en Copyright 2025 Java http://opengrok.net:8080/history/src/secure/libexec/Makefile#8e28d84935f2f0ee081d44f9803f3052b960e50b OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /src/secure/libexec/Makefile Tue, 26 Aug 2025 19:04:16 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e openssh: Update to 9.8p1Highlights from the release notes are reproduced below. Some securityand bug fixes were previously merged into FreeBSD and have been elided.See the upstream release notes for full details(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101New features------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys.Portability----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479---Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48914 List of files: /src/secure/libexec/Makefile Wed, 19 Feb 2025 17:20:44 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#e9ac41698b2f322d55ccf9da50a3596edb2c1800 Remove residual blank line at start of MakefileThis is a residual of the $FreeBSD$ removal.MFC After: 3 days (though I'll just run the command on the branches)Sponsored by: Netflix List of files: /src/secure/libexec/Makefile Mon, 15 Jul 2024 04:46:32 +0000 Warner Losh <imp@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /src/secure/libexec/Makefile Wed, 16 Aug 2023 17:55:03 +0000 Warner Losh <imp@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#e9a994639b2af232f994ba2ad23ca45a17718d2b ssh: enable FIDO/U2F keysDescription of FIDO/U2F support (from OpenSSH 8.2 release notes,https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.To enable FIDO/U2F support, this change regenerates ssh_namespace.h,adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless buildingWITHOUT_USB).devd integration is not included in this change, and is underinvestigation for the base system. In the interim the security/u2f-devdport can be installed to provide appropriate devd rules.Reviewed by: delphij, kevansRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D32509 List of files: /src/secure/libexec/Makefile Thu, 07 Oct 2021 03:31:17 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#8e28d84935f2f0ee081d44f9803f3052b960e50b OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /src/secure/libexec/Makefile Tue, 26 Aug 2025 19:04:16 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e openssh: Update to 9.8p1Highlights from the release notes are reproduced below. Some securityand bug fixes were previously merged into FreeBSD and have been elided.See the upstream release notes for full details(https://www.openssh.com/releasenotes.html).---Future deprecation notice=========================OpenSSH plans to remove support for the DSA signature algorithm inearly 2025.Potentially-incompatible changes-------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101New features------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys.Portability----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479---Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D48914 List of files: /src/secure/libexec/Makefile Wed, 19 Feb 2025 17:20:44 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#e9ac41698b2f322d55ccf9da50a3596edb2c1800 Remove residual blank line at start of MakefileThis is a residual of the $FreeBSD$ removal.MFC After: 3 days (though I'll just run the command on the branches)Sponsored by: Netflix List of files: /src/secure/libexec/Makefile Mon, 15 Jul 2024 04:46:32 +0000 Warner Losh <imp@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /src/secure/libexec/Makefile Wed, 16 Aug 2023 17:55:03 +0000 Warner Losh <imp@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#e9a994639b2af232f994ba2ad23ca45a17718d2b ssh: enable FIDO/U2F keysDescription of FIDO/U2F support (from OpenSSH 8.2 release notes,https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.To enable FIDO/U2F support, this change regenerates ssh_namespace.h,adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless buildingWITHOUT_USB).devd integration is not included in this change, and is underinvestigation for the base system. In the interim the security/u2f-devdport can be installed to provide appropriate devd rules.Reviewed by: delphij, kevansRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D32509 List of files: /src/secure/libexec/Makefile Thu, 07 Oct 2021 03:31:17 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#0275f9dbf73b01e9478dc7d6ab5fab4f8e077448 Merge ^/head r321383 through r322397. List of files: /src/secure/libexec/Makefile Fri, 11 Aug 2017 10:59:34 +0000 Hans Petter Selasky <hselasky@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#d59ead01d83460374ba0e7be8096b1a66d737efb MFhead@r321970 List of files: /src/secure/libexec/Makefile Thu, 03 Aug 2017 05:30:11 +0000 Enji Cooper <ngie@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#46b37aa2c4068c1a237b0a7e61b8c2f953b3708c MFhead@r321912 List of files: /src/secure/libexec/Makefile Wed, 02 Aug 2017 08:38:36 +0000 Enji Cooper <ngie@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#4b330699f819a81d8e34d471225143ffeb321855 Convert traditional ${MK_TESTS} conditional idiom for including testdirectories to SUBDIR.${MK_TESTS} idiomThis is being done to pave the way for future work (and homogenity) in^/projects/make-check-sandbox .No functional change intended.MFC after: 1 weeks List of files: /src/secure/libexec/Makefile Wed, 02 Aug 2017 08:35:51 +0000 Enji Cooper <ngie@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#b626f5a73a48f44a31a200291b141e1da408a2ff MFH r289384-r293170Sponsored by: The FreeBSD Foundation List of files: /src/secure/libexec/Makefile Mon, 04 Jan 2016 19:19:48 +0000 Glen Barber <gjb@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#a5d8944a83ff8a3aad14197b7aa0800ff9bda95e Catch up with head (r291075). List of files: /src/secure/libexec/Makefile Thu, 19 Nov 2015 16:28:42 +0000 Navdeep Parhar <np@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#11d38a5764295585a2472d5e861fa8abe1a11eb2 Merge from headSponsored by: Gandi.net List of files: /src/secure/libexec/Makefile Wed, 28 Oct 2015 11:58:18 +0000 Baptiste Daroussin <bapt@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#031c294c1d25a6b9b62a50a2dfdb300c9ca22f2b Merge from head List of files: /src/secure/libexec/Makefile Mon, 19 Oct 2015 11:51:10 +0000 Baptiste Daroussin <bapt@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#aa92269e4636d8ec1b42fcd66e6f52c479e77516 Add more SUBDIR_PARALLEL.MFC after: 3 weeksSponsored by: EMC / Isilon Storage Division List of files: /src/secure/libexec/Makefile Thu, 15 Oct 2015 22:55:08 +0000 Bryan Drewery <bdrewery@FreeBSD.org> http://opengrok.net:8080/history/src/secure/libexec/Makefile#6cec9cad762b6476313fb1f8e931a1647822db6b MFC @ r266724An SVM update will follow this. List of files: /src/secure/libexec/Makefile Tue, 03 Jun 2014 02:34:21 +0000 Peter Grehan <grehan@FreeBSD.org>