commit 8725dbc5b5fcc3e326fc71189ef8dba4333362cc
Author: Damien Miller <djm@mindrot.org>
Date:   Wed Apr 9 17:02:17 2025 +1000

    update version numbers

commit cc7feb9458ad3b893b53dc9c7500d1affd208bde
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 9 07:00:21 2025 +0000

    upstream: openssh-10.0
    
    OpenBSD-Commit-ID: db5b4a1f1c9e988f8f166b56dc5643606294b403

commit fc86875e6acb36401dfc1dfb6b628a9d1460f367
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 9 07:00:03 2025 +0000

    upstream: Fix logic error in DisableForwarding option. This option
    
    was documented as disabling X11 and agent forwarding but it failed to do so.
    Spotted by Tim Rice.
    
    OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1

commit dd73459e351b0a2908aed90910c8ff9b0b381c6d
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 9 01:24:40 2025 +0000

    upstream: oops, I accidentally backed out the typo fix
    
    OpenBSD-Commit-ID: f485f79bf3e9ebbe1de13ac96150cf458956cfd8

commit 0cb945891944bada5850e85d60afa3c807cf1af6
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Apr 9 01:23:47 2025 +0000

    upstream: typo
    
    OpenBSD-Commit-ID: f912725c7d303720706b3ccfb2cb846d46296d13

commit cd4a6bd50b658d707867caa1f5aa40b35c2b6c19
Author: Damien Miller <djm@mindrot.org>
Date:   Wed Apr 9 09:49:55 2025 +1000

    initialise websafe_allowlist in agent fuzzer

commit 55b7cb48af96c1102ef8ab5a73bb329cbed30945
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Apr 8 23:10:46 2025 +0000

    upstream: typo
    
    OpenBSD-Regress-ID: 08477b936d1d0c1e8a98aa1c0e1bdde8871894c9

commit 985d8cbcd3438cc36b4e709476f1783e358ddfb1
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Apr 8 23:10:08 2025 +0000

    upstream: typo
    
    OpenBSD-Commit-ID: 6e683e13e72bf1e43bbd3bbc6a8332d5a98bdc99

commit 000c3d14e94d8f7597087c457260ea9417045b65
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Mon Apr 7 08:12:22 2025 +0000

    upstream: Include time.h for time().
    
    Fixes warning on some platforms when building without openssl.
    
    OpenBSD-Commit-ID: 04ca29b8eaae1860c7adde3e770baa1866e30a54

commit 49b8b9bf829e08af22366530614a5e59ac341ca9
Author: tb@openbsd.org <tb@openbsd.org>
Date:   Wed Apr 2 04:28:03 2025 +0000

    upstream: Wrap #include <openssl/dsa.h> in #ifdef WITH_DSA
    
    ok djm
    
    OpenBSD-Commit-ID: ed01a7c102243f84e4a317aefb431916d98aab15

commit f80fb819e5521e13f167edbcc3eed66e22ad0c2a
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Apr 3 09:10:19 2025 +1100

    remove all instances of -pie from LDFLAGS
    
    Previously only the first instance of this flag was removed.
    Unbreaks build on OpenSUSE Tumbleweed. Patch from Antonio Larrosa

commit 6c9872faa1c297a84c6d3e3b95a927be99eadbf6
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Apr 1 23:23:20 2025 +0000

    upstream: remove ability to enable DSA support. Actual code will be
    
    g/c'd separately. ok deraadt@
    
    OpenBSD-Commit-ID: 2a032b75156c4d922e8343fa97ff6bc227f09819

commit 8460aaa4e1f8680f03cc5334556b9440b401f010
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Mar 28 21:45:55 2025 +0000

    upstream: Add TEST_SSH_SSHD_ENV to sshd lines here too.
    
    OpenBSD-Regress-ID: 045f2c88b42d694b404db51c5de5eca20d748ff1

commit 5e60f5937b9c33190b9d7614f72d85d4a9b38d3d
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Mar 28 06:04:07 2025 +0000

    upstream: Pass "ControlMaster no" to ssh when invoked by scp & sftp.
    
    If you have ControlMaster auto (or yes) in your config, and the
    first connection you make is via scp or sftp, then you may get a
    few unexpected options applied to it (eg ForwardX11 no), since sftp
    and sftp explicitly disable those for reasons.  These effects will
    persist beyond the initial scp or sftp command.
    
    This explicitly disables persistent session *creation* by scp and sftp.
    It will not prevent them from using an existing session if one has
    already been created.
    
    From Github PR#557, ok djm@ kn@
    
    OpenBSD-Commit-ID: 9dad7c737466837e0150c4318920f46d844770c4

commit bbd36869dfb4b770cc9e6a345c04a585a0955aec
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Mar 28 05:41:15 2025 +0000

    upstream: Set sshd environment variables during sshd test run too.
    
    OpenBSD-Regress-ID: 50cb325d92c390a2909662c901f6ac5d80b6f74d

commit 98f05b1484daddef2f56b79e24540523b5016143
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Mar 28 05:36:24 2025 +0000

    upstream: Add TEST_SSH_SSHD_ENV variable which is added to sshd's
    
    environment. Will be used in Portable to tweak behaviour of tcmalloc's
    debugging.
    
    OpenBSD-Regress-ID: 67e38c3c4517ddb72c8a3549a3325a166d7bb6d6

commit 8cd9ed4df0eccc825eca0c45354a37332e125e38
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Mar 28 05:33:30 2025 +0000

    upstream: chown log directory in addition to log files.
    
    OpenBSD-Regress-ID: b520d54a0bbf2c6554413c798218bda26b385ad9

commit e32de6bf4f3229d4838beb127de45eed1377ccc5
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Mar 28 16:47:58 2025 +1100

    Be explicit about environment variables for tests.
    
    This will make it easier to reproduce a test failure by cut-and-paste of
    the corresponding line from the github log.

commit 77a3e6ba47381547b3fe4b29223256f276fbd07e
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Mar 28 16:46:40 2025 +1100

    Add tcmalloc flags to TEST_SSH_SSHD_ENV.
    
    This will get passed to sshd via test-exec.sh.

commit a73890e340fbd6121251854b658a72d738b86c84
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Thu Mar 27 23:04:44 2025 +1100

    Add PuTTY 0.81, 0.82 and 0.83 to tests.

commit 90a28de0d49570324d1695c0b4686354ef3bcae0
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Thu Mar 27 22:30:40 2025 +1100

    Include TCMALLOC_STACKTRACE_METHOD in output.
    
    If TCMALLOC_STACKTRACE_METHOD happens to be set, include it in the debug
    output to make reproducing test cases easier.

commit fd5a6bb6dd7657c4bd8cd0ee11d5c8ddf0d927b2
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Thu Mar 27 20:15:11 2025 +1100

    Test with-linux-memlock-onfault in kitchensink.

commit 22330711e2459c23d9736ee16e0e2ee0fcc30b9a
Author: Collin Funk <collin.funk1@gmail.com>
Date:   Wed Mar 26 18:24:59 2025 -0700

    Include fcntl.h so AT_FDCWD does not get redefined.

commit 6c49e5f7dcaf886b4a702a6c003cae9dca04d3ea
Author: Daniil Tatianin <d-tatianin@yandex-team.ru>
Date:   Thu Feb 27 11:37:13 2025 +0300

    Add support for locking memory on Linux
    
    Linux wakes up kcompactd threads in order to make more contiguous memory
    available on the system, it does this by migrating live movable pages
    (actively modifying live processes' page tables and constantly flooding
    them with page invalidation IPIs, which can be up to millions per
    second), which causes the process to become unresponsive for up to
    seconds or even minutes in some severe cases. In case of sshd, we want
    to always be able to connect to the system, even if it's under heavy
    kcompactd load.
    
    Introduce an option to protect sshd and its children sessions from being
    compacted by kcompactd (this works in conjunction with
    compact_unevictable_allowed = 0). Note that we depend on MCL_ONFAULT
    being available, which was introduced in linux 4.4. MCL_ONFAULT allows
    the system to lock pages lazily, thus drastically reducing memory usage
    of a locked process (without MCL_ONFAULT, every existing mapping in the
    process is instantly write-faulted).

commit fdc4853c5b1567934d43ab13282f03033cc21325
Author: Daniil Tatianin <d-tatianin@yandex-team.ru>
Date:   Thu Feb 27 11:46:25 2025 +0300

    platform: introduce a way to hook new session start
    
    Previously this was possible via post_fork_child, but ever since sshd
    was split into multiple binaries, this is now no longer possible because
    of execv.

commit 1b311b6b17be81577514c38e8be4f5740d7df496
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Wed Mar 19 06:11:15 2025 +0000

    upstream: Prevent theoretical NULL deref in throughlocal_sftp.
    
    Coverity CID 405019, although at the moment it's not reachable. ok djm@
    
    OpenBSD-Commit-ID: 630d46c1021b69fbb470e349976c70e9a48b7644

commit 96493ebd6ff48bbb802576e208794a26928569b0
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Mar 19 17:35:10 2025 +1100

    Fix workflow syntax again.

commit 575c43fd4c44d376b1771c0fdaf4941021ba88c9
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Mar 18 20:54:48 2025 +1100

    Differentiate logfiles better.

commit 8a1294638f3a47d46263ea574fa85c8e115ea893
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Mar 18 20:27:46 2025 +1100

    Fix another typo in workflow.

commit bd9e6bbcc864b3e10c4e11f5aec1b3a5e3a89b55
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Mar 18 18:16:12 2025 +1100

    Fix syntax error in workflow.

commit ce88a1bb4a2e6425752094f7a2eb4adfb0ca7971
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Mar 18 18:13:14 2025 +1100

    Identify each logfile while printing them.

commit b58e429960c4791fc4e30bb7c70d1f77d538b546
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Mar 18 04:53:14 2025 +0000

    upstream: fix NULL dereference for Match conditions missing
    
    arguments, e.g. "Match user". Spotted by Coverity (CID 477813)
    
    OpenBSD-Commit-ID: 13584281cfa23b8ebc41f9d128a6b9464ae960d4

commit 0ce5281f017c3ad7bdcc2bbd9745119a73e0cbb8
Author: tb@openbsd.org <tb@openbsd.org>
Date:   Fri Mar 14 09:49:49 2025 +0000

    upstream: Fix EVP_CIPHER_CTX_ctrl() return checks
    
    While this API tries to translate negative return values (i.e. -1) to 0
    in BoringSSL and LibreSSL, it is still possible for it to return negative
    values in principle. We even incorrectly document that -1 can be returned
    while Boring and OpenSSL plead the Fifth.
    
    In OpenSSL 3 there are now code paths that explicitly return -1 and they
    started shifting their return checks to <= 0 - of course they do this in
    inconsistent and sometimes incorrect manner. While these paths aren't
    reachable from ssh right now, who can really tell what happens in the two
    hundred lines of inscrutable bloated mess this has become.
    
    So error check with <= 0 to ensure that we don't accidentally translate an
    error to success.
    
    ok markus schwarze
    
    OpenBSD-Commit-ID: a855c833cf4ecfce43bedc761f26ad924f70483c

commit 2e81100763d5885e500f065b04c16ed87ce74318
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Mon Mar 17 21:35:55 2025 +1100

    Fix debug log path.

commit 442a44970179d70ebb62bba792699eaec978a1db
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Mar 14 16:24:06 2025 +1100

    Also lazily unmount workspace in case of stragglers.

commit 20427f6735fe5ddab31911ce5315adc71acf47d8
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Mar 14 16:17:39 2025 +1100

    Make sure upstream tests run on correct hardware.

commit 91a2f70a56827ae31649baf17227b0914ac5aa36
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Mar 14 13:47:27 2025 +1100

    Add OpenBSD upstream test on obsdsnap-arm64.

commit c20f7413525602b0ea786d8974d03a81f7ca2a92
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Mar 13 10:45:53 2025 +1100

    rebuild .depend

commit d47ef958b89c6fa809302d654009d3dfabe11b75
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Mar 12 22:43:44 2025 +0000

    upstream: remove assumption that the sshd_config and any configs
    
    included from it can fit in a (possibly enlarged) socket buffer, by having
    the sshd listener mainloop actively manage sending the configuration to the
    sshd-session subprocess.
    
    work by markus@ w/ a little feedback from me;
    ok me and committing on his behalf
    
    OpenBSD-Commit-ID: 8f54451483f64951853074adb76bc4f838eaf3ae

commit 9c90b563943c16418d737433ac478974b8761ee5
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 11:46:44 2025 +0000

    upstream: Prime caches for DNS names needed for tests.
    
    When running the SSHFP tests, particularly on an ephemeral VM, the first
    query or two can fail for some reason, presumably because something isn't
    fully initialized or something.  To work around this, issue queries for the
    names we'll need before we need them.
    
    OpenBSD-Regress-ID: 900841133540e7dead253407db5a874a6ed09eca

commit 10124eefe875a3e4e1cfb84ebe6a613ed3213b78
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 09:06:50 2025 +0000

    upstream: Some dd's don't understand "1m", so handle separately.
    
    OpenBSD-Regress-ID: 1d983b27c96f28f69d3a288c19e8d8c58e1b2ee3

commit c21c8fc319376c2f5e0da166e9e89a97a245ae72
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Tue Mar 11 19:17:46 2025 +1100

    Lazily unmount github workspace at end of workflow.
    
    Sometimes when a test times out the workspace is still busy when we try
    to unmount it, which leaves the runner unusable until it's cleaned up
    manually. We try to unmount this in the first step, but that usually
    doesn't work since it fails during setup before it starts our workflow.
    Move it to the end and make it a lazy unmount so it hopefully works
    eventually.

commit 4bcbac742968f5086cfd4c570a51de25ef77931f
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 07:50:20 2025 +0000

    upstream: Add regress test for sftp resume.
    
    OpenBSD-Regress-ID: 37f629b3014338fa23a85df1e1bb320ea12282e1

commit e2c4f070b43a4fd7d59a9350e2fe78df605830b5
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 07:46:02 2025 +0000

    upstream: Use ssh binary instead of the (smaller) script when
    
    preparing test data files since it's faster.
    
    OpenBSD-Regress-ID: 4215e42682fdb73e131e10645d4a1a23a91d64f5

commit 62f02e95ba5cda4649c482d30f4370e2360eb94d
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 07:43:45 2025 +0000

    upstream: Set up dbclient's known_hosts as it expects.
    
    OpenBSD-Regress-ID: 9e0898e8423237ce5023be53787bb4062e0d0418

commit 395284bd52887dbaf7e78200c857d7f2d9ce398e
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 07:43:03 2025 +0000

    upstream: Use $DBCLIENT to access dbclient for consistency.
    
    OpenBSD-Regress-ID: 81e1b41e1ffc49aba1e6fcaeb6242f3b7875ea3c

commit 97e10c0005a784622c61cb4e8bb7858b410bbcc6
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 07:42:08 2025 +0000

    upstream: Check if dbclient supports SHA1 before trying SHA1-based
    
    KEX.
    
    Dropbear 2025.87 removed SHA1 support by default, which means
    diffie-hellman-group14-sha1 is not available.  Unfortunately there isn't a
    flag to query supported KEX, so instead check MACs and if it doesn't have
    SHA1 methods, assume SHA1 based KEXes are likewise not available.  Spotted
    by anton@.
    
    OpenBSD-Regress-ID: acfa8e26c001cb18b9fb81a27271c3b51288d304

commit 29a5127f808d00aa539fd27d83a65c2c56179b0e
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Tue Mar 11 07:48:51 2025 +0000

    upstream: Set highwater when resuming a "put". Prevents bogus "server
    
    reordered acks" debug message.  ok djm@
    
    OpenBSD-Commit-ID: aa7f6d0fc2e893c8c278ea3e6e0974c2eca83f5d

commit 6575859d7acb110acf408707f98ed9744ca7d692
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Mon Mar 3 06:54:37 2025 +0000

    upstream: Test for %-token and env var expansion in SetEnv.
    
    OpenBSD-Regress-ID: bd6139a6177ac4afb29a0ce4afc23567b22ef9f9

commit fd7ad8d7bf7dbdeb8f11a8b51aa9d31df1a17e52
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sun Mar 2 07:41:06 2025 +0000

    upstream: Also test User expansions when supplied via -l option and
    
    user@host.
    
    OpenBSD-Regress-ID: 56415859260b53ef0dd20f71225ba5fdf6320f50

commit e6cfd783f1491b502db9322aa970822c63f1667d
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Mar 1 06:12:47 2025 +0000

    upstream: Tests for User expansion of %-tokens and environment
    
    variables.
    
    OpenBSD-Regress-ID: 7ed21dd0e09fb1f3537b8b177f171018aa501628

commit 197e503b8e4b642ce0f405a5d65da4256fa96431
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 16:25:58 2024 +0000

    upstream: use glob(3) wildcards in AuthorizedKeys/PrincipalsFile
    
    tests to exercise this feature; ok dtucker
    
    OpenBSD-Regress-ID: 7f7b19c0b05b1862cc6521ce61b2b301a3f9cc3b

commit 396202180180a4ac16788d469508a348789dafa1
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 10:37:42 2024 +0000

    upstream: implement attestation verification for ED25519 keys
    
    OpenBSD-Regress-ID: c44fa5cdb434375a8b5545fdb4fc651061afca1f

commit b49875428cda9c16c5bd52552100da2b419cda5f
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Mon Mar 3 06:53:09 2025 +0000

    upstream: Add %-token and environment variable expansion to SetEnv.
    
    feedback deraadt@ jmc@, nits and ok djm@
    
    OpenBSD-Commit-ID: 2f6e5070481cb73e6f35fd1c6608c1eeff88a5c1

commit b6bba67e6c31d268480773e4fed16d0a32b4218e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sun Mar 2 22:44:00 2025 +0000

    upstream: fix PerSourcePenalty incorrectly using "crash" penalty when
    
    LoginGraceTime was exceeded. Reported by irwin AT princeton.edu via bz3797
    
    OpenBSD-Commit-ID: 1ba3e490a5a9451359618c550d995380af454d25

commit 38d69fee1b06948f160d94abd07b6b297630d30a
Author: Damien Miller <djm@mindrot.org>
Date:   Sun Mar 2 22:06:53 2025 +1100

    include __builtin_popcount replacement function
    
    Some systems/compilers lack __builtin_popcount(), so replace it as
    necessary. Reported by Dennis Clarke; ok dtucker@

commit c94138d02a45dda5015f38f5a60b0bdde29019c1
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sun Mar 2 11:03:13 2025 +0000

    upstream: whitespace
    
    OpenBSD-Commit-ID: 1bd8953a37451ef7e0991f9fceec5e8005fe986a

commit 65d2c59628e68e166046efa69e76c1d395a8df6e
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sun Mar 2 07:02:49 2025 +0000

    upstream: Make a copy of the user when handling ssh -l, so that
    
    later during User token expansion we don't end up freeing a member of argv.
    Spotted by anton@'s regress tests.
    
    OpenBSD-Commit-ID: 2f671a4f5726b66d123b88b1fdd1a90581339955

commit bd30cf784d6e825ef71592fb723c41d4f2fd407b
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Sat Mar 1 06:11:26 2025 +0000

    upstream: Allow %-token and environment variable expansion in User,
    
    with the exception of %r and %C which are self-referential.  Requested in
    bz#3477, ok djm@, man page improvements jmc@
    
    OpenBSD-Commit-ID: caeb46251ee073662f6f5864c6f7b92d8ac80fa8

commit 94f59dcfc57f95ae044f75c3ce544329c8956c35
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Sat Mar 1 10:28:59 2025 +1100

    Rebuild config files if Makefile changes.
    
    This ensures paths are updated if they are changed by re-running configure.
    Patch from rapier at psc.edu.

commit dfd9880585db1570656022f9fe1519df673f7b8a
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Wed Feb 26 18:16:03 2025 +1100

    Check for le32toh, le64toh, htole64 individually.
    
    It appears that at least some versions of endian.h in glibc do not have
    the latter two, so check for and replace each one individually.
    bz#3794, ok djm@

commit cb99e8eb228df366af33f4fe88d7a9dd0dbf0756
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Feb 25 06:25:30 2025 +0000

    upstream: resurrect fix for "match invalid-user" that got clobbered
    
    by 1.423
    
    OpenBSD-Commit-ID: d18bf0945976e0f3467d710d4bc8bdbe181c0567

commit 487cf4c18c123b66c1f3f733398cd37e6b2ab6ab
Author: deraadt@openbsd.org <deraadt@openbsd.org>
Date:   Fri Feb 21 18:22:41 2025 +0000

    upstream: Also prohibit , (comma) in hostnames, proposed by David
    
    Leadbeater ok djm millert
    
    OpenBSD-Commit-ID: 2837fa31dc6e81976f510f0a259edaa559b20b07

commit 3bc6de98c830bd5207f6c371ba69c5874f06305b
Author: Damien Miller <djm@mindrot.org>
Date:   Mon Feb 24 17:27:50 2025 +1100

    Try to fix github tcmalloc target failure
    
    tcmalloc may, depending on the stacktrace generator it uses, create
    pipe(2) fds during shared library initialisation. These will later
    get clobbered by ssh/sshd calling closefrom() and chaos will ensue.
    Tell tcmalloc to use an unwinder that doesn't pull this stuff.

commit 922e54bbfe8c8479453693ef52350338f0c19124
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Feb 21 13:44:35 2025 +1100

    cleanup last mention of ubuntu-20.04

commit bc4b3f6dc1738d389e5c9dcca8c56d7e153fee49
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Feb 21 13:44:13 2025 +1100

    prune gcc/clang versions to be tested
    
    Test only the oldest and latest versions of each

commit 94b73755f931d592a612ef5cb998694643eab5ff
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Feb 21 11:30:22 2025 +1100

    Update AWS-LC version number
    
    Patch from Shubham Mittal bz bz3792

commit 6887099fae6d9f3482e1075d034e9343dc413200
Author: Damien Miller <djm@mindrot.org>
Date:   Fri Feb 21 11:22:34 2025 +1100

    adjust workflows for ubuntu version transition
    
    remove workflows for unsupported compilers, add a few for additional
    supported compilers, move some workflows to run on ubuntu-latest

commit 33bb47e6f74f2ca8093946e6f462d655a9ae46d3
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Feb 20 17:10:32 2025 +1100

    Add ubuntu-*-arm test runners

commit a0c95fbb215b2168fa51b15906e2d6990d7fef6b
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Feb 20 17:03:28 2025 +1100

    remove ubuntu-20.04 Github action runners
    
    ubuntu-20.04 is deprecated now, so migrate all its unique runners
    to ubuntu-22.04.
    
    ok dtucker@

commit 0cbeedba81b57c56379e1d202b9ccd3b72af7ddc
Author: Damien Miller <djm@mindrot.org>
Date:   Tue Feb 18 19:03:42 2025 +1100

    openssh-9.9p2

commit 0832aac79517611dd4de93ad0a83577994d9c907
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Feb 18 08:02:48 2025 +0000

    upstream: Fix cases where error codes were not correctly set
    
    Reported by the Qualys Security Advisory team. ok markus@
    
    OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d

commit 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Feb 18 08:02:12 2025 +0000

    upstream: Don't reply to PING in preauth phase or during KEX
    
    Reported by the Qualys Security Advisory team. ok markus@
    
    OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217

commit 9e5bd74a85192c00a842f63d7ab788713b4284c3
Author: jmc@openbsd.org <jmc@openbsd.org>
Date:   Sat Feb 15 06:48:56 2025 +0000

    upstream: - use \& when constructs like "e.g." end a line, to avoid
    
    double spacing - macro is Qq not Oq
    
    OpenBSD-Commit-ID: 17e5d2d7f288cc7fc536e3af252224525f9fb43a

commit f519e71fb7a46314ae16e2a75490649dc0bd01a2
Author: Damien Miller <djm@mindrot.org>
Date:   Sat Feb 15 13:12:40 2025 +1100

    depend

commit 9131ac64b0ebe66dc1de9d44bf8d1bd64a24c350
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Feb 15 01:52:07 2025 +0000

    upstream: add "Match version" support to ssh_config. Allows
    
    matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*"
    
    ok markus@
    
    OpenBSD-Commit-ID: c0cb504d0b9e43ccf12e68a544a7cd625e89758d

commit 192a20df00c8a56fe7d92ffa23d959c865d7fb9e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Feb 15 01:50:47 2025 +0000

    upstream: Add support for "Match sessiontype" to ssh_config. Allows
    
    matching on the type of session requested, either "shell" for interactive
    sessions, "exec" for command execution sessions, "subsystem" for subsystem
    requests, such as sftp, or "none" for transport/forwarding-only sessions.
    
    ok markus@
    
    OpenBSD-Commit-ID: eff5c001aecb2283d36639cfb28c0935a8bfd468

commit caa3c0c77082888236b0b0c4feb3e6879731b3ba
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Feb 15 01:48:30 2025 +0000

    upstream: "Match command ..." support for ssh_config to allow
    
    matching on the remote command specified on the commandline.
    
    Also relaxes matching rules for `Match tagged` to allow
    `Match tagged ""` to match an empty tag value. This also works
    for command.
    
    ok markus@
    
    OpenBSD-Commit-ID: 00dcfea425bf58d824bf5e3464cfc2409121b60d

commit 38f6000e9851a00e2e4b8e1eb4ea6a243ef7e6a3
Author: Damien Miller <djm@mindrot.org>
Date:   Tue Feb 11 10:32:26 2025 +1100

    depend

commit aa1409e7a0a5605f0127651a3ba5a348666325bc
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Feb 10 23:19:26 2025 +0000

    upstream: include arguments the command was invoked with, and
    
    operating system name, version and architecture in startup debugging output;
    ok dtucker
    
    OpenBSD-Commit-ID: 2a509d319aaf31a6bf9998e1842832883fbc3edd

commit 857ac20f5fe19f183defba5dbf4b7d9e6400230c
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Feb 10 23:16:51 2025 +0000

    upstream: include line number in Match debug messages, makes it a
    
    little easier to see what's going on
    
    OpenBSD-Commit-ID: 1fcf4aa2ee667711b9497ded0fa52d757c69b1df

commit af49d474e481d2d78b2f06b06a06b0b37629358e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Feb 10 23:00:29 2025 +0000

    upstream: fix "Match invalid-user" from incorrectly being activated
    
    in initial configuration pass when no other predicates were present on the
    match line
    
    OpenBSD-Commit-ID: 02703b4bd207fafd03788bc4e7774bf80be6c9a8

commit 1c67bae3f5834e48ded71c406f2039dea6e536db
Author: schwarze@openbsd.org <schwarze@openbsd.org>
Date:   Sun Feb 9 18:24:08 2025 +0000

    upstream: In a section 1 manual, use the plain English words
    
    "standard output" rather than the overly technical abbreviation "stdout" - we
    are not talking about a device file or a FILE * object here. Issue reported
    by <onf at disroot dot org> on the groff mailing list.
    
    OpenBSD-Commit-ID: a0816999f970e6159523bed8484f62c42ec93109

commit 85b3d68dd931416ede657f371f1d60cdc3a66f34
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Jan 17 00:09:41 2025 +0000

    upstream: Fix debug logging of user specific delay. Patch from
    
    Achim Leitner (fjl5) via github PR#552.
    
    OpenBSD-Commit-ID: 834a869ed9b15058d3c1ef0cd75402ef989255d8

commit e4e5b06fdf4532705669c0ae944b364022d16b9d
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Thu Jan 16 06:37:10 2025 +0000

    upstream: Call log_init in sshd-auth and sshd-session immediately
    
    after parsing the config file so that any log settings set in the config file
    take effect immediately.  Move version banners to immediately after that, and
    make them distinct per binary.  ok djm@
    
    OpenBSD-Commit-ID: acf3d090638edf9b6e6f78eed96b537fe671f0f5

commit 0643994b20f2cc54bca80842a984b3052ff1a6a9
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Wed Jan 15 22:23:13 2025 +0000

    upstream: Use strprefix helper when processing sshd -C test args
    
    instead of counting bytes by hand.  ok djm@
    
    OpenBSD-Commit-ID: 2866d369d96fe04bf76112260ac37e489f98a9a9

commit 66efd0fbb6b8b95f8a520f2cdf8ede14e62b30b3
Author: Damien Miller <djm@mindrot.org>
Date:   Thu Feb 6 09:38:09 2025 +1100

    add support for AWS-LC (AWS libcrypto)
    
    Patch from Shubham Mittal via bz3784; ok dtucker

commit 826483d51a9fee60703298bbf839d9ce37943474
Author: Tim Rice <tim@multitalents.net>
Date:   Mon Dec 16 15:36:54 2024 -0800

    fix old typo (s/SYSVINITSTOPT/SYSVINITSTOP/)

commit 1a8ce460f1d0c3f7304edba0733783b57b430e21
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Thu Dec 12 09:09:09 2024 +0000

    upstream: Plug leak on error path, spotted by Coverity. ok djm@
    
    OpenBSD-Commit-ID: b1859959374b4709569760cae0866d22a16606d3

commit 924f996144fc0ae1a659fadcfc2237d1ae935fc4
Author: Xavier Hsinyuan <me@lstlx.com>
Date:   Mon Dec 9 11:21:05 2024 +0800

    Add $(srcdir) for standalone sk-libfido2 make target.
    
    Fix out-of-tree build failure due to incorrect path for `sk-usbhid.c`.

commit bbc9c18e84de29c83fa03e69290979fcca54a2b2
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Dec 7 10:12:19 2024 +0000

    upstream: replace bespoke logging of MaxSessions enforcement with
    
    new ratelimited logging infrastructure.
    
    Add ratelimits to logging of connections dropped by PerSourcePenalties
    
    ok dtucker
    
    OpenBSD-Commit-ID: f22fe7c39607e4361aadf95e33773ffd68c59489

commit 5a6ddf946cf105189c2c99a04f86ce95edc55fc5
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Sat Dec 7 10:05:36 2024 +0000

    upstream: add infrastructure for ratelimited logging; feedback/ok
    
    dtucker
    
    OpenBSD-Commit-ID: 18a83e5ac09d59aaf1e834fd6b796db89dd842e7

commit 85f0c1e75e8f6c5d83b8070918ee2f6ab16d403e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 16:24:27 2024 +0000

    upstream: allow glob(3) patterns for sshd_config AuthorizedKeysFile
    
    and AuthorizedPrincipalsFile directives; bz2755 ok dtucker
    
    OpenBSD-Commit-ID: 3e3e05a17fca39bba78b993a07b44664519adf7f

commit 9a9ffee6e10bcd039f1f9385599577441ebe542a
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 16:21:48 2024 +0000

    upstream: support VersionAddendum in the client, mirroring the
    
    option of the same name in the server; bz2745 ok dtucker@
    
    OpenBSD-Commit-ID: 6ff7905b3f9806649bde750515786553fb89cdf4

commit 41ab0ccecd68232e196efae5e224b31ca104c423
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 16:02:12 2024 +0000

    upstream: clarify encoding of options/extensions; bz2389
    
    OpenBSD-Commit-ID: c4e92356d44dfe6d0a4416deecb33d1d1eba016c

commit 5488810359f0fd91e2f7b919c70a3798e46376cb
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 15:17:15 2024 +0000

    upstream: ignore SIGPIPE here; some downstreams have had this for
    
    years...
    
    OpenBSD-Commit-ID: 73674ee4f8ceb8fc9cb8de71d8ddea0c721eb035

commit 4389a792d9078212366eba124a3eed36e009d09e
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Dec 6 15:12:56 2024 +0000

    upstream: sync -o option lists with ssh.1; requested jmc@
    
    OpenBSD-Commit-ID: a7ac295b444da7b2ca7a33a52370594f6897f6bb

commit 6b9cd095565ddc5402d5096dce248fa0521dbda3
Author: Fabio Pedretti <pedretti.fabio@gmail.com>
Date:   Mon Oct 16 17:12:24 2023 +0200

    Remove ancient RHL 6.x config in RPM spec.
    
    It looks like build6x options were intended for RHL 6.x
    (the Red Hat distro predating Fedora, not RHEL), but were
    then applied to RHEL.
    
    Completely remove support for this ancient configuration.
    
    Successfully built, installed and run on RHEL 6. This also
    removes a build warning about deprecation of PreReq.

commit 5cacfa798f92b707491375fed748d1d1bcb33ec9
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Dec 6 23:54:45 2024 +1100

    Add new hardware-backed signing key for myself.
    
    Retire old non-hardware based signing key.

commit f129b6ee1d4361799e65307216e3a4d5544356b7
Author: Jonas 'Sortie' Termansen <sortie@maxsi.org>
Date:   Sat Nov 2 22:05:45 2024 +0100

    Fix configure implicit declaration and format warnings.

commit 11a5e5179077f73c2d45bcdf3f60153ae3f17815
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Dec 6 07:05:54 2024 +0000

    upstream: Expand $SSH to absolute path if it's not already.
    
    Prevents problem later in increase_datafile_size if ssh is not in
    the path.  Patch from quaresmajose via GHPR#510.
    
    OpenBSD-Regress-ID: 2670a66af8b827410ca7139f0a89f4501cece77b

commit dc2ef8f0944a4ff7ba19e52fd17b4654e6bd9b93
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date:   Fri Dec 6 06:55:28 2024 +0000

    upstream: Change "login again" to "log in again"
    
    in password change message.  From ThinLinc-Zeijlon via github PR#532.
    
    OpenBSD-Commit-ID: fea5e9bc04caf613a118c419f16863733b340cf1

commit 8252f346eb21cd6b30816f905b7d94f10962373e
Author: naddy@openbsd.org <naddy@openbsd.org>
Date:   Thu Dec 5 22:45:03 2024 +0000

    upstream: catch up documentation: AES-GCM is preferred to AES-CTR
    
    OpenBSD-Commit-ID: 63360924b6834507fe70020edb936f5075043a9e

commit 9a2f4c75081769bd45eba2bf3fab0a32b25f1879
Author: Darren Tucker <dtucker@dtucker.net>
Date:   Fri Dec 6 17:56:17 2024 +1100

    Change text from "login to" to "log in to".
    
    From ThinLinc-Zeijlon via GHPR#532.

commit 24dcf368d816b06136a02845ebd0c7846bf18927
Author: Xavier Hsinyuan <me@lstlx.com>
Date:   Fri Dec 6 11:56:34 2024 +0800

    Fix configure message typo in sk-libfido2 standalone.

commit 1a0cac2f3411a22d69ae6918eff48456b805e73b
Author: Alexander Kanavin <alex@linutronix.de>
Date:   Thu Dec 5 16:26:46 2024 +0100

    Skip 2038 key expiry test on 64 bit time_t systems.
    
    This allows testing Y2038 with system time set to after that (i.e. 2040),
    so that actual Y2038 issues can be exposed, and not masked by key expiry
    errors.
    
    Signed-off-by: Alexander Kanavin <alex@linutronix.de>

