vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:

- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel

vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:

- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel attacks like
Spectre, Meltdown and Rambleed, openssh 8.1 and later encrypts private
keys when they are not in use with a symmetric key that is derived from
a relatively large "prekey" consisting of random data (currently 16KB)

- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will
use the rsa-sha2-512 signature algorithm by default when the
ssh-keygen(1) CA signs new certificates

- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from
the default key exchange proposal for both the client and server

- ssh-keygen(1): the command-line options related to the generation and
screening of safe prime numbers used by the diffie-hellman-group-* key
exchange algorithms have changed, most options have been folded under
the -O flag

- support PKCS8 as an optional format for storage of private keys to disk,
native key format remains the default, but PKCS8 is a superior format to
PEM if interoperability with non-OpenSSH software is required

- ssh(1), sshd(8): prefer to use chacha20 from libcrypto

- sshd(8): the sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured
by MaxStartups

- sshd(8): when clients get denied by MaxStartups, send a notification
prior to the SSH2 protocol banner according to RFC4253 section 4.2

- sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns

- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
to allow .shosts files but not .rhosts

- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks

- ssh(1), sshd(8): allow prepending a list of algorithms to the default
set by starting the list with the '^' character, e.g.
"HostKeyAlgorithms ^ssh-ed25519"

- ssh(1): allow forwarding a different agent socket to the path specified
by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in
addition to yes/no

- ssh(1): add %TOKEN percent expansion for the LocalFoward and
RemoteForward keywords when used for Unix domain socket forwarding

- ssh(1): allow %n to be expanded in ProxyCommand strings

- sftp(1): reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it

- sftp(1): check for user@host when parsing sftp target, this allows
user@[1.2.3.4] to work without a path

- sftp(1): fix a race condition in the SIGCHILD handler that could
turn in to a kill(-1)

For detailed list of all improvements, enhancements and bugfixes see
release notes:

https://www.openssh.com/releasenotes.html

show more ...

vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:

- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel

vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:

- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel attacks like
Spectre, Meltdown and Rambleed, openssh 8.1 and later encrypts private
keys when they are not in use with a symmetric key that is derived from
a relatively large "prekey" consisting of random data (currently 16KB)

- ssh(1), sshd(8), ssh-keygen(1): openssh 8.2 removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will
use the rsa-sha2-512 signature algorithm by default when the
ssh-keygen(1) CA signs new certificates

- ssh(1), sshd(8): openssh 8.2 removes diffie-hellman-group14-sha1 from
the default key exchange proposal for both the client and server

- ssh-keygen(1): the command-line options related to the generation and
screening of safe prime numbers used by the diffie-hellman-group-* key
exchange algorithms have changed, most options have been folded under
the -O flag

- support PKCS8 as an optional format for storage of private keys to disk,
native key format remains the default, but PKCS8 is a superior format to
PEM if interoperability with non-OpenSSH software is required

- ssh(1), sshd(8): prefer to use chacha20 from libcrypto

- sshd(8): the sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured
by MaxStartups

- sshd(8): when clients get denied by MaxStartups, send a notification
prior to the SSH2 protocol banner according to RFC4253 section 4.2

- sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns

- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
to allow .shosts files but not .rhosts

- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks

- ssh(1), sshd(8): allow prepending a list of algorithms to the default
set by starting the list with the '^' character, e.g.
"HostKeyAlgorithms ^ssh-ed25519"

- ssh(1): allow forwarding a different agent socket to the path specified
by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in
addition to yes/no

- ssh(1): add %TOKEN percent expansion for the LocalFoward and
RemoteForward keywords when used for Unix domain socket forwarding

- ssh(1): allow %n to be expanded in ProxyCommand strings

- sftp(1): reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it

- sftp(1): check for user@host when parsing sftp target, this allows
user@[1.2.3.4] to work without a path

- sftp(1): fix a race condition in the SIGCHILD handler that could
turn in to a kill(-1)

For detailed list of all improvements, enhancements and bugfixes see
release notes:

https://www.openssh.com/releasenotes.html

show more ...

Initial import of binutils 2.22 on the new vendor branch

Future versions of binutils will also reside on this branch rather
than continuing to create new binutils branches for each new version.

Move openssh-5/ to openssh/. We don't need a versioned directory.