ssh: FreeBSD diff against upstream 8.7p1
Needs Review (Public)

Authored by emaste on Feb 12 2021, 6:10 PM.
Details

Summary

This is a diff of cherry-picking changes from the FreeBSD tree to 8.6p1 and is a rolled-up diff of a number of individual changes in other reviews.

Diff Detail

Lint: Skipped
Unit Tests: Skipped

Event Timeline

emaste updated this revision to Diff 83778.

with context

emaste added inline comments.
INSTALL, line 82:

I proposed removing tcpwrappers support, but folks are using it and the patch is not particularly onerous.
https://lists.freebsd.org/pipermail/freebsd-current/2020-February/075311.html

ssh_config, line 29:

Default changed in R10:975616f046e2f

ssh_config.5, line 1763:

Should be .Cm

sshd.c, line 395:

extra blank line

sshd_config, line 36:

commit f4373ed1e8fbc7c8ce3fc4ea97d0ba2e0c1d7ef0
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date: Thu Jul 30 19:23:02 2015 +0000

upstream commit

change default: PermitRootLogin without-password matching
 install script changes coming as well ok djm markus

Upstream-ID: 0e2a6c4441daf5498b47a61767382bead5eb8ea6
sshd_config, line 64:

This description could be clarified

sshd_config, line 108:

Another one to ensure remains in sync

sshd_config.5, line 1739:

Need to update this

version.h, line 8:

Need to update this and make sure all match

emaste retitled this revision from ssh: FreeBSD diff against upstream 8.3p1 to ssh: FreeBSD diff against upstream 8.4p1.
emaste edited the summary of this revision. (Show Details)

Update to 8.4p1

ssh_config.5, line 1763:

With .Dq (patch as uploaded)

VersionAddendum
Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is “FreeBSD-20180909”. The value none may be used to disable this.

With .Cm

VersionAddendum
Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is FreeBSD-20180909. The value none may be used to disable this.

Maybe .Dq is actually appropriate here; Cm is documented as

Cm keyword ...
     Command modifiers.  Typically used for fixed strings passed as
     arguments to interactive commands, to commands in interpreted
     scripts, or to configuration file directives, unless Fl is more
     appropriate.

Perhaps Cm is appropriate for exact fixed strings as arguments (e.g. no, none, without-password) while the default text has no special meaning.

sshd.c, line 2239:
From 25b2ed667216314471bb66752442c55b95792dc3 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 19 Jan 2019 21:36:06 +0000
Subject: [PATCH 0083/1259] upstream: convert ssh.c to new packet API

with & ok markus@

packet_connection_is_on_socket() -> ssh_packet_connection_is_on_socket(ssh)

emaste retitled this revision from ssh: FreeBSD diff against upstream 8.4p1 to ssh: FreeBSD diff against upstream 8.6p1.
emaste edited the summary of this revision. (Show Details)
emaste added a subscriber: allanjude.
emaste retitled this revision from ssh: FreeBSD diff against upstream 8.6p1 to ssh: FreeBSD diff against upstream 8.7p1.

For reference, D31807 is a diff of what's in the base system now vs upstream 7.9p1

regen without crypto/openssh/ path prefix to simplify comparison against earlier uploads

pathnames.h, line 125:

From D31807, @kevans suggested these ought to be _PATH_LOCALBASE

configure, line 846 (on Diff #94621):

not sure what happened here, maybe an incidental autoconf change

servconf.c, lines 294–295:

This needs to be retired

Current proposed commit:

commit 401a25ab6abfd607ac8f550c08154938e30c18df (github/openssh-8.7p1-wip)
Merge: 686aa9287c6b 66719ee573ac
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Tue Sep 7 15:32:45 2021 -0400

    openssh: update to OpenSSH v8.7p1
    
    Some notable changes, from upstream's release notes:
    
    - sshd(8): Remove support for obsolete "host/port" syntax.
    - ssh(1): When prompting whether to record a new host key, accept the key
      fingerprint as a synonym for "yes".
    - ssh-keygen(1): when acting as a CA and signing certificates with an RSA
      key, default to using the rsa-sha2-512 signature algorithm.
    - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
      (RSA/SHA1) algorithm from those accepted for certificate signatures.
    - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
      support to provide address-space isolation for token middleware
      libraries (including the internal one).
    - ssh(1): this release enables UpdateHostkeys by default subject to some
      conservative preconditions.
    - scp(1): this release changes the behaviour of remote to remote copies
      (e.g. "scp host-a:/path host-b:") to transfer through the local host
      by default.
    - scp(1): experimental support for transfers using the SFTP protocol as
      a replacement for the venerable SCP/RCP protocol that it has
      traditionally used.
    
    Additional integration work is needed to support FIDO/U2F in the base
    system.
    
    Deprecation Notice
    ------------------
    
    OpenSSH will disable the ssh-rsa signature scheme by default in the
    next release.
    
    MFC after:      1 month
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D29985

Update to what was committed in 19261079b74319502c6ffa1249920079f0f69a72 against upstream 8.7p1.

(Diff also includes $FreeBSD$ tag cleanup from 0e642632e64a8b8ca740ce3307abe116c990e0b6)

Generated via git diff -U9999 --diff-filter=M vendor/openssh HEAD:crypto/openssh