Compatibility with existing OpenSSL versions is maintained.
Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.
Trivial conflicts in sshkey.c and test_sshkey.c were resolved.
Connect libressl-api-compat.c to the build, and regenerate config.h
Reviewed by: des
Approved by: re (rgrimes)
MFC after: 2 seeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17444
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
Adjust notification points slightly to catch all auth failures,
rather than just the ones caused by bad usernames.
Modify notification point for bad usernames to send new type of
BLACKLIST_BAD_USER. (Support in libblacklist will be forthcoming soon.)
Add guards to allow library headers to expose the enum of action values.
Reviewed by: des
Approved by: des
Sponsored by: The FreeBSD Foundation
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file. This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.
Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().
Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.
Reviewed by: des
Approved by: des
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D7051
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.
Requested by: des
PR: 210479 (related)
Approved by: re (marius)
Sponsored by: The FreeBSD Foundation
Reviewed by: rpaulo
Approved by: rpaulo (earlier version of changes)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5915
I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.
MFC after: 6 weeks
that were never registered. At the same time handle a failure from
pam_setcreds with a bit more paranioa than the previous fix.
Sync a bit with the "Portable OpenSSH" work to make comparisons a easier.
