en Copyright 2025 Java http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#535af610a4fdace6d50960c0ad9be0597eea7a1b ssh: Update to OpenSSH 9.4p1Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567Full release notes at https://www.openssh.com/txt/release-9.4Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 11 Aug 2023 03:10:18 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#41ff5ea22cb95deb9e7415510eb2f5f00b91537a ssh: default VerifyHostKeyDNS to no, following upstreamRevert to upstream's default. Using VerifyHostKeyDNS may depend on atrusted nameserver and network path.This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.Reported by: David Leadbeater, G-ResearchReviewed by: gordonRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D38648 List of files: /src/crypto/openssh/ssh_config Fri, 17 Feb 2023 01:26:41 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#bffe60ead024a1fdf4312eaec5892435a7f6b4c5 ssh: retire client VersionAddendumFreeBSD introduced VersionAddendum for the server as a local change in2001 in commit 933ca70f8f88 and later extended it to the client incommit 9e2cbe04ff4f.In 2012 upstream added support for server VersionAddendum, in commit23528816dc10. They do not support it for the client.The argument for supporting this in the client is not nearly as strongas for the server, so retire this option to reduce the scope of ourlocal patch set. This also avoids some cases of conflicts in ssh_configduring update, as a user's configuration would typically follow thecommented-out default VersionAddendum value.Reviewed by: gordon, glebiusRelnotes: yesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D32930 List of files: /src/crypto/openssh/ssh_config Sat, 23 Apr 2022 19:40:48 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#835ee05f3c754d905099a3500f421dc01fab028f ssh: drop $FreeBSD$ from crypto/opensshAfter we moved to git $FreeBSD$ is no longer expanded and serves nopurpose. Remove them from OpenSSH to reduce diffs against upstream.Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 22 Apr 2022 23:05:44 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#87c1498d1a7473ff983e5c0456f30608f3f1e601 ssh: update to OpenSSH v9.0p1Release notes are available at https://www.openssh.com/txt/release-9.0Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.This commit excludes the scp(1) change to use the SFTP protocol bydefault; that change will immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 15 Apr 2022 14:41:08 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#e9e8876a4d6afc1ad5315faaa191b25121a813d7 ssh: update to OpenSSH v8.8p1OpenSSH v8.8p1 was motivated primarily by a security update anddeprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.The security update was already applied to FreeBSD as an independentchange, and the RSA/SHA1 deprecation is excluded from this commit butwill immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Sun, 19 Dec 2021 16:02:02 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/ssh_config Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#ef1c128c05a64dc96083697fdbf6f045262f7844 Merge ^/head r357921 through r357930. List of files: /src/crypto/openssh/ssh_config Fri, 14 Feb 2020 19:33:48 +0000 Dimitry Andric <dim@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#2f513db72b034fd5ef7f080b11be5c711c15186a Upgrade to OpenSSH 7.9p1.MFC after: 2 monthsSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 14 Feb 2020 19:06:59 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#3af64f03119a159ac15eb75b92d346705b490385 Merge ^/head r338392 through r338594. List of files: /src/crypto/openssh/ssh_config Tue, 11 Sep 2018 18:41:00 +0000 Dimitry Andric <dim@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#190cef3d52236565eb22e18b33e9e865ec634aa3 Upgrade to OpenSSH 7.8p1.Approved by: re (kib@) List of files: /src/crypto/openssh/ssh_config Mon, 10 Sep 2018 16:20:12 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#535af610a4fdace6d50960c0ad9be0597eea7a1b ssh: Update to OpenSSH 9.4p1Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567Full release notes at https://www.openssh.com/txt/release-9.4Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 11 Aug 2023 03:10:18 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#41ff5ea22cb95deb9e7415510eb2f5f00b91537a ssh: default VerifyHostKeyDNS to no, following upstreamRevert to upstream's default. Using VerifyHostKeyDNS may depend on atrusted nameserver and network path.This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.Reported by: David Leadbeater, G-ResearchReviewed by: gordonRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D38648 List of files: /src/crypto/openssh/ssh_config Fri, 17 Feb 2023 01:26:41 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#bffe60ead024a1fdf4312eaec5892435a7f6b4c5 ssh: retire client VersionAddendumFreeBSD introduced VersionAddendum for the server as a local change in2001 in commit 933ca70f8f88 and later extended it to the client incommit 9e2cbe04ff4f.In 2012 upstream added support for server VersionAddendum, in commit23528816dc10. They do not support it for the client.The argument for supporting this in the client is not nearly as strongas for the server, so retire this option to reduce the scope of ourlocal patch set. This also avoids some cases of conflicts in ssh_configduring update, as a user's configuration would typically follow thecommented-out default VersionAddendum value.Reviewed by: gordon, glebiusRelnotes: yesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D32930 List of files: /src/crypto/openssh/ssh_config Sat, 23 Apr 2022 19:40:48 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#835ee05f3c754d905099a3500f421dc01fab028f ssh: drop $FreeBSD$ from crypto/opensshAfter we moved to git $FreeBSD$ is no longer expanded and serves nopurpose. Remove them from OpenSSH to reduce diffs against upstream.Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 22 Apr 2022 23:05:44 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#87c1498d1a7473ff983e5c0456f30608f3f1e601 ssh: update to OpenSSH v9.0p1Release notes are available at https://www.openssh.com/txt/release-9.0Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.This commit excludes the scp(1) change to use the SFTP protocol bydefault; that change will immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Fri, 15 Apr 2022 14:41:08 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#e9e8876a4d6afc1ad5315faaa191b25121a813d7 ssh: update to OpenSSH v8.8p1OpenSSH v8.8p1 was motivated primarily by a security update anddeprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.The security update was already applied to FreeBSD as an independentchange, and the RSA/SHA1 deprecation is excluded from this commit butwill immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/ssh_config Sun, 19 Dec 2021 16:02:02 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/ssh_config#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/ssh_config Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org>