git: 19261079b743 - main - openssh: update to OpenSSH v8.7p1

Kyle Evans kevans at freebsd.org
Thu Sep 9 14:33:56 UTC 2021 

On Thu, Sep 9, 2021 at 6:24 AM Guido Falsi <madpilot at freebsd.org> wrote:
>
> On 08/09/21 03:07, Ed Maste wrote:
> > The branch main has been updated by emaste:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72
> >
> > commit 19261079b74319502c6ffa1249920079f0f69a72
> > Merge: c5128c48df3c 66719ee573ac
> > Author:     Ed Maste <emaste at FreeBSD.org>
> > AuthorDate: 2021-09-08 01:05:51 +0000
> > Commit:     Ed Maste <emaste at FreeBSD.org>
> > CommitDate: 2021-09-08 01:05:51 +0000
> >
> >      openssh: update to OpenSSH v8.7p1
> >
> >      Some notable changes, from upstream's release notes:
> >
> >      - sshd(8): Remove support for obsolete "host/port" syntax.
> >      - ssh(1): When prompting whether to record a new host key, accept the key
> >        fingerprint as a synonym for "yes".
> >      - ssh-keygen(1): when acting as a CA and signing certificates with an RSA
> >        key, default to using the rsa-sha2-512 signature algorithm.
> >      - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
> >        (RSA/SHA1) algorithm from those accepted for certificate signatures.
> >      - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
> >        support to provide address-space isolation for token middleware
> >        libraries (including the internal one).
> >      - ssh(1): this release enables UpdateHostkeys by default subject to some
> >        conservative preconditions.
> >      - scp(1): this release changes the behaviour of remote to remote copies
> >        (e.g. "scp host-a:/path host-b:") to transfer through the local host
> >        by default.
> >      - scp(1): experimental support for transfers using the SFTP protocol as
> >        a replacement for the venerable SCP/RCP protocol that it has
> >        traditionally used.
> >
> >      Additional integration work is needed to support FIDO/U2F in the base
> >      system.
> >
> >      Deprecation Notice
> >      ------------------
> >
> >      OpenSSH will disable the ssh-rsa signature scheme by default in the
> >      next release.
> >
> >      Reviewed by:    imp
> >      MFC after:      1 month
> >      Relnotes:       Yes
> >      Sponsored by:   The FreeBSD Foundation
> >      Differential Revision:  https://reviews.freebsd.org/D29985
> >
>
> While upgrading my current machines I encountered an issue with pam_ssh
> which seems to be caused by this update.
>
> I filed a bug report with all the details:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258384
>
> Could you take a look?
>
> Seems to be caused by the ssh code trying to call a function available
> only when FIDO/U2F support is enabled, which is not the case in our
> source base.
>
> I tried a quick fix by adding some ifdefs, but it failed to make it
> work, I'm still trying to find a solution myself.
>

Looks like the reference in openssh/sshkey.c... probably the correct
thing to do is add ssh-sk.c to the secure/lib/libssh build; it still
requires additional integration for FIDO/U2F, though.

More information about the dev-commits-src-main mailing list