ssh: update to OpenSSH v8.8p1

OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation

crypto/openssh/.github/setup_ci.sh

@@ -11,6 +11,7 @@ TARGETS=$@
 
 PACKAGES=""
 INSTALL_FIDO_PPA="no"
+export DEBIAN_FRONTEND=noninteractive
 
 #echo "Setting up for '$TARGETS'"
 
@@ -54,6 +55,7 @@ for TARGET in $TARGETS; do
     openssl-*)
         INSTALL_OPENSSL=$(echo ${TARGET} | cut -f2 -d-)
         case ${INSTALL_OPENSSL} in
+          1.1.1_stable)	INSTALL_OPENSSL="OpenSSL_1_1_1-stable" ;;
           1.*)	INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
           3.*)	INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
         esac
@@ -78,8 +80,8 @@ done
 
 if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt update -qq
-    sudo apt install software-properties-common
-    sudo apt-add-repository ppa:yubico/stable
+    sudo apt install -qy software-properties-common
+    sudo apt-add-repository -y ppa:yubico/stable
 fi
 
 if [ "x" != "x$PACKAGES" ]; then 

crypto/openssh/.github/workflows/c-cpp.yml

@@ -31,7 +31,9 @@ jobs:
           - { os: ubuntu-latest, configs: libressl-2.2.9 }
           - { os: ubuntu-latest, configs: libressl-2.8.3 }
           - { os: ubuntu-latest, configs: libressl-3.0.2 }
-          - { os: ubuntu-latest, configs: libressl-3.2.5 }
+          - { os: ubuntu-latest, configs: libressl-3.2.6 }
+          - { os: ubuntu-latest, configs: libressl-3.3.4 }
+          - { os: ubuntu-latest, configs: libressl-3.4.0 }
           - { os: ubuntu-latest, configs: openssl-master }
           - { os: ubuntu-latest, configs: openssl-noec }
           - { os: ubuntu-latest, configs: openssl-1.0.1 }
@@ -40,6 +42,9 @@ jobs:
           - { os: ubuntu-latest, configs: openssl-1.1.0h }
           - { os: ubuntu-latest, configs: openssl-1.1.1 }
           - { os: ubuntu-latest, configs: openssl-1.1.1k }
+          - { os: ubuntu-latest, configs: openssl-3.0.0 }
+          - { os: ubuntu-latest, configs: openssl-1.1.1_stable } # stable branch
+          - { os: ubuntu-latest, configs: openssl-3.0 }          # stable branch
           - { os: ubuntu-18.04, configs: pam }
           - { os: ubuntu-18.04, configs: kerberos5 }
           - { os: ubuntu-18.04, configs: libedit }

crypto/openssh/README

@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#8.7p1 for the release notes.
+See https://www.openssh.com/releasenotes.html#8.8p1 for the release notes.
 
 Please read https://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or

crypto/openssh/auth-pam.c

@@ -887,6 +887,7 @@ sshpam_query(void *ctx, char **name, char **info,
 		case PAM_AUTH_ERR:
 			debug3("PAM: %s", pam_strerror(sshpam_handle, type));
 			if (**prompts != NULL && strlen(**prompts) != 0) {
+				free(*info);
 				*info = **prompts;
 				**prompts = NULL;
 				*num = 0;

crypto/openssh/channels.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.407 2021/05/19 01:24:05 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -629,9 +629,11 @@ channel_free(struct ssh *ssh, Channel *c)
 	debug("channel %d: free: %s, nchannels %u", c->self,
 	    c->remote_name ? c->remote_name : "???", n);
 
-	if (c->type == SSH_CHANNEL_MUX_CLIENT)
+	if (c->type == SSH_CHANNEL_MUX_CLIENT) {
 		mux_remove_remote_forwardings(ssh, c);
-	else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
+		free(c->mux_ctx);
+		c->mux_ctx = NULL;
+	} else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
 		free(c->mux_ctx);
 		c->mux_ctx = NULL;
 	}

crypto/openssh/clientloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.369 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1405,7 +1405,8 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
 	 * exit status to be returned.  In that case, clear error code if the
 	 * connection was deliberately terminated at this end.
 	 */
-	if (options.session_type == SESSION_TYPE_NONE && received_signal == SIGTERM) {
+	if (options.session_type == SESSION_TYPE_NONE &&
+	    received_signal == SIGTERM) {
 		received_signal = 0;
 		exit_status = 0;
 	}

crypto/openssh/compat.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.118 2021/06/06 03:40:39 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -69,7 +69,6 @@ compat_banner(struct ssh *ssh, const char *version)
 		  "OpenSSH_7.1*,"
 		  "OpenSSH_7.2*,"
 		  "OpenSSH_7.3*,"
-		  "OpenSSH_7.4*,"
 		  "OpenSSH_7.5*,"
 		  "OpenSSH_7.6*,"
 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},

crypto/openssh/config.h

@@ -1068,6 +1068,9 @@
 /* Define to 1 if you have the <priv.h> header file. */
 /* #undef HAVE_PRIV_H */
 
+/* Define to 1 if you have the `procctl' function. */
+#define HAVE_PROCCTL 1
+
 /* Define if you have /proc/$pid/fd */
 /* #undef HAVE_PROC_PID */
 
@@ -1492,6 +1495,9 @@
 /* Define to 1 if you have the <sys/prctl.h> header file. */
 /* #undef HAVE_SYS_PRCTL_H */
 
+/* Define to 1 if you have the <sys/procctl.h> header file. */
+#define HAVE_SYS_PROCCTL_H 1
+
 /* Define to 1 if you have the <sys/pstat.h> header file. */
 /* #undef HAVE_SYS_PSTAT_H */
 

crypto/openssh/configure.ac

@@ -454,6 +454,7 @@ AC_CHECK_HEADERS([ \
 	sys/ndir.h \
 	sys/poll.h \
 	sys/prctl.h \
+	sys/procctl.h \
 	sys/pstat.h \
 	sys/ptrace.h \
 	sys/random.h \
@@ -1925,6 +1926,7 @@ AC_CHECK_FUNCS([ \
 	pledge \
 	poll \
 	prctl \
+	procctl \
 	pselect \
 	pstat \
 	raise \
@@ -2818,7 +2820,8 @@ if test "x$openssl" = "xyes" ; then
 				;;
 			101*)   ;; # 1.1.x
 			200*)   ;; # LibreSSL
-			300*)   ;; # OpenSSL development branch.
+			300*)   ;; # OpenSSL 3
+			301*)   ;; # OpenSSL development branch.
 		        *)
 				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
 		                ;;
@@ -3157,7 +3160,6 @@ if test "x$openssl" = "xyes" ; then
 		AC_MSG_RESULT([no])
 	)
 
-	COMMENT_OUT_ECC="#no ecc#"
 	TEST_SSH_ECC=no
 
 	if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
@@ -3172,7 +3174,6 @@ if test "x$openssl" = "xyes" ; then
 		AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
 		    [libcrypto has NID_X9_62_prime256v1])
 		TEST_SSH_ECC=yes
-		COMMENT_OUT_ECC=""
 	else
 		unsupported_algorithms="$unsupported_algorithms \
 			ecdsa-sha2-nistp256 \
@@ -3182,7 +3183,6 @@ if test "x$openssl" = "xyes" ; then
 	if test x$enable_nistp384 = x1; then
 		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
 		TEST_SSH_ECC=yes
-		COMMENT_OUT_ECC=""
 	else
 		unsupported_algorithms="$unsupported_algorithms \
 			ecdsa-sha2-nistp384 \
@@ -3192,7 +3192,6 @@ if test "x$openssl" = "xyes" ; then
 	if test x$enable_nistp521 = x1; then
 		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
 		TEST_SSH_ECC=yes
-		COMMENT_OUT_ECC=""
 	else
 		unsupported_algorithms="$unsupported_algorithms \
 			ecdh-sha2-nistp521 \
@@ -3201,7 +3200,6 @@ if test "x$openssl" = "xyes" ; then
 	fi
 
 	AC_SUBST([TEST_SSH_ECC])
-	AC_SUBST([COMMENT_OUT_ECC])
 else
 	AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
 	AC_CHECK_FUNCS([crypt])

crypto/openssh/contrib/redhat/openssh.spec

@@ -1,4 +1,4 @@
-%global ver 8.7p1
+%global ver 8.8p1
 %global rel 1%{?dist}
 
 # OpenSSH privilege separation requires a user & group ID

crypto/openssh/contrib/redhat/sshd.init.old

@@ -1,155 +0,0 @@
-#!/bin/bash
-#
-# Init file for OpenSSH server daemon
-#
-# chkconfig: 2345 55 25
-# description: OpenSSH server daemon
-#
-# processname: sshd
-# config: /etc/ssh/ssh_host_key
-# config: /etc/ssh/ssh_host_key.pub
-# config: /etc/ssh/ssh_random_seed
-# config: /etc/ssh/sshd_config
-# pidfile: /var/run/sshd.pid
-
-# source function library
-. /etc/rc.d/init.d/functions
-
-# pull in sysconfig settings
-[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
-
-RETVAL=0
-prog="sshd"
-
-# Some functions to make the below more readable
-KEYGEN=/usr/bin/ssh-keygen
-SSHD=/usr/sbin/sshd
-RSA_KEY=/etc/ssh/ssh_host_rsa_key
-DSA_KEY=/etc/ssh/ssh_host_dsa_key
-PID_FILE=/var/run/sshd.pid
-
-my_success() {
-  local msg
-  if [ $# -gt 1 ]; then
-    msg="$2"
-  else
-    msg="done"
-  fi
-  case "`type -type success`" in
-    function)
-      success "$1"
-    ;;
-    *)
-      echo -n "${msg}"
-    ;;
-  esac
-}
-my_failure() {
-  local msg
-  if [ $# -gt 1 ]; then
-    msg="$2"
-  else
-    msg="FAILED"
-  fi
-  case "`type -type failure`" in
-    function)
-      failure "$1"
-    ;;
-    *)
-      echo -n "${msg}"
-    ;;
-  esac
-}
-do_rsa_keygen() {
-	if [ ! -s $RSA_KEY ]; then
-		echo -n "Generating SSH2 RSA host key: "
-		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
-			chmod 600 $RSA_KEY
-			chmod 644 $RSA_KEY.pub
-			my_success "RSA key generation"
-			echo
-		else
-			my_failure "RSA key generation"
-			echo
-			exit 1
-		fi
-	fi
-}
-do_dsa_keygen() {
-	if [ ! -s $DSA_KEY ]; then
-		echo -n "Generating SSH2 DSA host key: "
-		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
-			chmod 600 $DSA_KEY
-			chmod 644 $DSA_KEY.pub
-			my_success "DSA key generation"
-			echo
-		else
-			my_failure "DSA key generation"
-			echo
-			exit 1
-		fi
-	fi
-}
-do_restart_sanity_check() {
-	$SSHD -t
-	RETVAL=$?
-	if [ ! "$RETVAL" = 0 ]; then
-		my_failure "Configuration file or keys"
-		echo
-	fi
-}
-
-
-case "$1" in
-	start)
-		# Create keys if necessary
-		do_rsa_keygen;
-		do_dsa_keygen;
-		
-		echo -n "Starting sshd: "
-		if [ ! -f $PID_FILE ] ; then
-			sshd $OPTIONS
-			RETVAL=$?
-			if [ "$RETVAL" = "0" ] ; then
-				my_success "sshd startup" "sshd"
-				touch /var/lock/subsys/sshd
-			else
-				my_failure "sshd startup" ""
-			fi
-		fi
-		echo
-		;;
-	stop)
-		echo -n "Shutting down sshd: "
-		if [ -f $PID_FILE ] ; then
-			killproc sshd
-			RETVAL=$?
-			[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
-		fi
-		echo
-		;;
-	restart)
-		do_restart_sanity_check
-		$0 stop
-		$0 start
-		RETVAL=$?
-		;;
-	condrestart)
-		if [ -f /var/lock/subsys/sshd ] ; then
-			do_restart_sanity_check
-			$0 stop
-			$0 start
-			RETVAL=$?
-		fi
-		;;
-	status)
-		status sshd
-		RETVAL=$?
-		;;
-	*)
-		echo "Usage: sshd {start|stop|restart|status|condrestart}"
-		exit 1
-		;;
-esac
-
-exit $RETVAL

crypto/openssh/contrib/redhat/sshd.pam.old

@@ -1,8 +0,0 @@
-#%PAM-1.0
-auth       required     /lib/security/pam_pwdb.so shadow nodelay
-auth       required     /lib/security/pam_nologin.so
-account    required     /lib/security/pam_pwdb.so
-password   required     /lib/security/pam_cracklib.so
-password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
-session    required     /lib/security/pam_pwdb.so
-session    required     /lib/security/pam_limits.so

crypto/openssh/contrib/suse/openssh.spec

@@ -13,7 +13,7 @@
 
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	8.7p1
+Version:	8.8p1
 URL:		https://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz

crypto/openssh/log.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.59 2021/05/07 04:11:51 djm Exp $ */
+/* $OpenBSD: log.c,v 1.60 2021/09/16 15:11:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -346,6 +346,7 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
 	int pri = LOG_INFO;
 	int saved_errno = errno;
 	log_handler_fn *tmp_handler;
+	const char *progname = argv0 != NULL ? argv0 : __progname;
 
 	if (!force && level > log_level)
 		return;
@@ -403,16 +404,18 @@ do_log(LogLevel level, int force, const char *suffix, const char *fmt,
 		tmp_handler(level, force, fmtbuf, log_handler_ctx);
 		log_handler = tmp_handler;
 	} else if (log_on_stderr) {
-		snprintf(msgbuf, sizeof msgbuf, "%.*s\r\n",
+		snprintf(msgbuf, sizeof msgbuf, "%s%s%.*s\r\n",
+		    (log_on_stderr > 1) ? progname : "",
+		    (log_on_stderr > 1) ? ": " : "",
 		    (int)sizeof msgbuf - 3, fmtbuf);
 		(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
 	} else {
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
-		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
+		openlog_r(progname, LOG_PID, log_facility, &sdata);
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
 		closelog_r(&sdata);
 #else
-		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
+		openlog(progname, LOG_PID, log_facility);
 		syslog(pri, "%.500s", fmtbuf);
 		closelog();
 #endif

crypto/openssh/openbsd-compat/bsd-pselect.c

@@ -188,7 +188,7 @@ pselect(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds,
 	if (unmasked) {
 		pselect_notify_setup();
 		pselect_notify_prepare(readfds);
-		nfds = MAX(nfds, notify_pipe[0]);
+		nfds = MAX(nfds, notify_pipe[0] + 1);
 	}
 
 	/* Unmask signals, call select then restore signal mask. */

crypto/openssh/opensshd.init.in

@@ -17,26 +17,6 @@ PIDFILE=$piddir/sshd.pid
 PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
 [ X$PidFile = X ]  ||  PIDFILE=$PidFile
 SSH_KEYGEN=$prefix/bin/ssh-keygen
-HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
-HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
-@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$sysconfdir/ssh_host_ed25519_key
-
-
-checkkeys() {
-    if [ ! -f $HOST_KEY_DSA ]; then
-	${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
-    fi
-    if [ ! -f $HOST_KEY_RSA ]; then
-	${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
-    fi
-@COMMENT_OUT_ECC@    if [ ! -f $HOST_KEY_ECDSA ]; then
-@COMMENT_OUT_ECC@	${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
-@COMMENT_OUT_ECC@    fi
-    if [ ! -f $HOST_KEY_ED25519 ]; then
-	${SSH_KEYGEN} -t ed25519 -f ${HOST_KEY_ED25519} -N ""
-    fi
-}
 
 stop_service() {
     if [  -r $PIDFILE  -a  ! -z ${PIDFILE}  ]; then
@@ -54,7 +34,7 @@ start_service() {
     # XXX we will opt out at this time. - Bal
 
     # Check to see if we have keys that need to be made
-    checkkeys
+    ${SSH_KEYGEN} -A
 
     # Start SSHD
     echo "starting $SSHD... \c"         ; $SSHD

crypto/openssh/platform-tracing.c

@@ -17,6 +17,9 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#ifdef HAVE_SYS_PROCCTL_H
+#include <sys/procctl.h>
+#endif
 #if defined(HAVE_SYS_PRCTL_H)
 #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
 #endif
@@ -27,12 +30,20 @@
 #include <priv.h> /* For setpflags() and __PROC_PROTECT  */
 #endif
 #include <stdarg.h>
+#include <unistd.h>
 
 #include "log.h"
 
 void
 platform_disable_tracing(int strict)
 {
+#if defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
+	/* On FreeBSD, we should make this process untraceable */
+	int disable_trace = PROC_TRACE_CTL_DISABLE;
+
+	if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
+		fatal("unable to make the process untraceable");
+#endif
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/* Disable ptrace on Linux without sgid bit */
 	if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)

crypto/openssh/readconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.361 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2038,11 +2038,23 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
 
 	case oCanonicalizePermittedCNAMEs:
 		value = options->num_permitted_cnames != 0;
+		i = 0;
 		while ((arg = argv_next(&ac, &av)) != NULL) {
-			/* Either '*' for everything or 'list:list' */
-			if (strcmp(arg, "*") == 0)
+			/*
+			 * Either 'none' (only in first position), '*' for
+			 * everything or 'list:list'
+			 */
+			if (strcasecmp(arg, "none") == 0) {
+				if (i > 0 || ac > 0) {
+					error("%s line %d: keyword %s \"none\" "
+					    "argument must appear alone.",
+					    filename, linenum, keyword);
+					goto out;
+				}
+				arg2 = "";
+			} else if (strcmp(arg, "*") == 0) {
 				arg2 = arg;
-			else {
+			} else {
 				lowercase(arg);
 				if ((arg2 = strchr(arg, ':')) == NULL ||
 				    arg2[1] == '\0') {
@@ -2054,6 +2066,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
 				*arg2 = '\0';
 				arg2++;
 			}
+			i++;
 			if (!*activep || value)
 				continue;
 			if (options->num_permitted_cnames >=
@@ -2307,6 +2320,20 @@ option_clear_or_none(const char *o)
 	return o == NULL || strcasecmp(o, "none") == 0;
 }
 
+/*
+ * Returns 1 if CanonicalizePermittedCNAMEs have been specified, 0 otherwise.
+ * Allowed to be called on non-final configuration.
+ */
+int
+config_has_permitted_cnames(Options *options)
+{
+	if (options->num_permitted_cnames == 1 &&
+	    strcasecmp(options->permitted_cnames[0].source_list, "none") == 0 &&
+	    strcmp(options->permitted_cnames[0].target_list, "") == 0)
+		return 0;
+	return options->num_permitted_cnames > 0;
+}
+
 /*
  * Initializes options to special values that indicate that they have not yet
  * been set.  Read_config_file will only set options with this value. Options
@@ -2682,6 +2709,15 @@ fill_default_options(Options * options)
 		free(options->jump_host);
 		options->jump_host = NULL;
 	}
+	if (options->num_permitted_cnames == 1 &&
+	    !config_has_permitted_cnames(options)) {
+		/* clean up CanonicalizePermittedCNAMEs=none */
+		free(options->permitted_cnames[0].source_list);
+		free(options->permitted_cnames[0].target_list);
+		memset(options->permitted_cnames, '\0',
+		    sizeof(*options->permitted_cnames));
+		options->num_permitted_cnames = 0;
+	}
 	/* options->identity_agent distinguishes NULL from 'none' */
 	/* options->user will be set in the main program if appropriate */
 	/* options->hostname will be set in the main program if appropriate */
@@ -3399,14 +3435,14 @@ dump_client_config(Options *o, const char *host)
 	printf("\n");
 
 	/* oCanonicalizePermittedCNAMEs */
-	if ( o->num_permitted_cnames > 0) {
-		printf("canonicalizePermittedcnames");
-		for (i = 0; i < o->num_permitted_cnames; i++) {
-			printf(" %s:%s", o->permitted_cnames[i].source_list,
-			    o->permitted_cnames[i].target_list);
-		}
-		printf("\n");
+	printf("canonicalizePermittedcnames");
+	if (o->num_permitted_cnames == 0)
+		printf(" none");
+	for (i = 0; i < o->num_permitted_cnames; i++) {
+		printf(" %s:%s", o->permitted_cnames[i].source_list,
+		    o->permitted_cnames[i].target_list);
 	}
+	printf("\n");
 
 	/* oControlPersist */
 	if (o->control_persist == 0 || o->control_persist_timeout == 0)

crypto/openssh/readconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.145 2021/09/15 06:56:01 djm Exp $ */
 /* $FreeBSD$ */
 
 /*
@@ -231,6 +231,7 @@ int	 parse_jump(const char *, Options *, int);
 int	 parse_ssh_uri(const char *, char **, char **, int *);
 int	 default_ssh_port(void);
 int	 option_clear_or_none(const char *);
+int	 config_has_permitted_cnames(Options *);
 void	 dump_client_config(Options *o, const char *host);
 
 void	 add_local_forward(Options *, const struct Forward *);

crypto/openssh/regress/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.116 2021/08/04 21:28:00 djm Exp $
+#	$OpenBSD: Makefile,v 1.117 2021/09/03 04:11:13 dtucker Exp $
 
 tests:		prep file-tests t-exec unit
 
@@ -27,6 +27,7 @@ LTESTS= 	connect \
 		proto-version \
 		proto-mismatch \
 		exit-status \
+		exit-status-signal \
 		envpass \
 		transfer \
 		banner \

crypto/openssh/regress/agent-getpeereid.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
+#	$OpenBSD: agent-getpeereid.sh,v 1.13 2021/09/01 00:50:27 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -10,19 +10,15 @@ SSH_AUTH_SOCK=/nonexistent
 if config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then
 	:
 else
-	echo "skipped (not supported on this platform)"
-	exit 0
+	skip "skipped (not supported on this platform)"
 fi
 case "x$SUDO" in
 	xsudo) sudo=1;;
 	xdoas|xdoas\ *) ;;
 	x)
-		echo "need SUDO to switch to uid $UNPRIV"
-		echo SKIPPED
-		exit 0 ;;
+		skip "need SUDO to switch to uid $UNPRIV" ;;
 	*)
-		echo "unsupported $SUDO - "doas" and "sudo" are allowed"
-		exit 0 ;;
+		skip "unsupported $SUDO - "doas" and "sudo" are allowed" ;;
 esac
 
 trace "start agent"

crypto/openssh/regress/exit-status-signal.sh

@@ -0,0 +1,24 @@
+# This test performs validation that ssh client is not successive on being terminated
+
+tid="exit status on signal"
+
+# spawn client in background
+rm -f $OBJ/remote_pid
+${SSH} -F $OBJ/ssh_proxy somehost 'echo $$ >'$OBJ'/remote_pid; sleep 444' &
+ssh_pid=$!
+
+# wait for it to start
+n=20
+while [ ! -f $OBJ/remote_pid ] && [ $n -gt 0 ]; do
+	n=$(($n - 1))
+	sleep 1
+done
+
+kill $ssh_pid
+wait $ssh_pid
+exit_code=$?
+
+if [ $exit_code -eq 0 ]; then
+	fail "ssh client should fail on signal"
+fi
+

crypto/openssh/regress/hostkey-rotate.sh

@@ -3,6 +3,25 @@
 
 tid="hostkey rotate"
 
+#
+# GNU (f)grep <=2.18, as shipped by FreeBSD<=12 and NetBSD<=9 will occasionally
+# fail to find ssh host keys in the hostkey-rotate test.  If we have those
+# versions, use awk instead.
+# See # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258616
+#
+case `grep --version 2>&1 | awk '/GNU grep/{print $4}'` in
+2.19)			fgrep=good ;;
+1.*|2.?|2.?.?|2.1?)	fgrep=bad ;;	# stock GNU grep
+2.5.1*)			fgrep=bad ;;	# FreeBSD and NetBSD
+*)			fgrep=good ;;
+esac
+if test "x$fgrep" = "xbad"; then
+	fgrep()
+{
+	awk 'BEGIN{e=1} {if (index($0,"'$1'")>0){e=0;print}} END{exit e}' $2
+}
+fi
+
 rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig $OBJ/ssh_proxy.orig
 
 grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig

crypto/openssh/regress/keys-command.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
+#	$OpenBSD: keys-command.sh,v 1.7 2021/09/01 00:50:27 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="authorized keys from command"
@@ -77,5 +77,5 @@ if [ -x $KEY_COMMAND ]; then
 		fail "connect failed"
 	fi
 else
-	echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
+	skip "$KEY_COMMAND not executable (/var/run mounted noexec?)"
 fi

crypto/openssh/regress/putty-ciphers.sh

@@ -1,11 +1,17 @@
-#	$OpenBSD: putty-ciphers.sh,v 1.7 2020/01/23 03:35:07 dtucker Exp $
+#	$OpenBSD: putty-ciphers.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="putty ciphers"
 
 if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
-	echo "putty interop tests not enabled"
-	exit 0
+	skip "putty interop tests not enabled"
+fi
+
+# Re-enable ssh-rsa on older PuTTY versions.
+oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
+if [ "x$oldver" = "xyes" ]; then
+	echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
 fi
 
 for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do

crypto/openssh/regress/putty-kex.sh

@@ -1,11 +1,17 @@
-#	$OpenBSD: putty-kex.sh,v 1.5 2020/01/23 03:24:38 dtucker Exp $
+#	$OpenBSD: putty-kex.sh,v 1.9 2021/09/01 03:16:06 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="putty KEX"
 
 if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
-	echo "putty interop tests not enabled"
-	exit 0
+	skip "putty interop tests not enabled"
+fi
+
+# Re-enable ssh-rsa on older PuTTY versions.
+oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
+if [ "x$oldver" = "xyes" ]; then
+	echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
 fi
 
 for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do

crypto/openssh/regress/putty-transfer.sh

@@ -1,11 +1,17 @@
-#	$OpenBSD: putty-transfer.sh,v 1.7 2020/01/23 11:19:12 dtucker Exp $
+#	$OpenBSD: putty-transfer.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="putty transfer data"
 
 if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
-	echo "putty interop tests not enabled"
-	exit 0
+	skip "putty interop tests not enabled"
+fi
+
+# Re-enable ssh-rsa on older PuTTY versions.
+oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
+if [ "x$oldver" = "xyes" ]; then
+	echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+	echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
 fi
 
 if [ "`${SSH} -Q compression`" = "none" ]; then

crypto/openssh/regress/sftp-chroot.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: sftp-chroot.sh,v 1.7 2018/11/22 08:48:32 dtucker Exp $
+#	$OpenBSD: sftp-chroot.sh,v 1.8 2021/09/01 00:50:27 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="sftp in chroot"
@@ -9,14 +9,11 @@ PRIVDATA=${CHROOT}/${FILENAME}
 trap "${SUDO} rm -f ${PRIVDATA}" 0
 
 if [ -z "$SUDO" -a ! -w /var/run ]; then
-	echo "need SUDO to create file in /var/run, test won't work without"
-	echo SKIPPED
-	exit 0
+	skip "need SUDO to create file in /var/run, test won't work without"
 fi
 
 if ! $OBJ/check-perm -m chroot "$CHROOT" ; then
-  echo "skipped: $CHROOT is unsuitable as ChrootDirectory"
-  exit 0
+  skip "$CHROOT is unsuitable as ChrootDirectory"
 fi
 
 $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \

crypto/openssh/regress/sshfp-connect.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: sshfp-connect.sh,v 1.2 2021/07/19 08:48:33 dtucker Exp $
+#	$OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
 #	Placed in the Public Domain.
 
 # This test requires external setup and thus is skipped unless
@@ -24,9 +24,11 @@
 
 tid="sshfp connect"
 
-if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
-    $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
-
+if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
+	skip "RSA keys not supported."
+elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
+	skip "TEST_SSH_SSHFP_DOMAIN not set."
+else
 	# Set RSA host key to match fingerprints above.
 	mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 	$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
@@ -45,7 +47,7 @@ if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
 		trace "sshfp connect $n good fingerprint"
 		host="${n}.dtucker.net"
 		opts="-F $OBJ/ssh_proxy -o VerifyHostKeyDNS=yes "
-		opts="$opts -o HostKeyAlgorithms=ssh-rsa"
+		opts="$opts -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256"
 		host="${n}.${TEST_SSH_SSHFP_DOMAIN}"
 		SSH_CONNECTION=`${SSH} $opts $host 'echo $SSH_CONNECTION'`
 		if [ $? -ne 0 ]; then
@@ -61,6 +63,4 @@ if [ ! -z "${TEST_SSH_SSHFP_DOMAIN}" ] && \
 			fail "sshfp-connect succeeded with bad SSHFP record"
 		fi
 	done
-else
-	echo SKIPPED: TEST_SSH_SSHFP_DOMAIN not set.
 fi

crypto/openssh/regress/test-exec.sh

@@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.86 2021/08/08 08:27:28 dtucker Exp $
+#	$OpenBSD: test-exec.sh,v 1.87 2021/09/01 00:50:27 dtucker Exp $
 #	Placed in the Public Domain.
 
 #SUDO=sudo
@@ -462,6 +462,14 @@ fatal ()
 	exit $RESULT
 }
 
+# Skip remaining tests in script.
+skip ()
+{
+	echo "SKIPPED: $@"
+	cleanup
+	exit $RESULT
+}
+
 RESULT=0
 PIDFILE=$OBJ/pidfile
 

crypto/openssh/scp.1

@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.105 2021/09/20 06:53:56 djm Exp $
 .\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: September 20 2021 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -37,9 +37,6 @@ It uses
 .Xr ssh 1
 for data transfer, and uses the same authentication and provides the
 same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
 .Pp
 .Nm
 will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,7 @@ The options are as follows:
 Copies between two remote hosts are transferred through the local host.
 Without this option the data is copied directly between the two remote
 hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the original SCP protocol (the default), this option
 selects batch mode for the second host as
 .Nm
 cannot ask for passwords or passphrases for both hosts.
@@ -112,7 +109,7 @@ This option is directly passed to
 .Xr ssh 1 .
 .It Fl D Ar sftp_server_path
 When using the SFTP protocol support via
-.Fl M ,
+.Fl s ,
 connect directly to a local SFTP server program rather than a
 remote one via
 .Xr ssh 1 .
@@ -144,10 +141,12 @@ This option is directly passed to
 .It Fl l Ar limit
 Limits the used bandwidth, specified in Kbit/s.
 .It Fl O
-Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+Use the original SCP protocol for file transfers instead of the SFTP protocol.
 Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
+not implement SFTP, for backwards-compatibility for particular filename
+wildcard patterns and for expanding paths with a
+.Sq ~
+prefix for older SFTP servers.
 This mode is the default.
 .It Fl o Ar ssh_option
 Can be used to pass options to
@@ -229,10 +228,10 @@ Note that this option is written with a capital
 .Sq P ,
 because
 .Fl p
-is already reserved for preserving the times and modes of the file.
+is already reserved for preserving the times and mode bits of the file.
 .It Fl p
-Preserves modification times, access times, and modes from the
-original file.
+Preserves modification times, access times, and file mode bits from the
+source file.
 .It Fl q
 Quiet mode: disables the progress meter as well as warning and diagnostic
 messages from
@@ -259,15 +258,7 @@ The program must understand
 .Xr ssh 1
 options.
 .It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
+Use the SFTP protocol for transfers rather than the original scp protocol.
 .It Fl T
 Disable strict filename checking.
 By default when copying files from a remote host to a local directory
@@ -307,3 +298,10 @@ source code from the Regents of the University of California.
 .Sh AUTHORS
 .An Timo Rinne Aq Mt tri@iki.fi
 .An Tatu Ylonen Aq Mt ylo@cs.hut.fi
+.Sh CAVEATS
+The original SCP protocol (used by default) requires execution of the
+remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.

crypto/openssh/scp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
+/* $OpenBSD: scp.c,v 1.239 2021/09/20 06:53:56 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -467,7 +467,7 @@ main(int argc, char **argv)
 
 	__progname = ssh_get_progname(argv[0]);
 
-	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
+	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
 
 	memset(&args, '\0', sizeof(args));
 	memset(&remote_remote_args, '\0', sizeof(remote_remote_args));
@@ -588,7 +588,7 @@ main(int argc, char **argv)
 	argc -= optind;
 	argv += optind;
 
-	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 1);
+	log_init(argv0, log_level, SYSLOG_FACILITY_USER, 2);
 
 	/* Do this last because we want the user to be able to override it */
 	addargs(&args, "-oForwardAgent=no");
@@ -652,7 +652,7 @@ main(int argc, char **argv)
 	 * Finally check the exit status of the ssh process, if one was forked
 	 * and no error has occurred yet
 	 */
-	if (do_cmd_pid != -1 && errs == 0) {
+	if (do_cmd_pid != -1 && (mode == MODE_SFTP || errs == 0)) {
 		if (remin != -1)
 		    (void) close(remin);
 		if (remout != -1)
@@ -1213,8 +1213,7 @@ tolocal(int argc, char **argv, enum scp_mode_e mode, char *sftp_direct)
 			conn = do_sftp_connect(host, suser, sport,
 			    sftp_direct, &remin, &remout, &do_cmd_pid);
 			if (conn == NULL) {
-				error("Couldn't make sftp connection "
-				    "to server");
+				error("sftp connection failed");
 				++errs;
 				continue;
 			}
@@ -1261,7 +1260,8 @@ prepare_remote_path(struct sftp_conn *conn, const char *path)
 	if (can_expand_path(conn))
 		return do_expand_path(conn, path);
 	/* No protocol extension */
-	error("~user paths are not currently supported");
+	error("server expand-path extension is required "
+	    "for ~user paths in SFTP mode");
 	return NULL;
 }
 
@@ -1296,11 +1296,14 @@ source_sftp(int argc, char *src, char *targ, struct sftp_conn *conn)
 	if (local_is_dir(src) && iamrecursive) {
 		if (upload_dir(conn, src, abs_dst, pflag,
 		    SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
-			fatal("failed to upload directory %s to %s",
+			error("failed to upload directory %s to %s",
 				src, abs_dst);
+			errs = 1;
 		}
-	} else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0)
-		fatal("failed to upload file %s to %s", src, abs_dst);
+	} else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) {
+		error("failed to upload file %s to %s", src, abs_dst);
+		errs = 1;
+	}
 
 	free(abs_dst);
 	free(target);
@@ -1490,9 +1493,9 @@ sink_sftp(int argc, char *dst, const char *src, struct sftp_conn *conn)
 	debug3_f("copying remote %s to local %s", abs_src, dst);
 	if ((r = remote_glob(conn, abs_src, GLOB_MARK, NULL, &g)) != 0) {
 		if (r == GLOB_NOSPACE)
-			error("Too many glob matches for \"%s\".", abs_src);
+			error("%s: too many glob matches", abs_src);
 		else
-			error("File \"%s\" not found.", abs_src);
+			error("%s: %s", abs_src, strerror(ENOENT));
 		err = -1;
 		goto out;
 	}
@@ -1537,9 +1540,8 @@ sink_sftp(int argc, char *dst, const char *src, struct sftp_conn *conn)
 	free(abs_src);
 	free(tmp);
 	globfree(&g);
-	if (err == -1) {
-		fatal("Failed to download file '%s'", src);
-	}
+	if (err == -1)
+		errs = 1;
 }
 
 
@@ -1887,7 +1889,7 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
 
 	targetisdir = remote_is_dir(to, target);
 	if (!targetisdir && targetshouldbedirectory) {
-		error("Destination path \"%s\" is not a directory", target);
+		error("%s: destination is not a directory", target);
 		err = -1;
 		goto out;
 	}
@@ -1895,9 +1897,9 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
 	debug3_f("copying remote %s to remote %s", abs_src, target);
 	if ((r = remote_glob(from, abs_src, GLOB_MARK, NULL, &g)) != 0) {
 		if (r == GLOB_NOSPACE)
-			error("Too many glob matches for \"%s\".", abs_src);
+			error("%s: too many glob matches", abs_src);
 		else
-			error("File \"%s\" not found.", abs_src);
+			error("%s: %s", abs_src, strerror(ENOENT));
 		err = -1;
 		goto out;
 	}
@@ -1938,7 +1940,7 @@ throughlocal_sftp(struct sftp_conn *from, struct sftp_conn *to,
 	free(tmp);
 	globfree(&g);
 	if (err == -1)
-		fatal("Failed to download file '%s'", src);
+		errs = 1;
 }
 
 int

crypto/openssh/servconf.c

@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.382 2021/09/06 00:36:01 millert Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -501,9 +501,8 @@ typedef enum {
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken, sChallengeResponseAuthentication,
-	sPasswordAuthentication, sKbdInteractiveAuthentication,
-	sListenAddress, sAddressFamily,
+	sKerberosGetAFSToken, sPasswordAuthentication,
+	sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,

crypto/openssh/sftp-client.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.154 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.155 2021/09/03 05:12:25 dtucker Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -2039,7 +2039,6 @@ upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
 	if (print_flag && print_flag != SFTP_PROGRESS_ONLY)
 		mprintf("Entering %s\n", src);
 
-	attrib_clear(&a);
 	stat_to_attrib(&sb, &a);
 	a.flags &= ~SSH2_FILEXFER_ATTR_SIZE;
 	a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID;

crypto/openssh/sftp-realpath.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: sftp-realpath.c,v 1.1 2019/07/05 04:55:40 djm Exp $ */
+/*	$OpenBSD: sftp-realpath.c,v 1.2 2021/09/02 21:03:54 deraadt Exp $ */
 /*
  * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
  *
@@ -30,7 +30,6 @@
 #include "includes.h"
 
 #include <sys/types.h>
-#include <sys/param.h>
 #include <sys/stat.h>
 
 #include <errno.h>

crypto/openssh/sftp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.211 2021/08/12 09:59:00 schwarze Exp $ */
+/* $OpenBSD: sftp.c,v 1.212 2021/09/11 09:05:50 schwarze Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -2204,28 +2204,31 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
 	interactive = !batchmode && isatty(STDIN_FILENO);
 	err = 0;
 	for (;;) {
+		struct sigaction sa;
+
+		interrupted = 0;
+		memset(&sa, 0, sizeof(sa));
+		sa.sa_handler = interactive ? read_interrupt : killchild;
+		if (sigaction(SIGINT, &sa, NULL) == -1) {
+			debug3("sigaction(%s): %s", strsignal(SIGINT),
+			    strerror(errno));
+			break;
+		}
 		if (el == NULL) {
 			if (interactive)
 				printf("sftp> ");
 			if (fgets(cmd, sizeof(cmd), infile) == NULL) {
 				if (interactive)
 					printf("\n");
+				if (interrupted)
+					continue;
 				break;
 			}
 		} else {
 #ifdef USE_LIBEDIT
 			const char *line;
 			int count = 0;
-			struct sigaction sa;
 
-			interrupted = 0;
-			memset(&sa, 0, sizeof(sa));
-			sa.sa_handler = read_interrupt;
-			if (sigaction(SIGINT, &sa, NULL) == -1) {
-				debug3("sigaction(%s): %s",
-				    strsignal(SIGINT), strerror(errno));
-				break;
-			}
 			if ((line = el_gets(el, &count)) == NULL ||
 			    count <= 0) {
 				printf("\n");

crypto/openssh/ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.435 2021/08/11 08:54:17 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2680,7 +2680,8 @@ sig_process_opts(char * const *opts, size_t nopts, uint64_t *verify_timep,
 	time_t now;
 
 	*verify_timep = 0;
-	*print_pubkey = 0;
+	if (print_pubkey != NULL)
+		*print_pubkey = 0;
 	for (i = 0; i < nopts; i++) {
 		if (strncasecmp(opts[i], "verify-time=", 12) == 0) {
 			if (parse_absolute_time(opts[i] + 12,

crypto/openssh/ssh.1

@@ -33,9 +33,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.425 2021/07/28 05:57:42 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.427 2021/09/10 10:26:02 dtucker Exp $
 .\" $FreeBSD$
-.Dd $Mdocdate: July 28 2021 $
+.Dd $Mdocdate: September 10 2021 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -66,7 +66,7 @@
 .Op Fl W Ar host : Ns Ar port
 .Op Fl w Ar local_tun Ns Op : Ns Ar remote_tun
 .Ar destination
-.Op Ar command
+.Op Ar command Op Ar argument ...
 .Sh DESCRIPTION
 .Nm
 (SSH client) is a program for logging into a remote machine and for
@@ -95,7 +95,12 @@ their identity to the remote machine using one of several methods
 If a
 .Ar command
 is specified,
-it is executed on the remote host instead of a login shell.
+it will be executed on the remote host instead of a login shell.
+A complete command line may be specified as
+.Ar command ,
+or it may have additional arguments.
+If supplied, the arguments will be appended to the command, separated by
+spaces, before it is sent to the server to be executed.
 .Pp
 The options are as follows:
 .Pp
@@ -289,6 +294,10 @@ authentication.
 .It Fl i Ar identity_file
 Selects a file from which the identity (private key) for
 public key authentication is read.
+You can also specify a public key file to use the corresponding
+private key that is loaded in
+.Xr ssh-agent 1
+when the private key file is not present locally.
 The default is
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,

crypto/openssh/ssh.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.566 2021/08/08 08:49:09 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -186,7 +186,7 @@ usage(void)
 "           [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
 "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
 "           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n"
-"           [-w local_tun[:remote_tun]] destination [command]\n"
+"           [-w local_tun[:remote_tun]] destination [command [argument ...]]\n"
 	);
 	exit(255);
 }
@@ -260,6 +260,7 @@ resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
 		port = default_ssh_port();
 	if (cname != NULL)
 		*cname = '\0';
+	debug3_f("lookup %s:%d", name, port);
 
 	snprintf(strport, sizeof strport, "%d", port);
 	memset(&hints, 0, sizeof(hints));
@@ -383,7 +384,7 @@ check_follow_cname(int direct, char **namep, const char *cname)
 	int i;
 	struct allowed_cname *rule;
 
-	if (*cname == '\0' || options.num_permitted_cnames == 0 ||
+	if (*cname == '\0' || !config_has_permitted_cnames(&options) ||
 	    strcmp(*namep, cname) == 0)
 		return 0;
 	if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
@@ -1194,7 +1195,7 @@ main(int ac, char **av)
 	 */
 	direct = option_clear_or_none(options.proxy_command) &&
 	    options.jump_host == NULL;
-	if (addrs == NULL && options.num_permitted_cnames != 0 && (direct ||
+	if (addrs == NULL && config_has_permitted_cnames(&options) && (direct ||
 	    options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
 		if ((addrs = resolve_host(host, options.port,
 		    direct, cname, sizeof(cname))) == NULL) {
@@ -1817,7 +1818,8 @@ ssh_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
 				rfwd->allocated_port = (int)port;
 				logit("Allocated port %u for remote "
 				    "forward to %s:%d",
-				    rfwd->allocated_port, rfwd->connect_host,
+				    rfwd->allocated_port, rfwd->connect_path ?
+				    rfwd->connect_path : rfwd->connect_host,
 				    rfwd->connect_port);
 				channel_update_permission(ssh,
 				    rfwd->handle, rfwd->allocated_port);

crypto/openssh/ssh_config

@@ -46,4 +46,4 @@
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
 #   VerifyHostKeyDNS yes
-#   VersionAddendum FreeBSD-20210907
+#   VersionAddendum FreeBSD-20211221

crypto/openssh/ssh_config.5

@@ -33,9 +33,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.366 2021/09/25 09:40:33 kn Exp $
 .\" $FreeBSD$
-.Dd $Mdocdate: August 12 2021 $
+.Dd $Mdocdate: September 25 2021 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -373,6 +373,11 @@ to be canonicalized to names in the
 or
 .Qq *.c.example.com
 domains.
+.Pp
+A single argument of
+.Qq none
+causes no CNAMEs to be considered for canonicalization.
+This is the default behaviour.
 .It Cm CASignatureAlgorithms
 Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
@@ -1153,15 +1158,15 @@ Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
 If the specified list begins with a
 .Sq +
-character, then the specified methods will be appended to the default set
+character, then the specified algorithms will be appended to the default set
 instead of replacing them.
 If the specified list begins with a
 .Sq -
-character, then the specified methods (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
-character, then the specified methods will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
 default set.
 The default is:
 .Bd -literal -offset indent
@@ -1507,7 +1512,7 @@ sk-ssh-ed25519-cert-v01@openssh.com,
 sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 rsa-sha2-512-cert-v01@openssh.com,
 rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
+-ssh-rsa-cert-v01@openssh.com,
 ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 sk-ssh-ed25519@openssh.com,
@@ -1791,15 +1796,15 @@ This option forces the user to manually
 add all new hosts.
 .Pp
 If this flag is set to
-.Dq accept-new
+.Cm accept-new
 then ssh will automatically add new host keys to the user's
 .Pa known_hosts
 file, but will not permit connections to hosts with
 changed host keys.
 If this flag is set to
-.Dq no
+.Cm no
 or
-.Dq off ,
+.Cm off ,
 ssh will automatically add new host keys to the user known hosts files
 and allow connections to hosts with changed hostkeys to proceed,
 subject to some restrictions.
@@ -1969,7 +1974,7 @@ in
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20210907 .
+.Dq FreeBSD-20211221 .
 The value
 .Cm none
 may be used to disable this.

crypto/openssh/ssh_namespace.h

@@ -206,6 +206,7 @@
 #define ciphers_valid				Fssh_ciphers_valid
 #define cleanhostname				Fssh_cleanhostname
 #define cleanup_exit				Fssh_cleanup_exit
+#define client_converse				Fssh_client_converse
 #define colon					Fssh_colon
 #define compare					Fssh_compare
 #define compare_gps				Fssh_compare_gps
@@ -877,11 +878,8 @@
 #define sshpkt_start				Fssh_sshpkt_start
 #define sshpkt_vfatal				Fssh_sshpkt_vfatal
 #define sshsigdie				Fssh_sshsigdie
-#define sshsk_add_option			Fssh_sshsk_add_option
 #define sshsk_enroll				Fssh_sshsk_enroll
-#define sshsk_key_from_response			Fssh_sshsk_key_from_response
 #define sshsk_load_resident			Fssh_sshsk_load_resident
-#define sshsk_open				Fssh_sshsk_open
 #define sshsk_sign				Fssh_sshsk_sign
 #define start_progress_meter			Fssh_start_progress_meter
 #define stdfd_devnull				Fssh_stdfd_devnull

crypto/openssh/sshd.8

@@ -33,9 +33,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.317 2021/09/10 11:38:38 dtucker Exp $
 .\" $FreeBSD$
-.Dd $Mdocdate: July 30 2021 $
+.Dd $Mdocdate: September 10 2021 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -304,7 +304,12 @@ things like allocating a pseudo-tty, forwarding X11 connections,
 forwarding TCP connections, or forwarding the authentication agent
 connection over the secure channel.
 .Pp
-After this, the client either requests a shell or execution of a command.
+After this, the client either requests an interactive shell or execution
+or a non-interactive command, which
+.Nm
+will execute via the user's shell using its
+.Fl c
+option.
 The sides then enter session mode.
 In this mode, either side may send
 data at any time, and such data is forwarded to/from the shell or

crypto/openssh/sshd_config

@@ -105,7 +105,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20210907
+#VersionAddendum FreeBSD-20211221
 
 # no default banner path
 #Banner none

crypto/openssh/sshd_config.5

@@ -33,9 +33,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.335 2021/09/03 05:25:50 dtucker Exp $
 .\" $FreeBSD$
-.Dd $Mdocdate: August 12 2021 $
+.Dd $Mdocdate: September 3 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -921,15 +921,15 @@ Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
 Alternately if the specified list begins with a
 .Sq +
-character, then the specified methods will be appended to the default set
+character, then the specified algorithms will be appended to the default set
 instead of replacing them.
 If the specified list begins with a
 .Sq -
-character, then the specified methods (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
-character, then the specified methods will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
 default set.
 The supported algorithms are:
 .Pp
@@ -1805,7 +1805,7 @@ The default is
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
-.Qq FreeBSD-20210907 .
+.Qq FreeBSD-20211221 .
 The value
 .Cm none
 may be used to disable this.

crypto/openssh/version.h

@@ -1,12 +1,12 @@
-/* $OpenBSD: version.h,v 1.91 2021/08/20 03:22:55 djm Exp $ */
+/* $OpenBSD: version.h,v 1.92 2021/09/26 14:01:11 djm Exp $ */
 /* $FreeBSD$ */
 
-#define SSH_VERSION	"OpenSSH_8.7"
+#define SSH_VERSION	"OpenSSH_8.8"
 
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 
-#define SSH_VERSION_FREEBSD	"FreeBSD-20210907"
+#define SSH_VERSION_FREEBSD	"FreeBSD-20211221"
 
 #ifdef WITH_OPENSSL
 #define OPENSSL_VERSION_STRING	OpenSSL_version(OPENSSL_VERSION)