Changes in sshd_config

7238317403b95a8e35cf0bc7cd66fbd78ecbe521 - blocklist: Rename blacklist to blocklist

Sun, 12 Oct 2025 17:14:27 +0000

blocklist: Rename blacklist to blocklistFollow up upstream rename from blacklist to blocklist.- Old names and rc scripts are still valid, but emitting an ugly warning- Old firewall rules and anchor names should work, but emitting an ugly warning- Old MK_BLACKLIST* knobs are wired to the new onesAlthough care has been taken not to break current configurations, thisis a large patch containing mostly duplicated code. If issues arise, itwill be swiftly reverted.Reviewed by: ivy (pkgbase)Approved by: emaste (mentor)MFC after: 2 daysRelnotes: yes List of files: /src/crypto/openssh/sshd_config

8e28d84935f2f0ee081d44f9803f3052b960e50b - OpenSSH: Update to 10.0p2

Tue, 26 Aug 2025 19:04:16 +0000

OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /src/crypto/openssh/sshd_config

8be24d80adb4ba998240c1b5e20e678852dc0a05 - ssh: Reduce sshd_config diffs against OpenSSH 10.0p2

Tue, 29 Jul 2025 17:20:15 +0000

ssh: Reduce sshd_config diffs against OpenSSH 10.0p2Upstream had a poor description for KbdInteractiveAuthentication priorto the 10.0p2 release. We use KbdInteractiveAuthentication for PAMauthentication, and we replaced the poor description with a note aboutuse by PAM.In 10.0p2 the upstream description has been fixed. Incorporate thattext now as it is an improvement and avoids a conflict in the upcoming10.0p2 import.Reviewed by: jhbSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

62df41ae0a71e77ccb1e8fae06d82eec5dff441a - ssh: Bump VersionAddendum for CVE fixes

Wed, 19 Feb 2025 14:00:42 +0000

ssh: Bump VersionAddendum for CVE fixesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

3d3bae9b95388169d396adc8007585699c5a23e0 - sshd: bump VersionAddendum for 2739a6845031

Tue, 06 Aug 2024 19:22:53 +0000

sshd: bump VersionAddendum for 2739a6845031Reported by: markjFixes: 2739a6845031 ("sshd: remove blacklist call from grace_alarm_...")Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

a91a246563dffa876a52f53a98de4af9fa364c52 - ssh: Update to OpenSSH 9.7p1

Mon, 18 Mar 2024 14:00:57 +0000

ssh: Update to OpenSSH 9.7p1This release contains mostly bugfixes.It also makes support for the DSA signature algorithm a compile-timeoption, with plans to disable it upstream later this year and removesupport entirely in 2025.Full release notes at https://www.openssh.com/txt/release-9.7Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

069ac18495ad8fde2748bc94b0f80a50250bb01d - ssh: Update to OpenSSH 9.6p1

Fri, 05 Jan 2024 03:16:30 +0000

ssh: Update to OpenSSH 9.6p1From the release notes,> This release contains a number of security fixes, some small features> and bugfixes.The most significant change in 9.6p1 is a set of fixes for a newly-discovered weakness in the SSH transport protocol. The fix was alreadymerged into FreeBSD and released as FreeBSD-SA-23:19.openssh.Full release notes at https://www.openssh.com/txt/release-9.6Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

edf8578117e8844e02c0121147f45e4609b30680 - ssh: Update to OpenSSH 9.5p1

Mon, 09 Oct 2023 17:28:17 +0000

ssh: Update to OpenSSH 9.5p1Excerpts from the release notes:Potentially incompatible changes-------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments.New features------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks.Full release notes at https://www.openssh.com/txt/release-9.5Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

33a23ef2878fe525700983fb754f6f9f9f8fc4b7 - ssh: correct VersionAddendum date

Tue, 15 Aug 2023 13:29:06 +0000

ssh: correct VersionAddendum dateReported by: Herbert J. Skuhra Fixes: 535af610a4fd ("ssh: Update to OpenSSH 9.4p1")Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

535af610a4fdace6d50960c0ad9be0597eea7a1b - ssh: Update to OpenSSH 9.4p1

Fri, 11 Aug 2023 03:10:18 +0000

ssh: Update to OpenSSH 9.4p1Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567Full release notes at https://www.openssh.com/txt/release-9.4Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

66fd12cf4896eb08ad8e7a2627537f84ead84dd3 - ssh: Update to OpenSSH 9.3p2

Wed, 19 Jul 2023 17:02:33 +0000

ssh: Update to OpenSSH 9.3p2From the release notes:Changes since OpenSSH 9.3=========================This release fixes a security bug.Security========Fix CVE-2023-38408 - a condition where specific libaries loaded viassh-agent(1)'s PKCS#11 support could be abused to achieve remotecode execution via a forwarded agent socket if the followingconditions are met:* Exploitation requires the presence of specific libraries on the victim system.* Remote exploitation requires that the agent was forwarded to an attacker-controlled system.Exploitation can also be prevented by starting ssh-agent(1) with anempty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuringan allowlist that contains only specific provider libraries.This vulnerability was discovered and demonstrated to be exploitableby the Qualys Security Advisory team.In addition to removing the main precondition for exploitation,this release removes the ability for remote ssh-agent(1) clientsto load PKCS#11 modules by default (see below).Potentially-incompatible changes-------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction.CVE: CVE-2023-38408Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4 - ssh: Update to OpenSSH 9.3p1

Thu, 16 Mar 2023 14:29:55 +0000

ssh: Update to OpenSSH 9.3p1This release fixes a number of security bugs and has minor newfeatures and bug fixes. Security fixes, from the release notes(https://www.openssh.com/txt/release-9.3):This release contains fixes for a security problem and a memorysafety problem. The memory safety problem is not believed to beexploitable, but we report most network-reachable memory faults assecurity bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer.Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

77934b7a1301737edcd3518f1af99a387b3068ae - ssh: default X11Forwarding to no, following upstream

Mon, 14 Nov 2022 20:24:54 +0000

ssh: default X11Forwarding to no, following upstreamAdministrators can enable it if required.Reviewed by: bz, kevansRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D37411 List of files: /src/crypto/openssh/sshd_config

f374ba41f55c1a127303d92d830dd58eef2f5243 - ssh: update to OpenSSH 9.2p1

Mon, 06 Feb 2023 21:54:56 +0000

ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 - ssh: update to OpenSSH 9.1p1

Wed, 19 Oct 2022 14:27:11 +0000

ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

9f009e066f088e2c31442db31d2a85001040abfe - sshd_config: clarify password authentication options

Wed, 25 May 2022 13:32:57 +0000

sshd_config: clarify password authentication optionsPasswords may be accepted by both the PasswordAuthentication andKbdInteractiveAuthentication authentication schemes. Add a reference tothe latter in the description/comment for PasswordAuthentication, as itotherwise may seem that "PasswordAuthentication no" implies passwordswill be disallowed.This situation should be clarified with more extensive documentation onthe authentication schemes and configuration options, but that should bedone in coordination with upstream OpenSSH. This is a minimal changethat will hopefully clarify the situation without requiring an extensivelocal patch set.PR: 263045Reviewed by: manu (earlier version)MFC after: 2 weeksSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D35272 List of files: /src/crypto/openssh/sshd_config

0e12eb7b58ae29ccf52571e82af99c3a3a04b399 - ssh: update sshd_config for prohibit-password option

Tue, 10 May 2022 14:08:21 +0000

ssh: update sshd_config for prohibit-password optionThe PermitRootLogin option "prohibit-password" was added as a synonymfor "without-password" in 2015. Then in 2017 these were swapped:"prohibit-password" became the canonical option and "without-password"became a deprecated synonym (in OpenSSH commit 071325f458).The UsePAM description in sshd_config still mentioned"without-password." Update it to match the new canonical option.Sponsored by: The FreeBSD FoundationMFC after: 1 week List of files: /src/crypto/openssh/sshd_config

835ee05f3c754d905099a3500f421dc01fab028f - ssh: drop $FreeBSD$ from crypto/openssh

Fri, 22 Apr 2022 23:05:44 +0000

ssh: drop $FreeBSD$ from crypto/opensshAfter we moved to git $FreeBSD$ is no longer expanded and serves nopurpose. Remove them from OpenSSH to reduce diffs against upstream.Sponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

87c1498d1a7473ff983e5c0456f30608f3f1e601 - ssh: update to OpenSSH v9.0p1

Fri, 15 Apr 2022 14:41:08 +0000

ssh: update to OpenSSH v9.0p1Release notes are available at https://www.openssh.com/txt/release-9.0Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.This commit excludes the scp(1) change to use the SFTP protocol bydefault; that change will immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config

1323ec571215a77ddd21294f0871979d5ad6b992 - ssh: update to OpenSSH v8.9p1

Wed, 13 Apr 2022 20:00:56 +0000

ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/sshd_config