Module Name:	src
Committed By:	christos
Date:		Thu Aug 13 10:26:16 UTC 2015

Update of /cvsroot/src/crypto/external/bsd/openssh/dist
In directory ivanova.netbsd.org:/tmp/cvs-serv18268

Log Message:
import openssh-7.0

Changes since OpenSSH 6.9
=========================

The focus of this release is primarily to deprecate weak, legacy
and/or unsafe cryptography.

Security
--------

 * sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
   world-writable. Local attackers may be able to write arbitrary
   messages to logged-in users, including terminal escape sequences.
   Reported by Nikolay Edigaryev.

 * sshd(8): Portable OpenSSH only: Fixed a privilege separation
   weakness related to PAM support. Attackers who could successfully
   compromise the pre-authentication process for remote code
   execution and who had valid credentials on the host could
   impersonate other users. Reported by Moritz Jodeit.

 * sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
   related to PAM support that was reachable by attackers who could
   compromise the pre-authentication process for remote code
   execution. Also reported by Moritz Jodeit.

 * sshd(8): fix circumvention of MaxAuthTries using
   keyboard-interactive authentication. By specifying a long,
   repeating keyboard-interactive "devices" string, an attacker could
   request the same authentication method be tried thousands of
   times in a single pass. The LoginGraceTime timeout in sshd(8)
   and any authentication failure delays implemented by the
   authentication mechanism itself were still applied. Found by
   Kingcope.

Potentially-incompatible Changes
--------------------------------

 * Support for the legacy SSH version 1 protocol is disabled by
   default at compile time.

 * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
   is disabled by default at run-time. It may be re-enabled using
   the instructions at http://www.openssh.com/legacy.html

 * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
   by default at run-time. These may be re-enabled using the
   instructions at http://www.openssh.com/legacy.html

 * Support for the legacy v00 cert format has been removed.

 * The default for the sshd_config(5) PermitRootLogin option has
   changed from "yes" to "prohibit-password".

 * PermitRootLogin=without-password/prohibit-password now bans all
   interactive authentication methods, allowing only public-key,
   hostbased and GSSAPI authentication (previously it permitted
   keyboard-interactive and password-less authentication if those
   were enabled).

New Features
------------

 * ssh_config(5): add PubkeyAcceptedKeyTypes option to control which
   public key types are available for user authentication.

 * sshd_config(5): add HostKeyAlgorithms option to control which
   public key types are offered for host authentications.

 * ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
   HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
   options to allow appending to the default set of algorithms
   instead of replacing it. Options may now be prefixed with a '+'
   to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".

 * sshd_config(5): PermitRootLogin now accepts an argument of
   'prohibit-password' as a less-ambiguous synonym of
   'without-password'.

Bugfixes
--------

 * ssh(1), sshd(8): add compatibility workarounds for Cisco and more
   PuTTY versions. bz#2424

 * Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
   documentation relating to Unix domain socket forwarding;
   bz#2421 bz#2422

 * ssh(1): Improve the ssh(1) manual page to include a better
   description of Unix domain socket forwarding; bz#2423

 * ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing
   failures to load keys when they are present.
   bz#2427

 * ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys with
   empty CKA_ID; bz#2429

 * sshd(8): clarify documentation for UseDNS option; bz#2045

Status:

Vendor Tag:	OPENSSH
Release Tags:	v70-20150812

43 conflicts created by this import.
Use the following command to help the merge:

	cvs checkout -jOPENSSH:yesterday -jOPENSSH src/crypto/external/bsd/openssh/dist
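
An added example, not part of the commit message and not OpenSSH or NetBSD code: a small audit that reads sshd_config/ssh_config text and reports lines that bring back what the 7.0 release notes above say is now disabled by default, including the new '+' append syntax. The function name `audit` and the sample configuration are constructed for illustration; Match blocks and included files are not interpreted.

```python
from fnmatch import fnmatchcase

# Algorithms the 7.0 release notes list as disabled by default at run-time.
LEGACY = {
    "kexalgorithms": ["diffie-hellman-group1-sha1"],
    "hostkeyalgorithms": ["ssh-dss", "ssh-dss-cert-*"],
    "pubkeyacceptedkeytypes": ["ssh-dss", "ssh-dss-cert-*"],
    "hostbasedkeytypes": ["ssh-dss", "ssh-dss-cert-*"],
}

def audit(text):
    """Return (line_no, keyword, detail) for settings that undo 7.0 defaults."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in LEGACY:
            # A leading '+' appends to the default set instead of replacing it.
            append = value.startswith("+")
            mode = "appended to defaults" if append else "in replacement list"
            for alg in value.lstrip("+").split(","):
                alg = alg.strip()
                if any(fnmatchcase(alg, pat) for pat in LEGACY[key]):
                    findings.append((no, key, f"{alg} {mode}"))
        elif key == "permitrootlogin" and value.lower() == "yes":
            # 7.0 changed the default from "yes" to "prohibit-password".
            findings.append((no, key, "root password login allowed"))
        elif key == "protocol" and "1" in [v.strip() for v in value.split(",")]:
            findings.append((no, key, "SSH protocol 1 requested"))
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
# constructed sshd_config fragment for illustration
Protocol 2
PermitRootLogin yes
HostKeyAlgorithms=+ssh-dss
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Ciphers aes256-ctr
PubkeyAcceptedKeyTypes +ssh-dss-cert-v01@openssh.com,ssh-ed25519
"""

if __name__ == "__main__":
    for no, key, detail in audit(SAMPLE):
        print(f"line {no}: {key}: {detail}")
```
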