Support for a client VersionAddendum was removed in bffe60ead0, but
the option was retained (as oDeprecated) as a transition aid.
Sufficient time has passed that it can be removed.
Sponsored by: The FreeBSD Foundation
OpenSSH 9.4p1 (updated in commit 535af610a4) includes the memory leak
fix that we originally applied in 69c72a57af ("sftp: avoid leaking
path arg in calls to make_absolute_pwd_glob.").
Sponsored by: The FreeBSD Foundation
The HPN patch set was removed from base system SSH in January 2016, in
commit 60c59fad88. We retained the option parsing (using OpenSSH's
support for deprecated options) to avoid breaking existing installations
upon upgrade, but sufficient time has now passed that we can remove this
special case.
Approved by: des
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41291
We changed the CheckHostIP default to "no" years ago. Upstream has now
made the same change, so do not list it as a local change any longer.
I did not just remove the "Modified client-side defaults" section to
avoid having to renumber everything, and we may add a new local change
in the future.
Sponsored by: The FreeBSD Foundation
Make it clear that the 'freebsd-configure.sh' and 'freebsd-namespace.sh'
scripts are run from the crypto/openssh directory.
Sponsored by: The FreeBSD Foundation
Revert to upstream's default. Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.
This reverts commit 83c6a5242c.
Reported by: David Leadbeater, G-Research
Reviewed by: gordon
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38648
We introduced hostname canonicalization in 2002, while upstream OpenSSH
added similar support in 2014.
It would be good to review our handling of CNAMEs in hostname
canonicalization.
Sponsored by: The FreeBSD Foundation
Administrators can enable it if required.
Reviewed by: bz, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37411
ssh_config and ssh_config.5 no longer contain the VersionAddendum,
so remove instructions to update these files.
Fixes: bffe60ead0 ("ssh: retire client VersionAddendum")
Sponsored By: The FreeBSD Foundation
We documented "[Use]PrivilegeSeparation defaults to sandbox" as one of
our modifications to ssh's server-side defaults, but this is not (any
longer) a difference from upstream.
Sponsored by: The FreeBSD Foundation
We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.
While here renumber the steps in the update documentation using a more
conventional scheme.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36904
Nanobsd included copies of ssh_config and sshd_config. The former is
identical to the one provided by the base system, and the latter is
identical except for PermitRootLogin, which is updated by nanobsd's
cust_allow_ssh_root anyhow. Remove nanobsd's copies and use the
existing base system ones.
Reported by: Jose Luis Duran <jlduran@gmail.com> in D34937
Reviewed by: Jose Luis Duran <jlduran@gmail.com>, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36933
Rename "HPN" to more general "Retired patches." We handle two now-
removed patches the same way: to avoid breaking existing configurations
we accept, but ignore, the option.
Sponsored by: The FreeBSD Foundation
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose. Remove them from OpenSSH to reduce diffs against upstream.
Sponsored by: The FreeBSD Foundation
Because it appears `git push --follow-tags` may push extra, undesired
tags document both techniques (pushing the specific vendor/openssh/X.YpZ
tag and pushing all with --follow-tags, using --dry-run first).
Discussed with: imp, lwhsu
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33605
Two local changes were committed upstream and are present in OpenSSH
8.7p1. Remove references from FREEBSD-upgrade now that we have updated
to that version.
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses. This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.
When upstream removed these ciphers from the default server list, they
moved them to the client-only default list. They were subsequently
removed from the client default, in OpenSSH 7.9p1.
The change has persisted long enough. Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.
Reviewed by: markm, rgrimes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D25833
We need to add user-facing deprecation notices for TCP wrappers; start
with a note in the upgrade process docmentation.
Sponsored by: The FreeBSD Foundation
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11. For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
Upstream did this a long time ago, but we kept DSA and SSH1 in FreeBSD for
reasons which boil down to POLA. Now is a good time to catch up.
MFC after: 3 days
Relnotes: yes
$FreeBSD$ tags and man page dates.
Add a post-merge script which reapplies these changes.
Run both scripts to normalize the existing code base. As a result, many
files which should have had $FreeBSD$ tags but didn't now have them.
Partly rewrite the upgrade instructions and remove the now outdated
list of tricks.
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.
MFC after: 6 weeks
The section about our local changes needs reviewing, and some of those
changes should probably be reconsidered (such as preferring DSA over RSA,
which made sense when RSA was encumbered but probably doesn't any more)