K 10
svn:author
V 6
emaste
K 8
svn:date
V 27
2023-07-21T16:37:02.240020Z
K 7
svn:log
V 730
ssh: disallow loading PKCS#11 modules by default

This is the rest of the OpenSSH 9.3p2 change to address CVE-2023-38408.
From the release notes:

 * ssh-agent(8): the agent will now refuse requests to load PKCS#11
   modules issued by remote clients by default. A flag has been added
   to restore the previous behaviour "-Oallow-remote-pkcs11".

   Note that ssh-agent(8) depends on the SSH client to identify
   requests that are remote. The OpenSSH >=8.9 ssh(1) client does
   this, but forwarding access to an agent socket using other tools
   may circumvent this restriction.

Security: CVE-2023-38408
Sponsored by: The FreeBSD Foundation

Git Hash: 56749f05dbfdb003aeb5639ef5f9b8af8f5e65ba
Git Author: emaste@FreeBSD.org
END