From nobody Mon Jan 08 14:04:26 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4T7wmC5HgQz55pJN; Mon, 8 Jan 2024 14:04:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4T7wmC4kdcz45tv; Mon, 8 Jan 2024 14:04:27 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1704722667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AYr5C/T5/33V64Zr5gOv7ZD6DSISKP0dTGMK+F7yvzo=; b=PIeBmpjh3xnX8OtKVnkhFHefxZSNywl6FNg480ZtvFE2NkeSGs7tSLOOqNC8AMMpLPl+WW kU8IXOz845pO8DRmi+msvqBiVsBLXpdpqxdBSk8bOyT4AsytXYhntc9d5qQU+cVTKUlCKU Z58mxHUYmkGabtTUI3Vxe/tUAcMDbt6dfvYNNuPsDmo2WhGN3kX827N8/VZVDwzfyyFocG MCaFK7XewNScemfTUHRful+6bg184GND2PY9hY4oobfLLedSJvdEdktXk4q+FXNBmQQWia 6S0940fOrWnh1al0FP1umRjjbCzfhuY1+Y9skqsqzdbgccnqSczZMfRvNUJWzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1704722667; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=AYr5C/T5/33V64Zr5gOv7ZD6DSISKP0dTGMK+F7yvzo=; b=uYx5SF5PxHJOhb9gDhanvD0xSfeEX+8E2DJ+eT0Y2kLRsITQ3sQwsbJu8v72P/1AvAdzZG GySQXI0aumI92jgi9soci8apW1ESNcjbAPBHlY42p8HjY4F/VpwoSubZVbsQ1JNesK3CmU m5xGv1W8WmffgVFRtk83oIP24zvgl6viUEPQ1S4zfGfkhLXiRpfNkDTDwpZjfhg6F2a9zN AGGKX1XuNqRRX/oGhgFojQKJphHF5deZqmD57FrXu4lyCLhOIcA/6J7J1VgXpO4OzV0MCv ewyR46fEHwfv3dQMwYNGRgAhLCP1Gfjqwney9KZad+HmG3/D6KyIqRtMGDXdTA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1704722667; a=rsa-sha256; cv=none; b=olieWBRkXCHfaIavnNn7rGuYu+TairUt3XxPS8DgwY2sH3NOB10ePYpTbF7PLqvw/rG1/d WLZmCrEqDGXe91OCaaxEWFICtZqBcirLXPOpoiG0yPg4k8cK9Dzebt6eQ7/LR0BoxUZUif LcfmI1A8y3VI+xmCANtFsjBudqD4dERehYUY6Ep2mBygmiPBU1FsCleYMBhYn6YgtfLJjd tR91nexicvzSYM+mKU9sI0tUiEsJZ6csHmCyf3nG7oK5SfYqLoyDnku9+jEejoXH3frMuZ 5/T/fqQID9hXj2/H5Yt5USdyLziAMcJlGsw3ilTRg6XHI2BrgCosjPCmAgXvVw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4T7wmC2gcCz18Df; Mon, 8 Jan 2024 14:04:27 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 408E4Ri6067462; Mon, 8 Jan 2024 14:04:27 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 408E4QF8067459; Mon, 8 Jan 2024 14:04:26 GMT (envelope-from git) Date: Mon, 8 Jan 2024 14:04:26 GMT Message-Id: <202401081404.408E4QF8067459@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 2cd20d9bc807 - stable/13 - ssh: Update to OpenSSH 9.6p1 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 2cd20d9bc80743d6562cb6165dc07b8391dddc27 Auto-Submitted: auto-generated The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=2cd20d9bc80743d6562cb6165dc07b8391dddc27 commit 2cd20d9bc80743d6562cb6165dc07b8391dddc27 Author: Ed Maste AuthorDate: 2024-01-05 03:16:30 +0000 Commit: Ed Maste CommitDate: 2024-01-08 13:57:12 +0000 ssh: Update to OpenSSH 9.6p1 From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d) (cherry picked from commit a25789646d7130f5be166cac63d5c8b2b07c4706) --- crypto/openssh/.depend | 3 +- crypto/openssh/.github/configs | 14 +- crypto/openssh/.github/setup_ci.sh | 53 +- crypto/openssh/.github/workflows/c-cpp.yml | 15 +- crypto/openssh/.github/workflows/selfhosted.yml | 21 +- crypto/openssh/ChangeLog | 12792 +++++++++++----------- crypto/openssh/Makefile.in | 14 +- crypto/openssh/PROTOCOL | 21 +- crypto/openssh/PROTOCOL.agent | 33 +- crypto/openssh/README | 2 +- crypto/openssh/auth2.c | 8 +- crypto/openssh/authfd.c | 40 +- crypto/openssh/authfd.h | 5 +- crypto/openssh/channels.c | 36 +- crypto/openssh/channels.h | 4 +- crypto/openssh/cipher.c | 23 +- crypto/openssh/cipher.h | 3 +- crypto/openssh/clientloop.c | 34 +- crypto/openssh/config.h | 9 + crypto/openssh/configure.ac | 49 +- crypto/openssh/contrib/redhat/openssh.spec | 34 +- crypto/openssh/contrib/suse/openssh.spec | 2 +- crypto/openssh/kex.c | 235 +- crypto/openssh/kex.h | 7 +- crypto/openssh/log.c | 6 +- crypto/openssh/m4/openssh.m4 | 116 +- crypto/openssh/misc.c | 41 +- crypto/openssh/misc.h | 3 +- crypto/openssh/moduli | 898 +- crypto/openssh/monitor_wrap.c | 4 +- crypto/openssh/mux.c | 4 +- crypto/openssh/openbsd-compat/port-solaris.c | 24 +- crypto/openssh/readconf.c | 57 +- crypto/openssh/readconf.h | 7 +- crypto/openssh/regress/Makefile | 10 +- crypto/openssh/regress/agent-pkcs11-cert.sh | 92 + crypto/openssh/regress/agent-pkcs11-restrict.sh | 193 + crypto/openssh/regress/agent-pkcs11.sh | 82 +- crypto/openssh/regress/conch-ciphers.sh | 11 +- crypto/openssh/regress/dropbear-ciphers.sh | 33 + crypto/openssh/regress/dropbear-kex.sh | 31 + crypto/openssh/regress/forcecommand.sh | 56 +- crypto/openssh/regress/sshsig.sh | 72 +- crypto/openssh/regress/test-exec.sh | 169 +- crypto/openssh/regress/unittests/Makefile | 3 +- crypto/openssh/regress/unittests/Makefile.inc | 4 +- crypto/openssh/scp.c | 12 +- crypto/openssh/servconf.c | 40 +- crypto/openssh/sftp-client.c | 4 +- crypto/openssh/ssh-add.1 | 14 +- crypto/openssh/ssh-add.c | 92 +- crypto/openssh/ssh-agent.c | 241 +- crypto/openssh/ssh-pkcs11-client.c | 56 +- crypto/openssh/ssh-pkcs11.h | 5 +- crypto/openssh/ssh.1 | 7 +- crypto/openssh/ssh.c | 26 +- crypto/openssh/ssh2.h | 3 +- crypto/openssh/ssh_config.5 | 83 +- crypto/openssh/ssh_namespace.h | 7 +- crypto/openssh/sshconnect.c | 10 +- crypto/openssh/sshconnect.h | 6 +- crypto/openssh/sshconnect2.c | 63 +- crypto/openssh/sshd.c | 4 +- crypto/openssh/sshd_config | 2 +- crypto/openssh/sshd_config.5 | 2 +- crypto/openssh/sshkey.c | 40 +- crypto/openssh/sshsig.c | 7 +- crypto/openssh/version.h | 6 +- secure/usr.bin/ssh-agent/Makefile | 2 +- 69 files changed, 8731 insertions(+), 7374 deletions(-) diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend index 259bf3b2f136..4897698ab74a 100644 --- a/crypto/openssh/.depend +++ b/crypto/openssh/.depend @@ -28,7 +28,8 @@ auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd- auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h -auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h +auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h kex .h +auth2.o: mac.h crypto_api.h authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h log.h ssherr.h atomicio.h misc.h authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h ssherr.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h krl.h bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs index c7d6a55ab962..df82faf5046b 100755 --- a/crypto/openssh/.github/configs +++ b/crypto/openssh/.github/configs @@ -108,9 +108,19 @@ case "$config" in SKIP_LTESTS=sftp-chroot ;; gcc-11-Werror) - CC="gcc" + CC="gcc-11" + # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled + # -Wunused-result ignores (void) so is not useful. See + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425 + CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result" + CONFIGFLAGS="--with-pam --with-Werror" + ;; + gcc-12-Werror) + CC="gcc-12" # -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled - CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter" + # -Wunused-result ignores (void) so is not useful. See + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425 + CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result" CONFIGFLAGS="--with-pam --with-Werror" ;; clang*|gcc*) diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh index 010a333a6642..d0ba7b4724e9 100755 --- a/crypto/openssh/.github/setup_ci.sh +++ b/crypto/openssh/.github/setup_ci.sh @@ -18,8 +18,7 @@ case "$host" in ;; *-darwin*) PACKAGER=brew - brew install automake - exit 0 + PACKAGES="automake" ;; *) PACKAGER=apt @@ -30,20 +29,30 @@ TARGETS=$@ INSTALL_FIDO_PPA="no" export DEBIAN_FRONTEND=noninteractive -#echo "Setting up for '$TARGETS'" - -set -ex +set -e if [ -x "`which lsb_release 2>&1`" ]; then lsb_release -a fi -# Ubuntu 22.04 defaults to private home dirs which prevent the -# agent-getpeerid test from running ssh-add as nobody. See -# https://github.com/actions/runner-images/issues/6106 -if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then - echo ~ is not executable by nobody, adding perms. - chmod go+x ~ +if [ ! -z "$SUDO" ]; then + # Ubuntu 22.04 defaults to private home dirs which prevent the + # agent-getpeerid test from running ssh-add as nobody. See + # https://github.com/actions/runner-images/issues/6106 + if ! "$SUDO" -u nobody test -x ~; then + echo ~ is not executable by nobody, adding perms. + chmod go+x ~ + fi + # Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular + # sudo still works, but sudo -u doesn't. Restore the sudo rule. + if ! "$SUDO" grep -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then + echo "Restoring runner nopasswd rule to sudoers." + echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers + fi + if ! "$SUDO" -u nobody -S test -x ~ -Date: Wed Oct 4 15:34:10 2023 +1100 +Date: Tue Dec 19 01:59:50 2023 +1100 - crank version numbers + crank versions -commit f65f187b105d9b5c12fd750a211397d08c17c6d4 -Author: djm@openbsd.org -Date: Wed Oct 4 04:04:09 2023 +0000 +commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b +Author: Damien Miller +Date: Tue Dec 19 01:59:06 2023 +1100 - upstream: openssh-9.5 - - OpenBSD-Commit-ID: 5e0af680480bd3b6f5560cf840ad032d48fd6b16 + depend -commit ffe27e54a4bb18d5d3bbd3f4cc93a41b8d94dfd2 +commit e48cdee8e19059203b1aeeabec2350b8375fa61f Author: djm@openbsd.org -Date: Wed Oct 4 04:03:50 2023 +0000 +Date: Mon Dec 18 14:50:08 2023 +0000 - upstream: add some cautionary text about % token expansion and - - shell metacharacters; based on report from vinci AT protonmail.ch + upstream: regress test for agent PKCS#11-backed certificates - OpenBSD-Commit-ID: aa1450a54fcee2f153ef70368d90edb1e7019113 + OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9 -commit 60ec3d54fd1ebfe2dda75893fa1e870b8dffbb0d +commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1 Author: djm@openbsd.org -Date: Tue Oct 3 23:56:10 2023 +0000 +Date: Mon Dec 18 14:49:39 2023 +0000 - upstream: fix link to agent draft; spotted by Jann Horn + upstream: regress test for constrained PKCS#11 keys - OpenBSD-Commit-ID: ff5bda21a83ec013db683e282256a85201d2dc4b + OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff -commit 12e2d4b13f6f63ce2de13cbfcc9e4d0d4b4ab231 -Author: Damien Miller -Date: Wed Oct 4 10:54:04 2023 +1100 +commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f +Author: djm@openbsd.org +Date: Mon Dec 18 14:48:44 2023 +0000 - use portable provider allowlist path in manpage + upstream: openssh-9.6 - spotted by Jann Horn + OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b -commit 6c2c6ffde75df95fd838039850d3dd3d84956d87 -Author: deraadt@openbsd.org -Date: Tue Sep 19 20:37:07 2023 +0000 +commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b +Author: djm@openbsd.org +Date: Mon Dec 18 14:48:08 2023 +0000 - upstream: typo; from Jim Spath + upstream: ssh-agent: record failed session-bind attempts - OpenBSD-Commit-ID: 2f5fba917b5d4fcf93d9e0b0756c7f63189e228e + Record failed attempts to session-bind a connection and refuse signing + operations on that connection henceforth. + + Prevents a future situation where we add a new hostkey type that is not + recognised by an older ssh-agent, that consequently causes session-bind + to fail (this situation is only likely to arise when people mix ssh(1) + and ssh-agent(1) of different versions on the same host). Previously, + after such a failure the agent socket would be considered unbound and + not subject to restriction. + + Spotted by Jann Horn + + OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e -commit b6b49130a0089b297245ee39e769231d7c763014 +commit 7ef3787c84b6b524501211b11a26c742f829af1a Author: djm@openbsd.org -Date: Sun Sep 10 23:12:32 2023 +0000 +Date: Mon Dec 18 14:47:44 2023 +0000 - upstream: rename remote_glob() -> sftp_glob() to match other API + upstream: ban user/hostnames with most shell metacharacters - OpenBSD-Commit-ID: d9dfb3708d824ec02970a84d96cf5937e0887229 + This makes ssh(1) refuse user or host names provided on the + commandline that contain most shell metacharacters. + + Some programs that invoke ssh(1) using untrusted data do not filter + metacharacters in arguments they supply. This could create + interactions with user-specified ProxyCommand and other directives + that allow shell injection attacks to occur. + + It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, + but getting this stuff right can be tricky, so this should prevent + most obvious ways of creating risky situations. It however is not + and cannot be perfect: ssh(1) has no practical way of interpreting + what shell quoting rules are in use and how they interact with the + user's specified ProxyCommand. + + To allow configurations that use strange user or hostnames to + continue to work, this strictness is applied only to names coming + from the commandline. Names specified using User or Hostname + directives in ssh_config(5) are not affected. + + feedback/ok millert@ markus@ dtucker@ deraadt@ + + OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 -commit 21b79af6c8d2357c822c84cef3fbdb8001ed263b +commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67 Author: djm@openbsd.org -Date: Sun Sep 10 03:51:55 2023 +0000 +Date: Mon Dec 18 14:47:20 2023 +0000 - upstream: typo in comment + upstream: stricter handling of channel window limits - OpenBSD-Commit-ID: 69285e0ce962a7c6b0ab5f17a293c60a0a360a18 - -commit 41232d25532b4d2ef6c5db62efc0cf50a79d26ca -Author: Darren Tucker -Date: Sun Sep 10 15:45:38 2023 +1000 - - Use zero-call-used-regs=used with Apple compilers. + This makes ssh/sshd more strict in handling non-compliant peers that + send more data than the advertised channel window allows. Previously + the additional data would be silently discarded. This change will + cause ssh/sshd to terminate the connection if the channel window is + exceeded by more than a small grace allowance. - Apple's versions of clang have version numbers that do not match the - corresponding upstream clang versions. Unfortunately, they do still - have the clang-15 zero-call-used-regs=all bug, so for now use the value - that doesn't result in segfaults. We could allowlist future versions - that are known to work. bz#3584 (and probably also our github CI - failures). + ok markus@ + + OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037 -commit 90ccc5918ea505bf156c31148b6b59a1bf5d6dc6 +commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491 Author: djm@openbsd.org -Date: Sun Sep 10 03:25:53 2023 +0000 +Date: Mon Dec 18 14:46:56 2023 +0000 - upstream: randomise keystroke obfuscation intervals and average + upstream: Make it possible to load certs from PKCS#11 tokens - interval rate. ok dtucker@ + Adds a protocol extension to allow grafting certificates supplied by + ssh-add to keys loaded from PKCS#11 tokens in the agent. - OpenBSD-Commit-ID: 05f61d051ab418fcfc4857ff306e420037502382 + feedback/ok markus@ + + OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f -commit bd1b9e52f5fa94d87223c90905c5fdc1a7c32aa6 +commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b Author: djm@openbsd.org -Date: Fri Sep 8 06:34:24 2023 +0000 +Date: Mon Dec 18 14:46:12 2023 +0000 - upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here + upstream: apply destination constraints to all p11 keys - is char**, so harmless); spotted in CID 416964 + Previously applied only to the first key returned from each token. - OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002 + ok markus@ + + OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d -commit c4f966482983e18601eec70a1563115de836616f +commit a7ed931caeb68947d30af8a795f4108b6efad761 Author: djm@openbsd.org -Date: Fri Sep 8 06:10:57 2023 +0000 +Date: Mon Dec 18 14:45:49 2023 +0000 - upstream: regress test recursive remote-remote directories copies where + upstream: add "ext-info-in-auth@openssh.com" extension - the directory contains a symlink to another directory. + This adds another transport protocol extension to allow a sshd to send + SSH2_MSG_EXT_INFO during user authentication, after the server has + learned the username that is being logged in to. - also remove errant `set -x` that snuck in at some point + This lets sshd to update the acceptable signature algoritms for public + key authentication, and allows these to be varied via sshd_config(5) + "Match" directives, which are evaluated after the server learns the + username being authenticated. - OpenBSD-Regress-ID: 1c94a48bdbd633ef2285954ee257725cd7bc456f + Full details in the PROTOCOL file + + OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779 -commit 5e1dfe5014ebc194641678303e22ab3bba15f4e5 +commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Author: djm@openbsd.org -Date: Fri Sep 8 06:10:02 2023 +0000 +Date: Mon Dec 18 14:45:17 2023 +0000 - upstream: fix recursive remote-remote copies of directories that + upstream: implement "strict key exchange" in ssh and sshd - contain symlinks to other directories (similar to bz3611) + This adds a protocol extension to improve the integrity of the SSH + transport protocol, particular in and around the initial key exchange + (KEX) phase. - OpenBSD-Commit-ID: 7e19d2ae09b4f941bf8eecc3955c9120171da37f + Full details of the extension are in the PROTOCOL file. + + with markus@ + + OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 -commit 7c0ce2bf98b303b6ad91493ee3247d96c18ba1f6 -Author: djm@openbsd.org -Date: Fri Sep 8 05:50:57 2023 +0000 +commit 59d691b886c79e70b1d1c4ab744e81fd176222fd +Author: Damien Miller +Date: Mon Dec 18 14:49:11 2023 +1100 - upstream: regress test for recursive copies of directories containing + better detection of broken -fzero-call-used-regs - symlinks to other directories. bz3611, ok dtucker@ + Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend + test program to exercise varargs, which seems to catch more stuff. - OpenBSD-Regress-ID: eaa4c29cc5cddff4e72a16bcce14aeb1ecfc94b9 + ok dtucker@ -commit 2de990142a83bf60ef694378b8598706bc654b08 +commit aa7b21708511a6d4aed3839fc9f6e82e849dd4a1 Author: djm@openbsd.org -Date: Fri Sep 8 05:56:13 2023 +0000 +Date: Wed Dec 13 03:28:19 2023 +0000 - upstream: the sftp code was one of my first contributions to + upstream: when invoking KnownHostsCommand to determine the order of - OpenSSH and it shows - the function names are terrible. + host key algorithms to request, ensure that the hostname passed to the + command is decorated with the port number for ports other than 22. - Rename do_blah() to sftp_blah() to make them less so. + This matches the behaviour of KnownHostsCommand when invoked to look + up the actual host key. - Completely mechanical except for sftp_stat() and sftp_lstat() which - change from returning a pointer to a static variable (error-prone) to - taking a pointer to a caller-provided receiver. + bz3643, ok dtucker@ - OpenBSD-Commit-ID: eb54d6a72d0bbba4d623e2175cf5cc4c75dc2ba4 + OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1 -commit 249d8bd0472b53e3a2a0e138b4c030a31e83346a -Author: djm@openbsd.org -Date: Fri Sep 8 05:50:12 2023 +0000 +commit 4086bd6652c0badccc020218a62190a7798fb72c +Author: markus@openbsd.org +Date: Fri Dec 8 09:18:39 2023 +0000 - upstream: fix scp in SFTP mode recursive upload and download of - - directories that contain symlinks to other directories. In scp mode, the - links would be followed, but in SFTP mode they were not. bz3611, ok dtucker@ + upstream: prevent leak in sshsig_match_principals; ok djm@ - OpenBSD-Commit-ID: 9760fda668eaa94a992250d7670dfbc62a45197c + OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae -commit 0e1f4401c466fa4fdaea81b6dadc8dd1fc4cf0af +commit 19d3ee2f3adf7d9a606ff015c1e153744702c4c9 Author: djm@openbsd.org -Date: Wed Sep 6 23:36:09 2023 +0000 +Date: Wed Dec 6 21:06:48 2023 +0000 - upstream: regression test for override of subsystem in match blocks + upstream: short circuit debug log processing early if we're not going - OpenBSD-Regress-ID: 5f8135da3bfda71067084c048d717b0e8793e87c + to log anything. From Kobe Housen + + OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea -commit 8a1450c62035e834d8a79a5d0d1c904236f9dcfe -Author: djm@openbsd.org -Date: Wed Sep 6 23:35:35 2023 +0000 +commit 947affad4831df015c498c00c6351ea6f13895d5 +Author: Darren Tucker +Date: Mon Nov 27 09:37:28 2023 +1100 - upstream: allow override of Sybsystem directives in sshd Match - - blocks + Add tests for OpenSSL 3.2.0 and 3.2 stable branch. + +commit 747dce36206675ca6b885010a835733df469351b +Author: Darren Tucker +Date: Sat Nov 25 09:03:38 2023 +1100 + + Use non-zero arg in compiler test program. - OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722 + Now that we're running the test program, passing zero to the test function + can cause divide-by-zero exceptions which might show up in logs. -commit 6e52826e2a74d077147a82ead8d4fbd5b54f4e3b -Author: djm@openbsd.org -Date: Wed Sep 6 23:26:37 2023 +0000 +commit 3d44a5c56585d1c351dbc006240a591b6da502b1 +Author: dtucker@openbsd.org +Date: Fri Nov 24 00:31:30 2023 +0000 - upstream: allocate the subsystems array as necessary and remove the + upstream: Plug mem leak of msg when processing a quit message. - fixed limit of subsystems. Saves a few kb of memory in the server and makes - it more like the other options. + Coverity CID#427852, ok djm@ - OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f + OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7 -commit e19069c9fac4c111d6496b19c7f7db43b4f07b4f -Author: djm@openbsd.org -Date: Wed Sep 6 23:23:53 2023 +0000 +commit 1d7f9b6e297877bd00973e6dc5c0642dbefc3b5f +Author: dtucker@openbsd.org +Date: Thu Nov 23 03:37:05 2023 +0000 - upstream: preserve quoting of Subsystem commands and arguments. + upstream: Include existing mux path in debug message. - This may change behaviour of exotic configurations, but the most common - subsystem configuration (sftp-server) is unlikely to be affected. + OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16 + +commit f29934066bd0e561a2e516b7e584fb92d2eedee0 +Author: Darren Tucker +Date: Thu Nov 23 19:41:27 2023 +1100 + + Add an Ubuntu 22.04 test VM. - OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf + This is the same version as Github's runners so most of the testing on + it is over there, but having a local VM makes debugging much easier. -commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b -Author: djm@openbsd.org -Date: Wed Sep 6 23:21:36 2023 +0000 +commit a93284a780cd3972afe5f89086b75d564ba157f3 +Author: Darren Tucker +Date: Thu Nov 23 19:36:22 2023 +1100 - upstream: downgrade duplicate Subsystem directives from being a + Add gcc-12 -Werror test on Ubuntu 22.04. - fatal error to being a debug message to match behaviour with just about all - other directives. + Explictly specify gcc-11 on Ubuntu 22.04 (it's the system compiler). + +commit 670f5a647e98b6fd95ad64f789f87ee3274b481b +Author: Darren Tucker +Date: Thu Nov 23 19:34:57 2023 +1100 + + Check return value from write to prevent warning. - OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce + ... and since we're testing for flags with -Werror, this caused + configure to mis-detect compiler flags. -commit 1ee0a16e07b6f0847ff463d7b5221c4bf1876e25 -Author: djm@openbsd.org -Date: Wed Sep 6 23:18:15 2023 +0000 +commit cea007d691cfedfa07a5b8599f97ce0511f53fc9 +Author: Darren Tucker +Date: Wed Nov 22 21:18:55 2023 +1100 - upstream: handle cr+lf (instead of just cr) in sshsig signature + Run compiler test program when compiling natively. - files + ok djm@ + +commit ee0d305828f13536c0a416bbf9c3e81039d9ea55 +Author: Darren Tucker +Date: Wed Nov 22 21:18:07 2023 +1100 + + Factor out compiler test program into a macro. - OpenBSD-Commit-ID: 647460a212b916540016d066568816507375fd7f + ok djm@ -commit e1c284d60a928bcdd60bc575c6f9604663502770 -Author: job@openbsd.org -Date: Mon Sep 4 10:29:58 2023 +0000 +commit de304c76316b029df460673725a9104224b9959b +Author: Darren Tucker +Date: Wed Nov 22 08:55:36 2023 +1100 - upstream: Generate Ed25519 keys when invoked without arguments + Add fbsd14 VM to test pool. + +commit 99a2df5e1994cdcb44ba2187b5f34d0e9190be91 +Author: Darren Tucker +Date: Tue Nov 21 16:19:29 2023 +1100 + + Expand -fzero-call-used-regs test to cover gcc 11. - Ed25519 public keys are very convenient due to their small size. - OpenSSH has supported Ed25519 since version 6.5 (January 2014). + It turns out that gcc also has some problems with -fzero-call-used-regs, + at least v11 on mips. Previously the test in OSSH_CHECK_CFLAG_COMPILE + was sufficient to catch it with "=all", but not sufficient for "=used". + Expand the testcase and include it in the other tests for good measure. + See bz#3629. ok djm@. + +commit ff220d4010717f7bfbbc02a2400666fb9d24f250 +Author: Darren Tucker +Date: Tue Nov 21 14:04:34 2023 +1100 + + Stop using -fzero-call-used-regs=all - OK djm@ markus@ sthen@ deraadt@ + ... since it seems to be problematic with several different versions of + clang. Only use -fzero-call-used-regs=used which is less + problematic, except with Apple's clang where we don't use it at all. + bz#3629, ok djm@ + +commit 2a19e02f36b16f0f6cc915f7d1e60ead5e36303b +Author: Darren Tucker +Date: Tue Nov 21 14:02:18 2023 +1100 + + Allow for vendor prefix on clang version numbers. - OpenBSD-Commit-ID: f498beaad19c8cdcc357381a60df4a9c69858b3f + Correctly detects the version of OpenBSD's native clang, as well as + Apple's. Spotted tb@, ok djm@. -commit 694150ad92765574ff82a18f4e86322bd3231e68 +commit c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6 Author: djm@openbsd.org -Date: Mon Sep 4 00:08:14 2023 +0000 +Date: Mon Nov 20 02:50:00 2023 +0000 - upstream: trigger keystroke timing obfucation only if the channels - - layer enqueud some data in the last poll() cycle; this avoids triggering the - obfuscatior for non-channels data like ClientAlive probes and also fixes a - related problem were the obfucations would be triggered on fully quiescent - connections. + upstream: set errno=EAFNOSUPPORT when filtering addresses that don't - Based on / tested by naddy@ + match AddressFamily; yields slightly better error message if no address + matches. bz#3526 - OpenBSD-Commit-ID: d98f32dc62d7663ff4660e4556e184032a0db123 + OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6 -commit b5fd97896b59a3a46245cf438cc8b16c795d9f74 +commit 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a Author: djm@openbsd.org -Date: Mon Sep 4 00:04:02 2023 +0000 +Date: Wed Nov 15 23:03:38 2023 +0000 - upstream: avoid bogus "obfuscate_keystroke_timing: stopping ..." + upstream: when connecting via socket (the default case), filter - debug messages when keystroke timing obfuscation was never started; spotted - by naddy@ + addresses by AddressFamily if one was specified. Fixes the case where, if + CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok + dtucker - OpenBSD-Commit-ID: 5c270d35f7d2974db5c1646e9c64188f9393be31 + OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439 -commit ccf7d913db34e49b7a6db1b8331bd402004c840d +commit 050c335c8da43741ed0df2570ebfbd5d1dfd0a31 Author: djm@openbsd.org -Date: Mon Sep 4 00:01:46 2023 +0000 +Date: Wed Nov 15 22:51:49 2023 +0000 - upstream: make channel_output_poll() return a flag indicating + upstream: when deciding whether to enable keystroke timing - whether channel data was enqueued. Will be used to improve keystroke timing - obfuscation. Problem spotted by / tested by naddy@ + obfuscation, only consider enabling it when a channel with a tty is open. - OpenBSD-Commit-ID: f9776c7b0065ba7c3bbe50431fd3b629f44314d0 + Avoids turning on the obfucation when X11 forwarding only is in use, + which slows it right down. Reported by Roger Marsh + + OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1 -commit 43254b326ac6e2131dbd750f9464dc62c14bd5a7 -Author: djm@openbsd.org -Date: Sun Sep 3 23:59:32 2023 +0000 +commit 676377ce67807a24e08a54cd60ec832946cc6cae +Author: tobhe@openbsd.org +Date: Mon Nov 13 09:18:19 2023 +0000 - upstream: set interactive mode for ControlPersist sessions if they + upstream: Make sure sftp_get_limits() only returns 0 if 'limits' - originally requested a tty; enables keystroke timing obfuscation for most - ControlPersist sessions. Spotted by naddy@ + was initialized. This fixes a potential uninitialized use of 'limits' in + sftp_init() if sftp_get_limits() returned early because of an unexpected + message type. - OpenBSD-Commit-ID: 72783a26254202e2f3f41a2818a19956fe49a772 + ok djm@ + + OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c -commit ff3eda68ceb2e2bb8f48e3faceb96076c3e85c20 +commit 64e0600f23c6dec36c3875392ac95b8a9100c2d6 Author: Darren Tucker -Date: Thu Aug 31 23:02:35 2023 +1000 +Date: Mon Nov 13 20:03:31 2023 +1100 - Set LLONG_MAX for C89 test. + Test current releases of LibreSSL and OpenSSL. - If we don't have LLONG_MAX, configure will figure out that it can get it - by setting -std=gnu99, at which point we won't be testing C89 any more. - To avoid this, feed it in via CFLAGS. + Retire some of the older releases. -commit f98031773db361424d59e3301aa92aacf423d920 -Author: djm@openbsd.org -Date: Tue Aug 29 02:50:10 2023 +0000 +commit c8ed7cc545879ac15f6ce428be4b29c35598bb2a +Author: dtucker@openbsd.org +Date: Wed Nov 1 02:08:38 2023 +0000 - upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@ + upstream: Specify ssh binary to use - OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7 + ... instead of relying on installed one. Fixes test failures in -portable + when running tests prior to installation. + + OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685 -commit cfa66857db90cd908de131e0041a50ffc17c7df8 -Author: djm@openbsd.org -Date: Mon Aug 28 09:52:09 2023 +0000 +commit e9fc2c48121cada1b4dcc5dadea5d447fe0093c3 +Author: Darren Tucker +Date: Wed Nov 1 13:11:31 2023 +1100 - upstream: descriptive text shouldn't be under .Cm + Put long-running test targets on hipri runners. - OpenBSD-Commit-ID: b1afaeb456a52bc8a58f4f9f8b2f9fa8f6bf651b + Some of the selfhosted test targets take a long time to run for various + reasons, so label them for "libvirt-hipri" runners so that they can + start immediately. This should reduce the time to complete all tests. -commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec +commit 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2 Author: djm@openbsd.org -Date: Mon Aug 28 09:48:11 2023 +0000 +Date: Wed Nov 1 00:29:46 2023 +0000 - upstream: limit artificial login delay to a reasonable maximum (5s) + upstream: add some tests of forced commands overriding Subsystem - and don't delay at all for the "none" authentication mechanism. Patch by - Dmitry Belyavskiy in bz3602 with polish/ok dtucker@ + directives - OpenBSD-Commit-ID: 85b364676dd84cf1de0e98fc2fbdcb1a844ce515 + OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b -commit 528da5b9d7c5da01ed7a73ff21c722e1b5326006 -Author: jmc@openbsd.org -Date: Mon Aug 28 05:32:28 2023 +0000 +commit fb06f9b5a065dfbbef5916fc4accc03c0bf026dd *** 20737 LINES SKIPPED ***