I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.
MFC after: 6 weeks
- sshd fails to set TERM correctly.
- privilege separation may break PAM and is currently turned off.
- man pages have not yet been updated
I will have these issues resolved, and privilege separation turned on by
default, in time for DP2.
Sponsored by: DARPA, NAI Labs
authentication is enabled, the client effectively ignores any error
from krb5_rd_rep due to a missing branch.
In theory this could result in an ssh client using Kerberos 5
authentication accepting a spoofed AP-REP. I doubt this is a real
possiblity, however, because the AP-REP is passed from the server to
the client via the SSH encrypted channel. Any tampering should cause
the decryption or MAC to fail.
Approved by: green
MFC after: 1 week
"non-echoed" characters are still echoed back in a null packet, as well
as pad passwords sent to not give hints to the length otherwise.
Obtained from: OpenBSD
It is done by using the same ssh messages for v4 and v5 authentication
(since the ssh.com does not now anything about v4) and looking at the
contents after unpacking it to see if it is v4 or v5.
Based on code from Björn Grönvall <bg@sics.se>
PR: misc/20504
new features description elided in favor of checking out their
website.
Important new FreeBSD-version stuff: PAM support has been worked
in, partially from the "Unix" OpenSSH version, and a lot due to the
work of Eivind Eklend, too.
This requires at least the following in pam.conf:
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
Parts by: Eivind Eklend <eivind@FreeBSD.org>