OpenSSH: Update to 10.0p2

Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release removes support for the weak DSA signature algorithm.
  [This change was previously merged to FreeBSD main.]

- This release has the version number 10.0 and announces itself as
  "SSH-2.0-OpenSSH_10.0".  Software that naively matches versions using
  patterns like "OpenSSH_1*" may be confused by this.

- sshd(8): this release moves the code responsible for the user
  authentication phase of the protocol out of the per-connection
  sshd-session binary and into a new sshd-auth binary.

Security

- sshd(8): fix the DisableForwarding directive, which was failing to
  disable X11 forwarding and agent forwarding as documented.
  [This change was previously merged to FreeBSD main.]

New features

- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
  used by default for key agreement.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
Ed Maste
2025-08-26 15:04:16 -04:00
133 changed files with 6492 additions and 3092 deletions
+1
@@ -3,6 +3,7 @@
SUBDIR=
.if ${MK_OPENSSH} != "no"
SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper sshd-session
SUBDIR+=sshd-auth
.endif
SUBDIR.${MK_TESTS}+= tests
+58
@@ -0,0 +1,58 @@
.include <src.opts.mk>
.include "${SRCTOP}/secure/ssh.mk"
PROG= sshd-auth
SRCS= sshd-auth.c \
auth2-methods.c \
auth-rhosts.c auth-passwd.c sshpty.c sshlogin.c servconf.c \
serverloop.c auth.c auth2.c auth-options.c session.c auth2-chall.c \
groupaccess.c auth-bsdauth.c auth2-hostbased.c auth2-kbdint.c \
auth2-none.c auth2-passwd.c auth2-pubkey.c auth2-pubkeyfile.c \
auth2-gss.c gss-serv.c gss-serv-krb5.c \
monitor_wrap.c auth-krb5.c \
audit.c audit-bsm.c audit-linux.c platform.c \
loginrec.c auth-pam.c auth-shadow.c auth-sia.c \
sandbox-null.c sandbox-rlimit.c sandbox-darwin.c \
sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-solaris.c \
sftp-server.c sftp-common.c \
uidswap.c $(SKSRCS)
PACKAGE= ssh
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
SRCS+= gss-genr.c
MAN=
# pam should always happen before ssh here for static linking
LIBADD= pam ssh util
.if ${MK_AUDIT} != "no"
CFLAGS+= -DUSE_BSM_AUDIT=1 -DHAVE_GETAUDIT_ADDR=1
LIBADD+= bsm
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
CFLAGS+= -DUSE_BLACKLIST=1 -I${SRCTOP}/contrib/blocklist/include
SRCS+= blacklist.c
LIBADD+= blacklist
LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif
.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
LIBADD+= gssapi_krb5 gssapi krb5
.if ${MK_MITKRB5} != "no"
.include "../../krb5/Makefile.inc"
CFLAGS+= -I${KRB5_DIR}/include \
-I${KRB5_SRCTOP}/include \
-I${KRB5_OBJTOP}/lib \
-I${KRB5_DIR}/lib/gssapi/generic \
-I${KRB5_DIR}/lib/gssapi/krb5 \
-I${KRB5_DIR}/lib/gssapi/mechglue
.endif
.endif
LIBADD+= crypto
.include <bsd.prog.mk>
.PATH: ${SSHDIR}
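Review bot: The `MK_BLACKLIST_SUPPORT` block compiles blacklist.c into sshd-auth with `-DUSE_BLACKLIST=1`, yet nothing here says why the sandboxed authentication binary carries it or what it depends on at run time. Because the commit moves the authentication phase into this binary, failed-login reporting presumably originates here now; whether the blacklistd connection is usable once the sandbox is active cannot be seen from the Makefile and is worth confirming, since a broken path would fail silently rather than at build time. I would put a comment above the block, for example `# sshd-auth runs the authentication phase, so blacklistd notification is built in here; it must work from inside the sandbox.` Separately, the SRCS list includes sources for other platforms (`sandbox-darwin.c`, `sandbox-seccomp-filter.c`, `sandbox-solaris.c`, `audit-linux.c`) with no explanation; if the list is meant to follow upstream's sshd-auth object list, a one-line comment saying so would keep a later import from pruning it or letting it drift.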
+1 -3
@@ -13,9 +13,7 @@ SRCS= sshd-session.c auth-rhosts.c auth-passwd.c \
auth2-gss.c gss-serv.c gss-serv-krb5.c \
loginrec.c auth-pam.c auth-shadow.c auth-sia.c \
sftp-server.c sftp-common.c \
sandbox-null.c sandbox-rlimit.c sandbox-systrace.c sandbox-darwin.c \
sandbox-seccomp-filter.c sandbox-capsicum.c sandbox-pledge.c \
sandbox-solaris.c uidswap.c $(SKSRCS)
uidswap.c platform-listen.c $(SKSRCS)
PACKAGE= ssh
# gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile