authormnag <mnag@FreeBSD.org>2006-10-01 10:15:00 +0800
committermnag <mnag@FreeBSD.org>2006-10-01 10:15:00 +0800
commit696bf5784930e45ea5e05c256ac4673ca1672da0 (patch)
treef476a39a3894947c30498934cab8778ad3facb1a /security
parentfa42719cf388f200b9ec1c9df8116a820b677632 (diff)
downloadfreebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.tar.gz
freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.tar.zst
freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.zip
- Update to 4.4p1.
- Temporarily disable the HPN patch until HPN releases a version for the new OpenSSH. - Fix rc.d script path in sshd.8 - Add FreeBSD-${PKGNAME} to SSH_VERSION and SSH_RELEASE like src does. - Sync patches with src. Security: CVE-2006-4924, CVE-2006-5051
Diffstat (limited to 'security')
-rw-r--r--security/openssh-portable/Makefile41
-rw-r--r--security/openssh-portable/distinfo9
-rw-r--r--security/openssh-portable/files/patch-auth.c24
-rw-r--r--security/openssh-portable/files/patch-auth1.c23
-rw-r--r--security/openssh-portable/files/patch-auth2.c64
-rw-r--r--security/openssh-portable/files/patch-clientloop.c11
-rw-r--r--security/openssh-portable/files/patch-loginrec.c2
-rw-r--r--security/openssh-portable/files/patch-readconf.c11
-rw-r--r--security/openssh-portable/files/patch-regress-test-exec.sh11
-rw-r--r--security/openssh-portable/files/patch-servconf.c41
-rw-r--r--security/openssh-portable/files/patch-session.c388
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c10
-rw-r--r--security/openssh-portable/files/patch-ssh.c26
-rw-r--r--security/openssh-portable/files/patch-ssh_config11
-rw-r--r--security/openssh-portable/files/patch-ssh_config.511
-rw-r--r--security/openssh-portable/files/patch-sshd.833
-rw-r--r--security/openssh-portable/files/patch-sshd.c31
-rw-r--r--security/openssh-portable/files/patch-sshd_config49
-rw-r--r--security/openssh-portable/files/patch-sshd_config.590
-rw-r--r--security/openssh-portable/files/patch-sshpty.c12
-rw-r--r--security/openssh-portable/files/servconf.c.patch17
21 files changed, 467 insertions, 448 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 2c4c8da8a202..81167ca74641 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -6,8 +6,7 @@
#
PORTNAME= openssh
-DISTVERSION= 4.3p2
-PORTREVISION= 1
+DISTVERSION= 4.4p1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \
@@ -42,8 +41,8 @@ USE_OPENSSL= yes
USE_PERL5_BUILD= yes
GNU_CONFIGURE= yes
CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
-CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \
- --without-zlib-version-check
+CONFIGURE_ARGS= --prefix=${PREFIX} --mandir=${MANPREFIX}/man \
+ --with-md5-passwords --without-zlib-version-check
PRECIOUS= ssh_config sshd_config ssh_host_key ssh_host_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \
ssh_host_dsa_key.pub
@@ -134,6 +133,7 @@ EXTRA_PATCHES+= ${FILESDIR}/scardpin.patch
.endif
.if defined(WITH_HPN)
+IGNORE= option HPN is temporary disabled, waiting patch for new openssh release
PATCH_DIST_STRIP= -p1
PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/
PATCHFILES+= openssh-4.3p2-hpn12.diff.gz
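Review bot: The new `IGNORE` line leaves `PATCH_SITES` and `PATCHFILES` still pointing at `openssh-4.3p2-hpn12.diff.gz`, whose MD5/SHA256/SIZE entries this same commit removes from distinfo, so the option is left inconsistent rather than merely disabled. As far as I can tell `IGNORE` stops the build before the fetch stage, so nothing breaks today, but whoever later deletes the `IGNORE` line will fetch a 4.3p2 diff against 4.4p1 sources with no recorded checksum. I would comment out the two `PATCH_*` lines together with the `IGNORE`, or at least leave `# XXX PATCHFILES and distinfo are stale; re-add HPN checksums when re-enabling`. The message itself should read `temporarily disabled`.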
@@ -142,7 +142,7 @@ PATCHFILES+= openssh-4.3p2-hpn12.diff.gz
.if defined(WITH_OVERWRITE_BASE)
WITH_OPENSSL_BASE= yes
BASE_SUFFIX= -overwrite-base
-CONFIGURE_ARGS+= --mandir=${PREFIX}/share/man --localstatedir=/var
+CONFIGURE_ARGS+= --localstatedir=/var
EMPTYDIR= /var/empty
PREFIX= /usr
ETCSSH= /etc/ssh
@@ -168,6 +168,13 @@ PLIST_SUB+= BASE="@comment "
PLIST_SUB+= EMPTYDIR="${EMPTYDIR}"
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
+# Sync this with bsd.port.mk
+.if (${OSVERSION} >= 700007 || ( ${OSVERSION} < 700000 && ${OSVERSION} >= 600101 ))
+RC_SCRIPT_NAME= openssh
+.else
+RC_SCRIPT_NAME= openssh.sh
+.endif
+
post-extract:
.if defined(OPENSSH_SNAPSHOT)
@# rc.d script have same name of openssh snapshot dir
@@ -176,6 +183,21 @@ post-extract:
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
+.if defined(WITH_OVERWRITE_BASE)
+ @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
+ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.else
+ @${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|' \
+ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
+.endif
+ @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
+ -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
+ @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
+ ${WRKSRC}/version.h
+ @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
+ ${WRKSRC}/version.h
+ @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
+ ${WRKSRC}/version.h
pre-install:
.if defined(WITH_OVERWRITE_BASE)
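Review bot: The `version.h` rewrite on the new lines is unanchored: `s|SSH_VERSION|TMP_SSH_VERSION|` renames the first `SSH_VERSION` on every line and `s|.*SSH_RELEASE.*||` blanks any line that mentions `SSH_RELEASE`, so a future upstream `version.h` with a differently shaped header would be mangled silently and the appended defines would refer to a `TMP_SSH_VERSION` that no longer exists. Anchoring to the define, `s|^#define SSH_VERSION|#define TMP_SSH_VERSION|` and `s|^#define SSH_RELEASE.*||`, gives the same result on 4.4p1 and fails loudly at compile time otherwise. A one-line comment should also record that `FREEBSD_PORT_VERSION` — which via `${PKGNAME}` carries `PORTREVISION` and `PORTEPOCH` — ends up in the identification string sshd presents to every unauthenticated client, as far as I can tell; that is deliberate (it mirrors base) but it is an information-disclosure trade-off worth stating next to the code.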
@@ -204,13 +226,8 @@ post-install:
.if defined(WITH_OVERWRITE_BASE)
@${ECHO_CMD} "===> Installing rc.d startup script(s)"
@${ECHO_CMD} "@cwd ${LOCALBASE}" >> ${TMPPLIST}
-.if ${OSVERSION} >= 700007
- @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh
- @${ECHO_CMD} "etc/rc.d/openssh" >> ${TMPPLIST}
-.else
- @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh.sh
- @${ECHO_CMD} "etc/rc.d/openssh.sh" >> ${TMPPLIST}
-.endif
+ @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/${RC_SCRIPT_NAME}
+ @${ECHO_CMD} "etc/rc.d/${RC_SCRIPT_NAME}" >> ${TMPPLIST}
@${ECHO_CMD} "@cwd ${PREFIX}" >> ${TMPPLIST}
.endif
@${CAT} ${PKGMESSAGE}
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index d8fac8339839..58e7e8569bff 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,6 +1,3 @@
-MD5 (openssh-4.3p2.tar.gz) = 7e9880ac20a9b9db0d3fea30a9ff3d46
-SHA256 (openssh-4.3p2.tar.gz) = 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f
-SIZE (openssh-4.3p2.tar.gz) = 941455
-MD5 (openssh-4.3p2-hpn12.diff.gz) = f2fef0ecd2315d940dbb5b9188546400
-SHA256 (openssh-4.3p2-hpn12.diff.gz) = 704ff6ac9737850ac04b77bbb613099c0d557be4a0b28925946a90a76d7d7ac0
-SIZE (openssh-4.3p2-hpn12.diff.gz) = 14891
+MD5 (openssh-4.4p1.tar.gz) = 793a709a8de695c22f523024d7e9bf07
+SHA256 (openssh-4.4p1.tar.gz) = 0252474af4009129cde6a2df2893fb1ac24316436758796f6adc043ac73b35ac
+SIZE (openssh-4.4p1.tar.gz) = 1044334
diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c
index e15f33234d56..fb0b95115016 100644
--- a/security/openssh-portable/files/patch-auth.c
+++ b/security/openssh-portable/files/patch-auth.c
@@ -1,24 +1,6 @@
---- auth.c.orig Thu Aug 12 14:40:25 2004
-+++ auth.c Mon Sep 20 05:04:48 2004
-@@ -208,6 +208,17 @@
- return 0;
- #endif
-
-+#ifdef __FreeBSD__
-+ /* Fail if the account's expiration time has passed. */
-+ if (pw->pw_expire != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_expire)
-+ return 0;
-+ }
-+#endif /* __FreeBSD__ */
-+
- /* We found no reason not to let this user try to log on... */
- return 1;
- }
-@@ -472,7 +483,7 @@
+--- auth.c.orig Wed Sep 6 21:36:43 2006
++++ auth.c Sat Sep 30 10:38:04 2006
+@@ -500,7 +501,7 @@
if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c
index c574eee773db..06657e5cb608 100644
--- a/security/openssh-portable/files/patch-auth1.c
+++ b/security/openssh-portable/files/patch-auth1.c
@@ -1,30 +1,28 @@
---- auth1.c.orig Sun Jul 17 04:26:44 2005
-+++ auth1.c Thu Sep 1 11:23:35 2005
-@@ -26,6 +26,7 @@
- #include "uidswap.h"
+--- auth1.c.orig Fri Sep 1 02:38:36 2006
++++ auth1.c Sat Sep 30 18:47:57 2006
+@@ -39,6 +39,7 @@
+ #endif
#include "monitor_wrap.h"
#include "buffer.h"
+#include "canohost.h"
/* import */
extern ServerOptions options;
-@@ -220,6 +221,15 @@
+@@ -238,6 +239,13 @@
char info[1024];
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
++#endif
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "invalid user ", authctxt->user);
-@@ -270,6 +280,33 @@
+@@ -288,6 +296,26 @@
"type %d", type);
goto skip;
}
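Review bot: The closing `#endif` on the new side lost its trailing comment, while the later `#endif /* HAVE_LOGIN_CAP */` in the same patch keeps one, so the two guards are now styled differently within one file. Since `lc`, `from_host` and `from_ip` all sit under a single `#ifdef HAVE_LOGIN_CAP` now, writing `#endif /* HAVE_LOGIN_CAP */` would make that explicit and match the rest of the patch set. The enclosing function begins and ends outside this hunk.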
@@ -48,13 +46,6 @@
+ lc = NULL;
+ }
+#endif /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+ if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+#endif /* LOGIN_ACCESS */
if (!*(meth->enabled)) {
verbose("%s authentication disabled.", meth->name);
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 37e596c15939..3a9e7a274684 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -1,67 +1,51 @@
---- auth2.c.orig Tue Feb 8 11:52:48 2005
-+++ auth2.c Sat Mar 19 20:50:32 2005
-@@ -36,6 +36,7 @@
+--- auth2.c.orig Fri Aug 4 23:39:39 2006
++++ auth2.c Sat Sep 30 10:38:04 2006
+@@ -44,6 +45,7 @@
+ #include "dispatch.h"
#include "pathnames.h"
- #include "monitor_wrap.h"
#include "buffer.h"
+#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
-@@ -136,6 +137,15 @@
+@@ -147,6 +149,13 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
-+#endif /* HAVE_LOGIN_CAP */
-+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
+ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
-+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
++#endif
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -183,6 +193,41 @@
+@@ -190,6 +199,27 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
+
+#ifdef HAVE_LOGIN_CAP
-+ if (authctxt->pw != NULL) {
-+ lc = login_getpwclass(authctxt->pw);
-+ if (lc == NULL)
-+ lc = login_getclassbyname(NULL, authctxt->pw);
-+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+ if (!auth_timeok(lc, time(NULL))) {
-+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
-+ authctxt->pw->pw_name, from_host);
-+ packet_disconnect("Logins not available right now.");
-+ }
-+ login_close(lc);
-+ lc = NULL;
-+ }
++ if (authctxt->pw != NULL) {
++ lc = login_getpwclass(authctxt->pw);
++ if (lc == NULL)
++ lc = login_getclassbyname(NULL, authctxt->pw);
++ if (!auth_hostok(lc, from_host, from_ip)) {
++ logit("Denied connection for %.200s from %.200s [%.200s].",
++ authctxt->pw->pw_name, from_host, from_ip);
++ packet_disconnect("Sorry, you are not allowed to connect.");
++ }
++ if (!auth_timeok(lc, time(NULL))) {
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ authctxt->pw->pw_name, from_host);
++ packet_disconnect("Logins not available right now.");
++ }
++ login_close(lc);
++ lc = NULL;
++ }
+#endif /* HAVE_LOGIN_CAP */
-+#ifdef LOGIN_ACCESS
-+ if (authctxt->pw != NULL &&
-+ !login_access(authctxt->pw->pw_name, from_host)) {
-+ logit("Denied connection for %.200s from %.200s [%.200s].",
-+ authctxt->pw->pw_name, from_host, from_ip);
-+ packet_disconnect("Sorry, you are not allowed to connect.");
-+ }
-+#endif /* LOGIN_ACCESS */
-+#ifdef BSD_AUTH
-+ if (authctxt->as) {
-+ auth_close(authctxt->as);
-+ authctxt->as = NULL;
-+ }
-+#endif
+
/* reset state */
auth2_challenge_stop(authctxt);
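Review bot: The `auth_hostok`/`auth_timeok` block on the new side runs only when `authctxt->pw != NULL`, i.e. for valid users, and disconnects before any authentication method is tried; a client probing a name that belongs to a login class with host or time restrictions receives an immediate `Sorry, you are not allowed to connect.`, whereas an unknown name proceeds through the normal method exchange, so the two cases are distinguishable by an unauthenticated client. This code pre-dates the commit (it is only re-indented here), so it is not a regression, but a comment at the top of the block should say so: `/* NOTE: disconnecting here lets a remote client tell restricted valid accounts apart from unknown ones. */`. Separately, the removed `LOGIN_ACCESS` branch means sshd itself no longer consults login.access(5); if that is meant to move to PAM (pam_login_access), one line in pkg-message would spare administrators running `UsePAM no` a surprise. `input_userauth_request()` begins and ends outside this hunk.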
diff --git a/security/openssh-portable/files/patch-clientloop.c b/security/openssh-portable/files/patch-clientloop.c
deleted file mode 100644
index 78fba1757228..000000000000
--- a/security/openssh-portable/files/patch-clientloop.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- clientloop.c.orig Fri Aug 13 13:18:01 2004
-+++ clientloop.c Mon Sep 20 05:04:48 2004
-@@ -1581,7 +1581,7 @@
-
- if (strcmp(ctype, "forwarded-tcpip") == 0) {
- c = client_request_forwarded_tcpip(ctype, rchan);
-- } else if (strcmp(ctype, "x11") == 0) {
-+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
- c = client_request_x11(ctype, rchan);
- } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
- c = client_request_agent(ctype, rchan);
diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c
index 18e427f111a5..01a953a298dd 100644
--- a/security/openssh-portable/files/patch-loginrec.c
+++ b/security/openssh-portable/files/patch-loginrec.c
@@ -14,7 +14,7 @@
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
-+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000
++# if defined(__FreeBSD__) && __FreeBSD_version < 400000
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
+# else
diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c
new file mode 100644
index 000000000000..92e8a3ddb70c
--- /dev/null
+++ b/security/openssh-portable/files/patch-readconf.c
@@ -0,0 +1,11 @@
+--- readconf.c.orig Fri Sep 1 02:38:37 2006
++++ readconf.c Sat Sep 30 10:38:05 2006
+@@ -1112,7 +1122,7 @@
+ if (options->batch_mode == -1)
+ options->batch_mode = 0;
+ if (options->check_host_ip == -1)
+- options->check_host_ip = 1;
++ options->check_host_ip = 0;
+ if (options->strict_host_key_checking == -1)
+ options->strict_host_key_checking = 2; /* 2 is default */
+ if (options->compression == -1)
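Review bot: Setting `check_host_ip` to 0 turns off the known_hosts IP cross-check that lets ssh notice when a hostname suddenly resolves to a different address, which is a weaker client-side default than upstream ships. The ssh_config and ssh_config.5 patches are updated to match, but nothing tells a user why the port deviates; a pkg-message line such as `CheckHostIP defaults to no (presumably to match the base system); set CheckHostIP yes in ssh_config to restore the upstream default.` would make the choice visible to people who install the port precisely to get upstream behaviour. This matters slightly more here because patch-ssh.c in the same commit lets the resolver choose the canonical name used for the host-key lookup.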
diff --git a/security/openssh-portable/files/patch-regress-test-exec.sh b/security/openssh-portable/files/patch-regress-test-exec.sh
deleted file mode 100644
index 5fbf834f3c0c..000000000000
--- a/security/openssh-portable/files/patch-regress-test-exec.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- regress/test-exec.sh.orig Fri Jun 25 05:46:09 2004
-+++ regress/test-exec.sh Tue Aug 17 05:27:49 2004
-@@ -178,6 +178,8 @@
- AcceptEnv _XXX_TEST_*
- AcceptEnv _XXX_TEST
- Subsystem sftp $SFTPSERVER
-+ PermitRootLogin yes
-+ UsePrivilegeSeparation no
- EOF
-
- if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
new file mode 100644
index 000000000000..da3d241695da
--- /dev/null
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -0,0 +1,41 @@
+--- servconf.c.orig Fri Aug 18 11:23:15 2006
++++ servconf.c Sat Sep 30 21:54:26 2006
+@@ -129,7 +129,7 @@
+ {
+ /* Portable-specific options */
+ if (options->use_pam == -1)
+- options->use_pam = 0;
++ options->use_pam = 1;
+
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+@@ -159,7 +159,7 @@
+ if (options->key_regeneration_time == -1)
+ options->key_regeneration_time = 3600;
+ if (options->permit_root_login == PERMIT_NOT_SET)
+- options->permit_root_login = PERMIT_YES;
++ options->permit_root_login = PERMIT_NO;
+ if (options->ignore_rhosts == -1)
+ options->ignore_rhosts = 1;
+ if (options->ignore_user_known_hosts == -1)
+@@ -169,7 +169,7 @@
+ if (options->print_lastlog == -1)
+ options->print_lastlog = 1;
+ if (options->x11_forwarding == -1)
+- options->x11_forwarding = 0;
++ options->x11_forwarding = 1;
+ if (options->x11_display_offset == -1)
+ options->x11_display_offset = 10;
+ if (options->x11_use_localhost == -1)
+@@ -207,7 +207,11 @@
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
+ if (options->password_authentication == -1)
++#ifdef USE_PAM
++ options->password_authentication = 0;
++#else
+ options->password_authentication = 1;
++#endif
+ if (options->kbd_interactive_authentication == -1)
+ options->kbd_interactive_authentication = 0;
+ if (options->challenge_response_authentication == -1)
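Review bot: The `PasswordAuthentication` default on the new side is chosen by the compile-time `USE_PAM` macro while `UsePAM` is a runtime option, so a PAM-enabled binary whose administrator sets `UsePAM no` without also setting `PasswordAuthentication yes` ends up with built-in password authentication off and PAM keyboard-interactive unavailable; that fails closed, but it is surprising and should be stated in the sshd_config comment next to `#PasswordAuthentication`. The `x11_forwarding = 1` default also departs from upstream's `no`; enabling it server-wide is mostly a client-trust issue, but the sshd_config patch should say the port changes it. A comment above the `#ifdef USE_PAM` block, `/* Built-in password auth is off when PAM is compiled in; PAM keyboard-interactive is used instead. */`, would help whoever next syncs this with upstream.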
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 170bc8911d39..56ea323b488f 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,344 +1,164 @@
---- session.c.orig Sun Mar 6 12:38:52 2005
-+++ session.c Sat Mar 19 21:45:32 2005
-@@ -66,6 +66,11 @@
- #include "ssh-gss.h"
- #endif
-
-+#ifdef __FreeBSD__
-+#include <syslog.h>
-+#define _PATH_CHPASS "/usr/bin/passwd"
-+#endif /* __FreeBSD__ */
-+
- /* func */
-
- Session *session_new(void);
-@@ -414,6 +419,13 @@
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
- /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
-+ /*
- * Create a new session and process group since the 4.4BSD
- * setlogin() affects the entire process group.
- */
-@@ -550,6 +562,14 @@
-
- /* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-+
-+ /*
-+ * Using login and executing a specific "command" are mutually
-+ * exclusive, so turn off use_login if there's a command.
-+ */
-+ if (command != NULL)
-+ options.use_login = 0;
-+
- /* Close the master side of the pseudo tty. */
- close(ptyfd);
-
-@@ -700,6 +720,18 @@
- struct sockaddr_storage from;
- struct passwd * pw = s->pw;
- pid_t pid = getpid();
+--- session.c.orig Fri Sep 1 02:38:37 2006
++++ session.c Sat Sep 30 19:32:06 2006
+@@ -776,6 +776,24 @@
+ {
+ FILE *f;
+ char buf[256];
+#ifdef HAVE_LOGIN_CAP
-+ FILE *f;
-+ char buf[256];
+ const char *fname;
-+ const char *shorttty;
-+#endif /* HAVE_LOGIN_CAP */
-+#ifdef __FreeBSD__
-+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-+ char *newcommand = NULL;
-+ struct timeval tv;
-+ time_t warntime = DEFAULT_WARN;
-+#endif /* __FreeBSD__ */
-
- /*
- * Get IP address of client. If the connection is not a socket, let
-@@ -735,12 +767,101 @@
- }
- #endif
-
-+#ifdef __FreeBSD__
-+ if (pw->pw_change || pw->pw_expire)
-+ (void)gettimeofday(&tv, NULL);
-+#ifdef HAVE_LOGIN_CAP
-+ warntime = login_getcaptime(lc, "warnpassword",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+#endif /* HAVE_LOGIN_CAP */
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ logit("%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (newcommand != NULL)
-+ xfree(newcommand);
-+ newcommand = xstrdup(_PATH_CHPASS);
-+ } else if (pw->pw_change - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your password expires on %s",
-+ ctime(&pw->pw_change));
-+ }
-+
-+#ifndef USE_PAM
-+ if (pw->pw_expire) {
-+ if (tv.tv_sec >= pw->pw_expire) {
-+ (void)printf(
-+ "Sorry -- your account has expired.\n");
-+ logit(
-+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.use_dns), s->tty);
-+ exit(254);
-+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
-+ !check_quietlogin(s, command))
-+ (void)printf(
-+ "Warning: your account expires on %s",
-+ ctime(&pw->pw_expire));
-+ }
-+#endif /* !USE_PAM */
-+#endif /* __FreeBSD__ */
-+
-+#ifdef HAVE_LOGIN_CAP
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ if (!auth_ttyok(lc, shorttty)) {
-+ (void)printf("Permission denied.\n");
-+ logit(
-+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
-+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.use_dns), s->tty);
-+ exit(254);
-+ }
-+#endif /* HAVE_LOGIN_CAP */
++#endif
+
- if (check_quietlogin(s, command))
- return;
-
- display_loginmsg();
-
-- do_motd();
+#ifdef HAVE_LOGIN_CAP
-+ if (command == NULL &&
-+ !options.use_login) {
-+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
-+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
-+ while (fgets(buf, sizeof(buf), f) != NULL)
-+ fputs(buf, stdout);
++ fname = login_getcapstr(lc, "copyright", NULL, NULL);
++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
++ while (fgets(buf, sizeof(buf), f) != NULL)
++ fputs(buf, stdout);
+ fclose(f);
-+ } else
-+ (void)printf("%s\n\t%s %s\n",
-+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
-+ "The Regents of the University of California. ",
-+ "All rights reserved.");
-+ }
++ } else
+#endif /* HAVE_LOGIN_CAP */
++ (void)printf("%s\n\t%s %s\n",
++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++ "The Regents of the University of California. ",
++ "All rights reserved.");
+
-+ /*
-+ * Print /etc/motd unless a command was specified or printing
-+ * it was disabled in server options or login(1) will be
-+ * used. Note that some machines appear to print it in
-+ * /etc/profile or similar.
-+ */
-+ if (command == NULL && !options.use_login)
-+ do_motd();
- }
++ (void)printf("\n");
- /*
-@@ -756,9 +877,9 @@
+ if (options.print_motd) {
#ifdef HAVE_LOGIN_CAP
- f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
- "/etc/motd"), "r");
--#else
-+#else /* !HAVE_LOGIN_CAP */
- f = fopen("/etc/motd", "r");
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- if (f) {
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stdout);
-@@ -785,10 +906,10 @@
- #ifdef HAVE_LOGIN_CAP
- if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
- return 1;
--#else
-+#else /* HAVE_LOGIN_CAP */
- if (stat(buf, &st) >= 0)
- return 1;
--#endif
-+#endif /* HAVE_LOGIN_CAP */
- return 0;
- }
-
-@@ -974,7 +1095,14 @@
- {
- char buf[256];
- u_int i, envsize;
-- char **env, *laddr, *path = NULL;
-+ char **env, *laddr;
-+#ifdef HAVE_CYGWIN
-+ char *path = NULL;
-+#endif /* HAVE_CYGWIN */
-+#ifdef HAVE_LOGIN_CAP
+@@ -1004,6 +1022,9 @@
+ struct passwd *pw = s->pw;
+ #ifndef HAVE_LOGIN_CAP
+ char *path = NULL;
++#else
+ extern char **environ;
+ char **senv, **var;
-+#endif /* HAVE_LOGIN_CAP */
- struct passwd *pw = s->pw;
+ #endif
/* Initialize the environment. */
-@@ -982,6 +1110,9 @@
- env = xmalloc(envsize * sizeof(char *));
- env[0] = NULL;
+@@ -1025,6 +1046,9 @@
+ }
+ #endif
-+ /* Moved up to resove confict with gsssapi patches */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
- #ifdef HAVE_CYGWIN
- /*
- * The Windows environment contains some setting which are
-@@ -1046,9 +1177,21 @@
-
- /* Normal systems set SHELL by default. */
- child_set_env(&env, &envsize, "SHELL", shell);
-+#ifdef HAVE_LOGIN_CAP
++
+ #ifdef GSSAPI
+ /* Allow any GSSAPI methods that we've used to alter
+ * the childs environment as they see fit
+@@ -1044,11 +1068,22 @@
+ child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
+ #endif
+ child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++ snprintf(buf, sizeof buf, "%.200s/%.50s",
++ _PATH_MAILDIR, pw->pw_name);
++ child_set_env(&env, &envsize, "MAIL", buf);
+ #ifdef HAVE_LOGIN_CAP
+- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
+- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+- else
+- child_set_env(&env, &envsize, "PATH", getenv("PATH"));
++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++ child_set_env(&env, &envsize, "TERM", "su");
+ senv = environ;
+ environ = xmalloc(sizeof(char *));
+ *environ = NULL;
-+ if (setusercontext(lc, pw, pw->pw_uid,
-+ LOGIN_SETENV|LOGIN_SETPATH) < 0) {
-+ perror("unable to set user context enviroment");
-+ }
++ (void) setusercontext(lc, pw, pw->pw_uid,
++ LOGIN_SETENV|LOGIN_SETPATH);
+ copy_environment(environ, &env, &envsize);
+ for (var = environ; *var != NULL; ++var)
+ xfree(*var);
+ xfree(environ);
+ environ = senv;
-+#endif /* HAVE_LOGIN_CAP */
+ #else /* HAVE_LOGIN_CAP */
+ # ifndef HAVE_CYGWIN
+ /*
+@@ -1069,15 +1104,9 @@
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+
+- snprintf(buf, sizeof buf, "%.200s/%.50s",
+- _PATH_MAILDIR, pw->pw_name);
+- child_set_env(&env, &envsize, "MAIL", buf);
+-
+ /* Normal systems set SHELL by default. */
+ child_set_env(&env, &envsize, "SHELL", shell);
}
- if (getenv("TZ"))
- child_set_env(&env, &envsize, "TZ", getenv("TZ"));
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -1258,6 +1401,12 @@
+@@ -1287,6 +1316,10 @@
void
do_setusercontext(struct passwd *pw)
{
-+
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
-+
#ifndef HAVE_CYGWIN
if (getuid() == 0 || geteuid() == 0)
#endif /* HAVE_CYGWIN */
-@@ -1285,10 +1434,30 @@
+@@ -1314,10 +1347,31 @@
}
# endif /* USE_PAM */
if (setusercontext(lc, pw, pw->pw_uid,
- (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
perror("unable to set user context");
exit(1);
}
+#ifdef CHROOT
-+ user_dir = xstrdup(pw->pw_dir);
-+ new_root = user_dir + 1;
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
+
-+ while((new_root = strchr(new_root, '.')) != NULL) {
-+ new_root--;
-+ if(strncmp(new_root, "/./", 3) == 0) {
-+ *new_root = '\0';
-+ new_root += 2;
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
+
-+ if(chroot(user_dir) != 0)
-+ fatal("Couldn't chroot to user directory %s", user_dir);
-+ pw->pw_dir = new_root;
-+ break;
-+ }
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory %s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
+
-+ new_root += 2;
-+ }
++ new_root += 2;
++ }
+#endif /* CHROOT */
-+ permanently_set_uid(pw);
++ /* Permanently switch to the desired uid. */
++ permanently_set_uid(pw);
#else
# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
/* Sets login uid for accounting */
-@@ -1322,7 +1491,16 @@
- * Reestablish them here.
- */
- if (options.use_pam) {
-- do_pam_session();
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ do_pam_session(s->pw->pw_name, shorttty);
- do_pam_setcred(0);
- }
- # endif /* USE_PAM */
-@@ -1417,7 +1595,7 @@
- * initgroups, because at least on Solaris 2.3 it leaves file
- * descriptors open.
+@@ -1472,6 +1526,9 @@
+ char *argv[10];
+ const char *shell, *shell0, *hostname = NULL;
+ struct passwd *pw = s->pw;
++#ifdef HAVE_LOGIN_CAP
++ int lc_requirehome;
++#endif
+
+ /* remove hostkey from the child's memory */
+ destroy_sensitive_data();
+@@ -1559,6 +1616,10 @@
*/
-- for (i = 3; i < 64; i++)
-+ for (i = 3; i < getdtablesize(); i++)
- close(i);
- }
+ environ = env;
-@@ -1553,6 +1731,31 @@
++#ifdef HAVE_LOGIN_CAP
++ lc_requirehome = login_getcapbool(lc, "requirehome", 0);
++ login_close(lc);
++#endif
+ #if defined(KRB5) && defined(USE_AFS)
+ /*
+ * At this point, we check to see if AFS is active and if we have
+@@ -1590,7 +1651,7 @@
+ fprintf(stderr, "Could not chdir to home directory %s: %s\n",
+ pw->pw_dir, strerror(errno));
+ #ifdef HAVE_LOGIN_CAP
+- if (login_getcapbool(lc, "requirehome", 0))
++ if (lc_requirehome)
exit(1);
#endif
}
-+
-+#ifdef __FreeBSD__
-+ if (!options.use_login) {
-+ /*
-+ * If the password change time is set and has passed, give the
-+ * user a password expiry notice and chance to change it.
-+ */
-+ if (pw->pw_change != 0) {
-+ struct timeval tv;
-+
-+ (void)gettimeofday(&tv, NULL);
-+ if (tv.tv_sec >= pw->pw_change) {
-+ (void)printf(
-+ "Sorry -- your password has expired.\n");
-+ syslog(LOG_INFO,
-+ "%s Password expired - forcing change",
-+ pw->pw_name);
-+ if (system("/usr/bin/passwd") != 0) {
-+ perror("/usr/bin/passwd");
-+ exit(1);
-+ }
-+ }
-+ }
-+ }
-+#endif /* __FreeBSD__ */
-
- if (!options.use_login)
- do_rc_files(s, shell);
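Review bot: In the new `do_setusercontext()`, `setusercontext()` is now called with `LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH)`, which still includes `LOGIN_SETUSER`, so the process has already switched to `pw->pw_uid` when the `#ifdef CHROOT` block that follows calls `chroot(user_dir)`; `chroot(2)` requires root on FreeBSD, so with `CHROOT` defined that path can only end in `fatal("Couldn't chroot to user directory ...")`. The old patch excluded `LOGIN_SETUSER` for exactly this reason and dropped privileges afterwards through `permanently_set_uid(pw)`, which the new side still calls, so restoring `(LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))` keeps both the chroot and the privilege drop working — unless `CHROOT` is never defined for this port, which I cannot see from the diff. Separately, `(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH)` in `do_setup_env()` now swallows a failure that used to be reported with `perror`; an `error()` on failure would keep a broken login.conf visible. Both functions extend beyond the visible inner hunks.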
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
new file mode 100644
index 000000000000..a9f760bb3dc1
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -0,0 +1,10 @@
+--- ssh-agent.c.orig Fri Sep 1 02:38:37 2006
++++ ssh-agent.c Sat Sep 30 18:30:32 2006
+@@ -1036,6 +1036,7 @@
+ /* drop */
+ setegid(getgid());
+ setgid(getgid());
++ setuid(geteuid());
+
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
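Review bot: The added `setuid(geteuid())` carries no comment and its return value is not checked, unlike the surrounding `setegid`/`setgid` lines which upstream at least groups under `/* drop */`. I read it as a way of marking the process as having changed credentials so that another process of the same user cannot attach a debugger to the agent — the FreeBSD counterpart of the `PR_SET_DUMPABLE` block that follows — but that intent should be written down: `/* Flag the process as set-id so same-uid processes cannot ptrace it (cf. PR_SET_DUMPABLE below). */`. Note that this is not a privilege drop: should ssh-agent ever be installed set-uid, this line makes the elevated uid the real uid for good, so the comment should also say the binary must stay non-setuid (set-gid at most).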
diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c
new file mode 100644
index 000000000000..ba7ddd3b6aa0
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh.c
@@ -0,0 +1,26 @@
+--- ssh.c.orig Sat Sep 2 02:32:40 2006
++++ ssh.c Sat Sep 30 10:38:05 2006
+@@ -639,6 +640,23 @@
+
+ if (options.hostname != NULL)
+ host = options.hostname;
++
++ /* Find canonic host name. */
++ if (strchr(host, '.') == 0) {
++ struct addrinfo hints;
++ struct addrinfo *ai = NULL;
++ int errgai;
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = options.address_family;
++ hints.ai_flags = AI_CANONNAME;
++ hints.ai_socktype = SOCK_STREAM;
++ errgai = getaddrinfo(host, NULL, &hints, &ai);
++ if (errgai == 0) {
++ if (ai->ai_canonname != NULL)
++ host = xstrdup(ai->ai_canonname);
++ freeaddrinfo(ai);
++ }
++ }
+
+ /* force lowercase for hostkey matching */
+ if (options.host_key_alias != NULL) {
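Review bot: The new canonicalisation replaces the host the user typed with whatever `ai_canonname` the resolver returns whenever the name contains no dot, and that canonical name is what the following code lower-cases and uses for host-key matching, so the choice of which known_hosts entry to check is delegated to DNS, which an attacker on the path can answer. Combined with the `CheckHostIP no` default introduced elsewhere in this commit, this weakens the known_hosts check for short names; if it is kept (it presumably mirrors base) it deserves a comment stating that trade-off, e.g. `/* Canonicalise bare names via DNS; note the known_hosts lookup below then keys on the resolver's answer. */`. Minor points: the previous `host` string is leaked when replaced (it may alias `options.hostname`, so it cannot simply be freed — a comment saying so is enough), and `strchr(host, '.') == 0` reads more naturally as `== NULL`.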
diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config
new file mode 100644
index 000000000000..a5fd64b5b081
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh_config
@@ -0,0 +1,11 @@
+--- ssh_config.orig Tue Jun 13 00:01:10 2006
++++ ssh_config Sat Sep 30 10:39:07 2006
+@@ -27,7 +28,7 @@
+ # GSSAPIAuthentication no
+ # GSSAPIDelegateCredentials no
+ # BatchMode no
+-# CheckHostIP yes
++# CheckHostIP no
+ # AddressFamily any
+ # ConnectTimeout 0
+ # StrictHostKeyChecking ask
diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5
new file mode 100644
index 000000000000..98a6ec25f6bf
--- /dev/null
+++ b/security/openssh-portable/files/patch-ssh_config.5
@@ -0,0 +1,11 @@
+--- ssh_config.5.orig Fri Aug 4 22:34:51 2006
++++ ssh_config.5 Sat Sep 30 10:39:07 2006
+@@ -165,7 +166,7 @@
+ .Dq no ,
+ the check will not be executed.
+ The default is
+-.Dq yes .
++.Dq no .
+ .It Cm Cipher
+ Specifies the cipher to use for encrypting the session
+ in protocol version 1.
diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8
new file mode 100644
index 000000000000..b9854e39c405
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshd.8
@@ -0,0 +1,33 @@
+--- sshd.8.orig Tue Aug 29 22:07:01 2006
++++ sshd.8 Sat Sep 30 20:05:16 2006
+@@ -65,7 +65,7 @@
+ .Nm
+ listens for connections from clients.
+ It is normally started at boot from
+-.Pa /etc/rc .
++.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% .
+ It forks a new
+ daemon for each incoming connection.
+ The forked daemons handle
+@@ -342,8 +342,9 @@
+ If the login is on a tty, records login time.
+ .It
+ Checks
+-.Pa /etc/nologin ;
+-if it exists, prints contents and quits
++.Pa /etc/nologin and
++.Pa /var/run/nologin ;
++if one exists, it prints the contents and quits
+ (unless root).
+ .It
+ Changes to run with normal user privileges.
+@@ -365,7 +366,8 @@
+ exists, runs it; else if
+ .Pa /etc/ssh/sshrc
+ exists, runs
+-it; otherwise runs xauth.
++it; otherwise runs
++.Xr xauth 1 .
+ The
+ .Dq rc
+ files are given the X11
diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c
index 09665a42d7bd..392cd2082571 100644
--- a/security/openssh-portable/files/patch-sshd.c
+++ b/security/openssh-portable/files/patch-sshd.c
@@ -1,20 +1,23 @@
---- sshd.c.orig Wed Jun 26 01:24:19 2002
-+++ sshd.c Thu Jul 25 06:32:37 2002
-@@ -53,6 +53,10 @@
+--- sshd.c.patch Sun Sep 17 01:04:46 2006
++++ sshd.c Sat Sep 30 10:38:05 2006
+@@ -80,6 +81,13 @@
#include <prot.h>
#endif
+#ifdef __FreeBSD__
+#include <resolv.h>
++#ifdef GSSAPI
++#include <gssapi.h>
++#endif
+#endif
+
+ #include "xmalloc.h"
#include "ssh.h"
#include "ssh1.h"
- #include "ssh2.h"
-@@ -1409,6 +1413,17 @@
- setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
- sizeof(on)) < 0)
- error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+@@ -1697,6 +1705,29 @@
+ signal(SIGQUIT, SIG_DFL);
+ signal(SIGCHLD, SIG_DFL);
+ signal(SIGINT, SIG_DFL);
+
+#ifdef __FreeBSD__
+ /*
@@ -25,6 +28,18 @@
+ debug("res_init()");
+ res_init();
+ }
++#ifdef GSSAPI
++ /*
++ * Force GSS-API to parse its configuration and load any
++ * mechanism plugins.
++ */
++ {
++ gss_OID_set mechs;
++ OM_uint32 minor_status;
++ gss_indicate_mechs(&minor_status, &mechs);
++ gss_release_oid_set(&minor_status, &mechs);
++ }
++#endif
+#endif
/*
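Review bot: The major status returned by gss_indicate_mechs() is discarded at `gss_indicate_mechs(&minor_status, &mechs);`, and `mechs` is declared without an initialiser, so if the call fails (no mechanisms configured, a broken plugin) the following `gss_release_oid_set()` is handed an indeterminate pointer in the freshly forked, still privileged child. Initialise the set and release it only on success: `gss_OID_set mechs = GSS_C_NO_OID_SET;` and `if (gss_indicate_mechs(&minor_status, &mechs) == GSS_S_COMPLETE)` guarding the `gss_release_oid_set(&minor_status, &mechs);` call. The comment says the block only exists to pre-load mechanism configuration, so a failure here presumably should not abort the connection; a `debug()` line on the failure path would be enough. The enclosing `#ifdef __FreeBSD__` block begins in the previous hunk and the surrounding function starts outside this diff.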
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 0d7486dcb83b..91729f01e928 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,18 +1,49 @@
---- sshd_config.orig Mon May 24 02:36:24 2004
-+++ sshd_config Mon Sep 20 05:04:48 2004
-@@ -34,6 +34,7 @@
+--- sshd_config.orig Mon Jul 24 01:06:47 2006
++++ sshd_config Sat Sep 30 21:52:31 2006
+@@ -34,7 +34,7 @@
+ # Authentication:
#LoginGraceTime 2m
- #PermitRootLogin yes
-+PermitRootLogin no
+-#PermitRootLogin yes
++#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
-@@ -57,6 +58,7 @@
+@@ -52,11 +52,11 @@
+ # Don't read the user's ~/.rhosts and ~/.shosts files
+ #IgnoreRhosts yes
- # Change to no to disable s/key passwords
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++# Change to yes to enable built-in password authentication.
++#PasswordAuthentication no
+ #PermitEmptyPasswords no
+
+-# Change to no to disable s/key passwords
++# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
# Kerberos options
- #KerberosAuthentication no
+@@ -69,7 +69,7 @@
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
+
+-# Set this to 'yes' to enable PAM authentication, account processing,
++# Set this to 'no' to disable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+ # be allowed through the ChallengeResponseAuthentication and
+ # PasswordAuthentication. Depending on your PAM configuration,
+@@ -78,11 +78,11 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++#UsePAM yes
+
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+-#X11Forwarding no
++#X11Forwarding yes
+ #X11DisplayOffset 10
+ #X11UseLocalhost yes
+ #PrintMotd yes
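Review bot: The active `PermitRootLogin no` and `ChallengeResponseAuthentication no` lines of the old patch are replaced by the commented `#PermitRootLogin no` and `#ChallengeResponseAuthentication yes`, so the shipped sshd_config no longer changes any runtime behaviour on its own; these comments only describe reality if the compiled-in defaults were changed to match, and the patch-servconf.c change listed in the diffstat is not visible in this chunk, so I cannot confirm that. With `#UsePAM yes` and challenge-response left at yes, the new comment `# Change to yes to enable built-in password authentication.` above `#PasswordAuthentication no` understates what happens: PAM can still accept the account password through keyboard-interactive, including for root, exactly as the sshd_config.5 text in this same commit warns. A one-line caveat next to the option would spare operators a false sense of security, e.g. `# NOTE: with UsePAM yes and ChallengeResponseAuthentication yes, PAM may still accept passwords via keyboard-interactive; set both to no to really disable password logins.` The same goes for `#X11Forwarding yes`, which is looser than the upstream `no` shown on the removed line and deserves a short pointer to the exposure note in sshd_config(5).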
diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5
new file mode 100644
index 000000000000..6ccd1c7f2d53
--- /dev/null
+++ b/security/openssh-portable/files/patch-sshd_config.5
@@ -0,0 +1,90 @@
+--- sshd_config.5.orig Tue Aug 29 22:06:34 2006
++++ sshd_config.5 Sat Sep 30 10:39:07 2006
+@@ -169,9 +170,16 @@
+ By default, no banner is displayed.
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed.
+-All authentication styles from
+-.Xr login.conf 5
+-are supported.
++Specifically, in
++.Fx ,
++this controls the use of PAM (see
++.Xr pam 3 )
++for authentication.
++Note that this affects the effectiveness of the
++.Cm PasswordAuthentication
++and
++.Cm PermitRootLogin
++variables.
+ The default is
+ .Dq yes .
+ .It Cm Ciphers
+@@ -554,7 +560,22 @@
+ .It Cm PasswordAuthentication
+ Specifies whether password authentication is allowed.
+ The default is
++.Dq no ,
++unless
++.Nm sshd
++was built without PAM support, in which case the default is
+ .Dq yes .
++Note that if
++.Cm ChallengeResponseAuthentication
++is
++.Dq yes ,
++and the PAM authentication policy for
++.Nm sshd
++includes
++.Xr pam_unix 8 ,
++password authentication will be allowed through the challenge-response
++mechanism regardless of the value of
++.Cm PasswordAuthentication .
+ .It Cm PermitEmptyPasswords
+ When password authentication is allowed, it specifies whether the
+ server allows login to accounts with empty password strings.
+@@ -597,7 +618,14 @@
+ or
+ .Dq no .
+ The default is
+-.Dq yes .
++.Dq no .
++Note that if
++.Cm ChallengeResponseAuthentication
++is
++.Dq yes ,
++the root user may be allowed in with its password even if
++.Cm PermitRootLogin is set to
++.Dq without-password .
+ .Pp
+ If this option is set to
+ .Dq without-password ,
+@@ -704,7 +732,9 @@
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm RhostsRSAAuthentication
+-Specifies whether rhosts or /etc/hosts.equiv authentication together
++Specifies whether rhosts or
++.Pa /etc/hosts.equiv
++authentication together
+ with successful RSA host authentication is allowed.
+ The default is
+ .Dq no .
+@@ -814,7 +844,7 @@
+ .Xr sshd 8
+ as a non-root user.
+ The default is
+-.Dq no .
++.Dq yes .
+ .It Cm UsePrivilegeSeparation
+ Specifies whether
+ .Xr sshd 8
+@@ -839,7 +874,7 @@
+ or
+ .Dq no .
+ The default is
+-.Dq no .
++.Dq yes .
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the
diff --git a/security/openssh-portable/files/patch-sshpty.c b/security/openssh-portable/files/patch-sshpty.c
deleted file mode 100644
index d8cd703dcec7..000000000000
--- a/security/openssh-portable/files/patch-sshpty.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- sshpty.c.orig Wed Jan 21 07:07:17 2004
-+++ sshpty.c Wed Feb 25 11:58:54 2004
-@@ -17,6 +17,9 @@
- #ifdef HAVE_UTIL_H
- # include <util.h>
- #endif /* HAVE_UTIL_H */
-+#ifdef HAVE_LIBUTIL_H
-+#include <libutil.h>
-+#endif
-
- #include "sshpty.h"
- #include "log.h"
diff --git a/security/openssh-portable/files/servconf.c.patch b/security/openssh-portable/files/servconf.c.patch
deleted file mode 100644
index dde0a6947e60..000000000000
--- a/security/openssh-portable/files/servconf.c.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- servconf.c.orig Sat Mar 23 11:02:41 2002
-+++ servconf.c Sat Mar 23 11:07:39 2002
-@@ -17,12 +17,12 @@
- #endif
- #if defined(KRB5)
- #ifdef HEIMDAL
--#include <krb.h>
-+#include <krb5.h>
- #else
- /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
--#define KEYFILE "/etc/krb5.keytab"
- #endif
-+#define KEYFILE "/etc/krb5.keytab"
- #endif
- #ifdef AFS
- #include <kafs.h>