| Commit message (Collapse) | Author | Age | Files | Lines |
| |
MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
MFH (r296634): re-add aes-cbc to server-side default cipher list
MFH (r296651, r296657): fix gcc build of pam_ssh
PR: 207679
Security: CVE-2016-3115
Approved by: re (marius)
| |
MFH (r285975, r287143): register mergeinfo for security fixes
MFH (r294497, r294498, r295139): internal documentation
MFH (r294328): upgrade to openssh 6.7p1, re-add libwrap
MFH (r294332): upgrade to openssh 6.8p1
MFH (r294367): update pam_ssh for api changes
MFH (r294909): switch usedns back on
MFH (r294336): upgrade to openssh 6.9p1
MFH (r294495): re-enable dsa keys
MFH (r294464): upgrade to openssh 7.0p1
MFH (r294496): upgrade to openssh 7.1p2
Approved by: re (gjb)
Relnotes: yes
| |
Remove the HPN and None cipher patches.
| |
Replace unneeded manual dependency on header by adding it to SRCS.
| |
Add more SUBDIR_PARALLEL.
| |
Fix order of libthr and libc in the global dso list for sshd.
| |
This is "make tinderbox" clean.
| |
MFH (r264308): restore p level in debugging output
| |
MFH (r261340): enable sandboxing by default
| |
repeat performance by introducing a script that runs configure with and
without Kerberos, diffs the result and generates krb5_config.h, which
contains the preprocessor macros that need to be defined in the Kerberos
case and undefined otherwise.
Approved by: re (marius)
| |
as static binaries, if desired. The one exception is sshd, which runs
into trouble due to libpam.a's inclusion of pam_ssh.
Make OpenSSH use LDNS if available. This allows it to verify signed
SSHFP records.
Approved by: re (blanket)
| |
Approved by: re (blanket)
| |
which, only after authentication, disables crypto, and only for sessions
without a terminal.
Submitted by: Jeremy Chadwick (freebsd jdc.parodius.com)
PR: bin/163095
MFC after: 10 days
| |
Add the ability to use a non-standard LOCALBASE to ssh
Submitted by: jhb
Reviewed by: des
Approved by: cperciva
MFC after: 0 days (with r233136)
| |
Reviewed by: ???
Approved by: ???
MFC after: 3 days
| |
MFC after: 3 months
| |
| |
MFC after: 1 month
| |
libgssapi.a and libgssapi_krb5.a libraries that define the
same symbols.
| |
| |
MFC after: 3 months
| |
BSM audit tokens for IPv6.
| |
I have worked hard to reduce diffs against the vendor branch. One
notable change in that respect is that we no longer prefer DSA over
RSA - the reasons for doing so went away years ago. This may cause
some surprises, as ssh will warn about unknown host keys even for
hosts whose keys haven't changed.
MFC after: 6 weeks
| |
all non-style changes made by heimdal to our own libgssapi.
| |
that they add X11BASE=${LOCALBASE} to /etc/make.conf since X11BASE was
hard-wired to the now-wrong location in old releases.
However, both X11BASE and LOCALBASE have moved out of scope of src/
into ports/ now, which causes problems for upgraded users who have old
make.conf files still containing the above setting. X11BASE becomes
null and we instruct ssh and sshd to look for xauth in /bin/xauth
where it is unlikely to be found.
Instead, provide a copy of the default LOCALBASE?=/usr/local setting
here.
We also have to deal with the case where the user only overrides
LOCALBASE and doesn't set an explicit X11BASE (in ports it will be set
implicitly but not here), which will also move the location of xauth.
MFC after: 3 days
Reported by: rwatson
| |
MFC after: 1 week
| |
Discussed with: ru
| |
the namespace of applications which inadvertently link in libssh (usually
through pam_ssh)
Suggested by: lukem@netbsd.org
MFC after: 6 weeks
| |
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
| |
have been added with the latest OpenBSM import, hook USE_BSM_AUDIT into
build conditionally.
For users who do not care for audit support and do not want to compile
it into their SSH servers, add the following to /etc/make.conf:
NO_AUDIT=true
Discussed with: rwatson
Obtained from: TrustedBSD Project
| |
similar to the Solaris implementation. Repackage the krb5 GSS mechanism
as a plugin library for the new implementation. This also includes a
comprehensive set of manpages for the GSS-API functions with text mostly
taken from the RFC.
Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
| |
trouble, especially on amd64.
Requested by: ru
| |
| |
| |
NOLIBPTHREAD -> NO_LIBPTHREAD
NOLIBTHR -> NO_LIBTHR
| |
| |
| |
Reviewed by: des, deischen
| |
- Removed libopie and libmd; libopie used to serve auth-skey.c
which is compiled now only to ease maintenance, as well as
a few other auth-*.c sources.
Reviewed by: des
| |
Reviewed by: des
| |
Also remove some duplicates from ssh's SRCS.
Submitted by: [1] Björn Grönvall <bg@sics.se>
| |
| |
OK'ed by: markm
| |
cleanups were necessary in release/Makefile, and the tinderbox code
was syntax checked, not run checked.
| |
part of the regular security dist.
| |
| |
| |
| |
Use pthreads for PAM if the platform supports it and the user asked for it
(by setting OPENSSH_USE_POSIX_THREADS)
Sponsored by: DARPA, NAI Labs
| |
Sponsored by: DARPA, NAI Labs