en Copyright 2025 Java http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#3d9fd9fcb432750f3716b28f6ccb0104cd9d351a openssh: Update to 9.9p1Highlights from the release notes are reproduced below. Bug fixes andimprovements that were previously merged into FreeBSD have been elided.See the upstream release notes for full details of the 9.9p1 release(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters.New features------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA.Bugfixes-------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505---Reviewed by: jlduran (build infrastructure)Reviewed by: cy (build infrastructure)Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48947 List of files: /src/crypto/openssh/LICENCE Wed, 19 Feb 2025 19:08:59 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/LICENCE Wed, 19 Oct 2022 14:27:11 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/LICENCE Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/LICENCE Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#3d9fd9fcb432750f3716b28f6ccb0104cd9d351a openssh: Update to 9.9p1Highlights from the release notes are reproduced below. Bug fixes andimprovements that were previously merged into FreeBSD have been elided.See the upstream release notes for full details of the 9.9p1 release(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters.New features------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA.Bugfixes-------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505---Reviewed by: jlduran (build infrastructure)Reviewed by: cy (build infrastructure)Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48947 List of files: /src/crypto/openssh/LICENCE Wed, 19 Feb 2025 19:08:59 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/LICENCE Wed, 19 Oct 2022 14:27:11 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/LICENCE Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/LICENCE Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.This completely removes client-side support for the SSH 1 protocol,which was already disabled in 12 but is still enabled in 11. For thatreason, we will not be able to merge 7.6p1 or newer back to 11. List of files: /src/crypto/openssh/LICENCE Tue, 08 May 2018 23:13:11 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#e477abf734cc777a55286bfbd6b80a6760c96acf MFC @ r241285 List of files: /src/crypto/openssh/LICENCE Tue, 27 Nov 2012 18:38:50 +0000 Alexander Motin <mav@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#a10c6f5544ccbab911d786d4b50d50cabd6bb5ab IFC @ r242684 List of files: /src/crypto/openssh/LICENCE Sun, 11 Nov 2012 03:26:14 +0000 Neel Natu <neel@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#23090366f729c56cab62de74c7a51792357e98a9 Sync from head List of files: /src/crypto/openssh/LICENCE Sun, 04 Nov 2012 02:52:03 +0000 Simon J. Gerraty <sjg@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#24bf3585ae49955b5d065afd9ae3b8aabe1f04a1 Merge head r233826 through r240095. List of files: /src/crypto/openssh/LICENCE Tue, 04 Sep 2012 19:49:37 +0000 Gleb Smirnoff <glebius@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#462c32cb8d7a451c999a3f1e7d00f9c89e96700c Upgrade OpenSSH to 6.1p1. List of files: /src/crypto/openssh/LICENCE Mon, 03 Sep 2012 16:51:41 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.This completely removes client-side support for the SSH 1 protocol,which was already disabled in 12 but is still enabled in 11. For thatreason, we will not be able to merge 7.6p1 or newer back to 11. List of files: /src/crypto/openssh/LICENCE Tue, 08 May 2018 23:13:11 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#e477abf734cc777a55286bfbd6b80a6760c96acf MFC @ r241285 List of files: /src/crypto/openssh/LICENCE Tue, 27 Nov 2012 18:38:50 +0000 Alexander Motin <mav@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#a10c6f5544ccbab911d786d4b50d50cabd6bb5ab IFC @ r242684 List of files: /src/crypto/openssh/LICENCE Sun, 11 Nov 2012 03:26:14 +0000 Neel Natu <neel@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#23090366f729c56cab62de74c7a51792357e98a9 Sync from head List of files: /src/crypto/openssh/LICENCE Sun, 04 Nov 2012 02:52:03 +0000 Simon J. Gerraty <sjg@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#24bf3585ae49955b5d065afd9ae3b8aabe1f04a1 Merge head r233826 through r240095. List of files: /src/crypto/openssh/LICENCE Tue, 04 Sep 2012 19:49:37 +0000 Gleb Smirnoff <glebius@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/LICENCE#462c32cb8d7a451c999a3f1e7d00f9c89e96700c Upgrade OpenSSH to 6.1p1. List of files: /src/crypto/openssh/LICENCE Mon, 03 Sep 2012 16:51:41 +0000 Dag-Erling Smørgrav <des@FreeBSD.org>