d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
228,323 Commits 72 Branches 135 Tags 3.2 GiB
0521e6e192
Commit Graph

526 Commits

Author SHA1 Message Date
Dag-Erling Smørgrav
d93a896ef9 Upgrade to OpenSSH 7.5p1. 2017-08-04 12:57:24 +00:00
Kurt Lidl
342b8b88ba Refine and update blacklist support in sshd 
Adjust notification points slightly to catch all auth failures,
rather than just the ones caused by bad usernames.

Modify notification point for bad usernames to send new type of
BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
Add guards to allow library headers to expose the enum of action values.

Reviewed by:	des
Approved by:	des
Sponsored by:	The FreeBSD Foundation
 2017-05-12 15:20:12 +00:00
Dag-Erling Smørgrav
ca86bcf253 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
Dag-Erling Smørgrav
0999bc4881 Re-apply part of r311585 which was inadvertantly reverted in the upgrade 
to 7.3p1.  The other part (which adds -DLIBWRAP to sshd's CFLAGS) is
still in place.

Reported by:	ngie
 2017-03-03 14:25:55 +00:00
Dag-Erling Smørgrav
6d6e8a4a09 Forgot to bump the version addendum date. 2017-03-03 01:50:10 +00:00
Dag-Erling Smørgrav
076ad2f836 Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
Dag-Erling Smørgrav
4fcbf74fb1 Avoid picking up MIT Kerberos from ports (if installed). 2017-02-26 19:00:55 +00:00
Dag-Erling Smørgrav
8f7bfc76bd Fix amusingly harmless mis-merge. 2017-02-26 16:34:58 +00:00
Kurt Lidl
5057f65606 Only notify blacklistd for successful logins in auth.c 
Reported by:	Rick Adams
Reviewed by:	des
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
 2017-02-19 20:35:39 +00:00
Xin LI
9ea45e75fa MFV r311913: 
Fix multiple OpenSSH vulnerabilities.

Submitted by:	des
Approved by:	so
 2017-01-11 05:49:39 +00:00
Enji Cooper
233932cc2a Conditionalize building libwrap support into sshd 
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after:	2 weeks
PR:		210141
Submitted by:	kpect@protonmail.com
Differential Revision:	D9049
 2017-01-07 08:08:35 +00:00
Xin LI
56e6c4251c MFV r308196: 
Fix OpenSSH remote Denial of Service vulnerability.

Security:	CVE-2016-8858
 2016-11-02 06:49:25 +00:00
Kurt Lidl
b2af61ec69 Add refactored blacklist support to sshd 
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file.  This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.

Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().

Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.

Reviewed by:	des
Approved by:	des
MFC after:		1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D7051
 2016-08-30 14:09:24 +00:00
Dag-Erling Smørgrav
144a80bd9a Try to check whether each key file exists before adding it, and bail out 
if we didn't find any of them.  This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.

PR:		208254
MFC after:	3 days
 2016-08-08 10:46:18 +00:00
Dag-Erling Smørgrav
9ded33068e Remove DSA from default cipher list and disable SSH1. 
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA.  Now is a good time to catch up.

MFC after:	3 days
Relnotes:	yes
 2016-08-03 16:08:21 +00:00
Glen Barber
faebc97a1c Revert r301551, which added blacklistd(8) to sshd(8). 
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.

Requested by:	des
PR:		210479 (related)
Approved by:	re (marius)
Sponsored by:	The FreeBSD Foundation
 2016-06-24 23:22:42 +00:00
Kurt Lidl
c0cc364181 Add blacklist support to sshd 
Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915
 2016-06-07 16:18:09 +00:00
Dag-Erling Smørgrav
c3c6c935fc Re-add AES-CBC ciphers to the default cipher list on the server. 
PR:		207679
 2016-03-11 00:23:10 +00:00
Dag-Erling Smørgrav
acc1a9ef83 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
Dag-Erling Smørgrav
b4245df0a8 Document our modified default value for PermitRootLogin. 2016-02-02 10:02:38 +00:00
Dag-Erling Smørgrav
c4cd1fa410 Switch UseDNS back on 2016-01-27 13:40:44 +00:00
Dag-Erling Smørgrav
6362080245 r294563 was incomplete; re-add the client-side options as well. 2016-01-22 14:22:11 +00:00
Dag-Erling Smørgrav
6f3513465d Instead of removing the NoneEnabled option, mark it as unsupported. 
(should have done this in r291198, but didn't think of it until now)
 2016-01-22 13:13:46 +00:00
Dag-Erling Smørgrav
0591b689c2 Update the instructions and the list of major local modifications. 2016-01-21 12:42:31 +00:00
Dag-Erling Smørgrav
a067b78c9c Explain why we don't include VersionAddendum in the debug mode banner. 2016-01-21 12:41:02 +00:00
Dag-Erling Smørgrav
fc1ba28a5c Upgrade to OpenSSH 7.1p2. 2016-01-21 11:54:34 +00:00
Dag-Erling Smørgrav
acf8e75eb0 Enable DSA keys by default. They were disabled in OpenSSH 6.9p1. 
Noticed by:	glebius
 2016-01-21 11:10:14 +00:00
Dag-Erling Smørgrav
ca04c57ca9 Take care not to pick up the wrong version of OpenSSL when running in an 
environment that has OpenSSL from ports in addition to the base version.
 2016-01-21 10:57:45 +00:00
Dag-Erling Smørgrav
0b0dd5086b Remove RCS tags from files in which we no longer have any local 
modifications, and add them to two files in which we do.
 2016-01-20 23:23:08 +00:00
Dag-Erling Smørgrav
8688f98d23 Remove a number of generated files which are either out-of-date (because 
they are never regenerated to reflect our changes) or in the way of
freebsd-configure.sh.
 2016-01-20 23:08:57 +00:00
Dag-Erling Smørgrav
eccfee6ebc Upgrade to OpenSSH 7.0p1. 2016-01-20 22:57:10 +00:00
Dag-Erling Smørgrav
557f75e54a Upgrade to OpenSSH 6.9p1. 2016-01-19 18:55:44 +00:00
Dag-Erling Smørgrav
9860d96e8f Re-add HPN configuration options as deprecated options to avoid breaking 
existing configurations that use them.  Note that there is no functional
difference between OpenSSH with HPN and OpenSSH without HPN.
 2016-01-19 18:38:17 +00:00
Dag-Erling Smørgrav
bc5531debe Upgrade to OpenSSH 6.8p1. 2016-01-19 18:28:23 +00:00
Dag-Erling Smørgrav
00912a2021 Now that we have local modifications in configure.ac and configure, run 
autoheader and autoconf to avoid having to patch configure manually.
 2016-01-19 17:20:07 +00:00
Dag-Erling Smørgrav
a0ee8cc636 Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed 
upstream) and a number of security fixes which we had already backported.

MFC after:	1 week
 2016-01-19 16:18:26 +00:00
Dag-Erling Smørgrav
60c59fad88 As previously threatened, remove the HPN patch from OpenSSH. 2016-01-19 14:38:20 +00:00
Dag-Erling Smørgrav
5ecdd3c4d3 Use 'svn list -R' instead of find, and recognize comments in shell scripts 
and {ssh,sshd}_config.
 2016-01-19 14:25:22 +00:00
Dag-Erling Smørgrav
c1ea5e1a86 Recognize *roff comments. 2016-01-19 13:15:57 +00:00
Dag-Erling Smørgrav
50356f4843 Update the pre- and post-merge scripts to work correctly after the recent 
cleanup.  A round-trip (./freebsd-pre-merge.sh ; ./freebsd-post-merge.sh)
now results in an unchanged working copy.
 2016-01-19 12:38:53 +00:00
Gleb Smirnoff
1026c03c28 Fix OpenSSH client information leak. 
Security:	SA-16:07.openssh
Security:	CVE-2016-0777
 2016-01-14 22:40:46 +00:00
Dag-Erling Smørgrav
22f393c35d Incorrect length in calloc() call, already fixed upstream. 
PR:		204769
Submitted by:	David Binderman <dcb314@hotmail.com>
MFC after:	1 week
 2015-12-17 19:36:25 +00:00
Dag-Erling Smørgrav
6dd7775dfd r291198 inadvertantly reverted a local patch for the default location 
of ssh-askpass and xauth, breaking X11 forwarding.
 2015-11-26 23:05:40 +00:00
Dag-Erling Smørgrav
af12673615 Revert inadvertent commit of an incorrect patch 2015-11-24 16:07:03 +00:00
Dag-Erling Smørgrav
db83e5424b Remove description of the now-defunct NoneEnabled option. 2015-11-24 16:06:15 +00:00
Dag-Erling Smørgrav
1765946ba9 Retire the NONE cipher option. 2015-11-23 12:48:13 +00:00
Dag-Erling Smørgrav
f2e553364c Remove dead code. 2015-11-11 13:47:23 +00:00
Dag-Erling Smørgrav
845c9bd1d9 One more $Mdocdate$ 2015-11-11 13:27:58 +00:00
Dag-Erling Smørgrav
5bec830e40 Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). 2015-11-11 13:26:47 +00:00
Dag-Erling Smørgrav
5b71b2ebe0 Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately, 
there is (currently) no way to make Subversion generate correct $Mdocdate$
tags, but perhas we can teach mandoc to read Subversion's %d format.
 2015-11-11 13:23:07 +00:00