vendor/openssh: upgrade from 8.0p1 to 8.3p1

Summary of notable changes:
- ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel attacks like
Spectre, Meltdown and Rambleed; OpenSSH 8.1 and later encrypts private
keys when they are not in use with a symmetric key that is derived from
a relatively large "prekey" consisting of random data (currently 16KB)
- ssh(1), sshd(8), ssh-keygen(1): OpenSSH 8.2 removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will
use the rsa-sha2-512 signature algorithm by default when the
ssh-keygen(1) CA signs new certificates
- ssh(1), sshd(8): OpenSSH 8.2 removes diffie-hellman-group14-sha1 from
the default key exchange proposal for both the client and server
- ssh-keygen(1): the command-line options related to the generation and
screening of safe prime numbers used by the diffie-hellman-group-* key
exchange algorithms have changed; most options have been folded under
the -O flag
- support PKCS8 as an optional format for storage of private keys to disk;
the native key format remains the default, but PKCS8 is a superior format
to PEM if interoperability with non-OpenSSH software is required
- ssh(1), sshd(8): prefer to use chacha20 from libcrypto
- sshd(8): the sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured
by MaxStartups
- sshd(8): when clients get denied by MaxStartups, send a notification
prior to the SSH2 protocol banner according to RFC4253 section 4.2
- sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns
- sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
rhosts/shosts, "no" to allow rhosts/shosts, or (new) "shosts-only"
to allow .shosts files but not .rhosts
- sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks
- ssh(1), sshd(8): allow prepending a list of algorithms to the default
set by starting the list with the '^' character, e.g.
"HostKeyAlgorithms ^ssh-ed25519"
- ssh(1): allow forwarding a different agent socket to the path specified
by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accept an explicit path or the name of an environment variable in
addition to yes/no
- ssh(1): add %TOKEN percent expansion for the LocalForward and
RemoteForward keywords when used for Unix domain socket forwarding
- ssh(1): allow %n to be expanded in ProxyCommand strings
- sftp(1): reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it
- sftp(1): check for user@host when parsing sftp target; this allows
user@[1.2.3.4] to work without a path
- sftp(1): fix a race condition in the SIGCHILD handler that could
turn into a kill(-1)

For a detailed list of all improvements, enhancements and bugfixes, see
the release notes:
https://www.openssh.com/releasenotes.html

- [DBH] crypto/openssh/CREDITS
- [DBH] crypto/openssh/LICENCE
- [DBH] crypto/openssh/PROTOCOL
- [DBH] crypto/openssh/PROTOCOL.certkeys
- [DBH] crypto/openssh/PROTOCOL.chacha20poly1305
- [DBH] crypto/openssh/PROTOCOL.mux
- [DBH] crypto/openssh/PROTOCOL.sshsig
- [DBH] crypto/openssh/README
- [DBH] crypto/openssh/README.dns
- [DBH] crypto/openssh/auth-options.c
- [DBH] crypto/openssh/auth-options.h
- [DBH] crypto/openssh/auth-pam.c
- [DBH] crypto/openssh/auth-rhosts.c
- [DBH] crypto/openssh/auth.c
- [DBH] crypto/openssh/auth.h
- [DBH] crypto/openssh/auth2-chall.c
- [DBH] crypto/openssh/auth2-hostbased.c
- [DBH] crypto/openssh/auth2-kbdint.c
- [DBH] crypto/openssh/auth2-passwd.c
- [DBH] crypto/openssh/auth2-pubkey.c
- [DBH] crypto/openssh/auth2.c
- [DBH] crypto/openssh/authfd.c
- [DBH] crypto/openssh/authfd.h
- [DBH] crypto/openssh/authfile.c
- [DBH] crypto/openssh/authfile.h
- [DBH] crypto/openssh/canohost.c
- [DBH] crypto/openssh/channels.c
- [DBH] crypto/openssh/channels.h
- [DBH] crypto/openssh/cipher-chachapoly-libcrypto.c
- [DBH] crypto/openssh/cipher-chachapoly.h
- [DBH] crypto/openssh/cipher.c
- [DBH] crypto/openssh/cipher.h
- [DBH] crypto/openssh/clientloop.c
- [DBH] crypto/openssh/clientloop.h
- [DBH] crypto/openssh/contrib/ssh-copy-id.1
- [DBH] crypto/openssh/crc32.h
- [DBH] crypto/openssh/defines.h
- [DBH] crypto/openssh/dh.c
- [DBH] crypto/openssh/dh.h
- [DBH] crypto/openssh/digest-openssl.c
- [DBH] crypto/openssh/dns.c
- [DBH] crypto/openssh/entropy.c
- [DBH] crypto/openssh/hash.c
- [DBH] crypto/openssh/hmac.c
- [DBH] crypto/openssh/hostfile.c
- [DBH] crypto/openssh/kex.c
- [DBH] crypto/openssh/kex.h
- [DBH] crypto/openssh/kexecdh.c
- [DBH] crypto/openssh/kexgen.c
- [DBH] crypto/openssh/kexgexc.c
- [DBH] crypto/openssh/krl.c
- [DBH] crypto/openssh/krl.h
- [DBH] crypto/openssh/log.h
- [DBH] crypto/openssh/loginrec.c
- [DBH] crypto/openssh/mac.c
- [DBH] crypto/openssh/match.c
- [DBH] crypto/openssh/misc.c
- [DBH] crypto/openssh/misc.h
- [DBH] crypto/openssh/moduli
- [DBH] crypto/openssh/moduli.c
- [DBH] crypto/openssh/monitor.c
- [DBH] crypto/openssh/monitor_wrap.c
- [DBH] crypto/openssh/monitor_wrap.h
- [DBH] crypto/openssh/msg.c
- [DBH] crypto/openssh/mux.c
- [DBH] crypto/openssh/myproposal.h
- [DBH] crypto/openssh/nchan.c
- [DBH] crypto/openssh/packet.c
- [DBH] crypto/openssh/packet.h
- [DBH] crypto/openssh/pathnames.h
- [DBH] crypto/openssh/platform.c
- [DBH] crypto/openssh/progressmeter.c
- [DBH] crypto/openssh/readconf.c
- [DBH] crypto/openssh/readconf.h
- [DBH] crypto/openssh/readpass.c
- [DBH] crypto/openssh/scp.1
- [DBH] crypto/openssh/scp.c
- [DBH] crypto/openssh/servconf.c
- [DBH] crypto/openssh/servconf.h
- [DBH] crypto/openssh/serverloop.c
- [DBH] crypto/openssh/session.c
- [DBH] crypto/openssh/sftp-client.c
- [DBH] crypto/openssh/sftp-glob.c
- [DBH] crypto/openssh/sftp-realpath.c
- [DBH] crypto/openssh/sftp-server-main.c
- [DBH] crypto/openssh/sftp-server.8
- [DBH] crypto/openssh/sftp-server.c
- [DBH] crypto/openssh/sftp.1
- [DBH] crypto/openssh/sftp.c
- [DBH] crypto/openssh/sk-api.h
- [DBH] crypto/openssh/ssh-add.1
- [DBH] crypto/openssh/ssh-add.c
- [DBH] crypto/openssh/ssh-agent.1
- [DBH] crypto/openssh/ssh-agent.c
- [DBH] crypto/openssh/ssh-dss.c
- [DBH] crypto/openssh/ssh-ecdsa-sk.c
- [DBH] crypto/openssh/ssh-ed25519-sk.c
- [DBH] crypto/openssh/ssh-ed25519.c
- [DBH] crypto/openssh/ssh-keygen.1
- [DBH] crypto/openssh/ssh-keygen.c
- [DBH] crypto/openssh/ssh-keyscan.1
- [DBH] crypto/openssh/ssh-keyscan.c
- [DBH] crypto/openssh/ssh-keysign.8
- [DBH] crypto/openssh/ssh-keysign.c
- [DBH] crypto/openssh/ssh-pkcs11-helper.8
- [DBH] crypto/openssh/ssh-pkcs11-helper.c
- [DBH] crypto/openssh/ssh-pkcs11.h
- [DBH] crypto/openssh/ssh-sk-client.c
- [DBH] crypto/openssh/ssh-sk.h
- [DBH] crypto/openssh/ssh.1
- [DBH] crypto/openssh/ssh.c
- [DBH] crypto/openssh/ssh_api.c
- [DBH] crypto/openssh/ssh_config.5
- [DBH] crypto/openssh/sshbuf-getput-basic.c
- [DBH] crypto/openssh/sshbuf-getput-crypto.c
- [DBH] crypto/openssh/sshbuf-io.c
- [DBH] crypto/openssh/sshbuf-misc.c
- [DBH] crypto/openssh/sshbuf.c
- [DBH] crypto/openssh/sshbuf.h
- [DBH] crypto/openssh/sshconnect.c
- [DBH] crypto/openssh/sshconnect.h
- [DBH] crypto/openssh/sshconnect2.c
- [DBH] crypto/openssh/sshd.8
- [DBH] crypto/openssh/sshd.c
- [DBH] crypto/openssh/sshd_config.5
- [DBH] crypto/openssh/ssherr.c
- [DBH] crypto/openssh/ssherr.h
- [DBH] crypto/openssh/sshkey.c
- [DBH] crypto/openssh/sshkey.h
- [DBH] crypto/openssh/sshlogin.c
- [DBH] crypto/openssh/sshpty.c
- [DBH] crypto/openssh/sshsig.c
- [DBH] crypto/openssh/sshsig.h
- [DBH] crypto/openssh/uidswap.c
- [DBH] crypto/openssh/umac.c
- [DBH] crypto/openssh/umac.h
- [DBH] crypto/openssh/utf8.c
- [DBH] crypto/openssh/utf8.h
- [DBH] crypto/openssh/uuencode.c
- [DBH] crypto/openssh/uuencode.h
- [DBH] crypto/openssh/version.h
- [DBH] crypto/openssh/xmalloc.c
- [DBH] crypto/openssh/xmalloc.h
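
Several items in the summary of notable changes alter how existing sshd_config directives are interpreted. The following check is an added example, not part of the commit or of OpenSSH: it scans a config for the directives named in the commit message and reports lines that re-enable an algorithm dropped from the defaults or that use syntax 8.0p1 does not have. The sample config, the `audit` function and the note texts are constructed for illustration.

```python
import re

# Constructed sample sshd_config (not from the commit).
SAMPLE = """\
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
CASignatureAlgorithms +ssh-rsa
HostKeyAlgorithms ^ssh-ed25519
IgnoreRhosts shosts-only
Match User legacy
    IgnoreRhosts maybe
"""

# Algorithms the commit message says left the defaults in OpenSSH 8.2.
DROPPED = {"kexalgorithms": "diffie-hellman-group14-sha1",
           "casignaturealgorithms": "ssh-rsa"}
LIST_KEYWORDS = set(DROPPED) | {"hostkeyalgorithms"}
IGNORE_RHOSTS = {"yes", "no", "shosts-only"}


def audit(text):
    """Return (line_no, keyword, note) for directives affected by the upgrade."""
    findings, in_match = [], False
    for num, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9]+)[\s=]+(.+?)\s*$", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key == "match":
            in_match = True
        elif key in LIST_KEYWORDS:
            # A leading '+', '-' or '^' modifies the default list instead of replacing it.
            mod = value[:1] if value[:1] in ("+", "-", "^") else ""
            algos = value[len(mod):].split(",")
            if mod == "^":
                findings.append((num, key, "'^' prepend syntax is not in 8.0p1"))
            if mod != "-" and DROPPED.get(key) in algos:
                findings.append((num, key, f"explicitly enables {DROPPED[key]}"))
        elif key == "ignorerhosts":
            if value.lower() not in IGNORE_RHOSTS:
                findings.append((num, key, f"invalid value {value!r}"))
            elif value.lower() == "shosts-only":
                findings.append((num, key, "'shosts-only' is not in 8.0p1"))
            if in_match:
                findings.append((num, key, "after Match: not allowed in 8.0p1"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
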