Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Currently if an e1000 interface is set to a fixed media configuration,
for gigabit, it will participate in auto-negotiation as required by
IEEE 802.3-2018 Clause 37. However, if set to fixed media configuration
for 100 or 10, it does NOT participate in auto-negotiation.
By my reading of Clauses 28 and 37, while auto-negotiation is optional
for 100 and 10, it is not prohibited and is, in fact, "highly
recommended".
This patch enables auto-negotiation for fixed 100 and 10 media
configuration, in a similar manner to that already performed for 1000.
I.e., the patch enables advertising of just the manually configured
settings with the goal of allowing the remote end to match the manually
configured settings if it has them available.
To be clear, this patch does NOT allow an em(4) interface that has been
manually configured with specific media settings to respond to
auto-negotiation by then configuring different parameters to those that
were manually configured. The intent of this patch is to fully comply
with the requirements of Clause 37, but for 100 and 10.
The need for this has arisen on an em(4) link where the other end is
under a different administrative control and is set to full
auto-negotiation. Due to the cable length GigE is not working well. It
is desired to set the em(4) end to "media 100baseTX mediatype
full-duplex" which does work when both ends are configured that way.
Currently, because em(4) does not participate in autoneg for this
setting, the remote defaults to half-duplex - i.e., there's a duplex
mismatch and things don't work. With this patch, em(4) would inform the
remote that it has only 100baseTX full, the remote would match that and
it will work.
Approved by: erj
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D34449
-A and -m select different output modes output modes for diff3. When
both flags are present gnu diff3 prefers -m, drop the extra -A flag in
etcupdate.
Reviewed by: pstef, 0mp
MFC after: 3 days
Sponsored by: Klara Inc
Differential Revision: <https://reviews.freebsd.org/D###>
Capsicum rights are a bit tricky since some of them are subsets of
others, and one can have rights R1 and R2 such that R1 is a subset of
R2, but there is no collection of named rights whose union is R2. So,
they don't behave like most other flag sets. sysdecode_cap_rights(3)
does not handle this properly and so can emit misleading decodings.
Try to fix all of these problems:
- Include composite rights in the caprights table.
- Use a constructor to sort the caprights table such that "larger"
rights appear first and thus are matched first.
- Don't print rights that are a subset of rights already printed, so as
to minimize the length of the output.
- Print a trailing message if some of the specific rights are not
matched by the table.
PR: 263165
Reviewed by: pauamma_gundo.com (doc), jhb, emaste
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34874
The "void *stuff" (also called fstuff and dstuff) argument
was used by the Mac OSX port. For FreeBSD, this argument
is always NULL, so remove it to clean up the code.
This commit gets rid of "stuff" for nfscl_loadattrcache().
Future commits will do the same for other functions.
Whitespace cleanup (leading spaces to tabs)
Nicefy function definitions with indentations
No functional change
Reviewed By: #transport, thj
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D30043
The error control was not properly implemented. "changelist" is const, hence
event.flags is never changed by the syscall.
PR: 196844
Reported by: eugen@
Reviewed by: PauAmma <pauamma@gundo.com>
Approved by: eugen@
Fixes: 8c231786f0
New connections will use the new values. Existing connections are not
affected.
Obtained from: jhb@
MFC after: 3 weeks
Sponsored by: Chelsio Communications
We don't need it for userboot, but it avoids issues with BIND_NOW, so
just provide it. time(3) isn't defined but ends up being provided by
libc linked into the host process, which is generally fine.
PR: 262920
Reviewed by: imp, jhb
MFC after: 3 days
Diferential Revision: https://reviews.freebsd.org/D34758
Printing device followed by interface matches, e.g., edk2. Note that
this is only a fallback, many firmware implementations will provide the
protocol that we'll use to format device paths.
Reviewed by: imp, tsoome
Sponsored by: Ampere Computing
Submitted by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34539
This device is present on the Allwinner D1-based SoCs. Without this
driver, the watchdog timeout will trigger a reset a few seconds after
control is given to the kernel.
Reviewed By: manu, mhorne
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D34749
As the PolarFire SoC needs SGMII to connect the PHY, check the
'phy-mode' property of device tree node for ethernet and act on it
appropriately.
Add the compatible strings for the PolarFire SoC device tree.
'microchip,mpfs-mss-gem" is not officially documented but has been
observed in the available firmware for this platform, so it is included
for now.
Also, fix a typo in if_cgem_hw.h.
Reviewed by: mhorne
MFC after: 1 week
Sponsored by: Conclusive Engineering
Differential Revision: https://reviews.freebsd.org/D34764
Rather than doing these checks based on the detected hardware variant, allow
quirks to be specified as a set of flags for each compatible string.
This simplifies adding support for new compatible hardware.
Reviewed by: mhorne
MFC after: 1 week
Sponsored by: Conclusive Engineering
Differential Revision: https://reviews.freebsd.org/D34764
This parameter was set to the hook that terminated the iteration
early. However, none of the remaining callers used this argument and
it was always set to an otherwise-unused variable.
In theory the errors during llan_attach should be handled, but other
errors in llan_attach (e.g. bus_setup_intr) are already ignored, so
just remove the unused variable to preserve the status quo.