Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly
authorise operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will
usually require the user tap the token to confirm the operation:

$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any
other supported key in OpenSSH and may be listed in authorized_keys,
added to ssh-agent(1), etc. The only additional stipulation is that
the FIDO token that the key belongs to must be attached when the key
is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system. In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by: delphij, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32509

show more ...

Convert traditional ${MK_TESTS} conditional idiom for including test
directories to SUBDIR.${MK_TESTS} idiom

This is being done to pave the way for future work (and homogenity) in
^/projects/make-ch

Convert traditional ${MK_TESTS} conditional idiom for including test
directories to SUBDIR.${MK_TESTS} idiom

This is being done to pave the way for future work (and homogenity) in
^/projects/make-check-sandbox .

No functional change intended.

MFC after: 1 weeks

show more ...

Add more SUBDIR_PARALLEL.

MFC after: 3 weeks
Sponsored by: EMC / Isilon Storage Division

Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.

Add placeholder Kyuafiles for various top-level hierarchies.

This change adds tests/ directories in the source tree to create various
subdirectories in /usr/tests/ and to install placeholder Kyuafil

Add placeholder Kyuafiles for various top-level hierarchies.

This change adds tests/ directories in the source tree to create various
subdirectories in /usr/tests/ and to install placeholder Kyuafiles for
them.

the relevant hierarchies are: cddl, etc, games, gnu and secure.

The reason for this is to simplify the addition of new test programs for
utilities or libraries under any of these directories. Doing so on a
case by case basis is unnecessary and is quite an obscure process.

show more ...

MFH OpenSSH 5.4p1

Revert r204939

Fix the build. The ssh-pkcs11-helper directory is empty, which is
causing confusion.

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Bro

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)

show more ...

Very big makeover in the way telnet, telnetd and libtelnet are built.

Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that live

Very big makeover in the way telnet, telnetd and libtelnet are built.

Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that lived in
crypto/telnet/. The latter was built in a broken manner somewhat akin
to other "contribified" sources. This meant that there were 4 telnets
competing with each other at build time - KerberosIV, Kerberos5,
plain-old-secure and base. KerberosIV is no longer in the running, but
the other three took it in turns to jump all over each other during a
"make buildworld".

As the crypto issue has been clarified, and crypto _calls_ are not
a problem, crypto/telnet has been repo-copied to contrib/telnet,
and with this commit, all telnets are now "contribified". The contrib
path was chosen to not destroy history in the repository, and differs
from other contrib/ entries in that it may be worked on as "normal"
BSD code. There is no dangerous crypto in these sources, only a
very weak system less strong than enigma(1).

Kerberos5 telnet and Secure telnet are now selected by using the usual
macros in /etc/make.conf, and the build process is unsurprising and
less treacherous.

show more ...

Turn MAKE_KERBEROS5 into NO_KERBEROS by negating the logic. Some extra
cleanups were necessary in release/Makefile, and the tinderbox code
was syntax checked, not run checked.

Most things depend on !defined(NO_OPENSSL); make it look so.

NOSECURE is implied by NOCRYPT, meaning if the latter is defined
we won't be here.

Remove Kerberos IV shims.

ssh-keysign(8) belongs in /usr/libexec, not in /usr/bin, and needs to be
setuid so ssh(1) doesn't have to be.

Pointy hat to: des
Submitted by: Katsuyuki TATEISHI <[email protected]>

Revamp and diff-reduce the various secure telnets. Make sure that
Kerberos5 has _a_ telnet (which is not currently K5 enabled).
Incorporate BDE's static linking fixes.

Only build sftp-server conditionally

Add sftp-server

Don't build crypto-enabled telnetd if NO_OPENSSL is defined, since it
attempts to link against libcrypto.

Dont build telenet if we are going for kerberised telnet; this just
jumps all over kerberised telnet otherwise.

Make telnet with SRA work.

Submitted by: Nick Sayer

After pst and ache fixed secure telnet, it was still not in the main
makefiles. This puts it in.

PLEASE NOTE - YOU WILL NEED TO BUILD AND INSTALL THE libtelnet IN secure/
Reviewed by:
Submitted by:

After pst and ache fixed secure telnet, it was still not in the main
makefiles. This puts it in.

PLEASE NOTE - YOU WILL NEED TO BUILD AND INSTALL THE libtelnet IN secure/
Reviewed by:
Submitted by:
Obtained from:

show more ...