- Features:
Possible use of sftp/sftp-server with older FreeBSD releases.
Use a newer version independently from the Base system.
Easier to test and fix possible security bugs.
- Bugs:
build of pam_ssm.so isn't be supported any more
Any file named "cookie" can be deleted by this and any older "sshd"
with X11 Forwarding.
ports-based OpenSSH. OpenSSH has been in the base system for more
than long enough to justify not having to maintain two separate
FreeBSD versions of OpenSSH.
it is no longer required. Apologies to the various maintainers whom I
did not yet hear back from, but the ports freeze is coming up in a few
hours and I will be verifying all of these ports on a 4.1 machine
myself to catch any problems.
not needed for the port.
Big thanks to Issei-san for doing the majority of the work necessary for
this upgrade!
Submitted by: Issei Suzuki <issei@jp.FreeBSD.org>
Go to a much more convenient scheme for distfiles/ignorefiles. There
will be a lot less change from now on... the release name not being
embedded in them helps a lot.
Fix an unquoted "${CVS_DATE}" so cvs update isn't always run when
we're in one of the first 9 days of a month in CVS_DATE.
Update to OpenSSH-1.2.2, which doesn't really mean anything since there
are no source releases anyway...
The port has been verified to work with pdksh 5.2.14 as /bin/sh, and
about 7 times faster.
The version is now 1.2.1, from 1.2. You can mv your old distfiles/OpenSSH-1.2
dir to distfiles/OpenSSH-1.2.1, if you want to not waste time/space.
Some minor nits have been fixed, and a couple bugs. One sizeof(len)
should have just been len, and, in markus's words,
"fix get_remote_port() and friends for sshd -i".
updated to today's snapshot of OpenSSH.
Various updates from the latest ${CVS_DATE}, and requisite patch
changes, are the "big new thing". Nothing major has changed; the
biggest ones would be using atomicio() in a lot of places and a
fix for a SIGHUP not updating sshd(8)'s configuration until the
next connection.
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
reality, though. One file, cipher.c, calls cryptographic routines
from external libraries. This really cannot encumber OpenSSH in
any case, but I put RESTRICTED back since it would give people a
false hope of being able to install the OpenSSH package but
not the requisite, RESTRICTED (so nonexistant) openssl package.
Reasons:
1. It's not crypto.
2. It links with crypto.
a. That crypto is in the public domain.
b. Linking with crypto does not constitute cryptography.
3. Even if it were crypto, the description of the entire protocol, etc.,
is in the public domain. The RFC is PD in the USA, and the white paper
in Europe.
4. Precedence? Even if it were crypto, the Bernstein case has set
precedence for allowing export of that. But it's not even crypto.
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
obsoleting a couple patches (it's the same code, though, except for
additions).
This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.
My patches have been almost entirely rewritten. The places are the
same, but the code's rewritten. It fits with the style (KNF) now,
and looks better.
I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs. After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2. Adding it to ssh/lib/ makes it work
yet again :)
Add "ignorelogin" login.conf functionality to sshd.
The biggest change: new port functionality. Making "fetchsrctarball"
will soon work for those of you who cannot use CVS to get OpenSSH.
Mark Murray, the savior he is :), will use "make makesrctarball" and
put the snapshots of OpenSSH source in the proper place.
The current ${MASTER_SITES} is just a guess at where the snapshot
files could be hosted; something definite should be worked out very
soon.
