Update to 7.9p1.

- Fixes build on 12, head, and openssl-devel.
- GSSAPI and HPN are currently marked BROKEN as I don't want to block
  the main update for anyone.

  http://www.openssh.com/txt/release-7.8
  http://www.openssh.com/txt/release-7.9

MFH:	2018Q4 (due to being broken on 12+head)

12 files changed, 56 insertions, 210 deletions

diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 1ed65712d5a9..954625614cd6 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.7p1
-PORTREVISION=	6
+DISTVERSION=	7.9p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -26,9 +26,6 @@ CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
 
 ETCOLD=			${PREFIX}/etc
 
-BROKEN_SSL=	openssl111
-BROKEN_SSL_REASON_openssl111=	error: OpenSSL >= 1.1.0 is not yet supported
-
 FLAVORS=			default hpn
 default_CONFLICTS_INSTALL=	openssl-portable-hpn
 hpn_CONFLICTS_INSTALL=		openssh-portable
@@ -70,10 +67,10 @@ HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		11.3.2
+X509_VERSION=		11.5
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES=	${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES=	${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
@@ -98,7 +95,7 @@ EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
-#BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
+BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 # Patch from:
 # https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
@@ -113,7 +110,7 @@ PATCHFILES+=	openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:g
 
 # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
-#BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
+BROKEN=			HPN: Not yet updated for ${DISTVERSION} yet.
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v15
 HPN_DISTVERSION=	7.7p1
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index aa8795c30a97..ccbee479569d 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,7 +1,7 @@
-TIMESTAMP = 1524589531
-SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
-SIZE (openssh-7.7p1.tar.gz) = 1536900
-SHA256 (openssh-7.7p1+x509-11.3.2.diff.gz) = f0549007b2bdb99c41d83e622b6504365a3fa0a5ac22e3d0755c89cb0e29a02f
-SIZE (openssh-7.7p1+x509-11.3.2.diff.gz) = 492142
+TIMESTAMP = 1541877994
+SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
+SIZE (openssh-7.9p1.tar.gz) = 1565384
+SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb
+SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995
 SHA256 (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = c58f10ed5d9550e6e4ac09898a1aa131321e69c4d65a742ab95d357b35576ef4
 SIZE (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = 27251
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
index a036a09c938c..ef921659d14b 100644
--- a/security/openssh-portable/files/extra-patch-hpn-compat
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -31,12 +31,12 @@ r294563 was incomplete; re-add the client-side options as well.
  
  	{ NULL, oBadOption }
  };
---- servconf.c.orig	2017-10-02 12:34:26.000000000 -0700
-+++ servconf.c	2017-10-12 12:20:19.089884000 -0700
-@@ -618,6 +618,10 @@ static struct {
- 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+--- servconf.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ servconf.c	2018-11-10 11:32:09.835817000 -0800
+@@ -645,6 +645,10 @@ static struct {
  	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
  	{ "rdomain", sRDomain, SSHCFG_ALL },
+ 	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
 +	{ "noneenabled", sUnsupported, SSHCFG_ALL },
 +	{ "hpndisabled", sDeprecated, SSHCFG_ALL },
 +	{ "hpnbuffersize", sDeprecated, SSHCFG_ALL },
diff --git a/security/openssh-portable/files/extra-patch-tcpwrappers b/security/openssh-portable/files/extra-patch-tcpwrappers
index ad552ca607d1..a7d9c229b670 100644
--- a/security/openssh-portable/files/extra-patch-tcpwrappers
+++ b/security/openssh-portable/files/extra-patch-tcpwrappers
@@ -85,11 +85,11 @@ index 0ade557..045f149 100644
  	laddr = get_local_ipaddr(sock_in);
 diff --git configure.ac configure.ac
 index f48ba4a..66fbe82 100644
---- configure.ac
-+++ configure.ac
-@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey],
- 	]
- )
+--- configure.ac.orig	2018-10-16 17:01:20.000000000 -0700
++++ configure.ac	2018-11-10 11:29:32.626326000 -0800
+@@ -1493,6 +1493,62 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
  
 +# Check whether user wants TCP wrappers support
 +TCPW_MSG="no"
@@ -150,11 +150,11 @@ index f48ba4a..66fbe82 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4803,6 +4859,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -5305,6 +5361,7 @@ echo "                       PAM support: $PAM_MSG"
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
+ echo "                   libldns support: $LDNS_MSG"
diff --git a/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb b/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb
deleted file mode 100644
index d17acd109fb9..000000000000
--- a/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb
+++ /dev/null
@@ -1,35 +0,0 @@
-From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Mon, 9 Apr 2018 23:54:49 +0000
-Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if
- we
-
-fail to accept a connection; bz#2837, patch from Lukas Kuster
-
-OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
----
- ssh-agent.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git ssh-agent.c ssh-agent.c
-index 2a4578b03..68de56ce6 100644
---- ssh-agent.c
-+++ ssh-agent.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
-+/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
- 		/* Process events */
- 		switch (sockets[socknum].type) {
- 		case AUTH_SOCKET:
--			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
--			    handle_socket_read(socknum) != 0)
--				close_socket(&sockets[socknum]);
-+			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
-+				handle_socket_read(socknum);
- 			break;
- 		case AUTH_CONNECTION:
- 			if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
diff --git a/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b b/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
deleted file mode 100644
index 5a414eceb025..000000000000
--- a/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
+++ /dev/null
@@ -1,24 +0,0 @@
-From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Sat, 14 Apr 2018 21:50:41 +0000
-Subject: [PATCH] upstream: don't free the %C expansion, it's used later for
-
-LocalCommand
-
-OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
----
- ssh.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git ssh.c ssh.c
-index d3619fe29..9c011dd7e 100644
---- ssh.c
-+++ ssh.c
-@@ -1323,7 +1323,6 @@ main(int ac, char **av)
- 		    (char *)NULL);
- 		free(cp);
- 	}
--	free(conn_hash_hex);
- 
- 	if (config_test) {
- 		dump_client_config(&options, host);
diff --git a/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 b/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
deleted file mode 100644
index f6a571efb999..000000000000
--- a/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
+++ /dev/null
@@ -1,36 +0,0 @@
-From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Mon, 16 Apr 2018 22:50:44 +0000
-Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch
- clients
-
-without version numbers since they choke on them under some circumstances.
-https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
-
-Newer Conch versions have a version number in their ident string and
-handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
-
-OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
----
- compat.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git compat.c compat.c
-index 861e9e21f..1c0e08732 100644
---- compat.c
-+++ compat.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
-+/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */
- /*
-  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
-  *
-@@ -128,6 +128,8 @@ compat_datafellows(const char *version)
- 					SSH_OLD_DHGEX },
- 		{ "ConfD-*",
- 					SSH_BUG_UTF8TTYMODE },
-+		{ "Twisted_*",		0 },
-+		{ "Twisted*",		SSH_BUG_DEBUG },
- 		{ NULL,			0 }
- 	};
- 
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 39d6b12e44c2..f808c3830f36 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -5,31 +5,32 @@ Changed paths:
 
 Apply class-imposed login restrictions.
 
---- auth2.c.orig	2017-03-19 19:39:27.000000000 -0700
-+++ auth2.c	2017-03-20 11:52:27.960733000 -0700
-@@ -47,6 +47,7 @@
- #include "key.h"
+--- auth2.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ auth2.c	2018-11-10 11:35:07.816193000 -0800
+@@ -48,6 +48,7 @@
+ #include "sshkey.h"
  #include "hostfile.h"
  #include "auth.h"
 +#include "canohost.h"
  #include "dispatch.h"
  #include "pathnames.h"
- #include "buffer.h"
-@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32
- 	Authmethod *m = NULL;
+ #include "sshbuf.h"
+@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct
  	char *user, *service, *method, *style = NULL;
  	int authenticated = 0;
+ 	double tstart = monotime_double();
 +#ifdef HAVE_LOGIN_CAP
 +	login_cap_t *lc;
 +	const char *from_host, *from_ip;
-+
+ 
 +	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
 +	from_ip = ssh_remote_ipaddr(ssh);
 +#endif
- 
++
  	if (authctxt == NULL)
  		fatal("input_userauth_request: no authctxt");
-@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32
+ 
+@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct
  		    "(%s,%s) -> (%s,%s)",
  		    authctxt->user, authctxt->service, user, service);
  	}
@@ -55,5 +56,5 @@ Apply class-imposed login restrictions.
 +#endif  /* HAVE_LOGIN_CAP */
 +
  	/* reset state */
- 	auth2_challenge_stop(authctxt);
+ 	auth2_challenge_stop(ssh);
  
diff --git a/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad b/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
deleted file mode 100644
index 0ba52bdc25f5..000000000000
--- a/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
+++ /dev/null
@@ -1,32 +0,0 @@
-From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Fri, 13 Apr 2018 13:38:06 +1000
-Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1
-
-bz2855, ok dtucker@
----
- openbsd-compat/port-net.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c
-index 7050629c3..bb535626f 100644
---- openbsd-compat/port-net.c
-+++ openbsd-compat/port-net.c
-@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
- 	else
- 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
- 
--	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
-+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
- 		goto failed;
- 
- 	return (fd);
-@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
- 			goto failed;
- 	}
- 
--	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
-+	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
- 		goto failed;
- 
- 	close(sock);
diff --git a/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 b/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
deleted file mode 100644
index 388b51df1121..000000000000
--- a/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
+++ /dev/null
@@ -1,24 +0,0 @@
-From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Thu, 19 Apr 2018 09:53:14 +1000
-Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES.
-
-Patch from hongxu.jia at windriver.com, ok djm@
----
- cipher.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git cipher.c cipher.c
-index 578763616..a72682a82 100644
---- cipher.c
-+++ cipher.c
-@@ -82,7 +82,9 @@ struct sshcipher {
- 
- static const struct sshcipher ciphers[] = {
- #ifdef WITH_OPENSSL
-+#ifndef OPENSSL_NO_DES
- 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-+#endif
- 	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
- 	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
- 	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-serverloop.c
index 9ce31ea43fa6..1b081327d1f5 100644
--- a/security/openssh-portable/files/patch-misc.c
+++ b/security/openssh-portable/files/patch-serverloop.c
@@ -9,21 +9,21 @@ Submitted upstream, no reaction.
 Submitted by:   delphij@
 [rewritten for 7.4 by bdrewery@]
 
---- misc.c.orig	2017-01-12 11:54:41.058558000 -0800
-+++ misc.c	2017-01-12 11:55:16.531356000 -0800
-@@ -56,6 +56,8 @@
- #include <net/if.h>
- #endif
+--- serverloop.c.orig	2018-11-10 11:38:16.728617000 -0800
++++ serverloop.c	2018-11-10 11:38:19.497300000 -0800
+@@ -55,6 +55,8 @@
+ #include <unistd.h>
+ #include <stdarg.h>
  
 +#include <sys/sysctl.h>
 +
+ #include "openbsd-compat/sys-queue.h"
  #include "xmalloc.h"
- #include "misc.h"
- #include "log.h"
-@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, 
- int
- bind_permitted(int port, uid_t uid)
+ #include "packet.h"
+@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid)
  {
+ 	if (use_privsep)
+ 		return 1; /* allow system to decide */
 -	if (port < IPPORT_RESERVED && uid != 0)
 +	int ipport_reserved;
 +#ifdef __FreeBSD__
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index cf6a50c65c0d..1caf32b53b77 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -10,9 +10,9 @@ Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
 
 
---- session.c.orig	2018-04-01 22:38:28.000000000 -0700
-+++ session.c	2018-04-03 13:56:49.599400000 -0700
-@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+--- session.c.orig	2018-10-16 17:01:20.000000000 -0700
++++ session.c	2018-11-10 11:45:14.645263000 -0800
+@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	struct passwd *pw = s->pw;
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  	char *path = NULL;
@@ -22,7 +22,7 @@ Sponsored by:   DARPA, NAI Labs
  #endif
  
  	/* Initialize the environment. */
-@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	}
  #endif
  
@@ -32,7 +32,7 @@ Sponsored by:   DARPA, NAI Labs
  #ifdef GSSAPI
  	/* Allow any GSSAPI methods that we've used to alter
  	 * the childs environment as they see fit
-@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
  #endif
  	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -58,7 +58,7 @@ Sponsored by:   DARPA, NAI Labs
  #else /* HAVE_LOGIN_CAP */
  # ifndef HAVE_CYGWIN
  	/*
-@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
@@ -70,11 +70,10 @@ Sponsored by:   DARPA, NAI Labs
  
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
--
- 	/* Set custom environment options from pubkey authentication. */
- 	if (options.permit_user_env) {
- 		for (n = 0 ; n < auth_opts->nenv; n++) {
-@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw)
+ 	if (s->term)
+ 		child_set_env(&env, &envsize, "TERM", s->term);
+ 	if (s->display)
+@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,