Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859

show more ...

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by: The FreeBSD Foundation
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D50782

show more ...

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: e

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795

show more ...

secure: Rearrange Makefile SRCS to match upstream Makefile.in

SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change inte

secure: Rearrange Makefile SRCS to match upstream Makefile.in

SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change intended.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49793

show more ...

openssh: Request the OpenSSL 1.1 API

Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for
OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL
1.1.0), in order

openssh: Request the OpenSSL 1.1 API

Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for
OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL
1.1.0), in order to avoid warnings about deprecated functions.

Do the same here, to avoid getting those warnings.

Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49517

show more ...

ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk

Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling

ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk

Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.

Reviewed by: kevans
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31896

show more ...

ssh: tidy include handling

Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by: imp, jlduran, kev

ssh: tidy include handling

Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by: imp, jlduran, kevans (all earlier)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34409

show more ...

ssh: Move XAUTH_PATH setting to ssh.mk

XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over

ssh: Move XAUTH_PATH setting to ssh.mk

XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.

Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.

Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907

show more ...

ssh: use standalone config file for security key support

An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare

ssh: use standalone config file for security key support

An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.

Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407

show more ...

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly
authorise operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will
usually require the user tap the token to confirm the operation:

$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any
other supported key in OpenSSH and may be listed in authorized_keys,
added to ssh-agent(1), etc. The only additional stipulation is that
the FIDO token that the key belongs to must be attached when the key
is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system. In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by: delphij, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32509

show more ...

ssh: move common Makefile boilerplate to a new ssh.mk

This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).

Reviewe

ssh: move common Makefile boilerplate to a new ssh.mk

This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).

Reviewed by: kevans
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32808

show more ...

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859

show more ...

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by: The FreeBSD Foundation
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D50782

show more ...

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: e

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795

show more ...

secure: Rearrange Makefile SRCS to match upstream Makefile.in

SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change inte

secure: Rearrange Makefile SRCS to match upstream Makefile.in

SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change intended.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49793

show more ...

openssh: Request the OpenSSL 1.1 API

Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for
OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL
1.1.0), in order

openssh: Request the OpenSSL 1.1 API

Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for
OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL
1.1.0), in order to avoid warnings about deprecated functions.

Do the same here, to avoid getting those warnings.

Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49517

show more ...

ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk

Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling

ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk

Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.

Reviewed by: kevans
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31896

show more ...

ssh: tidy include handling

Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by: imp, jlduran, kev

ssh: tidy include handling

Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.

Reviewed by: imp, jlduran, kevans (all earlier)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34409

show more ...

ssh: Move XAUTH_PATH setting to ssh.mk

XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over

ssh: Move XAUTH_PATH setting to ssh.mk

XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.

Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.

Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907

show more ...

ssh: use standalone config file for security key support

An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare

ssh: use standalone config file for security key support

An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.

Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407

show more ...

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly
authorise operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will
usually require the user tap the token to confirm the operation:

$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any
other supported key in OpenSSH and may be listed in authorized_keys,
added to ssh-agent(1), etc. The only additional stipulation is that
the FIDO token that the key belongs to must be attached when the key
is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system. In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by: delphij, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32509

show more ...

ssh: move common Makefile boilerplate to a new ssh.mk

This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).

Reviewe

ssh: move common Makefile boilerplate to a new ssh.mk

This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).

Reviewed by: kevans
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32808

show more ...

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the

Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859

show more ...

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT

openssh: Support building with MIT KRB5

Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by: The FreeBSD Foundation
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D50782

show more ...

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: e

secure: Adapt Makefile to ssh-sk-client everywhere

Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.

Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795

show more ...