authorluigi <luigi@FreeBSD.org>2001-04-22 22:03:04 +0800
committerluigi <luigi@FreeBSD.org>2001-04-22 22:03:04 +0800
commit2f612469577c6ce604f93dbfeedabfb762a18bf1 (patch)
tree33c0667078e520b11f1539d93f2f4c72d42090f1 /picobsd
parent2bff668263065545bb43ee257008e56da062e7e1 (diff)
New port: stripped-down ssh version to be used in picobsd images.
"stripped down" refers to the fact that we build a single binary which includes ssh, sshd and scp functionality without having to bring in 3 copies of mostly the same code. Requests to add this category and this port have been posted on the ports list and directly to satoshi over the past few months. I assume no reply means no problem.
Diffstat (limited to 'picobsd')
-rw-r--r--picobsd/ssh-picobsd/Makefile74
-rw-r--r--picobsd/ssh-picobsd/distinfo1
-rw-r--r--picobsd/ssh-picobsd/files/patch-aa19
-rw-r--r--picobsd/ssh-picobsd/files/patch-ac121
-rw-r--r--picobsd/ssh-picobsd/files/patch-ad13
-rw-r--r--picobsd/ssh-picobsd/files/patch-ae58
-rw-r--r--picobsd/ssh-picobsd/files/patch-af809
-rw-r--r--picobsd/ssh-picobsd/files/patch-ag54
-rw-r--r--picobsd/ssh-picobsd/files/patch-al408
-rw-r--r--picobsd/ssh-picobsd/files/patch-ao583
-rw-r--r--picobsd/ssh-picobsd/files/patch-aw73
-rw-r--r--picobsd/ssh-picobsd/files/patch-ax25
-rw-r--r--picobsd/ssh-picobsd/files/patch-ay20
-rw-r--r--picobsd/ssh-picobsd/files/patch-az12
-rw-r--r--picobsd/ssh-picobsd/files/patch-ba176
-rw-r--r--picobsd/ssh-picobsd/files/patch-bb29
-rw-r--r--picobsd/ssh-picobsd/files/patch-bc401
-rw-r--r--picobsd/ssh-picobsd/files/patch-bd60
-rw-r--r--picobsd/ssh-picobsd/files/patch-be370
-rw-r--r--picobsd/ssh-picobsd/files/patch-bf17
-rw-r--r--picobsd/ssh-picobsd/files/patch-bg120
-rw-r--r--picobsd/ssh-picobsd/files/patch-bh66
-rw-r--r--picobsd/ssh-picobsd/files/patch-bi56
-rw-r--r--picobsd/ssh-picobsd/files/patch-bj16
-rw-r--r--picobsd/ssh-picobsd/files/patch-bl66
-rw-r--r--picobsd/ssh-picobsd/files/patch-bm14
-rw-r--r--picobsd/ssh-picobsd/files/patch-bn191
-rw-r--r--picobsd/ssh-picobsd/files/patch-bo197
-rw-r--r--picobsd/ssh-picobsd/files/patch-bp45
-rw-r--r--picobsd/ssh-picobsd/files/patch-br97
-rw-r--r--picobsd/ssh-picobsd/files/patch-bs94
-rw-r--r--picobsd/ssh-picobsd/files/patch-xa167
-rw-r--r--picobsd/ssh-picobsd/files/patch-ya54
-rw-r--r--picobsd/ssh-picobsd/files/patch-yb260
-rw-r--r--picobsd/ssh-picobsd/files/sshd.sh27
-rw-r--r--picobsd/ssh-picobsd/pkg-comment1
-rw-r--r--picobsd/ssh-picobsd/pkg-descr7
-rw-r--r--picobsd/ssh-picobsd/pkg-plist0
38 files changed, 4801 insertions, 0 deletions
diff --git a/picobsd/ssh-picobsd/Makefile b/picobsd/ssh-picobsd/Makefile
new file mode 100644
index 00000000000..2b113731dfe
--- /dev/null
+++ b/picobsd/ssh-picobsd/Makefile
@@ -0,0 +1,74 @@
+# New ports collection makefile for: ssh-picobsd
+# Date created: 21 Apr 2001
+# Whom: luigi@FreeBSD.org
+#
+# $FreeBSD$
+#
+# A small version of ssh for picobsd. A single binary does ssh,sshd and scp
+#
+
+PORTNAME= ssh
+PORTVERSION= 1.2.27 # Note, 1.2.30 is under a more restrictive license
+PORTREVISION= 1
+CATEGORIES= security picobsd
+MASTER_SITES= ftp://ftp.cs.engr.uky.edu/cs/software/ \
+ ftp://ftp.cs.umn.edu/dept/users/rybski/ \
+ ftp://ftp.net.ohio-state.edu/disk/d/security/ssh/ \
+ ftp://ftp.cronyx.ru/.w2/mirror/ssh/old/ \
+ ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/old/ \
+ ftp://ftp.tokyonet.ad.jp/.da0/security/ssh/old/ \
+ ftp://ftp.comp.hkbu.edu.hk/.6/unix/ \
+ ftp://ftp.dei.uc.pt/.disk2/Crypto/SSH/old/
+
+MAINTAINER= luigi@FreeBSD.org
+
+NO_CDROM= "Picobsd only"
+NO_PACKAGE= "This is only useful to build picobsd images"
+
+USE_AUTOCONF= YES
+GNU_CONFIGURE= YES
+USE_PERL5= YES
+CONFIGURE_ENV+= PERL=${PERL5}
+
+CONFIGURE_ARGS+= --with-etcdir=${PREFIX}/etc
+
+# Uncomment if all your users are in their own group and their homedir
+# is writeable by that group. Beware the security implications!
+#
+#CONFIGURE_ARGS+= --enable-group-writeability
+
+# Uncomment if you want to allow ssh to emulate an unencrypted rsh connection
+# over a secure medium (i.e. allow SSH connections without encryption).
+# This is normally dangerous since it can lead to the disclosure of keys
+# and passwords.
+#
+#CONFIGURE_ARGS+= --with-none
+
+.if defined(KRB5_HOME) && exists(${KRB5_HOME})
+CONFIGURE_ARGS+=--with-kerberos5=${KRB5_HOME} --enable-kerberos-tgt-passing \
+ --disable-suid-ssh
+.endif
+
+# Include support for the SecureID card
+# Warning: untested !
+#
+.if defined(WITH_SECUREID)
+CONFIGURE_ARGS+= --with-secureid
+.endif
+
+# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
+# commercial use may require a licence in a number of countries. Since SSH
+# itself may not be used for commercial purposes without a license, we
+# enable IDEA by default since the user would already be getting himself
+# into trouble.
+
+pre-patch:
+ @${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \
+ ${WRKSRC}/make-ssh-known-hosts.pl.in
+
+.include <bsd.port.pre.mk>
+
+# no IDEA, tcpwrap, IPV6, SOCKS, x11 for picobsd
+CONFIGURE_ARGS+= --disable-ipv6 --without-x --without-idea
+
+.include <bsd.port.post.mk>
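Review bot: The comment block above `pre-patch` contradicts itself and the build: it opens with "Don't use IDEA" and ends with "we enable IDEA by default", while the only IDEA flag passed is `--without-idea` after the `bsd.port.pre.mk` include. It reads as text carried over from another port; I would replace it with one line such as `# IDEA is left out of the picobsd build (see --without-idea below).` Separately, `--disable-suid-ssh` is added only inside the `KRB5_HOME` branch, so a comment should state whether the combined ssh/sshd/scp binary is meant to be installed setuid in the default build; the install step is not visible in this file.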
diff --git a/picobsd/ssh-picobsd/distinfo b/picobsd/ssh-picobsd/distinfo
new file mode 100644
index 00000000000..bf690165936
--- /dev/null
+++ b/picobsd/ssh-picobsd/distinfo
@@ -0,0 +1 @@
+MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
diff --git a/picobsd/ssh-picobsd/files/patch-aa b/picobsd/ssh-picobsd/files/patch-aa
new file mode 100644
index 00000000000..3386fc8d68a
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-aa
@@ -0,0 +1,19 @@
+*** make-ssh-known-hosts.pl.in.orig Wed May 12 20:18:51 1999
+--- make-ssh-known-hosts.pl.in Sun Jun 6 02:30:08 1999
+***************
+*** 98,104 ****
+ $debug = 5;
+ $defserver = '';
+ $bell='\a';
+! $public_key = '/etc/ssh_host_key.pub';
+ $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+ $timeout = 60;
+ $ping_timeout = 3;
+--- 98,104 ----
+ $debug = 5;
+ $defserver = '';
+ $bell='\a';
+! $public_key = '@ETCDIR@/ssh_host_key.pub';
+ $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+ $timeout = 60;
+ $ping_timeout = 3;
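Review bot: `$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";` is carried unchanged right next to the patched line. A PID-derived name in a world-writable directory is predictable, and how the script opens the file is not visible here. Since the port already patches this block, it would be worth pointing the variable at a directory only the invoking user can write to, or at least adding `# FIXME: predictable name in /tmp` above it. The `@ETCDIR@` placeholder is presumably expanded by configure from the `.pl.in` file created by the Makefile's `pre-patch` rename; a one-line comment in the patch saying so would help.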
diff --git a/picobsd/ssh-picobsd/files/patch-ac b/picobsd/ssh-picobsd/files/patch-ac
new file mode 100644
index 00000000000..1f4163606c0
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ac
@@ -0,0 +1,121 @@
+--- Makefile.in.orig Wed May 12 04:19:31 1999
++++ Makefile.in Sun Sep 17 01:39:40 2000
+@@ -301,12 +301,17 @@
+ SHELL = /bin/sh
+
+ GMPDIR = gmp-2.0.2-ssh-2
+-GMPLIBS = -L$(GMPDIR) -lgmp
+-GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
++# We have the same libgmp in the system, so use it instead
++GMPINCDIR = /usr/include
++GMPLIBDIR = /usr/lib
++GMPLIBS = -lgmp
++GMPDEP = $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
+
+ ZLIBDIR = zlib-1.0.4
+-ZLIBDEP = $(ZLIBDIR)/libz.a
+-ZLIBLIBS = -L$(ZLIBDIR) -lz
++ZLIBINCDIR = /usr/include
++ZLIBLIBDIR = /usr/lib
++ZLIBDEP = $(ZLIBINCDIR)/libz.a
++ZLIBLIBS = -lz
+
+ RSAREFDIR = rsaref2
+ RSAREFSRCDIR = $(RSAREFDIR)/source
+@@ -411,7 +416,7 @@
+ $(CC) -o rfc-pg rfc-pg.o
+
+ .c.o:
+- $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
++ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
+
+ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
+ -rm -f sshd
+@@ -454,19 +459,19 @@
+ sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
+ chmod +x make-ssh-known-hosts
+
+-GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
+- mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
+-$(GMPDIR)/libgmp.a:
+- cd $(GMPDIR); $(MAKE)
+-
+-$(ZLIBDEP):
+- -if test '!' -d $(ZLIBDIR); then \
+- mkdir $(ZLIBDIR); \
+- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
+- fi
+- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
+- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
+- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
++#GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
++# mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
++#$(GMPDIR)/libgmp.a:
++# cd $(GMPDIR); $(MAKE)
++#
++#$(ZLIBDEP):
++# -if test '!' -d $(ZLIBDIR); then \
++# mkdir $(ZLIBDIR); \
++# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
++# fi
++# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
++# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
++# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
+
+ $(RSAREFSRCDIR)/librsaref.a:
+ -if test '!' -d $(RSAREFDIR); then \
+@@ -523,7 +528,7 @@
+ # (otherwise it can only log in as the user it runs as, and must be
+ # bound to a non-privileged port). Also, password authentication may
+ # not be available if non-root and using shadow passwords.
+-install: $(PROGRAMS) make-dirs generate-host-key install-configs
++install: $(PROGRAMS) make-dirs install-configs
+ -rm -f $(install_prefix)$(bindir)/ssh1.old
+ -chmod 755 $(install_prefix)$(bindir)/ssh1
+ -chmod 755 $(install_prefix)$(bindir)/ssh
+@@ -679,15 +684,15 @@
+
+ clean:
+ -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
+- cd $(GMPDIR); $(MAKE) clean
++# cd $(GMPDIR); $(MAKE) clean
+ # cd $(RSAREFSRCDIR); rm -f *.o *.a
+- cd $(ZLIBDIR); $(MAKE) clean
++# cd $(ZLIBDIR); $(MAKE) clean
+
+ distclean: clean
+ -rm -f Makefile config.status config.cache config.log config.h
+ -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
+- cd $(GMPDIR); $(MAKE) distclean
+- cd $(ZLIBDIR); $(MAKE) distclean
++# cd $(GMPDIR); $(MAKE) distclean
++# cd $(ZLIBDIR); $(MAKE) distclean
+
+ dist: dist-free
+
+@@ -716,12 +721,12 @@
+ -mkdir $(DISTNAME)
+ cp $(DISTFILES) $(DISTNAME)
+ for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
+- (cd $(GMPDIR); make dist)
+- gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
++# (cd $(GMPDIR); make dist)
++# gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
+ # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
+ # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
+- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
+- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
++# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
++# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
+
+ #ifdef F_SECURE_COMMERCIAL
+ #
+@@ -749,7 +754,7 @@
+ (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
+
+ depend:
+- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS)
++ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS)
+
+ tags:
+ -rm -f TAGS
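Review bot: `ZLIBDEP = $(ZLIBINCDIR)/libz.a` resolves to `/usr/include/libz.a`, and because the `$(ZLIBDEP):` rule is commented out further down while the `sshd` target shown in the context still lists `$(ZLIBDEP)` as a prerequisite, make has nothing to satisfy it with unless that file happens to exist. The GMP lines just above use the library directory for the archive and zlib should match: `ZLIBDEP = $(ZLIBLIBDIR)/libz.a`. In the `.c.o` rule, `-I$(srcdir)/$(GMPINCDIR)` and `-I$(srcdir)/$(ZLIBINCDIR)` now prefix an absolute path with `$(srcdir)`; dropping both flags, as the patched `depend` rule does, is cleaner. The `install` target no longer depends on `generate-host-key`, so a comment should say where the host key is created instead, since that is not visible in this patch.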
diff --git a/picobsd/ssh-picobsd/files/patch-ad b/picobsd/ssh-picobsd/files/patch-ad
new file mode 100644
index 00000000000..bab4169bca6
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ad
@@ -0,0 +1,13 @@
+*** auth-passwd.c.orig Wed May 12 20:19:23 1999
+--- auth-passwd.c Sun Jun 6 02:36:00 1999
+***************
+*** 911,916 ****
+--- 911,918 ----
+ encrypted_password = crypt(password,
+ (correct_passwd[0] && correct_passwd[1]) ?
+ correct_passwd : "xx");
++ if (!password[0] && correct_passwd[0])
++ encrypted_password = ":";
+ #endif /* HAVE_SCO_ETC_SHADOW */
+
+ /* Authentication is accepted if the encrypted passwords are identical. */
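Review bot: The two added lines overwrite `encrypted_password` with the magic string `":"` and nothing says why. A comment such as `/* Empty password against a non-empty hash: force a mismatch; ':' cannot appear in a crypt() result. */` would make the intent reviewable. The lines also sit just before `#endif /* HAVE_SCO_ETC_SHADOW */`, so only the preprocessor branch that ends there gets the guard; whether the other branch needs the same check cannot be seen from this hunk. The comparison that consumes the value, and the rest of the function, are outside the hunk.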
diff --git a/picobsd/ssh-picobsd/files/patch-ae b/picobsd/ssh-picobsd/files/patch-ae
new file mode 100644
index 00000000000..0ef0a89ae6c
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ae
@@ -0,0 +1,58 @@
+*** server_config.sample.old Thu Apr 20 23:24:57 2000
+--- server_config.sample Thu Apr 20 23:26:24 2000
+***************
+*** 1,13 ****
+ # This is ssh server systemwide configuration file.
+
+ Port 22
+! ListenAddress 0.0.0.0
+ HostKey _ETCDIR_/ssh_host_key
+ RandomSeed _ETCDIR_/ssh_random_seed
+ ServerKeyBits 768
+ LoginGraceTime 600
+ KeyRegenerationInterval 3600
+! PermitRootLogin yes
+ IgnoreRhosts no
+ StrictModes yes
+ QuietMode no
+--- 1,13 ----
+ # This is ssh server systemwide configuration file.
+
+ Port 22
+! #Port 722 # Secondary port to listen on
+ HostKey _ETCDIR_/ssh_host_key
+ RandomSeed _ETCDIR_/ssh_random_seed
+ ServerKeyBits 768
+ LoginGraceTime 600
+ KeyRegenerationInterval 3600
+! PermitRootLogin no
+ IgnoreRhosts no
+ StrictModes yes
+ QuietMode no
+***************
+*** 16,27 ****
+ FascistLogging no
+ PrintMotd yes
+ KeepAlive yes
+! SyslogFacility DAEMON
+ RhostsAuthentication no
+ RhostsRSAAuthentication yes
+ RSAAuthentication yes
+ PasswordAuthentication yes
+! PermitEmptyPasswords yes
+ UseLogin no
+ # CheckMail no
+ # PidFile /u/zappa/.ssh/pid
+--- 16,27 ----
+ FascistLogging no
+ PrintMotd yes
+ KeepAlive yes
+! SyslogFacility AUTH
+ RhostsAuthentication no
+ RhostsRSAAuthentication yes
+ RSAAuthentication yes
+ PasswordAuthentication yes
+! PermitEmptyPasswords no
+ UseLogin no
+ # CheckMail no
+ # PidFile /u/zappa/.ssh/pid
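Review bot: `IgnoreRhosts no` and `RhostsRSAAuthentication yes` are left as they were in the sample, so rhosts-style host trust stays enabled by default even though `PermitRootLogin` and `PermitEmptyPasswords` are tightened in the same patch. For a port that exists to build images I would set `IgnoreRhosts yes` and `RhostsRSAAuthentication no` here as well, or add a comment explaining why they are kept. The first hunk also replaces the `ListenAddress 0.0.0.0` line with a commented-out `#Port 722`, which drops the directive from the sample without saying what the new default is. A one-line comment on the default listen behaviour would cover that.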
diff --git a/picobsd/ssh-picobsd/files/patch-af b/picobsd/ssh-picobsd/files/patch-af
new file mode 100644
index 00000000000..d3fce096361
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-af
@@ -0,0 +1,809 @@
+*** sshd.c.orig Tue Jan 11 20:40:10 2000
+--- sshd.c Tue Jan 11 20:40:07 2000
+***************
+*** 553,558 ****
+--- 553,571 ----
+ /* Name of the server configuration file. */
+ char *config_file_name = SERVER_CONFIG_FILE;
+
++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
++ Default value is AF_UNSPEC means both IPv4 and IPv6. */
++ #ifdef ENABLE_IPV6
++ int IPv4or6 = AF_UNSPEC;
++ #else
++ int IPv4or6 = AF_INET;
++ #endif
++
++ #ifdef ENABLE_LOG_AUTH
++ char *unauthenticated_user = NULL;
++ int log_auth_flag = 0;
++ #endif /* ENABLE_LOG_AUTH */
++
+ /* Debug mode flag. This can be set on the command line. If debug
+ mode is enabled, extra debugging output will be sent to the system
+ log, the daemon will not go to background, and will exit after processing
+***************
+*** 576,582 ****
+
+ /* This is set to the socket that the server is listening; this is used in
+ the SIGHUP signal handler. */
+! int listen_sock;
+
+ /* This is not really needed, and could be eliminated if server-specific
+ and client-specific code were removed from newchannels.c */
+--- 589,605 ----
+
+ /* This is set to the socket that the server is listening; this is used in
+ the SIGHUP signal handler. */
+! #define MAX_LISTEN_SOCKS 16
+! int listen_socks[MAX_LISTEN_SOCKS];
+! int num_listen_socks = 0;
+! void close_listen_socks()
+! {
+! int i;
+!
+! for (i = 0; i < num_listen_socks; i++)
+! close(listen_socks[i]);
+! num_listen_socks = -1;
+! }
+
+ /* This is not really needed, and could be eliminated if server-specific
+ and client-specific code were removed from newchannels.c */
+***************
+*** 666,672 ****
+ void sighup_restart(void)
+ {
+ log_msg("Received SIGHUP; restarting.");
+! close(listen_sock);
+ execvp(saved_argv[0], saved_argv);
+ log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
+ saved_argv[0], strerror(errno));
+--- 689,695 ----
+ void sighup_restart(void)
+ {
+ log_msg("Received SIGHUP; restarting.");
+! close_listen_socks();
+ execvp(saved_argv[0], saved_argv);
+ log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
+ saved_argv[0], strerror(errno));
+***************
+*** 680,686 ****
+ RETSIGTYPE sigterm_handler(int sig)
+ {
+ log_msg("Received signal %d; terminating.", sig);
+! close(listen_sock);
+ exit(255);
+ }
+
+--- 703,709 ----
+ RETSIGTYPE sigterm_handler(int sig)
+ {
+ log_msg("Received signal %d; terminating.", sig);
+! close_listen_socks();
+ exit(255);
+ }
+
+***************
+*** 759,765 ****
+ int perm_denied = 0;
+ int ret;
+ fd_set fdset;
+! struct sockaddr_in sin;
+ char buf[100]; /* Must not be larger than remote_version. */
+ char remote_version[100]; /* Must be at least as big as buf. */
+ char *comment;
+--- 782,788 ----
+ int perm_denied = 0;
+ int ret;
+ fd_set fdset;
+! struct sockaddr_storage from;
+ char buf[100]; /* Must not be larger than remote_version. */
+ char remote_version[100]; /* Must be at least as big as buf. */
+ char *comment;
+***************
+*** 769,774 ****
+--- 792,800 ----
+ struct linger linger;
+ #endif /* SO_LINGER */
+ int done;
++ struct addrinfo *ai;
++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
++ int listen_sock, maxfd;
+
+ /* Save argv[0]. */
+ saved_argv = av;
+***************
+*** 787,796 ****
+ initialize_server_options(&options);
+
+ /* Parse command-line arguments. */
+! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
+ {
+ switch (opt)
+ {
+ case 'f':
+ config_file_name = optarg;
+ break;
+--- 813,838 ----
+ initialize_server_options(&options);
+
+ /* Parse command-line arguments. */
+! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
+! #ifdef ENABLE_IPV6
+! "6"
+! #endif
+! )) != EOF)
+ {
+ switch (opt)
+ {
++ case '4':
++ #ifdef ENABLE_IPV6
++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
++ #else
++ IPv4or6 = AF_INET;
++ #endif
++ break;
++ #ifdef ENABLE_IPV6
++ case '6':
++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
++ break;
++ #endif
+ case 'f':
+ config_file_name = optarg;
+ break;
+***************
+*** 807,813 ****
+ options.server_key_bits = atoi(optarg);
+ break;
+ case 'p':
+! options.port = atoi(optarg);
+ break;
+ case 'g':
+ options.login_grace_time = atoi(optarg);
+--- 849,855 ----
+ options.server_key_bits = atoi(optarg);
+ break;
+ case 'p':
+! options.ports[options.num_ports++] = atoi(optarg);
+ break;
+ case 'g':
+ options.login_grace_time = atoi(optarg);
+***************
+*** 829,834 ****
+--- 871,880 ----
+ fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
+ fprintf(stderr, "Usage: %s [options]\n", av0);
+ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -4 Use IPv4 only\n");
++ #ifdef ENABLE_IPV6
++ fprintf(stderr, " -6 Use IPv6 only\n");
++ #endif
+ fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
+ fprintf(stderr, " -d Debugging mode\n");
+ fprintf(stderr, " -i Started from inetd\n");
+***************
+*** 857,872 ****
+ fprintf(stderr, "fatal: Bad server key size.\n");
+ exit(1);
+ }
+- if (options.port < 1 || options.port > 65535)
+- {
+- fprintf(stderr, "fatal: Bad port number.\n");
+- exit(1);
+- }
+ if (options.umask != -1)
+ {
+ umask(options.umask);
+ }
+
+ /* Check that there are no remaining arguments. */
+ if (optind < ac)
+ {
+--- 903,917 ----
+ fprintf(stderr, "fatal: Bad server key size.\n");
+ exit(1);
+ }
+ if (options.umask != -1)
+ {
+ umask(options.umask);
+ }
+
++ #ifdef ENABLE_LOG_AUTH
++ log_auth_flag = options.log_auth;
++ #endif /* ENABLE_LOG_AUTH */
++
+ /* Check that there are no remaining arguments. */
+ if (optind < ac)
+ {
+***************
+*** 1034,1043 ****
+ }
+ else
+ {
+ /* Create socket for listening. */
+! listen_sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (listen_sock < 0)
+ fatal("socket: %.100s", strerror(errno));
+
+ /* Set socket options. We try to make the port reusable and have it
+ close as fast as possible without waiting in unnecessary wait states
+--- 1079,1091 ----
+ }
+ else
+ {
++ for (ai = options.listen_addrs; ai; ai = ai->ai_next)
++ {
+ /* Create socket for listening. */
+! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (listen_sock < 0)
+ fatal("socket: %.100s", strerror(errno));
++ listen_socks[num_listen_socks] = listen_sock;
+
+ /* Set socket options. We try to make the port reusable and have it
+ close as fast as possible without waiting in unnecessary wait states
+***************
+*** 1051,1071 ****
+ sizeof(linger));
+ #endif /* SO_LINGER */
+
+! /* Initialize the socket address. */
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! sin.sin_addr = options.listen_addr;
+! sin.sin_port = htons(options.port);
+
+ /* Bind the socket to the desired port. */
+! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+! error("bind: %.100s", strerror(errno));
+! shutdown(listen_sock, 2);
+ close(listen_sock);
+! fatal("Bind to port %d failed: %.200s.", options.port,
+! strerror(errno));
+ }
+
+ if (!debug_flag)
+ {
+--- 1099,1128 ----
+ sizeof(linger));
+ #endif /* SO_LINGER */
+
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop, sizeof(ntop), strport, sizeof(strport),
+! NI_NUMERICHOST|NI_NUMERICSERV);
+
+ /* Bind the socket to the desired port. */
+! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+! error("Bind to port %s on %s failed: %.200s.",
+! strport, ntop, strerror(errno));
+ close(listen_sock);
+! continue;
+ }
++ num_listen_socks++;
++
++ /* Start listening on the port. */
++ log_msg("Server listening on %s port %s.", ntop, strport);
++ if (listen(listen_sock, 5) < 0)
++ fatal("listen: %.100s", strerror(errno));
++
++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
++ freeaddrinfo(options.listen_addrs);
++
++ if (!num_listen_socks)
++ fatal("Cannot bind all addresses.");
+
+ if (!debug_flag)
+ {
+***************
+*** 1081,1091 ****
+ }
+ }
+
+- /* Start listening on the port. */
+- log_msg("Server listening on port %d.", options.port);
+- if (listen(listen_sock, 5) < 0)
+- fatal("listen: %.100s", strerror(errno));
+-
+ /* Generate an rsa key. */
+ log_msg("Generating %d bit RSA key.", options.server_key_bits);
+ rsa_generate_key(&sensitive_data.private_key, &public_key,
+--- 1138,1143 ----
+***************
+*** 1139,1156 ****
+
+ /* Wait in select until there is a connection. */
+ FD_ZERO(&fdset);
+! FD_SET(listen_sock, &fdset);
+! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
+! if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
+ {
+ if (errno == EINTR)
+ continue;
+ error("select: %.100s", strerror(errno));
+ continue;
+ }
+!
+! aux = sizeof(sin);
+! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
+ if (newsock < 0)
+ {
+ if (errno == EINTR)
+--- 1191,1218 ----
+
+ /* Wait in select until there is a connection. */
+ FD_ZERO(&fdset);
+! maxfd = 0;
+! for (i = 0; i < num_listen_socks; i++)
+! {
+! FD_SET(listen_socks[i], &fdset);
+! if (listen_socks[i] > maxfd)
+! maxfd = listen_socks[i];
+! }
+! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
+! if (ret < 0)
+ {
+ if (errno == EINTR)
+ continue;
+ error("select: %.100s", strerror(errno));
+ continue;
+ }
+!
+! for (i = 0; i < num_listen_socks; i++)
+! {
+! if (!FD_ISSET(listen_socks[i], &fdset))
+! continue;
+! aux = sizeof(from);
+! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
+ if (newsock < 0)
+ {
+ if (errno == EINTR)
+***************
+*** 1166,1172 ****
+ /* In debugging mode. Close the listening socket, and start
+ processing the connection without forking. */
+ debug("Server will not fork when running in debugging mode.");
+! close(listen_sock);
+ sock_in = newsock;
+ sock_out = newsock;
+ pid = getpid();
+--- 1228,1234 ----
+ /* In debugging mode. Close the listening socket, and start
+ processing the connection without forking. */
+ debug("Server will not fork when running in debugging mode.");
+! close_listen_socks();
+ sock_in = newsock;
+ sock_out = newsock;
+ pid = getpid();
+***************
+*** 1195,1201 ****
+ the accepted socket. Reinitialize logging (since our
+ pid has changed). We break out of the loop to handle
+ the connection. */
+! close(listen_sock);
+ sock_in = newsock;
+ sock_out = newsock;
+ #ifdef LIBWRAP
+--- 1257,1263 ----
+ the accepted socket. Reinitialize logging (since our
+ pid has changed). We break out of the loop to handle
+ the connection. */
+! close_listen_socks();
+ sock_in = newsock;
+ sock_out = newsock;
+ #ifdef LIBWRAP
+***************
+*** 1233,1238 ****
+--- 1295,1304 ----
+
+ /* Close the new socket (the child is now taking care of it). */
+ close(newsock);
++ } /* for (i = 0; i < num_host_socks; i++) */
++ /* child process check (or debug mode) */
++ if (num_listen_socks < 0)
++ break;
+ }
+ }
+
+***************
+*** 2205,2210 ****
+--- 2271,2279 ----
+ krb5_parse_name(ssh_context, user, &client);
+ #endif /* defined(KERBEROS) && defined(KRB5) */
+
++ #ifdef ENABLE_LOG_AUTH
++ unauthenticated_user = user;
++ #endif /* ENABLE_LOG_AUTH */
+ /* Verify that the user is a valid user. We disallow usernames starting
+ with any characters that are commonly used to start NIS entries. */
+ pw = getpwnam(user);
+***************
+*** 2222,2228 ****
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ pwcopy.pw_change = pw->pw_change;
+ pwcopy.pw_expire = pw->pw_expire;
+! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+ pwcopy.pw_dir = xstrdup(pw->pw_dir);
+ pwcopy.pw_shell = xstrdup(pw->pw_shell);
+ pw = &pwcopy;
+--- 2291,2297 ----
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ pwcopy.pw_change = pw->pw_change;
+ pwcopy.pw_expire = pw->pw_expire;
+! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
+ pwcopy.pw_dir = xstrdup(pw->pw_dir);
+ pwcopy.pw_shell = xstrdup(pw->pw_shell);
+ pw = &pwcopy;
+***************
+*** 2260,2265 ****
+--- 2329,2339 ----
+ {
+ /* Authentication with empty password succeeded. */
+ debug("Login for user %.100s accepted without authentication.", user);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "empty password accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_PASSWORD;
+ authenticated = 1;
+ /* Success packet will be sent after loop below. */
+***************
+*** 2334,2339 ****
+--- 2408,2418 ----
+ /* Client has successfully authenticated to us. */
+ log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
+ tkt_user, user, get_canonical_hostname());
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "kerberos authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_KERBEROS;
+ authenticated = 1;
+ break;
+***************
+*** 2382,2387 ****
+--- 2461,2471 ----
+ /* Authentication accepted. */
+ log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
+ user, client_user, get_canonical_hostname());
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.100s@%.700s (%s)",
++ user, client_user, get_canonical_hostname(),
++ "rhosts authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RHOSTS;
+ authenticated = 1;
+ remote_user_name = client_user;
+***************
+*** 2441,2446 ****
+--- 2525,2535 ----
+ options.strict_modes))
+ {
+ /* Authentication accepted. */
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.100s@%.700s (%s)",
++ user, client_user, get_canonical_hostname(),
++ "rhosts with RSA host authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RHOSTS_RSA;
+ authenticated = 1;
+ remote_user_name = client_user;
+***************
+*** 2474,2479 ****
+--- 2563,2573 ----
+ /* Successful authentication. */
+ mpz_clear(&n);
+ log_msg("RSA authentication for %.100s accepted.", user);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "RSA user authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_RSA;
+ authenticated = 1;
+ break;
+***************
+*** 2608,2613 ****
+--- 2702,2712 ----
+ auth_close();
+ memset(password, 0, strlen(password));
+ xfree(password);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from @%.700s (%s)",
++ user, get_canonical_hostname(),
++ "TIS authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_TIS;
+ authenticated = 1;
+ break;
+***************
+*** 2668,2673 ****
+--- 2767,2777 ----
+ memset(password, 0, strlen(password));
+ xfree(password);
+ log_msg("Password authentication for %.100s accepted.", user);
++ #ifdef ENABLE_LOG_AUTH
++ log_auth("%.100s from %.700s (%s)",
++ user, get_canonical_hostname(),
++ "password authentication accepted");
++ #endif /* ENABLE_LOG_AUTH */
+ authentication_type = SSH_AUTH_PASSWORD;
+ authenticated = 1;
+ break;
+***************
+*** 2708,2713 ****
+--- 2812,2822 ----
+ }
+
+ /* Check if the user is logging in as root and root logins are disallowed. */
++ #ifdef ENABLE_LOG_AUTH
++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
++ #endif /* ENABLE_LOG_AUTH */
+ if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
+ {
+ if (authentication_type == SSH_AUTH_PASSWORD)
+***************
+*** 2775,2780 ****
+--- 2884,2892 ----
+ packet_start(SSH_SMSG_SUCCESS);
+ packet_send();
+ packet_write_wait();
++ #ifdef ENABLE_LOG_AUTH
++ unauthenticated_user = NULL;
++ #endif /* ENABLE_LOG_AUTH */
+
+ /* Perform session preparation. */
+ do_authenticated(pw);
+***************
+*** 3280,3294 ****
+ char line[256];
+ struct stat st;
+ int quiet_login;
+! struct sockaddr_in from;
+ int fromlen;
+ struct pty_cleanup_context cleanup_context;
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ login_cap_t *lc;
+ #endif
+! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
+ struct timeval tp;
+! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
+
+ /* We no longer need the child running on user's privileges. */
+ userfile_uninit();
+--- 3392,3407 ----
+ char line[256];
+ struct stat st;
+ int quiet_login;
+! struct sockaddr_storage from;
+ int fromlen;
+ struct pty_cleanup_context cleanup_context;
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ login_cap_t *lc;
++ time_t warnpassword, warnexpire;
+ #endif
+! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
+ struct timeval tp;
+! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
+
+ /* We no longer need the child running on user's privileges. */
+ userfile_uninit();
+***************
+*** 3387,3393 ****
+
+ /* Record that there was a login on that terminal. */
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+! &from);
+
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ lc = login_getclass(pw->pw_class);
+--- 3500,3506 ----
+
+ /* Record that there was a login on that terminal. */
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+! (struct sockaddr *)&from);
+
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ lc = login_getclass(pw->pw_class);
+***************
+*** 3446,3451 ****
+--- 3559,3572 ----
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
++ #ifdef HAVE_LOGIN_CAP_H
++ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
++
++ warnpassword = login_getcaptime(lc, "warnpassword",
++ DEFAULT_WARN, DEFAULT_WARN);
++ warnexpire = login_getcaptime(lc, "warnexpire",
++ DEFAULT_WARN, DEFAULT_WARN);
++ #endif
+ #endif
+
+ /* Print /etc/motd unless a command was specified or printing it was
+***************
+*** 3469,3475 ****
+ fputs(line, stdout);
+ fclose(f);
+ }
+! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
+ if (pw->pw_change || pw->pw_expire)
+ (void)gettimeofday(&tp, (struct timezone *)NULL);
+ if (pw->pw_change)
+--- 3590,3596 ----
+ fputs(line, stdout);
+ fclose(f);
+ }
+! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
+ if (pw->pw_change || pw->pw_expire)
+ (void)gettimeofday(&tp, (struct timezone *)NULL);
+ if (pw->pw_change)
+***************
+*** 3876,3881 ****
+--- 3997,4003 ----
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
++ int local_port;
+ #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
+ login_cap_t *lc;
+ char *real_shell;
+***************
+*** 3922,3928 ****
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stderr);
+ fclose(f);
+! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
+ if (pw->pw_uid != UID_ROOT &&
+ !login_getcapbool(lc, "ignorenologin", 0))
+ exit(254);
+--- 4044,4050 ----
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stderr);
+ fclose(f);
+! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
+ if (pw->pw_uid != UID_ROOT &&
+ !login_getcapbool(lc, "ignorenologin", 0))
+ exit(254);
+***************
+*** 3981,3986 ****
+--- 4103,4109 ----
+ user_shell = xstrdup(pw->pw_shell);
+ remote_ip = xstrdup(get_remote_ipaddr());
+ remote_port = get_remote_port();
++ local_port = get_local_port();
+
+ /* Close the connection descriptors; note that this is the child, and the
+ server will still have the socket open, and it is important that we
+***************
+*** 4000,4006 ****
+ /* Close any extra file descriptors. Note that there may still be
+ descriptors left by system functions. They will be closed later. */
+ endpwent();
+- endhostent();
+
+ /* Set dummy encryption key to clear information about the key from
+ memory. This key will never be used. */
+--- 4123,4128 ----
+***************
+*** 4257,4263 ****
+
+ /* Set SSH_CLIENT. */
+ snprintf(buf, sizeof(buf),
+! "%.50s %d %d", remote_ip, remote_port, options.port);
+ child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+ /* Set SSH_TTY if we have a pty. */
+--- 4379,4385 ----
+
+ /* Set SSH_CLIENT. */
+ snprintf(buf, sizeof(buf),
+! "%.50s %d %d", remote_ip, remote_port, local_port);
+ child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+
+ /* Set SSH_TTY if we have a pty. */
+***************
+*** 4426,4432 ****
+ int i;
+ char name[255], *p;
+ char line[256];
+! struct hostent *hp;
+
+ strncpy(name, display, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+--- 4548,4555 ----
+ int i;
+ char name[255], *p;
+ char line[256];
+! struct addrinfo hints, *ai, *aitop;
+! char ntop[ADDRSTRLEN];
+
+ strncpy(name, display, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+***************
+*** 4443,4449 ****
+ /* Moved this call here to avoid a nasty buf in SunOS
+ 4.1.4 libc where gethostbyname closes an unrelated
+ file descriptor. */
+! hp = gethostbyname(name);
+
+ snprintf(line, sizeof(line),
+ "%.200s -q -", options.xauth_path);
+--- 4566,4575 ----
+ /* Moved this call here to avoid a nasty buf in SunOS
+ 4.1.4 libc where gethostbyname closes an unrelated
+ file descriptor. */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
+! aitop = 0;
+
+ snprintf(line, sizeof(line),
+ "%.200s -q -", options.xauth_path);
+***************
+*** 4461,4481 ****
+ cp - display, display, cp, auth_proto,
+ auth_data);
+ #endif
+! if (hp)
+ {
+! for(i = 0; hp->h_addr_list[i]; i++)
+ {
+ if (debug_flag)
+ {
+ fprintf(stderr, "Running %s add %s%s %s %s\n",
+ options.xauth_path,
+! inet_ntoa(*((struct in_addr *)
+! hp->h_addr_list[i])),
+ cp, auth_proto, auth_data);
+ }
+ fprintf(f, "add %s%s %s %s\n",
+! inet_ntoa(*((struct in_addr *)
+! hp->h_addr_list[i])),
+ cp, auth_proto, auth_data);
+ }
+ }
+--- 4587,4610 ----
+ cp - display, display, cp, auth_proto,
+ auth_data);
+ #endif
+! if (aitop)
+ {
+! for (ai = aitop; ai; ai = ai->ai_next)
+ {
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), NULL, 0,
++ NI_NUMERICHOST);
++ if (strchr(ntop, ':'))
++ continue; /* XXX - xauth doesn't accept it */
+ if (debug_flag)
+ {
+ fprintf(stderr, "Running %s add %s%s %s %s\n",
+ options.xauth_path,
+! ntop,
+ cp, auth_proto, auth_data);
+ }
+ fprintf(f, "add %s%s %s %s\n",
+! ntop,
+ cp, auth_proto, auth_data);
+ }
+ }
+***************
+*** 4525,4531 ****
+--- 4654,4664 ----
+ struct stat mailbuf;
+
+ if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
++ #ifdef __FreeBSD__
++ ;
++ #else
+ printf("No mail.\n");
++ #endif
+ else if (mailbuf.st_atime > mailbuf.st_mtime)
+ printf("You have mail.\n");
+ else
diff --git a/picobsd/ssh-picobsd/files/patch-ag b/picobsd/ssh-picobsd/files/patch-ag
new file mode 100644
index 00000000000..71f3b7e168f
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ag
@@ -0,0 +1,54 @@
+*** auth-kerberos.c.orig Tue Jan 11 20:33:46 2000
+--- auth-kerberos.c Tue Jan 11 20:33:38 2000
+***************
+*** 120,129 ****
+--- 120,137 ----
+
+ debug("Kerberos invalid service name (%.100s).", server);
+ packet_send_debug("Kerberos invalid service name (%.100s).", server);
++ #ifdef krb5_xfree
+ krb5_xfree(server);
++ #else
++ free(server);
++ #endif
+ return 0;
+ }
++ #ifdef krb5_xfree
+ krb5_xfree(server);
++ #else
++ free(server);
++ #endif
+
+ /* Extract the users name from the ticket client principal */
+ problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client,
+***************
+*** 159,165 ****
+--- 167,177 ----
+ packet_put_string((char *) reply.data, reply.length);
+ packet_send();
+ packet_write_wait();
++ #ifdef krb5_xfree
+ krb5_xfree(reply.data);
++ #else
++ krb5_free_data_contents(ssh_context, &reply);
++ #endif
+ return 1;
+ }
+ #endif /* KRB5 */
+***************
+*** 177,183 ****
+ extern char *ticket;
+ static krb5_principal rcache_server = 0;
+ static krb5_rcache rcache;
+! struct sockaddr_in local, foreign;
+ krb5_address *local_addr, *remote_addr;
+ int s;
+
+--- 189,195 ----
+ extern char *ticket;
+ static krb5_principal rcache_server = 0;
+ static krb5_rcache rcache;
+! struct sockaddr_storage local, foreign;
+ krb5_address *local_addr, *remote_addr;
+ int s;
+
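Review bot: The `#ifdef krb5_xfree` test at all three sites in auth-kerberos.c only detects `krb5_xfree` when the Kerberos headers define it as a preprocessor macro; a library that exports it as an ordinary function would silently take the fallback branches. The fallbacks are also not uniform, since `server` is released with plain `free(server)` while `reply.data` goes through `krb5_free_data_contents(ssh_context, &reply)`. Where `server` is allocated is not visible in these hunks, so it should be confirmed that libc `free()` matches its allocator. A short comment above the first test naming the Kerberos implementation this fallback is for, or one wrapper macro defined once near the top of the file, would make the intent clear.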
diff --git a/picobsd/ssh-picobsd/files/patch-al b/picobsd/ssh-picobsd/files/patch-al
new file mode 100644
index 00000000000..35a191b5561
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-al
@@ -0,0 +1,408 @@
+*** sshconnect.c.orig Wed May 12 20:19:29 1999
+--- sshconnect.c Thu Feb 24 22:34:47 2000
+***************
+*** 337,343 ****
+
+ /* Creates a (possibly privileged) socket for use as the ssh connection. */
+
+! int ssh_create_socket(uid_t original_real_uid, int privileged)
+ {
+ int sock;
+
+--- 337,343 ----
+
+ /* Creates a (possibly privileged) socket for use as the ssh connection. */
+
+! int ssh_create_socket(uid_t original_real_uid, int privileged, int family)
+ {
+ int sock;
+
+***************
+*** 345,379 ****
+ bind our own socket to a privileged port. */
+ if (privileged)
+ {
+! struct sockaddr_in sin;
+ int p;
+ for (p = 1023; p > 512; p--)
+ {
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+! fatal("socket: %.100s", strerror(errno));
+
+! /* Initialize the desired sockaddr_in structure. */
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! sin.sin_addr.s_addr = INADDR_ANY;
+! sin.sin_port = htons(p);
+
+ /* Try to bind the socket to the privileged port. */
+ #if defined(SOCKS)
+! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+ break; /* Success. */
+ #else /* SOCKS */
+! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
+ break; /* Success. */
+ #endif /* SOCKS */
+ if (errno == EADDRINUSE)
+ {
+ close(sock);
+ continue;
+ }
+! fatal("bind: %.100s", strerror(errno));
+ }
+ debug("Allocated local port %d.", p);
+ }
+ else
+--- 345,404 ----
+ bind our own socket to a privileged port. */
+ if (privileged)
+ {
+! struct addrinfo hints, *ai = NULL;
+! int errgai;
+! char strport[PORTSTRLEN];
+ int p;
++ #if (defined(__OpenBSD__) || defined(__FreeBSD__)) && !defined(SOCKS)
++ p = 1023; /* Compat with old FreeBSD */
++ #if __FreeBSD__ >= 400014
++ sock = rresvport_af(&p, family);
++ if (sock < 0)
++ error("rresvport_af: %.100s", strerror(errno));
++ #else
++ sock = rresvport(&p);
++ if (sock < 0)
++ error("rresvport: %.100s", strerror(errno));
++ #endif
++ #else
+ for (p = 1023; p > 512; p--)
+ {
+! sock = socket(family, SOCK_STREAM, 0);
+ if (sock < 0)
+! error("socket: %.100s", strerror(errno));
+
+! /* Initialize the desired addrinfo structure. */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = family;
+! hints.ai_flags = AI_PASSIVE;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", p);
+! #if defined(SOCKS)
+! if ((errgai = Rgetaddrinfo(NULL, strport, &hints, &ai)) != 0)
+! fatal("getaddrinfo: %.100s", gai_strerror(errgai));
+! #else /* SOCKS */
+! if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0)
+! fatal("getaddrinfo: %.100s", gai_strerror(errgai));
+! #endif /* SOCKS */
+
+ /* Try to bind the socket to the privileged port. */
+ #if defined(SOCKS)
+! if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ break; /* Success. */
+ #else /* SOCKS */
+! if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ break; /* Success. */
+ #endif /* SOCKS */
+ if (errno == EADDRINUSE)
+ {
+ close(sock);
++ freeaddrinfo(ai);
+ continue;
+ }
+! error("bind: %.100s", strerror(errno));
+ }
++ freeaddrinfo(ai);
++ #endif
+ debug("Allocated local port %d.", p);
+ }
+ else
+***************
+*** 396,409 ****
+ the daemon. */
+
+ int ssh_connect(const char *host, int port, int connection_attempts,
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command, RandomState *random_state)
+ {
+ int sock = -1, attempt, i;
+ int on = 1;
+ struct servent *sp;
+! struct hostent *hp;
+! struct sockaddr_in hostaddr;
+ #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
+ struct linger linger;
+ #endif /* SO_LINGER */
+--- 421,439 ----
+ the daemon. */
+
+ int ssh_connect(const char *host, int port, int connection_attempts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command, RandomState *random_state)
+ {
+ int sock = -1, attempt, i;
+ int on = 1;
+ struct servent *sp;
+! struct addrinfo hints, *ai, *aitop, *aitmp;
+! struct sockaddr_storage hostaddr;
+! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+! int gaierr;
+ #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER)
+ struct linger linger;
+ #endif /* SO_LINGER */
+***************
+*** 421,430 ****
+ port = SSH_DEFAULT_PORT;
+ }
+
+- /* Map localhost to ip-address locally */
+- if (strcmp(host, "localhost") == 0)
+- host = "127.0.0.1";
+-
+ /* If a proxy command is given, connect using it. */
+ if (proxy_command != NULL && *proxy_command)
+ return ssh_proxy_connect(host, port, original_real_uid, proxy_command,
+--- 451,456 ----
+***************
+*** 432,440 ****
+
+ /* No proxy command. */
+
+! /* No host lookup made yet. */
+! hp = NULL;
+!
+ /* Try to connect several times. On some machines, the first time will
+ sometimes fail. In general socket code appears to behave quite
+ magically on many machines. */
+--- 458,495 ----
+
+ /* No proxy command. */
+
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", port);
+! #if defined(SOCKS)
+! if ((gaierr = Rgetaddrinfo(host, strport, &hints, &aitop)) != 0)
+! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
+! #else /* SOCKS */
+! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
+! #endif /* SOCKS */
+!
+! #ifdef ENABLE_ANOTHER_PORT_TRY
+! if (another_port)
+! {
+! aitmp = aitop;
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", another_port);
+! #if defined(SOCKS)
+! if ((gaierr = Rgetaddrinfo(host, strport, &hints, &aitop)) != 0)
+! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
+! #else /* SOCKS */
+! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr));
+! #endif /* SOCKS */
+! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+! ai->ai_next = aitmp;
+! }
+! #endif /* ENABLE_ANOTHER_PORT_TRY */
+!
+ /* Try to connect several times. On some machines, the first time will
+ sometimes fail. In general socket code appears to behave quite
+ magically on many machines. */
+***************
+*** 443,545 ****
+ if (attempt > 0)
+ debug("Trying again...");
+
+- /* Try to parse the host name as a numeric inet address. */
+- memset(&hostaddr, 0, sizeof(hostaddr));
+- hostaddr.sin_family = AF_INET;
+- hostaddr.sin_port = htons(port);
+- #ifdef BROKEN_INET_ADDR
+- hostaddr.sin_addr.s_addr = inet_network(host);
+- #else /* BROKEN_INET_ADDR */
+- hostaddr.sin_addr.s_addr = inet_addr(host);
+- #endif /* BROKEN_INET_ADDR */
+- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
+- {
+- /* Create a socket. */
+- sock = ssh_create_socket(original_real_uid,
+- !anonymous && geteuid() == UID_ROOT);
+-
+- /* Valid numeric IP address */
+- debug("Connecting to %.100s port %d.",
+- inet_ntoa(hostaddr.sin_addr), port);
+-
+- /* Connect to the host. */
+- #if defined(SOCKS)
+- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
+- #else /* SOCKS */
+- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr))
+- #endif /* SOCKS */
+- >= 0)
+- {
+- /* Successful connect. */
+- break;
+- }
+- debug("connect: %.100s", strerror(errno));
+-
+- /* Destroy the failed socket. */
+- shutdown(sock, 2);
+- close(sock);
+- }
+- else
+- {
+- /* Not a valid numeric inet address. */
+- /* Map host name to an address. */
+- if (!hp)
+- {
+- struct hostent *hp_static;
+-
+- #if defined(SOCKS5)
+- hp_static = Rgethostbyname(host);
+- #else
+- hp_static = gethostbyname(host);
+- #endif
+- if (hp_static)
+- {
+- hp = xmalloc(sizeof(struct hostent));
+- memcpy(hp, hp_static, sizeof(struct hostent));
+-
+- /* Copy list of addresses, not just pointers.
+- We don't use h_name & h_aliases so leave them as is */
+- for (i = 0; hp_static->h_addr_list[i]; i++)
+- ; /* count them */
+- hp->h_addr_list = xmalloc((i + 1) *
+- sizeof(hp_static->h_addr_list[0]));
+- for (i = 0; hp_static->h_addr_list[i]; i++)
+- {
+- hp->h_addr_list[i] = xmalloc(hp->h_length);
+- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i],
+- hp->h_length);
+- }
+- hp->h_addr_list[i] = NULL; /* last one */
+- }
+- }
+- if (!hp)
+- fatal("Bad host name: %.100s", host);
+- if (!hp->h_addr_list[0])
+- fatal("Host does not have an IP address: %.100s", host);
+-
+ /* Loop through addresses for this host, and try each one in
+ sequence until the connection succeeds. */
+! for (i = 0; hp->h_addr_list[i]; i++)
+ {
+! /* Set the address to connect to. */
+! hostaddr.sin_family = hp->h_addrtype;
+! memcpy(&hostaddr.sin_addr, hp->h_addr_list[i],
+! sizeof(hostaddr.sin_addr));
+
+! debug("Connecting to %.200s [%.100s] port %d.",
+! host, inet_ntoa(hostaddr.sin_addr), port);
+
+ /* Create a socket for connecting. */
+ sock = ssh_create_socket(original_real_uid,
+! !anonymous && geteuid() == UID_ROOT);
+
+ /* Connect to the host. */
+ #if defined(SOCKS)
+! if (Rconnect(sock, (struct sockaddr *)&hostaddr,
+! sizeof(hostaddr)) >= 0)
+ #else /* SOCKS */
+! if (connect(sock, (struct sockaddr *)&hostaddr,
+! sizeof(hostaddr)) >= 0)
+ #endif /* SOCKS */
+ {
+ /* Successful connection. */
+--- 498,526 ----
+ if (attempt > 0)
+ debug("Trying again...");
+
+ /* Loop through addresses for this host, and try each one in
+ sequence until the connection succeeds. */
+! for (ai = aitop; ai; ai = ai->ai_next)
+ {
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop, sizeof(ntop), strport, sizeof(strport),
+! NI_NUMERICHOST|NI_NUMERICSERV);
+
+! debug("Connecting to %.200s [%.100s] port %s.",
+! host, ntop, strport);
+
+ /* Create a socket for connecting. */
+ sock = ssh_create_socket(original_real_uid,
+! !anonymous && geteuid() == UID_ROOT,
+! ai->ai_family);
+! if (sock < 0)
+! continue;
+
+ /* Connect to the host. */
+ #if defined(SOCKS)
+! if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ #else /* SOCKS */
+! if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0)
+ #endif /* SOCKS */
+ {
+ /* Successful connection. */
+***************
+*** 552,573 ****
+ returned an error. */
+ shutdown(sock, 2);
+ close(sock);
+! }
+! if (hp->h_addr_list[i])
+ break; /* Successful connection. */
+- }
+
+ /* Sleep a moment before retrying. */
+ sleep(1);
+ }
+
+! if (hp)
+! {
+! for (i = 0; hp->h_addr_list[i]; i++)
+! xfree(hp->h_addr_list[i]);
+! xfree(hp->h_addr_list);
+! xfree(hp);
+! }
+
+ /* Return failure if we didn't get a successful connection. */
+ if (attempt >= connection_attempts)
+--- 533,547 ----
+ returned an error. */
+ shutdown(sock, 2);
+ close(sock);
+! } /* for (ai = aitop; ai; ai = ai->ai_next) */
+! if (ai)
+ break; /* Successful connection. */
+
+ /* Sleep a moment before retrying. */
+ sleep(1);
+ }
+
+! freeaddrinfo(aitop);
+
+ /* Return failure if we didn't get a successful connection. */
+ if (attempt >= connection_attempts)
+***************
+*** 946,952 ****
+ int ap_opts, ret_stat = 0;
+ krb5_keyblock *session_key = 0;
+ krb5_ap_rep_enc_part *repl = 0;
+! struct sockaddr_in local, foreign;
+
+ memset(&auth, 0 , sizeof(auth));
+ remotehost = (char *) get_canonical_hostname();
+--- 920,926 ----
+ int ap_opts, ret_stat = 0;
+ krb5_keyblock *session_key = 0;
+ krb5_ap_rep_enc_part *repl = 0;
+! struct sockaddr_storage local, foreign;
+
+ memset(&auth, 0 , sizeof(auth));
+ remotehost = (char *) get_canonical_hostname();
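Review bot: In the non-rresvport branch of ssh_create_socket, the address list is released twice when every port from 1023 down to 513 is in use: the EADDRINUSE path calls `freeaddrinfo(ai)` before `continue`, and the `freeaddrinfo(ai)` added after the loop then frees the same pointer again. Replacing `fatal` with `error` for socket() and bind() also lets the loop carry on, so a bind failure other than EADDRINUSE leaks a socket and an addrinfo list on each remaining iteration, and on exhaustion the function appears to hand back an already-closed descriptor that the new `if (sock < 0)` check in ssh_connect cannot catch. The sketch below releases both resources on every failure path and leaves `sock` negative when no port was bound; ssh_create_socket continues outside the hunk, so how `sock` is used afterwards should be checked. Separately, the `sprintf(strport, "%d", ...)` calls would be safer as `snprintf(strport, sizeof(strport), "%d", ...)`, since the size behind PORTSTRLEN is not visible here.

```c
      for (p = 1023; p > 512; p--)
        {
          sock = socket(family, SOCK_STREAM, 0);
          if (sock < 0)
            {
              error("socket: %.100s", strerror(errno));
              break;
            }
          /* … unchanged: hints setup, getaddrinfo, bind attempt with break on success … */
          {
            int bind_errno = errno;   /* close() may overwrite errno */

            close(sock);
            sock = -1;                /* nothing bound on this iteration */
            freeaddrinfo(ai);
            ai = NULL;                /* released here, not again after the loop */
            if (bind_errno != EADDRINUSE)
              {
                error("bind: %.100s", strerror(bind_errno));
                break;
              }
          }
        }
      if (ai != NULL)
        freeaddrinfo(ai);
```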
diff --git a/picobsd/ssh-picobsd/files/patch-ao b/picobsd/ssh-picobsd/files/patch-ao
new file mode 100644
index 00000000000..0c5f76b3ed1
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ao
@@ -0,0 +1,583 @@
+*** newchannels.c.orig Tue Jan 11 20:38:09 2000
+--- newchannels.c Tue Jan 11 20:38:02 2000
+***************
+*** 282,287 ****
+--- 282,292 ----
+ #endif /* NEED_SYS_SYSLOG_H */
+ #endif /* LIBWRAP */
+
++ #ifdef __FreeBSD__
++ #include <utmp.h>
++ #include <osreldate.h>
++ #endif
++
+ /* Directory in which the fake unix-domain X11 displays reside. */
+ #ifndef X11_DIR
+ #define X11_DIR "/tmp/.X11-unix"
+***************
+*** 1405,1417 ****
+ int host_port, int gatewayports)
+ {
+ int ch, sock;
+! struct sockaddr_in sin;
+
+ if (strlen(host) > sizeof(channels[0].path) - 1)
+ packet_disconnect("Forward host name too long.");
+
+ /* Create a port to listen for the host. */
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ packet_disconnect("socket: %.100s", strerror(errno));
+
+--- 1410,1438 ----
+ int host_port, int gatewayports)
+ {
+ int ch, sock;
+! struct addrinfo hints, *ai, *aitop;
+! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+
+ if (strlen(host) > sizeof(channels[0].path) - 1)
+ packet_disconnect("Forward host name too long.");
+
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = IPv4or6;
++ hints.ai_flags = gatewayports ? AI_PASSIVE : 0;
++ hints.ai_socktype = SOCK_STREAM;
++ sprintf(strport, "%d", port);
++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
++ packet_disconnect("getaddrinfo: fatal error");
++
++ for (ai = aitop; ai; ai = ai->ai_next)
++ {
++
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV);
++
+ /* Create a port to listen for the host. */
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ packet_disconnect("socket: %.100s", strerror(errno));
+
+***************
+*** 1421,1441 ****
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! /* Initialize socket address. */
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! if (gatewayports)
+! sin.sin_addr.s_addr = INADDR_ANY;
+! else
+! #ifdef BROKEN_INET_ADDR
+! sin.sin_addr.s_addr = inet_network("127.0.0.1");
+! #else /* BROKEN_INET_ADDR */
+! sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+! #endif /* BROKEN_INET_ADDR */
+! sin.sin_port = htons(port);
+!
+ /* Bind the socket to the address. */
+! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ packet_disconnect("bind: %.100s", strerror(errno));
+
+ /* Start listening for connections on the socket. */
+--- 1442,1451 ----
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! debug("Listening on %s port %s.", ntop, strport);
+!
+ /* Bind the socket to the address. */
+! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ packet_disconnect("bind: %.100s", strerror(errno));
+
+ /* Start listening for connections on the socket. */
+***************
+*** 1448,1453 ****
+--- 1458,1466 ----
+ strcpy(channels[ch].path, host); /* note: host name stored here */
+ channels[ch].host_port = host_port; /* port on host to connect to */
+ channels[ch].listening_port = port; /* port being listened */
++
++ } /* for (ai = aitop; ai; ai = ai->ai_next) */
++ freeaddrinfo(aitop);
+ }
+
+ /* Initiate forwarding of connections to port "port" on remote host through
+***************
+*** 1636,1644 ****
+ void channel_input_port_open(void)
+ {
+ int remote_channel, sock, newch, host_port, i;
+- struct sockaddr_in sin;
+ char *host, *originator_string;
+! struct hostent *hp;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+--- 1649,1658 ----
+ void channel_input_port_open(void)
+ {
+ int remote_channel, sock, newch, host_port, i;
+ char *host, *originator_string;
+! struct addrinfo hints, *ai, *aitop;
+! char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+! int gaierr;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+***************
+*** 1678,1713 ****
+ }
+ }
+
+! memset(&sin, 0, sizeof(sin));
+! #ifdef BROKEN_INET_ADDR
+! sin.sin_addr.s_addr = inet_network(host);
+! #else /* BROKEN_INET_ADDR */
+! sin.sin_addr.s_addr = inet_addr(host);
+! #endif /* BROKEN_INET_ADDR */
+! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
+! {
+! /* It was a valid numeric host address. */
+! sin.sin_family = AF_INET;
+! }
+! else
+ {
+! /* Look up the host address from the name servers. */
+! hp = gethostbyname(host);
+! if (!hp)
+! {
+! error("%.100s: unknown host.", host);
+! goto fail;
+! }
+! if (!hp->h_addr_list[0])
+! {
+! error("%.100s: host has no IP address.", host);
+! goto fail;
+! }
+! sin.sin_family = hp->h_addrtype;
+! memcpy(&sin.sin_addr, hp->h_addr_list[0],
+! sizeof(sin.sin_addr));
+ }
+- sin.sin_port = htons(host_port);
+
+ #ifdef F_SECURE_COMMERCIAL
+
+--- 1692,1706 ----
+ }
+ }
+
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", host_port);
+! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
+ {
+! error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
+! goto fail;
+ }
+
+ #ifdef F_SECURE_COMMERCIAL
+
+***************
+*** 1744,1751 ****
+
+ #endif /* F_SECURE_COMMERCIAL */
+
+ /* Create the socket. */
+! sock = socket(sin.sin_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+--- 1737,1751 ----
+
+ #endif /* F_SECURE_COMMERCIAL */
+
++ for (ai = aitop; ai; ai = ai->ai_next)
++ {
++
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ ntop, sizeof(ntop), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV);
++
+ /* Create the socket. */
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+***************
+*** 1753,1767 ****
+ }
+
+ /* Connect to the host/port. */
+! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+! error("connect %.100s:%d: %.100s", host, host_port,
+! strerror(errno));
+ close(sock);
+ goto fail;
+ }
+
+ /* Successful connection. */
+
+ #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN)
+ (void)fcntl(sock, F_SETFL, O_NONBLOCK);
+--- 1753,1777 ----
+ }
+
+ /* Connect to the host/port. */
+! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+! debug("connect %.100s port %s: %.100s", ntop, strport, strerror(errno));
+ close(sock);
++ continue; /* fail -- try next */
++ }
++ break; /* success */
++
++ } /* for (ai = aitop; ai; ai = ai->ai_next) */
++ freeaddrinfo(aitop);
++
++ if (!ai)
++ {
++ error("connect %.100s:%d: failed.", host, host_port);
+ goto fail;
+ }
+
+ /* Successful connection. */
++ debug("Connecting to %.200s [%.100s] port %s.", host, ntop, strport);
+
+ #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN)
+ (void)fcntl(sock, F_SETFL, O_NONBLOCK);
+***************
+*** 1803,1809 ****
+ {
+ extern ServerOptions options;
+ int display_number, port, sock;
+! struct sockaddr_in sin;
+ char buf[512];
+ #ifdef HAVE_GETHOSTNAME
+ char hostname[257];
+--- 1813,1822 ----
+ {
+ extern ServerOptions options;
+ int display_number, port, sock;
+! struct addrinfo hints, *ai, *aitop;
+! char strport[PORTSTRLEN];
+! #define NUM_SOCKS 10
+! int gaierr, n, nn, num_socks = 0, socks[NUM_SOCKS];
+ char buf[512];
+ #ifdef HAVE_GETHOSTNAME
+ char hostname[257];
+***************
+*** 1817,1828 ****
+ for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
+ {
+ port = 6000 + display_number;
+! memset(&sin, 0, sizeof(sin));
+! sin.sin_family = AF_INET;
+! sin.sin_addr.s_addr = INADDR_ANY;
+! sin.sin_port = htons(port);
+
+! sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+--- 1830,1850 ----
+ for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
+ {
+ port = 6000 + display_number;
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_flags = AI_PASSIVE;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", port);
+! if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0)
+! {
+! error("getaddrinfo: %.100s", gai_strerror(gaierr));
+! return NULL;
+! }
+!
+! for (ai = aitop; ai; ai = ai->ai_next)
+! {
+
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ error("socket: %.100s", strerror(errno));
+***************
+*** 1835,1847 ****
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+ debug("bind port %d: %.100s", port, strerror(errno));
+ shutdown(sock, 2);
+ close(sock);
+! continue;
+ }
+ break;
+ }
+ if (display_number >= MAX_DISPLAYS)
+--- 1857,1882 ----
+ (void)fcntl(sock, F_SETFL, O_NDELAY);
+ #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */
+
+! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+ debug("bind port %d: %.100s", port, strerror(errno));
+ shutdown(sock, 2);
+ close(sock);
+! for (n = 0; n < num_socks; n++)
+! {
+! shutdown(socks[n], 2);
+! close(socks[n]);
+! }
+! num_socks = 0;
+! break;
+ }
++
++ socks[num_socks++] = sock;
++ if (num_socks == NUM_SOCKS)
++ break;
++ } /* for (ai = aitop; ai; ai = ai->ai_next) */
++
++ if (num_socks > 0)
+ break;
+ }
+ if (display_number >= MAX_DISPLAYS)
+***************
+*** 1851,1863 ****
+--- 1886,1907 ----
+ }
+
+ /* Start listening for connections on the socket. */
++ for (n = 0; n < num_socks; n++)
++ {
++ sock = socks[n];
+ if (listen(sock, 5) < 0)
+ {
+ error("listen: %.100s", strerror(errno));
+ shutdown(sock, 2);
+ close(sock);
++ for (nn = 0; nn < n; nn++)
++ {
++ shutdown(socks[nn], 2);
++ close(socks[nn]);
++ }
+ return NULL;
+ }
++ } /* for (n = 0; n < num_socks; n++) */
+
+ /* Set up a suitable value for the DISPLAY variable. */
+ #ifdef NONSTANDARD_IP_ADDRESS_X11_KLUDGE
+***************
+*** 1868,1877 ****
+ if (gethostname(hostname, sizeof(hostname)) < 0)
+ fatal("gethostname: %.100s", strerror(errno));
+ {
+! struct hostent *hp;
+! struct in_addr addr;
+! hp = gethostbyname(hostname);
+! if (hp == NULL || !hp->h_addr_list[0])
+ {
+ error("Could not get server IP address for %.200s.", hostname);
+ packet_send_debug("Could not get server IP address for %.200s.",
+--- 1912,1922 ----
+ if (gethostname(hostname, sizeof(hostname)) < 0)
+ fatal("gethostname: %.100s", strerror(errno));
+ {
+! struct addrinfo hints, *ai;
+! char ntop[ADDRSTRLEN];
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! if (getaddrinfo(hostname, NULL, &hints, &ai) != 0 || !ai)
+ {
+ error("Could not get server IP address for %.200s.", hostname);
+ packet_send_debug("Could not get server IP address for %.200s.",
+***************
+*** 1880,1888 ****
+ close(sock);
+ return NULL;
+ }
+! memcpy(&addr, hp->h_addr_list[0], sizeof(addr));
+ snprintf(buf, sizeof(buf),
+! "%.100s:%d.%d", inet_ntoa(addr), display_number,
+ screen_number);
+ }
+ #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
+--- 1925,1934 ----
+ close(sock);
+ return NULL;
+ }
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
+ snprintf(buf, sizeof(buf),
+! "%.100s:%d.%d", ntop, display_number,
+ screen_number);
+ }
+ #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
+***************
+*** 1891,1896 ****
+--- 1937,1945 ----
+ fatal("gethostname: %.100s", strerror(errno));
+ snprintf(buf, sizeof(buf),
+ "%.400s:%d.%d", hostname, display_number, screen_number);
++ #if __FreeBSD_version >= 320000
++ trimdomain(buf, UT_HOSTSIZE);
++ #endif
+ #else /* HAVE_GETHOSTNAME */
+ if (uname(&uts) < 0)
+ fatal("uname: %.100s", strerror(errno));
+***************
+*** 1900,1907 ****
+--- 1949,1960 ----
+ #endif /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */
+
+ /* Allocate a channel for the socket. */
++ for (n = 0; n < num_socks; n++)
++ {
++ sock = socks[n];
+ (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
+ xstrdup("X11 inet listener"));
++ } /* for (n = 0; n < num_socks; n++) */
+
+ /* Return a suitable value for the DISPLAY environment variable. */
+ return xstrdup(buf);
+***************
+*** 1916,1924 ****
+ int remote_channel, display_number, sock, newch;
+ const char *display;
+ struct sockaddr_un ssun;
+- struct sockaddr_in sin;
+ char buf[255], *cp, *remote_host;
+! struct hostent *hp;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+--- 1969,1978 ----
+ int remote_channel, display_number, sock, newch;
+ const char *display;
+ struct sockaddr_un ssun;
+ char buf[255], *cp, *remote_host;
+! struct addrinfo hints, *ai, *aitop;
+! char strport[PORTSTRLEN];
+! int gaierr;
+
+ /* Get remote channel number. */
+ remote_channel = packet_get_int();
+***************
+*** 2058,2110 ****
+ goto fail;
+ }
+
+! /* Try to parse the host name as a numeric IP address. */
+! memset(&sin, 0, sizeof(sin));
+! #ifdef BROKEN_INET_ADDR
+! sin.sin_addr.s_addr = inet_network(buf);
+! #else /* BROKEN_INET_ADDR */
+! sin.sin_addr.s_addr = inet_addr(buf);
+! #endif /* BROKEN_INET_ADDR */
+! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
+ {
+! /* It was a valid numeric host address. */
+! sin.sin_family = AF_INET;
+ }
+! else
+ {
+- /* Not a numeric IP address. */
+- /* Look up the host address from the name servers. */
+- hp = gethostbyname(buf);
+- if (!hp)
+- {
+- error("%.100s: unknown host.", buf);
+- goto fail;
+- }
+- if (!hp->h_addr_list[0])
+- {
+- error("%.100s: host has no IP address.", buf);
+- goto fail;
+- }
+- sin.sin_family = hp->h_addrtype;
+- memcpy(&sin.sin_addr, hp->h_addr_list[0],
+- sizeof(sin.sin_addr));
+- }
+- /* Set port number. */
+- sin.sin_port = htons(6000 + display_number);
+
+ /* Create a socket. */
+! sock = socket(sin.sin_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+! error("socket: %.100s", strerror(errno));
+! goto fail;
+ }
+ /* Connect it to the display. */
+! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+ {
+! error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
+ strerror(errno));
+ close(sock);
+ goto fail;
+ }
+
+--- 2112,2155 ----
+ goto fail;
+ }
+
+! /* Look up the host address */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", 6000 + display_number);
+! if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0)
+ {
+! error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
+! goto fail;
+ }
+!
+! for (ai = aitop; ai; ai = ai->ai_next)
+ {
+
+ /* Create a socket. */
+! sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+! debug("socket: %.100s", strerror(errno));
+! continue;
+ }
+ /* Connect it to the display. */
+! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0)
+ {
+! debug("connect %.100s:%d: %.100s", buf, 6000 + display_number,
+ strerror(errno));
+ close(sock);
++ continue;
++ }
++ /* Success */
++ break;
++
++ } /* (ai = aitop, ai; ai = ai->ai_next) */
++ freeaddrinfo(aitop);
++ if (!ai)
++ {
++ error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
++ strerror(errno));
+ goto fail;
+ }
+
+***************
+*** 2412,2417 ****
+--- 2457,2466 ----
+ ssh-agent connections on your system */
+ old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+
++ /* Make sure the socket doesn't already exist, left over from a system
++ crash perhaps. */
++ unlink(channel_forwarded_auth_socket_name);
++
+ if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
+ packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
+
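Review bot: In x11_create_display_inet the list returned by `getaddrinfo(NULL, strport, &hints, &aitop)` is never released in the lines shown, so every display number tried leaks one list; a `freeaddrinfo(aitop);` after the `for (ai = aitop; ...)` loop would match the other functions converted in this patch. Now that several listeners are held in `socks[]`, the unchanged `close(sock); return NULL;` in the NONSTANDARD_IP_ADDRESS_X11_KLUDGE error path closes only the last of them and leaves the rest bound to the X11 port. The listen() failure path has the same gap for `socks[n+1]` onwards, because its cleanup loop stops at `nn < n`. Both paths should close the whole array, `for (n = 0; n < num_socks; n++) { shutdown(socks[n], 2); close(socks[n]); }`. The function is only partly visible in these hunks, so a release in context that is not shown cannot be ruled out.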
diff --git a/picobsd/ssh-picobsd/files/patch-aw b/picobsd/ssh-picobsd/files/patch-aw
new file mode 100644
index 00000000000..697f32393bf
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-aw
@@ -0,0 +1,73 @@
+*** login.c.orig Tue Jan 11 20:36:37 2000
+--- login.c Tue Jan 11 20:36:34 2000
+***************
+*** 117,122 ****
+--- 117,125 ----
+ #include <hpsecurity.h>
+ #include <prot.h>
+ #endif /* HAVE_HPUX_TCB_AUTH */
++ #ifdef __FreeBSD__
++ #include <osreldate.h>
++ #endif
+ #include "ssh.h"
+
+ /* Returns the time when the user last logged in. Returns 0 if the
+***************
+*** 255,261 ****
+ were more standardized. */
+
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr_in *addr)
+ {
+ int fd;
+
+--- 258,264 ----
+ were more standardized. */
+
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr *addr)
+ {
+ int fd;
+
+***************
+*** 301,317 ****
+ strncpy(u.ut_user, user, sizeof(u.ut_user));
+ #endif /* HAVE_NAME_IN_UTMP */
+ #ifdef HAVE_HOST_IN_UTMP
+- strncpy(u.ut_host, host, sizeof(u.ut_host));
+ #ifdef __FreeBSD__
+ if (strlen(host) > sizeof(u.ut_host)) {
+ strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
+! }
+ #endif /* __FreeBSD__ */
+ #endif /* HAVE_HOST_IN_UTMP */
+ #ifdef HAVE_ADDR_IN_UTMP
+ if (addr)
+ memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr));
+ else
+ memset(&u.ut_addr, 0, sizeof(u.ut_addr));
+ #endif
+
+--- 304,325 ----
+ strncpy(u.ut_user, user, sizeof(u.ut_user));
+ #endif /* HAVE_NAME_IN_UTMP */
+ #ifdef HAVE_HOST_IN_UTMP
+ #ifdef __FreeBSD__
++ #if __FreeBSD_version >= 320000
++ trimdomain(host, sizeof u.ut_host);
++ #endif
+ if (strlen(host) > sizeof(u.ut_host)) {
+ strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host));
+! } else
+ #endif /* __FreeBSD__ */
++ strncpy(u.ut_host, host, sizeof(u.ut_host));
+ #endif /* HAVE_HOST_IN_UTMP */
+ #ifdef HAVE_ADDR_IN_UTMP
++ #if 0 /* XXX */
+ if (addr)
+ memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr));
+ else
++ #endif /* XXX */
+ memset(&u.ut_addr, 0, sizeof(u.ut_addr));
+ #endif
+
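Review bot: In record_login the new `#if 0 /* XXX */` leaves `u.ut_addr` zeroed whenever HAVE_ADDR_IN_UTMP is set, so login records no longer carry the peer address even for IPv4 sessions, which weakens the audit trail. Now that `addr` is a `struct sockaddr *`, the IPv4 case can be kept with `if (addr && addr->sa_family == AF_INET) memcpy(&u.ut_addr, &((struct sockaddr_in *)addr)->sin_addr, sizeof(u.ut_addr)); else` ahead of the memset. The XXX also deserves a comment saying what is still open for IPv6. Separately, `trimdomain(host, sizeof u.ut_host)` is handed a `const char *host`; if trimdomain edits the string in place, as its use here suggests, it should operate on a local copy. The body of record_login continues outside these hunks.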
diff --git a/picobsd/ssh-picobsd/files/patch-ax b/picobsd/ssh-picobsd/files/patch-ax
new file mode 100644
index 00000000000..c4a114fc306
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ax
@@ -0,0 +1,25 @@
+--- rsaglue.c.orig Tue Nov 9 11:12:32 1999
++++ rsaglue.c Tue Nov 9 11:17:58 1999
+@@ -139,6 +139,10 @@
+
+ input_bits = mpz_sizeinbase(input, 2);
+ input_len = (input_bits + 7) / 8;
++ if(input_bits > MAX_RSA_MODULUS_BITS)
++ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
++ input_bits, MAX_RSA_MODULUS_BITS);
++
+ gmp_to_rsaref(input_data, input_len, input);
+
+ rsaref_public_key(&public_key, key);
+@@ -172,6 +176,10 @@
+
+ input_bits = mpz_sizeinbase(input, 2);
+ input_len = (input_bits + 7) / 8;
++ if(input_bits > MAX_RSA_MODULUS_BITS)
++ fatal("Received session key too long (%d bits, %d max) (malicious?).",
++ input_bits, MAX_RSA_MODULUS_BITS);
++
+ gmp_to_rsaref(input_data, input_len, input);
+
+ rsaref_private_key(&private_key, key);
+
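Review bot: The two new guards compare `input_bits` with MAX_RSA_MODULUS_BITS, but nothing in the hunk says which buffer they protect, and `input_data` is declared outside the visible lines. A comment such as `/* input_data holds at most MAX_RSA_MODULUS_BITS bits; reject before gmp_to_rsaref() copies input_len bytes into it */` would make the invariant explicit, once the declaration is confirmed to match. If `input_bits` is not a plain int, the `%d` conversions in both fatal() calls need a matching cast. Both functions start and end outside the hunks.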
diff --git a/picobsd/ssh-picobsd/files/patch-ay b/picobsd/ssh-picobsd/files/patch-ay
new file mode 100644
index 00000000000..71daac2ca4a
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ay
@@ -0,0 +1,20 @@
+--- rsaglue.c 1999/12/10 23:27:25 1.8
++++ rsaglue.c 2001/02/03 09:42:05
+@@ -264,7 +268,15 @@
+ mpz_clear(&aux);
+
+ if (value[0] != 0 || value[1] != 2)
+- fatal("Bad result from rsa_private_decrypt");
++ {
++ static time_t last_kill_time = 0;
++ if (time(NULL) - last_kill_time > 60 && getppid() != 1)
++ {
++ last_kill_time = time(NULL);
++ kill(getppid(), SIGALRM);
++ }
++ fatal("Bad result from rsa_private_decrypt");
++ }
+
+ for (i = 2; i < len && value[i]; i++)
+ ;
+
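Review bot: The 60-second throttle around `kill(getppid(), SIGALRM)` cannot take effect as written, because `last_kill_time` is a static in the same process that calls `fatal()` on the very next statement. Assuming fatal() terminates the process and each connection is served by its own child, every bad decrypt therefore signals the parent. Failed connections can then drive whatever the parent does on SIGALRM as often as they occur, so the rate limit belongs in the parent's handler rather than here. The block also needs a comment saying what the signal is for, for example `/* tell the parent a private-key decrypt failed (presumably so it replaces the server key); throttling must happen in the parent */`. The enclosing function starts and ends outside the hunk.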
diff --git a/picobsd/ssh-picobsd/files/patch-az b/picobsd/ssh-picobsd/files/patch-az
new file mode 100644
index 00000000000..e09b6edda90
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-az
@@ -0,0 +1,12 @@
+--- deattack.c-old Wed Feb 7 19:45:16 2001
++++ deattack.c Wed Feb 7 19:54:11 2001
+@@ -79,7 +79,7 @@
+ detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
+ {
+ static word16 *h = (word16 *) NULL;
+- static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
++ static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ register word32 i, j;
+ word32 l;
+ register unsigned char *c;
+
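Review bot: The widening of `n` from word16 to word32 in detect_attack carries no comment, so nothing stops a later cleanup from narrowing it again. Since `len` is a word32 and `n` presumably grows with it to size the table behind `h`, a note like `/* must be as wide as len: a 16-bit count can wrap while being scaled up, leaving h undersized */` should sit on the declaration. The allocation and indexing that use `n` are outside the hunk, so it is worth confirming that every expression that multiplies `n` by HASH_ENTRYSIZE is also evaluated in 32 bits or wider.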
diff --git a/picobsd/ssh-picobsd/files/patch-ba b/picobsd/ssh-picobsd/files/patch-ba
new file mode 100644
index 00000000000..69ad90067e8
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ba
@@ -0,0 +1,176 @@
+*** README-IPv6.orig Mon Jan 10 22:56:13 2000
+--- README-IPv6 Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,171 ----
++ ssh-1.2.27-IPv6 version 1.5 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * ssh-1.2.27-IPv6 can handle both IPv4 and IPv6.
++
++ To enable sshd/ssh to handle both IPv4 and IPv6,
++
++ ./configure --enable-ipv6
++
++ Otherwise sshd/ssh handle IPv4 only as same as original ssh.
++
++ * You can have multiple ListenAddress lines in /etc/sshd_config.
++ It means that sshd can listen multiple addresses.
++
++ Example1: sshd will bind on these four adresses.
++
++ ListenAddress 202.249.17.50
++ ListenAddress 202.249.17.137
++ ListenAddress 3ffe:501:c0b::1
++ ListenAddress 3ffe:501:c0b:20:2a0:c9ff:fe3e:f5fc
++
++ Example2: as same as example1.
++ (Because bertemu.rcac.tdi.co.jp has these four addresses.)
++
++ ListenAddress bertemu.rcac.tdi.co.jp
++
++ Example3: sshd will bind on any address both IPv4 and IPv6.
++
++ ListenAddress ::
++ ListenAddress 0.0.0.0
++
++ Example4: as same as example3.
++
++ No ListenAddress line in /etc/sshd_config.
++
++ * You don't mind whether the host has IPv4 or IPv6 address.
++ You can also specify using only IPv4 (or only IPv6).
++
++ Example1: ssh will try all IPv4 and IPv6 addresses that the host has.
++
++ ssh host
++
++ Example2: ssh will try all IPv4 addresses that the host has.
++
++ ssh -4 host
++
++ Example3: ssh will try all IPv6 addresses that the host has.
++
++ ssh -6 host
++
++ * You can have multiple Port lines in /etc/sshd_config and -p options.
++ It means that sshd can listen multiple ports, not only port 22.
++
++ For example, you run sshd that listens port 22 and port 722,
++ and you can use port 22 for slogin and port 722 for scp.
++ It's useful if you have preference for interactive traffic in the router.
++
++ You can have "AnotherPort 722" line in /etc/ssh_config or your
++ config file (maybe ~/.ssh/config). In this case, ssh with -A option
++ try to connect to port 722 at first, and try to connect to original
++ port (maybe port 22) if port 722 fails. scp executes ssh with -A option.
++
++ * IPv6 supported platform
++
++ IPv6 feature is available on follwing platforms now.
++
++ kame -- http://www.kame.net/ (used to be called Hydrangea)
++ v6d -- http://onoe2.sm.sony.co.jp/ipv6/ (IPv6 daemon)
++
++ On the other environments you can compile and run ssh-1.2.27-IPv6 if
++ you have a good getaddrinfo() in your library.
++
++ * How to get ssh-1.2.27-IPv6
++
++ You can get tar.gz or patch to ssh-1.2.27.tar.gz:
++
++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5.tar.gz
++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5-patch.gz
++
++ * How to install ssh-1.2.27-IPv6
++
++ Apply ssh-1.2.27-IPv6-1.5-patch to ssh-1.2.27.tar.gz (or use
++ ssh-1.2.27-IPv6-1.5.tar.gz) and then see INSTALL file of ssh-1.2.27.
++
++ If you want to enable ssh to handle IPv6, for example,
++
++ % ./configure --enable-ipv6
++ % make
++ % make install
++
++ and you will be able to enjoy ssh handling both IPv6 and IPv4.
++
++ * Change Log
++
++ v1.5 1999-05-15 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * for ssh-1.2.27
++ * supported scp with bracketed ipv6 ip address
++ * used struct sockaddr_storage instead of union sockunion
++
++ v1.4 1998-08-21 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed ipv6 address checking bug at match_host() in match.c
++ * cleanup comparing ip address at get_remote_hostname() in canohost.c
++
++ v1.3 1998-08-14 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed ipv6 address checking bug at match_host() in match.c
++ pointed out by Kenji Rikitake <kenji@k2r.org>
++
++ v1.2.2 1998-08-07 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed IPv6 enable checking bug in configure.in
++
++ v1.2.1 1998-08-05 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * fixed AuthLog enable handling bug
++
++ v1.2 1998-08-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * for ssh-1.2.26
++
++ v1.1.5 1998-06-13 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * supported AuthLog (logging authenticated info) in /etc/sshd_config
++
++ v1.1.4 1998-06-11 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * supported multiple Port lines in /etc/sshd_config
++ * supported AnotherPort line in /etc/ssh_config
++ * supported -A option of ssh for another port try
++
++ v1.1.3 1998-06-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * X11 connection forwarding IPv6 support
++ * removeed all hostent and sockaddr_in from *.c
++
++ v1.1.2 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org>
++
++ * configuration support for v6d.
++
++ v1.1.1 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org>
++
++ * add getaddinfo.c, getnameinfo.c and gai.h (delete fakelibinet6.c)
++ * configure checks whether getaddrinfo exists or not.
++
++ v1.1 1998-05-31 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * add fakelibinet6.c (including getaddrinfo and getnameinfo)
++ * compilation support on non-IPv6 environment.
++ * fixed port forwarding bug
++
++ v1.0.1 1998-05-30 Jun-ichiro itojun Itoh <itojun@itojun.org>
++
++ * add ENABLE_IPV6 flag.
++ * configuration support --enable-ipv6 for IPv6 platforms.
++
++ v1.0 1998-05-30 created by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp>
++
++ * first release
++ * IPv6 support except X11 connection forwarding
++
++ * Guideline for making this patch
++
++ * protocol family independent (using AF_UNSPEC)
++ * use getaddrinfo and getnameinfo (see RFC2133)
++ * don't use sockaddr_in and AF_INET (but option -4 uses AF_INET)
++ * don't use sockaddr_in6 and AF_INET6 (but option -6 uses AF_INET6)
++ * don't use gethostbyname, gethostbyaddr and hostent
++ * listen to all addresses for all available protocol family
++ * try to connect to all addresses for all available protocol family
++
diff --git a/picobsd/ssh-picobsd/files/patch-bb b/picobsd/ssh-picobsd/files/patch-bb
new file mode 100644
index 00000000000..945e1fd83b2
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bb
@@ -0,0 +1,29 @@
+*** acconfig.h.orig Wed May 12 13:19:23 1999
+--- acconfig.h Mon Jan 10 22:56:13 2000
+***************
+*** 274,279 ****
+--- 274,297 ----
+ /etc/nologin.allow. */
+ #undef NOLOGIN_ALLOW
+
++ /* Define this if you have struct sockaddr_storage. */
++ #undef HAVE_SOCKADDR_STORAGE
++
++ /* Define this if you have __sa_family in struct sockaddr_storage. */
++ #undef HAVE_NEW_SS_FAMILY
++
++ /* Define this if you have ss_len in struct sockaddr. */
++ #undef HAVE_SOCKADDR_LEN
++
++ /* Define this if you want to enable IPv6 support. */
++ #undef ENABLE_IPV6
++
++ /* Define this if you want to enable another port try support. */
++ #undef ENABLE_ANOTHER_PORT_TRY
++
++ /* Define this if you want to enable logging auth info support. */
++ #undef ENABLE_LOG_AUTH
++
+ /* Where to find the X11 socket */
+ #undef X11_DIR
+
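Review bot: Two of the new template comments name the wrong member: HAVE_NEW_SS_FAMILY says `__sa_family` and HAVE_SOCKADDR_LEN says `ss_len in struct sockaddr`, while the configure.in checks added in patch-be grep sys/socket.h for `__ss_family` and `sa_len`. I'd write `/* Define this if you have __ss_family in struct sockaddr_storage. */` and `/* Define this if you have sa_len in struct sockaddr. */`. The same text is repeated in the config.h.in hunk of patch-bd.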
diff --git a/picobsd/ssh-picobsd/files/patch-bc b/picobsd/ssh-picobsd/files/patch-bc
new file mode 100644
index 00000000000..63b079f2e35
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bc
@@ -0,0 +1,401 @@
+*** canohost.c.orig Wed May 12 13:19:24 1999
+--- canohost.c Mon Jan 10 22:56:13 2000
+***************
+*** 59,68 ****
+
+ char *get_remote_hostname(int socket)
+ {
+! struct sockaddr_in from;
+ int fromlen, i;
+! struct hostent *hp;
+ char name[255];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+--- 59,69 ----
+
+ char *get_remote_hostname(int socket)
+ {
+! struct sockaddr_storage from;
+ int fromlen, i;
+! struct addrinfo hints, *ai, *aitop;
+ char name[255];
++ char ntop[ADDRSTRLEN], ntop2[ADDRSTRLEN];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+***************
+*** 73,86 ****
+ strcpy(name, "UNKNOWN");
+ goto check_ip_options;
+ }
+
+ /* Map the IP address to a host name. */
+! hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr),
+! from.sin_family);
+! if (hp)
+ {
+ /* Got host name. */
+- strncpy(name, hp->h_name, sizeof(name));
+ name[sizeof(name) - 1] = '\0';
+
+ /* Convert it to all lowercase (which is expected by the rest of this
+--- 74,89 ----
+ strcpy(name, "UNKNOWN");
+ goto check_ip_options;
+ }
++
++ getnameinfo((struct sockaddr *)&from, fromlen,
++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
+
+ /* Map the IP address to a host name. */
+! if (getnameinfo((struct sockaddr *)&from, fromlen,
+! name, sizeof(name),
+! NULL, 0, NI_NAMEREQD) == 0)
+ {
+ /* Got host name. */
+ name[sizeof(name) - 1] = '\0';
+
+ /* Convert it to all lowercase (which is expected by the rest of this
+***************
+*** 95,119 ****
+ Mapping from name to IP address can be trusted better (but can still
+ be fooled if the intruder has access to the name server of the
+ domain). */
+! hp = gethostbyname(name);
+! if (!hp)
+ {
+ log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
+! strcpy(name, inet_ntoa(from.sin_addr));
+ goto check_ip_options;
+ }
+ /* Look for the address from the list of addresses. */
+! for (i = 0; hp->h_addr_list[i]; i++)
+! if (memcmp(hp->h_addr_list[i], &from.sin_addr, sizeof(from.sin_addr))
+! == 0)
+! break;
+ /* If we reached the end of the list, the address was not there. */
+! if (!hp->h_addr_list[i])
+ {
+ /* Address not found for the host name. */
+ log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+! inet_ntoa(from.sin_addr), name);
+! strcpy(name, inet_ntoa(from.sin_addr));
+ goto check_ip_options;
+ }
+ /* Address was found for the host name. We accept the host name. */
+--- 98,127 ----
+ Mapping from name to IP address can be trusted better (but can still
+ be fooled if the intruder has access to the name server of the
+ domain). */
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = from.__ss_family;
+! if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
+ {
+ log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name);
+! strcpy(name, ntop);
+ goto check_ip_options;
+ }
+ /* Look for the address from the list of addresses. */
+! for (ai = aitop; ai; ai = ai->ai_next)
+! {
+! getnameinfo(ai->ai_addr, ai->ai_addrlen,
+! ntop2, sizeof(ntop2), NULL, 0, NI_NUMERICHOST);
+! if (strcmp(ntop, ntop2) == 0)
+! break;
+! }
+! freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+! if (!ai)
+ {
+ /* Address not found for the host name. */
+ log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!",
+! ntop, name);
+! strcpy(name, ntop);
+ goto check_ip_options;
+ }
+ /* Address was found for the host name. We accept the host name. */
+***************
+*** 121,127 ****
+ else
+ {
+ /* Host name not found. Use ascii representation of the address. */
+! strcpy(name, inet_ntoa(from.sin_addr));
+ log_msg("Could not reverse map address %.100s.", name);
+ }
+
+--- 129,135 ----
+ else
+ {
+ /* Host name not found. Use ascii representation of the address. */
+! strcpy(name, ntop);
+ log_msg("Could not reverse map address %.100s.", name);
+ }
+
+***************
+*** 136,141 ****
+--- 144,150 ----
+ Notice also that if we just dropped source routing here, the other
+ side could use IP spoofing to do rest of the interaction and could still
+ bypass security. So we exit here if we detect any IP options. */
++ if (from.__ss_family == AF_INET) /* IP options -- IPv4 only */
+ {
+ unsigned char options[200], *ucp;
+ char text[1024], *cp;
+***************
+*** 157,165 ****
+ for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+ sprintf(cp, " %2.2x", *ucp);
+ log_msg("Connection from %.100s with IP options:%.800s",
+! inet_ntoa(from.sin_addr), text);
+ packet_disconnect("Connection from %.100s with IP options:%.800s",
+! inet_ntoa(from.sin_addr), text);
+ }
+ }
+ #endif
+--- 166,174 ----
+ for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3)
+ sprintf(cp, " %2.2x", *ucp);
+ log_msg("Connection from %.100s with IP options:%.800s",
+! ntop, text);
+ packet_disconnect("Connection from %.100s with IP options:%.800s",
+! ntop, text);
+ }
+ }
+ #endif
+***************
+*** 177,183 ****
+ const char *get_canonical_hostname(void)
+ {
+ int fromlen, tolen;
+! struct sockaddr_in from, to;
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_name != NULL)
+--- 186,192 ----
+ const char *get_canonical_hostname(void)
+ {
+ int fromlen, tolen;
+! struct sockaddr_storage from, to;
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_name != NULL)
+***************
+*** 200,207 ****
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
+! memcmp(&from, &to, sizeof(from)) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+--- 209,215 ----
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+***************
+*** 221,228 ****
+
+ const char *get_remote_ipaddr(void)
+ {
+! struct sockaddr_in from, to;
+ int fromlen, tolen, socket;
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_ip != NULL)
+--- 229,237 ----
+
+ const char *get_remote_ipaddr(void)
+ {
+! struct sockaddr_storage from, to;
+ int fromlen, tolen, socket;
++ char ntop[ADDRSTRLEN];
+
+ /* Check if we have previously retrieved this same name. */
+ if (canonical_host_ip != NULL)
+***************
+*** 245,252 ****
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
+! memcmp(&from, &to, sizeof(from)) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+--- 254,260 ----
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_ip_addr;
+
+ no_ip_addr:
+***************
+*** 269,275 ****
+ }
+
+ /* Get the IP address in ascii. */
+! canonical_host_ip = xstrdup(inet_ntoa(from.sin_addr));
+
+ /* Return ip address string. */
+ return canonical_host_ip;
+--- 277,285 ----
+ }
+
+ /* Get the IP address in ascii. */
+! getnameinfo((struct sockaddr *)&from, fromlen,
+! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST);
+! canonical_host_ip = xstrdup(ntop);
+
+ /* Return ip address string. */
+ return canonical_host_ip;
+***************
+*** 279,286 ****
+
+ int get_peer_port(int sock)
+ {
+! struct sockaddr_in from;
+ int fromlen;
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+--- 289,297 ----
+
+ int get_peer_port(int sock)
+ {
+! struct sockaddr_storage from;
+ int fromlen;
++ char strport[PORTSTRLEN];
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+***************
+*** 292,298 ****
+ }
+
+ /* Return port number. */
+! return ntohs(from.sin_port);
+ }
+
+ /* Returns the port number of the remote host. */
+--- 303,311 ----
+ }
+
+ /* Return port number. */
+! getnameinfo((struct sockaddr *)&from, fromlen,
+! NULL, 0, strport, sizeof(strport), NI_NUMERICSERV);
+! return atoi(strport);
+ }
+
+ /* Returns the port number of the remote host. */
+***************
+*** 301,307 ****
+ {
+ int socket;
+ int fromlen, tolen;
+! struct sockaddr_in from, to;
+
+ /* If two different descriptors, check if they are internet-domain, and
+ have the same address. */
+--- 314,320 ----
+ {
+ int socket;
+ int fromlen, tolen;
+! struct sockaddr_storage from, to;
+
+ /* If two different descriptors, check if they are internet-domain, and
+ have the same address. */
+***************
+*** 319,326 ****
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (from.sin_family == AF_INET && to.sin_family == AF_INET &&
+! memcmp(&from, &to, sizeof(from)) == 0)
+ goto return_port;
+
+ no_ip_addr:
+--- 332,338 ----
+ &tolen) < 0)
+ goto no_ip_addr;
+
+! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
+ goto return_port;
+
+ no_ip_addr:
+***************
+*** 335,337 ****
+--- 347,413 ----
+ /* Get and return the peer port number. */
+ return get_peer_port(socket);
+ }
++
++ /* Returns the port of the local of the socket. */
++
++ int get_sock_port(int sock)
++ {
++ struct sockaddr_storage from;
++ int fromlen;
++ char strport[PORTSTRLEN];
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0)
++ {
++ error("getsockname failed: %.100s", strerror(errno));
++ return 0;
++ }
++
++ /* Return port number. */
++ getnameinfo((struct sockaddr *)&from, fromlen,
++ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV);
++ return atoi(strport);
++ }
++
++ /* Returns the port number of the local host. */
++
++ int get_local_port()
++ {
++ int socket;
++ int fromlen, tolen;
++ struct sockaddr_storage from, to;
++
++ /* If two different descriptors, check if they are internet-domain, and
++ have the same address. */
++ if (packet_get_connection_in() != packet_get_connection_out())
++ {
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getsockname(packet_get_connection_in(), (struct sockaddr *)&from,
++ &fromlen) < 0)
++ goto no_ip_addr;
++
++ tolen = sizeof(to);
++ memset(&to, 0, sizeof(to));
++ if (getsockname(packet_get_connection_out(), (struct sockaddr *)&to,
++ &tolen) < 0)
++ goto no_ip_addr;
++
++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0)
++ goto return_port;
++
++ no_ip_addr:
++ return 65535;
++ }
++
++ return_port:
++
++ /* Get client socket. */
++ socket = packet_get_connection_in();
++
++ /* Get and return the local port number. */
++ return get_sock_port(socket);
++ }
++
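Review bot: Every new getnameinfo() call that fills `ntop` or `strport` ignores its return value, so on failure the code goes on to read an uninitialised stack buffer. In get_remote_hostname and get_remote_ipaddr, `ntop` is then copied into `name`, logged, and passed to xstrdup(). In get_peer_port and get_sock_port, `atoi(strport)` returns whatever happens to be on the stack. Because these values feed host-based checks and log lines, a failed conversion should stop the lookup rather than continue with garbage. The reverse-mapping log text also still says "gethostbyname" although the call is now getaddrinfo(). Several of these functions start or end outside the visible context hunks.

```c
/* get_remote_hostname (same check for ntop in get_remote_ipaddr) */
if (getnameinfo((struct sockaddr *)&from, fromlen,
		ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)
  fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
/* … unchanged: reverse lookup and forward-confirmation loop … */

/* get_peer_port and get_sock_port: "Return port number." */
if (getnameinfo((struct sockaddr *)&from, fromlen,
		NULL, 0, strport, sizeof(strport), NI_NUMERICSERV) != 0)
  {
    error("getnameinfo NI_NUMERICSERV failed");
    return 0;
  }
return atoi(strport);
```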
diff --git a/picobsd/ssh-picobsd/files/patch-bd b/picobsd/ssh-picobsd/files/patch-bd
new file mode 100644
index 00000000000..7cb3c119c21
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bd
@@ -0,0 +1,60 @@
+*** config.h.in.orig Wed May 12 13:20:04 1999
+--- config.h.in Thu Feb 24 17:12:10 2000
+***************
+*** 285,290 ****
+--- 285,292 ----
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
++ #undef Rgetaddrinfo
++
+
+ /* Set this to allow group writeability of $HOME, .ssh and authorized_keys */
+ #undef ALLOW_GROUP_WRITEABILITY
+***************
+*** 323,328 ****
+--- 325,348 ----
+ /etc/nologin.allow. */
+ #undef NOLOGIN_ALLOW
+
++ /* Define this if you have struct sockaddr_storage. */
++ #undef HAVE_SOCKADDR_STORAGE
++
++ /* Define this if you have __sa_family in struct sockaddr_storage. */
++ #undef HAVE_NEW_SS_FAMILY
++
++ /* Define this if you have ss_len in struct sockaddr. */
++ #undef HAVE_SOCKADDR_LEN
++
++ /* Define this if you want to enable IPv6 support. */
++ #undef ENABLE_IPV6
++
++ /* Define this if you want to enable another port try support. */
++ #undef ENABLE_ANOTHER_PORT_TRY
++
++ /* Define this if you want to enable logging auth info support. */
++ #undef ENABLE_LOG_AUTH
++
+ /* Where to find the X11 socket */
+ #undef X11_DIR
+
+***************
+*** 375,385 ****
+--- 395,411 ----
+ /* Define if you have the ftruncate function. */
+ #undef HAVE_FTRUNCATE
+
++ /* Define if you have the getaddrinfo function. */
++ #undef HAVE_GETADDRINFO
++
+ /* Define if you have the getdtablesize function. */
+ #undef HAVE_GETDTABLESIZE
+
+ /* Define if you have the gethostname function. */
+ #undef HAVE_GETHOSTNAME
++
++ /* Define if you have the getnameinfo function. */
++ #undef HAVE_GETNAMEINFO
+
+ /* Define if you have the getpseudotty function. */
+ #undef HAVE_GETPSEUDOTTY
diff --git a/picobsd/ssh-picobsd/files/patch-be b/picobsd/ssh-picobsd/files/patch-be
new file mode 100644
index 00000000000..4a13d5dccb4
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-be
@@ -0,0 +1,370 @@
+--- configure.in.orig Wed May 12 04:20:02 1999
++++ configure.in Wed Apr 19 01:02:34 2000
+@@ -30,8 +30,140 @@
+ fi
+
+ AC_PROG_CC
++AC_PROG_CPP
+ AC_ISC_POSIX
+
++AC_MSG_CHECKING([whether to enable ipv6])
++AC_ARG_ENABLE(ipv6,
++[ --enable-ipv6 Enable ipv6 (with ipv4) support
++ --disable-ipv6 Disable ipv6 support],
++[ case "$enableval" in
++ no)
++ AC_MSG_RESULT(no)
++ ipv6=no
++ ;;
++ *) AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_IPV6)
++ ipv6=yes
++ ;;
++ esac ],
++
++ AC_TRY_RUN([ /* AF_INET6 avalable check */
++#include <sys/types.h>
++#include <sys/socket.h>
++main()
++{
++ if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
++ exit(1);
++ else
++ exit(0);
++}
++],
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_IPV6)
++ ipv6=yes,
++ AC_MSG_RESULT(no)
++ ipv6=no,
++ AC_MSG_RESULT(no)
++ ipv6=no
++))
++
++ipv6type=unknown
++ipv6lib=none
++
++if test "$ipv6" = "yes"; then
++ AC_MSG_CHECKING([ipv6 stack type])
++ for i in inria kame linux toshiba v6d zeta; do
++ case $i in
++ inria)
++ dnl http://www.kame.net/
++ AC_EGREP_CPP(yes, [dnl
++#include <netinet/in.h>
++#ifdef IPV6_INRIA_VERSION
++yes
++#endif],
++ [ipv6type=$i;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ kame)
++ dnl http://www.kame.net/
++ AC_EGREP_CPP(yes, [dnl
++#include <netinet/in.h>
++#ifdef __KAME__
++yes
++#endif],
++ [ipv6type=$i;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ linux)
++ dnl http://www.v6.linux.or.jp/
++ if test -d /usr/inet6; then
++ ipv6type=$i
++ ipv6lib=inet6
++ ipv6libdir=/usr/inet6/lib
++ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS"
++ fi
++ ;;
++ toshiba)
++ AC_EGREP_CPP(yes, [dnl
++#include <sys/param.h>
++#ifdef _TOSHIBA_INET6
++yes
++#endif],
++ [ipv6type=$i;
++ ipv6lib=inet6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ v6d)
++ AC_EGREP_CPP(yes, [dnl
++#include </usr/local/v6/include/sys/v6config.h>
++#ifdef __V6D__
++yes
++#endif],
++ [ipv6type=$i;
++ ipv6lib=v6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"])
++ ;;
++ zeta)
++ AC_EGREP_CPP(yes, [dnl
++#include <sys/param.h>
++#ifdef _ZETA_MINAMI_INET6
++yes
++#endif],
++ [ipv6type=$i;
++ ipv6lib=inet6;
++ ipv6libdir=/usr/local/v6/lib;
++ CPPFLAGS="-DINET6 $CPPFLAGS"])
++ ;;
++ esac
++ if test "$ipv6type" != "unknown"; then
++ break
++ fi
++ done
++ AC_MSG_RESULT($ipv6type)
++fi
++
++if test "$ipv6" = "yes" -a -f /usr/local/v6/lib/libinet6.a; then
++ ac_inet6_LDFLAGS="inet6"
++ ipv6libdir=/usr/local/v6/lib
++ LDFLAGS="$LDFLAGS -L/usr/local/v6/lib"
++ AC_CHECK_LIB(inet6, getaddrinfo, , ipv6lib="$ac_inet6_LDFLAGS")
++fi
++
++
++if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then
++ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then
++ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS"
++ else
++ echo 'Fatal: no $ipv6lib library found. cannot continue.'
++ echo "You need to fetch lib$ipv6lib.a from appropriate"
++ echo 'ipv6 kit and compile beforehand.'
++ exit 1
++ fi
++fi
++
+ AC_DEFINE_UNQUOTED(HOSTTYPE, "$host")
+
+ case "$host" in
+@@ -313,7 +445,7 @@
+
+ # Socket pairs appear to be broken on several systems. I don't know exactly
+ # where, so I'll use pipes everywhere for now.
+-AC_DEFINE(USE_PIPES)
++# AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+@@ -369,7 +501,7 @@
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+-AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h)
++AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h)
+ AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+@@ -399,6 +531,16 @@
+ [ AC_DEFINE(HAVE_INCOMPATIBLE_SIGINFO)
+ AC_MSG_RESULT(yes)] , AC_MSG_RESULT(no))
+
++AC_MSG_CHECKING([whether sys/socket.h have struct sockaddr_storage])
++AC_EGREP_HEADER(sockaddr_storage, sys/socket.h,
++ [ AC_DEFINE(HAVE_SOCKADDR_STORAGE) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
++AC_MSG_CHECKING([whether sys/socket.h have __ss_family])
++AC_EGREP_HEADER(__ss_family, sys/socket.h,
++ [ AC_DEFINE(HAVE_NEW_SS_FAMILY) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
++AC_MSG_CHECKING([whether sys/socket.h have sa_len])
++AC_EGREP_HEADER(sa_len, sys/socket.h,
++ [ AC_DEFINE(HAVE_SOCKADDR_LEN) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
++
+ AC_CHECK_LIB(c, crypt, [true], AC_CHECK_LIB(crypt, crypt))
+ AC_CHECK_LIB(sec, getspnam)
+ AC_CHECK_LIB(seq, get_process_stats)
+@@ -436,6 +578,107 @@
+
+ AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
+
++AC_MSG_CHECKING(getaddrinfo bug)
++AC_TRY_RUN([
++#include <sys/types.h>
++#include <netdb.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++
++main()
++{
++ int passive, gaierr, inet4 = 0, inet6 = 0;
++ struct addrinfo hints, *ai, *aitop;
++ char straddr[INET6_ADDRSTRLEN], strport[16];
++
++ for (passive = 0; passive <= 1; passive++) {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = AF_UNSPEC;
++ hints.ai_flags = passive ? AI_PASSIVE : 0;
++ hints.ai_socktype = SOCK_STREAM;
++ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) {
++ (void)gai_strerror(gaierr);
++ goto bad;
++ }
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (ai->ai_addr == NULL ||
++ ai->ai_addrlen == 0 ||
++ getnameinfo(ai->ai_addr, ai->ai_addrlen,
++ straddr, sizeof(straddr), strport, sizeof(strport),
++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
++ goto bad;
++ }
++ if (strcmp(strport, "54321") != 0) {
++ goto bad;
++ }
++ switch (ai->ai_family) {
++ case AF_INET:
++ if (passive) {
++ if (strcmp(straddr, "0.0.0.0") != 0) {
++ goto bad;
++ }
++ } else {
++ if (strcmp(straddr, "127.0.0.1") != 0) {
++ goto bad;
++ }
++ }
++ inet4++;
++ break;
++ case AF_INET6:
++ if (passive) {
++ if (strcmp(straddr, "::") != 0) {
++ goto bad;
++ }
++ } else {
++ if (strcmp(straddr, "::1") != 0) {
++ goto bad;
++ }
++ }
++ inet6++;
++ break;
++ case AF_UNSPEC:
++ goto bad;
++ break;
++ default:
++ /* another family support? */
++ break;
++ }
++ }
++ }
++
++ if (!(inet4 == 0 || inet4 == 2))
++ goto bad;
++ if (!(inet6 == 0 || inet6 == 2))
++ goto bad;
++
++ if (aitop)
++ freeaddrinfo(aitop);
++ exit(0);
++
++ bad:
++ if (aitop)
++ freeaddrinfo(aitop);
++ exit(1);
++}
++],
++AC_MSG_RESULT(good)
++buggygetaddrinfo=no,
++AC_MSG_RESULT(buggy)
++buggygetaddrinfo=yes,
++AC_MSG_RESULT(buggy)
++buggygetaddrinfo=yes)
++
++if test "$buggygetaddrinfo" = "yes"; then
++ if test "$ipv6" = "yes"; then
++ echo 'Fatal: You must get working getaddrinfo() function.'
++ echo ' or you can specify "--disable-ipv6"'.
++ exit 1
++ else
++ AC_REPLACE_FUNCS(getaddrinfo getnameinfo)
++ fi
++fi
++
+ AC_PROG_LN_S
+ AC_PROG_INSTALL
+ AC_CHECK_PROG(AR, ar, ar, echo)
+@@ -932,7 +1175,11 @@
+ AC_DEFINE(KRB5)
+ KERBEROS_ROOT="$with_kerberos5"
+ KERBEROS_INCS="-I${KERBEROS_ROOT}/include"
+- KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err"
++ if test -f ${KERBEROS_ROOT}/lib/libk5crypto.a ; then
++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err"
++ else
++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err"
++ fi
+ AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm")
+ KERBEROS_OBJS="auth-kerberos.o"
+ ;;
+@@ -1123,6 +1370,7 @@
+ AC_DEFINE(Rdup2,SOCKSdup2)
+ AC_DEFINE(Rfclose,SOCKSfclose)
+ AC_DEFINE(Rgethostbyname,SOCKSgethostbyname)
++ AC_DEFINE(Rgetaddrinfo,SOCKSgetaddrinfo)
+ fi
+
+ AC_MSG_CHECKING(whether to use rsaref)
+@@ -1252,6 +1500,38 @@
+ AC_DEFINE(ENABLE_TCP_NODELAY)
+ )
+
++AC_MSG_CHECKING(whether to enable another port try support)
++AC_ARG_ENABLE(another-port-try,
++[ --enable-another-port-try Enable another port try support (default)
++ --disable-another-port-try Disable another port try support],
++[ case "$enableval" in
++ no)
++ AC_MSG_RESULT(no)
++ ;;
++ *) AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY)
++ ;;
++ esac ],
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY)
++)
++
++AC_MSG_CHECKING(whether to enable logging auth info support)
++AC_ARG_ENABLE(log-auth,
++[ --enable-log-auth Enable logging auth info support (default)
++ --disable-log-auth Disable logging auth info support],
++[ case "$enableval" in
++ no)
++ AC_MSG_RESULT(no)
++ ;;
++ *) AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_LOG_AUTH)
++ ;;
++ esac ],
++ AC_MSG_RESULT(yes)
++ AC_DEFINE(ENABLE_LOG_AUTH)
++)
++
+ AC_MSG_CHECKING(whether to enable SO_LINGER)
+ AC_ARG_ENABLE(so-linger,
+ [ --enable-so-linger Enable setting SO_LINGER socket option],
+@@ -1311,6 +1591,8 @@
+ AC_DEFINE(SCP_ALL_STATISTICS_ENABLED)
+ )
+
++CFLAGS="$CPPFLAGS $CFLAGS"
++
+ # We include this here only to make it visible in --help; this is only used
+ # in the gmp subdirectory.
+ AC_ARG_ENABLE(asm,
+@@ -1324,7 +1606,7 @@
+ fi
+ AC_MSG_RESULT($PIDDIR)
+
+-AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2)
++#AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2)
+
+ AC_ARG_PROGRAM
+
+@@ -1336,4 +1618,4 @@
+ AC_SUBST(SSHDCONFOBJS)
+ AC_SUBST(SSHINSTALLMODE)
+
+-AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile)
++AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl)
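Review bot: In the IPv6 library check the failure message is single-quoted, `echo 'Fatal: no $ipv6lib library found. cannot continue.'`, so the user sees the literal text `$ipv6lib` instead of the library name. It should be `echo "Fatal: no $ipv6lib library found.  cannot continue."`, matching the double-quoted line that follows it. In the same file, the hunk that turns `AC_DEFINE(USE_PIPES)` into a comment leaves the sentence above it ("I'll use pipes everywhere for now") contradicting the code. That comment should say that socket pairs are now used and why this is safe for this port.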
diff --git a/picobsd/ssh-picobsd/files/patch-bf b/picobsd/ssh-picobsd/files/patch-bf
new file mode 100644
index 00000000000..d8d53bc4553
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bf
@@ -0,0 +1,17 @@
+*** gai.h.orig Mon Jan 10 22:56:13 2000
+--- gai.h Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,12 ----
++ /*
++ * fake library for ssh
++ *
++ * This file is included in getaddrinfo.c and getnameinfo.c.
++ * See getaddrinfo.c and getnameinfo.c.
++ */
++
++ /* for old netdb.h */
++ #ifndef EAI_NODATA
++ #define EAI_NODATA 1
++ #define EAI_MEMORY 2
++ #endif
diff --git a/picobsd/ssh-picobsd/files/patch-bg b/picobsd/ssh-picobsd/files/patch-bg
new file mode 100644
index 00000000000..689982094b9
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bg
@@ -0,0 +1,120 @@
+*** getaddrinfo.c.orig Mon Jan 10 22:56:13 2000
+--- getaddrinfo.c Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,115 ----
++ /*
++ * fake library for ssh
++ *
++ * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror().
++ * These funtions are defined in rfc2133.
++ *
++ * But these functions are not implemented correctly. The minimum subset
++ * is implemented for ssh use only. For exapmle, this routine assumes
++ * that ai_family is AF_INET. Don't use it for another purpose.
++ *
++ * In the case not using 'configure --enable-ipv6', this getaddrinfo.c
++ * will be used if you have broken getaddrinfo or no getaddrinfo.
++ */
++
++ #include "includes.h"
++ #include "ssh.h"
++
++ #include "gai.h"
++
++ static struct addrinfo *
++ malloc_ai(port, addr)
++ int port;
++ u_long addr;
++ {
++ struct addrinfo *ai;
++
++ if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) +
++ sizeof(struct sockaddr_in))) {
++ memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in));
++ ai->ai_addr = (struct sockaddr *)(ai + 1);
++ /* XXX -- ssh doesn't use sa_len */
++ ai->ai_addrlen = sizeof(struct sockaddr_in);
++ ai->ai_addr->sa_family = ai->ai_family = AF_INET;
++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port;
++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr;
++ return ai;
++ } else {
++ return NULL;
++ }
++ }
++
++ char *
++ gai_strerror(ecode)
++ int ecode;
++ {
++ switch (ecode) {
++ case EAI_NODATA:
++ return "no address associated with hostname.";
++ case EAI_MEMORY:
++ return "memory allocation failure.";
++ default:
++ return "unknown error.";
++ }
++ }
++
++ void
++ freeaddrinfo(ai)
++ struct addrinfo *ai;
++ {
++ struct addrinfo *next;
++
++ do {
++ next = ai->ai_next;
++ free(ai);
++ } while (ai = next);
++ }
++
++ int
++ getaddrinfo(hostname, servname, hints, res)
++ const char *hostname, *servname;
++ const struct addrinfo *hints;
++ struct addrinfo **res;
++ {
++ struct addrinfo *cur, *prev = NULL;
++ struct hostent *hp;
++ int i, port;
++
++ if (servname)
++ port = htons(atoi(servname));
++ else
++ port = 0;
++ if (hints && hints->ai_flags & AI_PASSIVE)
++ if (*res = malloc_ai(port, htonl(0x00000000)))
++ return 0;
++ else
++ return EAI_MEMORY;
++ if (!hostname)
++ if (*res = malloc_ai(port, htonl(0x7f000001)))
++ return 0;
++ else
++ return EAI_MEMORY;
++ if (inet_addr(hostname) != -1)
++ if (*res = malloc_ai(port, inet_addr(hostname)))
++ return 0;
++ else
++ return EAI_MEMORY;
++ if ((hp = gethostbyname(hostname)) &&
++ hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) {
++ for (i = 0; hp->h_addr_list[i]; i++)
++ if (cur = malloc_ai(port,
++ ((struct in_addr *)hp->h_addr_list[i])->s_addr)) {
++ if (prev)
++ prev->ai_next = cur;
++ else
++ *res = cur;
++ prev = cur;
++ } else {
++ if (*res)
++ freeaddrinfo(*res);
++ return EAI_MEMORY;
++ }
++ return 0;
++ }
++ return EAI_NODATA;
++ }
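Review bot: In getaddrinfo(), the failure branch of the gethostbyname loop tests `if (*res)` before `*res` has ever been assigned. If the first malloc_ai() call fails, the function reads, and may pass to freeaddrinfo(), whatever the caller left in that pointer. The servconf.c callers in this same commit pass the address of an uninitialised local, so this would free a garbage pointer under memory pressure. Setting `*res = NULL;` at the top of getaddrinfo(), or testing `if (prev)` instead of `if (*res)`, closes it. freeaddrinfo() also dereferences `ai` before checking it, so a guard such as `if (ai == NULL) return;` would make it safe to call on an empty list.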
diff --git a/picobsd/ssh-picobsd/files/patch-bh b/picobsd/ssh-picobsd/files/patch-bh
new file mode 100644
index 00000000000..3e50aaeda09
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bh
@@ -0,0 +1,66 @@
+*** getnameinfo.c.orig Mon Jan 10 22:56:13 2000
+--- getnameinfo.c Mon Jan 10 22:56:13 2000
+***************
+*** 0 ****
+--- 1,61 ----
++ /*
++ * fake library for ssh
++ *
++ * This file includes getnameinfo().
++ * These funtions are defined in rfc2133.
++ *
++ * But these functions are not implemented correctly. The minimum subset
++ * is implemented for ssh use only. For exapmle, this routine assumes
++ * that ai_family is AF_INET. Don't use it for another purpose.
++ *
++ * In the case not using 'configure --enable-ipv6', this getnameinfo.c
++ * will be used if you have broken getnameinfo or no getnameinfo.
++ */
++
++ #include "includes.h"
++ #include "ssh.h"
++
++ #include "gai.h"
++
++ int
++ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
++ const struct sockaddr *sa;
++ size_t salen;
++ char *host;
++ size_t hostlen;
++ char *serv;
++ size_t servlen;
++ int flags;
++ {
++ struct sockaddr_in *sin = (struct sockaddr_in *)sa;
++ struct hostent *hp;
++ char tmpserv[16];
++
++ if (serv) {
++ sprintf(tmpserv, "%d", ntohs(sin->sin_port));
++ if (strlen(tmpserv) > servlen)
++ return EAI_MEMORY;
++ else
++ strcpy(serv, tmpserv);
++ }
++ if (host)
++ if (flags & NI_NUMERICHOST)
++ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen)
++ return EAI_MEMORY;
++ else {
++ strcpy(host, inet_ntoa(sin->sin_addr));
++ return 0;
++ }
++ else
++ if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr),
++ AF_INET))
++ if (strlen(hp->h_name) > hostlen)
++ return EAI_MEMORY;
++ else {
++ strcpy(host, hp->h_name);
++ return 0;
++ }
++ else
++ return EAI_NODATA;
++ return 0;
++ }
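Review bot: All three length checks in getnameinfo() are off by one: `strlen(x) > len` still lets strcpy() run when the string is exactly `len` bytes long, writing the terminating NUL one byte past the caller's buffer. The `hp->h_name` case matters most, since that string comes from a reverse DNS answer and is not under local control. Each comparison should be `>=`, e.g. `if (strlen(hp->h_name) >= hostlen)`, and likewise for `tmpserv`/`servlen` and the `inet_ntoa` result.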
diff --git a/picobsd/ssh-picobsd/files/patch-bi b/picobsd/ssh-picobsd/files/patch-bi
new file mode 100644
index 00000000000..77ff392db91
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bi
@@ -0,0 +1,56 @@
+*** log-server.c.orig Wed May 12 13:19:26 1999
+--- log-server.c Mon Jan 10 22:56:13 2000
+***************
+*** 146,151 ****
+--- 146,170 ----
+ syslog(LOG_INFO, "log: %.500s", buf);
+ }
+
++ #ifdef ENABLE_LOG_AUTH
++ void log_auth(const char *fmt, ...)
++ {
++ char buf[1024];
++ va_list args;
++ extern int log_auth_flag;
++ if (!log_auth_flag)
++ return;
++ if (log_quiet)
++ return;
++ va_start(args, fmt);
++ vsprintf(buf, fmt, args);
++ va_end(args);
++ if (log_on_stderr)
++ fprintf(stderr, "log: %s\n", buf);
++ syslog(LOG_INFO|LOG_AUTH, "%.500s", buf);
++ }
++ #endif /* ENABLE_LOG_AUTH */
++
+ /* Converts portable syslog severity to machine-specific syslog severity. */
+
+ static int syslog_severity(int severity)
+***************
+*** 322,327 ****
+--- 341,349 ----
+ {
+ char buf[1024];
+ va_list args;
++ #ifdef ENABLE_LOG_AUTH
++ extern char *unauthenticated_user;
++ #endif /* ENABLE_LOG_AUTH */
+
+ if (log_quiet)
+ exit(1);
+***************
+*** 331,336 ****
+--- 353,363 ----
+ if (log_on_stderr)
+ fprintf(stderr, "fatal: %s\n", buf);
+ syslog(syslog_severity(severity), "fatal: %.500s", buf);
++ #ifdef ENABLE_LOG_AUTH
++ if (unauthenticated_user)
++ log_auth("LOGIN FAILED %.100s from %.200s",
++ unauthenticated_user, get_canonical_hostname());
++ #endif /* ENABLE_LOG_AUTH */
+
+ do_fatal_cleanups();
+
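Review bot: log_auth() formats into a 1024-byte stack buffer with `vsprintf(buf, fmt, args)`, so nothing in the function itself bounds the output. The call added in fatal() is safe only because its format uses `%.100s` and `%.200s`, and every future caller has to remember to do the same with attacker-influenced strings such as the unauthenticated user name. Enforcing the limit once, with `vsnprintf(buf, sizeof(buf), fmt, args);`, would remove that dependency, assuming the tree's snprintf replacement provides vsnprintf. The body of fatal() starts and ends outside these hunks.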
diff --git a/picobsd/ssh-picobsd/files/patch-bj b/picobsd/ssh-picobsd/files/patch-bj
new file mode 100644
index 00000000000..fb897af4865
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bj
@@ -0,0 +1,16 @@
+*** match.c.orig Wed May 12 13:19:27 1999
+--- match.c Mon Jan 10 22:56:13 2000
+***************
+*** 129,134 ****
+--- 129,139 ----
+ is_ip_pattern = 0;
+ break;
+ }
++ for(p = pattern; *p; p++)
++ if (!(isxdigit(*p) || *p == ':' || *p == '?' || *p == '*'))
++ break;
++ if (ip && !*p)
++ is_ip_pattern = 1;
+ if (is_ip_pattern)
+ {
+ return match_pattern(ip, pattern);
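Review bot: The added loop classifies any pattern made only of hex digits, `:`, `?` and `*` as an IP pattern, which also captures short host names such as `db1` or `cafe*` that contain no colon. Those patterns are then compared with the address only and never with the host name, so a host-based allow or deny entry of that shape would silently stop matching wherever this matcher backs an access list. Requiring a colon keeps the IPv6 case without changing name patterns: `if (ip && !*p && strchr(pattern, ':'))`. Separately, `isxdigit(*p)` should take `(unsigned char)*p`, since plain char may be negative. The enclosing function starts and ends outside the hunk.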
diff --git a/picobsd/ssh-picobsd/files/patch-bl b/picobsd/ssh-picobsd/files/patch-bl
new file mode 100644
index 00000000000..60296a9735b
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bl
@@ -0,0 +1,66 @@
+*** readconf.c.orig Wed May 12 13:19:27 1999
+--- readconf.c Mon Jan 10 22:56:13 2000
+***************
+*** 171,176 ****
+--- 171,179 ----
+ oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel,
+ oKeepAlives, oUsePrivilegedPort, oKerberosAuthentication,
+ oKerberosTgtPassing, oClearAllForwardings, oNumberOfPasswordPrompts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ oAnotherPort,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ oXauthPath, oGatewayPorts, oPasswordPromptLogin, oPasswordPromptHost
+ } OpCodes;
+
+***************
+*** 194,199 ****
+--- 197,205 ----
+ { "hostname", oHostName },
+ { "proxycommand", oProxyCommand },
+ { "port", oPort },
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ { "anotherport", oAnotherPort },
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ { "cipher", oCipher },
+ { "remoteforward", oRemoteForward },
+ { "localforward", oLocalForward },
+***************
+*** 497,502 ****
+--- 503,514 ----
+ *intptr = value;
+ break;
+
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ case oAnotherPort:
++ intptr = &options->another_port;
++ goto parse_int;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
++
+ case oConnectionAttempts:
+ intptr = &options->connection_attempts;
+ goto parse_int;
+***************
+*** 689,694 ****
+--- 701,709 ----
+ options->keepalives = -1;
+ options->compression_level = -1;
+ options->port = -1;
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ options->another_port = -1;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ options->connection_attempts = -1;
+ options->number_of_password_prompts = -1;
+ options->password_prompt_login = -1;
+***************
+*** 759,764 ****
+--- 774,783 ----
+ options->compression_level = 6;
+ if (options->port == -1)
+ options->port = 0; /* Filled in ssh_connect. */
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ if (options->another_port == -1)
++ options->another_port = 0;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ if (options->connection_attempts == -1)
+ options->connection_attempts = 4;
+ if (options->number_of_password_prompts == -1)
diff --git a/picobsd/ssh-picobsd/files/patch-bm b/picobsd/ssh-picobsd/files/patch-bm
new file mode 100644
index 00000000000..a394777b484
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bm
@@ -0,0 +1,14 @@
+*** readconf.h.orig Wed May 12 13:19:27 1999
+--- readconf.h Mon Jan 10 22:56:13 2000
+***************
+*** 98,103 ****
+--- 98,106 ----
+ int use_privileged_port; /* Use privileged port */
+
+ int port; /* Port to connect. */
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port; /* Port to connect for -A option. */
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ int connection_attempts; /* Max attempts (seconds) before giving up */
+ int number_of_password_prompts; /* Max number of password prompts */
+ int password_prompt_login; /* Show remote login at password prompt */
diff --git a/picobsd/ssh-picobsd/files/patch-bn b/picobsd/ssh-picobsd/files/patch-bn
new file mode 100644
index 00000000000..7f625fcea26
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bn
@@ -0,0 +1,191 @@
+*** scp.c.orig Wed May 12 13:19:28 1999
+--- scp.c Mon Jan 10 22:56:13 2000
+***************
+*** 180,185 ****
+--- 180,193 ----
+ #define STDERR_FILENO 2
+ #endif
+
++ /* This is set to non-zero if IPv4 is desired. */
++ int IPv4 = 0;
++
++ #ifdef ENABLE_IPV6
++ /* This is set to non-zero if IPv6 is desired. */
++ int IPv6 = 0;
++ #endif
++
+ /* This is set to non-zero to enable verbose mode. */
+ int verbose = 0;
+
+***************
+*** 295,302 ****
+--- 303,319 ----
+ }
+ args[i++] = "-x";
+ args[i++] = "-a";
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ args[i++] = "-A";
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ args[i++] = "-oFallBackToRsh no";
+ args[i++] = "-oClearAllForwardings yes";
++ if (IPv4)
++ args[i++] = "-4";
++ #ifdef ENABLE_IPV6
++ if (IPv6)
++ args[i++] = "-6";
++ #endif
+ if (verbose)
+ args[i++] = "-v";
+ if (compress)
+***************
+*** 441,448 ****
+ statistics = 0;
+
+ fflag = tflag = 0;
+! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:")) != EOF)
+ switch(ch) { /* User-visible flags. */
+ case 'S':
+ ssh_program = optarg;
+ break;
+--- 458,477 ----
+ statistics = 0;
+
+ fflag = tflag = 0;
+! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:4"
+! #ifdef ENABLE_IPV6
+! "6"
+! #endif
+! )) != EOF)
+ switch(ch) { /* User-visible flags. */
++ case '4':
++ IPv4 = 1;
++ break;
++ #ifdef ENABLE_IPV6
++ case '6':
++ IPv6 = 1;
++ break;
++ #endif
+ case 'S':
+ ssh_program = optarg;
+ break;
+***************
+*** 589,594 ****
+--- 618,634 ----
+ exit(errs != 0);
+ }
+
++ char *
++ cleanhostname(host)
++ char *host;
++ {
++ if (*host == '[' && host[strlen(host) - 1] == ']') {
++ host[strlen(host) - 1] = '\0';
++ return (host + 1);
++ } else
++ return host;
++ }
++
+ void
+ toremote(targ, argc, argv)
+ char *targ, *argv[];
+***************
+*** 644,649 ****
+--- 684,690 ----
+ bp = xmalloc(len);
+ if (host) {
+ *host++ = 0;
++ host = cleanhostname(host);
+ suser = argv[i];
+ if (*suser == '\0')
+ suser = pwd->pw_name;
+***************
+*** 655,667 ****
+ suser, host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+! } else
+ (void)snprintf(bp, len,
+ "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
+ ssh_program, verbose ? " -v" : "", options,
+! argv[i], cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+ if (verbose)
+ fprintf(stderr, "Executing: %s\n", bp);
+ if (system(bp)) errs++;
+--- 696,710 ----
+ suser, host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+! } else {
+! host = cleanhostname(argv[i]);
+ (void)snprintf(bp, len,
+ "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
+ ssh_program, verbose ? " -v" : "", options,
+! host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
++ }
+ if (verbose)
+ fprintf(stderr, "Executing: %s\n", bp);
+ if (system(bp)) errs++;
+***************
+*** 671,677 ****
+ len = strlen(targ) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -t %s", cmd, targ);
+! host = thost;
+ if (do_cmd(host, tuser,
+ bp, &remin, &remout) < 0)
+ exit(1);
+--- 714,720 ----
+ len = strlen(targ) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -t %s", cmd, targ);
+! host = cleanhostname(thost);
+ if (do_cmd(host, tuser,
+ bp, &remin, &remout) < 0)
+ exit(1);
+***************
+*** 721,726 ****
+--- 764,770 ----
+ else if (!okname(suser))
+ continue;
+ }
++ host = cleanhostname(host);
+ len = strlen(src) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -f %s", cmd, src);
+***************
+*** 1365,1375 ****
+ colon(cp)
+ char *cp;
+ {
+ if (*cp == ':') /* Leading colon is part of file name. */
+ return (0);
+
+ for (; *cp; ++cp) {
+! if (*cp == ':')
+ return (cp);
+ if (*cp == '/')
+ return (0);
+--- 1409,1427 ----
+ colon(cp)
+ char *cp;
+ {
++ int flag = 0;
++
+ if (*cp == ':') /* Leading colon is part of file name. */
+ return (0);
++ if (*cp == '[')
++ flag = 1;
+
+ for (; *cp; ++cp) {
+! if (*cp == '@' && *(cp+1) == '[')
+! flag = 1;
+! if (*cp == ']' && *(cp+1) == ':' && flag)
+! return (cp+1);
+! if (*cp == ':' && !flag)
+ return (cp);
+ if (*cp == '/')
+ return (0);
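Review bot: cleanhostname() strips the brackets by writing a NUL into the string it is given, so `host = cleanhostname(thost)` in toremote() permanently truncates `thost`. The remote-to-remote branch formats the same `thost` into `'%s%s%s:%s'`, so if the argument loop (which lies outside these hunks) reaches that branch after a local source, the target would be sent as `[addr` without its closing bracket. Returning a copy avoids the aliasing: `char *h = xstrdup(host + 1); h[strlen(h) - 1] = '\0'; return h;`, assuming xstrdup from xmalloc is available to scp. The cleaned host also goes unquoted into the string passed to system(), so a check like the `okname(suser)` one already applied to the user name would be worth adding for it.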
diff --git a/picobsd/ssh-picobsd/files/patch-bo b/picobsd/ssh-picobsd/files/patch-bo
new file mode 100644
index 00000000000..886720df255
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bo
@@ -0,0 +1,197 @@
+*** servconf.c.orig Wed May 12 13:19:28 1999
+--- servconf.c Mon Jan 10 22:56:13 2000
+***************
+*** 81,88 ****
+ void initialize_server_options(ServerOptions *options)
+ {
+ memset(options, 0, sizeof(*options));
+! options->port = -1;
+! options->listen_addr.s_addr = INADDR_ANY;
+ options->host_key_file = NULL;
+ options->random_seed_file = NULL;
+ options->pid_file = NULL;
+--- 81,88 ----
+ void initialize_server_options(ServerOptions *options)
+ {
+ memset(options, 0, sizeof(*options));
+! options->num_ports = 0;
+! options->listen_addrs = NULL;
+ options->host_key_file = NULL;
+ options->random_seed_file = NULL;
+ options->pid_file = NULL;
+***************
+*** 92,97 ****
+--- 92,100 ----
+ options->permit_root_login = -1;
+ options->ignore_rhosts = -1;
+ options->ignore_root_rhosts = -1;
++ #ifdef ENABLE_LOG_AUTH
++ options->log_auth = -1;
++ #endif /* ENABLE_LOG_AUTH */
+ options->quiet_mode = -1;
+ options->fascist_logging = -1;
+ options->print_motd = -1;
+***************
+*** 138,153 ****
+
+ void fill_default_server_options(ServerOptions *options)
+ {
+! if (options->port == -1)
+ {
+! struct servent *sp;
+!
+! sp = getservbyname(SSH_SERVICE_NAME, "tcp");
+! if (sp)
+! options->port = ntohs(sp->s_port);
+! else
+! options->port = SSH_DEFAULT_PORT;
+! endservent();
+ }
+ if (options->host_key_file == NULL)
+ options->host_key_file = HOST_KEY_FILE;
+--- 141,171 ----
+
+ void fill_default_server_options(ServerOptions *options)
+ {
+! struct addrinfo hints, *ai, *aitop;
+! char strport[PORTSTRLEN];
+! int i;
+!
+! if (options->num_ports == 0)
+! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+! if (options->listen_addrs == NULL)
+ {
+! for (i = 0; i < options->num_ports; i++)
+! {
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_flags = AI_PASSIVE;
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", options->ports[i]);
+! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
+! {
+! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n");
+! exit(1);
+! }
+! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+! ai->ai_next = options->listen_addrs;
+! options->listen_addrs = aitop;
+! }
+! /* freeaddrinfo(options->listen_addrs) in sshd.c */
+ }
+ if (options->host_key_file == NULL)
+ options->host_key_file = HOST_KEY_FILE;
+***************
+*** 243,248 ****
+--- 261,269 ----
+ {
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
++ #ifdef ENABLE_LOG_AUTH
++ sLogAuth,
++ #endif /* ENABLE_LOG_AUTH */
+ sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+ sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts,
+ sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+***************
+*** 275,280 ****
+--- 296,304 ----
+ { "quietmode", sQuietMode },
+ { "fascistlogging", sFascistLogging },
+ { "syslogfacility", sLogFacility },
++ #ifdef ENABLE_LOG_AUTH
++ { "logauth", sLogAuth },
++ #endif /* ENABLE_LOG_AUTH */
+ { "rhostsauthentication", sRhostsAuthentication },
+ { "rhostsrsaauthentication", sRhostsRSAAuthentication },
+ { "rsaauthentication", sRSAAuthentication },
+***************
+*** 367,372 ****
+--- 391,399 ----
+ char *cp, **charptr;
+ int linenum, *intptr, i, value;
+ ServerOpCodes opcode;
++ struct addrinfo hints, *ai, *aitop;
++ char strport[PORTSTRLEN];
++ int gaierr;
+
+ f = fopen(filename, "r");
+ if (!f)
+***************
+*** 389,395 ****
+ switch (opcode)
+ {
+ case sPort:
+! intptr = &options->port;
+ parse_int:
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+--- 416,429 ----
+ switch (opcode)
+ {
+ case sPort:
+! if (options->num_ports >= MAX_PORTS)
+! {
+! fprintf(stderr, "%s line %d: too many ports.\n",
+! filename, linenum);
+! exit(1);
+! }
+! options->ports[options->num_ports] = -1;
+! intptr = &options->ports[options->num_ports++];
+ parse_int:
+ cp = strtok(NULL, WHITESPACE);
+ if (!cp)
+***************
+*** 452,462 ****
+ filename, linenum);
+ exit(1);
+ }
+! #ifdef BROKEN_INET_ADDR
+! options->listen_addr.s_addr = inet_network(cp);
+! #else /* BROKEN_INET_ADDR */
+! options->listen_addr.s_addr = inet_addr(cp);
+! #endif /* BROKEN_INET_ADDR */
+ break;
+
+ case sHostKeyFile:
+--- 486,510 ----
+ filename, linenum);
+ exit(1);
+ }
+! if (options->num_ports == 0)
+! options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+! for (i = 0; i < options->num_ports; i++)
+! {
+! memset(&hints, 0, sizeof(hints));
+! hints.ai_family = IPv4or6;
+! hints.ai_socktype = SOCK_STREAM;
+! sprintf(strport, "%d", options->ports[i]);
+! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0)
+! {
+! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n",
+! filename, linenum, gai_strerror(gaierr));
+! exit(1);
+! }
+! for (ai = aitop; ai->ai_next; ai = ai->ai_next);
+! ai->ai_next = options->listen_addrs;
+! options->listen_addrs = aitop;
+! }
+! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */
+ break;
+
+ case sHostKeyFile:
+***************
+*** 531,536 ****
+--- 579,590 ----
+ if (*intptr == -1)
+ *intptr = value;
+ break;
++
++ #ifdef ENABLE_LOG_AUTH
++ case sLogAuth:
++ intptr = &options->log_auth;
++ goto parse_flag;
++ #endif /* ENABLE_LOG_AUTH */
+
+ case sIgnoreRhosts:
+ intptr = &options->ignore_rhosts;
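Review bot: A `Port` line that comes after `ListenAddress` in the config file never gets a listener, because the sListenAddress case resolves the address only for the ports seen so far. fill_default_server_options() adds wildcard addresses only when `listen_addrs` is still NULL, so it does not fill the gap. When no Port has been read yet, the ListenAddress case also inserts SSH_DEFAULT_PORT, so `ListenAddress` followed by `Port 2222` would leave the daemon on the default port rather than the one the administrator chose. That assumes sshd.c, which is not shown here, binds only what is in `listen_addrs`. Either defer resolution until the whole file is parsed or reject the ordering outright, as sketched below. The config-reading function starts and ends outside these hunks.

```c
	case sPort:
	  /* Addresses are resolved per port when ListenAddress is parsed, so a
	     Port given afterwards would never be bound. */
	  if (options->listen_addrs != NULL)
	    {
	      fprintf(stderr, "%s line %d: Port must precede ListenAddress.\n",
		      filename, linenum);
	      exit(1);
	    }
	  /* … unchanged: MAX_PORTS check, ports[] slot setup, parse_int … */
```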
diff --git a/picobsd/ssh-picobsd/files/patch-bp b/picobsd/ssh-picobsd/files/patch-bp
new file mode 100644
index 00000000000..40b10db36c4
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bp
@@ -0,0 +1,45 @@
+*** servconf.h.orig Wed May 12 13:19:28 1999
+--- servconf.h Mon Jan 10 22:56:13 2000
+***************
+*** 64,69 ****
+--- 64,71 ----
+ #ifndef SERVCONF_H
+ #define SERVCONF_H
+
++ #define MAX_PORTS 256 /* Max # hosts on allow list. */
++
+ #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */
+ #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */
+ #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */
+***************
+*** 82,89 ****
+
+ typedef struct
+ {
+! int port; /* Port number to listen on. */
+! struct in_addr listen_addr; /* Address on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+--- 84,92 ----
+
+ typedef struct
+ {
+! unsigned int num_ports;
+! int ports[MAX_PORTS]; /* Port number to listen on. */
+! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */
+ char *host_key_file; /* File containing host key. */
+ char *random_seed_file; /* File containing random seed. */
+ char *pid_file; /* File containing process ID number. */
+***************
+*** 91,96 ****
+--- 94,102 ----
+ int login_grace_time; /* Disconnect if no auth in this time (sec). */
+ int key_regeneration_time; /* Server key lifetime (seconds). */
+ int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */
++ #ifdef ENABLE_LOG_AUTH
++ int log_auth; /* If true, log authentication info. */
++ #endif /* ENABLE_LOG_AUTH */
+ int ignore_rhosts; /* Ignore .rhosts and .shosts. */
+ int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root,
+ defaults to ignore_rhosts if not given. */
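Review bot: The comment on the new `MAX_PORTS` define was copied from MAX_ALLOW_HOSTS and describes the wrong thing. It should read `#define MAX_PORTS 256 /* Max # of ports to listen on. */`. The new `num_ports` field has no comment at all; `/* Number of entries used in ports[]. */` would match the surrounding style and record the invariant that the bounds check in servconf.c depends on.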
diff --git a/picobsd/ssh-picobsd/files/patch-br b/picobsd/ssh-picobsd/files/patch-br
new file mode 100644
index 00000000000..28dd08a5be5
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-br
@@ -0,0 +1,97 @@
+*** ssh.c.orig Wed May 12 13:19:28 1999
+--- ssh.c Mon Jan 10 22:56:13 2000
+***************
+*** 218,223 ****
+--- 218,231 ----
+ other functions. */
+ RandomState random_state;
+
++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
++ Default value is AF_UNSPEC means both IPv4 and IPv6. */
++ #ifdef ENABLE_IPV6
++ int IPv4or6 = AF_UNSPEC;
++ #else
++ int IPv4or6 = AF_INET;
++ #endif
++
+ /* Flag indicating whether debug mode is on. This can be set on the
+ command line. */
+ int debug_flag = 0;
+***************
+*** 277,282 ****
+--- 285,297 ----
+ {
+ fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
+ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -4 Use IPv4 only.\n");
++ #ifdef ENABLE_IPV6
++ fprintf(stderr, " -6 Use IPv6 only.\n");
++ #endif
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ fprintf(stderr, " -A Try to connect to another port before original port.\n");
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ fprintf(stderr, " -l user Log in using this user name.\n");
+ fprintf(stderr, " -n Redirect input from /dev/null.\n");
+ fprintf(stderr, " -a Disable authentication agent forwarding.\n");
+***************
+*** 413,418 ****
+--- 428,436 ----
+ #ifdef SIGWINCH
+ struct winsize ws;
+ #endif /* SIGWINCH */
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port_flag = 0;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+
+ /* Save the original real uid. It will be needed later (uid-swapping may
+ clobber the real uid). */
+***************
+*** 522,527 ****
+--- 540,565 ----
+ }
+ switch (opt)
+ {
++ case '4':
++ #ifdef ENABLE_IPV6
++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
++ #else
++ IPv4or6 = AF_INET;
++ #endif
++ break;
++
++ #ifdef ENABLE_IPV6
++ case '6':
++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
++ break;
++ #endif
++
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ case 'A':
++ another_port_flag = 1;
++ break;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
++
+ case 'n':
+ stdin_null_flag = 1;
+ break;
+***************
+*** 789,799 ****
+--- 827,844 ----
+ {
+ use_privileged_port = 0;
+ }
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ if (!another_port_flag)
++ options.another_port = 0;
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ /* Open a connection to the remote host. This needs root privileges if
+ rhosts_authentication is true. Note that the random_state is not
+ yet used by this call, although a pointer to it is stored, and thus it
+ need not be initialized. */
+ ok = ssh_connect(host, options.port, options.connection_attempts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ options.another_port,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ !use_privileged_port,
+ original_real_uid, options.proxy_command, &random_state);
+
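Review bot: The `-4` and `-6` cases toggle rather than set the address family: in an IPv6 build, giving both options returns `IPv4or6` to AF_UNSPEC. The usage text, however, describes each option as "only". scp in this commit can pass both flags to ssh, so the behaviour looks intentional, but it deserves a comment above `case '4':`, such as `/* -4 and -6 together cancel out to AF_UNSPEC (both families). */`. The option-parsing function starts and ends outside these hunks.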
diff --git a/picobsd/ssh-picobsd/files/patch-bs b/picobsd/ssh-picobsd/files/patch-bs
new file mode 100644
index 00000000000..ec0e1a86ef9
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-bs
@@ -0,0 +1,94 @@
+*** ssh.h.orig Wed May 12 13:19:28 1999
+--- ssh.h Mon Jan 10 22:56:13 2000
+***************
+*** 430,436 ****
+ /* Records that the user has logged in. This does many things normally
+ done by login(1). */
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr_in *addr);
+
+ /* Records that the user has logged out. This does many thigs normally
+ done by login(1) or init. */
+--- 430,436 ----
+ /* Records that the user has logged in. This does many things normally
+ done by login(1). */
+ void record_login(int pid, const char *ttyname, const char *user, uid_t uid,
+! const char *host, struct sockaddr *addr);
+
+ /* Records that the user has logged out. This does many thigs normally
+ done by login(1) or init. */
+***************
+*** 447,452 ****
+--- 447,455 ----
+ connection is successful, this calls packet_set_connection for the
+ connection. */
+ int ssh_connect(const char *host, int port, int connection_attempts,
++ #ifdef ENABLE_ANOTHER_PORT_TRY
++ int another_port,
++ #endif /* ENABLE_ANOTHER_PORT_TRY */
+ int anonymous, uid_t original_real_uid,
+ const char *proxy_command, RandomState *random_state);
+
+***************
+*** 872,876 ****
+--- 875,934 ----
+ #else
+ #define UID_ROOT 0
+ #endif
++
++ #ifdef HAVE_SOCKADDR_STORAGE
++ #ifndef HAVE_NEW_SS_FAMILY
++ #define __ss_len ss_len
++ #define __ss_family ss_family
++ #endif
++ #else
++ #define _SS_MAXSIZE 128 /* Implementation specific max size */
++ #define _SS_ALIGNSIZE (sizeof(int))
++ #define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short))
++ #define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \
++ _SS_PAD1SIZE + _SS_ALIGNSIZE))
++ struct sockaddr_storage {
++ #ifdef HAVE_SOCKADDR_LEN
++ u_char __ss_len;
++ u_char __ss_family;
++ #else
++ u_short __ss_family;
++ #endif
++ char __ss_pad1[_SS_PAD1SIZE];
++ int __ss_align;
++ char __ss_pad2[_SS_PAD2SIZE];
++ };
++ #endif
++
++ #ifdef INET6_ADDRSTRLEN
++ #define ADDRSTRLEN INET6_ADDRSTRLEN
++ #else
++ #define ADDRSTRLEN 46
++ #endif
++
++ #define PORTSTRLEN 16
++
++ /* AF_UNSPEC or AF_INET or AF_INET6 */
++ extern int IPv4or6;
++
++ #ifndef ENABLE_IPV6
++ /* dummy value for old netdb.h */
++ #ifndef AI_PASSIVE
++ #define AI_PASSIVE 1
++ #define NI_NUMERICHOST 2
++ #define NI_NAMEREQD 4
++ #define NI_NUMERICSERV 8
++ struct addrinfo {
++ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
++ int ai_family; /* PF_xxx */
++ int ai_socktype; /* SOCK_xxx */
++ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
++ size_t ai_addrlen; /* length of ai_addr */
++ char *ai_canonname; /* canonical name for hostname */
++ struct sockaddr *ai_addr; /* binary address */
++ struct addrinfo *ai_next; /* next structure in linked list */
++ };
++ #endif
++ #endif /* not ENABLE_IPV6 */
+
+ #endif /* SSH_H */
diff --git a/picobsd/ssh-picobsd/files/patch-xa b/picobsd/ssh-picobsd/files/patch-xa
new file mode 100644
index 00000000000..a775ff6820d
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-xa
@@ -0,0 +1,167 @@
+Note that this patch has been incorporated into the port due to problems
+with patching a autoconf generated configure script. The script itself contains
+linenumbers and in case of two patches against that script the second one fails
+because it expects something that the first patch has already changed. The
+only clean way is to re-generate it with autoconf. *sigh*
+This patch was fetched from
+http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown
+ - torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000
+
+
+Patch for problem with tty ownership with chflags and chown in BSD 4.4
+variants. Fixes a security bug in tty allocation.
+
+This patch works for ssh-1.2.27.
+
+Apply with the following commands:
+
+% cd /wherever/you/hold/your/sources/ssh-1.2.27
+% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown
+% ./configure --whatever-config-flags-you-use
+% make clean
+% make
+% su
+Password: ***********
+# make install
+# kill -HUP `cat /var/run/sshd.pid`
+
+You should be all set.
+
+Sami Lehtinen <sjl@ssh.fi>
+
+--begin patch--
+diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c
+--- auth-passwd.c.orig Wed May 12 14:19:23 1999
++++ auth-passwd.c Wed Aug 11 19:49:32 1999
+@@ -613,7 +613,13 @@
+ /* get_name pulls out just the name not the
+ type */
+ strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache));
+- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid);
++ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0)
++ {
++ log_msg("Kerberos: chown failed for %s, error: %s",
++ ccname + 5, strerror(errno));
++ packet_send_debug("Kerberos: chown failed for %s", ccname + 5);
++ goto errout;
++ }
+
+ /* If tgt was passed unlink file */
+ if (ticket)
+diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in
+--- config.h.in.orig Wed May 12 14:20:04 1999
++++ config.h.in Wed Aug 11 20:20:51 1999
+@@ -360,6 +360,9 @@
+ /* Define if you have the authenticate function. */
+ #undef HAVE_AUTHENTICATE
+
++/* Define if you have the chflags function. */
++#undef HAVE_CHFLAGS
++
+ /* Define if you have the clock function. */
+ #undef HAVE_CLOCK
+
+diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in
+--- configure.in.orig Wed May 12 14:20:02 1999
++++ configure.in Wed Aug 11 20:05:13 1999
+@@ -433,6 +433,7 @@
+ AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit)
+ AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp)
+ AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream)
++AC_CHECK_FUNCS(chflags)
+
+ AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf)
+
+diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c
+--- sshd.c.orig Wed May 12 14:19:29 1999
++++ sshd.c Wed Aug 11 20:26:31 1999
+@@ -2897,9 +2897,87 @@
+ tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH;
+ }
+
++ retry_chown:
++
+ /* Change ownership of the tty. */
+- (void)chown(ttyname, pw->pw_uid, tty_gid);
+- (void)chmod(ttyname, tty_mode);
++ if (chown(ttyname, pw->pw_uid, tty_gid) < 0)
++ {
++ /* chown failed. Atleast two possibilities. Either we are not
++ running as root, in which case this is OK, or we are running
++ on BSD, and somebody has put some flags to the tty. */
++
++ /* Check whether we are root or not.*/
++ if (getuid() != UID_ROOT)
++ {
++ /* We are not, and then this is OK. */
++ debug("chown failed (but we're not root anyway) for "
++ "%s, error %s", ttyname, strerror(errno));
++ }
++ else
++ {
++#ifdef HAVE_CHFLAGS
++ static int retrying = 0;
++ struct stat st;
++
++ if (!retrying)
++ {
++ debug("chown failed for %s, error: %s. Removing "
++ "user-settable flags, and retrying.",
++ ttyname, strerror(errno));
++
++ if (stat(ttyname, &st) < 0)
++ {
++ error("stat failed for %s, error: %s",
++ ttyname, strerror(errno));
++ }
++ else
++ {
++ debug("Removing user-settable flags with "
++ "chflags.");
++ /* Remove user definable flags. */
++ if (chflags(ttyname, st.st_flags &
++ ~(UF_NODUMP | UF_IMMUTABLE |
++ UF_APPEND | UF_OPAQUE)) < 0)
++ {
++ debug("chflags failed for %s, error: %s",
++ ttyname, strerror(errno));
++ }
++ else
++ {
++ debug("Retrying...");
++ retrying = 1;
++ goto retry_chown;
++ }
++ }
++ }
++ else
++ {
++ debug("chown failed even with retry. error: %s",
++ strerror(errno));
++ }
++
++#endif /* HAVE_CHFLAGS */
++ error("ssh_pty_allocate_and_fork: chown failed for %s.",
++ ttyname);
++ goto fail;
++ }
++ }
++
++ if (chmod(ttyname, tty_mode) < 0)
++ {
++ if (getuid() != UID_ROOT)
++ {
++ /* We are not, and then this is (probably) OK. */
++ debug("chmod failed (but we're not root anyway) for "
++ "%s, error %s", ttyname, strerror(errno));
++ }
++ else
++ {
++ error("ssh_pty_allocate_and_fork: chmod %s: %s",
++ ttyname, strerror(errno));
++ goto fail;
++ }
++ }
+
+ /* Get TERM from the packet. Note that the value may be of arbitrary
+ length. */
diff --git a/picobsd/ssh-picobsd/files/patch-ya b/picobsd/ssh-picobsd/files/patch-ya
new file mode 100644
index 00000000000..28df9da5090
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-ya
@@ -0,0 +1,54 @@
+--- Makefile.in.1 Thu Dec 21 18:39:10 2000
++++ Makefile.in Thu Dec 21 18:44:34 2000
+@@ -267,6 +267,7 @@
+ LIBS = @LIBS@
+ LIBOBJS = @LIBOBJS@
+ CONFOBJS = @CONFOBJS@
++CONFOBJS = # force none.
+ SSHCONFOBJS = @SSHCONFOBJS@
+ SSHDCONFOBJS = @SSHDCONFOBJS@
+
+@@ -324,16 +325,21 @@
+ XLIBS = $(X_LIBS) $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) $(LIBS)
+
+ COMMON_OBJS = $(LIBOBJS) $(CONFOBJS) \
++ log-server.o \
+ rsa.o randoms.o md5.o buffer.o emulate.o packet.o compress.o \
+ xmalloc.o ttymodes.o newchannels.o bufaux.o authfd.o authfile.o \
+ crc32.o rsaglue.o cipher.o des.o match.o arcfour.o mpaux.o \
+- userfile.o signals.o blowfish.o deattack.o
++ userfile.o signals.o blowfish.o deattack.o \
++ canohost.o
++
+ SSHD_OBJS = sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o \
+- log-server.o login.o hostfile.o canohost.o servconf.o tildexpand.o \
+- serverloop.o $(COMMON_OBJS) $(KERBEROS_OBJS) $(SSHDCONFOBJS)
+-SSH_OBJS = ssh.o sshconnect.o log-client.o readconf.o hostfile.o readpass.o \
+- tildexpand.o clientloop.o canohost.o $(COMMON_OBJS) $(SSHCONFOBJS)
+-KEYGEN_OBJS = ssh-keygen.o log-client.o readpass.o rsa.o randoms.o md5.o \
++ login.o hostfile.o servconf.o tildexpand.o \
++ serverloop.o \
++ ssh.o sshconnect.o log-client.o readconf.o readpass.o \
++ clientloop.o \
++ scp.o \
++ $(COMMON_OBJS) $(SSHCONFOBJS)
++KEYGEN_OBJS = ssh-keygen.o log-server.o readpass.o rsa.o randoms.o md5.o \
+ buffer.o xmalloc.o authfile.o cipher.o des.o arcfour.o mpaux.o \
+ bufaux.o userfile.o signals.o blowfish.o $(LIBOBJS) $(CONFOBJS)
+ AGENT_OBJS = ssh-agent.o log-client.o rsa.o randoms.o md5.o buffer.o \
+@@ -403,7 +409,6 @@
+ #endif F_SECURE_COMMERCIAL
+ SCRIPT_PROGRAMS = make-ssh-known-hosts
+ SBIN_PROGRAMS = sshd
+-PROGRAMS = ssh $(SBIN_PROGRAMS) $(NORMAL_PROGRAMS) $(SCRIPT_PROGRAMS) \
+-$(X_PROGRAMS) $(OTHER_PROGRAMS)
++PROGRAMS = $(SBIN_PROGRAMS)
+ SSH_PROGRAM = $(bindir)/ssh1
+
+@@ -759,3 +765,6 @@
+ tags:
+ -rm -f TAGS
+ find config.h $(srcdir) -name '*.[chly]' -print | xargs etags -a
++
++obj:
++ echo "-- fake target for picobsd --"
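Review bot: The rewritten SSHD_OBJS list drops `$(KERBEROS_OBJS)` and `$(SSHDCONFOBJS)` and now ends in `$(COMMON_OBJS) $(SSHCONFOBJS)`, so server-side objects selected by configure are no longer linked into the combined binary. What those variables expand to is not visible here, but if either is non-empty the merged sshd could fail to link or be built without the corresponding server feature. Unless the omission is deliberate, I would end the list with `$(COMMON_OBJS) $(KERBEROS_OBJS) $(SSHDCONFOBJS) $(SSHCONFOBJS)`. If it is deliberate, a comment such as `# picobsd: Kerberos and server-side configure objects intentionally left out` would record that. The added `obj:` target is a pure command, so `.PHONY: obj` belongs next to it.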
diff --git a/picobsd/ssh-picobsd/files/patch-yb b/picobsd/ssh-picobsd/files/patch-yb
new file mode 100644
index 00000000000..6139703ded6
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/patch-yb
@@ -0,0 +1,260 @@
+diff -ubwr work/ssh-1.2.27/log-client.c work.luigi/ssh-1.2.27/log-client.c
+--- log-client.c Wed May 12 04:19:26 1999
++++ log-client.c Wed Dec 6 18:27:30 2000
+@@ -50,6 +50,7 @@
+ * $Endlog$
+ */
+
++#if 0 /* XXX luigi */
+ #include "includes.h"
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -216,3 +217,4 @@
+ va_end(args);
+ exit(255);
+ }
++#endif /* XXX luigi */
+diff -ubwr work/ssh-1.2.27/log-server.c work.luigi/ssh-1.2.27/log-server.c
+--- log-server.c Wed Dec 6 18:47:50 2000
++++ log-server.c Wed Dec 6 19:02:53 2000
+@@ -69,6 +69,36 @@
+ static int log_debug = 0;
+ static int log_quiet = 0;
+ static int log_on_stderr = 0;
++/*
++ * lr 001206
++ *
++ * try to put here all logging and error handling functions
++ *
++
++fatal:
++ scp.c
++ ssh-askpass.c
++ log-server.c
++ log-client.c
++ *
++ */
++
++enum { SCP, ASKPASS, SERVER, CLIENT } fatal_mode ;
++char *unauthenticated_user = NULL; /* from sshd.c */
++int log_auth_flag = 0; /* from sshd.c */
++int allow_severity = LOG_INFO;
++int deny_severity = LOG_WARNING;
++int debug_flag = 0;
++
++uid_t original_real_uid = 0;
++
++/* from ssh.c */
++#ifdef ENABLE_IPV6
++int IPv4or6 = AF_UNSPEC;
++#else
++int IPv4or6 = AF_INET;
++#endif
++
+
+ /* Initialize the log.
+ av0 program name (should be argv[0])
+@@ -325,6 +355,10 @@
+
+ if (log_quiet)
+ exit(1);
++
++ if (fatal_mode == CLIENT)
++ do_fatal_cleanups();
++
+ va_start(args, fmt);
+ vsnprintf(buf, sizeof(buf), fmt, args);
+ va_end(args);
+@@ -332,6 +366,7 @@
+ fprintf(stderr, "fatal: %s\n", buf);
+ syslog(LOG_ERR, "fatal: %.500s", buf);
+
++ if (fatal_mode == SERVER)
+ do_fatal_cleanups();
+
+ exit(1);
+diff -ubwr work/ssh-1.2.27/newchannels.c work.luigi/ssh-1.2.27/newchannels.c
+--- newchannels.c Wed Dec 6 18:47:49 2000
++++ newchannels.c Wed Dec 6 18:44:06 2000
+@@ -274,6 +274,7 @@
+ #include "authfd.h"
+ #include "emulate.h"
+ #include "servconf.h"
++ServerOptions options; /* from sshd */
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+ #include <syslog.h>
+diff -ubwr work/ssh-1.2.27/scp.c work.luigi/ssh-1.2.27/scp.c
+--- scp.c Wed Dec 6 18:47:51 2000
++++ scp.c Wed Dec 6 19:09:39 2000
+@@ -363,6 +363,7 @@
+ return 0;
+ }
+
++#if 0 /* XXX luigi */
+ void fatal(const char *fmt, ...)
+ {
+ va_list ap;
+@@ -374,7 +375,7 @@
+ fprintf(stderr, "%s\n", buf);
+ exit(255);
+ }
+-
++#endif
+ /* This stuff used to be in BSD rcp extern.h. */
+
+ typedef struct {
+@@ -408,10 +409,10 @@
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(char *, int, char *[]);
+-void usage(void);
++void scp_usage(void);
+
+ int
+-main(argc, argv)
++scp_main(argc, argv)
+ int argc;
+ char *argv[];
+ {
+@@ -555,7 +556,7 @@
+ break;
+ case '?':
+ default:
+- usage();
++ scp_usage();
+ }
+ argc -= optind;
+ argv += optind;
+@@ -578,7 +579,7 @@
+ }
+
+ if (argc < 2)
+- usage();
++ scp_usage();
+ if (argc > 2)
+ targetshouldbedirectory = 1;
+
+@@ -1336,7 +1337,7 @@
+ }
+
+ void
+-usage(void)
++scp_usage(void)
+ {
+ (void)fprintf(stderr,
+ "usage: scp [-qQaAprvBCL] [-S path-to-ssh] [-o ssh-options] [-P port] [-c cipher] [-i identity] f1 f2; or: scp [options] f1 ... fn directory\n");
+diff -ubwr work/ssh-1.2.27/ssh.c work.luigi/ssh-1.2.27/ssh.c
+--- ssh.c Wed Dec 6 18:47:51 2000
++++ ssh.c Wed Dec 6 19:03:25 2000
+@@ -209,8 +209,8 @@
+ #ifdef NEED_SYS_SYSLOG_H
+ #include <sys/syslog.h>
+ #endif /* NEED_SYS_SYSLOG_H */
+-int allow_severity = LOG_INFO;
+-int deny_severity = LOG_WARNING;
++extern int allow_severity ;
++extern int deny_severity;
+ #endif /* LIBWRAP */
+
+ /* Random number generator state. This is initialized in ssh_login, and
+@@ -220,15 +220,11 @@
+
+ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
+ Default value is AF_UNSPEC means both IPv4 and IPv6. */
+-#ifdef ENABLE_IPV6
+-int IPv4or6 = AF_UNSPEC;
+-#else
+-int IPv4or6 = AF_INET;
+-#endif
++extern int IPv4or6 ;
+
+ /* Flag indicating whether debug mode is on. This can be set on the
+ command line. */
+-int debug_flag = 0;
++extern int debug_flag;
+
+ /* Flag indicating whether quiet mode is on. */
+ int quiet_flag = 0;
+@@ -414,7 +410,7 @@
+
+ /* Main program for the ssh client. */
+
+-int main(int ac, char **av)
++int ssh_main(int ac, char **av)
+ {
+ int i, opt, optind, type, exit_status, ok, fwd_port, fwd_host_port;
+ int authfd;
+diff -ubwr work/ssh-1.2.27/sshd.c work.luigi/ssh-1.2.27/sshd.c
+--- sshd.c Wed Dec 6 18:47:52 2000
++++ sshd.c Wed Dec 6 19:08:18 2000
+@@ -488,8 +488,8 @@
+ #ifdef NEED_SYS_SYSLOG_H
+ #include <sys/syslog.h>
+ #endif /* NEED_SYS_SYSLOG_H */
+-int allow_severity = LOG_INFO;
+-int deny_severity = LOG_WARNING;
++extern int allow_severity ;
++extern int deny_severity ;
+ #endif /* LIBWRAP */
+
+ #ifdef CRAY
+@@ -548,29 +548,23 @@
+ #endif /* KERBEROS */
+
+ /* Server configuration options. */
+-ServerOptions options;
++extern ServerOptions options;
+
+ /* Name of the server configuration file. */
+ char *config_file_name = SERVER_CONFIG_FILE;
+
+-/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
+- Default value is AF_UNSPEC means both IPv4 and IPv6. */
+-#ifdef ENABLE_IPV6
+-int IPv4or6 = AF_UNSPEC;
+-#else
+-int IPv4or6 = AF_INET;
+-#endif
++extern int IPv4or6;
+
+ #ifdef ENABLE_LOG_AUTH
+-char *unauthenticated_user = NULL;
+-int log_auth_flag = 0;
++extern char *unauthenticated_user ;
++extern int log_auth_flag ;
+ #endif /* ENABLE_LOG_AUTH */
+
+ /* Debug mode flag. This can be set on the command line. If debug
+ mode is enabled, extra debugging output will be sent to the system
+ log, the daemon will not go to background, and will exit after processing
+ the first connection. */
+-int debug_flag = 0;
++extern int debug_flag ;
+
+ /* Flag indicating that the daemon is being started from inetd. */
+ int inetd_flag = 0;
+@@ -603,7 +597,7 @@
+
+ /* This is not really needed, and could be eliminated if server-specific
+ and client-specific code were removed from newchannels.c */
+-uid_t original_real_uid = 0;
++extern uid_t original_real_uid ;
+
+ /* Flags set in auth-rsa from authorized_keys flags. These are set in
+ auth-rsa.c. */
+@@ -796,6 +790,14 @@
+ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+ int listen_sock, maxfd;
+
++ { int l = strlen(av[0]); /* do ssh if necessary */
++ if (l < 3) /* assume ssh */
++ return ssh_main(ac, av);
++ if (!strcmp( av[0] + l - 3, "ssh"))
++ return ssh_main(ac, av);
++ if (!strcmp( av[0] + l - 3, "scp"))
++ return scp_main(ac, av);
++ }
+ /* Save argv[0]. */
+ saved_argv = av;
+ if (strchr(av[0], '/'))
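Review bot: The argv[0] dispatch added at the top of sshd's main() (the `strlen(av[0])` block) dereferences `av[0]` without checking `ac`, and it chooses the client, scp or daemon path from a caller-supplied string by its last three characters. Any name shorter than three characters or merely ending in "ssh" runs ssh_main, and everything else falls through to the server code. I would guard the empty-argv case and compare the basename exactly: `if (ac < 1 || av[0] == NULL) return 1;`, then `p = strrchr(av[0], '/'); p = p ? p + 1 : av[0];` and `strcmp(p, "ssh")` / `strcmp(p, "scp")`. Separately, in the log-server.c part `fatal_mode` is not assigned in any hunk shown here, so it keeps its zero value (SCP) and the new `if (fatal_mode == SERVER)` guard would skip do_fatal_cleanups() in the daemon unless another file sets it. main() starts and continues outside this hunk.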
diff --git a/picobsd/ssh-picobsd/files/sshd.sh b/picobsd/ssh-picobsd/files/sshd.sh
new file mode 100644
index 00000000000..dd882003037
--- /dev/null
+++ b/picobsd/ssh-picobsd/files/sshd.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+case "$1" in
+ start)
+ !!PREFIX!!/sbin/sshd
+ echo -n ' sshd'
+ ;;
+ stop)
+ if [ -f /var/run/sshd.pid ]; then
+ kill -TERM `cat /var/run/sshd.pid`
+ rm -f /var/run/sshd.pid
+ echo -n ' sshd'
+ fi
+ ;;
+ restart)
+ if [ -f /var/run/sshd.pid ]; then
+ kill -HUP `cat /var/run/sshd.pid`
+ echo 'sshd restarted'
+ fi
+ ;;
+ -h)
+ echo "Usage: `basename $0` { start | stop | restart }"
+ ;;
+ *)
+ !!PREFIX!!/sbin/sshd
+ echo -n ' sshd'
+ ;;
+esac
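Review bot: The `*)` branch starts `!!PREFIX!!/sbin/sshd` for any argument the script does not recognise, so a typo or an unsupported verb such as `status` launches another daemon instead of failing. I would make the fallback report usage and exit non-zero, `*) echo "Usage: $0 { start | stop | restart }" >&2; exit 64 ;;`, and keep the daemon start under `start)` only; if the startup framework invokes the script with no argument, an explicit `"")` case can cover that. The `stop)` and `restart)` branches also signal whatever PID /var/run/sshd.pid contains without checking that it is non-empty or still belongs to sshd, so a stale file can hit an unrelated process. Reading it first, `pid=$(cat /var/run/sshd.pid)` then `[ -n "$pid" ] && kill -TERM "$pid"`, narrows that.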
diff --git a/picobsd/ssh-picobsd/pkg-comment b/picobsd/ssh-picobsd/pkg-comment
new file mode 100644
index 00000000000..5bdd6e93c31
--- /dev/null
+++ b/picobsd/ssh-picobsd/pkg-comment
@@ -0,0 +1 @@
+Secure shell client, server and remote copy (for picobsd)
diff --git a/picobsd/ssh-picobsd/pkg-descr b/picobsd/ssh-picobsd/pkg-descr
new file mode 100644
index 00000000000..9c1a410f46f
--- /dev/null
+++ b/picobsd/ssh-picobsd/pkg-descr
@@ -0,0 +1,7 @@
+Secure Shell is a program to log into another computer over a network,
+to execute commands in a remote machine, and to move files from one
+machine to another. It provides strong authentication and secure
+communications over insecure channels. It is intended as a replacement
+for rlogin, rsh, and rcp.
+This port builds the three programs ssh, sshd and scp as a single binary,
+and is intended for use with picobsd images.
diff --git a/picobsd/ssh-picobsd/pkg-plist b/picobsd/ssh-picobsd/pkg-plist
new file mode 100644
index 00000000000..e69de29bb2d
--- /dev/null
+++ b/picobsd/ssh-picobsd/pkg-plist