openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new ho

openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985

(cherry picked from commit 19261079b74319502c6ffa1249920079f0f69a72)
(cherry picked from commit f448c3ed4ae1281861913a56377f9d93d49f8e8e)
(cherry picked from commit 1f290c707a19d1695c303e6c8ead9cc414ccc6dc)
(cherry picked from commit 0f9bafdfc325779e4ecc5154d5bb06c752297138)
(cherry picked from commit adb56e58e8db84d8087ebe3d3e7def0074cb5a90)
(cherry picked from commit 576b58108c1723c85e4dd00355e29bfe301dab11)
(cherry picked from commit 1c99af1ebe61cbaf633792941640dcd254acf921)
(cherry picked from commit 87152f34054921632016bc5eb4ab9f836fbaa522)
(cherry picked from commit 172fa4aa7577915bf5ace5783251821d3774dc05)

show more ...

ssh: move common Makefile boilerplate to a new ssh.mk

This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).

Reviewe

ssh: move common Makefile boilerplate to a new ssh.mk

This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).

Reviewed by: kevans
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32808

(cherry picked from commit 9d63429fa16352f58037ac2aa6ddc734b25e8331)

show more ...

Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE

Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, i

Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE

Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by: imp
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D26942

show more ...

openssh: connect libressl-api-compat.c and regen config.h

Differential Revision: https://reviews.freebsd.org/D17390

Fix invalid .o SRCS from r314527.

MFC after: 1 week
Sponsored by: Dell EMC Isilon

crypto: normalize paths using SRCTOP-relative paths or :H when possible

This simplifies make logic/output

MFC after: 1 month
Sponsored by: Dell EMC Isilon

Only bake krb5_config.h support in to ssh(3), etc if both MK_GSSAPI and
MK_KERBEROS_SUPPORT != no

This fixes the odd case where someone specified MK_GSSAPI=no and
MK_KERBEROS_SUPPORT=yes (which admi

Only bake krb5_config.h support in to ssh(3), etc if both MK_GSSAPI and
MK_KERBEROS_SUPPORT != no

This fixes the odd case where someone specified MK_GSSAPI=no and
MK_KERBEROS_SUPPORT=yes (which admittedly, probably doesn't make sense,
but the build system doesn't prevent this case today, and it didn't when
I filed the bug back in 2011 either).

MFC after: 2 weeks
PR: 159745

show more ...

List source files (foo.c) instead of object files in SRCS.

Reviewed by: bdrewery

Replace unneeded manual dependency on header by adding it to SRCS.

bsd.lib.mk and bsd.prog.mk already depend all objs on headers in SRCS if
there is not yet a depend file. The headers in SRCS are n

Replace unneeded manual dependency on header by adding it to SRCS.

bsd.lib.mk and bsd.prog.mk already depend all objs on headers in SRCS if
there is not yet a depend file. The headers in SRCS are never built or
installed. After 'make depend' the header was already added as a proper
dependency on the objects where needed.

MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division

show more ...

Retire the NONE cipher option.

Move ssh into a dedicated package
Flag config files as "to be merged on upgrade"

Reduce overlinking
The framework now ensure by itself that pthread is added to the link chain
as the last component if linked to kerberos hence avoid with out any explicit
addition prevent issue like

Reduce overlinking
The framework now ensure by itself that pthread is added to the link chain
as the last component if linked to kerberos hence avoid with out any explicit
addition prevent issue like CVE-2014-8475

show more ...

Convert to LIBADD
Reduce overlinking

Rework privatelib/internallib

Make sure everything linking to a privatelib and/or an internallib does it directly
from the OBJDIR rather than DESTDIR.
Add src.libnames.mk so bsd.libnames.mk is not p

Rework privatelib/internallib

Make sure everything linking to a privatelib and/or an internallib does it directly
from the OBJDIR rather than DESTDIR.
Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existsing
in final installation
Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to
internal/privatelib
Directly link to the .so in case of private library to avoid having to complexify
LDFLAGS.

Phabric: https://phabric.freebsd.org/D553
Reviewed by: imp, emaste

show more ...

Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.

Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config

Unbreak the WITHOUT_KERBEROS build and try to reduce the odds of a
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.

Approved by: re (marius)

show more ...

Clean up the OpenSSH build. It is now possible to build most components
as static binaries, if desired. The one exception is sshd, which runs
into trouble due to libpam.a's includion of pam_ssh.

M

Clean up the OpenSSH build. It is now possible to build most components
as static binaries, if desired. The one exception is sshd, which runs
into trouble due to libpam.a's includion of pam_ssh.

Make OpenSSH use LDNS if available. This allows it to verify signed
SSHFP records.

Approved by: re (blanket)

show more ...

Make libldns and libssh private.

Approved by: re (blanket)

Add a src.conf(5) option to allow users to compile in the "NONE cipher",
which, only after authentication, disables crypto, and only for sessions
without a terminal.

Submitted by: Jeremy Chadwick (f

Add a src.conf(5) option to allow users to compile in the "NONE cipher",
which, only after authentication, disables crypto, and only for sessions
without a terminal.

Submitted by: Jeremy Chadwick (freebsd jdc.parodius.com)
PR: bin/163095
MFC after: 10 days

show more ...

MFH OpenSSH 5.4p1

Fix globbing

Noticed by: delphij, David Cornejo <[email protected]>
Forgotten by: des

Bump the version of all non-symbol-versioned shared libraries in
preparation for 8.0-RELEASE. Add the previous version of those
libraries to ObsoleteFiles.inc and bump __FreeBSD_Version.

Reviewed b

Bump the version of all non-symbol-versioned shared libraries in
preparation for 8.0-RELEASE. Add the previous version of those
libraries to ObsoleteFiles.inc and bump __FreeBSD_Version.

Reviewed by: kib
Approved by: re (rwatson)

show more ...

Use the closefrom(2) system call.

Reviewed by: des

Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.

- Bump share library version which were missed in last bump

Reported by: jhb
Discussed with: deischen, des, doubg, harti
Approved by: re (kensmith)