Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* sshd(8): the server will now block client addresses that
  repeatedly fail authentication, repeatedly connect without ever
  completing authentication or that crash the server. See the
  discussion of PerSourcePenalties below for more information.
  Operators of servers that accept connections from many users, or
  servers that accept connections from addresses behind NAT or
  proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
  and a per-session binary "sshd-session". This allows for a much
  smaller listener binary, as it no longer needs to support the SSH
  protocol. As part of this work, support for disabling privilege
  separation (which previously required code changes to disable) and
  disabling re-execution of sshd(8) has been removed. Further
  separation of sshd-session into additional, minimal binaries is
  planned for the future.
* sshd(8): several log messages have changed. In particular, some
  log messages will be tagged as originating from a process
  named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
  containing the hostname and SSH protocol banner to standard error.
  This release now emits them to standard output, but adds a new
  "-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
  as the PAM service name. A new "PAMServiceName" sshd_config(5)
  directive allows selecting the service name at runtime. This
  defaults to "sshd". bz2101
New features
------------
* sshd(8): sshd(8) will now penalise client addresses that, for various
  reasons, do not successfully complete authentication. This feature is
  controlled by a new sshd_config(5) PerSourcePenalties option and is
  on by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
  implicit fallback from certificate host key to plain host keys.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
  unconditionally. The previous behaviour was to expose it only when
  particular authentication methods were in use.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
  environment variable to enable SSH_ASKPASS, similarly to the X11
  DISPLAY environment variable. GHPR479
---
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914
(cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e)
(cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3)
(cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb)
(cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395)
Approved by: re (accelerated MFC)
GETENTROPY_MAX should be defined in limits.h. EINVAL is the return
value for buflen > GETENTROPY_MAX.
PR: 282783
Reviewed by: markj, asomers, jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47689
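The limit the commit refers to applies per call: getentropy(3) rejects a single request larger than GETENTROPY_MAX bytes, so code that needs a longer buffer has to loop, and code that ignores the -1 ends up using a partly unwritten buffer. The following is an added example written for this page, not FreeBSD's libc or test code; fill_random(), oversized_call_fails() and demo_fill() are names chosen here, and the 256-byte fallback for GETENTROPY_MAX is an assumption for libcs that do not yet define the macro in limits.h.

```c
/* Added example (not FreeBSD libc code): filling a buffer of any size from
 * getentropy(3), which rejects requests larger than GETENTROPY_MAX per call. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/random.h>		/* glibc declares getentropy() here */
#endif

#ifndef GETENTROPY_MAX
/* POSIX.1-2024 puts GETENTROPY_MAX in <limits.h>; older libcs lack the macro
 * but share the historical 256-byte per-call limit (assumed here). */
#define GETENTROPY_MAX 256
#endif

int last_errno;	/* errno from the most recent failed oversized call */

/* Fill len bytes with entropy in chunks of at most GETENTROPY_MAX.
 * Returns 0 on success, -1 with errno set on failure. On failure the
 * buffer is only partly written and must not be used as key material. */
int fill_random(void *buf, size_t len)
{
	unsigned char *p = buf;
	while (len > 0) {
		size_t n = len < GETENTROPY_MAX ? len : GETENTROPY_MAX;
		if (getentropy(p, n) != 0)
			return -1;
		p += n;
		len -= n;
	}
	return 0;
}

/* A single request of GETENTROPY_MAX + 1 bytes must fail. POSIX specifies
 * EINVAL; some libcs report a different errno, so only the failure itself
 * is checked and the errno is kept in last_errno for inspection. */
bool oversized_call_fails(void)
{
	unsigned char buf[GETENTROPY_MAX + 1];
	if (getentropy(buf, sizeof buf) == 0)
		return false;
	last_errno = errno;
	return true;
}

/* Fill a len-byte heap buffer via fill_random() and require at least one
 * non-zero byte (all zeros is negligibly likely from a working source).
 * Returns 0 on success, -1 otherwise. */
int demo_fill(size_t len)
{
	unsigned char *buf = calloc(len, 1);
	int rc = -1;
	if (buf != NULL && fill_random(buf, len) == 0)
		for (size_t i = 0; i < len; i++)
			if (buf[i] != 0) { rc = 0; break; }
	free(buf);
	return rc;
}

int main(void)
{
	printf("1000-byte fill: %s\n", demo_fill(1000) == 0 ? "ok" : "failed");
	if (oversized_call_fails())
		printf("%d-byte single call rejected, errno %d (POSIX: EINVAL=%d)\n",
		    GETENTROPY_MAX + 1, last_errno, EINVAL);
	return 0;
}
```

Build with `cc -o fill_random fill_random.c` and run; the second line shows which errno the local libc uses for the oversized call, which is the value this commit aligns with POSIX on FreeBSD.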
Bump default to POSIX at 202405, C at 2023 and xopen at 800...
Sponsored by: Netflix
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D47578
(cherry picked from commit f95d9ec92122e6b4ef99c9a258f31b9564d327d3)
This sets the correct ownership values when building base.txz.
install(1) does not validate the arguments passed to -o or -g
(see PR283355) so there's no need to have the passwd db available
for now. Future work includes plumbing the appropriate passwd db
path through certctl, and validating uid and gid in install(1).
PR: 283340
Reviewed by: jrtc27
Differential Revision: https://reviews.freebsd.org/D48506
(cherry picked from commit 10fa3f2518d4582c98d74527f79af9f30b1eceab)
(cherry picked from commit 98bebc20cef7527ccb15f8defc9d52e803a0d506)
(cherry picked from commit 4d15b58365ea706129bedfdb37e0c5e8661a640f)
In 2000 (commit a95c122521) we changed the CheckHostIP default to
"no". We added text to ssh_config(5) documenting FreeBSD's default.
In 2021 OpenSSH made the same change, released with OpenSSH 8.5p1.
When we imported the update the added text remained, resulting in:
    If the option is set to no (the default), the check will not be
    executed. The default is no.
Remove the now-redundant text.
Fixes: 206be79acb ("Vendor import of OpenSSH 8.5p1")
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 06016adaccca1958cdde4edf845f5b972be7ffc0)
This uses DES and it's likely that nobody uses that in 2025.
If somebody uses this we help them by deprecating and removing this.
Reviewed by: bapt, emaste
Differential Revision: https://reviews.freebsd.org/D30682
(cherry picked from commit 723425f837270dd3b22098168ae9464a1ebe38c6)
It is used only by scp and sftp, and already included directly in their
Makefiles. It does not belong in libssh.
Fixes: d8b043c8d4 ("Update for 3.6.1p1; also remove Kerberos IV shims.")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48871
(cherry picked from commit c0af32952564099fe30a34aeb335f95a6dc811ba)
XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.
Leave it unset in config.h and move the CFLAGS logic to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907
(cherry picked from commit a63701848fe5462c4e8bbff0131bb42979e603ec)
Obtained from: OpenSSH 38df39ecf278
Security: CVE-2025-26465
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd)
Obtained from: OpenSSH 5e07dee272c3
Security: CVE-2025-26466
Approved by: so
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 8a16d0831e70530b2fbd682e748bd051de35f192)
This bug and https://www.mail-archive.com/freebsd-stable@freebsd.org/msg124458.html
both have this fix. It turns unknown errors into an autosense failure, which causes
us to grab the sense buffer manually. It also sets a condition that we use to retry
timed out commands that jmg reports as being helpful.
I'm torn on committing it. The code seems fine in terms of fixing
things. But this is a 10-year-old bug with few other bugs and a short CC
list for a driver that might go away in 15 anyway. I'm going to commit
and close the bug, and MFC it in a week, unless someone complains (which
seems unlikely, given the age of this hardware, I suspect most of it is
out of service).
Suggested by: jmg, Scott Long
PR: 191135
MFC After: 1 week
Reviewed by: imp
(cherry picked from commit f52154a2044a4d1f324952af05542f93fdf0a088)
In the case of an Intel 7260 device, the device needs to be put
into something called "manufacturer mode" before the firmware
is uploaded. The firmware is then uploaded, and the card is
taken out of this mode, at which point it disconnects and
reconnects to the USB bus, and is at that point usable.
However, iwmbtfw(8) puts the device into manufacturer mode
before verifying that there exists a copy of the firmware to
upload. As a result, in the case where there is no firmware
available on disk, the device is put into manufacturer mode,
the firmware can't be found so isn't uploaded, and the card is
brought out of manufacturer mode, so it disconnects and
reconnects to the USB bus.
Enter devd(8). There are rules in /etc/devd/iwmbtfw.conf to
call iwmbtfw(8) when the device appears. When there's no
firmware on disk, devd will call iwmbtfw, iwmbtfw will try to
do its thing and fail, the device will dis/reconnect, and devd
will notice the device reappear and start the whole loop again.
Fix is to verify that the firmware exists before putting the device into
its special mode. The fix only changes things for the 7260 and not the
other chips supported; I don't believe the issue exists with other chips
as those do not need to be switched into manufacturer mode before
uploading.
PR: 283896
Reviewed by: emaste
(cherry picked from commit b8cdbe1852ef5df4ba3c7a021d9632bde2e61327)
pf.conf expects <=, not ≤ (and the same applies to ≥ and >=).
Make sure the man page reflects this.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 85c333a947e950d9267517afd1d9c30a655b7bfb)
Add more test cases for pf fragment hole counter. Also look into
final fragment of echo reply and check total length of IP packet.
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 640736615b
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit db100bd93036855c7688dc088b811dc7b660f51d)
Fragment reassembly finishes when no holes are left in the fragment
queue. In certain overlap conditions, the hole counter was wrong
and pf(4) created an incomplete IP packet. Before adjusting the
length, remove the overlapping fragment from the queue and insert
it again afterwards. pf_frent_remove() and pf_frent_insert() adjust
the hole counter automatically.
bug reported and fix tested by Lucas Aubard with Johan Mazel, Gilles
Guette and Pierre Chifflier; OK claudio@
MFC after: 1 week
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 9915416fe8
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 8b2feafb535d10a559b995c6fc2529715f927e2a)
The reassembly state will be dropped after a timeout; all related
fragments are dropped until then. This conforms to RFC 5722.
- Sort pf_fragment fields while there.
- If the fr_queue is empty, we had overlapping fragments; don't add
  new ones.
- If we detect overlapping IPv6 fragments, flush the fr_queue and
  drop all fragments immediately.
- Rearrange debug output, to make clear what happens.
- An IPv4 fragment that is totally overlapped does not increase the
  bad fragment counter.
- Put a KASSERT into pf_isfull_fragment() to make sure that the
  fr_queue is never empty there.
discussed with Fernando Gont; ok henning@
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 8b45f36762
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 6a3266f72e437aecf3edcfb8aa919466b270d548)
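The two pf(4) fragment commits above (the hole counter fix, and the RFC 5722 handling of overlapping IPv6 fragments) can be followed in a small stand-alone model. The following is an added example written for this page, not pf's source: the queue layout, frent_holes(), fragq_add() and the demo_* functions are constructed here and only mirror the structure the commit messages describe. The counter starts at 1 for an empty queue (the whole packet is one hole); each inserted fragment adds 1 for splitting the gap it lands in and subtracts 1 for every side that is contiguous with a neighbour or a packet edge, so the counter reaches 0 exactly when reassembly is complete. With `fixed` false the partially overlapped queued fragment is trimmed in place, as the pre-fix code did, and the counter drifts to 0 while an independent recount still shows a hole; that is the incomplete-packet condition the first commit fixes. With `ipv6` set, any overlap flushes the queue and drops the fragment, as the second commit does.

```c
/* Added example (not pf's code): model of pf(4)'s fragment queue and hole counter. */
#include <stdbool.h>
#include <stdlib.h>

struct frent { unsigned off, len; bool mff; struct frent *next; }; /* bytes; mff = more fragments */
struct fragq {
	struct frent *head;	/* fragments sorted by off */
	int holes;		/* 1 for an empty queue: the whole packet is missing */
	bool ipv6;		/* RFC 5722: IPv6 forbids overlapping fragments */
	bool fixed;		/* remove/adjust/insert when trimming (the fix) */
};
enum add_result { ADDED, DROPPED, FLUSHED };
struct verdict { int holes, recount; };

/* Holes a fragment accounts for: +1 for splitting the gap it lands in,
 * -1 for each side contiguous with a neighbour or with a packet edge. */
static int frent_holes(const struct frent *prev, const struct frent *f)
{
	return 1 - (prev == NULL ? f->off == 0 : f->off == prev->off + prev->len)
	    - (f->next == NULL ? !f->mff : f->next->off == f->off + f->len);
}
static void frent_insert(struct fragq *q, struct frent *f, struct frent *prev)
{
	struct frent **link = prev != NULL ? &prev->next : &q->head;
	f->next = *link; *link = f; q->holes += frent_holes(prev, f);
}
static void frent_remove(struct fragq *q, struct frent *f)
{
	struct frent **link = &q->head, *prev = NULL;
	while (*link != f) { prev = *link; link = &prev->next; }
	q->holes -= frent_holes(prev, f);
	*link = f->next; f->next = NULL;
}
void fragq_flush(struct fragq *q)
{
	while (q->head != NULL) { struct frent *f = q->head; q->head = f->next; free(f); }
	q->holes = 1;
}
enum add_result fragq_add(struct fragq *q, unsigned off, unsigned len, bool mff)
{
	struct frent *f = malloc(sizeof *f), *prev = NULL, *after;
	if (f == NULL) return DROPPED;
	f->off = off; f->len = len; f->mff = mff; f->next = NULL;
	for (after = q->head; after != NULL && after->off <= off; after = after->next)
		prev = after;	/* prev starts at or before off; after is the next one */
	/* Head overlap: trim the new fragment itself; it is not queued yet. */
	if (prev != NULL && prev->off + prev->len > f->off) {
		unsigned precut = prev->off + prev->len - f->off;
		if (q->ipv6) goto flush;
		if (precut >= f->len) { free(f); return DROPPED; }
		f->off += precut; f->len -= precut;
	}
	/* Tail overlap: drop covered queued fragments, trim a partly covered one. */
	while (after != NULL && f->off + f->len > after->off) {
		unsigned aftercut = f->off + f->len - after->off;
		struct frent *next = after->next;
		if (q->ipv6) goto flush;
		if (aftercut < after->len) {
			/* The fix: a new off changes which gaps `after` borders, so take
			 * it out and re-account it. Pre-fix code edited it in place. */
			if (q->fixed) frent_remove(q, after);
			after->off += aftercut; after->len -= aftercut;
			if (q->fixed) frent_insert(q, after, prev);
			break;
		}
		frent_remove(q, after); free(after);
		after = next;
	}
	frent_insert(q, f, prev);
	return ADDED;
flush:	/* any overlapping IPv6 fragment voids the whole packet */
	free(f); fragq_flush(q);
	return FLUSHED;
}

/* Independent recount of the gaps, to audit the incremental counter. */
int fragq_recount(const struct fragq *q)
{
	const struct frent *p = q->head;
	int holes = p == NULL || p->off != 0;
	for (; p != NULL && p->next != NULL; p = p->next)
		holes += p->off + p->len != p->next->off;
	return holes + (p != NULL && p->mff);
}
/* Reported condition: A=[0,8) and B=[8,16) queued, then C=[4,12) overlaps both.
 * B keeps mff, so one hole must remain; the pre-fix counter reaches 0. */
struct verdict demo_overlap(bool fixed)
{
	struct fragq q = { NULL, 1, false, fixed };
	fragq_add(&q, 0, 8, true); fragq_add(&q, 8, 8, true); fragq_add(&q, 4, 8, true);
	struct verdict v = { q.holes, fragq_recount(&q) };
	fragq_flush(&q);
	return v;
}
bool demo_ipv6_flush(void)
{
	struct fragq q = { NULL, 1, true, true };
	fragq_add(&q, 0, 8, true); fragq_add(&q, 8, 8, true);
	return fragq_add(&q, 4, 8, true) == FLUSHED && q.head == NULL && q.holes == 1;
}
```

demo_overlap(true) reports holes 1 and recount 1; demo_overlap(false) reports holes 0 against a recount of 1, which is the state in which the old code would have handed an incomplete packet up the stack. The model keeps only offsets and lengths; the real code also trims the mbuf chain (m_adj) and tracks the fragment's position in pf's lookup array, which is why remove/insert is the natural place to do the accounting.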
gethost is a build tool built in stage 2.3, but it had a dependency on
tc.const.h, which requires target headers (that are not installed until
stage 4.1). The build falls back to the host's headers if the target
headers don't yet exist, which may result in a build failure if the
host's headers don't match the target.
As gethost.c doesn't actually require the definitions in tc.const.h, add
a hack to skip the include of tc.const.h and remove the dependency.
PR: 283273
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Fixes: e754e5f361 ("Upgrade to 6.10")
Differential Revision: https://reviews.freebsd.org/D48880
(cherry picked from commit ed8b456f82ed822652f2abb24d65ab73ac3dbb0a)
Prior to change [1] this flag is useless but harmless. After the change
plat_name[] will be fetched from kernel environment after invoking the
platform probe function `platform_probe_and_attach()`. The probe function
runs at early boot stage prior to `mi_startup()` thus it is too late and
pointless to set plat_name[] after the probe.
Nathan mentioned that the logic to specify the platform pre-dates the
powerpc64 work, and is from the original pre-FDT Book-E bringup from
like 2008, so it's irrelevant these days. Instead of fixing setting the
sysctl knob hw.platform, let's clean it up now.
[1] 3da1cf1e88 Extend the meaning of the CTLFLAG_TUN flag to ...
Discussed with: nwhitehorn
Reviewed by: olce (previous version), jhibbits, #powerpc
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D48897
(cherry picked from commit b61fbbed73ea3bf0c84589b56cca160c46a3739d)
OpenSSH-portable had a configure bug that prevented it from detecting
OpenSSL ED25519 support, fixed in 8d0e46c1ddb5 ("Fix OpenSSL ED25519
support detection"). This will come in with the OpenSSH 9.8p1 update,
but fix the error in config.h now.
Reported by: jlduran
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48942
(cherry picked from commit 975c6f3337039d14ecf87d674af72ac5ab0fee02)
This is a direct commit to the stable/14 and stable/13 branch.
Reviewed by: emaste
Approved by: emaste (mentor)
Fixes: bceabe277e ("flua: initial support for "require" in the base system")
Differential Revision: https://reviews.freebsd.org/D49011
We don't use legacy receive descriptors and masking out the vlan ID
isn't necessary since the tag is in the standard format, so remove it.
(cherry picked from commit 124b7722aad7d4cf12d96c030659aef78175aa9c)
a0993376ec5f (from D43179) subtly changed stats_v1_blob_clone() to stop
returning EOVERFLOW in the case where the user buffer is not large enough
to receive the entire statsblob. This results in any consumers which are
implemented to retry on receiving EOVERFLOW to instead give up after
receiving an empty statsblob header.
Fix by latching any errors recorded prior to copyout.
Reviewed by: markj
Obtained from: Netflix, Inc.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D44585
Fixes: a0993376ec5f ("stats: Check for errors from copyout()")
(cherry picked from commit 7eb92c502eb503d808a51296e426de625239a0d9)
There is an undocumented limit on the length of a GELI passphrase, and
the test exceeded that. Most of the time it worked because a nul
terminator would appear early enough in the string.
Reported by: Jenkins
Fixes: 2b7b09ac9675 ("geli tests: Add a regression test for geli setkey -J")
(cherry picked from commit c4b927c341e23eea17f75d139aafcf58545c5b0e)
On arm64, the FBT provider treats tail calls as return probes. Ignoring
the question of whether this is really correct, the implementation is
wrong: instr is a pointer to uint32_t, so the removed multiplication by
the instruction size is wrong. As a result, FBT would create return
probes for intra-function branches.
MFC after: 2 weeks
Sponsored by: Innovate UK
(cherry picked from commit 4da070ce6c015a994ec4ecf3d31ee94810ea19f1)
The .align directive has a different behaviour on 32-bit arm than on
other platforms. Use .balign instead, which has consistent behaviour on
all architectures.
Reported by: kib
Reviewed by: jrtc27, kib
Fixes: 6b82130e6c9a ("clock: Add a long ticks variable, ticksl")
Differential Revision: https://reviews.freebsd.org/D48430
(cherry picked from commit 159d29d3948294cdc9ee4cc3951d004de6797a32)
- We can use builtin constants for the size of int and long to simplify
  definitions.
- The file should have a .S prefix since we want to run it through the
  preprocessor, though apparently this happens anyway with .s...
- Move ticks and ticksl from .data to .bss.
Reported by: jrtc27
Reviewed by: jrtc27, kib, emaste
Fixes: 6b82130e6c9a ("clock: Add a long ticks variable, ticksl")
Differential Revision: https://reviews.freebsd.org/D48420
(cherry picked from commit b2b974f7ef4cddff251d0de69d8da13232b25e4d)
For compatibility with Linux, it's useful to have a tick counter of
width sizeof(long), but our tick counter is an int. Currently the
linuxkpi tries to paper over this difference, but this cannot really be
done reliably, so it's desirable to have a wider tick counter. This
change introduces ticksl, keeping the existing ticks variable.
Follow a suggestion from kib to avoid having to maintain two separate
counters and to avoid converting existing code to use ticksl: change
hardclock() to update ticksl instead of ticks, and then use assembler
directives to make ticks and ticksl overlap such that loading ticks
gives the bottom 32 bits. This makes it possible to use ticksl in the
linuxkpi without having to convert any native code, and without making
hardclock() more complicated or expensive. Then, the linuxkpi can be
modified to use ticksl instead of ticks.
Reviewed by: olce, kib, emaste
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D48383
(cherry picked from commit 6b82130e6c9add4a8892ca897df5a0ec04663ea2)
- Don't consume the breakpoint if all invop handlers returned a non-zero
  value.
- Fix style nits.
MFC after: 2 weeks
Sponsored by: Innovate UK
(cherry picked from commit 853cd8723494ccc2e972aaa09e7d04ede1508c95)
Make it easier to support data models other than ILP32 and LP64 by
avoiding constructs which assume that it must be one or the other.
No functional change intended.
MFC after: 2 weeks
Sponsored by: Innovate UK
(cherry picked from commit 096a5c6cd28c417456d5ce3598be15e6b656af5c)
It serves no purpose after commit 82283cad12a4. No functional change
intended.
Fixes: 82283cad12a4 ("dtrace: Avoid including dtrace_isa.c directly into dtrace.c")
MFC after: 2 weeks
(cherry picked from commit 494a2b14722e8955af54e306305f462e5765c1e4)
Drivers, including those that support SR-IOV, can be loaded via kld_list
and it makes sense to process iovctl configuration files after all
drivers have been loaded.
Sponsored by: Chelsio Communications
Reviewed by: 0mp, jhb
Differential Revision: https://reviews.freebsd.org/D47937
(cherry picked from commit 41594021fa8bf02468407e8fc48c2e7a13de1a2f)
Normally the reply to destroy_server() releases the listen context but
it is not called when the adapter is suspended. Release the context
right away in that case.
Sponsored by: Chelsio Communications
(cherry picked from commit 45d5b9f0324a13df06712b7a9df5f2fbe8475764)
This got lost many years ago in 8eb6488ebb.
It is used by the driver's DBG printfs.
(cherry picked from commit bf6f0db8a762966b08430692c92ae34e667948db)
GCC 14 warned about transposed arguments to calloc, but these cases
are better served by more abstract string functions.
(cherry picked from commit f94513a3a36b50823c3918c93ee5c6bf5f525e91)