Commit Graph

623 Commits

Author SHA1 Message Date
Ed Maste
6f7bc8e7a3 ssh: describe deprecated options in general in update doc
Rename "HPN" to more general "Retired patches."  We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.

Sponsored by:	The FreeBSD Foundation
2022-09-04 20:11:03 -04:00
Ed Maste
97be6fced7 openssh: Remove description of VersionAddendum in upgrade doc 2022-08-19 10:39:17 -04:00
Ed Maste
bffe60ead0 ssh: retire client VersionAddendum
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f and later extended it to the client in
commit 9e2cbe04ff.

In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10.  They do not support it for the client.

The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set.  This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.

Reviewed by:	gordon, glebius
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32930
2022-08-19 10:38:42 -04:00
Ed Maste
9f009e066f sshd_config: clarify password authentication options
Passwords may be accepted by both the PasswordAuthentication and
KbdInteractiveAuthentication authentication schemes.  Add a reference to
the latter in the description/comment for PasswordAuthentication, as it
otherwise may seem that "PasswordAuthentication no" implies passwords
will be disallowed.

This situation should be clarified with more extensive documentation on
the authentication schemes and configuration options, but that should be
done in coordination with upstream OpenSSH.  This is a minimal change
that will hopefully clarify the situation without requiring an extensive
local patch set.

PR:		263045
Reviewed by:	manu (earlier version)
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D35272
2022-06-08 16:20:46 -04:00
Ed Maste
0e12eb7b58 ssh: update sshd_config for prohibit-password option
The PermitRootLogin option "prohibit-password" was added as a synonym
for "without-password" in 2015.  Then in 2017 these were swapped:
"prohibit-password" became the canonical option and "without-password"
became a deprecated synonym (in OpenSSH commit 071325f458).

The UsePAM description in sshd_config still mentioned
"without-password."  Update it to match the new canonical option.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2022-05-12 11:16:09 -04:00
Ed Maste
6e24fe6128 ssh: use upstream SSH_OPENSSL_VERSION macro
With the upgrade to OpenSSH 6.7p1 in commit a0ee8cc636 we replaced
WITH_OPENSSL ifdefs with an OPENSSL_VERSION macro, later changing it
to OPENSSL_VERSION_STRING.

A few years later OpenSSH made an equivalent change (with a different
macro name), in commit 4d94b031ff88.  Switch to the macro name they
chose.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-23 20:07:57 -04:00
Ed Maste
835ee05f3c ssh: drop $FreeBSD$ from crypto/openssh
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose.  Remove them from OpenSSH to reduce diffs against upstream.

Sponsored by:	The FreeBSD Foundation
2022-04-22 19:12:23 -04:00
Ed Maste
1978059263 ssh: remove duplicate setting of MAIL env var
We already set it earlier in do_setup_env().

Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-19 10:30:52 -04:00
Ed Maste
613b4b7971 ssh: apply style(9) to version_addendum
Reported by:	allanjude (in review D29953)
Fixes:		462c32cb8d ("Upgrade OpenSSH to 6.1p1.")
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-04-18 18:13:42 -04:00
Ed Maste
eb45bc6829 ssh-agent: move -x description to correct spot in man page
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2022-04-17 17:43:20 -04:00
Ed Maste
e2cec5ba2c ssh: correct version number (9.0)
Reported by:	flo
Fixes:		87c1498d1a ("ssh: update to OpenSSH v9.0p1")
Sponsored by:	The FreeBSD Foundation
2022-04-15 12:10:35 -04:00
Ed Maste
9fce8d4140 ssh: apply post-release patch from V_9_0 branch
upstream: clear io_want/io_ready flags at start of poll() cycle;

avoids plausible spin during rekeying if channel io_want flags are reused
across cycles. ok markus@ deraadt@
2022-04-15 11:04:54 -04:00
Ed Maste
fb5aabcb99 scp: switch to using the SFTP protocol by default
From upstream release notes https://www.openssh.com/txt/release-9.0

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-15 10:47:28 -04:00
Ed Maste
87c1498d1a ssh: update to OpenSSH v9.0p1
Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-15 10:41:08 -04:00
Ed Maste
58def461e2 ssh: update with post-release V_8_9 branch commits
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:53:20 -04:00
Ed Maste
1323ec5712 ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:00:56 -04:00
Ed Maste
cea0d3689e ssh: update sshd_config(5) for RSA/SHA-1 signature removal
OpenSSH 8.8p1 removed RSA/SHA-1 signatures by default, but failed to
update sshd_config(5).  It was updated upstream after the release in
b711bc01a7ec and da4035523406.

Fixes:		8c22023ca5 ("ssh: disable RSA/SHA-1 signatures")
Sponsored by:	The FreeBSD Foundation
2022-03-08 16:56:56 -05:00
Ed Maste
822d379b1f ssh: regen sk_config.h after 73104d5838 2022-03-05 20:00:04 -05:00
Ed Maste
73104d5838 ssh: generate SK config file using private cbor and fido2 libs
Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
pass -I paths to libcbor and libfido2's contrib src location.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34440
2022-03-05 19:57:22 -05:00
Ed Maste
92ef98b8fa ssh: use standalone config file for security key support
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled.  Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.

Reviewed by:	kevans
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34407
2022-03-02 09:35:12 -05:00
Ed Maste
f1421a8972 ssh: correct configure option name
The option is security-key-builtin not security-key-internal.  There is
no change to the generated config.h because the option defaults off
anyway.

MFC after:	3 days
Fixes:		87152f3405 ("ssh: disble internal security key...")
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:41:51 -05:00
Mark Johnston
9340d69e57 openssh: Add a note to check for deprecated and removed config options
Suggested by:	emaste
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2022-03-01 09:38:44 -05:00
Ed Maste
ab7d095969 ssh: add command to push tag to FREEBSD-upgrade instructions
Because it appears `git push --follow-tags` may push extra, undesired
tags document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).

Discussed with:	imp, lwhsu
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33605
2022-02-23 13:47:28 -05:00
Ed Maste
2e6ec1e4fe ssh: remove 11.x from FREEBSD-upgrade instructions
11.x is no longer supported.
2022-02-23 13:36:27 -05:00
Ed Maste
e38610abca ssh: remove unused header
Fixes:		0746301c49 ("ssh: pass 0 to procctl(2) to operate...")
Sponsored by:	The FreeBSD Foundation
2022-01-31 17:15:21 -05:00
Ed Maste
0746301c49 ssh: pass 0 to procctl(2) to operate on self
As of f833ab9dd1 procctl(2) allows idtype P_PID with id = 0 as a
shortcut for the calling process ID.  The shortcut also bypasses the
p_cansee / p_candebug test (since the process is able to act on itself.)

At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed.  This should likely be addressed
with a kernel change.

In any case the id = 0 shortcut is a tiny optimization for a process to
act on itself and allows the self-procctl to succeed, so use it in ssh.

Reported by:	Shawn Webb
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D33970
2022-01-20 19:54:49 -05:00
Gleb Smirnoff
ca573c9a17 sshd: update the libwrap patch to drop connections early
OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
maintain the patch ourselves since 2016 (a0ee8cc636).

Over the years, the libwrap support has deteriotated and probably
that was reason for removal upstream.  Original idea of libwrap was
to drop illegitimate connection as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.

The negative effects of late dropping is increasing attack surface
for hosts that are to be dropped anyway.  Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow still can trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively casting DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.

A only negative effect from early drop, that I can imagine, is that
now main listener parses file in /etc, and if our root filesystems
goes bad, it would get stuck.  But unlikely you'd be able to login
in that case anyway.

Implementation details:

- For brevity we reuse the same struct request_info.  This isn't
  a documented feature of libwrap, but code review, viewing data
  in a debugger and real life testing shows that if we clear
  RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log message exactly as libwrap's refuse() would do.

Differential revision:	https://reviews.freebsd.org/D33044
2022-01-02 18:32:30 -08:00
Ed Maste
8c22023ca5 ssh: disable RSA/SHA-1 signatures
From OpenSSH 8.8p1's release notes:

---

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

---

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:03:45 -05:00
Ed Maste
e9e8876a4d ssh: update to OpenSSH v8.8p1
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2021-12-19 11:02:02 -05:00
Ed Maste
bdcfd222ce Remove FREEBSD-vendor files
These files were intended to track version and perhaps maintainership
information for contrib software.  However, they were never used beyond
bzip2, netcat, and OpenSSH, and generally haven't been kept up to date
recently (my OpenSSH 8.7p1 update notwithstanding).  Just remove them to
avoid having confusing or outdated information.

Suggested by:	des
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-12-06 16:36:44 -05:00
Ed Maste
438fd19dc3 ssh: mention nanobsd config files in upgrade instructions
Sponsored by:	The FreeBSD Foundation
2021-11-20 16:38:18 -05:00
Ed Maste
e9a994639b ssh: enable FIDO/U2F keys
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

  This release adds support for FIDO/U2F hardware authenticators to
  OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
  authentication hardware that are widely used for website
  authentication.  In OpenSSH FIDO devices are supported by new public
  key types "ecdsa-sk" and "ed25519-sk", along with corresponding
  certificate types.

  ssh-keygen(1) may be used to generate a FIDO token-backed key, after
  which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware token is attached when the keys are
  used. FIDO tokens also generally require the user explicitly
  authorise operations by touching or tapping them.

  Generating a FIDO key requires the token be attached, and will
  usually require the user tap the token to confirm the operation:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
    Generating public/private ecdsa-sk key pair.
    You may need to touch your security key to authorize key generation.
    Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
    Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

  This will yield a public and private key-pair. The private key file
  should be useless to an attacker who does not have access to the
  physical token. After generation, this key may be used like any
  other supported key in OpenSSH and may be listed in authorized_keys,
  added to ssh-agent(1), etc. The only additional stipulation is that
  the FIDO token that the key belongs to must be attached when the key
  is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system.  In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by:	delphij, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32509
2021-11-04 13:01:44 -04:00
Ed Maste
87152f3405 ssh: disble internal security key support in generated config.h
We want to set ENABLE_SK_INTERNAL only when building with USB support.
We'll leave it off in config.h and enble it via our bespoke build's
Makefile.inc.

Sponsored by:	The FreeBSD Foundation
2021-11-01 15:45:37 -04:00
Ed Maste
172fa4aa75 OpenSSH: cherry-pick "need initgroups() before setresgid()"
From openssh-portable commits f3cbe43e28fe and bf944e3794ef.
2021-10-08 21:29:25 -04:00
Ed Maste
adb56e58e8 openssh: use global state for blacklist in grace_alarm_handler
Obtained from:	security/openssh-portable
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-16 14:10:11 -04:00
Ed Maste
0f9bafdfc3 openssh: pass ssh context to BLACKLIST_NOTIFY
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Sponsored by:	The FreeBSD Foundation
2021-09-14 13:44:39 -04:00
Ed Maste
1f290c707a openssh: regen config.h
Fixes:		19261079b7 ("openssh: update to OpenSSH v8.7p1")
Reported by:	O. Hartmann
Sponsored by:	The FreeBSD Foundation
2021-09-09 20:16:14 -04:00
Ed Maste
b645ee1815 openssh: remove update notes about upstreamed changes
Two local changes were committed upstream and are present in OpenSSH
8.7p1.  Remove references from FREEBSD-upgrade now that we have updated
to that version.
2021-09-09 09:57:22 -04:00
Ed Maste
0e642632e6 openssh: remove unnecessary $FreeBSD$ tags
Diff reduction against upstream: remove $FreeBSD$ tags from files where
the tag itself is the only difference from upstream.
2021-09-07 21:52:06 -04:00
Ed Maste
19261079b7 openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00
Ed Maste
b0025f9b7f openssh: update default version addendum in man pages
Fixes:		2f513db72b ("Upgrade to OpenSSH 7.9p1.")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2021-09-04 11:33:13 -04:00
Ed Maste
ba91e31f47 openssh: remove login class restrictions leftovers
MFC after:	2 weeks
Fixes:		27ceebbc24 ("openssh: simplify login class...")
Sponsored by:	The FreeBSD Foundation
2021-09-03 16:07:47 -04:00
Ed Maste
258f5f79bb openssh: restore local change to gssapi include logic
/usr/include/gssapi.h claims that it is deprecated, and gssapi/gssapi.h
should be used instead.  So, test HAVE_GSSAPI_GSSAPI_H first falling
back to HAVE_GSSAPI_H.

This will be submitted upstream.

Fixes:		6eac665c81 ("openssh: diff reduction against...")
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31810
2021-09-03 16:07:47 -04:00
Ed Maste
6eac665c81 openssh: diff reduction against upstream 7.9p1
Clean up whitespace and nonfunctional differences, and unused functions.
2021-09-02 15:10:44 -04:00
Ed Maste
c7b4c21ee4 openssh: regenerate freebsd-namespace.h
For some reason poly64 was omitted when this file was last generated
(perhaps it was inlined by the Clang version then in use).

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:45:14 -04:00
Ed Maste
b3e858f762 openssh: tag generated file with @generated
Tools like Phabricator use the @generated tag to identify files that
may be excluded from review by default.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-02 09:44:58 -04:00
Ed Maste
7b529268a5 openssh: regenerate config.h
Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h.  Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do
so.  Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed.  The state of these
two config.h settings should make no difference in the built OpenSSH.

Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
36cd1e5e8c openssh: disable libwrap (TCP wrappers) at configure time
We define LIBWRAP at build time in secure/usr.sbin/sshd/Makefile if
WITH_TCPWRAPPERS is in effect, so it should not be set in config.h.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:41 -04:00
Ed Maste
5e4dd21fd6 openssh: clarify krb5 use in freebsd-configure
freebsd-configure.sh runs configure twice, --with-kerberos5 and
--without-kerberos5, in order to build a config.h that defaults to
kerberos5 disabled, and a small config file that represents the
differences.

Rename config.h.orig to config.h.kerberos5 to clarify the intent of this
script.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2021-09-01 20:42:34 -04:00
Ed Maste
f3fd885074 openssh: update note about class-based login restrictions 2021-09-01 16:09:56 -04:00