PerSourcePenalties

This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@

OpenBSD-Commit-ID: 3c8443c427470bb3eac1880aa075cb4864463cb6

options.

This allows writing Match conditions that trigger for invalid username.
E.g.

PerSourcePenalties refuseconnection:90s
Match invalid-user
 RefuseConnection yes

Will effectively penalise bots try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.

feedback markus@

OpenBSD-Commit-ID: 93d3a46ca04bbd9d84a94d1e1d9d3a21073fbb07

OpenBSD-Commit-ID: 2c84a9b517283e9711e2812c1f268081dcb02081

implementation in SUPERCOP 20201130 to the "compact" implementation in
SUPERCOP 20240808. The new version is substantially faster. Thanks to Daniel
J Bernstein for pointing out the new implementation (and of course for
writing it).

tested in snaps/ok deraadt@

OpenBSD-Commit-ID: bf1a77924c125ecdbf03e2f3df8ad13bd3dafdcb

Simpler and removes some code with the old-style BSD license.

OpenBSD-Commit-ID: d899c13b0e8061d209298eaf58fe53e3643e967c

OpenBSD-Commit-ID: 1c81f37b138b8b66abba811fec836388a0f3e6da

relies on using -fwrapv to provide defined over/underflow behaviour, but we
use -ftrapv to catch integer errors and abort the program. ok dtucker@

OpenBSD-Commit-ID: 8933369b33c17b5f02479503d0a92d87bc3a574b

key values need to be static to persist across invocations;
spotted by the Qualys Security Advisory team.

OpenBSD-Commit-ID: 303417285f1a73b9cb7a2ae78d3f493bbbe31f98

OpenBSD-Commit-ID: 3fb621a58e04b759a875ad6a33f35bb57ca80231

OpenBSD-Commit-ID: 81869ee6356fdbff19dae6ff757095e6b24de712

02e16ad did a copy-paste for
utmpx, but forgot to change the ifdef appropriately

Fixes compile error on Void Linux/Musl

From Void Linux

OpenBSD-Commit-ID: 22072bfa1df1391858ae7768a6c627e08593a91e

criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.

People were using this syntax so this adds back support for
"Match criteria=argument"

bz3739 ok dtucker

OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a

original diff had a couple of errors, which i've fixed

OpenBSD-Commit-ID: f37ad5888adbc0d4e1cd6b6de237841f4b1e650d

OpenBSD-Commit-ID: 3a63e4e11d455704f684c28715d61b17f91e0996

negated Matches; spotted by phessler@ ok deraadt@

OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7

exchange in sshd by default. Specifically, this removes the
diffie-hellman-group* and diffie-hellman-group-exchange-* methods. The client
is unchanged and continues to support these methods by default.

Finite field Diffie Hellman is slow and computationally expensive for
the same security level as Elliptic Curve DH or PQ key agreement while
offering no redeeming advantages.

ECDH has been specified for the SSH protocol for 15 years and some
form of ECDH has been the default key exchange in OpenSSH for the last
14 years.

ok markus@

OpenBSD-Commit-ID: 4e238ad480a33312667cc10ae0eb6393abaec8da

OpenBSD-Commit-ID: fdd056e7854294834d54632b4282b877cfe4c12e

there has been traffic on a X11 forwarding channel recently.

Should fix X11 forwarding performance problems when this setting is
enabled. Patch from Antonio Larrosa via bz3655

OpenBSD-Commit-ID: 820284a92eb4592fcd3d181a62c1b86b08a4a7ab