Commit Graph

110 Commits

Author SHA1 Message Date
emaste
615e4a31ce sshd: allow UseBlocklist alias for UseBlacklist
blacklistd has been renamed to blocklistd upstream, and a future
import into FreeBSD will follow that change.  Support the new name
as an alias in config files.

Reviewed by:	bz, delphij
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25865
2020-07-29 00:34:24 +00:00
emaste
1d2f971c73 Upgrade to OpenSSH 7.9p1.
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
2020-02-14 19:06:59 +00:00
des
0a47c58bdd Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
des
13e42418d1 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
des
271dcc6a42 Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11.  For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
2018-05-08 23:13:11 +00:00
des
a2e5565774 Upgrade to OpenSSH 7.5p1. 2017-08-04 12:57:24 +00:00
des
c995370269 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
des
dc519490bb Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
lidl
7235884959 Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file.  This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.

Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().

Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.

Reviewed by:	des
Approved by:	des
MFC after:		1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D7051
2016-08-30 14:09:24 +00:00
des
291f74b116 Try to check whether each key file exists before adding it, and bail out
if we didn't find any of them.  This reduces log spam about key files for
deprecated algorithms, which we look for but don't generate.

PR:		208254
MFC after:	3 days
2016-08-08 10:46:18 +00:00
des
7b7845b35c Remove DSA from default cipher list and disable SSH1.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA.  Now is a good time to catch up.

MFC after:	3 days
Relnotes:	yes
2016-08-03 16:08:21 +00:00
des
bb6f58c772 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
des
bf4d314681 Switch UseDNS back on 2016-01-27 13:40:44 +00:00
des
150b570cfa Instead of removing the NoneEnabled option, mark it as unsupported.
(should have done this in r291198, but didn't think of it until now)
2016-01-22 13:13:46 +00:00
des
9b2207f860 Upgrade to OpenSSH 7.0p1. 2016-01-20 22:57:10 +00:00
des
b856a45731 Upgrade to OpenSSH 6.9p1. 2016-01-19 18:55:44 +00:00
des
76107b0880 Re-add HPN configuration options as deprecated options to avoid breaking
existing configurations that use them.  Note that there is no functional
difference between OpenSSH with HPN and OpenSSH without HPN.
2016-01-19 18:38:17 +00:00
des
7a7bc643b5 Upgrade to OpenSSH 6.8p1. 2016-01-19 18:28:23 +00:00
des
14172c52f8 Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.

MFC after:	1 week
2016-01-19 16:18:26 +00:00
des
43b4a69321 As previously threatened, remove the HPN patch from OpenSSH. 2016-01-19 14:38:20 +00:00
des
24641fd80b Retire the NONE cipher option. 2015-11-23 12:48:13 +00:00
des
72179a6f4b Remove /* $FreeBSD$ */ from files that already have __RCSID("$FreeBSD$"). 2015-11-11 13:26:47 +00:00
des
ae82763de4 Upgrade to OpenSSH 6.6p1. 2014-03-25 11:05:34 +00:00
des
b1dd5bd906 Turn sandboxing on by default. 2014-02-01 00:07:16 +00:00
des
7573e91b12 Upgrade to OpenSSH 6.5p1. 2014-01-31 13:12:02 +00:00
des
cda41f674d Upgrade to 6.3p1.
Approved by:	re (gjb)
2013-09-21 21:36:09 +00:00
des
df51273aa9 Revert a local change that sets the default for UsePrivilegeSeparation to
"sandbox" instead of "yes".  In sandbox mode, the privsep child is unable
to load additional libraries and will therefore crash when trying to take
advantage of crypto offloading on CPUs that support it.
2013-05-29 00:19:58 +00:00
des
b291eafe8d Upgrade to OpenSSH 6.2p1. The most important new features are support
for a key revocation list and more fine-grained authentication control.
2013-03-22 17:55:38 +00:00
des
00f3582ac6 Upgrade OpenSSH to 6.1p1. 2012-09-03 16:51:41 +00:00
ed
b36b72f154 Polish diff against upstream.
- Revert unneeded whitespace changes.
- Revert modifications to loginrec.c, as the upstream version already
  does the right thing.
- Fix indentation and whitespace of local changes.

Approved by:	des
MFC after:	1 month
2012-02-13 11:59:59 +00:00
des
038442ad80 Upgrade to OpenSSH 5.9p1.
MFC after:	3 months
2011-10-05 22:08:17 +00:00
brooks
0f65fdcb29 Add support for dynamically adjusted buffers to allow the full use of
the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or
trans-continental links).  Bandwidth-delay products up to 64MB are
supported.

Also add support (not compiled by default) for the None cypher.  The
None cypher can only be enabled on non-interactive sessions (those
without a pty where -T was not used) and must be enabled in both
the client and server configuration files and on the client command
line.  Additionally, the None cypher will only be activated after
authentication is complete.  To enable the None cypher you must add
-DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in
/etc/make.conf.

This code is a style(9) compliant version of these features extracted
from the patches published at:

http://www.psc.edu/networking/projects/hpn-ssh/

Merging this patch has been a collaboration between me and Bjoern.

Reviewed by:	bz
Approved by:	re (kib), des (maintainer)
2011-08-03 19:14:22 +00:00
des
ee2afa8165 Upgrade to OpenSSH 5.8p2. 2011-05-04 07:34:44 +00:00
des
59d1af2322 Upgrade to OpenSSH 5.6p1. 2010-11-11 11:46:19 +00:00
des
fc607a2e80 Upgrade to OpenSSH 5.5p1. 2010-04-28 10:36:33 +00:00
des
c3510f9e73 Upgrade to OpenSSH 5.4p1.
MFC after:	1 month
2010-03-09 19:16:43 +00:00
des
c6a1085fef Upgrade to OpenSSH 5.3p1. 2009-10-01 17:12:52 +00:00
des
8bf56a9772 Upgrade to OpenSSH 5.2p1.
MFC after:	3 months
2009-05-22 18:46:28 +00:00
des
b7aa600c41 Upgrade to OpenSSH 5.1p1.
I have worked hard to reduce diffs against the vendor branch.  One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago.  This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.

MFC after:	6 weeks
2008-08-01 02:48:36 +00:00
des
f1596419c2 Properly flatten openssh/dist. 2008-07-22 19:01:18 +00:00
des
666aa9cc16 Revert part of 180714 - the intent was to flatten dist, not to nuke it. 2008-07-22 18:58:19 +00:00
des
624d93001f Flatten the OpenSSH vendor tree for 3.x and newer. 2008-07-22 17:13:05 +00:00
des
4ff234ef46 Merge conflicts.
MFC after:	1 week
2006-09-30 13:38:06 +00:00
des
2f35ce4773 Vendor import of OpenSSH 4.4p1. 2006-09-30 13:29:51 +00:00
des
7c07891caf Merge conflicts. 2006-03-22 20:41:37 +00:00
des
448503722a Vendor import of OpenSSH 4.3p1. 2006-03-22 19:46:12 +00:00
des
88c7c9558b Resolve conflicts. 2005-09-03 07:04:25 +00:00
des
755a16fa86 Vendor import of OpenSSH 4.2p1. 2005-09-03 06:59:33 +00:00
des
983ad11a1c Resolve conflicts. 2005-06-05 15:46:09 +00:00
des
c4dfc1ed3b Vendor import of OpenSSH 4.1p1. 2005-06-05 15:41:57 +00:00