Revision tags: v6.2.2, v6.2.1, v6.2.0, v6.3.0 |
|
#
50a69bb5 |
| 09-Oct-2021 |
Sascha Wildner <saw@online.de> |
Import OpenSSH-8.8p1
|
Revision tags: v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
664f4763 |
| 18-Apr-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
Import OpenSSH-8.0p1
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0 |
|
#
ce74baca |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
|
Revision tags: v6.2.2, v6.2.1, v6.2.0, v6.3.0 |
|
#
50a69bb5 |
| 09-Oct-2021 |
Sascha Wildner <saw@online.de> |
Import OpenSSH-8.8p1
|
Revision tags: v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2 |
|
#
664f4763 |
| 18-Apr-2019 |
zrj <rimvydas.jasinskas@gmail.com> |
Import OpenSSH-8.0p1
|
#
ad5056c7 |
| 14-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
sshd - Disable tunneled clear text passwords by default
* Reapply 1cb3a32c13b and c866a462b3. sshd on DragonFlyBSD defaults to disabling cleartext passwords by default.
Reminded-by: ivadasz
|
#
2c9c1408 |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
* Import OpeNSSH-7.6p1. Couldn't really merge from the vendor branch so just brought it in.
* Adjustments for WARNS issues
|
Revision tags: v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0 |
|
#
ce74baca |
| 13-Oct-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
Import OpenSSH-7.6p1
|
Revision tags: v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2 |
|
#
1cb3a32c |
| 17-Mar-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
sshd - Fix default password authentication
* The default for PasswordAuthentication somehow got reverted to being enabled.
* Disable PasswordAuthentication by default.
* Uncomment PasswordAuthen
sshd - Fix default password authentication
* The default for PasswordAuthentication somehow got reverted to being enabled.
* Disable PasswordAuthentication by default.
* Uncomment PasswordAuthentication in the default sshd_config, defaulting to 'no', and always overriding sshd's own defaults.
show more ...
|
Revision tags: v4.9.0, v4.8.0rc, v4.6.1 |
|
#
4bde49b7 |
| 13-Aug-2016 |
Peter Avalos <pavalos@dragonflybsd.org> |
sshd(8): Disable tunneled cleartext passwords.
This was previously our default that got wiped away when I removed our local changes to OpenSSH. It's unlikely that anyone running master saw any chang
sshd(8): Disable tunneled cleartext passwords.
This was previously our default that got wiped away when I removed our local changes to OpenSSH. It's unlikely that anyone running master saw any change to their sshd behavior, because they likely had the PasswordAuthentication line uncommented in their configuration file.
show more ...
|
#
e9778795 |
| 04-Aug-2016 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-7.3p1.
|
#
f0ea6a7a |
| 04-Aug-2016 |
Peter Avalos <pavalos@dragonflybsd.org> |
Remove most local modifications from OpenSSH.
This primarily removes the HPN patches. It's become too cumbersome to maintain these patches as demonstrated by the fact that we haven't updated OpenSSH
Remove most local modifications from OpenSSH.
This primarily removes the HPN patches. It's become too cumbersome to maintain these patches as demonstrated by the fact that we haven't updated OpenSSH in quite some time. If people want additional functionality in their OpenSSH, it's available in dports (security/openssh).
Instead of just silently ignoring removed options in people's configurations, I decided to treat these as errors so that the admin will need to decide to remove it from their configuration or install the dport to get the functionality back.
show more ...
|
Revision tags: v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5, v4.0.4 |
|
#
3b34ad6b |
| 24-Jan-2015 |
Peter Avalos <pavalos@dragonflybsd.org> |
Remove blacklisted keys support from OpenSSH.
As time progresses, this code becomes less useful. I left the code that still scans the configuration option, and in the future it can be removed as wel
Remove blacklisted keys support from OpenSSH.
As time progresses, this code becomes less useful. I left the code that still scans the configuration option, and in the future it can be removed as well.
The original author made a decent case for removing this in 2013: https://lists.debian.org/debian-devel/2013/09/msg00240.html
show more ...
|
Revision tags: v4.0.3, v4.0.2 |
|
#
36e94dc5 |
| 26-Nov-2014 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-6.7p1.
|
Revision tags: v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc, v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3, v3.4.2 |
|
#
91e5aabb |
| 20-May-2013 |
Sascha Wildner <saw@online.de> |
Switch to /usr/local/... paths in several files.
|
Revision tags: v3.4.0, v3.4.1, v3.4.0rc, v3.5.0, v3.2.2 |
|
#
a3775bf2 |
| 28-Oct-2012 |
Peter Avalos <pavalos@dragonflybsd.org> |
Update files for OpenSSH-6.1p1 import.
|
#
99e85e0d |
| 28-Oct-2012 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-6.1p1.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard supp
Import OpenSSH-6.1p1.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening * ssh-add(1): new -k option to load plain keys (skipping certificates) * sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857 * ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings * support cancellation of local/dynamic forwardings from ~C commandline * sshd(8): This release turns on pre-auth sandboxing sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config. * ssh-keygen(1): Add options to specify starting line number and number of lines to process when screening moduli candidates, allowing processing of different parts of a candidate moduli file in parallel * sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses. * sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups} * Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978 * ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8 * sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests. * sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile * ssh-keyscan(1): Look for ECDSA keys by default. bz#1971 * sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports * scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying * ssh(1): skip attempting to create ~/.ssh when -F is passed * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943 * sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859 * sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683 * Fixed a number of memory and file descriptor leaks * ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while. * ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023, * sshd(8): Handle long comments in config files better. bz#2025 * ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995 * sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
show more ...
|
Revision tags: v3.2.1, v3.2.0, v3.3.0, v3.0.3, v3.0.2, v3.0.1, v3.1.0, v3.0.0 |
|
#
86d7f5d3 |
| 26-Nov-2011 |
John Marino <draco@marino.st> |
Initial import of binutils 2.22 on the new vendor branch
Future versions of binutils will also reside on this branch rather than continuing to create new binutils branches for each new version.
|
Revision tags: v2.12.0, v2.13.0 |
|
#
fa7cb8ce |
| 20-Sep-2011 |
Peter Avalos <pavalos@dragonflybsd.org> |
Update files for OpenSSH-5.9p1 import.
|
#
1c188a7f |
| 20-Sep-2011 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.9p1.
* Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the sy
Import OpenSSH-5.9p1.
* Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. This intention is to prevent a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface.
The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child from forking or opening new network connections.
* Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96, and are available by default in ssh(1) and sshd(8)
* The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot.
* ssh(1) now warns when a server refuses X11 forwarding
* sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace. The undocumented AuthorizedKeysFile2 option is deprecated (though the default for AuthorizedKeysFile includes .ssh/authorized_keys2)
* sshd_config(5): similarly deprecate UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile and GlobalKnownHostsFile accept multiple options and default to include known_hosts2
* Retain key comments when loading v.2 keys. These will be visible in "ssh-add -l" and other places. bz#439
* ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as IPv4 ToS/DSCP). bz#1855
* ssh_config(5)'s ControlPath option now expands %L to the host portion of the destination host name.
* ssh_config(5) "Host" options now support negated Host matching, e.g.
Host *.example.org !c.example.org User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
* ssh_config(5): a new RequestTTY option provides control over when a TTY is requested for a connection, similar to the existing -t/-tt/-T ssh(1) commandline options.
* sshd(8): allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244
* ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is useful for system initialization scripts.
* ssh(1): Allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests but don't kill existing connections. This may be requested using "ssh -O stop ..."
* ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key"
* ssh-keysign(8) now signs hostbased authentication challenges correctly using ECDSA keys; bz#1858
* sftp(1): document that sftp accepts square brackets to delimit addresses (useful for IPv6); bz#1847a
* ssh(1): when using session multiplexing, the master process will change its process title to reflect the control path in use and when a ControlPersist-ed master is waiting to close; bz#1883 and bz#1911
* Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892 1900 1905 1913
show more ...
|
Revision tags: v2.10.1, v2.11.0, v2.10.0 |
|
#
9f304aaf |
| 09-Apr-2011 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.8p1.
* Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6.
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (
Import OpenSSH-5.8p1.
* Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6.
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
* sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command
* scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
* ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
* ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
* ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed.
* ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
* sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1).
BugFixes:
* ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories.
* ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel;
* sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode
* scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case;
* sftp-server(8): umask should be parsed as octal
* sftp(1): escape '[' in filename tab-completion
* ssh(1): Typo in confirmation message.
* sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block
* sshd(8): Use default shell /bin/sh if $SHELL is ""
* ssh(1): kill proxy command on fatal() (we already killed it on clean exit);
* ssh(1): install a SIGCHLD handler to reap expiried child process;
* sshd(8): Use correct uid_t/pid_t types instead of int.
show more ...
|
Revision tags: v2.9.1, v2.8.2, v2.8.1, v2.8.0, v2.9.0 |
|
#
856ea928 |
| 29-Sep-2010 |
Peter Avalos <pavalos@dragonflybsd.org> |
Import OpenSSH-5.6p1.
|
Revision tags: v2.6.3, v2.7.3, v2.6.2, v2.7.2, v2.7.1, v2.6.1, v2.7.0, v2.6.0 |
|
#
85088528 |
| 15-Nov-2009 |
Matthew Dillon <dillon@apollo.backplane.com> |
SSHD - Change default security
This only effects fresh installs.
* Allow root logins via public key only (previously: root logins not allowed at all via ssh). I've done this for years, it allows
SSHD - Change default security
This only effects fresh installs.
* Allow root logins via public key only (previously: root logins not allowed at all via ssh). I've done this for years, it allows an authorized_keys file in ~root/.ssh to work without having to adjust /etc/ssh/sshd_config on every install.
* Do not allow any login, root or otherwise, via tunneled plaintext password (previously: non-root logins were allowed via plaintext password).
Often people want plaintext passwords on e.g. workstations for xdm or console logins, but do not want to allow their use over networked connections. Since tunneled plaintext passwords are not considered very secure and alternatives exist (aka public key logins) we now disallow them by default.
show more ...
|
Revision tags: v2.5.1, v2.4.1, v2.5.0, v2.4.0, v2.3.2 |
|
#
18de8d7f |
| 20-Jun-2009 |
Peter Avalos <pavalos@theshell.com> |
Move openssh-5/ to openssh/. We don't need a versioned directory.
|
Revision tags: v2.3.1, v2.2.1, v2.2.0, v2.3.0, v2.1.1, v2.0.1 |
|
#
1de703da |
| 17-Jun-2003 |
Matthew Dillon <dillon@dragonflybsd.org> |
Add the DragonFly cvs id and perform general cleanups on cvs/rcs/sccs ids. Most ids have been removed from !lint sections and moved into comment sections.
|