Revision tags: v6.2.2, v6.2.1, v6.2.0, v6.3.0 |
|
#
50a69bb5 |
| 09-Oct-2021 |
Sascha Wildner <saw@online.de> |
Import OpenSSH-8.8p1
|
Revision tags: v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2 |
|
#
0cbfa66c |
| 22-Jul-2020 |
Daniel Fojt <df@neosystem.org> |
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed, openssh 8.1 and later encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB)
- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates
- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server
- ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-* key exchange algorithms have changed, most options have been folded under the -O flag
- support PKCS8 as an optional format for storage of private keys to disk, native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto
- sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups
- sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2
- sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks
- ssh(1), sshd(8): allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519"
- ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no
- ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding
- ssh(1): allow %n to be expanded in ProxyCommand strings
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it
- sftp(1): check for user@host when parsing sftp target, this allows user@[1.2.3.4] to work without a path
- sftp(1): fix a race condition in the SIGCHILD handler that could turn in to a kill(-1)
For detailed list of all improvements, enhancements and bugfixes see release notes:
https://www.openssh.com/releasenotes.html
show more ...
|
Revision tags: v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
664f4763 |
| 18-Apr-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
Import OpenSSH-8.0p1
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0 |
|
#
ce74baca |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
|
Revision tags: v6.2.2, v6.2.1, v6.2.0, v6.3.0 |
|
#
50a69bb5 |
| 09-Oct-2021 |
Sascha Wildner <saw@online.de> |
Import OpenSSH-8.8p1
|
Revision tags: v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2 |
|
#
0cbfa66c |
| 22-Jul-2020 |
Daniel Fojt <df@neosystem.org> |
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel
vendor/openssh: upgrade from 8.0p1 to 8.3p1
Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed, openssh 8.1 and later encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB)
- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates
- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server
- ssh-keygen(1): the command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-* key exchange algorithms have changed, most options have been folded under the -O flag
- support PKCS8 as an optional format for storage of private keys to disk, native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto
- sshd(8): the sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups
- sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2
- sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks
- ssh(1), sshd(8): allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519"
- ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no
- ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding
- ssh(1): allow %n to be expanded in ProxyCommand strings
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it
- sftp(1): check for user@host when parsing sftp target, this allows user@[1.2.3.4] to work without a path
- sftp(1): fix a race condition in the SIGCHILD handler that could turn in to a kill(-1)
For detailed list of all improvements, enhancements and bugfixes see release notes:
https://www.openssh.com/releasenotes.html
show more ...
|
Revision tags: v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
664f4763 |
| 18-Apr-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
Import OpenSSH-8.0p1
|
#
2c9c1408 |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
* Import OpeNSSH-7.6p1. Couldn't really merge from the vendor branch so just brought it in.
* Adjustments for WARNS issues
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0 |
|
#
ce74baca |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
|
Revision tags: v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1 |
|
#
e9778795 |
| 04-Aug-2016 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-7.3p1.
|
Revision tags: v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4, v4.0.3, v4.0.2, v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3, v3.4.2, v3.4.0, v3.4.1, v3.4.0rc, v3.5.0, v3.2.2 |
|
#
99e85e0d |
| 28-Oct-2012 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-6.1p1.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard supp
Import OpenSSH-6.1p1.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline * sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks * ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
show more ...
|
Revision tags: v3.2.1, v3.2.0, v3.3.0, v3.0.3, v3.0.2, v3.0.1, v3.1.0, v3.0.0 |
|
#
86d7f5d3 |
| 26-Nov-2011 |
John Marino <draco@marino.st> |
Initial import of binutils 2.22 on the new vendor branch
Future versions of binutils will also reside on this branch rather than continuing to create new binutils branches for each new version.
|
Revision tags: v2.12.0, v2.13.0, v2.10.1, v2.11.0, v2.10.0 |
|
#
9f304aaf |
| 09-Apr-2011 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.8p1.
* Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6.
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (
Import OpenSSH-5.8p1.
* Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6.
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
* sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command
* scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
* ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
* ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
* ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed.
* ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
* sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1).
BugFixes:
* ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories.
* ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel;
* sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode
* scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case;
* sftp-server(8): umask should be parsed as octal
* sftp(1): escape '[' in filename tab-completion
* ssh(1): Typo in confirmation message.
* sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block
* sshd(8): Use default shell /bin/sh if $SHELL is ""
* ssh(1): kill proxy command on fatal() (we already killed it on clean exit);
* ssh(1): install a SIGCHLD handler to reap expiried child process;
* sshd(8): Use correct uid_t/pid_t types instead of int.
show more ...
|
Revision tags: v2.9.1, v2.8.2, v2.8.1, v2.8.0, v2.9.0 |
|
#
856ea928 |
| 29-Sep-2010 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.6p1.
|