | 224 -
> crypto/openssh/kexdhs.c | 222 -
> crypto/openssh/kexecdh.c | 239 +-
> crypto/openssh/kexecdhc.c | 222 -
> crypto/openssh/kexecdhs.c | 203 -
> crypto/openssh/kexgen.c | 346 +
> crypto/openssh/kexgex.c | 30 +-
> crypto/openssh/kexgexc.c | 123 +-
> crypto/openssh/kexgexs.c | 119 +-
> crypto/openssh/kexsntrup761x25519.c | 251 +
> crypto/openssh/krl.c | 223 +-
> crypto/openssh/krl.h | 5 +-
> crypto/openssh/log.c | 219 +-
> crypto/openssh/log.h | 93 +-
> crypto/openssh/loginrec.c | 13 +-
> crypto/openssh/loginrec.h | 7 +-
> crypto/openssh/logintest.c | 60 +-
> crypto/openssh/m4/openssh.m4 | 200 +
> crypto/openssh/mac.c | 7 +-
> crypto/openssh/match.c | 34 +-
> crypto/openssh/match.h | 7 +-
> crypto/openssh/misc.c | 962 +-
> crypto/openssh/misc.h | 75 +-
> crypto/openssh/moduli | 876 +-
> crypto/openssh/moduli.c | 29 +-
> crypto/openssh/monitor.c | 708 +-
> crypto/openssh/monitor.h | 13 +-
> crypto/openssh/monitor_fdpass.c | 24 +-
> crypto/openssh/monitor_wrap.c | 305 +-
> crypto/openssh/monitor_wrap.h | 26 +-
> crypto/openssh/msg.c | 18 +-
> crypto/openssh/mux.c | 640 +-
> crypto/openssh/myproposal.h | 144 +-
> crypto/openssh/nchan.c | 77 +-
> crypto/openssh/opacket.c | 320 -
> crypto/openssh/opacket.h | 154 -
> crypto/openssh/openbsd-compat/Makefile.in | 11 +-
> crypto/openssh/openbsd-compat/arc4random.c | 12 +-
> crypto/openssh/openbsd-compat/base64.c | 2 +-
> crypto/openssh/openbsd-compat/bcrypt_pbkdf.c | 4 +-
> crypto/openssh/openbsd-compat/bsd-closefrom.c | 88 +-
> crypto/openssh/openbsd-compat/bsd-cygwin_util.c | 149 +
> crypto/openssh/openbsd-compat/bsd-cygwin_util.h | 1 +
> crypto/openssh/openbsd-compat/bsd-misc.c | 113 +
> crypto/openssh/openbsd-compat/bsd-misc.h | 41 +-
> crypto/openssh/openbsd-compat/bsd-openpty.c | 17 +-
> crypto/openssh/openbsd-compat/bsd-poll.h | 2 +-
> crypto/openssh/openbsd-compat/bsd-pselect.c | 205 +
> crypto/openssh/openbsd-compat/bsd-setres_id.c | 12 +-
> crypto/openssh/openbsd-compat/bsd-signal.c | 29 +-
> crypto/openssh/openbsd-compat/bsd-signal.h | 7 +-
> crypto/openssh/openbsd-compat/bsd-snprintf.c | 18 +-
> crypto/openssh/openbsd-compat/bsd-statvfs.c | 10 +-
> crypto/openssh/openbsd-compat/bsd-waitpid.h | 2 +-
> crypto/openssh/openbsd-compat/explicit_bzero.c | 10 +-
> crypto/openssh/openbsd-compat/fnmatch.c | 495 +
> crypto/openssh/openbsd-compat/fnmatch.h | 66 +
> crypto/openssh/openbsd-compat/getopt_long.c | 2 +-
> crypto/openssh/openbsd-compat/glob.c | 157 +-
> crypto/openssh/openbsd-compat/glob.h | 9 +-
> .../openssh/openbsd-compat/libressl-api-compat.c | 6 +-
> crypto/openssh/openbsd-compat/memmem.c | 196 +
> crypto/openssh/openbsd-compat/mktemp.c | 4 +-
> crypto/openssh/openbsd-compat/openbsd-compat.h | 42 +-
> crypto/openssh/openbsd-compat/openssl-compat.c | 22 +-
> crypto/openssh/openbsd-compat/openssl-compat.h | 59 +-
> crypto/openssh/openbsd-compat/port-aix.c | 25 +-
> crypto/openssh/openbsd-compat/port-aix.h | 7 +-
> crypto/openssh/openbsd-compat/port-irix.c | 2 +
> crypto/openssh/openbsd-compat/port-linux.c | 25 +-
> crypto/openssh/openbsd-compat/port-net.c | 18 +-
> crypto/openssh/openbsd-compat/port-prngd.c | 164 +
> crypto/openssh/openbsd-compat/port-solaris.c | 14 +-
> crypto/openssh/openbsd-compat/port-uw.c | 2 +-
> crypto/openssh/openbsd-compat/pwcache.c | 4 +-
> crypto/openssh/openbsd-compat/regress/Makefile.in | 4 +-
> .../openssh/openbsd-compat/regress/closefromtest.c | 4 +-
> .../openbsd-compat/regress/opensslvertest.c | 2 +
> .../openssh/openbsd-compat/regress/snprintftest.c | 5 +-
> crypto/openssh/openbsd-compat/regress/strduptest.c | 2 +
> .../openssh/openbsd-compat/regress/strtonumtest.c | 2 +
> .../openssh/openbsd-compat/regress/utimensattest.c | 120 +
> crypto/openssh/openbsd-compat/rmd160.c | 378 -
> crypto/openssh/openbsd-compat/rmd160.h | 61 -
> crypto/openssh/openbsd-compat/setenv.c | 2 +
> crypto/openssh/openbsd-compat/setproctitle.c | 1 +
> crypto/openssh/openbsd-compat/sha1.c | 13 +-
> crypto/openssh/openbsd-compat/sha2.c | 336 +-
> crypto/openssh/openbsd-compat/sha2.h | 138 +-
> crypto/openssh/openbsd-compat/strtonum.c | 6 +-
> crypto/openssh/openbsd-compat/sys-queue.h | 376 +-
> crypto/openssh/packet.c | 264 +-
> crypto/openssh/packet.h | 14 +-
> crypto/openssh/pathnames.h | 9 +-
> crypto/openssh/platform.c | 1 +
> crypto/openssh/progressmeter.c | 60 +-
> crypto/openssh/progressmeter.h | 3 +-
> crypto/openssh/readconf.c | 1338 +-
> crypto/openssh/readconf.h | 37 +-
> crypto/openssh/readpass.c | 191 +-
> crypto/openssh/regress/Makefile | 75 +-
> crypto/openssh/regress/README.regress | 80 +-
> crypto/openssh/regress/addrmatch.sh | 16 +-
> crypto/openssh/regress/agent-getpeereid.sh | 6 +-
> crypto/openssh/regress/agent-pkcs11.sh | 99 +-
> crypto/openssh/regress/agent-ptrace.sh | 2 +-
> crypto/openssh/regress/agent-subprocess.sh | 22 +
> crypto/openssh/regress/agent-timeout.sh | 12 +-
> crypto/openssh/regress/agent.sh | 124 +-
> crypto/openssh/regress/allow-deny-users.sh | 8 +-
> crypto/openssh/regress/banner.sh | 6 +-
> crypto/openssh/regress/cert-file.sh | 4 +-
> crypto/openssh/regress/cert-hostkey.sh | 36 +-
> crypto/openssh/regress/cert-userkey.sh | 53 +-
> crypto/openssh/regress/cfginclude.sh | 24 +-
> crypto/openssh/regress/cfgmatch.sh | 55 +-
> crypto/openssh/regress/cfgparse.sh | 0
> crypto/openssh/regress/conch-ciphers.sh | 4 +-
> crypto/openssh/regress/connect-privsep.sh | 5 +-
> crypto/openssh/regress/connect.sh | 11 +-
> crypto/openssh/regress/dhgex.sh | 14 +-
> crypto/openssh/regress/ed25519_openssh.prv | 7 +
> crypto/openssh/regress/ed25519_openssh.pub | 1 +
> crypto/openssh/regress/forward-control.sh | 6 +-
> crypto/openssh/regress/forwarding.sh | 44 +-
> crypto/openssh/regress/host-expand.sh | 0
> crypto/openssh/regress/hostkey-agent.sh | 10 +-
> crypto/openssh/regress/hostkey-rotate.sh | 80 +-
> crypto/openssh/regress/integrity.sh | 8 +-
> crypto/openssh/regress/kextype.sh | 0
> crypto/openssh/regress/key-options.sh | 10 +-
> crypto/openssh/regress/keygen-change.sh | 7 +-
> crypto/openssh/regress/keygen-comment.sh | 52 +
> crypto/openssh/regress/keygen-convert.sh | 54 +-
> crypto/openssh/regress/keygen-knownhosts.sh | 0
> crypto/openssh/regress/keygen-moduli.sh | 17 +-
> crypto/openssh/regress/keygen-sshfp.sh | 29 +
> crypto/openssh/regress/keys-command.sh | 11 +-
> crypto/openssh/regress/keyscan.sh | 17 +-
> crypto/openssh/regress/keytype.sh | 57 +-
> crypto/openssh/regress/knownhosts-command.sh | 53 +
> crypto/openssh/regress/krl.sh | 41 +-
> crypto/openssh/regress/limit-keytype.sh | 69 +-
> crypto/openssh/regress/localcommand.sh | 0
> crypto/openssh/regress/misc/Makefile | 2 +-
> crypto/openssh/regress/misc/fuzz-harness/Makefile | 51 +-
> .../regress/misc/fuzz-harness/agent_fuzz.cc | 15 +
> .../regress/misc/fuzz-harness/agent_fuzz_helper.c | 177 +
> .../openssh/regress/misc/fuzz-harness/fixed-keys.h | 119 +
> .../openssh/regress/misc/fuzz-harness/kex_fuzz.cc | 461 +
> .../regress/misc/fuzz-harness/privkey_fuzz.cc | 21 +
> .../openssh/regress/misc/fuzz-harness/sig_fuzz.cc | 24 +-
> .../regress/misc/fuzz-harness/ssh-sk-null.cc | 51 +
> .../regress/misc/fuzz-harness/sshsig_fuzz.cc | 37 +
> .../regress/misc/fuzz-harness/sshsigopt_fuzz.cc | 29 +
> .../regress/misc/fuzz-harness/testdata/README | 4 +
> .../fuzz-harness/testdata/create-agent-corpus.sh | 44 +
> .../regress/misc/fuzz-harness/testdata/id_dsa | 21 +
> .../misc/fuzz-harness/testdata/id_dsa-cert.pub | 1 +
> .../regress/misc/fuzz-harness/testdata/id_dsa.pub | 1 +
> .../regress/misc/fuzz-harness/testdata/id_ecdsa | 8 +
> .../misc/fuzz-harness/testdata/id_ecdsa-cert.pub | 1 +
> .../misc/fuzz-harness/testdata/id_ecdsa.pub | 1 +
> .../regress/misc/fuzz-harness/testdata/id_ecdsa_sk | 14 +
> .../fuzz-harness/testdata/id_ecdsa_sk-cert.pub | 1 +
> .../misc/fuzz-harness/testdata/id_ecdsa_sk.pub | 1 +
> .../regress/misc/fuzz-harness/testdata/id_ed25519 | 7 +
> .../misc/fuzz-harness/testdata/id_ed25519-cert.pub | 1 +
> .../misc/fuzz-harness/testdata/id_ed25519.pub | 2 +
> .../misc/fuzz-harness/testdata/id_ed25519_sk | 8 +
> .../fuzz-harness/testdata/id_ed25519_sk-cert.pub | 1 +
> .../misc/fuzz-harness/testdata/id_ed25519_sk.pub | 1 +
> .../regress/misc/fuzz-harness/testdata/id_rsa | 27 +
> .../misc/fuzz-harness/testdata/id_rsa-cert.pub | 1 +
> .../regress/misc/fuzz-harness/testdata/id_rsa.pub | 1 +
> crypto/openssh/regress/misc/kexfuzz/Makefile | 88 -
> crypto/openssh/regress/misc/kexfuzz/README | 34 -
> crypto/openssh/regress/misc/kexfuzz/kexfuzz.c | 459 -
> crypto/openssh/regress/misc/sk-dummy/fatal.c | 27 +
> crypto/openssh/regress/misc/sk-dummy/sk-dummy.c | 539 +
> crypto/openssh/regress/modpipe.c | 0
> crypto/openssh/regress/multiplex.sh | 32 +-
> crypto/openssh/regress/multipubkey.sh | 19 +-
> crypto/openssh/regress/netcat.c | 46 +-
> crypto/openssh/regress/percent.sh | 119 +
> crypto/openssh/regress/portnum.sh | 0
> crypto/openssh/regress/principals-command.sh | 16 +-
> crypto/openssh/regress/proxy-connect.sh | 10 +-
> crypto/openssh/regress/putty-ciphers.sh | 4 +-
> crypto/openssh/regress/putty-kex.sh | 4 +-
> crypto/openssh/regress/putty-transfer.sh | 10 +-
> crypto/openssh/regress/reconfigure.sh | 24 +-
> crypto/openssh/regress/reexec.sh | 5 +-
> crypto/openssh/regress/rekey.sh | 8 +-
> crypto/openssh/regress/scp-ssh-wrapper.sh | 14 +-
> crypto/openssh/regress/scp-uri.sh | 81 +-
> crypto/openssh/regress/scp.sh | 183 +-
> crypto/openssh/regress/scp3.sh | 60 +
> crypto/openssh/regress/servcfginclude.sh | 188 +
> crypto/openssh/regress/sftp-badcmds.sh | 4 +-
> crypto/openssh/regress/sftp-chroot.sh | 7 +-
> crypto/openssh/regress/sftp-cmds.sh | 4 -
> crypto/openssh/regress/sftp-perm.sh | 18 +-
> crypto/openssh/regress/ssh2putty.sh | 8 +-
> crypto/openssh/regress/sshcfgparse.sh | 68 +-
> crypto/openssh/regress/sshfp-connect.sh | 66 +
> crypto/openssh/regress/sshsig.sh | 236 +
> crypto/openssh/regress/test-exec.sh | 280 +-
> crypto/openssh/regress/unittests/Makefile | 4 +-
> crypto/openssh/regress/unittests/Makefile.inc | 38 +-
> crypto/openssh/regress/unittests/authopt/tests.c | 10 +-
> crypto/openssh/regress/unittests/bitmap/tests.c | 4 +
> .../openssh/regress/unittests/conversion/Makefile | 3 +-
> .../openssh/regress/unittests/conversion/tests.c | 32 +-
> crypto/openssh/regress/unittests/hostkeys/Makefile | 12 +-
> .../regress/unittests/hostkeys/mktestdata.sh | 0
> .../regress/unittests/hostkeys/test_iterate.c | 119 +-
> crypto/openssh/regress/unittests/kex/Makefile | 31 +-
> crypto/openssh/regress/unittests/kex/test_kex.c | 29 +-
> crypto/openssh/regress/unittests/match/Makefile | 4 +-
> crypto/openssh/regress/unittests/match/tests.c | 4 +-
> crypto/openssh/regress/unittests/misc/test_argv.c | 187 +
> .../openssh/regress/unittests/misc/test_convtime.c | 59 +
> .../openssh/regress/unittests/misc/test_expand.c | 90 +
> crypto/openssh/regress/unittests/misc/test_parse.c | 86 +
> .../openssh/regress/unittests/misc/test_strdelim.c | 202 +
> crypto/openssh/regress/unittests/misc/tests.c | 38 +
> crypto/openssh/regress/unittests/sshbuf/Makefile | 10 +-
> .../regress/unittests/sshbuf/test_sshbuf_fuzz.c | 9 +-
> .../unittests/sshbuf/test_sshbuf_getput_basic.c | 231 +-
> .../unittests/sshbuf/test_sshbuf_getput_crypto.c | 160 +-
> .../unittests/sshbuf/test_sshbuf_getput_fuzz.c | 31 +-
> .../regress/unittests/sshbuf/test_sshbuf_misc.c | 71 +-
> crypto/openssh/regress/unittests/sshbuf/tests.c | 2 +
> crypto/openssh/regress/unittests/sshkey/Makefile | 14 +-
> crypto/openssh/regress/unittests/sshkey/common.c | 17 +-
> .../openssh/regress/unittests/sshkey/mktestdata.sh | 85 +-
> .../openssh/regress/unittests/sshkey/test_file.c | 141 +-
> .../openssh/regress/unittests/sshkey/test_fuzz.c | 78 +-
> .../openssh/regress/unittests/sshkey/test_sshkey.c | 55 +-
> .../regress/unittests/sshkey/testdata/dsa_n | 33 +-
> .../regress/unittests/sshkey/testdata/ecdsa_n | 13 +-
> .../regress/unittests/sshkey/testdata/ecdsa_sk1 | 13 +
> .../unittests/sshkey/testdata/ecdsa_sk1-cert.fp | 1 +
> .../unittests/sshkey/testdata/ecdsa_sk1-cert.pub | 1 +
> .../regress/unittests/sshkey/testdata/ecdsa_sk1.fp | 1 +
> .../unittests/sshkey/testdata/ecdsa_sk1.fp.bb | 1 +
> .../unittests/sshkey/testdata/ecdsa_sk1.pub | 1 +
> .../regress/unittests/sshkey/testdata/ecdsa_sk1_pw | 14 +
> .../regress/unittests/sshkey/testdata/ecdsa_sk2 | 13 +
> .../regress/unittests/sshkey/testdata/ecdsa_sk2.fp | 1 +
> .../unittests/sshkey/testdata/ecdsa_sk2.fp.bb | 1 +
> .../unittests/sshkey/testdata/ecdsa_sk2.pub | 1 +
> .../regress/unittests/sshkey/testdata/ed25519_1_pw | 12 +-
> .../regress/unittests/sshkey/testdata/ed25519_sk1 | 8 +
> .../unittests/sshkey/testdata/ed25519_sk1-cert.fp | 1 +
> .../unittests/sshkey/testdata/ed25519_sk1-cert.pub | 1 +
> .../unittests/sshkey/testdata/ed25519_sk1.fp | 1 +
> .../unittests/sshkey/testdata/ed25519_sk1.fp.bb | 1 +
> .../unittests/sshkey/testdata/ed25519_sk1.pub | 1 +
> .../unittests/sshkey/testdata/ed25519_sk1_pw | 9 +
> .../regress/unittests/sshkey/testdata/ed25519_sk2 | 8 +
> .../unittests/sshkey/testdata/ed25519_sk2.fp | 1 +
> .../unittests/sshkey/testdata/ed25519_sk2.fp.bb | 1 +
> .../unittests/sshkey/testdata/ed25519_sk2.pub | 1 +
> .../regress/unittests/sshkey/testdata/rsa1_1 | Bin 533 -> 0 bytes
> .../regress/unittests/sshkey/testdata/rsa1_1.fp | 1 -
> .../regress/unittests/sshkey/testdata/rsa1_1.fp.bb | 1 -
> .../unittests/sshkey/testdata/rsa1_1.param.n | 1 -
> .../regress/unittests/sshkey/testdata/rsa1_1.pub | 1 -
> .../regress/unittests/sshkey/testdata/rsa1_1_pw | Bin 533 -> 0 bytes
> .../regress/unittests/sshkey/testdata/rsa1_2 | Bin 981 -> 0 bytes
> .../regress/unittests/sshkey/testdata/rsa1_2.fp | 1 -
> .../regress/unittests/sshkey/testdata/rsa1_2.fp.bb | 1 -
> .../unittests/sshkey/testdata/rsa1_2.param.n | 1 -
> .../regress/unittests/sshkey/testdata/rsa1_2.pub | 1 -
> .../regress/unittests/sshkey/testdata/rsa_n | 31 +-
> crypto/openssh/regress/unittests/sshkey/tests.c | 5 -
> crypto/openssh/regress/unittests/sshsig/Makefile | 25 +
> .../openssh/regress/unittests/sshsig/mktestdata.sh | 42 +
> .../openssh/regress/unittests/sshsig/testdata/dsa | 12 +
> .../regress/unittests/sshsig/testdata/dsa.pub | 1 +
> .../regress/unittests/sshsig/testdata/dsa.sig | 13 +
> .../regress/unittests/sshsig/testdata/ecdsa | 5 +
> .../regress/unittests/sshsig/testdata/ecdsa.pub | 1 +
> .../regress/unittests/sshsig/testdata/ecdsa.sig | 7 +
> .../regress/unittests/sshsig/testdata/ecdsa_sk | 13 +
> .../regress/unittests/sshsig/testdata/ecdsa_sk.pub | 1 +
> .../regress/unittests/sshsig/testdata/ecdsa_sk.sig | 8 +
> .../sshsig/testdata/ecdsa_sk_webauthn.pub | 1 +
> .../sshsig/testdata/ecdsa_sk_webauthn.sig | 13 +
> .../regress/unittests/sshsig/testdata/ed25519 | 7 +
> .../regress/unittests/sshsig/testdata/ed25519.pub | 1 +
> .../regress/unittests/sshsig/testdata/ed25519.sig | 6 +
> .../regress/unittests/sshsig/testdata/ed25519_sk | 8 +
> .../unittests/sshsig/testdata/ed25519_sk.pub | 1 +
> .../unittests/sshsig/testdata/ed25519_sk.sig | 7 +
> .../regress/unittests/sshsig/testdata/namespace | 1 +
> .../openssh/regress/unittests/sshsig/testdata/rsa | 39 +
> .../regress/unittests/sshsig/testdata/rsa.pub | 1 +
> .../regress/unittests/sshsig/testdata/rsa.sig | 19 +
> .../regress/unittests/sshsig/testdata/signed-data | 1 +
> crypto/openssh/regress/unittests/sshsig/tests.c | 139 +
> .../openssh/regress/unittests/sshsig/webauthn.html | 766 +
> .../regress/unittests/test_helper/test_helper.c | 60 +-
> .../regress/unittests/test_helper/test_helper.h | 8 +-
> crypto/openssh/regress/unittests/utf8/tests.c | 2 +
> crypto/openssh/regress/valgrind-unit.sh | 2 +
> crypto/openssh/sandbox-darwin.c | 2 +-
> crypto/openssh/sandbox-pledge.c | 8 +-
> crypto/openssh/sandbox-rlimit.c | 18 +-
> crypto/openssh/sandbox-seccomp-filter.c | 76 +-
> crypto/openssh/sandbox-systrace.c | 7 +-
> crypto/openssh/scp.1 | 87 +-
> crypto/openssh/scp.c | 679 +-
> crypto/openssh/servconf.c | 1165 +-
> crypto/openssh/servconf.h | 63 +-
> crypto/openssh/serverloop.c | 566 +-
> crypto/openssh/session.c | 461 +-
> crypto/openssh/sftp-client.c | 1162 +-
> crypto/openssh/sftp-client.h | 64 +-
> crypto/openssh/sftp-common.c | 5 +-
> crypto/openssh/sftp-glob.c | 4 +-
> .../{openbsd-compat/realpath.c => sftp-realpath.c} | 13 +-
> crypto/openssh/sftp-server-main.c | 5 +-
> crypto/openssh/sftp-server.8 | 32 +-
> crypto/openssh/sftp-server.c | 491 +-
> crypto/openssh/sftp.1 | 126 +-
> crypto/openssh/sftp.c | 304 +-
> crypto/openssh/sk-api.h | 98 +
> crypto/openssh/sk-usbhid.c | 1267 ++
> crypto/openssh/sntrup761.c | 1273 ++
> crypto/openssh/sntrup761.sh | 85 +
> crypto/openssh/srclimit.c | 140 +
> crypto/openssh/srclimit.h | 18 +
> crypto/openssh/ssh-add.1 | 81 +-
> crypto/openssh/ssh-add.c | 315 +-
> crypto/openssh/ssh-agent.1 | 178 +-
> crypto/openssh/ssh-agent.c | 697 +-
> crypto/openssh/ssh-dss.c | 8 +-
> crypto/openssh/ssh-ecdsa-sk.c | 324 +
> crypto/openssh/ssh-ecdsa.c | 14 +-
> crypto/openssh/ssh-ed25519-sk.c | 163 +
> crypto/openssh/ssh-ed25519.c | 23 +-
> crypto/openssh/ssh-gss.h | 4 +-
> crypto/openssh/ssh-keygen.1 | 717 +-
> crypto/openssh/ssh-keygen.c | 2111 ++-
> crypto/openssh/ssh-keyscan.1 | 6 +-
> crypto/openssh/ssh-keyscan.c | 105 +-
> crypto/openssh/ssh-keysign.8 | 6 +-
> crypto/openssh/ssh-keysign.c | 77 +-
> crypto/openssh/ssh-pkcs11-client.c | 212 +-
> crypto/openssh/ssh-pkcs11-helper.8 | 29 +-
> crypto/openssh/ssh-pkcs11-helper.c | 210 +-
> crypto/openssh/ssh-pkcs11.c | 1774 +-
> crypto/openssh/ssh-pkcs11.h | 20 +-
> crypto/openssh/ssh-sk-client.c | 448 +
> crypto/openssh/ssh-sk-helper.8 | 66 +
> crypto/openssh/ssh-sk-helper.c | 364 +
> crypto/openssh/ssh-sk.c | 826 +
> crypto/openssh/ssh-sk.h | 69 +
> crypto/openssh/ssh-xmss.c | 27 +-
> crypto/openssh/ssh.1 | 166 +-
> crypto/openssh/ssh.c | 925 +-
> crypto/openssh/ssh.h | 11 +-
> crypto/openssh/ssh2.h | 4 +-
> crypto/openssh/ssh_api.c | 234 +-
> crypto/openssh/ssh_config | 6 +-
> crypto/openssh/ssh_config.5 | 651 +-
> crypto/openssh/ssh_namespace.h | 223 +-
> crypto/openssh/sshbuf-getput-basic.c | 171 +-
> crypto/openssh/sshbuf-getput-crypto.c | 76 +-
> crypto/openssh/sshbuf-io.c | 117 +
> crypto/openssh/sshbuf-misc.c | 152 +-
> crypto/openssh/sshbuf.c | 22 +-
> crypto/openssh/sshbuf.h | 79 +-
> crypto/openssh/sshconnect.c | 882 +-
> crypto/openssh/sshconnect.h | 63 +-
> crypto/openssh/sshconnect2.c | 942 +-
> crypto/openssh/sshd.8 | 115 +-
> crypto/openssh/sshd.c | 975 +-
> crypto/openssh/sshd_config | 12 +-
> crypto/openssh/sshd_config.5 | 351 +-
> crypto/openssh/ssherr.c | 6 +-
> crypto/openssh/ssherr.h | 4 +-
> crypto/openssh/sshkey-xmss.c | 160 +-
> crypto/openssh/sshkey-xmss.h | 16 +-
> crypto/openssh/sshkey.c | 1516 +-
> crypto/openssh/sshkey.h | 103 +-
> crypto/openssh/sshlogin.c | 9 +-
> crypto/openssh/sshpty.c | 23 +-
> crypto/openssh/sshsig.c | 1098 ++
> crypto/openssh/sshsig.h | 107 +
> crypto/openssh/ttymodes.c | 44 +-
> crypto/openssh/uidswap.c | 40 +-
> crypto/openssh/umac.c | 10 +-
> crypto/openssh/umac.h | 6 +-
> crypto/openssh/utf8.c | 27 +-
> crypto/openssh/utf8.h | 11 +-
> crypto/openssh/uuencode.c | 95 -
> crypto/openssh/uuencode.h | 29 -
> crypto/openssh/version.h | 6 +-
> crypto/openssh/xmalloc.c | 31 +-
> crypto/openssh/xmalloc.h | 8 +-
> crypto/openssh/xmss_commons.c | 2 +-
> crypto/openssh/xmss_fast.c | 2 +-
> crypto/openssh/xmss_hash.c | 2 +-
> crypto/openssh/xmss_hash_address.c | 2 +-
> crypto/openssh/xmss_wots.c | 2 +-
> lib/libpam/modules/pam_ssh/pam_ssh.c | 2 +-
> secure/lib/libssh/Makefile | 19 +-
> secure/usr.bin/scp/Makefile | 2 +-
> secure/usr.bin/ssh-add/Makefile | 2 +-
> secure/usr.bin/ssh-keygen/Makefile | 3 +-
> secure/usr.sbin/sshd/Makefile | 2 +-
> 539 files changed, 54039 insertions(+), 25574 deletions(-)
>
> diff --cc crypto/openssh/.github/ci-status.md
> index 000000000000,0ad8bf5aaf44..0ad8bf5aaf44
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/ci-status.md
> +++ b/crypto/openssh/.github/ci-status.md
> diff --cc crypto/openssh/.github/configs
> index 000000000000,12578c067348..12578c067348
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/configs
> +++ b/crypto/openssh/.github/configs
> diff --cc crypto/openssh/.github/configure.sh
> index 000000000000,e098730f02d6..e098730f02d6
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/configure.sh
> +++ b/crypto/openssh/.github/configure.sh
> diff --cc crypto/openssh/.github/run_test.sh
> index 000000000000,adf2568ad1e2..adf2568ad1e2
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/run_test.sh
> +++ b/crypto/openssh/.github/run_test.sh
> diff --cc crypto/openssh/.github/setup_ci.sh
> index 000000000000,70a444e4eff4..70a444e4eff4
> mode 000000,100755..100755
> --- a/crypto/openssh/.github/setup_ci.sh
> +++ b/crypto/openssh/.github/setup_ci.sh
> diff --cc crypto/openssh/.github/workflows/c-cpp.yml
> index 000000000000,289b18b7f621..289b18b7f621
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/workflows/c-cpp.yml
> +++ b/crypto/openssh/.github/workflows/c-cpp.yml
> diff --cc crypto/openssh/.github/workflows/selfhosted.yml
> index 000000000000,df6eca714fb5..df6eca714fb5
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/workflows/selfhosted.yml
> +++ b/crypto/openssh/.github/workflows/selfhosted.yml
> diff --cc crypto/openssh/.github/workflows/upstream.yml
> index 000000000000,f0493c12d7d5..f0493c12d7d5
> mode 000000,100644..100644
> --- a/crypto/openssh/.github/workflows/upstream.yml
> +++ b/crypto/openssh/.github/workflows/upstream.yml
> diff --cc crypto/openssh/.gitignore
> index 650eb3c3c90c,000000000000..5e4ae5a60d06
> mode 100644,000000..100644
> --- a/crypto/openssh/.gitignore
> +++ b/crypto/openssh/.gitignore
> @@@ -1,28 -1,0 +1,36 @@@
> +Makefile
> +buildpkg.sh
> +config.h
> +config.h.in
> ++config.h.in~
> ++config.log
> +config.status
> +configure
> ++aclocal.m4
> +openbsd-compat/Makefile
> +openbsd-compat/regress/Makefile
> +openssh.xml
> +opensshd.init
> +survey.sh
> +**/*.0
> +**/*.o
> ++**/*.lo
> ++**/*.so
> +**/*.out
> +**/*.a
> +autom4te.cache/
> +scp
> +sftp
> +sftp-server
> +ssh
> +ssh-add
> +ssh-agent
> +ssh-keygen
> +ssh-keyscan
> +ssh-keysign
> +ssh-pkcs11-helper
> ++ssh-sk-helper
> +sshd
> +!regress/misc/fuzz-harness/Makefile
> ++!regress/unittests/sshsig/Makefile
> ++tags
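Review bot: the new `++aclocal.m4` entry in this .gitignore hunk ignores a file that this same commit tracks and modifies (`crypto/openssh/aclocal.m4 | 193 +-` in the diffstat above). Ignoring a tracked file does not untrack it, but it hides local regenerations from `git status`, so drift between a rebuilt aclocal.m4 and the committed vendor copy goes unnoticed; either drop that line or untrack the file if it is meant to be a generated artifact (the pre-existing `config.h` entry has the same problem with `crypto/openssh/config.h | 241 +-`, but it is not introduced here). The other `++` additions are consistent with the import: `ssh-sk-helper` matches the new binary named in the commit message, and `!regress/unittests/sshsig/Makefile` matches the new sshsig unit-test Makefile in the diffstat.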
> diff --cc crypto/openssh/FREEBSD-vendor
> index f48cbb6c3079,000000000000..c7f6462985a2
> mode 100644,000000..100644
> --- a/crypto/openssh/FREEBSD-vendor
> +++ b/crypto/openssh/FREEBSD-vendor
> @@@ -1,6 -1,0 +1,6 @@@
> +# $FreeBSD$
> +Project: Portable OpenSSH
> +ProjectURL: http://www.openssh.com/portable.html
> - Version: 7.9p1
> ++Version: 8.7p1
> +License: BSD
> - Maintainer: des
> ++Maintainer: emaste
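Review bot: the unchanged `ProjectURL: http://www.openssh.com/portable.html` line is left at plain http while the INSTALL hunk of this same import moves the LibreSSL and OpenSSL references to https; for the file that records where the vendor source is obtained from, an https URL gives reviewers a verifiable origin, so it is worth updating in the same pass as the `Version` and `Maintainer` lines. The `Version: 8.7p1` bump matches the commit title.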
> diff --cc crypto/openssh/INSTALL
> index 775eb6c05342,000000000000..8ab8a403a4e2
> mode 100644,000000..100644
> --- a/crypto/openssh/INSTALL
> +++ b/crypto/openssh/INSTALL
> @@@ -1,276 -1,0 +1,301 @@@
> +1. Prerequisites
> +----------------
> +
> +A C compiler. Any C89 or better compiler should work. Where supported,
> +configure will attempt to enable the compiler's run-time integrity checking
> +options. Some notes about specific compilers:
> + - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
> + (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
> +
> - You will need working installations of Zlib and libcrypto (LibreSSL /
> - OpenSSL)
> ++To support Privilege Separation (which is now required) you will need
> ++to create the user, group and directory used by sshd for privilege
> ++separation. See README.privsep for details.
> +
> ++
> ++The remaining items are optional.
> ++
> ++A working installation of zlib:
> +Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
> +http://www.gzip.org/zlib/
> +
> - libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
> - LibreSSL http://www.libressl.org/ ; or
> - OpenSSL http://www.openssl.org/
> ++libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
> ++is supported but severely restricts the available ciphers and algorithms.
> ++ - LibreSSL (https://www.libressl.org/)
> ++ - OpenSSL (https://www.openssl.org) with any of the following versions:
> ++ - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
> ++
> ++Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
> ++1.1.0g can't be used.
> +
> +LibreSSL/OpenSSL should be compiled as a position-independent library
> - (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
> - If you must use a non-position-independent libcrypto, then you may need
> - to configure OpenSSH --without-pie. Note that because of API changes,
> - OpenSSL 1.1.x is not currently supported.
> ++(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
> ++or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not
> ++be able to link with it. If you must use a non-position-independent
> ++libcrypto, then you may need to configure OpenSSH --without-pie.
> +
> - The remaining items are optional.
> ++If you build either from source, running the OpenSSL self-test ("make
> ++tests") or the LibreSSL equivalent ("make check") and ensuring that all
> ++tests pass is strongly recommended.
> +
> +NB. If you operating system supports /dev/random, you should configure
> +libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
> - direct support of /dev/random, or failing that, either prngd or egd
> ++direct support of /dev/random, or failing that, either prngd or egd.
> +
> +PRNGD:
> +
> +If your system lacks kernel-based random collection, the use of Lutz
> - Jaenicke's PRNGd is recommended.
> ++Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
> ++to support it.
> +
> +http://prngd.sourceforge.net/
> +
> +EGD:
> +
> - If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
> - supported only if libcrypto supports it.
> ++The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
> ++It also supported only if libcrypto is configured to support it.
> +
> +http://egd.sourceforge.net/
> +
> +PAM:
> +
> +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
> +system supports it. PAM is standard most Linux distributions, Solaris,
> - HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
> ++HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.
> +
> +Information about the various PAM implementations are available:
> +
> +Solaris PAM: http://www.sun.com/software/solaris/pam/
> +Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
> +OpenPAM: http://www.openpam.org/
> +
> +If you wish to build the GNOME passphrase requester, you will need the GNOME
> +libraries and headers.
> +
> +GNOME:
> +http://www.gnome.org/
> +
> +Alternatively, Jim Knoble <jmknoble at pobox.com> has written an excellent X11
> +passphrase requester. This is maintained separately at:
> +
> +http://www.jmknoble.net/software/x11-ssh-askpass/
> +
> +TCP Wrappers:
> +
> +If you wish to use the TCP wrappers functionality you will need at least
> +tcpd.h and libwrap.a, either in the standard include and library paths,
> +or in the directory specified by --with-tcp-wrappers. Version 7.6 is
> +known to work.
> +
> +http://ftp.porcupine.org/pub/security/index.html
> +
> +LibEdit:
> +
> +sftp supports command-line editing via NetBSD's libedit. If your platform
> +has it available natively you can use that, alternatively you might try
> +these multi-platform ports:
> +
> +http://www.thrysoee.dk/editline/
> +http://sourceforge.net/projects/libedit/
> +
> +LDNS:
> +
> +LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
> +
> +http://nlnetlabs.nl/projects/ldns/
> +
> +Autoconf:
> +
> +If you modify configure.ac or configure doesn't exist (eg if you checked
> - the code out of git yourself) then you will need autoconf-2.69 to rebuild
> - the automatically generated files by running "autoreconf". Earlier
> - versions may also work but this is not guaranteed.
> ++the code out of git yourself) then you will need autoconf-2.69 and
> ++automake-1.16.1 to rebuild the automatically generated files by running
> ++"autoreconf". Earlier versions may also work but this is not guaranteed.
> +
> +http://www.gnu.org/software/autoconf/
> ++http://www.gnu.org/software/automake/
> +
> +Basic Security Module (BSM):
> +
> +Native BSM support is known to exist in Solaris from at least 2.5.1,
> +FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
> +implementation (http://www.openbsm.org).
> +
> +makedepend:
> +
> +https://www.x.org/archive/individual/util/
> +
> +If you are making significant changes to the code you may need to rebuild
> +the dependency (.depend) file using "make depend", which requires the
> +"makedepend" tool from the X11 distribution.
> +
> ++libfido2:
> ++
> ++libfido2 allows the use of hardware security keys over USB. libfido2
> ++in turn depends on libcbor. libfido2 >= 1.5.0 is strongly recommended.
> ++Limited functionality is possible with earlier libfido2 versions.
> ++
> ++https://github.com/Yubico/libfido2
> ++https://github.com/pjk/libcbor
> ++
> ++
> +2. Building / Installation
> +--------------------------
> +
> +To install OpenSSH with default options:
> +
> +./configure
> +make
> +make install
> +
> +This will install the OpenSSH binaries in /usr/local/bin, configuration files
> +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
> +installation prefix, use the --prefix option to configure:
> +
> +./configure --prefix=/opt
> +make
> +make install
> +
> +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
> +specific paths, for example:
> +
> +./configure --prefix=/opt --sysconfdir=/etc/ssh
> +make
> +make install
> +
> +This will install the binaries in /opt/{bin,lib,sbin}, but will place the
> +configuration files in /etc/ssh.
> +
> - If you are using Privilege Separation (which is enabled by default)
> - then you will also need to create the user, group and directory used by
> - sshd for privilege separation. See README.privsep for details.
> -
> +If you are using PAM, you may need to manually install a PAM control
> +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
> +them). Note that the service name used to start PAM is __progname,
> +which is the basename of the path of your sshd (e.g., the service name
> +for /usr/sbin/osshd will be osshd). If you have renamed your sshd
> +executable, your PAM configuration may need to be modified.
> +
> +A generic PAM configuration is included as "contrib/sshd.pam.generic",
> +you may need to edit it before using it on your system. If you are
> +using a recent version of Red Hat Linux, the config file in
> +contrib/redhat/sshd.pam should be more useful. Failure to install a
> +valid PAM file may result in an inability to use password
> +authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
> +configuration will work with sshd (sshd will match the other service
> +name).
> +
> +There are a few other options to the configure script:
> +
> +--with-audit=[module] enable additional auditing via the specified module.
> +Currently, drivers for "debug" (additional info via syslog) and "bsm"
> +(Sun's Basic Security Module) are supported.
> +
> +--with-pam enables PAM support. If PAM support is compiled in, it must
> +also be enabled in sshd_config (refer to the UsePAM directive).
> +
> +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
> +support and to specify a PRNGd socket. Use this if your Unix lacks
> +/dev/random.
> +
> +--with-prngd-port=portnum allows you to enable EGD or PRNGD support
> +and to specify a EGD localhost TCP port. Use this if your Unix lacks
> +/dev/random.
> +
> +--with-lastlog=FILE will specify the location of the lastlog file.
> +./configure searches a few locations for lastlog, but may not find
> +it if lastlog is installed in a different place.
> +
> +--without-lastlog will disable lastlog support entirely.
> +
> +--with-osfsia, --without-osfsia will enable or disable OSF1's Security
> +Integration Architecture. The default for OSF1 machines is enable.
> +
> +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
> +support.
> +
> +--with-md5-passwords will enable the use of MD5 passwords. Enable this
> +if your operating system uses MD5 passwords and the system crypt() does
> +not support them directly (see the crypt(3/3c) man page). If enabled, the
> +resulting binary will support both MD5 and traditional crypt passwords.
> +
> +--with-utmpx enables utmpx support. utmpx support is automatic for
> +some platforms.
> +
> +--without-shadow disables shadow password support.
> +
> +--with-ipaddr-display forces the use of a numeric IP address in the
> +$DISPLAY environment variable. Some broken systems need this.
> +
> +--with-default-path=PATH allows you to specify a default $PATH for sessions
> +started by sshd. This replaces the standard path entirely.
> +
> +--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
> +created.
> +
> +--with-xauth=PATH specifies the location of the xauth binary
> +
> +--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
> +libraries are installed.
> +
> +--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
> +
> ++--without-openssl builds without using OpenSSL. Only a subset of ciphers
> ++and algorithms are supported in this configuration.
> ++
> ++--without-zlib builds without zlib. This disables the Compression option.
> ++
> +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
> +real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
> +
> +If you need to pass special options to the compiler or linker, you
> +can specify these as environment variables before running ./configure.
> +For example:
> +
> +CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
> +
> +3. Configuration
> +----------------
> +
> +The runtime configuration files are installed by in ${prefix}/etc or
> +whatever you specified as your --sysconfdir (/usr/local/etc by default).
> +
> +The default configuration should be instantly usable, though you should
> +review it to ensure that it matches your security requirements.
> +
> +To generate a host key, run "make host-key". Alternately you can do so
> +manually using the following commands:
> +
> + ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
> +
> +for each of the types you wish to generate (rsa, dsa or ecdsa) or
> +
> + ssh-keygen -A
> +
> +to generate keys for all supported types.
> +
> +Replacing /etc/ssh with the correct path to the configuration directory.
> +(${prefix}/etc or whatever you specified with --sysconfdir during
> *** 20555 LINES SKIPPED ***
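Review bot: the --with-pam paragraph ("If PAM support is compiled in, it must also be enabled in sshd_config (refer to the UsePAM directive)") documents only one direction of the dependency; it should also say that a UsePAM directive in sshd_config is a fatal "Unsupported option" configuration error, not a silent no-op, when sshd was built without --with-pam, since that is exactly the failure reported in the reply below and operators upgrading need to check the build before the config. In section 3, the manual host-key example `ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""` writes every type to the same file, so running it "for each of the types" overwrites the previously generated key; either use a per-type file name or point readers at the `ssh-keygen -A` form that follows. Two wording nits in the text: the added EGD line "It also supported only if libcrypto is configured" should read "It is also supported only if", and the pre-existing "NB. If you operating system supports /dev/random" should read "your".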
After upgrading 14-CURRENT to this commit, we are unable to use "scp" from certain FreeBSD
13-STABLE hosts as well as from Linux Xubuntu 20.04 clients with the latest updates. scp from
14-CURRENT to 14-CURRENT works with public key authentication; if password/built-in-password or
PAM is used, we receive the password prompter, but then the connection is refused: Permission
denied or, taken from /var/log/auth.log:
Sep 9 17:19:10 <4.6> thor sshd[1450]: Failed password for ohartmann from 192.168.0.1 port
24332 ssh2
I do not see essential changes so scp works now exclusively/only with publickey. What is
wrong? Is this a bug? How to return to normal/expected behaviour?
It is also confusing that the manpage for sshd_config states for "UsePAM" as a regular config
tag:
"...UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will
enable PAM ... blablabla ... The default is yes ..."
If "UsePAM yes" is used explicitly in /etc/ssh/sshd_config and sshd is restarted, i.e. "service
sshd restart", then one receives this error message in /var/log/auth.log:
Sep 9 17:22:44 <4.6> thor sshd[1480]: rexec line 89: Unsupported option UsePAM
and on the console, this weird message appears:
# service sshd restart
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Stopping sshd.
Waiting for PIDS: 1423, 1423.
Performing sanity check on sshd configuration.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Starting sshd.
/etc/ssh/sshd_config line 89: Unsupported option UsePAM
Kind regards,
O. Hartmann
--
O. Hartmann
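A small triage script for auth.log entries of the kind quoted in the reply above, separating configuration rejections ("Unsupported option ...") from authentication outcomes so that an operator can see at a glance whether failed logins coincide with a directive the installed sshd does not understand. This is an added example, not code from the thread or from OpenSSH; the log lines inside it are constructed in the same FreeBSD syslog format, and the "built without --with-pam?" hint is this example's own inference from the --with-pam paragraph in the quoted INSTALL text, encoded in the assumed BUILD_OPTION_FOR_DIRECTIVE table.

```python
"""Triage sshd entries from auth.log after an OpenSSH upgrade.

Added example (not from the thread or from OpenSSH). It separates
configuration rejections ("Unsupported option ...") from authentication
outcomes so an operator can see whether failed logins coincide with a
directive the installed sshd does not understand.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the FreeBSD syslog format shown in the thread
# (month day time <facility.priority> host prog[pid]: message).
SAMPLE_AUTH_LOG = """\
Sep  9 17:19:10 <4.6> thor sshd[1450]: Failed password for ohartmann from 192.168.0.1 port 24332 ssh2
Sep  9 17:19:31 <4.6> thor sshd[1450]: Failed password for ohartmann from 192.168.0.1 port 24332 ssh2
Sep  9 17:20:02 <4.6> thor sshd[1452]: Accepted publickey for ohartmann from 192.168.0.2 port 50010 ssh2: ED25519 SHA256:constructedfingerprint
Sep  9 17:22:44 <4.6> thor sshd[1480]: rexec line 89: Unsupported option UsePAM
"""

# Syslog prefix; the <4.6> field is optional because most Linux syslogs omit it.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?:<[\d.]+> )?"
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
UNSUPPORTED_RE = re.compile(r"line (?P<line>\d+): Unsupported option (?P<option>\S+)")
AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumption of this example: which configure option each sshd_config
# directive depends on, taken from the --with-pam note in the INSTALL text.
BUILD_OPTION_FOR_DIRECTIVE = {"usepam": "--with-pam"}


@dataclass
class Triage:
    unsupported: list = field(default_factory=list)           # (config line, directive)
    failed: Counter = field(default_factory=Counter)          # auth method -> count
    accepted: Counter = field(default_factory=Counter)        # auth method -> count
    failed_sources: Counter = field(default_factory=Counter)  # source address -> count
    unparsed: int = 0                                         # lines not in sshd syslog form


def triage(log_text: str) -> Triage:
    """Classify each sshd line; lines that do not parse are counted, not raised."""
    t = Triage()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            t.unparsed += 1
            continue
        msg = m.group("msg")
        u = UNSUPPORTED_RE.search(msg)
        if u:
            t.unsupported.append((int(u.group("line")), u.group("option")))
            continue
        a = AUTH_RE.match(msg)
        if a is None:
            continue
        if a.group("outcome") == "Failed":
            t.failed[a.group("method")] += 1
            t.failed_sources[a.group("src")] += 1
        else:
            t.accepted[a.group("method")] += 1
    return t


def findings(t: Triage) -> list:
    """Human-readable conclusions, returned (not printed) so they can be checked."""
    out = []
    for cfg_line, directive in t.unsupported:
        need = BUILD_OPTION_FOR_DIRECTIVE.get(directive.lower())
        hint = f" (built without {need}?)" if need else ""
        out.append(f"sshd_config line {cfg_line}: '{directive}' rejected by this sshd{hint}")
    for method, n in sorted(t.failed.items()):
        out.append(f"{n} failed {method} authentication(s) from {len(t.failed_sources)} source(s)")
    for method, n in sorted(t.accepted.items()):
        out.append(f"{n} accepted {method} authentication(s)")
    return out


if __name__ == "__main__":
    for f in findings(triage(SAMPLE_AUTH_LOG)):
        print(f)
```

Run it against a real /var/log/auth.log by passing the file contents to triage(); a rejected directive reported next to a run of failed password logins is the signal that the sshd in use and the sshd_config on disk disagree about the build, which is worth checking before treating the failures as bad credentials.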