Commit Graph

30 Commits

Author SHA1 Message Date
Ed Maste
952d18a214 ssh: Remove AES-CBC ciphers from default server and client lists
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses.  This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.

When upstream removed these ciphers from the default server list, they
moved them to the client-only default list.  They were subsequently
removed from the client default, in OpenSSH 7.9p1.

The change has persisted long enough.  Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.

Reviewed by:	markm, rgrimes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25833
2020-07-28 00:24:12 +00:00
Ed Maste
99b201c331 Add a note about deleted files in OpenSSH upgrade instructions 2020-02-25 22:15:25 +00:00
Ed Maste
9fcda2f48d Update OpenSSH upgrade instructions to use https, not ftp
ftp://ftp.openbsd.org/ does not work.
2020-02-14 19:33:50 +00:00
Ed Maste
e491358c94 sshd: add upgrade process note about TCP wrappers
We need to add user-facing deprecation notices for TCP wrappers; start
with a note in the upgrade process docmentation.

Sponsored by:	The FreeBSD Foundation
2020-02-14 18:59:50 +00:00
Ed Maste
4c3ccd967e openssh: add a note about libwrap in config.h
LIBWRAP is defined by the Makefile based on MK_TCP_WRAPPERS and should
not be defined in config.h.

PR:		210141
Sponsored by:	The FreeBSD Foundation
2020-02-14 17:05:35 +00:00
Dag-Erling Smørgrav
4f52dfbb8d Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11.  For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
2018-05-08 23:13:11 +00:00
Dag-Erling Smørgrav
b23ddc5855 Update the repository URLs. 2018-05-06 13:21:44 +00:00
Dag-Erling Smørgrav
9ded33068e Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA.  Now is a good time to catch up.

MFC after:	3 days
Relnotes:	yes
2016-08-03 16:08:21 +00:00
Dag-Erling Smørgrav
c3c6c935fc Re-add AES-CBC ciphers to the default cipher list on the server.
PR:		207679
2016-03-11 00:23:10 +00:00
Dag-Erling Smørgrav
c4cd1fa410 Switch UseDNS back on 2016-01-27 13:40:44 +00:00
Dag-Erling Smørgrav
0591b689c2 Update the instructions and the list of major local modifications. 2016-01-21 12:42:31 +00:00
Dag-Erling Smørgrav
cf783db152 Add a pre-merge script which reverts mechanical changes such as added
$FreeBSD$ tags and man page dates.

Add a post-merge script which reapplies these changes.

Run both scripts to normalize the existing code base.  As a result, many
files which should have had $FreeBSD$ tags but didn't now have them.

Partly rewrite the upgrade instructions and remove the now outdated
list of tricks.
2014-03-24 19:15:13 +00:00
Dag-Erling Smørgrav
0085282b6a Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.

Approved by:	re (marius)
2013-09-23 20:35:54 +00:00
Dag-Erling Smørgrav
009fd5a774 Revert r247892 now that this has been fixed upstream. 2013-03-23 14:52:31 +00:00
Dag-Erling Smørgrav
d9bb67e8ce Explicitly disable lastlog, utmp and wtmp. 2013-03-06 13:46:20 +00:00
Dag-Erling Smørgrav
d4af9e693f Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch.  One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago.  This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.

MFC after:	6 weeks
2008-08-01 02:48:36 +00:00
Dag-Erling Smørgrav
cb7b802714 Catch up with reality. 2008-08-01 00:28:50 +00:00
Dag-Erling Smørgrav
1c71974b6c Fix the Xlist so it actually works with 'tar -X', and update the upgrade
instructions accordingly.
2008-02-06 23:14:24 +00:00
Dag-Erling Smørgrav
e66498cd40 Update configure options and add some missing steps.
The section about our local changes needs reviewing, and some of those
changes should probably be reconsidered (such as preferring DSA over RSA,
which made sense when RSA was encumbered but probably doesn't any more)
2006-10-02 12:39:28 +00:00
Ruslan Ermilov
e1fe3dba5c Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
Dag-Erling Smørgrav
6dbd30e786 Update for 4.1p1. 2005-06-05 15:43:57 +00:00
Dag-Erling Smørgrav
d49dad04cb Better Xlist command line. 2004-10-28 16:13:28 +00:00
Dag-Erling Smørgrav
3ee07a3a90 Document recently changed configuration defaults. 2004-02-26 10:57:28 +00:00
Dag-Erling Smørgrav
c880b0438e Update the "overview of FreeBSD changes to OpenSSH-portable" to reflect
reality.
2004-01-25 13:09:56 +00:00
Dag-Erling Smørgrav
e2fb0b2a6b Update to reflect changes since the last version. 2004-01-07 11:51:18 +00:00
Dag-Erling Smørgrav
2d61bc6706 Nit. 2003-04-23 17:23:06 +00:00
Dag-Erling Smørgrav
d73be2d96a Correct shell code to expand globs in FREEBSD-Xlist 2002-10-29 09:55:28 +00:00
Jun Kuriyama
b811072634 Fix typo (s@src/crypto/openssh-portable@src/crypto/openssh@). 2002-09-09 02:00:28 +00:00
Dag-Erling Smørgrav
21f19a0cbf (forgot to commit) We don't need --with-opie since PAM takes care of it. 2002-07-05 15:25:55 +00:00
Dag-Erling Smørgrav
ba11afcc21 Document the upgrade process. 2002-06-29 10:39:14 +00:00