aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormnag <mnag@FreeBSD.org>2006-10-01 10:15:00 +0800
committermnag <mnag@FreeBSD.org>2006-10-01 10:15:00 +0800
commit696bf5784930e45ea5e05c256ac4673ca1672da0 (patch)
treef476a39a3894947c30498934cab8778ad3facb1a
parentfa42719cf388f200b9ec1c9df8116a820b677632 (diff)
downloadfreebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.tar.gz
freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.tar.zst
freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.zip
- Update to 4.4p1.
- Disable temporary HPN patch until HPN release new version. - Fix rc.d script path in sshd.8 - Add FreeBSD-${PKGNAME} in SSH_VERSION and SSH_RELEASE like src does. - Sync patches with src. Security: CVE-2006-4924, CVE-2006-5051
-rw-r--r--security/openssh-portable/Makefile41
-rw-r--r--security/openssh-portable/distinfo9
-rw-r--r--security/openssh-portable/files/patch-auth.c24
-rw-r--r--security/openssh-portable/files/patch-auth1.c23
-rw-r--r--security/openssh-portable/files/patch-auth2.c64
-rw-r--r--security/openssh-portable/files/patch-clientloop.c11
-rw-r--r--security/openssh-portable/files/patch-loginrec.c2
-rw-r--r--security/openssh-portable/files/patch-readconf.c11
-rw-r--r--security/openssh-portable/files/patch-regress-test-exec.sh11
-rw-r--r--security/openssh-portable/files/patch-servconf.c41
-rw-r--r--security/openssh-portable/files/patch-session.c388
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c10
-rw-r--r--security/openssh-portable/files/patch-ssh.c26
-rw-r--r--security/openssh-portable/files/patch-ssh_config11
-rw-r--r--security/openssh-portable/files/patch-ssh_config.511
-rw-r--r--security/openssh-portable/files/patch-sshd.833
-rw-r--r--security/openssh-portable/files/patch-sshd.c31
-rw-r--r--security/openssh-portable/files/patch-sshd_config49
-rw-r--r--security/openssh-portable/files/patch-sshd_config.590
-rw-r--r--security/openssh-portable/files/patch-sshpty.c12
-rw-r--r--security/openssh-portable/files/servconf.c.patch17
21 files changed, 467 insertions, 448 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 2c4c8da8a202..81167ca74641 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -6,8 +6,7 @@
#
PORTNAME= openssh
-DISTVERSION= 4.3p2
-PORTREVISION= 1
+DISTVERSION= 4.4p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
@@ -42,8 +41,8 @@ USE_OPENSSL= yes
USE_PERL5_BUILD= yes
GNU_CONFIGURE= yes
CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
-CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \
- --without-zlib-version-check
+CONFIGURE_ARGS= --prefix=${PREFIX} --mandir=${MANPREFIX}/man \
+ --with-md5-passwords --without-zlib-version-check
PRECIOUS= ssh_config sshd_config ssh_host_key ssh_host_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \
ssh_host_dsa_key.pub
@@ -134,6 +133,7 @@ EXTRA_PATCHES+= ${FILESDIR}/scardpin.patch
.endif
.if defined(WITH_HPN)
+IGNORE= option HPN is temporary disabled, waiting patch for new openssh release
PATCH_DIST_STRIP= -p1
PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/
PATCHFILES+= openssh-4.3p2-hpn12.diff.gz
@@ -142,7 +142,7 @@ PATCHFILES+= openssh-4.3p2-hpn12.diff.gz
.if defined(WITH_OVERWRITE_BASE)
WITH_OPENSSL_BASE= yes
BASE_SUFFIX= -overwrite-base
-CONFIGURE_ARGS+= --mandir=${PREFIX}/share/man --localstatedir=/var
+CONFIGURE_ARGS+= --localstatedir=/var
EMPTYDIR= /var/empty
PREFIX= /usr
ETCSSH= /etc/ssh
@@ -168,6 +168,13 @@ PLIST_SUB+= BASE="@comment "
PLIST_SUB+= EMPTYDIR="${EMPTYDIR}"
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
+# Sync this with bsd.port.mk
+.if (${OSVERSION} >= 700007 || ( ${OSVERSION} < 700000 && ${OSVERSION} >= 600101 ))
+RC_SCRIPT_NAME= openssh
+.else
+RC_SCRIPT_NAME= openssh.sh
+.endif
+
post-extract:
.if defined(OPENSSH_SNAPSHOT)
@# rc.d script have same name of openssh snapshot dir
@@ -176,6 +183,21 @@ post-extract:
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
+.if defined(WITH_OVERWRITE_BASE)
+ @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
+ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.else
+ @${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|' \
+ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.endif
+ @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
+ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
+ @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
+ ${WRKSRC}/version.h
+ @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
+ ${WRKSRC}/version.h
+ @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
+ ${WRKSRC}/version.h
pre-install:
.if defined(WITH_OVERWRITE_BASE)
@@ -204,13 +226,8 @@ post-install:
.if defined(WITH_OVERWRITE_BASE)
@${ECHO_CMD} "===> Installing rc.d startup script(s)"
@${ECHO_CMD} "@cwd ${LOCALBASE}" >> ${TMPPLIST}
-.if ${OSVERSION} >= 700007
- @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh
- @${ECHO_CMD} "etc/rc.d/openssh" >> ${TMPPLIST}
-.else
- @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh.sh
- @${ECHO_CMD} "etc/rc.d/openssh.sh" >> ${TMPPLIST}
-.endif
+ @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/${RC_SCRIPT_NAME}
+ @${ECHO_CMD} "etc/rc.d/${RC_SCRIPT_NAME}" >> ${TMPPLIST}
@${ECHO_CMD} "@cwd ${PREFIX}" >> ${TMPPLIST}
.endif
@${CAT} ${PKGMESSAGE}
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index d8fac8339839..58e7e8569bff 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,6 +1,3 @@
-MD5 (openssh-4.3p2.tar.gz) = 7e9880ac20a9b9db0d3fea30a9ff3d46
-SHA256 (openssh-4.3p2.tar.gz) = 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f
-SIZE (openssh-4.3p2.tar.gz) = 941455
-MD5 (openssh-4.3p2-hpn12.diff.gz) = f2fef0ecd2315d940dbb5b9188546400
-SHA256 (openssh-4.3p2-hpn12.diff.gz) = 704ff6ac9737850ac04b77bbb613099c0d557be4a0b28925946a90a76d7d7ac0
-SIZE (openssh-4.3p2-hpn12.diff.gz) = 14891
+MD5 (openssh-4.4p1.tar.gz) = 793a709a8de695c22f523024d7e9bf07
+SHA256 (openssh-4.4p1.tar.gz) = 0252474af4009129cde6a2df2893fb1ac24316436758796f6adc043ac73b35ac
+SIZE (openssh-4.4p1.tar.gz) = 1044334
diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c
index e15f33234d56..fb0b95115016 100644
--- a/security/openssh-portable/files/patch-auth.c
+++ b/security/openssh-portable/files/patch-auth.c
@@ -1,24 +1,6 @@
---- auth.c.orig Thu Aug 12 14:40:25 2004
-+++ auth.c Mon Sep 20 05:04:48 2004
-@@ -208,6 +208,17 @@
- return 0;
- #endif
-
-+#ifdef __FreeBSD__
-+ /* Fail if the account's expiration time has passed. */
-+ if (pw->pw_expire != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_expire)
-+ return 0;
-+ }
-+#endif /* __FreeBSD__ */
-+
- /* We found no reason not to let this user try to log on... */
- return 1;
- }
-@@ -472,7 +483,7 @@
+--- auth.c.orig Wed Sep 6 21:36:43 2006
++++ auth.c Sat Sep 30 10:38:04 2006
+@@ -500,7 +501,7 @@
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c
index c574eee773db..06657e5cb608 100644
--- a/security/openssh-portable/files/patch-auth1.c
+++ b/security/openssh-portable/files/patch-auth1.c
@@ -1,30 +1,28 @@
---- auth1.c.orig Sun Jul 17 04:26:44 2005
-+++ auth1.c Thu Sep 1 11:23:35 2005
-@@ -26,6 +26,7 @@
- #include "uidswap.h"
+--- auth1.c.orig Fri Sep 1 02:38:36 2006
++++ auth1.c Sat Sep 30 18:47:57 2006
+@@ -39,6 +39,7 @@
+ #endif
#include "monitor_wrap.h"
#include "buffer.h"
+#include "canohost.h"
/* import */
extern ServerOptions options;
-@@ -220,6 +221,15 @@
+@@ -238,6 +239,13 @@
char info[1024];
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
++#endif
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
-@@ -270,6 +280,33 @@
+@@ -288,6 +296,26 @@
"type %d", type);
goto skip;
}
@@ -48,13 +46,6 @@
+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+ if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+#endif /* LOGIN_ACCESS */
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 37e596c15939..3a9e7a274684 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -1,67 +1,51 @@
---- auth2.c.orig Tue Feb 8 11:52:48 2005
-+++ auth2.c Sat Mar 19 20:50:32 2005
-@@ -36,6 +36,7 @@
+--- auth2.c.orig Fri Aug 4 23:39:39 2006
++++ auth2.c Sat Sep 30 10:38:04 2006
+@@ -44,6 +45,7 @@
+ #include "dispatch.h"
#include "pathnames.h"
- #include "monitor_wrap.h"
#include "buffer.h"
+#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
-@@ -136,6 +137,15 @@
+@@ -147,6 +149,13 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
++#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -183,6 +193,41 @@
+@@ -190,6 +199,27 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
++ if (authctxt->pw != NULL) {
++ lc = login_getpwclass(authctxt->pw);
++ if (lc == NULL)
++ lc = login_getclassbyname(NULL, authctxt->pw);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ logit("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ authctxt->pw->pw_name, from_host);
++ packet_disconnect("Logins not available right now.");
++ }
++ login_close(lc);
++ lc = NULL;
++ }
+#endif /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+ if (authctxt->pw != NULL &&
-+ !login_access(authctxt->pw->pw_name, from_host)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+#endif /* LOGIN_ACCESS */
-+#ifdef BSD_AUTH
-+ if (authctxt->as) {
-+ auth_close(authctxt->as);
-+ authctxt->as = NULL;
-+ }
-+#endif
+
/* reset state */
auth2_challenge_stop(authctxt);
diff --git a/security/openssh-portable/files/patch-clientloop.c b/security/openssh-portable/files/patch-clientloop.c
deleted file mode 100644
index 78fba1757228..000000000000
--- a/security/openssh-portable/files/patch-clientloop.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- clientloop.c.orig Fri Aug 13 13:18:01 2004
-+++ clientloop.c Mon Sep 20 05:04:48 2004
-@@ -1581,7 +1581,7 @@
-
- if (strcmp(ctype, "forwarded-tcpip") == 0) {
- c = client_request_forwarded_tcpip(ctype, rchan);
-- } else if (strcmp(ctype, "x11") == 0) {
-+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
- c = client_request_x11(ctype, rchan);
- } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
- c = client_request_agent(ctype, rchan);
diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c
index 18e427f111a5..01a953a298dd 100644
--- a/security/openssh-portable/files/patch-loginrec.c
+++ b/security/openssh-portable/files/patch-loginrec.c
@@ -14,7 +14,7 @@
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
-+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000
++# if defined(__FreeBSD__) && __FreeBSD_version < 400000
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
+# else
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
new file mode 100644
index 000000000000..92e8a3ddb70c
--- /dev/null
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -0,0 +1,11 @@
+--- readconf.c.orig Fri Sep 1 02:38:37 2006
++++ readconf.c Sat Sep 30 10:38:05 2006
+@@ -1112,7 +1122,7 @@
+ if (options->batch_mode == -1)
+ options->batch_mode = 0;
+ if (options->check_host_ip == -1)
+- options->check_host_ip = 1;
++ options->check_host_ip = 0;
+ if (options->strict_host_key_checking == -1)
+ options->strict_host_key_checking = 2; /* 2 is default */
+ if (options->compression == -1)
diff --git a/security/openssh-portable/files/patch-regress-test-exec.sh b/security/openssh-portable/files/patch-regress-test-exec.sh
deleted file mode 100644
index 5fbf834f3c0c..000000000000
--- a/security/openssh-portable/files/patch-regress-test-exec.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- regress/test-exec.sh.orig Fri Jun 25 05:46:09 2004
-+++ regress/test-exec.sh Tue Aug 17 05:27:49 2004
-@@ -178,6 +178,8 @@
- AcceptEnv _XXX_TEST_*
- AcceptEnv _XXX_TEST
- Subsystem sftp $SFTPSERVER
-+ PermitRootLogin yes
-+ UsePrivilegeSeparation no
- EOF
-
- if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
new file mode 100644
index 000000000000..da3d241695da
--- /dev/null
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -0,0 +1,41 @@
+--- servconf.c.orig Fri Aug 18 11:23:15 2006
++++ servconf.c Sat Sep 30 21:54:26 2006
+@@ -129,7 +129,7 @@
+ {
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+- options->use_pam = 0;
++ options->use_pam = 1;
+
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+@@ -159,7 +159,7 @@
+ if (options->key_regeneration_time == -1)
+ options->key_regeneration_time = 3600;
+ if (options->permit_root_login == PERMIT_NOT_SET)
+- options->permit_root_login = PERMIT_YES;
++ options->permit_root_login = PERMIT_NO;
+ if (options->ignore_rhosts == -1)
+ options->ignore_rhosts = 1;
+ if (options->ignore_user_known_hosts == -1)
+@@ -169,7 +169,7 @@
+ if (options->print_lastlog == -1)
+ options->print_lastlog = 1;
+ if (options->x11_forwarding == -1)
+- options->x11_forwarding = 0;
++ options->x11_forwarding = 1;
+ if (options->x11_display_offset == -1)
+ options->x11_display_offset = 10;
+ if (options->x11_use_localhost == -1)
+@@ -207,7 +207,11 @@
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
+ if (options->password_authentication == -1)
++#ifdef USE_PAM
++ options->password_authentication = 0;
++#else
+ options->password_authentication = 1;
++#endif
+ if (options->kbd_interactive_authentication == -1)
+ options->kbd_interactive_authentication = 0;
+ if (options->challenge_response_authentication == -1)
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 170bc8911d39..56ea323b488f 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,344 +1,164 @@
---- session.c.orig Sun Mar 6 12:38:52 2005
-+++ session.c Sat Mar 19 21:45:32 2005
-@@ -66,6 +66,11 @@
- #include "ssh-gss.h"
- #endif
-
-+#ifdef __FreeBSD__
-+#include <syslog.h>
-+#define _PATH_CHPASS "/usr/bin/passwd"
-+#endif /* __FreeBSD__ */
-+
- /* func */
-
- Session *session_new(void);
-@@ -414,6 +419,13 @@
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
- /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
-+ /*
- * Create a new session and process group since the 4.4BSD
- * setlogin() affects the entire process group.
- */
-@@ -550,6 +562,14 @@
-
- /* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+
-+ /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
- /* Close the master side of the pseudo tty. */
- close(ptyfd);
-
-@@ -700,6 +720,18 @@
- struct sockaddr_storage from;
- struct passwd * pw = s->pw;
- pid_t pid = getpid();
+--- session.c.orig Fri Sep 1 02:38:37 2006
++++ session.c Sat Sep 30 19:32:06 2006
+@@ -776,6 +776,24 @@
+ {
+ FILE *f;
+ char buf[256];
+#ifdef HAVE_LOGIN_CAP
-+ FILE *f;
-+ char buf[256];
+ const char *fname;
-+ const char *shorttty;
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef __FreeBSD__
-+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-+ char *newcommand = NULL;
-+ struct timeval tv;
-+ time_t warntime = DEFAULT_WARN;
-+#endif /* __FreeBSD__ */
-
- /*
- * Get IP address of client. If the connection is not a socket, let
-@@ -735,12 +767,101 @@
- }
- #endif
-
-+#ifdef __FreeBSD__
-+ if (pw->pw_change || pw->pw_expire)
-+ (void)gettimeofday(&tv, NULL);
-+#ifdef HAVE_LOGIN_CAP
-+ warntime = login_getcaptime(lc, "warnpassword",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+#endif /* HAVE_LOGIN_CAP */
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ logit("%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (newcommand != NULL)
-+ xfree(newcommand);
-+ newcommand = xstrdup(_PATH_CHPASS);
-+ } else if (pw->pw_change - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your password expires on %s",
-+ ctime(&pw->pw_change));
-+ }
-+
-+#ifndef USE_PAM
-+ if (pw->pw_expire) {
-+ if (tv.tv_sec >= pw->pw_expire) {
-+ (void)printf(
-+ "Sorry -- your account has expired.\n");
-+ logit(
-+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.use_dns), s->tty);
-+ exit(254);
-+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your account expires on %s",
-+ ctime(&pw->pw_expire));
-+ }
-+#endif /* !USE_PAM */
-+#endif /* __FreeBSD__ */
-+
-+#ifdef HAVE_LOGIN_CAP
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ if (!auth_ttyok(lc, shorttty)) {
-+ (void)printf("Permission denied.\n");
-+ logit(
-+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.use_dns), s->tty);
-+ exit(254);
-+ }
-+#endif /* HAVE_LOGIN_CAP */
++#endif
+
- if (check_quietlogin(s, command))
- return;
-
- display_loginmsg();
-
-- do_motd();
+#ifdef HAVE_LOGIN_CAP
-+ if (command == NULL &&
-+ !options.use_login) {
-+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
-+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
-+ while (fgets(buf, sizeof(buf), f) != NULL)
-+ fputs(buf, stdout);
++ fname = login_getcapstr(lc, "copyright", NULL, NULL);
++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
++ while (fgets(buf, sizeof(buf), f) != NULL)
++ fputs(buf, stdout);
+ fclose(f);
-+ } else
-+ (void)printf("%s\n\t%s %s\n",
-+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
-+ "The Regents of the University of California. ",
-+ "All rights reserved.");
-+ }
++ } else
+#endif /* HAVE_LOGIN_CAP */
++ (void)printf("%s\n\t%s %s\n",
++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++ "The Regents of the University of California. ",
++ "All rights reserved.");
+
-+ /*
-+ * Print /etc/motd unless a command was specified or printing
-+ * it was disabled in server options or login(1) will be
-+ * used. Note that some machines appear to print it in
-+ * /etc/profile or similar.
-+ */
-+ if (command == NULL && !options.use_login)
-+ do_motd();
- }
++ (void)printf("\n");
- /*
-@@ -756,9 +877,9 @@
+ if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
- f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
- "/etc/motd"), "r");
--#else
-+#else /* !HAVE_LOGIN_CAP */
- f = fopen("/etc/motd", "r");
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- if (f) {
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stdout);
-@@ -785,10 +906,10 @@
- #ifdef HAVE_LOGIN_CAP
- if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
- return 1;
--#else
-+#else /* HAVE_LOGIN_CAP */
- if (stat(buf, &st) >= 0)
- return 1;
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- return 0;
- }
-
-@@ -974,7 +1095,14 @@
- {
- char buf[256];
- u_int i, envsize;
-- char **env, *laddr, *path = NULL;
-+ char **env, *laddr;
-+#ifdef HAVE_CYGWIN
-+ char *path = NULL;
-+#endif /* HAVE_CYGWIN */
-+#ifdef HAVE_LOGIN_CAP
+@@ -1004,6 +1022,9 @@
+ struct passwd *pw = s->pw;
+ #ifndef HAVE_LOGIN_CAP
+ char *path = NULL;
++#else
+ extern char **environ;
+ char **senv, **var;
-+#endif /* HAVE_LOGIN_CAP */
- struct passwd *pw = s->pw;
+ #endif
/* Initialize the environment. */
-@@ -982,6 +1110,9 @@
- env = xmalloc(envsize * sizeof(char *));
- env[0] = NULL;
+@@ -1025,6 +1046,9 @@
+ }
+ #endif
-+ /* Moved up to resove confict with gsssapi patches */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- #ifdef HAVE_CYGWIN
- /*
- * The Windows environment contains some setting which are
-@@ -1046,9 +1177,21 @@
-
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
-+#ifdef HAVE_LOGIN_CAP
++
+ #ifdef GSSAPI
+ /* Allow any GSSAPI methods that we've used to alter
+ * the childs environment as they see fit
+@@ -1044,11 +1068,22 @@
+ child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+ #endif
+ child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++ snprintf(buf, sizeof buf, "%.200s/%.50s",
++ _PATH_MAILDIR, pw->pw_name);
++ child_set_env(&env, &envsize, "MAIL", buf);
+ #ifdef HAVE_LOGIN_CAP
+- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+- else
+- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++ child_set_env(&env, &envsize, "TERM", "su");
+ senv = environ;
+ environ = xmalloc(sizeof(char *));
+ *environ = NULL;
-+ if (setusercontext(lc, pw, pw->pw_uid,
-+ LOGIN_SETENV|LOGIN_SETPATH) < 0) {
-+ perror("unable to set user context enviroment");
-+ }
++ (void) setusercontext(lc, pw, pw->pw_uid,
++ LOGIN_SETENV|LOGIN_SETPATH);
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
+ xfree(*var);
+ xfree(environ);
+ environ = senv;
-+#endif /* HAVE_LOGIN_CAP */
+ #else /* HAVE_LOGIN_CAP */
+ # ifndef HAVE_CYGWIN
+ /*
+@@ -1069,15 +1104,9 @@
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+
+- snprintf(buf, sizeof buf, "%.200s/%.50s",
+- _PATH_MAILDIR, pw->pw_name);
+- child_set_env(&env, &envsize, "MAIL", buf);
+-
+ /* Normal systems set SHELL by default. */
+ child_set_env(&env, &envsize, "SHELL", shell);
}
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -1258,6 +1401,12 @@
+@@ -1287,6 +1316,10 @@
void
do_setusercontext(struct passwd *pw)
{
-+
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
-+
#ifndef HAVE_CYGWIN
if (getuid() == 0 || geteuid() == 0)
#endif /* HAVE_CYGWIN */
-@@ -1285,10 +1434,30 @@
+@@ -1314,10 +1347,31 @@
}
# endif /* USE_PAM */
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
perror("unable to set user context");
exit(1);
}
+#ifdef CHROOT
-+ user_dir = xstrdup(pw->pw_dir);
-+ new_root = user_dir + 1;
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
+
-+ while((new_root = strchr(new_root, '.')) != NULL) {
-+ new_root--;
-+ if(strncmp(new_root, "/./", 3) == 0) {
-+ *new_root = '\0';
-+ new_root += 2;
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
+
-+ if(chroot(user_dir) != 0)
-+ fatal("Couldn't chroot to user directory %s", user_dir);
-+ pw->pw_dir = new_root;
-+ break;
-+ }
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory %s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
+
-+ new_root += 2;
-+ }
++ new_root += 2;
++ }
+#endif /* CHROOT */
-+ permanently_set_uid(pw);
++ /* Permanently switch to the desired uid. */
++ permanently_set_uid(pw);
#else
# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
/* Sets login uid for accounting */
-@@ -1322,7 +1491,16 @@
- * Reestablish them here.
- */
- if (options.use_pam) {
-- do_pam_session();
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ do_pam_session(s->pw->pw_name, shorttty);
- do_pam_setcred(0);
- }
- # endif /* USE_PAM */
-@@ -1417,7 +1595,7 @@
- * initgroups, because at least on Solaris 2.3 it leaves file
- * descriptors open.
+@@ -1472,6 +1526,9 @@
+ char *argv[10];
+ const char *shell, *shell0, *hostname = NULL;
+ struct passwd *pw = s->pw;
++#ifdef HAVE_LOGIN_CAP
++ int lc_requirehome;
++#endif
+
+ /* remove hostkey from the child's memory */
+ destroy_sensitive_data();
+@@ -1559,6 +1616,10 @@
*/
-- for (i = 3; i < 64; i++)
-+ for (i = 3; i < getdtablesize(); i++)
- close(i);
- }
+ environ = env;
-@@ -1553,6 +1731,31 @@
++#ifdef HAVE_LOGIN_CAP
++ lc_requirehome = login_getcapbool(lc, "requirehome", 0);
++ login_close(lc);
++#endif
+ #if defined(KRB5) && defined(USE_AFS)
+ /*
+ * At this point, we check to see if AFS is active and if we have
+@@ -1590,7 +1651,7 @@
+ fprintf(stderr, "Could not chdir to home directory %s: %s\n",
+ pw->pw_dir, strerror(errno));
+ #ifdef HAVE_LOGIN_CAP
+- if (login_getcapbool(lc, "requirehome", 0))
++ if (lc_requirehome)
exit(1);
#endif
}
-+
-+#ifdef __FreeBSD__
-+ if (!options.use_login) {
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ syslog(LOG_INFO,
-+ "%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (system("/usr/bin/passwd") != 0) {
-+ perror("/usr/bin/passwd");
-+ exit(1);
-+ }
-+ }
-+ }
-+ }
-+#endif /* __FreeBSD__ */
-
- if (!options.use_login)
- do_rc_files(s, shell);
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
new file mode 100644
index 000000000000..a9f760bb3dc1
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -0,0 +1,10 @@
+--- ssh-agent.c.orig Fri Sep 1 02:38:37 2006
++++ ssh-agent.c Sat Sep 30 18:30:32 2006
+@@ -1036,6 +1036,7 @@
+ /* drop */
+ setegid(getgid());
+ setgid(getgid());
++ setuid(geteuid());
+
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c
new file mode 100644
index 000000000000..ba7ddd3b6aa0
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh.c
@@ -0,0 +1,26 @@
+--- ssh.c.orig Sat Sep 2 02:32:40 2006
++++ ssh.c Sat Sep 30 10:38:05 2006
+@@ -639,6 +640,23 @@
+
+ if (options.hostname != NULL)
+ host = options.hostname;
++
++ /* Find canonic host name. */
++ if (strchr(host, '.') == 0) {
++ struct addrinfo hints;
++ struct addrinfo *ai = NULL;
++ int errgai;
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = options.address_family;
++ hints.ai_flags = AI_CANONNAME;
++ hints.ai_socktype = SOCK_STREAM;
++ errgai = getaddrinfo(host, NULL, &hints, &ai);
++ if (errgai == 0) {
++ if (ai->ai_canonname != NULL)
++ host = xstrdup(ai->ai_canonname);
++ freeaddrinfo(ai);
++ }
++ }
+
+ /* force lowercase for hostkey matching */
+ if (options.host_key_alias != NULL) {
diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config
new file mode 100644
index 000000000000..a5fd64b5b081
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh_config
@@ -0,0 +1,11 @@
+--- ssh_config.orig Tue Jun 13 00:01:10 2006
++++ ssh_config Sat Sep 30 10:39:07 2006
+@@ -27,7 +28,7 @@
+ # GSSAPIAuthentication no
+ # GSSAPIDelegateCredentials no
+ # BatchMode no
+-# CheckHostIP yes
++# CheckHostIP no
+ # AddressFamily any
+ # ConnectTimeout 0
+ # StrictHostKeyChecking ask
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
new file mode 100644
index 000000000000..98a6ec25f6bf
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh_config.5
@@ -0,0 +1,11 @@
+--- ssh_config.5.orig Fri Aug 4 22:34:51 2006
++++ ssh_config.5 Sat Sep 30 10:39:07 2006
+@@ -165,7 +166,7 @@
+ .Dq no ,
+ the check will not be executed.
+ The default is
+-.Dq yes .
++.Dq no .
+ .It Cm Cipher
+ Specifies the cipher to use for encrypting the session
+ in protocol version 1.
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
new file mode 100644
index 000000000000..b9854e39c405
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -0,0 +1,33 @@
+--- sshd.8.orig Tue Aug 29 22:07:01 2006
++++ sshd.8 Sat Sep 30 20:05:16 2006
+@@ -65,7 +65,7 @@
+ .Nm
+ listens for connections from clients.
+ It is normally started at boot from
+-.Pa /etc/rc .
++.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% .
+ It forks a new
+ daemon for each incoming connection.
+ The forked daemons handle
+@@ -342,8 +342,9 @@
+ If the login is on a tty, records login time.
+ .It
+ Checks
+-.Pa /etc/nologin ;
+-if it exists, prints contents and quits
++.Pa /etc/nologin and
++.Pa /var/run/nologin ;
++if one exists, it prints the contents and quits
+ (unless root).
+ .It
+ Changes to run with normal user privileges.
+@@ -365,7 +366,8 @@
+ exists, runs it; else if
+ .Pa /etc/ssh/sshrc
+ exists, runs
+-it; otherwise runs xauth.
++it; otherwise runs
++.Xr xauth 1 .
+ The
+ .Dq rc
+ files are given the X11
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 09665a42d7bd..392cd2082571 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -1,20 +1,23 @@
---- sshd.c.orig Wed Jun 26 01:24:19 2002
-+++ sshd.c Thu Jul 25 06:32:37 2002
-@@ -53,6 +53,10 @@
+--- sshd.c.patch Sun Sep 17 01:04:46 2006
++++ sshd.c Sat Sep 30 10:38:05 2006
+@@ -80,6 +81,13 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
++#ifdef GSSAPI
++#include <gssapi.h>
++#endif
+#endif
+
+ #include "xmalloc.h"
#include "ssh.h"
#include "ssh1.h"
- #include "ssh2.h"
-@@ -1409,6 +1413,17 @@
- setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- sizeof(on)) < 0)
- error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+@@ -1697,6 +1705,29 @@
+ signal(SIGQUIT, SIG_DFL);
+ signal(SIGCHLD, SIG_DFL);
+ signal(SIGINT, SIG_DFL);
+
+#ifdef __FreeBSD__
+ /*
@@ -25,6 +28,18 @@
+ debug("res_init()");
+ res_init();
+ }
++#ifdef GSSAPI
++ /*
++ * Force GSS-API to parse its configuration and load any
++ * mechanism plugins.
++ */
++ {
++ gss_OID_set mechs;
++ OM_uint32 minor_status;
++ gss_indicate_mechs(&minor_status, &mechs);
++ gss_release_oid_set(&minor_status, &mechs);
++ }
++#endif
+#endif
/*
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 0d7486dcb83b..91729f01e928 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,18 +1,49 @@
---- sshd_config.orig Mon May 24 02:36:24 2004
-+++ sshd_config Mon Sep 20 05:04:48 2004
-@@ -34,6 +34,7 @@
+--- sshd_config.orig Mon Jul 24 01:06:47 2006
++++ sshd_config Sat Sep 30 21:52:31 2006
+@@ -34,7 +34,7 @@
+ # Authentication:
#LoginGraceTime 2m
- #PermitRootLogin yes
-+PermitRootLogin no
+-#PermitRootLogin yes
++#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
-@@ -57,6 +58,7 @@
+@@ -52,11 +52,11 @@
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
- # Change to no to disable s/key passwords
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++# Change to yes to enable built-in password authentication.
++#PasswordAuthentication no
+ #PermitEmptyPasswords no
+
+-# Change to no to disable s/key passwords
++# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
# Kerberos options
- #KerberosAuthentication no
+@@ -69,7 +69,7 @@
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+
+-# Set this to 'yes' to enable PAM authentication, account processing,
++# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+ # be allowed through the ChallengeResponseAuthentication and
+ # PasswordAuthentication. Depending on your PAM configuration,
+@@ -78,11 +78,11 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++#UsePAM yes
+
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
++#X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
new file mode 100644
index 000000000000..6ccd1c7f2d53
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -0,0 +1,90 @@
+--- sshd_config.5.orig Tue Aug 29 22:06:34 2006
++++ sshd_config.5 Sat Sep 30 10:39:07 2006
+@@ -169,9 +170,16 @@
+ By default, no banner is displayed.
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed.
+-All authentication styles from
+-.Xr login.conf 5
+-are supported.
++Specifically, in
++.Fx ,
++this controls the use of PAM (see
++.Xr pam 3 )
++for authentication.
++Note that this affects the effectiveness of the
++.Cm PasswordAuthentication
++and
++.Cm PermitRootLogin
++variables.
+ The default is
+ .Dq yes .
+ .It Cm Ciphers
+@@ -554,7 +560,22 @@
+ .It Cm PasswordAuthentication
+ Specifies whether password authentication is allowed.
+ The default is
++.Dq no ,
++unless
++.Nm sshd
++was built without PAM support, in which case the default is
+ .Dq yes .
++Note that if
++.Cm ChallengeResponseAuthentication
++is
++.Dq yes ,
++and the PAM authentication policy for
++.Nm sshd
++includes
++.Xr pam_unix 8 ,
++password authentication will be allowed through the challenge-response
++mechanism regardless of the value of
++.Cm PasswordAuthentication .
+ .It Cm PermitEmptyPasswords
+ When password authentication is allowed, it specifies whether the
+ server allows login to accounts with empty password strings.
+@@ -597,7 +618,14 @@
+ or
+ .Dq no .
+ The default is
+-.Dq yes .
++.Dq no .
++Note that if
++.Cm ChallengeResponseAuthentication
++is
++.Dq yes ,
++the root user may be allowed in with its password even if
++.Cm PermitRootLogin is set to
++.Dq without-password .
+ .Pp
+ If this option is set to
+ .Dq without-password ,
+@@ -704,7 +732,9 @@
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm RhostsRSAAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
++Specifies whether rhosts or
++.Pa /etc/hosts.equiv
++authentication together
+ with successful RSA host authentication is allowed.
+ The default is
+ .Dq no .
+@@ -814,7 +844,7 @@
+ .Xr sshd 8
+ as a non-root user.
+ The default is
+-.Dq no .
++.Dq yes .
+ .It Cm UsePrivilegeSeparation
+ Specifies whether
+ .Xr sshd 8
+@@ -839,7 +874,7 @@
+ or
+ .Dq no .
+ The default is
+-.Dq no .
++.Dq yes .
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the
diff --git a/security/openssh-portable/files/patch-sshpty.c b/security/openssh-portable/files/patch-sshpty.c
deleted file mode 100644
index d8cd703dcec7..000000000000
--- a/security/openssh-portable/files/patch-sshpty.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- sshpty.c.orig Wed Jan 21 07:07:17 2004
-+++ sshpty.c Wed Feb 25 11:58:54 2004
-@@ -17,6 +17,9 @@
- #ifdef HAVE_UTIL_H
- # include <util.h>
- #endif /* HAVE_UTIL_H */
-+#ifdef HAVE_LIBUTIL_H
-+#include <libutil.h>
-+#endif
-
- #include "sshpty.h"
- #include "log.h"
diff --git a/security/openssh-portable/files/servconf.c.patch b/security/openssh-portable/files/servconf.c.patch
deleted file mode 100644
index dde0a6947e60..000000000000
--- a/security/openssh-portable/files/servconf.c.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- servconf.c.orig Sat Mar 23 11:02:41 2002
-+++ servconf.c Sat Mar 23 11:07:39 2002
-@@ -17,12 +17,12 @@
- #endif
- #if defined(KRB5)
- #ifdef HEIMDAL
--#include <krb.h>
-+#include <krb5.h>
- #else
- /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
--#define KEYFILE "/etc/krb5.keytab"
- #endif
-+#define KEYFILE "/etc/krb5.keytab"
- #endif
- #ifdef AFS
- #include <kafs.h>