D28624.diff
No OneTemporary
Actions

Size

41 KB

Referenced Files

None

Subscribers

None

D28624.diff
View Options

	Index: INSTALL
	===================================================================
	--- INSTALL
	+++ INSTALL
	@@ -79,6 +79,15 @@

	http://www.jmknoble.net/software/x11-ssh-askpass/

	+TCP Wrappers:
	+
	+If you wish to use the TCP wrappers functionality you will need at least
	+tcpd.h and libwrap.a, either in the standard include and library paths,
	+or in the directory specified by --with-tcp-wrappers. Version 7.6 is
	+known to work.
	+
	+http://ftp.porcupine.org/pub/security/index.html
	+
	LibEdit:

	sftp supports command-line editing via NetBSD's libedit. If your platform
	@@ -197,6 +206,9 @@
	--with-osfsia, --without-osfsia will enable or disable OSF1's Security
	Integration Architecture. The default for OSF1 machines is enable.

	+--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow\|deny)
	+support.
	+
	--with-md5-passwords will enable the use of MD5 passwords. Enable this
	if your operating system uses MD5 passwords and the system crypt() does
	not support them directly (see the crypt(3/3c) man page). If enabled, the
	Index: auth-pam.c
	===================================================================
	--- auth-pam.c
	+++ auth-pam.c
	@@ -105,6 +105,7 @@
	#include "ssh-gss.h"
	#endif
	#include "monitor_wrap.h"
	+#include "blacklist_client.h"

	extern ServerOptions options;
	extern struct sshbuf *loginmsg;
	@@ -922,6 +923,8 @@
	sshbuf_free(buffer);
	return (0);
	}
	+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER,
	+ sshpam_authctxt->user);
	error("PAM: %s for %s%.100s from %.100s", msg,
	sshpam_authctxt->valid ? "" : "illegal user ",
	sshpam_authctxt->user, sshpam_rhost);
	Index: auth.c
	===================================================================
	--- auth.c
	+++ auth.c
	@@ -24,6 +24,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/stat.h>
	@@ -76,6 +77,7 @@
	#include "ssherr.h"
	#include "compat.h"
	#include "channels.h"
	+#include "blacklist_client.h"

	/* import */
	extern ServerOptions options;
	@@ -331,8 +333,11 @@
	authmsg = "Postponed";
	else if (partial)
	authmsg = "Partial";
	- else
	+ else {
	authmsg = authenticated ? "Accepted" : "Failed";
	+ if (authenticated)
	+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_OK, "ssh");
	+ }

	if ((extra = format_method_key(authctxt)) == NULL) {
	if (authctxt->auth_method_info != NULL)
	@@ -565,6 +570,9 @@
	{
	#ifdef HAVE_LOGIN_CAP
	extern login_cap_t *lc;
	+#ifdef HAVE_AUTH_HOSTOK
	+ const char from_host, from_ip;
	+#endif
	#ifdef BSD_AUTH
	auth_session_t *as;
	#endif
	@@ -592,6 +600,7 @@
	aix_restoreauthdb();
	#endif
	if (pw == NULL) {
	+ BLACKLIST_NOTIFY(BLACKLIST_BAD_USER, user);
	logit("Invalid user %.100s from %.100s port %d",
	user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
	#ifdef CUSTOM_FAILED_LOGIN
	@@ -610,6 +619,21 @@
	debug("unable to get login class: %s", user);
	return (NULL);
	}
	+#ifdef HAVE_AUTH_HOSTOK
	+ from_host = auth_get_canonical_hostname(ssh, options.use_dns);
	+ from_ip = ssh_remote_ipaddr(ssh);
	+ if (!auth_hostok(lc, from_host, from_ip)) {
	+ debug("Denied connection for %.200s from %.200s [%.200s].",
	+ pw->pw_name, from_host, from_ip);
	+ return (NULL);
	+ }
	+#endif /* HAVE_AUTH_HOSTOK */
	+#ifdef HAVE_AUTH_TIMEOK
	+ if (!auth_timeok(lc, time(NULL))) {
	+ debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
	+ return (NULL);
	+ }
	+#endif /* HAVE_AUTH_TIMEOK */
	#ifdef BSD_AUTH
	if ((as = auth_open()) == NULL \|\| auth_setpwd(as, pw) != 0 \|\|
	auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
	Index: auth2.c
	===================================================================
	--- auth2.c
	+++ auth2.c
	@@ -24,6 +24,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/stat.h>
	@@ -53,6 +54,7 @@
	#include "dispatch.h"
	#include "pathnames.h"
	#include "ssherr.h"
	+#include "blacklist_client.h"
	#ifdef GSSAPI
	#include "ssh-gss.h"
	#endif
	@@ -421,8 +423,10 @@
	} else {
	/* Allow initial try of "none" auth without failure penalty */
	if (!partial && !authctxt->server_caused_failure &&
	- (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0))
	+ (authctxt->attempt > 1 \|\| strcmp(method, "none") != 0)) {
	authctxt->failures++;
	+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
	+ }
	if (authctxt->failures >= options.max_authtries) {
	#ifdef SSH_AUDIT_EVENTS
	PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
	Index: configure.ac
	===================================================================
	--- configure.ac
	+++ configure.ac
	@@ -1576,6 +1576,61 @@
	AC_MSG_RESULT([no])
	fi

	+# Check whether user wants TCP wrappers support
	+TCPW_MSG="no"
	+AC_ARG_WITH([tcp-wrappers],
	+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
	+ [
	+ if test "x$withval" != "xno" ; then
	+ saved_LIBS="$LIBS"
	+ saved_LDFLAGS="$LDFLAGS"
	+ saved_CPPFLAGS="$CPPFLAGS"
	+ if test -n "${withval}" && \
	+ test "x${withval}" != "xyes"; then
	+ if test -d "${withval}/lib"; then
	+ if test -n "${need_dash_r}"; then
	+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
	+ else
	+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
	+ fi
	+ else
	+ if test -n "${need_dash_r}"; then
	+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
	+ else
	+ LDFLAGS="-L${withval} ${LDFLAGS}"
	+ fi
	+ fi
	+ if test -d "${withval}/include"; then
	+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
	+ else
	+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
	+ fi
	+ fi
	+ LIBS="-lwrap $LIBS"
	+ AC_MSG_CHECKING([for libwrap])
	+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
	+#include <sys/types.h>
	+#include <sys/socket.h>
	+#include <netinet/in.h>
	+#include <tcpd.h>
	+int deny_severity = 0, allow_severity = 0;
	+ ]], [[
	+ hosts_access(0);
	+ ]])], [
	+ AC_MSG_RESULT([yes])
	+ AC_DEFINE([LIBWRAP], [1],
	+ [Define if you want
	+ TCP Wrappers support])
	+ SSHDLIBS="$SSHDLIBS -lwrap"
	+ TCPW_MSG="yes"
	+ ], [
	+ AC_MSG_ERROR([*** libwrap missing])
	+ ])
	+ LIBS="$saved_LIBS"
	+ fi
	+ ]
	+)
	+
	# Check whether user wants to use ldns
	LDNS_MSG="no"
	AC_ARG_WITH(ldns,
	@@ -1794,6 +1849,8 @@

	dnl Checks for library functions. Please keep in alphabetical order
	AC_CHECK_FUNCS([ \
	+ auth_hostok \
	+ auth_timeok \
	Blowfish_initstate \
	Blowfish_expandstate \
	Blowfish_expand0state \
	@@ -5560,6 +5617,7 @@
	echo " OSF SIA support: $SIA_MSG"
	echo " KerberosV support: $KRB5_MSG"
	echo " SELinux support: $SELINUX_MSG"
	+echo " TCP Wrappers support: $TCPW_MSG"
	echo " MD5 password support: $MD5_MSG"
	echo " libedit support: $LIBEDIT_MSG"
	echo " libldns support: $LDNS_MSG"
	Index: packet.c
	===================================================================
	--- packet.c
	+++ packet.c
	@@ -38,6 +38,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include "openbsd-compat/sys-queue.h"
	@@ -96,6 +97,7 @@
	#include "packet.h"
	#include "ssherr.h"
	#include "sshbuf.h"
	+#include "blacklist_client.h"

	#ifdef PACKET_DEBUG
	#define DBG(x) x
	@@ -1874,6 +1876,7 @@
	case SSH_ERR_NO_KEX_ALG_MATCH:
	case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
	if (ssh && ssh->kex && ssh->kex->failed_choice) {
	+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
	ssh_packet_clear_keys(ssh);
	errno = oerrno;
	logdie("Unable to negotiate with %s: %s. "
	Index: pathnames.h
	===================================================================
	--- pathnames.h
	+++ pathnames.h
	@@ -1,4 +1,5 @@
	/* $OpenBSD: pathnames.h,v 1.31 2019/11/12 19:33:08 markus Exp $ */
	+/* $FreeBSD$ */

	/*
	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	@@ -121,7 +122,7 @@
	* Default location of askpass
	*/
	#ifndef _PATH_SSH_ASKPASS_DEFAULT
	-#define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass"
	+#define _PATH_SSH_ASKPASS_DEFAULT "/usr/local/bin/ssh-askpass"
	#endif

	/* Location of ssh-keysign for hostbased authentication */
	@@ -141,7 +142,7 @@

	/* xauth for X11 forwarding */
	#ifndef _PATH_XAUTH
	-#define _PATH_XAUTH "/usr/X11R6/bin/xauth"
	+#define _PATH_XAUTH "/usr/local/bin/xauth"
	#endif

	/* UNIX domain socket for X11 server; displaynum will replace %u */
	Index: readconf.h
	===================================================================
	--- readconf.h
	+++ readconf.h
	@@ -1,4 +1,5 @@
	/* $OpenBSD: readconf.h,v 1.144 2021/07/23 04:04:52 djm Exp $ */
	+/* $FreeBSD$ */

	/*
	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	@@ -169,6 +170,8 @@
	char *hostbased_accepted_algos;
	char *pubkey_accepted_algos;

	+ char version_addendum; / Appended to SSH banner */
	+
	char *jump_user;
	char *jump_host;
	int jump_port;
	Index: readconf.c
	===================================================================
	--- readconf.c
	+++ readconf.c
	@@ -13,6 +13,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/stat.h>
	@@ -67,6 +68,7 @@
	#include "uidswap.h"
	#include "myproposal.h"
	#include "digest.h"
	+#include "version.h"

	/* Format of the configuration file:

	@@ -141,6 +143,7 @@

	typedef enum {
	oBadOption,
	+ oVersionAddendum,
	oHost, oMatch, oInclude,
	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
	oGatewayPorts, oExitOnForwardFailure,
	@@ -321,6 +324,14 @@
	{ "securitykeyprovider", oSecurityKeyProvider },
	{ "knownhostscommand", oKnownHostsCommand },

	+ { "hpndisabled", oDeprecated },
	+ { "hpnbuffersize", oDeprecated },
	+ { "tcprcvbufpoll", oDeprecated },
	+ { "tcprcvbuf", oDeprecated },
	+ { "noneenabled", oUnsupported },
	+ { "noneswitch", oUnsupported },
	+ { "versionaddendum", oVersionAddendum },
	+
	{ NULL, oBadOption }
	};

	@@ -1964,6 +1975,22 @@
	intptr = &options->fork_after_authentication;
	goto parse_flag;

	+ case oVersionAddendum:
	+ if (str == NULL)
	+ fatal("%.200s line %d: Missing argument.", filename,
	+ linenum);
	+ len = strspn(str, WHITESPACE);
	+ if (*activep && options->version_addendum == NULL) {
	+ if (strcasecmp(str + len, "none") == 0)
	+ options->version_addendum = xstrdup("");
	+ else if (strchr(str + len, '\r') != NULL)
	+ fatal("%.200s line %d: Invalid argument",
	+ filename, linenum);
	+ else
	+ options->version_addendum = xstrdup(str + len);
	+ }
	+ return 0;
	+
	case oIgnoreUnknown:
	charptr = &options->ignored_unknown;
	goto parse_string;
	@@ -2291,6 +2318,7 @@
	initialize_options(Options * options)
	{
	memset(options, 'X', sizeof(*options));
	+ options->version_addendum = NULL;
	options->forward_agent = -1;
	options->forward_agent_sock_path = NULL;
	options->forward_x11 = -1;
	@@ -2545,8 +2573,14 @@
	options->rekey_limit = 0;
	if (options->rekey_interval == -1)
	options->rekey_interval = 0;
	+#if HAVE_LDNS
	+ if (options->verify_host_key_dns == -1)
	+ /* automatically trust a verified SSHFP record */
	+ options->verify_host_key_dns = 1;
	+#else
	if (options->verify_host_key_dns == -1)
	options->verify_host_key_dns = 0;
	+#endif
	if (options->server_alive_interval == -1)
	options->server_alive_interval = 0;
	if (options->server_alive_count_max == -1)
	@@ -2653,6 +2687,8 @@
	/* options->hostname will be set in the main program if appropriate */
	/* options->host_key_alias should not be set by default */
	/* options->preferred_authentications will be set in ssh */
	+ if (options->version_addendum == NULL)
	+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);

	/* success */
	ret = 0;
	Index: regress/unittests/sshkey/test_sshkey.c
	===================================================================
	--- regress/unittests/sshkey/test_sshkey.c
	+++ regress/unittests/sshkey/test_sshkey.c
	@@ -9,6 +9,7 @@

	#include <sys/types.h>
	#include <sys/param.h>
	+#include <paths.h>
	#include <stdio.h>
	#ifdef HAVE_STDINT_H
	#include <stdint.h>
	@@ -80,7 +81,7 @@

	critopts = sshbuf_new();
	ASSERT_PTR_NE(critopts, NULL);
	- put_opt(critopts, "force-command", "/usr/local/bin/nethack");
	+ put_opt(critopts, "force-command", _PATH_LOCALBASE "/bin/nethack");
	put_opt(critopts, "source-address", "192.168.0.0/24,127.0.0.1,::1");

	exts = sshbuf_new();
	Index: sandbox-capsicum.c
	===================================================================
	--- sandbox-capsicum.c
	+++ sandbox-capsicum.c
	@@ -15,6 +15,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#ifdef SANDBOX_CAPSICUM

	@@ -30,6 +31,7 @@
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	+#include <capsicum_helpers.h>

	#include "log.h"
	#include "monitor.h"
	@@ -70,6 +72,8 @@
	struct rlimit rl_zero;
	cap_rights_t rights;

	+ caph_cache_tzdata();
	+
	rl_zero.rlim_cur = rl_zero.rlim_max = 0;

	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
	Index: servconf.h
	===================================================================
	--- servconf.h
	+++ servconf.h
	@@ -229,6 +229,7 @@
	int expose_userauth_info;
	u_int64_t timing_secret;
	char *sk_provider;
	+ int use_blacklist;
	} ServerOptions;

	/* Information about the incoming connection as used by Match */
	Index: servconf.c
	===================================================================
	--- servconf.c
	+++ servconf.c
	@@ -12,6 +12,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/socket.h>
	@@ -70,6 +71,7 @@
	#include "auth.h"
	#include "myproposal.h"
	#include "digest.h"
	+#include "version.h"

	static void add_listen_addr(ServerOptions , const char ,
	const char *, int);
	@@ -195,6 +197,7 @@
	options->fingerprint_hash = -1;
	options->disable_forwarding = -1;
	options->expose_userauth_info = -1;
	+ options->use_blacklist = -1;
	}

	/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
	@@ -247,12 +250,16 @@
	free(def_sig);
	}

	+static const char *defaultkey = "[default]";
	+
	void
	servconf_add_hostkey(const char *file, const int line,
	ServerOptions options, const char path, int userprovided)
	{
	char *apath = derelativise_path(path);

	+ if (file == defaultkey && access(path, R_OK) != 0)
	+ return;
	opt_array_append2(file, line, "HostKey",
	&options->host_key_files, &options->host_key_file_userprovided,
	&options->num_host_key_files, apath, userprovided);
	@@ -277,24 +284,26 @@

	/* Portable-specific options */
	if (options->use_pam == -1)
	- options->use_pam = 0;
	+ options->use_pam = 1;

	/* Standard Options */
	if (options->num_host_key_files == 0) {
	/* fill default hostkeys for protocols */
	- servconf_add_hostkey("[default]", 0, options,
	+ servconf_add_hostkey(defaultkey, 0, options,
	_PATH_HOST_RSA_KEY_FILE, 0);
	#ifdef OPENSSL_HAS_ECC
	- servconf_add_hostkey("[default]", 0, options,
	+ servconf_add_hostkey(defaultkey, 0, options,
	_PATH_HOST_ECDSA_KEY_FILE, 0);
	#endif
	- servconf_add_hostkey("[default]", 0, options,
	+ servconf_add_hostkey(defaultkey, 0, options,
	_PATH_HOST_ED25519_KEY_FILE, 0);
	#ifdef WITH_XMSS
	- servconf_add_hostkey("[default]", 0, options,
	+ servconf_add_hostkey(defaultkey, 0, options,
	_PATH_HOST_XMSS_KEY_FILE, 0);
	#endif /* WITH_XMSS */
	}
	+ if (options->num_host_key_files == 0)
	+ fatal("No host key files found");
	/* No certificates by default */
	if (options->num_ports == 0)
	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	@@ -309,7 +318,7 @@
	if (options->login_grace_time == -1)
	options->login_grace_time = 120;
	if (options->permit_root_login == PERMIT_NOT_SET)
	- options->permit_root_login = PERMIT_NO_PASSWD;
	+ options->permit_root_login = PERMIT_NO;
	if (options->ignore_rhosts == -1)
	options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
	@@ -319,7 +328,7 @@
	if (options->print_lastlog == -1)
	options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
	- options->x11_forwarding = 0;
	+ options->x11_forwarding = 1;
	if (options->x11_display_offset == -1)
	options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
	@@ -361,7 +370,7 @@
	if (options->gss_strict_acceptor == -1)
	options->gss_strict_acceptor = 1;
	if (options->password_authentication == -1)
	- options->password_authentication = 1;
	+ options->password_authentication = 0;
	if (options->kbd_interactive_authentication == -1)
	options->kbd_interactive_authentication = 1;
	if (options->permit_empty_passwd == -1)
	@@ -406,17 +415,17 @@
	if (options->max_sessions == -1)
	options->max_sessions = DEFAULT_SESSIONS_MAX;
	if (options->use_dns == -1)
	- options->use_dns = 0;
	+ options->use_dns = 1;
	if (options->client_alive_interval == -1)
	options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
	options->client_alive_count_max = 3;
	if (options->num_authkeys_files == 0) {
	- opt_array_append("[default]", 0, "AuthorizedKeysFiles",
	+ opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
	&options->authorized_keys_files,
	&options->num_authkeys_files,
	_PATH_SSH_USER_PERMITTED_KEYS);
	- opt_array_append("[default]", 0, "AuthorizedKeysFiles",
	+ opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
	&options->authorized_keys_files,
	&options->num_authkeys_files,
	_PATH_SSH_USER_PERMITTED_KEYS2);
	@@ -428,7 +437,7 @@
	if (options->ip_qos_bulk == -1)
	options->ip_qos_bulk = IPTOS_DSCP_CS1;
	if (options->version_addendum == NULL)
	- options->version_addendum = xstrdup("");
	+ options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
	options->fwd_opts.streamlocal_bind_mask = 0177;
	if (options->fwd_opts.streamlocal_bind_unlink == -1)
	@@ -441,6 +450,8 @@
	options->expose_userauth_info = 0;
	if (options->sk_provider == NULL)
	options->sk_provider = xstrdup("internal");
	+ if (options->use_blacklist == -1)
	+ options->use_blacklist = 0;

	assemble_algorithms(options);

	@@ -518,6 +529,7 @@
	sStreamLocalBindMask, sStreamLocalBindUnlink,
	sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
	sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
	+ sUseBlacklist,
	sDeprecated, sIgnore, sUnsupported
	} ServerOpCodes;

	@@ -677,6 +689,12 @@
	{ "rdomain", sRDomain, SSHCFG_ALL },
	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
	+ { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
	+ { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
	+ { "noneenabled", sUnsupported, SSHCFG_ALL },
	+ { "hpndisabled", sDeprecated, SSHCFG_ALL },
	+ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
	+ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
	{ NULL, sBadOption, 0 }
	};

	@@ -2436,6 +2454,10 @@
	*charptr = xstrdup(arg);
	break;

	+ case sUseBlacklist:
	+ intptr = &options->use_blacklist;
	+ goto parse_flag;
	+
	case sDeprecated:
	case sIgnore:
	case sUnsupported:
	@@ -2917,6 +2939,7 @@
	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
	dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
	+ dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);

	/* string arguments */
	dump_cfg_string(sPidFile, o->pid_file);
	Index: session.c
	===================================================================
	--- session.c
	+++ session.c
	@@ -34,6 +34,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/param.h>
	@@ -990,6 +991,9 @@
	struct passwd *pw = s->pw;
	#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
	char *path = NULL;
	+#else
	+ extern char **environ;
	+ char senv, var, *val;
	#endif

	/* Initialize the environment. */
	@@ -1011,6 +1015,9 @@
	}
	#endif

	+ if (getenv("TZ"))
	+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
	+
	#ifdef GSSAPI
	/* Allow any GSSAPI methods that we've used to alter
	* the child's environment as they see fit
	@@ -1028,11 +1035,30 @@
	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
	#endif
	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
	+ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
	+ child_set_env(&env, &envsize, "MAIL", buf);
	#ifdef HAVE_LOGIN_CAP
	- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
	- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
	- else
	- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
	+ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
	+ child_set_env(&env, &envsize, "TERM", "su");
	+ /*
	+ * Temporarily swap out our real environment with an empty one,
	+ * let setusercontext() apply any environment variables defined
	+ * for the user's login class, copy those variables to the child,
	+ * free the temporary environment, and restore the original.
	+ */
	+ senv = environ;
	+ environ = xmalloc(sizeof(*environ));
	+ *environ = NULL;
	+ (void)setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV\|LOGIN_SETPATH);
	+ for (var = environ; *var != NULL; ++var) {
	+ if ((val = strchr(*var, '=')) != NULL) {
	+ *val++ = '\0';
	+ child_set_env(&env, &envsize, *var, val);
	+ }
	+ free(*var);
	+ }
	+ free(environ);
	+ environ = senv;
	#else /* HAVE_LOGIN_CAP */
	# ifndef HAVE_CYGWIN
	/*
	@@ -1061,8 +1087,6 @@
	/* Normal systems set SHELL by default. */
	child_set_env(&env, &envsize, "SHELL", shell);

	- if (getenv("TZ"))
	- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
	if (s->term)
	child_set_env(&env, &envsize, "TERM", s->term);
	if (s->display)
	@@ -1275,7 +1299,8 @@
	do_nologin(struct passwd *pw)
	{
	FILE *f = NULL;
	- char buf[1024], nl, def_nl = _PATH_NOLOGIN;
	+ const char *nl;
	+ char buf[1024], *def_nl = _PATH_NOLOGIN;
	struct stat sb;

	#ifdef HAVE_LOGIN_CAP
	@@ -1365,7 +1390,7 @@
	if (platform_privileged_uidswap()) {
	#ifdef HAVE_LOGIN_CAP
	if (setusercontext(lc, pw, pw->pw_uid,
	- (LOGIN_SETALL & ~(LOGIN_SETPATH\|LOGIN_SETUSER))) < 0) {
	+ (LOGIN_SETALL & ~(LOGIN_SETENV\|LOGIN_SETPATH\|LOGIN_SETUSER))) < 0) {
	perror("unable to set user context");
	exit(1);
	}
	Index: ssh-agent.1
	===================================================================
	--- ssh-agent.1
	+++ ssh-agent.1
	@@ -1,4 +1,5 @@
	.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
	+.\" $FreeBSD$
	.\"
	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	@@ -43,7 +44,7 @@
	.Sh SYNOPSIS
	.Nm ssh-agent
	.Op Fl c \| s
	-.Op Fl \&Dd
	+.Op Fl \&Ddx
	.Op Fl a Ar bind_address
	.Op Fl E Ar fingerprint_hash
	.Op Fl P Ar allowed_providers
	@@ -135,6 +136,8 @@
	this is executed as a subprocess of the agent.
	The agent exits automatically when the command given on the command
	line terminates.
	+.It Fl x
	+Exit after the last client has disconnected.
	.El
	.Pp
	There are two main ways to get an agent set up.
	Index: ssh-agent.c
	===================================================================
	--- ssh-agent.c
	+++ ssh-agent.c
	@@ -35,6 +35,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/param.h>
	@@ -171,9 +172,26 @@
	/* Refuse signing of non-SSH messages for web-origin FIDO keys */
	static int restrict_websafe = 1;

	+/*
	+ * Client connection count; incremented in new_socket() and decremented in
	+ * close_socket(). When it reaches 0, ssh-agent will exit. Since it is
	+ * normally initialized to 1, it will never reach 0. However, if the -x
	+ * option is specified, it is initialized to 0 in main(); in that case,
	+ * ssh-agent will exit as soon as it has had at least one client but no
	+ * longer has any.
	+ */
	+static int xcount = 1;
	+
	static void
	close_socket(SocketEntry *e)
	{
	+ int last = 0;
	+
	+ if (e->type == AUTH_CONNECTION) {
	+ debug("xcount %d -> %d", xcount, xcount - 1);
	+ if (--xcount == 0)
	+ last = 1;
	+ }
	close(e->fd);
	sshbuf_free(e->input);
	sshbuf_free(e->output);
	@@ -181,6 +199,8 @@
	memset(e, '\0', sizeof(*e));
	e->fd = -1;
	e->type = AUTH_UNUSED;
	+ if (last)
	+ cleanup_exit(0);
	}

	static void
	@@ -1067,6 +1087,10 @@

	debug_f("type = %s", type == AUTH_CONNECTION ? "CONNECTION" :
	(type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
	+ if (type == AUTH_CONNECTION) {
	+ debug("xcount %d -> %d", xcount, xcount + 1);
	+ ++xcount;
	+ }
	set_nonblock(fd);

	if (fd > max_fd)
	@@ -1360,7 +1384,7 @@
	usage(void)
	{
	fprintf(stderr,
	- "usage: ssh-agent [-c \| -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
	+ "usage: ssh-agent [-c \| -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n"
	" [-P allowed_providers] [-t life]\n"
	" ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
	" [-t life] command [arg ...]\n"
	@@ -1394,6 +1418,7 @@
	/* drop */
	setegid(getgid());
	setgid(getgid());
	+ setuid(geteuid());

	platform_disable_tracing(0); /* strict=no */

	@@ -1405,7 +1430,7 @@
	__progname = ssh_get_progname(av[0]);
	seed_rng();

	- while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
	+ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:x")) != -1) {
	switch (ch) {
	case 'E':
	fingerprint_hash = ssh_digest_alg_by_name(optarg);
	@@ -1455,6 +1480,9 @@
	usage();
	}
	break;
	+ case 'x':
	+ xcount = 0;
	+ break;
	default:
	usage();
	}
	Index: ssh-gss.h
	===================================================================
	--- ssh-gss.h
	+++ ssh-gss.h
	@@ -1,4 +1,5 @@
	/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
	+/* $FreeBSD$ */
	/*
	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
	*
	@@ -28,10 +29,10 @@

	#ifdef GSSAPI

	-#ifdef HAVE_GSSAPI_H
	-#include <gssapi.h>
	-#elif defined(HAVE_GSSAPI_GSSAPI_H)
	+#ifdef HAVE_GSSAPI_GSSAPI_H
	#include <gssapi/gssapi.h>
	+#elif defined(HAVE_GSSAPI_H)
	+#include <gssapi.h>
	#endif

	#ifdef KRB5
	Index: ssh.1
	===================================================================
	--- ssh.1
	+++ ssh.1
	@@ -34,6 +34,7 @@
	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	.\"
	.\" $OpenBSD: ssh.1,v 1.425 2021/07/28 05:57:42 jmc Exp $
	+.\" $FreeBSD$
	.Dd $Mdocdate: July 28 2021 $
	.Dt SSH 1
	.Os
	@@ -575,6 +576,7 @@
	.It User
	.It UserKnownHostsFile
	.It VerifyHostKeyDNS
	+.It VersionAddendum
	.It VisualHostKey
	.It XAuthLocation
	.El
	Index: ssh.c
	===================================================================
	--- ssh.c
	+++ ssh.c
	@@ -41,6 +41,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#ifdef HAVE_SYS_STAT_H
	@@ -871,8 +872,14 @@
	}
	break;
	case 'V':
	- fprintf(stderr, "%s, %s\n",
	- SSH_RELEASE, SSH_OPENSSL_VERSION);
	+ if (options.version_addendum &&
	+ *options.version_addendum != '\0')
	+ fprintf(stderr, "%s %s, %s\n", SSH_RELEASE,
	+ options.version_addendum,
	+ OPENSSL_VERSION_STRING);
	+ else
	+ fprintf(stderr, "%s, %s\n", SSH_RELEASE,
	+ OPENSSL_VERSION_STRING);
	if (opt == 'V')
	exit(0);
	break;
	@@ -1139,7 +1146,8 @@
	!use_syslog);

	if (debug_flag)
	- logit("%s, %s", SSH_RELEASE, SSH_OPENSSL_VERSION);
	+ /* version_addendum is always NULL at this point */
	+ logit("%s, %s", SSH_RELEASE, OPENSSL_VERSION_STRING);

	/* Parse the configuration files */
	process_config_files(host_arg, pw, 0, &want_final_pass);
	@@ -1372,6 +1380,23 @@
	cinfo->homedir = xstrdup(pw->pw_dir);
	cinfo->locuser = xstrdup(pw->pw_name);

	+ /* Find canonic host name. */
	+ if (strchr(host, '.') == 0) {
	+ struct addrinfo hints;
	+ struct addrinfo *ai = NULL;
	+ int errgai;
	+ memset(&hints, 0, sizeof(hints));
	+ hints.ai_family = options.address_family;
	+ hints.ai_flags = AI_CANONNAME;
	+ hints.ai_socktype = SOCK_STREAM;
	+ errgai = getaddrinfo(host, NULL, &hints, &ai);
	+ if (errgai == 0) {
	+ if (ai->ai_canonname != NULL)
	+ host = xstrdup(ai->ai_canonname);
	+ freeaddrinfo(ai);
	+ }
	+ }
	+
	/*
	* Expand tokens in arguments. NB. LocalCommand is expanded later,
	* after port-forwarding is set up, so it may pick up any local
	Index: ssh_config
	===================================================================
	--- ssh_config
	+++ ssh_config
	@@ -1,4 +1,5 @@
	# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
	+# $FreeBSD$

	# This is the ssh client system-wide configuration file. See
	# ssh_config(5) for more information. This file provides defaults for
	@@ -25,7 +26,7 @@
	# GSSAPIAuthentication no
	# GSSAPIDelegateCredentials no
	# BatchMode no
	-# CheckHostIP yes
	+# CheckHostIP no
	# AddressFamily any
	# ConnectTimeout 0
	# StrictHostKeyChecking ask
	@@ -44,3 +45,5 @@
	# ProxyCommand ssh -q -W %h:%p gateway.example.com
	# RekeyLimit 1G 1h
	# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
	+# VerifyHostKeyDNS yes
	+# VersionAddendum FreeBSD-20210907
	Index: ssh_config.5
	===================================================================
	--- ssh_config.5
	+++ ssh_config.5
	@@ -34,6 +34,7 @@
	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	.\"
	.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
	+.\" $FreeBSD$
	.Dd $Mdocdate: August 12 2021 $
	.Dt SSH_CONFIG 5
	.Os
	@@ -430,7 +431,7 @@
	authentication.
	.It Cm CheckHostIP
	If set to
	-.Cm yes
	+.Cm yes ,
	.Xr ssh 1
	will additionally check the host IP address in the
	.Pa known_hosts
	@@ -444,6 +445,8 @@
	.Cm no
	(the default),
	the check will not be executed.
	+The default is
	+.Cm no .
	.It Cm Ciphers
	Specifies the ciphers allowed and their order of preference.
	Multiple ciphers must be comma-separated.
	@@ -1953,12 +1956,23 @@
	.Cm StrictHostKeyChecking
	option.
	The default is
	-.Cm no .
	+.Cm yes
	+if compiled with LDNS and
	+.Cm no
	+otherwise.
	.Pp
	See also
	.Sx VERIFYING HOST KEYS
	in
	.Xr ssh 1 .
	+.It Cm VersionAddendum
	+Specifies a string to append to the regular version string to identify
	+OS- or site-specific modifications.
	+The default is
	+.Dq FreeBSD-20210907 .
	+The value
	+.Cm none
	+may be used to disable this.
	.It Cm VisualHostKey
	If this flag is set to
	.Cm yes ,
	@@ -1975,7 +1989,7 @@
	.Xr xauth 1
	program.
	The default is
	-.Pa /usr/X11R6/bin/xauth .
	+.Pa /usr/local/bin/xauth .
	.El
	.Sh PATTERNS
	A
	Index: sshconnect.c
	===================================================================
	--- sshconnect.c
	+++ sshconnect.c
	@@ -14,6 +14,7 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/wait.h>
	@@ -1553,7 +1554,8 @@
	lowercase(host);

	/* Exchange protocol version identification strings with the server. */
	- if ((r = kex_exchange_identification(ssh, timeout_ms, NULL)) != 0)
	+ if ((r = kex_exchange_identification(ssh, timeout_ms,
	+ options.version_addendum)) != 0)
	sshpkt_fatal(ssh, r, "banner exchange");

	/* Put the connection into non-blocking mode. */
	Index: sshd.8
	===================================================================
	--- sshd.8
	+++ sshd.8
	@@ -34,6 +34,7 @@
	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	.\"
	.\" $OpenBSD: sshd.8,v 1.316 2021/07/30 14:28:13 jmc Exp $
	+.\" $FreeBSD$
	.Dd $Mdocdate: July 30 2021 $
	.Dt SSHD 8
	.Os
	@@ -64,7 +65,7 @@
	.Nm
	listens for connections from clients.
	It is normally started at boot from
	-.Pa /etc/rc .
	+.Pa /etc/rc.d/sshd .
	It forks a new
	daemon for each incoming connection.
	The forked daemons handle
	@@ -330,8 +331,9 @@
	If the login is on a tty, records login time.
	.It
	Checks
	-.Pa /etc/nologin ;
	-if it exists, prints contents and quits
	+.Pa /etc/nologin and
	+.Pa /var/run/nologin ;
	+if one exists, it prints the contents and quits
	(unless root).
	.It
	Changes to run with normal user privileges.
	@@ -903,6 +905,12 @@
	This file should be writable only by the user, and need not be
	readable by anyone else.
	.Pp
	+.It Pa /etc/hosts.allow
	+.It Pa /etc/hosts.deny
	+Access controls that should be enforced by tcp-wrappers are defined here.
	+Further details are described in
	+.Xr hosts_access 5 .
	+.Pp
	.It Pa /etc/hosts.equiv
	This file is for host-based authentication (see
	.Xr ssh 1 ) .
	@@ -1005,6 +1013,7 @@
	.Xr ssh-keygen 1 ,
	.Xr ssh-keyscan 1 ,
	.Xr chroot 2 ,
	+.Xr hosts_access 5 ,
	.Xr login.conf 5 ,
	.Xr moduli 5 ,
	.Xr sshd_config 5 ,
	Index: sshd.c
	===================================================================
	--- sshd.c
	+++ sshd.c
	@@ -43,9 +43,11 @@
	*/

	#include "includes.h"
	+__RCSID("$FreeBSD$");

	#include <sys/types.h>
	#include <sys/ioctl.h>
	+#include <sys/mman.h>
	#include <sys/socket.h>
	#ifdef HAVE_SYS_STAT_H
	# include <sys/stat.h>
	@@ -85,6 +87,15 @@
	#include <prot.h>
	#endif

	+#ifdef __FreeBSD__
	+#include <resolv.h>
	+#if defined(GSSAPI) && defined(HAVE_GSSAPI_GSSAPI_H)
	+#include <gssapi/gssapi.h>
	+#elif defined(GSSAPI) && defined(HAVE_GSSAPI_H)
	+#include <gssapi.h>
	+#endif
	+#endif
	+
	#include "xmalloc.h"
	#include "ssh.h"
	#include "ssh2.h"
	@@ -125,6 +136,14 @@
	#include "sk-api.h"
	#include "srclimit.h"
	#include "dh.h"
	+#include "blacklist_client.h"
	+
	+#ifdef LIBWRAP
	+#include <tcpd.h>
	+#include <syslog.h>
	+int allow_severity;
	+int deny_severity;
	+#endif /* LIBWRAP */

	/* Re-exec fds */
	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
	@@ -366,6 +385,8 @@
	kill(0, SIGTERM);
	}

	+ BLACKLIST_NOTIFY(BLACKLIST_AUTH_FAIL, "ssh");
	+
	/* Log error and exit. */
	if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
	cleanup_exit(255); /* don't log in privsep child */
	@@ -903,7 +924,13 @@
	static void
	usage(void)
	{
	- fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSH_OPENSSL_VERSION);
	+ if (options.version_addendum && *options.version_addendum != '\0')
	+ fprintf(stderr, "%s %s, %s\n",
	+ SSH_RELEASE,
	+ options.version_addendum, OPENSSL_VERSION_STRING);
	+ else
	+ fprintf(stderr, "%s, %s\n",
	+ SSH_RELEASE, OPENSSL_VERSION_STRING);
	fprintf(stderr,
	"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
	" [-E log_file] [-f config_file] [-g login_grace_time]\n"
	@@ -2032,6 +2059,10 @@
	/* Reinitialize the log (because of the fork above). */
	log_init(__progname, options.log_level, options.log_facility, log_stderr);

	+ /* Avoid killing the process in high-pressure swapping environments. */
	+ if (!inetd_flag && madvise(NULL, 0, MADV_PROTECT) != 0)
	+ debug("madvise(): %.200s", strerror(errno));
	+
	/*
	* Chdir to the root directory so that the current disk can be
	* unmounted if desired.
	@@ -2139,6 +2170,29 @@
	ssh_signal(SIGCHLD, SIG_DFL);
	ssh_signal(SIGINT, SIG_DFL);

	+#ifdef __FreeBSD__
	+ /*
	+ * Initialize the resolver. This may not happen automatically
	+ * before privsep chroot().
	+ */
	+ if ((_res.options & RES_INIT) == 0) {
	+ debug("res_init()");
	+ res_init();
	+ }
	+#ifdef GSSAPI
	+ /*
	+ * Force GSS-API to parse its configuration and load any
	+ * mechanism plugins.
	+ */
	+ {
	+ gss_OID_set mechs;
	+ OM_uint32 minor_status;
	+ gss_indicate_mechs(&minor_status, &mechs);
	+ gss_release_oid_set(&minor_status, &mechs);
	+ }
	+#endif
	+#endif
	+
	/*
	* Register our connection. This turns encryption off because we do
	* not have a key.
	@@ -2175,9 +2229,32 @@
	*/
	remote_ip = ssh_remote_ipaddr(ssh);

	+#ifdef HAVE_LOGIN_CAP
	+ /* Also caches remote hostname for sandboxed child. */
	+ auth_get_canonical_hostname(ssh, options.use_dns);
	+#endif
	+
	#ifdef SSH_AUDIT_EVENTS
	audit_connection_from(remote_ip, remote_port);
	#endif
	+#ifdef LIBWRAP
	+ allow_severity = options.log_facility\|LOG_INFO;
	+ deny_severity = options.log_facility\|LOG_WARNING;
	+ /* Check whether logins are denied from this host. */
	+ if (ssh_packet_connection_is_on_socket(ssh)) {
	+ struct request_info req;
	+
	+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
	+ fromhost(&req);
	+
	+ if (!hosts_access(&req)) {
	+ debug("Connection refused by tcp wrapper");
	+ refuse(&req);
	+ /* NOTREACHED */
	+ fatal("libwrap refuse returns");
	+ }
	+ }
	+#endif /* LIBWRAP */

	rdomain = ssh_packet_rdomain_in(ssh);

	@@ -2226,6 +2303,8 @@
	fatal_f("sshbuf_new failed");
	auth_debug_reset();

	+ BLACKLIST_INIT();
	+
	if (use_privsep) {
	if (privsep_preauth(ssh) == 1)
	goto authenticated;
	Index: sshd_config
	===================================================================
	--- sshd_config
	+++ sshd_config
	@@ -1,4 +1,5 @@
	# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
	+# $FreeBSD$

	# This is the sshd server system-wide configuration file. See
	# sshd_config(5) for more information.
	@@ -10,6 +11,9 @@
	# possible, but leave them commented. Uncommented options override the
	# default value.

	+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
	+# FreeBSD has a few additional options.
	+
	#Port 22
	#AddressFamily any
	#ListenAddress 0.0.0.0
	@@ -29,7 +33,7 @@
	# Authentication:

	#LoginGraceTime 2m
	-#PermitRootLogin prohibit-password
	+#PermitRootLogin no
	#StrictModes yes
	#MaxAuthTries 6
	#MaxSessions 10
	@@ -53,11 +57,11 @@
	# Don't read the user's ~/.rhosts and ~/.shosts files
	#IgnoreRhosts yes

	-# To disable tunneled clear text passwords, change to no here!
	-#PasswordAuthentication yes
	+# Change to yes to enable built-in password authentication.
	+#PasswordAuthentication no
	#PermitEmptyPasswords no

	-# Change to no to disable s/key passwords
	+# Change to no to disable PAM authentication
	#KbdInteractiveAuthentication yes

	# Kerberos options
	@@ -70,7 +74,7 @@
	#GSSAPIAuthentication no
	#GSSAPICleanupCredentials yes

	-# Set this to 'yes' to enable PAM authentication, account processing,
	+# Set this to 'no' to disable PAM authentication, account processing,
	# and session processing. If this is enabled, PAM authentication will
	# be allowed through the KbdInteractiveAuthentication and
	# PasswordAuthentication. Depending on your PAM configuration,
	@@ -79,12 +83,12 @@
	# If you just want the PAM account and session checks to run without
	# PAM authentication, then enable this but set PasswordAuthentication
	# and KbdInteractiveAuthentication to 'no'.
	-#UsePAM no
	+#UsePAM yes

	#AllowAgentForwarding yes
	#AllowTcpForwarding yes
	#GatewayPorts no
	-#X11Forwarding no
	+#X11Forwarding yes
	#X11DisplayOffset 10
	#X11UseLocalhost yes
	#PermitTTY yes
	@@ -95,12 +99,13 @@
	#Compression delayed
	#ClientAliveInterval 0
	#ClientAliveCountMax 3
	-#UseDNS no
	+#UseDNS yes
	#PidFile /var/run/sshd.pid
	#MaxStartups 10:30:100
	#PermitTunnel no
	#ChrootDirectory none
	-#VersionAddendum none
	+#UseBlacklist no
	+#VersionAddendum FreeBSD-20210907

	# no default banner path
	#Banner none
	Index: sshd_config.5
	===================================================================
	--- sshd_config.5
	+++ sshd_config.5
	@@ -34,6 +34,7 @@
	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	.\"
	.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
	+.\" $FreeBSD$
	.Dd $Mdocdate: August 12 2021 $
	.Dt SSHD_CONFIG 5
	.Os
	@@ -794,7 +795,7 @@
	The system-wide
	.Pa /etc/hosts.equiv
	and
	-.Pa /etc/shosts.equiv
	+.Pa /etc/ssh/shosts.equiv
	are still used regardless of this setting.
	.Pp
	Accepted values are
	@@ -1276,8 +1277,10 @@
	.Pa /etc/moduli .
	.It Cm PasswordAuthentication
	Specifies whether password authentication is allowed.
	+See also
	+.Cm UsePAM .
	The default is
	-.Cm yes .
	+.Cm no .
	.It Cm PermitEmptyPasswords
	When password authentication is allowed, it specifies whether the
	server allows login to accounts with empty password strings.
	@@ -1370,7 +1373,14 @@
	or
	.Cm no .
	The default is
	-.Cm prohibit-password .
	+.Cm no .
	+Note that if
	+.Cm ChallengeResponseAuthentication
	+and
	+.Cm UsePAM
	+are both
	+.Cm yes ,
	+this setting may be overridden by the PAM policy.
	.Pp
	If this option is set to
	.Cm prohibit-password
	@@ -1734,6 +1744,20 @@
	.Cm TrustedUserCAKeys .
	For more details on certificates, see the CERTIFICATES section in
	.Xr ssh-keygen 1 .
	+.It Cm UseBlacklist
	+Specifies whether
	+.Xr sshd 8
	+attempts to send authentication success and failure messages
	+to the
	+.Xr blacklistd 8
	+daemon.
	+The default is
	+.Cm no .
	+For forward compatibility with an upcoming
	+.Xr blacklistd
	+rename, the
	+.Cm UseBlocklist
	+alias can be used instead.
	.It Cm UseDNS
	Specifies whether
	.Xr sshd 8
	@@ -1742,8 +1766,8 @@
	very same IP address.
	.Pp
	If this option is set to
	-.Cm no
	-(the default) then only addresses and not host names may be used in
	+.Cm no ,
	+then only addresses and not host names may be used in
	.Pa ~/.ssh/authorized_keys
	.Cm from
	and
	@@ -1751,6 +1775,8 @@
	.Cm Match
	.Cm Host
	directives.
	+The default is
	+.Dq yes .
	.It Cm UsePAM
	Enables the Pluggable Authentication Module interface.
	If set to
	@@ -1774,12 +1800,15 @@
	.Xr sshd 8
	as a non-root user.
	The default is
	-.Cm no .
	+.Cm yes .
	.It Cm VersionAddendum
	Optionally specifies additional text to append to the SSH protocol banner
	sent by the server upon connection.
	The default is
	-.Cm none .
	+.Qq FreeBSD-20210907 .
	+The value
	+.Cm none
	+may be used to disable this.
	.It Cm X11DisplayOffset
	Specifies the first display number available for
	.Xr sshd 8 Ns 's
	@@ -1793,7 +1822,7 @@
	or
	.Cm no .
	The default is
	-.Cm no .
	+.Cm yes .
	.Pp
	When X11 forwarding is enabled, there may be additional exposure to
	the server and to client displays if the
	@@ -1849,7 +1878,7 @@
	.Cm none
	to not use one.
	The default is
	-.Pa /usr/X11R6/bin/xauth .
	+.Pa /usr/local/bin/xauth .
	.El
	.Sh TIME FORMATS
	.Xr sshd 8
	Index: umac128.c
	===================================================================
	--- umac128.c
	+++ umac128.c
	@@ -1,4 +1,12 @@
	/* $OpenBSD: umac128.c,v 1.2 2018/02/08 04:12:32 dtucker Exp $ */
	+/* $FreeBSD$ */
	+
	+/* undo ssh_namespace.h munging */
	+#undef umac_new
	+#undef umac_update
	+#undef umac_final
	+#undef umac_delete
	+#undef umac_ctx

	#define UMAC_OUTPUT_LEN 16
	#define umac_new umac128_new
	Index: version.h
	===================================================================
	--- version.h
	+++ version.h
	@@ -1,6 +1,15 @@
	/* $OpenBSD: version.h,v 1.91 2021/08/20 03:22:55 djm Exp $ */
	+/* $FreeBSD$ */

	#define SSH_VERSION "OpenSSH_8.7"

	#define SSH_PORTABLE "p1"
	#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
	+
	+#define SSH_VERSION_FREEBSD "FreeBSD-20210907"
	+
	+#ifdef WITH_OPENSSL
	+#define OPENSSL_VERSION_STRING OpenSSL_version(OPENSSL_VERSION)
	+#else
	+#define OPENSSL_VERSION_STRING "without OpenSSL"
	+#endif

File Metadata

Mime Type: text/plain
Expires: Sat, Nov 9, 7:29 AM (21 h, 44 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 14552948
Default Alt Text: D28624.diff (41 KB)

D28624.diffNo OneTemporaryActions

D28624.diffView Options

File Metadata

Event Timeline

D28624.diff
No OneTemporary
Actions

D28624.diff
View Options