OpenSSH: Update to 10.0p2
Full release notes are available at https://www.openssh.com/txt/release-10.0 Selected highlights from the release notes: Potentially-incompatible changes - This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.] - This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this. - sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Security - sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.] New features - ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D51630
@@ -3,6 +3,7 @@
|
||||
SUBDIR=
|
||||
.if ${MK_OPENSSH} != "no"
|
||||
SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper sshd-session
|
||||
SUBDIR+=sshd-auth
|
||||
.endif
|
||||
|
||||
SUBDIR.${MK_TESTS}+= tests
|
||||
|
||||
@@ -0,0 +1,58 @@
|
||||
.include <src.opts.mk>
|
||||
.include "${SRCTOP}/secure/ssh.mk"
|
||||
|
||||
PROG= sshd-auth
|
||||
SRCS= sshd-auth.c \
|
||||
auth2-methods.c \
|
||||
auth-rhosts.c auth-passwd.c sshpty.c sshlogin.c servconf.c \
|
||||
serverloop.c auth.c auth2.c auth-options.c session.c auth2-chall.c \
|
||||
groupaccess.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
|
||||
auth2-none.c auth2-passwd.c auth2-pubkey.c auth2-pubkeyfile.c \
|
||||
auth2-gss.c gss-serv.c gss-serv-krb5.c \
|
||||
monitor_wrap.c auth-krb5.c \
|
||||
audit.c audit-bsm.c audit-linux.c platform.c \
|
||||
loginrec.c auth-pam.c auth-shadow.c auth-sia.c \
|
||||
sandbox-null.c sandbox-rlimit.c sandbox-darwin.c \
|
||||
sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-solaris.c \
|
||||
sftp-server.c sftp-common.c \
|
||||
uidswap.c $(SKSRCS)
|
||||
PACKAGE= ssh
|
||||
|
||||
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
|
||||
SRCS+= gss-genr.c
|
||||
|
||||
MAN=
|
||||
|
||||
# pam should always happen before ssh here for static linking
|
||||
LIBADD= pam ssh util
|
||||
|
||||
.if ${MK_AUDIT} != "no"
|
||||
CFLAGS+= -DUSE_BSM_AUDIT=1 -DHAVE_GETAUDIT_ADDR=1
|
||||
LIBADD+= bsm
|
||||
.endif
|
||||
|
||||
.if ${MK_BLACKLIST_SUPPORT} != "no"
|
||||
CFLAGS+= -DUSE_BLACKLIST=1 -I${SRCTOP}/contrib/blocklist/include
|
||||
SRCS+= blacklist.c
|
||||
LIBADD+= blacklist
|
||||
LDFLAGS+=-L${LIBBLACKLISTDIR}
|
||||
.endif
|
||||
|
||||
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
|
||||
LIBADD+= gssapi_krb5 gssapi krb5
|
||||
.if ${MK_MITKRB5} != "no"
|
||||
.include "../../krb5/Makefile.inc"
|
||||
CFLAGS+= -I${KRB5_DIR}/include \
|
||||
-I${KRB5_SRCTOP}/include \
|
||||
-I${KRB5_OBJTOP}/lib \
|
||||
-I${KRB5_DIR}/lib/gssapi/generic \
|
||||
-I${KRB5_DIR}/lib/gssapi/krb5 \
|
||||
-I${KRB5_DIR}/lib/gssapi/mechglue
|
||||
.endif
|
||||
.endif
|
||||
|
||||
LIBADD+= crypto
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
||||
.PATH: ${SSHDIR}
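Review bot: The new sshd-auth Makefile has no header comment, and its `SRCS` list is not self-explanatory: it pulls `session.c`, `serverloop.c` and `sftp-server.c` into the binary that handles user authentication, next to sandbox and audit backends for other platforms (`sandbox-seccomp-filter.c`, `sandbox-darwin.c`, `audit-linux.c`). If the list is meant to mirror the upstream object list for sshd-auth, a comment above `PROG=` should say so, e.g. `# sshd-auth: user-authentication phase split out of sshd-session; keep SRCS in sync with the upstream sshd-auth object list`, so nobody trims or extends it by hand later. The `MK_BLACKLIST_SUPPORT` block also builds `blacklist.c` into this binary, and it would help to note whether the notification path still works from the (presumably sandboxed) authentication process, which cannot be told from this file. `MAN=` deserves a short `# no manual page is installed for sshd-auth` comment as well.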
|
||||
@@ -13,9 +13,7 @@ SRCS= sshd-session.c auth-rhosts.c auth-passwd.c \
|
||||
auth2-gss.c gss-serv.c gss-serv-krb5.c \
|
||||
loginrec.c auth-pam.c auth-shadow.c auth-sia.c \
|
||||
sftp-server.c sftp-common.c \
|
||||
sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c \
|
||||
sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-pledge.c \
|
||||
sandbox-solaris.c uidswap.c $(SKSRCS)
|
||||
uidswap.c platform-listen.c $(SKSRCS)
|
||||
PACKAGE= ssh
|
||||
|
||||
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
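Review bot: The `SRCS` list for sshd-session appears to lose its `sandbox-*.c` entries here and gain `platform-listen.c`, with no comment saying why; the rendered page has dropped the +/- markers, so this is read from the hunk counts. Anyone auditing sshd-session for its pre-auth sandbox will look for those files in this list. A one-line comment above `SRCS=` such as `# sandbox-*.c are built into sshd-auth, which runs the user-authentication phase` would point them to the right binary. The `SRCS=` assignment starts above the hunk.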
|
||||
|
||||