head 1.4; access; symbols netbsd-11-0-RC4:1.3.10.1 v103-20260402:1.1.1.5 netbsd-11-0-RC3:1.3.10.1 netbsd-11-0-RC2:1.3.10.1 netbsd-11-0-RC1:1.3.10.1 v102-20251010:1.1.1.5 v102-20251006:1.1.1.5 perseant-exfatfs-base-20250801:1.3 netbsd-11:1.3.0.10 netbsd-11-base:1.3 v100-20250409:1.1.1.4 netbsd-10-1-RELEASE:1.3 v99-20240919:1.1.1.4 v98-20240701:1.1.1.4 perseant-exfatfs-base-20240630:1.3 perseant-exfatfs:1.3.0.8 perseant-exfatfs-base:1.3 v97-20240311:1.1.1.4 netbsd-8-3-RELEASE:1.2 netbsd-9-4-RELEASE:1.2.20.1 netbsd-10-0-RELEASE:1.3 netbsd-10-0-RC6:1.3 netbsd-10-0-RC5:1.3 netbsd-10-0-RC4:1.3 netbsd-10-0-RC3:1.3 netbsd-10-0-RC2:1.3 v96-20231218:1.1.1.4 netbsd-10-0-RC1:1.3 v95-20231004:1.1.1.4 v93p2-20230719:1.1.1.4 v93-20230719:1.1.1.4 netbsd-10:1.3.0.6 netbsd-10-base:1.3 v91-20221004:1.1.1.4 netbsd-9-3-RELEASE:1.2 v90-20220408:1.1.1.4 v89-20220223:1.1.1.4 v88-20210926:1.1.1.4 v87-20210820:1.1.1.4 cjep_sun2x-base1:1.3 cjep_sun2x:1.3.0.4 cjep_sun2x-base:1.3 cjep_staticlib_x-base1:1.3 netbsd-9-2-RELEASE:1.2 cjep_staticlib_x:1.3.0.2 cjep_staticlib_x-base:1.3 v86-20210419:1.1.1.4 v85_20210303:1.1.1.4 v84-20200927:1.1.1.3 netbsd-9-1-RELEASE:1.2 v83-20200527:1.1.1.3 phil-wifi-20200421:1.2 phil-wifi-20200411:1.2 is-mlppp:1.2.0.22 is-mlppp-base:1.2 phil-wifi-20200406:1.2 netbsd-8-2-RELEASE:1.2 v82-20200214:1.1.1.3 netbsd-9-0-RELEASE:1.2 netbsd-9-0-RC2:1.2 netbsd-9-0-RC1:1.2 phil-wifi-20191119:1.2 v81-20191009:1.1.1.3 netbsd-9:1.2.0.20 netbsd-9-base:1.2 phil-wifi-20190609:1.2 netbsd-8-1-RELEASE:1.2 netbsd-8-1-RC1:1.2 v80-20190417:1.1.1.3 pgoyette-compat-merge-20190127:1.2 pgoyette-compat-20190127:1.2 pgoyette-compat-20190118:1.2 pgoyette-compat-1226:1.2 pgoyette-compat-1126:1.2 pgoyette-compat-1020:1.2 pgoyette-compat-0930:1.2 pgoyette-compat-0906:1.2 netbsd-7-2-RELEASE:1.1.1.1.2.2 v78-20180824:1.1.1.3 pgoyette-compat-0728:1.2 netbsd-8-0-RELEASE:1.2 phil-wifi:1.2.0.18 phil-wifi-base:1.2 pgoyette-compat-0625:1.2 netbsd-8-0-RC2:1.2 pgoyette-compat-0521:1.2 pgoyette-compat-0502:1.2 pgoyette-compat-0422:1.2 netbsd-8-0-RC1:1.2 pgoyette-compat-0415:1.2 pgoyette-compat-0407:1.2 v77-20180405:1.1.1.3 pgoyette-compat-0330:1.2 pgoyette-compat-0322:1.2 pgoyette-compat-0315:1.2 netbsd-7-1-2-RELEASE:1.1.1.1.2.2 pgoyette-compat:1.2.0.16 pgoyette-compat-base:1.2 netbsd-7-1-1-RELEASE:1.1.1.1.2.2 matt-nb8-mediatek:1.2.0.14 matt-nb8-mediatek-base:1.2 v76-20171003:1.1.1.3 netbsd-6:1.2.0.12 netbsd-6-1:1.2.0.10 netbsd-6-0:1.2.0.8 perseant-stdc-iso10646:1.2.0.6 perseant-stdc-iso10646-base:1.2 netbsd-8:1.2.0.4 netbsd-8-base:1.2 prg-localcount2-base3:1.2 prg-localcount2-base2:1.2 prg-localcount2-base1:1.2 prg-localcount2:1.2.0.2 prg-localcount2-base:1.2 pgoyette-localcount-20170426:1.2 bouyer-socketcan-base1:1.2 v75-20170418:1.1.1.3 pgoyette-localcount-20170320:1.2 netbsd-7-1:1.1.1.1.2.2.0.6 netbsd-7-1-RELEASE:1.1.1.1.2.2 netbsd-7-1-RC2:1.1.1.1.2.2 netbsd-7-nhusb-base-20170116:1.1.1.1.2.2 bouyer-socketcan:1.1.1.3.0.4 bouyer-socketcan-base:1.1.1.3 pgoyette-localcount-20170107:1.1.1.3 netbsd-7-1-RC1:1.1.1.1.2.2 v74-20161219:1.1.1.3 pgoyette-localcount-20161104:1.1.1.3 netbsd-7-0-2-RELEASE:1.1.1.1.2.2 localcount-20160914:1.1.1.3 netbsd-7-nhusb:1.1.1.1.2.2.0.4 netbsd-7-nhusb-base:1.1.1.1.2.2 pgoyette-localcount-20160806:1.1.1.3 v73-20160802:1.1.1.3 pgoyette-localcount-20160726:1.1.1.3 pgoyette-localcount:1.1.1.3.0.2 pgoyette-localcount-base:1.1.1.3 netbsd-7-0-1-RELEASE:1.1.1.1.2.2 v72-20160310:1.1.1.3 netbsd-7-0:1.1.1.1.2.2.0.2 netbsd-7-0-RELEASE:1.1.1.1.2.2 v71-20150821:1.1.1.2 v70-20150812:1.1.1.2 netbsd-7-0-RC3:1.1.1.1.2.2 netbsd-7-0-RC2:1.1.1.1.2.2 v69-20150630:1.1.1.2 netbsd-7-0-RC1:1.1.1.1.2.2 netbsd-7:1.1.1.1.0.2 v68-20150318:1.1.1.1 v67-20141018:1.1.1.1 OPENSSH:1.1.1; locks; strict; comment @# @; 1.4 date 2025.10.11.15.45.09; author christos; state Exp; branches; next 1.3; commitid 5RgqA9p3dWoJoaeG; 1.3 date 2021.03.05.17.47.16; author christos; state Exp; branches 1.3.10.1; next 1.2; commitid l29G1ZHQtayK69KC; 1.2 date 2017.02.01.14.24.13; author christos; state Exp; branches 1.2.8.1 1.2.10.1 1.2.12.1 1.2.20.1; next 1.1; commitid Mfc3xuJt5IYzYfEz; 1.1 date 2014.10.19.16.28.38; author christos; state Exp; branches 1.1.1.1; next ; commitid IpPIAjhtQdotwPUx; 1.3.10.1 date 2026.02.02.18.08.02; author martin; state Exp; branches; next ; commitid uoph5GzxvxGnwPsG; 1.2.8.1 date 2017.02.01.14.24.13; author snj; state dead; branches; next 1.2.8.2; commitid Avii1iKwJTVPxg3A; 1.2.8.2 date 2017.08.15.04.53.01; author snj; state Exp; branches; next ; commitid Avii1iKwJTVPxg3A; 1.2.10.1 date 2017.02.01.14.24.13; author snj; state dead; branches; next 1.2.10.2; commitid 9D1SFZl4sgHsGg3A; 1.2.10.2 date 2017.08.15.05.17.58; author snj; state Exp; branches; next ; commitid 9D1SFZl4sgHsGg3A; 1.2.12.1 date 2017.02.01.14.24.13; author snj; state dead; branches; next 1.2.12.2; commitid 1NcQ7l6cl0KAJg3A; 1.2.12.2 date 2017.08.15.05.27.53; author snj; state Exp; branches; next ; commitid 1NcQ7l6cl0KAJg3A; 1.2.20.1 date 2023.12.25.12.31.10; author martin; state Exp; branches; next ; commitid vv3qcCjaL8wmpQRE; 1.1.1.1 date 2014.10.19.16.28.38; author christos; state Exp; branches 1.1.1.1.2.1; next 1.1.1.2; commitid IpPIAjhtQdotwPUx; 1.1.1.2 date 2015.07.03.00.54.47; author christos; state Exp; branches; next 1.1.1.3; commitid t0cRLxDR49Eh6Mry; 1.1.1.3 date 2016.03.11.01.50.02; author christos; state Exp; branches 1.1.1.3.2.1 1.1.1.3.4.1; next 1.1.1.4; commitid HppexSDs3UVGiaYy; 1.1.1.4 date 2021.03.05.17.45.27; author christos; state Exp; branches; next 1.1.1.5; commitid jkD4d70FD0RU59KC; 1.1.1.5 date 2025.10.11.15.36.59; author christos; state Exp; branches; next ; commitid POe68kUMZQsrlaeG; 1.1.1.1.2.1 date 2014.10.19.16.28.38; author riz; state dead; branches; next 1.1.1.1.2.2; commitid HvseHc4xVzxnTzjy; 1.1.1.1.2.2 date 2015.04.30.06.07.31; author riz; state Exp; branches; next ; commitid HvseHc4xVzxnTzjy; 1.1.1.3.2.1 date 2017.03.20.06.51.53; author pgoyette; state Exp; branches; next ; commitid jjw7cAwgyKq7RfKz; 1.1.1.3.4.1 date 2017.04.21.16.50.57; author bouyer; state Exp; branches; next ; commitid dUG7nkTKALCadqOz; desc @@ 1.4 log @Merge changes between OpenSSH-10.0 and 10.2 @ text @# $OpenBSD: Makefile,v 1.7 2025/06/16 09:09:42 dtucker Exp $ .include # The larger ones will take many days, so if you're going to regen them run # it in a tmux session or something. The checkpoints should make it safe # to stop and restart. # The sizes match those in dh.c:dh_estimate() plus some historic sizes. DHSIZE=2048 3072 4096 6144 7680 8192 .for bits in ${DHSIZE} MODULI_PARTS+=moduli.${bits} WORK_MODULI_PARTS+=${.OBJDIR}/moduli.${bits}.sieved.gz .endfor all: ${MODULI_PARTS} update-moduli: ${MODULI_PARTS} ( \ echo -n '# $$Open'; echo 'BSD$$'; \ echo '# Time Type Tests Tries Size Generator Modulus'; \ for i in ${MODULI_PARTS}; do head -100 $$i; done \ ) > ${BSDSRCDIR}/etc/moduli clean: rm -f ${WORK_MODULI_PARTS} .for bits in ${DHSIZE} moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} .endfor @ 1.3 log @merge local changes between openssh 8.4 and 8.5 @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.6 2020/11/08 12:10:20 dtucker Exp $ d24 1 a24 1 cat ${MODULI_PARTS} \ @ 1.3.10.1 log @Pull up the following, requested by maya in ticket #173: crypto/external/bsd/openssh/dist/misc-agent.c up to 1.2 crypto/external/bsd/openssh/dist/PROTOCOL.certkeys delete crypto/external/bsd/openssh/dist/PROTOCOL.chacha20poly1305 delete crypto/external/bsd/openssh/dist/ssh-dss.c delete crypto/external/bsd/openssh/dist/ssh-sandbox.h delete crypto/external/bsd/openssh/dist/ssh-xmss.c delete crypto/external/bsd/openssh/dist/sshkey-xmss.c delete crypto/external/bsd/openssh/dist/sshkey-xmss.h delete crypto/external/bsd/openssh/dist/xmss_commons.c delete crypto/external/bsd/openssh/dist/xmss_commons.h delete crypto/external/bsd/openssh/dist/xmss_fast.c delete crypto/external/bsd/openssh/dist/xmss_fast.h delete crypto/external/bsd/openssh/dist/xmss_hash.c delete crypto/external/bsd/openssh/dist/xmss_hash.h delete crypto/external/bsd/openssh/dist/xmss_hash_address.c delete crypto/external/bsd/openssh/dist/xmss_hash_address.h delete crypto/external/bsd/openssh/dist/xmss_wots.c delete crypto/external/bsd/openssh/dist/xmss_wots.h delete crypto/external/bsd/openssh/Makefile.inc up to 1.20 crypto/external/bsd/openssh/bin/Makefile.inc up to 1.9 crypto/external/bsd/openssh/bin/ssh-agent/Makefile up to 1.8 crypto/external/bsd/openssh/bin/ssh-keygen/Makefile up to 1.12 crypto/external/bsd/openssh/bin/ssh-keyscan/Makefile up to 1.7 crypto/external/bsd/openssh/dist/PROTOCOL up to 1.25 crypto/external/bsd/openssh/dist/PROTOCOL.agent up to 1.19 crypto/external/bsd/openssh/dist/auth-krb5.c up to 1.19 crypto/external/bsd/openssh/dist/auth-options.c up to 1.30 crypto/external/bsd/openssh/dist/auth-passwd.c up to 1.14 crypto/external/bsd/openssh/dist/auth.c up to 1.39 crypto/external/bsd/openssh/dist/auth.h up to 1.25 crypto/external/bsd/openssh/dist/auth2-chall.c up to 1.20 crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 1.25 crypto/external/bsd/openssh/dist/auth2-krb5.c up to 1.12 crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.37 crypto/external/bsd/openssh/dist/auth2-pubkeyfile.c up to 1.4 crypto/external/bsd/openssh/dist/authfd.c up to 1.28 crypto/external/bsd/openssh/dist/authfd.h up to 1.18 crypto/external/bsd/openssh/dist/authfile.c up to 1.30 crypto/external/bsd/openssh/dist/channels.c up to 1.47 crypto/external/bsd/openssh/dist/channels.h up to 1.30 crypto/external/bsd/openssh/dist/cipher.c up to 1.26 crypto/external/bsd/openssh/dist/clientloop.c up to 1.44 crypto/external/bsd/openssh/dist/digest-libc.c up to 1.11 crypto/external/bsd/openssh/dist/dispatch.c up to 1.12 crypto/external/bsd/openssh/dist/dns.c up to 1.24 crypto/external/bsd/openssh/dist/dns.h up to 1.14 crypto/external/bsd/openssh/dist/gss-genr.c up to 1.15 crypto/external/bsd/openssh/dist/gss-serv.c up to 1.17 crypto/external/bsd/openssh/dist/hash.c up to 1.9 crypto/external/bsd/openssh/dist/hmac.c up to 1.9 crypto/external/bsd/openssh/dist/hostfile.c up to 1.24 crypto/external/bsd/openssh/dist/includes.h up to 1.11 crypto/external/bsd/openssh/dist/kex-names.c up to 1.4 crypto/external/bsd/openssh/dist/kex.c up to 1.39 crypto/external/bsd/openssh/dist/kex.h up to 1.28 crypto/external/bsd/openssh/dist/kexdh.c up to 1.11 crypto/external/bsd/openssh/dist/kexecdh.c up to 1.9 crypto/external/bsd/openssh/dist/kexgexc.c up to 1.18 crypto/external/bsd/openssh/dist/kexgexs.c up to 1.25 crypto/external/bsd/openssh/dist/krl.c up to 1.26 crypto/external/bsd/openssh/dist/log.c up to 1.33 crypto/external/bsd/openssh/dist/mac.c up to 1.17 crypto/external/bsd/openssh/dist/misc.c up to 1.40 crypto/external/bsd/openssh/dist/misc.h up to 1.32 crypto/external/bsd/openssh/dist/moduli.c up to 1.18 crypto/external/bsd/openssh/dist/monitor.c up to 1.50 crypto/external/bsd/openssh/dist/monitor_wrap.c up to 1.37 crypto/external/bsd/openssh/dist/monitor_wrap.h up to 1.26 crypto/external/bsd/openssh/dist/mux.c up to 1.39 crypto/external/bsd/openssh/dist/packet.c up to 1.56 crypto/external/bsd/openssh/dist/packet.h up to 1.29 crypto/external/bsd/openssh/dist/pathnames.h up to 1.18 crypto/external/bsd/openssh/dist/pkcs11.h up to 1.7 crypto/external/bsd/openssh/dist/progressmeter.c up to 1.17 crypto/external/bsd/openssh/dist/readconf.c up to 1.50 crypto/external/bsd/openssh/dist/readconf.h up to 1.37 crypto/external/bsd/openssh/dist/readpass.c up to 1.20 crypto/external/bsd/openssh/dist/scp.1 up to 1.33 crypto/external/bsd/openssh/dist/scp.c up to 1.44 crypto/external/bsd/openssh/dist/servconf.c up to 1.51 crypto/external/bsd/openssh/dist/serverloop.c up to 1.39 crypto/external/bsd/openssh/dist/session.c up to 1.44 crypto/external/bsd/openssh/dist/sftp-client.c up to 1.38 crypto/external/bsd/openssh/dist/sftp-client.h up to 1.19 crypto/external/bsd/openssh/dist/sftp-server.c up to 1.32 crypto/external/bsd/openssh/dist/sftp.c up to 1.43 crypto/external/bsd/openssh/dist/sk-usbhid.c up to 1.11 crypto/external/bsd/openssh/dist/srclimit.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-add.1 up to 1.21 crypto/external/bsd/openssh/dist/ssh-add.c up to 1.33 crypto/external/bsd/openssh/dist/ssh-agent.1 up to 1.21 crypto/external/bsd/openssh/dist/ssh-agent.c up to 1.43 crypto/external/bsd/openssh/dist/ssh-ecdsa.c up to 1.17 crypto/external/bsd/openssh/dist/ssh-ed25519.c up to 1.11 crypto/external/bsd/openssh/dist/ssh-keygen.1 up to 1.41 crypto/external/bsd/openssh/dist/ssh-keygen.c up to 1.50 crypto/external/bsd/openssh/dist/ssh-keyscan.1 up to 1.20 crypto/external/bsd/openssh/dist/ssh-keyscan.c up to 1.37 crypto/external/bsd/openssh/dist/ssh-keysign.c up to 1.28 crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c up to 1.21 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c up to 1.24 crypto/external/bsd/openssh/dist/ssh-pkcs11.c up to 1.30 crypto/external/bsd/openssh/dist/ssh-pkcs11.h up to 1.10 crypto/external/bsd/openssh/dist/ssh-rsa.c up to 1.21 crypto/external/bsd/openssh/dist/ssh-sk-helper.c up to 1.8 crypto/external/bsd/openssh/dist/ssh.c up to 1.48 crypto/external/bsd/openssh/dist/ssh_config up to 1.17 crypto/external/bsd/openssh/dist/ssh_config.5 up to 1.45 crypto/external/bsd/openssh/dist/sshbuf-misc.c up to 1.15 crypto/external/bsd/openssh/dist/sshbuf.h up to 1.22 crypto/external/bsd/openssh/dist/sshconnect.c up to 1.41 crypto/external/bsd/openssh/dist/sshconnect2.c up to 1.52 crypto/external/bsd/openssh/dist/sshd-auth.c up to 1.4 crypto/external/bsd/openssh/dist/sshd-session.c up to 1.11 crypto/external/bsd/openssh/dist/sshd.8 up to 1.34 crypto/external/bsd/openssh/dist/sshd.c up to 1.56 crypto/external/bsd/openssh/dist/sshd_config.5 up to 1.48 crypto/external/bsd/openssh/dist/sshkey.c up to 1.36 crypto/external/bsd/openssh/dist/sshkey.h up to 1.25 crypto/external/bsd/openssh/dist/sshsig.c up to 1.16 crypto/external/bsd/openssh/dist/umac.c up to 1.23 crypto/external/bsd/openssh/dist/version.h up to 1.52 crypto/external/bsd/openssh/dist/xmalloc.c up to 1.14 crypto/external/bsd/openssh/dist/moduli-gen/Makefile up to 1.4 crypto/external/bsd/openssh/dist/moduli-gen/moduli-gen.sh up to 1.1.1.4 crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 up to 1.21 crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 up to 1.23 crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 up to 1.23 crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 up to 1.23 crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 up to 1.23 crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 up to 1.23 crypto/external/bsd/openssh/lib/Makefile up to 1.47 crypto/external/bsd/openssh/lib/shlib_version up to 1.41 crypto/external/bsd/openssh/lib/ssh.expsym up to 1.4 crypto/external/bsd/openssh/libexec/Makefile up to 1.4 crypto/external/bsd/openssh/libexec/ssh-sk-helper/Makefile up to 1.5 crypto/external/bsd/openssh/libexec/sshd-auth/Makefile up to 1.5 crypto/external/bsd/openssh/libexec/sshd-session/Makefile up to 1.4 lib/libpam/modules/pam_ssh/pam_ssh.c 1.31,1.32 distrib/sets/lists/base/shl.mi (apply patch) distrib/sets/lists/debug/shl.mi (apply patch) doc/3RDPARTY (apply patch) Import OpenSSH 10.2 @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.7 2025/06/16 09:09:42 dtucker Exp $ d24 1 a24 1 for i in ${MODULI_PARTS}; do head -100 $$i; done \ @ 1.2 log @regen @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.5 2015/10/21 06:37:25 doug Exp $ d8 1 @ 1.2.20.1 log @Pull up the following, requested by kim in ticket #1780: crypto/external/bsd/openssh/Makefile.inc up to 1.15 (+patch) crypto/external/bsd/openssh/bin/Makefile.inc up to 1.4 crypto/external/bsd/openssh/bin/scp/Makefile up to 1.6 crypto/external/bsd/openssh/bin/sftp/Makefile up to 1.11 crypto/external/bsd/openssh/bin/sftp-server/Makefile up to 1.4 crypto/external/bsd/openssh/bin/ssh/Makefile up to 1.20 crypto/external/bsd/openssh/bin/ssh-add/Makefile up to 1.3 crypto/external/bsd/openssh/bin/ssh-agent/Makefile up to 1.7 crypto/external/bsd/openssh/bin/ssh-keygen/Makefile up to 1.10 crypto/external/bsd/openssh/bin/ssh-keyscan/Makefile up to 1.6 crypto/external/bsd/openssh/bin/ssh-pkcs11-helper/Makefile up to 1.4 crypto/external/bsd/openssh/bin/sshd/Makefile up to 1.27 (+patch) crypto/external/bsd/openssh/dist/PROTOCOL.sshsig up to 1.1.1.2 crypto/external/bsd/openssh/dist/srclimit.c up to 1.3 crypto/external/bsd/openssh/dist/sftp-realpath.c up to 1.3 crypto/external/bsd/openssh/dist/sntrup761.c up to 1.3 crypto/external/bsd/openssh/dist/sntrup761.sh up to 1.1.1.2 crypto/external/bsd/openssh/dist/sshsig.c up to 1.12 crypto/external/bsd/openssh/dist/sshsig.h up to 1.1.1.5 crypto/external/bsd/openssh/dist/addr.c up to 1.6 crypto/external/bsd/openssh/dist/PROTOCOL.u2f up to 1.1.1.3 crypto/external/bsd/openssh/dist/sk-api.h up to 1.1.1.6 crypto/external/bsd/openssh/dist/sk-usbhid.c up to 1.9 crypto/external/bsd/openssh/dist/ssh-ecdsa-sk.c up to 1.4 crypto/external/bsd/openssh/dist/ssh-ed25519-sk.c up to 1.5 crypto/external/bsd/openssh/dist/ssh-sk-client.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-sk-helper.8 up to 1.1.1.2 crypto/external/bsd/openssh/dist/ssh-sk-helper.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-sk.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-sk.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/sshbuf-io.c up to 1.2 crypto/external/bsd/openssh/dist/addr.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/kexsntrup761x25519.c up to 1.3 crypto/external/bsd/openssh/dist/cipher-chachapoly-libcrypto.c up to 1.3 crypto/external/bsd/openssh/dist/srclimit.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/auth2-pubkeyfile.c up to 1.3 crypto/external/bsd/openssh/dist/sftp-usergroup.c up to 1.3 crypto/external/bsd/openssh/dist/sftp-usergroup.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ed25519.sh up to 1.1.1.1 crypto/external/bsd/openssh/dist/crc32.c delete crypto/external/bsd/openssh/dist/crc32.h delete crypto/external/bsd/openssh/dist/fe25519.c delete crypto/external/bsd/openssh/dist/fe25519.h delete crypto/external/bsd/openssh/dist/ge25519.c delete crypto/external/bsd/openssh/dist/ge25519.h delete crypto/external/bsd/openssh/dist/ge25519_base.data delete crypto/external/bsd/openssh/dist/kexsntrup4591761x25519.c delete crypto/external/bsd/openssh/dist/sc25519.c delete crypto/external/bsd/openssh/dist/sc25519.h delete crypto/external/bsd/openssh/dist/sntrup4591761.c delete crypto/external/bsd/openssh/dist/sntrup4591761.sh delete crypto/external/bsd/openssh/dist/uuencode.c delete crypto/external/bsd/openssh/dist/uuencode.h delete crypto/external/bsd/openssh/dist/verify.c delete crypto/external/bsd/openssh/dist/LICENCE up to 1.7 crypto/external/bsd/openssh/dist/PROTOCOL up to 1.23 crypto/external/bsd/openssh/dist/PROTOCOL.agent up to 1.15 crypto/external/bsd/openssh/dist/PROTOCOL.certkeys up to 1.13 crypto/external/bsd/openssh/dist/PROTOCOL.chacha20poly1305 up to 1.1.1.4 crypto/external/bsd/openssh/dist/PROTOCOL.key up to 1.1.1.3 crypto/external/bsd/openssh/dist/PROTOCOL.krl up to 1.1.1.5 crypto/external/bsd/openssh/dist/PROTOCOL.mux up to 1.12 crypto/external/bsd/openssh/dist/addrmatch.c up to 1.15 crypto/external/bsd/openssh/dist/auth-krb5.c up to 1.16 crypto/external/bsd/openssh/dist/auth-options.c up to 1.29 crypto/external/bsd/openssh/dist/auth-options.h up to 1.15 crypto/external/bsd/openssh/dist/auth-pam.c up to 1.21 crypto/external/bsd/openssh/dist/auth-passwd.c up to 1.13 crypto/external/bsd/openssh/dist/auth-rhosts.c up to 1.16 crypto/external/bsd/openssh/dist/auth.c up to 1.34 crypto/external/bsd/openssh/dist/auth.h up to 1.23 crypto/external/bsd/openssh/dist/auth2-chall.c up to 1.19 crypto/external/bsd/openssh/dist/auth2-gss.c up to 1.17 crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 1.23 crypto/external/bsd/openssh/dist/auth2-kbdint.c up to 1.15 crypto/external/bsd/openssh/dist/auth2-krb5.c up to 1.10 crypto/external/bsd/openssh/dist/auth2-none.c up to 1.14 crypto/external/bsd/openssh/dist/auth2-passwd.c up to 1.16 crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.34 crypto/external/bsd/openssh/dist/auth2.c up to 1.29 crypto/external/bsd/openssh/dist/authfd.c up to 1.27 crypto/external/bsd/openssh/dist/authfd.h up to 1.17 crypto/external/bsd/openssh/dist/authfile.c up to 1.28 crypto/external/bsd/openssh/dist/authfile.h up to 1.10 crypto/external/bsd/openssh/dist/canohost.c up to 1.16 crypto/external/bsd/openssh/dist/chacha.c up to 1.6 crypto/external/bsd/openssh/dist/chacha.h up to 1.3 crypto/external/bsd/openssh/dist/channels.c up to 1.42 crypto/external/bsd/openssh/dist/channels.h up to 1.26 crypto/external/bsd/openssh/dist/cipher-chachapoly.c up to 1.7 crypto/external/bsd/openssh/dist/cipher-chachapoly.h up to 1.3 crypto/external/bsd/openssh/dist/cipher.c up to 1.21 crypto/external/bsd/openssh/dist/cipher.h up to 1.17 crypto/external/bsd/openssh/dist/clientloop.c up to 1.39 crypto/external/bsd/openssh/dist/clientloop.h up to 1.18 crypto/external/bsd/openssh/dist/compat.c up to 1.26 crypto/external/bsd/openssh/dist/compat.h up to 1.18 crypto/external/bsd/openssh/dist/crypto_api.h up to 1.5 crypto/external/bsd/openssh/dist/dh.c up to 1.20 crypto/external/bsd/openssh/dist/dh.h up to 1.13 crypto/external/bsd/openssh/dist/digest-libc.c up to 1.8 crypto/external/bsd/openssh/dist/digest-openssl.c up to 1.9 crypto/external/bsd/openssh/dist/dispatch.c up to 1.11 crypto/external/bsd/openssh/dist/dns.c up to 1.23 crypto/external/bsd/openssh/dist/dns.h up to 1.13 crypto/external/bsd/openssh/dist/ed25519.c up to 1.6 crypto/external/bsd/openssh/dist/fatal.c up to 1.7 crypto/external/bsd/openssh/dist/getrrsetbyname.c up to 1.6 crypto/external/bsd/openssh/dist/gss-genr.c up to 1.11 crypto/external/bsd/openssh/dist/gss-serv.c up to 1.15 crypto/external/bsd/openssh/dist/hash.c up to 1.7 crypto/external/bsd/openssh/dist/hmac.c up to 1.8 crypto/external/bsd/openssh/dist/hostfile.c up to 1.23 crypto/external/bsd/openssh/dist/hostfile.h up to 1.11 crypto/external/bsd/openssh/dist/includes.h up to 1.9 crypto/external/bsd/openssh/dist/kex.c up to 1.34 crypto/external/bsd/openssh/dist/kex.h up to 1.24 crypto/external/bsd/openssh/dist/kexdh.c up to 1.10 crypto/external/bsd/openssh/dist/kexgen.c up to 1.7 crypto/external/bsd/openssh/dist/kexgexc.c up to 1.17 crypto/external/bsd/openssh/dist/kexgexs.c up to 1.23 crypto/external/bsd/openssh/dist/krl.c up to 1.23 crypto/external/bsd/openssh/dist/krl.h up to 1.6 crypto/external/bsd/openssh/dist/ldapauth.c up to 1.8 crypto/external/bsd/openssh/dist/ldapauth.h up to 1.6 crypto/external/bsd/openssh/dist/log.c up to 1.27 crypto/external/bsd/openssh/dist/log.h up to 1.17 crypto/external/bsd/openssh/dist/mac.c up to 1.16 crypto/external/bsd/openssh/dist/match.c up to 1.16 crypto/external/bsd/openssh/dist/match.h up to 1.11 crypto/external/bsd/openssh/dist/misc.c up to 1.35 crypto/external/bsd/openssh/dist/misc.h up to 1.27 crypto/external/bsd/openssh/dist/moduli up to 1.10 crypto/external/bsd/openssh/dist/moduli.c up to 1.17 crypto/external/bsd/openssh/dist/monitor.c up to 1.43 crypto/external/bsd/openssh/dist/monitor.h up to 1.13 crypto/external/bsd/openssh/dist/monitor_fdpass.c up to 1.9 crypto/external/bsd/openssh/dist/monitor_wrap.c up to 1.34 crypto/external/bsd/openssh/dist/monitor_wrap.h up to 1.23 crypto/external/bsd/openssh/dist/msg.c up to 1.11 crypto/external/bsd/openssh/dist/mux.c up to 1.35 crypto/external/bsd/openssh/dist/myproposal.h up to 1.24 crypto/external/bsd/openssh/dist/namespace.h up to 1.10 crypto/external/bsd/openssh/dist/nchan.c up to 1.14 crypto/external/bsd/openssh/dist/packet.c up to 1.50 crypto/external/bsd/openssh/dist/packet.h up to 1.26 crypto/external/bsd/openssh/dist/pathnames.h up to 1.15 crypto/external/bsd/openssh/dist/pfilter.c up to 1.8 (+patch) crypto/external/bsd/openssh/dist/poly1305.c up to 1.6 crypto/external/bsd/openssh/dist/progressmeter.c up to 1.15 crypto/external/bsd/openssh/dist/readconf.c up to 1.44 crypto/external/bsd/openssh/dist/readconf.h up to 1.34 crypto/external/bsd/openssh/dist/readpass.c up to 1.18 crypto/external/bsd/openssh/dist/rijndael.h up to 1.3 crypto/external/bsd/openssh/dist/sandbox-pledge.c up to 1.3 crypto/external/bsd/openssh/dist/sandbox-rlimit.c up to 1.7 crypto/external/bsd/openssh/dist/scp.1 up to 1.31 crypto/external/bsd/openssh/dist/scp.c up to 1.41 crypto/external/bsd/openssh/dist/servconf.c up to 1.44 crypto/external/bsd/openssh/dist/servconf.h up to 1.30 crypto/external/bsd/openssh/dist/serverloop.c up to 1.35 crypto/external/bsd/openssh/dist/session.c up to 1.38 crypto/external/bsd/openssh/dist/session.h up to 1.10 crypto/external/bsd/openssh/dist/sftp-client.c up to 1.35 crypto/external/bsd/openssh/dist/sftp-client.h up to 1.18 crypto/external/bsd/openssh/dist/sftp-common.c up to 1.14 crypto/external/bsd/openssh/dist/sftp-common.h up to 1.8 crypto/external/bsd/openssh/dist/sftp-glob.c up to 1.15 crypto/external/bsd/openssh/dist/sftp-server-main.c up to 1.8 crypto/external/bsd/openssh/dist/sftp-server.8 up to 1.14 crypto/external/bsd/openssh/dist/sftp-server.c up to 1.30 crypto/external/bsd/openssh/dist/sftp.1 up to 1.30 crypto/external/bsd/openssh/dist/sftp.c up to 1.39 crypto/external/bsd/openssh/dist/ssh-add.1 up to 1.18 crypto/external/bsd/openssh/dist/ssh-add.c up to 1.30 crypto/external/bsd/openssh/dist/ssh-agent.1 up to 1.19 crypto/external/bsd/openssh/dist/ssh-agent.c up to 1.37 crypto/external/bsd/openssh/dist/ssh-dss.c up to 1.18 crypto/external/bsd/openssh/dist/ssh-ecdsa.c up to 1.15 crypto/external/bsd/openssh/dist/ssh-ed25519.c up to 1.10 crypto/external/bsd/openssh/dist/ssh-gss.h up to 1.10 crypto/external/bsd/openssh/dist/ssh-keygen.1 up to 1.34 crypto/external/bsd/openssh/dist/ssh-keygen.c up to 1.46 crypto/external/bsd/openssh/dist/ssh-keyscan.1 up to 1.18 crypto/external/bsd/openssh/dist/ssh-keyscan.c up to 1.32 crypto/external/bsd/openssh/dist/ssh-keysign.8 up to 1.14 crypto/external/bsd/openssh/dist/ssh-keysign.c up to 1.24 crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c up to 1.19 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.8 up to 1.12 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c up to 1.22 crypto/external/bsd/openssh/dist/ssh-pkcs11.c up to 1.26 crypto/external/bsd/openssh/dist/ssh-pkcs11.h up to 1.9 crypto/external/bsd/openssh/dist/ssh-rsa.c up to 1.19 crypto/external/bsd/openssh/dist/ssh-xmss.c up to 1.6 crypto/external/bsd/openssh/dist/ssh.1 up to 1.39 crypto/external/bsd/openssh/dist/ssh.c up to 1.45 crypto/external/bsd/openssh/dist/ssh.h up to 1.13 crypto/external/bsd/openssh/dist/ssh2.h up to 1.15 crypto/external/bsd/openssh/dist/ssh_api.c up to 1.15 crypto/external/bsd/openssh/dist/ssh_config up to 1.16 crypto/external/bsd/openssh/dist/ssh_config.5 up to 1.40 crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c up to 1.12 crypto/external/bsd/openssh/dist/sshbuf-getput-crypto.c up to 1.11 crypto/external/bsd/openssh/dist/sshbuf-misc.c up to 1.14 crypto/external/bsd/openssh/dist/sshbuf.c up to 1.14 crypto/external/bsd/openssh/dist/sshbuf.h up to 1.19 crypto/external/bsd/openssh/dist/sshconnect.c up to 1.37 crypto/external/bsd/openssh/dist/sshconnect.h up to 1.17 crypto/external/bsd/openssh/dist/sshconnect2.c up to 1.46 crypto/external/bsd/openssh/dist/sshd.8 up to 1.31 crypto/external/bsd/openssh/dist/sshd.c up to 1.50 crypto/external/bsd/openssh/dist/sshd_config up to 1.28 crypto/external/bsd/openssh/dist/sshd_config.5 up to 1.42 crypto/external/bsd/openssh/dist/ssherr.c up to 1.10 crypto/external/bsd/openssh/dist/ssherr.h up to 1.4 crypto/external/bsd/openssh/dist/sshkey-xmss.c up to 1.10 crypto/external/bsd/openssh/dist/sshkey-xmss.h up to 1.5 crypto/external/bsd/openssh/dist/sshkey.c up to 1.32 crypto/external/bsd/openssh/dist/sshkey.h up to 1.19 crypto/external/bsd/openssh/dist/sshlogin.c up to 1.13 crypto/external/bsd/openssh/dist/sshpty.c up to 1.8 crypto/external/bsd/openssh/dist/ttymodes.c up to 1.12 crypto/external/bsd/openssh/dist/uidswap.c up to 1.10 crypto/external/bsd/openssh/dist/umac.c up to 1.22 crypto/external/bsd/openssh/dist/umac.h up to 1.10 crypto/external/bsd/openssh/dist/utf8.c up to 1.9 crypto/external/bsd/openssh/dist/utf8.h up to 1.5 crypto/external/bsd/openssh/dist/version.h up to 1.44 crypto/external/bsd/openssh/dist/xmalloc.c up to 1.13 crypto/external/bsd/openssh/dist/xmalloc.h up to 1.16 crypto/external/bsd/openssh/dist/xmss_hash.c up to 1.3 crypto/external/bsd/openssh/dist/moduli-gen/Makefile up to 1.3 crypto/external/bsd/openssh/dist/moduli-gen/moduli-gen.sh up to 1.1.1.3 crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 up to 1.16 crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 up to 1.18 crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 up to 1.18 crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 up to 1.18 crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 up to 1.18 crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 up to 1.18 crypto/external/bsd/openssh/lib/Makefile up to 1.38 crypto/external/bsd/openssh/lib/shlib_version up to 1.36 crypto/external/bsd/openssh/openssh2netbsd up to 1.4 lib/libpam/modules/pam_ssh/Makefile up to 1.13 lib/libpam/modules/pam_ssh/pam_ssh.c up to 1.30 distrib/sets/lists/base/shl.mi (apply patch) distrib/sets/lists/debug/shl.mi (apply patch) doc/3RDPARTY (apply patch) Update OpenSSH to 9.6. @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.6 2020/11/08 12:10:20 dtucker Exp $ a7 1 # The sizes match those in dh.c:dh_estimate() plus some historic sizes. @ 1.2.12.1 log @file Makefile was added on branch netbsd-6 on 2017-08-15 05:27:53 +0000 @ text @d1 32 @ 1.2.12.2 log @Apply patch (requested by mrg in ticket #1468): Update OpenSSH to 7.5. @ text @a0 32 # $OpenBSD: Makefile,v 1.5 2015/10/21 06:37:25 doug Exp $ .include # The larger ones will take many days, so if you're going to regen them run # it in a tmux session or something. The checkpoints should make it safe # to stop and restart. DHSIZE=2048 3072 4096 6144 7680 8192 .for bits in ${DHSIZE} MODULI_PARTS+=moduli.${bits} WORK_MODULI_PARTS+=${.OBJDIR}/moduli.${bits}.sieved.gz .endfor all: ${MODULI_PARTS} update-moduli: ${MODULI_PARTS} ( \ echo -n '# $$Open'; echo 'BSD$$'; \ echo '# Time Type Tests Tries Size Generator Modulus'; \ cat ${MODULI_PARTS} \ ) > ${BSDSRCDIR}/etc/moduli clean: rm -f ${WORK_MODULI_PARTS} .for bits in ${DHSIZE} moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} .endfor @ 1.2.10.1 log @file Makefile was added on branch netbsd-6-1 on 2017-08-15 05:17:58 +0000 @ text @d1 32 @ 1.2.10.2 log @Apply patch (requested by mrg in ticket #1468): Update OpenSSH to 7.5. @ text @a0 32 # $OpenBSD: Makefile,v 1.5 2015/10/21 06:37:25 doug Exp $ .include # The larger ones will take many days, so if you're going to regen them run # it in a tmux session or something. The checkpoints should make it safe # to stop and restart. DHSIZE=2048 3072 4096 6144 7680 8192 .for bits in ${DHSIZE} MODULI_PARTS+=moduli.${bits} WORK_MODULI_PARTS+=${.OBJDIR}/moduli.${bits}.sieved.gz .endfor all: ${MODULI_PARTS} update-moduli: ${MODULI_PARTS} ( \ echo -n '# $$Open'; echo 'BSD$$'; \ echo '# Time Type Tests Tries Size Generator Modulus'; \ cat ${MODULI_PARTS} \ ) > ${BSDSRCDIR}/etc/moduli clean: rm -f ${WORK_MODULI_PARTS} .for bits in ${DHSIZE} moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} .endfor @ 1.2.8.1 log @file Makefile was added on branch netbsd-6-0 on 2017-08-15 04:53:01 +0000 @ text @d1 32 @ 1.2.8.2 log @Apply patch (requested by mrg in ticket #1468): Update OpenSSH to 7.5. @ text @a0 32 # $OpenBSD: Makefile,v 1.5 2015/10/21 06:37:25 doug Exp $ .include # The larger ones will take many days, so if you're going to regen them run # it in a tmux session or something. The checkpoints should make it safe # to stop and restart. DHSIZE=2048 3072 4096 6144 7680 8192 .for bits in ${DHSIZE} MODULI_PARTS+=moduli.${bits} WORK_MODULI_PARTS+=${.OBJDIR}/moduli.${bits}.sieved.gz .endfor all: ${MODULI_PARTS} update-moduli: ${MODULI_PARTS} ( \ echo -n '# $$Open'; echo 'BSD$$'; \ echo '# Time Type Tests Tries Size Generator Modulus'; \ cat ${MODULI_PARTS} \ ) > ${BSDSRCDIR}/etc/moduli clean: rm -f ${WORK_MODULI_PARTS} .for bits in ${DHSIZE} moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} .endfor @ 1.1 log @Initial revision @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.2 2013/10/14 02:57:59 dtucker Exp $ a4 2 all: moduli d8 1 a8 1 DHSIZE=1024 1536 2048 3072 4096 6144 7680 8192 d12 3 a15 3 moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} .endfor d17 3 a19 1 moduli: ${MODULI_PARTS} d24 1 a24 1 ) > moduli d26 2 a27 2 update-moduli: cp moduli ${BSDSRCDIR}/etc/moduli a28 1 clean: d30 2 a31 1 rm -f ${.OBJDIR}/moduli.${bits}.sieved.gz @ 1.1.1.1 log @Changes since OpenSSH 6.6 ========================= Potentially-incompatible changes * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. * sshd(8): Support for tcpwrappers/libwrap has been removed. * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features * Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. * sftp(1): Allow resumption of interrupted uploads. * ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange; bz#2154 * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222 * sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160 * ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths; bz#2220 * sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199 * Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target. Bugfixes * sshd(8): Fix remote forwarding with the same listen port but different listen address. * ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config or on the commandline not to be preferred. * ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted. * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0; bz#2255 * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border; bz#2247 * ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236 * ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234 * ssh-keygen(1): When hashing or removing hosts, don't choke on @@revoked markers and don't remove @@cert-authority markers; bz#2241 * ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion) * scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end. * sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string; bz#2238 * ssh-keyscan(1): Scan for Ed25519 keys by default. * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down- convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. * sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225 * Fix some strict-alignment errors. Portable OpenSSH * Portable OpenSSH now supports building against libressl-portable. * Portable OpenSSH now requires openssl 0.9.8f or greater. Older versions are no longer supported. * In the OpenSSL version check, allow fix version upgrades (but not downgrades. Debian bug #748150. * sshd(8): On Cygwin, determine privilege separation user at runtime, since it may need to be a domain account. * sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for non-root users, and for them it just messes up the tty settings. * Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly. bz#2228 * Add support for ed25519 to opensshd.init init script. * sftp-server(8): On platforms that support it, use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps} Changes since OpenSSH 6.5 ========================= This is primarily a bugfix release. Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. New / changed features: * ssh(1), sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time. * ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 * ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. bz#2205 * sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. bz#2107 * ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated. * ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified. * ssh(1), sshd(8): fix memory leak in ECDSA signature verification. * ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again (regression in 6.5). Portable OpenSSH: * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel. * Fix build using the HP-UX compiler. Changes since OpenSSH 6.4 ========================= This is a feature-focused release. New features: * ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it. * ssh(1), sshd(8): Add support for Ed25519 as a public key type. Ed25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. This format is used unconditionally for Ed25519 keys, but may be requested when generating or saving existing keys of other types via the -o ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file. * ssh(1), sshd(8): Add a new transport cipher "chacha20-poly1305@@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file. * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419. * ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide X.509 certs instead of raw public keys (requested as bz#1908). * ssh(1): Add a ssh_config(5) "Match" keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands. * ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names. * sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name. * sftp-server(8): Add a sftp "fsync@@openssh.com" to support calling fsync(2) on an open file handle. * sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option. * ssh(1): Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data. Bugfixes: * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested certificates. * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort. * sftp(1): bz#2137: fix the progress meter for resumed transfer. * ssh-add(1): bz#2187: do not request smartcard PIN when removing keys from ssh-agent. * sshd(8): bz#2139: fix re-exec fallback when original sshd binary cannot be executed. * ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time. * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block. * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise the target path. * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent helper executable. * sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any). * sshd(8): bz#1297: tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting. * sshd(8): bz#2162: include report port in bad protocol banner message. * sftp(1): bz#2163: fix memory leak in error path in do_readdir(). * sftp(1): bz#2171: don't leak file descriptor on error. * sshd(8): Include the local address and port in "Connection from ..." message (only shown at loglevel>=verbose). Portable OpenSSH: * Please note that this is the last version of Portable OpenSSH that will support versions of OpenSSL prior to 0.9.6. Support (i.e. SSH_OLD_EVP) will be removed following the 6.5p1 release. * Portable OpenSSH will attempt compile and link as a Position Independent Executable on Linux, OS X and OpenBSD on recent gcc- like compilers. Other platforms and older/other compilers may request this using the --with-pie configure flag. * A number of other toolchain-related hardening options are used automatically if available, including -ftrapv to abort on signed integer overflow and options to write-protect dynamic linking information. The use of these options may be disabled using the --without-hardening configure flag. * If the toolchain supports it, one of the -fstack-protector-strong, -fstack-protector-all or -fstack-protector compilation flag are used to add guards to mitigate attacks based on stack overflows. The use of these options may be disabled using the --without-stackprotect configure option. * sshd(8): Add support for pre-authentication sandboxing using the Capsicum API introduced in FreeBSD 10. * Switch to a ChaCha20-based arc4random() PRNG for platforms that do not provide their own. * sshd(8): bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart. * sshd(8): bz#2032: use local username in krb5_kuserok check rather than full client name which may be of form user@@REALM. * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in OpenSSL and that they actually work. Fedora (at least) has NID_secp521r1 that doesn't work. * bz#2173: use pkg-config --libs to include correct -L location for libedit. @ text @@ 1.1.1.2 log @Changes since OpenSSH 6.8 ========================= This is primarily a bugfix release. Security -------- * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. New Features ------------ * ssh(1), sshd(8): promote chacha20-poly1305@@openssh.com to be the default cipher * sshd(8): support admin-specified arguments to AuthorizedKeysCommand; bz#2081 * sshd(8): add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file. * ssh(1), ssh-add(1): support PKCS#11 devices with external PIN entry devices bz#2240 * sshd(8): allow GSSAPI host credential check to be relaxed for multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928 * ssh-keygen(1): support "ssh-keygen -lF hostname" to search known_hosts and print key hashes rather than full keys. * ssh-agent(1): add -D flag to leave ssh-agent in foreground without enabling debug mode; bz#2381 Bugfixes -------- * ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP). * Many fixes for problems caused by compile-time deactivation of SSH1 support (including bz#2369) * ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209 * ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396 * sshd(8): fix application of PermitTunnel, LoginGraceTime, AuthenticationMethods and StreamLocalBindMask options in Match blocks * ssh(1), sshd(8): improve disconnection message on TCP reset; bz#2257 * ssh(1): remove failed remote forwards established by muliplexing from the list of active forwards; bz#2363 * sshd(8): make parsing of authorized_keys "environment=" options independent of PermitUserEnv being enabled; bz#2329 * sshd(8): fix post-auth crash with permitopen=none; bz#2355 * ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys to be encrypted with AEAD ciphers; bz#2366 * ssh(1): allow ListenAddress, Port and AddressFamily configuration options to appear in any order; bz#86 * sshd(8): check for and reject missing arguments for VersionAddendum and ForceCommand; bz#2281 * ssh(1), sshd(8): don't treat unknown certificate extensions as fatal; bz#2387 * ssh-keygen(1): make stdout and stderr output consistent; bz#2325 * ssh(1): mention missing DISPLAY environment in debug log when X11 forwarding requested; bz#1682 * sshd(8): correctly record login when UseLogin is set; bz#378 * sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346 * Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288) * ssh(1): include remote username in debug output; bz#2368 * sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00@@openssh.com) * sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5 host key fingerprints; bz#2332 * ssh(1): clarify pseudo-terminal request behaviour and use make manual language consistent; bz#1716 * ssh(1): document that the TERM environment variable is not subject to SendEnv and AcceptEnv; bz#2386 @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.4 2015/05/28 00:54:01 dtucker Exp $ d5 2 d10 1 a10 1 DHSIZE=1536 2048 3072 4096 6144 7680 8192 a14 2 all: ${MODULI_PARTS} d19 1 a19 1 update-moduli: ${MODULI_PARTS} d24 4 a27 1 ) > ${BSDSRCDIR}/etc/moduli @ 1.1.1.3 log @Future deprecation notice ========================= We plan on retiring more legacy cryptography in a near-future release, specifically: * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for future releases. Potentially-incompatible changes ================================ This release disables a number of legacy cryptographic algorithms by default in ssh: * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES. * MD5-based and truncated HMAC algorithms. These algorithms are already disabled by default in sshd. Changes since OpenSSH 7.1p2 =========================== This is primarily a bugfix release. Security -------- * ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2). * ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension. * ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits. * sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config). New Features ------------ * all: add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt. * ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). * sshd(8): add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. * ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436 * ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats. * ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -" * ssh-keygen(1): allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319 * sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486 * ssh-keygen(1): support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L" * ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys. * ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config. Bugfixes -------- * sftp(1): existing destination directories should not terminate recursive uploads (regression in openssh 6.8) bz#2528 * ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. bz#2949 * ssh(1): refuse attempts to set ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. bz#2500 * ssh(1): fix errors when attempting to connect to scoped IPv6 addresses with hostname canonicalisation enabled. * sshd_config(5): list a couple more options usable in Match blocks. bz#2489 * sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block. * ssh(1): expand tilde characters in filenames passed to -i options before checking whether or not the identity file exists. Avoids confusion for cases where shell doesn't expand (e.g. "-i ~/file" vs. "-i~/file"). bz#2481 * ssh(1): do not prepend "exec" to the shell command run by "Match exec" in a config file, which could cause some commands to fail in certain environments. bz#2471 * ssh-keyscan(1): fix output for multiple hosts/addrs on one line when host hashing or a non standard port is in use bz#2479 * sshd(8): skip "Could not chdir to home directory" message when ChrootDirectory is active. bz#2485 * ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump. * sshd(8): avoid changing TunnelForwarding device flags if they are already what is needed; makes it possible to use tun/tap networking as non-root user if device permissions and interface flags are pre-established * ssh(1), sshd(8): RekeyLimits could be exceeded by one packet. bz#2521 * ssh(1): fix multiplexing master failure to notice client exit. * ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present empty key IDs. bz#1773 * sshd(8): avoid printf of NULL argument. bz#2535 * ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521 * ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature support. * ssh(1), sshd(8): fix connections with peers that use the key exchange guess feature of the protocol. bz#2515 * sshd(8): include remote port number in log messages. bz#2503 * ssh(1): don't try to load SSHv1 private key when compiled without SSHv1 support. bz#2505 * ssh-agent(1), ssh(1): fix incorrect error messages during key loading and signing errors. bz#2507 * ssh-keygen(1): don't leave empty temporary files when performing known_hosts file edits when known_hosts doesn't exist. * sshd(8): correct packet format for tcpip-forward replies for requests that don't allocate a port bz#2509 * ssh(1), sshd(8): fix possible hang on closed output. bz#2469 * ssh(1): expand %i in ControlPath to UID. bz#2449 * ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460 * ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182 * ssh(1): add a some debug output before DNS resolution; it's a place where ssh could previously silently stall in cases of unresponsive DNS servers. bz#2433 * ssh(1): remove spurious newline in visual hostkey. bz#2686 * ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+... * ssh(1): fix expansion of HostkeyAlgorithms=+... Documentation ------------- * ssh_config(5), sshd_config(5): update default algorithm lists to match current reality. bz#2527 * ssh(1): mention -Q key-plain and -Q key-cert query options. bz#2455 * sshd_config(8): more clearly describe what AuthorizedKeysFile=none does. * ssh_config(5): better document ExitOnForwardFailure. bz#2444 * sshd(5): mention internal DH-GEX fallback groups in manual. bz#2302 * sshd_config(5): better description for MaxSessions option. bz#2531 Portability ----------- * ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/ Solaris fine-grained privileges. Including a pre-auth privsep sandbox and several pledge() emulations. bz#2511 * Renovate redhat/openssh.spec, removing deprecated options and syntax. * configure: allow --without-ssl-engine with --without-openssl * sshd(8): fix multiple authentication using S/Key. bz#2502 * sshd(8): read back from libcrypto RAND_* before dropping privileges. Avoids sandboxing violations with BoringSSL. * Fix name collision with system-provided glob(3) functions. bz#2463 * Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459 * configure: correct default value for --with-ssh1 bz#2457 * configure: better detection of _res symbol bz#2259 * support getrandom() syscall on Linux @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.5 2015/10/21 06:37:25 doug Exp $ d8 1 a8 1 DHSIZE=2048 3072 4096 6144 7680 8192 @ 1.1.1.4 log @OpenSSH 8.5/8.5p1 (2021-03-03) OpenSSH 8.5 was released on 2021-03-03. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation notice ========================= It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf Security ======== * ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket. On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions. The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access. * Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR212 Potentially-incompatible changes ================================ This release includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@@tinyssh.org method is replaced with sntrup761x25519-sha512@@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. Changes since OpenSSH 8.4 ========================= New features ------------ * ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: - The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile). - The same key does not exist under another name. - A certificate host key is not in use. - known_hosts contains no matching wildcard hostname pattern. - VerifyHostKeyDNS is not enabled. - The default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. * ssh(1), sshd(8): add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists. * ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. * ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. * ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. * ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. * ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. * sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. Bugfixes -------- * ssh(1): Prefix keyboard interactive prompts with "(user@@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224 * sshd(8): fix sshd_config SetEnv directives located inside Match blocks. GHPR201 * ssh(1): when requesting a FIDO token touch on stderr, inform the user once the touch has been recorded. * ssh(1): prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229 * ssh(1): consider the ECDSA key subtype when ordering host key algorithms in the client. * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. * sftp-server(8): add missing lsetstat@@openssh.com documentation and advertisement in the server's SSH2_FXP_VERSION hello packet. * ssh(1), sshd(8): more strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit platforms instead of being limited by LONG_MAX. bz#3206 * Minor man page fixes (capitalization, commas, etc.) bz#3223 * sftp(1): when doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222 * ssh-keygen(1): document the -Z, check the validity of its argument earlier and provide a better error message if it's not correct. bz#2879 * ssh(1): ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320 * sshd_config(5): mention that DisableForwarding is valid in a sshd_config Match block. bz3239 * sftp(1): fix incorrect sorting of "ls -ltr" under some circumstances. bz3248. * ssh(1), sshd(8): fix potential integer truncation of (unlikely) timeout values. bz#3250 * ssh(1): make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type. Portability ----------- * sshd(8): add a number of platform-specific syscalls to the Linux seccomp-bpf sandbox. bz#3232 bz#3260 * sshd(8): remove debug message from sigchld handler that could cause deadlock on some platforms. bz#3259 * Sync contrib/ssh-copy-id with upstream. * unittests: add a hostname function for systems that don't have it. Some systems don't have a hostname command (it's not required by POSIX). The do have uname -n (which is), but not all of those have it report the FQDN. Checksums: ========== - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting Bugs: =============== - Please read https://www.openssh.com/report.html Security bugs should be reported directly to openssh@@openssh.com @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.6 2020/11/08 12:10:20 dtucker Exp $ a7 1 # The sizes match those in dh.c:dh_estimate() plus some historic sizes. @ 1.1.1.5 log @Import OpenSSH-10.2 (previous was 10.0) OpenSSH 10.2/10.2p1 (2025-10-10) OpenSSH 10.2 was released on 2025-10-10. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation warning -------------------------- * A future release of OpenSSH will deprecate support for SHA1 SSHFP records due to weaknesses in the SHA1 hash function. SHA1 SSHFP DNS records will be ignored and ssh-keygen -r will generate only SHA256 SSHFP records. The SHA256 hash algorithm, which has no known weaknesses, has been supported for SSHFP records since OpenSSH 6.1, released in 2012. Changes since OpenSSH 10.1 ========================== This is a bugfix release, primarily to fix a problem that rendered ssh(1) unusable when ControlPersist was enabled. Bugfixes -------- * ssh(1): fix mishandling of terminal connections when ControlPersist was active that rendered the session unusable. bz3872 * ssh-keygen(1): fix download of keys from PKCS#11 tokens. * ssh-keygen(1): fix CA signing operations when the CA key is held in a ssh-agent(1). bz3877 Portability ----------- * All: support platforms without mmap(2), e.g. WASM builds such as https://hterm.org * All: fix builds on FreeBSD for missing fnctl.h include. * All: fix builds on MacOS <10.12 Sierra, which lacks clock_gettime(3) * sshd(8): don't PAM_RHOST if the remote host is the "UNKNOWN" placeholder name. Avoids potential hangs in some PAM modules as they try to resolve it. Note, sshd(8) only uses the "UNKNOWN" name when the connection is not on an IPv4 or IPv6 socket. OpenSSH 10.1/10.1p1 (2025-10-06) OpenSSH 10.1 was released on 2025-10-06. It is available from the mirrors listed at https://www.openssh.com/. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html Future deprecation warning -------------------------- * A future release of OpenSSH will deprecate support for SHA1 SSHFP records due to weaknesses in the SHA1 hash function. SHA1 SSHFP DNS records will be ignored and ssh-keygen -r will generate only SHA256 SSHFP records. The SHA256 hash algorithm, which has no known weaknesses, has been supported for SSHFP records since OpenSSH 6.1, released in 2012. Potentially-incompatible changes -------------------------------- * ssh(1): add a warning when the connection negotiates a non-post quantum key agreement algorithm. This warning has been added due to the risk of "store now, decrypt later" attacks. More details at https://openssh.com/pq.html This warning may be controlled via a new WarnWeakCrypto ssh_config option, defaulting to on. This option is likely to control additional weak crypto warnings in the future. * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS In both client and server the default DSCP (a.k.a IPQoS) values were revised and the way these values are used during runtime has changed. Interactive traffic is now assigned to the EF (Expedited Forwarding) class by default. This provides more appropriate packet prioritisation information for the intermediate network, such as wireless media (cf. RFC 8325). Non-interactive traffic will now use the operating system default DSCP marking. Both the interactive and non-interactive DSCP values may be overridden via the IPQoS keyword, described in ssh_config(5) and sshd_config(5). The appropriate DSCP marking is now automatically selected and updated as needed over the course of a connection's lifetime. ssh(1) and sshd(8) will switch between the interactive and non-interactive IPQoS values depending on the type of SSH channels open at the time. For example, if an sftp session is using the connection alongside a shell session, then the non- interactive value will be used for the duration of the sftp. A connection which contains only interactive sessions is marked EF. * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS) keywords in the IPQoS configuration directive. Type of Service (ToS) was deprecated in the late nineties and replaced with the Differentiated Services architecture, which has significant advantages for operators because it offers more granularity. OpenSSH switched its default IPQoS from ToS to DSCP values in 2018 (openssh-7.7). IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be ignored and will instead use the system default QoS settings. Additionally, a debug message will be logged about the deprecation with a suggestion to use DSCP QoS instead. * ssh-add(1): when adding certificates to an agent, set the expiry to the certificate expiry time plus a short (5 min) grace period. This will cause the agent to automatically remove certificates shortly after they expire. A new ssh-add -N option disables this behaviour. * All: remove experimental support for XMSS keys. This was never enabled by default. We expect to implement a new post-quantum signature scheme in the near future. * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). This ensures processes that have restricted filesystem access that includes /tmp do not ambiently have the ability to use keys in an agent. Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this ability. To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will, by default, only clean up sockets from the same hostname. ssh-agent(1) gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp. Changes since OpenSSH 10.0 ========================== This release contains a minor security fix as well as a number of feature improvements and bugfixes. Security ======== * ssh(1): disallow control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file, and disallow \0 characters in ssh:// URIs. If an ssh(1) commandline was constructed using usernames or URIs obtained from an untrusted source, and if a ProxyCommand that uses the %r expansion was configured, then it may be possible for an attacker to inject shell expressions that may be executed when the proxy command is started. We strongly recommend against using untrusted inputs to construct ssh(1) commandlines. This change also relaxes the validity checks in one small way: usernames supplied via the configuration file as literals (i.e. that have no % expansion characters) are not subject to these validity checks. This allows usernames that contain arbitrary characters to be used, but only via configuration files. This is done on the basis that ssh's configuration is trusted. This issue was reported by David Leadbeater. New features ------------ * ssh(1), sshd(8): add SIGINFO handlers to log active channel and session information. * sshd(8): when refusing a certificate for user authentication, log enough information to identify the certificate in addition to the reason why it was being denied. Makes debugging certificate authorisation problems a bit easier. * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens. * ssh(1): add an ssh_config(5) RefuseConnection option that, when encountered while processing an active section in a configuration, terminates ssh(1) with an error message that contains the argument to the option. This may be useful for expressing reminders or warnings in config files, for example: Match host foo RefuseConnection "foo is deprecated, use splork instead" * sshd(8): make the X11 display number check relative to X11DisplayOffset. This will allow people to use X11DisplayOffset to configure much higher port ranges if they really want, while not changing the default behaviour. * unit tests: the unit test framework now includes some basic benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes" on OpenBSD or "make unit-bench" on Portable OpenSSH. Bugfixes -------- * sshd(8): fix mistracking of MaxStartups process exits in some situations. At worst, this could cause all MaxStartups slots to fill and sshd to refuse new connections. * ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is enabled. bz#3820 * sshd(8): increase the maximum size of the supported configuration from 256KB to 4MB, which ought to be enough for anybody. Fail early and visibly when this limit is breached. bz3808 * sftp(1): during sftp uploads, avoid a condition where a failed write could be ignored if a subsequent write succeeded. This is unlikely but technically possible because sftp servers are allowed to reorder requests. * sshd(8): avoid a race condition when the sshd-auth process exits that could cause a spurious error message to be logged. * sshd(8): log at level INFO when PerSourcePenalties actually blocks access to a source address range. Previously this was logged at level VERBOSE, which hid enforcement actions under default config settings. * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options first-match-wins as advertised. bz3859 * ssh(1): fix an incorrect return value check in the local forward cancellation path that would cause failed cancellations not to be logged. * sshd(8): make "Match !final" not trigger a second parsing pass of ssh_config (unless hostname canonicalisation or a separate "Match final" does). bz3843 * ssh(1): better debug diagnostics when loading keys. Will now list key fingerprint and algorithm (not just algorithm number) as well as making it explicit which keys didn't load. * All: fix a number of memory leaks found by LeakSanitizer, Coverity and manual inspection. * sshd(8): Output the current name for PermitRootLogin's "prohibit-password" in sshd -T instead of its deprecated alias "without-password". bz#3788 * ssh(1): make writing known_hosts lines more atomic by writing the entire line in one operation and using unbuffered stdio. Usually writes to this file are serialised on the "Are you sure you want to continue connecting?" prompt, but if host key checking is disabled and connections were being made with high concurrency then interleaved writes might have been possible. Portability ----------- * sshd(8): check the username didn't change during the PAM transactions. PAM modules can change the user during their execution, but this is not supported by sshd(8). If such a case was incorrectly configured by the system administrator, then sshd(8) could end up using a different username to the one authorised by PAM. * sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow DNS lookups in the audit subsystem. * All: when making a copy of struct passwd, ensure struct fields are non-NULL. Android libc can return NULL pw_gecos, for example. * All: Remove status bits from OpenSSL >=3 version check. * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun forwarding from other OSes fails as soon as the first IPv6 message is sent by the other side (which is usually a Router Solicitation ICMPv6 message which is sent as soon as the interface is up). * ssh(1), ssh-agent(8): check for nlist function presence before attempting to use it instead of relying on the presence of the nlist.h header. Mac OS X, for example, has the header but not the function in the 64bit libraries. * All: fill in missing system header files. Create replacement header files inside openbsd-compat for common headers that are missing on a given platform. Usually these are just empty, but in some cases they'll include the equivalent file. This avoids having to wrap those includes in '#ifdef HAVE_FOO_H' and reduces the diff between Portable OpenSSH and OpenBSD. * sshd(8): handle futex_time64 properly in seccomp sandbox Previously we only allowed __NR_futex, but some 32-bit systems apparently support __NR_futex_time64. We had support for this in the sandbox, but because of a macro error only __NR_futex was allowlisted. * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API. * sshd(8): let ga_init() fail gracefully if getgrouplist does. Apparently getgrouplist() can fail on OSX when passed a non-existent group name. Other platforms seem to return a group list consisting of the numeric gid passed to the function. bz3848 * ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation, preventing a graceful shutdown of an agent via systemd from incorrectly marking the service as "failed". * build: wrap some autoconf macros in AC_CACHE_CHECK. This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler or linker flags. E.g. $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no [...] checking if cc supports compile flag -fzero-call-used-regs=used and linking succeeds... (cached) no @ text @d1 1 a1 1 # $OpenBSD: Makefile,v 1.7 2025/06/16 09:09:42 dtucker Exp $ d24 1 a24 1 for i in ${MODULI_PARTS}; do head -100 $$i; done \ @ 1.1.1.3.4.1 log @Sync with HEAD @ text @a11 2 WORK_MODULI_PARTS+=${.OBJDIR}/moduli.${bits}.sieved.gz .endfor d13 1 d15 3 a17 2 all: ${MODULI_PARTS} a26 2 rm -f ${WORK_MODULI_PARTS} d28 1 a28 2 moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} @ 1.1.1.3.2.1 log @Sync with HEAD @ text @a11 2 WORK_MODULI_PARTS+=${.OBJDIR}/moduli.${bits}.sieved.gz .endfor d13 1 d15 3 a17 2 all: ${MODULI_PARTS} a26 2 rm -f ${WORK_MODULI_PARTS} d28 1 a28 2 moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} @ 1.1.1.1.2.1 log @file Makefile was added on branch netbsd-7 on 2015-04-30 06:07:31 +0000 @ text @d1 32 @ 1.1.1.1.2.2 log @Pull up blacklistd(8), requested by christos in ticket #711: crypto/external/bsd/openssh/dist/moduli-gen/Makefile up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli-gen.sh up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.1024 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.1536 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 up to 1.1.1.1 crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 up to 1.1.1.1 crypto/external/bsd/openssh/dist/bcrypt_pbkdf.c up to 1.2 crypto/external/bsd/openssh/dist/kexc25519.c up to 1.3 crypto/external/bsd/openssh/dist/smult_curve25519_ref.c up to 1.3 crypto/external/bsd/openssh/dist/bitmap.c up to 1.2 plus patch crypto/external/bsd/openssh/dist/PROTOCOL.chacha20poly1305 up to 1.1.1.1 crypto/external/bsd/openssh/dist/PROTOCOL.key up to 1.1.1.1 crypto/external/bsd/openssh/dist/blf.h up to 1.1 crypto/external/bsd/openssh/dist/blocks.c up to 1.3 crypto/external/bsd/openssh/dist/blowfish.c up to 1.2 crypto/external/bsd/openssh/dist/chacha.c up to 1.3 crypto/external/bsd/openssh/dist/chacha.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/cipher-aesctr.c up to 1.1.1.2 crypto/external/bsd/openssh/dist/cipher-aesctr.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/cipher-chachapoly.c up to 1.3 crypto/external/bsd/openssh/dist/cipher-chachapoly.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/crypto_api.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/digest-libc.c up to 1.3 crypto/external/bsd/openssh/dist/digest-openssl.c up to 1.3 crypto/external/bsd/openssh/dist/digest.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/ed25519.c up to 1.3 crypto/external/bsd/openssh/dist/fe25519.c up to 1.3 crypto/external/bsd/openssh/dist/fe25519.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ge25519.c up to 1.3 crypto/external/bsd/openssh/dist/ge25519.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/ge25519_base.data up to 1.1.1.1 crypto/external/bsd/openssh/dist/hash.c up to 1.3 crypto/external/bsd/openssh/dist/hmac.c up to 1.3 crypto/external/bsd/openssh/dist/hmac.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/kexc25519c.c up to 1.3 crypto/external/bsd/openssh/dist/kexc25519s.c up to 1.3 crypto/external/bsd/openssh/dist/poly1305.c up to 1.3 crypto/external/bsd/openssh/dist/poly1305.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/rijndael.c up to 1.1.1.2 crypto/external/bsd/openssh/dist/rijndael.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/sc25519.c up to 1.3 crypto/external/bsd/openssh/dist/sc25519.h up to 1.1.1.1 crypto/external/bsd/openssh/dist/ssh-ed25519.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-getput-crypto.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf-misc.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf.c up to 1.3 crypto/external/bsd/openssh/dist/sshbuf.h up to 1.4 crypto/external/bsd/openssh/dist/ssherr.c up to 1.3 crypto/external/bsd/openssh/dist/ssherr.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/sshkey.c up to 1.3 crypto/external/bsd/openssh/dist/sshkey.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/verify.c up to 1.3 crypto/external/bsd/openssh/dist/opacket.c up to 1.2 crypto/external/bsd/openssh/dist/umac128.c up to 1.1 crypto/external/bsd/openssh/dist/pfilter.c up to 1.2 crypto/external/bsd/openssh/dist/pfilter.h up to 1.1 crypto/external/bsd/openssh/dist/bitmap.h up to 1.2 crypto/external/bsd/openssh/dist/opacket.h up to 1.2 crypto/external/bsd/openssh/dist/ssh_api.c up to 1.2 crypto/external/bsd/openssh/dist/ssh_api.h up to 1.2 crypto/external/bsd/openssh/dist/auth2-jpake.c delete crypto/external/bsd/openssh/dist/compress.c delete crypto/external/bsd/openssh/dist/compress.h delete crypto/external/bsd/openssh/dist/jpake.c delete crypto/external/bsd/openssh/dist/jpake.h delete crypto/external/bsd/openssh/dist/schnorr.c delete crypto/external/bsd/openssh/dist/schnorr.h delete crypto/external/bsd/openssh/dist/strtonum.c 1.1 crypto/external/bsd/openssh/Makefile.inc up to 1.8 crypto/external/bsd/openssh/bin/Makefile.inc up to 1.3 crypto/external/bsd/openssh/bin/ssh-keyscan/Makefile up to 1.2 crypto/external/bsd/openssh/bin/sshd/Makefile up to 1.12 crypto/external/bsd/openssh/dist/PROTOCOL up to 1.5 crypto/external/bsd/openssh/dist/PROTOCOL.krl up to 1.1.1.2 crypto/external/bsd/openssh/dist/addrmatch.c up to 1.8 crypto/external/bsd/openssh/dist/atomicio.c up to 1.6 crypto/external/bsd/openssh/dist/auth-bsdauth.c up to 1.4 crypto/external/bsd/openssh/dist/auth-chall.c up to 1.6 crypto/external/bsd/openssh/dist/auth-krb5.c up to 1.7 crypto/external/bsd/openssh/dist/auth-options.c up to 1.9 crypto/external/bsd/openssh/dist/auth-options.h up to 1.6 crypto/external/bsd/openssh/dist/auth-passwd.c up to 1.4 crypto/external/bsd/openssh/dist/auth-rh-rsa.c up to 1.6 crypto/external/bsd/openssh/dist/auth-rhosts.c up to 1.5 crypto/external/bsd/openssh/dist/auth-rsa.c up to 1.10 crypto/external/bsd/openssh/dist/auth.c up to 1.12 crypto/external/bsd/openssh/dist/auth.h up to 1.10 crypto/external/bsd/openssh/dist/auth1.c up to 1.11 crypto/external/bsd/openssh/dist/auth2-chall.c up to 1.7 crypto/external/bsd/openssh/dist/auth2-gss.c up to 1.8 crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 1.7 crypto/external/bsd/openssh/dist/auth2-kbdint.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-krb5.c up to 1.4 crypto/external/bsd/openssh/dist/auth2-none.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-passwd.c up to 1.5 crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.11 crypto/external/bsd/openssh/dist/auth2.c up to 1.11 crypto/external/bsd/openssh/dist/authfd.c up to 1.8 crypto/external/bsd/openssh/dist/authfd.h up to 1.5 crypto/external/bsd/openssh/dist/authfile.c up to 1.10 crypto/external/bsd/openssh/dist/authfile.h up to 1.6 crypto/external/bsd/openssh/dist/bufaux.c up to 1.7 crypto/external/bsd/openssh/dist/bufbn.c up to 1.5 crypto/external/bsd/openssh/dist/bufec.c up to 1.5 crypto/external/bsd/openssh/dist/buffer.c up to 1.6 crypto/external/bsd/openssh/dist/buffer.h up to 1.7 crypto/external/bsd/openssh/dist/canohost.c up to 1.8 crypto/external/bsd/openssh/dist/channels.c up to 1.13 crypto/external/bsd/openssh/dist/channels.h up to 1.10 crypto/external/bsd/openssh/dist/cipher-3des1.c up to 1.7 crypto/external/bsd/openssh/dist/cipher-bf1.c up to 1.6 crypto/external/bsd/openssh/dist/cipher.c up to 1.7 crypto/external/bsd/openssh/dist/cipher.h up to 1.7 crypto/external/bsd/openssh/dist/clientloop.c up to 1.13 crypto/external/bsd/openssh/dist/compat.c up to 1.9 crypto/external/bsd/openssh/dist/compat.h up to 1.6 crypto/external/bsd/openssh/dist/deattack.c up to 1.4 crypto/external/bsd/openssh/dist/deattack.h up to 1.4 crypto/external/bsd/openssh/dist/dh.c up to 1.8 crypto/external/bsd/openssh/dist/dh.h up to 1.4 crypto/external/bsd/openssh/dist/dispatch.c up to 1.5 crypto/external/bsd/openssh/dist/dispatch.h up to 1.4 crypto/external/bsd/openssh/dist/dns.c up to 1.11 crypto/external/bsd/openssh/dist/dns.h up to 1.6 crypto/external/bsd/openssh/dist/groupaccess.c up to 1.5 crypto/external/bsd/openssh/dist/gss-genr.c up to 1.7 crypto/external/bsd/openssh/dist/gss-serv-krb5.c up to 1.8 crypto/external/bsd/openssh/dist/gss-serv.c up to 1.7 crypto/external/bsd/openssh/dist/hostfile.c up to 1.7 crypto/external/bsd/openssh/dist/hostfile.h up to 1.7 crypto/external/bsd/openssh/dist/includes.h up to 1.4 crypto/external/bsd/openssh/dist/kex.c up to 1.10 crypto/external/bsd/openssh/dist/kex.h up to 1.9 crypto/external/bsd/openssh/dist/kexdh.c up to 1.4 crypto/external/bsd/openssh/dist/kexdhc.c up to 1.6 crypto/external/bsd/openssh/dist/kexdhs.c up to 1.8 crypto/external/bsd/openssh/dist/kexecdh.c up to 1.5 crypto/external/bsd/openssh/dist/kexecdhc.c up to 1.5 crypto/external/bsd/openssh/dist/kexecdhs.c up to 1.5 crypto/external/bsd/openssh/dist/kexgex.c up to 1.4 crypto/external/bsd/openssh/dist/kexgexc.c up to 1.6 crypto/external/bsd/openssh/dist/kexgexs.c up to 1.8 crypto/external/bsd/openssh/dist/key.c up to 1.16 crypto/external/bsd/openssh/dist/key.h up to 1.9 crypto/external/bsd/openssh/dist/krl.c up to 1.5 crypto/external/bsd/openssh/dist/krl.h up to 1.1.1.2 crypto/external/bsd/openssh/dist/mac.c up to 1.11 crypto/external/bsd/openssh/dist/mac.h up to 1.5 crypto/external/bsd/openssh/dist/match.c up to 1.5 crypto/external/bsd/openssh/dist/misc.c up to 1.10 crypto/external/bsd/openssh/dist/misc.h up to 1.9 plus patch crypto/external/bsd/openssh/dist/moduli.c up to 1.8 crypto/external/bsd/openssh/dist/monitor.c up to 1.14 crypto/external/bsd/openssh/dist/monitor.h up to 1.7 crypto/external/bsd/openssh/dist/monitor_fdpass.c up to 1.5 crypto/external/bsd/openssh/dist/monitor_mm.c up to 1.6 crypto/external/bsd/openssh/dist/monitor_mm.h up to 1.4 crypto/external/bsd/openssh/dist/monitor_wrap.c up to 1.11 crypto/external/bsd/openssh/dist/monitor_wrap.h up to 1.8 crypto/external/bsd/openssh/dist/msg.c up to 1.4 crypto/external/bsd/openssh/dist/msg.h up to 1.4 crypto/external/bsd/openssh/dist/mux.c up to 1.11 crypto/external/bsd/openssh/dist/myproposal.h up to 1.10 crypto/external/bsd/openssh/dist/namespace.h up to 1.5 crypto/external/bsd/openssh/dist/packet.c up to 1.18 crypto/external/bsd/openssh/dist/packet.h up to 1.11 crypto/external/bsd/openssh/dist/pathnames.h up to 1.9 crypto/external/bsd/openssh/dist/pkcs11.h up to 1.4 crypto/external/bsd/openssh/dist/progressmeter.c up to 1.7 crypto/external/bsd/openssh/dist/progressmeter.h up to 1.4 crypto/external/bsd/openssh/dist/reallocarray.c new crypto/external/bsd/openssh/dist/readconf.c up to 1.13 crypto/external/bsd/openssh/dist/readconf.h up to 1.12 crypto/external/bsd/openssh/dist/readpass.c up to 1.6 crypto/external/bsd/openssh/dist/roaming_client.c up to 1.7 crypto/external/bsd/openssh/dist/roaming_common.c up to 1.9 crypto/external/bsd/openssh/dist/roaming_dummy.c up to 1.4 crypto/external/bsd/openssh/dist/rsa.c up to 1.5 crypto/external/bsd/openssh/dist/rsa.h up to 1.4 crypto/external/bsd/openssh/dist/sandbox-systrace.c up to 1.1.1.5 crypto/external/bsd/openssh/dist/scp.1 up to 1.9 crypto/external/bsd/openssh/dist/scp.c up to 1.11 crypto/external/bsd/openssh/dist/servconf.c up to 1.17 crypto/external/bsd/openssh/dist/servconf.h up to 1.11 crypto/external/bsd/openssh/dist/serverloop.c up to 1.12 crypto/external/bsd/openssh/dist/session.c up to 1.14 crypto/external/bsd/openssh/dist/session.h up to 1.4 crypto/external/bsd/openssh/dist/sftp-client.c up to 1.13 crypto/external/bsd/openssh/dist/sftp-client.h up to 1.7 crypto/external/bsd/openssh/dist/sftp-common.c up to 1.7 crypto/external/bsd/openssh/dist/sftp-common.h up to 1.5 crypto/external/bsd/openssh/dist/sftp-glob.c up to 1.8 crypto/external/bsd/openssh/dist/sftp-server.8 up to 1.9 crypto/external/bsd/openssh/dist/sftp-server.c up to 1.11 crypto/external/bsd/openssh/dist/sftp.1 up to 1.11 crypto/external/bsd/openssh/dist/sftp.c up to 1.15 crypto/external/bsd/openssh/dist/ssh-add.1 up to 1.9 crypto/external/bsd/openssh/dist/ssh-add.c up to 1.10 crypto/external/bsd/openssh/dist/ssh-agent.1 up to 1.8 crypto/external/bsd/openssh/dist/ssh-agent.c up to 1.14 crypto/external/bsd/openssh/dist/ssh-dss.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-ecdsa.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-gss.h up to 1.5 crypto/external/bsd/openssh/dist/ssh-keygen.1 up to 1.13 crypto/external/bsd/openssh/dist/ssh-keygen.c up to 1.16 crypto/external/bsd/openssh/dist/ssh-keyscan.1 up to 1.10 crypto/external/bsd/openssh/dist/ssh-keyscan.c up to 1.13 crypto/external/bsd/openssh/dist/ssh-keysign.8 up to 1.9 crypto/external/bsd/openssh/dist/ssh-keysign.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c up to 1.6 crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c up to 1.8 crypto/external/bsd/openssh/dist/ssh-pkcs11.c up to 1.7 crypto/external/bsd/openssh/dist/ssh-pkcs11.h up to 1.4 crypto/external/bsd/openssh/dist/ssh-rsa.c up to 1.7 crypto/external/bsd/openssh/dist/ssh.1 up to 1.14 crypto/external/bsd/openssh/dist/ssh.c up to 1.16 crypto/external/bsd/openssh/dist/ssh2.h up to 1.6 crypto/external/bsd/openssh/dist/ssh_config up to 1.8 crypto/external/bsd/openssh/dist/ssh_config.5 up to 1.13 crypto/external/bsd/openssh/dist/sshconnect.c up to 1.11 crypto/external/bsd/openssh/dist/sshconnect.h up to 1.6 crypto/external/bsd/openssh/dist/sshconnect1.c up to 1.6 crypto/external/bsd/openssh/dist/sshconnect2.c up to 1.19 crypto/external/bsd/openssh/dist/sshd.8 up to 1.13 crypto/external/bsd/openssh/dist/sshd.c up to 1.18 crypto/external/bsd/openssh/dist/sshd_config up to 1.13 crypto/external/bsd/openssh/dist/sshd_config.5 up to 1.17 crypto/external/bsd/openssh/dist/sshlogin.c up to 1.6 crypto/external/bsd/openssh/dist/sshpty.c up to 1.4 crypto/external/bsd/openssh/dist/uidswap.c up to 1.4 crypto/external/bsd/openssh/dist/umac.c up to 1.9 crypto/external/bsd/openssh/dist/version.h up to 1.14 crypto/external/bsd/openssh/dist/xmalloc.c up to 1.5 crypto/external/bsd/openssh/lib/Makefile up to 1.17 plus patch crypto/external/bsd/openssh/lib/shlib_version up to 1.13 distrib/sets/lists/base/ad.aarch64 patch distrib/sets/lists/base/ad.arm patch distrib/sets/lists/base/ad.mips patch distrib/sets/lists/base/ad.powerpc patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/mi patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/comp/ad.aarch64 patch distrib/sets/lists/comp/ad.arm patch distrib/sets/lists/comp/ad.mips patch distrib/sets/lists/comp/ad.powerpc patch distrib/sets/lists/comp/md.amd64 patch distrib/sets/lists/comp/md.sparc64 patch distrib/sets/lists/comp/mi patch distrib/sets/lists/comp/shl.mi patch distrib/sets/lists/debug/ad.aarch64 patch distrib/sets/lists/debug/ad.arm patch distrib/sets/lists/debug/ad.mips patch distrib/sets/lists/debug/ad.powerpc patch distrib/sets/lists/debug/md.amd64 patch distrib/sets/lists/debug/md.sparc64 patch distrib/sets/lists/debug/shl.mi patch distrib/sets/lists/etc/mi patch distrib/sets/lists/man/mi patch etc/defaults/rc.conf 1.130 etc/mtree/NetBSD.dist.base 1.142 external/bsd/Makefile up to 1.48 external/bsd/blacklist/bin/Makefile up to 1.11 plus patch external/bsd/blacklist/bin/blacklistctl.8 up to 1.6 external/bsd/blacklist/bin/blacklistctl.c up to 1.17 external/bsd/blacklist/bin/blacklistd.8 up to 1.10 external/bsd/blacklist/bin/blacklistd.c up to 1.32 external/bsd/blacklist/bin/blacklistd.conf.5 up to 1.2 external/bsd/blacklist/bin/conf.c up to 1.18 external/bsd/blacklist/bin/conf.h up to 1.6 external/bsd/blacklist/bin/internal.c up to 1.5 external/bsd/blacklist/bin/internal.h up to 1.12 external/bsd/blacklist/bin/run.c up to 1.12 external/bsd/blacklist/bin/run.h up to 1.5 external/bsd/blacklist/bin/state.c up to 1.15 external/bsd/blacklist/bin/state.h up to 1.5 external/bsd/blacklist/bin/support.c up to 1.6 external/bsd/blacklist/bin/support.h up to 1.5 external/bsd/blacklist/etc/rc.d/Makefile up to 1.1 external/bsd/blacklist/etc/rc.d/blacklistd up to 1.1 external/bsd/blacklist/etc/Makefile up to 1.3 external/bsd/blacklist/etc/blacklistd.conf up to 1.3 external/bsd/blacklist/etc/npf.conf up to 1.1 external/bsd/blacklist/Makefile up to 1.2 external/bsd/blacklist/Makefile.inc up to 1.3 external/bsd/blacklist/README up to 1.7 external/bsd/blacklist/TODO up to 1.7 external/bsd/blacklist/diff/ftpd.diff up to 1.1 external/bsd/blacklist/diff/named.diff up to 1.6 external/bsd/blacklist/diff/ssh.diff up to 1.6 external/bsd/blacklist/include/Makefile up to 1.1 external/bsd/blacklist/include/bl.h up to 1.12 external/bsd/blacklist/include/blacklist.h up to 1.3 external/bsd/blacklist/include/config.h new external/bsd/blacklist/lib/Makefile up to 1.3 external/bsd/blacklist/lib/bl.c up to 1.24 external/bsd/blacklist/lib/blacklist.c up to 1.5 external/bsd/blacklist/lib/libblacklist.3 up to 1.3 external/bsd/blacklist/lib/shlib_version up to 1.1 external/bsd/blacklist/libexec/Makefile up to 1.1 external/bsd/blacklist/libexec/blacklistd-helper up to 1.4 external/bsd/blacklist/port/m4/.cvsignore up to 1.1 external/bsd/blacklist/port/Makefile.am up to 1.4 external/bsd/blacklist/port/_strtoi.h up to 1.1 external/bsd/blacklist/port/clock_gettime.c up to 1.2 external/bsd/blacklist/port/configure.ac up to 1.7 external/bsd/blacklist/port/fgetln.c up to 1.1 external/bsd/blacklist/port/fparseln.c up to 1.1 external/bsd/blacklist/port/getprogname.c up to 1.4 external/bsd/blacklist/port/pidfile.c up to 1.1 external/bsd/blacklist/port/popenve.c up to 1.2 external/bsd/blacklist/port/port.h up to 1.6 external/bsd/blacklist/port/sockaddr_snprintf.c up to 1.9 external/bsd/blacklist/port/strlcat.c up to 1.2 external/bsd/blacklist/port/strlcpy.c up to 1.2 external/bsd/blacklist/port/strtoi.c up to 1.3 external/bsd/blacklist/test/Makefile up to 1.2 external/bsd/blacklist/test/cltest.c up to 1.6 external/bsd/blacklist/test/srvtest.c up to 1.9 lib/libpam/modules/pam_ssh/pam_ssh.c up to 1.23 libexec/ftpd/pfilter.c up to 1.1 libexec/ftpd/pfilter.h up to 1.1 libexec/ftpd/Makefile up to 1.64 libexec/ftpd/ftpd.c up to 1.201 Add blacklistd(8), a daemon to block and release network ports on demand to mitigate abuse, and related changes to system daemons to support it. [christos, ticket #711] @ text @a0 32 # $OpenBSD: Makefile,v 1.2 2013/10/14 02:57:59 dtucker Exp $ .include all: moduli # The larger ones will take many days, so if you're going to regen them run # it in a tmux session or something. The checkpoints should make it safe # to stop and restart. DHSIZE=1024 1536 2048 3072 4096 6144 7680 8192 .for bits in ${DHSIZE} MODULI_PARTS+=moduli.${bits} moduli.${bits}: sh ${.CURDIR}/moduli-gen.sh ${.CURDIR} ${.CURDIR}/work ${bits} .endfor moduli: ${MODULI_PARTS} ( \ echo -n '# $$Open'; echo 'BSD$$'; \ echo '# Time Type Tests Tries Size Generator Modulus'; \ cat ${MODULI_PARTS} \ ) > moduli update-moduli: cp moduli ${BSDSRCDIR}/etc/moduli clean: .for bits in ${DHSIZE} rm -f ${.OBJDIR}/moduli.${bits}.sieved.gz .endfor @